Nortel Commands
Command Reference
Copyright 2006 Nortel Networks, Inc., 4655 Great America Parkway, Santa Clara, California 95054, USA.
All rights reserved. Part Number: 320506-A.
This document is protected by copyright and distributed under licenses restricting its use, copying,
distribution, and decompilation. No part of this document may be reproduced in any form by any means
without prior written authorization of Nortel Networks, Inc. Documentation is provided as is without
warranty of any kind, either express or implied, including any kind of implied or express warranty of noninfringement or the implied warranties of merchantability or fitness for a particular purpose.
U.S. Government End Users: This document is provided with a commercial item as defined by FAR
2.101 (Oct 1995) and contains commercial technical data and commercial software documentation as
those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this
documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR
12.211- 12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995).
Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without
notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products
described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of
this product does not convey a license under any patent rights, trademark rights, or any other intellectual
property rights of Nortel Networks, Inc.
Nortel Application Switch Operating System, Nortel Application Switch 2424, Nortel Application
Switch 2424-SSL, Nortel Application Switch 2224, 2216, 2208, 3408, Nortel Application Switch 180,
Nortel Application Switch 180e, Nortel Application Switch 184, Nortel Application Switch AD3, Nortel
Application Switch AD4, and ACEswitch are trademarks of Nortel Networks, Inc. in the United States and
certain other countries. Cisco and EtherChannel are registered trademarks of Cisco Systems, Inc. in the
United States and certain other countries. Check Point and FireWall-1 are trademarks or registered
trademarks of Check Point Software Technologies Ltd. Any other trademarks appearing in this manual are
owned by their respective companies.
Originated in the U.S.A.
320506-A, January 2006
Contents
Preface
  Who Should Use This Book
  How This Book Is Organized
  Related Documentation
  Typographic Conventions
  How to Get Help
The Command Line Interface
  Connecting to the Switch
    Establishing a Console Connection
      Requirements
      Procedure
    Establishing a Telnet Connection
      Using a BOOTP Server
      Running Telnet
    Establishing an SSH Connection
      Running SSH
  Accessing the Switch
  CLI Versus Setup
  Command Line History and Editing
  Idle Timeout
First-Time Configuration
  Using the Setup Utility
    Information Needed For Setup
    Starting Setup When You Log In
    Stopping and Restarting Setup Manually
      Stopping Setup
      Restarting Setup
    Setup Part 1: Basic System Configuration
Information Menu
  System Information Menu
    SNMPv3 System Information Menu
      SNMPv3 USM User Table Information
      SNMPv3 View Table Information
      SNMPv3 Access Table Information
      SNMPv3 Group Table Information
      SNMPv3 Community Table Information
      SNMPv3 Target Address Table Information
      SNMPv3 Target Parameters Table Information
      SNMPv3 Notify Table Information
      SNMPv3 Dump Information
Preface
The Nortel Application Switch Operating System 23.0.2 Command Reference describes how to
configure and use the Nortel Application Switch Operating System software with your Nortel
Application Switch.
For documentation on installing the switches physically, see the Hardware Installation Guide
for your particular switch model.
The SLB Configuration Menu describes how to configure Server Load Balancing, Filtering, Global Server Load Balancing, and more.
The Operations Menu describes how to use commands which affect switch performance
immediately, but do not alter permanent switch configurations (such as temporarily disabling
ports). The menu describes how to activate or deactivate optional software features.
The Boot Options Menu describes the use of the primary and alternate switch images, how
to load a new software image, and how to reset the software to factory defaults.
The Maintenance Menu describes how to generate and access a dump of critical switch state
information, how to clear it, and how to clear part or all of the forwarding database.
Appendix A, Nortel Application Switch Operating System Syslog Messages presents
a listing of syslog messages.
Appendix B, Nortel Application Switch Operating System SNMP Agent lists
the Management Interface Bases (MIBs) supported in the switch software.
Appendix C, Performing a Serial Download shows how to directly load a binary software
image into the switch for upgrade or maintenance.
Glossary defines the terminology used throughout the book.
Index includes pointers to the description of the key words used throughout the book.
Related Documentation
Nortel Application Switch Operating System 23.0.2 Application Guide (Part Number
320507-A)
Provides application explanations and configuration examples for the Switch.
Nortel Application Switch Operating System 23.0.2 Browser-Based Interface (BBI) Quick
Guide (Part Number 320508-A)
Provides a description of the Switch BBI and how to configure and access it on the
Switch.
Nortel Application Switch Operating System 23.0.2 Release Notes (Part Number 320509A).
This document provides a description of new features and caveats and limitations, if any,
in the software.
Typographic Conventions
The following table describes the typographic styles used in this book.
Table 1 Typographic Conventions
Typeface or Symbol | Meaning | Example
AaBbCc123 | This bold type appears in command examples. It shows text that must be typed in exactly as shown. | Main# sys
[ ] | | host# ls [-a]
Telephone
North America
Asia Pacific
China
(800) 810-5000
Additional information about the Nortel Technical Solutions Centers is available at the following URL:
http://www.nortelnetworks.com/help/contact/global
An Express Routing Code (ERC) is available for many Nortel products and services. When
you use an ERC, your call is routed to a technical support person who specializes in supporting
that product or service. To locate an ERC for your product or service, refer to the following
URL:
http://www.nortelnetworks.com/help/contact/erc/index.html
CHAPTER 1
A built-in, text-based command line interface and menu system for access via
local terminal or remote Telnet session
SNMP support for access through network management software such as HP OpenView
The command line interface is the most direct method for collecting switch information and
performing switch configuration. Using a basic terminal, you are presented with a hierarchy of
menus that enable you to view information and statistics about the switch, and to perform any
necessary configuration.
This chapter explains how to access the Command Line Interface (CLI) of the switch.
Using an SSH connection to securely log into another computer over a network
Parameter | Value
Baud Rate | 9600
Data Bits | 8
Parity | None
Stop Bits | 1
Flow Control | None
A standard serial cable with a male DB9 connector (see your switch hardware installation
guide for specifics).
Procedure
1. Connect the terminal to the Console port using the serial cable.
2.
3.
Manually, when you configure the switch IP address (see Setup Part 1: Basic System
Configuration on page 36).
NOTE You need to enable Telnet and SSH, using serial connection, before you can use these
methods of accessing the switch. Refer to Establishing a Telnet Connection on page 27.
Running Telnet
Once the IP parameters on the Nortel Application Switch are configured, you can access the CLI
using a Telnet connection. To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the Telnet command, followed by the switch IP address:
telnet <IP address>
NOTE The Nortel Application Switch Operating System implementation of SSH is based on
SSH version 1.5 and supports SSH-1.5-1.X.XX. SSH clients of other versions
(especially Version 2) will not be supported.
Running SSH
Once the IP parameters are configured and the SSH service is enabled on the Nortel Application
Switch, you can access the command line interface using an SSH connection.
To establish an SSH connection with the switch, run the SSH program on your workstation by
issuing the SSH command, followed by the switch IP address:
>> # ssh <switch IP address>
You will then be prompted to enter your user name and password.
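Because this release speaks only SSH protocol 1.5, an inventory check that reads each management host's SSH identification string shows which devices are still on the legacy protocol. The following Python is an added example, not part of the Nortel guide; the host names and banner strings are constructed sample data, with `SSH-1.5-1.2.27` built to match the `SSH-1.5-1.X.XX` pattern in the note above.

```python
import re
import socket

# Identification string layout: SSH-<protoversion>-<softwareversion>[ <comments>]
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: (.*))?$")


def classify_ssh_banner(banner):
    """Report which SSH protocol generation an identification string offers."""
    match = BANNER_RE.match(banner.strip())
    if match is None:
        return {"protocol": "unknown", "legacy_ssh1": False, "software": None}
    major, minor, software = int(match.group(1)), int(match.group(2)), match.group(3)
    if (major, minor) == (1, 99):
        # 1.99 marks an SSH-2 server that still accepts SSH-1 clients.
        protocol, legacy = "ssh1+ssh2", True
    elif major == 1:
        # Covers 1.5, the only version the switch in this guide supports.
        protocol, legacy = "ssh1-only", True
    elif major == 2:
        protocol, legacy = "ssh2", False
    else:
        protocol, legacy = "unknown", False
    return {"protocol": protocol, "legacy_ssh1": legacy, "software": software}


def first_ssh_line(data):
    """Pick the identification line out of raw bytes read from the socket.

    A server may send other text lines before the one that starts with "SSH-".
    """
    for raw in data.split(b"\n"):
        text = raw.decode("ascii", "replace").rstrip("\r")
        if text.startswith("SSH-"):
            return text
    return ""


def fetch_banner(host, port=22, timeout=5.0):
    """Read the identification string from a host you administer."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        return first_ssh_line(conn.recv(512))


def legacy_hosts(banners):
    """Return the sorted host names whose banner still offers SSH protocol 1."""
    return sorted(h for h, b in banners.items()
                  if classify_ssh_banner(b)["legacy_ssh1"])


# Constructed sample inventory (host names and banners are illustrative).
SAMPLE_BANNERS = {
    "switch-a.example": "SSH-1.5-1.2.27",
    "jump.example": "SSH-2.0-OpenSSH_9.6",
    "old-gw.example": "SSH-1.99-OpenSSH_3.9p1",
}

if __name__ == "__main__":
    for host, banner in sorted(SAMPLE_BANNERS.items()):
        print(host, classify_ssh_banner(banner))
    print("still offering SSH-1:", legacy_hosts(SAMPLE_BANNERS))
```

Hosts reported as `ssh1-only` need a client that still implements protocol 1, which is a reason to keep their management interface on an isolated network.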
User interaction with the switch is completely passive: nothing can be changed on the
Nortel Application Switch. Users may display information that has no security or privacy
implications, such as switch statistics and current operational state information.
Operators can only effect temporary changes on the Nortel Application Switch. These
changes will be lost when the switch is rebooted/reset. Operators have access to the switch
management features used for daily switch operations. Because any changes an operator
makes are undone by a reset of the switch, operators cannot severely impact switch operation.
Administrators are the only ones that may make permanent changes to the switch configuration, that is, changes that are persistent across a reboot/reset of the switch. Administrators can
access switch functions to configure and troubleshoot problems on the Nortel Application
Switch. Because administrators can also make temporary (operator-level) changes,
they must be aware of the interactions between temporary and permanent changes.
Access to switch functions is controlled through the use of unique user names and passwords.
Once you are connected to the switch via local console, Telnet, or SSH, you are prompted to
enter a password. The default user names/password for each access level are listed in the following table.
NOTE It is recommended that you change default switch passwords after initial configuration
and as regularly as required under your network security policies. For more information, see
Setting Passwords on page 47.
User Account | Description | Password
User | | user
SLB Operator | The SLB Operator manages Web servers and other Internet services and their loads. In addition to being able to view all switch information and statistics, the SLB Operator can enable/disable servers using the Server Load Balancing operation menu. | slboper
Layer 4 Operator | The Layer 4 Operator manages traffic on the lines leading to the shared Internet services. This user currently has the same access level as the SLB operator, and the access level is reserved for future use, to provide access to operational commands for operators managing traffic on the line leading to the shared Internet services. | l4oper
Operator | |
SLB Administrator | | slbadmin
Layer 4 Administrator | | l4admin
Administrator | | admin
NOTE With the exception of the admin user, access to each user level can be disabled by
setting the password to an empty value. All user levels below admin will by default be initially disabled (empty password) until they are enabled by the admin user. This prevents
inadvertently leaving the switch open to unauthorized users.
Information Menu
Statistics Menu
Configuration Menu
Operations Command Menu
Boot Options Menu
Maintenance Menu
Show pending config changes [global command]
Apply pending config changes [global command]
Save updated config to FLASH [global command]
Revert pending or applied changes [global command]
Exit [global command, always available]
NOTE If you are accessing a user account or Layer 4 administrator account, some menu
options will not be available.
Idle Timeout
By default, the switch will disconnect your console or Telnet session after five minutes of inactivity. This function is controlled by the idle timeout parameter, which can be set from 1 to 10080
minutes. For information on changing this parameter, see System Configuration on page 261.
CHAPTER 2
First-Time Configuration
To help with the initial process of configuring your switch, the Nortel Application Switch
Operating System software includes a Setup utility. The Setup utility prompts you step-by-step
to enter all the necessary information for basic configuration of the switch. This chapter
describes how to use the Setup utility and how to change system passwords.
NOTE If you are configuring a 2000-SSL Series Switch, you can use the Switch Setup Utility
in the Nortel Application Switch Operating System 2000-SSL Series Quick Setup Guide (part
number 215102-A) instead for setting up the Switch and the SSL Processor. Then return to this
guide for configuration and management information on your Switch.
Name of VLAN
IP address, subnet mask, and broadcast address, and VLAN for each IP interface
Destination, subnet mask, and gateway IP address for each IP static route
2.
NOTE If the default admin login is unsuccessful, or if the administrator Main Menu appears
instead, the system configuration has probably been changed from the factory default settings.
If you are certain that you need to return the switch to its factory default settings, see Selecting a Configuration Block on page 515.
3. Enter y to begin the initial configuration of the switch, or n to bypass the Setup facility.
Restarting Setup
You can restart the Setup utility manually at any time by entering the following command at
the administrator prompt:
# /cfg/setup
1.
2. Enter the last two digits of the year as a number from 00 to 99. 00 is considered 2000. To keep the current year, press <Enter>.
3. Enter the month as a number from 1 to 12. To keep the current month, press <Enter>.
4. Enter the date as a number from 1 to 31. To keep the current day, press <Enter>.
5. Enter the hour as a number from 00 to 23. To keep the current hour, press <Enter>.
6. Enter the minute as a number from 00 to 59. To keep the current minute, press <Enter>.
7. Enter the seconds as a number from 00 to 59. To keep the current second, press <Enter>.
The system displays the date and time settings:
System clock set to 18:55:36 Mon April 12, 2004.
8.
disabled
If available on your network, a BOOTP server can supply the switch with IP parameters so that
you do not have to enter them manually. BOOTP must be disabled however, before the system
will prompt for IP parameters.
Enter d to disable the use of BOOTP, or enter e to enable the use of BOOTP. To keep the current setting, press <Enter>.
9. Enter y to turn off Spanning Tree, or enter n to leave Spanning Tree on.
If you answer y to configure the management port, you will be prompted for IP address, subnet
mask, broadcast address, default gateway, and other management port options.
2. If you wish to change settings for individual ports, enter the number of the port you wish to configure. To skip port configuration, press <Enter> without specifying any port and go to Setup Part 3: VLANs on page 41.
3. Enter the port speed from the options available, or enter any to have the switch auto-sense the port speed. To keep the current setting, press <Enter>.
4. Enter full for full-duplex, half for half-duplex, or any to have the switch auto-negotiate. To keep the current setting, press <Enter>.
5. Enter rx to enable receive flow control, tx for transmit flow control, both to enable both, or none to turn flow control off for the port. To keep the current setting, press <Enter>.
6.
on
Enter on to enable autonegotiation, off to disable it, or press <Enter> to keep the current setting.
7. Enter rx to enable receive flow control, tx for transmit flow control, both to enable both, or none to turn flow control off for the port. To keep the current setting, press <Enter>.
8.
on
Enter on to enable port autonegotiation, off to disable it, or press <Enter> to keep the current setting.
9. Enter d to disable VLAN tagging for the port or enter e to enable VLAN tagging for the port. To keep the current setting, press <Enter>.
10. The system prompts you to configure the next port:
Enter port number:
When you are through configuring ports, press <Enter> without specifying any port. Otherwise, repeat the steps in this section.
If you wish to change settings for individual VLANs, enter the number of the VLAN you wish
to configure. To skip VLAN configuration, press <Enter> without typing a VLAN number and
go to Setup Part 4: IP Configuration on page 42.
2. Entering a new VLAN name is optional. To use the pending new VLAN name, press <Enter>.
3. Type the first port number to add to the current VLAN and press <Enter>. The right angle prompt appears:
>
For each additional port in the VLAN, type the port number and press <Enter> to move to the next line. Repeat this until all ports for the VLAN being configured are entered. When you are finished adding ports to this VLAN, press <Enter> without specifying any port.
4. Repeat the steps in this section until all VLANs have been configured. When all VLANs have been configured, press <Enter> without specifying any VLAN.
IP Interfaces
IP interfaces are used for defining subnets to which the switch belongs.
Up to 256 IP interfaces can be configured on the Nortel Application Switch. The IP address
assigned to each IP interface provides the switch with an IP presence on your network. No two
IP interfaces can be on the same IP subnet. The interfaces can be used for connecting to the
switch for remote configuration, and for routing between subnets and VLANs (if used).
1. For the specified IP interface, enter the IP address in dotted decimal notation:
Current IP address:
Enter new IP address:
0.0.0.0
0.0.0.0
0.0.0.0
Enter the number for the VLAN to which the interface belongs, or press <Enter> without specifying a VLAN number to accept the current setting.
6.
7.
Repeat the steps in this section until all IP interfaces have been configured. When all interfaces
have been configured, press <Enter> without specifying any interface number.
Default Gateways
1. At the prompt, select a default gateway for configuration, or skip default gateway configuration:
IP default gateways:
Enter default gateway number: (1-259)
Enter the number for the default gateway to be configured. To skip default gateway configuration, press <Enter> without typing a gateway number and go to IP Routing on page 44.
2. At the prompt, enter the IP address for the selected default gateway:
Current IP address: 0.0.0.0
Enter new IP address:
Enter the IP address in dotted decimal notation, or press <Enter> without specifying an address to accept the current setting.
3.
4. Repeat the steps in this section until all default gateways have been configured. When all default gateways have been configured, press <Enter> without specifying any number.
IP Routing
When IP interfaces are configured for the various subnets attached to your switch, IP routing
between them can be performed entirely within the switch. This eliminates the need to bounce
inter-subnet communication off an external router device. Routing on more complex networks,
where subnets may not have a direct presence on the Nortel Application Switch, can be accomplished through configuring static routes or by letting the switch learn routes dynamically.
This part of the Setup program prompts you to configure the various routing parameters.
1. Enter y to enable IP forwarding. To disable IP forwarding, enter n and proceed to Step 2. To keep the current setting, press <Enter>.
2. When prompted, decide whether you wish to review the configuration changes:
Review the changes made? [y/n]
Enter y to review the changes made during this session of the Setup utility. Enter n to continue without reviewing the changes. We recommend that you review the changes.
3. Enter y to apply the changes, or n to continue without applying. Changes are normally applied.
4. Enter y to save the changes to flash. Enter n to continue without saving the changes. Changes are normally saved at this point.
5. If you do not apply or save the changes, the system prompts whether to abort them:
Abort all changes? [y/n]
Enter y to discard the changes. Enter n to return to the Apply the changes? prompt.
NOTE After initial configuration is complete, it is recommended that you change the default
passwords as shown in Setting Passwords on page 47.
NOTE If you need to configure SNMPv3, refer to SNMPv3 Configuration Menu on page
276 of this manual.
1.
2. Set SNMP read or write community string. By default, they are public and private respectively.
>> # /cfg/sys/ssnmp/rcomm|wcomm
3. Apply and save configuration if you are not configuring the switch with Telnet support. Otherwise apply and save after Optional Setup for Telnet Support on page 46.
>> System# apply
>> System# save
Enable telnet.
>> # /cfg/sys/access/tnet ena
2.
If your network uses Routing Interface Protocol (RIP), enter y to enable the RIP supply. Otherwise, enter n to disable it. When RIP is enabled, RIP listen is set by default.
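The community-string and Telnet steps above can be checked after the fact by scanning a recorded CLI session for the last value given to each setting. The following Python is an added example, not part of the Nortel guide; the session lines are constructed, the `<command> <value>` argument form for `rcomm`/`wcomm` and the reading of `ena` as short for `enable` are assumptions, and abbreviated paths are matched by simple prefix, which can over-report because the full menu tree is not reproduced here.

```python
import re

# Prompt forms that appear in this guide: ">> # ", ">> System# ", "Main# ".
PROMPT_RE = re.compile(r"^\s*(?:>>\s*)?[A-Za-z0-9 ]*#\s*")


def _is_enable(args):
    # Assumption: "ena" abbreviates "enable", so any prefix of it counts.
    return bool(args) and "enable".startswith(args[0].lower())


def _is_default_community(args):
    # "public" and "private" are the defaults the guide documents.
    return bool(args) and args[0] in ("public", "private")


# (full command path from the guide, test on the argument list, finding text)
RULES = [
    ("/cfg/sys/access/tnet", _is_enable,
     "Telnet enabled: logins cross the network unencrypted"),
    ("/cfg/sys/ssnmp/rcomm", _is_default_community,
     "SNMP read community left at a documented default"),
    ("/cfg/sys/ssnmp/wcomm", _is_default_community,
     "SNMP write community left at a documented default"),
]


def path_matches(typed, full):
    """True if every typed path component is a prefix of the full component.

    This follows the guide's Command Abbreviation rule loosely: without the
    complete menu tree an ambiguous prefix cannot be rejected.
    """
    t = typed.strip("/").lower().split("/")
    f = full.strip("/").split("/")
    return len(t) == len(f) and all(p != "" and q.startswith(p)
                                    for p, q in zip(t, f))


def audit_commands(lines):
    """Return sorted (line_no, full_path, finding) for each setting's final value."""
    last = {}  # full path -> (line number, args) of the most recent assignment
    for number, raw in enumerate(lines, 1):
        cmd = PROMPT_RE.sub("", raw, count=1).strip()
        if not cmd.startswith("/"):
            continue  # relative commands (apply, save, sys) need menu context
        path, *args = cmd.split()
        if not args:
            continue  # navigation only; no value was assigned on this line
        for full, _test, _msg in RULES:
            if path_matches(path, full):
                last[full] = (number, args)
    findings = []
    for full, test, msg in RULES:
        if full in last and test(last[full][1]):
            findings.append((last[full][0], full, msg))
    return sorted(findings)


# Constructed session transcript (values are illustrative).
SAMPLE_SESSION = [
    ">> # /cfg/sys/ssnmp/rcomm public",
    ">> # /cfg/sys/ssnmp/wcomm private",
    ">> # /cfg/sys/ssnmp/rcomm example-ro-7f3a",
    ">> # /c/sys/acc/tn ena",
    ">> System# apply",
    ">> System# save",
]

if __name__ == "__main__":
    for line_no, path, finding in audit_commands(SAMPLE_SESSION):
        print(f"line {line_no}: {path}: {finding}")
```

The read community is not reported for the sample because line 3 replaces the default set on line 1; only the last assignment of each setting is judged.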
Setting Passwords
It is recommended that you change the user and administrator passwords after initial configuration and as regularly as required under your network security policies.
To change both the user password and the administrator password, you must log in using the
administrator password. Passwords cannot be modified from the user command mode.
NOTE If you forget your administrator password, call your technical support representative
for help using the password fix-up mode.
2. From the Main Menu, use the following command to access the Configuration Menu:
Main# /cfg
3. From the Configuration Menu, use the following command to select the System Menu:
>> Configuration# sys
Syslog Menu
Management Port Menu
SSH Server Menu
RADIUS Authentication Menu
TACACS+ Authentication Menu
NTP Server Menu
SONMP Menu
System SNMP Menu
System Health Check Menu
System Access Menu
Set system date
Set system time
Set timeout for idle CLI sessions
Set login notice
Set login banner
Set SMTP host
Enable/disable display hostname (sysName) in CLI prompt
Enable/disable use of BOOTP
Display current system-wide parameters
4. From the System menu, use the following path to select the User menu:
System# access/user
5.
6.
NOTE If you forget your administrator password, call your technical support representative
for help using the password fix-up mode.
7.
8.
9.
1.
2. From the Main Menu, use the following command to access the Configuration Menu:
Main# cfg
3. From the Configuration Menu, use the following command to select the System Menu:
>> Configuration# sys
4.
5.
6.
7.
8.
2. From the Main Menu, use the following path to access the user command:
Main# /cfg/sys/access/user
3.
4. Enter the current administrator password (not the Layer 4 administrator password) at the prompt:
Changing L4 ADMINISTRATOR password; validation required...
Enter current administrator password:
NOTE If you forget your administrator password, call your technical support representative
for help using the password fix-up mode.
5.
6.
7.
CHAPTER 3
Menu Basics
The Nortel Application Switch's Command Line Interface (CLI) is used for viewing switch
information and statistics. In addition, the administrator can use the CLI for performing all levels of switch configuration.
To make the CLI easy to use, the various commands have been logically grouped into a series
of menus and sub-menus. Each menu displays a list of commands and/or sub-menus that are
available, along with a summary of what each command will do. Below each menu is a prompt
where you can enter any command appropriate to the current menu.
This chapter describes the Main Menu commands, and provides a list of commands and shortcuts that are commonly available from all the menus within the CLI.
NOTE The ssl option is only visible on the Nortel Application Switch Operating System
2000-SSL Series.
[Main Menu]
info     - Information Menu
stats    - Statistics Menu
cfg      - Configuration Menu
oper     - Operations Command Menu
boot     - Boot Options Menu
maint    - Maintenance Menu
ssl      - SSL Accelerator Menu
diff     - Show pending config changes [global command]
apply    - Apply pending config changes [global command]
save     - Save updated config to FLASH [global command]
revert   - Revert pending or applied changes [global command]
exit     - Exit [global command, always available]
Menu Summary
Information Menu
Provides sub-menus for displaying information about the current status of the switch:
from basic system settings to VLANs, Layer 4 settings, and more.
Statistics Menu
Provides sub-menus for displaying switch performance statistics. Included are port, IF, IP,
ICMP, TCP, UDP, SNMP, routing, ARP, DNS, VRRP, and Layer 4 statistics.
Configuration Menu
This menu is available only from an administrator login. It includes sub-menus for configuring every aspect of the switch. Changes to configuration are not active until explicitly
applied. Changes can be saved to non-volatile memory.
Maintenance Menu
This menu is used for debugging purposes, enabling you to generate a dump of the critical
state information in the switch, and to clear entries in the forwarding database and the
ARP and routing tables.
Global Commands
Some basic commands are recognized throughout the menu hierarchy. These commands are
useful for obtaining online help, navigating through menus, and for applying and saving configuration changes.
For help on a specific command, type help. You will see the following screen:
Global Commands: [can be issued from any menu]
help
up
print
lines
verbose
exit
diff
apply
save
ping
ping6
traceroute
history
pushd
popd
pwd
quit
revert
telnet
who
Action
? command
or help
. or print
.. or up
lines
Set the number of lines (n) that display on the screen at one time. The default
is 24 lines. When used without a value, the current setting is displayed.
diff
apply
save
revert
exit or quit
Action
ping
Use this command to verify station-to-station connectivity across the network. The format is as follows:
ping <host name>|<IP address> [tries <(1-32)> [msec delay]] [-m|-mgmt|-d|-data]
Where IP address is the hostname or IP address of the device, tries (optional) is the number of attempts (1-32), msec delay (optional) is the number of milliseconds between attempts. By default, the -d or -data option for network ports is in effect. If the management port is used, specify the -m or -mgmt option. The DNS parameters must be configured if specifying hostnames (see Domain Name System Configuration Menu on page 379).
ping6
traceroute
Use this command to identify the route used for station-to-station connectivity across the network. The format is as follows:
traceroute <host name>|<IP address> [<max-hops (1-32)> [msec delay]] [-m|-mgmt|-d|-data]
Where IP address is the hostname or IP address of the target station, max-hops (optional) is the maximum distance to trace (1-16 devices), and delay (optional) is the number of milliseconds to wait for the response. By default, the -d or -data option for network ports is in effect. If the management port is used, specify the -m or -mgmt option. As with ping, the DNS parameters must be configured if specifying hostnames.
pwd
verbose n
telnet
This command is used to telnet out of the switch. The format is as follows:
<hostname>|<IP address> [port] [-m|-mgmt|-d|-data].
Where IP address is the hostname or IP address of the device. By default, the -d or -data option for network ports is in effect. If the management port is used, specify the -m or -mgmt option.
history
Action
pushd
This command stores the current location of the menu tree. Optionally, a new
path to change to can be specified. The format is as follows:
pushd [<new_path>]
popd
This command takes the user one level back to the menu location stored by
the last pushd command.
who
Description
history
!!
!n
<Ctrl-p>
(Also the up arrow key.) Recall the previous command from the history list. This can
be used multiple times to work backward through the last 10 commands. The recalled
command can be entered as is, or edited using the options below.
<Ctrl-n>
(Also the down arrow key.) Recall the next command from the history list. This can be
used multiple times to work forward through the last 10 commands. The recalled command can be entered as is, or edited using the options below.
<Ctrl-a>
<Ctrl-e>
<Ctrl-b>
(Also the left arrow key.) Move the cursor back one position to the left.
<Ctrl-f>
(Also the right arrow key.) Move the cursor forward one position to the right.
<Backspace>
(Also the Delete key.) Erase one character to the left of the cursor position.
<Ctrl-d>
<Ctrl-k>
Kill (erase) all characters from the cursor position to the end of the command line.
<Ctrl-l>
<Ctrl-u>
Other keys
Command Abbreviation
Most commands can be abbreviated by entering the first characters which distinguish the command from the others in the same menu or sub-menu. For example, the command shown above
could also be entered as follows:
Main# c/l2/st/p
Tab Completion
By entering the first letter of a command at any menu prompt and hitting <Tab>, the CLI will
display all commands or options in that menu that begin with that letter. Entering additional
letters will further refine the list of commands or options displayed. If only one command fits
the input text when <Tab> is pressed, that command will be supplied on the command line,
waiting to be entered. If the <Tab> key is pressed without any input on the command line, the
currently active menu will be displayed.
Configuration Ranges
Most commands now support the use of configuration ranges. Configuration ranges allow the
user to set common parameters on a range of similar items on the switch like ports or VLANs.
For example, the command shown below would set the PVID of ports 1 through 10 to 5.
Main# /cfg/port 1-10/pvid 5
CHAPTER 4
mation.
/info
Information Menu
[Information Menu]
     sys      - System Information Menu
     l2       - Layer 2 Information Menu
     l3       - Layer 3 Information Menu
     slb      - Layer 4-7 Information Menu
     bwm      - Bandwidth Management Information Menu
     security - Show Security status
     link     - Show link status
     port     - Show port information
     swkey    - Show enabled software features
     dump     - Dump all information
The information provided by each menu option is briefly described in Table 4-1 on page 61,
with pointers to where detailed information can be found.
Table 4-1 Information Menu Options (/info)
Command Syntax and Usage
sys
Displays system menu information. To view menu options, see page 63.
l2
Displays the Layer 2 Information Menu. For details, see page 89.
l3
Displays the Layer 3 information menu. For details, see page 106.
320506-A, January 2006
Port number
Port speed (10, 100, 10/100, or 1000)
Duplex mode (half, full, or auto)
Flow control for transmit and receive (no, yes, or auto)
Link status (up or down)
For details, see page 147.
port
Displays port status information, including:
Port number
Whether the port uses VLAN Tagging or not
Port VLAN ID (PVID)
Port name
VLAN membership
For details, see page 149.
swkey
Displays a list of all the optional software packages which have been activated or installed on your
switch. For details see page 150.
dump
Dumps all switch information available from the Information Menu (10K or more, depending on
your configuration).
If you want to capture dump data to a file, set your communication software on your workstation to
capture session data prior to issuing the dump commands. For details, see page 150.
/info/sys
System Information Menu
[System Menu]
snmpv3
general
time
log
slog
mgmt
sonmp
capacity
fan
temp
encrypt
user
dump
time
Displays the current time.
log
Displays last 64 syslog messages. See page 76 for a sample output and detailed information.
/info/sys/snmpv3
SNMPv3 System Information Menu
SNMP version 3 (SNMPv3) is an extensible SNMP Framework that supplements the SNMPv2
Framework by supporting the following:
access control
For more details on the SNMPv3 architecture please refer to RFC2271 to RFC2276.
[SNMPv3 Information Menu]
     usm      - Show usmUser table information
     view     - Show vacmViewTreeFamily table information
     access   - Show vacmAccess table information
     group    - Show vacmSecurityToGroup table information
     comm     - Show community table information
     taddr    - Show targetAddr table information
     tparam   - Show targetParams table information
     notify   - Show notify table information
     dump     - Show all SNMPv3 information
/info/sys/snmpv3/usm
SNMPv3 USM User Table Information
The User-based Security Model (USM) in SNMPv3 provides security services such as authentication and privacy of messages. This security model makes use of a defined set of user identities displayed in the USM user table. The USM user table contains information like:
a security name in the form of a string whose format is independent of the Security Model
an authentication protocol, which is an indication that the messages sent on behalf of the
user can be authenticated
usmUser Table:
User Name                        Protocol
-------------------------------- --------------------------------
admin                            NO AUTH, NO PRIVACY
adminmd5                         HMAC_MD5, DES PRIVACY
adminsha                         HMAC_SHA, DES PRIVACY
v1v2only                         NO AUTH, NO PRIVACY
Description
User Name
This is a string that represents the name of the user that you can
use to access the switch.
Protocol
/info/sys/snmpv3/view
SNMPv3 View Table Information
For security reasons, the user can restrict the access allowed to a group to only a subset of the management information in the management domain. Within each context, the group's rights are specified in terms of a particular MIB view.
View Name         Subtree            Mask            Type
----------------- ------------------ --------------- --------
org               1.3                                included
v1v2only          1.3                                included
v1v2only          1.3.6.1.6.3.15                     excluded
v1v2only          1.3.6.1.6.3.16                     excluded
v1v2only          1.3.6.1.6.3.18                     excluded
Description
View Name
Subtree
Displays the MIB subtree as an OID string. A view subtree is the set
of all MIB object instances which have a common Object Identifier
prefix to their names.
Mask
Type
/info/sys/snmpv3/access
SNMPv3 Access Table Information
The access control sub system provides authorization services.
The vacmAccessTable maps a group name, security information, a context, and a message
type, which could be the read or write type of operation or notification into a MIB view.
The View-based Access Control Model defines a set of services that an application can use for
checking access rights of a group. This group's access rights are determined by a read-view, a
write-view and a notify-view. The read-view represents the set of object instances authorized
for the group while reading the objects. The write-view represents the set of object instances
authorized for the group when writing objects. The notify-view represents the set of object
instances authorized for the group when sending a notification.
Group Name Prefix Model   Level        Match  ReadV  WriteV NotifyV
---------- ------ ------- ------------ ------ ------ ------ ---------
admin             usm     noAuthNoPriv exact  org    org    org
v1v2grp           snmpv1  noAuthNoPriv exact  org    org    v1v2only
admingrp          usm     authPriv     exact  org    org    org
Description
Group Name
Prefix
Model
Level
Match
Displays the match for the contextName. The options are: exact
and prefix.
ReadV
Displays the MIB view to which this entry authorizes the read
access.
WriteV
Displays the MIB view to which this entry authorizes the write
access.
NotifyV
Displays the Notify view to which this entry authorizes the notify
access.
/info/sys/snmpv3/group
SNMPv3 Group Table Information
A group is a combination of security model and security name that defines the access rights
assigned to all the security names belonging to that group. The group is identified by a group
name.
Sec Model  User Name                      Group Name
---------- ------------------------------ -------------------
snmpv1     v1v2only                       v1v2grp
usm        admin                          admin
usm        adminmd5                       admingrp
usm        adminsha                       admingrp
Description
Sec Model
Displays the security model used, which is any one of: USM,
SNMPv1, SNMPv2, and SNMPv3.
User Name
Group Name
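The usmUser, vacmSecurityToGroup, vacmAccess and vacmViewTreeFamily tables above chain together: a user maps to a group, the group to an access row, and the access row to named MIB views. The Python below is an added example, not part of the Nortel documentation or switch software; it transcribes the sample rows from this page, resolves what each user can write, and flags rows an auditor would question. The function names and finding labels are assumptions made for the example.

```python
"""Resolve effective SNMPv3 access from the tables shown by /info/sys/snmpv3."""

# Rows transcribed from the sample output on this page.
USM_USERS = {  # usmUser table: user name -> protocol column
    "admin": "NO AUTH, NO PRIVACY",
    "adminmd5": "HMAC_MD5, DES PRIVACY",
    "adminsha": "HMAC_SHA, DES PRIVACY",
    "v1v2only": "NO AUTH, NO PRIVACY",
}
SEC_TO_GROUP = {  # vacmSecurityToGroup: (sec model, user name) -> group name
    ("snmpv1", "v1v2only"): "v1v2grp",
    ("usm", "admin"): "admin",
    ("usm", "adminmd5"): "admingrp",
    ("usm", "adminsha"): "admingrp",
}
ACCESS = {  # vacmAccess: (group name, model) -> level and view names
    ("admin", "usm"):
        {"level": "noAuthNoPriv", "read": "org", "write": "org", "notify": "org"},
    ("v1v2grp", "snmpv1"):
        {"level": "noAuthNoPriv", "read": "org", "write": "org", "notify": "v1v2only"},
    ("admingrp", "usm"):
        {"level": "authPriv", "read": "org", "write": "org", "notify": "org"},
}
VIEWS = [  # vacmViewTreeFamily: (view name, subtree, type); Mask is empty in the sample
    ("org", "1.3", "included"),
    ("v1v2only", "1.3", "included"),
    ("v1v2only", "1.3.6.1.6.3.15", "excluded"),  # USM MIB
    ("v1v2only", "1.3.6.1.6.3.16", "excluded"),  # VACM MIB
    ("v1v2only", "1.3.6.1.6.3.18", "excluded"),  # community MIB
]


def _oid(text):
    """Turn '1.3.6.1' into (1, 3, 6, 1) so prefixes compare per sub-identifier."""
    return tuple(int(part) for part in text.strip(".").split("."))


def oid_in_view(view_name, oid):
    """Return True if oid falls inside the named MIB view.

    Among the family entries whose subtree is a prefix of the OID, the one
    with the longest subtree decides; no matching entry means "not in view".
    An empty mask is treated as "compare every sub-identifier".
    """
    target = _oid(oid)
    best = None
    for name, subtree, kind in VIEWS:
        prefix = _oid(subtree)
        if name == view_name and target[:len(prefix)] == prefix:
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, kind)
    return best is not None and best[1] == "included"


def effective_access(model, user):
    """Follow user -> group -> access row. Returns None if nothing matches.

    Simplification for this example: the lookup keys on group and model only;
    context prefix and per-request security level are not modelled.
    """
    group = SEC_TO_GROUP.get((model, user))
    row = ACCESS.get((group, model))
    return None if row is None else {"group": group, **row}


def can_write(model, user, oid):
    """True if the user's group has a write view that contains oid."""
    acc = effective_access(model, user)
    return bool(acc and acc["write"] and oid_in_view(acc["write"], oid))


def audit():
    """Return (user, finding) pairs for rows worth reviewing."""
    findings = []
    for model, user in sorted(SEC_TO_GROUP):
        acc = effective_access(model, user)
        if acc and acc["level"] == "noAuthNoPriv" and acc["write"]:
            findings.append((user, "unauthenticated-write"))
        protocol = USM_USERS.get(user, "") if model == "usm" else ""
        if "HMAC_MD5" in protocol:
            findings.append((user, "md5-auth"))
        if "DES" in protocol:
            findings.append((user, "des-privacy"))
    return findings


if __name__ == "__main__":
    for user, finding in audit():
        print(f"{user:10s} {finding}")
```

With the sample rows, the v1v2only view limits only what v1v2grp is notified about; its read and write views are both org, so the excluded subtrees do not restrict writes for that group.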
/info/sys/snmpv3/comm
SNMPv3 Community Table Information
This command displays the community table information stored in the SNMP engine.
Index      Name       User Name            Tag
---------- ---------- -------------------- ----------
trap1      public     v1v2only             v1v2trap
Description
Index
Name
User Name
Tag
/info/sys/snmpv3/taddr
SNMPv3 Target Address Table Information
This command displays the SNMPv3 target address table information, which is stored in the
SNMP engine.
Name       Transport Addr  Port Taglist    Params
---------- --------------- ---- ---------- ---------------
trap1      47.81.25.66     162  v1v2trap   v1v2param
Description
Name
Transport Addr
Port
Taglist
This column contains a list of tag values which are used to select target addresses for a particular SNMP message.
Params
The value of this object identifies an entry in the snmpTargetParamsTable. The identified entry contains SNMP parameters to be used
when generating messages to be sent to this transport address.
/info/sys/snmpv3/tparam
SNMPv3 Target Parameters Table Information
Name            MP Model User Name     Sec Model Sec Level
--------------- -------- ------------- --------- ------------
v1v2param       snmpv2c  v1v2only      snmpv1    noAuthNoPriv
Description
Name
MP Model
User Name
Sec Model
Sec Level
Displays the level of security used when generating SNMP messages using this entry.
/info/sys/snmpv3/notify
SNMPv3 Notify Table Information
Name                 Tag
-------------------- --------------------
v1v2trap             v1v2trap
Description
Name
Tag
/info/sys/snmpv3/dump
SNMPv3 Dump Information
usmUser Table:
User Name                        Protocol
-------------------------------- --------------------------------
admin                            NO AUTH, NO PRIVACY
adminmd5                         HMAC_MD5, DES PRIVACY
adminsha                         HMAC_SHA, DES PRIVACY
v1v2only                         NO AUTH, NO PRIVACY

vacmAccess Table:
Group Name Prefix Model   Level        Match  ReadV   WriteV   NotifyV
---------- ------ ------- ------------ ------ ------- -------- --------
admin             usm     noAuthNoPriv exact  org     org      org
v1v2grp           snmpv1  noAuthNoPriv exact  org     org      v1v2only
admingrp          usm     authPriv     exact  org     org      org

vacmViewTreeFamily Table:
View Name            Subtree         Mask         Type
-------------------- --------------- ------------ --------------
org                  1.3                          included
v1v2only             1.3                          included
v1v2only             1.3.6.1.6.3.15               excluded
v1v2only             1.3.6.1.6.3.16               excluded
v1v2only             1.3.6.1.6.3.18               excluded

vacmSecurityToGroup Table:
Sec Model  User Name                      Group Name
---------- ------------------------------ ----------------------
snmpv1     v1v2only                       v1v2grp
usm        admin                          admin
usm        adminsha                       admingrp

snmpCommunity Table:
Index      Name       User Name            Tag
---------- ---------- -------------------- ----------

snmpNotify Table:
Name                 Tag
-------------------- --------------------

snmpTargetAddr Table:
Name       Transport Addr  Port Taglist    Params
---------- --------------- ---- ---------- ---------------

snmpTargetParams Table:
Name                 MP Model User Name          Sec Model Sec Level
-------------------- -------- ------------------ --------- ---------
/info/sys/general
General System Information
On a Nortel Application Switch 2424:
System Information at 6:56:53 Thu Sep 15, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia (GMT offset -4:00)
Alteon Application Switch 2424
Switch is up 3 days, 11 hours, 28 minutes and 34 seconds.
Last boot: 18:28:09 Sun Sep 11, 2005 (reset from Telnet)
Last apply: unknown
Last save: 5
MAC Address: 00:01:81:2e:bc:50
IP (If 1) Address: 0.0.0.0
Hardware Order No:
EB1412006
Serial No: ABCDE600MJ Rev:
Mainboard Hardware:
Part No: P314090-A Rev:
Management Processor Board Hardware: Part No: P314080-A Rev:
Fast Ethernet Board Hardware:
Part No: P314091-A Rev:
09
00
00
00
09
00
00
00
NOTE The display of temperature will come up only if the temperature of any of the sensors
exceeds 60°C. There will be a warning from the software if any of the sensors exceeds this
temperature threshold. The switch will shut down if the power supply overheats and the temperature gets to 100°C. Information about fan failures will also be displayed if one or more
fans are not functioning.
/info/sys/time
Show System Time
>> Main# /info/sys/time
12:52:49 Fri Jul 8, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia
DST on first Sunday of April at 02:00
DST off last Sunday of October at 02:00
/info/sys/log
Show Last 64 Syslog Messages
Date   Time     Criticality level  Message
Nov 19 12:16:51 ALERT   stp: STG 1, new root bridge
Nov 19 13:52:03 ALERT   ip: cannot contact default gateway 47.80.22.1
Nov 19 13:52:23 NOTICE  ip: default gateway 47.80.22.1 operational
Nov 19 13:52:23 NOTICE  ip: default gateway 47.80.22.1 enabled
Nov 19 14:21:27 ALERT   ip: cannot contact default gateway 47.80.22.1
Nov 19 14:21:47 NOTICE  ip: default gateway 47.80.22.1 operational
Nov 19 14:21:47 NOTICE  ip: default gateway 47.80.22.1 enabled
Nov 19 14:38:55 NOTICE  mgmt: admin login from host 47.81.27.4
Nov 19 14:44:02 NOTICE  mgmt: admin idle timeout from Telnet/SSH
Nov 19 16:15:06 INFO    mgmt: new configuration applied
Nov 19 16:15:20 INFO    mgmt: new configuration saved
Nov 19 16:18:44 INFO    mgmt: new configuration applied
Nov 19 16:19:37 ERROR   mgmt: Error: Apply not done
Nov 19 16:19:57 INFO    mgmt: new configuration applied
Nov 19 16:34:35 NOTICE  mgmt: admin login from host 47.81.27.4
Nov 19 16:39:43 NOTICE  mgmt: admin idle timeout from Telnet/SSH
Nov 19 16:39:59 NOTICE  mgmt: admin login from host 47.81.27.4
Nov 19 16:54:13 NOTICE  mgmt: admin idle timeout from Telnet/SSH
Nov 19 17:20:37 NOTICE  mgmt: admin login from host 47.81.27.4
Nov 19 17:26:21 NOTICE  mgmt: admin login from host 47.81.25.49
Nov 19 17:31:53 NOTICE  mgmt: admin idle timeout from Telnet/SSH
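The sample log above follows a fixed layout (date, time, criticality level, then a facility-prefixed message), which makes the mgmt entries easy to review mechanically. The Python below is an added example, not part of the Nortel documentation; it parses the sample lines from this page, counts admin logins per source host, and lists configuration changes logged while no Telnet/SSH session was open. The allowlist passed in the test call and all function names are assumptions made for the example.

```python
"""Summarise management-session activity from /info/sys/log output."""
import re
from collections import Counter

# Lines copied from the sample log on this page, with wrapped lines rejoined.
SAMPLE_LOG = """\
Nov 19 12:16:51 ALERT stp: STG 1, new root bridge
Nov 19 13:52:03 ALERT ip: cannot contact default gateway 47.80.22.1
Nov 19 13:52:23 NOTICE ip: default gateway 47.80.22.1 operational
Nov 19 13:52:23 NOTICE ip: default gateway 47.80.22.1 enabled
Nov 19 14:21:27 ALERT ip: cannot contact default gateway 47.80.22.1
Nov 19 14:21:47 NOTICE ip: default gateway 47.80.22.1 operational
Nov 19 14:21:47 NOTICE ip: default gateway 47.80.22.1 enabled
Nov 19 14:38:55 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 14:44:02 NOTICE mgmt: admin idle timeout from Telnet/SSH
Nov 19 16:15:06 INFO mgmt: new configuration applied
Nov 19 16:15:20 INFO mgmt: new configuration saved
Nov 19 16:18:44 INFO mgmt: new configuration applied
Nov 19 16:19:37 ERROR mgmt: Error: Apply not done
Nov 19 16:19:57 INFO mgmt: new configuration applied
Nov 19 16:34:35 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 16:39:43 NOTICE mgmt: admin idle timeout from Telnet/SSH
Nov 19 16:39:59 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 16:54:13 NOTICE mgmt: admin idle timeout from Telnet/SSH
Nov 19 17:20:37 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 17:26:21 NOTICE mgmt: admin login from host 47.81.25.49
Nov 19 17:31:53 NOTICE mgmt: admin idle timeout from Telnet/SSH
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<facility>\w+):\s+(?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"^(?P<user>\S+) login from host (?P<host>\S+)$")
LOGOUT_RE = re.compile(r"^\S+ (idle timeout|connection closed) from ")
CONFIG_RE = re.compile(r"^new configuration (applied|saved)$")


def parse(text):
    """Yield one dict per well-formed log line; skip anything else."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def summarise(text, allowed_hosts):
    """Track remote admin sessions and configuration changes.

    Sessions are inferred only from the login / timeout / closed messages,
    so a change made with no open session here may still be legitimate
    (for example from a path that logs no login line); it is a prompt
    for review, not a verdict.
    """
    logins = Counter()
    open_sessions = peak = 0
    changes_without_session = []
    for event in parse(text):
        if event["facility"] != "mgmt":
            continue
        login = LOGIN_RE.match(event["msg"])
        if login:
            logins[login["host"]] += 1
            open_sessions += 1
            peak = max(peak, open_sessions)
        elif LOGOUT_RE.match(event["msg"]):
            open_sessions = max(0, open_sessions - 1)
        elif CONFIG_RE.match(event["msg"]) and open_sessions == 0:
            changes_without_session.append(event["ts"])
    return {
        "logins_by_host": dict(logins),
        "unexpected_hosts": sorted(h for h in logins if h not in allowed_hosts),
        "peak_sessions": peak,
        "config_changes_without_open_session": changes_without_session,
    }


if __name__ == "__main__":
    # The allowlist is a constructed value for the example.
    for key, value in summarise(SAMPLE_LOG, {"47.81.27.4"}).items():
        print(key, value)
```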
Each syslog message has a criticality level associated with it, included in text form as a prefix
to the log message. One of eight different prefixes is used, depending on the condition that the
administrator is being notified of, as shown below.
/info/sys/slog
Last 64 Saved Syslog Messages
Aug 20 13:54:21 NOTICE
47.80.22.1 operational
Aug 20 13:57:53 ALERT
gateway 47.80.22.1
Aug 20 13:57:57 NOTICE
47.80.22.1 operational
Aug 20 13:58:23 ALERT
gateway 47.80.22.1
Aug 20 13:58:33 NOTICE
47.80.22.1 operational
Aug 24 14:43:43 NOTICE
Aug 24 14:49:50 NOTICE
Aug 24 14:51:38 NOTICE
Aug 24 14:57:30 NOTICE
Aug 24 15:05:54 NOTICE
Aug 24 15:11:40 NOTICE
Aug 24 16:00:40 NOTICE
Aug 24 16:00:52 NOTICE
/info/sys/mgmt
Management Port Information
Speed  Duplex  Link
-----  ------  ----
100    full    up

MAC address:
  00:01:81:2e:a4:8d
Interface information:
  47.80.23.251   255.255.254.0   47.80.23.255
Gateway information:
  47.80.22.1
Use this command to display Management port information on a Nortel Application Switch
including:
/info/sys/sonmp
SONMP Information
This command displays the SynOptics Network Management Protocol (SONMP) topology
table. SONMP is enabled on Nortel Application Switches using the /cfg/sys/sonmp on
command, and is necessary so that a Nortel Application Switch can be discovered
by the Nortel Enterprise Switch Manager. When SONMP is enabled, devices on the network
exchange multicast packets, namely flatnet hellos and segment hellos. The IP
address of the device is written into the hello packets. As the network devices exchange
information, a topology table is built like the one shown below.
Slot/  IP address      Seg  MAC address       Chassis Type       Local State
Port                   Id                                        Seg
-----  --------------- ---  ----------------- ------------------ ----- ----------
0 /0   47.80.23.247    0    00:01:81:2e:a3:60 Alteon2224         true  topChanged
1 /11  47.80.22.1      770  00:e0:16:7c:28:24 Passport1200       true  heartbeat
1 /11  47.80.23.25     259  00:60:cf:81:54:28 Passport8610       true  heartbeat
1 /11  47.80.23.25     260  00:60:cf:81:54:38 Passport8610       true  heartbeat
1 /11  47.80.23.241    257  00:60:cf:43:a2:10 AlteonAD4          true  topChanged
1 /11  50.10.10.1      263  00:60:cf:46:d5:60 Alteon184          true  topChanged
Description
Slot Port
Specifies the slot and port on which the topology message was
received.
IP Address
Seg ID
Mac Address
Chassis Type
The chassis type of the device that sent the topology message.
Local Seg
Indicates if the sender of the topology message is on the same Ethernet segment (i.e. not across a bridge) as the reporting agent.
State
The current state of the sender of the topology message. The values
are:
/info/sys/capacity
System Capacity Information
The following sample output from a Nortel Application Switch 2424 displays the maximum
and currently enabled switch capacity for various services and applications from Layer 2-7.
Maximum
Current(Enabled)
LAYER 2
FDB
FDB per SP
VLANs
Static Trunk Groups
LACP Trunk Groups
Trunks per Trunk Group
Spanning Tree Groups
Port Teams
Monitor Ports
16384
8192
1024
12
28
8
16
8
1
54
LAYER 3
IP Interfaces
IP Gateways
IP Routes
Static Routes
ARP Entries
Static ARP Entries
Local Nets
DNS Servers
BOOTP Servers
256
4+255
4096
128
8192
128
5
2
2
1(1)
1+0(1+0)
7
0
5
0
0
0
0
RIP Interfaces
256
OSPF
OSPF
OSPF
OSPF
OSPF
LSDB
256
3
16
3
128
12288
0(0)
0(0)
0(0)
0(0)
0(0)
Interfaces
Areas
Summary Ranges
Virtual Links
Hosts
Limit
1(1)
0(0)
16(1)
8(0)
Continued...
BGP Peers
BGP Route Aggregators
16
16
0(0)
0(0)
Route Maps
Network Filters
AS Filters
32
256
8
0(0)
0(0)
VRRP Routers
VRRP Router Groups
VRRP Interfaces
1024
16
256
0(0)
0(0)
0
1024
1024
1024
1024
8192
0(0)
0
0(0)
62
63
Global
Global
Global
Global
Global
Global
Global
Global
Global
Global
Global
1024
8192
1024
1024
64
2
128
7
128
8
100000
0(0)
0(0)
0(0)
0(0)
0(0)
2(2)
0(0)
7(7)
0(1)
8(8)
100000(100000)
2048
1024
64
5
1024
1048550
64
64
8
0(0)
0
0
0
1
0
SLB
SLB
SLB
SLB
SLB
SLB
SLB
SLB
SLB
SLB
SLB
Domains
Services
Local Servers
Remote Servers
Remote Sites
Failovers per Remote Site
Networks
Geographical Regions
Rules
Metrics Per Rule
DNS Persistence Cache Entries
Filters
PIPs
Scriptable Health Checks
SNMP Health Checks
Rules for URL Parsing
SLB Sessions
Number of Rports to Vport
Domain Records
Mapping Per Domain Record
LAYER 4 - PORTS
Port # Client Server
Filter
0(0)
RTS
Continued...
BWM
Policies
Contracts
Groups
Contracts per Group
Time Policies per Contract
512
1024
32
8
2
0
1(1)
0
Security
Configuration source IP ACLs
Bogon source IP ACLs
Operations source IP ACLs
Total source IP ACLs
Configuration destination IP ACLs
Operations destination IP ACLs
Total destination IP ACLs
IP DoS attacks prevention
TCP DoS attacks prevention
UDP DoS attacks prevention
ICMP DoS attacks prevention
IGMP DoS attacks prevention
ARP DoS attacks prevention
IPv6 DoS attacks prevention
Total DoS attacks prevention
UDP ports for UDP blast protection
5120
8192
1024
14340
1024
1024
2052
17
18
6
5
3
5
2
56
5000
0
0
0
0
0
0
0
GENERAL
Syslog hosts
RADIUS servers
NTP servers
SMTP hosts
Mnet/Mmask
End Users
Panic Dumps
MP memory
SP memory
2
2
1
1
5
10
2
128M
128M
0
0
0
1
0
SNMPv3
SNMPv3
SNMPv3
SNMPv3
SNMPv3
16
128
32
16
16
3
5
2
0
0
Users
Views
Access Groups
Target Address Entries
Target Params Entries
/info/sys/fan
Show switch fan status
>> System# fan
Fans OK.
/info/sys/temp
Show switch temperature sensor status
>> System# temp
Temperature OK.
/info/sys/encrypt
Show encryption licenses
AOS contains the following encryption licenses:
BLOWFISH
DES & 3DES
MD5
RC4
SHA-1
/info/sys/user
Show current user status
Usernames:
  user      enabled
  slboper   disabled
  l4oper    disabled
  oper      disabled
  slbadmin  disabled
  l4admin   disabled
  admin     Always Enabled
Note: there are pending config changes; use "diff" to see them.
Current User ID table:
/info/sys/dump
System Information Dump
System Information at 7:02:06 Thu Sep 15, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia (GMT offset -4:00)
Alteon Application Switch 2424-SSL
Switch is up 3 days, 11 hours, 33 minutes and 48 seconds.
Last boot: 18:28:09 Sun Sep 11, 2005 (reset from Telnet)
Last apply: unknown
Last save: 5
MAC Address: 00:01:81:2e:bc:50
IP (If 1) Address: 0.0.0.0
Internal SSL Processor MAC Address: 00:01:81:2e:bc:6f
Hardware Order No:
EB1412006
Serial No: ABCDE600MJ Rev:
Mainboard Hardware:
Part No: P314090-A Rev:
Management Processor Board Hardware: Part No: P314080-A Rev:
Fast Ethernet Board Hardware:
Part No: P314091-A Rev:
09
00
00
00
server
server
server
server
server
Continued . . .
Sep
Sep
Sep
Sep
Sep
Sep
(5)
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
Sep
13 16:24:00
13 22:01:00
14 3:38:00
14 9:15:00
14 10:23:04
14 10:23:05
needs to be
14 10:23:05
14 10:23:05
14 10:24:45
14 11:30:36
14 11:35:25
14 11:35:40
14 11:39:37
14 11:49:12
14 11:58:20
14 13:41:54
14 13:46:18
14 14:37:07
14 14:52:00
14 14:58:57
14 16:09:44
14 16:20:44
14 16:24:58
14 16:30:51
14 16:48:16
14 16:50:34
14 16:57:47
14 16:57:55
14 17:00:02
14 17:04:59
14 17:05:49
14 17:06:05
14 19:54:04
14 20:00:22
14 20:01:47
14 20:22:49
14 20:23:10
14 20:23:55
14 20:29:00
14 20:40:41
14 21:43:51
15 2:06:00
15 6:56:45
ERROR
mgmt: tcp open error, cannot contact reporting server
ERROR
mgmt: tcp open error, cannot contact reporting server
ERROR
mgmt: tcp open error, cannot contact reporting server
ERROR
mgmt: tcp open error, cannot contact reporting server
NOTICE mgmt: admin login from host 192.168.0.3
ERROR
cli: Error: VLAN 5 doesn't exist; the PVID for port 1
changed
ERROR
cli: Error: PVID 5 for port 1 is not created
ERROR
mgmt: Error: Apply not done
NOTICE mgmt: admin connection closed from Telnet/SSH
NOTICE mgmt: admin login from host 192.168.0.3
NOTICE mgmt: admin connection closed from Telnet/SSH
NOTICE mgmt: admin login from host 192.168.0.3
NOTICE mgmt: admin connection closed from Telnet/SSH
NOTICE mgmt: admin login from host 192.168.0.3
NOTICE mgmt: admin connection closed from Telnet/SSH
NOTICE mgmt: admin login from host 192.168.0.3
NOTICE mgmt: admin connection closed from Telnet/SSH
NOTICE mgmt: admin login from host 192.168.0.3
ERROR
mgmt: tcp open error, cannot contact reporting server
NOTICE mgmt: admin connection closed from Telnet/SSH
NOTICE mgmt: admin login from host 192.168.0.3
NOTICE mgmt: admin connection closed from Telnet/SSH
NOTICE mgmt: admin login from host 192.168.0.3
NOTICE mgmt: admin connection closed from Telnet/SSH
NOTICE mgmt: admin login from host 192.168.0.3
NOTICE mgmt: admin connection closed from Telnet/SSH
NOTICE mgmt: admin login from host 192.168.0.3
NOTICE mgmt: admin connection closed from Telnet/SSH
NOTICE mgmt: admin login from host 192.168.0.3
NOTICE mgmt: admin connection closed from Telnet/SSH
NOTICE mgmt: admin login from host 192.168.0.3
NOTICE mgmt: admin connection closed from Telnet/SSH
NOTICE mgmt: admin login from host 192.168.0.3
NOTICE mgmt: admin connection closed from Telnet/SSH
NOTICE mgmt: admin login from host 192.168.0.3
NOTICE mgmt: admin connection closed from Telnet/SSH
NOTICE mgmt: admin login from host 192.168.0.3
NOTICE mgmt: admin connection closed from Telnet/SSH
ERROR
mgmt: tcp open error, cannot contact reporting server
NOTICE mgmt: admin login from host 192.168.0.3
NOTICE mgmt: admin idle timeout from Telnet/SSH
ERROR
mgmt: tcp open error, cannot contact reporting server
NOTICE mgmt: admin login from host 192.168.0.3
Continued . . .
Duplex
-----half
Link
---up
MAC address:
00:03:24:6e:bd:3d
Interface information:
192.168.0.13 255.255.255.0
192.168.0.255
Gateway information:
192.168.0.1
Engine ID = 80:00:07:50:03:00:01:81:2E:BC:50
usmUser Table:
User Name                        Protocol
-------------------------------- --------------------------------
adminmd5                         HMAC_MD5, DES PRIVACY
adminsha                         HMAC_SHA, DES PRIVACY
v1v2only                         NO AUTH, NO PRIVACY

vacmAccess Table:
Group Name Prefix Model   Level        Match  ReadV      WriteV     NotifyV
---------- ------ ------- ------------ ------ ---------- ---------- --------
v1v2grp           snmpv1  noAuthNoPriv exact  iso        iso        v1v2only
admingrp          usm     authPriv     exact  iso        iso        iso

vacmViewTreeFamily Table:
View Name            Subtree                        Mask           Type
-------------------- ------------------------------ -------------- --------
iso                  1                                             included
v1v2only             1                                             included
v1v2only             1.3.6.1.6.3.15                                excluded
v1v2only             1.3.6.1.6.3.16                                excluded
v1v2only             1.3.6.1.6.3.18                                excluded

vacmSecurityToGroup Table:
Sec Model  User Name                      Group Name
---------- ------------------------------ ------------------------------
snmpv1     v1v2only                       v1v2grp
usm        adminmd5                       admingrp
usm        adminsha                       admingrp

snmpCommunity Table:
Index      Name       User Name            Tag
---------- ---------- -------------------- ----------

snmpNotify Table:
Name                 Tag
-------------------- --------------------

snmpTargetAddr Table:
Name       Transport Addr  Port Taglist    Params
---------- --------------- ---- ---------- ---------------

snmpTargetParams Table:
Name                 MP Model User Name            Sec Model Sec Level
-------------------- -------- -------------------- --------- ---------

Slot/ IP address      Seg  MAC address       Chassis Type      Local State
Port                  Id                                       Seg
----- --------------- ---- ----------------- ----------------- ----- -------
/info/l2
Layer 2 Information Menu
[Layer 2 Menu]
fdb
lacp
stg
cist
trunk
vlan
team
dump
-
Priority
Hello interval
Maximum age value
Forwarding delay
Aging time
You can also see the following port-specific STP information:
VLAN Number
VLAN Name
Status
Port membership of the VLAN
For details, see page 103.
team
Show port team information.
dump
Displays all Layer 2 information.
/info/l2/fdb
Layer 2 FDB Information
The forwarding database (FDB) contains information that maps the media access control
(MAC) address of each known device to the switch port where the device address was learned.
The FDB also shows which other ports have seen frames destined for a particular MAC
address.
[Forwarding Database Menu]
     find     - Show a single FDB entry by MAC address
     port     - Show FDB entries on a single port
     trunk    - Show FDB entries on a single trunk
     vlan     - Show FDB entries on a single VLAN
     refpt    - Show FDB entries referenced by a single SP
     dump     - Show all FDB entries
NOTE The master forwarding database supports up to 16K MAC address entries on the MP
per switch. Each SP supports up to 8K entries.
Table 4-14 Layer 2 FDB Information Menu Options (/info/l2/fdb)
Command Syntax and Usage
find <MAC address> [<VLAN>]
Displays a single database entry by its MAC address. You are prompted to enter the MAC address
of the device. Enter the MAC address using the format, xx:xx:xx:xx:xx:xx. For example,
08:00:20:12:34:56.
You can also enter the MAC address using the format, xxxxxxxxxxxx.
For example, 080020123456.
port <port number, 0 for "unknown">
Displays all FDB entries for a particular port.
trunk <trunk group number>
Displays all FDB entries on a single trunk.
vlan <VLAN number (1-4090)>
Displays all FDB entries on a single VLAN.
refpt <SP number (1-4)>
Displays the FDB entries referenced by a single port.
dump
Displays all entries in the Forwarding Database. For more information, see page 92.
/info/l2/fdb/dump
Show All FDB Information
MAC address       VLAN Port State Referenced SPs Referenced ports
----------------- ---- ---- ----- -------------- ----------------
00:02:01:00:00:00 300  23   FWD   1 2            1 23
00:02:01:00:00:01 300  23   FWD   1 2            1 23
00:02:01:00:00:02 300  23   FWD   1 2            1 23
00:02:01:00:00:03 300  23   FWD   1 2            1 23
00:02:01:00:00:04 300  23   FWD   1 2            1 23
00:02:01:00:00:05 300  23   FWD   1 2            1 23
00:02:01:00:00:06 300  23   FWD   1 2            1 23
00:02:01:00:00:07 300  23   FWD   1 2            1 23
00:02:01:00:00:08 300  23   FWD   1 2            1 23
00:02:01:00:00:09 300  23   FWD   1 2            1 23
00:02:01:00:00:0a 300  23   FWD   1 2            1 23
00:02:01:00:00:0b 300  23   FWD   1 2            1 23
00:02:01:00:00:0c 300  23   FWD   1 2            1 23
An address in the forwarding (FWD) state has been learned by the switch.
When in the trunking (TRK) state, the port field represents the trunk group number. If the state
for the port is listed as unknown (UNK), the MAC address has not yet been learned by the
switch, but has only been seen as a destination address. When an address is in the unknown
state, no outbound port is indicated, although ports which reference the address as a destination
will be listed under Referenced ports.
If the state for the port is listed as an interface (IF), the MAC address is for a standard VRRP
virtual router. If the state is listed as a virtual server (VIP), the MAC address is for a virtual
server router, that is, a virtual router with the same IP address as a virtual server.
/info/l2/lacp
Link Aggregation Control Protocol Information
Menu
The following menu options display the Link Aggregation Control Protocol (LACP) information on the Nortel Application Switch Operating System.
[LACP Menu]
aggr
port
dump
Table 4-15 Link Aggregation Control Protocol Information Menu Options (/info/lacp)
Command Syntax and Usage
aggr <aggregator index 1 to max num ports>
Displays information about an LACP aggregator.
port <port index 1 to max num ports>
Displays information of an LACP port.
dump
Displays LACP information of all the ports. Use this command to verify the state of ports in an
LACP trunk group. To view a sample output, see page 96.
/info/lacp/aggr
LACP Aggregator Information
Aggregator Id 1
----------------------------------------------
MAC address             - 00:01:81:2e:a1:d1
Actor System Priority   - 32768
Actor System ID         - 00:01:81:2e:a1:b0
Individual              - FALSE
Actor Admin Key         - 300
Actor Oper Key          - 300
Partner System Priority - 32768
Partner System ID       - 00:0d:29:e3:4a:00
Partner Oper Key        - 1
ready                   - TRUE
Number of Ports in aggr - 10
index 0   port 1
index 1   port 2
index 2   port 3
index 3   port 4
index 4   port 5
index 5   port 6
index 6   port 7
index 7   port 8
index 8   port 9
index 9   port 10
/info/lacp/port
LACP Port Information
port 1
---------------------------------------------lacp_enabled
- TRUE
lacp_admin_enabled
- TRUE
Actor
Actor
Actor
Actor
Actor
Actor
System ID
System Priority
Admin Key
Oper Key
Port Number
Port Priority
Partner
Partner
Partner
Partner
Partner
Partner
Partner
Partner
Partner
Partner
00:01:81:2e:a1:b0
32768
300
300
1
32768
0
32768
00:00:00:00:00:00
00:0d:29:e3:4a:00
0
1
0
0
4
32768
Long
FALSE
FALSE
Aggregation:
Distributing:
Long
Aggregation:
TRUE
Distributing:
FALSE
TRUE
FALSE
TRUE
TRUE
- 0x0
Continued
Individual
- TRUE
Selected Aggregator ID
- 0
Attached Aggregator ID
- 0
ready_n
- FALSE
ntt
- FALSE
selected
- Unselcted
port_moved
- FALSE
Collection and Distribution state turned ON!
Rx machine state
Mux machine state
Periodic machine state
- LACP_RX_INIT_STATE
- LACP_MUX_DETACHED_STATE
- LACP_PERIODIC_NO_STATE
/info/lacp/dump
LACP Dump Information
port  lacp    adminkey  operkey  selected  prio   attached  trunk
                                                  aggr
-------------------------------------------------------------------
1     active  300       300      y         32768  1         13
2     active  300       300      y         32768  1         13
3     active  300       300      y         32768  1         13
4     active  300       300      y         32768  1         13
5     active  300       300      y         32768  1         13
6     active  300       300      y         32768  1         13
7     active  300       300      y         32768  1         13
8     active  300       300      y         32768  1         13
9     active  300       300      n         32768  --
10    active  300       300      n         32768  --
11    active  300       300      n         32768  --
12    active  300       300      n         32768  --
13    active  300       300      n         32768  --
14    off     14        14       n         32768  --
15    off     15        15       n         32768  --
16    off     16        16       n         32768  --
17    off     17        17       n         32768  --
18    off     18        18       n         32768  --
19    off     19        19       n         32768  --
20    off     20        20       n         32768  --
21    off     21        21       n         32768  --
22    off     22        22       n         32768  --
23    off     23        23       n         32768  --
24    off     24        24       n         32768  --
25    off     25        25       n         32768  --
26    off     26        26       n         32768  --
27    off     27        27       n         32768  --
28    off     28        28       n         32768  ---
/info/l2/stg
Layer 2 Spanning Tree Group Information
When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the network
so that a switch uses only the most efficient path.
NOTE Nortel Application Switch Operating System 23.0.2 supports up to 16 multiple Spanning Trees or Spanning Tree Groups.
Spanning Tree Group 1: On

Current Root:            Path-Cost
 8000 00:01:81:2e:a1:80  0

Parameters:  Priority  Hello  MaxAge  FwdDel  Aging
             32768     2      20      15      300

Port  Priority  Cost  State       Designated Bridge       Des Port
----  --------  ----  ----------  ----------------------  --------
1     128       0     DISABLED
2     128       0     DISABLED
3     128       0     DISABLED
4     128       0     DISABLED
5     128       5     FORWARDING  8000-00:01:81:2e:a1:80  32773
6     128       0     DISABLED
7     128       0     DISABLED
8     128       0     DISABLED
9     128       0     DISABLED
10    128       0     DISABLED
11    128       0     DISABLED
The switch software uses the IEEE 802.1d Spanning Tree Protocol (STP). In addition to seeing
if STP is enabled or disabled, you can view the following STP bridge information:
Priority
Hello interval
Forwarding delay
Aging time
Cost
State
Designated Bridge
Designated Port
Description
Priority (bridge)
The bridge priority parameter controls which bridge on the network will
become the STP root bridge.
Hello
The hello time parameter specifies, in seconds, how often the root bridge
transmits a configuration bridge protocol data unit (BPDU). Any bridge that
is not the root bridge uses the root bridge hello value.
MaxAge
The maximum age parameter specifies, in seconds, the maximum time the
bridge waits without receiving a configuration bridge protocol data unit
before it reconfigures the STP network.
FwdDel
The forward delay parameter specifies, in seconds, the amount of time that a
bridge port has to wait before it changes from learning state to forwarding
state.
Aging
The aging time parameter specifies, in seconds, the amount of time the
bridge waits without receiving a packet from a station before removing the
station from the Forwarding Database.
priority (port)
The port priority parameter helps determine which bridge port becomes the
designated port. In a network topology that has multiple bridge ports connected to a single segment, the port with the lowest port priority becomes the
designated port for the segment.
Cost
The port path cost parameter is used to help determine the designated port for
a segment. Generally speaking, the faster the port, the lower the path cost. A
setting of 0 indicates that the cost will be set to the appropriate default after
the link speed has been auto negotiated.
State
The state field shows the current state of the port. The state field can be either
BLOCKING, LISTENING, LEARNING, FORWARDING, or DISABLED.
Designated Bridge
The designated bridge resides closest to the root bridge and is responsible for
forwarding packets from the LAN towards the root bridge. This bridge is displayed
as a character string starting with the bridge priority (1-65535), followed by a
hyphen and the six-byte MAC address of that switch.
Designated port
The designated port identifies a physical port. This is a number that is the
numerical sum of the bridge priority and the actual physical port number. For
example, physical port number four with bridge priority 32768 is displayed as 32768+4=32772.
/info/l2/cist
Show common internal spanning tree (CIST) information
NOTE Nortel Application Switch Operating System 23.0.2 supports up to 16 multiple Spanning Trees or Spanning Tree Groups.
-----------------------------------------------------------------
Common Internal Spanning Tree:
VLANs: 1 4-4094
Current Root:            Path-Cost
 8000 00:01:81:2e:bc:50          0
Cist Regional Root:      Path-Cost
 8000 00:01:81:2e:bc:50          0
Parameters:
/info/l2/trunk
Trunk Group Information
Trunk groups can provide super-bandwidth, multi-link connections between Nortel Application Switches or other trunk-capable devices. A trunk group is a group of ports that act
together, combining their bandwidth to create a single, larger virtual link. When trunk groups
are configured, you can view the state of each port in the various trunk groups.
Trunk group 1, bw contract 1024, port state:
1: STG 1 forwarding
2: STG 1 forwarding
NOTE If Spanning Tree Protocol on any port in the trunk group is set to forwarding, the
remaining ports in the trunk group will also be set to forwarding.
/info/l2/vlan
VLAN Information
VLAN  Name                              Status  Jumbo  BWC   Learn  Ports
----  --------------------------------  ------  -----  ----  -----  -----
1     Default VLAN                      ena     n      1024  ena    1-28
This information display includes all configured VLANs and all member ports that have an
active link state. Port membership is represented in slot/port format.
VLAN information includes:
VLAN Number
VLAN Name
Status
Jumbo Frames
/info/l2/team
Status of port teams
>> Layer 2# team
All port teams are disabled.
/info/l2/dump
Layer2 Dump Information
Spanning Tree Group 1: On
Current Root:            Path-Cost
 8000 00:01:81:2e:a1:80          0
Parameters:  Priority  Hello  MaxAge  FwdDel  Aging
             32768     2      20      15      300
Port  Priority  Cost  State       Designated Bridge       Des Port
----  --------  ----  ----------  ----------------------  --------
1     128       0     DISABLED
2     128       0     DISABLED
3     128       0     DISABLED
4     128       0     DISABLED
5     128       5     FORWARDING  8000-00:01:81:2e:a1:80  32773
6     128       0     DISABLED
7     128       0     DISABLED
8     128       0     DISABLED
9     128       0     DISABLED
10    128       0     DISABLED
11    128       0     DISABLED
12    128       0     DISABLED
/info/l3
Layer3 Information Menu
[Layer 3 Menu]
route
route6
arp
nbrcache
bgp
ospf
ip
vrrp
dump
route6
IP6 Routing Information Menu. To view menu options, see page 110.
arp
Displays the Address Resolution Protocol (ARP) Information Menu. For details, see page 112.
nbrcache
IP6 Neighbor Cache Menu. To view menu options, see page 115.
bgp
Displays BGP Information Menu. To view menu options, see page 117.
ospf
Displays OSPF routing information menu. For details, see page 119.
vrrp
Displays the VRRP Information Menu. For details, see page 127.
dump
Displays all Layer 3 information.
/info/l3/route
IP Routing Information
[IP Routing Menu]
find     - Show
gw       - Show
type     - Show
tag      - Show
if       - Show
dump     - Show
Using the commands listed below, you can display all or a portion of the IP routes currently
held in the switch.
Table 4-18 Route Information Menu Options (/info/route)
Command Syntax and Usage
find <IP address (such as, 192.4.17.101)>
Displays a single route by destination IP address.
gw <default gateway address (such as, 192.4.17.44)>
Displays routes to a single gateway.
type indirect|direct|local|broadcast|martian|multicast
Displays routes of a single type. For a description of IP routing types, see Table 4-19 on page 109.
/info/l3/route/dump
Show All IP Route Information
Status code: * - best
  Destination     Mask            Gateway         Type      Tag       Metr If
  --------------- --------------- --------------- --------- --------- ---- --
* 0.0.0.0         0.0.0.0         47.80.22.1      indirect  static         1
* 47.80.22.0      255.255.254.0   47.80.23.249    direct    fixed          1
* 47.80.23.249    255.255.255.255 47.80.23.249    local     addr           1
* 47.80.23.255    255.255.255.255 47.80.23.255    broadcast broadcast      1
* 127.0.0.0       255.0.0.0       0.0.0.0         martian   martian
* 224.0.0.0       224.0.0.0       0.0.0.0         martian   martian
* 224.0.0.5       255.255.255.255 0.0.0.0         multicast addr
* 224.0.0.6       255.255.255.255 0.0.0.0         multicast addr
* 255.255.255.255 255.255.255.255 255.255.255.255 broadcast broadcast
Type Parameters
The following table describes the Type parameters.
Table 4-19 IP Routing Type Parameters (/info/l3/route/dump/type)
Parameter
Description
indirect
The next hop to the host or subnet destination will be forwarded through a
router at the Gateway address.
direct
local
broadcast
martian
multicast
Tag Parameters
The following table describes the Tag parameters.
Table 4-20 IP Routing Tag Parameters (info/l3/route/tag)
Parameter
Description
fixed
static
The address is a static route which has been configured on the Nortel Application Switch.
addr
rip
ospf
bgp
broadcast
martian
vip
Indicates a route destination that is a virtual server IP address. VIP routes are
needed to advertise virtual server IP addresses via BGP.
/info/l3/route6
IPv6 Routing Information Menu
This menu provides a mechanism for viewing IPv6 routing information. The IPv6 routing
table stores routes it learns from network traffic and pre-configured, static routes.
NOTE Presently there is no mechanism for clearing this IPv6 routing table.
[IP6 Routing Menu]
dump     - Show all routes
0:0:0:0:0:0:0:0/0                  2005:0:0:0:0:0:0:16  If:1  Proto: STATIC
2005:0:0:0:0:0:0:0/64              0:0:0:0:0:0:0:0      If:1  Proto: LOCAL
2005:0:0:0:0:0:0:1/128             0:0:0:0:0:0:0:0      If:1  Proto: LOCAL
2005:0:0:0:0:0:0:16/128            0:0:0:0:0:0:0:0      If:1  Proto: STATIC
fe80:0:0:0:201:81ff:fe2e:a100/128  0:0:0:0:0:0:0:0      If:1  Proto: LOCAL
ff02:0:0:0:0:0:0:1/128             0:0:0:0:0:0:0:0      If:1  Proto: STATIC
ff02:0:0:0:0:0:0:2/128             0:0:0:0:0:0:0:0      If:1  Proto: STATIC
ff02:0:0:0:0:1:ff00:0/128          0:0:0:0:0:0:0:0      If:1  Proto: STATIC
ff02:0:0:0:0:1:ff00:1/128          0:0:0:0:0:0:0:0      If:1  Proto: STATIC
ff02:0:0:0:0:1:ff2e:a100/128       0:0:0:0:0:0:0:0      If:1  Proto: STATIC
/info/l3/arp
ARP Information Menu
Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet
layer. ARP resolves a physical address from an IP address. ARP queries machines on the local
network for their physical addresses. ARP also maintains IP to physical address pairs in its
cache memory. In any IP communication, the ARP cache is consulted to see if the IP address of
the router is present in the ARP cache. Then the corresponding physical address is used to send
a packet.
[Address Resolution Protocol Menu]
find     - Show a single ARP entry by IP address
port     - Show ARP entries on a single port
vlan     - Show ARP entries on a single VLAN
refpt    - Show ARP entries referenced by a single SP
dump     - Show all ARP entries
help     - Show help on the fields of ARP entries
addr     - Show ARP address list
The ARP information includes IP address and MAC address of each entry, address status flags
(see Table 4-23 on page 114), VLAN and port for the address, and port
referencing information.
Table 4-22 ARP Information Menu Options (/info/l3/arp)
Command Syntax and Usage
find <IP address (such as, 192.4.17.101)>
Displays a single ARP entry by IP address.
port <port number>
Displays the ARP entries on a single port.
vlan <VLAN number (1-4090)>
Displays the ARP entries on a single VLAN.
refpt <SP number (1-4)>
Displays the ARP entries referenced by a single SP. For details, see page 113.
help
Displays help on the ARP field entries. For example:
IP address:
Flags:
MAC address:
VLAN:
Port:
Referenced SPs:
addr
Displays the ARP address list: IP address, IP mask, MAC address, and VLAN flags.
/info/l3/arp/refpt
Show ARP Entries on Referenced SP
IP address       Flags  MAC address        VLAN  Port  Referenced SPs
---------------  -----  -----------------  ----  ----  --------------
47.80.23.249     P      00:0e:40:2f:5b:00  1           1-4
/info/l3/arp/dump
Show All ARP Entry Information
IP address       Flags  MAC address        VLAN  Port  Referenced SPs
---------------  -----  -----------------  ----  ----  --------------
1.1.11.1         P 4    00:09:97:16:5f:01              1-4
10.10.10.10      P 4    00:09:97:16:5f:01              1-4
47.80.22.1              00:e0:16:7c:28:86  1     23    empty
47.80.23.81      P      00:09:97:16:5f:00  1           1-4
172.31.3.1       P      00:09:97:16:5f:00  1           1-4
172.31.3.10             00:b0:d0:98:d8:1b  1     3     empty
172.31.3.11             00:b0:d0:98:d8:1b  1     3     empty
Referenced ports are the ports that request the ARP entry. So the traffic coming into the referenced ports has the destination IP address. From the ARP entry (the referenced ports), this traffic needs to be forwarded to the egress port (port 6 in the above example).
NOTE If you have VMA turned on, the referenced port will be the designated port. If you
have VMA turned off, the designated port will be the normal ingress port.
The Flag field is interpreted as follows:
Table 4-23 ARP Dump Flag Parameters
Flag
Description
P 4
Unresolved ARP entry. The MAC address has not been learned.
/info/l3/arp/addr
ARP Address List Information
IP address       IP mask          MAC address        VLAN  Flags
---------------  ---------------  -----------------  ----  -----
10.10.10.10      255.255.255.255  00:09:97:16:5f:01
1.1.11.1         255.255.255.255  00:09:97:16:5f:01
172.31.4.200     255.255.255.255  00:09:97:16:5f:0e        D
172.31.3.1       255.255.255.255  00:09:97:16:5f:00  1
172.31.4.1       255.255.255.255  00:09:97:16:5f:00  1
47.80.23.81      255.255.255.255  00:09:97:16:5f:00  1
/info/l3/nbrcache
IPv6 Neighbor Cache Information
This menu provides a mechanism for viewing IPv6 Neighbor Cache information.
IPv6 uses the Neighbor Discovery (ND) protocol to discover its neighbors' link-layer addresses
and neighbor reachability. ND can also auto-configure addresses and detect duplicate
addresses. ND enables routers to advertise their presence and address prefixes and to inform
hosts of a better next-hop address to forward packets.
The information collected from ND is stored in the Neighbor Cache. The Neighbor Cache
maintains information about each neighbor such as:
MAC Address
Reachability State
Neighbor Type
VLAN
Ingress Port
2.
3.
A switch sends ND packets to resolve a link-layer address that it wishes to send packets
to.
INCOMPLETE
The link-layer address of the neighbor has not yet been determined.
REACHABLE
The neighbor is known to have been reachable recently.
STALE
The neighbor is no longer known to be reachable but until traffic is sent to the neighbor, no
attempt should be made to verify its reachability.
DELAY
The neighbor is no longer known to be reachable and traffic has recently been sent to the
neighbor.
PROBE
The neighbor is no longer known to be reachable, and ND messages are sent to
the neighbor to verify reachability.
The neighbor types are LOCAL and DYNAMIC. The LOCAL neighbor type is for switch
pre-configured addresses and DYNAMIC is for neighbor addresses learnt from ND.
NOTE Once the Neighbor Cache table reaches 2000 entries, table entries are replaced
by adding the new entry and dropping the 2000th entry off the list. Table entries are kept until
the entry is replaced by a new one. During this 2000 full entries period, no new entries will be
used to sort for display.
[IP6 Neighbor Discovery Protocol Menu]
dump     - Show all IP6 neighbor cache entries
dump
Type  MAC address        VLAN  Port
----  -----------------  ----  ----
LOC   00:0e:62:f6:b2:00  1
DYN   00:50:da:16:f7:27  1     1
LOC   00:0e:62:f6:b2:00  1
LOC   00:0e:62:f6:b2:0e  1
LOC   00:0e:62:f6:b2:00  1
DYN   00:11:11:e3:32:b9  1     9
DYN   00:50:da:16:f7:27  1     1
/info/l3/bgp
BGP Information Menu
Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to
share routing information with each other and advertise information about the segments of the
IP address space they can access within their network with routers on external networks. For
more information, refer to the BGP section in the chapter The Configuration Menu on page 257
and the Application Guide.
[BGP Menu]
peer     - Show all BGP peers
summary  - Show all BGP peers in summary
dump     - Show BGP routing table
/info/l3/bgp/peer
BGP Peer information
Following is an example of the information that /info/l3/bgp/peer provides.
BGP Peer Information:
3: 2.1.1.1, version 0, TTL 1
Remote AS: 0, Local AS: 0, Link type: IBGP
Remote router ID: 0.0.0.0, Local router ID: 1.1.201.5
BGP status: idle, Old status: idle
Total received packets: 0, Total sent packets: 0
Received updates: 0, Sent updates: 0
Keepalive: 0, Holdtime: 0, MinAdvTime: 60
LastErrorCode: unknown(0), LastErrorSubcode: unspecified(0)
Established state transitions: 0
4: 2.1.1.4, version 0, TTL 1
Remote AS: 0, Local AS: 0, Link type: IBGP
Remote router ID: 0.0.0.0, Local router ID: 1.1.201.5
BGP status: idle, Old status: idle
Total received packets: 0, Total sent packets: 0
Received updates: 0, Sent updates: 0
Keepalive: 0, Holdtime: 0, MinAdvTime: 60
LastErrorCode: unknown(0), LastErrorSubcode: unspecified(0)
Established state transitions: 0
/info/l3/bgp/summary
BGP Summary information
Following is an example of the information that /info/l3/bgp/summary provides.
BGP Peer Summary Information:
Peer                V  AS        MsgRcvd   MsgSent   Up/Down   State
------------------  -  --------  --------  --------  --------  -----------
1: 205.178.23.142   4  142       113       121       00:00:28  established
2: 205.178.15.148   0  148       0         0         never     connect
/info/l3/bgp/dump
Dump BGP Information
Following is an example of the information that /info/l3/bgp/dump provides.
>> BGP# dump
Status codes: * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network         Next Hop         Metr  LcPrf  Wght  Path
   --------------- ---------------  ----- -----  ----  -------------
*> 10.0.0.0        205.178.21.147       1         256  147 148 i
*>i205.178.15.0    0.0.0.0                          0  i
*                  205.178.21.147       1         128  147 i
*> 205.178.17.0    205.178.21.147       1         128  147 i
   13.0.0.0        205.178.21.147       1         256  147 {35} ?
/info/l3/ospf
OSPF Information Menu
Nortel Application Switch Operating System supports the Open Shortest Path First (OSPF)
routing protocol. The Nortel Application Switch Operating System implementation conforms
to the OSPF version 2 specifications detailed in Internet RFC 1583. OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be
divided into smaller logical units known as areas. In any AS with multiple areas, one area must
be designated as area 0, known as the backbone. The backbone acts as the central OSPF area.
All other areas in the AS must be connected to the backbone. Areas inject summary routing
information into the backbone, which then distributes it to other areas as needed. For more
information on how to configure OSPF on the switch, refer to the OSPF section in chapter
The Configuration Menu on page 257 and your Nortel Application Switch Operating System
Application Guide.
[OSPF Information Menu]
general  - Show general information
aindex   - Show area(s) information
if       - Show interface(s) information
virtual  - Show details of virtual links
nbr      - Show neighbor(s) information
dbase    - Database Menu
sumaddr  - Show summary address list
nsumadd  - Show NSSA summary address list
routes   - Show OSPF routes
dump     - Show OSPF information
/info/l3/ospf/general
OSPF General Information
OSPF Version 2
Router ID: 47.80.23.247
Started at 95 and the process uptime is 352315
Area Border Router: yes, AS Boundary Router: no
LS types supported are 6
External LSA count 0
External LSA checksum sum 0x0
Number of interfaces in this router is 2
Number of virtual links in this router is 1
16 new lsa received and 34 lsa originated from this router
Total number of entries in the LSDB 10
Database checksum sum 0x0
Total neighbors are 1, of which
2 are >=INIT state,
2 are >=EXCH state,
2 are =FULL state
Number of areas is 2, of which 3-transit 0-nssa
Area Id : 0.0.0.0
Authentication : none
Import ASExtern : yes
Number of times SPF ran : 8
Area Border Router count : 2
AS Boundary Router count : 0
LSA count : 5
LSA Checksum sum : 0x2237B
Summary : noSummary
/info/l3/ospf/if
OSPF Interface Information
Ip Address 10.10.12.1, Area 0.0.0.1, Admin Status UP
Router ID 10.10.10.1, State DR, Priority 1
Designated Router (ID) 10.10.10.1, Ip Address 10.10.12.1
Backup Designated Router (ID) 10.10.14.1, Ip Address 10.10.12.2
Timer intervals, Hello 10, Dead 40, Wait 1663, Retransmit 5,
Poll interval 0, Transit delay 1
Neighbor count is 1
If Events 4, Authentication type none
/info/l3/ospf/dbase
OSPF Database Information
[OSPF Database Menu]
advrtr   - LS Database info for an Advertising Router
asbrsum  - ASBR Summary LS Database info
dbsumm   - LS Database summary
ext      - External LS Database info
nw       - Network LS Database info
nssa     - NSSA External LS Database info
rtr      - Router LS Database info
self     - Self Originated LS Database info
summ     - Network-Summary LS Database info
all      - All
/info/l3/ospf/routes
OSPF Information Route Codes
Codes: IA - OSPF inter area,
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
IA 10.10.0.0/16 via 200.1.1.2
IA 40.1.1.0/28 via 20.1.1.2
IA 80.1.1.0/24 via 200.1.1.2
IA 100.1.1.0/24 via 20.1.1.2
IA 140.1.1.0/27 via 20.1.1.2
IA 150.1.1.0/28 via 200.1.1.2
E2 172.18.1.1/32 via 30.1.1.2
E2 172.18.1.2/32 via 30.1.1.2
E2 172.18.1.3/32 via 30.1.1.2
E2 172.18.1.4/32 via 30.1.1.2
E2 172.18.1.5/32 via 30.1.1.2
E2 172.18.1.6/32 via 30.1.1.2
E2 172.18.1.7/32 via 30.1.1.2
E2 172.18.1.8/32 via 30.1.1.2
/info/ospf/dump
OSPF Dump Information
OSPF Version 2
Router ID: 1.1.1.1
Started at 42 and the process uptime is 1197051
Area Border Router: no, AS Boundary Router: no
External LSA count 0
Number of interfaces in this router is 0
Number of virtual links in this router is 0
0 new lsa received and 0 lsa originated from this router
Total number of entries in the LSDB 0
Total neighbors are 0, of which
0 are >=INIT state,
0 are >=EXCH state,
0 are =FULL state
Number of areas is 0, of which 0-transit 0-nssa
OSPF Neighbors:
Intf  NeighborID  Prio  State  Address
----  ----------  ----  -----  -------
OSPF LS Database:
OSPF LSDB breakdown for router with ID (1.1.1.1)
No areas enabled.
/info/l3/ip
IP Information
Interface information:
1: 47.80.23.81     255.255.254.0    47.80.23.255,    vlan 1, up
2: 172.31.4.1      255.255.255.0    172.31.4.255,    vlan 1, up
3: 172.31.3.1      255.255.255.0    172.31.3.255,    vlan 1, up
/info/l3/vrrp
VRRP Information
Virtual Router Redundancy Protocol (VRRP) support on Nortel Application Switch provides
redundancy between routers in a LAN. This is accomplished by configuring the same virtual
router IP address and ID number on each participating VRRP-capable routing device. One of
the virtual routers is then elected as the master, based on a number of priority criteria, and
assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address. Refer
to your Nortel Application Switch Operating System Application Guide for more information on
VRRP.
VRRP information:
10: vrid 10, 10.1.2.200,
11: vrid 11, 11.1.2.200,
12: vrid 12, 12.1.2.200,
13: vrid 13, 13.1.2.200,
14: vrid 14, 14.1.2.200,
20: vrid 20, 20.1.2.200,
27: vrid 27, 27.1.2.200,
28: vrid 28, 28.1.2.200,
100: vrid 100, 172.21.8.100,
server
172: vrid 172, 172.21.8.200,
254: vrid 254, 27.1.2.100,
server
255: vrid 255, 28.1.2.100,
server
VRRP information:
1: vrid 2, 205.178.18.210, if
2: vrid 1, 205.178.18.202, if
3: vrid 3, 205.178.18.204, if
if
if
if
if
if
if
if
if
if
When virtual routers are configured, you can view the status of each virtual router using this
command. VRRP information includes:
Interface number
Ownership status
owner identifies the preferred master virtual router. A virtual router is the owner
when the IP address of the virtual router and its IP interface are the same.
renter identifies virtual routers which are not owned by this device.
Priority value. During the election process, the virtual router with the highest priority
becomes master.
Activity status
Server status. The server state identifies virtual routers that support Layer 4 services.
These are known as virtual server routers: any virtual router whose IP address is the same
as any configured virtual server IP address.
Proxy status. The proxy state identifies virtual proxy routers, where the virtual router
shares the same IP address as a proxy IP address. The use of virtual proxy routers enables
redundant switches to share the same IP address, minimizing the number of unique IP
addresses that must be configured.
/info/l3/dump
Layer3 Dump Information
This command dumps all the information about Layer 3 parameters. This dump is a collection
of all the individual commands described in the sections above.
IP information:
Router ID: 45.1.1.201, AS number 100
Interface information:
2: 45.1.1.201      255.0.0.0        45.255.255.255,  vlan 1, up
3: 205.1.1.201     255.255.255.0    205.1.1.255,     vlan 1, up
4: 172.21.1.254    255.255.255.0    172.21.1.255,    vlan 1, up
MAC address        VLAN  Flags
-----------------  ----  -----
00:01:81:2e:a2:2e        D
00:01:81:2e:a2:20  1
00:01:81:2e:a2:20  1
00:01:81:2e:a2:20  1
* 205.1.1.0       255.255.255.0   205.1.1.201     direct    fixed          3
* 205.1.1.100     255.255.255.255 205.1.1.100     direct    vip
* 205.1.1.201     255.255.255.255 205.1.1.201     local     addr           3
* 205.1.1.255     255.255.255.255 205.1.1.255     broadcast broadcast      3
* 224.0.0.0       224.0.0.0       0.0.0.0         martian   martian
* 255.255.255.255 255.255.255.255 255.255.255.255 broadcast broadcast
OSPF is disabled.
Status codes: * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network         Next Hop         Metr  LcPrf  Wght  Path
   --------------- ---------------  ----- -----  ----- --------------
*> 45.0.0.0        0.0.0.0                           0  ?
*> 172.21.1.0      0.0.0.0                           0  ?
*> 205.1.1.0       0.0.0.0                           0  ?
/info/slb
Layer 4 Information Menu
Server Load Balancing (SLB) allows you to configure the Nortel Application Switch to balance user session traffic among a pool of available servers that provide shared services. In an
average network that employs multiple servers without server load balancing, each server usually specializes in providing one or two unique services. If one of these servers provides access
to applications or data that is in high demand, it can become overutilized. Placing this kind of
strain on a server can decrease the performance of the entire network as user requests are
rejected by the server and then resubmitted by the user stations. With this software feature, the
switch is aware of the services provided by each server and can direct user session traffic to an
appropriate server, based on a variety of load-balancing algorithms.
Refer to your Nortel Application Switch Operating System Application Guide for detailed information on this feature.
[Server Load Balancing Information Menu]
sess     - Session Table Information Menu
gslb     - Global SLB Information Menu
real     - Show real server information
group    - Show real server group information
virt     - Show virtual server information
filt     - Show filter information
port     - Show port information
wlm      - Show Workload Manager information
idshash  - Show IDS server selected by hash or minmisses metric
bind     - Show real server selected by hash, phash, or minmisses metric
cookie   - Decode the HEX value to get VIP, RIP and Rport
synatk   - Show SYN attack detection information
dump     - Show all layer 4 information
/info/slb/sess
Session Table Information
[Session Table Information Menu]
cip      - Show all session entries with source IP address
cip6     - Show all session entries with source IP6 address
cport    - Show all session entries with source port
dip      - Show all session entries with destination IP address
dip6     - Show all session entries with source IP6 address
dport    - Show all session entries with destination port
pip      - Show all session entries with proxy IP address
pport    - Show all session entries with proxy port
filter   - Show all session entries with matching filter
flag     - Show all session entries with matching flag
port     - Show all session entries with ingress port
real     - Show all session entries with real IP address
sp       - Show all session entries on sp
dump     - Show all session entries
help     - Session entry description
3, 01: 1.1.1.1 4586, 2.2.2.1 http -> 1.1.1.2 3567 3.3.3.1 http age 6 f:10 EUSPT c
(1)(2) (3)     (4)   (5)     (6)     (7a)    (7)  (8)     (9)  (10)  (11) (12)  (13)
Note: The fields, 1 to 13 associated with a session as identified in the above example, are described
in Session dump information in Nortel Application Switch Operating System on page 137.
help
Displays the description of the session entry.
Description
(1) SP number
This field indicates the Switch Processor number that created the
session.
This field shows the physical port through which the client traffic
enters the switch.
(3) Source IP address
This field identifies the source port from the client's TCP/UDP
packet.
(5) Destination IP address
(6) Destination port
(7a) Proxy IP address
For load balancing, this field contains the IP address of the real server
that the switch selects to forward the client packet to. If the switch does not
find a live server, this field is the same as the destination IP address (as in row
5).
For example:
3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10
3,01: 1.1.1.1 6970, 2.2.2.1 rtsp -> 2.2.2.1 21220 age 10 P
For filtering, this field also shows the real server IP address. No address is
shown if the filter action is Allow, Deny or NAT. It will show ALLOW,
DENY or NAT instead.
For example:
3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10 f:11
2,07: 1.1.1.1 1706, 2.2.2.1 http-> 192.168.4.10 linklb age 8 f:10 E
This field is the same as the destination port (field 6) for load balancing,
except for an RTSP UDP session. For an RTSP UDP session,
this server port is obtained from the client-server negotiation.
This field is the filtering application port for filtering. It is for
internal use only. This field can be urlwcr, wcr, idslb,
linkslb or nonat.
(10) Age
(12) Flag
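A parser for the session entry layout described above, as an added example that is not part of the Nortel manual: it splits each entry into the numbered fields and marks entries whose real server address equals the destination address, which the field description gives as the sign that no live server was found. The sample lines are the ones printed on this page; reading `f:` as the matching filter number, keeping ports as strings, and accepting ALLOW, DENY or NAT with or without a following port token are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Words the page says are printed in place of a real server address.
FILTER_ACTIONS = {"ALLOW", "DENY", "NAT"}

# Client side up to "->", everything between "->" and "age", then the tail.
SESSION_RE = re.compile(
    r"^\s*(?P<sp>\d+)\s*,\s*(?P<port>\d+)\s*:\s*"
    r"(?P<src_ip>\S+)\s+(?P<src_port>[^\s,]+)\s*,\s*"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+?)\s*->\s*"
    r"(?P<right>.*?)\s+age\s+(?P<age>\d+)(?P<tail>.*)$"
)

# The five session entries printed on this page.
SAMPLE = """\
3, 01: 1.1.1.1 4586, 2.2.2.1 http -> 1.1.1.2 3567 3.3.3.1 http age 6 f:10 EUSPT c
3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10
3,01: 1.1.1.1 6970, 2.2.2.1 rtsp -> 2.2.2.1 21220 age 10 P
3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10 f:11
2,07: 1.1.1.1 1706, 2.2.2.1 http-> 192.168.4.10 linklb age 8 f:10 E
"""


@dataclass
class Session:
    sp: int                      # (1) SP number
    ingress_port: int            # (2) physical port the client traffic entered on
    src_ip: str                  # (3)
    src_port: str                # (4) kept as text: the switch prints names such as http
    dst_ip: str                  # (5)
    dst_port: str                # (6)
    proxy_ip: Optional[str]      # (7a) only present when a proxy address is shown
    proxy_port: Optional[str]    # (7)
    real_ip: Optional[str]       # (8) None when an action word is shown instead
    server_port: Optional[str]   # (9)
    age: int                     # (10)
    filter_id: Optional[int]     # value after "f:" (assumed to be the filter number)
    flags: str                   # (12)
    action: Optional[str] = None                    # ALLOW, DENY or NAT
    extra: List[str] = field(default_factory=list)  # tokens the page does not describe

    @property
    def real_is_destination(self) -> bool:
        """True when field 8 repeats field 5 (per the page: no live server found)."""
        return self.real_ip is not None and self.real_ip == self.dst_ip


def parse_session(line: str) -> Session:
    m = SESSION_RE.match(line)
    if not m:
        raise ValueError(f"not a session entry: {line!r}")
    right = m.group("right").split()
    proxy_ip = proxy_port = real_ip = server_port = action = None
    if len(right) == 4:                       # proxy pair, then real server pair
        proxy_ip, proxy_port, real_ip, server_port = right
    elif len(right) in (1, 2) and right[0].upper() in FILTER_ACTIONS:
        action = right[0].upper()
        server_port = right[1] if len(right) == 2 else None
    elif len(right) == 2:                     # real server pair only
        real_ip, server_port = right
    else:
        raise ValueError(f"unexpected server side in: {line!r}")
    tail = m.group("tail").split()
    filter_id = None
    if tail and tail[0].startswith("f:"):
        filter_id = int(tail.pop(0)[2:])
    flags = tail.pop(0) if tail else ""
    return Session(
        sp=int(m.group("sp")), ingress_port=int(m.group("port")),
        src_ip=m.group("src_ip"), src_port=m.group("src_port"),
        dst_ip=m.group("dst_ip"), dst_port=m.group("dst_port"),
        proxy_ip=proxy_ip, proxy_port=proxy_port,
        real_ip=real_ip, server_port=server_port,
        age=int(m.group("age")), filter_id=filter_id,
        flags=flags, action=action, extra=tail,
    )


def parse_dump(text: str) -> List[Session]:
    """Parse every line that contains '->'; other lines of the dump are skipped."""
    return [parse_session(line) for line in text.splitlines() if "->" in line]


if __name__ == "__main__":
    for s in parse_dump(SAMPLE):
        note = " (real server == destination)" if s.real_is_destination else ""
        print(f"SP {s.sp} port {s.ingress_port}: {s.src_ip}:{s.src_port} -> "
              f"{s.real_ip or s.action}:{s.server_port} filter={s.filter_id}{note}")
```
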
320506-A, January 2006
/info/slb/gslb
Global SLB Information Menu
A Nortel Application Switch Operating System running Global SLB selects the most appropriate site to direct the client traffic for a given domain during the initial client connection. The
menu for this feature displays the following information:
[Global SLB Information Menu]
virt     - Show Global SLB
site     - Show Global SLB
rule     - Show Global SLB
geo      - Show Global SLB
pers     - Show Global SLB
dump     - Show all Global
/info/slb/dump
Show All Layer 4 Information
Real server state:
1: 210.1.2.200, 00:01:02:c1:4b:48, vlan 1, port 1, health 3, up
2: 210.1.2.1, 00:01:02:70:4d:4a, vlan 1, port 8, health 3, up
26: 20.20.20.102, 00:03:47:07:a4:9e, vlan 1, port 6, health 3, up
27: 20.20.20.101, 00:01:02:71:9c:a6, vlan 1, port 7, health 3, up
state:
filt disabled, filters: 80
idslb filt enabled, filters: 200
idslb filt enabled, filters: 200
filt disabled, filters: 50 200
/info/bwm
Bandwidth Management Information
Bandwidth Management (BWM) enables Web site managers to allocate a portion of the available bandwidth for specific users or applications. It allows companies to guarantee that critical
business traffic, such as e-commerce transactions, receives higher priority than non-critical traffic. Traffic classification can be based on user or application information. BWM policies
can be configured to set lower and upper bounds on the bandwidth allocation.
You can see the following information on your switch when you execute this command:
[Bandwidth Management Information Menu]
ipuser   - BWM IP User Entries Information Menu
cont     - Show Bandwidth Management Contract information
cont
Displays the BWM contract information configured on this switch.
/info/bwm/ipuser
BWM IP User Information Menu
[BWM IP User Entries Information Menu]
ip       - Show all IP user entries with IP address
cont     - Show all IP user entries for a contract
sp       - Show all IP user entries on sp
dump     - Show all IP user entries
Offered Rate: the rate including the discards for this IP address
/info/bwm/cont
BWM Contract Information
Current Bandwidth Management setting: ON
Policy Enforcement:enabled
BWM history will be mailed in a minute
to 'abcd' at host '100.81.138.26'
BWM IP user table entries 64k
Contract Policy Per User Traffic
Num Name Prec Hard Soft Resv Limit Key State Shaping
1 123456789012345 2 1 50M 1M 500K E D
2 vlan 4 1 60M 2M 500K E D
3 filter 7 20 2M 1M 500K E D
4 5 1 2M 1M 500K D D
5 512 1 2M 1M 500K E D
10 10 1 1M 0K 0K 500K sip E D
11 11 1 100M 80M 500K 2M sip E D
12 12 1 2M 1M 500K E D
13 13 1 3M 1M 500K E D
14 14 1 4M 400K 100K E D
15 15 1 2M 1M 500K E D
This command displays information about any configured contracts and the BWM policies
applied to the contracts.
Table 4-33 BWM Contract Information
Field
Description
Contract
Policy
Description
Per User
State
Traffic Shaping
/info/security
Security Information
[Security Information Menu]
port     - Show port security information
ipacl    - Show IP ACL information
udpblast - Show UDP blast protection information
dos      - Show protocol anomaly and DoS attack prevention information
dump     - Show all security information
/info/link
Link Status Information
Alias  Port  Speed   Duplex  Flow Ctrl      Link
-----  ----  ------  ------  --TX-----RX--  ----
1      1     10/100  any       yes    yes   down
2      2     10/100  any       yes    yes   down
3      3     10/100  any       yes    yes   down
4      4     10/100  any       yes    yes   down
5      5     10/100  any       yes    yes   down
6      6     10/100  any       yes    yes   down
7      7     10/100  any       yes    yes   down
8      8     10/100  any       yes    yes   down
9      9     10/100  any       yes    yes   down
10     10    10/100  any       yes    yes   down
11     11    10/100  any       yes    yes   down
12     12    10/100  any       yes    yes   down
13     13    10/100  any       yes    yes   down
14     14    10/100  any       yes    yes   down
15     15    10/100  any       yes    yes   down
16     16    10/100  any       yes    yes   down
17     17    10/100  any       yes    yes   down
18     18    10/100  any       yes    yes   down
19     19    10/100  any       yes    yes   down
20     20    10/100  any       yes    yes   down
21     21    10/100  any       yes    yes   down
22     22    10/100  any       yes    yes   down
23     23    10/100  any       yes    yes   down
24     24    10/100  any       yes    yes   down
25     25    1000    full      yes    yes   down
26     26    1000    full      yes    yes   down
27     27    1000    full      yes    yes   down
28     28    1000    full      yes    yes   down
Use this command to display link status information about each port on a Nortel Application
Switch slot, including:
Port Alias
Port number
/info/port
Port Information
Alias  Port  Tag  RMON  PVID  BWC   NAME            VLAN(s)
-----  ----  ---  ----  ----  ----  --------------  --------------
1      1     y    d     1     1024                  1
2      2     n    d     2     1024                  2
3      3     n    d     3     1024                  3
4      4     n    d     3     1024                  3
5      5     n    d     1     1024                  1
6      6     n    d     1     5                     1
7      7     n    d     1     1024                  1
8      8     n    d     1     1024                  1
9      9     n    d     1     1024                  1
10     10    n    d     1     1024                  1
11     11    n    d     1     1024                  1
12     12    n    d     1     1024                  1
13     13    n    d     1     6                     1
14     14    n    d     1     1024                  1
15     15    n    d     1     1024                  1
16     16    n    d     1     1024                  1
17     17    n    d     1     1024                  1
18     18    n    d     1     1024                  1
19     19    n    d     1     1024                  1
20     20    n    d     1     1024                  1
21     21    n    d     1     1024                  1
22     22    n    d     1     1024                  1
23     23    n    d     1     1024                  1
24     24    n    d     1     1024                  1
25     25    n    d     1     1024                  1
26     26    n    d     1     1024                  1
27     27    n    d     1     1024                  1
28     28    n    d     1     1024                  1
Port alias
Port number
Port name
VLAN membership
/info/swkey
Software Enabled Keys
For optional Layer 4 switching software, the information would be displayed as follows:
Enabled Software features:
Layer 4: GSLB
Bandwidth Management
Security Pack
Enabled Software features:
Layer 4: GSLB
Inbound Linklb
Intelligent Traffic Management
Software key information includes a list of all the optional software packages which have been
activated or installed on your switch. For information on ordering optional software license
keys, see How to Get Help on page 24.
/info/dump
Information Dump
Use the dump command to dump all switch information available from the Information Menu
(10K or more, depending on your configuration). This data is useful for tuning and debugging
switch performance.
If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump commands.
CHAPTER 5
/stats
Statistics Menu
[Statistics Menu]
sys      - System Stats Menu
port     - Port Stats Menu
pmirr    - Port Mirroring Stats Menu
l2       - Layer 2 Stats Menu
l3       - Layer 3 Stats Menu
slb      - Server Load Balancing (Layer 4-7) Stats Menu
bwm      - Bandwidth Management Stats Menu
security - Security Stats Menu
mp       - MP-specific Stats Menu
sp       - SP-specific Stats Menu
dump     - Dump all stats
/stats/sys
System statistics menu
This menu displays traffic statistics on a system basis.
[System Statistics Menu]
     access   - System Access Menu
     mgmt     - Show management port stats
     ntp      - Show NTP server stats
     snmp     - Show SNMP stats
     dump     - Dump system stats
63242584
63277826
0
0
NA
NA
0
Description
dot1PortInFrames
The number of frames that have been received by this port from its segment. A frame received on the interface corresponding to this port is only
counted by this object if and only if it is for a protocol being processed by
the local bridging function, including bridge management frames.
dot1PortOutFrames
The number of frames that have been transmitted by this port to its segment. Note that a frame transmitted on the interface corresponding to this
port is only counted by this object if and only if it is for a protocol being
processed by the local bridging function, including bridge management
frames.
dot1PortInDiscards
Count of valid frames received which were discarded (that is, filtered) by
the Forwarding Process.
dot1TpLearnedEntryDiscards
dot1BasePortDelayExceededDiscards
dot1BasePortMtuExceededDiscards
dot1StpPortForwardTransitions
The number of times this port has transitioned from the Learning state to
the Forwarding state.
0
0
0
0
NA
0
0
0
NA
0
0
0
NA
Description
dot3StatsAlignmentErrors
dot3StatsFCSErrors
dot3StatsSingleCollisionFrames
dot3StatsMultipleCollisionFrames
dot3StatsSQETestErrors
A count of times that the SQE TEST ERROR message is generated by the
PLS sublayer for a particular interface. The SQE TEST ERROR is set in
accordance with the rules for the verification of the SQE detection mechanism in the PLS Carrier Sense Function as described in IEEE Std. 802.3, 1998 Edition, section 7.2.4.6.
This counter does not increment when the interface is operating in full-duplex mode.
dot3StatsDeferredTransmissions
dot3StatsLateCollisions
dot3StatsExcessiveCollisions
dot3StatsInternalMacTransmitErrors
dot3StatsCarrierSenseErrors
The number of times that the carrier sense condition was lost or never
asserted when attempting to transmit a frame on a particular interface.
The count represented by an instance of this object is incremented at most
once per transmission attempt, even if the carrier sense condition fluctuates during a transmission attempt.
This counter does not increment when the interface is operating in full-duplex mode.
dot3StatsFrameTooLongs
A count of frames received on a particular interface that exceed the maximum permitted frame size.
The count represented by an instance of this object is incremented when
the frameTooLong status is returned by the MAC service to the LLC
(or other MAC user). Received frames for which multiple error conditions are obtained are, according to the conventions of IEEE 802.3 Layer
Management, counted exclusively according to the error status presented
to the LLC.
dot3StatsInternalMacReceiveErrors
dot3CollFrequencies
ifHCOut Counters
51721056808
65385714
6516
0
0
0
Description
ifHCInOctets
ifHCInUcastPkts
ifHCInBroadcastPkts
ifHCInMulticastPkts
ifHCInDiscards
ifHCInErrors
ifHCOutOctets
Description
ifHCOutUcastPkts
ifHCOutBroadcastPkts
ifHCOutMulticastPkts
ifHCOutDiscards
ifHCOutErrors
0
0
0
0
0
0
ipForwDatagrams:
ipInDiscards:
0
0
Description
ipInReceives
Description
ipInAddrErrors
ipForwDatagrams
The number of input datagrams for which this entity (the switch) was not
their final IP destination, as a result of which an attempt was made to find
a route to forward them to that final destination. In entities which do not
act as IP Gateways, this counter will include only those packets which
were Source-Routed via this entity (the switch), and the Source-Route
option processing was successful.
ipInUnknownProtos
ipInDiscards
The number of input IP datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (for
example, for lack of buffer space). Note that this counter does not include
any datagrams discarded while awaiting re-assembly.
ipInDelivers
The total number of input datagrams successfully delivered to IP user-protocols (including ICMP).
ipTtlExceeds
The number of IP datagrams for which an ICMP TTL exceeded message was sent.
ipLANDattacks
The number of packets that have the same source and destination IP
address.
Description
linkStateChange
0
129677
1485
734
712
0
0
0
0
0
0
954
578
35
26
16
8
Description
etherStatsDropEvents
The total number of events in which packets were dropped by the probe
due to lack of resources. Note that this number is not necessarily the number of packets dropped; it is just the number of times this condition has
been detected.
Description
etherStatsOctets
etherStatsPkts
etherStatsBroadcastPkts
The total number of good packets received that were directed to the
broadcast address. Note that this does not include multicast packets.
etherStatsMulticastPkts
The total number of good packets received that were directed to a multicast address. Note that this number does not include packets directed to
the broadcast address.
etherStatsCRCAlignErrors
The total number of packets received that had a length (excluding framing bits, but including Frame Check Sequence (FCS) octets) of between
64 and 1518 octets, inclusive, but had either a bad Frame Check
Sequence (FCS) with an integral number of octets (FCS Error) or a bad
FCS with a non-integral number of octets (Alignment Error).
etherStatsUndersizePkts
The total number of packets received that were less than 64 octets long
(excluding framing bits, but including FCS octets) and were otherwise
well formed.
etherStatsOversizePkts
The total number of packets received that were longer than 1518 octets
(excluding framing bits, but including FCS octets) and were otherwise
well formed.
Description
etherStatsFragments
The total number of packets received that were less than 64 octets in
length (excluding framing bits but including FCS octets) and had either a
bad Frame Check Sequence (FCS) with an integral number of octets
(FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).
Note that it is entirely normal for etherStatsFragments to increment. This is because it counts both runts (which are normal occurrences
due to collisions) and noise hits. (A runt is a packet that is less than 64
bytes.)
etherStatsJabbers
The total number of packets received that were longer than 1518 octets
(excluding framing bits, but including FCS octets), and had either a bad
Frame Check Sequence (FCS) with an integral number of octets (FCS
Error) or a bad FCS with a non-integral number of octets (Alignment
Error).
Note that this definition of jabber is different than the definition in IEEE802.3 section 8.2.1.5 (10Base-5) and section 10.3.1.4 (10Base-2). These
documents define jabber as the condition where any packet exceeds 20
ms. The allowed range to detect jabber is between 20 milliseconds and
150 milliseconds.
etherStatsCollisions
The best estimate of the total number of collisions on this Ethernet segment.
The value returned will depend on the location of the RMON probe. Section 8.2.1.3 (10Base-5) and section 10.3.1.3 (10Base-2) of IEEE standard
802.3 states that a station must detect a collision, in the receive mode, if
three or more stations are transmitting simultaneously. A repeater port
must detect a collision when two or more stations are transmitting simultaneously. Thus a probe placed on a repeater port could record more collisions than a probe connected to a station on the same segment would.
Probe location plays a much smaller role when considering 10Base-T.
14.2.1.4 (10Base-T) of IEEE standard 802.3 defines a collision as the
simultaneous presence of signals on the DO and RD circuits (transmitting
and receiving at the same time). A 10Base-T station can only detect collisions when it is transmitting. Thus probes placed on a station and a
repeater, should report the same number of collisions.
Note also that an RMON probe inside a repeater should ideally report collisions between the repeater and one or more other hosts (transmit collisions as defined by IEEE 802.3k) plus receiver collisions observed on
any coax segments to which the repeater is connected.
etherStatsPkts64Octets
The total number of packets (including bad packets) received that were
64 octets in length (excluding framing bits but including Frame Check
Sequence (FCS) octets).
Description
etherStatsPkts65to127Octets
The total number of packets (including bad packets) received that were
between 65 and 127 octets in length (excluding framing bits but including
FCS octets).
etherStatsPkts128to255Octets
The total number of packets (including bad packets) received that were
between 128 and 255 octets in length (excluding framing bits but including Frame Check Sequence (FCS) octets).
etherStatsPkts256to511Octets
The total number of packets (including bad packets) received that were
between 256 and 511 octets in length (excluding framing bits but including FCS octets).
etherStatsPkts512to1023Octets
The total number of packets (including bad packets) received that were
between 512 and 1023 octets in length (excluding framing bits but including FCS octets).
etherStatsPkts1024to1518Octets
The total number of packets (including bad packets) received that were
between 1024 and 1518 octets in length (excluding framing bits but
including FCS octets).
0
123840
1406
698
669
0
0
0
0
0
0
906
548
35
25
16
8
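The length and FCS rules in the etherStats descriptions above partition every received frame into exactly one error or size class. The following added example (not code from the Nortel documentation) applies those rules to a list of frames; the function names and the sample frames are constructed for illustration, and it assumes that a "good" packet for the broadcast and multicast counters means 64 to 1518 octets with a valid FCS.

```python
from collections import Counter

# Lengths are in octets, excluding framing bits but including FCS octets,
# exactly as the counter descriptions state.
MIN_LEN, MAX_LEN = 64, 1518

SIZE_BUCKETS = (
    (64, 64, "etherStatsPkts64Octets"),
    (65, 127, "etherStatsPkts65to127Octets"),
    (128, 255, "etherStatsPkts128to255Octets"),
    (256, 511, "etherStatsPkts256to511Octets"),
    (512, 1023, "etherStatsPkts512to1023Octets"),
    (1024, 1518, "etherStatsPkts1024to1518Octets"),
)

ERROR_COUNTERS = (
    "etherStatsCRCAlignErrors",
    "etherStatsUndersizePkts",
    "etherStatsOversizePkts",
    "etherStatsFragments",
    "etherStatsJabbers",
)


def classify(length, fcs_ok, dest="unicast"):
    """Return the counters that one received frame increments.

    dest is "unicast", "broadcast" or "multicast" (hypothetical parameter).
    """
    hits = []
    if length < MIN_LEN:
        # Short and otherwise well formed -> undersize; short with bad FCS -> fragment.
        hits.append("etherStatsUndersizePkts" if fcs_ok else "etherStatsFragments")
    elif length > MAX_LEN:
        # Long and otherwise well formed -> oversize; long with bad FCS -> jabber.
        hits.append("etherStatsOversizePkts" if fcs_ok else "etherStatsJabbers")
    else:
        if not fcs_ok:
            hits.append("etherStatsCRCAlignErrors")
        # The size buckets include bad packets, so they count either way.
        for low, high, name in SIZE_BUCKETS:
            if low <= length <= high:
                hits.append(name)
                break
        # Assumption: "good" means legal length and valid FCS.
        if fcs_ok and dest == "broadcast":
            hits.append("etherStatsBroadcastPkts")
        elif fcs_ok and dest == "multicast":
            hits.append("etherStatsMulticastPkts")
    return hits


def tally(frames):
    """Accumulate counters over (length, fcs_ok, dest) tuples."""
    counts = Counter()
    for length, fcs_ok, dest in frames:
        counts.update(classify(length, fcs_ok, dest))
    return counts


def incremented_errors(counts):
    """Error counters that moved, leaving out etherStatsFragments, which the
    description above says increments in normal operation (collision runts)."""
    return sorted(
        name for name in ERROR_COUNTERS
        if counts[name] and name != "etherStatsFragments"
    )


# Constructed sample frames: (length, fcs_ok, dest)
FRAMES = [
    (64, True, "broadcast"),
    (60, False, "unicast"),    # runt with bad FCS
    (40, True, "unicast"),     # short but well formed
    (1518, False, "unicast"),  # legal length, bad FCS
    (1600, True, "unicast"),   # long but well formed
    (2000, False, "unicast"),  # long with bad FCS
    (300, True, "multicast"),
    (1518, True, "unicast"),
]

if __name__ == "__main__":
    for name, value in sorted(tally(FRAMES).items()):
        print(f"{name}: {value}")
    print("check:", incremented_errors(tally(FRAMES)))
```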
/stats/pmirr
Port mirroring statistics menu
This menu displays port mirroring statistics on an all ports basis.
[Port Mirroring Statistics Menu]
     dump     - Show port mirroring stats
     clear    - Clear all port mirroring stats
/stats/l2
Layer 2 Statistics Menu
[Layer 2 Statistics Menu]
     fdb      - Show FDB stats
     lacp     - Show LACP stats
     stg      - Show STG stats
     dump     - Dump layer 2 stats
/stats/l2/fdb
FDB Statistics
FDB statistics:
 creates:            9611   deletes:            9553
 current:              58   hiwat:                65
 lookups:          850254   lookup fails:     151373
 finds:              5832   find fails:            0
 find_or_c's:       11874   overflows:             0
 max:               16384
This menu option enables you to display statistics regarding the use of the forwarding database, including the number of new entries, finds, and unsuccessful searches.
FDB statistics are described in the following table:
Table 5-12 Forwarding Database Statistics (/stats/l2/fdb)
Statistic
Description
creates
current
lookups
finds
find_or_cs
deletes
hiwat
lookup fails
find fails
overflows
Description
max
/stats/l2/lacp
LACP Statistics
>> Layer 2 Statistics# lacp 1
port 1
Valid LACPDUs received            9394
Valid Marker PDUs received        0
Valid Marker Rsp PDUs received    0
Unknown version/TLV type          0
Illegal subtype received          0
LACPDUs transmitted               8516
Marker PDUs transmitted           0
Marker Rsp PDUs transmitted       0
Description
Valid LACPDUs received
The number of LACPDUs that the switch received on this port.
Valid Marker PDUs received
The number of valid Marker PDUs that the switch received on this
port.
Unknown version/TLV type
Illegal subtype received
LACPDUs transmitted
Marker Rsp PDUs transmitted
The number of Marker Responses transmitted out of this port.
/stats/l2/stg
Spanning Tree Group Statistics
Spanning Tree Group 1:
Port   Rcv Cfg    Rcv TCN    Xmt Cfg    Xmt TCN
-----  ---------  ---------  ---------  ---------
1      0          0          0          0
2      0          0          0          0
3      0          0          0          0
4      0          0          0          0
5      0          0          0          0
6      0          0          0          0
7      0          0          0          0
8      0          0          0          0
9      139046     176        27         15
10     0          0          0          0
11     0          0          0          0
12     0          0          0          0
13     0          0          0          0
14     0          0          0          0
15     0          0          0          0
16     0          0          0          0
17     0          0          0          0
18     0          0          0          0
19     0          0          0          0
20     0          0          0          0
21     0          0          0          0
22     0          0          0          0
23     0          0          0          0
24     0          0          0          0
25     0          0          0          0
26     0          0          0          0
27     0          0          0          0
28     0          0          0          0
Description
Port
Rcv cfg
Rcv TCN
Xmt Cfg
Description
Xmt TCN
/stats/l3
Layer 3 Statistics Menu
[Layer 3 Statistics Menu]
     ospf     - OSPF Statistics Menu
     ip       - Show IP stats
     ip6      - Show IP6 stats
     route    - Show route stats
     arp      - Show ARP stats
     vrrp     - Show VRRP stats
     dns      - Show DNS stats
     icmp     - Show ICMP stats
     if       - Show IP interface ("if") stats
     tcp      - Show TCP stats
     udp      - Show UDP stats
     ifclear  - Clear IP interface ("if") stats
     ipclear  - Clear IP stats
     dump     - Dump layer 3 stats
/stats/l3/ospf
OSPF Statistics Menu
[OSPF stats Menu]
     general  - Show global stats
     aindex   - Show area(s) stats
     if       - Show interface(s) stats
/stats/l3/ospf/general
OSPF Global Statistics
The OSPF General Statistics contain the sum total of all OSPF packets received on all OSPF
areas and interfaces.
OSPF stats
----------
Rx/Tx Stats:             Rx         Tx
                      --------   --------
 Pkts                        0          0
 hello                      23        518
 database                    4         12
 ls requests                 3          1
 ls acks                     7          7
 ls updates                  9          7

Nbr change stats:
 hello                       2
 start                       0
 n2way                       2
 adjoint ok                  2
 negotiation done            2
 exchange done               2
 bad requests                0
 bad sequence                0
 loading done                2
 n1way                       0
 rst_ad                      0
 down                        1

Intf change Stats:
 hello                       4
 down                        2
 loop                        0
 unloop                      0
 wait timer                  2
 backup                      0
 nbr change                  5

Timers kickoff
 hello                     514
 retransmit               1028
 lsa lock                    0
 lsa ack                     0
 dbage                       0
 summary                     0
 ase export                  0
Description
Rx/Tx Stats:
Rx Pkts
The sum total of all OSPF packets received on all OSPF areas and interfaces.
Tx Pkts
The sum total of all OSPF packets transmitted on all OSPF areas and
interfaces.
Rx Hello
The sum total of all Hello packets received on all OSPF areas and interfaces.
Tx Hello
The sum total of all Hello packets transmitted on all OSPF areas and
interfaces.
Rx Database
The sum total of all Database Description packets received on all OSPF
areas and interfaces.
Tx Database
Rx ls Requests
The sum total of all Link State Request packets received on all OSPF
areas and interfaces.
Tx ls Requests
The sum total of all Link State Request packets transmitted on all OSPF
areas and interfaces.
Rx ls Acks
The sum total of all Link State Acknowledgement packets received on all
OSPF areas and interfaces.
Tx ls Acks
Rx ls Updates
The sum total of all Link State Update packets received on all OSPF areas
and interfaces.
Tx ls Updates
The sum total of all Link State Update packets transmitted on all OSPF
areas and interfaces.
Description
The sum total of all Hello packets received from neighbors on all OSPF
areas and interfaces.
Start
The sum total number of neighbors in this state (that is, an indication that
Hello packets should now be sent to the neighbor at intervals of HelloInterval seconds) across all OSPF areas and interfaces.
n2way
adjoint ok
negotiation done
The sum total number of neighbors in this state wherein the Master/slave
relationship has been negotiated, and sequence numbers have been
exchanged, across all OSPF areas and interfaces.
exchange done
The sum total number of neighbors in this state (that is, in an adjacency's
final state) having transmitted a full sequence of Database Description
packets, across all OSPF areas and interfaces.
bad requests
The sum total number of Link State Requests which have been received
for a link state advertisement not contained in the database across all
interfaces and OSPF areas.
bad sequence
The sum total number of Database Description packets which have been
received that either:
a) Has an unexpected DD sequence number
b) Unexpectedly has the init bit set
c) Has an options field differing from the last Options field
received in a Database Description packet.
Any of these conditions indicate that some error has occurred during
adjacency establishment for all OSPF areas and interfaces.
loading done
The sum total number of link state updates received for all out-of-date
portions of the database across all OSPF areas and interfaces.
n1way
The sum total number of Hello packets received from neighbors, in which
this router is not mentioned across all OSPF interfaces and areas.
rst_ad
The sum total number of times the Neighbor adjacency has been reset
across all OSPF areas and interfaces.
Description
down
The total number of Neighboring routers down (that is, in the initial
state of a neighbor conversation) across all OSPF areas and interfaces.
The sum total number of Hello packets sent on all interfaces and areas.
down
loop
unloop
wait timer
The sum total number of times the Wait Timer has been fired, indicating
the end of the waiting period that is required before electing a (Backup)
Designated Router across all OSPF areas and interfaces.
backup
The sum total number of Backup Designated Routers on the attached network for all OSPF areas and interfaces.
nbr change
Timers Kickoff:
hello
The sum total number of times the Hello timer has been fired (which triggers the send of a Hello packet) across all OSPF areas and interfaces.
retransmit
The sum total number of times the Retransmit timer has been fired across
all OSPF areas and interfaces.
lsa lock
The sum total number of times the Link State Advertisement (LSA) lock
timer has been fired across all OSPF areas and interfaces.
lsa ack
The sum total number of times the LSA Ack timer has been fired across
all OSPF areas and interfaces.
dbage
The total number of times the data base age (Dbage) has been fired.
summary
The total number of times the Summary timer has been fired.
ase export
The total number of times the Autonomous System Export (ASE) timer
has been fired.
/stats/l3/ip
IP Statistics
IP statistics:
ipInReceives:          3115873  ipInHdrErrors:               1
ipInAddrErrors:          35447  ipForwDatagrams:             0
ipInUnknownProtos:      500504  ipInDiscards:                0
ipInDelivers:          2334166  ipOutRequests:         1010542
ipOutDiscards:               4  ipOutNoRoutes:               4
ipReasmReqds:                0  ipReasmOKs:                  0
ipReasmFails:                0  ipFragOKs:                   0
ipFragFails:                 0  ipFragCreates:               0
ipRoutingDiscards:           0  ipDefaultTTL:              255
ipReasmTimeout:              5
Description
ipInReceives
ipInHdrErrors
The number of input datagrams discarded due to errors in their IP headers, including bad checksums, version number mismatch, other format
errors, time-to-live exceeded, errors discovered in processing their IP
options, and so forth.
ipInAddrErrors
ipForwDatagrams
The number of input datagrams for which this entity (the switch) was not
their final IP destination, as a result of which an attempt was made to find
a route to forward them to that final destination. In entities which do not
act as IP Gateways, this counter will include only those packets, which
were Source-Routed via this entity (the switch), and the Source-Route
option processing was successful.
ipInUnknownProtos
The number of locally addressed datagrams received successfully but discarded because of an unknown or unsupported protocol.
Description
ipInDiscards
The number of input IP datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (for
example, for lack of buffer space). Note that this counter does not include
any datagrams discarded while awaiting re-assembly.
ipInDelivers
The total number of input datagrams successfully delivered to IP user-protocols (including ICMP).
ipOutRequests
The total number of IP datagrams which local IP user-protocols (including ICMP) supplied to IP in requests for transmission. Note that this
counter does not include any datagrams counted in
ipForwDatagrams.
ipOutDiscards
ipOutNoRoutes
ipReasmReqds
ipReasmOKs
ipReasmFails
ipFragOKs
ipFragFails
ipFragCreates
Description
ipRoutingDiscards
ipDefaultTTL
The default value inserted into the Time-To-Live (TTL) field of the
IP header of datagrams originated at this entity (the switch), whenever a
TTL value is not supplied by the transport layer protocol.
ipReasmTimeout
/stats/l3/ip6
IP6 Statistics Menu
>> Layer 3 Statistics# /stat/l3/ip6
-----------------------------------------------------------------
IP6 statistics:
InReceives:                  20519
InDiscards:                  2
InDelivers:                  24793
ForwDatagrams:               0
UnknownProtos:               0
InAddrErrors:                0
OutRequests:                 34548
OutNoRoutes:                 0
ReasmOKs:                    0
ReasmFails:                  0
IcmpInMsgs:                  24793
IcmpInErrors:                4268
IcmpOutMsgs:                 12829
IcmpOutErrors:               4271
InEchos:                     0
OutEchos:                    8538
InEchoReplies:               8536
OutEchoReplies:              0
InDestUnreachs:              4268
OutDestUnreachs:             4271
InPktTooBigs:                0
OutPktTooBigs:               0
InTimeExcds:                 0
OutTimeExcds:                0
-----------------------------------------------------------------
ICMP6 statistics:
Interface: 1
InMsgs:                      18929
InErrors:                    0
InEchos:                     0
InEchoReplies:               4268
InNeighborSolicits:          4513
InNeighborAdvertisements:    4271
InRouterSolicits:            0
InRouterAdvertisements:      5877
InDestUnreachs:              0
InTimeExcds:                 0
InPktTooBigs:                0
InParmProblems:              0
InRedirects:                 0
OutMsgs:                     4280
OutErrors:                   0
OutEchos:                    4269
OutEchoReplies:              0
OutNeighborSolicits:         3
OutNeighborAdvertisements:   4516
OutRouterSolicits:           0
OutRouterAdvertisements:     1
OutRedirects:                0
-----------------------------------------------------------------
Interface: 7
InMsgs:                      5864
InErrors:                    4268
InEchos:                     0
InEchoReplies:               4268
InNeighborSolicits:          122
InNeighborAdvertisements:    3
InRouterSolicits:            0
InRouterAdvertisements:      1471
InDestUnreachs:              4268
InTimeExcds:                 0
InPktTooBigs:                0
InParmProblems:              0
InRedirects:                 0
OutMsgs:                     8549
OutErrors:                   4271
OutEchos:                    4269
OutEchoReplies:              0
OutNeighborSolicits:         2
OutNeighborAdvertisements:   124
OutRouterSolicits:           0
OutRouterAdvertisements:     1
OutRedirects:                0
-----------------------------------------------------------------
IP6 gateway health check statistics:
gateway 5   echo-req 4269   echo-resp 4268   fails 0
gateway 7   echo-req 4269   echo-resp 0      fails 4268
Description
InDelivers
The total number of datagrams successfully delivered to IPv6 user-protocols (including ICMP). This counter is incremented at the
interface to which these datagrams were addressed which might not
be necessarily the input interface for some of the datagrams.
UnknownProtos
OutRequests
ReasmOKs
InDiscards
ForwDatagrams
The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as
IPv6 routers, this counter will include only those packets which
were Source-Routed via this entity, and the Source-Route processing
was successful. Note that for a successfully forwarded datagram the
counter of the outgoing interface is incremented.
InAddrErrors
Description
OutNoRoutes
ReasmFails
IcmpInMsgs
IcmpOutMsgs
IcmpInErrors
IcmpOutErrors
The number of ICMP messages which this interface did not send due
to problems discovered within ICMP such as a lack of buffers. This
value should not include errors discovered outside the ICMP layer
such as the inability of IPv6 to route the resultant datagram. In some
implementations there may be no types of error which contribute to
this counter's value.
IcmpInEchos
InNeighborSolicits
Description
InRouterSolicits
InDestUnreachs
InPktTooBigs
InRedirects
InErrors
InEchoReplies
InNeighborAdvertisements
InRouterAdvertisements
InTimeExcds
InParmProblems
OutMsgs
OutEchos
OutNeighborSolicits
OutRouterSolicits
OutRedirects
The number of Redirect messages sent. For a host, this object will
always be zero, since hosts do not send redirects.
Description
OutErrors
The number of ICMP messages which this interface did not send due
to problems discovered within ICMP such as a lack of buffers. This
value should not include errors discovered outside the ICMP layer
such as the inability of IPv6 to route the resultant datagram. In some
implementations there may be no types of error which contribute to
this counter's value.
OutEchoReplies
OutNeighborAdvertisements
OutRouterAdvertisements
/stats/l3/route
Route Statistics
Route statistics:
ipRoutesCur:              3  ipRoutesHighWater:        3
ipRoutesMax:           4096
-----------------------------------------------------------------
SP Route statistics:
SP   ipRoutesCur    ipRoutesHighWater    ipRoutesMax
---  -------------  -------------------  -------------
1    3              3                    4096
2    3              3                    4096
3    3              3                    4096
4    3              3                    4096
-----------------------------------------------------------------
RIP statistics:
ripInPkts:
ripDiscardPkts:
BGP statistics:
bgpInPkts:
bgpBadPkts:
bgpRoutesAdded:
bgpRoutesCur:
bgpRoutesIgnored:
0
0
0
0
0
ripOutPkts:
0 ripRoutesAgedOut:
bgpOutPkts:
bgpSessFailures:
bgpRoutesRemoved:
bgpRoutesFailed:
bgpRoutesFiltered:
0
0
0
0
0
Description
ipRoutesHighWater
ipRoutesMax
RIP statistics:
ripInPkts
ripOutPkts
ripDiscardPkts
Description
ripRoutesAgedOut
The total number of routes learned via RIP that have aged out.
BGP statistics:
bgpInPkts
bgpOutPkts
bgpBadPkts
bgpSessFailures
bgpRoutesAdded
The total number of routes that were added to the routing table.
bgpRoutesRemoved
The total number of routes that were removed from the routing table.
bgpRoutesCur
bgpRoutesFailed
The total number of BGP routes that failed to add in the routing table.
bgpRoutesIgnored
The total number of routes ignored because the peer was not connected locally or multihop was not configured.
bgpRoutesFiltered
/stats/l3/arp
ARP statistics
This menu option enables you to display Address Resolution Protocol statistics.
MP ARP statistics:
arpEntriesCur:            2  arpEntriesHighWater:      2
arpEntriesMax:         8192
-----------------------------------------------------------------
SP ARP statistics:
SP   arpEntriesCur    arpEntriesHighWater    arpEntriesMax
---  ---------------  ---------------------  ---------------
1    1                1                      8192
2    1                1                      8192
3    1                1                      8192
4    1                1                      8192
Description
arpEntriesCur
arpEntriesHighWater
The highest number of ARP entries ever recorded in the ARP table.
arpEntriesMax
/stats/l3/vrrp
VRRP Statistics
Virtual Router Redundancy Protocol (VRRP) support on the Nortel Application Switch provides
redundancy between routers in a LAN. This is accomplished by configuring the same virtual
router IP address and ID number on each participating VRRP-capable routing device. One of
the virtual routers is then elected as the master, based on a number of priority criteria, and
assumes control of the shared virtual router IP address. If the master fails, one of the backup
virtual routers will assume routing authority and take control of the virtual router IP address.
When virtual routers are configured, you can display the following protocol statistics for VRRP:
0
0
0
0
0
vrrpBadAdvers:
vrrpBadVrid:
vrrpBadData:
vrrpBadInterval:
0
0
0
Description
vrrpInAdvers
vrrpBadAdvers
vrrpOutAdvers
vrrpBadVersion
Description
vrrpBadVrid
vrrpBadAddress
vrrpBadData
vrrpBadPassword
vrrpBadInterval
/stats/l3/dns
DNS Statistics
This menu option enables you to display Domain Name System statistics.
DNS statistics:
dnsInRequests:
dnsBadRequests:
0
0
dnsOutRequests:
Description
dnsInRequests
The total number of DNS request packets that have been received.
dnsOutRequests
The total number of DNS response packets that have been transmitted.
dnsBadRequests
The total number of DNS request packets received that were dropped.
/stats/l3/icmp
ICMP Statistics
ICMP statistics:
icmpInMsgs:             245802  icmpInErrors:             1393
icmpInDestUnreachs:         41  icmpInTimeExcds:             0
icmpInParmProbs:             0  icmpInSrcQuenchs:            0
icmpInRedirects:             0  icmpInEchos:                18
icmpInEchoReps:         244350  icmpInTimestamps:            0
icmpInTimestampReps:         0  icmpInAddrMasks:             0
icmpInAddrMaskReps:          0  icmpOutMsgs:            253810
icmpOutErrors:               0  icmpOutDestUnreachs:        15
icmpOutTimeExcds:            0  icmpOutParmProbs:            0
icmpOutSrcQuenchs:           0  icmpOutRedirects:            0
icmpOutEchos:           253777  icmpOutEchoReps:            18
icmpOutTimestamps:           0  icmpOutTimestampReps:        0
icmpOutAddrMasks:            0  icmpOutAddrMaskReps:         0
Description
icmpInMsgs
The total number of ICMP messages which the entity (the switch)
received. Note that this counter includes all those counted by
icmpInErrors.
icmpInErrors
icmpInDestUnreachs
icmpInTimeExcds
icmpInParmProbs
icmpInSrcQuenchs
The number of ICMP Source Quench (buffer almost full, stop sending data) messages received.
icmpInRedirects
icmpInEchos
icmpInEchoReps
icmpInTimestamps
icmpInTimestampReps
icmpInAddrMasks
Description
icmpInAddrMaskReps
icmpOutMsgs
The total number of ICMP messages which this entity (the switch)
attempted to send. Note that this counter includes all those counted
by icmpOutErrors.
icmpOutErrors
The number of ICMP messages which this entity (the switch) did not
send due to problems discovered within ICMP such as a lack of
buffer. This value should not include errors discovered outside the
ICMP layer such as the inability of IP to route the resultant datagram. In some implementations there may be no types of errors that
contribute to this counter's value.
icmpOutDestUnreachs
icmpOutTimeExcds
icmpOutParmProbs
icmpOutSrcQuenchs
The number of ICMP Source Quench (buffer almost full, stop sending data) messages sent.
icmpOutRedirects
The number of ICMP Redirect messages sent. For a host, this object
will always be zero, since hosts do not send redirects.
icmpOutEchos
icmpOutEchoReps
icmpOutTimestamps
icmpOutTimestampReps
icmpOutAddrMasks
icmpOutAddrMaskReps
ifInUcastPkts:          220553
ifInDiscards:                0
ifInUnknownProtos:           0
ifOutUcastPkts:         441938
ifOutDiscards:               0
ifStateChanges               1
Description
ifInOctets
ifInUcastPkts
The number of packets, delivered by this sub-layer to a higher (sub-layer), which were not addressed to a multicast or broadcast address at
this sub-layer.
ifInNUCastPkts
The number of packets, delivered by this sub-layer to a higher (sub-layer), which were addressed to a multicast or broadcast address at this
sub-layer. This object is deprecated in favor of ifInMulticastPkts
and ifInBroadcastPkts.
ifInDiscards
ifInErrors
For packet-oriented interfaces, the number of inbound packets that contained errors preventing them from being delivered to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of
inbound transmission units that contained errors preventing them from
being deliverable to a higher-layer protocol.
ifInUnknownProtos
Description
ifOutOctets
ifOutUcastPkts
ifOutNUcastPkts
ifOutDiscards
ifOutErrors
ifStateChanges
/stats/l3/tcp
TCP Statistics
TCP statistics:
tcpRtoAlgorithm:             4  tcpRtoMin:                   0
tcpRtoMax:              240000  tcpMaxConn:               1600
tcpActiveOpens:              0  tcpPassiveOpens:             0
tcpAttemptFails:             0  tcpEstabResets:              0
tcpInSegs:                   0  tcpOutSegs:                  0
tcpRetransSegs:              0  tcpInErrs:                   0
tcpCurBuff:                  0  tcpCurConn:                  6
tcpCurInConn:                0  tcpCurOutConn:               0
tcpCurLstnConn:              3  tcpOutRsts:                  0
tcpAllocTCBFails:            0
Description
tcpRtoAlgorithm
The algorithm used to determine the timeout value used for retransmitting unacknowledged octets.
tcpRtoMin
The minimum value permitted by a TCP implementation for the retransmission timeout, measured in milliseconds. More refined semantics
for objects of this type depend upon the algorithm used to determine the
retransmission timeout. In particular, when the timeout algorithm is
rsre(3), an object of this type has the semantics of the LBOUND quantity
described in RFC 793.
tcpRtoMax
The maximum value permitted by a TCP implementation for the retransmission timeout, measured in milliseconds. More refined semantics
for objects of this type depend upon the algorithm used to determine the
retransmission timeout. In particular, when the timeout algorithm is
rsre(3), an object of this type has the semantics of the UBOUND quantity
described in RFC 793.
tcpMaxConn
The limit on the total number of TCP connections the entity (the switch)
can support. In entities where the maximum number of connections is
dynamic, this object should contain the value -1.
tcpActiveOpens
tcpPassiveOpens
Description
tcpAttemptFails
tcpEstabResets
tcpInSegs
tcpOutSegs
The total number of segments sent, including those on current connections but excluding those containing only retransmitted octets.
tcpRetransSegs
The total number of segments retransmitted - that is, the number of TCP
segments transmitted containing one or more previously transmitted octets.
tcpInErrs
The total number of segments received in error (for example, bad TCP
checksums).
tcpCurBuff
tcpCurConn
The total number of outstanding TCP sessions that are currently opened.
tcpCurInConn
tcpCurOutConn
tcpCurLstnConn
tcpOutRsts
tcpAllocTCBFails
/stats/l3/udp
UDP Statistics
UDP statistics:
udpInDatagrams:             54  udpOutDatagrams:            43
udpInErrors:                 0  udpNoPorts:            1578077
Description
udpInDatagrams
udpOutDatagrams
The total number of UDP datagrams sent from this entity (the switch).
udpInErrors
The number of received UDP datagrams that could not be delivered for
reasons other than the lack of an application at the destination port.
udpNoPorts
The total number of received UDP datagrams for which there was no
application at the destination port.
/stats/slb
Server Load Balancing Statistics Menu
[Server Load Balancing Statistics Menu]
sp      - SLB Switch SP Stats Menu
gslb    - Global SLB Stats Menu
real    - Show real server stats
group   - Show real server group stats
virt    - Show virtual server stats
filt    - Show filter stats
layer7  - Show Layer 7 stats
ssl     - Show SSL SLB stats
ftp     - Show FTP SLB parsing and NAT stats
rtsp    - Show RTSP SLB stats
dns     - Show DNS SLB stats
wap     - Show WAP SLB stats
maint   - Show maintenance stats
sip     - Show SIP SLB stats
wlm     - Show Workload Manager SASP stats
mirror  - Show Session mirroring stats
clear   - Clear non-operational Server Load Balancing stats
aux     - Show auxiliary session table stats
dump    - Dump all SLB statistics
Number of times the real server has failed its health checks
Number of sessions currently open on the real server
Total sessions the real server was assigned
Highest number of simultaneous sessions recorded for each real server
Real server transmit/receive octets
See page 211 for sample output.
Current and total sessions for each real server in the real server group.
Current and total sessions for all real servers associated with the real server group.
Highest number of simultaneous sessions recorded for each real server.
Real server transmit/receive octets. For per-service octet counters, see page 211.
See page 212 for sample output.
Current and total sessions for each real server associated with the virtual server.
Current and total sessions for all real servers associated with the virtual server.
Highest number of simultaneous sessions recorded for each real server.
Real server transmit/receive octets. For per-service octet counters, see page 211.
See page 213 for sample output.
To view the statistics reset by this command, refer to Table 5-51 on page 230.
aux
Displays auxiliary session table statistics.
dump
Dumps all switch SLB statistics. Use this command to gather data for tuning and debugging switch
performance. To save dump data to a file, set your communication software on your workstation to
capture session data prior to issuing the dump command.
/stats/slb/sp
Server Load Balancing SP statistics Menu
[Server Load Balancing SP Statistics Menu]
real    - Show real server stats
group   - Show real server group stats
virt    - Show virtual server stats
filt    - Show filter stats
maint   - Show maintenance stats
aux     - Show auxiliary session table stats
clear   - Clear SP stats
Description
Maximum sessions
Current Sessions
Terminated Sessions
Allocation Failures
Indicates instances where the Switch ran out of available sessions for a
port.
UDP Datagrams
Indicates that the virtual server IP address and MAC are receiving
UDP frames when UDP balancing is not turned on.
Incorrect VIPs
Description
Incorrect Vports
This dropped frames counter indicates that the virtual server has
received frames for TCP/UDP services that have not been configured.
Normally this indicates a mis-configuration on the virtual server or the
client, but it may be an indication of a potential security probing application like SATAN.
No Available Real Server
This dropped frames counter indicates that all real servers are either
out of service or at their maxcon limit.
Backup Server Activations
This indicates the number of times a real server failure has occurred
and caused a backup server to be brought online.
This indicates the number of times a real server has reached the
maxcon limit and caused an overflow server to be brought online.
Filtered (Denied) Frames
LAND attacks
This counter increases whenever a packet has the same source and
destination IP addresses and ports.
The number of packets that were dropped because the packet had no
control bits set in the TCP header.
The number of packets that were dropped because the packet had an
invalid reset flag set.
Total IP fragment sessions
This represents the total number of fragment sessions the switch has
processed so far.
Current IP fragment sessions
IP fragment discards
IP fragment table full
This counter indicates how many times the session table is full.
/stats/slb/gslb
Global SLB Statistics Menu
[Global SLB Statistics Menu]
real    - Show Global SLB remote real server stats
virt    - Show Global SLB virtual server stats
site    - Show Global SLB remote site stats
network - Show Global SLB network preference stats
rule    - Show Global SLB rule stats
geo     - Show Global SLB geographical preference stats
pers    - Show Global SLB DNS persistence cache stats
maint   - Show Global SLB maintenance stats
clear   - Clear all Global SLB stats
dump    - Show all Global SLB stats
For any remote real server configured for Global Server Load Balancing, the following statistics can be viewed:
Description
Server
Description
IP Address
Site
DNS directs
The number of DNS responses that return the IP address of the corresponding server.
HTTP redirects
/stats/slb/gslb/site
Global SLB Site Statistics
Global SLB remote site 1 stats:
Bad remote site packets received:          386
DSSPv1 remote site updates sent:             0
DSSPv1 remote site updates received:         0
DSSPv2 remote site updates sent:           768
DSSPv2 remote site updates received:       348
Description
/stats/slb/gslb/maint
Global SLB Maintenance Statistics
Global SLB maintenance stats:
Bad remote site packets received:               0
DSSPv1 remote site updates sent:                0
DSSPv1 remote site updates received:            0
DSSPv2 remote site updates sent:           127746
DSSPv2 remote site updates received:        85164
DNS queries received:                           0
Bad DNS queries received:                       0
DNS responses sent:                             0
HTTP requests received:                         0
Bad HTTP requests received:                     0
HTTP responses sent:                            0
Hostname domain hits:                           0
Network domain hits:                            0
Basic domain hits:                              0
No server selected for hostname domain:         0
No server selected for network domain:          0
No server selected for basic domain:            0
No matching domain:                             0
Last no result domain:
Last source IP:                           0.0.0.0
Description
The number of Distributed Site State Protocol (DSSP) version one updates/packets sent to the remote sites.
The number of Distributed Site State Protocol (DSSP) version one updates/packets received from the remote sites.
The number of Distributed Site State Protocol (DSSP) version two updates/packets sent to the remote sites.
The number of Distributed Site State Protocol (DSSP) version two updates/packets received from the remote sites.
Description
No matching domain
The number of times the DNS queries received did not match
the host name, domain name, or the network domain configured.
The domain in the last DNS query received that did not match
the host name, domain name, or the network domain configured.
Last source IP
129
65478
4343
523824000
NOTE Octets are provided per server, not per service, unless configured as described in Per
Service Octet Counters on page 211.
Table 5-35 Real Server SLB Statistics (/stats/slb/real)
Statistics
Description
Current sessions
The total number of outstanding sessions that are established to the particular real server.
Total sessions
The total number of sessions that have been established to the particular
real server.
Highest sessions
The highest number of sessions ever recorded for the particular real
server.
Octets
1. Configure a separate IP address for each service on each server being load balanced.
For instance, you can configure IP address 10.1.1.20 for HTTP services, and 10.1.1.21 for FTP
services on the same physical server.
2. On the Nortel Application Switch, configure a real server with a real IP address for each
service above.
Continuing the example above, two real servers would be configured for the physical server
(representing each real service). If there were five physical servers providing the two services
(HTTP and FTP), 10 real servers would have to be configured: five for the HTTP services on
each physical server, and five for the FTP services on each physical server.
3. On the Nortel Application Switch, configure one real server group for each type of service, and
group each appropriate real server IP address into the group that handles the specific service.
Thus, in keeping with our example, two groups would be configured: one for handling HTTP
and one for handling FTP.
4. Configure a virtual server and add the appropriate services to that virtual server.
Real IP address      Current  Total      Highest  Octets
                     Sessions Sessions   Sessions
---- --------------- -------- ---------- -------- ---------------
   1 200.100.10.14         20         60        9          480000
   2 200.100.10.15         20         77       12          616000
---- --------------- -------- ---------- -------- ---------------
                           40        137       21         1096000
Current and total sessions for each real server in the real server group.
Current and total sessions for all real servers associated with the real server group.
Real server transmit/receive octets. For per-service octet counters, see the procedure on
Per Service Octet Counters on page 211.
NOTE The virtual server IP address is shown on the last line, below the real server IP addresses.
Virtual server statistics include the following:
Current and total sessions for each real server associated with the virtual server.
Current and total sessions for all real servers associated with the virtual server.
Real server transmit/receive octets. For per-service octet counters, see Per Service Octet
Counters on page 211.
1011
You can obtain the total number of times any filter has been matched.
/stats/slb/layer7
SLB Layer7 Statistics Menu
[Layer 7 Statistics Menu]
redir   - Show URL Redirection stats
str     - Show SLB String stats
maint   - Show Layer 7 Maintenance stats
pooling - Show connection pooling stats
/stats/slb/layer7/redir
Layer7 Redirection Statistics
Total
Total
Total
Total
Total
Total
Total
Total
Total
Total
0
0
0
0
0
0
0
0
0
Description
Total cache server hits
The total number of HTTP requests redirected to the cache server.
Total origin server hits
The total number of HTTP requests forwarded to the origin server.
Total straight to origin server hits
The total number of HTTP requests forwarded straight to the origin server.
Total none-GETs hits
The total number of HTTP requests that were redirected by the redirection filter.
/stats/slb/layer7/str
Layer 7 SLB String Statistics
SLB String stats:
ID SLB String                   Hits
 1 any                          1527115
 2 www.[abcdefghijklm]*.com     0
 3 www.[nopqrstuvwxyz]*.com     0
 4 www.junk.com                 0
 5 www.abc.com                  0
 6 www.[abcdefjhijklm]*.org     0
 7 www.[nopqrstuvwxyz]*.org     0
Description
ID SLB String
Hits
/stats/slb/layer7/maint
Layer 7 SLB Maintenance Statistics
Layer 7 maintenance stats:
Clients reset by switch on client side:      0
Clients reset by switch on server side:      0
Connection Splicing to support HTTP/1.1:     0
Invalid HTTP methods:                        0
Aged delayed binding sessions:               0
Half open connections:                       0
Switch retries:                              0
Random early drops:                          0
Requests exceeded 9000 bytes:                0
Invalid 3-way handshakes:                    0
Exceeded max frame size:                     0
Out of order packet drops:                   0
Current SP[1] memory units:     1260   Lowest:                   1260
Current SP[2] memory units:     1260   Lowest:                   1260
Current SP[3] memory units:     1260   Lowest:                   1260
Current SP[4] memory units:     1260   Lowest:                   1260
Current SP memory units:        5040
Current SEQ buffer entries:        0   Highest:                     0
Current Data buffer use:           0   Highest:                     0
Current SP buffer entries:         0   Highest:                     0
Total Nonzero SEQ Alloc:           0
Total SEQ Buffer Allocs:           0   Total SEQ Frees:             0
Total Data Buffer Allocs:          0   Total Data Frees:            0
Alloc Fails - Seq buffers:         0   Alloc Fails - Ubufs:         0
Max sessions per bucket:           0   Max frames per session:      0
Max bytes buffered (sess):         0
Description
Clients reset by switch on client side
The number of reset frames sent to the client by the switch during
server connection termination. This means that when the switch
could not connect to the real server and the client's retries exceeded
the threshold due to delayed binding, the switch sends a reset
frame to the client to terminate the connection.
Clients reset by switch on server side
The number of reset frames sent to the server by the switch during
server connection termination due to delayed binding.
Connection Splicing to
support HTTP/1.1
Description
Switch retries
The total number of SYN frames dropped when the buffer is low.
The total number of switch-generated frames that exceeded the maximum allowed frame size.
Current SP memory
units
Description
Max frames per session The maximum number of frames to be buffered per session.
Max bytes buffered
(sess)
/stats/slb/layer7/pooling
Layer7 Pooling Statistics
>> Layer 7 Statistics# pooling
------------------------------------------------------------------
Connection pooling statistics:
Current opened server connections:               0
Active server connections:                       0
Available server connections:                    0
Total number of aged out client connections:     0
Total number of aged out server connections:     0
/stats/slb/ssl
SLB Secure Socket Layer Statistics
SSL SLB maintenance stats:
SessionId allocation fails:                0
Total number of SSL ID reassignments:      0
                          Current  Total      Highest
                          Sessions Sessions   Sessions
------------------------- -------- ---------- --------
Unique SessionIds                0          0        0
SSL connections                  0          0        0
Persistent Port Sessions         0          0        0
Description
SessionId allocation
fails
Many SSL sessions can use the same SessionId; these should all
bind to the same server. This number shows the number of unique
SSL sessions seen on the switch.
SSL connections
Persistent Port
Sessions
/stats/slb/ftp
File Transfer Protocol SLB and Filter Statistics Menu
[FTP SLB parsing and
active - Show
parsing - Show
maint
- Show
dump
- Dump
Table 5-41 FTP SLB Parsing and Filter Statistics Menu Options (/stats/slb/ftp)
Command Syntax and Usage
active
Shows active FTP SLB parsing and filter statistics. See page 221 for sample output.
parsing
Shows parsing statistics. See page 221 for sample output.
maint
Shows maintenance statistics. See page 222 for sample output.
dump
Shows all FTP SLB/NAT statistics. See page 222.
/stats/slb/ftp/active
Active FTP SLB Parsing and Filter Statistics
Total Active FTP NAT stats(PORT):
Total FTP:                          0
Total New Active FTP Index:         0
Active FTP NAT ACK/SEQ diff:        0
Table 5-42 Active FTP Slb Parsing and Filter statistics (/stats/slb/ftp/active)
Statistics
Description
The number of times the switch receives the port command from
the client.
Total FTP
The number of times the switch receives both active and passive
FTP connections.
The number of times the switch creates a new index due to port
command from the client.
The difference in the numbers of ACK and SEQ that the Switch
needs for packet adjustment.
/stats/slb/ftp/parsing
Passive FTP SLB Parsing Statistics
Total FTP SLB Parsing Stats(PASV):
Total FTP:                          0
Total New FTP SLB parsing Index:    0
FTP SLB parsing ACK/SEQ diff:       0
Description
Total FTP
The number of times the switch receives both active and passive
FTP connections.
The difference in the numbers of ACK and SEQ that the switch
needs for FTP SLB parsing.
/stats/slb/ftp/maint
FTP SLB Maintenance Statistics
FTP mode switch error:
Description
The number of times the switch is not able to switch modes from
active to passive and vice versa.
/stats/slb/ftp/dump
FTP SLB Statistics Dump
Total FTP :                           0
Total FTP NAT Filtered:               0
Total new active FTP NAT Index:       0
Total new FTP SLB parsing Index:      0
FTP Active FTP NAT ACK/SEQ diff:      0
FTP SLB parsing ACK/SEQ diff:         0
FTP mode switch error:                0
Description
Total FTP
Total FTP NAT Filtered
The total number of FTP NAT filter sessions that occurred.
Total new active FTP NAT Index
The total number of new data sessions created for FTP NAT filter in
active mode.
The total number of times the adjustment between ACK and SEQ
occurred on the filter.
The difference in the numbers of ACK and SEQ that the switch
needs for FTP SLB parsing.
The number of times the switch could not switch mode from active
to passive and vice versa.
/stats/slb/rtsp
RTSP SLB Statistics
   Control    UDP                   Connection Buffer     Alloc
SP Connection Streams    Redirect   Denied     Allocs     Failures
-- ---------- ---------- ---------- ---------- ---------- ----------
 1          0          0          0          0          0          0
 2          0          0          0          0          0          0
 3          0          0          0          0          0          0
 4          0          0          0          0          0          0
-- ---------- ---------- ---------- ---------- ---------- ----------
            0          0          0          0          0          0
Description
ControlConnection
UDP Streams
The total number of UDP connections for data channels. The number
depends upon the type of media player being used.
Redirect
ConnectionDenied
The total number of times the connections got denied due to shortage of
resources or the real server being down.
BufferAllocs
AllocFailures
/stats/slb/dns
DNS SLB Statistics
Total
Total
Total
Total
Total
Total
Total
number
number
number
number
number
number
number
of
of
of
of
of
of
of
0
0
0
0
0
0
0
Description
Total number of
invalid DNS queries
Total number of
multiple DNS queries
The total number of DNS queries that contain more than one domain
name to be resolved. Currently only one domain name resolution per
request is supported.
The total number of DNS queries that have short or invalid domain
names to be resolved.
The total number of times the user failed to find a real server which
has the same layer 7 strings that match the domain name to be
resolved.
The total number of out of memory and other unexpected errors the
user gets while processing the DNS query.
/stats/slb/wap
WAP SLB Statistics
This command displays all the Radius and WAP related counters.
WAP Maintenance stats:
current sessions:                0
allocation failures:             0
incorrect VIPs:                  0
incorrect Vports:                0
no available real server:        0
requests to wrong SP:            0
------------------------------------------------------------------
TPCP External Notification stats:
add session reqs:                0
del session reqs:                0
req fails- SP dead:              0
req fails- SP dead:              0
------------------------------------------------------------------
RADIUS Snooping stats:
acct reqs:                       0
acct wrap reqs:                  0
acct start reqs:                 0
acct update reqs:                0
acct stop reqs:                  0
acct bad reqs:                   0
acct reqs(FIP):                  0
acct reqs(no FIP):               0
add session reqs:                0
del session reqs:                0
req fails- SP dead:              0
req fails- DMA:                  0
Description
allocation failures
Indicates instances where the switch ran out of available bindings for a
port.
incorrect VIPs
Indicates the number of times the switch received a Layer 4 request for
a virtual server which was not configured.
incorrect Vports
This dropped frames counter indicates that the virtual server has received
frames for TCP/UDP services that have not been configured. Normally
this indicates a mis-configuration on the virtual server or the client.
no available real
server
This dropped frames counter indicates that all real servers are either out
of service or at their maxcon limit.
requests to wrong SP
The number of session add/delete requests sent to the wrong SP.
Description
/stats/slb/maint
SLB Maintenance Statistics
SLB Maintenance stats:
Maximum sessions:                2097104
Current sessions:                      0
4 second average:                      0
64 second average:                     0
Terminated sessions:                   0
Allocation failures:                   0
UDP datagrams:                         0
Non TCP/IP frames:                     0
Incorrect VIPs:                        0
Incorrect Vports:                      0
No available real server:              0
Backup server activations:             0
Overflow server activations:           0
Filtered (denied) frames:              0
LAND attacks:                          0
No TCP control bits:                   0
Invalid reset packet drops:            0
Total IP fragment sessions:            0
Current IP fragment sessions           0
IP fragment discards:                  0
IP fragment table full:                0
Current IPF buffer sessions:           0
Highest IPF buffer sessions:           0
IPF buffer alloc fails:                0
IPF SP buffer alloc fails:             0
SP buffer too low:                     0
Exceeded 16 OOO packets:               0
Free Service pool entries:          8192
Current IP6 sessions:                  0
Incorrect IP6 VIPs:                    0
Incorrect IP6 Vports:                  0
IP6 packets drops:                     0
Description
Maximum sessions
Current Sessions
Terminated Sessions
Number of sessions removed from the session table because the server
assigned to them failed and graceful server failure was not enabled.
Allocation Failures
Indicates instances where the Switch ran out of available sessions for a port.
UDP Datagrams
Indicates that the virtual server IP address and MAC are receiving UDP
frames when UDP balancing is not turned on.
Indicates the number of non-IP based frames received by the virtual server.
Incorrect VIPs
Indicates the number of times the switch received a Layer 4 request for a
virtual server which was not configured.
Incorrect Vports
This dropped frames counter indicates that the virtual server has received
frames for TCP/UDP services that have not been configured. Normally this
indicates a mis-configuration on the virtual server or the client, but it may
be an indication of a potential security probing application like SATAN.
No Available Real Server
This dropped frames counter indicates that all real servers are either out
of service or at their maxcon limit.
Backup Server Activations
This indicates the number of times a real server failure has occurred and
caused a backup server to be brought online.
Overflow Server Activations
This indicates the number of times a real server has reached the maxcon
limit and caused an overflow server to be brought online.
Filtered (Denied) Frames
This indicates the number of frames that were dropped because they
matched an active filter with the deny action set.
LAND attacks
This counter increases whenever a packet has the same source and destination IP addresses and ports.
No TCP Control Bits
The number of packets that were dropped because the packet had no control bits set in the TCP header.
Invalid reset packet drops
The number of packets that were dropped because the packet had an
invalid reset flag set.
Total IP fragment sessions
This represents the total number of fragment sessions the switch has processed so far.
Current IP fragment sessions
IP fragment discards
IP fragment table full
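The counters described above only become useful for detection when they are compared across polls. The following is an added example, not part of the Nortel documentation: it parses two captured /stats/slb/maint outputs and reports how much the security-relevant counters grew. The function names, the choice of watched counters and the sample captures are assumptions constructed for illustration.

```python
import re

# Counters whose descriptions on this page tie them to unexpected or
# malformed traffic. Labels are spelled as in the /stats/slb/maint output.
WATCHED = (
    "Incorrect VIPs", "Incorrect Vports", "Filtered (denied) frames",
    "LAND attacks", "No TCP control bits", "Invalid reset packet drops",
    "IP fragment discards", "IP fragment table full",
)

# "label: value" with an optional colon, because the sample output prints
# "Current IP fragment sessions" without one.
_LINE = re.compile(r"^\s*(?P<name>.+?):?\s+(?P<value>\d+)\s*$")


def parse_maint(text):
    """Turn captured maintenance statistics into {label: int}."""
    counters = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            counters[m.group("name").strip()] = int(m.group("value"))
    return counters


def security_deltas(before, after, watched=WATCHED):
    """Return {label: increase} for watched counters that grew between polls.

    A value lower than the previous poll means the statistics were cleared
    or the switch restarted; the whole new value is then counted as growth.
    """
    grown = {}
    for name in watched:
        if name not in after:
            continue
        old, new = before.get(name, 0), after[name]
        increase = new - old if new >= old else new
        if increase > 0:
            grown[name] = increase
    return grown


# Constructed captures (not real switch output).
POLL_A = """SLB Maintenance stats:
Maximum sessions:                2097104
Incorrect Vports:                     12
Filtered (denied) frames:            100
LAND attacks:                          0
Current IP fragment sessions           0
"""
POLL_B = POLL_A.replace("Incorrect Vports:                     12",
                        "Incorrect Vports:                    512") \
               .replace("LAND attacks:                          0",
                        "LAND attacks:                          3")
# Captured after the statistics were cleared: every value restarts from zero.
POLL_C = """SLB Maintenance stats:
Maximum sessions:                2097104
Incorrect Vports:                      7
Filtered (denied) frames:              0
LAND attacks:                          0
"""

if __name__ == "__main__":
    a, b, c = (parse_maint(p) for p in (POLL_A, POLL_B, POLL_C))
    print(security_deltas(a, b))
    print(security_deltas(b, c))
```

A sustained rise in Incorrect Vports with no matching configuration change is the pattern the description above associates with port probing.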
/stats/slb/sip
SIP SLB Statistics
SIP Stats:
Total
Total
Total
Total
Total
Total
number
number
number
number
number
number
of
of
of
of
of
of
:
:
:
:
:
:
0
0
0
0
0
0
Description
Total number
of packets with SIP
SDP NAT
/stats/slb/mirror
Display Workload Manager SASP statistics
Table 5-52 SLB Session Mirroring statistics (/stats/slb/mirror)
>> Server Load Balancing Statistics# mirror
------------------------------------------------------------------
Session Mirroring Stats:                    Rx          Tx
Total Create Session Messages                0           0
Total Update Session Messages                0           0
Total Delete Session Messages                0           0
Total Create Data Session Messages           0           0
Total Update Data Session Messages           0           0
Total Delete Data Session Messages           0           0
Total Sessions Created                       0
Total Sessions Updated                       0
Total Sessions Deleted                       0
Total Data Sessions Created                  0
Total Data Sessions Updated                  0
Total Data Sessions Deleted                  0
Session table full                           0
Unvailable pport                             0
Session already present                      0
Session not found                            0
Control session not found                    0
/stats/bwm
BWM Statistics Menu
[Bandwidth Management Statistics Menu]
port    - Switch Port Contract Stats Menu
cont    - BW Contract stats
rcont   - BW Contract rate stats
hist    - BW History stats
maint   - Show BWM maint statistics
ipusers - Show BWM IP user stats for iplimit contracts
dump    - Dump all BWM statistics
clear   - Clear BWM statistics
BW Contract statistics
Contract Name            Rate(Kbps) Octets     Discards   BufUsed BufMax
-------- --------------- ---------- ---------- ---------- ------- ------
       1 cont1                    0   40465360  262049256       0  16320
       2 cont2                    0          0          0       0  16320
      20 cont20                5230  682947936 1822133376   16384  16320
      26 cont26                   0          0          0       0  16320
    1024 Default                  0     773974          0       0  16320

       1 cont1                    0   40465360  262049256       0  16320
       2 cont2                    0          0          0       0  16320
      20 cont20                5238  684289056 1825753104   16384  16320
      26 cont26                   0          0          0       0  16320
    1024 Default                  0     774114          0       0  16320
The following description of statistics applies on a specific switch port for all enabled
contracts.
NOTE This command displays enabled contracts only.
Table 5-55 Bandwidth Management Contract Statistics (/stats/bwm/cont)
Statistics
Description
Contract
Name
Octets
The number of octets that have been transmitted through a particular contract since the switch was booted.
Discards
The number of octets that are being discarded because the traffic exceeds
what the bandwidth contract limit permits.
Total Pkts
BufUsed
The current amount of buffer space used to store the packets that are waiting to be transmitted.
BufMax
Maximum buffer space that can be used to store the packets before they
can be transmitted. The switch starts dropping the packets of a particular
contract after the maximum buffer space allocated for that contract is
occupied.
/stats/bwm/rcont
BWM Contract Rate Statistics
Use this command to show the rate statistics of all the enabled contracts.
NOTE This command displays enabled contracts only.
This command repeats its output when the printed lines are less than the configured CLI lines
per screen. If the CLI lines are configured at zero per screen, the command will continue to
repeat its output until you type a key on the console or telnet session.
You can configure the number of CLI lines per screen using the global (hidden) command:
lines <number of lines>. For example:
>> AAS_2424 - Bandwidth Management Statistics# lines
Current lines-per-screen: 24
>> AAS_2424 - Bandwidth Management Statistics# lines ?
lines     sets lines-per-screen 0-300, zero for infinite
BW Contract statistics
Contract Name            Rate(Kbps) Octets     Discards   BufUsed BufMax
-------- --------------- ---------- ---------- ---------- ------- ------
       1 cont1                 5222  285408288  735607152   16384 456960
       2 cont2                    0          0          0       0 456960
      20 cont20                5238  285720864  735308784   16384 456960
      26 cont26                   0          0          0       0 456960
    1024 Default                  4     517182          0       0 456960

       1 cont1                 5230  286747296  739228896   16384 456960
       2 cont2                    0          0          0       0 456960
      20 cont20                5230  287059872  738930528   16384 456960
      26 cont26                   0          0          0       0 456960
    1024 Default                  8     519400          0       0 456960

       1 cont1                 5222  288084192  742853160   16384 456960
       2 cont2                    0          0          0       0 456960
      20 cont20                5238  288400992  742550760   16384 456960
      26 cont26                   0          0          0       0 456960
    1024 Default                  8     521578          0       0 456960
Description
Contract
Name
Rate at which the packets are going out of the switch on a particular contract.
Octets
The number of octets that have been transmitted through a particular contract since the switch was booted.
Discards
The number of octets that are being discarded because the traffic exceeds
the bandwidth contract limits.
BufUsed
The current amount of buffer space used to store the packets that are waiting to be transmitted.
BufMax
Maximum buffer space that can be used to store the packets before they
can be transmitted. The switch starts dropping the packets of a particular
contract after the maximum buffer space allocated for that contract is
occupied.
/stats/bwm/hist
BWM History Statistics
Switch IP       Cont Name             Octets     Discards   TimeStamp
                                                            YyyyMmDd:Hr:Mi/TmZone
--------------- ---- ---------------- ---------- ---------- ----------
47.80.23.124       1 filter_number01           0          0 20030910:15:11/ -8:00
47.80.23.124       2 filter_number02           0          0 20030910:15:11/ -8:00
47.80.23.124       3 filter_number03           0          0 20030910:15:11/ -8:00
47.80.23.124       4 filter_number04           0          0 20030910:15:11/ -8:00
47.80.23.124       5 filter_number05           0          0 20030910:15:11/ -8:00
47.80.23.124       6 filter_number06           0          0 20030910:15:11/ -8:00
47.80.23.124       7 filter_number07           0          0 20030910:15:11/ -8:00
47.80.23.124       8 filter_number08           0          0 20030910:15:11/ -8:00
47.80.23.124       9 filter_number09           0          0 20030910:15:11/ -8:00
47.80.23.124      10 filter_number10           0          0 20030910:15:11/ -8:00
47.80.23.124    1024 Default                 608          0 20030910:15:11/ -8:00
This command dumps the statistics kept in the SMTP history buffer, which is also dumped
periodically when an e-mail is sent. Long-term history is kept only for contracts that are
enabled and have the history command turned on.
Use this command to show the history of all the contracts for which the history command is
enabled. The sampling is done at one-minute intervals.
Table 5-57 Bandwidth Management History Statistics (/stats/bwm/hist)
Statistics
Description
Contract
Octets
Discards
The number of octets discarded because of seeing more traffic than the
bandwidth contract limit permits.
TimeStamp
NOTE These statistics can only be viewed when the e-mail option is enabled.
/stats/bwm/maint
BWM Maintenance Statistics
BWM Maint statistics
------------------------------------------------------------------
Maint Stats for rate limiting contracts
Discard pkts 0
Discard octets 0
Out pkts 0
Out octets 0
Transmit failed 0
User Limit entry allocation failures 0
------------------------------------------------------------------
Maint Stats for traffic shaping contracts
QFull Discard pkts 0
QFull Discard octets 0
Out of buffers pkts 0
Out of buffers pkts 0
Transmit failed 0
TDT set when qfull 0
TDT set between soft and hard 0
TDT set at soft 0
/stats/bwm/ipusers
BWM IP Users Statistics
This command displays the number of BWM IP user entries for each BWM contract for each
SP.
BWM IP users statistics
Contract SP1        SP2        SP3        SP4        Total
-------- ---------- ---------- ---------- ---------- ----------
      10          0         10          0          0         10
      11          0         10          0          0         10
         ---------- ---------- ---------- ---------- ----------
                  0         20          0          0         20
/stats/security
Security Statistics
[Security Statistics Menu]
ipacl    - IP Address ACL Statistics Menu
udpblast - UDP Blast Statistics Menu
dos      - DoS Attack Statistics Menu
pgroup   - Show pattern match group statistics
ratelim  - Show rate limiting statistics
dump     - Dump all security statistics
Command Syntax and Usage
dos
Displays the DOS Attack statistics menu. To view a sample output and a description of the stats,
see page 240.
ipacl
Displays the IP Address Access Control List statistics menu. To view a sample output and a
description of the statistics, see page 244.
udpblast
Displays the UDP Blast statistics menu. To view a sample output and a description of the statistics,
see page 245.
pgroup
Displays the Pattern Match Group statistics menu. To view a sample output and a description of
the statistics, see page 246.
ratelim
Displays the Rate Limiting statistics menu. To view a sample output and a description of the stats,
see page 246.
dump
Displays all security statistics.
/stats/security/dos
DOS Attack Statistics Menu
[Protocol Anomaly and DoS Attack Prevention Statistics Menu]
port    - Show port protocol anomaly and DoS attack prevention stats
dump    - Dump all protocol anomaly and DoS attack prevention stats
clear   - Clear all protocol anomaly and DoS attack prevention stats
help    - Protocol anomaly and DoS attack prevention description
Refer to your Nortel Application Switch Operating System Application Guide for a detailed
description of DOS attacks.
>> /stats/security/dos help
iplen       : IPv4 packets with bad IP header or payload length.
ipversion   : IPv4 packets with IP version not 4.
broadcast   : IPv4 packets with broadcast source or destination IP
              [0.0.0.0,255.255.255.255].
loopback    : IPv4 packets with loopback source or destination IP
              [127.0.0.0/8].
land        : IPv4 packets with same source and destination IP.
ipreserved  : IPv4 packets with IP reserved bit is set.
ipttl       : IPv4 packets with small IP TTL.
ipprot      : IPv4 packets with IP protocol is unassigned or
              reserved.
ipoptlen    : IPv4 packets with bad IP options length.
fragmoredont: IPv4 packets with more fragments and don't fragment
              bits are set.
fragdata    : IPv4 packets with more fragments bit is set and small
              payload.
fragboundary: IPv4 packets with more fragments bit is set and
              payload not at 8-byte boundary.
fraglast    : IPv4 packets last fragment without payload.
fragdontoff : IPv4 packets with non-zero fragment offset and don't
              fragment bits are set.
fragopt     : IPv4 packets with non-zero fragment offset and IP
              options.
fragoff     : IPv4 packets with small non-zero fragment offset.
fragoversize: IPv4 packets with non-zero fragment offset and oversize payload.
tcplen      : TCP packets with bad TCP header length.
tcpportzero : TCP packets with source or destination port is zero.
blat        : TCP packets with SIP!=DIP and SPORT=DPORT.
tcpreserved : TCP packets with TCP reserved bit is set.
nullscan    : TCP packets with all control bits are zero.
fullxmasscan: TCP packets with all control bits are set.
finscan     : TCP packets with only FIN bit is set.
vecnascan   : TCP packets with only URG or PUSH or URG|FIN or
              PSH|FIN or URG|PSH bits are set.
xmasscan    : TCP packets with FIN, URG and PSH bits are set.
synfinscan  : TCP packets with SYN and FIN bits are set.
flagabnormal: TCP packets with abnormal control bits combination.
syndata     : TCP packets with SYN bit is set and with payload.
synfrag     : TCP packets with SYN bit is set and more fragments bit
              is set.
ftpport     : TCP packets with SPORT=20, DPORT<1024 and SYN bit is
              set.
dnsport     : TCP packets with SPORT=53, DPORT<1024 and SYN bit is
              set.
seqzero     : TCP packets with sequence number is zero.
ackzero     : TCP packets with acknowledgement number is zero and ACK
              bit is set.
tcpoptlen   : TCP packets with bad TCP options length.
udplen      : UDP packets with bad UDP header length.
udpportzero : UDP packets with source or destination port is zero.
fraggle     : UDP packets to broadcast destination IP (x.x.x.255).
pepsi       : UDP packets with SPORT=19, DPORT=7 or SPORT=7,
              DPORT=19.
rc8         : UDP packets with SPORT=7 and DPORT=7.
snmpnull    : UDP packets with DPORT=161 and without payload.
icmplen     : ICMP packets with bad ICMP header length.
smurf       : ICMP ping requests to a broadcast destination IP
              (x.x.x.255).
icmpdata    : ICMP packets with zero fragment offset and large payload.
icmpoff     : ICMP packets with large fragment offset.
icmptype    : ICMP packets with type is unassigned or reserved.
igmplen     : IGMP packets with bad IGMP header length.
igmpfrag    : IGMP packets with more fragments bit is set or non-zero
              fragment offset.
igmptype    : IGMP packets with type is unassigned or reserved.
arplen      : ARP request or reply packets with bad length.
arpnbcast   : ARP request packets with non broadcast destination MAC.
arpnucast   : ARP reply packets with non unicast destination MAC.
arpspoof    : ARP request or reply packets with mismatch source with
              sender MACs
              or destination with target MACs.
garp        : ARP request or reply packets with same source and destination IP.
ip6len      : IPv6 packets with bad header length.
ip6version  : IPv6 packets with IP version not 6.
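The counter descriptions in the help output above can be read as predicates over packet header fields. The following Python sketch is an added example (not Nortel code and not part of the original manual) that applies a subset of those descriptions to raw IPv4 packets, which is useful when checking what a capture should increment. Assumptions: "all control bits" means the six classic TCP flags, xmasscan means exactly FIN+URG+PSH, the "bad length" checks are one reasonable reading, a packet may match several counters, and the sample packets are constructed.

```python
import struct
from ipaddress import IPv4Address, IPv4Network
from types import SimpleNamespace as NS

# Classic six TCP control bits; assumed to be what the help text means by "all control bits".
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = 0x3F
LOOPBACK = IPv4Network("127.0.0.0/8")
BCAST = {IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")}

# (counter name, predicate) pairs transcribed from the help text; p = IPv4 layer, t/u = TCP/UDP.
IP_RULES = [
    ("broadcast", lambda p: p.src in BCAST or p.dst in BCAST),
    ("loopback", lambda p: p.src in LOOPBACK or p.dst in LOOPBACK),
    ("land", lambda p: p.src == p.dst),
    ("ipreserved", lambda p: p.rsv),
    ("fragmoredont", lambda p: p.mf and p.df),
    ("fragboundary", lambda p: p.mf and len(p.payload) % 8 != 0),
    ("fragdontoff", lambda p: p.off and p.df),
]
TCP_RULES = [
    ("tcpportzero", lambda p, t: t.sport == 0 or t.dport == 0),
    ("blat", lambda p, t: p.src != p.dst and t.sport == t.dport),
    ("nullscan", lambda p, t: t.flags == 0),
    ("fullxmasscan", lambda p, t: t.flags == ALL),
    ("finscan", lambda p, t: t.flags == FIN),
    ("vecnascan", lambda p, t: t.flags in (URG, PSH, URG | FIN, PSH | FIN, URG | PSH)),
    ("xmasscan", lambda p, t: t.flags == (FIN | URG | PSH)),  # assumed: exactly these three
    ("synfinscan", lambda p, t: t.flags & SYN and t.flags & FIN),
    ("syndata", lambda p, t: t.flags & SYN and t.data),
    ("synfrag", lambda p, t: t.flags & SYN and p.mf),
    ("ftpport", lambda p, t: t.sport == 20 and t.dport < 1024 and t.flags & SYN),
    ("dnsport", lambda p, t: t.sport == 53 and t.dport < 1024 and t.flags & SYN),
    ("seqzero", lambda p, t: t.seq == 0),
    ("ackzero", lambda p, t: t.ack == 0 and t.flags & ACK),
]
UDP_RULES = [
    ("udpportzero", lambda p, u: u.sport == 0 or u.dport == 0),
    ("fraggle", lambda p, u: int(p.dst) & 0xFF == 0xFF),
    ("pepsi", lambda p, u: {u.sport, u.dport} == {7, 19}),
    ("rc8", lambda p, u: u.sport == 7 and u.dport == 7),
    ("snmpnull", lambda p, u: u.dport == 161 and not u.data),
]

def _tcp(p):
    """Apply TCP_RULES to the segment carried in p.payload."""
    seg = p.payload
    hlen = (seg[12] >> 4) * 4 if len(seg) >= 20 else 0
    if not 20 <= hlen <= len(seg):  # assumed meaning of "bad TCP header length"
        return {"tcplen"}
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", seg[:14])
    t = NS(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags & ALL, data=seg[hlen:])
    return {name for name, rule in TCP_RULES if rule(p, t)}

def _udp(p):
    """Apply UDP_RULES to the datagram carried in p.payload."""
    d = p.payload
    ulen = struct.unpack("!H", d[4:6])[0] if len(d) >= 8 else 0
    if ulen < 8 or (not p.mf and ulen > len(d)):  # assumed meaning of "bad UDP header length"
        return {"udplen"}
    sport, dport = struct.unpack("!HH", d[:4])
    u = NS(sport=sport, dport=dport, data=d[8:ulen])
    return {name for name, rule in UDP_RULES if rule(p, u)}

def classify(pkt: bytes) -> set:
    """Names of the /stats/security/dos counters whose description matches a raw IPv4 packet."""
    if len(pkt) < 20:
        return {"iplen"}
    vihl, _, tot, _, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        return {"ipversion"}
    ihl = (vihl & 0x0F) * 4
    if ihl < 20 or not ihl <= tot <= len(pkt):  # assumed meaning of "bad ... length"
        return {"iplen"}
    p = NS(src=IPv4Address(src), dst=IPv4Address(dst), payload=pkt[ihl:tot],
           rsv=frag & 0x8000, df=frag & 0x4000, mf=frag & 0x2000, off=frag & 0x1FFF)
    hits = {name for name, rule in IP_RULES if rule(p)}
    if p.off == 0 and proto == 6:  # only the first fragment carries the transport header
        hits |= _tcp(p)
    elif p.off == 0 and proto == 17:
        hits |= _udp(p)
    return hits

# Constructed sample packets (documentation addresses, checksums left at zero).
def ipv4(src, dst, proto, payload=b"", frag=0):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + payload

def tcp(sport, dport, flags, seq=1000, ack=0, data=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + data

def udp(sport, dport, data=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

if __name__ == "__main__":
    print(sorted(classify(ipv4("192.0.2.10", "198.51.100.5", 6, tcp(40000, 80, 0)))))
```

Counters whose descriptions give no threshold (ipttl, fragdata, fragoff, icmpdata and similar) are left out because the help text does not say what "small" or "large" means.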
/stats/security/ipacl
IP Access Control List Statistics
The following IP Access Control List statistics can be viewed with this command:
[IP ACL Statistics Menu]
dump     - IP address access control Stats
clear    - Clear all access control Stats
Mask            Type            Blocked Packets
Mask
Type
Blocked Packets
/stats/security/udpblast
UDP Blast Statistics
[UDP Blast Statistics Menu]
dump     - UDP Blast Stats
clear    - Clear all UDP Blast Stats
/stats/security/udpblast/dump
UDP Blast Dump Statistics
UDP blast protection stats:
UDP Port        Blocked Packets
-------------------------
Description
UDP Port
Blocked Packets
/stats/security/pgroup
UDP Pattern Match Statistics
Pattern Match Group stats:
ID    Name                Hits
1                         0
This menu displays how many times each configured pattern group has been matched and a
subsequent filtering action performed. Pattern groups are configured in the Pattern Matching
Menu on page 404.
/stats/security/ratelim
Rate Limiting Statistics
Rate limiting stats:
TCP:
  Total hold downs triggered:          0
  Current per-client state entries:    0
UDP:
  Total hold downs triggered:          0
  Current per-client state entries:    0
ICMP:
  Total hold downs triggered:          0
  Current per-client state entries:    0
Description
Current per-client state entries
/stats/security/dump
Dump Statistics for Security
IP ACL stats:
Address                 Blocked Packets
------------------------------------------------------------
UDP blast protection stats:
UDP Port        Blocked Packets         Current Packet Rate/Second
------------------------------------------------------------
Pattern Match Group stats:
ID    Name                Hits
1                         0
100                       0
101                       0
------------------------------------------------------------
Rate limiting stats:
TCP:
  Total hold downs triggered:          0
  Current per-client state entries:    0
UDP:
  Total hold downs triggered:          0
  Current per-client state entries:    0
ICMP:
  Total hold downs triggered:          0
  Current per-client state entries:    0
/stats/mp
Management Processor Statistics
[MP-specific Statistics Menu]
pkt      - Show Packet and TCP stats
tcb      - Show All TCP control blocks in use
ucb      - Show All UDP control blocks in use
sfd      - Show All Socket FD in use
cpu      - Show CPU utilization
mem      - Show memory stats
/stats/mp/pkt
MP Packet Statistics
Packet counts:
  allocs:           89262      frees:                    89262
  mediums:              0      mediums hi-watermark:         4
  jumbos:               0      jumbos hi-watermark:          0
  smalls:               0      smalls hi-watermark:          4
  alloc fails:          0      packet discards:              0
TCP counts:
  allocs:            4866      frees:                     4827
  current:             46      current hi-watermark:       146
  alloc fails:          0      alloc discards:               0
Description
Packet counts:
allocs
Total number of packet allocations from the packet buffer pool by the
TCP/IP protocol stack.
frees
Total number of times the packet buffers are freed (released) to the packet
buffer pool by the TCP/IP protocol stack.
mediums
Total number of packet allocations with size between 128 and 1536 bytes
from the packet buffer pool by the TCP/IP protocol stack.
jumbos
smalls
Total number of packet allocations with size less than 128 bytes from the
packet buffer pool by the TCP/IP protocol stack.
alloc fails
Total number of packet allocation failures from the packet buffer pool by
the TCP/IP protocol stack.
frees
Total number of packets freed from the packet buffer pool by the TCP/IP
protocol stack.
mediums hi-watermark
The highest number of packet allocations with size between 128 and 1536
bytes from the packet buffer pool by the TCP/IP protocol stack.
jumbos hi-watermark
The highest number of packet allocations with size between 1536 bytes and
9K bytes from the packet buffer pool by the TCP/IP protocol stack.
smalls hi-watermark
The highest number of packet allocations with size less than 128 bytes
from the packet buffer pool by the TCP/IP protocol stack.
packet discards
The number of packets that are discarded by the MP. The packets are discarded because buffer resources are not available or the buffer threshold
is reached and the low priority packets are discarded.
TCP counts:
allocs
current
alloc fails
frees
Total number of times the TCP packet buffers are freed (released) to MP
memory by the TCP/IP protocol stack.
current hi-watermark
alloc discards
The number of TCP packets that are discarded by the MP. The packets
are discarded because MP memory resources are not available.
/stats/mp/tcb
TCP Statistics
All TCP allocated control blocks:
117f6d00: 0.0.0.0              0 <=> 0.0.0.0           80 listen
117f81a8: 47.81.27.6        1331 <=> 47.80.16.59       23 established
Description
117f6d00/117f81a8       Memory
0.0.0.0/47.81.27.6      Destination IP address
0/1331                  Destination port
0.0.0.0/47.80.16.59     Source IP
80/23                   Source port
listen/established      State
/stats/mp/ucb
UCB Statistics
All UDP allocated control blocks:
161: listen
1985: listen
3122: listen
Description
161/1985/3122
Listen
State
/stats/mp/sfd
MP-Specific SFD Statistics
All Socket FD allocated:
0 -1 16 1180b128: 0.0.0.0    0 <=> 47.133.88.31     81 listen TCP server
1 -1 17 108c5bd8: 0.0.0.0    0 <=> 47.133.88.31     23 listen TCP server
2 -1 18 108d5cfc: 0.0.0.0    0 <=> 47.133.88.31     22 listen TCP server
3 -1 19 1180a258: 0.0.0.0    0 <=> 47.133.88.31    443 listen TCP server
/stats/mp/cpu
CPU Statistics
This menu option enables you to display the CPU utilization statistics on MP.
CPU utilization:
cpuUtil1Second:      100%
cpuUtil4Seconds:     100%
cpuUtil64Seconds:    100%
Description
cpuUtil1Second
The percentage of CPU utilization as measured over the last one second
interval.
cpuUtil4Seconds
The percentage of CPU utilization as measured over the last four second
interval.
cpuUtil64Seconds
Description
maint
clear
cpu
Displays what percentage of the CPU has been utilized. To view a sample output and a description of the stats, see page 254.
0
0
0
0
/stats/sp/cpu
CPU Statistics
This menu option enables you to display the CPU utilization statistics on the Switch Processor
(SP).
CPU utilization for SP 1:
cpuUtil1Second:      6%
cpuUtil4Seconds:     6%
cpuUtil64Seconds:    6%
Description
cpuUtil1Second
The percentage of CPU utilization as measured over the last one second
interval.
cpuUtil4Seconds
The percentage of CPU utilization as measured over the last four second
interval.
cpuUtil64Seconds
/stats/pmirr
Port Mirroring Statistics Menu
[Port Mirroring Statistics Menu]
dump     - Port Mirroring Stats
clear    - Clear all Port Mirroring Stats
/stats/mgmt
Management Port Statistics
Management port interface statistics:
RX bytes:           0      TX bytes:            0
RX packets:         0      TX packets:          0
RX errors:          0      TX errors:           0
RX dropped:         0      TX dropped:          0
RX overruns:        0      TX overruns:         0
RX frame errors:    0      TX carrier errors:   0
RX multicast:       0      TX collisions:       0
Description
RX bytes
RX packets
RX errors
RX dropped
RX overruns
The number of received packets that were dropped because their size
exceeded that of the receive queue.
RX frame errors
RX multicast
TX bytes
TX packets
TX errors
TX dropped
TX overruns
TX carrier errors
Not applicable.
TX collisions
The number of collisions due to congestion on the medium. Collisions occur when two or more stations are transmitting signals at the
same time.
/stats/dump
Dump Statistics
Use the dump command to dump all switch statistics available from the Statistics Menu (40K or more,
depending on your configuration). This data can be used to tune or debug switch performance.
If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump commands.
256 Chapter 5: The Statistics Menu
320506-A, January 2006
CHAPTER 6
/cfg
Configuration Menu
[Configuration Menu]
sys      - System-wide Parameter Menu
port     - Port Menu
pmirr    - Port Mirroring Menu
bwm      - Bandwidth Management Menu
l2       - Layer 2 Menu
l3       - Layer 3 Menu
slb      - Server Load Balancing (Layer 4-7) Menu
security - Security Menu
sslproc  - SSL Processor Setup Menu
setup    - Step by step configuration set up
dump     - Dump current configuration to script file
ptcfg    - Backup current configuration to FTP/TFTP server
gtcfg    - Restore current configuration from FTP/TFTP server
NOTE The apply command is a global command. Therefore, you can enter apply at any
prompt in the administrative interface.
NOTE All configuration changes take effect immediately when applied, except for starting
Spanning Tree Protocol. To turn STP on or off, you must apply the changes, save them (see
below), and then reset the switch (see Resetting the Switch on page 517).
NOTE If you do not save the changes, they will be lost the next time the system is rebooted.
To save the new configuration, enter the following command at any CLI prompt:
# save
When you save configuration changes, the changes are saved to the active configuration block.
The configuration being replaced by the save is first copied to the backup configuration block.
If you do not want the previous configuration block copied to the backup configuration block,
enter the following instead:
# save n
You can decide which configuration you want to run the next time you reset the switch. Your
options include:
You can view all pending configuration changes that have been applied but not saved to flash
memory using the diff flash command. It is a global command that can be executed from
any menu.
For instructions on selecting the configuration to run at the next system reset, see Selecting a
Configuration Block on page 515.
/cfg/sys
System Configuration
[System Menu]
syslog   - Syslog Menu
mmgmt    - Management Port Menu
radius   - RADIUS Authentication Menu
tacacs   - TACACS+ Authentication Menu
ntp      - NTP Server Menu
sonmp    - SONMP Menu
ssnmp    - System SNMP Menu
health   - System Health Check Menu
access   - System Access Menu
date     - Set system date
time     - Set system time
timezone - Set system timezone (daylight savings)
idle     - Set timeout for idle CLI sessions
notice   - Set login notice
bannr    - Set login banner
smtp     - Set SMTP host
hprompt  - Enable/disable display hostname (sysName) in CLI prompt
bootp    - Enable/disable use of BOOTP
cur      - Display current system-wide parameters
This menu provides configuration of switch management parameters such as user and
administrator privilege mode passwords, Web-based management settings, and management
access list.
Table 6-2 System Configuration Menu Options (/cfg/sys)
Command Syntax and Usage
syslog
Displays the Syslog Menu. To view menu options, see page 263.
mmgmt
Displays Management Port Menu. To view menu options, see page 264.
radius
Displays the RADIUS Authentication Menu. To view menu options, see page 268.
tacacs
Displays TACACS+ authentication Menu. To view menu options, see page 270.
ntp
Displays the Network Time Protocol (NTP) Server Menu. To view menu options, see page 271.
/cfg/sys/syslog
System Host Log Configuration
NOTE Nortel Application Switch Operating System 23.0 supports the RFC 3164 standard for
Syslogs.
[Syslog Menu]
host
host2
sever
sever2
facil
facil2
console
log
cur
/cfg/sys/mmgmt
Management Port Configuration Menu
The Management port is a Fast Ethernet port that is used exclusively to manage the switch.
While the switch can be managed from any network port, using the Management port avoids consuming a port that could otherwise be used for processing data and traffic. The switch is managed through this port using either telnet CLI, SNMP, or HTTP. This port is isolated from and does not participate in the networking protocols that run on the network ports.
The Management port must be configured with a static IP address, subnet mask, broadcast
address, and default gateway, and must be enabled before it can be used. If this port is disabled,
the network ports have to perform all switch management (other than the switch management
using the console). If this port is enabled, the factory default settings for some of the management features remain with the network ports. You can change the defaults by configuring these
features to permanently use the management port, or in some cases, by using the operational
commands to set these options on a one-time basis.
NOTE The Management port does not support BOOTP.
[Management Port Menu]
port     - Management Port Phy Menu
addr     - Set IP address
mask     - Set subnet mask
gw       - Set default gateway address
intr     - Set interval between gateway ping attempts
retry    - Set number of failed attempts to declare gateway DOWN
dns      - Set default port for DNS
ntp      - Set default port for NTP
radius   - Set default port for RADIUS
tacacs   - Set default port for TACACS+
smtp     - Set default port for SMTP
snmp     - Set default port for SNMP traps
syslog   - Set default port for SYSLOG
sonmp    - Set default IP for SONMP hello packets
tftp     - Set default port for FTP/TFTP
wlm      - Set default port for Workload Manager
report   - Set default port for Reporting server
ena      - Enable management port
dis      - Disable management port
cur      - Display current configuration
/cfg/sys/mmgmt/port
Management Port Link Menu
[Management Port Link Menu]
speed    - Set link speed
mode     - Set full or half duplex mode
auto     - Set autonegotiation
cur      - Display current link configuration
/cfg/sys/radius
RADIUS Server Configuration
[RADIUS Server Menu]
prisrv   - Set primary RADIUS server address
secsrv   - Set secondary RADIUS server address
secret   - Set primary RADIUS server secret
secret2  - Set secondary RADIUS server secret
port     - Set RADIUS port
retries  - Set RADIUS server retries
timeout  - Set RADIUS server timeout
telnet   - Enable/disable RADIUS backdoor for telnet
on       - Turn RADIUS authentication ON
off      - Turn RADIUS authentication OFF
cur      - Display current RADIUS configuration
/cfg/sys/tacacs
TACACS+ Server Configuration Menu
TACACS (Terminal Access Controller Access Control System) is an authentication protocol
that allows a remote access server to forward a user's logon password to an authentication
server to determine whether access can be allowed to a given system. TACACS is not
an encryption protocol and is therefore less secure than the TACACS+ and Remote Authentication
Dial-In User Service (RADIUS) protocols. (Both TACACS and TACACS+ are described in
RFC 1492.)
The TACACS+ protocol is seen as more reliable than RADIUS because TACACS+ uses the Transmission Control Protocol (TCP) whereas RADIUS uses the User Datagram Protocol (UDP). Also,
RADIUS combines authentication and authorization in a user profile, whereas TACACS+ separates the two operations.
The TACACS+ protocol has been implemented on Nortel Application Switch Operating System to
support customers that use Cisco's TACACS+ protocol as their network security feature.
Apart from that, TACACS+ offers the following advantages over RADIUS as the authentication device:
[TACACS+ Server Menu]
prisrv   - Set primary TACACS+ server address
secsrv   - Set secondary TACACS+ server address
secret   - Set primary TACACS+ server secret
secret2  - Set secondary TACACS+ server secret
port     - Set TACACS+ TCP port
retries  - Set TACACS+ server retries
timeout  - Set TACACS+ server timeout (seconds)
telnet   - Enable/disable TACACS+ backdoor for telnet
on       - Turn TACACS+ authentication ON
off      - Turn TACACS+ authentication OFF
cur      - Display current TACACS+ configuration
/cfg/sys/ntp
NTP Server Configuration
This menu enables you to synchronize the switch clock to a Network Time Protocol (NTP)
server. By default, this option is disabled.
[NTP Server Menu]
prisrv   - Set primary NTP server address
secsrv   - Set secondary NTP server address
intrval  - Set NTP server resync interval
tzone    - Set NTP timezone offset from GMT
on       - Turn NTP service ON
off      - Turn NTP service OFF
cur      - Display current NTP configuration
/cfg/sys/sonmp
SynOptics Network Management Protocol Configuration
[SONMP Menu]
srcif
on
off
cur
/cfg/sys/ssnmp
System SNMP Configuration
Nortel Application Switch Operating System supports SNMP-based network management. In
the SNMP model of network management, a management station (client/manager) accesses a set
of variables known as MIBs (Management Information Bases) provided by the managed device
(agent). If you are running an SNMP network management station on your network, you can
manage the switch using the following standard SNMP MIBs:
An SNMP agent is a software process on the managed device that listens on UDP port 161 for
SNMP messages. Each SNMP message sent to the agent contains a list of management objects
to retrieve or to modify.
SNMP parameters that can be modified include:
System name
System location
System contact
NOTE This command is applicable only to SNMPv1 and SNMPv2 traps because only
the SNMPv1 and SNMPv2 trap packets contain the source IP address that can be
set with this command. The SNMPv3 packets do not contain this field.
timeout <SNMP state machine timeout minutes, 1-30>
Defines the timeout period for SNMP state machine. When you use diff and apply, memory is
allocated to store the output of the command. The timeout period determines when the
resources/memory allocated for the output will be freed.
auth disable|enable
Enables or disables the use of the system authentication trap facility. The default setting is disabled.
linkt <port> <disable|enable>
Enables or disables the sending of SNMP link up and link down traps. The default setting is
enabled.
cur
Displays the current STP port parameters.
/cfg/sys/ssnmp/snmpv3
SNMPv3 Configuration Menu
SNMP version 3 (SNMPv3) is an extensible SNMP Framework that supplements the SNMPv2
Framework by supporting the following:
access control
For more details on the SNMPv3 architecture please refer to RFC2271 to RFC2276.
[SNMPv3 Menu]
usm
view
access
group
comm
taddr
tparam
notify
v1v2
cur
defines a set of services that an application can use for checking access rights of the user.
You need access control when you have to process retrieval or modification request
from an SNMP entity. To view menu options, see page 280.
A group maps the user name to the access group names and their access rights needed to
access SNMP management objects. A group defines the access rights assigned to all
names that belong to a particular group. To view menu options, see page 282.
comm <snmpCommunity number [1-16]>
The community table contains objects for mapping community strings and version-independent
SNMP message parameters. To view menu options, see page 283.
taddr <snmpTargetAddr number [1-16]>
This command allows you to configure destination information, consisting of a transport domain
and a transport address. This is also termed as transport endpoint. The SNMP MIB provides a
mechanism for performing source address validation on incoming requests, and for selecting community strings based on target addresses for outgoing notifications. To view menu options, see
page 284.
tparam <target params index [1-16]>
This command allows you to configure SNMP parameters, consisting of message processing
model, security model, security level, and security name information. There may be multiple transport endpoints associated with a particular set of SNMP parameters, or a particular transport endpoint may be associated with several sets of SNMP parameters. To view menu options, see
page 285.
notify <notify index [1-16]>
A notification application typically monitors a system for particular events or conditions, and generates Notification-Class messages based on these events or conditions. To view menu options, see
page 286.
v1v2 disable|enable
This command allows you to enable or disable the access to SNMP version 1 and version 2. This
command is enabled by default.
cur
Displays the current SNMPv3 configuration.
/cfg/sys/ssnmp/snmpv3/usm
User Security Model Configuration Menu
You can make use of a defined set of user identities using this Security Model. An SNMP
engine must have the knowledge of applicable attributes of a user.
This menu helps you create a user security model entry for an authorized user. You need to provide a security name to create the USM entry.
[SNMPv3 usmUser 1 Menu]
name     - Set USM user name
auth     - Set authentication protocol
authpw   - Set authentication password
priv     - Set privacy protocol
privpw   - Set privacy password
del      - Delete usmUser entry
cur      - Display current usmUser configuration
/cfg/sys/ssnmp/snmpv3/view
SNMPv3 View Configuration Menu
[SNMPv3 vacmViewTreeFamily 1 Menu]
name     - Set view name
tree     - Set MIB subtree(OID) which defines a family of view subtrees
mask     - Set view mask
type     - Set view type
del      - Delete vacmViewTreeFamily entry
cur      - Display current vacmViewTreeFamily configuration
/cfg/sys/ssnmp/snmpv3/access
View-based Access Control Model Configuration Menu
The view-based Access Control Model defines a set of services that an application can use for
checking access rights of the user. Access control is needed when the user has to process
SNMP retrieval or modification request from an SNMP entity.
[SNMPv3 vacmAccess 1 Menu]
name     - Set group name
prefix   - Set content prefix
model    - Set security model
level    - Set minimum level of security
match    - Set prefix only or exact match
rview    - Set read view index
wview    - Set write view index
nview    - Set notify view index
del      - Delete vacmAccess entry
cur      - Display current vacmAccess configuration
/cfg/sys/ssnmp/snmpv3/group
SNMPv3 Group Configuration Menu
[SNMPv3 vacmSecurityToGroup 1 Menu]
model    - Set security model
uname    - Set USM user name
gname    - Set group gname
del      - Delete vacmSecurityToGroup entry
cur      - Display current vacmSecurityToGroup configuration
/cfg/sys/ssnmp/snmpv3/comm
SNMPv3 Community Table Configuration Menu
This command is used for configuring the community table entry. The configured entry is
stored in the community table list in the SNMP engine. This table is used to configure community strings in the Local Configuration Datastore (LCD) of SNMP engine.
[SNMPv3 snmpCommunityTable 1 Menu]
index    - Set community index
name     - Set community string
uname    - Set USM user name
tag      - Set community tag
del      - Delete communityTable entry
cur      - Display current communityTable configuration
/cfg/sys/ssnmp/snmpv3/taddr
SNMPv3 Target Address Table Configuration Menu
This command is used to configure the target transport entry. The configured entry is stored in
the target address table list in the SNMP engine. This table of transport addresses is used in the
generation of SNMP messages.
[SNMPv3 snmpTargetAddrTable 1 Menu]
name     - Set target address name
addr     - Set target transport address IP
port     - Set target transport address port
taglist  - Set tag list
pname    - Set targetParams name
del      - Delete targetAddrTable entry
cur      - Display current targetAddrTable configuration
/cfg/sys/ssnmp/snmpv3/tparam
SNMPv3 Target Parameters Table Configuration Menu
You can configure the target parameters entry and store it in the target parameters table in the
SNMP engine. This table contains parameters that are used to generate a message. The parameters include the message processing model (for example: SNMPv3, SNMPv2c, SNMPv1), the
security model (for example: USM), the security name, and the security level (noAuthNoPriv, authNoPriv, or authPriv).
[SNMPv3 snmpTargetParamsTable 1 Menu]
name     - Set target params name
mpmodel  - Set message processing model
model    - Set security model
uname    - Set USM user name
level    - Set minimum level of security
del      - Delete targetParamsTable entry
cur      - Display current targetParamsTable configuration
/cfg/sys/ssnmp/snmpv3/notify
SNMPv3 Notify Table Configuration Menu
SNMPv3 uses Notification Originator to send out traps. A notification typically monitors a system for
particular events or conditions, and generates Notification-Class messages based on these events or conditions.
[SNMPv3 snmpNotifyTable 1 Menu]
name     - Set notify name
tag      - Set notify tag
del      - Delete notifyTable entry
cur      - Display current notifyTable configuration
/cfg/sys/health
System Health Check Configuration Menu
[System TCP Health Menu]
add      - Add TCP services to listen for health check
rem      - Remove TCP services from listening
on       - Turn system TCP health services ON
off      - Turn system TCP health services OFF
cur      - Display current TCP health services configuration
/cfg/sys/access
System Access Control Configuration
[System Access Menu]
mgmt     - Management Network Access Menu
port     - Port Management Access Menu
user     - User Access Control Menu (passwords)
https    - HTTPS (Web) Server Access Menu
sshd     - SSH Server Menu
xml      - XML Configuration Access Menu
http     - Enable/disable HTTP (Web) server access
wport    - Set HTTP (Web) server port number
snmp     - Set SNMP access control
tnport   - Set Telnet server port number
rlimit   - Set max rate of ARP, ICMP, TCP, or UDP packets to MP
cur      - Display current system access configuration
/cfg/sys/access/mgmt
Management Networks Menu
This menu is used to define IP address ranges which are allowed to access the switch
for management purposes. Nortel Application Switch Operating System 23.0 supports up to 10
management networks.
NOTE The add and rem commands below replace the /cfg/sys/mnet and /cfg/sys/mmask
commands found in earlier releases of Nortel Application Switch Operating System.
[Management Networks Menu]
add      - Add mgmt network definition
rem      - Remove mgmt network definition
cur      - Display current mgmt network definitions
/cfg/sys/access/port
Port Management Access Menu
[Port Management Access Menu]
add      - Add port with management access
aadd     - Add all ports with management access
rem      - Remove port from management access
arem     - Remove all ports from management access
cur      - Display current ports with management access
/cfg/sys/access/user
User Access Control Menu
uid      - User ID Menu
usrpw    - Set user password (user)
sopw     - Set SLB operator password (slboper)
l4opw    - Set L4 operator password (l4oper)
opw      - Set operator password (oper)
sapw     - Set Slb administrator password (slbadmin)
l4apw    - Set L4 administrator password (l4admin)
admpw    - Set administrator password (admin)
cur      - Display current user status
/cfg/sys/access/user/uid
System User ID Configuration Menu
This feature allows the users to operate the real servers assigned to them. Using this command
you can list the current status of the real server including the real server number, the real server
name, the operational state of the real server, and the number of current sessions. You can
enable or disable the real servers and change the password for accessing these real servers.
[User ID 1 Menu]
cos      - Set class of service
name     - Set user name
pswd     - Set user password
add      - Add real server
rem      - Remove real server
ena      - Enable user ID
dis      - Disable user ID
del      - Delete user ID
cur      - Display current user configuration
/cfg/sys/access/https
HTTPS Access Configuration Menu
[https Menu]
https
port
generate
certSave
cur
/cfg/sys/access/sshd
SSH Server Menu
[SSH Server Menu]
sshport  - Set SSH server port number
ena      - Enable SCP apply and save
on       - Turn SSH server ON (SSHv1/SSHv2)
cur      - Display current SSH server configuration
/cfg/sys/access/xml
XML Configuration Access Menu
[XML Config Access Menu]
xml      - Enable/disable XML config access
port     - Set XML server port number
gtcert   - Import XML client certificate
delcert  - Delete XML client certificate
dispcert - Display XML client certificate
debug    - Debug XML operations
cur      - Display current XML config access configuration
/cfg/sys/access/xml/xml
Example of enabling or disabling XML access
Current XML access: disabled
Pending new XML access: enabled
Enter new XML access [d/e]:
/cfg/sys/timezone
Configure the Timezone
>> Main# /cfg/sys/timezone
Please identify a location so that time zone rules can be set correctly.
Please select a continent or ocean.
1) Africa
2) Americas
3) Antarctica
4) Arctic Ocean
5) Asia
6) Atlantic Ocean
7) Australia
8) Europe
9) Indian Ocean
10) Pacific Ocean
11) None - disable timezone setting
Enter the number of your choice: 2
Please select a country.
 1) Anguilla              18) Ecuador               35) Paraguay
 2) Antigua & Barbuda     19) El Salvador           36) Peru
 3) Argentina             20) French Guiana         37) Puerto Rico
 4) Aruba                 21) Greenland             38) St Kitts & Nevis
 5) Bahamas               22) Grenada               39) St Lucia
 6) Barbados              23) Guadeloupe            40) St Pierre & Miquelon
 7) Belize                24) Guatemala             41) St Vincent
 8) Bolivia               25) Guyana                42) Suriname
 9) Brazil                26) Haiti                 43) Trinidad & Tobago
10) Canada                27) Honduras              44) Turks & Caicos Is
11) Cayman Islands        28) Jamaica               45) United States
12) Chile                 29) Martinique            46) Uruguay
13) Colombia              30) Mexico                47) Venezuela
14) Costa Rica            31) Montserrat            48) Virgin Islands (UK)
15) Cuba                  32) Netherlands Antilles  49) Virgin Islands (US)
16) Dominica              33) Nicaragua
17) Dominican Republic    34) Panama
Enter the number of your choice: 10
The commands on Nortel Application Switch Operating System 2000 series and their description are
as follows:
[Port <port_number> Menu]
fast     - Fast Phy Menu
gig      - Gig Phy Menu
pvid     - Set default port VLAN id
alias    - Set port alias
name     - Set port name
cont     - Set default port BW Contract
nonip    - Set BW Contract for non-IP traffic
egbw     - Set port egress bandwidth Limit
rmon     - Enable/Disable RMON for port
tag      - Enable/disable VLAN tagging for port
iponly   - Enable/disable allowing only IP related frames at ingress
ena      - Enable port
dis      - Disable port
cur      - Display current port configuration
Use these menu options to set port parameters for the port link.
NOTE If the port does not have a Gig Ethernet physical link, the following message is displayed:
>> Port 1# gig
Current Port 1 does not have Gig Ethernet phy.
NOTE Since the speed and mode parameters cannot be set for Gigabit Ethernet ports, these
options do not appear on the Gigabit Link Menu.
Link menu options are described in Table 6-38 and appear on the fast and gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set
port parameters such as speed, flow control, and negotiation mode for the port link.
Table 6-31 Port Link Configuration Menu Options (/cfg/port/fast|gig)
Command Syntax and Usage
speed 10|100|any
Sets the link speed. Not all options are valid on all ports. The choices include:
Any for automatic detection (default)
10 Mbps
100 Mbps
auto on|off
Enables or disables auto negotiation for the port.
cur
Displays the current port parameters.
Nortel Application Switch 3408 (1U)
10/100/1000Base-T Copper Port Numbers: 1, 2, 7, 8
Dual-Mode Port Numbers: 3-6
SFP GBIC Fiber Port Numbers: 9-12
Four 1000BaseT ports (1, 2, 7, and 8) with RJ-45 connectors. The ports are autonegotiating and support half or full duplex operation.
Four dual-mode ports (3, 4, 5, and 6). These ports have two interfaces each: 1000 Mbps
SFP GBIC and 10/100/1000Base-T Copper. When the 1000 Mbps SFP GBIC port is
selected as the preferred link, it is fixed at 1000 Mbps, full-duplex with autonegotiation
turned on. When the 10/100/1000Base-T copper port is selected as the preferred link, it
can be configured at any speed. However, if 1000 Mbps is selected, autonegotiation must
be turned on. You can set either interface as the preferred or backup link. See Dual-Mode
Ports on page 311 for more details.
Four Small Form Pluggable (SFP) GBIC Fiber ports (9-12). These ports are designed to
operate at 1000 Mbps and full duplex mode only.
NOTE For more information on connectors, refer to the Nortel Application Switch Operating
System Hardware Installation Guide Part Number 315393-E.
Single-Mode ports
10/100/1000Base-T Copper Ports
When you select a single-mode copper port (1, 2, 7, or 8), you see the menu below:
[Port 1 Menu]
fast
gig
pvid
alias
name
cont
nonip
egbw
rmon
tag
iponly
ena
dis
cur
Use these menu options to set port parameters for the port link. Link menu options are
described in Table 6-38 and appear on the gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as speed, flow
control, and negotiation mode for the port link.
Table 6-34 Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu
Options (/cfg/port <1, 2, 7, or 8>/gig)
Command Syntax and Usage
speed 10|100|1000|any
Sets the link speed. Not all options are valid on all ports. The choices include:
mode full|half|any
Sets the operating mode. The choices include:
Any for auto negotiation (default)
Full-duplex
Half-duplex
fctl rx|tx|both|none
Sets the flow control. This command is available only in the Fast Link Menu. The choices include:
auto on|off
Enables or disables autonegotiation for the port.
cur
Displays the current Gigabit Ethernet copper link port parameters.
Table 6-35 Single-Mode SFP Gigabit Ethernet Port Configuration Menu Options
(/cfg/port <9-12>)
Command Syntax and Usage
gig
If a port is configured to support Gigabit Ethernet, this option displays the SFP Gigabit Ethernet
Physical Link Menu. To view menu options, see page 310.
pvid <VLAN number (1-4090)>
Sets the default VLAN number which will be used to forward frames which are not VLAN tagged.
The default number is 1.
name <64 character string>|none
Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to None.
cont <BWM Contract (1-1024)>
Sets the default Bandwidth Management Contract for this port.
rmon disable|enable
Disables or enables RMON for this port. It is disabled by default.
tag disable|enable
Disables or enables VLAN tagging for this port. It is disabled by default.
iponly disable|enable
Disables or enables allowing only IP-related frames. It is disabled by default.
ena
Enables the port.
dis
Disables the port. (To temporarily disable a port without changing its configuration attributes, refer
to Temporarily Disabling a Port on page 314.)
cur
Displays the current port parameters.
Menu]
- Set flow control
- Set auto negotiate
- Display current SFP gig link configuration
Use these menu options to set port parameters for the port link.
Link menu options are described in Table 6-38 and appear on the gig port configuration
menus for the Nortel Application Switch. Using these configuration menus, you can set port
parameters such as flow control, and negotiation mode for the port link.
Table 6-36 Single-Mode SFP Gigabit Ethernet Port Link Configuration Menu
Options (/cfg/port <9-12>/gig)
Command Syntax and Usage
fctl rx|tx|both|none
Sets the flow control. The choices include:
auto on|off
Enables or disables autonegotiation for the port.
cur
Displays the current SFP Gigabit Ethernet link port parameters.
Dual-Mode Ports
When you select any one of the dual-mode ports (3-6), you see the menu below:
[Port 3 Menu]
cop
sfp
pref
back
pvid
name
cont
rmon
tag
iponly
ena
dis
cur
Use these menu options to set port parameters for the port link.
Link menu options are described in Table 6-38 and appear on the cop port configuration
menus for the Nortel Application Switch. Using these configuration menus, you can set port
parameters such as speed, flow control, and negotiation mode for the port link.
Table 6-38 Dual-Mode Copper Port Link Configuration Menu Options (/cfg/port <3-6>/cop)
Command Syntax and Usage
speed 10|100|1000|any
Sets the link speed. Not all options are valid on all ports. The choices include:
mode full|half|any
Sets the operating mode. The choices include:
Any for autonegotiation (default)
Full-duplex
Half-duplex
fctl rx|tx|both|none
Sets the flow control. The choices include:
auto on|off
Enables or disables auto negotiation for the port.
cur
Displays the current Gigabit Ethernet copper link port parameters.
Menu]
- Set flow control
- Display current SFP gig link configuration
cur
Displays the current SFP Gigabit link port configuration.
Because this configuration sets a temporary state for the port, you do not need to use apply or
save. The port state will revert to its original configuration when the Nortel Application Switch
is reset. See the Operations Menu on page 499 for other operations-level commands.
/cfg/pmirr
Port Mirroring Menu
[Port Mirroring Menu]
mirror  - Enable/Disable Mirroring
monport - Configure Monitor Port
cur     - Display All Mirrored and Monitored Ports and VLANs
/cfg/pmirr monport
Port-Mirroring Menu
>> Port Mirroring# monport
Enter port (1-28): <port_number>
------------------------------------------------------------
[Port 1 Menu]
add - Add "Mirrored" port and VLANs
rem - Rem "Mirrored" port and VLANs
cur - Display current Port-based Port Mirroring configuration
/cfg/bwm
Bandwidth Management Configuration
Bandwidth Management (BWM) enables Web site managers to allocate a portion of the available bandwidth for specific users or applications. It allows companies to guarantee that critical
business traffic, such as e-commerce transactions, receives higher priority than non-critical
traffic. Traffic classification can be based on user or application information. BWM policies
can be configured to set lower and upper bounds on the bandwidth allocation.
NOTE BWM is a software key-enabled feature that requires users to purchase a license and a
key. In order to enable BWM, users need to enter the Bandwidth Management key using the
/oper/swkey command.
By default, BWM is turned off.
Refer to your Application Guide for more information.
NOTE Up to 1024 bandwidth management contracts can be configured on the Nortel Application Switch Operating System.
Table 6-42 Bandwidth Management Menu Options (/cfg/bwm)
Command Syntax and Usage
cont <BW contract number (1-1024)>
Displays the Bandwidth Management Contract Menu. To manage bandwidth on a Nortel
Application Switch, you must create one or more bandwidth management contracts. The
switch uses these contracts to limit individual traffic flows. For further details, see the
Nortel Application Switch Operating System 23.0.2 Application Guide.
By default, this option is disabled. To view menu options, see page 319.
tions defined for any set of frames, specifying the guaranteed bandwidth rates. A bandwidth policy is often based on a rate structure whereby a Web host could charge a
customer for bandwidth utilization. For further details, see the Nortel Application Switch
Operating System 23.0.2 Application Guide.
To view menu options, see page 322.
This feature enables the user to configure different policies based on the time of the day using
the following menu and commands:
[BW Contract 1 Time Policy 1 Menu]
day     - Set Time Policy day
from    - Set Time Policy from hour
to      - Set Time Policy to hour
policy  - Set Time Policy
enable  - Enable Time Policy
disable - Disable Time Policy
delete  - Delete Time Policy
cur     - Display current Time Policy configuration
Table 6-44 BWM Contract Time Policy Configuration Menu Options (/cfg/bwm/
timepol)
Command Syntax and Usage
day <mon|tue|wed|thu|fri|sat|sun|weekday|weekend|everyday>
Defines the day(s) of the week, weekdays (Monday to Friday), weekend (Saturday and Sunday) or
everyday. The default is everyday.
from <1-12am/pm>
Defines the start of the time period, in hours. If am or pm is not specified, the
switch will default to am for numbers lower than 12 and will default to pm for numbers 13 or
higher.
to <1-12am/pm>
Sets the end of the time period, in hours. If am or pm is not specified, the switch will default to am for
numbers lower than 12 and will default to pm for numbers 13 or higher.
policy <BW Policy number, 1-512>
Defines the policy number for the contract.
enable
Enables the Time Policy command on the switch.
disable
Disables the Time Policy command on the switch.
delete
Deletes the current Time Policy.
cur
Displays the current Time Policy configuration on the switch. For example:
Time Policy 1:
Day everyday, From Hour 12am, To Hour 12am, Policy 512, disabled
/cfg/bwm/group
Bandwidth Management Group Configuration Menu
[BW Group 1 Menu]
add - Add Contract to this group
rem - Remove Contract from this group
del - Delete BW Group
cur - Display current BW Group configuration
/cfg/bwm/cur
Bandwidth Management Current Configuration
Current Bandwidth Management setting: ON
Policy Enforcement: enabled
SMTP server user name:
Contract  Name     Policy  Prec  Hist  TOS  State  Shaping
1         cont_1   1       1     E     E    E      E
2         cont_2   2       1     E     D    D      D
1024      Default  -       0     E     D    E      D
*Default contract gets all the BW that is available on
a port after the active contracts reserved BW is taken.
Policy  Hard  Soft
1       25M   20M
2       10M   8M
3       2M    1M
4       2M    1M
5       2M    1M
6       2M    1M
7       2M    1M
8       2M    1M
9       2M    1M
10      2M    1M
11      2M    1M
12      2M    1M
13      2M    1M
14      2M    1M
15      2M    1M
16      2M    1M
17      2M    1M
18      2M    1M
19      2M    1M
20      2M    1M
21      2M    1M
22      2M    1M
23      2M    1M
24      2M    1M
25      2M    1M
26      2M    1M
27      2M    1M
28      2M    1M
29      2M    1M
30      2M    1M
/cfg/l2
Layer 2 Configuration Menu
[Layer 2 Menu]
mrst
stg
trunk
lacp
vlan
team
ntmstg
cur
-
/cfg/l2/mrst
Multiple Spanning Tree Menu
[Multiple Spanning Tree Menu]
cist    - Common and Internal Spanning Tree menu
name    - Set MST region name
version - Set Version of this MST region
maxhop  - Set Maximum Hop Count for MST (4 - 60)
mode    - Spanning Tree Mode
on      - Globally turn Multiple Spanning Tree (MSTP/RSTP) ON
off     - Globally turn Multiple Spanning Tree (MSTP/RSTP) OFF
cur     - Display current MST parameters
/cfg/l2/mrst/cist
Multiple Spanning Tree Menu
[Common Internal Spanning Tree Menu]
brg     - CIST Bridge parameter menu
port    - CIST Port parameter menu
default - Default Common Internal Spanning Tree and Member parms
cur     - Display current CIST parameters
/cfg/l2/mrst/cist/brg
CIST Bridge Menu
[CIST Bridge Menu]
prior - Set CIST bridge Priority (0-65535)
mxage - Set CIST bridge Max Age (6-40 secs)
fwd   - Set CIST bridge Forward Delay (4-30 secs)
cur   - Display current CIST bridge parameters
/cfg/l2/mrst/cist/brg cur
Current configuration for CIST Bridge
>> CIST Bridge# cur
------------------------------------------------------------------
Current Common Internal Spanning Tree settings:
Bridge params: Priority MaxAge FwdDel
               32768    20     15
Description
Priority
MaxAge
FwdDel
/cfg/l2/stg
Spanning Tree Group Configuration
Spanning Tree Protocol (STP) detects and eliminates logical loops in a bridged or switched
network. When multiple paths exist on a network, STP configures the network so that a switch
uses only the most efficient path and forces the redundant data paths into a standby (blocked)
state. If the active path fails, Spanning Tree automatically sets up another active path on the
network to sustain network operations. Thus, STP is used to prevent loops in the network topology.
Nortel Application Switch Operating System supports the IEEE 802.1p Spanning Tree Protocol (STP). Nortel Application Switch Operating System supports up to 16 instances of Spanning Trees or Spanning Tree groups. Each VLAN can be placed in only one Spanning Tree
group per switch except for the default Spanning Tree group (STG 1). The default Spanning
Tree group (1) can have more than one VLAN. Each of the other Spanning Tree groups (2-16) can
have only one VLAN associated with it. Spanning Tree can be enabled or disabled for each
port. Multiple Spanning Trees can be enabled on tagged or untagged ports. See your Application Guide for a detailed description of this feature and how to configure Spanning Tree
Groups on the switch.
This command is turned on by default.
[Spanning Tree Group 1 Menu]
brg     - Bridge parameter menu
port    - Port parameter menu
add     - Add VLAN(s) to Spanning Tree Group
remove  - Remove VLAN(s) from Spanning Tree Group
clear   - Remove all VLANs from Spanning Tree Group
on      - Globally turn Spanning Tree ON
off     - Globally turn Spanning Tree OFF
default - Default Spanning Tree and Member parameters
cur     - Display current bridge parameters
NOTE When VRRP is used for active/active redundancy, STP must be enabled.
Table 6-52 Spanning Tree Configuration Menu (/cfg/l2/stp)
Command Syntax and Usage
brg
Displays the Bridge Spanning Tree Menu. To view menu options, see page 331.
port <port number>
Displays the Spanning Tree Port Menu. To view menu options, see page 332.
add <VLAN numbers (1-4090)>
Associates a VLAN with a spanning tree and requires an external VLAN ID as a parameter.
remove <VLAN numbers, 1-4095 (802.1d & RSTP) / 2-4094 (MSTP)>
Breaks the association between a VLAN and a spanning tree and requires an external VLAN ID as
a parameter.
clear
Removes all VLANs from a spanning tree.
on
Globally enables Spanning Tree Protocol.
off
Globally disables Spanning Tree Protocol.
default
Resets STG and Group member parameters to factory default.
cur
Displays the current Spanning Tree Protocol parameters.
/cfg/l2/stg/brg
Bridge Spanning Tree Configuration
[Bridge Spanning Tree Menu]
prior - Set bridge Priority [0-65535]
hello - Set bridge Hello Time [1-10 secs]
mxage - Set bridge Max Age (6-40 secs)
fwd   - Set bridge Forward Delay (4-30 secs)
aging - Set bridge Aging Time (1-65535 secs, 0 to disable)
cur   - Display current bridge parameters
Spanning Tree bridge parameters affect the global STP operation of the switch. STP bridge
parameters include:
Bridge priority
Forwarding delay
When configuring STP bridge parameters, the following formulas must be used:
Spanning Tree port parameters are used to modify STP operation on an individual port basis.
STP port parameters include:
Port priority
Any physical switch port can belong to no more than one trunk group.
Up to eight ports/trunks can belong to the same trunk group.
Best performance is achieved when all ports in a trunk are configured for the same speed.
Trunking from non-Nortel devices must comply with Cisco EtherChannel technology.
/cfg/l2/lacp
Link Aggregation Control Protocol Menu
Nortel Application Switch Operating System 23.0.2 supports the IEEE 802.3ad standard. At the
core of the 802.3ad standard is the Link Aggregation Control Protocol (LACP). This protocol
allows the user to group several physical ports into one logical port (an LACP trunk group)
with any switch that supports the IEEE 802.3ad standard (LACP). You can configure trunk groups
manually (static trunks), or you can configure dynamic trunk groups using the IEEE 802.3ad
standard (LACP trunks). The maximum number of configurable trunk groups is 40: 12 user
configurable trunks and 28 LACP trunks, depending upon the maximum number of ports in the
switch. The maximum number of active physical ports in any trunk group is eight and the number
of standby ports is also eight.
The 802.3ad standard allows two or more standard Ethernet links to form a single Layer 2 link
using the Link Aggregation Control Protocol (LACP). Link aggregation is a method of grouping physical link segments of the same media type and speed in full duplex, and treating them
as if they were part of a single, logical link segment. If a link in a LACP trunk group fails, traffic is reassigned dynamically to the remaining links of the LACP trunk group or is assigned to
the standby LACP links.
NOTE Refer to IEEE 802.3ad-2000 for detailed information about the standard.
LACP automatically determines which member links can be aggregated and then aggregates
them. It provides for the controlled addition and removal of physical links for the link aggregation.
Each external port in the Nortel Application Switch Operating System can have one of the following LACP modes.
off (default)
The user can configure this port to a regular static trunk group. When the system initializes, all ports are in off mode by default.
active
The port is capable of forming an LACP trunk. This port initiates negotiation with the
partner system port by sending LACPDU (Link Aggregation Control Protocol Data Unit)
packets.
passive
The port is capable of forming an LACP trunk. This port only responds to the negotiation
requests sent from an LACP active port.
Each LACP active or passive port needs an admin key, an operational key, and an aggregator
for LACP to start negotiation on these ports. You need to assign the same admin key to a group
of ports to make them aggregatable. The link can generate a Link Aggregation ID (LAG ID)
based on the operational key. All the aggregatable ports must have the same LAG ID. You can
form an active LACP trunk group with all the ports that have the same LAG ID.
Please refer to your Nortel Application Switch Operating System Application Guide for
detailed information on this protocol.
NOTE All ports are in LACP off mode by default.
Use the following commands to configure LACP on the Nortel Application Switch Operating
System.
[LACP Menu]
sysprio - Set LACP system priority
timeout - Set LACP system timeout scale for timing out partner info
port    - LACP port Menu
cur     - Display current LACP configuration
Use the following commands to configure Link Aggregation Control Protocol (LACP) on a
selected port.
Table 6-57 Link Aggregation Control Protocol Port Configuration Menu Options
(/cfg/l2/lacp/port #)
Command Syntax and Usage
mode <off for no LACP or active or passive>
off: Using this option, you can turn LACP off for this port. You can use this port to manually
configure a static trunk. All ports are in off mode by default.
active: Using this option, you can turn LACP on and set this port to active. Only active
ports initiate negotiation with the partner system port by sending the LACPDU packets.
passive: Using this option, you can turn LACP on and set this port to passive mode.
Passive ports do not initiate negotiation, but only respond to the negotiation requests from
active ports.
prio <1-65535>
Sets the priority value for the selected port. Lower numbers provide higher priority. The default
value is 128.
adminkey <1-65535>
Sets the admin key for this port. Only ports with the same admin key and oper key (operational
state generated internally) can form an LACP trunk group.
cur
Displays the current LACP configuration for this port.
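The mode, prio and adminkey rules described above can be checked against a planned port layout before it is applied. The following is an added example, not code from the Nortel documentation: the partner_mode field, the sample ports, the tie-break on port number, and the simplification that the operational key follows the admin key are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

MAX_ACTIVE = 8    # active physical ports per trunk group (from the text)
MAX_STANDBY = 8   # standby ports per trunk group (from the text)
MODES = {"off", "active", "passive"}


@dataclass(frozen=True)
class Port:
    number: int
    mode: str                   # /cfg/l2/lacp/port mode
    adminkey: int               # /cfg/l2/lacp/port adminkey (1-65535)
    prio: int = 128             # /cfg/l2/lacp/port prio; lower number wins
    partner_mode: str = "off"   # assumed: LACP mode at the far end of the link


def negotiates(local_mode, partner_mode):
    """LACP comes up only if both ends run LACP and at least one is active."""
    if local_mode not in MODES or partner_mode not in MODES:
        raise ValueError("mode must be off, active or passive")
    pair = (local_mode, partner_mode)
    return "off" not in pair and "active" in pair


def plan_trunks(ports):
    """Group negotiating ports by admin key, then split active/standby.

    Returns (plan, idle): plan maps admin key -> port numbers per role,
    idle maps port number -> reason the port joins no LACP trunk.
    """
    groups = defaultdict(list)
    idle = {}
    for p in ports:
        if not 1 <= p.adminkey <= 65535 or not 1 <= p.prio <= 65535:
            raise ValueError(f"port {p.number}: adminkey/prio out of range")
        if p.mode == "off":
            idle[p.number] = "LACP off (usable in a static trunk)"
        elif p.partner_mode == "off":
            idle[p.number] = "partner has LACP off"
        elif not negotiates(p.mode, p.partner_mode):
            idle[p.number] = "both ends passive, nobody sends the first LACPDU"
        else:
            groups[p.adminkey].append(p)

    plan = {}
    for key, members in groups.items():
        # Assumed ordering: port priority first, port number as tie-break.
        ordered = [p.number for p in sorted(members, key=lambda p: (p.prio, p.number))]
        plan[key] = {
            "active": ordered[:MAX_ACTIVE],
            "standby": ordered[MAX_ACTIVE:MAX_ACTIVE + MAX_STANDBY],
            "excluded": ordered[MAX_ACTIVE + MAX_STANDBY:],
        }
    return plan, idle


# Constructed sample layout (not taken from a real switch).
SAMPLE_PORTS = [
    Port(1, "active", 100, partner_mode="passive"),
    Port(2, "active", 100, partner_mode="active"),
    Port(3, "passive", 100, partner_mode="active"),
    Port(4, "passive", 100, partner_mode="passive"),
    Port(5, "off", 100, partner_mode="active"),
    Port(6, "active", 200, prio=10, partner_mode="active"),
    Port(7, "active", 200, partner_mode="passive"),
] + [
    # Ten ports share key 300; port 18 is given the best priority.
    Port(n, "active", 300, prio=1 if n == 18 else 128, partner_mode="active")
    for n in range(9, 19)
]

if __name__ == "__main__":
    plan, idle = plan_trunks(SAMPLE_PORTS)
    for key in sorted(plan):
        print(key, plan[key])
    for number in sorted(idle):
        print(number, idle[number])
```

Ports that end up in the idle map are the ones to review: a passive port facing a passive partner never forms a trunk, and a port left in off mode stays outside LACP altogether.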
NOTE All ports must belong to at least one VLAN. Any port which is removed from a
VLAN and which is not a member of any other VLAN is automatically added to default
VLAN #1. You cannot remove a port from VLAN #1 if the port has no membership in any
other VLAN.
Also, you cannot add a port to more than one VLAN unless the port has VLAN tagging turned
on (see the tag command on page 307).
/cfg/l3
Layer 3 Configuration Menu
[Layer 3 Menu]
if    - Interface Menu
gw    - Default Gateway Menu
route - Static Route Menu
arp   - ARP Menu
frwd  - Forwarding Menu
nwf   - Network Filters Menu
rmap  - Route Map Menu
rip   - Routing Information Protocol Menu
ospf  - Open Shortest Path First (OSPF) Menu
bgp   - Border Gateway Protocol Menu
port  - IP Port Menu
dns   - Domain Name System Menu
bootp - Bootstrap Protocol Relay Menu
vrrp  - Virtual Router Redundancy Protocol Menu
rtrid - Set router ID
metrc - Set default gateway metric
cur   - Display current IP configuration
1
-
Menu]
IP6 Neighbor Discovery Menu
Set IP version
Set IP address
Set subnet mask/prefix len
Set VLAN number
Enable/disable BOOTP relay
Enable IP interface
Disable IP interface
Delete IP interface
Display current interface configuration
The Nortel Application Switch can be configured with up to 256 IP interfaces. Each IP interface
represents the Nortel Application Switch on an IP subnet on your network. The Interface option is
disabled by default.
Table 6-61 IP Interface Menu Options (/cfg/l3/if)
Command Syntax and Usage
ip6nd
Opens the IPv6 Neighbor Discovery menu. This menu is used to enable or disable the sending of
IPv6 Router Advertisement packets from this interface. For more information on this topic, refer
to page 345.
ipver <IP version (v4 or v6)>
Set the IP version.
addr <IP address (such as 192.4.17.101 for IPv4 or 3001::abcd:5678 for IPv6)>
Configures the IP address of the switch interface using dotted decimal notation for IPv4 and colon
notation for IPv6.
mask <IP subnet mask for IPv4 or prefix length for IPv6 (such as 255.255.255.0 for IPv4 or 64 for
IPv6)>
Configures the IP subnet address mask for the interface using dotted decimal notation for IPv4 or
prefix length for IPv6.
vlan <VLAN number (1-4090)>
Configures the VLAN number for this interface. Each interface can belong to one VLAN, though
any VLAN can have multiple IP interfaces in it.
relay disable|enable
Enables or disables the BOOTP relay on this interface. It is enabled by default.
/cfg/l3/if/ip6nd
IPv6 Neighbor Discovery Menu
[IP6 Neighbor Discovery Menu]
rtradv
- Enable/disable router advertisement
This menu is used to configure the sending of IPv6 Neighbor Discovery router advertisements
from this interface.
Table 6-62 IPv6 Neighbor Discovery Menu Options
Command Syntax and Usage
rtradv disable | enable
Enables or disables the sending of IPv6 Neighbor Discovery router advertisements from
this interface.
NOTE The switch can be configured with up to 255 gateways. Gateways one to four are
reserved for default gateway load balancing. Gateways five to 259 are used for load-balancing
of VLAN-based gateways.
This option is disabled by default.
Table 6-63 Default Gateway Options (/cfg/l3/gw)
Command Syntax and Usage
ipver <IP version (v4 or v6)>
Set the IP version.
addr <default gateway address (such as, 192.4.17.44 for IPv4 or 3001::abcd:1234 for IPv6)>
Configures the IP address of the default IP gateway using dotted decimal notation for IPv4 and
colon notation for IPv6.
intr <0-60 seconds>
The switch pings the default gateway to verify that it is up. The intr option sets the time between
health checks. The range is from 1 to 120 seconds. The default is 2 seconds.
retry <number of attempts (1-120)>
Sets the number of failed health check attempts required before declaring this default gateway
inoperative. The range is from 1 to 120 attempts. The default is 8 attempts.
vlan <VLAN number (1-4090)>
Sets the VLAN to be assigned to this default IP gateway.
NOTE By default, a learned default route has higher priority than the configured default
gateway route.
arp disable|enable
Enables or disables Address Resolution Protocol (ARP) health checks. This command is disabled
by default.
ena
Enables the gateway for use.
dis
Disables the gateway.
del
Deletes the gateway from the configuration.
cur
Displays the current gateway settings.
/cfg/l3/route
IP Static Route Configuration
[IP Static Route Menu]
add - Add static route
rem - Remove static route
cur - Display current static routes
/cfg/l3/arp
ARP Configuration Menu
Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet
layer. ARP resolves a physical address from an IP address. ARP queries machines on the local
network for their physical addresses. ARP also maintains IP to physical address pairs in its
cache memory. In any IP communication, the ARP cache is consulted to see if the IP address of
the computer or the router is present in the ARP cache. Then the corresponding physical
address is used to send a packet.
[ARP Menu]
static
rearp
cur
/cfg/l3/arp/static
ARP Static Configuration Menu
Static ARP entries are permanent in the ARP cache and do not age out like the ARP entries that
are learnt dynamically. Static ARP entries enable the switch to reach the hosts without sending
an ARP broadcast request to the network. Static ARPs are also useful to communicate with
devices that do not respond to ARP requests. Static ARPs can also be configured on some gateways as a protection against malicious ARP cache corruption and possible DoS attacks.
NOTE Nortel Application Switch Operating System 21.0 and above allows the static ARP
configuration to be retained over reboots. Nortel Application Switch Operating System 20.x
and below allow the user to configure the ARP information but that information cannot be
retained over a switch reboot.
[Static ARP Menu]
add - Add a permanent ARP entry
del - Delete an ARP entry
cur - Display current static ARP configuration
/cfg/l3/frwd
IP Forwarding Configuration Menu
[IP Forwarding Menu]
local - Local network definition for route caching menu
dirbr - Enable or disable forwarding directed broadcasts
on    - Globally turn IP Forwarding ON
off   - Globally turn IP Forwarding OFF
cur   - Display current IP Forwarding configuration
/cfg/l3/frwd/local
Local Network Route Caching Definition
This menu is used for adding local networks by setting the local network address and netmask
for the route cache, and to remove local networks.
[IP Local Networks Menu]
add - Add local network definition
rem - Remove local network definition
cur - Display current local network definitions
                               Address       Mask
0.0.0.0 - 127.255.255.255      0.0.0.0       128.0.0.0
128.0.0.0 - 255.255.255.255    128.0.0.0     128.0.0.0
205.32.0.0 - 205.32.255.255    205.32.0.0    255.255.0.0
NOTE All addresses that fall outside the defined range are forwarded to the default gateway.
The default gateways must be within range.
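The address/mask pairs in the table above select a range by bitwise match. The following added example (not part of the Nortel documentation) computes the range each pair covers and lists default gateways that fall outside every definition, which the note says must not happen. The function names, the gateway addresses and the rejection of non-contiguous masks are assumptions made for illustration.

```python
import ipaddress

# Local network definitions from the table above: (address, mask).
LOCAL_NETWORKS = [
    ("0.0.0.0", "128.0.0.0"),
    ("128.0.0.0", "128.0.0.0"),
    ("205.32.0.0", "255.255.0.0"),
]


def _to_int(text):
    """Parse a dotted-decimal IPv4 address into an integer."""
    return int(ipaddress.IPv4Address(text))


def local_range(addr, mask):
    """Return (first, last) address covered by one address/mask definition."""
    a, m = _to_int(addr), _to_int(mask)
    host_bits = ~m & 0xFFFFFFFF
    # A contiguous mask leaves host bits of the form 2**k - 1.
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous mask: {mask}")
    # The address must not carry bits the mask ignores.
    if a & host_bits:
        raise ValueError(f"{addr} has bits set outside mask {mask}")
    return (str(ipaddress.IPv4Address(a)),
            str(ipaddress.IPv4Address(a | host_bits)))


def is_local(ip, networks):
    """True when ip matches a definition: (ip AND mask) == address."""
    value = _to_int(ip)
    return any((value & _to_int(mask)) == _to_int(addr)
               for addr, mask in networks)


def forwarding_target(ip, networks):
    """Addresses outside every definition go to the default gateway."""
    return "local" if is_local(ip, networks) else "default gateway"


def gateways_outside_range(gateways, networks):
    """Default gateways that no local network definition covers."""
    return [gw for gw in gateways if not is_local(gw, networks)]


if __name__ == "__main__":
    for addr, mask in LOCAL_NETWORKS:
        print(addr, mask, "->", local_range(addr, mask))
    # Constructed check using only the third definition from the table.
    only_205 = [LOCAL_NETWORKS[2]]
    print(forwarding_target("205.32.200.9", only_205))
    print(gateways_outside_range(["205.32.1.1", "192.0.2.1"], only_205))
```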
/cfg/l3/nwf
Network Filter Configuration
[IP Network Filter 1 Menu]
addr    - IP Address
mask    - IP Subnet mask
enable  - Enable Network Filter
disable - Disable Network Filter
delete  - Delete Network Filter
cur     - Display current Network Filter configuration
1
-
Menu]
Access List number
AS Filter Menu
Set as-path prepend of the matched route
Set local-preference of the matched route
Set metric of the matched route
Set OSPF metric-type of the matched route
Set the precedence of this route map
Set weight of the matched route
Enable route map
Disable route map
Delete route map
Display current route map configuration
1 Menu]
Network Filter number
Metric
Set Network Filter action
Enable Access List
Disable Access List
Delete Access List
Display current Access List configuration
/cfg/l3/rip
Routing Information Protocol Configuration
The Routing Information Protocol (RIP) is an interior gateway protocol (IGP). RIP is one of a
class of algorithms known as distance vector algorithms. The distance or hop count is used as
the metric to determine the best path to a remote network or host where the hop count does not
exceed 15 hops assuming a cost of one for each network. RIP uses broadcast User Datagram
Protocol (UDP) data packets to exchange routing information.
RIP sends routing information updates every 30 seconds. This update contains known networks and the distances (hop count) associated with each one. For RIP1, no mask information
is exchanged; the natural mask is always applied by the router receiving the update. For RIP2,
mask information is sent. There are two timers associated with each route: a timeout
and garbage-collection timer. Upon expiration of the timeout timer, the route is no longer valid
but it is retained in the routing table for a short time so that neighbors can be notified that the
route has been dropped. Upon expiration of the garbage-collection timer, the route is finally
removed from the routing table. The timeout timer is set for 180 seconds and the garbage-collection timer is set for 120 seconds by default.
The menu below is used to configure Routing Information Protocol parameters globally.
The Routing Information Protocol is turned off by default.
[Routing Information Protocol Menu]
if      - RIP Interface Menu
update  - Set update period in seconds
vip     - Enable/disable vip advertisement
statc   - Enable/disable static routes advertisement
on      - Globally turn RIP ON
off     - Globally turn RIP OFF
current - Display current RIP configuration
/cfg/l3/rip/if
RIP Interface Menu
[RIP Interface 1 Menu]
version - Set RIP version
supply  - Enable/disable supplying route updates
listen  - Enable/disable listening to route updates
poison  - Enable/disable poisoned reverse
trigg   - Enable/disable triggered updates
mcast   - Enable/disable multicast updates
default - Set default route action
metric  - Set metric
auth    - Set authentication type
key     - Set authentication key
enable  - Enable interface
disable - Disable interface
current - Display current RIP interface configuration
/cfg/l3/ospf
Open Shortest Path First Configuration
Nortel Application Switch Operating System supports the Open Shortest Path First (OSPF)
routing protocol. The Nortel Application Switch Operating System implementation conforms
to the OSPF version 2 specifications detailed in Internet RFC 1583.
OSPF is designed for routing traffic within a single IP domain called an Autonomous System
(AS). The AS can be divided into smaller logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as
the central OSPF area. All other areas in the AS must be connected to the backbone. Areas
inject summary routing information into the backbone, which then distributes it to other areas
as needed. For more information on how to configure OSPF on the switch, refer to your Nortel
Application Switch Operating System Application Guide.
[Open Shortest Path First Menu]
aindex  - OSPF Area (index) Menu
range   - OSPF Summary Range Menu
if      - OSPF Interface Menu
virt    - OSPF Virtual Links Menu
md5key  - OSPF MD5 Key Menu
host    - OSPF Host Entry Menu
redist  - OSPF Route Redistribute Menu
lsdb    - Set the LSDB limit for external LSA
default - Export default route information
on      - Globally turn OSPF ON
off     - Globally turn OSPF OFF
cur     - Display current OSPF configuration
/cfg/l3/ospf/aindex
Area Index Configuration Menu
[OSPF Area (index) 1 Menu]
areaid  - Set area ID
type    - Set area type
metric  - Set stub area metric
auth    - Set authentication type
spf     - Set time interval between two SPF calculations
enable  - Enable area
disable - Disable area
delete  - Delete area
cur     - Display current OSPF area configuration
/cfg/l3/ospf/range
OSPF Summary Range Configuration Menu
[OSPF Summary Range 1 Menu]
addr    - Set IP address
mask    - Set IP mask
aindex  - Set area index
hide    - Enable/disable hide range
enable  - Enable range
disable - Disable range
delete  - Delete range
cur     - Display current OSPF summary range configuration
/cfg/l3/ospf/if
OSPF Interface Configuration Menu
[OSPF Interface 1 Menu]
aindex  - Set area index
prio    - Set interface router priority
cost    - Set interface cost
hello   - Set hello interval in seconds
dead    - Set dead interval in seconds
trans   - Set transit delay in seconds
retra   - Set retransmit interval in seconds
key     - Set authentication key
mdkey   - Set MD5 key ID
enable  - Enable interface
disable - Disable interface
delete  - Delete interface
cur     - Display current OSPF interface configuration
/cfg/l3/ospf/virt
OSPF Virtual Link Configuration Menu
[OSPF Virtual Link 1 Menu]
aindex  - Set area index
hello   - Set hello interval in seconds
dead    - Set dead interval in seconds
trans   - Set transit delay in seconds
retra   - Set retransmit interval in seconds
nbr     - Set router ID of virtual neighbor
key     - Set authentication key
mdkey   - Set MD5 key ID
enable  - Enable interface
disable - Disable interface
delete  - Delete interface
cur     - Display current OSPF interface configuration
/cfg/l3/ospf/md5key
OSPF MD5 Key Configuration Menu
[OSPF MD5 Key 1 Menu]
key - Set authentication key
delete - Delete key
cur - Display current MD5 key configuration
/cfg/l3/ospf/host
OSPF Host Entry Configuration Menu
[OSPF Host Entry 1 Menu]
addr - Set host entry IP address
aindex - Set area index
cost - Set cost of this host entry
enable - Enable host entry
disable - Disable host entry
delete - Delete host entry
cur - Display current OSPF host entry configuration
/cfg/l3/ospf/redist <fixed|static|rip|ebgp|ibgp>
OSPF Route Redistribution Configuration Menu.
[OSPF Redistribute Fixed Menu]
add - Add rmap into route redistribution list
rem - Remove rmap from route redistribution list
export - Export all routes of this protocol
cur - Display current route-maps added
/cfg/l3/bgp
Border Gateway Protocol Configuration
Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to
share routing information with each other and advertise information about the segments of the
IP address space they can access within their network with routers on external networks. BGP
allows you to decide what is the best route for a packet to take from your network to a destination on another network, rather than simply setting a default route from your border router(s)
to your upstream provider(s). You can configure BGP either within an autonomous system or
between different autonomous systems. When run within an autonomous system, it is called
internal BGP (iBGP). When run between different autonomous systems, it is called external
BGP (eBGP). BGP is defined in RFC 1771.
The BGP Menu enables you to configure the switch to receive routes and to advertise static
routes, fixed routes and virtual server IP addresses with other internal and external routers.
BGP is turned off by default.
[Border Gateway Protocol Menu]
peer - Peer menu
aggr - Aggregation menu
as - Set Autonomous System (AS) number
maxpath - Set Max AS Path Length
pref - Set Local Preference
on - Globally turn BGP ON
off - Globally turn BGP OFF
cur - Display current BGP configuration
NOTE Fixed routes are subnet routes. There is one fixed route per IP interface.
Table 6-83 Border Gateway Protocol Menu (/cfg/l3/bgp)
Command Syntax and Usage
peer <peer number (1-16)>
Displays the menu used to configure each BGP peer. Each border router, within an autonomous
system, exchanges routing information with routers on other external networks. To view menu
options, see page 373.
aggr <aggregate number (1-16)>
Displays the Aggregation Menu. To view menu options, see page 377.
When multiple peers advertise the same route, use the route with the shortest AS path as
the preferred route if you are using eBGP, or use the local preference if you are using
iBGP.
on
Globally turns BGP on.
off
Globally turns BGP off.
cur
Displays the current BGP configuration.
This menu is used to configure BGP peers, which are border routers that exchange routing
information with routers on internal and external networks. The peer option is disabled by
default.
Table 6-84 BGP Peer Configuration Options (/cfg/l3/bgp/peer)
Command Syntax and Usage
redist
Displays BGP Redistribution Menu. To view the menu options, see page 375.
addr <IP address (such as, 192.4.17.101)>
Defines the IP address for the specified peer (border router), using dotted decimal notation. The
default address is 0.0.0.0.
ras <AS number (0-65535)>
Sets the remote autonomous system number for the specified peer.
hold <hold time (0, 3-65535)>
Sets the period of time, in seconds, that will elapse before the peer session is torn down because the
switch hasn't received a keep-alive message from the peer. It is set at 90 seconds by default.
alive <keepalive time (0, 1-21845)>
Sets the keep-alive time for the specified peer in seconds. It is set at 0 by default.
/cfg/l3/bgp/peer/redist
BGP Redistribution Configuration Menu
[Redistribution Menu]
metric - Set default-metric of advertised routes
default - Set default route action
rip - Enable/disable advertising RIP routes
ospf - Enable/disable advertising OSPF routes
fixed - Enable/disable advertising fixed routes
static - Enable/disable advertising static routes
vip - Enable/disable advertising VIP routes
cur - Display current redistribution configuration
This menu allows you to configure aggregate routing to condense the number of routes
between internal and external peer routers.
Table 6-86 BGP Aggregate Menu Options (/cfg/l3/ip/bgp/aggr)
Command Syntax and Usage
addr <IP address, such as 192.4.17.101>
Adds the IP address to the selected aggregate.
mask <IP subnet mask, such as 255.255.255.0>
Sets the IP mask for the selected aggregate.
enable
Enables the selected aggregate.
disable
Disables the selected aggregate.
delete
Deletes the selected aggregate.
current
Displays the current aggregate configuration.
The Layer 3 Port Menu allows you to turn IP forwarding on or off on a port-by-port basis. By
default, the port forwarding option is turned on.
Table 6-87 IP Forwarding Port Configuration Menu Options (/cfg/l3/port)
Command Syntax and Usage
on
Enables IP forwarding for the current port.
off
Disables IP forwarding for the current port.
cur
Displays the current IP forwarding settings.
/cfg/l3/dns
Domain Name System Configuration Menu
[Domain Name System Menu]
prima - Set IP address of primary DNS server
secon - Set IP address of secondary DNS server
dname - Set default domain name
cur - Display current DNS configuration
The Domain Name System (DNS) Menu is used for defining the primary and secondary DNS
servers on your local network, and for setting the default domain name served by the switch
services. DNS parameters must be configured prior to using hostname parameters with the
ping, traceroute, and tftp commands.
Table 6-88 Domain Name System Menu Options (/cfg/l3/dns)
Command Syntax and Usage
prima <IP address (such as, 192.4.17.101)>
You will be prompted to set the IP address for your primary DNS server. Use dotted decimal notation.
secon <IP address (such as, 192.4.17.101)>
You will be prompted to set the IP address for your secondary DNS server. If the primary DNS
server fails, the configured secondary will be used instead. Enter the IP address using dotted decimal notation.
dname <dotted DNS notation>|none
Sets the default domain name used by the switch.
For example: mycompany.com
cur
Displays the current Domain Name System settings.
/cfg/l3/bootp
Bootstrap Protocol Relay Configuration Menu
[Bootstrap Protocol Relay Menu]
addr - Set IP address of BOOTP server
addr2 - Set IP address of second BOOTP server
on - Globally turn BOOTP relay ON
off - Globally turn BOOTP relay OFF
cur - Display current BOOTP relay configuration
The Bootstrap Protocol (BOOTP) Relay Menu is used to allow hosts to obtain their configurations from a Dynamic Host Configuration Protocol (DHCP) server. The BOOTP configuration
enables the switch to forward a client request for an IP address to two DHCP/BOOTP servers
with IP addresses that have been configured on the Nortel Application Switch.
BOOTP relay menu is turned off by default.
Table 6-89 Bootstrap Protocol Relay Configuration Menu Options (/cfg/l3/bootp)
Command Syntax and Usage
addr <IP address (such as, 192.4.17.101)>
Sets the IP address of the BOOTP server.
addr2 <IP address (such as, 192.4.17.101)>
Sets the IP address of the second BOOTP server.
on
Globally turns on BOOTP relay.
off
Globally turns off BOOTP relay.
cur
Displays the current BOOTP relay configuration.
/cfg/l3/vrrp
VRRP Configuration Menu
[Virtual Router
vr
vrgroup
group
if
track
hotstan
on
off
holdoff
cur
Virtual Router Redundancy Protocol (VRRP) support on Nortel Application Switch provides
redundancy between routers in a LAN. This is accomplished by configuring the same virtual
router IP address and ID number on each participating VRRP-capable routing device. One of
the virtual routers is then elected as the master, based on a number of priority criteria, and
assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address.
By default, VRRP is disabled. Nortel Application Switch Operating System has extended
VRRP to include virtual servers as well, allowing for full active/active redundancy between its
Layer 4 switches. For more information on VRRP, see the High Availability chapter in your
Nortel Application Switch Operating System 23.0.2 Application Guide.
Table 6-90 Virtual Router Redundancy Protocol Options (/cfg/l3/vrrp)
Command Syntax and Usage
vr <virtual router number (1-1024)>
Displays the VRRP Virtual Router Menu. This menu is used for configuring up to 1024 virtual
routers on this switch. To view menu options, see page 383.
vrgroup <virtual router vrgroup number (1-16)>
Displays VR Group Menu. To view menu options, see page 387.
group
Displays the VRRP virtual router group menu, used to combine all virtual routers together as one
logical entity. Group options must be configured when using two or more Nortel Application
Switches in a hot-standby failover configuration where only one switch is active at any given time.
To view menu options, see page 390.
Router 1 Menu]
- Priority Tracking Menu
- Set virtual router ID
- Set IP address
- Set interface number
- Set renter priority
- Set advertisement interval
- Enable or disable preemption
- Enable or disable sharing
- Enable virtual router
- Disable virtual router
- Delete virtual router
- Display current VRRP virtual router configuration
This menu is used for configuring up to 256 virtual routers for this switch. A virtual router is
defined by its virtual router ID and an IP address. On each VRRP-capable routing device participating in redundancy for this virtual router, a virtual router will be configured to share the
same virtual router ID and IP address.
Virtual routers are disabled by default.
Table 6-91 VRRP Virtual Router Options (/cfg/l3/vrrp/vr)
Command Syntax and Usage
track
Displays the VRRP Priority Tracking Menu for this virtual router. Tracking is Nortel's proprietary
extension to VRRP, used for modifying the standard priority system used for electing the master
router. Tracking is not needed if sharing (share) is enabled. To view menu options, see page 385.
vrid <virtual router ID (1-1024)>
Defines the virtual router ID. This is used in conjunction with addr (below) to define a virtual
router on this switch. To create a pool of VRRP-enabled routing devices which can provide redundancy to each other, each participating VRRP device must be configured with the same virtual
router: one that shares the same vrid and addr combination.
The vrid for standard virtual routers (where the virtual router IP address is not the same as any
virtual server) can be any integer between 1 and 255. The default value is 1.
The vrid of virtual server routers where the virtual router IP address is the same as the virtual
server can be between 1 and 1024.
All vrid values must be unique within the VLAN to which the virtual router's IP interface
belongs.
This menu is used for modifying the priority system used when electing the master router from
a pool of virtual routers. Various tracking criteria can be used to bias the election results. Each
time one of the tracking criteria is met, the priority level for the virtual router is increased by an
amount defined through the VRRP Tracking Menu (see page 395).
Criteria are tracked dynamically, continuously updating virtual router priority levels when
enabled. If the virtual router preemption option (see preem in Table 6-91 on page 383) is
enabled, this virtual router can assume master routing authority when its priority level rises
above that of the current master.
Some tracking criteria (vrs, ifs, and ports below) apply to standard virtual routers, otherwise called virtual interface routers. Other tracking criteria (l4pts, reals, and hsrp)
apply to virtual server routers, which perform Layer 4 Server Load Balancing functions. A
virtual server router is defined as any virtual router whose IP address (addr) is the same as
any configured virtual server IP address.
/cfg/l3/vrrp/vrgroup
Virtual Router Group Menu
This feature allows the failover of individual groups of VIRs and VSRs. When Web hosting is
shared between two or more customers on a single VRRP switch, you can group VIRs and
VSRs to serve the high availability of a specific customer. If failover occurs on a customer
link, the group of VIRs and VSRs associated with that customer alone will fail over to the
backup switch. The VIRs and VSRs configured for the other customers on the master switch
are not affected.
Up to 16 virtual router groups can be configured on the switch.
[VRRP Virtual Router Vrgroup 1 Menu]
track - Priority Tracking Menu
name - Set virtual router group name
add - Add virtual router to group
rem - Remove virtual router from group
prio - Set priority for virtual router group
trackvr - Set track virtual router for group
adver - Set advertisement interval for group
preem - Enable/disable preemption for group
share - Enable/disable sharing for group
ena - Enable virtual router group
dis - Disable virtual router group
del - Delete virtual router group
cur - Display current VRRP virtual router group configuration
This menu is used for modifying the priority system used when electing the master router from
a pool of virtual routers. Various tracking criteria can be used to bias the election results. Each
time one of the tracking criteria is met, the priority level for the virtual router is increased by an
amount defined through the VRRP Tracking Menu (see page 395). Criteria are tracked dynamically, continuously updating virtual router priority levels when enabled.
[VRRP Vrgroup 1
ifs
ports
l4pts
reals
hsrp
hsrv
cur
/cfg/l3/vrrp/group
Virtual Router Group Configuration
[VRRP Virtual
track
vrid
if
prio
adver
preem
share
ena
dis
del
cur
The Virtual Router Group menu is used for associating all virtual routers into a single logical
virtual router, which forces all virtual routers on the Nortel Application Switch to either be master
or backup as a group. A virtual router is defined by its virtual router ID and an IP address. On
each VRRP-capable routing device participating in redundancy for this virtual router, a virtual
router will be configured to share the same virtual router ID and IP address.
NOTE This option is required to be configured only when using at least two Nortel Application
Switches in a hot-standby failover configuration, where only one switch is active at any time.
Table 6-95 VRRP Virtual Router Group Options (/cfg/l3/vrrp/group)
Command Syntax and Usage
track
Displays the VRRP Priority Tracking Menu for the virtual router group. Tracking is Nortel's proprietary extension to VRRP, used for modifying the standard priority system used for electing the
master router. Tracking is not needed if sharing (share) is enabled.
To view menu options, see page 395.
vrid <virtual router ID (1-1024)>
Defines the virtual router ID for this group.
if <interface number (1-256)>
Selects a switch IP interface (between 1 and 256). The default switch IP interface number is 1.
prio <priority (1-254)>
Defines the election priority bias for this virtual router group. This can be any integer between 1
and 254. The default value is 100.
During the master router election process, the routing device with the highest virtual router priority
number wins. If there is a tie, the device with the highest IP interface address wins. If this virtual
router's IP address (addr) is the same as the one used by the IP interface, the priority for this virtual router will automatically be set to 255 (highest).
When priority tracking is used (/cfg/l3/vrrp/track or /cfg/l3/vrrp/vr #/track),
this base priority value can be modified according to a number of performance and operational criteria.
adver <1-255 (seconds)>
Defines the time interval between VRRP master advertisements. This can be any integer between 1
and 255 seconds. The default is 1.
preem disable|enable
Enables or disables master preemption. When enabled, if the virtual router group is in backup
mode but has a higher priority than the current master, this virtual router will preempt the lower
priority master and assume control. Note that even when preem is disabled, this virtual router will
always preempt any other master if this switch is the owner (the IP interface address and virtual
router addr are the same). By default, this option is enabled.
share disable|enable
Enables or disables virtual router sharing, Nortel's proprietary extension to VRRP. When enabled,
this switch will process any traffic addressed to this virtual router, even when in backup mode. By
default, this option is enabled.
/cfg/l3/vrrp/group/track
Virtual Router Group Priority Tracking Configuration
[Virtual Router
ifs
ports
l4pts
reals
hsrp
hsrv
cur
NOTE If Virtual Router Group Tracking is enabled, then the tracking option will be available
only under group option. The tracking setting for the other individual virtual routers will be
ignored.
1 Menu]
auth - Set authentication types
passw - Set plain-text password
del - Delete interface
cur - Display current VRRP interface configuration
This menu is used for configuring VRRP authentication parameters for the IP interfaces used
with the virtual routers.
Table 6-97 VRRP Interface Menu Options (/cfg/l3/vrrp/if)
Command Syntax and Usage
auth none|password
Defines the type of authentication that will be used: none (no authentication), or password
(password authentication).
passw <password>
Defines a plain text password up to eight characters long. This password will be added to each
VRRP packet transmitted by this interface when password authentication is chosen (see auth
above).
del
Clears the authentication configuration parameters for this IP interface. The IP interface itself is
not deleted.
cur
Displays the current configuration for this IP interface's authentication parameters.
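An added example, not taken from the Nortel documentation: a monitoring-side check that parses a VRRP advertisement and reports whether its authentication type matches what auth and passw are configured to send on the interface. It assumes the switch emits standard VRRPv2 (RFC 2338) advertisements, which this page does not state; the sample packets, addresses, password and function names are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# Authentication type codes from RFC 2338 (assumed wire format, see lead-in).
AUTH_TYPES = {0: "none", 1: "password", 2: "ip-auth-header"}


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, prio, addrs, auth_type, password=b"", adver=1) -> bytes:
    """Build a constructed sample advertisement so the check runs offline."""
    if len(password) > 8:
        raise ValueError("the authentication field holds at most eight bytes")
    head = struct.pack("!BBBBBB", 0x21, vrid, prio, len(addrs), auth_type, adver)
    body = b"".join(IPv4Address(a).packed for a in addrs)
    body += password.ljust(8, b"\x00")          # fixed 8-byte auth data field
    csum = inet_checksum(head + b"\x00\x00" + body)
    return head + struct.pack("!H", csum) + body


def parse_advert(pkt: bytes) -> dict:
    """Decode the fixed header, address list and authentication field."""
    if len(pkt) < 8:
        raise ValueError("shorter than the fixed VRRP header")
    vt, vrid, prio, count, auth, adver, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    if (vt >> 4, vt & 0x0F) != (2, 1):
        raise ValueError("not a VRRPv2 advertisement")
    end = 8 + 4 * count + 8                      # header + addresses + auth data
    if len(pkt) < end:
        raise ValueError("truncated advertisement")
    addrs = [str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    auth_data = pkt[end - 8:end]
    return {
        "vrid": vrid,
        "priority": prio,
        "addrs": addrs,
        "adver": adver,
        "auth": AUTH_TYPES.get(auth, f"unknown({auth})"),
        "auth_data_set": any(auth_data),         # value itself is not reported
        "checksum_ok": inet_checksum(pkt[:end]) == 0,
    }


def audit_advert(pkt: bytes, expected_auth: str, known_vrids: set) -> list:
    """Return findings for one advertisement; an empty list means it is as expected."""
    try:
        info = parse_advert(pkt)
    except ValueError as exc:
        return [f"unparseable: {exc}"]
    findings = []
    if not info["checksum_ok"]:
        findings.append("bad checksum")
    if info["vrid"] not in known_vrids:
        findings.append(f"unexpected vrid {info['vrid']}")
    if info["auth"] != expected_auth:
        findings.append(f"auth type {info['auth']}, expected {expected_auth}")
    if info["auth"] == "password" and not info["auth_data_set"]:
        findings.append("password auth with empty auth data")
    return findings


# Constructed samples: one as configured with 'auth password', one sent with 'auth none'.
GOOD = build_advert(1, 100, ["192.0.2.10"], 1, b"example1")
NOAUTH = build_advert(7, 100, ["192.0.2.10"], 0)

if __name__ == "__main__":
    for label, pkt in (("GOOD", GOOD), ("NOAUTH", NOAUTH)):
        print(label, parse_advert(pkt), audit_advert(pkt, "password", {1}))
```

Because the eight-byte authentication field travels unencrypted in every advertisement, the check reports only whether it is populated, not its contents.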
/cfg/l3/vrrp/track
VRRP Tracking Configuration
[VRRP Tracking Menu]
vrs - Set priority increment for virtual router tracking
ifs - Set priority increment for IP interface tracking
ports - Set priority increment for VLAN switch port tracking
l4pts - Set priority increment for L4 switch port tracking
reals - Set priority increment for L4 real server tracking
hsrp - Set priority increment for HSRP tracking
hsrv - Set priority increment for HSRP by VLAN tracking
cur - Display current VRRP Priority Tracking configuration
This menu is used for setting weights for the various criteria used to modify priority levels during the master router election process. Each time one of the tracking criteria is met (see VRRP
Virtual Router Priority Tracking Menu on page 385), the priority level for the virtual router is
increased by an amount defined through this menu.
Table 6-98 VRRP Tracking Options (/cfg/l3/vrrp/track)
Command Syntax and Usage
vrs <0-254>
Defines the priority increment value (1 through 254) for virtual routers in master mode detected on
this switch. The default value is 2.
ifs <0-254>
Defines the priority increment value (1 through 254) for active IP interfaces detected on this
switch. The default value is 2.
ports <0-254>
Defines the priority increment value (1 through 254) for active ports on the virtual router's VLAN.
The default value is 2.
l4pts <0-254>
Defines the priority increment value (1 through 254) for physical switch ports with active Layer 4
processing. The default value is 2.
reals <0-254>
Defines the priority increment value (1 through 254) for healthy real servers behind the virtual
server router. The default value is 2.
hsrp <0-254>
Defines the priority increment value (1 through 254) for switch ports with Layer 4 client-only processing that receive HSRP broadcasts. The default value is 10.
These priority tracking options only define increment values. These options do not affect the
VRRP master router election process until options under the VRRP Virtual Router Priority
Tracking Menu (see page 385) are enabled.
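An added example (not Nortel code) that models the election rules stated under prio and preem together with the default increments in Table 6-98. It assumes each tracked object that meets an enabled criterion contributes one increment, and that tracking cannot raise a non-owner above 254; neither detail is stated on this page. Switch names and addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# Default increments from Table 6-98 (/cfg/l3/vrrp/track).
# hsrv is omitted because the page gives no default for it.
DEFAULT_INCREMENTS = {"vrs": 2, "ifs": 2, "ports": 2, "l4pts": 2, "reals": 2, "hsrp": 10}
OWNER_PRIORITY = 255          # set automatically when addr equals the IP interface address
MAX_TRACKED_PRIORITY = 254    # assumption: tracking never lifts a non-owner to 255


@dataclass
class VirtualRouter:
    name: str
    if_addr: str                      # address of the switch IP interface
    vr_addr: str                      # virtual router address (addr)
    prio: int = 100                   # base priority, default 100
    preem: bool = True                # preemption is enabled by default
    tracked: dict = field(default_factory=dict)   # enabled criterion -> objects currently counted

    def __post_init__(self):
        if not 1 <= self.prio <= 254:
            raise ValueError("prio must be between 1 and 254")

    @property
    def is_owner(self) -> bool:
        return IPv4Address(self.if_addr) == IPv4Address(self.vr_addr)

    def effective_priority(self, increments=None) -> int:
        """Base priority plus tracking increments, or 255 for the address owner."""
        increments = DEFAULT_INCREMENTS if increments is None else increments
        if self.is_owner:
            return OWNER_PRIORITY
        bonus = sum(increments[crit] * count for crit, count in self.tracked.items())
        return min(self.prio + bonus, MAX_TRACKED_PRIORITY)


def elect(routers, increments=None) -> VirtualRouter:
    """Highest priority wins; a tie goes to the highest IP interface address."""
    return max(
        routers,
        key=lambda r: (r.effective_priority(increments), IPv4Address(r.if_addr)),
    )


def should_preempt(backup, master, increments=None) -> bool:
    """Decide whether a backup takes over from the current master."""
    if backup.is_owner:
        return True                   # the owner preempts even with preem disabled
    if not backup.preem:
        return False
    return backup.effective_priority(increments) > master.effective_priority(increments)


def failover_scenario() -> list:
    """Walk two constructed switches through a port-loss event."""
    a = VirtualRouter("sw-a", "192.0.2.2", "192.0.2.1", tracked={"ports": 4})
    b = VirtualRouter("sw-b", "192.0.2.3", "192.0.2.1", tracked={"ports": 2})
    steps = [("initial master", elect([a, b]).name)]
    a.tracked["ports"] = 1            # sw-a loses three active ports on the VLAN
    steps.append(("sw-a priority after port loss", a.effective_priority()))
    steps.append(("sw-b preempts", should_preempt(b, a)))
    return steps


if __name__ == "__main__":
    for step in failover_scenario():
        print(step)
```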
Description
strict
roundrobin
This provides basic gateway load balancing. The switch sends each new gateway request to the next healthy, enabled gateway in line. All gateway requests
to the same destination IP address are resolved to the same gateway.
/cfg/slb
/cfg/slb displays the Server Load Balancing Configuration Menu. To view menu options, see Chapter 7,
The SLB Configuration Menu.
/cfg/security
Security Configuration Menu
[Security Menu]
port
ipacl
udpblast
dos
pgroup
seclog
pdepth
cur
/cfg/security/port
Port Security Menu
[Port <port_number> Menu]
bogon - Enable/disable bogon IP ACL
ipacl - Enable/disable IP ACL
udpblast - Enable/disable UDP blast protection
dos - Enable/disable protocol anomaly and DoS attack prevention
add - Add protocol anomaly/DoS attack to prevention
aadd - Add all protocol anomaly/DoS attack to prevention
rem - Remove protocol anomaly/DoS attack from prevention
arem - Remove all protocol anomaly/DoS attack from prevention
help - Protocol anomaly and DoS attack prevention description
cur - Display current port configuration
/cfg/security/ipacl
IP Address Access Control List Configuration Menu
Nortel Application Switch Operating System can be configured with IP access control lists
(ACLs) composed of ranges of client IP addresses that are to be denied access to the switch.
When traffic ingresses the switch, the client source or destination IP address is checked against
this pool of addresses. If a match is found, then the client traffic is blocked.
[IP ACL Menu]
add
rem
arem
dadd
drem
darem
cfg
bogon
oper
cur
/cfg/security/udpblast
UDP Blast Protection Configuration Menu
Malicious attacks over UDP protocol ports are becoming a common way to bring down real
servers. Nortel Application Switch Operating System can be configured to restrict the amount
of traffic allowed on any UDP port, thus ensuring that backend servers are not flooded with
data and disabled.
You can specify a series of UDP port ranges and the allowed packet limit for that range. When
the maximum number of packets/second is reached, UDP traffic is shut down on those ports.
Nortel Application Switch Operating System supports up to 5000 UDP port numbers, using
any integer from 1 to 65535. The maximum port range is 5000. If the first port number is 300,
the last number that can be used is 5300.
While you can configure multiple port ranges, the sum of ranges cannot exceed the maximum
of 5000 ports.
[UDP Blast Protection Menu]
add - Add UDP port/range for UDP blast protection
rem - Remove UDP port/range for UDP blast protection
default - Default packet rate for UDP blast protection
cur - Display all UDP blast protection Ports
/cfg/security/dos
Anomaly and Denial of Service Attack Prevention Menu
[Protocol Anomaly and DoS Attack Prevention Menu]
ipttl - Set the smallest allowable IP ttl for ipttl
ipprot - Set the highest allowable IP protocol for ipprot
fragdata - Set smallest allowable IP fragment payload for fragdata
fragoff - Set the smallest allowable IP fragment offset for fragoff
syndata - Set the largest allowable TCP SYN payload for syndata
icmpdata - Set the largest allowable ICMP payload for icmpdata
icmpoff - Set the largest allowable ICMP fragment offset for icmpoff
help - Protocol anomaly and DoS attack prevention description
cur - Display current protocol anomaly and DoS attack prevention
/cfg/sslproc
SSL Processor Menu
[SSL Processor Menu]
mip - Set SSL processor management IP
port - Set SSL processor Web server port
rts - Enable/disable RTS processing
filt - Enable/disable filtering
add - Add filter
rem - Remove filter
cur - Display current SSL processor configuration
/cfg/setup
Setup
The setup program steps you through configuring the system date and time, BOOTP, IP, Spanning Tree, port speed/mode, VLAN parameters, and IP interfaces. For a complete description
of how to use setup, see Chapter 2, First-Time Configuration.
/cfg/dump
Dump
The dump program writes the current switch configuration to the terminal screen. To start the
dump program, at the Configuration# prompt, enter:
Configuration# dump
The configuration is displayed with parameters that have been changed from the default values. The screen display can be captured, edited, and placed in a script file, which can be used to
configure other switches through a Telnet connection. When using Telnet to configure a new
switch, paste the configuration commands from the script file at the command line prompt of
the switch. The active configuration can also be saved or loaded via TFTP, as described on
page 408.
/cfg/ptcfg
Saving the Active Switch Configuration
When the ptcfg command is used, the switch's active configuration commands (as displayed
using /cfg/dump) will be uploaded to the specified script configuration file on the TFTP or
FTP server. To start the switch configuration upload, at the Configuration# prompt, enter:
Configuration# ptcfg <TFTP/FTP server> <filename> {-tftp | ftp user name ftp password}
[-m | -mgmt | -d | -data]
where server is the TFTP or FTP server IP address or hostname, and filename is the name of
the target script configuration file.
NOTE The output file is formatted with line-breaks but no carriage returns; the file cannot
be viewed with editors that require carriage returns (such as Microsoft Notepad).
NOTE If the TFTP server is running SunOS or the Solaris operating system, the specified
ptcfg file must exist prior to executing the ptcfg command and must be writable (set with
proper permission, and not locked by any application). The contents of the specified file will
be replaced with the current configuration data.
/cfg/gtcfg
Restoring the Active Switch Configuration
When the gtcfg command is used, the active configuration will be replaced with
the commands found in the specified configuration file. The file can contain a full switch configuration or a partial switch configuration. The configuration loaded using gtcfg is not activated until the apply command is used. If the apply command is found in the configuration
script file loaded using this command, the apply action will be performed automatically.
To start the switch configuration download, at the Configuration# prompt, enter:
Configuration# gtcfg <TFTP/FTP server> <filename> {-tftp | ftp user name ftp password}
[-m | -mgmt | -d | -data]
where server is the TFTP or FTP server IP address or hostname, and filename is the name of
the target script configuration file.
CHAPTER 7
320506-A, January 2006
/cfg/slb
SLB Configuration
[Layer 4 Menu]
real
group
virt
filt
port
gslb
layer7
wap
sync
adv
linklb
advhc
pip
peerpip
wlm
on
off
cur
This menu is used for configuring information about real servers that participate in a server
pool for Server Load Balancing or Application Redirection. The required parameters are:
/cfg/slb/real/adv
Real Server Advanced Menu
[Real Server 1 Advanced Menu]
avail - Set Global SLB availability for real server
remote - Enable/disable Global SLB remote site operation
proxy - Enable/disable client proxy operation
buddyhc - Buddy Server Menu
fasthc - Enable/disable fast health check operation
submac - Enable/disable source MAC address substitution
subdmac - Enable/disable destination MAC address substitution
cur - Display current real server advanced configuration
/cfg/slb/real/adv/buddyhc
Buddy Server Health Check Menu
[Real server 1 Buddy Menu]
addbd - Add Buddy Server
delbd - Delete Buddy Server
cur - Display current buddy server configuration
This menu is used for entering commands and strings for Layer 7 processing.
Table 7-5 Layer 7 Commands Menu Options (/cfg/slb/real/layer7)
Command Syntax and Usage
addlb <defined SLB string ID, 1-1024>
Adds the predefined URL loadbalance string ID to the real server.
remlb <defined SLB string ID, 1-1024>
Removes the predefined URL loadbalance string ID from the real server.
cookser disable|enable
Enables or disables the real server to handle client requests that don't contain a cookie. This option
is used if you want to designate a specific server to assign cookies only. This server gets the client
request, assigns the cookie, and embeds the IP address of the real server that will handle the subsequent requests from the client.
By default, this option is disabled.
exclude disable|enable
Enables or disables exclusionary string matching. By default, this option is disabled.
ldapwr disable|enable
Enables or disables LDAP write server. LDAP servers are of two types: read servers and write
servers. You need to use read servers when you only want to browse the directory. You need to use
the write servers when you want to modify the directory on the server. The write server can conduct both read and write operations.
cur
Displays the current real server configuration.
This menu is used for combining real servers into real server groups. Each real server group
should consist of all the real servers which provide a specific service for load balancing. Each
group must consist of at least one real server. Each real server can belong to more than one group.
Real server groups are used both for Server Load Balancing and Application Redirection.
Table 7-7 Real Server Group Configuration Menu Options (/cfg/slb/group)
Command Syntax and Usage
metric leastconns|roundrobin|minmisses|hash|response|bandwidth|phash
Sets the load balancing metric used for determining which real server in the group will be the target of the next client request. The default setting is leastconns. See Server Load Balancing
Metrics on page 429 for more information.
rmetric
Sets the load balancing metric used for determining which port in the real server will be the target
of the next client request.
tcp
sipoptions
NOTE Under the leastconns, roundrobin, hash, and phash metrics, when real
servers are configured with weights (see the weight option on page 415), a higher proportion
of connections are given to servers with higher weights. This can improve load balancing
among servers of different performance levels. Weights are not applied when using
the minmisses metrics.
1 Menu]
Virtual Service Menu
Set IP version
Set IP addr of virtual server
Set name of virtual server
Set domain name of virtual server
Set BW Contract
Set Global SLB weight for virtual server
Set Global SLB availability for virtual server
Add Global SLB rule to domain
Remove Global SLB rule from domain
Enable/disable layer 3 only balancing
Enable/disable client connection reset invalid VPORT
Enable virtual server
Disable virtual server
Delete virtual server
Display current virtual configuration
This menu is used for configuring the virtual servers which will be the target for client requests
for Server Load Balancing. Configuring a virtual server requires the following parameters:
1 14 Service Menu]
WTS Load Balancing Menu
HTTP Load Balancing Menu
SIP Load Balancing Menu
RTSP Load Balancing Menu
Set real server group number
Set real port
Set hostname
Set BW contract for this virtual service
Set persistent binding type
Set hash parameter
Set minutes inactive connection remains open
Enable/disable delayed binding
Enable/disable UDP balancing
Enable/disable remapping UDP server fragments
Enable/disable only substituting MAC addresses
Enable/disable DNS query load balancing
Enable/disable direct access mode
Enable/disable session mirroring
Enable/disable pip selection based egress port/vlan
Delete virtual service
Display current virtual service configuration
page 440.
http
Enables or disables HTTP Redirection for Global server load balancing on a per VIP basis.
Disabling HTTP Redirection causes GSLB to use proxy IP address for HTTP. To view
the menu options, see page 441.
sip
Enables or disables Session Initiation Protocol (SIP) server load balancing on the Nortel
Application Switch Operating System. When enabled, you can configure SIP service on the
service port 5060 for a virtual server. SIP is a UDP-based application-level control protocol
for creating, modifying and terminating sessions with one or more participants (documented
in RFC3261). The SIP processing occurs at application level in order to parse out messages
coming from client side as well as the server side. Using SIP on your switch, you can load
balance Nortel's MCS (Multimedia Communication Server) proxy servers. Nortel Networks
MCS is a SIP-enabled application server. When SIP is enabled, you can scan and hash calls
based on a SIP Call-ID header to an MCS server.
You need to turn Direct Access Mode (DAM) on to perform SIP load balancing.
You can use only minmiss as the load balancing metric since the load balancing is performed based on the Call-ID.
To view the menu options, see page 442.
rtsp
Go to the RTSP Load Balancing Menu. To view the menu options, see
page 443.
ing. You will be prompted for the following: Cookie name, starting point of the cookie
value, number of bytes to be extracted, enable/disable checking for cookie in URI
browser: Enable or disable SLB, based on browser type
urlhash: Enable or disable URL hashing based on URI
headerhash: Hashes on any HTTP header value.
others: Requires inputs for a particular header field
You may choose to combine or select applications to load balance using the commands
"and" and/or "or". For example:
httpslb <application>
httpslb <application> and|or <application>
nections from the same client with the same real server until the client becomes inactive
and the connection is aged out of the binding table. The connection timeout value (set in
the Real Server Menu) is used to control how long these inactive but persistent connections
remain associated with their real servers. When the client resumes activity after their connection has been aged out, they will be connected to the most appropriate real server based
on the load balancing metric.
An alternative approach may be to use the real server group metrics minmisses or hash
(see Server Load Balancing Metrics).
In Nortel Application Switch Operating System 23.0.2, with the clientip command
enabled, HTTP and HTTPS traffic from the same client will map to the same server irrespective of the load balancing metric used, since the services are related. Different services from the same client, however, may not map to the same server.
The cookie option uses a cookie defined in the HTTP header or placed in the URI for
hashing. For more information on cookie option, see Cookie-Based Persistence on
page 444. For detailed information on Cookie-Based Persistence, see the
Persistence chapter in the Nortel Application Switch Operating System 23.0.2 Application
Guide.
The sslid option is for Secure Sockets Layer (SSL), which is a set of protocols built on
top of TCP/IP that allow an application server and user to communicate over an encrypted
HTTP session. SSL provides authentication, non-repudiation, and security. The session ID
is a value comprising 32 random bytes chosen by the SSL server that gets stored in a session hash table. By enabling the sslid option, all subsequent SSL sessions which present
the same session ID will be directed to the same real server.
The disable option allows you to disable persistent binding, if it has previously been
enabled for a particular application.
rcount <response count number (1-16)>
Sets the maximum response counter for cookie-based persistence. The Nortel Application
Switch will examine each server response until the cookie is found, or until the maximum
count is reached. The default number is 1.
thash sip|sip+sport
Defines the hash parameter. The tunable hash feature allows the user to select different parameters
for computing the hash value used by the hash, phash, and minmisses SLB metrics. For
example, the source IP address, or both source IP address and source port. If the user does not
select any, the switch will use the default hash parameter, which is sip.
/cfg/slb/virt/service/wts
WTS Load Balancing Menu
[WTS Load Balancing Menu]
userhash - Enable userhash when there is no Session Dir. Server
ena      - Enable WTS loadbalancing and persistence
dis      - Disable WTS loadbalancing and persistence
cur      - Display current WTS configuration
[true|false]
Disable WTS load balancing.
cur
Display the current WTS configuration.
/cfg/slb/virt/service/http
HTTP Load Balancing Menu
[HTTP Load Balancing Menu]
httpslb  - Set HTTP SLB processing
urlcont  - Set BW cont of an SLB string specific to this service
rcount   - Set multi response count
http     - Enable/disable HTTP redirects for Global SLB
xforward - Enable/disable X-Forwarded-For for proxy mode
pooling  - Enable/disable connection pooling for HTTP traffic
cur      - Display current HTTP configuration
/cfg/slb/virt/service/sip
SIP Load Balancing Menu
[SIP Load Balancing Menu]
sip      - Enable/disable SIP load balancing
sdpnat   - Enable/disable SIP SDP Media Portal NAT
cur      - Display current SIP configuration
/cfg/slb/virt/service/rtsp
RTSP Load Balancing Menu
[RTSP Load Balancing Menu]
group    - Set real server group number
hname    - Set hostname
rtspslb  - Set RTSP URL load balancing type
thash    - Set hash parameter
softgrid - Enable/disable SoftGrid load balancing
del      - Delete virtual service
cur      - Display current virtual service configuration
within the URL to select a server based on the string configured on the real server.
l4hash: The l4hash option configures Server Load Balancing to be based on the Layer 4 hash
metric.
none: If set at none, RTSP will use Layer 4 metrics to select a server to load balance.
thash sip|sip+sport
Defines the hash parameter. The tunable hash feature allows the user to select different parameters for
computing the hash value used by the hash, phash, and minmisses SLB metrics. For example, the source IP address, the destination IP address, or both source IP address and source port. If
the user does not select any, the switch will use the default hash parameter, which is sip.
softgrid enable|disable
Enable or disable softgrid load balancing.
Cookie-Based Persistence
The cookie option is used to establish cookie-based persistence, and has the following command syntax and usage:
pbind cookie <mode> <name> <offset> <length> <URI>
Each parameter is explained in the following table.
Option      Description
<mode>      Specify the mode for cookie-based persistence. The following three modes are available:
p: Passive mode. In this mode, the network administrator configures the Web
server to embed a cookie in the server response that the switch looks for in subsequent requests from the same client.
r: Rewrite mode. In active cookie mode (or cookie rewrite mode), the switch,
and not the network administrator, generates the cookie value on behalf of the
server. The switch intercepts this persistence cookie and rewrites the value to
include server-specific information before sending it to the client.
i: Insert mode. When a client sends a request without a cookie, the server
responds with the data, and the switch inserts a persistence cookie into the data
packet. The switch uses this cookie to bind to the appropriate server.
Insert cookie mode expiration parameters are as follows:
Enter insert-cookie expiration as either:
... a date <MM/dd/yy[@hh:mm]> (e.g. 12/31/01@23:59)
... a duration <days[:hours[:minutes]]> (e.g. 45:30:90)
... or none <return>
<name>
<offset>
<length>
Enter number of bytes to extract (1-64). For cookie rewrite, the extracting length
must be 8 or 16.
<URI>
Look for cookie in the URI. If you want to look for cookie name or value in the
URI, enter e to enable this option. To look for cookie in the HTTP header, enter d
to disable this option.
For more information on Cookie-Based Persistence, see the Nortel Application Switch Operating System 23.0.2 Application Guide.
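The parameter limits in the table above, and the way a passive-mode lookup uses them on a later request, can be checked with the following added example (not code from the Nortel documentation or software). The 1-based offset, the rule that a value too short for the configured length yields no key, the CRC32 hash standing in for the switch's own hash, and the server names are assumptions.

```python
import zlib
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit


@dataclass(frozen=True)
class CookiePbind:
    mode: str      # "p" passive, "r" rewrite, "i" insert
    name: str      # cookie name
    offset: int    # start within the cookie value (assumed to be 1-based)
    length: int    # number of bytes to extract
    in_uri: bool   # True for "e" (look in the URI), False for "d" (HTTP header)


def parse_pbind(line: str) -> CookiePbind:
    """Validate a 'pbind cookie ...' line against the limits in the table."""
    parts = line.split()
    if len(parts) != 7 or parts[:2] != ["pbind", "cookie"]:
        raise ValueError("expected: pbind cookie <mode> <name> <offset> <length> <URI>")
    mode, name, offset_s, length_s, uri = parts[2:]
    if mode not in ("p", "r", "i"):
        raise ValueError("mode must be p, r or i")
    if not (offset_s.isdigit() and length_s.isdigit()):
        raise ValueError("offset and length must be decimal numbers")
    offset, length = int(offset_s), int(length_s)
    if offset < 1:
        raise ValueError("offset must be at least 1 (assumption: 1-based)")
    if not 1 <= length <= 64:
        raise ValueError("length must be 1-64")
    if mode == "r" and length not in (8, 16):
        raise ValueError("cookie rewrite needs an extracting length of 8 or 16")
    if uri not in ("e", "d"):
        raise ValueError("URI option must be e or d")
    return CookiePbind(mode, name, offset, length, uri == "e")


def cookie_value(cfg: CookiePbind, request: bytes) -> Optional[str]:
    """Find the named cookie in the URI ("e") or in the Cookie header ("d")."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    fields = lines[0].split(" ")
    if len(fields) != 3:
        return None                      # not a well-formed request line
    if cfg.in_uri:
        query = urlsplit(fields[1]).query
        for key, val in parse_qsl(query, keep_blank_values=True, encoding="latin-1"):
            if key == cfg.name:
                return val
        return None
    for line in lines[1:]:
        header, _, value = line.partition(":")
        if header.strip().lower() != "cookie":
            continue
        for item in value.split(";"):
            key, sep, val = item.strip().partition("=")
            if sep and key == cfg.name:
                return val
    return None


def persistence_key(cfg: CookiePbind, request: bytes) -> Optional[bytes]:
    """Return the <length> bytes starting at <offset>, or None if unavailable."""
    value = cookie_value(cfg, request)
    if value is None:
        return None
    start = cfg.offset - 1
    key = value.encode("latin-1")[start:start + cfg.length]
    return key if len(key) == cfg.length else None


def pick_server(key: Optional[bytes], servers: List[str], fallback: str) -> str:
    """Hash the key onto a server; with no key, fall back to the group metric."""
    if key is None:
        return fallback
    return servers[zlib.crc32(key) % len(servers)]   # CRC32 is a stand-in hash


# Constructed sample request and server names, for illustration only.
SAMPLE_REQUEST = (b"GET /shop?sid=ABCDEFGH1234 HTTP/1.1\r\n"
                  b"Host: shop.example\r\n"
                  b"Cookie: lang=en; sid=0123456789abcdef\r\n\r\n")
SERVERS = ["real-1", "real-2", "real-3"]

if __name__ == "__main__":
    for line in ("pbind cookie p sid 1 8 d", "pbind cookie p sid 5 4 e"):
        key = persistence_key(parse_pbind(line), SAMPLE_REQUEST)
        print(line, "->", key, "->", pick_server(key, SERVERS, "by-metric"))
```

In passive mode the extracted bytes are supplied by the client, so the binding is a routing hint that a client can change, not proof of which session it owns.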
The switch supports up to 2048 traffic filters. Each filter can be configured to allow, deny,
redirect or perform Network Address Translation on traffic according to a variety of address
and protocol specifications, and each physical switch port can be configured to use any combination of filters. This command is disabled by default.
There are several options available in the Filter Advanced Menu (/cfg/slb/filt/adv,
page 450) that can be used to provide more information through syslog. The types of information include:
IP protocol
TCP/UDP ports
TCP flags
Set the address, masks, and/or protocol that will be affected by the filter
Name
icmp
igmp
tcp
udp
icmp6
ospf
vrrp
sport any|<name>|<port>|<port>-<port>
If defined, traffic with the specified TCP or UDP source port will be affected by this filter.
Specify the port number, range, name, or any. The default is any. Listed below are some
of the well-known ports:
Number  Name
20      ftp-data
21      ftp
22      ssh
23      telnet
25      smtp
37      time
42      name
43      whois
53      domain
69      tftp
70      gopher
79      finger
80      http
109     pop2
110     pop3
deny
Discard frames that fit this filter's profile. This can be used for building basic security profiles.
redir
Redirect frames that fit this filter's profile, such as for web cache redirection. In
addition, Layer 4 processing must be activated (see the /cfg/slb/on command on
page 412).
nat
Perform generic Network Address Translation (NAT). This can be used to map the
source or destination IP address and port information of a private network scheme
to/from the advertised network IP address and ports. This is used in conjunction
with the nat option (mentioned in this table) and can also be combined with proxies.
goto
Allows the user to specify a target filter ID that the filter search should jump to
when a match occurs. The goto action causes filter processing to jump to a designated filter, effectively skipping over a block of filter IDs. Filter searching action
will then continue from the designated filter ID.
To specify the new filter to goto, use the /cfg/slb/filt/adv/goto command.
As another example, you could configure the switch with two filters so that each would
handle traffic filtering for one half of the Internet. To do this, you could define the following
parameters:
Table 7-17 Filtering IP Address Ranges
Filter
dip
#1
#2
128.0.0.0 255.255.255.255
dmask
128.0.0.0
128.0.0.0 128.0.0.0
work traffic at the Layer 2 level in your switch. Using this command you can preserve
802.1p bits in all the frames that pass through the switch.
Menu]
- Enable/disable TCP URG matching
- Enable/disable TCP ACK matching
- Enable/disable TCP PSH matching
- Enable/disable TCP RST matching
- Enable/disable TCP SYN matching
- Enable/disable TCP FIN matching
- Enable/disable TCP ACK or RST matching
- Display current TCP configuration
These commands can be used to configure packet filtering for specific TCP flags.
Table 7-20 Advanced Filter TCP Menu (/cfg/slb/filt/adv/tcp)
Command Syntax and Usage
urg disable|enable
Enables or disables TCP URG (urgent) flag matching. By default, this option is disabled.
ack disable|enable
Enables or disables TCP ACK (acknowledgement) flag matching. By default, this option is disabled.
psh disable|enable
Enables or disables TCP PSH (push) flag matching. By default, this option is disabled.
rst disable|enable
Enables or disables TCP RST (reset) flag matching. By default, this option is disabled.
syn disable|enable
Enables or disables TCP SYN (synchronize) flag matching. By default, this option is disabled.
fin disable|enable
Enables or disables TCP FIN (finish) flag matching. By default, this option is disabled.
ackrst disable|enable
Enables or disables TCP acknowledgement or reset flag matching. By default, this option is
disabled.
cur
Displays the current Access Control List TCP filter configuration.
Description
echorep
destun
quench
redir
ICMP redirect
echoreq
rtradv
10  rtrsol
11  timex
12  param
13  timereq
14  timerep
15  inforeq
16  inforep
17  maskreq
18  maskrep
Radius snooping allows the Nortel Application Switch Operating System to examine
RADIUS accounting packets for client information. This information is needed to add to
or delete static session entries in the switch's session table so that it can perform the
required persistency for load balancing. For more details, please refer to your Application Guide.
rdswap enable|disable
Enables or disables WAP RADIUS persistence on this filter. This feature allows for RADIUS and
WAP persistence by binding both (RADIUS accounting and WAP) sessions to the same server.
A WAP client is first authenticated by the RADIUS server on UDP port 1812. The server replies
with a Radius Accept or Reject frame. The switch forwards this reply to the RAS. After the RAS
receives the Radius accept packet, it sends a RADIUS accounting start packet on UDP port 1813 to
the bound server. The application switch snoops on the RADIUS accounting start packet for the
framed IP address attribute. The framed IP address attribute is used to rebind the RADIUS
accounting session to a new server. For more details, please refer to your Application Guide.
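The snooping step described above, reading the framed IP address attribute out of a RADIUS accounting start packet, is shown below as an added example (not code from the Nortel documentation or software). It goes beyond the text in two labelled ways: it verifies the RFC 2866 Request Authenticator with a shared secret before trusting the packet, and it assumes an accounting stop removes the entry; the secret, addresses and server name are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCOUNTING_REQUEST = 4      # RADIUS packet code (RFC 2866)
ATTR_FRAMED_IP = 8          # Framed-IP-Address
ATTR_ACCT_STATUS = 40       # Acct-Status-Type
START, STOP = 1, 2          # Acct-Status-Type values


def parse_accounting(packet: bytes) -> dict:
    """Return {attribute type: value} for an Accounting-Request.

    Raises ValueError on anything malformed, so a bad datagram can never
    create or remove a session entry.
    """
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    if not 20 <= length <= len(packet):
        raise ValueError("length field disagrees with the datagram size")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(a_type, packet[pos + 2:pos + a_len])  # first one wins
        pos += a_len
    return attrs


def authenticator_ok(packet: bytes, secret: bytes) -> bool:
    """RFC 2866 Request Authenticator:
    MD5(code + id + length + 16 zero octets + attributes + shared secret)."""
    length = struct.unpack("!H", packet[2:4])[0]
    data = packet[:4] + bytes(16) + packet[20:length] + secret
    return hmac.compare_digest(hashlib.md5(data).digest(), packet[4:20])


def snoop(packet: bytes, secret: bytes, sessions: dict, server: str) -> str:
    """Apply one snooped packet to sessions (framed IP -> bound server)."""
    try:
        attrs = parse_accounting(packet)
    except ValueError:
        return "ignored"
    if not authenticator_ok(packet, secret):
        return "ignored"                      # forged or corrupted packet
    status = attrs.get(ATTR_ACCT_STATUS, b"")
    framed = attrs.get(ATTR_FRAMED_IP, b"")
    if len(status) != 4 or len(framed) != 4:
        return "ignored"
    client = str(ipaddress.IPv4Address(framed))
    kind = struct.unpack("!I", status)[0]
    if kind == START:
        sessions[client] = server
        return "added"
    if kind == STOP and sessions.pop(client, None) is not None:
        return "deleted"                      # assumption: stop removes entry
    return "ignored"


def build_accounting(ident: int, attrs: list, secret: bytes) -> bytes:
    """Build a constructed Accounting-Request for the sample data below."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body


# Constructed sample data: the secret, client address and server are made up.
SECRET = b"example-secret"
FRAMED = ipaddress.IPv4Address("10.20.30.40").packed
START_PKT = build_accounting(
    1, [(ATTR_ACCT_STATUS, struct.pack("!I", START)), (ATTR_FRAMED_IP, FRAMED)], SECRET)
STOP_PKT = build_accounting(
    2, [(ATTR_ACCT_STATUS, struct.pack("!I", STOP)), (ATTR_FRAMED_IP, FRAMED)], SECRET)

if __name__ == "__main__":
    table = {}
    print(snoop(START_PKT, SECRET, table, "real-2"), table)
    print(snoop(START_PKT[:-1] + b"\x29", SECRET, table, "real-9"), table)
    print(snoop(STOP_PKT, SECRET, table, "real-2"), table)
```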
ftpa disable|enable
Enables or disables active FTP Client Network Address Translation (NAT). When a client in
active FTP mode sends a PORT command to a remote FTP server, the switch will look into the
data part of the frame and replace the client's private IP address with a proxy IP (PIP) address.
The real server port (RPORT) will be replaced with a proxy port (PPORT), that is PIP:PPORT. By
default, this option is disabled.
l7lkup disable|enable
Enables or disables layer 7 lookup on this filter. This command replaces the urlp and l7deny
commands found in earlier releases of Nortel Application Switch Operating System. When
enabled, the filter performs a lookup on layer 7 content such as HTTP strings or headers. When
combined with a filter action (for example, deny, redir), this feature enables content-intelligent
redirection or content-intelligent deny filtering.
parseall disable|enable
Enables or disables parsing of all packets in a session where layer 7 lookup is being performed.
This command is enabled by default, and normally all data packets in a session are examined by
the filter.
However, some sessions may contain only one packet containing the layer 7 content. Once this
packet is found, subsequent packets can be ignored. When parseall is disabled, layer 7 lookup
is turned off for the remaining packets in the session.
cur
Displays the current advanced Layer 7 configuration of the filter including the Radius/Wap persistence settings.
/cfg/slb/filt/adv/proxyadv
Proxy Advanced Menu
[Proxy Advanced Menu]
proxyip  - Set client proxy IP address
epip     - Enable/disable pip selection based egress port/vlan
proxy    - Enable/disable client proxy
cur      - Display current proxy configuration
Enables or disables matching of all configured patterns before the filter can perform the
deny action.
parsechn enable|disable
Enable/disable chained pgroup match criteria for l7 filtering.
parseall disable|enable
Enables or disables pattern string lookup (parsing) of all packets in a session where pattern matching is being performed. This command is enabled by default, and normally all data packets in a
session are examined by the filter.
However, some sessions may contain only one packet containing the layer 7 content. Once this
packet is found, subsequent packets can be ignored. When parseall is disabled, pattern matching is turned off for the remaining packets in the session.
cur
Displays the current configuration.
Menu]
Set maximum connections for rate limiting
Set time window for rate limiting
Set hold down duration for rate limiting
Enable TCP, UDP, or ICMP rate limiting
Disable TCP, UDP, or ICMP rate limiting
Display current rate limiting configuration
Nortel Application Switch Operating System switch software allows you to enable or disable
processing independently for each type of Layer 4 traffic (client and server) on a per port
basis, expanding your topology options.
NOTE When changing the filters on a given port, it may take some time before the port session information is updated so that the filter changes take effect. To make port filter changes
take effect immediately, clear the session binding table for the port (see the clear command
in Table 8-3 on page 502).
Table 7-28 Port Configuration Menu Options (/cfg/slb/port)
Command Syntax and Usage
client disable|enable
For Server Load Balancing, the port can be enabled or disabled to process client Layer 4 traffic. Ports
configured to process client request traffic bind servers to clients and provide address translation
from the virtual server IP address to the real server IP address, re-mapping virtual server IP addresses
and port values to real server IP addresses and ports. Traffic not associated with virtual servers is
switched normally. Maximizing the number of these ports on the Layer 4 switch will improve the
switch's potential for effective Server Load Balancing. This option is disabled by default.
server disable|enable
Ports configured to provide real server responses to client requests require real servers to be connected to the Layer 4 switch, directly or through a hub, router, or another switch. When server processing is enabled, the switch port re-maps real server IP addresses and Layer 4 port values to
virtual server IP addresses and Layer 4 ports. Traffic not associated with virtual servers is switched
normally. This option is disabled by default.
/cfg/slb/gslb
Global SLB Configuration
Global Server Load Balancing (GSLB) at any given site performs periodic SLB health checks
to determine the health and response time of the remote real server corresponding to the virtual
server at the remote site. GSLB uses the health and response time to select the server in the
GSLB selection engine. In addition, GSLB sends the health and response time together with
the local session and CPU utilization information that are collectively known as remote site
updates. The switch performs this periodically on every remote site using Distributed Site
State Protocol (DSSP). DSSP is a proprietary protocol that resides above TCP.
For more information, please refer to your Application Guide.
[Global SLB Menu]
site     - Remote Site Menu
network  - Network Preference Menu
rule     - Rule Menu
version  - Set DSSP version 1 or 2 to send out remote site updates
port     - Set TCP port number for DSSPv2 remote site updates
sinter   - Set interval in seconds for remote site updates
sesscap  - Set sessions utilization capacity threshold (DSSPv2)
cpucap   - Set CPU utilization capacity threshold (DSSPv2)
smask    - Set source IP subnet mask for DNS persistence cache
timeout  - Set timeout in minutes for DNS persistence cache
mincon   - Set sessions available capacity threshold
noresp   - Set DNS response code when no server is returned
dns      - Enable/disable authoritative DNS direct based GSLB
hostlk   - Enable/disable virtual service hostname matching
http     - Enable/disable HTTP redirect based GSLB
usern    - Enable/disable HTTP redirect to remote real server name
norem    - Enable/disable no remote real SLB
encrypt  - Enable/disable encrypting remote site updates
on       - Globally turn Global SLB ON
off      - Globally turn Global SLB OFF
cur      - Display current Global SLB configuration
At a local site for a domain, there is a local virtual server but no remote virtual server. The
local virtual server has a number of local virtual services. Each local virtual service has a group
of local or remote real servers. The remote real servers are the virtual servers at the remote
sites.
[Remote site 1 Menu]
prima    - Set primary switch IP address of remote site
secon    - Set secondary switch IP address of remote site
name     - Set remote site name
update   - Enable/disable remote site updates
ena      - Enable remote site
dis      - Disable remote site
del      - Delete remote site
cur      - Display current remote site configuration
/cfg/slb/gslb/rule
GSLB Rule Configuration Menu
Rules allow the GSLB selection to use different metric preferences based on time-of-day. You
can configure one or more rules on each domain. Each rule has a metric preference list. The
GSLB selection selects the first rule that matches the domain and starts with the first metric in
the metric preference list of the rule.
[Rule 1 Menu]
metric   - Metric Menu
start    - Set start time for rule
end      - Set end time for rule
ttl      - Set Time To Live in seconds of DNS resource records
rr       - Set DNS resource records in DNS response
dname    - Set network preference domain name for rule
ena      - Enable rule
dis      - Disable rule
del      - Delete rule
cur      - Display current rule configuration
/cfg/slb/gslb/rule/metric
Global SLB Rule Metric Menu
[Rule 1 Metric 1 Menu]
gmetric  - Set metric to use to select next server
addnet   - Add network to gmetric=network
remnet   - Remove network from gmetric=network
cur      - Display current metric configuration
/cfg/slb/layer7
Layer 7 SLB Resource Definition Menu
[Layer 7 Resource Definition Menu]
redir    - Web Cache Redirection Menu
slb      - Server Load Balancing Menu
sdp      - SIP SDP Menu
dbindtm  - Set timeout for incomplete delayed binding connections
cur      - Display current Layer 7 configuration
/cfg/slb/layer7/redir
Web Cache Redirection Configuration
[Web Cache Redirection Menu]
urlal    - Enable/disable auto-ALLOW for non-GETs to origin servers
cookie   - Enable/disable auto-ALLOW for Cookie to origin servers
nocache  - Enable/disable no-cache control header to origin servers
hash     - Enable/disable URL hashing based on URI
header   - Enable/disable server loadbalance based on HTTP header
cur      - Display current WCR configuration
determine whether all non-GET requests should be redirected to a cache server or origin server.
This option is enabled by default.
determine whether it should redirect all requests that contain Cookie: in the HTTP header to a
cache server or origin server.
This option is disabled by default.
nocache disable|enable
Enables or disables no-cache control header to origin servers.
If this command is enabled, the switch will redirect all requests that contain Cache-Control: no-cache
in HTTP/1.1 header, or Pragma: no-cache in HTTP/1.0 header to the origin server.
If this command is disabled, the switch will compare the URI against the expression table to
determine whether it should redirect requests that contain Cache-Control: no-cache in HTTP/1.1
header, or Pragma: no-cache in HTTP/1.0 header to a cache server or origin server.
This option is enabled by default.
hash disable|enable <number (1-255)>
Enables or disables URL hashing based on the URI.
If hashing is enabled, you can set the length of URI that will be used to hash into the cache
/cfg/slb/layer7/slb
Server Load Balance Resource Configuration Menu
[Server Loadbalance Resource Menu]
message  - Set HTTP error message
addstr   - Add SLB string for load balance
remstr   - Remove SLB string for load balance
rename   - Rename SLB string for load balance
addmeth  - Add HTTP method type
remmeth  - Remove HTTP method type
case     - Enable/disable case sensitive for string matching
cont     - Set BW contract for the SLB string
cur      - Display current configuration
/cfg/slb/layer7/sdp
SDP Mapping Menu
[SDP Mapping Menu]
add      - Add SDP mapping
rem      - Remove SDP mapping
cur      - Display current SDP mapping configuration
/cfg/slb/wap
WAP Configuration
[WAP Options Menu]
tpcp     - Enable/disable WAP TPCP external notification
debug    - WAP debug level
cur      - Display current WAP configuration
/cfg/slb/sync
Synchronize Peer Switch Configuration
[Config Synchronization Menu]
peer     - Synch Peer Switch Menu
filt     - Enable/disable syncing filter configuration
ports    - Enable/disable syncing port configuration
prios    - Enable/disable syncing VRRP priorities
pips     - Enable/disable syncing proxy IP addresses
peerpips - Enable/disable syncing peer proxy IP addresses
bwm      - Enable/disable syncing BWM configuration
state    - Enable/disable syncing persistent session state
update   - Set stateful failover update period
cur      - Display current Layer 4 sync configuration
To synchronize the configuration between two switches, a peer must be configured and
enabled on each switch. Switches being synchronized must use the same administrator password. Peers are sent SLB, FILT, and VRRP configuration updates using /oper/slb/synch.
Table 7-39 Synchronization Menu Options (/cfg/slb/sync)
Command Syntax and Usage
peer <peer switch number (1-2)>
Displays the Sync Peer Switch Menu. This option is enabled by default. To view menu options, see
page 479.
filt disable|enable
Enables or disables synchronizing filter configuration. This option is disabled by default.
ports disable|enable
Enables or disables synchronizing Layer 4 port configuration. This option is enabled by default.
prios disable|enable
Enables or disables syncing VRRP priorities. This option is enabled by default.
pips disable|enable
Enables or disables synchronizing proxy IP addresses. This option is disabled by default.
peerpips disable|enable
Enables or disables synchronizing the peer proxy IP addresses. Peer proxy IP addresses are used in
VRRP Active/Active configuration. This option is disabled by default.
To synchronize the configuration between two switches, a peer must be configured and
enabled on each switch. Switches being synchronized must use the same administrator password.
Table 7-40 Peer Switch Configuration Menu Options (/cfg/slb/sync/peer)
Command Syntax and Usage
addr <IP address>
Sets the peer switch IP address. The default is 0.0.0.0
ena
Enables the peer for this switch. By default, this option is disabled.
dis
Disables the peer for this switch.
/cfg/slb/adv
Advanced Layer 4 Configuration
[Layer 4 Advanced Menu]
synatk   - SYN Attack Detection Menu
smtport  - Service Mapping Table Real Port Menu
imask    - Set virtual and real IP address mask
mnet     - Set management network
mmask    - Set management subnet mask
pmask    - Set persistent mask
intrval  - Set SLB session attack inspection interval
allowlim - Set SLB session attack alert allowable limit
submac   - Enable/disable Source MAC address substitution
direct   - Enable/disable Direct Access Mode
grace    - Enable/disable graceful real server failure
matrix   - Enable/disable Virtual Matrix Architecture
vmasport - Enable/disable VMA with source port
tpcp     - Enable/disable Transparent Proxy Cache Protocol
vstat    - Enable/disable Virtual Service Statistics
rtsvlan  - Enable/disable using VLAN info for real server lookup
pvlantag - Enable/disable preserving vlan tag during packet forwarding
portbind - Enable/disable Ingress Port For Session Table Binding
fastage  - Session table fast-age (1 sec) period bit shift
slowage  - Session table slow-age (2 min) period bit shift
cur      - Display current Layer 4 advanced configuration
/cfg/slb/adv/synatk
SYN Attack Detection Configuration Menu
[SYN Attack Detection Menu]
intrval  - Set SYN attack detection interval
thrshld  - Set SYN attack alarm threshold
cur      - Display current SYN attack detection configuration
/cfg/slb/adv/smtport
Advanced SMT Real Server Port Configuration Menu
[SMT Real Port Menu]
add      - Add real port
remove   - Remove real port
cur      - Display real port configuration
Table 7-43 Advanced SMT Real Server Port Menu Options (/cfg/slb/adv/smtport)
Command Syntax and Usage
add <real server port (2-65534)>
This command allows you to add a service port to the real server that is configured to process client traffic by-passing the server processor.
remove <real server port (2-65534)>
This command allows you to remove a service port from the real server that is configured to process client traffic by-passing the server processor.
cur
Displays real port configuration.
/cfg/slb/linklb
Inbound Link Load Balancing configuration Menu
[Inbound Linklb Menu]
drecord  - Domain Record Menu
group    - Set real server group
ttl      - Set Time to Live of DNS resource records
ena      - Enable Inbound Linklb
dis      - Disable Inbound Linklb
cur      - Display current Inbound Linklb configuration
Table 7-44 Inbound Link Load Balancing Configuration Menu Options (/cfg/slb/linklb)
Command Syntax and Usage
drecord <domain record number (1-64)>
Displays domain record menu. To view menu options, see page 485.
group <real server group number (1-1023)>
Sets the real server ISP group number.
ttl <time to live in seconds (0-65535)>
Sets the time-to-live for DNS resource records.
ena
Enables inbound link load balancing.
dis
Disables inbound link load balancing.
cur
Displays current inbound link load configuration.
/cfg/slb/linklb/drecord
Inbound Link Load Balancing Domain Record Menu
[Domain Record <domain_number> Menu]
entry    - Virt Real Mapping Menu
domain   - Set Domain Name
ena      - Enable Domain Record
dis      - Disable Domain Record
del      - Delete Domain Record
cur      - Display current Domain Record configuration
Table 7-45 Inbound Link Load Balancing Domain Record Menu Options (/cfg/slb/linklb/drecord)
Command Syntax and Usage
entry <linklb entry number (1-8)>
Displays the link load balancer's mapping menu for the virtual and real servers. See page 452 to
view menu options.
domain <64 character domain name>|none
Allows you to configure the domain name. Default is none.
ena
Enables the domain records.
dis
Disables the domain records.
del
Deletes the domain records.
cur
Displays the current domain records.
/cfg/slb/linklb/drecord/entry
Inbound Link Load Balancing Mapping Menu
[Virt Real Mapping 1 Menu]
virt     - Set Virtual Server Number
real     - Set Real Server Number
ena      - Enable Entry
dis      - Disable Entry
del      - Delete Entry
cur      - Display current Entry configuration
Table 7-46
Command Syntax & Usage
virt <virtual server number, 1-1024>
Defines the virtual server number for mapping.
real
Defines the real server number for mapping.
ena
Enables the entry for drecords.
dis
Disables the entry for drecords.
del
Deletes the entry for drecords.
cur
Displays the current real and virtual server mappings for drecords entries.
/cfg/slb/advhc
Advanced Health Check Configuration Menu
[Layer 4 Advanced Health Check Menu]
script   - Scriptable Health Check Menu
snmphc   - SNMP Health Check Menu
waphc    - WAP Health Check Menu
aphttp   - Enable/disable Allow HTTP Health Check on any port
ldapver  - LDAP version
secret   - Set RADIUS secret
minter   - Set interval of response and bandwidth metric updates
cur      - Display current Layer 4 advanced health check configuration
/cfg/slb/advhc/snmphc
SNMP Health Check Configuration
[SNMP Health Check 1 Menu]
oid      - OID to be sent in the SNMP request packet
comm     - Community string used in the SNMP request packet
rcvcnt   - Expected value in the SNMP response packet
invert   - Enable/disable inversion of expected value
weight   - Enable/disable readjusting of weights based on response
del      - Delete SNMP health check
cur      - Display current SNMP health check configuration
/cfg/slb/advhc/waphc
WAP Health Check Configuration
Wireless Session Protocol (WSP) is used within the Wireless Application Protocol (WAP)
suite to manage sessions between wireless devices and WAP content servers or WAP gateways. The Nortel Application Switch Operating System provides a content-based health check
mechanism where customized WSP packets are sent to the WAP gateways, and the switch verifies the expected response, in a manner similar to scriptable health checks.
WSP content health checks can be configured in two modes: connectionless and connection-oriented. Connectionless WSP runs on UDP/IP protocol, ports 9200 and 9202, and connection-oriented (WTP) traffic runs on ports 9201 and 9203. Application switches can be used to load
balance the gateways in both modes of operation.
The Nortel Application Switch Operating System allows you to configure three WAP gateway
health check types for all four WAP services (WSP, WTP+WSP, WTLS+WSP, WTLS+WTP+WSP),
deployed on WAP gateways/servers. For further details, refer to the Application Guide.
[WAP Health Check Menu]
wspcnt   - WSP Health Check Content Menu
wtpcnt   - WTP+WSP Health Check Content Menu
wspport  - WSP port number to health check
wtpport  - WTP port number to health check
wtlswsp  - WTLS+WSP port number to health check
wtlsprt  - WTLS port number to health check
couple   - Enable/disable coupling with RADIUS Accounting Service
cur      - Display current WAP health check configuration
/cfg/slb/advhc/waphc/wspcnt
WSP Content Health Check
[WSP Health Check Content Menu]
offset   - Offset in received WSP packet
sndcnt   - Content to be sent to the WAP gateway
rcvcnt   - Content to be received from the WAP gateway
cur      - Display current WSP health check content configuration
/cfg/slb/advhc/waphc/wtpcnt
WTP and WSP Content Health Check Menu
This menu is used for configuring the health check for connection-oriented unencrypted WAP
traffic.
[WTP+WSP Health Check Content Menu]
offset  - Offset in received WSP PDU
connect - CONNECT PDU to be sent to the WAP gateway
sndcnt  - GET PDU to be sent to the WAP gateway
rcvcnt  - REPLY PDU to be received from the WAP gateway
cur     - Display current WTP+WSP health check content configuration
Table 7-52 WTP and WSP Content Health Check Menu Options (/cfg/slb/advhc/waphc/wtpcnt)
Command Syntax and Usage
offset <offset in the received WSP PDU>
Enter the offset into the content of the received WSP packets. The offset value is the number of bytes from the beginning of the WSP PDU at which comparison with the expected receive content begins. An offset value of 0 (default) sets the switch to start comparing from the beginning of the WSP PDU of the received packet.
connect <connect content as hexstring>
Enter the content for the first switch-generated WSP session packet. This command allows you to
customize the headers in the connect message.
sndcnt <send content as hexadecimal string>
Enter a hexadecimal string that represents a WSP request to a WSP gateway. This string will be
delivered to the WSP gateway.
rcvcnt <receive content as a hexadecimal string>
Enter a hexadecimal string that represents the content that the switch expects to receive from the
WSP gateway.
cur
Displays current WTP+WSP health check content configuration.
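The following added example (Python, not Nortel code) shows how offset and rcvcnt interact when a reply is checked. It assumes the expected bytes must match contiguously starting at offset; the function names and the reply bytes are constructed for illustration.

```python
def parse_hexstring(value: str, field: str) -> bytes:
    """Validate a hex string as typed for connect, sndcnt or rcvcnt."""
    cleaned = "".join(value.split())
    if not cleaned:
        raise ValueError(f"{field}: empty hex string")
    if len(cleaned) % 2:
        raise ValueError(f"{field}: odd number of hex digits ({len(cleaned)})")
    try:
        return bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"{field}: not hexadecimal: {exc}") from None


def match_reply(pdu: bytes, rcvcnt_hex: str, offset: int = 0):
    """Return (healthy, reason) for one received WSP PDU.

    Assumption: rcvcnt is compared byte for byte against the PDU,
    starting `offset` bytes from the beginning of the PDU.
    """
    expected = parse_hexstring(rcvcnt_hex, "rcvcnt")
    if offset < 0:
        raise ValueError("offset must be >= 0")
    end = offset + len(expected)
    if end > len(pdu):
        # A reply shorter than offset + len(rcvcnt) can never match.
        return False, f"reply too short: need {end} bytes, got {len(pdu)}"
    window = pdu[offset:end]
    for i, (got, want) in enumerate(zip(window, expected)):
        if got != want:
            return False, (f"mismatch at PDU byte {offset + i}: "
                           f"got {got:02x}, expected {want:02x}")
    return True, f"matched {len(expected)} bytes at offset {offset}"


# Constructed replies: identical except for the first byte, which stands in
# for a field that changes from one reply to the next.
REPLY_A = bytes.fromhex("1704200161")
REPLY_B = bytes.fromhex("2a04200161")
REPLY_BAD = bytes.fromhex("2a044401")   # third byte differs from the others
REPLY_SHORT = bytes.fromhex("2a04")

if __name__ == "__main__":
    # offset 0 pins the varying first byte, so only REPLY_A passes.
    for pdu in (REPLY_A, REPLY_B):
        print(pdu.hex(), match_reply(pdu, "170420", offset=0))
    # offset 1 skips it and matches on the stable bytes only.
    for pdu in (REPLY_A, REPLY_B, REPLY_BAD, REPLY_SHORT):
        print(pdu.hex(), match_reply(pdu, "0420", offset=1))
```

With offset 0 the check only passes when the first byte of the reply is fixed; moving the offset past a varying field keeps a healthy gateway from being marked down.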
/cfg/slb/pip
Proxy IP Address Configuration Menu
You need to enable proxy IP address processing on the port to use this command. You can configure multiple proxy IP addresses based on either port or VLAN.
You can configure up to 1024 proxy IP addresses on a per switch basis.
[Proxy IP Address Menu]
type    - Set base type of Proxy IP address
add     - Add port or VLAN to Proxy IP address
rem     - Remove port or VLAN from Proxy IP address
cur     - Display current Proxy IP address configuration
/cfg/slb/peerpip
SLB Peer Proxy IP Address Menu
When this command is enabled, the switch can forward traffic from the other switch, using Layer 2, without performing server processing on the packets of the other switch. This works because the peer switches are aware of each other's proxy IP addresses. It prevents a packet from being dropped, or sent to the backup switch, in the absence of the proxy IP address of the peer switch.
[Peer Proxy IP Address Menu]
add     - Add peer Proxy IP address
rem     - Rem peer Proxy IP address
cur     - Display current peer Proxy IP address configuration
/cfg/slb/wlm
WorkLoad Management Menu
[Workload Manager 1 Menu]
addr    - Set IP address for Workload Manager
port    - Set port for Workload Manager
del     - Delete Workload Manager
cur     - Display current Workload Manager configuration
CHAPTER 8
/oper
Operations Menu
[Operations Menu]
port     - Operational Port Menu
slb      - Operational Server Load Balancing Menu
vrrp     - Operational Virtual Router Redundancy Menu
bwm      - Operational Bandwidth Management Menu
security - Operational Security Menu
ip       - Operational IP Menu
swkey    - Enter key to enable software feature
rmkey    - Enter software feature to be removed
passwd   - Change current user password
clrlog   - Clear syslog messages
displog  - Turn on/off display syslog msgs to telnet/ssh sessions
defalias - Set default port alias
ntpreq   - Send NTP request
The commands of the Operations Menu enable you to alter switch operational characteristics
without affecting switch configuration.
Port Mirroring menu options are accessible only to the Nortel Application Switch AD4 and
Nortel Application Switch 184 Web Switches.
Operations-level port options are used for temporarily disabling or enabling a port, and for
changing Remote Monitoring (RMON) status on a port.
Table 8-2 Operations-Level Port Menu Options (/oper/port)
Command Syntax and Usage
rmon disable|enable
Temporarily enables/disables Remote Monitoring on the port. The port will be returned to its configured operation mode when the switch is reset.
ena
Temporarily enables the port. The port will be returned to its configured operation mode when the
switch is reset.
dis
Temporarily disables the port. The port will be returned to its configured operation mode when the
switch is reset.
cur
Displays the current settings for the port.
/oper/slb
Operations-Level SLB Options
[Server Load Balancing Operations Menu]
group   - Real Server Group Menu
gslb    - Global SLB Operations Menu
sync    - Synchronize SLB, VRRP and other configurations on peers
ena     - Enable real server
dis     - Disable real server
sessdel - Delete session table entry
clear   - Clear session table
cur     - Current layer 4 operational state
When the optional Layer 4 software is enabled, the operations-level Server Load Balancing
options are used for temporarily disabling or enabling real servers and synchronizing the configuration between the active/active switches.
Table 8-3 Server Load Balancing Operations Menu Options (/oper/slb)
Command Syntax and Usage
group <real server group number (1-1024)>
Displays the Real Server Group Menu. To view menu options, see page 503.
gslb
Displays Global SLB Operations Menu. To view menu options, see page 504.
sync
Synchronizes the SLB, filter, VRRP, port, Bandwidth Management configuration, and VR priorities on a peer switch (a switch that owns the IP address). To take effect, peers must be configured
on the Nortel Application Switch and the administrator password on the switch must be identical.
ena <real server number (1-1023)>
Temporarily enables a real server. The real server will be returned to its configured operation
mode when the switch is reset.
specified real server (except for persistent http 1.0 sessions) by removing the real server from
operation within its real server group and virtual server
Using the n (none) option immediately suspends assignment of connections to the specified real server by removing the real server from operation within its real server group and virtual server.
The real server will be returned to its configured state after a switch reset.
NOTE This command provides for orderly server shutdown to allow maintenance on a server.
For more information, see Disabling and Enabling Real Servers in the Nortel Application Switch
Operating System 23.0.2 Application Guide.
sessdel
Delete session table entry.
clear
Clears all session tables and allows port filter changes to take effect immediately.
NOTE This command disrupts current SLB and Application Redirection sessions.
cur
Displays the current SLB operational state.
/oper/slb/group
Real Server Group Operations
[Real server group 1 Menu]
ena     - Enable real server in this group
dis     - Disable real server in this group
cur     - Current server group operational state
/oper/slb/gslb
Global SLB Operations Menu
[Global SLB Operations Menu]
query   - Query Global SLB selection
add     - Add entry to Global SLB DNS persistence cache
arem    - Remove all entries Global SLB DNS persistence cache
/oper/vrrp
Operations-Level VRRP Options.
[VRRP Operations Menu]
back    - Set virtual router to backup
the same)
This switch's virtual router has a higher priority and preemption is enabled.
There are no other virtual routers available to take master control.
/oper/bwm
Operations-Level Bandwidth Management Options
[Bandwidth Management Operations Menu]
sndhist - Send BW History to SMTP server
clear   - Clear BWM IP user entry table
/oper/security
Security Menu
[Security Menu]
ipacl   - IP ACL Operations Menu
/oper/security/ipacl
IP ACL Operations Menu
[IP ACL Operations Menu]
add     - Add operations source IP Address/Mask
rem     - Remove operations source IP Address/Mask
arem    - Remove all operations source IP Address/Mask
dadd    - Add operations destination IP Address/Mask
drem    - Remove operations destination IP Address/Mask
darem   - Remove all operations destination IP Address/Mask
cfg     - Display configuration IP Address/Mask
bogon   - Display bogon IP Address/Mask
oper    - Display operations IP Address/Mask
cur     - Display all IP Address/Mask
/oper/ip
Operations-Level IP Options
[IP Operations Menu]
bgp     - Operational Border Gateway Protocol Menu
garp    - Send gratuitous arp
/oper/ip/bgp
Operations-Level BGP Options
[Border Gateway
start
stop
cur
-
/oper/swkey
Activating Optional Software
The swkey option is used for activating any optional software you have purchased for your
switch.
Before you can activate optional software, you must obtain a software license from your Nortel
Networks representative or authorized reseller. One software license is needed for each switch
where the optional software is to be used. You will receive a License Certificate for each software license purchased.
Currently the following software packages are available for purchase and installation:
Security Pack
Bandwidth Management
To obtain a software key, you must register each License Certificate with Nortel Networks and
provide the MAC address of the Nortel Application Switch Operating System switch that will
run the optional software. Nortel Networks will then provide a License Password.
NOTE Each License Password will work only on the specific switch which has the MAC
address you provided when registering your License Certificate.
Once you have your License Password, perform the following actions:
1. Connect to the switch's command line interface and log in as the administrator (see Chapter 1, The Command Line Interface).
2.
3.
4. When prompted, enter your 16-digit software key code. For example:
Enter Software Key: <16 hexadecimal-digit key to enable software feature (such as, 123456789ABCDEF)>
If the correct code is entered, you will see the following message:
Valid software key entered.
Software feature enabled.
/oper/rmkey
Removing Optional Software
The rmkey option is used for deactivating any optional software. Deactivated software is still
present in switch memory and can be reactivated at any later time.
To review the deactivation options, enter the following at the Operations Menu:
>> Operations# ? rmk
Usage: rmkey <software feature to be removed (GSLB||BWM|Security|Linklb|ITM)>
When prompted, enter the code for software to be removed. For example:
Enter Software Feature to be removed:[GSLB]|BWM|Security: GSLB
CHAPTER 9
Selecting a switch software image to be used when the switch is next reset
/boot
Boot Menu
[Boot Options Menu]
sched   - Scheduled Switch Reset Menu
image   - Select software image to use on next boot
conf    - Select config block to use on next boot
gtimg   - Download new software image via TFTP
ptimg   - Upload selected software image via TFTP
reset   - Reset switch [WARNING: Restarts Spanning Tree]
cur     - Display current boot options
/boot/sched
Scheduled Reboot Menu
[Boot Schedule Menu]
set     - Set switch reset time
cancel  - Cancel pending switch reset
cur     - Display current switch reset schedule
The cur option displays the current scheduled reboot time. For example:
>> Boot Schedule# cur
Currently scheduled reboot time: none
Downloading the new image from the TFTP server to your switch
Selecting the new software image to be loaded into switch memory the next time the
switch is reset
Set up the TFTP option (/cfg/sys/mgmt/tftp) for the TFTP connection. This sets the default option for the gtimg and ptimg commands. However, note that you can override this setting with the option provided to these operational commands.
NOTE The DNS parameters must be configured if specifying hostnames (see Domain Name System Configuration Menu on page 379).
When the above requirements are met, use the following procedure to download the new software to your switch.
1.
2.
3.
4.
The exact form of the name will vary by TFTP server. However, the file location is normally
relative to the TFTP directory (usually /tftpboot).
5.
2.
Enter the name of the image you want the switch to use upon the next boot.
The system informs you of which image is currently set to be loaded at the next reset, and
prompts you to enter a new choice:
Currently set to use switch software "image1" on next reset.
Specify new image to use on next reset ["image1"/"image2"]:
2.
The system prompts you for information. Enter the desired image:
Enter name of switch software image to be uploaded
["image1"|"image2"|"boot"]: <image> <hostname or server-IP-addr> <server-file-
name>
3.
4.
Enter the name of the file into which the image will be uploaded on the TFTP server:
Enter name of file on TFTP server: <filename>
5.
The system then requests confirmation of what you have entered. To have the file
uploaded, enter Y.
image2 currently contains Software Version 20.2.0.7
Upload will transfer image2 (1889411 bytes) to file "test"
on TFTP server 192.1.1.1.
Confirm upload operation [y/n]: y
2.
Enter the name of the configuration block you want the switch to use:
The system informs you of which configuration block is currently set to be loaded at the next
reset, and prompts you to enter a new choice:
Currently set to use active configuration block on next reset.
Specify new block to use ["active"/"backup"/"factory"]:
CHAPTER 10
/maint
Maintenance Menu
NOTE To use the Maintenance Menu, you must be logged in to the switch as
the administrator.
[Maintenance Menu]
sys     - System Maintenance Menu
fdb     - Forwarding Database Manipulation Menu
arp     - ARP Cache Manipulation Menu
route   - IP Route Manipulation Menu
ip6     - IP6 Manipulation Menu
debug   - Debugging Menu
uudmp   - Uuencode FLASH dump
ptdmp   - Upload FLASH dump via FTP/TFTP
cldmp   - Clear FLASH dump
lsdmp   - List FLASH dump
panic   - Dump state information to FLASH and reboot
tsdmp   - Tech support dump
pttsdmp - Upload tech support dump via FTP/TFTP
sslrst  - Reset SSL card
Dump information contains internal switch state data that is written to flash memory on the
Nortel Application Switch after any one of the following occurs:
The switch administrator forces a switch panic. The panic option, found in the Maintenance Menu, causes the switch to dump state information to flash memory, and then
causes the switch to reboot.
The switch administrator enters the switch reset key combination on a device that is
attached to the console port. The switch reset key combination is <Shift><Ctrl><->.
The watchdog timer forces a switch reset. The purpose of the watchdog timer is to reboot
the switch if the switch software freezes.
The switch detects a hardware or software problem that requires a reboot.
Table 10-1 Maintenance Menu Options (/maint)
/maint/sys
System Maintenance Options
This menu is reserved for use by Nortel Networks Customer Support group. The options are
used to perform system debugging.
[System Maintenance Menu]
flags   - Set NVRAM flag word
sfpinfo - Show SFP information
/maint/fdb
Forwarding Database Options
[FDB Manipulation Menu]
find    - Show a single FDB entry by MAC address
port    - Show FDB entries for a single port
trunk   - Show FDB entries on a single trunk
vlan    - Show FDB entries for a single VLAN
refpt   - Show FDB entries referenced by a single port
dump    - Show all FDB entries
del     - Delete an FDB entry
clear   - Clear entire FDB
The Forwarding Database Manipulation Menu can be used to view information and to delete a
MAC address from the forwarding database or clear the entire forwarding database. This is
helpful in identifying problems associated with MAC address learning and packet forwarding
decisions.
/maint/arp
ARP Cache Options
[Address Resolution Protocol Menu]
find    - Show a single ARP entry by IP address
port    - Show ARP entries on a single port
vlan    - Show ARP entries on a single VLAN
refpt   - Show ARP entries referenced by a single SP
dump    - Show all ARP entries
clear   - Clear ARP cache
addr    - Show ARP address list
NOTE To display all ARP entries currently held in the switch, or a portion according to one
of the options listed on the menu above (find, port, vlan, refpt, dump), you can also
refer to ARP Information on page 112.
/maint/route
IP Route Manipulation
[IP Routing Menu]
find    - Show a single route by destination IP address
gw      - Show routes to a single gateway
type    - Show routes of a single type
tag     - Show routes of a single tag
if      - Show routes on a single interface
dump    - Show all routes
clear   - Clear route table
NOTE To display all routes, you can also refer to IP Routing Information on page 108.
/maint/ip6
IPv6 Manipulation Menu
[IP6 Menu]
nbrcache - Neighbor Cache Manipulation Menu
/maint/debug
Debugging Options
[Miscellaneous Debug Menu]
tbuf    - Show MP trace buffer
sptb    - Show SP trace buffer
spall   - Show All SPs trace buffers
clrcfg  - Clear all flash configs
portmap - Show port-SP-MAC mapping
vmasp   - Show designated SP for IP address
vmasp6  - Show designated SP for IP6 address
The Miscellaneous Debug Menu displays trace buffer information about events that can be
helpful in understanding switch operation. You can view the following information using the
debug menu:
If the switch resets for any reason, the MP trace buffer and SP trace buffers are saved into the
snap trace buffer area. The output from these commands can be interpreted by the Nortel Networks Customer Support division.
Table 10-7 Miscellaneous Debug Menu Options (/maint/debug)
Command Syntax and Usage
tbuf
Displays the Management Processor trace buffer. Header information similar to the following is shown:
MP trace buffer at 13:28:15 Fri May 25, 2001; mask: 0x2ffdf748
The buffer information is displayed after the header.
sptb <port number (1-4)>
Displays the Switch Processor trace buffer. Header information similar to the following is shown:
SP 1 trace buffer at 10:56:35 Tue Jul 30, 2002; mask: 0x00800008
The buffer information is displayed after the header.
spall
Displays all Switch Processor trace buffers. Header information similar to the following is shown:
SP 1 trace buffer at 10:56:35 Tue Jul 30, 2002; mask: 0x00800008
The buffer information is displayed after the header.
clrcfg
Deletes all flash configuration blocks.
/maint/uudmp
Uuencode Flash Dump
Using this command, dump information is presented in uuencoded format. This format makes
it easy to capture the dump information as a file or a string of characters. You can then contact
Nortel Networks Customer Support for help analyzing the information.
If you want to capture dump information to a file, set your communication software on your
workstation to capture session data prior to issuing the uudmp command. This will ensure that
you do not lose any information. Once entered, the uudmp command will cause approximately
23,300 lines of data to be displayed on your screen and copied into the file.
Using the uudmp command, dump information can be read multiple times. The command
does not cause the information to be updated or cleared from flash memory.
NOTE Dump information is not cleared automatically. In order for any subsequent dump
information to be written to flash memory, you must manually clear the dump region. For more
information on clearing the dump region, see page 529.
To access dump information, at the Maintenance# prompt, enter:
Maintenance# uudmp
The dump information is displayed on your screen and, if you have configured your communication software to do so, captured to a file. If there is a dump available, the system prompts as
follows:
>> Maintenance# uu
Enter region to dump [main/bkp]: main
Dumping main region:
Use 'ptdmp' to extract panic dumps.
Confirm proceed with large dump (15000 lines) [y/n]:
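One way to recover the dump from a captured session file, as an added Python example (not a Nortel tool). It assumes the uuencoded body is framed by standard `begin <mode> <name>` and `end` lines, which this page does not show; the sample capture and the name flashdump are constructed.

```python
import binascii
import hashlib
import re

BEGIN_RE = re.compile(r"^begin\s+[0-7]{3,4}\s+(\S+)$")


def extract_dump(capture: str):
    """Return (name, data, sha256_hex) for the first uuencoded body found.

    Prompts and other session text outside begin/end are ignored. A damaged
    line inside the body is an error, so a lossy capture is never silently
    accepted as a complete dump.
    """
    name = None
    chunks = []
    for lineno, line in enumerate(capture.splitlines(), start=1):
        # Terminal software often strips trailing blanks; a2b_uu treats the
        # missing characters as zero bits, so stripping here is harmless.
        line = line.rstrip()
        if name is None:
            m = BEGIN_RE.match(line)
            if m:
                name = m.group(1)
            continue
        if line == "end":
            data = b"".join(chunks)
            return name, data, hashlib.sha256(data).hexdigest()
        if not line:
            continue
        try:
            chunks.append(binascii.a2b_uu(line))
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ValueError(
                f"capture line {lineno} is not valid uuencode: {exc}") from None
    if name is None:
        raise ValueError("no 'begin' line found in capture")
    raise ValueError("capture is truncated: no 'end' line after 'begin'")


def build_sample_capture(payload: bytes) -> str:
    """Constructed session log: prompts from this page around a uuencoded body."""
    body = [binascii.b2a_uu(payload[i:i + 45]).decode("ascii").rstrip("\n")
            for i in range(0, len(payload), 45)]
    lines = [">> Maintenance# uu",
             "Enter region to dump [main/bkp]: main",
             "Dumping main region:",
             "begin 644 flashdump",      # assumed framing, not shown on the page
             *body, "`", "end",
             ">> Maintenance# "]
    return "\r\n".join(lines)


SAMPLE_PAYLOAD = bytes(range(256)) * 2          # constructed stand-in for dump data
SAMPLE_CAPTURE = build_sample_capture(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    name, data, digest = extract_dump(SAMPLE_CAPTURE)
    print(f"{name}: {len(data)} bytes, sha256 {digest}")
```

Recording the SHA-256 of the decoded file when it is captured lets the copy later sent for analysis be checked against it.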
Where server is the TFTP or FTP server IP address or hostname, and filename is the target
dump file.
/maint/cldmp
Clearing Dump Information
To clear dump information from flash memory, at the Maintenance# prompt, enter:
Maintenance# cldmp
The switch clears the dump region of flash memory and displays the following message:
FLASH dump region cleared.
If the flash dump region is already clear, the switch displays the following message:
FLASH dump region is already clear.
/maint/lsdmp
Use the /maint/lsdmp command to view dump statistics. For example:
>> Maintenance# lsdmp
The main dump was saved at 8:12:58 Fri Jun 3, 2005.
A backup dump was saved at 14:47:31 Mon Jun 20, 2005.
/maint/panic
Panic Command
The panic command causes the switch to immediately dump state information to flash memory and automatically reboot.
To select panic, at the Maintenance# prompt, enter:
>> Maintenance# panic
A FLASH dump already exists.
Confirm replacing existing dump and reboot [y/n]:
/maint/tsdmp
Use the /maint/tsdmp command to dump all dump information that can be used for technical
support. For example:
>> Maintenance# tsdmp
Confirm dumping all information, statistics, and configuration [y/n]:
/maint/pttsdmp
Use the /maint/pttsdmp command to upload a technical support dump using an FTP or TFTP
connection. The dump was performed earlier using the /maint/tsdmp command. For example:
>> Maintenance# ? pttsdmp
Usage: pttsdmp <hostname> <filename> <-tftp|username password> [mgmt|-data]
>> Maintenance# pttsdmp
Enter hostname or IP address of FTP/TFTP server: 0.0.0.0
Enter name of file on FTP/TFTP server: dump.txt
Enter username for FTP server or hit return for TFTP server: username
Enter password for username on FTP server:
Connecting to 0.0.0.0...
.
.
/maint/sslrst
Use the /maint/sslrst command to reset the switch SSL card.
CHAPTER 11
NOTE Help information on specific commands uses the command help, and not the ?
symbol used at other directory levels. The command must also be spelled-out in full. For
example, to request help on the apply command enter:
SSL >> Main# help diff
Show any pending configuration changes.
/ssl
SSL Processor Menu
[Main Menu]
info    - Information menu
stats   - Statistics menu
cfg     - Configuration menu
boot    - Boot menu
maint   - Maintenance menu
diff    - Show pending config changes [global command]
apply   - Apply pending config changes [global command]
revert  - Revert pending config changes [global command]
paste   - Restore saved config with key [global command]
help    - Show command help [global command]
exit    - Exit [global command, always available]
/ssl/info
SSL Performance information menu
[Information Menu]
servers
certs
hsm
sslvpn
users
ipsec
ippool
ip
sys
licenses
access
kick
isdlist
local
ethernet
ports
events
-
op
up
local
Displays the current software version, iSD hardware platform, up time (since last boot), IP address,
and Ethernet MAC address for the particular iSD host to which you have connected. If you have
connected to the MIP address, the information displayed relates to the iSD host in the cluster that
currently is in control of the MIP. For example:
SSL >> Information# local
Alteon iSD SSL
Hardware platform: 2424S
Software version: 5.0.0.34
Up time: 11 days 1 hour 52 minutes
IP address: 10.10.10.71
MAC address: 00:01:81:2e:bc:6f
ethernet
Displays statistics for the Ethernet network interface card (NIC) on the particular iSD host to
which you have connected. If you have connected to the MIP address, the information displayed
relates to the iSD host in the cluster that currently is in control of the MIP. If more than one network is configured in the cluster, Ethernet statistics for the respective network are displayed.
RX packets: the total number of received packets
TX packets: the total number of transmitted packets
errors: packets lost due to error
dropped: error due to lack of resources
overruns: error due to lack of resources
frame: error due to malformed packets
carrier: error due to lack of carrier
collisions: number of packet collisions
Note: A non-zero collision value may indicate an incorrect configuration of the Ethernet autonegotiation.
For example:
I/f 1: RX packets:3438 errors:0 dropped:0 overruns:0 frame:0
I/f 1: TX packets:2738 errors:0 dropped:0 overruns:0
carrier:0 collisions:0
I/f 1: RX bytes:220060 (214.9 Kb) TX bytes:205486 (200.6 Kb)
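An added Python example (not part of the Nortel documentation) that parses this output, including the wrapped carrier/collisions line, and reports non-zero error counters with the meanings listed above. The second sample and all function names are constructed.

```python
import re

IFACE_RE = re.compile(r"^I/f\s+(\d+):\s*(.*)$")

# Meanings as given in the counter list above.
ERROR_COUNTERS = {
    "errors": "packets lost due to error",
    "dropped": "lack of resources",
    "overruns": "lack of resources",
    "frame": "malformed packets",
    "carrier": "lack of carrier",
    "collisions": "possible incorrect Ethernet auto-negotiation configuration",
}


def parse_ethernet_stats(text):
    """Return {interface: {"RX packets": n, "TX collisions": n, ...}}."""
    stats = {}
    iface = direction = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            iface, line = int(m.group(1)), m.group(2)
        if iface is None:
            continue                      # text before the first I/f line
        # A line without the "I/f n:" prefix is a wrapped continuation and
        # keeps the interface and direction of the line before it.
        for token in line.split():
            if token in ("RX", "TX"):
                direction = token
                continue
            name, sep, value = token.partition(":")
            if sep and value.isdigit() and direction:
                stats.setdefault(iface, {})[f"{direction} {name}"] = int(value)
    return stats


def error_findings(stats):
    """List (interface, counter, value, meaning) for non-zero error counters."""
    found = []
    for iface in sorted(stats):
        for key in sorted(stats[iface]):
            value = stats[iface][key]
            name = key.split(" ", 1)[1]
            if value and name in ERROR_COUNTERS:
                found.append((iface, key, value, ERROR_COUNTERS[name]))
    return found


# Output as shown on this page.
PAGE_SAMPLE = """\
I/f 1: RX packets:3438 errors:0 dropped:0 overruns:0 frame:0
I/f 1: TX packets:2738 errors:0 dropped:0 overruns:0
carrier:0 collisions:0
I/f 1: RX bytes:220060 (214.9 Kb) TX bytes:205486 (200.6 Kb)
"""

# Constructed sample with frame errors and collisions on a second interface.
CONSTRUCTED_SAMPLE = """\
I/f 2: RX packets:91822 errors:2 dropped:0 overruns:0 frame:2
I/f 2: TX packets:88410 errors:0 dropped:0 overruns:0
carrier:0 collisions:37
I/f 2: RX bytes:7340112 (6.9 Mb) TX bytes:6911834 (6.5 Mb)
"""

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        for iface, key, value, meaning in error_findings(parse_ethernet_stats(sample)):
            print(f"I/f {iface}: {key}={value} ({meaning})")
```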
/ssl/info/events
SSL Performance Menu
[Events Menu]
alarms   - List all pending alarms
download - Dump the event log file to a TFTP/FTP/SFTP server
/ssl/stats
SSL Performance Statistics menu
[Statistics Menu]
sslstats - SSL stats
ipsec    - IPSEC stats
aaa      - AAA specific statistics
dump     - Dump all information
/ssl/stats/sslstats
SSL Performance Menu
[SSL stats Menu]
vpn        - Cluster SSL VPN statistics
server     - Cluster SSL Server statistics
local      - Local statistics for each isdhost
clear      - Clear all statistics for all IPs
activesess - Number of currently active request sessions
totalsess  - Total completed request sessions
sslaccept  - Total completed SSL accept
sslconnect - Total completed SSL connect
tpshisto   - Cluster-wide TPS histograms for all servers
clihisto   - cluster wide client data histograms for all servers
srvhisto   - cluster wide server data histograms for all servers
/ssl/stats/sslstats/local
SSL Performance SSL Local Statistics Menu
[Local SSL Statistics Menu]
isdhost  - ISD local SSL server statistics menu
overview - Overview of isdhost local statistics
tpshisto - ISD local TPS histograms for all servers/ISDs
clihisto - ISD local client byte/s histos for all servers/ISDs
srvhisto - ISD local server data byte/s histos for all servers/ISDs
license  - ISD local license statistics
dump     - Dump all information
dump
Display all local statistical information.
/ssl/stats/sslstats/local/isdhost
SSL Performance: Single ISD SSL Statistics Menu
[Single ISD SSL Stats 1 Menu]
server   - ISD local SSL server stats
tpshisto - ISD local TPS histograms for all servers
clihisto - ISD local client byte/s histograms for all servers
srvhisto - ISD local server byte/s histograms for all servers
dump     - Dump all information
Table 11-7 SSL Performance: Single ISD SSL Statistics Menu Options
Command Syntax and Usage
server
Displays statistics for the local ISD SSL server.
tpshisto
Displays ISD local TPS histograms for all servers.
clihisto
Displays ISD local client data histograms for all servers.
srvhisto
Displays ISD local server histograms for all servers.
dump
Displays all statistical information.
/ssl/stats/ipsec
IPSEC Statistics menu
[IPSEC stats Menu]
vpn        - Cluster IPSEC Server statistics
local      - Local statistics for each isdhost
clear      - Clear all ipsec statistics for all IPs
activesess - Number of currently active ipsec sessions
totalsess  - Total completed ipsec sessions
failedsess - Total failed ipsec sessions
enctot     - Total encoded kBytes
enc        - Encoded kB/sec last minute
dectot     - Total decoded kBytes
dec        - Decoded kB/sec last minute
sesshisto  - Cluster-wide ipsec session histograms for all servers
enchisto   - Cluster-wide ipsec encrypt histograms for all servers
dechisto   - Cluster-wide ipsec decrypt histograms for all servers
/ssl/stats/ipsec/local
SSL Performance: Local IPSEC Statistics Menu
[Local IPSEC Statistics Menu]
isdhost   - ISD local IPSEC server statistics menu
sesshisto - ISD local ipsec session histograms for all VPNs/ISDs
enchisto  - ISD local ipsec encrypt histograms for all VPNs/ISDs
dechisto  - ISD local ipsec decrypt histograms for all VPNs/ISDs
dump      - Dump all information
/ssl/stats/ipsec/local/isdhost
SSL Performance: Single IPSEC ISD Statistics Menu
[Single ISD IPSEC Stats 1 Menu]
vpn        - ISD local IPSEC server stats
activesess - Locally active ipsec sessions all VPNs
totalsess  - Locally total ipsec sessions all VPNs
failedsess - Locally failed ipsec sessions, all VPNs
enctot     - Locally total ipsec encoded kBytes all VPNs
enc        - Locally ipsec encoded kB/sec last minute all VPNs
dectot     - Locally total ipsec decoded kBytes all VPNs
dec        - Locally ipsec decoded kB/sec last minute all VPNs
sesshisto  - ISD local ipsec sess histograms for all VPNs
enchisto   - ISD local ipsec encrypt histograms for all VPNs
dechisto   - ISD local ipsec decrypt histograms for all VPNs
dump       - Dump all information
Table 11-10 SSL Performance: Single IPSEC ISD Statistics Menu Options
Command Syntax and Usage
vpn <VPN_number>
Display the ISD local IPSEC server statistics.
activesess
Display the locally active IPSEC sessions for all VPNs.
totalsess
Display the total of locally active IPSEC sessions for all VPNs.
failedsess
Display the failed IPSEC sessions for all VPNs.
enctot
Display the total kBytes encoded for all VPNs.
enc
Display the locally encoded kBytes for all VPNs.
dectot
Display the total kBytes decoded for all VPNs.
dec
Display the locally decoded kBytes for all VPNs.
sesshisto
Display the ISD local IPSEC session histograms for all VPNs.
enchisto
Display the ISD local IPSEC encrypted histograms for all VPNs.
dechisto
Display the ISD local ipsec decrypt histograms for all VPNs.
dump
Display all ISD statistics.
/ssl/stats/aaa
AAA Statistics Menu
[AAA Statistics Menu]
total   - Cluster-wide authentication statistics (per VPN)
isdhost - ISD local authentication statistics (per VPN)
dump    - Dump all information
/ssl/cfg
SSL Performance Configuration Menu
[Configuration Menu]
ssl     - SSL offload menu
cert    - Certificate menu
vpn     - VPN menu
test    - Create test vpn, portal and certificate
quick   - Quick vpn setup wizard
sys     - System-wide parameter menu
lang    - Language support
ptcfg   - Backup configuration to TFTP/FTP/SCP/SFTP server
gtcfg   - Restore configuration from TFTP/FTP/SCP/SFTP server
dump    - Dump configuration on screen for copy-and-paste
NOTE Note 1: If you have fully separated the Administrator user role from the Certificate Administrator user role, the export passphrase defined by the certificate administrator is used to protect the private keys in the configuration - transparently to the user.
When a configuration backup is restored by using the gtcfg command, the certificate
administrator must enter the correct passphrase.
NOTE Note 2: When using the ptcfg command on an iSD310-SSL FIPS, private keys
are encrypted using the wrap key that was generated when the first HSM card in the cluster was initialized.
gtcfg
Restores a configuration, including private keys and certificates, from a TFTP server. You need to
provide the password phrase you specified when saving the configuration to the TFTP server.
NOTE Note: If you have fully separated the Administrator user role from the Certificate Administrator user role (by removing the admin user from the certadmin group), the
certificate administrator must enter the passphrase that was defined by him or her using
the /cfg/sys/user/caphrase command.
dump
Display the configuration on-screen for a copy and paste operation.
/ssl/cfg/ssl
SSL Configuration Server Menu
[SSL Menu]
server
test
quick
/ssl/cfg/ssl/server
SSL Configuration Server-specific Menu
[Server 1 Menu]
name
vips
standalone
port
rip
rport
type
proxy
trace
ssl
tcp
adv
del
ena
dis
/ssl/cfg/ssl/server/trace
SSL Configuration Server-specific Trace Menu
[Trace Menu]
ssldump
tcpdump
ping
dnslookup
traceroute
/ssl/cfg/ssl/server/ssl
SSL Configuration Server-specific SSL Menu
[SSL Settings Menu]
cert      - Set server certificate
cachesize - Set SSL cache size
cachettl  - Set SSL cache timeout
cacerts   - Set list of accepted signers of client certificates
cachain   - Set list of CA chain certificates
protocol  - Set protocol version
verify    - Set certificate verification level
ciphers   - Set cipher list
ena       - Enable SSL
dis       - Disable SSL
/ssl/cfg/ssl/server/tcp
SSL Configuration Server-specific TCP Menu
[TCP Settings Menu]
cwrite   - Set client TCP write timeout
ckeep    - Set client TCP keep alive timeout
swrite   - Set server TCP write timeout
sconnect - Set server TCP connect timeout
csendbuf - Set client TCP send buffer size
crecbuf  - Set client TCP receive buffer size
ssendbuf - Set server TCP send buffer size
srecbuf  - Set server TCP receive buffer size
/ssl/cfg/ssl/server/adv
SSL Configuration Server-specific Advanced Menu
[Advanced Settings Menu]
string     - String menu
blockstrin - Set strings to block
loadbalanc - Load balancing menu
sslconnect - SSL connect menu
/ssl/cfg/ssl/server/adv/string
SSL Configuration Server Advanced String Menu
[LB String 1 Menu]
match
location
icase
negate
del
-
/ssl/cfg/ssl/server/adv/loadbalanc
SSL Configuration Server Advanced Load Balancing
Menu
[Load Balancing Settings Menu]
type - Set load balancing type
persistenc - Set persistence strategy
cookie - Cookie settings menu
metric - Set load balancing metric
health - Set health check type
script - Health check script menu
interval - Set health check interval (s)
remotessl - Remote SSL connect menu
backend - Backend servers menu
ena - Enable load balancing
dis - Disable load balancing
Table 11-20 SSL Configuration Server Advanced Load Balancing Menu Options
Command Syntax and Usage
type all|<string>
Set the load balancing type.
persistenc none|cookie|session
Set the persistence strategy.
cookie
Go to the Cookie settings menu. To view the menu options, see page 560. Note that this menu is
accessible only when persistenc is set to cookie.
metric hash|roundrobin|leastconn
Set the load balancing metric.
health none|tcp|ssl|auto|script
Set the health check type.
script
Go to the health check script menu. To view the menu options, see page 562.
interval <integer>
Set the health check interval.
remotessl
Go to the Remote SSL connection menu. To view the menu options, see page 563.
backend
Go to the Backend Servers menu. To view the menu options, see page 565.
ena enable|disable
Enable load balancing.
dis enable|disable
Disable load balancing.
/ssl/cfg/ssl/server/adv/loadbalanc/cookie
SSL Configuration Server Advanced Load Balancing Cookie Menu
[Cookie Settings Menu]
mode - Set cookie mode
name - Set cookie name
domain - Set cookie domain
expires - Set cookie expires
expiresdel - Set cookie expires delta
localvips - Configure other local VIPs
offset - Set cookie value offset
length - Set cookie value length
Table 11-21 SSL Configuration Server Advanced Load Balancing Cookie Menu
Options
Command Syntax and Usage
mode insert | passive | rewrite
Sets the cookie load balancing mode.
name <cookie_name>
Sets the cookie name.
domain <domain_name>
Sets the cookie domain name.
expires <date_time>
Sets the cookie expiration date and time.
expiresdel <0(session)-2147483647>
Sets the cookie expiration delta value.
localvips
Opens the Local VIPs menu. For more information on this menu refer to page 562.
offset <1-64>
Sets the cookie value offset.
length <0-64>
Sets the cookie length.
/ssl/cfg/ssl/server/adv/loadbalanc/cookie/localvips
Local VIP Configuration Menu
[Local VIPs Menu]
list
del
add
insert
move
-
/ssl/cfg/ssl/server/adv/loadbalanc/script
SSL Configuration Server Advanced Load Balancing Health Script Menu
[Health Check Script Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-23 SSL Configuration Server Advanced Load Balancing Health Script
Menu Options
Command Syntax and Usage
list
Display all values.
del <index>
Delete a specific value.
add <command> <timeout> <argument>
Add a new health script.
insert <position> <command> <timeout> <argument>
Insert a new value.
move <value> <value>
Exchange one value for another.
/ssl/cfg/ssl/server/adv/loadbalanc/remotessl
SSL Configuration Server Advanced Load Balancing Remote SSL Menu
[Remote SSL Connect Settings Menu]
protocol - Set protocol version
cert - Set client certificate
ciphers - Set accepted ciphers for ssl connect
verify - Verify server menu
Table 11-24 SSL Configuration Server Advanced Load Balancing Remote SSL
Menu Options
Command Syntax and Usage
protocol aissl2|ssl3|ssl23|tls1
Set the protocol version.
cert <integer, 1 to 1500>
Set the certificate number.
ciphers <string>
Set the accepted ciphers for SSL connection. The cipher list consists of one or more cipher strings
separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical
and operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES
algorithms).
Each cipher string can be optionally preceded by the characters !, - or +:
! permanently deletes the ciphers from the list (e.g. !RSA).
- deletes the ciphers from the list, but the ciphers can be added again by later options.
+ moves the ciphers to the end of the list. This option does not add any new ciphers; it just moves matching existing ones.
Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption
algorithm key length.
verify
Go to the Verify Server menu. To view the menu options, see page 564.
/ssl/cfg/ssl/server/adv/loadbalanc/remotessl/verify
SSL Configuration Server Advanced Load Balancing Remote SSL Verification Menu
[Remote SSL Connect Verify Settings Menu]
verify - Set certificate verification level
commonname - Set server common name
cacerts - Set list of accepted signers of server's certificate
Table 11-25 SSL Configuration Server Advanced Load Balancing Remote SSL
Verification Menu Options
Command Syntax and Usage
verify none|require
Set the certificate verification level.
commonname <name>
Set the server common name. For example:
SSL >> Remote SSL Connect Verify Settings# commonname
Current value: [old_server_name]
Give common name of server: <new_server_name>
cacerts <integer_list>
Enter the certificate numbers, separated by commas.
/ssl/cfg/ssl/server/adv/loadbalanc/backend
SSL Configuration Server Advanced Load Balancing Backend Server Menu
[Backend Server 1 Menu]
ip - Set IP addr of backend server
port - Set backend server port
sslconnect - Set perform SSL connect if enabled for server
remote - Set server is remote
rname - Set host name of remote server
remotessl - Set remote site is ssl
lbstrings - Set load balancing strings
lbop - Set string load balancing operation
del - Remove backend server
ena - Enable backend server
dis - Disable backend server
/ssl/cfg/cert
SSL Configuration Certificate Menu
[Certificate 1 Menu]
name - Set certificate name
cert - Set certificate
key - Set private key
revoke - Revocation menu
genkey - Generate private key
gensigned - Generate signed client/server certificate
request - Generate certificate request
sign - Sign a certificate request
test - Generate test certificate and key
import - Import key and certificate with TFTP/FTP/SCP/SFTP
export - Export certificate and key with TFTP/FTP/SCP/SFTP
display - Display certificate and key
show - Show certificate information
info - Show certificate short information
subject - Show certificate subject information
validate - Check if key and certificate match
keysize - Show key size
keyinfo - Show how key is stored
del - Remove certificate
=
=
=
=
=
=
=
CA
Ontario
Ottawa
NoTel
Maint
NoTel-12
maint@notel.ca
/ssl/cfg/cert/revoke
SSL Configuration Revoke Certificate Menu
[Revocation Menu]
add
addx
del
list
rev
import
automatic -
/ssl/cfg/cert/revoke/automatic
SSL Configuration Revoke Certificate Automatic Menu
[Automatic CRL Menu]
url - Set URL to retrieve CRL from
authDN - Set LDAP DN used for bind/authentication
passwd - Set password to use when to authenticate
interval - Set refresh interval
cacerts - Set list of accepted signers of CRLs
ena - Enable automatic retrieval
dis - Disable automatic retrieval
/ssl/cfg/vpn
SSL VPN Configuration Menu
[VPN 1 Menu]
ips
standalone
aaa
server
ipsec
ippool
portal
linkset
sslclient
adv
del
/ssl/cfg/vpn/aaa
SSL VPN Configuration Menu
[AAA Menu]
quick
tg
ttl
auth
authorder
network
service
appspec
filter
group
defgroup
ssodomains
ssoheaders
radacct
/ssl/cfg/vpn/aaa/tg
SSL VPN Configuration TunnelGuard Menu
[TG Menu]
ena - Enable TunnelGuard
dis - Disable TunnelGuard
quick - Quick TunnelGuard setup wizard
recheck - Set recheck interval
action - Set fail action
retry - Set UDP retry interval
list - List SRS rules
loglevel - Set TunnelGuard applet loglevel
/ssl/cfg/vpn/aaa/auth
SSL VPN Configuration Authentication Menu
To enter the /ssl/cfg/vpn/aaa/auth menu level, you are prompted to create an authentication if
one does not already exist.
Creating Authentication 1
Select one of radius, ldap, ntlm, siteminder, cert, rsa or local:
radius
Auth name: Authentication_1
Entering: RADIUS settings menu
Entering: RADIUS servers menu
IP Address to add: 0.0.0.0
Port (default is 1812): 1812
Enter shared secret: shared
Leaving: RADIUS servers menu
Enter vendor id [alteon]: alteon
Enter vendor type [1]: 1
Leaving: RADIUS settings menu
------------------------------------------------------------
[Authentication 1 Menu]
type - Set authentication mechanism
name - Set auth name
display - Set auth display name
domain - Set windows domain for backend single sign-on
radius - RADIUS settings menu
adv - Advanced settings menu
del - Remove Authentication
/ssl/cfg/vpn/aaa/auth/radius
SSL VPN Configuration Authentication Radius Menu
To enter the /ssl/cfg/vpn/aaa/auth/radius menu level, the authentication type must be set to
radius. For example, /ssl/vpn/aaa/auth/type radius.
[RADIUS Menu]
servers
vendorid
vendortype
timeout
sessiontim
macro
Table 11-34 SSL VPN Configuration AAA Authentication Radius Menu Options
Command Syntax and Usage
servers
Go to the Radius servers menu. To view the menu options, see page 580.
vendorid <string>
Set the switch vendor ID.
vendortype <vendortype>
Set the vendor type.
timeout <integer, 1 to 1000 seconds>
Set the Radius server timeout.
sessiontim
Go to the Sessiontim menu. To view the menu options, see page 580.
macro
Go to the Macro menu. To view the menu options, see page 581.
/ssl/cfg/vpn/aaa/auth/radius/servers
SSL VPN Configuration Authentication Radius Servers
Menu
[RADIUS Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-35 SSL VPN Configuration AAA Authentication Radius Menu Options
Command Syntax and Usage
list
List all values (servers).
del <index_number>
Delete a server value by name.
add <ip> <port, default=1812> <secret>
Add a new value (server).
insert <position> <ip> <port> <secret>
Insert a value into the list.
move <value> <value>
Move a value position in the list.
/ssl/cfg/vpn/aaa/auth/radius/sessiontm
SSL VPN Configuration Authentication Radius Session Timeout Menu
[SessionTimeout Menu]
vendorid - Set vendor id for session timeout attribute
vendortype - Set vendor type for session timeout attribute
ena - Enable Session-Timeout
dis - Disable Session-Timeout
Table 11-36 SSL VPN Configuration AAA Authentication Radius Session Timeout
Menu Options
Command Syntax and Usage
vendorid <vendorid>
Set the vendor ID number.
vendortype <value>
Set the Vendor Type number.
ena enable|disable
Enable session timeout.
dis enable|disable
Disable session timeout.
/ssl/cfg/vpn/aaa/auth/radius/macro
SSL VPN Configuration Authentication Radius Macro
Menu
[Macro Menu]
list
del
add
insert
move
Table 11-37 SSL VPN Configuration AAA Authentication Radius Macro Menu
Options
Command Syntax and Usage
list
List all values.
del <value>
Delete a value using its number.
add <vendorid> <vendortype> <attribute_type (IP, <string> <integer>)>
Add a value.
insert <index_position> <vendorid> <vendortype>
<attribute_type_string>
Insert a value.
move <value> <value>
Move a value's position in the list.
/ssl/cfg/vpn/aaa/auth/adv
SSL VPN Configuration Authentication Advanced Menu
[Advanced Menu]
groupauth - Set Authentication server list of group information
secondauth - Set Secondary authentication server
/ssl/cfg/vpn/aaa/network
SSL VPN Configuration Network Menu
To enter the /ssl/cfg/vpn/aaa/network menu level, you are prompted to create a network if one
does not already exist.
SSL >> AAA# network
Enter network number or name: (1-1023) 1
Creating Network 1
Network name: Network_1
------------------------------------------------------------
[Network 1 Menu]
name - Set network name
subnet - Subnet menu
comment - Set comment
del - Remove network
/ssl/cfg/vpn/aaa/network/subnet
SSL VPN Configuration Network Subnet Menu
To enter the /ssl/cfg/vpn/aaa/network/subnet menu level, you are prompted to create a subnet if
one does not already exist.
SSL >> Network 1# sub
Enter subnet number: (1-1023) 1
Creating Network Subnet 1
Enter host name: Subnet_1
Enter network address: 0.0.0.0
Enter network netmask: netmask
------------------------------------------------------------
[Network Subnet 1 Menu]
host - Set Host Name
net - Set network address
mask - Set network mask
del - Remove subnet
Table 11-40 SSL VPN Configuration AAA Network Subnet Menu Options
Command Syntax and Usage
host <hostname>
Set the hostname for the subnet.
net <IP_address>
Set the subnet address.
mask <IP_address>
Set the Network mask.
del
Remove the Subnet.
/ssl/cfg/vpn/aaa/service
SSL VPN Configuration Service Menu
To enter the /ssl/cfg/vpn/aaa/service menu level, you are prompted to create a service if one
does not already exist.
SSL >> AAA# service
Enter service number or name: (1-1023) 1
Creating Service 1
Service name: Service_1
Enter service protocol (list of tcp,udp): tcp
Enter service ports: 1,2,3
------------------------------------------------------------
[Service 1 Menu]
name - Set service name
protocol - Set allowed protocols
ports - Set allowed port
comment - Set comment
del - Remove Service
/ssl/cfg/vpn/aaa/appspec
SSL VPN Configuration Application specific Menu
To enter the /ssl/cfg/vpn/aaa/appspec menu level, you are prompted to create a network if one
does not already exist.
SSL >> AAA# appspec
Enter appspec number or name: (1-1023) 1
Creating AppSpecific 1
AppSpec name: AppSpec_1
Entering: Paths menu
Path format:
The paths are formated differently for different applications.
For smb you write the path as /<WORKGROUP>/<FILESHARE>/<FILE PATH>,
for example
/NORTEL/homes/public
This will give access to the public directory in the homes share
in the NORTEL workgroup/domain.
For ftp you write the path as <ABSOLUTE FILE PATH>, for example
/home/share/public/
This will give access to the /home/share/public. Note that all paths
are absolute from the root.
For web servers you write the path <SERVER PATH>, for example
/intranet
This will give access to the /intranet path on the web server.
Enter path: /path
Leaving: Paths menu.
---------------------------------------------
[AppSpecific 1 Menu]
name - Set appspec name
paths - Paths menu
comment - Set comment
del - Remove AppSpec
Table 11-42 SSL VPN Configuration AAA Application specific Menu Options
Command Syntax and Usage
name <appsec_name>
Create an application name.
paths
Go to the Paths menu. To view the menu options, see page 571.
comment <string>
Create a description (comment) about the Application.
del
Delete the application.
/ssl/cfg/vpn/aaa/appspec/paths
SSL VPN Configuration Application specific Paths Menu
[Paths Menu]
list
del
add
insert
move
Table 11-43 SSL VPN Configuration AAA Application specific Paths Menu
Options
Command Syntax and Usage
list
List all paths.
del <path_value>
Delete a path by its number.
add
Add a new path. For example:
SSL >> Paths# list
Old:
Pending:
1: /info
SSL >> Paths# add
Path format:
The paths are formated differently for different applications.
For smb you write the path as /<WORKGROUP>/<FILESHARE>/<FILE PATH>,
for example
/NORTEL/homes/public
This will give access to the public directory in the homes share
in the NORTEL workgroup/domain.
For ftp you write the path as <ABSOLUTE FILE PATH>, for example
/home/share/public/
This will give access to the /home/share/public. Note that all paths
are absolute from the root.
For web servers you write the path <SERVER PATH>, for example
/intranet
This will give access to the /intranet path on the web server.
Enter path: /home/storage
insert <index>
Insert a path into the path list.
del
Delete the path.
/ssl/cfg/vpn/aaa/filter
SSL VPN Configuration AAA Filter Menu
To enter the /ssl/cfg/vpn/aaa/filter menu level, you are prompted to create a service if one does
not already exist.
SSL >> AAA# filter
Enter client filter number or name: (1-63) 1
Creating Client Filter 1
Filter name: Filter_1
------------------------------------------------------------
[Client Filter 1 Menu]
name - Set filter name
cert - Client certificate present
iewiper - IE cache wiper present
tg - TunnelGuard checks passed
methods - Set access methods
authserver - Set authentication servers
clientnet - Set client network reference
comment - Set comment
del - Remove client filter
/ssl/cfg/vpn/aaa/group
SSL VPN Configuration AAA Group Menu
To enter the /ssl/cfg/vpn/aaa/group menu level, you are prompted to create a service if one
does not already exist.
SSL >> AAA# group
Enter group number or name: (1-1023) 1
Creating Group 1
Group name: Group_1
Enter number of sessions (0 is unlimited): 0
Enter user type (advanced/medium/novice): novice
------------------------------------------------------------
[Group 1 Menu]
name - Set group name
access - Access rule menu
print - Print access rules
restrict - Set number of login sessions
usertype - Set portal user type
linkset - Linkset menu
extend - Extended profiles menu
tgsrs - Set TunnelGuard SRS Rule
ipsec - IPsec menu
comment - Set comment
del - Remove group
Proto Path
----- ----
Action
------
restrict <integer>
Restrict the number of login sessions. The default is 0 (unlimited)
usertype advanced|medium|novice
Set the user level.
linkset
Go to the Linkset menu. To view the menu options, see page 592.
extend
Go to the Extended Profiles menu. To view the menu options, see page 593.
tgsrs <string>
Set the TunnelGuard SRS rule.
ipsec
Go to the IPSEC menu. To view the menu options, see page 595.
comment
Create a description (comment) of the Group.
del
Delete the group.
/ssl/cfg/vpn/aaa/group/access
SSL VPN Configuration AAA Group Access Menu
To enter the /ssl/cfg/vpn/aaa/group/access menu level, you are prompted to create a service if
one does not already exist.
SSL >> Group 1# access
Enter access rule number: (1-1023) 1
Creating Access rule 1
Enter network name: Network_1
Enter service name: Service_1
Enter application specific name: Application_1
Enter action (accept/reject): accept
------------------------------------------------------------
[Access rule 1 Menu]
network - Set network reference
service - Set service reference
appspec - Set application specific reference
action - Set action
comment - Set access rule comment
del - Remove access rule
Table 11-46 SSL VPN Configuration AAA Group Access Menu Options
Command Syntax and Usage
network <network_name>
Enter the network name reference.
service <service_name>
Set the Service name reference.
appspec <application_name>
Set the application specific name reference.
action accept|reject
Accept or reject the creation of this Access rule.
comment
Create a description (comment) of this Access rule.
del
Delete the Access rule.
/ssl/cfg/vpn/aaa/group/linkset
SSL VPN Configuration AAA Group Linkset Menu
[Linksets Menu]
list
del
add
insert
move
Table 11-47 SSL VPN Configuration AAA Group Linkset Menu Options
Command Syntax and Usage
list
List all of the configured linksets.
add <linkset_name>
Add a linkset name.
insert <position> <name>
Insert a linkset into the linkset list.
move <value> <value>
Move the linkset from one position to another in the linkset list.
/ssl/cfg/vpn/aaa/group/extend
SSL VPN Configuration AAA Group Extend Profiles
Menu
To enter the /ssl/cfg/vpn/aaa/group/extend menu level, you are prompted to create an extended
service profile if one does not already exist.
SSL >> Group 1# extend
Enter profile number or name (1-63): 1
Creating Extended Profile 1
Enter client filter name: Filter_1
Enter user type (advanced/medium/novice): novice
------------------------------------------------------------
[Extended Profile 1 Menu]
filter - Set client filter reference
access - Access rule menu
print - Print access rules
usertype - Set portal user type
linkset - Linkset menu
del - Remove profile
Table 11-48 SSL VPN Configuration AAA Group Extend Profiles Menu Options
Command Syntax and Usage
filter <client_filter_name>
Set the client filter name reference.
access
Go to the Access Rule menu. To view the menu options, see page 594.
print
Display the extended profile information.
usertype advanced|medium|novice
Set the portal user level.
linkset
Go to the Linkset menu. To view the menu options, see page 595.
del
Delete the Extended Profile.
/ssl/cfg/vpn/aaa/group/extend/access
SSL VPN Configuration AAA Group Extend Profiles
Access Menu
[Access rule 1 Menu]
network - Set network reference
service - Set service reference
appspec - Set application specific reference
action - Set action
comment - Set access rule comment
del - Remove access rule
Table 11-49 SSL VPN Configuration AAA Group Extend Profiles Access Menu
Options
Command Syntax and Usage
network <network_name>
Set the network name reference.
service <service_name>
Set the Service name reference.
appspec <application_name>
Set the Application name reference.
action accept|reject
Accept or reject the Access rule change.
comment
Create a description (comment) of the Access rule.
del
Delete the Extended Profile Access rule.
/ssl/cfg/vpn/aaa/group/extend/linkset
SSL VPN Configuration AAA Group Extend Profiles Linkset Menu
[Linksets Menu]
list
del
add
insert
move
Table 11-50 SSL VPN Configuration AAA Group Extend Profiles Linkset Menu
Options
Command Syntax and Usage
list
List all of the configured Extended Profile linksets.
del <extended_profile_linkset_name>
Delete the Extended Profile Linkset.
add <extended_profile_linkset_name>
Add an Extended Profile linkset name.
insert <position> <name>
Insert an Extended Profile linkset into the linkset list.
move <value> <value>
Move the Extended Profile linkset from one position to another in the linkset list.
/ssl/cfg/vpn/aaa/group/ipsec
SSL VPN Configuration AAA Group IPsec Menu
[IPsec Menu]
secret
utunnel
Table 11-51 SSL VPN Configuration AAA Group IPsec Menu Options
Command Syntax and Usage
secret <string>
Set the group Secret value.
utunnel <string>
Set the user tunnel profile name.
/ssl/cfg/vpn/aaa/ssodomains
SSL VPN Configuration AAA Single-sign on Enabled
Domains Menu
[SSO Domain menu Menu]
list - List all values
del - Delete a value by number
add - Add a new value
Table 11-52 SSL VPN Configuration AAA Single-sign on enabled Domains Menu
Options
Command Syntax and Usage
list
List all of the SSO domains.
del <index>
Delete an SSO domain.
add <domain_name> <mode, normal|add_domain>
Add an SSO domain.
/ssl/cfg/vpn/aaa/ssoheaders
SSL VPN Configuration AAA Single-sign on Headers
Menu
[SSO headers menu Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-53 SSL VPN Configuration AAA Single-sign on Headers Menu Options
Command Syntax and Usage
list
List all of the configured SSO Headers.
del <SSO Headers_name>
Delete the SSO Header.
add <domain> <header_pattern>
Add an SSO Header.
insert <position> <domain> <header_name>
Insert a SSO Header into the headers list.
move <value> <value>
Move the SSO Headers from one position to another in the SSO Headers list.
/ssl/cfg/vpn/aaa/radacct
SSL VPN Configuration AAA Radius Accounting Menu
[RADIUS Accounting Menu]
servers - RADIUS accounting servers menu
vpnattribu - VPN attribute menu
ena - Enable RADIUS accounting
dis - Disable RADIUS accounting
Table 11-54 SSL VPN Configuration AAA Radius Accounting Menu Options
Command Syntax and Usage
servers
Go to the Radius servers menu. To view the menu options, see page 599.
vpnattribu
Go to the VPN attribute menu. To view the menu options, see page 601.
ena enable|disable
Enable AAA radius accounting.
dis enable|disable
Disable AAA radius accounting.
ssl/cfg/vpn/aaa/radacct/servers
SSL VPN Configuration AAA Radius Accounting Servers
Menu
[RADIUS Accounting Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-55 SSL VPN Configuration AAA Radius Accounting Menu Options
Command Syntax and Usage
list
List all of the configured Radius Accounting servers.
del <Radius_Accounting_server_name>
Delete the SSO Header.
add <ip_address> <port> <secret>
Add a Radius Account.
insert <position> <ip_address> <port> <secret>
Insert a Radius account into the account list.
move <value> <value>
Move the Radius account from one position to another in the account list.
ssl/cfg/vpn/aaa/radacct/vpnattribu
SSL VPN Configuration AAA Radius Accounting VPN
attributes Menu
[VPN Attribute Menu]
vendorid - Set vendor id for the VPN attribute
vendortype - Set vendor type for the VPN attribute
Table 11-56 SSL VPN Configuration AAA Radius Accounting VPN attributes
Menu Options
Command Syntax and Usage
vendorid <vendorID>
Set the vendor name.
vendortype <integer>
Set the vendor type.
/ssl/cfg/vpn/server
SSL VPN Configuration Server Menu
[Server Menu]
port
dnsname
trace
ssl
tcp
http
proxymap
portal
adv
ena
dis
/ssl/cfg/vpn/server/trace
SSL VPN Configuration Server Traffic Trace Menu
[Trace Menu]
ssldump
tcpdump
ping
dnslookup
traceroute
Table 11-58 SSL VPN Configuration Server Traffic Trace Menu Options
Command Syntax and Usage
ssldump
Create an SSL traffic dump. See the tcpdump documentation for a description of the patterns that
are allowed (http://www.tcpdump.org/tcpdump_man.html).
standalone on|off
Create a TCP traffic dump. See the tcpdump documentation for a description of the patterns that are
allowed (http://www.tcpdump.org/tcpdump_man.html).
traceroute - traceroute through backend interface
ping <hostname>
Ping through the backend interface.
dnslookup <hostname>
Lookup a name in DNS through the backend interface.
traceroute
Traceroute through backend interface. Use this command to identify the route used for station-to-station connectivity across the network.
/ssl/cfg/vpn/server/ssl
SSL VPN Configuration Server SSL Settings Menu
[SSL Settings Menu]
cert - Set server certificate
cachesize - Set SSL cache size
cachettl - Set SSL cache timeout
cacerts - Set list of accepted signers of client certificates
cachain - Set list of CA chain certificates
protocol - Set protocol version
ciphers - Set cipher list
verify - Set certificate verification level
ena - Enable SSL
dis - Disable SSL
Table 11-59 SSL VPN Configuration Server SSL Settings Menu Options
Command Syntax and Usage
cert <certificate_number, 1 to 1500>
Set the IP address of the VPN.
cachesize <integer, 0 to 10000>
Set the SSL cache size (kBytes).
cachettl <integer>
Set the SSL cache timeout (in minutes).
cacerts <certificate_numbers>
Set the list of accepted signers of client certificates. If more than one, use a comma to separate the
entries.
cachain <certificate_numbers>
Set the list of CA chain certificates. If more than one, use a comma to separate the entries.
protocol ssl2|ssl3|ssl23|tls1
Set the protocol version.
ciphers
Set the cipher list. The cipher list consists of one or more cipher strings separated by colons (e.g.
SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g.
SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms).
Each cipher string can be optionally preceded by the characters !, - or +:
! permanently deletes the ciphers from the list (e.g. !RSA).
- deletes the ciphers from the list, but the ciphers can be added again by later options.
+ moves the ciphers to the end of the list. This option does not add any new ciphers.
Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption
algorithm key length.
verify none|optional
Set the certificate verification level.
ena enable|disable
Enable SSL.
dis enable|disable
Disable SSL.
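The cipher-list rules given for the ciphers option (here and under the remotessl and rewrite menus) can be traced with a small model. The Python below is an added example, not Nortel code: it applies the !, -, + prefix, + combination and @STRENGTH rules to a constructed suite table whose names, tags and key lengths are assumptions for illustration, and shows that @STRENGTH only reorders the list, so a string starting with ALL still has to delete weak suites explicitly.

```python
"""Model of the cipher-list syntax described for the `ciphers` option.

SUITES is a constructed sample table (assumption), not the switch's
real suite inventory; the tags are simplified for illustration.
"""
from typing import List, NamedTuple, Set


class Suite(NamedTuple):
    name: str
    tags: frozenset
    bits: int  # encryption algorithm key length


def _s(name: str, bits: int, *tags: str) -> Suite:
    return Suite(name, frozenset(tags), bits)


# Constructed table, in the order the keyword ALL yields the suites.
SUITES = [
    _s("RC4-MD5", 128, "RSA", "RC4", "MD5", "SSLv3"),
    _s("RC4-SHA", 128, "RSA", "RC4", "SHA1", "SSLv3"),
    _s("DES-CBC-SHA", 56, "RSA", "DES", "SHA1", "SSLv3"),
    _s("DES-CBC3-SHA", 168, "RSA", "3DES", "SHA1", "SSLv3"),
    _s("EXP-RC2-CBC-MD5", 40, "RSA", "RC2", "MD5", "SSLv3", "EXPORT"),
    _s("EDH-RSA-DES-CBC3-SHA", 168, "EDH", "RSA", "3DES", "SHA1", "SSLv3"),
    _s("AES128-SHA", 128, "RSA", "AES", "SHA1", "TLSv1"),
    _s("AES256-SHA", 256, "RSA", "AES", "SHA1", "TLSv1"),
]


def evaluate(cipher_list: str, suites=SUITES) -> List[str]:
    """Return the ordered suite names a cipher list selects."""
    bits = {s.name: s.bits for s in suites}
    active: List[str] = []   # current list, in preference order
    killed: Set[str] = set()  # suites removed with "!", never re-added
    for token in cipher_list.split(":"):
        token = token.strip()
        if not token:
            continue
        if token == "@STRENGTH":
            # Stable sort: longest key first, ties keep their order.
            active.sort(key=lambda n: -bits[n])
            continue
        op = token[0] if token[0] in "!-+" else ""
        # "A+B" means suites carrying both A and B; ALL matches any.
        wanted = set(token[len(op):].split("+")) - {"ALL"}
        hits = [s.name for s in suites
                if s.name not in killed
                and (wanted <= s.tags or wanted == {s.name})]
        if op == "!":
            killed.update(hits)
        if op in ("!", "-"):
            active = [n for n in active if n not in hits]
        elif op == "+":
            # Move only suites already in the list; add nothing new.
            moved = [n for n in active if n in hits]
            active = [n for n in active if n not in hits] + moved
        else:
            active += [n for n in hits if n not in active]
    return active


def weak(names: List[str], min_bits: int = 128, suites=SUITES) -> List[str]:
    """Selected suites whose key length is below min_bits."""
    bits = {s.name: s.bits for s in suites}
    return [n for n in names if bits[n] < min_bits]


if __name__ == "__main__":
    for spec in ("ALL:-RC2:SHA1:@STRENGTH",   # string shown under rewrite
                 "ALL:!RC4:RC4",              # "!" is permanent
                 "ALL:-RC4:RC4",              # "-" can be undone later
                 "AES:+RC4",                  # "+" adds nothing new
                 "ALL:!EXPORT:!DES:!RC2:!MD5:@STRENGTH"):
        chosen = evaluate(spec)
        print(f"{spec}\n  -> {chosen}\n  under 128 bits: {weak(chosen)}")
```
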
/ssl/cfg/vpn/server/tcp
SSL VPN Configuration Server TCP endpoint Settings
Menu
[TCP Settings Menu]
cwrite
- Set
ckeep
- Set
skeep
- Set
swrite
- Set
sconnect
- Set
csendbuf
- Set
crecbuf
- Set
ssendbuf
- Set
srecbuf
- Set
Table 11-60 SSL VPN Configuration Server TCP endpoint settings Menu Options
Command Syntax and Usage
ips <integer, 1 to 2147483647s>
Set client TCP write timeout, in seconds.
crecbuf - Set client TCP receive buffer size
ssendbuf - Set server TCP send buffer size
srecbuf - Set server TCP receive buffer size
ckeep <integer, 1 to 2147483647s>
Set client TCP keep alive timeout.
skeep <integer, 1 to 2147483647s>
Set the SOCKS client TCP keep alive heartbeat timeout.
swrite <integer, 1 to 2147483647s>
Set the server TCP write timeout.
sconnect <integer, 1 to 2147483647s>
Set the server TCP connect timeout.
csendbuf auto|<integer, 2000 to 100000>
Set the client TCP send buffer size (Bytes).
crecbuf auto|<integer, 2000 to 100000>
Set the client TCP receive buffer size (Bytes).
ssendbuf auto|<integer, 2000 to 100000>
Set the server TCP send buffer size (Bytes).
srecbuf auto|<integer, 2000 to 100000>
Set server TCP receive buffer size (Bytes).
/ssl/cfg/vpn/server/http
SSL VPN Configuration Server HTTP Settings Menu
[HTTP Settings Menu]
downstatus - Set server down reply status
rewrite - SSL triggered rewrite menu
securecook - Set add secure option to session cookie
sslheader - Add SSL header
sslxheader - Add SSL header with serial in hex
sslsidhead - Add SSL SID header
addxfor - Add X-Forwarded-For header
addvia - Add Via header
addxisd - Add HTTP-X-ISD debug header
addclicert - Add Client-Cert as a HTTP header
addnostore - Add no-cache/no-store HTTP header
allowimage - Allow image caching
allowdoc - Allow document caching
allowscrip - Set allow script caching
allowica - Allow ICA file caching
cmsie - Set MSIE session termination bug workaround
maxrcount - Set max number of persistant client requests
maxline - Set max line length
Table 11-61 SSL VPN Configuration Server HTTP settings Menu Options
Command Syntax and Usage
downstatus unavailable|redirect|reset
Set the server down reply status.
rewrite on|off
Go to the SSL triggered Rewrite menu. To view the menu options, see page 607.
securecook on|off
Set the add secure option for the session cookie.
sslheader on|off
Add an SSL session ID header.
sslxheader on|off
Add an SSL header with serial number in hexadecimal.
sslsidhead on|off
Add an SSL SID header.
addxfor on|off|anonymous|remove
Add X-Forwarded-For header.
addvia on|off|anonymous|remove
Set VIA header.
addxisd on|off
Set HTTP-X-ISD debug header.
addclicert on|off
Set Client-Cert as a HTTP header.
addnostore on|off
Set no-cache/no-store HTTP header.
allowimage on|off
Set image caching.
allowdoc on|off
Set document caching.
allowscrip on|off
Set allow script caching.
allowica on|off
Set ICA file caching.
cmsie on|off
Set MSIE session termination bug workaround.
maxrcount <integer>
Set max number of persistent client requests.
maxline <integer>
Set the maximum line length.
/ssl/cfg/vpn/server/http/rewrite
SSL VPN Configuration Server SSL triggered rewrite
Menu
[Rewrite Menu]
rewrite
ciphers
response
URI
Set
Set
Set
Set
Table 11-62 SSL VPN Configuration Server SSL triggered rewrite Menu Options
Command Syntax and Usage
rewrite on|off
Set SSL triggered rewrite. For step-up certificates we recommend ALL:-RC2:SHA1:@STRENGTH
ciphers <string>
Set the accepted ciphers. The cipher list consists of one or more cipher strings separated by colons
(e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g.
SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms).
Each cipher string can be optionally preceded by the characters !, - or +:
! permanently deletes the ciphers from the list (e.g. !RSA).
- deletes the ciphers from the list, but the ciphers can be added again by later options.
+ moves the ciphers to the end of the list. This option doesn't add any new ciphers it just moves
/ssl/cfg/vpn/server/proxymap
SSL VPN Configuration Server Intranet Proxy settings Menu
The PROXY menu is not available for type portal and socks servers.
[Proxy Mapping Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-63 SSL VPN Configuration Server Intranet Proxy settings Menu Options
Command Syntax and Usage
list
List all of the server Intranet Proxy settings.
del <Proxy_server_name>
Delete the Intranet Proxy server.
add <ip_address> <port>
Add an Intranet Proxy server.
insert <position> <ip_address> <port>
Insert an Intranet Proxy server into the Proxy server list.
move <value> <value>
Move the Intranet Proxy server from one position to another in the server list.
/ssl/cfg/vpn/server/portal
SSL VPN Configuration Server Portal settings Menu
[Portal Settings Menu]
resetcooki - Set Re-Set session cookie in each request
domain - Set cookie domain
persistent - Set use persistent session cookies
Table 11-64 SSL VPN Configuration Server Portal settings Menu Options
Command Syntax and Usage
resetcooki on|off
Set the Reset session cookie in each request.
domain <domain_name>
Set the cookie domain name for the portal.
persistent on|off
Set the use of persistent session cookies.
/ssl/cfg/vpn/server/adv
SSL VPN Configuration Server Advanced Menu
[Advanced Settings Menu]
traflog - UDP syslog Traffic Log menu
sslconnect - SSL connect menu
/ssl/cfg/vpn/server/adv/traflog
SSL VPN Configuration Server UDP Syslog Traffic Log Menu
[Traffic Log Settings Menu]
sysloghost - Set syslog host IP
udpport - Set syslog portnumber
priority - Set syslog priority
facility - Set syslog facility
ena - Enable traffic UDP syslog logging
dis - Disable traffic UDP syslog logging
Table 11-66 SSL VPN Configuration Server UDP Syslog Traffic Log Menu Options
Command Syntax and Usage
sysloghost <IP_address>
Set the IP address of the VPN.
udpport <UDP_port_number>
Set the standalone mode.
priority <syslog_name>
Set the syslog priority.
facility <string>
Set the syslog facility.
ena enable|disable
Enable traffic UDP syslog messaging.
dis
Disable traffic UDP syslog messaging.
/ssl/cfg/vpn/server/adv/sslconnect
SSL VPN Configuration Server SSL Connect Menu
[SSL Connect Settings Menu]
protocol - Set protocol version
cert - Set client certificate
ciphers - Set accepted ciphers for ssl connect
verify - Verify server menu
Table 11-67 SSL VPN Configuration Server UDP Syslog Traffic Log Menu Options
Command Syntax and Usage
protocol ssl2|ssl3|ssl23|tls1
Set the Protocol version.
cert <certificate_number, 1 to 1500>
Set the client certificate.
ciphers
Set the accepted ciphers for SSL connection. The cipher list consists of one or more cipher strings
separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical
and operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES
algorithms).
Each cipher string can be optionally preceded by the characters !, - or +.
! permanently deletes the ciphers from the list (e.g. !RSA).
- deletes the ciphers from the list, but the ciphers can be added again by later options.
+ moves the ciphers to the end of the list.
Additionally the cipher string @STRENGTH sorts the current cipher list in order of encryption
algorithm key length.
verify
Go to the Verify server menu. To view the menu options, see page 612.
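The cipher-list syntax described for both ciphers commands (the SSL triggered rewrite menu and the SSL connect menu), as an added example that is not code from this manual or from the switch: a simplified Python model of the !, -, + and @STRENGTH rules run over a constructed suite table, with a check that lists the weak suites a given string leaves enabled. The suite table, WEAK_TAGS, expand and weak_entries are assumptions made for this illustration.

```python
import re
from typing import NamedTuple


class Suite(NamedTuple):
    name: str
    tags: frozenset  # aliases the suite answers to (protocol, key exchange, cipher, MAC)
    bits: int        # nominal encryption key length, used by @STRENGTH


# Constructed sample table in an assumed default order (not the switch's real suite list).
SUITES = [
    Suite("AES256-SHA", frozenset({"SSLv3", "RSA", "AES", "SHA1"}), 256),
    Suite("AES128-SHA", frozenset({"SSLv3", "RSA", "AES", "SHA1"}), 128),
    Suite("DES-CBC3-SHA", frozenset({"SSLv3", "RSA", "3DES", "SHA1"}), 168),
    Suite("RC4-MD5", frozenset({"SSLv3", "RSA", "RC4", "MD5"}), 128),
    Suite("DES-CBC-SHA", frozenset({"SSLv3", "RSA", "DES", "SHA1"}), 56),
    Suite("RC2-CBC-MD5", frozenset({"SSLv2", "RSA", "RC2", "MD5"}), 128),
    Suite("EXP-RC4-MD5", frozenset({"SSLv3", "RSA", "RC4", "MD5", "EXPORT"}), 40),
]

# Audit criteria chosen for this example: algorithms and protocols treated as weak.
WEAK_TAGS = {"EXPORT", "DES", "3DES", "RC2", "RC4", "MD5", "SSLv2"}


def _matches(suite, term):
    """A term is ALL, an exact suite name, or aliases joined by '+' (logical AND)."""
    if term == "ALL" or term == suite.name:
        return True
    return all(tag in suite.tags for tag in term.split("+"))


def expand(cipher_list, suites=SUITES):
    """Return the ordered suite names that a cipher list selects."""
    by_name = {s.name: s for s in suites}
    active, killed = [], set()
    for item in filter(None, re.split(r"[:, ]+", cipher_list.strip())):
        if item == "@STRENGTH":
            # Stable sort: longest key first, ties keep their current order.
            active.sort(key=lambda n: -by_name[n].bits)
            continue
        op = item[0] if item[0] in "!-+" else ""
        term = item[1:] if op else item
        matched = [s.name for s in suites if _matches(s, term)]
        if op == "!":    # permanent delete: a later string cannot add these back
            killed.update(matched)
            active = [n for n in active if n not in matched]
        elif op == "-":  # delete, but a later string may add them again
            active = [n for n in active if n not in matched]
        elif op == "+":  # move already-selected suites to the end, add nothing
            moved = [n for n in active if n in matched]
            active = [n for n in active if n not in matched] + moved
        else:            # plain string: append matching suites not yet selected
            active += [n for n in matched if n not in killed and n not in active]
    return active


def weak_entries(cipher_list, suites=SUITES):
    """Suites the list still enables that are short-keyed or use a weak algorithm."""
    by_name = {s.name: s for s in suites}
    return [n for n in expand(cipher_list, suites)
            if by_name[n].bits < 128 or by_name[n].tags & WEAK_TAGS]


if __name__ == "__main__":
    for s in ("ALL:-RC2:SHA1:@STRENGTH",
              "ALL:!EXPORT:!DES:!3DES:!RC2:!RC4:!MD5:@STRENGTH"):
        print(s, "->", expand(s), "| weak:", weak_entries(s))
```

Because - is not permanent, a later plain string can silently re-enable what it removed; use ! for anything that must never be negotiated.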
/ssl/cfg/vpn/server/adv/sslconnect/verify
SSL VPN Configuration Server SSL Connect verify Server Menu
[SSL Connect Verify Settings Menu]
verify - Set certificate verification level
commonname - Set server common name
cacerts - Set list of accepted signers server's certificate
Table 11-68 SSL VPN Configuration Server SSL Connect Verify Server Menu Options
Command Syntax and Usage
verify none|verify
Set the Certificate Verification level.
commonname <string>
Set the server common name.
cacerts <certificate_numbers>
Set the list of accepted signers for each server certificate. If more than one, use a comma to separate each entry.
/ssl/cfg/vpn/ipsec
SSL VPN Configuration IPsec Server Menu
[IPsec Menu]
ena - Enable IPsec
dis - Disable IPsec
quick - Quick IPsec setup wizard
ikeprof - IKE profile
utunprof - User tunnel profile
cacerts - Set list of accepted signers of clients certificate
cert - Set server certificate
/ssl/cfg/vpn/ipsec/ikeprof
SSL VPN Configuration IPsec Server IKE Profile Menu
[IKE Profile 1 Menu]
name - Set IKE profile name
del - Remove IKE Profile
enc - Encryption mask menu
dh - Diffie-Hellman group mask menu
pfs - Enable Perfect Forward Secrecy
initcontac - Accept ISAKMP initial contact payload
rekeytime - Set rekey time limit
rekeytraf - Set rekey traffic limit
retransmit - Set ISAKMP retransmit interval
maxretrans - Set ISAKMP max attempts retransmits
replaywins - Set replay window size
nat - NAT menu
deadpeer - Dead peer menu
Table 11-70 SSL VPN Configuration IPSEC Server IKE Profile Menu Options
Command Syntax and Usage
name <string>
Set the IKE profile name.
del <IKE_profile_name>
Disable IPsec.
enc
Go to the Encryption mask menu. To view the menu options, see page 615.
dh
Go to the Diffie-Hellman group mask menu. To view the menu options, see page 616.
pfs on|off
Enable Perfect Forward Secrecy.
initcontac on|off
Accept ISAKMP initial contact payload.
rekeytime <integer>
Set the rekey time limit, in seconds.
rekeytraf <integer>
Set rekey traffic limit, in KBytes.
retransmit <integer>
Set ISAKMP retransmit limit, in seconds.
maxretrans <integer>
Set the maximum ISAKMP attempts to retransmit.
replaywins <integer>
Set replay window size.
nat
Go to the NAT menu. To view the menu options, see page 617.
deadpeer
Go to the Dead Peer menu. To view the menu options, see page 617.
/ssl/cfg/vpn/ipsec/ikeprof/enc
SSL VPN Configuration IPsec Server IKE Profile Encryption Menu
[Encryption Menu]
hmac_md5 - Set
hmac_sha - Set
null_md5 - Set
null_sha - Set
des_md5 - Set
des_sha - Set
3des_md5 - Set
3des_sha - Set
aes_128_sh - Set
Table 11-71 SSL VPN Configuration IPSEC Server IKE Profile Encryption Menu Options
Command Syntax and Usage
hmac_md5 on|off
Set HMAC with MD5.
hmac_sha on|off
Set HMAC with SHA.
null_md5 on|off
Set NULL with MD5.
null_sha on|off
Set NULL with SHA.
des_md5 on|off
Set DES with MD5.
des_sha on|off
Set DES with SHA.
3des_md5 on|off
Set 3DES with MD5.
3des_sha on|off
Set 3DES with SHA.
aes_128_sh on|off
Set 128 bits AES with SHA.
/ssl/cfg/vpn/ipsec/ikeprof/dh
SSL VPN Configuration IPsec Server IKE Profile Diffie-Hellman Group Mask Menu
[Diffie-Hellman Group Menu]
dh1 - Set Diffie-Hellman group 1
dh2 - Set Diffie-Hellman group 2
dh5 - Set Diffie-Hellman group 5
Table 11-72 SSL VPN Configuration IPSEC Server IKE Profile Diffie-Hellman Group Mask Menu Options
Command Syntax and Usage
dh1 on|off
Set Diffie-Hellman group 1.
dh2 on|off
Set Diffie-Hellman group 2.
dh5 on|off
Set Diffie-Hellman group 5.
/ssl/cfg/vpn/ipsec/ikeprof/NAT
SSL VPN Configuration IPsec Server IKE Profile NAT Menu
[NAT Menu]
natdetect
timeout
keepalive
Table 11-73 SSL VPN Configuration IPSEC Server IKE Profile NAT Menu Options
Command Syntax and Usage
natdetect disabled|auto|ipsec_capable|use_udp_encap
Set ESP UDP detection.
timeout <integer>
Set the detection timeout, in seconds.
keepalive <integer>
Set the keepalive timeout, in seconds.
/ssl/cfg/vpn/ipsec/ikeprof/deadpeer
SSL VPN Configuration IPsec Server IKE Profile Dead Peer Menu
[Dead Peer Menu]
ena
dis
interval
retransmit
Table 11-74 SSL VPN Configuration IPSEC Server IKE Profile Dead Peer Menu Options
Command Syntax and Usage
ena [enable|disable]
Enable dead peer detection.
dis [enable|disable]
Disable dead peer detection.
interval <integer>
Set the detection interval, in seconds.
retransmit <integer>
Set the maximum number of retransmissions.
/ssl/cfg/vpn/ippool
SSL VPN Configuration IP Pool Menu
[Pool Menu]
ena - Enable pool
dis - Disable pool
lowerip - Set lower IP in pool range
upperip - Set upper IP in pool range
proxyarp - Set proxy arp on clean side interfaces
info - Print alloc info for this VPN
/ssl/cfg/vpn/portal
SSL VPN Configuration Portal Menu
[Portal Menu]
import
restore
banner
redirect
logintext
iconmode
linktext
linkurl
linkcols
linkwidth
companynam
colors
faccess
lang
wiper
ieclear
whitelist
citrix
/ssl/cfg/vpn/portal/colors
SSL VPN Configuration Portal Colors Menu
[Portal Colors Menu]
color1 - Set portal color 1
color2 - Set portal color 2
color3 - Set portal color 3
color4 - Set portal color 4
theme - Color theme
/ssl/cfg/vpn/portal/faccess
SSL VPN Configuration Portal Full Access Menu
[Full Access Menu]
ena - Enable 'Full Access' tab
dis - Disable 'Full Access' tab
ipsecmode - Set IPSEC Mode
contip - Set Contivity IP address
contid - Set Contivity group ID
contpass - Set Contivity group password
portalmsg - Set text in 'Full Access' portal tab
appletmsg - Set text in 'Full Access' Applet window
Table 11-78 SSL VPN Configuration Portal Full Access Menu Options
Command Syntax and Usage
ena [enable|disable]
Enable 'Full Access' tab.
dis [enable|disable]
Disable 'Full Access' tab.
ipsecmode [contivity|native]
Set the IPSEC Mode.
contip [<IP_address>]
Set Contivity IP address.
contid [<string>]
Set the Contivity group ID.
contpass [<string>]
Set a Contivity group password.
portalmsg
Set text in 'Full Access' portal tab. Write or paste the text to show up in the Full Access Portal window, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
appletmsg
Set text in 'Full Access' Applet window. Write or paste text to show up in the Full Access Applet
window, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. If you *only* enter "..." a default text will be generated.
/ssl/cfg/vpn/portal/lang
SSL VPN Configuration Portal Language Menu
[Portal Language Menu]
setlang - Set the language to be used in the portal
charset - Print charset in use
list - List supported languages
/ssl/cfg/vpn/portal/whitelist
SSL VPN Configuration Portal Whitelist settings Menu
[White-list Settings Menu]
domains - Configure white-list domains
ena - Enable URL rewrite white-list
dis - Disable URL rewrite white-list
Table 11-80 SSL VPN Configuration Portal Whitelist settings Menu Options
Command Syntax and Usage
domains
Go to the Domains menu. To view the menu options, see page 623.
ena [enable|disable]
Enable URL re-write whitelist.
dis [enable|disable]
Disable URL re-write whitelist.
/ssl/cfg/vpn/portal/whitelist/domains
SSL VPN Configuration Portal Whitelist settings Domains Menu
[White-list menu Menu]
list - List all values
del - Delete a value by number
add - Add a new value
Table 11-81 SSL VPN Configuration Portal Whitelist settings Domains Menu Options
Command Syntax and Usage
list
Go to the Domains menu. To view the menu options, see page 621.
del [<index>]
Delete a value.
add [<domain_name>]
Add a domain.
/ssl/cfg/vpn/linkset
SSL VPN Configuration Linkset Menu
To enter the /ssl/cfg/vpn/linkset menu level, you are prompted to create a linkset if one does
not already exist.
SSL >> VPN 1# linkset
Enter Linkset number or name (1-1023): 1
Creating Linkset 1
Linkset name: Linkset_1
Linkset text (HTML syntax, eg <b>A heading</b>): html
Autorun Linkset (true/false) [false]: false
-----------------------------------------------------------
[Linkset 1 Menu]
name - Set linkset name
text - Set linkset text
autorun - Set autorun support
link - Link menu
del - Remove tunnel
/ssl/cfg/vpn/linkset/link
SSL VPN Configuration Linkset Link Menu
To enter the /ssl/cfg/vpn/linkset/link menu level, you are prompted to create a link if one does
not already exist.
SSL >> Linkset 1# link
Enter Link number or name (1-1023): 1
Creating Link 1
Enter link text: Link_1
Enter type of link (hit TAB to see possible values) [internal]: <tab>
smb
ftp
proxy
custom
mail
telnet
netdrive
wts
outlook
netdirect terminal
external
internal
eauto
iauto
Enter type of link (hit TAB to see possible values) [internal]: internal
Entering: Internal settings menu
Enter method (http/https): http
Enter host (eg inside.company.com): NoTel.ca
Enter path (eg /): /info
Leaving: Internal settings menu
-----------------------------------------------------------
[Link 1 Menu]
move - Move link
text - Set link text
type - Set link type
internal - Internal settings menu
del - Remove link
/ssl/cfg/vpn/linkset/link/internal
SSL VPN Configuration Linkset Link Internal Setting Menu
[Internal menu Menu]
quick - Quick internal link wizard
Table 11-84 SSL VPN Configuration Linkset Link Internal Settings Menu Options
Command Syntax and Usage
quick
Configure the link using the internal link wizard. For example:
SSL >> Internal menu# quick
Enter method (http/https): http
Enter host (eg inside.company.com): NoTel.ca
Enter path (eg /): /
/ssl/cfg/vpn/sslclient
SSL VPN Configuration SSL Client Menu
[SSL VPN Client Menu]
netdirect - Allow Netdirect client
xmlconfig - Set XML client configuration
/ssl/cfg/vpn/adv
SSL VPN Configuration Advanced Menu
[Advanced Menu]
interface
dns
log
/ssl/cfg/vpn/adv/dns
SSL VPN Configuration Advanced DNS settings Menu
[DNS Settings Menu]
search - Set DNS search list
/ssl/cfg/sys
SSL Configuration System Menu
[System Menu]
mip
host
routes
time
dns
rsa
syslog
accesslist
adm
user
distrace
/ssl/cfg/sys/host
SSL Configuration System Host Menu
[iSD Host 1 Menu]
type
ip
license
gateway
routes
interface port
ports
hwplatform halt
reboot
delete
-
/ssl/cfg/sys/host/routes
SSL Configuration System Host Routes Menu
[Host Routes Menu]
list - List all values
del - Delete a value by number
add - Add a new value
/ssl/cfg/sys/host/interface
SSL Configuration System Host Menu
[Host Interface 1 Menu]
ip - Set IP address
netmask - Set network mask
gateway - Set default gateway address
routes - Routes menu
vlanid - Set VLAN tag id
mode - Set mode
ports - Interface ports menu
primary - Set primary port
delete - Remove Host Interface
/ssl/cfg/sys/host/interface/routes
SSL Configuration System Host Interface Routes Menu
[Host Interface Routes Menu]
list - List all values
del - Delete a value by number
add - Add a new value
/ssl/cfg/sys/host/port
SSL Configuration System Host Port Menu
[Host Port 1 Menu]
autoneg - Set autonegotiation
speed - Set Speed
mode - Set full or half duplex mode
/ssl/cfg/sys/routes
SSL Configuration System Menu
[Routes Menu]
list
del
add
/ssl/cfg/sys/time
SSL Configuration System Time Menu
[Date and Time Menu]
date - Set system date
time - Set system time
tzone - Set Timezone
ntp - Configure NTP servers
/ssl/cfg/sys/time/ntp
SSL Configuration System Time NTP servers Menu
[NTP Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
Table 11-96 SSL Configuration System Time NTP Servers Menu Options
Command Syntax and Usage
list
List the configured NTP servers.
del [<NTP_server>]
Delete the NTP server. Removes the specified NTP server from the system configuration. Use the
list command to display the index numbers of all added NTP servers.
add [<IP_address>]
Add an NTP server. Adds an NTP server to the system configuration. The NTP server you add is
used by the NTP client on the iSD to synchronize its clock. NTP should have access to a number of
servers (at least three) in order to compensate for any discrepancies in the servers.
/ssl/cfg/sys/dns
SSL Configuration System DNS settings Menu
[DNS Settings Menu]
servers - DNS servers menu
cachesize - Set Local DNS cache size
retransmit - Set DNS Retransmit interval timer
count - Set DNS Retransmit counter
ttl - Set Max TTL
health - Set Health check interval
hdown - Set Health check down counter
hup - Set Health check up counter
[<integer>]
Set Health check up counter
/ssl/cfg/sys/dns/servers
SSL Configuration System DNS Servers settings Menu
[DNS Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
/ssl/cfg/sys/rsa
SSL Configuration System RSA servers Menu
To enter the /ssl/cfg/sys/rsa menu level, you are prompted to create an RSA server if one does
not already exist.
SSL >> System# rsa
Enter RSA Server number or name: (1-255) 1
Creating RSA Servers 1
RSA server symbolic name: RSA_1
-----------------------------------------------------------
[RSA Servers 1 Menu]
rsaname - Set RSA server symbolic name
import - Import sdconf.rec file
rmnodesecr - Remove Node Secret
del - Remove RSA server
/ssl/cfg/sys/syslog
SSL Configuration System SysLog Servers Menu
[Syslog Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
/ssl/cfg/sys/accesslist
SSL Configuration System Access List Menu
[Access List Menu]
list - List all values
del - Delete a value by number
add - Add a new value
/ssl/cfg/sys/adm
SSL Configuration System Administrative applications Menu
[Administrative Applications Menu]
snmp - SNMP menu
clitimeout - Set CLI idle timeout
audit - Audit Settings Menu
auth - Authentication menu
telnet - Set telnet CLI access
ssh - Set SSH CLI access
http - HTTP access menu
https - HTTPS access menu
sshkeys - SSH host keys menu
/ssl/cfg/sys/adm/snmp
SSL Configuration System Administrative applications SNMP Menu
[SNMP Menu]
ena - Enable SNMP
dis - Disable SNMP
versions - Set SNMP versions supported
snmpv2-mib - SNMPv2-MIB menu
community - SNMP community menu
users - SNMP USM Users Menu
target - Notification target menu
/ssl/cfg/sys/adm/snmp/snmpv2-mib
SSL Configuration System Administrative applications SNMPv2 MIB SNMP Menu
[SNMPv2-MIB Menu]
sysContact - Set sysContact
sysName - Set sysName
sysLocatio - Set sysLocation
snmpEnable - Set snmpEnableAuthenTraps
Table 11-104 SSL Configuration System Administrative applications SNMPv2-MIB Menu Options
Command Syntax and Usage
sysContact [<name_of_a_person>]
Set a system contact name. Designates a contact person for the managed iSD cluster, together with
information on how to contact this person.
sysName [<string, iSD_cluster_name>]
Assign a name to the managed iSD cluster.
sysLocatio [<string>]
Set the system location.
snmpEnable [<SNMP_trap_value>]
Set the snmpEnableAuthenTraps value.
/ssl/cfg/sys/adm/snmp/community
SSL Configuration System Administrative applications SNMP Community Menu
[SNMP Community Menu]
read - Set Read Community String
write - Set Write Community String
trap - Set Trap Community String
/ssl/cfg/sys/adm/snmp/users
SSL Configuration System Administrative applications SNMP Users Menu
To enter the /ssl/cfg/sys/adm/snmp/users menu level, you are prompted to create a userID if
one does not already exist.
Enter user number or name: (1-1023) 1
Creating SNMP User 1
User name: Maint_Chief
Enter security level (none/auth/priv) [priv]: priv
Enter permission (list of get,set,trap): get
Enter auth password: <password>
Enter priv password: <password>
-----------------------------------------------------------
[SNMP User 1 Menu]
name - Set user name
seclevel - Set Security level
permission - Set Permission
authpasswd - Set Authentication Password
privpasswd - Set Encryption Password
del - Remove SNMP User
/ssl/cfg/sys/adm/snmp/target
SSL Configuration System Administrative applications SNMP Target Menu
To enter the /ssl/cfg/sys/adm/snmp/target menu level, you are prompted to create a target if one
does not already exist.
SSL >> SNMP# target
Enter Notification Target number: (1-) 1
Creating Notification Target 1
Enter target ip: 0.0.0.0
Enter snmp version (v1/v2c/v3): v1
-----------------------------------------------------------
[Notification Target 1 Menu]
ip - Set target IP address
port - Set target port
version - Set SNMP version
del - Remove Notification Target
/ssl/cfg/sys/adm/audit
SSL Configuration System Administrative applications Audit Menu
[Audit Menu]
servers
vendorid
vendortype
ena
dis
/ssl/cfg/sys/adm/audit/servers
SSL Configuration System Administrative applications Audit Servers Menu
[RADIUS Audit Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
/ssl/cfg/sys/adm/http
SSL Configuration System Administrative applications HTTP Menu
[HTTP Menu]
port
ena
dis
/ssl/cfg/sys/adm/https
SSL Configuration System Administrative applications HTTPS Menu
[HTTPS Menu]
port
ena
dis
/ssl/cfg/sys/adm/sshkeys
SSL Configuration System Administrative applications SSH Host keys Menu
[SSH Host Keys Menu]
generate - Generate new SSH host keys for the cluster
show - Show current SSH host keys for the cluster
knownhosts - SSH known host keys menu
/ssl/cfg/sys/adm/sshkeys/knownhosts
SSL Configuration System Administrative applications SSH Known Host keys Menu
[SSH Known Host Keys Menu]
list - List known SSH keys of remote hosts
del - Delete known SSH host key by index
add - Add a new SSH host key
import - Retrieve SSH key from remote host
/ssl/cfg/sys/user
SSL Configuration System Menu
[User Menu]
passwd
expire
list
del
add
edit
caphrase
/ssl/cfg/sys/user/edit
SSL Configuration System User Edit Menu
[User User_1 Menu]
groups - Groups menu
cur - Display current setting
/ssl/cfg/sys/user/edit/groups
SSL Configuration System User Edit Menu
[Groups Menu]
list
del
add
Table 11-116 SSL Configuration System User Edit Groups Menu Options
Command Syntax and Usage
list
List all of the user groups information.
del [<user_group_name>]
Delete a user group.
add [<string, user_group_name>]
Add a user group.
/ssl/cfg/lang
SSL Configuration Language Support Menu
[Language Support Menu]
import - Import language definition file
export - Export language definition template
list - List the loaded languages
vlist - List ISO 639 language codes
del - Delete (custom) language definition
/ssl/boot
SSL Boot Menu
[Boot Menu]
software
halt
reboot
delete
NOTE: If you receive a warning that the iSD you are trying to delete has no contact with any (other) master iSD in the cluster, connect to the MIP address by Telnet or
SSH and delete the iSD from the cluster by using the delete command in the iSD Host
menu (/cfg/sys/cluster/host #).
The /boot/delete command is primarily intended for situations when you want to delete an iSD host
that has either become isolated from the cluster, or has been physically removed from the cluster
without first performing the delete command from the iSD Host menu. Under these circumstances,
you must use the /boot/delete command to present the Setup menu, from which you can perform
the new and join commands.
/ssl/boot/software
SSL Performance Menu
[Software Management Menu]
cur - Display current software status
activate - Select software version to run
download - Download new software pkg. via TFTP/FTP/SCP/SFTP
del - Remove unpacked/old releases
Status
-----old
permanent
activate [<software_version>]
Select the software version to run.
download [<protocol> <host> <filename>]
Download a new software package.
del [<software_version>]
Remove old software releases. Removes a software upgrade package that has been downloaded by
using the tftp or ftp command, in case you do not want to activate the unpacked software upgrade
package.
Only software versions whose status is indicated as unpacked (using the cur command) can be
removed.
/ssl/maint
SSL Performance Maintenance Menu
[Maintenance Menu]
hsm - HSM menu
dumplogs - Tech suppt dump log files to TFTP/FTP/SFTP server
dumpstat - Tech suppt dump curr. status to TFTP/FTP/SFTP server
chkcfg - Check applied configuration
starttrace - Start Trace
stoptrace - Stop Trace
/ssl/maint/hsm
SSL Performance HSM Menu
The /ssl/maint/hsm menu is only available to HSM enabled iSDs.
[HSM Menu]
login - Login to HSM cards on local iSD
splitkey - Split a wrap key onto CODE iKeys
changepass - Change iKey password
APPENDIX A
<Timestamp>
The time of the message event is displayed in month day hour:minute:second format. For
example: Aug 19 14:20:30
<Log Label>
The following types of log messages are recorded: LOG_EMERG, LOG_ALERT,
LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG
<Thread ID>
This is the software thread that reports the log message. The following thread IDs are
recorded: stp, ip, slb, console, telnet, vrrp, system, web server, ssh, and
bgp
Following is a list of potential syslog messages. To keep this list as short as possible, only
<Thread ID> and <Message> are shown. The messages are sorted by <Log Label>.
Where the <Thread ID> is listed as mgmt, one of the following may be shown: console,
telnet, web server, or ssh.
LOG_WARNING
FILTER filter <filter number> fired on port <port number>, <source IP address> -> <destination IP address>, [<ICMP type>], [<IP protocol>], [<layer-4 ports>], [<TCP flags>]
ntp:
ntp
320506-A, January 2006
LOG_ALERT
stp:
IP
vrrp:
vrrp:
vrrp:
vrrp:
slb:
slb:
gslb:
gslb:
gslb:
gslb:
slb:
slb:
real server failure threshold (<threshold>) has been reach for group <group_id>
slb:
slb:
bgp:
bgp:
vrrp:
vrrp:
dps:
dps:
syn_atk
tcplim
LOG_CRIT
SYSTEM: temperature at sensor <sensor_id> exceeded threshold
SYSTEM: internal power supply failed
SYSTEM: redundant power supply failed
SYSTEM: fan failure detected
SSH
LOG_ERR
mgmt:
mgmt:
mgmt:
ntp:
isd:
stp:
stp:
mgmt:
mgmt:
mgmt:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
Trunk groups <trunk_id> and <trunk_id> can not share the same port
cli:
cli:
cli:
Virtual router <vr_id> must have sharing disabled when hotstandby is enabled
cli:
cli:
cli:
Virtual router group must have sharing disabled when hotstandby is enabled
cli:
Virtual router group must have preemption enabled when hotstandby is enabled
cli:
cli:
Virtual router <vr_id> cannot have same VRID and VLAN as <vlan_id>
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
Virtual servers <server_id> and <server_id> with same IP address must support same layr3 configuration
cli:
Real server <server_id> cannot be backup server for both real server <server_id> and group <group_id>
cli:
Virtual server <server_id> has same IP address and vport as virtual server <server_id>
cli:
cli:
cli:
cli:
cli:
There must be at least one inter-switch port if any hot-standby port exist
cli:
With VMA, ports 1-8 must all have a PIP if any one does
cli:
cli:
DAM must be turned on or a PIP must be enabled for port <port_id> in order for virtual server to support FTP parsing
cli:
Real server <server_id> and group %u cannot both have backups configured
cli:
cli:
cli:
DAM must be turned on or a PIP must be enabled for port <port_id> in order for virtural server <server_id> to support URL parsing
cli:
Port filtering must be disabled on port <port_id> in order to support cookie based persistence for virtual server <server_id>
cli:
cli:
cli:
cli:
Virtual servers <server_id> and <server_id> that include the same real server <server_id> cannot map the same real port or balance UDP
cli:
Virtual server <server_id>: UDP service <virtual_port> with out-of-range port number
cli:
cli:
cli:
cli:
cli:
DAM must be turned on or a PIP must be enabled for ports <port_id> in order to do URL based redirection
cli:
cli:
Direct access mode is not supported with default gateway load balancing
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
For Global SLB, Web server must be moved from TCP port 80
cli:
cli:
cli:
cli:
Remote site <site_id> and real server <server_id> must use different addresses
cli:
Remote site <site_id> and virtual server <server_id> must use different addresses
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
cli:
Filter with ICMP types configured (<icmp_type>) must have IP protocol configure to ICMP
cli:
cli:
Loadbalance string must be added to real server <server_id> in order to enable exclusionary string matching
cli:
mgmt:
mgmt:
mgmt:
vrrp:
vrrp:
cfg_sync_tx_putsn: ABORTED
vrrp:
Synchronization TX Error
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
vrrp:
LOG_NOTICE
system:
system:
system:
temperature ok
system:
fan ok
system:
rebooted <last_reset_information>
system:
mgmt:
mgmt:
mgmt:
mgmt:
mgmt:
mgmt:
mgmt:
mgmt:
mgmt:
mgmt:
mgmt:
mgmt:
mgmt:
mgmt:
mgmt:
ssh:
ssh:
mgmt:
mgmt:
mgmt:
mgmt:
mgmt:
mgmt:
mgmt:
mgmt:
IP
IP
vrrp:
vrrp:
slb:
slb:
slb:
slb:
slb:
slb:
slb:
slb:
slb:
slb:
bgp:
LOG_INFO
SYSTEM:
mgmt:
mgmt:
mgmt:
mgmt:
mgmt:
mgmt:
ssh:
ssh:
mgmt:
mgmt:
mgmt:
mgmt:
ssh:
ssh:
ssh:
vrrp:
vrrp:
vrrp:
vrrp:
Synchronizing to <host_name>
vrrp:
vrrp:
vrrp:
APPENDIX B
altroot.mib -
aosSwitch.mib
aosPhysical.mib
aosNetwork.mib
aosLayer4.mib
aosLayer7.mib
aosBwm.mib
aosTrap.mib
RFC 1213 - MIB II (System, Interface, Address Translation, IP, ICMP, TCP, UDP, SNMP Groups)
Nortel Application Switch Operating System SNMP agent supports the following generic traps
as defined in RFC 1215:
ColdStart
WarmStart
LinkDown
LinkUp
AuthenticationFailure
The SNMP agent also supports two Spanning Tree traps as defined in RFC 1493:
NewRoot
TopologyChange
The following are the enterprise SNMP traps supported in Nortel Application Switch Operating System:
Table 11-122 Nortel Application Switch Operating System-Supported Enterprise SNMP Traps
Trap Name    Description
altSwDefGwUp
altSwDefGwDown
altSwDefGwInService
altSwDefGwNotInService
altSwSlbRealServerUp
altSwSlbRealServerDown
altSwSlbRealServerMaxConnReached
altSwSlbBkupRealServerAct
altSwSlbBkupRealServerDeact
altSwSlbBkupRealServerActOverflow
altSwSlbBkupRealServerDeactOverflow
altSwfltFilterFired
altSwSlbRealServerServiceUp
altSwSlbRealServerServiceDown
altSwVrrpNewMaster
altSwVrrpNewBackup
altSwVrrpAuthFailure
altSwLoginFailure
altSwSlbSynAttack
altSwTcpHoldDown
An altSwTcpHoldDown trap signifies that new TCP connection requests from a particular client will be blocked for a pre-determined amount of time since the rate of new TCP connections from that client has reached a pre-determined threshold.
altSwTempExceedThreshold
altSwSlbSessAttack
altSwFanFailure
APPENDIX C
A standard serial cable with a male DB9 connector (see your switch hardware installation
guide for specifics)
A binary switch firmware image (not the tftp file used for TFTP download)
1. Using the serial cable, connect the Console port of a Nortel Application Switch to the serial port of your PC that supports XModem/1K XModem.
2. Start HyperTerminal (part of Microsoft Windows) and set the following parameters:
Parameter      Value
Baud Rate      9600
Data Bits      8
Parity         None
Stop Bits      1
Flow Control   None
3.
4. Hold the <Shift> key down and hit D repeatedly until the following message appears:
Nortel Application Switch - PPCBoot 2.2.
To download a serial image use 1K Xmodem at 115200
5.
Reconfigure your terminal emulation software with the following parameters (only after
you see the message displayed in step 4):
Parameter       Value
Baud Rate       115200
Data Bits       8
Parity          None
Stop Bits       1
Flow Control    None
NOTE: You can perform serial downloads at a 57600 baud rate by pressing Shift f or at a 115200
baud rate by pressing Shift d.
6.
Press <Enter> on the keyboard of the PC that is connected to the console port of the
switch. When the Console Port is successfully communicating with the PC, you will see:
CCCC...
7.
Make sure that the new binary firmware file is available on the computer. This file can be
downloaded from the CD that is shipped with the switch. Select <Transfer-Send File>
and choose the following:
file: For example, "21.0.0.0_Serial.img" (or the file previously downloaded to the computer)
protocol: 1K XMODEM
It will take about 15 minutes for the transfer to complete.
NOTE: Although slower, XMODEM will work too if you choose not to use 1K XMODEM.
8.
Power off the switch, wait for a few seconds and power the switch on.
CAUTION: Do not power off the switch until you see the message: Change your baud rate to
9600 bps and power cycle switch. Otherwise, the switch will be inoperable.
9.
The switch will boot with the new software load. You should see the following sample log
on your screen:
Nortel Application Switch - PPCBoot 2.2.
To download a serial image use 1K Xmodem at 115200
CCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Total bytes transferred: 0x4ff400
Extracting images... Do *NOT* power cycle the switch
Updating flash...
#################################################################
Change your baudrate to 9600 bps and power cycle the switch
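The exchange behind steps 6 and 7, written out as an added example (not Nortel code): the CCCC... prompt is the receiver asking for CRC mode, and each 1K block carries a CRC-16 that catches line errors but does not authenticate the image. Function names and the sample image are constructed for illustration; the 0x4ff400 size is the figure from the sample log above.

```python
import binascii

STX, EOT, ACK, NAK = 0x02, 0x04, 0x06, 0x15
BLOCK = 1024          # data bytes per XMODEM-1K block
FRAME = 3 + BLOCK + 2  # STX, block number, complement, data, CRC-16
PAD = 0x1A            # conventional padding byte for the last block


def crc16_xmodem(data):
    """CRC-16 with polynomial 0x1021 and initial value 0, as used by XMODEM-CRC."""
    return binascii.crc_hqx(data, 0)


def frames_1k(image):
    """Sender side: yield one XMODEM-1K frame per 1024 bytes of the image."""
    for offset in range(0, len(image), BLOCK):
        chunk = image[offset:offset + BLOCK].ljust(BLOCK, bytes([PAD]))
        number = (offset // BLOCK + 1) & 0xFF   # block numbers start at 1 and wrap
        header = bytes([STX, number, 0xFF - number])
        yield header + chunk + crc16_xmodem(chunk).to_bytes(2, "big")


def check_frame(frame, expected_number):
    """Receiver side: return ACK for a valid frame, NAK to request a resend."""
    if len(frame) != FRAME or frame[0] != STX:
        return NAK
    if frame[1] != (expected_number & 0xFF) or frame[1] + frame[2] != 0xFF:
        return NAK
    if crc16_xmodem(frame[3:3 + BLOCK]) != int.from_bytes(frame[-2:], "big"):
        return NAK
    return ACK


def simulate_transfer(image, corrupt_first_try_of=None):
    """Run both sides in one loop; returns (bytes received, message transcript)."""
    transcript = ["R>S C"]   # receiver requests CRC mode (the CCCC... prompt)
    received = bytearray()
    for number, frame in enumerate(frames_1k(image), start=1):
        attempt = frame
        if number == corrupt_first_try_of:
            # Constructed line error: one flipped bit in the data area.
            attempt = frame[:10] + bytes([frame[10] ^ 0x01]) + frame[11:]
        while True:
            reply = check_frame(attempt, number)
            transcript.append("S>R block %d" % number)
            transcript.append("R>S ACK" if reply == ACK else "R>S NAK")
            if reply == ACK:
                received += attempt[3:3 + BLOCK]
                break
            attempt = frame   # sender retransmits the clean frame
    transcript += ["S>R EOT", "R>S ACK"]
    return bytes(received), transcript


def transfer_plan(image_size, baud):
    """Blocks, bytes on the wire and a lower bound on seconds (8N1 = 10 bits/byte)."""
    blocks = -(-image_size // BLOCK)
    wire_bytes = blocks * FRAME + 1   # plus the final EOT
    return blocks, wire_bytes, wire_bytes * 10 / baud


if __name__ == "__main__":
    sample = bytes(range(256)) * 5 + b"tail"   # constructed 1284-byte "image"
    data, log = simulate_transfer(sample, corrupt_first_try_of=2)
    print("\n".join(log))
    print("received %d bytes for a %d-byte image" % (len(data), len(sample)))
    print("plan for 0x4ff400 bytes at 115200: %d blocks, %d wire bytes, %.0f s minimum"
          % transfer_plan(0x4ff400, 115200))
```

The receiver stores whole blocks, so the received length is always a multiple of 1024 and includes the padding; the time returned by transfer_plan ignores ACK turnaround and is only a lower bound.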
Glossary
DIP (Destination IP Address)
Dport (Destination Port)
NAT (Network Address Translation)
Any time an IP address is changed from one source IP or destination IP address to another
address, network address translation can be said to have taken place. In general, half NAT
is when the destination IP or source IP address is changed from one address to another.
Full NAT is when both addresses are changed from one address to another. No NAT is
when neither source nor destination IP addresses are translated. Virtual server-based load
balancing uses half NAT by design, because it translates the destination IP address from
the Virtual Server IP address, to that of one of the real servers.
Preemption
In VRRP, preemption will cause a Virtual Router that has a lower priority to go into
backup should a peer Virtual Router start advertising with a higher priority.
Priority
In VRRP, the value given to a Virtual Router to determine its ranking with its peer(s).
Minimum value is 1 and maximum value is 254. Default is 100. A higher number will win
out for master designation.
Proto (Protocol)
The protocol of a frame. Can be any value represented by an 8-bit value in the IP header
adherent to the IP specification (for example, TCP, UDP, OSPF, ICMP, and so on).
A group of real servers that are associated with a Virtual Server IP address, or a filter.
Redirection or Filter-Based Load Balancing
A type of load balancing that operates differently from virtual server-based load balancing.
With this type of load balancing, requests are transparently intercepted and redirected to a
server group. Transparently means that requests are not specifically destined
for a Virtual Server IP address that the switch owns. Instead, a filter is configured in the
switch. This filter intercepts traffic based on certain IP header criteria and load balances it.
Filters can be configured to filter on the SIP/Range (via netmask), DIP/Range (via netmask),
Protocol, SPort/Range or DPort/Range. The action on a filter can be Allow, Deny,
Redirect to a Server Group, or NAT (translation of either the source IP or destination IP
address). In redirection-based load balancing, the destination IP address is not translated to
that of one of the real servers. Therefore, redirection-based load balancing is designed to
load balance devices that normally operate transparently in your network, such as a
firewall, spam filter, or transparent Web cache.
Real Server IP Address. An IP address that the switch load balances to when requests
are made to a Virtual Server IP address (VIP).
SIP (Source IP Address)
Tracking
In VRRP, a method to increase the priority of a virtual router and thus master designation
(with preemption enabled). Tracking can be very valuable in an active/active configuration.
You can track the following:
Vrs: Virtual Routers in Master Mode (increments priority by 2 for each)
Ifs: Active IP interfaces on the Nortel Application Switch (increments priority by 2 for each)
Ports: Active ports on the same VLAN (increments priority by 2 for each)
l4pts: Active Layer 4 Ports, client or server designation (increments priority by 2 for each)
reals: healthy real servers (increments by 2 for each healthy real server)
hsrp: HSRP announcements heard on a client designated port (increments by 10 for each)
An IP address that the switch owns and uses to load balance particular service requests
(like HTTP) to other servers.
A VRRP address that is an IP interface address shared between two or more virtual routers.
Virtual Router
A shared address between two devices utilizing VRRP, as defined in RFC 2338. One virtual router is associated with an IP interface. This is one of the IP interfaces that the switch
is assigned. All IP interfaces on the Nortel Application Switch must be in a VLAN. If there
is more than one VLAN defined on the Nortel Application Switch, then the VRRP broadcasts will only be sent out on the VLAN of which the associated IP interface is a member.
Classic load balancing. Requests destined for a Virtual Server IP address (VIP), which is
owned by the switch, are load balanced to a real server contained in the group associated
with the VIP. Network address translation is done back and forth, by the switch, as
requests come and go.
Frames come to the switch destined for the VIP. The switch then replaces the VIP
with one of the real server IP addresses (RIPs), updates the relevant checksums, and
forwards the frame to the server for which it is now destined. This process of replacing the
destination IP (VIP) with one of the real server addresses is called half NAT. If the frames
were not half NAT'ed to the address of one of the RIPs, a server would receive the frame
that was destined for its MAC address, forcing the packet up to Layer 3. The server would
then drop the frame, since the packet would have the DIP of the VIP and not that of the
server (RIP).
In VRRP, a value between 1 and 255 that is used by each virtual router to create its MAC
address and identify its peer for which it is sharing this VRRP address. The VRRP MAC
address as defined in the RFC is 00-00-5E-00-01-{VRID}. If you have a VRRP address
that two switches are sharing, then the VRID number needs to be identical on both
switches so each virtual router on each switch knows whom to share with.
A protocol that acts very similarly to Cisco's proprietary HSRP address sharing protocol.
The reason for both of these protocols is so devices have a next hop or default gateway that
is always available. Two or more devices sharing an IP interface are either advertising or
listening for advertisements. These advertisements are sent via a broadcast message to an
address such as 224.0.0.18.
With VRRP, one switch is considered the master and the other the backup. The master is
always advertising via the broadcasts. The backup switch is always listening for the broadcasts. Should the master stop advertising, the backup will take over ownership of the
VRRP IP and MAC addresses as defined by the specification. The switch announces this
change in ownership to the devices around it by way of a Gratuitous ARP, and advertisements.
If the backup switch didn't do the Gratuitous ARP, the Layer 2 devices attached to
the switch would not know that the MAC address had moved in the network. For a more
detailed description, refer to RFC 2338.
A VRRP address that is a shared Virtual Server IP address. VSR is a Nortel proprietary
extension to the VRRP specification. The switches must be able to share Virtual Server IP
addresses, as well as IP interfaces. If they didn't, the two switches would fight for
ownership of the Virtual Server IP address, and the ARP tables in the devices around them
would have two ARP entries with the same IP address but different MAC addresses.
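The Tracking, VRID and VRRP entries above can be tied together in one check, shown here as an added example (not code from the Nortel manual): it derives the VRRP MAC from the VRID, applies the glossary's tracking increments to a base priority, and audits an RFC 2338 advertisement against the configuration an operator expects. The function names, the expected-configuration dictionary, the documentation addresses and the clamping of the tracked priority to 1..254 are assumptions of this example.

```python
import struct

# Priority increments per tracked item, as listed in the Tracking entry.
TRACK_INCREMENT = {"vrs": 2, "ifs": 2, "ports": 2, "l4pts": 2, "reals": 2, "hsrp": 10}


def virtual_mac(vrid):
    """VRRP MAC address 00-00-5E-00-01-{VRID} for a VRID of 1 to 255."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be between 1 and 255")
    return "00-00-5E-00-01-%02X" % vrid


def tracked_priority(base=100, **tracked):
    """Base priority plus tracking increments (clamping to 1..254 is assumed)."""
    total = base + sum(TRACK_INCREMENT[name] * count for name, count in tracked.items())
    return max(1, min(254, total))


def goes_to_backup(local_priority, peer_priority, preemption=True):
    """With preemption, the lower-priority router yields to a higher-priority peer."""
    return bool(preemption and peer_priority > local_priority)


def inet_checksum(data):
    """16-bit one's complement checksum computed over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, priority, addresses, auth_type=0, auth_data=b"", adver_int=1):
    """Build a VRRPv2 advertisement; used here only to construct sample input."""
    head = struct.pack("!6B", 0x21, vrid, priority, len(addresses), auth_type, adver_int)
    tail = b"".join(bytes(int(p) for p in a.split(".")) for a in addresses)
    tail += auth_data.ljust(8, b"\x00")[:8]
    checksum = inet_checksum(head + b"\x00\x00" + tail)
    return head + struct.pack("!H", checksum) + tail


def parse_advert(payload):
    """Decode the fixed header, the address list and the checksum result."""
    if len(payload) < 16:
        raise ValueError("VRRP message too short")
    ver_type, vrid, priority, count, auth_type, adver_int = struct.unpack("!6B", payload[:6])
    end = 8 + 4 * count + 8   # header, addresses, 8 bytes of authentication data
    if len(payload) < end:
        raise ValueError("address count exceeds message length")
    addresses = [".".join(str(b) for b in payload[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"version": ver_type >> 4, "type": ver_type & 0x0F, "vrid": vrid,
            "priority": priority, "auth_type": auth_type, "adver_int": adver_int,
            "addresses": addresses, "checksum_ok": inet_checksum(payload[:end]) == 0}


def audit_advert(src_ip, src_mac, payload, expected):
    """Return a list of findings; an empty list means the advertisement matches."""
    adv = parse_advert(payload)
    findings = []
    if not adv["checksum_ok"]:
        findings.append("bad checksum")
    if (adv["version"], adv["type"]) != (2, 1):
        findings.append("not a VRRPv2 advertisement")
    if adv["vrid"] != expected["vrid"]:
        findings.append("unexpected VRID %d" % adv["vrid"])
    if src_mac.upper().replace(":", "-") != virtual_mac(expected["vrid"]):
        findings.append("source MAC is not the VRRP MAC for the VRID")
    if src_ip not in expected["routers"]:
        findings.append("advertisement from unknown router %s" % src_ip)
    if adv["auth_type"] != expected["auth_type"]:
        findings.append("unexpected authentication type %d" % adv["auth_type"])
    if adv["addresses"] != expected["addresses"]:
        findings.append("unexpected virtual addresses %s" % adv["addresses"])
    return findings


# Constructed sample data (documentation addresses, not values from the manual).
EXPECTED = {"vrid": 10, "routers": {"192.0.2.2", "192.0.2.3"},
            "auth_type": 1, "addresses": ["192.0.2.1"]}
GOOD = build_advert(10, tracked_priority(100, reals=4, ifs=1), ["192.0.2.1"],
                    auth_type=1, auth_data=b"example")
UNKNOWN = build_advert(10, 254, ["192.0.2.1"], auth_type=0)

if __name__ == "__main__":
    print(virtual_mac(10), tracked_priority(100, reals=4, ifs=1))
    print(audit_advert("192.0.2.2", "00-00-5e-00-01-0a", GOOD, EXPECTED))
    print(audit_advert("192.0.2.77", "00-00-5e-00-01-0a", UNKNOWN, EXPECTED))
```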
Glossary 675
320506-A, January 2006
676 Glossary
320506-A, January 2006
Index
Symbols
(MD5) .............................................................. 487
(SLB real server group option)
content ...................................................... 424
/ command .......................................................... 56
[ ]....................................................................... 23
Numerics
1K XModem ..................................................... 671
3000 series........................................................ 306
A
abbreviating commands (CLI) .............................. 60
access control
system ....................................................... 288
action (SLB filtering option) ............................... 448
activating optional software ................................ 509
active configuration block .......................... 260, 515
active FTP SLB parsing statistics ........................ 221
active IP interface .............................................. 393
active Layer 4 processing ................................... 393
active port
VLAN ....................................................... 393
active switch configuration
gtcfg ......................................................... 408
ptcfg ......................................................... 408
restoring .................................................... 408
active switch, saving and loading configuration .... 408
add
SLB port option .......................................... 464
addr
ARP entries................................................ 524
IP route tag ................................................ 109
Address Resolution Protocol (ARP)
address list ................................................. 524
administrator account30, 33
B
backup
SLB real server group option ........................ 424
backup configuration block ......................... 260, 515
backup server activations (SLB statistics) .... 205, 228
bandwidth management
configuration .............................................. 316
contracts .................................................... 317
bandwidth management contract
precedence value ......................................... 319
bandwidth management contract configuration .... 264,
319
677
broadcast
IP route tag ................................................ 109
IP route type ............................................... 109
broadcast domains ............................................. 339
broadcast IP address ............................................ 43
Browser-Based Interface ...................................... 25
BWM
contract rate statistics................................... 235
contract statistics......................................... 234
history statistics .......................................... 237
port ........................................................... 233
switch processor contract statistics ................ 233
switch processor rate contract statistics .......... 233
C
capture dump information to a file....................... 528
Cisco Ether Channel .......................................... 334
clear
ARP entries ................................................ 524
dump information ....................................... 529
FDB entry .................................................. 523
routing table ............................................... 525
clearing SLB statistics ................................ 230, 231
client traffic processing ...................................... 463
command (help) .................................................. 56
Command-Line Interface (CLI) ....... 25 to 31, 33, 53
commands
abbreviations ................................................ 60
conventions used in this manual ...................... 23
global commands .......................................... 56
shortcuts ...................................................... 60
stacking ....................................................... 60
tab completion .............................................. 60
678 Index
320506-A, January 2006
Index 679
320506-A, January
cost
STP information ........................................... 99
STP port option........................................... 333
counters, No Server Available (dropped frames) .. 205,
228
D
date
setup............................................................ 37
system option ............................................. 262
debugging ......................................................... 519
default gateway
information ................................................ 107
interval, for health checks............................. 346
metrics ....................................................... 396
round robin, load balancing for ..................... 396
default password .................................................. 30
delete
FDB entry .................................................. 523
deny (filtering) .................................................. 228
designated port. ................................................. 114
diff (global) command, viewing changes .............. 259
dip (destination IP address for filtering) ............... 449
direct (IP route type) .......................................... 109
directed broadcasts............................................. 350
DISABLED (port state) ........................................ 99
disconnect idle timeout ......................................... 31
Distributed Site State Protocol (DSSP)
setting update interval .................................. 466
dmask
destination mask for filtering ........................ 449
DNS statistics .................................................... 192
Domain Name System (DNS)
health checks .............................................. 427
downloading software ........................................ 513
dropped frames (No Server Available) counter .... 205,
228
dump
configuration command ............................... 407
maintenance ............................................... 519
state information ......................................... 530
duplex mode........................................................ 39
link status ....................................... 62, 78, 147
setup............................................................ 39
E
EMS,Alteon EMS ................................................46
emulation software .............................................671
EtherChannel
as used with port trunking .............................334
F
factory configuration block .................................515
factory default configuration .....................31, 33, 34
Fast Ethernet Physical Link .................................303
Fast Ethernet, configuring ports for ......................303
fastage ..............................................................482
FDB statistics ....................................................171
fiber optic ports ..................................................309
File Transfer Protocol .........................................220
filter statistics ....................................................213
filtered (denied) frames ...............................205, 228
filters
IP address ranges .........................................449
Final Steps...........................................................45
first-time configuration ......................... 31, 33 to 50
fixed
IP route tag .................................................109
flag field............................................................114
flow control .................................................62, 147
configuring .........................305, 309, 311, 313
setup ......................................................39, 40
forwarding configuration
IP forwarding configuration ..........................350
forwarding database (FDB) .................................519
delete entry .................................................523
Forwarding Database Information Menu ................90
Forwarding Database Menu.........................522, 535
forwarding state (FWD) ..........................92, 99, 102
FTP server health checks ....................................427
FTP SLB maintenance statistics...........................222
FTP SLB statistics dump .....................................222
full-duplex ...........................................................39
fwd (STP bridge option) .....................................331
FwdDel (forward delay), bridge port ......................99
G
gig (Port Menu option) .......................303, 307, 309
Gigabit Ethernet
configuration...............................303, 307, 309
H
half-duplex ......................................................... 39
hash metric ....................................................... 430
health check types, SLB ..................................... 426
health checks..................................................... 417
default gateway interval, retries .................... 346
IDSLB....................................................... 426
layer information ........................................ 132
parameters for most protocols ....................... 427
redirection (rport) ........................................ 448
retry, number of failed health checks ............. 346
script ......................................................... 488
SNMP ............................................... 428, 490
WAP ......................................................... 492
hello
STP information ........................................... 99
help .................................................................... 56
host routes ........................................................ 358
Hot Standby Router on VLAN (HSRV)
use with VLAN-tagged environment ............. 386
VRRP priority increment value ..................... 396
Hot Standby Router Protocol (HSRP)
priority increment value for L4 client ports ..... 395
use with VRRP ................................... 386, 393
VRRP priority increment value ..................... 395
Hot Standby Router VLAN (HSRV)
use with VRRP ........................................... 393
hot-standby failover ........................................... 391
HP-OpenView ..................................................... 25
hprompt
system option ............................................. 262
HSRP. See Hot Standby Router Protocol.
HSRV. See Hot Standby Router Protocol.
HTTP
application health checks ............................. 427
redirects (Global SLB option) ....................... 466
system option ............................................. 288
680 Index
320506-A, January 2006
I
ICMP statistics .................................................. 193
idle timeout
overview...................................................... 31
IDSLB health checks ......................................... 426
IEEE standards
802.1d Spanning-Tree Protocol .............. 98, 329
image
downloading .............................................. 513
software, selecting ...................................... 514
IMAP server health checks ................................. 427
imask (IP address mask) ..................................... 481
incorrect VIPs (statistic) ............................. 204, 228
incorrect Vports (dropped frames counter) ... 205, 228
indirect (IP route type) ....................................... 109
Information
Trunk Group Information............................. 102
Information Menu ............................................... 61
Interface change stats ......................................... 180
interface statistics .............................................. 195
IP address ........................................................... 42
ARP information ........................................ 113
BOOTP ....................................................... 27
configuring default gateway ......................... 346
filter ranges ................................................ 449
IP interface .................................................. 42
local route cache ranges ............................... 351
Telnet .......................................................... 27
IP address mask for SLB .................................... 481
IP configuration via setup ..................................... 42
IP forwarding .................................................... 378
directed broadcasts ...................................... 350
local networks for route caching ................... 350
IP forwarding information .................................. 107
IP Information Menu ................................. 107, 126
IP interface ....................................................... 344
active ........................................................ 393
configuring address ..................................... 344
configuring VLANs .................................... 344
IP interfaces ................................................ 42, 109
information ................................................ 107
IP route tag ................................................ 109
priority increment value (ifs) for VRRP ......... 395
IP network filter configuration ............................ 352
Index 681
320506-A, January
L
l4apw (L4 administrator system option) ............... 292
Layer 4
administrator account..................................... 30
Layer 4 processing
active......................................................... 393
layer 7 SLB maintenance statistics ...................... 216
layer 7 SLB string statistics ................................ 215
layer7 redirection statistics ......................... 214, 218
LDAP version ................................................... 487
LEARNING (port state) ....................................... 99
least connections (SLB Real Server metric) .. 426, 430
licence certificate ............................................... 509
license password ................................................ 509
link
speed, configuring ....................... 305, 308, 313
link status............................................................ 62
command ................................................... 148
duplex mode ................................... 62, 78, 147
port speed....................................... 62, 78, 147
Link Status Information ...................................... 147
linkt (SNMP option) .......................................... 275
LISTENING (port state) ....................................... 99
lmask (routing option) ........................................ 107
lnet (routing option) ........................................... 107
local (IP route type) ........................................... 109
local network for route caching ........................... 350
local route cache
IP address ranges for.................................... 351
log
syslog messages .......................................... 264
logical segment. See IP subnets.
M
MAC (media access control) address ...... 63, 90, 113,
509, 522
O
octet counters .................................................... 211
online help .......................................................... 56
operating mode, configuring ............... 305, 308, 313
operations menu ................................................ 499
operations-level BGP options ............................. 508
operations-level BWM options ........................... 505
operations-level IP options ................................. 508
Operations-Level Port Options ............................ 501
operations-level SLB options .............................. 502
operations-level VRRP options ........................... 505
optional software ......................................... 62, 150
activating ................................................... 509
removing ................................................... 510
OSPF
area types ........................................... 119, 361
ospf
area index .......................................... 361, 363
authentication key ....................................... 366
configuration .............................................. 361
cost of the selected path ............................... 366
cost value of the host ................................... 369
dead, declaring a silent router to be down ....... 366
dead, health parameter of a hello packet ......... 367
export ........................................................ 370
fixed routes ................................................ 371
general ...................................................... 177
global ........................................................ 177
hello, authentication parameter of a hello packet ...
N
nbr change statistics............................................179
Network Address Translation (NAT)
filter action .................................................448
network management ............................................25
non TCP/IP frames .....................................204, 228
notice ................................................................262
NTP synchronization ..........................................272
NTP time zone ...................................................272
682 Index
320506-A, January 2006
367
P
panic
command ................................................... 530
switch (and Maintenance Menu option) ......... 519
parameters
tag ............................................................ 109
type........................................................... 109
Passive FTP SLB Parsing Statistics ..................... 221
Password
user access control ...................................... 292
password
administrator account .................................... 30
default ......................................................... 30
L4 administrator account ............................... 30
user account ................................................. 30
VRRP authentication ................................... 394
passwords ........................................................... 29
Index 683
320506-A, January
persistent bindings
real server .................................................. 437
ping ............................................................ 57, 415
PIP ................................................................... 496
POP3
server health checks..................................... 427
port
bandwidth management switch processor statistics
233
Q
quiet (screen display option) ..................................57
R
RADIUS
server authentication ....................................428
read community string (SNMP option) .................275
real server
statistics .....................................................211
real server global SLB statistics ...........................207
real server group options
add ............................................................425
real server group SLB configuration.....................423
real server group statistics ...................................212
real server groups
combining servers into .................................423
statistics .....................................................212
real server SLB configuration ..............................414
real servers
backup .......................................................424
priority increment value (reals) for VRRP .......395
SLB state information ..................................132
reboot .......................................................519, 530
receive flow control 39, 40, 305, 309, 311, 313, 314
redir (SLB filtering option) .................................448
reference ports .....................................................92
referenced port ...................................................114
remote monitoring on the port (rmon) ..................501
remote site servers ..............................................417
removing optional software .................................510
reset key combination .........................................520
restarting switch setup ..........................................36
retries
radius server ...............................................269
retry
health checks for default gateway ..................346
rip
IP route tag .................................................109
RIP. See Routing Information Protocol.
rmkey ...............................................................510
round robin
as used in gateway load balancing..................396
roundrobin
SLB Real Server metric ....................... 426, 430
route
cache configuration ..................................... 350
route statistics ................................................... 189
router hops ........................................................ 374
routing information protocol
configuration .............................................. 357
Routing Information Protocol (RIP) .................... 109
options ...................................................... 359
rport
SLB virtual server option ............................. 435
RTSP SLB statistics ........................................... 223
rx flow control .............................................. 39, 40
Rx/Tx statistics.................................................. 178
S
save (global command) ...................................... 260
noback option ............................................. 260
save command................................................... 515
script
health checks .............................................. 488
scriptable health checks configuration ................. 488
secret
radius server ............................................... 269
secsrv
secondary radius server ................................ 269
security
VLANs...................................................... 339
segmentation. See IP subnets.
segments. See IP subnets.
serial cable .......................................................... 26
serial download ................................................. 671
Server Load Balancing
IDS ........................................................... 422
operations-level options ............................... 502
real server weights ...................................... 415
server load balancing
client traffic processing ................................ 463
health check ............................................... 426
health check types ....................................... 426
metrics ...................................................... 429
port options ................................................ 464
server traffic processing ............................... 463
server load balancing configuration options ......... 412
Server Load Balancing Maintenance Statistics Menu ..
684 Index
320506-A, January 2006
Index 685
320506-A, January
system
contact (SNMP option) ................................ 274
date and time .......................................... 61, 63
location (SNMP option) ............................... 274
system access control configuration..................... 288
System Maintenance Menu ................................. 522
system options
admpw (administrator password) .................. 293
BOOTP ..................................................... 262
cur (current system parameters) ............ 269, 272
date ........................................................... 262
hprompt ..................................................... 262
HTTP access .............................................. 288
l4apw (Layer 4 administrator password) ........ 292
login banner ............................................... 262
time........................................................... 262
tnet............................................................ 288
tnport ........................................................ 289
usrpw (user password) ................................. 292
system parameters, current ......................... 269, 272
T
tab completion (CLI) ........................................... 60
tacacs ............................................................... 270
TACACS+ ........................................................ 270
TCP
fragments ................................................... 433
health checking using .................................. 417
health checks .............................................. 427
source and destination ports.......................... 447
TCP statistics ............................................ 197, 251
Telnet ................................................................. 27
BOOTP ....................................................... 27
configuring switches using ........................... 407
telnet
radius server ............................................... 269
Telnet support
optional setup for Telnet support ..................... 46
terminal emulation ............................................... 26
text conventions .................................................. 23
TFTP ................................................................ 513
PUT and GET commands ............................ 408
TFTP server ...................................................... 408
time
setup ........................................................... 37
system option ............................................. 262
timeout
radius server ............................................... 269
471
tnet
system option ............................................. 288
tnport
system option ............................................. 289
TPCP (Transparent Proxy Cache Protocol) .......... 482
trace buffer ....................................................... 527
Switch Processor ........................................ 527
traceroute............................................................ 57
Tracking
VRRP ............................................... 383, 387
transmit flow control ........ 39, 40, 305, 309, 311, 313, 314
transparent proxies, when used for NAT .............. 448
Trunk Group Information ................................... 102
ttl (time to live, global SLB menu option) ............ 466
tx flow control............................................... 39, 40
type of area
ospf........................................................... 363
type parameters ................................................. 109
typographic conventions, manual .......................... 23
tzone ................................................................ 272
U
UCB statistics ................................................... 251
UDP
datagrams .......................................... 204, 228
server status using ....................................... 417
source and destination ports ......................... 447
UDP statistics ................................................... 199
unknown (UNK) port state ................................... 92
Unscheduled System Dump ................................ 531
upgrade, switch software .................................... 512
URL for health checks ....................................... 133
user account ........................................................ 30
usrpw (system option) ........................................ 292
Uuencode Flash Dump ....................................... 528
V
verbose ............................................................... 57
vip
advertisement of virtual IP addresses as Host Routes ................................................ 358
IP route tag ................................................ 109
X
XModem .......................................................... 671
312
setup ............................................................41
Spanning-Tree Protocol ................................329
tagging ...................................40, 62, 149, 340
VLAN Number ...........................................103
VRID (virtual router ID) .............................383, 391
VRRP
interface configuration .................................394
master advertisements ..................................384
tracking ..............................................383, 387
tracking configuration ..................................395
virtual router sharing ....................................384
VRRP Information .............................................127
VRRP master advertisements
time interval ................................................391
VRRP statistics ..................................................191
W
WAP
health checks ..............................................492
WAP health check
wspport ..............................................490, 492
wtlsprt ................................................490, 493
WAP health check configuration .........................492
WAP SLB statistics ............................................225
watchdog timer ..................................................520
web-based management interface...........................25
weights
for SLB real servers .....................................431
setting virtual router priority values ................395
write community string (SNMP option) ................275
wspport
WAP health check ...............................490, 492
wtlsprt
WAP health check ...............................490, 493