Nortel Application Switch Operating System 23.0.

Command Reference

part number: 320506-A, January 2006

4655 Great America Parkway
Santa Clara, CA 95054
Phone 1-800-4Nortel
http://www.nortel.com

Nortel Application Switch Operating System 23.0.2 Command Reference

Copyright 2006 Nortel Networks, Inc., 4655 Great America Parkway, Santa Clara, California 95054, USA.
All rights reserved. Part Number: 320506-A.
This document is protected by copyright and distributed under licenses restricting its use, copying,
distribution, and decompilation. No part of this document may be reproduced in any form by any means
without prior written authorization of Nortel Networks, Inc. Documentation is provided as is without
warranty of any kind, either express or implied, including any kind of implied or express warranty of noninfringement or the implied warranties of merchantability or fitness for a particular purpose.
U.S. Government End Users: This document is provided with a commercial item as defined by FAR
2.101 (Oct 1995) and contains commercial technical data and commercial software documentation as
those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this
documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR
12.211-12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995).
Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without
notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products
described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of
this product does not convey a license under any patent rights, trademark rights, or any other intellectual
property rights of Nortel Networks, Inc.

Nortel Application Switch Operating System, Nortel Application Switch 2424, Nortel Application
Switch 2424-SSL, Nortel Application Switch 2224, 2216, 2208, 3408, Nortel Application Switch 180,
Nortel Application Switch 180e, Nortel Application Switch 184, Nortel Application Switch AD3, Nortel
Application Switch AD4, and ACEswitch are trademarks of Nortel Networks, Inc. in the United States and
certain other countries. Cisco and EtherChannel are registered trademarks of Cisco Systems, Inc. in the
United States and certain other countries. Check Point and FireWall-1 are trademarks or registered
trademarks of Check Point Software Technologies Ltd. Any other trademarks appearing in this manual are
owned by their respective companies.
Originated in the U.S.A.


Contents
Preface
Who Should Use This Book
How This Book Is Organized
Related Documentation
Typographic Conventions
How to Get Help
The Command Line Interface
Connecting to the Switch
Establishing a Console Connection
Requirements
Procedure
Establishing a Telnet Connection
Using a BOOTP Server
Running Telnet
Establishing an SSH Connection
Running SSH
Accessing the Switch
CLI Versus Setup
Command Line History and Editing
Idle Timeout
First-Time Configuration
Using the Setup Utility
Information Needed For Setup
Starting Setup When You Log In
Stopping and Restarting Setup Manually
Stopping Setup
Restarting Setup
Setup Part 1: Basic System Configuration
Setup Part 2: Port Configuration
Setup Part 3: VLANs
Setup Part 4: IP Configuration
IP Interfaces
Default Gateways
IP Routing
Setup Part 5: Final Steps
Optional Setup for SNMP Support
Optional Setup for Telnet Support
Setting Passwords
Changing the Default Administrator Password
Changing the Default User Password
Changing the Default Layer 4 Administrator Password
Menu Basics
The Main Menu
Menu Summary
Global Commands
Command Line History and Editing
Command Line Interface Shortcuts
Command Stacking
Command Abbreviation
Tab Completion
Configuration Ranges
The Information Menu
Information Menu
System Information Menu
SNMPv3 System Information Menu
SNMPv3 USM User Table Information
SNMPv3 View Table Information
SNMPv3 Access Table Information
SNMPv3 Group Table Information
SNMPv3 Community Table Information
SNMPv3 Target Address Table Information
SNMPv3 Target Parameters Table Information
SNMPv3 Notify Table Information
SNMPv3 Dump Information
General System Information
Show System Time
Show Last 64 Syslog Messages
Last 64 Saved Syslog Messages
Management Port Information
SONMP Information
System Capacity Information
Show switch fan status
Show switch temperature sensor status
Show encryption licenses
Show current user status
System Information Dump
Layer 2 Information Menu
Layer 2 FDB Information
Show All FDB Information
Clearing Entries from the Forwarding Database
Link Aggregation Control Protocol Information Menu
LACP Aggregator Information
LACP Port Information
LACP Dump Information
Layer 2 Spanning Tree Group Information
Show common internal spanning tree (CIST) information
Trunk Group Information
VLAN Information
VLAN Information
Status of port teams
Layer2 Dump Information
Layer3 Information Menu
IP Routing Information
Show All IP Route Information
Type Parameters
Tag Parameters
IPv6 Routing Information Menu
ARP Information Menu
Show ARP Entries on Referenced SP
Show All ARP Entry Information
ARP Address List Information
IPv6 Neighbor Cache Information
BGP Information Menu
BGP Peer information
BGP Summary information
Dump BGP Information
OSPF Information Menu
OSPF General Information
OSPF Interface Information
OSPF Database Information
OSPF Information Route Codes
OSPF Dump Information
IP Information
VRRP Information
Layer3 Dump Information
Layer 4 Information Menu
Session Table Information
Samples of Session Dumps for Different Applications
Session dump information in Nortel Application Switch Operating System
Global SLB Information Menu
Show All Layer 4 Information
Bandwidth Management Information
BWM IP User Information Menu
BWM Contract Information
Security Information
Link Status Information
Port Information
Software Enabled Keys
Information Dump
The Statistics Menu
Statistics Menu
System statistics menu
Port Statistics Menu
Bridging Statistics
Ethernet Statistics
Interface Statistics
Interface Protocol Statistics
Link Statistics
RMON Statistics
Port Dump Statistics
Port mirroring statistics menu
Layer 2 Statistics Menu
FDB Statistics
LACP Statistics
Spanning Tree Group Statistics
Layer 3 Statistics Menu
OSPF Statistics Menu
OSPF Global Statistics
IP Statistics
IP6 Statistics Menu
Route Statistics
ARP statistics
VRRP Statistics
DNS Statistics
ICMP Statistics
Interface Statistics
TCP Statistics
UDP Statistics
Server Load Balancing Statistics Menu
Server Load Balancing SP statistics Menu
SP Real Server Statistics
SP Filter Statistics
SP Maintenance Statistics
Global SLB Statistics Menu
Real Server Global SLB Statistics
Virtual Server Global SLB Statistics
Global SLB Site Statistics
Global SLB Maintenance Statistics
Real Server SLB Statistics
Per Service Octet Counters
Real Server Group Statistics
Virtual Server SLB Statistics
Filter SLB Statistics
SLB Layer7 Statistics Menu
Layer7 Redirection Statistics
Layer 7 SLB String Statistics
Layer 7 SLB Maintenance Statistics
Layer7 Pooling Statistics
SLB Secure Socket Layer Statistics
File Transfer Protocol SLB and Filter Statistics Menu
Active FTP SLB Parsing and Filter Statistics
Passive FTP SLB Parsing Statistics
FTP SLB Maintenance Statistics
FTP SLB Statistics Dump
RTSP SLB Statistics
DNS SLB Statistics
WAP SLB Statistics
SLB Maintenance Statistics
SIP SLB Statistics
Display Workload Manager SASP statistics
Clear Workload Manager SASP Statistics
Display Workload Manager SASP statistics
BWM Statistics Menu
BWM Switch Processor Statistics
BWM Switch Processor Contract Statistics Menu
BWM Switch Processor Rate Contract Statistics
BWM Contract Statistics
BWM Contract Rate Statistics
BWM History Statistics
BWM Maintenance Statistics
BWM IP Users Statistics
Security Statistics
DOS Attack Statistics Menu
Types of DOS Attacks
IP Access Control List Statistics
UDP Blast Statistics
UDP Blast Dump Statistics
UDP Pattern Match Statistics
Rate Limiting Statistics
Dump Statistics for Security
Management Processor Statistics
MP Packet Statistics
TCP Statistics
UCB Statistics
MP-Specific SFD Statistics
CPU Statistics
SP Specific Statistics
SP-Specific Maintenance Statistics
CPU Statistics
Port Mirroring Statistics Menu
Management Port Statistics
Dump Statistics
The Configuration Menu
Configuration Menu
Viewing, Applying, and Saving Changes
Viewing Pending Changes
Applying Pending Changes
Saving the Configuration
System Configuration
System Host Log Configuration
Seven Levels of Severity
Management Port Configuration Menu
Management Port Link Menu
RADIUS Server Configuration
TACACS+ Server Configuration Menu
NTP Server Configuration
SynOptics Network Management Protocol Configuration
System SNMP Configuration
SNMPv3 Configuration Menu
User Security Model Configuration Menu
SNMPv3 View Configuration Menu
View-based Access Control Model Configuration Menu
SNMPv3 Group Configuration Menu
SNMPv3 Community Table Configuration Menu
SNMPv3 Target Address Table Configuration Menu
SNMPv3 Target Parameters Table Configuration Menu
SNMPv3 Notify Table Configuration Menu
System Health Check Configuration Menu
System Access Control Configuration
Management Networks Menu
Port Management Access Menu
User Access Control Menu
System User ID Configuration Menu
HTTPS Access Configuration Menu
SSH Server Menu
XML Configuration Access Menu
Example of enabling or disabling XML access
Configure the Timezone
Port Configuration
Nortel Application Switch Operating System 2000 Series
Fast Ethernet Ports
SFP GBIC Ports
Port Link Configuration
Nortel Application Switch 3000 Series
Port Configuration on Nortel Application Switch 3408
Single-Mode ports
Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu
Single-Mode SFP Gigabit Ethernet Port Link Configuration Menu
Dual-Mode Ports
Dual-Mode Copper Port Link Configuration
Dual-Mode SFP Gigabit Link Configuration Menu
Temporarily Disabling a Port
Port Mirroring Menu
Port-Mirroring Menu
Bandwidth Management Configuration
Bandwidth Management Contract Configuration
BWM Contract Time Policy Configuration Menu
Bandwidth Management Policy Configuration
Bandwidth Management Group Configuration Menu
Bandwidth Management Current Configuration
Layer 2 Configuration Menu
Multiple Spanning Tree Menu
Multiple Spanning Tree Menu
CIST Bridge Menu
Current configuration for CIST Bridge
Spanning Tree Group Configuration
Bridge Spanning Tree Configuration
Spanning Tree Port Configuration
Trunk Configuration
Link Aggregation Control Protocol Menu
LACP Port Configuration Menu
VLAN Configuration
Port Team Configuration
Layer 3 Configuration Menu
IP Interface Configuration
IPv6 Neighbor Discovery Menu
Default IP Gateway Configuration
Default Gateway Metrics
IP Static Route Configuration
ARP Configuration Menu
ARP Static Configuration Menu
IP Forwarding Configuration Menu
Local Network Route Caching Definition
Defining IP Address Ranges for the Local Route Cache
Network Filter Configuration
Route Map Configuration Menu
IP Access List Configuration Menu
Autonomous System Filter Path
Routing Information Protocol Configuration
RIP Interface Menu
Open Shortest Path First Configuration
Area Index Configuration Menu
OSPF Summary Range Configuration Menu
OSPF Interface Configuration Menu
OSPF Virtual Link Configuration Menu
OSPF MD5 Key Configuration Menu
OSPF Host Entry Configuration Menu
OSPF Route Redistribution Configuration Menu
Border Gateway Protocol Configuration
BGP Peer Configuration Menu
BGP Redistribution Configuration Menu
BGP Aggregate Routing Configuration Menu
IP Forwarding Port Configuration Menu
Domain Name System Configuration Menu
Bootstrap Protocol Relay Configuration Menu
VRRP Configuration Menu
Virtual Router Configuration Menu
Virtual Router Priority Tracking Configuration
Virtual Router Group Menu
Virtual Router Group Priority Tracking Configuration Menu
Virtual Router Group Configuration
Virtual Router Group Priority Tracking Configuration
VRRP Interface Configuration
VRRP Tracking Configuration
Default Gateway Metrics
Security Configuration Menu
Port Security Menu
IP Address Access Control List Configuration Menu
UDP Blast Protection Configuration Menu
Anomaly and Denial of Service Attack Prevention Menu
Pattern Matching Menu
SSL Processor Menu
Setup
Dump
Saving the Active Switch Configuration
Restoring the Active Switch Configuration
The SLB Configuration Menu
SLB Configuration
Filtering and Layer 4 (Server Load Balancing)
Real Server SLB Configuration
Real Server Advanced Menu
Buddy Server Health Check Menu
Real Server Layer 7 Configuration
Real server IDS Configuration Menu
Real Server Group SLB Configuration
SLB Health Check Types
Server Load Balancing Metrics
Virtual Server SLB Configuration
Virtual Server Service Configuration
WTS Load Balancing Menu
HTTP Load Balancing Menu

SIP Load Balancing Menu . . . . . . . . . . . . . . . . . . . . . . . . . . 442


RTSP Load Balancing Menu . . . . . . . . . . . . . . . . . . . . . . . . 443
Cookie-Based Persistence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .444

SLB Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445


Defining IP Address Ranges for Filters . . . . . . . . . . . . . . . . . . . . .449

Advanced Filter Configuration . . . . . . . . . . . . . . . . . . . . . . 450


802.1p Advanced Menu . . . . . . . . . . . . . . . . . . . . . . . . . 453
Advanced Filter TCP Configuration. . . . . . . . . . . . . . . . 453
IP Advanced Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
ICMP Message Types. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .455

Layer 7 Advanced Filter Configuration Menu . . . . . . . . 457


Layer 7 SIP Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Proxy Advanced Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 460
SLB Filter Advanced Security Menu . . . . . . . . . . . . . . . 460
Advanced Security Rate Limiting Configuration Menu. 462
Port SLB Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Global SLB Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
GSLB Remote Site Configuration . . . . . . . . . . . . . . . . . . . . 467
GSLB Network Preference Configuration Menu . . . . . . . . . 469
GSLB Rule Configuration Menu . . . . . . . . . . . . . . . . . . . . . 470
Global SLB Rule Metric Menu. . . . . . . . . . . . . . . . . . . . 472
Layer 7 SLB Resource Definition Menu . . . . . . . . . . . . . . . 472
Web Cache Redirection Configuration. . . . . . . . . . . . . . . . . 473
Server Load Balance Resource Configuration Menu . . . . . . 475
SDP Mapping Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
WAP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
Synchronize Peer Switch Configuration. . . . . . . . . . . . . . . . . . . 478
Peer Switch Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Advanced Layer 4 Configuration . . . . . . . . . . . . . . . . . . . . . . . . 480
SYN Attack Detection Configuration Menu . . . . . . . . . . . . 483
Advanced SMT Real Server Port Configuration Menu . 483
Inbound Link Load Balancing configuration Menu . . . . . . . 484
Inbound Link Load Balancing Domain Record Menu . . . . . 485
Inbound Link Load Balancing Mapping Menu . . . . . . . 486
Advanced Health Check Configuration Menu . . . . . . . . 486
Scriptable Health Checks Configuration . . . . . . . . . . . . . . . 488
SNMP Health Check Configuration . . . . . . . . . . . . . . . . . . . 490
WAP Health Check Configuration . . . . . . . . . . . . . . . . . . . . 492

WSP Content Health Check . . . . . . . . . . . . . . . . . . . . . . 494


WTP and WSP Content Health Check Menu . . . . . . . . . 495
Proxy IP Address Configuration Menu . . . . . . . . . . . . . . . . 496
SLB Peer Proxy IP Address Menu . . . . . . . . . . . . . . . . . 497
WorkLoad Management Menu . . . . . . . . . . . . . . . . . . . . . . . 498
The Operations Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499

Operations Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499


Operations-Level Port Options . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Operations-Level SLB Options . . . . . . . . . . . . . . . . . . . . . . . . . 502
Real Server Group Operations . . . . . . . . . . . . . . . . . . . . . . . 503
Global SLB Operations Menu . . . . . . . . . . . . . . . . . . . . . . . 504
Operations-Level VRRP Options. . . . . . . . . . . . . . . . . . . . . . . . 505
Operations-Level Bandwidth Management Options . . . . . . . . . 505
Security Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
IP ACL Operations Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . 506
Operations-Level IP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
Operations-Level BGP Options . . . . . . . . . . . . . . . . . . . . . . 508
Activating Optional Software . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
Removing Optional Software . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
The Boot Options Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .511

Boot Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511


Scheduled Reboot of the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512

Scheduled Reboot Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . 512


Updating the Switch Software Image . . . . . . . . . . . . . . . . . . . . . . . . . . 512
Downloading New Software to Your Switch. . . . . . . . . . . . . . . . . 513
Selecting a Software Image to Run . . . . . . . . . . . . . . . . . . . . . . . . 514
Uploading a Software Image from Your Switch . . . . . . . . . . . . . . 514
Selecting a Configuration Block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Resetting the Switch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517
The Maintenance Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .519

Maintenance Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519


System Maintenance Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Forwarding Database Options . . . . . . . . . . . . . . . . . . . . . . . . . . 522
ARP Cache Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
ARP Entries on a Single Port . . . . . . . . . . . . . . . . . . . . . . . . 524


IP Route Manipulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525


IPv6 Manipulation Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526
Debugging Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
Uuencode Flash Dump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528
System Dump Put . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Clearing Dump Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Panic Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Unscheduled System Dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .531
The SSL Processor Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533

Login to the SSL processor. . . . . . . . . . . . . . . . . . . . . . . . . . 533


SSL Processor Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
SSL Performance information menu . . . . . . . . . . . . . . . . . . . . . 536
SSL Performance Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . 540
SSL Performance Statistics menu . . . . . . . . . . . . . . . . . . . . . . . 541
SSL Performance Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . 542
SSL Performance SSL Local Statistics Menu . . . . . . . . . . . 543
SSL Performance: Single ISD SSL Statistics Menu. . . . . . . 544
IPSEC Statistics menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545
SSL Performance: Local IPSEC Statistics Menu . . . . . . . . . 546
SSL Performance: Single IPSEC ISD Statistics Menu . . . . 547
AAA Statistics Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548
SSL Performance Configuration Menu . . . . . . . . . . . . . . . . 548
SSL Configuration Server Menu . . . . . . . . . . . . . . . . . . . . . 551
SSL Configuration Server-specific Menu. . . . . . . . . . . . . . . 552
SSL Configuration Server-specific Trace Menu . . . . . . . . . 554
SSL Configuration Server-specific SSL Menu. . . . . . . . . . . 555
SSL Configuration Server-specific TCP Menu . . . . . . . . . . 556
SSL Configuration Server-specific Advanced Menu . . . . . . 557
SSL Configuration Server Advanced String Menu . . . . . . . 558
SSL Configuration Server Advanced Load Balancing Menu . . 559
SSL Configuration Server Advanced Load Balancing
Cookie Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
Local VIP Configuration Menu . . . . . . . . . . . . . . . . . . . . . . 562
SSL Configuration Server Advanced Load Balancing
Health Script Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
SSL Configuration Server Advanced Load Balancing
Remote SSL Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563

SSL Configuration Server Advanced Load Balancing
Remote SSL Verification Menu . . . . . . . . . . . . . . . . . . . . . . 564
SSL Configuration Server Advanced Load Balancing
Backend Server Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
SSL Configuration Certificate Menu . . . . . . . . . . . . . . . . . . 566
SSL Configuration Revoke Certificate Menu. . . . . . . . . . . . 571
SSL Configuration Revoke Certificate Automatic Menu. . . 572
SSL VPN Configuration Menu . . . . . . . . . . . . . . . . . . . . . . 573
SSL VPN Configuration Menu . . . . . . . . . . . . . . . . . . . . . . 574
SSL VPN Configuration TunnelGuard Menu . . . . . . . . . . . 576
SSL VPN Configuration Authentication Menu . . . . . . . . . . 578
SSL VPN Configuration Authentication Radius Menu . . . . 579
SSL VPN Configuration Authentication Radius Servers
Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
SSL VPN Configuration Authentication Radius Session
Timeout Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
SSL VPN Configuration Authentication Radius Macro
Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
SSL VPN Configuration Authentication Advanced Menu. . 582
SSL VPN Configuration Network Menu . . . . . . . . . . . . . . . 582
SSL VPN Configuration Network Subnet Menu . . . . . . . . . 583
SSL VPN Configuration Service Menu . . . . . . . . . . . . . . . . 584
SSL VPN Configuration Application specific Menu . . . . . . 585
SSL VPN Configuration Application specific Paths Menu . 587
SSL VPN Configuration AAA Filter Menu . . . . . . . . . . . . . 588
SSL VPN Configuration AAA Group Menu . . . . . . . . . . . . 589
SSL VPN Configuration AAA Group Access Menu . . . . . . 591
SSL VPN Configuration AAA Group Linkset Menu . . . . . . 592
SSL VPN Configuration AAA Group Extend Profiles
Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
SSL VPN Configuration AAA Group Extend Profiles
Access Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
SSL VPN Configuration AAA Group Extend Profiles
Linkset Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
SSL VPN Configuration AAA Group IPsec Menu . . . . . . . 595
SSL VPN Configuration AAA Single-sign on Enabled
Domains Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597


SSL VPN Configuration AAA Single-sign on Headers
Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
SSL VPN Configuration AAA Radius Accounting
Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
SSL VPN Configuration AAA Radius Accounting
Servers Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599
SSL VPN Configuration AAA Radius Accounting
VPN attributes Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
SSL VPN Configuration Server Menu . . . . . . . . . . . . . . . . . 601
SSL VPN Configuration Server Traffic Trace Menu . . . . . . 602
SSL VPN Configuration Server SSL Settings Menu . . . . . . 603
SSL VPN Configuration Server TCP endpoint
Settings Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
SSL VPN Configuration Server HTTP Settings Menu . . . . 606
SSL VPN Configuration Server SSL triggered
rewrite Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
SSL VPN Configuration Server Intranet Proxy
settings Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608
SSL VPN Configuration Server Portal settings Menu . . . . . 609
SSL VPN Configuration Server Advanced Menu . . . . . . . . 609
SSL VPN Configuration Server UDP Syslog Traffic
Log Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610
SSL VPN Configuration Server SSL Connect Menu . . . . . . 611
SSL VPN Configuration Server SSL Connect verify
Server Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
SSL VPN Configuration IPsec Server Menu . . . . . . . . . . . . 612
SSL VPN Configuration IPsec Server IKE Profile Menu . . 614
SSL VPN Configuration IPsec Server IKE Profile
Encryption Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
SSL VPN Configuration IPsec Server IKE Profile
Diffie-Hellman Group Mask Menu . . . . . . . . . . . . . . . . . . . 616
SSL VPN Configuration IPsec Server IKE Profile
NAT Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
SSL VPN Configuration IPsec Server IKE Profile
Dead Peer Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
SSL VPN Configuration IP Pool Menu . . . . . . . . . . . . . . . . 618
SSL VPN Configuration Portal Menu . . . . . . . . . . . . . . . . . 619
SSL VPN Configuration Portal Colors Menu. . . . . . . . . . . . 621

SSL VPN Configuration Portal Full Access Menu . . . . . . . 621


SSL VPN Configuration Portal Language Menu . . . . . . . . . 622
SSL VPN Configuration Portal Whitelist settings Menu . . . 623
SSL VPN Configuration Portal Whitelist settings
Domains Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
SSL VPN Configuration Linkset Menu . . . . . . . . . . . . . . . . 624
SSL VPN Configuration Linkset Link Menu . . . . . . . . . . . . 625
SSL VPN Configuration Linkset Link Internal
Setting Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
SSL VPN Configuration SSL Client Menu . . . . . . . . . . . . . 626
SSL VPN Configuration Advanced Menu . . . . . . . . . . . . . . 627
SSL VPN Configuration Advanced DNS settings Menu . . . 627
SSL Configuration System Menu . . . . . . . . . . . . . . . . . . . . . 628
SSL Configuration System Host Menu . . . . . . . . . . . . . . . . 629
SSL Configuration System Host Routes Menu . . . . . . . . . . 630
SSL Configuration System Host Menu . . . . . . . . . . . . . . . . 631
SSL Configuration System Host Interface Routes Menu . . . 632
SSL Configuration System Host Port Menu. . . . . . . . . . . . . 632
SSL Configuration System Menu . . . . . . . . . . . . . . . . . . . . . 633
SSL Configuration System Time Menu . . . . . . . . . . . . . . . . 633
SSL Configuration System Time NTP servers Menu. . . . . . 634
SSL Configuration System DNS settings Menu. . . . . . . . . . 634
SSL Configuration System DNS Servers settings Menu . . . 635
SSL Configuration System RSA servers Menu . . . . . . . . . . 636
SSL Configuration System SysLog Servers Menu. . . . . . . . 636
SSL Configuration System Access List Menu . . . . . . . . . . . 637
SSL Configuration System Administrative applications
Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638
SSL Configuration System Administrative applications
SNMP Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
SSL Configuration System Administrative applications
SNMPv2 MIB SNMP Menu . . . . . . . . . . . . . . . . . . . . . . . . 640
SSL Configuration System Administrative applications
SNMP Community Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . 640
SSL Configuration System Administrative applications
SNMP Users Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
SSL Configuration System Administrative applications
SNMP Target Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642

SSL Configuration System Administrative applications
Audit Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
SSL Configuration System Administrative applications
Audit Servers Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
SSL Configuration System Administrative applications
HTTP Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
SSL Configuration System Administrative applications
HTTPS Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
SSL Configuration System Administrative applications
SSH Host keys Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
SSL Configuration System Administrative applications
SSH Known Host keys Menu . . . . . . . . . . . . . . . . . . . . . . . . 646
SSL Configuration System Menu . . . . . . . . . . . . . . . . . . . . . 647
SSL Configuration System User Edit Menu. . . . . . . . . . . . . 648
SSL Configuration System User Edit Menu. . . . . . . . . . . . . 648
SSL Configuration Language Support Menu . . . . . . . . . . . . 649
SSL Boot Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
SSL Performance Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . 651
SSL Performance Maintenance Menu . . . . . . . . . . . . . . . . . 652
SSL Performance HSM Menu . . . . . . . . . . . . . . . . . . . . . . . 653
Nortel Application Switch Operating System
Syslog Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
LOG_WARNING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655
LOG_ALERT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .656
LOG_CRIT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .657
LOG_ERR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .657
LOG_NOTICE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .663
LOG_INFO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .665
Nortel Application Switch Operating System SNMP Agent . 667
Performing a Serial Download . . . . . . . . . . . . . . . . . . . . . . . . 671
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677


Preface
The Nortel Application Switch Operating System 23.0.2 Command Reference describes how to
configure and use the Nortel Application Switch Operating System software with your Nortel
Application Switch.
For documentation on installing the switches physically, see the Hardware Installation Guide
for your particular switch model.

Who Should Use This Book


This Command Reference is intended for network installers and system administrators engaged
in configuring and maintaining a network. The administrator should be familiar with Ethernet
concepts, IP addressing, the IEEE 802.1d Spanning Tree Protocol, and SNMP configuration
parameters.

How This Book Is Organized


The Command Line Interface describes how to connect to the switch and access
the information and configuration menus.
First-Time Configuration describes how to use the Setup utility for initial
switch configuration and how to change the system passwords.
Menu Basics provides an overview of the menu system, including a menu map, global commands, and menu shortcuts.
The Information Menu describes how to view switch configuration parameters.
The Statistics Menu describes how to view switch performance statistics.
The Configuration Menu describes how to configure switch system parameters, ports,
VLANs, Spanning Tree Protocol, SNMP, Port Mirroring, IP Routing, Port Trunking, and more.


The SLB Configuration Menu describes how to configure Server Load Balancing, Filtering, Global Server Load Balancing, and more.
The Operations Menu describes how to use commands which affect switch performance
immediately, but do not alter permanent switch configurations (such as temporarily disabling
ports). The menu describes how to activate or deactivate optional software features.
The Boot Options Menu describes the use of the primary and alternate switch images, how
to load a new software image, and how to reset the software to factory defaults.
The Maintenance Menu describes how to generate and access a dump of critical switch state
information, how to clear it, and how to clear part or all of the forwarding database.
Appendix A, Nortel Application Switch Operating System Syslog Messages presents
a listing of syslog messages.
Appendix B, Nortel Application Switch Operating System SNMP Agent lists
the Management Information Bases (MIBs) supported in the switch software.
Appendix C, Performing a Serial Download shows how to directly load a binary software
image into the switch for upgrade or maintenance.
Glossary defines the terminology used throughout the book.
Index includes pointers to the description of the key words used throughout the book.

Related Documentation

Nortel Application Switch Operating System 23.0.2 Application Guide (Part Number
320507-A)
Provides application explanations and configuration examples for the Switch.

Nortel Application Switch Operating System 23.0.2 Browser-Based Interface (BBI) Quick
Guide (Part Number 320508-A)
Provides a description of the Switch BBI and how to configure and access it on the
Switch.

Nortel Application Switch Hardware Installation Guide (Part Number 315396-E)


Provides a description of the Nortel Application Switch hardware, the physical features,
how to install it, and how to troubleshoot it.


Nortel Application Switch Operating System 23.0.2 Release Notes (Part Number 320509A).
This document provides a description of new features and caveats and limitations, if any,
in the software.

Typographic Conventions
The following table describes the typographic styles used in this book.
Table 1 Typographic Conventions

| Typeface or Symbol | Meaning | Example |
| --- | --- | --- |
| AaBbCc123 | This type is used for names of commands, files, and directories used within the text. | View the readme.txt file. |
| | It also depicts on-screen computer output and prompts. | Main# |
| AaBbCc123 (bold) | This bold type appears in command examples. It shows text that must be typed in exactly as shown. | Main# sys |
| <AaBbCc123> | This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. | To establish a Telnet session, enter: host# telnet <IP address> |
| | This also shows book titles, special terms, or words to be emphasized. | Read your User's Guide thoroughly. |
| [ ] | Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets. | host# ls [-a] |


How to Get Help


If you purchased a service contract for your Nortel product from a distributor or authorized
reseller, contact the technical support staff for that distributor or reseller for assistance.
If you purchased a Nortel service program, contact one of the following Nortel
Technical Solutions Centers:
| Technical Solutions Center | Telephone |
| --- | --- |
| Europe, Middle East, and Africa | 00800 8008 9009 or +44 (0) 870 907 9009 |
| North America | (800) 4NORTEL or (800) 466-7835 |
| Asia Pacific | (61) (2) 8870-8800 |
| China | (800) 810-5000 |

Additional information about the Nortel Technical Solutions Centers is available at the following URL:
http://www.nortelnetworks.com/help/contact/global
An Express Routing Code (ERC) is available for many Nortel products and services. When
you use an ERC, your call is routed to a technical support person who specializes in supporting
that product or service. To locate an ERC for your product or service, refer to the following
URL:
http://www.nortelnetworks.com/help/contact/erc/index.html


CHAPTER 1

The Command Line Interface


Your Nortel Application Switch is ready to perform basic switching functions right out of the
box. Some of the more advanced features, however, require some administrative configuration
before they can be used effectively.
The extensive Nortel Application Switch Operating System switching software included in
your switch provides a variety of options for accessing and configuring the switch:

A built-in, text-based command line interface and menu system for access via
local terminal or remote Telnet session

A GUI-based Application Switch Element Manager (ASEM) for interactive network access

SNMP support for access through network management software such as HP OpenView

Nortel Application Switch Operating System Browser-Based Interface (BBI)

The command line interface is the most direct method for collecting switch information and
performing switch configuration. Using a basic terminal, you are presented with a hierarchy of
menus that enable you to view information and statistics about the switch, and to perform any
necessary configuration.
This chapter explains how to access the Command Line Interface (CLI) of the switch.


Connecting to the Switch


You can access the command line interface in any one of the following ways:

Using a console connection via the console port

Using a Telnet connection over the network

Using an SSH connection to securely log into another computer over a network

Establishing a Console Connection


Requirements
To establish a console connection with the switch, you will need the following:

An ASCII terminal or a computer running terminal emulation software set to
the parameters shown in the table below:

Table 1-1 Console Configuration Parameters

| Parameter | Value |
| --- | --- |
| Baud Rate | 9600 |
| Data Bits | 8 |
| Parity | None |
| Stop Bits | 1 |
| Flow Control | None |

A standard serial cable with a male DB9 connector (see your switch hardware installation
guide for specifics).

Procedure
1. Connect the terminal to the Console port using the serial cable.

2. Power on the terminal.

3. To establish the connection, press <Enter> a few times on your terminal.


You will next be required to enter a password for access to the switch. (For more information,
see Setting Passwords on page 47).


Establishing a Telnet Connection


A Telnet connection offers the convenience of accessing the switch from any
workstation connected to the network. Telnet access provides the same options for user access
and administrator access as those available through the console port.
To configure the switch for Telnet access, you need to have a device with Telnet software
located on the same network as the switch. The switch must have an IP address. The switch can
get its IP address in one of two ways:

Dynamically, from a BOOTP server on your network

Manually, when you configure the switch IP address (see Setup Part 1: Basic System
Configuration on page 36).

NOTE You need to enable Telnet and SSH, using a serial connection, before you can use these
methods of accessing the switch. Refer to Establishing a Telnet Connection on page 27.

Using a BOOTP Server


By default, the Nortel Application Switch Operating System software is set up to request its IP
address from a BOOTP server. If you have a BOOTP server on your network, add the MAC
address of the switch to the BOOTP configuration file located on the BOOTP server. The MAC
address can be found on a small white label on the back panel of the switch. The MAC address
can also be found in the System Information menu (see System Information on page 63).
NOTE If connecting to the management port, BOOTP is not supported. The port must be
manually configured with the proper IP address.

Running Telnet
Once the IP parameters on the Nortel Application Switch are configured, you can access the CLI
using a Telnet connection. To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the Telnet command, followed by the switch IP address:
telnet <IP address>

You will then be prompted to enter a password as explained on page 28.


Establishing an SSH Connection


Although a remote network administrator can manage the configuration of a Nortel Application
Switch via Telnet, this method does not provide a secure connection. The SSH (Secure Shell)
protocol enables you to securely log into another computer over a network to execute commands
remotely. As a secure alternative to using Telnet to manage switch configuration, SSH
ensures that all data sent over the network is encrypted and secure.
The switch can perform only one session of key/cipher generation at a time. Thus, an SSH/SCP
client will not be able to log in if the switch is generating keys at that time or if another
client has just logged in before this client. Similarly, the system will fail to generate keys
if an SSH/SCP client is logging in at that time.
The supported SSH encryption and authentication methods are listed below.

Server Host Authentication: Client RSA-authenticates the switch at the beginning of
every connection.

Key Exchange: RSA

Encryption: 3DES-CBC, DES

User Authentication: Local password authentication, Radius

The following SSH clients have been tested:

SSH 1.2.23 and SSH 1.2.27 for Linux (freeware)

SecureCRT 3.0.2 and SecureCRT 3.0.3 (Van Dyke Technologies, Inc.)

F-Secure SSH 1.1 for Windows (Data Fellows)

NOTE The Nortel Application Switch Operating System implementation of SSH is based on
SSH version 1.5 and supports SSH-1.5-1.X.XX. SSH clients of other versions
(especially Version 2) will not be supported.
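
Because the switch speaks only SSH protocol 1.5, an inventory of management endpoints should show which ones still accept protocol 1. The following is an added example, not part of the Nortel guide: it classifies SSH identification lines that have already been collected, and the host addresses and banner strings in it are constructed sample data.

```python
import re

# Identification line format: SSH-<protoversion>-<softwareversion>[ <comments>]
_IDENT = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: (.*))?$")


def classify_ssh_ident(line):
    """Return which SSH protocol generations an identification line offers."""
    m = _IDENT.match(line.strip())
    if m is None:
        return {"software": None, "v1": False, "v2": False,
                "verdict": "unparseable"}
    major, minor, software = int(m.group(1)), int(m.group(2)), m.group(3)
    if (major, minor) == (1, 99):
        # 1.99 marks a protocol 2 server that also accepts protocol 1 clients.
        v1, v2 = True, True
    else:
        v1, v2 = major == 1, major == 2
    if v1 and v2:
        verdict = "v2 with v1 fallback"
    elif v1:
        verdict = "v1 only"
    elif v2:
        verdict = "v2 only"
    else:
        verdict = "unknown protocol version"
    return {"software": software, "v1": v1, "v2": v2, "verdict": verdict}


def v1_exposed_hosts(banners):
    """List (host, verdict) for hosts accepting protocol 1, v1-only first."""
    findings = []
    for host, line in banners.items():
        result = classify_ssh_ident(line)
        if result["v1"]:
            rank = 1 if result["v2"] else 0
            findings.append((rank, host, result["verdict"]))
    return [(host, verdict) for _, host, verdict in sorted(findings)]


# Constructed sample inventory: documentation addresses and made-up banners.
SAMPLE_BANNERS = {
    "192.0.2.10": "SSH-1.5-1.2.27\n",
    "192.0.2.11": "SSH-2.0-ExampleServer_1.0\r\n",
    "192.0.2.12": "SSH-1.99-ExampleServer_1.0\r\n",
    "192.0.2.13": "220 mail.example.test ESMTP\r\n",
}

if __name__ == "__main__":
    for host, verdict in v1_exposed_hosts(SAMPLE_BANNERS):
        print(host, verdict)
```

Hosts reported as "v1 only" can be managed only with the weaker ciphers listed above, so they are candidates for an isolated management network.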

Running SSH
Once the IP parameters are configured and the SSH service is enabled on the Nortel Application
Switch, you can access the command line interface using an SSH connection.
To establish an SSH connection with the switch, run the SSH program on your workstation by
issuing the SSH command, followed by the switch IP address:
>> # ssh <switch IP address>


or, if SecurID authentication is required, use the following command:


>> # ssh -1 ace <switch IP address>

You will then be prompted to enter your user name and password.

Accessing the Switch


To enable better switch management and user accountability, seven levels or classes of user
access have been implemented on the Nortel Application Switch. Levels of access to CLI, Web
management functions, and screens increase as needed to perform various switch management
tasks. Conceptually, access classes are defined as follows:

User interaction with the switch is completely passive: nothing can be changed on the
Nortel Application Switch. Users may display information that has no security or privacy
implications, such as switch statistics and current operational state information.

Operators can only effect temporary changes on the Nortel Application Switch. These
changes will be lost when the switch is rebooted/reset. Operators have access to the switch
management features used for daily switch operations. Because any changes an operator
makes are undone by a reset of the switch, operators cannot severely impact switch operation.

Administrators are the only ones that may make permanent changes to the switch configuration: changes that are persistent across a reboot/reset of the switch. Administrators can
access switch functions to configure and troubleshoot problems on the Nortel Application
Switch. Because administrators can also make temporary (operator-level) changes,
they must be aware of the interactions between temporary and permanent changes.

Access to switch functions is controlled through the use of unique user names and passwords.
Once you are connected to the switch via local console, Telnet, or SSH, you are prompted to
enter a password. The default user names and passwords for each access level are listed in the following table.
NOTE It is recommended that you change default switch passwords after initial configuration
and as regularly as required under your network security policies. For more information, see
Setting Passwords on page 47.


Table 1-2 User Access Levels

User Account | Description and Tasks Performed | Password
User | The User has no direct responsibility for switch management. He or she can view all switch status information and statistics, but cannot make any configuration changes to the switch. | user
SLB Operator | The SLB Operator manages Web servers and other Internet services and their loads. In addition to being able to view all switch information and statistics, the SLB Operator can enable/disable servers using the Server Load Balancing operation menu. | slboper
Layer 4 Operator | The Layer 4 Operator manages traffic on the lines leading to the shared Internet services. This user currently has the same access level as the SLB Operator, and the access level is reserved for future use, to provide access to operational commands for operators managing traffic on the line leading to the shared Internet services. | l4oper
Operator | The Operator manages all functions of the switch. In addition to SLB Operator functions, the Operator can reset ports or the entire switch. | oper
SLB Administrator | The SLB Administrator configures and manages Web servers and other Internet services and their loads. In addition to SLB Operator functions, the SLB Administrator can configure parameters on the Server Load Balancing menus, with the exception of not being able to configure filters or bandwidth management. | slbadmin
Layer 4 Administrator | The Layer 4 Administrator configures and manages traffic on the lines leading to the shared Internet services. In addition to SLB Administrator functions, the Layer 4 Administrator can configure all parameters on the Server Load Balancing menus, including filters and bandwidth management. | l4admin
Administrator | The superuser Administrator has complete access to all menus, information, and configuration commands on the Nortel Application Switch, including the ability to change both the user and administrator passwords. | admin

NOTE With the exception of the admin user, access to each user level can be disabled by
setting the password to an empty value. All user levels below admin will by default be initially disabled (empty password) until they are enabled by the admin user. This prevents
inadvertently leaving the switch open to unauthorized users.


CLI Versus Setup


Once the administrator password is verified, you are given complete access to the switch. If the
switch is still set to its factory default configuration, the system will ask whether you wish to
run Setup (see Chapter 2, First-Time Configuration), a utility designed to help you through
the first-time configuration process. If the switch has already been configured, the Main Menu
of the CLI is displayed instead.
The following table shows the Main Menu with administrator privileges.
[Main Menu]
info    - Information Menu
stats   - Statistics Menu
cfg     - Configuration Menu
oper    - Operations Command Menu
boot    - Boot Options Menu
maint   - Maintenance Menu
diff    - Show pending config changes [global command]
apply   - Apply pending config changes [global command]
save    - Save updated config to FLASH [global command]
revert  - Revert pending or applied changes [global command]
exit    - Exit [global command, always available]

NOTE If you are accessing a user account or Layer 4 administrator account, some menu
options will not be available.

Command Line History and Editing


For a description of global commands, shortcuts, and command line editing functions, see
Menu Basics on page 53.

Idle Timeout
By default, the switch will disconnect your console or Telnet session after five minutes of inactivity. This function is controlled by the idle timeout parameter, which can be set from 1 to 10080
minutes. For information on changing this parameter, see System Configuration on page 261.


CHAPTER 2

First-Time Configuration
To help with the initial process of configuring your switch, the Nortel Application Switch
Operating System software includes a Setup utility. The Setup utility prompts you step-by-step
to enter all the necessary information for basic configuration of the switch. This chapter
describes how to use the Setup utility and how to change system passwords.
NOTE If you are configuring a 2000-SSL Series Switch, you can use the Switch Setup Utility
in the Nortel Application Switch Operating System 2000-SSL Series Quick Setup Guide (part
number 215102-A) instead for setting up the Switch and the SSL Processor. Then return to this
guide for configuration and management information on your Switch.

Using the Setup Utility


Whenever you log in as the system administrator under the factory default configuration, you
are asked whether you wish to run the Setup utility. Setup can also be activated manually from
the command line interface any time after login.

Information Needed For Setup


Setup requests the following information:

Basic system information
  Date & time
  Whether to use BOOTP or not
  Whether to use Spanning Tree Protocol or not
Management port configuration
Optional configuration for each port
  Speed, duplex, flow control, and negotiation mode (as appropriate)
  Whether to use VLAN tagging or not (as appropriate)


Optional configuration for each VLAN
  Name of VLAN
  Which ports are included in the VLAN
Optional configuration of IP parameters
  IP address, subnet mask, and broadcast address, and VLAN for each IP interface
  IP addresses for up to four default gateways
  Destination, subnet mask, and gateway IP address for each IP static route
  Whether IP forwarding is enabled or not
  Whether the RIP supply is enabled or not

Starting Setup When You Log In


The Setup prompt appears automatically whenever you log in as the system administrator under
the factory default settings.
1. Connect to the switch console.

After connecting, the login prompt will appear as shown below.
Enter Password:

2. Enter admin as the default administrator password.

If the factory default configuration is detected, the system prompts:
Connected to Nortel Application Switch 2424
18:44:05 Mon April 12, 2004
The switch is booted with factory default configuration.
To ease the configuration of the switch, a "Set Up" facility which
will prompt you with those configuration items that are essential to
the operation of the switch is provided.
Would you like to run "Set Up" to configure the switch? [y/n]:

NOTE If the default admin login is unsuccessful, or if the administrator Main Menu appears
instead, the system configuration has probably been changed from the factory default settings.
If you are certain that you need to return the switch to its factory default settings, see Selecting a Configuration Block on page 515.


3. Enter y to begin the initial configuration of the switch, or n to bypass the Setup facility.


Stopping and Restarting Setup Manually


Stopping Setup
To abort the Setup utility, press <Ctrl-C> during any Setup question. When you abort Setup,
the system will prompt:
Would you like to run from top again? [y/n]

Enter n to abort Setup, or y to restart the Setup program at the beginning.

Restarting Setup
You can restart the Setup utility manually at any time by entering the following command at
the administrator prompt:
# /cfg/setup

Setup Part 1: Basic System Configuration


When Setup is started, the system prompts:
"Set Up" will walk you through the configuration of
System Date and Time, BOOTP, Spanning Tree, Management port, Port
Speed/Mode,
VLANs, and IP interfaces. [type Ctrl-C to abort "Set Up"]
-----------------------------------------------------------
Will you be configuring VLANs? [y/n]

1. Enter y if you will be configuring VLANs. Otherwise enter n.

If you decide not to configure VLANs during this session, you can configure them later using
the configuration menus, or by restarting the Setup facility. For more information on configuring VLANs, see the Nortel Application Switch Operating System 23.0.2 Application Guide.
Next, the Setup utility prompts you to input basic system information.

2. Enter the year of the current date at the prompt:

System Date:
Enter year [2004]:

Enter the last two digits of the year as a number from 00 to 99. 00 is considered 2000. To
keep the current year, press <Enter>.


3. Enter the month of the current system date at the prompt:

System Date:
Enter month [4]:

Enter the month as a number from 1 to 12. To keep the current month, press <Enter>.

4. Enter the day of the current date at the prompt:

Enter day [12]:

Enter the date as a number from 1 to 31. To keep the current day, press <Enter>.

5. Enter the hour of the current system time at the prompt:

System Time:
Enter hour in 24-hour format [18]:

Enter the hour as a number from 00 to 23. To keep the current hour, press <Enter>.

6. Enter the minute of the current time at the prompt:

Enter minutes [55]:

Enter the minute as a number from 00 to 59. To keep the current minute, press <Enter>.

7. Enter the seconds of the current time at the prompt:

Enter seconds [37]:

Enter the seconds as a number from 00 to 59. To keep the current second, press <Enter>.
The system displays the date and time settings:
System clock set to 18:55:36 Mon April 12, 2004.

8. Enable or disable the use of BOOTP at the prompt:

BootP Option:
Current BOOTP usage:            disabled
Enter new BOOTP usage [d/e]:


If available on your network, a BOOTP server can supply the switch with IP parameters so that
you do not have to enter them manually. BOOTP must be disabled, however, before the system
will prompt for IP parameters.
Enter d to disable the use of BOOTP, or enter e to enable the use of BOOTP. To keep the current setting, press <Enter>.

9. Turn Spanning Tree Protocol on or off at the prompt:

Spanning Tree:
Current Spanning Tree setting: ON
Turn Spanning Tree OFF? [y/n]

Enter y to turn off Spanning Tree, or enter n to leave Spanning Tree on.

Setup Part 2: Port Configuration


NOTE The port configuration options shown in these steps are for the Nortel Application
Switch Operating System 2424. When configuring port options for other switches, some of the
prompts and options may be different.
1. If desired, set up the management port:

Management Port Config:
Configure management port? [y/n] y

If you answer y to configure the management port, you will be prompted for IP address, subnet
mask, broadcast address, default gateway, and other management port options.

2. Select the port to configure, or skip port configuration at the prompt:

Port Config:
Enter port number: (1-28)

If you wish to change settings for individual ports, enter the number of the port you wish to
configure. To skip port configuration, press <Enter> without specifying any port and go to
Setup Part 3: VLANs on page 41.


3. If appropriate, configure Ethernet/Fast Ethernet port speed.

If you selected a port that has an Ethernet/Fast Ethernet connector, the system prompts:
Fast Link Configuration:
Port Speed:
Current Port 1 speed setting:           10/100
Enter new speed ["10"/"100"/"any"]:

Enter the port speed from the options available, or enter any to have the switch auto-sense the
port speed. To keep the current setting, press <Enter>.

4. If appropriate, configure Ethernet/Fast Ethernet port duplex mode.

If you selected a port that has an Ethernet/Fast Ethernet connector, the system prompts:
Port Mode:
Current port 1 mode setting:            any
Enter new speed ["full"/"half"/"any"]

Enter full for full-duplex, half for half-duplex, or any to have the switch auto-negotiate. To
keep the current setting, press <Enter>.

5. If appropriate, configure Ethernet/Fast Ethernet port flow control.

If you selected a port that has an Ethernet/Fast Ethernet connector, the system prompts:
Port Flow Control:
Current Port 1 flow control setting:    both
Enter new value ["rx"/"tx"/"both"/"none"]:

Enter rx to enable receive flow control, tx for transmit flow control, both to enable both, or
none to turn flow control off for the port. To keep the current setting, press <Enter>.

6. If appropriate, configure Ethernet/Fast Ethernet port autonegotiation mode.

If you selected a port that has an Ethernet/Fast Ethernet connector, the system prompts:
Port Auto Negotiation:
Current Port 1 autonegotiation:         on
Enter new value ["on"/"off"]:

Enter on to enable autonegotiation, off to disable it, or press <Enter> to keep the current setting.


7. If appropriate, configure Gigabit Ethernet port flow parameters.

If you selected a port that has a Gigabit Ethernet connector, the system prompts:
Gig Link Configuration:
Port Flow Control:
Current Port 1 flow control setting:    both
Enter new value ["rx"/"tx"/"both"/"none"]:

Enter rx to enable receive flow control, tx for transmit flow control, both to enable both, or
none to turn flow control off for the port. To keep the current setting, press <Enter>.

8. If appropriate, configure Gigabit Ethernet port autonegotiation mode.

If you selected a port that has a Gigabit Ethernet connector, the system prompts:
Port Auto Negotiation:
Current Port 1 autonegotiation:         on
Enter new value ["on"/"off"]:

Enter on to enable port autonegotiation, off to disable it, or press <Enter> to keep the current
setting.

9. If configuring VLANs, enable or disable VLAN tagging for the port.

If you have selected to configure VLANs back in Part 1, the system prompts:
Port VLAN tagging config (tagged port can be a member of multiple VLANs)
Current TAG flag:                       disabled
Enter new TAG status [d/e]:

Enter d to disable VLAN tagging for the port or enter e to enable VLAN tagging for the port.
To keep the current setting, press <Enter>.

10. The system prompts you to configure the next port:

Enter port number:

When you are through configuring ports, press <Enter> without specifying any port. Otherwise, repeat the steps in this section.


Setup Part 3: VLANs


If you chose to skip VLAN configuration back in Part 1, skip to Setup Part 4: IP Configuration on page 42.

1. Select the VLAN to configure, or skip VLAN configuration at the prompt:

VLAN Config:
Enter VLAN number from 2 to 4090, NULL at end:

If you wish to change settings for individual VLANs, enter the number of the VLAN you wish
to configure. To skip VLAN configuration, press <Enter> without typing a VLAN number and
go to Setup Part 4: IP Configuration on page 42.

2. Enter the new VLAN name at the prompt:

VLAN is newly created.
Pending new VLAN name: "VLAN 2"
Enter new VLAN name, without quotes:

Entering a new VLAN name is optional. To use the pending new VLAN name, press <Enter>.

3. Enter the VLAN port numbers.

The system prompts you to define the first port in the VLAN:
Define ports in VLAN:
Current VLAN 2: empty
Enter port numbers one per line, NULL at end:

Type the first port number to add to the current VLAN and press <Enter>. The right angle
prompt appears:
>

For each additional port in the VLAN, type the port number and press <Enter> to move to the
next line. Repeat this until all ports for the VLAN being configured are entered. When you are
finished adding ports to this VLAN, press <Enter> without specifying any port.

4. The system prompts you to configure the next VLAN:

VLAN Config:
Enter VLAN number from 2 to 4090, NULL at end:


Repeat the steps in this section until all VLANs have been configured. When all VLANs have
been configured, press <Enter> without specifying any VLAN.

Setup Part 4: IP Configuration


If BOOTP was enabled back in Part 1, skip to Setup Part 5: Final Steps. Otherwise, if you disabled BOOTP, the system prompts for IP parameters.

IP Interfaces
IP interfaces are used for defining subnets to which the switch belongs.
Up to 256 IP interfaces can be configured on the Nortel Application Switch. The IP address
assigned to each IP interface provides the switch with an IP presence on your network. No two
IP interfaces can be on the same IP subnet. The interfaces can be used for connecting to the
switch for remote configuration, and for routing between subnets and VLANs (if used).
1. Select the IP interface to configure, or skip interface configuration at the prompt:

IP Config:
IP interfaces:
Enter interface number: (1-256)

NOTE The total number of interfaces on a Nortel Application Switch 2424-SSL is 1-255.
If you wish to configure individual IP interfaces, enter the number of the IP interface you wish
to configure. To skip IP interface configuration, press <Enter> without typing an interface
number and go to Default Gateways on page 43.

2. For the specified IP interface, enter the IP address in dotted decimal notation:

Current IP address:             0.0.0.0
Enter new IP address:

To keep the current setting, press <Enter>.

3. At the prompt, enter the IP subnet mask in dotted decimal notation:

Current subnet mask:            0.0.0.0
Enter new subnet mask:


To keep the current setting, press <Enter>.


4. At the prompt, enter the broadcast IP address in dotted decimal notation:

Current broadcast address:      0.0.0.0
Enter new broadcast address:

To keep the current setting, press <Enter>.

5. If configuring VLANs, specify a VLAN for the interface.

This prompt appears if you selected to configure VLANs back in Part 1:
Current VLAN:
Enter new VLAN:

Enter the number for the VLAN to which the interface belongs, or press <Enter> without specifying a VLAN number to accept the current setting.

6. At the prompt, enter y to enable the IP interface, or n to leave it disabled:

Enable IP interface? [y/n]

7. The system prompts you to configure another interface:

Enter interface number: (1-256)

Repeat the steps in this section until all IP interfaces have been configured. When all interfaces
have been configured, press <Enter> without specifying any interface number.

Default Gateways
1. At the prompt, select a default gateway for configuration, or skip default gateway configuration:
IP default gateways:
Enter default gateway number: (1-259)

Enter the number for the default gateway to be configured. To skip default gateway configuration, press <Enter> without typing a gateway number and go to IP Routing on page 44.


2. At the prompt, enter the IP address for the selected default gateway:

Current IP address:             0.0.0.0
Enter new IP address:

Enter the IP address in dotted decimal notation, or press <Enter> without specifying an address
to accept the current setting.

3. At the prompt, enter y to enable the default gateway, or n to leave it disabled:

Enable default gateway? [y/n]

4. The system prompts you to configure another default gateway:

Enter default gateway number: (1-259)

Repeat the steps in this section until all default gateways have been configured. When all
default gateways have been configured, press <Enter> without specifying any number.

IP Routing
When IP interfaces are configured for the various subnets attached to your switch, IP routing
between them can be performed entirely within the switch. This eliminates the need to bounce
inter-subnet communication off an external router device. Routing on more complex networks,
where subnets may not have a direct presence on the Nortel Application Switch, can be accomplished through configuring static routes or by letting the switch learn routes dynamically.
This part of the Setup program prompts you to configure the various routing parameters.
1. At the prompt, enable or disable forwarding for IP Routing:

Enable IP forwarding? [y/n]

Enter y to enable IP forwarding. To disable IP forwarding, enter n and proceed to Step 2. To
keep the current setting, press <Enter>.

2. At the prompt, enable or disable the RIP supply:

Enable RIP supply? [y/n]


Setup Part 5: Final Steps


1. When prompted, decide whether to restart Setup or continue:

Would you like to run from top again? [y/n]

Enter y to restart the Setup utility from the beginning, or n to continue.

2. When prompted, decide whether you wish to review the configuration changes:

Review the changes made? [y/n]

Enter y to review the changes made during this session of the Setup utility. Enter n to continue
without reviewing the changes. We recommend that you review the changes.

3. Next, decide whether to apply the changes at the prompt:

Apply the changes? [y/n]

Enter y to apply the changes, or n to continue without applying. Changes are normally applied.

4. At the prompt, decide whether to make the changes permanent:

Save changes to flash? [y/n]

Enter y to save the changes to flash. Enter n to continue without saving the changes. Changes
are normally saved at this point.

5. If you do not apply or save the changes, the system prompts whether to abort them:

Abort all changes? [y/n]

Enter y to discard the changes. Enter n to return to the Apply the changes? prompt.
NOTE After initial configuration is complete, it is recommended that you change the default
passwords as shown in Setting Passwords on page 47.


Optional Setup for SNMP Support


NOTE This step is optional. Perform this procedure only if you are planning on using SNMP-based tools, such as Nortel ASEM.

NOTE If you need to configure SNMPv3, refer to SNMPv3 Configuration Menu on page
276 of this manual.

1. Enable SNMP and select one of the options.

>> # /cfg/sys/access/snmp (disabled/read-only/read-write) [d/r/w]:

2. Set SNMP read or write community string. By default, they are public and private
respectively.

>> # /cfg/sys/ssnmp/rcomm|wcomm

3. Apply and save configuration if you are not configuring the switch with Telnet support.
Otherwise apply and save after Optional Setup for Telnet Support on page 46.

>> System# apply
>> System# save

Optional Setup for Telnet Support


NOTE This step is optional. Perform this procedure only if you are planning on connecting to
the switch through any telnet application.
1. Enable telnet.

>> # /cfg/sys/access/tnet ena

2. Apply and save SNMP and/or telnet configuration(s).

>> System# apply
>> System# save
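
A pre-deployment check for the optional SNMP and Telnet settings above, the default passwords in Table 1-2 and the idle timeout, given as an added example that is not part of the Nortel guide. The worksheet dictionary format and the max_idle_minutes policy value are assumptions made for this example; the default passwords, community strings and idle range are the ones this guide states.

```python
# Values quoted from this guide: Table 1-2 default passwords, the SNMP
# community defaults, and the idle timeout range in minutes.
DEFAULT_PASSWORDS = {"user", "slboper", "l4oper", "oper",
                     "slbadmin", "l4admin", "admin"}
DEFAULT_COMMUNITIES = {"rcomm": "public", "wcomm": "private"}
IDLE_RANGE = (1, 10080)


def review_plan(plan, max_idle_minutes=15):
    """Return (setting, problem) pairs for a planned switch configuration.

    `plan` is a hypothetical worksheet format invented for this example and
    `max_idle_minutes` stands in for a site policy value.
    """
    findings = []

    for account, password in sorted(plan.get("passwords", {}).items()):
        if password == "":
            # An empty password disables every access level except admin.
            if account == "admin":
                findings.append(("password:admin", "empty password"))
        elif password in DEFAULT_PASSWORDS:
            findings.append((f"password:{account}", "factory default value"))

    # SNMP access mode as entered at /cfg/sys/access/snmp: d, r or w.
    access = plan.get("snmp_access", "d")
    rcomm = plan.get("rcomm", DEFAULT_COMMUNITIES["rcomm"])
    wcomm = plan.get("wcomm", DEFAULT_COMMUNITIES["wcomm"])
    if access in ("r", "w") and rcomm == DEFAULT_COMMUNITIES["rcomm"]:
        findings.append(("snmp:rcomm", "default read community"))
    if access == "w" and wcomm == DEFAULT_COMMUNITIES["wcomm"]:
        findings.append(("snmp:wcomm", "default write community"))

    if plan.get("telnet", False):
        findings.append(("telnet", "enabled, sessions are not encrypted"))

    idle = plan.get("idle", 5)
    if not IDLE_RANGE[0] <= idle <= IDLE_RANGE[1]:
        findings.append(("idle", "outside the 1 to 10080 minute range"))
    elif idle > max_idle_minutes:
        findings.append(
            ("idle", f"{idle} minutes exceeds policy limit of {max_idle_minutes}"))
    return findings


# Constructed sample worksheet for one switch.
SAMPLE_PLAN = {
    "passwords": {"admin": "admin", "user": "", "l4admin": "l4admin",
                  "oper": "Tr4ffic-ops-2006"},
    "snmp_access": "w",
    "rcomm": "public",
    "wcomm": "site-write-7731",
    "telnet": True,
    "idle": 600,
}

if __name__ == "__main__":
    for setting, problem in review_plan(SAMPLE_PLAN):
        print(f"{setting}: {problem}")
```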


At the Enable RIP supply? prompt (IP Routing, Step 2): if your network uses Routing Information Protocol (RIP), enter y to enable the RIP supply. Otherwise, enter n to disable it. When RIP is enabled, RIP listen is set by default.

Setting Passwords
It is recommended that you change the user and administrator passwords after initial configuration and as regularly as required under your network security policies.
To change both the user password and the administrator password, you must log in using the
administrator password. Passwords cannot be modified from the user command mode.
NOTE If you forget your administrator password, call your technical support representative
for help using the password fix-up mode.

Changing the Default Administrator Password


The administrator has complete access to all menus, information, and configuration commands, including the ability to change both the user and administrator passwords.
The default password for the administrator account is admin. To change the default password,
follow this procedure:
1. Connect to the switch and log in using the admin password.

2. From the Main Menu, use the following command to access the Configuration Menu:

Main# /cfg


The Configuration Menu is displayed.

[Configuration Menu]
sys      - System-wide Parameter Menu
port     - Port Menu
pmirr    - Port Mirroring Menu
bwm      - Bandwidth Management Menu
l2       - Layer 2 Menu
l3       - Layer 3 Menu
slb      - Server Load Balancing (Layer 4-7) Menu
security - Security Menu
setup    - Step by step configuration set up
dump     - Dump current configuration to script file
ptcfg    - Backup current configuration to tftp server
gtcfg    - Restore current configuration from tftp server

3. From the Configuration Menu, use the following command to select the System Menu:

>> Configuration# sys

The System Menu is displayed.

[System Menu]
syslog   - Syslog Menu
mmgmt    - Management Port Menu
sshd     - SSH Server Menu
radius   - RADIUS Authentication Menu
tacacs   - TACACS+ Authentication Menu
ntp      - NTP Server Menu
sonmp    - SONMP Menu
ssnmp    - System SNMP Menu
health   - System Health Check Menu
access   - System Access Menu
date     - Set system date
time     - Set system time
idle     - Set timeout for idle CLI sessions
notice   - Set login notice
bannr    - Set login banner
smtp     - Set SMTP host
hprompt  - Enable/disable display hostname (sysName) in CLI prompt
bootp    - Enable/disable use of BOOTP
cur      - Display current system-wide parameters


4. From the System menu, use the following path to select the User menu:

System# access/user

5. Select the administrator password.

System# user/admpw

6. Enter the current administrator password at the prompt:

Changing ADMINISTRATOR password; validation required...
Enter current administrator password:

NOTE If you forget your administrator password, call your technical support representative
for help using the password fix-up mode.

7. Enter the new administrator password at the prompt:

Enter new administrator password:

8. Enter the new administrator password, again, at the prompt:

Re-enter new administrator password:

9. Apply and save your change by entering the following commands:

System# apply
System# save

Changing the Default User Password


The user login has limited control of the switch. Through a user account, you can view switch
information and statistics, but you cannot make configuration changes.
The default password for the user account is user. This password cannot be changed from the
user account. Only the administrator has the ability to change passwords, as shown in the following procedure.


1. Connect to the switch and log in using the admin password.

2. From the Main Menu, use the following command to access the Configuration Menu:

Main# cfg

3. From the Configuration Menu, use the following command to select the System Menu:

>> Configuration# sys

4. Select the user password.

System# access/user/usrpw

5. Enter the current administrator password at the prompt.

Only the administrator can change the user password. Entering the administrator password
confirms your authority.
Changing USER password; validation required...
Enter current administrator password:

6. Enter the new user password at the prompt:

Enter new user password:

7. Enter the new user password, again, at the prompt:

Re-enter new user password:

8. Apply and save your changes:

System# apply
System# save


Changing the Default Layer 4 Administrator Password


The Layer 4 administrator has limited control of the switch. Through a Layer 4 administrator
account, you can view all switch information and statistics, but can configure changes only on
the Server Load Balancing menus.
The default password for the Layer 4 administrator account is l4admin. To change the
default password, follow this procedure:
1. Connect to the switch and log in using the administrator account.

To change any switch password, you must login using the administrator password. Passwords
cannot be modified from the Layer 4 administrator account or the user account.

2. From the Main Menu, use the following path to access the user command:

Main# /cfg/sys/access/user

3. Select the Layer 4 administrator password:

System# l4apw

4. Enter the current administrator password (not the Layer 4 administrator password) at
the prompt:

Changing L4 ADMINISTRATOR password; validation required...
Enter current administrator password:

NOTE If you forget your administrator password, call your technical support representative
for help using the password fix-up mode.

5. Enter the new Layer 4 administrator password at the prompt:

Enter new L4 administrator password:

6. Enter the new administrator password, again, at the prompt:

Re-enter new L4 administrator password:


7. Apply and save your change by entering the following commands:

System# apply
System# save


CHAPTER 3

Menu Basics
The Nortel Application Switch's Command Line Interface (CLI) is used for viewing switch
information and statistics. In addition, the administrator can use the CLI for performing all levels of switch configuration.
To make the CLI easy to use, the various commands have been logically grouped into a series
of menus and sub-menus. Each menu displays a list of commands and/or sub-menus that are
available, along with a summary of what each command will do. Below each menu is a prompt
where you can enter any command appropriate to the current menu.
This chapter describes the Main Menu commands, and provides a list of commands and shortcuts that are commonly available from all the menus within the CLI.

The Main Menu


The Main Menu appears after a successful connection and login. The following table shows
the Main Menu for the administrator login. Some features are not available under the user
login.


NOTE The ssl option is only visible on the Nortel Application Switch Operating System
2000-SSL Series.
[Main Menu]
     info     - Information Menu
     stats    - Statistics Menu
     cfg      - Configuration Menu
     oper     - Operations Command Menu
     boot     - Boot Options Menu
     maint    - Maintenance Menu
     ssl      - SSL Accelerator Menu
     diff     - Show pending config changes [global command]
     apply    - Apply pending config changes [global command]
     save     - Save updated config to FLASH [global command]
     revert   - Revert pending or applied changes [global command]
     exit     - Exit [global command, always available]

Menu Summary

Information Menu
Provides sub-menus for displaying information about the current status of the switch:
from basic system settings to VLANs, Layer 4 settings, and more.

Statistics Menu
Provides sub-menus for displaying switch performance statistics. Included are port, IF, IP,
ICMP, TCP, UDP, SNMP, routing, ARP, DNS, VRRP, and Layer 4 statistics.

Configuration Menu
This menu is available only from an administrator login. It includes sub-menus for configuring every aspect of the switch. Changes to configuration are not active until explicitly
applied. Changes can be saved to non-volatile memory.

Operations Command Menu


Operations-level commands are used for making immediate and temporary changes to
switch configuration. This menu is used for bringing ports temporarily in and out
of service, performing port mirroring, and enabling or disabling Server Load Balancing
functions. It is also used for activating or deactivating optional software packages.

Boot Options Menu


This menu is used for upgrading switch software, selecting configuration blocks, and for
resetting the switch when necessary.


Maintenance Menu
This menu is used for debugging purposes, enabling you to generate a dump of the critical
state information in the switch, and to clear entries in the forwarding database and the
ARP and routing tables.

SSL Accelerator Menu


This menu is used for


Global Commands
Some basic commands are recognized throughout the menu hierarchy. These commands are
useful for obtaining online help, navigating through menus, and for applying and saving configuration changes.
For help on a specific command, type help. You will see the following screen:
Global Commands: [can be issued from any menu]
   help        up          print       pwd
   lines       verbose     exit        quit
   diff        apply       save        revert
   ping        ping6       traceroute  telnet
   history     pushd       popd        who

The following are used to navigate the menu structure:


. Print current menu
.. Move up one menu level
/ Top menu if first, or command separator
! Execute command from history

Table 3-1 Description of Global Commands


Command

Action

? command or help

Provides more information about a specific command on the current menu. When used without the command parameter, a summary of the global commands is displayed.

. or print

Display the current menu.

.. or up

Go up one level in the menu structure.

/

If placed at the beginning of a command, go to the Main Menu. Otherwise, this is used to separate multiple commands placed on the same line.

lines

Set the number of lines (n) that display on the screen at one time. The default
is 24 lines. When used without a value, the current setting is displayed.

diff

Show any pending configuration changes.

apply

Apply pending configuration changes.

save

Write configuration changes to non-volatile flash memory.

revert

Remove pending configuration changes between apply commands. Use this command to restore configuration parameters set since last apply command.

exit or quit

Exit from the command line interface and log out.


ping

Use this command to verify station-to-station connectivity across the network. The format is as follows:
ping <host name>|<IP address> [tries <(1-32)> [msec delay]] [-m|-mgmt|-d|-data]
Where IP address is the hostname or IP address of the device, tries (optional)
is the number of attempts (1-32), msec delay (optional) is the number of milliseconds between attempts. By default, the -d or -data option for network ports is in effect. If the management port is used, specify the -m or
-mgmt option. The DNS parameters must be configured if specifying hostnames (see Domain Name System Configuration Menu on page 379).

ping6

Use this command to verify an IP address and interface connectivity across the network. The format is as follows:
ping6 <IP6 address> <Interface number>
For example:
ping6 3001::1234 - for ping6 global unicast address
ping6 fe80::201:2ff:feb1:10e2 20 - for ping6 link-local address

traceroute

Use this command to identify the route used for station-to-station connectivity across the network. The format is as follows:
traceroute <host name>|<IP address> [<max-hops (1-32)> [msec delay]] [-m|-mgmt|-d|-data]
Where IP address is the hostname or IP address of the target station, max-hops (optional) is the maximum distance to trace (1-16 devices), and delay
(optional) is the number of milliseconds to wait for the response. By default,
the -d or -data option for network ports is in effect. If the management
port is used, specify the -m or -mgmt option. As with ping, the DNS
parameters must be configured if specifying hostnames.

pwd

Display the command path used to reach the current menu.

verbose n

Sets the level of information displayed on the screen:

0 = Quiet: Nothing appears except errors, not even prompts.
1 = Normal: Prompts and requested output are shown, but no menus.
2 = Verbose: Everything is shown.
When used without a value, the current setting is displayed.

telnet

This command is used to telnet out of the switch. The format is as follows:
<hostname>|<IP address> [port] [-m|-mgmt|-d|-data].
Where IP address is the hostname or IP address of the device. By default, the
-d or -data option for network ports is in effect. If the management port
is used, specify the -m or -mgmt option.

history

This command brings up the history of the last 10 commands.


pushd

This command stores the current location of the menu tree. Optionally, a new
path to change to can be specified. The format is as follows:
pushd [<new_path>]

popd

This command takes the user one level back to the menu location stored by
the last pushd command.

who

This command displays session information for the currently logged-in users.


Command Line History and Editing


Using the command line interface, you can retrieve and modify previously entered commands
with just a few keystrokes. The following options are available globally at the command line:
Table 3-2 Command Line History and Editing Options
Option

Description

history

Display a numbered list of the last 10 previously entered commands.

!!

Repeat the last entered command.

!n

Repeat the nth command shown on the history list.

<Ctrl-p>

(Also the up arrow key.) Recall the previous command from the history list. This can
be used multiple times to work backward through the last 10 commands. The recalled
command can be entered as is, or edited using the options below.

<Ctrl-n>

(Also the down arrow key.) Recall the next command from the history list. This can be
used multiple times to work forward through the last 10 commands. The recalled command can be entered as is, or edited using the options below.

<Ctrl-a>

Move the cursor to the beginning of command line.

<Ctrl-e>

Move cursor to the end of the command line.

<Ctrl-b>

(Also the left arrow key.) Move the cursor back one position to the left.

<Ctrl-f>

(Also the right arrow key.) Move the cursor forward one position to the right.

<Backspace>

(Also the Delete key.) Erase one character to the left of the cursor position.

<Ctrl-d>

Delete one character at the cursor position.

<Ctrl-k>

Kill (erase) all characters from the cursor position to the end of the command line.

<Ctrl-l>

Redraw the screen.

<Ctrl-u>

Clear the entire line.

Other keys

Insert new characters at the cursor position.


Command Line Interface Shortcuts


Command Stacking
As a shortcut, you can type multiple commands on a single line, separated by forward slashes
(/). You can connect as many commands as required to access the menu option that you want.
For example, the keyboard shortcut to access the Spanning Tree Port Configuration Menu
from the Main# prompt is as follows:
Main# cfg/l2/stg/port

Command Abbreviation
Most commands can be abbreviated by entering the first characters which distinguish the command from the others in the same menu or sub-menu. For example, the command shown above
could also be entered as follows:
Main# c/l2/st/p

Tab Completion
By entering the first letter of a command at any menu prompt and hitting <Tab>, the CLI will
display all commands or options in that menu that begin with that letter. Entering additional
letters will further refine the list of commands or options displayed. If only one command fits
the input text when <Tab> is pressed, that command will be supplied on the command line,
waiting to be entered. If the <Tab> key is pressed without any input on the command line, the
currently active menu will be displayed.

Configuration Ranges
Most commands now support the use of configuration ranges. Configuration ranges allow the
user to set common parameters on a range of similar items on the switch like ports or VLANs.
For example, the command shown below would set the PVID of ports 1 through 10 to 5.
Main# /cfg/port 1-10/pvid 5


CHAPTER 4

The Information Menu


You can view configuration information for the switch in both the user and administrator command
modes. This chapter discusses how to use the command line interface to display switch information.

/info
Information Menu
[Information Menu]
     sys      - System Information Menu
     l2       - Layer 2 Information Menu
     l3       - Layer 3 Information Menu
     slb      - Layer 4-7 Information Menu
     bwm      - Bandwidth Management Information Menu
     security - Show Security status
     link     - Show link status
     port     - Show port information
     swkey    - Show enabled software features
     dump     - Dump all information

The information provided by each menu option is briefly described in Table 4-1 on page 61,
with pointers to where detailed information can be found.
Table 4-1 Information Menu Options (/info)
Command Syntax and Usage
sys
Displays system menu information. To view menu options, see page 63.
l2
Displays the Layer 2 Information Menu. For details, see page 89.
l3
Displays the Layer 3 information menu. For details, see page 106.

slb
Displays the Layer 4 Information Menu. To view menu options, see page 132.
bwm
Displays Bandwidth Management information. For details, see page 141.
security
Displays current UDP blast settings and the security status of the port. To view a sample, see
page 146.
link
Displays configuration information about each port, including:

Port number
Port speed (10, 100, 10/100, or 1000)
Duplex mode (half, full, or auto)
Flow control for transmit and receive (no, yes, or auto)
Link status (up or down)
For details, see page 147.

port
Displays port status information, including:

Port number
Whether the port uses VLAN Tagging or not
Port VLAN ID (PVID)
Port name
VLAN membership
For details, see page 149.

swkey
Displays a list of all the optional software packages which have been activated or installed on your
switch. For details see page 150.
dump
Dumps all switch information available from the Information Menu (10K or more, depending on
your configuration).
If you want to capture dump data to a file, set your communication software on your workstation to
capture session data prior to issuing the dump commands. For details, see page 150.


/info/sys
System Information Menu
[System Menu]
     snmpv3   - SNMPv3 Information Menu
     general  - Show general system information
     time     - Show date and time
     log      - Show last 64 syslog messages
     slog     - Show last 64 syslog messages saved in FLASH
     mgmt     - Show management port information
     sonmp    - Show SONMP topology table information
     capacity - Show switch capacity information
     fan      - Show switch fan status
     temp     - Show switch temperature sensor status
     encrypt  - Show switch encryption licenses
     user     - Show current user status
     dump     - Dump all system information

Table 4-2 Information System Menu Options (/info/sys)


Command Syntax and Usage
snmpv3
Displays SNMPv3 Information Menu. To view the menu options, see page 65.
general
Displays general system information including:
System information like time, day, and date.
Switch model name and number
How long the switch has been up
Time of last boot
MAC address of the switch management processor
Internal SSL Processor MAC Address if the switch is 2424-SSL
IP address of IP interface #1
Hardware order number and part numbers of the Mainboard Hardware, Management Processor
Board Hardware, and Fast Ethernet Board Hardware
Software image file and version number
Configuration name
Log-in banner, if one is configured
See page 74 for a sample output.

time
Displays the current time.
log
Displays last 64 syslog messages. See page 76 for a sample output and detailed information.

slog
Displays the last 64 syslog messages that are saved in flash. See page 77 for a sample output.
mgmt
Displays Management port information. See page 78 for detailed information.
sonmp
Displays SONMP topology table information. See page 79 for detailed information.
capacity gen|bwm|l2|l3|slb|port
Displays the switch capacity information. This output displays the maximum switch capacity for
the various applications and services that the switch supports. The output contains capacity information about Layer 2, Layer 3, RIP, OSPF, BGP, Route Maps, Network Filters, VRRP, Layer 4-7,
which includes Server Load Balancing, Filters, GSLB, Health Checks, Bandwidth Management,
General switch information, and SNMPv3.
See page 80 for a sample output.
fan
Displays the fan status of the switch.
temp
Displays the temperature status of the switch sensors.
encrypt
Displays the current encryption licenses.
user
Displays the current user names.
dump
Displays all system information. See page 84 for a sample output.


/info/sys/snmpv3
SNMPv3 System Information Menu
SNMP version 3 (SNMPv3) is an extensible SNMP Framework that supplements the SNMPv2
Framework by supporting the following:

a new SNMP message format

security for messages

access control

remote configuration of SNMP parameters

For more details on the SNMPv3 architecture please refer to RFC2271 to RFC2276.
[SNMPv3 Information Menu]
     usm      - Show usmUser table information
     view     - Show vacmViewTreeFamily table information
     access   - Show vacmAccess table information
     group    - Show vacmSecurityToGroup table information
     comm     - Show community table information
     taddr    - Show targetAddr table information
     tparam   - Show targetParams table information
     notify   - Show notify table information
     dump     - Show all SNMPv3 information

Table 4-3 SNMPv3 information Menu Options (/info/sys/snmpv3)


Command Syntax and Usage
usm
Displays User Security Model (USM) table information. To view the table, see page 66.
view
Displays information about view, subtrees, mask and type of view. To view a sample, see page 67.
access
Displays View-based Access Control information. To view a sample, see page 68.
group
Displays information about the group, including the security model, user name, and group
name. To view a sample, see page 69.
comm
Displays the community table information. To view a sample, see page 69.
taddr
Displays the Target Address table information. To view a sample, see page 70.

tparam
Displays the Target parameters table information. To view a sample, see page 71.
notify
Displays the Notify table information. To view a sample, see page 72.
dump
Displays all the SNMPv3 information. To view a sample, see page 73.

/info/sys/snmpv3/usm
SNMPv3 USM User Table Information
The User-based Security Model (USM) in SNMPv3 provides security services such as authentication and privacy of messages. This security model makes use of a defined set of user identities displayed in the USM user table. The USM user table contains information like:

the user name

a security name in the form of a string whose format is independent of the Security Model

an authentication protocol, which is an indication that the messages sent on behalf of the
user can be authenticated

the privacy protocol.

usmUser Table:
User Name                        Protocol
-------------------------------- --------------------------------
admin                            NO AUTH, NO PRIVACY
adminmd5                         HMAC_MD5, DES PRIVACY
adminsha                         HMAC_SHA, DES PRIVACY
v1v2only                         NO AUTH, NO PRIVACY


Table 4-4 USM User Table Information Parameters (/info/sys/usm)


Field

Description

User Name

This is a string that represents the name of the user that you can
use to access the switch.

Protocol

This indicates whether messages sent on behalf of this user are protected from disclosure using a privacy protocol. Nortel Application Switch Operating System 23.0.2 supports the DES algorithm for privacy. The software also supports two authentication algorithms: MD5 and HMAC-SHA.

/info/sys/snmpv3/view
SNMPv3 View Table Information
For security reasons, the user can restrict a group's access to only a subset of the management information in the management domain that the group can access within each context, by
specifying the group's rights in terms of a particular MIB view.
View Name        Subtree           Mask           Type
---------------- ----------------- -------------- --------
org              1.3                              included
v1v2only         1.3                              included
v1v2only         1.3.6.1.6.3.15                   excluded
v1v2only         1.3.6.1.6.3.16                   excluded
v1v2only         1.3.6.1.6.3.18                   excluded

Table 4-5 SNMPv3 View Table Information Parameters (/info/sys/snmpv3/view)


Field

Description

View Name

Displays the name of the view.

Subtree

Displays the MIB subtree as an OID string. A view subtree is the set
of all MIB object instances which have a common Object Identifier
prefix to their names.

Mask

Displays the bit mask.

Type

Displays whether a family of view subtrees is included or excluded from the MIB view.


/info/sys/snmpv3/access
SNMPv3 Access Table Information
The access control sub system provides authorization services.
The vacmAccessTable maps a group name, security information, a context, and a message
type, which could be the read or write type of operation or notification into a MIB view.
The View-based Access Control Model defines a set of services that an application can use for
checking access rights of a group. This group's access rights are determined by a read-view, a
write-view and a notify-view. The read-view represents the set of object instances authorized
for the group while reading the objects. The write-view represents the set of object instances
authorized for the group when writing objects. The notify-view represents the set of object
instances authorized for the group when sending a notification.
Group Name Prefix Model   Level        Match  ReadV    WriteV   NotifyV
---------- ------ ------- ------------ ------ -------- -------- --------
admin             usm     noAuthNoPriv exact  org      org      org
v1v2grp           snmpv1  noAuthNoPriv exact  org      org      v1v2only
admingrp          usm     authPriv     exact  org      org      org

Table 4-6 SNMPv3 Access Table Information (/info/sys/snmpv3/access)


Field

Description

Group Name

Displays the name of the group.

Prefix

Displays the prefix that is configured to match the values.

Model

Displays the security model used, for example, SNMPv1, SNMPv2, or USM.

Level

Displays the minimum level of security required to gain rights of access. For example, noAuthNoPriv, authNoPriv, or authPriv.

Match

Displays the match for the contextName. The options are: exact
and prefix.

ReadV

Displays the MIB view to which this entry authorizes the read
access.

WriteV

Displays the MIB view to which this entry authorizes the write
access.

NotifyV

Displays the Notify view to which this entry authorizes the notify
access.


/info/sys/snmpv3/group
SNMPv3 Group Table Information
A group is a combination of security model and security name that defines the access rights
assigned to all the security names belonging to that group. The group is identified by a group
name.
Sec Model  User Name                      Group Name
---------- ------------------------------ -------------------
snmpv1     v1v2only                       v1v2grp
usm        admin                          admin
usm        adminmd5                       admingrp
usm        adminsha                       admingrp

Table 4-7 SNMPv3 Group Table Information Parameters (/info/sys/snmpv3/group)


Field

Description

Sec Model

Displays the security model used, which is any one of: USM,
SNMPv1, SNMPv2, and SNMPv3.

User Name

Displays the name for the group.

Group Name

Displays the access name of the group.

/info/sys/snmpv3/comm
SNMPv3 Community Table Information
This command displays the community table information stored in the SNMP engine.
Index      Name       User Name            Tag
---------- ---------- -------------------- ----------
trap1      public     v1v2only             v1v2trap


Table 4-8 SNMPv3 Community Table Parameters (/info/sys/snmpv3/comm)


Field

Description

Index

Displays the unique index value of a row in this table.

Name

Displays the community string, which represents the configuration.

User Name

Displays the User Security Model (USM) user name.

Tag

Displays the community tag. This tag specifies a set of transport endpoints from which a command responder application accepts
management requests and to which a command responder application sends an SNMP trap.

/info/sys/snmpv3/taddr
SNMPv3 Target Address Table Information
This command displays the SNMPv3 target address table information, which is stored in the
SNMP engine.
Name       Transport Addr  Port Taglist    Params
---------- --------------- ---- ---------- ---------------
trap1      47.81.25.66     162  v1v2trap   v1v2param

Table 4-9 SNMPv3 Target Address Table Information Parameters (/info/sys/snmpv3/taddr)

Field

Description

Name

Displays the locally arbitrary, but unique identifier associated with this snmpTargetAddrEntry.

Transport Addr

Displays the transport addresses.

Port

Displays the SNMP UDP port number.

Taglist

This column contains a list of tag values which are used to select target addresses for a particular SNMP message.

Params

The value of this object identifies an entry in the snmpTargetParamsTable. The identified entry contains SNMP parameters to be used
when generating messages to be sent to this transport address.


/info/sys/snmpv3/tparam
SNMPv3 Target Parameters Table Information
Name            MP Model User Name      Sec Model Sec Level
--------------- -------- -------------- --------- ------------
v1v2param       snmpv2c  v1v2only       snmpv1    noAuthNoPriv

Table 4-10 SNMPv3 Target Parameters Table Information (/info/sys/snmpv3/tparam)

Field

Description

Name

Displays the locally arbitrary, but unique identifier associated with this snmpTargetParamsEntry.

MP Model

Displays the Message Processing Model used when generating SNMP messages using this entry.

User Name

Displays the securityName, which identifies the entry on whose behalf SNMP messages will be generated using this entry.

Sec Model

Displays the security model used when generating SNMP messages using this entry. The system may choose to return an inconsistentValue error if an attempt is made to set this variable to a
value for a security model which the system does not support.

Sec Level

Displays the level of security used when generating SNMP messages using this entry.


/info/sys/snmpv3/notify
SNMPv3 Notify Table Information
Name                 Tag
-------------------- --------------------
v1v2trap             v1v2trap

Table 4-11 SNMPv3 Notify Table Information (/info/sys/snmpv3/notify)


Field

Description

Name

The locally arbitrary, but unique identifier associated with this snmpNotifyEntry.

Tag

This represents a single tag value which is used to select entries in the snmpTargetAddrTable. Any entry in the snmpTargetAddrTable that contains a tag value equal to the value of this
entry, is selected. If this entry contains a value of zero length, no
entries are selected.


/info/sys/snmpv3/dump
SNMPv3 Dump Information
usmUser Table:
User Name                        Protocol
-------------------------------- --------------------------------
admin                            NO AUTH, NO PRIVACY
adminmd5                         HMAC_MD5, DES PRIVACY
adminsha                         HMAC_SHA, DES PRIVACY
v1v2only                         NO AUTH, NO PRIVACY

vacmAccess Table:
Group Name Prefix Model   Level        Match  ReadV    WriteV   NotifyV
---------- ------ ------- ------------ ------ -------- -------- --------
admin             usm     noAuthNoPriv exact  org      org      org
v1v2grp           snmpv1  noAuthNoPriv exact  org      org      v1v2only
admingrp          usm     authPriv     exact  org      org      org

vacmViewTreeFamily Table:
View Name            Subtree         Mask         Type
-------------------- --------------- ------------ --------------
org                  1.3                          included
v1v2only             1.3                          included
v1v2only             1.3.6.1.6.3.15               excluded
v1v2only             1.3.6.1.6.3.16               excluded
v1v2only             1.3.6.1.6.3.18               excluded

vacmSecurityToGroup Table:
Sec Model  User Name                      Group Name
---------- ------------------------------ ----------------------
snmpv1     v1v2only                       v1v2grp
usm        admin                          admin
usm        adminsha                       admingrp

snmpCommunity Table:
Index      Name       User Name            Tag
---------- ---------- -------------------- ----------

snmpNotify Table:
Name                 Tag
-------------------- --------------------

snmpTargetAddr Table:
Name       Transport Addr  Port Taglist    Params
---------- --------------- ---- ---------- ---------------

snmpTargetParams Table:
Name                 MP Model User Name          Sec Model Sec Level
-------------------- -------- ------------------ --------- ---------
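The tables in this dump can be cross-checked to find groups that may write to the switch's own SNMP security tables without authentication. The Python below is an added example, not Nortel's code: the input is constructed from the sample rows on this page, re-aligned into fixed-width columns, and the function names are hypothetical.

```python
import re

# Constructed input: the sample rows shown on this page, re-aligned into
# fixed-width columns (not captured from a device).
DUMP = """\
usmUser Table:
User Name            Protocol
-------------------- ------------------------
admin                NO AUTH, NO PRIVACY
adminmd5             HMAC_MD5, DES PRIVACY
adminsha             HMAC_SHA, DES PRIVACY
v1v2only             NO AUTH, NO PRIVACY

vacmAccess Table:
Group Name Prefix Model   Level        Match  ReadV    WriteV   NotifyV
---------- ------ ------- ------------ ------ -------- -------- --------
admin             usm     noAuthNoPriv exact  org      org      org
v1v2grp           snmpv1  noAuthNoPriv exact  org      org      v1v2only
admingrp          usm     authPriv     exact  org      org      org

vacmViewTreeFamily Table:
View Name            Subtree          Mask         Type
-------------------- ---------------- ------------ --------
org                  1.3                           included
v1v2only             1.3                           included
v1v2only             1.3.6.1.6.3.15                excluded
v1v2only             1.3.6.1.6.3.16                excluded
v1v2only             1.3.6.1.6.3.18                excluded

vacmSecurityToGroup Table:
Sec Model  User Name            Group Name
---------- -------------------- --------------------
snmpv1     v1v2only             v1v2grp
usm        admin                admin
usm        adminmd5             admingrp
usm        adminsha             admingrp
"""

# SNMP security MIB subtrees (the ones the v1v2only view excludes on this page).
SENSITIVE = {"1.3.6.1.6.3.15": "USM user table",
             "1.3.6.1.6.3.16": "VACM access tables",
             "1.3.6.1.6.3.18": "community table"}

def cut(line, starts):
    """Slice one line at the column start offsets; empty cells stay empty."""
    ends = starts[1:] + [None]
    return [line[a:b].strip() for a, b in zip(starts, ends)]

def parse_tables(text):
    """Return {table name: [row dict]}; column bounds come from the dashed rule."""
    tables, name, starts, header = {}, None, None, []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.endswith(" Table:"):
            name, starts = line[: -len(" Table:")], None
            tables[name] = []
        elif name and starts is None and re.fullmatch(r"-[- ]*", line):
            starts = [m.start() for m in re.finditer(r"-+", line)]
            header = cut(lines[i - 1], starts)
        elif name and starts and line.strip():
            tables[name].append(dict(zip(header, cut(line, starts))))
    return tables

def in_view(views, view, oid):
    """VACM rule: the longest matching subtree decides. Masks are ignored
    (assumption: every Mask cell in the sample is empty)."""
    want, best = oid.split("."), (0, "excluded")
    for row in views:
        sub = row["Subtree"].split(".")
        if row["View Name"] == view and want[: len(sub)] == sub and len(sub) > best[0]:
            best = (len(sub), row["Type"])
    return best[1] == "included"

def audit(text):
    """Return (check, subject, detail) findings for weak SNMPv3 settings."""
    t, findings = parse_tables(text), []
    for u in t["usmUser"]:
        if u["Protocol"].startswith("NO AUTH"):
            findings.append(("usm-noauth", u["User Name"], u["Protocol"]))
    members = {}
    for g in t["vacmSecurityToGroup"]:
        members.setdefault(g["Group Name"], []).append(g["User Name"])
    for a in t["vacmAccess"]:
        if a["Level"] != "noAuthNoPriv" or not a["WriteV"]:
            continue
        hit = [label for oid, label in SENSITIVE.items()
               if in_view(t["vacmViewTreeFamily"], a["WriteV"], oid)]
        if hit:
            who = ",".join(members.get(a["Group Name"], [])) or "-"
            findings.append(("noauth-write", a["Group Name"],
                             f"view {a['WriteV']} covers {'; '.join(hit)} (users: {who})"))
    return findings

if __name__ == "__main__":
    for finding in audit(DUMP):
        print(*finding, sep=" | ")
```

Pointing the write view of a noAuthNoPriv group at a view that excludes these three subtrees, as v1v2only does, clears the corresponding finding.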


/info/sys/general
General System Information
On a Nortel Application Switch 2424:
System Information at 6:56:53 Thu Sep 15, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia (GMT offset -4:00)
Alteon Application Switch 2424
Switch is up 3 days, 11 hours, 28 minutes and 34 seconds.
Last boot: 18:28:09 Sun Sep 11, 2005 (reset from Telnet)
Last apply: unknown
Last save: 5
MAC Address: 00:01:81:2e:bc:50
IP (If 1) Address: 0.0.0.0
Hardware Order No: EB1412006
Serial No: ABCDE600MJ Rev: 09
Mainboard Hardware: Part No: P314090-A Rev: 00
Management Processor Board Hardware: Part No: P314080-A Rev: 00
Fast Ethernet Board Hardware: Part No: P314091-A Rev: 00

Note - When the measured temperature inside the switch EXCEEDs
the high threshold at 62 degree Celsius a syslog message
will be generated.
Software Version 23.0.1 (FLASH image2), active configuration.


On a Nortel Application Switch 2424-SSL:


System Information at 6:56:53 Thu Sep 15, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia (GMT offset -4:00)
Alteon Application Switch 2424-SSL
Switch is up 3 days, 11 hours, 28 minutes and 34 seconds.
Last boot: 18:28:09 Sun Sep 11, 2005 (reset from Telnet)
Last apply: unknown
Last save: 5
MAC Address: 00:01:81:2e:bc:50
IP (If 1) Address: 0.0.0.0
Internal SSL Processor MAC Address: 00:01:81:2e:bc:6f
Hardware Order No: EB1412006
Serial No: ABCDE600MJ Rev: 09
Mainboard Hardware: Part No: P314090-A Rev: 00
Management Processor Board Hardware: Part No: P314080-A Rev: 00
Fast Ethernet Board Hardware: Part No: P314091-A Rev: 00

Note - When the measured temperature inside the switch EXCEEDs
the high threshold at 62 degree Celsius a syslog message
will be generated.
Software Version 23.0.1 (FLASH image2), active configuration.

NOTE: The display of temperature will come up only if the temperature of any of the sensors
exceeds 60°C. There will be a warning from the software if any of the sensors exceeds this
temperature threshold. The switch will shut down if the power supply overheats and the
temperature gets to 100°C. Information about fan failures will also be displayed if one or more
fans are not functioning.


/info/sys/time
Show System Time
>> Main# /info/sys/time
12:52:49 Fri Jul 8, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia
DST on first Sunday of April at 02:00
DST off last Sunday of October at 02:00

/info/sys/log
Show Last 64 Syslog Messages
Date   Time     Criticality level  Message
Nov 19 12:16:51 ALERT   stp: STG 1, new root bridge
Nov 19 13:52:03 ALERT   ip: cannot contact default gateway 47.80.22.1
Nov 19 13:52:23 NOTICE  ip: default gateway 47.80.22.1 operational
Nov 19 13:52:23 NOTICE  ip: default gateway 47.80.22.1 enabled
Nov 19 14:21:27 ALERT   ip: cannot contact default gateway 47.80.22.1
Nov 19 14:21:47 NOTICE  ip: default gateway 47.80.22.1 operational
Nov 19 14:21:47 NOTICE  ip: default gateway 47.80.22.1 enabled
Nov 19 14:38:55 NOTICE  mgmt: admin login from host 47.81.27.4
Nov 19 14:44:02 NOTICE  mgmt: admin idle timeout from Telnet/SSH
Nov 19 16:15:06 INFO    mgmt: new configuration applied
Nov 19 16:15:20 INFO    mgmt: new configuration saved
Nov 19 16:18:44 INFO    mgmt: new configuration applied
Nov 19 16:19:37 ERROR   mgmt: Error: Apply not done
Nov 19 16:19:57 INFO    mgmt: new configuration applied
Nov 19 16:34:35 NOTICE  mgmt: admin login from host 47.81.27.4
Nov 19 16:39:43 NOTICE  mgmt: admin idle timeout from Telnet/SSH
Nov 19 16:39:59 NOTICE  mgmt: admin login from host 47.81.27.4
Nov 19 16:54:13 NOTICE  mgmt: admin idle timeout from Telnet/SSH
Nov 19 17:20:37 NOTICE  mgmt: admin login from host 47.81.27.4
Nov 19 17:26:21 NOTICE  mgmt: admin login from host 47.81.25.49
Nov 19 17:31:53 NOTICE  mgmt: admin idle timeout from Telnet/SSH

Each syslog message has a criticality level associated with it, included in text form as a prefix
to the log message. One of eight different prefixes is used, depending on the condition that the
administrator is being notified of, as shown below.

EMERG: indicates the system is unusable

ALERT: indicates action should be taken immediately

CRIT: indicates critical conditions

ERR: indicates error conditions or error operations

WARNING: indicates warning conditions

NOTICE: indicates a normal but significant condition

INFO: indicates an information message

DEBUG: indicates a debug-level message
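
The following Python sketch is an added example, not part of the Nortel documentation. It parses lines in the date / time / criticality / message layout shown above, rejoins messages that wrap onto a continuation line, and flags the management events an administrator would review. The rule names, the trusted-host set and the sample lines (built from message texts on this page, with documentation-range addresses) are this example's assumptions.

```python
import re

# Criticality prefixes from the list above, most severe first. The list names
# ERR, while the sample output on this page prints ERROR, so both are accepted.
SEVERITY = {"EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3, "ERROR": 3,
            "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7}

# Date, time, criticality level, then "<subsystem>: <message>".
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2})\s+(?P<sev>[A-Z]+)\s+"
    r"(?P<sub>[a-z0-9]+):\s*(?P<msg>.*)$")

# Rule names are this example's own; the message texts are the ones that
# appear in the sample output on this page.
RULES = [
    ("failed_login", re.compile(
        r"^Failed login attempt via (?P<via>\w+)(?: from host (?P<host>\S+))?")),
    ("admin_login", re.compile(r"^admin login from host (?P<host>\S+)")),
    ("image_download", re.compile(
        r"^image\d+ downloaded from host (?P<host>[^,\s]+)")),
    ("switch_reset", re.compile(r"^switch reset from ")),
    ("stp_root_change", re.compile(r"new root bridge")),
]


def parse(text):
    """Return one record per message, joining wrapped continuation lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["rank"] = SEVERITY.get(rec["sev"])  # None if prefix unknown
            records.append(rec)
        elif records:
            # No timestamp: the tail of a message that wrapped onto a new line.
            records[-1]["msg"] += " " + line
    return records


def triage(records, trusted_hosts):
    """Apply RULES; admin logins are reported only from unlisted hosts."""
    findings = []
    for rec in records:
        for name, rx in RULES:
            m = rx.search(rec["msg"])
            if not m:
                continue
            host = m.groupdict().get("host")
            if name == "admin_login":
                if host in trusted_hosts:
                    break
                name = "admin_login_untrusted_host"
            when = "%s %s %s" % (rec["mon"], rec["day"], rec["time"])
            findings.append({"rule": name, "host": host,
                             "sev": rec["sev"], "when": when})
            break
    return findings


def at_or_above(records, level):
    """Records whose criticality is `level` or more severe."""
    limit = SEVERITY[level]
    return [r for r in records if r["rank"] is not None and r["rank"] <= limit]


# Constructed sample input (not captured from a switch).
TRUSTED_HOSTS = {"192.0.2.3"}  # assumed management station
SAMPLE = """\
Sep 11 14:12:03 ERROR   mgmt: tcp open error, cannot contact reporting server
Sep 11 19:21:27 NOTICE  mgmt: Failed login attempt via TELNET from host
198.51.100.237
Sep 11 19:21:48 NOTICE  mgmt: admin login from host 192.0.2.3
Sep 11 19:25:08 INFO    mgmt: image2 downloaded from host 192.0.2.10, file
'example.img', software version 23.0.1
Sep 11 19:26:52 NOTICE  mgmt: switch reset from CLI
Sep 12  9:02:11 NOTICE  mgmt: Failed login attempt via BBI.
Sep 12  9:05:40 NOTICE  mgmt: admin login from host 198.51.100.44
Sep 12  9:06:02 ALERT   stp: STG 1, new root bridge
"""

if __name__ == "__main__":
    recs = parse(SAMPLE)
    for f in triage(recs, TRUSTED_HOSTS):
        print(f["when"], f["sev"], f["rule"], f["host"] or "-")
    print("ERR or worse:", len(at_or_above(recs, "ERR")))
```

Failed logins and image downloads are logged at NOTICE and INFO, so filtering on criticality alone would hide them; the rules match on message text for that reason.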

/info/sys/slog
Last 64 Saved Syslog Messages
Aug 20 13:54:21 NOTICE  ip: management port default gateway 47.80.22.1 operational
Aug 20 13:57:53 ALERT   ip: cannot contact management port default gateway 47.80.22.1
Aug 20 13:57:57 NOTICE  ip: management port default gateway 47.80.22.1 operational
Aug 20 13:58:23 ALERT   ip: cannot contact management port default gateway 47.80.22.1
Aug 20 13:58:33 NOTICE  ip: management port default gateway 47.80.22.1 operational
Aug 24 14:43:43 NOTICE  mgmt: admin login from host 47.81.25.12
Aug 24 14:49:50 NOTICE  mgmt: admin idle timeout from Telnet/SSH
Aug 24 14:51:38 NOTICE  mgmt: admin login from host 47.81.25.12
Aug 24 14:57:30 NOTICE  mgmt: admin idle timeout from Telnet/SSH
Aug 24 15:05:54 NOTICE  mgmt: admin login from host 47.81.25.12
Aug 24 15:11:40 NOTICE  mgmt: admin idle timeout from Telnet/SSH
Aug 24 16:00:40 NOTICE  mgmt: admin login from host 47.81.25.12
Aug 24 16:00:52 NOTICE  mgmt: switch reset from CLI


/info/sys/mgmt
Management Port Information
Speed  Duplex  Link
-----  ------  ----
100    full    up

MAC address:
 00:01:81:2e:a4:8d
Interface information:
 47.80.23.251    255.255.254.0    47.80.23.255
Gateway information:
 47.80.22.1

Use this command to display Management port information on a Nortel Application Switch,
including:

Port speed (10/100)

Duplex mode (half, full, any, or auto)

Link (Up or down)

MAC Address of the system

IP address of the Interface

IP address of the gateway.


/info/sys/sonmp
SONMP Information
This command displays the SynOptics Network Management Protocol (SONMP) topology
table. SONMP is enabled on Nortel Application Switches using the /cfg/sys/sonmp on
command, and is necessary so that a Nortel Application Switch can be discovered
by the Nortel Enterprise Switch Manager. When SONMP is enabled, devices on the network
exchange two kinds of multicast packets: flatnet hellos and segment hellos. The IP
address of the device is written into the hello packets. As the network devices exchange
information, a topology table is built like the one shown below.
Slot   IP address       Seg   MAC address        Chassis Type        Local  State
Port                    Id                                           Seg
-----  ---------------  ----  -----------------  ------------------  -----  ----------
0 /0   47.80.23.247     0     00:01:81:2e:a3:60  Alteon2224          true   topChanged
1 /11  47.80.22.1       770   00:e0:16:7c:28:24  Passport1200        true   heartbeat
1 /11  47.80.23.25      259   00:60:cf:81:54:28  Passport8610        true   heartbeat
1 /11  47.80.23.25      260   00:60:cf:81:54:38  Passport8610        true   heartbeat
1 /11  47.80.23.241     257   00:60:cf:43:a2:10  AlteonAD4           true   topChanged
1 /11  50.10.10.1       263   00:60:cf:46:d5:60  Alteon184           true   topChanged

Table 4-12 SONMP Information Parameters Description

Parameter     Description

Slot Port     Specifies the slot and port on which the topology message was
              received.

IP Address    This is the IP address of the sender of the topology message.

Seg ID        The segment identifier of the segment from which the remote
              agent sent the topology message. Different devices may use
              different methods for representing the segment identifier.

MAC Address   The MAC address of the sender of the topology message.

Chassis Type  The chassis type of the device that sent the topology message.

Local Seg     Indicates if the sender of the topology message is on the same
              Ethernet segment (i.e. not across a bridge) as the reporting agent.

State         The current state of the sender of the topology message. The
              values are:
              topChanged: topology information has recently changed.
              heartbeat: topology information unchanged.
              new: sending agent is in new state.


/info/sys/capacity
System Capacity Information
The following sample output from a Nortel Application Switch 2424 displays the maximum
and currently enabled switch capacity for various services and applications from Layer 2-7.
Maximum

Current(Enabled)

LAYER 2
FDB
FDB per SP
VLANs
Static Trunk Groups
LACP Trunk Groups
Trunks per Trunk Group
Spanning Tree Groups
Port Teams
Monitor Ports

16384
8192
1024
12
28
8
16
8
1

54

LAYER 3
IP Interfaces        256      1(1)
IP Gateways          4+255    1+0(1+0)
IP Routes            4096     7
Static Routes        128      0
ARP Entries          8192     5
Static ARP Entries   128      0
Local Nets           5        0
DNS Servers          2        0
BOOTP Servers        2        0

RIP Interfaces

256

OSPF
OSPF
OSPF
OSPF
OSPF
LSDB

256
3
16
3
128
12288

0(0)
0(0)
0(0)
0(0)
0(0)

Interfaces
Areas
Summary Ranges
Virtual Links
Hosts
Limit

1(1)
0(0)

16(1)
8(0)


BGP Peers
BGP Route Aggregators

16
16

0(0)
0(0)

Route Maps
Network Filters
AS Filters

32
256
8

0(0)
0(0)

VRRP Routers
VRRP Router Groups
VRRP Interfaces

1024
16
256

0(0)
0(0)
0

SLB (LAYER 4-7)


Real Servers
Server Groups
Virtual Servers
Virtual Services
Real Services

1024
1024
1024
1024
8192

0(0)
0
0(0)

Real IDS Servers


IDS Server Groups

62
63

Global
Global
Global
Global
Global
Global
Global
Global
Global
Global
Global

1024
8192
1024
1024
64
2
128
7
128
8
100000

0(0)
0(0)
0(0)
0(0)
0(0)
2(2)
0(0)
7(7)
0(1)
8(8)
100000(100000)

2048
1024
64
5
1024
1048550
64
64
8

0(0)
0
0
0
1
0

SLB
SLB
SLB
SLB
SLB
SLB
SLB
SLB
SLB
SLB
SLB

Domains
Services
Local Servers
Remote Servers
Remote Sites
Failovers per Remote Site
Networks
Geographical Regions
Rules
Metrics Per Rule
DNS Persistence Cache Entries

Filters
PIPs
Scriptable Health Checks
SNMP Health Checks
Rules for URL Parsing
SLB Sessions
Number of Rports to Vport
Domain Records
Mapping Per Domain Record
LAYER 4 - PORTS
Port # Client Server

Filter

0(0)

RTS

BWM
Policies
Contracts
Groups
Contracts per Group
Time Policies per Contract

512
1024
32
8
2

0
1(1)
0

Security
Configuration source IP ACLs
Bogon source IP ACLs
Operations source IP ACLs
Total source IP ACLs
Configuration destination IP ACLs
Operations destination IP ACLs
Total destination IP ACLs
IP DoS attacks prevention
TCP DoS attacks prevention
UDP DoS attacks prevention
ICMP DoS attacks prevention
IGMP DoS attacks prevention
ARP DoS attacks prevention
IPv6 DoS attacks prevention
Total DoS attacks prevention
UDP ports for UDP blast protection

5120
8192
1024
14340
1024
1024
2052
17
18
6
5
3
5
2
56
5000

0
0
0
0
0
0
0

GENERAL
Syslog hosts
RADIUS servers
NTP servers
SMTP hosts
Mnet/Mmask
End Users
Panic Dumps
MP memory
SP memory

2
2
1
1
5
10
2
128M
128M

0
0
0
1
0

SNMPv3 Users                    16     3
SNMPv3 Views                    128    5
SNMPv3 Access Groups            32     2
SNMPv3 Target Address Entries   16     0
SNMPv3 Target Params Entries    16     0


/info/sys/fan
Show switch fan status
>> System# fan
Fans OK.

/info/sys/temp
Show switch temperature sensor status
>> System# temp
Temperature OK.

/info/sys/encrypt
Show encryption licenses
AOS contains the following encryption licenses:
BLOWFISH
DES & 3DES
MD5
RC4
SHA-1

/info/sys/user
Show current user status
Usernames:
 user      enabled
 slboper   disabled
 l4oper    disabled
 oper      disabled
 slbadmin  disabled
 l4admin   disabled
 admin     Always Enabled

Note: there are pending config changes; use "diff" to see them.
Current User ID table:


/info/sys/dump
System Information Dump
System Information at 7:02:06 Thu Sep 15, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia (GMT offset -4:00)
Alteon Application Switch 2424-SSL
Switch is up 3 days, 11 hours, 33 minutes and 48 seconds.
Last boot: 18:28:09 Sun Sep 11, 2005 (reset from Telnet)
Last apply: unknown
Last save: 5
MAC Address: 00:01:81:2e:bc:50
IP (If 1) Address: 0.0.0.0
Internal SSL Processor MAC Address: 00:01:81:2e:bc:6f
Hardware Order No: EB1412006
Serial No: ABCDE600MJ Rev: 09
Mainboard Hardware: Part No: P314090-A Rev: 00
Management Processor Board Hardware: Part No: P314080-A Rev: 00
Fast Ethernet Board Hardware: Part No: P314091-A Rev: 00

Note - When the measured temperature inside the switch EXCEEDs
the high threshold at 62 degree Celsius a syslog message
will be generated.
Software Version 23.0.1 (FLASH image2), active configuration.
Last 64 syslog messages:
Sep 12 10:42:19 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 11:03:13 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 11:27:48 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 11:54:07 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 12:19:01 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 12 13:57:54 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 14:02:58 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 14:07:27 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 14:10:03 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 14:19:44 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 14:59:20 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 15:08:06 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 15:09:43 NOTICE mgmt: admin idle timeout from Telnet/SSH
Sep 12 15:15:08 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 15:15:32 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 15:58:30 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 16:00:02 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 17:56:01 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 12 23:33:01 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 13 5:10:01 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 13 10:47:01 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 13 16:24:00 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 13 22:01:00 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 14 3:38:00 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 14 9:15:00 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 14 10:23:04 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 10:23:05 ERROR  cli: Error: VLAN 5 doesn't exist; the PVID for port 1
                       (5) needs to be changed
Sep 14 10:23:05 ERROR  cli: Error: PVID 5 for port 1 is not created
Sep 14 10:23:05 ERROR  mgmt: Error: Apply not done
Sep 14 10:24:45 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 11:30:36 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 11:35:25 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 11:35:40 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 11:39:37 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 11:49:12 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 11:58:20 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 13:41:54 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 13:46:18 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 14:37:07 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 14:52:00 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 14 14:58:57 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 16:09:44 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 16:20:44 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 16:24:58 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 16:30:51 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 16:48:16 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 16:50:34 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 16:57:47 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 16:57:55 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 17:00:02 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 17:04:59 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 17:05:49 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 17:06:05 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 19:54:04 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 20:00:22 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 20:01:47 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 20:22:49 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 20:23:10 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 20:23:55 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 20:29:00 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 14 20:40:41 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 21:43:51 NOTICE mgmt: admin idle timeout from Telnet/SSH
Sep 15 2:06:00 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 15 6:56:45 NOTICE mgmt: admin login from host 192.168.0.3


Last 64 syslog messages saved in FLASH:


Sep 8 10:44:06 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 10:48:43 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 10:49:32 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 10:50:18 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 10:57:59 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 10:57:42 ERROR  cli: Error: IP interface 2 has no IP address configured
Sep 8 10:57:42 ERROR  mgmt: Error: Apply not done
Sep 8 10:58:19 INFO   mgmt: new configuration applied
Sep 8 10:58:20 INFO   mgmt: Operational change made by Admin from Telnet:192.168.0.3, login since 10:56:59
Sep 8 10:58:33 INFO   mgmt: new configuration saved
Sep 8 10:58:44 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 11:09:21 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 11:58:21 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 13:11:00 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 8 15:31:08 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 15:31:21 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 18:48:00 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 9 0:25:00 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 9 6:02:04 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 9 9:15:45 NOTICE mgmt: admin login from host 192.168.0.3
Sep 9 9:23:27 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 9 10:32:10 NOTICE mgmt: admin login from host 192.168.0.3
Sep 9 10:33:40 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 9 11:39:03 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 9 13:37:24 NOTICE mgmt: admin login from host 192.168.0.3
Sep 9 13:37:53 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 9 13:38:07 NOTICE mgmt: Failed login attempt via BBI.
Sep 9 13:38:22 NOTICE mgmt: Failed login attempt via BBI.
Sep 9 16:00:10 NOTICE mgmt: admin login from host 192.168.0.3
Sep 9 16:00:13 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 9 17:16:03 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 9 22:53:03 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 10 4:30:03 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 10 10:07:03 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 10 15:44:03 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 10 21:21:03 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 11 2:58:03 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 11 8:35:03 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 11 14:12:03 ERROR  mgmt: tcp open error, cannot contact reporting server
Sep 11 19:21:27 NOTICE mgmt: Failed login attempt via TELNET from host
                       192.168.249.237
Sep 11 19:21:48 NOTICE mgmt: admin login from host 192.168.0.3
Sep 11 19:25:08 INFO   mgmt: image2 downloaded from host 192.168.0.10, file
                       'AAS-23.0.1.0-2000-AlteonOS.img', software version 23.0.1
Sep 11 19:26:39 NOTICE mgmt: Next boot will use new image2.
Sep 11 19:26:52 NOTICE mgmt: switch reset from CLI

Management port information:


Speed  Duplex  Link
-----  ------  ----
100    half    up

MAC address:
 00:03:24:6e:bd:3d
Interface information:
 192.168.0.13    255.255.255.0    192.168.0.255
Gateway information:
 192.168.0.1

Engine ID = 80:00:07:50:03:00:01:81:2E:BC:50
usmUser Table:
User Name                        Protocol
-------------------------------- --------------------------------
adminmd5                         HMAC_MD5, DES PRIVACY
adminsha                         HMAC_SHA, DES PRIVACY
v1v2only                         NO AUTH, NO PRIVACY

vacmAccess Table:
Group Name Prefix Model   Level        Match  ReadV      WriteV     NotifyV
---------- ------ ------- ------------ ------ ---------- ---------- ----------
v1v2grp           snmpv1  noAuthNoPriv exact  iso        iso        v1v2only
admingrp          usm     authPriv     exact  iso        iso        iso

vacmViewTreeFamily Table:
View Name            Subtree                        Mask           Type
-------------------- ------------------------------ -------------- --------
iso                  1                                             included
v1v2only             1                                             included
v1v2only             1.3.6.1.6.3.15                                excluded
v1v2only             1.3.6.1.6.3.16                                excluded
v1v2only             1.3.6.1.6.3.18                                excluded

vacmSecurityToGroup Table:
Sec Model  User Name                      Group Name
---------- ------------------------------ ------------------------------
snmpv1     v1v2only                       v1v2grp
usm        adminmd5                       admingrp
usm        adminsha                       admingrp


snmpCommunity Table:
Index      Name       User Name            Tag
---------- ---------- -------------------- ----------
snmpNotify Table:
Name                 Tag
-------------------- --------------------
snmpTargetAddr Table:
Name       Transport Addr  Port Taglist    Params
---------- --------------- ---- ---------- ---------------
snmpTargetParams Table:
Name                 MP Model User Name            Sec Model Sec Level
-------------------- -------- -------------------- --------- ---------
Slot  IP address      Seg  MAC address       Chassis Type      Local State
Port                  Id                                       Seg
----- --------------- ---- ----------------- ----------------- ----- -------


/info/l2
Layer 2 Information Menu
[Layer 2 Menu]
fdb   - Forwarding Database Information Menu
lacp  - Link Aggregation Control Protocol Menu
stg   - Show STG information
cist  - Show CIST information
trunk - Show Trunk Group information
vlan  - Show VLAN information
team  - Show port team information
dump  - Dump all layer 2 information

Table 4-13 Layer 2 Information Menu Options

Command Syntax and Usage
fdb
Displays the Forwarding Database Information Menu. For details, see page 90.
lacp
Displays Link Aggregation Control Protocol Information Menu. For details, see page 93.
stg <STG index to display or carriage return for all STGs>
In addition to seeing if Spanning Tree Protocol is enabled or disabled, you can view the following
STP bridge information:
  Priority
  Hello interval
  Maximum age value
  Forwarding delay
  Aging time
You can also see the following port-specific STP information:
  Port number and priority
  Cost
  State
For details, see page 96.
cist
Displays the CIST information.
trunk
When trunk groups are configured, you can view the state of each port in the various trunk groups.
For details, see page 102.
vlan <VLAN number to display or carriage return to display all VLANs>
Displays VLAN configuration information, including:
  VLAN Number
  VLAN Name
  Status
  Port membership of the VLAN
For details, see page 103.
team
Show port team information.
dump
Displays all Layer 2 information.

/info/l2/fdb
Layer 2 FDB Information
The forwarding database (FDB) contains information that maps the media access control
(MAC) address of each known device to the switch port where the device address was learned.
The FDB also shows which other ports have seen frames destined for a particular MAC
address.
[Forwarding Database Menu]
find  - Show a single FDB entry by MAC address
port  - Show FDB entries on a single port
trunk - Show FDB entries on a single trunk
vlan  - Show FDB entries on a single VLAN
refpt - Show FDB entries referenced by a single SP
dump  - Show all FDB entries


NOTE: The master forwarding database supports up to 16K MAC address entries on the MP
per switch. Each SP supports up to 8K entries.

Table 4-14 Layer 2 FDB Information Menu Options (/info/l2/fdb)
Command Syntax and Usage
find <MAC address> [<VLAN>]
Displays a single database entry by its MAC address. You are prompted to enter the MAC address
of the device. Enter the MAC address using the format, xx:xx:xx:xx:xx:xx. For example,
08:00:20:12:34:56.
You can also enter the MAC address using the format, xxxxxxxxxxxx.
For example, 080020123456.
port <port number, 0 for "unknown">
Displays all FDB entries for a particular port.
trunk <trunk group number>
Displays all FDB entries on a single trunk.
vlan <VLAN number (1-4090)>
Displays all FDB entries on a single VLAN.
refpt <SP number (1-4)>
Displays the FDB entries referenced by a single port.
dump
Displays all entries in the Forwarding Database. For more information, see page 92.


/info/l2/fdb/dump
Show All FDB Information
MAC address        VLAN  Port  State  Referenced SPs  Referenced ports
-----------------  ----  ----  -----  --------------  ----------------
00:02:01:00:00:00  300   23    FWD    1 2             1 23
00:02:01:00:00:01  300   23    FWD    1 2             1 23
00:02:01:00:00:02  300   23    FWD    1 2             1 23
00:02:01:00:00:03  300   23    FWD    1 2             1 23
00:02:01:00:00:04  300   23    FWD    1 2             1 23
00:02:01:00:00:05  300   23    FWD    1 2             1 23
00:02:01:00:00:06  300   23    FWD    1 2             1 23
00:02:01:00:00:07  300   23    FWD    1 2             1 23
00:02:01:00:00:08  300   23    FWD    1 2             1 23
00:02:01:00:00:09  300   23    FWD    1 2             1 23
00:02:01:00:00:0a  300   23    FWD    1 2             1 23
00:02:01:00:00:0b  300   23    FWD    1 2             1 23
00:02:01:00:00:0c  300   23    FWD    1 2             1 23

An address that is in the forwarding (FWD) state has been learned by the switch.
When in the trunking (TRK) state, the port field represents the trunk group number. If the state
for the port is listed as unknown (UNK), the MAC address has not yet been learned by the
switch, but has only been seen as a destination address. When an address is in the unknown
state, no outbound port is indicated, although ports which reference the address as a destination
will be listed under Referenced ports.
If the state for the port is listed as an interface (IF), the MAC address is for a standard VRRP
virtual router. If the state is listed as a virtual server (VIP), the MAC address is for a virtual
server router, that is, a virtual router with the same IP address as a virtual server.
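
The following Python sketch is an added example, not part of the Nortel documentation. It reads a dump in the column order shown above and applies the state meanings just described: it counts learned addresses per port and per trunk group, lists UNK addresses, and flags ports that hold more addresses than a site-chosen limit. The sample rows, the limit of 3, and the assumption that a UNK row leaves the Port column empty (or shows 0) are this example's own.

```python
import re
from collections import Counter

STATES = {"FWD", "TRK", "UNK", "IF", "VIP"}   # states described above
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
FDB_MAX = 16384   # "up to 16K MAC address entries on the MP" (NOTE above)


def parse_fdb(text):
    """Parse dump rows: MAC, VLAN, Port, State, then the reference columns."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        # Data rows start with a MAC address and a VLAN number; the header,
        # the ruler and blank lines do not.
        if len(tok) < 3 or not MAC_RE.match(tok[0]) or not tok[1].isdigit():
            continue
        if tok[2] in STATES:
            # Assumed layout for UNK rows: no outbound port is printed.
            port, state, refs = None, tok[2], tok[3:]
        elif len(tok) >= 4 and tok[2].isdigit() and tok[3] in STATES:
            port, state, refs = int(tok[2]), tok[3], tok[4:]
        else:
            continue
        if state == "UNK":
            port = None   # never learned, so there is no outbound port
        entries.append({"mac": tok[0].lower(), "vlan": int(tok[1]),
                        "port": port, "state": state,
                        "refs": " ".join(refs)})
    return entries


def summarize(entries, max_macs_per_port):
    """Count learned MACs per port/trunk and collect destination-only MACs."""
    learned = Counter()
    unknown = []
    for e in entries:
        if e["state"] == "UNK":
            unknown.append(e["mac"])
        elif e["port"] is None:
            continue
        elif e["state"] == "FWD":
            learned[("port", e["port"])] += 1
        elif e["state"] == "TRK":
            # In TRK state the port field is the trunk group number.
            learned[("trunk", e["port"])] += 1
        # IF and VIP rows are virtual router addresses, not learned stations.
    over = sorted(k for k, n in learned.items() if n > max_macs_per_port)
    return {"entries": len(entries),
            "fill": len(entries) / FDB_MAX,
            "learned": dict(learned),
            "over_limit": over,
            "unknown": unknown}


# Constructed sample dump (not captured from a switch).
SAMPLE_DUMP = """\
MAC address        VLAN  Port  State  Referenced SPs  Referenced ports
-----------------  ----  ----  -----  --------------  ----------------
00:02:01:00:00:00  300   23    FWD    1 2             1 23
00:02:01:00:00:01  300   23    FWD    1 2             1 23
00:02:01:00:00:02  300   23    FWD    1 2             1 23
00:02:01:00:00:03  300   23    FWD    1 2             1 23
00:00:5e:00:53:10  1     4     FWD    1               4
00:00:5e:00:53:20  1     2     TRK    1               1
00:00:5e:00:53:30  1           UNK    1               4
"""

if __name__ == "__main__":
    report = summarize(parse_fdb(SAMPLE_DUMP), max_macs_per_port=3)
    print("entries:", report["entries"], "of", FDB_MAX)
    print("over limit:", report["over_limit"])
    print("destination-only (UNK):", report["unknown"])
```

Many sequential addresses learned on one port, as in the sample dump above, is expected on an uplink and worth a look on a port meant for a single host.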

Clearing Entries from the Forwarding Database


To delete a MAC address from the forwarding database (FDB) or to clear the entire FDB, refer
to Forwarding Database Options on page 522.


/info/l2/lacp
Link Aggregation Control Protocol Information Menu
The following menu options display the Link Aggregation Control Protocol (LACP) information on the Nortel Application Switch Operating System.
[LACP Menu]
aggr - Show LACP aggregator information for the port
port - Show LACP port information
dump - Show all LACP ports information

Table 4-15 Link Aggregation Control Protocol Information Menu Options (/info/lacp)
Command Syntax and Usage
aggr <aggregator index 1 to max num ports>
Displays information of an LACP aggregator.
port <port index 1 to max num ports>
Displays information of an LACP port.
dump
Displays LACP information of all the ports. Use this command to verify the state of ports in an
LACP trunk group. To view a sample output, see page 96.


/info/lacp/aggr
LACP Aggregator Information
Aggregator Id 1
----------------------------------------------
MAC address             - 00:01:81:2e:a1:d1
Actor System Priority   - 32768
Actor System ID         - 00:01:81:2e:a1:b0
Individual              - FALSE
Actor Admin Key         - 300
Actor Oper Key          - 300
Partner System Priority - 32768
Partner System ID       - 00:0d:29:e3:4a:00
Partner Oper Key        - 1
ready                   - TRUE
Number of Ports in aggr - 10
index 0   port 1
index 1   port 2
index 2   port 3
index 3   port 4
index 4   port 5
index 5   port 6
index 6   port 7
index 7   port 8
index 8   port 9
index 9   port 10


/info/lacp/port
LACP Port Information
port 1
----------------------------------------------
lacp_enabled                  - TRUE
lacp_admin_enabled            - TRUE
Actor System ID               - 00:01:81:2e:a1:b0
Actor System Priority         - 32768
Actor Admin Key               - 300
Actor Oper Key                - 300
Actor Port Number             - 1
Actor Port Priority           - 32768
Partner Admin System Priority - 0
Partner Oper System Priority  - 32768
Partner Admin System ID       - 00:00:00:00:00:00
Partner Oper System ID        - 00:0d:29:e3:4a:00
Partner Admin Key             - 0
Partner Oper Key              - 1
Partner Admin Port Number     - 0
Partner Admin Port Priority   - 0
Partner Oper Port Number      - 4
Partner Oper Port Priority    - 32768

Actor Admin Port state


Activity:
Active Timeout:
Synchronization:FALSE Collecting:
Defaulted:
FALSE
Expired:
Actor Oper Port state
Activity:
Active Timeout:
Synchronization:TRUE
Collecting:
Defaulted:
FALSE
Expired:
Partner Admin Port state
Partner Oper Port state

Long
FALSE
FALSE

Aggregation:
Distributing:

Long
Aggregation:
TRUE
Distributing:
FALSE

TRUE
FALSE

TRUE
TRUE

- 0x0

Individual              - TRUE
Selected Aggregator ID  - 0
Attached Aggregator ID  - 0
ready_n                 - FALSE
ntt                     - FALSE
selected                - Unselcted
port_moved              - FALSE
Collection and Distribution state turned ON!
Rx machine state        - LACP_RX_INIT_STATE
Mux machine state       - LACP_MUX_DETACHED_STATE
Periodic machine state  - LACP_PERIODIC_NO_STATE


/info/lacp/dump
LACP Dump Information
port  lacp    adminkey  operkey  selected  prio   attached  trunk
                                                  aggr
-------------------------------------------------------------------
1     active  300       300      y         32768  1         13
2     active  300       300      y         32768  1         13
3     active  300       300      y         32768  1         13
4     active  300       300      y         32768  1         13
5     active  300       300      y         32768  1         13
6     active  300       300      y         32768  1         13
7     active  300       300      y         32768  1         13
8     active  300       300      y         32768  1         13
9     active  300       300      n         32768  --
10    active  300       300      n         32768  --
11    active  300       300      n         32768  --
12    active  300       300      n         32768  --
13    active  300       300      n         32768  --
14    off     14        14       n         32768  --
15    off     15        15       n         32768  --
16    off     16        16       n         32768  --
17    off     17        17       n         32768  --
18    off     18        18       n         32768  --
19    off     19        19       n         32768  --
20    off     20        20       n         32768  --
21    off     21        21       n         32768  --
22    off     22        22       n         32768  --
23    off     23        23       n         32768  --
24    off     24        24       n         32768  --
25    off     25        25       n         32768  --
26    off     26        26       n         32768  --
27    off     27        27       n         32768  --
28    off     28        28       n         32768  --


/info/l2/stg
Layer 2 Spanning Tree Group Information
When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the network
so that a switch uses only the most efficient path.
NOTE: Nortel Application Switch Operating System 23.0.2 supports up to 16 multiple Spanning Trees or Spanning Tree Groups.
Spanning Tree Group 1: On
Current Root:            Path-Cost  Port  Hello  MaxAge  FwdDel  Aging
 8000 00:01:81:2e:a1:80  0          0     2      20      15      300
Parameters:  Priority  Hello  MaxAge  FwdDel  Aging
             32768     2      20      15      300

Port  Priority  Cost  State       Designated Bridge       Des Port
----  --------  ----  ----------  ----------------------  --------
1     128       0     DISABLED
2     128       0     DISABLED
3     128       0     DISABLED
4     128       0     DISABLED
5     128       5     FORWARDING  8000-00:01:81:2e:a1:80  32773
6     128       0     DISABLED
7     128       0     DISABLED
8     128       0     DISABLED
9     128       0     DISABLED
10    128       0     DISABLED
11    128       0     DISABLED

The switch software uses the IEEE 802.1d Spanning Tree Protocol (STP). In addition to seeing
if STP is enabled or disabled, you can view the following STP bridge information:

Priority

Hello interval

Maximum age value

Forwarding delay

Aging time


You can also see the following port-specific STP information:

Port number and priority

Cost

State

Designated Bridge

Designated Port

The following table describes the STP parameters.


Table 4-16 Spanning Tree Parameter Descriptions

Parameter          Description
-----------------  ------------------------------------------------------------
Priority (bridge)  The bridge priority parameter controls which bridge on the
                   network will become the STP root bridge.
Hello              The hello time parameter specifies, in seconds, how often
                   the root bridge transmits a configuration bridge protocol
                   data unit (BPDU). Any bridge that is not the root bridge
                   uses the root bridge hello value.
MaxAge             The maximum age parameter specifies, in seconds, the maximum
                   time the bridge waits without receiving a configuration
                   bridge protocol data unit before it reconfigures the STP
                   network.
FwdDel             The forward delay parameter specifies, in seconds, the
                   amount of time that a bridge port has to wait before it
                   changes from learning state to forwarding state.
Aging              The aging time parameter specifies, in seconds, the amount
                   of time the bridge waits without receiving a packet from a
                   station before removing the station from the Forwarding
                   Database.
priority (port)    The port priority parameter helps determine which bridge
                   port becomes the designated port. In a network topology that
                   has multiple bridge ports connected to a single segment, the
                   port with the lowest port priority becomes the designated
                   port for the segment.
Cost               The port path cost parameter is used to help determine the
                   designated port for a segment. Generally speaking, the
                   faster the port, the lower the path cost. A setting of 0
                   indicates that the cost will be set to the appropriate
                   default after the link speed has been auto negotiated.
State              The state field shows the current state of the port. The
                   state field can be either BLOCKING, LISTENING, LEARNING,
                   FORWARDING, or DISABLED.


Designated Bridge  The designated bridge resides closest to the root bridge and
                   is responsible for forwarding packets from the LAN towards
                   the root bridge. This bridge is displayed as a character
                   string starting with the bridge priority (1-65535), followed
                   by a hyphen and the six-byte MAC address of that switch.
Designated port    The designated port identifies a physical port. This is a
                   number that is the numerical sum of the bridge priority and
                   the actual physical port number. For example, physical port
                   number four with bridge priority 32768 will be displayed as
                   32768+4=32772.


/info/l2/cist
Show common internal spanning tree (CIST) information
NOTE: Nortel Application Switch Operating System 23.0.2 supports up to 16 multiple Spanning Trees or Spanning Tree Groups.
------------------------------------------------------------------
Common Internal Spanning Tree:

VLANs:  1 4-4094

Current Root:            Path-Cost  Port  MaxAge  FwdDel
 8000 00:01:81:2e:bc:50          0     0      20      15

Cist Regional Root:      Path-Cost
 8000 00:01:81:2e:bc:50          0

Parameters:  Priority  MaxAge  FwdDel  Hops
                32768      20      15    20

Port    Prio  Cost   State  Role  Designated Bridge       Des Port  Hello  Type
------  ----  -----  -----  ----  ----------------------  --------  -----  ------
1       128   20000  DSB
2       128   20000  DSB
3       128   20000  DSB
4       128   20000  DSB
5       128   20000  DSB
6       128   20000  DSB
7       128   20000  DSB
.
.
.
18      128   20000  DSB
19      128   20000  DSB
20      128   20000  DSB
21      128   20000  DSB
22      128   20000  DSB
23      128   20000  DSB
24      128   20000  DSB
25      128   20000  DSB
26      128   20000  DSB
27      128   20000  DSB
28      128   20000  DSB
sslpro  128   20000  DISC   DESG  8000-00:01:81:2e:bc:50  801d      2      Shared


/info/l2/trunk
Trunk Group Information
Trunk groups can provide super-bandwidth, multi-link connections between Nortel Application Switches or other trunk-capable devices. A trunk group is a group of ports that act
together, combining their bandwidth to create a single, larger virtual link. When trunk groups
are configured, you can view the state of each port in the various trunk groups.
Trunk group 1, bw contract 1024, port state:
1: STG 1 forwarding
2: STG 1 forwarding

NOTE: If Spanning Tree Protocol on any port in the trunk group is set to forwarding, the
remaining ports in the trunk group will also be set to forwarding.


/info/l2/vlan
VLAN Information
VLAN  Name                              Status  Jumbo  BWC   Learn  Ports
----  --------------------------------  ------  -----  ----  -----  -----
1     Default VLAN                      ena     n      1024  ena    1-28

This information display includes all configured VLANs and all member ports that have an
active link state. Port membership is represented in slot/port format.
VLAN information includes:

VLAN Number

VLAN Name

Status

Jumbo Frames

Bandwidth Contract if BWM is enabled

Source MAC Address Learning

Port membership of the VLAN


/info/l2/team
Status of port teams
>> Layer 2# team
All port teams are disabled.

/info/l2/dump
Layer2 Dump Information
Spanning Tree Group 1: On

Current Root:            Path-Cost  Port  Hello  MaxAge  FwdDel  Aging
 8000 00:01:81:2e:a1:80          0     0      2      20      15    300

Parameters:  Priority  Hello  MaxAge  FwdDel  Aging
                32768      2      20      15    300

Port  Priority  Cost  State       Designated Bridge       Des Port
----  --------  ----  ----------  ----------------------  --------
1     128       0     DISABLED
2     128       0     DISABLED
3     128       0     DISABLED
4     128       0     DISABLED
5     128       5     FORWARDING  8000-00:01:81:2e:a1:80  32773
6     128       0     DISABLED
7     128       0     DISABLED
8     128       0     DISABLED
9     128       0     DISABLED
10    128       0     DISABLED
11    128       0     DISABLED
12    128       0     DISABLED


/info/l3
Layer3 Information Menu
[Layer 3 Menu]
     route    - IP Routing Information Menu
     route6   - IP6 Routing Information Menu
     arp      - ARP Information Menu
     nbrcache - IP6 Neighbor Cache Information Menu
     bgp      - BGP Information Menu
     ospf     - OSPF Routing Information Menu
     ip       - Show IP information
     vrrp     - Show Virtual Router Redundancy Protocol information
     dump     - Dump all layer 3 information

Table 4-17 Layer 3 Information Menu Options


Command Syntax and Usage
route
Displays the IP Routing Menu. Using the options of this menu, the system displays the following
for each configured or learned route:
Route destination IP address, subnet mask, and gateway address
Type of route
Tag indicating origin of route
Metric for RIP tagged routes, specifying the number of hops to the destination (1-15 hops, or 16
for infinite hops)
The IP interface that the route uses
For details, see page 107.

route6
IP6 Routing Information Menu. To view menu options, see page 110.
arp
Displays the Address Resolution Protocol (ARP) Information Menu. For details, see page 112.
nbrcache
IP6 Neighbor Cache Menu. To view menu options, see page 115.
bgp
Displays BGP Information Menu. To view menu options, see page 117.
ospf
Displays OSPF routing information menu. For details, see page 119.

ip
Displays IP Information. For details, see page 126.
IP information includes:
IP interface information: Interface number, IP address, subnet mask, broadcast address, VLAN number, and operational status.
Default gateway information: Metric for selecting which configured gateway to use, gateway number, IP address, and health status
IP forwarding information: Enable status, lnet and lmask
Port status

vrrp
Displays the VRRP Information Menu. For details, see page 127.
dump
Displays all Layer 3 information.

/info/l3/route
IP Routing Information
[IP Routing Menu]
     find     - Show a single route by destination IP address
     gw       - Show routes to a single gateway
     type     - Show routes of a single type
     tag      - Show routes of a single tag
     if       - Show routes on a single interface
     dump     - Show all routes

Using the commands listed below, you can display all or a portion of the IP routes currently
held in the switch.
Table 4-18 Route Information Menu Options (/info/route)
Command Syntax and Usage
find <IP address (such as, 192.4.17.101)>
Displays a single route by destination IP address.
gw <default gateway address (such as, 192.4.17.44)>
Displays routes to a single gateway.
type indirect|direct|local|broadcast|martian|multicast
Displays routes of a single type. For a description of IP routing types, see Table 4-19 on page 109.

tag fixed|static|addr|rip|ospf|bgp|broadcast|martian|vip
Displays routes of a single tag. For a description of IP routing types, see Table 4-20 on page 109.
if <interface number (1-256)>
Displays routes on a single interface.

NOTE: The total number of interfaces on a Nortel Application Switch 2424-SSL is 1-255.
dump
Displays all routes configured in the switch. For more information, see page 108.

/info/l3/route/dump
Show All IP Route Information
Status code: * - best
  Destination      Mask             Gateway          Type       Tag        Metr  If
  ---------------  ---------------  ---------------  ---------  ---------  ----  --
* 0.0.0.0          0.0.0.0          47.80.22.1       indirect   static           1
* 47.80.22.0       255.255.254.0    47.80.23.249     direct     fixed            1
* 47.80.23.249     255.255.255.255  47.80.23.249     local      addr             1
* 47.80.23.255     255.255.255.255  47.80.23.255     broadcast  broadcast        1
* 127.0.0.0        255.0.0.0        0.0.0.0          martian    martian
* 224.0.0.0        224.0.0.0        0.0.0.0          martian    martian
* 224.0.0.5        255.255.255.255  0.0.0.0          multicast  addr
* 224.0.0.6        255.255.255.255  0.0.0.0          multicast  addr
* 255.255.255.255  255.255.255.255  255.255.255.255  broadcast  broadcast


Type Parameters
The following table describes the Type parameters.
Table 4-19 IP Routing Type Parameters (/info/l3/route/dump/type)

Parameter  Description
---------  ------------------------------------------------------------------
indirect   The next hop to the host or subnet destination will be forwarded
           through a router at the Gateway address.
direct     Packets will be delivered to a destination host or subnet attached
           to the switch.
local      Indicates a route to one of the switch's IP interfaces.
broadcast  Indicates a broadcast route.
martian    The destination belongs to a host or subnet which is filtered out.
           Packets to this destination are discarded.
multicast  Indicates a multicast route.

Tag Parameters
The following table describes the Tag parameters.
Table 4-20 IP Routing Tag Parameters (info/l3/route/tag)

Parameter  Description
---------  ------------------------------------------------------------------
fixed      The address belongs to a host or subnet attached to the switch.
static     The address is a static route which has been configured on the
           Nortel Application Switch.
addr       The address belongs to one of the switch's IP interfaces.
rip        The address was learned by the Routing Information Protocol (RIP).
ospf       The address was learned by Open Shortest Path First (OSPF).
bgp        The address was learned via Border Gateway Protocol (BGP).
broadcast  Indicates a broadcast address.
martian    The address belongs to a filtered group.
vip        Indicates a route destination that is a virtual server IP address.
           VIP routes are needed to advertise virtual server IP addresses via
           BGP.


/info/l3/route6
IPv6 Routing Information Menu
This menu provides a mechanism for viewing IPv6 routing information. The IPv6 routing
table stores routes it learns from network traffic and pre-configured, static routes.
NOTE: Presently there is no mechanism for clearing this IPv6 routing table.
[IP6 Routing Menu]
     dump     - Show all routes

Table 4-21 provides a description of this menu.


Table 4-21 IPv6 Routing Information Menu Options (/info/l3/route6)
Command Syntax and Usage
dump
The /info/l3/route6/dump command shows all the IPv6 routes maintained. Since each
link-local interface is shown with an entry prefix of /128, the link-local network, such as
FE80::/10, is not shown for each interface, to avoid too many network entries in the table.


The following is an example of output from the /info/l3/route6/dump command.


>> Main# /info/l3/route6/dump
IPv6 Forwarding Table:
Destination: 0:0:0:0:0:0:0:0/0                     If:1
NextHop:     2005:0:0:0:0:0:0:16                   Proto: STATIC
Destination: 2005:0:0:0:0:0:0:0/64                 If:1
NextHop:     0:0:0:0:0:0:0:0                       Proto: LOCAL
Destination: 2005:0:0:0:0:0:0:1/128                If:1
NextHop:     0:0:0:0:0:0:0:0                       Proto: LOCAL
Destination: 2005:0:0:0:0:0:0:16/128               If:1
NextHop:     0:0:0:0:0:0:0:0                       Proto: STATIC
Destination: fe80:0:0:0:201:81ff:fe2e:a100/128     If:1
NextHop:     0:0:0:0:0:0:0:0                       Proto: LOCAL
Destination: ff02:0:0:0:0:0:0:1/128                If:1
NextHop:     0:0:0:0:0:0:0:0                       Proto: STATIC
Destination: ff02:0:0:0:0:0:0:2/128                If:1
NextHop:     0:0:0:0:0:0:0:0                       Proto: STATIC
Destination: ff02:0:0:0:0:1:ff00:0/128             If:1
NextHop:     0:0:0:0:0:0:0:0                       Proto: STATIC
Destination: ff02:0:0:0:0:1:ff00:1/128             If:1
NextHop:     0:0:0:0:0:0:0:0                       Proto: STATIC
Destination: ff02:0:0:0:0:1:ff2e:a100/128          If:1
NextHop:     0:0:0:0:0:0:0:0                       Proto: STATIC

Total number of route6 entries: 10


/info/l3/arp
ARP Information Menu
Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet
layer. ARP resolves a physical address from an IP address. ARP queries machines on the local
network for their physical addresses. ARP also maintains IP to physical address pairs in its
cache memory. In any IP communication, the ARP cache is consulted to see if the IP address of
the router is present in the ARP cache. Then the corresponding physical address is used to send
a packet.
[Address Resolution Protocol Menu]
     find     - Show a single ARP entry by IP address
     port     - Show ARP entries on a single port
     vlan     - Show ARP entries on a single VLAN
     refpt    - Show ARP entries referenced by a single SP
     dump     - Show all ARP entries
     help     - Show help on the fields of ARP entries
     addr     - Show ARP address list

The ARP information includes IP address and MAC address of each entry, address status flags
(see Table 4-23 on page 114), VLAN and port for the address, and port
referencing information.
Table 4-22 ARP Information Menu Options (/info/l3/arp)
Command Syntax and Usage
find <IP address (such as, 192.4.17.101)>
Displays a single ARP entry by IP address.
port <port number>
Displays the ARP entries on a single port.
vlan <VLAN number (1-4090)>
Displays the ARP entries on a single VLAN.
refpt <SP number (1-4)>
Displays the ARP entries referenced by a single SP. For details, see page 113.

dump
Displays all ARP entries, including:

IP address and MAC address of each entry


Address status flag (see below)
The VLAN and port to which the address belongs
The ports which have referenced the address (empty if no port has routed traffic to the IP address
shown)
For more information, see page 114.

help
Displays help on the ARP field entries. For example:
IP address:      IP address of ARP entry
Flags:           J - ARP entry belongs to a Jumbo capable VLAN
                 P - Permanent ARP entry (not obtained via ARP request), e.g. IP interface,
                     VIP, etc.
                 R - Indirect ARP (cache) entry for IP address reachable via indirect routes
                     (static/dynamic)
                 4 - Layer 4 IP address (VIP)
                 u - Unresolved ARP entry. The MAC address has not been learned.
MAC address:     MAC address of ARP entry
VLAN:            VLAN of this ARP entry
Port:            Physical port where this IP address owner is connected
Referenced SPs:  SPs on which this ARP entry is present

addr
Displays the ARP address list: IP address, IP mask, MAC address, and VLAN flags.

/info/l3/arp/refpt
Show ARP Entries on Referenced SP
IP address       Flags  MAC address        VLAN  Port  Referenced SPs
---------------  -----  -----------------  ----  ----  --------------
47.80.23.249     P      00:0e:40:2f:5b:00  1           1-4


/info/l3/arp/dump
Show All ARP Entry Information
IP address       Flags  MAC address        VLAN  Port  Referenced SPs
---------------  -----  -----------------  ----  ----  --------------
1.1.11.1         P 4    00:09:97:16:5f:01              1-4
10.10.10.10      P 4    00:09:97:16:5f:01              1-4
47.80.22.1              00:e0:16:7c:28:86  1     23    empty
47.80.23.81      P      00:09:97:16:5f:00  1           1-4
172.31.3.1       P      00:09:97:16:5f:00  1           1-4
172.31.3.10             00:b0:d0:98:d8:1b  1     3     empty
172.31.3.11             00:b0:d0:98:d8:1b  1     3     empty

Referenced ports are the ports that request the ARP entry. So the traffic coming into the referenced ports has the destination IP address. From the ARP entry (the referenced ports), this traffic needs to be forwarded to the egress port (port 6 in the above example).
NOTE: If you have VMA turned on, the referenced port will be the designated port. If you
have VMA turned off, the designated port will be the normal ingress port.
The Flag field is interpreted as follows:
Table 4-23 ARP Dump Flag Parameters

Flag  Description
----  ----------------------------------------------------------------------
P     Permanent entry created for switch IP interface.
P 4   Permanent entry created for Layer 4 proxy IP address or virtual server
      IP address.
R     Indirect route entry.
u     Unresolved ARP entry. The MAC address has not been learned.
J     ARP entry belongs to a Jumbo capable VLAN
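
The flags and columns described above are enough to turn a saved /info/l3/arp/dump into a consistency check. The following Python is an added example, not part of the Nortel manual or the switch software: it parses the dump, lists learned (non-P) entries where one MAC address answers for several IP addresses, and compares pinned IP-to-MAC pairs against a baseline. The one-entry-per-line layout, the function names and the baseline dictionary are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the rows of the /info/l3/arp/dump example on this page,
# laid out one entry per line.
SAMPLE_DUMP = """\
IP address      Flags MAC address       VLAN Port Referenced SPs
--------------- ----- ----------------- ---- ---- --------------
1.1.11.1        P 4   00:09:97:16:5f:01           1-4
10.10.10.10     P 4   00:09:97:16:5f:01           1-4
47.80.22.1            00:e0:16:7c:28:86 1    23   empty
47.80.23.81     P     00:09:97:16:5f:00 1         1-4
172.31.3.1      P     00:09:97:16:5f:00 1         1-4
172.31.3.10           00:b0:d0:98:d8:1b 1    3    empty
172.31.3.11           00:b0:d0:98:d8:1b 1    3    empty
"""

# IP, optional single-character flags (J P R 4 u), MAC, then whatever follows.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<flags>(?:[JPR4u]\s+)*)"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?P<rest>.*)$"
)


def parse_arp_dump(text):
    """Return one dict per ARP entry; header and ruler lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        tail = m.group("rest").split()
        # Assumption: the last column (Referenced SPs) is always present,
        # so any tokens before it are VLAN and then Port.
        ref_sps = tail[-1] if tail else None
        nums = tail[:-1]
        entries.append({
            "ip": m.group("ip"),
            "flags": set(m.group("flags").split()),
            "mac": m.group("mac").lower(),
            "vlan": int(nums[0]) if nums else None,
            "port": nums[1] if len(nums) > 1 else None,
            "ref_sps": ref_sps,
        })
    return entries


def shared_macs(entries):
    """Map each MAC that answers for several learned IPs to those IPs.

    Permanent (P) entries are the switch's own interfaces and VIPs, which
    share the switch MAC by design; unresolved (u) entries have no learned
    MAC. Both are left out.
    """
    by_mac = defaultdict(set)
    for e in entries:
        if "P" not in e["flags"] and "u" not in e["flags"]:
            by_mac[e["mac"]].add(e["ip"])
    return {
        mac: sorted(ips, key=ipaddress.ip_address)
        for mac, ips in by_mac.items()
        if len(ips) > 1
    }


def baseline_drift(entries, baseline):
    """Return (ip, expected_mac, seen_mac) for pinned IPs whose MAC changed."""
    drift = []
    for e in entries:
        expected = baseline.get(e["ip"])
        if expected and expected.lower() != e["mac"]:
            drift.append((e["ip"], expected.lower(), e["mac"]))
    return drift


if __name__ == "__main__":
    arp = parse_arp_dump(SAMPLE_DUMP)
    for mac, ips in shared_macs(arp).items():
        print(f"review: {mac} answers for {', '.join(ips)}")
    # Hypothetical baseline: the gateway address that appears in the sample.
    pinned = {"47.80.22.1": "00:e0:16:7c:28:86"}
    for ip, want, seen in baseline_drift(arp, pinned):
        print(f"alert: {ip} expected {want}, now {seen}")
```

In the page's sample, 172.31.3.10 and 172.31.3.11 share one MAC address on port 3; that can be a multi-homed host, so the output is a list to review against the expected inventory.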


/info/l3/arp/addr
ARP Address List Information
IP address       IP mask          MAC address
---------------  ---------------  -----------------
10.10.10.10      255.255.255.255  00:09:97:16:5f:01
1.1.11.1         255.255.255.255  00:09:97:16:5f:01
172.31.4.200     255.255.255.255  00:09:97:16:5f:0e
172.31.3.1       255.255.255.255  00:09:97:16:5f:00
172.31.4.1       255.255.255.255  00:09:97:16:5f:00
47.80.23.81      255.255.255.255  00:09:97:16:5f:00

VLAN
----

Flags
-----

D
1
1
1

/info/l3/nbrcache
IPv6 Neighbor Cache Information
This menu provides a mechanism for viewing IPv6 Neighbor Cache information.
IPv6 uses the Neighbor Discovery (ND) protocol to discover its neighbors' link-layer addresses
and neighbor reachability. ND can also auto-configure addresses and detect duplicate
addresses. ND enables routers to advertise their presence and address prefixes and to inform
hosts of a better next-hop address to forward packets.
The information collected from ND is stored in the Neighbor Cache. The Neighbor Cache
maintains information about each neighbor such as:

MAC Address

Reachability State

Neighbor Type

VLAN

Ingress Port

Neighbor Cache entries are added in a number of situations:


1. Entries are added when an IPv6 Interface or Virtual IP is operational.

2. Reception of ND messages from neighbor.

3. A switch sends ND packets to resolve a link-layer address that it wishes to send packets
   to.


There are 5 reachability states:

INCOMPLETE
The link-layer address of the neighbor has not yet been determined.

REACHABLE
The neighbor is known to have been reachable recently.

STALE
The neighbor is no longer known to be reachable but until traffic is sent to the neighbor, no
attempt should be made to verify its reachability.

DELAY
The neighbor is no longer known to be reachable and traffic has recently been sent to the
neighbor.

PROBE
The neighbor is no longer known to be reachable, and ND messages are sent to
the neighbor to verify reachability.

The neighbor types are LOCAL and DYNAMIC. The LOCAL neighbor type is for switch
pre-configured addresses and DYNAMIC is for neighbor addresses learnt from ND.
NOTE: Once the Neighbor Cache table reaches 2000 entries, table entries are replaced
by adding the new entry and dropping the 2000th entry off the list. Table entries are kept until
the entry is replaced by a new one. During this 2000 full entries period, no new entries will be
used to sort for display.
[IP6 Neighbor Discovery Protocol Menu]
     dump     - Show all IP6 neighbor cache entries

Table 4-24 provides a description of this menu.


Table 4-24 IPv6 Neighbor Cache Information Menu (/info/l3/nbrcache)
Command Syntax and Usage
dump
Displays all IPv6 neighbor cache entries.


The following is an example of output from the /info/l3/nbrcache/dump command.


>> IP6 Neighbor Discovery Protocol# dump
IP address                     State  Type  MAC address        VLAN  Port
-----------------------------  -----  ----  -----------------  ----  ----
2000:0:0:0:0:0:0:0             REACH  LOC   00:0e:62:f6:b2:00  1
2000:0:0:0:0:0:0:1             STALE  DYN   00:50:da:16:f7:27  1     1
2000:0:0:0:0:0:0:100           REACH  LOC   00:0e:62:f6:b2:00  1
2000:0:0:0:0:0:0:200           REACH  LOC   00:0e:62:f6:b2:0e  1
fe80:0:0:0:20e:62ff:fef6:b200  REACH  LOC   00:0e:62:f6:b2:00  1
fe80:0:0:0:211:11ff:fee3:32b9  STALE  DYN   00:11:11:e3:32:b9  1     9
fe80:0:0:0:250:daff:fe16:f727  STALE  DYN   00:50:da:16:f7:27  1     1

Total dynamic neighbor cache entries: 3
Total local neighbor cache entries: 4
Other neighbor cache entries: 0

/info/l3/bgp
BGP Information Menu
Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to
share routing information with each other and advertise information about the segments of the
IP address space they can access within their network with routers on external networks. For
more information, refer to the BGP section in the chapter "The Configuration Menu" on page 257
and the Application Guide.
[BGP Menu]
     peer     - Show all BGP peers
     summary  - Show all BGP peers in summary
     dump     - Show BGP routing table

Table 4-25 BGP Peer Information Menu Options (/info/l3/bgp)


Command Syntax and Usage
peer
Displays BGP peer information. See page 118 for a sample output.
summary
Displays peer summary information such as AS, message received, message sent, up/down, state.
See page 119 for a sample output.
dump
Displays the BGP routing table. See page 119 for a sample output.


/info/l3/bgp/peer
BGP Peer information
Following is an example of the information that /info/l3/bgp/peer provides.
BGP Peer Information:

  3: 2.1.1.1        , version 0, TTL 1
    Remote AS: 0, Local AS: 0, Link type: IBGP
    Remote router ID: 0.0.0.0,    Local router ID: 1.1.201.5
    BGP status: idle, Old status: idle
    Total received packets: 0, Total sent packets: 0
    Received updates: 0, Sent updates: 0
    Keepalive: 0, Holdtime: 0, MinAdvTime: 60
    LastErrorCode: unknown(0), LastErrorSubcode: unspecified(0)
    Established state transitions: 0

  4: 2.1.1.4        , version 0, TTL 1
    Remote AS: 0, Local AS: 0, Link type: IBGP
    Remote router ID: 0.0.0.0,    Local router ID: 1.1.201.5
    BGP status: idle, Old status: idle
    Total received packets: 0, Total sent packets: 0
    Received updates: 0, Sent updates: 0
    Keepalive: 0, Holdtime: 0, MinAdvTime: 60
    LastErrorCode: unknown(0), LastErrorSubcode: unspecified(0)
    Established state transitions: 0


/info/l3/bgp/summary
BGP Summary information
Following is an example of the information that /info/l3/bgp/summary provides.
BGP Peer Summary Information:
   Peer             V  AS        MsgRcvd   MsgSent   Up/Down   State
   ---------------  -  --------  --------  --------  --------  -----------
1: 205.178.23.142   4  142       113       121       00:00:28  established
2: 205.178.15.148   0  148       0         0         never     connect

/info/l3/bgp/dump
Dump BGP Information
Following is an example of the information that /info/l3/bgp/dump provides.
>> BGP# dump
Status codes: * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
    Network          Next Hop         Metr  LcPrf  Wght  Path
    ---------------  ---------------  ----  -----  ----  -------------
*>  10.0.0.0         205.178.21.147   1            256   147 148 i
*>i 205.178.15.0     0.0.0.0                             0 i
*                    205.178.21.147   1            128   147 i
*>  205.178.17.0     205.178.21.147   1            128   147 i
    13.0.0.0         205.178.21.147   1            256   147 {35} ?

/info/l3/ospf
OSPF Information Menu
Nortel Application Switch Operating System supports the Open Shortest Path First (OSPF)
routing protocol. The Nortel Application Switch Operating System implementation conforms
to the OSPF version 2 specifications detailed in Internet RFC 1583. OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be
divided into smaller logical units known as areas. In any AS with multiple areas, one area must
be designated as area 0, known as the backbone. The backbone acts as the central OSPF area.
All other areas in the AS must be connected to the backbone. Areas inject summary routing
information into the backbone, which then distributes it to other areas as needed. For more
information on how to configure OSPF on the switch, refer to the OSPF section in the chapter
"The Configuration Menu" on page 257 and your Nortel Application Switch Operating System
Application Guide.
[OSPF Information Menu]
     general  - Show general information
     aindex   - Show area(s) information
     if       - Show interface(s) information
     virtual  - Show details of virtual links
     nbr      - Show neighbor(s) information
     dbase    - Database Menu
     sumaddr  - Show summary address list
     nsumadd  - Show NSSA summary address list
     routes   - Show OSPF routes
     dump     - Show OSPF information

Table 4-26 OSPF Information Menu (/info/l3/ospf)


Command Syntax and Usage
general
Displays general OSPF information. See page 121 for a sample output.
aindex <area index [0-2]>
Displays area information for a particular area index. If no parameter is supplied, it displays area
information for all the areas.
if <interface number [1-256]>
Displays interface information for a particular interface. If no parameter is supplied, it displays
information for all the interfaces. See page 122 for a sample output.
virtual
Displays information about all the configured virtual links.
nbr <nbr router-id (A.B.C.D)>
Displays the status of a neighbor with a particular router ID. If no router ID is supplied, it displays
the information about all the current neighbors.
dbase
Displays OSPF database menu. To view menu options, see page 122.
sumaddr <area index (0-2)>
Displays the list of summary ranges belonging to non-NSSA areas.
nsumadd <area index (0-2)>
Displays the list of summary ranges belonging to NSSA areas.
routes
Displays OSPF routing table. See page 124 for a sample output.

dump
Displays all the OSPF information. See for a sample output.

/info/l3/ospf/general
OSPF General Information
OSPF Version 2
Router ID: 47.80.23.247
Started at 95 and the process uptime is 352315
Area Border Router: yes, AS Boundary Router: no
LS types supported are 6
External LSA count 0
External LSA checksum sum 0x0
Number of interfaces in this router is 2
Number of virtual links in this router is 1
16 new lsa received and 34 lsa originated from this router
Total number of entries in the LSDB 10
Database checksum sum 0x0
Total neighbors are 1, of which
2 are >=INIT state,
2 are >=EXCH state,
2 are =FULL state
Number of areas is 2, of which 3-transit 0-nssa
Area Id : 0.0.0.0
Authentication : none
Import ASExtern : yes
Number of times SPF ran : 8
Area Border Router count : 2
AS Boundary Router count : 0
LSA count : 5
LSA Checksum sum : 0x2237B
Summary : noSummary


/info/l3/ospf/if
OSPF Interface Information
Ip Address 10.10.12.1, Area 0.0.0.1, Admin Status UP
Router ID 10.10.10.1, State DR, Priority 1
Designated Router (ID) 10.10.10.1, Ip Address 10.10.12.1
Backup Designated Router (ID) 10.10.14.1, Ip Address 10.10.12.2
Timer intervals, Hello 10, Dead 40, Wait 1663, Retransmit 5,
Poll interval 0, Transit delay 1
Neighbor count is 1
If Events 4, Authentication type none
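
Both OSPF sample outputs above report authentication as none, once per area and once per interface. The following Python is an added example, not part of the Nortel manual or the switch software: it reads captured output of /info/l3/ospf/general and /info/l3/ospf/if and lists the areas and enabled interfaces that run without OSPF authentication. Area 0.0.0.1, the second interface and the value "password" in the sample are constructed, and treating a difference between the area value and the interface value as a finding is this example's assumption.

```python
import re

# Constructed sample in the field layout of the /info/l3/ospf/general and
# /info/l3/ospf/if examples on this page. Area 0.0.0.1, the second interface
# and the value "password" are made up for the demonstration.
GENERAL = """\
OSPF Version 2
Router ID: 47.80.23.247
Area Border Router: yes, AS Boundary Router: no
Area Id : 0.0.0.0
Authentication : none
Import ASExtern : yes
LSA count : 5
Area Id : 0.0.0.1
Authentication : password
Import ASExtern : yes
LSA count : 3
"""

INTERFACES = """\
Ip Address 10.10.12.1, Area 0.0.0.1, Admin Status UP
Router ID 10.10.10.1, State DR, Priority 1
Designated Router (ID) 10.10.10.1, Ip Address 10.10.12.1
Neighbor count is 1
If Events 4, Authentication type none
Ip Address 10.10.20.1, Area 0.0.0.0, Admin Status UP
Router ID 10.10.10.1, State DR, Priority 1
Designated Router (ID) 10.10.10.1, Ip Address 10.10.20.1
Neighbor count is 0
If Events 1, Authentication type none
"""

AREA_ID = re.compile(r"^Area Id\s*:\s*(\S+)")
AREA_AUTH = re.compile(r"^Authentication\s*:\s*(\S+)")
IF_START = re.compile(r"^Ip Address (\S+), Area (\S+), Admin Status (\S+)")
IF_NBRS = re.compile(r"^Neighbor count is (\d+)")
IF_AUTH = re.compile(r"Authentication type (\S+)")


def parse_areas(text):
    """Return {area id: authentication value} from the general output."""
    areas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := AREA_ID.match(line):
            current = m.group(1)
        elif (m := AREA_AUTH.match(line)) and current:
            areas[current] = m.group(1).lower()
    return areas


def parse_interfaces(text):
    """Return one dict per interface block of the interface output."""
    interfaces = []
    for line in map(str.strip, text.splitlines()):
        # Only a line that starts with "Ip Address" opens a new block; the
        # Designated Router line also contains those words, mid-line.
        if m := IF_START.match(line):
            interfaces.append({"ip": m.group(1), "area": m.group(2),
                               "admin": m.group(3).upper(),
                               "neighbors": 0, "auth": None})
        elif interfaces:
            if m := IF_NBRS.match(line):
                interfaces[-1]["neighbors"] = int(m.group(1))
            elif m := IF_AUTH.search(line):
                interfaces[-1]["auth"] = m.group(1).lower()
    return interfaces


def audit(areas, interfaces):
    """Return (finding, subject) tuples, areas first, then interfaces."""
    findings = [("area-no-auth", area) for area, auth in sorted(areas.items())
                if auth == "none"]
    for itf in interfaces:
        if itf["admin"] != "UP":
            continue
        if itf["auth"] == "none":
            # An adjacency that already formed without authentication
            # is reported under its own label so it can be handled first.
            kind = "if-no-auth-with-neighbor" if itf["neighbors"] else "if-no-auth"
            findings.append((kind, itf["ip"]))
        area_auth = areas.get(itf["area"])
        if area_auth is not None and area_auth != itf["auth"]:
            findings.append(("area-if-mismatch", itf["ip"]))
    return findings


if __name__ == "__main__":
    for kind, subject in audit(parse_areas(GENERAL), parse_interfaces(INTERFACES)):
        print(f"{kind}: {subject}")
```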

/info/l3/ospf/dbase
OSPF Database Information
[OSPF Database Menu]
     advrtr   - LS Database info for an Advertising Router
     asbrsum  - ASBR Summary LS Database info
     dbsumm   - LS Database summary
     ext      - External LS Database info
     nw       - Network LS Database info
     nssa     - NSSA External LS Database info
     rtr      - Router LS Database info
     self     - Self Originated LS Database info
     summ     - Network-Summary LS Database info
     all      - All

Table 4-27 OSPF Database Information Menu (/info/l3/ospf/dbase)


Command Syntax and Usage
advrtr <router-id (A.B.C.D)>
Takes advertising router as a parameter. Displays all the Link State Advertisements (LSAs) in the
LS database that have the advertising router with the specified router ID, for example: 20.1.1.1.
asbrsum <adv-rtr (A.B.C.D)>|<link_state_id (A.B.C.D)>|<self>
Displays ASBR summary LSAs. The usage of this command is as follows:
a) asbrsum adv-rtr 20.1.1.1 displays ASBR summary LSAs having the advertising
router 20.1.1.1.
b) asbrsum link_state_id 10.1.1.1 displays ASBR summary LSAs having the link
state ID 10.1.1.1.
c) asbrsum self displays the self advertised ASBR summary LSAs.
d) asbrsum with no parameters displays all the ASBR summary LSAs.

dbsumm
Displays the following information about the LS database in a table format:
a) the number of LSAs of each type in each area.
b) the total number of LSAs for each area.
c) the total number of LSAs for each LSA type for all areas combined.
d) the total number of LSAs for all LSA types for all areas combined.
No parameters are required.
ext <adv-rtr (A.B.C.D)>|<link_state_id (A.B.C.D)>|<self>
Displays the AS-external (type 5) LSAs with detailed information of each field of the LSAs. The
usage of this command is the same as the usage of the command asbrsum.
nw <adv-rtr (A.B.C.D)>|<link_state_id (A.B.C.D)>|<self>
Displays the network (type 2) LSAs with detailed information of each field of the LSA in the
network LS database. The usage of this command is the same as the usage of the command asbrsum.
nssa <adv-rtr (A.B.C.D)>|<link_state_id (A.B.C.D)>|<self>
Displays the NSSA (type 7) LSAs with detailed information of each field of the LSAs. The usage
of this command is the same as the usage of the command asbrsum.
rtr <adv-rtr (A.B.C.D)>|<link_state_id (A.B.C.D)>|<self>
Displays the router (type 1) LSAs with detailed information of each field of the LSAs. The usage
of this command is the same as the usage of the command asbrsum.
self
Displays all the self-advertised LSAs. No parameters are required.
summ <adv-rtr (A.B.C.D)>|<link_state_id (A.B.C.D)>|<self>
Displays the network summary (type 3) LSAs with detailed information of each field of the LSAs.
The usage of this command is the same as the usage of the command asbrsum.
all
Displays all the LSAs.

/info/l3/ospf/routes
OSPF Information Route Codes
Codes: IA - OSPF inter area,
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
IA 10.10.0.0/16 via 200.1.1.2
IA 40.1.1.0/28 via 20.1.1.2
IA 80.1.1.0/24 via 200.1.1.2
IA 100.1.1.0/24 via 20.1.1.2
IA 140.1.1.0/27 via 20.1.1.2
IA 150.1.1.0/28 via 200.1.1.2
E2 172.18.1.1/32 via 30.1.1.2
E2 172.18.1.2/32 via 30.1.1.2
E2 172.18.1.3/32 via 30.1.1.2
E2 172.18.1.4/32 via 30.1.1.2
E2 172.18.1.5/32 via 30.1.1.2
E2 172.18.1.6/32 via 30.1.1.2
E2 172.18.1.7/32 via 30.1.1.2
E2 172.18.1.8/32 via 30.1.1.2

/info/ospf/dump
OSPF Dump Information
OSPF Version 2
Router ID: 1.1.1.1
Started at 42 and the process uptime is 1197051
Area Border Router: no, AS Boundary Router: no
External LSA count 0
Number of interfaces in this router is 0
Number of virtual links in this router is 0
0 new lsa received and 0 lsa originated from this router
Total number of entries in the LSDB 0
Total neighbors are 0, of which
0 are >=INIT state,
0 are >=EXCH state,
0 are =FULL state
Number of areas is 0, of which 0-transit 0-nssa
OSPF Neighbors:
Intf NeighborID Prio State Address
---- ---------- ---- ----- -------

OSPF LS Database:
OSPF LSDB breakdown for router with ID (1.1.1.1)
No areas enabled.

/info/l3/ip
IP Information
Interface information:
1: 47.80.23.81     255.255.254.0   47.80.23.255,   vlan 1, up
2: 172.31.4.1      255.255.255.0   172.31.4.255,   vlan 1, up
3: 172.31.3.1      255.255.255.0   172.31.3.255,   vlan 1, up
Default gateway information: metric strict
2: 47.80.22.1,     vlan any, up
Current IP forwarding settings: ON, dirbr disabled
Current local networks:
Current IP port settings:
All other ports have forwarding ON
Current network filter settings:
none
Current route map settings:
Current OSPF settings: ON
Default route none
Router ID: 1.1.1.1
lsdb limit 0

/info/l3/vrrp
VRRP Information
Virtual Router Redundancy Protocol (VRRP) support on Nortel Application Switch provides
redundancy between routers in a LAN. This is accomplished by configuring the same virtual
router IP address and ID number on each participating VRRP-capable routing device. One of
the virtual routers is then elected as the master, based on a number of priority criteria, and
assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address. Refer
to your Nortel Application Switch Operating System Application Guide for more information on
VRRP.
VRRP information:
10: vrid 10, 10.1.2.200, if 10, renter, prio 110, master
11: vrid 11, 11.1.2.200, if 11, renter, prio 118, master
12: vrid 12, 12.1.2.200, if 12, renter, prio 102, backup
13: vrid 13, 13.1.2.200, if 13, renter, prio 118, master
14: vrid 14, 14.1.2.200, if 14, renter, prio 102, backup
20: vrid 20, 20.1.2.200, if 20, renter, prio 110, master
27: vrid 27, 27.1.2.200, if 27, renter, prio 118, master
28: vrid 28, 28.1.2.200, if 28, renter, prio 102, backup
100: vrid 100, 172.21.8.100, if 172, renter, prio 110, master, server
172: vrid 172, 172.21.8.200, if 172, renter, prio 110, master
254: vrid 254, 27.1.2.100, if 27, renter, prio 102, backup, server
255: vrid 255, 28.1.2.100, if 28, renter, prio 118, master, server

VRRP information:
1: vrid 2, 205.178.18.210, if 1, renter, prio 100, master, server
2: vrid 1, 205.178.18.202, if 1, renter, prio 100, backup
3: vrid 3, 205.178.18.204, if 1, renter, prio 100, master, proxy

When virtual routers are configured, you can view the status of each virtual router using this
command. VRRP information includes:

Virtual router number

Virtual router ID and IP address

Interface number

Ownership status

owner identifies the preferred master virtual router. A virtual router is the owner
when the IP address of the virtual router and its IP interface are the same.
renter identifies virtual routers which are not owned by this device.

Priority value. During the election process, the virtual router with the highest priority
becomes master.

Activity status

master identifies the elected master virtual router.

backup identifies that the virtual router is in backup mode.

Server status. The server state identifies virtual routers that support Layer 4 services.
These are known as virtual server routers: any virtual router whose IP address is the same
as any configured virtual server IP address.

Proxy status. The proxy state identifies virtual proxy routers, where the virtual router
shares the same IP address as a proxy IP address. The use of virtual proxy routers enables
redundant switches to share the same IP address, minimizing the number of unique IP
addresses that must be configured.

/info/l3/dump
Layer3 Dump Information
This command dumps all the information about Layer 3 parameters. This dump is a collection
of all the individual commands described in the sections above.
IP information:
IP information:
Router ID: 45.1.1.201, AS number 100
Interface information:
2: 45.1.1.201      255.0.0.0       45.255.255.255, vlan 1, up
3: 205.1.1.201     255.255.255.0   205.1.1.255,    vlan 1, up
4: 172.21.1.254    255.255.255.0   172.21.1.255,   vlan 1, up
Default gateway information: metric strict


Current IP forwarding settings: ON, dirbr disabled
Current local networks:
Current IP port settings:
All other ports have forwarding ON
Current network filter settings:
none
Current route map settings:
Current BGP settings:
ON, pref 100, AS number 100
Current BGP peer settings:
1: 45.1.1.203, ras 300, hold 180, alive 60, adv 60
retry 120, orig 15, ttl 1, enabled
metric none, default none, rip disabled, ospf disabled
fixed disabled, static disabled, vip disabled
in-rmap: empty
out-rmap: empty
Current BGP aggr settings:

Virtual Router Redundancy is globally turned OFF.


ARP cache information:
IP address      Flags MAC address       VLAN Port  Referenced SPs
--------------- ----- ----------------- ---- ----- --------------
45.1.1.75             00:0f:06:ec:8a:00 1    24    empty
45.1.1.201      P     00:01:81:2e:a2:20 1          1-4
45.1.1.202            00:09:97:5e:69:00 1    24    empty
172.21.1.254    P     00:01:81:2e:a2:20 1          1-4
205.1.1.1             00:09:6b:b5:0b:d6 1    24    empty
205.1.1.2             00:09:6b:b5:08:48 1    24    empty
205.1.1.3             00:09:6b:00:6f:b7 1    24    empty
205.1.1.4             00:09:6b:00:76:1b 1    24    empty
205.1.1.5             00:09:6b:00:74:97 1    24    empty
205.1.1.6             00:09:6b:00:71:bb 1    24    empty
205.1.1.100     P 4   00:01:81:2e:a2:2e            1-4
205.1.1.201     P     00:01:81:2e:a2:20 1          1-4
ARP address information:
IP address      IP mask         MAC address       VLAN Flags
--------------- --------------- ----------------- ---- -----
205.1.1.100     255.255.255.255 00:01:81:2e:a2:2e      D
172.21.1.254    255.255.255.255 00:01:81:2e:a2:20 1
205.1.1.201     255.255.255.255 00:01:81:2e:a2:20 1
45.1.1.201      255.255.255.255 00:01:81:2e:a2:20 1

Route table information:


Status code: * - best
  Destination     Mask            Gateway         Type      Tag       Metr If
  --------------- --------------- --------------- --------- --------- ---- --
* 45.0.0.0        255.0.0.0       45.1.1.201      direct    fixed          2
* 45.1.1.201      255.255.255.255 45.1.1.201      local     addr           2
* 45.255.255.255  255.255.255.255 45.255.255.255  broadcast broadcast      2
* 127.0.0.0       255.0.0.0       0.0.0.0         martian   martian
* 172.21.1.0      255.255.255.0   172.21.1.254    direct    fixed          4
* 172.21.1.254    255.255.255.255 172.21.1.254    local     addr           4
* 172.21.1.255    255.255.255.255 172.21.1.255    broadcast broadcast      4
* 205.1.1.0       255.255.255.0   205.1.1.201     direct    fixed          3
* 205.1.1.100     255.255.255.255 205.1.1.100     direct    vip
* 205.1.1.201     255.255.255.255 205.1.1.201     local     addr           3
* 205.1.1.255     255.255.255.255 205.1.1.255     broadcast broadcast      3
* 224.0.0.0       224.0.0.0       0.0.0.0         martian   martian
* 255.255.255.255 255.255.255.255 255.255.255.255 broadcast broadcast
OSPF is disabled.
Status codes: * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metr LcPrf Wght Path
--------------- --------------- ----- ----- ----- ---------------
*> 45.0.0.0 0.0.0.0 0 ?
*> 172.21.1.0 0.0.0.0 0 ?
*> 205.1.1.0 0.0.0.0 0 ?

/info/slb
Layer 4 Information Menu
Server Load Balancing (SLB) allows you to configure the Nortel Application Switch to balance user session traffic among a pool of available servers that provide shared services. In an
average network that employs multiple servers without server load balancing, each server usually specializes in providing one or two unique services. If one of these servers provides access
to applications or data that is in high demand, it can become overutilized. Placing this kind of
strain on a server can decrease the performance of the entire network as user requests are
rejected by the server and then resubmitted by the user stations. With this software feature, the
switch is aware of the services provided by each server and can direct user session traffic to an
appropriate server, based on a variety of load-balancing algorithms.
Refer to your Nortel Application Switch Operating System Application Guide for detailed information on this feature.
[Server Load Balancing Information Menu]
sess    - Session Table Information Menu
gslb    - Global SLB Information Menu
real    - Show real server information
group   - Show real server group information
virt    - Show virtual server information
filt    - Show filter information
port    - Show port information
wlm     - Show Workload Manager information
idshash - Show IDS server selected by hash or minmisses metric
bind    - Show real server selected by hash, phash, or minmisses metric
cookie  - Decode the HEX value to get VIP, RIP and Rport
synatk  - Show SYN attack detection information
dump    - Show all layer 4 information

Table 4-28 Layer 4 Information Menu Options (/info/slb)


Command Syntax and Usage
sess
Displays the Session Table Information Menu. To view menu options, see page 134.
gslb
Displays the Global SLB Information Menu. To view menu options, see page 139.
real <real server number (1-1023)>
Displays Real server number, real IP address, MAC address, VLAN, physical switch port, layer
where health check is performed, and health check result.

group <real server group number, 1-1024>
Displays real server group information.
virt <virtual server number (1-1024)>
Displays the virtual server state (virtual server number, IP address, virtual MAC address) and the
virtual port state (virtual service or port, server port mapping, real server group, group backup
server).
filt <filter ID (1-2048)>|list|allow|deny|redir|nat
Displays the filter number, destination port, real server port, real server group, health check layer,
group backup server, URL for health checks, and real server group, IP address, backup server, and
status.
port <port number>
Displays the physical port number, proxy IP address, filter status, a list of applied filters, and client
and/or server Layer 4 activity.
wlm <work_load_manager_number, 1 to 16>
Displays workload manager information.
idshash <IP address 1> <IP address 2>
Displays the Intrusion Detection System server selected by hash or minmisses metric.
bind <IP address> <mask> <group number>
Displays the real server selected by hash, phash, or minmisses metric.
cookie <16 or 20 bytes cookie value in HEX as 0xXXXXXXXXXXXXXXXX>
Decodes the hexadecimal value to get the virtual server IP address, real server IP address, and real
server port.
synatk
Displays SYN attack detection information. To identify whether or not the server is under SYN
attack, the number of new half open sessions is examined within a set period of time, for example,
every two seconds. This feature requires dbind to be enabled.
dump
Displays all Layer 4 information for the switch. For details, see page 140.

/info/slb/sess
Session Table Information
[Session Table Information Menu]
cip    - Show all session entries with source IP address
cip6   - Show all session entries with source IP6 address
cport  - Show all session entries with source port
dip    - Show all session entries with destination IP address
dip6   - Show all session entries with source IP6 address
dport  - Show all session entries with destination port
pip    - Show all session entries with proxy IP address
pport  - Show all session entries with proxy port
filter - Show all session entries with matching filter
flag   - Show all session entries with matching flag
port   - Show all session entries with ingress port
real   - Show all session entries with real IP address
sp     - Show all session entries on sp
dump   - Show all session entries
help   - Session entry description

Table 4-29 Session Information Menu Options (/info/slb/sess)


Command Syntax and Usage
cip <IP address>
Displays all session entries with the client's source IP address.
cip6 <IP6_address>
Displays session entries with the specified IP6 address.
cport <real port>
Displays all session entries with source (client) port.
dip <Destination IP address>
Displays all session entries with the destination IP address.
dip6 <IP6_address>
Displays session entries with the specified IP6 address.
dport <Destination real port>
Displays all session entries with destination port.
pip <Proxy IP address>
Displays all session entries with proxy IP address.
pport <proxy port>
Displays all session entries with proxy port.

filter <filter ID (1-2048)>
Displays all session entries with matching filter.
flag <E|L|N|P|S|Rt|Ru|Ri|Vi|Vr|Vs|Vm|Vd|U|W>
Displays all session entries with matching flag. See Session dump information in Nortel Application Switch Operating System on page 137 for a description of these options.
port <port number>
Displays all session entries on the ingress port.
real <IP address>
Displays all session entries with real server IP address.
sp <port number (1-4)>
Displays all session entries on switch processor.
dump <v4 | v6>
Displays all session entries. Specify v4 to dump IPv4 information, v6 to dump IPv6 information or
no parameter to display all information. Information similar to the following may appear in
a session entry dump:

3, 01: 1.1.1.1 4586, 2.2.2.1 http -> 1.1.1.2 3567 3.3.3.1 http age 6 f:10 EUSPT c
(1) (2) (3)    (4)   (5)     (6)     (7a)    (7)  (8)     (9)  (10)  (11) (12)  (13)

Note: Fields 1 to 13 of a session entry, as numbered in the above example, are described
in Session dump information in Nortel Application Switch Operating System on page 137.
help
Displays the description of the session entry.

Samples of Session Dumps for Different Applications


L4 HTTP
3,01: 172.21.12.19 1040, 39.2.2.1 http -> 47.81.24.79 http age 4
L4-L7 WCR HTTP
2,16: 172.21.8.200 44687, 172.21.8.51 http -> 192.168.1.11 wcr age 4 f:12 E
3,01: 172.21.12.19 1040, 39.2.2.1 http -> 47.81.24.79 urlwcr age 6 f:123 E
RTSP
L4-L7 RTSP

3,01: 172.21.12.19 4586, 39.2.2.1 rtsp -> 47.81.144.13 rtsp age 10 EU


3,01: 172.21.12.19 6970, 39.2.2.1 21220 -> 47.81.144.13 21220 age 10 P
The first session is RTSP TCP control connection.
The second session is RTSP UDP data connection.
3,01: 172.21.12.19 6970, 39.2.2.1 rtsp -> 47.81.144.13 0 age 10 P
During client-server port negotiation, the destination port shows rtsp and the server port
shows 0.
L7 WCR RTSP
3,01: 172.21.12.19 4586, 39.2.2.1 rtsp -> 47.81.144.13 urlwcr age 10 f:100 EU
3,01: 172.21.12.19 6970, 39.2.2.1 21220 -> 47.81.144.13 21220 age 10 P
Filtering LinkLB
2,07: 10.0.1.26 1706, 205.178.14.84 http -> 192.168.4.10 linklb age 8 f:10 E
FTP
1,00: 172.31.4.215 80, 172.31.4.200 0 172.31.3.11 age 8 EP c:1
1,09: 172.31.4.215 4098, 172.31.4.200 ftp ->172.31.3.20 ftp age 10 EU
1,09: 172.31.4.215 4102, 172.31.4.200 ftp-data ->172.31.3.20 ftp-data age 10 E
NAT
2,05: 172.21.8.16 2559, 10.0.1.26 http NAT age 2 f:24 E
Persistent session
3,00: 237.162.52.123 160.10.20.30 age 4 EPS C:3
The destination port, real server IP and server port are not shown for a
persistent session.

136 Chapter 4: The Information Menu


320506-A, January 2006

Nortel Application Switch Operating System 23.0.2 Command Reference

Session dump information in Nortel Application Switch Operating System

Field: Description

(1) SP number: This field indicates the Switch Processor number that created the session.

(2) Ingress port: This field shows the physical port through which the client traffic enters the
switch.

(3) Source IP address: This field contains the source IP address from the client's IP packet in IPv4
or IPv6.

(4) Source port: This field identifies the source port from the client's TCP/UDP packet.

(5) Destination IP address: This field identifies the destination IP address from the client's
TCP/UDP packet.

(6) Destination port: This field identifies the destination port from the client's TCP/UDP packet.

(7a) Proxy IP address: This field contains the Proxy IP address substituted by the switch.



(7) Proxy Port: This field identifies the TCP/UDP source port substituted by the switch.

(8) Real Server IP Address: For load balancing, this field contains the IP address of the real server
that the switch selects to forward the client packet to. If the switch does not find a live server,
this field is the same as the destination IP address (as in row 5).
For example:
3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10
3,01: 1.1.1.1 6970, 2.2.2.1 rtsp -> 2.2.2.1 21220 age 10 P
For filtering, this field also shows the real server IP address. No address is shown if the filter
action is Allow, Deny or NAT. It will show ALLOW, DENY or NAT instead.
For example:
3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10 f:11
2,07: 1.1.1.1 1706, 2.2.2.1 http-> 192.168.4.10 linklb age 8 f:10 E

(9) Server port: This field is the same as the destination port (field 6) for load balancing except
for the RTSP UDP session. For RTSP UDP session, this server port is obtained from the client-server
negotiation.
This field is the filtering application port for filtering. It is for internal use only. This field
can be urlwcr, wcr, idslb, linkslb or nonat.

(10) Age: This is the session timeout value. If no packet is received within the value specified, the
session is freed. For example, if:
age 10 - The session is aged out in 10 minutes.
age < 160 - The session is aged out in 160 minutes. This indicates that slowage is used. The user can
configure slowage by using the command: /cfg/slb/adv/slowage.

(11) Filter number: This field indicates the session created by filtering code as a result of the IP
header keys matching the filtering criteria.

(12) Flag:
E: Indicates the session is established and will be aged out if no traffic is received within session
timeout value.
L: Indicates the session is a link load balance session.
N: Indicates no NAT, which means the session only translates the destination MAC when forwarding
client traffic to the real server.
P: Indicates the session is a persistent session and is not to be aged out. Fields (6), (7) and (8)
cannot have persistent session.
S: Indicates the session is a persistent session and the application is SSL session ID, or Cookie
Pbind.
Rt: Indicates the session is TCP rate limiting for every client entry.
Ru: Indicates UDP rate limiting for every client entry.
Ri: Indicates the session is ICMP rate limiting per-client entry.
Vr: Indicates the session is a SIP REGISTER session.
Vs: Indicates the session is a SIP SUBSCRIBE session.
Vi: Indicates the session is a SIP INVITE session.
Vm: Indicates the session is a SIP MESSAGE session.
Vd: Indicates the session is a SIP NAT data session.
U: Indicates the session is Layer 7 delayed binding and the switch is trying to open TCP connection
to the real server.
W: Indicates the session only translates the destination MAC when forwarding Layer 7 WCR traffic to
the real server.

(13) Persistent session user count: This counter indicates the number of client sessions created to
associate with this persistent session.
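
A parser for the session entry layout described in the table above, as an added example that is not part of the Nortel manual. The function names are this example's own, the sample lines are copied from the manual's own session dump examples, and only the load-balancing (->), filter-action (ALLOW/DENY/NAT) and persistent-session forms are handled; any other line is rejected.

```python
import re
from collections import Counter

# Flag meanings as listed under field (12) of the manual's session dump table.
FLAGS = {
    "E": "established", "L": "link load balance", "N": "no NAT",
    "P": "persistent", "S": "persistent (SSL session ID or cookie pbind)",
    "Rt": "TCP rate limiting", "Ru": "UDP rate limiting", "Ri": "ICMP rate limiting",
    "Vr": "SIP REGISTER", "Vs": "SIP SUBSCRIBE", "Vi": "SIP INVITE",
    "Vm": "SIP MESSAGE", "Vd": "SIP NAT data",
    "U": "Layer 7 delayed binding", "W": "Layer 7 WCR, destination MAC only",
}

IP = r"[0-9A-Fa-f.:]+"  # IPv4 or IPv6 text; the address itself is not validated
ENTRY = re.compile(rf"""
    ^\s*(?P<sp>\d+),\s*(?P<port>\d+):\s+            # (1) SP number, (2) ingress port
    (?P<cip>{IP})(?:\s+(?P<cport>\w+),)?\s+         # (3) source IP, (4) source port
    (?P<dip>{IP})(?:\s+(?P<dport>[\w-]+?))?\s*      # (5) destination IP, (6) destination port
    (?:->\s*(?:(?P<pip>{IP})\s+(?P<pport>\d+)\s+)?  # (7a) proxy IP, (7) proxy port
          (?P<rip>{IP})\s+(?P<rport>[\w-]+)         # (8) real server IP, (9) server port
       |(?P<action>ALLOW|DENY|NAT))?                # filter action shown in place of (8)
    \s+age\s+(?P<slow><\s*)?(?P<age>\d+)            # (10) age; a leading < marks slowage
    (?:\s+f:(?P<filter>\d+))?                       # (11) filter number
    (?:\s+(?P<flags>[A-Za-z]+))?                    # (12) flags
    (?:\s+[cC]:?(?P<users>\d+)?)?\s*$               # (13) persistent session user count
""", re.VERBOSE)


def split_flags(text):
    """Split a flag string such as 'EURt' into documented and undocumented flags."""
    tokens = re.findall(r"[A-Z][a-z]?", text)
    known = [t for t in tokens if t in FLAGS]
    unknown = [t for t in tokens if t not in FLAGS]
    return known, unknown


def parse_session(line):
    """Return one session entry as a dict keyed by field name; ValueError if unparsable."""
    m = ENTRY.match(line)
    if m is None:
        raise ValueError(f"unrecognised session entry: {line!r}")
    s = m.groupdict()
    for key in ("sp", "port", "pport", "age", "filter", "users"):
        if s[key] is not None:
            s[key] = int(s[key])
    s["slowage"] = s.pop("slow") is not None
    s["flags"], s["unknown_flags"] = split_flags(s["flags"] or "")
    return s


def clients_with_flag(lines, flag):
    """Count sessions per client IP that carry the given flag, e.g. 'U' or 'Rt'."""
    counts = Counter()
    for line in lines:
        s = parse_session(line)
        if flag in s["flags"]:
            counts[s["cip"]] += 1
    return counts


# Sample entries copied from the manual's session dump examples.
SAMPLES = [
    "3,01: 172.21.12.19 1040, 39.2.2.1 http -> 47.81.24.79 http age 4",
    "2,16: 172.21.8.200 44687, 172.21.8.51 http -> 192.168.1.11 wcr age 4 f:12 E",
    "3,01: 172.21.12.19 4586, 39.2.2.1 rtsp -> 47.81.144.13 rtsp age 10 EU",
    "3,01: 172.21.12.19 6970, 39.2.2.1 21220 -> 47.81.144.13 21220 age 10 P",
    "2,05: 172.21.8.16 2559, 10.0.1.26 http NAT age 2 f:24 E",
    "3,00: 237.162.52.123 160.10.20.30 age 4 EPS C:3",
    "3, 01: 1.1.1.1 4586, 2.2.2.1 http -> 1.1.1.2 3567 3.3.3.1 http age 6 f:10 EUSPT c",
]

if __name__ == "__main__":
    for entry in SAMPLES:
        s = parse_session(entry)
        target = s["rip"] or s["action"] or "-"
        print(s["cip"], "->", target, "age", s["age"], s["flags"], s["unknown_flags"])
```

Flags that are not in the manual's list, such as the T in the manual's annotated example, are reported under unknown_flags rather than dropped.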

/info/slb/gslb
Global SLB Information Menu
A Nortel Application Switch Operating System running Global SLB selects the most appropriate site to direct the client traffic for a given domain during the initial client connection. The
menu for this feature displays the following information:
[Global SLB Information Menu]
virt - Show Global SLB virtual server information
site - Show Global SLB remote site information
rule - Show Global SLB rule information
geo  - Show Global SLB geographical preference information
pers - Show Global SLB DNS persistence cache information
dump - Show all Global SLB information

Table 4-30 Global SLB Information Menu Options (/info/slb/gslb)


Command Syntax and Usage
virt <virtual server number (1-1024)>
Displays the Global SLB virtual server information such as the domain name of the virtual server,
the number of the local and remote virtual servers, the number of virtual services on those virtual
servers, and the group of real servers associated with the local and remote virtual servers.
site
Displays the Global SLB remote site information.
geo
Displays the Global SLB geographical preference information.
pers <IP_Address>
Displays the Global SLB DNS persistence cache information.
dump
Displays all Global SLB information.

/info/slb/dump
Show All Layer 4 Information
Real server state:
1: 210.1.2.200, 00:01:02:c1:4b:48, vlan 1, port 1, health 3, up
2: 210.1.2.1, 00:01:02:70:4d:4a, vlan 1, port 8, health 3, up
26: 20.20.20.102, 00:03:47:07:a4:9e, vlan 1, port 6, health 3, up
27: 20.20.20.101, 00:01:02:71:9c:a6, vlan 1, port 7, health 3, up

Virtual server state:
1: 20.20.20.200, 00:60:cf:47:5c:1e
virtual ports:
http: rport http, group 88, backup none, dbind
HTTP Application: urlslb
real servers:
26: 20.20.20.102, backup none, 2 ms, up
exclusionary string matching: disabled
1: any
2: urlone
27: 20.20.20.101, backup none, 1 ms, up
exclusionary string matching: disabled
3: urltwo
4: urlthree
Redirect filter state:
Action redir
dport http, rport 3128, vlan any
200: group 1, health 3, backup none
proxy enabled, radius snoop disabled
real servers:
1: 210.1.2.200, backup none, 3 ms, up
2: 210.1.2.1, backup none, 2 ms, up
Port state:
1: filt disabled, filters: 80
2: idslb filt enabled, filters: 200
3: idslb filt enabled, filters: 200
4: filt disabled, filters: 50 200

/info/bwm
Bandwidth Management Information
Bandwidth Management (BWM) enables Web site managers to allocate a portion of the available bandwidth for specific users or applications. It allows companies to guarantee that critical
business traffic, such as e-commerce transactions, receives higher priority than non-critical traffic. Traffic classification can be based on user or application information. BWM policies
can be configured to set lower and upper bounds on the bandwidth allocation.
You can see the following information on your switch when you execute this command:
[Bandwidth Management Information Menu]
ipuser - BWM IP User Entries Information Menu
cont   - Show Bandwidth Management Contract information

Table 4-31 Bandwidth Management Information


Command Syntax and Usage
ipuser
Displays the IP user entries with their IP addresses. See page 142 for sample output.

cont
Displays the BWM contract information configured on this switch.

/info/bwm/ipuser
BWM IP User Information Menu
[BWM IP User Entries Information Menu]
ip   - Show all IP user entries with IP address
cont - Show all IP user entries for a contract
sp   - Show all IP user entries on sp
dump - Show all IP user entries

Table 4-32 BWM IP User Information Menu (/info/bwm/ipuser)


Command Syntax and Usage
ip <IP address>
Displays the IP user entries for a specific IP address.
cont <BW Contract number, 1-1024>
Displays the IP user entries for a specific BWM contract.
sp <SP number (1-4)>
Displays the IP user entries on the Switch Processor. The same fields as described in cont above
are displayed, but only for the specified sp number.
dump
Displays all the IP user entries.

The format of the output of the above commands:

SP Contract IP Address       Age Octets     Discards   Allowed Offered
                                                       Rate    Rate
-- -------- ---------------- --- ---------- ---------- ------- -------
2  11       11.0.1.100       86  21500000   301001440  1953    29297
2  10       11.0.1.100       86  1076600    0          97      97
2  10       11.0.1.107       16  199940     0          97      97
2  10       11.0.1.105       16  198402     0          96      96
2  10       11.0.1.106       16  199940     0          97      97
2  10       11.0.1.103       16  196864     0          96      96
2  10       11.0.1.104       16  204554     0          99      99
2  10       11.0.1.101       16  201478     0          98      98
2  10       11.0.1.102       16  198402     0          96      96
2  10       11.0.1.108       16  199940     0          97      97
2  10       11.0.1.109       16  203016     0          99      99

SP: the switch processor number (1-4) of the ipuser entry.

Contract: the BWM contract number of the ipuser entry.

IP address: the IP address of the ipuser entry.

Age: the age of the entry in seconds.

Octets: the number of octets processed on this ipuser entry.

Discards: the number of octets discarded on this ipuser entry.

Allowed Rate: the rate of traffic allowed for this IP address.

Offered Rate: the rate including the discards for this IP address.

/info/bwm/cont
BWM Contract Information
Current Bandwidth Management setting: ON
Policy Enforcement:enabled
BWM history will be mailed in a minute
to 'abcd' at host '100.81.138.26'
BWM IP user table entries 64k

Contract             Policy                   Per User        Traffic
Num  Name                 Prec Hard Soft Resv Limit Key State Shaping
1    123456789012345 2    1    50M  1M   500K           E     D
2    vlan            4    1    60M  2M   500K           E     D
3    filter          7    20   2M   1M   500K           E     D
4                    5    1    2M   1M   500K           D     D
5                    512  1    2M   1M   500K           E     D
10                   10   1    1M   0K   0K   500K  sip E     D
11                   11   1    100M 80M  500K 2M    sip E     D
12                   12   1    2M   1M   500K           E     D
13                   13   1    3M   1M   500K           E     D
14                   14   1    4M   400K 100K           E     D
15                   15   1    2M   1M   500K           E     D

This command displays information about any configured contracts and the BWM policies
applied to the contracts.
Table 4-33 BWM Contract Information
Field: Description

Contract: Displays the BWM contract number.

Policy: Displays specific information about a policy applied to a contract. Includes the following:
The policy number applied to the contract
Prec: the precedence applied to the policy
Hard: the hard limit applied to the policy
Soft: the soft limit applied to the policy
Resv: the reserve limit applied to the policy


Per User: These two columns display information for an ipuser limit, if applied to the contract.
Includes the following:
Limit: the user rate limit applied to the ipuser.
Key: If an ipuser rate limit is enforced, this field displays whether the user limit is enforced on
a source IP address (sip) or a destination IP address (dip).

State: Displays whether the BWM contract is enabled (E) or disabled (D).

Traffic Shaping: Displays whether Traffic Shaping is enabled (E) or disabled (D) for this contract.

/info/security
Security Information
[Security Information Menu]
port     - Show port security information
ipacl    - Show IP ACL information
udpblast - Show UDP blast protection information
dos      - Show protocol anomaly and DoS attack prevention information
dump     - Show all security information

The information provided by each menu option is described in Table 4-34.


Table 4-34 Security Information Menu (/info/security)
Command Syntax and Usage
port
This menu displays the current port security settings.
ipacl
This menu displays the current IP ACL settings.
udpblast
This menu displays UDP blast protection settings.
dos
This menu displays DoS protection settings.
dump
This menu displays all security settings.

/info/link
Link Status Information
Alias   Port  Speed    Duplex    Flow Ctrl      Link
------  ----  ------   ------    --TX-----RX--  ------
1       1     10/100   any       yes    yes     down
2       2     10/100   any       yes    yes     down
3       3     10/100   any       yes    yes     down
4       4     10/100   any       yes    yes     down
5       5     10/100   any       yes    yes     down
6       6     10/100   any       yes    yes     down
7       7     10/100   any       yes    yes     down
8       8     10/100   any       yes    yes     down
9       9     10/100   any       yes    yes     down
10      10    10/100   any       yes    yes     down
11      11    10/100   any       yes    yes     down
12      12    10/100   any       yes    yes     down
13      13    10/100   any       yes    yes     down
14      14    10/100   any       yes    yes     down
15      15    10/100   any       yes    yes     down
16      16    10/100   any       yes    yes     down
17      17    10/100   any       yes    yes     down
18      18    10/100   any       yes    yes     down
19      19    10/100   any       yes    yes     down
20      20    10/100   any       yes    yes     down
21      21    10/100   any       yes    yes     down
22      22    10/100   any       yes    yes     down
23      23    10/100   any       yes    yes     down
24      24    10/100   any       yes    yes     down
25      25    1000     full      yes    yes     down
26      26    1000     full      yes    yes     down
27      27    1000     full      yes    yes     down
28      28    1000     full      yes    yes     down

Use this command to display link status information about each port on a Nortel Application
Switch slot, including:

Port Alias

Port number

Port speed (10, 100, 10/100, or 1000)

Duplex mode (half, full, any, or auto)

Flow control for transmit and receive (no, yes, or auto)

Link status (up or down)


/info/port
Port Information
Alias   Port  Tag  RMON  PVID  BWC   NAME            VLAN(s)
-----   ----  ---  ----  ----  ----  --------------  -------------
1          1  y    d        1  1024                  1
2          2  n    d        2  1024                  2
3          3  n    d        3  1024                  3
4          4  n    d        3  1024                  3
5          5  n    d        1  1024                  1
6          6  n    d        1     5                  1
7          7  n    d        1  1024                  1
8          8  n    d        1  1024                  1
9          9  n    d        1  1024                  1
10        10  n    d        1  1024                  1
11        11  n    d        1  1024                  1
12        12  n    d        1  1024                  1
13        13  n    d        1     6                  1
14        14  n    d        1  1024                  1
15        15  n    d        1  1024                  1
16        16  n    d        1  1024                  1
17        17  n    d        1  1024                  1
18        18  n    d        1  1024                  1
19        19  n    d        1  1024                  1
20        20  n    d        1  1024                  1
21        21  n    d        1  1024                  1
22        22  n    d        1  1024                  1
23        23  n    d        1  1024                  1
24        24  n    d        1  1024                  1
25        25  n    d        1  1024                  1
26        26  n    d        1  1024                  1
27        27  n    d        1  1024                  1
28        28  n    d        1  1024                  1

Port information includes:

Port alias

Port number

Whether the port uses VLAN tagging or not (y or n)

Whether Remote Monitor is enabled or disabled

Port VLAN ID (PVID)

Port name

VLAN membership

Whether RMON is enabled or disabled on the port

/info/swkey
Software Enabled Keys
For optional Layer 4 switching software, the information would be displayed as follows:
Enabled Software features:
Layer 4: GSLB
Bandwidth Management
Security Pack
Enabled Software features:
Layer 4: GSLB
Inbound Linklb
Intelligent Traffic Management

Software key information includes a list of all the optional software packages which have been
activated or installed on your switch. For information on ordering optional software license
keys, see How to Get Help on page 24.

/info/dump
Information Dump
Use the dump command to dump all switch information available from the Information Menu
(10K or more, depending on your configuration). This data is useful for tuning and debugging
switch performance.
If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump commands.


CHAPTER 5

The Statistics Menu


You can view switch performance statistics in both the user and administrator command
modes. This chapter discusses how to use the command line interface to display switch statistics.

/stats
Statistics Menu
[Statistics Menu]
     sys      - System Stats Menu
     port     - Port Stats Menu
     pmirr    - Port Mirroring Stats Menu
     l2       - Layer 2 Stats Menu
     l3       - Layer 3 Stats Menu
     slb      - Server Load Balancing (Layer 4-7) Stats Menu
     bwm      - Bandwidth Management Stats Menu
     security - Security Stats Menu
     mp       - MP-specific Stats Menu
     sp       - SP-specific Stats Menu
     dump     - Dump all stats


Table 5-1 Statistics Menu Options (/stats)


Command Syntax and Usage
sys
System statistics menu
port <port number>
Displays the Port Statistics Menu for the specified port. Use this command to display traffic statistics on a port-by-port basis. Traffic statistics are included in SNMP Management Information Base
(MIB) objects. To view menu options, see page 154.
l2
Displays Layer 2 Statistics Menu. To view menu options, see page 170.
l3
Displays Layer 3 Statistics Menu. To view menu options, see page 174.
slb
Displays the Server Load Balancing (SLB) Menu. To view menu options, see page 199.
bwm
Displays the Bandwidth Management Menu. To view menu options, see page 232.
mp
Displays the Management Processor Statistics Menu. Use this command to view information on
how switch management processes and resources are currently being allocated. To view menu
options, see page 248.
sp <SP number (1-4)>
Displays Switch Processor-Specific Menu. To view menu options, see page 253.
security
Displays Security Statistics Menu. To view menu options, see page 239.
snmp
Displays SNMP Statistics.
ntp <clear>
Displays Network Time Protocol (NTP) Statistics.
You can execute the clear command option to delete all statistics.
pm
Displays Port Mirroring Statistics Menu. To view menu options, see page 255.
mgmt
Displays interface statistics for the Management Port. See page 255 for sample output.

dump
Dumps all switch statistics. Use this command to gather data for tuning and debugging switch performance. If you want to capture dump data to a file, set your communication software on your
workstation to capture session data prior to issuing the dump command. For details, see page 256.


/stats/sys
System statistics menu
This menu displays traffic statistics on a system basis.
[System Statistics Menu]
     access   - System Access Menu
     mgmt     - Show management port stats
     ntp      - Show NTP server stats
     snmp     - Show SNMP stats
     dump     - Dump system stats

Table 5-2 System Statistics Menu Options (/stats/sys)


Command Syntax and Usage
access
Go to the System Access menu.
mgmt
Management port interface statistics.
ntp
Show NTP server statistics.
snmp
Show SNMP statistics.
dump
Dump system statistics.


/stats/port <port number>


Port Statistics Menu
This menu displays traffic statistics on a port-by-port basis. Traffic statistics include SNMP
Management Information Base (MIB) objects.
[Port Statistics Menu]
     brg      - Show bridging ("dot1") stats
     ether    - Show Ethernet ("dot3") stats
     if       - Show interface ("if") stats
     ip       - Show Internet Protocol ("IP") stats
     link     - Show link stats
     rmon     - Show RMON stats
     dump     - Dump port stats
     clear    - Clear all port stats

Table 5-3 Port Statistics Menu Options (/stats/port)


Command Syntax and Usage
brg
Displays bridging (dot1) statistics for the port. See page 156 for a sample output and the description of statistics.
ether
Displays Ethernet (dot3) statistics for the port. See page 157 for a sample output and the description of statistics.
if
Displays interface statistics for the port. See page 161 for a sample output and the description of
statistics.
ip
Displays IP statistics for the port. See page 162 for a sample output and the description of statistics.
link
Displays link statistics for the port. See page 163 for a sample output and the description of statistics.
rmon
Displays Remote Monitor (RMON) statistics for the port. See page 164 for a sample output and the
description of statistics.
dump
Displays all the port statistics.

clear
This command clears all the statistics on this port.

/stats/port <port number>/brg


Bridging Statistics
This menu option enables you to display the bridging statistics of the selected port.
Bridging statistics for port 1:
dot1PortInFrames:                       63242584
dot1PortOutFrames:                      63277826
dot1PortInDiscards:                     0
dot1TpLearnedEntryDiscards:             0
dot1BasePortDelayExceededDiscards:      NA
dot1BasePortMtuExceededDiscards:        NA
dot1StpPortForwardTransitions:          0

Table 5-4 Bridging Statistics of a Port (/stats/port/brg)


Statistics

Description

dot1PortInFrames

The number of frames that have been received by this port from its segment. A frame received on the interface corresponding to this port is only
counted by this object if and only if it is for a protocol being processed by
the local bridging function, including bridge management frames.

dot1PortOutFrames

The number of frames that have been transmitted by this port to its segment. Note that a frame transmitted on the interface corresponding to this
port is only counted by this object if and only if it is for a protocol being
processed by the local bridging function, including bridge management
frames.

dot1PortInDiscards

Count of valid frames received which were discarded (that is, filtered) by
the Forwarding Process.

dot1TpLearnedEntryDiscards

The total number of Forwarding Database entries, which have been or
would have been learnt, but have been discarded due to a lack of space to
store them in the Forwarding Database. If this counter is increasing, it
indicates that the Forwarding Database is regularly becoming full (a condition which has unpleasant performance effects on the subnetwork). If
this counter has a significant value but is not presently increasing, it indicates that the problem has been occurring but is not persistent.


dot1BasePortDelayExceededDiscards

The number of frames discarded by this port due to excessive transit
delay through the bridge. It is incremented by both transparent and source
route bridges.

dot1BasePortMtuExceededDiscards

The number of frames discarded by this port due to an excessive size. It is
incremented by both transparent and source route bridges.

dot1StpPortForwardTransitions

The number of times this port has transitioned from the Learning state to
the Forwarding state.

/stats/port <port number>/ether


Ethernet Statistics
This menu option enables you to display the Ethernet statistics of the selected port.
Ethernet statistics for port 1:
dot3StatsAlignmentErrors:               0
dot3StatsFCSErrors:                     0
dot3StatsSingleCollisionFrames:         0
dot3StatsMultipleCollisionFrames:       0
dot3StatsSQETestErrors:                 NA
dot3StatsDeferredTransmissions:         0
dot3StatsLateCollisions:                0
dot3StatsExcessiveCollisions:           0
dot3StatsInternalMacTransmitErrors:     NA
dot3StatsCarrierSenseErrors:            0
dot3StatsFrameTooLongs:                 0
dot3StatsInternalMacReceiveErrors:      0
dot3CollFrequencies [1-15]:             NA


Table 5-5 Ethernet Statistics for Port (/stats/port/ether)


Statistics

Description

dot3StatsAlignmentErrors

A count of frames received on a particular interface that are not
an integral number of octets in length and do not pass the Frame Check
Sequence (FCS) check.
The count represented by an instance of this object is incremented when
the alignmentError status is returned by the MAC service to the
Logical Link Control (LLC) (or other MAC user). Received frames for
which multiple error conditions are obtained are, according to the conventions of IEEE 802.3 Layer Management, counted exclusively according to the error status presented to the LLC.

dot3StatsFCSErrors

A count of frames received on a particular interface that are an integral
number of octets in length but do not pass the Frame Check Sequence
(FCS) check. This count does not include frames received with frame-too-long or frame-too-short errors.
The count represented by an instance of this object is incremented when
the frameCheckError status is returned by the MAC service to the
LLC (or other MAC user). Received frames for which multiple error conditions are obtained are, according to the conventions of IEEE 802.3
Layer Management, counted exclusively according to the error status presented to the LLC.
Note: Coding errors detected by the physical layer for speeds above 10
Mb/s will cause the frame to fail FCS check.

dot3StatsSingleCollisionFrames

A count of successfully transmitted frames on a particular interface for
which transmission is inhibited by exactly one collision.
A frame that is counted by an instance of this object is also counted by the
corresponding instance of either the ifOutUcastPkts, ifOutMulticastPkts, or ifOutBroadcastPkts, and is not counted by the
corresponding instance of the dot3StatsMultipleCollisionFrames object.
This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsMultipleCollisionFrames

A count of successfully transmitted frames on a particular interface for
which transmission is inhibited by more than one collision.
A frame that is counted by an instance of this object is also counted by the
corresponding instance of either the ifOutUcastPkts, ifOutMulticastPkts, or ifOutBroadcastPkts, and is not counted by the
corresponding instance of the dot3StatsSingleCollisionFrames object.
This counter does not increment when the interface is operating in full-duplex mode.


dot3StatsSQETestErrors

A count of times that the SQE TEST ERROR message is generated by the
PLS sub layer for a particular interface. The SQE TEST ERROR is set in
accordance with the rules for the verification of the SQE detection mechanism in the PLS Carrier Sense Function as described in IEEE Std. 802.3, 1998 Edition, section 7.2.4.6.
This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsDeferredTransmissions

A count of frames for which the first transmission attempt on a particular
interface is delayed because the medium is busy.
The count represented by an instance of this object does not include
frames involved in collisions.
This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsLateCollisions

The number of times that a collision is detected on a particular interface
later than one slotTime into the transmission of a packet.
Five hundred and twelve bit-times corresponds to 51.2 microseconds on a
10 Mbit/s system.
A (late) collision included in a count represented by an instance of this
object is also considered as a (generic) collision for purposes of other collision-related statistics.
This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsExcessiveCollisions

A count of frames for which transmission on a particular interface fails
due to excessive collisions.
This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsInternalMacTransmitErrors

A count of frames for which transmission on a particular interface fails
due to an internal MAC sub layer transmit error. A frame is only counted
by an instance of this object if it is not counted by the corresponding
instance of either the dot3StatsLateCollisions object, the
dot3StatsExcessiveCollisions object, or the dot3StatsCarrierSenseErrors object.
The precise meaning of the count represented by an instance of this object
is implementation-specific. In particular, an instance of this object may
represent a count of transmission errors on a particular interface that are
not otherwise counted.


dot3StatsCarrierSenseErrors

The number of times that the carrier sense condition was lost or never
asserted when attempting to transmit a frame on a particular interface.
The count represented by an instance of this object is incremented at most
once per transmission attempt, even if the carrier sense condition fluctuates during a transmission attempt.
This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsFrameTooLongs

A count of frames received on a particular interface that exceed the maximum permitted frame size.
The count represented by an instance of this object is incremented when
the frameTooLong status is returned by the MAC service to the LLC
(or other MAC user). Received frames for which multiple error conditions are obtained are, according to the conventions of IEEE 802.3 Layer
Management, counted exclusively according to the error status presented
to the LLC.

dot3StatsInternalMacReceiveErrors

A count of frames for which reception on a particular interface fails due
to an internal MAC sub layer receive error. A frame is only counted by an
instance of this object if it is not counted by the corresponding instance of
either the dot3StatsFrameTooLongs object, the dot3StatsAlignmentErrors object, or the dot3StatsFCSErrors object.
The precise meaning of the count represented by an instance of this object
is implementation-specific. In particular, an instance of this object may
represent a count of received errors on a particular interface that are not
otherwise counted.

dot3CollFrequencies

A count of individual MAC frames for which the transmission
(successful or otherwise) on a particular interface occurs after the frame
has experienced exactly the number of collisions specified by the index.
For example, a frame which is transmitted after experiencing exactly 4
collisions would be indicated by incrementing only
dot3CollFrequencies [4]. No other instance of
dot3CollFrequencies would be incremented in this example.
This counter does not increment when the interface is operating in full-duplex mode.


/stats/port <port number>/if


Interface Statistics
This menu option enables you to display the interface statistics of the selected port.
Interface statistics for port 1:
                     ifHCIn Counters       ifHCOut Counters
Octets:                  51697080313            51721056808
UcastPkts:                  65356399               65385714
BroadcastPkts:                     0                   6516
MulticastPkts:                     0                      0
Discards:                          0                      0
Errors:                            0                      0

Table 5-6 Interface Statistics for Port (/stats/port/if)


Statistics

Description

ifHCInOctets

The number of octets in valid MAC frames received on the interface,
including the MAC header and FCS. This does include the number of
octets in valid MAC Control frames received on this interface.

ifHCInUcastPkts

The number of packets, delivered by this sub-layer to a higher sub-layer,
which were not addressed to a multicast or broadcast address at this sub-layer.

ifHCInBroadcastPkts

The number of packets, delivered by this sub-layer to a higher sub-layer,
which were addressed to a broadcast address at this sub-layer.

ifHCInMulticastPkts

The number of packets delivered by this sub-layer to a higher (sub) layer,
which were addressed to a multicast address at this sub-layer. For a MAC
layer protocol, this includes both Group and Functional addresses.

ifHCInDiscards

The number of inbound packets which were chosen to be discarded even
though no errors had been detected to prevent their being delivered to a
higher-layer protocol. One possible reason for discarding such a packet
could be to free up buffer space.

ifHCInErrors

The sum for this interface of dot3StatsAlignmentErrors,
dot3StatsFCSErrors, dot3StatsFrameTooLongs,
dot3StatsInternalMacReceiveErrors and
dot3StatsSymbolErrors.

ifHCOutOctets

The number of octets transmitted in valid MAC frames on this interface,
including the MAC header and FCS. This does not include the number of
octets in valid MAC Control frames transmitted on this interface.


ifHCOutUcastPkts

The total number of packets that higher-level protocols requested to be
transmitted, and which were not addressed to a multicast or broadcast
address at this sub-layer, including those that were discarded or not sent.

ifHCOutBroadcastPkts

The total number of packets that higher-level protocols requested to be
transmitted, and which were addressed to a broadcast address at this sub-layer, including those that were discarded or not sent.

ifHCOutMulticastPkts

The total number of packets that higher-level protocols requested to be
transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent. For a MAC layer
protocol, this includes both Group and Functional addresses.

ifHCOutDiscards

The number of outbound packets which were chosen to be discarded even
though no errors had been detected to prevent their being transmitted.
One possible reason for discarding such a packet could be to free up
buffer space.

ifHCOutErrors

The sum for this interface of: dot3StatsSQETestErrors,
dot3StatsLateCollisions,
dot3StatsExcessiveCollisions,
dot3StatsInternalMacTransmitErrors and
dot3StatsCarrierSenseErrors.

/stats/port <port number>/ip


Interface Protocol Statistics
This menu option enables you to display the interface statistics of the selected port.
IP statistics for port 1:
ipInReceives:                           0
ipInAddrErrors:                         0
ipForwDatagrams:                        0
ipInUnknownProtos:                      0
ipInDiscards:                           0
ipInDelivers:                           0
ipTtlExceeds:                           0
ipLANDattacks:                          0

Table 5-7 Interface Protocol Statistics (/stats/port/ip)


Statistics

Description

ipInReceives

The total number of input datagrams received from interfaces, including
those received in error.


ipInAddrErrors

The number of input datagrams discarded because the IP address in their
IP header's destination field was not a valid address to be received at this
entity (the switch). This count includes invalid addresses (for example,
0.0.0.0) and addresses of unsupported Classes (for example, Class E). For
entities which are not IP Gateways and therefore do not forward datagrams, this counter includes datagrams discarded because the destination
address was not a local address.

ipForwDatagrams

The number of input datagrams for which this entity (the switch) was not
their final IP destination, as a result of which an attempt was made to find
a route to forward them to that final destination. In entities which do not
act as IP Gateways, this counter will include only those packets which
were Source-Routed via this entity (the switch), and the Source-Route
option processing was successful.

ipInUnknownProtos

The number of locally-addressed datagrams received successfully but
discarded because of an unknown or unsupported protocol.

ipInDiscards

The number of input IP datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (for
example, for lack of buffer space). Note that this counter does not include
any datagrams discarded while awaiting re-assembly.

ipInDelivers

The total number of input datagrams successfully delivered to IP user-protocols (including ICMP).

ipTtlExceeds

The number of IP datagrams for which an ICMP TTL exceeded message was sent.

ipLANDattacks

The number of packets that have the same source and destination IP
address.

/stats/port <port number>/link


Link Statistics
This menu enables you to display the link statistics of the selected port.
Link statistics for port 1:
linkStateChange:


Table 5-8 Link Statistics (/stats/port/link)


Statistics

Description

linkStateChange

The total number of link state changes.

/stats/port <port number>/rmon


RMON Statistics
This menu option enables you to display the remote monitor statistics of the selected port.
RMON statistics for port 1:
etherStatsDropEvents:                   0
etherStatsOctets:                       129677
etherStatsPkts:                         1485
etherStatsBroadcastPkts:                734
etherStatsMulticastPkts:                712
etherStatsCRCAlignErrors:               0
etherStatsUndersizePkts:                0
etherStatsOversizePkts:                 0
etherStatsFragments:                    0
etherStatsJabbers:                      0
etherStatsCollisions:                   0
etherStatsPkts64Octets:                 954
etherStatsPkts65to127Octets:            578
etherStatsPkts128to255Octets:           35
etherStatsPkts256to511Octets:           26
etherStatsPkts512to1023Octets:          16
etherStatsPkts1024to1518Octets:         8

Table 5-9 Remote Monitor Statistics (/stats/port/rmon)


Statistics

Description

etherStatsDropEvents

The total number of events in which packets were dropped by the probe
due to lack of resources. Note that this number is not necessarily the number of packets dropped; it is just the number of times this condition has
been detected.


etherStatsOctets

The total number of octets of data (including those in bad packets)
received on the network (excluding framing bits but including FCS
octets).
This object can be used as a reasonable estimate of utilization (which is
the percent utilization of the ethernet segment). If greater precision is
desired, the etherStatsPkts and etherStatsOctets objects
should be sampled before and after a common interval. The differences in
the sampled values are Pkts and Octets, respectively, and the number
of seconds in the interval is Interval. These values are used to calculate the utilization as follows:

$$\text{Utilization} = \frac{\text{Pkts} \times (9.6 + 6.4) + (\text{Octets} \times 0.8)}{\text{Interval} \times 10{,}000}$$

The result of this equation is the percent value of utilization.

etherStatsPkts

The total number of packets (including bad packets, broadcast packets,
and multicast packets) received.

etherStatsBroadcastPkts

The total number of good packets received that were directed to the
broadcast address. Note that this does not include multicast packets.

etherStatsMulticastPkts

The total number of good packets received that were directed to a multicast address. Note that this number does not include packets directed to
the broadcast address.

etherStatsCRCAlignErrors

The total number of packets received that had a length (excluding framing bits, but including Frame Check Sequence (FCS) octets) of between
64 and 1518 octets, inclusive, but had either a bad Frame Check
Sequence (FCS) with an integral number of octets (FCS Error) or a bad
FCS with a non-integral number of octets (Alignment Error).

etherStatsUndersizePkts

The total number of packets received that were less than 64 octets long
(excluding framing bits, but including FCS octets) and were otherwise
well formed.

etherStatsOversizePkts

The total number of packets received that were longer than 1518 octets
(excluding framing bits, but including FCS octets) and were otherwise
well formed.


etherStatsFragments

The total number of packets received that were less than 64 octets in
length (excluding framing bits but including FCS octets) and had either a
bad Frame Check Sequence (FCS) with an integral number of octets
(FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).
Note that it is entirely normal for etherStatsFragments to increment. This is because it counts both runts (which are normal occurrences
due to collisions) and noise hits. (A runt is a packet that is less than 64
bytes.)

etherStatsJabbers

The total number of packets received that were longer than 1518 octets
(excluding framing bits, but including FCS octets), and had either a bad
Frame Check Sequence (FCS) with an integral number of octets (FCS
Error) or a bad FCS with a non-integral number of octets (Alignment
Error).
Note that this definition of jabber is different than the definition in IEEE 802.3 section 8.2.1.5 (10Base-5) and section 10.3.1.4 (10Base-2). These
documents define jabber as the condition where any packet exceeds 20
ms. The allowed range to detect jabber is between 20 milliseconds and
150 milliseconds.

etherStatsCollisions

The best estimate of the total number of collisions on this Ethernet segment.
The value returned will depend on the location of the RMON probe. Section 8.2.1.3 (10Base-5) and section 10.3.1.3 (10Base-2) of IEEE standard
802.3 states that a station must detect a collision, in the receive mode, if
three or more stations are transmitting simultaneously. A repeater port
must detect a collision when two or more stations are transmitting simultaneously. Thus a probe placed on a repeater port could record more collisions than a probe connected to a station on the same segment would.
Probe location plays a much smaller role when considering 10Base-T.
14.2.1.4 (10Base-T) of IEEE standard 802.3 defines a collision as the
simultaneous presence of signals on the DO and RD circuits (transmitting
and receiving at the same time). A 10Base-T station can only detect collisions when it is transmitting. Thus probes placed on a station and a
repeater, should report the same number of collisions.
Note also that an RMON probe inside a repeater should ideally report collisions between the repeater and one or more other hosts (transmit collisions as defined by IEEE 802.3k) plus receiver collisions observed on
any coax segments to which the repeater is connected.

etherStatsPkts64Octets

The total number of packets (including bad packets) received that were
64 octets in length (excluding framing bits but including Frame Check
Sequence (FCS) octets).


etherStatsPkts65to127Octets

The total number of packets (including bad packets) received that were
between 65 and 127 octets in length (excluding framing bits but including
FCS octets).

etherStatsPkts128to255Octets

The total number of packets (including bad packets) received that were
between 128 and 255 octets in length (excluding framing bits but including Frame Check Sequence (FCS) octets).

etherStatsPkts256to511Octets

The total number of packets (including bad packets) received that were
between 256 and 511 octets in length (excluding framing bits but including FCS octets).

etherStatsPkts512to1023Octets

The total number of packets (including bad packets) received that were
between 512 and 1023 octets in length (excluding framing bits but including FCS octets).

etherStatsPkts1024to1518Octets

The total number of packets (including bad packets) received that were
between 1024 and 1518 octets in length (excluding framing bits but
including FCS octets).


/stats/port <port number>/dump


Port Dump Statistics
Bridging statistics for port 1:
dot1PortInFrames:                       1284
dot1PortOutFrames:                      142
dot1PortInDiscards:                     130
dot1TpLearnedEntryDiscards:             0
dot1BasePortDelayExceededDiscards:      NA
dot1BasePortMtuExceededDiscards:        NA
dot1StpPortForwardTransitions:          2
------------------------------------------------------------------
Ethernet statistics for port 1:
dot3StatsAlignmentErrors:               0
dot3StatsFCSErrors:                     0
dot3StatsSingleCollisionFrames:         0
dot3StatsMultipleCollisionFrames:       0
dot3StatsSQETestErrors:                 NA
dot3StatsDeferredTransmissions:         0
dot3StatsLateCollisions:                0
dot3StatsExcessiveCollisions:           0
dot3StatsInternalMacTransmitErrors:     NA
dot3StatsCarrierSenseErrors:            1
dot3StatsFrameTooLongs:                 0
dot3StatsInternalMacReceiveErrors:      0
dot3CollFrequencies [1-15]:             NA
------------------------------------------------------------------
Interface statistics for port 1:
                     ifHCIn Counters       ifHCOut Counters
Octets:                       124166                  19560
UcastPkts:                        39                     27
BroadcastPkts:                   631                     14
MulticastPkts:                   614                    101
Discards:                        130                      0
Errors:                            1                      0
------------------------------------------------------------------
IP statistics for port 1:
ipInReceives:                           0
ipInAddrErrors:                         0
ipForwDatagrams:                        0
ipInUnknownProtos:                      0
ipInDiscards:                           0
ipInDelivers:                           0
ipTtlExceeds:                           0
ipLANDattacks:                          0
------------------------------------------------------------------
Link statistics for port 1:
linkStateChange:                        3
------------------------------------------------------------------

RMON statistics for port 1:
etherStatsDropEvents:                             0
etherStatsOctets:                            123840
etherStatsPkts:                                1406
etherStatsBroadcastPkts:                        698
etherStatsMulticastPkts:                        669
etherStatsCRCAlignErrors:                         0
etherStatsUndersizePkts:                          0
etherStatsOversizePkts:                           0
etherStatsFragments:                              0
etherStatsJabbers:                                0
etherStatsCollisions:                             0
etherStatsPkts64Octets:                         906
etherStatsPkts65to127Octets:                    548
etherStatsPkts128to255Octets:                    35
etherStatsPkts256to511Octets:                    25
etherStatsPkts512to1023Octets:                   16
etherStatsPkts1024to1518Octets:                   8


/stats/pmirr
Port mirroring statistics menu
This menu displays port mirroring statistics for all ports.
[Port Mirroring Statistics Menu]
     dump     - Show port mirroring stats
     clear    - Clear all port mirroring stats

Table 5-10 PMIRR Statistics Menu Options (/stats/pmirr)


Command Syntax and Usage
dump
Displays all mirrored port statistics.
clear
Clears the port statistics.

/stats/l2
Layer 2 Statistics Menu
[Layer 2 Statistics Menu]
     fdb      - Show FDB stats
     lacp     - Show LACP stats
     stg      - Show STG stats
     dump     - Dump layer 2 stats

Table 5-11 Layer 2 Statistics Menu Options (/stats/l2)


Command Syntax and Usage
fdb
Displays Forwarding Database statistics. To view statistics and their description, see page 171.
lacp <port number (1 to max num ports)>
Displays Link Aggregation Control Protocol statistics. To view statistics and their description, see
page 172.
stg
Displays Spanning Tree Group statistics. To view statistics and their description, see page 173.

dump
Dump the Layer 2 statistics.

/stats/l2/fdb
FDB Statistics
FDB statistics:
 creates:            9611   deletes:            9553
 current:              58   hiwat:                65
 lookups:          850254   lookup fails:     151373
 finds:              5832   find fails:            0
 find_or_c's:       11874   overflows:             0
 max:               16384

This menu option enables you to display statistics regarding the use of the forwarding database, including the number of new entries, finds, and unsuccessful searches.
FDB statistics are described in the following table:
Table 5-12 Forwarding Database Statistics (/stats/l2/fdb)
Statistic

Description

creates

Number of entries created in the Forwarding Database.

current

Current number of entries in the Forwarding Database.

lookups

Number of entry lookups in the Forwarding Database.

finds

Number of successful searches in the Forwarding Database.

find_or_cs

Number of entries found or created in the Forwarding Database.

deletes

Number of entries deleted from the Forwarding Database.

hiwat

Highest number of entries recorded at any given time in the Forwarding
Database.

lookup fails

Number of unsuccessful searches made in the Forwarding Database.

find fails

Number of search failures in the Forwarding Database.

overflows

Number of entries overflowing the Forwarding Database.


max

Maximum number of Forwarding Database entries supported by the switch.

/stats/l2/lacp
LACP Statistics
>> Layer 2 Statistics# lacp 1
port 1
Valid LACPDUs received                 9394
Valid Marker PDUs received                0
Valid Marker Rsp PDUs received            0
Unknown version/TLV type                  0
Illegal subtype received                  0
LACPDUs transmitted                    8516
Marker PDUs transmitted                   0
Marker Rsp PDUs transmitted               0

Table 5-13 LACP Statistics Parameters (/stats/l2/lacp)


Field

Description

Valid LACPDUs received

The number of LACPDUs that the switch received on this port.

Valid Marker PDUs received

The number of valid Marker PDUs that the switch received on this port.

Valid Marker Rsp PDUs received

The number of valid Marker Responses that the switch received on this port.

Unknown version/TLV type

The number of unknown version or TLV types that the switch received on this port.

Illegal subtype received

The number of illegal LACP subtypes received on this port.

LACPDUs transmitted

The number of LACPDUs transmitted out of this port.

Marker PDUs transmitted

The number of Marker PDUs transmitted out of this port.

Marker Rsp PDUs transmitted

The number of Marker Responses transmitted out of this port.


/stats/l2/stg
Spanning Tree Group Statistics
Spanning Tree Group 1:
Port     Rcv Cfg    Rcv TCN    Xmt Cfg    Xmt TCN
-----  ---------- ---------- ---------- ----------
    1           0          0          0          0
    2           0          0          0          0
    3           0          0          0          0
    4           0          0          0          0
    5           0          0          0          0
    6           0          0          0          0
    7           0          0          0          0
    8           0          0          0          0
    9      139046        176         27         15
   10           0          0          0          0
   11           0          0          0          0
   12           0          0          0          0
   13           0          0          0          0
   14           0          0          0          0
   15           0          0          0          0
   16           0          0          0          0
   17           0          0          0          0
   18           0          0          0          0
   19           0          0          0          0
   20           0          0          0          0
   21           0          0          0          0
   22           0          0          0          0
   23           0          0          0          0
   24           0          0          0          0
   25           0          0          0          0
   26           0          0          0          0
   27           0          0          0          0
   28           0          0          0          0

Table 5-14 Spanning Tree Group Statistics Parameters (/stats/l2/stg)


Field

Description

Port

Displays the port number.

Rcv Cfg

Displays the number of configuration BPDUs received.

Rcv TCN

Displays the number of TCN (Topology Change Notification) messages received.

Xmt Cfg

Displays the number of configuration BPDUs transmitted.


Xmt TCN

Displays the number of TCN (Topology Change Notification) messages transmitted.

/stats/l3
Layer 3 Statistics Menu
[Layer 3 Statistics Menu]
     ospf     - OSPF Statistics Menu
     ip       - Show IP stats
     ip6      - Show IP6 stats
     route    - Show route stats
     arp      - Show ARP stats
     vrrp     - Show VRRP stats
     dns      - Show DNS stats
     icmp     - Show ICMP stats
     if       - Show IP interface ("if") stats
     tcp      - Show TCP stats
     udp      - Show UDP stats
     ifclear  - Clear IP interface ("if") stats
     ipclear  - Clear IP stats
     dump     - Dump layer 3 stats

Table 5-15 Layer 3 Statistics Menu (/stats/l3)


Command Syntax and Usage
ospf
Displays the OSPF Statistics Menu. See page 176 for sample output.
ip
Displays IP statistics. See page 181 for sample output.
ip6
Displays IP6 statistics. See page 184 for sample output.
route
Displays route statistics. See page 189 for sample output.
arp
Displays Address Resolution Protocol (ARP) statistics. See page 190 for sample output.

vrrp
When virtual routers are configured, you can display the following protocol statistics for VRRP:
Advertisements received (vrrpInAdvers)
Advertisements transmitted (vrrpOutAdvers)
Advertisements received, but ignored (vrrpBadAdvers)

See page 191 for sample output.


dns
Displays Domain Name Server/System (DNS) statistics. See page 192 for sample output.
icmp
Displays ICMP statistics. See page 193 for sample output.
if <interface number (1-256)>
Displays IP interface statistics for the management processors. See page 195 for sample output.
tcp
Displays TCP statistics. See page 197 for sample output.
udp
Displays UDP statistics. See page 199 for sample output.
ifclear
Clears IP interface statistics. Use this command with caution as it will delete all the IP interface
statistics.
ipclear
Clears IP statistics. Use this command with caution as it will delete all the IP statistics.
dump
Dumps all Layer 3 switch statistics. Use this command to gather data for tuning and debugging
Layer 3 switch performance. If you want to capture dump data to a file, set your communication
software on your workstation to capture session data prior to issuing the dump command.


/stats/l3/ospf
OSPF Statistics Menu
[OSPF stats Menu]
     general  - Show global stats
     aindex   - Show area(s) stats
     if       - Show interface(s) stats

Table 5-16 OSPF Statistics Menu (/stats/l3/ospf)


Command Syntax and Usage
general
Displays global statistics. See page 177 for sample output and details.
aindex <area index (0-2)>
Displays area index statistics.
if <interface number (1-256)>
Displays interface statistics.


/stats/l3/ospf/general
OSPF Global Statistics
The OSPF General Statistics contain the sum total of all OSPF packets received on all OSPF
areas and interfaces.
OSPF stats
----------
Rx/Tx Stats:                  Rx          Tx
                        --------    --------
 Pkts                          0           0
 hello                        23         518
 database                      4          12
 ls requests                   3           1
 ls acks                       7           7
 ls updates                    9           7

Nbr change stats:
 hello                         2
 start                         0
 n2way                         2
 adjoint ok                    2
 negotiation done              2
 exchange done                 2
 bad requests                  0
 bad sequence                  0
 loading done                  2
 n1way                         0
 rst_ad                        0
 down                          1

Intf change Stats:
 hello                         4
 down                          2
 loop                          0
 unloop                        0
 wait timer                    2
 backup                        0
 nbr change                    5

Timers kickoff
 hello                       514
 retransmit                 1028
 lsa lock                      0
 lsa ack                       0
 dbage                         0
 summary                       0
 ase export                    0


Table 5-17 OSPF General Statistics (/stats/l3/ospf/general)


Statistics

Description

Rx/Tx Stats:
Rx Pkts

The sum total of all OSPF packets received on all OSPF areas and interfaces.

Tx Pkts

The sum total of all OSPF packets transmitted on all OSPF areas and
interfaces.

Rx Hello

The sum total of all Hello packets received on all OSPF areas and interfaces.

Tx Hello

The sum total of all Hello packets transmitted on all OSPF areas and
interfaces.

Rx Database

The sum total of all Database Description packets received on all OSPF
areas and interfaces.

Tx Database

The sum total of all Database Description packets transmitted on all
OSPF areas and interfaces.

Rx ls Requests

The sum total of all Link State Request packets received on all OSPF
areas and interfaces.

Tx ls Requests

The sum total of all Link State Request packets transmitted on all OSPF
areas and interfaces.

Rx ls Acks

The sum total of all Link State Acknowledgement packets received on all
OSPF areas and interfaces.

Tx ls Acks

The sum total of all Link State Acknowledgement packets transmitted on
all OSPF areas and interfaces.

Rx ls Updates

The sum total of all Link State Update packets received on all OSPF areas
and interfaces.

Tx ls Updates

The sum total of all Link State Update packets transmitted on all OSPF
areas and interfaces.


Nbr Change Stats:


hello

The sum total of all Hello packets received from neighbors on all OSPF
areas and interfaces.

Start

The sum total number of neighbors in this state (that is, an indication that
Hello packets should now be sent to the neighbor at intervals of HelloInterval seconds) across all OSPF areas and interfaces.

n2way

The sum total number of bidirectional communication establishments
between this router and other neighboring routers.

adjoint ok

The sum total number of decisions to be made (again) as to whether an
adjacency should be established/maintained with the neighbor across all
OSPF areas and interfaces.

negotiation done

The sum total number of neighbors in this state wherein the Master/slave
relationship has been negotiated, and sequence numbers have been
exchanged, across all OSPF areas and interfaces.

exchange done

The sum total number of neighbors in this state (that is, in an adjacency's
final state) having transmitted a full sequence of Database Description
packets, across all OSPF areas and interfaces.

bad requests

The sum total number of Link State Requests which have been received
for a link state advertisement not contained in the database across all
interfaces and OSPF areas.

bad sequence

The sum total number of Database Description packets which have been
received that either:
a) Have an unexpected DD sequence number
b) Unexpectedly have the init bit set
c) Have an Options field differing from the last Options field
received in a Database Description packet.
Any of these conditions indicates that some error has occurred during
adjacency establishment for all OSPF areas and interfaces.

loading done

The sum total number of link state updates received for all out-of-date
portions of the database across all OSPF areas and interfaces.

n1way

The sum total number of Hello packets received from neighbors, in which
this router is not mentioned across all OSPF interfaces and areas.

rst_ad

The sum total number of times the Neighbor adjacency has been reset
across all OSPF areas and interfaces.


down

The total number of Neighboring routers down (that is, in the initial
state of a neighbor conversation) across all OSPF areas and interfaces.

Intf Change Stats:


hello

The sum total number of Hello packets sent on all interfaces and areas.

down

The sum total number of interfaces down in all OSPF areas.

loop

The sum total of interfaces no longer connected to the attached network
across all OSPF areas and interfaces.

unloop

The sum total number of interfaces connected to the attached network in
all OSPF areas.

wait timer

The sum total number of times the Wait Timer has been fired, indicating
the end of the waiting period that is required before electing a (Backup)
Designated Router across all OSPF areas and interfaces.

backup

The sum total number of Backup Designated Routers on the attached network for all OSPF areas and interfaces.

nbr change

The sum total number of changes in the set of bidirectional neighbors
associated with any interface across all OSPF areas.

Timers Kickoff:
hello

The sum total number of times the Hello timer has been fired (which triggers the sending of a Hello packet) across all OSPF areas and interfaces.

retransmit

The sum total number of times the Retransmit timer has been fired across
all OSPF areas and interfaces.

lsa lock

The sum total number of times the Link State Advertisement (LSA) lock
timer has been fired across all OSPF areas and interfaces.

lsa ack

The sum total number of times the LSA Ack timer has been fired across
all OSPF areas and interfaces.

dbage

The total number of times the database age (Dbage) timer has been fired.

summary

The total number of times the Summary timer has been fired.

ase export

The total number of times the Autonomous System Export (ASE) timer
has been fired.


/stats/l3/ip
IP Statistics
IP statistics:
ipInReceives:          3115873   ipInHdrErrors:               1
ipInAddrErrors:          35447   ipForwDatagrams:             0
ipInUnknownProtos:      500504   ipInDiscards:                0
ipInDelivers:          2334166   ipOutRequests:         1010542
ipOutDiscards:               4   ipOutNoRoutes:               4
ipReasmReqds:                0   ipReasmOKs:                  0
ipReasmFails:                0   ipFragOKs:                   0
ipFragFails:                 0   ipFragCreates:               0
ipRoutingDiscards:           0   ipDefaultTTL:              255
ipReasmTimeout:              5

Table 5-18 IP Statistics (/stats/l3/ip)


Statistics

Description

ipInReceives

The total number of input datagrams received from interfaces, including
those received in error.

ipInHdrErrors

The number of input datagrams discarded due to errors in their IP headers, including bad checksums, version number mismatch, other format
errors, time-to-live exceeded, errors discovered in processing their IP
options, and so forth.

ipInAddrErrors

The number of input datagrams discarded because the IP address in their
IP header's destination field was not a valid address to be received at this
entity (the switch). This count includes invalid addresses (for example,
0.0.0.0) and addresses of unsupported Classes (for example, Class E). For
entities which are not IP Gateways and therefore do not forward datagrams, this counter includes datagrams discarded because the destination
address was not a local address.

ipForwDatagrams

The number of input datagrams for which this entity (the switch) was not
their final IP destination, as a result of which an attempt was made to find
a route to forward them to that final destination. In entities which do not
act as IP Gateways, this counter will include only those packets which
were Source-Routed via this entity (the switch), and the Source-Route
option processing was successful.

ipInUnknownProtos

The number of locally addressed datagrams received successfully but discarded because of an unknown or unsupported protocol.


ipInDiscards

The number of input IP datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (for
example, for lack of buffer space). Note that this counter does not include
any datagrams discarded while awaiting re-assembly.

ipInDelivers

The total number of input datagrams successfully delivered to IP user-protocols (including ICMP).

ipOutRequests

The total number of IP datagrams which local IP user-protocols (including ICMP) supplied to IP in requests for transmission. Note that this
counter does not include any datagrams counted in ipForwDatagrams.

ipOutDiscards

The number of output IP datagrams for which no problem was
encountered to prevent their transmission to their destination, but which
were discarded (for example, for lack of buffer space). Note that this
counter would include datagrams counted in ipForwDatagrams if any
such packets met this (discretionary) discard criterion.

ipOutNoRoutes

The number of IP datagrams discarded because no route could be found
to transmit them to their destination. Note that this counter includes any
packets counted in ipForwDatagrams, which meet this no-route criterion. Note that this includes any datagrams which a host cannot route
because all of its default gateways are down.

ipReasmReqds

The number of IP fragments received which needed to be reassembled at
this entity (the switch).

ipReasmOKs

The number of IP datagrams successfully reassembled.

ipReasmFails

The number of failures detected by the IP reassembly algorithm (for
whatever reason: timed out, errors, and so forth). Note that this is not necessarily a count of discarded IP fragments since some algorithms (notably
the algorithm in RFC 815) can lose track of the number of fragments by
combining them as they are received.

ipFragOKs

The number of IP datagrams that have been successfully fragmented at
this entity (the switch).

ipFragFails

The number of IP datagrams that have been discarded because they
needed to be fragmented at this entity (the switch) but could not be, for
example, because their Don't Fragment flag was set.

ipFragCreates

The number of IP datagram fragments that have been generated as a
result of fragmentation at this entity (the switch).


ipRoutingDiscards

The number of routing entries which were chosen to be discarded even
though they are valid. One possible reason for discarding such an entry
could be to free up buffer space for other routing entries.

ipDefaultTTL

The default value inserted into the Time-To-Live (TTL) field of the
IP header of datagrams originated at this entity (the switch), whenever a
TTL value is not supplied by the transport layer protocol.

ipReasmTimeout

The maximum number of seconds that received fragments are held
while they are awaiting reassembly at this entity (the switch).


/stats/l3/ip6
IP6 Statistics Menu
>> Layer 3 Statistics# /stat/l3/ip6
------------------------------------------------------------------
IP6 statistics:
InReceives:                20519   InDiscards:                    2
InDelivers:                24793   ForwDatagrams:                 0
UnknownProtos:                 0   InAddrErrors:                  0
OutRequests:               34548   OutNoRoutes:                   0
ReasmOKs:                      0   ReasmFails:                    0
IcmpInMsgs:                24793   IcmpInErrors:               4268
IcmpOutMsgs:               12829   IcmpOutErrors:              4271
InEchos:                       0   OutEchos:                   8538
InEchoReplies:              8536   OutEchoReplies:                0
InDestUnreachs:             4268   OutDestUnreachs:            4271
InPktTooBigs:                  0   OutPktTooBigs:                 0
InTimeExcds:                   0   OutTimeExcds:                  0
------------------------------------------------------------------
ICMP6 statistics:
Interface: 1
InMsgs:                    18929   InErrors:                      0
InEchos:                       0   InEchoReplies:              4268
InNeighborSolicits:         4513   InNeighborAdvertisements:   4271
InRouterSolicits:              0   InRouterAdvertisements:     5877
InDestUnreachs:                0   InTimeExcds:                   0
InPktTooBigs:                  0   InParmProblems:                0
InRedirects:                   0
OutMsgs:                    4280   OutErrors:                     0
OutEchos:                   4269   OutEchoReplies:                0
OutNeighborSolicits:           3   OutNeighborAdvertisements:  4516
OutRouterSolicits:             0   OutRouterAdvertisements:       1
OutRedirects:                  0
------------------------------------------------------------------
Interface: 7
InMsgs:                     5864   InErrors:                   4268
InEchos:                       0   InEchoReplies:              4268
InNeighborSolicits:          122   InNeighborAdvertisements:      3
InRouterSolicits:              0   InRouterAdvertisements:     1471
InDestUnreachs:             4268   InTimeExcds:                   0
InPktTooBigs:                  0   InParmProblems:                0
InRedirects:                   0
OutMsgs:                    8549   OutErrors:                  4271
OutEchos:                   4269   OutEchoReplies:                0
OutNeighborSolicits:           2   OutNeighborAdvertisements:   124
OutRouterSolicits:             0   OutRouterAdvertisements:       1
OutRedirects:                  0
------------------------------------------------------------------
IP6 gateway health check statistics:
gateway  5 echo-req     4269 echo-resp     4268 fails        0
gateway  7 echo-req     4269 echo-resp        0 fails     4268


Table 5-19 IPv6 Statistics (/stats/l3/ip6)


Statistics

Description

IP6 Statistics Section


InReceives

The total number of input datagrams received by the interface,
including those received in error.

InDelivers

The total number of datagrams successfully delivered to IPv6 user-protocols (including ICMP). This counter is incremented at the
interface to which these datagrams were addressed which might not
be necessarily the input interface for some of the datagrams.

UnknownProtos

The number of locally-addressed datagrams received successfully
but discarded because of an unknown or unsupported protocol. This
counter is incremented at the interface to which these datagrams
were addressed which might not be necessarily the input interface
for some of the datagrams.

OutRequests

The total number of IPv6 datagrams which local IPv6 user-protocols
(including ICMP) supplied to IPv6 in requests for transmission.
Note that this counter does not include any datagrams counted in
ipv6IfStatsOutForwDatagrams.

ReasmOKs

The number of IPv6 datagrams successfully reassembled. Note that
this counter is incremented at the interface to which these datagrams
were addressed which might not be necessarily the input interface
for some of the fragments.

InDiscards

The number of input IPv6 datagrams for which no problems were
encountered to prevent their continued processing, but which were
discarded (e.g., for lack of buffer space). Note that this counter does
not include any datagrams discarded while awaiting re-assembly.

ForwDatagrams

The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as
IPv6 routers, this counter will include only those packets which
were Source-Routed via this entity, and the Source-Route processing
was successful. Note that for a successfully forwarded datagram the
counter of the outgoing interface is incremented.

InAddrErrors

The number of input datagrams discarded because the IPv6 address
in their IPv6 header's destination field was not a valid address to be
received at this entity. This count includes invalid addresses (e.g.,
::0) and unsupported addresses (e.g., addresses with unallocated prefixes). For entities which are not IPv6 routers and therefore do not
forward datagrams, this counter includes datagrams discarded
because the destination address was not a local address.


OutNoRoutes

The number of locally generated IP datagrams discarded because no
route could be found to transmit them to their destination.

ReasmFails

The number of failures detected by the IPv6 re-assembly algorithm
(for whatever reason: timed out, errors, etc.). Note that this is not
necessarily a count of discarded IPv6 fragments since
some algorithms (notably the algorithm in RFC 815) can lose track
of the number of fragments by combining them as they are received.
This counter is incremented at the interface to which these fragments
were addressed which might not be necessarily the input interface
for some of the fragments.

IcmpInMsgs

The total number of ICMP messages received by the interface which
includes all those counted by ipv6IfIcmpInErrors. Note that this
interface is the interface to which the ICMP messages were
addressed which may not be necessarily the input interface for the
messages.

IcmpOutMsgs

The total number of ICMP messages which this interface attempted
to send. Note that this counter includes all those counted
by icmpOutErrors.

IcmpInErrors

The number of ICMP messages which the interface received but
determined as having ICMP-specific errors (bad ICMP checksums,
bad length, etc.).

IcmpOutErrors

The number of ICMP messages which this interface did not send due
to problems discovered within ICMP such as a lack of buffers. This
value should not include errors discovered outside the ICMP layer
such as the inability of IPv6 to route the resultant datagram. In some
implementations there may be no types of error which contribute to
this counter's value.

IcmpInEchos

The number of ICMP Echo (request) messages received by the interface.

ICMP6 Statistics Section


InMsgs

The total number of ICMP messages received by the interface which
includes all those counted by ipv6IfIcmpInErrors. Note that this
interface is the interface to which the ICMP messages were
addressed which may not be necessarily the input interface for the
messages.

InNeighborSolicits

The number of ICMP Neighbor Solicit messages received by the
interface.


InRouterSolicits

The number of ICMP Router Solicit messages received by the interface.

InDestUnreachs

The number of ICMP Destination Unreachable messages received
by the interface.

InPktTooBigs

The number of ICMP Packet Too Big messages received by the
interface.

InRedirects

The number of Redirect messages received by the interface.

InErrors

The number of ICMP messages which the interface received but
determined as having ICMP-specific errors (bad ICMP checksums,
bad length, etc.).

InEchoReplies

The number of ICMP Echo Reply messages received by the interface.

InNeighborAdvertisements

The number of ICMP Neighbor Advertisement messages received
by the interface.

InRouterAdvertisements

The number of ICMP Router Advertisement messages received by
the interface.

InTimeExcds

The number of ICMP Time Exceeded messages received by the
interface.

InParmProblems

The number of ICMP Parameter Problem messages received by the
interface.

OutMsgs

The total number of ICMP messages which this interface attempted
to send.

OutEchos

The number of ICMP Echo Request messages sent by the interface.

OutNeighborSolicits

The number of ICMP Neighbor Solicitation messages sent by the
interface.

OutRouterSolicits

The number of ICMP Router Solicitation messages sent by
the interface.

OutRedirects

The number of Redirect messages sent. For a host, this object will
always be zero, since hosts do not send redirects.


OutErrors

The number of ICMP messages which this interface did not send due
to problems discovered within ICMP such as a lack of buffers. This
value should not include errors discovered outside the ICMP layer
such as the inability of IPv6 to route the resultant datagram. In some
implementations there may be no types of error which contribute to
this counter's value.

OutEchoReplies

The number of ICMP Echo Reply messages sent by the interface.

OutNeighborAdvertisements

The number of ICMP Neighbor Advertisement messages sent by the
interface.

OutRouterAdvertisements

The number of ICMP Router Advertisement messages sent by the
interface.


/stats/l3/route
Route Statistics
Route statistics:
ipRoutesCur:                 3   ipRoutesHighWater:           3
ipRoutesMax:              4096
------------------------------------------------------------------
SP Route statistics:
SP    ipRoutesCur    ipRoutesHighWater    ipRoutesMax
---  -------------  -------------------  -------------
 1               3                    3           4096
 2               3                    3           4096
 3               3                    3           4096
 4               3                    3           4096
------------------------------------------------------------------
RIP statistics:
ripInPkts:                       ripOutPkts:
ripDiscardPkts:              0   ripRoutesAgedOut:
BGP statistics:
bgpInPkts:                   0   bgpOutPkts:                  0
bgpBadPkts:                  0   bgpSessFailures:             0
bgpRoutesAdded:              0   bgpRoutesRemoved:            0
bgpRoutesCur:                0   bgpRoutesFailed:             0
bgpRoutesIgnored:            0   bgpRoutesFiltered:           0

Table 5-20 Route Statistics (/stats/l3/route)


Statistics

Description

Route Statistics & SP Route Statistics:
ipRoutesCur

The total number of outstanding routes in the route table.

ipRoutesHighWater

The highest number of routes ever recorded in the route table.

ipRoutesMax

The maximum number of supported routes.

RIP statistics:
ripInPkts

The total number of good RIP advertisement packets received.

ripOutPkts

The total number of RIP advertisement packets sent.

ripDiscardPkts

The total number of RIP advertisement packets received that were
dropped.


ripRoutesAgedOut

The total number of routes learned via RIP that have aged out.

BGP statistics:
bgpInPkts

The total number of BGP packets received.

bgpOutPkts

The total number of BGP packets sent.

bgpBadPkts

The total number of BGP packets dropped.

bgpSessFailures

The total number of failed sessions.

bgpRoutesAdded

The total number of routes that were added to the routing table.

bgpRoutesRemoved

The total number of routes that were removed from the routing table.

bgpRoutesCur

The total number of current BGP routes.

bgpRoutesFailed

The total number of BGP routes that could not be added to the routing table.

bgpRoutesIgnored

The total number of routes ignored because the peer was not connected locally or multihop was not configured.

bgpRoutesFiltered

The total number of routes dropped by the filter.

/stats/l3/arp
ARP statistics
This menu option enables you to display Address Resolution Protocol statistics.
MP ARP statistics:
arpEntriesCur:                 2  arpEntriesHighWater:           2
arpEntriesMax:              8192
-----------------------------------------------------------------
SP ARP statistics:
SP  arpEntriesCur   arpEntriesHighWater   arpEntriesMax
--- --------------- --------------------- --------------
1                 1                     1           8192
2                 1                     1           8192
3                 1                     1           8192
4                 1                     1           8192

Table 5-21 ARP Statistics (/stats/l3/arp)


Statistics

Description

arpEntriesCur

The total number of outstanding ARP entries in the ARP table.

arpEntriesHighWater

The highest number of ARP entries ever recorded in the ARP table.

arpEntriesMax

The maximum number of ARP entries that are supported.

/stats/l3/vrrp
VRRP Statistics
Virtual Router Redundancy Protocol (VRRP) support on the Nortel Application Switch provides
redundancy between routers in a LAN. This is accomplished by configuring the same virtual
router IP address and ID number on each participating VRRP-capable routing device. One of
the virtual routers is then elected as the master, based on a number of priority criteria, and
assumes control of the shared virtual router IP address. If the master fails, one of the backup
virtual routers will assume routing authority and take control of the virtual router IP address.
When virtual routers are configured, you can display the following protocol statistics for VRRP:

Advertisements received (vrrpInAdvers)

Advertisements transmitted (vrrpOutAdvers)

Advertisements received, but ignored (vrrpBadAdvers)

The statistics for the VRRP LAN are displayed:


VRRP statistics:
vrrpInAdvers:                  0  vrrpBadAdvers:
vrrpOutAdvers:                 0
vrrpBadVersion:                0  vrrpBadVrid:                   0
vrrpBadAddress:                0  vrrpBadData:                   0
vrrpBadPassword:               0  vrrpBadInterval:               0

Table 5-22 VRRP Statistics (/stats/l3/vrrp)


Statistics

Description

vrrpInAdvers

The total number of VRRP advertisements that have been received.

vrrpBadAdvers

The total number of VRRP advertisements received that were dropped.

vrrpOutAdvers

The total number of VRRP advertisements that have been sent.

vrrpBadVersion

vrrpBadVrid
vrrpBadAddress
vrrpBadData
vrrpBadPassword
vrrpBadInterval

/stats/l3/dns
DNS Statistics
This menu option enables you to display Domain Name System statistics.
DNS statistics:
dnsInRequests:                 0  dnsOutRequests:
dnsBadRequests:                0

Table 5-23 DNS Statistics (/stats/l3/dns)


Statistics

Description

dnsInRequests

The total number of DNS request packets that have been received.

dnsOutRequests

The total number of DNS response packets that have been transmitted.

dnsBadRequests

The total number of DNS request packets received that were dropped.

/stats/l3/icmp
ICMP Statistics
ICMP statistics:
icmpInMsgs:               245802  icmpInErrors:               1393
icmpInDestUnreachs:           41  icmpInTimeExcds:               0
icmpInParmProbs:               0  icmpInSrcQuenchs:              0
icmpInRedirects:               0  icmpInEchos:                  18
icmpInEchoReps:           244350  icmpInTimestamps:              0
icmpInTimestampReps:           0  icmpInAddrMasks:               0
icmpInAddrMaskReps:            0  icmpOutMsgs:              253810
icmpOutErrors:                 0  icmpOutDestUnreachs:          15
icmpOutTimeExcds:              0  icmpOutParmProbs:              0
icmpOutSrcQuenchs:             0  icmpOutRedirects:              0
icmpOutEchos:             253777  icmpOutEchoReps:              18
icmpOutTimestamps:             0  icmpOutTimestampReps:          0
icmpOutAddrMasks:              0  icmpOutAddrMaskReps:           0

Table 5-24 ICMP Statistics (/stats/l3/icmp)


Statistics

Description

icmpInMsgs

The total number of ICMP messages which the entity (the switch)
received. Note that this counter includes all those counted by
icmpInErrors.

icmpInErrors

The number of ICMP messages which the entity (the switch) received but determined as having ICMP-specific errors (bad ICMP checksums, bad length, and so forth).

icmpInDestUnreachs

The number of ICMP Destination Unreachable messages received.

icmpInTimeExcds

The number of ICMP Time Exceeded messages received.

icmpInParmProbs

The number of ICMP Parameter Problem messages received.

icmpInSrcQuenchs

The number of ICMP Source Quench (buffer almost full, stop sending data) messages received.

icmpInRedirects

The number of ICMP Redirect messages received.

icmpInEchos

The number of ICMP Echo (request) messages received.

icmpInEchoReps

The number of ICMP Echo Reply messages received.

icmpInTimestamps

The number of ICMP Timestamp (request) messages received.

icmpInTimestampReps

The number of ICMP Timestamp Reply messages received.

icmpInAddrMasks

The number of ICMP Address Mask Request messages received.

icmpInAddrMaskReps

The number of ICMP Address Mask Reply messages received.

icmpOutMsgs

The total number of ICMP messages which this entity (the switch)
attempted to send. Note that this counter includes all those counted
by icmpOutErrors.

icmpOutErrors

The number of ICMP messages which this entity (the switch) did not
send due to problems discovered within ICMP such as a lack of
buffer. This value should not include errors discovered outside the
ICMP layer such as the inability of IP to route the resultant datagram. In some implementations there may be no types of errors that
contribute to this counter's value.

icmpOutDestUnreachs

The number of ICMP Destination Unreachable messages sent.

icmpOutTimeExcds

The number of ICMP Time Exceeded messages sent.

icmpOutParmProbs

The number of ICMP Parameter Problem messages sent.

icmpOutSrcQuenchs

The number of ICMP Source Quench (buffer almost full, stop sending data) messages sent.

icmpOutRedirects

The number of ICMP Redirect messages sent. For a host, this object
will always be zero, since hosts do not send redirects.

icmpOutEchos

The number of ICMP Echo (request) messages sent.

icmpOutEchoReps

The number of ICMP Echo Reply messages sent.

icmpOutTimestamps

The number of ICMP Timestamp (request) messages sent.

icmpOutTimestampReps

The number of ICMP Timestamp Reply messages sent.

icmpOutAddrMasks

The number of ICMP Address Mask Request messages sent.

icmpOutAddrMaskReps

The number of ICMP Address Mask Reply messages sent.

/stats/l3/if <interface number>
Interface Statistics
IP interface 1 statistics:
ifInOctets:             48948386  ifInUcastPkts:            220553
ifInNUCastPkts:           167895  ifInDiscards:                  0
ifInErrors:                    0  ifInUnknownProtos:             0
ifOutOctets:            27100789  ifOutUcastPkts:           441938
ifOutNUcastPkts:          218652  ifOutDiscards:                 0
ifOutErrors:                   0  ifStateChanges                 1

Table 5-25 Interface Statistics (/stats/if)


Statistics

Description

ifInOctets

The total number of octets received on the interface, including framing characters.

ifInUcastPkts

The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were not addressed to a multicast or broadcast address at this sub-layer.

ifInNUCastPkts

The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a multicast or broadcast address at this sub-layer. This object is deprecated in favor of ifInMulticastPkts and ifInBroadcastPkts.

ifInDiscards

The number of inbound packets that were chosen to be discarded even though no errors had been detected to prevent their being delivered to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.

ifInErrors

For packet-oriented interfaces, the number of inbound packets that contained errors preventing them from being delivered to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of
inbound transmission units that contained errors preventing them from
being deliverable to a higher-layer protocol.

ifInUnknownProtos

For packet-oriented interfaces, the number of packets received via the interface which were discarded because of an unknown or unsupported protocol. For character-oriented or fixed-length interfaces which support protocol multiplexing, the number of transmission units received via the interface which were discarded because of an unknown or unsupported protocol. For any interface which does not support protocol multiplexing, this counter will always be 0.

ifOutOctets

The total number of octets transmitted out of the interface, including framing characters.

ifOutUcastPkts

The total number of packets that higher-level protocols requested to be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent.

ifOutNUcastPkts

The total number of packets that higher-level protocols requested to be transmitted, and which were addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent. This object is deprecated in favor of ifOutMulticastPkts and ifOutBroadcastPkts.

ifOutDiscards

The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.

ifOutErrors

For packet-oriented interfaces, the number of outbound packets that could not be transmitted because of errors. For character-oriented or fixed-length interfaces, the number of outbound transmission units that could not be transmitted because of errors.

ifStateChanges

The number of times an interface has transitioned from either down to up or from up to down.

/stats/l3/tcp
TCP Statistics
TCP statistics:
tcpRtoAlgorithm:               4  tcpRtoMin:                     0
tcpRtoMax:                240000  tcpMaxConn:                 1600
tcpActiveOpens:                0  tcpPassiveOpens:               0
tcpAttemptFails:               0  tcpEstabResets:                0
tcpInSegs:                     0  tcpOutSegs:                    0
tcpRetransSegs:                0  tcpInErrs:                     0
tcpCurBuff:                    0  tcpCurConn:                    6
tcpCurInConn:                  0  tcpCurOutConn:                 0
tcpCurLstnConn:                3  tcpOutRsts:                    0
tcpAllocTCBFails:              0

Table 5-26 TCP Statistics (/stats/l3/tcp)


Statistics

Description

tcpRtoAlgorithm

The algorithm used to determine the timeout value used for retransmitting unacknowledged octets.

tcpRtoMin

The minimum value permitted by a TCP implementation for the retransmission timeout, measured in milliseconds. More refined semantics
for objects of this type depend upon the algorithm used to determine the
retransmission timeout. In particular, when the timeout algorithm is
rsre(3), an object of this type has the semantics of the LBOUND quantity
described in RFC 793.

tcpRtoMax

The maximum value permitted by a TCP implementation for the retransmission timeout, measured in milliseconds. More refined semantics
for objects of this type depend upon the algorithm used to determine the
retransmission timeout. In particular, when the timeout algorithm is
rsre(3), an object of this type has the semantics of the UBOUND quantity
described in RFC 793.

tcpMaxConn

The limit on the total number of TCP connections the entity (the switch)
can support. In entities where the maximum number of connections is
dynamic, this object should contain the value -1.

tcpActiveOpens

The number of times TCP connections have made a direct transition to the SYN-SENT state from the CLOSED state.

tcpPassiveOpens

The number of times TCP connections have made a direct transition to the SYN-RCVD state from the LISTEN state.

tcpAttemptFails

The number of times TCP connections have made a direct transition to the CLOSED state from either the SYN-SENT state or the SYN-RCVD state, plus the number of times TCP connections have made a direct transition to the LISTEN state from the SYN-RCVD state.

tcpEstabResets

The number of times TCP connections have made a direct transition to the CLOSED state from either the ESTABLISHED state or the CLOSE-WAIT state.

tcpInSegs

The total number of segments received, including those received in error. This count includes segments received on currently established connections.

tcpOutSegs

The total number of segments sent, including those on current connections but excluding those containing only retransmitted octets.

tcpRetransSegs

The total number of segments retransmitted - that is, the number of TCP
segments transmitted containing one or more previously transmitted octets.

tcpInErrs

The total number of segments received in error (for example, bad TCP
checksums).

tcpCurBuff

The total number of outstanding memory allocations from the heap by the TCP protocol stack.

tcpCurConn

The total number of outstanding TCP sessions that are currently opened.

tcpCurInConn

The total number of remotely-initiated TCP connections.

tcpCurOutConn

The total number of switch-originated TCP connection requests.

tcpCurLstnConn

The total number of TCP ports on which the switch is listening.

tcpOutRsts

The number of TCP segments sent containing the RST flag.

tcpAllocTCBFails

/stats/l3/udp
UDP Statistics
UDP statistics:
udpInDatagrams:               54  udpOutDatagrams:              43
udpInErrors:                   0  udpNoPorts:              1578077

Table 5-27 UDP Statistics (/stats/l3/udp)


Statistics

Description

udpInDatagrams

The total number of UDP datagrams delivered to the switch.

udpOutDatagrams

The total number of UDP datagrams sent from this entity (the switch).

udpInErrors

The number of received UDP datagrams that could not be delivered for
reasons other than the lack of an application at the destination port.

udpNoPorts

The total number of received UDP datagrams for which there was no
application at the destination port.

/stats/slb
Server Load Balancing Statistics Menu
[Server Load Balancing Statistics Menu]
     sp      - SLB Switch SP Stats Menu
     gslb    - Global SLB Stats Menu
     real    - Show real server stats
     group   - Show real server group stats
     virt    - Show virtual server stats
     filt    - Show filter stats
     layer7  - Show Layer 7 stats
     ssl     - Show SSL SLB stats
     ftp     - Show FTP SLB parsing and NAT stats
     rtsp    - Show RTSP SLB stats
     dns     - Show DNS SLB stats
     wap     - Show WAP SLB stats
     maint   - Show maintenance stats
     sip     - Show SIP SLB stats
     wlm     - Show Workload Manager SASP stats
     mirror  - Show Session mirroring stats
     clear   - Clear non-operational Server Load Balancing stats
     aux     - Show auxiliary session table stats
     dump    - Dump all SLB statistics

Table 5-28 SLB Statistics Menu Options (/stats/slb)


Command Syntax and Usage
sp <SP number (1-4)>
Displays the server load balancing statistics menu. To view menu options, see page 202.
gslb
Displays the Global SLB Statistics menu. For more information, see page 206.
real <real server number (1-1023)>
Displays the following real server statistics:

Number of times the real server has failed its health checks
Number of sessions currently open on the real server
Total sessions the real server was assigned
Highest number of simultaneous sessions recorded for each real server
Real server transmit/receive octets
See page 211 for sample output.

group <real server group number (1-1024)>
Displays the following real server group statistics:

Current and total sessions for each real server in the real server group.
Current and total sessions for all real servers associated with the real server group.
Highest number of simultaneous sessions recorded for each real server.
Real server transmit/receive octets. For per-service octet counters, see page 211.
See page 212 for sample output.

virt <virtual server number (1-1024)>
Displays the following virtual server statistics:

Current and total sessions for each real server associated with the virtual server.
Current and total sessions for all real servers associated with the virtual server.
Highest number of simultaneous sessions recorded for each real server.
Real server transmit/receive octets. For per-service octet counters, see page 211.
See page 213 for sample output.

filt <filter ID (1-2048)>
Displays the total number of times any filter has been used. See page 213 for sample output.
layer7
Displays Layer 7 statistics. See page 214 for sample output.
ssl
Displays SSL server load balancing statistics. See page 219 for sample output.
ftp
Displays FTP SLB parsing and NAT statistics. See page 220 for sample output.
rtsp
Displays RTSP SLB statistics. See page 223 for sample output.

dns
Displays DNS SLB statistics. See page 224 for sample output.
wap
Displays WAP SLB statistics. See page 225 for sample output.
maint
Displays SLB maintenance statistics. See page 227 for sample output.
sip
Displays SIP SLB statistics. See page 229 for sample output.
wlm <Workload Manager number, 1-16> <clear>
Displays Workload Manager SASP statistics. See page 230 for sample output.
mirror
Displays session mirroring statistics. See page 231 for sample output.
clear [y|n]
Clears all non-operating SLB statistics on the Nortel Application Switch, resetting them to zero.
This command does not reset the switch and does not affect the following counters:
Counters required for Layer 4 and Layer 7 operation (such as current real server sessions).
All related SNMP counters.

To view the statistics reset by this command, refer to Table 5-51 on page 230.
aux
Displays auxiliary session table statistics.
dump
Dumps all switch SLB statistics. Use this command to gather data for tuning and debugging switch
performance. To save dump data to a file, set your communication software on your workstation to
capture session data prior to issuing the dump command.

/stats/slb/sp
Server Load Balancing SP statistics Menu
[Server Load Balancing SP Statistics Menu]
     real    - Show real server stats
     group   - Show real server group stats
     virt    - Show virtual server stats
     filt    - Show filter stats
     maint   - Show maintenance stats
     aux     - Show auxiliary session table stats
     clear   - Clear SP stats

Table 5-29 SP Statistics Menu options (/stats/slb/sp)


Command Syntax and Usage
real <real server number (1-1023)>
Displays real server statistics of the switch port. See page 202 for a sample output.
group <real server group number (1-1024)>
Displays real server group statistics of the switch port. See page 203 for a sample output.
virt <virtual server number (1-1024)>
Displays statistics of the virtual server. See page 203 for a sample output.
filt <filter ID (1-2048)>
Displays statistics of the filter. See page 203 for a sample output.
maint
Displays the SP maintenance statistics. See page 204 for a sample output.
aux
Displays the statistics of the auxiliary session table.
clear
Deletes all the SP statistics.

/stats/slb/sp/real <real server number>
SP Real Server Statistics
Port 1 Real server 1 stats:
Current sessions:              3
Total sessions:                3
Octets:                       24

/stats/slb/sp <sp number>/group <real group server number>
SP Real Group Server Statistics
Real server group 1 stats:
                     Current  Total      Highest
Real IP address      Sessions Sessions   Sessions Octets
---- --------------- -------- ---------- -------- ---------------
1    200.100.10.14         20         60        9          480000
2    200.100.10.15         20         77       12          616000
---- --------------- -------- ---------- -------- ---------------
                           40        137       21         1096000

/stats/slb/sp <sp number>/virt <virtual server number>
SP Virtual Server Statistics
Real server group 1 stats:
                     Current  Total      Highest
Real IP address      Sessions Sessions   Sessions Octets
---- --------------- -------- ---------- -------- ---------------
1    200.100.10.14         20         60        9          480000
2    200.100.10.15         20         77       12          616000
---- --------------- -------- ---------- -------- ---------------
     200.100.10.100        40        137       21         1096000

/stats/slb/sp <sp number>/filt <filter number>
SP Filter Statistics
SP 1 Filter 1 stats:
Total firings:

/stats/slb/sp <sp number>/maint
SP Maintenance Statistics
SP 1 SLB Maintenance stats:
Maximum sessions:              524276
Current sessions:                   0
4 second average:                   0
64 second average:                  0
Terminated sessions:                0
Allocation failures:                0
Non TCP/IP frames:                  0
UDP datagrams:                      0
Incorrect VIPs:                     0
Incorrect Vports:                   0
No available real server:           0
Filtered (denied) frames:           0
LAND attacks:                       0
No TCP control bits:                0
Invalid reset packet drops:         0
Total IP fragment sessions:         0
IP fragment sessions:               0
IP fragment discards:               0
IP fragment table full:             0

Table 5-30 SP Maintenance Statistics (/stats/slb/sp/maint)


Statistic

Description

Maximum sessions

The maximum number of simultaneous sessions supported.

Current Sessions

Number of session bindings currently in use (the last 4 and 64 seconds).

Terminated Sessions

Number of sessions removed from the session table because the server assigned to them failed and graceful server failure was not enabled.

Allocation Failures

Indicates instances where the Switch ran out of available sessions for a
port.

UDP Datagrams

Indicates that the virtual server IP address and MAC are receiving
UDP frames when UDP balancing is not turned on.

Non TCP/IP Frames

Indicates the number of non-IP based frames received by the virtual server.

Incorrect VIPs

Indicates the number of times the switch received a Layer 4 request for a virtual server which was not configured.

Incorrect Vports

This dropped frames counter indicates that the virtual server has
received frames for TCP/UDP services that have not been configured.
Normally this indicates a mis-configuration on the virtual server or the
client, but it may be an indication of a potential security probing application like SATAN.

No Available Real Server

This dropped frames counter indicates that all real servers are either out of service or at their maxcon limit.

Backup Server Activations

This indicates the number of times a real server failure has occurred and caused a backup server to be brought online.

Overflow Server Activations

This indicates the number of times a real server has reached the maxcon limit and caused an overflow server to be brought online.

Filtered (Denied) Frames

This indicates the number of frames that were dropped because of one of the following reasons:
1. They matched an active filter with the deny action set.
2. There are no real servers (in the case of redirection filters).
3. There are no available session entries.

LAND attacks

This counter increases whenever a packet has the same source and
destination IP addresses and ports.

No TCP Control Bits

The number of packets that were dropped because the packet had no
control bits set in the TCP header.

Invalid reset packet drops

The number of packets that were dropped because the packet had an invalid reset flag set.

Total IP fragment sessions

This represents the total number of fragment sessions the switch has processed so far.

Current IP fragment sessions

This represents the current number of fragment sessions.

IP fragment discards

The number of fragmented packets that are discarded due to lack of resources.

IP fragment table full

This counter indicates how many times the session table is full.
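
The SP maintenance counters are cumulative, so what matters operationally is how much the traffic-anomaly counters in Table 5-30 grow between two polls. The following is an added example, not part of the Nortel reference: it parses two captures of the `/stats/slb/sp <sp number>/maint` output and reports the growth of those counters. It assumes the capture holds one "label: value" pair per line as in the sample output; the second snapshot, the threshold and all function names are constructed for illustration.

```python
import re

# Counters printed by /stats/slb/sp <sp number>/maint that Table 5-30 ties to
# malformed or unsolicited traffic, with the table's meaning paraphrased.
WATCHED = {
    "Incorrect Vports": "frames for TCP/UDP services not configured on the virtual server",
    "Filtered (denied) frames": "frames dropped by a deny filter, or for lack of servers or session entries",
    "LAND attacks": "packets with the same source and destination IP addresses and ports",
    "No TCP control bits": "packets dropped with no control bits set in the TCP header",
    "Invalid reset packet drops": "packets dropped for an invalid reset flag",
    "IP fragment discards": "fragmented packets discarded for lack of resources",
    "IP fragment table full": "times the session table was full",
}

# One "label: integer" pair per line. Headings such as
# "SP 1 SLB Maintenance stats:" carry no value and are skipped.
LINE_RE = re.compile(r"^\s*(?P<label>[^:]+):\s*(?P<value>\d+)\s*$")

# First poll: the values shown in the reference's sample output.
SNAPSHOT_T0 = """\
SP 1 SLB Maintenance stats:
Maximum sessions:              524276
Current sessions:                   0
4 second average:                   0
64 second average:                  0
Terminated sessions:                0
Allocation failures:                0
Non TCP/IP frames:                  0
UDP datagrams:                      0
Incorrect VIPs:                     0
Incorrect Vports:                   0
No available real server:           0
Filtered (denied) frames:           0
LAND attacks:                       0
No TCP control bits:                0
Invalid reset packet drops:         0
Total IP fragment sessions:         0
IP fragment sessions:               0
IP fragment discards:               0
IP fragment table full:             0
"""

# Second poll: constructed values, trimmed to the lines of interest.
SNAPSHOT_T1 = """\
SP 1 SLB Maintenance stats:
Maximum sessions:              524276
Current sessions:              262138
Incorrect Vports:                 340
LAND attacks:                      12
No TCP control bits:               57
Invalid reset packet drops:         0
"""


def parse_maint(text):
    """Return {lower-cased label: int} for every 'label: value' line."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("label").strip().lower()] = int(m.group("value"))
    return counters


def counter_deltas(prev, cur):
    """Growth of each counter since the previous poll.

    A value lower than before means the statistics were cleared (for example
    with the menu's clear command) or the switch restarted, so the current
    value is taken as the growth since that reset.
    """
    deltas = {}
    for label, now in cur.items():
        before = prev.get(label, 0)
        deltas[label] = now - before if now >= before else now
    return deltas


def security_findings(prev_text, cur_text, threshold=1):
    """List (label, delta, meaning) for watched counters that grew."""
    deltas = counter_deltas(parse_maint(prev_text), parse_maint(cur_text))
    findings = []
    for label, meaning in WATCHED.items():
        delta = deltas.get(label.lower(), 0)
        if delta >= threshold:
            findings.append((label, delta, meaning))
    return findings


def session_utilisation(counters):
    """Fraction of the session table in use (Current / Maximum sessions)."""
    return counters["current sessions"] / counters["maximum sessions"]


if __name__ == "__main__":
    for label, delta, meaning in security_findings(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"{label}: +{delta} ({meaning})")
    print(f"session table in use: {session_utilisation(parse_maint(SNAPSHOT_T1)):.0%}")
```
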

/stats/slb/gslb
Global SLB Statistics Menu
[Global SLB Statistics Menu]
     real    - Show Global SLB remote real server stats
     virt    - Show Global SLB virtual server stats
     site    - Show Global SLB remote site stats
     network - Show Global SLB network preference stats
     rule    - Show Global SLB rule stats
     geo     - Show Global SLB geographical preference stats
     pers    - Show Global SLB DNS persistence cache stats
     maint   - Show Global SLB maintenance stats
     clear   - Clear all Global SLB stats
     dump    - Show all Global SLB stats

Table 5-31 Global SLB Statistics Menu Options (/stats/slb/gslb)


Command Syntax and Usage
real <real server number (1-1023)>
Where the real server number represents the real server ID on this switch, under which the remote
server is configured.
To view an example and description of what is displayed on-screen, see page 211.
virt <virtual server number (1-1024)>
To view an example and description of what is displayed on-screen, see page 207.
site <remote site, 1-64>
Displays Global SLB statistics for the remote site. To view an example, see page 208.
network <network, 1-64>
Displays Global SLB statistics for the network.
rule <rule, 1-64>
Displays Global SLB statistics for the rule.
pers
Displays Global SLB DNS persistence cache statistics.
geo
Displays Global SLB statistics for the geographical preference.
maint
To view an example and description of Global SLB maintenance statistics, see page 209.
clear
Deletes all Global SLB statistics.

dump
Displays all Global SLB statistics.

/stats/slb/gslb/real <real server number>
Real Server Global SLB Statistics
Real server 1 global stats:
DNS directs:                3210
HTTP redirects:               12

For any remote real server configured for Global Server Load Balancing, the following statistics can be viewed:

Number of DNS responses directed to the remote real server

Number of HTTP redirects to the remote real server

/stats/slb/gslb/virt <virtual server number>
Virtual Server Global SLB Statistics
Global SLB virtual server 1 http service stats:
Domain: www.gslb.example.com
Server IP address      Site DNS directs HTTP redirects
------ --------------- ---- ----------- --------------
v1     200.200.200.1                  0              0
r2     200.200.200.10     5           0              0
------ --------------- ---- ----------- --------------
Totals                                0              0

Table 5-32 Virtual Server Global SLB Statistics (/stats/slb/gslb/virt)


Field

Description

Server

Type of server configuration and server ID number.

v# represents a local virtual server number.
r# represents a remote site. Since each remote site is configured on its peers as if it were a real server (with certain special properties), the number represents the real server ID on this switch, under which the remote server is configured.

IP Address

IP address of the server.

Site

The remote site number.

DNS directs

The number of DNS responses that return the IP address of the corresponding server.

HTTP redirects

The number of HTTP requests redirected to the corresponding server.

/stats/slb/gslb/site
Global SLB Site Statistics
Global SLB remote site 1 stats:
Bad remote site packets received:            386
DSSPv1 remote site updates sent:               0
DSSPv1 remote site updates received:           0
DSSPv2 remote site updates sent:             768
DSSPv2 remote site updates received:         348

Table 5-33 Global SLB Site Statistics Parameters (/stats/slb/gslb/site)


Field

Description

Bad remote site packets received

The number of bad packets received from the remote site.

DSSPv1 remote site updates sent

The number of remote site updates sent using DSSP version 1.

DSSPv1 remote site updates received

The number of remote site updates received using DSSP version 1.

DSSPv2 remote site updates sent

The number of remote site updates sent using DSSP version 2.

DSSPv2 remote site updates received

The number of remote site updates received using DSSP version 2.

/stats/slb/gslb/maint
Global SLB Maintenance Statistics
Global SLB maintenance stats:
Bad remote site packets received:                 0
DSSPv1 remote site updates sent:                  0
DSSPv1 remote site updates received:              0
DSSPv2 remote site updates sent:             127746
DSSPv2 remote site updates received:          85164
DNS queries received:                             0
Bad DNS queries received:                         0
DNS responses sent:                               0
HTTP requests received:                           0
Bad HTTP requests received:                       0
HTTP responses sent:                              0
Hostname domain hits:                             0
Network domain hits:                              0
Basic domain hits:                                0
No server selected for hostname domain:           0
No server selected for network domain:            0
No server selected for basic domain:              0
No matching domain:                               0
Last no result domain:
Last source IP:                             0.0.0.0

Table 5-34 Global SLB Maintenance Statistics (/stats/slb/gslb/maint)


Field

Description

Bad remote site packets received

The number of bad packets received from the remote site. Bad updates or dropped packets usually indicate that there is a configuration problem at local or remote GSLB switches. If bad updates or dropped packets occur, check your syslog for configuration error messages.

DSSPv1 remote site updates sent

The number of Distributed Site State Protocol (DSSP) version one updates/packets sent to the remote sites.

DSSPv1 remote site updates received

The number of Distributed Site State Protocol (DSSP) version one updates/packets received from the remote sites.

DSSPv2 remote site updates sent

The number of Distributed Site State Protocol (DSSP) version two updates/packets sent to the remote sites.

DSSPv2 remote site updates received

The number of Distributed Site State Protocol (DSSP) version two updates/packets received from the remote sites.

DNS queries received

The number of DNS queries received.

Bad DNS queries received

The number of bad DNS queries received.

DNS responses sent

The number of DNS responses sent by the switch that includes DNS directs and DNS error responses.

HTTP requests received

The number of HTTP requests received.

Bad HTTP requests received

The number of bad/dropped client HTTP requests. Client HTTP GET request packets that do not contain the entire URL are considered bad and are dropped.

HTTP responses sent

The number of HTTP responses sent by the switch that includes HTTP redirects.

Hostname domain hits

The number of times the DNS queries received matched for the hostname configured.

Network domain hits

The number of times the DNS queries received matched for the network domain name configured.

Basic domain hits

The number of times the DNS queries received matched for the basic domain name configured.

No server selected for hostname domain

The number of times no server was selected after matching the host name domain.

No server selected for network domain

The number of times no server was selected after matching the network domain name.

No server selected for basic domain

The number of times no server was selected after matching the basic domain name.

No matching domain

The number of times the DNS queries received did not match the host name, domain name, or the network domain configured.

Last no result domain

The domain in the last DNS query received that did not match the host name, domain name, or the network domain configured.

Last source IP

The source IP address of the last DNS query or HTTP request received.


/stats/slb/real <real server number>


Real Server SLB Statistics
Real server 1 stats:
Current sessions:  129
Total sessions:    65478
Highest sessions:  4343
Octets             523824000

NOTE: Octets are provided per server, not per service, unless configured as described in "Per Service Octet Counters" on page 211.

Table 5-35 Real Server SLB Statistics (/stats/slb/real)

Statistics
    Description

Current sessions
    The total number of outstanding sessions that are established to the particular real server.

Total sessions
    The total number of sessions that have been established to the particular real server.

Highest sessions
    The highest number of sessions ever recorded for the particular real server.

Octets
    The total number of octets sent by the particular real server.

Per Service Octet Counters


For each load-balanced real server, the octet counters represent the combined number of transmit and receive bytes (octets). These counters are then added to report the total octets for each virtual server.

The octet counters are provided per server, not per service. If you need octet counters on a per-service basis, you can accomplish this through the following configuration:

1. Configure a separate IP address for each service on each server being load balanced.
   For instance, you can configure IP address 10.1.1.20 for HTTP services, and 10.1.1.21 for FTP services on the same physical server.


2. On the Nortel Application Switch, configure a real server with a real IP address for each service above.
   Continuing the example above, two real servers would be configured for the physical server (representing each real service). If there were five physical servers providing the two services (HTTP and FTP), 10 real servers would have to be configured: five for the HTTP services on each physical server, and five for the FTP services on each physical server.

3. On the Nortel Application Switch, configure one real server group for each type of service, and group each appropriate real server IP address into the group that handles the specific service.
   Thus, in keeping with our example, two groups would be configured: one for handling HTTP and one for handling FTP.

4. Configure a virtual server and add the appropriate services to that virtual server.

/stats/slb/group <real server group number>


Real Server Group Statistics
Real server group 1 stats:
Total weight updates from WorkLoad Manager : 10

                      Current      Total  Highest
Real IP address      Sessions   Sessions Sessions          Octets
---- --------------- -------- ---------- -------- ---------------
   1 200.100.10.14         20         60        9          480000
   2 200.100.10.15         20         77       12          616000
---- --------------- -------- ---------- -------- ---------------
                           40        137       21         1096000

Real server group statistics include the following:

Current and total sessions for each real server in the real server group.

Current and total sessions for all real servers associated with the real server group.

Highest number of simultaneous sessions recorded for each real server.

Real server transmit/receive octets. For per-service octet counters, see the procedure on
Per Service Octet Counters on page 211.


/stats/slb/virt <virtual server number>


Virtual Server SLB Statistics
Virtual server 1 stats:
                      Current      Total  Highest
Real IP address      Sessions   Sessions Sessions          Octets
---- --------------- -------- ---------- -------- ---------------
   1 200.100.10.14         20         60        9          480000
   2 200.100.10.15         20         77       12          616000
---- --------------- -------- ---------- -------- ---------------
     200.100.10.20         40        309       21         1096000

NOTE: The virtual server IP address is shown on the last line, below the real server IP addresses.

Virtual server statistics include the following:

Current and total sessions for each real server associated with the virtual server.

Current and total sessions for all real servers associated with the virtual server.

Highest number of simultaneous sessions recorded for each real server.

Real server transmit/receive octets. For per-service octet counters, see Per Service Octet
Counters on page 211.

/stats/slb/filt <filter number>


Filter SLB Statistics
Filter 1 stats:
Total firings:  1011

You can obtain the total number of times any filter has been matched.


/stats/slb/layer7
SLB Layer7 Statistics Menu
[Layer 7 Statistics Menu]
     redir   - Show URL Redirection stats
     str     - Show SLB String stats
     maint   - Show Layer 7 Maintenance stats
     pooling - Show connection pooling stats

Table 5-36 SLB Layer 7 Statistics Menu Options (/stats/slb/layer7)


Command Syntax & Usage
redir
Displays URL Redirection statistics. See page 214 for a sample output.
str
Displays SLB string statistics. See page 215 for a sample output.
maint
Displays Layer 7 maintenance statistics. See page 216 for a sample output.
pooling
Displays the connection pooling statistics. See page 216 for a sample output.

/stats/slb/layer7/redir
Layer7 Redirection Statistics
URL based web cache redirection stats:
Total cache server hits:               0
Total origin server hits:              0
Total straight to origin server hits:  0
Total none-GETs hits:                  0
Total 'Cookie: ' hits:                 0
Total no-cache hits:                   0
Total RTSP cache server hits:          0
Total RTSP origin server hits:         0
Total HTTP redirection hits:           0

Table 5-37 Layer 7 Redirection Statistics (/stats/slb/layer7/redir)

Statistics
    Description

Total cache server hits
    The total number of HTTP requests redirected to the cache server.

Total origin server hits
    The total number of HTTP requests forwarded to the origin server.


Total straight to origin server hits
    The total number of HTTP requests forwarded straight to the origin server.

Total none-GETs hits
    The total number of non-GET requests forwarded to the origin server.

Total 'Cookie:' hits
    The total number of cookie requests forwarded to the origin server.

Total no-cache hits
    The total number of requests containing a no-cache header forwarded to the origin server.

Total RTSP cache server hits
    The total number of RTSP requests redirected to the cache server.

Total RTSP origin server hits
    The total number of RTSP requests forwarded to the origin server.

Total HTTP redirection hits
    The total number of HTTP requests that were redirected by a redirection filter.

/stats/slb/layer7/str
Layer 7 SLB String Statistics
SLB String stats:
ID SLB String                     Hits
 1 any                         1527115
 2 www.[abcdefghijklm]*.com          0
 3 www.[nopqrstuvwxyz]*.com          0
 4 www.junk.com                      0
 5 www.abc.com                       0
 6 www.[abcdefjhijklm]*.org          0
 7 www.[nopqrstuvwxyz]*.org          0

Table 5-38 Layer 7 SLB String Statistics (/stats/slb/layer7/str)

Statistics
    Description

ID SLB String
    The user-defined strings being used in URL matching.

Hits
    The total number of instances that are load-balanced due to matching of the particular URL ID.


/stats/slb/layer7/maint
Layer 7 SLB Maintenance Statistics
Layer 7 maintenance stats:
Clients reset by switch on client side:   0
Clients reset by switch on server side:   0
Connection Splicing to support HTTP/1.1:  0
Invalid HTTP methods:                     0
Aged delayed binding sessions:            0
Half open connections:                    0
Switch retries:                           0
Random early drops:                       0
Requests exceeded 9000 bytes:             0
Invalid 3-way handshakes:                 0
Exceeded max frame size:                  0
Out of order packet drops:                0
Current SP[1] memory units:               1260  Lowest: 1260
Current SP[2] memory units:               1260  Lowest: 1260
Current SP[3] memory units:               1260  Lowest: 1260
Current SP[4] memory units:               1260  Lowest: 1260
Current SP memory units:                  5040
Current SEQ buffer entries:               0     Highest: 0
Current Data buffer use:                  0     Highest: 0
Current SP buffer entries:                0     Highest: 0
Total Nonzero SEQ Alloc:                  0
Total SEQ Buffer Allocs:                  0     Total SEQ Frees: 0
Total Data Buffer Allocs:                 0     Total Data Frees: 0
Alloc Fails - Seq buffers:                0     Alloc Fails - Ubufs: 0
Max sessions per bucket:                  0     Max frames per session: 0
Max bytes buffered (sess):                0

Table 5-39 SLB Layer 7 Maintenance Statistics (/stats/slb/layer7/maint)

Statistics
    Description

Clients reset by switch on client side
    The number of reset frames sent to the client by the switch during server connection termination. This means that when the switch could not connect to the real server and the client's retries exceeded the threshold due to delayed binding, the switch will send a reset frame to the client to terminate the connection.

Clients reset by switch on server side
    The number of reset frames sent to the server by the switch during server connection termination due to delayed binding.

Connection Splicing to support HTTP/1.1
    The total number of connection swaps between different real servers in supporting multiple HTTP/1.1 client requests.


Invalid HTTP methods
    The total number of HTTP requests that contain invalid methods sent by the client.

Aged delayed binding sessions
    The total number of aged delayed binding sessions caused by failed connection initialization between the switch and the server.

Half open connections
    The total number of outstanding TCP connections that are half opened. It is incremented when the switch responds to a TCP SYN packet and decremented upon receiving a TCP SYN ACK packet from the requester.

Switch retries
    The total number of switch retries to connect to the real server.

Random early drops
    The total number of SYN frames dropped when the buffer is low.

Requests exceeded 4500 bytes
    The total number of GET requests that exceeded 4500 bytes.

Invalid 3-way handshakes
    The total number of frames dropped because of invalid 3-way handshakes.

Exceeded max frame size
    The total number of switch-generated frames that exceeded the maximum allowed frame size.

Out of order packet drops
    The total number of TCP packets dropped because they were received out of order.

Current SP memory units
    The currently available SP memory units.

Current SEQ buffer entries
    The number of outstanding sequence buffers used.

Highest SEQ buffer entries
    The highest number of sequence buffers ever used.

Current Data buffer use
    The number of outstanding data buffers used.

Highest Data buffer use
    The highest number of data buffers ever used.

Total Nonzero SEQ Alloc
    The total number of sequence buffers allocated.

Total SEQ Buffer Allocs
    The total number of sequence buffer allocations.

Total SEQ Frees
    The total number of sequence buffers freed.


Total Data Buffer Allocs
    The total number of buffers allocated to store client requests.

Total Data Frees
    The total number of buffers freed.

Alloc Fails - Seq buffers
    The number of times sequence buffer allocation failed.

Alloc Fails - Ubufs
    The number of times the URL data buffer allocation failed.

Max sessions per bucket
    The maximum number of items (sessions) allowed in the session table hash bucket chain.

Max frames per session
    The maximum number of frames to be buffered per session.

Max bytes buffered (sess)
    The maximum number of bytes to be buffered per session.

/stats/slb/layer7/pooling
Layer7 Pooling Statistics
>> Layer 7 Statistics# pooling
------------------------------------------------------------------
Connection pooling statistics:
Current opened server connections:            0
Active server connections:                    0
Available server connections:                 0
Total number of aged out client connections:  0
Total number of aged out server connections:  0


/stats/slb/ssl
SLB Secure Socket Layer Statistics
SSL SLB maintenance stats:
SessionId allocation fails:            0
Total number of SSL ID reassignments:  0

                           Current      Total  Highest
                          Sessions   Sessions Sessions
------------------------- -------- ---------- --------
Unique SessionIds                0          0        0
SSL connections                  0          0        0
Persistent Port Sessions         0          0        0

Table 5-40 SLB Secure Socket Layer Statistics (/stats/slb/ssl)

Statistics
    Description

SSL SLB maintenance stats
    Debug stats for SSL SessionId based persistence.

SessionId allocation fails
    The number of times allocation of a session table entry failed when attempting to store a SessionId in the table.

Total number of SSL ID reassignments

The table shows the Current Sessions, the total sessions seen on the switch since last reset and the high water mark of current sessions for the following:

Unique SessionIds
    Many SSL sessions can use the same SessionId; these should all bind to the same server. This number shows the number of unique SSL sessions seen on the switch.

SSL connections
    The number of different TCP connections using SSL service.

Persistent Port Sessions
    The number of SessionIds maintained to allow for persistence across different client ports.


/stats/slb/ftp
File Transfer Protocol SLB and Filter Statistics Menu
[FTP SLB parsing and Filter Statistics Menu]
     active  - Show active FTP NAT filter stats
     parsing - Show FTP SLB parsing server stats
     maint   - Show FTP maintenance stats
     dump    - Dump all FTP SLB/NAT stats

Table 5-41 FTP SLB Parsing and Filter Statistics Menu Options (/stats/slb/ftp)
Command Syntax and Usage
active
Shows active FTP SLB parsing and filter statistics. See page 221 for sample output.
parsing
Shows parsing statistics. See page 221 for sample output.
maint
Shows maintenance statistics. See page 222 for sample output.
dump
Shows all FTP SLB/NAT statistics. See page 222.


/stats/slb/ftp/active
Active FTP SLB Parsing and Filter Statistics
Total Active FTP NAT stats(PORT):
Total FTP:                    0
Total New Active FTP Index:   0
Active FTP NAT ACK/SEQ diff:  0

Table 5-42 Active FTP SLB Parsing and Filter Statistics (/stats/slb/ftp/active)

Statistics
    Description

Total Active FTP NAT stats (PORT)
    The number of times the switch receives the port command from the client.

Total FTP
    The number of times the switch receives both active and passive FTP connections.

Total New Active FTP Index
    The number of times the switch creates a new index due to port command from the client.

Active FTP NAT ACK/SEQ diff
    The difference in the numbers of ACK and SEQ that the switch needs for packet adjustment.

/stats/slb/ftp/parsing
Passive FTP SLB Parsing Statistics
Total FTP SLB Parsing Stats(PASV):
Total FTP:                        0
Total New FTP SLB parsing Index:  0
FTP SLB parsing ACK/SEQ diff:     0

Table 5-43 Passive FTP SLB Parsing Statistics (/stats/slb/ftp/parsing)

Statistics
    Description

Total FTP
    The number of times the switch receives both active and passive FTP connections.

Total New FTP SLB parsing Index
    The number of times the switch creates a new index in response to the pasv command from the client.

FTP SLB parsing ACK/SEQ diff
    The difference in the numbers of ACK and SEQ that the switch needs for FTP SLB parsing.


/stats/slb/ftp/maint
FTP SLB Maintenance Statistics
FTP mode switch error:

Table 5-44 FTP SLB Maintenance Statistics (/stats/slb/ftp/maint)

Statistics
    Description

FTP mode switch error
    The number of times the switch is not able to switch modes from active to passive and vice versa.

/stats/slb/ftp/dump
FTP SLB Statistics Dump
Total FTP :                       0
Total FTP NAT Filtered:           0
Total new active FTP NAT Index:   0
Total new FTP SLB parsing Index:  0
FTP Active FTP NAT ACK/SEQ diff:  0
FTP SLB parsing ACK/SEQ diff:     0
FTP mode switch error:            0

Table 5-45 FTP SLB Statistics Dump (/stats/slb/ftp/dump)

Statistics
    Description

Total FTP
    The total number of FTP sessions that occurred.

Total FTP NAT Filtered
    The total number of FTP NAT filter sessions that occurred.

Total new active FTP NAT Index
    The total number of new data sessions created for FTP NAT filter in active mode.

Total new FTP SLB parsing Index
    The number of times the switch creates a new index in response to the pasv command from the client.

FTP Active FTP NAT ACK/SEQ diff
    The total number of times the adjustment between ACK and SEQ occurred on the filter.

FTP SLB parsing ACK/SEQ diff
    The difference in the numbers of ACK and SEQ that the switch needs for FTP SLB parsing.

FTP mode switch error
    The number of times the switch could not switch mode from active to passive and vice versa.


/stats/slb/rtsp
RTSP SLB Statistics
      Control        UDP            Connection     Buffer      Alloc
SP Connection    Streams   Redirect     Denied     Allocs   Failures
-- ---------- ---------- ---------- ---------- ---------- ----------
 1          0          0          0          0          0          0
 2          0          0          0          0          0          0
 3          0          0          0          0          0          0
 4          0          0          0          0          0          0
-- ---------- ---------- ---------- ---------- ---------- ----------
            0          0          0          0          0          0

Table 5-46 RTSP SLB Statistics (/stats/slb/rtsp)

Statistics
    Description

ControlConnection
    The total number of TCP connections for RTSP control connection.

UDP Streams
    The total number of UDP connections for data channels. The number depends upon the type of media player being used.

Redirect
    The total number of times the connection got redirected.

ConnectionDenied
    The total number of times the connections got denied due to shortage of resources or the real server being down.

BufferAllocs
    The total number of buffer allocations used.

AllocFailures
    The total number of times the buffer allocation failed.


/stats/slb/dns
DNS SLB Statistics
Total number of TCP DNS queries:                  0
Total number of UDP DNS queries:                  0
Total number of invalid DNS queries:              0
Total number of multiple DNS queries:             0
Total number of domain name parse errors:         0
Total number of failed real server name matches:  0
Total number of DNS parsing internal errors:      0

Table 5-47 DNS SLB Statistics (/stats/slb/dns)

Statistics
    Description

Total number of TCP DNS queries
    The total number of DNS queries received through TCP connections.

Total number of UDP DNS queries
    The total number of DNS queries received through UDP requests.

Total number of invalid DNS queries
    The total number of malformed DNS queries received.

Total number of multiple DNS queries
    The total number of DNS queries that contain more than one domain name to be resolved. Currently only one domain name resolution per request is supported.

Total number of domain name parse errors
    The total number of DNS queries that have short or invalid domain names to be resolved.

Total number of failed real server name matches
    The total number of times the user failed to find a real server which has the same layer 7 strings that match the domain name to be resolved.

Total number of DNS parsing internal errors
    The total number of out of memory and other unexpected errors the user gets while processing the DNS query.


/stats/slb/wap
WAP SLB Statistics
This command displays all the Radius and WAP related counters.
WAP Maintenance stats:
current sessions:          0
allocation failures:       0
incorrect VIPs:            0
incorrect Vports:          0
no available real server:  0
requests to wrong SP:      0
------------------------------------------------------------------
TPCP External Notification stats:
add session reqs:          0
del session reqs:          0
req fails- SP dead:        0
req fails- SP dead:        0
------------------------------------------------------------------
RADIUS Snooping stats:
acct reqs:                 0
acct wrap reqs:            0
acct start reqs:           0
acct update reqs:          0
acct stop reqs:            0
acct bad reqs:             0
acct reqs(FIP):            0
acct reqs(no FIP):         0
add session reqs:          0
del session reqs:          0
req fails- SP dead:        0
req fails- DMA:            0

Table 5-48 WAP SLB Statistics (/stats/slb/wap)

Statistics
    Description

WAP Maintenance stats:

current sessions
    The number of session bindings currently in use.

allocation failures
    Indicates instances where the switch ran out of available bindings for a port.

incorrect VIPs
    Indicates the number of times the switch received a Layer 4 request for a virtual server which was not configured.

incorrect Vports
    This dropped frames counter indicates that the virtual server has received frames for TCP/UDP services that have not been configured. Normally this indicates a mis-configuration on the virtual server or the client.

no available real server
    This dropped frames counter indicates that all real servers are either out of service or at their maxcon limit.

requests to wrong SP
    The number of session add/delete requests sent to the wrong SP.


TPCP External Notification stats:

add session reqs
    The number of WAP session add requests via TPCP.

req fails- SP dead
    The number of add-request failures due to dead target SP.

RADIUS Snooping stats:

acct reqs
    The number of RADIUS Accounting frames received.

acct wrap reqs
    The number of wrapped RADIUS Accounting frames received.

acct start reqs
    The number of RADIUS Accounting Start frames received.

acct update reqs
    The number of RADIUS Accounting Update frames.

acct stop reqs
    The number of RADIUS Accounting Stop frames received.

acct bad reqs
    The number of bad RADIUS Accounting frames received.

add session reqs
    The number of WAP session add requests via RADIUS snooping.

del session reqs
    The number of WAP session delete requests via RADIUS snooping.

req fails- SP dead
    The number of add/delete request failures due to dead target SP.

req fails- DMA
    The number of add/delete requests failed due to DMA write failure.


/stats/slb/maint
SLB Maintenance Statistics
SLB Maintenance stats:
Maximum sessions:               2097104
Current sessions:               0
4 second average:               0
64 second average:              0
Terminated sessions:            0
Allocation failures:            0
UDP datagrams:                  0
Non TCP/IP frames:              0
Incorrect VIPs:                 0
Incorrect Vports:               0
No available real server:       0
Backup server activations:      0
Overflow server activations:    0
Filtered (denied) frames:       0
LAND attacks:                   0
No TCP control bits:            0
Invalid reset packet drops:     0
Total IP fragment sessions:     0
Current IP fragment sessions    0
IP fragment discards:           0
IP fragment table full:         0
Current IPF buffer sessions:    0
Highest IPF buffer sessions:    0
IPF buffer alloc fails:         0
IPF SP buffer alloc fails:      0
SP buffer too low:              0
Exceeded 16 OOO packets:        0
Free Service pool entries:      8192
Current IP6 sessions:           0
Incorrect IP6 VIPs:             0
Incorrect IP6 Vports:           0
IP6 packets drops:              0

SLB Maintenance statistics are described in the following table.


Table 5-49 Server Load Balancing Maintenance Statistics (/stats/slb/maint)

Statistic
    Description

Maximum sessions
    The maximum number of simultaneous sessions supported.

Current Sessions
    Number of session bindings currently in use (the last 4 and 64 seconds).

Terminated Sessions
    Number of sessions removed from the session table because the server assigned to them failed and graceful server failure was not enabled.


Allocation Failures
    Indicates instances where the switch ran out of available sessions for a port.

UDP Datagrams
    Indicates that the virtual server IP address and MAC are receiving UDP frames when UDP balancing is not turned on.

Non TCP/IP Frames
    Indicates the number of non-IP based frames received by the virtual server.

Incorrect VIPs
    Indicates the number of times the switch received a Layer 4 request for a virtual server which was not configured.

Incorrect Vports
    This dropped frames counter indicates that the virtual server has received frames for TCP/UDP services that have not been configured. Normally this indicates a mis-configuration on the virtual server or the client, but it may be an indication of a potential security probing application like SATAN.

No Available Real Server
    This dropped frames counter indicates that all real servers are either out of service or at their maxcon limit.

Backup Server Activations
    This indicates the number of times a real server failure has occurred and caused a backup server to be brought online.

Overflow Server Activations
    This indicates the number of times a real server has reached the maxcon limit and caused an overflow server to be brought online.

Filtered (Denied) Frames
    This indicates the number of frames that were dropped because they matched an active filter with the deny action set.

LAND attacks
    This counter increases whenever a packet has the same source and destination IP addresses and ports.

No TCP Control Bits
    The number of packets that were dropped because the packet had no control bits set in the TCP header.

Invalid reset packet drops
    The number of packets that were dropped because the packet had an invalid reset flag set.

Total IP fragment sessions
    This represents the total number of fragment sessions the switch has processed so far.

Current IP fragment sessions
    This represents the current number of fragment sessions.

IP fragment discards
    The number of fragmented packets that are discarded due to lack of resources.

IP fragment table full
    This counter indicates how many times the session table is full.

Free service pool entries
    This counter indicates the number of free service pool entries.
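Added example, not part of the Nortel reference: a Python script that parses two captures of the /stats/slb/maint output and reports the increase in the counters that Table 5-49 associates with malformed, probing or resource-exhausting traffic. The snapshots are constructed sample data, and the function names and the threshold parameter are assumptions of this example.

```python
import re

# Counters from the /stats/slb/maint output whose descriptions in Table 5-49
# tie them to malformed or hostile traffic. Labels are spelled as in the output.
WATCHED = {
    "LAND attacks": "same source and destination IP address and port",
    "Incorrect Vports": "frames for unconfigured services (misconfiguration or probing)",
    "No TCP control bits": "TCP header with no control bits set",
    "Invalid reset packet drops": "invalid reset flag set",
    "IP fragment discards": "fragments discarded for lack of resources",
    "IP fragment table full": "fragment table was full",
}

# "Label:   123" with the colon optional, because one label in the sample
# output ("Current IP fragment sessions") is printed without it.
LINE_RE = re.compile(r"^\s*(?P<label>\S.*?):?\s+(?P<value>\d+)\s*$")


def parse_maint(text):
    """Return {label: int} for every 'label value' line; headers are skipped."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("label")] = int(m.group("value"))
    return counters


def counter_deltas(prev, curr):
    """Increase of each counter between two parsed snapshots."""
    deltas = {}
    for label, now in curr.items():
        before = prev.get(label, 0)
        # A value lower than the previous one means the statistics were
        # cleared or the switch restarted, so count from zero.
        deltas[label] = now - before if now >= before else now
    return deltas


def review(prev_text, curr_text, threshold=0):
    """List (label, increase, reason) for watched counters above threshold."""
    deltas = counter_deltas(parse_maint(prev_text), parse_maint(curr_text))
    return [(label, deltas[label], WATCHED[label])
            for label in WATCHED if deltas.get(label, 0) > threshold]


# Constructed snapshots (not captured from a real switch).
SNAP_T0 = """\
SLB Maintenance stats:
Maximum sessions:               2097104
Current sessions:               12
Incorrect VIPs:                 3
Incorrect Vports:               40
Filtered (denied) frames:       118
LAND attacks:                   0
No TCP control bits:            5
Invalid reset packet drops:     0
Current IP fragment sessions    0
IP fragment discards:           7
IP fragment table full:         0
"""

SNAP_T1 = """\
SLB Maintenance stats:
Maximum sessions:               2097104
Current sessions:               15
Incorrect VIPs:                 3
Incorrect Vports:               940
Filtered (denied) frames:       130
LAND attacks:                   2
No TCP control bits:            5
Invalid reset packet drops:     0
Current IP fragment sessions    1
IP fragment discards:           7
IP fragment table full:         0
"""

# Taken after the statistics were cleared: every counter restarted from zero.
SNAP_T2 = """\
SLB Maintenance stats:
Maximum sessions:               2097104
Current sessions:               9
Incorrect VIPs:                 0
Incorrect Vports:               15
Filtered (denied) frames:       4
LAND attacks:                   1
No TCP control bits:            0
Invalid reset packet drops:     0
Current IP fragment sessions    0
IP fragment discards:           0
IP fragment table full:         0
"""

if __name__ == "__main__":
    for label, increase, reason in review(SNAP_T0, SNAP_T1):
        print(f"{label}: +{increase} ({reason})")
```

Only cumulative counters are compared; gauges such as Current sessions rise and fall in normal operation and are left out of the watched set.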


/stats/slb/sip
SIP SLB Statistics
SIP Stats:
Total number of SIP Client Parse Errors    : 0
Total number of SIP Server Parse Errors    : 0
Total number of SIP Unknown Method packets : 0
Total number of SIP Incomplete Messages    : 0
Total number of SIP Filter Parse Errors    : 0
Total number of packets with SIP SDP NAT   : 0

Table 5-50 SIP SLB Statistics (/stats/slb/sip)

Statistics
    Description

Total number of SIP Client Parse Errors
    The total number of errors encountered during client processing when parsing an incoming SIP packet.

Total number of SIP Server Parse Errors
    The total number of errors encountered during server processing when parsing an incoming SIP packet.

Total number of SIP Unknown Method packets
    Total number of packets received with methods not known to the SIP parser on the switch.

Total number of SIP Incomplete Messages
    Total number of packets received which do not have the complete SIP message in a single packet.

Total number of SIP Filter Parse Errors
    Total number of errors encountered during filter processing when parsing an incoming SIP packet.

Total number of packets with SIP SDP NAT
    Total number of packets received that have SIP SDP NAT information.


/stats/slb/wlm <wlm number>


Display Workload Manager SASP statistics
Table 5-51 SLB WorkLoad Manager SASP (/stats/slb/wlm)
>> Server Load Balancing Statistics# /st/sl/wlm 1
------------------------------------------------------------------
Workload Manager 1 Statistics:
Registration Requests:                         1
Registration Replies:                          1
Registration Reply Errors:                     0
Deregisteration Requests:                      1
Deregisteration Replies:                       1
Deregisteration Reply Errors:                  0
Set LB State Requests:                         1
Set LB State Replies:                          1
Set LB State Reply Errors:                     0
Set Member State Requests:                     0
Set Member State Replies:                      0
Set Member State Reply Errors:                 0
Send Weights Messages received:                47
Send Weights Message Parse Errors:             0
Total Messages with Invalid LB Name:           0
Total Messages with Invalid Group Name:        0
Total Messages with Invalid Real Server Name:  0
Messages with Invalid SASP Header:             0
Messages with parse errors:                    0
Messages with Unsuppored Message Type:         0

/stats/slb/wlm <wlm number>/clear


Clear Workload Manager SASP Statistics
This command clears statistics for the specified Workload Manager.


/stats/slb/mirror
Display Workload Manager SASP statistics
Table 5-52 SLB Session Mirroring statistics (/stats/slb/mirror)
>> Server Load Balancing Statistics# mirror
------------------------------------------------------------------
Session Mirroring Stats:
                                    Rx      Tx
Total Create Session Messages       0       0
Total Update Session Messages       0       0
Total Delete Session Messages       0       0
Total Create Data Session Messages  0       0
Total Update Data Session Messages  0       0
Total Delete Data Session Messages  0       0
Total Sessions Created              0
Total Sessions Updated              0
Total Sessions Deleted              0
Total Data Sessions Created         0
Total Data Sessions Updated         0
Total Data Sessions Deleted         0
Session table full                  0
Unvailable pport                    0
Session already present             0
Session not found                   0
Control session not found           0


/stats/bwm
BWM Statistics Menu
[Bandwidth Management Statistics Menu]
     port    - Switch Port Contract Stats Menu
     cont    - BW Contract stats
     rcont   - BW Contract rate stats
     hist    - BW History stats
     maint   - Show BWM maint statistics
     ipusers - Show BWM IP user stats for iplimit contracts
     dump    - Dump all BWM statistics
     clear   - Clear BWM statistics

Table 5-53 Bandwidth Management Statistics Menu Options (/stats/bwm)


Command Syntax and Usage
port <port number>
Displays Switch Port Contract Statistics Menu. To view menu options, see page 233.
cont <BW Contract number (1-1024)>
Displays bandwidth management contract statistics. See page 234 for details.
rcont <BW Contract number (1-1024)>
Displays bandwidth management contract rate statistics. See page 235 for details.
hist
Displays bandwidth management history statistics. See page 237 for sample output.
maint
Displays bandwidth management maintenance statistics. See page 238 for sample output.
ipusers
Displays Bandwidth Management IP user stats for iplimit contracts. Each IP address is limited
to the user limit configured in /cfg/bwm/contract on page 319.
See page 238 for sample output.
dump
Displays all bandwidth management statistics.
clear
Clears all bandwidth management statistics.


/stats/bwm/port <port number>


BWM Switch Processor Statistics
[Bandwidth Management Port Statistics Menu]
     cont    - BW Contract stats
     rcont   - BW Contract rate stats

Table 5-54 Management Port Statistics Menu Options (/stats/bwm/sp)


Command Syntax and Usage
cont <BW Contract number (1-1024)>
Displays bandwidth management contract statistics. See page 233 for a sample output.
rcont <BW Contract number (1-1024)>
Displays bandwidth management contract rate statistics.

/stats/bwm/port <port number>/cont


BWM Switch Processor Contract Statistics Menu
>> Bandwidth Management Port Statistics# cont
-----------------------------------------------------------------
BW Contract statistics
Contract Name                    Octets   Discards Total Pkts BufUsed BufMax
-------- ------------------- ---------- ---------- ------- ---
    1024 Default                      0          0          0       0  16320

/stats/bwm/port <port number>/rcont


BWM Switch Processor Rate Contract Statistics
This command repeats its output when the printed lines are less than the configured CLI lines
per screen. If the CLI lines are configured at zero per screen, the command will continue to
repeat its output until you type a key on the console or telnet session.
You can configure the number of CLI lines per screen using the global (hidden) command:
lines <number of lines>. For example:
>> AAS_2424 - Bandwidth Management Statistics# lines
Current lines-per-screen: 24
>> AAS_2424 - Bandwidth Management Statistics# lines ?
lines          sets lines-per-screen 0-300, zero for infinite


BW Contract statistics
Contract Name            Rate(Kbps)     Octets   Discards BufUsed BufMax
-------- --------------- ---------- ---------- ---------- ------- -----
       1 cont1                    0   40465360  262049256       0  16320
       2 cont2                    0          0          0       0  16320
      20 cont20                5230  682947936 1822133376   16384  16320
      26 cont26                   0          0          0       0  16320
    1024 Default                  0     773974          0       0  16320
       1 cont1                    0   40465360  262049256       0  16320
       2 cont2                    0          0          0       0  16320
      20 cont20                5238  684289056 1825753104   16384  16320
      26 cont26                   0          0          0       0  16320
    1024 Default                  0     774114          0       0  16320

/stats/bwm/cont <contract number>


BWM Contract Statistics
BW Contract statistics
Contract Name           Octets   Discards Total Pkts BufUsed BufMax
-------- ---------- ---------- ---------- ---------- ------- ------
    1024 Default             0          0          0       0  16320

The following description of statistics applies on a specific switch port for all enabled
contracts.
NOTE This command displays enabled contracts only.
Table 5-55 Bandwidth Management Contract Statistics (/stats/bwm/cont)
Statistics    Description
Contract      The contract number.
Name          The contract name.
Octets        The number of octets transmitted through a particular contract
              since the switch was booted.
Discards      The number of octets discarded because more traffic was seen
              than the bandwidth contract limit permits.
Total Pkts    The total number of packets classified for that contract.
BufUsed       The current amount of buffer space used to store packets that
              are waiting to be transmitted.


BufMax        Maximum buffer space that can be used to store packets before
              they can be transmitted. The switch starts dropping the packets
              of a particular contract once the maximum buffer space allocated
              for that contract is occupied.

/stats/bwm/rcont
BWM Contract Rate Statistics
Use this command to show the rate statistics of all the enabled contracts.
NOTE This command displays enabled contracts only.
This command repeats its output when the printed lines are less than the configured CLI lines
per screen. If the CLI lines are configured at zero per screen, the command will continue to
repeat its output until you type a key on the console or telnet session.
You can configure the number of CLI lines per screen using the global (hidden) command:
lines <number of lines>. For example:
>> AAS_2424 - Bandwidth Management Statistics# lines
Current lines-per-screen: 24
>> AAS_2424 - Bandwidth Management Statistics# lines ?
lines          sets lines-per-screen 0-300, zero for infinite


BW Contract statistics
Contract Name            Rate(Kbps)     Octets   Discards BufUsed BufMax
-------- --------------- ---------- ---------- ---------- ------- -----
       1 cont1                 5222  285408288  735607152   16384 456960
       2 cont2                    0          0          0       0 456960
      20 cont20                5238  285720864  735308784   16384 456960
      26 cont26                   0          0          0       0 456960
    1024 Default                  4     517182          0       0 456960
       1 cont1                 5230  286747296  739228896   16384 456960
       2 cont2                    0          0          0       0 456960
      20 cont20                5230  287059872  738930528   16384 456960
      26 cont26                   0          0          0       0 456960
    1024 Default                  8     519400          0       0 456960
       1 cont1                 5222  288084192  742853160   16384 456960
       2 cont2                    0          0          0       0 456960
      20 cont20                5238  288400992  742550760   16384 456960
      26 cont26                   0          0          0       0 456960
    1024 Default                  8     521578          0       0 456960

Table 5-56 Bandwidth Management Contract Rate Statistics (/stats/bwm/rcont)


Statistics      Description
Contract        The contract number.
Name            The contract name.
Rate (in Kbps)  Rate at which the packets are going out of the switch on a
                particular contract.
Octets          The number of octets transmitted through a particular contract
                since the switch was booted.
Discards        The number of octets discarded because more traffic was seen
                than the bandwidth contract limit permits.
BufUsed         The current amount of buffer space used to store packets that
                are waiting to be transmitted.
BufMax          Maximum buffer space that can be used to store packets before
                they can be transmitted. The switch starts dropping the packets
                of a particular contract once the maximum buffer space allocated
                for that contract is occupied.


/stats/bwm/hist
BWM History Statistics
Switch IP       Cont Name                 Octets   Discards TimeStamp
                                                            YyyyMmDd:Hr:Mi/TmZone
--------------- ---- ---------------- ---------- ---------- ----------
47.80.23.124       1 filter_number01           0          0 20030910:15:11/ -8:00
47.80.23.124       2 filter_number02           0          0 20030910:15:11/ -8:00
47.80.23.124       3 filter_number03           0          0 20030910:15:11/ -8:00
47.80.23.124       4 filter_number04           0          0 20030910:15:11/ -8:00
47.80.23.124       5 filter_number05           0          0 20030910:15:11/ -8:00
47.80.23.124       6 filter_number06           0          0 20030910:15:11/ -8:00
47.80.23.124       7 filter_number07           0          0 20030910:15:11/ -8:00
47.80.23.124       8 filter_number08           0          0 20030910:15:11/ -8:00
47.80.23.124       9 filter_number09           0          0 20030910:15:11/ -8:00
47.80.23.124      10 filter_number10           0          0 20030910:15:11/ -8:00
47.80.23.124    1024 Default                 608          0 20030910:15:11/ -8:00

This command dumps the statistics kept in the SMTP history buffer, which are
also dumped periodically when an e-mail is sent. Long-term history is kept only
for contracts that are enabled and have the history command turned on.
Use this command to show the history of all the contracts for which the history
command is enabled. The sampling is done at one-minute intervals.
Table 5-57 Bandwidth Management History Statistics (/stats/bwm/hist)
Statistics    Description
Contract      The contract number for which history is enabled.
Octets        The number of octets sent out on a particular contract.
Discards      The number of octets discarded because of seeing more traffic
              than the bandwidth contract limit permits.
TimeStamp     Indicates the time the packets were received or discarded.

NOTE These statistics can only be viewed when the e-mail option is enabled.


/stats/bwm/maint
BWM Maintenance Statistics
BWM Maint statistics
-----------------------------------------------------------------
Maint Stats for rate limiting contracts
Discard pkts                            0
Discard octets                          0
Out pkts                                0
Out octets                              0
Transmit failed                         0
User Limit entry allocation failures    0
-----------------------------------------------------------------
Maint Stats for traffic shaping contracts
QFull Discard pkts                      0
QFull Discard octets                    0
Out of buffers pkts                     0
Out of buffers pkts                     0
Transmit failed                         0
TDT set when qfull                      0
TDT set between soft and hard           0
TDT set at soft                         0

/stats/bwm/ipusers
BWM IP Users Statistics
This command displays the number of BWM IP user entries for each BWM contract for each
SP.
BWM IP users statistics
Contract        SP1        SP2        SP3        SP4      Total
-------- ---------- ---------- ---------- ---------- ----------
      10          0         10          0          0         10
      11          0         10          0          0         10
         ---------- ---------- ---------- ---------- ----------
                  0         20          0          0         20


/stats/security
Security Statistics
[Security Statistics Menu]
     ipacl    - IP Address ACL Statistics Menu
     udpblast - UDP Blast Statistics Menu
     dos      - DoS Attack Statistics Menu
     pgroup   - Show pattern match group statistics
     ratelim  - Show rate limiting statistics
     dump     - Dump all security statistics
Command Syntax and Usage
dos
Displays the DOS Attack statistics menu. To view a sample output and a description of the stats,
see page 240.
ipacl
Displays the IP Address Access Control List statistics menu. To view a sample output and a
description of the statistics, see page 244.
udpblast
Displays the UDP Blast statistics menu. To view a sample output and a description of the statistics,
see page 245.
pgroup
Displays the Pattern Match Group statistics menu. To view a sample output and a description of
the statistics, see page 246.
ratelim
Displays the Rate Limiting statistics menu. To view a sample output and a description of the stats,
see page 246.
dump
Displays all security statistics.


/stats/security/dos
DOS Attack Statistics Menu
[Protocol Anomaly and DoS Attack Prevention Statistics Menu]
     port    - Show port protocol anomaly and DoS attack prevention stats
     dump    - Dump all protocol anomaly and DoS attack prevention stats
     clear   - Clear all protocol anomaly and DoS attack prevention stats
     help    - Protocol anomaly and DoS attack prevention description

Table 5-58 DOS Attacks Statistics Menu Options (/stats/security/dos)


Command Syntax and Usage
port <port number>
Displays the number of times the packets were dropped for each of the following types of DOS
attacks, on the selected port only.
dump
Displays the number of times the packets were dropped on the switch, for each of the following
types of DOS attacks:
iplen, ipversion, broadcast, loopback, land, ipreserved, ipttl, ipprot, ipoptlen,
fragmoredont, fragdata, fragboundary, fraglast, fragdontoff, fragopt, fragoff, fragoversize, tcplen,
tcpportzero, blat, tcpreserved, nullscan, fullxmasscan, finscan, vecnascan, xmasscan, synfinscan,
flagabnormal, syndata, synfrag, ftpport, dnsport, seqzero, ackzero, tcpoptlen, udplen, udpportzero,
fraggle, pepsi, rc8, snmpnull, icmplen, smurf, icmpdata, icmpoff, icmptype, igmplen, igmpfrag,
igmptype, arplen, arpnbcast, arpnucast, arpspoof, garp, ip6len, ip6version
For a description of these different types of DOS attacks, see Types of DOS Attacks on page
241.
clear
Deletes all DOS attack statistics.
help
Displays a description of each type of DOS attack by name and how it works.


Types of DOS Attacks


Nortel Application Switch Operating System can protect switch ports against a variety of
Denial of Service (DOS) attacks including Port Smurf, LandAttack, Fraggle, Nullscan, Xmascan, PortZero, and ScanSynFin. Enable DOS protection on ports connected to any network that
could be the source of an attack.
You can use the help command to obtain a brief explanation of each type of DOS attack
detected by the switch.


Refer to your Nortel Application Switch Operating System Application Guide for a detailed
description of DOS attacks.
>> /stats/security/dos help
iplen       : IPv4 packets with bad IP header or payload length.
ipversion   : IPv4 packets with IP version not 4.
broadcast   : IPv4 packets with broadcast source or destination IP
              [0.0.0.0,255.255.255.255].
loopback    : IPv4 packets with loopback source or destination IP
              [127.0.0.0/8].
land        : IPv4 packets with same source and destination IP.
ipreserved  : IPv4 packets with IP reserved bit is set.
ipttl       : IPv4 packets with small IP TTL.
ipprot      : IPv4 packets with IP protocol is unassigned or
              reserved.
ipoptlen    : IPv4 packets with bad IP options length.
fragmoredont: IPv4 packets with more fragments and don't fragment
              bits are set.
fragdata    : IPv4 packets with more fragments bit is set and small
              payload.
fragboundary: IPv4 packets with more fragments bit is set and
              payload not at 8-byte boundary.
fraglast    : IPv4 packets last fragment without payload.
fragdontoff : IPv4 packets with non-zero fragment offset and don't
              fragment bits are set.
fragopt     : IPv4 packets with non-zero fragment offset and IP
              options.
fragoff     : IPv4 packets with small non-zero fragment offset.
fragoversize: IPv4 packets with non-zero fragment offset and oversize payload.
tcplen      : TCP packets with bad TCP header length.
tcpportzero : TCP packets with source or destination port is zero.
blat        : TCP packets with SIP!=DIP and SPORT=DPORT.
tcpreserved : TCP packets with TCP reserved bit is set.
nullscan    : TCP packets with all control bits are zero.
fullxmasscan: TCP packets with all control bits are set.
finscan     : TCP packets with only FIN bit is set.
vecnascan   : TCP packets with only URG or PUSH or URG|FIN or
              PSH|FIN or URG|PSH bits are set.


xmasscan    : TCP packets with FIN, URG and PSH bits are set.
synfinscan  : TCP packets with SYN and FIN bits are set.
flagabnormal: TCP packets with abnormal control bits combination.
syndata     : TCP packets with SYN bit is set and with payload.
synfrag     : TCP packets with SYN bit is set and more fragments bit
              is set.
ftpport     : TCP packets with SPORT=20, DPORT<1024 and SYN bit is
              set.
dnsport     : TCP packets with SPORT=53, DPORT<1024 and SYN bit is
              set.
seqzero     : TCP packets with sequence number is zero.
ackzero     : TCP packets with acknowledgement number is zero and ACK
              bit is set.
tcpoptlen   : TCP packets with bad TCP options length.
udplen      : UDP packets with bad UDP header length.
udpportzero : UDP packets with source or destination port is zero.
fraggle     : UDP packets to broadcast destination IP (x.x.x.255).
pepsi       : UDP packets with SPORT=19, DPORT=7 or SPORT=7,
              DPORT=19.
rc8         : UDP packets with SPORT=7 and DPORT=7.
snmpnull    : UDP packets with DPORT=161 and without payload.
icmplen     : ICMP packets with bad ICMP header length.
smurf       : ICMP ping requests to a broadcast destination IP
              (x.x.x.255).
icmpdata    : ICMP packets with zero fragment offset and large payload.
icmpoff     : ICMP packets with large fragment offset.
icmptype    : ICMP packets with type is unassigned or reserved.
igmplen     : IGMP packets with bad IGMP header length.
igmpfrag    : IGMP packets with more fragments bit is set or non-zero
              fragment offset.
igmptype    : IGMP packets with type is unassigned or reserved.
arplen      : ARP request or reply packets with bad length.
arpnbcast   : ARP request packets with non broadcast destination MAC.
arpnucast   : ARP reply packets with non unicast destination MAC.
arpspoof    : ARP request or reply packets with mismatch source with
              sender MACs
              or destination with target MACs.
garp        : ARP request or reply packets with same source and destination IP.
ip6len      : IPv6 packets with bad header length.
ip6version  : IPv6 packets with IP version not 6.
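
Several of the TCP and UDP checks in the help output above can be written as a small classifier, which is useful when triaging a packet capture against the counter names that /stats/security/dos reports. This is an added example, not Nortel code: the function names, the reading of "all control bits" as the six classic TCP flags, and the order of the flag tests are assumptions, and the packets are constructed with documentation addresses.

```python
import struct
from ipaddress import IPv4Address

# TCP control bits; "all control bits" is taken to mean these six (assumption).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
VECNA = {URG, PSH, URG | FIN, PSH | FIN, URG | PSH}


def classify(packet):
    """Return the help-text check names that a raw IPv4 packet matches."""
    if len(packet) < 20:
        return {"iplen"}
    if packet[0] >> 4 != 4:
        return {"ipversion"}
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        return {"iplen"}
    src, dst = IPv4Address(packet[12:16]), IPv4Address(packet[16:20])
    hits = {"land"} if src == dst else set()
    l4 = packet[ihl:total_len]
    if packet[9] == 6:          # IP protocol 6 = TCP
        hits |= tcp_checks(l4, src, dst)
    elif packet[9] == 17:       # IP protocol 17 = UDP
        hits |= udp_checks(l4, dst)
    return hits


def tcp_checks(seg, src, dst):
    if len(seg) < 20:
        return {"tcplen"}
    sport, dport = struct.unpack("!HH", seg[:4])
    data_off = (seg[12] >> 4) * 4
    if data_off < 20 or data_off > len(seg):
        return {"tcplen"}
    flags = seg[13] & ALL_FLAGS
    hits = set()
    if sport == 0 or dport == 0:
        hits.add("tcpportzero")
    if src != dst and sport == dport:
        hits.add("blat")
    # Flag checks are tried most-specific first so one scan name is reported
    # per packet; the order the switch itself uses is not documented.
    if flags == 0:
        hits.add("nullscan")
    elif flags == ALL_FLAGS:
        hits.add("fullxmasscan")
    elif flags == FIN:
        hits.add("finscan")
    elif flags in VECNA:
        hits.add("vecnascan")
    elif flags == (FIN | URG | PSH):
        hits.add("xmasscan")
    elif (flags & SYN) and (flags & FIN):
        hits.add("synfinscan")
    if (flags & SYN) and len(seg) > data_off:
        hits.add("syndata")
    return hits


def udp_checks(dgram, dst):
    if len(dgram) < 8:
        return {"udplen"}
    sport, dport, ulen = struct.unpack("!HHH", dgram[:6])
    if ulen < 8 or ulen > len(dgram):
        return {"udplen"}
    hits = set()
    if sport == 0 or dport == 0:
        hits.add("udpportzero")
    if dst.packed[3] == 255:    # help text: destination x.x.x.255
        hits.add("fraggle")
    if (sport, dport) in {(19, 7), (7, 19)}:
        hits.add("pepsi")
    if sport == 7 and dport == 7:
        hits.add("rc8")
    if dport == 161 and ulen == 8:
        hits.add("snmpnull")
    return hits


def ipv4(src, dst, proto, l4):
    """Constructed 20-byte IPv4 header (no options, checksum zero) plus l4."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto,
                       0, IPv4Address(src).packed, IPv4Address(dst).packed) + l4


def tcp(sport, dport, flags, payload=b""):
    """Constructed 20-byte TCP header (seq 1, ack 0, no options) plus payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags,
                       8192, 0, 0) + payload


def udp(sport, dport, payload=b""):
    """Constructed UDP header (checksum zero) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
```

A packet can match more than one name, for example a null-flag segment whose source and destination ports are equal reports both blat and nullscan.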


/stats/security/ipacl
IP Access Control List Statistics
The following IP Access Control List statistics can be viewed with this command:
[IP ACL Statistics Menu]
     dump    - IP address access control Stats
     clear   - Clear all access control Stats

Table 5-59 IPACL Security Statistics Menu Options (/stats/security/ipacl)


Command Syntax and Usage
dump
Displays the accumulated blocked packets for each source or destination IP address and mask pair
in the access control list.
>> Main# /stats/security/ipacl/dump
----------------------------------------------------------------
IP ACL stats:
Source IP Addr  Mask            Type  Blocked Packets
--------------- --------------- ----- ---------------
No source IP ACL's created

Dest IP Addr    Mask            Type  Blocked Packets
--------------- --------------- ----- ---------------
No destination IP ACL's created


clear
Deletes all the statistics of accumulated blocked packets.


/stats/security/udpblast
UDP Blast Statistics
[UDP Blast Statistics Menu]
     dump    - UDP Blast Stats
     clear   - Clear all UDP Blast Stats

Table 5-60 UDP Blast Statistics Menu Options (/stats/security/udpblast)


Command Syntax and Usage
dump
Displays all the accumulated blocked packets for each port, and the current packet rate per second.
See page 245 for a sample output and a description of the statistics.
clear
Deletes all the accumulated blocked packets.

/stats/security/udpblast/dump
UDP Blast Dump Statistics
UDP blast protection stats:
UDP Port   Blocked Packets   Current Packet Rate/Second
--------   ---------------   --------------------------

Table 5-61 UDP Blast Dump Statistics Parameters (/stats/security/udpblast/dump)
Field                       Description
UDP Port                    UDP ports that experienced UDP blast attacks.
Blocked Packets             The number of blocked packets.
Current Packet Rate/Second  Displays the current rate of packets to the UDP port.


/stats/security/pgroup
UDP Pattern Match Statistics
Pattern Match Group stats:
ID   Name                 Hits
1                         0

This menu displays how many times each configured pattern group has been matched and a
subsequent filtering action performed. Pattern groups are configured in the Pattern Matching
Menu on page 404.

/stats/security/ratelim
Rate Limiting Statistics
Rate limiting stats:
TCP:
     Total hold downs triggered:             0
     Current per-client state entries:       0

UDP:
     Total hold downs triggered:             0
     Current per-client state entries:       0

ICMP:
     Total hold downs triggered:             0
     Current per-client state entries:       0

Table 5-62 Rate Limiting Statistics (/stats/security/ratelim)


Field                       Description
Total hold downs triggered  The total number of packets dropped after the
                            hold-down period expired.
Current per-client state    The total number of per-client state entries for
entries                     TCP/UDP/ICMP rate limiting.


/stats/security/dump
Dump Statistics for Security
IP ACL stats:
Address              Blocked Packets
-----------------------------------------------------------------
UDP blast protection stats:
UDP Port   Blocked Packets   Current Packet Rate/Second
-----------------------------------------------------------------
Pattern Match Group stats:
ID   Name                 Hits
1                         0
100                       0
101                       0
-----------------------------------------------------------------
Rate limiting stats:
TCP:
     Total hold downs triggered:             0
     Current per-client state entries:       0

UDP:
     Total hold downs triggered:             0
     Current per-client state entries:       0

ICMP:
     Total hold downs triggered:             0
     Current per-client state entries:       0


/stats/mp
Management Processor Statistics
[MP-specific Statistics Menu]
     pkt     - Show Packet and TCP stats
     tcb     - Show All TCP control blocks in use
     ucb     - Show All UDP control blocks in use
     sfd     - Show All Socket FD in use
     cpu     - Show CPU utilization
     mem     - Show memory stats

Table 5-63 Management Processor Statistics Menu Options (/stats/mp)


Command Syntax and Usage
pkt
Displays packet statistics, to check for leads and load. To view a sample output and a description
of the stats, see page 249.
tcb
Displays all TCP control blocks that are in use. To view a sample output and a description of the
stats, see page 251.
ucb
Displays all UDP control blocks that are in use. To view a sample output, see page 251.
sfd
Displays all Socket File Descriptors that are in use. To view a sample output, see page 252.
cpu
Displays CPU utilization for periods of up to 1, 4, and 64 seconds. To view a sample output and a
description of the stats, see page 252.
mem
Displays memory statistics.


/stats/mp/pkt
MP Packet Statistics
Packet counts:
     allocs:           89262     frees:                    89262
     mediums:              0     mediums hi-watermark:         4
     jumbos:               0     jumbos hi-watermark:          0
     smalls:               0     smalls hi-watermark:          4
     alloc fails:          0     packet discards:              0
TCP counts:
     allocs:            4866     frees:                     4827
     current:             46     current hi-watermark:       146
     alloc fails:          0     alloc discards:               0

Table 5-64 Packet Statistics (/stats/mp/pkt)


Statistics            Description
Packet counts:
allocs                Total number of packet allocations from the packet
                      buffer pool by the TCP/IP protocol stack.
frees                 Total number of times the packet buffers are freed
                      (released) to the packet buffer pool by the TCP/IP
                      protocol stack.
mediums               Total number of packet allocations with size between
                      128 and 1536 bytes from the packet buffer pool by the
                      TCP/IP protocol stack.
jumbos                Total number of packet allocations with size between
                      1536 bytes and 9K bytes from the packet buffer pool by
                      the TCP/IP protocol stack.
smalls                Total number of packet allocations with size less than
                      128 bytes from the packet buffer pool by the TCP/IP
                      protocol stack.
alloc fails           Total number of packet allocation failures from the
                      packet buffer pool by the TCP/IP protocol stack.
frees                 Total number of packets freed from the packet buffer
                      pool by the TCP/IP protocol stack.
mediums hi-watermark  The highest number of packet allocations with size
                      between 128 and 1536 bytes from the packet buffer pool
                      by the TCP/IP protocol stack.
jumbos hi-watermark   The highest number of packet allocations with size
                      between 1536 bytes and 9K bytes from the packet buffer
                      pool by the TCP/IP protocol stack.
smalls hi-watermark   The highest number of packet allocations with size less
                      than 128 bytes from the packet buffer pool by the TCP/IP
                      protocol stack.


packet discards       The number of packets that are discarded by the MP. The
                      packets are discarded because buffer resources are not
                      available, or because the buffer threshold is reached
                      and the low priority packets are discarded.
TCP counts:
allocs                Total number of TCP packet allocations from MP memory
                      by the TCP/IP protocol stack.
current               Total number of TCP packet allocations from MP memory
                      by the TCP/IP protocol stack.
alloc fails           Total number of TCP packet allocation failures from MP
                      memory by the TCP/IP protocol stack.
frees                 Total number of times the TCP packet buffers are freed
                      (released) to MP memory by the TCP/IP protocol stack.
current hi-watermark  The highest number of TCP packet allocations from MP
                      memory by the TCP/IP protocol stack.
alloc discards        The number of TCP packets that are discarded by the MP.
                      The packets are discarded because MP memory resources
                      are not available.


/stats/mp/tcb
TCP Statistics
All TCP allocated control blocks:
117f6d00: 0.0.0.0            0 <=> 0.0.0.0           80  listen
117f81a8: 47.81.27.6      1331 <=> 47.80.16.59       23  established

Table 5-65 MP Specified TCP Statistics (/stats/mp/tcb)


Statistics           Description
117f6d00/117f81a8    Memory
0.0.0.0/47.81.27.6   Destination IP address
0/1331               Destination port
0.0.0.0/47.80.16.59  Source IP
80/23                Source port
listen/established   State

/stats/mp/ucb
UCB Statistics
All UDP allocated control blocks:
161: listen
1985: listen
3122: listen

Table 5-66 UCB Statistics on MP (/stats/mp/ucb)


Field           Description
161/1985/3122   UDP port number
Listen          State


/stats/mp/sfd
MP-Specific SFD Statistics
All Socket FD allocated:
0 -1 16 1180b128: 0.0.0.0   0 <=> 47.133.88.31    81  listen  TCP  server
1 -1 17 108c5bd8: 0.0.0.0   0 <=> 47.133.88.31    23  listen  TCP  server
2 -1 18 108d5cfc: 0.0.0.0   0 <=> 47.133.88.31    22  listen  TCP  server
3 -1 19 1180a258: 0.0.0.0   0 <=> 47.133.88.31   443  listen  TCP  server

/stats/mp/cpu
CPU Statistics
This menu option enables you to display the CPU utilization statistics on MP.
CPU utilization:
     cpuUtil1Second:        100%
     cpuUtil4Seconds:       100%
     cpuUtil64Seconds:      100%

Table 5-67 CPU Statistics (stats/mp/cpu)


Statistics        Description
cpuUtil1Second    The percentage of CPU utilization as measured over the last
                  one second interval.
cpuUtil4Seconds   The percentage of CPU utilization as measured over the last
                  four second interval.
cpuUtil64Seconds  The percentage of CPU utilization as measured over the last
                  64 second interval.


/stats/sp <SP Number>


SP Specific Statistics
[SP-specific Statistics Menu]
     maint   - Show maintenance stats
     clear   - Clear maintenance stats
     cpu     - Show CPU utilization

Table 5-68 SP Specific Statistics (/stats/sp)


Statistics  Description
maint       Displays internal statistics, Layer 2 FDB maintenance statistics,
            and MP DOS shield statistics. See page 254 for a sample output.
clear       Deletes all the maintenance statistics.
cpu         Displays what percentage of the CPU has been utilized. To view a
            sample output and a description of the stats, see page 254.


/stats/sp <SP number>/maint


SP-Specific Maintenance Statistics
Maintenance statistics for SP 1:
Receive Letter success from MP:       158648
Receive Letter success from SP 2:          0
Receive Letter success from SP 3:          0
Receive Letter success from SP 4:          0
Receive Letter errors from MP:             0
Receive Letter errors from SP 2:           0
Receive Letter errors from SP 3:           0
Receive Letter errors from SP 4:           0
Send Letter success to MP:            125516
Send Letter success to SP 2:               0
Send Letter success to SP 3:            6799
Send Letter success to SP 4:            6791
Send Letter failures to MP:                0
Send Letter failures to SP 2:              0
Send Letter failures to SP 3:              0
Send Letter failures to SP 4:              0
learnErrNoddw:          0     resolveErrNoddw:      0
ageMPNoddw:             0     deleteMiss:           0
pfdbFreeEmpty:          0
arpDiscards:            0     icmpDiscards:         0
tcpDiscards:            0     udpDiscards:          0

/stats/sp/cpu
CPU Statistics
This menu option enables you to display the CPU utilization statistics on the Switch Processor
(SP).
CPU utilization for SP 1:
     cpuUtil1Second:          6%
     cpuUtil4Seconds:         6%
     cpuUtil64Seconds:        6%

Table 5-69 CPU Statistics (stats/sp/cpu)


Statistics        Description
cpuUtil1Second    The percentage of CPU utilization as measured over the last
                  one second interval.


cpuUtil4Seconds   The percentage of CPU utilization as measured over the last
                  four second interval.
cpuUtil64Seconds  The percentage of CPU utilization as measured over the last
                  64 second interval.

/stats/pmirr
Port Mirroring Statistics Menu
[Port Mirroring Statistics Menu]
     dump    - Port Mirroring Stats
     clear   - Clear all Port Mirroring Stats

Table 5-70 Port Mirroring


Command Syntax and Usage
dump
Displays the port number, and the statistics of the traffic on the ingress and egress ports.
clear
Deletes all the port mirroring statistics.

CAUTION Use this command carefully as it will delete all statistics permanently.

/stats/mgmt
Management Port Statistics
Management port interface statistics:
RX bytes:            0     TX bytes:             0
RX packets:          0     TX packets:           0
RX errors:           0     TX errors:            0
RX dropped:          0     TX dropped:           0
RX overruns:         0     TX overruns:          0
RX frame errors:     0     TX carrier errors:    0
RX multicast:        0     TX collisions:        0


Table 5-71 Management Port Statistics (/stats/mgmt)


Statistics         Description
RX bytes           The total number of incoming bytes successfully
                   transferred by the interface.
RX packets         The total number of incoming packets successfully
                   transferred by the interface.
RX errors          The number of bad packets received.
RX dropped         The number of incoming packets that were dropped due to
                   lack of receive buffers.
RX overruns        The number of received packets that were dropped because
                   their size exceeded that of the receive queue.
RX frame errors    The number of incoming packets dropped due to IP framing
                   errors.
RX multicast       The number of multicast packets received.
TX bytes           The total number of outgoing bytes successfully
                   transferred by the interface.
TX packets         The total number of outgoing packets successfully
                   transferred by the interface.
TX errors          The number of packets dropped due to transmission
                   problems.
TX dropped         The number of packets dropped due to lack of transmit
                   buffers.
TX overruns        The number of packets dropped because size exceeded that
                   of the transmit queue.
TX carrier errors  Not applicable.
TX collisions      The number of collisions due to congestion on the medium.
                   Collisions occur when two or more stations are
                   transmitting signals at the same time.

/stats/dump
Dump Statistics
Use the dump command to dump all switch statistics available from the Statistics Menu (40K or more,
depending on your configuration). This data can be used to tune or debug switch performance.
If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump commands.

CHAPTER 6

The Configuration Menu


This chapter discusses how to use the Command Line Interface (CLI) for making, viewing, and
saving switch configuration changes. Many of the commands, although not new, display more
or different information than in the previous version. Important differences are called out in the
text.
To make finding information easier, the menu options under the Server Load Balancing Menu
(/cfg/slb) are in Chapter 7.

/cfg
Configuration Menu
[Configuration Menu]
     sys      - System-wide Parameter Menu
     port     - Port Menu
     pmirr    - Port Mirroring Menu
     bwm      - Bandwidth Management Menu
     l2       - Layer 2 Menu
     l3       - Layer 3 Menu
     slb      - Server Load Balancing (Layer 4-7) Menu
     security - Security Menu
     sslproc  - SSL Processor Setup Menu
     setup    - Step by step configuration set up
     dump     - Dump current configuration to script file
     ptcfg    - Backup current configuration to FTP/TFTP server
     gtcfg    - Restore current configuration from FTP/TFTP server


Table 6-1 Configuration Menu Options (/cfg)


Command Syntax and Usage
sys
Displays the System-wide parameter Configuration Menu. To view menu options, see page 261.
port <port number>
Displays the Port Configuration Menu. To view menu options, see page 301.
pmirr
Displays the Mirroring Configuration Menu. To view menu options, see page 315.
bwm
Displays the Bandwidth Management Configuration Menu. To view menu options, see page 316.
l2
Displays Layer 2 Configuration Menu. To view menu options, see page 325.
l3
Displays Layer 3 Configuration Menu. To view menu options, see page 342.
slb
Displays the Server Load Balancing Configuration Menu. To view menu options, see Chapter 7,
The SLB Configuration Menu.
security
Displays the Security Menu. To view menu options, see page 397.
sslproc
Displays the SSL processor setup Menu. To view menu options, see page 403.
setup
Step-by-step configuration set-up of the switch. For details, see page 403.
dump
Dumps current configuration to a script file. For details, see page 407.
ptcfg <host name or IP address of TFTP server> <filename on host>
Backs up current configuration to TFTP server. For details, see page 408.
gtcfg <host name or IP address of TFTP server> <filename on host>
Restores current configuration from TFTP server. For details, see page 408.


Viewing, Applying, and Saving Changes


As you use the configuration menus to set switch parameters, the changes you make do not
take effect immediately. All changes are considered pending until you explicitly apply them.
Also, any changes are lost the next time the switch boots unless the changes are explicitly
saved.
While configuration changes are in the pending state, you can do the following:

View the pending changes

Apply the pending changes

Save the changes to flash memory

Viewing Pending Changes


You can view all pending configuration changes by entering diff at the menu prompt.
NOTE The diff command is a global command. Therefore, you can enter diff at any
prompt in the CLI.

Applying Pending Changes


To make your configuration changes active, you must apply them. To apply configuration
changes, enter apply at any prompt in the CLI.
# apply

NOTE The apply command is a global command. Therefore, you can enter apply at any
prompt in the administrative interface.

NOTE All configuration changes take effect immediately when applied, except for starting
Spanning Tree Protocol. To turn STP on or off, you must apply the changes, save them (see
below), and then reset the switch (see Resetting the Switch on page 517).

Saving the Configuration


In addition to applying the configuration changes, you can save them to flash memory on the
Nortel Application Switch.

NOTE If you do not save the changes, they will be lost the next time the system is rebooted.
To save the new configuration, enter the following command at any CLI prompt:
# save

When you save configuration changes, the changes are saved to the active configuration block.
The configuration being replaced by the save is first copied to the backup configuration block.
If you do not want the previous configuration block copied to the backup configuration block,
enter the following instead:
# save n

You can decide which configuration you want to run the next time you reset the switch. Your
options include:

The active configuration block

The backup configuration block

Factory default configuration

You can view all pending configuration changes that have been applied but not saved to flash
memory using the diff flash command. It is a global command that can be executed from
any menu.
For instructions on selecting the configuration to run at the next system reset, see Selecting a
Configuration Block on page 515.


/cfg/sys
System Configuration
[System Menu]
     syslog   - Syslog Menu
     mmgmt    - Management Port Menu
     radius   - RADIUS Authentication Menu
     tacacs   - TACACS+ Authentication Menu
     ntp      - NTP Server Menu
     sonmp    - SONMP Menu
     ssnmp    - System SNMP Menu
     health   - System Health Check Menu
     access   - System Access Menu
     date     - Set system date
     time     - Set system time
     timezone - Set system timezone (daylight savings)
     idle     - Set timeout for idle CLI sessions
     notice   - Set login notice
     bannr    - Set login banner
     smtp     - Set SMTP host
     hprompt  - Enable/disable display hostname (sysName) in CLI prompt
     bootp    - Enable/disable use of BOOTP
     cur      - Display current system-wide parameters

This menu provides configuration of switch management parameters such as user and
administrator privilege mode passwords, Web-based management settings, and management
access list.
Table 6-2 System Configuration Menu Options (/cfg/sys)
Command Syntax and Usage
syslog
Displays the Syslog Menu. To view menu options, see page 263.
mmgmt
Displays Management Port Menu. To view menu options, see page 264.
radius
Displays the RADIUS Authentication Menu. To view menu options, see page 268.
tacacs
Displays TACACS+ authentication Menu. To view menu options, see page 270.
ntp
Displays the Network Time Protocol (NTP) Server Menu. To view menu options, see page 271.

sonmp
Displays the SynOptics Network Management Protocol (SONMP) menu. To view menu options,
see page 273.
ssnmp
Displays the System SNMP Menu. To view menu options, see page 273.
health
Displays system health check menu. To view menu options, see page 287.
access
Displays System Access Menu. To view menu options, see page 288.
date
Prompts the user for the system date.
time
Configures the system time using a 24-hour clock format.
timezone
Configures the system time zone. To view an example, see page 300.
idle <idle timeout in minutes; affects both console and Telnet>
Sets the idle timeout for CLI sessions, from 1 to 10080 minutes. The default is 5 minutes.
notice <max 1024 char multi-line login notice> <'-' to end>
Displays login notice immediately before the Enter password: prompt. This notice can contain
up to 1024 characters and new lines.
bannr <string, maximum 80 characters>
Configures a login banner of up to 80 characters. When a user or administrator logs into the switch,
the login banner is displayed. It is also displayed as part of the output from the /info/sys command.
smtp <SMTP host name or IP address>
Sets the Simple Mail Transfer Protocol (SMTP) host, which is used for sending bandwidth management history information.
hprompt disable|enable
Enables or disables displaying of the host name (system administrator's name) in the Command
Line Interface (CLI).
bootp disable|enable
Enables or disables the use of BOOTP. If you enable BOOTP, the switch will query its BOOTP
server for all of the switch IP parameters. This command is disabled by default.
cur
Displays the current system parameters.


/cfg/sys/syslog
System Host Log Configuration
NOTE Nortel Application Switch Operating System 23.0 supports the RFC 3164 standard for
Syslogs.
[Syslog Menu]
     host     - Set IP address of first syslog host
     host2    - Set IP address of second syslog host
     sever    - Set the severity of first syslog host
     sever2   - Set the severity of second syslog host
     facil    - Set facility of first syslog host
     facil2   - Set facility of second syslog host
     console  - Enable/disable console output of syslog messages
     log      - Enable/disable syslogging of features
     cur      - Display current syslog settings

Table 6-3 System Configuration Menu Options (/cfg/sys/syslog)


Command Syntax and Usage
host <new syslog host IP address (such as, 192.4.17.223)>
Sets the IP address of the first syslog host.
host2 <new syslog host IP address (such as, 192.4.17.223)>
Sets the IP address of the second syslog host.
sever <syslog host local severity (0-7)>
This option sets the severity level of the first syslog host displayed. The default is 7, which means
log all the seven severity levels. For a detailed description of the seven levels of severity, see
page 264.
sever2 <syslog host local severity (0-7)>
This option sets the severity level of the second syslog host displayed. The default is 7, which
means log all the seven severity levels. For a detailed description of the seven levels of severity,
see page 264.
facil <syslog host local facility (0-7)>
This option sets the facility level of the first syslog host displayed. The default is 0.
facil2 <syslog host local facility (0-7)>
This option sets the facility level of the second syslog host displayed. The default is 0.
console disable|enable
Enables or disables delivering syslog messages to the console. When necessary, disabling console ensures the switch is not affected by syslog messages. It is enabled by default.

log <feature|all> <enable|disable>
Displays a list of features for which syslog messages can be generated. You can choose to enable/
disable specific features (such as vlans, gslb, filter), or enable/disable syslog on all available
features.
cur
Displays the current syslog settings.

Seven Levels of Severity


Following is the description of the seven levels of severity:
0: Emergency. This means that the system is unusable.
1: Alert. This means that corrective action must be taken immediately.
2: Critical. This means the condition of the system is critical.
3: Error. This means that the system has errors that should be corrected.
4: Warning. This means that the system is giving a warning.
5: Notice. This means that the condition of the system is normal but with significant conditions
that need attention.
6: Informational. This means that the system is working but giving out information about certain unfavorable conditions.
7: Debug. This means that the system is giving out debug-level messages.
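The following Python example is added here and is not part of the Nortel reference. It decodes the RFC 3164 PRI field of messages arriving at a collector and sorts them against the switch's facil and sever settings. It assumes that facil N is sent as syslog facility localN (code 16 + N) and that sever N means severity codes 0 through N are sent; the sample messages are constructed.

```python
import re

# Severity names in the order this reference lists them (codes 0-7).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

def decode_pri(pri):
    """Split PRI into (facility, severity); RFC 3164: PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)

def parse_message(line):
    """Parse one RFC 3164 line; return None when it does not match the layout."""
    m = RFC3164.match(line)
    if m is None or int(m["pri"]) > 191:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return {
        "host": m["host"],
        "timestamp": m["ts"],
        "facility": facility,
        # Assumption: switch facil N is sent as facility localN (code 16 + N).
        "local": facility - 16 if 16 <= facility <= 23 else None,
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "msg": m["msg"],
    }

def triage(lines, expected_local, max_severity):
    """Sort collector input against the switch's facil and sever settings.

    kept       - expected facility, severity code <= max_severity
    filtered   - expected facility, but less severe than the threshold
    unexpected - unparsable, or a facility the switch is not configured to use
    """
    result = {"kept": [], "filtered": [], "unexpected": []}
    for line in lines:
        msg = parse_message(line)
        if msg is None or msg["local"] != expected_local:
            result["unexpected"].append(line)
        elif msg["severity"] <= max_severity:
            result["kept"].append(msg)
        else:
            result["filtered"].append(msg)
    return result

# Constructed sample input (documentation addresses, invented message text).
SAMPLE = [
    "<132>Jan  5 09:15:02 192.0.2.10 constructed: management gateway DOWN",
    "<129>Jan  5 09:15:03 192.0.2.10 constructed: alert condition",
    "<135>Jan  5 09:15:04 192.0.2.10 constructed: debug trace",
    "<38>Jan  5 09:15:05 192.0.2.99 constructed: message with facility 4",
    "no PRI field at all",
]

if __name__ == "__main__":
    out = triage(SAMPLE, expected_local=0, max_severity=4)
    for bucket, items in out.items():
        print(bucket, len(items))
```

Messages that land in the unexpected bucket come from a facility the switch was not configured to use, or do not follow the RFC 3164 layout, and are worth reviewing separately from normal switch logs.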

/cfg/sys/mmgmt
Management Port Configuration Menu
The Management port is a Fast Ethernet port that is used exclusively to manage the switch.
While the switch can be managed from any network port, using the Management port avoids consuming a port that could otherwise be used for processing data and traffic. The switch can be managed through this port using telnet CLI, SNMP, or HTTP. This port is isolated from and does not participate in the networking protocols that run on the network ports.
The Management port must be configured with a static IP address, subnet mask, broadcast
address, and default gateway, and must be enabled before it can be used. If this port is disabled,
the network ports have to perform all switch management (other than the switch management
using the console). If this port is enabled, the factory default settings for some of the management features remain with the network ports. You can change the defaults by configuring these
features to permanently use the management port, or in some cases, by using the operational
commands to set these options on a one-time basis.
NOTE The Management port does not support BOOTP.
[Management Port Menu]
     port     - Management Port Phy Menu
     addr     - Set IP address
     mask     - Set subnet mask
     gw       - Set default gateway address
     intr     - Set interval between gateway ping attempts
     retry    - Set number of failed attempts to declare gateway DOWN
     dns      - Set default port for DNS
     ntp      - Set default port for NTP
     radius   - Set default port for RADIUS
     tacacs   - Set default port for TACACS+
     smtp     - Set default port for SMTP
     snmp     - Set default port for SNMP traps
     syslog   - Set default port for SYSLOG
     sonmp    - Set default IP for SONMP hello packets
     tftp     - Set default port for FTP/TFTP
     wlm      - Set default port for Workload Manager
     report   - Set default port for Reporting server
     ena      - Enable management port
     dis      - Disable management port
     cur      - Display current configuration

Table 6-4 Management Port Configuration Menu Options (/cfg/sys/mmgmt)


Command Syntax and Usage
port
Displays the management port link menu. To view the menu options, see page 268.
addr <IP address (such as, 192.4.17.101)>
Sets the IP address.
mask <subnet mask (such as, 255.255.255.0)>
Sets the subnet mask.
gw <gateway address (such as, 192.4.17.1)>
Sets the IP address for the default gateway.
intr <interval (0 - 60 seconds)>
Sets the interval between gateway ping attempts.
retry <number of attempts (1-120)>
Sets the number of failed ping attempts before a gateway is declared DOWN.
dns default port mgmt|data
Sets DNS over management or data port. Default is data port.
ntp default port mgmt|data
Sets NTP over management or data ports. The default is data port.
radius default port mgmt|data
Sets RADIUS over management or data ports. Default is data port.
tacacs mgmt|data
Sets TACACS+ over management or data ports. Default is data port.
smtp default port mgmt|data
Sets SMTP over management or data ports. Default is data port.
snmp default port mgmt|data
Sets SNMP trap host over management or data ports. Default is data port.
syslog default port mgmt|data
Sets syslog host access over management or data ports. Default is data port.
sonmp default port mgmt|data
Sets default IP address for SONMP hello packets.
When this option is set to mgmt then the Management Port IP address is used in the SONMP hello
packets transmitted by the switch. But if it is set to data, then the IP address of the data port
interface specified by srcif (/cfg/sys/sonmp/srcif) command is used in the hello
packets.
tftp default port mgmt|data
Sets TFTP over management or data port. Default is data port.
wlm ["mgmt"|"data"]
Set the default port for the workload manager.
report ["mgmt"|"data"]
Set the default port for the reporting server.
ena
Enables the Management port.

dis
Disables the Management port.
cur
Displays the current configuration.


/cfg/sys/mmgmt/port
Management Port Link Menu
[Management Port Link Menu]
     speed    - Set link speed
     mode     - Set full or half duplex mode
     auto     - Set autonegotiation
     cur      - Display current link configuration

Table 6-5 Management Port Link Menu Options (/cfg/sys/mmgmt/port)


Command Syntax and Usage
speed 10|100|any
Sets the speed of the link with the Management port. Default is any.
mode full|half|any
Sets half or full duplex mode. Default is any.
auto on|off
Sets auto negotiation for the port. By default this command is turned on.
cur
Displays the current link configuration.

/cfg/sys/radius
RADIUS Server Configuration
[RADIUS Server Menu]
     prisrv   - Set primary RADIUS server address
     secsrv   - Set secondary RADIUS server address
     secret   - Set primary RADIUS server secret
     secret2  - Set secondary RADIUS server secret
     port     - Set RADIUS port
     retries  - Set RADIUS server retries
     timeout  - Set RADIUS server timeout
     telnet   - Enable/disable RADIUS backdoor for telnet
     on       - Turn RADIUS authentication ON
     off      - Turn RADIUS authentication OFF
     cur      - Display current RADIUS configuration


Table 6-6 RADIUS Server Configuration Menu Options (/cfg/sys/radius)


Command Syntax and Usage
prisrv <IP address>
Sets the primary RADIUS server address.
secsrv <IP address>
Sets the secondary RADIUS server address.
secret <1-128 character secret>
This is the shared secret password between the switch and the primary RADIUS server(s).
secret2 <1-128 character secret>
This is the shared secret password between the switch and the secondary RADIUS server(s).
port <RADIUS port to configure, default 1645>
Enter the number of the UDP port to be configured, between 1500 - 3000. The default is 1645.
retries <RADIUS server retries (1-3)>
Sets the number of failed authentication requests before switching to a different RADIUS server.
The default is 3 requests.
timeout <RADIUS server timeout seconds (1-10)>
Sets the amount of time, in seconds, before a RADIUS server authentication attempt is considered
to have failed. The default is 3 seconds.
telnet disable|enable
Enables or disables the RADIUS back door for telnet. Telnet also applies to SSH/SCP connections.
on
Enables the RADIUS server.
off
Disables the RADIUS server.
cur
Displays the current RADIUS server parameters.


/cfg/sys/tacacs
TACACS+ Server Configuration Menu
TACACS (Terminal Access Controller Access Control System) is an authentication protocol
that allows a remote access server to forward a user's logon password to an authentication
server to determine whether access can be allowed to a given system. TACACS is
an encryption protocol and therefore less secure than TACACS+ and Remote Authentication
Dial-In User Service (RADIUS) protocols. (Both TACACS and TACACS+ are described in
RFC 1492.)
TACACS+ protocol is seen as more reliable than RADIUS as TACACS+ uses the Transmission Control Protocol (TCP) whereas RADIUS uses the User Datagram Protocol (UDP). Also,
RADIUS combines authentication and authorization in a user profile, whereas TACACS+ separates the two operations.
TACACS+ protocol has been implemented on Nortel Application Switch Operating System to
support the customers that have Cisco's TACACS+ protocol as their network security feature.
Apart from that, TACACS+ offers the following advantages over RADIUS as the authentication device:

TACACS+ is TCP-based so it facilitates connection-oriented traffic.

It supports full-packet encryption as against password-only in authentication requests.

Supports decoupled authentication, authorization, and accounting.

[TACACS+ Server Menu]
     prisrv   - Set primary TACACS+ server address
     secsrv   - Set secondary TACACS+ server address
     secret   - Set primary TACACS+ server secret
     secret2  - Set secondary TACACS+ server secret
     port     - Set TACACS+ TCP port
     retries  - Set TACACS+ server retries
     timeout  - Set TACACS+ server timeout (seconds)
     telnet   - Enable/disable TACACS+ backdoor for telnet
     on       - Turn TACACS+ authentication ON
     off      - Turn TACACS+ authentication OFF
     cur      - Display current TACACS+ configuration


Table 6-7 TACACS+ Server Menu Options (/cfg/sys/tacacs)


Command Syntax and Usage
prisrv <IP address>
Defines the primary TACACS+ server address.
secsrv <IP address>
Defines the secondary TACACS+ server address.
secret <1-128 character secret>
This is the shared secret between the switch and the primary TACACS+ server(s).
secret2 <1-128 character secret>
This is the shared secret between the switch and the secondary TACACS+ server(s).
port <RADIUS port configure, default 1645>
Enter the number of the TCP port to be configured, between 1500 - 3000. The default is 1645.
retries <RADIUS server retries, 1-3>
Sets the number of failed authentication requests before switching to a different TACACS+ server.
The default is 3 requests.
timeout <RADIUS server timeout seconds, 4 to 15>
Sets the amount of time, in seconds, before a TACACS+ server authentication attempt is considered to have failed. The default is 3 seconds.
telnet disable|enable
Enables or disables the TACACS+ back door for telnet. Telnet also applies to SSH/SCP connections.
on
Enables the TACACS+ server.
off
Disables the TACACS+ server.
cur
Displays current TACACS+ configuration parameters.

/cfg/sys/ntp
NTP Server Configuration


This menu enables you to synchronize the switch clock to a Network Time Protocol (NTP)
server. By default, this option is disabled.
[NTP Server Menu]
     prisrv   - Set primary NTP server address
     secsrv   - Set secondary NTP server address
     intrval  - Set NTP server resync interval
     tzone    - Set NTP timezone offset from GMT
     on       - Turn NTP service ON
     off      - Turn NTP service OFF
     cur      - Display current NTP configuration

Table 6-8 NTP Server Configuration Menu Options (/cfg/sys/ntp)


Command Syntax and Usage
prisrv <primary NTP server IP address>
Prompts for the IP address of the primary NTP server to which you want to synchronize the switch
clock.
secsrv <secondary NTP server IP address>
Prompts for the IP address of the secondary NTP server to which you want to synchronize the
switch clock.
intrval <resync interval in minutes>
Specifies how often the switch will re-synchronize the switch clock with the NTP server. This
interval of time will be specified in minutes (1-44640). The default value is 1440 minutes.
tzone <offset from GMT, in HH:MM>
Prompts for the NTP time zone offset, in hours and minutes, of the switch you are synchronizing
from Greenwich Mean Time (GMT).
on
Enables the NTP synchronization service.
off
Disables the NTP synchronization service.
cur
Displays the current NTP service settings.


/cfg/sys/sonmp
SynOptics Network Management Protocol Configuration
[SONMP Menu]
     srcif    - Set source interface to be used in hello packets
     on       - Turn Ethernet Autotopology ON
     off      - Turn Ethernet Autotopology OFF
     cur      - Display current SONMP configuration

SynOptics Network Management Protocol (SONMP) is a proprietary network management
protocol that is used by Nortel Networks Optivity Switch Manager (OSM) to discover Nortel
Application Switches on the network. The following commands add support for the Ethernet
Autotopology algorithm and the Bay Topology MIB. The topology algorithm is executed by
each Nortel Application Switch on which SONMP is enabled.
Table 6-9 System Configuration Menu Options (/cfg/sys/sonmp)
Command Syntax and Usage
srcif <interface number (1-256)>
This command specifies the IP address to be used in the hello packets. If the interface specified by
this command is not up, then the first interface which is up and running is used in the hello packets.
on
This command enables the SONMP protocol, and turns Ethernet Autotopology on.
off
This command disables the SONMP protocol, and turns Ethernet Autotopology off.
cur
This command displays the current SONMP configuration.

/cfg/sys/ssnmp
System SNMP Configuration
Nortel Application Switch Operating System supports SNMP-based network management. In
the SNMP model of network management, a management station (client/manager) accesses a set
of variables known as MIBs (Management Information Base) provided by the managed device
(agent). If you are running an SNMP network management station on your network, you can
manage the switch using the following standard SNMP MIBs:

MIB II (RFC 1213)

Ethernet MIB (RFC 1643)



Bridge MIB (RFC 1493)

An SNMP agent is a software process on the managed device that listens on UDP port 161 for
SNMP messages. Each SNMP message sent to the agent contains a list of management objects
to retrieve or to modify.
SNMP parameters that can be modified include:

System name

System location

System contact

Use of the SNMP system authentication trap function

Read community string

Write community string

Trap community strings

[System SNMP Menu]
     snmpv3   - SNMPv3 Menu
     name     - Set SNMP "sysName"
     locn     - Set SNMP "sysLocation"
     cont     - Set SNMP "sysContact"
     rcomm    - Set SNMP read community string
     wcomm    - Set SNMP write community string
     trsrc    - Set SNMP trap source interface
     timeout  - Set timeout for the SNMP state machine
     auth     - Enable/disable SNMP "sysAuthenTrap"
     linkt    - Enable/disable SNMP link up/down trap
     cur      - Display current system SNMP configuration

Table 6-10 SNMP Configuration Menu Options (/cfg/sys/ssnmp)


Command Syntax and Usage
snmpv3
Displays SNMPv3 menu. To view menu options, see page 276.
name <new string (maximum 64 characters)>
Configures the name for the system. The name can have a maximum of 64 characters.
locn <new string (maximum 64 characters)>
Configures the name of the system location. The location can have a maximum of 64 characters.
cont <new string (maximum 64 characters)>
Configures the name of the system contact. The contact can have a maximum of 64 characters.

rcomm <new SNMP read community string (maximum 32 characters)>
Configures the SNMP read community string. The read community string controls SNMP get
access to the switch. It can have a maximum of 32 characters. The default read community string is
public.
wcomm <new SNMP write community string (maximum 32 characters)>
Configures the SNMP write community string. The write community string controls SNMP set
and get access to the switch. It can have a maximum of 32 characters. The default write community string is private.
trsrc <interface number (1-256)>
Defines the interface number for SNMP trap source interface. This command enables the user to
select one of the configured interfaces as the source interface using the interface number.

NOTE This command is applicable only to SNMPv1 and SNMPv2 traps because only
the SNMPv1 and SNMPv2 trap packets contain the source IP address that can be
set with this command. The SNMPv3 packets do not contain this field.
timeout <SNMP state machine timeout minutes, 1-30>
Defines the timeout period for SNMP state machine. When you use diff and apply, memory is
allocated to store the output of the command. The timeout period determines when the
resources/memory allocated for the output will be freed.
auth disable|enable
Enables or disables the use of the system authentication trap facility. The default setting is disabled.
linkt <port> <disable|enable>
Enables or disables the sending of SNMP link up and link down traps. The default setting is
enabled.
cur
Displays the current STP port parameters.


/cfg/sys/ssnmp/snmpv3
SNMPv3 Configuration Menu
SNMP version 3 (SNMPv3) is an extensible SNMP Framework that supplements the SNMPv2
Framework by supporting the following:

a new SNMP message format

security for messages

access control

remote configuration of SNMP parameters

For more details on the SNMPv3 architecture please refer to RFC 2271 to RFC 2276.
[SNMPv3 Menu]
     usm      - usmUser Table menu
     view     - vacmViewTreeFamily Table menu
     access   - vacmAccess Table menu
     group    - vacmSecurityToGroup Table menu
     comm     - community Table menu
     taddr    - targetAddr Table menu
     tparam   - targetParams Table menu
     notify   - notify Table menu
     v1v2     - Enable/disable V1/V2 access
     cur      - Display current SNMPv3 configuration

Table 6-11 SNMPv3 Configuration Menu Options (/cfg/sys/ssnmp/snmpv3)


Command Syntax and Usage
usm <usmUser number [1-16]>
This command allows you to create a user security model (USM) entry for an authorized user. You
can also configure this entry through SNMP. To view menu options, see page 278.
view <vacmViewTreeFamily number [1-128]>
This command allows you to create different MIB views. To view menu options, see page 279.
access <vacmAccess number [1-32]>
This command allows you to specify access rights. The View-based Access Control Model
defines a set of services that an application can use for checking access rights of the user.
You need access control when you have to process a retrieval or modification request
from an SNMP entity. To view menu options, see page 280.



group <vacmSecurityToGroup number [1-16]>
A group maps the user name to the access group names and their access rights needed to
access SNMP management objects. A group defines the access rights assigned to all
names that belong to a particular group. To view menu options, see page 282.
comm <snmpCommunity number [1-16]>
The community table contains objects for mapping community strings and version-independent
SNMP message parameters. To view menu options, see page 283.
taddr <snmpTargetAddr number [1-16]>
This command allows you to configure destination information, consisting of a transport domain
and a transport address. This is also termed as transport endpoint. The SNMP MIB provides a
mechanism for performing source address validation on incoming requests, and for selecting community strings based on target addresses for outgoing notifications. To view menu options, see
page 284.
tparam <target params index [1-16]>
This command allows you to configure SNMP parameters, consisting of message processing
model, security model, security level, and security name information. There may be multiple transport endpoints associated with a particular set of SNMP parameters, or a particular transport endpoint may be associated with several sets of SNMP parameters. To view menu options, see
page 285.
notify <notify index [1-16]>
A notification application typically monitors a system for particular events or conditions, and generates Notification-Class messages based on these events or conditions. To view menu options, see
page 286.
v1v2 disable|enable
This command allows you to enable or disable the access to SNMP version 1 and version 2. This
command is enabled by default.
cur
Displays the current SNMPv3 configuration.
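The following Python example is added here and is not part of the Nortel reference. It audits a saved configuration dump for the management-plane settings this chapter documents: default SNMP community strings, SNMPv1/v2 access, the auth and priv options of the /cfg/sys/ssnmp/snmpv3/usm menu, the RADIUS and TACACS+ telnet back door, and a missing syslog host. The dump layout (a menu path line followed by indented command lines), the "usm <n>" path form, and both sample dumps are assumptions constructed for illustration.

```python
import shlex

# Defaults stated in this reference. A setting that is absent from the dump is
# judged at its default (assumption: the dump may omit unchanged settings).
DEFAULTS = {
    ("/cfg/sys/ssnmp", "rcomm"): "public",
    ("/cfg/sys/ssnmp", "wcomm"): "private",
    ("/cfg/sys/ssnmp/snmpv3", "v1v2"): "enable",
}
USM_PREFIX = "/cfg/sys/ssnmp/snmpv3/usm "

def parse_dump(text):
    """Return {menu path: {command: [arguments]}}.

    Assumed layout: a line starting in column 0 with '/' selects a menu and
    the indented lines after it are commands entered in that menu.
    """
    cfg, menu = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.startswith("/"):
            menu = " ".join(line.split())
            cfg.setdefault(menu, {})
        elif menu is not None:
            try:
                parts = shlex.split(line)   # honours "quoted strings"
            except ValueError:              # unbalanced quote: fall back
                parts = line.split()
            cfg[menu][parts[0]] = parts[1:]
    return cfg

def setting(cfg, menu, command, fallback=None):
    """First argument of a command, else the documented default, else fallback."""
    args = cfg.get(menu, {}).get(command)
    if args:
        return args[0]
    return DEFAULTS.get((menu, command), fallback)

def audit(cfg):
    """Return a list of (menu, finding) tuples for weak management settings."""
    findings = []
    snmp = "/cfg/sys/ssnmp"
    if setting(cfg, snmp, "rcomm") == "public":
        findings.append((snmp, "read community is the default 'public'"))
    if setting(cfg, snmp, "wcomm") == "private":
        findings.append((snmp, "write community is the default 'private'"))
    if setting(cfg, snmp + "/snmpv3", "v1v2") == "enable":
        findings.append((snmp + "/snmpv3", "SNMPv1/v2 access is enabled"))
    for menu in sorted(m for m in cfg if m.startswith(USM_PREFIX)):
        # auth defaults to none per the reference; no default is given for
        # priv, so a missing priv is treated as none here (assumption).
        if setting(cfg, menu, "auth", "none") == "none":
            findings.append((menu, "USM user has no authentication protocol"))
        if setting(cfg, menu, "priv", "none") == "none":
            findings.append((menu, "USM user has no privacy protocol"))
    for proto in ("radius", "tacacs"):
        menu = "/cfg/sys/" + proto
        if setting(cfg, menu, "telnet") == "enable":
            findings.append((menu, "telnet back door is enabled"))
    if setting(cfg, "/cfg/sys/syslog", "host") is None:
        findings.append(("/cfg/sys/syslog", "no first syslog host is set"))
    return findings

# Constructed sample dumps (not taken from a real switch).
WEAK_DUMP = """\
/cfg/sys/ssnmp
    name "lab-switch"
    wcomm "private"
/cfg/sys/ssnmp/snmpv3/usm 1
    name "monitor"
    auth md5
/cfg/sys/radius
    telnet enable
"""

HARDENED_DUMP = """\
/cfg/sys/syslog
    host 192.0.2.50
/cfg/sys/ssnmp
    rcomm "constructed-ro-string"
    wcomm "constructed-rw-string"
/cfg/sys/ssnmp/snmpv3
    v1v2 disable
/cfg/sys/ssnmp/snmpv3/usm 1
    name "monitor"
    auth sha
    priv des
/cfg/sys/radius
    telnet disable
"""

if __name__ == "__main__":
    for menu, finding in audit(parse_dump(WEAK_DUMP)):
        print(f"{menu}: {finding}")
```

The first dump yields six findings, three of which come from settings that never appear in it, which is why the audit evaluates documented defaults as well as explicit lines.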


/cfg/sys/ssnmp/snmpv3/usm
User Security Model Configuration Menu
You can make use of a defined set of user identities using this Security Model. An SNMP
engine must have the knowledge of applicable attributes of a user.
This menu helps you create a user security model entry for an authorized user. You need to provide a security name to create the USM entry.
[SNMPv3 usmUser 1 Menu]
name    - Set USM user name
auth    - Set authentication protocol
authpw  - Set authentication password
priv    - Set privacy protocol
privpw  - Set privacy password
del     - Delete usmUser entry
cur     - Display current usmUser configuration

Table 6-12 User Security Model Configuration Menu Options (/cfg/sys/ssnmp/snmpv3/usm)
Command Syntax and Usage
name <32 character name>
This command allows you to configure a string up to 32 characters long that represents the name of
the user. This is the login name that you need in order to access the switch.
auth md5|sha|none
This command allows you to select the authentication protocol: HMAC-MD5-96 (md5) or
HMAC-SHA-96 (sha). The default algorithm is none.
authpw
If you selected an authentication algorithm using the above command, you need to provide a password, otherwise you will get an error message during validation. This command allows you to create or change your password for authentication.
priv des|none
This command allows you to configure the type of privacy protocol on your switch. The privacy
protocol protects messages from disclosure. The options are des (CBC-DES Symmetric Encryption Protocol) or none. If you specify des as the privacy protocol, make sure that you have also
selected one of the authentication protocols (HMAC-MD5-96 or HMAC-SHA-96). If the
authentication protocol is none, you will get an error message.
privpw
This command allows you to create or change the privacy password.

del
Deletes the USM user entries.
cur
Displays the USM user entries.

/cfg/sys/ssnmp/snmpv3/view
SNMPv3 View Configuration Menu
[SNMPv3 vacmViewTreeFamily 1 Menu]
name    - Set view name
tree    - Set MIB subtree(OID) which defines a family of view subtrees
mask    - Set view mask
type    - Set view type
del     - Delete vacmViewTreeFamily entry
cur     - Display current vacmViewTreeFamily configuration

Table 6-13 SNMPv3 View Menu Options (/cfg/sys/ssnmp/snmpv3/view)


Command Syntax and Usage
name <32 character name>
This command defines the name for a family of view subtrees up to a maximum of 32 characters.
tree <object identifier, such as 1.3.6.1.2.1.1.1.0, max 32 characters>
This command defines the MIB tree, a string of up to 32 characters, which when combined with
the corresponding mask defines a family of view subtrees.
mask <bitmask, max size 32 characters>
This command defines the bit mask, which in combination with the corresponding tree defines a
family of view subtrees.
type included|excluded
This command indicates whether the corresponding instances of vacmViewTreeFamilySubtree and vacmViewTreeFamilyMask define a family of view subtrees, which is included
in or excluded from the MIB view.
del
Deletes the vacmViewTreeFamily group entry.
cur
Displays the current vacmViewTreeFamily configuration.


/cfg/sys/ssnmp/snmpv3/access
View-based Access Control Model Configuration Menu
The view-based Access Control Model defines a set of services that an application can use for
checking the access rights of the user. Access control is needed when the user has to process
an SNMP retrieval or modification request from an SNMP entity.
[SNMPv3 vacmAccess 1 Menu]
name    - Set group name
prefix  - Set content prefix
model   - Set security model
level   - Set minimum level of security
match   - Set prefix only or exact match
rview   - Set read view index
wview   - Set write view index
nview   - Set notify view index
del     - Delete vacmAccess entry
cur     - Display current vacmAccess configuration

Table 6-14 View-based Access Control Model Menu Options (/cfg/sys/ssnmp/snmpv3/access)
Command Syntax and Usage
name <32 character name>
Defines the name of the group.
prefix <32 character name>
Defines the name of the context. An SNMP context is a collection of management information that
an SNMP entity can access. An SNMP entity has access to many contexts. For more information
on naming the management information, see RFC2571, the SNMP Architecture document. The
view-based Access Control Model defines a table that lists the locally available contexts by contextName.
model usm|snmpv1|snmpv2
Allows you to select the security model to be used.
level noAuthNoPriv|authNoPriv|authPriv
Defines the minimum level of security required to gain access rights. The level noAuthNoPriv
means that the SNMP message will be sent without authentication and without using a privacy protocol. The level authNoPriv means that the SNMP message will be sent with authentication but
without using a privacy protocol. The level authPriv means that the SNMP message will be sent both
with authentication and using a privacy protocol.

match exact|prefix
If the value is set to exact, all the rows whose contextName exactly matches the prefix are
selected. If the value is set to prefix, all the rows where the starting octets of the contextName exactly match the prefix are selected.
rview <32 character view name>
This is a 32 character long read view name that allows you read access to a particular MIB view. If
the value is empty or if there is no active MIB view having this value then no access is granted.
wview <32 character view name>
This is a 32 character long write view name that allows you write access to the MIB view. If the
value is empty or if there is no active MIB view having this value then no access is granted.
nview <32 character view name>
This is a 32 character long notify view name that allows you notify access to the MIB view.
del
Deletes the View-based Access Control entry.
cur
Displays the View-based Access Control configuration.


/cfg/sys/ssnmp/snmpv3/group
SNMPv3 Group Configuration Menu
[SNMPv3 vacmSecurityToGroup 1 Menu]
model   - Set security model
uname   - Set USM user name
gname   - Set group gname
del     - Delete vacmSecurityToGroup entry
cur     - Display current vacmSecurityToGroup configuration

Table 6-15 SNMPv3 Group Menu Options (/cfg/sys/ssnmp/snmpv3/group)


Command Syntax and Usage
model usm|snmpv1|snmpv2
Defines the security model.
uname <32 character name>
Sets the user name as defined in /cfg/sys/ssnmp/snmpv3/usm/name on page 278.
gname <32 character name>
The name for the access group as defined in /cfg/sys/ssnmp/snmpv3/access/name on
page 280.
del
Deletes the vacmSecurityToGroup entry.
cur
Displays the current vacmSecurityToGroup configuration.
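
The following Python example is added here and is not Nortel code. It resolves a request through the group, access, and view tables described above in the order RFC 3415 specifies: user to group, group to access entry, access entry to view name, then the OID against the view's tree and mask. The table contents, the colon-separated hex mask format, and the simplified tie-breaking between access entries are assumptions for illustration.

```python
from dataclasses import dataclass

LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}

@dataclass
class Group:            # one /cfg/sys/ssnmp/snmpv3/group entry
    model: str
    uname: str
    gname: str

@dataclass
class Access:           # one /cfg/sys/ssnmp/snmpv3/access entry
    name: str
    prefix: str
    model: str
    level: str          # minimum level required by this entry
    match: str          # "exact" or "prefix"
    rview: str = ""
    wview: str = ""
    nview: str = ""

@dataclass
class View:             # one /cfg/sys/ssnmp/snmpv3/view entry
    name: str
    tree: str
    mask: str           # hex octets such as "ff:a0" (assumed input format)
    type: str           # "included" or "excluded"

def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))

def family_matches(view, oid):
    """True if oid belongs to the family defined by the view's tree and mask."""
    subtree = parse_oid(view.tree)
    if len(oid) < len(subtree):
        return False
    mask = bytes.fromhex(view.mask.replace(":", ""))
    for i, sub_id in enumerate(subtree):
        # Bit i (most significant first) set: sub-identifier i must match.
        # Bit clear: wildcard. Bits beyond the mask length count as set.
        must_match = (mask[i // 8] >> (7 - i % 8)) & 1 if i // 8 < len(mask) else 1
        if must_match and oid[i] != sub_id:
            return False
    return True

def in_view(views, view_name, oid_text):
    oid = parse_oid(oid_text)
    hits = [v for v in views if v.name == view_name and family_matches(v, oid)]
    if not hits:
        return False
    # The longest matching subtree decides, so a narrow "excluded" entry
    # overrides a broad "included" one.
    best = max(hits, key=lambda v: (len(parse_oid(v.tree)), parse_oid(v.tree)))
    return best.type == "included"

def is_access_allowed(groups, accesses, views, model, uname, level, context, op, oid):
    """Return an RFC 3415 status name for one request."""
    gname = next((g.gname for g in groups
                  if g.model == model and g.uname == uname), None)
    if gname is None:
        return "noGroupName"
    def context_ok(a):
        if a.match == "exact":
            return context == a.prefix
        return context.startswith(a.prefix)
    candidates = [a for a in accesses
                  if a.name == gname and a.model == model and context_ok(a)
                  and LEVELS[level] >= LEVELS[a.level]]
    if not candidates:
        return "noAccessEntry"
    # Simplified preference: exact context match, longest prefix, highest level.
    best = max(candidates,
               key=lambda a: (a.match == "exact", len(a.prefix), LEVELS[a.level]))
    view_name = {"read": best.rview, "write": best.wview, "notify": best.nview}[op]
    if not view_name:
        return "noSuchView"
    return "accessAllowed" if in_view(views, view_name, oid) else "notInView"

# Constructed sample tables (not switch defaults).
GROUPS = [Group("usm", "monitor", "rogrp"), Group("usm", "netadmin", "rwgrp")]
ACCESSES = [
    Access("rogrp", "", "usm", "authNoPriv", "exact", rview="sysonly"),
    Access("rwgrp", "", "usm", "authPriv", "exact", rview="all", wview="all"),
]
VIEWS = [
    View("sysonly", "1.3.6.1.2.1.1", "", "included"),
    View("all", "1.3.6.1", "", "included"),
    View("all", "1.3.6.1.6.3.15", "", "excluded"),
    # Mask ff:a0 clears bit 9, so the column sub-identifier is a wildcard
    # and the view covers every column of interface row 2.
    View("ifrow2", "1.3.6.1.2.1.2.2.1.0.2", "ff:a0", "included"),
]

def check(uname, level, op, oid):
    return is_access_allowed(GROUPS, ACCESSES, VIEWS, "usm", uname, level, "", op, oid)
```

An empty wview leaves the read-only group without write access, and a request below the entry's minimum level never reaches the view check.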


/cfg/sys/ssnmp/snmpv3/comm
SNMPv3 Community Table Configuration Menu
This command is used for configuring the community table entry. The configured entry is
stored in the community table list in the SNMP engine. This table is used to configure community strings in the Local Configuration Datastore (LCD) of SNMP engine.
[SNMPv3 snmpCommunityTable 1 Menu]
index   - Set community index
name    - Set community string
uname   - Set USM user name
tag     - Set community tag
del     - Delete communityTable entry
cur     - Display current communityTable configuration

Table 6-16 SNMPv3 Community Table Configuration Menu Options (/cfg/sys/ssnmp/snmpv3/comm)
Command Syntax and Usage
index <32 character name>
Allows you to configure the unique index value of a row in this table consisting of 32 characters
maximum.
name <32 character name>
Defines the user name as defined in /cfg/sys/ssnmp/snmpv3/usm/name on page 278.
uname <32 character name>
Defines a readable 32 character long string that represents the corresponding value of an SNMP
community name in a security model.
tag <list of tag string, max 255 characters>
Allows you to configure a tag of up to 255 characters maximum. This tag specifies a set of transport endpoints to which a command responder application sends an SNMP trap.
del
Deletes the community table entry.
cur
Displays the community table configuration.


/cfg/sys/ssnmp/snmpv3/taddr
SNMPv3 Target Address Table Configuration Menu
This command is used to configure the target transport entry. The configured entry is stored in
the target address table list in the SNMP engine. This table of transport addresses is used in the
generation of SNMP messages.
[SNMPv3 snmpTargetAddrTable 1 Menu]
name    - Set target address name
addr    - Set target transport address IP
port    - Set target transport address port
taglist - Set tag list
pname   - Set targetParams name
del     - Delete targetAddrTable entry
cur     - Display current targetAddrTable configuration

Table 6-17 Target Address Table Menu Options (/cfg/sys/ssnmp/snmpv3/taddr)


Command Syntax and Usage
name <32 character name>
Allows you to configure the target address name, a locally arbitrary but unique identifier
associated with this entry.
addr <transport address ip>
Allows you to configure a transport address IP that can be used in the generation of SNMP traps.
port <transport address port>
Allows you to configure a transport address port that can be used in the generation of SNMP traps.
taglist <list of tag string, max 255 characters>
Allows you to configure a list of tags that are used to select target addresses for a particular operation.
pname <32 character name>
Defines the name as defined in /cfg/sys/ssnmp/snmpv3/tparam/name on page 285.
del
Deletes the Target Address Table entry.
cur
Displays the current Target Address Table configuration.


/cfg/sys/ssnmp/snmpv3/tparam
SNMPv3 Target Parameters Table Configuration Menu
You can configure the target parameters entry and store it in the target parameters table in the
SNMP engine. This table contains parameters that are used to generate a message. The parameters include the message processing model (for example: SNMPv3, SNMPv2c, SNMPv1), the
security model (for example: USM), the security name, and the security level (noAuthNoPriv, authNoPriv, or authPriv).
[SNMPv3 snmpTargetParamsTable 1 Menu]
name    - Set target params name
mpmodel - Set message processing model
model   - Set security model
uname   - Set USM user name
level   - Set minimum level of security
del     - Delete targetParamsTable entry
cur     - Display current targetParamsTable configuration

Table 6-18 Target Parameters Table Configuration Menu Options (/cfg/sys/ssnmp/snmpv3/tparam)
Command Syntax and Usage
name <32 character name>
Allows you to configure the locally arbitrary, but unique identifier that is associated with this
entry.
mpmodel snmpv3|snmpv1|snmpv2c
Allows you to configure the message processing model that is used to generate SNMP messages.
model usm|snmpv1|snmpv2
Allows you to select the security model to be used when generating the SNMP messages.
uname <32 character name>
Defines the name that identifies the user in the USM table (page 278) on whose behalf the SNMP
messages are generated using this entry.
level noAuthNoPriv|authNoPriv|authPriv
Allows you to select the level of security to be used when generating the SNMP messages using
this entry. The level noAuthNoPriv means that the SNMP message will be sent without authentication and without using a privacy protocol. The level authNoPriv means that the SNMP message will be sent with authentication but without using a privacy protocol. The level authPriv means
that the SNMP message will be sent both with authentication and using a privacy protocol.

del
Deletes the targetParamsTable entry.
cur
Displays the current targetParamsTable configuration.

/cfg/sys/ssnmp/snmpv3/notify
SNMPv3 Notify Table Configuration Menu
SNMPv3 uses a Notification Originator to send out traps. A notification application typically monitors a system for
particular events or conditions, and generates Notification-Class messages based on these events or conditions.
[SNMPv3 snmpNotifyTable 1 Menu]
name    - Set notify name
tag     - Set notify tag
del     - Delete notifyTable entry
cur     - Display current notifyTable configuration

Table 6-19 Notify Table Menu Options (/cfg/sys/ssnmp/snmpv3/notify)


Command Syntax and Usage
name <32 character name>
Defines a locally arbitrary but unique identifier associated with this SNMP notify entry.
tag <list of tag string, max 255 characters>
Allows you to configure a tag of 255 characters maximum that contains a tag value which is used
to select entries in the Target Address Table. Any entry in the snmpTargetAddrTable, that
matches the value of this tag, is selected.
del
Deletes the notify table entry.
cur
Displays the current notify table configuration.


/cfg/sys/health
System Health Check Configuration Menu
[System TCP Health Menu]
add     - Add TCP services to listen for health check
rem     - Remove TCP services from listening
on      - Turn system TCP health services ON
off     - Turn system TCP health services OFF
cur     - Display current TCP health services configuration

Table 6-20 System Health Check Configuration Menu Options (/cfg/sys/health)


Command Syntax and Usage
add <TCP port (2-65534)>
Adds TCP services to listen to the health checks. Specify a TCP service port number, such as 80
for HTTP.
rem <TCP port (2-65534)>
Removes TCP services that were added for listening to health checks. Specify a TCP service port
number, such as 80 for HTTP.
on
Turns on the TCP health check services.
off
Turns off the TCP health check services.
cur
Displays the current TCP health check services configuration.


/cfg/sys/access
System Access Control Configuration
[System Access Menu]
mgmt    - Management Network Access Menu
port    - Port Management Access Menu
user    - User Access Control Menu (passwords)
https   - HTTPS (Web) Server Access Menu
sshd    - SSH Server Menu
xml     - XML Configuration Access Menu
http    - Enable/disable HTTP (Web) server access
wport   - Set HTTP (Web) server port number
snmp    - Set SNMP access control
tnport  - Set Telnet server port number
rlimit  - Set max rate of ARP, ICMP, TCP, or UDP packets to MP
cur     - Display current system access configuration

Table 6-21 System Access Configuration Menu Options (/cfg/sys/access)


Command Syntax and Usage
mgmt
Displays the Management Configuration Menu. To view menu options, see page 289.
port
Displays the Port Management Access Menu. To view menu options, see page 291.
user
Displays the User Access Control Menu. To view menu options, see page 291.
https
Displays HTTPS Server Access Menu. To view menu options, see page 295.
http disable|enable
Enables or disables HTTP (Web) access to the browser-based interface. It is disabled by default.
wport <TCP port number (1-65535)>
Sets the switch port used for serving switch Web content. The default is HTTP port 80. If Global
Server Load Balancing is to be used, set this to a different port (such as 8080).
snmp disable|read-only|read-write
Sets the SNMP user access level to disabled, read-only, or read-write.
tnet
Enables or disables Telnet access to the switch. This command is disabled by default. You will see
this command only if you are connected to the switch through the console port.

tnport <TCP port number>
Sets the TCP port number on which the Telnet server listens for Telnet sessions. Use this optional
setting in cases where the server listens for Telnet sessions on a non-standard port.
rlimit <arp|icmp|tcp|udp> <max rate, 0-65535 (pkts/sec)>
Sets switch-wide rate limiting on traffic entering the switch over ARP, ICMP, TCP, or UDP protocols. Specify which protocol you wish to limit. Then specify the maximum rate, which is the maximum number of packets per second that is allowed to enter the switch.
cur
Displays the current configuration.

/cfg/sys/access/mgmt
Management Networks Menu
This menu is used to define IP address ranges which are allowed to access the switch
for management purposes. Nortel Application Switch Operating System 23.0 supports up to 10
management networks.
NOTE The add and rem commands below replace the /cfg/sys/mnet and /cfg/sys/mmask
commands found in earlier releases of Nortel Application Switch Operating System.
[Management Networks Menu]
add     - Add mgmt network definition
rem     - Remove mgmt network definition
cur     - Display current mgmt network definitions


Table 6-22 Management Network Menu Options (/cfg/sys/access/mgmt)


Command Syntax and Usage
add <mgmt network address> <mgmt network mask>
Adds a defined network through which switch access is allowed through Telnet, SNMP, RIP, or
the Nortel Application Switch Operating System browser-based interface. A range of IP addresses
is produced when used with a network mask address. Specify an IP address and mask address in
dotted-decimal notation.

NOTE If you configure the management network without including the
switch interfaces, it will cause the Firewall Load Balancing health checks
to fail and will create a Network Down state on the network.
rem <mgmt network address> <mgmt network mask>
Removes a defined network, which consists of a management network address and a management
network mask address.
cur
Displays the current configuration.
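
The following Python check is an added example and is not part of the switch software. It tests a planned set of management networks against the switch interface addresses and the administrator stations before the entries are applied, which catches the omission described in the NOTE above. All addresses are constructed, and the matching rule (source AND mask equals address AND mask) is an assumption about how the switch evaluates each entry.

```python
import ipaddress

MAX_MGMT_NETWORKS = 10  # limit stated in this reference

def to_int(dotted):
    """Convert a dotted-decimal IPv4 address or mask to an integer."""
    return int(ipaddress.IPv4Address(dotted))

def allowed(source_ip, mgmt_nets):
    """True if source_ip falls inside any (address, mask) pair.

    Assumption: an entry matches when (source AND mask) == (address AND mask).
    Behaviour with no entries defined is not covered by this check.
    """
    src = to_int(source_ip)
    return any((src & to_int(mask)) == (to_int(addr) & to_int(mask))
               for addr, mask in mgmt_nets)

def review(mgmt_nets, switch_interfaces, admin_stations):
    """Return a list of findings for a planned management network list."""
    findings = []
    if len(mgmt_nets) > MAX_MGMT_NETWORKS:
        findings.append(f"{len(mgmt_nets)} networks defined, limit is "
                        f"{MAX_MGMT_NETWORKS}")
    for addr, mask in mgmt_nets:
        m = to_int(mask)
        inverted = ~m & 0xFFFFFFFF
        # A contiguous mask inverts to 2**k - 1, so x & (x + 1) is zero.
        if inverted & (inverted + 1):
            findings.append(f"{addr} {mask}: mask is not contiguous")
        if m == 0:
            findings.append(f"{addr} {mask}: matches every source address")
    for ip in switch_interfaces:
        if not allowed(ip, mgmt_nets):
            findings.append(f"switch interface {ip} is outside the management "
                            "networks (health checks from it would be refused)")
    for ip in admin_stations:
        if not allowed(ip, mgmt_nets):
            findings.append(f"admin station {ip} would lose management access")
    return findings

# Constructed sample plan.
SAMPLE_NETS = [("10.20.0.0", "255.255.255.0"), ("192.0.2.16", "255.255.255.240")]
SAMPLE_INTERFACES = ["10.20.0.2", "172.16.5.1"]
SAMPLE_ADMINS = ["192.0.2.20", "192.0.2.40"]

if __name__ == "__main__":
    for finding in review(SAMPLE_NETS, SAMPLE_INTERFACES, SAMPLE_ADMINS):
        print(finding)
```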


/cfg/sys/access/port
Port Management Access Menu
[Port Management Access Menu]
add     - Add port with management access
aadd    - Add all ports with management access
rem     - Remove port from management access
arem    - Remove all ports from management access
cur     - Display current ports with management access

Table 6-23 Port Management Access Menu Options


Command Syntax and Usage
add <port_number>
Add a port with management access.
aadd
Add all ports with management access.
rem <port_number>
Remove a port from management access.
arem
Remove all ports from management access.
cur
Displays the port numbers that currently have management access.

/cfg/sys/access/user
User Access Control Menu
uid     - User ID Menu
usrpw   - Set user password (user)
sopw    - Set SLB operator password (slboper)
l4opw   - Set L4 operator password (l4oper)
opw     - Set operator password (oper)
sapw    - Set Slb administrator password (slbadmin)
l4apw   - Set L4 administrator password (l4admin)
admpw   - Set administrator password (admin)
cur     - Display current user status


NOTE Passwords can be a maximum of 15 characters.


Table 6-24 User Access Control Menu Options (/cfg/sys/access/user)
Command Syntax and Usage
uid <User ID, 1-10>
Displays the User ID Menu. To view menu options, see page 294.
usrpw
Sets the user (user) password. The user has no direct responsibility for switch management. He or
she can view switch status information and statistics, but cannot make any configuration changes.
sopw
Sets the SLB operator (slboper) password. The SLB operator manages Web servers and other
Internet services and their loads. He or she can view all switch information and statistics and can
enable/disable servers using the Server Load Balancing configuration menus.
Access includes user functions.
l4opw
Sets the Layer 4 operator (l4oper) password. The Layer 4 operator manages traffic on the lines
leading to the shared Internet services. He or she can view all switch information and statistics.
Access includes slboper functions.
opw
Sets the operator (oper) password. The operator password can have a maximum of 15 characters.
The operator manages all functions of the switch. He or she can view all switch information and
statistics and can reset ports or the entire switch.
Access includes l4oper functions.
sapw
Sets the SLB administrator (slbadmin) password. The SLB administrator configures and manages
Web servers and other Internet services and their loads. He or she can view all switch information
and statistics, but can configure changes only on the Server Load Balancing menus. Note that the
Filter Menu options are not accessible to the SLB administrator.
Access includes l4oper functions.
l4apw
Sets the Layer 4 administrator (l4admin) password. The Layer 4 administrator configures and
manages traffic on the lines leading to the shared Internet services. He or she can view all switch
information and statistics and can configure parameters on the Server Load Balancing menus, with
the exception of not being able to configure filters.
Access includes slbadmin functions.

admpw
Sets the administrator (admin) password. The super user administrator has complete access to all
menus, information, and configuration commands on the Nortel Application Switch, including the
ability to change both the user and administrator passwords.
Access includes oper and l4admin functions.
cur
Displays the current user status.


/cfg/sys/access/user/uid
System User ID Configuration Menu
This feature allows the users to operate the real servers assigned to them. Using this command
you can list the current status of the real server including the real server number, the real server
name, the operational state of the real server, and the number of current sessions. You can
enable or disable the real servers and change the password for accessing these real servers.
[User ID 1 Menu]
cos     - Set class of service
name    - Set user name
pswd    - Set user password
add     - Add real server
rem     - Remove real server
ena     - Enable user ID
dis     - Disable user ID
del     - Delete user ID
cur     - Display current user configuration

Table 6-25 User ID Configuration Menu Options (/cfg/sys/access/user/uid)


Command Syntax and Usage
cos <user|slboper|l4oper|oper|slbadmin|l4admin|admin>
Sets the Class-of-Service to define the user's authority level. Nortel Application Switch Operating
System defines these levels as: User, SLB Operator, Layer 4 Operator, Operator, SLB Administrator, and Administrator, with User being the most restricted level.
name <8 char max>
Defines the user name of maximum eight characters.
pswd <15 char max>
Sets the user password of up to 15 characters maximum.
add <real server number, 1-1023>
Assigns a real server access to this user.
rem <real server number, 1-1023>
Removes a real server access from this user.
ena
Enables the user ID.
dis
Disables the user ID.

del
Deletes the user ID.
cur
Displays the current user ID configuration.

/cfg/sys/access/https
HTTPS Access Configuration Menu
[https Menu]
https    - Enable/Disable HTTPS Web access
port     - HTTPS WebServer port number
generate - Generate self-signed HTTPS server certificate
certSave - save HTTPS certificate
cur      - Display current SSL Web Access configuration

Table 6-26 HTTPS Access Configuration Menu Options (/cfg/sys/access/https)


Command Syntax and Usage
https
Enables or disables BBI access (Web access) using HTTPS.
port <TCP port number>
Defines the HTTPS Web server port number.
generate
Allows you to generate a certificate for SSL connections, to be used during the key exchange. A
default certificate is created when HTTPS is enabled for the first time. The user can create a new
certificate, defining the information that they want to be used in the various fields. For example:
Country Name (2 letter code) [ ]: CA
State or Province Name (full name) []: Ontario
Locality Name (for example, city) []: Ottawa
Organization Name (for example, company) []: Nortel Networks
Organizational Unit Name (for example, section) []: Alteon
Common Name (for example, users name) []: Mr Smith
Email (for example, email address) []: info@nortelnetworks.com
You will be asked to confirm that you want to generate the certificate. It takes approximately 30
seconds to generate the certificate. The switch then restarts the SSL agent.

certSave
Allows the client, or the Web browser, to accept the certificate and save the certificate to Flash to
be used when the switch is rebooted.
cur
Displays the current SSL Web Access configuration.


/cfg/sys/access/sshd
SSH Server Menu
[SSH Server Menu]
sshport - Set SSH server port number
ena     - Enable SCP apply and save
on      - Turn SSH server ON (SSHv1/SSHv2)
cur     - Display current SSH server configuration

Table 6-27 SSH Server Menu Options


Command Syntax and Usage
sshport <TCP_port_number>
Set the server port number.
ena
Sets the SCP apply and save.
on
Set the SSH server to on.
cur
Display the current SSH server configuration.


/cfg/sys/access/xml
XML Configuration Access Menu
[XML Config Access Menu]
xml      - Enable/disable XML config access
port     - Set XML server port number
gtcert   - Import XML client certificate
delcert  - Delete XML client certificate
dispcert - Display XML client certificate
debug    - Debug XML operations
cur      - Display current XML config access configuration

Table 6-28 XML Configuration Menu Options


Command Syntax and Usage
xml
Enable or disable XML access. For an example, see page 299.
port <TCP_port_number>
Set the XML server port number.
gtcert
Import an XML client certificate.
Enter hostname or IP address of FTP/TFTP server:
Enter name of file on FTP/TFTP server:
Enter username for FTP server or hit return for TFTP server:
delcert
Delete XML client certificate.
Current XML client certificate has been deleted from FLASH
dispcert
Display the current XML certificate.
debug
Toggle Debug mode on or off. Enabling XML debugging causes all commands in the XML file to
be echoed to the Console and prefaces each one with running XML cmd: or Invalid XML cmd:. All
responses to the commands will also be output to the Console.
Current XML debug: enabled
Enter new XML debug [d/e]:
cur
Display current XML configuration.
XML config access currently disabled on TCP port 443
XML debug is enabled
Note: there are pending config changes; use "diff" to see them.


/cfg/sys/access/xml/xml
Example of enabling or disabling XML access
Current XML access: disabled
Pending new XML access: enabled
Enter new XML access [d/e]:


/cfg/sys/timezone
Configure the Timezone
>> Main# /cfg/sys/timezone
Please identify a location so that time zone rules can be set correctly.
Please select a continent or ocean.
1) Africa
2) Americas
3) Antarctica
4) Arctic Ocean
5) Asia
6) Atlantic Ocean
7) Australia
8) Europe
9) Indian Ocean
10) Pacific Ocean
11) None - disable timezone setting
Enter the number of your choice: 2
Please select a country.
 1) Anguilla              18) Ecuador               35) Paraguay
 2) Antigua & Barbuda     19) El Salvador           36) Peru
 3) Argentina             20) French Guiana         37) Puerto Rico
 4) Aruba                 21) Greenland             38) St Kitts & Nevis
 5) Bahamas               22) Grenada               39) St Lucia
 6) Barbados              23) Guadeloupe            40) St Pierre & Miquelon
 7) Belize                24) Guatemala             41) St Vincent
 8) Bolivia               25) Guyana                42) Suriname
 9) Brazil                26) Haiti                 43) Trinidad & Tobago
10) Canada                27) Honduras              44) Turks & Caicos Is
11) Cayman Islands        28) Jamaica               45) United States
12) Chile                 29) Martinique            46) Uruguay
13) Colombia              30) Mexico                47) Venezuela
14) Costa Rica            31) Montserrat            48) Virgin Islands (UK)
15) Cuba                  32) Netherlands Antilles  49) Virgin Islands (US)
16) Dominica              33) Nicaragua
17) Dominican Republic    34) Panama
Enter the number of your choice: 10


Please select one of the following time zone regions.


1) Newfoundland Island
2) Atlantic Time - Nova Scotia (most places), NB, W Labrador, E Quebec & PEI
3) Atlantic Time - E Labrador
4) Eastern Time - Ontario & Quebec - most locations
5) Eastern Time - Thunder Bay, Ontario
6) Eastern Standard Time - Pangnirtung, Nunavut
7) Eastern Standard Time - east Nunavut
8) Eastern Standard Time - central Nunavut
9) Central Time - Manitoba & west Ontario
10) Central Time - Rainy River & Fort Frances, Ontario
11) Central Time - west Nunavut
12) Central Standard Time - Saskatchewan - most locations
13) Central Standard Time - Saskatchewan - midwest
14) Mountain Time - Alberta, east British Columbia & west Saskatchewan
15) Mountain Time - central Northwest Territories
16) Mountain Time - west Northwest Territories
17) Mountain Standard Time - Dawson Creek & Fort Saint John, British Columbia
18) Pacific Time - west British Columbia
19) Pacific Time - south Yukon
20) Pacific Time - north Yukon
Enter the number of your choice: 2

/cfg/port <port number>


Port Configuration
The Port Menu enables you to configure settings for individual switch ports. This command is
enabled by default.
Port configuration is different on Nortel Application Switch Operating System 2000 series and 3000
series.


Nortel Application Switch Operating System 2000 Series


The following table displays the number of Fast Ethernet ports and SFP GBIC ports with the
numbering of the ports on Nortel Application Switch Operating System 2000 series:
Table 6-29 Port Configuration and Numbering on Nortel Application Switch Operating System 2000 Series

Model                                  10/100 Mbps Fast Ethernet    1000 Mbps SFP GBIC
                                       Port Numbers                 Port Numbers
Nortel Application Switch 2208 (1U)    1-8                          9-10
Nortel Application Switch 2216 (1U)    1-16                         17-18
Nortel Application Switch 2224 (1U)    1-24                         25-26
Nortel Application Switch 2424 (1U)    1-24                         25-28

Fast Ethernet Ports


The RJ-45 jack is used for connecting 10/100 Mbps Ethernet segments to the port. The ports
are auto-sensing, auto-negotiating, and support half or full-duplex operation.

SFP GBIC Ports


The LC jack is used for connecting Gigabit Ethernet fiber optic segments. The SFP modules
are not shipped with the product. You may order the SFP modules from Nortel Networks.
For more information on connectors, please refer to the Hardware Installation Guide for Nortel
Application Switch Operating System.

The commands on the Nortel Application Switch Operating System 2000 series and their descriptions
are as follows:
[Port <port_number> Menu]
     fast    - Fast Phy Menu
     gig     - Gig Phy Menu
     pvid    - Set default port VLAN id
     alias   - Set port alias
     name    - Set port name
     cont    - Set default port BW Contract
     nonip   - Set BW Contract for non-IP traffic
     egbw    - Set port egress bandwidth Limit
     rmon    - Enable/Disable RMON for port
     tag     - Enable/disable VLAN tagging for port
     iponly  - Enable/disable allowing only IP related frames at ingress
     ena     - Enable port
     dis     - Disable port
     cur     - Display current port configuration

Table 6-30 Port Configuration Menu Options (/cfg/port)


Command Syntax and Usage
fast
If a port is configured to support Fast Ethernet, this option displays the Fast Ethernet Physical Link
Menu. To view menu options, see page 313.
gig
If a port is configured to support Gigabit Ethernet, this option displays the Gigabit Ethernet Physical Link Menu. To view menu options, see page 313.
pvid <VLAN number, 1-4090>
Sets the default VLAN number which will be used to forward frames which are not VLAN tagged.
The default number is 1.
alias <15 characters string>
Sets an alias for the port number.
name <64 character string>|none
Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to none.
cont <BWM Contract (1-1024)>
Sets the default Bandwidth Management Contract for this port.
nonip <BW Contract number, 1-1024>
Sets the Bandwidth Management contract for non-IP traffic for this port.

egbw <0k-5000k|1m-100m>
Sets the egress bandwidth limit for the port to avoid overloading the receiving router or switch.
Using this command, you can configure the egress bandwidth limit of the port to match the
link bandwidth of the receiving router or switch. This means that the port's speed will be taken
as the egress bandwidth. For example, the egress bandwidth for an FE port will be 100m. The
default is 0.

NOTE You need a Bandwidth Management license to use this command.


rmon disable|enable
Disables or enables RMON for this port. It is disabled by default.
tag disable|enable
Disables or enables VLAN tagging for this port. It is disabled by default.
iponly disable|enable
Disables or enables allowing only IP-related frames. It is disabled by default.
ena
Enables the port.
dis
Disables the port. (To temporarily disable a port without changing its configuration attributes, refer
to Temporarily Disabling a Port on page 314.)
cur
Displays the current port parameters.

/cfg/port <port number> fast|gig


Port Link Configuration
[Fast Link Menu]
     speed   - Set link speed
     mode    - Set full or half duplex mode
     fctl    - Set flow control
     auto    - Set auto negotiation
     cur     - Display current fast link configuration

Use these menu options to set port parameters for the port link.

NOTE If the port does not have a Gig Ethernet physical link, the following message is displayed:
>> Port 1# gig
Current Port 1 does not have Gig Ethernet phy.

NOTE Since the speed and mode parameters cannot be set for Gigabit Ethernet ports, these
options do not appear on the Gigabit Link Menu.
Link menu options are described in Table 6-38 and appear on the fast and gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set
port parameters such as speed, flow control, and negotiation mode for the port link.
Table 6-31 Port Link Configuration Menu Options (/cfg/port/fast|gig)
Command Syntax and Usage
speed 10|100|any
Sets the link speed. Not all options are valid on all ports. The choices include:
Any for automatic detection (default)
10 Mbps
100 Mbps

This menu appears only if a Fast Ethernet port is selected.


mode full|half|any
Sets the operating mode. This command is available only in the Fast Link Menu. The choices
include:
Any for auto negotiation (default)
Full-duplex
Half-duplex

This menu appears only if a Fast Ethernet port is selected.

fctl rx|tx|both|none
Sets the flow control. This command is available only in the Fast Link Menu. The choices include:
Receive flow control
Transmit flow control
Both receive and transmit flow control (default)
No flow control

auto on|off
Enables or disables auto negotiation for the port.
cur
Displays the current port parameters.

Nortel Application Switch 3000 Series


The following table displays the port configuration and numbering on Nortel Application Switch
3408:
Table 6-32 Port configuration on Nortel Application Switch 3408

Model                                  10/100/1000Base-T      Dual-Mode       1000 Mbps SFP GBIC
                                       Copper Port Numbers    Port Numbers    Port Numbers
Nortel Application Switch 3408 (1U)    1, 2, 7, 8             3-6             9-12

Port Configuration on Nortel Application Switch 3408


The Nortel Application Switch 3408 contains 12 ports. Their description is as follows:

Four 1000BaseT ports (1, 2, 7, and 8) with RJ-45 connectors. The ports are autonegotiating and support half or full duplex operation.

Four dual-mode ports (3, 4, 5, and 6). These ports have two interfaces each: 1000 Mbps
SFP GBIC and 10/100/1000Base-T Copper. When the 1000 Mbps SFP GBIC port is
selected as the preferred link, it is fixed at 1000 Mbps, full-duplex with autonegotiation
turned on. When the 10/100/1000Base-T copper port is selected as the preferred link, it
can be configured at any speed. However, if 1000 Mbps is selected, autonegotiation must
be turned on. You can set either interface as the preferred or backup link. See Dual-Mode
Ports on page 311 for more details.

Four Small Form Pluggable (SFP) GBIC Fiber ports (9-12). These ports are designed to
operate at 1000 Mbps and full duplex mode only.

NOTE For more information on connectors, refer to the Nortel Application Switch Operating
System Hardware Installation Guide Part Number 315393-E.

Single-Mode ports
10/100/1000Base-T Copper Ports
When you select a single-mode copper port (1, 2, 7, or 8), you see the menu below:
[Port 1 Menu]
     fast    - Fast Phy Menu
     gig     - Gig Phy Menu
     pvid    - Set default port VLAN id
     alias   - Set port alias
     name    - Set port name
     cont    - Set default port BW Contract
     nonip   - Set BW Contract for non-IP traffic
     egbw    - Set port egress bandwidth Limit
     rmon    - Enable/Disable RMON for port
     tag     - Enable/disable VLAN tagging for port
     iponly  - Enable/disable allow IP related frames at ingress
     ena     - Enable port
     dis     - Disable port
     cur     - Display current port configuration

Table 6-33 Single-Mode Copper Port Configuration Menu Options (/cfg/port <1, 2, 7, or 8>)
Command Syntax and Usage
gig
If a port is configured to support Gigabit Ethernet, this option displays the Copper Gigabit Ethernet
Physical Link Menu. To view menu options, see page 308.
pvid <VLAN number (1-4090)>
Sets the default VLAN number which will be used to forward frames which are not VLAN tagged.
The default number is 1.
name <64 character string>|none
Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to None.
cont <BWM Contract (1-1024)>
Sets the default Bandwidth Management Contract for this port.
rmon disable|enable
Disables or enables RMON for this port. It is disabled by default.
tag disable|enable
Disables or enables VLAN tagging for this port. It is disabled by default.
iponly disable|enable
Disables or enables allowing only IP-related frames. It is disabled by default.

ena
Enables the port.
dis
Disables the port. (To temporarily disable a port without changing its configuration attributes, refer
to Temporarily Disabling a Port on page 314.)
cur
Displays the current port parameters.

/cfg/port <port number> gig


Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu
[GE Copper Link Menu]
     speed   - Set link speed
     mode    - Set duplex mode
     fctl    - Set flow control
     auto    - Set auto negotiate
     cur     - Display current ge copper link configuration

Use these menu options to set port parameters for the port link. Link menu options are
described in Table 6-38 and appear on the gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as speed, flow
control, and negotiation mode for the port link.
Table 6-34 Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu
Options (/cfg/port <1, 2, 7, or 8>/gig)
Command Syntax and Usage
speed 10|100|1000|any
Sets the link speed. Not all options are valid on all ports. The choices include:
Any for automatic detection (default)
10 Mbps
100 Mbps
1000 Mbps

mode full|half|any
Sets the operating mode. The choices include:
Any for auto negotiation (default)
Full-duplex
Half-duplex

fctl rx|tx|both|none
Sets the flow control. This command is available only in the Fast Link Menu. The choices include:
Receive flow control
Transmit flow control
Both receive and transmit flow control (default)
No flow control

auto on|off
Enables or disables autonegotiation for the port.
cur
Displays the current Gigabit Ethernet copper link port parameters.

1000 Mbps SFP GBIC Fiber SFP Ports


When you select a single-mode SFP fiber port (9-12), you see a slightly different menu,
shown below:
[Port 9 Menu]
     gig     - SFP Gig Phy Menu
     pvid    - Set default port VLAN id
     name    - Set port name
     cont    - Set default port BW Contract
     egbw    - Set port egress bandwidth Limit
     rmon    - Enable/Disable RMON for port
     tag     - Enable/disable VLAN tagging for port
     iponly  - Enable/disable allowing only IP related frames
     ena     - Enable port
     dis     - Disable port
     cur     - Display current port configuration

Table 6-35 Single-Mode SFP Gigabit Ethernet Port Configuration Menu Options
(/cfg/port <9-12>)
Command Syntax and Usage
gig
If a port is configured to support Gigabit Ethernet, this option displays the SFP Gigabit Ethernet
Physical Link Menu. To view menu options, see page 310.
pvid <VLAN number (1-4090)>
Sets the default VLAN number which will be used to forward frames which are not VLAN tagged.
The default number is 1.

name <64 character string>|none
Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to None.
cont <BWM Contract (1-1024)>
Sets the default Bandwidth Management Contract for this port.
rmon disable|enable
Disables or enables RMON for this port. It is disabled by default.
tag disable|enable
Disables or enables VLAN tagging for this port. It is disabled by default.
iponly disable|enable
Disables or enables allowing only IP-related frames. It is disabled by default.
ena
Enables the port.
dis
Disables the port. (To temporarily disable a port without changing its configuration attributes, refer
to Temporarily Disabling a Port on page 314.)
cur
Displays the current port parameters.

/cfg/port <port number> gig


Single-Mode SFP Gigabit Ethernet Port Link Configuration Menu
[GE SFP Link Menu]
     fctl    - Set flow control
     auto    - Set auto negotiate
     cur     - Display current SFP gig link configuration

Use these menu options to set port parameters for the port link.
Link menu options are described in Table 6-38 and appear on the gig port configuration
menus for the Nortel Application Switch. Using these configuration menus, you can set port
parameters such as flow control and negotiation mode for the port link.

Table 6-36 Single-Mode SFP Gigabit Ethernet Port Link Configuration Menu
Options (/cfg/port <9-12>/gig)
Command Syntax and Usage
fctl rx|tx|both|none
Sets the flow control. The choices include:
Receive flow control
Transmit flow control
Both receive and transmit flow control (default)
No flow control

auto on|off
Enables or disables autonegotiation for the port.
cur
Displays the current SFP Gigabit Ethernet link port parameters.

Dual-Mode Ports
When you select any one of the dual-mode ports (3-6), you see the menu below:
[Port 3 Menu]
     cop     - Copper Gig Phy Menu
     sfp     - SFP Gig Phy Menu
     pref    - Set preferred link
     back    - Set backup link
     pvid    - Set default port VLAN id
     name    - Set port name
     cont    - Set default port BW Contract
     rmon    - Enable/Disable RMON for port
     tag     - Enable/disable VLAN tagging for port
     iponly  - Enable/disable allowing only IP related frames
     ena     - Enable port
     dis     - Disable port
     cur     - Display current port configuration

Table 6-37 Dual-Mode Port Configuration Menu Options (/cfg/port <3-6>)


Command Syntax and Usage
cop
Displays Copper Gigabit Physical Link Menu. To view menu options, see page 313.
sfp
Displays SFP Gigabit Physical Link Menu. To view menu options, see page 314.

pref copper|sfp
Sets the port preference between copper or SFP mode. The selected port will be used as the preferred port if both the ports are available.
back copper|sfp|none
Sets the preference for the backup link if the preferred port is not available. You cannot set the preferred port as the backup port. If you choose none, the port will not switch automatically to the
backup port if the preferred port goes down.
pvid <VLAN number (1-4090)>
Sets the default VLAN number which will be used to forward frames which are not VLAN tagged.
The default number is 1.
name <64 character string>|none
Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to None.
cont <BWM Contract (1-1024)>
Sets the default Bandwidth Management Contract for this port.
rmon disable|enable
Disables or enables RMON for this port. It is disabled by default.
tag disable|enable
Disables or enables VLAN tagging for this port. It is disabled by default.
iponly disable|enable
Disables or enables allowing only IP-related frames. It is disabled by default.
ena
Enables the port.
dis
Disables the port. (To temporarily disable a port without changing its configuration attributes, refer
to Temporarily Disabling a Port on page 314.)
cur
Displays the current port parameters.

/cfg/port <port number (3-6)> cop


Dual-Mode Copper Port Link Configuration
[GE Copper Link Menu]
     speed   - Set link speed
     mode    - Set duplex mode
     fctl    - Set flow control
     auto    - Set auto negotiate
     cur     - Display current ge copper link configuration

Use these menu options to set port parameters for the port link.
Link menu options are described in Table 6-38 and appear on the cop port configuration
menus for the Nortel Application Switch. Using these configuration menus, you can set port
parameters such as speed, flow control, and negotiation mode for the port link.
Table 6-38 Dual-Mode Copper Port Link Configuration Menu Options (/cfg/port <3-6>/cop)
Command Syntax and Usage
speed 10|100|1000|any
Sets the link speed. Not all options are valid on all ports. The choices include:
Any for automatic detection (default)
10 Mbps
100 Mbps
1000 Mbps

mode full|half|any
Sets the operating mode. The choices include:
Any for autonegotiation (default)
Full-duplex
Half-duplex

fctl rx|tx|both|none
Sets the flow control. The choices include:
Receive flow control
Transmit flow control
Both receive and transmit flow control (default)
No flow control

auto on|off
Enables or disables auto negotiation for the port.
cur
Displays the current Gigabit Ethernet copper link port parameters.

/cfg/port <port number (3-6)> sfp


Dual-Mode SFP Gigabit Link Configuration Menu
[GE SFP Link Menu]
     fctl    - Set flow control
     cur     - Display current SFP gig link configuration

Table 6-39 Dual-Mode SFP Gigabit Link Configuration Menu Options (/cfg/port <3-6>/sfp)
Command Syntax and Usage
fctl rx|tx|both|none
Sets the flow control. The choices include:
Receive flow control
Transmit flow control
Both receive and transmit flow control (default)
No flow control

cur
Displays the current SFP Gigabit link port configuration.

Temporarily Disabling a Port


To temporarily disable a port without changing its stored configuration attributes, enter the following command at any prompt:
Main# /oper/port <port number>/dis

Because this configuration sets a temporary state for the port, you do not need to use apply or
save. The port state will revert to its original configuration when the Nortel Application Switch
is reset. See the Operations Menu on page 499 for other operations-level commands.

/cfg/pmirr
Port Mirroring Menu
[Port Mirroring Menu]
     mirror  - Enable/Disable Mirroring
     monport - Configure Monitor Port
     cur     - Display All Mirrored and Monitored Ports and VLANs

Port mirroring is disabled by default.


The Port Mirroring Menu is used to configure, enable, and disable the monitored port. When
enabled, network packets being sent and/or received on a target port are duplicated and sent to
a monitor port. By attaching a network analyzer to the monitor port, you can collect detailed
information about your network performance and usage.
Table 6-40 Port Mirroring menu options (/cfg/pmirr)
Command Syntax and Usage
mirror disable|enable
Enables or disables port mirroring.
monport <monitoring port (port to mirror to)>
Displays port-mirroring menu options that help configure the port. To view menu options, see
page 315.
cur
Displays the current settings of the mirrored and monitoring ports.

/cfg/pmirr monport
Port-Mirroring Menu
>> Port Mirroring# monport
Enter port (1-28): <port_number>
------------------------------------------------------------
[Port 1 Menu]
     add     - Add "Mirrored" port and VLANs
     rem     - Rem "Mirrored" port and VLANs
     cur     - Display current Port-based Port Mirroring configuration

Table 6-41 Port-Based Port-Mirroring Menu Options (/cfg/pmirr/monport)


Command Syntax and Usage
add <mirrored port (port to mirror from)> <direction (in, out, or both)> <vlan index or Carriage Return for all vlans>
Adds the port to be mirrored. This command also allows you to enter the direction of the traffic. It
is necessary to specify the direction because:
If the source port of the frame matches the mirrored port and the mirrored direction is ingress or
both (ingress and egress), the frame is sent to the monitoring port.
If the destination port of the frame matches the mirrored port and the mirrored direction is egress or
both, the frame is sent to the monitoring port.
VLAN-based port mirroring allows the user to monitor traffic based on VLANs associated with a
port. You can add specific VLAN(s) to be monitored even if there are multiple VLANs associated with that port. If you do not specify a VLAN, all traffic on that port will be mirrored.
rem <mirrored port (port to mirror from)> <vlan index or Carriage Return for all vlans>
Removes the mirrored port.
cur
Displays the current settings of the monitoring port. For example:
>> Port 1# cur
Monitoring port    (Mirrored port,direction,vlans)
1                  none
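
The direction and VLAN arguments of add decide which frames a network analyzer or sensor on the monitoring port actually receives. The following Python sketch is an added example, not code from this manual or from Nortel; the MirrorRule and Frame types, the function names and the sample frames are constructed for illustration, and it models matching frames as being copied to the monitoring port, as the Port Mirroring Menu description states.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

DIRECTIONS = ("in", "out", "both")  # direction values listed for the add command


@dataclass(frozen=True)
class MirrorRule:
    """One 'add' entry under a monitoring port (hypothetical model)."""
    mirrored_port: int                      # port to mirror from
    direction: str                          # in, out, or both
    vlans: Optional[FrozenSet[int]] = None  # None = all VLANs on the port

    def __post_init__(self):
        if self.direction not in DIRECTIONS:
            raise ValueError(f"direction must be one of {DIRECTIONS}")


@dataclass(frozen=True)
class Frame:
    """Constructed stand-in for a frame crossing the switch."""
    src_port: int  # switch port the frame arrived on
    dst_port: int  # switch port the frame leaves on
    vlan: int


def rule_matches(rule: MirrorRule, frame: Frame) -> bool:
    """Apply the two direction conditions plus the optional VLAN filter."""
    if rule.vlans is not None and frame.vlan not in rule.vlans:
        return False
    ingress = (frame.src_port == rule.mirrored_port
               and rule.direction in ("in", "both"))
    egress = (frame.dst_port == rule.mirrored_port
              and rule.direction in ("out", "both"))
    return ingress or egress


def copied_to_monitor(rules: Iterable[MirrorRule], frame: Frame) -> bool:
    """True if at least one rule sends a copy to the monitoring port."""
    return any(rule_matches(rule, frame) for rule in rules)


def blind_spots(rules: List[MirrorRule], frames: Iterable[Frame]) -> List[Frame]:
    """Frames that touch a mirrored port but never reach the analyzer."""
    watched = {rule.mirrored_port for rule in rules}
    return [f for f in frames
            if (f.src_port in watched or f.dst_port in watched)
            and not copied_to_monitor(rules, f)]


# Constructed configuration: port 2 mirrored inbound for VLAN 10 only,
# port 5 mirrored in both directions for all VLANs.
RULES = [MirrorRule(2, "in", frozenset({10})), MirrorRule(5, "both")]

# Constructed sample traffic.
FRAMES = [
    Frame(src_port=2, dst_port=7, vlan=10),  # ingress on 2, VLAN 10: copied
    Frame(src_port=7, dst_port=2, vlan=10),  # egress on 2, rule is "in": missed
    Frame(src_port=2, dst_port=7, vlan=20),  # VLAN 20 filtered out: missed
    Frame(src_port=5, dst_port=8, vlan=30),  # ingress on 5: copied
    Frame(src_port=8, dst_port=5, vlan=30),  # egress on 5: copied
    Frame(src_port=7, dst_port=8, vlan=10),  # touches no mirrored port
]

if __name__ == "__main__":
    for frame in FRAMES:
        state = "copied" if copied_to_monitor(RULES, frame) else "not copied"
        print(frame, state)
    print("blind spots:", blind_spots(RULES, FRAMES))
```

Running the audit against a planned mirror configuration shows which traffic on a watched port the analyzer will not see, for example reply traffic when only the in direction is mirrored.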

/cfg/bwm
Bandwidth Management Configuration
Bandwidth Management (BWM) enables Web site managers to allocate a portion of the available bandwidth for specific users or applications. It allows companies to guarantee that critical
business traffic, such as e-commerce transactions, receives higher priority than non-critical
traffic. Traffic classification can be based on user or application information. BWM policies
can be configured to set lower and upper bounds on the bandwidth allocation.
NOTE BWM is a software key-enabled feature that requires users to purchase a license and a
key. In order to enable BWM, users need to enter the Bandwidth Management key using the
/oper/swkey command.
By default, BWM is turned off.
Refer to your Application Guide for more information.

[Bandwidth Management Menu]
     cont    - Contract Menu
     policy  - Policy Menu
     group   - Group Menu
     user    - Set SMTP server user name
     report  - Set IP address of Reporting server
     entries - Set number of entries in the BWM IP user table
     frequen - Set the frequency of BWM statistics in minutes
     email   - Enable/disable sending BWM statistics via email
     force   - Enable/disable enforce policies
     on      - Globally turn Bandwidth Management processing ON
     off     - Globally turn Bandwidth Management processing OFF
     cur     - Display current Bandwidth Management configuration

NOTE Up to 1024 bandwidth management contracts can be configured on the Nortel Application Switch Operating System.
Table 6-42 Bandwidth Management Menu Options (/cfg/bwm)
Command Syntax and Usage
cont <BW contract number (1-1024)>
Displays the Bandwidth Management Contract Menu. To manage bandwidth on a Nortel
Application Switch, you must create one or more bandwidth management contracts. The
switch uses these contracts to limit individual traffic flows. For further details, see the
Nortel Application Switch Operating System 23.0.2 Application Guide.
By default, this option is disabled. To view menu options, see page 319.
policy <BW policy number (1-512)>
Displays the Bandwidth Management Policy Menu. Bandwidth policies are bandwidth limitations
defined for any set of frames, specifying the guaranteed bandwidth rates. A bandwidth policy is
often based on a rate structure whereby a Web host could charge a
customer for bandwidth utilization. For further details, see the Nortel Application Switch
Operating System 23.0.2 Application Guide.
To view menu options, see page 322.
group <BW Group number (1-32)>
Displays the Bandwidth Management Group Menu. To view menu options, see page 323.
user <user name>
Sets the SMTP user name to whom the history statistics will be mailed. The default is set to None.
report <IP4 address> | <IP6 address>
Sets the IP address of the Reporting Server.

entries <64k|128k|256k|512k>
Sets the number of entries in the Bandwidth Management IP user table.
frequen <1-1440 minutes, 0 for default behavior>
Sets the frequency of Bandwidth Management email in minutes. The default is set to 0.
email disable|enable
Enables or disables sending BWM statistics using email. When this option is disabled, these statistics
are sent using a socket mechanism.
force disable|enable
Enables or disables the enforcement of bandwidth policy on the traffic. When disabled, the reordering of the packets does not occur. The packets will exit in the order they came in. This means
that no bandwidth limit is applied on the queues. By default, this option is enabled.
on
Globally enables Bandwidth Management on this switch.
off
Globally disables Bandwidth Management on this switch.
cur
Displays the current Bandwidth Management configuration.

/cfg/bwm/cont <contract number>


Bandwidth Management Contract Configuration
[BW Contract <1 to 1024> Menu]
     timepol - Time policy Menu
     name    - Set Contract name
     policy  - Set Contract Policy
     prec    - Set Contract Precedence
     iptype  - Set user (IP address) limiting type for this contract
     pmirr   - Set monitoring port for packet mirroring
     iplimit - Enable/disable user (IP address) limiting for this contract
     history - Enable/disable Saving Contract stats history
     wtos    - Enable/disable overwriting IP TOS for this Contract
     mononly - Enable/disable monitor-only mode for this Contract
     shaping - Enable/disable traffic shaping - disable is rate limiting
     wtcpwin - Enable/disable overwriting TCP Window for this Contract
     ena     - Enable BW Contract
     dis     - Disable BW Contract
     del     - Delete BW Contract
     cur     - Display current BW Contract configuration

Table 6-43 Bandwidth Management Policy Menu Options (/cfg/bwm/cont)


Command Syntax and Usage
timepol <BW Contract time policy number (1-2)>
Displays Time Policy Menu. To view menu options, see page 320.
name <31 character name>
Sets the name for this Bandwidth Management contract.
>> BW Contract 1# name
Current BW Contract name:
Enter new BW Contract name:
policy <Bandwidth policy number (1-512)>
Sets the policy number for this Bandwidth Management contract. The default policy number is 64.
prec <Bandwidth precedence value (1-255)>
Sets the precedence value for this Bandwidth Management contract. The default value is 1.
iptype <sip|dip>
Defines the IP type for this contract, whether the user (IP address) limiting is enforced by the
source IP address (SIP) or the destination IP address (DIP).
pmirr <port | none>
Defines a port to mirror contract packets to. Enter a valid port to enable this feature or none
to disable it. This command is available in maintenance mode only.

iplimit disable|enable
Enables or disables user (IP address) limiting for this contract. If enabled, each IP address is limited to the user limit configured in /cfg/bwm/policy on page 322.
history disable|enable
Disables or enables saving statistics for this contract on the server. By default, it is enabled.
wtos disable|enable
Disables or enables overwriting the IP Type of Service (TOS) for this contract. By default, it is disabled.
mononly disable|enable
Enables or disables monitor-only mode for this Contract. This command is used for design and
auditing purposes only. The statistics are generated but no shaping or limiting will apply to this
contract.
shaping disable|enable
Disables or enables shaping of the traffic for this contract. In this context, shaping means buffering
a packet and keeping it ready to be sent.
wtcpwin disable|enable
Enables or disables overwriting TCP Window for this Contract. By overwriting the default window size, the user can modify the TCP window size to a lower value so that when the packet
arrives carrying the bytes within that window size, the receiver of that packet does not have to wait
for acknowledgement. This may help reduce the traffic congestion.
Do not set the value to lower than 1500 bytes. For details, refer to the Application Guide.
ena
Enables this Bandwidth Management contract.
dis
Disables this Bandwidth Management contract.
del
Removes this contract from the switch.
cur
Displays the current Bandwidth Management contract configuration.

/cfg/bwm/cont <contract number>/timepol <Contract time policy number>
BWM Contract Time Policy Configuration Menu

This feature enables the user to configure different policies based on the time of the day using
the following menu and commands:
[BW Contract 1 Time Policy 1 Menu]
     day     - Set Time Policy day
     from    - Set Time Policy from hour
     to      - Set Time Policy to hour
     policy  - Set Time Policy
     enable  - Enable Time Policy
     disable - Disable Time Policy
     delete  - Delete Time Policy
     cur     - Display current Time Policy configuration

Table 6-44 BWM Contract Time Policy Configuration Menu Options (/cfg/bwm/timepol)
Command Syntax and Usage
day <mon|tue|wed|thu|fri|sat|sun|weekday|weekend|everyday>
Defines the day(s) of the week, weekdays (Monday to Friday), weekend (Saturday and Sunday) or
everyday. The default is everyday.
from <1-12am/pm>
Defines the hour at which the time policy starts. If am or pm is not specified, the
switch will default to am for numbers lower than 12 and will default to pm for numbers 13 or
higher.
to <1-12am/pm>
Defines the hour at which the time policy ends. If am or pm is not specified, the switch will default to am for
numbers lower than 12 and will default to pm for numbers 13 or higher.
policy <BW Policy number, 1-512>
Defines the policy number for the contract.
enable
Enables the Time Policy command on the switch.
disable
Disables the Time Policy command on the switch.
delete
Deletes the current Time Policy.
cur
Displays the current Time Policy configuration on the switch. For example:
Time Policy 1:
Day everyday, From Hour 12am, To Hour 12am, Policy 512, disabled

/cfg/bwm/policy <policy number>


Bandwidth Management Policy Configuration
[Policy 1 Menu]
     hard    - Set hard Limit
     soft    - Set soft Limit
     resv    - Set Reservation Limit
     userlim - Set per user (IP address) Limit
     utos    - Set underlimit (soft limit) TOS
     otos    - Set overlimit (soft limit) TOS
     buffer  - Set Buffer Limit
     del     - Delete BW Policy
     cur     - Display current Policy configuration

Table 6-45 Bandwidth Management Policy Menu Options (/cfg/bwm/pol)


Command Syntax and Usage
hard <0k-5000k|1m-1000m>
Sets the hard bandwidth limit for this policy. This is the highest amount of bandwidth available to
this policy. The default value is 2000 kbps.
soft <0k-5000k|1m-1000m>
Sets the soft bandwidth limit for this policy. The default value is 1000 kbps.
resv <0k-5000k|1m-1000m>
Sets the reserve limit for this policy. This is the amount of bandwidth always available to this policy. The default value is 500Kbytes.
userlim <0k-5000k|1m-1000m>
Sets the bandwidth limit for each IP address in the contract traffic.
utos <BW Policy TOS (0-255)>
Sets the new utos (underlimit TOS) value to overwrite the original TOS value if the traffic for
this contract is under the soft limit. With this option set to the default value of 0, the switch will
not overwrite the TOS value.
otos <BW Policy TOS (0-255)>
Sets the new otos (over the limit TOS) value to overwrite the original TOS value if the traffic for
this contract is over the soft limit. With this option set to the default value of 0, the switch will
not overwrite the TOS value.
buffer <Maximum buffer space (bytes) (8192-128000)>
Sets the buffer limit for this policy. The default value is 8192 bytes.

del
Deletes the bandwidth management policy.
cur
Displays the current value of the bandwidth policy configuration.

/cfg/bwm/group
Bandwidth Management Group Configuration Menu
[BW Group 1 Menu]
add     - Add Contract to this group
rem     - Remove Contract from this group
del     - Delete BW Group
cur     - Display current BW Group configuration

Table 6-46 Bandwidth Management Group Menu Options (/cfg/bwm/group)


Command Syntax and Usage
add <BW Contract number, 1-1023 excluding default>
Adds a contract to this group.
rem <BW Contract number, 1-1023 excluding default>
Removes a contract from this group.
del
Deletes this Bandwidth Management group.
cur
Displays all current Bandwidth Management Group configurations.


/cfg/bwm/cur
Bandwidth Management Current Configuration
Current Bandwidth Management setting: ON
Policy Enforcement: enabled
SMTP server user name:
Contract  Name     Policy  Prec  Hist  TOS  State  Shaping
1         cont_1   1       1     E     E    E      E
2         cont_2   2       1     E     D    D      D
1024      Default  -       0     E     D    E      D
*Default contract gets all the BW that is available on
a port after the active contracts reserved BW is taken.

Policy  Hard  Soft  Resv  oTOS  uTOS  Buffer
1       25M   20M   500K  150   100   16320
2       10M   8M    500K  0     0     16320
3       2M    1M    500K  0     0     16320
4       2M    1M    500K  0     0     16320
5       2M    1M    500K  0     0     16320
6       2M    1M    500K  0     0     16320
7       2M    1M    500K  0     0     16320
8       2M    1M    500K  0     0     16320
9       2M    1M    500K  0     0     16320
10      2M    1M    500K  0     0     16320
11      2M    1M    500K  0     0     16320
12      2M    1M    500K  0     0     16320
13      2M    1M    500K  0     0     16320
14      2M    1M    500K  0     0     16320
15      2M    1M    500K  0     0     16320
16      2M    1M    500K  0     0     16320
17      2M    1M    500K  0     0     16320
18      2M    1M    500K  0     0     16320
19      2M    1M    500K  0     0     16320
20      2M    1M    500K  0     0     16320
21      2M    1M    500K  0     0     16320
22      2M    1M    500K  0     0     16320
23      2M    1M    500K  0     0     16320
24      2M    1M    500K  0     0     16320
25      2M    1M    500K  0     0     16320
26      2M    1M    500K  0     0     16320
27      2M    1M    500K  0     0     16320
28      2M    1M    500K  0     0     16320
29      2M    1M    500K  0     0     16320
30      2M    1M    500K  0     0     16320


/cfg/l2
Layer 2 Configuration Menu
[Layer 2 Menu]
mrst    - Multiple Spanning Tree/Rapid Spanning Tree Menu
stg     - Spanning Tree Menu
trunk   - Trunk Group Menu
lacp    - Link Aggregation Control Protocol Menu
vlan    - VLAN Menu
team    - Port Teaming Menu
ntmstg  - Enable/disable Nortel multiple STG mode
cur     - Display current layer 2 parameters

Table 6-47 Layer 2 Configuration Menu Options (/cfg/l2)


Command Syntax and Usage
mrst
Go to the Multiple/Rapid Spanning Tree menu. See page 326.
stg <group number [1-16]>
Displays Spanning Tree Group Menu. To view menu options, see page 329.
trunk <trunk group number>
Displays Trunk Group Menu. To view menu options, see page 333.
lacp
Displays Link Aggregation Control Protocol (LACP) Menu. To view menu options, see page 335.
vlan <VLAN number (1-4090)>
Displays VLAN Menu. To view menu options, see page 339.
team
Go to the port teaming menu. See page 341.
ntmstg disable|enable
Enables or disables Nortel Multiple Spanning Tree Group mode. When Nortel multiple STG mode
is enabled, the Nortel implementation of multiple STGs is followed. When Nortel multiple
STG mode is disabled, the Cisco implementation of multiple STGs is followed. A device with
ntmstg enabled will not work with a device configured for the Cisco implementation of Spanning
Tree BPDUs. The factory default for this command is Nortel multiple STG mode disabled.
You need to reset the switch with the command /boot/reset for the Spanning Tree Group
configuration to change to ntmstg enabled.
cur
Displays the current Layer 2 parameters.


/cfg/l2/mrst
Multiple Spanning Tree Menu
[Multiple Spanning Tree Menu]
cist    - Common and Internal Spanning Tree menu
name    - Set MST region name
version - Set Version of this MST region
maxhop  - Set Maximum Hop Count for MST (4 - 60)
mode    - Spanning Tree Mode
on      - Globally turn Multiple Spanning Tree (MSTP/RSTP) ON
off     - Globally turn Multiple Spanning Tree (MSTP/RSTP) OFF
cur     - Display current MST parameters

Table 6-48 Multiple Spanning Tree Menu Options


Command Syntax and Usage
cist
Go to the Common and Internal Spanning Tree menu. See page 327.
name <1-32 character region name>
Set the MST region name.
version <version number 1-65535>
Set the MST region version.
maxhop <max hops 4-60>
Set the maximum MST hop count.
mode mstp|rstp
Set the spanning tree mode.
on
Set the spanning tree on (Bridge MSTP/RSTP runs normally).
off
Set the spanning tree off (Bridge MSTP/RSTP does not run).
cur
Display the current MST parameters.


/cfg/l2/mrst/cist
Multiple Spanning Tree Menu
[Common Internal Spanning Tree Menu]
brg     - CIST Bridge parameter menu
port    - CIST Port parameter menu
default - Default Common Internal Spanning Tree and Member parms
cur     - Display current CIST parameters

Table 6-49 Multiple Spanning Tree CIST Bridge Menu Options


Command Syntax and Usage
brg
Go to the CIST Bridge parameter menu. See page 328.
port <port_number>
Set the port number.
default
Resets STG and Group member parameters to factory default.
cur
Displays current values of all objects settable from this menu.


/cfg/l2/mrst/cist/brg
CIST Bridge Menu
[CIST Bridge Menu]
prior   - Set CIST bridge Priority (0-65535)
mxage   - Set CIST bridge Max Age (6-40 secs)
fwd     - Set CIST bridge Forward Delay (4-30 secs)
cur     - Display current CIST bridge parameters

Table 6-50 Multiple Spanning Tree CIST Bridge Menu Options


Command Syntax and Usage
prior <new bridge Priority, 0-65535>
Set the bridge priority.
mxage <new bridge Max Age, 6-40 secs>
Set the CIST bridge maximum age.
fwd <new bridge Forward Delay, 4-30 secs>
Set the CIST bridge forward delay.
cur
Displays current values of all objects settable from the CIST bridge menu.

/cfg/l2/mrst/cist/brg cur
Current configuration for CIST Bridge
>> CIST Bridge# cur
------------------------------------------------------------------
Current Common Internal Spanning Tree settings:
Bridge params:  Priority  MaxAge  FwdDel
                32768     20      15

Table 6-51 CIST bridge configuration


Statistics  Description
Priority    The current CIST Bridge priority setting. Priority is a value between 0 and 65535.
MaxAge      The current CIST Bridge maximum aging setting. MaxAge is a value in seconds between 6 and 40.
FwdDel      The current CIST Bridge forwarding delay setting. FwdDel is a value in seconds between 4 and 30.


/cfg/l2/stg
Spanning Tree Group Configuration
When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the network
so that a switch uses only the most efficient path. STP detects and eliminates logical loops in a
bridged or switched network by forcing redundant data paths into a standby (blocked) state. If
the active path fails, Spanning Tree automatically sets up another active path on the network to
sustain network operations. Thus, STP is used to prevent loops in the network topology.
Nortel Application Switch Operating System supports the IEEE 802.1p Spanning Tree Protocol
(STP) and up to 16 instances of Spanning Trees, or Spanning Tree groups. Each VLAN can be
placed in only one Spanning Tree group per switch except for the default Spanning Tree group
(STG 1). The default Spanning Tree group (1) can have more than one VLAN. Each of the other
Spanning Tree groups (2-16) can have only one VLAN associated with it. Spanning Tree can be
enabled or disabled for each port. Multiple Spanning Trees can be enabled on tagged or untagged
ports. See your Application Guide for a detailed description of this feature and how to configure
Spanning Tree Groups on the switch.
This command is turned on by default.
[Spanning Tree Group 1 Menu]
brg     - Bridge parameter menu
port    - Port parameter menu
add     - Add VLAN(s) to Spanning Tree Group
remove  - Remove VLAN(s) from Spanning Tree Group
clear   - Remove all VLANs from Spanning Tree Group
on      - Globally turn Spanning Tree ON
off     - Globally turn Spanning Tree OFF
default - Default Spanning Tree and Member parameters
cur     - Display current bridge parameters


NOTE When VRRP is used for active/active redundancy, STP must be enabled.
Table 6-52 Spanning Tree Configuration Menu (/cfg/l2/stp)
Command Syntax and Usage
brg
Displays the Bridge Spanning Tree Menu. To view menu options, see page 331.
port <port number>
Displays the Spanning Tree Port Menu. To view menu options, see page 332.
add <VLAN numbers (1-4090)>
Associates a VLAN with a spanning tree and requires an external VLAN ID as a parameter.
remove <VLAN numbers, 1-4095 (802.1d & RSTP) / 2-4094 (MSTP)>
Breaks the association between a VLAN and a spanning tree and requires an external VLAN ID as
a parameter.
clear
Removes all VLANs from a spanning tree.
on
Globally enables Spanning Tree Protocol.
off
Globally disables Spanning Tree Protocol.
default
Resets STG and Group member parameters to factory default.
cur
Displays the current Spanning Tree Protocol parameters.


/cfg/l2/stg/brg
Bridge Spanning Tree Configuration
[Bridge Spanning Tree Menu]
prior   - Set bridge Priority [0-65535]
hello   - Set bridge Hello Time [1-10 secs]
mxage   - Set bridge Max Age (6-40 secs)
fwd     - Set bridge Forward Delay (4-30 secs)
aging   - Set bridge Aging Time (1-65535 secs, 0 to disable)
cur     - Display current bridge parameters

Spanning Tree bridge parameters affect the global STP operation of the switch. STP bridge
parameters include:

Bridge priority

Bridge hello time

Bridge maximum age

Forwarding delay

Bridge aging time


Table 6-53 Bridge Spanning Tree Menu Options (/cfg/l2/stp/brg)

Command Syntax and Usage


prior <new bridge priority (0-65535)>
Configures the bridge priority. The bridge priority parameter controls which bridge on the network
is the STP root bridge. To make this switch the root bridge, configure the bridge priority lower
than all other switches and bridges on your network. The lower the value, the higher the bridge priority. The range is 0 to 65535, and the default is 32768.
hello <new bridge hello time (1-10 secs)>
Configures the bridge hello time. The hello time specifies how often the root bridge transmits a
configuration bridge protocol data unit (BPDU). Any bridge that is not the root bridge uses the root
bridge hello value. The range is 1 to 10 seconds, and the default is 2 seconds.
mxage <new bridge max age (6-40 secs)>
Configures the bridge maximum age. The maximum age parameter specifies the maximum time
the bridge waits without receiving a configuration bridge protocol data unit before it reconfigures
the STP network. The range is 6 to 40 seconds, and the default is 20 seconds.
fwd <new bridge Forward Delay (4-30 secs)>
Configures the bridge forward delay parameter. The forward delay parameter specifies the amount
of time that a bridge port has to wait before it changes from the listening state to the learning state
and from the learning state to the forwarding state. The range is 4 to 30 seconds, and the default is
15 seconds.

aging <new bridge Aging Time (1-65535 secs, 0 to disable)>
Configures the forwarding database aging time. The aging time specifies the amount of time the
bridge waits without receiving a packet from a station before removing the station from the forwarding database. The range is 1 to 65535 seconds, and the default is 300 seconds. To disable
aging, set this parameter to 0.
cur
Displays the current bridge STP parameters.

When configuring STP bridge parameters, the following formulas must be used:

2*(fwd-1) > mxage

2*(hello+1) < mxage
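
The following check is an added example, not part of the Nortel manual: it validates bridge settings against the ranges listed in Table 6-53 and the two formulas above, and lists the mxage values that remain legal for a given hello and fwd. The function names are hypothetical and the sample input is constructed.

```python
# Added example: checks settings for the Bridge Spanning Tree menu against the
# ranges and the two timer formulas stated above. Function names are hypothetical.

# (low, high) ranges as listed for prior, hello, mxage and fwd.
RANGES = {"prior": (0, 65535), "hello": (1, 10), "mxage": (6, 40), "fwd": (4, 30)}
# Factory defaults as listed in the menu options.
DEFAULTS = {"prior": 32768, "hello": 2, "mxage": 20, "fwd": 15, "aging": 300}


def parse_commands(lines):
    """Turn menu input such as 'mxage 30' into a dict of integer settings."""
    settings = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 2 or parts[0] not in DEFAULTS:
            raise ValueError(f"not a bridge parameter command: {line!r}")
        settings[parts[0]] = int(parts[1])
    return settings


def validate_bridge(settings):
    """Return a list of problems; an empty list means the settings are consistent."""
    cfg = {**DEFAULTS, **settings}
    problems = []
    for name, (low, high) in RANGES.items():
        if not low <= cfg[name] <= high:
            problems.append(f"{name}={cfg[name]} is outside {low}-{high}")
    # aging accepts 1-65535 seconds, or 0 to disable aging.
    if not 0 <= cfg["aging"] <= 65535:
        problems.append(f"aging={cfg['aging']} is outside 0-65535")
    # The two formulas from the text, checked exactly as written there.
    if not 2 * (cfg["fwd"] - 1) > cfg["mxage"]:
        problems.append("2*(fwd-1) > mxage does not hold")
    if not 2 * (cfg["hello"] + 1) < cfg["mxage"]:
        problems.append("2*(hello+1) < mxage does not hold")
    return problems


def allowed_mxage(hello, fwd):
    """Every mxage value that satisfies both formulas and the 6-40 range."""
    low, high = RANGES["mxage"]
    return [m for m in range(low, high + 1)
            if 2 * (fwd - 1) > m and 2 * (hello + 1) < m]


if __name__ == "__main__":
    # Constructed input: raising mxage alone breaks the first formula.
    typed = ["hello 2", "mxage 30", "fwd 15"]
    print(validate_bridge(parse_commands(typed)))
    print(allowed_mxage(hello=2, fwd=15))
```

Settings that are omitted fall back to the factory defaults, so a single changed timer is checked against the values the switch would actually run with.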

/cfg/l2/stg <STG Group Index>/port <port #>


Spanning Tree Port Configuration
[Spanning Tree Port 1 Menu]
prior   - Set port Priority (0-255)
cost    - Set port Path Cost
link    - Set port link type (auto,p2p,or shared; default: auto)
edge    - Enable/disable edge port
on      - Turn port's Spanning Tree ON
off     - Turn port's Spanning Tree OFF
cur     - Display current port Spanning Tree parameters

Spanning Tree port parameters are used to modify STP operation on an individual port basis.
STP port parameters include:

Port priority

Port path cost

STP is turned on by default for the port.


Table 6-54 Spanning Tree Port Menu (/cfg/l2/stp/port)


Command Syntax and Usage
prior <new port Priority (0-255)>
Configures the port priority. The port priority helps determine which bridge port becomes the designated port. In a network topology that has multiple bridge ports connected to a single segment,
the port with the lowest port priority becomes the designated port for the segment. The range is 0
to 255, and the default is 128.
cost <new port Path Cost (1-65535, 0 for default)>
Configures the port path cost. The port path cost is used to help determine the designated port for a
segment. Generally speaking, the faster the port, the lower the path cost. The range is 1 to 65535.
The default is 10 for 100Mbps ports, and 1 for Gigabit ports. A value of 0 indicates that the default
cost will be computed for an auto negotiated link speed.
link auto|p2p|shared
Set port link type (auto, p2p, or shared; default: auto)
edge disable|enable
Enable/disable edge port
on
Enables STP on the port.
off
Disables STP on the port.
cur
Displays the current STP port parameters.

/cfg/l2/trunk <trunk group number>


Trunk Configuration
Trunk groups can provide super-bandwidth and multi-link connections between Nortel Application Switches or other trunk capable devices. A trunk group is a group of ports that act together,
combining their bandwidth to create a single, larger virtual link. When trunk groups are configured, you can view the state of each port in the various trunk groups. Up to 12 trunk groups can
be configured on the Nortel Application Switch, with the following restrictions:

Any physical switch port can belong to no more than one trunk group.
Up to eight ports/trunks can belong to the same trunk group.
Best performance is achieved when all ports in a trunk are configured for the same speed.


Trunking from non-Nortel devices must comply with Cisco EtherChannel technology.

By default, the trunk group is empty and disabled.


[Trunk group 1 Menu]
cont    - Set BW contract for this trunk group
add     - Add port to trunk group
rem     - Remove port from trunk group
ena     - Enable trunk group
dis     - Disable trunk group
del     - Delete trunk group
cur     - Display current Trunk Group configuration

Table 6-55 Trunk Configuration Menu Options (/cfg/l2/trunk)


Command Syntax and Usage
cont <BWM Contract (1-1024)>
Sets the default Bandwidth Management Contract for this trunk group. By default, the contract
number is 1024 for AD3 and 1024 for AD4.
add <port number>
Adds a physical port to the current trunk group.
rem <port number>
Removes a physical port from the current trunk group.
ena
Enables the current trunk group.
dis
Turns the current trunk group off.
del
Removes the current trunk group configuration.
cur
Displays the current trunk group parameters.


/cfg/l2/lacp
Link Aggregation Control Protocol Menu
Nortel Application Switch Operating System 23.0.2 supports the IEEE 802.3ad standard. At the
core of the 802.3ad standard is the Link Aggregation Control Protocol (LACP). This protocol
allows the user to group several physical ports into one logical port (LACP trunk group) with
any switch that supports the IEEE 802.3ad standard (LACP). You can configure trunk groups
manually (static trunks), or dynamically using the IEEE 802.3ad standard (LACP trunks). The
maximum number of configurable trunk groups is 40: 12 user configurable trunks and 28 LACP
trunks, depending upon the maximum number of ports in the switch. The maximum number of
active physical ports in any trunk group is eight and the number of standby ports is also eight.
The 802.3ad standard allows two or more standard Ethernet links to form a single Layer 2 link
using the Link Aggregation Control Protocol (LACP). Link aggregation is a method of grouping
physical link segments of the same media type and speed in full duplex, and treating them
as if they were part of a single, logical link segment. If a link in an LACP trunk group fails,
traffic is reassigned dynamically to the remaining links of the LACP trunk group or is assigned to
the standby LACP links.
NOTE Refer to IEEE 802.3ad-2000 for detailed information about the standard.
LACP automatically determines which member links can be aggregated and then aggregates
them. It provides for the controlled addition and removal of physical links for the link aggregation.
Each external port in the Nortel Application Switch Operating System can have one of the
following LACP modes.

off (default)
The user can configure this port to a regular static trunk group. When the system initializes, all ports are in off mode by default.

active
The port is capable of forming an LACP trunk. This port initiates negotiation with the
partner system port by sending LACPDU (Link Aggregation Control Protocol Data Unit)
packets.


passive
The port is capable of forming an LACP trunk. This port only responds to the negotiation
requests sent from an LACP active port.

Each LACP active or passive port needs an admin key, an operational key, and an aggregator
for LACP to start negotiation on these ports. You need to assign the same admin key to a group
of ports to make them aggregatable. The link can generate a Link Aggregation ID (LAG ID)
based on the operational key. All the aggregatable ports must have the same LAG ID. You can
form an active LACP trunk group with all the ports that have the same LAG ID.
Please refer to your Nortel Application Switch Operating System Application Guide for
detailed information on this protocol.
NOTE All ports are in LACP off mode by default.
Use the following commands to configure LACP on the Nortel Application Switch Operating
System.
[LACP Menu]
sysprio - Set LACP system priority
timeout - Set LACP system timeout scale for timing out partner info
port    - LACP port Menu
cur     - Display current LACP configuration

Table 6-56 Link Aggregation Control Protocol Menu Options (/cfg/l2/lacp)


Command Syntax and Usage
sysprio <1-65535>
Defines the priority value (1 through 65535) for the Nortel Application Switch Operating System. Lower numbers provide higher priority.
System priority is used when there are more than eight ports configured with the same admin key. The system priority, in conjunction with port priority, decides which eight ports should be
combined to form a trunk group between two switches. The rest of the ports stay in standby mode
to substitute for any failed ports.
The default value is 32768.
timeout <short|long>
Defines the timeout period before invalidating LACP data from a remote partner. You can choose
between short (3 seconds) or long (90 seconds) timeout periods. The default value is long.

port <port number>
Displays the LACP Port menu. To view menu options, see page 338.
cur
Displays the current LACP configuration.


/cfg/l2/lacp/port <port number>


LACP Port Configuration Menu
[LACP Port 1 Menu]
mode     - Set LACP mode
prio     - Set LACP port priority
adminkey - Set LACP port admin key
cur      - Display current LACP port configuration

Use the following commands to configure Link Aggregation Control Protocol (LACP) on a
selected port.
Table 6-57 Link Aggregation Control Protocol Port Configuration Menu Options (/cfg/l2/lacp/port #)
Command Syntax and Usage
mode <off for no LACP or active or passive>
off: Using this option, you can turn LACP off for this port. You can use this port to manually
configure a static trunk. All ports are in off mode by default.
active: Using this option, you can turn LACP on and set this port to active. Only active
ports initiate negotiation with the partner system port by sending the LACPDU packets.
passive: Using this option, you can turn LACP on and set this port to passive mode.
Passive ports do not initiate negotiation, but only respond to the negotiation requests from
active ports.
prio <1-65535>
Sets the priority value for the selected port. Lower numbers provide higher priority. The default
value is 128.
adminkey <1-65535>
Sets the admin key for this port. Only ports with the same admin key and oper key (operational
state generated internally) can form an LACP trunk group.
cur
Displays the current LACP configuration for this port.
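
The mode, admin key and priority rules in the LACP sections above can be worked through as follows. This is an added example, not code from the Nortel manual: the names are hypothetical, the topology is constructed, and the rule that the system with the numerically lower system priority chooses the eight active ports is taken from IEEE 802.3ad rather than from this page.

```python
# Added example: which links of a candidate trunk become active and which stay
# standby. Class and function names are hypothetical; the port numbers, admin
# keys and priorities below are constructed.
from typing import NamedTuple

MAX_ACTIVE = 8    # active physical ports per trunk group (from the text)
MAX_STANDBY = 8   # standby ports per trunk group (from the text)


class Port(NamedTuple):
    number: int
    mode: str        # "off", "active" or "passive"
    adminkey: int    # 1-65535
    prio: int = 128  # default port priority from the text


def negotiates(local, partner):
    """A link negotiates only if neither end is off and at least one is active."""
    modes = {local.mode, partner.mode}
    return "off" not in modes and "active" in modes


def select_links(links, local_sysprio=32768, partner_sysprio=32768):
    """Group negotiating links by admin-key pair and pick active/standby ports.

    links is a list of (local Port, partner Port) pairs. The result maps
    (local admin key, partner admin key) to lists of local port numbers.
    """
    # Assumption (IEEE 802.3ad behaviour, not stated on the page): the system
    # with the numerically lower priority value decides, using its own port
    # priorities and then its port numbers. A tie is given to the local system
    # here; the standard breaks it on the system MAC address.
    local_decides = local_sysprio <= partner_sysprio

    def rank(pair):
        decider = pair[0] if local_decides else pair[1]
        return (decider.prio, decider.number)

    groups = {}
    for local, partner in links:
        if negotiates(local, partner):
            key = (local.adminkey, partner.adminkey)
            groups.setdefault(key, []).append((local, partner))

    result = {}
    for key, members in groups.items():
        ordered = [local.number for local, _ in sorted(members, key=rank)]
        result[key] = {
            "active": ordered[:MAX_ACTIVE],
            "standby": ordered[MAX_ACTIVE:MAX_ACTIVE + MAX_STANDBY],
            "unused": ordered[MAX_ACTIVE + MAX_STANDBY:],
        }
    return result


def sample_links():
    """Constructed topology: ten parallel links plus two that never negotiate."""
    links = []
    for n in range(1, 11):
        prio = 64 if n in (9, 10) else 128   # ports 9 and 10 are preferred locally
        links.append((Port(n, "active", 100, prio), Port(n, "passive", 200)))
    links.append((Port(11, "passive", 100), Port(11, "passive", 200)))  # nobody initiates
    links.append((Port(12, "off", 100), Port(12, "active", 200)))       # local LACP is off
    return links


if __name__ == "__main__":
    print(select_links(sample_links(), local_sysprio=100))
    print(select_links(sample_links(), partner_sysprio=1))
```

With the local system deciding, its preferred ports 9 and 10 join the active set and ports 7 and 8 wait as standby; with the partner deciding, the local port priorities are ignored.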


/cfg/l2/vlan <VLAN number>


VLAN Configuration
VLANs are commonly used to split up groups of network users into manageable broadcast
domains, to create logical segmentation of workgroups, and to enforce security policies among
logical segments. The commands in this menu configure VLAN attributes, change the status of
the VLAN, delete the VLAN, and change the port membership of the VLAN. For more information on configuring VLANs, see Setup Part 3: VLANs on page 41.
By default, the VLAN menu option is disabled except VLAN 1, which is enabled all the time.
[VLAN 1 Menu]
name    - Set VLAN name
stg     - Assign VLAN to a Spanning Tree Group
cont    - Set BW contract
add     - Add port to VLAN
rem     - Remove port from VLAN
def     - Define VLAN as list of ports
jumbo   - Enable/disable Jumbo Frame support
learn   - Enable/disable smac learning
ena     - Enable VLAN
dis     - Disable VLAN
del     - Delete VLAN
cur     - Display current VLAN configuration

Table 6-58 VLAN Configuration Menu Options (/cfg/l2/vlan)


Command Syntax and Usage
name
Assigns a name to the VLAN or changes the existing name. The default VLAN name is the first
one.
stg <Spanning Tree Group index (1-16)>
Assigns a VLAN to a Spanning Tree Group.
cont <BW Contract number, (1-1024)>
Sets the Bandwidth Management contract for this VLAN. The default contract number is 1024 on
AD3 and AD4.
add <port number>
Adds port(s) or trunk group(s) to the VLAN membership.
rem <port number>
Removes port(s) or trunk group(s) from this VLAN.

def <list of port numbers>
Defines which ports are members of this VLAN. Every port must be a member of at least one
VLAN. By default, it defines ports between 1-28 for VLAN 1.
jumbo disable|enable
Enables or disables jumbo frame support on this VLAN. You need to reset the switch using the
/boot/reset command to enable jumbo frames on the switch.
learn disable|enable
Enables or disables source MAC address learning on this VLAN.
ena
Enables this VLAN.
dis
Disables this VLAN without removing it from the configuration.
del
Deletes this VLAN.
cur
Displays the current VLAN configuration.

NOTE All ports must belong to at least one VLAN. Any port which is removed from a
VLAN and which is not a member of any other VLAN is automatically added to default
VLAN #1. You cannot remove a port from VLAN #1 if the port has no membership in any
other VLAN.
Also, you cannot add a port to more than one VLAN unless the port has VLAN tagging turned
on (see the tag command on page 307).
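
The membership rules in this note matter for segmentation, because removing a port from its last VLAN places it in VLAN #1 without any further command. The model below is an added example, not code from the Nortel manual: it replays add and rem operations under exactly the rules stated in the note and records every port that fell back to VLAN 1. Class and function names are hypothetical, and the ports and VLAN numbers are constructed.

```python
# Added example: a model of the VLAN membership rules stated in the note above.
# Class and function names are hypothetical; ports and VLAN numbers are constructed.

DEFAULT_VLAN = 1


class VlanTable:
    def __init__(self, ports, tagged=()):
        self.members = {DEFAULT_VLAN: set(ports)}  # every port starts in VLAN 1
        self.tagged = set(tagged)                  # ports with VLAN tagging turned on
        self.fallbacks = []                        # (port, vlan) removals that landed in VLAN 1

    def vlans_of(self, port):
        """Sorted list of the VLANs the port currently belongs to."""
        return sorted(v for v, ports in self.members.items() if port in ports)

    def add(self, vlan, port):
        current = self.vlans_of(port)
        if vlan in current:
            return
        # A port may be in more than one VLAN only if tagging is turned on.
        if current and port not in self.tagged:
            raise ValueError(f"port {port} is untagged and already in VLAN {current[0]}")
        self.members.setdefault(vlan, set()).add(port)

    def rem(self, vlan, port):
        current = self.vlans_of(port)
        if vlan not in current:
            raise ValueError(f"port {port} is not a member of VLAN {vlan}")
        if current == [vlan]:
            # Last membership: VLAN 1 cannot be left, any other VLAN falls back to it.
            if vlan == DEFAULT_VLAN:
                raise ValueError(f"port {port} has no other VLAN; cannot leave VLAN 1")
            self.members[DEFAULT_VLAN].add(port)
            self.fallbacks.append((port, vlan))
        self.members[vlan].discard(port)


def replay(table, commands):
    """Apply (op, vlan, port) tuples; return the rejected ones with the reason."""
    rejected = []
    for op, vlan, port in commands:
        action = {"add": table.add, "rem": table.rem}[op]
        try:
            action(vlan, port)
        except ValueError as exc:
            rejected.append((op, vlan, port, str(exc)))
    return rejected


# Constructed change sequence: port 5 has tagging on, ports 6 and 7 do not.
SAMPLE_COMMANDS = [
    ("add", 10, 5), ("add", 20, 5),   # tagged port joins two more VLANs
    ("rem", 1, 5), ("rem", 10, 5),    # allowed: other memberships remain
    ("rem", 20, 5),                   # last membership: port 5 returns to VLAN 1
    ("add", 10, 6),                   # rejected: untagged port already in VLAN 1
    ("rem", 1, 7),                    # rejected: VLAN 1 is the only membership
]

if __name__ == "__main__":
    table = VlanTable(range(1, 29), tagged={5})
    for item in replay(table, SAMPLE_COMMANDS):
        print("rejected:", item)
    print("fell back to VLAN 1:", table.fallbacks)
```

Reviewing the fallbacks list after a planned change shows which ports would end up back in the default VLAN and therefore outside the segment they were meant to stay in.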


/cfg/l2/team <team number>


Port Team Configuration
Port teams are used to operationally link ports and interfaces together.
[Port team 1 Menu]
addport  - Add port to team
remport  - Remove port from team
addtrunk - Add trunk group to team
remtrunk - Remove trunk group from team
ena      - Enable port team
dis      - Disable port team
del      - Delete port team
cur      - Display current port team configuration

Table 6-59 outlines the commands in this menu.


Table 6-59 Port Team Configuration Menu
Command Syntax and Usage
addport <port number>
Adds the specified port to the current team.
remport <port number>
Removes the specified port from the current team.
addtrunk <trunk group number>
Adds a trunk group to the current team.
remtrunk <trunk group number>
Removes a trunk group from the current team.
ena
Enables the port team.
dis
Disables the port team.
del
Deletes the port team.
cur
Displays the current port team configuration.


/cfg/l3
Layer 3 Configuration Menu
[Layer 3 Menu]
if      - Interface Menu
gw      - Default Gateway Menu
route   - Static Route Menu
arp     - ARP Menu
frwd    - Forwarding Menu
nwf     - Network Filters Menu
rmap    - Route Map Menu
rip     - Routing Information Protocol Menu
ospf    - Open Shortest Path First (OSPF) Menu
bgp     - Border Gateway Protocol Menu
port    - IP Port Menu
dns     - Domain Name System Menu
bootp   - Bootstrap Protocol Relay Menu
vrrp    - Virtual Router Redundancy Protocol Menu
rtrid   - Set router ID
metrc   - Set default gateway metric
cur     - Display current IP configuration

Table 6-60 Layer 3 Configuration Menu Options (/cfg/l3)


Command Syntax and Usage
if <interface number (1-256)>
Displays the IP Interface Menu. To view menu options, see page 344.
gw <default gateway number (1-259)>
Displays the IP Default Gateway Menu. To view menu options, see page 346.
route
Displays the IP Static Route Menu. To view menu options, see page 348.
arp
Displays Address Resolution Protocol menu. To view menu options, see page 348.
frwd
Displays the IP Forwarding Menu. To view menu options, see page 350.
nwf <Network filter number (1-256)>
Displays the Network Filter Configuration Menu. To view menu options see page 352.
rmap <route map number (1-32)>
Displays the Route Map Menu. To view menu options see page 353.
rip
Displays the Routing Information Protocol Menu. To view menu options, see page 357.

ospf
Displays the OSPF Menu. To view menu options, see page 361.
bgp
Displays the Border Gateway Protocol Menu. To view menu options, see page 371.
port <port number>
Displays the IP Port Menu. To view menu options, see page 378.
dns
Displays the IP Domain Name System Menu. To view menu options, see page 379.
bootp
Displays the Bootstrap Protocol Menu. To view menu options, see page 380.
vrrp
Displays Virtual Router Redundancy Protocol Menu. To view menu options, see page 381.
rtrid <IP address (such as, 192.4.17.101)>
Defines the router ID.
metrc strict|roundrobin
Sets the default gateway metric for strict or roundrobin. The default gateway metric is
strict. For more information on gateway metrics, see page 396.
cur
Displays the current IP configuration.


/cfg/l3/if <interface number>


IP Interface Configuration
[IP Interface 1 Menu]
ip6nd   - IP6 Neighbor Discovery Menu
ipver   - Set IP version
addr    - Set IP address
mask    - Set subnet mask/prefix len
vlan    - Set VLAN number
relay   - Enable/disable BOOTP relay
ena     - Enable IP interface
dis     - Disable IP interface
del     - Delete IP interface
cur     - Display current interface configuration

The Nortel Application Switch can be configured with up to 256 IP interfaces. Each IP interface
represents the Nortel Application Switch on an IP subnet on your network. The Interface option is
disabled by default.
Table 6-61 IP Interface Menu Options (/cfg/l3/if)
Command Syntax and Usage
ip6nd
Opens the IPv6 Neighbor Discovery menu. This menu is used to enable or disable the sending of
IPv6 Router Advertisement packets from this interface. For more information on this topic, refer
to page 345.
ipver <IP version (v4 or v6)>
Set the IP version.
addr <IP address (such as 192.4.17.101 for IPv4 or 3001::abcd:5678 for IPv6)>
Configures the IP address of the switch interface using dotted decimal notation for IPv4 and colon
notation for IPv6.
mask <IP subnet mask for IPv4 or prefix length for IPv6 (such as 255.255.255.0 for IPv4 or 64 for IPv6)>
Configures the IP subnet address mask for the interface using dotted decimal notation for IPv4 or
prefix length for IPv6.
vlan <VLAN number (1-4090)>
Configures the VLAN number for this interface. Each interface can belong to one VLAN, though
any VLAN can have multiple IP interfaces in it.
relay disable|enable
Enables or disables the BOOTP relay on this interface. It is enabled by default.

ena
Enables this IP interface.
dis
Disables this IP interface.
del
Removes this IP interface.
cur
Displays the current interface settings.

/cfg/l3/if/ip6nd
IPv6 Neighbor Discovery Menu
[IP6 Neighbor Discovery Menu]
rtradv  - Enable/disable router advertisement

This menu is used to configure the sending of IPv6 Neighbor Discovery router advertisements
from this interface.
Table 6-62 IPv6 Neighbor Discovery Menu Options
Command Syntax and Usage
rtradv disable | enable
Enables or disables the sending of IPv6 Neighbor Discovery router advertisements from
this interface.


/cfg/l3/gw <gateway number>


Default IP Gateway Configuration
[Default gateway 1 Menu]
ipver - Set IP version
addr  - Set IP address
intr  - Set interval between ping attempts
retry - Set number of failed attempts to declare gateway DOWN
vlan  - Set VLAN number
prio  - Set priority of default gateway route
arp   - Enable/disable ARP only health checks
ena   - Enable default gateway
dis   - Disable default gateway
del   - Delete default gateway
cur   - Display current default gateway configuration

NOTE: The switch can be configured with up to 255 gateways. Gateways one to four are
reserved for default gateway load balancing. Gateways five to 259 are used for load-balancing
of VLAN-based gateways.
This option is disabled by default.
Table 6-63 Default Gateway Options (/cfg/l3/gw)
Command Syntax and Usage
ipver <IP version (v4 or v6)>
Set the IP version.
addr <default gateway address (such as, 192.4.17.44 for IPv4 or 3001::abcd:1234 for IPv6)>
Configures the IP address of the default IP gateway using dotted decimal notation for IPv4 and
colon notation for IPv6.
intr <0-60 seconds>
The switch pings the default gateway to verify that it's up. The intr option sets the time between
health checks. The range is from 1 to 120 seconds. The default is 2 seconds.
retry <number of attempts (1-120)>
Sets the number of failed health check attempts required before declaring this default gateway
inoperative. The range is from 1 to 120 attempts. The default is 8 attempts.
vlan <VLAN number (1-4090)>
Sets the VLAN to be assigned to this default IP gateway.

prio <high|low>
Allows you to change the priority of the default gateway route to either high or low, relative to
learned default routes. If you set the priority to high, then the default gateway route will always
be preferred over learned default routes (such as from OSPF, BGP, or RIP protocols). If you set the
priority to low, then learned default routes will always be preferred over the default gateway
route.

NOTE: By default, a learned default route has higher priority than the configured default
gateway route.
arp disable|enable
Enables or disables Address Resolution Protocol (ARP) health checks. This command is disabled
by default.
ena
Enables the gateway for use.
dis
Disables the gateway.
del
Deletes the gateway from the configuration.
cur
Displays the current gateway settings.

Default Gateway Metrics


For information about configuring which gateway is selected when multiple default gateways
are enabled, see page 396.


/cfg/l3/route
IP Static Route Configuration
[IP Static Route Menu]
add - Add static route
rem - Remove static route
cur - Display current static routes

Up to 128 static routes can be configured.


Table 6-64 IP Static Route Configuration Menu Options (/cfg/l3/route)
Command Syntax and Usage
add <destination> <mask> <gateway> [interface number]
Adds a static route. You will be prompted to enter a destination IP address, destination subnet
mask, and gateway address. Enter all addresses using dotted decimal notation. If a gateway address
is 0.0.0.0, the route becomes a black hole route, where any packet routed to this destination will be
dropped.
rem <destination> <mask>
Removes a static route. The destination address of the route to remove must be specified using dotted decimal notation.
cur
Displays the current IP static routes.

/cfg/l3/arp
ARP Configuration Menu
Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet
layer. ARP resolves a physical address from an IP address. ARP queries machines on the local
network for their physical addresses. ARP also maintains IP to physical address pairs in its
cache memory. In any IP communication, the ARP cache is consulted to see if the IP address of
the computer or the router is present in the ARP cache. Then the corresponding physical
address is used to send a packet.
[ARP Menu]
static - Static ARP Menu
rearp  - Set re-ARP period in minutes
cur    - Display current ARP configuration


Table 6-65 ARP Configuration Menu Options (/cfg/l3/arp)


Command Syntax and Usage
static
Displays Static ARP menu. To view options, see page 349.
rearp <2-120 minutes>
Defines re-ARP period in minutes. You can set this duration between two and 120 minutes.
cur
Displays the current ARP configurations.

/cfg/l3/arp/static
ARP Static Configuration Menu
Static ARP entries are permanent in the ARP cache and do not age out like the ARP entries that
are learnt dynamically. Static ARP entries enable the switch to reach the hosts without sending
an ARP broadcast request to the network. Static ARPs are also useful to communicate with
devices that do not respond to ARP requests. Static ARPs can also be configured on some gateways as a protection against malicious ARP cache corruption and possible DoS attacks.
NOTE: Nortel Application Switch Operating System 21.0 and above allows the static ARP
configuration to be retained over reboots. Nortel Application Switch Operating System 20.x
and below allow the user to configure the ARP information but that information cannot be
retained over a switch reboot.
[Static ARP Menu]
add - Add a permanent ARP entry
del - Delete an ARP entry
cur - Display current static ARP configuration

Table 6-66 ARP Static Configuration Menu Options (/cfg/l3/arp/static)


Command Syntax and Usage
add <IP address> <MAC address> <VLAN number> <port number>
Adds a permanent ARP entry.
del <IP address (such as, 192.4.17.101)>
Deletes a permanent ARP entry.
cur
Displays current static ARP configuration.


/cfg/l3/frwd
IP Forwarding Configuration Menu
[IP Forwarding Menu]
local - Local network definition for route caching menu
dirbr - Enable or disable forwarding directed broadcasts
on    - Globally turn IP Forwarding ON
off   - Globally turn IP Forwarding OFF
cur   - Display current IP Forwarding configuration

Table 6-67 IP Forwarding Configuration Menu Options (/cfg/l3/frwd)


Command Syntax and Usage
local
Displays the menu used to define local network for route caching. Up to five local networks (lnets)
can be configured. To view menu options, see page 350.
dirbr disable|enable
Enables or disables forwarding directed broadcasts. This command is disabled by default.
on
Enables IP forwarding (routing) on the Nortel Application Switch.
off
Disables IP forwarding (routing) on the Nortel Application Switch. Forwarding is turned on by
default.
cur
Displays the current IP forwarding settings.

/cfg/l3/frwd/local
Local Network Route Caching Definition
This menu is used for adding local networks by setting the local network address and netmask
for the route cache, and to remove local networks.
[IP Local Networks Menu]
add - Add local network definition
rem - Remove local network definition
cur - Display current local network definitions


Table 2 IP Local Networks Menu Options (/cfg/l3/frwd/local)


Command Syntax and Usage
add <local network address> <local network mask>
Adds a definition for a local network. For details, see Defining IP Address Ranges for the Local
Route Cache on page 351.
rem <local network address> <local network mask>
Removes a definition for a local network.
cur
Displays the current local network definitions.

Defining IP Address Ranges for the Local Route Cache


The Local Route Cache lets you use switch resources more efficiently, by reducing the size of
the ARP table on the Nortel Application Switch. The /cfg/l3/frwd/local/add parameters define a range of addresses that will be cached on the Nortel Application Switch. The local
network address is used to define the base IP address in the range which will be cached, and
the local network mask is the mask which is applied to produce the range. To determine if a
route should be added to the memory cache, the destination address is masked (bitwise AND)
with the local network mask and checked against the local network address.
By default, the local network address and mask are both set to 0.0.0.0. This produces a range
that includes all Internet addresses for route caching: 0.0.0.0 through 255.255.255.255.
Addresses to be cached are subnets that are directly connected and for which there is an interface configured on the Nortel Application Switch. To limit the route cache to your local hosts,
you could configure the parameters as shown in the examples in the following table.
Table 6-68 Local Routing Cache Address Ranges
Local Host Address Range       Address       Mask
0.0.0.0 - 127.255.255.255      0.0.0.0       128.0.0.0
128.0.0.0 - 255.255.255.255    128.0.0.0     128.0.0.0
205.32.0.0 - 205.32.255.255    205.32.0.0    255.255.0.0

NOTE: All addresses that fall outside the defined range are forwarded to the default gateway.
The default gateways must be within range.
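
The masking rule and the gateway requirement described above can be checked offline before entering /cfg/l3/frwd/local/add parameters. The following Python is an added example, not code from the Nortel documentation or the switch software; the function names are assumptions made for illustration, and the gateway addresses in the demo are constructed.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    """Dotted-decimal IPv4 string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def is_cached(dest, lnet_addr, lnet_mask):
    """The test the manual describes: (dest AND mask) == local network address."""
    return (to_int(dest) & to_int(lnet_mask)) == to_int(lnet_addr)


def cached_range(lnet_addr, lnet_mask):
    """Return (first, last) address matched by one <address> <mask> pair.

    Raises ValueError for pairs that cannot describe a single range:
    a mask with holes in it, or an address with bits set where the mask
    is zero (no destination can ever match such a pair).
    """
    addr, mask = to_int(lnet_addr), to_int(lnet_mask)
    host_bits = mask ^ ALL_ONES
    # A contiguous mask leaves host bits of the form 2**k - 1.
    if host_bits & (host_bits + 1):
        raise ValueError(f"mask {lnet_mask} is not contiguous")
    if addr & host_bits:
        raise ValueError(
            f"{lnet_addr} has bits outside mask {lnet_mask}; nothing matches")
    first = ipaddress.IPv4Address(addr)
    last = ipaddress.IPv4Address(addr | host_bits)
    return str(first), str(last)


def gateways_out_of_range(gateways, lnets):
    """Return the gateways that no local network definition covers."""
    return [gw for gw in gateways
            if not any(is_cached(gw, a, m) for a, m in lnets)]


if __name__ == "__main__":
    # The 0.0.0.0/0.0.0.0 default followed by the rows of Table 6-68.
    for addr, mask in [("0.0.0.0", "0.0.0.0"), ("0.0.0.0", "128.0.0.0"),
                       ("128.0.0.0", "128.0.0.0"), ("205.32.0.0", "255.255.0.0")]:
        print(addr, mask, "->", " - ".join(cached_range(addr, mask)))
    # Constructed gateway list: the second address is outside 205.32.0.0/255.255.0.0.
    print(gateways_out_of_range(["205.32.0.1", "192.4.17.44"],
                                [("205.32.0.0", "255.255.0.0")]))
```

A pair such as 205.32.1.0 with mask 255.255.0.0 is rejected by cached_range because the masked destination can never equal an address that has bits set outside the mask.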


/cfg/l3/nwf
Network Filter Configuration
[IP Network Filter 1 Menu]
addr    - IP Address
mask    - IP Subnet mask
enable  - Enable Network Filter
disable - Disable Network Filter
delete  - Delete Network Filter
cur     - Display current Network Filter configuration

Table 6-69 IP Network Filter Menu Options (/cfg/l3/nwf)


Command Syntax and Usage
addr <IP address (such as, 192.4.17.44)>
Sets the starting IP address for this filter. The default address is 0.0.0.0.
mask <IP4 subnet mask (such as, 255.255.255.0)> | <IP6 mask prefix len (eg, 64)>
Sets the IP subnet mask that is used with /cfg/l3/nwf/addr to define the range of IP
addresses that will be accepted by the peer when the filter is enabled. The default value is 0.0.0.0.
For Border Gateway Protocol (BGP), assign the network filter to a route map, then assign the route
map to the peer.
enable
Enables the Network Filter configuration.
disable
Disables the Network Filter configuration.
delete
Deletes the Network Filter configuration.
cur
Displays the current Network Filter configuration. For example:
Current Network Filter 1:
addr 0.0.0.0, mask 0.0.0.0, disabled


/cfg/l3/rmap <route map number>


Route Map Configuration Menu
Route maps control and modify routing information.
NOTE: The map number (1-32) represents the routing map you wish to configure.
[IP Route Map 1 Menu]
alist   - Access List number
aspath  - AS Filter Menu
ap      - Set as-path prepend of the matched route
lp      - Set local-preference of the matched route
metric  - Set metric of the matched route
type    - Set OSPF metric-type of the matched route
prec    - Set the precedence of this route map
weight  - Set weight of the matched route
enable  - Enable route map
disable - Disable route map
delete  - Delete route map
cur     - Display current route map configuration

Table 6-70 Routing Map Menu Options (/cfg/l3/rmap)


Command Syntax and Usage
alist <number (1-8)>
Displays the Access List menu. For more information, see page 355.
aspath <number (1-8)>
Displays the Autonomous System (AS) Filter menu. For more information, see page 356.
ap <AS number> [<AS number>] [<AS number>]|none
Sets the AS path preference of the matched route. One to three path preferences can be configured.
lp <(value 0-4294967294)>|none
Sets the local preference of the matched route, which affects both inbound and outbound directions. The path with the higher preference is preferred.
metric <(value 0-4294967294)>|none
Sets the metric of the matched route.

type <value (1|2)>|none
Assigns the type of OSPF metric. The default is type 1.
Type 1: External routes are calculated using both internal and external metrics.
Type 2: External routes are calculated using only the external metrics. Type 2 routes have more cost than Type 2.
none: Removes the OSPF metric.
prec <value (1-255)>
Sets the precedence of the route map. The smaller the value, the higher the precedence. Default
value is 10.
weight <value (0-65534)>|none
Sets the weight of the route map.
enable
Enables the route map.
disable
Disables the route map.
delete
Deletes the route map.
cur
Displays the current route configuration.


/cfg/l3/rmap <route map number>/alist <access list number>
IP Access List Configuration Menu
NOTE: The route map number (1-32) and the access list number (1-8) represent the IP access
list you wish to configure.
[IP Access List 1 Menu]
nwf     - Network Filter number
metric  - Metric
action  - Set Network Filter action
enable  - Enable Access List
disable - Disable Access List
delete  - Delete Access List
cur     - Display current Access List configuration

Table 6-71 IP Access List Menu Options (/cfg/l3/rmap/alist)


Command Syntax and Usage
nwf <network filter number (1-256)>
Sets the network filter number. See /cfg/l3/nwf on page 352 for details.
metric <(1-4294967294)>|none
Sets the metric value in the AS-External (ASE) LSA.
action permit|deny or p|d
Permits or denies action for the access list.
enable
Enables the access list.
disable
Disables the access list.
delete
Deletes the access list.
cur
Displays the current Access List configuration.


/cfg/l3/rmap <route map number>/aspath <autonomous system path>
Autonomous System Filter Path
NOTE: The rmap number (1-32) and the path number (1-8) represent the AS path you wish to
configure.
[AS Filter 1 Menu]
as      - AS number
action  - Set AS Filter action
enable  - Enable AS Filter
disable - Disable AS Filter
delete  - Delete AS Filter
cur     - Display current AS Filter configuration

Table 6-72 AS Filter Menu Options (/cfg/l3/rmap/aspath)


Command Syntax and Usage
as <AS number (1-65535)>
Sets the Autonomous System filter's path number.
action permit|deny or p|d
Permits or denies Autonomous System filter action.
enable
Enables the Autonomous System filter.
disable
Disables the Autonomous System filter.
delete
Deletes the Autonomous System filter.
cur
Displays the current Autonomous System filter configuration.


/cfg/l3/rip
Routing Information Protocol Configuration
The Routing Information Protocol (RIP) is an interior gateway protocol (IGP). RIP is one of a
class of algorithms known as distance vector algorithms. The distance or hop count is used as
the metric to determine the best path to a remote network or host where the hop count does not
exceed 15 hops assuming a cost of one for each network. RIP uses broadcast User Datagram
Protocol (UDP) data packets to exchange routing information.
RIP sends routing information updates every 30 seconds. This update contains known networks and the distances (hop count) associated with each one. For RIP1, no mask information
is exchanged; the natural mask is always applied by the router receiving the update. For RIP2,
mask information is sent. There are two timers associated with each route: a timeout
and garbage-collection timer. Upon expiration of the timeout timer, the route is no longer valid
but it is retained in the routing table for a short time so that neighbors can be notified that the
route has been dropped. Upon expiration of the garbage-collection timer, the route is finally
removed from the routing table. The timeout timer is set for 180 seconds and the garbage-collection timer is set for 120 seconds by default.
The menu below is used for globally configuring Routing Information Protocol parameters.
The Routing Information Protocol is turned off by default.
[Routing Information Protocol Menu]
if      - RIP Interface Menu
update  - Set update period in seconds
vip     - Enable/disable vip advertisement
statc   - Enable/disable static routes advertisement
on      - Globally turn RIP ON
off     - Globally turn RIP OFF
current - Display current RIP configuration

Table 6-73 Routing Information Protocol Menu (/cfg/l3/rip)


Command Syntax and Usage
if <Interface Number (1-256)>
Go to the RIP Interface menu. See page 359.
update <update period (1-120 seconds)>
Sets the RIP update period in seconds. It is set at 30 seconds by default.

vip disable|enable
Enables or disables the advertisement of virtual IP addresses as Host Routes. If a VIP route exists
in a routing table, it will always be advertised except when it is included in another network route
that is already being advertised.
Note: If all real servers behind a VIP go down, the route gets removed from the routing table, and
will not be advertised. If all the real servers are disabled using an operation command, the VIP route
does not get eliminated from the routing table, and the switch will continue to advertise the route.
statc disable|enable
Enables or disables the advertisement of static routes.
on
Globally turns RIP ON.
off
Globally turns RIP OFF.
cur
Displays the current RIP configuration.


/cfg/l3/rip/if
RIP Interface Menu
[RIP Interface 1 Menu]
version - Set RIP version
supply  - Enable/disable supplying route updates
listen  - Enable/disable listening to route updates
poison  - Enable/disable poisoned reverse
trigg   - Enable/disable triggered updates
mcast   - Enable/disable multicast updates
default - Set default route action
metric  - Set metric
auth    - Set authentication type
key     - Set authentication key
enable  - Enable interface
disable - Disable interface
current - Display current RIP interface configuration

Table 6-74 RIP Menu Options


Command Syntax and Usage
version 1|2|both
Set the RIP version. The default value is 2.
supply disable|enable
Enables or disables supplying route updates. When enabled, the switch supplies routes to other
routers. This is enabled by default.
listen disable|enable
When enabled, the switch stores routing information from other routers. The default is enabled.
poison disable|enable
When enabled, the switch uses split horizon with poisoned reverse. The default is disabled. When
disabled, the switch uses split horizon only.
mcast disable|enable
Enable or disable triggered updates. The default is enabled.
default none|listen|supply|both
Set the default route action. The default action is none.
metric <value [1-15]>
Set metric value for this RIP interface. The default value is 1.
auth none|password
Set the type of authentication. The default value is none.
key <key|none (to remove existing key value)>
Set the authentication key. The default value is none.

enable
Enable the interface.
disable
Disable the interface.
current
Displays current values of all objects settable from this menu.


/cfg/l3/ospf
Open Shortest Path First Configuration
Nortel Application Switch Operating System supports the Open Shortest Path First (OSPF)
routing protocol. The Nortel Application Switch Operating System implementation conforms
to the OSPF version 2 specifications detailed in Internet RFC 1583.
OSPF is designed for routing traffic within a single IP domain called an Autonomous System
(AS). The AS can be divided into smaller logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as
the central OSPF area. All other areas in the AS must be connected to the backbone. Areas
inject summary routing information into the backbone, which then distributes it to other areas
as needed. For more information on how to configure OSPF on the switch, refer to your Nortel
Application Switch Operating System Application Guide.
[Open Shortest Path First Menu]
aindex  - OSPF Area (index) Menu
range   - OSPF Summary Range Menu
if      - OSPF Interface Menu
virt    - OSPF Virtual Links Menu
md5key  - OSPF MD5 Key Menu
host    - OSPF Host Entry Menu
redist  - OSPF Route Redistribute Menu
lsdb    - Set the LSDB limit for external LSA
default - Export default route information
on      - Globally turn OSPF ON
off     - Globally turn OSPF OFF
cur     - Display current OSPF configuration

Table 6-75 OSPF Configuration Menu Options (/cfg/l3/ospf)


Command Syntax and Usage
aindex <area index (0-2)>
Displays the area index menu. This area index does not represent the actual OSPF area number.
See page 363 to view menu options.
range <range number (1-16)>
Displays summary routes menu for up to 16 IP addresses. See page 364 to view menu options.
if <interface number (1-255)>
Displays the OSPF interface configuration menu. See page 365 to view menu options.
virt <virtual link (1-3)>
Displays the Virtual Links menu used to configure OSPF for a Virtual Link. See page 367 to view
menu options.

md5key <key ID (1-255)>
Assigns a string to MD5 authentication key. See
host <host entry number (1-128)>
Displays the menu for configuring OSPF for the host routes. Up to 128 host routes can be configured. Host routes are used for advertising network device IP addresses to external networks to perform server load balancing within OSPF. It also makes Area Border Router (ABR) load sharing and
ABR failover possible. See page 369 to view menu options.
redist <fixed|static|rip|ebgp|ibgp>
Displays Route Distribution Menu. See page 370 to view menu options.
lsdb <LSDB limit (0-2000, 0 for no limit)>
Sets the link state database limit.
default <metric (1-16777215)> <metric-type 1|2>|none
Sets one default route among multiple choices in an area. Use none for no default.
on
Enables OSPF on the Nortel Application Switch.
off
Disables OSPF on the Nortel Application Switch.
cur
Displays the current OSPF configuration settings.


/cfg/l3/ospf/aindex
Area Index Configuration Menu
[OSPF Area (index) 1 Menu]
areaid  - Set area ID
type    - Set area type
metric  - Set stub area metric
auth    - Set authentication type
spf     - Set time interval between two SPF calculations
enable  - Enable area
disable - Disable area
delete  - Delete area
cur     - Display current OSPF area configuration

Table 6-76 Area Index Configuration Menu Options (/cfg/l3/ospf/aindex)


Command Syntax and Usage
areaid <IP address (such as, 192.4.17.101)>
Defines the IP address of the OSPF area number.
type transit|stub|nssa
Defines the type of area. For example, when a virtual link has to be established with the backbone,
the area type must be defined as transit.
Transit area: allows area summary information to be exchanged between routing devices. Any
area that is not a stub area or NSSA is considered to be transit area.
Stub area: is an area where external routing information is not distributed. Typically, a stub area is
connected to only one other area.
NSSA: Not-So-Stubby Area (NSSA) is similar to stub area with additional capabilities. For example, routes originating from within the NSSA can be propagated to adjacent transit and backbone
areas. External routes from outside the Autonomous System (AS) can be advertised within the
NSSA but are not distributed into other areas.
metric <metric value (1-65535)>
Configures a stub area to send a numeric metric value. All routes received via that stub area carry
the configured metric to potentially influence routing decisions.
Metric value assigns the priority for choosing the switch for default route. Metric type determines
the method for influencing routing decisions for external routes.
auth none|password|md5
None: No authentication required.
Password: Authenticates simple passwords so that only trusted routing devices can participate.
MD5: This parameter is used when MD5 cryptographic authentication is required.

spf <interval (0-255)>
Sets time interval between two successive SPF (shortest path first) calculations of the shortest path
tree using Dijkstra's algorithm.
enable
Enables the OSPF area.
disable
Disables the OSPF area.
delete
Deletes the OSPF area.
cur
Displays the current OSPF configuration.

/cfg/l3/ospf/range
OSPF Summary Range Configuration Menu
[OSPF Summary Range 1 Menu]
addr    - Set IP address
mask    - Set IP mask
aindex  - Set area index
hide    - Enable/disable hide range
enable  - Enable range
disable - Disable range
delete  - Delete range
cur     - Display current OSPF summary range configuration

Table 6-77 OSPF Summary Range Configuration Menu Options (/cfg/l3/ospf/range)


Command Syntax and Usage
addr <IP Address (such as, 192.4.17.101)>
Displays the base IP address for the range.
mask <IP address (such as, 192.4.17.101)>
Displays the IP address mask for the range.
aindex <area index [0-2]>
Displays the area index used by the Nortel Application Switch.

hide disable|enable
Hides the OSPF summary range.
enable
Enables the OSPF summary range.
disable
Disables the OSPF summary range.
delete
Deletes the OSPF summary range.
cur
Displays the current OSPF summary range.

/cfg/l3/ospf/if
OSPF Interface Configuration Menu
[OSPF Interface 1 Menu]
aindex  - Set area index
prio    - Set interface router priority
cost    - Set interface cost
hello   - Set hello interval in seconds
dead    - Set dead interval in seconds
trans   - Set transit delay in seconds
retra   - Set retransmit interval in seconds
key     - Set authentication key
mdkey   - Set MD5 key ID
enable  - Enable interface
disable - Disable interface
delete  - Delete interface
cur     - Display current OSPF interface configuration


Table 6-78 OSPF Interface Configuration Menu Options (/cfg/l3/ospf/if)


Command Syntax and Usage
aindex <area index (0-2)>
Displays the OSPF area index.
prio <priority value (0-255)>
Displays the assigned priority value to the Nortel Application Switch's OSPF interfaces.
(A priority value of 127 is the highest and 1 is the lowest. A priority value of 0 specifies that the
interface cannot be used as Designated Router (DR) or Backup Designated Router (BDR).)
cost <cost value (1-65535)>
Displays cost set for the selected path, preferred or backup. Usually the cost is inversely proportional to the bandwidth of the interface. Low cost indicates high bandwidth.
hello <value (1-65535)>
Displays the interval in seconds between the hello packets for the interfaces.
dead <value (1-65535)>
Displays the health parameters of a hello packet, which is set for an interval of seconds before
declaring a silent router to be down.
trans <value (0-3600)>
Displays the transit delay in seconds.
retra <value (0-3600)>
Displays the retransmit interval in seconds.
key <key>|none
Sets the authentication key to clear the password.
mdkey <key ID (1-255)>|none
Assigns an MD5 key to the interface.
enable
Enables OSPF interface.
disable
Disables OSPF interface.
delete
Deletes OSPF interface.
cur
Displays the current settings for OSPF interface.


/cfg/l3/ospf/virt
OSPF Virtual Link Configuration Menu
[OSPF Virtual Link 1 Menu]
aindex  - Set area index
hello   - Set hello interval in seconds
dead    - Set dead interval in seconds
trans   - Set transit delay in seconds
retra   - Set retransmit interval in seconds
nbr     - Set router ID of virtual neighbor
key     - Set authentication key
mdkey   - Set MD5 key ID
enable  - Enable interface
disable - Disable interface
delete  - Delete interface
cur     - Display current OSPF interface configuration

Table 6-79 OSPF Virtual Link Configuration Menu Options (/cfg/l3/ospf/virt)


Command Syntax and Usage
aindex <area index (0-2)>
Displays the OSPF area index.
hello <value (1-65535)>
Displays the authentication parameters of a hello packet, which is set to be in an interval of
seconds.
dead <value (1-65535)>
Displays the health parameters of a hello packet, which is set to be in an interval of seconds.
Default is 40 seconds.
trans <value (1-3600)>
Displays the delay in transit in seconds. Default is one second.
retra <value (1-3600)>
Displays the retransmit interval in seconds. Default is five seconds.
nbr <nbr router ID (IP address)>
Displays the router ID of the virtual neighbor. Default is 0.0.0.0.
key <key>|none
Displays the password (up to eight characters) for each virtual link. Default is none.
mdkey <key ID (1-255)>|none
Sets MD5 key ID for each virtual link. Default is none.

enable
Enables OSPF virtual link.
disable
Disables OSPF virtual link.
delete
Deletes OSPF virtual link.
cur
Displays the current OSPF virtual link settings.

/cfg/l3/ospf/md5key
OSPF MD5 Key Configuration Menu
[OSPF MD5 Key 1 Menu]
key    - Set authentication key
delete - Delete key
cur    - Display current MD5 key configuration

Table 6-80 OSPF MD5 Key Configuration Menu Options (/cfg/l3/ospf/md5key)


Command Syntax and Usage
key <key, up to 16 chars>
Sets the authentication key up to 16 characters for this OSPF packet.
delete
Deletes the authentication key for this OSPF packet.
cur
Displays the current MD5 key configuration.


/cfg/l3/ospf/host
OSPF Host Entry Configuration Menu
[OSPF Host Entry 1 Menu]
addr    - Set host entry IP address
aindex  - Set area index
cost    - Set cost of this host entry
enable  - Enable host entry
disable - Disable host entry
delete  - Delete host entry
cur     - Display current OSPF host entry configuration

Table 6-81 OSPF Host Entry Configuration Menu Options (/cfg/l3/ospf/host)


Command Syntax and Usage
addr <IP address (such as, 192.4.17.101)>
Displays the base IP address for the host entry.
aindex <area index [0-2]>
Displays the area index of the host.
cost <cost value [1-65535]>
Displays the cost value of the host.
enable
Enables OSPF host entry.
disable
Disables OSPF host entry.
delete
Deletes OSPF host entry.
cur
Displays the current OSPF host entries.


/cfg/l3/ospf/redist <fixed|static|rip|ebgp|ibgp>
OSPF Route Redistribution Configuration Menu
[OSPF Redistribute Fixed Menu]
add    - Add rmap into route redistribution list
rem    - Remove rmap from route redistribution list
export - Export all routes of this protocol
cur    - Display current route-maps added

Table 6-82 OSPF Route Redistribution Menu Options (/cfg/l3/ospf/redist)


Command Syntax and Usage
add (<route map (1-32)> <route map (1-32)>)|all
Adds selected routing maps to the rmap list. To add all the 32 route maps, enter all. To add specific route maps, enter routing map numbers one per line, NULL at the end.
This option adds a route map to the route redistribution list. The routes of the redistribution protocol matched by the route maps in the route redistribution list will be redistributed.
rem (<route map (1-32)> <route map (1-32)>) ... |all
Removes the route map from the route redistribution list.
Removes routing maps from the rmap list. To remove all 32 route maps, enter all. To remove
specific route maps, enter routing map numbers one per line, NULL at end.
export <metric (1-16777215)> <metric type (1|2)>|none
Exports the routes of this protocol as external OSPF AS-external LSAs in which the metric and
metric type are specified. To remove a previous configuration and stop exporting the routes of the
protocol, enter none.
cur
Displays the current route map settings.


/cfg/l3/bgp
Border Gateway Protocol Configuration
Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to
share routing information with each other and advertise information about the segments of the
IP address space they can access within their network with routers on external networks. BGP
allows you to decide what is the best route for a packet to take from your network to a destination on another network, rather than simply setting a default route from your border router(s)
to your upstream provider(s). You can configure BGP either within an autonomous system or
between different autonomous systems. When run within an autonomous system, it is called
internal BGP (iBGP). When run between different autonomous systems, it is called external
BGP (eBGP). BGP is defined in RFC 1771.
The BGP Menu enables you to configure the switch to receive routes and to advertise static
routes, fixed routes and virtual server IP addresses with other internal and external routers.
BGP is turned off by default.
[Border Gateway Protocol Menu]
peer    - Peer menu
aggr    - Aggregation menu
as      - Set Autonomous System (AS) number
maxpath - Set Max AS Path Length
pref    - Set Local Preference
on      - Globally turn BGP ON
off     - Globally turn BGP OFF
cur     - Display current BGP configuration

NOTE Fixed routes are subnet routes. There is one fixed route per IP interface.
Table 6-83 Border Gateway Protocol Menu (/cfg/l3/bgp)
Command Syntax and Usage
peer <peer number (1-16)>
Displays the menu used to configure each BGP peer. Each border router, within an autonomous
system, exchanges routing information with routers on other external networks. To view menu
options, see page 373.
aggr <aggregate number (1-16)>
Displays the Aggregation Menu. To view menu options, see page 377.

as <autonomous system number (1-65535)>
Sets Autonomous System Number for this autonomous system.
An autonomous system (AS) is the unit of router policy, either a single network or a group of networks that is controlled by a common network administrator on behalf of an administrative entity
(such as a university, a business enterprise, or a business division). An autonomous system is
assigned a globally unique number called an Autonomous System Number (ASN). An autonomous system shares routing information with other autonomous systems using the Border Gateway
Protocol (BGP).
maxpath <max AS path length (1-127)>
This command limits the maximum length of an accepted AS Path. The default value is 50. Paths
greater than this value will be ignored. The command is designed to protect the MP CPU, memory
resources and routing table from BGP-based attacks, BGP errors and probes designed to locate
BGP speaking devices that do not limit the maximum AS Path.
pref <preference (0-4294967294)>
Sets the local preference. The path with the higher value is preferred.

When multiple peers advertise the same route, use the route with the shortest AS path as
the preferred route if you are using eBGP, or use the local preference if you are using
iBGP.
on
Globally turns BGP on.
off
Globally turns BGP off.
cur
Displays the current BGP configuration.
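
The following Python sketch is an added illustration, not Nortel code. It models the maxpath limit and the route preference rule described in Table 6-83, so the effect of a chosen maxpath value can be checked against sample advertisements. The Advertisement record, the peer labels, the sample prefixes and AS numbers (documentation ranges) and the first-seen tie-break are assumptions made for the example.

```python
from dataclasses import dataclass

# Range and default of the maxpath command, from Table 6-83.
MAXPATH_MIN, MAXPATH_MAX, MAXPATH_DEFAULT = 1, 127, 50


@dataclass(frozen=True)
class Advertisement:
    """One received route (hypothetical record, not a switch data structure)."""
    prefix: str
    peer: str
    as_path: tuple       # AS numbers, nearest AS first
    local_pref: int = 0  # compared only for iBGP in this model


def path_accepted(adv, maxpath=MAXPATH_DEFAULT):
    """Paths longer than maxpath are ignored; a path of exactly maxpath is kept."""
    if not MAXPATH_MIN <= maxpath <= MAXPATH_MAX:
        raise ValueError(f"maxpath must be {MAXPATH_MIN}-{MAXPATH_MAX}")
    return len(adv.as_path) <= maxpath


def preferred(candidate, current, session):
    """eBGP: shortest AS path wins. iBGP: highest local preference wins."""
    if session == "ebgp":
        return len(candidate.as_path) < len(current.as_path)
    return candidate.local_pref > current.local_pref


def select_routes(advs, session, maxpath=MAXPATH_DEFAULT):
    """Return ({prefix: best Advertisement}, [ignored Advertisements])."""
    if session not in ("ebgp", "ibgp"):
        raise ValueError("session must be 'ebgp' or 'ibgp'")
    best, ignored = {}, []
    for adv in advs:
        if not path_accepted(adv, maxpath):
            ignored.append(adv)  # over-long path never becomes a candidate route
            continue
        current = best.get(adv.prefix)
        # Assumption: on a tie the first advertisement seen is kept.
        if current is None or preferred(adv, current, session):
            best[adv.prefix] = adv
    return best, ignored


# Constructed sample input: documentation prefixes and AS numbers.
SAMPLE = [
    Advertisement("192.0.2.0/24", "peer1", (64496, 64499), local_pref=100),
    Advertisement("192.0.2.0/24", "peer2", (64497, 64498, 64499), local_pref=200),
    # Constructed 60-hop path: longer than the default maxpath of 50.
    Advertisement("198.51.100.0/24", "peer2", (64497,) + (64500,) * 59),
    Advertisement("198.51.100.0/24", "peer1", (64496, 64501, 64502, 64500)),
]

if __name__ == "__main__":
    for session in ("ebgp", "ibgp"):
        best, ignored = select_routes(SAMPLE, session)
        for prefix, adv in sorted(best.items()):
            print(session, prefix, "via", adv.peer, "path length", len(adv.as_path))
        for adv in ignored:
            print(session, "ignored", adv.prefix, "from", adv.peer,
                  "path length", len(adv.as_path))
```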


/cfg/l3/bgp/peer <peer number>


BGP Peer Configuration Menu
[BGP Peer 1 Menu]
redist  - Redistribution menu
addr    - Set remote IP address
ras     - Set remote autonomous system number
hold    - Set hold time
alive   - Set keep alive time
advert  - Set min time between advertisements
retry   - Set connect retry interval
orig    - Set min time between route originations
ttl     - Set time-to-live of IP datagrams
addi    - Add rmap into in-rmap list
addo    - Add rmap into out-rmap list
remi    - Remove rmap from in-rmap list
remo    - Remove rmap from out-rmap list
enable  - Enable peer
disable - Disable peer
delete  - Delete peer
cur     - Display current peer configuration

This menu is used to configure BGP peers, which are border routers that exchange routing
information with routers on internal and external networks. The peer option is disabled by
default.
Table 6-84 BGP Peer Configuration Options (/cfg/l3/bgp/peer)
Command Syntax and Usage
redist
Displays BGP Redistribution Menu. To view the menu options, see page 375.
addr <IP address (such as, 192.4.17.101)>
Defines the IP address for the specified peer (border router), using dotted decimal notation. The
default address is 0.0.0.0.
ras <AS number (0-65535)>
Sets the remote autonomous system number for the specified peer.
hold <hold time (0, 3-65535)>
Sets the period of time, in seconds, that will elapse before the peer session is torn down because the
switch hasn't received a keep alive message from the peer. It is set at 90 seconds by default.
alive <keepalive time (0, 1-21845)>
Sets the keep-alive time for the specified peer in seconds. It is set at 0 by default.

advert <min adv time (1-65535)>
Sets time in seconds between advertisements.
retry <connect retry interval (1-65535)>
Sets connection retry interval in seconds.
orig <min orig time (1-65535)>
Sets the minimum time between route originations in seconds.
ttl <number of router hops (1-255)>
Time-to-live (TTL) is a value in an IP packet that tells a network router whether or not the packet
has been in the network too long and should be discarded. TTL specifies a certain time span in seconds that, when exhausted, would cause the packet to be discarded. The TTL is determined by the
number of router hops the packet is allowed before it must be discarded.
This command specifies the number of router hops that the IP packet can make. This value is used
to restrict the number of hops the advertisement makes. It is also used to support multi-hops,
which allow BGP peers to talk across a routed network. The default number is set at 1.
addi <route map ID (1-32)>
Adds route map into in-route map list.
addo <route map ID (1-32)>
Adds route map into out-route map list.
remi <route map ID (1-32)>
Removes route map from in-route map list.
remo <route map ID (1-32)>
Removes route map from out-route map list.
ena
Enables this peer configuration.
dis
Disables this peer configuration.
del
Deletes this peer configuration.
cur
Displays the current BGP peer configuration.


/cfg/l3/bgp/peer/redist
BGP Redistribution Configuration Menu
[Redistribution Menu]
metric  - Set default-metric of advertised routes
default - Set default route action
rip     - Enable/disable advertising RIP routes
ospf    - Enable/disable advertising OSPF routes
fixed   - Enable/disable advertising fixed routes
static  - Enable/disable advertising static routes
vip     - Enable/disable advertising VIP routes
cur     - Display current redistribution configuration

Table 6-85 BGP Redistribution Configuration Menu Options (/cfg/l3/bgp/peer/redist)
Command Syntax and Usage
metric <metric (1-4294967294)>|none
Sets default metric of advertised routes.
default none|import|originate|redistribute
Sets default route action.
Default routes can be configured as import, originate, redistribute, or none.
None: No routes are configured.
Import: Import these routes.
Originate: The switch sends a default route to peers even though it does not have any default
routes in its routing table.
Redistribute: Default routes are either configured through default gateway or learned through
other protocols and redistributed to peer. If the routes are learned from default gateway configuration, you have to enable static routes since the routes from default gateway are static routes. Similarly, if the routes are learned from a certain routing protocol, you have to enable that protocol in
this redistribute submenu.
rip disable|enable
Enables or disables advertising RIP routes.
ospf disable|enable
Enables or disables advertising OSPF routes.
fixed disable|enable
Enables or disables advertising fixed routes.
static disable|enable
Enables or disables advertising static routes.

vip disable|enable
Enables or disables advertising VIP routes.
cur
Displays the current redistribution configuration.


/cfg/l3/bgp/aggr <aggregate number>


BGP Aggregate Routing Configuration Menu
NOTE The aggregate number (1-16) represents the aggregation route you wish to configure.
[BGP Aggr 1 Menu]
addr    - Set aggregation IP address
mask    - Set aggregation network mask
enable  - Enable aggregation
disable - Disable aggregation
delete  - Delete aggregation
current - Display current aggregation configuration

This menu allows you to configure aggregate routing to condense the number of routes
between internal and external peer routers.
Table 6-86 BGP Aggregate Menu Options (/cfg/l3/ip/bgp/aggr)
Command Syntax and Usage
addr <IP address, such as 192.4.17.101>
Adds the IP address to the selected aggregate.
mask <IP subnet mask, such as 255.255.255.0>
Sets the IP mask for the selected aggregate.
enable
Enables the selected aggregate.
disable
Disables the selected aggregate.
delete
Deletes the selected aggregate.
current
Displays the current aggregate configuration.


/cfg/l3/port <port number>


IP Forwarding Port Configuration Menu
[IP Forwarding Port 1 Menu]
on  - Turn Forwarding ON
off - Turn Forwarding OFF
cur - Display current port configuration

The Layer 3 Port Menu allows you to turn IP forwarding on or off on a port-by-port basis. By
default, the port forwarding option is turned on.
Table 6-87 IP Forwarding Port Configuration Menu Options (/cfg/l3/port)
Command Syntax and Usage
on
Enables IP forwarding for the current port.
off
Disables IP forwarding for the current port.
cur
Displays the current IP forwarding settings.


/cfg/l3/dns
Domain Name System Configuration Menu
[Domain Name System Menu]
prima - Set IP address of primary DNS server
secon - Set IP address of secondary DNS server
dname - Set default domain name
cur   - Display current DNS configuration

The Domain Name System (DNS) Menu is used for defining the primary and secondary DNS
servers on your local network, and for setting the default domain name served by the switch
services. DNS parameters must be configured prior to using hostname parameters with the
ping, traceroute, and tftp commands.
Table 6-88 Domain Name System Menu Options (/cfg/l3/dns)
Command Syntax and Usage
prima <IP address (such as, 192.4.17.101)>
You will be prompted to set the IP address for your primary DNS server. Use dotted decimal notation.
secon <IP address (such as, 192.4.17.101)>
You will be prompted to set the IP address for your secondary DNS server. If the primary DNS
server fails, the configured secondary will be used instead. Enter the IP address using dotted decimal notation.
dname <dotted DNS notation>|none
Sets the default domain name used by the switch.
For example: mycompany.com
cur
Displays the current Domain Name System settings.


/cfg/l3/bootp
Bootstrap Protocol Relay Configuration Menu
[Bootstrap Protocol Relay Menu]
addr  - Set IP address of BOOTP server
addr2 - Set IP address of second BOOTP server
on    - Globally turn BOOTP relay ON
off   - Globally turn BOOTP relay OFF
cur   - Display current BOOTP relay configuration

The Bootstrap Protocol (BOOTP) Relay Menu is used to allow hosts to obtain their configurations from a Dynamic Host Configuration Protocol (DHCP) server. The BOOTP configuration
enables the switch to forward a client request for an IP address to two DHCP/BOOTP servers
with IP addresses that have been configured on the Nortel Application Switch.
BOOTP relay menu is turned off by default.
Table 6-89 Bootstrap Protocol Relay Configuration Menu Options (/cfg/l3/bootp)
Command Syntax and Usage
addr <IP address (such as, 192.4.17.101)>
Sets the IP address of the BOOTP server.
addr2 <IP address (such as, 192.4.17.101)>
Sets the IP address of the second BOOTP server.
on
Globally turns on BOOTP relay.
off
Globally turns off BOOTP relay.
cur
Displays the current BOOTP relay configuration.


/cfg/l3/vrrp
VRRP Configuration Menu
[Virtual Router Redundancy Protocol Menu]
vr      - VRRP Virtual Router Menu
vrgroup - VRRP Virtual Router Vrgroup Menu
group   - VRRP Virtual Router Group Menu
if      - VRRP Interface Menu
track   - VRRP Priority Tracking Menu
hotstan - Enable/disable hot-standby processing
on      - Globally turn VRRP ON
off     - Globally turn VRRP OFF
holdoff - Globally VRRP hold off time
cur     - Display current VRRP configuration

Virtual Router Redundancy Protocol (VRRP) support on Nortel Application Switch provides
redundancy between routers in a LAN. This is accomplished by configuring the same virtual
router IP address and ID number on each participating VRRP-capable routing device. One of
the virtual routers is then elected as the master, based on a number of priority criteria, and
assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address.
By default, VRRP is disabled. Nortel Application Switch Operating System has extended
VRRP to include virtual servers as well, allowing for full active/active redundancy between its
Layer 4 switches. For more information on VRRP, see the High Availability chapter in your
Nortel Application Switch Operating System 23.0.2 Application Guide.
Table 6-90 Virtual Router Redundancy Protocol Options (/cfg/l3/vrrp)
Command Syntax and Usage
vr <virtual router number (1-1024)>
Displays the VRRP Virtual Router Menu. This menu is used for configuring up to 1024 virtual
routers on this switch. To view menu options, see page 383.
vrgroup <virtual router vrgroup number (1-16)>
Displays VR Group Menu. To view menu options, see page 387.
group
Displays the VRRP virtual router group menu, used to combine all virtual routers together as one
logical entity. Group options must be configured when using two or more Nortel Application
Switches in a hot-standby failover configuration where only one switch is active at any given time.
To view menu options, see page 390.

if <interface number (1-255)>
Displays the VRRP Virtual Router Interface Menu. To view menu options, see page 394.
track
Displays the VRRP Tracking Menu. This menu is used for weighting the criteria used when modifying priority levels in the master router election process. To view menu options, see page 395.
hotstan disable|enable
Enables or disables hot standby processing, in which two or more switches provide redundancy for
each other. By default, this option is disabled.
on
Globally enables VRRP on this switch.
off
Globally disables VRRP on this switch.
holdoff <0-255 seconds>
Globally suspends VRRP operation for the specified interval.
cur
Displays the current VRRP parameters.


/cfg/l3/vrrp/vr <router number>


Virtual Router Configuration Menu
[VRRP Virtual Router 1 Menu]
track - Priority Tracking Menu
vrid  - Set virtual router ID
addr  - Set IP address
if    - Set interface number
prio  - Set renter priority
adver - Set advertisement interval
preem - Enable or disable preemption
share - Enable or disable sharing
ena   - Enable virtual router
dis   - Disable virtual router
del   - Delete virtual router
cur   - Display current VRRP virtual router configuration

This menu is used for configuring up to 256 virtual routers for this switch. A virtual router is
defined by its virtual router ID and an IP address. On each VRRP-capable routing device participating in redundancy for this virtual router, a virtual router will be configured to share the
same virtual router ID and IP address.
Virtual routers are disabled by default.
Table 6-91 VRRP Virtual Router Options (/cfg/l3/vrrp/vr)
Command Syntax and Usage
track
Displays the VRRP Priority Tracking Menu for this virtual router. Tracking is Nortel's proprietary
extension to VRRP, used for modifying the standard priority system used for electing the master
router. Tracking is not needed if sharing (share) is enabled. To view menu options, see page 385.
vrid <virtual router ID (1-1024)>
Defines the virtual router ID. This is used in conjunction with addr (below) to define a virtual
router on this switch. To create a pool of VRRP-enabled routing devices which can provide redundancy to each other, each participating VRRP device must be configured with the same virtual
router: one that shares the same vrid and addr combination.
The vrid for standard virtual routers (where the virtual router IP address is not the same as any
virtual server) can be any integer between 1 and 255. The default value is 1.
The vrid of virtual server routers where the virtual router IP address is the same as the virtual
server can be between 1 and 1024.
All vrid values must be unique within the VLAN to which the virtual router's IP interface
belongs.

addr <IP address (such as, 192.4.17.101)>
Defines the IP address for this virtual router using dotted decimal notation. This is used in conjunction with the vrid (above) to configure the same virtual router on each participating VRRP
device. The default address is 0.0.0.0.
if <interface number (1-256)>
Selects a switch IP interface (between 1 and 256). If the IP interface has the same IP address as the
addr option above, this switch is considered the owner of the defined virtual router. An owner
has a special priority of 255 (highest) and will always assume the role of master router, even if it
must preempt another virtual router which has assumed master routing authority. This preemption
occurs even if the preem option below is disabled. The default value is 1.
prio <priority (1-254)>
Defines the election priority bias for this virtual server. This can be any integer between 1 and 254.
The default value is 100.
During the master router election process, the routing device with the highest virtual router priority
number wins. If there is a tie, the device with the highest IP interface address wins. If this virtual
router's IP address (addr) is the same as the one used by the IP interface, the priority for this virtual router will automatically be set to 255 (highest).
When priority tracking is used (/cfg/l3/vrrp/track or /cfg/l3/vrrp/vr #/track),
this base priority value can be modified according to a number of performance and operational criteria.
adver <seconds (1-255)>
Defines the time interval between VRRP master advertisements. This can be any integer between 1
and 255 seconds. The default value is 1.
preem disable|enable
Enables or disables master preemption. When enabled, if this virtual router is in backup mode but
has a higher priority than the current master, this virtual router will preempt the lower priority master and assume control. Note that even when preem is disabled, this virtual router will always preempt any other master if this switch is the owner (the IP interface address and virtual router addr
are the same). By default, this option is enabled.
share disable|enable
Enables or disables virtual router sharing, a Nortel proprietary extension to VRRP. When
enabled, this switch will process any traffic addressed to this virtual router, even when in backup
mode. By default, this option is enabled.
ena
Enables this virtual router.
dis
Disables this virtual router.
del
Deletes this virtual router from the switch configuration.

cur
Displays the current configuration information for this virtual router.
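
The following Python sketch is an added illustration, not Nortel code. It models the master election rules stated in Table 6-91 (owner priority of 255, highest priority wins, ties broken by the highest IP interface address, and the preem option) so that a planned vrid/addr/prio layout can be checked for the failover behaviour it will produce. The VirtualRouter class, the switch labels, the up flag and the documentation-range addresses are assumptions made for the example, and only the base priority is modelled, not priority tracking.

```python
import ipaddress
from dataclasses import dataclass

OWNER_PRIORITY = 255  # special priority of the address owner (Table 6-91, "if")


@dataclass
class VirtualRouter:
    """One switch's view of a virtual router (hypothetical model)."""
    switch: str          # label for the switch, constructed for the example
    vrid: int
    addr: str            # virtual router IP address
    if_addr: str         # address of the IP interface selected with "if"
    prio: int = 100      # default base priority
    preem: bool = True   # preemption is enabled by default
    up: bool = True

    def __post_init__(self):
        if not 1 <= self.prio <= 254:
            raise ValueError("prio must be 1-254")

    @property
    def is_owner(self):
        # The switch owns the virtual router when its interface address equals addr.
        return ipaddress.ip_address(self.addr) == ipaddress.ip_address(self.if_addr)

    @property
    def effective_prio(self):
        return OWNER_PRIORITY if self.is_owner else self.prio

    def rank(self):
        # Highest priority wins; a tie goes to the highest IP interface address.
        return (self.effective_prio, int(ipaddress.ip_address(self.if_addr)))


def elect(members, current_master=None):
    """Return the member that holds master authority after one election round."""
    if len({(m.vrid, ipaddress.ip_address(m.addr)) for m in members}) > 1:
        raise ValueError("all members must share the same vrid and addr")
    alive = [m for m in members if m.up]
    if not alive:
        return None
    if current_master is None or not current_master.up:
        return max(alive, key=VirtualRouter.rank)
    # A backup takes over only if it is the owner, or if preem is enabled and
    # its priority is strictly higher than the current master's.
    challengers = [
        m for m in alive
        if m is not current_master
        and (m.is_owner
             or (m.preem and m.effective_prio > current_master.effective_prio))
    ]
    return max(challengers, key=VirtualRouter.rank) if challengers else current_master


def failover_scenario():
    """Constructed scenario; returns the master after each event."""
    a = VirtualRouter("sw-a", 1, "192.0.2.1", "192.0.2.2")
    b = VirtualRouter("sw-b", 1, "192.0.2.1", "192.0.2.3")
    c = VirtualRouter("sw-c", 1, "192.0.2.1", "192.0.2.4", prio=120, preem=False)
    pool, timeline = [a, b, c], []
    master = elect(pool)                 # initial election: highest priority
    timeline.append(master.switch)
    c.up = False
    master = elect(pool, master)         # tie at 100: higher interface address
    timeline.append(master.switch)
    c.up = True
    master = elect(pool, master)         # sw-c has preem disabled: no takeover
    timeline.append(master.switch)
    owner = VirtualRouter("sw-d", 1, "192.0.2.1", "192.0.2.1", prio=1, preem=False)
    pool.append(owner)
    master = elect(pool, master)         # owner preempts even with preem disabled
    timeline.append(master.switch)
    return timeline


if __name__ == "__main__":
    print(failover_scenario())
```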

/cfg/l3/vrrp/vr <router number>/track


Virtual Router Priority Tracking Configuration
[VRRP Virtual Router 1 Priority Tracking Menu]
vrs   - Enable/disable tracking master virtual routers
ifs   - Enable/disable tracking other interfaces
ports - Enable/disable tracking VLAN switch ports
l4pts - Enable/disable tracking L4 switch ports
reals - Enable/disable tracking L4 real servers
hsrp  - Enable/disable tracking HSRP
hsrv  - Enable/disable tracking HSRP by VLAN
cur   - Display current VRRP virtual router configuration

This menu is used for modifying the priority system used when electing the master router from
a pool of virtual routers. Various tracking criteria can be used to bias the election results. Each
time one of the tracking criteria is met, the priority level for the virtual router is increased by an
amount defined through the VRRP Tracking Menu (see page 395).
Criteria are tracked dynamically, continuously updating virtual router priority levels when
enabled. If the virtual router preemption option (see preem in Table 6-91 on page 383) is
enabled, this virtual router can assume master routing authority when its priority level rises
above that of the current master.
Some tracking criteria (vrs, ifs, and ports below) apply to standard virtual routers, otherwise called virtual interface routers. Other tracking criteria (l4pts, reals, and hsrp)
apply to virtual server routers, which perform Layer 4 Server Load Balancing functions. A
virtual server router is defined as any virtual router whose IP address (addr) is the same as
any configured virtual server IP address.


Table 6-92 VRRP Priority Tracking Menu Options (/cfg/l3/vrrp/vr/track)


Command Syntax and Usage
vrs disable|enable
When enabled, the priority for this virtual router will be increased for each virtual router in master
mode on this switch. This is useful for making sure that traffic for any particular client/server pairing is handled by the same switch, increasing routing and load balancing efficiency. This command is disabled by default.
ifs disable|enable
When enabled, the priority for this virtual router will be increased for each IP interface active on
this switch. An IP interface is considered active when there is at least one active port on the same
VLAN. This helps elect the virtual routers with the most available routes as the master. This command is disabled by default.
ports disable|enable
When enabled, the priority for this virtual router will be increased for each active port on the same
VLAN. A port is considered active if it has a link and is forwarding traffic. This helps elect the
virtual routers with the most available ports as the master. This command is disabled by default.
l4pts disable|enable
When enabled for virtual server routers, the priority for this virtual router will be increased for
each physical switch port which has active Layer 4 processing on this switch. This helps elect the
main Layer 4 switch as the master. This command is disabled by default.
reals disable|enable
When enabled for virtual server routers, the priority for this virtual router will be increased for
each healthy real server behind the virtual server IP address of the same IP address as the virtual
router on this switch. This helps elect the switch with the largest server pool as the master, increasing Layer 4 efficiency. This command is disabled by default.
hsrp disable|enable
Hot Standby Router Protocol (HSRP) is used with some types of routers for establishing router
failover. In networks where HSRP is used, enable this switch option to increase the priority of this
virtual router for each Layer 4 client-only port that receives HSRP advertisements. Enabling HSRP
helps elect the switch closest to the master HSRP router as the master, optimizing routing efficiency. This command is disabled by default.
hsrv disable|enable
Hot Standby Router on VLAN (HSRV) is used to work in VLAN-tagged environments. Enable
this switch option to increment only that vrrp instance that is on the same VLAN as the tagged
hsrp master flagged packet. This command is disabled by default.
cur
Displays the current configuration for priority tracking for this virtual router.


/cfg/l3/vrrp/vrgroup
Virtual Router Group Menu
This feature allows the failover of individual groups of VIRs and VSRs. When Web hosting is
shared between two or more customers on a single VRRP switch, you can group VIRs and
VSRs to serve the high availability of a specific customer. If failover occurs on a customer
link, the group of VIRs and VSRs associated with that customer alone will fail over to the
backup switch. The VIRs and VSRs configured for the other customers on the master switch
are not affected.
Up to 16 virtual router groups can be configured on the switch.
[VRRP Virtual Router Vrgroup 1 Menu]
track   - Priority Tracking Menu
name    - Set virtual router group name
add     - Add virtual router to group
rem     - Remove virtual router from group
prio    - Set priority for virtual router group
trackvr - Set track virtual router for group
adver   - Set advertisement interval for group
preem   - Enable/disable preemption for group
share   - Enable/disable sharing for group
ena     - Enable virtual router group
dis     - Disable virtual router group
del     - Delete virtual router group
cur     - Display current VRRP virtual router group configuration

Table 6-93 Virtual Router Group Menu Options (/cfg/l3/vrrp/vrgroup)


Command Syntax and Usage
track
Displays VRRP priority tracking menu for this virtual router group. Tracking is Nortel's proprietary extension to VRRP, used for modifying the standard priority system used for electing the
master router. To view menu options, see page 388.
name
Defines virtual router group name up to eight characters.
add <virtual router number (1-1024)>
Adds a virtual router to the group. Each virtual router group can have up to 64 virtual routers.
rem <virtual router number (1-1024)>
Removes a virtual router from the group.

prio <1-254>
Defines the election priority bias for this virtual router group. This can be any integer between 1
and 254. The default value is 100.
During the master router election process, the routing device with the highest virtual router priority
number wins. If there is a tie, the device with the highest IP interface address wins. If this virtual
router's IP address (addr) is the same as the one used by the IP interface, the priority for this virtual router will automatically be set to 255 (highest).
When priority tracking is used (/cfg/l3/vrrp/vrgroup #/track), this base priority value
can be modified according to a number of performance and operational criteria.
trackvr <virtual router number (0-1024)>
Set track virtual router for group.
adver <1-255 seconds>
Set advertisement interval for group.
preem disable|enable
Enable/disable preemption for group.
share disable|enable
Enable/disable sharing for group.
ena
Enables the virtual router group.
dis
Disables the virtual router group.
del
Deletes the virtual router group.
cur
Displays the current VRRP virtual router group configuration.

/cfg/l3/vrrp/vrgroup <vrgroup number>/track
Virtual Router Group Priority Tracking Configuration Menu


This menu is used for modifying the priority system used when electing the master router from
a pool of virtual routers. Various tracking criteria can be used to bias the election results. Each
time one of the tracking criteria is met, the priority level for the virtual router is increased by an
amount defined through the VRRP Tracking Menu (see page 395). Criteria are tracked dynamically, continuously updating virtual router priority levels when enabled.
[VRRP Vrgroup 1 Priority Tracking Menu]
ifs   - Enable/disable tracking interfaces
ports - Enable/disable tracking VLAN switch ports
l4pts - Enable/disable tracking L4 switch ports
reals - Enable/disable tracking L4 real servers
hsrp  - Enable/disable tracking HSRP
hsrv  - Enable/disable tracking HSRP by VLAN
cur   - Display current VRRP vrgroup tracking configuration

Table 6-94 Virtual Router Group Priority Tracking Menu Options (/cfg/l3/vrrp/vrgroup/track)
Command Syntax and Usage
ifs disable|enable
When enabled, the priority will be increased for each IP interface active on this virtual router
group. An IP interface is considered active when there is at least one active port on the same
VLAN. This helps elect the virtual routers with the most available routes as the master. This command is disabled by default.
ports disable|enable
When enabled, the priority will be increased for each active port on the VLAN on this virtual
router group. A port is considered active if it has a link and is forwarding traffic. This helps elect
the virtual routers with the most available ports as the master. This command is disabled by
default.
l4pts disable|enable
When enabled for virtual server routers, the priority will be increased for each physical switch port
which has active Layer 4 processing on this virtual router group. This helps elect the main Layer 4
switch as the master. This command is disabled by default.
reals disable|enable
When enabled for virtual server routers, the priority will be increased for each healthy real server
behind the virtual server IP address of the same IP address as the virtual router on this virtual
router group. This helps elect the switch with the largest server pool as the master, increasing
Layer 4 efficiency. This command is disabled by default.

hsrp disable|enable
Hot Standby Router Protocol (HSRP) is used with some types of routers for establishing router
failover. In networks where HSRP is used, enable this switch option to increase the priority of this
virtual router group for each Layer 4 client-only port that receives HSRP advertisements. Enabling
HSRP helps elect the switch closest to the master HSRP router as the master, optimizing routing
efficiency. This command is disabled by default.
hsrv disable|enable
Hot Standby Router on VLAN (HSRV) is used to work in VLAN-tagged environments. Enable
this switch option to increment only that VRRP instance on the virtual router group that is on the
same VLAN as the tagged HSRP master flagged packet. This command is disabled by default.
cur
Displays the current configuration for priority tracking for this virtual router group.

/cfg/l3/vrrp/group
Virtual Router Group Configuration
[VRRP Virtual Router Group Menu]
     track   - Priority Tracking Menu
     vrid    - Set virtual router ID
     if      - Set interface number
     prio    - Set renter priority
     adver   - Set advertisement interval
     preem   - Enable or disable preemption
     share   - Enable or disable sharing
     ena     - Enable virtual router
     dis     - Disable virtual router
     del     - Delete virtual router
     cur     - Display current VRRP virtual router configuration

The Virtual Router Group menu is used for associating all virtual routers into a single logical
virtual router, which forces all virtual routers on the Nortel Application Switch to either be master
or backup as a group. A virtual router is defined by its virtual router ID and an IP address. On
each VRRP-capable routing device participating in redundancy for this virtual router, a virtual
router will be configured to share the same virtual router ID and IP address.

NOTE This option is required to be configured only when using at least two Nortel Application
Switches in a hot-standby failover configuration, where only one switch is active at any time.
Table 6-95 VRRP Virtual Router Group Options (/cfg/l3/vrrp/group)
Command Syntax and Usage
track
Displays the VRRP Priority Tracking Menu for the virtual router group. Tracking is Nortel's
proprietary extension to VRRP, used for modifying the standard priority system used for electing the
master router. Tracking is not needed if sharing (share) is enabled.
To view menu options, see page 395.
vrid <virtual router ID (1-1024)>
Defines the virtual router ID for this group.
if <interface number (1-256)>
Selects a switch IP interface (between 1 and 256). The default switch IP interface number is 1.
prio <priority (1-254)>
Defines the election priority bias for this virtual router group. This can be any integer between 1
and 254. The default value is 100.
During the master router election process, the routing device with the highest virtual router priority
number wins. If there is a tie, the device with the highest IP interface address wins. If this virtual
router's IP address (addr) is the same as the one used by the IP interface, the priority for this virtual
router will automatically be set to 255 (highest).
When priority tracking is used (/cfg/l3/vrrp/track or /cfg/l3/vrrp/vr #/track),
this base priority value can be modified according to a number of performance and operational criteria.
adver <1-255 (seconds)>
Defines the time interval between VRRP master advertisements. This can be any integer between 1
and 255 seconds. The default is 1.
preem disable|enable
Enables or disables master preemption. When enabled, if the virtual router group is in backup
mode but has a higher priority than the current master, this virtual router will preempt the lower
priority master and assume control. Note that even when preem is disabled, this virtual router will
always preempt any other master if this switch is the owner (the IP interface address and virtual
router addr are the same). By default, this option is enabled.
share disable|enable
Enables or disables virtual router sharing, Nortel's proprietary extension to VRRP. When enabled,
this switch will process any traffic addressed to this virtual router, even when in backup mode. By
default, this option is enabled.

ena
Enables the virtual router group.
dis
Disables the virtual router group.
del
Deletes the virtual router group from the switch configuration.
cur
Displays the current configuration information for the virtual router group.

/cfg/l3/vrrp/group/track
Virtual Router Group Priority Tracking Configuration
[Virtual Router Group Priority Tracking Menu]
     ifs     - Enable/disable tracking other interfaces
     ports   - Enable/disable tracking VLAN switch ports
     l4pts   - Enable/disable tracking L4 switch ports
     reals   - Enable/disable tracking L4 real servers
     hsrp    - Enable/disable tracking HSRP
     hsrv    - Enable/disable tracking HSRP by VLAN
     cur     - Display current VRRP Group Tracking configuration

NOTE If Virtual Router Group Tracking is enabled, then the tracking option will be available
only under group option. The tracking setting for the other individual virtual routers will be
ignored.

Table 6-96 Virtual Router Group Priority Tracking Options (/cfg/l3/vrrp/group/track)


Command Syntax and Usage
ifs disable|enable
When enabled, the priority for this virtual router will be increased for each other IP interface active
on this switch. An IP interface is considered active when there is at least one active port on the
same VLAN. This helps elect the virtual routers with the most available routes as the master. This
command is disabled by default.
ports disable|enable
When enabled, the priority for this virtual router will be increased for each active port on the same
VLAN. A port is considered active if it has a link and is forwarding traffic. This helps elect the
virtual routers with the most available ports as the master. This command is disabled by default.
l4pts disable|enable
When enabled for virtual server routers, the priority for this virtual router will be increased for
each physical switch port which has active Layer 4 processing on this switch. This helps elect the
main Layer 4 switch as the master. This command is disabled by default.
reals disable|enable
When enabled for virtual server routers, the priority for this virtual router will be increased for
each healthy real server. This helps elect the switch with the largest server pool as the master,
increasing Layer 4 efficiency. This command is disabled by default.
hsrp disable|enable
Enables Hot Standby Router Protocol (HSRP) for this virtual router group. HSRP is used with
some types of routers for establishing router failover. In networks where HSRP is used, enable this
switch option to increase the priority of this virtual router for each Layer 4 client-only port that
receives HSRP advertisements. This helps elect the switch closest to the master HSRP router as the
master, optimizing routing efficiency. This command is disabled by default.
hsrv disable|enable
Hot Standby Router on VLAN (HSRV) is used to work in VLAN-tagged environments. Enable
this switch option to increment only that VRRP instance that is on the same VLAN as the tagged
HSRP master flagged packet. This command is disabled by default.
cur
Displays the current configuration for priority tracking for this virtual router.

/cfg/l3/vrrp/if <interface number>


VRRP Interface Configuration
NOTE The interface-number (1 to 256) represents the IP interface on which authentication
parameters must be configured.
[VRRP Interface 1 Menu]
     auth    - Set authentication types
     passw   - Set plain-text password
     del     - Delete interface
     cur     - Display current VRRP interface configuration

This menu is used for configuring VRRP authentication parameters for the IP interfaces used
with the virtual routers.
Table 6-97 VRRP Interface Menu Options (/cfg/l3/vrrp/if)
Command Syntax and Usage
auth none|password
Defines the type of authentication that will be used: none (no authentication), or password
(password authentication).
passw <password>
Defines a plain text password up to eight characters long. This password will be added to each
VRRP packet transmitted by this interface when password authentication is chosen (see auth
above).
del
Clears the authentication configuration parameters for this IP interface. The IP interface itself is
not deleted.
cur
Displays the current configuration for this IP interface's authentication parameters.

/cfg/l3/vrrp/track
VRRP Tracking Configuration
[VRRP Tracking Menu]
     vrs     - Set priority increment for virtual router tracking
     ifs     - Set priority increment for IP interface tracking
     ports   - Set priority increment for VLAN switch port tracking
     l4pts   - Set priority increment for L4 switch port tracking
     reals   - Set priority increment for L4 real server tracking
     hsrp    - Set priority increment for HSRP tracking
     hsrv    - Set priority increment for HSRP by VLAN tracking
     cur     - Display current VRRP Priority Tracking configuration

This menu is used for setting weights for the various criteria used to modify priority levels during the master router election process. Each time one of the tracking criteria is met (see VRRP
Virtual Router Priority Tracking Menu on page 385), the priority level for the virtual router is
increased by an amount defined through this menu.
Table 6-98 VRRP Tracking Options (/cfg/l3/vrrp/track)
Command Syntax and Usage
vrs <0-254>
Defines the priority increment value (1 through 254) for virtual routers in master mode detected on
this switch. The default value is 2.
ifs <0-254>
Defines the priority increment value (1 through 254) for active IP interfaces detected on this
switch. The default value is 2.
ports <0-254>
Defines the priority increment value (1 through 254) for active ports on the virtual router's VLAN.
The default value is 2.
l4pts <0-254>
Defines the priority increment value (1 through 254) for physical switch ports with active Layer 4
processing. The default value is 2.
reals <0-254>
Defines the priority increment value (1 through 254) for healthy real servers behind the virtual
server router. The default value is 2.
hsrp <0-254>
Defines the priority increment value (1 through 254) for switch ports with Layer 4 client-only processing that receive HSRP broadcasts. The default value is 10.

hsrv <0-254>
Defines the priority increment value (1 through 254) for VRRP instances that are on the same
VLAN. The default value is 10.
cur
Displays the current configuration of priority tracking increment values.

These priority tracking options only define increment values. These options do not affect the
VRRP master router election process until options under the VRRP Virtual Router Priority
Tracking Menu (see page 385) are enabled.
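
The election rules given under prio, preem and the tracking menus can be modelled as follows. This is an added example, not Nortel code: the Switch class and function names are hypothetical, the cap of 254 on a tracked priority is an assumption, and the addresses and counts are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# Default increments from Table 6-98 (/cfg/l3/vrrp/track).
DEFAULT_INCREMENTS = {"vrs": 2, "ifs": 2, "ports": 2, "l4pts": 2,
                      "reals": 2, "hsrp": 10, "hsrv": 10}
OWNER_PRIORITY = 255        # automatic when addr equals the IP interface address
MAX_TRACKED_PRIORITY = 254  # assumption: tracking never lifts a non-owner past 254


@dataclass
class Switch:
    """One VRRP participant (hypothetical model, not a switch API)."""
    name: str
    if_addr: str                 # IP interface address, the election tie-breaker
    vr_addr: str                 # virtual router address (addr)
    prio: int = 100              # base priority (prio), 1-254
    tracking: frozenset = frozenset()             # criteria enabled under .../track
    observed: dict = field(default_factory=dict)  # criterion -> number currently met

    @property
    def is_owner(self):
        return IPv4Address(self.if_addr) == IPv4Address(self.vr_addr)

    def effective_priority(self, increments=None):
        """Base priority plus one increment per tracked criterion that is met."""
        inc = DEFAULT_INCREMENTS if increments is None else increments
        if not 1 <= self.prio <= 254:
            raise ValueError(f"{self.name}: prio must be 1-254")
        if self.is_owner:
            return OWNER_PRIORITY
        bonus = sum(inc[c] * self.observed.get(c, 0) for c in self.tracking)
        return min(self.prio + bonus, MAX_TRACKED_PRIORITY)


def elect_master(switches, increments=None):
    """Highest effective priority wins; a tie goes to the highest interface address."""
    # Compare addresses numerically: as strings, "192.0.2.9" would beat "192.0.2.10".
    return max(switches, key=lambda s: (s.effective_priority(increments),
                                        IPv4Address(s.if_addr)))


def should_preempt(backup, master, preem=True, increments=None):
    """Whether a backup takes over from the current master (preem option)."""
    if backup.is_owner:          # the owner preempts even when preem is disabled
        return True
    return preem and (backup.effective_priority(increments)
                      > master.effective_priority(increments))


def demo():
    """Constructed scenario: real-server health moves mastership between two switches."""
    track = frozenset({"ports", "reals"})
    a = Switch("sw-a", "192.0.2.2", "192.0.2.1", prio=100, tracking=track,
               observed={"ports": 4, "reals": 4})
    b = Switch("sw-b", "192.0.2.3", "192.0.2.1", prio=105, tracking=track,
               observed={"ports": 4, "reals": 1})
    before = (a.effective_priority(), b.effective_priority(), elect_master([a, b]).name)
    a.observed["reals"] = 2      # two real servers behind sw-a fail their health checks
    after = (a.effective_priority(), b.effective_priority(), elect_master([a, b]).name)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Because tracked counts feed the election directly, anything that changes link state or health-check results on one switch can move mastership, which is worth keeping in mind when choosing increments.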

/cfg/l3/metrc <metric name>


Default Gateway Metrics
If multiple default gateways are configured and enabled, a metric can be set to determine
which primary gateway is selected. There are two metrics, which are described in the table
Default Gateway Metrics (/cfg/l3/metrc) on page 396.
Table 6-99 Default Gateway Metrics (/cfg/l3/metrc)
Option       Description

strict       The gateway number determines its level of preference. Gateway #1 acts as
             the preferred default IP gateway until it fails or is disabled, at which point the
             next in line will take over as the default IP gateway.

roundrobin   This provides basic gateway load balancing. The switch sends each new gateway
             request to the next healthy, enabled gateway in line. All gateway requests
             to the same destination IP address are resolved to the same gateway.

/cfg/slb
/cfg/slb displays the Server Load Balancing Configuration Menu. To view menu options, see Chapter 7,
The SLB Configuration Menu.

/cfg/security
Security Configuration Menu
[Security Menu]
     port     - Port Security Menu
     ipacl    - IP ACL Menu
     udpblast - UDP Blast Protection Menu
     dos      - Protocol Anomaly and DoS Attack Prevention Menu
     pgroup   - Pattern Match Group Menu
     seclog   - Set rate threshold for security logging
     pdepth   - Set packet depth for pattern matching
     cur      - Display current Security configuration

Table 6-100 Security Configuration Menu Options (/cfg/security)


Command Syntax and Usage
port <port number>
Displays Port Security Menu. To view menu options, see page 399.
ipacl
Displays IP address Access Control Menu. To view options, see page 400.
udpblast
Displays UDP Blast Menu. To view menu options, see page 402.
dos
Go to the Protocol Anomaly and DoS Attack Prevention Menu. To view menu
options, see page 403.
pgroup <pattern group ID (1-128)>
Displays Pattern Match Group Menu. To view menu options, see page 404.
seclog <rate threshold packets/sec, 0-1048576 (0, no rate threshold)>
Defines the rate threshold for security logging by the number of packets per second. Any packets
above the current threshold will be logged.

pdepth <# of packets, 1-255|none>
Defines the search window for pattern matching beginning from the start of the packet stream.
The window is in units of packets.
cur
Displays the current security configuration.

/cfg/security/port
Port Security Menu
[Port <port_number> Menu]
     bogon    - Enable/disable bogon IP ACL
     ipacl    - Enable/disable IP ACL
     udpblast - Enable/disable UDP blast protection
     dos      - Enable/disable protocol anomaly and DoS attack prevention
     add      - Add protocol anomaly/DoS attack to prevention
     aadd     - Add all protocol anomaly/DoS attack to prevention
     rem      - Remove protocol anomaly/DoS attack from prevention
     arem     - Remove all protocol anomaly/DoS attack from prevention
     help     - Protocol anomaly and DoS attack prevention description
     cur      - Display current port configuration

Table 6-101 Port Security Menu Options


Command Syntax and Usage
bogon enable|disable
Enable or disable bogon IP ACL.
ipacl enable|disable
Enable or disable IP ACL.
udpblast enable|disable
Enable or disable UDP blast protection.
dos enable|disable
Enable or disable protocol anomaly and DoS attack prevention.
add iplen | ipversion | broadcast | loopback | land | ipreerved |ipttl
| ipprot | ipoptlen | fragmoredont | fragdata | fragboundary | fraglast
| fragdontoff | fragopt | fragoff | frag oversize | tcplen | tcportzero
| blat | tcpreserved | nullscan | fullxmasscan | finscan | vecnascan |
xmasscan | synfinscan | flagabnormal | syndata | synfrag | ftpport |
dnsport | seqzero |ackzero | tcpoptlen | udplen | udpportzero | fraggle
| pepsi | rc8 | snmpnull | icmplen | smurf | icmpdata | icmpoff | icmptype | igmplen | igmpfrag | igmptype | arplen | arpnbcast | arpncast |
arpspoof | garp | ip6len | ip6version
Add protocol anomaly/DoS attack to prevention.
aadd
Add all protocol anomaly/DoS attack to prevention for the port.

rem iplen | ipversion | broadcast | loopback | land | ipreerved |ipttl
| ipprot | ipoptlen | fragmoredont | fragdata | fragboundary | fraglast
| fragdontoff | fragopt | fragoff | frag oversize | tcplen | tcportzero
| blat | tcpreserved | nullscan | fullxmasscan | finscan | vecnascan |
xmasscan | synfinscan | flagabnormal | syndata | synfrag | ftpport |
dnsport | seqzero |ackzero | tcpoptlen | udplen | udpportzero | fraggle
| pepsi | rc8 | snmpnull | icmplen | smurf | icmpdata | icmpoff | icmptype | igmplen | igmpfrag | igmptype | arplen | arpnbcast | arpncast |
arpspoof | garp | ip6len | ip6version
Remove protocol anomaly/DoS attack from prevention.
arem
Remove all protocol anomaly/DoS attack from prevention for the port.
help
Description of Protocol anomaly and DoS attack prevention.
cur
Display current port configuration. For example:
Current port 1:
bogon disabled, ipacl disabled, udpblast disabled, dos disabled

/cfg/security/ipacl
IP Address Access Control List Configuration Menu
Nortel Application Switch Operating System can be configured with IP access control lists
(ACLs) composed of ranges of client IP addresses that are to be denied access to the switch.
When traffic ingresses the switch, the client source or destination IP address is checked against
this pool of addresses. If a match is found, then the client traffic is blocked.
[IP ACL Menu]
     add     - Add configuration source IP Address/Mask
     rem     - Remove configuration source IP Address/Mask
     arem    - Remove all configuration source IP Address/Mask
     dadd    - Add configuration destination IP Address/Mask
     drem    - Remove configuration destination IP Address/Mask
     darem   - Remove all configuration destination IP Address/Mask
     cfg     - Display configuration IP Address/Mask
     bogon   - Display bogon IP Address/Mask
     oper    - Display operations IP Address/Mask
     cur     - Display all IP Address/Mask

Table 6-102 IP Address ACL Menu Options (/cfg/sec/ipacl)


Command Syntax and Usage
add <IP address> <IP mask>
Adds range of source IP addresses to be denied, defined by the IP address/mask pair.
rem <IP address/mask pair index>
Removes range of source IP addresses to be denied, defined by the IP address/mask pair index.
arem
Remove all configuration source IP Address/Mask.
dadd <IP address> <IP subnet mask>
Add configuration destination IP Address/Mask.
drem <IP address> <IP subnet mask>
Remove configuration destination IP Address/Mask.
darem
Remove all configuration destination IP Address/Mask.
cfg
Display configuration IP Address/Mask.
bogon
Display bogon IP Address/Mask.
oper
Display operations IP Address/Mask.
cur
Displays the current IP address ranges in the Access Control List.
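
A deny range entered with add or dadd drops every packet whose source or destination falls inside it, so it is worth checking a planned list against the flows that must keep working before applying it. The sketch below is an added example, not Nortel code: the IpAcl class and lockout_risks function are hypothetical, it assumes host bits under the mask are ignored, and all addresses are constructed.

```python
from ipaddress import IPv4Address, IPv4Network


class IpAcl:
    """Deny ranges as entered with `add` (source) and `dadd` (destination)."""

    def __init__(self):
        self.src, self.dst = [], []

    @staticmethod
    def _range(addr, mask):
        # Assumption: host bits under the mask are ignored, so
        # 10.1.2.3 255.255.255.0 covers 10.1.2.0-10.1.2.255.
        return IPv4Network(f"{addr}/{mask}", strict=False)

    def add(self, addr, mask):
        self.src.append(self._range(addr, mask))

    def dadd(self, addr, mask):
        self.dst.append(self._range(addr, mask))

    def match(self, src, dst):
        """Return ('source'|'destination', range) for the first hit, else None."""
        src, dst = IPv4Address(src), IPv4Address(dst)
        for net in self.src:
            if src in net:
                return "source", net
        for net in self.dst:
            if dst in net:
                return "destination", net
        return None


def lockout_risks(acl, required_flows):
    """Flows that must keep working but that the planned entries would block."""
    risks = []
    for src, dst in required_flows:
        hit = acl.match(src, dst)
        if hit:
            risks.append((src, dst, hit[0], str(hit[1])))
    return risks


def demo():
    """Constructed plan in which one deny range is wider than intended."""
    acl = IpAcl()
    acl.add("198.51.100.0", "255.255.255.0")     # abusive client range
    acl.add("10.0.0.0", "255.0.0.0")             # meant to drop spoofed private sources
    acl.dadd("203.0.113.10", "255.255.255.255")  # retired service address
    required = [("10.20.30.40", "192.0.2.80"),   # monitoring host -> virtual server
                ("192.0.2.200", "192.0.2.80")]   # ordinary client -> virtual server
    return lockout_risks(acl, required)


if __name__ == "__main__":
    for risk in demo():
        print(risk)
```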

/cfg/security/udpblast
UDP Blast Protection Configuration Menu
Malicious attacks over UDP protocol ports are becoming a common way to bring down real
servers. Nortel Application Switch Operating System can be configured to restrict the amount
of traffic allowed on any UDP port, thus ensuring that backend servers are not flooded with
data and disabled.
You can specify a series of UDP port ranges and the allowed packet limit for that range. When
the maximum number of packets/second is reached, UDP traffic is shut down on those ports.
Nortel Application Switch Operating System supports up to 5000 UDP port numbers, using
any integer from 1 to 65535. The maximum port range is 5000. If the first port number is 300,
the last number that can be used is 5300.
While you can configure multiple port ranges, the sum of ranges cannot exceed the maximum
of 5000 ports.
[UDP Blast Protection Menu]
     add     - Add UDP port/range for UDP blast protection
     rem     - Remove UDP port/range for UDP blast protection
     default - Default packet rate for UDP blast protection
     cur     - Display all UDP blast protection Ports

Table 6-103 UDP Blast Protection Menu Options (/cfg/sec/udpblast)


Command Syntax and Usage
add <UDP port number or range (first-last)> [packet rate]
Adds UDP port or range for UDP blast protection, as well as the maximum packet rate per second.
If the number of packets on this port range exceeds the maximum packet rate per second, UDP
traffic will be dropped.
rem <UDP port number or range (first-last)>
Removes UDP port or range for UDP blast protection.
default <packet rate>
Defines the default packet rate for UDP blast protection.
cur
Displays all UDP blast protection ports.

/cfg/security/dos
Anomaly and Denial of Service Attack Prevention Menu
[Protocol Anomaly and DoS Attack Prevention Menu]
     ipttl    - Set the smallest allowable IP ttl for ipttl
     ipprot   - Set the highest allowable IP protocol for ipprot
     fragdata - Set smallest allowable IP fragment payload for fragdata
     fragoff  - Set the smallest allowable IP fragment offset for fragoff
     syndata  - Set the largest allowable TCP SYN payload for syndata
     icmpdata - Set the largest allowable ICMP payload for icmpdata
     icmpoff  - Set the largest allowable ICMP fragment offset for icmpoff
     help     - Protocol anomaly and DoS attack prevention description
     cur      - Display current protocol anomaly and DoS attack prevention

Table 6-104 Anomaly and DoS Menu Options


Command Syntax and Usage
ipttl <IPv4 TTL, 0-255>
Set the smallest allowable IP ttl for IPTTL.
ipprot <highest allowable IPv4 protocol [0-255]>
Set the highest allowable IP protocol for IP protection. For example:
Current highest allowable IPv4 protocol: 137
Enter new highest allowable IPv4 protocol [0-255]:
fragdata <IPv4 fragment payload size in bytes, 16-248>
Set the smallest allowable IP fragment payload.
fragoff <IPv4 fragment offset in multiples of 8 bytes, 1-255>
Set the smallest allowable IP fragment offset.
syndata <TCP packet payload size in bytes, 0-255>
Set the largest allowable TCP SYN payload.
icmpdata <ICMP packet payload size in bytes, 1-9026>
Set the largest allowable ICMP payload.
icmpoff <ICMP fragment offset in multiples of 8 bytes, 1-8190>
Set the largest allowable ICMP fragment offset.
help
Description of the Anomaly and DoS attack prevention.
cur
Display current protocol anomaly and DoS attack prevention settings. For example:
Current protocol anomaly and DoS attack prevention settings:
ipttl 1, ipprot 137, fragdata 32, fragoff 4, syndata 0,
icmpdata 800, icmpoff 101
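
To see what the seven thresholds mean for traffic, the following added example (not Nortel code) parses the sample cur output above and evaluates constructed packet summaries against it. The Packet structure, the choice of which fragments the fragdata and fragoff checks apply to, and the sample packets are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Example `cur` output from Table 6-104, copied from the page.
CUR_OUTPUT = """Current protocol anomaly and DoS attack prevention settings:
ipttl 1, ipprot 137, fragdata 32, fragoff 4, syndata 0,
icmpdata 800, icmpoff 101"""

# Accepted value ranges from the command syntax in Table 6-104.
RANGES = {"ipttl": (0, 255), "ipprot": (0, 255), "fragdata": (16, 248),
          "fragoff": (1, 255), "syndata": (0, 255), "icmpdata": (1, 9026),
          "icmpoff": (1, 8190)}


def parse_cur(text):
    """Extract the seven thresholds from `cur` output and range-check them."""
    found = {k: int(v) for k, v in re.findall(r"\b([a-z]+) (\d+)", text) if k in RANGES}
    missing = sorted(set(RANGES) - set(found))
    if missing:
        raise ValueError(f"missing settings: {missing}")
    for key, value in found.items():
        low, high = RANGES[key]
        if not low <= value <= high:
            raise ValueError(f"{key} {value} outside {low}-{high}")
    return found


@dataclass
class Packet:
    """Header summary of one IPv4 packet (hypothetical structure for this example)."""
    ttl: int
    proto: int               # IPv4 protocol number: 1 ICMP, 6 TCP, 17 UDP
    ip_payload: int          # bytes carried after the IPv4 header
    l4_payload: int = 0      # bytes carried after the TCP or ICMP header
    frag_offset: int = 0     # IPv4 fragment offset, in 8-byte units
    more_frags: bool = False
    tcp_syn: bool = False


def anomalies(pkt, s, enabled=None):
    """Names of threshold anomalies the packet trips, in menu order.

    `enabled` models the per-port `add` list; None means every check is active.
    """
    checks = [
        ("ipttl", pkt.ttl < s["ipttl"]),
        ("ipprot", pkt.proto > s["ipprot"]),
        # Assumption: the minimum payload applies to fragments with more to follow.
        ("fragdata", pkt.more_frags and pkt.ip_payload < s["fragdata"]),
        # Assumption: offset 0 (the first fragment) is exempt from the minimum offset.
        ("fragoff", 0 < pkt.frag_offset < s["fragoff"]),
        ("syndata", pkt.proto == 6 and pkt.tcp_syn and pkt.l4_payload > s["syndata"]),
        ("icmpdata", pkt.proto == 1 and pkt.l4_payload > s["icmpdata"]),
        ("icmpoff", pkt.proto == 1 and pkt.frag_offset > s["icmpoff"]),
    ]
    return [name for name, hit in checks if hit and (enabled is None or name in enabled)]


# Constructed sample traffic, not captured from a real network.
SAMPLES = {
    "plain SYN": Packet(ttl=64, proto=6, ip_payload=20, tcp_syn=True),
    "SYN with data": Packet(ttl=64, proto=6, ip_payload=60, l4_payload=40, tcp_syn=True),
    "tiny first fragment": Packet(ttl=64, proto=17, ip_payload=8, more_frags=True),
    "offset-1 fragment": Packet(ttl=64, proto=6, ip_payload=100, frag_offset=1),
    "large echo": Packet(ttl=64, proto=1, ip_payload=1408, l4_payload=1400),
    "deep ICMP fragment": Packet(ttl=64, proto=1, ip_payload=1480, frag_offset=185),
    "expired TTL": Packet(ttl=0, proto=17, ip_payload=28),
    "protocol 200": Packet(ttl=64, proto=200, ip_payload=40),
}


def classify_samples(enabled=None):
    """Map each sample label to the anomalies it trips under the parsed settings."""
    settings = parse_cur(CUR_OUTPUT)
    return {label: anomalies(p, settings, enabled) for label, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in classify_samples().items():
        print(f"{label:22} {hits or 'pass'}")
```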

/cfg/security/pgroup <pattern group number>


Pattern Matching Menu
When a virus or other attack contains multiple patterns or strings, it is useful to combine them
into one group and give the group a name that is easy to remember. When a pattern group is
applied to a deny filter, the switch will match any of the strings or patterns within that group
before denying and dropping the packet. Up to five patterns can be combined into a single pattern group. Configure the binary or ASCII pattern strings, group them into a pattern group,
name the pattern group, and then apply the group to a filter.
The filtering commands in Nortel Application Switch Operating System Advanced Denial of
Service Pack allow the administrator to define groups of patterns. By applying the patterns and
groups to a deny filter, the packet content can be detected and thus denied access to the network.
The Nortel Application Switch Operating System 23.0 supports up to 1024 pattern matching
groups.
[Pattern Match Group 1 Menu]
     name    - Set pattern group name
     add     - Add SLB string to group
     rem     - Remove SLB string from group
     del     - Delete pattern group
     cur     - Display current configuration

Table 6-105 Pattern Matching Group Menu Options (/cfg/sec/pgroup)


Command Syntax and Usage
name <31 character name>|none
Specifies a descriptive name for this pattern group.
add <string ID>
Adds a pre-configured SLB string to this pattern group by the string ID number.
To configure SLB strings, use the /cfg/slb/layer7/slb/add command described on
page 475.
To view existing strings and their ID numbers, use the /cfg/slb/layer7/slb/cur command, also on page 475.
Note: You can only add the binary or ASCII strings to a pattern matching group. Up to five patterns can be combined into a single pattern group.
rem <SLB string ID>
Removes an SLB string from this pattern group.
del
Deletes the pattern group.

cur
Displays the current configuration of this pattern group.

/cfg/sslproc
SSL Processor Menu
[SSL Processor Menu]
     mip     - Set SSL processor management IP
     port    - Set SSL processor Web server port
     rts     - Enable/disable RTS processing
     filt    - Enable/disable filtering
     add     - Add filter
     rem     - Remove filter
     cur     - Display current SSL processor configuration

Table 6-106 SSL Processor Menu Options


Command Syntax and Usage
mip <SSL processor management IP>
Set SSL processor management IP.
port <SSL processor Web server port>
Set SSL processor Web server port.
rts enable|disable
Enable/disable RTS processing.
filt enable|disable
Enable/disable filtering.
add <filter ID, 1-2048>
Add a filter.
rem <filter ID, 1-2048>
Remove a filter.
cur
Display current SSL processor configuration.

/cfg/setup
Setup
The setup program steps you through configuring the system date and time, BOOTP, IP, Spanning Tree, port speed/mode, VLAN parameters, and IP interfaces. For a complete description
of how to use setup, see Chapter 2, First-Time Configuration.

To start the setup program, at the Configuration# prompt, enter:


>> Configuration# setup
"Set Up" will walk you through the configuration of
System Date and Time, BOOTP, Spanning Tree, Management Port, Port
Speed/Mode,VLANs, and IP interfaces. [type Ctrl-C to abort "Set Up"]
------------------------------------------------------------------

/cfg/dump
Dump
The dump program writes the current switch configuration to the terminal screen. To start the
dump program, at the Configuration# prompt, enter:
Configuration# dump

The configuration is displayed with parameters that have been changed from the default values. The screen display can be captured, edited, and placed in a script file, which can be used to
configure other switches through a Telnet connection. When using Telnet to configure a new
switch, paste the configuration commands from the script file at the command line prompt of
the switch. The active configuration can also be saved or loaded via TFTP, as described on
page 408.

/cfg/ptcfg
Saving the Active Switch Configuration
When the ptcfg command is used, the switch's active configuration commands (as displayed
using /cfg/dump) will be uploaded to the specified script configuration file on the TFTP or
FTP server. To start the switch configuration upload, at the Configuration# prompt, enter:
Configuration# ptcfg <TFTP/FTP server> <filename> {-tftp | ftp user name ftp password}
[-m | -mgmt | -d | -data]

where server is the TFTP or FTP server IP address or hostname, and filename is the name of
the target script configuration file.
NOTE The output file is formatted with line-breaks but no carriage returns, so the file cannot
be viewed with editors that require carriage returns (such as Microsoft Notepad).

NOTE If the TFTP server is running SunOS or the Solaris operating system, the specified
ptcfg file must exist prior to executing the ptcfg command and must be writable (set with
proper permission, and not locked by any application). The contents of the specified file will
be replaced with the current configuration data.

/cfg/gtcfg
Restoring the Active Switch Configuration
When the gtcfg command is used, the active configuration will be replaced with
the commands found in the specified configuration file. The file can contain a full switch configuration or a partial switch configuration. The configuration loaded using gtcfg is not activated until the apply command is used. If the apply command is found in the configuration
script file loaded using this command, the apply action will be performed automatically.
To start the switch configuration download, at the Configuration# prompt, enter:
Configuration# gtcfg <TFTP/FTP server> <filename> {-tftp | ftp user name ftp password}
[-m | -mgmt | -d | -data]

where server is the TFTP or FTP server IP address or hostname, and filename is the name of
the target script configuration file.

CHAPTER 7

The SLB Configuration Menu


Server Load Balancing (SLB) allows you to configure the Nortel Application Switch to balance user session traffic among a pool of available servers that provide shared services. In an
average network that employs multiple servers without server load balancing, each server usually specializes in providing one or two unique services. If one of these servers provides access
to applications or data that is in high demand, it can become overutilized. Placing this kind of
strain on a server can decrease the performance of the entire network as user requests are
rejected by the server and then resubmitted by the user stations. With this software feature, the
switch is aware of the services provided by each server and can direct user session traffic to an
appropriate server, based on a variety of load-balancing algorithms.
This chapter discusses how to use the Command Line Interface (CLI) for configuring Server
Load Balancing (SLB) on the Nortel Application Switch. Refer to your Nortel Application Switch
Operating System Application Guide for detailed information on this feature.

/cfg/slb
SLB Configuration
[Layer 4 Menu]
real    - Real Server Menu
group   - Real Server Group Menu
virt    - Virtual Server Menu
filt    - Filtering Menu
port    - Layer 4 Port Menu
gslb    - Global SLB Menu
layer7  - Layer 7 Resource Definition Menu
wap     - WAP Menu
sync    - Config Synch Menu
adv     - Layer 4 Advanced Menu
linklb  - Inbound Linklb Menu
advhc   - Layer 4 Advanced Health Check Menu
pip     - Proxy IP Address Menu
peerpip - Peer Proxy IP Address Menu
wlm     - Workload Manager Menu
on      - Globally turn Layer 4 processing ON
off     - Globally turn Layer 4 processing OFF
cur     - Display current Layer 4 configuration

Table 7-1 Server Load Balancing Configuration Menu Options (/cfg/slb)


Command Syntax and Usage
real <real server number (1-1023)>
Displays the menu for configuring real servers. To view menu options, see page 414.
group <real server group number (1-1024)>
Displays the menu for placing real servers into real server groups. To view menu options, see
page 423.
virt <virtual server number (1-1024)>
Displays the menu for defining virtual servers. To view menu options, see page 431.
filt <filter ID (1-2048)>
Displays the menu for Filtering and Application Redirection. To view menu options, see page 445.
port <port number>
Displays the menu for setting physical switch port states for Layer 4 activity. To view menu
options, see page 463.

gslb
Displays the menu for configuring Global Server Load Balancing. To view menu options, see
page 465.
layer7
Displays Layer 7 Resource Definition Menu. To view menu options, see page 472.
wap
Displays WAP Menu. To view menu options, see page 477.
sync
Displays the Synch Peer Switch Menu. To view menu options, see page 478.
adv
Displays the Layer 4 Advanced Menu. To view menu options, see page 480.
linklb
Displays Inbound Link Load Balancing Menu. To view menu options, see page 484.
advhc
Displays Layer 4 Advanced Health Check Menu. To view menu options, see page 486.
pip
This menu is used to set the switch proxy IP address using dotted decimal notation. When the pip
is defined, client address information in Layer 4 requests is replaced with this proxy IP address. To
view options, see page 496.
peerpip
Displays Peer Proxy IP address Menu. When this command is enabled, the switch is able to forward traffic from the other switch, using Layer 2, without performing server processing on the
packets of the other switch. This happens because the peer switches are aware of each other's
proxy IP addresses. This prevents a packet from being dropped or sent to the backup switch in
the absence of the proxy IP address of the peer switch.
To view menu options, see page 497.
wlm
Displays the menu for workload management of servers. To view menu options, see page 498.
on
Globally turns on Layer 4 software services for Server Load Balancing and Application Redirection. This option can be performed only after the optional Layer 4 software is enabled (see Activating Optional Software on page 509). Enabling Layer 4 services is not necessary for using filters
only to allow, deny, or NAT traffic.

off
Globally disables Layer 4 services. All configuration information will remain in place
(if applied or saved), but the software processes will no longer be active in the switch.
cur
Displays the current Server Load Balancing configuration.

Filtering and Layer 4 (Server Load Balancing)


Filters configured to allow, deny, or perform Network Address Translation (NAT) on traffic do
not require Layer 4 software to be activated. These filters are not affected by the Server Load
Balancing on and off commands in this menu.
Application Redirection filters, however, require Layer 4 software services. Layer 4 processing must be turned on before redirection filters will work.

/cfg/slb/real <server number>


Real Server SLB Configuration
[Real Server 1 Menu]
adv     - Real Server Advanced Menu
layer7  - Layer 7 Command Menu
ids     - IDS Command Menu
rip     - Set IP addr of real server
name    - Set real server name
weight  - Set weight for real server
maxcon  - Set maximum number of connections
tmout   - Set minutes inactive connection remains open
backup  - Set backup real server
inter   - Set interval between health checks
retry   - Set number of failed attempts to declare server DOWN
restr   - Set number of successful attempts to declare server UP
overflo - Enable/Disable backup on overflow
addport - Add real port to server
remport - Remove real port from server
ena     - Enable real server
dis     - Disable real server
del     - Delete real server
cur     - Display current real server configuration

This menu is used for configuring information about real servers that participate in a server
pool for Server Load Balancing or Application Redirection. The required parameters are:

Real server IP address

Real server enabled (disabled by default)


Table 7-2 Real Server Configuration Menu Options (/cfg/slb/real)

Command Syntax and Usage


adv
Go to the Real Server Advanced menu. To view menu options, see page 421.
layer7
Displays the Layer 7 Menu. To view menu options, see page 421.
ids
Displays Intrusion Detection Server/system menu. To view menu options, see page 422.
rip <real server IP address>
Sets the IP address of the real server in dotted decimal format. When this command is used, the
address entered is PINGed to determine if the server is up, and the administrator will be warned if
the server does not respond.
name <string, maximum 31 characters>|none
Defines a 15-character alias for each real server. This will enable the network administrator to
quickly identify the server by a natural language keyword value.
weight <real server weight (1-48)>
Sets the weighting value (1 to 48) that this real server will be given in the load balancing algorithms. Higher weighting values force the server to receive more connections than the other servers
configured in the same real server group. By default, each real server is given a weight setting of 1.
A setting of 10 would assign the server roughly 10 times the number of connections as a server
with a weight of 1.
Weights are not applied when using the hash or minmisses metrics (see Server Load Balancing Metrics on page 429).
avail <server weight (1-48)>
Displays the currently available real server for Global server load balancing and allows the user to
change to another real server for Global server load balancing.

maxcon <maximum connections (0-200000)>
Sets the maximum number of connections that this server should simultaneously support. By
default, the number of maximum connections is set at 200,000. This option sets a threshold as an
artificial barrier, such that new connections will not be issued to this server if the maxcon limit is
reached. New connections will be issued again to this server once the number of current connections has decreased below the maxcon setting.
If all servers in a real server group for a virtual server reach their maxcon limit at the same time,
client requests will be sent to the backup/overflow server or backup/overflow server group. If no
backup servers/server group are configured, client requests will be dropped by the virtual server.
tmout <even number of minutes (2-32768)>
Sets the number of minutes an inactive session remains open (in even numbered increments).
Every client-to-server session being load balanced is recorded in the switch's Session Table. When
a client makes a request, the session is recorded in the table. The data is transferred until the client
ends the session, and the session table entry is then removed.
In certain circumstances, such as when a client application is abnormally terminated by the client's
system, TCP/UDP connections will remain registered in the switch's binding table. In order to prevent table overflow, these orphaned entries must be aged out of the binding table.
Using the tmout option, you can set the number of minutes to wait before removing orphan table
entries. Settings must be specified in even numbered increments between 2 and 32768 minutes.
The default setting is 10.
This option is also used with the Persistent option (see /cfg/slb/virt/pbind). When persistent is activated, this option sets how long an idle client is allowed to remain associated with a particular server.
backup <real server number (1-1023)>|none
Sets the real server used as the backup/overflow server for this real server.
To prevent loss of service if a particular real server fails, use this option to assign a backup real
server number. Then, if the real server becomes inoperative, the switch will activate the backup
real server until the original becomes operative again.
The backup server is also used in overflow situations. If the real server reaches its maxcon (maximum connections) limit, the backup comes online to provide additional processing power until the
original server becomes desaturated.
The same backup/overflow server may be assigned to more than one real server at the same time.

inter <number of seconds between health checks (0-60)>
Sets the interval between real server health verification attempts.
Determining the health of each real server is a necessary function for Layer 4 switching. For TCP
services, the switch verifies that real servers and their corresponding services are operational by
opening a TCP connection to each service, using the defined service ports configured as part of
each virtual service. For UDP services, the switch pings servers to determine their status.
The inter option lets you choose the time between health checks. The range is from 1 to 60 seconds. The default interval is 2 seconds. An interval of 0 disables health checking for the server.
retry <number of consecutive health checks (1-63)>
Sets the number of failed health check attempts required before declaring this real server inoperative. The range is from 1 to 63 attempts. The default is 4 attempts.
restr <number of consecutive health checks (1-63)>
Sets the number of successful health check attempts required before declaring a UDP service operational. The range is from 1 to 63 attempts. The default is 8 attempts.
overflo enable|disable
Enable or disable backup upon overflow.
addport <real server port (2-65534)>
Add multiple service ports to the server.
remport <real server port (2-65534)>
Remove multiple service ports from the server.
remote disable|enable
Enables or disables remote site operation for this server. This option should be enabled when the
real IP address supplied above represents a remote server (real or virtual) that this switch will
access as part of its Global Server Load Balancing network. By default, this option is disabled.
proxy disable|enable
Enables or disables proxy IP address translation. With this option enabled (default), a client
request from any application can be proxied using a load-balancing Proxy IP address (PIP).
fasthc disable|enable
Enables or disables Fast Health Check operation. When enabled, the real server goes down operationally as soon as the physical port connected to the real server goes down. When disabled, the
real server will go down only after the configured health check interval.
This command is enabled by default.
submac disable|enable
Enables or disables source MAC address substitution. By default, this option is disabled.

ena
You must perform this command to enable this real server for Layer 4 service. When enabled, the
real server can process virtual server requests associated with its real server group. This option,
when the apply and save commands are used, enables this real server for operation until explicitly disabled.
See /oper/slb/ena on page 412 for an operations-level command.
dis
Disables this real server from Layer 4 service. A disabled server will no longer process virtual
server requests as part of the real server group to which it is assigned. This option, when the
apply and save commands are used, disables this real server until it is explicitly re-enabled.

NOTE This option does not perform a graceful server shutdown.


See /oper/slb/dis on page 502 for an operations-level command that permits graceful server
shutdown.
del
Deletes this real server from the Layer 4 switching software configuration. This removes the real
server from operation within its real server groups. Use this command with caution, as it will
delete any configuration options that have been set for this real server. This option does not perform a graceful server shutdown.
cur
Displays the current configuration information for this real server.
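
The inter, retry and restr options in Table 7-2 together decide how long a failed server keeps receiving traffic. The following added example (not code from this reference or from the switch software) models them as a small state machine; the names HealthCheckConfig, simulate and detection_window are hypothetical, and it assumes that the counters track consecutive results, that an opposite result resets them, and that restr governs the return to service.

```python
from dataclasses import dataclass


@dataclass
class HealthCheckConfig:
    inter: int = 2   # seconds between health checks; 0 disables checking
    retry: int = 4   # consecutive failed checks before the server is DOWN
    restr: int = 8   # consecutive successful checks before it is UP again

    def validate(self):
        if not 0 <= self.inter <= 60:
            raise ValueError("inter must be 0-60 seconds")
        if not 1 <= self.retry <= 63 or not 1 <= self.restr <= 63:
            raise ValueError("retry and restr must be 1-63")


def simulate(cfg, probes, start_up=True):
    """Replay probe results (True = server answered) and return the
    state changes as (seconds, "UP" | "DOWN") tuples.

    Assumption: probe number n is sent n * inter seconds after the start.
    """
    cfg.validate()
    if cfg.inter == 0:
        return []                      # health checking disabled: no changes
    up, streak, transitions = start_up, 0, []
    for n, answered in enumerate(probes, start=1):
        if answered == up:
            streak = 0                 # result agrees with current state
            continue
        streak += 1                    # one more consecutive opposing result
        threshold = cfg.retry if up else cfg.restr
        if streak >= threshold:
            up, streak = not up, 0
            transitions.append((n * cfg.inter, "UP" if up else "DOWN"))
    return transitions


def detection_window(cfg):
    """(best, worst) seconds between a real failure and the DOWN decision,
    ignoring the time each probe takes to time out. None if disabled."""
    cfg.validate()
    if cfg.inter == 0:
        return None
    return ((cfg.retry - 1) * cfg.inter, cfg.retry * cfg.inter)


if __name__ == "__main__":
    defaults = HealthCheckConfig()
    # Constructed probe sequences, not captured from a switch.
    print(simulate(defaults, [False] * 4 + [True] * 8))
    # A server that drops three of every four probes never reaches retry=4.
    print(simulate(defaults, [False, False, False, True] * 10))
    print(detection_window(defaults))
```

With the default values the model marks a dead server DOWN 6 to 8 seconds after it fails, while a server that answers only every fourth probe is never removed from service; lowering retry to 3 removes it after 6 seconds.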

/cfg/slb/real/adv
Real Server Advanced Menu
[Real Server 1 Advanced Menu]
avail   - Set Global SLB availability for real server
remote  - Enable/disable Global SLB remote site operation
proxy   - Enable/disable client proxy operation
buddyhc - Buddy Server Menu
fasthc  - Enable/disable fast health check operation
submac  - Enable/disable source MAC address substitution
subdmac - Enable/disable destination MAC address substitution
cur     - Display current real server advanced configuration

Table 7-3 Real Server Advanced Menu Options


Command Syntax and Usage
avail <server weight, 1-48>
Set Global SLB availability for real server.
remote enable|disable
Enable/disable Global SLB remote site operation.
proxy enable|disable
Enable/disable client proxy operation.
buddyhc
Go to the Buddy Server Menu.
fasthc enable|disable
Enable/disable fast health check operation.
submac enable|disable
Enable/disable source MAC address substitution.
subdmac enable|disable
Enable/disable destination MAC address substitution.
cur enable|disable
Display current real server advanced configuration.

/cfg/slb/real/adv/buddyhc
Buddy Server Health Check Menu
[Real server 1 Buddy Menu]
addbd   - Add Buddy Server
delbd   - Delete Buddy Server
cur     - Display current buddy server configuration

Table 7-4 Buddy Server Health Check Menu Options


Command Syntax and Usage
addbd <real server number 1-1023> <real server group 1-1024> <service 9-65534>
Adds a buddy server.
delbd <real server number 1-1023> <real server group 1-1024> <service 9-65534>
Deletes a previously added buddy server.
cur
Displays the current buddy server configuration.

/cfg/slb/real <server number>/layer7


Real Server Layer 7 Configuration
[Real Server 1 Layer 7 Commands Menu]
addlb   - Add SLB string for content load balance
remlb   - Remove SLB string for content load balance
cookser - Enable/disable cookie assignment server
exclude - Enable/disable exclusionary string matching
ldapwr  - Enable/disable LDAP Write server
cur     - Display current real server configuration

This menu is used for entering commands and strings for Layer 7 processing.
Table 7-5 Layer 7 Commands Menu Options (/cfg/slb/real/layer7)
Command Syntax and Usage
addlb <defined SLB string ID, 1-1024>
Adds the predefined URL loadbalance string ID to the real server.
remlb <defined SLB string ID, 1-1024>
Removes the predefined URL loadbalance string ID from the real server.
cookser disable|enable
Enables or disables the real server to handle client requests that don't contain a cookie. This option
is used if you want to designate a specific server to assign cookies only. This server gets the client
request, assigns the cookie, and embeds the IP address of the real server that will handle the subsequent requests from the client.
By default, this option is disabled.
exclude disable|enable
Enables or disables exclusionary string matching. By default, this option is disabled.
ldapwr disable|enable
Enables or disables LDAP write server. LDAP servers are of two types: read servers and write
servers. You need to use read servers when you only want to browse the directory. You need to use
the write servers when you want to modify the directory on the server. The write server can conduct both read and write operations.
cur
Displays the current real server configuration.

/cfg/slb/real <real server number>/ids


Real server IDS Configuration Menu
Intrusion Detection System (IDS) is a type of security management system for computers and
networks. An Intrusion Detection System gathers and analyzes information from various areas
within a computer or a network to identify possible security breaches, which include both
intrusions (attacks from outside the organization) and misuse (attacks from within the organization). Refer to your Application Guide for more information.
[Real Server 1 IDS Menu]
idsvlan - Set Vlan ID for ID Server
idsport - Set Port for ID Server
oid     - Override OID for SNMP HC
comm    - Override community string for SNMP HC
cur     - Display current real server configuration

Table 7-6 IDS Configuration Menu options (/cfg/slb/real/ids)


Command Syntax and Usage
idsvlan <vlan number (1-4090)>
Defines VLAN ID for Intrusion Detection Server.
idsport <port number> | none
Defines port for Intrusion Detection Server.
Note: IDS can only be configured on real servers between one and the maximum number of ports on the
switch.
oid <SNMP health check object identifier to override group OID>
Specifies the object identifier (OID). This OID overrides the OID for SNMP health checks.
comm <SNMP health check community string to override group community string>
Overrides community string for SNMP health checks.
cur
Displays the current real server configuration.

/cfg/slb/group <real server group number>


Real Server Group SLB Configuration
[Real Server Group 1 Menu]
metric  - Set metric used to select next server in group
rmetric - Set metric used to select next rport in server
content - Set health check content
health  - Set health check type
backup  - Set backup real server or group
name    - Set real server group name
realthr - Set real server failure threshold
idsrprt - Set Intrusion Detection Port
advhlth - Set an advance group health check formula
mhash   - Set minmisses hash parameter
wlm     - Set Workload Manager number
viphlth - Enable/disable VIP health checking in DSR mode
ids     - Enable/disable Intrusion Detection
idsfld  - Enable/disable Intrusion Detection Group Flood
oper    - Enable/disable the access to this group for operator
ena     - Enable real server in this group
dis     - Disable real server in this group
add     - Add real server
rem     - Remove real server
del     - Delete real server group
cur     - Display current group configuration

This menu is used for combining real servers into real server groups. Each real server group
should consist of all the real servers which provide a specific service for load balancing. Each
group must consist of at least one real server. Each real server can belong to more than one group.
Real server groups are used both for Server Load Balancing and Application Redirection.
Table 7-7 Real Server Group Configuration Menu Options (/cfg/slb/group)
Command Syntax and Usage
metric leastconns|roundrobin|minmisses|hash|response|bandwidth|phash
Sets the load balancing metric used for determining which real server in the group will be the target of the next client request. The default setting is leastconns. See Server Load Balancing
Metrics on page 429 for more information.
rmetric
Sets the load balancing metric used for determining which port in the real server will be the target
of the next client request.

content <filename>|//<host>/<filename>|none
This option defines the specific content which is examined during health checks. The content
depends on the type of health check specified in the health option (see below).
health link|arp|icmp|tcp|http|httphead|dns|pop3|smtp|nntp|ftp|imap|
sslh|radius-auth|radius-acc|script<n>|udpdns|wsp|wtp|wtls|ldap|
snmp<n>|tftp|rtsp|sip|sipoptions|wts
http - use GET method, httphead - use HEAD method
Sets the type of health checking performed. The default is tcp. See SLB Health Check Types on
page 426.
backup r<real server number (1-1023)>|g<group number (1-1024)>|none
Sets the real server or real server group used as the backup/overflow server/server group for this
real server group.
To prevent loss of service if the entire real server group fails, use this option to assign a backup
real server/real server group number. Then, if the real server group becomes inoperative, the
switch will activate the backup real server/server group until one of the original real servers
becomes operative again.
The backup server/server group is also used in overflow situations. If all the servers in the real
server group reach their maxcon (maximum connections) limit, the backup server/server group
comes online to provide additional processing power until one of the original servers becomes
desaturated.
The same backup/overflow server/server group may be assigned to more than one real server
group at the same time.
name <maximum 31 characters>|none
Defines a 15-character alias for each Real Server Group. This will enable the network administrator to quickly identify the server group by a natural language keyword value.
realthr <real servers (1-15, 0 for disabled)>
Specifies a minimum number of real servers available. If at any time the number reaches this minimum limit, a SYSLOG ALERT message is sent to the configured SYSLOG servers stating that the
real server threshold has been reached for the concerned server load balancing group. The default
threshold is 0, which also means the option is disabled.
idsrprt <real server port (2-65534)>|any
Sets real server port for the Intrusion Detection Server.

advhlth <(1&2|3..), 128>|none
Defines an advanced health check formula expression for the real servers. This command allows
you to create a boolean expression to health check the real server group based on the state of the
virtual services. This command supports two boolean operators, AND or OR that are used to
manipulate TRUE or FALSE values. Using parentheses with the boolean operators, you can create a boolean expression to state the health of the server group. This command also supports a
string expression which is up to 128 characters long, or you can also set the formula expression as
none.
mhash 24|32 <number of sip bits used for minmisses hash>
Defines the minmisses hash parameter for this real server as either 24 or 32 bits. By default the
minmisses algorithm uses the upper 24-bits of the source IP address to calculate the real server that
the traffic should be sent to when the minmisses metric is selected. You can also select all 32-bits of
the source IP address to hash to the real server.
wlm <1 - 16> | none
Set Workload Manager number.
viphlth disable|enable
Enables or disables VIP health checking in a service. This feature is enabled by default. However,
it works only when the service has DSR (Direct Server Return) feature enabled. When viphlth
is disabled, the switch uses RIP to perform all health checks, whether DSR is enabled or disabled.
ids disable|enable
Enables or disables Intrusion Detection Server (IDS) load balancing for the designated real server
group. This feature can only be configured on real server groups between 1-63.
idsfld disable|enable
Enables or disables the Intrusion Detection flood. When Intrusion Detection flood is enabled,
packets are copied to all IDS servers in the IDS group. When this is disabled, packets are only
copied to the load balanced IDS server within the IDS group.
oper disable|enable
Enables or disables the real server group operation.
ena <real server number, 1-1023>
Enables a real server in this group gracefully or on a per group basis. For example, if a real server
is a member of more than one group, you can configure this real server to accept requests from all
the groups or any number of groups that this real server is member of.
dis <real server number, 1-1023>
Disables a real server in this group gracefully or on a per group basis.
add <real server number (1-1023)>
Adds a real server to this real server group. You will be prompted to enter the number of the real
server to add to this group.

rem <real server number (1-1023)>
Remove a real server from this real server group. You will be prompted for the ID number for the
real server to remove from this group.
del
Deletes this real server group from the Layer 4 software configuration. This removes the group
from operation under all virtual servers it is assigned to. Use this command with caution: if you
remove the only group that is assigned to a virtual server, the virtual server will become inoperative.
cur
Displays the current configuration parameters for this real server group.

SLB Health Check Types


Using the health command, you can specify the type of health check for the group of real
servers. The health check options are described in the following table. Refer to your Application Guide for their detailed description.
>> Real Server Group 1# health
Current health check type: tcp
Pending new health check type: sipoptions
Enter health check type:

Table 7-8 SLB Health Check Types (/cfg/slb/group/health)


Option and Description
link
Checks status of port for each server for IDSLB group only.
arp
Sends an ARP request for Layer 2 health checking.
icmp
For Layer 3 health checking, pings the server.
tcp
Opens and closes a TCP/IP connection to the server for TCP service.

http
For HTTP service, use HTTP 1.1 GETS when a HOST: header is required to check that the URL
content is specified in content command. Otherwise, an HTTP/1.0 GET occurs.
Note: If the content is not specified, the health check will revert back to TCP on the port that is
being load balanced.
httphead
Allows the switch to declare if the server is up or not just by locating the URL header and not wait
until all the URL contents are received. You can use this command to test the validity and access to
the hypertext links or to look for any recent modification to the URL.
dns
For Domain Name Service, check that the domain name specified in content can be resolved by
the server.
pop3
For user mail service, check that the user:password account specified in content exists on the
server.
smtp
For mail-server services, check that the user specified in content is accessible on the server.
nntp
For newsgroup services, check that the newsgroup name specified in content is accessible on
the server.
ftp
For FTP services, check that the filename specified in content is accessible on the server
through anonymous login.
imap
For user mail service, check that the user:password value specified in content exists on the
server.
sslh
Enables the switch to query the health of the SSL servers by sending an SSL client Hello packet
and then verify the contents of the server's Hello response. During the handshake, the user and
server exchange security certificates, negotiate an encryption and compression method, and establish a session ID for each session.

radius-auth, radius-acc
For RADIUS remote access server authentication, check that the user:password value specified in
content exists on the Nortel Application Switch and the server. To perform application health
checking to a RADIUS server, the network administrator must also configure the /cfg/slb/secrt
parameter. The secrt value is a field of up to 32 alphanumeric characters that is used by
the switch to encrypt a password during the RSA Message Digest Algorithm (MD5) and by the
RADIUS server to decrypt the password during verification.
script <n>
Enables the use of script-based health checks in send/expect format to check for application and
content availability. <n> denotes the health script number (1-64).
udpdns
Allows the user to perform health checking using UDP DNS queries.
wsp
Enables connectionless WSP content health checks for WAP gateways. The content under
/cfg/slb/adv/waphc (see page 486) must also be configured.
wtp
Enables connection-oriented WTP + WSP content health checks for WAP gateways. The content
under /cfg/slb/adv/waphc (see page 486) must also be configured.
wtls
Provides Wireless Transport Layer Security (WTLS) Hello-based health check for encrypted and
connection-oriented WTLS traffic on port 9203.
ldap
Sets the health check type to LDAP. The LDAP health checks enable the switch to determine if the
LDAP server is alive. This health check consists of three LDAP messages over one TCP connection: a bind request, a bind result, and an unbind request. The switch sends an anonymous bind
request to the server. If the server is up, it will send the bind result message and the switch will
mark the server as alive. The switch must send an unbind request so that the server does not hold
resources indefinitely. The switch administrator can choose LDAP version 2 or 3 as both the versions are compatible with Nortel Application Switch Operating System 23.0.2.
snmp <n>
Enables the use of SNMP-based health checks. <n> denotes the health script number (1-5).
tftp
Sets the health check type to TFTP. This protocol enables the user to request a file from the server.
At regular intervals, the switch transmits TFTP read requests (RRQ) to all servers in the group.
The health check is successful if the server responds to the RRQ. The health check fails if the
switch receives an error packet from the real server.

rtsp
Sets the health check type to RTSP. The RTSP health check can operate with or without content.
If there is no content configured the switch will issue an RTSP OPTIONS method. If content is
supplied the switch will issue the RTSP DESCRIBE method. If the response to either method is
RTSP/200 then the health check passes. If this is not the response, the health check will fail.
sip
Sets the health check type to sip. You can perform the SIP (Session Initiation Protocol) health
check by using a SIP PING request. You must enable UDP to perform SIP load balancing.
sipoptions
Sets the health check type to sipoptions.
wts
Sets the health check type to wts.
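
The LDAP health check exchange described in Table 7-8 (anonymous bind request, bind result, unbind request), shown as an added example that is not part of the Nortel documentation or the switch software. FakeLdapServer, the function names and the sample reply bytes are constructed for the example; any object with sendall() and recv(), such as a connected TCP socket, can take its place.

```python
"""LDAP health check: anonymous bind request, bind result, unbind request."""


def ber_len(n: int) -> bytes:
    """BER definite length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """INTEGER for non-negative values; the extra byte keeps the sign bit clear."""
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))


def anonymous_bind_request(msg_id: int, version: int = 3) -> bytes:
    """LDAPMessage { messageID, BindRequest { version, empty name, empty simple password } }."""
    bind = tlv(0x60, ber_int(version) + tlv(0x04, b"") + tlv(0x80, b""))
    return tlv(0x30, ber_int(msg_id) + bind)


def unbind_request(msg_id: int) -> bytes:
    """LDAPMessage { messageID, UnbindRequest (NULL) }."""
    return tlv(0x30, ber_int(msg_id) + tlv(0x42, b""))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); raise ValueError on truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_result(data: bytes, expected_id: int) -> int:
    """Return the resultCode of a BindResponse, or raise ValueError."""
    tag, msg, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg, 0)
    if tag != 0x02 or int.from_bytes(mid, "big") != expected_id:
        raise ValueError("message ID mismatch")
    tag, resp, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    tag, code, _ = read_tlv(resp, 0)
    if tag != 0x0A or not code:
        raise ValueError("missing resultCode")
    return int.from_bytes(code, "big")


class FakeLdapServer:
    """Constructed stand-in for one TCP connection to a real server."""

    def __init__(self, reply: bytes):
        self.reply, self.received = reply, []

    def sendall(self, data: bytes) -> None:
        self.received.append(data)

    def recv(self, n: int) -> bytes:
        return self.reply[:n]


def ldap_health_check(conn, version: int = 3) -> bool:
    """Bind anonymously, treat any well-formed bind result as 'alive', then unbind."""
    conn.sendall(anonymous_bind_request(1, version))
    try:
        parse_bind_result(conn.recv(4096), expected_id=1)
        alive = True    # as in the table: a bind result marks the server alive
    except ValueError:
        alive = False
    conn.sendall(unbind_request(2))   # always unbind so the server frees resources
    return alive


# Constructed sample reply: BindResponse, messageID 1, resultCode 0 (success).
SAMPLE_BIND_RESULT = bytes.fromhex("300c02010161070a010004000400")

if __name__ == "__main__":
    print(anonymous_bind_request(1).hex())
    print(ldap_health_check(FakeLdapServer(SAMPLE_BIND_RESULT)))
```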

Server Load Balancing Metrics


Using the metric command, you can set a number of metrics for selecting which real server
in a group gets the next client request.
>> Real Server Group 1# metric
Current metric: leastconns
Enter metric:

The metrics are described in the following table:


Table 7-9 Real Server Group Metrics (/cfg/slb/group/metric)
Option and Description
minmisses
Minimum misses. This metric is optimized for Application Redirection. When minmisses is
specified for a real server group performing Application Redirection, all requests for a specific IP
destination address will be sent to the same server. This is particularly useful in caching applications, helping to maximize successful cache hits. Best statistical load balancing is achieved when
the IP address destinations of load balanced frames are spread across a broad range of IP subnets.
Minmisses can also be used for Server Load Balancing. When specified for a real server group performing Server Load Balancing, all requests from a specific client will be sent to the same server.
This is useful for applications where client information must be retained on the server between sessions. Server load with this metric becomes most evenly balanced as the number of active clients
increases.

hash
Like minmisses, the hash metric uses IP address information in the client request to select a
server.
For Application Redirection, all requests for a specific IP destination address will be sent to the
same server. This is particularly useful for maximizing successful cache hits.
For Server Load Balancing, all requests from a specific client will be sent to the same server. This
is useful for applications where client information must be retained between sessions.
The hash metric should be used if the statistical load balancing achieved using minmisses is
not as optimal as desired. Although the hash metric can provide more even load balancing at any
given instance, it is not as effective as minmisses when servers leave and reenter service.
If the Load Balancing statistics indicate that one server is processing significantly more requests
over time than other servers, consider using the hash metric.
leastconns
Least connections. With this option, the number of connections currently open on each real server
is measured in real time. The server with the fewest current connections is considered to be the
best choice for the next client connection request.
This option is the most self-regulating, with the fastest servers typically getting the most connections over time, due to their ability to accept, process, and shut down connections faster than
slower servers.
roundrobin
Round robin. With this option, new connections are issued to each server in turn: the first real
server in this group gets the first connection, the second real server gets the next connection, followed by the third real server, and so on. When all the real servers in this group have received at
least one connection, the issuing process starts over with the first real server.
response
Real server response time. With this option, the switch monitors and records the amount of time
that each real server takes to reply to a health check. The response time is used to adjust the real
server weights. The weights are adjusted so they are inversely proportional to a moving average of
response time.
bandwidth
Bandwidth Metric. With this option, the real server weights are adjusted so they are inversely proportional to the number of octets that the real server processes during a given interval. The higher
the bandwidth used, the smaller is the weight assigned to that server.

phash
The phash metric utilizes the best features of the hash and minmiss metrics. With phash
enabled, the switch supports an even load distribution (hash) and stable server assignment (minmiss) even when a server in the group goes down. With the phash metric, the first hash will
always be the same even if a real server is down. If the first hash hits a dead server, it will rehash
for that request based on the actual number of servers that are up. This results in a request always
being sent to a server that is up.

NOTE: Under the leastconns, roundrobin, hash, and phash metrics, when real
servers are configured with weights (see the weight option on page 415), a higher proportion
of connections is given to servers with higher weights. This can improve load balancing
among servers of different performance levels. Weights are not applied when using
the minmisses metric.
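
A simplified model of the hash and phash behavior described in Table 7-9, added here as an example and not taken from Nortel code. It counts how many clients are moved to another server, although their own server stayed in service, when one real server goes down. The SHA-256 stand-in hash, the server names and the client address range are constructed; this reference does not give the switch's own hash function.

```python
import hashlib
import ipaddress

SERVERS = ["rs1", "rs2", "rs3", "rs4"]   # constructed real server group


def h(key: str, salt: str = "") -> int:
    """Stand-in hash over the client key (source IP, the default thash parameter)."""
    digest = hashlib.sha256((salt + key).encode()).digest()
    return int.from_bytes(digest[:8], "big")


def hash_metric(key, servers, up):
    """Model of a plain hash taken over the servers currently in service."""
    alive = [s for s in servers if s in up]
    if not alive:
        return None
    return alive[h(key) % len(alive)]


def phash_metric(key, servers, up):
    """Model of phash: the first hash ignores server state, rehash only on a dead hit."""
    first = servers[h(key) % len(servers)]
    if first in up:
        return first
    alive = [s for s in servers if s in up]
    if not alive:
        return None
    # Rehash based on the number of servers that are actually up.
    return alive[h(key, "rehash") % len(alive)]


def moved_clients(metric, clients, servers, up_before, up_after):
    """Count clients whose server changed although their original server stayed up."""
    moved = 0
    for client in clients:
        before = metric(client, servers, up_before)
        if before in up_after and metric(client, servers, up_after) != before:
            moved += 1
    return moved


def demo():
    """Take rs3 out of service and compare the disruption under both models."""
    base = ipaddress.IPv4Address("10.0.0.0")
    clients = [str(base + i) for i in range(1000)]       # constructed client IPs
    all_up, one_down = set(SERVERS), set(SERVERS) - {"rs3"}
    return {
        "hash": moved_clients(hash_metric, clients, SERVERS, all_up, one_down),
        "phash": moved_clients(phash_metric, clients, SERVERS, all_up, one_down),
    }


if __name__ == "__main__":
    print(demo())
```

Under phash only the clients that were on the failed server are reassigned, which is the stable server assignment the table describes.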

/cfg/slb/virt <virtual server number>


Virtual Server SLB Configuration
[Virtual Server 1 Menu]
service  - Virtual Service Menu
ipver    - Set IP version
vip      - Set IP addr of virtual server
vname    - Set name of virtual server
dname    - Set domain name of virtual server
cont     - Set BW Contract
weight   - Set Global SLB weight for virtual server
avail    - Set Global SLB availability for virtual server
addrule  - Add Global SLB rule to domain
remrule  - Remove Global SLB rule from domain
layr3    - Enable/disable layer 3 only balancing
creset   - Enable/disable client connection reset invalid VPORT
ena      - Enable virtual server
dis      - Disable virtual server
del      - Delete virtual server
cur      - Display current virtual configuration

This menu is used for configuring the virtual servers which will be the target for client requests
for Server Load Balancing. Configuring a virtual server requires the following parameters:


Creating a virtual server IP address

Adding TCP/UDP port and real server group

Enabling the virtual server (disabled by default)


Table 7-10 Virtual Server Configuration Menu Options (/cfg/slb/virt)

Command Syntax and Usage


service <virtual port or name>
Displays the Virtual Services Menu. The virtual port name can be a well-known port name, such as
http, ftp, the service number, and so on. The allowable port range is from 9 to 65534. To get more
information about well-known ports, see the sport command on page 447. To view the services
menu options, see page 434.

ipver <IP version (v4 or v6)>
Set the IP version.
vip <virtual server IP address for IPv4 or IPv6>
Sets the IP address of the virtual server using dotted-decimal notation. The virtual server created
within the switch will respond to ARPs and PINGs from network ports as if it was a normal server.
Client requests directed to the virtual server's IP address will be balanced among the real servers
available to it through real server group assignments.
dname <64 character domain name>|none
Sets the domain name for this virtual server. The domain name typically includes the name of the
company or organization, and the Internet group code (.com, .edu, .gov, .org, and so forth). An
example would be foocorp.com. It does not include the hostname portion (www, www2, ftp, and
so forth). The maximum number of characters that can be used in a domain name is 64. To define
the hostname, see hname below. To clear the dname, specify the name as none.
vname <32 character virtual server name>|none
Set name of virtual server.
cont <BWM contract (1-1024)>
Enter a new Bandwidth Management Contract for this virtual service. By default, all services
under this virtual server are assigned this BW contract. However, the BW contract can be changed
for a selected virtual server with /cfg/slb/virt <number>/service <number>/cont.
All frames that match this virtual server's services are assigned this BW contract if the contract previously assigned to the frame has lower or equal precedence than the virtual server contract.
The default number of contracts is set at 1024 for Nortel Application Switch Operating System.
weight
Sets the Global server weight for the virtual server. The higher the weight value, the more connections that will be directed to the local site. The default is 1. The response time of this site is divided
by this weight before the best site is assigned to a client. Remote site response times are divided by
the real server weight before selection occurs.

avail
Sets the Global SLB availability for the virtual server.
addrule <rule, 1-64>
Adds a Global SLB rule to the domain. A rule allows the server selected for GSLB to use a different metric
preference based on the time of day. Each domain has one or more rules, and each rule has a metric preference list. The server selected for GSLB selects the first rule that matches the domain and starts
with the first metric in the preference list of the rule. The default is rule 1.
remrule <rule, 1-64>
Removes Global SLB rule from domain.
layr3 disable|enable
Normally, the client IP address is used with the client Layer 4 port number to produce a session
identifier. When the layr3 option is enabled (disabled by default), the switch uses only the client
IP address as the session identifier. It associates all the connections from the same client with the
same real server while any connection exists between them.
This option is necessary for some server applications where state information about the client system is divided across different simultaneous connections, and also in applications where TCP fragments are generated.
If the real server to which the client is assigned becomes unavailable, the Layer 4 software will
allow the client to connect to a different server.
creset enable|disable
Enable/disable client connection reset invalid VPORT.
ena
Enables this virtual server. This option activates the virtual server within the switch so that it can
service client requests sent to its defined IP address.
dis
This option disables the virtual server so that it no longer services client requests.
del
This command removes this virtual server from operation within the switch and deletes it from the
Layer 4 switching software configuration. Use this command with caution, as it will delete the
options that have been set for this virtual server.
cur
Displays the current configuration of the specified virtual server.


/cfg/slb/virt <server number>/service <virtual port or name>

Virtual Server Service Configuration
This menu is used for configuring services assigned to a virtual server. The following example
shows a menu for http (port 80) services.
NOTE: Select virtual service port 554 to configure RTSP traffic. See page 444 to view the
menu options for configuring virtual services on port 554 for RTSP.
[Virtual Server 1 14 Service Menu]
wts     - WTS Load Balancing Menu
http    - HTTP Load Balancing Menu
sip     - SIP Load Balancing Menu
rtsp    - RTSP Load Balancing Menu
group   - Set real server group number
rport   - Set real port
hname   - Set hostname
cont    - Set BW contract for this virtual service
pbind   - Set persistent binding type
thash   - Set hash parameter
tmout   - Set minutes inactive connection remains open
dbind   - Enable/disable delayed binding
udp     - Enable/disable UDP balancing
frag    - Enable/disable remapping UDP server fragments
nonat   - Enable/disable only substituting MAC addresses
dnsslb  - Enable/disable DNS query load balancing
direct  - Enable/disable direct access mode
mirror  - Enable/disable session mirroring
epip    - Enable/disable pip selection based egress port/vlan
del     - Delete virtual service
cur     - Display current virtual service configuration


Table 7-11 Virtual Server Service Configuration Options (/cfg/slb/virt/service)


Command Syntax and Usage
wts
Go to the WTS Load Balancing Menu. To view the menu options, see page 440.

http
Enables or disables HTTP Redirection for Global server load balancing on a per VIP basis.
Disabling HTTP Redirection causes GSLB to use proxy IP address for HTTP. To view
the menu options, see page 441.
sip
Enables or disables Session Initiation Protocol (SIP) server load balancing on the Nortel
Application Switch Operating System. When enabled, you can configure SIP service on the
service port 5060 for a virtual server. SIP is a UDP-based application-level control protocol
for creating, modifying and terminating sessions with one or more participants (documented
in RFC3261). The SIP processing occurs at application level in order to parse out messages
coming from client side as well as the server side. Using SIP on your switch, you can load
balance Nortel's MCS (Multimedia Communication Server) proxy servers. Nortel Networks
MCS is a SIP-enabled application server. When SIP is enabled, you can scan and hash calls
based on a SIP Call-ID header to an MCS server.
You need to turn Direct Access Mode (DAM) on to perform SIP load balancing.
You can use only minmiss as the load balancing metric since the load balancing is performed based on the Call-ID.
To view the menu options, see page 442.
rtsp
Go to the RTSP Load Balancing Menu. To view the menu options, see page 443.

group <real server group number (1-1024)>
Sets a real server group for this service. The default is set at 1. You will be prompted to enter
the number (1 to 1024) of the real server group to add to this service.
rport <real server port (0-65534)>
Defines the real server TCP or UDP port assigned to this service. By default, this is the same
as the virtual port (service virtual port). If rport is configured to be different than the virtual
port defined in /cfg/slb/virt <number>/service <virtual port>, the switch will
map the virtual port to this real port.

hname <hostname>|none
Sets the hostname for a service added. This is used in conjunction with dname (above) to create a full host/domain name for individual services.
The format for this command is: # hname <hostname>
For example, to add a hostname for Web services, you could specify www as the hostname. If
a dname of foocorp.com was defined (above), www.foocorp.com would be the full host/
domain name for the service.
To clear the hostname for a service, use the command: # hname none
httpslb urlslb|host|cookie|browser|urlhash|headerhash|others
Load balances on the following applications:
urlslb: Enable or disable URL SLB
host: Enable or disable for virtual hosting
cookie: Enable or disable cookie-based SLB for cookie-based preferential load balancing. You will be prompted for the following: Cookie name, starting point of the cookie
value, number of bytes to be extracted, enable/disable checking for cookie in URI
browser: Enable or disable SLB, based on browser type
urlhash: Enable or disable URL hashing based on URI
headerhash: Hashes on any HTTP header value.
others: Requires inputs for a particular header field
You may choose to combine or select applications to load balance using the commands "and"
and/or "or". For example:
httpslb <application>
httpslb <application> and|or <application>

cont <BWM Contract (0-1024), 0 for VIP default>
Sets a Bandwidth Management contract for this virtual service. The default number of contracts is set at 1024 for Nortel Application Switch Operating System.
Note: If you enter 0 for the service contract, it will carry the value entered for the Virtual
Server IP (vip) contract.
urlcont <URL path ID> <BW contract>
Sets the Bandwidth Management contract of a string specific to this virtual service. Only use
this command when a string is shared by multiple virtual services and each service requires a
separate bandwidth. The default is set at 1024.

pbind clientip|cookie<p|r|i>|sslid|disable
Enables or disables persistent bindings for a real server (disabled by default). This may be
necessary for some server applications where state information about the client system is
retained on the server over a series of sequential connections, such as with SSL (Secure
Socket Layer, HTTPS), Web site search results, or multi-page Web forms.
The clientip option uses the client IP address as an identifier, and associates all connections
from the same client with the same real server until the client becomes inactive
and the connection is aged out of the binding table. The connection timeout value (set in
the Real Server Menu) is used to control how long these inactive but persistent connections
remain associated with their real servers. When the client resumes activity after their connection has been aged out, they will be connected to the most appropriate real server based
on the load balancing metric.
An alternative approach may be to use the real server group metrics minmisses or hash
(see Server Load Balancing Metrics).
In Nortel Application Switch Operating System 23.0.2, with the clientip command
enabled, HTTP and HTTPS traffic from the same client will map to the same server irrespective of the load balancing metric used, since the services are related. Different services from the same client, however, may not map to the same server.
The cookie option uses a cookie defined in the HTTP header or placed in the URI for
hashing. For more information on the cookie option, see Cookie-Based Persistence on
page 444. For detailed information on Cookie-Based Persistence, see the
Persistence chapter in the Nortel Application Switch Operating System 23.0.2 Application
Guide.
The sslid option is for Secure Sockets Layer (SSL), which is a set of protocols built on
top of TCP/IP that allow an application server and user to communicate over an encrypted
HTTP session. SSL provides authentication, non-repudiation, and security. The session ID
is a value comprising 32 random bytes chosen by the SSL server that gets stored in a session hash table. By enabling the sslid option, all subsequent SSL sessions which present
the same session ID will be directed to the same real server.
The disable option allows you to disable persistent binding, if it has previously been
enabled for a particular application.
rcount <response count number (1-16)>
Sets the maximum response counter for cookie-based persistence. The Nortel Application
Switch will examine each server response until the cookie is found, or until the maximum
count is reached. The default number is 1.
thash sip|sip+sport
Defines hash parameter. Tunable hash feature allows the user to select different parameters
for computing the hash value used by the hash, phash, and minmisses SLB metrics. For
example, the source IP address, or both source IP address and source port. If the user does not
select any, the switch will use default hash parameter, which is sip.

dbind disable|enable
Enables or disables Layer 4 Delayed Binding for TCP service and ports. Enabling this command protects the server from Denial of Service (DoS) attacks. This option is disabled by
default.
udp disable|enable|stateless
Enables or disables UDP load balancing for a virtual port (disabled by default). You can configure this option if the service(s) to be load balanced include UDP and TCP. For example,
DNS uses UDP and TCP. In those environments, you must activate UDP balancing for the
particular virtual servers that clients will communicate with using UDP.
When stateless is enabled, no session table entry is created.
Since no session is created, you have to bind to a new server every time.
Note: If applying a filter to the same virtual server IP address on which UDP load balancing is
enabled, disable caching on that filter for optimal performance. For more information, see the
cache command in Table 7-18 on page 452.
frag disable|enable
Enables or disables remapping server fragments for virtual port. This option is enabled by
default.
nonat disable|enable
Enables or disables substituting only the MAC address of the real server (disabled by default).
This option does not substitute IP addresses. This option is used for Direct Server Return
(DSR) in a one-armed load balancing setup, so that frames returning from the server to the client
do not have to pass through the switch.
dnsslb disable|enable
Enables or disables DNS-based Layer 7 content load balancing.
direct disable|enable
Enables or disables Direct Access Mode (DAM) on the selected virtual service.
This command takes precedence over the command to globally enable or disable Direct
Access Mode on the switch.
mirror disable|enable
Enables or disables session mirroring on the selected virtual service.
xforward disable|enable
Enables or disables inserting the X-Forwarded-For header into the client HTTP request to preserve the client IP information. X-Forwarded-For is a special header that stores and identifies
the client IP information. This feature applies only to the HTTP protocol.

epip disable|enable
Enables or disables proxy IP selection based on egress port or VLAN. By default, the SP
selects the proxy IP address based on ingress port or VLAN. Using the epip command, you
can configure the SP to select proxy IP address based on the egress port or VLAN.
del
This command removes this virtual service from operation within the switch and deletes it
from the Layer 4 switching software configuration. Use this command with caution, as it will
delete the options that have been set for this virtual service.
cur
Displays the current configuration of services on the specified virtual server.


/cfg/slb/virt/service/wts
WTS Load Balancing Menu
[WTS Load Balancing Menu]
userhash - Enable userhash when there is no Session Dir. Server
ena      - Enable WTS loadbalancing and persistence
dis      - Disable WTS loadbalancing and persistence
cur      - Display current WTS configuration

Table 7-12 WTS Load Balancing Menu Options


Command Syntax and Usage
userhash
Enables the userhash if there is no session director server in the server platform.
ena [true|false]
Enable WTS load balancing.
dis [true|false]
Disable WTS load balancing.
cur
Display the current WTS configuration.


/cfg/slb/virt/service/http
HTTP Load Balancing Menu
[HTTP Load Balancing Menu]
httpslb  - Set HTTP SLB processing
urlcont  - Set BW cont of an SLB string specific to this service
rcount   - Set multi response count
http     - Enable/disable HTTP redirects for Global SLB
xforward - Enable/disable X-Forwarded-For for proxy mode
pooling  - Enable/disable connection pooling for HTTP traffic
cur      - Display current HTTP configuration

Table 7-13 HTTP Load Balancing Menu Options


Command Syntax and Usage
httpslb
Set HTTP SLB processing.
urlcont
Set BW cont of an SLB string specific to this service.
rcount
Set multi response count.
http
Enable/disable HTTP redirects for Global SLB.
xforward
Enable/disable X-Forwarded-For for proxy mode.
pooling
Enable/disable connection pooling for HTTP traffic.
cur
Display current HTTP configuration.


/cfg/slb/virt/service/sip
SIP Load Balancing Menu
[SIP Load Balancing Menu]
sip      - Enable/disable SIP load balancing
sdpnat   - Enable/disable SIP SDP Media Portal NAT
cur      - Display current SIP configuration

Table 7-14 SIP Load Balancing Menu Options


Command Syntax and Usage
sip
Enable SIP load balancing.
sdpnat
Enable SIP SDP Media Portal NAT.
cur
Display the current SIP configuration.


/cfg/slb/virt/service/rtsp
RTSP Load Balancing Menu
[RTSP Load Balancing Menu]
group    - Set real server group number
hname    - Set hostname
rtspslb  - Set RTSP URL load balancing type
thash    - Set hash parameter
softgrid - Enable/disable SoftGrid load balancing
del      - Delete virtual service
cur      - Display current virtual service configuration

Table 7-15 RTSP Load Balancing Menu Options


Command Syntax and Usage
group <real server group number (1-1024)>
Sets real server group number.
hname <hostname>|none
Sets the hostname for a service added. This is used in conjunction with dname (above) to create a
full host/domain name for individual services.
The format for this command is: # hname <hostname>
For example, to add a hostname for Web services, you could specify www as the hostname. If a
dname of foocorp.com was defined (above), www.foocorp.com would be the full host/
domain name for the service.
To clear the hostname for a service, use the command: # hname none
rtspslb hash|patternMatch|l4hash|none
This Layer 7 load balancing option sets the type of rtspslb, either hash or patternMatch,
thereby enabling the service. The default is hash.
hash: If you use hash, RTSP will parse the URL and will hash the URL to select a server to load
balance.
patternMatch: If you select this option, the switch will match the string or pattern
within the URL to select a server based on the string configured on the real server.
l4hash: The l4hash option configures Server Load Balancing to be based on the Layer 4 hash
metric.
none: If set at none, RTSP will use Layer 4 metrics to select a server to load balance.
thash sip|sip+sport
Defines hash parameter. Tunable hash feature allows the user to select different parameters for
computing the hash value used by the hash, phash, and minmisses SLB metrics. For example, the source IP address, the destination IP address, or both source IP address and source port. If
the user does not select any, the switch will use default hash parameter, which is sip.
softgrid enable|disable
Enable or disable softgrid load balancing.

del
Deletes this virtual service.
cur
Displays the current virtual service configuration.

Cookie-Based Persistence
The cookie option is used to establish cookie-based persistence, and has the following command syntax and usage:
pbind cookie <mode> <name> <offset> <length> <URI>
Each parameter is explained in the following table.
Option and Description
<mode>
Specify the mode for cookie-based persistence. The following three modes are
available:
p: Passive mode. In this mode, the network administrator configures the Web
server to embed a cookie in the server response that the switch looks for in subsequent requests from the same client.
r: Rewrite mode. In active cookie mode (or cookie rewrite mode), the switch,
and not the network administrator, generates the cookie value on behalf of the
server. The switch intercepts this persistence cookie and rewrites the value to
include server-specific information before sending it to the client.
i: Insert mode. When a client sends a request without a cookie, the server
responds with the data, and the switch inserts a persistence cookie into the data
packet. The switch uses this cookie to bind to the appropriate server.
Insert cookie mode expiration parameters are as follows:
Enter insert-cookie expiration as either:
... a date <MM/dd/yy[@hh:mm]> (e.g. 12/31/01@23:59)
... a duration <days[:hours[:minutes]]> (e.g. 45:30:90)
... or none <return>
<name>
Enter the name of the cookie.
<offset>
Enter the starting point of the cookie value (1-64).
<length>
Enter number of bytes to extract (1-64). For cookie rewrite, the extracting length
must be 8 or 16.
<URI>
Look for cookie in the URI. If you want to look for cookie name or value in the
URI, enter e to enable this option. To look for cookie in the HTTP header, enter d
to disable this option.


For more information on Cookie-Based Persistence, see the Nortel Application Switch Operating System 23.0.2 Application Guide.
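
A check of the pbind cookie parameters against the limits in the table above, followed by extraction of the cookie bytes a binding would key on. This is an added example, not Nortel code. It assumes that <offset> is 1-based, that a cookie carried in the URI appears as a query parameter, and that the whole command is given on one line; the class and function names and the sample requests are constructed.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class CookiePbind:
    mode: str       # p (passive), r (rewrite) or i (insert)
    name: str       # cookie name
    offset: int     # starting point of the cookie value, 1-64 (assumed 1-based)
    length: int     # bytes to extract, 1-64; 8 or 16 in rewrite mode
    in_uri: bool    # True for e (look in the URI), False for d (HTTP header)


def parse_pbind_cookie(line: str) -> CookiePbind:
    """Validate 'pbind cookie <mode> <name> <offset> <length> <URI>'."""
    parts = line.split()
    if len(parts) != 7 or parts[:2] != ["pbind", "cookie"]:
        raise ValueError("expected: pbind cookie <mode> <name> <offset> <length> <URI>")
    mode, name, offset, length, uri = parts[2:]
    if mode not in ("p", "r", "i"):
        raise ValueError("mode must be p, r or i")
    if not (offset.isdigit() and 1 <= int(offset) <= 64):
        raise ValueError("offset must be 1-64")
    if not (length.isdigit() and 1 <= int(length) <= 64):
        raise ValueError("length must be 1-64")
    if mode == "r" and int(length) not in (8, 16):
        raise ValueError("rewrite mode requires a length of 8 or 16")
    if uri not in ("e", "d"):
        raise ValueError("URI option must be e or d")
    return CookiePbind(mode, name, int(offset), int(length), uri == "e")


def persistence_key(cfg: CookiePbind, request_uri: str, cookie_header: str):
    """Return the extracted part of the cookie value, or None if it is not usable."""
    value = None
    if cfg.in_uri:
        # Assumption: the cookie is carried as a query parameter of the same name.
        values = parse_qs(urlsplit(request_uri).query).get(cfg.name, [])
        value = values[0] if values else None
    else:
        for pair in cookie_header.split(";"):
            key, _, val = pair.strip().partition("=")
            if key == cfg.name:
                value = val
                break
    if value is None:
        return None
    start = cfg.offset - 1
    extracted = value[start:start + cfg.length]
    return extracted or None    # value shorter than the offset: nothing to bind on


if __name__ == "__main__":
    cfg = parse_pbind_cookie("pbind cookie p sid 1 8 d")
    # Constructed request header for the demonstration.
    print(persistence_key(cfg, "/index.html", "lang=en; sid=0a0b0c0d99ff"))
```

A request that yields None carries no usable persistence value.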

/cfg/slb/filt <filter number>


SLB Filter Configuration
[Filter 1 Menu]
adv      - Filter Advanced Menu
name     - Set filter name
smac     - Set source MAC address
dmac     - Set destination MAC address
ipver    - Set Filter IP version
sip      - Set source IP address
smask    - Set source subnet mask/prefix len
dip      - Set destination IP address
dmask    - Set destination subnet mask/prefix len
proto    - Set IP protocol
sport    - Set source TCP/UDP port or range
dport    - Set destination TCP/UDP port or range
action   - Set action
group    - Set real server group for redirection
rport    - Set real server port for redirection
nat      - Set which addresses are network address translated
vlan     - Set vlan id
invert   - Enable/disable filter inversion
ena      - Enable filter
dis      - Disable filter
del      - Delete filter
cur      - Display current filter configuration

The switch supports up to 2048 traffic filters. Each filter can be configured to allow, deny,
redirect or perform Network Address Translation on traffic according to a variety of address
and protocol specifications, and each physical switch port can be configured to use any combination of filters. This command is disabled by default.
There are several options available in the Filter Advanced Menu (/cfg/slb/filt/adv,
page 450) that can be used to provide more information through syslog. The types of information include:

IP protocol

TCP/UDP ports

TCP flags

ICMP message type

The following parameters are required for filtering:

Set the address, masks, and/or protocol that will be affected by the filter

Set the filter action (allow, deny, redirect, nat)

Enable the filter

Add the filter to a switch port

Enable filtering on the Nortel Application Switch port


Table 7-16 Filter Configuration Menu Options (/cfg/slb/filt)

Command Syntax and Usage


adv
Displays the Filter Advanced Menu. To view menu options, see page 450.
name <31 character name>|none
Allows the user to assign a name to a filter.
smac any|<MAC address (such as, 00:60:cf:40:56:00)>
Sets the source MAC address. The default is any.
dmac any|<MAC address (such as, 00:60:cf:40:56:00)>
Sets the destination MAC address. The default is any.
ipver v4 | v6
Sets the IP version that the filter will use. Filtering using IPv6 is only supported in bridge
mode.
sip <IP4 address (eg, 192.4.17.101)> |
<IP6 address (eg, 3001:0:0:0:0:0:abcd:1234 or 3001::abcd:1234)>
If defined, traffic with this source IP address will be affected by this filter. Specify an IP
address in dotted decimal notation for IPv4 or colon notation for IPv6, or any. A range of IP
addresses is produced when used with the smask below. The default is any if the source
MAC address is any.
smask <IP4 subnet mask (such as, 255.255.255.0)> | <IP6 prefix length (eg, 64)>
This IP address mask is used with the sip to select the traffic that this filter will affect. For more
information on producing address ranges, see Defining IP Address Ranges for Filters on page 449.

dip <IP4 address (eg, 192.4.17.101)> |
<IP6 address (eg, 3001:0:0:0:0:0:abcd:1234 or 3001::abcd:1234)>
If defined, traffic with this destination IP address will be affected by this filter. Specify an IP
address in dotted decimal notation for IPv4 or colon notation for IPv6, or any. A range of IP
addresses is produced when used with the dmask below. The default is any if the destination
MAC address is any. For more information, see Defining IP Address Ranges for Filters on
page 449.
dmask <IP4 subnet mask (such as, 255.255.255.0)> | <IP6 prefix length (eg, 64)>
This IP address mask is used with the dip to select traffic which this filter will affect.
proto any|<number>|<name>
If defined, traffic from the specified protocol is affected by this filter. Specify the protocol
number, name, or any. The default is any. Listed below are some of the well-known protocols.
Number  Name
1       icmp
2       igmp
6       tcp
17      udp
58      icmp6
89      ospf
112     vrrp

sport any|<name>|<port>|<port>-<port>
If defined, traffic with the specified TCP or UDP source port will be affected by this filter.
Specify the port number, range, name, or any. The default is any. Listed below are some
of the well-known ports:
Number  Name
20      ftp-data
21      ftp
22      ssh
23      telnet
25      smtp
37      time
42      name
43      whois
53      domain
69      tftp
70      gopher
79      finger
80      http
109     pop2
110     pop3

dport any|<name>|<port>|<port>-<port>
If defined, traffic with the specified real server TCP or UDP destination port will be affected
by this filter. Specify the port number, range, name, or any, just as with sport above. The
default is set at any.
action allow|deny|redir|nat|goto
Specifies the action this filter takes:
allow

Allow the frame to pass (by default).

deny

Discard frames that fit this filter's profile. This can be used for building basic security profiles.

redir

Redirect frames that fit this filter's profile, such as for web cache redirection. In
addition, Layer 4 processing must be activated (see the /cfg/slb/on command on
page 412).

nat

Perform generic Network Address Translation (NAT). This can be used to map the
source or destination IP address and port information of a private network scheme
to/from the advertised network IP address and ports. This is used in conjunction
with the nat option (mentioned in this table) and can also be combined with proxies.

goto

Allows the user to specify a target filter ID that the filter search should jump to
when a match occurs. The goto action causes filter processing to jump to a designated filter, effectively skipping over a block of filter IDs. The filter search
then continues from the designated filter ID.
To specify the new filter to go to, use the /cfg/slb/filt/adv/goto command.

group <real server group number (1-1024)>
This option applies only when redir is specified as the filter action. Define a real server
group (1 to 16) to which redirected traffic will be sent. The default is group 1.
rport <real server port (0-65535)>
This option applies only when redir is specified as the filter action. This defines the real
server TCP or UDP port to which redirected traffic will be sent. For valid Layer 4 health
checks, this must be configured whenever TCP protocol traffic is redirected. Also, if transparent proxies are used for Network Address Translation (NAT) on the Nortel Application Switch
(see the pip option in Table 7-28 on page 463), rport must be configured for all Application Redirection filters. The default is set at 0.
nat source|dest
When nat is set as the filter action (see above), this command specifies whether Network
Address Translation (NAT) is performed on the source or the destination information. Destination (dest) is the default setting. If source is specified, the frame's source IP
address (sip) and port number (sport) are replaced with the dip and dport values. If
dest is specified, the frame's destination IP address (dip) and port number (dport) are
replaced with the sip and sport values.

vlan any|<VLAN ID (1 - 4090)>
Sets the ID of the VLAN that is to be filtered. This option allows you to match the VLAN ID
of the switch against the VLAN ID of the incoming packet. The default is any, which means
the switch will match any VLAN ID of the incoming packet.
This command allows filters to be configured on a per-VLAN basis, and applies a filter to a
VLAN that has already been configured. A VLAN has a set of member ports, but applying
this filter to a VLAN does not apply it to all the member ports of that VLAN.
You have to manually add the filter to the port.
invert disable|enable
Inverts the filter logic. If the conditions of the filter are met, don't act. If the conditions for the
filter are not met, perform the assigned action. This option is disabled by default.
When using filter inversion for IPv6, be aware that Neighbor Solicitations (NSol) are filtered
out if no appropriate NSol filter was set up before inversion.
ena
Enables this filter.
dis
Disables this filter.
del
Deletes this filter.
cur
Displays the current configuration of the filter.

Defining IP Address Ranges for Filters


You can specify a range of IP addresses for filtering on the source and/or destination IP address
of traffic. When a range of IP addresses is needed, the sip (source) or dip (destination)
defines the base IP address in the desired range, and the smask (source) or dmask (destination) is the mask which is applied to produce the range.
For example, to determine if a client request's destination IP address should be redirected to
the cache servers attached to a particular switch, the destination IP address is masked (bitwise
AND) with the dmask and then compared to the dip.


As another example, you could configure the switch with two filters so that each would
handle traffic filtering for one half of the Internet. To do this, you could define the following
parameters:
Table 7-17 Filtering IP Address Ranges

Filter  Internet Address Range         dip         dmask
#1      0.0.0.0 - 127.255.255.255      0.0.0.0     128.0.0.0
#2      128.0.0.0 - 255.255.255.255    128.0.0.0   128.0.0.0
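
The masked compare described above, together with the invert option and goto action from Table 7-16, modelled in Python as an added example (not Nortel code). The ascending filter-ID search with the first hit winning, the forward-only goto guard, the lint check, the redir action on the Table 7-17 filters and all sample rules are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


def ip(text):
    """Dotted-decimal IPv4 address as a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


@dataclass
class Filter:
    fid: int
    action: str               # allow | deny | redir | nat | goto
    sip: str = "0.0.0.0"      # base 0.0.0.0 with mask 0.0.0.0 models "any"
    smask: str = "0.0.0.0"
    dip: str = "0.0.0.0"
    dmask: str = "0.0.0.0"
    invert: bool = False
    goto: int = 0             # target filter ID when action == "goto"

    def matches(self, src, dst):
        # AND the packet address with the mask, then compare to the base.
        cond = ((ip(src) & ip(self.smask)) == ip(self.sip)
                and (ip(dst) & ip(self.dmask)) == ip(self.dip))
        # invert: the filter acts when its conditions are NOT met.
        return cond != self.invert

    def lint(self):
        """Flag a base address with bits set outside its mask."""
        notes = []
        for name, base, mask in (("sip", self.sip, self.smask),
                                 ("dip", self.dip, self.dmask)):
            if ip(base) & ~ip(mask) & 0xFFFFFFFF:
                notes.append(f"filter {self.fid}: {name} {base} has bits outside "
                             f"mask {mask}, so the masked compare is never equal")
        return notes


def evaluate(filters, src, dst):
    """Return (filter ID, action) for the first filter hit, else (None, None)."""
    resume_at = 0             # lowest filter ID still eligible after a goto
    for f in sorted(filters, key=lambda f: f.fid):
        if f.fid < resume_at or not f.matches(src, dst):
            continue
        if f.action != "goto":
            return f.fid, f.action
        if f.goto <= f.fid:   # guard in this model only: goto must skip forward
            raise ValueError(f"filter {f.fid}: goto {f.goto} does not skip forward")
        resume_at = f.goto
    return None, None


# Table 7-17: two filters that split the IPv4 space in half (action is constructed).
TABLE_7_17 = [
    Filter(1, "redir", dip="0.0.0.0", dmask="128.0.0.0"),
    Filter(2, "redir", dip="128.0.0.0", dmask="128.0.0.0"),
]

# Constructed rule set: 10.0.0.0/8 clients jump over the deny block to filter 100,
# which uses invert to deny every source that is NOT in 10.1.0.0/16.
RULES = [
    Filter(10, "goto", sip="10.0.0.0", smask="255.0.0.0", goto=100),
    Filter(20, "deny", dip="192.0.2.0", dmask="255.255.255.0"),
    Filter(100, "deny", sip="10.1.0.0", smask="255.255.0.0", invert=True),
    Filter(200, "allow"),
]

# Constructed misconfiguration: host bits left in dip under a 255.255.255.0 mask.
BROKEN = Filter(30, "deny", dip="192.0.2.5", dmask="255.255.255.0")

if __name__ == "__main__":
    for src, dst in [("10.1.5.5", "192.0.2.7"), ("10.2.0.1", "192.0.2.7"),
                     ("203.0.113.4", "192.0.2.7")]:
        print(src, "->", dst, evaluate(RULES, src, dst))
    print(BROKEN.lint())
```

Under a literal reading of the compare, the BROKEN deny filter never fires, even for 192.0.2.5 itself, which is the kind of silent gap worth checking for when reviewing a filter set.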

/cfg/slb/filt <filter number>/adv


Advanced Filter Configuration
[Filter 1 Advanced Menu]
8021p    - 802.1p Advanced Menu
tcp      - TCP Advanced Menu
ip       - IP Advanced Menu
layer7   - Layer 7 Advanced Menu
proxyadv - Proxy Advanced Menu
redir    - Redirection Advanced Menu
security - Security Menu
icmp     - Set ICMP message type
cont     - Set BW contract
revcont  - Set BW contract for the reverse session
tmout    - Set NAT or L7 lookup session timeout
idsgrp   - Set IDS server group for intrusion detection SLB
idshash  - Set hash parameter for intrusion detection SLB
thash    - Set hash parameter for Filter
goto     - Set GOTO filter ID
reverse  - Enable/disable creating session reverse side traffic
cache    - Enable/disable caching sessions that match filter
log      - Enable/disable logging
mirror   - Enable/disable session mirroring
cur      - Display current advanced filter configuration


Table 7-18 Advanced Filter Menu (/cfg/slb/filt/adv)


Command Syntax and Usage
8021p
Displays the 802.1p Advanced Menu. IEEE 802.1p is the specification for prioritizing
network traffic at the Layer 2 level in your switch. Using this command you can preserve
802.1p bits in all the frames that pass through the switch.
To view menu options, see page 453.


tcp
Displays the TCP Flags advanced menu. To view menu options, see page 453.
ip
Displays the IP Advanced Menu. To view menu options, see page 454.
layer7
Displays Layer7 advanced menu. To view menu options, see page 457.
proxyadv
Displays the Proxy Advanced Menu. To view menu options, see page 460.
icmp any|<number>|<type; "icmp list" for list>
Sets the ICMP message type. The default is set at any. For a list of ICMP message types, see
Table 7-22 on page 455. For a detailed description of filtering and ICMP, see the Nortel Application Switch Operating System 23.0.2 Application Guide.
cont <BWM Contract (1-1024)>
Sets the Bandwidth Management Contract. By default, the contract number is set at 1024.
revcont <BW Contract (1-1024)>
Sets the Bandwidth Management contract for the reverse traffic session. This command helps you
assign a different Bandwidth management contract from the one configured on the ingress filter.
tmout <even number of minutes (4-32768)>
Sets the session timeout in an even number of minutes. The default is set at 4 minutes.
idsgrp <real server group number (1-1024)>|none
Sets the IDS server group for intrusion detection server load balancing. When filtering is used for
IDSLB, each filter added to an IDSLB-enabled port can be assigned a unique IDS real server
group.
idshash sip|dip|both
Sets the hash metric parameter for Intrusion Detection System Server Load Balancing: source IP
(sip), destination IP (dip), or both.

thash auto|sip|dip|both|sip+sport
Allows you to choose the hash parameter to use for filter redirection. The default is auto. The sip
option allows you to perform tunable hash on source IP address for this filter. The option dip
allows you to perform tunable hash on destination IP address for this filter. The option both
allows you to perform tunable hash on both source IP address and the destination IP address at the
same time. The option sip+sport allows you to perform tunable hash on both source IP address
and source port at the same time.
goto <filter ID>
Allows the user to specify a target filter ID that the filter search should jump to when a match
occurs. Filter searching will then continue from the designated filter ID. Use this command to
specify the new filter to go to. In order to use this feature, the action on this filter must be set to
goto.
reverse disable|enable
Enables or disables the creation of a session for traffic coming from the reverse side.
This command allows for the creation of a session entry for reverse traffic to avoid
inspecting traffic in both directions.
cache disable|enable
Enables or disables caching sessions that match the filter. Exercise caution while applying cache-enabled and cache-disabled filters to the same switch port. A cache-enabled filter creates a session
entry in the switch, so that the switch can bypass checking for subsequent frames that match the
same criteria. Cache is enabled by default.
Note: Cache should be disabled if applying a filter to virtual server IP address while performing
UDP load balancing (see udp disable|enable|stateless on page 438).
log disable|enable
Enables or disables generating of syslog messages when a filter is hit. This option is disabled by
default.
mirror disable|enable
Enables or disables session mirroring.
cur
Displays the current advanced filter configuration.


/cfg/slb/filt <filter number>/adv/8021p


802.1p Advanced Menu
This feature provides the Nortel Application Switch Operating System the capability to filter
IP packets based on the 802.1p bits in the packet's VLAN header. The 802.1p bits specify the
priority that you should give to the packets while forwarding them. Packets with higher
(non-zero) priority bits are given forwarding preference over packets with a numerically lower
priority bits value.
[802.1p Advanced Menu]
value   - Set 802.1p value
match   - Enable/disable 802.1p value matching
cur     - Display current 802.1p configuration

Table 7-19 8021p Advanced Menu Options (/cfg/slb/filt/adv/8021p)


Command Syntax and Usage
value <0-7>
Defines 802.1p value. The value is the priority bits information in the packet structure.
match disable|enable
Enables or disables matching of 802.1p value. When the Management Processor needs to reuse the
packet to send to the destination, the switch matches the original priority bits information with the
priority bits information after the frame processing is complete.
cur
Displays current 802.1p configuration.

/cfg/slb/filt <filter number>/adv/tcp


Advanced Filter TCP Configuration
[TCP Advanced Menu]
urg     - Enable/disable TCP URG matching
ack     - Enable/disable TCP ACK matching
psh     - Enable/disable TCP PSH matching
rst     - Enable/disable TCP RST matching
syn     - Enable/disable TCP SYN matching
fin     - Enable/disable TCP FIN matching
ackrst  - Enable/disable TCP ACK or RST matching
cur     - Display current TCP configuration


These commands can be used to configure packet filtering for specific TCP flags.
Table 7-20 Advanced Filter TCP Menu (/cfg/slb/filt/adv/tcp)
Command Syntax and Usage
urg disable|enable
Enables or disables TCP URG (urgent) flag matching. By default, this option is disabled.
ack disable|enable
Enables or disables TCP ACK (acknowledgement) flag matching. By default, this option is disabled.
psh disable|enable
Enables or disables TCP PSH (push) flag matching. By default, this option is disabled.
rst disable|enable
Enables or disables TCP RST (reset) flag matching. By default, this option is disabled.
syn disable|enable
Enables or disables TCP SYN (synchronize) flag matching. By default, this option is disabled.
fin disable|enable
Enables or disables TCP FIN (finish) flag matching. By default, this option is disabled.
ackrst disable|enable
Enables or disables TCP acknowledgement or reset flag matching. By default, this option is
disabled.
cur
Displays the current Access Control List TCP filter configuration.

/cfg/slb/filt <filter number> /adv/ip


IP Advanced Menu
[IP Advanced Menu]
tos     - Set IP Type of Service
tmask   - Set IP TOS mask
newtos  - Set new IP TOS
length  - Set IP maximum packet length
option  - Enable/disable IP option matching
cur     - Display current IP configuration


Table 7-21 IP Advanced Menu Options (/cfg/slb/filt #/adv/ip)


Command Syntax and Usage
tos <0-255>
Sets IP type of service (ToS) and the value of the type of service. For more information on ToS,
refer to RFC 1340 and 1349.
tmask <0-255>
Sets IP type of service mask.
newtos <0-255>
Sets new IP type of service.
length <IP packet length (in bytes), 64-65535>|any
Defines the limit of the IP packet's length, including the IPv4 or IPv6 IP header. Any packet equal to
or exceeding the specified length will not match the filter. This option supports both IPv4 and IPv6
packets.
option disable|enable
Enables or disables IP option matching.
cur
Displays the current advanced IP settings for the selected filter.

ICMP Message Types


The following ICMP message types are used with the /cfg/slb/filt/adv/icmp command. You can list all ICMP message types with the /cfg/slb/filt/adv/icmp list
command.
Table 7-22 ICMP Message Types

Type #  Message Type  Description
0       echorep       ICMP echo reply
3       destun        ICMP destination unreachable
4       quench        ICMP source quench
5       redir         ICMP redirect
8       echoreq       ICMP echo request
9       rtradv        ICMP router advertisement
10      rtrsol        ICMP router solicitation
11      timex         ICMP time exceeded
12      param         ICMP parameter problem
13      timereq       ICMP timestamp request
14      timerep       ICMP timestamp reply
15      inforeq       ICMP information request
16      inforep       ICMP information reply
17      maskreq       ICMP address mask request
18      maskrep       ICMP address mask reply


/cfg/slb/filt <filter number> /adv/layer7


Layer 7 Advanced Filter Configuration Menu
[Layer 7 Advanced Menu]
sip      - Layer 7 SIP Menu
urlcont  - Set BW cont of an URL path specific to this filter
addrd    - Add HTTP redirection mapping
remrd    - Remove HTTP redirection mapping
addstr   - Add string for layer 7 filtering
remstr   - Remove string for layer 7 filtering
rdsnp    - Enable/disable WAP RADIUS Snooping
rdswap   - Enable/disable RADIUS/WAP Persistence
ftpa     - Enable/disable active FTP NAT
l7lkup   - Enable/disable layer 7 content lookup
parseall - Enable/disable layer 7 lookup (parsing) of all packets
cur      - Display current layer 7 configuration

Table 7-23 Layer 7 Advanced Filter Menu Options (/cfg/slb/filt/adv/layer7)


Command Syntax and Usage
sip
Go to the Layer 7 SIP menu. To view the menu options, see page 459.
urlcont <URL path ID> <BW contract>
Sets the URL path BW contract for this filter. Only use this command when a string is shared by
multiple filters and each filter requires a separate bandwidth.
addrd [1>2]
Adds an HTTP redirection mapping. Strings are defined under: /cfg/slb/layer7/slb/add.
This command tells the filter that if it matches on the first string ID, it should send an HTTP redirection message back to the client that contains the information in the second string ID.
remrd <string id to redirect from (1-1024)> <string id to redirect to (2-1024)>
Removes an HTTP redirection mapping that was added using the addrd command described
above.
addstr <string id (1-1024)>
Adds the string ID to this filter for L7 filtering. The string is defined under: /cfg/slb/layer7/slb/add.
remstr <string id (1-1024)>
Removes the string ID for Layer 7 filtering. The string is defined under: /cfg/slb/layer7/slb/add.

rdsnp disable|enable
Enables or disables WAP RADIUS snooping on this filter.
RADIUS snooping allows the Nortel Application Switch Operating System to examine
RADIUS accounting packets for client information. This information is needed to add
or delete static session entries in the switch's session table so that it can perform the
required persistency for load balancing. For more details, please refer to your Application Guide.
rdswap enable|disable
Enables or disables WAP RADIUS persistence on this filter. This feature allows for RADIUS and
WAP persistence by binding both (RADIUS accounting and WAP) sessions to the same server.
A WAP client is first authenticated by the RADIUS server on UDP port 1812. The server replies
with a Radius Accept or Reject frame. The switch forwards this reply to the RAS. After the RAS
receives the Radius accept packet, it sends a RADIUS accounting start packet on UDP port 1813 to
the bound server. The application switch snoops on the RADIUS accounting start packet for the
framed IP address attribute. The framed IP address attribute is used to rebind the RADIUS
accounting session to a new server. For more details, please refer to your Application Guide.
ftpa disable|enable
Enables or disables active FTP Client Network Address Translation (NAT). When a client in
active FTP mode sends a PORT command to a remote FTP server, the switch will look into the
data part of the frame and replace the client's private IP address with a proxy IP (PIP) address.
The real server port (RPORT) will be replaced with a proxy port (PPORT), that is PIP:PPORT. By
default, this option is disabled.
l7lkup disable|enable
Enables or disables layer 7 lookup on this filter. This command replaces the urlp and l7deny
commands found in earlier releases of Nortel Application Switch Operating System. When
enabled, the filter performs a lookup on layer 7 content such as HTTP strings or headers. When
combined with a filter action (for example, deny, redir), this feature enables content-intelligent
redirection or content-intelligent deny filtering.
parseall disable|enable
Enables or disables parsing of all packets in a session where layer 7 lookup is being performed.
This command is enabled by default, and normally all data packets in a session are examined by
the filter.
However, some sessions may contain only one packet containing the layer 7 content. Once this
packet is found, subsequent packets can be ignored. When parseall is disabled, layer 7 lookup
is turned off for the remaining packets in the session.
cur
Displays the current advanced Layer 7 configuration of the filter including the Radius/Wap persistence settings.


/cfg/slb/filt <num> /adv/layer7/sip


Layer 7 SIP Menu
[Layer 7 SIP Menu]
rtpcont - Set BW contract for the SIP RTP sessions
sipp    - Enable/disable SIP parsing
cur     - Display current SIP configuration

Table 7-24 Layer 7 SIP Menu Options (/cfg/slb/filt/adv/layer7/sip)


Command Syntax and Usage
rtpcont <BW contract>
Set BW contract for the SIP RTP sessions.
sipp enable|disable
Enable or disable SIP parsing.
cur
Displays the current advanced SIP configuration.


/cfg/slb/filt/adv/proxyadv
Proxy Advanced Menu
[Proxy Advanced Menu]
proxyip - Set client proxy IP address
epip    - Enable/disable pip selection based egress port/vlan
proxy   - Enable/disable client proxy
cur     - Display current proxy configuration

Table 7-25 Proxy Advanced Menu Options


Command Syntax and Usage
proxyip <IP_address>
Set the client proxy IP_address.
epip enable|disable
Enable or disable PIP selection based on the outgoing port or VLAN.
proxy enable|disable
Enable or disable client proxy.
cur
Shows all Proxy statistics.

/cfg/slb/filt <filter number> /adv/security


SLB Filter Advanced Security Menu
[Security Menu]
ratelim  - Rate Limiting Menu
addgrp   - Add pattern match group for layer 7 filtering
remgrp   - Remove pattern match group for layer 7 filtering
pmatch   - Enable/disable pattern matching
matchall - Enable/disable match-all criteria for layer 7 filtering
parsechn - Enable/disable chained pgroup match criteria for l7 filtering
parseall - Enable/disable pattern string lookup (parsing) of all packets
cur      - Display current Security configuration


Table 7-26 Layer 7 Advanced Filter Menu Options (/cfg/slb/filt/adv/security)


Command Syntax and Usage
ratelim
Displays the Rate Limiting Menu. Protocol-based rate limiting limits the traffic coming from
specific clients based on the IP address of the client. This feature enables the switch to detect and
block UDP or ICMP-based DoS attacks that slow down or incapacitate the servers. Currently, the
switch allows rate limiting to be enabled on TCP, UDP, and ICMP protocols. To view menu
options see page 462.
addgrp <pattern match group id>
Adds a pattern group to this filter. Pattern groups are added using the /cfg/security/pgroup/add command.
remgrp <pattern match group id>
Removes a pattern group from this filter.
pmatch disable|enable
Enables or disables pattern matching on this filter.
matchall disable|enable
Enables or disables matching of all configured patterns before the filter can perform the
deny action.
parsechn enable|disable
Enable/disable chained pgroup match criteria for l7 filtering.
parseall disable|enable
Enables or disables pattern string lookup (parsing) of all packets in a session where pattern matching is being performed. This command is enabled by default, and normally all data packets in a
session are examined by the filter.
However, some sessions may contain only one packet containing the layer 7 content. Once this
packet is found, subsequent packets can be ignored. When parseall is disabled, pattern matching is turned off for the remaining packets in the session.
cur
Displays the current configuration.


/cfg/slb/filt <filter number> /adv/security/ratelim


Advanced Security Rate Limiting Configuration Menu
[Rate Limiting Menu]
maxconn - Set maximum connections for rate limiting
timewin - Set time window for rate limiting
holddur - Set hold down duration for rate limiting
ena     - Enable TCP, UDP, or ICMP rate limiting
dis     - Disable TCP, UDP, or ICMP rate limiting
cur     - Display current rate limiting configuration

Table 7-27 Rate Limiting Advanced Menu Options (/cfg/slb/filt/adv/security/ratelim)
Command Syntax and Usage
maxconn <# of connections in units of 10 (0-255)>
Defines maximum connections for rate limiting.
timewin <seconds, 1-65535>
Defines time window for rate limiting. A time window is a configured period of time (in seconds)
during which packets are allowed to be received. The time window can be configured per filter and
not globally on all the filters.
holddur <minutes, 2-65535>
Defines hold down duration for rate limiting. When the number of new connections or packets
exceeds the configured limit, any new TCP connection requests or UDP/ICMP packets from the
client are blocked. When blocking occurs, the client is said to be held down. The client is held
down for a specified number of minutes, after which new TCP connection requests or packets from
the client are allowed once again to pass through. The hold-down duration can be configured per
filter and not globally on all the filters.
ena
Enables the protocol for rate limiting. Rate limiting is applied to the protocol configured on the filter. The supported protocols are: TCP, UDP, and ICMP.
dis
Disables TCP, UDP, or ICMP rate limiting.
cur
Displays the current rate limiting configuration.
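
How maxconn, timewin and holddur interact, as an added Python model (not Nortel code). Per-client counting, the units-of-10 limit and the hold-down come from Table 7-27; the fixed (non-sliding) window, blocking of the packet that crosses the limit, and the sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class RateLimit:
    maxconn: int      # units of 10 connections (0-255)
    timewin: int      # seconds (1-65535)
    holddur: int      # minutes (2-65535)
    windows: dict = field(default_factory=dict)   # client IP -> [window start, count]
    held: dict = field(default_factory=dict)      # client IP -> release time (s)

    def __post_init__(self):
        if not (0 <= self.maxconn <= 255 and 1 <= self.timewin <= 65535
                and 2 <= self.holddur <= 65535):
            raise ValueError("value outside the range given in Table 7-27")

    @property
    def limit(self):
        """Connections or packets allowed per time window."""
        return self.maxconn * 10

    def admit(self, client, now):
        """True if a new connection or packet from client passes at time now."""
        release = self.held.get(client)
        if release is not None:
            if now < release:
                return False                 # client is still held down
            del self.held[client]            # hold-down expired, start fresh
            self.windows.pop(client, None)
        win = self.windows.setdefault(client, [now, 0])
        if now - win[0] >= self.timewin:     # assumption: fixed window restarts
            win[0], win[1] = now, 0
        win[1] += 1
        if win[1] > self.limit:              # limit exceeded: block and hold down
            self.held[client] = now + self.holddur * 60
            return False
        return True


def replay(limiter, events):
    """events: iterable of (time in seconds, client IP).

    Returns {client: [passed, blocked]} after feeding events in time order.
    """
    totals = {}
    for now, client in sorted(events):
        row = totals.setdefault(client, [0, 0])
        row[0 if limiter.admit(client, now) else 1] += 1
    return totals


def sample_events():
    """Constructed traffic: one bursting client and one steady client."""
    # 50 new connections in 5 seconds, then a single retry at t=130 s.
    burst = [(i / 10, "198.51.100.7") for i in range(50)]
    burst.append((130.0, "198.51.100.7"))
    # One new connection every 3 seconds.
    steady = [(i * 3.0, "203.0.113.20") for i in range(10)]
    return burst + steady


if __name__ == "__main__":
    # maxconn 2 -> 20 connections per 10 s window, 2 minute hold-down.
    limiter = RateLimit(maxconn=2, timewin=10, holddur=2)
    for client, (passed, blocked) in replay(limiter, sample_events()).items():
        print(f"{client}: passed={passed} blocked={blocked}")
```

With these settings the bursting client is cut off at its 21st connection and stays blocked until the 2 minute hold-down ends, while the steady client is never affected.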


/cfg/slb/port <port number>


Port SLB Configuration
[SLB port 1 Menu]
client  - Enable/disable client processing
server  - Enable/disable server processing
rts     - Enable/disable RTS processing
hotstan - Enable/disable hot-standby processing
intersw - Enable/disable inter-switch processing
proxy   - Enable/disable use of PIP for ingress traffic
filt    - Enable/disable filtering
add     - Add filter to port
rem     - Remove filter from port
idslb   - Enable/disable intrusion detection server load balancing
cur     - Display current port configuration

Nortel Application Switch Operating System switch software allows you to enable or disable
processing independently for each type of Layer 4 traffic (client and server) on a per port
basis, expanding your topology options.
NOTE When changing the filters on a given port, it may take some time before the port session information is updated so that the filter changes take effect. To make port filter changes
take effect immediately, clear the session binding table for the port (see the clear command
in Table 8-3 on page 502).
Table 7-28 Port Configuration Menu Options (/cfg/slb/port)
Command Syntax and Usage
client disable|enable
For Server Load Balancing, the port can be enabled or disabled to process client Layer 4 traffic. Ports
configured to process client request traffic bind servers to clients and provide address translation
from the virtual server IP address to the real server IP address, re-mapping virtual server IP addresses
and port values to real server IP addresses and ports. Traffic not associated with virtual servers is
switched normally. Maximizing the number of these ports on the Layer 4 switch will improve the
switch's potential for effective Server Load Balancing. This option is disabled by default.
server disable|enable
Ports configured to provide real server responses to client requests require real servers to be connected to the Layer 4 switch, directly or through a hub, router, or another switch. When server processing is enabled, the switch port re-maps real server IP addresses and Layer 4 port values to
virtual server IP addresses and Layer 4 ports. Traffic not associated with virtual servers is switched
normally. This option is disabled by default.



rts disable|enable
Enables or disables Return to Sender (RTS) load balancing on this port. This option is used for
firewall load balancing or VPN load balancing applications. Enable rts on all client-side ports to
ensure that traffic ingresses and egresses through the same port. This option is disabled by default.
For more information on using rts, see the Firewall Load Balancing and VPN Load Balancing chapters in the Nortel Application Switch Operating System 23.0.2 Application Guide.
hotstan disable|enable
Enables or disables hot-standby processing. Use this option and the intersw option in conjunction with VRRP hot-standby failover. This option is disabled by default.
intersw disable|enable
Enables or disables inter-switch processing. This option is enabled for ports connected to a peer
switch and is disabled by default.
proxy disable|enable
Enables or disables a proxy for traffic that ingresses this port. When the PIP is defined, client
address information in Layer 4 requests is replaced with this proxy IP address.
In Server Load Balancing applications, this forces response traffic to return through the switch,
rather than around it, as is possible in complex routing environments.
Proxies are also useful for Application Redirection and Network Address Translation (NAT).
When pip is used with Application Redirection filters, each filter's rport parameter must also
be defined (see rport on page 446). This option is disabled by default.
filt disable|enable
Enables or disables filtering on this port. Enabling the filter sets up the Real Server to look into the
VPN session table. This option is disabled by default.
add <filter ID (1 to 2048)|block of IDs (first-last)>
Adds a filter or a block of filters for use on this port. Enter filter ID (1 to 2048) or a contiguous
block of filter IDs. For example, 1-100.
rem <filter ID (1 to 2048)|block of IDs (first-last)>
Removes a filter or a block of filters from use on this port. Enter filter ID (1 to 2048) or a
contiguous block of filter IDs. For example, 1-100.
idslb disable|enable
Enables or disables Intrusion Detection System Server Load Balancing on this port. In Nortel
Application Switch Operating System 23.0.2, IDSLB is done at the end of filter processing or at
the end of client processing where filtering is not enabled. In the case of client processing, IDSLB
is enabled on a port and a real server group is designated for IDSLB. This option is disabled by
default.
cur
Displays the current system parameters.

/cfg/slb/gslb
Global SLB Configuration
Global Server Load Balancing (GSLB) at any given site performs periodic SLB health checks
to determine the health and response time of the remote real server corresponding to the virtual
server at the remote site. GSLB uses the health and response time to select the server in the
GSLB selection engine. In addition, GSLB sends the health and response time together with
the local session and CPU utilization information that are collectively known as remote site
updates. The switch performs this periodically on every remote site using Distributed Site
State Protocol (DSSP). DSSP is a proprietary protocol that resides above TCP.
For more information, please refer to your Application Guide.
[Global SLB Menu]
site     - Remote Site Menu
network  - Network Preference Menu
rule     - Rule Menu
version  - Set DSSP version 1 or 2 to send out remote site updates
port     - Set TCP port number for DSSPv2 remote site updates
sinter   - Set interval in seconds for remote site updates
sesscap  - Set sessions utilization capacity threshold (DSSPv2)
cpucap   - Set CPU utilization capacity threshold (DSSPv2)
smask    - Set source IP subnet mask for DNS persistence cache
timeout  - Set timeout in minutes for DNS persistence cache
mincon   - Set sessions available capacity threshold
noresp   - Set DNS response code when no server is returned
dns      - Enable/disable authoritative DNS direct based GSLB
hostlk   - Enable/disable virtual service hostname matching
http     - Enable/disable HTTP redirect based GSLB
usern    - Enable/disable HTTP redirect to remote real server name
norem    - Enable/disable no remote real SLB
encrypt  - Enable/disable encrypting remote site updates
on       - Globally turn Global SLB ON
off      - Globally turn Global SLB OFF
cur      - Display current Global SLB configuration

Table 7-29 Global SLB Menu Options (/cfg/slb/gslb)


Command Syntax and Usage
site <remote site (1-64)>
Displays the menu for a remote site. To view menu options, see page 467.
network <network (1-128)>
Displays Network Preference Menu. To view menu options, see page 469.

rule <rule (1-128)>
Displays the Rule Menu. To view menu options, see page 470.
version <DSSP version 1 or 2>
Defines the version of Distributed Site State Protocol (DSSP) that is used to send out the
remote site updates.
port <TCP port number>
Sets the TCP port number for remote site updates for Global server load balancing. The default
TCP port is 80.
sinter <remote site updates interval in seconds, 10-7200>
Sets the time interval in seconds for remote site updates. The range is between 10 and 7200 seconds.
sesscap <Session utilization capacity threshold (1-100)>
Sets the threshold for session utilization capacity. The default configuration is 90%.
cpucap <CPU utilization capacity threshold (1-100)>
Sets the threshold for the CPU utilization capacity. The default configuration is 90%.
smask <set IP4 subnet mask (eg, 255.255.255.0)> OR
smask <set IP6 prefix len (eg, 64)>
Set source IP subnet mask for DNS persistence cache.
timeout <timeout in minutes, 1-1440>
Set timeout in minutes for DNS persistence cache.
mincon <available sessions threshold, 0-65535>
Defines the capacity threshold for the sessions available on the real server for GSLB.
dns disable|enable
Enables or disables DNS direct-based GSLB. This option is enabled by default.
hostlk disable|enable
Enables or disables lookups based on host or domain name in a GSLB configuration. When
enabled, the hostname specified in the Virtual Service configuration, in addition to the domain
name, will be used to resolve the IP address for the domain. When disabled, only the domain name
will be used to match.
http disable|enable
Enables or disables HTTP redirects to peer sites by this switch. When enabled (default), this switch
will redirect client requests to peer sites if its own real servers fail or have reached their maximum
connection limits. If disabled, the switch will not perform HTTP Redirects, but will instead drop
requests for new connections and cause the client's browser to eventually issue a new DNS
request.

usern disable|enable
Enables or disables an HTTP redirect to a real server name. When a site redirects a client to
another site using an HTTP redirect, the client is redirected to the new site's IP address. This option
is disabled by default. If usern is enabled, the client will be redirected to the domain name specified by the remote real server name plus virtual server domain name:
<remote real server name> <virtual server domain name>
norem
This command enables or disables no-remote real server load balancing. If enabled, the switch will
not do remote real server load balancing for non-HTTP protocols. For HTTP protocols, if you want
to do no-remote-real-server load balancing, you need to disable the http parameter in the same
menu.
encrypt
This command enables or disables encrypting of DSSP updates. If disabled, the switch will not
encrypt the DSSP messages going out of the switch. This option allows the GSLB feature to work
with older versions of Web OS that do not encrypt DSSP messages.
on
Activates Global Server Load Balancing (GSLB) for this switch. This option can be performed
only once the optional GSLB software is activated (refer to Activating Optional Software on
page 509).
off
Turns GSLB off for this switch. Any active remote sites will still perform GSLB services with
each other, but will not hand off requests to this switch. By default, GSLB is turned off.
cur
Displays the current Global SLB configuration.

/cfg/slb/gslb/site <site number>


GSLB Remote Site Configuration
The switch initiates a global server selection to direct client traffic to the best server for a given
domain. Each domain has one or more sites. Each site has a virtual server for the domain. Each
virtual server has a number of virtual services. Each virtual service has a group of real servers.
Each virtual server has a domain name. Each virtual service has a host name. The combination
of a virtual server and a virtual service is called a domain.

At a local site for a domain, there is a local virtual server but no remote virtual server. The
local virtual server has a number of local virtual services. Each local virtual service has a group
of local or remote real servers. The remote real servers are the virtual servers at the remote
sites.
[Remote site 1 Menu]
prima    - Set primary switch IP address of remote site
secon    - Set secondary switch IP address of remote site
name     - Set remote site name
update   - Enable/disable remote site updates
ena      - Enable remote site
dis      - Disable remote site
del      - Delete remote site
cur      - Display current remote site configuration

Up to 64 remote sites can be configured.


Table 7-30 GSLB Remote Site Menu Options (/cfg/slb/gslb/site)
Command Syntax and Usage
prima <server IP address>
Defines the IP interface IP address of the primary switch at the remote site used for Global Server
Load Balancing. Use dotted decimal notation.
secon <server IP address>
If the remote site is configured with a redundant switch, enter the IP address of the IP interface for
the remote secondary switch here. If the remote site primary switch fails, the local switch will
address the remote site secondary switch instead.
name <31 character name>|none
Sets the name of the remote site. The default is set at none.
update disable|enable
Enables or disables remote site updates. If enabled (default), this switch will send regular Distributed Site State Protocol (DSSP) updates to its remote peers using HTTP port 80. If disabled, the
switch will not send state updates. If your local firewall does not permit this traffic, disable the
updates.
Note: When update is enabled, Global Server Load Balancing uses service port 80 on the IP interface for DSSP updates. By default, the Nortel Application Switch Operating System Web-based interface also uses port 80. Both services cannot use the same port. If both are enabled, configure the Nortel Application Switch Operating System Browser-Based Interface (BBI) to use a
different service port (see the /cfg/sys/access/wport option on page 288).
ena
Enables this remote site for use with Global Server Load Balancing.

dis
Disables this remote site. The switch will no longer use this remote site for Global Server Load
Balancing.
del
Removes this remote site from operation and deletes its configuration.
cur
Displays the current remote site configuration.
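
The following check is an added example, not part of the Nortel reference: it audits the remote site update (DSSP) settings described in Tables 7-29 and 7-30 for the port 80 clash with the BBI, for unencrypted updates, and for an out-of-range sinter value. The flat "<menu path> <value>" input layout, the site/<n>/ path form and the bbi_enabled parameter are assumptions made for the example; the sample values are constructed.

```python
"""Audit GSLB remote-site update (DSSP) settings against this section's constraints."""

# Defaults stated in this section of the reference.
DEFAULT_DSSP_PORT = 80   # /cfg/slb/gslb/port
DEFAULT_BBI_PORT = 80    # BBI service port, changed with /cfg/sys/access/wport

# Constructed sample. One "<menu path> <value>" pair per line; this layout is
# an assumption for the example, not the switch's configuration dump format.
SAMPLE = """\
/cfg/slb/gslb on
/cfg/slb/gslb/encrypt disable
/cfg/slb/gslb/sinter 5
/cfg/slb/gslb/site/1/update enable
/cfg/slb/gslb/site/2/update disable
/cfg/slb/gslb/site/3/prima 192.0.2.30
"""

SITE_PREFIX = ["", "cfg", "slb", "gslb", "site"]


def parse(text):
    """Turn '<path> <value>' lines into a dict, skipping blanks and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, _, value = line.partition(" ")
        settings[path] = value.strip()
    return settings


def sites_sending_updates(settings):
    """Configured remote sites whose update option is enabled (the stated default)."""
    sites = set()
    for path in settings:
        parts = path.split("/")
        if parts[:5] == SITE_PREFIX and len(parts) >= 6 and parts[5].isdigit():
            sites.add(int(parts[5]))
    return sorted(
        s for s in sites
        if settings.get(f"/cfg/slb/gslb/site/{s}/update", "enable") == "enable"
    )


def audit(settings, bbi_enabled=True):
    """Return a list of (code, message) findings for the DSSP update path."""
    findings = []
    # GSLB is off by default; with GSLB off this switch sends no site updates.
    if settings.get("/cfg/slb/gslb", "off") != "on":
        return findings

    senders = sites_sending_updates(settings)
    if senders:
        dssp_port = int(settings.get("/cfg/slb/gslb/port", DEFAULT_DSSP_PORT))
        bbi_port = int(settings.get("/cfg/sys/access/wport", DEFAULT_BBI_PORT))
        # The reference states both services cannot share a service port.
        if bbi_enabled and dssp_port == bbi_port:
            findings.append((
                "port-conflict",
                f"DSSP updates and the BBI both use TCP port {dssp_port}; "
                "move the BBI with /cfg/sys/access/wport",
            ))
        # Only an explicit 'disable' is flagged: the page gives no default.
        if settings.get("/cfg/slb/gslb/encrypt") == "disable":
            findings.append((
                "dssp-cleartext",
                f"encrypt is disabled: updates to sites {senders} are sent unencrypted",
            ))

    sinter = settings.get("/cfg/slb/gslb/sinter")
    if sinter is not None and not 10 <= int(sinter) <= 7200:
        findings.append(("sinter-range", f"sinter {sinter} is outside 10-7200 seconds"))
    return findings


if __name__ == "__main__":
    for code, message in audit(parse(SAMPLE)):
        print(f"{code}: {message}")
```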

/cfg/slb/gslb/network <network number>


GSLB Network Preference Configuration Menu
Network preference selects a server based on the preferred network of the source IP address for
a given domain. The preferred network contains a subset of the servers for the domain.
Up to 128 network preference numbers can be set.
[Network 1 Menu]
sip      - Set source IP address
mask     - Set source IP and network netmask
addvirt  - Add virtual server to network
remvirt  - Remove virtual server from network
addreal  - Add remote real server to network
remreal  - Remove remote real server from network
ena      - Enable network
dis      - Disable network
del      - Delete network
cur      - Display current network configuration

Table 7-31 GSLB Network Menu Options (/cfg/slb/gslb/network)


Command Syntax and Usage
sip <IP address>
Defines the source (client) IP address. Specify an IP address in dotted decimal notation. A range of
IP addresses is produced when used with the mask option.
mask <IP subnet mask (such as, 255.255.255.0)>
This IP address mask is used with the source IP (SIP) address to find a correct virtual server IP
address to respond to a DNS request.

addvirt <virtual server number (1-1024)>
Adds a virtual server to the network. No virtual server is added by default.
remvirt <virtual server number (1-1024)>
Removes a virtual server from the network.
addreal <real server number (1-1023)>
Adds a real server to the network.
remreal <real server number (1-1023)>
Removes a real server from the network.
ena
Enables the network.
dis
Disables the network.
del
Deletes the network entry.
cur
Displays the current Internet network entry configuration.

/cfg/slb/gslb/rule
GSLB Rule Configuration Menu
Rules allow the GSLB selection to use different metric preferences based on time-of-day. You
can configure one or more rules on each domain. Each rule has a metric preference list. The
GSLB selection selects the first rule that matches the domain and starts with the first metric in
the metric preference list of the rule.
[Rule 1 Menu]
metric   - Metric Menu
start    - Set start time for rule
end      - Set end time for rule
ttl      - Set Time To Live in seconds of DNS resource records
rr       - Set DNS resource records in DNS response
dname    - Set network preference domain name for rule
ena      - Enable rule
dis      - Disable rule
del      - Delete rule
cur      - Display current rule configuration


Table 7-32 GSLB Rule Configuration Menu Options (/cfg/slb/gslb/rule)


Command Syntax and Usage
metric <metric (1-16)>
Displays Metric Preference Menu. To view menu options, see page 472.
start <hour (0-23)> <minutes (0-59)>
Defines the start time for the rule. The default is zero.
end <hour (0-23)> <minutes (0-59)>
Defines the end time for the rule. The default is zero.
ttl <time to live in seconds (0-65535)>
Specifies the duration (from 0 to 65535 seconds, with default at 60) that the DNS response from
the switch (indicating site of best service) will remain in the cache of DNS servers. A lower value
may increase the ability of the GSLB system to adjust to sudden changes in traffic load, but will
generate more DNS traffic. Higher numbers may reduce the amount of DNS traffic, but may slow
GSLB's response to sudden traffic changes.
rr <rr (1-10)>
Sets how many DNS resource records will be returned in the DNS
response. The default is 2 records.
dname <34 character (wildcard "*" allowed) domain name> | none
Defines the domain name for the rule for network preference. The maximum length for the domain
name can be 34 characters. You can use wildcard * while creating the domain name. Default is
none.
ena
Enables the rule.
dis
Disables the rule.
del
Deletes the rule.
cur
Displays the current rule configuration.

/cfg/slb/gslb/rule/metric
Global SLB Rule Metric Menu
[Rule 1 Metric 1 Menu]
gmetric  - Set metric to use to select next server
addnet   - Add network to gmetric=network
remnet   - Remove network from gmetric=network
cur      - Display current metric configuration

Table 7-33 Global SLB Rule Metric Menu Options (/cfg/slb/gslb/rule/metric)


Command Syntax and Usage
gmetric leastconns|roundrobin|response|geographical|network|random|availability|qos|minmisses|hash|local|always|remote|none
Defines the metric to select the next real server for GSLB. The default is none.
addnet
Allows you to add a network to the selected metric. This command applies only if you select network as the metric.
remnet <1-128>
Allows you to delete a network that was added to the selected metric.
cur
Displays the current configuration of the metric.

/cfg/slb/layer7
Layer 7 SLB Resource Definition Menu
[Layer 7 Resource Definition Menu]
redir    - Web Cache Redirection Menu
slb      - Server Load Balancing Menu
sdp      - SIP SDP Menu
dbindtm  - Set timeout for incomplete delayed binding connections
cur      - Display current Layer 7 configuration

Table 7-34 Layer 7 Resource Definition Menu Options (/cfg/slb/layer7)


Command Syntax and Usage
redir
Displays the Web Cache Redirection Menu. To view menu options, see page 473.

slb
Displays the Server Load Balancing Menu. To view menu options, see page 475.
sdp
Displays the SIP SDP Menu. To view menu options, see page 477.
dbindtm <10-60 seconds>
Sets the timeout for incomplete delayed binding connections.
cur
Displays the current Layer 7 configuration.

/cfg/slb/layer7/redir
Web Cache Redirection Configuration
[Web Cache Redirection Menu]
urlal    - Enable/disable auto-ALLOW for non-GETs to origin servers
cookie   - Enable/disable auto-ALLOW for Cookie to origin servers
nocache  - Enable/disable no-cache control header to origin servers
hash     - Enable/disable URL hashing based on URI
header   - Enable/disable server loadbalance based on HTTP header
cur      - Display current WCR configuration

Table 7-35 Web Cache Redirection Menu Options (/cfg/slb/layer7/redir)


Command Syntax and Usage
urlal disable|enable
Enables or disables auto-ALLOW for non-GETs to origin servers.
If this command is enabled, the switch will redirect all non-GET requests to the origin server.
If this command is disabled, the switch will compare the URI against the expression table to
determine whether all non-GET requests should be redirected to a cache server or origin server.
This option is enabled by default.

cookie disable|enable
Enables or disables auto-ALLOW for cookie to origin servers.
If this command is enabled, the switch will redirect all requests that contain Cookie: in the
HTTP header to the origin server.
If this command is disabled, the switch will compare the URI against the expression table to
determine whether it should redirect all requests that contain Cookie: in the HTTP header to a
cache server or origin server.
This option is disabled by default.
nocache disable|enable
Enables or disables no-cache control header to origin servers.
If this command is enabled, the switch will redirect all requests that contain Cache-Control: no-cache
in HTTP/1.1 header, or Pragma: no-cache in HTTP/1.0 header to the origin server.
If this command is disabled, the switch will compare the URI against the expression table to
determine whether it should redirect requests that contain Cache-Control: no-cache in HTTP/1.1
header, or Pragma: no-cache in HTTP/1.0 header to a cache server or origin server.
This option is enabled by default.
hash disable|enable <number (1-255)>
Enables or disables URL hashing based on the URI.
If hashing is enabled, you can set the length of URI that will be used to hash into the cache
server by specifying a number from 1-255.
If hashing is disabled, the switch will only use the host header field to calculate the hash key.
This option is disabled by default.
header disable|enable host|useragent|others
Enables or disables server load balancing based on HTTP header. This option is disabled by
default.
cur
Displays the current URL expression table.
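
The following model is an added example, not part of the Nortel reference: it applies the urlal, cookie and nocache options from Table 7-35, with their stated defaults, to raw HTTP requests and reports which ones are sent straight to the origin server. The expression table is not implemented (such requests are reported as "expression-table"), and the function names and sample requests are constructed for the example.

```python
"""Model which requests the Web Cache Redirection options send to the origin."""

# Defaults stated in Table 7-35: urlal enabled, cookie disabled, nocache enabled.
DEFAULTS = {"urlal": True, "cookie": False, "nocache": True}

# Constructed sample requests (not captured traffic).
SAMPLES = {
    "login_post": b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "session_get": (b"GET /account HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Cookie: sid=constructed\r\n\r\n"),
    "reload_11": (b"GET /news HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Cache-Control: max-age=0, no-cache\r\n\r\n"),
    "reload_10": b"GET /news HTTP/1.0\r\nPragma: no-cache\r\n\r\n",
    "plain_get": b"GET /logo.gif HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}


def parse_request(raw):
    """Split a raw request into (method, uri, version, headers).

    Header names are lower-cased; a repeated header keeps its last value.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, uri, version, headers


def has_no_cache(version, headers):
    """Cache-Control: no-cache on HTTP/1.1, Pragma: no-cache on HTTP/1.0."""
    if version == "HTTP/1.1":
        directives = headers.get("cache-control", "").split(",")
        return "no-cache" in [d.strip().lower() for d in directives]
    if version == "HTTP/1.0":
        return headers.get("pragma", "").strip().lower() == "no-cache"
    return False


def wcr_decision(raw, options=None):
    """Return ("origin", option) when an enabled auto-ALLOW option matches.

    Otherwise return ("expression-table", None): the switch then compares the
    URI against its expression table, which this model does not implement.
    """
    opts = {**DEFAULTS, **(options or {})}
    method, _uri, version, headers = parse_request(raw)
    if opts["urlal"] and method != "GET":
        return ("origin", "urlal")
    if opts["cookie"] and "cookie" in headers:
        return ("origin", "cookie")
    if opts["nocache"] and has_no_cache(version, headers):
        return ("origin", "nocache")
    return ("expression-table", None)


def summarize(options=None):
    """Map each sample name to where the request goes under the given options."""
    return {name: wcr_decision(raw, options)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, target in summarize().items():
        print(f"{name:12s} -> {target}")
```

With the defaults, the cookie-bearing GET is not sent to the origin automatically; enabling cookie changes that.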

/cfg/slb/layer7/slb
Server Load Balance Resource Configuration Menu
[Server Loadbalance Resource Menu]
message  - Set HTTP error message
addstr   - Add SLB string for load balance
remstr   - Remove SLB string for load balance
rename   - Rename SLB string for load balance
addmeth  - Add HTTP method type
remmeth  - Remove HTTP method type
case     - Enable/disable case sensitive for string matching
cont     - Set BW contract for the SLB string
cur      - Display current configuration

Table 7-36 Server Load Balance Resource Menu Options (/cfg/slb/layer7/slb)


Command Syntax and Usage
message <64 byte error message>
Sets the message that will be displayed when an error occurs. The default message is "No available
server to handle this request".
addstr <l7lkup|pattern>
Allows the user to define a string that can be used for server load balancing or filtering by selecting
either a Layer 7 look up string or a pattern match.
If you choose l7lkup string, you can define a string for server load balancing or a string for
Layer 7 lookup.
If you choose pattern string, you will have the option to choose between ascii or binary
strings on a specific offset of the IP frame. These strings will only be used for filtering string pattern matching.
remstr <SLB string ID>
Removes this SLB string from the real server.
rename <SLB string ID> <SLB string>
Renames the SLB string for load balancing.
addmeth <Method, 1-32>
Allows you to add HTTP request methods of maximum 32 characters to your switch software.
HTTP allows an open-ended set of methods to be used to indicate the purpose of a request. Nortel
Application Switch Operating System 23.0.2 supports 22 request methods by default. The methods
GET and HEAD must be supported by all general-purpose servers. All other methods are optional.
You can see a list of supported default methods by using the command cur in this menu.
A method is case-sensitive.
The software supports both HTTP 1.0 and HTTP 1.1 to perform HTTP request methods.

remmeth <Method ID>
Allows you to remove HTTP methods from your switch software.
case disable|enable
Enables or disables case sensitivity for string matching. Using this command you can do either
case-sensitive or case-insensitive string comparison. If you disable case sensitivity, all load balancing strings and all the request strings arriving on the switch will have to be converted to lower case
before doing any string comparison.
cont <SLB string ID [1-1024]> <BW contract number [1-1024]>
Sets the Bandwidth Management contract for a specified string for the SLB string ID.
cur
Displays the currently configured SLB strings and their associated string IDs (index numbers) and
the supported HTTP request methods.

/cfg/slb/layer7/sdp
SDP Mapping Menu
[SDP Mapping Menu]
add      - Add SDP mapping
rem      - Remove SDP mapping
cur      - Display current SDP mapping configuration

Table 7-37 SDP Mapping Menu Options


Command Syntax and Usage
add <private IP> <public IP>
Add SDP mapping.
rem <private IP>
Remove SDP mapping.
cur
Display current SDP mapping configuration.

/cfg/slb/wap
WAP Configuration
[WAP Options Menu]
tpcp     - Enable/disable WAP TPCP external notification
debug    - WAP debug level
cur      - Display current WAP configuration

Table 7-38 WAP Configuration Menu Options (/cfg/slb/wap)


Command Syntax and Usage
tpcp disable|enable
Enables or disables the TPCP external notification for Add/Delete session requests. This option
is disabled by default.
debug <wap debug level (0-10)>
Sets the debug level for tracing the WAP related messages. The default is set at 0.
cur
Displays the current WAP configuration.

/cfg/slb/sync
Synchronize Peer Switch Configuration
[Config Synchronization Menu]
peer      - Synch Peer Switch Menu
filt      - Enable/disable syncing filter configuration
ports     - Enable/disable syncing port configuration
prios     - Enable/disable syncing VRRP priorities
pips      - Enable/disable syncing proxy IP addresses
peerpips  - Enable/disable syncing peer proxy IP addresses
bwm       - Enable/disable syncing BWM configuration
state     - Enable/disable syncing persistent session state
update    - Set stateful failover update period
cur       - Display current Layer 4 sync configuration

To synchronize the configuration between two switches, a peer must be configured and
enabled on each switch. Switches being synchronized must use the same administrator password.
Peers are sent SLB, FILT, and VRRP configuration updates using /oper/slb/synch.
Table 7-39 Synchronization Menu Options (/cfg/slb/sync)
Command Syntax and Usage
peer <peer switch number (1-2)>
Displays the Sync Peer Switch Menu. This option is enabled by default. To view menu options, see
page 479.
filt disable|enable
Enables or disables synchronizing filter configuration. This option is disabled by default.
ports disable|enable
Enables or disables synchronizing Layer 4 port configuration. This option is enabled by default.
prios disable|enable
Enables or disables syncing VRRP priorities. This option is enabled by default.
pips disable|enable
Enables or disables synchronizing proxy IP addresses. This option is disabled by default.
peerpips disable|enable
Enables or disables synchronizing the peer proxy IP addresses. Peer proxy IP addresses are used in
VRRP Active/Active configuration. This option is disabled by default.

bwm disable|enable
Enables or disables synchronizing Bandwidth Management configuration between Master and
backup switches. This option is enabled by default.
state disable|enable
Enables or disables stateful failover for synchronizing the persistent session state. This option is
disabled by default.
update <seconds, 160>
Sets the stateful failover update interval. The active switch sends update packets of new persistent
binding entries, if any, to the backup switch at the specified update interval. The default value is 30
seconds.
cur
Displays the current Layer 4 synchronization configuration.

/cfg/slb/sync/peer <peer switch number>


Peer Switch Configuration
[Peer Switch 1 Menu]
addr     - Set peer switch IP address
ena      - Enable peer switch
dis      - Disable peer switch
del      - Delete peer switch
cur      - Display current peer switch configuration

To synchronize the configuration between two switches, a peer must be configured and
enabled on each switch. Switches being synchronized must use the same administrator password.
Table 7-40 Peer Switch Configuration Menu Options (/cfg/slb/sync/peer)
Command Syntax and Usage
addr <IP address>
Sets the peer switch IP address. The default is 0.0.0.0.
ena
Enables the peer for this switch. By default, this option is disabled.
dis
Disables the peer for this switch.

del
Deletes the peer for this switch.
cur
Displays the current peer switch configuration.

/cfg/slb/adv
Advanced Layer 4 Configuration
[Layer 4 Advanced Menu]
synatk    - SYN Attack Detection Menu
smtport   - Service Mapping Table Real Port Menu
imask     - Set virtual and real IP address mask
mnet      - Set management network
mmask     - Set management subnet mask
pmask     - Set persistent mask
intrval   - Set SLB session attack inspection interval
allowlim  - Set SLB session attack alert allowable limit
submac    - Enable/disable Source MAC address substitution
direct    - Enable/disable Direct Access Mode
grace     - Enable/disable graceful real server failure
matrix    - Enable/disable Virtual Matrix Architecture
vmasport  - Enable/disable VMA with source port
tpcp      - Enable/disable Transparent Proxy Cache Protocol
vstat     - Enable/disable Virtual Service Statistics
rtsvlan   - Enable/disable using VLAN info for real server lookup
pvlantag  - Enable/disable preserving vlan tag during packet forwarding
portbind  - Enable/disable Ingress Port For Session Table Binding
fastage   - Session table fast-age (1 sec) period bit shift
slowage   - Session table slow-age (2 min) period bit shift
cur       - Display current Layer 4 advanced configuration

Table 7-41 Layer 4 Advanced Menu Options (/cfg/slb/adv)


Command Syntax and Usage
synatk
Displays SYN Attack Detection Menu. To view menu options, see page 483.

smtport
Displays Service Mapping Table (SMT) Real Server Port Menu. Using this command you can add
or remove a number of real server service port(s) that will process client traffic by-passing the
server. In other words, this service port's client request will not be processed by the server processor. To view menu options, see page 483.
imask <IP subnet mask (such as 255.255.255.0)>
Configures the real and virtual server IP address mask using dotted decimal notation. The default
is 255.255.255.255.
mnet <IP address>
If defined, management traffic with this source IP address will be allowed direct (non-Layer 4)
access to the real servers. Specify an IP address in dotted decimal notation. A range of IP addresses
is produced when used with the mmask option.
mmask <IP subnet mask (such as 255.255.255.0)>
This IP address mask is used with the mnet to select management traffic which is allowed direct
access to real servers. The default is 255.255.255.255.
pmask <IP subnet mask (such as 255.255.255.0)>
Sets persistent mask. The default is 255.255.255.255.
intrval <time window for collecting sessions (0-3600)>
This command allows you to configure the time interval (from one second to one hour) to specify
how frequently you want to check the SLB sessions (attacks) the switch received. At the configured interval of time the switch will check if the number of sessions is within the configured limits.
You can set this limit by using the next command in this menu: allowlim.
allowlim <allowable limit (1-2097104)>
This command allows you to specify the maximum number of sessions the switch can receive at
any given period of time. If the number of sessions exceeds this limit, the switch will generate a
syslog and an SNMP trap to alert the administrator that the switch is under SLB attack.
submac disable|enable
Enables or disables Source MAC address substitution. Typically, the source MAC is not modified
for the packets going to the servers in an SLB environment. But if you enable this command, the
switch will substitute the source MAC address (for the packets going to the server) with the MAC
address of the switch.
direct disable|enable
Enables or disables Direct Access Mode to real servers/services. This option also allows any virtual
server to load balance any real server. By default, this option is disabled.

grace disable|enable
Enables or disables graceful real server failure. Allows existing sessions to remain bound to a
server after the server has been placed in the service failed state (for more information,
see Service Failure in the Nortel Application Switch Operating System 23.0.2 Application
Guide). By default, this option is disabled.
matrix disable|enable
Enables or disables the use of Virtual Matrix Architecture on the Nortel Application Switch. By
default, this option is enabled.
vmasport enable|disable
Enables or disables VMA with source port.
tpcp disable|enable
Enables or disables the TPCP (Transparent Proxy Cache Protocol). This command is used for
security reasons: the UDP port can be closed. By default, this option is disabled.
vstat disable|enable
Enables or disables reporting of virtual service statistics.
rtsvlan disable|enable
Enables or disables the use of VLAN for Return to Sender information on the real server.
pvlantag
Enables or disables preserving the VLAN tag during packet forwarding.
portbind disable|enable
Enables or disables the inclusion of the ingress port number in the session table look up.
fastage <shift the fast-age (1sec) period 0-7 bits>
Controls how frequently a fastage scan is performed. The default interval is two seconds. Each
incremental increase of the value doubles the length of the interval.
The fastage scan is used to remove TCP sessions that have been closed with a FIN and sessions
that have been identified by the slowage scan as idle for the maximum allowed period. If a large
value of fastage is used, a session can remain in the session table for a few minutes. The default
is 0.
slowage <shift the slow-age (2min) period 0-14 bits>
Controls how frequently a slowage scan is performed. The default interval is two minutes. Each
incremental increase of the value doubles the length of the interval. (Value is set in bits rather than
seconds, which causes the time to double per increment).
The slowage scan is used to remove idle or non-TCP sessions from the session table at the specified
intervals. If a large value of slowage is used, a session can remain in the session table for
months. The default is 0.

cur
Displays the current Layer 4 advanced configuration.

/cfg/slb/adv/synatk
SYN Attack Detection Configuration Menu
[SYN Attack Detection Menu]
intrval - Set SYN attack detection interval
thrshld - Set SYN attack alarm threshold
cur     - Display current SYN attack detection configuration

Table 7-42 SYN Attack Detection Menu Options (/cfg/slb/adv/synatk)


Command Syntax and Usage
intrval <SYN attack check interval in seconds (2-3600)>
Sets the interval of SYN attack inspection.
thrshld <SYN attack alarm threshold (new half-open sessions/second) (1-100000)>
Sets the threshold of SYN attack alarm.
cur
Displays the current SYN attack detection configuration.

/cfg/slb/adv/smtport
Advanced SMT Real Server Port Configuration Menu
[SMT Real Port Menu]
add    - Add real port
remove - Remove real port
cur    - Display real port configuration

Table 7-43 Advanced SMT Real Server Port Menu Options (/cfg/slb/adv/smtport)
Command Syntax and Usage
add <real server port (2-65534)>
This command allows you to add a service port to the real server that is configured to process client traffic, bypassing the server processor.

remove <real server port (2-65534)>
This command allows you to remove a service port from the real server that is configured to process client traffic, bypassing the server processor.
cur
Displays real port configuration.

/cfg/slb/linklb
Inbound Link Load Balancing Configuration Menu
[Inbound Linklb Menu]
drecord - Domain Record Menu
group   - Set real server group
ttl     - Set Time to Live of DNS resource records
ena     - Enable Inbound Linklb
dis     - Disable Inbound Linklb
cur     - Display current Inbound Linklb configuration

Table 7-44 Inbound Link Load Balancing Configuration Menu Options (/cfg/slb/linklb)
Command Syntax and Usage
drecord <domain record number (1-64)>
Displays domain record menu. To view menu options, see page 485.
group <real server group number (1-1023)>
Sets the real server ISP group number.
ttl <time to live in seconds (0-65535)>
Sets the time-to-live for DNS resource records.
ena
Enables inbound link load balancing.
dis
Disables inbound link load balancing.
cur
Displays current inbound link load configuration.


/cfg/slb/linklb/drecord
Inbound Link Load Balancing Domain Record Menu
[Domain Record <domain_number> Menu]
entry  - Virt Real Mapping Menu
domain - Set Domain Name
ena    - Enable Domain Record
dis    - Disable Domain Record
del    - Delete Domain Record
cur    - Display current Domain Record configuration

Table 7-45 Inbound Link Load Balancing Domain Record Menu Options (/cfg/slb/linklb/drecord)
Command Syntax and Usage
entry <linklb entry number (1-8)>
Displays the link load balancer's mapping menu for the virtual and real servers. See page 452 to
view menu options.
domain <64 character domain name>|none
Allows you to configure the domain name. Default is none.
ena
Enables the domain records.
dis
Disables the domain records.
del
Deletes the domain records.
cur
Displays the current domain records.


/cfg/slb/linklb/drecord/entry
Inbound Link Load Balancing Mapping Menu
[Virt Real Mapping 1 Menu]
virt - Set Virtual Server Number
real - Set Real Server Number
ena  - Enable Entry
dis  - Disable Entry
del  - Delete Entry
cur  - Display current Entry configuration

Table 7-46
Command Syntax & Usage
virt <virtual server number, 1-1024>
Defines the virtual server number for mapping.
real
Defines the real server number for mapping.
ena
Enables the entry for drecords.
dis
Disables the entry for drecords.
del
Deletes the entry for drecords.
cur
Displays the current real and virtual server mappings for drecords entries.

/cfg/slb/advhc
Advanced Health Check Configuration Menu
[Layer 4 Advanced Health Check Menu]
script  - Scriptable Health Check Menu
snmphc  - SNMP Health Check Menu
waphc   - WAP Health Check Menu
aphttp  - Enable/disable Allow HTTP Health Check on any port
ldapver - LDAP version
secret  - Set RADIUS secret
minter  - Set interval of response and bandwidth metric updates
cur     - Display current Layer 4 advanced health check configuration


Table 7-47 Advanced Health Check Menu Options (/cfg/slb/advhc)


Command Syntax and Usage
script <health script number (1-64)>
Displays the Scriptable Health Check Menu. To view menu options, see page 488.
snmphc <SNMP health check number (1-5)>
Displays the SNMP Health Check Menu. To view menu options, see page 490.
waphc
Displays the WAP Health Check Menu. To view menu options, see page 492.
aphttp disable|enable
Enables or disables HTTP health checks on any port. By default, this option is disabled. When disabled, you can use HTTP health checks only for the HTTP service. When enabled, you can use them
on any port, such as HTTPS.
ldapver <LDAP version>
Sets the LDAP version to 2 or 3. The default is 2.
secret <1-32 character secret>
To perform application health checking to a RADIUS server, the network administrator must configure two parameters in the switch: the /cfg/slb/secret value and the cntnt parameter
with a username:password value. The secret value is a field of up to 32 alphanumeric characters. The switch uses it to encrypt the password with the RSA Message Digest Algorithm
(MD5), and the RADIUS server uses it to decrypt the password during verification. The default is
none.
minter <number of seconds between updates (1-256)>
This command sets the interval of response and bandwidth metric updates. The default is set at 10.
cur
Displays the current Layer 4 advanced health check configuration.


/cfg/slb/advhc/script <health script number>


Scriptable Health Checks Configuration
Scriptable health checks provide a robust and extensible way to health check a group of real
servers. With these health checks, users can define their own health checks of varied complexity. The ASCII and binary-based scripts control how a group of real servers is health-checked, so both TCP and UDP services can be health-checked.
The Health Script menu provides commands that can be used to define the health script. The
total number of characters cannot exceed 6144 bytes. Up to 64 scripts can be configured.
[Health Script 1 Menu]
open    - Add open command to end of script
send    - Add send command to end of script
bsend   - Add binary send command to end of script
nsend   - Add additional send binary string to end of script
expect  - Add expect command to end of script
bexpect - Add binary expect command to end of script
nexpect - Add additional expect binary string to end of script
offset  - Add offset command to end of script
depth   - Add depth command to end of script
wait    - Add wait command to end of script
close   - Add close command to end of script (TCP only)
rem     - Remove last command from script
del     - Delete script
cur     - Display current script configuration

Table 7-48 Scriptable Health Check Menu Options (/cfg/slb/adv/script)


Command Syntax and Usage
open <real port or name (such as: http)> <tcp|udp>
Opens a TCP connection or specifies a UDP port for the health check. You need to specify the protocol (TCP or UDP), and the port number.
send <text string (TCP), hex string (UDP)>
Sends an ASCII request string through an open TCP or UDP port to the server.
bsend <hex string>
Sends a binary request string in hexadecimal format for the request packet through an open TCP or
UDP port to the server.

nsend <additional hex string (UDP)>
Allows you to append additional content to the packet generated by the bsend command. The
Nortel Application Switch Operating System 23.0.2 allows a maximum of 256 bytes to be entered.
Using one or more nsend commands allows you to generate a binary content of more than 256
bytes in length.
expect <text string (TCP), hex string (UDP)>
Allows you to configure an ASCII string to search for in each server response
packet for a successful health check on an open TCP port. If this string is not seen in any
response packet before the health check interval or the configured wait window expires, the server
does not pass the expect step and the health check fails.
bexpect <hex string>
Allows you to configure a binary content string (in hexadecimal format) to search for
in each server response packet for a successful health check on an open TCP port.
nexpect <additional hex string (UDP)>
Allows you to append additional content to the original content of the response packet specified by
the bexpect command.
offset <offset, 1-1464>
Allows you to specify the offset from the beginning of the UDP data area to start matching the content specified in the expect command. If you need to specify offset, you must do it after executing the bexpect command.
depth <depth, 1-1464>
Allows you to specify the depth (the window) in bytes beginning from the start of the UDP data
area, or beginning from offset if offset was specified, to search for the bexpect content.
wait <wait window in milliseconds (1-65535)>
Allows the user to configure a wait window for the expected response. The wait window starts
when the request is sent from the switch. If the expected response is received within the wait
window, the health check passes; otherwise the health check fails. The wait command should
follow the offset and depth commands in the script. The wait window is set in
milliseconds.
close
Closes TCP connection.
rem
Removes the last entered line from the script.
del
Deletes the current script.

cur
Lists the current script configuration.
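How the bsend/nsend, bexpect, offset, depth and wait steps of Table 7-48 combine, modelled in Python against constructed DNS replies (an added example, not the switch's implementation). It assumes that offset counts the bytes skipped from the start of the UDP data area and that the pattern must lie wholly inside the depth window; the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

MAX_ENTRY_BYTES = 256  # per-entry limit stated in the nsend description


def join_hex(first: str, *more: str) -> bytes:
    """Concatenate a bsend entry with the nsend entries that follow it."""
    out = b""
    for entry in (first, *more):
        raw = bytes.fromhex(entry)
        if not 0 < len(raw) <= MAX_ENTRY_BYTES:
            raise ValueError("each entry must hold 1-256 bytes")
        out += raw
    return out


@dataclass
class BinaryExpect:
    pattern: bytes
    offset: int = 0                # assumed: bytes skipped from start of UDP data
    depth: Optional[int] = None    # window length in bytes; None = rest of payload
    wait_ms: Optional[int] = None  # None = no wait step in the script

    def passes(self, payload: bytes, elapsed_ms: int) -> bool:
        # wait: the reply must arrive inside the window that starts at send time.
        if self.wait_ms is not None and elapsed_ms > self.wait_ms:
            return False
        end = len(payload) if self.depth is None else self.offset + self.depth
        # Search only the window [offset, offset + depth) for the pattern.
        return self.pattern in payload[self.offset:end]


# Constructed sample packets (UDP data area only): a DNS A query for example.com,
# a successful reply with one answer, and an NXDOMAIN reply with no answer.
QUESTION = "076578616d706c6503636f6d00" "0001" "0001"
REQUEST = join_hex("123401000001000000000000", QUESTION)  # bsend header + nsend question
OK_REPLY = bytes.fromhex(
    "123481800001000100000000" + QUESTION
    + "c00c" "0001" "0001" "00000e10" "0004" "c0000201"
)
NXDOMAIN_REPLY = bytes.fromhex("123481830001000000000000" + QUESTION)


def run_checks() -> dict:
    # ANCOUNT sits at bytes 6-7 of the DNS header; expect exactly one answer.
    bounded = BinaryExpect(bytes.fromhex("0001"), offset=6, depth=2, wait_ms=200)
    # Same pattern with no offset/depth: matches QDCOUNT or QTYPE/QCLASS instead.
    unbounded = BinaryExpect(bytes.fromhex("0001"))
    return {
        "ok_reply_bounded": bounded.passes(OK_REPLY, elapsed_ms=20),
        "nxdomain_bounded": bounded.passes(NXDOMAIN_REPLY, elapsed_ms=20),
        "nxdomain_unbounded": unbounded.passes(NXDOMAIN_REPLY, elapsed_ms=20),
        "late_reply_bounded": bounded.passes(OK_REPLY, elapsed_ms=450),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {'pass' if result else 'fail'}")
```

A short pattern with no offset and depth can pass on a reply from a server that is actually failing, which keeps that server in rotation; anchoring the match to the field that carries the status avoids this.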

/cfg/slb/advhc/snmphc
SNMP Health Check Configuration
[SNMP Health Check 1 Menu]
oid    - OID to be sent in the SNMP request packet
comm   - Community string used in the SNMP request packet
rcvcnt - Expected value in the SNMP response packet
invert - Enable/disable inversion of expected value
weight - Enable/disable readjusting of weights based on response
del    - Delete SNMP health check
cur    - Display current SNMP health check configuration

Table 7-49 SNMP Health Check Menu Options (/cfg/slb/adv/snmphc)


Command Syntax and Usage
oid <object identifier, such as, 1.3.6.1.2.1.1.1.0 max 30 sub-identifiers>
Specify the Object Identifier (OID) to be sent in the SNMP GET request packet. The format of the
OID depends on the MIB file, for example, an OID is of the form 1.3.6.1.4.1.1872.2.5.7.11.
comm <community string, maximum 32 characters>
Enter the community string used in the SNMP get request packet. The default community string is
public.
rcvcnt <expected content an integer value or a string>
Enter the content the switch expects to receive from the SNMP agent on the real server.
invert disable|enable
Enables or disables the inversion of the expected value. When the invert option is enabled, the
health check fails if the response packet contains the value specified in the receive content
(rcvcnt) field.
weight disable|enable
When enabled, the real server weights are dynamically adjusted based on SNMP health check
response.
del
Deletes the current SNMP health check.

cur
Displays the current SNMP Health Check configuration.


/cfg/slb/advhc/waphc
WAP Health Check Configuration
Wireless Session Protocol (WSP) is used within the Wireless Application Protocol (WAP)
suite to manage sessions between wireless devices and WAP content servers or WAP gateways. The Nortel Application Switch Operating System provides a content-based health check
mechanism where customized WSP packets are sent to the WAP gateways, and the switch verifies the expected response, in a manner similar to scriptable health checks.
WSP content health checks can be configured in two modes: connectionless and connection-oriented. Connectionless WSP runs on UDP/IP protocol, ports 9200 and 9202, and connection-oriented (WTP) traffic runs on ports 9201 and 9203. Application switches can be used to load
balance the gateways in both modes of operation.
The Nortel Application Switch Operating System allows you to configure three WAP gateway
health check types for all four WAP services (WSP, WTP+WSP, WTLS+WSP, WTLS+WTP+WSP),
deployed on WAP gateways/servers. For further details, refer to the Application Guide.
[WAP Health Check Menu]
wspcnt  - WSP Health Check Content Menu
wtpcnt  - WTP+WSP Health Check Content Menu
wspport - WSP port number to health check
wtpport - WTP port number to health check
wtlswsp - WTLS+WSP port number to health check
wtlsprt - WTLS port number to health check
couple  - Enable/disable coupling with RADIUS Accounting Service
cur     - Display current WAP health check configuration

Table 7-50 WAP Health Check Menu Options (/cfg/slb/adv/waphc)


Command Syntax and Usage
wspcnt
Displays WSP Health Check Content Menu. To view menu options, see page 494.
wtpcnt
Displays WTP and WSP Health Check Content Menu. To view menu options, see page 495.
wspport <wsp port number to health check (0-65534)>
Enter the port number on which WSP health checks will be performed. The default port number is
9200.
wtpport <wtp port number to health check (0-65534)>
Defines the WTP port number to health check. The default port number is 9201.

wtlswsp <wtls+wsp port number to health check (0-65534)>
Defines the WTLS (Wireless Transport Layer Security) and WSP port number to health check.
The connectionless encrypted WTLS traffic uses default port 9202.
wtlsprt <port number (0-65534)>
Enter the port number on which WTLS health checks will be performed. The connection-oriented
WTLS traffic uses default port 9203.
couple disable|enable
Enables or disables coupling together of all four WAP services (WSP, WTP+WSP,
WTLS+WSP, WTLS+WTP+WSP) with the RADIUS Accounting Service. If the health check to any
one of the four WAP services or the RADIUS Accounting Service fails, then all four WAP services and the RADIUS Accounting Service are disabled.
cur
Displays the current WAP Health Check configuration.


/cfg/slb/advhc/waphc/wspcnt
WSP Content Health Check
[WSP Health Check Content Menu]
offset - Offset in received WSP packet
sndcnt - Content to be sent to the WAP gateway
rcvcnt - Content to be received from the WAP gateway
cur    - Display current WSP health check content configuration

Table 7-51 WSP Content Health Check Options (/cfg/slb/advhc/waphc/wspcnt)


Command Syntax and Usage
offset <Offset in the received WSP packet (0-512)>
Enter the offset into the content of the received WSP packets. An offset value of 0 (default) sets the
switch to start comparisons from the beginning of the content of the received packet.
sndcnt <send content as hexadecimal string>
Enter a hexadecimal string that represents a connectionless WSP request to a WSP gateway. This
string will be delivered to the WSP gateway.
rcvcnt <receive content as hexadecimal string>
Enter a hexadecimal string that represents the content that the switch expects to receive from the
WSP gateway.
cur
Displays the current WAP Health Check configuration.


/cfg/slb/advhc/waphc/wtpcnt
WTP and WSP Content Health Check Menu
This menu is used for configuring the health check for connection-oriented unencrypted WAP
traffic.
[WTP+WSP Health Check Content Menu]
offset  - Offset in received WSP PDU
connect - CONNECT PDU to be sent to the WAP gateway
sndcnt  - GET PDU to be sent to the WAP gateway
rcvcnt  - REPLY PDU to be received from the WAP gateway
cur     - Display current WTP+WSP health check content configuration

Table 7-52 WTP and WSP Content Health Check Menu Options (/cfg/slb/advhc/waphc/wtpcnt)
Command Syntax and Usage
offset <offset in the received WSP PDU>
Enter the offset into the content of the received WSP packets. The offset value is the number of bytes
from the beginning of the WSP PDU at which the comparison with the expected
receive content begins. An offset value of 0 (default) sets the switch to start comparisons from the beginning of the WSP PDU of the received packet.
connect <connect content as hexstring>
Enter the content for the first switch-generated WSP session packet. This command allows you to
customize the headers in the connect message.
sndcnt <send content as hexadecimal string>
Enter a hexadecimal string that represents a WSP request to a WSP gateway. This string will be
delivered to the WSP gateway.
rcvcnt <receive content as a hexadecimal string>
Enter a hexadecimal string that represents the content that the switch expects to receive from the
WSP gateway.
cur
Displays current WTP+WSP health check content configuration.


/cfg/slb/pip
Proxy IP Address Configuration Menu
You need to enable proxy IP address processing on the port to use this command. You can configure multiple proxy IP addresses based on either port or VLAN.
You can configure up to 1024 proxy IP addresses on a per switch basis.
[Proxy IP Address Menu]
type - Set base type of Proxy IP address
add  - Add port or VLAN to Proxy IP address
rem  - Remove port or VLAN from Proxy IP address
cur  - Display current Proxy IP address configuration

Table 7-53 Proxy IP Address Configuration Menu Options (/cfg/slb/pip)


Command Syntax and Usage
type <port|vlan>
Defines the base type of the proxy IP address, whether it is port-based or VLAN-based.
add <IP address> <port number|vlan number>|<port number-port number|vlan number-vlan number>
Allows you to add either a port or a VLAN to a proxy IP address.
rem <<PIP ID> <port#|vlan#>|<port#-port#|vlan#-vlan#>>
Allows you to remove a port or a VLAN from a proxy IP address. This command also allows you
to remove all ports or VLANs assigned to any proxy IP address.
cur
Displays the current Proxy IP address configuration.


/cfg/slb/peerpip
SLB Peer Proxy IP Address Menu
When this command is enabled, the switch is able to forward traffic from the other switch, using Layer 2,
without performing server processing on the packets of the other switch. This happens because the peer
switches are aware of each other's proxy IP addresses. This prevents packets from being dropped or
sent to the backup switch, as would happen in the absence of the proxy IP address of the peer switch.
[Peer Proxy IP Address Menu]
add - Add peer Proxy IP address
rem - Rem peer Proxy IP address
cur - Display current peer Proxy IP address configuration

Table 7-54 Peer Proxy IP Address Menu Options (/cfg/slb/peerpip)


Command Syntax and Usage
add <IP address>
Allows you to add a proxy IP address to the server load balancing peer.
rem <IP address>
Allows you to remove a proxy IP address from the server load balancing peer.
cur
Displays the current proxy address configuration of the peer.


/cfg/slb/wlm
WorkLoad Management Menu
[Workload Manager 1 Menu]
addr - Set IP address for Workload Manager
port - Set port for Workload Manager
del  - Delete Workload Manager
cur  - Display current Workload Manager configuration

Table 7-55 Workload Manager Menu Options


Command Syntax and Usage
addr <IP_address>
Set the IP address for the Workload Manager.
port <TCP_port>
Set the port number for the Workload Manager.
del
Delete the Workload Manager.
cur
Shows all Workload Manager statistics. For example:
Current Workload Manager 1:
IP address    Port
0.0.0.0       0


CHAPTER 8

The Operations Menu


The Operations Menu is generally used for commands that affect switch performance immediately, but do not alter permanent switch configurations. For example, you can use the Operations Menu to immediately disable a port (without the need to apply or save the change), with
the understanding that when the switch is reset, the port returns to its normally configured
operation.

/oper
Operations Menu
[Operations Menu]
port     - Operational Port Menu
slb      - Operational Server Load Balancing Menu
vrrp     - Operational Virtual Router Redundancy Menu
bwm      - Operational Bandwidth Management Menu
security - Operational Security Menu
ip       - Operational IP Menu
swkey    - Enter key to enable software feature
rmkey    - Enter software feature to be removed
passwd   - Change current user password
clrlog   - Clear syslog messages
displog  - Turn on/off display syslog msgs to telnet/ssh sessions
defalias - Set default port alias
ntpreq   - Send NTP request

The commands of the Operations Menu enable you to alter switch operational characteristics
without affecting switch configuration.
Port Mirroring menu options are accessible only to the Nortel Application Switch AD4 and
Nortel Application Switch 184 Web Switches.


Table 8-1 Operations Menu Options (/oper)


Command Syntax and Usage
port <port number>
Displays the Operational Port Menu. To view menu options, see page 501.
slb
Displays the Operational Layer 4 Menu. To view menu options, see page 502.
vrrp
Displays the Operational Virtual Router Redundancy Menu. To view menu options, see page 505.
bwm
Displays the Operational Bandwidth Management Menu. To view menu options, see page 505.
security
Go to the Operational Security menu. To view menu options, see page 506.
ip
Displays the IP Operations Menu, which has one sub-menu/option, the Operational Border Gateway Protocol Menu. To view menu options, see page 505.
swkey <16-hexadecimal digit key to enable software feature>
Sets key to enable software feature. For details, see page 509.
rmkey <software feature to be removed (GSL|BWM|Security)>
Defines software feature to be removed. For details, see page 510.
passwd <15 char max>
Allows the user to change the password. You need to enter the current password in use for
validation.
clrlog
Clears all syslog messages.
displog on|off
Turns on or off the display of syslog messages to Telnet/SSH sessions.
defalias
Set the default port alias.
ntpreq
Allows the user to send requests to the NTP server.


/oper/port <port number>


Operations-Level Port Options
[Operations Port 1 Menu]
rmon - Enable/Disable RMON for port
ena  - Enable port
dis  - Disable port
cur  - Current port state

Operations-level port options are used for temporarily disabling or enabling a port, and for
changing Remote Monitoring (RMON) status on a port.
Table 8-2 Operations-Level Port Menu Options (/oper/port)
Command Syntax and Usage
rmon disable|enable
Temporarily enables/disables Remote Monitoring on the port. The port will be returned to its configured operation mode when the switch is reset.
ena
Temporarily enables the port. The port will be returned to its configured operation mode when the
switch is reset.
dis
Temporarily disables the port. The port will be returned to its configured operation mode when the
switch is reset.
cur
Displays the current settings for the port.


/oper/slb
Operations-Level SLB Options
[Server Load Balancing Operations Menu]
group   - Real Server Group Menu
gslb    - Global SLB Operations Menu
sync    - Synchronize SLB, VRRP and other configurations on peers
ena     - Enable real server
dis     - Disable real server
sessdel - Delete session table entry
clear   - Clear session table
cur     - Current layer 4 operational state

When the optional Layer 4 software is enabled, the operations-level Server Load Balancing
options are used for temporarily disabling or enabling real servers and synchronizing the configuration between the active/active switches.
Table 8-3 Server Load Balancing Operations Menu Options (/oper/slb)
Command Syntax and Usage
group <real server group number (1-1024)>
Displays the Real Server Group Menu. To view menu options, see page 503.
gslb
Displays Global SLB Operations Menu. To view menu options, see page 504.
sync
Synchronizes the SLB, filter, VRRP, port, Bandwidth Management configuration, and VR priorities on a peer switch (a switch that owns the IP address). To take effect, peers must be configured
on the Nortel Application Switch and the administrator password on the switch must be identical.
ena <real server number (1-1023)>
Temporarily enables a real server. The real server will be returned to its configured operation
mode when the switch is reset.

dis <real server number, 1-1023> [P - allow persistent http 1.0 sessions] p|n
The disable command is used to temporarily disable real servers as follows:
Using the p (persistent) option immediately suspends assignment of connections to the
specified real server (except for persistent HTTP 1.0 sessions) by removing the real server from
operation within its real server group and virtual server.
Using the n (none) option immediately suspends assignment of connections to the specified
real server by removing the real server from operation within its real server group and virtual
server.
The real server will be returned to its configured state after a switch reset.

NOTE: This command provides for orderly server shutdown to allow maintenance on a server.
For more information, see Disabling and Enabling Real Servers in the Nortel Application Switch
Operating System 23.0.2 Application Guide.
sessdel
Delete session table entry.
clear
Clears all session tables and allows port filter changes to take effect immediately.

NOTE: This command disrupts current SLB and Application Redirection sessions.
cur
Displays the current SLB operational state.

/oper/slb/group
Real Server Group Operations
[Real server group 1 Menu]
ena - Enable real server in this group
dis - Disable real server in this group
cur - Current server group operational state

Table 8-4 Real Server Group Operations Options (oper/slb/group)


Command Syntax and Usage
ena <real server number (1-1023)>
Enables real server in this group.

dis <real server number (1-1023)>
Disables real server in this group.
cur
Displays current operational state of the server group.

/oper/slb/gslb
Global SLB Operations Menu
[Global SLB Operations Menu]
query - Query Global SLB selection
add   - Add entry to Global SLB DNS persistence cache
arem  - Remove all entries Global SLB DNS persistence cache

Table 8-5 Global SLB Operations Menu Options (/oper/slb/gslb)


Command Syntax and Usage
query
Allows you to query the Global site selection.
add
Add an entry to the Global SLB DNS persistence cache.
arem
Removes all entries from the Global SLB DNS persistence cache.


/oper/vrrp
Operations-Level VRRP Options.
[VRRP Operations Menu]
back - Set virtual router to backup

Table 8-6 Virtual Router Redundancy Operations Menu Options (/oper/vrrp)


Command Syntax and Usage
back <virtual router number (1-1024)>
Forces the specified master virtual router on this switch into backup mode. This is generally used
for passing master control back to a preferred switch once the preferred switch has been returned to
service after a failure. When this command is executed, the current master gives up control and
initiates a new election by temporarily advertising its own priority level as 0 (lowest). After the new
election, the virtual router forced into backup mode by this command will resume master control in
the following cases:
This switch owns the virtual router (the IP addresses of the virtual router and its IP interface are the same).
This switch's virtual router has a higher priority and preemption is enabled.
There are no other virtual routers available to take master control.

/oper/bwm
Operations-Level Bandwidth Management Options
[Bandwidth Management Operations Menu]
sndhist - Send BW History to SMTP server
clear   - Clear BWM IP user entry table

Table 8-7 Bandwidth Operations Menu Options (/oper/bwm/sndhist)


Command Syntax and Usage
sndhist
Sends the bandwidth history to a system administrator specified under /cfg/bwm/user
(see page 316).
clear
Clear the BWM IP user entry table.


/oper/security
Security Menu
[Security Menu]
ipacl   - IP ACL Operations Menu

Table 8-8 Security Menu Options


Command Syntax and Usage
ipacl
Go to the IP ACL Operations Menu. To view menu options, see page 506.

/oper/security/ipacl
IP ACL Operations Menu
[IP ACL Operations Menu]
add     - Add operations source IP Address/Mask
rem     - Remove operations source IP Address/Mask
arem    - Remove all operations source IP Address/Mask
dadd    - Add operations destination IP Address/Mask
drem    - Remove operations destination IP Address/Mask
darem   - Remove all operations destination IP Address/Mask
cfg     - Display configuration IP Address/Mask
bogon   - Display bogon IP Address/Mask
oper    - Display operations IP Address/Mask
cur     - Display all IP Address/Mask

Table 8-9 IP ACL Operations Menu Options


Command Syntax and Usage
add <IP address> <IP subnet mask> <timeout in minutes, 1-10080>
Add an operations source IP address and mask.
rem <IP address> <IP subnet mask>
Remove an operations source IP address and mask.
arem
Remove all operations source IP addresses and masks.
dadd <IP address> <IP subnet mask> <timeout in minutes, 1-10080>
Add an operations destination IP address and mask.
drem <IP address> <IP subnet mask>
Remove an operations destination IP address and mask.

darem
Remove all of the operations destination IP addresses and Masks.
cfg
Display all configuration IP addresses and Masks. For example:
Current configuration IP ACL settings:
0 configuration source IP ACL.
0 configuration destination IP ACL.
bogon
Display bogon IP address and Mask. For example:
>> IP ACL Operations# bogon
Current bogon IP ACL settings:
0 bogon source IP ACL.
oper
Display operations IP addresses and Masks. For example:
Current operations IP ACL settings:
0 operations source IP ACL.
0 operations destination IP ACL.
cur
Display all IP addresses and Masks. For example:
Current total IP ACL settings:
0 total source IP ACL.
0 total destination IP ACL.
Current configuration IP ACL settings:
0 configuration source IP ACL.
0 configuration destination IP ACL.
Current bogon IP ACL settings:
0 bogon source IP ACL.
Use "bogon" command to display.
Current operations IP ACL settings:
0 operations source IP ACL.
0 operations destination IP ACL.


/oper/ip
Operations-Level IP Options
[IP Operations Menu]
bgp     - Operational Border Gateway Protocol Menu
garp    - Send gratuitous arp

Table 8-10 IP Operations Menu Options (/oper/ip)


Command Syntax and Usage
bgp
Displays the Border Gateway Protocol Operations Menu. To view the menu options see page 508.
garp <IP address> <Vlan number>
Send gratuitous arp.

/oper/ip/bgp
Operations-Level BGP Options
[Border Gateway Protocol Operations Menu]
start   - Start peer session
stop    - Stop peer session
cur     - Current BGP operational state

Table 8-11 IP Operations Menu Options (/oper/ip)


Command Syntax and Usage
start <peer number (1-16)>
Starts the peer session.
stop <peer number (1-16)>
Stops the peer session.
cur
Displays the current BGP operational state.


/oper/swkey
Activating Optional Software
The swkey option is used for activating any optional software you have purchased for your
switch.
Before you can activate optional software, you must obtain a software license from your Nortel
Networks representative or authorized reseller. One software license is needed for each switch
where the optional software is to be used. You will receive a License Certificate for each software license purchased.
Currently the following software packages are available for purchase and installation:

Security Pack

Bandwidth Management

Global Server Load Balancing

To obtain a software key, you must register each License Certificate with Nortel Networks and
provide the MAC address of the Nortel Application Switch Operating System switch that will
run the optional software. Nortel Networks will then provide a License Password.
NOTE Each License Password will work only on the specific switch that has the MAC
address you provided when registering your License Certificate.
Once you have your License Password, perform the following actions:
1. Connect to the switch's command line interface and log in as the administrator (see Chapter 1, The Command Line Interface).

2. At the Main# prompt, enter:

Main# oper

3. At the Operations# prompt, enter:

Operations# swkey


4. When prompted, enter your 16-digit software key code. For example:

Enter Software Key: <16 hexadecimal-digit key to enable software feature (such as, 123456789ABCDEF)>

If the correct code is entered, you will see the following message:
Valid software key entered.
Software feature enabled.

/oper/rmkey
Removing Optional Software
The rmkey option is used for deactivating any optional software. Deactivated software is still
present in switch memory and can be reactivated at any later time.
To review the deactivation options, enter the following at the Operations Menu:
>> Operations# ? rmk
Usage: rmkey <software feature to be removed (GSLB||BWM|Security|Linklb|ITM)>

To deactivate optional software, enter the following at the Operations Menu:


Operations# rmkey

When prompted, enter the code for software to be removed. For example:
Enter Software Feature to be removed:[GSLB]|BWM|Security: GSLB


CHAPTER 9

The Boot Options Menu


To use the Boot Options Menu, you must be logged in to the switch as the administrator. The
Boot Options Menu provides options for:

Selecting a switch software image to be used when the switch is next reset

Selecting a configuration block to be used when the switch is next reset

Downloading or uploading a new software image to the switch via TFTP

/boot
Boot Menu
[Boot Options Menu]
sched   - Scheduled Switch Reset Menu
image   - Select software image to use on next boot
conf    - Select config block to use on next boot
gtimg   - Download new software image via TFTP
ptimg   - Upload selected software image via TFTP
reset   - Reset switch [WARNING: Restarts Spanning Tree]
cur     - Display current boot options

Each of these options is discussed in greater detail in the following sections.


Scheduled Reboot of the Switch


This feature allows the switch administrator to schedule a reboot to occur at a particular time in
the future. This is particularly helpful if you need to perform switch upgrades during
off-peak hours. You can set the reboot time, cancel a previously scheduled reboot, and check
the time of the currently scheduled reboot using the following sub-menu:

/boot/sched
Scheduled Reboot Menu
[Boot Schedule Menu]
set     - Set switch reset time
cancel  - Cancel pending switch reset
cur     - Display current switch reset schedule

The cur option displays the current scheduled reboot time. For example:
>> Boot Schedule# cur
Currently scheduled reboot time: none

Updating the Switch Software Image


The switch software image is the executable code running on the Nortel Application Switch. A
version of the image ships with the switch, and comes pre-installed on the device. As new versions of the image are released, you can upgrade the software running on your switch.
Upgrading the software image on your switch requires the following:

Loading the new image onto a TFTP server on your network

Downloading the new image from the TFTP server to your switch

Selecting the new software image to be loaded into switch memory the next time the
switch is reset


Downloading New Software to Your Switch


The switch can store up to two different software images, called image1 and image2, as
well as boot software, called boot. When you download new software, you must specify
where it should be placed: either into image1, image2, or boot.
For example, if your active image is currently loaded into image1, you would probably load
the new image software into image2. This lets you test the new software and reload the original active image (stored in image1), if needed.
To download new software to your switch, you will need the following:

The image or boot software loaded on a TFTP server on your network

The hostname or IP address of the TFTP server

The name of the new software image or boot file

Set up the TFTP option (/cfg/sys/mgmt/tftp) for the TFTP connection. This sets
the default option for the gtimg and ptimg commands. However, note that you can
override this setting with the option provided to these operational commands.

NOTE The DNS parameters must be configured if specifying hostnames (see Domain Name
System Configuration Menu on page 379).
When the above requirements are met, use the following procedure to download the new software to your switch.
1. At the Boot Options# prompt, enter:

Boot Options# gtimg

2. Enter the name of the switch software to be replaced:

Enter name of switch software image to be replaced
["image1"/"image2"/"boot"]: <image>

3. Enter the hostname or IP address of the TFTP server.

Enter hostname or IP address of TFTP server: <server name or IP address>


4. Enter the name of the new software file on the server.

Enter name of file on TFTP server: <filename>

The exact form of the name will vary by TFTP server. However, the file location is normally
relative to the TFTP directory (usually /tftpboot).

5. The system prompts you to confirm your request.

You should next select a software image to run, as described below.

Selecting a Software Image to Run


You can select which software image (image1 or image2) you want to run in switch memory for the next reboot.
1. At the Boot Options# prompt, enter:

Boot Options# image

2. Enter the name of the image you want the switch to use upon the next boot.
The system informs you of which image is currently set to be loaded at the next reset, and
prompts you to enter a new choice:
Currently set to use switch software "image1" on next reset.
Specify new image to use on next reset ["image1"/"image2"]:

Uploading a Software Image from Your Switch


You can upload a software image from the switch to a TFTP server.
1. At the Boot Options# prompt, enter:

Boot Options# ptimg

2. The system prompts you for information. Enter the desired image:

Enter name of switch software image to be uploaded
["image1"|"image2"|"boot"]: <image> <hostname or server-IP-addr> <server-filename>


3. Enter the name or the IP address of the TFTP server:

Enter hostname or IP address of TFTP server: <server name or IP address>

4. Enter the name of the file into which the image will be uploaded on the TFTP server:

Enter name of file on TFTP server: <filename>

5. The system then requests confirmation of what you have entered. To have the file
uploaded, enter Y.
image2 currently contains Software Version 20.2.0.7
Upload will transfer image2 (1889411 bytes) to file "test"
on TFTP server 192.1.1.1.
Confirm upload operation [y/n]: y

Selecting a Configuration Block


When you make configuration changes to the Nortel Application Switch, you must save the
changes so that they are retained beyond the next time the switch is reset. When you perform
the save command, your new configuration changes are placed in the active configuration
block. The previous configuration is copied into the backup configuration block.
There is also a factory configuration block. This holds the default configuration set by the factory
when your Nortel Application Switch was manufactured. Under certain circumstances, it may be
desirable to reset the switch configuration to the default. This can be useful when a custom-configured Nortel Application Switch is moved to a network environment where it will be reconfigured for a different purpose.
Use the following procedure to set which configuration block you want the switch to load the
next time it is reset:
1. At the Boot Options# prompt, enter:

Boot Options# conf

2. Enter the name of the configuration block you want the switch to use:


The system informs you of which configuration block is currently set to be loaded at the next
reset, and prompts you to enter a new choice:
Currently set to use active configuration block on next reset.
Specify new block to use ["active"/"backup"/"factory"]:


Resetting the Switch


You can reset the switch to make your software image file and configuration block changes take effect.
NOTE Resetting the switch causes the Spanning Tree Protocol to restart. This process can be
lengthy, depending on the topology of your network.
To reset the switch, at the Boot Options# prompt, enter:
>> Boot Options# reset

You are prompted to confirm your request.


CHAPTER 10

The Maintenance Menu


The Maintenance Menu is used to manage dump information and forward database information. It also includes a debugging menu to help with troubleshooting.

/maint
Maintenance Menu
NOTE To use the Maintenance Menu, you must be logged in to the switch as
the administrator.
[Maintenance Menu]
sys     - System Maintenance Menu
fdb     - Forwarding Database Manipulation Menu
arp     - ARP Cache Manipulation Menu
route   - IP Route Manipulation Menu
ip6     - IP6 Manipulation Menu
debug   - Debugging Menu
uudmp   - Uuencode FLASH dump
ptdmp   - Upload FLASH dump via FTP/TFTP
cldmp   - Clear FLASH dump
lsdmp   - List FLASH dump
panic   - Dump state information to FLASH and reboot
tsdmp   - Tech support dump
pttsdmp - Upload tech support dump via FTP/TFTP
sslrst  - Reset SSL card

Dump information contains internal switch state data that is written to flash memory on the
Nortel Application Switch after any one of the following occurs:

The switch administrator forces a switch panic. The panic option, found in the Maintenance Menu, causes the switch to dump state information to flash memory, and then
causes the switch to reboot.


The switch administrator enters the switch reset key combination on a device that is
attached to the console port. The switch reset key combination is <Shift><Ctrl><->.
The watchdog timer forces a switch reset. The purpose of the watchdog timer is to reboot
the switch if the switch software freezes.
The switch detects a hardware or software problem that requires a reboot.
Table 10-1 Maintenance Menu Options (/maint)

Command Syntax and Usage


sys
Displays the System Maintenance Menu. To view menu options, see page 522.
fdb
Displays the Forwarding Database Manipulation Menu. To view menu options, see page 522.
arp
Displays the ARP Cache Manipulation Menu. To view menu options, see page 523.
route
Displays the IP Route Manipulation Menu. To view menu options, see page 525.
ip6
Displays the IPv6 Manipulation Menu. To view menu options, see page 526.
debug
Displays the Debugging Menu. To view menu options, see page 527.
uudmp
Displays dump information in uuencoded format. For details, see page 528.
ptdmp hostname filename [-mgmt| -data]
Saves the system dump information using TFTP. For details, see page 529.
cldmp
Clears dump information from flash memory. For details, see page 529.
lsdmp
Displays the list of flash dumps. For details, see page 530.
panic
Dumps MP information to FLASH and reboots. For details, see page 530.
tsdmp
Dumps all Nortel Application Switch information, statistics, and configuration. You can log the
tsdmp output into a file, and send it to Nortel Networks Tech Support for debugging purposes.
For details, see page 531.

pttsdmp <hostname> <filename> <-tftp|username password> [-mgmt|-data]
Upload tech support dump using FTP/TFTP. For details, see page 531.
sslrst
Reset the SSL card. For details, see page 531.


/maint/sys
System Maintenance Options
This menu is reserved for use by the Nortel Networks Customer Support group. The options are
used to perform system debugging.
[System Maintenance Menu]
flags   - Set NVRAM flag word
sfpinfo - Show SFP information

Table 10-2 System Maintenance Menu Options (/maint/sys)


Command Syntax and Usage
flags <new NVRAM flags word as 0xXXXXXXXX>
This command sets the flags that are used for debugging purposes by the Tech Support group.
sfpinfo <port_number>
Show the SFP information. For example:
>> System Maintenance# sfpinfo 1
Probing SFP on port 1 - please wait
Invalid: Port 1 does not support SFP's

/maint/fdb
Forwarding Database Options
[FDB Manipulation Menu]
find    - Show a single FDB entry by MAC address
port    - Show FDB entries for a single port
trunk   - Show FDB entries on a single trunk
vlan    - Show FDB entries for a single VLAN
refpt   - Show FDB entries referenced by a single port
dump    - Show all FDB entries
del     - Delete an FDB entry
clear   - Clear entire FDB

The Forwarding Database Manipulation Menu can be used to view information and to delete a
MAC address from the forwarding database or clear the entire forwarding database. This is
helpful in identifying problems associated with MAC address learning and packet forwarding
decisions.

Table 10-3 FDB Manipulation Menu Options (/maint/fdb)


Command Syntax and Usage
find <MAC address> [<VLAN>]
Displays a single database entry by its MAC address. You are prompted to enter the MAC address
of the device. Enter the MAC address using the xx:xx:xx:xx:xx:xx format (such as
08:00:20:12:34:56) or xxxxxxxxxxxx format (such as 080020123456).
port <port number, 0 for unknown>
Displays all FDB entries for a particular port. Use 0 for unknown port number.
trunk <trunk number (1-12)>
Displays all FDB entries for the specified trunk group.
vlan <VLAN number (1-4090)>
Displays all FDB entries on a single VLAN.
refpt <SP number (1-4)>
Displays all FDB entries referenced by a single port.
dump
Displays all entries in the Forwarding Database. For details, see page 90.
del <MAC address> [<VLAN number>]
Removes a single FDB entry.
clear
Clears the entire Forwarding Database from switch memory.

/maint/arp
ARP Cache Options
[Address Resolution Protocol Menu]
find    - Show a single ARP entry by IP address
port    - Show ARP entries on a single port
vlan    - Show ARP entries on a single VLAN
refpt   - Show ARP entries referenced by a single SP
dump    - Show all ARP entries
clear   - Clear ARP cache
addr    - Show ARP address list


Table 10-4 Address Resolution Protocol Menu Options (/maint/arp)


Command Syntax and Usage
find <IP address (such as, 192.4.17.101)>
Shows a single ARP entry by IP address.
port <port number>
Displays ARP entries on a single port. See page 524 for a sample output.
vlan <VLAN number (1-4090)>
Shows ARP entries on a single VLAN.
refpt <SP number (1-4)>
Shows all ARP entries referenced by a single port.
dump
Shows all ARP entries.
clear
Clears the entire ARP list from switch memory.
addr
Shows the list of IP addresses which the switch will respond to for ARP requests.

/maint/arp/port <port number>


ARP Entries on a Single Port
IP address      Flags MAC address       VLAN Port  Referenced SPs
--------------- ----- ----------------- ---- ----- --------------
47.80.16.1            00:e0:16:7c:28:82    1     1 empty
47.80.16.81           00:e0:81:24:ef:3c    1     1 empty
47.80.17.169          00:04:75:db:1c:1a    1     1 empty

NOTE To display all ARP entries currently held in the switch, or a portion according to one
of the options listed on the menu above (find, port, vlan, refpt, dump), you can also
refer to ARP Information on page 112.


/maint/route
IP Route Manipulation
[IP Routing Menu]
find  - Show a single route by destination IP address
gw    - Show routes to a single gateway
type  - Show routes of a single type
tag   - Show routes of a single tag
if    - Show routes on a single interface
dump  - Show all routes
clear - Clear route table

Table 10-5 IP Route Manipulation Menu Options (/maint/route)


Command Syntax and Usage
find <IP4 address (eg, 192.4.17.101)> |
<IP6 address (eg, 3001:0:0:0:0:0:abcd:1234)>
Shows a single route by destination IP address.
gw <default gateway IP4 address (eg, 192.4.17.44)> |
<default gateway IP6 address (eg, 3001:0:0:0:0:0:abcd:1234)>
Shows routes to a default gateway.
type indirect|direct|local|broadcast|martian|multicast
Shows routes of a single type. For a description of IP routing types, see Table 4-19 on page 109.
tag fixed|static|addr|rip|ospf|bgp|broadcast|martian|vip
Shows routes of a single tag. For a description of IP routing tags, see Table 4-20 on page 109.
if <interface number (1-255)>
Shows routes on a single interface.
dump
Shows all routes.
clear
Clears the route table from switch memory.

NOTE To display all routes, you can also refer to IP Routing Information on page 108.


/maint/ip6
IPv6 Manipulation Menu
[IP6 Menu]
nbrcache - Neighbor Cache Manipulation Menu

Table 10-6 IPv6 Manipulation Menu Options


Command Syntax and Usage
nbrcache
Opens the Neighbor Cache menu whose only option is the clear command. This command is
used to clear the IPv6 Neighbor Cache table.


/maint/debug
Debugging Options
[Miscellaneous Debug Menu]
tbuf    - Show MP trace buffer
sptb    - Show SP trace buffer
spall   - Show All SPs trace buffers
clrcfg  - Clear all flash configs
portmap - Show port-SP-MAC mapping
vmasp   - Show designated SP for IP address
vmasp6  - Show designated SP for IP6 address

The Miscellaneous Debug Menu displays trace buffer information about events that can be
helpful in understanding switch operation. You can view the following information using the
debug menu:

Events traced by the Management Processor (MP)


Events traced by the Switch Processor (SP)
Events traced to a buffer area when a reset occurs

If the switch resets for any reason, the MP trace buffer and SP trace buffers are saved into the
snap trace buffer area. The output from these commands can be interpreted by the Nortel Networks Customer Support division.
Table 10-7 Miscellaneous Debug Menu Options (/maint/debug)
Command Syntax and Usage
tbuf
Displays the Management Processor trace buffer. Header information similar to the following is shown:
MP trace buffer at 13:28:15 Fri May 25, 2001; mask: 0x2ffdf748
The buffer information is displayed after the header.
sptb <port number (1-4)>
Displays the Switch Processor trace buffer. Header information similar to the following is shown:
SP 1 trace buffer at 10:56:35 Tue Jul 30, 2002; mask: 0x00800008
The buffer information is displayed after the header.
spall
Displays all Switch Processor trace buffers. Header information similar to the following is shown:
SP 1 trace buffer at 10:56:35 Tue Jul 30, 2002; mask: 0x00800008
The buffer information is displayed after the header.
clrcfg
Deletes all flash configuration blocks.

portmap
Show port to SP to MAC mapping.
vmasp <IP address>
Displays the assigned SP (Switch Processor) for this IP address.
vmasp6 <IP_address>
Show designated SP for IP6 address.

/maint/uudmp
Uuencode Flash Dump
Using this command, dump information is presented in uuencoded format. This format makes
it easy to capture the dump information as a file or a string of characters. You can then contact
Nortel Networks Customer Support for help analyzing the information.
If you want to capture dump information to a file, set your communication software on your
workstation to capture session data prior to issuing the uudmp command. This will ensure that
you do not lose any information. Once entered, the uudmp command will cause approximately
23,300 lines of data to be displayed on your screen and copied into the file.
Using the uudmp command, dump information can be read multiple times. The command
does not cause the information to be updated or cleared from flash memory.
NOTE Dump information is not cleared automatically. In order for any subsequent dump
information to be written to flash memory, you must manually clear the dump region. For more
information on clearing the dump region, see page 529.
To access dump information, at the Maintenance# prompt, enter:
Maintenance# uudmp

The dump information is displayed on your screen and, if you have configured your communication software to do so, captured to a file. If there is a dump available, the system prompts as
follows:
>> Maintenance# uu
Enter region to dump [main/bkp]: main
Dumping main region:
Use 'ptdmp' to extract panic dumps.
Confirm proceed with large dump (15000 lines) [y/n]:

If the dump region is empty, the following message appears:


No FLASH dump available.
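
As an added example (not part of this manual or of the switch software), the Python below extracts the uuencoded dump from a saved terminal capture and decodes it, recording a SHA-256 digest and the number of lines that arrived shorter than their declared length. It assumes the capture uses conventional uuencode framing ("begin <mode> <name>" through "end"), which this page does not show; the names extract_uu_blocks, UuBlock and constructed_capture are chosen here, and the sample capture is constructed.

```python
import binascii
import hashlib
from dataclasses import dataclass


@dataclass
class UuBlock:
    name: str          # file name taken from the "begin" line
    data: bytes        # decoded dump bytes
    sha256: str        # digest to record before the dump is passed on
    short_lines: int   # lines shorter than their declared length


def extract_uu_blocks(capture: str) -> list:
    """Decode every uuencoded block found in a captured terminal session.

    Assumption: conventional framing, 'begin <octal mode> <name>' ... 'end'.
    Prompts and banners outside the framing are ignored; anything inside it
    that is not valid uuencoding raises ValueError with the line number, so
    a pager prompt or dropped characters cannot silently corrupt the dump.
    """
    blocks, name, chunks, short = [], None, [], 0
    for lineno, raw in enumerate(capture.splitlines(), 1):
        line = raw.rstrip("\r\n")
        if name is None:
            parts = line.split(None, 2)
            if len(parts) == 3 and parts[0] == "begin" and parts[1].isdigit():
                name, chunks, short = parts[2], [], 0
            continue
        if line.strip() == "end":
            data = b"".join(chunks)
            digest = hashlib.sha256(data).hexdigest()
            blocks.append(UuBlock(name, data, digest, short))
            name = None
            continue
        if not line.strip():
            # A zero-length line whose single space the terminal stripped;
            # skip it here rather than hand a2b_uu an empty buffer.
            continue
        declared = (ord(line[0]) - 32) & 0x3F
        if len(line) < 1 + 4 * ((declared + 2) // 3):
            # Harmless if only trailing spaces were stripped (a space encodes
            # zero bits and a2b_uu pads with zeros); otherwise data was lost.
            short += 1
        try:
            chunks.append(binascii.a2b_uu(line.encode("ascii")))
        except (binascii.Error, UnicodeEncodeError) as exc:
            raise ValueError(f"line {lineno}: not uuencoded data ({exc})") from exc
    if name is not None:
        raise ValueError("capture ends inside a uuencoded block (no 'end' line)")
    return blocks


def constructed_capture(payload: bytes, strip_trailing: bool = False) -> str:
    """Build a sample session capture (constructed, not real switch output)."""
    lines = [">> Maintenance# uudmp", "begin 644 constructed.dmp"]
    for i in range(0, len(payload), 45):
        enc = binascii.b2a_uu(payload[i:i + 45]).decode("ascii").rstrip("\n")
        lines.append(enc.rstrip() if strip_trailing else enc)
    lines += ["`", "end", ">> Maintenance# "]
    return "\r\n".join(lines)


if __name__ == "__main__":
    sample = b"constructed switch state " * 4 + bytes(7)
    for block in extract_uu_blocks(constructed_capture(sample, strip_trailing=True)):
        print(block.name, len(block.data), block.sha256, block.short_lines)
```

A non-zero short_lines count means the capture should be compared against a second uudmp run, which is possible because the command does not clear the dump from flash memory.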

/maint/ptdmp <server> <filename>


System Dump Put
Use this command to put (save) the system dump to a TFTP or FTP server.
NOTE If the TFTP or FTP server is running SunOS or the Solaris operating system,
the specified ptdmp file must exist prior to executing the ptdmp command, and must be writable (set with proper permission, and not locked by any application). The contents of the specified file will be replaced with the current dump data.
To save dump information via TFTP or FTP, at the Maintenance# prompt, enter:
Maintenance# ptdmp <hostname> <filename> <-tftp|username password>
[-mgmt|-data]

Where server is the TFTP or FTP server IP address or hostname, and filename is the target
dump file.

/maint/cldmp
Clearing Dump Information
To clear dump information from flash memory, at the Maintenance# prompt, enter:
Maintenance# cldmp

The switch clears the dump region of flash memory and displays the following message:
FLASH dump region cleared.

If the flash dump region is already clear, the switch displays the following message:
FLASH dump region is already clear.


/maint/lsdmp
Use the /maint/lsdmp command to view dump statistics. For example:
>> Maintenance# lsdmp
The main dump was saved at 8:12:58 Fri Jun 3, 2005.
A backup dump was saved at 14:47:31 Mon Jun 20, 2005.

/maint/panic
Panic Command
The panic command causes the switch to immediately dump state information to flash memory and automatically reboot.
To select panic, at the Maintenance# prompt, enter:
>> Maintenance# panic
A FLASH dump already exists.
Confirm replacing existing dump and reboot [y/n]:

Enter y to confirm the command:


Confirm dump and reboot [y/n]: y

The following messages are displayed:


Loading Image:..........
Alteon Application Switch 2424
Rebooted because of Software PANIC.
Booting complete 19:15:23 Thu Jan 9, 2003:
Version 20.2.7 from FLASH image1, active config block.
Jan 9 19:15:32 NOTICE system: link up on port 25
Enter password:


/maint/tsdmp
Use the /maint/tsdmp command to dump all information that can be used for technical
support. For example:
>> Maintenance# tsdmp
Confirm dumping all information, statistics, and configuration [y/n]:

/maint/pttsdmp
Use the /maint/pttsdmp command to upload a technical support dump using an FTP or TFTP
connection. The dump was performed earlier using the /maint/tsdmp command. For example:
>> Maintenance# ? pttsdmp
Usage: pttsdmp <hostname> <filename> <-tftp|username password> [mgmt|-data]
>> Maintenance# pttsdmp
Enter hostname or IP address of FTP/TFTP server: 0.0.0.0
Enter name of file on FTP/TFTP server: dump.txt
Enter username for FTP server or hit return for TFTP server: username
Enter password for username on FTP server:
Connecting to 0.0.0.0...
.
.

/maint/sslrst
Use the /maint/sslrst command to reset the switch SSL card.

Unscheduled System Dumps


If there is an unscheduled system dump to flash memory, the following message is displayed
when you log on to the switch:
Note: A system dump exists in FLASH. The dump was saved
at 19:15:23 Thu Jan 9, 2003. Use /maint/uudmp to
extract the dump for analysis and /maint/cldmp to
clear the FLASH region. The region must be cleared
before another dump can be saved.
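
As an added example (not part of this manual or of the switch software), the Python below scans a captured console or CLI session for the dump messages shown in this chapter and reports which dumps exist, how many panic reboots were logged, and whether the flash dump region is still occupied, in which case a later dump cannot be saved. The function name triage and the sample capture are constructed here; the capture is stitched together from this chapter's sample messages.

```python
import re
from datetime import datetime

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Message texts copied from the samples in this chapter.
SAVED = re.compile(
    r"(main dump|backup dump|The dump) was saved at "
    r"(\d{1,2}):(\d{2}):(\d{2}) \w{3} (" + "|".join(MONTHS) + r") (\d{1,2}), (\d{4})")
REGION_EMPTY = re.compile(
    r"FLASH dump region cleared\.|FLASH dump region is already clear\."
    r"|No FLASH dump available\.")
PANIC_BOOT = "Rebooted because of Software PANIC."

# Constructed sample: the chapter's own messages placed in one session.
CONSTRUCTED_CAPTURE = """\
Rebooted because of Software PANIC.
Booting complete 19:15:23 Thu Jan 9, 2003:
Note: A system dump exists in FLASH. The dump was saved
at 19:15:23 Thu Jan 9, 2003. Use /maint/uudmp to
extract the dump for analysis and /maint/cldmp to
clear the FLASH region. The region must be cleared
before another dump can be saved.
>> Maintenance# lsdmp
The main dump was saved at 8:12:58 Fri Jun 3, 2005.
A backup dump was saved at 14:47:31 Mon Jun 20, 2005.
"""


def triage(capture: str) -> dict:
    """Summarise flash-dump state from a captured console or CLI session."""
    # The login banner wraps mid-sentence, so collapse all whitespace first.
    flat = " ".join(capture.split())
    events = []
    for m in SAVED.finditer(flat):
        hh, mm, ss, mon, day, year = m.group(2, 3, 4, 5, 6, 7)
        when = datetime(int(year), MONTHS.index(mon) + 1, int(day),
                        int(hh), int(mm), int(ss))
        source = "login banner" if m.group(1) == "The dump" else m.group(1)
        events.append((m.start(), source, when))
    for m in REGION_EMPTY.finditer(flat):
        events.append((m.start(), None, None))
    events.sort(key=lambda e: e[0])

    # Replay in session order: the last message seen decides the final state.
    dumps, occupied = [], False
    for _, source, when in events:
        occupied = source is not None
        if occupied:
            dumps.append((source, when))
    return {
        "dumps": dumps,
        "newest_dump": max((w for _, w in dumps), default=None),
        "panic_reboots": flat.count(PANIC_BOOT),
        "region_occupied": occupied,
    }


if __name__ == "__main__":
    report = triage(CONSTRUCTED_CAPTURE)
    for source, when in report["dumps"]:
        print(f"{source:12} saved {when.isoformat()}")
    print("panic reboots:", report["panic_reboots"])
    print("dump region occupied:", report["region_occupied"])
```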


CHAPTER 11

The SSL Processor Menu


The SSL Menu is used to connect to the SSL processor.
NOTE To use the SSL Processor Menu, you must be logged in to the processor as
the administrator.

Login to the SSL processor


Log into the SSL Processor as described in the following paragraphs.
Go to the main menu and enter the SSL processor level.
# cd /
-----------------------------------------------------------[Main Menu]
info    - Information Menu
stats   - Statistics Menu
cfg     - Configuration Menu
oper    - Operations Command Menu
boot    - Boot Options Menu
maint   - Maintenance Menu
ssl     - SSL Accelerator Menu
diff    - Show pending config changes [global command]
apply   - Apply pending config changes [global command]
save    - Save updated config to FLASH [global command]
revert  - Revert pending or applied changes [global command]
exit    - Exit [global command, always available]
>> Main# ssl


Enter the appropriate account information to log on to the processor.


>> Main# ssl
Connected to SSL Processor. Type "exit" to quit.
login: admin
Password:
Alteon iSD SSL
Hardware platform: 2424S
Software version: 5.0.0.34
-----------------------------------------------------------[Main Menu]
info    - Information menu
stats   - Statistics menu
cfg     - Configuration menu
boot    - Boot menu
maint   - Maintenance menu
diff    - Show pending config changes [global command]
apply   - Apply pending config changes [global command]
revert  - Revert pending config changes [global command]
paste   - Restore saved config with key [global command]
help    - Show command help [global command]
exit    - Exit [global command, always available]
SSL >> Main#

NOTE Help information on specific commands uses the help command, not the ?
symbol used at other directory levels. The command must also be spelled out in full. For
example, to request help on the apply command, enter:
SSL >> Main# help diff
Show any pending configuration changes.


/ssl
SSL Processor Menu
[Main Menu]
info    - Information menu
stats   - Statistics menu
cfg     - Configuration menu
boot    - Boot menu
maint   - Maintenance menu
diff    - Show pending config changes [global command]
apply   - Apply pending config changes [global command]
revert  - Revert pending config changes [global command]
paste   - Restore saved config with key [global command]
help    - Show command help [global command]
exit    - Exit [global command, always available]

Table 11-1 FDB Manipulation Menu Options (/maint/fdb)


Command Syntax and Usage
info
Go to the Information level of the SSL Processor menu. For details, see page 536.
stats
Go to the Statistics level of the SSL Processor menu. For details, see page 540.
cfg
Go to the Configuration level of the SSL Processor menu. For details, see page 545.
boot
Go to the Boot level of the SSL Processor menu. For details, see page 649.
maint
Go to the Maintenance level of the SSL Processor menu. For details, see page 652.
diff
Shows any pending configuration changes. For example:
SSL >> Main# diff
Configuration/
Certificate menu: new child "1" created
apply
Applies pending configuration changes.
revert
Remove pending configuration changes. Use this command to undo configuration parameters set
since last apply command. For example:

paste
Lets you restore a saved configuration that includes private keys. Before pasting the configuration,
you need to provide the password phrase you specified when selecting to include the private keys
in the configuration dump.
help
Displays a summary of the global commands.
exit
Leave the SSL Processor menu.

/ssl/info
SSL Performance information menu
[Information Menu]
servers  - Show configured SSL servers
certs    - Show configured certificates
hsm      - Show local HSM information
sslvpn   - Show configured VPNs
users    - Show logged in SSL VPN portal users
ipsec    - Show logged in IPSEC users
ippool   - Show ip pool allocations
ip       - Find information about an IP address
sys      - Show system configuration
licenses - Show SSL VPN portal license usage
access   - Print the access rules of an SSL VPN portal user
kick     - Kick an SSL VPN portal user
isdlist  - Show all iSDs and their operational status
local    - Show local iSD information
ethernet - Show local ethernet status information
ports    - Show local port(s) information
events   - Inspect Events menu


Table 11-2 Address Resolution Protocol Menu Options (/maint/arp)


Command Syntax and Usage
servers
Displays the current SSL server settings, including SSL specific settings for each configured virtual SSL server.
certs
Displays the certificate name, serial number, expiration date, and key size for each installed certificate. Information related to the subject of the certificate is also displayed. For example:
Certificate 1:
Certificate name =
No certificate information.
Validate: key or certificate not defined.
No key has been defined.
No key has been defined.
Revocation:
Automatic CRL:
URL to retrieve CRL from =
LDAP DN used for bind/authentication =
Password to use when to authenticate =
Refresh interval = 1d
List of accepted signers of CRLs =
Enable automatic retrieval = disabled
hsm
Displays information related to the HSM card(s) on the iSD310-SSL FIPS device to which you are
currently connected. Information about the current security mode (Extended Security mode or
FIPS mode) in the iSD310-SSL FIPS cluster is displayed, as well as user login information (SO or
USER) for each HSM card on the iSD310-SSL FIPS device.
HSM information is only displayed when you are using the iSD310-SSL FIPS model.
sslvpn
Show the configured VPNs.
users
Shows all logged in VPN portal users. For example:
Number of currently logged in users: 0
VPN Id User Login Source IP      Access Group:Profile...Variables...
------ ---- ----- -------------- ----------------
ipsec [<vpnid> [<prefix>]]
Show number of IPSEC users logged-in. For example:
Number of active ipsec sessions for all VPNs: 0
ippool [<vpnid>]
Displays the IP pool allocations.

ip <IP_address>
Display information about a specific IP address. For example:
SSL >> Information# ip
Enter IP to search for: 0.0.0.0
IP 0.0.0.0 not allocated from IP pool
sys
Shows the system configuration. For example (in part):
System:
Management IP (MIP) address = 10.10.10.72
iSD Host 1:
Type of the iSD = master
IP address = 10.10.10.71
License =
IPSEC user sessions: 10
TPS: 300
SSL user sessions: 10
Default gateway address = 10.10.10.69
Ports = 1
Hardware platform = 2424S
Host Routes:
No items configured
Host Interface 1:
IP address = 10.10.10.71
Network mask = 255.255.255.0
Default gateway address = 0.0.0.0
VLAN tag id = 0
Mode = failover
Host Interface Routes:
No items configured
Interface Ports:
1
.
.
.
licenses [<vpn_ID>]
Show the SSL VPN port licenses. For example:
Global License Pools
VPN      Used    Size
-----------------------------------------------------
SSL      0       10
IPSEC    0       10
access <vpnid> <username>
Display the access rules for an SSL Portal user.
kick <vpnid> <username>
Kick an SSL VPN user.

isdlist
Displays the IP addresses, master/slave assignments, CPU usage, memory usage, and operational
status for all the iSDs in the cluster. An asterisk (*) in the MIP column indicates which iSD in the
cluster is currently in control of the Management IP. An asterisk (*) in the Local column indicates
the particular iSD to which you have connected. For example:
SSL >> Information# isdlist
IP addr       type    MIP  Local  cpu(%)  mem(%)  op
10.10.10.71   master  *    *      2       52      up

local
Displays the current software version, iSD hardware platform, up time (since last boot), IP address,
and Ethernet MAC address for the particular iSD host to which you have connected. If you have
connected to the MIP address, the information displayed relates to the iSD host in the cluster that
currently is in control of the MIP. For example:
SSL >> Information# local
Alteon iSD SSL
Hardware platform: 2424S
Software version: 5.0.0.34
Up time: 11 days 1 hour 52 minutes
IP address: 10.10.10.71
MAC address: 00:01:81:2e:bc:6f
ethernet
Displays statistics for the Ethernet network interface card (NIC) on the particular iSD host to
which you have connected. If you have connected to the MIP address, the information displayed
relates to the iSD host in the cluster that currently is in control of the MIP. If more than one network is configured in the cluster, Ethernet statistics for the respective network are displayed.
RX packets: the total number of received packets
TX packets: the total number of transmitted packets
errors: packets lost due to error
dropped: error due to lack of resources
overruns: error due to lack of resources
frame: error due to malformed packets
carrier: error due to lack of carrier
collisions: number of packet collisions
Note: A non-zero collision value may indicate an incorrect configuration of the Ethernet autonegotiation.

For example:
I/f 1: RX packets:3438 errors:0 dropped:0 overruns:0 frame:0
I/f 1: TX packets:2738 errors:0 dropped:0 overruns:0
carrier:0 collisions:0
I/f 1: RX bytes:220060 (214.9 Kb) TX bytes:205486 (200.6 Kb)

ports
Displays the status of the local Ethernet interface (NIC) ports on the particular iSD host to which
you have connected. If you have connected to the MIP address, the information displayed relates to
the iSD host in the cluster that currently is in control of the MIP.
For each port, link status (up/down) and Ethernet autonegotiation setting (on/off) are shown. If the
link is up, current values for speed (10/100/1000) and duplex mode (half/full) are also shown. If
the link is down and autonegotiation is set to off, the configured values for speed and duplex mode
are shown instead.
For example:
SSL >> Information# ports
Port 1: link = up, autoneg = on, speed = 1000, mode = full
events
Go to the Inspect events menu. For details, see page 540.

/ssl/info/events
SSL Performance Menu
[Events Menu]
alarms   - List all pending alarms
download - Dump the event log file to a TFTP/FTP/SFTP server

Table 11-3 SSL Performance Menu Options


Command Syntax and Usage
alarms
Displays all alarms in the active alarm list by their main attributes: severity level, alarm ID number, date and time when triggered, alarm name, sender, and cause.
download <protocol> <IP_address | hostname> <filename>
Transmits the event log file from the iSD cluster to a file on a TFTP server. Specify the IP address
or host name of the TFTP server, as well as a file name.


/ssl/stats
SSL Performance Statistics menu
[Statistics Menu]
sslstats - SSL stats
ipsec    - IPSEC stats
aaa      - AAA specific statistics
dump     - Dump all information

Table 11-4 IP Route Manipulation Menu Options (/maint/route)


Command Syntax and Usage
sslstats
Go to the SSL statistics menu. To view menu options, see page 542.
ipsec
Go to the IPSEC statistics menu. To view menu options, see page 545.
aaa
Go to the AAA specific statistics. To view menu options, see page 548.
dump
Displays cluster-wide SSL statistics for each virtual SSL server in the cluster, as well as the number of
active request sessions, and the total number of completed request sessions. The total number of initiated SSL client connections, and the total number of established SSL client connections as accumulated
values for all virtual SSL servers in the cluster are also displayed. Histograms, however, are not
included in the output.


/ssl/stats/sslstats
SSL Performance Menu
[SSL stats Menu]
vpn        - Cluster SSL VPN statistics
server     - Cluster SSL Server statistics
local      - Local statistics for each isdhost
clear      - Clear all statistics for all IPs
activesess - Number of currently active request sessions
totalsess  - Total completed request sessions
sslaccept  - Total completed SSL accept
sslconnect - Total completed SSL connect
tpshisto   - Cluster-wide TPS histograms for all servers
clihisto   - cluster wide client data histograms for all servers
srvhisto   - cluster wide server data histograms for all servers

Table 11-5 SSL Performance Menu Options


Command Syntax and Usage
vpn <VPN_number>
Displays the cluster-wide statistics for SSL VPN.
server <server_number>
Displays the cluster-wide statistics for SSL servers.
local
Go to the Local SSL Statistics Menu. To view menu options, see page 543.
clear
Erase all statistics for all IPs.
activesess
Display the number of currently active requests. For example:
active_sessions : 0
totalsess
Display the total number of completed request sessions.
sslaccept
Display the total number of completed SSL request sessions.
sslconnect
Display the total number of successful SSL connections.
tpshisto
Display the total number of cluster-wide TPS histograms for all servers.
clihisto
Display the total number of cluster-wide client data histograms for all servers.

srvhisto
Display the total number of cluster-wide server data histograms for all servers.

/ssl/stats/sslstats/local
SSL Performance SSL Local Statistics Menu
[Local SSL Statistics Menu]
isdhost  - ISD local SSL server statistics menu
overview - Overview of isdhost local statistics
tpshisto - ISD local TPS histograms for all servers/ISDs
clihisto - ISD local client byte/s histos for all servers/ISDs
srvhisto - ISD local server data byte/s histos for all servers/ISDs
license  - ISD local license statistics
dump     - Dump all information

Table 11-6 SSL Performance: SSL Local Statistics Menu Options


Command Syntax and Usage
isdhost <host_number>
Go to the ISD local SSL Statistics Menu. To view menu options, see page 544.
overview
Display an overview of the isdhost local statistics.
tpshisto
Display ISD local TPS histograms for all servers/ISDs.
clihisto
Display ISD local client data histograms for all servers and ISDs.
srvhisto
Display ISD local server data histograms for all servers and ISDs.
license
Display local ISD license statistics. For example:
**** License stats at ISD number '1' ****
License    Limit reached times
tps        {ok,0}

dump
Display all local statistical information.


/ssl/stats/sslstats/local/isdhost
SSL Performance: Single ISD SSL Statistics Menu
[Single ISD SSL Stats 1 Menu]
server   - ISD local SSL server stats
tpshisto - ISD local TPS histograms for all servers
clihisto - ISD local client byte/s histograms for all servers
srvhisto - ISD local server byte/s histograms for all servers
dump     - Dump all information

Table 11-7 SSL Performance: Single ISD SSL Statistics Menu Options
Command Syntax and Usage
server
Displays statistics for the local ISD SSL server.
tpshisto
Displays ISD local TPS histograms for all servers.
clihisto
Displays ISD local client data histograms for all servers.
srvhisto
Displays ISD local server histograms for all servers.
dump
Displays all statistical information.


/ssl/stats/ipsec
IPSEC Statistics menu
[IPSEC stats Menu]
vpn        - Cluster IPSEC Server statistics
local      - Local statistics for each isdhost
clear      - Clear all ipsec statistics for all IPs
activesess - Number of currently active ipsec sessions
totalsess  - Total completed ipsec sessions
failedsess - Total failed ipsec sessions
enctot     - Total encoded kBytes
enc        - Encoded kB/sec last minute
dectot     - Total decoded kBytes
dec        - Decoded kB/sec last minute
sesshisto  - Cluster-wide ipsec session histograms for all servers
enchisto   - Cluster-wide ipsec encrypt histograms for all servers
dechisto   - Cluster-wide ipsec decrypt histograms for all servers

Table 11-8 IPSEC Statistics Menu Options


Command Syntax and Usage
vpn <VPN_number>
Displays cluster IPSEC server statistics.
local
Go to the local statistics menu. To view menu options, see page 546.
clear
Clear all IPSEC statistics.
activesess
Display the number of currently active IPSEC sessions.
totalsess
Display the number of completed IPSEC sessions.
failedsess
Display the number of failed IPSEC sessions.
enctot
Display the total number of encoded kBytes.
enc
Display the total number of encoded kBytes in the last 60 seconds.
dectot
Display the total number of decoded kBytes.
dec
Display the total number of decoded kBytes in the last 60 seconds.

sesshisto
Display the Cluster-wide ipsec session histograms for all servers.
enchisto
Display the Cluster-wide ipsec encrypt histograms for all servers.
dechisto
Display the Cluster-wide ipsec decrypt histograms for all servers.

/ssl/stats/ipsec/local
SSL Performance: Local IPSEC Statistics Menu
[Local IPSEC Statistics Menu]
isdhost   - ISD local IPSEC server statistics menu
sesshisto - ISD local ipsec session histograms for all VPNs/ISDs
enchisto  - ISD local ipsec encrypt histograms for all VPNs/ISDs
dechisto  - ISD local ipsec decrypt histograms for all VPNs/ISDs
dump      - Dump all information

Table 11-9 SSL Performance: Local IPSEC Statistics Menu Options


Command Syntax and Usage
isdhost
Go to the ISD Local IPSEC server statistics menu. To view menu options, see page 547.
sesshisto
Displays the local IPSEC session histograms for all VPNs and ISDs.
enchisto
Displays the local IPSEC encryption histograms for all VPNs and ISDs.
dechisto
Displays the local IPSEC decryption histograms for all VPNs and ISDs.
dump
Display all IPSEC statistical information.


/ssl/stats/ipsec/local/isdhost
SSL Performance: Single IPSEC ISD Statistics Menu
[Single ISD IPSEC Stats 1 Menu]
vpn        - ISD local IPSEC server stats
activesess - Locally active ipsec sessions all VPNs
totalsess  - Locally total ipsec sessions all VPNs
failedsess - Locally failed ipsec sessions, all VPNs
enctot     - Locally total ipsec encoded kBytes all VPNs
enc        - Locally ipsec encoded kB/sec last minute all VPNs
dectot     - Locally total ipsec decoded kBytes all VPNs
dec        - Locally ipsec decoded kB/sec last minute all VPNs
sesshisto  - ISD local ipsec sess histograms for all VPNs
enchisto   - ISD local ipsec encrypt histograms for all VPNs
dechisto   - ISD local ipsec decrypt histograms for all VPNs
dump       - Dump all information

Table 11-10 SSL Performance: Single IPSEC ISD Statistics Menu Options
Command Syntax and Usage
vpn <VPN_number>
Display the ISD local IPSEC server statistics.
activesess
Display the locally active IPSEC sessions for all VPNs.
totalsess
Display the total of locally active IPSEC sessions for all VPNs.
failedsess
Display the failed IPSEC sessions for all VPNs.
enctot
Display the total kBytes encoded for all VPNs.
enc
Display the locally encoded kBytes for all VPNs.
dectot
Display the total kBytes decoded for all VPNs.
dec
Display the locally decoded kBytes for all VPNs.
sesshisto
Display the ISD local IPSEC session histograms for all VPNs.
enchisto
Display the ISD local IPSEC encrypted histograms for all VPNs.

dechisto
Display the ISD local ipsec decrypt histograms for all VPNs.
dump
Display all ISD statistics.

/ssl/stats/aaa
AAA Statistics Menu
[AAA Statistics Menu]
total   - Cluster-wide authentication statistics (per VPN)
isdhost - ISD local authentication statistics (per VPN)
dump    - Dump all information

Table 11-11 AAA Statistics Menu Options


Command Syntax and Usage
total <VPN_ID>
Display the Cluster-wide authentication statistics for each VPN.
isdhost </cfg/sys/host number>
Display the ISD local authentication statistics for each VPN.
dump
Display all AAA statistics.

/ssl/cfg
SSL Performance Configuration Menu
[Configuration Menu]
ssl   - SSL offload menu
cert  - Certificate menu
vpn   - VPN menu
test  - Create test vpn, portal and certificate
quick - Quick vpn setup wizard
sys   - System-wide parameter menu
lang  - Language support
ptcfg - Backup configuration to TFTP/FTP/SCP/SFTP server
gtcfg - Restore configuration from TFTP/FTP/SCP/SFTP server
dump  - Dump configuration on screen for copy-and-paste


Table 11-12 SSL Performance Configuration Menu Options


Command Syntax and Usage
ssl
Go to the SSL offload menu. To view menu options, see page 551.
cert
Go to the Certificate menu. To view menu options, see page 554.
vpn
Go to the VPN menu. To view menu options, see page 573.
test
Create a test VPN, portal and certificate. For example:
SSL >> Configuration# test
Enter virtual IP address of test portal: 0.0.0.0
VPN user name: Test_vpn
VPN password: smith
Do you want to configure IPsec? (yes/no) [no]: n
Do you want to configure Netdirect? (yes/no) [no]: n
Creating VPN 1
Creating Linkset 1
Name: base-links
Creating Authentication 1
Calling /cfg/vpn 1/aaa/auth 1/local/add Test_vpn smith test
Creating Group 1
Name: test
Creating Access rule 1
Added base-links to linkset
Created /cfg/cert 2
Use 'apply' to activate.
quick
Create a VPN configuration using command prompts.
sys
Go to the System-wide parameter menu. To view menu options, see page 649.
lang
Go to the Language Support menu. To view menu options, see page 649.

ptcfg
Saves the current configuration, including private keys and certificates, to a TFTP server. The configuration can later be restored by using the gtcfg command. You are required to specify a password phrase before the information is sent to the TFTP server.
If you restore the configuration by using the gtcfg command, you will be prompted for the password phrase you have specified. The password phrase is used to protect the private keys in the configuration.

NOTE Note 1: If you have fully separated the Administrator user role from the Certificate Administrator user role, the export passphrase defined by the certificate administrator is used to protect the private keys in the configuration - transparently to the user.
When a configuration backup is restored by using the gtcfg command, the certificate
administrator must enter the correct passphrase.

NOTE Note 2: When using the ptcfg command on an iSD310-SSL FIPS, private keys
are encrypted using the wrap key that was generated when the first HSM card in the cluster was initialized.
gtcfg
Restores a configuration, including private keys and certificates, from a TFTP server. You need to
provide the password phrase you specified when saving the configuration to the TFTP server.

NOTE Note: If you have fully separated the Administrator user role from the Certificate Administrator user role (by removing the admin user from the certadmin group), the
certificate administrator must enter the passphrase that was defined by him or her using
the /cfg/sys/user/caphrase command.
dump
Display the configuration on-screen for a copy and paste operation.


/ssl/cfg/ssl
SSL Configuration Server Menu
[SSL Menu]
server - SSL server menu
test   - Create test server and certificate
quick  - Quick server setup wizard

Table 11-13 SSL Configuration Server Menu Options


Command Syntax and Usage
server
Go to the SSL Server menu. To view menu options, see page 552.
test
Create a test VPN, portal and certificate. For example:
SSL >> Configuration# test
Enter virtual IP address of test portal: 0.0.0.0
VPN user name: Test_vpn
VPN password: smith
Do you want to configure IPsec? (yes/no) [no]: n
Do you want to configure Netdirect? (yes/no) [no]: n
Creating VPN 1
Creating Linkset 1
Name: base-links
Creating Authentication 1
Calling /cfg/vpn 1/aaa/auth 1/local/add Test_vpn smith test
Creating Group 1
Name: test
Creating Access rule 1
Added base-links to linkset
Created /cfg/cert 2
Use 'apply' to activate.
quick
Create a VPN configuration using command prompts.


/ssl/cfg/ssl/server
SSL Configuration Server-specific Menu
[Server 1 Menu]
name       - Set server name
vips       - Set IP addr(s) of server
standalone - Set standalone mode
port       - Set listen port of server
rip        - Set real server IP addr
rport      - Set real server port
type       - Set type (generic/http/socks)
proxy      - Set transparent proxy mode (on/off)
trace      - Traffic trace menu
ssl        - SSL settings menu
tcp        - TCP endpoint settings menu
adv        - Advanced settings menu
del        - Remove virtual server
ena        - Enable virtual server
dis        - Disable virtual server

Table 11-14 SSL Configuration Server-specific Menu Options


Command Syntax and Usage
name <string>
Enter the name of the server.
vips <IP_address>
Enter the virtual IP address for the server.
standalone on|off
Set the standalone mode.
port <integer>
Set the listen port for the server.
rip <IP_address>
Set the actual server IP address.
rport <integer>
Set the actual server port number.
type <generic/http/socks>
Set the port type.
proxy on|off
Set the proxy mode.
trace
Go to the Trace menu. To view menu options, see page 554.

ssl
Go to the SSL Settings menu. To view menu options, see page 555.
tcp
Go to the TCP endpoints menu. To view menu options, see page 556.
adv
Go to the Advanced settings menu. To view menu options, see page 557.
del
Remove the virtual server.
ena enabled|disabled
Enable the virtual server.
dis enabled|disabled
Disable the virtual server.


/ssl/cfg/ssl/server/trace
SSL Configuration Server-specific Trace Menu
[Trace Menu]
ssldump    - Create traffic dump
tcpdump    - Create traffic dump
ping       - Ping through backend interface
dnslookup  - Lookup a name in DNS through backend interface
traceroute - traceroute through backend interface

Table 11-15 SSL Configuration Server-specific Trace Menu Options


Command Syntax and Usage
ssldump
Create a traffic dump. Information on creating dump patterns can be found at
http://www.tcpdump.org/tcpdump_man.html.
tcpdump
Create a traffic dump. Information on creating dump patterns can be found at
http://www.tcpdump.org/tcpdump_man.html.
ping <hostname>
Use this command to verify station-to-station connectivity across the network.
dnslookup <hostname>
Lookup a hostname in DNS.
traceroute <hostname>
Use this command to identify the route used for station-to-station connectivity across the network.


/ssl/cfg/ssl/server/ssl
SSL Configuration Server-specific SSL Menu
[SSL Settings Menu]
cert      - Set server certificate
cachesize - Set SSL cache size
cachettl  - Set SSL cache timeout
cacerts   - Set list of accepted signers of client certificates
cachain   - Set list of CA chain certificates
protocol  - Set protocol version
verify    - Set certificate verification level
ciphers   - Set cipher list
ena       - Enable SSL
dis       - Disable SSL

Table 11-16 SSL Configuration Server-specific SSL Menu Options


Command Syntax and Usage
cert unset|set
Create a server certificate.
cachesize <integer>
Set the SSL cache size.
cachettl <integer>
Set the SSL cache timeout (in seconds).
cacerts <integerlist>
Set the list of authorized signers of client certificates. Separate the signer list using commas.
cachain <integerlist>
Set the list of CA chain certificates. Separate the list using commas.
protocol <issl2/ssl3/ssl23/tls1>
Set the protocol version.
verify none|optional|require
Set the verification level of the certificate.
ciphers
Set the cipher list. The cipher list consists of one or more cipher strings separated by colons (e.g.
SSLv3:TLSv1). Lists of cipher suites can be combined using a logical AND operation (+) (e.g.
SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms).
Each cipher string can be optionally preceded by the characters !, - or +. ! permanently deletes the
ciphers from the list (e.g. !RSA). - deletes the ciphers from the list, but the ciphers can be added
again by later options. + moves the ciphers to the end of the list. This option doesn't add any new
ciphers; it just moves matching existing ones.
Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption
algorithm key length.

ena yes|no
Enable SSL.
dis yes|no
Disable SSL.
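
The cipher list rules given for the ciphers option above (colon-separated strings, + as AND, the !, - and + prefixes, and @STRENGTH), modelled in Python as an added example that is not Nortel code and not part of the original reference. The suite table and its tag names are constructed, and the 128-bit floor, the strongest-first sort direction and the error on unknown strings are assumptions of this example.

```python
# Added example: simplified model of the cipher-list rules described for the
# `ciphers` option. The suite table is constructed for illustration; it is not
# the switch's real cipher inventory.

# name -> (tags a cipher string can select on, encryption key length in bits)
SUITES = {
    "AES256-SHA":          ({"RSA", "AES", "SHA1"}, 256),
    "AES128-SHA":          ({"RSA", "AES", "SHA1"}, 128),
    "DES-CBC3-SHA":        ({"RSA", "3DES", "SHA1"}, 168),
    "RC4-MD5":             ({"RSA", "RC4", "MD5"}, 128),
    "DES-CBC-SHA":         ({"RSA", "DES", "SHA1"}, 56),
    "EDH-DSS-DES-CBC-SHA": ({"DH", "DSS", "DES", "SHA1"}, 56),
    "EXP-RC4-MD5":         ({"RSA", "RC4", "MD5", "EXPORT"}, 40),
}
KNOWN = set(SUITES) | {tag for tags, _ in SUITES.values() for tag in tags}


def matches(selector):
    """Suites selected by one cipher string; 'A+B' requires both A and B."""
    wanted = set(selector.split("+"))
    unknown = wanted - KNOWN
    if unknown:
        # Assumption of this example: a mistyped exclusion must not pass silently.
        raise ValueError("unknown cipher string: " + ", ".join(sorted(unknown)))
    return [name for name, (tags, _) in SUITES.items() if wanted <= tags | {name}]


def evaluate(cipher_list):
    """Return the ordered suite list that a colon-separated cipher list yields."""
    active, deleted = [], set()
    for item in cipher_list.split(":"):
        if not item:
            continue
        if item == "@STRENGTH":
            # Strongest first (assumed direction); the sort is stable, so
            # suites with equal key length keep their relative order.
            active.sort(key=lambda name: SUITES[name][1], reverse=True)
            continue
        op = item[0] if item[0] in "!-+" else ""
        hit = matches(item[len(op):])
        if op == "!":
            # Permanent delete: later strings can never bring these back.
            deleted.update(hit)
            active = [n for n in active if n not in hit]
        elif op == "-":
            # Plain delete: a later string may add the suites again.
            active = [n for n in active if n not in hit]
        elif op == "+":
            # Move matching suites already in the list to the end; add nothing.
            moved = [n for n in active if n in hit]
            active = [n for n in active if n not in hit] + moved
        else:
            active += [n for n in hit if n not in deleted and n not in active]
    return active


def below_strength(cipher_list, min_bits=128):
    """Suites a cipher list still enables whose key length is under min_bits."""
    return [n for n in evaluate(cipher_list) if SUITES[n][1] < min_bits]


if __name__ == "__main__":
    for spec in ("RSA", "RSA:-DES:DES", "RSA:!DES:DES",
                 "RSA:!EXPORT:-DES:@STRENGTH"):
        print(spec, "->", evaluate(spec), "| under 128 bits:", below_strength(spec))
```

Comparing RSA:-DES:DES with RSA:!DES:DES shows why an exclusion meant to be final should use ! rather than -: with -, a later string in the same list re-enables the 56-bit suites.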

/ssl/cfg/ssl/server/tcp
SSL Configuration Server-specific TCP Menu
[TCP Settings Menu]
cwrite   - Set client TCP write timeout
ckeep    - Set client TCP keep alive timeout
swrite   - Set server TCP write timeout
sconnect - Set server TCP connect timeout
csendbuf - Set client TCP send buffer size
crecbuf  - Set client TCP receive buffer size
ssendbuf - Set server TCP send buffer size
srecbuf  - Set server TCP receive buffer size

Table 11-17 SSL Configuration Server-specific TCP Menu Options


Command Syntax and Usage
cwrite <integer>
Set the client TCP write timeout (in seconds, 1-2147483647).
ckeep <integer>
Set the client TCP keep alive timeout (in seconds, 1-2147483647).
swrite <integer>
Set the server TCP write timeout (in seconds, 1-2147483647).
sconnect <integer>
Set the server TCP connect timeout (in seconds, 1-2147483647).
csendbuf auto|<2000 to 100000>
Set the client TCP send buffer size (in bytes).
crecbuf auto|<2000 to 100000>
Set the client TCP receive buffer size (in bytes).
ssendbuf <generic/http/socks>
Set the server TCP send buffer size (in bytes).
srecbuf on|off
Set the server TCP receive buffer size (in bytes).


/ssl/cfg/ssl/server/adv
SSL Configuration Server-specific Advanced Menu
[Advanced Settings Menu]
string     - String menu
blockstrin - Set strings to block
loadbalanc - Load balancing menu
sslconnect - SSL connect menu

Table 11-18 SSL Configuration Server-specific Menu Options


Command Syntax and Usage
string
Go to the String menu. To view the menu options, see page 558.
blockstrin <string>
Set the strings to block, separated by commas.
loadbalanc
Go to the Load Balancing menu. To view the menu options, see page 559.
sslconnect
Go to the SSL Connect menu. To view the menu options, see page 560.


/ssl/cfg/ssl/server/adv/string
SSL Configuration Server Advanced String Menu
[LB String 1 Menu]
match - Set string to match
location - Set locations to perform the match in
icase - Set ignore case in to match
negate - Set negate the result of the match
del - Remove string

Table 11-19 SSL Configuration Server-specific Menu Options


Command Syntax and Usage
match <string>|*
Enter the string to match. For example:
SSL >> LB String 1# match
Current value: <not set>
Enter match string (may contain *):
location <locationlist>
Set the match string locations, separated by commas.
Possible values are:
Macros: url, unknown, other, header
Methods: options, get, head, post, put, delete, trace, connect
Special: query, params, cookie-override
Headers: accept, accept-charset, accept-encoding, accept-language, accept-ranges, age, allow, authorization, cache-control, connection, content-base, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, cookie2, date, etag, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, keep-alive, last-modified, location, max-forwards, pragma, proxy-authenticate, proxy-authorization, proxy-connection, public, range, referer, retry-after, server, set-cookie, transfer-encoding, upgrade, user-agent, vary, via, warning, www-authenticate, x-forwarded-for, x-ssl
icase on|off
Set the string match as case respective yes (on) or no (off).
negate on|off
Set a negative match scheme. The current strings are excluded (on) or included (off).
del string<string_number>
Delete the string.


/ssl/cfg/ssl/server/adv/loadbalanc
SSL Configuration Server Advanced Load Balancing Menu
[Load Balancing Settings Menu]
type - Set load balancing type
persistenc - Set persistence strategy
cookie - Cookie settings menu
metric - Set load balancing metric
health - Set health check type
script - Health check script menu
interval - Set health check interval (s)
remotessl - Remote SSL connect menu
backend - Backend servers menu
ena - Enable load balancing
dis - Disable load balancing

Table 11-20 SSL Configuration Server Advanced Load Balancing Menu Options
Command Syntax and Usage
type all|<string>
Set the load balancing type.
persistenc none|cookie|session
Set the persistence strategy.
cookie
Go to the Cookie settings menu. To view the menu options, see page 560. Note that this menu is
accessible only when persistenc is set to cookie.
metric hash|roundrobin|leastconn
Set the load balancing metric.
health none|tcp|ssl|auto|script
Set the health check type.
script
Go to the health check script menu. To view the menu options, see page 562.
interval <integer>
Set the health check interval.
remotessl
Go to the Remote SSL connection menu. To view the menu options, see page 563.
backend
Go to the Backend Servers menu. To view the menu options, see page 565.

ena enable|disable
Enable load balancing.
dis enable|disable
Disable load balancing.

/ssl/cfg/ssl/server/adv/loadbalanc/cookie
SSL Configuration Server Advanced Load Balancing Cookie Menu
[Cookie Settings Menu]
mode - Set cookie mode
name - Set cookie name
domain - Set cookie domain
expires - Set cookie expires
expiresdel - Set cookie expires delta
localvips - Configure other local VIPs
offset - Set cookie value offset
length - Set cookie value length

Table 11-21 SSL Configuration Server Advanced Load Balancing Cookie Menu Options
Command Syntax and Usage
mode insert | passive | rewrite
Sets the cookie load balancing mode.
name <cookie_name>
Sets the cookie name.
domain <domain_name>
Sets the cookie domain name.
expires <date_time>
Sets the cookie expiration date and time.
expiresdel <0(session)-2147483647>
Sets the cookie expiration delta value.
localvips
Opens the Local VIPs menu. For more information on this menu refer to page 562.

offset <1-64>
Sets the cookie value offset.
length <0-64>
Sets the cookie length.


/ssl/cfg/ssl/server/adv/loadbalanc/cookie/localvips
Local VIP Configuration Menu
[Local VIPs Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

Table 11-22 Local VIP Configuration Menu


Command Syntax and Usage
list
Lists all configured values.
del <entry_index>
Deletes the entry indicated by the index value.
add <ip_address>
Adds an entry by IP address.
insert <entry_index, ip_address>
Adds an entry at a specific point by index and IP address.
move <source_index, destination_index>
Moves an entry from the source index to the destination index.

/ssl/cfg/ssl/server/adv/loadbalanc/script
SSL Configuration Server Advanced Load Balancing Health Script Menu
[Health Check Script Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number


Table 11-23 SSL Configuration Server Advanced Load Balancing Health Script Menu Options
Command Syntax and Usage
list
Display all values.
del <index>
Delete a specific value.
add <command> <timeout> <argument>
Add a new health script.
insert <position> <command> <timeout> <argument>
Insert a new value.
move <value> <value>
Exchange one value for another.

/ssl/cfg/ssl/server/adv/loadbalanc/remotessl
SSL Configuration Server Advanced Load Balancing Remote SSL Menu
[Remote SSL Connect Settings Menu]
protocol - Set protocol version
cert - Set client certificate
ciphers - Set accepted ciphers for ssl connect
verify - Verify server menu

Table 11-24 SSL Configuration Server Advanced Load Balancing Remote SSL Menu Options
Command Syntax and Usage
protocol aissl2|ssl3|ssl23|tls1
Set the protocol version.
cert <integer, 1 to 1500>
Set the certificate number.

ciphers <string>
Set the accepted ciphers for SSL connection. The cipher list consists of one or more cipher strings
separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical
and operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES
algorithms).
Each cipher string can be optionally preceded by the characters !, - or +. ! permanently deletes the
ciphers from the list (e.g. !RSA). - deletes the ciphers from the list, but the ciphers can be added
again by later options. + moves the ciphers to the end of the list.
This option doesn't add any new ciphers; it just moves matching existing ones. Additionally, the
cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key
length.
verify
Go to the Verify Server menu. To view the menu options, see page 564.
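
The cipher-string operators described for the ciphers option, as an added example that is not part of the original manual: a small Python evaluator that assumes OpenSSL-style cipher-list semantics (the wording above matches that syntax) and runs over a constructed suite table, not the switch's real list. The suite table, the tag names, the ALL keyword, the strongest-first direction of @STRENGTH and the 128-bit threshold in below_bits are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    tags: frozenset  # keywords this suite matches (key exchange, cipher, MAC)
    bits: int        # nominal encryption key length


def suite(name, bits, *tags):
    # Every suite also matches the ALL keyword (assumed, as in OpenSSL).
    return Suite(name, frozenset(tags) | {"ALL"}, bits)


# Constructed sample table for illustration; not the switch's real suite list.
SUITES = [
    suite("DHE-RSA-AES256-SHA", 256, "EDH", "RSA", "AES", "SHA1"),
    suite("AES128-SHA", 128, "RSA", "AES", "SHA1"),
    suite("DES-CBC3-SHA", 168, "RSA", "3DES", "SHA1"),
    suite("RC4-MD5", 128, "RSA", "RC4", "MD5"),
    suite("DES-CBC-SHA", 56, "RSA", "DES", "SHA1"),
    suite("EXP-RC4-MD5", 40, "RSA", "RC4", "MD5", "EXPORT"),
    suite("EDH-DSS-DES-CBC3-SHA", 168, "EDH", "DSS", "3DES", "SHA1"),
]


def evaluate(cipher_string, universe=SUITES):
    """Return the ordered suite names a colon-separated cipher string selects."""
    active = []      # current preference list, most preferred first
    killed = set()   # names removed with '!'; later items cannot restore them
    for item in cipher_string.split(":"):
        item = item.strip()
        if not item:
            continue
        if item == "@STRENGTH":
            # Stable sort: equal key lengths keep their relative order.
            active.sort(key=lambda s: -s.bits)
            continue
        op = item[0] if item[0] in "!-+" else ""
        spec = item[len(op):]
        wanted = frozenset(spec.split("+"))  # A+B means "has A and has B"

        def matches(s):
            return spec == s.name or wanted <= s.tags

        if op == "!":
            killed.update(s.name for s in universe if matches(s))
            active = [s for s in active if not matches(s)]
        elif op == "-":
            active = [s for s in active if not matches(s)]
        elif op == "+":
            # Only reorders suites already in the list; adds nothing new.
            moved = [s for s in active if matches(s)]
            active = [s for s in active if not matches(s)] + moved
        else:
            for s in universe:
                if matches(s) and s.name not in killed and s not in active:
                    active.append(s)
    return [s.name for s in active]


def below_bits(cipher_string, minimum=128, universe=SUITES):
    """Suites the string still allows whose key length is under `minimum`."""
    by_name = {s.name: s for s in universe}
    return [n for n in evaluate(cipher_string, universe)
            if by_name[n].bits < minimum]


if __name__ == "__main__":
    for cs in ("ALL:-RC4:RC4", "ALL:!RC4:RC4", "ALL:!EXPORT:!DES:@STRENGTH"):
        print(f"{cs:28} -> {evaluate(cs)}")
        print(f"{'':28}    under 128 bits: {below_bits(cs)}")
```

Comparing "ALL:-RC4:RC4" with "ALL:!RC4:RC4" shows why ! is the operator to use when a cipher must never be negotiated: a later item in the same string silently restores anything removed with -.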

/ssl/cfg/ssl/server/adv/loadbalanc/remotessl/verify
SSL Configuration Server Advanced Load Balancing Remote SSL Verification Menu
[Remote SSL Connect Verify Settings Menu]
verify - Set certificate verification level
commonname - Set server common name
cacerts - Set list of accepted signers of server's certificate

Table 11-25 SSL Configuration Server Advanced Load Balancing Remote SSL Verification Menu Options
Command Syntax and Usage
verify none|require
Set the certificate verification level.
commonname <name>
Set the server common name. For example:
SSL >> Remote SSL Connect Verify Settings# commonname
Current value: [old_server_name]
Give common name of server: <new_server_name>

cacerts <integer_list>
Enter the certificate numbers, separated by commas.

/ssl/cfg/ssl/server/adv/loadbalanc/backend
SSL Configuration Server Advanced Load Balancing Backend Server Menu
[Backend Server 1 Menu]
ip - Set IP addr of backend server
port - Set backend server port
sslconnect - Set perform SSL connect if enabled for server
remote - Set server is remote
rname - Set host name of remote server
remotessl - Set remote site is ssl
lbstrings - Set load balancing strings
lbop - Set string load balancing operation
del - Remove backend server
ena - Enable backend server
dis - Disable backend server

Table 11-26 SSL Configuration Server Advanced Load Balancing Backend Server Menu Options
Command Syntax and Usage
ip <IP_address>
Set the IP address of the backend server.
port <port_number>
Set the backend server port number.
sslconnect on|off
Set the SSL connection option.
remote true|false
Set the server as remote, as required.
rname <hostname>
Set hostname of the remote server.

remotessl true|false
Set the remote site as SSL.
lbstrings <integers>
Set the load balance strings, separated by a comma.
lbop any|all|one|none
Set the string load balancing operation.
del
Remove the backend server.
ena enable|disable
Enable the backend server.
dis enable|disable
Disable the backend server.

/ssl/cfg/cert
SSL Configuration Certificate Menu
[Certificate 1 Menu]
name - Set certificate name
cert - Set certificate
key - Set private key
revoke - Revocation menu
genkey - Generate private key
gensigned - Generate signed client/server certificate
request - Generate certificate request
sign - Sign a certificate request
test - Generate test certificate and key
import - Import key and certificate with TFTP/FTP/SCP/SFTP
export - Export certificate and key with TFTP/FTP/SCP/SFTP
display - Display certificate and key
show - Show certificate information
info - Show certificate short information
subject - Show certificate subject information
validate - Check if key and certificate match
keysize - Show key size
keyinfo - Show how key is stored
del - Remove certificate


Table 11-27 SSL Configuration Certificate Menu Options


Command Syntax and Usage
name <string>
Enter the name of the certificate.
cert <pasted_certificate_content>
Paste the content of a copied certificate. For example:
Paste the certificate, press Enter to create a new line, and then
type "..."
(without the quotation marks) to terminate.
>
key <pasted_key_content>
Paste the copied key. For example:
Paste the key, press Enter to create a new line, and then
type "..."
(without the quotation marks) to terminate.
>
revoke
Go to the Revoke menu. To view the menu options, see page 571.
genkey 512|1024|2048|4096
Generate a private key.
gensigned <key> <certificate_number>
Generate a certificate.

request
Generate a certificate request. For example:
SSL >> Certificate 1# request
The combined length of the following parameters may not exceed 225
bytes.
Country Name (2 letter code): CA
State or Province Name (full name): Ontario
Locality Name (eg, city): Ottawa
Organization Name (eg, company): NoTel
Organizational Unit Name (eg, section): Maint
Common Name (eg, your name or your server's hostname): NoTel-12
Email Address: maint@notel.ca
Key size (512/1024/2048/4096) [1024]: 1024
Request a CA certificate (y/n) [n]: y
Specify challenge password (y/n) [n]: n
-----BEGIN CERTIFICATE REQUEST-----
MIIBvjCCAScCAQAwfjELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAk9OMRAwDgYDVQQH
-----END CERTIFICATE REQUEST-----
Use 'apply' to store the private key in the iSD until
the signed certificate is entered.
The private key will be lost unless you 'apply' or
save it elsewhere using 'export'.
sign <key> <certificate_number>
Sign a certificate.

test
Create a test certificate and key. For example:
SSL >> Certificate 1# test
The combined length of the following parameters may not exceed 225
bytes.
Country Name (2 letter code): CA
State or Province Name (full name): Ontario
Locality Name (eg, city): Ottawa
Organization Name (eg, company): NoTel
Organizational Unit Name (eg, section): Maint
Common Name (eg, your name or your server's hostname): NoTel-12
Email Address: maint@notel.ca
Valid for days [365]: 200
Valid for days [365]: 200
Key size (512/1024/2048/4096) [1024]: 1024
Test key and certificate added.
Use 'apply' to activate.
import <proto> <server> <certfile>
Import a remote certificate and key. For example:
SSL >> Certificate 1# import
Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp
Enter hostname or IP address of server: NoTel-10
Enter filename on server: key_certificate2389
Retrieving key_certificate2389 from NoTel-10
Error: Host not found, FTP server not found, or connection rejected.
export <proto> <server> <certfile>
Export a key and certificate to a remote host. For example:
SSL >> Certificate 1# export
Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp
Enter hostname or IP address of server: NoTel-10
Enter export format (pem/der/net/pkcs12): pem
Enter export pass phrase: <hidden_text>
Reconfirm export pass phrase: <hidden_text>
Enter name of combined key and certificate file on remote host:
key_cert_from_NoTel-12
Error: Host not found, FTP server not found, or connection rejected.

display
Display a certificate and key. For example:
SSL >> Certificate 1# display
Encrypt private key (yes/no) [yes]: yes
Enter export pass phrase: <hidden_text>
Reconfirm export pass phrase: <hidden_text>
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,8E1E1EB54398437B
1NngBGmeIGxhndoR3+F4DNmYNCtH6tbVMZmmTCAu0ee9Ss9vjy6N3jXgMUy8RnfV
1dRLixDPlpAB5CwsSUBLROtvq6rhyZnwKbofz4UBon1tE33eX86uNrXGjdvPkfzD
x8TrCXdcewY0W1xuPA6mnb0mHCn768fqoNd5YlXPMRbPrK/nTfvCHlfvVmHkzpw3
BrvNfqVpdijQkdv+X53gn7DbYBsFYKSLsjyZ1Dst1JFDS5W594by1P7WseRYi4Lq
XPcmgZA7BtC5JV9d6Fwmd66Cois3WUxBtTeLJDFet6fr/9e3nXfa+pPyIgGGWAYE
.
.
.
A9xlBRMYzppbzQVjjFK0maFRtuhIiEbexLJwTCEwfyVMk8juHvBWIQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIID3jCCA0egAwIBAgIBADANBgkqhkiG9w0BAQQFADCBgjELMAkGA1UEBhMCQ0Ex
EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTEOMAwGA1UEChMFTm9U
.
.
show
Show certificate information.
info
Show short-form certificate information. For example:
SSL >> Certificate 1# info
Serial number: 0 (0x0)
Expire: Jan 19 14:49:18 2006 GMT
Certificate subject:
C=CA
ST=Ontario
L=Ottawa
O=NoTel
OU=Maint
CN=NoTel-12/emailAddress=maint@notel.ca

subject
Show certificate subject information. For example:
SSL >> Certificate 1# subject
Certificate subject:
C/countryName (2.5.4.6) = CA
ST/stateOrProvinceName (2.5.4.8) = Ontario
L/localityName (2.5.4.7) = Ottawa
O/organizationName (2.5.4.10) = NoTel
OU/organizationalUnitName (2.5.4.11) = Maint
CN/commonName (2.5.4.3) = NoTel-12
emailAddress/emailAddress (1.2.840.113549.1.9.1) = maint@notel.ca
validate <matched_key> <matched_certificate>
Check if certificate and key are matched.
keysize
Display key size (in bytes).
keyinfo
Displays how the key is stored.
del
Delete the certificate and key. For example:
SSL >> Certificate 1# del
Certificate 1 will be deleted when changes are applied.

/ssl/cfg/cert/revoke
SSL Configuration Revoke Certificate Menu
[Revocation Menu]
add - Add decimal serial number to revocation list
addx - Add hex serial number to revocation list
del - Cancel revocation for a serial number
list - List revoked certificates
rev - Enter revocation list
import - Import revocation list with TFTP/FTP/SCP/SFTP
automatic - Automatic CRL retrieval menu

Table 11-28 SSL Configuration Revoke Certificate Menu Options


Command Syntax and Usage
add <integer>
Add a decimal serial number to the revocation list.

addx <hexadecimal_number>
Add a hexadecimal number to the revocation list.
del <serial_number>
Cancel the revocation of a serial number.
list
List the revoked certificates.
rev
Paste a revocation list into another revocation list.
import <proto> <server> <file>
Import a remote revocation list.
automatic
Go to the automatic retrieval menu.

/ssl/cfg/cert/revoke/automatic
SSL Configuration Revoke Certificate Automatic Menu
[Automatic CRL Menu]
url - Set URL to retrieve CRL from
authDN - Set LDAP DN used for bind/authentication
passwd - Set password to use when to authenticate
interval - Set refresh interval
cacerts - Set list of accepted signers of CRLs
ena - Enable automatic retrieval
dis - Disable automatic retrieval

Table 11-29 SSL Configuration Revoke Certificate Automatic Menu Options


Command Syntax and Usage
url <URL>
Set the URL value to retrieve the CRL.
authDN <LDAP-Distinguished-Name>
Set the LDAP DN to be used for bind and authentication.
passwd <string>
Set the authentication password.
interval <time>
Set the refresh interval.

cacerts <certificate_numbers>
Create a list of accepted signers of CRLs. Separate the list elements by commas.
ena enabled|disabled
Enable automatic retrieval.
dis enabled|disabled
Disable automatic retrieval.

/ssl/cfg/vpn
SSL VPN Configuration Menu
[VPN 1 Menu]
ips - Set IP addr(s) of the VPN
standalone - Set standalone mode (no switch)
aaa - AAA menu
server - SSL server menu
ipsec - IPsec server menu
ippool - IP address pool menu
portal - Portal look and feel menu
linkset - Portal linkset menu
sslclient - SSL VPN client menu
adv - Advanced settings menu
del - Remove VPN

Table 11-30 SSL VPN Configuration Menu Options


Command Syntax and Usage
ips <IP_address>
Set the IP address of the VPN.
standalone on|off
Set the standalone mode.
aaa
Go to the AAA menu. To view the menu options, see page 573.
server
Go to the SSL server menu. To view the menu options, see page 578.
ipsec
Go to the IPsec server menu. To view the menu options, see page 602.

ippool
Go to the IP POOL menu. To view the menu options, see page 615.
portal
Go to the Portal look and feel menu. To view the menu options, see page 619.
linkset
Go to the Portal linkset menu. To view the menu options, see page 621.
sslclient
Go to the SSL VPN client menu. To view the menu options, see page 625.
adv
Go to the Advanced Settings menu. To view the menu options, see page 627.
del
Remove the VPN.

/ssl/cfg/vpn/aaa
SSL VPN Configuration Menu
[AAA Menu]
quick - AAA setup wizard
tg - TunnelGuard menu
ttl - Set login session TTL
auth - Authentication menu
authorder - Set authentication server fallback order
network - Network access menu
service - Service access menu
appspec - Application specific menu
filter - Client filter menu
group - Group menu
defgroup - Set default group
ssodomains - Single-Sign on enabled domains menu
ssoheaders - Single-Sign on headers menu
radacct - RADIUS accounting menu

Table 11-31 SSL VPN Configuration AAA Menu Options


Command Syntax and Usage
quick <IP_address>
AAA setup wizard.

tg
Go to the TunnelGuard menu. To view the menu options, see page 576.
ttl <TTL for idle sessions (max 31d, min 2m)>
Set the login session TTL.
auth
Go to the Authentication menu. To view the menu options, see page 578.
authorder <list_of_servers>
Set the authentication server fallback order. Use a comma to separate entries.
network
Go to the Network Access menu. To view the menu options, see page 582.
service
Go to the Service Access menu. To view the menu options, see page 584.
appspec
Go to the Application Specific menu. To view the menu options, see page 585.
filter
Go to the Client Filter menu. To view the menu options, see page 588.
group
Go to the Group menu. To view the menu options, see page 589.
defgroup <name_of_group>
Set the default group.
ssodomains
Go to the Single sign-on enabled domains menu. To view the menu options, see page 597.
ssoheaders
Go to the Single Sign-on Headers menu. To view the menu options, see page 597.
radacct
Go to the Radius Accounting menu. To view the menu options, see page 599.


/ssl/cfg/vpn/aaa/tg
SSL VPN Configuration TunnelGuard Menu
[TG Menu]
ena - Enable TunnelGuard
dis - Disable TunnelGuard
quick - Quick TunnelGuard setup wizard
recheck - Set recheck interval
action - Set fail action
retry - Set UDP retry interval
list - List SRS rules
loglevel - Set TunnelGuard applet loglevel

Table 11-32 SSL VPN Configuration AAA TunnelGuard Menu Options


Command Syntax and Usage
ena enable|disable
Enable TunnelGuard.
dis enable|disable
Disable TunnelGuard.

quick <TTL for idle sessions (max 31d, min 2m)>
Use the Quick TunnelGuard setup wizard. For example:
SSL >> TG# quick
In the event that the TunnelGuard checks fails on a client,
the session can be teardown, or left in restricted mode
with limited access.
Which action do you want to use for TunnelGuard
failure? (teardown/restricted) [restricted]: restricted
Do you want to create a tunnelguard test user? (yes/no) [yes]: yes
Enabling TunnelGuard
Creating Linkset 1
Name: tg_passed
This Linkset just prints the TG result
Creating Linkset 2
Name: tg_failed
This Linkset just prints the TG result
Adding test SRS rule srs-rule-test
This rule check for the presence of the file
C:\tunnelguard\tg.txt
Creating Group 1
Name: tunnelguard
Creating Extended Profile 1
Giving full access when tg passed
Creating Access rule 1
Creating Extended Profile 2
Giving no access when tg failed
Using SRS rule: srs-rule-test
Creating Authentication 1
Adding user 'tg' with password 'tg'
Use 'diff' to view pending changes, and 'apply' to commit
recheck <seconds>
Set the recheck interval.
action teardown|restricted
Set the Fail action.
retry <seconds, 1-65535>
Set the UDP retry interval.
list
List the SRS rules.
loglevel <string>
Set the TunnelGuard applet log level.


/ssl/cfg/vpn/aaa/auth
SSL VPN Configuration Authentication Menu
To enter the /ssl/cfg/vpn/aaa/auth menu level, you are prompted to create an authentication if
one does not already exist.
Creating Authentication 1
Select one of radius, ldap, ntlm, siteminder, cert, rsa or local:
radius
Auth name: Authentication_1
Entering: RADIUS settings menu
Entering: RADIUS servers menu
IP Address to add: 0.0.0.0
Port (default is 1812): 1812
Enter shared secret: shared
Leaving: RADIUS servers menu
Enter vendor id [alteon]: alteon
Enter vendor type [1]: 1
Leaving: RADIUS settings menu
-----------------------------------------------------------
[Authentication 1 Menu]
type - Set authentication mechanism
name - Set auth name
display - Set auth display name
domain - Set windows domain for backend single sign-on
radius - RADIUS settings menu
adv - Advanced settings menu
del - Remove Authentication

Table 11-33 SSL VPN Configuration AAA Authentication Menu Options


Command Syntax and Usage
type radius|ldap|ntlm|siteminder|cert|rsa|local
Set the authentication scheme.
name <string>
Set the authentication name. The default is local.
display <string>
Set the authentication display name.
domain <string>
Set the current windows domain for backend single sign-on.
radius <list_of_servers>
Go to the Radius menu. The menu is available only if the type is Radius (# type radius). To view
the menu options, see page 579.

adv
Go to the Advanced menu. To view the menu options, see page 582.
del
Remove the authentication.

/ssl/cfg/vpn/aaa/auth/radius
SSL VPN Configuration Authentication Radius Menu
To enter the /ssl/cfg/vpn/aaa/auth/radius menu level, the authentication type must be set to
radius. For example, /ssl/vpn/aaa/auth/type radius.
[RADIUS Menu]
servers - RADIUS servers menu
vendorid - Set vendor id for group attribute
vendortype - Set vendor type for group attribute
timeout - Set RADIUS server timeout
sessiontim - Session Timeout menu
macro - User-defined Macro menu

Table 11-34 SSL VPN Configuration AAA Authentication Radius Menu Options
Command Syntax and Usage
servers
Go to the Radius servers menu. To view the menu options, see page 580.
vendorid <string>
Set the switch vendor ID.
vendortype <vendortype>
Set the vendor type.
timeout <integer, 1 to 1000 seconds>
Set the Radius server timeout.
sessiontim
Go to the Sessiontim menu. To view the menu options, see page 580.
macro
Go to the Macro menu. To view the menu options, see page 581.


/ssl/cfg/vpn/aaa/auth/radius/servers
SSL VPN Configuration Authentication Radius Servers Menu
[RADIUS Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

Table 11-35 SSL VPN Configuration AAA Authentication Radius Menu Options
Command Syntax and Usage
list
List all values (servers).
del <index_number>
Delete a server value by name.
add <ip> <port, default=1812> <secret>
Add a new value (server).
insert <position> <ip> <port> <secret>
Insert a value into the list.
move <value> <value>
Move a value position in the list.

/ssl/cfg/vpn/aaa/auth/radius/sessiontm
SSL VPN Configuration Authentication Radius Session Timeout Menu
[SessionTimeout Menu]
vendorid - Set vendor id for session timeout attribute
vendortype - Set vendor type for session timeout attribute
ena - Enable Session-Timeout
dis - Disable Session-Timeout


Table 11-36 SSL VPN Configuration AAA Authentication Radius Session Timeout Menu Options
Command Syntax and Usage
vendorid <vendorid>
Set the vendor ID number.
vendortype <value>
Set the Vendor Type number.
ena enable|disable
Enable session timeout.
dis enable|disable
Disable session timeout.

/ssl/cfg/vpn/aaa/auth/radius/macro
SSL VPN Configuration Authentication Radius Macro Menu
[Macro Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

Table 11-37 SSL VPN Configuration AAA Authentication Radius Macro Menu Options
Command Syntax and Usage
list
List all values.
del <value>
Delete a value using its number.
add <vendorid> <vendortype> <attribute_type (IP, <string> <integer>)>
Add a value.
insert <index_position> <vendorid> <vendortype> <attribute_type_string>
Insert a value.
move <value> <value>
Move a value's position in the list.


/ssl/cfg/vpn/aaa/auth/adv
SSL VPN Configuration Authentication Advanced Menu
[Advanced Menu]
groupauth - Set Authentication server list of group information
secondauth - Set Secondary authentication server

Table 11-38 SSL VPN Configuration AAA Authentication Advanced Menu Options
Command Syntax and Usage
groupauth <hostnames>
Set the list of authentication servers. Separate values using a comma.
secondauth <hostname>
Set the secondary authentication server.

/ssl/cfg/vpn/aaa/network
SSL VPN Configuration Network Menu
To enter the /ssl/cfg/vpn/aaa/network menu level, you are prompted to create a network if one
does not already exist.
SSL >> AAA# network
Enter network number or name: (1-1023) 1
Creating Network 1
Network name: Network_1
-----------------------------------------------------------
[Network 1 Menu]
name - Set network name
subnet - Subnet menu
comment - Set comment
del - Remove network

Table 11-39 SSL VPN Configuration AAA Network Menu Options


Command Syntax and Usage
name <string>
Set the network name.
subnet
Go to the Subnet menu. To view the menu options, see page 583.

comment <text_string>
Create a text description (comment) about the network.
del
Remove the network. The network will be removed when the global /apply command is entered.

/ssl/cfg/vpn/aaa/network/subnet
SSL VPN Configuration Network Subnet Menu
To enter the /ssl/cfg/vpn/aaa/network/subnet menu level, you are prompted to create a subnet if
one does not already exist.
SSL >> Network 1# sub
Enter subnet number: (1-1023) 1
Creating Network Subnet 1
Enter host name: Subnet_1
Enter network address: 0.0.0.0
Enter network netmask: netmask
-----------------------------------------------------------
[Network Subnet 1 Menu]
host - Set Host Name
net - Set network address
mask - Set network mask
del - Remove subnet

Table 11-40 SSL VPN Configuration AAA Network Subnet Menu Options
Command Syntax and Usage
host <hostname>
Set the hostname for the subnet.
net <IP_address>
Set the subnet address.
mask <IP_address>
Set the Network mask.
del
Remove the Subnet.


/ssl/cfg/vpn/aaa/service
SSL VPN Configuration Service Menu
To enter the /ssl/cfg/vpn/aaa/service menu level, you are prompted to create a service if one
does not already exist.
SSL >> AAA# service
Enter service number or name: (1-1023) 1
Creating Service 1
Service name: Service_1
Enter service protocol (list of tcp,udp): tcp
Enter service ports: 1,2,3
-----------------------------------------------------------
[Service 1 Menu]
name - Set service name
protocol - Set allowed protocols
ports - Set allowed port
comment - Set comment
del - Remove Service

Table 11-41 SSL VPN Configuration AAA Service Menu Options


Command Syntax and Usage
name <service_name>
Set the service name.
protocol tcp|udp
Set the protocols that are allowed.
ports <integers>
Set the allowed ports. If more than one, use commas to separate.
comment <string>
Create a description (comment) about the service.
del
Delete the service.


/ssl/cfg/vpn/aaa/appspec
SSL VPN Configuration Application specific Menu
To enter the /ssl/cfg/vpn/aaa/appspec menu level, you are prompted to create a network if one
does not already exist.
SSL >> AAA# appspec
Enter appspec number or name: (1-1023) 1
Creating AppSpecific 1
AppSpec name: AppSpec_1
Entering: Paths menu
Path format:
The paths are formated differently for different applications.
For smb you write the path as /<WORKGROUP>/<FILESHARE>/<FILE PATH>,
for example
/NORTEL/homes/public
This will give access to the public directory in the homes share
in the NORTEL workgroup/domain.
For ftp you write the path as <ABSOLUTE FILE PATH>, for example
/home/share/public/
This will give access to the /home/share/public. Note that all paths
are absolute from the root.
For web servers you write the path <SERVER PATH>, for example
/intranet
This will give access to the /intranet path on the web server.
Enter path: /path
Leaving: Paths menu.
---------------------------------------------
[AppSpecific 1 Menu]
name - Set appspec name
paths - Paths menu
comment - Set comment
del - Remove AppSpec

Table 11-42 SSL VPN Configuration AAA Application specific Menu Options
Command Syntax and Usage
name <appsec_name>
Create an application name.
paths
Go to the Paths menu. To view the menu options, see page 571.

comment <string>
Create a description (comment) about the Application.
del
Delete the application.


/ssl/cfg/vpn/aaa/appspec/paths
SSL VPN Configuration Application specific Paths Menu
[Paths Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

Table 11-43 SSL VPN Configuration AAA Application specific Paths Menu Options
Command Syntax and Usage
list
List all paths.
del <path_value>
Delete a path by its number.
add
Add a new path. For example:
SSL >> Paths# list
Old:
Pending:
1: /info
SSL >> Paths# add
Path format:
The paths are formated differently for different applications.
For smb you write the path as /<WORKGROUP>/<FILESHARE>/<FILE PATH>,
for example
/NORTEL/homes/public
This will give access to the public directory in the homes share
in the NORTEL workgroup/domain.
For ftp you write the path as <ABSOLUTE FILE PATH>, for example
/home/share/public/
This will give access to the /home/share/public. Note that all paths
are absolute from the root.
For web servers you write the path <SERVER PATH>, for example
/intranet
This will give access to the /intranet path on the web server.
Enter path: /home/storage
insert <index>
Insert a path into the path list.

del
Delete the path.

/ssl/cfg/vpn/aaa/filter
SSL VPN Configuration AAA Filter Menu
To enter the /ssl/cfg/vpn/aaa/filter menu level, you are prompted to create a service if one does
not already exist.
SSL >> AAA# filter
Enter client filter number or name: (1-63) 1
Creating Client Filter 1
Filter name: Filter_1
-----------------------------------------------------------
[Client Filter 1 Menu]
name - Set filter name
cert - Client certificate present
iewiper - IE cache wiper present
tg - TunnelGuard checks passed
methods - Set access methods
authserver - Set authentication servers
clientnet - Set client network reference
comment - Set comment
del - Remove client filter

Table 11-44 SSL VPN Configuration AAA Filter Menu Options


Command Syntax and Usage
name <filter_name>
Set the filter name.
cert true|false|ignore
Enter the applicability of a certificate.
iewiper true|false|ignore
Set the presence of the IE cache wiper.
tg true|false|ignore
Set the state of the TunnelGuard checks passed.

methods ssl|ipsec|netdirect
Set the access methods.
authserver <hostnames>
Set authentication server names. If more than one, separate the names using a comma.
clientnet <clientnet_hostname>
Set client network reference.
comment
Create a description (comment) of the filter.
del
Remove the client filter.

/ssl/cfg/vpn/aaa/group
SSL VPN Configuration AAA Group Menu
To enter the /ssl/cfg/vpn/aaa/group menu level, you are prompted to create a service if one
does not already exist.
SSL >> AAA# group
Enter group number or name: (1-1023) 1
Creating Group 1
Group name: Group_1
Enter number of sessions (0 is unlimited): 0
Enter user type (advanced/medium/novice): novice
-----------------------------------------------------------
[Group 1 Menu]
name - Set group name
access - Access rule menu
print - Print access rules
restrict - Set number of login sessions
usertype - Set portal user type
linkset - Linkset menu
extend - Extended profiles menu
tgsrs - Set TunnelGuard SRS Rule
ipsec - IPsec menu
comment - Set comment
del - Remove group


Table 11-45 SSL VPN Configuration AAA Group Menu Options


Command Syntax and Usage
name <string>
Set the group name.
access
Go to the Access rule menu. To view the menu options, see page 591.
print
Display the Access rules. For example:
SSL >> Group 1# print
Network Ports Proto Path Action
----------- ----- ---- ------

restrict <integer>
Restrict the number of login sessions. The default is 0 (unlimited).
usertype advanced|medium|novice
Set the user level.
linkset
Go to the Linkset menu. To view the menu options, see page 592.
extend
Go to the Extended Profiles menu. To view the menu options, see page 593.
tgsrs <string>
Set the TunnelGuard SRS rule.
ipsec
Go to the IPSEC menu. To view the menu options, see page 595.
comment
Create a description (comment) of the Group.
del
Delete the group.


/ssl/cfg/vpn/aaa/group/access
SSL VPN Configuration AAA Group Access Menu
To enter the /ssl/cfg/vpn/aaa/group/access menu level, you are prompted to create a service if
one does not already exist.
SSL >> Group 1# access
Enter access rule number: (1-1023) 1
Creating Access rule 1
Enter network name: Network_1
Enter service name: Service_1
Enter application specific name: Application_1
Enter action (accept/reject): accept
-----------------------------------------------------------
[Access rule 1 Menu]
network - Set network reference
service - Set service reference
appspec - Set application specific reference
action - Set action
comment - Set access rule comment
del - Remove access rule

Table 11-46 SSL VPN Configuration AAA Group Access Menu Options
Command Syntax and Usage
network <network_name>
Enter the network name reference.
service <service_name>
Set the Service name reference.
appspec <application_name>
Set the application specific name reference.
action accept|reject
Accept or reject the creation of this Access rule.
comment
Create a description (comment) of this Access rule.
del
Delete the Access rule.


/ssl/cfg/vpn/aaa/group/linkset
SSL VPN Configuration AAA Group Linkset Menu
[Linksets Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

Table 11-47 SSL VPN Configuration AAA Group Linkset Menu Options
Command Syntax and Usage
list
List all of the configured linksets.
add <linkset_name>
Add a linkset name.
insert <position> <name>
Insert a linkset into the linkset list.
move <value> <value>
Move the linkset from one position to another in the linkset list.


/ssl/cfg/vpn/aaa/group/extend
SSL VPN Configuration AAA Group Extend Profiles Menu
To enter the /ssl/cfg/vpn/aaa/group/extend menu level, you are prompted to create an extended
service profile if one does not already exist.
SSL >> Group 1# extend
Enter profile number or name (1-63): 1
Creating Extended Profile 1
Enter client filter name: Filter_1
Enter user type (advanced/medium/novice): novice
-----------------------------------------------------------
[Extended Profile 1 Menu]
filter - Set client filter reference
access - Access rule menu
print - Print access rules
usertype - Set portal user type
linkset - Linkset menu
del - Remove profile

Table 11-48 SSL VPN Configuration AAA Group Extend Profiles Menu Options
Command Syntax and Usage
filter <client_filter_name>
Set the client filter name reference.
access
Go to the Access Rule menu. To view the menu options, see page 594.
print
Display the extended profile information.
usertype advanced|medium|novice
Set the portal user level.
linkset
Go to the Linkset menu. To view the menu options, see page 595.
del
Delete the Extended Profile.


/ssl/cfg/vpn/aaa/group/extend/access
SSL VPN Configuration AAA Group Extend Profiles Access Menu
[Access rule 1 Menu]
network - Set network reference
service - Set service reference
appspec - Set application specific reference
action - Set action
comment - Set access rule comment
del - Remove access rule

Table 11-49 SSL VPN Configuration AAA Group Extend Profiles Access Menu Options
Command Syntax and Usage
network <network_name>
Set the network name reference.
service <service_name>
Set the Service name reference.
appspec <application_name>
Set the Application name reference.
action accept|reject
Accept or reject the Access rule change.
comment
Create a description (comment) of the Access rule.
del
Delete the Extended Profile Access rule.


/ssl/cfg/vpn/aaa/group/extend/linkset
SSL VPN Configuration AAA Group Extend Profiles Linkset Menu
[Linksets Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

Table 11-50 SSL VPN Configuration AAA Group Extend Profiles Linkset Menu Options
Command Syntax and Usage
list
List all of the configured Extended Profile linksets.
del <extended_profile_linkset_name>
Delete the Extended Profile Linkset.
add <extended_profile_linkset_name>
Add an Extended Profile linkset name.
insert <position> <name>
Insert an Extended Profile linkset into the linkset list.
move <value> <value>
Move the Extended Profile linkset from one position to another in the linkset list.

/ssl/cfg/vpn/aaa/group/ipsec
SSL VPN Configuration AAA Group IPsec Menu
[IPsec Menu]
secret - Set shared secret
utunnel - Set user tunnel profile

Table 11-51 SSL VPN Configuration AAA Group IPsec Menu Options
Command Syntax and Usage
secret <string>
Set the group Secret value.

utunnel <string>
Set the user tunnel profile name.


/ssl/cfg/vpn/aaa/ssodomains
SSL VPN Configuration AAA Single-sign on Enabled Domains Menu
[SSO Domain menu Menu]
list - List all values
del - Delete a value by number
add - Add a new value

Table 11-52 SSL VPN Configuration AAA Single-sign on enabled Domains Menu Options
Command Syntax and Usage
list
List all of the SSO domains.
del <index>
Delete an SSO domain.
add <domain_name> <mode, normal|add_domain>
Add an SSO domain.

/ssl/cfg/vpn/aaa/ssoheaders
SSL VPN Configuration AAA Single-sign on Headers Menu
[SSO headers menu Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

Table 11-53 SSL VPN Configuration AAA Single-sign on Headers Menu Options
Command Syntax and Usage
list
List all of the configured SSO Headers.
del <SSO Headers_name>
Delete the SSO Header.

add <domain> <header_pattern>
Add an SSO Header.
insert <position> <domain> <header_name>
Insert an SSO Header into the headers list.
move <value> <value>
Move the SSO Headers from one position to another in the SSO Headers list.


/ssl/cfg/vpn/aaa/radacct
SSL VPN Configuration AAA Radius Accounting Menu
[RADIUS Accounting Menu]
servers - RADIUS accounting servers menu
vpnattribu - VPN attribute menu
ena - Enable RADIUS accounting
dis - Disable RADIUS accounting

Table 11-54 SSL VPN Configuration AAA Radius Accounting Menu Options
Command Syntax and Usage
servers
Go to the Radius servers menu. To view the menu options, see page 599.
vpnattribu
Go to the VPN attribute menu. To view the menu options, see page 601.
ena enable|disable
Enable AAA radius accounting.
dis enable|disable
Disable AAA radius accounting.

/ssl/cfg/vpn/aaa/radacct/servers
SSL VPN Configuration AAA Radius Accounting Servers Menu
[RADIUS Accounting Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

Table 11-55 SSL VPN Configuration AAA Radius Accounting Menu Options
Command Syntax and Usage
list
List all of the configured Radius Accounting servers.
del <Radius_Accounting_server_name>
Delete the SSO Header.

add <ip_address> <port> <secret>
Add a Radius Account.
insert <position> <ip_address> <port> <secret>
Insert a Radius account into the account list.
move <value> <value>
Move the Radius account from one position to another in the account list.


/ssl/cfg/vpn/aaa/radacct/vpnattribu
SSL VPN Configuration AAA Radius Accounting VPN attributes Menu
[VPN Attribute Menu]
vendorid - Set vendor id for the VPN attribute
vendortype - Set vendor type for the VPN attribute

Table 11-56 SSL VPN Configuration AAA Radius Accounting VPN attributes Menu Options
Command Syntax and Usage
vendorid <vendorID>
Set the vendor name.
vendortype <integer>
Set the vendor type.

/ssl/cfg/vpn/server
SSL VPN Configuration Server Menu
[Server Menu]
port - Set listen port of server
dnsname - Set DNS name of server
trace - Traffic trace menu
ssl - SSL settings menu
tcp - TCP endpoint settings menu
http - HTTP settings menu
proxymap - Intranet proxy configuration menu
portal - Portal settings menu
adv - Advanced settings menu
ena - Enable virtual server
dis - Disable virtual server

Table 11-57 SSL VPN Configuration Server Menu Options


Command Syntax and Usage
port <integer, 1-65534>
Set the listen port of the server.
dnsname <fully_qualified_DNS_name>
Set the DNS name of the server.

trace
Go to the Trace menu. To view the menu options, see page 602.
ssl
Go to the SSL settings menu. To view the menu options, see page 603.
tcp
Go to the TCP endpoint settings menu. To view the menu options, see page 605.
http
Go to the HTTP settings menu. To view the menu options, see page 606.
proxymap
Go to the Intranet Proxy configuration menu. To view the menu options, see page 608.
portal
Go to the Portal menu. To view the menu options, see page 609.
adv
Go to the Advanced settings menu. To view the menu options, see page 609.
ena enable|disable
Enable the VPN server.
dis enable|disable
Disable the VPN server.

/ssl/cfg/vpn/server/trace
SSL VPN Configuration Server Traffic Trace Menu
[Trace Menu]
ssldump - Create traffic dump
tcpdump - Create traffic dump
ping - Ping through backend interface
dnslookup - Lookup a name in DNS through backend interface
traceroute - traceroute through backend interface

Table 11-58 SSL VPN Configuration Server Traffic Trace Menu Options
Command Syntax and Usage
ssldump
Create an SSL traffic dump. See the tcpdump documentation for a description of the patterns that
are allowed (http://www.tcpdump.org/tcpdump_man.html).

standalone on|off
Create a TCP traffic dump. See the tcpdump documentation for a description of the patterns that are
allowed (http://www.tcpdump.org/tcpdump_man.html).
ping <hostname>
Ping through the backend interface.
dnslookup <hostname>
Lookup a name in DNS through the backend interface.
traceroute
Traceroute through the backend interface. Use this command to identify the route used for station-to-station connectivity across the network.

/ssl/cfg/vpn/server/ssl
SSL VPN Configuration Server SSL Settings Menu
[SSL Settings Menu]
cert - Set server certificate
cachesize - Set SSL cache size
cachettl - Set SSL cache timeout
cacerts - Set list of accepted signers of client certificates
cachain - Set list of CA chain certificates
protocol - Set protocol version
ciphers - Set cipher list
verify - Set certificate verification level
ena - Enable SSL
dis - Disable SSL

Table 11-59 SSL VPN Configuration Server SSL Settings Menu Options
Command Syntax and Usage
cert <certificate_number, 1 to 1500>
Set the IP address of the VPN.
cachesize <integer, 0 to 10000>
Set the SSL cache size (kBytes).
cachettl <integer>
Set the SSL cache timeout (in minutes).

cacerts <certificate_numbers>
Set the list of accepted signers of client certificates. If more than one, use a comma to separate the
entries.
cachain <certificate_numbers>
Set the list of CA chain certificates. If more than one, use a comma to separate the entries.
protocol ssl2|ssl3|ssl23|tls1
Set the protocol version.
ciphers
Set the cipher list. The cipher list consists of one or more cipher strings separated by colons (e.g.
SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g.
SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms).
Each cipher string can be optionally preceded by the characters !, - or +:
! permanently deletes the ciphers from the list (e.g. !RSA).
- deletes the ciphers from the list, but the ciphers can be added again by later options.
+ moves the ciphers to the end of the list. This option does not add any new ciphers.

Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption
algorithm key length.
verify none|optional
Set the certificate verification level.
ena enable|disable
Enable SSL.
dis enable|disable
Disable SSL.


/ssl/cfg/vpn/server/tcp
SSL VPN Configuration Server TCP endpoint Settings Menu
[TCP Settings Menu]
cwrite - Set client TCP write timeout
ckeep - Set client TCP keep alive timeout
skeep - Set socks client TCP keep alive heartbeat timeout
swrite - Set server TCP write timeout
sconnect - Set server TCP connect timeout
csendbuf - Set client TCP send buffer size
crecbuf - Set client TCP receive buffer size
ssendbuf - Set server TCP send buffer size
srecbuf - Set server TCP receive buffer size

Table 11-60 SSL VPN Configuration Server TCP endpoint settings Menu Options
Command Syntax and Usage
ips <integer, 1 to 2147483647s>
Set client TCP write timeout, in seconds.
ckeep <integer, 1 to 2147483647s>
Set client TCP keep alive timeout.
skeep <integer, 1 to 2147483647s>
Set the SOCKS client TCP keep alive heartbeat timeout.
swrite <integer, 1 to 2147483647s>
Set the server TCP write timeout.
sconnect <integer, 1 to 2147483647s>
Set the server TCP connect timeout.
csendbuf auto|<integer, 2000 to 100000>
Set the client TCP send buffer size (Bytes).
crecbuf auto|<integer, 2000 to 100000>
Set the client TCP receive buffer size (Bytes).
ssendbuf auto|<integer, 2000 to 100000>
Set the server TCP send buffer size (Bytes).
srecbuf auto|<integer, 2000 to 100000>
Set server TCP receive buffer size (Bytes).


/ssl/cfg/vpn/server/http
SSL VPN Configuration Server HTTP Settings Menu
[HTTP Settings Menu]
downstatus - Set server down reply status
rewrite - SSL triggered rewrite menu
securecook - Set add secure option to session cookie
sslheader - Add SSL header
sslxheader - Add SSL header with serial in hex
sslsidhead - Add SSL SID header
addxfor - Add X-Forwarded-For header
addvia - Add Via header
addxisd - Add HTTP-X-ISD debug header
addclicert - Add Client-Cert as a HTTP header
addnostore - Add no-cache/no-store HTTP header
allowimage - Allow image caching
allowdoc - Allow document caching
allowscrip - Set allow script caching
allowica - Allow ICA file caching
cmsie - Set MSIE session termination bug workaround
maxrcount - Set max number of persistant client requests
maxline - Set max line length

Table 11-61 SSL VPN Configuration Server HTTP settings Menu Options
Command Syntax and Usage
downstatus unavailable|redirect|reset
Set the server down reply status.
rewrite on|off
Go to the SSL triggered Rewrite menu. To view the menu options, see page 607.
securecook on|off
Set the add secure option for the session cookie.
sslheader on|off
Add an SSL session ID header.
sslxheader on|off
Add an SSL header with serial number in hexadecimal.
sslsidhead on|off
Add an SSL SID header.
addxfor on|off|anonymous|remove
Add X-Forwarded-For header.

addvia on|off|anonymous|remove
Set VIA header.
addxisd on|off
Set HTTP-X-ISD debug header.
addclicert on|off
Set Client-Cert as a HTTP header.
addnostore on|off
Set no-cache/no-store HTTP header.
allowimage on|off
Set image caching.
allowdoc on|off
Set document caching.
allowscrip on|off
Set allow script caching.
allowica on|off
Set ICA file caching.
cmsie on|off
Set MSIE session termination bug workaround.
maxrcount <integer>
Set the maximum number of persistent client requests.
maxline <integer>
Set the maximum line length.

/ssl/cfg/vpn/server/http/rewrite
SSL VPN Configuration Server SSL triggered rewrite Menu
[Rewrite Menu]
rewrite - Set SSL triggered rewrite
ciphers - Set accepted ciphers
response - Set source of response
URI - Set URI with the weak cipher alert


Table 11-62 SSL VPN Configuration Server SSL triggered rewrite Menu Options
Command Syntax and Usage
rewrite on|off
Set SSL triggered rewrite. For step-up certificates we recommend ALL:-RC2:SHA1:@STRENGTH
ciphers <string>
Set the accepted ciphers. The cipher list consists of one or more cipher strings separated by colons
(e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g.
SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms).
Each cipher string can be optionally preceded by the characters !, - or +:
! permanently deletes the ciphers from the list (e.g. !RSA).
- deletes the ciphers from the list, but the ciphers can be added again by later options.
+ moves the ciphers to the end of the list. This option doesn't add any new ciphers; it just moves matching existing ones.

Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption
algorithm key length.
response iSD|WebServer
Set the source of response.
URI <WebServer response only>
Set the URI with the weak cipher alert. For example, /cgi-bin/weakcipher.

/ssl/cfg/vpn/server/proxymap
SSL VPN Configuration Server Intranet Proxy settings Menu
The PROXY menu is not available for type portal and socks servers.
[Proxy Mapping Menu]
list
- List all values
del
- Delete a value by number
add
- Add a new value
insert
- Insert a new value
move
- Move a value by number

Table 11-63 SSL VPN Configuration Server Intranet Proxy settings Menu Options
Command Syntax and Usage
list
List all of the server Intranet Proxy settings.

del <Proxy_server_name>
Delete the Intranet Proxy server.
add <ip_address> <port>
Add an Intranet Proxy server.
insert <position> <ip_address> <port>
Insert an Intranet Proxy server into the Proxy server list.
move <value> <value>
Move the Intranet Proxy server from one position to another in the server list.

/ssl/cfg/vpn/server/portal
SSL VPN Configuration Server Portal settings Menu
[Portal Settings Menu]
resetcooki - Set Re-Set session cookie in each request
domain - Set cookie domain
persistent - Set use persistent session cookies

Table 11-64 SSL VPN Configuration Server Portal settings Menu Options
Command Syntax and Usage
resetcooki on|off
Set the Reset session cookie in each request.
domain <domain_name>
Set the cookie domain name for the portal.
persistent on|off
Set the use of persistent session cookies.

/ssl/cfg/vpn/server/adv
SSL VPN Configuration Server Advanced Menu
[Advanced Settings Menu]
traflog - UDP syslog Traffic Log menu
sslconnect - SSL connect menu


Table 11-65 SSL VPN Configuration Server Advanced Menu Options


Command Syntax and Usage
traflog <IP_address>
Go to the UDP syslog Traffic Log menu. To view the menu options, see page 610.
sslconnect on|off
Go to the SSL Connect menu. To view the menu options, see page 611.

/ssl/cfg/vpn/server/adv/traflog
SSL VPN Configuration Server UDP Syslog Traffic Log Menu
[Traffic Log Settings Menu]
sysloghost - Set syslog host IP
udpport - Set syslog portnumber
priority - Set syslog priority
facility - Set syslog facility
ena - Enable traffic UDP syslog logging
dis - Disable traffic UDP syslog logging

Table 11-66 SSL VPN Configuration Server UDP Syslog Traffic Log Menu Options
Command Syntax and Usage
sysloghost <IP_address>
Set the IP address of the VPN.
udpport <UDP_port_number>
Set the standalone mode.
priority <syslog_name>
Set the syslog priority.
facility <string>
Set the syslog facility.
ena enable|disable
Enable traffic UDP syslog messaging.
dis
Disable traffic UDP syslog messaging.


/ssl/cfg/vpn/server/adv/sslconnect
SSL VPN Configuration Server SSL Connect Menu
[SSL Connect Settings Menu]
protocol - Set protocol version
cert - Set client certificate
ciphers - Set accepted ciphers for ssl connect
verify - Verify server menu

Table 11-67 SSL VPN Configuration Server UDP Syslog Traffic Log Menu Options
Command Syntax and Usage
protocol ssl2|ssl3|ssl23|tls1
Set the Protocol version.
cert <certificate_number, 1 to 1500>
Set the client certificate.
ciphers
Set the accepted ciphers for SSL connection. The cipher list consists of one or more cipher strings
separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical
and operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES
algorithms).
Each cipher string can be optionally preceded by the characters !, - or +.
! permanently deletes the ciphers from the list (e.g. !RSA).
- deletes the ciphers from the list, but the ciphers can be added again by later options.
+ moves the ciphers to the end of the list.

Additionally the cipher string @STRENGTH sorts the current cipher list in order of encryption
algorithm key length.
verify
Go to the Verify server menu. To view the menu options, see page 612.
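
The cipher-list rules given for the ciphers option here, and for the same option in the /ssl/cfg/vpn/server/ssl and /ssl/cfg/vpn/server/http/rewrite menus, can be traced by hand. The Python sketch below is an added example, not Nortel code: it applies the !, -, + and @STRENGTH rules from the text to a small constructed suite catalogue and evaluates the ALL:-RC2:SHA1:@STRENGTH string quoted in the rewrite menu. The suite names, tags and key lengths are illustrative assumptions, and the strongest-first sort order and append-without-reordering behaviour follow OpenSSL's cipher list format.

```python
"""Trace a cipher list such as ALL:-RC2:SHA1:@STRENGTH over a constructed catalogue."""
from typing import NamedTuple


class Suite(NamedTuple):
    name: str
    tags: frozenset   # keywords the suite answers to
    bits: int         # encryption algorithm key length


def _suite(name, tags, bits):
    return Suite(name, frozenset(tags.split()), bits)


# Constructed, simplified catalogue (assumption): a real device derives this
# from its SSL library, with more suites and more keywords per suite.
CATALOGUE = [
    _suite("RC4-MD5", "SSLv3 RSA RC4 MD5", 128),
    _suite("EXP-RC2-CBC-MD5", "SSLv3 RSA RC2 MD5", 40),
    _suite("DES-CBC-SHA", "SSLv3 RSA DES SHA1", 56),
    _suite("DES-CBC3-SHA", "SSLv3 RSA 3DES SHA1", 168),
    _suite("EDH-DSS-DES-CBC3-SHA", "SSLv3 DH DSS 3DES SHA1", 168),
    _suite("AES128-SHA", "TLSv1 RSA AES SHA1", 128),
    _suite("AES256-SHA", "TLSv1 RSA AES SHA1", 256),
]


def _matches(expr):
    """Suites matching every keyword of an AND expression such as SHA1+DES."""
    words = expr.split("+")
    return [s for s in CATALOGUE
            if all(w == "ALL" or w == s.name or w in s.tags for w in words)]


def expand(cipher_list):
    """Return the ordered suite names that a colon-separated cipher list selects."""
    current = []      # the preference list being built
    banned = set()    # suites removed with '!', which can never come back
    for token in cipher_list.split(":"):
        if not token:
            continue
        if token == "@STRENGTH":
            # Stable sort, strongest first (assumption: OpenSSL's order).
            current.sort(key=lambda s: -s.bits)
            continue
        op = token[0] if token[0] in "!-+" else ""
        hits = _matches(token[len(op):])
        if op in ("!", "-"):
            current = [s for s in current if s not in hits]
            if op == "!":
                banned.update(hits)
        elif op == "+":
            # Move matching suites already in the list to the end; add nothing.
            moved = [s for s in current if s in hits]
            current = [s for s in current if s not in hits] + moved
        else:
            # Append new matches; suites already listed keep their position.
            current += [s for s in hits
                        if s not in current and s not in banned]
    return [s.name for s in current]


def below(cipher_list, min_bits):
    """Audit helper: selected suites whose key length is under min_bits."""
    selected = set(expand(cipher_list))
    return [s.name for s in CATALOGUE
            if s.name in selected and s.bits < min_bits]


if __name__ == "__main__":
    recommended = "ALL:-RC2:SHA1:@STRENGTH"
    print(expand(recommended))
    print("under 128 bits:", below(recommended, 128))
```

In this constructed catalogue, -RC2 removes only the RC2 suite, so the 56-bit DES suite is still selected after the sort; the `below` check is what surfaces it.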


/ssl/cfg/vpn/server/adv/sslconnect/verify
SSL VPN Configuration Server SSL Connect verify Server Menu
[SSL Connect Verify Settings Menu]
verify - Set certificate verification level
commonname - Set server common name
cacerts - Set list of accepted signers server's certificate

Table 11-68 SSL VPN Configuration Server SSL Connect Verify Server Menu Options
Command Syntax and Usage
verify none|verify
Set the Certificate Verification level.
commonname <string>
Set the server common name.
cacerts <certificate_numbers>
Set the list of accepted signers for each server certificate. If more than one, use a comma to separate each entry.

/ssl/cfg/vpn/ipsec
SSL VPN Configuration IPsec Server Menu
[IPsec Menu]
ena - Enable IPsec
dis - Disable IPsec
quick - Quick IPsec setup wizard
ikeprof - IKE profile
utunprof - User tunnel profile
cacerts - Set list of accepted signers of clients certificate
cert - Set server certificate

Table 11-69 SSL VPN Configuration IPSEC Server Menu Options


Command Syntax and Usage
ena [enable|disable]
Enable IPsec.

612 Chapter 11: The SSL Processor Menu


dis [enable|disable]
Disable IPsec.
quick
Use the Quick IPsec setup wizard. For example:
SSL >> IPsec# quick
Do you want to use IPsec Group login? (yes/no) [no]: n
Lower IP address in pool range: 0.0.0.0
Upper IP address in pool range: 1.1.1.1
Enabled IPsec
Creating IKE Profile 1
Name: vpn_1_1
Creating User Tunnel Profile 1
Name: vpn_1_1
You should create a AAA group for the user tunnel profile
Enabled Pool
Use apply to activate the changes
ikeprof
Go to the IKE profile menu.
utunprof
Set the User tunnel profile.
cacerts
Set the list of accepted signers of clients certificate.
cert
Set the server certificate.

Chapter 11: The SSL Processor Menu 613



/ssl/cfg/vpn/ipsec/ikeprof
SSL VPN Configuration IPsec Server IKE Profile Menu
[IKE Profile 1 Menu]
name
- Set IKE profile name
del
- Remove IKE Profile
enc
- Encryption mask menu
dh
- Diffie-Hellman group mask menu
pfs
- Enable Perfect Forward Secrecy
initcontac - Accept ISAKMP initial contact payload
rekeytime - Set rekey time limit
rekeytraf - Set rekey traffic limit
retransmit - Set ISAKMP retransmit interval
maxretrans - Set ISAKMP max attempts retransmits
replaywins - Set replay window size
nat
- NAT menu
deadpeer
- Dead peer menu

Table 11-70 SSL VPN Configuration IPSEC Server IKE Profile Menu Options
Command Syntax and Usage
name <string>
Set the IKE profile name.
del <IKE_profile_name>
Disable IPsec.
enc
Go to the Encryption mask menu. To view the menu options, see page 615.
dh
Go to the Diffie-Hellman group mask menu. To view the menu options, see page 616.
pfs on|off
Enable Perfect Forward Secrecy.
initcontac on|off
Accept ISAKMP initial contact payload.
rekeytime <integer>
Set the rekey time limit, in seconds.
rekeytraf <integer>
Set rekey traffic limit, in KBytes.
retransmit <integer>
Set ISAKMP retransmit limit, in seconds.

614 Chapter 11: The SSL Processor Menu


maxretrans <integer>
Set the maximum ISAKMP attempts to retransmit.
replaywins <integer>
Set replay window size.
nat
Go to the NAT menu. To view the menu options, see page 617.
deadpeer
Go to the Dead Peer menu. To view the menu options, see page 617.

/ssl/cfg/vpn/ipsec/ikeprof/enc
SSL VPN Configuration IPsec Server IKE Profile Encryption Menu
[Encryption Menu]
hmac_md5 - Set HMAC with MD5
hmac_sha - Set HMAC with SHA
null_md5 - Set NULL with MD5
null_sha - Set NULL with SHA
des_md5 - Set DES with MD5
des_sha - Set DES with SHA
3des_md5 - Set 3DES with MD5
3des_sha - Set 3DES with SHA
aes_128_sh - Set 128 bits AES with SHA

Table 11-71 SSL VPN Configuration IPSEC Server IKE Profile Encryption Menu
Options
Command Syntax and Usage
hmac_md5 on|off
Set HMAC with MD5.
hmac_sha on|off
Set HMAC with SHA.
null_md5 on|off
Set NULL with MD5.
null_sha on|off
Set NULL with SHA.

Chapter 11: The SSL Processor Menu 615


des_md5 on|off
Set DES with MD5.
des_sha on|off
Set DES with SHA.
3des_md5 on|off
Set 3DES with MD5.
3des_sha on|off
Set 3DES with SHA.
aes_128_sh on|off
Set 128 bits AES with SHA.

/ssl/cfg/vpn/ipsec/ikeprof/dh
SSL VPN Configuration IPsec Server IKE Profile Diffie-Hellman Group Mask Menu
[Diffie-Hellman Group Menu]
dh1
- Set Diffie-Hellman group 1
dh2
- Set Diffie-Hellman group 2
dh5
- Set Diffie-Hellman group 5

Table 11-72 SSL VPN Configuration IPSEC Server IKE Profile Diffie-Hellman
Group Mask Menu Options
Command Syntax and Usage
dh1 on|off
Set Diffie-Hellman group 1.
dh2 on|off
Set Diffie-Hellman group 2.
dh5 on|off
Set Diffie-Hellman group 5.

616 Chapter 11: The SSL Processor Menu



/ssl/cfg/vpn/ipsec/ikeprof/NAT
SSL VPN Configuration IPsec Server IKE Profile NAT Menu
[NAT Menu]
natdetect - Set ESP UDP NAT detect
timeout - Set detect timeout
keepalive - Set keepalive timeout

Table 11-73 SSL VPN Configuration IPSEC Server IKE Profile NAT Menu
Options
Command Syntax and Usage
natdetect disabled|auto|ipsec_capable|use_udp_encap
Set ESP UDP detection.
timeout <integer>
Set the detection timeout, in seconds.
keepalive <integer>
Set the keepalive timeout, in seconds.

/ssl/cfg/vpn/ipsec/ikeprof/deadpeer
SSL VPN Configuration IPsec Server IKE Profile Dead Peer Menu
[Dead Peer Menu]
ena - Enable dead peer detection
dis - Disable dead peer detection
interval - Set detect interval
retransmit - Set max retransmissions

Table 11-74 SSL VPN Configuration IPSEC Server IKE Profile Dead Peer Menu
Options
Command Syntax and Usage
ena [enable|disable]
Enable dead peer detection.
dis [enable|disable]
Disable dead peer detection.

Chapter 11: The SSL Processor Menu 617


interval <integer>
Set the detection interval, in seconds.
retransmit <integer>
Set the maximum number of retransmissions.

/ssl/cfg/vpn/ippool
SSL VPN Configuration IP Pool Menu
[Pool Menu]
ena - Enable pool
dis - Disable pool
lowerip - Set lower IP in pool range
upperip - Set upper IP in pool range
proxyarp - Set proxy arp on clean side interfaces
info - Print alloc info for this VPN

Table 11-75 SSL VPN Configuration IP Pool Menu Options


Command Syntax and Usage
ena enable|disable
Enable the IP Pool.
dis enable|disable
Disable the IP Pool.
lowerip <lower_IP_address>
Set the lower IP address in the pool range.
upperip <upper_IP_address>
Set the upper IP address in the pool range.
proxyarp on|off|all
Set proxy ARP on clean side interfaces.
info
Display all of the IP Pool configuration information.

618 Chapter 11: The SSL Processor Menu



/ssl/cfg/vpn/portal
SSL VPN Configuration Portal Menu
[Portal Menu]
import - Import banner image gif
restore - Restores default Nortel banner
banner - Show installed banner file
redirect - Set redirect URL
logintext - Set static text on login page
iconmode - Set Home tab icon mode
linktext - Set static text on link page
linkurl - Set url input field on link page
linkcols - Set number of columns on home tab
linkwidth - Set width of link columns on home tab
companynam - Set company name used on portal pages
colors - Portal colors menu
faccess - Full Access menu
lang - Portal language menu
wiper - Set use ActiveX component for clearing cache
ieclear - Set use IE ClearAuthCache
whitelist - White-list settings menu
citrix - Set Citrix support

Table 11-76 SSL VPN Configuration Portal Menu Options


Command Syntax and Usage
import [<protocol> <hostname> <bannerfilename>]
Import banner image gif. For example:
SSL >> Portal# import
Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp
Enter hostname or IP address of server: 0.0.0.0
Enter filename on server: nortel_banner.gif
restore
Restores default Nortel banner.
banner
Show installed banner file.
redirect <URL>
Set redirect URL.
logintext
Set static text on login page. Write or paste the text to show up in the Login window, press Enter to
create a new line, and then type "..." (without the quotation marks) to terminate.
iconmode clean|fancy
Set Home tab icon mode.

Chapter 11: The SSL Processor Menu 619


linktext [<string>]
Set static text on link page. Write or paste the text, press Enter to create a new line, and then type
"..." (without the quotation marks) to terminate.
linkurl on|off
Set URL input field on link page.
linkcols [<integer>]
Set number of columns on home tab. Four can be considered a practical maximum.
linkwidth [auto|0 to 100%]
Set width of link columns on home tab.
companynam [<string>]
Set company name used on portal pages.
colors
Go to the Portal Colors menu. To view the menu options, see page 621.
faccess
Go to the Full Access menu. To view the menu options, see page 621.
lang
Go to the Portal language menu. To view the menu options, see page 622.
wiper [on|off]
Set use ActiveX component for clearing cache.
ieclear [on|off]
Set use IE ClearAuthCache.
whitelist
Go to the White-list settings menu. To view the menu options, see page 623.
citrix [on|off]
Set Citrix support.

620 Chapter 11: The SSL Processor Menu



/ssl/cfg/vpn/portal/colors
SSL VPN Configuration Portal Colors Menu
[Portal Colors Menu]
color1 - Set portal color 1
color2 - Set portal color 2
color3 - Set portal color 3
color4 - Set portal color 4
theme - Color theme

Table 11-77 SSL VPN Configuration Portal Colors Menu Options


Command Syntax and Usage
color1 [<HTML_color_syntax>]
Set Portal color 1. For example, #003399 for blue.
color2 [<HTML_color_syntax>]
Set Portal color 2.
color3 [<HTML_color_syntax>]
Set Portal color 3.
color4 [<HTML_color_syntax>]
Set Portal color 4.
theme [default|aqua|apple|jeans|cinnamon|candy]
Set the color theme.

/ssl/cfg/vpn/portal/faccess
SSL VPN Configuration Portal Full Access Menu
[Full Access Menu]
ena
- Enable 'Full Access' tab
dis
- Disable 'Full Access' tab
ipsecmode - Set IPSEC Mode
contip
- Set Contivity IP address
contid
- Set Contivity group ID
contpass
- Set Contivity group password
portalmsg - Set text in 'Full Access' portal tab
appletmsg - Set text in 'Full Access' Applet window

Chapter 11: The SSL Processor Menu 621



Table 11-78 SSL VPN Configuration Portal Full Access Menu Options
Command Syntax and Usage
ena [enable|disable]
Enable 'Full Access' tab.
dis [enable|disable]
Disable 'Full Access' tab.
ipsecmode [contivity|native]
Set the IPSEC Mode.
contip [<IP_address>]
Set Contivity IP address.
contid [<string>]
Set the Contivity group ID.
contpass [<string>]
Set a Contivity group password.
portalmsg
Set text in 'Full Access' portal tab. Write or paste the text to show up in the Full Access Portal window, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
appletmsg
Set text in 'Full Access' Applet window. Write or paste text to show up in the Full Access Applet
window, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. If you *only* enter "..." a default text will be generated.

/ssl/cfg/vpn/portal/lang
SSL VPN Configuration Portal Language Menu
[Portal Language Menu]
setlang - Set the language to be used in the portal
charset - Print charset in use
list - List supported languages

Table 11-79 SSL VPN Configuration Portal Language Menu Options


Command Syntax and Usage
ips [<ISO 639 Language Code>]
Set the language to be used in the portal. For English, enter en.

622 Chapter 11: The SSL Processor Menu


charset on|off
Display the current character set. For example:
Charset = iso-8859-1
list
Display all of the pre-defined languages.

/ssl/cfg/vpn/portal/whitelist
SSL VPN Configuration Portal Whitelist settings Menu
[White-list Settings Menu]
domains
- Configure white-list domains
ena
- Enable URL rewrite white-list
dis
- Disable URL rewrite white-list

Table 11-80 SSL VPN Configuration Portal Whitelist settings Menu Options
Command Syntax and Usage
domains
Go to the Domains menu. To view the menu options, see page 623.
ena [enable|disable]
Enable URL re-write whitelist.
dis [enable|disable]
Disable URL re-write whitelist.

/ssl/cfg/vpn/portal/whitelist/domains
SSL VPN Configuration Portal Whitelist settings Domains Menu
[White-list menu Menu]
list
- List all values
del
- Delete a value by number
add
- Add a new value

Chapter 11: The SSL Processor Menu 623



Table 11-81 SSL VPN Configuration Portal Whitelist settings Domains Menu
Options
Command Syntax and Usage
list
Go to the Domains menu. To view the menu options, see page 621.
del [<index>]
Delete a value.
add [<domain_name>]
Add a domain.

/ssl/cfg/vpn/linkset
SSL VPN Configuration Linkset Menu
To enter the /ssl/cfg/vpn/linkset menu level, you are prompted to create a linkset if one does
not already exist.
SSL >> VPN 1# linkset
Enter Linkset number or name (1-1023): 1
Creating Linkset 1
Linkset name: Linkset_1
Linkset text (HTML syntax, eg <b>A heading</b>): html
Autorun Linkset (true/false) [false]: false
------------------------------------------------------------
[Linkset 1 Menu]
name
- Set linkset name
text
- Set linkset text
autorun
- Set autorun support
link
- Link menu
del
- Remove tunnel

Table 11-82 SSL VPN Configuration Linkset Menu Options


Command Syntax and Usage
name <string>
Set the linkset name.
text [<text_type>]
Set the text type. In the current release, only HTML is available (default).
autorun [true|false]
Set the autorun linkset option.

624 Chapter 11: The SSL Processor Menu


link
Go to the Link menu. To view the menu options, see page 625.
del [<linkset_number>]
Remove the linkset.

/ssl/cfg/vpn/linkset/link
SSL VPN Configuration Linkset Link Menu
To enter the /ssl/cfg/vpn/linkset/link menu level, you are prompted to create a link if one does
not already exist.
SSL >> Linkset 1# link
Enter Link number or name (1-1023): 1
Creating Link 1
Enter link text: Link_1
Enter type of link (hit TAB to see possible values) [internal]: <tab>
smb
ftp
proxy
custom
mail
telnet
netdrive
wts
outlook
netdirect terminal
external
internal
eauto
iauto
Enter type of link (hit TAB to see possible values) [internal]: internal
Entering: Internal settings menu
Enter method (http/https): http
Enter host (eg inside.company.com): NoTel.ca
Enter path (eg /): /info
Leaving: Internal settings menu
------------------------------------------------------------
[Link 1 Menu]
move
- Move link
text
- Set link text
type
- Set link type
internal
- Internal settings menu
del
- Remove link

Table 11-83 SSL VPN Configuration Linkset Link Menu Options


Command Syntax and Usage
move [<link_number>]
Move the link.

Chapter 11: The SSL Processor Menu 625


text [<link_name>]
Set the name of the link.
type [<link_type>]
Set the link type. See the list of link types on page 625.
internal
Go to the Internal link menu. To view the menu options, see page 626.
del [<link_number>]
Remove the link.

/ssl/cfg/vpn/linkset/link/internal
SSL VPN Configuration Linkset Link Internal Setting Menu
[Internal menu Menu]
quick
- Quick internal link wizard

Table 11-84 SSL VPN Configuration Linkset Link Internal Settings Menu Options
Command Syntax and Usage
quick
Configure the link using the internal link wizard. For example:
SSL >> Internal menu# quick
Enter method (http/https): http
Enter host (eg inside.company.com): NoTel.ca
Enter path (eg /): /

/ssl/cfg/vpn/sslclient
SSL VPN Configuration SSL Client Menu
[SSL VPN Client Menu]
netdirect - Allow Netdirect client
xmlconfig - Set XML client configuration

626 Chapter 11: The SSL Processor Menu



Table 11-85 SSL VPN Configuration SSL Client Menu Options


Command Syntax and Usage
netdirect [on|off]
Allow a Netdirect VPN client.
xmlconfig
Set the XML client configuration. Write or paste the text, press Enter to create a new line, and then
type "..." (without the quotation marks) to terminate.

/ssl/cfg/vpn/adv
SSL VPN Configuration Advanced Menu
[Advanced Menu]
interface - Set backend interface used by VPN
dns - DNS settings menu
log - Set log settings

Table 11-86 SSL VPN Configuration Advanced Menu Options


Command Syntax and Usage
interface [<backend_interface_number>]
Set the backend interface.
dns
Go to the DNS settings menu. To view the menu options, see page 627.
log [all|login|http|portal|reject|socks]
Set the log option.

/ssl/cfg/vpn/adv/dns
SSL VPN Configuration Advanced DNS settings Menu
[DNS Settings Menu]
search
- Set DNS search list

Table 11-87 SSL VPN Configuration Advanced DNS settings Menu Options


Command Syntax and Usage
search [<domain_names>]
Set the domain search list. If more than one domain, use a comma to separate each entry.

Chapter 11: The SSL Processor Menu 627



/ssl/cfg/sys
SSL Configuration System Menu
[System Menu]
mip - Set management IP (MIP) address
host - iSD host menu
routes - Routes menu
time - Date and time menu
dns - DNS settings
rsa - RSA Servers
syslog - Syslog servers menu
accesslist - Access list menu
adm - Administrative applications menu
user - User Access Control menu
distrace - Disable tracing with tcpdump/ssldump

Table 11-88 SSL Configuration System Menu Options


Command Syntax and Usage
mip [<IP_address>]
Set the management IP (MIP) address.
host
Go to the Host menu. To view menu options, see page 629.
routes
Go to the Routes menu. To view menu options, see page 630.
time
Go to the Time menu. To view menu options, see page 634.
dns
Go to the Time menu. To view menu options, see page 634.
rsa
Go to the RSA server menu. To view menu options, see page 636.
syslog
Go to the RSA server menu. To view menu options, see page 636.
accesslist
Go to the Access List menu. To view menu options, see page 637.
adm
Go to the Administrative Applications menu. To view menu options, see page 638.
user
Go to the Administrative Applications menu. To view menu options, see page 647.

628 Chapter 11: The SSL Processor Menu


distrace [yes|no]
Deactivate trace. Trace cannot be reactivated during the session.

/ssl/cfg/sys/host
SSL Configuration System Host Menu
[iSD Host 1 Menu]
type - Set type of the iSD
ip - Set IP address
license - Set License
gateway - Set default gateway address
routes - Routes menu
interface - iSD host interface menu
port - iSD port configuration menu
ports - Display physical ports
hwplatform - Display hardware platform
halt - Halt the iSD
reboot - Reboot the iSD
delete - Remove iSD Host

Table 11-89 SSL Configuration System Host Menu Options


Command Syntax and Usage
type [master|slave]
Set the iSD type.
ip [<IP_address>]
Set the IP address of the host.
license [<string>]
Enter or paste the host license information. Paste the license, press Enter to create a new line, and
then type "..." (without the quotation marks) to terminate.
gateway [<IP_address>]
Set default gateway address.
routes
Go to the Routes menu. To view menu options, see page 633.
interface
Go to the iSD host interface menu. To view menu options, see page 631.
port
Go to the iSD port configuration menu. To view menu options, see page 632.

Chapter 11: The SSL Processor Menu 629


ports
Display the number of physical ports.
hwplatform
Display hardware platform.
halt [yes|no]
Halt the iSD platform.
reboot [yes|no]
Reboot the iSD.
delete [<hostname>]
Remove iSD Host.

/ssl/cfg/sys/host/routes
SSL Configuration System Host Routes Menu
[Host Routes Menu]
list
- List all values
del
- Delete a value by number
add
- Add a new value

Table 11-90 SSL Configuration System Host Routes Menu Options


Command Syntax and Usage
list
List all host routes.
del [<route_number>]
Delete a route by its number.
add [<destination> <netmask> <gateway>]
Add a route.

630 Chapter 11: The SSL Processor Menu



/ssl/cfg/sys/host/interface
SSL Configuration System Host Menu
[Host Interface 1 Menu]
ip
- Set IP address
netmask
- Set network mask
gateway
- Set default gateway address
routes
- Routes menu
vlanid
- Set VLAN tag id
mode
- Set mode
ports
- Interface ports menu
primary
- Set primary port
delete
- Remove Host Interface

Table 11-91 SSL Configuration System Host Interface Menu Options


Command Syntax and Usage
ip [<IP_address>]
Set the host interface IP address.
netmask [<IP_address>]
Set the interface netmask.
gateway [<IP_address>]
Set the Gateway IP address.
routes
Go to the Routes menu. To view menu options, see page 632.
vlanid [<integer>]
Set the VLAN tag ID.
mode [failover|trunking]
Set the interface mode.
ports
Go to the Ports menu. To view menu options, see page 633.
primary [<port_number>]
Set the Primary port.
delete [<interface_hostname>]
Delete the interface.

Chapter 11: The SSL Processor Menu 631



/ssl/cfg/sys/host/interface/routes
SSL Configuration System Host Interface Routes Menu
[Host Interface Routes Menu]
list
- List all values
del
- Delete a value by number
add
- Add a new value

Table 11-92 SSL Configuration System Host Interface Menu Options


Command Syntax and Usage
list
List all of the configured interface routes.
del [<route_number>]
Delete an interface route.
add [<destination> <netmask> <gateway>]
Add an interface route.

/ssl/cfg/sys/host/port
SSL Configuration System Host Port Menu
[Host Port 1 Menu]
autoneg - Set autonegotiation
speed
- Set Speed
mode
- Set full or half duplex mode

Table 11-93 SSL Configuration System Host Port Menu Options


Command Syntax and Usage
autoneg <on | off>
Enables or disables autonegotiation on the port. The default is on.
speed <10 | 100 | 1000>
Sets the port speed in Mbits per second when autonegotiation is not in use.
mode <full | half>
Sets the duplex mode of the port when autonegotiation is not in use. When autonegotiation is not
in use the default mode is full.

632 Chapter 11: The SSL Processor Menu



/ssl/cfg/sys/routes
SSL Configuration System Menu
[Routes Menu]
list - List all values
del - Delete a value by number
add - Add a new value

Table 11-94 SSL Configuration System Menu Options


Command Syntax and Usage
list
List all of the configured routes.
del [<route_number>]
Delete a route. This command removes the specified static route from the system configuration.
Use the list command to display the index numbers of all added static routes.
add [<destination> <netmask> <gateway>]
Add a static route.

/ssl/cfg/sys/time
SSL Configuration System Time Menu
[Date and Time Menu]
date
- Set system date
time
- Set system time
tzone
- Set Timezone
ntp
- Configure NTP servers

Table 11-95 SSL Configuration System Time Menu Options


Command Syntax and Usage
date [YYYY-MM-DD]
Enter the date.
time [HH:MM:SS]
Set the time, using a 24-hour clock scheme.
tzone [<continent_number> <country_number> <region_number>]
Set the time zone.
ntp
Configure NTP servers. To view menu options, see page 634.

Chapter 11: The SSL Processor Menu 633



/ssl/cfg/sys/time/ntp
SSL Configuration System Time NTP servers Menu
[NTP Servers Menu]
list
- List all values
del
- Delete a value by number
add
- Add a new value

Table 11-96 SSL Configuration System Time NTP Servers Menu Options
Command Syntax and Usage
list
List the configured NTP servers.
del [<NTP_server>]
Delete the NTP server. Removes the specified NTP server from the system configuration. Use the
list command to display the index numbers of all added NTP servers.
add [<IP_address>]
Add an NTP server. Adds an NTP server to the system configuration. The NTP server you add is
used by the NTP client on the iSD to synchronize its clock. NTP should have access to a number of
servers (at least three) in order to compensate for any discrepancies in the servers.

/ssl/cfg/sys/dns
SSL Configuration System DNS settings Menu
[DNS Settings Menu]
servers - DNS servers menu
cachesize - Set Local DNS cache size
retransmit - Set DNS Retransmit interval timer
count - Set DNS Retransmit counter
ttl - Set Max TTL
health - Set Health check interval
hdown - Set Health check down counter
hup - Set Health check up counter

Table 11-97 SSL Configuration System DNS Settings Menu Options


Command Syntax and Usage
servers
Go to the DNS Servers menu. To view menu options, see page 635.
cachesize [<integer>]
Set the DNS cache size in kBytes.

634 Chapter 11: The SSL Processor Menu


retransmit [<integer>]
Set the DNS retransmit interval timer value, in seconds.
count [<integer>]
Set the DNS Retransmit counter value.
ttl [<integer>]
Set the maximum TTL, in seconds.
health [<integer>]
Set Health check interval.
hdown [<integer>]
Set Health check down counter
hup [<integer>]
Set Health check up counter

/ssl/cfg/sys/dns/servers
SSL Configuration System DNS Servers settings Menu
[DNS Servers Menu]
list
- List all values
del
- Delete a value by number
add
- Add a new value
insert
- Insert a new value
move
- Move a value by number

Table 11-98 SSL Configuration System DNS Servers Menu Options


Command Syntax and Usage
list
List all of the DNS server settings.
del <DNS_server_name>
Delete the DNS server.
add <ip_address>
Add a DNS server.
insert <position> <ip_address>
Insert a DNS server into the DNS server list.
move <value> <value>
Move the DNS server from one position to another in the server list.

Chapter 11: The SSL Processor Menu 635



/ssl/cfg/sys/rsa
SSL Configuration System RSA servers Menu
To enter the /ssl/cfg/sys/rsa menu level, you are prompted to create an RSA server if one does
not already exist.
SSL >> System# rsa
Enter RSA Server number or name: (1-255) 1
Creating RSA Servers 1
RSA server symbolic name: RSA_1
------------------------------------------------------------
[RSA Servers 1 Menu]
rsaname
- Set RSA server symbolic name
import
- Import sdconf.rec file
rmnodesecr - Remove Node Secret
del
- Remove RSA server

Table 11-99 SSL Configuration System RSA servers Menu Options


Command Syntax and Usage
rsaname <string>
Set the RSA server symbolic name.
import [<protocol> <host> <file>]
Import a sdconf.rec file.
rmnodesecr [<node_secret_name>]
Remove a Node Secret.
del
Remove an RSA server.

/ssl/cfg/sys/syslog
SSL Configuration System SysLog Servers Menu
[Syslog Servers Menu]
list
- List all values
del
- Delete a value by number
add
- Add a new value
insert
- Insert a new value
move
- Move a value by number

636 Chapter 11: The SSL Processor Menu



Table 11-100 SSL Configuration System SysLog Servers Menu Options


Command Syntax and Usage
list
List all of the Syslog server settings.
del <Syslog_server_name>
Delete the Syslog server.
add <ip_address>
Add a Syslog server.
insert [<position> <ip_address> <local_facility>]
Insert a Syslog server into the Syslog server list.
move <value> <value>
Move the Syslog server from one position to another in the server list. Moves a syslog server up or
down in the list of configured servers. The index numbers you specify must be in use. To view all
syslog servers currently added to the system configuration, use the list command.

/ssl/cfg/sys/accesslist
SSL Configuration System Access List Menu
[Access List Menu]
list
- List all values
del
- Delete a value by number
add
- Add a new value

Table 11-101 SSL Configuration System Menu Options


Command Syntax and Usage
list
List the accesslist values.
del [<access_list_number>]
Delete an accesslist.
add
Add a new value to the accesslist. Adds a single machine, or a range of machines on a specific network, to the access list. Only those machines listed will be allowed to access the iSD host via a
Telnet or SSH connection (assuming that Telnet or SSH connections, or both, are enabled).

Chapter 11: The SSL Processor Menu 637



/ssl/cfg/sys/adm
SSL Configuration System Administrative applications Menu
[Administrative Applications Menu]
snmp
- SNMP menu
clitimeout - Set CLI idle timeout
audit
- Audit Settings Menu
auth
- Authentication menu
telnet
- Set telnet CLI access
ssh
- Set SSH CLI access
http
- HTTP access menu
https
- HTTPS access menu
sshkeys
- SSH host keys menu

Table 11-102 SSL Configuration System Administrative applications Menu Options
Command Syntax and Usage
snmp
Go to the SNMP menu. To view menu options, see page 639.
clitimeout [<integer>]
Set the CLI idle timeout value, in seconds.
audit
Go to the Audit menu. To view menu options, see page 643.
telnet
Set the telnet CLI access. Enables or disables Telnet access. When set to on and not having added
machine(s) to the access list, all Telnet connections are allowed.
When set to on and having added machine(s) to the access list, only the specified machine(s) are allowed Telnet access.
When set to off, all Telnet connections are rejected, including connections from machine(s) added to the access list.
The default Telnet setting is off.
ssh
Set the SSH CLI access. Enables or disables SSH access. When set to on and not having added
machine(s) to the access list, all SSH connections are allowed.
When set to on and having added machine(s) to the access list, only the specified machine(s) are allowed SSH access.
When set to off, all SSH connections are rejected, including connections from machine(s) added to the access list.
The default SSH setting is off.

638 Chapter 11: The SSL Processor Menu


http
Go to the HTTP access menu. To view menu options, see page 644.
https
Go to the HTTP access menu. To view menu options, see page 645.
sshkeys
Go to the HTTP access menu. To view menu options, see page 646.

/ssl/cfg/sys/adm/snmp
SSL Configuration System Administrative applications SNMP Menu
[SNMP Menu]
ena - Enable SNMP
dis - Disable SNMP
versions - Set SNMP versions supported
snmpv2-mib - SNMPv2-MIB menu
community - SNMP community menu
users - SNMP USM Users Menu
target - Notification target menu

Table 11-103 SSL Configuration System Administrative applications SNMP Menu Options
Command Syntax and Usage
ena [true|false]
Enable SNMP.
dis [true|false]
Disable SNMP.
versions [<SNMP_version_number>]
Set the SNMP version, such as v1.
snmpv2-mib
Go to the SNMPv2-MIB menu. To view menu options, see page 640.
community
Go to the SNMP community menu. To view menu options, see page 640.
users
Go to the SNMP USM Users menu. To view menu options, see page 641.

target
Go to the Notification target menu. To view menu options, see page 642.

/ssl/cfg/sys/adm/snmp/snmpv2-mib
SSL Configuration System Administrative applications
SNMPv2 MIB SNMP Menu
[SNMPv2-MIB Menu]
sysContact - Set sysContact
sysName    - Set sysName
sysLocatio - Set sysLocation
snmpEnable - Set snmpEnableAuthenTraps

Table 11-104 SSL Configuration System Administrative applications SNMPv2MIB Menu Options
Command Syntax and Usage
sysContact [<name_of_a_person>]
Set a system contact name. Designates a contact person for the managed iSD cluster, together with
information on how to contact this person.
sysName [<string, iSD_cluster_name>]
Assign a name to the managed iSD cluster.
sysLocatio [<string>]
Set the system location.
snmpEnable [<SNMP_trap_value>]
Set the snmpEnableAuthenTraps value.

/ssl/cfg/sys/adm/snmp/community
SSL Configuration System Administrative applications
SNMP Community Menu
[SNMP Community Menu]
read  - Set Read Community String
write - Set Write Community String
trap  - Set Trap Community String


Table 11-105 SSL Configuration System Administrative applications SNMP Community Menu Options
Command Syntax and Usage
read [<string>]
Set the Read Community String. Specifies the monitor community name that grants read access to
the Management Information Base (MIB). If no monitor community name is specified, read access
is not granted. The default monitor community name is public.
write [<string>]
Set the Write Community String. Specifies the control community name that grants read and write
access to the Management Information Base (MIB). If no control community name is specified,
neither write nor read access is granted.
trap [<string>]
Set the Trap Community String. Specifies the trap community name that accompanies trap messages sent to the SNMP manager. If no trap community name is specified, the sending of trap messages is disabled.
The default trap community name is trap.

/ssl/cfg/sys/adm/snmp/users
SSL Configuration System Administrative applications
SNMP Users Menu
To enter the /ssl/cfg/sys/adm/snmp/users menu level, you are prompted to create a userID if
one does not already exist.
Enter user number or name: (1-1023) 1
Creating SNMP User 1
User name: Maint_Chief
Enter security level (none/auth/priv) [priv]: priv
Enter permission (list of get,set,trap): get
Enter auth password: <password>
Enter priv password: <password>
------------------------------------------------------------
[SNMP User 1 Menu]
name       - Set user name
seclevel   - Set Security level
permission - Set Permission
authpasswd - Set Authentication Password
privpasswd - Set Encryption Password
del        - Remove SNMP User


Table 11-106 SSL Configuration System Administrative applications SNMP Users Menu Options
Command Syntax and Usage
name [<string>]
Set the user name.
seclevel [none|auth|priv]
Set the user Security level.
permission [get|set|trap]
Set user Permission.
authpasswd [<string>]
Set the Authentication Password.
privpasswd [<string>]
Set the Encryption Password.
del [<SNMP_user_ID>]
Remove the SNMP User.

/ssl/cfg/sys/adm/snmp/target
SSL Configuration System Administrative applications
SNMP Target Menu
To enter the /ssl/cfg/sys/adm/snmp/target menu level, you are prompted to create a target if one
does not already exist.
SSL >> SNMP# target
Enter Notification Target number: (1-) 1
Creating Notification Target 1
Enter target ip: 0.0.0.0
Enter snmp version (v1/v2c/v3): v1
------------------------------------------------------------
[Notification Target 1 Menu]
ip      - Set target IP address
port    - Set target port
version - Set SNMP version
del     - Remove Notification Target


Table 11-107 SSL Configuration System Administrative applications SNMP Target Menu Options
Command Syntax and Usage
ip [<IP_address>]
Set the target IP address.
port [<port_number>]
Set the target port.
version [v1|v2|v3]
Set the SNMP version.
del
Delete the SNMP target.
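
One way to turn the access rules and defaults documented in these menus into a check. This is an added example, not part of the Nortel reference: the settings dictionary, its key names, the shared access list and the entry format (host address or CIDR network) are assumptions, since the page does not show an export format.

```python
import ipaddress


def cli_access_allowed(enabled, access_list, source_ip):
    """Telnet/SSH decision as described for the telnet and ssh commands."""
    if not enabled:
        return False  # off: rejected even when the host is on the access list
    if not access_list:
        return True   # on with an empty access list: every source is accepted
    src = ipaddress.ip_address(source_ip)
    # Assumption: an entry is a host address or a CIDR network.
    return any(src in ipaddress.ip_network(e, strict=False) for e in access_list)


def audit(cfg):
    """Return (item, reason) pairs for settings that widen management access."""
    issues = []
    for svc in ("telnet", "ssh"):
        if cfg[svc] and not cfg["access_list"]:
            issues.append((svc, "on with an empty access list: all connections are allowed"))
    if cfg["telnet"]:
        issues.append(("telnet", "unencrypted CLI access is on (documented default is off)"))
    snmp = cfg["snmp"]
    if not snmp["ena"]:
        return issues
    comm = snmp["community"]
    if comm["read"] == "public":
        issues.append(("snmp/community/read", "still the documented default 'public'"))
    if comm["trap"] == "trap":
        issues.append(("snmp/community/trap", "still the documented default 'trap'"))
    if comm["write"]:
        issues.append(("snmp/community/write", "set: grants read and write access to the MIB"))
    for user in snmp["users"]:
        if user["seclevel"] != "priv":
            issues.append((f"snmp/users/{user['name']}",
                           f"seclevel {user['seclevel']}: no encryption password in use"))
    for target in snmp["targets"]:
        if target["version"] in ("v1", "v2c"):
            issues.append((f"snmp/target/{target['ip']}",
                           f"{target['version']} notifications carry the community string in clear text"))
    return issues


# Constructed settings (hypothetical layout), mirroring the menu items above.
SAMPLE_CFG = {
    "access_list": [],
    "telnet": True,
    "ssh": True,
    "snmp": {
        "ena": True,
        "community": {"read": "public", "write": "", "trap": "trap"},
        "users": [
            {"name": "Maint_Chief", "seclevel": "priv", "permission": ["get"]},
            {"name": "poller", "seclevel": "none", "permission": ["get", "set"]},
        ],
        "targets": [{"ip": "192.0.2.10", "version": "v1"}],
    },
}

if __name__ == "__main__":
    for item, reason in audit(SAMPLE_CFG):
        print(f"{item}: {reason}")
```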

/ssl/cfg/sys/adm/audit
SSL Configuration System Administrative applications
Audit Menu
[Audit Menu]
servers    - RADIUS Servers Menu
vendorid   - Set vendor id for audit attribute
vendortype - Set vendor type for audit attribute
ena        - Enable Audit
dis        - Disable Audit

Table 11-108 SSL Configuration System Administrative applications Audit Menu Options
Command Syntax and Usage
servers
Go to the Servers menu. To view menu options, see page 644.
vendorid [<string>]
Set the vendor ID.
vendortype [<integer>]
Set the vendor type.
ena [<true|false>]
Enable Audit.
dis [<true|false>]
Disable audit.


/ssl/cfg/sys/adm/audit/servers
SSL Configuration System Administrative applications
Audit Servers Menu
[RADIUS Audit Servers Menu]
list   - List all values
del    - Delete a value by number
add    - Add a new value
insert - Insert a new value
move   - Move a value by number

Table 11-109 SSL Configuration System Administrative applications Audit Servers Menu Options
Command Syntax and Usage
list
List all of the Audit server settings.
del <Audit_server_name>
Delete the Audit server.
add [<IP_address> <port> <secret>]
Add an Audit server.
insert [<position> <IP_address> <port> <secret>]
Insert an Audit server into the Audit server list.
move <value> <value>
Move the Audit server from one position to another in the server list.

/ssl/cfg/sys/adm/http
SSL Configuration System Administrative applications
HTTP Menu
[HTTP Menu]
port - Set HTTP Server port
ena  - Enable server
dis  - Disable server


Table 11-110 SSL Configuration System Administrative applications HTTP Menu Options
Command Syntax and Usage
port [<integer>]
Set the HTTP server port.
ena [true|false]
Enable the HTTP server.
dis [true|false]
Disable the HTTP server.

/ssl/cfg/sys/adm/https
SSL Configuration System Administrative applications
HTTPS Menu
[HTTPS Menu]
port - Set HTTPS Server port
ena  - Enable server
dis  - Disable server

Table 11-111 SSL Configuration System Administrative applications HTTPS Menu Options
Command Syntax and Usage
port [<integer>]
Set the HTTPS server port.
ena [true|false]
Enable the HTTPS server.
dis [true|false]
Disable the HTTPS server.


/ssl/cfg/sys/adm/sshkeys
SSL Configuration System Administrative applications
SSH Host keys Menu
[SSH Host Keys Menu]
generate   - Generate new SSH host keys for the cluster
show       - Show current SSH host keys for the cluster
knownhosts - SSH known host keys menu

Table 11-112 SSL Configuration System Administrative applications SSH Host keys Menu Options
Command Syntax and Usage
generate [yes|no]
Generate new SSH host keys for the server cluster.
show
Show the SSH host keys for the server cluster.
knownhosts
Go to the Known Host Keys menu. To view menu options, see page 644.

/ssl/cfg/sys/adm/sshkeys/knownhosts
SSL Configuration System Administrative applications
SSH Known Host keys Menu
[SSH Known Host Keys Menu]
list   - List known SSH keys of remote hosts
del    - Delete known SSH host key by index
add    - Add a new SSH host key
import - Retrieve SSH key from remote host

Table 11-113 SSL Configuration System Administrative applications Known SSH Host keys Menu Options
Command Syntax and Usage
list [yes|no]
Display the known SSH keys of remote hosts.
del [<hostkey_name>]
Delete a host key.

add
Add a new SSH host key. Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
import [<hostname_or_IP_address>]
Retrieve an SSH key from a remote host.

/ssl/cfg/sys/user
SSL Configuration System Menu
[User Menu]
passwd   - Change own password
expire   - Set password expire time interval
list     - List all users
del      - Delete a user
add      - Add a new user
edit     - Edit a user menu
caphrase - Certadmin export passphrase

Table 11-114 SSL Configuration System Menu Options


Command Syntax and Usage
passwd
Change your current login password. The password can contain spaces and is case sensitive.
expire [DDdHHhMMmSS]
Set the password expiry time and date.
list
List all user accounts.
del
Delete a user ID. Removes the specified user account from the system. Of the three built-in users
(admin, oper, and root) only the oper user can be deleted. Only users with Administrator rights can
delete user accounts.
add [<string>]
Add a new user ID. After a user account is added, you must also assign the user account to a group.
Only users with Administrator rights can add user accounts.
edit
Go to the Edit a user menu. To view menu options, see page 648.

caphrase [<string>]
Set the Certadmin export passphrase.

/ssl/cfg/sys/user/edit
SSL Configuration System User Edit Menu
[User User_1 Menu]
groups - Groups menu
cur    - Display current setting

Table 11-115 SSL Configuration System User Edit Menu Options


Command Syntax and Usage
groups
Go to the Groups menu. To view menu options, see page 551.
cur
Display the user configurations.

/ssl/cfg/sys/user/edit/groups
SSL Configuration System User Edit Menu
[Groups Menu]
list - List all values
del  - Delete a value by number
add  - Add a new value

Table 11-116 SSL Configuration System User Edit Groups Menu Options
Command Syntax and Usage
list
List all of the user groups information.
del [<user_group_name>]
Delete a user group.
add [<string, user_group_name>]
Add a user group.


/ssl/cfg/lang
SSL Configuration Language Support Menu
[Language Support Menu]
import - Import language definition file
export - Export language definition template
list   - List the loaded languages
vlist  - List ISO 639 language codes
del    - Delete (custom) language definition

Table 11-117 SSL Configuration System Language Support Menu Options


Command Syntax and Usage
import [<protocol> <host> <filename> <ISO_language_code>]
Import a language definition file from another host.
export [<protocol> <host> <filename>]
Export a language definition file.
list [<language_number>]
List the pre-defined languages that have been loaded.
vlist [<language_shortform>]
List the ISO 639 language codes. If a language_shortform argument is used (e.g., en for English),
all of the codes that contain the argument characters are listed.
del [<language_definition_filename>]
Delete a language definition.

/ssl/boot
SSL Boot Menu
[Boot Menu]
software - Software management menu
halt     - Halt the iSD
reboot   - Reboot the iSD
delete   - Delete the iSD

Table 11-118 SSL Configuration Boot Menu Options


Command Syntax and Usage
software
Go to Software Management menu. To view menu options, see page 651.

halt
Halt the iSD. The command stops the particular iSD host to which you have connected by Telnet,
SSH, or a console connection. Always use this command before turning off the device.
If you are connected by Telnet or SSH to the Management IP address (MIP), use the halt command
in the iSD Host menu (/cfg/sys/cluster/host #) instead.
reboot
Reboot the iSD. The command reboots the particular iSD host to which you have connected by
Telnet, SSH or a console connection. If you are connected by Telnet or SSH to the Management IP
address (MIP), use the reboot command in the iSD Host menu (/cfg/sys/cluster/host #) instead.
delete
Delete an iSD host. Resets the particular iSD host to which you have connected via Telnet, SSH, or
a console connection, to its factory default configuration (all IP configuration is lost). The software
itself will remain intact.
After having performed a delete, you can only access the device via a console connection. Log in
as the admin user with the admin password to enter the Setup menu.

NOTE: If you receive a warning that the iSD you are trying to delete has no contact with any (other) master iSD in the cluster, connect to the MIP address by Telnet or
SSH and delete the iSD from the cluster by using the delete command in the iSD Host
menu (/cfg/sys/cluster/host #).
The /boot/delete command is primarily intended for situations when you want to delete an iSD host
that has either become isolated from the cluster, or has been physically removed from the cluster
without first performing the delete command from the iSD Host menu. Under these circumstances,
you must use the /boot/delete command to present the Setup menu, from which you can perform
the new and join commands.


/ssl/boot/software
SSL Performance Menu
[Software Management Menu]
cur      - Display current software status
activate - Select software version to run
download - Download new software pkg. via TFTP/FTP/SCP/SFTP
del      - Remove unpacked/old releases

Table 11-119 SSL Performance Software Menu Options


Command Syntax and Usage
cur
Display the current software status. For example:
SSL >> Software Management# cur
Version     Name    Status
-------     ----    ------
4.1.1.11    SSL     old
5.0.0.34    SSL     permanent

activate [<software_version>]
Select the software version to run.
download [<protocol> <host> <filename>]
Download a new software package.
del [<software_version>]
Remove old software releases. Removes a software upgrade package that has been downloaded by
using the tftp or ftp command, in case you do not want to activate the unpacked software upgrade
package.
Only software versions whose status is indicated as unpacked (using the cur command) can be
removed.


/ssl/maint
SSL Performance Maintenance Menu
[Maintenance Menu]
hsm        - HSM menu
dumplogs   - Tech suppt dump log files to TFTP/FTP/SFTP server
dumpstat   - Tech suppt dump curr. status to TFTP/FTP/SFTP server
chkcfg     - Check applied configuration
starttrace - Start Trace
stoptrace  - Stop Trace

Table 11-120 SSL Performance Maintenance Menu Options


Command Syntax and Usage
hsm
Go to the HSM menu. To view menu options, see page 653.
dumplogs
Dump the log files. System log file information is collected from the iSD host you are connected to
(or optionally, all iSD hosts in the cluster) and sent as a file in gzip compressed tar format to the
TFTP server you have specified. The information can then be used for technical support purposes.
The file sent to the TFTP server does not contain any sensitive information related to the system
configuration, such as certificates, private keys, and so on.
dumpstat
Dump the current status. The current system internal status is collected from the iSD host you are
connected to (or optionally, all iSD hosts in the cluster) and sent as a file in gzip compressed tar
format to the TFTP server you have specified. The information can then be used for technical
support purposes.
chkcfg [all-isds | one-isd] [item...]
Check the applied configuration.
starttrace [<tags>] [<VPN>]
Start trace. Valid tags are all, aaa, dns, ike, ipsec, ippool, ssl, tg, pptp, upref, netdirect, net and
direct_packet.
stoptrace
Stop the Trace.


/ssl/maint/hsm
SSL Performance HSM Menu
The /ssl/maint/hsm menu is only available to HSM enabled iSDs.
[HSM Menu]
login      - Login to HSM cards on local iSD
splitkey   - Split a wrap key onto CODE iKeys
changepass - Change iKey password

Table 11-121 SSL Performance Maintenance HSM Menu Options


Command Syntax and Usage
login <HSM-USER password for the currently inserted HSM-USER iKey>
Lets you log in to a HSM card, using the HSM-USER iKey and the correct password.
splitkey
Splits the wrap key used by the hardware security module onto the two black CODE iKeys.
changepass <card number [0 | 1]> <iKey [HSM-SO | HSM-USER]> <current password for the
selected iKey> <new password for the selected iKey>
Sets the password for a HSM-SO or a HSM-USER iKey.


APPENDIX A

Nortel Application Switch Operating System Syslog Messages
The following syntax is used when outputting syslog messages:

<Time stamp><Log Label>Web OS<Thread ID>:<Message>

where:

<Time stamp>
The time of the message event, displayed in month day hour:minute:second format. For
example: Aug 19 14:20:30

<Log Label>
The following types of log messages are recorded: LOG_EMERG, LOG_ALERT,
LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG.

<Thread ID>
The software thread that reports the log message. The following thread IDs are
recorded: stp, ip, slb, console, telnet, vrrp, system, web server, ssh, and
bgp.

<Message>
The log message.

Following is a list of potential syslog messages. To keep this list as short as possible, only
<Thread ID> and <Message> are shown. The messages are sorted by <Log Label>.
Where the <Thread ID> is listed as mgmt, one of the following may be shown: console,
telnet, web server, or ssh.
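
The syntax above is enough to build a parser for log triage. The following is an added example, not part of the Nortel reference: it parses lines in that field order and flags a few security-relevant messages from this appendix (failed Telnet logins, VRRP password mismatches and unknown sync peers, SYN attack alerts, password and syslog host changes). The single-space separators, the LOG_* label spelling, the sample lines and all function names are assumptions made for the example.

```python
import re
from collections import defaultdict

# Field order is from the syntax line; single-space separators and the
# LOG_* spelling of the label are assumptions about the rendered line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<label>LOG_[A-Z]+) Web OS (?P<thread>[A-Za-z_ ]+?): (?P<msg>.+)$"
)
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# Thread IDs that may be shown where the appendix lists "mgmt".
MGMT_THREADS = {"mgmt", "console", "telnet", "web server", "ssh"}

# Message templates from the appendix, placeholders turned into groups.
RULES = [
    ("failed_login", "mgmt", re.compile(rf"^Failed login attempt via TELNET from host {IP}$")),
    ("login", "mgmt", re.compile(rf"^(?P<level>\S+) login from host {IP}$")),
    ("vrrp_bad_password", "vrrp", re.compile(rf"^received incorrect password from {IP}$")),
    ("vrrp_unknown_peer", "vrrp",
     re.compile(rf"^Synchronization from non-configured peer {IP}(?: was blocked)?$")),
    ("syn_attack", "syn_atk",
     re.compile(r"^SYN attack detected: (?P<count>\d+) new half-open sessions per second$")),
    ("password_changed", "mgmt", re.compile(r"^(?P<account>.+) password changed$")),
    ("syslog_host_changed", "mgmt", re.compile(r"^(?:second )?syslog host changed to (?P<target>.+)$")),
]


def parse(line):
    """Split one syslog line into fields and classify its message, or return None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ev = m.groupdict()
    ev["event"] = None
    for name, thread, rx in RULES:
        threads = MGMT_THREADS if thread == "mgmt" else {thread}
        hit = rx.match(ev["msg"]) if ev["thread"] in threads else None
        if hit:
            ev["event"] = name
            ev.update(hit.groupdict())
            break
    return ev


def findings(lines, max_failures=3):
    """Return (finding, detail, timestamp) tuples in log order."""
    failures = defaultdict(int)
    out = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["event"] is None:
            continue
        kind = ev["event"]
        if kind == "failed_login":
            failures[ev["ip"]] += 1
            if failures[ev["ip"]] == max_failures:
                out.append(("telnet_guessing", ev["ip"], ev["ts"]))
        elif kind == "login":
            # A success right after repeated failures deserves a closer look.
            if failures[ev["ip"]] >= max_failures:
                out.append(("login_after_failures", ev["ip"], ev["ts"]))
            failures[ev["ip"]] = 0
        elif kind in ("vrrp_bad_password", "vrrp_unknown_peer"):
            out.append((kind, ev["ip"], ev["ts"]))
        elif kind == "syn_attack":
            out.append((kind, ev["count"], ev["ts"]))
        else:  # password_changed or syslog_host_changed
            out.append((kind, ev.get("account") or ev.get("target"), ev["ts"]))
    return out


# Constructed sample lines (documentation address ranges), not captured output.
SAMPLE = """\
Aug 19 14:20:30 LOG_NOTICE Web OS telnet: Failed login attempt via TELNET from host 192.0.2.44
Aug 19 14:20:41 LOG_NOTICE Web OS telnet: Failed login attempt via TELNET from host 192.0.2.44
Aug 19 14:20:55 LOG_NOTICE Web OS telnet: Failed login attempt via TELNET from host 192.0.2.44
Aug 19 14:21:10 LOG_NOTICE Web OS telnet: admin login from host 192.0.2.44
Aug 19 14:21:40 LOG_NOTICE Web OS telnet: administrator password changed
Aug 19 14:22:05 LOG_NOTICE Web OS telnet: syslog host changed to 192.0.2.99
Aug 19 14:30:00 LOG_ALERT Web OS vrrp: received incorrect password from 198.51.100.7
Aug 19 14:31:12 LOG_ALERT Web OS syn_atk: SYN attack detected: 4200 new half-open sessions per second
Aug 19 14:32:00 LOG_NOTICE Web OS system: fan ok
""".splitlines()

if __name__ == "__main__":
    for finding in findings(SAMPLE):
        print(finding)
```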

LOG_WARNING
FILTER     filter <filter number> fired on port <port number>, <source IP address> -> <destination IP address>, [<ICMP type>], [<IP protocol>], [<layer-4 ports>], [<TCP flags>]
ntp:       cannot contact primary NTP server <ip_address>
ntp        cannot contact secondary NTP server <ip_address>


LOG_ALERT
stp:       own BPDU received from port <port_id>
IP         cannot contact default gateway <ip_address>
vrrp:      received errored advertisement from <ip_address>
vrrp:      received incorrect password from <ip_address>
vrrp:      received incorrect addresses from <ip_address>
vrrp:      received incorrect advertisement interval <seconds> from <ip_address>
slb:       cannot contact real server <ip_address>
slb:       real server <ip_address> has reached maximum connections
gslb:      received update from <ip_address> for unknown remote server <ip_address>
gslb:      received update from <ip_address> for unknown virtual service
gslb:      received update for unknown remote server <ip_address> from <ip_address>
gslb:      received update for unknown service <ip_address:service>
slb:       cannot contact real service <ip_address:real_port>
slb:       real server failure threshold (<threshold>) has been reach for group <group_id>
slb:       real server <ip_address> disabled through configuration
slb:       Virtual Service Pool full. gSvcPool=MAX_SERVICES
bgp:       notification (<reason>) received from <BGP peer ip_address>
bgp:       session with <BGP peer ip_address> failed (<reason>)
vrrp:      Synchronization from non-configured peer <ip_address>
vrrp:      Synchronization from non-configured peer <ip_address> was blocked
dps:       hold down triggered: <ip_address> for <min> minutes
dps:       manual hold down: <ip_address>
syn_atk    SYN attack detected: <count> new half-open sessions per second
tcplim     hold down triggered: <ip_address> for <min> minutes


LOG_CRIT
SYSTEM:    temperature at sensor <sensor_id> exceeded threshold
SYSTEM:    internal power supply failed
SYSTEM:    redundant power supply failed
SYSTEM:    fan failure detected
SSH        can't allocate memory in load_MP_INT

LOG_ERR
mgmt:      PANIC at <file>:<line> in thread <thread id>
mgmt:      VERIFY at <file>:<line> in thread <thread id>
mgmt:      ASSERT at <file>:<line> in thread <thread id>
ntp:       unable to listen to NTP port
isd:       unable to listen to BOOTP_SERVER_PORT port
stp:       Error: Error writing STG config to FLASH
stp:       Error: Error writing config to FLASH
mgmt:      Apply not done
mgmt:      Save not done
mgmt:      <apply|save> is issued by another user. Try later
cli:       Error: Error writing %s config to FLASH
cli:       New Path Cost for Port <port_id> is invalid
cli:       PVID <vlan_id> for port <port_id> is not created
cli:       RADIUS secret must be 1-32 characters long
cli:       Please configure primary RADIUS server address
cli:       STP changes can't be applied since STP is OFF
cli:       Switch reset is required to turn STP on/off
cli:       Trunk group <trunk_id> contains ports with different PVIDs
cli:       Trunk group <trunk_id> has more than <max_trunk_ports> ports

cli:       Trunk group <trunk_id> contains no ports but is enabled
cli:       Not all ports in trunk group <trunk_id> are in VLAN <vlan_id>
cli:       Trunk groups <trunk_id> and <trunk_id> can not share the same port
port_mirr: Port Mirroring changes are not applied
cli:       Broadcast address for IP interface <interface_id> is invalid
cli:       IP Interfaces <interface_id> and <interface_id> are on the same subnet
cli:       Multiple static routes have same destination
cli:       Virtual router <vr_id> must have sharing disabled when hotstandby is enabled
cli:       Virtual router group must be enabled when hotstandby is enabled
cli:       At least one virtual router must be enabled when group is enabled
cli:       Virtual router group must have sharing disabled when hotstandby is enabled
cli:       Virtual router group must have preemption enabled when hotstandby is enabled
cli:       Virtual router <vr_id> must have an IP address
cli:       Virtual router <vr_id> cannot have same VRID and VLAN as <vlan_id>
cli:       Virtual router <vr_id> cannot have same IP address as <ip_address>
cli:       Virtual router <vr_id> corresponding virtual server <server_id> is not enabled
cli:       Hot-standby must be enabled when a virtual router has a PIP address
cli:       Virtual router <vr_id> IP interface should be <interface_id>
cli:       Enabled real server <server_id> has no IP address
cli:       Real server <server_id> has same IP address as IP interface <interface_id>
cli:       Real server <server_id> has same IP address as switch
cli:       Real server <server_id> (Backup for <server_id>) is not enabled
cli:       Real server <server_id> has same IP address as virtual server <server_id>
cli:       Real server <server_id> has same IP address as real server <server_id>
cli:       Real server group <group_id> cannot backup itself
cli:       Real server <server_id> cannot be added to same group
cli:       Enabled virtual server <server_id> has no IP address

cli:       Virtual server <server_id> has same IP address as IP interface <interface_id>
cli:       Virtual server <server_id> has same IP address as switch
cli:       Virtual servers <server_id> and <server_id> with same IP address must support same layr3 configuration
cli:       Real server <server_id> cannot be backup server for both real server <server_id> and group <group_id>
cli:       Virtual server <server_id> has same IP address and vport as virtual server <server_id>
cli:       RS <server_id> can't exist for VS <server_id> vport <virtual_port>
cli:       Switch port <port_id> has same proxy IP address as port <port_id>
cli:       Switch port <port_id> has same IP address as IP interface <interface_id>
cli:       A hot-standby port cannot also be an inter-switch port
cli:       There must be at least one inter-switch port if any hot-standby port exist
cli:       With VMA, ports 1-8 must all have a PIP if any one does
cli:       Client bindings are not supported with proxy IP addresses
cli:       DAM must be turned on or a PIP must be enabled for port <port_id> in order for virtual server to support FTP parsing
cli:       Real server <server_id> and group %u cannot both have backups configured
cli:       Virtual server <server_id> : port mapping but layer3 bindings
cli:       Extracting length has to set to 8 or 16 for cookie rewrite mode
cli:       DAM must be turned on or a PIP must be enabled for port <port_id> in order for virtural server <server_id> to support URL parsing
cli:       Port filtering must be disabled on port <port_id> in order to support cookie based persistence for virtual server <server_id>
cli:       Virtual server <server_id>: port mapping but Direct Access Mode
cli:       Virtual server %lu: support nonat IP but not layer 3 bindings
cli:       Virtual servers: all that support IP must use same group
cli:       Virtual servers <server_id> and <server_id> that include the same real server <server_id> cannot map the same real port or balance UDP
cli:       Virtual server <server_id>: UDP service <virtual_port> with out-of-range port number

cli:       Switch cannot support more than <MAX_VIRT_SERVICES> virtual services
cli:       Switch cannot support more than <MAX_SMT> real services
cli:       Trunk group (<trunk_id>) ports must have same L4 config
cli:       Trunk group (<trunk_id>) ports must all have a PIP
cli:       DAM must be turned on or a PIP must be enabled for ports <port_id> in order to do URL based redirection
cli:       Two services have same hostname, <host_name>.<domain_name>
cli:       Direct access mode is not supported with default gateway load balancing
cli:       SLB Radius secret must be 16 characters long
cli:       Dynamic NAT filter <filter_id> must be cached
cli:       NAT filter <filter_id> must have same smask and dmask
cli:       NAT filter <filter_id> cannot have port ranges
cli:       NAT filter <filter_id> must be cached
cli:       NAT filter <filter_id> dest range includes VIP <server_id>
cli:       NAT filter <filter_id> dest range includes RIP <server_id>
cli:       Redirection filter <filter_id> must be cached
cli:       Filter with L4 ports configured <port_id> must have IP protocol configured
cli:       For Global SLB, Web server must be moved from TCP port 80
cli:       Remote site <site_id> does not have a primary IP address
cli:       Primary and secondary remote site <site_id> switches must differ
cli:       Remote sites <site_id> and <site_id> must use different addresses
cli:       Remote site <site_id> and real server <server_id> must use different addresses
cli:       Remote site <site_id> and virtual server <server_id> must use different addresses
cli:       Only <MAX_SLB_SITES> remote servers are allowed per group
cli:       Only <MAX_SLB_SERVICES> remote services are supported
cli:       Enabled external lookup IP address has no IP address
cli:       domain name must be configured

cli:       Network <static_network_id> has no VIP address
cli:       duplicate default entry
cli:       BGP peer <bgp_peer_id> must have an IP address
cli:       BGP peers <bgp_peer_id> and <bgp_peer_id> have same address
cli:       BGP peer <bgp_peer_id> have same address as IP interface <ip_interface_id>
cli:       BGP peer <bgp_peer_id> IP interface <ip_interface_id> is not enabled
cli:       Filter with ICMP types configured (<icmp_type>) must have IP protocol configure to ICMP
cli:       Two services have same hostname, <host_name>.<domain_name>
cli:       Loadbalance string must be added to real server <server_id> in order to enable exclusionary string matching
cli:       intrval input value must be in the range [0-24]
mgmt:      unapplied changes reverted
mgmt:      unsaved changes reverted
mgmt:      Attempting to redirect a previously redirected output
vrrp:      Attempting to redirect a previously redirected output
vrrp:      cfg_sync_tx_putsn: ABORTED
vrrp:      Synchronization TX Error
vrrp:      Synchronization TX connection RESET
vrrp:      Synchronization TX connection TIMEOUT
vrrp:      Synchronization TX connection UNREACEABLE
vrrp:      Synchronization TX connection UNKNOWN CLOSE
vrrp:      Synchronization RX connection RESET
vrrp:      Synchronization RX connection TIMEOUT
vrrp:      Synchronization RX connection UNREACEABLE
vrrp:      Synchronization RX connection UNKNOWN CLOSE
vrrp:      Synchronization connection RCLOSE by peer
vrrp:      Synchronization connection RCLOSE before RX

vrrp:      Synchronization connection early RCLOSE in RX
vrrp:      Synchronization connection Wait-For-Close Timeout
vrrp:      Synchronization connection Transmit Timeout
vrrp:      Synchronization Receive Timeout
vrrp:      Synchronization Receive UNKNOWN Timeout
vrrp:      Sync transmit in progress cannot start Sync
vrrp:      Sync receive in progress cannot start Sync
vrrp:      Sync already in progress cannot start Sync
vrrp:      Config Sync route find error
vrrp:      Config Sync tcp_open error
vrrp:      Config Synchronization Timeout - Resuming Console thread
vrrp:      <"apply"|"save"> is issued by another user. Try later
vrrp:      new configuration did not validate (rc = )
vrrp:      new configuration did not apply (rc = )
vrrp:      new configuration did not save (rc = )
vrrp:      Sync config apply error
vrrp:      Restoring Current Config
vrrp:      Sync rx tcp open error
vrrp:      Sync Version/Password Failed-No Version/Password Line
vrrp:      Sync Version Failed - peer:%s config:%s
vrrp:      Sync Password Failed-Bad Password
vrrp:      Sync receive already in progress cannot start Sync receive
vrrp:      Sync transmit in progress cannot start Sync receive


LOG_NOTICE
system:    internal power supply ok
system:    redundant power supply present and ok
system:    temperature ok
system:    fan ok
system:    rebooted <last_reset_information>
system:    rebooted <last_reset_information> administrator logged in
mgmt:      boot config block changed
mgmt:      boot image changed
mgmt:      switch reset from CLI
mgmt:      syslog host changed to <ip_address>
mgmt:      syslog host changed to this host
mgmt:      second syslog host changed to <ip_address>
mgmt:      second syslog host changed to this host
mgmt:      Next boot will use active config block
mgmt:      user password changed
mgmt:      SLB operator password changed
mgmt:      L4 operator password changed
mgmt:      operator password changed
mgmt:      SLB administrator password changed
mgmt:      L4 administrator password changed
mgmt:      administrator password changed
ssh:       scp <login_level> login
ssh:       scp <login_level> <"connection closed"|"idle timeout"|"logout">
mgmt:      RADIUS server timeouts
mgmt:      Failed login attempt via TELNET from host %s
mgmt:      PASSWORD FIX-UP MODE IN USE
mgmt:      <login_level> login on Console

mgmt:      <login_level> <"idle timeout"|"logout"> from Console
mgmt:      PANIC command from CLI
port_mirr: port mirroring is <"enabled"|"disabled">
vlan:      Default VLAN can not be deleted
mgmt:      <login_level> login from host <ip_address>
mgmt:      <login_level> <"connection closed"|"idle timeout"|"logout"> from
IP         default gateway <ip_address> <"enabled"|"disabled">
IP         default gateway <ip_address> operational
vrrp:      virtual router <ip_address> is now master
vrrp:      virtual router <ip_address> is now backup
slb:       backup server <ip_address> <"enabled"|"diabled"> for real server <server_id>
slb:       backup server <ip_address> <"enabled"|"disabled"> for real server group <group_id>
slb:       backup group server <ip_address> <"enabled"|"disabled"> for real server group <group_id>
slb:       overflow server <ip_address> <"enabled"|"disabled"> for real server <server_id>
slb:       overflow server <ip_address> <"enabled"|"disabled"> for real server group <group_id>
slb:       overflow group server <ip_address> <"enabled"|"disabled"> for real server group <group_id>
slb:       real server <ip_address> operational
slb:       real service <ip_address:real_port> operational
slb:       No services are available for Virtual Server <virtual_server>
slb:       Services are available for Virtual Server <virtual_server>
bgp:       session established with <BGP_peer_ip_address>


LOG_INFO
SYSTEM:    bootp response from <ip_address>
mgmt:      new configuration applied
mgmt:      new configuration saved
mgmt:      unsaved changes reverted
mgmt:      Could not revert unsaved changes
mgmt:      <image1|image2> downloaded from host <ip_address>, file <file_name> <software_version>
mgmt:      serial EEPROM downloaded from host <ip_address> file <file_name>
ssh:       scp <login_level> login
ssh:       scp <login_level> <"connection closed"|"idle timeout"|"logout">
mgmt:      <login_level> login on Console
mgmt:      <login_level> <"idle timeout"|"logout"> from Console
mgmt:      <login_level> login from host <ip_address>
mgmt:      <login_level> <"connection closed"|"idle timeout"|"logout"> from Telnet/SSH.
ssh:       server key autogen starts
ssh:       server key autogen completes
ssh:       server key autogen timer timeouts
vrrp:      new synch configuration applied
vrrp:      new synch configuration saved
vrrp:      Synchronizing from <host_name>
vrrp:      Synchronizing to <host_name>
vrrp:      Config Synchronization Transmit Successful
vrrp:      Config Synchronization Receive Successful
vrrp:      new configuration VALIDATED
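
The following triage script is an added example, not part of the Nortel manual: it matches the security-relevant message templates from the LOG_ERR, LOG_NOTICE and LOG_INFO tables and correlates failed Telnet logins with a later successful login from the same host. The line layout (timestamp, switch name, severity, facility), the `admin` login level and all sample lines are constructed assumptions, not formats documented on this page.

```python
import re
from collections import defaultdict

# Assumed line layout (not documented on this page):
#   <timestamp> <switch> <SEVERITY> <facility>: <message>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<switch>\S+) (?P<sev>[A-Z]+) +"
    r"(?P<facility>\w+): (?P<msg>.*)$"
)

# (event, facility, pattern). Each pattern is built from a message template in
# the tables above; <ip_address>, <login_level> and %s become capture groups.
RULES = [
    ("failed_login", "mgmt",
     re.compile(r"^Failed login attempt via TELNET from host (?P<src>\S+)$")),
    ("login", "mgmt",
     re.compile(r"^(?P<level>\S+) login from host (?P<src>\S+)$")),
    ("password_changed", "mgmt",
     re.compile(r"^(?:SLB |L4 )?(?:user|operator|administrator) password changed$")),
    ("syslog_redirected", "mgmt",
     re.compile(r"^(?:second )?syslog host changed to (?P<target>.+)$")),
    ("boot_changed", "mgmt",
     re.compile(r"^boot (?:image|config block) changed$")),
    ("password_fixup", "mgmt",
     re.compile(r"^PASSWORD FIX-UP MODE IN USE$")),
    ("sync_auth_failed", "vrrp",
     re.compile(r"^Sync Password Failed-Bad Password$")),
]


def classify(line):
    """Return a dict describing the event, or None if the line is not of interest."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for event, facility, pattern in RULES:
        if facility != m["facility"].lower():
            continue
        hit = pattern.match(m["msg"])
        if hit:
            return {"event": event, "switch": m["switch"], "msg": m["msg"],
                    **hit.groupdict()}
    return None


def triage(lines, fail_threshold=3):
    """Return (severity, switch, finding) tuples in the order they were raised."""
    findings = []
    fails = defaultdict(int)  # (switch, source host) -> failed logins since last success
    for line in lines:
        ev = classify(line)
        if ev is None:
            continue
        key = (ev["switch"], ev.get("src"))
        if ev["event"] == "failed_login":
            fails[key] += 1
            if fails[key] == fail_threshold:
                findings.append(("medium", ev["switch"],
                                 f"{fail_threshold} failed Telnet logins from {ev['src']}"))
        elif ev["event"] == "login":
            if fails[key] >= fail_threshold:
                findings.append(("high", ev["switch"],
                                 f"{ev['level']} login from {ev['src']} "
                                 f"after {fails[key]} failed attempts"))
            fails[key] = 0
        elif ev["event"] == "syslog_redirected":
            # A changed syslog host moves the audit trail; always review it.
            findings.append(("high", ev["switch"], ev["msg"]))
        else:
            findings.append(("medium", ev["switch"], ev["msg"]))
    return findings


# Constructed sample input.
SAMPLE_LINES = [
    "Jan 12 03:14:01 sw1 NOTICE mgmt: Failed login attempt via TELNET from host 198.51.100.7",
    "Jan 12 03:14:04 sw1 NOTICE mgmt: Failed login attempt via TELNET from host 198.51.100.7",
    "Jan 12 03:14:09 sw1 NOTICE mgmt: Failed login attempt via TELNET from host 198.51.100.7",
    "Jan 12 03:14:15 sw1 NOTICE mgmt: admin login from host 198.51.100.7",
    "Jan 12 03:15:02 sw1 NOTICE mgmt: administrator password changed",
    "Jan 12 03:15:40 sw1 NOTICE mgmt: syslog host changed to 203.0.113.50",
    "Jan 12 03:16:00 sw1 INFO mgmt: new configuration applied",
    "Jan 12 03:20:11 sw2 ERR vrrp: Sync Password Failed-Bad Password",
    "Jan 12 03:21:00 sw1 NOTICE slb: real server 10.0.0.5 operational",
]

if __name__ == "__main__":
    for severity, switch, text in triage(SAMPLE_LINES):
        print(f"{severity:6} {switch}: {text}")
```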


APPENDIX B

Nortel Application Switch Operating System SNMP Agent

The Nortel Application Switch Operating System SNMP agent supports SNMP Version 1,
Version 2, and Version 3. Version 3 supports two authentication protocols: MD5 and SHA.
Nortel MIBs are registered as Vendor 1872. Detailed SNMP MIBs and trap definitions of the
Nortel Application Switch Operating System SNMP agent can be found in the following enterprise MIB documents:

altroot.mib -

aosSwitch.mib

aosPhysical.mib

aosNetwork.mib

aosLayer4.mib

aosLayer7.mib

aosBwm.mib

aosTrap.mib

In addition, the following SynOptics MIBs are also supported:

synro193.mib -- SynOptics Root MIB

s5roo117.mib -- SynOptics Registration MIB

s5tcs112.mib -- Textual Convention MIB

s5emt104.mib -- Ethernet Multi-segment Autotopology MIB

SNMPv1|v2|v3 traps can be sent to the hosts configured in the targetAddr table. Up to 16 IP
addresses can be configured in the targetAddr table.

Nortel Application Switch Operating System SNMP agent supports the following standard
MIBs:

RFC 1213 - MIB II (System, Interface, Address Translation, IP, ICMP, TCP, UDP, SNMP
Groups)

RFC 1573 - MIB II Extension (IFX table)


RFC 1643 - EtherLike MIB

RFC 1493 - Bridge MIB

RFC 1757 - RMON MIB (Statistics, History, Alarm, Event Groups)

RFC 1850 for OSPF

RFC 1657 for BGP

IEEE 802.3ad MIB for LACP

The following SNMPv3 MIBs are supported:

RFC 2571 - SNMP Framework

RFC 2572 - MPD MIB

RFC 2573 - Target MIB

RFC 2574 - USM MIB

RFC 2575 - VACM MIB

RFC 2576 - Community MIB

Nortel Application Switch Operating System SNMP agent supports the following generic traps
as defined in RFC 1215:

ColdStart

WarmStart

LinkDown

LinkUp

AuthenticationFailure

The SNMP agent also supports two Spanning Tree traps as defined in RFC 1493:

NewRoot

TopologyChange

The following are the enterprise SNMP traps supported in Nortel Application Switch Operating System:
Table 11-122 Nortel Application Switch Operating System-Supported Enterprise SNMP Traps
Trap Name

Description

altSwDefGwUp

Signifies that the default gateway is alive.

altSwDefGwDown

Signifies that the default gateway is down.

altSwDefGwInService

Signifies that the default gateway is up and in service


altSwDefGwNotInService

Signifies that the default gateway is alive but not in service

altSwSlbRealServerUp

Signifies that the real server is up and operational

altSwSlbRealServerDown

Signifies that the real server is down and out of service

altSwSlbRealServerMaxConnReached

Signifies that the real server has reached maximum connections

altSwSlbBkupRealServerAct

Signifies that the backup real server is activated due to availability of the primary real server

altSwSlbBkupRealServerDeact

Signifies that the backup real server is deactivated due to the primary real server is available

altSwSlbBkupRealServerActOverflow

Signifies that the backup real server is deactivated due to the primary real server is overflowed

altSwSlbBkupRealServerDeactOverflow

Signifies that the backup real server is deactivated due to the primary real server is out from overflow situation

altSwfltFilterFired

Signifies that the packet received on a switch port matches the filter rule

altSwSlbRealServerServiceUp

Signifies that the service port of the real server is up and operational

altSwSlbRealServerServiceDown

Signifies that the service port of the real server is down and out of service

altSwVrrpNewMaster

The newMaster trap indicates that the sending agent has transitioned to 'Master' state.

altSwVrrpNewBackup

The newBackup trap indicates that the sending agent has transitioned to 'Backup' state.

altSwVrrpAuthFailure

A vrrpAuthFailure trap signifies that a packet has been received from a router whose authentication key or authentication type conflicts with this router's authentication key or authentication type. Implementation of this trap is optional.

altSwLoginFailure

An altSwLoginFailure trap signifies that someone failed to enter a valid username/password combination.


altSwSlbSynAttack

An altSwSlbSynAttack trap signifies that a SYN attack has been detected.

altSwTcpHoldDown

An altSwTcpHoldDown trap signifies that new TCP connection requests from a particular client will be blocked for a pre-determined amount of time since the rate of new TCP connections from that client has reached a pre-determined threshold.

altSwTempExceedThreshold

An altSwTempExceedThreshold trap signifies that the switch temperature has exceeded maximum safety limits.

altSwSlbSessAttack

An altSwSlbSessAttack trap signifies that an SLB attack has been detected.

altSwFanFailure

An altSwFanFailure trap signifies that a fan failure has occurred.


APPENDIX C

Performing a Serial Download


You can perform a serial download of the new Nortel Application Switch software if you are
upgrading Nortel Application Switch Operating System directly from any image.
This procedure requires the following:

A computer running terminal emulation software

A standard serial cable with a male DB9 connector (see your switch hardware installation
guide for specifics)

A binary switch firmware image (not the tftp file used for TFTP download)

Use the following procedure to perform a serial upgrade.


1. Using the serial cable, connect the Console port of a Nortel Application Switch to the
   serial port of your PC that supports XModem/1K XModem.

2. Start HyperTerminal (part of Microsoft Windows) and set the following parameters:

   Parameter      Value
   Baud Rate      9600
   Data Bits      8
   Parity         None
   Stop Bits      1
   Flow Control   None

3. Power on the switch.

4. Hold the <Shift> key down and hit D repeatedly until the following message appears:

       Nortel Application Switch - PPCBoot 2.2.
       To download a serial image use 1K Xmodem at 115200

5. Reconfigure your terminal emulation software with the following parameters (only after
   you see the message displayed in step 4):

   Parameter      Value
   Baud Rate      115200
   Data Bits      8
   Parity         None
   Stop Bits      1
   Flow Control   None

   NOTE: You can perform serial downloads at 57600 baud rate by pressing Shift f or at 115200
   baud rate by pressing Shift d.

6. Press <Enter> on the keyboard of the PC that is connected to the console port of the
   switch. When the Console Port is successfully communicating with the PC, you will see:

       CCCC...

7. Make sure that the new binary firmware file is available on the computer. This file can be
   downloaded from the CD that is shipped with the switch. Select <Transfer-Send File>
   and choose the following:

   file: For example, "21.0.0.0_Serial.img" (or the file previously downloaded to the computer)
   protocol: 1K XMODEM

   It will take about 15 minutes for the transfer to complete.

   NOTE: Although slower, XMODEM will work too if you choose not to use 1K XMODEM.

8. Power off the switch, wait for a few seconds and power the switch on.

   CAUTION: Do not power off the switch until you see the message: Change your baud rate to
   9600 bps and power cycle switch, otherwise, the switch will be inoperable.

9. The switch will boot with the new software load. You should see the following sample log
   on your screen:

       Nortel Application Switch - PPCBoot 2.2.
       To download a serial image use 1K Xmodem at 115200
       CCCCCCCCCCCCCCCCCCCCCCCCCCCCC
       Total bytes transferred: 0x4ff400
       Extracting images... Do *NOT* power cycle the switch
       Updating flash...
       #################################################################
       Change your baudrate to 9600 bps and power cycle the switch

672 Appendix C: Performing a Serial Download


320506-A, January 2006

Glossary
DIP (Destination IP Address)

The destination IP address of a frame.

Dport (Destination Port)

The destination port (application socket: for example, http-80/https-443/DNS-53)

NAT (Network Address Translation)

Any time an IP address is changed from one source IP or destination IP address to another
address, network address translation can be said to have taken place. In general, half NAT
is when the destination IP or source IP address is changed from one address to another.
Full NAT is when both addresses are changed from one address to another. No NAT is
when neither source nor destination IP addresses are translated. Virtual server-based load
balancing uses half NAT by design, because it translates the destination IP address from
the Virtual Server IP address, to that of one of the real servers.

Preemption

In VRRP, preemption will cause a Virtual Router that has a lower priority to go into
backup should a peer Virtual Router start advertising with a higher priority.

Priority

In VRRP, the value given to a Virtual Router to determine its ranking with its peer(s).
Minimum value is 1 and maximum value is 254. Default is 100. A higher number will win
out for master designation.

Proto (Protocol)

The protocol of a frame. Can be any value represented by an 8-bit value in the IP header
adherent to the IP specification (for example, TCP, UDP, OSPF, ICMP, and so on).

Real Server Group

A group of real servers that are associated with a Virtual Server IP address, or a filter.


Redirection or Filter-Based Load Balancing

A type of load balancing that operates differently from virtual server-based load balancing. With this type of load balancing, requests are transparently intercepted and redirected to a server group. Transparently means that requests are not specifically destined
for a Virtual Server IP address that the switch owns. Instead, a filter is configured in the
switch. This filter intercepts traffic based on certain IP header criteria and load balances it.
Filters can be configured to filter on the SIP/Range (via netmask), DIP/Range (via netmask), Protocol, SPort/Range or DPort/Range. The action on a filter can be Allow, Deny,
Redirect to a Server Group, or NAT (translation of either the source IP or destination IP
address). In redirection-based load balancing, the destination IP address is not translated to
that of one of the real servers. Therefore, redirection-based load balancing is designed to
load balance devices that normally operate transparently in your network, such as a firewall, spam filter, or transparent Web cache.

RIP (Real Server)

Real Server IP Address. An IP address that the switch load balances to when requests
are made to a Virtual Server IP address (VIP).

SIP (Source IP Address)

The source IP address of a frame.

SPort (Source Port)

The source port (application socket: for example, HTTP-80/HTTPS-443/DNS-53).

Tracking

In VRRP, a method to increase the priority of a virtual router and thus master designation
(with preemption enabled). Tracking can be very valuable in an active/active configuration.
You can track the following:

Vrs: Virtual Routers in Master Mode (increments priority by 2 for each)
Ifs: Active IP interfaces on the Nortel Application Switch (increments priority by 2 for each)
Ports: Active ports on the same VLAN (increments priority by 2 for each)
l4pts: Active Layer 4 Ports, client or server designation (increments priority by 2 for each)
reals: healthy real servers (increments by 2 for each healthy real server)
hsrp: HSRP announcements heard on a client designated port (increments by 10 for each)

VIP (Virtual Server IP Address)

An IP address that the switch owns and uses to load balance particular service requests
(like HTTP) to other servers.

VIR (Virtual Interface Router)

A VRRP address that is an IP interface address shared between two or more virtual routers.


Virtual Router

A shared address between two devices utilizing VRRP, as defined in RFC 2338. One virtual router is associated with an IP interface. This is one of the IP interfaces that the switch
is assigned. All IP interfaces on the Nortel Application Switch must be in a VLAN. If there
is more than one VLAN defined on the Nortel Application Switch, then the VRRP broadcasts will only be sent out on the VLAN of which the associated IP interface is a member.

Virtual Server Load Balancing

Classic load balancing. Requests destined for a Virtual Server IP address (VIP), which is
owned by the switch, are load balanced to a real server contained in the group associated
with the VIP. Network address translation is done back and forth, by the switch, as
requests come and go.
Frames come to the switch destined for the VIP. The switch then replaces the VIP
with one of the real server IP addresses (RIPs), updates the relevant checksums, and forwards the frame to the server for which it is now destined. This process of replacing the
destination IP (VIP) with one of the real server addresses is called half NAT. If the frames
were not half NAT'ed to the address of one of the RIPs, a server would receive the frame
that was destined for its MAC address, forcing the packet up to Layer 3. The server would
then drop the frame, since the packet would have the DIP of the VIP and not that of the
server (RIP).
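
The half NAT rewrite described in this entry, as an added example that is not from the Nortel manual: it replaces the destination VIP with a RIP on a client frame, restores the VIP as source on the reply, and patches the IPv4 header and TCP checksums. The incremental update of RFC 1624 is used here as one common method; the manual does not say how the switch computes its checksums, and all addresses and ports are constructed.

```python
import ipaddress
import struct

SRC, DST = 12, 16  # byte offsets of the source/destination address in the IPv4 header


def csum16(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, padded to a 16-bit boundary."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def csum_update(old_csum: int, old_field: bytes, new_field: bytes) -> int:
    """RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'), applied per changed 16-bit word."""
    total = ~old_csum & 0xFFFF
    for (old,), (new,) in zip(struct.iter_unpack("!H", old_field),
                              struct.iter_unpack("!H", new_field)):
        total += (~old & 0xFFFF) + new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(sip: str, dip: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Build a minimal IPv4 + TCP SYN packet with correct checksums (test fixture)."""
    src = ipaddress.IPv4Address(sip).packed
    dst = ipaddress.IPv4Address(dip).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", csum16(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", csum16(ip)) + ip[12:]
    return ip + tcp


def rewrite_addr(packet: bytes, field: int, old_ip: str, new_ip: str) -> bytes:
    """Replace old_ip with new_ip at the given header offset and patch both checksums.

    field=DST with (VIP, RIP) is the client-to-server half NAT; field=SRC with
    (RIP, VIP) is the translation applied to the server's reply.
    """
    old = ipaddress.IPv4Address(old_ip).packed
    new = ipaddress.IPv4Address(new_ip).packed
    if packet[field:field + 4] != old:
        return packet  # not a frame for this virtual server: leave untouched
    ihl = (packet[0] & 0x0F) * 4
    out = bytearray(packet)
    out[field:field + 4] = new
    # The address is part of the IP header and of the TCP pseudo-header,
    # so both checksums depend on it.
    ip_csum = csum_update(int.from_bytes(packet[10:12], "big"), old, new)
    tcp_csum = csum_update(int.from_bytes(packet[ihl + 16:ihl + 18], "big"), old, new)
    out[10:12] = ip_csum.to_bytes(2, "big")
    out[ihl + 16:ihl + 18] = tcp_csum.to_bytes(2, "big")
    return bytes(out)


def checksums_valid(packet: bytes) -> bool:
    """Verify the way a receiver does: summing over a valid checksum yields 0."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return csum16(packet[:ihl]) == 0 and csum16(pseudo + tcp) == 0


if __name__ == "__main__":
    client, vip, rip = "203.0.113.9", "192.0.2.10", "10.0.0.5"  # constructed addresses
    request = rewrite_addr(build_packet(client, vip, 40000, 80), DST, vip, rip)
    reply = rewrite_addr(build_packet(rip, client, 80, 40000), SRC, rip, vip)
    print(checksums_valid(request), checksums_valid(reply))
```

Rewriting only the address bytes without touching the checksums produces a frame that `checksums_valid` rejects, which is why the entry lists the checksum update as part of the translation.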

VRID (Virtual Router Identifier)

In VRRP, a value between 1 and 255 that is used by each virtual router to create its MAC
address and identify its peer for which it is sharing this VRRP address. The VRRP MAC
address as defined in the RFC is 00-00-5E-00-01-{VRID}. If you have a VRRP address
that two switches are sharing, then the VRID number needs to be identical on both
switches so each virtual router on each switch knows whom to share with.

VRRP (Virtual Router Redundancy Protocol)

A protocol that acts very similarly to Cisco's proprietary HSRP address sharing protocol.
The reason for both of these protocols is so devices have a next hop or default gateway that
is always available. Two or more devices sharing an IP interface are either advertising or
listening for advertisements. These advertisements are sent via a broadcast message to an
address such as 224.0.0.18.
With VRRP, one switch is considered the master and the other the backup. The master is
always advertising via the broadcasts. The backup switch is always listening for the broadcasts. Should the master stop advertising, the backup will take over ownership of the
VRRP IP and MAC addresses as defined by the specification. The switch announces this
change in ownership to the devices around it by way of a Gratuitous ARP, and advertisements. If the backup switch didn't do the Gratuitous ARP the Layer 2 devices attached to
the switch would not know that the MAC address had moved in the network. For a more
detailed description, refer to RFC 2338.

VSR (Virtual Server Router)

A VRRP address that is a shared Virtual Server IP address. VSR is a Nortel proprietary
extension to the VRRP specification. The switches must be able to share Virtual Server IP
addresses, as well as IP interfaces. If they didn't, the two switches would fight for ownership of the Virtual Server IP address, and the ARP tables in the devices around them
would have two ARP entries with the same IP address but different MAC addresses.
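
The VRID, Priority, Preemption and Tracking entries combined, as an added example that is not from the Nortel manual: it derives the virtual MAC from the VRID, adds the tracking increments listed above to a base priority, and decides which of two peers is master. Capping the tracked priority at 254 and leaving the current master in place on a tie are assumptions of this sketch; switch names and counts are constructed.

```python
from dataclasses import dataclass, field

# Priority increment per tracked object, as listed in the Tracking entry.
TRACK_WEIGHT = {"vrs": 2, "ifs": 2, "ports": 2, "l4pts": 2, "reals": 2, "hsrp": 10}
PRIO_MIN, PRIO_MAX, PRIO_DEFAULT = 1, 254, 100
VRRP_MAC_PREFIX = ["00", "00", "5E", "00", "01"]


def virtual_mac(vrid: int) -> str:
    """VRRP MAC address 00-00-5E-00-01-{VRID} for a VRID between 1 and 255."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be between 1 and 255")
    return "-".join(VRRP_MAC_PREFIX + [f"{vrid:02X}"])


def vrid_from_mac(mac: str):
    """Return the VRID if mac is a VRRP virtual MAC address, otherwise None."""
    octets = mac.upper().replace(":", "-").split("-")
    if len(octets) != 6 or octets[:5] != VRRP_MAC_PREFIX:
        return None
    try:
        vrid = int(octets[5], 16)
    except ValueError:
        return None
    return vrid if 1 <= vrid <= 255 else None


@dataclass
class VirtualRouter:
    name: str
    vrid: int
    base_priority: int = PRIO_DEFAULT
    tracked: dict = field(default_factory=dict)  # e.g. {"reals": 4, "ports": 2}

    def priority(self) -> int:
        if not PRIO_MIN <= self.base_priority <= PRIO_MAX:
            raise ValueError("priority must be between 1 and 254")
        bonus = sum(TRACK_WEIGHT[kind] * count for kind, count in self.tracked.items())
        # Assumption: the tracked priority is capped at the documented maximum.
        return min(PRIO_MAX, self.base_priority + bonus)


def elect(master: VirtualRouter, backup: VirtualRouter, preempt: bool = True) -> VirtualRouter:
    """Return the router that owns the virtual address after comparing priorities.

    With preemption, a peer advertising a higher priority takes over. Without
    it, or on a tie (assumption), the current master keeps the address.
    """
    if master.vrid != backup.vrid:
        raise ValueError("peers sharing an address must use the same VRID")
    if preempt and backup.priority() > master.priority():
        return backup
    return master


if __name__ == "__main__":
    sw1 = VirtualRouter("sw1", vrid=10, base_priority=101, tracked={"reals": 4})
    sw2 = VirtualRouter("sw2", vrid=10, base_priority=100, tracked={"reals": 4})
    print(virtual_mac(10), elect(sw1, sw2).name)   # sw1 is master at 109 vs 108
    sw1.tracked["reals"] = 2                       # two real servers fail health checks
    print(elect(sw1, sw2).name)                    # sw2 preempts at 108 vs 105
```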


Index
Symbols
(MD5) .............................................................. 487
(SLB real server group option)
content ...................................................... 424
/ command .......................................................... 56
[ ]....................................................................... 23

Numerics
1K XModem ..................................................... 671
3000 series........................................................ 306

A
abbreviating commands (CLI) .............................. 60
access control
system ....................................................... 288
action (SLB filtering option) ............................... 448
activating optional software ................................ 509
active configuration block .......................... 260, 515
active FTP SLB parsing statistics ........................ 221
active IP interface .............................................. 393
active Layer 4 processing ................................... 393
active port
VLAN ....................................................... 393
active switch configuration
gtcfg ......................................................... 408
ptcfg ......................................................... 408
restoring .................................................... 408
active switch, saving and loading configuration .... 408
add
SLB port option .......................................... 464
addr
ARP entries................................................ 524
IP route tag ................................................ 109
Address Resolution Protocol (ARP)
address list ................................................. 524
administrator account .................................... 30, 33

admpw (system option) ...................................... 293


advertisement of virtual IP addresses ................... 358
aging
STP bridge option ....................................... 332
STP information ........................................... 99
application redirection ................................ 415, 448
filter states.................................................. 133
filters ......................................................... 414
within real server groups .............................. 423
apply (global command) ..................................... 259
applying configuration changes ........................... 259
ASCII terminal .................................................... 26
autoconfiguration
duplex mode ................................................. 39
link........................................................ 39, 40
port speed..................................................... 39
auto-negotiation ................................................... 39
enable/disable on port .......... 305, 309, 311, 313
setup...................................................... 39, 40
autonomous system filter action .......................... 356
autonomous system filter path
action ........................................................ 356
as .............................................................. 356
aspath ........................................................ 356

B
backup
SLB real server group option ........................ 424
backup configuration block ......................... 260, 515
backup server activations (SLB statistics) .... 205, 228
bandwidth management
configuration .............................................. 316
contracts .................................................... 317
bandwidth management contract
precedence value ......................................... 319
bandwidth management contract configuration .... 264, 319


Bandwidth Management options
operations-level options ................................505
bandwidth management policy configuration ........322
buffer limit .................................................322
hard bandwidth limit ....................................322
over the limit TOS .......................................322
reserve limit ................................................322
soft bandwidth limit .....................................322
underlimit TOS ...........................................322
bandwidth management statistics .........................232
banner (system option)........................................262
baud rate
console connection ........................................26
serial download ...................................671, 672
BBI .....................................................................25
BGP
configuration...............................................371
eBGP .........................................................371
iBGP..........................................................371
in route .......................................................374
IP address, border router ...............................373
IP route tag .................................................109
keep-alive time ............................................373
peer ...........................................................371
peer configuration ........................................373
redistribution configuration ...........................375
remote autonomous system ...........................373
router hops..................................................374
binary ...............................................................671
binary firmware image ........................................672
binding failure ...........................................204, 228
binding table ......................................................437
BLOCKING (port state)........................................99
boot options menu ..............................................511
BOOTP ...............................................................27
setup (enable/disable) .....................................37
system option ..............................................262
bootstrap protocol ..............................................380
Border Gateway Protocol ....................................109
configuration...............................................371
Border Gateway Protocol (BGP)
operations-level options ................................508
BPDU. See Bridge Protocol Data Unit.
bridge parameter menu, for STP ..........................330
bridge priority ......................................................99
Bridge Protocol Data Unit (BPDU) ........................99
STP transmission frequency ..........................331
Bridge Spanning-Tree parameters ........................331

broadcast
IP route tag ................................................ 109
IP route type ............................................... 109
broadcast domains ............................................. 339
broadcast IP address ............................................ 43
Browser-Based Interface ...................................... 25
BWM
contract rate statistics................................... 235
contract statistics......................................... 234
history statistics .......................................... 237
port ........................................................... 233
switch processor contract statistics ................ 233
switch processor rate contract statistics .......... 233

C
capture dump information to a file....................... 528
Cisco Ether Channel .......................................... 334
clear
ARP entries ................................................ 524
dump information ....................................... 529
FDB entry .................................................. 523
routing table ............................................... 525
clearing SLB statistics ................................ 230, 231
client traffic processing ...................................... 463
command (help) .................................................. 56
Command-Line Interface (CLI) ....... 25 to 31, 33, 53
commands
abbreviations ................................................ 60
conventions used in this manual ...................... 23
global commands .......................................... 56
shortcuts ...................................................... 60
stacking ....................................................... 60
tab completion .............................................. 60



configuration
administrator password ................................ 293
apply changes ............................................. 259
default gateway interval, for health checks ..... 346
default gateway IP address ........................... 346
dump command .......................................... 407
effect on Spanning-Tree Protocol .................. 259
Fast Ethernet .............................................. 303
flow control ....................... 305, 309, 311, 313
Gigabit Ethernet ......................... 303, 307, 309
IP static route ............................................. 348
Layer 4 administrator password .................... 292
operating mode ........................... 305, 308, 313
port link speed ............................ 305, 308, 313
port mirroring ............................................. 315
port trunking .............................................. 333
route cache................................................. 350
save changes .............................................. 260
setup ......................................................... 406
setup command .......................................... 403
switch IP address ........................................ 344
TACACS+ ................................................. 270
user password ............................................. 292
view changes.............................................. 259
VLAN default (PVID) ......... 303, 307, 309, 312
VLAN IP interface ...................................... 344
VLAN tagging ................... 304, 307, 310, 312
VRRP ....................................................... 381
configuration block
active ........................................................ 515
backup....................................................... 515
factory ....................................................... 515
selection .................................................... 515
configuration menu ............................................ 257
configuring routing information protocol ............. 357
connecting
via console ................................................... 26
via Telnet..................................................... 27
connection timeout (Real Server Menu option) ..... 437
console port
communication settings ................................. 26
connecting ................................................... 26
serial download settings ....................... 671, 672
content
SLB real server group option ........................ 424
contracts, bandwidth management ....................... 317
copper ports ...................................................... 307


cost
STP information ........................................... 99
STP port option........................................... 333
counters, No Server Available (dropped frames) .. 205, 228

CPU statistics ............................................ 252, 254


CPU utilization .......................................... 252, 254
cur (system option) .................................... 269, 272
current bindings ......................................... 204, 227

D
date
setup............................................................ 37
system option ............................................. 262
debugging ......................................................... 519
default gateway
information ................................................ 107
interval, for health checks............................. 346
metrics ....................................................... 396
round robin, load balancing for ..................... 396
default password .................................................. 30
delete
FDB entry .................................................. 523
deny (filtering) .................................................. 228
designated port. ................................................. 114
diff (global) command, viewing changes .............. 259
dip (destination IP address for filtering) ............... 449
direct (IP route type) .......................................... 109
directed broadcasts............................................. 350
DISABLED (port state) ........................................ 99
disconnect idle timeout ......................................... 31
Distributed Site State Protocol (DSSP)
setting update interval .................................. 466
dmask
destination mask for filtering ........................ 449
DNS statistics .................................................... 192
Domain Name System (DNS)
health checks .............................................. 427
downloading software ........................................ 513
dropped frames (No Server Available) counter .... 205, 228
dump
configuration command ............................... 407
maintenance ............................................... 519
state information ......................................... 530
duplex mode........................................................ 39
link status ....................................... 62, 78, 147
setup............................................................ 39

dynamic routes ...................................................525

E
EMS, Alteon EMS ................................................46
emulation software .............................................671
EtherChannel
as used with port trunking .............................334

F
factory configuration block .................................515
factory default configuration .....................31, 33, 34
Fast Ethernet Physical Link .................................303
Fast Ethernet, configuring ports for ......................303
fastage ..............................................................482
FDB statistics ....................................................171
fiber optic ports ..................................................309
File Transfer Protocol .........................................220
filter statistics ....................................................213
filtered (denied) frames ...............................205, 228
filters
IP address ranges .........................................449
Final Steps...........................................................45
first-time configuration ......................... 31, 33 to 50
fixed
IP route tag .................................................109
flag field............................................................114
flow control .................................................62, 147
configuring .........................305, 309, 311, 313
setup ......................................................39, 40
forwarding configuration
IP forwarding configuration ..........................350
forwarding database (FDB) .................................519
delete entry .................................................523
Forwarding Database Information Menu ................90
Forwarding Database Menu.........................522, 535
forwarding state (FWD) ..........................92, 99, 102
FTP server health checks ....................................427
FTP SLB maintenance statistics...........................222
FTP SLB statistics dump .....................................222
full-duplex ...........................................................39
fwd (STP bridge option) .....................................331
FwdDel (forward delay), bridge port ......................99

G
gig (Port Menu option) .......................303, 307, 309
Gigabit Ethernet
configuration...............................303, 307, 309

Gigabit Ethernet Physical Link ........... 303, 307, 309


global commands................................................. 56
global SLB maintenance statistics ....................... 209
global SLB statistics .......................................... 206
grace
graceful real server failure ............................ 482
Greenwich ........................................................ 272
Greenwich Mean Time (GMT) ........................... 272
group ................................................................ 212
gtcfg (TFTP load command) ............................... 408

H
half-duplex ......................................................... 39
hash metric ....................................................... 430
health check types, SLB ..................................... 426
health checks..................................................... 417
default gateway interval, retries .................... 346
IDSLB....................................................... 426
layer information ........................................ 132
parameters for most protocols ....................... 427
redirection (rport) ........................................ 448
retry, number of failed health checks ............. 346
script ......................................................... 488
SNMP ............................................... 428, 490
WAP ......................................................... 492
hello
STP information ........................................... 99
help .................................................................... 56
host routes ........................................................ 358
Hot Standby Router on VLAN (HSRV)
use with VLAN-tagged environment ............. 386
VRRP priority increment value ..................... 396
Hot Standby Router Protocol (HSRP)
priority increment value for L4 client ports ..... 395
use with VRRP ................................... 386, 393
VRRP priority increment value ..................... 395
Hot Standby Router VLAN (HSRV)
use with VRRP ........................................... 393
hot-standby failover ........................................... 391
HP-OpenView ..................................................... 25
hprompt
system option ............................................. 262
HSRP. See Hot Standby Router Protocol.
HSRV. See Hot Standby Router Protocol.
HTTP
application health checks ............................. 427
redirects (Global SLB option) ....................... 466
system option ............................................. 288

http .................................................................. 288
HTTP health checks
on any port (aphttp) ..................................... 487

I
ICMP statistics .................................................. 193
idle timeout
overview...................................................... 31
IDSLB health checks ......................................... 426
IEEE standards
802.1d Spanning-Tree Protocol .............. 98, 329
image
downloading .............................................. 513
software, selecting ...................................... 514
IMAP server health checks ................................. 427
imask (IP address mask) ..................................... 481
incorrect VIPs (statistic) ............................. 204, 228
incorrect Vports (dropped frames counter) ... 205, 228
indirect (IP route type) ....................................... 109
Information
Trunk Group Information............................. 102
Information Menu ............................................... 61
Interface change stats ......................................... 180
interface statistics .............................................. 195
IP address ........................................................... 42
ARP information ........................................ 113
BOOTP ....................................................... 27
configuring default gateway ......................... 346
filter ranges ................................................ 449
IP interface .................................................. 42
local route cache ranges ............................... 351
Telnet .......................................................... 27
IP address mask for SLB .................................... 481
IP configuration via setup ..................................... 42
IP forwarding .................................................... 378
directed broadcasts ...................................... 350
local networks for route caching ................... 350
IP forwarding information .................................. 107
IP Information Menu ................................. 107, 126
IP interface ....................................................... 344
active ........................................................ 393
configuring address ..................................... 344
configuring VLANs .................................... 344
IP interfaces ................................................ 42, 109
information ................................................ 107
IP route tag ................................................ 109
priority increment value (ifs) for VRRP ......... 395
IP network filter configuration ............................ 352

IP port configuration .......................................... 378


IP Route Manipulation Menu .............................. 525
IP routing ............................................................ 42
tag parameters ............................................ 109
IP Static Route Menu ......................................... 348
IP statistics ........................................................ 181
IP subnet mask .................................................... 42
IP subnets
VLANs ...................................................... 339

L
l4apw (L4 administrator system option) ............... 292
Layer 4
administrator account..................................... 30
Layer 4 processing
active......................................................... 393
layer 7 SLB maintenance statistics ...................... 216
layer 7 SLB string statistics ................................ 215
layer7 redirection statistics ......................... 214, 218
LDAP version ................................................... 487
LEARNING (port state) ....................................... 99
least connections (SLB Real Server metric) .. 426, 430
licence certificate ............................................... 509
license password ................................................ 509
link
speed, configuring ....................... 305, 308, 313
link status............................................................ 62
command ................................................... 148
duplex mode ................................... 62, 78, 147
port speed....................................... 62, 78, 147
Link Status Information ...................................... 147
linkt (SNMP option) .......................................... 275
LISTENING (port state) ....................................... 99
lmask (routing option) ........................................ 107
lnet (routing option) ........................................... 107
local (IP route type) ........................................... 109
local network for route caching ........................... 350
local route cache
IP address ranges for.................................... 351
log
syslog messages .......................................... 264
logical segment. See IP subnets.

M
MAC (media access control) address ...... 63, 90, 113, 509, 522

switch location .............................................. 27

Main Menu ..........................................................53
Command-Line Interface (CLI) .......................31
summary ......................................................54
Maintenance Menu .............................................519
Management Processor (MP)...............................527
display MAC address .....................................63
manual style conventions ......................................23
martian
IP route tag (filtered) ....................................109
IP route type (filtered out) .............................109
mask
IP interface subnet address ............................344
MaxAge (STP information) ...................................99
mcon (maximum connections) .............205, 228, 424
MD5 authentication key ......................................362
MD5 cryptographic authentication .......................363
MD5 key ...........................................................366
media access control. See MAC address.
metric
SLB real server group option.........................423
metrics, SLB ......................................................429
minimum misses (SLB real server metric) ....426, 429
Miscellaneous Debug Menu ........................527, 545
mmask
IP address mask for SLB ..............................481
mnet
management traffic IP address for SLB ..........481
monitor port.......................................................315
mp
packet ........................................................249
MP. See Management Processor.
multicast
IP route type ...............................................109
multi-links between switches
using port trunking...............................102, 333
mxage (STP bridge option) .................................331

N
nbr change statistics............................................179
Network Address Translation (NAT)
filter action .................................................448
network management ............................................25
non TCP/IP frames .....................................204, 228
notice ................................................................262
NTP synchronization ..........................................272
NTP time zone ...................................................272

O
octet counters .................................................... 211
online help .......................................................... 56
operating mode, configuring ............... 305, 308, 313
operations menu ................................................ 499
operations-level BGP options ............................. 508
operations-level BWM options ........................... 505
operations-level IP options ................................. 508
Operations-Level Port Options ............................ 501
operations-level SLB options .............................. 502
operations-level VRRP options ........................... 505
optional software ......................................... 62, 150
activating ................................................... 509
removing ................................................... 510
OSPF
area types ........................................... 119, 361
ospf
area index .......................................... 361, 363
authentication key ....................................... 366
configuration .............................................. 361
cost of the selected path ............................... 366
cost value of the host ................................... 369
dead, declaring a silent router to be down ....... 366
dead, health parameter of a hello packet ......... 367
export ........................................................ 370
fixed routes ................................................ 371
general ...................................................... 177
global ........................................................ 177
hello, authentication parameter of a hello packet ... 367
host entry configuration ............................... 369
host routes ................................................. 362
interface .................................................... 361
interface configuration ................................. 365
link state database ....................................... 362
MD5 authentication key............................... 362
Not-So-Stubby Area .................................... 363
priority value of the switch interface.............. 366
range number ............................................. 361
redistribution menu ..................................... 362
route redistribution configuration .................. 370
spf, shortest path first .................................. 364
stub area .................................................... 363
summary range configuration ....................... 364
transit area ................................................. 363
transit delay ............................................... 366
type........................................................... 363
virtual link ................................................. 361
virtual link configuration ............................. 367
virtual neighbor, router ID ........................... 367
OSPF Database Information ............................... 122
OSPF general .................................................... 120
OSPF General Information ................................. 121
OSPF Information ............................................. 119
OSPF Information Route Codes .......................... 124
OSPF statistics .......................................... 176, 184
overflow server activations ......................... 205, 228
overflow servers ................................................ 416

P
panic
command ................................................... 530
switch (and Maintenance Menu option) ......... 519
parameters
tag ............................................................ 109
type........................................................... 109
Passive FTP SLB Parsing Statistics ..................... 221
Password
user access control ...................................... 292
password
administrator account .................................... 30
default ......................................................... 30
L4 administrator account ............................... 30
user account ................................................. 30
VRRP authentication ................................... 394
passwords ........................................................... 29

persistent bindings
real server .................................................. 437
ping ............................................................ 57, 415
PIP ................................................................... 496
POP3
server health checks..................................... 427
port
bandwidth management switch processor statistics ... 233

switch port contract statistics menu................ 232


port configuration .............................................. 301
port flow control. See flow control.
Port Menu
configuration options ................................... 307
configuring Fast Ethernet ............................. 303
configuring Gigabit Ethernet (gig) . 303, 307, 309
port mirroring
configuration .............................................. 315
Port number ...................................................... 147
port speed ............................................. 62, 78, 147
auto-sense .................................................... 39
setup............................................................ 39
port states
UNK (unknown) ........................................... 92
port trunking
description ................................................. 333
port trunking configuration ................................. 333
ports
configuration ................................................ 38
disabling (temporarily)................................. 314
information ................................................ 149
IP status ..................................................... 107
membership of the VLAN ...................... 90, 103
priority......................................................... 99
RJ-45......................................................... 302
SLB state information .................................. 133
STP port priority ......................................... 333
VLAN ID............................................. 62, 149
preemption
assuming VRRP master routing authority ....... 385
virtual router ....................................... 384, 391
priority
virtual router ............................................... 391
priority (STP port option) ................................... 333
prisrv
primary radius server ................................... 269
proxies
IP address translation ................................... 417
proxy IP address (PIP)........................................ 133

proxy IP address (PIP) configuration ....................496
ptcfg (TFTP save command) ...............................408
PVID (port VLAN ID)..................................62, 149
pwd ....................................................................57

Q
quiet (screen display option) ..................................57

R
RADIUS
server authentication ....................................428
read community string (SNMP option) .................275
real server
statistics .....................................................211
real server global SLB statistics ...........................207
real server group options
add ............................................................425
real server group SLB configuration.....................423
real server group statistics ...................................212
real server groups
combining servers into .................................423
statistics .....................................................212
real server SLB configuration ..............................414
real servers
backup .......................................................424
priority increment value (reals) for VRRP .......395
SLB state information ..................................132
reboot .......................................................519, 530
receive flow control 39, 40, 305, 309, 311, 313, 314
redir (SLB filtering option) .................................448
reference ports .....................................................92
referenced port ...................................................114
remote monitoring on the port (rmon) ..................501
remote site servers ..............................................417
removing optional software .................................510
reset key combination .........................................520
restarting switch setup ..........................................36
retries
radius server ...............................................269
retry
health checks for default gateway ..................346
rip
IP route tag .................................................109
RIP. See Routing Information Protocol.
rmkey ...............................................................510
round robin
as used in gateway load balancing..................396

roundrobin
SLB Real Server metric ....................... 426, 430
route
cache configuration ..................................... 350
route statistics ................................................... 189
router hops ........................................................ 374
routing information protocol
configuration .............................................. 357
Routing Information Protocol (RIP) .................... 109
options ...................................................... 359
rport
SLB virtual server option ............................. 435
RTSP SLB statistics ........................................... 223
rx flow control .............................................. 39, 40
Rx/Tx statistics.................................................. 178

S
save (global command) ...................................... 260
noback option ............................................. 260
save command................................................... 515
script
health checks .............................................. 488
scriptable health checks configuration ................. 488
secret
radius server ............................................... 269
secsrv
secondary radius server ................................ 269
security
VLANs...................................................... 339
segmentation. See IP subnets.
segments. See IP subnets.
serial cable .......................................................... 26
serial download ................................................. 671
Server Load Balancing
IDS ........................................................... 422
operations-level options ............................... 502
real server weights ...................................... 415
server load balancing
client traffic processing ................................ 463
health check ............................................... 426
health check types ....................................... 426
metrics ...................................................... 429
port options ................................................ 464
server traffic processing ............................... 463
server load balancing configuration options ......... 412
Server Load Balancing Maintenance Statistics Menu .. 219, 220, 227

server port mapping ........................................... 133

server traffic processing ..................................... 463
Session Binding Table ....................................... 416
session identifier ............................................... 433
setup
configuration .............................................. 406
setup command, configuration ............................ 403
setup facility ................................................. 31, 33
BOOTP ....................................................... 37
duplex mode ................................................ 39
IP configuration ............................................ 42
IP subnet mask ............................................. 42
port auto-negotiation mode ...................... 39, 40
port configuration ......................................... 38
port flow control ..................................... 39, 40
port speed .................................................... 39
restarting ..................................................... 36
Spanning-Tree Protocol ................................. 38
starting ........................................................ 34
stopping....................................................... 36
system date .................................................. 37
system time .................................................. 37
VLAN name ................................................ 41
VLAN port numbers ..................................... 41
VLAN tagging ............................................. 40
VLANs ....................................................... 41
SFD statistics
mp specific ................................................ 252
SFP GBIC ports ................................................ 309
shortcuts (CLI) .................................................... 60
single-mode ports .............................................. 307
SIP (source IP address for filtering) ..................... 449
SLB filtering option
action ........................................................ 448
SLB Information ............................................... 132
SLB layer7 statistics .......................................... 214

SLB real server group health checks


arp............................................................. 426
dns ............................................................ 427
ftp ............................................................. 427
http............................................................ 427
icmp .......................................................... 426
imap .......................................................... 427
ldap ........................................................... 428
radius ........................................................ 428
script ......................................................... 428
smtp .......................................................... 427
SNMP ....................................................... 428
sslh............................................................ 427
tcp ............................................................. 426
udpdns ....................................................... 428
wsp ........................................................... 428
wtls ........................................................... 428
SLB real server group option
application health checking .......................... 424
health checking ........................................... 424
metric ........................................................ 423
SLB real server option
backup ....................................................... 416
intr (interval) .............................................. 417
maxcon (maximum connections) ................... 416
name, alias for each real server ..................... 415
restr (restore) SLB real server UDP option ..... 417
retry .......................................................... 417
RIP, real server IP address ............................ 415
submac ...................................................... 417
tmout (time out) .......................................... 416
weights ...................................................... 415
slowage ............................................................ 482
smask
source mask for filtering .............................. 449
smtp ................................................................. 262
SMTP server health checks ................................. 427
snap traces
buffer ........................................................ 527
SNMP ........................................................ 25, 152
health checks .............................................. 490
HP-OpenView .............................................. 25
menu options .............................................. 274
set and get access ........................................ 275
SNMP Agent ..................................................... 667
SNMP health check configuration ....................... 490
SNMP health checks .......................................... 428
SNMP Support
optional setup for SNMP support .................... 46

software
image file and version ....................................63
license ........................................................509
software image ...................................................512
SP specific statistics ...........................................253
spanning tree
configuration...............................................329
Spanning-Tree Protocol ..............................102, 259
bridge aging option ......................................332
bridge parameters ........................................331
bridge priority ...............................................99
port cost option ...........................................333
port priority option.......................................333
root bridge ............................................99, 331
setup (on/off) ................................................38
switch reset effect ........................................517
SSL ..................................................................437
secure socket layer statistics ..........................219
stacking commands (CLI) .....................................60
starting switch setup .............................................34
state (STP information) .........................................99
state information, client system............................437
static
IP route tag .................................................109
static route
rem ............................................................348
static route
add ............................................................348
statistics
group .........................................................212
management processor .................................248
Statistics Menu ..................................................151
stopping switch setup............................................36
subnet address mask configuration
IP subnet address .........................................344
subnet mask .........................................................42
subnets ................................................................42
IP interface .................................................344
switch
resetting .....................................................517
Switch Processor (SP).........................................527
display trace buffer ......................................527
swkey ...............................................................509
SYN attack detection configuration ......................483
sync ..................................................................502
synchronization
VRRP switch ......................................478, 502
syslog
system host log configuration ........................263

system
contact (SNMP option) ................................ 274
date and time .......................................... 61, 63
location (SNMP option) ............................... 274
system access control configuration..................... 288
System Maintenance Menu ................................. 522
system options
admpw (administrator password) .................. 293
BOOTP ..................................................... 262
cur (current system parameters) ............ 269, 272
date ........................................................... 262
hprompt ..................................................... 262
HTTP access .............................................. 288
l4apw (Layer 4 administrator password) ........ 292
login banner ............................................... 262
time........................................................... 262
tnet............................................................ 288
tnport ........................................................ 289
usrpw (user password) ................................. 292
system parameters, current ......................... 269, 272

T
tab completion (CLI) ........................................... 60
tacacs ............................................................... 270
TACACS+ ........................................................ 270
TCP
fragments ................................................... 433
health checking using .................................. 417
health checks .............................................. 427
source and destination ports.......................... 447
TCP statistics ............................................ 197, 251
Telnet ................................................................. 27
BOOTP ....................................................... 27
configuring switches using ........................... 407
telnet
radius server ............................................... 269
Telnet support
optional setup for Telnet support ..................... 46
terminal emulation ............................................... 26
text conventions .................................................. 23
TFTP ................................................................ 513
PUT and GET commands ............................ 408
TFTP server ...................................................... 408
time
setup ........................................................... 37
system option ............................................. 262
timeout
radius server ............................................... 269



timeouts
idle connection ............................................. 31
timers kickoff.................................................... 180
time-to-live, DNS response (global SLB menu option) .... 471
tnet
system option ............................................. 288
tnport
system option ............................................. 289
TPCP (Transparent Proxy Cache Protocol) .......... 482
trace buffer ....................................................... 527
Switch Processor ........................................ 527
traceroute............................................................ 57
Tracking
VRRP ............................................... 383, 387
transmit flow control ......... 39, 40, 305, 309, 311, 313, 314
transparent proxies, when used for NAT .............. 448
Trunk Group Information ................................... 102
ttl (time to live, global SLB menu option) ............ 466
tx flow control............................................... 39, 40
type of area
ospf........................................................... 363
type parameters ................................................. 109
typographic conventions, manual .......................... 23
tzone ................................................................ 272

U
UCB statistics ................................................... 251
UDP
datagrams .......................................... 204, 228
server status using ....................................... 417
source and destination ports ......................... 447
UDP statistics ................................................... 199
unknown (UNK) port state ................................... 92
Unscheduled System Dump ................................ 531
upgrade, switch software .................................... 512
URL for health checks ....................................... 133
user account ........................................................ 30
usrpw (system option) ........................................ 292
Uuencode Flash Dump ....................................... 528

V
verbose ............................................................... 57
vip
advertisement of virtual IP addresses as Host Routes ................................................ 358
IP route tag ................................................ 109


virtual IP address (VIP) ...................................... 133


virtual port state, SLB information about ............. 133
virtual router
description ................................................. 383
priority....................................................... 391
tracking criteria ........................................... 385
virtual router group
VRRP priority tracking ................................ 391
virtual router group configuration ........................ 390
virtual router group priority tracking .................... 392
Virtual Router Redundancy Protocol (VRRP)
authentication parameters for IP interfaces ..... 394
group options (prio) ..................................... 391
operations-level options ............................... 505
password, authentication .............................. 394
priority election for the virtual router ............. 384
priority tracking options ....................... 373, 386
Virtual Router Redundancy Protocol configuration ...... 381
virtual router sharing .......................................... 391
virtual routers
HSRP failover .................................... 386, 393
HSRP priority increment value ..................... 395
HSRV........................................................ 393
HSRV priority increment value ..................... 396
increasing priority level of .................... 385, 389
incrementing VRRP instance ........................ 386
master preemption (preem) ........................... 391
master preemption (prio) .............................. 384
priority increment values (vrs) for VRRP ....... 395
virtual server global SLB statistics ...................... 207
virtual server SLB statistics ................................ 213
virtual servers .................................................... 426
SLB state information .................................. 133
statistics ..................................................... 213
VLAN
active port .................................................. 393
configuration .............................................. 339
VLAN tagging
port configuration................ 304, 307, 310, 312
port restrictions ........................................... 340
setup............................................................ 40



VLANs ...............................................................42
ARP entry information .................................113
broadcast domains .......................................339
information .................................................103
interface .......................................................43
multiple spanning trees .................................329
name ....................................................90, 103
name setup....................................................41
port membership....................................90, 103
port numbers .................................................41
security ......................................................339
setting default number (PVID) .....303, 307, 309, 312
setup ............................................................41
Spanning-Tree Protocol ................................329
tagging ...................................40, 62, 149, 340
VLAN Number ...........................................103
VRID (virtual router ID) .............................383, 391
VRRP
interface configuration .................................394
master advertisements ..................................384
tracking ..............................................383, 387
tracking configuration ..................................395
virtual router sharing ....................................384
VRRP Information .............................................127
VRRP master advertisements
time interval ................................................391
VRRP statistics ..................................................191

W
WAP
health checks ..............................................492
WAP health check
wspport ..............................................490, 492
wtlsprt ................................................490, 493
WAP health check configuration .........................492
WAP SLB statistics ............................................225
watchdog timer ..................................................520
web-based management interface...........................25
weights
for SLB real servers .....................................431
setting virtual router priority values ................395
write community string (SNMP option) ................275
wspport
WAP health check ...............................490, 492
wtlsprt
WAP health check ...............................490, 493

X
XModem .......................................................... 671
