Professional Documents
Culture Documents
Command Reference
Copyright 2006 Nortel Networks, Inc., 4655 Great America Parkway, Santa Clara, California 95054, USA.
All rights reserved. Part Number: 320506-A.
This document is protected by copyright and distributed under licenses restricting its use, copying,
distribution, and decompilation. No part of this document may be reproduced in any form by any means
without prior written authorization of Nortel Networks, Inc. Documentation is provided “as is” without
warranty of any kind, either express or implied, including any kind of implied or express warranty of non-
infringement or the implied warranties of merchantability or fitness for a particular purpose.
U.S. Government End Users: This document is provided with a “commercial item” as defined by FAR
2.101 (Oct 1995) and contains “commercial technical data” and “commercial software documentation” as
those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this
documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR
12.211- 12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995).
Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without
notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products
described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of
this product does not convey a license under any patent rights, trademark rights, or any other intellectual
property rights of Nortel Networks, Inc.
Nortel Application Switch Operating System, Nortel Application Switch 2424, Nortel Application
Switch 2424-SSL, Nortel Application Switch 2224, 2216, 2208, 3408, Nortel Application Switch 180,
Nortel Application Switch 180e, Nortel Application Switch 184, Nortel Application Switch AD3, Nortel
Application Switch AD4, and ACEswitch are trademarks of Nortel Networks, Inc. in the United States and
certain other countries. Cisco® and EtherChannel® are registered trademarks of Cisco Systems, Inc. in the
United States and certain other countries. Check Point® and FireWall-1® are trademarks or registered
trademarks of Check Point Software Technologies Ltd. Any other trademarks appearing in this manual are
owned by their respective companies.
2
320506-A, January 2006
Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Who Should Use This Book . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
How This Book Is Organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .22
Typographic Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23
How to Get Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .24
First-Time Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Using the Setup Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Information Needed For Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
Starting Setup When You Log In . . . . . . . . . . . . . . . . . . . . . . . . . . .34
Stopping and Restarting Setup Manually . . . . . . . . . . . . . . . . . . . . .36
Stopping Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Restarting Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .36
Setup Part 1: Basic System Configuration . . . . . . . . . . . . . . . . . . . .36
3
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
4 Contents
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
Contents 5
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
6 Contents
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
Contents 7
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
8 Contents
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
Contents 9
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
10 Contents
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
Contents 11
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
12 Contents
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
Contents 13
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
14 Contents
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
Contents 15
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
16 Contents
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
Contents 17
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
18 Contents
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Contents 19
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
20 Contents
320506-A, January 2006
Preface
The Nortel Application Switch Operating System 23.0.2 Command Reference describes how to
configure and use the Nortel Application Switch Operating System software with your Nortel
Application Switch.
For documentation on installing the switches physically, see the Hardware Installation Guide
for your particular switch model.
“First-Time Configuration” describes how to use the Setup utility for initial
switch configuration and how to change the system passwords.
“Menu Basics” provides an overview of the menu system, including a menu map, global com-
mands, and menu shortcuts.
“The Configuration Menu” describes how to configure switch system parameters, ports,
VLANs, Spanning Tree Protocol, SNMP, Port Mirroring, IP Routing, Port Trunking, and more.
21
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
“The SLB Configuration Menu” describes how to configure Server Load Balancing, Filter-
ing, Global Server Load Balancing, and more.
“The Operations Menu” describes how to use commands which affect switch performance
immediately, but do not alter permanent switch configurations (such as temporarily disabling
ports). The menu describes how to activate or deactivate optional software features.
“The Boot Options Menu” describes the use of the primary and alternate switch images, how
to load a new software image, and how to reset the software to factory defaults.
“The Maintenance Menu” describes how to generate and access a dump of critical switch state
information, how to clear it, and how to clear part or all of the forwarding database.
Appendix C, “Performing a Serial Download” shows how to directly load a binary software
image into the switch for upgrade or maintenance.
“Index” includes pointers to the description of the key words used throughout the book.
Related Documentation
Nortel Application Switch Operating System 23.0.2 Application Guide (Part Number
320507-A)
Provides application explanations and configuration examples for the Switch.
Nortel Application Switch Operating System 23.0.2 Browser-Based Interface (BBI) Quick
Guide (Part Number 320508-A)
Provides a description of the Switch BBI and how to configure and access it on the
Switch.
Nortel Application Switch Hardware Installation Guide (Part Number 315396-E)
Provides a description of the Nortel Application Switch hardware, the physical features,
how to install it, and how to troubleshoot it.
22 Preface
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
Nortel Application Switch Operating System 23.0.2 Release Notes (Part Number 320509-
A).
This document provides a description of new features and caveats and limitations, if any,
in the software.
Typographic Conventions
The following table describes the typographic styles used in this book.
AaBbCc123 This type is used for names of commands, View the readme.txt file.
files, and directories used within the text.
<AaBbCc123> This italicized type appears in command To establish a Telnet session, enter:
examples as a parameter placeholder. Replace host# telnet <IP address>
the indicated text with the appropriate real
name or value when using the command. Do
not type the brackets.
This also shows book titles, special terms, or Read your User’s Guide thoroughly.
words to be emphasized.
Preface 23
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
If you purchased a Nortel service program, contact one of the following Nortel
Technical Solutions Centers:
Additional information about the Nortel Technical Solutions Centers is available at the follow-
ing URL:
http://www.nortelnetworks.com/help/contact/global
An Express Routing Code (ERC) is available for many Nortel products and services. When
you use an ERC, your call is routed to a technical support person who specializes in supporting
that product or service. To locate an ERC for your product or service, refer to the following
URL:
http://www.nortelnetworks.com/help/contact/erc/index.html
24 Preface
320506-A, January 2006
CHAPTER 1
The Command Line Interface
Your Nortel Application Switch is ready to perform basic switching functions right out of the
box. Some of the more advanced features, however, require some administrative configuration
before they can be used effectively.
The extensive Nortel Application Switch Operating System switching software included in
your switch provides a variety of options for accessing and configuring the switch:
A built-in, text-based command line interface and menu system for access via
local terminal or remote Telnet session
A GUI-based Application Switch Element Manager (ASEM) for interactive network
access
SNMP support for access through network management software such as HP OpenView
Nortel Application Switch Operating System Browser-Based Interface (BBI)
The command line interface is the most direct method for collecting switch information and
performing switch configuration. Using a basic terminal, you are presented with a hierarchy of
menus that enable you to view information and statistics about the switch, and to perform any
necessary configuration.
This chapter explains how to access the Command Line Interface (CLI) of the switch.
25
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
Requirements
To establish a console connection with the switch, you will need the following:
Parameter Value
A standard serial cable with a male DB9 connector (see your switch hardware installation
guide for specifics).
Procedure
1. Connect the terminal to the Console port using the serial cable.
To configure the switch for Telnet access, you need to have a device with Telnet software
located on the same network as the switch. The switch must have an IP address. The switch can
get its IP address in one of two ways:
NOTE – You need to enable Telnet and SSH, using serial connection, before you can use these
methods of accessing the switch. Refer to “Establishing a Telnet Connection” on page 27.
NOTE – If connecting to the management port, BOOTP is not supported. The port must be
manually configured with the proper IP address.
Running Telnet
Once the IP parameters on the Nortel Application Switch are configured, you can access the CLI
using a Telnet connection. To establish a Telnet connection with the switch, run the Telnet pro-
gram on your workstation and issue the Telnet command, followed by the switch IP address:
The switch can do only one session of key/cipher generation at a time. Thus, a SSH/SCP client
will not be able to login if the switch is doing key generation at that time or if another client
has just logged in before this client. Similarly, the system will fail to do the key generation if a
SSH/SCP client is logging in at that time.
The supported SSH encryption and authentication methods are listed below.
NOTE – The Nortel Application Switch Operating System implementation of SSH is based on
SSH version 1.5 and supports SSH-1.5-1.X.XX. SSH clients of other versions
(especially Version 2) will not be supported.
Running SSH
Once the IP parameters are configured and the SSH service is turned on the Nortel Application
Switch, you can access the command line interface using an SSH connection.
To establish an SSH connection with the switch, run the SSH program on your workstation by
issuing the SSH command, followed by the switch IP address:
You will then be prompted to enter your user name and password.
User interaction with the switch is completely passive—nothing can be changed on the
Nortel Application Switch. Users may display information that has no security or privacy
implications, such as switch statistics and current operational state information.
Operators can only effect temporary changes on the Nortel Application Switch. These
changes will be lost when the switch is rebooted/reset. Operators have access to the switch
management features used for daily switch operations. Because any changes an operator
makes are undone by a reset of the switch, operators cannot severely impact switch opera-
tion.
Administrators are the only ones that may make permanent changes to the switch configu-
ration—changes that are persistent across a reboot/reset of the switch. Administrators can
access switch functions to configure and troubleshoot problems on the Nortel Application
Switch. Because administrators can also make temporary (operator-level) changes as well,
they must be aware of the interactions between temporary and permanent changes.
Access to switch functions is controlled through the use of unique surnames and passwords.
Once you are connected to the switch via local console, Telnet, or SSH, you are prompted to
enter a password. The default user names/password for each access level are listed in the fol-
lowing table.
NOTE – It is recommended that you change default switch passwords after initial configuration
and as regularly as required under your network security policies. For more information, see
“Setting Passwords” on page 47.
User The User has no direct responsibility for switch management. user
He or she can view all switch status information and statistics,
but cannot make any configuration changes to the switch.
SLB Operator The SLB Operator manages Web servers and other Internet ser- slboper
vices and their loads. In addition to being able to view all switch
information and statistics, the SLB Operator can enable/disable
servers using the Server Load Balancing operation menu.
Layer 4 Operator The Layer 4 Operator manages traffic on the lines leading to the l4oper
shared Internet services. This user currently has the same access
level as the SLB operator. and the access level is reserved for
future use, to provide access to operational commands for opera-
tors managing traffic on the line leading to the shared Internet
services.
Operator The Operator manages all functions of the switch. In addition to oper
SLB Operator functions, the Operator can reset ports or the
entire switch.
SLB Administrator The SLB Administrator configures and manages Web servers slbadmin
and other Internet services and their loads. In addition to SLB
Operator functions, the SLB Administrator can configure
parameters on the Server Load Balancing menus, with the
exception of not being able to configure filters or bandwidth
management.
Administrator The superuser Administrator has complete access to all menus, admin
information, and configuration commands on the Nortel Appli-
cation Switch, including the ability to change both the user and
administrator passwords.
NOTE – With the exception of the “admin” user, access to each user level can be disabled by
setting the password to an empty value. All user levels below “admin” will by default be ini-
tially disabled (empty password) until they are enabled by the “admin” user. This prevents
inadvertently leaving the switch open to unauthorized users.
The following table shows the Main Menu with administrator privileges.
[Main Menu]
info - Information Menu
stats - Statistics Menu
cfg - Configuration Menu
oper - Operations Command Menu
boot - Boot Options Menu
maint - Maintenance Menu
diff - Show pending config changes [global command]
apply - Apply pending config changes [global command]
save - Save updated config to FLASH [global command]
revert - Revert pending or applied changes [global command]
exit - Exit [global command, always available]
NOTE – If you are accessing a user account or Layer 4 administrator account, some menu
options will not be available.
Idle Timeout
By default, the switch will disconnect your console or Telnet session after five minutes of inac-
tivity. This function is controlled by the idle timeout parameter, which can be set from 1 to 10080
minutes. For information on changing this parameter, see “System Configuration” on page 261.
NOTE – If you are configuring a 2000-SSL Series Switch, you can use the Switch Setup Utility
in the Nortel Application Switch Operating System 2000-SSL Series Quick Setup Guide (part
number 215102-A) instead for setting up the Switch and the SSL Processor. Then return to this
guide for configuration and management information on your Switch.
33
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
Enter Password:
NOTE – If the default admin login is unsuccessful, or if the administrator Main Menu appears
instead, the system configuration has probably been changed from the factory default settings.
If you are certain that you need to return the switch to its factory default settings, see “Select-
ing a Configuration Block” on page 515.
3. Enter y to begin the initial configuration of the switch, or n to bypass the Setup facility.
Restarting Setup
You can restart the Setup utility manually at any time by entering the following command at
the administrator prompt:
# /cfg/setup
System Date:
Enter year [2004]:
Enter the last two digits of the year as a number from 00 to 99. “00” is considered 2000. To
keep the current year, press <Enter>.
System Date:
Enter month [4]:
Enter the month as a number from 1 to 12. To keep the current month, press <Enter>.
Enter the date as a number from 1 to 31. To keep the current day, press <Enter>.
System Time:
Enter hour in 24-hour format [18]:
Enter the hour as a number from 00 to 23. To keep the current hour, press <Enter>.
Enter the minute as a number from 00 to 59. To keep the current minute, press <Enter>.
Enter the seconds as a number from 00 to 59. To keep the current second, press <Enter>.
BootP Option:
Current BOOTP usage: disabled
Enter new BOOTP usage [d/e]:
If available on your network, a BOOTP server can supply the switch with IP parameters so that
you do not have to enter them manually. BOOTP must be disabled however, before the system
will prompt for IP parameters.
Enter d to disable the use of BOOTP, or enter e to enable the use of BOOTP. To keep the cur-
rent setting, press <Enter>.
Spanning Tree:
Current Spanning Tree setting: ON
Turn Spanning Tree OFF? [y/n]
Enter y to turn off Spanning Tree, or enter n to leave Spanning Tree on.
NOTE – The port configuration options shown in these steps are for the Nortel Application
Switch Operating System 2424. When configuring port options for other switches, some of the
prompts and options may be different.
If you answer y to configure the management port, you will be prompted for IP address, subnet
mask, broadcast address, default gateway, and other management port options.
Port Config:
Enter port number: (1-28)
If you wish to change settings for individual ports, enter the number of the port you wish to
configure. To skip port configuration, press <Enter> without specifying any port and go to
“Setup Part 3: VLANs” on page 41.
Enter the port speed from the options available, or enter any to have the switch auto-sense the
port speed. To keep the current setting, press <Enter>.
Port Mode:
Current port 1 mode setting: any
Enter new speed ["full"/"half"/"any"]
Enter full for full-duplex, half for half-duplex, or any to have the switch auto-negotiate. To
keep the current setting, press <Enter>.
Enter rx to enable receive flow control, tx for transmit flow control, both to enable both, or
none to turn flow control off for the port. To keep the current setting, press <Enter>.
Enter on to enable autonegotiation, off to disable it, or press <Enter> to keep the current setting.
Enter rx to enable receive flow control, tx for transmit flow control, both to enable both, or
none to turn flow control off for the port. To keep the current setting, press <Enter>.
Enter on to enable port autonegotiation, off to disable it, or press <Enter> to keep the current
setting.
Port VLAN tagging config (tagged port can be a member of multiple VLANs)
Current TAG flag: disabled
Enter new TAG status [d/e]:
Enter d to disable VLAN tagging for the port or enter e to enable VLAN tagging for the port.
To keep the current setting, press <Enter>.
When you are through configuring ports, press <Enter> without specifying any port. Other-
wise, repeat the steps in this section.
VLAN Config:
Enter VLAN number from 2 to 4090, NULL at end:
If you wish to change settings for individual VLANs, enter the number of the VLAN you wish
to configure. To skip VLAN configuration, press <Enter> without typing a VLAN number and
go to “Setup Part 4: IP Configuration” on page 42.
Entering a new VLAN name is optional. To use the pending new VLAN name, press <Enter>.
Type the first port number to add to the current VLAN and press <Enter>. The right angle
prompt appears:
>
For each additional port in the VLAN, type the port number and press <Enter> to move to the
next line. Repeat this until all ports for the VLAN being configured are entered. When you are
finished adding ports to this VLAN, press <Enter> without specifying any port.
VLAN Config:
Enter VLAN number from 2 to 4090, NULL at end:
Repeat the steps in this section until all VLANs have been configured. When all VLANs have
been configured, press <Enter> without specifying any VLAN.
IP Interfaces
IP interfaces are used for defining subnets to which the switch belongs.
Up to 256 IP interfaces can be configured on the Nortel Application Switch. The IP address
assigned to each IP interface provides the switch with an IP presence on your network. No two
IP interfaces can be on the same IP subnet. The interfaces can be used for connecting to the
switch for remote configuration, and for routing between subnets and VLANs (if used).
IP Config:
IP interfaces:
Enter interface number: (1-256)
If you wish to configure individual IP interfaces, enter the number of the IP interface you wish
to configure. To skip IP interface configuration, press <Enter> without typing an interface
number and go to “Default Gateways” on page 43.
2. For the specified IP interface, enter the IP address in dotted decimal notation:
Current VLAN: 1
Enter new VLAN:
Enter the number for the VLAN to which the interface belongs, or press <Enter> without spec-
ifying a VLAN number to accept the current setting.
Repeat the steps in this section until all IP interfaces have been configured. When all interfaces
have been configured, press <Enter> without specifying any interface number.
Default Gateways
1. At the prompt, select a default gateway for configuration, or skip default gateway config-
uration:
IP default gateways:
Enter default gateway number: (1-259)
Enter the number for the default gateway to be configured. To skip default gateway configura-
tion, press <Enter> without typing a gateway number and go to “IP Routing” on page 44.
2. At the prompt, enter the IP address for the selected default gateway:
Enter the IP address in dotted decimal notation, or press <Enter> without specifying an address
to accept the current setting.
Repeat the steps in this section until all default gateways have been configured. When all
default gateways have been configured, press <Enter> without specifying any number.
IP Routing
When IP interfaces are configured for the various subnets attached to your switch, IP routing
between them can be performed entirely within the switch. This eliminates the need to bounce
inter-subnet communication off an external router device. Routing on more complex networks,
where subnets may not have a direct presence on the Nortel Application Switch, can be accom-
plished through configuring static routes or by letting the switch learn routes dynamically.
This part of the Setup program prompts you to configure the various routing parameters.
Enter y to enable IP forwarding. To disable IP forwarding, enter n and proceed to Step 2.To
keep the current setting, press <Enter>.
2. When prompted, decide whether you wish to review the configuration changes:
Enter y to review the changes made during this session of the Setup utility. Enter n to continue
without reviewing the changes. We recommend that you review the changes.
Enter y to apply the changes, or n to continue without applying. Changes are normally applied.
Enter y to save the changes to flash. Enter n to continue without saving the changes. Changes
are normally saved at this point.
5. If you do not apply or save the changes, the system prompts whether to abort them:
Enter y to discard the changes. Enter n to return to the Apply the changes? prompt.
NOTE – After initial configuration is complete, it is recommended that you change the default
passwords as shown in “Setting Passwords” on page 47.
NOTE – This step is optional. Perform this procedure only if you are planning on using SNMP-
based tools, such as Nortel ASEM.
NOTE – If you need to configure SNMPv3, refer to “SNMPv3 Configuration Menu” on page
276 of this manual.
2. Set SNMP read or write community string. By default, they are public and private
respectively.
>> # /cfg/sys/ssnmp/rcomm|wcomm
3. Apply and save configuration if you are not configuring the switch with Telnet support.
Otherwise apply and save after “Optional Setup for Telnet Support” on page 46.
NOTE – This step is optional. Perform this procedure only if you are planning on connecting to
the switch through any telnet application.
1. Enable telnet.
If your network uses Routing Interface Protocol (RIP), enter y to enable the RIP supply. Other-
wise, enter n to disable it. When RIP is enabled, RIP listen is set by default.
Setting Passwords
It is recommended that you change the user and administrator passwords after initial configu-
ration and as regularly as required under your network security policies.
To change both the user password and the administrator password, you must login using the
administrator password. Passwords cannot be modified from the user command mode.
NOTE – If you forget your administrator password, call your technical support representative
for help using the password fix-up mode.
The default password for the administrator account is admin. To change the default password,
follow this procedure:
2. From the Main Menu, use the following command to access the Configuration Menu:
Main# /cfg
[Configuration Menu]
sys - System-wide Parameter Menu
port - Port Menu
pmirr - Port Mirroring Menu
bwm - Bandwidth Management Menu
l2 - Layer 2 Menu
l3 - Layer 3 Menu
slb - Server Load Balancing (Layer 4-7) Menu
security - Security Menu
setup - Step by step configuration set up
dump - Dump current configuration to script file
ptcfg - Backup current configuration to tftp server
gtcfg - Restore current configuration from tftp server
3. From the Configuration Menu, use the following command to select the System Menu:
[System Menu]
syslog - Syslog Menu
mmgmt - Management Port Menu
sshd - SSH Server Menu
radius - RADIUS Authentication Menu
tacacs - TACACS+ Authentication Menu
ntp - NTP Server Menu
sonmp - SONMP Menu
ssnmp - System SNMP Menu
health - System Health Check Menu
access - System Access Menu
date - Set system date
time - Set system time
idle - Set timeout for idle CLI sessions
notice - Set login notice
bannr - Set login banner
smtp - Set SMTP host
hprompt - Enable/disable display hostname (sysName) in CLI prompt
bootp - Enable/disable use of BOOTP
cur - Display current system-wide parameters
4. From the System menu, use the following path to select the User menu:
System# access/user
System# user/admpw
NOTE – If you forget your administrator password, call your technical support representative
for help using the password fix-up mode.
System# apply
System# save
The default password for the user account is user. This password cannot be changed from the
user account. Only the administrator has the ability to change passwords, as shown in the fol-
lowing procedure.
2. From the Main Menu, use the following command to access the Configuration Menu:
Main# cfg
3. From the Configuration Menu, use the following command to select the System Menu:
System# access/user/usrpw
System# apply
System# save
The default password for the Layer 4 administrator account is l4admin. To change the
default password, follow this procedure:
2. From the Main Menu, use the following path to access the user command:
Main# /cfg/sys/access/user
System# l4apw
4. Enter the current administrator password (not the Layer 4 administrator password) at
the prompt:
NOTE – If you forget your administrator password, call your technical support representative
for help using the password fix-up mode.
System# apply
System# save
To make the CLI easy to use, the various commands have been logically grouped into a series
of menus and sub-menus. Each menu displays a list of commands and/or sub-menus that are
available, along with a summary of what each command will do. Below each menu is a prompt
where you can enter any command appropriate to the current menu.
This chapter describes the Main Menu commands, and provides a list of commands and short-
cuts that are commonly available from all the menus within the CLI.
53
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
NOTE – The ssl option is only visible on the Nortel Application Switch Operating System
2000-SSL Series.
[Main Menu]
info - Information Menu
stats - Statistics Menu
cfg - Configuration Menu
oper - Operations Command Menu
boot - Boot Options Menu
maint - Maintenance Menu
ssl - SSl Accelerator Menu
diff - Show pending config changes [global command]
apply - Apply pending config changes [global command]
save - Save updated config to FLASH [global command]
revert - Revert pending or applied changes [global command]
exit - Exit [global command, always available]
Menu Summary
Information Menu
Provides sub-menus for displaying information about the current status of the switch:
from basic system settings to VLANs, Layer 4 settings, and more.
Statistics Menu
Provides sub-menus for displaying switch performance statistics. Included are port, IF, IP,
ICMP, TCP, UDP, SNMP, routing, ARP, DNS, VRRP, and Layer 4 statistics.
Configuration Menu
This menu is available only from an administrator login. It includes sub-menus for config-
uring every aspect of the switch. Changes to configuration are not active until explicitly
applied. Changes can be saved to non-volatile memory.
Operations Command Menu
Operations-level commands are used for making immediate and temporary changes to
switch configuration. This menu is used for bringing ports temporarily in and out
of service, performing port mirroring, and enabling or disabling Server Load Balancing
functions. It is also used for activating or deactivating optional software packages.
Boot Options Menu
This menu is used for upgrading switch software, selecting configuration blocks, and for
resetting the switch when necessary.
Maintenance Menu
This menu is used for debugging purposes, enabling you to generate a dump of the critical
state information in the switch, and to clear entries in the forwarding database and the
ARP and routing tables.
SSL Accelerator Menu
This menu is used for
Global Commands
Some basic commands are recognized throughout the menu hierarchy. These commands are
useful for obtaining online help, navigating through menus, and for applying and saving con-
figuration changes.
For help on a specific command, type help. You will see the following screen:
Command Action
? command Provides more information about a specific command on the current menu.
or help When used without the command parameter, a summary of the global com-
mands is displayed.
lines Set the number of lines (n) that display on the screen at one time. The default
is 24 lines. When used without a value, the current setting is displayed.
exit or quit Exit from the command line interface and log out.
Command Action
ping Use this command to verify station-to-station connectivity across the net-
work. The format is as follows:
ping <host name>|<IP address> [tries <(1-32)> [msec delay]] [-m|
-mgmt|-d|-data]
Where IP address is the hostname or IP address of the device, tries (optional)
is the number of attempts (1-32), msec delay (optional) is the number of mil-
liseconds between attempts. By default, the -d or -data option for net-
work ports is in effect. If the management port is used, specify the -m or
-mgmt option. The DNS parameters must be configured if specifying host-
names (see “Domain Name System Configuration Menu” on page 379).
ping6 Use this command to verify an IP address and interface connectivity across
the network. The format is as follows:
ping6 <IP6 address> <Interface number>
For example:
ping6 3001::1234 - for ping6 global unicast address
ping6 fe80::201:2ff:feb1:10e2 20 - for ping6 link-local address
traceroute Use this command to identify the route used for station-to-station connectiv-
ity across the network. The format is as follows:
traceroute <host name>| <IP address> [<max-hops (1-32)>
[msec delay]] [-m|-mgmt|-d|-data]
Where IP address is the hostname or IP address of the target station, max-
hops (optional) is the maximum distance to trace (1-16 devices), and delay
(optional) is the number of milliseconds for wait for the response. By default,
the -d or -data option for network ports is in effect. If the management
port is used, specify the -m or -mgmt option. As with ping, the DNS
parameters must be configured if specifying hostnames.
pwd Display the command path used to reach the current menu.
telnet This command is used to telnet out of the switch. The format is as follows:
<hostname>|<IP address> [port] [-m|-mgmt|-d|-data].
Where IP address is the hostname or IP address of the device. By default, the
-d or -data option for network ports is in effect. If the management port
is used, specify the -m or -mgmt option.
Command Action
pushd This command stores the current location of the menu tree. Optionally, a new
path to change to can be specified. The format is as follows:
pushd [<new_path>]
popd This command takes the user one level back to the menu location stored by
the last pushd command.
who This command displays the currently logged user’s session information.
Option Description
<Ctrl-p> (Also the up arrow key.) Recall the previous command from the history list. This can
be used multiple times to work backward through the last 10 commands. The recalled
command can be entered as is, or edited using the options below.
<Ctrl-n> (Also the down arrow key.) Recall the next command from the history list. This can be
used multiple times to work forward through the last 10 commands. The recalled com-
mand can be entered as is, or edited using the options below.
<Ctrl-b> (Also the left arrow key.) Move the cursor back one position to the left.
<Ctrl-f> (Also the right arrow key.) Move the cursor forward one position to the right.
<Backspace> (Also the Delete key.) Erase one character to the left of the cursor position.
<Ctrl-k> Kill (erase) all characters from the cursor position to the end of the command line.
Command Stacking
As a shortcut, you can type multiple commands on a single line, separated by forward slashes
(/). You can connect as many commands as required to access the menu option that you want.
For example, the keyboard shortcut to access the Spanning Tree Port Configuration Menu
from the Main# prompt is as follows:
Main# cfg/l2/stg/port
Command Abbreviation
Most commands can be abbreviated by entering the first characters which distinguish the com-
mand from the others in the same menu or sub-menu. For example, the command shown above
could also be entered as follows:
Main# c/l2/st/p
Tab Completion
By entering the first letter of a command at any menu prompt and hitting <Tab>, the CLI will
display all commands or options in that menu that begin with that letter. Entering additional
letters will further refine the list of commands or options displayed. If only one command fits
the input text when <Tab> is pressed, that command will be supplied on the command line,
waiting to be entered. If the <Tab> key is pressed without any input on the command line, the
currently active menu will be displayed.
Configuration Ranges
Most commands now support the use of configuration ranges. Configuration ranges allow the
user to set common parameters on a range of similar items on the switch like ports or VLANs.
For example, the command shown below would set the PVID of ports 1 through 10 to 5.
/info
Information Menu
[Information Menu]
sys - System Information Menu
l2 - Layer 2 Information Menu
l3 - Layer 3 Information Menu
slb - Layer 4-7 Information Menu
bwm - Bandwidth Management Information Menu
security - Show Security status
link - Show link status
port - Show port information
swkey - Show enabled software features
dump - Dump all information
The information provided by each menu option is briefly described in Table 4-1 on page 61,
with pointers to where detailed information can be found.
sys
Displays system menu information. To view menu options, see page 63.
l2
Displays the Layer 2 Information Menu. For details, see page 89.
l3
Displays the Layer 3 information menu. For details, see page 106.
61
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
slb
Displays the Layer 4 Information Menu. To view menu options, see page 132.
bwm
Displays Bandwidth Management information. For details, see page 141.
security
Displays current UDP blast settings and the security status of the port. To view a sample, see
page 146.
link
Displays configuration information about each port, including:
Port number
Port speed (10, 100, 10/100, or 1000)
Duplex mode (half, full, or auto)
Flow control for transmit and receive (no, yes, or auto)
Link status (up or down)
For details, see page 147.
port
Displays port status information, including:
Port number
Whether the port uses VLAN Tagging or not
Port VLAN ID (PVID)
Port name
VLAN membership
For details, see page 149.
swkey
Displays a list of all the optional software packages which have been activated or installed on your
switch. For details see page 150.
dump
Dumps all switch information available from the Information Menu (10K or more, depending on
your configuration).
If you want to capture dump data to a file, set your communication software on your workstation to
capture session data prior to issuing the dump commands. For details, see page 150.
/info/sys
System Information Menu
[System Menu]
snmpv3 - SNMPv3 Information Menu
general - Show general system information
time - Show date and time
log - Show last 64 syslog messages
slog - Show last 64 syslog messages saved in FLASH
mgmt - Show management port information
sonmp - Show SONMP topology table information
capacity - Show switch capacity information
fan - Show switch fan status
temp - Show switch temperature sensor status
encrypt - Show switch encryption licenses
user - Show current user status
dump - Dump all system information
snmpv3
Displays SNMPv3 Information Menu. To view the menu options, see page 65.
general
Displays general system information including:
System information like time, day, and date.
Switch model name and number
How long the switch has been up
Time of last boot
MAC address of the switch management processor
Internal SSL Processor MAC Address if the switch is 2424-SSL
IP address of IP interface #1
Hardware order number and part numbers of the Mainboard Hardware, Management Processor
Board Hardware, and Fast Ethernet Board Hardware
Software image file and version number
Configuration name
Log-in banner, if one is configured
See page 74 for a sample output.
time
Displays the current time.
log
Displays last 64 syslog messages. See page 76 for a sample output and detailed information.
slog
Displays the last 64 syslog messages that are saved in flash. See page 77 for a sample output.
mgmt
Displays Management port information. See page 78 for detailed information.
sonmp
Displays SONMP topology table information. See page 79 for detailed information.
capacity gen|bwm|l2|l3|slb|port
Displays the switch capacity information. This output displays the maximum switch capacity for
the various applications and services that the switch supports. The output contains capacity infor-
mation about Layer 2, Layer 3, RIP, OSPF, BGP, Route Maps, Network Filters, VRRP, Layer 4-7,
which includes Server Load Balancing, Filters, GSLB, Health Checks, Bandwidth Management,
General switch information, and SNMPv3.
See page 80 for a sample output.
fan
Displays the fan status of the switch.
temp
Displays the temperature status of the switch sensors.
encrypt
Displays the current encryption licenses.
user
Displays the current user names.
dump
Displays all system information. See page 84 for a sample output.
/info/sys/snmpv3
SNMPv3 System Information Menu
SNMP version 3 (SNMPv3) is an extensible SNMP Framework that supplements the SNMPv2
Framework by supporting the following:
usm
Displays User Security Model (USM) table information. To view the table, see page 66.
view
Displays information about view, sub tress, mask and type of view. To view a sample, see page 67.
access
Displays View-based Access Control information. To view a sample, see page 68.
group
Displays information about the group that includes, the security model, user name, and group
name. To view a sample, see page 69.
comm
Displays information about the community table information. To view a sample, see page 69.
taddr
Displays the Target Address table information. To view a sample, see page 70.
tparam
Displays the Target parameters table information. To view a sample, see page 71.
notify
Displays the Notify table information. To view a sample, see page 72.
dump
Displays all the SNMPv3 information. To view a sample, see page 73.
/info/sys/snmpv3/usm
SNMPv3 USM User Table Information
The User-based Security Model (USM) in SNMPv3 provides security services such as authen-
tication and privacy of messages. This security model makes use of a defined set of user iden-
tities displayed in the USM user table. The USM user table contains information like:
usmUser Table:
User Name Protocol
-------------------------------- --------------------------------
admin NO AUTH, NO PRIVACY
adminmd5 HMAC_MD5, DES PRIVACY
adminsha HMAC_SHA, DES PRIVACY
v1v2only NO AUTH, NO PRIVACY
Field Description
User Name This is a string that represents the name of the user that you can
use to access the switch.
Protocol This indicates whether messages sent on behalf of this user are
protected from disclosure using a privacy protocol. Nortel Appli-
cation Switch Operating System23.0.2 supports DES algorithm
for privacy. The software also supports two authentication algo-
rithms: MD5 and HMAC-SHA.
/info/sys/snmpv3/view
SNMPv3 View Table Information
The user can control and restrict the access allowed to a group to only a subset of the manage-
ment information in the management domain that the group can access within each context by
specifying the group’s rights in terms of a particular MIB view for security reasons.
Field Description
Subtree Displays the MIB subtree as an OID string. A view subtree is the set
of all MIB object instances which have a common Object Identifier
prefix to their names.
/info/sys/snmpv3/access
SNMPv3 Access Table Information
The access control sub system provides authorization services.
The vacmAccessTable maps a group name, security information, a context, and a message
type, which could be the read or write type of operation or notification into a MIB view.
The View-based Access Control Model defines a set of services that an application can use for
checking access rights of a group. This group's access rights are determined by a read-view, a
write-view and a notify-view. The read-view represents the set of object instances authorized
for the group while reading the objects. The write-view represents the set of object instances
authorized for the group when writing objects. The notify-view represents the set of object
instances authorized for the group when sending a notification.
Field Description
Match Displays the match for the contextName. The options are: exact
and prefix.
ReadV Displays the MIB view to which this entry authorizes the read
access.
WriteV Displays the MIB view to which this entry authorizes the write
access.
NotifyV Displays the Notify view to which this entry authorizes the notify
access.
/info/sys/snmpv3/group
SNMPv3 Group Table Information
A group is a combination of security model and security name that defines the access rights
assigned to all the security names belonging to that group. The group is identified by a group
name.
Field Description
Sec Model Displays the security model used, which is any one of: USM,
SNMPv1, SNMPv2, and SNMPv3.
/info/sys/snmpv3/comm
SNMPv3 Community Table Information
This command displays the community table information stored in the SNMP engine.
Field Description
User Name Displays the User Security Model (USM) user name.
Tag Displays the community tag. This tag specifies a set of transport
endpoints from which a command responder application accepts
management requests and to which a command responder applica-
tion sends an SNMP trap.
/info/sys/snmpv3/taddr
SNMPv3 Target Address Table Information
This command displays the SNMPv3 target address table information, which is stored in the
SNMP engine.
Field Description
Name Displays the locally arbitrary, but unique identifier associated with
this snmpTargetAddrEntry.
Taglist This column contains a list of tag values which are used to select tar-
get addresses for a particular SNMP message.
/info/sys/snmpv3/tparam
SNMPv3 Target Parameters Table Information
Field Description
Name Displays the locally arbitrary, but unique identifier associated with
this snmpTargeParamsEntry.
User Name Displays the securityName, which identifies the entry on whose
behalf SNMP messages will be generated using this entry.
Sec Model Displays the security model used when generating SNMP messages
using this entry. The system may choose to return an inconsis-
tentValue error if an attempt is made to set this variable to a
value for a security model which the system does not support.
Sec Level Displays the level of security used when generating SNMP mes-
sages using this entry.
/info/sys/snmpv3/notify
SNMPv3 Notify Table Information
Name Tag
-------------------- --------------------
v1v2trap v1v2trap
Field Description
Name The locally arbitrary, but unique identifier associated with this
snmpNotifyEntry.
Tag This represents a single tag value which is used to select entries in
the snmpTargetAddrTable. Any entry in the snmpTar-
getAddrTable that contains a tag value equal to the value of this
entry, is selected. If this entry contains a value of zero length, no
entries are selected.
/info/sys/snmpv3/dump
SNMPv3 Dump Information
usmUser Table:
User Name Protocol
-------------------------------- --------------------------------
admin NO AUTH, NO PRIVACY
adminmd5 HMAC_MD5, DES PRIVACY
adminsha HMAC_SHA, DES PRIVACY
v1v2only NO AUTH, NO PRIVACY
vacmAccess Table:
Group Name Prefix Model Level Match ReadV WriteV NotifyV
---------- ------ ------- ---------- ------ ------- -------- ------
admin usm noAuthNoPriv exact org org org
v1v2grp snmpv1 noAuthNoPriv exact org org v1v2only
admingrp usm authPriv exact org org org
vacmViewTreeFamily Table:
View Name Subtree Mask Type
-------------------- --------------- ------------ --------------
org 1.3 included
v1v2only 1.3 included
v1v2only 1.3.6.1.6.3.15 excluded
v1v2only 1.3.6.1.6.3.16 excluded
v1v2only 1.3.6.1.6.3.18 excluded
vacmSecurityToGroup Table:
Sec Model User Name Group Name
---------- ------------------------------- -----------------------
snmpv1 v1v2only v1v2grp
usm admin admin
usm adminsha admingrp
snmpCommunity Table:
Index Name User Name Tag
---------- ---------- -------------------- ----------
snmpNotify Table:
Name Tag
-------------------- --------------------
snmpTargetAddr Table:
Name Transport Addr Port Taglist Params
---------- --------------- ---- ---------- ---------------
snmpTargetParams Table:
Name MP Model User Name Sec Model Sec Level
-------------------- -------- ------------------ --------- -------
/info/sys/general
General System Information
NOTE – The display of temperature will come up only if the temperature of any of the sensors
exceeds 60oC. There will be a warning from the software if any of the sensors exceeds this
temperature threshold. The switch will shut down if the power supply overheats and the tem-
perature gets to 100oC. Information about fan failures will also be displayed if one or more
fans are not functioning.
/info/sys/time
Show System Time
>> Main# /info/sys/time
12:52:49 Fri Jul 8, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia
DST on first Sunday of April at 02:00
DST off last Sunday of October at 02:00
/info/sys/log
Show Last 64 Syslog Messages
Date Time Criticality level Message
Nov 19 12:16:51 ALERT stp: STG 1, new root bridge
Nov 19 13:52:03 ALERT ip: cannot contact default gateway
47.80.22.1
Nov 19 13:52:23 NOTICE ip: default gateway 47.80.22.1 operational
Nov 19 13:52:23 NOTICE ip: default gateway 47.80.22.1 enabled
Nov 19 14:21:27 ALERT ip: cannot contact default gateway
47.80.22.1
Nov 19 14:21:47 NOTICE ip: default gateway 47.80.22.1 operational
Nov 19 14:21:47 NOTICE ip: default gateway 47.80.22.1 enabled
Nov 19 14:38:55 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 14:44:02 NOTICE mgmt: admin idle timeout from Telnet/SSH
Nov 19 16:15:06 INFO mgmt: new configuration applied
Nov 19 16:15:20 INFO mgmt: new configuration saved
Nov 19 16:18:44 INFO mgmt: new configuration applied
Nov 19 16:19:37 ERROR mgmt: Error: Apply not done
Nov 19 16:19:57 INFO mgmt: new configuration applied
Nov 19 16:34:35 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 16:39:43 NOTICE mgmt: admin idle timeout from Telnet/SSH
Nov 19 16:39:59 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 16:54:13 NOTICE mgmt: admin idle timeout from Telnet/SSH
Nov 19 17:20:37 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 17:26:21 NOTICE mgmt: admin login from host 47.81.25.49
Nov 19 17:31:53 NOTICE mgmt: admin idle timeout from Telnet/SSH
Each syslog message has a criticality level associated with it, included in text form as a prefix
to the log message. One of eight different prefixes is used, depending on the condition that the
administrator is being notified of, as shown below.
/info/sys/slog
Last 64 Saved Syslog Messages
Aug 20 13:54:21 NOTICE ip: management port default gateway
47.80.22.1 operational
Aug 20 13:57:53 ALERT ip: cannot contact management port default
gateway 47.80.22.1
Aug 20 13:57:57 NOTICE ip: management port default gateway
47.80.22.1 operational
Aug 20 13:58:23 ALERT ip: cannot contact management port default
gateway 47.80.22.1
Aug 20 13:58:33 NOTICE ip: management port default gateway
47.80.22.1 operational
Aug 24 14:43:43 NOTICE mgmt: admin login from host 47.81.25.12
Aug 24 14:49:50 NOTICE mgmt: admin idle timeout from Telnet/SSH
Aug 24 14:51:38 NOTICE mgmt: admin login from host 47.81.25.12
Aug 24 14:57:30 NOTICE mgmt: admin idle timeout from Telnet/SSH
Aug 24 15:05:54 NOTICE mgmt: admin login from host 47.81.25.12
Aug 24 15:11:40 NOTICE mgmt: admin idle timeout from Telnet/SSH
Aug 24 16:00:40 NOTICE mgmt: admin login from host 47.81.25.12
Aug 24 16:00:52 NOTICE mgmt: switch reset from CLI
/info/sys/mgmt
Management Port Information
MAC address:
00:01:81:2e:a4:8d
Interface information:
47.80.23.251 255.255.254.0 47.80.23.255
Gateway information:
47.80.22.1
Use this command to display Management port information on an Nortel Application Switch
including:
/info/sys/sonmp
SONMP Information
This command displays the SynOptics Network Management Protocol (SONMP) topology
table. SONMP protocol is enabled on Nortel Application Switches using the /cfg/sys/
sonmp on command, and is necessary so that a Nortel Application Switch can be discovered
by the Nortel Enterprise Switch Manager.When SONMP is enabled, devices on the network
exchange multicast packets namely: flatnet hellos and segment hellos. The IP
address of the device is written into the hello packets. As the network devices exchange
information, a topology table is built like the one shown below.
Parameter Description
Slot Port Specifies the slot and port on which the topology message was
received.
Seg ID The “segment identifier” of the segment from which the remote
agent send the topology message. Different devices may use differ-
ent methods for representing the segment identifier.
Mac Address The MAC address of the sender of the topology message.
Chassis Type The chassis type of the device that sent the topology message.
Local Seg Indicates if the sender of the topology message is on the same Ether-
net segment (i.e. not across a bridge) as the reporting agent.
State The current state of the sender of the topology message. the values
are:
topChanged—topology information has recently changed
heartbeat—topology information unchanged.
new—sending agent is in new state.
/info/sys/capacity
System Capacity Information
The following sample output from an Nortel Application Switch 2424 displays the maximum
and currently enabled switch capacity for various services and applications from Layer 2-7.
Maximum Current(Enabled)
LAYER 2
FDB 16384 54
FDB per SP 8192
VLANs 1024 1(1)
Static Trunk Groups 12 0(0)
LACP Trunk Groups 28
Trunks per Trunk Group 8
Spanning Tree Groups 16 16(1)
Port Teams 8 8(0)
Monitor Ports 1
LAYER 3
IP Interfaces 256 1(1)
IP Gateways 4+255 1+0(1+0)
IP Routes 4096 7
Static Routes 128 0
ARP Entries 8192 5
Static ARP Entries 128 0
Local Nets 5 0
DNS Servers 2 0
BOOTP Servers 2 0
LAYER 4 - PORTS
Port # Client Server Filter RTS
Continued...
BWM
Policies 512 0
Contracts 1024 1(1)
Groups 32 0
Contracts per Group 8
Time Policies per Contract 2
Security
Configuration source IP ACLs 5120 0
Bogon source IP ACLs 8192 0
Operations source IP ACLs 1024 0
Total source IP ACLs 14340 0
Configuration destination IP ACLs 1024 0
Operations destination IP ACLs 1024 0
Total destination IP ACLs 2052 0
IP DoS attacks prevention 17
TCP DoS attacks prevention 18
UDP DoS attacks prevention 6
ICMP DoS attacks prevention 5
IGMP DoS attacks prevention 3
ARP DoS attacks prevention 5
IPv6 DoS attacks prevention 2
Total DoS attacks prevention 56
UDP ports for UDP blast protection 5000
GENERAL
Syslog hosts 2 0
RADIUS servers 2 0
NTP servers 1 0
SMTP hosts 1 1
Mnet/Mmask 5 0
End Users 10
Panic Dumps 2
MP memory 128M
SP memory 128M
SNMPv3 Users 16 3
SNMPv3 Views 128 5
SNMPv3 Access Groups 32 2
SNMPv3 Target Address Entries 16 0
SNMPv3 Target Params Entries 16 0
/info/sys/fan
Show switch fan status
>> System# fan
Fans OK.
/info/sys/temp
Show switch temperature sensor status
>> System# temp
Temperature OK.
/info/sys/encrypt
Show encryption licenses
AOS contains the following encryption licenses:
BLOWFISH
DES & 3DES
MD5
RC4
SHA-1
/info/sys/user
Show current user status
Usernames:
user - enabled
slboper - disabled
l4oper - disabled
oper - disabled
slbadmin - disabled
l4admin - disabled
admin - Always Enabled
Note: there are pending config changes; use "diff" to see them.
Current User ID table:
/info/sys/dump
System Information Dump
System Information at 7:02:06 Thu Sep 15, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia (GMT offset -4:00)
Continued . . .
Sep 13 16:24:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 13 22:01:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 14 3:38:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 14 9:15:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 14 10:23:04 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 10:23:05 ERROR cli: Error: VLAN 5 doesn't exist; the PVID for port 1
(5) needs to be changed
Sep 14 10:23:05 ERROR cli: Error: PVID 5 for port 1 is not created
Sep 14 10:23:05 ERROR mgmt: Error: Apply not done
Sep 14 10:24:45 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 11:30:36 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 11:35:25 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 11:35:40 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 11:39:37 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 11:49:12 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 11:58:20 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 13:41:54 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 13:46:18 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 14:37:07 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 14:52:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 14 14:58:57 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 16:09:44 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 16:20:44 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 16:24:58 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 16:30:51 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 16:48:16 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 16:50:34 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 16:57:47 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 16:57:55 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 17:00:02 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 17:04:59 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 17:05:49 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 17:06:05 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 19:54:04 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 20:00:22 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 20:01:47 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 20:22:49 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 20:23:10 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 20:23:55 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 20:29:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 14 20:40:41 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 21:43:51 NOTICE mgmt: admin idle timeout from Telnet/SSH
Sep 15 2:06:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 15 6:56:45 NOTICE mgmt: admin login from host 192.168.0.3
Continued . . .
Continued . . .
MAC address:
00:03:24:6e:bd:3d
Interface information:
192.168.0.13 255.255.255.0 192.168.0.255
Gateway information:
192.168.0.1
Engine ID = 80:00:07:50:03:00:01:81:2E:BC:50
usmUser Table:
User Name Protocol
-------------------------------- --------------------------------
adminmd5 HMAC_MD5, DES PRIVACY
adminsha HMAC_SHA, DES PRIVACY
v1v2only NO AUTH, NO PRIVACY
vacmAccess Table:
Group Name Prefix Model Level Match ReadV WriteV NotifyV
---------- ------ ------- ------------ ------ ---------- ---------- --------
v1v2grp snmpv1 noAuthNoPriv exact iso iso v1v2only
admingrp usm authPriv exact iso iso iso
vacmViewTreeFamily Table:
View Name Subtree Mask Type
-------------------- ------------------------------ -------------- ------
iso 1 included
v1v2only 1 included
v1v2only 1.3.6.1.6.3.15 excluded
v1v2only 1.3.6.1.6.3.16 excluded
v1v2only 1.3.6.1.6.3.18 excluded
vacmSecurityToGroup Table:
Sec Model User Name Group Name
---------- ------------------------------- -------------------------------
snmpv1 v1v2only v1v2grp
usm adminmd5 admingrp
usm adminsha admingrp
Continued . . .
snmpCommunity Table:
Index Name User Name Tag
---------- ---------- -------------------- ----------
snmpNotify Table:
Name Tag
-------------------- --------------------
snmpTargetAddr Table:
Name Transport Addr Port Taglist Params
---------- --------------- ---- ---------- ---------------
snmpTargetParams Table:
Name MP Model User Name Sec Model Sec Level
-------------------- -------- -------------------- --------- ---------
/info/l2
Layer 2 Information Menu
[Layer 2 Menu]
fdb - Forwarding Database Information Menu
lacp - Link Aggregation Control Protocol Menu
stg - Show STG information
cist - Show CIST information
trunk - Show Trunk Group information
vlan - Show VLAN information
team - Show port team information
dump - Dump all layer 2 information
fdb
Displays the Forwarding Database Information Menu. For details, see page 90.
lacp
Displays Link Aggregation Control Protocol Information Menu. For details, see page 93.
cist
Display the CIST information.
trunk
When trunk groups are configured, you can view the state of each port in the various trunk groups.
For details, see page 102.
team
Show port team information.
dump
Displays all Layer 2 information.
/info/l2/fdb
Layer 2 FDB Information
The forwarding database (FDB) contains information that maps the media access control
(MAC) address of each known device to the switch port where the device address was learned.
The FDB also shows which other ports have seen frames destined for a particular MAC
address.
NOTE – The master forwarding database supports up to 16K MAC address entries on the MP
per switch. Each SP supports up to 8K entries.
dump
Displays all entries in the Forwarding Database. For more information, see page 92.
/info/l2/fdb/dump
Show All FDB Information
An address that is in the forwarding (FWD) state, means that it has been learned by the switch.
When in the trunking (TRK) state, the port field represents the trunk group number. If the state
for the port is listed as unknown (UNK), the MAC address has not yet been learned by the
switch, but has only been seen as a destination address. When an address is in the unknown
state, no outbound port is indicated, although ports which reference the address as a destination
will be listed under “Reference ports.”
If the state for the port is listed as an interface (IF), the MAC address is for a standard VRRP
virtual router. If the state is listed as a virtual server (VIP), the MAC address is for a virtual
server router—a virtual router with the same IP address as a virtual server.
/info/l2/lacp
Link Aggregation Control Protocol Information
Menu
The following menu options display the Link Aggregation Control Protocol (LACP) informa-
tion on the Nortel Application Switch Operating System.
[LACP Menu]
aggr - Show LACP aggregator information for the port
port - Show LACP port information
dump - Show all LACP ports information
Table 4-15 Link Aggregation Control Protocol Information Menu Options (/info/
lacp)
dump
Displays LACP information of all the ports. Use this command to verify the state of ports in an
LACP trunk group. To view a sample output, see page 96.
/info/lacp/aggr
LACP Aggregator Information
Aggregator Id 1
----------------------------------------------
MAC address - 00:01:81:2e:a1:d1
Actor System Priority - 32768
Actor System ID - 00:01:81:2e:a1:b0
Individual - FALSE
Actor Admin Key - 300
Actor Oper Key - 300
Partner System Priority - 32768
Partner System ID - 00:0d:29:e3:4a:00
Partner Oper Key - 1
ready - TRUE
Number of Ports in aggr - 10
index 0 port 1
index 1 port 2
index 2 port 3
index 3 port 4
index 4 port 5
index 5 port 6
index 6 port 7
index 7 port 8
index 8 port 9
index 9 port 10
/info/lacp/port
LACP Port Information
port 1
----------------------------------------------
lacp_enabled - TRUE
lacp_admin_enabled - TRUE
Individual - TRUE
Selected Aggregator ID - 0
Attached Aggregator ID - 0
ready_n - FALSE
ntt - FALSE
selected - Unselcted
port_moved - FALSE
Collection and Distribution state turned ON!
/info/lacp/dump
LACP Dump Information
port lacp adminkey operkey selected prio
attached trunk
aggr
-------------------------------------------------------------------
1 active 300 300 y 32768 1 13
2 active 300 300 y 32768 1 13
3 active 300 300 y 32768 1 13
4 active 300 300 y 32768 1 13
5 active 300 300 y 32768 1 13
6 active 300 300 y 32768 1 13
7 active 300 300 y 32768 1 13
8 active 300 300 y 32768 1 13
9 active 300 300 n 32768 -- --
10 active 300 300 n 32768 -- --
11 active 300 300 n 32768 -- --
12 active 300 300 n 32768 -- --
13 active 300 300 n 32768 -- --
14 off 14 14 n 32768 -- --
15 off 15 15 n 32768 -- --
16 off 16 16 n 32768 -- --
17 off 17 17 n 32768 -- --
18 off 18 18 n 32768 -- --
19 off 19 19 n 32768 -- --
20 off 20 20 n 32768 -- --
21 off 21 21 n 32768 -- --
22 off 22 22 n 32768 -- --
23 off 23 23 n 32768 -- --
24 off 24 24 n 32768 -- --
25 off 25 25 n 32768 -- --
26 off 26 26 n 32768 -- --
27 off 27 27 n 32768 -- --
28 off 28 28 n 32768 -- --
/info/l2/stg
Layer 2 Spanning Tree Group Information
When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the network
so that a switch uses only the most efficient path.
NOTE – Nortel Application Switch Operating System 23.0.2 supports up to 16 multiple Span-
ning Tress or Spanning Tree Groups.
The switch software uses the IEEE 802.1d Spanning Tree Protocol (STP). In addition to seeing
if STP is enabled or disabled, you can view the following STP bridge information:
Priority
Hello interval
Maximum age value
Forwarding delay
Aging time
Parameter Description
Priority (bridge) The bridge priority parameter controls which bridge on the network will
become the STP root bridge.
Hello The hello time parameter specifies, in seconds, how often the root bridge
transmits a configuration bridge protocol data unit (BPDU). Any bridge that
is not the root bridge uses the root bridge hello value.
MaxAge The maximum age parameter specifies, in seconds, the maximum time the
bridge waits without receiving a configuration bridge protocol data unit
before it reconfigure the STP network.
FwdDel The forward delay parameter specifies, in seconds, the amount of time that a
bridge port has to wait before it changes from learning state to forwarding
state.
Aging The aging time parameter specifies, in seconds, the amount of time the
bridge waits without receiving a packet from a station before removing the
station from the Forwarding Database.
priority (port) The port priority parameter helps determine which bridge port becomes the
designated port. In a network topology that has multiple bridge ports con-
nected to a single segment, the port with the lowest port priority becomes the
designated port for the segment.
Cost The port path cost parameter is used to help determine the designated port for
a segment. Generally speaking, the faster the port, the lower the path cost. A
setting of 0 indicates that the cost will be set to the appropriate default after
the link speed has been auto negotiated.
State The state field shows the current state of the port. The state field can be either
BLOCKING, LISTENING, LEARNING, FORWARDING, or DISABLED.
Parameter Description
Designated The designated bridge resides closest to the root bridge and is responsible for
Bridge forwarding packets from LAN towards the root bridge. This bridge is dis-
played as character string starting with the bridge priority (1-65535) fol-
lowed by a hyphen and six byte MAC address of that switch.
Designated port The designated port identifies a physical port. This is a number that is the
numerical sum of bridge priority and the actual physical port number. For
example, a physical port number four with bridge priority 32768 will be dis-
played as 32678+4=32772.
/info/l2/cist
Show common internal spanning tree (CIST) information
NOTE – Nortel Application Switch Operating System 23.0.2 supports up to 16 multiple Span-
ning Tress or Spanning Tree Groups.
------------------------------------------------------------------
Common Internal Spanning Tree:
VLANs: 1 4-4094
/info/l2/trunk
Trunk Group Information
Trunk groups can provide super-bandwidth, multi-link connections between Nortel Applica-
tion Switches or other trunk-capable devices. A trunk group is a group of ports that act
together, combining their bandwidth to create a single, larger virtual link. When trunk groups
are configured, you can view the state of each port in the various trunk groups.
NOTE – If Spanning Tree Protocol on any port in the trunk group is set to forwarding, the
remaining ports in the trunk group will also be set to forwarding.
/info/l2/vlan
VLAN Information
VLAN Name Status Jumbo BWC Learn Ports
---- -------------------------------- ------ ----- ---- ----- -----
1 Default VLAN ena n 1024 ena 1-28
This information display includes all configured VLANs and all member ports that have an
active link state. Port membership is represented in slot/port format.
VLAN Number
VLAN Name
Status
Jumbo Frames
Bandwidth Contract if BWM is enabled
Source MAC Address Learning
Port membership of the VLAN
/info/l2/vlan
VLAN Information
VLAN Name Status Jumbo BWC Learn Ports
---- -------------------------------- ------ ----- ---- ----- -----
1 Default VLAN ena n 1024 ena 1-28
/info/l2/team
Status of port teams
>> Layer 2# team
All port teams are disabled.
/info/l2/dump
Layer2 Dump Information
Spanning Tree Group 1: On
/info/l3
Layer3 Information Menu
[Layer 3 Menu]
route - IP Routing Information Menu
route6 - IP6 Routing Information Menu
arp - ARP Information Menu
nbrcache - IP6 Neighbor Cache Information Menu
bgp - BGP Information Menu
ospf - OSPF Routing Information Menu
ip - Show IP information
vrrp - Show Virtual Router Redundancy Protocol information
dump - Dump all layer 3 information
route
Displays the IP Routing Menu. Using the options of this menu, the system displays the following
for each configured or learned route:
Route destination IP address, subnet mask, and gateway address
Type of route
Tag indicating origin of route
Metric for RIP tagged routes, specifying the number of hops to the destination (1-15 hops, or 16
for infinite hops)
The IP interface that the route uses
For details, see page 107.
route6
IP6 Routing Information Menu. To view menu options, see page 110.
arp
Displays the Address Resolution Protocol (ARP) Information Menu. For details, see page 112.
nbrcache
IP6 Neighbor Cache Menu. To view menu options, see page 115.
bgp
Displays BGP Information Menu. To view menu options, see page 117.
ospf
Displays OSPF routing information menu. For details, see page 119.
ip
Displays IP Information. For details, see page 126.
IP information, includes:
IP interface information: Interface number, IP address, subnet mask, broadcast address, VLAN
number, and operational status.
Default gateway information: Metric for selecting which configured gateway to use, gateway
number, IP address, and health status
IP forwarding information: Enable status, lnet and lmask
Port status
vrrp
Displays the VRRP Information Menu. For details, see page 127.
dump
Displays all Layer 3 information.
/info/l3/route
IP Routing Information
[IP Routing Menu]
find - Show a single route by destination IP address
gw - Show routes to a single gateway
type - Show routes of a single type
tag - Show routes of a single tag
if - Show routes on a single interface
dump - Show all routes
Using the commands listed below, you can display all or a portion of the IP routes currently
held in the switch.
type indirect|direct|local|broadcast|martian|multicast
Displays routes of a single type. For a description of IP routing types, see Table 4-19 on page 109.
tag fixed|static|addr|rip|ospf|bgp|broadcast|martian|vip
Displays routes of a single tag. For a description of IP routing types, see Table 4-20 on page 109.
dump
Displays all routes configured in the switch. For more information, see page 108.
/info/l3/route/dump
Show All IP Route Information
Type Parameters
The following table describes the Type parameters.
Parameter Description
indirect The next hop to the host or subnet destination will be forwarded through a
router at the Gateway address.
martian The destination belongs to a host or subnet which is filtered out. Packets to
this destination are discarded.
Tag Parameters
The following table describes the Tag parameters.
Parameter Description
static The address is a static route which has been configured on the Nortel Appli-
cation Switch.
rip The address was learned by the Routing Information Protocol (RIP).
ospf The address was learned by Open Shortest Path First (OSPF).
bgp The address was learned via Border Gateway Protocol (BGP)
vip Indicates a route destination that is a virtual server IP address. VIP routes are
needed to advertise virtual server IP addresses via BGP.
/info/l3/route6
IPv6 Routing Information Menu
This menu provides a mechanism for viewing IPv6 routing information. The IPv6 routing
table stores routes it learns from network traffic and pre-configured, static routes.
NOTE – Presently there is no mechanism for clearing this IPv6 routing table..
dump
The /info/l3/route6/dump command shows all the IPv6 routes maintained. Since each
link-local interface is shown with an entry prefix of /128, the link-local network; such as FE80::/
10; is not shown for each interface to avoid too many network entries in the table.
/info/l3/arp
ARP Information Menu
Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet
layer. ARP resolves a physical address from an IP address. ARP queries machines on the local
network for their physical addresses. ARP also maintains IP to physical address pairs in its
cache memory. In any IP communication, the ARP cache is consulted to see if the IP address of
the router is present in the ARP cache. Then the corresponding physical address is used to send
a packet.
The ARP information includes IP address and MAC address of each entry, address status flags
(see Table 4-23 on page 114), VLAN and port for the address, and port
referencing information.
dump
Displays all ARP entries. including:
IP address and MAC address of each entry
Address status flag (see below)
The VLAN and port to which the address belongs
The ports which have referenced the address (empty if no port has routed traffic to the IP address
shown)
For more information, see page 114.
help
Displays help on the ARP field entries. For example:
IP address: IP address of ARP entry
Flags: J - ARP entry belongs to a Jumbo capable VLAN
P - Permanent ARP entry (not obtained via ARP request), e.g. IP interface,
VIP, etc.
R - Indirect ARP (cache) entry for IP address reachable via indirect routes
(static/dynamic)
4 - Layer 4 IP address (VIP)
u - Unresolved ARP entry. The MAC address has not been learned.
MAC address: MAC address of ARP entry
VLAN: VLAN of this ARP entry
Port: Physical port where this IP address owner is connected
Referenced SPs: SPs on which this ARP entry is present
addr
Displays the ARP address list: IP address, IP mask, MAC address, and VLAN flags.
/info/l3/arp/refpt
Show ARP Entries on Referenced SP
/info/l3/arp/dump
Show All ARP Entry Information
IP address Flags MAC address VLAN Port Referenced SPs
--------------- ----- ----------------- ---- ---- -------------
1.1.11.1 P 4 00:09:97:16:5f:01 1-4
10.10.10.10 P 4 00:09:97:16:5f:01 1-4
47.80.22.1 00:e0:16:7c:28:86 1 23 empty
47.80.23.81 P 00:09:97:16:5f:00 1 1-4
172.31.3.1 P 00:09:97:16:5f:00 1 1-4
172.31.3.10 00:b0:d0:98:d8:1b 1 3 empty
172.31.3.11 00:b0:d0:98:d8:1b 1 3 empty
Referenced ports are the ports that request the ARP entry. So the traffic coming into the refer-
enced ports has the destination IP address. From the ARP entry (the referenced ports), this traf-
fic needs to be forwarded to the egress port (port 6 in the above example).
NOTE – If you have VMA turned on, the referenced port will be the designated port. If you
have VMA turned off, the designated port will be the normal ingress port.
Flag Description
U Unresolved ARP entry. The MAC address has not been learned.
/info/l3/arp/addr
ARP Address List Information
IP address IP mask MAC address VLAN Flags
--------------- --------------- ----------------- ---- -----
10.10.10.10 255.255.255.255 00:09:97:16:5f:01
1.1.11.1 255.255.255.255 00:09:97:16:5f:01
172.31.4.200 255.255.255.255 00:09:97:16:5f:0e D
172.31.3.1 255.255.255.255 00:09:97:16:5f:00 1
172.31.4.1 255.255.255.255 00:09:97:16:5f:00 1
47.80.23.81 255.255.255.255 00:09:97:16:5f:00 1
/info/l3/nbrcache
IPv6 Neighbor Cache Information
This menu provides a mechanism for viewing IPv6 Neighbor Cache information.
IPv6 uses the Neighbor Discovery (ND) protocol to discover its neighbors link-layer addresses
and neighbor reachabilty. ND can also auto-configure addresses and detect duplicate
addresses. ND enables routers to advertise their presence and address prefixes and to inform
hosts of a better next-hop address to forward packets.
The information collected from ND is stored in the Neighbor Cache. The Neighbor Cache
maintains information about each neighbor such as:
MAC Address
Reachability State
Neighbor Type
VLAN
Ingress Port
Neighbor Cache entries are added in a number of situations:
3. A switch sends ND packets to resolve a link-layer address that it wishes to send packets
to.
INCOMPLETE
The link-layer address of the neighbor has not yet been determined.
REACHABLE
The neighbor is known to have been reachable recently.
STALE
The neighbor is no longer known to be reachable but until traffic is sent to the neighbor, no
attempt should be made to verify its reachability.
DELAY
The neighbor is no longer known to be reachable and traffic has recently been sent to the
neighbor.
PROBE
The neighbor is no longer known to be reachable, and ND messages are sent to
the neighbor to verify reachability.
The neighbor types are LOCAL and DYNAMIC. The LOCAL neighbor type is for switch
pre-configured addresses and DYNAMIC is for neighbor addresses learnt from ND.
NOTE – Once the Neighbor Cache table reaches 2000 entries, table entries are replaced
by adding the new entry and dropping the 2000th entry off the list. Table entries are kept until
the entry is replaced by a new one. During this 2000 full entries period, no new entries will be
used to sort for display.
dump
Displays all IPv6 neighbor cache entries.
/info/l3/bgp
BGP Information Menu
Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to
share routing information with each other and advertise information about the segments of the
IP address space they can access within their network with routers on external networks. For
more information, refer to BGP section in chapter: “The Configuration Menu” on page 257
and the Application Guide.
[BGP Menu]
peer - Show all BGP peers
summary - Show all BGP peers in summary
dump - Show BGP routing table
/info/l3/bgp/peer
BGP Peer information
Following is an example of the information that /info/l3/bgp/peer provides.
BGP Peer Information:
/info/l3/bgp/summary
BGP Summary information
Following is an example of the information that /info/l3/bgp/summary provides.
/info/l3/bgp/dump
Dump BGP Information
Following is an example of the information that /info/l3/bgp/dump provides.
/info/l3/ospf
OSPF Information Menu
Nortel Application Switch Operating System supports the Open Shortest Path First (OSPF)
routing protocol. The Nortel Application Switch Operating System implementation conforms
to the OSPF version 2 specifications detailed in Internet RFC 1583. OSPF is designed for rout-
ing traffic within a single IP domain called an Autonomous System (AS). The AS can be
divided into smaller logical units known as areas. In any AS with multiple areas, one area must
be designated as area 0, known as the backbone. The backbone acts as the central OSPF area.
All other areas in the AS must be connected to the backbone. Areas inject summary routing
information into the backbone, which then distributes it to other areas as needed. For more
information on how to configure OSPF on the switch, refer to the OSPF section in chapter
“The Configuration Menu” on page 257 and your Nortel Application Switch Operating System
Application Guide.
general
Displays general OSPF information. See page 121 for a sample output.
virtual
Displays information about all the configured virtual links.
dbase
Displays OSPF database menu. To view menu options, see page 122.
routes
Displays OSPF routing table. See page 124 for a sample output.
dump
Display all the OSPF information. See for a sample output.
/info/l3/ospf/general
OSPF General Information
OSPF Version 2
Router ID: 47.80.23.247
Started at 95 and the process uptime is 352315
Area Border Router: yes, AS Boundary Router: no
LS types supported are 6
External LSA count 0
External LSA checksum sum 0x0
Number of interfaces in this router is 2
Number of virtual links in this router is 1
16 new lsa received and 34 lsa originated from this router
Total number of entries in the LSDB 10
Database checksum sum 0x0
Total neighbors are 1, of which
2 are >=INIT state,
2 are >=EXCH state,
2 are =FULL state
Number of areas is 2, of which 3-transit 0-nssa
Area Id : 0.0.0.0
Authentication : none
Import ASExtern : yes
Number of times SPF ran : 8
Area Border Router count : 2
AS Boundary Router count : 0
LSA count : 5
LSA Checksum sum : 0x2237B
Summary : noSummary
/info/l3/ospf/if
OSPF Interface Information
/info/l3/ospf/dbase
OSPF Database Information
dbsumm
Displays the following information about the LS database in a table format:
a) the number of LSAs of each type in each area.
b) the total number of LSAs for each area.
c) the total number of LSAs for each LSA type for all areas combined.
d) the total number of LSAs for all LSA types for all areas combined.
No parameters are required.
self
Displays all the self-advertised LSAs. No parameters are required.
all
Displays all the LSAs.
/info/l3/ospf/routes
OSPF Information Route Codes
/info/ospf/dump
OSPF Dump Information
OSPF Version 2
Router ID: 1.1.1.1
Started at 42 and the process uptime is 1197051
Area Border Router: no, AS Boundary Router: no
External LSA count 0
Number of interfaces in this router is 0
Number of virtual links in this router is 0
0 new lsa received and 0 lsa originated from this router
Total number of entries in the LSDB 0
Total neighbors are 0, of which
0 are >=INIT state,
0 are >=EXCH state,
0 are =FULL state
Number of areas is 0, of which 0-transit 0-nssa
OSPF Neighbors:
Intf NeighborID Prio State Address
---- ---------- ---- ----- -------
OSPF LS Database:
OSPF LSDB breakdown for router with ID (1.1.1.1)
No areas enabled.
/info/l3/ip
IP Information
Interface information:
1: 47.80.23.81 255.255.254.0 47.80.23.255, vlan 1, up
2: 172.31.4.1 255.255.255.0 172.31.4.255, vlan 1, up
3: 172.31.3.1 255.255.255.0 172.31.3.255, vlan 1, up
/info/l3/vrrp
VRRP Information
Virtual Router Redundancy Protocol (VRRP) support on Nortel Application Switch provides
redundancy between routers in a LAN. This is accomplished by configuring the same virtual
router IP address and ID number on each participating VRRP-capable routing device. One of
the virtual routers is then elected as the master, based on a number of priority criteria, and
assumes control of the shared virtual router IP address. If the master fails, one of the backup vir-
tual routers will assume routing authority and take control of the virtual router IP address. Refer
to your Nortel Application Switch Operating System Application Guide for more information on
VRRP.
VRRP information:
10: vrid 10, 10.1.2.200, if 10, renter, prio 110, master
11: vrid 11, 11.1.2.200, if 11, renter, prio 118, master
12: vrid 12, 12.1.2.200, if 12, renter, prio 102, backup
13: vrid 13, 13.1.2.200, if 13, renter, prio 118, master
14: vrid 14, 14.1.2.200, if 14, renter, prio 102, backup
20: vrid 20, 20.1.2.200, if 20, renter, prio 110, master
27: vrid 27, 27.1.2.200, if 27, renter, prio 118, master
28: vrid 28, 28.1.2.200, if 28, renter, prio 102, backup
100: vrid 100, 172.21.8.100, if 172, renter, prio 110, master,
server
172: vrid 172, 172.21.8.200, if 172, renter, prio 110, master
254: vrid 254, 27.1.2.100, if 27, renter, prio 102, backup,
server
255: vrid 255, 28.1.2.100, if 28, renter, prio 118, master,
server
VRRP information:
1: vrid 2, 205.178.18.210, if 1, renter, prio 100, master, server
2: vrid 1, 205.178.18.202, if 1, renter, prio 100, backup
3: vrid 3, 205.178.18.204, if 1, renter, prio 100, master, proxy
When virtual routers are configured, you can view the status of each virtual router using this
command. VRRP information includes:
Priority value. During the election process, the virtual router with the highest priority
becomes master.
Activity status
master identifies the elected master virtual router.
backup identifies that the virtual router is in backup mode.
Server status. The server state identifies virtual routers that support Layer 4 services.
These are known as virtual server routers: any virtual router whose IP address is the same
as any configured virtual server IP address.
Proxy status. The proxy state identifies virtual proxy routers, where the virtual router
shares the same IP address as a proxy IP address. The use of virtual proxy routers enables
redundant switches to share the same IP address, minimizing the number of unique IP
addresses that must be configured.
/info/l3/dump
Layer3 Dump Information
This command dumps all the information about Layer 3 parameters. This dump is a collection
of all the individual commands described in the sections above.
IP information:
IP information:
Router ID: 45.1.1.201, AS number 100
Interface information:
2: 45.1.1.201 255.0.0.0 45.255.255.255 , vlan 1, up
3: 205.1.1.201 255.255.255.0 205.1.1.255 , vlan 1, up
4: 172.21.1.254 255.255.255.0 172.21.1.255 , vlan 1, up
Continued
Continued
OSPF is disabled.
Status codes: * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metr LcPrf Wght Path
--------------- --------------- ----- ----- ----- ---------------
*> 45.0.0.0 0.0.0.0 0 ?
*> 172.21.1.0 0.0.0.0 0 ?
*> 205.1.1.0 0.0.0.0 0 ?
/info/slb
Layer 4 Information Menu
Server Load Balancing (SLB) allows you to configure the Nortel Application Switch to bal-
ance user session traffic among a pool of available servers that provide shared services. In an
average network that employs multiple servers without server load balancing, each server usu-
ally specializes in providing one or two unique services. If one of these servers provides access
to applications or data that is in high demand, it can become overutilized. Placing this kind of
strain on a server can decrease the performance of the entire network as user requests are
rejected by the server and then resubmitted by the user stations. With this software feature, the
switch is aware of the services provided by each server and can direct user session traffic to an
appropriate server, based on a variety of load-balancing algorithms.
Refer to your Nortel Application Switch Operating System Application Guide for detailed infor-
mation on this feature.:
sess
Displays the Session Table Information Menu. To view menu options, see page 134.
gslb
Displays the Global SLB Information Menu. To view menu options, see page 139.
synatk
Displays SYN attack detection information. To identify whether or not the server is under SYN
attack, the number of new half open sessions is examined within a set period of time, for example,
every two seconds. This feature requires dbind to be enabled.
dump
Displays all Layer 4 information for the switch. For details, see page 140.
/info/slb/sess
Session Table Information
[Session Table Information Menu]
cip - Show all session entries with source IP address
cip6 - Show all session entries with source IP6 address
cport - Show all session entries with source port
dip - Show all session entries with destination IP address
dip6 - Show all session entries with source IP6 address
dport - Show all session entries with destination port
pip - Show all session entries with proxy IP address
pport - Show all session entries with proxy port
filter - Show all session entries with matching filter
flag - Show all session entries with matching flag
port - Show all session entries with ingress port
real - Show all session entries with real IP address
sp - Show all session entries on sp
dump - Show all session entries
help - Session entry description
cip6 <IP6_address>
Display session entries with the specified IP6 address.
dip6 <IP6_address>
Display session entries with the specified IP6 address.
flag <E|L|N|P|S|Rt|Ru|Ri|Vi|Vr|Vs|Vm|Vd|U|W>
Displays all session entries with matching flag. See “Session dump information in Nortel Applica-
tion Switch Operating System” on page 137 for a description of these options.
help
Displays the description of the session entry.
2,16: 172.21.8.200 44687, 172.21.8.51 http -> 192.168.1.11 wcr age 4 f:12 E
3,01: 172.21.12.19 1040, 39.2.2.1 http -> 47.81.24.79 urlwcr age 6 f:123 E
RTSP
L4-L7 RTSP
L7 WCR RTSP
3,01: 172.21.12.19 4586, 39.2.2.1 rtsp -> 47.81.144.13 urlwcr age 10 f:100 EU
3,01: 172.21.12.19 6970, 39.2.2.1 21220 -> 47.81.144.13 21220 age 10 P
Filtering LinkLB
2,07: 10.0.1.26 1706, 205.178.14.84 http -> 192.168.4.10 linklb age 8 f:10 E
FTP
NAT
Persistent session
(1) SP number This field indicates the Switch Processor number that created the
session.
(2) Ingress port This field shows the physical port through which the client traffic
enters the switch.
(3) Source IP This field contains the source IP address from the client’s IP
address packet in IPv4 or IPv6.
(4) Source port This field identifies the source port from the client’s TCP/UDP
packet.
(5) Destination IP This field identifies the destination IP address from the client’s
address TCP/UDP packet.
(6) Destination This field identifies the destination port from client’s TCP/UDP
port packet.
(7a) Proxy IP This field contains the Proxy IP address substituted by the switch.
address This field contains the real server IP address of the corresponding
server that the switch selects to forward the client packet to, for
load balancing. If the switch does not find a live server, this field
contains the same information as the destination IP address men-
tioned in field (5).
This field also shows the real server IP address for filtering. No
address is shown if the filter action is Allow, Deny or NAT.
It will show “ALLOW”, “DENY” or “NAT” instead.
(7) Proxy Port This field identifies the TCP/UDP source port substituted by the
switch.
(8) Real Server IP For load balancing, this field contains the IP address of the real server
Address that the switch selects to forward client packet to. If the switch does not
find live server, this field is the same as destination IP address (as in row
5).
For example: 3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10
3,01: 1.1.1.1 6970, 2.2.2.1 rtsp -> 2.2.2.1 21220 age 10 P
For filtering, this field also shows the real server IP address. No address is
shown if the filter action is Allow, Deny or NAT. It will show ALLOW,
DENY or NAT instead.
For example: 3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10 f:11
2,07: 1.1.1.1 1706, 2.2.2.1 http-> 192.168.4.10 linklb age 8 f:10 E
Field Description
(9) Server port This field is the same as the destination port (field 6) for load bal-
ancing except for the RTSP UDP session. For RTSP UDP session,
this server port is obtained from the client-server negotiation.
This field is the filtering application port for filtering. It is for
internal use only. This field can be urlwcr, wcr, idslb,
linkslb or nonat.
(10) Age This is the session timeout value. If no packet is received within
the value specified, the session is freed. For example, if:
age 10 - The session is aged out in 10 minutes.
age < 160 - The session is aged out in 160 minutes.
This indicates that slowage is used. The user can configure slowage
by using the command: /cfg/slb/adv/slowage.
(11) Filter number This field indicates the session created by filtering code as a
result of the IP header keys matching the filtering criteria.
(12) Flag “E”: Indicates the session is established and will be aged out if no
traffic is received within session timeout value.
“L”: Indicates the session is a link load balance session.
“N”: Indicates no NAT, which means the session only translates
the destination MAC when forwarding client traffic to the real
server.
“P”: Indicates the session is a persistent session and is not to be aged out.
Fields (6), (7) and (8) cannot have persistent session.
“S”: Indicates the session is a persistent session and the application is
SSL session ID, or Cookie Pbind.
“Rt”: Indicates the session is TCP rate limiting for every client entry.
“Ru”: Indicates UDP rate limiting for every client entry.
“Ri”: Indicates the session is ICMP rate limiting per-client entry.
“Vr”: Indicates the session is a SIP REGISTER session.
“Vs”: Indicates the session is a SIP SUBSCRIBE session.
“Vi”: Indicates the session is a SIP INVITE session.
“Vm”: Indicates the session is a SIP MESSAGE session.
“Vd”: Indicates the session is a SIP NAT data session.
“U”: Indicates the session is Layer 7 delayed binding and the switch is
trying to open TCP connection to the real server.
“W”: Indicates the session only translates the destination MAC when
forwarding Layer 7 WCR traffic to the real server.
(13) Persistent session This counter indicates the number of client sessions created to
user count associate with this persistent session.
Operating System
/info/slb/gslb
Global SLB Information Menu
An Nortel Application Switch Operating System running Global SLB selects the most appro-
priate site to direct the client traffic for a given domain during the initial client connection. The
menu for this feature displays the following information:
site
Displays the Global SLB remote site information.
geo
Displays the Global SLB geographical preference information.
pers <IP_Address>
Display the Global SLB DNS persistence cache information.
dump
Displays all Global SLB information.
/info/slb/dump
Show All Layer 4 Information
Real server state:
1: 210.1.2.200, 00:01:02:c1:4b:48, vlan 1, port 1, health 3, up
2: 210.1.2.1, 00:01:02:70:4d:4a, vlan 1, port 8, health 3, up
26: 20.20.20.102, 00:03:47:07:a4:9e, vlan 1, port 6, health 3, up
27: 20.20.20.101, 00:01:02:71:9c:a6, vlan 1, port 7, health 3, up
Port state:
1: filt disabled, filters: 80
2: idslb filt enabled, filters: 200
3: idslb filt enabled, filters: 200
4: filt disabled, filters: 50 200
/info/bwm
Bandwidth Management Information
Bandwidth Management (BWM) enables Web site managers to allocate a portion of the avail-
able bandwidth for specific users or applications. It allows companies to guarantee that critical
business traffic, such as e-commerce transactions, receive higher priority versus non-critical-
traffic. Traffic classification can be based on user or application information. BWM policies
can be configured to set lower and upper bounds on the bandwidth allocation.
You can see the following information on your switch when you execute this command:
ipuser
Displays the IP user entries with their IP addresses. See page 142 for sample output.
cont
Displays the BWM contract information configured on this switch.
/info/bwm/ipuser
BWM IP User Information Menu
[BWM IP User Entries Information Menu]
ip - Show all IP user entries with IP address
cont - Show all IP user entries for a contract
sp - Show all IP user entries on sp
dump - Show all IP user entries
ip <IP address>
Displays the IP user entries for a specific IP address.
dump
Displays all the IP user entries.
/info/bwm/cont
BWM Contract Information
Current Bandwidth Management setting: ON
Policy Enforcement:enabled
BWM history will be mailed in a minute
to 'abcd' at host '100.81.138.26'
BWM IP user table entries 64k
This command displays information about any configured contracts and the BWM policies
applied to the contracts.
Field Description
Field Description
Per User These two columns display information for an ipuser limit, if applied
to the contract. Includes the following:
Limit: the user rate limit applied to the ipuser.
Key: If an ipuser rate limit is enforced, this field displays whether the
user limit is enforced on a source IP address (sip) or a destination IP
address (dip).
State Displays whether the BWM contract is enabled (E) or disabled (D).
Traffic Shaping Displays whether Traffic Shaping is enabled (E) or disabled (D)
for this contract.
/info/security
Security Information
port
This menu displays the current port security settings.
ipacl
This menu displays the current IP ACL settings.
udpblast
This menu displays UDP blast protection settings.
dos
This menu displays DoS protection settings.
dump
This menu displays all security settings.
/info/link
Link Status Information
Alias Port Speed Duplex Flow Ctrl Link
------ ---- ----- -------- --TX-----RX-- ------
1 1 10/100 any yes yes down
2 2 10/100 any yes yes down
3 3 10/100 any yes yes down
4 4 10/100 any yes yes down
5 5 10/100 any yes yes down
6 6 10/100 any yes yes down
7 7 10/100 any yes yes down
8 8 10/100 any yes yes down
9 9 10/100 any yes yes down
10 10 10/100 any yes yes down
11 11 10/100 any yes yes down
12 12 10/100 any yes yes down
13 13 10/100 any yes yes down
14 14 10/100 any yes yes down
15 15 10/100 any yes yes down
16 16 10/100 any yes yes down
17 17 10/100 any yes yes down
18 18 10/100 any yes yes down
19 19 10/100 any yes yes down
20 20 10/100 any yes yes down
21 21 10/100 any yes yes down
22 22 10/100 any yes yes down
23 23 10/100 any yes yes down
24 24 10/100 any yes yes down
25 25 1000 full yes yes down
26 26 1000 full yes yes down
27 27 1000 full yes yes down
28 28 1000 full yes yes down
Use this command to display link status information about each port on an Nortel Application
Switch slot, including:
Port Alias
Port number
Port speed (10, 100, 10/100, or 1000)
Duplex mode (half, full, any, or auto)
Flow control for transmit and receive (no, yes, or auto)
/info/port
Port Information
Alias Port Tag RMON PVID BWC NAME VLAN(s)
------ ---- --- ---- ---- ----- -------------- --------------
1 1 y d 1 1024 1
2 2 n d 2 1024 2
3 3 n d 3 1024 3
4 4 n d 3 1024 3
5 5 n d 1 1024 1
6 6 n d 1 5 1
7 7 n d 1 1024 1
8 8 n d 1 1024 1
9 9 n d 1 1024 1
10 10 n d 1 1024 1
11 11 n d 1 1024 1
12 12 n d 1 1024 1
13 13 n d 1 6 1
14 14 n d 1 1024 1
15 15 n d 1 1024 1
16 16 n d 1 1024 1
17 17 n d 1 1024 1
18 18 n d 1 1024 1
19 19 n d 1 1024 1
20 20 n d 1 1024 1
21 21 n d 1 1024 1
22 22 n d 1 1024 1
23 23 n d 1 1024 1
24 24 n d 1 1024 1
25 25 n d 1 1024 1
26 26 n d 1 1024 1
27 27 n d 1 1024 1
28 28 n d 1 1024 1
Port alias
Port number
Whether the port uses VLAN tagging or not (y or n)
Whether Remote Monitor is enabled or disabled
Port VLAN ID (PVID)
Port name
VLAN membership
/info/swkey
Software Enabled Keys
For optional Layer 4 switching software, the information would be displayed as follows:
Software key information includes a list of all the optional software packages which have been
activated or installed on your switch. For information on ordering optional software license
keys, see “How to Get Help” on page 24.
/info/dump
Information Dump
Use the dump command to dump all switch information available from the Information Menu
(10K or more, depending on your configuration). This data is useful for tuning and debugging
switch performance.
If you want to capture dump data to a file, set your communication software on your worksta-
tion to capture session data prior to issuing the dump commands.
/stats
Statistics Menu
[Statistics Menu]
sys - System Stats Menu
port - Port Stats Menu
pmirr - Port Mirroring Stats Menu
l2 - Layer 2 Stats Menu
l3 - Layer 3 Stats Menu
slb - Server Load Balancing (Layer 4-7) Stats Menu
bwm - Bandwidth Management Stats Menu
security - Security Stats Menu
mp - MP-specific Stats Menu
sp - SP-specific Stats Menu
dump - Dump all stats
151
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
sys
System statistics menu
l2
Displays Layer 2 Statistics Menu. To view menu options, see page 170.
l3
Displays Layer3 Statistics Menu. To view menu options, see page 174.
slb
Displays the Server Load Balancing (SLB) Menu. To view menu options, see page 199.
bwm
Displays the Bandwidth Management Menu. To view menu options, see page 232.
mp
Displays the Management Processor Statistics Menu. Use this command to view information on
how switch management processes and resources are currently being allocated. To view menu
options, see page 248.
security
Displays Security Statistics Menu. To view menu options, see page 239.
snmp
Displays SNMP Statistics.
ntp <clear>
Displays Network Time Protocol (NTP) Statistics.
You can execute the clear command option to delete all statistics.
pm
Displays Port Mirroring Statistics Menu. To view menu options, see page 255.
mgmt
Displays interface statistics for the Management Port. See page 255 for sample output.
dump
Dumps all switch statistics. Use this command to gather data for tuning and debugging switch per-
formance. If you want to capture dump data to a file, set your communication software on your
workstation to capture session data prior to issuing the dump command. For details, see page 256.
/stats/sys
System statistics menu
This menu displays traffic statistics on a system basis.
access
Go to the System Access menu.
mgmt
Management port interface statistics.
ntp
Show NTP server statistics.
snmp
Show SNMP statistics.
dump
Dump system statistics.
brg
Displays bridging (“dot1”) statistics for the port. See page 156 for a sample output and the descrip-
tion of statistics.
ether
Displays Ethernet (“dot1”) statistics for the port. See page 157 for a sample output and the descrip-
tion of statistics.
if
Displays interface statistics for the port. See page 161 for a sample output and the description of
statistics.
ip
Displays IP statistics for the port. See page 162 for a sample output and the description of statis-
tics.
link
Displays link statistics for the port. See page 163 for a sample output and the description of statis-
tics.
rmon
Displays Remote Monitor (RMON) statistics for the port. See page 164 for a sample output and the
description of statistics.
dump
Displays all the port statistics.
clear
This command clears all the statistics on this port.
Statistics Description
dot1PortInFrames The number of frames that have been received by this port from its seg-
ment. A frame received on the interface corresponding to this port is only
counted by this object if and only if it is for a protocol being processed by
the local bridging function, including bridge management frames.
dot1PortOutFrames The number of frames that have been transmitted by this port to its seg-
ment. Note that a frame transmitted on the interface corresponding to this
port is only counted by this object if and only if it is for a protocol being
processed by the local bridging function, including bridge management
frames.
dot1PortInDiscards Count of valid frames received which were discarded (that is, filtered) by
the Forwarding Process.
dot1TpLearnedEntry The total number of Forwarding Database entries, which have been or
Discards would have been learnt, but have been discarded due to a lack of space to
store them in the Forwarding Database. If this counter is increasing, it
indicates that the Forwarding Database is regularly becoming full (a con-
dition which has unpleasant performance effects on the subnetwork). If
this counter has a significant value but is not presently increasing, it indi-
cates that the problem has been occurring but is not persistent.
Statistics Description
dot1BasePortDelay The number of frames discarded by this port due to excessive transit
ExceededDiscards delay through the bridge. It is incremented by both transparent and source
route bridges.
dot1BasePortMtu The number of frames discarded by this port due to an excessive size. It is
ExceededDiscards incremented by both transparent and source route bridges.
dot1StpPortForward The number of times this port has transitioned from the Learning state to
Transitions the Forwarding state.
Statistics Description
Statistics Description
dot3StatsSQETest- A count of times that the SQE TEST ERROR message is generated by the
Errors PLS sub layer for a particular interface. The SQE TEST ERROR is set in
accordance with the rules for the verification of the SQE detection mech-
anism in the PLS Carrier Sense Function as described in IEEE Std.802.3-
1998 Edition, section 7.2.4.6.
This counter does not increment when the interface is operating in full-
duplex mode.
dot3StatsDeferred- A count of frames for which the first transmission attempt on a particular
Transmissions interface is delayed because the medium is busy.
The count represented by an instance of this object does not include
frames involved in collisions.
This counter does not increment when the interface is operating in full-
duplex mode.
Statistics Description
dot3StatsCarrier- The number of times that the carrier sense condition was lost or never
SenseErrors asserted when attempting to transmit a frame on a particular interface.
The count represented by an instance of this object is incremented at most
once per transmission attempt, even if the carrier sense condition fluctu-
ates during a transmission attempt.
This counter does not increment when the interface is operating in full-
duplex mode.
dot3StatsFrameToo- A count of frames received on a particular interface that exceed the maxi-
Longs mum permitted frame size.
The count represented by an instance of this object is incremented when
the frameTooLong status is returned by the MAC service to the LLC
(or other MAC user). Received frames for which multiple error condi-
tions are obtained are, according to the conventions of IEEE 802.3 Layer
Management, counted exclusively according to the error status presented
to the LLC.
dot3StatsInternal- A count of frames for which reception on a particular interface fails due
MacReceiveErrors to an internal MAC sub layer receive error. A frame is only counted by an
instance of this object if it is not counted by the corresponding instance of
either the dot3StatsFrameTooLongs object, the dot3Stats-
AlignmentErrors object, or the dot3StatsFCSErrors object.
The precise meaning of the count represented by an instance of this object
is implementation-specific. In particular, an instance of this object may
represent a count of received errors on a particular interface that are not
otherwise counted.
Statistics Description
ifHCInOctets The number of octets in valid MAC frames received on the interface,
including the MAC header and FCS. This does include the number of
octets in valid MAC Control frames received on this interface.
ifHCInUcastPkts The number of packets, delivered by this sub-layer to a higher sub- layer,
which were not addressed to a multicast or broadcast address at this sub-
layer.
ifHCInBroadcastP- The number of packets, delivered by this sub-layer to a higher sub- layer,
kts which were addressed to a broadcast address at this sub-layer.
ifHCInMulticastP- The number of packets delivered by this sub-layer to a higher (sub) layer,
kts which were addressed to a multicast address at this sub-layer. For a MAC
layer protocol, this includes both Group and Functional addresses.
ifHCInDiscards The number of inbound packets which were chosen to be discarded even
though no errors had been detected to prevent their being delivered to a
higher-layer protocol. One possible reason for discarding such a packet
could be to free up buffer space.
ifHCOutOctets The number of octets transmitted in valid MAC frames on this interface,
including the MAC header and FCS. This does not include the number of
octets in valid MAC Control frames transmitted on this interface.
Statistics Description
ifHCOutDiscards The number of outbound packets which were chosen to be discarded even
though no errors had been detected to prevent their being transmitted.
One possible reason for discarding such a packet could be to free up
buffer space.
Statistics Description
ipInReceives The total number of input datagrams received from interfaces, including
those received in error.
Statistics Description
ipInAddrErrors The number of input datagrams discarded because the IP address in their
IP header's destination field was not a valid address to be received at this
entity (the switch). This count includes invalid addresses (for example,
0.0.0.0) and addresses of unsupported Classes (for example, Class E). For
entities which are not IP Gateways and therefore do not forward data-
grams, this counter includes datagrams discarded because the destination
address was not a local address.
ipForwDatagrams The number of input datagrams for which this entity (the switch) was not
their final IP destination, as a result of which an attempt was made to find
a route to forward them to that final destination. In entities which do not
act as IP Gateways, this counter will include only those packets which
were Source-Routed via this entity (the switch), and the Source- Route
option processing was successful.
ipInDiscards The number of input IP datagrams for which no problems were encoun-
tered to prevent their continued processing, but which were discarded (for
example, for lack of buffer space). Note that this counter does not include
any datagrams discarded while awaiting re-assembly.
ipTtlExceeds The number of IP datagram for which an ICMP TTL exceeded mes-
sage was sent.
ipLANDattacks The number of packets that have the same source and destination IP
address.
Statistics Description
Statistics Description
etherStatsDrop The total number of events in which packets were dropped by the probe
Events due to lack of resources. Note that this number is not necessarily the num-
ber of packets dropped; it is just the number of times this condition has
been detected.
Statistics Description
etherStatsOctets The total number of octets of data (including those in bad packets)
received on the network (excluding framing bits but including FCS
octets).
This object can be used as a reasonable estimate of utilization (which is
the percent utilization of the ethernet segment). If greater precision is
desired, the etherStatsPkts and etherStatsOctets objects
should be sampled before and after a common interval. The differences in
the sampled values are Pkts and Octets, respectively, and the number
of seconds in the interval is Interval. These values are used to calcu-
late the utilization as follows:
etherStatsPkts The total number of packets (including bad packets, broadcast packets,
and multicast packets) received.
etherStatsBroad- The total number of good packets received that were directed to the
castPkts broadcast address. Note that this does not include multicast packets.
etherStatsMulti- The total number of good packets received that were directed to a multi-
castPkts cast address. Note that this number does not include packets directed to
the broadcast address.
etherStatsCRCAlign The total number of packets received that had a length (excluding fram-
Errors ing bits, but including Frame Check Sequence (FCS) octets) of between
64 and 1518 octets, inclusive, but had either a bad Frame Check
Sequence (FCS) with an integral number of octets (FCS Error) or a bad
FCS with a non-integral number of octets (Alignment Error).
etherStatsUnder- The total number of packets received that were less than 64 octets long
sizePkts (excluding framing bits, but including FCS octets) and were otherwise
well formed.
etherStatsOver- The total number of packets received that were longer than 1518 octets
sizePkts (excluding framing bits, but including FCS octets) and were otherwise
well formed.
Statistics Description
etherStatsFrag- The total number of packets received that were less than 64 octets in
ments length (excluding framing bits but including FCS octets) and had either a
bad Frame Check Sequence (FCS) with an integral number of octets
(FCS Error) or a bad FCS with a non-integral number of octets (Align-
ment Error).
Note that it is entirely normal for etherStatsFragments to incre-
ment. This is because it counts both runts (which are normal occurrences
due to collisions) and noise hits. (A runt is a packet that is less than 64
bytes.)
etherStatsJabbers The total number of packets received that were longer than 1518 octets
(excluding framing bits, but including FCS octets), and had either a bad
Frame Check Sequence (FCS) with an integral number of octets (FCS
Error) or a bad FCS with a non-integral number of octets (Alignment
Error).
Note that this definition of jabber is different than the definition in IEEE-
802.3 section 8.2.1.5 (10Base-5) and section 10.3.1.4 (10Base-2). These
documents define jabber as the condition where any packet exceeds 20
ms. The allowed range to detect jabber is between 20 milliseconds and
150 milliseconds.
etherStats- The best estimate of the total number of collisions on this Ethernet seg-
Collisions ment.
The value returned will depend on the location of the RMON probe. Sec-
tion 8.2.1.3 (10Base-5) and section 10.3.1.3 (10Base-2) of IEEE standard
802.3 states that a station must detect a collision, in the receive mode, if
three or more stations are transmitting simultaneously. A repeater port
must detect a collision when two or more stations are transmitting simul-
taneously. Thus a probe placed on a repeater port could record more colli-
sions than a probe connected to a station on the same segment would.
Probe location plays a much smaller role when considering 10Base-T.
14.2.1.4 (10Base-T) of IEEE standard 802.3 defines a collision as the
simultaneous presence of signals on the DO and RD circuits (transmitting
and receiving at the same time). A 10Base-T station can only detect colli-
sions when it is transmitting. Thus probes placed on a station and a
repeater, should report the same number of collisions.
Note also that an RMON probe inside a repeater should ideally report col-
lisions between the repeater and one or more other hosts (transmit colli-
sions as defined by IEEE 802.3k) plus receiver collisions observed on
any coax segments to which the repeater is connected.
etherStatsPkts64- The total number of packets (including bad packets) received that were
Octets 64 octets in length (excluding framing bits but including Frame Check
Sequence (FCS) octets).
Statistics Description
etherStatsPkts65- The total number of packets (including bad packets) received that were
to127Octets between 65 and 127 octets in length (excluding framing bits but including
FCS octets).
etherStatsPkts128- The total number of packets (including bad packets) received that were
to255Octets between 128 and 255 octets in length (excluding framing bits but includ-
ing Frame Check Sequence (FCS) octets).
etherStatsPkts256- The total number of packets (including bad packets) received that were
to511Octets between 256 and 511 octets in length (excluding framing bits but includ-
ing FCS octets).
etherStatsPkts512- The total number of packets (including bad packets) received that were
to1023Octets between 512 and 1023 octets in length (excluding framing bits but includ-
ing FCS octets).
etherStatsPkts- The total number of packets (including bad packets) received that were
1024to1518Octets between 1024 and 1518 octets in length (excluding framing bits but
including FCS octets).
/stats/pmirr
Port mirroring statistics menu
This menu displays port mirroring statistics on an all ports basis.
dump
Displays all mirrored port statistics.
clear
Clears the port statistics.
/stats/l2
Layer 2 Statistics Menu
fdb
Displays Forwarding Database statistics. To view statistics and their description, see page 171.
stg
Displays Spanning Tree Group statistics. To view statistics and their description, see page 173.
dump
Dump the Layer 2 statistics.
/stats/l2/fdb
FDB Statistics
FDB statistics:
creates: 9611 deletes: 9553
current: 58 hiwat: 65
lookups: 850254 lookup fails: 151373
finds: 5832 find fails: 0
find_or_c's: 11874 overflows: 0
max: 16384
This menu option enables you to display statistics regarding the use of the forwarding data-
base, including the number of new entries, finds, and unsuccessful searches.
Statistic Description
hiwat Highest number of entries recorded at any given time in the Forwarding
Database.
Statistic Description
/stats/l2/lacp
LACP Statistics
Field Description
Valid LACPDUs received The number of LACPDUs that the switch received on this port.
Valid Marker PDUs The number of valid Marker PDUs that the switch received on this
received port.
Valid Marker Rsp PDUs The number of valid Marker Responses that the switch received on
received this port.
Unknown version/TLV The number of unknown version or TLV type that the switch
type received on this port.
Illegal subtype The number of illegal LACP subtype received on this port.
received
Marker PDUs transmit- The number of Marker PDUs transmitted out of this port.
ted
Marker Rsp PDUs trans- The number of Marker Responses transmitted out of this port.
mitted
/stats/l2/stg
Spanning Tree Group Statistics
Field Description
Rcv TCN Displays the number of TCN (Topology Change Notification) mes-
sages received.
Field Description
Xmt TCN Displays the number of TCN (Topology Change Notification) mes-
sages transmitted
/stats/l3
Layer 3 Statistics Menu
ospf
Displays OSPF statistics Menu. See page 176 for sample output.
ip
Displays IP statistics. See page 181 for sample output.
ip6
Displays IP6 statistics.See page 184 for sample output.
route
Displays route statistics. See page 189 for sample output.
arp
Displays Address Resolution Protocol (ARP) statistics. See page 190 for sample output.
vrrp
When virtual routers are configured, you can display the following protocol statistics for VRRP:
Advertisements received (vrrpInAdvers)
Advertisements transmitted (vrrpOutAdvers)
Advertisements received, but ignored (vrrpBadAdvers)
See page 191 for sample output.
dns
Displays Domain Name Server/System (DNS) statistics. See page 192 for sample output.
icmp
Displays ICMP statistics. See page 193 for sample output.
tcp
Displays TCP statistics. See page 197 for sample output.
udp
Displays UDP statistics. See page 199 for sample output.
ifclear
Clears IP interface statistics. Use this command with caution as it will delete all the IP interface
statistics.
ipclear
Clears IP statistics. Use this command with caution as it will delete all the IP statistics.
dump
Dumps all Layer 3 switch statistics. Use this command to gather data for tuning and debugging
Layer 3 switch performance. If you want to capture dump data to a file, set your communication
software on your workstation to capture session data prior to issuing the dump command.
/stats/l3/ospf
OSPF Statistics Menu
[OSPF stats Menu]
general - Show global stats
aindex - Show area(s) stats
if - Show interface(s) stats
general
Displays global statistics. See page 177 for sample output and details.
/stats/l3/ospf/general
OSPF Global Statistics
The OSPF General Statistics contain the sum total of all OSPF packets received on all OSPF
areas and interfaces.
OSPF stats
----------
Rx/Tx Stats: Rx Tx
-------- --------
Pkts 0 0
hello 23 518
database 4 12
ls requests 3 1
ls acks 7 7
ls updates 9 7
Timers kickoff
hello 514
retransmit 1028
lsa lock 0
lsa ack 0
dbage 0
summary 0
ase export 0
Statistics Description
Rx/Tx Stats:
Rx Pkts The sum total of all OSPF packets received on all OSPF areas and inter-
faces.
Tx Pkts The sum total of all OSPF packets transmitted on all OSPF areas and
interfaces.
Rx Hello The sum total of all Hello packets received on all OSPF areas and inter-
faces.
Tx Hello The sum total of all Hello packets transmitted on all OSPF areas and
interfaces.
Rx Database The sum total of all Database Description packets received on all OSPF
areas and interfaces.
Tx Database The sum total of all Database Description packets transmitted on all
OSPF areas and interfaces.
Rx ls Requests The sum total of all Link State Request packets received on all OSPF
areas and interfaces.
Tx ls Requests The sum total of all Link State Request packets transmitted on all OSPF
areas and interfaces.
Rx ls Acks The sum total of all Link State Acknowledgement packets received on all
OSPF areas and interfaces.
Tx ls Acks The sum total of all Link State Acknowledgement packets transmitted on
all OSPF areas and interfaces.
Rx ls Updates The sum total of all Link State Update packets received on all OSPF areas
and interfaces.
Tx ls Updates The sum total of all Link State Update packets transmitted on all OSPF
areas and interfaces.
Statistics Description
hello The sum total of all Hello packets received from neighbors on all OSPF
areas and interfaces.
Start The sum total number of neighbors in this state (that is, an indication that
Hello packets should now be sent to the neighbor at intervals of Hel-
loInterval seconds) across all OSPF areas and interfaces.
negotiation done The sum total number of neighbors in this state wherein the Master/slave
relationship has been negotiated, and sequence numbers have been
exchanged, across all OSPF areas and interfaces.
exchange done The sum total number of neighbors in this state (that is, in an adjacency's
final state) having transmitted a full sequence of Database Description
packets, across all OSPF areas and interfaces.
bad requests The sum total number of Link State Requests which have been received
for a link state advertisement not contained in the database across all
interfaces and OSPF areas.
bad sequence The sum total number of Database Description packets which have been
received that either:
a) Has an unexpected DD sequence number
b) Unexpectedly has the init bit set
c) Has an options field differing from the last Options field
received in a Database Description packet.
Any of these conditions indicate that some error has occurred during
adjacency establishment for all OSPF areas and interfaces.
loading done The sum total number of link state updates received for all out-of-date
portions of the database across all OSPF areas and interfaces.
n1way The sum total number of Hello packets received from neighbors, in which
this router is not mentioned across all OSPF interfaces and areas.
rst_ad The sum total number of times the Neighbor adjacency has been reset
across all OPSF areas and interfaces.
Statistics Description
down The total number of Neighboring routers down (that is, in the initial
state of a neighbor conversation) across all OSPF areas and interfaces.
hello The sum total number of Hello packets sent on all interfaces and areas.
down The sum total number of interfaces down in all OSPF areas.
loop The sum total of interfaces no longer connected to the attached network
across all OSPF areas and interfaces.
unloop The sum total number of interfaces, connected to the attached network in
all OSPF areas.
wait timer The sum total number of times the Wait Timer has been fired, indicating
the end of the waiting period that is required before electing a (Backup)
Designated Router across all OSPF areas and interfaces.
backup The sum total number of Backup Designated Routers on the attached net-
work for all OSPF areas and interfaces.
nbr change The sum total number of changes in the set of bidirectional neighbors
associated with any interface across all OSPF areas.
Timers Kickoff:
hello The sum total number of times the Hello timer has been fired (which trig-
gers the send of a Hello packet) across all OPSF areas and interfaces.
retransmit The sum total number of times the Retransmit timer has been fired across
all OPSF areas and interfaces.
lsa lock The sum total number of times the Link State Advertisement (LSA) lock
timer has been fired across all OSPF areas and interfaces.
lsa ack The sum total number of times the LSA Ack timer has been fired across
all OSPF areas and interfaces.
dbage The total number of times the data base age (Dbage) has been fired.
summary The total number of times the Summary timer has been fired.
ase export The total number of times the Autonomous System Export (ASE) timer
has been fired.
/stats/l3/ip
IP Statistics
IP statistics:
ipInReceives: 3115873 ipInHdrErrors: 1
ipInAddrErrors: 35447 ipForwDatagrams: 0
ipInUnknownProtos: 500504 ipInDiscards: 0
ipInDelivers: 2334166 ipOutRequests: 1010542
ipOutDiscards: 4 ipOutNoRoutes: 4
ipReasmReqds: 0 ipReasmOKs: 0
ipReasmFails: 0 ipFragOKs: 0
ipFragFails: 0 ipFragCreates: 0
ipRoutingDiscards: 0 ipDefaultTTL: 255
ipReasmTimeout: 5
Statistics Description
ipInReceives The total number of input datagrams received from interfaces, including
those received in error.
ipInHdrErrors The number of input datagrams discarded due to errors in their IP head-
ers, including bad checksums, version number mismatch, other format
errors, time-to-live exceeded, errors discovered in processing their IP
options, and so forth.
ipInAddrErrors The number of input datagrams discarded because the IP address in their
IP header's destination field was not a valid address to be received at this
entity (the switch). This count includes invalid addresses (for example,
0.0.0.0) and addresses of unsupported Classes (for example, Class E). For
entities which are not IP Gateways and therefore do not forward data-
grams, this counter includes datagrams discarded because the destination
address was not a local address.
ipForwDatagrams The number of input datagrams for which this entity (the switch) was not
their final IP destination, as a result of which an attempt was made to find
a route to forward them to that final destination. In entities which do not
act as IP Gateways, this counter will include only those packets, which
were Source-Routed via this entity (the switch), and the Source- Route
option processing was successful.
ipInUnknownProtos The number of locally addressed datagrams received successfully but dis-
carded because of an unknown or unsupported protocol.
Statistics Description
ipInDiscards The number of input IP datagrams for which no problems were encoun-
tered to prevent their continued processing, but which were discarded (for
example, for lack of buffer space). Note that this counter does not include
any datagrams discarded while awaiting re-assembly.
ipReasmFails The number of failures detected by the IP re- assembly algorithm (for
whatever reason: timed out, errors, and so forth). Note that this is not nec-
essarily a count of discarded IP fragments since some algorithms (notably
the algorithm in RFC 815) can lose track of the number of fragments by
combining them as they are received.
ipFragFails The number of IP datagrams that have been discarded because they
needed to be fragmented at this entity (the switch) but could not be, for
example, because their Don't Fragment flag was set.
Statistics Description
ipRoutingDiscards The number of routing entries, which were chosen to be discarded even
though they are valid. One possible reason for discarding such an entry
could be to free-up buffer space for other routing entries.
ipDefaultTTL The default value inserted into the Time-To-Live (TTL) field of the
IP header of datagrams originated at this entity (the switch), whenever a
TTL value is not supplied by the transport layer protocol.
ipReasmTimeout The maximum number of seconds, which received fragments are held
while they are awaiting reassembly at this entity (the switch).
/stats/l3/ip6
IP6 Statistics Menu
>> Layer 3 Statistics# /stat/l3/ip6
------------------------------------------------------------------
IP6 statistics:
InReceives: 20519 InDiscards: 2
InDelivers: 24793 ForwDatagrams: 0
UnknownProtos: 0 InAddrErrors: 0
OutRequests: 34548 OutNoRoutes: 0
ReasmOKs: 0 ReasmFails: 0
IcmpInMsgs: 24793 IcmpInErrors: 4268
IcmpOutMsgs: 12829 IcmpOutErrors: 4271
InEchos: 0 OutEchos: 8538
InEchoReplies: 8536 OutEchoReplies: 0
InDestUnreachs: 4268 OutDestUnreachs: 4271
InPktTooBigs: 0 OutPktTooBigs: 0
InTimeExcds: 0 OutTimeExcds: 0
------------------------------------------------------------------
ICMP6 statistics:
Interface: 1
InMsgs: 18929 InErrors: 0
InEchos: 0 InEchoReplies: 4268
InNeighborSolicits: 4513 InNeighborAdvertisements:4271
InRouterSolicits: 0 InRouterAdvertisements: 5877
InDestUnreachs: 0 InTimeExcds: 0
InPktTooBigs: 0 InParmProblems: 0
InRedirects: 0
OutMsgs: 4280 OutErrors: 0
OutEchos: 4269 OutEchoReplies: 0
OutNeighborSolicits: 3 OutNeighborAdvertisements:4516
OutRouterSolicits: 0 OutRouterAdvertisements: 1
OutRedirects: 0
------------------------------------------------------------------
Interface: 7
InMsgs: 5864 InErrors: 4268
InEchos: 0 InEchoReplies: 4268
InNeighborSolicits: 122 InNeighborAdvertisements: 3
InRouterSolicits: 0 InRouterAdvertisements: 1471
InDestUnreachs: 4268 InTimeExcds: 0
InPktTooBigs: 0 InParmProblems: 0
InRedirects: 0
OutMsgs: 8549 OutErrors: 4271
OutEchos: 4269 OutEchoReplies: 0
OutNeighborSolicits: 2 OutNeighborAdvertisements:124
OutRouterSolicits: 0 OutRouterAdvertisements: 1
OutRedirects: 0
------------------------------------------------------------------
Statistics Description
OutRequests The total number of IPv6 datagrams which local IPv6 user-protocols
(including ICMP) supplied to IPv6 in requests for transmission.
Note that this counter does not include any datagrams counted in
ipv6IfStatsOutForwDatagrams.
InDiscards The number of input IPv6 datagrams for which no problems were
encountered to prevent their continued processing, but which were
discarded (e.g., for lack of buffer space). Note that this counter does
not include any datagrams discarded while awaiting re-assembly.
ForwDatagrams The number of output datagrams which this entity received and for-
warded to their final destinations. In entities which do not act as
IPv6 routers, this counter will include only those packets which
were Source-Routed via this entity, and the Source-Route processing
was successful. Note that for a successfully forwarded datagram the
counter of the outgoing interface is incremented.
InAddrErrors The number of input datagrams discarded because the IPv6 address
in their IPv6 header's destination field was not a valid address to be
received at this entity. This count includes invalid addresses (e.g.,
::0) and unsupported addresses (e.g., addresses with unallocated pre-
fixes). For entities which are not IPv6 routers and therefore do not
forward datagrams, this counter includes datagrams discarded
because the destination address was not a local address.
Statistics Description
IcmpInMsgs The total number of ICMP messages received by the interface which
includes all those counted by ipv6IfIcmpInErrors. Note that this
interface is the interface to which the ICMP messages were
addressed which may not be necessarily the input interface for the
messages.
IcmpOutMsgs The total number of ICMP messages which this interface attempted
to send. Note that this counter includes all those counted
by icmpOutErrors
IcmpInErrors The number of ICMP messages which the interface received but
determined as having ICMP-specific errors (bad ICMP checksums,
bad length, etc.).
IcmpOutErrors The number of ICMP messages which this interface did not send due
to problems discovered within ICMP such as a lack of buffers. This
value should not include errors discovered outside the ICMP layer
such as the inability of IPv6 to route the resultant datagram. In some
implementations there may be no types of error which contribute to
this counter's value.
IcmpInEchos The number of ICMP Echo (request) messages received by the inter-
face.
InMsgs The total number of ICMP messages received by the interface which
includes all those counted by ipv6IfIcmpInErrors. Note that this
interface is the interface to which the ICMP messages were
addressed which may not be necessarily the input interface for the
messages.
Statistics Description
InRouterSolicits The number of ICMP Router Solicit messages received by the inter-
face.
InPktTooBigs The number of ICMP Packet Too Big messages received by the
interface.
InErrors The number of ICMP messages which the interface received but
determined as having ICMP-specific errors (bad ICMP checksums,
bad length, etc.).
InEchoReplies The number of ICMP Echo Reply messages received by the inter-
face.
OutMsgs The total number of ICMP messages which this interface attempted
to send.
OutEchos The number of ICMP Echo Request messages sent by the interface.
OutRedirects The number of Redirect messages sent. For a host, this object will
always be zero, since hosts do not send redirects.
Statistics Description
OutErrors The number of ICMP messages which this interface did not send due
to problems discovered within ICMP such as a lack of buffers. This
value should not include errors discovered outside the ICMP layer
such as the inability of IPv6 to route the resultant datagram. In some
implementations there may be no types of error which contribute to
this counter's value.
OutEchoReplies The number of ICMP Echo Reply messages sent by the interface.
/stats/l3/route
Route Statistics
Route statistics:
ipRoutesCur: 3 ipRoutesHighWater: 3
ipRoutesMax: 4096
------------------------------------------------------------------
SP Route statistics:
SP ipRoutesCur ipRoutesHighWater ipRoutesMax
--- ------------- ------------------- -------------
1 3 3 4096
2 3 3 4096
3 3 3 4096
4 3 3 4096
------------------------------------------------------------------
RIP statistics:
ripInPkts: 0 ripOutPkts: 0
ripDiscardPkts: 0 ripRoutesAgedOut: 0
BGP statistics:
bgpInPkts: 0 bgpOutPkts: 0
bgpBadPkts: 0 bgpSessFailures: 0
bgpRoutesAdded: 0 bgpRoutesRemoved: 0
bgpRoutesCur: 0 bgpRoutesFailed: 0
bgpRoutesIgnored: 0 bgpRoutesFiltered: 0
Statistics Description
ipRoutesHighWater The highest number of routes ever recorded in the route table.
RIP statistics:
ripDiscardPkts The total number of RIP advertisement packets received that were
dropped.
Statistics Description
ripRoutesAgedOut The total number of routes learned via RIP that has aged out.
BGP statistics:
bgpRoutesAdded The total number of routes that were added to the routing table.
bgpRoutesRemoved The total number of routes that were removed from the routing table.
bgpRoutesFailed The total number of BGP routes that failed to add in the routing table.
bgpRoutesIgnored The total number of routes ignored because the peer was not con-
nected locally or multihop was not configured.
/stats/l3/arp
ARP statistics
This menu option enables you to display Address Resolution Protocol statistics.
MP ARP statistics:
arpEntriesCur: 2 arpEntriesHighWater: 2
arpEntriesMax: 8192
------------------------------------------------------------------
SP ARP statistics:
SP arpEntriesCur arpEntriesHighWater arpEntriesMax
--- --------------- --------------------- ---------------
1 1 1 8192
2 1 1 8192
3 1 1 8192
4 1 1 8192
Statistics Description
arpEntriesCur The total number of outstanding ARP entries in the ARP table.
arpEntriesHighWater The highest number of ARP entries ever recorded in the ARP table.
/stats/l3/vrrp
VRRP Statistics
Virtual Router Redundancy Protocol (VRRP) support on the Nortel Application Switch provides
redundancy between routers in a LAN. This is accomplished by configuring the same virtual
router IP address and ID number on each participating VRRP-capable routing device. One of
the virtual routers is then elected as the master, based on a number of priority criteria, and
assumes control of the shared virtual router IP address. If the master fails, one of the backup
virtual routers will assume routing authority and take control of the virtual router IP address.
When virtual routers are configured, you can display the following protocol statistics for VRRP:
VRRP statistics:
vrrpInAdvers: 0 vrrpBadAdvers: 0
vrrpOutAdvers: 0
vrrpBadVersion: 0 vrrpBadVrid: 0
vrrpBadAddress: 0 vrrpBadData: 0
vrrpBadPassword: 0 vrrpBadInterval: 0
Statistics Description
vrrpInAdvers The total number of VRRP advertisements that have been received.
vrrpBadAdvers The total number of VRRP advertisements received that were dropped.
vrrpOutAdvers The total number of VRRP advertisements that have been sent.
vrrpBadVersion
Statistics Description
vrrpBadVrid
vrrpBadAddress
vrrpBadData
vrrpBadPassword
vrrpBadInterval
/stats/l3/dns
DNS Statistics
This menu option enables you to display Domain Name System statistics.
DNS statistics:
dnsInRequests: 0 dnsOutRequests: 0
dnsBadRequests: 0
/stats/l3/icmp
ICMP Statistics
ICMP statistics:
icmpInMsgs: 245802 icmpInErrors: 1393
icmpInDestUnreachs: 41 icmpInTimeExcds: 0
icmpInParmProbs: 0 icmpInSrcQuenchs: 0
icmpInRedirects: 0 icmpInEchos: 18
icmpInEchoReps: 244350 icmpInTimestamps: 0
icmpInTimestampReps: 0 icmpInAddrMasks: 0
icmpInAddrMaskReps: 0 icmpOutMsgs: 253810
icmpOutErrors: 0 icmpOutDestUnreachs: 15
icmpOutTimeExcds: 0 icmpOutParmProbs: 0
icmpOutSrcQuenchs: 0 icmpOutRedirects: 0
icmpOutEchos: 253777 icmpOutEchoReps: 18
icmpOutTimestamps: 0 icmpOutTimestampReps: 0
icmpOutAddrMasks: 0 icmpOutAddrMaskReps: 0
Statistics Description
icmpInMsgs The total number of ICMP messages which the entity (the switch)
received. Note that this counter includes all those counted by
icmpInErrors.
icmpInErrors The number of ICMP messages which the entity (the switch)
received but determined as having ICMP-specific errors (bad ICMP
checksums, bad length, and so forth).
icmpInSrcQuenchs The number of ICMP Source Quench (buffer almost full, stop send-
ing data) messages received.
Statistics Description
icmpOutMsgs The total number of ICMP messages which this entity (the switch)
attempted to send. Note that this counter includes all those counted
by icmpOutErrors.
icmpOutErrors The number of ICMP messages which this entity (the switch) did not
send due to problems discovered within ICMP such as a lack of
buffer. This value should not include errors discovered outside the
ICMP layer such as the inability of IP to route the resultant data-
gram. In some implementations there may be no types of errors that
contribute to this counter's value.
icmpOutSrcQuenchs The number of ICMP Source Quench (buffer almost full, stop send-
ing data) messages sent.
icmpOutRedirects The number of ICMP Redirect messages sent. For a host, this object
will always be zero, since hosts do not send redirects.
Statistics Description
ifInOctets The total number of octets received on the interface, including framing
characters.
ifInDiscards The number of inbound packets that were chosen to be discarded even
though no errors had been detected to prevent their being delivered to a
higher-layer protocol. One possible reason for discarding such a packet
could be to free up buffer space.
ifInErrors For packet-oriented interfaces, the number of inbound packets that con-
tained errors preventing them from being delivered to a higher-layer pro-
tocol. For character-oriented or fixed-length interfaces, the number of
inbound transmission units that contained errors preventing them from
being deliverable to a higher-layer protocol.
ifInUnknownProtos For packet-oriented interfaces, the number of packets received via the
interface which were discarded because of an unknown or unsupported
protocol. For character-oriented or fixed-length interfaces which support
protocol multiplexing the number of transmission units received via the
interface which were discarded because of an unknown or unsupported
protocol. For any interface which does not support protocol multiplexing,
this counter will always
be 0.
Statistics Description
ifOutOctets The total number of octets transmitted out of the interface, including
framing characters.
ifStateChanges The number of times an interface has transitioned from either down to up
or from up to down.
/stats/l3/tcp
TCP Statistics
TCP statistics:
tcpRtoAlgorithm: 4 tcpRtoMin: 0
tcpRtoMax: 240000 tcpMaxConn: 1600
tcpActiveOpens: 0 tcpPassiveOpens: 0
tcpAttemptFails: 0 tcpEstabResets: 0
tcpInSegs: 0 tcpOutSegs: 0
tcpRetransSegs: 0 tcpInErrs: 0
tcpCurBuff: 0 tcpCurConn: 6
tcpCurInConn: 0 tcpCurOutConn: 0
tcpCurLstnConn: 3 tcpOutRsts: 0
tcpAllocTCBFails: 0
Statistics Description
tcpRtoAlgorithm The algorithm used to determine the timeout value used for retransmit-
ting unacknowledged octets.
tcpRtoMin The minimum value permitted by a TCP implementation for the retrans-
mission timeout, measured in milliseconds. More refined semantics
for objects of this type depend upon the algorithm used to determine the
retransmission timeout. In particular, when the timeout algorithm is
rsre(3), an object of this type has the semantics of the LBOUND quantity
described in RFC 793.
tcpRtoMax The maximum value permitted by a TCP implementation for the retrans-
mission timeout, measured in milliseconds. More refined semantics
for objects of this type depend upon the algorithm used to determine the
retransmission timeout. In particular, when the timeout algorithm is
rsre(3), an object of this type has the semantics of the UBOUND quantity
described in RFC 793.
tcpMaxConn The limit on the total number of TCP connections the entity (the switch)
can support. In entities where the maximum number of connections is
dynamic, this object should contain the value -1.
tcpActiveOpens The number of times TCP connections have made a direct transition to
the SYN-SENT state from the CLOSED state.
tcpPassiveOpens The number of times TCP connections have made a direct transition to
the SYN-RCVD state from the LISTEN state.
Statistics Description
tcpAttemptFails The number of times TCP connections have made a direct transition to
the CLOSED state from either the SYN-SENT state or the SYN-RCVD
state, plus the number of times TCP connections have made a direct tran-
sition to the LISTEN state from the SYN-RCVD state.
tcpEstabResets The number of times TCP connections have made a direct transition to
the CLOSED state from either the ESTABLISHED state or the CLOSE-
WAIT state.
tcpInSegs The total number of segments received, including those received in error.
This count includes segments received on currently established connec-
tions.
tcpOutSegs The total number of segments sent, including those on current connec-
tions but excluding those containing only retransmitted octets.
tcpRetransSegs The total number of segments retransmitted - that is, the number of TCP
segments transmitted containing one or more previously transmitted octets.
tcpInErrs The total number of segments received in error (for example, bad TCP
checksums).
tcpCurBuff The total number of outstanding memory allocations from heap by TCP
protocol stack.
tcpCurConn The total number of outstanding TCP sessions that are currently opened.
tcpCurLstnConn The total number of TCP ports on which the switch is listening.
tcpOutRsts The number of TCP segments sent containing the RST flag.
tcpAllocTCBFails
/stats/l3/udp
UDP Statistics
UDP statistics:
udpInDatagrams: 54 udpOutDatagrams: 43
udpInErrors: 0 udpNoPorts: 1578077
Statistics Description
udpOutDatagrams The total number of UDP datagrams sent from this entity (the switch).
udpInErrors The number of received UDP datagrams that could not be delivered for
reasons other than the lack of an application at the destination port.
udpNoPorts The total number of received UDP datagrams for which there was no
application at the destination port.
/stats/slb
Server Load Balancing Statistics Menu
[Server Load Balancing Statistics Menu]
sp - SLB Switch SP Stats Menu
gslb - Global SLB Stats Menu
real - Show real server stats
group - Show real server group stats
virt - Show virtual server stats
filt - Show filter stats
layer7 - Show Layer 7 stats
ssl - Show SSL SLB stats
ftp - Show FTP SLB parsing and NAT stats
rtsp - Show RTSP SLB stats
dns - Show DNS SLB stats
wap - Show WAP SLB stats
maint - Show maintenance stats
sip - Show SIP SLB stats
wlm - Show Workload Manager SASP stats
mirror - Show Session mirroring stats
clear - Clear non-operational Server Load Balancing stats
aux - Show auxiliary session table stats
dump - Dump all SLB statistics
gslb
Displays the Global SLB Statistics menu. For more information, see page 206.
layer7
Displays Layer 7 statistics. See page 214 for sample output.
ssl
Displays SSL server load balancing statistics. See page 219 for sample output.
ftp
Displays FTP SLB parsing and NAT statistics. See page 220 for sample output.
rtsp
Displays RTSP SLB statistics. See page 223 for sample output.
dns
Displays DNS SLB statistics. See page 224 for sample output.
wap
Displays WAP SLB statistics. See page 225 for sample output.
maint
Displays SLB maintenance statistics. See page 227 for sample output.
sip
Displays SIP SLB statistics. See page 229 for sample output.
mirror
Display session mirroring statistics. See page 231 for sample output.
clear [y|n]
Clears all non-operating SLB statistics on the Nortel Application Switch, resetting them to zero.
This command does not reset the switch and does not affect the following counters:
Counters required for Layer 4 and Layer 7 operation (such as current real server sessions).
All related SNMP counters.
To view the statistics reset by this command, refer to Table 5-51 on page 230.
aux
Displays auxiliary session table statistics.
dump
Dumps all switch SLB statistics. Use this command to gather data for tuning and debugging switch
performance. To save dump data to a file, set your communication software on your workstation to
capture session data prior to issuing the dump command.
/stats/slb/sp
Server Load Balancing SP statistics Menu
[Server Load Balancing SP Statistics Menu]
real - Show real server stats
group - Show real server group stats
virt - Show virtual server stats
filt - Show filter stats
maint - Show maintenance stats
aux - Show auxiliary session table stats
clear - Clear SP stats
maint
Displays the SP maintenance statistics. See page 204 for a sample output.
aux
Displays the statistics of the auxiliary session table.
clear
Deletes all the SP statistics.
SP 1 Filter 1 stats:
Total firings: 2
Statistic Description
Current Sessions Number of session bindings currently in use (the last 4 and 64 sec-
onds).
Terminated Sessions Number of sessions removed from the session table because the
server assigned to them failed and graceful server failure was not
enabled.
Allocation Failures Indicates instances where the Switch ran out of available sessions for a
port.
UDP Datagrams Indicates that the virtual server IP address and MAC are receiving
UDP frames when UDP balancing is not turned on.
Non TCP/IP Frames Indicates the number of non-IP based frames received by the virtual
server.
Incorrect VIPs Indicates the number of times the switch received a Layer 4 request
for a virtual server which was not configured.
Statistic Description
Incorrect Vports This dropped frames counter indicates that the virtual server has
received frames for TCP/UDP services that have not been configured.
Normally this indicates a mis-configuration on the virtual server or the
client, but it may be an indication of a potential security probing appli-
cation like SATAN.
No Available Real This dropped frames counter indicates that all real servers are either
Server out of service or at their maxcon limit.
Backup Server This indicates the number of times a real server failure has occurred
Activations and caused a backup server to be brought online.
Overflow Server Acti- This indicates the number of times a real server has reached the
vations maxcon limit and caused an overflow server to be brought online.
Filtered (Denied) This indicates the number of frames that were dropped because of
Frames one of the following reasons:
1. They matched an active filter with the deny action set.
2. There are no real servers (in the case of redirection filters.)
3. When there are no available session entries.
LAND attacks This counter increases whenever a packet has the same source and
destination IP addresses and ports.
No TCP Control Bits The number of packets that were dropped because the packet had no
control bits set in the TCP header.
Invalid reset packet The number of packets that were dropped because the packet had an
drops invalid reset flag set.
Total IP fragment ses- This represents the total number of fragment sessions the switch has
sions processed so far.
IP fragment discards The number of fragmented packets that are discarded due to lack of
resources.
IP fragment table full This counter indicates how many times session table is full.
/stats/slb/gslb
Global SLB Statistics Menu
[Global SLB Statistics Menu]
real - Show Global SLB remote real server stats
virt - Show Global SLB virtual server stats
site - Show Global SLB remote site stats
network - Show Global SLB network preference stats
rule - Show Global SLB rule stats
geo - Show Global SLB geographical preference stats
pers - Show Global SLB DNS persistence cache stats
maint - Show Global SLB maintenance stats
clear - Clear all Global SLB stats
dump - Show all Global SLB stats
pers
Displays Global SLB DNS persistence cache statistics.
geo
Displays Global SLB statistics for the geographical preference.
maint
To view an example and description of Global SLB maintenance statistics, see page 209.
clear
Deletes all Global SLB statistics.
dump
Displays all Global SLB statistics.
For any remote real server configured for Global Server Load Balancing, the following statis-
tics can be viewed:
Field Description
Field Description
/stats/slb/gslb/site
Global SLB Site Statistics
Field Description
Bad remote site pack- The number of bad packets received from remote site.
ets received
DSSPv1 remote site The number of remote site updates sent using DSSP version 1.
updates sent
DSSPv1 remote site The number of remote site updates received using DSSP version 1.
updates received
DSSPv2 remote site The number of remote site updates sent using DSSP version 2.
updates sent
DSSPv2 remote site The number of remote site updates received using DSSP version 2.
updates received
/stats/slb/gslb/maint
Global SLB Maintenance Statistics
Field Description
Bad remote site pack- The number of bad packets received from the remote site.
ets received Bad updates or dropped packets usually indicate that there is
a configuration problem at local or remote GSLB switches. If
bad updates or dropped packets occur, check your syslog
for configuration error messages.
DSSPv1 remote site The number of Distributed Site State Protocol (DSSP) ver-
updates sent sion one updates/packets sent to the remote sites.
DSSPv1 remote site The number of Distributed Site State Protocol (DSSP) ver-
updates received sion one updates/packets received from the remote sites.
DSSPv2 remote site The number of Distributed Site State Protocol (DSSP) ver-
updates sent sion two updates/packets sent to the remote sites.
DSSPv2 remote site The number of Distributed Site State Protocol (DSSP) ver-
updates received sion two updates/packets received from the remote sites.
Field Description
DNS responses sent The number of DNS responses sent by the switch that
includes DNS directs and DNS error responses.
HTTP requests received The number of HTTP requests received.
Bad HTTP requests The number of bad/dropped client HTTP requests. Client
received HTTP GET request packets that do not contain the entire
URL are considered bad and are dropped.
HTTP responses sent The number of HTTP responses sent by the switch that
includes HTTP redirects.
Hostname domain hits The number of times the DNS queries received matched for
the hostname configured.
Network domain hits The number of times the DNS queries received matched for
the network domain name configured.
Basic domain hits The number of times the DNS queries received matched for
the basic domain name configured.
No server selected for The number of times no server was selected after matching
hostname domain the host name domain.
No server selected for The number of times no server was selected after matching
network domain the network domain name.
No server selected for The number of times no server was selected after matching
basic domain the basic domain name.
No matching domain The number of times the DNS queries received did not match
the host name, domain name, or the network domain config-
ured.
Last no result domain The domain in the last DNS query received that did not match
the host name, domain name, or the network domain config-
ured.
Last source IP The source IP address of the last DNS query or HTTP request
received.
NOTE – Octets are provided per server, not per service, unless configured as described in “Per
Service Octet Counters” on page 211.
Statistics Description
Current sessions The total number of outstanding sessions that are established to the par-
ticular real server.
Total sessions The total number of sessions that have been established to the particular
real server.
Highest sessions The highest number of sessions ever recorded for the particular real
server.
Octets The total number of octets sent by the particular real server.
The octet counters are provided per server–not per service. If you need octet counters on a per-
service basis, you can accomplish this through the following configuration:
1. Configure a separate IP address for each service on each server being load balanced.
For instance, you can configure IP address 10.1.1.20 for HTTP services, and 10.1.1.21 for FTP
services on the same physical server.
2. On the Nortel Application Switch, configure a real server with a real IP address for each
service above.
Continuing the example above, two real servers would be configured for the physical server
(representing each real service). If there were five physical servers providing the two services
(HTTP and FTP), 10 real servers would have to be configured: five for the HTTP services on
each physical server, and five for the FTP services on each physical server.
3. On the Nortel Application Switch, configure one real server group for each type of ser-
vice, and group each appropriate real server IP address into the group that handles the
specific service.
Thus, in keeping with our example, two groups would be configured: one for handling HTTP
and one for handling FTP.
4. Configure a virtual server and add the appropriate services to that virtual server.
Current and total sessions for each real server in the real server group.
Current and total sessions for all real servers associated with the real server group.
Highest number of simultaneous sessions recorded for each real server.
Real server transmit/receive octets. For per-service octet counters, see the procedure on
“Per Service Octet Counters” on page 211.
NOTE – The virtual server IP address is shown on the last line, below the real server IP addresses.
Current and total sessions for each real server associated with the virtual server.
Current and total sessions for all real servers associated with the virtual server.
Highest number of simultaneous sessions recorded for each real server.
Real server transmit/receive octets. For per-service octet counters, see “Per Service Octet
Counters” on page 211.
You can obtain the total number of times any filter has been matched.
/stats/slb/layer7
SLB Layer7 Statistics Menu
[Layer 7 Statistics Menu]
redir - Show URL Redirection stats
str - Show SLB String stats
maint - Show Layer 7 Maintenance stats
pooling - Show connection pooling stats
redir
Displays URL Redirection statistics. See page 214 for a sample output.
str
Displays SLB string statistics. See page 215 for a sample output.
maint
Displays Layer 7 maintenance statistics. See page 216 for a sample output.
pooling
Display the connection pooling statistics.See page 216 for a sample output.
/stats/slb/layer7/redir
Layer7 Redirection Statistics
Total URL based web cache redirection stats:
Total cache server hits: 0
Total origin server hits: 0
Total straight to origin server hits: 0
Total none-GETs hits: 0
Total 'Cookie: ' hits: 0
Total no-cache hits: 0
Total RTSP cache server hits: 0
Total RTSP origin server hits: 0
Total HTTP redirection hits: 0
Total cache server hits The total number of HTTP requests redirected to the cache server.
Total origin server hits The total number of HTTP requests forwarded to the origin server.
Total straight to ori- The total number of HTTP requests forwarded from straight to the
gin server hits origin server.
Total none-GETs hits The total number of none GET requests forwarded to the origin
server.
Total 'Cookie:' hits The total number of cookie requests forwarded to the origin server.
Total no-cache hits The total number of requests containing no-cache header forwarded
to the origin server.
Total RTSP cache The total number of RTSP requests redirected to the cache server.
server hits
Total RTSP origin The total number of RTSP requests forwarded to the origin server.
server hits
Total HTTP redirec- The total number of HTTP requests that were redirected by redirec-
tion hits tion filter.
/stats/slb/layer7/str
Layer 7 SLB String Statistics
SLB String stats:
ID SLB String Hits
1 any 1527115
2 www.[abcdefghijklm]*.com 0
3 www.[nopqrstuvwxyz]*.com 0
4 www.junk.com 0
5 www.abc.com 0
6 www.[abcdefjhijklm]*.org 0
7 www.[nopqrstuvwxyz]*.org 0
Hits The total number of instances that are load-balanced due to matching of
the particular URL ID.
/stats/slb/layer7/maint
Layer 7 SLB Maintenance Statistics
Statistics Description
Clients reset by The number of reset frames sent to the client by the switch during
switch on client side server connection termination. This means that when the switch
could not connect to the real sever and the client’s retries exceeded
the threshold due to delayed binding, the switch will send a reset
frame to the client to terminate the connection.
Clients reset by The number of reset frames sent to the server by the switch during
switch on server side server connection termination due to delayed binding.
Connection Splicing to The total number of connection swapping between different real
support HTTP/1.1 servers in supporting multiple HTTP/1.1 client requests.0
Statistics Description
Invalid HTTP methods The total number of HTTP requests that contain invalid methods
sent by the client.
Aged delayed binding The total number of aged delayed binding sessions caused by failed
sessions connection initialization between the switch and the server.
Half open connections The total numbers of outstanding TCP connections that are half
opened. It is incremented when the switch responds to TCP SYN
packet and decremented upon receiving TCP SYN ACK packet from
the requester.
Switch retries The total number of switch retries to connect to the real server.
Random early drops The total number of SYN frames dropped when the buffer is low.
Requests exceeded 4500 The total number of GET requests that exceeded 4500 bytes.
bytes
Invalid 3-way hand- The total number of dropped frames because of invalid 3-way hand
shakes shakes.
Exceeded max frame The total number of switch-generated frames that exceeded the max-
size imum allowed frame size.
Out of order packet The total number of TCP packets dropped because they were
drops: received out of order.
Highest SEQ buffer The highest number of sequence buffers ever used.
entries
Highest Data buffer The highest number of data buffers ever used.
use
Statistics Description
Total Data Buffer The total number of buffers allocated to store client request.2
Allocs
Alloc Fails - Seq The number of times sequence buffer allocation failed.
buffers
Alloc Fails - Ubufs The number of times the URL data buffer allocation failed.
Max sessions per The maximum number of items (sessions) allowed in the session
bucket table hash bucket chain.
Max frames per session The maximum number of frames to be buffered per session.
Max bytes buffered The maximum number of bytes to be buffered per session.
(sess)
/stats/slb/layer7/pooling
Layer7 Pooling Statistics
>> Layer 7 Statistics# pooling
------------------------------------------------------------------
Connection pooling statistics:
Current opened server connections: 0
Active server connections: 0
Available server connections: 0
Total number of aged out client connections: 0
Total number of aged out server connections: 0
/stats/slb/ssl
SLB Secure Socket Layer Statistics
SSL SLB maintenance stats:
SessionId allocation fails: 0
Total number of SSL ID reassignments: 0
Statistics Description
SSL SLB maintenance Debug stats for SSL SessionId based persistence.
stats
SessionId allocation The number of times allocation of a session table entry failed when
fails attempting to store a SessionId in the table.
The table shows the Current Sessions, the total sessions seen on the switch since last reset and the high
water mark of current sessions for the following:
Unique SessionIds Many SSL sessions can use the same SessionId, these should all
bind to the same server. This number shows the number of unique
SSL sessions seen on the switch.
SSL connections The number of different TCP connections using SSL service.
/stats/slb/ftp
File Transfer Protocol SLB and Filter Statistics Menu
[FTP SLB parsing and Filter Statistics Menu]
active - Show active FTP NAT filter stats
parsing - Show FTP SLB parsing server stats
maint - Show FTP maintenance stats
dump - Dump all FTP SLB/NAT stats
Table 5-41 FTP SLB Parsing and Filter Statistics Menu Options (/stats/slb/ftp)
Command Syntax and Usage
active
Shows active FTP SLB parsing and filter statistics. See page 221 for sample output.
parsing
Shows parsing statistics. See page 221 for sample output.
maint
Shows maintenance statistics. See page 222 for sample output.
dump
Shows all FTP SLB/NAT statistics. See page 222.
/stats/slb/ftp/active
Active FTP SLB Parsing and Filter Statistics
Total Active FTP NAT stats(PORT):
Total FTP: 0
Total New Active FTP Index: 0
Active FTP NAT ACK/SEQ diff: 0
Table 5-42 Active FTP Slb Parsing and Filter statistics (/stats/slb/ftp/active)
Statistics Description
Total Active FTP NAT The number of times the switch receives the port command from
stats (PORT) the client.
Total FTP The number of times the switch receives both active and passive
FTP connections.
Total New Active FTP The number of times the switch creates a new index due to port
Index command from the client.
Active FTP NAT ACK/SEQ The difference in the numbers of ACK and SEQ that the Switch
diff needs for packet adjustment.
/stats/slb/ftp/parsing
Passive FTP SLB Parsing Statistics
Statistics Description
Total FTP The number of times the switch receives both active and passive
FTP connections.
Total New FTP SLB The number of times the switch creates a new index in response to
parsing Index the pasv command from the client.
FTP SLB parsing ACK/ The difference in the numbers of ACK and SEQ that the switch
SEQ diff needs FTP SLB parsing.
/stats/slb/ftp/maint
FTP SLB Maintenance Statistics
Statistics Description
FTP mode switch error The number of times the switch is not able to switch modes from
active to passive and vice versa.
/stats/slb/ftp/dump
FTP SLB Statistics Dump
Total FTP : 0
Total FTP NAT Filtered: 0
Total new active FTP NAT Index: 0
Total new FTP SLB parsing Index: 0
FTP Active FTP NAT ACK/SEQ diff: 0
FTP SLB parsing ACK/SEQ diff: 0
FTP mode switch error: 0
Statistics Description
Total FTP NAT Filtered The total number of FTP NAT filter sessions that occurred.
Total new active FTP The total number of new data sessions created for FTP NAT filter in
NAT Index active mode.
Total new FTP SLB The number of times the switch creates a new index in response to
parsing Index the pasv command from the client.
FTP Active FTP NAT The total number of times the adjustment between ACK and SEQ
ACK/SEQ diff occurred on the filter.
FTP SLB parsing ACK/ The difference in the numbers of ACK and SEQ that the switch
SEQ diff needs for FTP SLB parsing.
FTP mode switch error The number of times the switch could not switch mode from active
to passive and vice versa.
/stats/slb/rtsp
RTSP SLB Statistics
Control UDP Connection Buffer Alloc
SP Connection Streams Redirect Denied Allocs Failures
-- ---------- ---------- ---------- ---------- ---------- ----------
1 0 0 0 0 0 0
2 0 0 0 0 0 0
3 0 0 0 0 0 0
4 0 0 0 0 0 0
-- ---------- ---------- ---------- ---------- ---------- --------
0 0 0 0 0 0
Statistics Description
ControlConnection The total number of TCP connections for RTSP control connection.
UDP Streams The total number of UDP connections for data channels. The number
depends upon the type of media player being used.
ConnectionDenied The total number of times the connections got denied due to shortage of
resources or the real server being down.
/stats/slb/dns
DNS SLB Statistics
Total number of TCP DNS queries: 0
Total number of UDP DNS queries: 0
Total number of invalid DNS queries: 0
Total number of multiple DNS queries: 0
Total number of domain name parse errors: 0
Total number of failed real server name matches: 0
Total number of DNS parsing internal errors: 0
Statistics Description
Total number of TCP The total number of DNS queries that received through TCP
DNS queries connections.
Total number of UDP The total number of DNS queries received through UDP requests.
DNS queries
Total number of The total number of DNS queries that contain more than one domain
multiple DNS queries name to be resolved. Currently only one domain name resolution per
request is supported.
Total number of domain The total number of DNS queries that have short or invalid domain
name parse errors names to be resolved.
Total number of failed The total number of times the user failed to find a real server which
real server name has the same layer 7 strings that match the domain name to be
matches resolved.
Total number of DNS The total number of out of memory and other unexpected errors the
parsing internal user gets while processing the DNS query.
errors
/stats/slb/wap
WAP SLB Statistics
This command displays all the Radius and WAP related counters.
Statistics Description
allocation failures Indicates instances where the switch ran out of available bindings for a
port.
incorrect VIPs Indicates the number of times the switch received a Layer 4 request for
a virtual server which was not configured.
incorrect Vports This dropped frames counter indicates that the virtual server has received
frames for TCP/UDP services that have not been configured. Normally
this indicates a mis-configuration on the virtual server or the client.
no available real This dropped frames counter indicates that all real servers are either out
server of service or at their maxcon limit.
requests to wrong SP The number of session add/delete requests sent to the wrong SP.
Statistics Description
add session reqs The number of WAP session add requests via TPCP.
req fails- SP dead The number of add-request failures due to dead target SP.
acct start reqs The number of RADIUS Accounting Start frames received.
acct stop reqs The number of RADIUS Accounting Stop frames received.
acct bad reqs The number of bad RADIUS Accounting frames received.
add session reqs The number of WAP session add requests via RADIUS snooping.
del session reqs The number of WAP session delete requests via RADIUS snooping.
req fails- SP dead The number of add/delete request failures due to dead target SP.
req fails- DMA The number of add/delete requests failed due to DMA write failure.
/stats/slb/maint
SLB Maintenance Statistics
SLB Maintenance stats:
Maximum sessions: 2097104
Current sessions: 0
4 second average: 0
64 second average: 0
Terminated sessions: 0
Allocation failures: 0
UDP datagrams: 0
Non TCP/IP frames: 0
Incorrect VIPs: 0
Incorrect Vports: 0
No available real server: 0
Backup server activations: 0
Overflow server activations: 0
Filtered (denied) frames: 0
LAND attacks: 0
No TCP control bits: 0
Invalid reset packet drops: 0
Total IP fragment sessions: 0
Current IP fragment sessions 0
IP fragment discards: 0
IP fragment table full: 0
Current IPF buffer sessions: 0
Highest IPF buffer sessions: 0
IPF buffer alloc fails: 0
IPF SP buffer alloc fails: 0
SP buffer too low: 0
Exceeded 16 OOO packets: 0
Free Service pool entries: 8192
Current IP6 sessions: 0
Incorrect IP6 VIPs: 0
Incorrect IP6 Vports: 0
IP6 packets drops: 0
/stats/slb/sip
SIP SLB Statistics
SIP Stats:
Statistics Description
Total number of SIP The total number of errors encountered during client processing
Client Parse Errors when parsing an incoming SIP packet.
Total number of SIP The total number of errors encountered during server processing
Server Parse Errors when parsing an incoming SIP packet.
Total number of SIP Total number of packets received with methods not known to the
Unknown Method packets SIP parser on the switch.
Total number of SIP Total number of packets received which do not have the complete
Incomplete Messages SIP message in a single packet.
Total number of SIP Total number of errors encountered during filter processing when
Filter Parse Errors parsing an incoming SIP packet.
Total number Total number of packets received that have SIP SDP
of packets with SIP NAT information.
SDP NAT
Deregisteration Requests: 1
Deregisteration Replies: 1
Deregisteration Reply Errors: 0
/stats/slb/mirror
Display Workload Manager SASP statistics
Table 5-52 SLB Session Mirroring statistics (/stats/slb/mirror)
/stats/bwm
BWM Statistics Menu
[Bandwidth Management Statistics Menu]
port - Switch Port Contract Stats Menu
cont - BW Contract stats
rcont - BW Contract rate stats
hist - BW History stats
maint - Show BWM maint statistics
ipusers - Show BWM IP user stats for iplimit contracts
dump - Dump all BWM statistics
clear - Clear BWM statistics
hist
Displays bandwidth management history statistics. See page 237 for sample output.
maint
Displays bandwidth management maintenance statistics. See page 238 for sample output.
ipusers
Displays Bandwidth Management IP user stats for iplimit contracts. Each IP address is limited
to the user limit configured in /cfg/bwm/contract on page 319.
See page 238 for sample output.
dump
Displays all bandwidth management statistics.
clear
Clears all bandwidth management statistics.
You can configure the number of CLI lines per screen using the global (hidden) command:
lines <number of lines>. For example:
BW Contract statistics
Contract Name Rate(Kbps) Octets Discards BufUsed BufMax
-------- --------------- ---------- ---------- ---------- ------- -----
1 cont1 0 40465360 262049256 0 16320
2 cont2 0 0 0 0 16320
20 cont20 5230 682947936 1822133376 16384 16320
26 cont26 0 0 0 0 16320
1024 Default 0 773974 0 0 16320
1 cont1 0 40465360 262049256 0 16320
2 cont2 0 0 0 0 16320
20 cont20 5238 684289056 1825753104 16384 16320
26 cont26 0 0 0 0 16320
1024 Default 0 774114 0 0 16320
The following description of statistics applies on a specific switch port for all enabled
contracts.
Statistics Description
Octets The number of octets that are being transmitted through a particular con-
tract since the switch is booted.
Discards The number of octets that are being discarded because of seeing more
traffic than the bandwidth contract limit permits.
Total Pkts The total number of packets classified for that contract.
BufUsed The current amount of buffer space used to store the packets that is wait-
ing to be transmitted.
Statistics Description
BufMax Maximum buffer space that can be used to store the packets before they
can be transmitted. The switch starts dropping the packets of a particular
contract after the maximum buffer space allocated for that contract is
being occupied.
/stats/bwm/rcont
BWM Contract Rate Statistics
Use this command to show the rate statistics of all the enabled contracts.
This command repeats its output when the printed lines are less than the configured CLI lines
per screen. If the CLI lines are configured at zero per screen, the command will continue to
repeat its output until you type a key on the console or telnet session.
You can configure the number of CLI lines per screen using the global (hidden) command:
lines <number of lines>. For example:
BW Contract statistics
Contract Name Rate(Kbps) Octets Discards BufUsed BufMax
-------- --------------- ---------- ---------- ---------- ------- -----
1 cont1 5222 285408288 735607152 16384 456960
2 cont2 0 0 0 0 456960
20 cont20 5238 285720864 735308784 16384 456960
26 cont26 0 0 0 0 456960
1024 Default 4 517182 0 0 456960
1 cont1 5230 286747296 739228896 16384 456960
2 cont2 0 0 0 0 456960
20 cont20 5230 287059872 738930528 16384 456960
26 cont26 0 0 0 0 456960
1024 Default 8 519400 0 0 456960
1 cont1 5222 288084192 742853160 16384 456960
2 cont2 0 0 0 0 456960
20 cont20 5238 288400992 742550760 16384 456960
26 cont26 0 0 0 0 456960
1024 Default 8 521578 0 0 456960
Statistics Description
Rate (in Kbps) Rate at which the packets are going out of the switch on a particular con-
tract.
Octets The number of octets that are being transmitted through a particular con-
tract since the switch is booted.
Discards The number of octets that are being discarded because of seeing more
traffic than the bandwidth contract limits.
BufUsed The current amount of buffer space used to store the packets that is wait-
ing to be transmitted.
BufMax Maximum buffer space that can be used to store the packets before they
can be transmitted. The switch starts dropping the packets of a particular
contract after the maximum buffer space allocated for that contract is
being occupied.
/stats/bwm/hist
BWM History Statistics
Switch IP Cont Name Octets
Discards TimeStamp
YyyyMmDd:Hr:Mi/TmZone
--------------- ---- ---------------- ---------- ---------- ----------
47.80.23.124 1 filter_number01 0 0 20030910:15:11/ -8:00
47.80.23.124 2 filter_number02 0 0 20030910:15:11/ -8:00
47.80.23.124 3 filter_number03 0 0 20030910:15:11/ -8:00
47.80.23.124 4 filter_number04 0 0 20030910:15:11/ -8:00
47.80.23.124 5 filter_number05 0 0 20030910:15:11/ -8:00
47.80.23.124 6 filter_number06 0 0 20030910:15:11/ -8:00
47.80.23.124 7 filter_number07 0 0 20030910:15:11/ -8:00
47.80.23.124 8 filter_number08 0 0 20030910:15:11/ -8:00
47.80.23.124 9 filter_number09 0 0 20030910:15:11/ -8:00
47.80.23.124 10 filter_number10 0 0 20030910:15:11/ -8:00
47.80.23.124 1024 Default 608 0 20030910:15:11/ -8:00
You can dump the stats kept in the SMTP history buffer that get dumped periodically when an
E-mail is sent. This command is used to keep long term history only for the contracts that are
enabled and have history command turned on.
Use this command to show the history of all the contracts for which history command is
enabled. The sampling is done at one-minute intervals.
Statistics Description
Discards The number of octets discarded because of seeing more traffic than the
bandwidth contract limit permits.
NOTE – These statistics can only be viewed when the e-mail option is enabled.
/stats/bwm/maint
BWM Maintenance Statistics
BWM Maint statistics
------------------------------------------------------------------
Maint Stats for rate limiting contracts
Discard pkts 0
Discard octets 0
Out pkts 0
Out octets 0
Transmit failed 0
User Limit entry allocation failures 0
------------------------------------------------------------------
Maint Stats for traffic shaping contracts
QFull Discard pkts 0
QFull Discard octets 0
Out of buffers pkts 0
Out of buffers pkts 0
Transmit failed 0
TDT set when qfull 0
TDT set between soft and hard 0
TDT set at soft 0
/stats/bwm/ipusers
BWM IP Users Statistics
This command displays the number of BWM IP user entries for each BWM contract for each
SP.
/stats/security
Security Statistics
dos
Displays the DOS Attack statistics menu. To view a sample output and a description of the stats,
see page 240.
ipacl
Displays the IP Address Access Control List statistics menu. To view a sample output and a
description of the statistics, see page 244.
udpblast
Displays the UDP Blast statistics menu. To view a sample output and a description of the statistics,
see page 245.
pgroup
Displays the Pattern Match Group statistics menu. To view a sample output and a description of
the statistics, see page 246.
ratelim
Displays the Rate Limiting statistics menu. To view a sample output and a description of the stats,
see page 246.
dump
Displays all security statistics.
/stats/security/dos
DOS Attack Statistics Menu
[Protocol Anomaly and DoS Attack Prevention Statistics Menu]
port - Show port protocol anomaly and DoS attack prevention stats
dump - Dump all protocol anomaly and DoS attack prevention stats
clear - Clear all protocol anomaly and DoS attack prevention stats
help - Protocol anomaly and DoS attack prevention description
dump
Displays the number of times the packets were dropped on the switch, for each of the following
types of DOS attacks:
iplen, ipversion, broadcast, loopback, land, ipreserved, ipttl, ipprot, ipoptlen,
fragmoredont, fragdata, fragboundary, fraglast, fragdontoff, fragopt, fragoff, fragoversize, tcplen,
tcpportzero, blat, tcpreserved, nullscan, fullxmasscan, finscan, vecnascan, xmasscan, synfinscan,
flagabnormal, syndata, synfrag, ftpport, dnsport, seqzero, ackzero, tcpoptlen, udplen, udpportzero,
fraggle, pepsi, rc8, snmpnull, icmplen, smurf, icmpdata, icmpoff, icmptype, igmplen, igmpfrag,
igmptype, arplen, arpnbcast, arpnucast, arpspoof, garp, ip6len, ip6version
For a description of these different types of DOS attacks, see “Types of DOS Attacks” on page
241.
clear
Deletes all DOS attack statistics.
help
Displays a description of each type of DOS attack by name and how it works.
You can use the help command to obtain a brief explanation of each type of DOS attack
detected by the switch.
Refer to your Nortel Application Switch Operating System Application Guide for a detailed
description of DOS attacks.
xmasscan : TCP packets with FIN, URG and PSH bits are set.
synfinscan : TCP packets with SYN and FIN bits are set.
flagabnormal: TCP packets with abnormal control bits combination.
syndata : TCP packets with SYN bit is set and with payload.
synfrag : TCP packets with SYN bit is set and more fragments bit
is set.
ftpport : TCP packets with SPORT=20, DPORT<1024 and SYN bit is
set.
dnsport : TCP packets with SPORT=53, DPORT<1024 and SYN bit is
set.
seqzero : TCP packets with sequence number is zero.
ackzero : TCP packets with acknowledgement number is zero and ACK
bit is set.
tcpoptlen : TCP packets with bad TCP options length.
udplen : UDP packets with bad UDP header length.
udpportzero : UDP packets with source or destination port is zero.
fraggle : UDP packets to broadcast destination IP (x.x.x.255).
pepsi : UDP packets with SPORT=19, DPORT=7 or SPORT=7,
DPORT=19.
rc8 : UDP packets with SPORT=7 and DPORT=7.
snmpnull : UDP packets with DPORT=161 and without payload.
icmplen : ICMP packets with bad ICMP header length.
smurf : ICMP ping requests to a broadcast destination IP
(x.x.x.255).
icmpdata : ICMP packets with zero fragment offset and large pay-
load.
icmpoff : ICMP packets with large fragment offset.
icmptype : ICMP packets with type is unassigned or reserved.
igmplen : IGMP packets with bad IGMP header length.
igmpfrag : IGMP packets with more fragments bit is set or non-zero
fragment offset.
igmptype : IGMP packets with type is unassigned or reserved.
arplen : ARP request or reply packets with bad length.
arpnbcast : ARP request packets with non broadcast destination MAC.
arpnucast : ARP reply packets with non unicast destination MAC.
arpspoof : ARP request or reply packets with mismatch source with
sender MACs
or destination with target MACs.
garp : ARP request or reply packets with same source and des-
tination IP.
ip6len : IPv6 packets with bad header length.
ip6version : IPv6 packets with IP version not 6.
/stats/security/ipacl
IP Access Control List Statistics
The following IP Access Control List statistics can be viewed with this command:
dump
Displays the accumulated blocked packets for each source or destination IP address and mask pair
in the access control list.
>> Main# /stats/security/ipacl/dump
-----------------------------------------------------------------
IP ACL stats:
Source IP Addr Mask Type Blocked Packets
--------------- --------------- ----- ---------------
No source IP ACL's created
Dest IP Addr Mask Type Blocked Packets
--------------- --------------- ----- ---------------
No destination IP ACL's created
clear
Deletes all the statistics of accumulated blocked packets.
/stats/security/udpblast
UDP Blast Statistics
[UDP Blast Statistics Menu]
dump - UDP Blast Stats
clear - Clear all UDP Blast Stats
dump
Displays all the accumulated blocked packets for each port, and the current packet rate per second.
See page 245 for a sample output and a description of the statistics.
clear
Deletes all the accumulated blocked packets.
/stats/security/udpblast/dump
UDP Blast Dump Statistics
Field Description
Current Packet Rate/ Displays the current rate of packet to the UDP port.
Second
/stats/security/pgroup
UDP Pattern Match Statistics
Pattern Match Group stats:
ID Name Hits
1 0
This menu displays how many times each configured pattern group has been matched and a
subsequent filtering action performed. Pattern groups are configured in the “Pattern Matching
Menu” on page 404.
/stats/security/ratelim
Rate Limiting Statistics
Rate limiting stats:
TCP:
Total hold downs triggered: 0
Current per-client state entries: 0
UDP:
Total hold downs triggered: 0
Current per-client state entries: 0
ICMP:
Total hold downs triggered: 0
Current per-client state entries: 0
Field Description
Total holds down The total number of packets dropped after the hold-down period
triggered expired.
Current per-client The total number of per-client state entries for TCP/UDP/ICMP rate
state entries limiting.
/stats/security/dump
Dump Statistics for Security
IP ACL stats:
TCP:
Total hold downs triggered: 0
Current per-client state entries: 0
UDP:
Total hold downs triggered: 0
Current per-client state entries: 0
ICMP:
Total hold downs triggered: 0
Current per-client state entries: 0
/stats/mp
Management Processor Statistics
[MP-specific Statistics Menu]
pkt - Show Packet and TCP stats
tcb - Show All TCP control blocks in use
ucb - Show All UDP control blocks in use
sfd - Show All Socket FD in use
cpu - Show CPU utilization
mem - Show memory stats
pkt
Displays packet statistics, to check for leads and load. To view a sample output and a description
of the stats, see page 249.
tcb
Displays all TCP control blocks that are in use. To view a sample output and a description of the
stats, see page 251.
ucb
Displays all UDP control blocks that are in use. To view a sample output, see page 251.
sfd
Displays all Socket File Descriptors that are in use. To view a sample output, see page 252.
cpu
Displays CPU utilization for periods of up to 1, 4, and 64 seconds. To view a sample output and a
description of the stats, see page 252.
mem
Displays memory statistics.
/stats/mp/pkt
MP Packet Statistics
Packet counts:
allocs: 89262 frees: 89262
mediums: 0 mediums hi-watermark: 4
jumbos: 0 jumbos hi-watermark: 0
smalls: 0 smalls hi-watermark: 4
alloc fails: 0 packet discards: 0
TCP counts:
allocs: 4866 frees: 4827
current: 46 current hi-watermark: 146
alloc fails: 0 alloc discards: 0
Statistics Description
Packet counts:
allocs Total number of packet allocations from the packet buffer pool by the
TCP/IP protocol stack.
frees Total number of times the packet buffers are freed (released) to the packet
buffer pool by the TCP/IP protocol stack.
mediums Total number of packet allocations with size between 128 to 1536 bytes
from the packet buffer pool by the TCP/IP protocol stack.
jumbos Total number of packet allocations with size between 1536 bytes to
9K bytes from the packet buffer pool by the TCP/IP protocol stack.
smalls Total number of packet allocations with size less than 128 bytes from the
packet buffer pool by the TCP/IP protocol stack.
alloc fails Total number of packet allocation failures from the packet buffer pool by
the TCP/IP protocol stack.
frees Total number of packets freed from the packet buffer pool by the TCP/IP
protocol stack.
mediums hi-water- The highest number of packet allocation with size between 128 to 1536
mark bytes from the packet buffer pool by the TCP/IP protocol stack.
jumbos hi-watermark The highest number of packet allocation with size between 1536 bytes to
9K bytes from the packet buffer pool by the TCP/IP protocol stack.
smalls hi-watermark The highest number of packet allocation with size less than 128 bytes
from the packet buffer pool by the TCP/IP protocol stack.
Statistics Description
packet discards The number of packets that are discarded by the MP. The packets are dis-
carded because buffer resources are not available or the buffer threshold
is reached and the low priority packets are discarded.
TCP counts:
allocs Total number of TCP packet allocations from MP memory by the TCP/IP
protocol stack.
current Total number of TCP packet allocations from MP memory by the TCP/IP
protocol stack.
alloc fails Total number of TCP packet allocation failures from MP memory by the
TCP/IP protocol stack.
frees Total number of times the TCP packet buffers are freed (released) to MP
memory by the TCP/IP protocol stack.
current hi-water- The highest number of TCP packet allocation from MP memory by the
mark TCP/IP protocol stack.
alloc discards The number of TCP packets that are discarded by the MP. The packets
are discarded because MP memory resources are not available.
/stats/mp/tcb
TCP Statistics
All TCP allocated control blocks:
117f6d00: 0.0.0.0 0 <=> 0.0.0.0 80 listen
117f81a8: 47.81.27.6 1331 <=> 47.80.16.59 23 established
Statistics Description
117f6d00/117f81a8 Memory
0.0.0.0/47.80.16.59 Source IP
listen/established State
/stats/mp/ucb
UCB Statistics
All UDP allocated control blocks:
161: listen
1985: listen
3122: listen
Field Description
Listen State
/stats/mp/sfd
MP-Specific SFD Statistics
All Socket FD allocated:
0 -1 16 1180b128: 0.0.0.0 0 <=> 47.133.88.31 81 listen TCP
server
1 -1 17 108c5bd8: 0.0.0.0 0 <=> 47.133.88.31 23 listen TCP
server
2 -1 18 108d5cfc: 0.0.0.0 0 <=> 47.133.88.31 22 listen TCP
server
3 -1 19 1180a258: 0.0.0.0 0 <=> 47.133.88.31 443 listen TCP
server
/stats/mp/cpu
CPU Statistics
This menu option enables you to display the CPU utilization statistics on MP.
CPU utilization:
cpuUtil1Second: 100%
cpuUtil4Seconds: 100%
cpuUtil64Seconds: 100%
Statistics Description
cpuUtil1Second The percentage of CPU utilization as measured over the last one second
interval.
cpuUtil4Seconds The percentage of CPU utilization as measured over the last four second
interval.
cpuUtil64Seconds The percentage of CPU utilization as measured over the last 64 second
interval.
Statistics Description
cpu Displays what percentage of the CPU has been utilized. To view a sam-
ple output and a description of the stats, see page 254.
/stats/sp/cpu
CPU Statistics
This menu option enables you to display the CPU utilization statistics on the Switch Processor
(SP).
Statistics Description
cpuUtil1Second The percentage of CPU utilization as measured over the last one second
interval.
Statistics Description
cpuUtil4Seconds The percentage of CPU utilization as measured over the last four second
interval.
cpuUtil64Seconds The percentage of CPU utilization as measured over the last 64 second
interval.
/stats/pmirr
Port Mirroring Statistics Menu
dump
Displays the port number, and the statistics of the traffic on the ingress and egress ports.
clear
Deletes all the port mirroring statistics.
CAUTION—Use this command carefully as it will delete all statistics permanently.
/stats/mgmt
Management Port Statistics
Statistics Description
RX dropped The number of incoming packets that were dropped due to lack of
receive buffers.
RX overruns The number of received packets that were dropped because their size
exceeded that of the receive queue.
RX frame errors The number of incoming packets dropped due to IP framing errors.
TX overruns The number of packets dropped because size exceeded that of the
transmit queue.
/stats/dump
Dump Statistics
Use the dump command to dump all switch statistics available from the Statistics Menu (40K or more,
depending on your configuration). This data can be used to tune or debug switch performance.
If you want to capture dump data to a file, set your communication software on your worksta-
tion to capture session data prior to issuing the dump commands.
To make finding information easier, the menu options under the Server Load Balancing Menu
(/cfg/slb) are in Chapter 7.
/cfg
Configuration Menu
[Configuration Menu]
sys - System-wide Parameter Menu
port - Port Menu
pmirr - Port Mirroring Menu
bwm - Bandwidth Management Menu
l2 - Layer 2 Menu
l3 - Layer 3 Menu
slb - Server Load Balancing (Layer 4-7) Menu
security - Security Menu
sslproc - SSL Processor Setup Menu
setup - Step by step configuration set up
dump - Dump current configuration to script file
ptcfg - Backup current configuration to FTP/TFTP server
gtcfg - Restore current configuration from FTP/TFTP server
257
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
sys
Displays the System-wide parameter Configuration Menu. To view menu options, see page 261.
pmirr
Displays the Mirroring Configuration Menu. To view menu options, see page 315.
bwm
Displays the Bandwidth Management Configuration Menu. To view menu options, see page 316.
l2
Displays Layer 2 Configuration Menu. To view menu options, see page 325.
l3
Displays Layer 3 Configuration Menu. To view menu options, see page 342.
slb
Displays the Server Load Balancing Configuration Menu. To view menu options, see Chapter 7,
“The SLB Configuration Menu”.
security
Displays the Security Menu. To view menu options, see page 397.
sslproc
Displays the SSL processor setup Menu. To view menu options, see page 403
setup
Step-by-step configuration set-up of the switch. For details, see page 403.
dump
Dumps current configuration to a script file. For details, see page 407.
While configuration changes are in the pending state, you can do the following:
NOTE – The diff command is a global command. Therefore, you can enter diff at any
prompt in the CLI.
# apply
NOTE – The apply command is a global command. Therefore, you can enter apply at any
prompt in the administrative interface.
NOTE – All configuration changes take effect immediately when applied, except for starting
Spanning Tree Protocol. To turn STP on or off, you must apply the changes, save them (see
below), and then reset the switch (see “Resetting the Switch” on page 517).
NOTE – If you do not save the changes, they will be lost the next time the system is rebooted.
To save the new configuration, enter the following command at any CLI prompt:
# save
When you save configuration changes, the changes are saved to the active configuration block.
The configuration being replaced by the save is first copied to the backup configuration block.
If you do not want the previous configuration block copied to the backup configuration block,
enter the following instead:
# save n
You can decide which configuration you want to run the next time you reset the switch. Your
options include:
For instructions on selecting the configuration to run at the next system reset, see “Selecting a
Configuration Block” on page 515.
/cfg/sys
System Configuration
[System Menu]
syslog - Syslog Menu
mmgmt - Management Port Menu
radius - RADIUS Authentication Menu
tacacs - TACACS+ Authentication Menu
ntp - NTP Server Menu
sonmp - SONMP Menu
ssnmp - System SNMP Menu
health - System Health Check Menu
access - System Access Menu
date - Set system date
time - Set system time
timezone - Set system timezone (daylight savings)
idle - Set timeout for idle CLI sessions
notice - Set login notice
bannr - Set login banner
smtp - Set SMTP host
hprompt - Enable/disable display hostname (sysName) in CLI prompt
bootp - Enable/disable use of BOOTP
cur - Display current system-wide parameters
This menu provides configuration of switch management parameters such as user and
administrator privilege mode passwords, Web-based management settings, and management
access list.
syslog
Displays the Syslog Menu. To view menu options, see page 263.
mmgmt
Displays Management Port Menu. To view menu options, see page 264.
radius
Displays the RADIUS Authentication Menu. To view menu options, see page 268.
tacacs
Displays TACACS+ authentication Menu. To view menu options, see page 270.
ntp
Displays the Network Time Protocol (NTP) Server Menu. To view menu options, see page 271.
sonmp
Displays the SynOptics Network Management Protocol (SONMP) menu. To view menu options,
see page 273.
ssnmp
Displays the System SNMP Menu. To view menu options, see page 273.
health
Displays system health check menu. To view menu options, see page 287.
access
Displays System Access Menu. To view menu options, see page 288.
date
Prompts the user for the system date.
time
Configures the system time using a 24-hour clock format.
timezone
Configures the system time zone. To view an example, see page 300.
hprompt disable|enable
Enables or disables displaying of the host name (system administrator’s name) in the Command
Line Interface (CLI).
bootp disable|enable
Enables or disables the use of BOOTP. If you enable BOOTP, the switch will query its BOOTP
server for all of the switch IP parameters. This command is disabled by default.
cur
Displays the current system parameters.
/cfg/sys/syslog
System Host Log Configuration
NOTE – Nortel Application Switch Operating System 23.0 supports the RFC 3164 standard for
Syslogs.
[Syslog Menu]
host - Set IP address of first syslog host
host2 - Set IP address of second syslog host
sever - Set the severity of first syslog host
sever2 - Set the severity of second syslog host
facil - Set facility of first syslog host
facil2 - Set facility of second syslog host
console - Enable/disable console output of syslog messages
log - Enable/disable syslogging of features
cur - Display current syslog settings
3: Error. This means that the system has errors that should be corrected.
5: Notice. This means that the condition of the system is normal but with significant conditions
that need attention.
6: Informational. This means that the system is working but giving out information about cer-
tain unfavorable conditions.
7. Debug. This means that the system is giving out debug-level messages.
/cfg/sys/mmgmt
Management Port Configuration Menu
The Management port is a Fast Ethernet port that is used exclusively to manage the switch.
While the switch can be managed from any network port, the Management port saves consum-
ing a port that could otherwise be used for processing data and traffic. This port manages the
switch using either telnet CLI, SNMP, or HTTP. This port is isolated from and does not partic-
ipate in the networking protocols that run on the network ports.
The Management port must be configured with a static IP address, subnet mask, broadcast
address, and default gateway, and must be enabled before it can be used. If this port is disabled,
the network ports have to perform all switch management (other than the switch management
using the console). If this port is enabled, the factory default settings for some of the manage-
ment features remain with the network ports. You can change the defaults by configuring these
features to permanently use the management port, or in some cases, by using the operational
commands to set these options on a one-time basis.
port
Displays the management port link menu. To view the menu options, see page 268.
tacacs mgmt|data
Sets TACACS+ over management or data ports. Default is data port.
wlm ["mgmt"|"data"]
Set the default port for the workload manager.
report ["mgmt"|"data"]
Set the default port for the reporting server.
ena
Enables the Management port.
dis
Disables the Management port.
cur
Displays the current configuration.
/cfg/sys/mmgmt/port
Management Port Link Menu
[Management Port Link Menu]
speed - Set link speed
mode - Set full or half duplex mode
auto - Set autonegotiation
cur - Display current link configuration
speed 10|100|any
Sets the speed of the link with the Management port. Default is any.
mode full|half|any
Sets half or full duplex mode. Default is any.
auto on|off
Sets auto negotiation for the port. By default this command is turned on.
cur
Displays the current link configuration.
/cfg/sys/radius
RADIUS Server Configuration
[RADIUS Server Menu]
prisrv - Set primary RADIUS server address
secsrv - Set secondary RADIUS server address
secret - Set primary RADIUS server secret
secret2 - Set secondary RADIUS server secret
port - Set RADIUS port
retries - Set RADIUS server retries
timeout - Set RADIUS server timeout
telnet - Enable/disable RADIUS backdoor for telnet
on - Turn RADIUS authentication ON
off - Turn RADIUS authentication OFF
cur - Display current RADIUS configuration
telnet disable|enable
Enables or disables the RADIUS back door for telnet. Telnet also applies to SSH/SCP connec-
tions.
on
Enables the RADIUS server.
off
Disables the RADIUS server.
cur
Displays the current RADIUS server parameters.
/cfg/sys/tacacs
TACACS+ Server Configuration Menu
TACACS (Terminal Access Controller Access Control System) is an authentication protocol
that allows a remote access server to forward a user's logon password to an authentication
server to determine whether access can be allowed to a given system. TACACS is
an encryption protocol and therefore less secure than TACACS+ and Remote Authentication
Dial-In User Service (RADIUS) protocols. (Both TACACS and TACACS+ are described in
RFC 1492.)
TACACS+ protocol is seen as more reliable than RADIUS as TACACS+ uses the Transmis-
sion Control Protocol (TCP) whereas RADIUS uses the User Datagram Protocol (UDP). Also,
RADIUS combines authentication and authorization in a user profile, whereas TACACS+ sep-
arates the two operations.
TACACS+ protocol has been implemented on Nortel Application Switch Operating System to
support the customers that have Cisco’s TACACS+ protocol as their network security feature.
Apart from that, TACACS+ offers the following advantages over RADIUS as the authentica-
tion device:
telnet disable|enable
Enables or disables the TACACS+ back door for telnet. Telnet also applies to SSH/SCP connections.
on
Enables the TACACS+ server.
off
Disables the TACACS+ server.
cur
Displays current TACACS+ configuration parameters.
/cfg/sys/ntp
NTP Server Configuration
This menu enables you to synchronize the switch clock to a Network Time Protocol (NTP)
server. By default, this option is disabled.
on
Enables the NTP synchronization service.
off
Disables the NTP synchronization service.
cur
Displays the current NTP service settings.
/cfg/sys/sonmp
SynOptics Network Management Protocol Configuration
[SONMP Menu]
srcif - Set source interface to be used in hello packets
on - Turn Ethernet Autotopology ON
off - Turn Ethernet Autotopology OFF
cur - Display current SONMP configuration
on
This command enables the SONMP protocol, and turns Ethernet Autotopology on.
off
This command disables the SONMP protocol, and turns Ethernet Autotopology off.
cur
This command displays the current SONMP configuration.
/cfg/sys/ssnmp
System SNMP Configuration
Nortel Application Switch Operating System supports SNMP-based network management. In
SNMP model of network management, a management station (client/manager) accesses a set
of variables known as MIBs (Management Information Base) provided by the managed device
(agent). If you are running an SNMP network management station on your network, you can
manage the switch using the following standard SNMP MIBs:
System name
System location
System contact
Use of the SNMP system authentication trap function
Read community string
Write community string
Trap community strings
snmpv3
Displays SNMPv3 menu. To view menu options, see page 276.
NOTE – This command is applicable only to SNMPv1 and SNMPv2 traps because only
the SNMPv1 and SNMPv2 trap packets contain the source IP address that can be
set with this command. The SNMPv3 packets do not contain this field.
auth disable|enable
Enables or disables the use of the system authentication trap facility. The default setting is dis-
abled.
cur
Displays the current STP port parameters.
/cfg/sys/ssnmp/snmpv3
SNMPv3 Configuration Menu
SNMP version 3 (SNMPv3) is an extensible SNMP Framework that supplements the SNMPv2
Framework by supporting the following:
[SNMPv3 Menu]
usm - usmUser Table menu
view - vacmViewTreeFamily Table menu
access - vacmAccess Table menu
group - vacmSecurityToGroup Table menu
comm - community Table menu
taddr - targetAddr Table menu
tparam - targetParams Table menu
notify - notify Table menu
v1v2 - Enable/disable V1/V2 access
cur - Display current SNMPv3 configuration
v1v2 disable|enable
This command allows you to enable or disable the access to SNMP version 1 and version 2. This
command is enabled by default.
cur
Displays the current SNMPv3 configuration.
/cfg/sys/ssnmp/snmpv3/usm
User Security Model Configuration Menu
You can make use of a defined set of user identities using this Security Model. An SNMP
engine must have the knowledge of applicable attributes of a user.
This menu helps you create a user security model entry for an authorized user. You need to pro-
vide a security name to create the USM entry.
auth md5|sha|none
This command allows you to configure the authentication protocol between HMAC-MD5-96 or
HMAC-SHA-96. The default algorithm is none.
authpw
If you selected an authentication algorithm using the above command, you need to provide a pass-
word, otherwise you will get an error message during validation. This command allows you to cre-
ate or change your password for authentication.
priv des|none
This command allows you to configure the type of privacy protocol on your switch. The privacy
protocol protects messages from disclosure. The options are des (CBC-DES Symmetric Encryp-
tion Protocol) or none. If you specify des as the privacy protocol, then make sure that you have
selected one of the authentication protocols (MD5 or HMAC-SHA-96). If you select none as the
authentication protocol, you will get an error message.
privpw
This command allows you to create or change the privacy password.
del
Deletes the USM user entries.
cur
Displays the USM user entries.
cfg/sys/ssnmp/snmpv3/view
SNMPv3 View Configuration Menu
type included|excluded
This command indicates whether the corresponding instances of vacmViewTreeFamilySub-
tree and vacmViewTreeFamilyMask define a family of view subtrees, which is included
in or excluded from the MIB view.
del
Deletes the vacmViewTreeFamily group entry.
cur
Displays the current vacmViewTreeFamily configuration.
/cfg/sys/ssnmp/snmpv3/access
View-based Access Control Model Configuration Menu
The view-based Access Control Model defines a set of services that an application can use for
checking access rights of the user. Access control is needed when the user has to process
SNMP retrieval or modification request from an SNMP entity.
model usm|snmpv1|snmpv2
Allows you to select the security model to be used.
level noAuthNoPriv|authNoPriv|authPriv
Defines the minimum level of security required to gain access rights. The level noAuthNoPriv
means that the SNMP message will be sent without authentication and without using a privacy pro-
tocol. The level authNoPriv means that the SNMP message will be sent with authentication but
without using a privacy protocol. The authPriv means that the SNMP message will be sent both
with authentication and using a privacy protocol.
match exact|prefix
If the value is set to exact, then all the rows whose contextName exactly matches the prefix are
selected. If the value is set to prefix then the all the rows where the starting octets of the con-
textName exactly match the prefix are selected.
del
Deletes the View-based Access Control entry.
cur
Displays the View-based Access Control configuration.
/cfg/sys/ssnmp/snmpv3/group
SNMPv3 Group Configuration Menu
model usm|snmpv1|snmpv2
Defines the security model.
del
Deletes the vacmSecurityToGroup entry.
cur
Displays the current vacmSecurityToGroup configuration.
/cfg/sys/ssnmp/snmpv3/comm
SNMPv3 Community Table Configuration Menu
This command is used for configuring the community table entry. The configured entry is
stored in the community table list in the SNMP engine. This table is used to configure commu-
nity strings in the Local Configuration Datastore (LCD) of SNMP engine.
del
Deletes the community table entry.
cur
Displays the community table configuration.
/cfg/sys/ssnmp/snmpv3/taddr
SNMPv3 Target Address Table Configuration Menu
This command is used to configure the target transport entry. The configured entry is stored in
the target address table list in the SNMP engine. This table of transport addresses is used in the
generation of SNMP messages.
del
Deletes the Target Address Table entry.
cur
Displays the current Target Address Table configuration.
/cfg/sys/ssnmp/snmpv3/tparam
SNMPv3 Target Parameters Table Configuration Menu
You can configure the target parameters entry and store it in the target parameters table in the
SNMP engine. This table contains parameters that are used to generate a message. The param-
eters include the message processing model (for example: SNMPv3, SNMPv2c, SNMPv1), the
security model (for example: USM), the security name, and the security level (noAuthno-
Priv, authNoPriv, or authPriv).
mpmodel snmpv3|snmpv1|snmpv2c
Allows you to configure the message processing model that is used to generate SNMP messages.
model usm|snmpv1|snmpv2
Allows you to select the security model to be used when generating the SNMP messages.
level noAuthNoPriv|authNoPriv|authPriv
Allows you to select the level of security to be used when generating the SNMP messages using
this entry. The level noAuthNoPriv means that the SNMP message will be sent without authen-
tication and without using a privacy protocol. The level authNoPriv means that the SNMP mes-
sage will be sent with authentication but without using a privacy protocol. The authPriv means
that the SNMP message will be sent both with authentication and using a privacy protocol.
del
Deletes the targetParamsTable entry.
cur
Displays the current targetParamsTable configuration.
/cfg/sys/ssnmp/snmpv3/notify
SNMPv3 Notify Table Configuration Menu
SNMPv3 uses Notification Originator to send out traps. A notification typically monitors a system for
particular events or conditions, and generates Notification-Class messages based on these events or con-
ditions.
del
Deletes the notify table entry.
cur
Displays the current notify table configuration.
/cfg/sys/health
System Health Check Configuration Menu
[System TCP Health Menu]
add - Add TCP services to listen for health check
rem - Remove TCP services from listening
on - Turn system TCP health services ON
off - Turn system TCP health services OFF
cur - Display current TCP health services configuration
on
Turns on the TCP health check services.
off
Turns off the TCP health check services.
cur
Displays the current TCP health check services configuration.
/cfg/sys/access
System Access Control Configuration
[System Access Menu]
mgmt - Management Network Access Menu
port - Port Management Access Menu
user - User Access Control Menu (passwords)
https - HTTPS (Web) Server Access Menu
sshd - SSH Server Menu
xml - XML Configuration Access Menu
http - Enable/disable HTTP (Web) server access
wport - Set HTTP (Web) server port number
snmp - Set SNMP access control
tnport - Set Telnet server port number
rlimit - Set max rate of ARP, ICMP, TCP, or UDP packets to MP
cur - Display current system access configuration
mgmt
Displays the Management Configuration Menu. To view menu options, see page 289.
port
Dispal the port management access menu.To view menu options, see page 291.
user
Displays the User Access Control Menu. To view menu options, see page 291.
https
Displays HTTPS Server Access Menu. To view menu options, see page 295.
http disable|enable
Enables or disables HTTP (Web) access to the browser-based interface. It is disabled by default.
snmp disable|read-only|read-write
Sets the snmp user access level to either disabled, read-only, or read-write.
tnet
Enables or disables Telnet access to the switch. This command is disabled by default. You will see
this command only if you are connected to the switch through the console port.
cur
Displays the current configuration.
/cfg/sys/access/mgmt
Management Networks Menu
This menu is used to define IP address ranges which are allowed to access the switch
for management purposes. Nortel Application Switch Operating System 23.0 supports up to 10
management networks.
NOTE – The add and rem commands below replace the /cfg/sys/mnet and /cfg/
sys/mmask commands found in earlier releases of Nortel Application Switch Operating Sys-
tem.
cur
Displays the current configuration.
/cfg/sys/access/port
Port Management Access Menu
[Port Management Access Menu]
add - Add port with management access
aadd - Add all ports with management access
rem - Remove port from management access
arem - Remove all ports from management access
cur - Display current ports with management access
add <port_number>
Add a port with management access.
aadd
Add all ports with management access.
rem <port_number>
Remove a port from management access.
arem
Remove all ports from management access.
cur
Displays the port numbers that currently have management access.
/cfg/sys/access/user
User Access Control Menu
usrpw
Sets the user (user) password. The user has no direct responsibility for switch management. He or
she can view switch status information and statistics, but cannot make any configuration changes.
sopw
Sets the SLB operator (slboper)password. The SLB operator manages Web servers and other
Internet services and their loads. He or she can view all switch information and statistics and can
enable/disable servers using the Server Load Balancing configuration menus.
Access includes “user” functions.
l4opw
Sets the Layer 4 operator (l4oper)password. The Layer 4 operator manages traffic on the lines
leading to the shared Internet services. He or she can view all switch information and statistics.
Access includes “slboper” functions.
opw
Sets the operator (oper)password. The operator password can have a maximum of 15 characters.
The operator manages all functions of the switch. He or she can view all switch information and
statistics and can reset ports or the entire switch.
Access includes “l4oper” functions.
sapw
Sets the SLB administrator (slbadmin) password. Administrator who configures and manages
Web servers and other Internet services and their loads. He or she can view all switch information
and statistics, but can configure changes only on the Server Load Balancing menus. Note that the
Filter Menu options are not accessible to the SLB administrator.
Access includes “l4oper” functions.
l4apw
Sets the Layer 4 administrator (l4admin) password. The Layer 4 administrator configures and
manages traffic on the lines leading to the shared Internet services. He or she can view all switch
information and statistics and can configure parameters on the Server Load Balancing menus, with
the exception of not being able to configure filters.
Access includes “slbadmin” functions.
admpw
Sets the administrator (admin) password. The super user administrator has complete access to all
menus, information, and configuration commands on the Nortel Application Switch, including the
ability to change both the user and administrator passwords.
Access includes “oper” and “l4admin” functions.
cur
Displays the current user status.
/cfg/sys/access/user/uid
System User ID Configuration Menu
This feature allows the users to operate the real servers assigned to them. Using this command
you can list the current status of the real server including the real server number, the real server
name, the operational state of the real server, and the number of current sessions. You can
enable or disable the real servers and change the password for accessing these real servers.
[User ID 1 Menu]
cos - Set class of service
name - Set user name
pswd - Set user password
add - Add real server
rem - Remove real server
ena - Enable user ID
dis - Disable user ID
del - Delete user ID
cur - Display current user configuration
cos <user|slboper|l4oper|oper|slbadmin|l4admin|admin>
Sets the Class-of-Service to define the user’s authority level. Nortel Application Switch Operating
System defines these levels as: User, SLB Operator, Layer 4 Operator, Operator, SLB Administra-
tor, and Administrator, with User being the most restricted level.
ena
Enables the user ID.
dis
Disables the user ID.
del
Deletes the user ID.
cur
Displays the current user ID configuration.
/cfg/sys/access/https
HTTPS Access Configuration Menu
[https Menu]
https - Enable/Disable HTTPS Web access
port - HTTPS WebServer port number
generate - Generate self-signed HTTPS server certificate
certSave - save HTTPS certificate
cur - Display current SSL Web Access configuration
https
Enables or disables BBI access (Web access) using HTTPS.
generate
Allows you to generate a certificate to connect to the SSL to be used during the key exchange. A
default certificate is created when HTTPS is enabled for the first time. The user can create a new
certificate defining the information that they want to be used in the various fields. For example:
Country Name (2 letter code) [ ]: CA
State or Province Name (full name) []: Ontario
Locality Name (for example, city) []: Ottawa
Organization Name (for example, company) []: Nortel Networks
Organizational Unit Name (for example, section) []: Alteon
Common Name (for example, user’s name) []: Mr Smith
Email (for example, email address) []: info@nortelnetworks.com
You will be asked to confirm if you want to generate the certificate. It will take approximately 30
seconds to generate the certificate. Then the switch will restart SSL agent.
certSave
Allows the client, or the Web browser, to accept the certificate and save the certificate to Flash to
be used when the switch is rebooted.
cur
Displays the current SSL Web Access configuration.
/cfg/sys/access/sshd
SSH Server Menu
[SSH Server Menu]
sshport - Set SSH server port number
ena - Enable SCP apply and save
on - Turn SSH server ON (SSHv1/SSHv2)
cur - Display current SSH server configuration
sshport <TCP_port_number>
Set the server port number.
ena
Sets the SCP apply and save.
on
Set the SSH server to on.
cur
Display the current SSH server configuration.
/cfg/sys/access/xml
XML Configuration Access Menu
[XML Config Access Menu]
xml - Enable/disable XML config access
port - Set XML server port number
gtcert - Import XML client certificate
delcert - Delete XML client certificate
dispcert - Display XML client certificate
debug - Debug XML operations
cur - Display current XML config access configuration
xml
Enable or disable XML access. For an example, see page 299
port <TCP_port_number>
Set the XML server port number.
gtcert
Import an XML client certificate.
Enter hostname or IP address of FTP/TFTP server:
Enter name of file on FTP/TFTP server:
Enter username for FTP server or hit return for TFTP server:
delcert
Delete XML client certificate.
Current XML client certificate has been deleted from FLASH
dispcert
Display the current XML certificate.
debug
Toggle Debug mode on or off. Enabling XML debugging causes all commands in the XML file to
be echoed to the Console and prefaces each one with running XML cmd: or Invalid XML cmd:. All
responses to the commands will also be output to the Console.
Current XML debug: enabled
Enter new XML debug [d/e]:
cur
Display current XML configuration.
XML config access currently disabled on TCP port 443
XML debug is enabled
Note: there are pending config changes; use "diff" to see them.
/cfg/sys/access/xml/xml
Example of enabling or disabling XML access
Current XML access: disabled
Pending new XML access: enabled
Enter new XML access [d/e]:
/cfg/sys/timezone
Configure the Timezone
>> Main# /cfg/sys/timezone
Please identify a location so that time zone rules can be set cor-
rectly.
Please select a continent or ocean.
1) Africa
2) Americas
3) Antarctica
4) Arctic Ocean
5) Asia
6) Atlantic Ocean
7) Australia
8) Europe
9) Indian Ocean
10) Pacific Ocean
11) None - disable timezone setting
Enter the number of your choice: 2
Please select a country.
1) Anguilla 18) Ecuador 35) Paraguay
2) Antigua & Barbuda 19) El Salvador 36) Peru
3) Argentina 20) French Guiana 37) Puerto Rico
4) Aruba 21) Greenland 38) St Kitts & Nevis
5) Bahamas 22) Grenada 39) St Lucia
6) Barbados 23) Guadeloupe 40) St Pierre &
Miquelon
7) Belize 24) Guatemala 41) St Vincent
8) Bolivia 25) Guyana 42) Suriname
9) Brazil 26) Haiti 43) Trinidad & Tobago
10) Canada 27) Honduras 44) Turks & Caicos Is
11) Cayman Islands 28) Jamaica 45) United States
12) Chile 29) Martinique 46) Uruguay
13) Colombia 30) Mexico 47) Venezuela
14) Costa Rica 31) Montserrat 48) Virgin Islands
(UK)
15) Cuba 32) Netherlands Antilles 49) Virgin Islands
(US)
16) Dominica 33) Nicaragua
17) Dominican Republic 34) Panama
Enter the number of your choice: 10
Port configuration is different on Nortel Application Switch Operating System 2000 series and 3000
series.
Table 6-29 Port Configuration and Numbering on Nortel Application Switch Operating
System 2000 Series
Model 10/100 Mbps Fast Ethernet 1000 Mbps SFP GBIC Port
Port Numbers Numbers
Nortel Application Switch 1–8 9–10
2208 (1U)
Nortel Application Switch 1–16 17–18
2216 (1U)
Nortel Application Switch 1–24 25–26
2224 (1U)
Nortel Application Switch 1–24 25–28
2424 (1U)
For more information on connectors, please refer to the Hardware Installation Guide for Nortel
Application Switch Operating System.
The commands on Nortel Application Switch Operating System 2000 series and their description are
as follows:
fast
If a port is configured to support Fast Ethernet, this option displays the Fast Ethernet Physical Link
Menu. To view menu options, see page 313.
gig
If a port is configured to support Gigabit Ethernet, this option displays the Gigabit Ethernet Physi-
cal Link Menu. To view menu options, see page 313.
egbw <0k-5000k|1m-100m>
Sets the egress bandwidth limit for the port to avoid overloading the receiving router or switch.
Using this command, you can configure the egress bandwidth limit of the port to match with the
bandwidth link of the receiving router or the switch. This means that the port’s speed will be taken
as the egress bandwidth. For example, the egress bandwidth for an FE port will be 100m. The
default is 0.
rmon disable|enable
Disables or enables RMON for this port. It is disabled by default.
tag disable|enable
Disables or enables VLAN tagging for this port. It is disabled by default.
iponly disable|enable
Disables or enables allowing only IP-related frames. It is disabled by default.
ena
Enables the port.
dis
Disables the port. (To temporarily disable a port without changing its configuration attributes, refer
to “Temporarily Disabling a Port” on page 314.)
cur
Displays the current port parameters.
Use these menu options to set port parameters for the port link.
NOTE – If the port does not have a Gig Ethernet physical link, the following message is dis-
played:
>> Port 1# gig
Current Port 1 does not have Gig Ethernet phy.
NOTE – Since the speed and mode parameters cannot be set for Gigabit Ethernet ports, these
options do not appear on the Gigabit Link Menu.
Link menu options are described in Table 6-38 and appear on the fast and gig port configu-
ration menus for the Nortel Application Switch. Using these configuration menus, you can set
port parameters such as speed, flow control, and negotiation mode for the port link.
Four 1000BaseT ports (1, 2, 7, and 8) with RJ-45 connectors. The ports are autonegotiat-
ing and support half or full duplex operation.
Four dual-mode ports (3, 4, 5, and 6). These ports have two interfaces each: 1000 Mbps
SFP GBIC and 10/100/1000Base-T Copper. When the 1000 Mbps SFP GBIC port is
selected as the preferred link, it is fixed at 1000 Mbps, full-duplex with autonegotiation
turned on. When the 10/100/1000Base-T copper port is selected as the preferred link, it
can be configured at any speed. However, if 1000 Mbps is selected, autonegotiation must
be turned on. You can set either interface as the preferred or backup link. See “Dual-Mode
Ports” on page 311 for more details.
Four Small Form Pluggable (SFP) GBIC Fiber ports (9–12). These ports are designed to
operate at 1000 Mbps and full duplex mode only.
NOTE – For more information on connectors, refer to the Nortel Application Switch Operating
System Hardware Installation Guide Part Number 315393-E.
Single-Mode ports
[Port 1 Menu]
fast - Fast Phy Menu
gig - Gig Phy Menu
pvid - Set default port VLAN id
alias - Set port alias
name - Set port name
cont - Set default port BW Contract
nonip - Set BW Contract for non-IP traffic
egbw - Set port egress bandwidth Limit
rmon - Enable/Disable RMON for port
tag - Enable/disable VLAN tagging for port
iponly - Enable/disable allow IP related frames at ingress
ena - Enable port
dis - Disable port
cur - Display current port configuration
Use these menu options to set port parameters for the port link. Link menu options are
described in Table 6-38 and appear on the gig port configuration menus for the Nortel Applica-
tion Switch. Using these configuration menus, you can set port parameters such as speed, flow
control, and negotiation mode for the port link.
Table 6-34 Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu
Options (/cfg/port <1, 2, 7, or 8>/gig)
Command Syntax and Usage
speed 10|100|1000|any
Sets the link speed. Not all options are valid on all ports. The choices include:
Any for automatic detection (default)
10 Mbps
100 Mbps
1000 Mbps
mode full|half|any
Sets the operating mode. The choices include:
Any for auto negotiation (default)
Full-duplex
Half-duplex
Table 6-34 Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu
Options (/cfg/port <1, 2, 7, or 8>/gig)
Command Syntax and Usage
fctl rx|tx|both|none
Sets the flow control. This command is available only in the Fast Link Menu.The choices include:
Receive flow control
Transmit flow control
Both receive and transmit flow control (default)
No flow control
auto on|off
Enables or disables autonegotiation for the port.
cur
Displays the current Gigabit Ethernet copper link port parameters.
[Port 9 Menu]
gig - SFP Gig Phy Menu
pvid - Set default port VLAN id
name - Set port name
cont - Set default port BW Contract
egbw - Set port egress bandwidth Limit
rmon - Enable/Disable RMON for port
tag - Enable/disable VLAN tagging for port
iponly - Enable/disable allowing only IP related frames
ena - Enable port
dis - Disable port
cur - Display current port configuration
Table 6-35 Single-Mode SFP Gigabit Ethernet Port Configuration Menu Options
(/cfg/port <9–12>)
gig
If a port is configured to support Gigabit Ethernet, this option displays the SFP Gigabit Ethernet
Physical Link Menu. To view menu options, see page 310.
Table 6-35 Single-Mode SFP Gigabit Ethernet Port Configuration Menu Options
(/cfg/port <9–12>)
rmon disable|enable
Disables or enables RMON for this port. It is disabled by default.
tag disable|enable
Disables or enables VLAN tagging for this port. It is disabled by default.
iponly disable|enable
Disables or enables allowing only IP-related frames. It is disabled by default.
ena
Enables the port.
dis
Disables the port. (To temporarily disable a port without changing its configuration attributes, refer
to “Temporarily Disabling a Port” on page 314.)
cur
Displays the current port parameters.
Use these menu options to set port parameters for the port link.
Link menu options are described in Table 6-38 and appear on the gig port configuration
menus for the Nortel Application Switch. Using these configuration menus, you can set port
parameters such as flow control, and negotiation mode for the port link.
Table 6-36 Single-Mode SFP Gigabit Ethernet Port Link Configuration Menu
Options (/cfg/port <9-12>/gig)
Command Syntax and Usage
fctl rx|tx|both|none
Sets the flow control. The choices include:
Receive flow control
Transmit flow control
Both receive and transmit flow control (default)
No flow control
auto on|off
Enables or disables autonegotiation for the port.
cur
Displays the current SFP Gigabit Ethernet link port parameters.
Dual-Mode Ports
When you select any one of the dual-mode ports (3–6), you see the menu below:
[Port 3 Menu]
cop - Copper Gig Phy Menu
sfp - SFP Gig Phy Menu
pref - Set preferred link
back - Set backup link
pvid - Set default port VLAN id
name - Set port name
cont - Set default port BW Contract
rmon - Enable/Disable RMON for port
tag - Enable/disable VLAN tagging for port
iponly - Enable/disable allowing only IP related frames
ena - Enable port
dis - Disable port
cur - Display current port configuration
cop
Displays Copper Gigabit Physical Link Menu. To view menu options, see page 313.
sfp
Displays SFP Gigabit Physical Link Menu. To view menu options, see page 314.
pref copper|sfp
Sets the port preference between copper or SFP mode. The selected port will be used as the pre-
ferred port if both the ports are available.
back copper|sfp|none
Sets the preference for the backup link if the preferred port is not available. You cannot set the pre-
ferred port as the backup port. If you choose none, the port will not switch automatically to the
backup port if the preferred port goes down.
rmon disable|enable
Disables or enables RMON for this port. It is disabled by default.
tag disable|enable
Disables or enables VLAN tagging for this port. It is disabled by default.
iponly disable|enable
Disables or enables allowing only IP-related frames. It is disabled by default.
ena
Enables the port.
dis
Disables the port. (To temporarily disable a port without changing its configuration attributes, refer
to “Temporarily Disabling a Port” on page 314.)
cur
Displays the current port parameters.
Use these menu options to set port parameters for the port link.
Link menu options are described in Table 6-38 and appear on the cop port configuration
menus for the Nortel Application Switch. Using these configuration menus, you can set port
parameters such as speed, flow control, and negotiation mode for the port link.
Table 6-38 Dual-Mode Copper Port Link Configuration Menu Options (/cfg/port
<3–6>/cop)
Command Syntax and Usage
speed 10|100|1000|any
Sets the link speed. Not all options are valid on all ports. The choices include:
Any for automatic detection (default)
10 Mbps
100 Mbps
1000 Mbps
mode full|half|any
Sets the operating mode. The choices include:
Any for autonegotiation (default)
Full-duplex
Half-duplex
fctl rx|tx|both|none
Sets the flow control. The choices include:
Receive flow control
Transmit flow control
Both receive and transmit flow control (default)
No flow control
auto on|off
Enables or disables auto negotiation for the port.
cur
Displays the current Gigabit Ethernet copper link port parameters.
fctl rx|tx|both|none
Sets the flow control. The choices include:
Receive flow control
Transmit flow control
Both receive and transmit flow control (default)
No flow control
cur
Displays the current SFP Gigabit link port configuration.
Because this configuration sets a temporary state for the port, you do not need to use apply or
save. The port state will revert to its original configuration when the Nortel Application Switch
is reset. See the “Operations Menu” on page 499 for other operations-level commands.
/cfg/pmirr
Port Mirroring Menu
The Port Mirroring Menu is used to configure, enable, and disable the monitored port. When
enabled, network packets being sent and/or received on a target port are duplicated and sent to
a monitor port. By attaching a network analyzer to the monitor port, you can collect detailed
information about your network performance and usage.
mirror disable|enable
Enables or disables port mirroring
cur
Displays the current settings of the mirrored and monitoring ports.
/cfg/pmirr monport
Port-Mirroring Menu
>> Port Mirroring# monport
Enter port (1-28): <port_number>
------------------------------------------------------------
[Port 1 Menu]
add - Add "Mirrored" port and VLANs
rem - Rem "Mirrored" port and VLANs
cur - Display current Port-based Port Mirroring configuration
/cfg/bwm
Bandwidth Management Configuration
Bandwidth Management (BWM) enables Web site managers to allocate a portion of the avail-
able bandwidth for specific users or applications. It allows companies to guarantee that critical
business traffic, such as e-commerce transactions, receive higher priority versus non-critical
traffic. Traffic classification can be based on user or application information. BWM policies
can be configured to set lower and upper bounds on the bandwidth allocation.
NOTE – BWM is a software key-enabled feature that requires users to purchase a license and a
key. In order to enable BWM, users need to enter the Bandwidth Management key using the
/oper/swkey command.
NOTE – Up to 1024 bandwidth management contracts can be configured on the Nortel Appli-
cation Switch Operating System.
entries <64k|128k|256k|512k>
Sets the number of entries in the Bandwidth Management IP user table.
email disable|enable
Enable/disable sending BWM statistics using email. When this option is disabled, these statistics
are sent using a socket mechanism.
force disable|enable
Enables or disables the enforcement of bandwidth policy on the traffic. When disabled, the reor-
dering of the packets does not occur. The packets will exit in the order they came in. This means
that no bandwidth limit is applied on the queues. By default, this option is enabled.
on
Globally enables Bandwidth Management on this switch.
off
Globally disables Bandwidth Management on this switch.
cur
Displays the current Bandwidth Management configuration.
This feature enables the user to configure different policies based on the time of the day using
the following menu and commands:
Table 6-44 BWM Contract Time Policy Configuration Menu Options (/cfg/bwm/
timepol)
day <mon|tue|wed|thu|fri|sat|sun|weekday|weekend|everyday>
Defines the day(s) of the week, weekdays (Monday to Friday), weekend (Saturday and Sunday) or
everyday. The default is everyday.
from <1-12am/pm>
Defines the time from where you need to start the time in hours. If am or pm is not specified, the
switch will default to am for numbers lower than 12 and will default to pm for numbers 13 or
higher.
to <1-12am/pm>
Sets the end limit of time in hours. If am or pm is not specified, the switch will default to am for
numbers lower than 12 and will default to pm for numbers 13 or higher.
enable
Enables the Time Policy command on the switch.
disable
Disables the Time Policy command on the switch.
delete
Deletes the current Time Policy.
cur
Displays the current Time Policy configuration on the switch. For example:
Time Policy 1:
Day everyday, From Hour 12am, To Hour 12am, Policy 512, disabled
hard <0k-5000k|1m-1000m>
Sets the hard bandwidth limit for this policy. This is the highest amount of bandwidth available to
this policy. The default value is 2000 kbps.
soft <0k-5000k|1m-1000m>
Sets the soft bandwidth limit for this policy. The default value is 1000 kbps.
resv <0k-5000k|1m-1000m>
Sets the reserve limit for this policy. This is the amount of bandwidth always available to this pol-
icy. The default value is 500Kbytes.
userlim <0k-5000k|1m-1000m>
Sets the bandwidth limit for each IP address in the contract traffic.
del
Deletes the bandwidth management policy.
cur
Displays the current value of the bandwidth policy configuration.
/cfg/bwm/group
Bandwidth Management Group Configuration Menu
[BW Group 1 Menu]
add - Add Contract to this group
rem - Remove Contract from this group
del - Delete BW Group
cur - Display current BW Group configuration
del
Deletes this Bandwidth Management group.
cur
Displays all current Bandwidth Management Group configurations.
/cfg/bwm/cur
Bandwidth Management Current Configuration
Current Bandwidth Management setting: ON
Policy Enforcement: enabled
SMTP server user name:
/cfg/l2
Layer 2 Configuration Menu
[Layer 2 Menu]
mrst - Multiple Spanning Tree/Rapid Spanning Tree Menu
stg - Spanning Tree Menu
trunk - Trunk Group Menu
lacp - Link Aggregation Control Protocol Menu
vlan - VLAN Menu
team - Port Teaming Menu
ntmstg - Enable/disable Nortel multiple STG mode
cur - Display current layer 2 parameters
/cfg/l2/mrst
Multiple Spanning Tree Menu
[Multiple Spanning Tree Menu]
cist - Common and Internal Spanning Tree menu
name - Set MST region name
version - Set Version of this MST region
maxhop - Set Maximum Hop Count for MST (4 - 60)
mode - Spanning Tree Mode
on - Globally turn Multiple Spanning Tree (MSTP/RSTP) ON
off - Globally turn Multiple Spanning Tree (MSTP/RSTP) OFF
cur - Display current MST parameters
cist
Go to the Common and Internal Spanning Tree menu. See page 327.
mode mstp|rstp
Set the spanning tree mode.
on
Set the spanning tree on (Bridge MSTP/RSTP runs normally).
off
Set the spanning tree off (Bridge MSTP/RSTP does not run).
cur
Display the current MST parameters.
/cfg/l2/mrst/cist
Multiple Spanning Tree Menu
[Common Internal Spanning Tree Menu]
brg - CIST Bridge parameter menu
port - CIST Port parameter menu
default - Default Common Internal Spanning Tree and Member parms
cur - Display current CIST parameters
brg
Go to the CIST Bridge parameter menu. See page 328.
port <port_number>
Set the port number.
default
Resets STG and Group member parameters to factory default.
cur
Displays current values of all objects settable from this menu.
/cfg/l2/mrst/cist/brg
CIST Bridge Menu
[CIST Bridge Menu]
prior - Set CIST bridge Priority (0-65535)
mxage - Set CIST bridge Max Age (6-40 secs)
fwd - Set CIST bridge Forward Delay (4-30 secs)
cur - Display current CIST bridge parameters
cur
Displays current values of all objects settable from the CIST bridge menu.
/cfg/l2/mrst/cist/brg cur
Current configuration for CIST Bridge
>> CIST Bridge# cur
------------------------------------------------------------------
Current Common Internal Spanning Tree settings:
Bridge params: Priority MaxAge FwdDel
32768 20 15
Priority The current CIST Bridge priority setting. Priority is a value between
0 and 65535.
/cfg/l2/stg
Spanning Tree Group Configuration
When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the network
so that a switch uses only the most efficient path. Spanning Tree Protocol (STP) detects and
eliminates logical loops in a bridged or switched network. STP forces redundant data paths
into a standby (blocked) state. When multiple paths exist, Spanning Tree configures the net-
work so that a switch uses only the most efficient path. If that path fails, Spanning Tree auto-
matically sets up another active path on the network to sustain network operations. Thus, STP
is used to prevent loops in the network topology.
Nortel Application Switch Operating System supports the IEEE 802.1p Spanning Tree Proto-
col (STP). Nortel Application Switch Operating System supports up to 16 instances of Span-
ning Trees or Spanning Tree groups. Each VLAN can be placed in only one Spanning Tree
group per switch except for the default Spanning Tree group (STG 1). The default Spanning
Tree group (1) can have more than one VLAN. All other Spanning Tree groups (2-16) can
have only one VLAN associated with it. Spanning Tree can be enabled or disabled for each
port. Multiple Spanning Trees can be enabled on tagged or untagged ports. See your Applica-
tion Guide for a detailed description of this feature and how to configure Spanning Tree
Groups on the switch.
NOTE – When VRRP is used for active/active redundancy, STP must be enabled.
brg
Displays the Bridge Spanning Tree Menu. To view menu options, see page 331.
clear
Removes all VLANs from a spanning tree.
on
Globally enables Spanning Tree Protocol.
off
Globally disables Spanning Tree Protocol.
default
Resets STG and Group member parameters to factory default.
cur
Displays the current Spanning Tree Protocol parameters.
/cfg/l2/stg/brg
Bridge Spanning Tree Configuration
[Bridge Spanning Tree Menu]
prior - Set bridge Priority [0-65535]
hello - Set bridge Hello Time [1-10 secs]
mxage - Set bridge Max Age (6-40 secs)
fwd - Set bridge Forward Delay (4-30 secs)
aging - Set bridge Aging Time (1-65535 secs, 0 to disable)
cur - Display current bridge parameters
Spanning Tree bridge parameters affect the global STP operation of the switch. STP bridge
parameters include:
Bridge priority
Bridge hello time
Bridge maximum age
Forwarding delay
Bridge aging time
cur
Displays the current bridge STP parameters.
When configuring STP bridge parameters, the following formulas must be used:
Spanning Tree port parameters are used to modify STP operation on an individual port basis.
STP port parameters include:
Port priority
Port path cost
STP is turned on by default for the port.
link auto|p2p|shared
Set port link type (auto, p2p, or shared; default: auto)
edge disable|enable
Enable/disable edge port
on
Enables STP on the port.
off
Disables STP on the port.
cur
Displays the current STP port parameters.
Any physical switch port can belong to no more than one trunk group.
Up to eight ports/trunks can belong to the same trunk group.
Best performance is achieved when all ports in a trunk are configured for the same speed.
Trunking from non-Nortel devices must comply with Cisco® EtherChannel® technology.
By default, the trunk group is empty and disabled.
/cfg/l2/lacp
Link Aggregation Control Protocol Menu
Nortel Application Switch Operating System 23.0.2 supports IEEE 802.3ad standard on the
Nortel Application Switch Operating System. At the core of the 802.3ad standard is Link
Aggregation Control Protocol (LACP). This protocol allows the user to group several physical
ports into one logical port (LACP trunk group) with any switch that supports IEEE 802.3ad
standard (LACP). You can configure the trunk groups manually called the static trunks as well
as you can configure dynamic trunk group using the IEEE 802.3ad standard called the LACP
trunks. The maximum number of configurable trunk groups are 40: 12 user configurable trunks
and 28 LACP trunks depending upon the maximum number of ports in the switch. The maxi-
mum number of active physical ports in any trunk group is eight and the number of standby
ports is also eight.
The 802.3ad standard allows two or more standard Ethernet links to form a single Layer 2 link
using the Link Aggregation Control Protocol (LACP). Link aggregation is a method of group-
ing physical link segments of the same media type and speed in full duplex, and treating them
as if they were part of a single, logical link segment. If a link in a LACP trunk group fails, traf-
fic is reassigned dynamically to the remaining links of the LACP trunk group or is assigned to
the standby LACP links.
NOTE – Refer to IEEE 802.3ad-2000 for a detailed information about the standard.
LACP automatically determines which member links can be aggregated and then aggregates
them. It provides for the controlled addition and removal of physical links for the link aggrega-
tion.
Each external port in the Nortel Application Switch Operating System can have one of the fol-
lowing LACP modes.
off (default)
The user can configure this port to a regular static trunk group. When the system initial-
izes, all ports are in off mode by default.
active
The port is capable of forming an LACP trunk. This port initiates negotiation with the
partner system port by sending LACPDU (Link Aggregation Control Protocol Data Unit)
packets.
passive
The port is capable of forming an LACP trunk. This port only responds to the negotiation
requests sent from an LACP active port.
Each LACP active or passive port needs an admin, an operational key, and an aggregator
for LACP to start negotiation on these ports. You need to assign the same admin key to a group
of ports to make them aggregatable. The link can generate Link Aggregation ID (LAG ID)
based on the operational key. All the aggregatable ports must have the same LAG ID. You can
form an active LACP trunk group with all the ports that have the same LAG ID.
Please refer to your Nortel Application Switch Operating System Application Guide for a
detailed information on this protocol.
Use the following commands to configure LACP on the Nortel Application Switch Operating
System.
[LACP Menu]
sysprio - Set LACP system priority
timeout - Set LACP system timeout scale for timing out partner info
port - LACP port Menu
cur - Display current LACP configuration
sysprio <1-65535>
Defines the priority value (1 through 65535) for the Nortel Application Switch Operating Sys-
tem. Lower numbers provide higher priority.
System priority is used when there are more than eight ports configured with the same admin-
key. The system priority, in conjunction with port priority, decides which eight ports should be
combined to form a trunk group between two switches. The rest of the ports stay in standby mode
to substitute for any failed ports.
The default value is 32768.
timeout <short|long>
Defines the timeout period before invalidating LACP data from a remote partner. You can choose
between short (3 seconds) or long (90 seconds) timeout periods. The default value is long.
cur
Displays the current LACP configuration.
Use the following commands to configure Link Aggregation Control Protocol (LACP) on a
selected port.
Table 6-57 Link Aggregation Control Protocol Port Configuration Menu Options
(/cfg/l2/lacp/port #)
prio <1-65535>
Sets the priority value for the selected port. Lower numbers provide higher priority. The default
value is 128.
adminkey <1-65535>
Sets the admin key for this port. Only ports with the same admin key and oper key (operational
state generated internally) can form an LACP trunk group.
cur
Displays the current LACP configuration for this port.
By default, the VLAN menu option is disabled except VLAN 1, which is enabled all the time.
[VLAN 1 Menu]
name - Set VLAN name
stg - Assign VLAN to a Spanning Tree Group
cont - Set BW contract
add - Add port to VLAN
rem - Remove port from VLAN
def - Define VLAN as list of ports
jumbo - Enable/disable Jumbo Frame support
learn - Enable/disable smac learning
ena - Enable VLAN
dis - Disable VLAN
del - Delete VLAN
cur - Display current VLAN configuration
name
Assigns a name to the VLAN or changes the existing name. The default VLAN name is the first
one.
jumbo disable|enable
Enables or disables jumbo frame support on this VLAN. You need to reset the switch using
/boot/reset command to enable jumbo frames on the switch.
learn disable|enable
Enables or disables source MAC address learning on this VLAN.
ena
Enables this VLAN.
dis
Disables this VLAN without removing it from the configuration.
del
Deletes this VLAN.
cur
Displays the current VLAN configuration.
NOTE – All ports must belong to at least one VLAN. Any port which is removed from a
VLAN and which is not a member of any other VLAN is automatically added to default
VLAN #1. You cannot remove a port from VLAN #1 if the port has no membership in any
other VLAN.
Also, you cannot add a port to more than one VLAN unless the port has VLAN tagging turned
on (see the tag command on page 307).
ena
Enables the port team.
dis
Disables the port team.
del
Deletes the port team.
cur
Displays the current port team configuration.
/cfg/l3
Layer 3 Configuration Menu
[Layer 3 Menu]
if - Interface Menu
gw - Default Gateway Menu
route - Static Route Menu
arp - ARP Menu
frwd - Forwarding Menu
nwf - Network Filters Menu
rmap - Route Map Menu
rip - Routing Information Protocol Menu
ospf - Open Shortest Path First (OSPF) Menu
bgp - Border Gateway Protocol Menu
port - IP Port Menu
dns - Domain Name System Menu
bootp - Bootstrap Protocol Relay Menu
vrrp - Virtual Router Redundancy Protocol Menu
rtrid - Set router ID
metrc - Set default gateway metric
cur - Display current IP configuration
The Nortel Application Switch can be configured with up to 256 IP interfaces. Each IP interface
represents the Nortel Application Switch on an IP subnet on your network. The Interface option is
disabled by default.
ip6nd
Opens the IPv6 Neighbor Discovery menu This menu is used to enable or disable the sending of
IPv6 Router Advertisement packets from this interface. For more information on this topic, refer
to page 345.
addr <IP address (such as 192.4.17.101 for IPv4 or 3001::abcd:5678 for IPv6)>
Configures the IP address of the switch interface using dotted decimal notation for IPv4 and colon
notation for IPv6.
mask <IP subnet mask for IPv4 or prefix length for IPv6 (such as 255.255.255.0 for IPv4 or 64 for
IPv6)>
Configures the IP subnet address mask for the interface using dotted decimal notation for IPv4 or
prefix length for IPv6.
relay disable|enable
Enables or disables the BOOTP relay on this interface. It is enabled by default.
ena
Enables this IP interface.
dis
Disables this IP interface.
del
Removes this IP interface.
cur
Displays the current interface settings.
/cfg/l3/if/ip6nd
IPv6 Neighbor Discovery Menu
[IP6 Neighbor Discovery Menu]
rtradv - Enable/disable router advertisement
This menu is used to configure the sending of IPv6 Neighbor Discovery router advertisements
from this interface.
NOTE – The switch can be configured with up to 255 gateways. Gateways one to four are
reserved for default gateway load balancing. Gateways five to 259 are used for load-balancing
of VLAN-based gateways.
addr <default gateway address (such as, 192.4.17.44 for IPv4 or 3001::abcd:1234 for IPv6)>
Configures the IP address of the default IP gateway using dotted decimal notation for IPv4 and
colon notation for IPv6.
prio <high|low>
Allows you to change the priority of the default gateway route to either high or low, relative to
learned default routes. If you set the priority to high, then the default gateway route will always
be preferred over learned default routes (such as from OSPF, BGP, or RIP protocols). If you set the
priority to low, then learned default routes will always be preferred over the default gateway
route.
NOTE – By default learned default route has higher priority than the configured default
gateway route.
arp disable|enable
Enables or disables Address Resolution Protocol (ARP) health checks. This command is disabled
by default.
ena
Enables the gateway for use.
dis
Disables the gateway.
del
Deletes the gateway from the configuration.
cur
Displays the current gateway settings.
/cfg/l3/route
IP Static Route Configuration
[IP Static Route Menu]
add - Add static route
rem - Remove static route
cur - Display current static routes
cur
Displays the current IP static routes.
/cfg/l3/arp
ARP Configuration Menu
Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet
layer. ARP resolves a physical address from an IP address. ARP queries machines on the local
network for their physical addresses. ARP also maintains IP to physical address pairs in its
cache memory. In any IP communication, the ARP cache is consulted to see if the IP address of
the computer or the router is present in the ARP cache. Then the corresponding physical
address is used to send a packet.
[ARP Menu]
static - Static ARP Menu
rearp - Set re-ARP period in minutes
cur - Display current ARP configuration
/cfg/l3/arp/static
ARP Static Configuration Menu
Static ARP entries are permanent in the ARP cache and do not age out like the ARP entries that
are learnt dynamically. Static ARP entries enable the switch to reach the hosts without sending
an ARP broadcast request to the network. Static ARPs are also useful to communicate with
devices that do not respond to ARP requests. Static ARPs can also be configured on some gate-
ways as a protection against malicious ARP Cache corruption and possible DOS attacks.
NOTE – Nortel Application Switch Operating System 21.0 and above allows the static ARP
configuration to be retained over reboots. Nortel Application Switch Operating System 20.x
and below allow the user to configure the ARP information but that information cannot be
retained over a switch reboot.
cur
Displays current static ARP configuration.
/cfg/l3/frwd
IP Forwarding Configuration Menu
[IP Forwarding Menu]
local - Local network definition for route caching menu
dirbr - Enable or disable forwarding directed broadcasts
on - Globally turn IP Forwarding ON
off - Globally turn IP Forwarding OFF
cur - Display current IP Forwarding configuration
local
Displays the menu used to define local network for route caching. Up to five local networks (lnets)
can be configured. To view menu options, see page 350.
dirbr disable|enable
Enables or disables forwarding directed broadcasts. This command is disabled by default.
on
Enables IP forwarding (routing) on the Nortel Application Switch.
off
Disables IP forwarding (routing) on the Nortel Application Switch. Forwarding is turned on by
default.
cur
Displays the current IP forwarding settings.
/cfg/l3/frwd/local
Local Network Route Caching Definition
This menu is used for adding local networks by setting the local network address and netmask
for the route cache, and to remove local networks.
cur
Displays the current local network definitions.
By default, the local network address and mask are both set to 0.0.0.0. This produces a range
that includes all Internet addresses for route caching: 0.0.0.0 through 255.255.255.255.
Addresses to be cached are subnets that are directly connected and for which there is an inter-
face configured on the Nortel Application Switch. To limit the route cache to your local hosts,
you could configure the parameters as shown in the examples in the following table.
NOTE – All addresses that fall outside the defined range are forwarded to the default gateway.
The default gateways must be within range.
/cfg/l3/nwf
Network Filter Configuration
[IP Network Filter 1 Menu]
addr - IP Address
mask - IP Subnet mask
enable - Enable Network Filter
disable - Disable Network Filter
delete - Delete Network Filter
cur - Display current Network Filter configuration
mask <IP4 subnet mask (such as, 255.255.255.0)> | <IP6 mask prefix len (eg, 64)>
Sets the IP subnet mask that is used with /cfg/l3/nwf/addr to define the range of IP
addresses that will be accepted by the peer when the filter is enabled. The default value is 0.0.0.0.
For Border Gateway Protocol (BGP), assign the network filter to a route map, then assign the route
map to the peer.
enable
Enables the Network Filter configuration.
disable
Disables the Network Filter configuration.
delete
Deletes the Network Filter configuration.
cur
Displays the current the Network Filter configuration. For example:
Current Network Filter 1:
addr 0.0.0.0, mask 0.0.0.0, disabled
NOTE – The map number (1-32) represents the routing map you wish to configure.
lp <(value 0-4294967294)>|none
Sets the local preference of the matched route, which affects both inbound and outbound direc-
tions. The path with the higher preference is preferred.
enable
Enables the route map.
disable
Disables the route map.
delete
Deletes the route map.
cur
Displays the current route configuration.
NOTE – The route map number (1-32) and the access list number (1-8) represent the IP access
list you wish to configure.
metric <(1-4294967294)>|none
Sets the metric value in the AS-External (ASE) LSA.
enable
Enables the access list.
disable
Disables the access list.
delete
Deletes the access list.
cur
Displays the current Access List configuration.
NOTE – The rmap number (1-32) and the path number (1-8) represent the AS path you wish to
configure.
enable
Enables the Autonomous System filter.
disable
Disables the Autonomous System filter.
delete
Deletes the Autonomous System filter.
cur
Displays the current Autonomous System filter configuration.
/cfg/l3/rip
Routing Information Protocol Configuration
The Routing Information Protocol (RIP) is an interior gateway protocol (IGP). RIP is one of a
class of algorithms known as distance vector algorithms. The distance or hop count is used as
the metric to determine the best path to a remote network or host where the hop count does not
exceed 15 hops assuming a cost of one for each network. RIP uses broadcast User Datagram
protocol (UDP) data packets to exchange routing information.
RIP sends routing information updates every 30 seconds. This update contains known net-
works and the distances (hop count) associated with each one. For RIP1, no mask information
is exchanged; the natural mask is always applied by the router receiving the update. For RIP2,
mask information is sent. There are two timers associated with each route: a timeout
and garbage-collection timer. Upon expiration of the timeout timer, the route is no longer valid
but it is retained in the routing table for a short time so that neighbors can be notified that the
route has been dropped. Upon expiration of the garbage-collection timer, the route is finally
removed from the routing table. The timeout timer is set for 180 seconds and the garbage-col-
lection timer is set for 120 seconds by default.
The menu below is used for configuring globally Routing Information Protocol parameters.
The Routing Information Protocol is turned off by default.
vip disable|enable
Enables or disables the advertisement of virtual IP addresses as Host Routes. If a VIP route exists
in a routing table, it will always be advertised except when it is included in another network route
that is already being advertised.
Note: If all real servers behind a VIP go down, the route gets removed from the routing table, and
will not be advertised. If we disable all the real servers using operation command, the VIP route
does not get eliminated from the routing table, and the switch will continue to advertise the route.
statc disable|enable
Enables or disables the advertisement of static routes.
on
Globally turns RIP ON.
off
Globally turns RIP OFF.
cur
Displays the current RIP configuration.
/cfg/l3/rip/if
RIP Interface Menu
[RIP Interface 1 Menu]
version - Set RIP version
supply - Enable/disable supplying route updates
listen - Enable/disable listening to route updates
poison - Enable/disable poisoned reverse
trigg - Enable/disable triggered updates
mcast - Enable/disable multicast updates
default - Set default route action
metric - Set metric
auth - Set authentication type
key - Set authentication key
enable - Enable interface
disable - Disable interface
current - Display current RIP interface configuration
version 1|2|both
Set the RIP version. The default value is 2.
supply disable|enable
Enables or disables supplying route updates. When enabled, the switch supplies routes to other
routers. This is enabled by default.
listen disable|enable
When enabled, the switch stores routing information from other routers. The default is enabled.
poison disable|enable
When enabled, the switch uses split horizon with poisoned reverse. The default is disabled. When
disabled, the switch uses split horizon only.
mcast disable|enable
Enable or disable triggered updates. The default is enabled.
default none|listen|supply|both
Set the default route action. The default action is none.
auth none|password
Set the type of authentication. The default value is none.
enable
Enable the interface.
disable
Disable the interface.
current
Displays current values of all objects settable from this menu.
/cfg/l3/ospf
Open Shortest Path First Configuration
Nortel Application Switch Operating System supports the Open Shortest Path First (OSPF)
routing protocol. The Nortel Application Switch Operating System implementation conforms
to the OSPF version 2 specifications detailed in Internet RFC 1583.
OSPF is designed for routing traffic within a single IP domain called an Autonomous System
(AS). The AS can be divided into smaller logical units known as areas. In any AS with multi-
ple areas, one area must be designated as area 0, known as the backbone. The backbone acts as
the central OSPF area. All other areas in the AS must be connected to the backbone. Areas
inject summary routing information into the backbone, which then distributes it to other areas
as needed. For more information on how to configure OSPF on the switch, refer to your Nortel
Application Switch Operating System Application Guide.
redist <fixed|static|rip|ebgp|ibgp>
Displays Route Distribution Menu See page 370 to view menu options.
on
Enables OSPF on the Nortel Application Switch.
off
Disables OSPF on the Nortel Application Switch.
cur
Displays the current OSPF configuration settings.
/cfg/l3/ospf/aindex
Area Index Configuration Menu
type transit|stub|nssa
Defines the type of area. For example, when a virtual link has to be established with the backbone,
the area type must be defined as transit.
Transit area: allows area summary information to be exchanged between routing devices. Any
area that is not a stub area or NSSA is considered to be transit area.
Stub area: is an area where external routing information is not distributed. Typically, a stub area is
connected to only one other area.
NSSA: Not-So-Stubby Area (NSSA) is similar to stub area with additional capabilities. For exam-
ple, routes originating from within the NSSA can be propagated to adjacent transit and backbone
areas. External routes from outside the Autonomous System (AS) can be advertised within the
NSSA but are not distributed into other areas.
auth none|password|md5
None: No authentication required.
Password: Authenticates simple passwords so that only trusted routing devices can participate.
MD5: This parameter is used when MD5 cryptographic authentication is required.
enable
Enables the OSPF area.
disable
Disables the OSPF area.
delete
Deletes the OSPF area.
cur
Displays the current OSPF configuration.
/cfg/l3/ospf/range
OSPF Summary Range Configuration Menu
hide disable|enable
Hides the OSPF summary range.
enable
Enables the OSPF summary range.
disable
Disables the OSPF summary range.
delete
Deletes the OSPF summary range.
cur
Displays the current OSPF summary range.
/cfg/l3/ospf/if
OSPF Interface Configuration Menu
key <key>|none
Sets the authentication key to clear the password.
enable
Enables OSPF interface.
disable
Disables OSPF interface.
delete
Deletes OSPF interface.
cur
Displays the current settings for OSPF interface.
/cfg/l3/ospf/virt
OSPF Virtual Link Configuration Menu
key <key>|none
Displays the password (up to eight characters) for each virtual link. Default is none.
enable
Enables OSPF virtual link.
disable
Disables OSPF virtual link.
delete
Deletes OSPF virtual link.
cur
Displays the current OSPF virtual link settings.
/cfg/l3/ospf/md5key
OSPF MD5 Key Configuration Menu
delete
Deletes the authentication key for this OSPF packet.
cur
Displays the current MD5 key configuration.
/cfg/l3/ospf/host
OSPF Host Entry Configuration Menu
enable
Enables OSPF host entry.
disable
Disables OSPF host entry.
delete
Deletes OSPF host entry.
cur
Displays the current OSPF host entries.
/cfg/l3/ospf/redist
<fixed|static|rip|ebgp|ibgp>
OSPF Route Redistribution Configuration Menu.
cur
Displays the current route map settings.
/cfg/l3/bgp
Border Gateway Protocol Configuration
Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to
share routing information with each other and advertise information about the segments of the
IP address space they can access within their network with routers on external networks. BGP
allows you to decide what is the “best” route for a packet to take from your network to a desti-
nation on another network, rather than simply setting a default route from your border router(s)
to your upstream provider(s). You can configure BGP either within an autonomous system or
between different autonomous systems. When run within an autonomous system, it is called
internal BGP (iBGP). When run between different autonomous systems, it is called external
BGP (eBGP). BGP is defined in RFC 1771.
The BGP Menu enables you to configure the switch to receive routes and to advertise static
routes, fixed routes and virtual server IP addresses with other internal and external routers.
NOTE – Fixed routes are subnet routes. There is one fixed route per IP interface.
off
Globally turns BGP off.
cur
Displays the current BGP configuration.
This menu is used to configure BGP peers, which are border routers that exchange routing
information with routers on internal and external networks. The peer option is disabled by
default.
redist
Displays BGP Redistribution Menu. To view the menu options, see page 375.
ena
Enables this peer configuration.
dis
Disables this peer configuration.
del
Deletes this peer configuration.
cur
Displays the current BGP peer configuration.
/cfg/l3/bgp/peer/redist
BGP Redistribution Configuration Menu
[Redistribution Menu]
metric - Set default-metric of advertised routes
default - Set default route action
rip - Enable/disable advertising RIP routes
ospf - Enable/disable advertising OSPF routes
fixed - Enable/disable advertising fixed routes
static - Enable/disable advertising static routes
vip - Enable/disable advertising VIP routes
cur - Display current redistribution configuration
default none|import|originate|redistribute
Sets default route action.
Defaults routes can be configured as import, originate, redistribute, or none.
None: No routes are configured
Import: Import these routes.
Originate: The switch sends a default route to peers even though it does not have any default
routes in its routing table.
Redistribute: Default routes are either configured through default gateway or learned through
other protocols and redistributed to peer. If the routes are learned from default gateway configura-
tion, you have to enable static routes since the routes from default gateway are static routes. Simi-
larly, if the routes are learned from a certain routing protocol, you have to enable that protocol in
this redistribute submenu.
rip disable|enable
Enables or disables advertising RIP routes
ospf disable|enable
Enables or disables advertising OSPF routes.
fixed disable|enable
Enables or disables advertising fixed routes.
static disable|enable
Enables or disables advertising static routes.
vip disable|enable
Enables or disables advertising VIP routes.
cur
Displays the current redistribution configuration.
NOTE – The aggregate number (1-16) represents the aggregation route you wish to configure.
This menu allows you to configure aggregate routing to condense the number of routes
between internal and external peer routers.
The Layer 3 Port Menu allows you to turn IP forwarding on or off on a port-by-port basis. By
default, the port forwarding option is turned on.
on
Enables IP forwarding for the current port.
off
Disables IP forwarding for the current port.
cur
Displays the current IP forwarding settings.
/cfg/l3/dns
Domain Name System Configuration Menu
[Domain Name System Menu]
prima - Set IP address of primary DNS server
secon - Set IP address of secondary DNS server
dname - Set default domain name
cur - Display current DNS configuration
The Domain Name System (DNS) Menu is used for defining the primary and secondary DNS
servers on your local network, and for setting the default domain name served by the switch
services. DNS parameters must be configured prior to using hostname parameters with the
ping, traceroute, and tftp commands.
cur
Displays the current Domain Name System settings.
/cfg/l3/bootp
Bootstrap Protocol Relay Configuration Menu
[Bootstrap Protocol Relay Menu]
addr - Set IP address of BOOTP server
addr2 - Set IP address of second BOOTP server
on - Globally turn BOOTP relay ON
off - Globally turn BOOTP relay OFF
cur - Display current BOOTP relay configuration
The Bootstrap Protocol (BOOTP) Relay Menu is used to allow hosts to obtain their configura-
tions from a Dynamic Host Configuration Protocol (DHCP) server. The BOOTP configuration
enables the switch to forward a client request for an IP address to two DHCP/BOOTP servers
with IP addresses that have been configured on the Nortel Application Switch.
on
Globally turns on BOOTP relay.
off
Globally turns off BOOTP relay.
cur
Displays the current BOOTP relay configuration.
/cfg/l3/vrrp
VRRP Configuration Menu
[Virtual Router Redundancy Protocol Menu]
vr - VRRP Virtual Router Menu
vrgroup - VRRP Virtual Router Vrgroup Menu
group - VRRP Virtual Router Group Menu
if - VRRP Interface Menu
track - VRRP Priority Tracking Menu
hotstan - Enable/disable hot-standby processing
on - Globally turn VRRP ON
off - Globally turn VRRP OFF
holdoff - Globally VRRP hold off time
cur - Display current VRRP configuration
Virtual Router Redundancy Protocol (VRRP) support on Nortel Application Switch provides
redundancy between routers in a LAN. This is accomplished by configuring the same virtual
router IP address and ID number on each participating VRRP-capable routing device. One of
the virtual routers is then elected as the master, based on a number of priority criteria, and
assumes control of the shared virtual router IP address. If the master fails, one of the backup vir-
tual routers will assume routing authority and take control of the virtual router IP address.
By default, VRRP is disabled. Nortel Application Switch Operating System has extended
VRRP to include virtual servers as well, allowing for full active/active redundancy between its
Layer 4 switches.For more information on VRRP, see the “High Availability” chapter in your
Nortel Application Switch Operating System 23.0.2 Application Guide.
group
Displays the VRRP virtual router group menu, used to combine all virtual routers together as one
logical entity. Group options must be configured when using two or more Nortel Application
Switches in a hot-standby failover configuration where only one switch is active at any given time.
To view menu options, see page 390.
track
Displays the VRRP Tracking Menu. This menu is used for weighting the criteria used when modi-
fying priority levels in the master router election process. To view menu options, see page 395.
hotstan disable|enable
Enables or disables hot standby processing, in which two or more switches provide redundancy for
each other. By default, this option is disabled.
on
Globally enables VRRP on this switch.
off
Globally disables VRRP on this switch.
cur
Displays the current VRRP parameters.
This menu is used for configuring up to 256 virtual routers for this switch. A virtual router is
defined by its virtual router ID and an IP address. On each VRRP-capable routing device par-
ticipating in redundancy for this virtual router, a virtual router will be configured to share the
same virtual router ID and IP address.
This menu is used for modifying the priority system used when electing the master router from
a pool of virtual routers. Various tracking criteria can be used to bias the election results. Each
time one of the tracking criteria is met, the priority level for the virtual router is increased by an
amount defined through the VRRP Tracking Menu (see page 395).
Criteria are tracked dynamically, continuously updating virtual router priority levels when
enabled. If the virtual router preemption option (see preem in Table 6-91 on page 383) is
enabled, this virtual router can assume master routing authority when its priority level rises
above that of the current master.
Some tracking criteria (vrs, ifs, and ports below) apply to standard virtual routers, other-
wise called “virtual interface routers.” Other tracking criteria (l4pts, reals, and hsrp)
apply to “virtual server routers,” which perform Layer 4 Server Load Balancing functions. A
virtual server router is defined as any virtual router whose IP address (addr) is the same as
any configured virtual server IP address.
vrs disable|enable
When enabled, the priority for this virtual router will be increased for each virtual router in master
mode on this switch. This is useful for making sure that traffic for any particular client/server pair-
ing are handled by the same switch, increasing routing and load balancing efficiency. This com-
mand is disabled by default.
ifs disable|enable
When enabled, the priority for this virtual router will be increased for each IP interface active on
this switch. An IP interface is considered active when there is at least one active port on the same
VLAN. This helps elect the virtual routers with the most available routes as the master. This com-
mand is disabled by default.
ports disable|enable
When enabled, the priority for this virtual router will be increased for each active port on the same
VLAN. A port is considered “active” if it has a link and is forwarding traffic. This helps elect the
virtual routers with the most available ports as the master. This command is disabled by default.
l4pts disable|enable
When enabled for virtual server routers, the priority for this virtual router will be increased for
each physical switch port which has active Layer 4 processing on this switch. This helps elect the
main Layer 4 switch as the master. This command is disabled by default.
reals disable|enable
When enabled for virtual server routers, the priority for this virtual router will be increased for
each healthy real server behind the virtual server IP address of the same IP address as the virtual
router on this switch. This helps elect the switch with the largest server pool as the master, increas-
ing Layer 4 efficiency. This command is disabled by default.
hsrp disable|enable
Hot Standby Router Protocol (HSRP) is used with some types of routers for establishing router
failover. In networks where HSRP is used, enable this switch option to increase the priority of this
virtual router for each Layer 4 client-only port that receives HSRP advertisements. Enabling HSRP
helps elect the switch closest to the master HSRP router as the master, optimizing routing effi-
ciency. This command is disabled by default.
hsrv disable|enable
Hot Standby Router on VLAN (HSRV) is used to work in VLAN-tagged environments. Enable
this switch option to increment only that vrrp instance that is on the same VLAN as the tagged
hsrp master flagged packet. This command is disabled by default.
cur
Displays the current configuration for priority tracking for this virtual router.
/cfg/l3/vrrp/vrgroup
Virtual Router Group Menu
This feature allows the failover of individual groups of VIRs and VSRs. When Web hosting is
shared between two or more customers on a single VRRP switch, you can group VIRs and
VSRs to serve the high availability of a specific customer. If failover occurs on a customer
link, the group of VIRs and VSRs associated with that customer alone will fail over to the
backup switch. The VIRs and VSRs configured for the other customers on the master switch
are not affected.
track
Displays VRRP priority tracking menu for this virtual router group. Tracking is Nortel’s propri-
etary extension to VRRP, used for modifying the standard priority system used for electing the
master router. To view menu options, see page 388.
name
Defines virtual router group name up to eight characters.
prio <1-254>
Defines the election priority bias for this virtual router group. This can be any integer between 1
and 254. The default value is 100.
During the master router election process, the routing device with the highest virtual router priority
number wins. If there is a tie, the device with the highest IP interface address wins. If this virtual
router’s IP address (addr) is the same as the one used by the IP interface, the priority for this vir-
tual router will automatically be set to 255 (highest).
When priority tracking is used (/cfg/l3/vrrp/vrgroup #/track), this base priority value
can be modified according to a number of performance and operational criteria.
preem disable|enable
Enable/disable preemption for group.
share disable|enable
Enable/disable sharing for group.
ena
Enables the virtual router group.
dis
Disables the virtual router group.
del
Deletes the virtual router group.
cur
Displays the current VRRP virtual router group configuration.
This menu is used for modifying the priority system used when electing the master router from
a pool of virtual routers. Various tracking criteria can be used to bias the election results. Each
time one of the tracking criteria is met, the priority level for the virtual router is increased by an
amount defined through the VRRP Tracking Menu (see page 395). Criteria are tracked dynam-
ically, continuously updating virtual router priority levels when enabled.
ifs disable|enable
When enabled, the priority will be increased for each IP interface active on this virtual router
group. An IP interface is considered active when there is at least one active port on the same
VLAN. This helps elect the virtual routers with the most available routes as the master. This com-
mand is disabled by default.
ports disable|enable
When enabled, the priority will be increased for each active port on the VLAN on this virtual
router group. A port is considered “active” if it has a link and is forwarding traffic. This helps elect
the virtual routers with the most available ports as the master. This command is disabled by
default.
l4pts disable|enable
When enabled for virtual server routers, the priority will be increased for each physical switch port
which has active Layer 4 processing on this virtual router group. This helps elect the main Layer 4
switch as the master. This command is disabled by default.
reals disable|enable
When enabled for virtual server routers, the priority will be increased for each healthy real server
behind the virtual server IP address of the same IP address as the virtual router on this virtual
router group. This helps elect the switch with the largest server pool as the master, increasing
Layer 4 efficiency. This command is disabled by default.
hsrp disable|enable
Hot Standby Router Protocol (HSRP) is used with some types of routers for establishing router
failover. In networks where HSRP is used, enable this switch option to increase the priority of this
virtual router group for each Layer 4 client-only port that receives HSRP advertisements. Enabling
HSRP helps elect the switch closest to the master HSRP router as the master, optimizing routing
efficiency. This command is disabled by default.
hsrv disable|enable
Hot Standby Router on VLAN (HSRV) is used to work in VLAN-tagged environments. Enable
this switch option to increment only that vrrp instance on the virtual router group that is on the
same VLAN as the tagged hsrp master flagged packet. This command is disabled by default.
cur
Displays the current configuration for priority tracking for this virtual router group.
/cfg/l3/vrrp/group
Virtual Router Group Configuration
[VRRP Virtual Router Group Menu]
track - Priority Tracking Menu
vrid - Set virtual router ID
if - Set interface number
prio - Set renter priority
adver - Set advertisement interval
preem - Enable or disable preemption
share - Enable or disable sharing
ena - Enable virtual router
dis - Disable virtual router
del - Delete virtual router
cur - Display current VRRP virtual router configuration
The Virtual Router Group menu is used for associating all virtual routers into a single logical
virtual router, which forces all virtual routers on the Nortel Application Switch to either be master
or backup as a group. A virtual router is defined by its virtual router ID and an IP address. On
each VRRP-capable routing device participating in redundancy for this virtual router, a virtual
router will be configured to share the same virtual router ID and IP address.
NOTE – This option is required to be configured only when using at least two Nortel Application
Switches in a hot-standby failover configuration, where only one switch is active at any time.
track
Displays the VRRP Priority Tracking Menu for the virtual router group. Tracking is Nortel’s pro-
prietary extension to VRRP, used for modifying the standard priority system used for electing the
master router. Tracking is not needed if sharing (share) is enabled.
To view menu options, see page 395.
preem disable|enable
Enables or disables master preemption. When enabled, if the virtual router group is in backup
mode but has a higher priority than the current master, this virtual router will preempt the lower
priority master and assume control. Note that even when preem is disabled, this virtual router will
always preempt any other master if this switch is the owner (the IP interface address and virtual
router addr are the same). By default, this option is enabled.
share disable|enable
Enables or disables virtual router sharing, Nortel’s proprietary extension to VRRP. When enabled,
this switch will process any traffic addressed to this virtual router, even when in backup mode. By
default, this option is enabled.
ena
Enables the virtual router group.
dis
Disables the virtual router group.
del
Deletes the virtual router group from the switch configuration.
cur
Displays the current configuration information for the virtual router group.
/cfg/l3/vrrp/group/track
Virtual Router Group Priority Tracking Configuration
NOTE – If Virtual Router Group Tracking is enabled, then the tracking option will be available
only under group option. The tracking setting for the other individual virtual routers will be
ignored.
ifs disable|enable
When enabled, the priority for this virtual router will be increased for each other IP interface active
on this switch. An IP interface is considered active when there is at least one active port on the
same VLAN. This helps elect the virtual routers with the most available routes as the master. This
command is disabled by default.
ports disable|enable
When enabled, the priority for this virtual router will be increased for each active port on the same
VLAN. A port is considered “active” if it has a link and is forwarding traffic. This helps elect the
virtual routers with the most available ports as the master. This command is disabled by default.
l4pts disable|enable
When enabled for virtual server routers, the priority for this virtual router will be increased for
each physical switch port which has active Layer 4 processing on this switch. This helps elect the
main Layer 4 switch as the master. This command is disabled by default.
reals disable|enable
When enabled for virtual server routers, the priority for this virtual router will be increased for
each healthy real server. This helps elect the switch with the largest server pool as the master,
increasing Layer 4 efficiency. This command is disabled by default.
hsrp disable|enable
Enables Hot Standby Router Protocol (HSRP) for this virtual router group. HSRP is used with
some types of routers for establishing router failover. In networks where HSRP is used, enable this
switch option to increase the priority of this virtual router for each Layer 4 client-only port that
receives HSRP advertisements. This helps elect the switch closest to the master HSRP router as the
master, optimizing routing efficiency. This command is disabled by default.
hsrv disable|enable
Hot Standby Router on VLAN (HSRV) is used to work in VLAN-tagged environments. Enable
this switch option to increment only that vrrp instance that is on the same VLAN as the tagged
hsrp master flagged packet. This command is disabled by default.
cur
Displays the current configuration for priority tracking for this virtual router.
This menu is used for configuring VRRP authentication parameters for the IP interfaces used
with the virtual routers.
auth none|password
Defines the type of authentication that will be used: none (no authentication), or password
(password authentication).
passw <password>
Defines a plain text password up to eight characters long. This password will be added to each
VRRP packet transmitted by this interface when password authentication is chosen (see auth
above).
del
Clears the authentication configuration parameters for this IP interface. The IP interface itself is
not deleted.
cur
Displays the current configuration for this IP interface’s authentication parameters.
/cfg/l3/vrrp/track
VRRP Tracking Configuration
[VRRP Tracking Menu]
vrs - Set priority increment for virtual router tracking
ifs - Set priority increment for IP interface tracking
ports - Set priority increment for VLAN switch port tracking
l4pts - Set priority increment for L4 switch port tracking
reals - Set priority increment for L4 real server tracking
hsrp - Set priority increment for HSRP tracking
hsrv - Set priority increment for HSRP by VLAN tracking
cur - Display current VRRP Priority Tracking configuration
This menu is used for setting weights for the various criteria used to modify priority levels dur-
ing the master router election process. Each time one of the tracking criteria is met (see “VRRP
Virtual Router Priority Tracking Menu” on page 385), the priority level for the virtual router is
increased by an amount defined through this menu.
vrs <0-254>
Defines the priority increment value (1 through 254) for virtual routers in master mode detected on
this switch. The default value is 2.
ifs <0-254>
Defines the priority increment value (1 through 254) for active IP interfaces detected on this
switch. The default value is 2.
ports <0-254>
Defines the priority increment value (1 through 254) for active ports on the virtual router’s VLAN.
The default value is 2.
l4pts <0-254>
Defines the priority increment value (1 through 254) for physical switch ports with active Layer 4
processing. The default value is 2.
reals <0-254>
Defines the priority increment value (1 through 254) for healthy real servers behind the virtual
server router. The default value is 2.
hsrp <0-254>
Defines the priority increment value (1 through 254) for switch ports with Layer 4 client-only pro-
cessing that receive HSRP broadcasts. The default value is 10.
hsrv <0-254>
Defines the priority increment value (1 through 254) for vrrp instances that are on the same
VLAN.
The default value is 10.
cur
Displays the current configuration of priority tracking increment values.
These priority tracking options only define increment values. These options do not affect the
VRRP master router election process until options under the VRRP Virtual Router Priority
Tracking Menu (see page 385) are enabled.
/cfg/slb
/cfg/slb displays the Server Load Balancing Configuration Menu. To view menu options, see Chapter 7,
“The SLB Configuration Menu”.
/cfg/security
Security Configuration Menu
[Security Menu]
port - Port Security Menu
ipacl - IP ACL Menu
udpblast - UDP Blast Protection Menu
dos - Protocol Anomaly and DoS Attack Prevention Menu
pgroup - Pattern Match Group Menu
seclog - Set rate threshold for security logging
pdepth - Set packet depth for pattern matching
cur - Display current Security configuration
ipacl
Displays IP address Access Control Menu. To view options, see page 400.
udpblast
Displays UDP Blast Menu. To view menu options, see page 402.
dos
Go to the Protocol Anomaly and DoS Attack Prevention Menu. To view menu
options, see page 403.
cur
Displays the current security configuration.
/cfg/security/port
Port Security Menu
[Port <port_number> Menu]
bogon - Enable/disable bogon IP ACL
ipacl - Enable/disable IP ACL
udpblast - Enable/disable UDP blast protection
dos - Enable/disable protocol anomaly and DoS attack prevention
add - Add protocol anomaly/DoS attack to prevention
aadd - Add all protocol anomaly/DoS attack to prevention
rem - Remove protocol anomaly/DoS attack from prevention
arem - Remove all protocol anomaly/DoS attack from prevention
help - Protocol anomaly and DoS attack prevention description
cur - Display current port configuration
bogon enable|disable
Enable or disable bogon IP ACL.
ipacl enable|disable
Enable or disable IP ACL.
udpblast enable|disable
Enable or disable UDP blast protection.
dos enable|disable
Enable or disable protocol anomaly and DoS attack prevention.
aadd
Add all protocol anomaly/DoS attack to prevention for the port.
arem
Remove all protocol anomaly/DoS attack from prevention for the port.
help
Description of Protocol anomaly and DoS attack prevention.
cur
Display current port configuration. For example:
Current port 1:
bogon disabled, ipacl disabled, udpblast disabled, dos disabled
/cfg/security/ipacl
IP Address Access Control List Configuration Menu
Nortel Application Switch Operating System can be configured with IP access control lists
(ACLs) composed of ranges of client IP addresses that are to be denied access to the switch.
When traffic ingresses the switch, the client source or destination IP address is checked against
this pool of addresses. If a match is found, then the client traffic is blocked.
arem
Remove all configuration source IP Address/Mask.
darem
Remove all configuration destination IP Address/Mask.
cfg
Display configuration IP Address/Mask.
bogon
Display bogon IP Address/Mask.
oper
Display operations IP Address/Mask.
cur
Displays current IP addresses ranges in Access Control List.
/cfg/security/udpblast
UDP Blast Protection Configuration Menu
Malicious attacks over UDP protocol ports are becoming a common way to bring down real
servers. Nortel Application Switch Operating System can be configured to restrict the amount
of traffic allowed on any UDP port, thus ensuring that backend servers are not flooded with
data and disabled.
You can specify a series of UDP port ranges and the allowed packet limit for that range. When
the maximum number of packets/second is reached, UDP traffic is shut down on those ports.
Nortel Application Switch Operating System supports up to 5000 UDP port numbers, using
any integer from 1 to 65535. The maximum port range is 5000. If the first port number is 300,
the last number that can be used is 5300.
While you can configure multiple port ranges, the sum of ranges cannot exceed the maximum
of 5000 ports.
cur
Displays all UDP blast protection ports.
/cfg/security/dos
Anomaly and Denial of Service Attack Prevention Menu
[Protocol Anomaly and DoS Attack Prevention Menu]
ipttl - Set the smallest allowable IP ttl for ipttl
ipprot - Set the highest allowable IP protocol for ipprot
fragdata - Set smallest allowable IP fragment payload for fragdata
fragoff - Set the smallest allowable IP fragment offset for fragoff
syndata - Set the largest allowable TCP SYN payload for syndata
icmpdata - Set the largest allowable ICMP payload for icmpdata
icmpoff - Set the largest allowable ICMP fragment offset for icmpoff
help - Protocol anomaly and DoS attack prevention description
cur - Display current protocol anomaly and DoS attack prevention
help
Description of the Anomaly and DoS attack prevention.
cur
Display current protocol anomaly and DoS attack prevention settings. For example:
Current protocol anomaly and DoS attack prevention settings:
ipttl 1, ipprot 137, fragdata 32, fragoff 4, syndata 0,
icmpdata 800, icmpoff 101
The filtering commands in Nortel Application Switch Operating System Advanced Denial of
Service Pack allow the administrator to define groups of patterns. By applying the patterns and
groups to a deny filter, the packet content can be detected and thus denied access to the net-
work.
The Nortel Application Switch Operating System 23.0 supports up to 1024 pattern matching
groups.
del
Deletes the pattern group.
cur
Displays the current configuration of this pattern group.
/cfg/sslproc
SSL Processor Menu
[SSL Processor Menu]
mip - Set SSL processor management IP
port - Set SSL processor Web server port
rts - Enable/disable RTS processing
filt - Enable/disable filtering
add - Add filter
rem - Remove filter
cur - Display current SSL processor configuration
rts enable|disable
Enable/disable RTS processing
filt enable|disable
Enable/disable filtering.
cur
Display current SSL processor configuration.
/cfg/setup
Setup
The setup program steps you through configuring the system date and time, BOOTP, IP, Span-
ning Tree, port speed/mode, VLAN parameters, and IP interfaces. For a complete description
of how to use setup, see Chapter 2, “First-Time Configuration.”
/cfg/dump
Dump
The dump program writes the current switch configuration to the terminal screen. To start the
dump program, at the Configuration# prompt, enter:
Configuration# dump
The configuration is displayed with parameters that have been changed from the default val-
ues. The screen display can be captured, edited, and placed in a script file, which can be used to
configure other switches through a Telnet connection. When using Telnet to configure a new
switch, paste the configuration commands from the script file at the command line prompt of
the switch. The active configuration can also be saved or loaded via TFTP, as described on
page 408.
/cfg/ptcfg
Saving the Active Switch Configuration
When the ptcfg command is used, the switch’s active configuration commands (as displayed
using /cfg/dump) will be uploaded to the specified script configuration file on the TFTP or
FTP server. To start the switch configuration upload, at the Configuration# prompt, enter:
Configuration# ptcfg <TFTP/FTP server> <filename> {-tftp | ftp user name ftp password}
[-m | -mgmt | -d | -data]
where server is the TFTP or FTP server IP address or hostname, and filename is the name of
the target script configuration file.
NOTE – The output file is formatted with line-breaks but no carriage returns—the file cannot
be viewed with editors that require carriage returns (such as Microsoft Notepad).
NOTE – If the TFTP server is running SunOS or the Solaris operating system, the specified
ptcfg file must exist prior to executing the ptcfg command and must be writable (set with
proper permission, and not locked by any application). The contents of the specified file will
be replaced with the current configuration data.
/cfg/gtcfg
Restoring the Active Switch Configuration
When the gtcfg command is used, the active configuration will be replaced with
the commands found in the specified configuration file. The file can contain a full switch con-
figuration or a partial switch configuration. The configuration loaded using gtcfg is not acti-
vated until the apply command is used. If the apply command is found in the configuration
script file loaded using this command, the apply action will be performed automatically.
Configuration# gtcfg <TFTP/FTP server> <filename> {-tftp | ftp user name ftp password}
[-m | -mgmt | -d | -data]
where server is the TFTP or FTP server IP address or hostname, and filename is the name of
the target script configuration file.
This chapter discusses how to use the Command Line Interface (CLI) for configuring Server
Load Balancing (SLB) on the Nortel Application Switch. Refer to your Nortel Application Switch
Operating System Application Guide for detailed information on this feature.
411
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
/cfg/slb
SLB Configuration
[Layer 4 Menu]
real - Real Server Menu
group - Real Server Group Menu
virt - Virtual Server Menu
filt - Filtering Menu
port - Layer 4 Port Menu
gslb - Global SLB Menu
layer7 - Layer 7 Resource Definition Menu
wap - WAP Menu
sync - Config Synch Menu
adv - Layer 4 Advanced Menu
linklb - Inbound Linklb Menu
advhc - Layer 4 Advanced Health Check Menu
pip - Proxy IP Address Menu
peerpip - Peer Proxy IP Address Menu
wlm - Workload Manager Menu
on - Globally turn Layer 4 processing ON
off - Globally turn Layer 4 processing OFF
cur - Display current Layer 4 configuration
gslb
Displays the menu for configuring Global Server Load Balancing. To view menu options, see
page 465.
layer7
Displays Layer 7 Resource Definition Menu. To view menu options, see page 472.
wap
Displays WAP Menu. To view menu options, see page 477.
sync
Displays the Synch Peer Switch Menu. To view menu options, see page 478.
adv
Displays the Layer 4 Advanced Menu. To view menu options, see page 480.
linklb
Displays Inbound Link Load Balancing Menu. To view menu options, see page 484.
advhc
Displays Layer 4 Advanced Health Check Menu. To view menu options, see page 486.
pip
This menu is used to set the switch proxy IP address using dotted decimal notation. When the pip
is defined, client address information in Layer 4 requests is replaced with this proxy IP address.To
view options, see page 496.
peerpip
Displays Peer Proxy IP address Menu. When this command is enabled, the switch is able to for-
ward traffic from the other switch, using Layer 2, without performing server processing on the
packets of the other switch. This happens because the peer switches are aware of each other’s
proxy IP addresses. This prevents the dropping of a packet or being sent to the backup switch in
the absence of the proxy IP address of the peer switch.
To view menu options, see page 497.
wlm
Displays the menu for workload management of servers. To view menu options, see page 498.
on
Globally turns on Layer 4 software services for Server Load Balancing and Application Redirec-
tion. This option can be performed only after the optional Layer 4 software is enabled (see “Acti-
vating Optional Software on page 509). Enabling Layer 4 services is not necessary for using filters
only to allow, deny, or NAT traffic.
off
Globally disables Layer 4 services. All configuration information will remain in place
(if applied or saved), but the software processes will no longer be active in the switch
cur
Displays the current Server Load Balancing configuration.
Application Redirection filters, however, require Layer 4 software services. Layer 4 process-
ing must be turned on before redirection filters will work.
This menu is used for configuring information about real servers that participate in a server
pool for Server Load Balancing or Application Redirection. The required parameters are:
adv
Go to the Real Server Advanced menu. To view menu options, see page 421.
layer7
Displays the Layer 7 Menu. To view menu options, see page 421.
ids
Displays Intrusion Detection Server/system menu. To view menu options, see page 422.
overflo enable|disable
Enable or disable backup upon overflow.
remote disable|enable
Enables or disables remote site operation for this server. This option should be enabled when the
real IP address supplied above represents a remote server (real or virtual) that this switch will
access as part of its Global Server Load Balancing network. By default, this option is disabled.
proxy disable|enable
Enables or disables proxy IP address translation. With this option enabled (default), a client
request from any application can be proxied using a load-balancing Proxy IP address (PIP).
fasthc disable|enable
Enables or disables Fast Health Check operation. When enabled, the real server goes down opera-
tionally as soon as the physical port connected to the real server goes down. When disabled, the
real server will go down only after the configured health check interval.
This command is enabled by default.
submac disable|enable
Enables or disables source MAC address substitution. By default, this option is disabled.
ena
You must perform this command to enable this real server for Layer 4 service. When enabled, the
real server can process virtual server requests associated with its real server group. This option,
when the apply and save commands are used, enables this real server for operation until explic-
itly disabled.
See /oper/slb/ena on page 412 for an operations-level command.
dis
Disables this real server from Layer 4 service. A disabled server will no longer process virtual
server requests as part of the real server group to which it is assigned. This option, when the
apply and save commands are used, disables this real server until it is explicitly re-enabled.
NOTE – This option does not perform a graceful server shutdown.
See /oper/slb/dis on page 502 for an operations-level command that permits graceful server
shutdown.
del
Deletes this real server from the Layer 4 switching software configuration. This removes the real
server from operation within its real server groups. Use this command with caution, as it will
delete any configuration options that have been set for this real server. This option does not per-
form a graceful server shutdown.
cur
Displays the current configuration information for this real server.
/cfg/slb/real/adv
Real Server Advanced Menu
[Real Server 1 Advanced Menu]
avail - Set Global SLB availability for real server
remote - Enable/disable Global SLB remote site operation
proxy - Enable/disable client proxy operation
buddyhc - Buddy Server Menu
fasthc - Enable/disable fast health check operation
submac - Enable/disable source MAC address substitution
subdmac - Enable/disable destination MAC address substitution
cur - Display current real server advanced configuration
remote enable|disable
Enable/disable Global SLB remote site operation
proxy enable|disable
Enable/disable client proxy operation.
buddyhc
Go to the Buddy Server Menu.
fasthc enable|disable
Enable/disable fast health check operation.
submac enable|disable
Enable/disable source MAC address substitution.
subdmac enable|disable
Enable/disable destination MAC address substitution.
cur enable|disable
Display current real server advanced configuration.
/cfg/slb/real/adv/buddyhc
Buddy Server Health Check Menu
[Real server 1 Buddy Menu]
addbd - Add Buddy Server
delbd - Delete Buddy Server
cur - Display current buddy server configuration
addbd <real server number 1-1023> <real server group 1-1024> <service 9-65534>
Adds a buddy server.
delbd <real server number 1-1023> <real server group 1-1024> <service 9-65534>
Deletes a previously added buddy server.
cur
Displays the current buddy server configuration.
This menu is used for entering commands and strings for Layer 7 processing.
cookser disable|enable
Enables or disables the real server to handle client requests that don’t contain a cookie. This option
is used if you want to designate a specific server to assign cookies only. This server gets the client
request, assigns the cookie, and embeds the IP address of the real server that will handle the subse-
quent requests from the client.
By default, this option is disabled.
exclude disable|enable
Enables or disables exclusionary string matching. By default, this option is disabled.
ldapwr disable|enable
Enables or disables LDAP write server. LDAP servers are of two types: read servers and write
servers. You need to use read servers when you only want to browse the directory. You need to use
the write servers when you want to modify the directory on the server. The write server can con-
duct both read and write operations.
cur
Displays the current real server configuration.
comm <SNMP health check community string to override group community string>
Overrides community string for SNMP health checks.
cur
Displays the current real server configuration.
This menu is used for combining real servers into real server groups. Each real server group
should consist of all the real servers which provide a specific service for load balancing. Each
group must consist of at least one real server. Each real server can belong to more than one group.
Real server groups are used both for Server Load Balancing and Application Redirection.
metric leastconns|roundrobin|minmisses|hash|response|bandwidth|phash
Sets the load balancing metric used for determining which real server in the group will be the tar-
get of the next client request. The default setting is leastconns. See “Server Load Balancing
Metrics” on page 429 for more information.
rmetric
Sets the load balancing metric used for determining which port in the real server will be the target
of the next client request.
content <filename>|//<host>/<filename>|none
This option defines the specific content which is examined during health checks. The content
depends on the type of health check specified in the health option (see below).
health link|arp|icmp|tcp|http|httphead|dns|pop3|smtp|nntp|ftp|imap|
sslh|radius-auth|radius-acc|script<n>|udpdns|wsp|wtp|wtls|ldap|
snmp<n>|tftp|rtsp|sip|sipoptions|wts
http - use GET method, httphead - use HEAD method
Sets the type of health checking performed. The default is tcp. See “SLB Health Check Types” on
page 426.
viphlth disable|enable
Enables or disables VIP health checking in a service. This feature is enabled by default. However,
it works only when the service has DSR (Direct Server Return) feature enabled. When viphlth
is disabled, the switch uses RIP to perform all health checks, whether DSR is enabled or disabled.
ids disable|enable
Enables or disables Intrusion Detection Server (IDS) load balancing for the designated real server
group. This feature can only be configured on real server groups between 1-63.
idsfld disable|enable
Enables or disables the Intrusion Detection flood. When Intrusion Detection flood is enabled,
packets are copied to all IDS servers in the IDS group. When this is disabled, packets are only
copied to the load balanced IDS server within the IDS group.
oper disable|enable
Enables or disables the real server group operation.
del
Deletes this real server group from the Layer 4 software configuration. This removes the group
from operation under all virtual servers it is assigned to. Use this command with caution: if you
remove the only group that is assigned to a virtual server, the virtual server will become inopera-
tive.
cur
Displays the current configuration parameters for this real server group.
link
Checks status of port for each server for IDSLB group only.
arp
Sends an ARP request for Layer 2 health checking.
icmp
For Layer 3 health checking, pings the server.
tcp
Opens and closes a TCP/IP connection to the server for TCP service.
http
For HTTP service, use HTTP 1.1 GETS when a HOST: header is required to check that the URL
content is specified in content command. Otherwise, an HTTP/1.0 GET occurs.
Note: If the content is not specified, the health check will revert back to TCP on the port that is
being load balanced.
httphead
Allows the switch to declare if the server is up or not just by locating the URL header and not wait
until all the URL contents are received. You can use this command to test the validity and access to
the hypertext links or to look for any recent modification to the URL.
dns
For Domain Name Service, check that the domain name specified in content can be resolved by
the server.
pop3
For user mail service, check that the user:password account specified in content exists on the
server.
smtp
For mail-server services, check that the user specified in content is accessible on the server.
nntp
For newsgroup services, check that the newsgroup name specified in content is accessible on
the server.
ftp
For FTP services, check that the filename specified in content is accessible on the server
through anonymous login.
imap
For user mail service, check that the user:password value specified in content exists on the
serve
sslh
Enables the switch to query the health of the SSL servers by sending an SSL client “Hello” packet
and then verify the contents of the server’s “Hello” response. During the handshake, the user and
server exchange security certificates, negotiate an encryption and compression method, and estab-
lish a session ID for each session.
radius-auth, radius-acc
For RADIUS remote access server authentication, check that the user:password value specified in
content exists on the Nortel Application Switch and the server. To perform application health
checking to a RADIUS server, the network administrator must also configure the /cfg/slb/
secrt parameter. The secrt value is a field of up to 32 alphanumeric characters that is used by
the switch to encrypt a password during the RSA Message Digest Algorithm (MD5) and by the
RADIUS server to decrypt the password during verification.
script <n>
Enables the use of script-based health checks in send/expect format to check for application and
content availability. <n> denotes the health script number (1-64).
udpdns
Allows the user to perform health checking using UDP DNS queries.
wsp
Enables connectionless WSP content health checks for WAP gateways. The content under /cfg/
slb/adv/waphc (see page 486) must also be configured.
wtp
Enables connection-oriented WTP + WSP content health checks for WAP gateways. The content
under /cfg/slb/adv/waphc (see page 486) must also be configured
wtls
Provides Wireless Transport Layer Security (WTLS) Hello-based health check for encrypted and
connection-oriented WTLS traffic on port 9203.
ldap
Sets the health check type to LDAP. The LDAP health checks enable the switch to determine if the
LDAP server is alive. This health check consists of three LDAP messages over one TCP connec-
tion: a bind request, a bind result, and an unbind request. The switch sends an anonymous bind
request to the server. If the server is up, it will send the bind result message and the switch will
mark the server as alive. The switch must send an unbind request so that the server does not hold
resources indefinitely. The switch administrator can choose LDAP version 2 or 3 as both the ver-
sions are compatible with Nortel Application Switch Operating System 23.0.2.
snmp <n>
Enables the use of SNMP-based health checks. <n> denotes the health script number (1-5).
tftp
Sets the health check type to TFTP. This protocol enables the user to request a file from the server.
At regular intervals, the switch transmits TFTP read requests (RRQ) to all servers in the group.
The health check is successful if the server responds to the RRQ. The health check fails if the
switch receives an error packet from the real server.
rtsp
Sets the health check type to RTSP. The RTSP health check can operate with or without content.
If there is no content configured the switch will issue an RTSP OPTIONS method. If content is
supplied the switch will issue the RTSP DESCRIBE method. If the response to either method is
RTSP/200 then the health check passes. If this is not the response, the health check will fail.
sip
Sets the health check type to sip. You can perform the SIP (Session Initiation Protocol) health
check by using SIP PING request. You must enable UDP to perform SIP load balancing.
sipoptions
Sets the health check type to sipoptions.
wts
Sets the health check type to wts.
minmisses
Minimum misses. This metric is optimized for Application Redirection. When minmisses is
specified for a real server group performing Application Redirection, all requests for a specific IP
destination address will be sent to the same server. This is particularly useful in caching applica-
tions, helping to maximize successful cache hits. Best statistical load balancing is achieved when
the IP address destinations of load balanced frames are spread across a broad range of IP subnets.
Minmisses can also be used for Server Load Balancing. When specified for a real server group per-
forming Server Load Balancing, all requests from a specific client will be sent to the same server.
This is useful for applications where client information must be retained on the server between ses-
sions. Server load with this metric becomes most evenly balanced as the number of active clients
increases.
hash
Like minmisses, the hash metric uses IP address information in the client request to select a
server.
For Application Redirection, all requests for a specific IP destination address will be sent to the
same server. This is particularly useful for maximizing successful cache hits.
For Server Load Balancing, all requests from a specific client will be sent to the same server. This
is useful for applications where client information must be retained between sessions.
The hash metric should be used if the statistical load balancing achieved using minmisses is
not as optimal as desired. Although the hash metric can provide more even load balancing at any
given instance, it is not as effective as minmisses when servers leave and reenter service.
If the Load Balancing statistics indicate that one server is processing significantly more requests
over time than other servers, consider using the hash metric.
leastconns
Least connections. With this option, the number of connections currently open on each real server
is measured in real time. The server with the fewest current connections is considered to be the
best choice for the next client connection request.
This option is the most self-regulating, with the fastest servers typically getting the most connec-
tions over time, due to their ability to accept, process, and shut down connections faster than
slower servers.
roundrobin
Round robin. With this option, new connections are issued to each server in turn: the first real
server in this group gets the first connection, the second real server gets the next connection, fol-
lowed by the third real server, and so on. When all the real servers in this group have received at
least one connection, the issuing process starts over with the first real server.
response
Real server response time. With this option, the switch monitors and records the amount of time
that each real server takes to reply to a health check. The response time is used to adjust the real
server weights. The weights are adjusted so they are inversely proportional to a moving average of
response time.
bandwidth
Bandwidth Metric. With this option, the real server weights are adjusted so they are inversely pro-
portional to the number of octets that the real server processes during a given interval. The higher
the bandwidth used, the smaller is the weight assigned to that server.
phash
The phash metric utilizes the best features of the hash and minmiss metrics. With phash
enabled, the switch supports an even load distribution (hash) and stable server assignment (min-
miss) even when a server in the group goes down. With the phash metric, the first hash will
always be the same even if a real server is down. If the first hash hits a dead server, it will rehash
for that request based on the actual number of servers that are up. This results in a request always
being sent to a server that is up.
NOTE – Under the leastconns, roundrobin, hash, and phash metrics, when real
servers are configured with weights (see the weight option on page 415), a higher proportion
of connections are given to servers with higher weights. This can improve load balancing
among servers of different performance levels. Weights are not applied when using
the minmisses metrics.
This menu is used for configuring the virtual servers which will be the target for client requests
for Server Load Balancing. Configuring a virtual server requires the following parameters:
weight
Sets the Global server weight for the virtual server. The higher the weight value, the more connec-
tions that will be directed to the local site. The default is 1. The response time of this site is divided
by this weight before the best site is assigned to a client. Remote site response times are divided by
the real server weight before selection occurs.
avail
Sets the Global SLB availability for the virtual server.
layr3 disable|enable
Normally, the client IP address is used with the client Layer 4 port number to produce a session
identifier. When the layr3 option is enabled (disabled by default), the switch uses only the client
IP address as the session identifier. It associates all the connections from the same client with the
same real server while any connection exists between them.
This option is necessary for some server applications where state information about the client sys-
tem is divided across different simultaneous connections, and also in applications where TCP frag-
ments are generated.
If the real server to which the client is assigned becomes unavailable, the Layer 4 software will
allow the client to connect to a different server.
creset enable|disable
Enable/disable client connection reset invalid VPORT.
ena
Enables this virtual server. This option activates the virtual server within the switch so that it can
service client requests sent to its defined IP address.
dis
This option disables the virtual server so that it no longer services client requests.
del
This command removes this virtual server from operation within the switch and deletes it from the
Layer 4 switching software configuration. Use this command with caution, as it will delete the
options that have been set for this virtual server.
cur
Displays the current configuration of the specified virtual server.
NOTE – Select virtual service port 554 to configure RTSP traffic. See page 444 to view the
menu options for configuring virtual services on port 554 for RTSP.
wts
Go to the WTS Load Balancing Menu. To view the menu options, see
page 440.
http
Enables or disables HTTP Redirection for Global server load balancing on a per VIP basis.
Disabling HTTP Redirection causes GSLB to use proxy IP address for HTTP. To view
the menu options, see page 441.
sip
Enables or disables Session Initiation Protocol (SIP) server load balancing on the Nortel
Application Switch Operating System. When enabled, you can configure SIP service on the
service port 5060 for a virtual server. SIP is a UDP-based application-level control protocol
for creating, modifying and terminating sessions with one or more participants (documented
in RFC3261). The SIP processing occurs at application level in order to parse out messages
coming from client side as well as the server side. Using SIP on your switch, you can load
balance Nortel’s MCS (Multimedia Communication Server) proxy servers. Nortel Networks’
MCS is a SIP enabled application Server. When SIP is enabled, you can scan and hash calls
based on a SIP Call-ID header to an MCS server.
You need to turn Direct Access Mode (DAM) on to perform SIP load balancing.
You can use only minmiss as the load balancing metric since the load balancing is per-
formed based on the Call-ID.
To view the menu options, see page 442.
rtsp
Go to the RTSP Load Balancing Menu. To view the menu options, see
page 443.
group <real server group number (1-1024)>
Sets a real server group for this service. The default is set at 1. You will be prompted to enter
the number (1 to 1024) of the real server group to add to this service.
hname <hostname>|none
Sets the hostname for a service added. This is used in conjunction with dname (above) to cre-
ate a full host/domain name for individual services.
The format for this command is: # hname <hostname>
For example, to add a hostname for Web services, you could specify www as the hostname. If
a dname of “foocorp.com” was defined (above), “www.foocorp.com” would be the full host/
domain name for the service.
To clear the hostname for a service, use the command: # hname none
httpslb urlslb|host|cookie|browser|urlhash|headerhash|others
Load balances on the following applications:
urlslb: Enable or disable URL SLB
host: Enable or disable for virtual hosting
cookie: Enable or disable cookie-based SLB for cookie-based preferential load balanc-
ing. You will be prompted for the following: Cookie name, starting point of the cookie
value, number of bytes to be extracted, enable/disable checking for cookie in URI
browser: Enable or disable SLB, based on browser type
urlhash: Enable or disable URL hashing based on URI
headerhash: Hashes on any HTTP header value.
others: Requires inputs for a particular header field
You may choose to combine or select applications to load balance using the commands and
and/or or. For example:
httpslb <application>
httpslb <application> and|or <application>
pbind clientip|cookie<p|r|i>|sslid|disable
Enables or disables persistent bindings for a real server (disabled by default). This may be
necessary for some server applications where state information about the client system is
retained on the server over a series of sequential connections, such as with SSL (Secure
Socket Layer, HTTPS), Web site search results, or multi-page Web forms.
The clientip option uses the client IP address as an identifier, and associates all con-
nections from the same client with the same real server until the client becomes inactive
and the connection is aged out of the binding table. The connection timeout value (set in
the Real Server Menu) is used to control how long these inactive but persistent connections
remain associated with their real servers. When the client resumes activity after their con-
nection has been aged out, they will be connected to the most appropriate real server based
on the load balancing metric.
An alternative approach may be to use the real server group metrics minmisses or hash
(see Server Load Balancing Metrics).
In Nortel Application Switch Operating System 23.0.2, with clientip command
enabled, HTTP and HTTPs traffic from the same client will map to the same server irre-
spective of the load balancing metric used, since the services are related. Whereas, differ-
ent services from the same client may not map to the same server.
The cookie option uses a cookie defined in the HTTP header or placed in the URI for
hashing. For more information on cookie option, see “Cookie-Based Persistence” on
page 444. For detailed information on Cookie-Based Persistence, see the
Persistence chapter in the Nortel Application Switch Operating System 23.0.2 Application
Guide.
The sslid option is for Secure Sockets Layer (SSL), which is a set of protocols built on
top of TCP/IP that allow an application server and user to communicate over an encrypted
HTTP session. SSL provides authentication, non-repudiation, and security. The session ID
is a value comprising 32 random bytes chosen by the SSL server that gets stored in a ses-
sion hash table. By enabling the sslid option, all subsequent SSL sessions which present
the same session ID will be directed to the same real server.
The disable option allows you to disable presistent binding, if it has previously been
enabled for a particular application.
thash sip|sip+sport
Defines hash parameter. Tunable hash feature allows the user to select different parameters
for computing the hash value used by the hash, phash, and minmisses SLB metrics. For
example, the source IP address, or both source IP address and source port. If the user does not
select any, the switch will use default hash parameter, which is sip.
dbind disable|enable
Enables or disables Layer 4 Delayed Binding for TCP service and ports. Enabling this com-
mand protects the server from Denial of Service (DoS) attacks. This option is disabled by
default.
udp disable|enable|stateless
Enables or disables UDP load balancing for a virtual port (disabled by default). You can con-
figure this option if the service(s) to be load balanced include UDP and TCP. For example,
DNS uses UDP and TCP. In those environments, you must activate UDP balancing for the
particular virtual servers that clients will communicate with using UDP.
When stateless is enabled, no session table entry is created.
Since no session is created, you have to bind to a new server every time.
Note: If applying a filter to the same virtual server IP address on which UDP load balancing is
enabled, disable caching on that filter for optimal performance. For more information, see the
cache command in Table 7-18 on page 452.
frag disable|enable
Enables or disables remapping server fragments for virtual port. This option is enabled by
default.
nonat disable|enable
Enables or disables substituting only the MAC address of the real server (disabled by default).
This option does not substitute IP addresses. This option is used for Direct Server Return
(DSR) in an one-armed load balancing setup, so that frames returning from server to the client
do not have to pass through the switch.
dnsslb disable|enable
Enables or disables DNS-based Layer 7 content load balancing.
direct disable|enable
Enables or disables Direct Access Mode (DAM) on the selected virtual service.
This command takes precedence over the command to globally enable or disable Direct
Access Mode on the switch.
mirror disable|enable
Enables or disables session mirroring on the selected virtual service.
xforward disable|enable
Enables or disables inserting the X-Forward-For header into the client HTTP request to pre-
serve the client IP information. X-Forward-For is a special header that stores and identifies
the client IP information. This feature is applicable only on HTTP protocol.
epip disable|enable
Enables or disables proxy IP selection based on egress port or VLAN. By default, the SP
selects the proxy IP address based on ingress port or VLAN. Using the epip command, you
can configure the SP to select proxy IP address based on the egress port or VLAN.
del
This command removes this virtual service from operation within the switch and deletes it
from the Layer 4 switching software configuration. Use this command with caution, as it will
delete the options that have been set for this virtual service.
cur
Displays the current configuration of services on the specified virtual server.
/cfg/slb/virt/service/wts
WTS Load Balancing Menu
[WTS Load Balancing Menu]
userhash - Enable userhash when there is no Session Dir. Server
ena - Enable WTS loadbalancing and persistence
dis - Disable WTS loadbalancing and persistence
cur - Display current WTS configuration
userhash
Enables the userhash if there is no session director server in the server platform.
ena [true|false]
Enable WTS load balancing.
dis [true|false]
Disable WTS load balancing.
cur
Display the current WTS configuration.
/cfg/slb/virt/service/http
HTTP Load Balancing Menu
[HTTP Load Balancing Menu]
httpslb - Set HTTP SLB processing
urlcont - Set BW cont of an SLB string specific to this service
rcount - Set multi response count
http - Enable/disable HTTP redirects for Global SLB
xforward - Enable/disable X-Forwarded-For for proxy mode
pooling - Enable/disable connection pooling for HTTP traffic
cur - Display current HTTP configuration
httpslb
Set HTTP SLB processing.
urlcont
Set BW cont of an SLB string specific to this service.
rcount
Set multi response count.
http
Enable/disable HTTP redirects for Global SLB.
xforward
Enable/disable X-Forwarded-For for proxy mode.
pooling
Enable/disable connection pooling for HTTP traffic.
cur
Display current HTTP configuration.
/cfg/slb/virt/service/sip
SIP Load Balancing Menu
[SIP Load Balancing Menu]
sip - Enable/disable SIP load balancing
sdpnat - Enable/disable SIP SDP Media Portal NAT
cur - Display current SIP configuration
sip
Enable SIP load balancing.
sdpnat
Enable SIP SDP Media Portal NAT.
cur
Display the current SIP configuration.
/cfg/slb/virt/service/rtsp
RTSP Load Balancing Menu
[RTSP Load Balancing Menu]
group - Set real server group number
hname - Set hostname
rtspslb - Set RTSP URL load balancing type
thash - Set hash parameter
softgrid - Enable/disable SoftGrid load balancing
del - Delete virtual service
cur - Display current virtual service configuration
hname <hostname>|none
Sets the hostname for a service added. This is used in conjunction with dname (above) to create a
full host/domain name for individual services.
The format for this command is: # hname <hostname>
For example, to add a hostname for Web services, you could specify www as the hostname. If a
dname of “foocorp.com” was defined (above), “www.foocorp.com” would be the full host/
domain name for the service.
To clear the hostname for a service, use the command: # hname none
rtspslb hash|patternMatch|l4hash|none
This Layer 7 load balancing option sets the type of rtspslb, either hash or patternMatch,
thereby enabling the service. The default is hash.
hash: If you use hash, RTSP will parse the URL and will hash the URL to select a server to load
balance.
patternMatch: If you select this option, the switch will match the string or pattern
within the URL to select a server based on the string configured on the real server.
l4hash: The l4hash option configures Server Load Balancing to be based on the Layer 4 hash
metric.
none: If set at none, RTSP will use Layer 4 metrics to select a server to load balance.
thash sip|sip+sport
Defines hash parameter. Tunable hash feature allows the user to select different parameters for
computing the hash value used by the hash, phash, and minmisses SLB metrics. For exam-
ple, the source IP address, the destination IP address, or both source IP address and source port. If
the user does not select any, the switch will use default hash parameter, which is sip.
softgrid enable|disable
Enable or disable softgrid load balancing.
del
Deletes this virtual service.
cur
Displays the current virtual service configuration.
Cookie-Based Persistence
The cookie option is used to establish cookie-based persistence, and has the following com-
mand syntax and usage:
Option Description
<mode> Specify the mode for cookie-based persistence. The following three modes are
available:
p: Passive mode. In this mode, the network administrator configures the Web
server to embed a cookie in the server response that the switch looks for in sub-
sequent requests from the same client.
r: Rewrite mode. In active cookie mode (or cookie rewrite mode), the switch,
and not the network administrator, generates the cookie value on behalf of the
server. The switch intercepts this persistence cookie and rewrites the value to
include server-specific information before sending it to the client.
i: Insert mode. When a client sends a request without a cookie, the server
responds with the data, and the switch inserts a persistence cookie into the data
packet. The switch uses this cookie to bind to the appropriate server.
Insert cookie mode expiration parameters are as follows:
Enter insert-cookie expiration as either:
... a date <MM/dd/yy[@hh:mm]> (e.g. 12/31/01@23:59)
... a duration <days[:hours[:minutes]]> (e.g. 45:30:90)
... or none <return>
<length> Enter number of bytes to extract (1-64). For cookie rewrite, the extracting length
must be 8 or 16.
<URI> Look for cookie in the URI. If you want to look for cookie name or value in the
URI, enter e to enable this option. To look for cookie in the HTTP header, enter d
to disable this option.
For more information on Cookie-Based Persistence, see the Nortel Application Switch Operat-
ing System 23.0.2 Application Guide.
[Filter 1 Menu]
adv - Filter Advanced Menu
name - Set filter name
smac - Set source MAC address
dmac - Set destination MAC address
ipver - Set Filter IP version
sip - Set source IP address
smask - Set source subnet mask/prefix len
dip - Set destination IP address
dmask - Set destination subnet mask/prefix len
proto - Set IP protocol
sport - Set source TCP/UDP port or range
dport - Set destination TCP/UDP port or range
action - Set action
group - Set real server group for redirection
rport - Set real server port for redirection
nat - Set which addresses are network address translated
vlan - Set vlan id
invert - Enable/disable filter inversion
ena - Enable filter
dis - Disable filter
del - Delete filter
cur - Display current filter configuration
The switch supports up to 2048 traffic filters. Each filter can be configured to allow, deny,
redirect or perform Network Address Translation on traffic according to a variety of address
and protocol specifications, and each physical switch port can be configured to use any combi-
nation of filters. This command is disabled by default.
There are several options available in the Filter Advanced Menu (/cfg/slb/filt/adv,
page 450) that can be used to provide more information through syslog. The types of informa-
tion include:
IP protocol
TCP/UDP ports
TCP flags
ICMP message type
The following parameters are required for filtering:
Set the address, masks, and/or protocol that will be affected by the filter
Set the filter action (allow, deny, redirect, nat)
Enable the filter
Add the filter to a switch port
Enable filtering on the Nortel Application Switch port
adv
Displays the Filter Advanced Menu. To view menu options, see page 450.
ipver v4 | v6
Sets the IP version that the filter will use. Filtering using IPv6 is only supported in bridge
mode.
smask <IP4 subnet mask (such as, 255.255.255.0> | <IP6 prefix length (eg, 64)>
This IP address mask is used with the sip to select traffic which this filter will affect. See
details below for more information on producing address ranges. For more information, see
“Defining IP Address Ranges for Filters” on page 449.
dmask <IP4 subnet mask (such as, 255.255.255.0)> | <IP6 prefix length (eg, 64)>
This IP address mask is used with the dip to select traffic which this filter will affect.
proto any|<number>|<name>
If defined, traffic from the specified protocol is affected by this filter. Specify the protocol
number, name, or “any”. The default is any. Listed below are some of the well-known proto-
cols.
Number Name
1 icmp
2 igmp
6 tcp
17 udp
58 icmp6
89 ospf
112 vrrp
sport any|<name>|<port>|<port>-<port>
If defined, traffic with the specified TCP or UDP source port will be affected by this filter.
Specify the port number, range, name, or “any”. The default is any. Listed below are some
of the well-known ports:
Number Name
20 ftp-data
21 ftp
22 ssh
23 telnet
25 smtp
37 time
42 name
43 whois
53 domain
69 tftp
70 gopher
79 finger
80 http
109 pop2
110 pop3
dport any|<name>|<port>|<port>-<port>
If defined, traffic with the specified real server TCP or UDP destination port will be affected
by this filter. Specify the port number, range, name, or “any”, just as with sport above. The
default is set at any.
action allow|deny|redir|nat|goto
Specifies the action this filter takes:
allow Allow the frame to pass (by default).
deny Discard frames that fit this filter’s profile. This can be used for building basic secu-
rity profiles.
redir Redirect frames that fit this filter’s profile, such as for web cache redirection. In
addition, Layer 4 processing must be activated (see the /cfg/slb/on command on
page 412).
nat Perform generic Network Address Translation (NAT). This can be used to map the
source or destination IP address and port information of a private network scheme
to/from the advertised network IP address and ports. This is used in conjunction
with the nat option (mentioned in this table) and can also be combined with prox-
ies.
goto Allows the user to specify a target filter ID that the filter search should jump to
when a match occurs. The goto action causes filter processing to jump to a desig-
nated filter, effectively skipping over a block of filter IDs. Filter searching action
will then continue from the designated filter ID.
To specify the new filter to goto, use the /cfg.slb/filt/adv/goto com-
mand.
nat source|dest
When nat is set as the filter action (see above), this command specifies whether Network
Address Translation (NAT) is performed on the source or the destination information. Desti-
nation (dest) is set as the default filter. If source is specified, the frame’s source IP
address (sip) and port number (sport) are replaced with the dip and dport values. If
dest is specified, the frame’s destination IP address (dip) and port number (dport) are
replaced with the sip and sport values.
invert disable|enable
Inverts the filter logic. If the conditions of the filter are met, don’t act. If the conditions for the
filter are not met, perform the assigned action. This option is disabled by default.
When using filter inversion for IPv6, be aware the Neighbor Solicitations (NSol) are filtered
out if no appropriate NSol filter was set up before inversion.
ena
Enables this filter.
dis
Disables this filter.
del
Deletes this filter.
cur
Displays the current configuration of the filter.
As another example, you could configure the switch with two filters so that each would
handle traffic filtering for one half of the Internet. To do this, you could define the following
parameters:
Table 7-17 Filtering IP Address Ranges
8021p
Displays 8021p Advanced Menu. IEEE 802.1p is the specification for prioritizing the net-
work traffic at the Layer 2 level in your switch. Using this command you can preserve
802.1p bits in all the frames that pass through the switch.
To view menu options, see page 453.
tcp
Displays the TCP Flags advanced menu. To view menu options, see page 453.
ip
Sets IP advanced menu. To view menu options, see page 454.
layer7
Displays Layer7 advanced menu. To view menu options, see page 457.
proxyadv
Displays the Proxy Advanced Menu. To view menu options, see page 460.
idshash sip|dip|both
Sets the hash metric parameter for Intrusion Detection System Server Load Balancing: source IP
(sip), destination IP (dip), or both.
thash auto|sip|dip|both|sip+sport
Allows you to choose hash parameter to use for filter redirection. The Default is auto. The sip
option allows you to perform tunable hash on source IP address for this filter. The option dip
allows you to perform tunable hash on destination IP address for this filter. The option both
allows you to perform tunable hash on both source IP address and the destination IP address at the
same time. The option sip+sport allows you to perform tunable hash on both source IP address
and source port at the same time.
reverse disable|enable
Enables or disables the creation of a session for traffic coming from the reverse side.
This command allows for the creation of a session entry for reverse traffic to avoid
inspecting traffic in both directions.
cache disable|enable
Enables or disables caching sessions that match the filter. Exercise caution while applying cache-
enabled and cache-disabled filters to the same switch port. A cache-enabled filter creates a session
entry in the switch, so that the switch can bypass checking for subsequent frames that match the
same criteria. Cache is enabled by default.
Note: Cache should be disabled if applying a filter to virtual server IP address while performing
UDP load balancing (see “udp disable|enable|stateless” on page 438).
log disable|enable
Enables or disables generating of syslog messages when a filter is hit. This option is disabled by
default.
mirror disable|enable
Enables or disables session mirroring.
cur
Displays the current advanced filter configuration.
value <0-7>
Defines 802.1p value. The value is the priority bits information in the packet structure.
match disable|enable
Enables or disables matching of 802.1p value. When the Management Processor needs to reuse the
packet to send to the destination, the switch matches the original priority bits information with the
priority bits information after the frame processing is complete.
cur
Displays current 802.1p configuration.
These commands can be used to configure packet filtering for specific TCP flags.
urg disable|enable
Enables or disables TCP URG (urgent) flag matching. By default, this option is disabled.
ack disable|enable
Enables or disables TCP ACK (acknowledgement) flag matching. By default, this option is dis-
abled.
psh disable|enable
Enables or disables TCP PSH (push) flag matching. By default, this option is disabled.
rst disable|enable
Enables or disables TCP RST (reset) flag matching. By default, this option is disabled.
syn disable|enable
Enables or disables TCP SYN (synchronize) flag matching. By default, this option is disabled.
fin disable|enable
Enables or disables TCP FIN (finish) flag matching. By default, this option is disabled.
ackrst disable|enable
Enables or disables TCP acknowledgement or reset flag matching. By default, this option is
disabled.
cur
Displays the current Access Control List TCP filter configuration.
tos <0-255>
Sets IP type of service (ToS) and the value of the type of service. For more information on ToS,
refer to RFC 1340 and 1349.
tmask <0-255>
Sets IP type of service mask.
newtos <0-255>
Sets new IP type of service.
option disable|enable
Enables or disables IP option matching.
cur
Displays the current advanced IP settings for the selected filter.
sip
Go to the Layer 7 SIP menu. To view the menu options, see page 459.
addrd [1>2]
Adds an HTTP redirection mapping. Strings are defined under: /cfg/slb/layer7/slb/add.
This command tells the filter that if it matches on the first string id, then send back an HTTP redi-
rection message back to the client that contains information in the second string ID.
rdsnp disable|enable
Enables or disables WAP RADIUS snooping on this filter.
Radius snooping allows the Nortel Application Switch Operating System to examine
RADIUS accounting packets for client information. This information is needed to add to
or delete static session entries in the switch’s session table so that it can perform the
required persistency for load balancing. For more details, please refer to your Applica-
tion Guide.
rdswap enable|disable
Enables or disables WAP RADIUS persistence on this filter. This feature allows for RADIUS and
WAP persistence by binding both (RADIUS accounting and WAP) sessions to the same server.
A WAP client is first authenticated by the RADIUS server on UDP port 1812. The server replies
with a Radius Accept or Reject frame. The switch forwards this reply to the RAS. After the RAS
receives the Radius accept packet, it sends a RADIUS accounting start packet on UDP port 1813 to
the bound server. The application switch snoops on the RADIUS accounting start packet for the
“framed IP address” attribute. The “framed IP address” attribute is used to rebind the RADIUS
accounting session to a new server. For more details, please refer to your Application Guide.
ftpa disable|enable
Enables or disables active FTP Client Network Address Translation (NAT). When a client in
active FTP mode sends a PORT command to a remote FTP server, the switch will look into the
data part of the frame and replace the client 's private IP address with a proxy IP (PIP) address.
The real server port (RPORT) will be replaced with a proxy port (PPORT), that is PIP:PPORT. By
default, this option is disabled.
l7lkup disable|enable
Enables or disables layer 7 lookup on this filter. This command replaces the urlp and l7deny
commands found in earlier releases of Nortel Application Switch Operating System. When
enabled, the filter performs a lookup on layer 7 content such as HTTP strings or headers. When
combined with a filter action (for example, deny, redir), this feature enables content-intelligent
redirection or content-intelligent deny filtering.
parseall disable|enable
Enables or disables parsing of all packets in a session where layer 7 lookup is being performed.
This command is enabled by default, and normally all data packets in a session are examined by
the filter.
However, some sessions may contain only one packet containing the layer 7 content. Once this
packet is found, subsequent packets can be ignored. When parseall is disabled, layer 7 lookup
is turned off for the remaining packets in the session.
cur
Displays the current advanced Layer 7 configuration of the filter including the Radius/Wap persis-
tence settings.
sipp enable|disable
Enable or disable SIP parsing.
cur
Displays the current advanced SIP configuration.
/cfg/slb/filt/adv/proxyadv
Proxy Advanced Menu
[Proxy Advanced Menu]
proxyip - Set client proxy IP address
epip - Enable/disable pip selection based egress port/vlan
proxy - Enable/disable client proxy
cur - Display current proxy configuration
proxyip <IP_address>
Set the client proxy IP_address.
epip enable|disable
Enable or diable PIP selection based on the outgoing port or VLAN.
proxy enable|disable
Enable or disable client proxy.
cur
Shows all Proxy statistics.
[Security Menu]
ratelim - Rate Limiting Menu
addgrp - Add pattern match group for layer 7 filtering
remgrp - Remove pattern match group for layer 7 filtering
pmatch - Enable/disable pattern matching
matchall - Enable/disable match-all criteria for layer 7 filtering
parsechn - Enable/disable chained pgroup match criteria for l7
filtering
parseall - Enable/disable pattern string lookup (parsing) of all
packets
cur - Display current Security configuration
ratelim
Displays the Rate Limiting Menu. The protocol-based rate limiting limits the traffic coming from
specific clients based on the IP address of the client. This feature enables the switch to detect and
block UDP or ICMP-based DOS attacks that slow down or decapitate the servers. Currently, the
switch allows rate limiting to be enabled on TCP, UDP, and ICMP protocols. To view menu
options see page 462.
pmatch disable|enable
Enables or disables pattern matching on this filter.
matchall disable|enable
Enables or disables matching of all configured patterns before the filter can perform the
deny action.
parsechn enable|disable
Enable/disable chained pgroup match criteria for l7 filtering.
parseall disable|enable
Enables or disables pattern string lookup (parsing) of all packets in a session where pattern match-
ing is being performed. This command is enabled by default, and normally all data packets in a
session are examined by the filter.
However, some sessions may contain only one packet containing the layer 7 content. Once this
packet is found, subsequent packets can be ignored. When parseall is disabled, pattern match-
ing is turned off for the remaining packets in the session.
cur
Displays the current configuration.
ena
Enables the protocol for rate limiting. Rate limiting is applied to the protocol configured on the fil-
ter. The supported protocols are: TCP, UDP, and ICMP.
dis
Disables TCP, UDP, or ICMP rate limiting.
cur
Displays the current rate limiting configuration.
Nortel Application Switch Operating System switch software allows you to enable or disable
processing independently for each type of Layer 4 traffic (client and server) on a per port
basis, expanding your topology options.
NOTE – When changing the filters on a given port, it may take some time before the port ses-
sion information is updated so that the filter changes take effect. To make port filter changes
take effect immediately, clear the session binding table for the port (see the clear command
in Table 8-3 on page 502).
client disable|enable
For Server Load Balancing, the port can be enabled or disabled to process client Layer 4 traffic. Ports
configured to process client request traffic bind servers to clients and provide address translation
from the virtual server IP address to the real server IP address, re-mapping virtual server IP addresses
and port values to real server IP addresses and ports. Traffic not associated with virtual servers is
switched normally. Maximizing the number of these ports on the Layer 4 switch will improve the
switch’s potential for effective Server Load Balancing. This option is disabled by default.
server disable|enable
Ports configured to provide real server responses to client requests require real servers to be con-
nected to the Layer 4 switch, directly or through a hub, router, or another switch. When server pro-
cessing is enabled, the switch port re-maps real server IP addresses and Layer 4 port values to
virtual server IP addresses and Layer 4 ports. Traffic not associated with virtual servers is switched
normally. This option is disabled by default.
rts disable|enable
Enables or disables Return to Sender (RTS) load balancing on this port. This option is used for
firewall load balancing or VPN load balancing applications. Enable rts on all client-side ports to
ensure that traffic ingresses and egresses through the same port. This option is disabled by default.
For more information on using rts, see the “Firewall Load Balancing” and “VPN Load Balanc-
ing” chapters in the Nortel Application Switch Operating System 23.0.2 Application Guide.
hotstan disable|enable
Enables or disables hot-standby processing. Use this option and the intersw option in conjunc-
tion with VRRP hot-standby failover. This option is disabled by default.
intersw disable|enable
Enables or disables inter-switch processing. This option is enabled for ports connected to a peer
switch and is disabled by default.
proxy disable|enable
Enables or disables a proxy for traffic that ingresses this port. When the PIP is defined, client
address information in Layer 4 requests is replaced with this proxy IP address.
In Server Load Balancing applications, this forces response traffic to return through the switch,
rather than around it, as is possible in complex routing environments.
Proxies are also useful for Application Redirection and Network Address Translation (NAT).
When pip is used with Application Redirection filters, each filter’s rport parameter must also
be defined (see rport on page 446). This option is disabled by default.
filt disable|enable
Enables or disables filtering on this port. Enabling the filter sets up the Real Server to look into the
VPN session table. This option is disabled by default.
idslb disable|enable
Enables or disables Intrusion Detection System Server Load Balancing on this port. In Nortel
Application Switch Operating System 23.0.2, IDSLB is done at the end of filter processing or at
the end of client processing where filtering is not enabled. In the case of client processing, IDSLB
is enabled on a port and a real server group is designated for IDSLB.This option is disabled by
default.
cur
Displays the current system parameters.
/cfg/slb/gslb
Global SLB Configuration
Global Server Load Balancing (GSLB) at any given site performs periodic SLB health checks
to determine the health and response time of the remote real server corresponding to the virtual
server at the remote site. GSLB uses the health and response time to select the server in the
GSLB selection engine. In addition, GSLB sends the health and response time together with
the local session and CPU utilization information that are collectively known as remote site
updates. The switch performs this periodically on every remote site using Distributed Site
State Protocol (DSSP). DSSP is a proprietary protocol that resides above TCP.
dns disable|enable
Enables or disables DNS direct-based GSLB. This option is enabled by default.
hostlk disable|enable
Enables or disables lookups based on host or domain name in a GSLB configuration. When
enabled, the hostname specified in the Virtual Service configuration, in addition to the domain
name, will be used to resolve the IP address for the domain. When disabled, only the domain name
will be used to match.
http disable|enable
Enables or disables HTTP redirects to peer sites by this switch. When enabled (default), this switch
will redirect client requests to peer sites if its own real servers fail or have reached their maximum
connection limits. If disabled, the switch will not perform HTTP Redirects, but will instead drop
requests for new connections and cause the client’s browser to eventually issue a new DNS
request.
usern disable|enable
Enables or disables an HTTP redirect to a real server name. When a site redirects a client to
another site using an HTTP redirect, the client is redirected to the new site's IP address. This option
is disabled by default. If usern is enabled, the client will be redirected to the domain name speci-
fied by the remote real server name plus virtual server domain name:
<remote real server name> <virtual server domain name>
norem
This command enables or disables no-remote real server load balancing. If enabled, the switch will
not do remote real server load balancing for non-http protocols. For HTTP protocols, if you want
to do no-remote-real-server load balancing, you need to disable the http parameter in the same
menu.
encrypt
This command enables or disables encrypting of DSSP updates. If disabled, the switch will not
encrypt the DSSP messages going out of the switch. This option allows the GSLB feature to work
with older versions of Web OS that do not encrypt DSSP messages
on
Activates Global Server Load Balancing (GSLB) for this switch. This option can be performed
only once the optional GSLB software is activated (refer to “Activating Optional Software” on
page 509).
off
Turns GSLB off for this switch. Any active remote sites will still perform GSLB services with
each other, but will not hand off requests to this switch. By default, GSLB is turned off.
cur
Displays the current Global SLB configuration.
At a local site for a domain, there is a local virtual server but no remote virtual server. The
local virtual server has a number of local virtual services Each local virtual service has a group
of local or remote real servers. The remote real servers are the virtual servers at the remote
sites.
update disable|enable
Enables or disables remote site updates. If enabled (default), this switch will send regular Distrib-
uted Site State Protocol (DSSP) updates to its remote peers using HTTP port 80. If disabled, the
switch will not send state updates. If your local firewall does not permit this traffic, disable the
updates.
Note: When update is enabled, Global Server Load Balancing uses service port 80 on the IP inter-
face for DSSP updates. By default, the Nortel Application Switch Operating System Web-
based interface also uses port 80. Both services cannot use the same port. If both are enabled, config-
ure the Nortel Application Switch Operating System Browser-Based Interface (BBI) to use a
different service port (see the /cfg/sys/access/wport option on page 288).
ena
Enables this remote site for use with Global Server Load Balancing.
dis
Disables this remote site. The switch will no longer use this remote site for Global Server Load
Balancing.
del
Removes this remote site from operation and deletes its configuration.
cur
Displays the current remote site configuration.
[Network 1 Menu]
sip - Set source IP address
mask - Set source IP and network netmask
addvirt - Add virtual server to network
remvirt - Remove virtual server from network
addreal - Add remote real server to network
remreal - Remove remote real server from network
ena - Enable network
dis - Disable network
del - Delete network
cur - Display current network configuration
ena
Enables the network.
dis
Disables the network.
del
Deletes the network entry.
cur
Displays the current Internet network entry configuration.
/cfg/slb/gslb/rule
GSLB Rule Configuration Menu
Rules allow the GSLB selection to use different metric preferences based on time-of-day. You
can configure one or more rules on each domain. Each rule has a metric preference list. The
GSLB selection selects the first rule that matches the domain and starts with the first metric in
the metric preference list of the rule.
[Rule 1 Menu]
metric - Metric Menu
start - Set start time for rule
end - Set end time for rule
ttl - Set Time To Live in seconds of DNS resource records
rr - Set DNS resource records in DNS response
dname - Set network preference domain name for rule
ena - Enable rule
dis - Disable rule
del - Delete rule
cur - Display current rule configuration
rr <rr (1-10)>
Sets the DNS resource records that how many DNS resource records will be returned in the DNS
response. The default is 2 records.
ena
Enables the rule.
dis
Disables the rule.
del
Deletes the rule.
cur
Displays the current rule configuration.
/cfg/slb/gslb/rule/metric
Global SLB Rule Metric Menu
gmetric leastconns|roundrobin|response|geographical|network|ran-
dom|availability|qos|minmisses|hash|local|always|remote|none
Defines the metric to select the next real server for GSLB. The default is none.
addnet
Allows you to add a network to the selected metric. This command applies only if you select net-
work as the metric.
remnet <1-128>
Allows you to delete a network that was added to the selected metric.
cur
Displays the current configuration of the metric.
/cfg/slb/layer7
Layer 7 SLB Resource Definition Menu
[Layer 7 Resource Definition Menu]
redir - Web Cache Redirection Menu
slb - Server Load Balancing Menu
sdp - SIP SDP Menu
dbindtm - Set timeout for incomplete delayed binding connections
cur - Display current Layer 7 configuration
redir
Displays the Web Cache Redirection Menu. To view menu options, see page 473.
slb
Displays the Server Load Balancing Menu. To view menu options, see page 475.
sdp
Displays the SIP SDP Menu. To view menu options, see page 477.
cur
Displays the current Layer 7 configuration.
/cfg/slb/layer7/redir
Web Cache Redirection Configuration
[Web Cache Redirection Menu]
urlal - Enable/disable auto-ALLOW for non-GETs to origin servers
cookie - Enable/disable auto-ALLOW for Cookie to origin servers
nocache - Enable/disable no-cache control header to origin servers
hash - Enable/disable URL hashing based on URI
header - Enable/disable server loadbalance based on HTTP header
cur - Display current WCR configuration
urlal disable|enable
Enables or disables auto-ALLOW for non-GETs to origin servers.
If this command is enabled, the switch will redirect all non-GET requests to the origin server.
If this command is disabled, the switch will compare the URI against the expression table to
determine whether all non-GET requests should be redirected to a cache server or origin server.
This option is enabled by default.
cookie disable|enable
Enables or disables auto-ALLOW for cookie to origin servers.
If this command is enabled, the switch will redirect all requests that contain Cookie: in the
HTTP header to the origin server.
If this command is disabled, the switch will compare the URI against the expression table to
determine whether it should redirect all requests that contain Cookie: in the HTTP header to a
cache server or origin server.
This option is disabled by default.
nocache disable|enable
Enables or disables no-cache control header to origin servers.
If this command is enabled, the switch will redirect all requests that contain Cache-Control: no-
cache in HTTP/1.1 header, or Pragma: no-cache in HTTP/1.0 header to the origin server.
If this command is disabled, the switch will compare the URI against the expression table to
determine whether it should redirect requests that contain Cache-Control: no-cache in HTTP/
1.1 header, or Pragma: no-cache in HTTP/1.0 header to a cache server or origin server.
This option is enabled by default.
cur
Displays the current URL expression table.
/cfg/slb/layer7/slb
Server Load Balance Resource Configuration Menu
[Server Loadbalance Resource Menu]
message - Set HTTP error message
addstr - Add SLB string for load balance
remstr - Remove SLB string for load balance
rename - Rename SLB string for load balance
addmeth - Add HTTP method type
remmeth - Remove HTTP method type
case - Enable/disable case sensitive for string matching
cont - Set BW contract for the SLB string
cur - Display current configuration
addstr <l7lkup|pattern>
Allows the user to define a string that can be used for server load balancing or filtering by selecting
either a Layer 7 look up string or a pattern match.
If you choose l7lkup string, you can define a string for server load balancing or a string for
Layer 7 lookup.
If you choose pattern string, you will have the option to choose between ascii or binary
strings on a specific offset of the IP frame. These strings will only be used for filtering string pat-
tern matching.
case disable|enable
Enables or disables case sensitivity for string matching. Using this command you can do either
case sensitive or case insensitive string comparison. If you disable case sensitive, all load balanc-
ing strings and all the request strings arriving on the switch will have to be converted to lower case
before doing any string comparison.
cur
Displays the currently configured SLB strings and their associated string IDs (index numbers) and
the supported HTTP request methods.
/cfg/slb/layer7/sdp
SDP Mapping Menu
[SDP Mapping Menu]
add - Add SDP mapping
rem - Remove SDP mapping
cur - Display current SDP mapping configuration
cur
Display current SDP mapping configuration.
/cfg/slb/wap
WAP Configuration
tpcp disable|enable
Enables or disables the TPCP external notification for Add/Delete session requests. This option
is disabled by default.
cur
Displays the current WAP configuration
/cfg/slb/sync
Synchronize Peer Switch Configuration
To synchronize the configuration between two switches, a peer must be configured and
enabled on each switch. Switches being synchronized must use the same administrator pass-
word. Peers are sent SLB, FILT, and VRRP configuration updates using /oper/slb/
synch.
filt disable|enable
Enables or disables synchronizing filter configuration. This option is disabled by default.
ports disable|enable
Enables or disables synchronizing Layer 4 port configuration. This option is enabled by default.
prios disable|enable
Enables or disables syncing VRRP priorities. This option is enabled by default.
pips disable|enable
Enables or disables synchronizing proxy IP addresses. This option is disabled by default.
peerpips disable|enable
Enables or disables synchronizing the peer proxy IP addresses. Peer proxy IP addresses are used in
VRRP Active/Active configuration. This option is disabled by default.
bwm disable|enable
Enables or disables synchronizing Bandwidth Management configuration between Master and
backup switches. This option is enabled by default.
state disable|enable
Enables or disables stateful failover for synchronizing the persistent session state. This option is
disabled by default.
cur
Displays the current Layer 4 synchronization configuration.
To synchronize the configuration between two switches, a peer must be configured and
enabled on each switch. Switches being synchronized must use the same administrator pass-
word.
ena
Enables the peer for this switch. By default, this option is disabled.
dis
Disables the peer for this switch.
del
Deletes the peer for this switch
cur
Displays the current peer switch configuration.
/cfg/slb/adv
Advanced Layer 4 Configuration
synatk
Displays SYN Attack Detection Menu. To view menu options, see page 483.
smtport
Displays Service Mapping Table (SMT) Real Server Port Menu. Using this command you can add
or remove a number of real server service port(s) that will process client traffic by-passing the
server. In other words, this service port’s client request will not be processed by the server proces-
sor. To view menu options, see page 483.
submac disable|enable
Enables or disables Source MAC address substitution. Typically, the source MAC is not modified
for the packets going to the servers in an SLB environment. But if you enable this command, the
switch will substitute the source MAC address (for the packets going to the server) with the MAC
address of the switch.
direct disable|enable
Enable/disables Direct Access Mode to real servers/services. This option also allows any virtual
server to load balance any real server. By default, this option is disabled.
grace disable|enable
Enables or disables graceful real server failure. Allows existing sessions to remain bound to a
server after the server has been placed in the service failed state (for more information,
see “Service Failure” in the Nortel Application Switch Operating System 23.0.2 Application
Guide). By default, this option is disabled.
matrix disable|enable
Enables or disables the use of Virtual Matrix Architecture on the Nortel Application Switch. By
default, this option is enabled.
vmasport enable|disable
Enable/disable VMA with source port.
tpcp disable|enable
Enables or disables the TPCP (Transparent Proxy Cache Protocol). This command is used for
security reasons—the UDP port can be closed. By default, this option is disabled.
vstat disable|enable
Enables or disables reporting of virtual service statistics.
rtsvlan disable|enable
Enables or disables the use of VLAN for Return to Sender information on the real server.
pvlantag
Enable/disable preserving vlan tag during packet forwarding.
portbind disable|enable
Enables or disables the inclusion of the ingress port number in the session table look up.
cur
Displays the current Layer 4 advanced configuration.
/cfg/slb/adv/synatk
SYN Attack Detection Configuration Menu
[SYN Attack Detection Menu]
intrval - Set SYN attack detection interval
thrshld - Set SYN attack alarm threshold
cur - Display current SYN attack detection configuration
cur
Displays the current SYN attack detection configuration.
/cfg/slb/adv/smtport
Advanced SMT Real Server Port Configuration Menu
Table 7-43 Advanced SMT Real Server Port Menu Options (/cfg/slb/adv/smtport)
Table 7-43 Advanced SMT Real Server Port Menu Options (/cfg/slb/adv/smtport)
cur
Displays real port configuration.
/cfg/slb/linklb
Inbound Link Load Balancing configuration Menu
[Inbound Linklb Menu]
drecord - Domain Record Menu
group - Set real server group
ttl - Set Time to Live of DNS resource records
ena - Enable Inbound Linklb
dis - Disable Inbound Linklb
cur - Display current Inbound Linklb configuration
Table 7-44 Inbound Link Load Balancing Configuration Menu Options (/cfg/slb/
linklb)
ena
Enables inbound link load balancing.
dis
Disables inbound link load balancing.
cur
Displays current inbound link load configuration.
/cfg/slb/linklb/drecord
Inbound Link Load Balancing Domain Record Menu
[Domain Record <domain_number> Menu]
entry - Virt Real Mapping Menu
domain - Set Domain Name
ena - Enable Domain Record
dis - Disable Domain Record
del - Delete Domain Record
cur - Display current Domain Record configuration
Table 7-45 Inbound Link Load Balancing Domain Record Menu Options (/cfg/slb/
linklb/drecord)
ena
Enables the domain records.
dis
Disables the domain records.
del
Deletes the domain records.
cur
Displays the current domain records.
/cfg/slb/linklb/drecord/entry
Inbound Link Load Balancing Mapping Menu
Table 7-46
real
Defines the real server number for mapping.
ena
Enables the entry for drecords.
dis
Disables the entry for drecords.
del
Deletes the entry for drecords.
cur
Displays the current real and virtual server mappings for drecords entries.
/cfg/slb/advhc
Advanced Health Check Configuration Menu
waphc
Displays the WAP Health Check Menu. To view menu options, see page 492.
aphttp disable|enable
Enables or disables HTTP health checks on any port. By default, this option is disabled. When dis-
abled, you can use HTTP health checks only for HTTP service. Enabling it will allow you to use it
on any port, like HTTPs.
cur
Displays the current Layer 4 advanced health check configuration.
The Health Script menu provides commands that can be used to define the health “script.” The
total number of characters cannot exceed 6144 bytes. Up to 64 scripts can be configured.
close
Closes TCP connection.
rem
Removes the last entered line from the script.
del
Deletes the current script.
cur
Lists the current script configuration.
/cfg/slb/advhc/snmphc
SNMP Health Check Configuration
[SNMP Health Check 1 Menu]
oid - OID to be sent in the SNMP request packet
comm - Community string used in the SNMP request packet
rcvcnt - Expected value in the SNMP response packet
invert - Enable/disable inversion of expected value
weight - Enable/disable readjusting of weights based on response
del - Delete SNMP health check
cur - Display current SNMP health check configuration
invert disable|enable
Enables or disables the inversion of the expected value. When the invert option is enabled, the
health check fails if the response packet contains the value specified in the receive content
(rcvnt) field.
weight disable|enable
When enabled, the real server weights are dynamically adjusted based on SNMP health check
response.
del
Deletes the current SNMP health check.
cur
Displays the current SNMP Health Check configuration.
/cfg/slb/advhc/waphc
WAP Health Check Configuration
Wireless Session Protocol (WSP) is used within the Wireless Application Protocol (WAP)
suite to manage sessions between wireless devices and WAP content servers or WAP gate-
ways. The Nortel Application Switch Operating System provides a content-based health check
mechanism where customized WSP packets are sent to the WAP gateways, and the switch ver-
ifies the expected response, in a manner similar to scriptable health checks.
WSP content health checks can be configured in two modes: connectionless and connection-
oriented. Connectionless WSP runs on UDP/IP protocol, ports 9200 and 9202 and connection-
oriented (WTP) traffic runs on ports 9201 and 9203. Application switches can be used to load
balance the gateways in both modes of operation.
The Nortel Application Switch Operating System allows you to configure three WAP gateway
health check types for all four WAP services (WSP, WTP+WSP, WTLS+WSP, WTLS+WTP+WSP),
deployed on WAP gateways/servers. For further details, refer to the Application Guide.
wspcnt
Displays WSP Health Check Content Menu. To view menu options, see page 494.
wtpcnt
Displays WTP and WSP Health Check Content Menu. To view menu options, see page 495.
couple disable|enable
Enables or disables coupling together of all the four WAP services (WSP, WTP+WSP,
WTLS+WSP, WTLS+WTP+WSP) with Radius Accounting Service. If the health check to any
one of the four WAP services or Radius Accounting Service fails, then all of the four WAP ser-
vices and Radius Accounting Service are disabled.
cur
Displays the current WAP Health Check configuration.
/cfg/slb/advhc/waphc/wspcnt
WSP Content Health Check
cur
Displays the current WAP Health Check configuration.
/cfg/slb/advhc/waphc/wtpcnt
WTP and WSP Content Health Check Menu
This menu is used for configuring the health check for connection-oriented unencrypted WAP
traffic.
Table 7-52 WTP and WSP Content Health Check Menu Options (/cfg/slb/advhc/
waphc/wtpcnt)
cur
Displays current WTP+WSP health check content configuration.
/cfg/slb/pip
Proxy IP Address Configuration Menu
You need to enable proxy IP address processing on the port to use this command. You can con-
figure multiple proxy IP addresses based on either port or VLAN.
type <port|vlan>
Defines the base type of the proxy IP address, whether it is port-based or VLAN-based.
cur
Displays the current Proxy IP address configuration.
/cfg/slb/peerpip
SLB Peer Proxy IP Address Menu
When this command is enabled, the switch is able to forward traffic from the other switch, using Layer 2,
without performing server processing on the packets of the other switch. This happens because the peer
switches are aware of each other’s proxy IP addresses. This prevents the dropping of a packet or being
sent to the backup switch in the absence of the proxy IP address of the peer switch.
cur
Displays the current proxy address configuration of the peer.
/cfg/slb/wlm
WorkLoad Management Menu
[Workload Manager 1 Menu]
addr - Set IP address for Workload Manager
port - Set port for Workload Manager
del - Delete Workload Manager
cur - Display current Workload Manager configuration
addr <IP_address>
Set the IP address for the Workload Manager.
port <TCP_port>
Set the port number for the Workload Manager.
del
Delete the Workload Manager.
cur
Shows all Workload Manager statistics. For example:
Current Workload Manager 1:
IP address Port
0.0.0.0 0
/oper
Operations Menu
[Operations Menu]
port - Operational Port Menu
slb - Operational Server Load Balancing Menu
vrrp - Operational Virtual Router Redundancy Menu
bwm - Operational Bandwidth Management Menu
security - Operational Security Menu
ip - Operational IP Menu
swkey - Enter key to enable software feature
rmkey - Enter software feature to be removed
passwd - Change current user password
clrlog - Clear syslog messages
displog - Turn on/off display syslog msgs to telnet/ssh sessions
defalias - Set default port alias
ntpreq - Send NTP request
The commands of the Operations Menu enable you to alter switch operational characteristics
without affecting switch configuration.
Port Mirroring menu options are accessible only to the Nortel Application Switch AD4 and
Nortel Application Switch 184 Web Switches.
499
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
slb
Displays the Operational Layer 4 Menu. To view menu options, see page 502.
vrrp
Displays the Operational Virtual Router Redundancy Menu. To view menu options, see page 505.
bwm
Operational Bandwidth Management Menu. To view menu options, see page 505.
security
Go to the Operational Security menu. To view menu options, see page 506.
ip
Displays the IP Operations Menu, which has one sub-menu/option, the Operational Border Gate-
way Protocol Menu. To view menu options, see page 505.
clrlog
Clears all syslog messages.
displog on|off
Turn on/off display syslog msgs to telnet/ssh sessions
defalias
Set the default port alias.
ntpreq
Allows the user to send requests to the NTP server.
Operations-level port options are used for temporarily disabling or enabling a port, and for
changing Remote Monitoring (RMON) status on a port.
rmon disable|enable
Temporarily enables/disables Remote Monitoring on the port. The port will be returned to its con-
figured operation mode when the switch is reset.
ena
Temporarily enables the port. The port will be returned to its configured operation mode when the
switch is reset.
dis
Temporarily disables the port. The port will be returned to its configured operation mode when the
switch is reset.
cur
Displays the current settings for the port.
/oper/slb
Operations-Level SLB Options
When the optional Layer 4 software is enabled, the operations-level Server Load Balancing
options are used for temporarily disabling or enabling real servers and synchronizing the con-
figuration between the active/active switches.
gslb
Displays Global SLB Operations Menu. To view menu options, see page 504.
sync
Synchronizes the SLB, filter, VRRP, port, Bandwidth Management configuration, and VR priori-
ties on a peer switch (a switch that owns the IP address). To take effect, peers must be configured
on the Nortel Application Switch and the administrator password on the switch must be identical.
dis <real server number, 1-1023> [P - allow persistent http 1.0 sessions] p|n
The disable command is used to temporarily disable real servers as follows:
Using the p (persistent) option—immediately suspends assignment of connections to the
specified real server (except for persistent http 1.0 sessions) by removing the real server from
operation within its real server group and virtual server
Using the n (none) option—immediately suspends assignment of connections to the specified
real server by removing the real server from operation within its real server group and virtual
server
The real server will be returned to its configured state after a switch reset.
NOTE – This command provides for orderly server shutdown to allow maintenance on a server.
For more information, see “Disabling and Enabling Real Servers” in the Nortel Application Switch
Operating System 23.0.2 Application Guide.
sessdel
Delete session table entry.
clear
Clears all session tables and allows port filter changes to take effect immediately.
NOTE – This command disrupts current SLB and Application Redirection sessions.
cur
Displays the current SLB operational state.
/oper/slb/group
Real Server Group Operations
[Real server group 1 Menu]
ena - Enable real server in this group
dis - Disable real server in this group
cur - Current server group operational state
cur
Displays current operational state of the server group.
/oper/slb/gslb
Global SLB Operations Menu
[Global SLB Operations Menu]
query - Query Global SLB selection
add - Add entry to Global SLB DNS persistence cache
arem - Remove all entries Global SLB DNS persistence cache
query
Allows you to query the Global site selection.
add
Add an entry to the Global SLB DNS persistence cache.
arem
Remove all entries Global SLB DNS persistence cache.
/oper/vrrp
Operations-Level VRRP Options.
/oper/bwm
Operations-Level Bandwidth Management Options
sndhist
Sends the bandwidth history to a system administrator specified under /cfg/bwm/user
(see page 316).
clear
Clear the BWM IP user entry table.
/oper/security
Security Menu
[Security Menu]
ipacl - IP ACL Operations Menu
ipacl
Go to the IP ACL Operation menu. To view menu options, see page 506
/oper/security/ipacl
IP ACL Operations Menu
[IP ACL Operations Menu]
add - Add operations source IP Address/Mask
rem - Remove operations source IP Address/Mask
arem - Remove all operations source IP Address/Mask
dadd - Add operations destination IP Address/Mask
drem - Remove operations destination IP Address/Mask
darem - Remove all operations destination IP Address/Mask
cfg - Display configuration IP Address/Mask
bogon - Display bogon IP Address/Mask
oper - Display operations IP Address/Mask
cur - Display all IP Address/Mask
arem
Remove all operations source IP addresses and Masks.
darem
Remove all of the operations destination IP addresses and Masks.
cfg
Display all configuration IP addresses and Masks. For example:
Current configuration IP ACL settings:
0 configuration source IP ACL.
0 configuration destination IP ACL.
bogon
Display bogon IP address and Mask. For example:
>> IP ACL Operations# bogon
Current bogon IP ACL settings:
0 bogon source IP ACL.
oper
Display operations IP addresses and Masks. For example:
Current operations IP ACL settings:
0 operations source IP ACL.
0 operations destination IP ACL.
cur
Display all IP addresses and Masks. For example:
Current total IP ACL settings:
0 total source IP ACL.
0 total destination IP ACL.
/oper/ip
Operations-Level IP Options
bgp
Displays the Border Gateway Protocol Operations Menu. To view the menu options see page 508.
/oper/ip/bgp
Operations-Level BGP Options
[Border Gateway Protocol Operations Menu]
start - Start peer session
stop - Stop peer session
cur - Current BGP operational state
cur
Displays the current BGP operational state.
/oper/swkey
Activating Optional Software
The swkey option is used for activating any optional software you have purchased for your
switch.
Before you can activate optional software, you must obtain a software license from your Nortel
Networks representative or authorized reseller. One software license is needed for each switch
where the optional software is to be used. You will receive a Licence Certificate for each soft-
ware license purchased.
Currently the following software packages are available for purchase and installation:
Security Pack
Bandwidth Management
Global Server Load Balancing
To obtain a software key, you must register each License Certificate with Nortel Networks and
provide the MAC address of the Nortel Application Switch Operating System switch that will
run the optional software. Nortel Networks will then provide a License Password.
NOTE – Each License Password will work only on the specific switch which has the MAC
address you provided when registering your Licence Certificate.
Once you have your License Password, perform the following actions:
1. Connect to the switch’s command line interface and log in as the administrator (see Chap-
ter 1, “The Command Line Interface”).
Main# oper
Operations# swkey
4. When prompted, enter your 16-digit software key code. For example:
Enter Software Key: <16 hexadecimal-digit key to enable software feature (such as,
123456789ABCDEF)>
If the correct code is entered, you will see the following message:
/oper/rmkey
Removing Optional Software
The rmkey option is used for deactivating any optional software. Deactivated software is still
present in switch memory and can be reactivated at any later time.
To review the deactivation options, enter the following at the Operations Menu:
Operations# rmkey
When prompted, enter the code for software to be removed. For example:
Selecting a switch software image to be used when the switch is next reset
Selecting a configuration block to be used when the switch is next reset
Downloading or uploading a new software image to the switch via TFTP
/boot
Boot Menu
511
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
/boot/sched
Scheduled Reboot Menu
[Boot Schedule Menu]
set - Set switch reset time
cancel - Cancel pending switch reset
cur - Display current switch reset schedule
The cur option displays the current scheduled reboot time. For example:
For example, if your active image is currently loaded into image1, you would probably load
the new image software into image2. This lets you test the new software and reload the origi-
nal active image (stored in image1), if needed.
To download a new software to your switch, you will need the following:
NOTE – The DNS parameters must be configured if specifying hostnames. See “Domain Name
System Configuration Menu” on page 379).
When the above requirements are met, use the following procedure to download the new soft-
ware to your switch.
The exact form of the name will vary by TFTP server. However, the file location is normally
relative to the TFTP directory (usually /tftpboot).
2. Enter the name of the image you want the switch to use upon the next boot.
The system informs you of which image is currently set to be loaded at the next reset, and
prompts you to enter a new choice:
2. The system prompts you for information. Enter the desired image:
4. Enter the name of the file into which the image will be uploaded on the TFTP server:
5. The system then requests confirmation of what you have entered. To have the file
uploaded, enter Y.
There is also a factory configuration block. This holds the default configuration set by the factory
when your Nortel Application Switch was manufactured. Under certain circumstances, it may be
desirable to reset the switch configuration to the default. This can be useful when a custom-con-
figured Nortel Application Switch is moved to a network environment where it will be re config-
ured for a different purpose.
Use the following procedure to set which configuration block you want the switch to load the
next time it is reset:
2. Enter the name of the configuration block you want the switch to use:
The system informs you of which configuration block is currently set to be loaded at the next
reset, and prompts you to enter a new choice:
NOTE – Resetting the switch causes the Spanning Tree Protocol to restart. This process can be
lengthy, depending on the topology of your network.
/maint
Maintenance Menu
NOTE – To use the Maintenance Menu, you must be logged in to the switch as
the administrator.
[Maintenance Menu]
sys - System Maintenance Menu
fdb - Forwarding Database Manipulation Menu
arp - ARP Cache Manipulation Menu
route - IP Route Manipulation Menu
ip6 - IP6 Manipulation Menu
debug - Debugging Menu
uudmp - Uuencode FLASH dump
ptdmp - Upload FLASH dump via FTP/TFTP
cldmp - Clear FLASH dump
lsdmp - List FLASH dump
panic - Dump state information to FLASH and reboot
tsdmp - Tech support dump
pttsdmp - Upload tech support dump via FTP/TFTP
sslrst - Reset SSL card
Dump information contains internal switch state data that is written to flash memory on the
Nortel Application Switch after any one of the following occurs:
The switch administrator forces a switch panic. The panic option, found in the Mainte-
nance Menu, causes the switch to dump state information to flash memory, and then
causes the switch to reboot.
519
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
The switch administrator enters the switch reset key combination on a device that is
attached to the console port. The switch reset key combination is <Shift><Ctrl><->.
The watchdog timer forces a switch reset. The purpose of the watchdog timer is to reboot
the switch if the switch software freezes.
The switch detects a hardware or software problem that requires a reboot.
sys
Displays the System Maintenance Menu. To view menu options, see page 522.
fdb
Displays the Forwarding Database Manipulation Menu. To view menu options, see page 522.
arp
Displays the ARP Cache Manipulation Menu. To view menu options, see page 523.
route
Displays the IP Route Manipulation Menu. To view menu options, see page 525.
ip6
Displays the IPv6 Manipulation Menu. To view menu options, see page 526.
debug
Displays the Debugging Menu. To view menu options, see page 527.
uudmp
Displays dump information in uuencoded format. For details, see page 528.
cldmp
Clears dump information from flash memory. For details, see page 529.
lsdmp
Displays list flash dump. For details, see page 530.
panic
Dumps MP information to FLASH and reboots. For details, see page 530.
tsdmp
Dumps all Nortel Application Switch information, statistics, and configuration.You can log the
tsdump output into a file, and send it to Nortel Networks Tech Support for debugging purposes.
For details, see page 531.
sslrst
Reset the SSL card. For details, see page 531.
/maint/sys
System Maintenance Options
This menu is reserved for use by Nortel Networks Customer Support group. The options are
used to perform system debugging.
sfpinfo <port_number>
Show the SFP information. For example:
>> System Maintenance# sfpinfo 1
Probing SFP on port 1 - please wait
Invalid: Port 1 does not support SFP's
/maint/fdb
Forwarding Database Options
The Forwarding Database Manipulation Menu can be used to view information and to delete a
MAC address from the forwarding database or clear the entire forwarding database. This is
helpful in identifying problems associated with MAC address learning and packet forwarding
decisions.
dump
Displays all entries in the Forwarding Database. For details, see page 90.
clear
Clears the entire Forwarding Database from switch memory.
/maint/arp
ARP Cache Options
[Address Resolution Protocol Menu]
find - Show a single ARP entry by IP address
port - Show ARP entries on a single port
vlan - Show ARP entries on a single VLAN
refpt - Show ARP entries referenced by a single SP
dump - Show all ARP entries
clear - Clear ARP cache
addr - Show ARP address list
clear
Clears the entire ARP list from switch memory.
addr
Shows the list of IP addresses which the switch will respond to for ARP requests.
NOTE – To display all ARP entries currently held in the switch, or a portion according to one
of the options listed on the menu above (find, port, vlan, refpt, dump), you can also
refer to “ARP Information” on page 112.
/maint/route
IP Route Manipulation
[IP Routing Menu]
find - Show a single route by destination IP address
gw - Show routes to a single gateway
type - Show routes of a single type
tag - Show routes of a single tag
if - Show routes on a single interface
dump - Show all routes
clear - Clear route table
type indirect|direct|local|broadcast|martian|multicast
Shows routes of a single type. For a description of IP routing types, see Table 4-19 on page 109
tag fixed|static|addr|rip|ospf|bgp|broadcast|martian|vip
Shows routes of a single tag. For a description of IP routing tags, see Table 4-20 on page 109
dump
Shows all routes.
clear
Clears the route table from switch memory.
NOTE – To display all routes, you can also refer to “IP Routing Information” on page 108.
/maint/ip6
IPv6 Manipulation Menu
[IP6 Menu]
nbrcache - Neighbor Cache Manipulation Menu
nbrcache
Opens the Neighbor Cache menu whose only option is the clear command. This command is
used to clear the IPv6 Neighbor Cache table.
/maint/debug
Debugging Options
[Miscellaneous Debug Menu]
tbuf - Show MP trace buffer
sptb - Show SP trace buffer
spall - Show All SPs trace buffers
clrcfg - Clear all flash configs
portmap - Show port-SP-MAC mapping
vmasp - Show designated SP for IP address
vmasp6 - Show designated SP for IP6 address
The Miscellaneous Debug Menu displays trace buffer information about events that can be
helpful in understanding switch operation. You can view the following information using the
debug menu:
Events traced by the Management Processor (MP)
Events traced by the Switch Processor (SP)
Events traced to a buffer area when a reset occurs
If the switch resets for any reason, the MP trace buffer and SP trace buffers are saved into the
snap trace buffer area. The output from these commands can be interpreted by the Nortel Net-
works Customer Support division.
Table 10-7 Miscellaneous Debug Menu Options (/maint/debug)
Command Syntax and Usage
tbuf
Displays the Management Processor trace buffer. Header information similar to the following is shown:
MP trace buffer at 13:28:15 Fri May 25, 2001; mask: 0x2ffdf748
The buffer information is displayed after the header.
/maint/uudmp
Uuencode Flash Dump
Using this command, dump information is presented in uuencoded format. This format makes
it easy to capture the dump information as a file or a string of characters. You can then contact
Nortel Networks Customer Support for help analyzing the information.
If you want to capture dump information to a file, set your communication software on your
workstation to capture session data prior to issuing the uudmp command. This will ensure that
you do not lose any information. Once entered, the uudmp command will cause approximately
23,300 lines of data to be displayed on your screen and copied into the file.
Using the uudmp command, dump information can be read multiple times. The command
does not cause the information to be updated or cleared from flash memory.
NOTE – Dump information is not cleared automatically. In order for any subsequent dump
information to be written to flash memory, you must manually clear the dump region. For more
information on clearing the dump region, see page 529.
Maintenance# uudmp
The dump information is displayed on your screen and, if you have configured your communi-
cation software to do so, captured to a file. If there is a dump available, the system prompts as
follows:
>> Maintenance# uu
Enter region to dump [main/bkp]: main
Dumping main region:
NOTE – If the TFTP or FTP server is running SunOS or the Solaris operating system,
the specified ptdmp file must exist prior to executing the ptdmp command, and must be writ-
able (set with proper permission, and not locked by any application). The contents of the spec-
ified file will be replaced with the current dump data.
To save dump information via TFTP or FTP, at the Maintenance# prompt, enter:
Where server is the TFTP or FTP server IP address or hostname, and filename is the target
dump file.
/maint/cldmp
Clearing Dump Information
To clear dump information from flash memory, at the Maintenance# prompt, enter:
Maintenance# cldmp
The switch clears the dump region of flash memory and displays the following message:
If the flash dump region is already clear, the switch displays the following message:
/maint/lsdmp
Use the /maint/lsdmp command to view dump statistics. For example:
/maint/panic
Panic Command
The panic command causes the switch to immediately dump state information to flash mem-
ory and automatically reboot.
Loading Image:..........
Alteon Application Switch 2424
Rebooted because of Software PANIC.
Booting complete 19:15:23 Thu Jan 9, 2003:
Version 20.2.7 from FLASH image1, active config block.
Jan 9 19:15:32 NOTICE system: link up on port 25
Enter password:
/maint/tsdmp
Use the /maint/tsdmp command to dump all dump information that can be used for technical
support. For example:
/maint/pttsdmp
Use the /maint/pttsdmp command to upload a technical support dump using an FTP or TFTP
connection. The dump was performed earlier using the /maint/tsdmp command. For example:
/maint/sslrst
Use the maint/sslrst command to reset the switch SSL card.
NOTE – To use the SSL Processor Menu, you must be logged in to the processor as
the administrator.
# cd /
------------------------------------------------------------
[Main Menu]
info - Information Menu
stats - Statistics Menu
cfg - Configuration Menu
oper - Operations Command Menu
boot - Boot Options Menu
maint - Maintenance Menu
ssl - SSL Accelerator Menu
diff - Show pending config changes [global command]
apply - Apply pending config changes [global command]
save - Save updated config to FLASH [global command]
revert - Revert pending or applied changes [global command]
exit - Exit [global command, always available]
>> Main# ssl
533
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
login: admin
Password:
Alteon iSD SSL
Hardware platform: 2424S
Software version: 5.0.0.34
------------------------------------------------------------
[Main Menu]
info - Information menu
stats - Statistics menu
cfg - Configuration menu
boot - Boot menu
maint - Maintenance menu
diff - Show pending config changes [global command]
apply - Apply pending config changes [global command]
revert - Revert pending config changes [global command]
paste - Restore saved config with key [global command]
help - Show command help [global command]
exit - Exit [global command, always available]
NOTE – Help information on specific commands uses the command “help”, and not the “?”
symbol used at other directory levels. The command must also be spelled-out in full. For
example, to request help on the “apply” command enter:
SSL >> Main# help diff
Show any pending configuration changes.
/ssl
SSL Processor Menu
[Main Menu]
info - Information menu
stats - Statistics menu
cfg - Configuration menu
boot - Boot menu
maint - Maintenance menu
diff - Show pending config changes [global command]
apply - Apply pending config changes [global command]
revert - Revert pending config changes [global command]
paste - Restore saved config with key [global command]
help - Show command help [global command]
exit - Exit [global command, always available]
info
Go to the Information level of the SSL Processor menu. For details, see page 536.
stats
Go to the Statistics level of the SSL Processor menu. For details, see page 540.
cfg
Go to the Configuration level of the SSL Processor menu. For details, see page 545.
boot
Go to the Boot level of the SSL Processor menu. For details, see page 649.
maint
Go to the Maintenance level of the SSL Processor menu. For details, see page 652.
diff
Shows any pending configuration changes. For example:
SSL >> Main# diff
Configuration/
Certificate menu: new child "1" created
apply
Applies pending configuration changes.
revert
Remove pending configuration changes. Use this command to undo configuration parameters set
since last apply command. For example:
paste
Lets you restore a saved configuration that includes private keys. Before pasting the configuration,
you need to provide the password phrase you specified when selecting to include the private keys
in the configuration dump.
help
Displays a summary of the global commands.
exit
Leave the SSL Processor menu.
/ssl/info
SSL Performance information menu
[Information Menu]
servers - Show configured SSL servers
certs - Show configured certificates
hsm - Show local HSM information
sslvpn - Show configured VPNs
users - Show logged in SSL VPN portal users
ipsec - Show logged in IPSEC users
ippool - Show ip pool allocations
ip - Find information about an IP address
sys - Show system configuration
licenses - Show SSL VPN portal license usage
access - Print the access rules of an SSL VPN portal user
kick - Kick an SSL VPN portal user
isdlist - Show all iSDs and their operational status
local - Show local iSD information
ethernet - Show local ethernet status information
ports - Show local port(s) information
events - Inspect Events menu
Revocation:
Automatic CRL:
URL to retrieve CRL from =
LDAP DN used for bind/authentication =
Password to use when to authenticate =
Refresh interval = 1d
List of accepted signers of CRLs =
Enable automatic retrieval = disabled
hsm
Displays information related to the HSM card(s) on the iSD310-SSL FIPS device to which you are
currently connected. Information about the current security mode (Extended Security mode or
FIPS mode) in the iSD310-SSL FIPS cluster is displayed, as well as user login information (SO or
USER) for each HSM card on the iSD310-SSL FIPS device.
HSM information is only displayed when you are using the iSD310-SSL FIPS model.
sslvpn
Show the configured VPNs.
users
Shows all logged in VPN portal users. For example:
Number of currently logged in users: 0
/ssl/info/events
SSL Performance Menu
[Events Menu]
alarms - List all pending alarms
download - Dump the event log file to a TFTP/FTP/SFTP server
alarms
Displays all alarms in the active alarm list by their main attributes: severity level, alarm ID num-
ber, date and time when triggered, alarm name, sender, and cause.
/ssl/stats
SSL Performance Statistics menu
[Statistics Menu]
sslstats - SSL stats
ipsec - IPSEC stats
aaa - AAA specific statistics
dump - Dump all information
sslstats
Go to the SSL statistics menu. To view menu options, see page 542.
ipsec
Go to the IPSEC statistics menu. To view menu options, see page 545.
aaa
Go to the AAA specific statistics. To view menu options, see page 548.
dump
Displays cluster-wide SSL statistics for each virtual SSL server in the cluster, as well as the number of
active request sessions, and the total number of completed request sessions. The total number of initi-
ated SSL client connections, and the total number of established SSL client connections as accumulated
values for all virtual SSL servers in the cluster are also displayed. Histograms, however, are not
included in the output
/ssl/stats/sslstats
SSL Performance Menu
[SSL stats Menu]
vpn - Cluster SSL VPN statistics
server - Cluster SSL Server statistics
local - Local statistics for each isdhost
clear - Clear all statistics for all IPs
activesess - Number of currently active request sessions
totalsess - Total completed request sessions
sslaccept - Total completed SSL accept
sslconnect - Total completed SSL connect
tpshisto - Cluster-wide TPS histograms for all servers
clihisto - cluster wide client data histograms for all servers
srvhisto - cluster wide server data histograms for all servers
vpn <VPN_number>
Displays the cluster-wide statistics for SSL VPN.
server <srever_number>
Displays the cluster-wide statistics for SSL servers.
local
Go to the Local SSL Statistics Menu. To view menu options, see page 543.
clear
Erase all statistics for all IPs.
activesess
Display the number of currently active requests. For example:
active_sessions : 0
totalsess
Display the total number of completed request sessions.
sslaccept
Display the total number of completed SSL request sessions.
sslconnect
Display the total number of successful SSL connections.
tpshisto
Display the total number of cluster-wide TPS histograms for all servers.
clihisto
Display the total number of cluster-wide client data histograms for all servers.
srvhisto
Display the total number of cluster-wide server data histograms for all servers.
/ssl/stats/sslstats/local
SSL Performance SSL Local Statistics Menu
[Local SSL Statistics Menu]
isdhost - ISD local SSL server statistics menu
overview - Overview of isdhost local statistics
tpshisto - ISD local TPS histograms for all servers/ISDs
clihisto - ISD local client byte/s histos for all servers/ISDs
srvhisto - ISD local server data byte/s histos for all servers/ISDs
license - ISD local license statistics
dump - Dump all information
isdhost <host_number>
Go to the ISD local SSL Statistics Menu. To view menu options, see page 544.
overview
Display the overall of the isdhost local statistics.
tpshisto
Display ISD local TPS histograms for all servers/ISDs.
clihisto
Display ISD local client data histograms for all servers and ISDs.
srvhisto
Display ISD local server data histograms for all servers and ISDs.
license
Display local ISD license statistics. For example:
**** License stats at ISD number '1' ****
License Limit reached times
tps {ok,0}
dump
Display all local statistical information.
/ssl/stats/sslstats/local/isdhost
SSL Performance: Single ISD SSL Statistics Menu
[Single ISD SSL Stats 1 Menu]
server - ISD local SSL server stats
tpshisto - ISD local TPS histograms for all servers
clihisto - ISD local client byte/s histograms for all servers
srvhisto - ISD local server byte/s histograms for all servers
dump - Dump all information
Table 11-7 SSL Perfomance: Single ISD SSL Statistics Menu Options
Command Syntax and Usage
server
Displays statistics for the local ISD SSL server.
tpshisto
Displays ISD local TPS histograms for all servers.
clihisto
Displays ISD local client data histograms for all servers.
srvhosto
Displays ISD local server histograms for all servers.
dump
Displays all statistical information.
/ssl/stats/ipsec
IPSEC Statistics menu
[IPSEC stats Menu]
vpn - Cluster IPSEC Server statistics
local - Local statistics for each isdhost
clear - Clear all ipsec statistics for all IPs
activesess - Number of currently active ipsec sessions
totalsess - Total completed ipsec sessions
failedsess - Total failed ipsec sessions
enctot - Total encoded kBytes
enc - Encoded kB/sec last minute
dectot - Total decoded kBytes
dec - Decoded kB/sec last minute
sesshisto - Cluster-wide ipsec session histograms for all servers
enchisto - Cluster-wide ipsec encrypt histograms for all servers
dechisto - Cluster-wide ipsec decrypt histograms for all servers
/ssl/stats/ipsec/local
SSL Performance: Local IPSEC Statistics Menu
[Local IPSEC Statistics Menu]
isdhost - ISD local IPSEC server statistics menu
sesshisto - ISD local ipsec session histograms for all VPNs/ISDs
enchisto - ISD local ipsec encrypt histograms for all VPNs/ISDs
dechisto - ISD local ipsec decrypt histograms for all VPNs/ISDs
dump - Dump all information
isdhost
Go to the ISD Local IPSEC server statistics menu. To view menu options, see page 547.
sesshisto
Displays the local IPSEC session histograms for all VPNs and ISDs.
enchisto
Displays the local IPSEC encryption histograms for all VPNs and ISDs.
dechisto
Displays the local IPSEC decryption histograms for all VPNs and ISDs.
dump
Display all IPSEC statistical information.
/ssl/stats/ipsec/local/isdhost
SSL Performance: Single IPSEC ISD Statistics Menu
[Single ISD IPSEC Stats 1 Menu]
vpn - ISD local IPSEC server stats
activesess - Locally active ipsec sessions all VPNs
totalsess - Locally total ipsec sessions all VPNs
failedsess - Locally failed ipsec sessions, all VPNs
enctot - Locally total ipsec encoded kBytes all VPNs
enc - Locally ipsec encoded kB/sec last minute all VPNs
dectot - Locally total ipsec decoded kBytes all VPNs
dec - Locally ipsec decoded kB/sec last minute all VPNs
sesshisto - ISD local ipsec sess histograms for all VPNs
enchisto - ISD local ipsec encrypt histograms for all VPNs
dechisto - ISD local ipsec decrypt histograms for all VPNs
dump - Dump all information
Table 11-10 SSL Perfomance: Single IPSEC ISD Statistics Menu Options
Command Syntax and Usage
vpn <VPN_number>
Display the ISD local IPSEC server statistics.
activesess
Display the locally active IPSEC sessions for all VPNs.
totalsess
Display the total of locally active IPSEC sessions for all VPNs.
failedsess
Display the failed IPSEC sessions for all VPNs.
enctot
Display the total kBytes encoded for all VPNs.
enc
Display the locally encoded kBytes for all VPNs.
dectot
Display the total kBytes decoded for all VPNs.
dec
Display the locally decoded kBytes for all VPNs.
sesshisto
Display the ISD local IPSEC session histograms for all VPNs.
enchisto
Display the ISD local IPSEC encrypted histograms for all VPNs.
Table 11-10 SSL Perfomance: Single IPSEC ISD Statistics Menu Options
Command Syntax and Usage
dechisto
Display the ISD local ipsec decrypt histograms for all VPNs.
dump
Display all ISD statistics.
/ssl/stats/aaa
AAA Statistics Menu
[AAA Statistics Menu]
total - Cluster-wide authentication statistics (per VPN)
isdhost - ISD local authentication statistics (per VPN)
dump - Dump all information
total <VPN_ID>
Display the Cluster-wide authentication statistics for each VPN.
dump
Display all AA statistics.
/ssl/cfg
SSL Performance Configuration Menu
[Configuration Menu]
ssl - SSL offload menu
cert - Certificate menu
vpn - VPN menu
test - Create test vpn, portal and certificate
quick - Quick vpn setup wizard
sys - System-wide parameter menu
lang - Language support
ptcfg - Backup configuration to TFTP/FTP/SCP/SFTP server
gtcfg - Restore configuration from TFTP/FTP/SCP/SFTP server
dump - Dump configuration on screen for copy-and-paste
ssl
Go to the SSL offload menu. To view menu options, see page 551.
cert
Go to the Certificate menu. To view menu options, see page 554.
vpn
Go to the VPN menu. To view menu options, see page 573.
test
Create a test VPN, portal and certificate. For example:
SSL >> Configuration# test
Enter virtual IP address of test portal: 0.0.0.0
VPN user name: Test_vpn
VPN password: smith
Do you want to configure IPsec? (yes/no) [no]: n
Do you want to configure Netdirect? (yes/no) [no]: n
Creating VPN 1
Creating Linkset 1
Name: base-links
Creating Authentication 1
Calling /cfg/vpn 1/aaa/auth 1/local/add Test_vpn smith test
Creating Group 1
Name: test
Creating Access rule 1
Added base-links to linkset
Created /cfg/cert 2
Use 'apply' to activate.
quick
Create a VPN configuration using command prompts.
sys
Go to the System-wide parameter menu. To view menu options, see page 649.
lang
Go to the Language Support menu. To view menu options, see page 649.
ptcfg
Saves the current configuration, including private keys and certificates, to a TFTP server. The con-
figuration can later be restored by using the gtcfg command. You are required to specify a pass-
word phrase before the information is sent to the TFTP server.
If you restore the configuration by using the gtcfg command, you will be prompted for the pass-
word phrase you have specified. The password phrase is used to protect the private keys in the con-
figuration.
NOTE – Note 1: If you have fully separated the Administrator user role from the Certifi-
cate Administrator user role, the export passphrase defined by the certificate administra-
tor is used to protect the private keys in the configuration - transparently to the user.
When a configuration backup is restored by using the gtcfg command, the certificate
administrator must enter the correct passphrase.
NOTE – Note 2: When using the ptcfg command on an iSD310-SSL FIPS, private keys
are encrypted using the wrap key that was generated when the first HSM card in the clus-
ter was initialized.
gtcfg
Restores a configuration, including private keys and certificates, from a TFTP server. You need to
provide the password phrase you specified when saving the configuration to the TFTP server.
NOTE – Note: If you have fully separated the Administrator user role from the Certifi-
cate Administrator user role (by removing the admin user from the certadmin group), the
certificate administrator must enter the passphrase that was defined by him or her using
the /cfg/sys/user/caphrase command.
dump
Display the configuration on-screen for a copy and paste operation.
/ssl/cfg/ssl
SSL Configuration Server Menu
[SSL Menu]
server - SSL server menu
test - Create test server and certificate
quick - Quick server setup wizard
server
Go to the SSl Server menu. To view menu options, see page 552.
test
Create a test VPN, portal and certificate. For example:
SSL >> Configuration# test
Enter virtual IP address of test portal: 0.0.0.0
VPN user name: Test_vpn
VPN password: smith
Do you want to configure IPsec? (yes/no) [no]: n
Do you want to configure Netdirect? (yes/no) [no]: n
Creating VPN 1
Creating Linkset 1
Name: base-links
Creating Authentication 1
Calling /cfg/vpn 1/aaa/auth 1/local/add Test_vpn smith test
Creating Group 1
Name: test
Creating Access rule 1
Added base-links to linkset
Created /cfg/cert 2
Use 'apply' to activate.
quick
Create a VPN configuration using command prompts.
/ssl/cfg/ssl/server
SSL Configuration Server-specific Menu
[Server 1 Menu]
name - Set server name
vips - Set IP addr(s) of server
standalone - Set standalone mode
port - Set listen port of server
rip - Set real server IP addr
rport - Set real server port
type - Set type (generic/http/socks)
proxy - Set transparent proxy mode (on/off)
trace - Traffic trace menu
ssl - SSL settings menu
tcp - TCP endpoint settings menu
adv - Advanced settings menu
del - Remove virtual server
ena - Enable virtual server
dis - Disable virtual server
name <string>
Enter the name of the server.
vips <IP_address>
Enter the virtual IP address for the server.
standalone on|off
Set the standalone mode.
port <integer>
Set the listen port for the server.
rip <IP_address>
Set the actual server IP address.
rport <integer>
Set the actual server port number.
type <generic/http/socks>
Set the port type.
proxy on|off
Set the proxy mode.
trace
Go to the Trace menu.To view menu options, see page 554.
ssl
Go to the SSL Settings menu. To view menu options, see page 555.
tcp
Go to the TCP endpoints menu. To view menu options, see page 556.
adv
Go to the Advanced settings menu. To view menu options, see page 557.
del
Remove the virtual server.
ena enabled|disabled
Enable the virtual server.
dis enabled|diabled
Disable the virtual server.
/ssl/cfg/ssl/server/trace
SSL Configuration Server-specific Trace Menu
[Trace Menu]
ssldump - Create traffic dump
tcpdump - Create traffic dump
ping - Ping through backend interface
dnslookup - Lookup a name in DNS through backend interface
traceroute - traceroute through backend interface
ssldump
Create a traffic dump. Information on creating dump patterns can be found at
http://www.tcpdump.org/tcpdump_man.html.
tcpdump
Create a traffic dump. Information on creating dump patterns can be found at
http://www.tcpdump.org/tcpdump_man.html.
ping <hostname>
Use this command to verify station-to-station connectivity across the network.
dnslookup <hostname>
Lookup a hostname in DNS.
traceroute <hostname>
Use this command to identify the route used for station-to-station connectivity across the network.
/ssl/cfg/ssl/server/ssl
SSL Configuration Server-specific SSL Menu
[SSL Settings Menu]
cert - Set server certificate
cachesize - Set SSL cache size
cachettl - Set SSL cache timeout
cacerts - Set list of accepted signers of client certificates
cachain - Set list of CA chain certificates
protocol - Set protocol version
verify - Set certificate verification level
ciphers - Set cipher list
ena - Enable SSL
dis - Disable SSL
cert unset|set
Create a server certificate.
cachesize <integer>
Set the SSL cache size.
cachettl <integer>
Set the SSL cache timeout (in seconds).
cacerts <integerlist>
Set the list of authorized signers of client certificates. Separate the signer list using commas.
cachain <integerlist>
Set the list of CA chain certificates. Separate the list using commas.
protocol <issl2/ssl3/ssl23/tls1>
Set the protocol version.
verify none|optional|require
Set the verification level of the certificate.
ciphers
Set the cipher list. The cipher list consists of one or more cipher strings separated by colons (e.g.
SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g.
SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms).
Each cipher string can be optionally preceded by the characters !, - or +. ! permanently deletes the
ciphers from the list (e.g. !RSA). - deletes the ciphers from the list, but the ciphers can be added
again by later options. + moves the ciphers to the end of the list. This option doesn't add any new
ciphers it just moves matching existing ones.
Additionally the cipher string @STRENGTH sorts the current cipher list in order of encryption
algorithm key length.
ena yes|no
Enable SSL.
dis yes|no
Disable SSL.
/ssl/cfg/ssl/server/tcp
SSL Configuration Server-specific TCP Menu
[TCP Settings Menu]
cwrite - Set client TCP write timeout
ckeep - Set client TCP keep alive timeout
swrite - Set server TCP write timeout
sconnect - Set server TCP connect timeout
csendbuf - Set client TCP send buffer size
crecbuf - Set client TCP receive buffer size
ssendbuf - Set server TCP send buffer size
srecbuf - Set server TCP receive buffer size
cwrite <integer>
Set the client TCP write timeout (in seconds, 1-2147483647).
ckeep <integer>
Set the client TCP keep alive timeout (in seconds, 1-2147483647).
swrite <integer>
Set the server TCP write timeout (in seconds, 1-2147483647).
sconnect <integer>
Set the server TCP connect timeout (in seconds, 1-2147483647).
ssendbuf <generic/http/socks>
Set the server TCP send buffer size (in bytes).
srecbuf on|off
Set the server TCP receive buffer size (in bytes).
/ssl/cfg/ssl/server/adv
SSL Configuration Server-specific Advanced Menu
[Advanced Settings Menu]
string - String menu
blockstrin - Set strings to block
loadbalanc - Load balancing menu
sslconnect - SSL connect menu
string
Go to the String menu. To view the menu options, see page 558.
blockstrin <string>
Set the strings to block, separated by commas.
loadbalanc
Go to the Load Balancing menu. To view the menu options, see page 559.
sslconnect
Go to the SSL Connect menu. To view the menu options, see page 560.
/ssl/cfg/ssl/server/adv/string
SSL Configuration Server Advanced String Menu
[LB String 1 Menu]
match - Set string to match
location - Set locations to perform the match in
icase - Set ignore case in to match
negate - Set negate the result of the match
del - Remove string
match <string>|*
Enter the string to match. For example:
SSL >> LB String 1# match
Current value: <not set>
Enter match string (may contain *):
location <locationlist>
Set the match string locations, separated by commas.
Possible values are:
Macros
url, unknown, other, header
Methods
options, get, head, post, put, delete, trace, connect
Special
query, params, cookie-override
Headers
accept, accept-charset, accept-encoding, accept-language, accept-ranges, age, allow, authoriza-
tion, cache-control, connection, content-base, content-encoding, content-language, content-length,
content-location, content-md5, content-range, content-type, cookie, cookie2, date, etag, expires,
from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, keep-alive,
last-modified, location, max-forwards, pragma, proxy-authenticate, proxy-authorization, proxy-
connection, public, range, referer, retry-after, server, set-cookie, transfer-encoding, upgrade, user-
agent, vary, via, warning, www-authenticate, x-forwarded-for, x-ssl
icase on|off
Set the string match as case respective yes (on) or no (off).
negate on|off
Set a negative match scheme. The current strings are excluded (on) or included (off).
del string<string_number>
Delete the string.
/ssl/cfg/ssl/server/adv/loadbalanc
SSL Configuration Server Advanced Load Balancing
Menu
[Load Balancing Settings Menu]
type - Set load balancing type
persistenc - Set persistence strategy
cookie - Cookie settings menu
metric - Set load balancing metric
health - Set health check type
script - Health check script menu
interval - Set health check interval (s)
remotessl - Remote SSL connect menu
backend - Backend servers menu
ena - Enable load balancing
dis - Disable load balancing
Table 11-20 SSL Configuration Server Advanced Load Balancing Menu Options
Command Syntax and Usage
type all|<string>
Set the load balancing type.
persistenc none|cookie|session
Set the persistence strategy.
cookie
Go to the Cookie settings menu. To view the menu options, see page 560. Note that this menu is
accessible only when persistenc is set to “cookie”.
metric hash|roundrobin|leastconn
Set the load balancing metric.
health none|tcp|ssl|auto|script
Set the health check type.
script
Go to the heath check script menu. To view the menu options, see page 562.
interval <integer>
Set the health check interval.
remotessl
Go to the Remote SSL connection menu. To view the menu options, see page 563.
backend
Go to the Backend Servers menu. To view the menu options, see page 565.
Table 11-20 SSL Configuration Server Advanced Load Balancing Menu Options
Command Syntax and Usage
ena enable|disable
Enable load balancing.
dis enable|disable
Disable load balancing.
/ssl/cfg/ssl/server/adv/loadbalanc/
cookie
SSL Configuration Server Advanced Load Balancing
Cookie Menu
[Cookie Settings Menu]
mode - Set cookie mode
name - Set cookie name
domain - Set cookie domain
expires - Set cookie expires
expiresdel - Set cookie expires delta
localvips - Configure other local VIPs
offset - Set cookie value offset
length - Set cookie value length
Table 11-21 SSL Configuration Server Advanced Load Balancing Cookie Menu
Options
Command Syntax and Usage
name <cookie_name>
Sets the cookie name.
domain <domain_name>
Sets the cookie domain name.
expires <date_time>
Sets the cookie expiration date and time.
expiresdel <0(session)-2147483647>
Sets the cookie expiration delta value.
localvips
Opens the Local VIPs menu. For more information on this menu refer to page 562.
Table 11-21 SSL Configuration Server Advanced Load Balancing Cookie Menu
Options (Continued)
Command Syntax and Usage
offset <1-64>
Sets the cookie value offset.
length <0-64>
Sets the cookie length
/ssl/cfg/ssl/server/adv/loadbalanc/
cookie/localvips
Local VIP Configuration Menu
[Local VIPs Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
list
Lists all configured values.
del <entry_index>
Deletes the entry indicated by the index value.
add <ip_address>
Adds an entry by IP address.
/ssl/cfg/ssl/server/adv/loadbalanc/
script
SSL Configuration Server Advanced Load Balancing
Health Script Menu
[Health Check Script Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-23 SSL Configuration Server Advanced Load Balancing Health Script
Menu Options
Command Syntax and Usage
list
Display all values.
del <index>
Delete a specific value.
/ssl/cfg/ssl/server/adv/loadbalanc/
remotessl
SSL Configuration Server Advanced Load Balancing
Remote SSL Menu
[Remote SSL Connect Settings Menu]
protocol - Set protocol version
cert - Set client certificate
ciphers - Set accepted ciphers for ssl connect
verify - Verify server menu
Table 11-24 SSL Configuration Server Advanced Load Balancing Remote SSL
Menu Options
Command Syntax and Usage
protocol aissl2|ssl3|ssl23|tls1
Set the protocol version.
Table 11-24 SSL Configuration Server Advanced Load Balancing Remote SSL
Menu Options
Command Syntax and Usage
ciphers <string>
Set the accepted ciphers for SSL connection. The cipher list consists of one or more cipher strings
separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical
and operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES
algorithms).
Each cipher string can be optionally preceded by the characters !, - or +. ! permanently delets the
ciphers from the list (e.g. !RSA). - deletes the ciphers from the list, but the ciphers can be added
again by later options. + moves the ciphers to the end of the list.
This option doesn't add any new ciphers it just moves matching existing ones. Additionally the
cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key
length
verify
Go to the Verify Server menu. To view the menu options, see page 564.
/ssl/cfg/ssl/server/adv/loadbalanc/
remotessl/verify
SSL Configuration Server Advanced Load Balancing
Remote SSL Verification Menu
[Remote SSL Connect Verify Settings Menu]
verify - Set certificate verification level
commonname - Set server common name
cacerts - Set list of accepted signers of server's certificate
Table 11-25 SSL Configuration Server Advanced Load Balancing Remote SSL
Verification Menu Options
Command Syntax and Usage
verify none|require
Set the ertification verification level.
commonname <name>
Set the server common name. For example:
SSL >> Remote SSL Connect Verify Settings# commonname
Current value: [old_server_name]
Give common name of server: <new_server_name>
Table 11-25 SSL Configuration Server Advanced Load Balancing Remote SSL
Verification Menu Options
Command Syntax and Usage
cacerts <integer_list>
Enter the certificate numbers, separated by commas.
/ssl/cfg/ssl/server/adv/loadbalanc/
backend
SSL Configuration Server Advanced Load Balancing
Backend Server Menu
[Backend Server 1 Menu]
ip - Set IP addr of backend server
port - Set backend server port
sslconnect - Set perform SSL connect if enabled for server
remote - Set server is remote
rname - Set host name of remote server
remotessl - Set remote site is ssl
lbstrings - Set load balancing strings
lbop - Set string load balancing operation
del - Remove backend server
ena - Enable backend server
dis - Disable backend server
ip <IP_address>
Set theIP address of the backend server.
port <port_number>
Set the backend server port number.
sslconnect on|off
Set the SSL connection option.
remote true|false
Set the server as remote, as required.
rname <hostname>
Set hostname of the remote server.
remotessl true|false
Set the remote site as SSL.
lbstrings <integers>
Set the load balance strings, separated by a comma.
lbop any|all|one|none
Set the string load balancing operation.
del
Remove the backend server.
ena enable|disable
Enable the backend server.
dis enable|disable
Disable the backend server.
/ssl/cfg/cert
SSL Configuration Certificate Menu
[Certificate 1 Menu]
name - Set certificate name
cert - Set certificate
key - Set private key
revoke - Revocation menu
genkey - Generate private key
gensigned - Generate signed client/server certificate
request - Generate certificate request
sign - Sign a certificate request
test - Generate test certificate and key
import - Import key and certificate with TFTP/FTP/SCP/SFTP
export - Export certificate and key with TFTP/FTP/SCP/SFTP
display - Display certificate and key
show - Show certificate information
info - Show certificate short information
subject - Show certificate subject information
validate - Check if key and certificate match
keysize - Show key size
keyinfo - Show how key is stored
del - Remove certificate
name <string>
Enter the name of the certificate.
cert <pasted_certificate_content>
Paste the content of a copied certificate. For example:
Paste the certificate, press Enter to create a new line, and then
type "..."
(without the quotation marks) to terminate.
>
key <pasted_key_content>
Paste the copied key. For example:
Paste the key, press Enter to create a new line, and then
type "..."
(without the quotation marks) to terminate.
>
revoke
Go to the Revoke menu. To view the menu options, see page 571.
genkey 512|1024|2048|4096
Generate a private key.
request
Generate a certicate request.
SSL >> Certificate 1# request
The combined length of the following parameters may not exceed 225
bytes.
Country Name (2 letter code): CA
State or Province Name (full name): Ontario
Locality Name (eg, city): Ottawa
Organization Name (eg, company): NoTel
Organizational Unit Name (eg, section): MaintCommon Name (eg, your
name or your server's hostname): NoTel-12
Email Address: maint@notel.ca
Key size (512/1024/2048/4096) [1024]: 1024
Request a CA certificate (y/n) [n]: y
Specify challenge password (y/n) [n]: n
-----BEGIN CERTIFICATE REQUEST-----
MIIBvjCCAScCAQAwfjELMAkGA1UEBhMCQ0ExCzAJBgNVBAgTAk9OMRAwDgYDVQQH
EwdPdHRhd2VhMQ4wDAYDVQQKEwVOb1RlbDEOMAwGA1UECxMFTWFpbnQxETAPBgNV
BAMTCE5vVGVsLTEyMR0wGwYJKoZIhvcNAQkBFg5tYWludEBub3RlbC5jYTCBnzAN
BgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA2LJNQnjDxHXm1bunZF39o/1CJ7egEupd
gXaIiDt1xQ5kWNlCcIhXrsksrpAOss/NMy2DNLmNd/31BO8XSvuZWs6LJxznZyBC
6WcSmOa6r96CnsvPPi/jIqAZQMbklwclH5Qa/JjSWuaoVdlVOAuhe58PqyQketXm
58w8n+Iy+a0CAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4GBAMMhwai0XLkL+YT3qBBo
tmtTL7DgH/7czR97lgXsDawZOWaiYq4tAEBSr+Ap1qxAqgS4VJxrjBZIYT6xQW6z
MvHE20s+Reaf9cX9OePTvaSH9SUSKz8QNhPLUdBo7LOURUaF7aN5IWPBezGQwgjp
Rxxf+chfXa7M8i7VdY9YyAHA
-----END CERTIFICATE REQUEST-----
test
Create a test certificate and key. For example:
SSL >> Certificate 1# test
The combined length of the following parameters may not exceed 225
bytes.
Country Name (2 letter code): CA
State or Province Name (full name): Ontario
Locality Name (eg, city): Ottawa
Organization Name (eg, company): NoTel
Organizational Unit Name (eg, section): Maint
Common Name (eg, your name or your server's hostname): NoTel-12
Email Address: maint@notel.ca
Valid for days [365]: 200
Valid for days [365]: 200
Key size (512/1024/2048/4096) [1024]: 1024
Test key and certificate added.
Use 'apply' to activate.
display
Display a certificate and key. For example:
SSL >> Certificate 1# display
Encrypt private key (yes/no) [yes]: yes
Enter export pass phrase: <hidden_text>
Reconfirm export pass phrase: <hidden_text>
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,8E1E1EB54398437B
1NngBGmeIGxhndoR3+F4DNmYNCtH6tbVMZmmTCAu0ee9Ss9vjy6N3jXgMUy8RnfV
1dRLixDPlpAB5CwsSUBLROtvq6rhyZnwKbofz4UBon1tE33eX86uNrXGjdvPkfzD
x8TrCXdcewY0W1xuPA6mnb0mHCn768fqoNd5YlXPMRbPrK/nTfvCHlfvVmHkzpw3
BrvNfqVpdijQkdv+X53gn7DbYBsFYKSLsjyZ1Dst1JFDS5W594by1P7WseRYi4Lq
XPcmgZA7BtC5JV9d6Fwmd66Cois3WUxBtTeLJDFet6fr/9e3nXfa+pPyIgGGWAYE
.
.
.
A9xlBRMYzppbzQVjjFK0maFRtuhIiEbexLJwTCEwfyVMk8juHvBWIQ==
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIID3jCCA0egAwIBAgIBADANBgkqhkiG9w0BAQQFADCBgjELMAkGA1UEBhMCQ0Ex
EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTEOMAwGA1UEChMFTm9U
.
.
show
Show certificate information.
info
Show short-form certificate information. For example:
SSL >> Certificate 1# info
Serial number: 0 (0x0)
Expire: Jan 19 14:49:18 2006 GMT
Certificate subject:
C=CA
ST=Ontario
L=Ottawa
O=NoTel
OU=Maint
CN=NoTel-12/emailAddress=maint@notel.ca
subject
Show certificate subject information. For example:
SSL >> Certificate 1# subject
Certificate subject:
C/countryName (2.5.4.6) = CA
ST/stateOrProvinceName (2.5.4.8) = Ontario
L/localityName (2.5.4.7) = Ottawa
O/organizationName (2.5.4.10) = NoTel
OU/organizationalUnitName (2.5.4.11) = Maint
CN/commonName (2.5.4.3) = NoTel-12
emailAddress/emailAddress (1.2.840.113549.1.9.1) = maint@notel.ca
keysize
Display key size (in bytes).
keyinfo
Displays how the key is stored.
del
Delete the certificate and key. For example:
SSL >> Certificate 1# del
Certificate 1 will be deleted when changes are applied.
/ssl/cfg/cert/revoke
SSL Configuration Revoke Certificate Menu
[Revocation Menu]
add - Add decimal serial number to revocation list
addx - Add hex serial number to revocation list
del - Cancel revocation for a serial number
list - List revoked certificates
rev - Enter revocation list
import - Import revocation list with TFTP/FTP/SCP/SFTP
automatic - Automatic CRL retrieval menu
add <integer>
Add a decimal serial number to the revocation list.
addx <hexidecimal_number>
Add a hexidecimal number to the revocation list.
del <serial_number>
Cancel the revocation of a serial number.
list
List the revoked certificates.
rev
Paste a revocation list into another revocation list.
automatic
Go to the automatic retrieval menu.
/ssl/cfg/cert/revoke/automatic
SSL Configuration Revoke Certificate Automatic Menu
[Automatic CRL Menu]
url - Set URL to retrieve CRL from
authDN - Set LDAP DN used for bind/authentication
passwd - Set password to use when to authenticate
interval - Set refresh interval
cacerts - Set list of accepted signers of CRLs
ena - Enable automatic retrieval
dis - Disable automatic retrieval
url <URL>
Set the URL value to retrieve the CRL.
authDN <LDAP-Distinguished-Name>
Set the LDAP DN to be used for bind and authentication.
passwd <string>
Set the authentication password.
interval <time>
Set the refresh interval.
cacerts <certificate_numbers>
Create a list of accepted signers of CRLs. Separate the lsit elements by commas
ena enabled|disabled
Enable automatic retrieval.
dis enabled|disabled
Disable automatic retrieval.
/ssl/cfg/vpn
SSL VPN Configuration Menu
[VPN 1 Menu]
ips - Set IP addr(s) of the VPN
standalone - Set standalone mode (no switch)
aaa - AAA menu
server - SSL server menu
ipsec - IPsec server menu
ippool - IP address pool menu
portal - Portal look and feel menu
linkset - Portal linkset menu
sslclient - SSL VPN client menu
adv - Advanced settings menu
del - Remove VPN
ips <IP_address>
Set the IP address of the VPN.
standalone on|off
Set the standalone mode.
aaa
Go to the AAA menu. To view the menu options, see page 573.
server
Go to the SSL server menu. To view the menu options, see page 578.
ipsec
Go to the IPsec server menu. To view the menu options, see page 602.
ippool
Go to the IP POOL menu. To view the menu options, see page 615.
portal
Go to the Portal look and feel menu. To view the menu options, see page 619.
linkset
Go to the Portal lonkset menu. To view the menu options, see page 621.
sslclient
Go to the SSL VPN client menu.To view the menu options, see page 625.
adv
Go to the Advanced Settings menu.To view the menu options, see page 627.
del
Remove the VPN.
/ssl/cfg/vpn/aaa
SSL VPN Configuration Menu
[AAA Menu]
quick - AAA setup wizard
tg - TunnelGuard menu
ttl - Set login session TTL
auth - Authentication menu
authorder - Set authentication server fallback order
network - Network access menu
service - Service access menu
appspec - Application specific menu
filter - Client filter menu
group - Group menu
defgroup - Set default group
ssodomains - Single-Sign on enabled domains menu
ssoheaders - Single-Sign on headers menu
radacct - RADIUS accounting menu
quick <IP_address>
AAA setup wizard.
tg
Go to the TunnelGuard menu. To view the menu options, see page 576.
auth
Go to the Authentication menu. To view the menu options, see page 578.
authorder <list_of_servers>
Set the authetication server fallback order. Use a comma to separate entries.
network
Go to the Network Access menu. To view the menu options, see page 582.
service
Go to the Service Access menu. To view the menu options, see page 584.
appsec
Go to the Application Specific menu. To view the menu options, see page 585.
filter
Go to the Client Filter menu.To view the menu options, see page 588.
group
Go to the Group menu.To view the menu options, see page 589.
defgroup <name_of_group>
Set the default group.
ssodomains
Go to the Single sign-on enabled domains menu. To view the menu options, see page 597.
ssoheaders
Go to the Single Sugn-on Headers menu. To view the menu options, see page 597.
radacct
Go to the Radius Accounting menu. To view the menu options, see page 599.
/ssl/cfg/vpn/aaa/tg
SSL VPN Configuration TunnelGuard Menu
[TG Menu]
ena - Enable TunnelGuard
dis - Disable TunnelGuard
quick - Quick TunnelGuard setup wizard
recheck - Set recheck interval
action - Set fail action
retry - Set UDP retry interval
list - List SRS rules
loglevel - Set TunnelGuard applet loglevel
ena enable|disable
Enable TunnelGuard.
dis enable|disable
Disable TunnelGuard.
Enabling TunnelGuard
Creating Linkset 1
Name: tg_passed
This Linkset just prints the TG result
Creating Linkset 2
Name: tg_failed
This Linkset just prints the TG result
Adding test SRS rule srs-rule-test
This rule check for the presence of the file
C:\tunnelguard\tg.txt
Creating Group 1
Name: tunnelguard
Creating Extended Profile 1
Giving full access when tg passed
Creating Access rule 1
Creating Extended Profile 2
Giving no access when tg failed
Using SRS rule: srs-rule-test
Creating Authentication 1
Adding user 'tg' with password 'tg'
recheck <seconds>
Set the recheck interval.
action teardown|restricted
Set the Fail action.
list
List the SRS rules.
loglevel <string>
Set the TunnelGuard applet log level.
/ssl/cfg/vpn/aaa/auth
SSL VPN Configuration Authentication Menu
To enter the /ssl/cfg/vpn/aaa/auth menu level, you are prompted to create an authentication if
one does not already exist.
Creating Authentication 1
Select one of radius, ldap, ntlm, siteminder, cert, rsa or local:
radius
Auth name: Authentication_1
Entering: RADIUS settings menu
Entering: RADIUS servers menu
IP Address to add: 0.0.0.0
Port (default is 1812): 1812
Enter shared secret: shared
Leaving: RADIUS servers menu
Enter vendor id [alteon]: alteon
Enter vendor type [1]: 1
Leaving: RADIUS settings menu
------------------------------------------------------------
[Authentication 1 Menu]
type - Set authentication mechanism
name - Set auth name
display - Set auth display name
domain - Set windows domain for backend single sign-on
radius - RADIUS settings menu
adv - Advanced settings menu
del - Remove Authentication
type radius|ldap|ntlm|siteminder|cert|rsa|local
Set the authentication scheme.
name <string>
Set the authentication name. The default is local.
display <string>
Set the authentication display name.
domain <string>
Set the current windows domain for backend single sign-on.
radius <list_of_servers>
Go to the Radius menu. The menu is available only if the type is Radius (# type radius). To view
the menu options, see page 579.
adv
Go to the Advanced menu. To view the menu options, see page 582.
del
Remove the authentication.
/ssl/cfg/vpn/aaa/auth/radius
SSL VPN Configuration Authentication Radius Menu
To enter the /ssl/cfg/vpn/aaa/auth/radius menu level, the authentication type must be set to
radius. For example, /ssl/vpn/aaa/auth/type radius.
[RADIUS Menu]
servers - RADIUS servers menu
vendorid - Set vendor id for group attribute
vendortype - Set vendor type for group attribute
timeout - Set RADIUS server timeout
sessiontim - Session Timeout menu
macro - User-defined Macro menu
Table 11-34 SSL VPN Configuration AAA Authentication Radius Menu Options
Command Syntax and Usage
servers
Go to the Radius servers menu. To view the menu options, see page 580.
vendorid <string>
Set the switch vendor ID.
vendortype <vendortype>
Set the vendor type.
sessiontim
Go to the Sessiontim menu. To view the menu options, see page 580.
macro
Go to the Macro menu. To view the menu options, see page 581.
/ssl/cfg/vpn/aaa/auth/radius/servers
SSL VPN Configuration Authentication Radius Servers
Menu
[RADIUS Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-35 SSL VPN Configuration AAA Authentication Radius Menu Options
Command Syntax and Usage
list
List all values (servers).
del <index_number>
Delete a server value by name.
/ssl/cfg/vpn/aaa/auth/radius/
sessiontm
SSL VPN Configuration Authentication Radius Session
Timeout Menu
[SessionTimeout Menu]
vendorid - Set vendor id for session timeout attribute
vendortype - Set vendor type for session timeout attribute
ena - Enable Session-Timeout
dis - Disable Session-Timeout
Table 11-36 SSL VPN Configuration AAA Authentication Radius Session Timeout
Menu Options
Command Syntax and Usage
vendorid <vendorid>
Set the vendor ID number.
vendortype <value>
Set the Vendor Type number.
ena enable|disable
Enable session timeout.
dis enable|disable
Disable session timeout.
/ssl/cfg/vpn/aaa/auth/radius/macro
SSL VPN Configuration Authentication Radius Macro
Menu
[Macro Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-37 SSL VPN Configuration AAA Authentication Radius Macro Menu
Options
Command Syntax and Usage
list
List all values.
del <value>
Delete a value using its number.
/ssl/cfg/vpn/aaa/auth/adv
SSL VPN Configuration Authentication Advanced Menu
[Advanced Menu]
groupauth - Set Authentication server list of group information
secondauth - Set Secondary authentication server
groupauth <hostnames>
Set the list of authentication servers. Separate values using a comma.
secondauth <hostname>
Set the secondary authentication server.
/ssl/cfg/vpn/aaa/network
SSL VPN Configuration Network Menu
To enter the /ssl/cfg/vpn/aaa/network menu level, you are prompted to create a network if one
does not already exist.
------------------------------------------------------------
[Network 1 Menu]
name - Set network name
subnet - Subnet menu
comment - Set comment
del - Remove network
name <string>
Set the network name.
subnet
Go to the Subnet menu. To view the menu options, see page 583.
comment <text_string>
Create a text description (comment) about the network.
del
Remove the network. The network will be removed when the global /apply command is entered.
/ssl/cfg/vpn/aaa/network/subnet
SSL VPN Configuration Network Subnet Menu
To enter the /ssl/cfg/vpn/aaa/networksubnet menu level, you are prompted to create a subnet if
one does not already exist.
------------------------------------------------------------
[Network Subnet 1 Menu]
host - Set Host Name
net - Set network address
mask - Set network mask
del - Remove subnet
Table 11-40 SSL VPN Configuration AAA Network Subnet Menu Options
Command Syntax and Usage
host <hostname>
Set the hostname for the subnet.
net <IP_address>
Set the subnet address.
mask <IP_address>
Set the Network mask.
del
Remove the Subnet.
/ssl/cfg/vpn/aaa/service
SSL VPN Configuration Service Menu
To enter the /ssl/cfg/vpn/aaa/service menu level, you are prompted to create a service if one
does not already exist.
------------------------------------------------------------
[Service 1 Menu]
name - Set service name
protocol - Set allowed protocols
ports - Set allowed port
comment - Set comment
del - Remove Service
name <service_name>
Set the service name.
protocol tcp|udp
Set the protocols that are allowed.
ports <integers>
Set the allowed ports. If nore than one, use commas to separate.
comment <string>
Create a description (comment) about the service.
del
Delete the service.
/ssl/cfg/vpn/aaa/appspec
SSL VPN Configuration Application specific Menu
To enter the /ssl/cfg/vpn/aaa/appspec menu level, you are prompted to create a network if one
does not already exist.
For ftp you write the path as <ABSOLUTE FILE PATH>, for example
/home/share/public/
This will give access to the /home/share/public. Note that all paths
are absolute from the root.
For web servers you write the path <SERVER PATH>, for example
/intranet
This will give access to the /intranet path on the web server.
Table 11-42 SSL VPN Configuration AAA Application specific Menu Options
Command Syntax and Usage
name <appsec_name>
Create an application name.
paths
Go to the Paths menu. To view the menu options, see page 571.
Table 11-42 SSL VPN Configuration AAA Application specific Menu Options
Command Syntax and Usage
comment <string>
Create a description (comment) about the Application.
del
Delete the application.
/ssl/cfg/vpn/aaa/appspec/paths
SSL VPN Configuration Application specific Paths Menu
[Paths Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-43 SSL VPN Configuration AAA Application specific Paths Menu
Options
Command Syntax and Usage
list
List all paths.
del <path_value>
Delete a path by its number.
add
Add a new path. For example:
SSL >> Paths# list
Old:
Pending:
1: /info
For ftp you write the path as <ABSOLUTE FILE PATH>, for example
/home/share/public/
This will give access to the /home/share/public. Note that all paths
are absolute from the root.
For web servers you write the path <SERVER PATH>, for example
/intranet
This will give access to the /intranet path on the web server.
insert <index>
Insert a path into the path list.
Table 11-43 SSL VPN Configuration AAA Application specific Paths Menu
Options
Command Syntax and Usage
del
Delete the path.
/ssl/cfg/vpn/aaa/filter
SSL VPN Configuration AAA Filter Menu
To enter the /ssl/cfg/vpn/aaa/filter menu level, you are prompted to create a service if one does
not already exist.
------------------------------------------------------------
[Client Filter 1 Menu]
name - Set filter name
cert - Client certificate present
iewiper - IE cache wiper present
tg - TunnelGuard checks passed
methods - Set access methods
authserver - Set authentication servers
clientnet - Set client network reference
comment - Set comment
del - Remove client filter
name <filter_name>
Set the filter name.
cert true|false|ignore
Enter teh applicability of a certificate.
iewiper true|false|ignore
Set the prescence of the IE cache wiper.
tg true|false|ignore
Set the state of the TunnelGuard checks passed.
methods ssl|ipsec|netdirect
Set the access methods.
authserver <hostnames>
Set authentication server names. If more than one, separate the names using a comma.
clientnet <clientnet_hostname>
Set client network reference.
comment
Create a description (comment) of the filter.
del
Remove the client filter.
/ssl/cfg/vpn/aaa/group
SSL VPN Configuration AAA Group Menu
To enter the /ssl/cfg/vpn/aaa/group menu level, you are prompted to create a service if one
does not already exist.
------------------------------------------------------------
[Group 1 Menu]
name - Set group name
access - Access rule menu
print - Print access rules
restrict - Set number of login sessions
usertype - Set portal user type
linkset - Linkset menu
extend - Extended profiles menu
tgsrs - Set TunnelGuard SRS Rule
ipsec - IPsec menu
comment - Set comment
del - Remove group
name <string>
Set tthe group name.
access
Go to the Access rule menu. To view the menu options, see page 591.
print
Display the Access rules. For example:
SSL >> Group 1# print
Network Ports Proto Path Action
------- ----- ----- ---- ------
restrict <integer>
Restrict the number of login sessions. The default is 0 (unlimited)
usertype advanced|medium|novice
Set the user level.
linkset
Go to the Linkset menu. To view the menu options, see page 592.
extend
Go to the Extended Profiles menu. To view the menu options, see page 593.
tgsrs <string>
Set the TunnelGuard SRS rule.
ipsec
Go to the IPSEC menu.To view the menu options, see page 595.
comment
Create a decription (comment) of the Group.
del
Delete the group.
/ssl/cfg/vpn/aaa/group/access
SSL VPN Configuration AAA Group Access Menu
To enter the /ssl/cfg/vpn/aaa/group/access menu level, you are prompted to create a service if
one does not already exist.
------------------------------------------------------------
[Access rule 1 Menu]
network - Set network reference
service - Set service reference
appspec - Set application specific reference
action - Set action
comment - Set access rule comment
del - Remove access rule
Table 11-46 SSL VPN Configuration AAA Group Access Menu Options
Command Syntax and Usage
network <network_name>
Enter the network name reference.
service <service_name>
Set the Service name reference.
appspec <application_name>
Set the application specific name reference.
action accept|reject
Accept or reject the creation of this Access rule.
comment
Create a description (comment) of this Access rule.
del
Delete the Access rule.
/ssl/cfg/vpn/aaa/group/linkset
SSL VPN Configuration AAA Group Linkset Menu
[Linksets Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-47 SSL VPN Configuration AAA Group Linkset Menu Options
Command Syntax and Usage
list
List all of the configured linksets.
add <linkset_name>
Add a linkset name.
/ssl/cfg/vpn/aaa/group/extend
SSL VPN Configuration AAA Group Extend Profiles
Menu
To enter the /ssl/cfg/vpn/aaa/group/extend menu level, you are prompted to create an extended
service profile if one does not already exist.
------------------------------------------------------------
[Extended Profile 1 Menu]
filter - Set client filter reference
access - Access rule menu
print - Print access rules
usertype - Set portal user type
linkset - Linkset menu
del - Remove profile
Table 11-48 SSL VPN Configuration AAA Group Extend Profiles Menu Options
Command Syntax and Usage
filter <client_filter_name>
Set the client filter name reference.
access
Go to the Access Rule menu. To view the menu options, see page 594.
print
Display the extended profile information.
usertype advanced|medium|novice
Set the portal user level.
linkset
Go to the Linkset menu. To view the menu options, see page 595.
del
Delete the Extended Profile.
/ssl/cfg/vpn/aaa/group/extend/access
SSL VPN Configuration AAA Group Extend Profiles
Access Menu
[Access rule 1 Menu]
network - Set network reference
service - Set service reference
appspec - Set application specific reference
action - Set action
comment - Set access rule comment
del - Remove access rule
Table 11-49 SSL VPN Configuration AAA Group Extend Profiles Access Menu
Options
Command Syntax and Usage
network <network_name>
Set the network name reference.
service <service_name>
Set the Service name reference.
appspec <application_name>
Set the Application name reference..
action accept|reject
Accept or reject the Access rule change.
comment
Create a description (comment) of the Access rule.
del
Delete the Extended Profile Access rule.
/ssl/cfg/vpn/aaa/group/extend/
linkset
SSL VPN Configuration AAA Group Extend Profiles Link-
set Menu
[Linksets Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-50 SSL VPN Configuration AAA Group Extend Profiles Linkset Menu
Options
Command Syntax and Usage
list
List all of the configured Extended Profile linksets.
del <extended_profile_linkset_name>
Delete the Extended Profile Linkset.
add <extended_profile_linkset_name>
Add an Extended Profile linkset name.
/ssl/cfg/vpn/aaa/group/ipsec
SSL VPN Configuration AAA Group IPsec Menu
[IPsec Menu]
secret - Set shared secret
utunnel - Set user tunnel profile
Table 11-51 SSL VPN Configuration AAA Group IPsec Menu Options
Command Syntax and Usage
secret <string>
Set the group Secret value.
Table 11-51 SSL VPN Configuration AAA Group IPsec Menu Options
Command Syntax and Usage
utunnel <string>
Set the user tunnel profile name.
/ssl/cfg/vpn/aaa/ssodomains
SSL VPN Configuration AAA Single-sign on Enabled
Domains Menu
[SSO Domain menu Menu]
list - List all values
del - Delete a value by number
add - Add a new value
Table 11-52 SSL VPN Configuration AAA Single-sign on enabled Domains Menu
Options
Command Syntax and Usage
list
List all of the SSO domains.
del <index>
Delete an SSO domain.
/ssl/cfg/vpn/aaa/ssoheaders
SSL VPN Configuration AAA Single-sign on Headers
Menu
[SSO headers menu Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-53 SSL VPN Configuration AAA Single-sign on Headers Menu Options
Command Syntax and Usage
list
List all of the configured SSO Headers.
Table 11-53 SSL VPN Configuration AAA Single-sign on Headers Menu Options
Command Syntax and Usage
/ssl/cfg/vpn/aaa/radacct
SSL VPN Configuration AAA Radius Accounting Menu
[RADIUS Accounting Menu]
servers - RADIUS accounting servers menu
vpnattribu - VPN attribute menu
ena - Enable RADIUS accounting
dis - Disable RADIUS accounting
Table 11-54 SSL VPN Configuration AAA Radius Accounting Menu Options
Command Syntax and Usage
servers
Go to the Radius servers menu. To view the menu options, see page 599.
vpnattribu
Go to the VPN attribute menu. To view the menu options, see page 601.
ena enable|disable
Enable AAA radius accounting.
dis enable|disable
Disable AAA radius accounting.
ssl/cfg/vpn/aaa/radacct/servers
SSL VPN Configuration AAA Radius Accounting Servers
Menu
[RADIUS Accounting Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-55 SSL VPN Configuration AAA Radius Accounting Menu Options
Command Syntax and Usage
list
List all of the configured Radius Accounting servers.
del <Radius_Accounting_server_name>
Delete the SSO Header.
Table 11-55 SSL VPN Configuration AAA Radius Accounting Menu Options
Command Syntax and Usage
ssl/cfg/vpn/aaa/radacct/vpnattribu
SSL VPN Configuration AAA Radius Accounting VPN
attributes Menu
[VPN Attribute Menu]
vendorid - Set vendor id for the VPN attribute
vendortype - Set vendor type for the VPN attribute
Table 11-56 SSL VPN Configuration AAA Radius Accounting VPN attributes
Menu Options
Command Syntax and Usage
vendorid <vendorID>
Set the vendor name.
vendortype <integer>
Set the vendor type.
/ssl/cfg/vpn/server
SSL VPN Configuration Server Menu
[Server Menu]
port - Set listen port of server
dnsname - Set DNS name of server
trace - Traffic trace menu
ssl - SSL settings menu
tcp - TCP endpoint settings menu
http - HTTP settings menu
proxymap - Intranet proxy configuration menu
portal - Portal settings menu
adv - Advanced settings menu
ena - Enable virtual server
dis - Disable virtual server
dnsname <fully_qualified_DNS_name>
Set the DNS name of the server.
trace
Go to the Trace menu. To view the menu options, see page 602.
ssl
Go to the SSL settings menu. To view the menu options, see page 603.
tcp
Go to the TCP endpoint settings menu. To view the menu options, see page 605.
http
Go to the HTTP settings menu. To view the menu options, see page 606.
proxymap
Go to the Intranet Proxy configuration menu. To view the menu options, see page 608.
portal
Go to the Portal menu. To view the menu options, see page 609.
adv
Go to the Advanced settings menu.To view the menu options, see page 609.
ena enable|disable
Enable the VPN server.
dis enable|disable
Disable the VPN server.
/ssl/cfg/vpn/server/trace
SSL VPN Configuration Server Traffic Trace Menu
[Trace Menu]
ssldump - Create traffic dump
tcpdump - Create traffic dump
ping - Ping through backend interface
dnslookup - Lookup a name in DNS through backend interface
traceroute - traceroute through backend interface
Table 11-58 SSL VPN Configuration Server Traffic Trace Menu Options
Command Syntax and Usage
ssldump
Create an SSL traffic dump. See the tcpdump documentation for a desription of the patterns that
are allowed. (http://www.tcpdump.org/tcpdump_man.html).
Table 11-58 SSL VPN Configuration Server Traffic Trace Menu Options
Command Syntax and Usage
standalone on|off
Create a TCP traffic dump. See the tcpdump documentation for a desription of the patterns that are
allowed. (http://www.tcpdump.org/tcpdump_man.html)
traceroute - traceroute through backend interface
ping <hostname>
Ping through the backend interface.
dnslookup <hostname>
Lookup a name in DNS through the backend interface.
traceroute
Traceroute through backend interface. Use this command to identify the route used for station-to-
station connectivity across the network.
/ssl/cfg/vpn/server/ssl
SSL VPN Configuration Server SSL Settings Menu
[SSL Settings Menu]
cert - Set server certificate
cachesize - Set SSL cache size
cachettl - Set SSL cache timeout
cacerts - Set list of accepted signers of client certificates
cachain - Set list of CA chain certificates
protocol - Set protocol version
ciphers - Set cipher list
verify - Set certificate verification level
ena - Enable SSL
dis - Disable SSL
Table 11-59 SSL VPN Configuration Server SSL Settings Menu Options
Command Syntax and Usage
cachettl <integer>
Set the SSL cache timeout (in minutes).
Table 11-59 SSL VPN Configuration Server SSL Settings Menu Options
Command Syntax and Usage
cacerts <certificate_numbers>
Set the list of accepted signers of client certificates. If more than one, use a comma to separate the
entries.
cachain <certificate_numbers>
Set the list of CA chain certificates. If more than one, use a comma to separate the entries.
protocol ssl2|ssl3|ssl23|tls1
Set the protocol version.
ciphers
Set the cipher list. The cipher list consists of one or more cipher strings separated by colons (e.g.
SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g.
SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms).
Each cipher string can be optionally preceded by the characters !, - or +:
! permanently delets the ciphers from the list (e.g. !RSA).
- deletes the ciphers from the list, but the ciphers can be added again by later options.
+ moves the ciphers to the end of the list. This option does not add any new ciphers.
Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption
algorithm key length.
verify none|optional
Set the certificate verification level.
ena enable|disable
Enable SSL.
dis enable|disable
Disable SSL.
/ssl/cfg/vpn/server/tcp
SSL VPN Configuration Server TCP endpoint Settings
Menu
[TCP Settings Menu]
cwrite - Set client TCP write timeout
ckeep - Set client TCP keep alive timeout
skeep - Set socks client TCP keep alive heartbeat timeout
swrite - Set server TCP write timeout
sconnect - Set server TCP connect timeout
csendbuf - Set client TCP send buffer size
crecbuf - Set client TCP receive buffer size
ssendbuf - Set server TCP send buffer size
srecbuf - Set server TCP receive buffer size
Table 11-60 SSL VPN Configuration Server TCP endpoint settings Menu Options
Command Syntax and Usage
/ssl/cfg/vpn/server/http
SSL VPN Configuration Server HTTP Settings Menu
[HTTP Settings Menu]
downstatus - Set server down reply status
rewrite - SSL triggered rewrite menu
securecook - Set add secure option to session cookie
sslheader - Add SSL header
sslxheader - Add SSL header with serial in hex
sslsidhead - Add SSL SID header
addxfor - Add X-Forwarded-For header
addvia - Add Via header
addxisd - Add HTTP-X-ISD debug header
addclicert - Add Client-Cert as a HTTP header
addnostore - Add no-cache/no-store HTTP header
allowimage - Allow image caching
allowdoc - Allow document caching
allowscrip - Set allow script caching
allowica - Allow ICA file caching
cmsie - Set MSIE session termination bug workaround
maxrcount - Set max number of persistant client requests
maxline - Set max line length
Table 11-61 SSL VPN Configuration Server HTTP settings Menu Options
Command Syntax and Usage
downstatus unavailable|redirect|reset
Set the server down reply status.
rewrite on|off
Go to the SSl triggered Rewrite menu. To view the menu options, see page 607.
securecook on|off
Set the “add secure” option for the session cookie.
sslheader on|off
Add an SSL session ID header.
sslxheader on|off
Add an SSL header with serial number in hexadecimal.
sslsidhead on|off
Add an SSL SID header.
addxfor on|off|anonymous|remove
Add X-Forwarded-For header.
Table 11-61 SSL VPN Configuration Server HTTP settings Menu Options
Command Syntax and Usage
addvia on|off|anonymous|remove
Set VIA header
addxisd on|off
Set HTTP-X-ISD debug header.
addclicert on|off
Set Client-Cert as a HTTP header.
adddnostore on|off
Set no-cache/no-store HTTP header.
allowimage on|off
Set image caching.
allowdoc on|off
Set document caching
allowscrip on|off
Set allow script caching.
allowica on|off
Set ICA file caching.
cmsie on|off
Set MSIE session termination bug workaround.
maxrcount <integer>
Set max number of persistant client requests.
maxline <integer>
Set the maximum line length.
/ssl/cfg/vpn/server/http/rewrite
SSL VPN Configuration Server SSL triggered rewrite
Menu
[Rewrite Menu]
rewrite - Set SSL triggered rewrite
ciphers - Set accepted ciphers
response - Set source of response
URI - Set URI with the weak cipher alert
Table 11-62 SSL VPN Configuration Server SSL triggered rewrite Menu Options
Command Syntax and Usage
rewrite on|off
Set SSL triggered rewrite. For step-up certificates we recommend ALL:-RC2:-
SHA1:@STRENGTH
ciphers <string>
Set the accepted ciphers. The cipher list consists of one or more cipher strings separated by colons
(e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g.
SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms).
Each cipher string can be optionally preceded by the characters !, - or +:
! permanently delets the ciphers from the list (e.g. !RSA).
- deletes the ciphers from the list, but the ciphers can be added again by later options.
+ moves the ciphers to the end of the list. This option doesn't add any new ciphers it just moves
matching existing ones.
Additionally the cipher string @STRENGTH sorts the current cipher list in order of encryption
algorithm key length.
response iSD|WebServer
Set the source of response.
/ssl/cfg/vpn/server/proxymap
SSL VPN Configuration Server Intranet Proxy settings
Menu
The PROXY menu is not available for type portal and socks servers.
Table 11-63 SSL VPN Configuration Server Intranet Proxy settings Menu Options
Command Syntax and Usage
list
List all of the server Intranet Proxy settings.
Table 11-63 SSL VPN Configuration Server Intranet Proxy settings Menu Options
Command Syntax and Usage
del <Proxy_server_name>
Delete the Intranet Proxy server.
ssl/cfg/vpn/server/portal
SSL VPN Configuration Server Portal settings Menu
[Portal Settings Menu]
resetcooki - Set Re-Set session cookie in each request
domain - Set cookie domain
persistent - Set use persistent session cookies
Table 11-64 SSL VPN Configuration Server Portal settings Menu Options
Command Syntax and Usage
resetcoolki on|off
Set the Reset session cookie in each request.
domain <domain_name>
Set the cookie domain name for the portal.
persistent on|off
Set the use of persistent session cookies.
ssl/cfg/vpn/server/adv
SSL VPN Configuration Server Advanced Menu
[Advanced Settings Menu]
traflog - UDP syslog Traffic Log menu
sslconnect - SSL connect menu
traflog <IP_address>
Go to the UDP syslog Traffic Log menu. To view the menu options, see page 610.
sslconnect on|off
Go to the SSL Connect menu. To view the menu options, see page 611.
ssl/cfg/vpn/server/adv/traflog
SSL VPN Configuration Server UDP Syslog Traffic Log
Menu
[Traffic Log Settings Menu]
sysloghost - Set syslog host IP
udpport - Set syslog portnumber
priority - Set syslog priority
facility - Set syslog facility
ena - Enable traffic UDP syslog logging
dis - Disable traffic UDP syslog logging
Table 11-66 SSL VPN Configuration Server UDP Syslog Traffic Log Menu
Options
Command Syntax and Usage
sysloghost <IP_address>
Set the IP address of the VPN.
udpport <UDP_port_number>
Set the standalone mode.
priority <syslog_name>
Set the syslog priority.
facility <string>
Set the syslog facility.
ena enable|disable
Enable traffic UDP syslog messaging.
dis
Disable traffic UDP syslog messaging.
ssl/cfg/vpn/server/adv/sslconnect
SSL VPN Configuration Server SSL Connect Menu
[SSL Connect Settings Menu]
protocol - Set protocol version
cert - Set client certificate
ciphers - Set accepted ciphers for ssl connect
verify - Verify server menu
Table 11-67 SSL VPN Configuration Server UDP Syslog Traffic Log Menu
Options
Command Syntax and Usage
protocol ssl2|ssl3|ssl23|tls1
Set the Protocol version.
ciphers
Set the accepted ciphers for SSL connection. The cipher list consists of one or more cipher strings
separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical
and operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES
algorithms).
Each cipher string can be optionally preceded by the characters !, - or +.
! permanently delets the ciphers from the list (e.g. !RSA).
- deletes the ciphers from the list, but the ciphers can be added again by later options.
+ moves the ciphers to the end of the list.
Additionally the cipher string @STRENGTH sorts the current cipher list in order of encryption
algorithm key length.
verify
Go to the Verify server menu. To view the menu options, see page 612.
ssl/cfg/vpn/server/adv/sslconnect/
verify
SSL VPN Configuration Server SSL Connect verify
Server Menu
[SSL Connect Verify Settings Menu]
verify - Set certificate verification level
commonname - Set server common name
cacerts - Set list of accepted signers server's certificate
Table 11-68 SSL VPN Configuration Server SSL Connect Verify Server Menu
Options
Command Syntax and Usage
verify none|verify
Set the Certicate Verication level.
commonname <string>
Set the server common name.
cacerts <certicate_numbers>
Set the list of accepted signers for each server certificate. If more than one, use a comma to sepa-
rate each entry.
/ssl/cfg/vpn/ipsec
SSL VPN Configuration IPsec Server Menu
[IPsec Menu]
ena - Enable IPsec
dis - Disable IPsec
quick - Quick IPsec setup wizard
ikeprof - IKE profile
utunprof - User tunnel profile
cacerts - Set list of accepted signers of clients certificate
cert - Set server certificate
ena [enable|disable]
Enable IPsec.
dis [enable|disable]
Disable IPsec.
quick
Use the Quick IPsec setup wizard. For example:
SSL >> IPsec# quick
Do you want to use IPsec Group login? (yes/no) [no]: n
Lower IP address in pool range: 0.0.0.0
Upper IP address in pool range: 1.1.1.1
Enabled IPsec
Creating IKE Profile 1
Name: vpn_1_1
Creating User Tunnel Profile 1
Name: vpn_1_1
You should create a AAA group for the user tunnel profile
Enabled Pool
Use apply to activate the changes
ikeprof
Go to the IKE profile menu.
utunprof
Set the User tunnel profile.
cacerts
Set the list of accepted signers of clients certificate.
cert
Set the server certicate.
/ssl/cfg/vpn/ipsec/ikeprof
SSL VPN Configuration IPsec Server IKE Profile Menu
[IKE Profile 1 Menu]
name - Set IKE profile name
del - Remove IKE Profile
enc - Encryption mask menu
dh - Diffie-Hellman group mask menu
pfs - Enable Perfect Forward Secrecy
initcontac - Accept ISAKMP initial contact payload
rekeytime - Set rekey time limit
rekeytraf - Set rekey traffic limit
retransmit - Set ISAKMP retransmit interval
maxretrans - Set ISAKMP max attempts retransmits
replaywins - Set replay window size
nat - NAT menu
deadpeer - Dead peer menu
Table 11-70 SSL VPN Configuration IPSEC Server IKE Profile Menu Options
Command Syntax and Usage
name <string>
Set the IKE profile name.
del <IKE_profile_name>
Disable IPsec.
enc
Go to the Encryption mask menu.To view the menu options, see page 615.
dh
Go to the Diffie_Hellman group mask menu. To view the menu options, see page 616.
pfs on|off
Enable Perfect Forward Secrecy.
initcontac on|off
Accept ISAKMP intitial contact payload.
rekeytime <integer>
Set the rekey time limit, in seconds.
rekeytraf <integer>
Set rekey traffic limit, in KBytes.
retransmit <integer>
Set ISAKMP retransmit limit, in seconds.
Table 11-70 SSL VPN Configuration IPSEC Server IKE Profile Menu Options
Command Syntax and Usage
maxretrans <integer>
Set the maximum ISAKMP attempts to retransmit.
replaywins <integer>
Set replay window size.
nat
Go to the NAT menu.To view the menu options, see page 617.
deadpeer
Go to the Dead Peer menu.To view the menu options, see page 617.
/ssl/cfg/vpn/ipsec/ikeprof/enc
SSL VPN Configuration IPsec Server IKE Profile Encryp-
tion Menu
[Encryption Menu]
hmac_md5 - Set HMAC with MD5
hmac_sha - Set HMAC with SHA
null_md5 - Set NULL with MD5
null_sha - Set NULL with SHA
des_md5 - Set DES with MD5
des_sha - Set DES with SHA
3des_md5 - Set 3DES with MD5
3des_sha - Set 3DES with SHA
aes_128_sh - Set 128 bits AES with SHA
Table 11-71 SSL VPN Configuration IPSEC Server IKE Profile Encryption Menu
Options
Command Syntax and Usage
hmac_md5 on|off
Set HMAC with MD5.
hmac_sha on|off
Set HMAC with SHA.
null_md5 on|off
Set NULL with MD5.
null_sha on|off
Set NULL with SHA.
Table 11-71 SSL VPN Configuration IPSEC Server IKE Profile Encryption Menu
Options
Command Syntax and Usage
des_md5 on|off
Set DES with MD5.
des_sha on|off
Set DES with SHA.
3des_md5 on|off
Set 3DES with MD5.
3des_sha on|off
Set 3DES with SHA.
aes_128_sh on|off
Set 128 bits AES with SHA.
/ssl/cfg/vpn/ipsec/ikeprof/dh
SSL VPN Configuration IPsec Server IKE Profile Diffie-
Hellman Group Mask Menu
[Diffie-Hellman Group Menu]
dh1 - Set Diffie-Hellman group 1
dh2 - Set Diffie-Hellman group 2
dh5 - Set Diffie-Hellman group 5
Table 11-72 SSL VPN Configuration IPSEC Server IKE Profile Diffie-Hellman
Group Mask Menu Options
Command Syntax and Usage
dh1 on|off
Set Diffie_Hellman group 1.
dh2 on|off
Set Diffie_Hellman group 2.
dh5 on|off
Set Diffie_Hellman group 5.
/ssl/cfg/vpn/ipsec/ikeprof/NAT
SSL VPN Configuration IPsec Server IKE Profile NAT
Menu
[NAT Menu]
natdetect - Set ESP UDP NAT detect
timeout - Set detect timeout
keepalive - Set keepalive timeout
Table 11-73 SSL VPN Configuration IPSEC Server IKE Profile NAT Menu
Options
Command Syntax and Usage
natdetect disabled|auto|ipsec_capable|use_udp_encap
Set ESP UDP detection.
timeout <integer>
Set the detection timeout, in seconds.
keepalive <integer>
Set the keepalive timeout, in seconds.
/ssl/cfg/vpn/ipsec/ikeprof/deadpeer
SSL VPN Configuration IPsec Server IKE Profile Dead
Peer Menu
[Dead Peer Menu]
ena - Enable dead peer detection
dis - Disable dead peer detection
interval - Set detect interval
retransmit - Set max retransmissions
Table 11-74 SSL VPN Configuration IPSEC Server IKE Profile Dead Peer Menu
Options
Command Syntax and Usage
ena [enable|disable]
Enable dead peer detection.
dis [enable|disable]
Disable dead peer detection.
Table 11-74 SSL VPN Configuration IPSEC Server IKE Profile Dead Peer Menu
Options
Command Syntax and Usage
interval <integer>
Set the detection interval, in seconds.
retransmit <integer>
Set the maximum number retransmissions.
/ssl/cfg/vpn/ippool
SSL VPN Configuration IP Pool Menu
[Pool Menu]
ena - Enable pool
dis - Disable pool
lowerip - Set lower IP in pool range
upperip - Set upper IP in pool range
proxyarp - Set proxy arp on clean side interfaces
info - Print alloc info for this VPN
ena enable|disable
Enable the IP Pool.
dis enable|disable
Disable the IP Pool.
lowerip <lower_IP_address>
Set the lower IP address in the pool range.
upperip <upper_IP_address>
Set the upper IP address in the pool range.
proxyarp on|off|all
Set proxy ARP on clean side interfaces.
info
Display all of the IP Pool configuration information.
/ssl/cfg/vpn/portal
SSL VPN Configuration Portal Menu
[Portal Menu]
import - Import banner image gif
restore - Restores default Nortel banner
banner - Show installed banner file
redirect - Set redirect URL
logintext - Set static text on login page
iconmode - Set Home tab icon mode
linktext - Set static text on link page
linkurl - Set url input field on link page
linkcols - Set number of columns on home tab
linkwidth - Set width of link columns on home tab
companynam - Set company name used on portal pages
colors - Portal colors menu
faccess - Full Access menu
lang - Portal language menu
wiper - Set use ActiveX component for clearing cache
ieclear - Set use IE ClearAuthCache
whitelist - White-list settings menu
citrix - Set Citrix support
restore
Restores default Nortel banner.
banner
Show installed banner file.
redirect <URL>
Set redirect URL.
logintext
Set static text on login page. Write or paste the text to show up in the Login window, press Enter to
create a new line, and then type "..." (without the quotation marks) to terminate.
iconmode clean|fancy
Set Home tab icon mode.
linktext [<string>]
Set static text on link page. Write or paste the text, press Enter to create a new line, and then type
"..." (without the quotation marks) to terminate.
linkurl on|off
Set URL input field on link page.
linkcols [<integer>]
Set number of columns on home tab. Four can be considered a practical maximum.
companynam [<string>]
Set company name used on portal pages.
colors
Go to the Portal Colors menu.To view the menu options, see page 621.
faccess
Go to the Full Access menu. To view the menu options, see page 621.
lang
Go to the Portal language menu. To view the menu options, see page 622.
wiper [on|off]
Set use ActiveX component for clearing cache.
ieclear [on|off]
Set use IE ClearAuthCache.
whitelist
Go to the White-list settings menu. To view the menu options, see page 623.
citrix [on|off]
Set Citrix support.
/ssl/cfg/vpn/portal/colors
SSL VPN Configuration Portal Colors Menu
[Portal Colors Menu]
color1 - Set portal color 1
color2 - Set portal color 2
color3 - Set portal color 3
color4 - Set portal color 4
theme - Color theme
color1 [<HTML_color_syntax>]
Set Portal color 1. For example, #003399 for blue.
color2 [<HTML_color_syntax>]
Set Portal color 2.
color3 [<HTML_color_syntax>]
Set Portal color 3.
color4 [<HTML_color_syntax>]
Set Portal color 4.
theme [default|aqua|apple|jeans|cinnamon|candy]
Set the color theme.
/ssl/cfg/vpn/portal/faccess
SSL VPN Configuration Portal Full Access Menu
[Full Access Menu]
ena - Enable 'Full Access' tab
dis - Disable 'Full Access' tab
ipsecmode - Set IPSEC Mode
contip - Set Contivity IP address
contid - Set Contivity group ID
contpass - Set Contivity group password
portalmsg - Set text in 'Full Access' portal tab
appletmsg - Set text in 'Full Access' Applet window
Table 11-78 SSL VPN Configuration Portal Full Access Menu Options
Command Syntax and Usage
ena [enable|disable]
Enable 'Full Access' tab.
dis [enable|disable]
Disable 'Full Access' tab.
ipsecmode [contivity|native]
Set the IPSEC Mode.
contip [<IP_address>]
Set Contivity IP address.
contid [<string>]
Set the Contivity group ID.
contpass [<string>]
Set a Contivity group password.
portalmsg
Set text in 'Full Access' portal tab. Write or paste the text to show up in the Full Access Portal win-
dow, press Enter to create a new line, and then type "..." (without the quotation marks) to termi-
nate.
appletmsg
Set text in 'Full Access' Applet window. Write or paste text to show up in the Full Access Applet
window, press Enter to create a new line, and then type "..." (without the quotation marks) to termi-
nate. If you *only* enter "..." a default text will be generated.
/ssl/cfg/vpn/portal/lang
SSL VPN Configuration Portal Language Menu
[Portal Language Menu]
setlang - Set the language to be used in the portal
charset - Print charset in use
list - List supported languages
charset on|off
Display the current character set. For example:
Charset = iso-8859-1
list
Display all of the pre-defined languages.
/ssl/cfg/vpn/portal/whitelist
SSL VPN Configuration Portal Whitelist settings Menu
[White-list Settings Menu]
domains - Configure white-list domains
ena - Enable URL rewrite white-list
dis - Disable URL rewrite white-list
Table 11-80 SSL VPN Configuration Portal Whitelist settings Menu Options
Command Syntax and Usage
domains
Go to the Domains menu. To view the menu options, see page 623.
ena [enable|disable]
Enable URL re-write whitelist.
dis [enable|disable]
Disable URL re-write whitelist.
/ssl/cfg/vpn/portal/whitelist/
domains
SSL VPN Configuration Portal Whitelist settings
Domains Menu
[White-list menu Menu]
list - List all values
del - Delete a value by number
add - Add a new value
Table 11-81 SSL VPN Configuration Portal Whitelist settings Domains Menu
Options
Command Syntax and Usage
list
Go to the Domains menu. To view the menu options, see page 621.
del [<index>]
Delete a value.
add [<domain_name>]
Add a domain.
/ssl/cfg/vpn/linkset
SSL VPN Configuration Linkset Menu
To enter the /ssl/cfg/vpn/linkset menu level, you are prompted to create a linkset if one does
not already exist.
------------------------------------------------------------
[Linkset 1 Menu]
name - Set linkset name
text - Set linkset text
autorun - Set autorun support
link - Link menu
del - Remove tunnel
name <string>
Set the linkset name.
text [<text_type>]
Set the text type. In the current release, only HTML is available (default).
autorun [true|false>]
Set the autorun linkset option.
link
Go to the Link menu. To view the menu options, see page 625.
del [<linkset_number>]
Remove the linkset.
/ssl/cfg/vpn/linkset/link
SSL VPN Configuration Linkset Link Menu
To enter the /ssl/cfg/vpn/linkset/link menu level, you are prompted to create a link if one does
not already exist.
------------------------------------------------------------
[Link 1 Menu]
move - Move link
text - Set link text
type - Set link type
internal - Internal settings menu
del - Remove link
move [<link_number>]
Move the link.
text [<link_name>]
Set the name of the link.
type [link_type>]
Set the link type. See the list of link types on page 625.
internal
Go to the Internal link menu. To view the menu options, see page 626.
del [<link_number>]
Remove the link.
/ssl/cfg/vpn/linkset/link/internal
SSL VPN Configuration Linkset Link Internal Setting
Menu
[Internal menu Menu]
quick - Quick internal link wizard
Table 11-84 SSL VPN Configuration Linkset Link Internal Settings Menu Options
Command Syntax and Usage
quick
Configure the link using the internal link wizard. For example:
SSL >> Internal menu# quick
Enter method (http/https): http
Enter host (eg inside.company.com): NoTel.ca
Enter path (eg /): /
/ssl/cfg/vpn/sslclient
SSL VPN Configuration SSL Client Menu
[SSL VPN Client Menu]
netdirect - Allow Netdirect client
xmlconfig - Set XML client configuration
netdirect [on|off]
Allow a Netdirect VPN client.
xmlconfig
Set the XML client configuration. Write or paste the text, press Enter to create a new line, and then
type "..."(without the quotation marks) to terminate.
/ssl/cfg/vpn/adv
SSL VPN Configuration Advanced Menu
[Advanced Menu]
interface - Set backend interface used by VPN
dns - DNS settings menu
log - Set log settings
interface [<backend_interface_number>]
Set the backend interface.
dns
Go to the DNS settings menu. To view the menu options, see page 627.
log [all|login|http|portal|reject|socks]
Set the log option.
/ssl/cfg/vpn/adv/dns
SSL VPN Configuration Advanced DNS settings Menu
[DNS Settings Menu]
search - Set DNS search list
search [<domain_names>]
Set the domain search list. If more than one domain, use a comma to separate each entry.
/ssl/cfg/sys
SSL Configuration System Menu
[System Menu]
mip - Set management IP (MIP) address
host - iSD host menu
routes - Routes menu
time - Date and time menu
dns - DNS settings
rsa - RSA Servers
syslog - Syslog servers menu
accesslist - Access list menu
adm - Administrative applications menu
user - User Access Control menu
distrace - Disable tracing with tcpdump/ssldump
mip [<IP_address>]
Set the management IP (MIP) address.
host
Go to the Host menu. To view menu options, see page 629.
routes
Go to the Routes menu. To view menu options, see page 630.
time
Go to the Time menu. To view menu options, see page 634.
dns
Go to the Time menu. To view menu options, see page 634.
rsa
Go to the RSA server menu. To view menu options, see page 636.
syslog
Go to the RSA server menu. To view menu options, see page 636.
accesslist
Go to the Access List menu. To view menu options, see page 637.
adm
Go to the Administrative Applcations menu.To view menu options, see page 638.
user
Go to the Administrative Applcations menu.To view menu options, see page 647.
distrace [yes|no]
Deactivate trace. Trace cannot be reactivated during the session.
/ssl/cfg/sys/host
SSL Configuration System Host Menu
[iSD Host 1 Menu]
type - Set type of the iSD
ip - Set IP address
license - Set License
gateway - Set default gateway address
routes - Routes menu
interface - iSD host interface menu
port - iSD port configuration menu
ports - Display physical ports
hwplatform - Display hardware platform
halt - Halt the iSD
reboot - Reboot the iSD
delete - Remove iSD Host
type [master|slave]
Set the iSD type.
ip [<IP_address>]
Set the IP address of the host.
license [<string>]
Enter or paste the host license information. Paste the license, press Enter to create a new line, and
then type "..." (without the quotation marks) to terminate..
gateway [<IP_address>]
Set default gateway address.
routes
Go to the Routes menu. To view menu options, see page 633.
interface
Go to the iSD host interface menu. To view menu options, see page 631.
port
Go to the iSD port configuration menu. To view menu options, see page 632.
ports
Display the number of physical ports.
hwplatform
Display hardware platform.
halt [yes|no]
Halt the iSD platform.
reboot [yes|no]
Reboot the iSD.
delete [<hostname>]
Remove iSD Host.
/ssl/cfg/sys/host/routes
SSL Configuration System Host Routes Menu
[Host Routes Menu]
list - List all values
del - Delete a value by number
add - Add a new value
list
List all host routes.
del [<route_number>]
Delete a route by its number.
/ssl/cfg/sys/host/interface
SSL Configuration System Host Menu
[Host Interface 1 Menu]
ip - Set IP address
netmask - Set network mask
gateway - Set default gateway address
routes - Routes menu
vlanid - Set VLAN tag id
mode - Set mode
ports - Interface ports menu
primary - Set primary port
delete - Remove Host Interface
ip [<IP_address>]
Set the host inteface IP address.
netmask [<IP_address>]
Set the inteface netmask.
gateway [<IP_address>]
Set the Gateway IP address.
routes
Go to the Routes menu. To view menu options, see page 632.
vlanid [<integer>]
Set the VLAN tag ID.
mode [failover|trunking]
Set the interface mode.
ports
Go to the Ports menu. To view menu options, see page 633.
primary [<port_number>]
Set the Primary port.
delete [<interafce_hostname>]
Delete the interface.
/ssl/cfg/sys/host/interface/routes
SSL Configuration System Host Interface Routes Menu
[Host Interface Routes Menu]
list - List all values
del - Delete a value by number
add - Add a new value
list
List all of the configured interface routes.
del [<route_number>]
Delete an interface route.
/ssl/cfg/sys/host/port
SSL Configuration System Host Port Menu
[Host Port 1 Menu]
autoneg - Set autonegotiation
speed - Set Speed
mode - Set full or half duplex mode
/ssl/cfg/sys/routes
SSL Configuration System Menu
[Routes Menu]
list - List all values
del - Delete a value by number
add - Add a new value
list
List all of the configured routes.
del [<route_number>]
Delete a route. This command removes the specified static route from the system configuration.
Use the list command to display the index numbers of all added static routes.
/ssl/cfg/sys/time
SSL Configuration System Time Menu
[Date and Time Menu]
date - Set system date
time - Set system time
tzone - Set Timezone
ntp - Configure NTP servers
date [YYYY-MM-DD]
Enter the date.
time [HH:MM:SS]
Set the time, using a 24-hour clock scheme.
ntp
Configure NTP servers. To view menu options, see page 634.
/ssl/cfg/sys/time/ntp
SSL Configuration System Time NTP servers Menu
[NTP Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
Table 11-96 SSL Configuration System Time NTP Servers Menu Options
Command Syntax and Usage
list
List the configured NTP servers.
del [<NTP_server>]
Delete the NTP server. Removes the specified NTP server from the system configuration. Use the
list command to display the index numbers of all added NTP servers..
add [<IP_address>]
Add an NTP server. Adds an NTP server to the system configuration. The NTP server you add is
used by the NTP client on the iSD to synchronize its clock. NTP should have access to a number of
servers (at least three) in order to compensate for any discrepancies in the servers.
/ssl/cfg/sys/dns
SSL Configuration System DNS settings Menu
[DNS Settings Menu]
servers - DNS servers menu
cachesize - Set Local DNS cache size
retransmit - Set DNS Retransmit interval timer
count - Set DNS Retransmit counter
ttl - Set Max TTL
health - Set Health check interval
hdown - Set Health check down counter
hup - Set Health check up counter
servers
Go to the DNS Servers menu. To view menu options, see page 635.
cachesize [<integer>]
Set the DNS cache size in kBytes.
retransmit [<integer>]
Set the DNS retransmit interval timer value, in seconds.
count [<integer>]
Set the DNS Retransmit counter value.
ttl [<integer>]
Set the maximum TTL, in seconds.
health [<integer>]
Set Health check interval.
hdown [<integer>]
Set Health check down counter
hup [<integer>]
Set Health check up counter
sl/cfg/sys/dns/servers
SSL Configuration System DNS Servers settings Menu
[DNS Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
list
List all of the DNS server settings.
del <DNS_server_name>
Delete the DNS server.
add <ip_address>
Add a DNS server.
/ssl/cfg/sys/rsa
SSL Configuration System RSA servers Menu
To enter the /ssl/cfg/sys/rsa menu level, you are prompted to create an RSA server if one does
not already exist.
------------------------------------------------------------
[RSA Servers 1 Menu]
rsaname - Set RSA server symbolic name
import - Import sdconf.rec file
rmnodesecr - Remove Node Secret
del - Remove RSA server
rsname <string>]
Set the RSA server symbolic name.
rmnodesecr [<node_secret_name>]
Remove a Node Secret.
del
Remove an RSA server.
/ssl/cfg/sys/syslog
SSL Configuration System SysLog Servers Menu
[Syslog Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
list
List all of the Syslog server settings.
del <Syslog_server_name>
Delete the Syslog server.
add <ip_address>
Add a Syslog server.
/ssl/cfg/sys/accesslist
SSL Configuration System Access List Menu
[Access List Menu]
list - List all values
del - Delete a value by number
add - Add a new value
list
List the accesslist values.
del [<acces_list_number>]
Delete an accesslist.
add
Add a new value to the accesslist. Adds a single machine, or a range of machines on a specific net-
work, to the access list. Only those machines listed will be allowed to access the iSD host via a
Telnet or SSH connection (assuming that Telnet or SSH connections, or both, are enabled).
/ssl/cfg/sys/adm
SSL Configuration System Administrative applications
Menu
[Administrative Applications Menu]
snmp - SNMP menu
clitimeout - Set CLI idle timeout
audit - Audit Settings Menu
auth - Authentication menu
telnet - Set telnet CLI access
ssh - Set SSH CLI access
http - HTTP access menu
https - HTTPS access menu
sshkeys - SSH host keys menu
snmp
Go to the SNMP menu. To view menu options, see page 639.
clitimeout [<integer>]
Set the CLI idle timeout value, in seconds.
audit
Go to the Audit menu. To view menu options, see page 643.
telnet
Set the telnet CLI access. Enables or disables Telnet access. When set to on and not having added
machine(s) to the access list, all Telnet connections are allowed.
When set to on and having added machine(s) to the access list, only the specified machine(s) are
allowed Telnet access.
When set to off, all Telnet connections are rejected, including connections from machine(s)
added to the access list.
The default Telnet setting is off.
ssh
Set the SSH CLI access. Enables or disables SSH access. When set to on and not having added
machine(s) to the access list, all SSH connections are allowed.
When set to on and having added machine(s) to the access list, only the specified machine(s) are
allowed SSH access.
When set to off, all SSH connections are rejected, including connections from machine(s)
added to the access list.
The default SSH setting is off.
http
Go to the HTTP access menu. To view menu options, see page 644.
https
Go to the HTTP access menu. To view menu options, see page 645.
sshkeys
Go to the HTTP access menu. To view menu options, see page 646.
/ssl/cfg/sys/adm/snmp
SSL Configuration System Administrative applications
SNMP Menu
[SNMP Menu]
ena - Enable SNMP
dis - Disable SNMP
versions - Set SNMP versions supported
snmpv2-mib - SNMPv2-MIB menu
community - SNMP community menu
users - SNMP USM Users Menu
target - Notification target menu
ena [true|false]
Enable SNMP.
dis [true|false]
Disable SNMP.
versions [<SNMP_version_number>]
Set the SNMP version, such as v1.
snmpv2-mib
Go to the SNMPv2-MIB menu.To view menu options, see page 640.
community
Go to the SNMP community menu. To view menu options, see page 640.
users
Go to the SNMP USM Users community menu. To view menu options, see page 641.
target
Go to the Notification target menu. To view menu options, see page 642.
/ssl/cfg/sys/adm/snmp/snmpv2-mib
SSL Configuration System Administrative applications
SNMPv2 MIB SNMP Menu
[SNMPv2-MIB Menu]
sysContact - Set sysContact
sysName - Set sysName
sysLocatio - Set sysLocation
snmpEnable - Set snmpEnableAuthenTraps
sysContact [<name_of_a_person>]
Set a system contact name. Designates a contact person for the managed iSD cluster, together with
information on how to contact this person.
sysLocatio [<string>]
Set the system location.
snmpEnable [<SNMP_trap_value>]
Set the snmpEnableAuthenTraps value.
/ssl/cfg/sys/adm/snmp/community
SSL Configuration System Administrative applications
SNMP Community Menu
[SNMP Community Menu]
read - Set Read Community String
write - Set Write Community String
trap - Set Trap Community String
read [<string>]
Set the Read Community String. Specifies the monitor community name that grants read access to
the Management Information Base (MIB). If no monitor community name is specified, read access
is not granted. The default monitor community name is public
write [<string>]
Set the Write Community String. Specifies the control community name that grants read and write
access to the Management Information Base (MIB). If no control community name is specified,
neither write nor read access is granted.
trap [<string>]
Set the Trap Community String. Specifies the trap community name that accompanies trap mes-
sages sent to the SNMP manager. If no trap community name is specified, the sending of trap mes-
sages is disabled.
The default trap community name is trap
/ssl/cfg/sys/adm/snmp/users
SSL Configuration System Administrative applications
SNMP Users Menu
To enter the /ssl/cfg/sys/adm/snmp/users menu level, you are prompted to create a userID if
one does not already exist.
------------------------------------------------------------
[SNMP User 1 Menu]
name - Set user name
seclevel - Set Security level
permission - Set Permission
authpasswd - Set Authentication Password
privpasswd - Set Encryption Password
del - Remove SNMP User
name [<string>]
Set the user name.
seclevel [none|auth|priv]
Set the user Security level.
permission [get|set|trap]
Set user Permission.
authpasswd [<string>]
Set the Authentication Password.
privpasswd [<string>]
Set the Encryption Password.
del [<SNMP_user_ID>]
Remove the SNMP User.
/ssl/cfg/sys/adm/snmp/target
SSL Configuration System Administrative applications
SNMP Target Menu
To enter the /ssl/cfg/sys/adm/snmp/target menu level, you are prompted to create a target if one
does not already exist.
------------------------------------------------------------
[Notification Target 1 Menu]
ip - Set target IP address
port - Set target port
version - Set SNMP version
del - Remove Notification Target
ip [<IP_address]
Set the target IP address.
port [<port_number]
Disable SNMP.
version [v1|v2|v3]
Set the SNMP version.
del
Delete the SNMP target.
/ssl/cfg/sys/adm/audit
SSL Configuration System Administrative applications
Audit Menu
[Audit Menu]
servers - RADIUS Servers Menu
vendorid - Set vendor id for audit attribute
vendortype - Set vendor type for audit attribute
ena - Enable Audit
dis - Disable Audit
servers
Go to the Servers menu. To view menu options, see page 644.
vendorid [<string>]
Set the vendor ID.
vendortype [<integer>]
Set the vendor type.
ena [<true|false>]
Enable Audit.
dis[<true|false>]
Disable audit.
/ssl/cfg/sys/adm/audit/servers
SSL Configuration System Administrative applications
Audit Servers Menu
[RADIUS Audit Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
list
List all of the Audit server settings.
del <Audit_server_name>
Delete the Audit server.
/ssl/cfg/sys/adm/http
SSL Configuration System Administrative applications
HTTP Menu
[HTTP Menu]
port - Set HTTP Server port
ena - Enable server
dis - Disable server
port [<integer>]
Set the HTTP server port.
ena [true|false]
Enable the HTTP server.
dis [true|false]
Disable the HTTP server.
/ssl/cfg/sys/adm/https
SSL Configuration System Administrative applications
HTTPS Menu
[HTTPS Menu]
port - Set HTTPS Server port
ena - Enable server
dis - Disable server
port [<integer>]
Set the HTTPS server port.
ena [true|false]
Enable the HTTPS server.
dis [true|false]
Disable the HTTPS server.
/ssl/cfg/sys/adm/sshkeys
SSL Configuration System Administrative applications
SSH Host keys Menu
[SSH Host Keys Menu]
generate - Generate new SSH host keys for the cluster
show - Show current SSH host keys for the cluster
knownhosts - SSH known host keys menu
generate [yes|no]
Generate new SSH host keys for the server cluster.
show
Show the SSH host keys for the server cluster.
knownhosts
Go to the Known Host Keys menu. To view menu options, see page 644.
/ssl/cfg/sys/adm/sshkeys/knownhosts
SSL Configuration System Administrative applications
SSH Known Host keys Menu
[SSH Known Host Keys Menu]
list - List known SSH keys of remote hosts
del - Delete known SSH host key by index
add - Add a new SSH host key
import - Retrieve SSH key from remote host
list [yes|no]
Display the known SSH keys of remote hosts.
del [<hostkey_name>]
Delete a host key.
add
Add a new SSH host key. Paste the key, press Enter to create a new line, and then type "..." (with-
out the quotation marks) to terminate
import [<hostname_or_IP_address>]
Retrieve an SSH key from a remote host.
/ssl/cfg/sys/user
SSL Configuration System Menu
[User Menu]
passwd - Change own password
expire - Set password expire time interval
list - List all users
del - Delete a user
add - Add a new user
edit - Edit a user menu
caphrase - Certadmin export passphrase
passwd
Change your current login password. The password can contain spaces and is case respective.
expire [DDdHHhMMmSS]
Set the password expiry time and date.
list
List all user accounts.
del
Delete a user ID. Removes the specified user account from the system. Of the three built-in users
(admin, oper, and root) only the oper user can be deleted. Only users with Administrator rights can
delete user accounts.
add [<string>]
Add a new user ID. After a user account is added, you must also assign the user account to a group.
Only users with Administrator rights can add user accounts.
edit
Go to the Edit a user menu. To view menu options, see page 648.
caphrase [<string>]
Set the Certadmin export passphrase.
/ssl/cfg/sys/user/edit
SSL Configuration System User Edit Menu
[User User_1 Menu]
groups - Groups menu
cur - Display current setting
groups
Go to theGroups menu. To view menu options, see page 551.
cur
Display the user configurations.
/ssl/cfg/sys/user/edit/groups
SSL Configuration System User Edit Menu
[Groups Menu]
list - List all values
del - Delete a value by number
add - Add a new value
Table 11-116 SSL Configuration System User Edit Groups Menu Options
Command Syntax and Usage
list
List all of the user groups information.
del [<user_group_name>]
Delete a user group.
/ssl/cfg/lang
SSL Configuration Language Support Menu
[Language Support Menu]
import - Import language definition file
export - Export language definition template
list - List the loaded languages
vlist - List ISO 639 language codes
del - Delete (custom) language definition
list [<language_number>]
List the pre-defined languages that have been loaded.
vlist [<language_shortform>]
List the ISO 639 language codes. If a language_shortform argument is used (e.g., en for English),
all of the codes that contain the argument characters are listed.
del [<language_deinition_filename>]
Delete a language definition.
/ssl/boot
SSL Boot Menu
[Boot Menu]
software - Software management menu
halt - Halt the iSD
reboot - Reboot the iSD
delete - Delete the iSD
software
Go to Software Management menu. To view menu options, see page 651.
halt
Halt the iSD. The command stops the particular iSD host to which you have connected by Telnet,
SSH, or a console connection. Always use this command before turning off the device.
If you are connected by Telnet or SSH to the Management IP address (MIP), use the halt command
in the iSD Host menu (/cfg/sys/cluster/host #) instead.
reboot
Reboot the iSD. The command reboots the particular iSD host to which you have connected by
Telnet, SSH or a console connection. If you are connected by Telnet or SSH to the Management IP
address (MIP), use the reboot command in the iSD Host menu (/cfg/sys/cluster/host #) instead.
delete
Delete an iSD host. Resets the particular iSD host to which you have connected via Telnet, SSH, or
a console connection, to its factory default configuration (all IP configuration is lost). The software
itself will remain intact.
After having performed a delete, you can only access the device via a console connection. Log in
as the admin user with the admin password to enter the Setup menu.
NOTE – Note: If you receive a warning that the iSD you are trying to delete has no con-
tact with any (other) master iSD in the cluster, connect to the MIP address by Telnet or
SSH and delete the iSD from the cluster by using the delete command in the iSD Host
menu (/cfg/sys/cluster/host #).
The /boot/delete command is primarily intended for situations when you want to delete an iSD host
that has either become isolated from the cluster, or has been physically removed from the cluster
without first performing the delete command from the iSD Host menu. Under these circumstances,
you must use the /boot/delete command to present the Setup menu, from which you can perform
the new and join commands.
/ssl/boot/software
SSL Performance Menu
[Software Management Menu]
cur - Display current software status
activate - Select software version to run
download - Download new software pkg. via TFTP/FTP/SCP/SFTP
del - Remove unpacked/old releases
cur
Display the current software status. For example:
SSL >> Software Management# cur
Version Name Status
------- ---- ------
4.1.1.11 SSL old
5.0.0.34 SSL permanent
activate [<software_version>]
Select the software version to run.
del [<software_version>]
Remove old software releases. Removes a software upgrade package that has been downloaded by
using the tftp or ftp command, in case you do not want to activate the unpacked software upgrade
package.
Only software versions whose status is indicated as unpacked (using the cur command) can be
removed.
/ssl/maint
SSL Performance Maintenance Menu
[Maintenance Menu]
hsm - HSM menu
dumplogs - Tech suppt dump log files to TFTP/FTP/SFTP server
dumpstat - Tech suppt dump curr. status to TFTP/FTP/SFTP server
chkcfg - Check applied configuration
starttrace - Start Trace
stoptrace - Stop Trace
hsm
Go to the HSM menu. To view menu options, see page 653.
dumplogs
Dump the log files. System log file information is collected from the iSD host you are connected to
(or optionally, all iSD hosts in the cluster) and sends the information to a file in the gzip com-
pressed tar format on the TFTP server you have specified. The information can then be used for
technical support purposes.
The file sent to the TFTP server does not contain any sensitive information related to the system
configuration, such as certificates, private keys, and so on.
dumpstat
Dump the current status. Th current system internal status is collected from the iSD host you are
connected to (or optionally, all iSD hosts in the cluster) and sends the information to a file in the
gzip compressed tar format on the TFTP server you have specified. The information can then be
used for technical support purposes.
stoptrace
Stop the Trace.
/ssl/maint/hsm
SSL Performance HSM Menu
The /ssl/maint/hsm menu is only available to HSM enabled iSDs.
[HSM Menu]
login - Login to HSM cards on local iSD
splitkey - Split a wrap key onto CODE iKeys
changepass - Change iKey password
splitkey
Splits the wrap key used by the hardware security module onto the two black CODE iKeys.
changepass <card number [0 | 1]> <iKey [HSM-SO | HSM-USER]> <current password for the
selected iKey> <new password for the selected iKey>
Sets the password for a HSM-SO or a HSM-USER iKey.
Where the <Thread ID> is listed as mgmt, one of the following may be shown: console,
telnet, web server, or ssh.
LOG_WARNING
FILTER “filter <filter number> fired on port <port number>, <source IP address> -> <desti-
nation IP address>, [<ICMP type>], [<IP protocol>], [<layer-4 ports>], [<TCP f1ags>]”
655
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
LOG_ALERT
stp: own BPDU received from port <port_id>
gslb: received update from <ip_address> for unknown remote server <ip_address>
gslb: received update for unknown remote server <ip_address> from <ip_address>
slb: real server failure threshold (<threshold>) has been reach for group <group_id>
syn_atk SYN attack detected: <count> new half-open sessions per second
LOG_CRIT
SYSTEM: temperature at sensor <sensor_id> exceeded threshold
LOG_ERR
mgmt: PANIC at <file>:<line> in thread <thread id>
LOG_ERR (Continued)
cli: Trunk group <trunk_id> contains no ports but is enabled
cli: Not all ports in trunk group <trunk_id> are in VLAN <vlan_id>
cli: Trunk groups <trunk_id> and <trunk_id> can not share the same port
cli: Virtual router <vr_id> must have sharing disabled when hotstandby is enabled
cli: At least one virtual router must be enabled when group is enabled
cli: Virtual router group must have sharing disabled when hotstandby is enabled
cli: Virtual router group must have preemption enabled when hotstandby is enabled
cli: Virtual router <vr_id> cannot have same VRID and VLAN as <vlan_id>
cli: Virtual router <vr_id> corresponding virtual server <server_id> is not enabled
cli: Hot-standby must be enabled when a virtual router has a PIP address
cli: Real server <server_id> has same IP address as virtual server <server_id>
cli: Real server <server_id> has same IP address as real server <server_id>
LOG_ERR (Continued)
cli: Virtual server <server_id> has same IP address as IP interface <interface_id>
cli: Virtual servers <server_id> and <server_id> with same IP address must support same layr3
configuration
cli: Real server <server_id> cannot be backup server for both real server <server_id> and
group <group_id>
cli: Virtual server <server_id> has same IP address and vport as virtual server <server_id>
cli: Switch port <port_id> has same proxy IP address as port <port_id>
cli: There must be at least one inter-switch port if any hot-standby port exist
cli: “With VMA, ports 1-8 must all have a PIP if any one does”
cli: DAM must be turned on or a PIP must be enabled for port <port_id> in order for virtual
server to support FTP parsing
cli: Real server <server_id> and group %u cannot both have backups configured
cli: DAM must be turned on or a PIP must be enabled for port <port_id> in order for virtural
server <server_id> to support URL parsing
cli: Port filtering must be disabled on port <port_id> in order to support cookie based persis-
tence for virtual server <server_id>
cli: Virtual server <server_id>: port mapping but Direct Access Mode
cli: Virtual server %lu: support nonat IP but not layer 3 bindings
cli: Virtual servers: all that support IP must use same group
cli: Virtual servers <server_id> and <server_id> that include the same real server <server_id>
cannot map the same real port or balance UDP
cli: Virtual server <server_id>: UDP service <virtual_port> with out-of-range port number
LOG_ERR (Continued)
cli: Switch cannot support more than <MAX_VIRT_SERVICES> virtual services
cli: DAM must be turned on or a PIP must be enabled for ports <port_id> in order to do URL
based redirection
cli: Direct access mode is not supported with default gateway load balancing
cli: NAT filter <filter_id> must have same smask and dmask
cli: Filter with L4 ports configured <port_id> must have IP protocol configured
cli: “For Global SLB, Web server must be moved from TCP port 80”
cli: Primary and secondary remote site <site_id> switches must differ
cli: Remote sites <site_id> and <site_id> must use different addresses
cli: Remote site <site_id> and real server <server_id> must use different addresses
cli: Remote site <site_id> and virtual server <server_id> must use different addresses
LOG_ERR (Continued)
cli: Network <static_network_id> has no VIP address
cli: Filter with ICMP types configured (<icmp_type>) must have IP protocol configure to
ICMP
cli: Loadbalance string must be added to real server <server_id> in order to enable exclusion-
ary string matching
LOG_ERR (Continued)
vrrp: Synchronization connection early RCLOSE in RX
LOG_NOTICE
system: internal power supply ok
system: temperature ok
system: fan ok
LOG_NOTICE (Continued)
mgmt: “<login_level> <""idle timeout""|""logout""> from Console”
slb: “backup group server <ip_address> <""enabled""|""disabled""> for real server group
group_id>”
slb: “overflow group server <ip_address> <""enabled""|""disabled""> for real server group
<group_id>”
LOG_INFO
SYSTEM: bootp response from <ip_address>
altroot.mib -
aosSwitch.mib
aosPhysical.mib
aosNetwork.mib
aosLayer4.mib
aosLayer7.mib
aosBwm.mib
aosTrap.mib
In addition, the following SynOptics MIBS are also supported:
Nortel Application Switch Operating System SNMP agent supports the following standard
MIBs:
RFC 1213 - MIB II (System, Interface, Address Translation, IP, ICMP, TCP, UDP, SNMP
Groups)
RFC 1573 - MIB II Extension (IFX table)
667
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
ColdStart
WarmStart
LinkDown
LinkUp
AuthenticationFailure
The SNMP agent also supports two Spanning Tree traps as defined in RFC 1493:
NewRoot
TopologyChange
The following are the enterprise SNMP traps supported in Nortel Application Switch Operat-
ing System:
altSwSlbRealServerDown Signifies that the real server is down and out of service
altSwSlbRealServerServiceDown Signifies that the service port of the real server is down
and out of service
altSwVrrpNewMaster The newMaster trap indicates that the sending agent has
transitioned to 'Master' state.
altSwVrrpNewBackup The newBackup trap indicates that the sending agent has
transitioned to 'Backup' state.
1. Using the serial cable, connect the Console port of an Nortel Application Switch to the
serial port of your PC that supports XModem/1K XModem.
2. Start hyper terminal (part of Microsoft Windows) and set the following parameters:
Parameter Value
4. Hold the <Shift> key down and hit D repeatedly until the following message appears:
671
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
5. Reconfigure your terminal emulation software with the following parameters (only after
you see the message displayed in step 4):
Parameter Value
NOTE – You can perform serial downloads at 57600 baud rate by pressing Shift f or at 115200
baud rate by pressing Shift d.
6. Press <Enter> on the key board of the PC that is connected to the console port of the
switch. When the Console Port is successfully communicating with the PC, you will see:
CCCC...
7. Make sure that the new binary firmware file is available on the computer. This file can be
downloaded from the CD that is shipped with the switch. Select <Transfer-Send File>
and choose the following:
file: For example, "21.0.0.0_Serial.img" (Or the file previously downloaded to the computer)
protocol: 1K XMODEM
NOTE – Although slower, XMODEM will work too if you choose not to use 1K MODEM.
8. Power off the switch, wait for a few seconds and power the switch on.
CAUTION—Do not power off the switch until you see the message: “Change your baud rate to
! 9600 bps and power cycle switch”, otherwise, the switch will be inoperable.
9. The switch will boot with the new software load. You should see the following sample log
on your screen:
Dport (Destination The destination port (application socket: for example, http-80/https-443/DNS-53)
Port)
NAT (Network Any time an IP address is changed from one source IP or destination IP address to another
Address Translation) address, network address translation can be said to have taken place. In general, half NAT
is when the destination IP or source IP address is changed from one address to another.
Full NAT is when both addresses are changed from one address to another. No NAT is
when neither source nor destination IP addresses are translated. Virtual server-based load
balancing uses half NAT by design, because it translates the destination IP address from
the Virtual Server IP address, to that of one of the real servers.
Preemption In VRRP, preemption will cause a Virtual Router that has a lower priority to go into
backup should a peer Virtual Router start advertising with a higher priority.
Priority In VRRP, the value given to a Virtual Router to determine its ranking with its peer(s).
Minimum value is 1 and maximum value is 254. Default is 100. A higher number will win
out for master designation.
Proto (Protocol) The protocol of a frame. Can be any value represented by a 8-bit value in the IP header
adherent to the IP specification (for example, TCP, UDP, OSPF, ICMP, and so on.)
Real Server Group A group of real servers that are associated with a Virtual Server IP address, or a filter.
673
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
Redirection or A type of load balancing that operates differently from virtual server-based load balanc-
Filter-Based Load ing. With this type of load balancing, requests are transparently intercepted and “redi-
Balancing rected” to a server group. “Transparently” means that requests are not specifically destined
for a Virtual Server IP address that the switch owns. Instead, a filter is configured in the
switch. This filter intercepts traffic based on certain IP header criteria and load balances it.
Filters can be configured to filter on the SIP/Range (via netmask), DIP/Range (via net-
mask), Protocol, SPort/Range or DPort/Range. The action on a filter can be Allow, Deny,
Redirect to a Server Group, or NAT (translation of either the source IP or destination IP
address). In redirection-based load balancing, the destination IP address is not translated to
that of one of the real servers. Therefore, redirection-based load balancing is designed to
load balance devices that normally operate transparently in your network—such as a fire-
wall, spam filter, or transparent Web cache.
RIP (Real Server) Real Server IP Address. An IP addresses that the switch load balances to when requests
are made to a Virtual Server IP address (VIP).
SPort (Source Port) The source port (application socket: for example, HTTP-80/HTTPS-443/DNS-53).
Tracking In VRRP, a method to increase the priority of a virtual router and thus master designation
(with preemption enabled). Tracking can be very valuable in an active/active configuration.
You can track the following:
Vrs: Virtual Routers in Master Mode (increments priority by 2 for each)
Ifs: Active IP interfaces on the Nortel Application Switch (increments priority by
2 for each)
Ports: Active ports on the same VLAN (increments priority by 2 for each)
l4pts: Active Layer 4 Ports, client or server designation (increments priority by 2
for each
reals: healthy real servers (increments by 2 for each healthy real server)
hsrp: HSRP announcements heard on a client designated port (increments by 10
for each)
VIP (Virtual Server IP An IP address that the switch owns and uses to load balance particular service requests
Address) (like HTTP) to other servers.
VIR (Virtual Interface A VRRP address that is an IP interface address shared between two or more virtual routers.
Router)
674 Glossary
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
Virtual Router A shared address between two devices utilizing VRRP, as defined in RFC 2338. One vir-
tual router is associated with an IP interface. This is one of the IP interfaces that the switch
is assigned. All IP interfaces on the Nortel Application Switch must be in a VLAN. If there
is more than one VLAN defined on the Nortel Application Switch, then the VRRP broad-
casts will only be sent out on the VLAN of which the associated IP interface is a member.
Virtual Server Load Classic load balancing. Requests destined for a Virtual Server IP address (VIP), which is
Balancing owned by the switch, are load balanced to a real server contained in the group associated
with the VIP. Network address translation is done back and forth, by the switch, as
requests come and go.
Frames come to the switch destined for the VIP. The switch then replaces the VIP and
with one of the real server IP addresses (RIP's), updates the relevant checksums, and for-
wards the frame to the server for which it is now destined. This process of replacing the
destination IP (VIP) with one of the real server addresses is called half NAT. If the frames
were not half NAT'ed to the address of one of the RIPs, a server would receive the frame
that was destined for it's MAC address, forcing the packet up to Layer 3. The server would
then drop the frame, since the packet would have the DIP of the VIP and not that of the
server (RIP).
VRID (Virtual Router In VRRP, a value between 1 and 255 that is used by each virtual router to create its MAC
Identifier) address and identify its peer for which it is sharing this VRRP address. The VRRP MAC
address as defined in the RFC is 00-00-5E-00-01-{VRID}. If you have a VRRP address
that two switches are sharing, then the VRID number needs to be identical on both
switches so each virtual router on each switch knows whom to share with.
VRRP (Virtual Router A protocol that acts very similarly to Cisco's proprietary HSRP address sharing protocol.
Redundancy The reason for both of these protocols is so devices have a next hop or default gateway that
Protocol) is always available. Two or more devices sharing an IP interface are either advertising or
listening for advertisements. These advertisements are sent via a broadcast message to an
address such as 224.0.0.18.
With VRRP, one switch is considered the master and the other the backup. The master is
always advertising via the broadcasts. The backup switch is always listening for the broad-
casts. Should the master stop advertising, the backup will take over ownership of the
VRRP IP and MAC addresses as defined by the specification. The switch announces this
change in ownership to the devices around it by way of a Gratuitous ARP, and advertise-
ments. If the backup switch didn't do the Gratuitous ARP the Layer 2 devices attached to
the switch would not know that the MAC address had moved in the network. For a more
detailed description, refer to RFC 2338.
VSR (Virtual Server A VRRP address that is a shared Virtual Server IP address. VSR is a Nortel proprietary
Router) extension to the VRRP specification. The switches must be able to share Virtual Server IP
addresses, as well as IP interfaces. If they didn’t, the two switches would fight for owner-
ship of the Virtual Server IP address, and the ARP tables in the devices around them
would have two ARP entries with the same IP address but different MAC addresses.
Glossary 675
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
676 Glossary
320506-A, January 2006
Index
677
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
678 Index
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
configuration cost
administrator password ................................ 293 STP information ........................................... 99
apply changes ............................................. 259 STP port option........................................... 333
default gateway interval, for health checks ..... 346 counters, No Server Available (dropped frames) .. 205,
default gateway IP address ........................... 346 228
dump command .......................................... 407 CPU statistics ............................................ 252, 254
effect on Spanning-Tree Protocol .................. 259 CPU utilization .......................................... 252, 254
Fast Ethernet .............................................. 303 cur (system option) .................................... 269, 272
flow control ....................... 305, 309, 311, 313 current bindings ......................................... 204, 227
Gigabit Ethernet ......................... 303, 307, 309
IP static route ............................................. 348 D
Layer 4 administrator password .................... 292
operating mode ........................... 305, 308, 313 date
port link speed ............................ 305, 308, 313 setup............................................................ 37
port mirroring ............................................. 315 system option ............................................. 262
port trunking .............................................. 333 debugging ......................................................... 519
route cache................................................. 350 default gateway
save changes .............................................. 260 information ................................................ 107
setup ......................................................... 406 interval, for health checks............................. 346
setup command .......................................... 403 metrics ....................................................... 396
switch IP address ........................................ 344 round robin, load balancing for ..................... 396
TACACS+ ................................................. 270 default password .................................................. 30
user password ............................................. 292 delete
view changes.............................................. 259 FDB entry .................................................. 523
VLAN default (PVID) ......... 303, 307, 309, 312 deny (filtering) .................................................. 228
VLAN IP interface ...................................... 344 designated port. ................................................. 114
VLAN tagging ................... 304, 307, 310, 312 diff (global) command, viewing changes .............. 259
VRRP ....................................................... 381 dip (destination IP address for filtering) ............... 449
configuration block direct (IP route type) .......................................... 109
active ........................................................ 515 directed broadcasts............................................. 350
backup....................................................... 515 DISABLED (port state) ........................................ 99
factory ....................................................... 515 disconnect idle timeout ......................................... 31
selection .................................................... 515 Distributed Site State Protocol (DSSP)
configuration menu ............................................ 257 setting update interval .................................. 466
configuring routing information protocol ............. 357 dmask
connecting destination mask for filtering ........................ 449
via console ................................................... 26 DNS statistics .................................................... 192
via Telnet..................................................... 27 Domain Name System (DNS)
connection timeout (Real Server Menu option) ..... 437 health checks .............................................. 427
console port downloading software ........................................ 513
communication settings ................................. 26 dropped frames (No Server Available) counter .... 205,
connecting ................................................... 26 228
serial download settings ....................... 671, 672 dump
content configuration command ............................... 407
SLB real server group option ........................ 424 maintenance ............................................... 519
contracts, bandwidth management ....................... 317 state information ......................................... 530
copper ports ...................................................... 307 duplex mode........................................................ 39
link status ....................................... 62, 78, 147
setup............................................................ 39
Index 679
320506-A, January
Nortel Application Switch Operating System 23.0.2 Command Reference
dynamic routes ...................................................525 Gigabit Ethernet Physical Link ........... 303, 307, 309
global commands................................................. 56
E global SLB maintenance statistics ....................... 209
global SLB statistics .......................................... 206
EMS,Alteon EMS ................................................46 grace
emulation software .............................................671 graceful real server failure ............................ 482
EtherChannel Greenwich ........................................................ 272
as used with port trunking .............................334 Greenwich Mean Time (GMT) ........................... 272
group ................................................................ 212
F gtcfg (TFTP load command) ............................... 408
factory configuration block .................................515
factory default configuration .....................31, 33, 34 H
Fast Ethernet Physical Link .................................303 half-duplex ......................................................... 39
Fast Ethernet, configuring ports for ......................303 hash metric ....................................................... 430
fastage ..............................................................482 health check types, SLB ..................................... 426
FDB statistics ....................................................171 health checks..................................................... 417
fiber optic ports ..................................................309 default gateway interval, retries .................... 346
File Transfer Protocol .........................................220 IDSLB....................................................... 426
filter statistics ....................................................213 layer information ........................................ 132
filtered (denied) frames ...............................205, 228 parameters for most protocols ....................... 427
filters redirection (rport) ........................................ 448
IP address ranges .........................................449 retry, number of failed health checks ............. 346
Final Steps...........................................................45 script ......................................................... 488
first-time configuration ......................... 31, 33 to 50 SNMP ............................................... 428, 490
fixed WAP ......................................................... 492
IP route tag .................................................109 hello
flag field............................................................114 STP information ........................................... 99
flow control .................................................62, 147 help .................................................................... 56
configuring .........................305, 309, 311, 313 host routes ........................................................ 358
setup ......................................................39, 40 Hot Standby Router on VLAN (HSRV)
forwarding configuration use with VLAN-tagged environment ............. 386
IP forwarding configuration ..........................350 VRRP priority increment value ..................... 396
forwarding database (FDB) .................................519 Hot Standby Router Protocol (HSRP)
delete entry .................................................523 priority increment value for L4 client ports ..... 395
Forwarding Database Information Menu ................90 use with VRRP ................................... 386, 393
Forwarding Database Menu.........................522, 535 VRRP priority increment value ..................... 395
forwarding state (FWD) ..........................92, 99, 102 Hot Standby Router VLAN (HSRV)
FTP server health checks ....................................427 use with VRRP ........................................... 393
FTP SLB maintenance statistics...........................222 hot-standby failover ........................................... 391
FTP SLB statistics dump .....................................222 HP-OpenView ..................................................... 25
full-duplex ...........................................................39 hprompt
fwd (STP bridge option) .....................................331 system option ............................................. 262
FwdDel (forward delay), bridge port ......................99 HSRP. See Hot Standby Router Protocol.
HSRV. See Hot Standby Router Protocol.
G HTTP
application health checks ............................. 427
gig (Port Menu option) .......................303, 307, 309
redirects (Global SLB option) ....................... 466
Gigabit Ethernet
system option ............................................. 288
configuration...............................303, 307, 309
680 Index
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
Index 681
320506-A, January
Nortel Application Switch Operating System 23.0.2 Command Reference
N
nbr change statistics............................................179
Network Address Translation (NAT)
filter action .................................................448
network management ............................................25
non TCP/IP frames .....................................204, 228
notice ................................................................262
NTP synchronization ..........................................272
NTP time zone ...................................................272
682 Index
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
Index 683
320506-A, January
Nortel Application Switch Operating System 23.0.2 Command Reference
684 Index
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
server traffic processing ..................................... 463 SLB real server group health checks
Session Binding Table ....................................... 416 arp............................................................. 426
session identifier ............................................... 433 dns ............................................................ 427
setup ftp ............................................................. 427
configuration .............................................. 406 http............................................................ 427
setup command, configuration ............................ 403 icmp .......................................................... 426
setup facility ................................................. 31, 33 imap .......................................................... 427
BOOTP ....................................................... 37 ldap ........................................................... 428
duplex mode ................................................ 39 radius ........................................................ 428
IP configuration ............................................ 42 script ......................................................... 428
IP subnet mask ............................................. 42 smtp .......................................................... 427
port auto-negotiation mode ...................... 39, 40 SNMP ....................................................... 428
port configuration ......................................... 38 sslh............................................................ 427
port flow control ..................................... 39, 40 tcp ............................................................. 426
port speed .................................................... 39 udpdns ....................................................... 428
restarting ..................................................... 36 wsp ........................................................... 428
Spanning-Tree Protocol ................................. 38 wtls ........................................................... 428
starting ........................................................ 34 SLB real server group option
stopping....................................................... 36 application health checking .......................... 424
system date .................................................. 37 health checking ........................................... 424
system time .................................................. 37 metric ........................................................ 423
VLAN name ................................................ 41 SLB real server option
VLAN port numbers ..................................... 41 backup ....................................................... 416
VLAN tagging ............................................. 40 intr (interval) .............................................. 417
VLANs ....................................................... 41 maxcon (maximum connections) ................... 416
SFD statistics name, alias for each real server ..................... 415
mp specific ................................................ 252 restr (restore) SLB real server UDP option ..... 417
SFP GBIC ports ................................................ 309 retry .......................................................... 417
shortcuts (CLI) .................................................... 60 RIP, real server IP address ............................ 415
single-mode ports .............................................. 307 submac ...................................................... 417
SIP (source IP address for filtering) ..................... 449 tmout (time out) .......................................... 416
SLB filtering option weights ...................................................... 415
action ........................................................ 448 slowage ............................................................ 482
SLB Information ............................................... 132 smask
SLB layer7 statistics .......................................... 214 source mask for filtering .............................. 449
smtp ................................................................. 262
SMTP server health checks ................................. 427
snap traces
buffer ........................................................ 527
SNMP ........................................................ 25, 152
health checks .............................................. 490
HP-OpenView .............................................. 25
menu options .............................................. 274
set and get access ........................................ 275
SNMP Agent ..................................................... 667
SNMP health check configuration ....................... 490
SNMP health checks .......................................... 428
SNMP Support
optional setup for SNMP support .................... 46
Index 685
320506-A, January
Nortel Application Switch Operating System 23.0.2 Command Reference
software system
image file and version ....................................63 contact (SNMP option) ................................ 274
license ........................................................509 date and time .......................................... 61, 63
software image ...................................................512 location (SNMP option) ............................... 274
SP specific statistics ...........................................253 system access control configuration..................... 288
spanning tree System Maintenance Menu ................................. 522
configuration...............................................329 system options
Spanning-Tree Protocol ..............................102, 259 admpw (administrator password) .................. 293
bridge aging option ......................................332 BOOTP ..................................................... 262
bridge parameters ........................................331 cur (current system parameters) ............ 269, 272
bridge priority ...............................................99 date ........................................................... 262
port cost option ...........................................333 hprompt ..................................................... 262
port priority option.......................................333 HTTP access .............................................. 288
root bridge ............................................99, 331 l4apw (Layer 4 administrator password) ........ 292
setup (on/off) ................................................38 login banner ............................................... 262
switch reset effect ........................................517 time........................................................... 262
SSL ..................................................................437 tnet............................................................ 288
secure socket layer statistics ..........................219 tnport ........................................................ 289
stacking commands (CLI) .....................................60 usrpw (user password) ................................. 292
starting switch setup .............................................34 system parameters, current ......................... 269, 272
state (STP information) .........................................99
state information, client system............................437 T
static
IP route tag .................................................109 tab completion (CLI) ........................................... 60
static route tacacs ............................................................... 270
rem ............................................................348 TACACS+ ........................................................ 270
statis route TCP
add ............................................................348 fragments ................................................... 433
statistics health checking using .................................. 417
group .........................................................212 health checks .............................................. 427
management processor .................................248 source and destination ports.......................... 447
Statistics Menu ..................................................151 TCP statistics ............................................ 197, 251
stopping switch setup............................................36 Telnet ................................................................. 27
subnet address maskconfiguration BOOTP ....................................................... 27
IP subnet address .........................................344 configuring switches using ........................... 407
subnet mask .........................................................42 telnet
subnets ................................................................42 radius server ............................................... 269
IP interface .................................................344 Telnet support
switch optional setup for Telnet support ..................... 46
resetting .....................................................517 terminal emulation ............................................... 26
Switch Processor (SP).........................................527 text conventions .................................................. 23
display trace buffer ......................................527 TFTP ................................................................ 513
swkey ...............................................................509 PUT and GET commands ............................ 408
SYN attack detection configuration ......................483 TFTP server ...................................................... 408
sync ..................................................................502 time
synchronization setup ........................................................... 37
VRRP switch ......................................478, 502 system option ............................................. 262
syslog timeout
system host log configuration ........................263 radius server ............................................... 269
686 Index
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
V
verbose ............................................................... 57
vip
advertisement of virtual IP addresses as Host
Routes ................................................ 358
IP route tag ................................................ 109
Index 687
320506-A, January
Nortel Application Switch Operating System 23.0.2 Command Reference
VLANs ...............................................................42 X
ARP entry information .................................113
broadcast domains .......................................339 XModem .......................................................... 671
information .................................................103
interface .......................................................43
multiple spanning trees .................................329
name ....................................................90, 103
name setup....................................................41
port membership....................................90, 103
port numbers .................................................41
security ......................................................339
setting default number (PVID) .....303, 307, 309,
312
setup ............................................................41
Spanning-Tree Protocol ................................329
tagging ...................................40, 62, 149, 340
VLAN Number ...........................................103
VRID (virtual router ID) .............................383, 391
VRRP
interface configuration .................................394
master advertisements ..................................384
tracking ..............................................383, 387
tracking configuration ..................................395
virtual router sharing ....................................384
VRRP Information .............................................127
VRRP master advertisements
time interval ................................................391
VRRP statistics ..................................................191
W
WAP
health checks ..............................................492
WAP health check
wspport ..............................................490, 492
wtlsprt ................................................490, 493
WAP health check configuration .........................492
WAP SLB statistics ............................................225
watchdog timer ..................................................520
web-based management interface...........................25
weights
for SLB real servers .....................................431
setting virtual router priority values ................395
write community string (SNMP option) ................275
wspport
WAP health check ...............................490, 492
wtlsprt
WAP health check ...............................490, 493
688 Index
320506-A, January 2006