Nortel Commands
Command Reference
4655 Great America Parkway Santa Clara, CA 95054 Phone 1-800-4Nortel http://www.nortel.com
Copyright 2006 Nortel Networks, Inc., 4655 Great America Parkway, Santa Clara, California 95054, USA. All rights reserved. Part Number: 320506-A. This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Nortel Networks, Inc. Documentation is provided as is without warranty of any kind, either express or implied, including any kind of implied or express warranty of noninfringement or the implied warranties of merchantability or fitness for a particular purpose. U.S. Government End Users: This document is provided with a commercial item as defined by FAR 2.101 (Oct 1995) and contains commercial technical data and commercial software documentation as those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR 12.211- 12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995). Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of Nortel Networks, Inc.
Nortel Application Switch Operating System, Nortel Application Switch 2424, Nortel Application Switch 2424-SSL, Nortel Application Switch 2224, 2216, 2208, 3408, Nortel Application Switch 180, Nortel Application Switch 180e, Nortel Application Switch 184, Nortel Application Switch AD3, Nortel Application Switch AD4, and ACEswitch are trademarks of Nortel Networks, Inc. in the United States and certain other countries. Cisco and EtherChannel are registered trademarks of Cisco Systems, Inc. in the United States and certain other countries. Check Point and FireWall-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd. Any other trademarks appearing in this manual are owned by their respective companies. Originated in the U.S.A.
320506-A, January 2006
Contents
Preface ..... 21
Who Should Use This Book ..... 21
How This Book Is Organized ..... 21
Related Documentation ..... 22
Typographic Conventions ..... 23
How to Get Help ..... 24

The Command Line Interface ..... 25
Connecting to the Switch ..... 26
Establishing a Console Connection ..... 26
Requirements ..... 26
Procedure ..... 26
Establishing a Telnet Connection ..... 27
Using a BOOTP Server ..... 27
Running Telnet ..... 27
Establishing an SSH Connection ..... 28
Running SSH ..... 28
Accessing the Switch ..... 29
CLI Versus Setup ..... 31
Command Line History and Editing ..... 31
Idle Timeout ..... 31

First-Time Configuration ..... 33
Using the Setup Utility ..... 33
Information Needed For Setup ..... 33
Starting Setup When You Log In ..... 34
Stopping and Restarting Setup Manually ..... 36
Stopping Setup ..... 36
Restarting Setup ..... 36
Setup Part 1: Basic System Configuration ..... 36
Setup Part 2: Port Configuration ..... 38
Setup Part 3: VLANs ..... 41
Setup Part 4: IP Configuration ..... 42
IP Interfaces ..... 42
Default Gateways ..... 43
IP Routing ..... 44
Setup Part 5: Final Steps ..... 45
Optional Setup for SNMP Support ..... 46
Optional Setup for Telnet Support ..... 46
Setting Passwords ..... 47
Changing the Default Administrator Password ..... 47
Changing the Default User Password ..... 49
Changing the Default Layer 4 Administrator Password ..... 51

Menu Basics ..... 53
The Main Menu ..... 53
Menu Summary ..... 54
Global Commands ..... 56
Command Line History and Editing ..... 59
Command Line Interface Shortcuts ..... 60
Command Stacking ..... 60
Command Abbreviation ..... 60
Tab Completion ..... 60
Configuration Ranges ..... 60

The Information Menu ..... 61
Information Menu ..... 61
System Information Menu ..... 63
SNMPv3 System Information Menu ..... 65
SNMPv3 USM User Table Information ..... 66
SNMPv3 View Table Information ..... 67
SNMPv3 Access Table Information ..... 68
SNMPv3 Group Table Information ..... 69
SNMPv3 Community Table Information ..... 69
SNMPv3 Target Address Table Information ..... 70
SNMPv3 Target Parameters Table Information ..... 71
SNMPv3 Notify Table Information ..... 72
SNMPv3 Dump Information ..... 73
General System Information ..... 74
Show System Time ..... 76
Show Last 64 Syslog Messages ..... 76
Last 64 Saved Syslog Messages ..... 77
Management Port Information ..... 78
SONMP Information ..... 79
System Capacity Information ..... 80
Show switch fan status ..... 83
Show switch temperature sensor status ..... 83
Show encryption licenses ..... 83
Show current user status ..... 83
System Information Dump ..... 84
Layer 2 Information Menu ..... 89
Layer 2 FDB Information ..... 90
Show All FDB Information ..... 92
Clearing Entries from the Forwarding Database ..... 92
Link Aggregation Control Protocol Information Menu ..... 93
LACP Aggregator Information ..... 94
LACP Port Information ..... 95
LACP Dump Information ..... 97
Layer 2 Spanning Tree Group Information ..... 98
Show common internal spanning tree (CIST) information ..... 101
Trunk Group Information ..... 102
VLAN Information ..... 103
VLAN Information ..... 104
Status of port teams ..... 105
Layer2 Dump Information ..... 105
Layer3 Information Menu ..... 106
IP Routing Information ..... 107
Show All IP Route Information ..... 108
Type Parameters ..... 109
Tag Parameters ..... 109
IPv6 Routing Information Menu ..... 110
ARP Information Menu ..... 112
Show ARP Entries on Referenced SP ..... 113
Show All ARP Entry Information ..... 114
ARP Address List Information ..... 115
IPv6 Neighbor Cache Information ..... 115
BGP Information Menu ..... 117
BGP Peer information ..... 118
BGP Summary information ..... 119
Dump BGP Information ..... 119
OSPF Information Menu ..... 119
OSPF General Information ..... 121
OSPF Interface Information ..... 122
OSPF Database Information ..... 122
OSPF Information Route Codes ..... 124
OSPF Dump Information ..... 125
IP Information ..... 126
VRRP Information ..... 127
Layer3 Dump Information ..... 129
Layer 4 Information Menu ..... 132
Session Table Information ..... 134
Samples of Session Dumps for Different Applications ..... 135
Session dump information in Nortel Application Switch Operating System ..... 137
Global SLB Information Menu ..... 139
Show All Layer 4 Information ..... 140
Bandwidth Management Information ..... 141
BWM IP User Information Menu ..... 142
BWM Contract Information ..... 144
Security Information ..... 146
Link Status Information ..... 147
Port Information ..... 149
Software Enabled Keys ..... 150
Information Dump ..... 150

The Statistics Menu ..... 151
Statistics Menu ..... 151
System statistics menu ..... 154
Port Statistics Menu ..... 155
Bridging Statistics ..... 156
Ethernet Statistics ..... 157
Interface Statistics ..... 161
Interface Protocol Statistics ..... 162
Link Statistics ..... 163
RMON Statistics ..... 164
Port Dump Statistics ..... 168
Port mirroring statistics menu ..... 170
Layer 2 Statistics Menu ..... 170
FDB Statistics ..... 171
LACP Statistics ..... 172
Spanning Tree Group Statistics ..... 173
Layer 3 Statistics Menu ..... 174
OSPF Statistics Menu ..... 176
OSPF Global Statistics ..... 177
IP Statistics ..... 181
IP6 Statistics Menu ..... 184
Route Statistics ..... 189
ARP statistics ..... 190
VRRP Statistics ..... 191
DNS Statistics ..... 192
ICMP Statistics ..... 193
Interface Statistics ..... 195
TCP Statistics ..... 197
UDP Statistics ..... 199
Server Load Balancing Statistics Menu ..... 199
Server Load Balancing SP statistics Menu ..... 202
SP Real Server Statistics ..... 202
SP Filter Statistics ..... 203
SP Maintenance Statistics ..... 204
Global SLB Statistics Menu ..... 206
Real Server Global SLB Statistics ..... 207
Virtual Server Global SLB Statistics ..... 207
Global SLB Site Statistics ..... 208
Global SLB Maintenance Statistics ..... 209
Real Server SLB Statistics ..... 211
Per Service Octet Counters ..... 211
Real Server Group Statistics ..... 212
Virtual Server SLB Statistics ..... 213
Filter SLB Statistics ..... 213
SLB Layer7 Statistics Menu ..... 214
Layer7 Redirection Statistics ..... 214
Layer 7 SLB String Statistics ..... 215
Layer 7 SLB Maintenance Statistics ..... 216
Layer7 Pooling Statistics ..... 218
SLB Secure Socket Layer Statistics ..... 219
File Transfer Protocol SLB and Filter Statistics Menu ..... 220
Active FTP SLB Parsing and Filter Statistics ..... 221
Passive FTP SLB Parsing Statistics ..... 221
FTP SLB Maintenance Statistics ..... 222
FTP SLB Statistics Dump ..... 222
RTSP SLB Statistics ..... 223
DNS SLB Statistics ..... 224
WAP SLB Statistics ..... 225
SLB Maintenance Statistics ..... 227
SIP SLB Statistics ..... 229
Display Workload Manager SASP statistics ..... 230
Clear Workload Manager SASP Statistics ..... 230
Display Workload Manager SASP statistics ..... 231
BWM Statistics Menu ..... 232
BWM Switch Processor Statistics ..... 233
BWM Switch Processor Contract Statistics Menu ..... 233
BWM Switch Processor Rate Contract Statistics ..... 233
BWM Contract Statistics ..... 234
BWM Contract Rate Statistics ..... 235
BWM History Statistics ..... 237
BWM Maintenance Statistics ..... 238
BWM IP Users Statistics ..... 238
Security Statistics ..... 239
DOS Attack Statistics Menu ..... 240
Types of DOS Attacks ..... 241
IP Access Control List Statistics ..... 244
UDP Blast Statistics ..... 245
UDP Blast Dump Statistics ..... 245
UDP Pattern Match Statistics ..... 246
Rate Limiting Statistics ..... 246
Dump Statistics for Security ..... 247
Management Processor Statistics ..... 248
MP Packet Statistics ..... 249
TCP Statistics ..... 251
UCB Statistics ..... 251
MP-Specific SFD Statistics ..... 252
CPU Statistics ..... 252
SP Specific Statistics ..... 253
SP-Specific Maintenance Statistics ..... 254
CPU Statistics ..... 254
Port Mirroring Statistics Menu ..... 255
Management Port Statistics ..... 255
Dump Statistics ..... 256

The Configuration Menu ..... 257
Management Port Configuration Menu ..... 264
Management Port Link Menu ..... 268
RADIUS Server Configuration ..... 268
TACACS+ Server Configuration Menu ..... 270
NTP Server Configuration ..... 271
SynOptics Network Management Protocol Configuration ..... 273
System SNMP Configuration ..... 273
SNMPv3 Configuration Menu ..... 276
User Security Model Configuration Menu ..... 278
SNMPv3 View Configuration Menu ..... 279
View-based Access Control Model Configuration Menu ..... 280
SNMPv3 Group Configuration Menu ..... 282
SNMPv3 Community Table Configuration Menu ..... 283
SNMPv3 Target Address Table Configuration Menu ..... 284
SNMPv3 Target Parameters Table Configuration Menu ..... 285
SNMPv3 Notify Table Configuration Menu ..... 286
System Health Check Configuration Menu ..... 287
System Access Control Configuration ..... 288
Management Networks Menu ..... 289
Port Management Access Menu ..... 291
User Access Control Menu ..... 291
System User ID Configuration Menu ..... 294
HTTPS Access Configuration Menu ..... 295
SSH Server Menu ..... 297
XML Configuration Access Menu ..... 298
Example of enabling or disabling XML access ..... 299
Configure the Timezone ..... 300
Port Configuration ..... 301
Nortel Application Switch Operating System 2000 Series ..... 302
Fast Ethernet Ports ..... 302
SFP GBIC Ports ..... 302
Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu ..... 308
Single-Mode SFP Gigabit Ethernet Port Link Configuration Menu ..... 310
Dual-Mode Ports ..... 311
Dual-Mode Copper Port Link Configuration ..... 313
Dual-Mode SFP Gigabit Link Configuration Menu ..... 314
Temporarily Disabling a Port ..... 314
Port Mirroring Menu ..... 315
Port-Mirroring Menu ..... 315
Bandwidth Management Configuration ..... 316
Bandwidth Management Contract Configuration ..... 319
BWM Contract Time Policy Configuration Menu ..... 320
Bandwidth Management Policy Configuration ..... 322
Bandwidth Management Group Configuration Menu ..... 323
Bandwidth Management Current Configuration ..... 324
Layer 2 Configuration Menu ..... 325
Multiple Spanning Tree Menu ..... 326
Multiple Spanning Tree Menu ..... 327
CIST Bridge Menu ..... 328
Current configuration for CIST Bridge ..... 328
Spanning Tree Group Configuration ..... 329
Bridge Spanning Tree Configuration ..... 331
Spanning Tree Port Configuration ..... 332
Trunk Configuration ..... 333
Link Aggregation Control Protocol Menu ..... 335
LACP Port Configuration Menu ..... 338
VLAN Configuration ..... 339
Port Team Configuration ..... 341
Layer 3 Configuration Menu ..... 342
IP Interface Configuration ..... 344
IPv6 Neighbor Discovery Menu ..... 345
Default IP Gateway Configuration ..... 346
Default Gateway Metrics ..... 347
IP Static Route Configuration ..... 348
ARP Configuration Menu ..... 348
ARP Static Configuration Menu ..... 349
IP Forwarding Configuration Menu ..... 350
Local Network Route Caching Definition ..... 350
Defining IP Address Ranges for the Local Route Cache ..... 351
Network Filter Configuration ..... 352
Route Map Configuration Menu ..... 353
IP Access List Configuration Menu ..... 355
Autonomous System Filter Path ..... 356
Routing Information Protocol Configuration ..... 357
RIP Interface Menu ..... 359
Open Shortest Path First Configuration ..... 361
Area Index Configuration Menu ..... 363
OSPF Summary Range Configuration Menu ..... 364
OSPF Interface Configuration Menu ..... 365
OSPF Virtual Link Configuration Menu ..... 367
OSPF MD5 Key Configuration Menu ..... 368
OSPF Host Entry Configuration Menu ..... 369
OSPF Route Redistribution Configuration Menu ..... 370
Border Gateway Protocol Configuration ..... 371
BGP Peer Configuration Menu ..... 373
BGP Redistribution Configuration Menu ..... 375
BGP Aggregate Routing Configuration Menu ..... 377
IP Forwarding Port Configuration Menu ..... 378
Domain Name System Configuration Menu ..... 379
Bootstrap Protocol Relay Configuration Menu ..... 380
VRRP Configuration Menu ..... 381
Virtual Router Configuration Menu ..... 383
Virtual Router Priority Tracking Configuration ..... 385
Virtual Router Group Menu ..... 387
Virtual Router Group Priority Tracking Configuration Menu ..... 388
Virtual Router Group Configuration ..... 390
Virtual Router Group Priority Tracking Configuration ..... 392
VRRP Interface Configuration ..... 394
VRRP Tracking Configuration ..... 395
Default Gateway Metrics ..... 396
Security Configuration Menu ..... 397
Port Security Menu ..... 399
IP Address Access Control List Configuration Menu ..... 400
UDP Blast Protection Configuration Menu ..... 402
Anomaly and Denial of Service Attack Prevention Menu ..... 403
Pattern Matching Menu ..... 404
SSL Processor Menu ..... 406
Setup ..... 406
Dump ..... 407
Saving the Active Switch Configuration ..... 408
Restoring the Active Switch Configuration ..... 408

The SLB Configuration Menu ..... 411
Real Server SLB Configuration ..... 414
Real Server Advanced Menu ..... 419
Buddy Server Health Check Menu ..... 420
Real Server Layer 7 Configuration ..... 421
Real server IDS Configuration Menu ..... 422
Real Server Group SLB Configuration ..... 423
SLB Health Check Types ..... 426
Server Load Balancing Metrics ..... 429
Virtual Server SLB Configuration ..... 431
Virtual Server Service Configuration ..... 434
WTS Load Balancing Menu ..... 440
HTTP Load Balancing Menu ..... 441
SIP Load Balancing Menu ..... 442
RTSP Load Balancing Menu ..... 443
Cookie-Based Persistence ..... 444
Advanced Filter Configuration ..... 450
802.1p Advanced Menu ..... 453
Advanced Filter TCP Configuration ..... 453
IP Advanced Menu ..... 454
ICMP Message Types ..... 455
Layer 7 Advanced Filter Configuration Menu ..... 457
Layer 7 SIP Menu ..... 459
Proxy Advanced Menu ..... 460
SLB Filter Advanced Security Menu ..... 460
Advanced Security Rate Limiting Configuration Menu ..... 462
Port SLB Configuration ..... 463
Global SLB Configuration ..... 465
GSLB Remote Site Configuration ..... 467
GSLB Network Preference Configuration Menu ..... 469
GSLB Rule Configuration Menu ..... 470
Global SLB Rule Metric Menu ..... 472
Layer 7 SLB Resource Definition Menu ..... 472
Web Cache Redirection Configuration ..... 473
Server Load Balance Resource Configuration Menu ..... 475
SDP Mapping Menu ..... 477
WAP Configuration ..... 477
Synchronize Peer Switch Configuration ..... 478
Peer Switch Configuration ..... 479
Advanced Layer 4 Configuration ..... 480
SYN Attack Detection Configuration Menu ..... 483
Advanced SMT Real Server Port Configuration Menu ..... 483
Inbound Link Load Balancing configuration Menu ..... 484
Inbound Link Load Balancing Domain Record Menu ..... 485
Inbound Link Load Balancing Mapping Menu ..... 486
Advanced Health Check Configuration Menu ..... 486
Scriptable Health Checks Configuration ..... 488
SNMP Health Check Configuration ..... 490
WAP Health Check Configuration ..... 492
Contents
320506-A, January 2006
13
WSP Content Health Check . . . . . . . . . . . . . . . . . . . . . . 494 WTP and WSP Content Health Check Menu . . . . . . . . . 495 Proxy IP Address Configuration Menu . . . . . . . . . . . . . . . . 496 SLB Peer Proxy IP Address Menu . . . . . . . . . . . . . . . . . 497 WorkLoad Management Menu . . . . . . . . . . . . . . . . . . . . . . . 498
The Operations Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499
Operations Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499 Operations-Level Port Options . . . . . . . . . . . . . . . . . . . . . . . . . . 501 Operations-Level SLB Options . . . . . . . . . . . . . . . . . . . . . . . . . 502 Real Server Group Operations . . . . . . . . . . . . . . . . . . . . . . . 503 Global SLB Operations Menu . . . . . . . . . . . . . . . . . . . . . . . 504 Operations-Level VRRP Options. . . . . . . . . . . . . . . . . . . . . . . . 505 Operations-Level Bandwidth Management Options . . . . . . . . . 505 Security Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506 IP ACL Operations Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . 506 Operations-Level IP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 508 Operations-Level BGP Options . . . . . . . . . . . . . . . . . . . . . . 508 Activating Optional Software . . . . . . . . . . . . . . . . . . . . . . . . . . . 509 Removing Optional Software . . . . . . . . . . . . . . . . . . . . . . . . . . . 510
The Boot Options Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .511
Maintenance Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519 System Maintenance Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 522 Forwarding Database Options . . . . . . . . . . . . . . . . . . . . . . . . . . 522 ARP Cache Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523 ARP Entries on a Single Port . . . . . . . . . . . . . . . . . . . . . . . . 524
14
Contents
320506-A, January 2006
IP Route Manipulation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525 IPv6 Manipulation Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526 Debugging Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527 Uuencode Flash Dump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528 System Dump Put . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529 Clearing Dump Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529 Panic Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Unscheduled System Dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .531 The SSL Processor Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Login to the SSL processor. . . . . . . . . . . . . . . . . . . . . . . . . . 533 SSL Processor Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535 SSL Performance information menu . . . . . . . . . . . . . . . . . . . . . 536 SSL Performance Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . 540 SSL Performance Statistics menu . . . . . . . . . . . . . . . . . . . . . . . 541 SSL Performance Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . 542 SSL Performance SSL Local Statistics Menu . . . . . . . . . . . 543 SSL Performance: Single ISD SSL Statistics Menu. . . . . . . 544 IPSEC Statistics menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545 SSL Performance: Local IPSEC Statistics Menu . . . . . . . . . 546 SSL Performance: Single IPSEC ISD Statistics Menu . . . . 547 AAA Statistics Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548 SSL Performance Configuration Menu . . . . . . . . . . . . . . . . 548 SSL Configuration Server Menu . . . . . . . . . . . . . . . . . . . . . 551 SSL Configuration Server-specific Menu. . . . . . . . . . . . . . . 552 SSL Configuration Server-specific Trace Menu . . . . . . . . . 554 SSL Configuration Server-specific SSL Menu. . . . . . . . . . . 555 SSL Configuration Server-specific TCP Menu . . . . . . . . . . 556 SSL Configuration Server-specific Advanced Menu . . . . . . 557 SSL Configuration Server Advanced String Menu . . . . . . . 558 SSL Configuration Server Advanced Load Balancing Menu559 SSL Configuration Server Advanced Load Balancing Cookie Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560 Local VIP Configuration Menu . . . . . . . . . . . . . . . . . . . . . . 562 SSL Configuration Server Advanced Load Balancing Health Script Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562 SSL Configuration Server Advanced Load Balancing Remote SSL Menu . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . 563
Contents
320506-A, January 2006
15
SSL Configuration Server Advanced Load Balancing Remote SSL Verification Menu . . . . . . . . . . . . . . . . . . . . . . 564 SSL Configuration Server Advanced Load Balancing Backend Server Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565 SSL Configuration Certificate Menu . . . . . . . . . . . . . . . . . . 566 SSL Configuration Revoke Certificate Menu. . . . . . . . . . . . 571 SSL Configuration Revoke Certificate Automatic Menu. . . 572 SSL VPN Configuration Menu . . . . . . . . . . . . . . . . . . . . . . 573 SSL VPN Configuration Menu . . . . . . . . . . . . . . . . . . . . . . 574 SSL VPN Configuration TunnelGuard Menu . . . . . . . . . . . 576 SSL VPN Configuration Authentication Menu . . . . . . . . . . 578 SSL VPN Configuration Authentication Radius Menu . . . . 579 SSL VPN Configuration Authentication Radius Servers Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580 SSL VPN Configuration Authentication Radius Session Timeout Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580 SSL VPN Configuration Authentication Radius Macro Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581 SSL VPN Configuration Authentication Advanced Menu. . 582 SSL VPN Configuration Network Menu . . . . . . . . . . . . . . . 582 SSL VPN Configuration Network Subnet Menu . . . . . . . . . 583 SSL VPN Configuration Service Menu . . . . . . . . . . . . . . . . 584 SSL VPN Configuration Application specific Menu . . . . . . 585 SSL VPN Configuration Application specific Paths Menu . 587 SSL VPN Configuration AAA Filter Menu . . . . . . . . . . . . . 588 SSL VPN Configuration AAA Group Menu . . . . . . . . . . . . 589 SSL VPN Configuration AAA Group Access Menu . . . . . . 591 SSL VPN Configuration AAA Group Linkset Menu . . . . . . 592 SSL VPN Configuration AAA Group Extend Profiles Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . 593 SSL VPN Configuration AAA Group Extend Profiles Access Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594 SSL VPN Configuration AAA Group Extend Profiles Linkset Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595 SSL VPN Configuration AAA Group IPsec Menu . . . . . . . 595 SSL VPN Configuration AAA Single-sign on Enabled Domains Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
16
Contents
320506-A, January 2006
SSL VPN Configuration AAA Single-sign on Headers Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597 SSL VPN Configuration AAA Radius Accounting Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599 SSL VPN Configuration AAA Radius Accounting Servers Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599 SSL VPN Configuration AAA Radius Accounting VPN attributes Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601 SSL VPN Configuration Server Menu . . . . . . . . . . . . . . . . . 601 SSL VPN Configuration Server Traffic Trace Menu . . . . . . 602 SSL VPN Configuration Server SSL Settings Menu . . . . . . 603 SSL VPN Configuration Server TCP endpoint Settings Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605 SSL VPN Configuration Server HTTP Settings Menu . . . . 606 SSL VPN Configuration Server SSL triggered rewrite Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607 SSL VPN Configuration Server Intranet Proxy settings Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608 SSL VPN Configuration Server Portal settings Menu . . . . . 609 SSL VPN Configuration Server Advanced Menu . . . . . . . . 609 SSL VPN Configuration Server UDP Syslog Traffic Log Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610 SSL VPN Configuration Server SSL Connect Menu . . . . . . 611 SSL VPN Configuration Server SSL Connect verify Server Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612 SSL VPN Configuration IPsec Server Menu . . . . . . . . . . . . 612 SSL VPN Configuration IPsec Server IKE Profile Menu . . 614 SSL VPN Configuration IPsec Server IKE Profile Encryption Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
615 SSL VPN Configuration IPsec Server IKE Profile Diffie-Hellman Group Mask Menu . . . . . . . . . . . . . . . . . . . 616 SSL VPN Configuration IPsec Server IKE Profile NAT Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617 SSL VPN Configuration IPsec Server IKE Profile Dead Peer Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617 SSL VPN Configuration IP Pool Menu . . . . . . . . . . . . . . . . 618 SSL VPN Configuration Portal Menu . . . . . . . . . . . . . . . . . 619 SSL VPN Configuration Portal Colors Menu. . . . . . . . . . . . 621
Contents
320506-A, January 2006
17
SSL VPN Configuration Portal Full Access Menu . . . . . . . 621 SSL VPN Configuration Portal Language Menu . . . . . . . . . 622 SSL VPN Configuration Portal Whitelist settings Menu . . . 623 SSL VPN Configuration Portal Whitelist settings Domains Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623 SSL VPN Configuration Linkset Menu . . . . . . . . . . . . . . . . 624 SSL VPN Configuration Linkset Link Menu . . . . . . . . . . . . 625 SSL VPN Configuration Linkset Link Internal Setting Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626 SSL VPN Configuration SSL Client Menu . . . . . . . . . . . . . 626 SSL VPN Configuration Advanced Menu . . . . . . . . . . . . . . 627 SSL VPN Configuration Advanced DNS settings Menu . . . 627 SSL Configuration System Menu . . . . . . . . . . . . . . . . . . . . . 628 SSL Configuration System Host Menu . . . . . . . . . . . . . . . . 629 SSL Configuration System Host Routes Menu . . . . . . . . . . 630 SSL Configuration System Host Menu . . . . . . . . . . . . . . . . 631 SSL Configuration System Host Interface Routes Menu . . . 632 SSL Configuration System Host Port Menu. . . . . . . . . . . . . 632 SSL Configuration System Menu . . . . . . . . . . . . . . . . . . . . . 633 SSL Configuration System Time Menu . . . . . . . . . . . . . . . . 633 SSL Configuration System Time NTP servers Menu. . . . . . 634 SSL Configuration System DNS settings Menu. . . . . . . . . . 634 SSL Configuration System DNS Servers settings Menu . . . 635 SSL Configuration System RSA servers Menu . . . . . . . . . . 636 SSL Configuration System SysLog Servers Menu. . . . . . . . 636 SSL Configuration System Access List Menu . . . . . . . . . . . 637 SSL Configuration System Administrative applications Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 638 SSL Configuration System Administrative applications SNMP Menu . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . 639 SSL Configuration System Administrative applications SNMPv2 MIB SNMP Menu . . . . . . . . . . . . . . . . . . . . . . . . 640 SSL Configuration System Administrative applications SNMP Community Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . 640 SSL Configuration System Administrative applications SNMP Users Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641 SSL Configuration System Administrative applications SNMP Target Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642
18 Contents
320506-A, January 2006
SSL Configuration System Administrative applications Audit Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643 SSL Configuration System Administrative applications Audit Servers Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644 SSL Configuration System Administrative applications HTTP Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644 SSL Configuration System Administrative applications HTTPS Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645 SSL Configuration System Administrative applications SSH Host keys Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646 SSL Configuration System Administrative applications SSH Known Host keys Menu . . . . . . . . . . . . . . . . . . . . . . . . 646 SSL Configuration System Menu . . . . . . . . . . . . . . . . . . . . . 647 SSL Configuration System User Edit Menu. . . . . . . . . . . . . 648 SSL Configuration System User Edit Menu. . . . . . . . . . . . . 648 SSL Configuration Language Support Menu . . . . . . . . . . . . 649 SSL Boot Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649 SSL Performance Menu. . . . . . . . . . . . . . . . . . . . . . . . . . . . 651 SSL Performance Maintenance Menu . . . . . . . . . . . . . . . . . 652 SSL Performance HSM Menu . . . . . . . . . . . . . . . . . . . . . . . 653
Nortel Application Switch Operating System Syslog Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655 LOG_WARNING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .655 LOG_ALERT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .656 LOG_CRIT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .657 LOG_ERR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .657 LOG_NOTICE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .663 LOG_INFO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .665 Nortel Application Switch Operating System SNMP Agent . 667 Performing a Serial Download . . . . . . . . . . . . . . . . . . . . . . . . 671 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673 Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 677
Contents
320506-A, January 2006
19
20
Contents
320506-A, January 2006
Preface
The Nortel Application Switch Operating System 23.0.2 Command Reference describes how to configure and use the Nortel Application Switch Operating System software with your Nortel Application Switch. For documentation on installing the switches physically, see the Hardware Installation Guide for your particular switch model.
The SLB Configuration Menu describes how to configure Server Load Balancing, Filtering, Global Server Load Balancing, and more.

The Operations Menu describes how to use commands which affect switch performance immediately but do not alter permanent switch configurations (such as temporarily disabling ports). This menu also describes how to activate or deactivate optional software features.

The Boot Options Menu describes the use of the primary and alternate switch images, how to load a new software image, and how to reset the software to factory defaults.

The Maintenance Menu describes how to generate and access a dump of critical switch state information, how to clear it, and how to clear part or all of the forwarding database.

Appendix A, Nortel Application Switch Operating System Syslog Messages, presents a listing of syslog messages.

Appendix B, Nortel Application Switch Operating System SNMP Agent, lists the Management Information Bases (MIBs) supported in the switch software.

Appendix C, Performing a Serial Download, shows how to directly load a binary software image into the switch for upgrade or maintenance.

Glossary defines the terminology used throughout the book.

Index includes pointers to the description of the key words used throughout the book.
Related Documentation
Nortel Application Switch Operating System 23.0.2 Application Guide (Part Number 320507-A). Provides application explanations and configuration examples for the Switch.

Nortel Application Switch Operating System 23.0.2 Browser-Based Interface (BBI) Quick Guide (Part Number 320508-A). Provides a description of the Switch BBI and how to configure and access it on the Switch.

Nortel Application Switch Hardware Installation Guide (Part Number 315396-E). Provides a description of the Nortel Application Switch hardware, the physical features, how to install it, and how to troubleshoot it.
Nortel Application Switch Operating System 23.0.2 Release Notes (Part Number 320509A). This document provides a description of new features and caveats and limitations, if any, in the software.
Typographic Conventions
The following table describes the typographic styles used in this book.

Table 1 Typographic Conventions

Typeface or Symbol: AaBbCc123
Meaning: This type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts.
Example: View the readme.txt file.
Main#

Typeface or Symbol: AaBbCc123 (bold)
Meaning: This bold type appears in command examples. It shows text that must be typed in exactly as shown.
Example: Main# sys

Typeface or Symbol: <AaBbCc123> (italic)
Meaning: This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows book titles, special terms, or words to be emphasized.
Example: To establish a Telnet session, enter: host# telnet <IP address>
Read your Users Guide thoroughly.

Typeface or Symbol: [ ]
Meaning: Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
Example: host# ls [-a]
Additional information about the Nortel Technical Solutions Centers is available at the following URL: http://www.nortelnetworks.com/help/contact/global An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate an ERC for your product or service, refer to the following URL: http://www.nortelnetworks.com/help/contact/erc/index.html
CHAPTER 1
A standard serial cable with a male DB9 connector (see your switch hardware installation guide for specifics).
Procedure

1. Connect the terminal to the Console port using the serial cable.
2. Power on the terminal.
3. To establish the connection, press <Enter> a few times on your terminal. You will next be required to enter a password for access to the switch. (For more information, see Setting Passwords on page 47.)
Running Telnet
Once the IP parameters on the Nortel Application Switch are configured, you can access the CLI using a Telnet connection. To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the Telnet command, followed by the switch IP address:
telnet <IP address>
Running SSH
Once the IP parameters are configured and the SSH service is enabled on the Nortel Application Switch, you can access the command line interface using an SSH connection. To establish an SSH connection with the switch, run the SSH program on your workstation by issuing the SSH command, followed by the switch IP address:
>> # ssh <switch IP address>
You will then be prompted to enter your user name and password.
SLB Operator (slboper)
The SLB Operator manages Web servers and other Internet services and their loads. In addition to being able to view all switch information and statistics, the SLB Operator can enable/disable servers using the Server Load Balancing operation menu.

Layer 4 Operator (l4oper)
The Layer 4 Operator manages traffic on the lines leading to the shared Internet services. This user currently has the same access level as the SLB Operator; the access level is reserved for future use, to provide access to operational commands for operators managing traffic on the lines leading to the shared Internet services.

Operator (oper)
The Operator manages all functions of the switch. In addition to SLB Operator functions, the Operator can reset ports or the entire switch.

SLB Administrator (slbadmin)
The SLB Administrator configures and manages Web servers and other Internet services and their loads. In addition to SLB Operator functions, the SLB Administrator can configure parameters on the Server Load Balancing menus, with the exception of filters and bandwidth management, which it cannot configure.

Layer 4 Administrator (l4admin)
The Layer 4 Administrator configures and manages traffic on the lines leading to the shared Internet services. In addition to SLB Administrator functions, the Layer 4 Administrator can configure all parameters on the Server Load Balancing menus, including filters and bandwidth management.

Administrator (admin)
The superuser Administrator has complete access to all menus, information, and configuration commands on the Nortel Application Switch, including the ability to change both the user and administrator passwords.
NOTE With the exception of the admin user, access to each user level can be disabled by setting the password to an empty value. All user levels below admin will by default be initially disabled (empty password) until they are enabled by the admin user. This prevents inadvertently leaving the switch open to unauthorized users.
Information Menu
Statistics Menu
Configuration Menu
Operations Command Menu
Boot Options Menu
Maintenance Menu
Show pending config changes [global command]
Apply pending config changes [global command]
Save updated config to FLASH [global command]
Revert pending or applied changes [global command]
Exit [global command, always available]
NOTE If you are accessing a user account or Layer 4 administrator account, some menu options will not be available.
Idle Timeout
By default, the switch will disconnect your console or Telnet session after five minutes of inactivity. This function is controlled by the idle timeout parameter, which can be set from 1 to 10080 minutes. For information on changing this parameter, see System Configuration on page 261.
CHAPTER 2
First-Time Configuration
To help with the initial process of configuring your switch, the Nortel Application Switch Operating System software includes a Setup utility. The Setup utility prompts you step-by-step to enter all the necessary information for basic configuration of the switch. This chapter describes how to use the Setup utility and how to change system passwords.

NOTE If you are configuring a 2000-SSL Series Switch, you can use the Switch Setup Utility in the Nortel Application Switch Operating System 2000-SSL Series Quick Setup Guide (part number 215102-A) instead for setting up the Switch and the SSL Processor. Then return to this guide for configuration and management information on your Switch.
Optional configuration for each VLAN
- Name of VLAN
- Which ports are included in the VLAN

Optional configuration of IP parameters
- IP address, subnet mask, and broadcast address, and VLAN for each IP interface
- IP addresses for up to four default gateways
- Destination, subnet mask, and gateway IP address for each IP static route
- Whether IP forwarding is enabled or not
- Whether the RIP supply is enabled or not
2.
Enter admin as the default administrator password. If the factory default configuration is detected, the system prompts:
Connected to Nortel Application Switch 2424 18:44:05 Mon April 12, 2004
The switch is booted with factory default configuration. To ease the configuration of the switch, a "Set Up" facility which will prompt you with those configuration items that are essential to the operation of the switch is provided.
Would you like to run "Set Up" to configure the switch? [y/n]:
NOTE If the default admin login is unsuccessful, or if the administrator Main Menu appears instead, the system configuration has probably been changed from the factory default settings. If you are certain that you need to return the switch to its factory default settings, see Selecting a Configuration Block on page 515.
3.
Enter y to begin the initial configuration of the switch, or n to bypass the Setup facility.
Restarting Setup
You can restart the Setup utility manually at any time by entering the following command at the administrator prompt:
# /cfg/setup
1.
Enter y if you will be configuring VLANs. Otherwise enter n. If you decide not to configure VLANs during this session, you can configure them later using the configuration menus, or by restarting the Setup facility. For more information on configuring VLANs, see the Nortel Application Switch Operating System 23.0.2 Application Guide.

Next, the Setup utility prompts you to input basic system information.
2.
Enter the last two digits of the year as a number from 00 to 99. 00 is considered 2000. To keep the current year, press <Enter>.
3.
Enter the month as a number from 1 to 12. To keep the current month, press <Enter>. 4. Enter the day of the current date at the prompt:
Enter day [12]:
Enter the date as a number from 1 to 31. To keep the current day, press <Enter>. 5. Enter the hour of the current system time at the prompt:
System Time: Enter hour in 24-hour format [18]:
Enter the hour as a number from 00 to 23. To keep the current hour, press <Enter>. 6. Enter the minute of the current time at the prompt:
Enter minutes [55]:
Enter the minute as a number from 00 to 59. To keep the current minute, press <Enter>. 7. Enter the seconds of the current time at the prompt:
Enter seconds [37]:
Enter the seconds as a number from 00 to 59. To keep the current second, press <Enter>. The system displays the date and time settings:
System clock set to 18:55:36 Mon April 12, 2004.
8.
disabled
If available on your network, a BOOTP server can supply the switch with IP parameters so that you do not have to enter them manually. BOOTP must be disabled however, before the system will prompt for IP parameters. Enter d to disable the use of BOOTP, or enter e to enable the use of BOOTP. To keep the current setting, press <Enter>. 9. Turn Spanning Tree Protocol on or off at the prompt:
Spanning Tree: Current Spanning Tree setting: ON Turn Spanning Tree OFF? [y/n]
Enter y to turn off Spanning Tree, or enter n to leave Spanning Tree on.
If you answer y to configure the management port, you will be prompted for IP address, subnet mask, broadcast address, default gateway, and other management port options. 2. Select the port to configure, or skip port configuration at the prompt:
Port Config: Enter port number: (1-28)
If you wish to change settings for individual ports, enter the number of the port you wish to configure. To skip port configuration, press <Enter> without specifying any port and go to Setup Part 3: VLANs on page 41.
3.
If appropriate, configure Ethernet/Fast Ethernet port speed. If you selected a port that has an Ethernet/Fast Ethernet connector, the system prompts:
Fast Link Configuration: Port Speed: Current Port 1 speed setting: 10/100 Enter new speed ["10"/"100"/"any"]:
Enter the port speed from the options available, or enter any to have the switch auto-sense the port speed. To keep the current setting, press <Enter>. 4. If appropriate, configure Ethernet/Fast Ethernet port duplex mode. If you selected a port that has an Ethernet/Fast Ethernet connector, the system prompts:
Port Mode: Current port 1 mode setting: any Enter new speed ["full"/"half"/"any"]
Enter full for full-duplex, half for half-duplex, or any to have the switch auto-negotiate. To keep the current setting, press <Enter>. 5. If appropriate, configure Ethernet/Fast Ethernet port flow control. If you selected a port that has an Ethernet/Fast Ethernet connector, the system prompts:
Port Flow Control: Current Port 1 flow control setting: both Enter new value ["rx"/"tx"/"both"/"none"]:
Enter rx to enable receive flow control, tx for transmit flow control, both to enable both, or none to turn flow control off for the port. To keep the current setting, press <Enter>. 6. If appropriate, configure Ethernet/Fast Ethernet port autonegotiation mode. If you selected a port that has an Ethernet/Fast Ethernet connector, the system prompts:
Port Auto Negotiation:
Current Port 1 autonegotiation: on
Enter new value ["on"/"off"]:
Enter on to enable autonegotiation, off to disable it, or press <Enter> to keep the current setting.
7.
If appropriate, configure Gigabit Ethernet port flow parameters. If you selected a port that has a Gigabit Ethernet connector, the system prompts:
Gig Link Configuration: Port Flow Control: Current Port 1 flow control setting: both Enter new value ["rx"/"tx"/"both"/"none"]:
Enter rx to enable receive flow control, tx for transmit flow control, both to enable both, or none to turn flow control off for the port. To keep the current setting, press <Enter>. 8. If appropriate, configure Gigabit Ethernet port autonegotiation mode. If you selected a port that has a Gigabit Ethernet connector, the system prompts:
Port Auto Negotiation:
Current Port 1 autonegotiation: on
Enter new value ["on"/"off"]:
Enter on to enable port autonegotiation, off to disable it, or press <Enter> to keep the current setting. 9. If configuring VLANs, enable or disable VLAN tagging for the port. If you have selected to configure VLANs back in Part 1, the system prompts:
Port VLAN tagging config (tagged port can be a member of multiple VLANs) Current TAG flag: disabled Enter new TAG status [d/e]:
Enter d to disable VLAN tagging for the port or enter e to enable VLAN tagging for the port. To keep the current setting, press <Enter>. 10. The system prompts you to configure the next port:
Enter port number:
When you are through configuring ports, press <Enter> without specifying any port. Otherwise, repeat the steps in this section.
If you wish to change settings for individual VLANs, enter the number of the VLAN you wish to configure. To skip VLAN configuration, press <Enter> without typing a VLAN number and go to Setup Part 4: IP Configuration on page 42. 2. Enter the new VLAN name at the prompt:
VLAN is newly created. Pending new VLAN name: "VLAN 2" Enter new VLAN name, without quotes:
Entering a new VLAN name is optional. To use the pending new VLAN name, press <Enter>. 3. Enter the VLAN port numbers. The system prompts you to define the first port in the VLAN:
Define ports in VLAN: Current VLAN 2: empty Enter port numbers one per line, NULL at end:
Type the first port number to add to the current VLAN and press <Enter>. The right angle prompt appears:
>
For each additional port in the VLAN, type the port number and press <Enter> to move to the next line. Repeat this until all ports for the VLAN being configured are entered. When you are finished adding ports to this VLAN, press <Enter> without specifying any port. 4. The system prompts you to configure the next VLAN:
VLAN Config: Enter VLAN number from 2 to 4090, NULL at end:
Repeat the steps in this section until all VLANs have been configured. When all VLANs have been configured, press <Enter> without specifying any VLAN.
IP Interfaces
IP interfaces are used for defining subnets to which the switch belongs. Up to 256 IP interfaces can be configured on the Nortel Application Switch. The IP address assigned to each IP interface provides the switch with an IP presence on your network. No two IP interfaces can be on the same IP subnet. The interfaces can be used for connecting to the switch for remote configuration, and for routing between subnets and VLANs (if used).
1. Select the IP interface to configure, or skip interface configuration at the prompt:
IP Config:
IP interfaces:
Enter interface number: (1-256)
NOTE The total number of interfaces on a Nortel Application Switch 2424-SSL is 1-255.
If you wish to configure individual IP interfaces, enter the number of the IP interface you wish to configure. To skip IP interface configuration, press <Enter> without typing an interface number and go to Default Gateways on page 43.
2. For the specified IP interface, enter the IP address in dotted decimal notation:
Current IP address: 0.0.0.0
Enter new IP address:
To keep the current setting, press <Enter>.
3. At the prompt, enter the IP subnet mask in dotted decimal notation:
Current subnet mask: 0.0.0.0
Enter new subnet mask:
To keep the current setting, press <Enter>.
4. At the prompt, enter the broadcast IP address in dotted decimal notation:
Current broadcast address: 0.0.0.0
Enter new broadcast address:
To keep the current setting, press <Enter>.
5. If configuring VLANs, specify a VLAN for the interface. This prompt appears if you selected to configure VLANs back in Part 1:
Current VLAN: 1
Enter new VLAN:
Enter the number for the VLAN to which the interface belongs, or press <Enter> without specifying a VLAN number to accept the current setting.
6. At the prompt, enter y to enable the IP interface, or n to leave it disabled:
Enable IP interface? [y/n]
7. Repeat the steps in this section until all IP interfaces have been configured. When all interfaces have been configured, press <Enter> without specifying any interface number.
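Before typing an interface plan into the Setup prompts above, it is worth checking it against the rules this section states. The following is an added example, not part of the Nortel manual: it validates each address/mask/broadcast triple, rejects two interfaces on one subnet, and enforces the 1-256 interface numbering. The interface list is constructed sample data.

```python
"""Validate a planned IP interface table before entering it in Setup.

Added example, not from the Nortel manual. It applies the rules stated in
this section: at most 256 interfaces (numbered 1-256), each with an
address, subnet mask and broadcast address, and no two interfaces on the
same IP subnet. The plan below is constructed sample data.
"""
import ipaddress
from typing import Dict, List, Set, Union

MAX_INTERFACES = 256
MAX_VLAN = 4090  # upper bound accepted by the Setup VLAN prompt

Interface = Dict[str, Union[int, str]]


def check_interfaces(interfaces: List[Interface]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent.

    Each interface is a dict with keys num, ip, mask, bcast and vlan, i.e.
    the values the Setup utility prompts for in steps 1 to 5 above.
    """
    problems: List[str] = []
    if len(interfaces) > MAX_INTERFACES:
        problems.append(f"{len(interfaces)} interfaces exceeds the limit of {MAX_INTERFACES}")
    seen_subnets: Dict[ipaddress.IPv4Network, int] = {}
    seen_numbers: Set[int] = set()
    for itf in interfaces:
        num = int(itf["num"])
        if not 1 <= num <= MAX_INTERFACES:
            problems.append(f"if {num}: interface number must be 1-{MAX_INTERFACES}")
        if num in seen_numbers:
            problems.append(f"if {num}: interface number used twice")
        seen_numbers.add(num)
        try:
            # IPv4Interface accepts a dotted-decimal mask after the slash and
            # tolerates host bits, so it models one switch interface directly.
            net = ipaddress.IPv4Interface(f"{itf['ip']}/{itf['mask']}").network
        except ValueError as exc:
            problems.append(f"if {num}: invalid address or mask ({exc})")
            continue
        if str(net.broadcast_address) != itf["bcast"]:
            problems.append(
                f"if {num}: broadcast {itf['bcast']} does not match "
                f"{net.broadcast_address} for {net.with_netmask}"
            )
        # The manual's rule: no two IP interfaces on the same IP subnet.
        if net in seen_subnets:
            problems.append(f"if {num}: subnet {net} already used by if {seen_subnets[net]}")
        else:
            seen_subnets[net] = num
        if not 1 <= int(itf["vlan"]) <= MAX_VLAN:
            problems.append(f"if {num}: VLAN {itf['vlan']} is outside 1-{MAX_VLAN}")
    return problems


# Constructed sample plan: interface 2 collides with interface 1's subnet
# and interface 3 carries the wrong broadcast address.
SAMPLE_PLAN: List[Interface] = [
    {"num": 1, "ip": "47.80.23.251", "mask": "255.255.254.0", "bcast": "47.80.23.255", "vlan": 1},
    {"num": 2, "ip": "47.80.22.10", "mask": "255.255.254.0", "bcast": "47.80.23.255", "vlan": 2},
    {"num": 3, "ip": "192.168.10.1", "mask": "255.255.255.0", "bcast": "192.168.10.0", "vlan": 3},
]

if __name__ == "__main__":
    for problem in check_interfaces(SAMPLE_PLAN):
        print(problem)
```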
Default Gateways
1. At the prompt, select a default gateway for configuration, or skip default gateway configuration:
IP default gateways:
Enter default gateway number: (1-259)
Enter the number for the default gateway to be configured. To skip default gateway configuration, press <Enter> without typing a gateway number and go to IP Routing on page 44.
2. At the prompt, enter the IP address for the selected default gateway:
Current IP address: 0.0.0.0
Enter new IP address:
Enter the IP address in dotted decimal notation, or press <Enter> without specifying an address to accept the current setting.
3. At the prompt, enter y to enable the default gateway, or n to leave it disabled:
Enable default gateway? [y/n]
4. Repeat the steps in this section until all default gateways have been configured. When all default gateways have been configured, press <Enter> without specifying any number.
IP Routing
When IP interfaces are configured for the various subnets attached to your switch, IP routing between them can be performed entirely within the switch. This eliminates the need to bounce inter-subnet communication off an external router device. Routing on more complex networks, where subnets may not have a direct presence on the Nortel Application Switch, can be accomplished by configuring static routes or by letting the switch learn routes dynamically. This part of the Setup program prompts you to configure the various routing parameters.
1. At the prompt, enable or disable forwarding for IP Routing:
Enable IP forwarding? [y/n]
Enter y to enable IP forwarding. To disable IP forwarding, enter n and proceed to Step 2. To keep the current setting, press <Enter>.
2. At the prompt, enable or disable the RIP supply:
Enable RIP supply? [y/n]
If your network uses Routing Information Protocol (RIP), enter y to enable the RIP supply. Otherwise, enter n to disable it. When RIP is enabled, RIP listen is set by default.
Enter y to restart the Setup utility from the beginning, or n to continue.
2. When prompted, decide whether you wish to review the configuration changes:
Review the changes made? [y/n]
Enter y to review the changes made during this session of the Setup utility. Enter n to continue without reviewing the changes. We recommend that you review the changes.
3. Next, decide whether to apply the changes at the prompt:
Apply the changes? [y/n]
Enter y to apply the changes, or n to continue without applying. Changes are normally applied.
4. At the prompt, decide whether to make the changes permanent:
Save changes to flash? [y/n]
Enter y to save the changes to flash. Enter n to continue without saving the changes. Changes are normally saved at this point.
5. If you do not apply or save the changes, the system prompts whether to abort them:
Abort all changes? [y/n]
Enter y to discard the changes. Enter n to return to the Apply the changes? prompt.
NOTE After initial configuration is complete, it is recommended that you change the default passwords as shown in Setting Passwords on page 47.
NOTE If you need to configure SNMPv3, refer to SNMPv3 Configuration Menu on page 276 of this manual.
1. Enable SNMP and select one of the options.
>> # /cfg/sys/access/snmp (disabled/read-only/read-write) [d/r/w]:
2. Set the SNMP read or write community string. By default, they are public and private respectively.
>> # /cfg/sys/ssnmp/rcomm|wcomm
3. Apply and save the configuration if you are not configuring the switch with Telnet support. Otherwise, apply and save after Optional Setup for Telnet Support on page 46.
>> System# apply
>> System# save
Setting Passwords
It is recommended that you change the user and administrator passwords after initial configuration and as regularly as required under your network security policies. To change both the user password and the administrator password, you must log in using the administrator password. Passwords cannot be modified from the user command mode.
NOTE If you forget your administrator password, call your technical support representative for help using the password fix-up mode.
3. From the Configuration Menu, use the following command to select the System Menu:
>> Configuration# sys
Syslog Menu
Management Port Menu
SSH Server Menu
RADIUS Authentication Menu
TACACS+ Authentication Menu
NTP Server Menu
SONMP Menu
System SNMP Menu
System Health Check Menu
System Access Menu
Set system date
Set system time
Set timeout for idle CLI sessions
Set login notice
Set login banner
Set SMTP host
Enable/disable display hostname (sysName) in CLI prompt
Enable/disable use of BOOTP
Display current system-wide parameters
4. From the System menu, use the following path to select the User menu:
System# access/user
5.
6.
NOTE If you forget your administrator password, call your technical support representative for help using the password fix-up mode.
7. Enter the new administrator password at the prompt:
Enter new administrator password:
8.
9.
1. Connect to the switch and log in using the admin password.
2. From the Main Menu, use the following command to access the Configuration Menu:
Main# cfg
3. From the Configuration Menu, use the following command to select the System Menu:
>> Configuration# sys
4.
5. Enter the current administrator password at the prompt. Only the administrator can change the user password. Entering the administrator password confirms your authority.
Changing USER password; validation required...
Enter current administrator password:
6.
7.
8.
3.
4. Enter the current administrator password (not the Layer 4 administrator password) at the prompt:
Changing L4 ADMINISTRATOR password; validation required...
Enter current administrator password:
NOTE If you forget your administrator password, call your technical support representative for help using the password fix-up mode.
5. Enter the new Layer 4 administrator password at the prompt:
Enter new L4 administrator password:
6.
7.
CHAPTER 3
Menu Basics
The Nortel Application Switch's Command Line Interface (CLI) is used for viewing switch information and statistics. In addition, the administrator can use the CLI for performing all levels of switch configuration. To make the CLI easy to use, the various commands have been logically grouped into a series of menus and sub-menus. Each menu displays a list of commands and/or sub-menus that are available, along with a summary of what each command will do. Below each menu is a prompt where you can enter any command appropriate to the current menu. This chapter describes the Main Menu commands, and provides a list of commands and shortcuts that are commonly available from all the menus within the CLI.
320506-A, January 2006
NOTE The ssl option is only visible on the Nortel Application Switch Operating System 2000-SSL Series.
[Main Menu]
info   - Information Menu
stats  - Statistics Menu
cfg    - Configuration Menu
oper   - Operations Command Menu
boot   - Boot Options Menu
maint  - Maintenance Menu
ssl    - SSL Accelerator Menu
diff   - Show pending config changes [global command]
apply  - Apply pending config changes [global command]
save   - Save updated config to FLASH [global command]
revert - Revert pending or applied changes [global command]
exit   - Exit [global command, always available]
Menu Summary
Information Menu
Provides sub-menus for displaying information about the current status of the switch: from basic system settings to VLANs, Layer 4 settings, and more.
Statistics Menu
Provides sub-menus for displaying switch performance statistics. Included are port, IF, IP, ICMP, TCP, UDP, SNMP, routing, ARP, DNS, VRRP, and Layer 4 statistics.
Configuration Menu
This menu is available only from an administrator login. It includes sub-menus for configuring every aspect of the switch. Changes to configuration are not active until explicitly applied. Changes can be saved to non-volatile memory.
Operations Command Menu
Operations-level commands are used for making immediate and temporary changes to switch configuration. This menu is used for bringing ports temporarily in and out of service, performing port mirroring, and enabling or disabling Server Load Balancing functions. It is also used for activating or deactivating optional software packages.
Boot Options Menu
This menu is used for upgrading switch software, selecting configuration blocks, and for resetting the switch when necessary.
Maintenance Menu
This menu is used for debugging purposes, enabling you to generate a dump of the critical state information in the switch, and to clear entries in the forwarding database and the ARP and routing tables.
SSL Accelerator Menu
This menu is used for
Global Commands
Some basic commands are recognized throughout the menu hierarchy. These commands are useful for obtaining online help, navigating through menus, and for applying and saving configuration changes. For help on a specific command, type help. You will see the following screen:
Global Commands: [can be issued from any menu]
help up print lines verbose exit diff apply save ping ping6 traceroute history pushd popd
The following are used to navigate the menu structure:
.   Print current menu
..  Move up one menu level
/   Top menu if first, or command separator
!   Execute command from history
[The descriptions of exit or quit, ping6, traceroute, pwd, verbose n, telnet, history, popd, who and of the line-editing keys <Ctrl-n>, <Ctrl-a>, <Ctrl-e>, <Ctrl-b>, <Ctrl-f>, <Backspace>, <Ctrl-d>, <Ctrl-k>, <Ctrl-l>, <Ctrl-u> and other keys did not survive extraction; only the command and key names remain.]
Command Abbreviation
Most commands can be abbreviated by entering the first characters which distinguish the command from the others in the same menu or sub-menu. For example, the command shown above could also be entered as follows:
Main# c/l2/st/p
Tab Completion
By entering the first letter of a command at any menu prompt and hitting <Tab>, the CLI will display all commands or options in that menu that begin with that letter. Entering additional letters will further refine the list of commands or options displayed. If only one command fits the input text when <Tab> is pressed, that command will be supplied on the command line, waiting to be entered. If the <Tab> key is pressed without any input on the command line, the currently active menu will be displayed.
Configuration Ranges
Most commands now support the use of configuration ranges. Configuration ranges allow the user to set common parameters on a range of similar items on the switch like ports or VLANs. For example, the command shown below would set the PVID of ports 1 through 10 to 5.
Main# /cfg/port 1-10/pvid 5
CHAPTER 4
The information provided by each menu option is briefly described in Table 4-1 on page 61, with pointers to where detailed information can be found.
Table 4-1 Information Menu Options (/info)
Command   Syntax and Usage
sys       Displays system menu information. To view menu options, see page 63.
l2        Displays the Layer 2 Information Menu. For details, see page 89.
l3        Displays the Layer 3 information menu. For details, see page 106.
/info/sys/snmpv3
SNMPv3 System Information Menu
SNMP version 3 (SNMPv3) is an extensible SNMP Framework that supplements the SNMPv2 Framework by supporting the following:
- a new SNMP message format
- security for messages
- access control
- remote configuration of SNMP parameters
For more details on the SNMPv3 architecture, please refer to RFC2271 to RFC2276.
[SNMPv3 Information Menu]
usm    - Show usmUser table information
view   - Show vacmViewTreeFamily table information
access - Show vacmAccess table information
group  - Show vacmSecurityToGroup table information
comm   - Show community table information
taddr  - Show targetAddr table information
tparam - Show targetParams table information
notify - Show notify table information
dump   - Show all SNMPv3 information
/info/sys/snmpv3/usm
SNMPv3 USM User Table Information
The User-based Security Model (USM) in SNMPv3 provides security services such as authentication and privacy of messages. This security model makes use of a defined set of user identities displayed in the USM user table. The USM user table contains information like:
- the user name
- a security name in the form of a string whose format is independent of the Security Model
- an authentication protocol, which is an indication that the messages sent on behalf of the user can be authenticated
- the privacy protocol.
usmUser Table:
User Name   Protocol
---------   --------
admin       NO AUTH, NO PRIVACY
adminmd5    HMAC_MD5, DES PRIVACY
adminsha    HMAC_SHA, DES PRIVACY
v1v2only    NO AUTH, NO PRIVACY
/info/sys/snmpv3/view
SNMPv3 View Table Information
For security reasons, the user can control and restrict the access allowed to a group, within each context, to only a subset of the management information in the management domain, by specifying the group's rights in terms of a particular MIB view.
View Name   Subtree          Mask   Type
---------   -------          ----   ----
org         1.3                     included
v1v2only    1.3                     included
v1v2only    1.3.6.1.6.3.15          excluded
v1v2only    1.3.6.1.6.3.16          excluded
v1v2only    1.3.6.1.6.3.18          excluded
/info/sys/snmpv3/access
SNMPv3 Access Table Information
The access control subsystem provides authorization services. The vacmAccessTable maps a group name, security information, a context, and a message type (a read or write operation, or a notification) into a MIB view. The View-based Access Control Model defines a set of services that an application can use for checking access rights of a group. This group's access rights are determined by a read-view, a write-view and a notify-view. The read-view represents the set of object instances authorized for the group while reading the objects. The write-view represents the set of object instances authorized for the group when writing objects. The notify-view represents the set of object instances authorized for the group when sending a notification.
Group Name   Prefix   Model    Level          Match   ReadV   WriteV   NotifyV
----------   ------   -----    -----          -----   -----   ------   -------
admin                 usm      noAuthNoPriv   exact   org     org      org
v1v2grp               snmpv1   noAuthNoPriv   exact   org     org      v1v2only
admingrp              usm      authPriv       exact   org     org      org
/info/sys/snmpv3/group
SNMPv3 Group Table Information
A group is a combination of security model and security name that defines the access rights assigned to all the security names belonging to that group. The group is identified by a group name.
Sec Model   User Name   Group Name
---------   ---------   ----------
snmpv1      v1v2only    v1v2grp
usm         admin       admin
usm         adminmd5    admingrp
usm         adminsha    admingrp
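The USM, view, access and group tables above are the inputs to one access decision per SNMP request. The following is an added example, not Nortel code: a small implementation of the RFC 3415 lookup loaded with exactly the rows shown by /info/sys/snmpv3 on this switch, so a reviewer can ask which principal may read, write or be notified about which part of the MIB. It assumes empty context names and the 'exact' match type, which is all the tables above use.

```python
"""Evaluate SNMPv3 VACM access decisions against the tables shown above.

Added example, not Nortel code: the RFC 3415 access-control lookup loaded
with the group, access and view tables that /info/sys/snmpv3 prints on
this switch. Context names are ignored and only 'exact' matching is
implemented, which is all the tables above use.
"""
from typing import Dict, List, Optional, Tuple

LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}
OP_INDEX = {"read": 0, "write": 1, "notify": 2}

# vacmSecurityToGroup table (/info/sys/snmpv3/group): (model, secName) -> group
SEC_TO_GROUP: Dict[Tuple[str, str], str] = {
    ("snmpv1", "v1v2only"): "v1v2grp",
    ("usm", "admin"): "admin",
    ("usm", "adminmd5"): "admingrp",
    ("usm", "adminsha"): "admingrp",
}

# vacmAccess table (/info/sys/snmpv3/access):
# (group, model, minimum level) -> (readView, writeView, notifyView)
ACCESS: Dict[Tuple[str, str, str], Tuple[str, str, str]] = {
    ("admin", "usm", "noAuthNoPriv"): ("org", "org", "org"),
    ("v1v2grp", "snmpv1", "noAuthNoPriv"): ("org", "org", "v1v2only"),
    ("admingrp", "usm", "authPriv"): ("org", "org", "org"),
}

# vacmViewTreeFamily table (/info/sys/snmpv3/view): (view, subtree, type).
# Every row shows an empty mask, which RFC 3415 treats as all ones, so a
# subtree matches only when every one of its sub-identifiers matches.
VIEWS: List[Tuple[str, str, str]] = [
    ("org", "1.3", "included"),
    ("v1v2only", "1.3", "included"),
    ("v1v2only", "1.3.6.1.6.3.15", "excluded"),  # SNMP-USER-BASED-SM-MIB
    ("v1v2only", "1.3.6.1.6.3.16", "excluded"),  # SNMP-VIEW-BASED-ACM-MIB
    ("v1v2only", "1.3.6.1.6.3.18", "excluded"),  # SNMP-COMMUNITY-MIB
]


def _oid(dotted: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in dotted.split("."))


def in_view(view: str, oid: str) -> bool:
    """RFC 3415 view check: the longest matching subtree decides."""
    target = _oid(oid)
    best: Optional[Tuple[int, str]] = None  # (matched length, included/excluded)
    for name, subtree, vtype in VIEWS:
        if name != view:
            continue
        prefix = _oid(subtree)
        if target[: len(prefix)] == prefix and (best is None or len(prefix) > best[0]):
            best = (len(prefix), vtype)
    return best is not None and best[1] == "included"


def is_access_allowed(model: str, sec_name: str, level: str, op: str, oid: str) -> bool:
    """vacmIsAccessAllowed for one request; False on any failed lookup.

    model is 'usm' or 'snmpv1'; level is a key of LEVELS; op is 'read',
    'write' or 'notify'; oid is the dotted object identifier requested.
    """
    group = SEC_TO_GROUP.get((model, sec_name))
    if group is None:
        return False
    # Candidate rows: same group and model, minimum level met by the request.
    # With several candidates the row with the highest level wins.
    candidates = [
        (LEVELS[row_level], views)
        for (g, m, row_level), views in ACCESS.items()
        if g == group and m == model and LEVELS[row_level] <= LEVELS[level]
    ]
    if not candidates:
        return False
    views = max(candidates, key=lambda c: c[0])[1]
    view = views[OP_INDEX[op]]
    return bool(view) and in_view(view, oid)


if __name__ == "__main__":
    # What the tables above actually grant: the USM user "admin" has no
    # authentication at all yet may write the whole "org" view, and the v1
    # community user's read view is "org", so the exclusions in "v1v2only"
    # restrict only its notifications, not its reads of the USM/VACM tables.
    checks = [
        ("usm", "admin", "noAuthNoPriv", "write", "1.3.6.1.2.1.1.5.0"),
        ("usm", "adminsha", "noAuthNoPriv", "read", "1.3.6.1.2.1.1.1.0"),
        ("snmpv1", "v1v2only", "noAuthNoPriv", "read", "1.3.6.1.6.3.15.1.2.2.1.3"),
        ("snmpv1", "v1v2only", "noAuthNoPriv", "notify", "1.3.6.1.6.3.15.1.2.2.1.3"),
    ]
    for req in checks:
        print(req, "->", "allowed" if is_access_allowed(*req) else "denied")
```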
/info/sys/snmpv3/comm
SNMPv3 Community Table Information
This command displays the community table information stored in the SNMP engine.
Index   Name     User Name   Tag
-----   ----     ---------   ---
trap1   public   v1v2only    v1v2trap
/info/sys/snmpv3/taddr
SNMPv3 Target Address Table Information
This command displays the SNMPv3 target address table information, which is stored in the SNMP engine.
Name    Transport Addr   Port   Taglist    Params
----    --------------   ----   -------    ------
trap1   47.81.25.66      162    v1v2trap   v1v2param
Table 4-9 SNMPv3 Target Address Table Information Parameters (/info/sys/snmpv3/taddr)
Field            Description
Name             Displays the locally arbitrary, but unique identifier associated with this snmpTargetAddrEntry.
Transport Addr   Displays the transport addresses.
Port             Displays the SNMP UDP port number.
Taglist          This column contains a list of tag values which are used to select target addresses for a particular SNMP message.
Params           The value of this object identifies an entry in the snmpTargetParamsTable. The identified entry contains SNMP parameters to be used when generating messages to be sent to this transport address.
/info/sys/snmpv3/tparam
SNMPv3 Target Parameters Table Information
Name        MP Model   User Name   Sec Model   Sec Level
----        --------   ---------   ---------   ---------
v1v2param   snmpv2c    v1v2only    snmpv1      noAuthNoPriv
/info/sys/snmpv3/notify
SNMPv3 Notify Table Information
Name       Tag
----       ---
v1v2trap   v1v2trap
/info/sys/snmpv3/dump
SNMPv3 Dump Information
usmUser Table:
User Name   Protocol
---------   --------
admin       NO AUTH, NO PRIVACY
adminmd5    HMAC_MD5, DES PRIVACY
adminsha    HMAC_SHA, DES PRIVACY
v1v2only    NO AUTH, NO PRIVACY

vacmAccess Table:
Group Name   Prefix   Model    Level          Match   ReadV   WriteV   NotifyV
----------   ------   -----    -----          -----   -----   ------   -------
admin                 usm      noAuthNoPriv   exact   org     org      org
v1v2grp               snmpv1   noAuthNoPriv   exact   org     org      v1v2only
admingrp              usm      authPriv       exact   org     org      org

vacmViewTreeFamily Table:
View Name   Subtree          Mask
---------   -------          ----
org         1.3
v1v2only    1.3
v1v2only    1.3.6.1.6.3.15
v1v2only    1.3.6.1.6.3.16
v1v2only    1.3.6.1.6.3.18

vacmSecurityToGroup Table:
Sec Model   User Name
---------   ---------
snmpv1      v1v2only
usm         admin
usm         adminsha

snmpCommunity Table:
Index   Name   User Name   Tag
-----   ----   ---------   ---

snmpNotify Table:
Name   Tag
----   ---

snmpTargetAddr Table:
Name   Transport Addr   Port   Taglist   Params
----   --------------   ----   -------   ------

snmpTargetParams Table:
Name   MP Model   User Name   Sec Model   Sec Level
----   --------   ---------   ---------   ---------
/info/sys/general
General System Information
On a Nortel Application Switch 2424:
System Information at 6:56:53 Thu Sep 15, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia (GMT offset -4:00)
Alteon Application Switch 2424
Switch is up 3 days, 11 hours, 28 minutes and 34 seconds.
Last boot: 18:28:09 Sun Sep 11, 2005 (reset from Telnet)
Last apply: unknown
Last save: 5
MAC Address: 00:01:81:2e:bc:50
IP (If 1) Address: 0.0.0.0
Hardware Order No: EB1412006 Serial No: ABCDE600MJ Rev: 09
Mainboard Hardware: Part No: P314090-A Rev: 00
Management Processor Board Hardware: Part No: P314080-A Rev: 00
Fast Ethernet Board Hardware: Part No: P314091-A Rev: 00

Note - When the measured temperature inside the switch EXCEEDs the high threshold at 62 degree Celsius a syslog message will be generated.
Software Version 23.0.1 (FLASH image2), active configuration.

NOTE The display of temperature will come up only if the temperature of any of the sensors exceeds 60°C. There will be a warning from the software if any of the sensors exceeds this temperature threshold. The switch will shut down if the power supply overheats and the temperature reaches 100°C. Information about fan failures will also be displayed if one or more fans are not functioning.
/info/sys/time
Show System Time
>> Main# /info/sys/time
12:52:49 Fri Jul 8, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia
DST on first Sunday of April at 02:00
DST off last Sunday of October at 02:00
/info/sys/log
Show Last 64 Syslog Messages
Date   Time     Criticality level   Message
Nov 19 12:16:51 ALERT  stp: STG 1, new root bridge
Nov 19 13:52:03 ALERT  ip: cannot contact default gateway 47.80.22.1
Nov 19 13:52:23 NOTICE ip: default gateway 47.80.22.1 operational
Nov 19 13:52:23 NOTICE ip: default gateway 47.80.22.1 enabled
Nov 19 14:21:27 ALERT  ip: cannot contact default gateway 47.80.22.1
Nov 19 14:21:47 NOTICE ip: default gateway 47.80.22.1 operational
Nov 19 14:21:47 NOTICE ip: default gateway 47.80.22.1 enabled
Nov 19 14:38:55 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 14:44:02 NOTICE mgmt: admin idle timeout from Telnet/SSH
Nov 19 16:15:06 INFO   mgmt: new configuration applied
Nov 19 16:15:20 INFO   mgmt: new configuration saved
Nov 19 16:18:44 INFO   mgmt: new configuration applied
Nov 19 16:19:37 ERROR  mgmt: Error: Apply not done
Nov 19 16:19:57 INFO   mgmt: new configuration applied
Nov 19 16:34:35 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 16:39:43 NOTICE mgmt: admin idle timeout from Telnet/SSH
Nov 19 16:39:59 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 16:54:13 NOTICE mgmt: admin idle timeout from Telnet/SSH
Nov 19 17:20:37 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 17:26:21 NOTICE mgmt: admin login from host 47.81.25.49
Nov 19 17:31:53 NOTICE mgmt: admin idle timeout from Telnet/SSH
Each syslog message has a criticality level associated with it, included in text form as a prefix to the log message. One of eight different prefixes is used, depending on the condition that the administrator is being notified of, as shown below.
EMERG: indicates the system is unusable
ALERT: indicates action should be taken immediately
CRIT: indicates critical conditions
ERR: indicates error conditions or error operations
WARNING: indicates warning conditions
NOTICE: indicates a normal but significant condition
INFO: indicates an information message
DEBUG: indicates a debug-level message
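The log above is what an operator has to work from when reviewing who touched the switch. The following is an added example, not part of the Nortel manual: a parser for the line format shown above and a triage pass that pulls out admin logins per source host, logins from hosts outside an expected management set, failed logins, configuration applies/saves and resets, plus the most severe level seen. The sample lines are copied from this section's output; the expected-host list is an assumption made for the example.

```python
"""Triage the messages shown by /info/sys/log and /info/sys/slog.

Added example, not part of the Nortel manual. It parses lines of the form
"<Mon> <day> <HH:MM:SS> <LEVEL> <facility>: <message>" and summarises the
events an operator reviewing the switch log wants to see. The sample lines
are taken from this section; EXPECTED_HOSTS is an assumption for the example.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Set

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) +(?P<time>\d{1,2}:\d{2}:\d{2}) +"
    r"(?P<level>[A-Z]+) +(?P<facility>\w+): *(?P<msg>.*)$"
)
# Prefixes in the order the manual lists them, most severe first.
SEVERITY = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]
# The sample output prints ERROR where the prefix list says ERR.
LEVEL_ALIASES = {"ERROR": "ERR"}
LOGIN_RE = re.compile(r"admin login from host (\S+)")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one syslog line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["level"] = LEVEL_ALIASES.get(rec["level"], rec["level"])
    return rec


def triage(lines: Iterable[str], expected_hosts: Iterable[str]) -> Dict[str, object]:
    """Summarise security-relevant events in the given syslog lines."""
    expected = set(expected_hosts)
    logins: Counter = Counter()
    unexpected: Set[str] = set()
    failed = config_changes = resets = unparsed = 0
    worst = len(SEVERITY)  # index into SEVERITY; lower is more severe
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["level"] in SEVERITY:
            worst = min(worst, SEVERITY.index(rec["level"]))
        msg = rec["msg"]
        m = LOGIN_RE.match(msg)
        if m:
            host = m.group(1)
            logins[host] += 1
            if host not in expected:
                unexpected.add(host)
        elif msg.startswith("Failed login attempt"):
            failed += 1
        elif msg in ("new configuration applied", "new configuration saved"):
            config_changes += 1
        elif msg.startswith("switch reset"):
            resets += 1
    return {
        "logins_by_host": dict(logins),
        "unexpected_login_hosts": unexpected,
        "failed_logins": failed,
        "config_changes": config_changes,
        "resets": resets,
        "most_severe": SEVERITY[worst] if worst < len(SEVERITY) else None,
        "unparsed": unparsed,
    }


# Sample lines copied from the /info/sys/log and /info/sys/slog output in this section.
SAMPLE_LOG = [
    "Nov 19 12:16:51 ALERT stp: STG 1, new root bridge",
    "Nov 19 14:38:55 NOTICE mgmt: admin login from host 47.81.27.4",
    "Nov 19 16:15:06 INFO mgmt: new configuration applied",
    "Nov 19 16:15:20 INFO mgmt: new configuration saved",
    "Nov 19 16:19:37 ERROR mgmt: Error: Apply not done",
    "Nov 19 17:26:21 NOTICE mgmt: admin login from host 47.81.25.49",
    "Sep 9 13:38:07 NOTICE mgmt: Failed login attempt via BBI.",
    "Aug 24 16:00:52 NOTICE mgmt: switch reset from CLI",
]
# Assumed management workstation for this example.
EXPECTED_HOSTS = ["47.81.27.4"]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, EXPECTED_HOSTS).items():
        print(f"{key}: {value}")
```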
/info/sys/slog
Last 64 Saved Syslog Messages
Aug 20 13:54:21 NOTICE ip: management port default gateway 47.80.22.1 operational
Aug 20 13:57:53 ALERT  ip: cannot contact management port default gateway 47.80.22.1
Aug 20 13:57:57 NOTICE ip: management port default gateway 47.80.22.1 operational
Aug 20 13:58:23 ALERT  ip: cannot contact management port default gateway 47.80.22.1
Aug 20 13:58:33 NOTICE ip: management port default gateway 47.80.22.1 operational
Aug 24 14:43:43 NOTICE mgmt: admin login from host 47.81.25.12
Aug 24 14:49:50 NOTICE mgmt: admin idle timeout from Telnet/SSH
Aug 24 14:51:38 NOTICE mgmt: admin login from host 47.81.25.12
Aug 24 14:57:30 NOTICE mgmt: admin idle timeout from Telnet/SSH
Aug 24 15:05:54 NOTICE mgmt: admin login from host 47.81.25.12
Aug 24 15:11:40 NOTICE mgmt: admin idle timeout from Telnet/SSH
Aug 24 16:00:40 NOTICE mgmt: admin login from host 47.81.25.12
Aug 24 16:00:52 NOTICE mgmt: switch reset from CLI
/info/sys/mgmt
Management Port Information
Speed   Duplex   Link
-----   ------   ----
100     full     up
MAC address: 00:01:81:2e:a4:8d
Interface information:
  47.80.23.251 255.255.254.0 47.80.23.255
Gateway information:
  47.80.22.1
Use this command to display Management port information on a Nortel Application Switch including:
- Port speed (10/100)
- Duplex mode (half, full, any, or auto)
- Link (Up or down)
- MAC Address of the system
- IP address of the Interface
- IP address of the gateway.
/info/sys/sonmp
SONMP Information
This command displays the SynOptics Network Management Protocol (SONMP) topology table. SONMP is enabled on Nortel Application Switches using the /cfg/sys/sonmp on command, and is necessary so that a Nortel Application Switch can be discovered by the Nortel Enterprise Switch Manager. When SONMP is enabled, devices on the network exchange multicast packets, namely flatnet hellos and segment hellos. The IP address of the device is written into the hello packets. As the network devices exchange information, a topology table is built like the one shown below.
Slot/Port   IP address     Seg Id   MAC address         Chassis Type   Local Seg   State
---------   ----------     ------   -----------         ------------   ---------   -----
0/0         47.80.23.247   0        00:01:81:2e:a3:60   Alteon2224     true        topChanged
1/11        47.80.22.1     770      00:e0:16:7c:28:24   Passport1200   true        heartbeat
1/11        47.80.23.25    259      00:60:cf:81:54:28   Passport8610   true        heartbeat
1/11        47.80.23.25    260      00:60:cf:81:54:38   Passport8610   true        heartbeat
1/11        47.80.23.241   257      00:60:cf:43:a2:10   AlteonAD4      true        topChanged
1/11        50.10.10.1     263      00:60:cf:46:d5:60   Alteon184      true        topChanged
/info/sys/capacity
System Capacity Information
The following sample output from a Nortel Application Switch 2424 displays the maximum and currently enabled switch capacity for various services and applications from Layer 2-7.
                                            Maximum Limit   Current(Enabled)
LAYER 2
  FDB                                       16384           54
  FDB per SP                                8192
  VLANs                                     1024
  Static Trunk Groups                       12
  LACP Trunk Groups                         28
  Trunks per Trunk Group                    8
  Spanning Tree Groups                      16
  Port Teams                                8
  Monitor Ports                             1
LAYER 3
  IP Interfaces                             256
  IP Gateways                               4+255
  IP Routes                                 4096
  Static Routes                             128
  ARP Entries                               8192
  Static ARP Entries                        128
  Local Nets                                5
  DNS Servers                               2
  BOOTP Servers                             2
  RIP Interfaces                            256
  OSPF Interfaces                           256
  OSPF Areas                                3
  OSPF Summary Ranges                       16
  OSPF Virtual Links                        3
  OSPF Hosts                                128
  OSPF LSDB                                 12288
  BGP Peers
  BGP Route Aggregators
  Route Maps
  Network Filters
  AS Filters
  VRRP Routers
  VRRP Router Groups
  VRRP Interfaces
SLB (LAYER 4-7)
  Real Servers                              1024
  Server Groups                             1024
  Virtual Servers                           1024
  Virtual Services                          1024
  Real Services                             8192
  Real IDS Servers                          62
  IDS Server Groups                         63
  Global SLB Domains                        1024            0(0)
  Global SLB Services                       8192            0(0)
  Global SLB Local Servers                  1024            0(0)
  Global SLB Remote Servers                 1024            0(0)
  Global SLB Remote Sites                   64              0(0)
  Global SLB Failovers per Remote Site      2               2(2)
  Global SLB Networks                       128             0(0)
  Global SLB Geographical Regions           7               7(7)
  Global SLB Rules                          128             0(1)
  Global SLB Metrics Per Rule               8               8(8)
  Global SLB DNS Persistence Cache Entries  100000          100000(100000)
  Filters
  PIPs
  Scriptable Health Checks
  SNMP Health Checks
  Rules for URL Parsing
  SLB Sessions
  Number of Rports to Vport
  Domain Records
  Mapping Per Domain Record
LAYER 4 - PORTS
  Port #   Client   Server   Filter   RTS   (continued)
BWM
  Policies                                  512
  Contracts                                 1024
  Groups                                    32
  Contracts per Group                       8
  Time Policies per Contract                2
Security
  Configuration source IP ACLs
  Bogon source IP ACLs
  Operations source IP ACLs
  Total source IP ACLs
  Configuration destination IP ACLs
  Operations destination IP ACLs
  Total destination IP ACLs
  IP DoS attacks prevention
  TCP DoS attacks prevention
  UDP DoS attacks prevention
  ICMP DoS attacks prevention
  IGMP DoS attacks prevention
  ARP DoS attacks prevention
  IPv6 DoS attacks prevention
  Total DoS attacks prevention
  UDP ports for UDP blast protection
GENERAL
  Syslog hosts
  RADIUS servers
  NTP servers
  SMTP hosts
  Mnet/Mmask
  End Users
  Panic Dumps
  MP memory
  SP memory
SNMPv3
  SNMPv3 Users
  SNMPv3 Views
  SNMPv3 Access
  SNMPv3 Groups
  SNMPv3 Target Address Entries
  SNMPv3 Target Params Entries
[The Current(Enabled) values for the rows left blank, and the limits of the Security, GENERAL and SNMPv3 rows, did not survive extraction of this table.]
/info/sys/fan
Show switch fan status
>> System# fan Fans OK.
/info/sys/temp
Show switch temperature sensor status
>> System# temp Temperature OK.
/info/sys/encrypt
Show encryption licenses
AOS contains the following encryption licenses:
BLOWFISH
DES & 3DES
MD5
RC4
SHA-1
/info/sys/user
Show current user status
Usernames:
  user       - enabled
  slboper    - disabled
  l4oper     - disabled
  oper       - disabled
  slbadmin   - disabled
  l4admin    - disabled
  admin      - Always Enabled
Note: there are pending config changes; use "diff" to see them.
Current User ID table:
/info/sys/dump
System Information Dump
System Information at 7:02:06 Thu Sep 15, 2005 (DST) Time zone: America/Canada/Atlantic-Nova-Scotia (GMT offset -4:00) Alteon Application Switch 2424-SSL Switch is up 3 days, 11 hours, 33 minutes and 48 seconds. Last boot: 18:28:09 Sun Sep 11, 2005 (reset from Telnet) Last apply: unknown Last save: 5 MAC Address: 00:01:81:2e:bc:50 IP (If 1) Address: 0.0.0.0 Internal SSL Processor MAC Address: 00:01:81:2e:bc:6f Hardware Order No: EB1412006 Serial No: ABCDE600MJ Rev: Mainboard Hardware: Part No: P314090-A Rev: Management Processor Board Hardware: Part No: P314080-A Rev: Fast Ethernet Board Hardware: Part No: P314091-A Rev:
09 00 00 00
Note - When the measured temperature inside the switch EXCEEDs the high threshold at 62 degree Celsius a syslog message will be generated. Software Version 23.0.1 (FLASH image2), active configuration. Last 64 syslog messages: Sep 12 10:42:19 NOTICE mgmt: Sep 12 11:03:13 NOTICE mgmt: Sep 12 11:27:48 NOTICE mgmt: Sep 12 11:54:07 NOTICE mgmt: Sep 12 12:19:01 ERROR mgmt: Sep 12 13:57:54 NOTICE mgmt: Sep 12 14:02:58 NOTICE mgmt: Sep 12 14:07:27 NOTICE mgmt: Sep 12 14:10:03 NOTICE mgmt: Sep 12 14:19:44 NOTICE mgmt: Sep 12 14:59:20 NOTICE mgmt: Sep 12 15:08:06 NOTICE mgmt: Sep 12 15:09:43 NOTICE mgmt: Sep 12 15:15:08 NOTICE mgmt: Sep 12 15:15:32 NOTICE mgmt: Sep 12 15:58:30 NOTICE mgmt: Sep 12 16:00:02 NOTICE mgmt: Sep 12 17:56:01 ERROR mgmt: Sep 12 23:33:01 ERROR mgmt: Sep 13 5:10:01 ERROR mgmt: Sep 13 10:47:01 ERROR mgmt: Continued . . .
admin login from host 192.168.0.3 admin connection closed from Telnet/SSH admin login from host 192.168.0.3 admin connection closed from Telnet/SSH tcp open error, cannot contact reporting admin login from host 192.168.0.3 admin login from host 192.168.0.3 admin connection closed from Telnet/SSH admin login from host 192.168.0.3 admin connection closed from Telnet/SSH admin login from host 192.168.0.3 admin connection closed from Telnet/SSH admin idle timeout from Telnet/SSH admin login from host 192.168.0.3 admin connection closed from Telnet/SSH admin login from host 192.168.0.3 admin connection closed from Telnet/SSH tcp open error, cannot contact reporting tcp open error, cannot contact reporting tcp open error, cannot contact reporting tcp open error, cannot contact reporting
server
84
Sep Sep Sep Sep Sep Sep (5) Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep
13 16:24:00 ERROR mgmt: tcp open error, cannot contact reporting server
13 22:01:00 ERROR mgmt: tcp open error, cannot contact reporting server
14 3:38:00 ERROR mgmt: tcp open error, cannot contact reporting server
14 9:15:00 ERROR mgmt: tcp open error, cannot contact reporting server
14 10:23:04 NOTICE mgmt: admin login from host 192.168.0.3
14 10:23:05 ERROR cli: Error: VLAN 5 doesn't exist; the PVID for port 1 changed
14 10:23:05 ERROR cli: Error: PVID 5 for port 1 is not created
14 10:23:05 ERROR mgmt: Error: Apply not done
14 10:24:45 NOTICE mgmt: admin connection closed from Telnet/SSH
14 11:30:36 NOTICE mgmt: admin login from host 192.168.0.3
14 11:35:25 NOTICE mgmt: admin connection closed from Telnet/SSH
14 11:35:40 NOTICE mgmt: admin login from host 192.168.0.3
14 11:39:37 NOTICE mgmt: admin connection closed from Telnet/SSH
14 11:49:12 NOTICE mgmt: admin login from host 192.168.0.3
14 11:58:20 NOTICE mgmt: admin connection closed from Telnet/SSH
14 13:41:54 NOTICE mgmt: admin login from host 192.168.0.3
14 13:46:18 NOTICE mgmt: admin connection closed from Telnet/SSH
14 14:37:07 NOTICE mgmt: admin login from host 192.168.0.3
14 14:52:00 ERROR mgmt: tcp open error, cannot contact reporting server
14 14:58:57 NOTICE mgmt: admin connection closed from Telnet/SSH
14 16:09:44 NOTICE mgmt: admin login from host 192.168.0.3
14 16:20:44 NOTICE mgmt: admin connection closed from Telnet/SSH
14 16:24:58 NOTICE mgmt: admin login from host 192.168.0.3
14 16:30:51 NOTICE mgmt: admin connection closed from Telnet/SSH
14 16:48:16 NOTICE mgmt: admin login from host 192.168.0.3
14 16:50:34 NOTICE mgmt: admin connection closed from Telnet/SSH
14 16:57:47 NOTICE mgmt: admin login from host 192.168.0.3
14 16:57:55 NOTICE mgmt: admin connection closed from Telnet/SSH
14 17:00:02 NOTICE mgmt: admin login from host 192.168.0.3
14 17:04:59 NOTICE mgmt: admin connection closed from Telnet/SSH
14 17:05:49 NOTICE mgmt: admin login from host 192.168.0.3
14 17:06:05 NOTICE mgmt: admin connection closed from Telnet/SSH
14 19:54:04 NOTICE mgmt: admin login from host 192.168.0.3
14 20:00:22 NOTICE mgmt: admin connection closed from Telnet/SSH
14 20:01:47 NOTICE mgmt: admin login from host 192.168.0.3
14 20:22:49 NOTICE mgmt: admin connection closed from Telnet/SSH
14 20:23:10 NOTICE mgmt: admin login from host 192.168.0.3
14 20:23:55 NOTICE mgmt: admin connection closed from Telnet/SSH
14 20:29:00 ERROR mgmt: tcp open error, cannot contact reporting server
14 20:40:41 NOTICE mgmt: admin login from host 192.168.0.3
14 21:43:51 NOTICE mgmt: admin idle timeout from Telnet/SSH
15 2:06:00 ERROR mgmt: tcp open error, cannot contact reporting server
15 6:56:45 NOTICE mgmt: admin login from host 192.168.0.3
Last 64 syslog messages saved in FLASH:
Sep 8 10:44:06 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 10:48:43 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 10:49:32 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 10:50:18 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 10:57:59 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 10:57:42 ERROR cli: Error: IP interface 2 has no IP address configured
Sep 8 10:57:42 ERROR mgmt: Error: Apply not done
Sep 8 10:58:19 INFO mgmt: new configuration applied
Sep 8 10:58:20 INFO mgmt: Operational change made by Admin from Telnet:192.168.0.3, login since 10:56:59
Sep 8 10:58:33 INFO mgmt: new configuration saved
Sep 8 10:58:44 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 11:09:21 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 11:58:21 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 13:11:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 8 15:31:08 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 15:31:21 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 18:48:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 9 0:25:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 9 6:02:04 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 9 9:15:45 NOTICE mgmt: admin login from host 192.168.0.3
Sep 9 9:23:27 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 9 10:32:10 NOTICE mgmt: admin login from host 192.168.0.3
Sep 9 10:33:40 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 9 11:39:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 9 13:37:24 NOTICE mgmt: admin login from host 192.168.0.3
Sep 9 13:37:53 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 9 13:38:07 NOTICE mgmt: Failed login attempt via BBI.
Sep 9 13:38:22 NOTICE mgmt: Failed login attempt via BBI.
Sep 9 16:00:10 NOTICE mgmt: admin login from host 192.168.0.3
Sep 9 16:00:13 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 9 17:16:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 9 22:53:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 10 4:30:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 10 10:07:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 10 15:44:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 10 21:21:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 11 2:58:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 11 8:35:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 11 14:12:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 11 19:21:27 NOTICE mgmt: Failed login attempt via TELNET from host 192.168.249.237
Sep 11 19:21:48 NOTICE mgmt: admin login from host 192.168.0.3
Sep 11 19:25:08 INFO mgmt: image2 downloaded from host 192.168.0.10, file 'AAS-23.0.1.0-2000-AlteonOS.img', software version 23.0.1
Sep 11 19:26:39 NOTICE mgmt: Next boot will use new image2.
Sep 11 19:26:52 NOTICE mgmt: switch reset from CLI
MAC address: 00:03:24:6e:bd:3d
Interface information:
  192.168.0.13 255.255.255.0 192.168.0.255
Gateway information:
  192.168.0.1
Engine ID = 80:00:07:50:03:00:01:81:2E:BC:50

usmUser Table:
User Name
--------------------------------
adminmd5
adminsha
v1v2only

vacmAccess Table:
Group Name Prefix Model
---------- ------ ------
v1v2grp           snmpv1
admingrp          usm

vacmViewTreeFamily Table:
View Name            Subtree                        Mask
-------------------- ------------------------------ --------------
iso                  1
v1v2only             1
v1v2only             1.3.6.1.6.3.15
v1v2only             1.3.6.1.6.3.16
v1v2only             1.3.6.1.6.3.18

vacmSecurityToGroup Table:
Sec Model  User Name
---------- ------------------------------
snmpv1     v1v2only
usm        adminmd5
usm        adminsha

snmpCommunity Table:
Index      Name       User Name            Tag
---------- ---------- -------------------- ---------

snmpNotify Table:
Name                 Tag
-------------------- -------------------

snmpTargetAddr Table:
Name       Transport Addr  Port Taglist    Params
---------- --------------- ---- ---------- --------------

snmpTargetParams Table:
Name                 MP Model User Name            Sec Model Sec Level
-------------------- -------- -------------------- --------- ---------

Slot  IP address       Seg  MAC address        Chassis Type       Local State  Port Id Seg
----- ---------------  ---- -----------------  -----------------  -----------  -----------
/info/l2/fdb
Layer 2 FDB Information
The forwarding database (FDB) contains information that maps the media access control (MAC) address of each known device to the switch port where the device address was learned. The FDB also shows which other ports have seen frames destined for a particular MAC address.
[Forwarding Database Menu]
find  - Show a single FDB entry by MAC address
port  - Show FDB entries on a single port
trunk - Show FDB entries on a single trunk
vlan  - Show FDB entries on a single VLAN
refpt - Show FDB entries referenced by a single SP
dump  - Show all FDB entries
NOTE The master forwarding database supports up to 16K MAC address entries on the MP per switch. Each SP supports up to 8K entries.

Table 4-14 Layer 2 FDB Information Menu Options (/info/l2/fdb)

Command Syntax and Usage
find <MAC address> [<VLAN>]
  Displays a single database entry by its MAC address. You are prompted to enter the MAC address of the device. Enter the MAC address using the format xx:xx:xx:xx:xx:xx, for example 08:00:20:12:34:56. You can also enter the MAC address using the format xxxxxxxxxxxx, for example 080020123456.
port <port number, 0 for "unknown">
  Displays all FDB entries for a particular port.
trunk <trunk group number>
  Displays all FDB entries on a single trunk.
vlan <VLAN number (1-4090)>
  Displays all FDB entries on a single VLAN.
refpt <SP number (1-4)>
  Displays the FDB entries referenced by a single port.
dump
  Displays all entries in the Forwarding Database. For more information, see page 92.
/info/l2/fdb/dump
Show All FDB Information
MAC address        VLAN  Port  State  Referenced SPs  Referenced ports
-----------------  ----  ----  -----  --------------  ----------------
00:02:01:00:00:00   300    23  FWD    1 2             1 23
00:02:01:00:00:01   300    23  FWD    1 2             1 23
00:02:01:00:00:02   300    23  FWD    1 2             1 23
00:02:01:00:00:03   300    23  FWD    1 2             1 23
00:02:01:00:00:04   300    23  FWD    1 2             1 23
00:02:01:00:00:05   300    23  FWD    1 2             1 23
00:02:01:00:00:06   300    23  FWD    1 2             1 23
00:02:01:00:00:07   300    23  FWD    1 2             1 23
00:02:01:00:00:08   300    23  FWD    1 2             1 23
00:02:01:00:00:09   300    23  FWD    1 2             1 23
00:02:01:00:00:0a   300    23  FWD    1 2             1 23
00:02:01:00:00:0b   300    23  FWD    1 2             1 23
00:02:01:00:00:0c   300    23  FWD    1 2             1 23
An address in the forwarding (FWD) state has been learned by the switch. When an address is in the trunking (TRK) state, the Port field holds the trunk group number. If the state is unknown (UNK), the switch has not yet learned the MAC address but has only seen it as a destination address. In that case no outbound port is shown, although the ports that reference the address as a destination are listed under Referenced ports. If the state is interface (IF), the MAC address belongs to a standard VRRP virtual router. If the state is virtual server (VIP), the MAC address belongs to a virtual server router, that is, a virtual router with the same IP address as a virtual server.
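As an added example (not Nortel's code), the following Python parses dump output in this fixed-width layout, using the dashed ruler under the header to find the column boundaries, and applies the State meanings described above. The sample rows are constructed, and the same ruler-based approach works for the other ruler-delimited dumps in this chapter.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Meaning of the State column, as the manual describes it for /info/l2/fdb/dump.
STATE_MEANING = {
    "FWD": "learned by the switch; Port is the outbound port",
    "TRK": "learned on a trunk; Port is the trunk group number",
    "UNK": "not learned; seen only as a destination address, no outbound port",
    "IF": "MAC address of a standard VRRP virtual router",
    "VIP": "MAC address of a virtual server router",
}


@dataclass
class FdbEntry:
    mac: str
    vlan: int
    port: Optional[int]          # None for UNK entries (no outbound port shown)
    state: str
    ref_sps: List[int] = field(default_factory=list)
    ref_ports: List[int] = field(default_factory=list)

    @property
    def trunk_group(self) -> Optional[int]:
        """In the TRK state the Port column carries the trunk group number."""
        return self.port if self.state == "TRK" else None

    def describe(self) -> str:
        return STATE_MEANING.get(self.state, "unrecognised state " + self.state)


def _column_spans(ruler: str):
    """Derive (start, end) character spans from the dashed ruler line."""
    return [(m.start(), m.end()) for m in re.finditer(r"-+", ruler)]


def parse_fdb_dump(text: str) -> List[FdbEntry]:
    """Parse the fixed-width dump: the dashed ruler defines the columns, so a
    blank cell (an UNK entry's Port) and multi-valued cells (Referenced SPs,
    Referenced ports) are read correctly, which whitespace splitting cannot do."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    ruler_idx = next(i for i, ln in enumerate(lines) if ln.lstrip().startswith("---"))
    spans = _column_spans(lines[ruler_idx])
    entries = []
    for row in lines[ruler_idx + 1:]:
        cells = [row[s:e].strip() for s, e in spans]
        cells[-1] = row[spans[-1][0]:].strip()  # last column may run past the ruler
        mac, vlan, port, state, sps, ports = cells
        entries.append(FdbEntry(
            mac=mac.lower(),
            vlan=int(vlan),
            port=int(port) if port else None,
            state=state,
            ref_sps=[int(x) for x in sps.split()],
            ref_ports=[int(x) for x in ports.split()],
        ))
    return entries


def unlearned_destinations(entries: List[FdbEntry]) -> List[FdbEntry]:
    """Entries the switch has only seen as destinations (UNK): the dump shows
    no outbound port for them, only the ports that referenced the address."""
    return [e for e in entries if e.state == "UNK"]


# Constructed sample in the dump's layout (not output from a real switch).
SAMPLE_DUMP = """\
MAC address       VLAN Port State Referenced SPs Referenced ports
----------------- ---- ---- ----- -------------- ----------------
00:02:01:00:00:00  300   23  FWD  1 2            1 23
00:02:01:00:00:01  300    1  TRK  1              5 6
00:02:01:00:00:02  300       UNK  3              7
00:01:81:2e:a1:80    1    5  IF   1 2 3 4        1 2
"""

if __name__ == "__main__":
    entries = parse_fdb_dump(SAMPLE_DUMP)
    for e in entries:
        where = f"trunk {e.trunk_group}" if e.trunk_group else f"port {e.port}"
        print(f"{e.mac} vlan {e.vlan} {e.state:3} {where}: {e.describe()}")
    for e in unlearned_destinations(entries):
        print(f"not yet learned: {e.mac}, referenced by ports {e.ref_ports}")
```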
aggr - Show LACP aggregator information for the port
port - Show LACP port information
dump - Show all LACP ports information

Table 4-15 Link Aggregation Control Protocol Information Menu Options (/info/lacp)

Command Syntax and Usage
aggr <aggregator index 1 to max num ports>
  Displays information about an LACP aggregator.
port <port index 1 to max num ports>
  Displays information about an LACP port.
dump
  Displays LACP information for all ports. Use this command to verify the state of ports in an LACP trunk group. To view a sample output, see page 96.
/info/lacp/aggr
LACP Aggregator Information
Aggregator Id 1
---------------------------------------------
MAC address - 00:01:81:2e:a1:d1
Actor System Priority - 32768
Actor System ID - 00:01:81:2e:a1:b0
Individual - FALSE
Actor Admin Key - 300
Actor Oper Key - 300
Partner System Priority - 32768
Partner System ID - 00:0d:29:e3:4a:00
Partner Oper Key - 1
ready - TRUE
Number of Ports in aggr - 10
  index 0 port 1
  index 1 port 2
  index 2 port 3
  index 3 port 4
  index 4 port 5
  index 5 port 6
  index 6 port 7
  index 7 port 8
  index 8 port 9
  index 9 port 10
/info/lacp/port
LACP Port Information
port 1
---------------------------------------------
lacp_enabled - TRUE
lacp_admin_enabled - TRUE
Actor System ID - 00:01:81:2e:a1:b0
Actor System Priority - 32768
Actor Admin Key - 300
Actor Oper Key - 300
Actor Port Number - 1
Actor Port Priority - 32768
Partner Admin System Priority - 0
Partner Oper System Priority - 32768
Partner Admin System ID - 00:00:00:00:00:00
Partner Oper System ID - 00:0d:29:e3:4a:00
Partner Admin Key - 0
Partner Oper Key - 1
Partner Admin Port Number - 0
Partner Admin Port Priority - 0
Partner Oper Port Number - 4
Partner Oper Port Priority - 32768
Actor Admin Port state
  Activity: Active    Timeout:
  Aggregation: TRUE   Synchronization: FALSE
  Collecting:         Distributing: FALSE
  Defaulted: FALSE    Expired:
Actor Oper Port state
  Activity: Active    Timeout:
  Aggregation: TRUE   Synchronization: TRUE
  Collecting:         Distributing: TRUE
  Defaulted: FALSE    Expired:
Partner Admin Port state
Partner Oper Port state - 0x0
Individual - TRUE
Selected Aggregator ID - 0
Attached Aggregator ID - 0
ready_n - FALSE
ntt - FALSE
selected - Unselcted
port_moved - FALSE
Collection and Distribution state turned ON!
Rx machine state - LACP_RX_INIT_STATE
Mux machine state - LACP_MUX_DETACHED_STATE
Periodic machine state - LACP_PERIODIC_NO_STATE
/info/lacp/dump
LACP Dump Information
port  lacp    adminkey  operkey  selected  prio   attached trunk  aggr
------------------------------------------------------------------
   1  active       300      300  y         32768               1    13
   2  active       300      300  y         32768               1    13
   3  active       300      300  y         32768               1    13
   4  active       300      300  y         32768               1    13
   5  active       300      300  y         32768               1    13
   6  active       300      300  y         32768               1    13
   7  active       300      300  y         32768               1    13
   8  active       300      300  y         32768               1    13
   9  active       300      300  n         32768              --
  10  active       300      300  n         32768              --
  11  active       300      300  n         32768              --
  12  active       300      300  n         32768              --
  13  active       300      300  n         32768              --
  14  off           14       14  n         32768              --
  15  off           15       15  n         32768              --
  16  off           16       16  n         32768              --
  17  off           17       17  n         32768              --
  18  off           18       18  n         32768              --
  19  off           19       19  n         32768              --
  20  off           20       20  n         32768              --
  21  off           21       21  n         32768              --
  22  off           22       22  n         32768              --
  23  off           23       23  n         32768              --
  24  off           24       24  n         32768              --
  25  off           25       25  n         32768              --
  26  off           26       26  n         32768              --
  27  off           27       27  n         32768              --
  28  off           28       28  n         32768              --
/info/l2/stg
Layer 2 Spanning Tree Group Information
When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the network so that a switch uses only the most efficient path.
NOTE Nortel Application Switch Operating System 23.0.2 supports up to 16 Spanning Trees, or Spanning Tree Groups.
Spanning Tree Group 1: On

Current Root:            Path-Cost  Port  Hello  MaxAge  FwdDel  Aging
8000 00:01:81:2e:a1:80           0     0      2      20      15    300

Parameters:  Priority  Hello  MaxAge  FwdDel  Aging
                32768      2      20      15    300

Port  Priority  Cost  State       Designated Bridge       Designated Port
----  --------  ----  ----------  ----------------------  ---------------
   1       128     0  DISABLED
   2       128     0  DISABLED
   3       128     0  DISABLED
   4       128     0  DISABLED
   5       128     5  FORWARDING  8000-00:01:81:2e:a1:80  32773
   6       128     0  DISABLED
   7       128     0  DISABLED
   8       128     0  DISABLED
   9       128     0  DISABLED
  10       128     0  DISABLED
  11       128     0  DISABLED
The switch software uses the IEEE 802.1d Spanning Tree Protocol (STP). In addition to seeing if STP is enabled or disabled, you can view the following STP bridge information:
  Priority
  Hello interval
  Maximum age value
  Forwarding delay
  Aging time

You can also see the following port-specific STP information:
  Port number and priority
  Cost
  State
  Designated Bridge
  Designated Port

The following table describes the STP parameters.

Table 4-16 Spanning Tree Parameter Descriptions
Parameter          Description
Priority (bridge)  The bridge priority parameter controls which bridge on the network will become the STP root bridge.
Hello              The hello time parameter specifies, in seconds, how often the root bridge transmits a configuration bridge protocol data unit (BPDU). Any bridge that is not the root bridge uses the root bridge hello value.
MaxAge             The maximum age parameter specifies, in seconds, the maximum time the bridge waits without receiving a configuration bridge protocol data unit before it reconfigures the STP network.
FwdDel             The forward delay parameter specifies, in seconds, the amount of time that a bridge port has to wait before it changes from learning state to forwarding state.
Aging              The aging time parameter specifies, in seconds, the amount of time the bridge waits without receiving a packet from a station before removing the station from the Forwarding Database.
Priority (port)    The port priority parameter helps determine which bridge port becomes the designated port. In a network topology that has multiple bridge ports connected to a single segment, the port with the lowest port priority becomes the designated port for the segment.
Cost               The port path cost parameter is used to help determine the designated port for a segment. Generally speaking, the faster the port, the lower the path cost. A setting of 0 indicates that the cost will be set to the appropriate default after the link speed has been auto-negotiated.
State              The state field shows the current state of the port. The state field can be either BLOCKING, LISTENING, LEARNING, FORWARDING, or DISABLED.
Designated port
/info/l2/cist
Show common internal spanning tree (CIST) information
NOTE Nortel Application Switch Operating System 23.0.2 supports up to 16 Spanning Trees, or Spanning Tree Groups.

-----------------------------------------------------------------
Common Internal Spanning Tree: VLANs: 1 4-4094

Current Root:            Path-Cost  Port  MaxAge  FwdDel
8000 00:01:81:2e:bc:50           0     0      20      15

Cist Regional Root:      Path-Cost
8000 00:01:81:2e:bc:50           0

Parameters:  Priority  MaxAge  FwdDel  Hops
                32768      20      15    20

Port    Prio  Cost       State  Role  Designated Bridge       Des Port  Hello  Type
-----   ----  ---------  -----  ----  ----------------------  --------  -----  ----
1       128   20000      DSB
2       128   20000      DSB
3       128   20000      DSB
4       128   20000      DSB
5       128   20000      DSB
6       128   20000      DSB
7       128   20000      DSB
. . .
18      128   20000      DSB
19      128   20000      DSB
20      128   20000      DSB
21      128   20000      DSB
22      128   20000      DSB
23      128   20000      DSB
24      128   20000      DSB
25      128   20000      DSB
26      128   20000      DSB
27      128   20000      DSB
28      128   20000      DSB
sslpro  128   20000      DISC   DESG  8000-00:01:81:2e:bc:50  801d      2      Shared
/info/l2/trunk
Trunk Group Information
Trunk groups can provide super-bandwidth, multi-link connections between Nortel Application Switches or other trunk-capable devices. A trunk group is a group of ports that act together, combining their bandwidth to create a single, larger virtual link. When trunk groups are configured, you can view the state of each port in the various trunk groups.
Trunk group 1, bw contract 1024, port state:
  1: STG 1 forwarding
  2: STG 1 forwarding
NOTE If Spanning Tree Protocol on any port in the trunk group is set to forwarding, the remaining ports in the trunk group will also be set to forwarding.
/info/l2/vlan
VLAN Information
VLAN  Name                              Status  Jumbo  BWC   Learn  Ports
----  --------------------------------  ------  -----  ----  -----  -----
1     Default VLAN                      ena     n      1024  ena    1-28

This information display includes all configured VLANs and all member ports that have an active link state. Port membership is represented in slot/port format. VLAN information includes:
  VLAN Number
  VLAN Name
  Status
  Jumbo Frames
  Bandwidth Contract (if BWM is enabled)
  Source MAC Address Learning
  Port membership of the VLAN
/info/l2/team
Status of port teams
>> Layer 2# team All port teams are disabled.
/info/l2/dump
Layer2 Dump Information
Spanning Tree Group 1: On

Current Root:            Path-Cost  Port  Hello  MaxAge  FwdDel  Aging
8000 00:01:81:2e:a1:80           0     0      2      20      15    300

Parameters:  Priority  Hello  MaxAge  FwdDel  Aging
                32768      2      20      15    300

Port  Priority  Cost  State       Designated Bridge       Designated Port
----  --------  ----  ----------  ----------------------  ---------------
   1       128     0  DISABLED
   2       128     0  DISABLED
   3       128     0  DISABLED
   4       128     0  DISABLED
   5       128     5  FORWARDING  8000-00:01:81:2e:a1:80  32773
   6       128     0  DISABLED
   7       128     0  DISABLED
   8       128     0  DISABLED
   9       128     0  DISABLED
  10       128     0  DISABLED
  11       128     0  DISABLED
  12       128     0  DISABLED
/info/l3/route
IP Routing Information
[IP Routing Menu]
find - Show a single route by destination IP address
gw   - Show routes to a single gateway
type - Show routes of a single type
tag  - Show routes of a single tag
if   - Show routes on a single interface
dump - Show all routes

Using the commands listed below, you can display all or a portion of the IP routes currently held in the switch.

Table 4-18 Route Information Menu Options (/info/route)

Command Syntax and Usage
find <IP address (such as 192.4.17.101)>
  Displays a single route by destination IP address.
gw <default gateway address (such as 192.4.17.44)>
  Displays routes to a single gateway.
type indirect|direct|local|broadcast|martian|multicast
  Displays routes of a single type. For a description of IP routing types, see Table 4-19 on page 109.

NOTE The total number of interfaces on a Nortel Application Switch 2424-SSL is 1-255.

dump
  Displays all routes configured in the switch. For more information, see page 108.
/info/l3/route/dump
Show All IP Route Information
Status code: * - best
Destination      Mask             Gateway          Type       Tag        Metr  If
---------------  ---------------  ---------------  ---------  ---------  ----  --
* 0.0.0.0          0.0.0.0          47.80.22.1       indirect   static           1
* 47.80.22.0       255.255.254.0    47.80.23.249     direct     fixed            1
* 47.80.23.249     255.255.255.255  47.80.23.249     local      addr             1
* 47.80.23.255     255.255.255.255  47.80.23.255     broadcast  broadcast        1
* 127.0.0.0        255.0.0.0        0.0.0.0          martian    martian
* 224.0.0.0        224.0.0.0        0.0.0.0          martian    martian
* 224.0.0.5        255.255.255.255  0.0.0.0          multicast  addr
* 224.0.0.6        255.255.255.255  0.0.0.0          multicast  addr
* 255.255.255.255  255.255.255.255  255.255.255.255  broadcast  broadcast
Type Parameters
The following table describes the Type parameters. Table 4-19 IP Routing Type Parameters (/info/l3/route/dump/type)
Parameter  Description
indirect   The next hop to the host or subnet destination will be forwarded through a router at the Gateway address.
direct     Packets will be delivered to a destination host or subnet attached to the switch.
local      Indicates a route to one of the switch's IP interfaces.
broadcast  Indicates a broadcast route.
martian    The destination belongs to a host or subnet which is filtered out. Packets to this destination are discarded.
multicast  Indicates a multicast route.
Tag Parameters
The following table describes the Tag parameters. Table 4-20 IP Routing Tag Parameters (info/l3/route/tag)
Parameter  Description
fixed      The address belongs to a host or subnet attached to the switch.
static     The address is a static route which has been configured on the Nortel Application Switch.
addr       The address belongs to one of the switch's IP interfaces.
rip        The address was learned by the Routing Information Protocol (RIP).
ospf       The address was learned by Open Shortest Path First (OSPF).
bgp        The address was learned via Border Gateway Protocol (BGP).
broadcast  Indicates a broadcast address.
martian    The address belongs to a filtered group.
vip        Indicates a route destination that is a virtual server IP address. VIP routes are needed to advertise virtual server IP addresses via BGP.
/info/l3/route6
IPv6 Routing Information Menu
This menu provides a mechanism for viewing IPv6 routing information. The IPv6 routing table stores routes learned from network traffic as well as pre-configured static routes.
NOTE Presently there is no mechanism for clearing this IPv6 routing table.

[IP6 Routing Menu]
dump - Show all routes

Table 4-21 provides a description of this menu.

Table 4-21 IPv6 Routing Information Menu Options (/info/l3/route6)

Command Syntax and Usage
dump
  The /info/l3/route6/dump command shows all the IPv6 routes maintained. Because each link-local interface is shown with an entry prefix of /128, the link-local network (such as FE80::/10) is not shown for each interface, to avoid too many network entries in the table.
/info/l3/arp
ARP Information Menu
Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet layer. ARP resolves a physical address from an IP address. ARP queries machines on the local network for their physical addresses. ARP also maintains IP to physical address pairs in its cache memory. In any IP communication, the ARP cache is consulted to see if the IP address of the router is present in the ARP cache. Then the corresponding physical address is used to send a packet.
[Address Resolution Protocol Menu]
find  - Show a single ARP entry by IP address
port  - Show ARP entries on a single port
vlan  - Show ARP entries on a single VLAN
refpt - Show ARP entries referenced by a single SP
dump  - Show all ARP entries
help  - Show help on the fields of ARP entries
addr  - Show ARP address list
The ARP information includes IP address and MAC address of each entry, address status flags (see Table 4-23 on page 114), VLAN and port for the address, and port referencing information. Table 4-22 ARP Information Menu Options (/info/l3/arp)
Command Syntax and Usage
find <IP address (such as 192.4.17.101)>
  Displays a single ARP entry by IP address.
port <port number>
  Displays the ARP entries on a single port.
vlan <VLAN number (1-4090)>
  Displays the ARP entries on a single VLAN.
refpt <SP number (1-4)>
  Displays the ARP entries referenced by a single SP. For details, see page 113.
addr
  Displays the ARP address list: IP address, IP mask, MAC address, and VLAN flags.
/info/l3/arp/refpt
Show ARP Entries on Referenced SP
IP address      Flags  MAC address        VLAN  Port  Referenced SPs
--------------  -----  -----------------  ----  ----  --------------
47.80.23.249    P      00:0e:40:2f:5b:00  1           1-4
/info/l3/arp/dump
Show All ARP Entry Information
IP address       Flags  MAC address        VLAN  Port  Referenced SPs
---------------  -----  -----------------  ----  ----  --------------
1.1.11.1         P 4    00:09:97:16:5f:01              1-4
10.10.10.10      P 4    00:09:97:16:5f:01              1-4
47.80.22.1              00:e0:16:7c:28:86  1     23    empty
47.80.23.81      P      00:09:97:16:5f:00  1           1-4
172.31.3.1       P      00:09:97:16:5f:00  1           1-4
172.31.3.10             00:b0:d0:98:d8:1b  1     3     empty
172.31.3.11             00:b0:d0:98:d8:1b  1     3     empty
Referenced ports are the ports that request the ARP entry, so traffic arriving on the referenced ports carries the destination IP address of that ARP entry. From the referenced ports, this traffic is forwarded to the egress port (port 6 in the above example).
NOTE If VMA is turned on, the referenced port is the designated port. If VMA is turned off, the designated port is the normal ingress port.
The Flag field is interpreted as follows:

Table 4-23 ARP Dump Flag Parameters

Flag  Description
P     Permanent entry created for switch IP interface.
P 4   Permanent entry created for Layer 4 proxy IP address or virtual server IP address.
R     Indirect route entry.
U     Unresolved ARP entry. The MAC address has not been learned.
J     ARP entry belongs to a Jumbo capable VLAN.
/info/l3/arp/addr
ARP Address List Information
IP address       IP mask          MAC address        VLAN  Flags
---------------  ---------------  -----------------  ----  -----
10.10.10.10      255.255.255.255  00:09:97:16:5f:01
1.1.11.1         255.255.255.255  00:09:97:16:5f:01
172.31.4.200     255.255.255.255  00:09:97:16:5f:0e        D
172.31.3.1       255.255.255.255  00:09:97:16:5f:00  1
172.31.4.1       255.255.255.255  00:09:97:16:5f:00  1
47.80.23.81      255.255.255.255  00:09:97:16:5f:00  1
/info/l3/nbrcache
IPv6 Neighbor Cache Information
This menu provides a mechanism for viewing IPv6 Neighbor Cache information. IPv6 uses the Neighbor Discovery (ND) protocol to discover its neighbors' link-layer addresses and neighbor reachability. ND can also auto-configure addresses and detect duplicate addresses. ND enables routers to advertise their presence and address prefixes and to inform hosts of a better next-hop address to forward packets. The information collected from ND is stored in the Neighbor Cache. The Neighbor Cache maintains information about each neighbor such as:
  MAC Address
  Reachability State
  Neighbor Type
  VLAN
  Ingress Port
Neighbor Cache entries are added in a number of situations:
1. Entries are added when an IPv6 Interface or Virtual IP is operational.
2. Reception of ND messages from a neighbor.
3. A switch sends ND packets to resolve a link-layer address that it wishes to send packets to.

There are 5 reachability states:
INCOMPLETE  The link-layer address of the neighbor has not yet been determined.
REACHABLE   The neighbor is known to have been reachable recently.
STALE       The neighbor is no longer known to be reachable, but until traffic is sent to the neighbor, no attempt should be made to verify its reachability.
DELAY       The neighbor is no longer known to be reachable, and traffic has recently been sent to the neighbor.
PROBE       The neighbor is no longer known to be reachable, and ND messages are sent to the neighbor to verify reachability.
The neighbor types are LOCAL and DYNAMIC. The LOCAL neighbor type is for switch pre-configured addresses and DYNAMIC is for neighbor addresses learnt from ND.
NOTE Once the Neighbor Cache table reaches 2000 entries, table entries are replaced by adding the new entry and dropping the 2000th entry off the list. Table entries are kept until the entry is replaced by a new one. While the table is full at 2000 entries, new entries are not included in the sorted display.
[IP6 Neighbor Discovery Protocol Menu] dump - Show all IP6 neighbor cache entries
Table 4-24 provides a description of this menu. Table 4-24 IPv6 Neighbor Cache Information Menu (/info/l3/nbrcache)
Command Syntax and Usage dump Displays all IPv6 neighbor cache entries.
Total dynamic neighbor cache entries: 3 Total local neighbor cache entries: 4 Other neighbor cache entries: 0
/info/l3/bgp
BGP Information Menu
Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to share routing information with each other and advertise information about the segments of the IP address space they can access within their network with routers on external networks. For more information, refer to BGP section in chapter: The Configuration Menu on page 257 and the Application Guide.
[BGP Menu]
peer    - Show all BGP peers
summary - Show all BGP peers in summary
dump    - Show BGP routing table
/info/l3/bgp/peer
BGP Peer information
Following is an example of the information that /info/l3/bgp/peer provides.
BGP Peer Information:
3: 2.1.1.1 , version 0, TTL 1
   Remote AS: 0, Local AS: 0, Link type: IBGP
   Remote router ID: 0.0.0.0, Local router ID: 1.1.201.5
   BGP status: idle, Old status: idle
   Total received packets: 0, Total sent packets: 0
   Received updates: 0, Sent updates: 0
   Keepalive: 0, Holdtime: 0, MinAdvTime: 60
   LastErrorCode: unknown(0), LastErrorSubcode: unspecified(0)
   Established state transitions: 0
4: 2.1.1.4 , version 0, TTL 1
   Remote AS: 0, Local AS: 0, Link type: IBGP
   Remote router ID: 0.0.0.0, Local router ID: 1.1.201.5
   BGP status: idle, Old status: idle
   Total received packets: 0, Total sent packets: 0
   Received updates: 0, Sent updates: 0
   Keepalive: 0, Holdtime: 0, MinAdvTime: 60
   LastErrorCode: unknown(0), LastErrorSubcode: unspecified(0)
   Established state transitions: 0
/info/l3/bgp/summary
BGP Summary information
Following is an example of the information that /info/l3/bgp/summary provides.
BGP Peer Summary Information:
Peer               V  AS        MsgRcvd   MsgSent   Up/Down   State
---------------    -  --------  --------  --------  --------  -----------
1: 205.178.23.142  4  142       113       121       00:00:28  established
2: 205.178.15.148  0  148       0         0         never     connect
/info/l3/bgp/dump
Dump BGP Information
Following is an example of the information that /info/l3/bgp/dump provides.
>> BGP# dump
Status codes: * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network            Next Hop         Metr   LcPrf  Wght
---------------    ---------------  -----  -----  ----
*> 10.0.0.0        205.178.21.147   1             256
*>i205.178.15.0    0.0.0.0
*                  205.178.21.147   1             128
*> 205.178.17.0    205.178.21.147   1             128
   13.0.0.0        205.178.21.147   1             256
/info/l3/ospf
OSPF Information Menu
Nortel Application Switch Operating System supports the Open Shortest Path First (OSPF) routing protocol. The Nortel Application Switch Operating System implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed. For more information on how to configure OSPF on the switch, refer to the OSPF section in chapter The Configuration Menu on page 257 and your Nortel Application Switch Operating System Application Guide.

[OSPF Information Menu]
general - Show general information
aindex  - Show area(s) information
if      - Show interface(s) information
virtual - Show details of virtual links
nbr     - Show neighbor(s) information
dbase   - Database Menu
sumaddr - Show summary address list
nsumadd - Show NSSA summary address list
routes  - Show OSPF routes
dump    - Show OSPF information
/info/l3/ospf/general
OSPF General Information
OSPF Version 2
Router ID: 47.80.23.247
Started at 95 and the process uptime is 352315
Area Border Router: yes, AS Boundary Router: no
LS types supported are 6
External LSA count 0
External LSA checksum sum 0x0
Number of interfaces in this router is 2
Number of virtual links in this router is 1
16 new lsa received and 34 lsa originated from this router
Total number of entries in the LSDB 10
Database checksum sum 0x0
Total neighbors are 1, of which 2 are >=INIT state, 2 are >=EXCH state, 2 are =FULL state
Number of areas is 2, of which 3-transit 0-nssa
  Area Id : 0.0.0.0
  Authentication : none
  Import ASExtern : yes
  Number of times SPF ran : 8
  Area Border Router count : 2
  AS Boundary Router count : 0
  LSA count : 5
  LSA Checksum sum : 0x2237B
  Summary : noSummary
/info/l3/ospf/if
OSPF Interface Information
Ip Address 10.10.12.1, Area 0.0.0.1, Admin Status UP
  Router ID 10.10.10.1, State DR, Priority 1
  Designated Router (ID) 10.10.10.1, Ip Address 10.10.12.1
  Backup Designated Router (ID) 10.10.14.1, Ip Address 10.10.12.2
  Timer intervals, Hello 10, Dead 40, Wait 1663, Retransmit 5, Poll interval 0, Transit delay 1
  Neighbor count is 1
  If Events 4, Authentication type none
/info/l3/ospf/dbase
OSPF Database Information
[OSPF Database Menu]
advrtr  - LS Database info for an Advertising Router
asbrsum - ASBR Summary LS Database info
dbsumm  - LS Database summary
ext     - External LS Database info
nw      - Network LS Database info
nssa    - NSSA External LS Database info
rtr     - Router LS Database info
self    - Self Originated LS Database info
summ    - Network-Summary LS Database info
all     - All
/info/l3/ospf/routes
OSPF Information Route Codes
Codes: IA - OSPF inter area,
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
IA 10.10.0.0/16 via 200.1.1.2
IA 40.1.1.0/28 via 20.1.1.2
IA 80.1.1.0/24 via 200.1.1.2
IA 100.1.1.0/24 via 20.1.1.2
IA 140.1.1.0/27 via 20.1.1.2
IA 150.1.1.0/28 via 200.1.1.2
E2 172.18.1.1/32 via 30.1.1.2
E2 172.18.1.2/32 via 30.1.1.2
E2 172.18.1.3/32 via 30.1.1.2
E2 172.18.1.4/32 via 30.1.1.2
E2 172.18.1.5/32 via 30.1.1.2
E2 172.18.1.6/32 via 30.1.1.2
E2 172.18.1.7/32 via 30.1.1.2
E2 172.18.1.8/32 via 30.1.1.2
/info/ospf/dump
OSPF Dump Information
OSPF Version 2
Router ID: 1.1.1.1
Started at 42 and the process uptime is 1197051
Area Border Router: no, AS Boundary Router: no
External LSA count 0
Number of interfaces in this router is 0
Number of virtual links in this router is 0
0 new lsa received and 0 lsa originated from this router
Total number of entries in the LSDB 0
Total neighbors are 0, of which 0 are >=INIT state, 0 are >=EXCH state, 0 are =FULL state
Number of areas is 0, of which 0-transit 0-nssa

OSPF Neighbors:
Intf NeighborID Prio State Address
---- ---------- ---- ----- -------

OSPF LS Database:
OSPF LSDB breakdown for router with ID (1.1.1.1)
No areas enabled.
/info/l3/ip
IP Information
Interface information:
  1: 47.80.23.81  255.255.254.0  47.80.23.255, vlan 1, up
  2: 172.31.4.1   255.255.255.0  172.31.4.255, vlan 1, up
  3: 172.31.3.1   255.255.255.0  172.31.3.255, vlan 1, up
Default gateway information: metric strict
  2: 47.80.22.1, vlan any, up
Current IP forwarding settings: ON, dirbr disabled
Current local networks:
Current IP port settings:
  All other ports have forwarding ON
Current network filter settings: none
Current route map settings:
Current OSPF settings: ON
  Default route none
  Router ID: 1.1.1.1
  lsdb limit 0
/info/l3/vrrp
VRRP Information
Virtual Router Redundancy Protocol (VRRP) support on Nortel Application Switch provides redundancy between routers in a LAN. This is accomplished by configuring the same virtual router IP address and ID number on each participating VRRP-capable routing device. One of the virtual routers is then elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address. Refer to your Nortel Application Switch Operating System Application Guide for more information on VRRP.
VRRP information:
  10: vrid 10, 10.1.2.200, if 10, renter, prio 110, master
  11: vrid 11, 11.1.2.200, if 11, renter, prio 118, master
  12: vrid 12, 12.1.2.200, if 12, renter, prio 102, backup
  13: vrid 13, 13.1.2.200, if 13, renter, prio 118, master
  14: vrid 14, 14.1.2.200, if 14, renter, prio 102, backup
  20: vrid 20, 20.1.2.200, if 20, renter, prio 110, master
  27: vrid 27, 27.1.2.200, if 27, renter, prio 118, master
  28: vrid 28, 28.1.2.200, if 28, renter, prio 102, backup
  100: vrid 100, 172.21.8.100, if 172, renter, prio 110, master, server
  172: vrid 172, 172.21.8.200, if 172, renter, prio 110, master
  254: vrid 254, 27.1.2.100, if 27, renter, prio 102, backup, server
  255: vrid 255, 28.1.2.100, if 28, renter, prio 118, master, server

VRRP information:
  1: vrid 2, 205.178.18.210, if 1, renter, prio 100, master, server
  2: vrid 1, 205.178.18.202, if 1, renter, prio 100, backup
  3: vrid 3, 205.178.18.204, if 1, renter, prio 100, master, proxy
When virtual routers are configured, you can view the status of each virtual router using this command. VRRP information includes:
- Virtual router number
- Virtual router ID and IP address
- Interface number
- Ownership status. owner identifies the preferred master virtual router; a virtual router is the owner when the IP address of the virtual router and its IP interface are the same. renter identifies virtual routers which are not owned by this device.
- Priority value. During the election process, the virtual router with the highest priority becomes master.
- Activity status. master identifies the elected master virtual router; backup identifies that the virtual router is in backup mode.
- Server status. The server state identifies virtual routers that support Layer 4 services. These are known as virtual server routers: any virtual router whose IP address is the same as any configured virtual server IP address.
- Proxy status. The proxy state identifies virtual proxy routers, where the virtual router shares the same IP address as a proxy IP address. The use of virtual proxy routers enables redundant switches to share the same IP address, minimizing the number of unique IP addresses that must be configured.
/info/l3/dump
Layer3 Dump Information
This command dumps all the information about Layer 3 parameters. This dump is a collection of all the individual commands described in the sections above.
IP information:
  Router ID: 45.1.1.201, AS number 100
Default gateway information: metric strict
Current IP forwarding settings: ON, dirbr disabled
Current local networks:
Current IP port settings:
  All other ports have forwarding ON
Current network filter settings: none
Current route map settings:
Current BGP settings: ON, pref 100, AS number 100
Current BGP peer settings:
  1: 45.1.1.203, ras 300, hold 180, alive 60, adv 60
     retry 120, orig 15, ttl 1, enabled
     metric none, default none, rip disabled, ospf disabled
     fixed disabled, static disabled, vip disabled
     in-rmap: empty
     out-rmap: empty
Current BGP aggr settings:
Virtual Router Redundancy is globally turned OFF.
ARP cache information:
IP address      Flags MAC address       VLAN Port  Referenced SPs
--------------- ----- ----------------- ---- ----- --------------
45.1.1.75             00:0f:06:ec:8a:00 1    24    empty
45.1.1.201      P     00:01:81:2e:a2:20 1          1-4
45.1.1.202            00:09:97:5e:69:00 1    24    empty
172.21.1.254    P     00:01:81:2e:a2:20 1          1-4
205.1.1.1             00:09:6b:b5:0b:d6 1    24    empty
205.1.1.2             00:09:6b:b5:08:48 1    24    empty
205.1.1.3             00:09:6b:00:6f:b7 1    24    empty
205.1.1.4             00:09:6b:00:76:1b 1    24    empty
205.1.1.5             00:09:6b:00:74:97 1    24    empty
205.1.1.6             00:09:6b:00:71:bb 1    24    empty
205.1.1.100     P     00:01:81:2e:a2:2e 4          1-4
205.1.1.201     P     00:01:81:2e:a2:20 1          1-4
ARP address information:
IP address      IP mask          MAC address       VLAN Flags
--------------- ---------------  ----------------- ---- -----
205.1.1.100     255.255.255.255  00:01:81:2e:a2:2e      D
172.21.1.254    255.255.255.255  00:01:81:2e:a2:20 1
205.1.1.201     255.255.255.255  00:01:81:2e:a2:20 1
45.1.1.201      255.255.255.255  00:01:81:2e:a2:20 1

Route table information:
Status code: * - best
  Destination      Mask             Gateway          Type      Tag       Metr If
  ---------------  ---------------  ---------------  --------- --------- ---- --
* 45.0.0.0         255.0.0.0        45.1.1.201       direct    fixed          2
* 45.1.1.201       255.255.255.255  45.1.1.201       local     addr           2
* 45.255.255.255   255.255.255.255  45.255.255.255   broadcast broadcast      2
* 127.0.0.0        255.0.0.0        0.0.0.0          martian   martian
* 172.21.1.0       255.255.255.0    172.21.1.254     direct    fixed          4
* 172.21.1.254     255.255.255.255  172.21.1.254     local     addr           4
* 172.21.1.255     255.255.255.255  172.21.1.255     broadcast broadcast      4
* 205.1.1.0        255.255.255.0    205.1.1.201      direct    fixed          3
* 205.1.1.100      255.255.255.255  205.1.1.100      direct    vip
* 205.1.1.201      255.255.255.255  205.1.1.201      local     addr           3
* 205.1.1.255      255.255.255.255  205.1.1.255      broadcast broadcast      3
* 224.0.0.0        224.0.0.0        0.0.0.0          martian   martian
* 255.255.255.255  255.255.255.255  255.255.255.255  broadcast broadcast

OSPF is disabled.

Status codes: * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop         Metr  LcPrf Wght  Path
   ---------------  ---------------  ----- ----- ----- ---------------
*> 45.0.0.0         0.0.0.0          0                 ?
*> 172.21.1.0       0.0.0.0          0                 ?
*> 205.1.1.0        0.0.0.0          0                 ?
/info/slb/sess
Session Table Information
[Session Table Information Menu]
  cip    - Show all session entries with source IP address
  cip6   - Show all session entries with source IP6 address
  cport  - Show all session entries with source port
  dip    - Show all session entries with destination IP address
  dip6   - Show all session entries with destination IP6 address
  dport  - Show all session entries with destination port
  pip    - Show all session entries with proxy IP address
  pport  - Show all session entries with proxy port
  filter - Show all session entries with matching filter
  flag   - Show all session entries with matching flag
  port   - Show all session entries with ingress port
  real   - Show all session entries with real IP address
  sp     - Show all session entries on sp
  dump   - Show all session entries
  help   - Session entry description
3, 01: 1.1.1.1 4586, 2.2.2.1 http -> 1.1.1.2 3567 3.3.3.1 http age 6 f:10 EUSPT c
(1)(2) (3)     (4)   (5)     (6)     (7a)    (7)  (8)     (9)  (10)  (11)  (12)  (13)

Note: The fields 1 to 13 associated with a session, as identified in the example above, are described in Session dump information in Nortel Application Switch Operating System on page 137.

help - Displays the description of the session entry.
3,01: 172.21.12.19 4586, 39.2.2.1 rtsp -> 47.81.144.13 rtsp age 10 EU
3,01: 172.21.12.19 6970, 39.2.2.1 21220 -> 47.81.144.13 21220 age 10 P
The first session is the RTSP TCP control connection. The second session is the RTSP UDP data connection.

3,01: 172.21.12.19 6970, 39.2.2.1 rtsp -> 47.81.144.13 0 age 10 P
During client-server port negotiation, the destination port shows rtsp and the server port shows 0.

L7 WCR RTSP
3,01: 172.21.12.19 4586, 39.2.2.1 rtsp -> 47.81.144.13 urlwcr age 10 f:100 EU
3,01: 172.21.12.19 6970, 39.2.2.1 21220 -> 47.81.144.13 21220 age 10 P

Filtering LinkLB
2,07: 10.0.1.26 1706, 205.178.14.84 http -> 192.168.4.10 linklb age 8 f:10 E

FTP
1,00: 172.31.4.215 80, 172.31.4.200 0 172.31.3.11 age 8 EP c:1
1,09: 172.31.4.215 4098, 172.31.4.200 ftp -> 172.31.3.20 ftp age 10 EU
1,09: 172.31.4.215 4102, 172.31.4.200 ftp-data -> 172.31.3.20 ftp-data age 10 E

NAT
2,05: 172.21.8.16 2559, 10.0.1.26 http NAT age 2 f:24 E

Persistent session
3,00: 237.162.52.123 160.10.20.30 age 4 EPS C:3
The destination port, real server IP and server port are not shown for a persistent session.
Session dump information. The numbered fields correspond to the positions marked (1) to (13) in the session entry example above.

(1) Switch processor: the Switch Processor number that created the session.
(2) Port: the physical port through which the client traffic enters the switch.
(3) Client IP: the source IP address from the client's IP packet, in IPv4 or IPv6.
(4) Client port: the source port from the client's TCP/UDP packet.
(5) Destination IP: the destination IP address from the client's TCP/UDP packet.
(6) Destination port: the destination port from the client's TCP/UDP packet.
(7a) Proxy IP: the proxy IP address substituted by the switch.
(7) Proxy port: the TCP/UDP source port substituted by the switch.
(8) Real server IP: for load balancing, this field contains the IP address of the real server that the switch selects to forward the client packet to. If the switch does not find a live server, this field is the same as the destination IP address (field 5). For example:
    3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10
    3,01: 1.1.1.1 6970, 2.2.2.1 rtsp -> 2.2.2.1 21220 age 10 P
    For filtering, this field also shows the real server IP address. No address is shown if the filter action is Allow, Deny or NAT; ALLOW, DENY or NAT is shown instead. For example:
    3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10 f:11
    2,07: 1.1.1.1 1706, 2.2.2.1 http -> 192.168.4.10 linklb age 8 f:10 E
(9) Server port: for load balancing this field is the same as the destination port (field 6), except for an RTSP UDP session, where the server port is obtained from the client-server negotiation. For filtering, this field is the filtering application port; it is for internal use only and can be urlwcr, wcr, idslb, linkslb or nonat.
(10) Age: the session timeout value. If no packet is received within the value specified, the session is freed. For example:
    age 10 - the session is aged out in 10 minutes.
    age < 160 - the session is aged out in 160 minutes. This indicates that slowage is used. The user can configure slowage with the command /cfg/slb/adv/slowage.
(11) Filter: indicates that the session was created by the filtering code because the IP header keys matched the filtering criteria.
(12) Flags:
    E: the session is established and is aged out if no traffic is received within the session timeout value.
    L: the session is a link load balancing session.
    N: no NAT; the session only translates the destination MAC when forwarding client traffic to the real server.
    P: the session is a persistent session and is not aged out. Fields (6), (7) and (8) are not shown for a persistent session.
    S: the session is a persistent session and the application is SSL session ID or cookie pbind.
    Rt: the session is TCP rate limiting for every client entry.
    Ru: the session is UDP rate limiting for every client entry.
    Ri: the session is ICMP rate limiting per client entry.
    Vr: the session is a SIP REGISTER session.
    Vs: the session is a SIP SUBSCRIBE session.
    Vi: the session is a SIP INVITE session.
    Vm: the session is a SIP MESSAGE session.
    Vd: the session is a SIP NAT data session.
    U: the session is Layer 7 delayed binding and the switch is trying to open a TCP connection to the real server.
    W: the session only translates the destination MAC when forwarding Layer 7 WCR traffic to the real server.
(13) Counter: the number of client sessions created to associate with this persistent session.
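The session entry layout documented above (fields 1 to 13, the ALLOW/DENY/NAT substitution in field 8, the persistent-session form that omits fields 6, 7 and 8, and the "age < N" slowage form) is regular enough to parse mechanically, which is how a defender would audit a /info/slb/sess dump rather than reading it by eye. The following Python parser is an added example, not code from the Nortel documentation or from the switch; the sample dump lines are constructed after the examples on this page, and the names Session, parse_session, sessions_per_client and never_aged are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample entries in the /info/slb/sess dump layout documented above.
# Addresses are illustrative; the last line uses the "age < N" slowage form.
SAMPLE_DUMP = """\
3,01: 1.1.1.1 4586, 2.2.2.1 http -> 1.1.1.2 3567 3.3.3.1 http age 6 f:10 EUSPT c:2
3,01: 172.21.12.19 4586, 39.2.2.1 rtsp -> 47.81.144.13 rtsp age 10 EU
3,01: 172.21.12.19 6970, 39.2.2.1 21220 -> 47.81.144.13 21220 age 10 P
2,07: 10.0.1.26 1706, 205.178.14.84 http -> 192.168.4.10 linklb age 8 f:10 E
2,05: 172.21.8.16 2559, 10.0.1.26 http NAT age 2 f:24 E
1,00: 172.31.4.215 80, 172.31.4.200 0 172.31.3.11 age 8 EP c:1
3,00: 237.162.52.123 160.10.20.30 age 4 EPS C:3
2,03: 10.0.0.5 1200, 10.0.0.9 http -> 10.0.1.9 http age < 160 ERt
"""

FILTER_ACTIONS = {"ALLOW", "DENY", "NAT"}   # shown in place of the real server (field 8)
TWO_LETTER_FLAGS = {"Rt", "Ru", "Ri", "Vr", "Vs", "Vi", "Vm", "Vd"}


@dataclass
class Session:
    sp: int                                 # (1) switch processor that created the entry
    port: int                               # (2) ingress port
    cip: str                                # (3) client IP
    cport: Optional[str] = None             # (4) client port
    dip: Optional[str] = None               # (5) destination IP
    dport: Optional[str] = None             # (6) destination port
    pip: Optional[str] = None               # (7a) proxy IP
    pport: Optional[str] = None             # (7) proxy port
    rip: Optional[str] = None               # (8) real server IP
    rport: Optional[str] = None             # (9) server port or filtering application port
    filter_action: Optional[str] = None     # ALLOW/DENY/NAT when no real server is shown
    age: int = 0                            # (10) timeout in minutes
    slowage: bool = False                   # age printed as "< N": slowage timer in use
    filter_id: Optional[int] = None         # (11) the f:NN filter number
    flags: List[str] = field(default_factory=list)  # (12)
    count: Optional[int] = None             # (13) client sessions tied to a persistent entry


_PREFIX = re.compile(r"^(\d+),\s*(\d+):\s*(.*)$")
_AGE = re.compile(r"\s+age\s+(<\s*)?(\d+)(.*)$")
_COUNT = re.compile(r"^[cC]:(\d+)$")


def parse_flags(text: str) -> List[str]:
    """Split 'EUSPT' or 'ERt' into flags; two-letter flags are matched first."""
    flags, i = [], 0
    while i < len(text):
        pair = text[i:i + 2]
        if pair in TWO_LETTER_FLAGS:
            flags.append(pair)
            i += 2
        else:
            flags.append(text[i])
            i += 1
    return flags


def parse_session(line: str) -> Session:
    """Parse one session dump line into a Session."""
    m = _PREFIX.match(line.strip())
    if not m:
        raise ValueError(f"not a session entry: {line!r}")
    rest = m.group(3)
    a = _AGE.search(rest)
    if not a:
        raise ValueError(f"no age field: {line!r}")
    sess = Session(sp=int(m.group(1)), port=int(m.group(2)), cip="",
                   age=int(a.group(2)), slowage=a.group(1) is not None)
    # Trailing fields after the age: optional f:NN, the flag string, optional c:N.
    for tok in a.group(3).split():
        if tok.startswith("f:"):
            sess.filter_id = int(tok[2:])
        elif _COUNT.match(tok):
            sess.count = int(tok[2:])
        else:
            sess.flags = parse_flags(tok)
    # Address part: "cip cport, dip dport [ACTION|rip] [-> [pip pport] rip rport]".
    client, comma, server = rest[:a.start()].partition(",")
    ctoks = client.split()
    if comma:
        sess.cip = ctoks[0]
        sess.cport = ctoks[1] if len(ctoks) > 1 else None
    else:   # persistent entry: only client IP and destination IP are shown
        sess.cip, server = ctoks[0], " ".join(ctoks[1:])
    left, _, right = server.partition("->")
    ltoks = left.split()
    if ltoks:
        sess.dip = ltoks[0]
    if len(ltoks) > 1:
        sess.dport = ltoks[1]
    if len(ltoks) > 2:
        if ltoks[2] in FILTER_ACTIONS:
            sess.filter_action = ltoks[2]
        else:
            sess.rip = ltoks[2]    # server shown without a port (e.g. FTP control entry)
    rtoks = right.split()
    if len(rtoks) == 4:
        sess.pip, sess.pport, sess.rip, sess.rport = rtoks
    elif len(rtoks) == 2:
        sess.rip, sess.rport = rtoks
    elif rtoks:
        raise ValueError(f"unexpected server fields {rtoks} in {line!r}")
    return sess


def parse_dump(text: str) -> List[Session]:
    return [parse_session(l) for l in text.splitlines() if l.strip()]


def sessions_per_client(sessions: List[Session]) -> Dict[str, int]:
    """Entries per client IP; one client holding many entries is worth a look."""
    counts: Dict[str, int] = {}
    for s in sessions:
        counts[s.cip] = counts.get(s.cip, 0) + 1
    return counts


def never_aged(sessions: List[Session]) -> List[Session]:
    """Entries flagged P are persistent and are never aged out; audit them separately."""
    return [s for s in sessions if "P" in s.flags]


if __name__ == "__main__":
    for s in parse_dump(SAMPLE_DUMP):
        print(s)
```

The parser keeps ports as strings because the dump prints service names (http, rtsp, ftp-data) and internal application names (urlwcr, linklb) in the same column as numeric ports; resolving them is left to the caller.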
Chapter 4: The Information Menu
320506-A, January 2006
/info/slb/gslb
Global SLB Information Menu
A Nortel Application Switch Operating System running Global SLB selects the most appropriate site to direct the client traffic for a given domain during the initial client connection. The menu for this feature displays the following information:
[Global SLB Information Menu]
  virt - Show Global SLB virtual server information
  site - Show Global SLB remote site information
  rule - Show Global SLB rule information
  geo  - Show Global SLB geographical preference information
  pers - Show Global SLB DNS persistence cache information
  dump - Show all Global SLB information
/info/slb/dump
Show All Layer 4 Information
Real server state:
  1: 210.1.2.200, 00:01:02:c1:4b:48, vlan 1, port 1, health 3, up
  2: 210.1.2.1, 00:01:02:70:4d:4a, vlan 1, port 8, health 3, up
  26: 20.20.20.102, 00:03:47:07:a4:9e, vlan 1, port 6, health 3, up
  27: 20.20.20.101, 00:01:02:71:9c:a6, vlan 1, port 7, health 3, up
Virtual server state:
  1: 20.20.20.200, 00:60:cf:47:5c:1e
    virtual ports:
      http: rport http, group 88, backup none, dbind
        HTTP Application: urlslb
        real servers:
          26: 20.20.20.102, backup none, 2 ms, up
              exclusionary string matching: disabled
              1: any
              2: urlone
          27: 20.20.20.101, backup none, 1 ms, up
              exclusionary string matching: disabled
              3: urltwo
              4: urlthree
Redirect filter state:
  Action redir dport http, rport 3128, vlan any
  200: group 1, health 3, backup none
       proxy enabled, radius snoop disabled
       real servers:
         1: 210.1.2.200, backup none, 3 ms, up
         2: 210.1.2.1, backup none, 2 ms, up
Port state:
  1: filt disabled, filters: 80 idslb
  2: filt enabled, filters: 200 idslb
  3: filt enabled, filters: 200
  4: filt disabled, filters: 50 200
/info/bwm/ipuser
BWM IP User Information Menu
[BWM IP User Entries Information Menu]
  ip   - Show all IP user entries with IP address
  cont - Show all IP user entries for a contract
  sp   - Show all IP user entries on sp
  dump - Show all IP user entries
/info/bwm/cont
BWM Contract Information
Current Bandwidth Management setting: ON
Policy Enforcement: enabled
BWM history will be mailed in a minute to 'abcd' at host '100.81.138.26'
BWM IP user table entries 64k

Contract               Policy                          Per User  Traffic
Num  Name              Num  Prec  Hard   Soft   Resv   Limit     Key      State  Shaping
1    123456789012345   2    1     50M    1M     500K                      E      D
2    vlan              4    1     60M    2M     500K                      E      D
3    filter            7    20    2M     1M     500K                      E      D
4                      5    1     2M     1M     500K                      D      D
5                      512  1     2M     1M     500K                      E      D
10                     10   1     1M     0K     0K     500K      sip      E      D
11                     11   1     100M   80M    500K   2M        sip      E      D
12                     12   1     2M     1M     500K                      E      D
13                     13   1     3M     1M     500K                      E      D
14                     14   1     4M     400K   100K                      E      D
15                     15   1     2M     1M     500K                      E      D

This command displays information about any configured contracts and the BWM policies applied to the contracts.

Table 4-33 BWM Contract Information
Field     Description
Contract  Displays the BWM contract number.
Policy    Displays specific information about a policy applied to a contract. Includes the following:
          - The policy number applied to the contract
          - Prec: the precedence applied to the policy
          - Hard: the hard limit applied to the policy
          - Soft: the soft limit applied to the policy
          - Resv: the reserve limit applied to the policy
Shaping   Displays whether Traffic Shaping is enabled (E) or disabled (D) for this contract.
The information provided by each menu option is described in Table 4-34.

Table 4-34 Security Information Menu (/info/security)
Command   Syntax and Usage
port      This menu displays the current port security settings.
ipacl     This menu displays the current IP ACL settings.
udpblast  This menu displays UDP blast protection settings.
dos       This menu displays DoS protection settings.
dump      This menu displays all security settings.
Use this command to display link status information about each port on a Nortel Application Switch slot, including:
- Port alias
- Port number
- Port speed (10, 100, 10/100, or 1000)
- Duplex mode (half, full, any, or auto)
- Flow control for transmit and receive (no, yes, or auto)
Port information includes:
- Port alias
- Port number
- Whether the port uses VLAN tagging or not (y or n)
- Whether Remote Monitor is enabled or disabled
- Port VLAN ID (PVID)
- Port name
- VLAN membership
Software key information includes a list of all the optional software packages which have been activated or installed on your switch. For information on ordering optional software license keys, see How to Get Help on page 24.
CHAPTER 5
[Port statistics tables (bridging, Ethernet, interface, IP and RMON counters) did not survive extraction; only the counter names are recoverable. Counters named in this span: dot1PortOutFrames; dot3StatsSingleCollisionFrames, dot3StatsMultipleCollisionFrames, dot3StatsDeferredTransmissions, dot3StatsLateCollisions, dot3StatsExcessiveCollisions, dot3StatsInternalMacTransmitErrors, dot3StatsFrameTooLongs, dot3StatsInternalMacReceiveErrors, dot3CollFrequencies; ifHCInUcastPkts, ifHCInErrors, ifHCOutOctets, ifHCOutBroadcastPkts, ifHCOutMulticastPkts, ifHCOutDiscards, ifHCOutErrors; ipForwDatagrams, ipInUnknownProtos, ipInDiscards; etherStatsUndersizePkts, etherStatsOversizePkts, etherStatsJabbers, etherStatsCollisions, etherStatsPkts64Octets.]

RMON statistics for port 1 (counter values not recoverable):
  etherStatsDropEvents:
  etherStatsOctets:
  etherStatsPkts:
  etherStatsBroadcastPkts:
  etherStatsMulticastPkts:
  etherStatsCRCAlignErrors:
  etherStatsUndersizePkts:
  etherStatsOversizePkts:
  etherStatsFragments:
  etherStatsJabbers:
  etherStatsCollisions:
  etherStatsPkts64Octets:
  etherStatsPkts65to127Octets:
  etherStatsPkts128to255Octets:
  etherStatsPkts256to511Octets:
  etherStatsPkts512to1023Octets:
  etherStatsPkts1024to1518Octets:
/stats/l2/fdb
FDB Statistics
FDB statistics:
  creates:       9611    deletes:         9553
  current:         58    hiwat:             65
  lookups:     850254    lookup fails:  151373
  finds:         5832    find fails:         0
  find_or_c's:  11874    overflows:          0
  max:          16384

This menu option enables you to display statistics regarding the use of the forwarding database, including the number of new entries, finds, and unsuccessful searches. FDB statistics are described in the following table:

Table 5-12 Forwarding Database Statistics (/stats/l2/fdb)
Statistic     Description
creates       Number of entries created in the Forwarding Database.
current       Current number of entries in the Forwarding Database.
lookups       Number of entry lookups in the Forwarding Database.
finds         Number of successful searches in the Forwarding Database.
find_or_cs    Number of entries found or created in the Forwarding Database.
deletes       Number of entries deleted from the Forwarding Database.
hiwat         Highest number of entries recorded at any given time in the Forwarding Database.
lookup fails  Number of unsuccessful searches made in the Forwarding Database.
find fails    Number of search failures in the Forwarding Database.
overflows     Number of entries overflowing the Forwarding Database.
/stats/l2/lacp
LACP Statistics
>> Layer 2 Statistics# lacp 1
port 1
  Valid LACPDUs received           9394
  Valid Marker PDUs received          0
  Valid Marker Rsp PDUs received      0
  Unknown version/TLV type            0
  Illegal subtype received            0
  LACPDUs transmitted              8516
  Marker PDUs transmitted             0
  Marker Rsp PDUs transmitted         0

Valid LACPDUs received - The number of LACPDUs that the switch received on this port.
Valid Marker PDUs received - The number of valid Marker PDUs that the switch received on this port.
Valid Marker Rsp PDUs received - The number of valid Marker Responses that the switch received on this port.
Unknown version/TLV type - The number of unknown version or TLV type that the switch received on this port.
Illegal subtype received - The number of illegal LACP subtypes received on this port.
LACPDUs transmitted - The number of LACPDUs transmitted out of this port.
Marker PDUs transmitted - The number of Marker PDUs transmitted out of this port.
Marker Rsp PDUs transmitted - The number of Marker Responses transmitted out of this port.
/stats/l2/stg
Spanning Tree Group Statistics
Spanning Tree Group 1:
Port   Rcv Cfg   Rcv TCN   Xmt Cfg   Xmt TCN
-----  --------  --------  --------  --------
1      0         0         0         0
2      0         0         0         0
3      0         0         0         0
4      0         0         0         0
5      0         0         0         0
6      0         0         0         0
7      0         0         0         0
8      0         0         0         0
9      139046    176       27        15
10     0         0         0         0
11     0         0         0         0
12     0         0         0         0
13     0         0         0         0
14     0         0         0         0
15     0         0         0         0
16     0         0         0         0
17     0         0         0         0
18     0         0         0         0
19     0         0         0         0
20     0         0         0         0
21     0         0         0         0
22     0         0         0         0
23     0         0         0         0
24     0         0         0         0
25     0         0         0         0
26     0         0         0         0
27     0         0         0         0
28     0         0         0         0
/stats/l3/ospf
OSPF Statistics Menu
[OSPF stats Menu]
  general - Show global stats
  aindex  - Show area(s) stats
  if      - Show interface(s) stats
/stats/l3/ospf/general
OSPF Global Statistics
The OSPF General Statistics contain the sum total of all OSPF packets received on all OSPF areas and interfaces.
OSPF stats
---------
Rx/Tx Stats:           Rx        Tx
                  -------   -------
  Pkts                  0         0
  hello                23       518
  database              4        12
  ls requests           3         1
  ls acks               7         7
  ls updates            9         7

Nbr change stats:                Intf change Stats:
  hello                 2          hello             4
  start                 0          down              2
  n2way                 2          loop              0
  adjoint ok            2          unloop            0
  negotiation done      2          wait timer        2
  exchange done         2          backup            0
  bad requests          0          nbr change        5
  bad sequence          0
  loading done          2
  n1way                 0
  rst_ad                0
  down                  1

Timers kickoff
  hello               514
  retransmit         1028
  lsa lock              0
  lsa ack               0
  dbage                 0
  summary               0
  ase export            0
[The description table for the neighbor and interface change statistics was lost in extraction; only these names survive: n2way, adjoint ok, negotiation done, exchange done, bad requests, bad sequence; backup, nbr change.]

Timers Kickoff:
hello - The sum total number of times the Hello timer has fired (which triggers the sending of a Hello packet) across all OSPF areas and interfaces.
retransmit - The sum total number of times the Retransmit timer has fired across all OSPF areas and interfaces.
lsa lock - The sum total number of times the Link State Advertisement (LSA) lock timer has fired across all OSPF areas and interfaces.
lsa ack - The sum total number of times the LSA Ack timer has fired across all OSPF areas and interfaces.
dbage - The total number of times the database age (Dbage) timer has fired.
summary - The total number of times the Summary timer has fired.
ase export - The total number of times the Autonomous System Export (ASE) timer has fired.
/stats/l3/ip
IP Statistics
IP statistics:
  ipInReceives:        3115873    ipInHdrErrors:             1
  ipInAddrErrors:        35447    ipForwDatagrams:           0
  ipInUnknownProtos:    500504    ipInDiscards:              0
  ipInDelivers:        2334166    ipOutRequests:       1010542
  ipOutDiscards:             4    ipOutNoRoutes:             4
  ipReasmReqds:              0    ipReasmOKs:                0
  ipReasmFails:              0    ipFragOKs:                 0
  ipFragFails:               0    ipFragCreates:             0
  ipRoutingDiscards:         0    ipDefaultTTL:            255
  ipReasmTimeout:            5

[The IP statistics description table was lost in extraction; only these counter names survive: ipInAddrErrors, ipForwDatagrams, ipInUnknownProtos, ipInDelivers, ipOutRequests, ipOutDiscards, ipOutNoRoutes, ipFragOKs, ipFragFails, ipFragCreates, ipDefaultTTL, ipReasmTimeout.]
/stats/l3/ip6
IP6 Statistics Menu
>> Layer 3 Statistics# /stat/l3/ip6
-----------------------------------------------------------------
IP6 statistics:
  InReceives:           20519    InDiscards:               2
  InDelivers:           24793    ForwDatagrams:            0
  UnknownProtos:            0    InAddrErrors:             0
  OutRequests:          34548    OutNoRoutes:              0
  ReasmOKs:                 0    ReasmFails:               0
  IcmpInMsgs:           24793    IcmpInErrors:          4268
  IcmpOutMsgs:          12829    IcmpOutErrors:         4271
  InEchos:                  0    OutEchos:              8538
  InEchoReplies:         8536    OutEchoReplies:           0
  InDestUnreachs:        4268    OutDestUnreachs:       4271
  InPktTooBigs:             0    OutPktTooBigs:            0
  InTimeExcds:              0    OutTimeExcds:             0
-----------------------------------------------------------------
ICMP6 statistics:
Interface: 1
  InMsgs:               18929    InErrors:                    0
  InEchos:                  0    InEchoReplies:            4268
  InNeighborSolicits:    4513    InNeighborAdvertisements: 4271
  InRouterSolicits:         0    InRouterAdvertisements:   5877
  InDestUnreachs:           0    InTimeExcds:                 0
  InPktTooBigs:             0    InParmProblems:              0
  InRedirects:              0
  OutMsgs:               4280    OutErrors:                   0
  OutEchos:              4269    OutEchoReplies:              0
  OutNeighborSolicits:      3    OutNeighborAdvertisements: 4516
  OutRouterSolicits:        0    OutRouterAdvertisements:     1
  OutRedirects:             0
-----------------------------------------------------------------
Interface: 7
  InMsgs:                5864    InErrors:                 4268
  InEchos:                  0    InEchoReplies:            4268
  InNeighborSolicits:     122    InNeighborAdvertisements:    3
  InRouterSolicits:         0    InRouterAdvertisements:   1471
  InDestUnreachs:        4268    InTimeExcds:                 0
  InPktTooBigs:             0    InParmProblems:              0
  InRedirects:              0
  OutMsgs:               8549    OutErrors:                4271
  OutEchos:              4269    OutEchoReplies:              0
  OutNeighborSolicits:      2    OutNeighborAdvertisements: 124
  OutRouterSolicits:        0    OutRouterAdvertisements:     1
  OutRedirects:             0
-----------------------------------------------------------------
IP6 gateway health check statistics:
  gateway 5  echo-req 4269  echo-resp 4268  fails 0
  gateway 7  echo-req 4269  echo-resp 4268  fails 0
[The IP6 and ICMP6 statistics description tables were lost in extraction. Counter names that survive: UnknownProtos, OutRequests, ReasmOKs, InDiscards, ForwDatagrams, InAddrErrors, IcmpInMsgs, IcmpOutMsgs, IcmpInErrors, IcmpOutErrors, InNeighborSolicits, InEchoReplies, InNeighborAdvertisements, InRouterAdvertisements, InTimeExcds, InParmProblems, OutMsgs, OutEchos, OutNeighborSolicits, OutRouterSolicits, OutRedirects. Two descriptions survive:]
InMsgs - The total number of ICMP messages received by the interface, which includes all those counted by ipv6IfIcmpInErrors. Note that this interface is the interface to which the ICMP messages were addressed, which may not necessarily be the input interface for the messages.
InNeighborSolicits - The number of ICMP Neighbor Solicit messages received by the interface.
/stats/l3/route
Route Statistics
Route statistics:
  ipRoutesCur:         3
  ipRoutesHighWater:   3
  ipRoutesMax:      4096
-----------------------------------------------------------------
SP Route statistics:
SP   ipRoutesCur   ipRoutesHighWater   ipRoutesMax
---  ------------  ------------------  ------------
1    3             3                   4096
2    3             3                   4096
3    3             3                   4096
4    3             3                   4096
-----------------------------------------------------------------
RIP statistics:
  ripInPkts:           0    ripOutPkts:          0
  ripDiscardPkts:      0    ripRoutesAgedOut:    0
BGP statistics:
  bgpInPkts:           0
  bgpBadPkts:          0
  bgpRoutesAdded:      0
  bgpRoutesCur:        0
  bgpRoutesIgnored:    0
/stats/l3/arp
ARP statistics
This menu option enables you to display Address Resolution Protocol statistics.
MP ARP statistics:
  arpEntriesCur:          2
  arpEntriesHighWater:    2
  arpEntriesMax:       8192
-----------------------------------------------------------------
SP ARP statistics:
SP   arpEntriesCur   arpEntriesHighWater   arpEntriesMax
---  --------------  --------------------  --------------
1    1               1                     8192
2    1               1                     8192
3    1               1                     8192
4    1               1                     8192
/stats/l3/vrrp
VRRP Statistics
Virtual Router Redundancy Protocol (VRRP) support on the Nortel Application Switch provides redundancy between routers in a LAN. This is accomplished by configuring the same virtual router IP address and ID number on each participating VRRP-capable routing device. One of the virtual routers is then elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address.

When virtual routers are configured, you can display the following protocol statistics for VRRP:
- Advertisements received (vrrpInAdvers)
- Advertisements transmitted (vrrpOutAdvers)
- Advertisements received, but ignored (vrrpBadAdvers)

The statistics for the VRRP LAN are displayed:
VRRP statistics:
  vrrpInAdvers:       0
  vrrpOutAdvers:      0
  vrrpBadVersion:     0
  vrrpBadAddress:     0
  vrrpBadPassword:    0
/stats/l3/dns
DNS Statistics
This menu option enables you to display Domain Name System statistics.
DNS statistics:
  dnsInRequests:     0    dnsOutRequests:    0
  dnsBadRequests:    0
/stats/l3/icmp
ICMP Statistics
ICMP statistics:
  icmpInMsgs:            245802    icmpInErrors:            1393
  icmpInDestUnreachs:        41    icmpInTimeExcds:            0
  icmpInParmProbs:            0    icmpInSrcQuenchs:           0
  icmpInRedirects:            0    icmpInEchos:               18
  icmpInEchoReps:        244350    icmpInTimestamps:           0
  icmpInTimestampReps:        0    icmpInAddrMasks:            0
  icmpInAddrMaskReps:         0    icmpOutMsgs:           253810
  icmpOutErrors:              0    icmpOutDestUnreachs:       15
  icmpOutTimeExcds:           0    icmpOutParmProbs:           0
  icmpOutSrcQuenchs:          0    icmpOutRedirects:           0
  icmpOutEchos:          253777    icmpOutEchoReps:           18
  icmpOutTimestamps:          0    icmpOutTimestampReps:       0
  icmpOutAddrMasks:           0    icmpOutAddrMaskReps:        0

[The ICMP statistics description table was lost in extraction; only the counter names survive: icmpInErrors, icmpInDestUnreachs, icmpInTimeExcds, icmpInParmProbs, icmpInSrcQuenchs, icmpInRedirects, icmpInEchos, icmpInEchoReps, icmpInTimestamps, icmpInTimestampReps, icmpInAddrMasks, icmpOutErrors, icmpOutDestUnreachs, icmpOutTimeExcds, icmpOutParmProbs, icmpOutSrcQuenchs, icmpOutRedirects, icmpOutEchos, icmpOutEchoReps, icmpOutTimestamps, icmpOutTimestampReps, icmpOutAddrMasks, icmpOutAddrMaskReps.]

[The interface statistics description table was also lost; only these counter names survive: ifInNUCastPkts, ifInDiscards, ifInErrors, ifInUnknownProtos, ifOutNUcastPkts, ifOutDiscards, ifOutErrors, ifStateChanges.]
/stats/l3/tcp
TCP Statistics
TCP statistics:
  tcpRtoAlgorithm:        4    tcpRtoMin:              0
  tcpRtoMax:         240000    tcpMaxConn:          1600
  tcpActiveOpens:         0    tcpPassiveOpens:        0
  tcpAttemptFails:        0    tcpEstabResets:         0
  tcpInSegs:              0    tcpOutSegs:             0
  tcpRetransSegs:         0    tcpInErrs:              0
  tcpCurBuff:             0    tcpCurConn:             6
  tcpCurInConn:           0    tcpCurOutConn:          0
  tcpCurLstnConn:         3    tcpOutRsts:             0
  tcpAllocTCBFails:       0

[The TCP statistics description table was lost in extraction; only the counter names survive: tcpRtoMax, tcpMaxConn, tcpActiveOpens, tcpPassiveOpens, tcpEstabResets, tcpInSegs, tcpOutSegs, tcpRetransSegs, tcpInErrs, tcpCurBuff, tcpCurConn, tcpCurInConn, tcpCurOutConn, tcpCurLstnConn, tcpOutRsts, tcpAllocTCBFails.]
/stats/l3/udp
UDP Statistics
UDP statistics:
  udpInDatagrams:    54    udpOutDatagrams:         43
  udpInErrors:        0    udpNoPorts:         1578077
/stats/slb/sp
Server Load Balancing SP statistics Menu
[Server Load Balancing SP Statistics Menu]
  real  - Show real server stats
  group - Show real server group stats
  virt  - Show virtual server stats
  filt  - Show filter stats
  maint - Show maintenance stats
  aux   - Show auxiliary session table stats
  clear - Clear SP stats
[The SLB maintenance statistics table was partly lost in extraction; only these counter names survive for the first part: No Available Real Server, Backup Server Activations, Overflow Server Activations, Filtered (Denied) Frames.]
Total IP fragment sessions - The total number of fragment sessions the switch has processed so far.
Current IP fragment sessions - The current number of fragment sessions.
IP fragment discards - The number of fragmented packets that are discarded due to lack of resources.
IP fragment table full - The number of times the session table was full.
/stats/slb/gslb
Global SLB Statistics Menu
[Global SLB Statistics Menu]
  real    - Show Global SLB remote real server stats
  virt    - Show Global SLB virtual server stats
  site    - Show Global SLB remote site stats
  network - Show Global SLB network preference stats
  rule    - Show Global SLB rule stats
  geo     - Show Global SLB geographical preference stats
  pers    - Show Global SLB DNS persistence cache stats
  maint   - Show Global SLB maintenance stats
  clear   - Clear all Global SLB stats
  dump    - Show all Global SLB stats
For any remote real server configured for Global Server Load Balancing, the following statistics can be viewed:
- Number of DNS responses directed to the remote real server
- Number of HTTP redirects to the remote real server
/stats/slb/gslb/site
Global SLB Site Statistics
Global SLB remote site 1 stats: Bad remote site packets received: DSSPv1 remote site updates sent: DSSPv1 remote site updates received: DSSPv2 remote site updates sent: DSSPv2 remote site updates received: 386 0 0 768 348
/stats/slb/gslb/maint
Global SLB Maintenance Statistics
Global SLB maintenance stats:
  Bad remote site packets received:            0
  DSSPv1 remote site updates sent:             0
  DSSPv1 remote site updates received:         0
  DSSPv2 remote site updates sent:        127746
  DSSPv2 remote site updates received:     85164
  DNS queries received:                        0
  Bad DNS queries received:                    0
  DNS responses sent:                          0
  HTTP requests received:                      0
  Bad HTTP requests received:                  0
  HTTP responses sent:                         0
  Hostname domain hits:                        0
  Network domain hits:                         0
  Basic domain hits:                           0
  No server selected for hostname domain:      0
  No server selected for network domain:       0
  No server selected for basic domain:         0
  No matching domain:                          0
  Last no result domain:
  Last source IP:                              0.0.0.0
Statistic                             Description
Bad remote site packets received      The number of bad packets received from the remote site. Bad updates or dropped packets usually indicate that there is a configuration problem at the local or remote GSLB switches. If bad updates or dropped packets occur, check your syslog for configuration error messages.
DSSPv1 remote site updates sent       The number of Distributed Site State Protocol (DSSP) version one updates/packets sent to the remote sites.
DSSPv1 remote site updates received   The number of Distributed Site State Protocol (DSSP) version one updates/packets received from the remote sites.
DSSPv2 remote site updates sent       The number of Distributed Site State Protocol (DSSP) version two updates/packets sent to the remote sites.
DSSPv2 remote site updates received   The number of Distributed Site State Protocol (DSSP) version two updates/packets received from the remote sites.
DNS queries received                     The number of DNS queries received.
Bad DNS queries received                 The number of bad DNS queries received.
DNS responses sent                       The number of DNS responses sent by the switch, including DNS directs and DNS error responses.
HTTP requests received                   The number of HTTP requests received.
Bad HTTP requests received               The number of bad/dropped client HTTP requests. Client HTTP GET request packets that do not contain the entire URL are considered bad and are dropped.
HTTP responses sent                      The number of HTTP responses sent by the switch, including HTTP redirects.
Hostname domain hits                     The number of times the DNS queries received matched the hostname configured.
Network domain hits                      The number of times the DNS queries received matched the network domain name configured.
Basic domain hits                        The number of times the DNS queries received matched the basic domain name configured.
No server selected for hostname domain   The number of times no server was selected after matching the host name domain.
No server selected for network domain    The number of times no server was selected after matching the network domain name.
No server selected for basic domain      The number of times no server was selected after matching the basic domain name.
No matching domain                       The number of times the DNS queries received did not match the host name, domain name, or the network domain configured.
Last no result domain                    The domain in the last DNS query received that did not match the host name, domain name, or the network domain configured.
Last source IP                           The source IP address of the last DNS query or HTTP request received.
NOTE Octets are provided per server, not per service, unless configured as described in Per Service Octet Counters on page 211.

Table 5-35 Real Server SLB Statistics (/stats/slb/real)

Statistics          Description
Current sessions    The total number of outstanding sessions that are established to the particular real server.
Total sessions      The total number of sessions that have been established to the particular real server.
Highest sessions    The highest number of sessions ever recorded for the particular real server.
Octets              The total number of octets sent by the particular real server.
2. On the Nortel Application Switch, configure a real server with a real IP address for each service above. Continuing the example above, two real servers would be configured for the physical server (representing each real service). If there were five physical servers providing the two services (HTTP and FTP), 10 real servers would have to be configured: five for the HTTP services on each physical server, and five for the FTP services on each physical server.

3. On the Nortel Application Switch, configure one real server group for each type of service, and group each appropriate real server IP address into the group that handles the specific service. Thus, in keeping with our example, two groups would be configured: one for handling HTTP and one for handling FTP.

4. Configure a virtual server and add the appropriate services to that virtual server.
Real server group statistics include the following:
  - Current and total sessions for each real server in the real server group.
  - Current and total sessions for all real servers associated with the real server group.
  - Highest number of simultaneous sessions recorded for each real server.
  - Real server transmit/receive octets. For per-service octet counters, see the procedure on Per Service Octet Counters on page 211.
NOTE The virtual server IP address is shown on the last line, below the real server IP addresses.

Virtual server statistics include the following:
  - Current and total sessions for each real server associated with the virtual server.
  - Current and total sessions for all real servers associated with the virtual server.
  - Highest number of simultaneous sessions recorded for each real server.
  - Real server transmit/receive octets. For per-service octet counters, see Per Service Octet Counters on page 211.
You can obtain the total number of times any filter has been matched.
/stats/slb/layer7
SLB Layer7 Statistics Menu
[Layer 7 Statistics Menu]
     redir    - Show URL Redirection stats
     str      - Show SLB String stats
     maint    - Show Layer 7 Maintenance stats
     pooling  - Show connection pooling stats
/stats/slb/layer7/redir
Layer7 Redirection Statistics
URL based web cache redirection stats:
  Total cache server hits:                    0
  Total origin server hits:                   0
  Total straight to origin server hits:       0
  Total none-GETs hits:                       0
  Total 'Cookie: ' hits:                      0
  Total no-cache hits:                        0
  Total RTSP cache server hits:               0
  Total RTSP origin server hits:              0
  Total HTTP redirection hits:                0
Statistics                              Description
Total cache server hits                 The total number of HTTP requests redirected to the cache server.
Total origin server hits                The total number of HTTP requests forwarded to the origin server.
Total straight to origin server hits    The total number of HTTP requests forwarded straight to the origin server.
Total none-GETs hits                    The total number of non-GET requests forwarded to the origin server.
Total 'Cookie:' hits                    The total number of cookie requests forwarded to the origin server.
Total no-cache hits                     The total number of requests containing a no-cache header forwarded to the origin server.
Total RTSP cache server hits            The total number of RTSP requests redirected to the cache server.
Total RTSP origin server hits           The total number of RTSP requests forwarded to the origin server.
Total HTTP redirection hits             The total number of HTTP requests that were redirected by a redirection filter.
/stats/slb/layer7/str
Layer 7 SLB String Statistics
SLB String stats:
ID   SLB String                        Hits
 1   any                            1527115
 2   www.[abcdefghijklm]*.com             0
 3   www.[nopqrstuvwxyz]*.com             0
 4   www.junk.com                         0
 5   www.abc.com                          0
 6   www.[abcdefjhijklm]*.org             0
 7   www.[nopqrstuvwxyz]*.org             0
/stats/slb/layer7/maint
Layer 7 SLB Maintenance Statistics
Layer 7 maintenance stats:
  Clients reset by switch on client side:      0
  Clients reset by switch on server side:      0
  Connection Splicing to support HTTP/1.1:     0
  Invalid HTTP methods:                        0
  Aged delayed binding sessions:               0
  Half open connections:                       0
  Switch retries:                              0
  Random early drops:                          0
  Requests exceeded 9000 bytes:                0
  Invalid 3-way handshakes:                    0
  Exceeded max frame size:                     0
  Out of order packet drops:                   0
  Current SP[1] memory units:               1260    Lowest:
  Current SP[2] memory units:               1260    Lowest:
  Current SP[3] memory units:               1260    Lowest:
  Current SP[4] memory units:               1260    Lowest:
  Current SP memory units:                  5040
  Current SEQ buffer entries:                  0    Highest:
  Current Data buffer use:                     0    Highest:
  Current SP buffer entries:                   0    Highest:
  Total Nonzero SEQ Alloc:                     0
  Total SEQ Buffer Allocs:                     0    Total SEQ Frees:
  Total Data Buffer Allocs:                    0    Total Data Frees:
  Alloc Fails - Seq buffers:                   0    Alloc Fails - Ubufs:
  Max sessions per bucket:                     0    Max frames per session:
  Max bytes buffered (sess):                   0
Switch retries
Random early drops
Requests exceeded 4500 bytes
Invalid 3-way handshakes
Exceeded max frame size
Out of order packet drops
Current SP memory units
Current SEQ buffer entries
Highest SEQ buffer entries
Current Data buffer use
Highest Data buffer use
Total Nonzero SEQ Alloc
Total SEQ Buffer Allocs
Total SEQ Frees
Max frames per session      The maximum number of frames to be buffered per session.
Max bytes buffered (sess)   The maximum number of bytes to be buffered per session.
/stats/slb/layer7/pooling
Layer7 Pooling Statistics
>> Layer 7 Statistics# pooling
-----------------------------------------------------------------
Connection pooling statistics:
  Current opened server connections:                  0
  Active server connections:                          0
  Available server connections:                       0
  Total number of aged out client connections:        0
  Total number of aged out server connections:        0
/stats/slb/ssl
SLB Secure Socket Layer Statistics
SSL SLB maintenance stats:
  SessionId allocation fails:                  0
  Total number of SSL ID reassignments:        0

                            Current    Total      Highest
                            Sessions   Sessions   Sessions
-------------------------   --------   --------   --------
Unique SessionIds                  0          0          0
SSL connections                    0          0          0
Persistent Port Sessions           0          0          0
/stats/slb/ftp
File Transfer Protocol SLB and Filter Statistics Menu
[FTP SLB parsing and Filter Statistics Menu]
     active   - Show active FTP NAT filter stats
     parsing  - Show FTP SLB parsing server stats
     maint    - Show FTP maintenance stats
     dump     - Dump all FTP SLB/NAT stats

Table 5-41 FTP SLB Parsing and Filter Statistics Menu Options (/stats/slb/ftp)

Command Syntax and Usage
active     Shows active FTP SLB parsing and filter statistics. See page 221 for sample output.
parsing    Shows parsing statistics. See page 221 for sample output.
maint      Shows maintenance statistics. See page 222 for sample output.
dump       Shows all FTP SLB/NAT statistics. See page 222.
/stats/slb/ftp/active
Active FTP SLB Parsing and Filter Statistics
Total Active FTP NAT stats(PORT):
  Total FTP:                          0
  Total New Active FTP Index:         0
  Active FTP NAT ACK/SEQ diff:        0

Table 5-42 Active FTP SLB Parsing and Filter Statistics (/stats/slb/ftp/active)

Statistics                           Description
Total Active FTP NAT stats (PORT)    The number of times the switch receives the PORT command from the client.
Total FTP                            The number of times the switch receives both active and passive FTP connections.
Total New Active FTP Index           The number of times the switch creates a new index due to a PORT command from the client.
Active FTP NAT ACK/SEQ diff          The difference in the numbers of ACK and SEQ that the switch needs for packet adjustment.
/stats/slb/ftp/parsing
Passive FTP SLB Parsing Statistics
Total FTP SLB Parsing Stats(PASV):
  Total FTP:                           0
  Total New FTP SLB parsing Index:     0
  FTP SLB parsing ACK/SEQ diff:        0
/stats/slb/ftp/maint
FTP SLB Maintenance Statistics
FTP mode switch error: 0
/stats/slb/ftp/dump
FTP SLB Statistics Dump
Total FTP :                           0
Total FTP NAT Filtered:               0
Total new active FTP NAT Index:       0
Total new FTP SLB parsing Index:      0
FTP Active FTP NAT ACK/SEQ diff:      0
FTP SLB parsing ACK/SEQ diff:         0
FTP mode switch error:                0

Statistics                          Description
Total FTP NAT Filtered              The total number of FTP NAT filter sessions that occurred.
Total new active FTP NAT Index      The total number of new data sessions created for the FTP NAT filter in active mode.
Total new FTP SLB parsing Index     The number of times the switch creates a new index in response to the PASV command from the client.
FTP Active FTP NAT ACK/SEQ diff     The total number of times the adjustment between ACK and SEQ occurred on the filter.
FTP SLB parsing ACK/SEQ diff        The difference in the numbers of ACK and SEQ that the switch needs for FTP SLB parsing.
FTP mode switch error               The number of times the switch could not switch mode from active to passive and vice versa.
/stats/slb/rtsp
RTSP SLB Statistics
     Control      UDP          Connection                Buffer       Alloc
SP   Connection   Streams      Redirect     Denied       Allocs       Failures
--   ----------   ----------   ----------   ----------   ----------   ----------
 1            0            0            0            0            0            0
 2            0            0            0            0            0            0
 3            0            0            0            0            0            0
 4            0            0            0            0            0            0
--   ----------   ----------   ----------   ----------   ----------   ----------
              0            0            0            0            0            0
/stats/slb/dns
DNS SLB Statistics
Total number of TCP DNS queries:                   0
Total number of UDP DNS queries:                   0
Total number of invalid DNS queries:               0
Total number of multiple DNS queries:              0
Total number of domain name parse errors:          0
Total number of failed real server name matches:   0
Total number of DNS parsing internal errors:       0
/stats/slb/wap
WAP SLB Statistics
This command displays all the Radius and WAP related counters.
WAP Maintenance stats:
  current sessions:            0
  allocation failures:         0
  incorrect VIPs:              0
  incorrect Vports:            0
  no available real server:    0
  requests to wrong SP:        0
-----------------------------------------------------------------
TPCP External Notification stats:
  add session reqs:            0
  del session reqs:            0
  req fails- SP dead:          0
  req fails- SP dead:          0
-----------------------------------------------------------------
RADIUS Snooping stats:
  acct reqs:                   0
  acct wrap reqs:              0
  acct start reqs:             0
  acct update reqs:            0
  acct stop reqs:              0
  acct bad reqs:               0
  acct reqs(FIP):              0
  acct reqs(no FIP):           0
  add session reqs:            0
  del session reqs:            0
  req fails- SP dead:          0
  req fails- DMA:              0

WAP Maintenance stats:
  current sessions           The number of session bindings currently in use.
  allocation failures        Indicates instances where the switch ran out of available bindings for a port.
  incorrect VIPs             Indicates the number of times the switch received a Layer 4 request for a virtual server which was not configured.
  incorrect Vports           This dropped frames counter indicates that the virtual server has received frames for TCP/UDP services that have not been configured. Normally this indicates a misconfiguration on the virtual server or the client.
  no available real server   This dropped frames counter indicates that all real servers are either out of service or at their maxcon limit.
  requests to wrong SP       The number of session add/delete requests sent to the wrong SP.
TPCP External Notification stats:
  add session reqs           The number of WAP session add requests via TPCP.
  req fails- SP dead         The number of add-request failures due to a dead target SP.

RADIUS Snooping stats:
  acct reqs                  The number of RADIUS Accounting frames received.
  acct wrap reqs             The number of wrapped RADIUS Accounting frames received.
  acct start reqs            The number of RADIUS Accounting Start frames received.
  acct update reqs           The number of RADIUS Accounting Update frames.
  acct stop reqs             The number of RADIUS Accounting Stop frames received.
  acct bad reqs              The number of bad RADIUS Accounting frames received.
  add session reqs           The number of WAP session add requests via RADIUS snooping.
  del session reqs           The number of WAP session delete requests via RADIUS snooping.
  req fails- SP dead         The number of add/delete request failures due to a dead target SP.
  req fails- DMA             The number of add/delete requests that failed due to a DMA write failure.
/stats/slb/maint
SLB Maintenance Statistics
SLB Maintenance stats:
  Maximum sessions:                    2097104
  Current sessions:                          0
  4 second average:                          0
  64 second average:                         0
  Terminated sessions:                       0
  Allocation failures:                       0
  UDP datagrams:                             0
  Non TCP/IP frames:                         0
  Incorrect VIPs:                            0
  Incorrect Vports:                          0
  No available real server:                  0
  Backup server activations:                 0
  Overflow server activations:               0
  Filtered (denied) frames:                  0
  LAND attacks:                              0
  No TCP control bits:                       0
  Invalid reset packet drops:                0
  Total IP fragment sessions:                0
  Current IP fragment sessions               0
  IP fragment discards:                      0
  IP fragment table full:                    0
  Current IPF buffer sessions:               0
  Highest IPF buffer sessions:               0
  IPF buffer alloc fails:                    0
  IPF SP buffer alloc fails:                 0
  SP buffer too low:                         0
  Exceeded 16 OOO packets:                   0
  Free Service pool entries:              8192
  Current IP6 sessions:                      0
  Incorrect IP6 VIPs:                        0
  Incorrect IP6 Vports:                      0
  IP6 packets drops:                         0
SLB Maintenance statistics are described in the following table.

Table 5-49 Server Load Balancing Maintenance Statistics (/stats/slb/maint)

Statistic                     Description
Maximum sessions              The maximum number of simultaneous sessions supported.
Current Sessions              Number of session bindings currently in use (the last 4 and 64 seconds).
Terminated Sessions           Number of sessions removed from the session table because the server assigned to them failed and graceful server failure was not enabled.
Allocation Failures           Indicates instances where the switch ran out of available sessions for a port.
UDP Datagrams                 Indicates that the virtual server IP address and MAC are receiving UDP frames when UDP balancing is not turned on.
Non TCP/IP Frames             Indicates the number of non-IP based frames received by the virtual server.
Incorrect VIPs                Indicates the number of times the switch received a Layer 4 request for a virtual server which was not configured.
Incorrect Vports              This dropped frames counter indicates that the virtual server has received frames for TCP/UDP services that have not been configured. Normally this indicates a misconfiguration on the virtual server or the client, but it may be an indication of a potential security probing application like SATAN.
No Available Real Server      This dropped frames counter indicates that all real servers are either out of service or at their maxcon limit.
Backup Server Activations     This indicates the number of times a real server failure has occurred and caused a backup server to be brought online.
Overflow Server Activations   This indicates the number of times a real server has reached the maxcon limit and caused an overflow server to be brought online.
Filtered (Denied) Frames      This indicates the number of frames that were dropped because they matched an active filter with the deny action set.
LAND attacks                  This counter increases whenever a packet has the same source and destination IP addresses and ports.
No TCP Control Bits           The number of packets that were dropped because the packet had no control bits set in the TCP header.
Invalid reset packet drops    The number of packets that were dropped because the packet had an invalid reset flag set.
Total IP fragment sessions    This represents the total number of fragment sessions the switch has processed so far.
Current IP fragment sessions  This represents the current number of fragment sessions.
IP fragment discards          The number of fragmented packets that are discarded due to lack of resources.
IP fragment table full        This counter indicates how many times the session table is full.
Free service pool entries     This counter indicates the number of free service pool entries.
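Several of these counters are the switch's own signal for probing and malformed traffic (Incorrect Vports, LAND attacks, No TCP Control Bits, Filtered (Denied) Frames), so a monitoring job would poll this output and alert on growth rather than on absolute values. The following Python is an added example, not Nortel code: it parses the label/value lines of /stats/slb/maint and reports which security-relevant counters increased between two polls. The counter selection, the regular expression and the two snapshots are constructed for this example.

```python
import re
from typing import Dict

# Counters from /stats/slb/maint that the table above ties to probing,
# attack or filter-drop activity. The selection is this example's.
SECURITY_COUNTERS = (
    "Incorrect Vports",           # "may be an indication of ... security probing"
    "No available real server",
    "Filtered (denied) frames",
    "LAND attacks",
    "No TCP control bits",
    "Invalid reset packet drops",
)

# One "label: value" per line. Labels may contain spaces, '/', '(' and digits,
# and one line of the real output ("Current IP fragment sessions") lacks the colon,
# so the colon is optional and the label is matched lazily.
_STAT_LINE = re.compile(r"^\s*(.+?):?\s+(\d+)\s*$")


def parse_slb_maint(text: str) -> Dict[str, int]:
    """Parse the text of '/stats/slb/maint' into a {counter: value} dict.

    Header lines such as 'SLB Maintenance stats:' carry no number and are skipped.
    """
    stats: Dict[str, int] = {}
    for line in text.splitlines():
        m = _STAT_LINE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def security_deltas(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, int]:
    """Return the security-relevant counters that grew between two polls, with the increase.

    A counter missing from the earlier poll is treated as 0 there; counters missing
    from the later poll (older firmware, different menu) are ignored.
    """
    deltas: Dict[str, int] = {}
    for name in SECURITY_COUNTERS:
        if name in after:
            growth = after[name] - before.get(name, 0)
            if growth > 0:
                deltas[name] = growth
    return deltas


# Constructed snapshots of the switch output, taken one polling interval apart.
SNAPSHOT_T0 = """\
SLB Maintenance stats:
  Maximum sessions:            2097104
  Current sessions:                  0
  Incorrect VIPs:                    0
  Incorrect Vports:                  0
  No available real server:          0
  Filtered (denied) frames:          0
  LAND attacks:                      0
  No TCP control bits:               0
  Invalid reset packet drops:        0
  Current IP fragment sessions       0
  Free Service pool entries:      8192
"""

SNAPSHOT_T1 = """\
SLB Maintenance stats:
  Maximum sessions:            2097104
  Current sessions:                  3
  Incorrect VIPs:                    0
  Incorrect Vports:                 37
  No available real server:          0
  Filtered (denied) frames:        120
  LAND attacks:                      2
  No TCP control bits:               0
  Invalid reset packet drops:        0
  Current IP fragment sessions       0
  Free Service pool entries:      8192
"""

if __name__ == "__main__":
    grown = security_deltas(parse_slb_maint(SNAPSHOT_T0), parse_slb_maint(SNAPSHOT_T1))
    for name, growth in grown.items():
        print(f"ALERT {name}: +{growth} since last poll")
```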
/stats/slb/sip
SIP SLB Statistics
SIP Stats:
  Total number of SIP Client Parse Errors      : 0
  Total number of SIP Server Parse Errors      : 0
  Total number of SIP Unknown Method packets   : 0
  Total number of SIP Incomplete Messages      : 0
  Total number of SIP Filter Parse Errors      : 0
  Total number of packets with SIP SDP NAT     : 0

Total number of SIP Unknown Method packets   Total number of packets received with methods not known to the SIP parser on the switch.
Total number of SIP Incomplete Messages      Total number of packets received which do not have the complete SIP message in a single packet.
Total number of SIP Filter Parse Errors      Total number of errors encountered during filter processing when parsing an incoming SIP packet.
Total number of packets with SIP SDP NAT     Total number of packets received that have SIP SDP NAT information.
/stats/slb/mirror
Display Workload Manager SASP statistics
Table 5-52 SLB Session Mirroring Statistics (/stats/slb/mirror)

>> Server Load Balancing Statistics# mirror
-----------------------------------------------------------------
Session Mirroring Stats:                      Rx        Tx
  Total Create Session Messages                0         0
  Total Update Session Messages                0         0
  Total Delete Session Messages                0         0
  Total Create Data Session Messages           0         0
  Total Update Data Session Messages           0         0
  Total Delete Data Session Messages           0         0
  Total Sessions Created                       0
  Total Sessions Updated                       0
  Total Sessions Deleted                       0
  Total Data Sessions Created                  0
  Total Data Sessions Updated                  0
  Total Data Sessions Deleted                  0
  Session table full                           0
  Unvailable pport                             0
  Session already present                      0
  Session not found                            0
  Control session not found                    0
BW Contract statistics
Contract  Name             Rate(Kbps)  Octets      Discards    BufUsed  BufMax
--------  ---------------  ----------  ----------  ----------  -------  -----
       1  cont1                     0    40465360   262049256        0  16320
       2  cont2                     0           0           0        0  16320
      20  cont20                 5230   682947936  1822133376    16384  16320
      26  cont26                    0           0           0        0  16320
    1024  Default                   0      773974           0        0  16320
       1  cont1                     0    40465360   262049256        0  16320
       2  cont2                     0           0           0        0  16320
      20  cont20                 5238   684289056  1825753104    16384  16320
      26  cont26                    0           0           0        0  16320
    1024  Default                   0      774114           0        0  16320

The following description of statistics applies on a specific switch port for all enabled contracts.

NOTE This command displays enabled contracts only.

Table 5-55 Bandwidth Management Contract Statistics (/stats/bwm/cont)

Statistics   Description
Contract     The contract number.
Name         The contract name.
Octets       The number of octets transmitted through a particular contract since the switch was booted.
Discards     The number of octets discarded because more traffic was seen than the bandwidth contract limit permits.
Total Pkts   The total number of packets classified for that contract.
BufUsed      The current amount of buffer space used to store the packets that are waiting to be transmitted.
/stats/bwm/rcont
BWM Contract Rate Statistics
Use this command to show the rate statistics of all the enabled contracts.

NOTE This command displays enabled contracts only. This command repeats its output when the printed lines are fewer than the configured CLI lines per screen. If the CLI lines per screen are configured at zero, the command continues to repeat its output until you type a key on the console or telnet session. You can configure the number of CLI lines per screen using the global (hidden) command: lines <number of lines>. For example:

>> AAS_2424 - Bandwidth Management Statistics# lines
Current lines-per-screen: 24
>> AAS_2424 - Bandwidth Management Statistics# lines ?
lines    sets lines-per-screen 0-300, zero for infinite
BW Contract statistics
Contract  Name             Rate(Kbps)  Octets      Discards    BufUsed  BufMax
--------  ---------------  ----------  ----------  ----------  -------  ------
       1  cont1                  5222   285408288   735607152    16384  456960
       2  cont2                     0           0           0        0  456960
      20  cont20                 5238   285720864   735308784    16384  456960
      26  cont26                    0           0           0        0  456960
    1024  Default                   4      517182           0        0  456960
       1  cont1                  5230   286747296   739228896    16384  456960
       2  cont2                     0           0           0        0  456960
      20  cont20                 5230   287059872   738930528    16384  456960
      26  cont26                    0           0           0        0  456960
    1024  Default                   8      519400           0        0  456960
       1  cont1                  5222   288084192   742853160    16384  456960
       2  cont2                     0           0           0        0  456960
      20  cont20                 5238   288400992   742550760    16384  456960
      26  cont26                    0           0           0        0  456960
    1024  Default                   8      521578           0        0  456960
/stats/bwm/hist
BWM History Statistics
Switch IP       Cont  Name              Octets      Discards    TimeStamp
                                                                YyyyMmDd:Hr:Mi/TmZone
--------------- ----  ----------------  ----------  ----------  ---------------------
47.80.23.124       1  filter_number01            0           0  20030910:15:11/ -8:00
47.80.23.124       2  filter_number02            0           0  20030910:15:11/ -8:00
47.80.23.124       3  filter_number03            0           0  20030910:15:11/ -8:00
47.80.23.124       4  filter_number04            0           0  20030910:15:11/ -8:00
47.80.23.124       5  filter_number05            0           0  20030910:15:11/ -8:00
47.80.23.124       6  filter_number06            0           0  20030910:15:11/ -8:00
47.80.23.124       7  filter_number07            0           0  20030910:15:11/ -8:00
47.80.23.124       8  filter_number08            0           0  20030910:15:11/ -8:00
47.80.23.124       9  filter_number09            0           0  20030910:15:11/ -8:00
47.80.23.124      10  filter_number10            0           0  20030910:15:11/ -8:00
47.80.23.124    1024  Default                  608           0  20030910:15:11/ -8:00

You can dump the stats kept in the SMTP history buffer, which are dumped periodically when an e-mail is sent. This command keeps long-term history only for the contracts that are enabled and have the history command turned on. Use this command to show the history of all the contracts for which the history command is enabled. The sampling is done at one-minute intervals.

Table 5-57 Bandwidth Management History Statistics (/stats/bwm/hist)

Statistics   Description
Contract     The contract number for which history is enabled.
Octets       The number of octets sent out on a particular contract.
Discards     The number of octets discarded because more traffic was seen than the bandwidth contract limit permits.
TimeStamp    Indicates the time the packets were received or discarded.
NOTE These statistics can only be viewed when the e-mail option is enabled.
/stats/bwm/maint
BWM Maintenance Statistics
BWM Maint statistics
-----------------------------------------------------------------
Maint Stats for rate limiting contracts
  Discard pkts                             0
  Discard octets                           0
  Out pkts                                 0
  Out octets                               0
  Transmit failed                          0
  User Limit entry allocation failures     0
-----------------------------------------------------------------
Maint Stats for traffic shaping contracts
  QFull Discard pkts                       0
  QFull Discard octets                     0
  Out of buffers pkts                      0
  Out of buffers pkts                      0
  Transmit failed                          0
  TDT set when qfull                       0
  TDT set between soft and hard            0
  TDT set at soft                          0
/stats/bwm/ipusers
BWM IP Users Statistics
This command displays the number of BWM IP user entries for each BWM contract for each SP.
BWM IP users statistics
Contract  SP1         SP2         SP3         SP4         Total
--------  ----------  ----------  ----------  ----------  ----------
      10           0          10           0           0          10
      11           0          10           0           0          10
          ----------  ----------  ----------  ----------  ----------
                   0          20           0           0          20
/stats/security/dos
DOS Attack Statistics Menu
[Protocol Anomaly and DoS Attack Prevention Statistics Menu]
     port     - Show port protocol anomaly and DoS attack prevention stats
     dump     - Dump all protocol anomaly and DoS attack prevention stats
     clear    - Clear all protocol anomaly and DoS attack prevention stats
     help     - Protocol anomaly and DoS attack prevention description
Refer to your Nortel Application Switch Operating System Application Guide for a detailed description of DOS attacks.
>> /stats/security/dos help
iplen       : IPv4 packets with bad IP header or payload length.
ipversion   : IPv4 packets with IP version not 4.
broadcast   : IPv4 packets with broadcast source or destination IP [0.0.0.0,255.255.255.255].
loopback    : IPv4 packets with loopback source or destination IP [127.0.0.0/8].
land        : IPv4 packets with same source and destination IP.
ipreserved  : IPv4 packets with IP reserved bit is set.
ipttl       : IPv4 packets with small IP TTL.
ipprot      : IPv4 packets with IP protocol is unassigned or reserved.
ipoptlen    : IPv4 packets with bad IP options length.
fragmoredont: IPv4 packets with more fragments and don't fragment bits are set.
fragdata    : IPv4 packets with more fragments bit is set and small payload.
fragboundary: IPv4 packets with more fragments bit is set and payload not at 8-byte boundary.
fraglast    : IPv4 packets last fragment without payload.
fragdontoff : IPv4 packets with non-zero fragment offset and don't fragment bits are set.
fragopt     : IPv4 packets with non-zero fragment offset and IP options.
fragoff     : IPv4 packets with small non-zero fragment offset.
fragoversize: IPv4 packets with non-zero fragment offset and oversize payload.
tcplen      : TCP packets with bad TCP header length.
tcpportzero : TCP packets with source or destination port is zero.
blat        : TCP packets with SIP!=DIP and SPORT=DPORT.
tcpreserved : TCP packets with TCP reserved bit is set.
nullscan    : TCP packets with all control bits are zero.
fullxmasscan: TCP packets with all control bits are set.
finscan     : TCP packets with only FIN bit is set.
vecnascan   : TCP packets with only URG or PUSH or URG|FIN or PSH|FIN or URG|PSH bits are set.
xmasscan    : TCP packets with FIN, URG and PSH bits are set.
synfinscan  : TCP packets with SYN and FIN bits are set.
flagabnormal: TCP packets with abnormal control bits combination.
syndata     : TCP packets with SYN bit is set and with payload.
synfrag     : TCP packets with SYN bit is set and more fragments bit is set.
ftpport     : TCP packets with SPORT=20, DPORT<1024 and SYN bit is set.
dnsport     : TCP packets with SPORT=53, DPORT<1024 and SYN bit is set.
seqzero     : TCP packets with sequence number is zero.
ackzero     : TCP packets with acknowledgement number is zero and ACK bit is set.
tcpoptlen   : TCP packets with bad TCP options length.
udplen      : UDP packets with bad UDP header length.
udpportzero : UDP packets with source or destination port is zero.
fraggle     : UDP packets to broadcast destination IP (x.x.x.255).
pepsi       : UDP packets with SPORT=19, DPORT=7 or SPORT=7, DPORT=19.
rc8         : UDP packets with SPORT=7 and DPORT=7.
snmpnull    : UDP packets with DPORT=161 and without payload.
icmplen     : ICMP packets with bad ICMP header length.
smurf       : ICMP ping requests to a broadcast destination IP (x.x.x.255).
icmpdata    : ICMP packets with zero fragment offset and large payload.
icmpoff     : ICMP packets with large fragment offset.
icmptype    : ICMP packets with type is unassigned or reserved.
igmplen     : IGMP packets with bad IGMP header length.
igmpfrag    : IGMP packets with more fragments bit is set or non-zero fragment offset.
igmptype    : IGMP packets with type is unassigned or reserved.
arplen      : ARP request or reply packets with bad length.
arpnbcast   : ARP request packets with non broadcast destination MAC.
arpnucast   : ARP reply packets with non unicast destination MAC.
arpspoof    : ARP request or reply packets with mismatch source with sender MACs or destination with target MACs.
garp        : ARP request or reply packets with same source and destination IP.
ip6len      : IPv6 packets with bad header length.
ip6version  : IPv6 packets with IP version not 6.
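The help text above is the switch's definition of each protocol-anomaly counter. As an added example (not Nortel code), the following Python applies a subset of those definitions to decoded header fields, so a defender can reproduce the counter attribution offline, for instance to check which rule a captured packet would have incremented. The Packet record, the flag constants and the exact-flag-set reading of the scan rules are assumptions made here; rules that need a threshold the help does not state (ipttl, fragdata, icmpdata and similar) are left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# TCP control bits as laid out in the TCP header (standard values).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass
class Packet:
    """Decoded header fields handed to the classifier (a constructed record type)."""
    src_ip: str
    dst_ip: str
    proto: str                  # "tcp", "udp" or "icmp"
    more_fragments: bool = False
    dont_fragment: bool = False
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0
    seq: int = 1
    ack: int = 1
    payload_len: int = 0
    icmp_type: int = 8          # 8 = echo request


def _ends_255(ip: str) -> bool:
    """The 'x.x.x.255' destination form named by the fraggle and smurf rules."""
    return ip.endswith(".255")


def classify(p: Packet) -> List[str]:
    """Return the help-list names of every rule the packet triggers, in help-list order.

    Assumption: nullscan, finscan, vecnascan, xmasscan and fullxmasscan are read as exact
    flag sets; synfinscan, syndata, ftpport and dnsport need only the named bits present.
    """
    hits: List[str] = []
    src, dst = ipaddress.ip_address(p.src_ip), ipaddress.ip_address(p.dst_ip)
    # IPv4 header rules
    if {p.src_ip, p.dst_ip} & {"0.0.0.0", "255.255.255.255"}:
        hits.append("broadcast")
    if src in LOOPBACK or dst in LOOPBACK:
        hits.append("loopback")
    if src == dst:
        hits.append("land")
    if p.more_fragments and p.dont_fragment:
        hits.append("fragmoredont")
    # TCP rules
    if p.proto == "tcp":
        f = p.tcp_flags
        if p.sport == 0 or p.dport == 0:
            hits.append("tcpportzero")
        if src != dst and p.sport == p.dport:
            hits.append("blat")
        if f == 0:
            hits.append("nullscan")
        if f == ALL_FLAGS:
            hits.append("fullxmasscan")
        if f == FIN:
            hits.append("finscan")
        if f in (URG, PSH, URG | FIN, PSH | FIN, URG | PSH):
            hits.append("vecnascan")
        if f == FIN | URG | PSH:
            hits.append("xmasscan")
        if f & SYN and f & FIN:
            hits.append("synfinscan")
        if f & SYN and p.payload_len > 0:
            hits.append("syndata")
        if f & SYN and p.sport == 20 and p.dport < 1024:
            hits.append("ftpport")
        if f & SYN and p.sport == 53 and p.dport < 1024:
            hits.append("dnsport")
        if p.seq == 0:
            hits.append("seqzero")
        if f & ACK and p.ack == 0:
            hits.append("ackzero")
    # UDP rules
    elif p.proto == "udp":
        if p.sport == 0 or p.dport == 0:
            hits.append("udpportzero")
        if _ends_255(p.dst_ip):
            hits.append("fraggle")
        if (p.sport, p.dport) in ((19, 7), (7, 19)):
            hits.append("pepsi")
        if (p.sport, p.dport) == (7, 7):
            hits.append("rc8")
        if p.dport == 161 and p.payload_len == 0:
            hits.append("snmpnull")
    # ICMP rules
    elif p.proto == "icmp":
        if p.icmp_type == 8 and _ends_255(p.dst_ip):
            hits.append("smurf")
    return hits


if __name__ == "__main__":
    # Constructed sample: a FIN/URG/PSH probe, which the switch would count as xmasscan.
    print(classify(Packet("10.0.0.2", "10.0.0.9", "tcp", sport=4444, dport=80,
                          tcp_flags=FIN | URG | PSH)))
```

A packet can increment more than one counter; for example all six bits set matches both fullxmasscan and synfinscan, which is why the function returns a list rather than a single name.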
/stats/security/ipacl
IP Access Control List Statistics
The following IP Access Control List statistics can be viewed with this command:
[IP ACL Statistics Menu]
     dump     - IP address access control Stats
     clear    - Clear all access control Stats
/stats/security/udpblast
UDP Blast Statistics
[UDP Blast Statistics Menu]
     dump     - UDP Blast Stats
     clear    - Clear all UDP Blast Stats
/stats/security/udpblast/dump
UDP Blast Dump Statistics
UDP blast protection stats:
UDP Port   Blocked Packets   Current Packet Rate/Second
--------   ---------------   --------------------------
/stats/security/pgroup
UDP Pattern Match Statistics
Pattern Match Group stats:
ID   Name        Hits
 1                  0
This menu displays how many times each configured pattern group has been matched and a subsequent filtering action performed. Pattern groups are configured in the Pattern Matching Menu on page 404.
/stats/security/ratelim
Rate Limiting Statistics
Rate limiting stats:
TCP:
  Total hold downs triggered:           0
  Current per-client state entries:     0
UDP:
  Total hold downs triggered:           0
  Current per-client state entries:     0
ICMP:
  Total hold downs triggered:           0
  Current per-client state entries:     0
/stats/security/dump
Dump Statistics for Security
IP ACL stats:
Address   Blocked Packets
-------   ---------------
-----------------------------------------------------------------
UDP blast protection stats:
UDP Port   Blocked Packets   Current Packet Rate/Second
--------   ---------------   --------------------------
-----------------------------------------------------------------
Pattern Match Group stats:
ID     Name        Hits
  1                   0
100                   0
101                   0
-----------------------------------------------------------------
Rate limiting stats:
TCP:
  Total hold downs triggered:           0
  Current per-client state entries:     0
UDP:
  Total hold downs triggered:           0
  Current per-client state entries:     0
ICMP:
  Total hold downs triggered:           0
  Current per-client state entries:     0
/stats/mp/pkt
MP Packet Statistics
Packet counts:
  allocs:          89262    frees:                    89262
  mediums:             0    mediums hi-watermark:         4
  jumbos:              0    jumbos hi-watermark:          0
  smalls:              0    smalls hi-watermark:          4
  alloc fails:         0    packet discards:              0
TCP counts:
  allocs:           4866    frees:                     4827
  current:            46    current hi-watermark:       146
  alloc fails:         0    alloc discards:               0

jumbos hi-watermark   The highest number of packet allocations with size between 1536 bytes and 9K bytes from the packet buffer pool by the TCP/IP protocol stack.
smalls hi-watermark   The highest number of packet allocations with size less than 128 bytes from the packet buffer pool by the TCP/IP protocol stack.
249
TCP counts: allocs current alloc fails frees current hi-watermark alloc discards Total number of TCP packet allocations from MP memory by the TCP/IP protocol stack. Total number of TCP packet allocations from MP memory by the TCP/IP protocol stack. Total number of TCP packet allocation failures from MP memory by the TCP/IP protocol stack. Total number of times the TCP packet buffers are freed (released) to MP memory by the TCP/IP protocol stack. The highest number of TCP packet allocation from MP memory by the TCP/IP protocol stack. The number of TCP packets that are discarded by the MP. The packets are discarded because MP memory resources are not available.
250
/stats/mp/tcb
TCP Statistics
All TCP allocated control blocks:
117f6d00:   0.0.0.0         0  <=>  0.0.0.0        23  listen
117f81a8:   47.81.27.6   1331  <=>  47.80.16.59    80  established
/stats/mp/ucb
UCB Statistics
All UDP allocated control blocks:
161:     listen
1985:    listen
3122:    listen
/stats/mp/sfd
MP-Specific SFD Statistics
All Socket FD allocated:
0   -1   16   1180b128:   server   0.0.0.0   0  <=>  47.133.88.31    81   listen   TCP
1   -1   17   108c5bd8:   server   0.0.0.0   0  <=>  47.133.88.31    23   listen   TCP
2   -1   18   108d5cfc:   server   0.0.0.0   0  <=>  47.133.88.31    22   listen   TCP
3   -1   19   1180a258:   server   0.0.0.0   0  <=>  47.133.88.31   443   listen   TCP
/stats/mp/cpu
CPU Statistics
This menu option displays the CPU utilization statistics on the MP.

CPU utilization:
    cpuUtil1Second:      0
    cpuUtil4Seconds:     0
    cpuUtil64Seconds:    0
/stats/sp/cpu
CPU Statistics
This menu option displays the CPU utilization statistics on the Switch Processor (SP).

CPU utilization for SP 1:
    cpuUtil1Second:      6%
    cpuUtil4Seconds:     6%
    cpuUtil64Seconds:    6%
CHAPTER 6: The Configuration Menu
320506-A, January 2006
NOTE The apply command is a global command. Therefore, you can enter apply at any prompt in the administrative interface.
NOTE All configuration changes take effect immediately when applied, except for starting Spanning Tree Protocol. To turn STP on or off, you must apply the changes, save them (see below), and then reset the switch (see Resetting the Switch on page 517).
NOTE If you do not save the changes, they will be lost the next time the system is rebooted. To save the new configuration, enter the following command at any CLI prompt:
# save
When you save configuration changes, the changes are saved to the active configuration block. The configuration being replaced by the save is first copied to the backup configuration block. If you do not want the previous configuration block copied to the backup configuration block, enter the following instead:
# save n
You can decide which configuration you want to run the next time you reset the switch. Your options include: The active configuration block The backup configuration block Factory default configuration You can view all pending configuration changes that have been applied but not saved to flash memory using the diff flash command. It is a global command that can be executed from any menu. For instructions on selecting the configuration to run at the next system reset, see Selecting a Configuration Block on page 515.
This menu provides configuration of switch management parameters such as user and administrator privilege mode passwords, Web-based management settings, and the management access list.

Table 6-2 System Configuration Menu Options (/cfg/sys)

Command    Syntax and Usage
syslog     Displays the Syslog Menu. To view menu options, see page 263.
mmgmt      Displays the Management Port Menu. To view menu options, see page 264.
radius     Displays the RADIUS Authentication Menu. To view menu options, see page 268.
tacacs     Displays the TACACS+ Authentication Menu. To view menu options, see page 270.
ntp        Displays the Network Time Protocol (NTP) Server Menu. To view menu options, see page 271.
/cfg/sys/syslog
System Host Log Configuration
NOTE Nortel Application Switch Operating System 23.0 supports the RFC 3164 standard for syslog messages.

[Syslog Menu]
    host     - Set IP address of first syslog host
    host2    - Set IP address of second syslog host
    sever    - Set the severity of first syslog host
    sever2   - Set the severity of second syslog host
    facil    - Set facility of first syslog host
    facil2   - Set facility of second syslog host
    console  - Enable/disable console output of syslog messages
    log      - Enable/disable syslogging of features
    cur      - Display current syslog settings
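The menu above sets a facility and a severity per syslog host, and the NOTE says the switch emits RFC 3164 messages. On the wire those two values travel together as the PRI field (facility * 8 + severity) at the front of every message, so a collector that receives the switch's syslog has to decode PRI before it can filter or alert. The following Python is an added example, not code from the manual or from Nortel: it parses constructed RFC 3164 lines (the first is the RFC's own sample) and applies a per-host severity threshold. The assumption that the page's per-host "sever" value acts as a threshold (forward everything at that severity or more urgent) is the example's, not a statement the page makes.

```python
"""RFC 3164 syslog parsing and per-host severity filtering (added example)."""
import re

# Facility and severity names from RFC 3164 section 4.1.1.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
_HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL)

# Constructed sample input (the first line is the example from RFC 3164 itself).
SAMPLE_MESSAGES = [
    "<34>Oct 11 22:14:15 nas01 su: 'su root' failed for lonvick on /dev/pts/8",
    "<134>Jan 17 09:05:00 appswitch01 mgmt: login from 192.0.2.10",
    "Use the BFG!",  # no PRI at all
]


def split_pri(pri: int) -> tuple:
    """Decode PRI = facility * 8 + severity; valid PRI values are 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def parse_syslog(raw: str) -> dict:
    """Parse one RFC 3164 message into PRI, HEADER and MSG parts.

    A message with no valid PRI is treated as user.notice (PRI 13), as
    RFC 3164 section 4.3.3 directs; a missing HEADER leaves timestamp and
    hostname as None and keeps the rest as the MSG.
    """
    m = _PRI_RE.match(raw)
    if m is None:
        facility, severity, rest = 1, 5, raw
    else:
        facility, severity = split_pri(int(m.group(1)))
        rest = m.group(2)
    h = _HEADER_RE.match(rest)
    if h is None:
        timestamp, hostname, msg = None, None, rest
    else:
        timestamp, hostname, msg = h.groups()
    return {"facility": facility, "facility_name": FACILITIES[facility],
            "severity": severity, "severity_name": SEVERITIES[severity],
            "timestamp": timestamp, "hostname": hostname, "msg": msg}


def forward_to(parsed: dict, hosts: dict) -> list:
    """Return the syslog hosts that should receive this message.

    `hosts` maps a host address to the highest severity number it wants.
    Assumption (the example's, not the manual's): the per-host severity is a
    threshold, and lower numbers are more urgent, as in RFC 3164.
    """
    return [addr for addr, level in hosts.items() if parsed["severity"] <= level]


if __name__ == "__main__":
    hosts = {"192.0.2.50": 3, "192.0.2.51": 7}  # constructed collector addresses
    for line in SAMPLE_MESSAGES:
        p = parse_syslog(line)
        print(f"{p['facility_name']}.{p['severity_name']:7} {p['hostname']} -> {forward_to(p, hosts)}")
```

Note the fallback in parse_syslog: a relay must not drop a line just because the PRI is missing or malformed, because an attacker who can make the switch emit an unparseable line would otherwise have a way to suppress it from the collector.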
/cfg/sys/mmgmt
Management Port Configuration Menu
The Management port is a Fast Ethernet port used exclusively to manage the switch. While the switch can be managed from any network port, the Management port saves consuming a port that could otherwise be used for processing data and traffic. The switch can be managed over this port using the telnet CLI, SNMP, or HTTP. The port is isolated from, and does not participate in, the networking protocols that run on the network ports. The Management port must be configured with a static IP address, subnet mask, broadcast address, and default gateway, and must be enabled before it can be used. If this port is disabled, all switch management (other than management over the console) has to take place over the network ports. If this port is enabled, the factory default settings for some of the management features remain with the network ports. You can change the defaults by configuring these features to permanently use the Management port, or in some cases, by using the operational commands to set these options on a one-time basis.

NOTE The Management port does not support BOOTP.

[Management Port Menu]
    port    - Management Port Phy Menu
    addr    - Set IP address
    mask    - Set subnet mask
    gw      - Set default gateway address
    intr    - Set interval between gateway ping attempts
    retry   - Set number of failed attempts to declare gateway DOWN
    dns     - Set default port for DNS
    ntp     - Set default port for NTP
    radius  - Set default port for RADIUS
    tacacs  - Set default port for TACACS+
    smtp    - Set default port for SMTP
    snmp    - Set default port for SNMP traps
    syslog  - Set default port for SYSLOG
    sonmp   - Set default IP for SONMP hello packets
    tftp    - Set default port for FTP/TFTP
    wlm     - Set default port for Workload Manager
    report  - Set default port for Reporting server
    ena     - Enable management port
    dis     - Disable management port
    cur     - Display current configuration
/cfg/sys/mmgmt/port
Management Port Link Menu
[Management Port Link Menu]
    speed  - Set link speed
    mode   - Set full or half duplex mode
    auto   - Set autonegotiation
    cur    - Display current link configuration
/cfg/sys/radius
RADIUS Server Configuration
[RADIUS Server Menu]
    prisrv   - Set primary RADIUS server address
    secsrv   - Set secondary RADIUS server address
    secret   - Set primary RADIUS server secret
    secret2  - Set secondary RADIUS server secret
    port     - Set RADIUS port
    retries  - Set RADIUS server retries
    timeout  - Set RADIUS server timeout
    telnet   - Enable/disable RADIUS backdoor for telnet
    on       - Turn RADIUS authentication ON
    off      - Turn RADIUS authentication OFF
    cur      - Display current RADIUS configuration
/cfg/sys/tacacs
TACACS+ Server Configuration Menu
TACACS (Terminal Access Controller Access Control System) is an authentication protocol that allows a remote access server to forward a user's logon password to an authentication server, which decides whether access to a given system is allowed. Original TACACS does not encrypt its traffic and is therefore less secure than TACACS+ and Remote Authentication Dial-In User Service (RADIUS). (TACACS is described in RFC 1492; TACACS+ is a separate, Cisco-developed protocol.) TACACS+ is considered more reliable than RADIUS because TACACS+ uses the Transmission Control Protocol (TCP) whereas RADIUS uses the User Datagram Protocol (UDP). Also, RADIUS combines authentication and authorization in a user profile, whereas TACACS+ separates the two operations. TACACS+ has been implemented in Nortel Application Switch Operating System to support customers who use Cisco's TACACS+ as their network security feature. Apart from that, TACACS+ offers the following advantages over RADIUS as the authentication mechanism:
- TACACS+ is TCP-based, so it supports connection-oriented traffic.
- It encrypts the full packet body, whereas RADIUS hides only the password in authentication requests.
- It supports decoupled authentication, authorization, and accounting.
[TACACS+ Server Menu]
    prisrv   - Set primary TACACS+ server address
    secsrv   - Set secondary TACACS+ server address
    secret   - Set primary TACACS+ server secret
    secret2  - Set secondary TACACS+ server secret
    port     - Set TACACS+ TCP port
    retries  - Set TACACS+ server retries
    timeout  - Set TACACS+ server timeout (seconds)
    telnet   - Enable/disable TACACS+ backdoor for telnet
    on       - Turn TACACS+ authentication ON
    off      - Turn TACACS+ authentication OFF
    cur      - Display current TACACS+ configuration
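The comparison above ("full-packet encryption" for TACACS+ versus "password-only" for RADIUS) is easier to judge once you see what each protocol actually does with the shared secret configured by the secret and secret2 commands. The Python below is an added example, not Nortel code and not part of the manual: it implements the RADIUS User-Password hiding of RFC 2865 section 5.2 and the TACACS+ body obfuscation of the Cisco draft (later RFC 8907 section 4.5), then builds a constructed first packet of each kind to show what a capture exposes. The shared secret, user name, password and the attribute layouts are all constructed for the example.

```python
"""RADIUS password hiding versus TACACS+ body encryption (added example, not Nortel code)."""
import hashlib
import os
import struct


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: the User-Password attribute is XORed with an MD5 keystream
    derived from the shared secret and the 16-byte Request Authenticator.  No other
    attribute in the Access-Request (User-Name, NAS-IP-Address, ...) is protected."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("RADIUS passwords are 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(x ^ y for x, y in zip(padded[i:i + 16], block))
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of radius_hide_password: anyone holding the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # padding was NUL; a password ending in NUL would be truncated


def tacacs_plus_crypt(body: bytes, session_id: int, key: bytes,
                      version: int = 0xC0, seq_no: int = 1) -> bytes:
    """TACACS+ body obfuscation: the whole body is XORed with a chained keystream
    MD5(session_id || key || version || seq_no || previous digest).  Symmetric, so
    the same call decrypts.  Still MD5-based: confidentiality rests entirely on the
    shared key, which is why the secret commands on the page matter."""
    hdr = struct.pack("!I", session_id) + key + bytes([version & 0xFF, seq_no & 0xFF])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(hdr + prev).digest()
        pad += prev
    return bytes(x ^ y for x, y in zip(body, pad))


def on_the_wire(secret: bytes, username: bytes, password: bytes) -> dict:
    """Constructed comparison: what a capture of each protocol's first packet exposes."""
    authenticator = os.urandom(16)
    # RADIUS Access-Request: User-Name (type 1) in clear, User-Password (type 2) hidden.
    radius_attrs = {1: username, 2: radius_hide_password(password, secret, authenticator)}
    # Constructed TACACS+ authentication START body: action LOGIN, priv_lvl 0, PAP,
    # service LOGIN, user_len, port_len 0, rem_addr_len 0, data_len, user, password.
    start = bytes([1, 0, 2, 1, len(username), 0, 0, len(password)]) + username + password
    session_id = int.from_bytes(os.urandom(4), "big")
    tacacs_body = tacacs_plus_crypt(start, session_id, secret)
    return {
        "radius_username_visible": username in radius_attrs[1],
        "radius_password_visible": password in radius_attrs[2],
        "tacacs_username_visible": username in tacacs_body,
        "tacacs_password_visible": password in tacacs_body,
        "authenticator": authenticator, "radius_attrs": radius_attrs,
        "session_id": session_id, "tacacs_body": tacacs_body,
    }


if __name__ == "__main__":
    for k, v in on_the_wire(b"s3cr3t", b"alice", b"hunter2").items():
        if k.endswith("_visible"):
            print(f"{k:26} {v}")
```

Two practical consequences follow. First, both constructions are keyed only by the shared secret, so the secret is the whole of the protection: a leaked secret decrypts captured RADIUS passwords and TACACS+ sessions alike. Second, neither is an authenticated cipher by modern standards, which is a reason to keep the switch-to-server path on a dedicated management network (see /cfg/sys/mmgmt and /cfg/sys/access/mgmt) rather than rely on the protocol itself.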
/cfg/sys/ntp
NTP Server Configuration
This menu enables you to synchronize the switch clock to a Network Time Protocol (NTP) server. By default, this option is disabled.

[NTP Server Menu]
    prisrv   - Set primary NTP server address
    secsrv   - Set secondary NTP server address
    intrval  - Set NTP server resync interval
    tzone    - Set NTP timezone offset from GMT
    on       - Turn NTP service ON
    off      - Turn NTP service OFF
    cur      - Display current NTP configuration
/cfg/sys/sonmp
SynOptics Network Management Protocol Configuration
[SONMP Menu]
    srcif  - Set source interface to be used in hello packets
    on     - Turn Ethernet Autotopology ON
    off    - Turn Ethernet Autotopology OFF
    cur    - Display current SONMP configuration

SynOptics Network Management Protocol (SONMP) is a proprietary network management protocol used by Nortel Networks Optivity Switch Manager (OSM) to discover Nortel Application Switches on the network. The following commands add support for the Ethernet Autotopology algorithm and the Bay Topology MIB. The topology algorithm is executed by each Nortel Application Switch on which SONMP is enabled.

Table 6-9 System Configuration Menu Options (/cfg/sys/sonmp)

Command    Syntax and Usage
srcif <interface number (1-256)>    Specifies the interface whose IP address is used in the hello packets. If the specified interface is not up, the first interface that is up and running is used instead.
on     Enables the SONMP protocol and turns Ethernet Autotopology on.
off    Disables the SONMP protocol and turns Ethernet Autotopology off.
cur    Displays the current SONMP configuration.
/cfg/sys/ssnmp
System SNMP Configuration
Nortel Application Switch Operating System supports SNMP-based network management. In the SNMP model of network management, a management station (client/manager) accesses a set of variables known as MIBs (Management Information Base) provided by the managed device (agent). If you are running an SNMP network management station on your network, you can manage the switch using the following standard SNMP MIBs:
- MIB II (RFC 1213)
- Ethernet MIB (RFC 1643)
- Bridge MIB (RFC 1493)

An SNMP agent is a software process on the managed device that listens on UDP port 161 for SNMP messages. Each SNMP message sent to the agent contains a list of management objects to retrieve or to modify. SNMP parameters that can be modified include:
- System name
- System location
- System contact
- Use of the SNMP system authentication trap function
- Read community string
- Write community string
- Trap community strings

[System SNMP Menu]
    snmpv3   - SNMPv3 Menu
    name     - Set SNMP "sysName"
    locn     - Set SNMP "sysLocation"
    cont     - Set SNMP "sysContact"
    rcomm    - Set SNMP read community string
    wcomm    - Set SNMP write community string
    trsrc    - Set SNMP trap source interface
    timeout  - Set timeout for the SNMP state machine
    auth     - Enable/disable SNMP "sysAuthenTrap"
    linkt    - Enable/disable SNMP link up/down trap
    cur      - Display current system SNMP configuration
NOTE The trsrc command applies only to SNMPv1 and SNMPv2 traps, because only SNMPv1 and SNMPv2 trap packets carry the source IP address field that this command sets. SNMPv3 packets do not contain this field.

timeout <SNMP state machine timeout minutes, 1-30>
    Defines the timeout period for the SNMP state machine. When you use diff and apply, memory is allocated to store the output of the command. The timeout period determines when the resources/memory allocated for that output are freed.
auth disable|enable
    Enables or disables the system authentication trap facility. The default setting is disabled.
linkt <port> <disable|enable>
    Enables or disables the sending of SNMP link up and link down traps for the port. The default setting is enabled.
cur
    Displays the current system SNMP configuration.
/cfg/sys/ssnmp/snmpv3
SNMPv3 Configuration Menu
SNMP version 3 (SNMPv3) is an extensible SNMP framework that supplements the SNMPv2 framework by supporting the following:
- a new SNMP message format
- security for messages
- access control
- remote configuration of SNMP parameters
For more details on the SNMPv3 architecture, refer to RFC 2271 through RFC 2276 (since superseded by RFC 3411 through RFC 3418).

[SNMPv3 Menu]
    usm     - usmUser Table menu
    view    - vacmViewTreeFamily Table menu
    access  - vacmAccess Table menu
    group   - vacmSecurityToGroup Table menu
    comm    - community Table menu
    taddr   - targetAddr Table menu
    tparam  - targetParams Table menu
    notify  - notify Table menu
    v1v2    - Enable/disable V1/V2 access
    cur     - Display current SNMPv3 configuration

access    Displays the vacmAccess Table menu. The view-based Access Control Model defines a set of services that an application can use for checking the access rights of a user. You need access control when you have to process a retrieval or modification request from an SNMP entity. To view menu options, see page 280.
group    Displays the vacmSecurityToGroup Table menu. A group maps the user name to the access group names and the access rights needed to access SNMP management objects. A group defines the access rights assigned to all names that belong to it. To view menu options, see page 282.
comm <snmpCommunity number [1-16]>    The community table contains objects for mapping community strings and version-independent SNMP message parameters. To view menu options, see page 283.
taddr <snmpTargetAddr number [1-16]>    Configures destination information, consisting of a transport domain and a transport address; together these are termed a transport endpoint. The SNMP MIB provides a mechanism for performing source address validation on incoming requests, and for selecting community strings based on target addresses for outgoing notifications. To view menu options, see page 284.
tparam <target params index [1-16]>    Configures SNMP parameters, consisting of message processing model, security model, security level, and security name information. There may be multiple transport endpoints associated with a particular set of SNMP parameters, or a particular transport endpoint may be associated with several sets of SNMP parameters. To view menu options, see page 285.
notify <notify index [1-16]>    A notification application typically monitors a system for particular events or conditions, and generates Notification-Class messages based on them. To view menu options, see page 286.
v1v2 disable|enable    Enables or disables access via SNMP version 1 and version 2. Enabled by default, which means community-string access remains possible alongside any SNMPv3 users you configure until you disable it.
cur    Displays the current SNMPv3 configuration.
/cfg/sys/ssnmp/snmpv3/usm
User Security Model Configuration Menu
You can make use of a defined set of user identities using this Security Model. An SNMP engine must have the knowledge of applicable attributes of a user. This menu helps you create a user security model entry for an authorized user. You need to provide a security name to create the USM entry.
[SNMPv3 usmUser 1 Menu]
    name    - Set USM user name
    auth    - Set authentication protocol
    authpw  - Set authentication password
    priv    - Set privacy protocol
    privpw  - Set privacy password
    del     - Delete usmUser entry
    cur     - Display current usmUser configuration

Table 6-12 User Security Model Configuration Menu Options (/cfg/sys/ssnmp/snmpv3/usm)

Command    Syntax and Usage
name <32 character name>    Configures a string of up to 32 characters that represents the name of the user. This is the login name you need in order to access the switch.
auth md5|sha|none    Selects the authentication protocol: HMAC-MD5-96 or HMAC-SHA-96. The default is none.
authpw    If you selected an authentication protocol with the auth command, you must provide a password, otherwise you get an error message during validation. Creates or changes the authentication password.
priv des|none    Selects the privacy protocol, which protects messages from disclosure. The options are des (CBC-DES Symmetric Encryption Protocol) or none. If you specify des as the privacy protocol, you must also have selected an authentication protocol (HMAC-MD5-96 or HMAC-SHA-96); with auth set to none, you get an error message.
privpw    Creates or changes the privacy password.
del    Deletes the USM user entry.
cur    Displays the USM user entries.
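The authpw and privpw passwords configured above are never used directly as keys. The USM (RFC 3414, appendix A.2) first stretches the password into a key Ku and then localizes it with the agent's engine ID to produce Kul, which is what the HMAC-MD5-96 / HMAC-SHA-96 tag and the CBC-DES key are derived from. The Python below is an added example, not Nortel code and not from the manual: it implements that derivation, the 12-byte truncated authentication parameter, the split of Kul into DES key and pre-IV, and the page's own rule that des privacy requires an authentication protocol. The password "maplesyrup" and engine ID used for checking are the test vectors published in RFC 3414 appendix A.3; the message bytes are constructed.

```python
"""SNMPv3 USM password-to-key and localization (RFC 3414 appendix A.2), added example."""
import hashlib
import hmac

_EXPANSION_BYTES = 1024 * 1024               # RFC 3414 A.2: hash 1,048,576 bytes of password
_HASH_FOR_AUTH = {"md5": "md5", "sha": "sha1"}  # the page's auth md5|sha choices

# RFC 3414 appendix A.3 test vector inputs (public values, not switch configuration).
RFC3414_PASSWORD = b"maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: bytes, engine_id: bytes, auth: str) -> bytes:
    """Return Kul, the key localized to one SNMP engine.

    Ku  = H(password repeated up to 1 MiB)
    Kul = H(Ku || engineID || Ku)
    Kul differs per engine, so a key recovered from one switch does not
    authenticate to another even when the same password was configured.
    """
    if not password:
        raise ValueError("empty password")
    algo = _HASH_FOR_AUTH[auth]
    h = hashlib.new(algo)
    reps = _EXPANSION_BYTES // len(password) + 1
    h.update((password * reps)[:_EXPANSION_BYTES])
    ku = h.digest()
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_parameter(kul: bytes, whole_msg: bytes, auth: str) -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: HMAC over the whole message, truncated to 12 bytes."""
    return hmac.new(kul, whole_msg, _HASH_FOR_AUTH[auth]).digest()[:12]


def des_privacy_keys(kul: bytes) -> tuple:
    """CBC-DES (RFC 3414 section 8.1.1.1): the first 8 bytes of the localized privacy
    key are the DES key and the next 8 the pre-IV; only 16 bytes are used even for SHA."""
    return kul[:8], kul[8:16]


def validate_usm_entry(auth: str, priv: str) -> None:
    """The page's rule: priv des is only valid together with auth md5 or sha."""
    if auth not in ("md5", "sha", "none") or priv not in ("des", "none"):
        raise ValueError("unknown protocol")
    if priv == "des" and auth == "none":
        raise ValueError("privacy protocol des requires an authentication protocol")


if __name__ == "__main__":
    for auth in ("md5", "sha"):
        kul = password_to_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID, auth)
        print(auth, kul.hex(), auth_parameter(kul, b"constructed message", auth).hex())
```

The localization step is why the engine ID is worth recording when you inventory switches: an SNMPv3 credential dumped from one device's configuration is engine-specific, whereas a v1/v2 community string (see v1v2 in the menu above) is reusable anywhere it is configured.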
/cfg/sys/ssnmp/snmpv3/view
SNMPv3 View Configuration Menu

[SNMPv3 vacmViewTreeFamily 1 Menu]
    name  - Set view name
    tree  - Set MIB subtree (OID) which defines a family of view subtrees
    mask  - Set view mask
    type  - Set view type
    del   - Delete vacmViewTreeFamily entry
    cur   - Display current vacmViewTreeFamily configuration
/cfg/sys/ssnmp/snmpv3/access
View-based Access Control Model Configuration Menu
The view-based Access Control Model defines a set of services that an application can use for checking access rights of the user. Access control is needed when the user has to process SNMP retrieval or modification request from an SNMP entity.
[SNMPv3 vacmAccess 1 Menu]
    name    - Set group name
    prefix  - Set context prefix
    model   - Set security model
    level   - Set minimum level of security
    match   - Set prefix only or exact match
    rview   - Set read view index
    wview   - Set write view index
    nview   - Set notify view index
    del     - Delete vacmAccess entry
    cur     - Display current vacmAccess configuration

Table 6-14 View-based Access Control Model Menu Options (/cfg/sys/ssnmp/snmpv3/access)

Command    Syntax and Usage
name <32 character name>    Defines the name of the group.
prefix <32 character name>    Defines the name of the context. An SNMP context is a collection of management information that an SNMP entity can access; an SNMP entity may have access to many contexts. For more information on naming management information, see RFC 2571, the SNMP architecture document. The view-based Access Control Model defines a table that lists the locally available contexts by contextName.
model usm|snmpv1|snmpv2    Selects the security model to be used.
level noAuthNoPriv|authNoPriv|authPriv    Defines the minimum level of security required to gain access rights. noAuthNoPriv means the SNMP message is sent without authentication and without a privacy protocol. authNoPriv means the message is sent with authentication but without a privacy protocol. authPriv means the message is sent with both authentication and a privacy protocol.
match exact|prefix    If set to exact, all rows whose contextName exactly matches the prefix are selected. If set to prefix, all rows whose leading octets of contextName match the prefix are selected.
rview <32 character view name>    The read view name (up to 32 characters) that grants read access to a particular MIB view. If the value is empty, or no active MIB view has this name, no access is granted.
wview <32 character view name>    The write view name (up to 32 characters) that grants write access to the MIB view. If the value is empty, or no active MIB view has this name, no access is granted.
nview <32 character view name>    The notify view name (up to 32 characters) that grants notify access to the MIB view.
del    Deletes the View-based Access Control entry.
cur    Displays the View-based Access Control configuration.
/cfg/sys/ssnmp/snmpv3/group
SNMPv3 Group Configuration Menu
[SNMPv3 vacmSecurityToGroup 1 Menu]
    model  - Set security model
    uname  - Set USM user name
    gname  - Set group name
    del    - Delete vacmSecurityToGroup entry
    cur    - Display current vacmSecurityToGroup configuration
/cfg/sys/ssnmp/snmpv3/comm
SNMPv3 Community Table Configuration Menu
This command is used for configuring the community table entry. The configured entry is stored in the community table list in the SNMP engine. This table is used to configure community strings in the Local Configuration Datastore (LCD) of SNMP engine.
[SNMPv3 snmpCommunityTable 1 Menu]
    index  - Set community index
    name   - Set community string
    uname  - Set USM user name
    tag    - Set community tag
    del    - Delete communityTable entry
    cur    - Display current communityTable configuration

Table 6-16 SNMPv3 Community Table Configuration Menu Options (/cfg/sys/ssnmp/snmpv3/comm)

Command    Syntax and Usage
index <32 character name>    Configures the unique index value of a row in this table, up to 32 characters.
name <32 character name>    Defines the community string (up to 32 characters) that SNMPv1/v2c requests present. In the security model it is mapped to the USM user given by uname.
uname <32 character name>    Defines the USM user name, as configured with /cfg/sys/ssnmp/snmpv3/usm/name on page 278, on whose behalf requests carrying this community string are processed.
tag <list of tag string, max 255 characters>    Configures a tag of up to 255 characters. The tag selects the set of transport endpoints from which this community string is accepted and to which notifications using it are sent.
del    Deletes the community table entry.
cur    Displays the community table configuration.
/cfg/sys/ssnmp/snmpv3/taddr
SNMPv3 Target Address Table Configuration Menu
This command is used to configure the target transport entry. The configured entry is stored in the target address table list in the SNMP engine. This table of transport addresses is used in the generation of SNMP messages.
[SNMPv3 snmpTargetAddrTable 1 Menu]
    name     - Set target address name
    addr     - Set target transport address IP
    port     - Set target transport address port
    taglist  - Set tag list
    pname    - Set targetParams name
    del      - Delete targetAddrTable entry
    cur      - Display current targetAddrTable configuration
/cfg/sys/ssnmp/snmpv3/tparam
SNMPv3 Target Parameters Table Configuration Menu
You can configure the target parameters entry and store it in the target parameters table in the SNMP engine. This table contains parameters that are used to generate a message. The parameters include the message processing model (for example: SNMPv3, SNMPv2c, SNMPv1), the security model (for example: USM), the security name, and the security level (noAuthnoPriv, authNoPriv, or authPriv).
[SNMPv3 snmpTargetParamsTable 1 Menu]
    name     - Set target params name
    mpmodel  - Set message processing model
    model    - Set security model
    uname    - Set USM user name
    level    - Set minimum level of security
    del      - Delete targetParamsTable entry
    cur      - Display current targetParamsTable configuration

Table 6-18 Target Parameters Table Configuration Menu Options (/cfg/sys/ssnmp/snmpv3/tparam)

Command    Syntax and Usage
name <32 character name>    Configures the locally arbitrary, but unique, identifier associated with this entry.
mpmodel snmpv3|snmpv1|snmpv2c    Selects the message processing model used to generate SNMP messages.
model usm|snmpv1|snmpv2    Selects the security model used when generating the SNMP messages.
uname <32 character name>    Defines the name that identifies the user in the USM table (page 278) on whose behalf SNMP messages are generated using this entry.
level noAuthNoPriv|authNoPriv|authPriv    Selects the level of security used when generating SNMP messages with this entry. noAuthNoPriv means the message is sent without authentication and without a privacy protocol. authNoPriv means the message is sent with authentication but without a privacy protocol. authPriv means the message is sent with both authentication and a privacy protocol.
del    Deletes the targetParamsTable entry.
cur    Displays the current targetParamsTable configuration.
/cfg/sys/ssnmp/snmpv3/notify
SNMPv3 Notify Table Configuration Menu
SNMPv3 uses a Notification Originator to send out traps. A notification application typically monitors a system for particular events or conditions, and generates Notification-Class messages based on them.

[SNMPv3 snmpNotifyTable 1 Menu]
    name  - Set notify name
    tag   - Set notify tag
    del   - Delete notifyTable entry
    cur   - Display current notifyTable configuration
/cfg/sys/health
System Health Check Configuration Menu
[System TCP Health Menu]
    add  - Add TCP services to listen for health check
    rem  - Remove TCP services from listening
    on   - Turn system TCP health services ON
    off  - Turn system TCP health services OFF
    cur  - Display current TCP health services configuration
/cfg/sys/access
System Access Control Configuration
[System Access Menu]
    mgmt    - Management Network Access Menu
    port    - Port Management Access Menu
    user    - User Access Control Menu (passwords)
    https   - HTTPS (Web) Server Access Menu
    sshd    - SSH Server Menu
    xml     - XML Configuration Access Menu
    http    - Enable/disable HTTP (Web) server access
    wport   - Set HTTP (Web) server port number
    snmp    - Set SNMP access control
    tnport  - Set Telnet server port number
    rlimit  - Set max rate of ARP, ICMP, TCP, or UDP packets to MP
    cur     - Display current system access configuration
/cfg/sys/access/mgmt
Management Networks Menu
This menu is used to define the IP address ranges that are allowed to access the switch for management purposes. Nortel Application Switch Operating System 23.0 supports up to 10 management networks.

NOTE The add and rem commands below replace the /cfg/sys/mnet and /cfg/sys/mmask commands found in earlier releases of Nortel Application Switch Operating System.

[Management Networks Menu]
    add  - Add mgmt network definition
    rem  - Remove mgmt network definition
    cur  - Display current mgmt network definitions

NOTE If you configure the management networks without including the switch interfaces, the Firewall Load Balancing health checks fail and a Network Down state results on the network.

rem <mgmt network address> <mgmt network mask>    Removes a defined network, which consists of a management network address and a management network mask.
cur    Displays the current configuration.
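Before applying a management network list it is worth checking it offline against two failure modes this section names: the 10-entry limit, and the NOTE above about locking out the switch's own interfaces and breaking the Firewall Load Balancing health checks. The Python below is an added example, not Nortel code and not part of the manual. It models the add/rem/cur menu as an allow-list of IPv4 networks with dotted masks and adds a review() function that reports uncovered switch interfaces and any entry wide enough to admit the whole Internet. One assumption is the example's own, not the page's: that an empty list means management is reachable from any source.

```python
"""Offline model of the /cfg/sys/access/mgmt allow-list (added example, not Nortel code)."""
import ipaddress

MAX_MGMT_NETWORKS = 10  # the page: up to 10 management networks


class MgmtNetworks:
    """Mirror of add/rem/cur plus the checks a reviewer would run before `apply`."""

    def __init__(self) -> None:
        self.nets = []

    @staticmethod
    def _net(address: str, mask: str) -> ipaddress.IPv4Network:
        # The menu takes a dotted mask, e.g. "192.0.2.0 255.255.255.0"; strict=False
        # accepts an address with host bits set, as the CLI's network/mask pair would.
        return ipaddress.IPv4Network(f"{address}/{mask}", strict=False)

    def add(self, address: str, mask: str) -> None:
        net = self._net(address, mask)
        if net in self.nets:
            return
        if len(self.nets) >= MAX_MGMT_NETWORKS:
            raise ValueError(f"at most {MAX_MGMT_NETWORKS} management networks")
        self.nets.append(net)

    def rem(self, address: str, mask: str) -> None:
        self.nets.remove(self._net(address, mask))

    def cur(self) -> list:
        return [f"{n.network_address} {n.netmask}" for n in self.nets]

    def permits(self, source: str) -> bool:
        # Assumption (the example's): with no networks defined there is no restriction.
        if not self.nets:
            return True
        src = ipaddress.IPv4Address(source)
        return any(src in n for n in self.nets)

    def review(self, switch_interface_ips: list) -> list:
        """Findings, not enforcement: switch interfaces the list would exclude (the
        page's FWLB health-check NOTE) and entries that allow management from anywhere."""
        findings = []
        for ip in switch_interface_ips:
            if not self.permits(ip):
                findings.append(f"switch interface {ip} is outside every mgmt network")
        for n in self.nets:
            if n.prefixlen == 0:
                findings.append(f"{n} permits management from any source")
        return findings


if __name__ == "__main__":
    m = MgmtNetworks()                        # constructed values throughout
    m.add("192.0.2.0", "255.255.255.0")       # NOC subnet
    m.add("10.10.0.0", "255.255.0.0")         # FWLB / interface subnet
    print(m.cur())
    print(m.review(["10.10.1.1", "172.16.5.1"]))
```

Run review() with every address from /cfg/ip/if before you apply and save, and re-run it whenever an interface is added, since the switch applies the list to its own health-check traffic as well as to administrators.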
/cfg/sys/access/port
Port Management Access Menu
[Port Management Access Menu]
    add   - Add port with management access
    aadd  - Add all ports with management access
    rem   - Remove port from management access
    arem  - Remove all ports from management access
    cur   - Display current ports with management access
/cfg/sys/access/user
User Access Control Menu
[User Access Control Menu]
    uid    - User ID Menu
    usrpw  - Set user password (user)
    sopw   - Set SLB operator password (slboper)
    l4opw  - Set L4 operator password (l4oper)
    opw    - Set operator password (oper)
    sapw   - Set SLB administrator password (slbadmin)
    l4apw  - Set L4 administrator password (l4admin)
    admpw  - Set administrator password (admin)
    cur    - Display current user status
NOTE Passwords can be a maximum of 15 characters.

Table 6-24 User Access Control Menu Options (/cfg/sys/access/user)

Command    Syntax and Usage
uid <User ID, 1-10>    Displays the User ID Menu. To view menu options, see page 294.
usrpw    Sets the user (user) password. The user has no direct responsibility for switch management; he or she can view switch status information and statistics, but cannot make any configuration changes.
sopw    Sets the SLB operator (slboper) password. The SLB operator manages Web servers and other Internet services and their loads. He or she can view all switch information and statistics and can enable/disable servers using the Server Load Balancing configuration menus. Access includes user functions.
l4opw    Sets the Layer 4 operator (l4oper) password. The Layer 4 operator manages traffic on the lines leading to the shared Internet services. He or she can view all switch information and statistics. Access includes slboper functions.
opw    Sets the operator (oper) password. The operator manages all functions of the switch. He or she can view all switch information and statistics and can reset ports or the entire switch. Access includes l4oper functions.
sapw    Sets the SLB administrator (slbadmin) password. The SLB administrator configures and manages Web servers and other Internet services and their loads. He or she can view all switch information and statistics, but can make configuration changes only on the Server Load Balancing menus. The Filter Menu options are not accessible to the SLB administrator. Access includes l4oper functions.
l4apw    Sets the Layer 4 administrator (l4admin) password. The Layer 4 administrator configures and manages traffic on the lines leading to the shared Internet services. He or she can view all switch information and statistics and can configure parameters on the Server Load Balancing menus, except filters. Access includes slbadmin functions.
/cfg/sys/access/user/uid
System User ID Configuration Menu
This feature allows the users to operate the real servers assigned to them. Using this command you can list the current status of the real server including the real server number, the real server name, the operational state of the real server, and the number of current sessions. You can enable or disable the real servers and change the password for accessing these real servers.
[User ID 1 Menu]
    cos   - Set class of service
    name  - Set user name
    pswd  - Set user password
    add   - Add real server
    rem   - Remove real server
    ena   - Enable user ID
    dis   - Disable user ID
    del   - Delete user ID
    cur   - Display current user configuration
/cfg/sys/access/https
HTTPS Access Configuration Menu
[https Menu]
    https     - Enable/Disable HTTPS Web access
    port      - HTTPS WebServer port number
    generate  - Generate self-signed HTTPS server certificate
    certSave  - Save HTTPS certificate
    cur       - Display current SSL Web Access configuration
/cfg/sys/access/sshd
SSH Server Menu
[SSH Server Menu]
    sshport  - Set SSH server port number
    ena      - Enable SCP apply and save
    on       - Turn SSH server ON (SSHv1/SSHv2)
    cur      - Display current SSH server configuration
/cfg/sys/access/xml
XML Configuration Access Menu
[XML Config Access Menu]
    xml       - Enable/disable XML config access
    port      - Set XML server port number
    gtcert    - Import XML client certificate
    delcert   - Delete XML client certificate
    dispcert  - Display XML client certificate
    debug     - Debug XML operations
    cur       - Display current XML config access configuration
/cfg/sys/access/xml/xml
Example of enabling or disabling XML access
Current XML access:       disabled
Pending new XML access:   enabled
Enter new XML access [d/e]:
/cfg/sys/timezone
Configure the Timezone
>> Main# /cfg/sys/timezone Please identify a location so that time zone rules can be set correctly. Please select a continent or ocean. 1) Africa 2) Americas 3) Antarctica 4) Arctic Ocean 5) Asia 6) Atlantic Ocean 7) Australia 8) Europe 9) Indian Ocean 10) Pacific Ocean 11) None - disable timezone setting Enter the number of your choice: 2 Please select a country. 1) Anguilla 18) Ecuador 35) Paraguay 2) Antigua & Barbuda 19) El Salvador 36) Peru 3) Argentina 20) French Guiana 37) Puerto Rico 4) Aruba 21) Greenland 38) St Kitts & Nevis 5) Bahamas 22) Grenada 39) St Lucia 6) Barbados 23) Guadeloupe 40) St Pierre & Miquelon 7) Belize 24) Guatemala 41) St Vincent 8) Bolivia 25) Guyana 42) Suriname 9) Brazil 26) Haiti 43) Trinidad & Tobago 10) Canada 27) Honduras 44) Turks & Caicos Is 11) Cayman Islands 28) Jamaica 45) United States 12) Chile 29) Martinique 46) Uruguay 13) Colombia 30) Mexico 47) Venezuela 14) Costa Rica 31) Montserrat 48) Virgin Islands (UK) 15) Cuba 32) Netherlands Antilles 49) Virgin Islands (US) 16) Dominica 33) Nicaragua 17) Dominican Republic 34) Panama Enter the number of your choice: 10
Please select one of the following time zone regions.
 1) Newfoundland Island
 2) Atlantic Time - Nova Scotia (most places), NB, W Labrador, E Quebec & PEI
 3) Atlantic Time - E Labrador
 4) Eastern Time - Ontario & Quebec - most locations
 5) Eastern Time - Thunder Bay, Ontario
 6) Eastern Standard Time - Pangnirtung, Nunavut
 7) Eastern Standard Time - east Nunavut
 8) Eastern Standard Time - central Nunavut
 9) Central Time - Manitoba & west Ontario
10) Central Time - Rainy River & Fort Frances, Ontario
11) Central Time - west Nunavut
12) Central Standard Time - Saskatchewan - most locations
13) Central Standard Time - Saskatchewan - midwest
14) Mountain Time - Alberta, east British Columbia & west Saskatchewan
15) Mountain Time - central Northwest Territories
16) Mountain Time - west Northwest Territories
17) Mountain Standard Time - Dawson Creek & Fort Saint John, British Columbia
18) Pacific Time - west British Columbia
19) Pacific Time - south Yukon
20) Pacific Time - north Yukon
Enter the number of your choice: 2
The commands on the Nortel Application Switch Operating System 2000 series and their descriptions are as follows:
[Port <port_number> Menu]
     fast   - Fast Phy Menu
     gig    - Gig Phy Menu
     pvid   - Set default port VLAN id
     alias  - Set port alias
     name   - Set port name
     cont   - Set default port BW Contract
     nonip  - Set BW Contract for non-IP traffic
     egbw   - Set port egress bandwidth Limit
     rmon   - Enable/Disable RMON for port
     tag    - Enable/disable VLAN tagging for port
     iponly - Enable/disable allowing only IP related frames at ingress
     ena    - Enable port
     dis    - Disable port
     cur    - Display current port configuration
Use these menu options to set port parameters for the port link.
NOTE If the port does not have a Gig Ethernet physical link, the following message is displayed:
>> Port 1# gig
Current Port 1 does not have Gig Ethernet phy.
NOTE Since the speed and mode parameters cannot be set for Gigabit Ethernet ports, these options do not appear on the Gigabit Link Menu.
Link menu options are described in Table 6-38 and appear on the fast and gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as speed, flow control, and negotiation mode for the port link.
Table 6-31 Port Link Configuration Menu Options (/cfg/port/fast|gig)
Command Syntax and Usage
speed 10|100|any
    Sets the link speed. Not all options are valid on all ports. The choices include:
    - Any for automatic detection (default)
    - 10 Mbps
    - 100 Mbps
    This menu appears only if a Fast Ethernet port is selected.
mode full|half|any
    Sets the operating mode. This command is available only in the Fast Link Menu. The choices include:
    - Any for auto negotiation (default)
    - Full-duplex
    - Half-duplex
    This menu appears only if a Fast Ethernet port is selected.
fctl rx|tx|both|none
    Sets the flow control. This command is available only in the Fast Link Menu. The choices include:
    - Receive flow control
    - Transmit flow control
    - Both receive and transmit flow control (default)
    - No flow control
auto on|off
    Enables or disables auto negotiation for the port.
cur
    Displays the current port parameters.
Single-Mode ports
10/100/1000Base-T Copper Ports
When you select a single-mode copper port (1, 2, 7, or 8), you see the menu below:
[Port 1 Menu]
     fast   - Fast Phy Menu
     gig    - Gig Phy Menu
     pvid   - Set default port VLAN id
     alias  - Set port alias
     name   - Set port name
     cont   - Set default port BW Contract
     nonip  - Set BW Contract for non-IP traffic
     egbw   - Set port egress bandwidth Limit
     rmon   - Enable/Disable RMON for port
     tag    - Enable/disable VLAN tagging for port
     iponly - Enable/disable allow IP related frames at ingress
     ena    - Enable port
     dis    - Disable port
     cur    - Display current port configuration
Table 6-33 Single-Mode Copper Port Configuration Menu Options (/cfg/port <1, 2, 7, or 8>)
Command Syntax and Usage
gig
    If a port is configured to support Gigabit Ethernet, this option displays the Copper Gigabit Ethernet Physical Link Menu. To view menu options, see page 308.
pvid <VLAN number (1-4090)>
    Sets the default VLAN number which will be used to forward frames which are not VLAN tagged. The default number is 1.
name <64 character string>|none
    Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to None.
cont <BWM Contract (1-1024)>
    Sets the default Bandwidth Management Contract for this port.
rmon disable|enable
    Disables or enables RMON for this port. It is disabled by default.
tag disable|enable
    Disables or enables VLAN tagging for this port. It is disabled by default.
iponly disable|enable
    Disables or enables allowing only IP-related frames. It is disabled by default.
ena
    Enables the port.
dis
    Disables the port. (To temporarily disable a port without changing its configuration attributes, refer to Temporarily Disabling a Port on page 314.)
cur
    Displays the current port parameters.
Use these menu options to set port parameters for the port link. Link menu options are described in Table 6-38 and appear on the gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as speed, flow control, and negotiation mode for the port link.
Table 6-34 Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu Options (/cfg/port <1, 2, 7, or 8>/gig)
Command Syntax and Usage
speed 10|100|1000|any
    Sets the link speed. Not all options are valid on all ports. The choices include:
    - Any for automatic detection (default)
    - 10 Mbps
    - 100 Mbps
    - 1000 Mbps
mode full|half|any
    Sets the operating mode. The choices include:
    - Any for auto negotiation (default)
    - Full-duplex
    - Half-duplex
fctl rx|tx|both|none
    Sets the flow control. This command is available only in the Fast Link Menu. The choices include:
    - Receive flow control
    - Transmit flow control
    - Both receive and transmit flow control (default)
    - No flow control
auto on|off
    Enables or disables autonegotiation for the port.
cur
    Displays the current Gigabit Ethernet copper link port parameters.
[Port 9 Menu]
     gig    - SFP Gig Phy Menu
     pvid   - Set default port VLAN id
     name   - Set port name
     cont   - Set default port BW Contract
     egbw   - Set port egress bandwidth Limit
     rmon   - Enable/Disable RMON for port
     tag    - Enable/disable VLAN tagging for port
     iponly - Enable/disable allowing only IP related frames
     ena    - Enable port
     dis    - Disable port
     cur    - Display current port configuration
Table 6-35 Single-Mode SFP Gigabit Ethernet Port Configuration Menu Options (/cfg/port <9-12>)
Command Syntax and Usage
gig
    If a port is configured to support Gigabit Ethernet, this option displays the SFP Gigabit Ethernet Physical Link Menu. To view menu options, see page 310.
pvid <VLAN number (1-4090)>
    Sets the default VLAN number which will be used to forward frames which are not VLAN tagged. The default number is 1.
name <64 character string>|none
    Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to None.
cont <BWM Contract (1-1024)>
    Sets the default Bandwidth Management Contract for this port.
rmon disable|enable
    Disables or enables RMON for this port. It is disabled by default.
tag disable|enable
    Disables or enables VLAN tagging for this port. It is disabled by default.
iponly disable|enable
    Disables or enables allowing only IP-related frames. It is disabled by default.
ena
    Enables the port.
dis
    Disables the port. (To temporarily disable a port without changing its configuration attributes, refer to Temporarily Disabling a Port on page 314.)
cur
    Displays the current port parameters.
Use these menu options to set port parameters for the port link. Link menu options are described in Table 6-38 and appear on the gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as flow control and negotiation mode for the port link.
Table 6-36 Single-Mode SFP Gigabit Ethernet Port Link Configuration Menu Options (/cfg/port <9-12>/gig)
Command Syntax and Usage
fctl rx|tx|both|none
    Sets the flow control. The choices include:
    - Receive flow control
    - Transmit flow control
    - Both receive and transmit flow control (default)
    - No flow control
auto on|off
    Enables or disables autonegotiation for the port.
cur
    Displays the current SFP Gigabit Ethernet link port parameters.
Dual-Mode Ports
When you select any one of the dual-mode ports (3-6), you see the menu below:
[Port 3 Menu]
     cop    - Copper Gig Phy Menu
     sfp    - SFP Gig Phy Menu
     pref   - Set preferred link
     back   - Set backup link
     pvid   - Set default port VLAN id
     name   - Set port name
     cont   - Set default port BW Contract
     rmon   - Enable/Disable RMON for port
     tag    - Enable/disable VLAN tagging for port
     iponly - Enable/disable allowing only IP related frames
     ena    - Enable port
     dis    - Disable port
     cur    - Display current port configuration
Use these menu options to set port parameters for the port link. Link menu options are described in Table 6-38 and appear on the cop port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as speed, flow control, and negotiation mode for the port link.
Table 6-38 Dual-Mode Copper Port Link Configuration Menu Options (/cfg/port <3-6>/cop)
Command Syntax and Usage
speed 10|100|1000|any
    Sets the link speed. Not all options are valid on all ports. The choices include:
    - Any for automatic detection (default)
    - 10 Mbps
    - 100 Mbps
    - 1000 Mbps
mode full|half|any
    Sets the operating mode. The choices include:
    - Any for autonegotiation (default)
    - Full-duplex
    - Half-duplex
fctl rx|tx|both|none
    Sets the flow control. The choices include:
    - Receive flow control
    - Transmit flow control
    - Both receive and transmit flow control (default)
    - No flow control
auto on|off
    Enables or disables auto negotiation for the port.
cur
    Displays the current Gigabit Ethernet copper link port parameters.
Table 6-39 Dual-Mode SFP Gigabit Link Configuration Menu Options (/cfg/port <3-6>/sfp)
Command Syntax and Usage
fctl rx|tx|both|none
    Sets the flow control. The choices include:
    - Receive flow control
    - Transmit flow control
    - Both receive and transmit flow control (default)
    - No flow control
cur
    Displays the current SFP Gigabit link port configuration.
Because this configuration sets a temporary state for the port, you do not need to use apply or save. The port state will revert to its original configuration when the Nortel Application Switch is reset. See the Operations Menu on page 499 for other operations-level commands.
Port mirroring is disabled by default. The Port Mirroring Menu is used to configure, enable, and disable the monitored port. When enabled, network packets being sent and/or received on a target port are duplicated and sent to a monitor port. By attaching a network analyzer to the monitor port, you can collect detailed information about your network performance and usage.
Table 6-40 Port Mirroring menu options (/cfg/pmirr)
Command Syntax and Usage
mirror disable|enable
    Enables or disables port mirroring.
monport <monitoring port (port to mirror to)>
    Displays port-mirroring menu options that help configure the port. To view menu options, see page 315.
cur
    Displays the current settings of the mirrored and monitoring ports.
/cfg/pmirr monport
Port-Mirroring Menu
>> Port Mirroring# monport
Enter port (1-28): <port_number>
-----------------------------------------------------------
[Port 1 Menu]
     add - Add "Mirrored" port and VLANs
     rem - Rem "Mirrored" port and VLANs
     cur - Display current Port-based Port Mirroring configuration
[Bandwidth Management Menu]
     cont    - Contract Menu
     policy  - Policy Menu
     group   - Group Menu
     user    - Set SMTP server user name
     report  - Set IP address of Reporting server
     entries - Set number of entries in the BWM IP user table
     frequen - Set the frequency of BWM statistics in minutes
     email   - Enable/disable sending BWM statistics via email
     force   - Enable/disable enforce policies
     on      - Globally turn Bandwidth Management processing ON
     off     - Globally turn Bandwidth Management processing OFF
     cur     - Display current Bandwidth Management configuration
NOTE Up to 1024 bandwidth management contracts can be configured on the Nortel Application Switch Operating System.
Table 6-42 Bandwidth Management Menu Options (/cfg/bwm)
Command Syntax and Usage
cont <BW contract number (1-1024)>
    Displays the Bandwidth Management Contract Menu. To manage bandwidth on a Nortel Application Switch, you must create one or more bandwidth management contracts. The switch uses these contracts to limit individual traffic flows. For further details, see the Nortel Application Switch Operating System 23.0.2 Application Guide. By default, this option is disabled. To view menu options, see page 319.
policy <BW policy number (1-512)>
    Displays the Bandwidth Management Policy Menu. Bandwidth policies are bandwidth limitations defined for any set of frames, specifying the guaranteed bandwidth rates. A bandwidth policy is often based on a rate structure whereby a Web host could charge a customer for bandwidth utilization. For further details, see the Nortel Application Switch Operating System 23.0.2 Application Guide. To view menu options, see page 322.
group <BW Group number (1-32)>
    Displays the Bandwidth Management Group Menu. To view menu options, see page 323.
user <user name>
    Sets the SMTP user name to whom the history statistics will be mailed. The default is set to None.
report <IP4 address> | <IP6 address>
    Sets the IP address of the Reporting Server.
This feature enables the user to configure different policies based on the time of the day using the following menu and commands:
[BW Contract 1 Time Policy 1 Menu]
     day     - Set Time Policy day
     from    - Set Time Policy from hour
     to      - Set Time Policy to hour
     policy  - Set Time Policy
     enable  - Enable Time Policy
     disable - Disable Time Policy
     delete  - Delete Time Policy
     cur     - Display current Time Policy configuration
Table 6-44 BWM Contract Time Policy Configuration Menu Options (/cfg/bwm/timepol)
Command Syntax and Usage
day <mon|tue|wed|thu|fri|sat|sun|weekday|weekend|everyday>
    Defines the day(s) of the week, weekdays (Monday to Friday), weekend (Saturday and Sunday) or everyday. The default is everyday.
from <1-12am/pm>
    Defines the hour at which the time policy starts. If am or pm is not specified, the switch will default to am for numbers lower than 12 and will default to pm for numbers 13 or higher.
to <1-12am/pm>
    Sets the hour at which the time policy ends. If am or pm is not specified, the switch will default to am for numbers lower than 12 and will default to pm for numbers 13 or higher.
policy <BW Policy number, 1-512>
    Defines the policy number for the contract.
enable
    Enables the Time Policy command on the switch.
disable
    Disables the Time Policy command on the switch.
delete
    Deletes the current Time Policy.
cur
    Displays the current Time Policy configuration on the switch. For example:
    Time Policy 1: Day everyday, From Hour 12am, To Hour 12am, Policy 512, disabled
/cfg/bwm/group
Bandwidth Management Group Configuration Menu
[BW Group 1 Menu]
     add - Add Contract to this group
     rem - Remove Contract from this group
     del - Delete BW Group
     cur - Display current BW Group configuration
/cfg/bwm/cur
Bandwidth Management Current Configuration
Current Bandwidth Management setting: ON
Policy Enforcement: enabled
SMTP server user name:

Contract  Name     Policy  Prec  Hist  TOS  State  Shaping
1         cont_1   1       1     E     E    E      E
2         cont_2   2       1     E     D    D      D
1024      Default  -       0     E     D    E      D
*Default contract gets all the BW that is available on a port after the active contracts reserved BW is taken.

Policy  Hard  Soft  Resv  oTOS  uTOS  Buffer
1       25M   20M   500K  150   100   16320
2       10M   8M    500K  0     0     16320
3       2M    1M    500K  0     0     16320
4       2M    1M    500K  0     0     16320
5       2M    1M    500K  0     0     16320
6       2M    1M    500K  0     0     16320
7       2M    1M    500K  0     0     16320
8       2M    1M    500K  0     0     16320
9       2M    1M    500K  0     0     16320
10      2M    1M    500K  0     0     16320
11      2M    1M    500K  0     0     16320
12      2M    1M    500K  0     0     16320
13      2M    1M    500K  0     0     16320
14      2M    1M    500K  0     0     16320
15      2M    1M    500K  0     0     16320
16      2M    1M    500K  0     0     16320
17      2M    1M    500K  0     0     16320
18      2M    1M    500K  0     0     16320
19      2M    1M    500K  0     0     16320
20      2M    1M    500K  0     0     16320
21      2M    1M    500K  0     0     16320
22      2M    1M    500K  0     0     16320
23      2M    1M    500K  0     0     16320
24      2M    1M    500K  0     0     16320
25      2M    1M    500K  0     0     16320
26      2M    1M    500K  0     0     16320
27      2M    1M    500K  0     0     16320
28      2M    1M    500K  0     0     16320
29      2M    1M    500K  0     0     16320
30      2M    1M    500K  0     0     16320
/cfg/l2/mrst
Multiple Spanning Tree Menu
[Multiple Spanning Tree Menu]
     cist    - Common and Internal Spanning Tree menu
     name    - Set MST region name
     version - Set Version of this MST region
     maxhop  - Set Maximum Hop Count for MST (4 - 60)
     mode    - Spanning Tree Mode
     on      - Globally turn Multiple Spanning Tree (MSTP/RSTP) ON
     off     - Globally turn Multiple Spanning Tree (MSTP/RSTP) OFF
     cur     - Display current MST parameters
/cfg/l2/mrst/cist
Multiple Spanning Tree Menu
[Common Internal Spanning Tree Menu]
     brg     - CIST Bridge parameter menu
     port    - CIST Port parameter menu
     default - Default Common Internal Spanning Tree and Member parms
     cur     - Display current CIST parameters
/cfg/l2/mrst/cist/brg
CIST Bridge Menu
[CIST Bridge Menu]
     prior - Set CIST bridge Priority (0-65535)
     mxage - Set CIST bridge Max Age (6-40 secs)
     fwd   - Set CIST bridge Forward Delay (4-30 secs)
     cur   - Display current CIST bridge parameters
/cfg/l2/mrst/cist/brg cur
Current configuration for CIST Bridge
>> CIST Bridge# cur
-----------------------------------------------------------------
Current Common Internal Spanning Tree settings:
Bridge params:
  Priority  MaxAge  FwdDel
  32768     20      15
NOTE When VRRP is used for active/active redundancy, STP must be enabled.
Table 6-52 Spanning Tree Configuration Menu (/cfg/l2/stp)
Command Syntax and Usage
brg
    Displays the Bridge Spanning Tree Menu. To view menu options, see page 331.
port <port number>
    Displays the Spanning Tree Port Menu. To view menu options, see page 332.
add <VLAN numbers (1-4090)>
    Associates a VLAN with a spanning tree and requires an external VLAN ID as a parameter.
remove <VLAN numbers, 1-4095 (802.1d & RSTP) / 2-4094 (MSTP)>
    Breaks the association between a VLAN and a spanning tree and requires an external VLAN ID as a parameter.
clear
    Removes all VLANs from a spanning tree.
on
    Globally enables Spanning Tree Protocol.
off
    Globally disables Spanning Tree Protocol.
default
    Resets STG and Group member parameters to factory default.
cur
    Displays the current Spanning Tree Protocol parameters.
/cfg/l2/stg/brg
Bridge Spanning Tree Configuration
[Bridge Spanning Tree Menu]
     prior - Set bridge Priority [0-65535]
     hello - Set bridge Hello Time [1-10 secs]
     mxage - Set bridge Max Age (6-40 secs)
     fwd   - Set bridge Forward Delay (4-30 secs)
     aging - Set bridge Aging Time (1-65535 secs, 0 to disable)
     cur   - Display current bridge parameters
Spanning Tree bridge parameters affect the global STP operation of the switch. STP bridge parameters include:
- Bridge priority
- Bridge hello time
- Bridge maximum age
- Forwarding delay
- Bridge aging time
Table 6-53 Bridge Spanning Tree Menu Options (/cfg/l2/stp/brg)
Command Syntax and Usage
prior <new bridge priority (0-65535)>
    Configures the bridge priority. The bridge priority parameter controls which bridge on the network is the STP root bridge. To make this switch the root bridge, configure the bridge priority lower than all other switches and bridges on your network. The lower the value, the higher the bridge priority. The range is 0 to 65535, and the default is 32768.
hello <new bridge hello time (1-10 secs)>
    Configures the bridge hello time. The hello time specifies how often the root bridge transmits a configuration bridge protocol data unit (BPDU). Any bridge that is not the root bridge uses the root bridge hello value. The range is 1 to 10 seconds, and the default is 2 seconds.
mxage <new bridge max age (6-40 secs)>
    Configures the bridge maximum age. The maximum age parameter specifies the maximum time the bridge waits without receiving a configuration bridge protocol data unit before it reconfigures the STP network. The range is 6 to 40 seconds, and the default is 20 seconds.
fwd <new bridge Forward Delay (4-30 secs)>
    Configures the bridge forward delay parameter. The forward delay parameter specifies the amount of time that a bridge port has to wait before it changes from the listening state to the learning state and from the learning state to the forwarding state. The range is 4 to 30 seconds, and the default is 15 seconds.
When configuring STP bridge parameters, the following formulas must be used:
    2*(fwd-1) > mxage
    2*(hello+1) < mxage
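The two rules above keep the timers consistent so that a BPDU loss is detected (mxage) before a port can move to forwarding (fwd), and the root's hellos arrive often enough that mxage is not exhausted by ordinary jitter. The following Python is an added example, not code from the Nortel reference: it checks a proposed hello/mxage/fwd set against both formulas and against the documented ranges, and derives the smallest fwd and largest hello a given mxage allows. All function and constant names are this example's own.

```python
# Added example (not from the Nortel reference): validate bridge STP timers
# against the two rules stated for /cfg/l2/stp/brg,
#     2*(fwd-1) > mxage   and   2*(hello+1) < mxage,
# and the documented value ranges. Names are this example's own.

HELLO_RANGE = (1, 10)   # hello <1-10 secs>
MXAGE_RANGE = (6, 40)   # mxage <6-40 secs>
FWD_RANGE = (4, 30)     # fwd <4-30 secs>


def check_stp_bridge_params(hello, mxage, fwd):
    """Return the list of violated rules; an empty list means the set is consistent."""
    problems = []
    for name, value, (lo, hi) in (("hello", hello, HELLO_RANGE),
                                  ("mxage", mxage, MXAGE_RANGE),
                                  ("fwd", fwd, FWD_RANGE)):
        if not lo <= value <= hi:
            problems.append(f"{name}={value} is outside {lo}-{hi} secs")
    # Forward delay must be long enough relative to max age.
    if not 2 * (fwd - 1) > mxage:
        problems.append(f"2*(fwd-1)={2 * (fwd - 1)} must be greater than mxage={mxage}")
    # Hello time must be short enough relative to max age.
    if not 2 * (hello + 1) < mxage:
        problems.append(f"2*(hello+1)={2 * (hello + 1)} must be less than mxage={mxage}")
    return problems


def is_valid_stp_bridge(hello, mxage, fwd):
    """True when the timer set passes every rule (ranges included)."""
    return not check_stp_bridge_params(hello, mxage, fwd)


def min_fwd_for_mxage(mxage):
    """Smallest integer forward delay that satisfies 2*(fwd-1) > mxage."""
    return mxage // 2 + 2


def max_hello_for_mxage(mxage):
    """Largest integer hello time that satisfies 2*(hello+1) < mxage."""
    return (mxage - 1) // 2 - 1


if __name__ == "__main__":
    # The switch defaults (hello 2, mxage 20, fwd 15) satisfy both rules.
    print(check_stp_bridge_params(2, 20, 15))   # []
    # Shortening fwd to 10 with the default mxage breaks the first rule.
    print(check_stp_bridge_params(2, 20, 10))
    print(min_fwd_for_mxage(20), max_hello_for_mxage(20))
```

Run the checker before applying a non-default timer set; with the defaults it returns an empty list, and for mxage 20 it reports that fwd must be at least 12 and hello at most 8.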
Spanning Tree port parameters are used to modify STP operation on an individual port basis. STP port parameters include:
- Port priority
- Port path cost
STP is turned on by default for the port.
Trunking from non-Nortel devices must comply with Cisco EtherChannel technology. By default, the trunk group is empty and disabled.
[Trunk group 1 Menu]
     cont - Set BW contract for this trunk group
     add  - Add port to trunk group
     rem  - Remove port from trunk group
     ena  - Enable trunk group
     dis  - Disable trunk group
     del  - Delete trunk group
     cur  - Display current Trunk Group configuration
passive
    The port is capable of forming an LACP trunk. This port only responds to the negotiation requests sent from an LACP active port.
Each LACP active or passive port needs an admin key, an operational key, and an aggregator for LACP to start negotiation on these ports. You need to assign the same admin key to a group of ports to make them aggregatable. The link can generate a Link Aggregation ID (LAG ID) based on the operational key. All the aggregatable ports must have the same LAG ID. You can form an active LACP trunk group with all the ports that have the same LAG ID. Please refer to your Nortel Application Switch Operating System Application Guide for detailed information on this protocol.
NOTE All ports are in LACP off mode by default.
Use the following commands to configure LACP on the Nortel Application Switch Operating System.
[LACP Menu]
     sysprio - Set LACP system priority
     timeout - Set LACP system timeout scale for timing out partner info
     port    - LACP port Menu
     cur     - Display current LACP configuration
Use the following commands to configure Link Aggregation Control Protocol (LACP) on a selected port.
Table 6-57 Link Aggregation Control Protocol Port Configuration Menu Options (/cfg/l2/lacp/port #)
Command Syntax and Usage
mode <off for no LACP or active or passive>
    off: Using this option, you can turn LACP off for this port. You can use this port to manually configure a static trunk. All ports are in off mode by default.
    active: Using this option, you can turn LACP on and set this port to active. Only active ports initiate negotiation with the partner system port by sending the LACPDU packets.
    passive: Using this option, you can turn LACP on and set this port to passive mode. Passive ports do not initiate negotiation, but only respond to the negotiation requests from active ports.
prio <1-65535>
    Sets the priority value for the selected port. Lower numbers provide higher priority. The default value is 128.
adminkey <1-65535>
    Sets the admin key for this port. Only ports with the same admin key and oper key (operational state generated internally) can form an LACP trunk group.
cur
    Displays the current LACP configuration for this port.
[VLAN Menu]
     - Set VLAN name
     - Assign VLAN to a Spanning Tree Group
     - Set BW contract
     - Add port to VLAN
     - Remove port from VLAN
     - Define VLAN as list of ports
     - Enable/disable Jumbo Frame support
     - Enable/disable smac learning
     - Enable VLAN
     - Disable VLAN
     - Delete VLAN
     - Display current VLAN configuration
NOTE All ports must belong to at least one VLAN. Any port which is removed from a VLAN and which is not a member of any other VLAN is automatically added to default VLAN #1. You cannot remove a port from VLAN #1 if the port has no membership in any other VLAN. Also, you cannot add a port to more than one VLAN unless the port has VLAN tagging turned on (see the tag command on page 307).
Table 6-59 outlines the commands in this menu.
Table 6-59 Port Team Configuration Menu
Command Syntax and Usage
addport <port number>
    Adds the specified port to the current team.
remport <port number>
    Removes the specified port from the current team.
addtrunk <trunk group number>
    Adds a trunk group to the current team.
remtrunk <trunk group number>
    Removes a trunk group from the current team.
ena
    Enables the port team.
dis
    Disables the port team.
del
    Deletes the port team.
cur
    Displays the current port team configuration.
The Nortel Application Switch can be configured with up to 256 IP interfaces. Each IP interface represents the Nortel Application Switch on an IP subnet on your network. The Interface option is disabled by default.
Table 6-61 IP Interface Menu Options (/cfg/l3/if)
Command Syntax and Usage
ip6nd
    Opens the IPv6 Neighbor Discovery menu. This menu is used to enable or disable the sending of IPv6 Router Advertisement packets from this interface. For more information on this topic, refer to page 345.
ipver <IP version (v4 or v6)>
    Sets the IP version.
addr <IP address (such as 192.4.17.101 for IPv4 or 3001::abcd:5678 for IPv6)>
    Configures the IP address of the switch interface using dotted decimal notation for IPv4 and colon notation for IPv6.
mask <IP subnet mask for IPv4 or prefix length for IPv6 (such as 255.255.255.0 for IPv4 or 64 for IPv6)>
    Configures the IP subnet address mask for the interface using dotted decimal notation for IPv4 or prefix length for IPv6.
vlan <VLAN number (1-4090)>
    Configures the VLAN number for this interface. Each interface can belong to one VLAN, though any VLAN can have multiple IP interfaces in it.
relay disable|enable
    Enables or disables the BOOTP relay on this interface. It is enabled by default.
/cfg/l3/if/ip6nd
IPv6 Neighbor Discovery Menu
[IP6 Neighbor Discovery Menu]
     rtradv - Enable/disable router advertisement
This menu is used to configure the sending of IPv6 Neighbor Discovery router advertisements from this interface.
Table 6-62 IPv6 Neighbor Discovery Menu Options
Command Syntax and Usage
rtradv disable|enable
    Enables or disables the sending of IPv6 Neighbor Discovery router advertisements from this interface.
NOTE The switch can be configured with up to 255 gateways. Gateways one to four are reserved for default gateway load balancing. Gateways five to 259 are used for load-balancing of VLAN-based gateways. This option is disabled by default.
Table 6-63 Default Gateway Options (/cfg/l3/gw)
Command Syntax and Usage
ipver <IP version (v4 or v6)>
    Sets the IP version.
addr <default gateway address (such as 192.4.17.44 for IPv4 or 3001::abcd:1234 for IPv6)>
    Configures the IP address of the default IP gateway using dotted decimal notation for IPv4 and colon notation for IPv6.
intr <0-60 seconds>
    The switch pings the default gateway to verify that it is up. The intr option sets the time between health checks. The range is from 1 to 120 seconds. The default is 2 seconds.
retry <number of attempts (1-120)>
    Sets the number of failed health check attempts required before declaring this default gateway inoperative. The range is from 1 to 120 attempts. The default is 8 attempts.
vlan <VLAN number (1-4090)>
    Sets the VLAN to be assigned to this default IP gateway.
NOTE By default, a learned default route has higher priority than the configured default gateway route.
arp disable|enable
    Enables or disables Address Resolution Protocol (ARP) health checks. This command is disabled by default.
ena
    Enables the gateway for use.
dis
    Disables the gateway.
del
    Deletes the gateway from the configuration.
cur
    Displays the current gateway settings.
/cfg/l3/route
IP Static Route Configuration
[IP Static Route Menu]
     add - Add static route
     rem - Remove static route
     cur - Display current static routes
Up to 128 static routes can be configured.
Table 6-64 IP Static Route Configuration Menu Options (/cfg/l3/route)
Command Syntax and Usage
add <destination> <mask> <gateway> [interface number]
    Adds a static route. You will be prompted to enter a destination IP address, destination subnet mask, and gateway address. Enter all addresses using dotted decimal notation. If the gateway address is 0.0.0.0, the route becomes a black hole route, where any packet routed to this destination will be dropped.
rem <destination> <mask>
    Removes a static route. The destination address of the route to remove must be specified using dotted decimal notation.
cur
    Displays the current IP static routes.
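A black hole route is a useful defensive tool: traffic for an address block you never want forwarded (a bogon range, or a destination under attack) is dropped at the switch instead of following the default gateway. The following Python is an added example, not the switch's code, that models the static route table described in Table 6-64: the add/rem/cur operations, the 128-route limit, longest-prefix lookup, and the rule that a gateway of 0.0.0.0 means "drop". Class and method names are this example's own; the sample routes are constructed for illustration.

```python
# Added example (not the switch's own code): a model of the /cfg/l3/route
# static route table, including the 128-route limit and the black hole rule
# (gateway 0.0.0.0 => packets to that destination are dropped).
import ipaddress

MAX_STATIC_ROUTES = 128
BLACK_HOLE_GATEWAY = ipaddress.IPv4Address("0.0.0.0")


class StaticRouteTable:
    def __init__(self):
        self._routes = {}  # IPv4Network -> IPv4Address (next-hop gateway)

    def add(self, destination, mask, gateway):
        """Mirror of 'add <destination> <mask> <gateway>'; all dotted decimal.
        ipaddress is strict by default, so a destination with host bits set is rejected."""
        net = ipaddress.IPv4Network(f"{destination}/{mask}")
        if net not in self._routes and len(self._routes) >= MAX_STATIC_ROUTES:
            raise ValueError(f"static route limit of {MAX_STATIC_ROUTES} reached")
        self._routes[net] = ipaddress.IPv4Address(gateway)

    def rem(self, destination, mask):
        """Mirror of 'rem <destination> <mask>'; True if a route was removed."""
        net = ipaddress.IPv4Network(f"{destination}/{mask}")
        return self._routes.pop(net, None) is not None

    def lookup(self, address):
        """Longest-prefix match. Returns the gateway as a string, 'drop' for a
        black hole route, or None when no static route covers the address."""
        ip = ipaddress.IPv4Address(address)
        best = None
        for net, gw in self._routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        if best is None:
            return None
        return "drop" if best[1] == BLACK_HOLE_GATEWAY else str(best[1])

    def cur(self):
        """Mirror of 'cur': (destination, mask, gateway) triples, most specific first."""
        ordered = sorted(self._routes.items(), key=lambda kv: -kv[0].prefixlen)
        return [(str(n.network_address), str(n.netmask), str(gw)) for n, gw in ordered]


if __name__ == "__main__":
    table = StaticRouteTable()
    # Constructed sample: a normal route plus a black hole for one /24 inside it.
    table.add("10.1.0.0", "255.255.0.0", "192.168.1.1")
    table.add("10.1.5.0", "255.255.255.0", "0.0.0.0")
    for dst in ("10.1.5.7", "10.1.9.9", "172.16.0.1"):
        print(dst, "->", table.lookup(dst))
    for row in table.cur():
        print(*row)
```

The more specific black hole wins over the covering /16, so 10.1.5.7 is dropped while 10.1.9.9 still goes to 192.168.1.1; once the black hole is removed with rem, the /16 takes over again.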
/cfg/l3/arp
ARP Configuration Menu
Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet layer. ARP resolves a physical address from an IP address. ARP queries machines on the local network for their physical addresses. ARP also maintains IP to physical address pairs in its cache memory. In any IP communication, the ARP cache is consulted to see if the IP address of the computer or the router is present in the ARP cache. Then the corresponding physical address is used to send a packet.
[ARP Menu]
     static - Static ARP Menu
     rearp  - Set re-ARP period in minutes
     cur    - Display current ARP configuration
/cfg/l3/arp/static
ARP Static Configuration Menu
Static ARP entries are permanent in the ARP cache and do not age out like the ARP entries that are learnt dynamically. Static ARP entries enable the switch to reach the hosts without sending an ARP broadcast request to the network. Static ARPs are also useful to communicate with devices that do not respond to ARP requests. Static ARPs can also be configured on some gateways as a protection against malicious ARP cache corruption and possible DoS attacks.
NOTE Nortel Application Switch Operating System 21.0 and above allows the static ARP configuration to be retained over reboots. Nortel Application Switch Operating System 20.x and below allow the user to configure the ARP information, but that information cannot be retained over a switch reboot.
[Static ARP Menu]
     add - Add a permanent ARP entry
     del - Delete an ARP entry
     cur - Display current static ARP configuration
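The protective value of a static entry comes from two properties the text names: it never ages out, and a dynamically received mapping cannot replace it. The following Python is an added example, not the switch's code, that models an ARP cache with exactly those properties, and additionally records every received reply that conflicts with a static entry so an operator can spot attempted cache corruption. The rearp period is taken from the ARP menu above; treating it as the lifetime of a dynamically learned entry is this example's assumption. Class, method and sample addresses are this example's own.

```python
# Added example (not the switch's own code): an ARP cache model in which
# static entries are permanent and cannot be overwritten by learned replies,
# while dynamic entries expire after the re-ARP period.  The interpretation of
# 'rearp' as the dynamic-entry lifetime is an assumption of this example.
import time


class ArpCache:
    def __init__(self, rearp_minutes=5):
        self.rearp_seconds = rearp_minutes * 60   # /cfg/l3/arp rearp (assumed meaning)
        self._static = {}     # ip -> mac, never ages out
        self._dynamic = {}    # ip -> (mac, learned_at)
        self.conflicts = []   # (ip, offered_mac) replies that disagreed with a static entry

    @staticmethod
    def _norm(mac):
        return mac.lower()

    def add_static(self, ip, mac):
        """/cfg/l3/arp/static add: a permanent entry replaces any dynamic one."""
        self._static[ip] = self._norm(mac)
        self._dynamic.pop(ip, None)

    def del_static(self, ip):
        """/cfg/l3/arp/static del: True if an entry was removed."""
        return self._static.pop(ip, None) is not None

    def learn(self, ip, mac, now=None):
        """Process a received ARP reply. Returns True if the cache was updated.
        A reply for an address that has a static entry is ignored; if it carries
        a different MAC it is recorded as a conflict for later review."""
        mac = self._norm(mac)
        if ip in self._static:
            if mac != self._static[ip]:
                self.conflicts.append((ip, mac))
            return False
        now = time.time() if now is None else now
        self._dynamic[ip] = (mac, now)
        return True

    def resolve(self, ip, now=None):
        """Return the cached MAC for ip, or None when an ARP request is needed."""
        if ip in self._static:
            return self._static[ip]
        now = time.time() if now is None else now
        entry = self._dynamic.get(ip)
        if entry is None:
            return None
        mac, learned_at = entry
        if now - learned_at >= self.rearp_seconds:
            del self._dynamic[ip]     # aged out: the switch must re-ARP
            return None
        return mac

    def cur(self):
        """Snapshot of both tables, in the spirit of the 'cur' command."""
        return {"static": dict(self._static),
                "dynamic": {ip: mac for ip, (mac, _) in self._dynamic.items()}}


if __name__ == "__main__":
    cache = ArpCache(rearp_minutes=5)
    # Constructed sample addresses: the gateway is pinned, a host is learned.
    cache.add_static("10.0.0.1", "00:11:22:33:44:55")
    cache.learn("10.0.0.1", "de:ad:be:ef:00:01", now=0)      # ignored, logged
    cache.learn("10.0.0.2", "aa:bb:cc:dd:ee:ff", now=0)      # accepted
    print(cache.resolve("10.0.0.1", now=10_000))             # static survives
    print(cache.resolve("10.0.0.2", now=301))                # None: aged out
    print(cache.conflicts)
```

Reviewing the conflicts list is the detection half of the picture: a burst of replies offering a different MAC for a statically mapped gateway is exactly the pattern the static entry is there to withstand.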
/cfg/l3/frwd
IP Forwarding Configuration Menu
[IP Forwarding Menu]
     local - Local network definition for route caching menu
     dirbr - Enable or disable forwarding directed broadcasts
     on    - Globally turn IP Forwarding ON
     off   - Globally turn IP Forwarding OFF
     cur   - Display current IP Forwarding configuration
/cfg/l3/frwd/local
Local Network Route Caching Definition
This menu is used for adding local networks by setting the local network address and netmask for the route cache, and to remove local networks.
[IP Local Networks Menu]
     add - Add local network definition
     rem - Remove local network definition
     cur - Display current local network definitions
NOTE All addresses that fall outside the defined range are forwarded to the default gateway. The default gateways must be within range.
/cfg/l3/nwf
Network Filter Configuration
[IP Network Filter 1 Menu]
     addr    - IP Address
     mask    - IP Subnet mask
     enable  - Enable Network Filter
     disable - Disable Network Filter
     delete  - Delete Network Filter
     cur     - Display current Network Filter configuration
/cfg/l3/rip
Routing Information Protocol Configuration
The Routing Information Protocol (RIP) is an interior gateway protocol (IGP). RIP is one of a class of algorithms known as distance vector algorithms. The distance or hop count is used as the metric to determine the best path to a remote network or host where the hop count does not exceed 15 hops assuming a cost of one for each network. RIP uses broadcast User Datagram protocol (UDP) data packets to exchange routing information. RIP sends routing information updates every 30 seconds. This update contains known networks and the distances (hop count) associated with each one. For RIP1, no mask information is exchanged; the natural mask is always applied by the router receiving the update. For RIP2, mask information is sent. There are two timers associated with each route: a timeout and garbage-collection timer. Upon expiration of the timeout timer, the route is no longer valid but it is retained in the routing table for a short time so that neighbors can be notified that the route has been dropped. Upon expiration of the garbage-collection timer, the route is finally removed from the routing table. The timeout timer is set for 180 seconds and the garbage-collection timer is set for 120 seconds by default. The menu below is used for configuring globally Routing Information Protocol parameters. The Routing Information Protocol is turned off by default.
[Routing Information Protocol Menu]
if - RIP Interface Menu
update - Set update period in seconds
vip - Enable/disable vip advertisement
statc - Enable/disable static routes advertisement
on - Globally turn RIP ON
off - Globally turn RIP OFF
current - Display current RIP configuration
/cfg/l3/rip/if
RIP Interface Menu
[RIP Interface 1 Menu]
version - Set RIP version
supply - Enable/disable supplying route updates
listen - Enable/disable listening to route updates
poison - Enable/disable poisoned reverse
trigg - Enable/disable triggered updates
mcast - Enable/disable multicast updates
default - Set default route action
metric - Set metric
auth - Set authentication type
key - Set authentication key
enable - Enable interface
disable - Disable interface
current - Display current RIP interface configuration
/cfg/l3/ospf
Open Shortest Path First Configuration
Nortel Application Switch Operating System supports the Open Shortest Path First (OSPF) routing protocol. The Nortel Application Switch Operating System implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed. For more information on how to configure OSPF on the switch, refer to your Nortel Application Switch Operating System Application Guide.
[Open Shortest Path First Menu]
aindex - OSPF Area (index) Menu
range - OSPF Summary Range Menu
if - OSPF Interface Menu
virt - OSPF Virtual Links Menu
md5key - OSPF MD5 Key Menu
host - OSPF Host Entry Menu
redist - OSPF Route Redistribute Menu
lsdb - Set the LSDB limit for external LSA
default - Export default route information
on - Globally turn OSPF ON
off - Globally turn OSPF OFF
cur - Display current OSPF configuration
/cfg/l3/ospf/aindex
Area Index Configuration Menu
[OSPF Area (index) 1 Menu]
areaid - Set area ID
type - Set area type
metric - Set stub area metric
auth - Set authentication type
spf - Set time interval between two SPF calculations
enable - Enable area
disable - Disable area
delete - Delete area
cur - Display current OSPF area configuration
/cfg/l3/ospf/range
OSPF Summary Range Configuration Menu
[OSPF Summary Range 1 Menu]
addr - Set IP address
mask - Set IP mask
aindex - Set area index
hide - Enable/disable hide range
enable - Enable range
disable - Disable range
delete - Delete range
cur - Display current OSPF summary range configuration
/cfg/l3/ospf/if
OSPF Interface Configuration Menu
[OSPF Interface 1 Menu]
aindex - Set area index
prio - Set interface router priority
cost - Set interface cost
hello - Set hello interval in seconds
dead - Set dead interval in seconds
trans - Set transit delay in seconds
retra - Set retransmit interval in seconds
key - Set authentication key
mdkey - Set MD5 key ID
enable - Enable interface
disable - Disable interface
delete - Delete interface
cur - Display current OSPF interface configuration
/cfg/l3/ospf/virt
OSPF Virtual Link Configuration Menu
[OSPF Virtual Link 1 Menu]
aindex - Set area index
hello - Set hello interval in seconds
dead - Set dead interval in seconds
trans - Set transit delay in seconds
retra - Set retransmit interval in seconds
nbr - Set router ID of virtual neighbor
key - Set authentication key
mdkey - Set MD5 key ID
enable - Enable interface
disable - Disable interface
delete - Delete interface
cur - Display current OSPF interface configuration
/cfg/l3/ospf/md5key
OSPF MD5 Key Configuration Menu
[OSPF MD5 Key 1 Menu]
key - Set authentication key
delete - Delete key
cur - Display current MD5 key configuration
/cfg/l3/ospf/host
OSPF Host Entry Configuration Menu
[OSPF Host Entry 1 Menu]
addr - Set host entry IP address
aindex - Set area index
cost - Set cost of this host entry
enable - Enable host entry
disable - Disable host entry
delete - Delete host entry
cur - Display current OSPF host entry configuration
/cfg/l3/ospf/redist <fixed|static|rip|ebgp|ibgp>
OSPF Route Redistribution Configuration Menu
[OSPF Redistribute Fixed Menu]
add - Add rmap into route redistribution list
rem - Remove rmap from route redistribution list
export - Export all routes of this protocol
cur - Display current route-maps added
/cfg/l3/bgp
Border Gateway Protocol Configuration
Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to share routing information with each other and advertise information about the segments of the IP address space they can access within their network with routers on external networks. BGP allows you to decide what is the best route for a packet to take from your network to a destination on another network, rather than simply setting a default route from your border router(s) to your upstream provider(s). You can configure BGP either within an autonomous system or between different autonomous systems. When run within an autonomous system, it is called internal BGP (iBGP). When run between different autonomous systems, it is called external BGP (eBGP). BGP is defined in RFC 1771. The BGP Menu enables you to configure the switch to receive routes and to advertise static routes, fixed routes and virtual server IP addresses with other internal and external routers. BGP is turned off by default.
[Border Gateway Protocol Menu]
peer - Peer menu
aggr - Aggregation menu
as - Set Autonomous System (AS) number
maxpath - Set Max AS Path Length
pref - Set Local Preference
on - Globally turn BGP ON
off - Globally turn BGP OFF
cur - Display current BGP configuration
NOTE Fixed routes are subnet routes. There is one fixed route per IP interface.
Table 6-83 Border Gateway Protocol Menu (/cfg/l3/bgp)
Command Syntax and Usage
peer <peer number (1-16)>
Displays the menu used to configure each BGP peer. Each border router, within an autonomous system, exchanges routing information with routers on other external networks. To view menu options, see page 373.
aggr <aggregate number (1-16)>
Displays the Aggregation Menu. To view menu options, see page 377.
When multiple peers advertise the same route, use the route with the shortest AS path as the preferred route if you are using eBGP, or use the local preference if you are using iBGP.
on
Globally turns BGP on.
off
Globally turns BGP off.
cur
Displays the current BGP configuration.
This menu is used to configure BGP peers, which are border routers that exchange routing information with routers on internal and external networks. The peer option is disabled by default.
Table 6-84 BGP Peer Configuration Options (/cfg/l3/bgp/peer)
Command Syntax and Usage
redist
Displays the BGP Redistribution Menu. To view the menu options, see page 375.
addr <IP address (such as, 192.4.17.101)>
Defines the IP address for the specified peer (border router), using dotted decimal notation. The default address is 0.0.0.0.
ras <AS number (0-65535)>
Sets the remote autonomous system number for the specified peer.
hold <hold time (0, 3-65535)>
Sets the period of time, in seconds, that will elapse before the peer session is torn down because the switch hasn't received a keepalive message from the peer. It is set at 90 seconds by default.
alive <keepalive time (0, 1-21845)>
Sets the keepalive time for the specified peer in seconds. It is set at 0 by default.
/cfg/l3/bgp/peer/redist
BGP Redistribution Configuration Menu
[Redistribution Menu]
metric - Set default-metric of advertised routes
default - Set default route action
rip - Enable/disable advertising RIP routes
ospf - Enable/disable advertising OSPF routes
fixed - Enable/disable advertising fixed routes
static - Enable/disable advertising static routes
vip - Enable/disable advertising VIP routes
cur - Display current redistribution configuration
This menu allows you to configure aggregate routing to condense the number of routes between internal and external peer routers.
Table 6-86 BGP Aggregate Menu Options (/cfg/l3/ip/bgp/aggr)
Command Syntax and Usage
addr <IP address, such as 192.4.17.101>
Adds the IP address to the selected aggregate.
mask <IP subnet mask, such as 255.255.255.0>
Sets the IP mask for the selected aggregate.
enable
Enables the selected aggregate.
disable
Disables the selected aggregate.
delete
Deletes the selected aggregate.
current
Displays the current aggregate configuration.
The Layer 3 Port Menu allows you to turn IP forwarding on or off on a port-by-port basis. By default, the port forwarding option is turned on.
Table 6-87 IP Forwarding Port Configuration Menu Options (/cfg/l3/port)
Command Syntax and Usage
on
Enables IP forwarding for the current port.
off
Disables IP forwarding for the current port.
cur
Displays the current IP forwarding settings.
/cfg/l3/dns
Domain Name System Configuration Menu
[Domain Name System Menu]
prima - Set IP address of primary DNS server
secon - Set IP address of secondary DNS server
dname - Set default domain name
cur - Display current DNS configuration
The Domain Name System (DNS) Menu is used for defining the primary and secondary DNS servers on your local network, and for setting the default domain name served by the switch services. DNS parameters must be configured prior to using hostname parameters with the ping, traceroute, and tftp commands.
Table 6-88 Domain Name System Menu Options (/cfg/l3/dns)
Command Syntax and Usage
prima <IP address (such as, 192.4.17.101)>
You will be prompted to set the IP address for your primary DNS server. Use dotted decimal notation.
secon <IP address (such as, 192.4.17.101)>
You will be prompted to set the IP address for your secondary DNS server. If the primary DNS server fails, the configured secondary will be used instead. Enter the IP address using dotted decimal notation.
dname <dotted DNS notation>|none
Sets the default domain name used by the switch. For example: mycompany.com
cur
Displays the current Domain Name System settings.
/cfg/l3/bootp
Bootstrap Protocol Relay Configuration Menu
[Bootstrap Protocol Relay Menu]
addr - Set IP address of BOOTP server
addr2 - Set IP address of second BOOTP server
on - Globally turn BOOTP relay ON
off - Globally turn BOOTP relay OFF
cur - Display current BOOTP relay configuration
The Bootstrap Protocol (BOOTP) Relay Menu is used to allow hosts to obtain their configurations from a Dynamic Host Configuration Protocol (DHCP) server. The BOOTP configuration enables the switch to forward a client request for an IP address to two DHCP/BOOTP servers with IP addresses that have been configured on the Nortel Application Switch. BOOTP relay is turned off by default.
Table 6-89 Bootstrap Protocol Relay Configuration Menu Options (/cfg/l3/bootp)
Command Syntax and Usage
addr <IP address (such as, 192.4.17.101)>
Sets the IP address of the BOOTP server.
addr2 <IP address (such as, 192.4.17.101)>
Sets the IP address of the second BOOTP server.
on
Globally turns on BOOTP relay.
off
Globally turns off BOOTP relay.
cur
Displays the current BOOTP relay configuration.
/cfg/l3/vrrp
VRRP Configuration Menu
[Virtual Router Redundancy Protocol Menu]
vr - VRRP Virtual Router Menu
vrgroup - VRRP Virtual Router Vrgroup Menu
group - VRRP Virtual Router Group Menu
if - VRRP Interface Menu
track - VRRP Priority Tracking Menu
hotstan - Enable/disable hot-standby processing
on - Globally turn VRRP ON
off - Globally turn VRRP OFF
holdoff - Globally VRRP hold off time
cur - Display current VRRP configuration
Virtual Router Redundancy Protocol (VRRP) support on Nortel Application Switch provides redundancy between routers in a LAN. This is accomplished by configuring the same virtual router IP address and ID number on each participating VRRP-capable routing device. One of the virtual routers is then elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address. By default, VRRP is disabled. Nortel Application Switch Operating System has extended VRRP to include virtual servers as well, allowing for full active/active redundancy between its Layer 4 switches. For more information on VRRP, see the High Availability chapter in your Nortel Application Switch Operating System 23.0.2 Application Guide.
Table 6-90 Virtual Router Redundancy Protocol Options (/cfg/l3/vrrp)
Command Syntax and Usage
vr <virtual router number (1-1024)>
Displays the VRRP Virtual Router Menu. This menu is used for configuring up to 1024 virtual routers on this switch. To view menu options, see page 383.
vrgroup <virtual router vrgroup number (1-16)>
Displays the VR Group Menu. To view menu options, see page 387.
group
Displays the VRRP virtual router group menu, used to combine all virtual routers together as one logical entity. Group options must be configured when using two or more Nortel Application Switches in a hot-standby failover configuration where only one switch is active at any given time. To view menu options, see page 390.
This menu is used for configuring up to 256 virtual routers for this switch. A virtual router is defined by its virtual router ID and an IP address. On each VRRP-capable routing device participating in redundancy for this virtual router, a virtual router will be configured to share the same virtual router ID and IP address. Virtual routers are disabled by default.
Table 6-91 VRRP Virtual Router Options (/cfg/l3/vrrp/vr)
Command Syntax and Usage
track
Displays the VRRP Priority Tracking Menu for this virtual router. Tracking is Nortel's proprietary extension to VRRP, used for modifying the standard priority system used for electing the master router. Tracking is not needed if sharing (share) is enabled. To view menu options, see page 385.
vrid <virtual router ID (1-1024)>
Defines the virtual router ID. This is used in conjunction with addr (below) to define a virtual router on this switch. To create a pool of VRRP-enabled routing devices which can provide redundancy to each other, each participating VRRP device must be configured with the same virtual router: one that shares the same vrid and addr combination. The vrid for standard virtual routers (where the virtual router IP address is not the same as any virtual server) can be any integer between 1 and 255. The default value is 1. The vrid of virtual server routers, where the virtual router IP address is the same as the virtual server, can be between 1 and 1024. All vrid values must be unique within the VLAN to which the virtual router's IP interface belongs.
This menu is used for modifying the priority system used when electing the master router from a pool of virtual routers. Various tracking criteria can be used to bias the election results. Each time one of the tracking criteria is met, the priority level for the virtual router is increased by an amount defined through the VRRP Tracking Menu (see page 395). Criteria are tracked dynamically, continuously updating virtual router priority levels when enabled. If the virtual router preemption option (see preem in Table 6-91 on page 383) is enabled, this virtual router can assume master routing authority when its priority level rises above that of the current master. Some tracking criteria (vrs, ifs, and ports below) apply to standard virtual routers, otherwise called virtual interface routers. Other tracking criteria (l4pts, reals, and hsrp) apply to virtual server routers, which perform Layer 4 Server Load Balancing functions. A virtual server router is defined as any virtual router whose IP address (addr) is the same as any configured virtual server IP address.
/cfg/l3/vrrp/vrgroup
Virtual Router Group Menu
This feature allows the failover of individual groups of VIRs and VSRs. When Web hosting is shared between two or more customers on a single VRRP switch, you can group VIRs and VSRs to serve the high availability of a specific customer. If failover occurs on a customer link, the group of VIRs and VSRs associated with that customer alone will fail over to the backup switch. The VIRs and VSRs configured for the other customers on the master switch are not affected. Up to 16 virtual router groups can be configured on the switch.
[VRRP Virtual Router Vrgroup 1 Menu]
track - Priority Tracking Menu
name - Set virtual router group name
add - Add virtual router to group
rem - Remove virtual router from group
prio - Set priority for virtual router group
trackvr - Set track virtual router for group
adver - Set advertisement interval for group
preem - Enable/disable preemption for group
share - Enable/disable sharing for group
ena - Enable virtual router group
dis - Disable virtual router group
del - Delete virtual router group
cur - Display current VRRP virtual router group configuration
This menu is used for modifying the priority system used when electing the master router from a pool of virtual routers. Various tracking criteria can be used to bias the election results. Each time one of the tracking criteria is met, the priority level for the virtual router is increased by an amount defined through the VRRP Tracking Menu (see page 395). Criteria are tracked dynamically, continuously updating virtual router priority levels when enabled.
[VRRP Vrgroup 1 Priority Tracking Menu]
ifs - Enable/disable tracking interfaces
ports - Enable/disable tracking VLAN switch ports
l4pts - Enable/disable tracking L4 switch ports
reals - Enable/disable tracking L4 real servers
hsrp - Enable/disable tracking HSRP
hsrv - Enable/disable tracking HSRP by VLAN
cur - Display current VRRP vrgroup tracking configuration
Table 6-94 Virtual Router Group Priority Tracking Menu Options (/cfg/l3/vrrp/vrgroup/track)
Command Syntax and Usage
ifs disable|enable
When enabled, the priority will be increased for each IP interface active on this virtual router group. An IP interface is considered active when there is at least one active port on the same VLAN. This helps elect the virtual routers with the most available routes as the master. This command is disabled by default.
ports disable|enable
When enabled, the priority will be increased for each active port on the VLAN on this virtual router group. A port is considered active if it has a link and is forwarding traffic. This helps elect the virtual routers with the most available ports as the master. This command is disabled by default.
l4pts disable|enable
When enabled for virtual server routers, the priority will be increased for each physical switch port which has active Layer 4 processing on this virtual router group. This helps elect the main Layer 4 switch as the master. This command is disabled by default.
reals disable|enable
When enabled for virtual server routers, the priority will be increased for each healthy real server behind the virtual server IP address of the same IP address as the virtual router on this virtual router group. This helps elect the switch with the largest server pool as the master, increasing Layer 4 efficiency. This command is disabled by default.
hsrp disable|enable
Hot Standby Router Protocol (HSRP) is used with some types of routers for establishing router failover. In networks where HSRP is used, enable this switch option to increase the priority of this virtual router group for each Layer 4 client-only port that receives HSRP advertisements. Enabling HSRP helps elect the switch closest to the master HSRP router as the master, optimizing routing efficiency. This command is disabled by default.
hsrv disable|enable
Hot Standby Router on VLAN (HSRV) is used to work in VLAN-tagged environments. Enable this switch option to increment only that VRRP instance on the virtual router group that is on the same VLAN as the tagged HSRP master flagged packet. This command is disabled by default.
cur
Displays the current configuration for priority tracking for this virtual router group.
/cfg/l3/vrrp/group
Virtual Router Group Configuration
[VRRP Virtual Router Group Menu]
track - Priority Tracking Menu
vrid - Set virtual router ID
if - Set interface number
prio - Set router priority
adver - Set advertisement interval
preem - Enable or disable preemption
share - Enable or disable sharing
ena - Enable virtual router
dis - Disable virtual router
del - Delete virtual router
cur - Display current VRRP virtual router configuration
The Virtual Router Group menu is used for associating all virtual routers into a single logical virtual router, which forces all virtual routers on the Nortel Application Switch to either be master or backup as a group. A virtual router is defined by its virtual router ID and an IP address. On each VRRP-capable routing device participating in redundancy for this virtual router, a virtual router will be configured to share the same virtual router ID and IP address.
NOTE This option is required to be configured only when using at least two Nortel Application Switches in a hot-standby failover configuration, where only one switch is active at any time.
Table 6-95 VRRP Virtual Router Group Options (/cfg/l3/vrrp/group)
Command Syntax and Usage
track
Displays the VRRP Priority Tracking Menu for the virtual router group. Tracking is Nortel's proprietary extension to VRRP, used for modifying the standard priority system used for electing the master router. Tracking is not needed if sharing (share) is enabled. To view menu options, see page 395.
vrid <virtual router ID (1-1024)>
Defines the virtual router ID for this group.
if <interface number (1-256)>
Selects a switch IP interface (between 1 and 256). The default switch IP interface number is 1.
prio <priority (1-254)>
Defines the election priority bias for this virtual router group. This can be any integer between 1 and 254. The default value is 100. During the master router election process, the routing device with the highest virtual router priority number wins. If there is a tie, the device with the highest IP interface address wins. If this virtual router's IP address (addr) is the same as the one used by the IP interface, the priority for this virtual router will automatically be set to 255 (highest). When priority tracking is used (/cfg/l3/vrrp/track or /cfg/l3/vrrp/vr #/track), this base priority value can be modified according to a number of performance and operational criteria.
adver <1-255 (seconds)>
Defines the time interval between VRRP master advertisements. This can be any integer between 1 and 255 seconds. The default is 1.
preem disable|enable
Enables or disables master preemption. When enabled, if the virtual router group is in backup mode but has a higher priority than the current master, this virtual router will preempt the lower priority master and assume control. Note that even when preem is disabled, this virtual router will always preempt any other master if this switch is the owner (the IP interface address and virtual router addr are the same). By default, this option is enabled.
share disable|enable
Enables or disables virtual router sharing, Nortel's proprietary extension to VRRP. When enabled, this switch will process any traffic addressed to this virtual router, even when in backup mode. By default, this option is enabled.
/cfg/l3/vrrp/group/track
Virtual Router Group Priority Tracking Configuration
[Virtual Router Group Priority Tracking Menu]
ifs - Enable/disable tracking other interfaces
ports - Enable/disable tracking VLAN switch ports
l4pts - Enable/disable tracking L4 switch ports
reals - Enable/disable tracking L4 real servers
hsrp - Enable/disable tracking HSRP
hsrv - Enable/disable tracking HSRP by VLAN
cur - Display current VRRP Group Tracking configuration
NOTE If Virtual Router Group Tracking is enabled, then the tracking option will be available only under group option. The tracking setting for the other individual virtual routers will be ignored.
This menu is used for configuring VRRP authentication parameters for the IP interfaces used with the virtual routers.
Table 6-97 VRRP Interface Menu Options (/cfg/l3/vrrp/if)
Command Syntax and Usage
auth none|password
Defines the type of authentication that will be used: none (no authentication), or password (password authentication).
passw <password>
Defines a plain text password up to eight characters long. This password will be added to each VRRP packet transmitted by this interface when password authentication is chosen (see auth above).
del
Clears the authentication configuration parameters for this IP interface. The IP interface itself is not deleted.
cur
Displays the current configuration for this IP interface's authentication parameters.
/cfg/l3/vrrp/track
VRRP Tracking Configuration
[VRRP Tracking Menu]
vrs - Set priority increment for virtual router tracking
ifs - Set priority increment for IP interface tracking
ports - Set priority increment for VLAN switch port tracking
l4pts - Set priority increment for L4 switch port tracking
reals - Set priority increment for L4 real server tracking
hsrp - Set priority increment for HSRP tracking
hsrv - Set priority increment for HSRP by VLAN tracking
cur - Display current VRRP Priority Tracking configuration
This menu is used for setting weights for the various criteria used to modify priority levels during the master router election process. Each time one of the tracking criteria is met (see VRRP Virtual Router Priority Tracking Menu on page 385), the priority level for the virtual router is increased by an amount defined through this menu.
Table 6-98 VRRP Tracking Options (/cfg/l3/vrrp/track)
Command Syntax and Usage
vrs <0-254>
Defines the priority increment value (1 through 254) for virtual routers in master mode detected on this switch. The default value is 2.
ifs <0-254>
Defines the priority increment value (1 through 254) for active IP interfaces detected on this switch. The default value is 2.
ports <0-254>
Defines the priority increment value (1 through 254) for active ports on the virtual router's VLAN. The default value is 2.
l4pts <0-254>
Defines the priority increment value (1 through 254) for physical switch ports with active Layer 4 processing. The default value is 2.
reals <0-254>
Defines the priority increment value (1 through 254) for healthy real servers behind the virtual server router. The default value is 2.
hsrp <0-254>
Defines the priority increment value (1 through 254) for switch ports with Layer 4 client-only processing that receive HSRP broadcasts. The default value is 10.
These priority tracking options only define increment values. These options do not affect the VRRP master router election process until options under the VRRP Virtual Router Priority Tracking Menu (see page 385) are enabled.
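The election arithmetic spread over the virtual router, group and tracking menus above (base prio, per-criterion increments, the owner's fixed 255, the tie-break on interface address, and the preem rule), brought together as an added Python example that is not Nortel code; the hsrv increment default and the 254 cap for tracked non-owners are assumptions, and switch names and addresses are constructed:

```python
"""VRRP master election as this manual describes it: a base priority (prio,
1-254, default 100) is raised by the increment configured under
/cfg/l3/vrrp/track for every instance of each criterion enabled under the
virtual router's track menu; the owner (addr equal to the IP interface
address) is forced to 255; the highest priority wins and a tie goes to the
highest IP interface address. Added example, not Nortel code."""
from ipaddress import IPv4Address

# Increment defaults from the VRRP Tracking Menu. hsrv has no stated default
# on this page, so 2 is assumed here.
DEFAULT_INCREMENTS = {"vrs": 2, "ifs": 2, "ports": 2, "l4pts": 2,
                      "reals": 2, "hsrp": 10, "hsrv": 2}
OWNER_PRIORITY = 255
PRIORITY_CAP = 254   # assumption: a tracked non-owner never reaches the owner value


def effective_priority(base, enabled, counts, increments=DEFAULT_INCREMENTS,
                       owner=False):
    """Priority this switch would advertise for one virtual router.

    enabled: criteria switched on under .../vr #/track, e.g. {"reals", "ifs"}
    counts:  how many instances of each criterion are currently met
             (healthy real servers, active IP interfaces, ...)
    """
    if owner:
        return OWNER_PRIORITY
    if not 1 <= base <= PRIORITY_CAP:
        raise ValueError("prio must be 1-254")
    total = base
    for crit in enabled:
        total += increments[crit] * counts.get(crit, 0)
    # tracking only raises the priority above its base value
    return min(total, PRIORITY_CAP)


def elect_master(candidates):
    """candidates: list of (name, priority, if_addr). Highest priority wins;
    a tie goes to the highest IP interface address."""
    return max(candidates, key=lambda c: (c[1], IPv4Address(c[2])))[0]


def should_preempt(my_priority, master_priority, preem_enabled, owner=False):
    """A backup takes over only with preemption enabled and a higher priority;
    the owner preempts regardless of the preem setting."""
    if owner:
        return True
    return preem_enabled and my_priority > master_priority
```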
/cfg/slb
/cfg/slb displays the Server Load Balancing Configuration Menu. To view menu options, see Chapter 7, The SLB Configuration Menu.
/cfg/security/port
Port Security Menu
[Port <port_number> Menu]
bogon - Enable/disable bogon IP ACL
ipacl - Enable/disable IP ACL
udpblast - Enable/disable UDP blast protection
dos - Enable/disable protocol anomaly and DoS attack prevention
add - Add protocol anomaly/DoS attack to prevention
aadd - Add all protocol anomaly/DoS attack to prevention
rem - Remove protocol anomaly/DoS attack from prevention
arem - Remove all protocol anomaly/DoS attack from prevention
help - Protocol anomaly and DoS attack prevention description
cur - Display current port configuration
/cfg/security/ipacl
IP Address Access Control List Configuration Menu
Nortel Application Switch Operating System can be configured with IP access control lists (ACLs) composed of ranges of client IP addresses that are to be denied access to the switch. When traffic ingresses the switch, the client source or destination IP address is checked against this pool of addresses. If a match is found, then the client traffic is blocked.
[IP ACL Menu]
add - Add configuration source IP Address/Mask
rem - Remove configuration source IP Address/Mask
arem - Remove all configuration source IP Address/Mask
dadd - Add configuration destination IP Address/Mask
drem - Remove configuration destination IP Address/Mask
darem - Remove all configuration destination IP Address/Mask
cfg - Display configuration IP Address/Mask
bogon - Display bogon IP Address/Mask
oper - Display operations IP Address/Mask
cur - Display all IP Address/Mask
/cfg/security/udpblast
UDP Blast Protection Configuration Menu
Malicious attacks over UDP protocol ports are becoming a common way to bring down real servers. Nortel Application Switch Operating System can be configured to restrict the amount of traffic allowed on any UDP port, thus ensuring that backend servers are not flooded with data and disabled. You can specify a series of UDP port ranges and the allowed packet limit for that range. When the maximum number of packets/second is reached, UDP traffic is shut down on those ports. Nortel Application Switch Operating System supports up to 5000 UDP port numbers, using any integer from 1 to 65535. The maximum port range is 5000. If the first port number is 300, the last number that can be used is 5300. While you can configure multiple port ranges, the sum of ranges cannot exceed the maximum of 5000 ports.
[UDP Blast Protection Menu]
add - Add UDP port/range for UDP blast protection
rem - Remove UDP port/range for UDP blast protection
default - Default packet rate for UDP blast protection
cur - Display all UDP blast protection Ports
/cfg/security/dos
Anomaly and Denial of Service Attack Prevention Menu
[Protocol Anomaly and DoS Attack Prevention Menu]
ipttl - Set the smallest allowable IP ttl for ipttl
ipprot - Set the highest allowable IP protocol for ipprot
fragdata - Set smallest allowable IP fragment payload for fragdata
fragoff - Set the smallest allowable IP fragment offset for fragoff
syndata - Set the largest allowable TCP SYN payload for syndata
icmpdata - Set the largest allowable ICMP payload for icmpdata
icmpoff - Set the largest allowable ICMP fragment offset for icmpoff
help - Protocol anomaly and DoS attack prevention description
cur - Display current protocol anomaly and DoS attack prevention
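The seven limits this menu sets, applied to parsed IPv4 packets as an added Python example that is not Nortel code; the threshold values are constructed (the manual states no defaults here) and the packet builders exist only to produce sample input:

```python
"""Threshold checks mirroring the seven limits of the /cfg/security/dos menu,
applied to IPv4 packets parsed from raw bytes. Added example, not Nortel code;
thresholds and sample packets are constructed."""
import struct

# Constructed thresholds, keyed by the menu's parameter names.
THRESHOLDS = {
    "ipttl": 5,        # smallest allowable IP TTL
    "ipprot": 132,     # highest allowable IP protocol number
    "fragdata": 64,    # smallest allowable payload (bytes) of a non-final fragment
    "fragoff": 8,      # smallest allowable non-zero fragment offset (8-byte units)
    "syndata": 0,      # largest allowable payload on a TCP SYN
    "icmpdata": 1024,  # largest allowable ICMP payload (bytes after the 8-byte header)
    "icmpoff": 0,      # largest allowable fragment offset for an ICMP packet
}


def parse_ipv4(pkt: bytes) -> dict:
    """Pull out the IPv4 header fields the checks need; rejects non-IPv4 input."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    ver_ihl, _tos, _tlen, _id, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header")
    return {"ttl": ttl, "proto": proto, "mf": bool(flags_frag & 0x2000),
            "frag_off": flags_frag & 0x1FFF, "payload": pkt[ihl:]}


def anomalies(pkt: bytes, th=THRESHOLDS) -> list:
    """Names of every threshold the packet violates, in menu order (empty = clean)."""
    ip = parse_ipv4(pkt)
    data = ip["payload"]
    hits = []
    if ip["ttl"] < th["ipttl"]:
        hits.append("ipttl")
    if ip["proto"] > th["ipprot"]:
        hits.append("ipprot")
    if ip["mf"] and len(data) < th["fragdata"]:          # tiny non-final fragment
        hits.append("fragdata")
    if 0 < ip["frag_off"] < th["fragoff"]:               # offset landing inside the first fragment's headers
        hits.append("fragoff")
    if ip["proto"] == 6 and ip["frag_off"] == 0 and len(data) >= 20:
        tcp_hlen = (data[12] >> 4) * 4
        syn_only = (data[13] & 0x12) == 0x02             # SYN set, ACK clear
        if syn_only and len(data) - tcp_hlen > th["syndata"]:
            hits.append("syndata")
    if ip["proto"] == 1:
        if ip["frag_off"] == 0 and len(data) - 8 > th["icmpdata"]:
            hits.append("icmpdata")
        if ip["frag_off"] > th["icmpoff"]:
            hits.append("icmpoff")
    return hits


def build_ipv4(proto, payload, ttl=64, mf=False, frag_off=0) -> bytes:
    """Constructed sample packet; the checksum is left zero since the checks ignore it."""
    flags_frag = (0x2000 if mf else 0) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_frag,
                      ttl, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_tcp_syn(data=b"") -> bytes:
    """Constructed 20-byte TCP header with only SYN set, followed by optional payload."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0) + data
```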
/cfg/sslproc
SSL Processor Menu
[SSL Processor Menu]
mip - Set SSL processor management IP
port - Set SSL processor Web server port
rts - Enable/disable RTS processing
filt - Enable/disable filtering
add - Add filter
rem - Remove filter
cur - Display current SSL processor configuration
/cfg/setup
Setup
The setup program steps you through configuring the system date and time, BOOTP, IP, Spanning Tree, port speed/mode, VLAN parameters, and IP interfaces. For a complete description of how to use setup, see Chapter 2, First-Time Configuration.
/cfg/dump
Dump
The dump program writes the current switch configuration to the terminal screen. To start the dump program, at the Configuration# prompt, enter:
Configuration# dump
The configuration is displayed with parameters that have been changed from the default values. The screen display can be captured, edited, and placed in a script file, which can be used to configure other switches through a Telnet connection. When using Telnet to configure a new switch, paste the configuration commands from the script file at the command line prompt of the switch. The active configuration can also be saved or loaded via TFTP, as described on page 408.
where server is the TFTP or FTP server IP address or hostname, and filename is the name of the target script configuration file.
NOTE The output file is formatted with line-breaks but no carriage returns; the file cannot be viewed with editors that require carriage returns (such as Microsoft Notepad).
NOTE If the TFTP server is running SunOS or the Solaris operating system, the specified ptcfg file must exist prior to executing the ptcfg command and must be writable (set with proper permission, and not locked by any application). The contents of the specified file will be replaced with the current configuration data.
where server is the TFTP or FTP server IP address or hostname, and filename is the name of the target script configuration file.
CHAPTER 7
320506-A, January 2006
This menu is used for configuring information about real servers that participate in a server pool for Server Load Balancing or Application Redirection. The required parameters are:
     - Real server IP address
     - Real server enabled (disabled by default)
Table 7-2 Real Server Configuration Menu Options (/cfg/slb/real)
Command              Syntax and Usage

adv
     Go to the Real Server Advanced menu. To view menu options, see page 421.

layer7
     Displays the Layer 7 Menu. To view menu options, see page 421.

ids
     Displays the Intrusion Detection Server/system menu. To view menu options, see page 422.

rip <real server IP address>
     Sets the IP address of the real server in dotted decimal format. When this command is used, the address entered is pinged to determine if the server is up, and the administrator will be warned if the server does not respond.

name <string, maximum 31 characters>|none
     Defines a 15-character alias for each real server. This enables the network administrator to quickly identify the server by a natural language keyword value.

weight <real server weight (1-48)>
     Sets the weighting value (1 to 48) that this real server will be given in the load balancing algorithms. Higher weighting values force the server to receive more connections than the other servers configured in the same real server group. By default, each real server is given a weight setting of 1. A setting of 10 would assign the server roughly 10 times the number of connections as a server with a weight of 1. Weights are not applied when using the hash or minmisses metrics (see Server Load Balancing Metrics on page 429).

avail <server weight (1-48)>
     Displays the currently available real server for Global server load balancing and allows the user to change to another real server for Global server load balancing.
/cfg/slb/real/adv
Real Server Advanced Menu
[Real Server 1 Advanced Menu]
     avail   - Set Global SLB availability for real server
     remote  - Enable/disable Global SLB remote site operation
     proxy   - Enable/disable client proxy operation
     buddyhc - Buddy Server Menu
     fasthc  - Enable/disable fast health check operation
     submac  - Enable/disable source MAC address substitution
     subdmac - Enable/disable destination MAC address substitution
     cur     - Display current real server advanced configuration
/cfg/slb/real/adv/buddyhc
Buddy Server Health Check Menu
[Real server 1 Buddy Menu]
     addbd - Add Buddy Server
     delbd - Delete Buddy Server
     cur   - Display current buddy server configuration
This menu is used for entering commands and strings for Layer 7 processing. Table 7-5 Layer 7 Commands Menu Options (/cfg/slb/real/layer7)
Command              Syntax and Usage

addlb <defined SLB string ID, 1-1024>
     Adds the predefined URL load-balance string ID to the real server.

remlb <defined SLB string ID, 1-1024>
     Removes the predefined URL load-balance string ID from the real server.

cookser disable|enable
     Enables or disables the real server to handle client requests that don't contain a cookie. This option is used if you want to designate a specific server to assign cookies only. This server gets the client request, assigns the cookie, and embeds the IP address of the real server that will handle the subsequent requests from the client. By default, this option is disabled.

exclude disable|enable
     Enables or disables exclusionary string matching. By default, this option is disabled.

ldapwr disable|enable
     Enables or disables the LDAP write server. LDAP servers are of two types: read servers and write servers. Use read servers when you only want to browse the directory. Use write servers when you want to modify the directory on the server. The write server can conduct both read and write operations.

cur
     Displays the current real server configuration.
/cfg/slb/group <real server group number> Real Server Group SLB Configuration
[Real Server Group 1 Menu]
     metric  - Set metric used to select next server in group
     rmetric - Set metric used to select next rport in server
     content - Set health check content
     health  - Set health check type
     backup  - Set backup real server or group
     name    - Set real server group name
     realthr - Set real server failure threshold
     idsrprt - Set Intrusion Detection Port
     advhlth - Set an advance group health check formula
     mhash   - Set minmisses hash parameter
     wlm     - Set Workload Manager number
     viphlth - Enable/disable VIP health checking in DSR mode
     ids     - Enable/disable Intrusion Detection
     idsfld  - Enable/disable Intrusion Detection Group Flood
     oper    - Enable/disable the access to this group for operator
     ena     - Enable real server in this group
     dis     - Disable real server in this group
     add     - Add real server
     rem     - Remove real server
     del     - Delete real server group
     cur     - Display current group configuration
This menu is used for combining real servers into real server groups. Each real server group should consist of all the real servers which provide a specific service for load balancing. Each group must consist of at least one real server. Each real server can belong to more than one group. Real server groups are used both for Server Load Balancing and Application Redirection. Table 7-7 Real Server Group Configuration Menu Options (/cfg/slb/group)
Command              Syntax and Usage

metric leastconns|roundrobin|minmisses|hash|response|bandwidth|phash
     Sets the load balancing metric used for determining which real server in the group will be the target of the next client request. The default setting is leastconns. See Server Load Balancing Metrics on page 429 for more information.

rmetric
     Sets the load balancing metric used for determining which port in the real server will be the target of the next client request.
tcp sipoptions
The metrics are described in the following table: Table 7-9 Real Server Group Metrics (/cfg/slb/group/metric)
Option               Description

minmisses
     Minimum misses. This metric is optimized for Application Redirection. When minmisses is specified for a real server group performing Application Redirection, all requests for a specific IP destination address will be sent to the same server. This is particularly useful in caching applications, helping to maximize successful cache hits. Best statistical load balancing is achieved when the IP address destinations of load balanced frames are spread across a broad range of IP subnets.
     Minmisses can also be used for Server Load Balancing. When specified for a real server group performing Server Load Balancing, all requests from a specific client will be sent to the same server. This is useful for applications where client information must be retained on the server between sessions. Server load with this metric becomes most evenly balanced as the number of active clients increases.
NOTE Under the leastconns, roundrobin, hash, and phash metrics, when real servers are configured with weights (see the weight option on page 415), a higher proportion of connections are given to servers with higher weights. This can improve load balancing among servers of different performance levels. Weights are not applied when using the minmisses metrics.
This menu is used for configuring the virtual servers which will be the target for client requests for Server Load Balancing. Configuring a virtual server requires the following parameters:
     - Creating a virtual server IP address
     - Adding TCP/UDP port and real server group
     - Enabling the virtual server (disabled by default)
Table 7-10 Virtual Server Configuration Menu Options (/cfg/slb/virt)
Command              Syntax and Usage

service <virtual port or name>
     Displays the Virtual Services Menu. The virtual port name can be a well-known port name, such as http, ftp, the service number, and so on. The allowable port range is from 9 to 65534. To get more information about well-known ports, see the sport command on page 447. To view the services menu options, see page 434.

ipver <IP version (v4 or v6)>
     Sets the IP version.

vip <virtual server IP address for IPv4 or IPv6>
     Sets the IP address of the virtual server using dotted-decimal notation. The virtual server created within the switch will respond to ARPs and PINGs from network ports as if it were a normal server. Client requests directed to the virtual server's IP address will be balanced among the real servers available to it through real server group assignments.

dname <64 character domain name>|none
     Sets the domain name for this virtual server. The domain name typically includes the name of the company or organization, and the Internet group code (.com, .edu, .gov, .org, and so forth). An example would be foocorp.com. It does not include the hostname portion (www, www2, ftp, and so forth). The maximum number of characters that can be used in a domain name is 64. To define the hostname, see hname below. To clear the dname, specify the name as none.

vname <32 character virtual server name>|none
     Sets the name of the virtual server.

cont <BWM contract (1-1024)>
     Enters a new Bandwidth Management contract for this virtual service. By default, all services under this virtual server are assigned this BW contract. However, the BW contract can be changed for a selected virtual server with /cfg/slb/virt <number>/service <number>/cont. All the frames that match this virtual server's services are assigned this BW contract if the previously assigned contract for the frame has lower or equal precedence to the virtual server contract. The default number of contracts is set at 1024 for Nortel Application Switch Operating System.

weight
     Sets the Global server weight for the virtual server. The higher the weight value, the more connections will be directed to the local site. The default is 1. The response time of this site is divided by this weight before the best site is assigned to a client. Remote site response times are divided by the real server weight before selection occurs.
page 440.
http
     Enables or disables HTTP Redirection for Global server load balancing on a per-VIP basis. Disabling HTTP Redirection causes GSLB to use the proxy IP address for HTTP. To view the menu options, see page 441.

sip
     Enables or disables Session Initiation Protocol (SIP) server load balancing on the Nortel Application Switch Operating System. When enabled, you can configure SIP service on the service port 5060 for a virtual server. SIP is a UDP-based application-level control protocol for creating, modifying and terminating sessions with one or more participants (documented in RFC3261). The SIP processing occurs at application level in order to parse out messages coming from the client side as well as the server side. Using SIP on your switch, you can load balance Nortel's MCS (Multimedia Communication Server) proxy servers. Nortel Networks MCS is a SIP-enabled application server. When SIP is enabled, you can scan and hash calls based on a SIP Call-ID header to an MCS server. You need to turn Direct Access Mode (DAM) on to perform SIP load balancing. You can use only minmiss as the load balancing metric since the load balancing is performed based on the Call-ID. To view the menu options, see page 442.

rtsp
     Go to the RTSP Load Balancing Menu. To view the menu options, see page 443.

group <real server group number (1-1024)>
     Sets a real server group for this service. The default is set at 1. You will be prompted to enter the number (1 to 1024) of the real server group to add to this service.

rport <real server port (0-65534)>
     Defines the real server TCP or UDP port assigned to this service. By default, this is the same as the virtual port (service virtual port). If rport is configured to be different than the virtual port defined in /cfg/slb/virt <number>/service <virtual port>, the switch will map the virtual port to this real port.
     urlslb: Enable or disable URL SLB
     host: Enable or disable virtual hosting
     cookie: Enable or disable cookie-based SLB for cookie-based preferential load balancing. You will be prompted for the following: cookie name, starting point of the cookie value, number of bytes to be extracted, enable/disable checking for cookie in URI
     browser: Enable or disable SLB based on browser type
     urlhash: Enable or disable URL hashing based on URI
     headerhash: Hashes on any HTTP header value
     others: Requires inputs for a particular header field
     You may choose to combine or select applications to load balance using the commands and and/or or. For example:
          httpslb <application>
          httpslb <application> and|or <application>

cont <BWM Contract (0-1024), 0 for VIP default>
     Sets a Bandwidth Management contract for this virtual service. The default number of contracts is set at 1024 for Nortel Application Switch Operating System. Note: If you enter 0 for the service contract, it will carry the value entered for the Virtual Server IP (vip) contract.

urlcont <URL path ID> <BW contract>
     Sets the Bandwidth Management contract of a string specific to this virtual service. Only use this command when a string is shared by multiple virtual services and each service requires a separate bandwidth. The default is set at 1024.
/cfg/slb/virt/service/wts
WTS Load Balancing Menu
[WTS Load Balancing Menu]
     userhash - Enable userhash when there is no Session Dir. Server
     ena      - Enable WTS loadbalancing and persistence
     dis      - Disable WTS loadbalancing and persistence
     cur      - Display current WTS configuration
/cfg/slb/virt/service/http
HTTP Load Balancing Menu
[HTTP Load Balancing Menu]
     httpslb  - Set HTTP SLB processing
     urlcont  - Set BW cont of an SLB string specific to this service
     rcount   - Set multi response count
     http     - Enable/disable HTTP redirects for Global SLB
     xforward - Enable/disable X-Forwarded-For for proxy mode
     pooling  - Enable/disable connection pooling for HTTP traffic
     cur      - Display current HTTP configuration
/cfg/slb/virt/service/sip
SIP Load Balancing Menu
[SIP Load Balancing Menu]
     sip    - Enable/disable SIP load balancing
     sdpnat - Enable/disable SIP SDP Media Portal NAT
     cur    - Display current SIP configuration
/cfg/slb/virt/service/rtsp
RTSP Load Balancing Menu
[RTSP Load Balancing Menu]
     group    - Set real server group number
     hname    - Set hostname
     rtspslb  - Set RTSP URL load balancing type
     thash    - Set hash parameter
     softgrid - Enable/disable SoftGrid load balancing
     del      - Delete virtual service
     cur      - Display current virtual service configuration
     within the URL to select a server based on the string configured on the real server.
     l4hash: The l4hash option configures Server Load Balancing to be based on the Layer 4 hash metric.
     none: If set at none, RTSP will use Layer 4 metrics to select a server to load balance.

thash sip|sip+sport
     Defines the hash parameter. The tunable hash feature allows the user to select different parameters for computing the hash value used by the hash, phash, and minmisses SLB metrics: for example, the source IP address, the destination IP address, or both source IP address and source port. If the user does not select any, the switch will use the default hash parameter, which is sip.

softgrid enable|disable
     Enables or disables SoftGrid load balancing.
Cookie-Based Persistence
The cookie option is used to establish cookie-based persistence, and has the following command syntax and usage: pbind cookie <mode> <name> <offset> <length> <URI> Each parameter is explained in the following table.
Option               Description

<mode>
     Specify the mode for cookie-based persistence. The following three modes are available:
     p: Passive mode. In this mode, the network administrator configures the Web server to embed a cookie in the server response that the switch looks for in subsequent requests from the same client.
     r: Rewrite mode. In active cookie mode (or cookie rewrite mode), the switch, and not the network administrator, generates the cookie value on behalf of the server. The switch intercepts this persistence cookie and rewrites the value to include server-specific information before sending it to the client.
     i: Insert mode. When a client sends a request without a cookie, the server responds with the data, and the switch inserts a persistence cookie into the data packet. The switch uses this cookie to bind to the appropriate server. Insert cookie mode expiration parameters are as follows:
          Enter insert-cookie expiration as either:
          ... a date <MM/dd/yy[@hh:mm]> (e.g. 12/31/01@23:59)
          ... a duration <days[:hours[:minutes]]> (e.g. 45:30:90)
          ... or none <return>

<name>
     Enter the name of the cookie.

<offset>
     Enter the starting point of the cookie value (1-64).

<length>
     Enter the number of bytes to extract (1-64). For cookie rewrite, the extracting length must be 8 or 16.

<URI>
     Look for the cookie in the URI. If you want to look for the cookie name or value in the URI, enter e to enable this option. To look for the cookie in the HTTP header, enter d to disable this option.
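The parameter semantics above (1-based <offset> and <length> extraction from a named cookie, the header-vs-URI lookup switch, and the insert-mode expiration syntax) worked through in Python. This is an added example, not Nortel code or the switch's implementation; the cookie header, URI and SAMPLE_NOW timestamp are constructed sample inputs.

```python
"""Cookie-based persistence parameter handling, modelled on the pbind cookie
options: <name> <offset> <length> <URI> and the insert-mode expiration spec.
Added example, not Nortel code; only the documented parameter semantics are
reproduced here, not the switch's internal behaviour."""
from datetime import datetime, timedelta
import re

# Constructed sample request: a persistence cookie named "SRV" among others,
# once in the Cookie header and once embedded in the URI.
SAMPLE_COOKIE_HEADER = "lang=en; SRV=0a010203; theme=dark"
SAMPLE_URI = "/app/page?x=1;SRV=0a010203"
SAMPLE_NOW = datetime(2001, 1, 1)        # constructed "current time"


def extract_cookie_value(cookie_header, name, offset, length):
    """Return `length` bytes of cookie `name` starting at 1-based `offset`,
    or None if the cookie is absent or the requested range does not fit."""
    if not (1 <= offset <= 64 and 1 <= length <= 64):
        raise ValueError("offset and length must be in 1-64")
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            piece = value[offset - 1: offset - 1 + length]
            return piece if len(piece) == length else None
    return None


def find_cookie(cookie_header, uri, name, offset, length, in_uri):
    """Look for the cookie in the HTTP header (in_uri False, the 'd' setting)
    or in the request URI (in_uri True, the 'e' setting)."""
    if in_uri:
        match = re.search(re.escape(name) + r"=([^;&\s]+)", uri)
        if not match:
            return None
        return extract_cookie_value(f"{name}={match.group(1)}", name, offset, length)
    return extract_cookie_value(cookie_header, name, offset, length)


def parse_insert_expiry(spec, now=None):
    """Parse the insert-mode expiration spec: a date MM/dd/yy[@hh:mm],
    a duration days[:hours[:minutes]], or 'none' (session cookie -> None)."""
    now = now or datetime.utcnow()
    if spec == "none":
        return None
    if "/" in spec:
        fmt = "%m/%d/%y@%H:%M" if "@" in spec else "%m/%d/%y"
        return datetime.strptime(spec, fmt)
    fields = [int(x) for x in spec.split(":")]
    if not 1 <= len(fields) <= 3:
        raise ValueError("duration must be days[:hours[:minutes]]")
    days, hours, minutes = (fields + [0, 0])[:3]
    return now + timedelta(days=days, hours=hours, minutes=minutes)


def set_cookie_header(name, value, expiry):
    """Build the Set-Cookie line that insert mode would add to a response."""
    header = f"Set-Cookie: {name}={value}"
    if expiry is not None:
        header += "; Expires=" + expiry.strftime("%a, %d %b %Y %H:%M:%S GMT")
    return header
```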
For more information on Cookie-Based Persistence, see the Nortel Application Switch Operating System 23.0.2 Application Guide.
The switch supports up to 2048 traffic filters. Each filter can be configured to allow, deny, redirect or perform Network Address Translation on traffic according to a variety of address and protocol specifications, and each physical switch port can be configured to use any combination of filters. This command is disabled by default. There are several options available in the Filter Advanced Menu (/cfg/slb/filt/adv, page 450) that can be used to provide more information through syslog. The types of information include:
     - IP protocol
     - TCP/UDP ports
     - TCP flags
     - ICMP message type
The following parameters are required for filtering:
     - Set the address, masks, and/or protocol that will be affected by the filter
     - Set the filter action (allow, deny, redirect, nat)
     - Enable the filter
     - Add the filter to a switch port
     - Enable filtering on the Nortel Application Switch port
Table 7-16 Filter Configuration Menu Options (/cfg/slb/filt)
Command              Syntax and Usage

adv
     Displays the Filter Advanced Menu. To view menu options, see page 450.

name <31 character name>|none
     Allows the user to assign a name to a filter.

smac any|<MAC address (such as 00:60:cf:40:56:00)>
     Sets the source MAC address. The default is any.

dmac any|<MAC address (such as 00:60:cf:40:56:00)>
     Sets the destination MAC address. The default is any.

ipver v4 | v6
     Sets the IP version that the filter will use. Filtering using IPv6 is only supported in bridge mode.

sip <IP4 address (eg, 192.4.17.101)> | <IP6 address (eg, 3001:0:0:0:0:0:abcd:1234 or 3001::abcd:1234)>
     If defined, traffic with this source IP address will be affected by this filter. Specify an IP address in dotted decimal notation for IPv4 or colon notation for IPv6, or any. A range of IP addresses is produced when used with the smask below. The default is any if the source MAC address is any.

smask <IP4 subnet mask (such as 255.255.255.0)> | <IP6 prefix length (eg, 64)>
     This IP address mask is used with the sip to select traffic which this filter will affect. See details below for more information on producing address ranges. For more information, see Defining IP Address Ranges for Filters on page 449.
sport any|<name>|<port>|<port>-<port>
     If defined, traffic with the specified TCP or UDP source port will be affected by this filter. Specify the port number, range, name, or any. The default is any. Listed below are some of the well-known ports:

     Number    Name
     20        ftp-data
     21        ftp
     22        ssh
     23        telnet
     25        smtp
     37        time
     42        name
     43        whois
     53        domain
     69        tftp
     70        gopher
     79        finger
     80        http
     109       pop2
     110       pop3
nat
goto
As another example, you could configure the switch with two filters so that each would handle traffic filtering for one half of the Internet. To do this, you could define the following parameters: Table 7-17 Filtering IP Address Ranges
Filter #1 #2 Internet Address Range dip dmask 128.0.0.0
128.0.0.0 128.0.0.0
work traffic at the Layer 2 level in your switch. Using this command you can preserve 802.1p bits in all the frames that pass through the switch.
     To view menu options, see page 453.

tcp
     Displays the TCP Flags advanced menu. To view menu options, see page 453.

ip
     Displays the IP advanced menu. To view menu options, see page 454.

layer7
     Displays the Layer 7 advanced menu. To view menu options, see page 457.

proxyadv
     Displays the Proxy Advanced Menu. To view menu options, see page 460.

icmp any|<number>|<type; "icmp list" for list>
     Sets the ICMP message type. The default is set at any. For a list of ICMP message types, see Table 7-22 on page 455. For a detailed description of filtering and ICMP, see the Nortel Application Switch Operating System 23.0.2 Application Guide.

cont <BWM Contract (1-1024)>
     Sets the Bandwidth Management Contract. By default, the contract number is set at 1024.

revcont <BW Contract (1-1024)>
     Sets the Bandwidth Management contract for the reverse traffic session. This command helps you assign a different Bandwidth Management contract from the one configured on the ingress filter.

tmout <even number of minutes (4-32768)>
     Sets the session timeout in an even number of minutes. The default is set at 4 minutes.

idsgrp <real server group number (1-1024)>|none
     Sets the IDS server group for intrusion detection server load balancing. When filtering is used for IDSLB, each filter added to an IDSLB-enabled port can be assigned a unique IDS real server group.

idshash sip|dip|both
     Sets the hash metric parameter for Intrusion Detection System Server Load Balancing: source IP (sip), destination IP (dip), or both.
These commands can be used to configure packet filtering for specific TCP flags. Table 7-20 Advanced Filter TCP Menu (/cfg/slb/filt/adv/tcp)
Command              Syntax and Usage

urg disable|enable
     Enables or disables TCP URG (urgent) flag matching. By default, this option is disabled.

ack disable|enable
     Enables or disables TCP ACK (acknowledgement) flag matching. By default, this option is disabled.

psh disable|enable
     Enables or disables TCP PSH (push) flag matching. By default, this option is disabled.

rst disable|enable
     Enables or disables TCP RST (reset) flag matching. By default, this option is disabled.

syn disable|enable
     Enables or disables TCP SYN (synchronize) flag matching. By default, this option is disabled.

fin disable|enable
     Enables or disables TCP FIN (finish) flag matching. By default, this option is disabled.

ackrst disable|enable
     Enables or disables TCP acknowledgement or reset flag matching. By default, this option is disabled.

cur
     Displays the current Access Control List TCP filter configuration.
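An illustrative matcher that ties together the filter criteria covered in this section: sip/smask and dip/dmask address ranges (including the two-filter split of the Internet with dmask 128.0.0.0 from Table 7-17), sport/dport specs using the well-known port names listed above, and the TCP flag options of this menu. This is an added example, not Nortel code: the first-match evaluation order, the "every enabled flag must be set" reading of flag matching, and the dip value 0.0.0.0 for the first half-Internet filter are assumptions, and the filter set and packets are constructed.

```python
"""Packet-vs-filter matcher reproducing the documented /cfg/slb/filt parameter
semantics (address ranges, port ranges, TCP flags). Added example, not Nortel
code; evaluation order and flag semantics are assumptions noted inline."""
import ipaddress
from dataclasses import dataclass, field

# Well-known port names from the sport table in this chapter.
WELL_KNOWN = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
              "time": 37, "name": 42, "whois": 43, "domain": 53, "tftp": 69,
              "gopher": 70, "finger": 79, "http": 80, "pop2": 109, "pop3": 110}


def parse_port_spec(spec):
    """any | <name> | <port> | <port>-<port>  ->  (low, high), or None for any."""
    if spec == "any":
        return None
    if spec in WELL_KNOWN:
        port = WELL_KNOWN[spec]
        return (port, port)
    low, _, high = spec.partition("-")
    low = int(low)
    high = int(high) if high else low
    return (low, high)


def addr_in_range(addr, base, mask):
    """Range test: packet address and filter base must agree on every bit set
    in the mask, so dmask 128.0.0.0 selects one half of the IPv4 space.
    base == 'any' matches everything."""
    if base == "any":
        return True
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    m = int(ipaddress.IPv4Address(mask))
    return (a & m) == (b & m)


@dataclass
class Filter:
    action: str                       # allow | deny | redir | nat
    sip: str = "any"
    smask: str = "0.0.0.0"
    dip: str = "any"
    dmask: str = "0.0.0.0"
    proto: str = "any"                # any | tcp | udp | icmp
    sport: str = "any"
    dport: str = "any"
    # /cfg/slb/filt/adv/tcp options enabled for matching (all disabled by default)
    tcp_flags: set = field(default_factory=set)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    sport: int = 0
    dport: int = 0
    flags: set = field(default_factory=set)


def filter_matches(flt, pkt):
    """True when every configured criterion of the filter matches the packet."""
    if not addr_in_range(pkt.src, flt.sip, flt.smask):
        return False
    if not addr_in_range(pkt.dst, flt.dip, flt.dmask):
        return False
    if flt.proto != "any" and flt.proto != pkt.proto:
        return False
    for spec, port in ((flt.sport, pkt.sport), (flt.dport, pkt.dport)):
        rng = parse_port_spec(spec)
        if rng and not (rng[0] <= port <= rng[1]):
            return False
    # Assumption: flag matching applies to TCP only and requires every
    # enabled flag to be set in the packet.
    if flt.tcp_flags and (pkt.proto != "tcp" or not flt.tcp_flags <= pkt.flags):
        return False
    return True


def first_matching_action(filters, pkt, default="allow"):
    """Assumption: filters are evaluated in list order; the first match decides."""
    for flt in filters:
        if filter_matches(flt, pkt):
            return flt.action
    return default


# Constructed configuration: a SYN-flag deny for inbound telnet, then the
# Table 7-17 split (dmask 128.0.0.0; dip 0.0.0.0 for filter #1 is assumed).
EXAMPLE_FILTERS = [
    Filter(action="deny", proto="tcp", dport="telnet", tcp_flags={"syn"}),
    Filter(action="redir", dip="0.0.0.0", dmask="128.0.0.0"),
    Filter(action="allow", dip="128.0.0.0", dmask="128.0.0.0"),
]
```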
RADIUS snooping allows the Nortel Application Switch Operating System to examine RADIUS accounting packets for client information. This information is needed to add or delete static session entries in the switch's session table so that it can provide the required persistence for load balancing. For more details, please refer to your Application Guide.
rdswap enable|disable
     Enables or disables WAP RADIUS persistence on this filter. This feature allows for RADIUS and WAP persistence by binding both (RADIUS accounting and WAP) sessions to the same server. A WAP client is first authenticated by the RADIUS server on UDP port 1812. The server replies with a RADIUS Accept or Reject frame. The switch forwards this reply to the RAS. After the RAS receives the RADIUS Accept packet, it sends a RADIUS accounting start packet on UDP port 1813 to the bound server. The application switch snoops on the RADIUS accounting start packet for the framed IP address attribute. The framed IP address attribute is used to rebind the RADIUS accounting session to a new server. For more details, please refer to your Application Guide.

ftpa disable|enable
     Enables or disables active FTP client Network Address Translation (NAT). When a client in active FTP mode sends a PORT command to a remote FTP server, the switch will look into the data part of the frame and replace the client's private IP address with a proxy IP (PIP) address. The real server port (RPORT) will be replaced with a proxy port (PPORT), that is PIP:PPORT. By default, this option is disabled.

l7lkup disable|enable
     Enables or disables Layer 7 lookup on this filter. This command replaces the urlp and l7deny commands found in earlier releases of Nortel Application Switch Operating System. When enabled, the filter performs a lookup on Layer 7 content such as HTTP strings or headers. When combined with a filter action (for example, deny, redir), this feature enables content-intelligent redirection or content-intelligent deny filtering.

parseall disable|enable
     Enables or disables parsing of all packets in a session where Layer 7 lookup is being performed. This command is enabled by default, and normally all data packets in a session are examined by the filter. However, some sessions may contain only one packet containing the Layer 7 content. Once this packet is found, subsequent packets can be ignored. When parseall is disabled, Layer 7 lookup is turned off for the remaining packets in the session.

cur
     Displays the current advanced Layer 7 configuration of the filter, including the RADIUS/WAP persistence settings.
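The PORT-command rewrite that the ftpa option describes, shown as an added Python example (not Nortel code). It decodes the client's private address and port from the PORT command, substitutes the proxy IP and a proxy port, and records the PIP:PPORT-to-client binding that the return data connection needs; the PIP, the starting PPORT and the FTP lines are constructed.

```python
"""Active FTP client NAT as described for ftpa: the PORT command carries the
client's private IP and port in the data part of the frame and is rewritten
to PIP:PPORT. Added example, not Nortel code; the binding table is a
constructed stand-in for the switch's session table."""
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$", re.I)


def decode_port_command(line):
    """'PORT h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256+p2), or None."""
    match = PORT_RE.match(line)
    if not match:
        return None
    nums = [int(x) for x in match.groups()]
    if any(n > 255 for n in nums):
        return None                        # malformed octet or port byte
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def encode_port_command(ip, port):
    """Inverse of decode_port_command, CRLF-terminated as FTP requires."""
    h = ip.split(".")
    return f"PORT {h[0]},{h[1]},{h[2]},{h[3]},{port // 256},{port % 256}\r\n"


class FtpPortNat:
    """Rewrites PORT commands and records which PIP:PPORT maps back to which
    private client address so the server's data connection can be translated."""

    def __init__(self, pip, first_pport=40000):
        self.pip = pip                     # proxy IP address (constructed)
        self.next_pport = first_pport      # next proxy port to hand out
        self.bindings = {}                 # (pip, pport) -> (client_ip, client_port)

    def rewrite(self, line):
        """Return the command to forward to the server (unchanged if not PORT)."""
        decoded = decode_port_command(line)
        if decoded is None:
            return line
        client_ip, client_port = decoded
        pport = self.next_pport
        self.next_pport += 1
        self.bindings[(self.pip, pport)] = (client_ip, client_port)
        return encode_port_command(self.pip, pport)

    def lookup(self, pport):
        """Translate an inbound data connection on PIP:PPORT back to the client."""
        return self.bindings.get((self.pip, pport))
```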
/cfg/slb/filt/adv/proxyadv
Proxy Advanced Menu
[Proxy Advanced Menu]
     proxyip - Set client proxy IP address
     epip    - Enable/disable pip selection based egress port/vlan
     proxy   - Enable/disable client proxy
     cur     - Display current proxy configuration
Enables or disables matching of all configured patterns before the filter can perform the deny action.
parsechn enable|disable
     Enables or disables chained pgroup match criteria for Layer 7 filtering.

parseall disable|enable
     Enables or disables pattern string lookup (parsing) of all packets in a session where pattern matching is being performed. This command is enabled by default, and normally all data packets in a session are examined by the filter. However, some sessions may contain only one packet containing the Layer 7 content. Once this packet is found, subsequent packets can be ignored. When parseall is disabled, pattern matching is turned off for the remaining packets in the session.

cur
     Displays the current configuration.
Nortel Application Switch Operating System switch software allows you to enable or disable processing independently for each type of Layer 4 traffic (client and server) on a per port basis, expanding your topology options. NOTE When changing the filters on a given port, it may take some time before the port session information is updated so that the filter changes take effect. To make port filter changes take effect immediately, clear the session binding table for the port (see the clear command in Table 8-3 on page 502). Table 7-28 Port Configuration Menu Options (/cfg/slb/port)
Command              Syntax and Usage

client disable|enable
     For Server Load Balancing, the port can be enabled or disabled to process client Layer 4 traffic. Ports configured to process client request traffic bind servers to clients and provide address translation from the virtual server IP address to the real server IP address, re-mapping virtual server IP addresses and port values to real server IP addresses and ports. Traffic not associated with virtual servers is switched normally. Maximizing the number of these ports on the Layer 4 switch will improve the switch's potential for effective Server Load Balancing. This option is disabled by default.

server disable|enable
     Ports configured to provide real server responses to client requests require real servers to be connected to the Layer 4 switch, directly or through a hub, router, or another switch. When server processing is enabled, the switch port re-maps real server IP addresses and Layer 4 port values to virtual server IP addresses and Layer 4 ports. Traffic not associated with virtual servers is switched normally. This option is disabled by default.
At a local site for a domain, there is a local virtual server but no remote virtual server. The local virtual server has a number of local virtual services. Each local virtual service has a group of local or remote real servers. The remote real servers are the virtual servers at the remote sites.
[Remote site 1 Menu]
     prima  - Set primary switch IP address of remote site
     secon  - Set secondary switch IP address of remote site
     name   - Set remote site name
     update - Enable/disable remote site updates
     ena    - Enable remote site
     dis    - Disable remote site
     del    - Delete remote site
     cur    - Display current remote site configuration
Up to 64 remote sites can be configured. Table 7-30 GSLB Remote Site Menu Options (/cfg/slb/gslb/site)
Command              Syntax and Usage

prima <server IP address>
     Defines the IP interface IP address of the primary switch at the remote site used for Global Server Load Balancing. Use dotted decimal notation.

secon <server IP address>
     If the remote site is configured with a redundant switch, enter the IP address of the IP interface for the remote secondary switch here. If the remote site primary switch fails, the local switch will address the remote site secondary switch instead.

name <31 character name>|none
     Sets the name of the remote site. The default is set at none.

update disable|enable
     Enables or disables remote site updates. If enabled (default), this switch will send regular Distributed Site State Protocol (DSSP) updates to its remote peers using HTTP port 80. If disabled, the switch will not send state updates. If your local firewall does not permit this traffic, disable the updates.
     Note: When update is enabled, Global Server Load Balancing uses service port 80 on the IP interface for DSSP updates. By default, the Nortel Application Switch Operating System Web-based interface also uses port 80. Both services cannot use the same port. If both are enabled, configure the Nortel Application Switch Operating System Browser-Based Interface (BBI) to use a different service port (see the /cfg/sys/access/wport option on page 288).

ena
     Enables this remote site for use with Global Server Load Balancing.
/cfg/slb/gslb/rule
GSLB Rule Configuration Menu
Rules allow the GSLB selection to use different metric preferences based on time-of-day. You can configure one or more rules on each domain. Each rule has a metric preference list. The GSLB selection selects the first rule that matches the domain and starts with the first metric in the metric preference list of the rule.
[Rule 1 Menu]
     metric - Metric Menu
     start  - Set start time for rule
     end    - Set end time for rule
     ttl    - Set Time To Live in seconds of DNS resource records
     rr     - Set DNS resource records in DNS response
     dname  - Set network preference domain name for rule
     ena    - Enable rule
     dis    - Disable rule
     del    - Delete rule
     cur    - Display current rule configuration
/cfg/slb/gslb/rule/metric
Global SLB Rule Metric Menu
[Rule 1 Metric 1 Menu]
     gmetric - Set metric to use to select next server
     addnet  - Add network to gmetric=network
     remnet  - Remove network from gmetric=network
     cur     - Display current metric configuration
/cfg/slb/layer7
Layer 7 SLB Resource Definition Menu
[Layer 7 Resource Definition Menu]
     redir   - Web Cache Redirection Menu
     slb     - Server Load Balancing Menu
     sdp     - SIP SDP Menu
     dbindtm - Set timeout for incomplete delayed binding connections
     cur     - Display current Layer 7 configuration
/cfg/slb/layer7/redir
Web Cache Redirection Configuration
[Web Cache Redirection Menu]
     urlal   - Enable/disable auto-ALLOW for non-GETs to origin servers
     cookie  - Enable/disable auto-ALLOW for Cookie to origin servers
     nocache - Enable/disable no-cache control header to origin servers
     hash    - Enable/disable URL hashing based on URI
     header  - Enable/disable server loadbalance based on HTTP header
     cur     - Display current WCR configuration
/cfg/slb/layer7/slb
Server Load Balance Resource Configuration Menu
[Server Loadbalance Resource Menu] message - Set HTTP error message addstr - Add SLB string for load balance remstr - Remove SLB string for load balance rename - Rename SLB string for load balance addmeth - Add HTTP method type remmeth - Remove HTTP method type case - Enable/disable case sensitive for string matching cont - Set BW contract for the SLB string cur - Display current configuration
/cfg/slb/layer7/sdp
SDP Mapping Menu
[SDP Mapping Menu] add - Add SDP mapping rem - Remove SDP mapping cur - Display current SDP mapping configuration
To synchronize the configuration between two switches, a peer must be configured and enabled on each switch. Switches being synchronized must use the same administrator password. Peers are sent SLB, FILT, and VRRP configuration updates using /oper/slb/sync.
Table 7-39 Synchronization Menu Options (/cfg/slb/sync)
Command Syntax and Usage
peer <peer switch number (1-2)>
Displays the Sync Peer Switch Menu. This option is enabled by default. To view menu options, see page 479.
filt disable|enable
Enables or disables synchronizing filter configuration. This option is disabled by default.
ports disable|enable
Enables or disables synchronizing Layer 4 port configuration. This option is enabled by default.
prios disable|enable
Enables or disables syncing VRRP priorities. This option is enabled by default.
pips disable|enable
Enables or disables synchronizing proxy IP addresses. This option is disabled by default.
peerpips disable|enable
Enables or disables synchronizing the peer proxy IP addresses. Peer proxy IP addresses are used in VRRP Active/Active configuration. This option is disabled by default.
To synchronize the configuration between two switches, a peer must be configured and enabled on each switch. Switches being synchronized must use the same administrator password. Table 7-40 Peer Switch Configuration Menu Options (/cfg/slb/sync/peer)
Command Syntax and Usage
addr <IP address>
Sets the peer switch IP address. The default is 0.0.0.0.
ena
Enables the peer for this switch. By default, this option is disabled.
dis
Disables the peer for this switch.
/cfg/slb/adv/synatk
SYN Attack Detection Configuration Menu
[SYN Attack Detection Menu] intrval - Set SYN attack detection interval thrshld - Set SYN attack alarm threshold cur - Display current SYN attack detection configuration
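An added illustration of the interval/threshold alarm that the intrval and thrshld options above configure, written in Python rather than as switch code and not taken from the Nortel documentation. The counting model (a fresh counter per fixed interval, one alarm per interval, only bare SYNs counted) and the TCP flag constants are assumptions for the example; the page does not specify how the switch itself counts.

```python
"""Fixed-interval SYN rate alarm (added example, not Nortel code)."""
from dataclasses import dataclass, field
from typing import List, Tuple

SYN = 0x02   # TCP flag bits (standard values, used here for the demo)
ACK = 0x10


@dataclass
class SynAttackDetector:
    """Counts client SYNs per fixed interval and alarms when the count
    exceeds the threshold (intrval / thrshld on the menu above)."""
    interval: int                      # seconds per detection interval
    threshold: int                     # SYNs per interval tolerated before alarming
    alarms: List[Tuple[int, int]] = field(default_factory=list)  # (interval start, count)
    _bucket: int = -1
    _count: int = 0
    _alarmed: bool = False

    def observe(self, ts: int, flags: int) -> bool:
        """Feed one TCP segment; return True if this segment raised an alarm."""
        # Only a bare SYN is a new connection attempt; SYN/ACK replies from
        # real servers and other flag combinations are not counted.
        if flags & SYN == 0 or flags & ACK:
            return False
        bucket = ts // self.interval
        if bucket != self._bucket:           # new interval: reset the counter
            self._bucket, self._count, self._alarmed = bucket, 0, False
        self._count += 1
        if self._count > self.threshold and not self._alarmed:
            self._alarmed = True             # one alarm per interval
            self.alarms.append((bucket * self.interval, self._count))
            return True
        return False


# Constructed sample, not captured traffic: (timestamp, tcp flags).
# t=0..1 are normal handshakes; t=4..5 is a burst of bare SYNs that are
# never followed by an ACK.
SAMPLE = (
    [(0, SYN), (0, SYN | ACK), (1, SYN), (1, ACK), (1, SYN)]
    + [(4, SYN)] * 4
    + [(5, SYN)] * 4
)


def run_detector(events, interval: int = 2, threshold: int = 5) -> List[Tuple[int, int]]:
    """Replay events through a detector and return the alarms it raised."""
    det = SynAttackDetector(interval, threshold)
    for ts, flags in events:
        det.observe(ts, flags)
    return det.alarms


if __name__ == "__main__":
    print(run_detector(SAMPLE))          # [(4, 6)]: alarm in the interval starting at t=4
```

With a 2-second interval and a threshold of 5, the three legitimate SYNs in the first interval stay silent and the burst alarms on its sixth SYN; shrinking the interval or raising the threshold changes what counts as an attack, which is the trade-off the two menu options expose.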
/cfg/slb/adv/smtport
Advanced SMT Real Server Port Configuration Menu
[SMT Real Port Menu] add - Add real port remove - Remove real port cur - Display real port configuration
Table 7-43 Advanced SMT Real Server Port Menu Options (/cfg/slb/adv/smtport)
Command Syntax and Usage
add <real server port (2-65534)>
This command allows you to add a service port to the real server that is configured to process client traffic bypassing the server processor.
remove <real server port (2-65534)>
This command allows you to remove a service port from the real server that is configured to process client traffic bypassing the server processor.
cur
Displays real port configuration.
/cfg/slb/linklb
Inbound Link Load Balancing configuration Menu
[Inbound Linklb Menu]
drecord - Domain Record Menu
group - Set real server group
ttl - Set Time to Live of DNS resource records
ena - Enable Inbound Linklb
dis - Disable Inbound Linklb
cur - Display current Inbound Linklb configuration
Table 7-44 Inbound Link Load Balancing Configuration Menu Options (/cfg/slb/linklb)
Command Syntax and Usage
drecord <domain record number (1-64)>
Displays the domain record menu. To view menu options, see page 485.
group <real server group number (1-1023)>
Sets the real server ISP group number.
ttl <time to live in seconds (0-65535)>
Sets the time-to-live for DNS resource records.
ena
Enables inbound link load balancing.
dis
Disables inbound link load balancing.
cur
Displays the current inbound link load balancing configuration.
/cfg/slb/linklb/drecord
Inbound Link Load Balancing Domain Record Menu
[Domain Record <domain_number> Menu] entry - Virt Real Mapping Menu domain - Set Domain Name ena - Enable Domain Record dis - Disable Domain Record del - Delete Domain Record cur - Display current Domain Record configuration
Table 7-45 Inbound Link Load Balancing Domain Record Menu Options (/cfg/slb/linklb/drecord)
Command Syntax and Usage
entry <linklb entry number (1-8)>
Displays the link load balancer's mapping menu for the virtual and real servers. See page 452 to view menu options.
domain <64 character domain name>|none
Allows you to configure the domain name. Default is none.
ena
Enables the domain record.
dis
Disables the domain record.
del
Deletes the domain record.
cur
Displays the current domain record configuration.
/cfg/slb/linklb/drecord/entry
Inbound Link Load Balancing Mapping Menu
[Virt Real Mapping 1 Menu] virt - Set Virtual Server Number real - Set Real Server Number ena - Enable Entry dis - Disable Entry del - Delete Entry cur - Display current Entry configuration
Table 7-46 Inbound Link Load Balancing Mapping Menu Options (/cfg/slb/linklb/drecord/entry)
Command Syntax and Usage
virt <virtual server number (1-1024)>
Defines the virtual server number for mapping.
real
Defines the real server number for mapping.
ena
Enables the entry for drecords.
dis
Disables the entry for drecords.
del
Deletes the entry for drecords.
cur
Displays the current real and virtual server mappings for drecords entries.
/cfg/slb/advhc
Advanced Health Check Configuration Menu
[Layer 4 Advanced Health Check Menu] script - Scriptable Health Check Menu snmphc - SNMP Health Check Menu waphc - WAP Health Check Menu aphttp - Enable/disable Allow HTTP Health Check on any port ldapver - LDAP version secret - Set RADIUS secret minter - Set interval of response and bandwidth metric updates cur - Display current Layer 4 advanced health check configuration
/cfg/slb/advhc/snmphc
SNMP Health Check Configuration
[SNMP Health Check 1 Menu] oid - OID to be sent in the SNMP request packet comm - Community string used in the SNMP request packet rcvcnt - Expected value in the SNMP response packet invert - Enable/disable inversion of expected value weight - Enable/disable readjusting of weights based on response del - Delete SNMP health check cur - Display current SNMP health check configuration
/cfg/slb/advhc/waphc
WAP Health Check Configuration
Wireless Session Protocol (WSP) is used within the Wireless Application Protocol (WAP) suite to manage sessions between wireless devices and WAP content servers or WAP gateways. The Nortel Application Switch Operating System provides a content-based health check mechanism where customized WSP packets are sent to the WAP gateways, and the switch verifies the expected response, in a manner similar to scriptable health checks. WSP content health checks can be configured in two modes: connectionless and connection-oriented. Connectionless WSP runs over UDP/IP on ports 9200 and 9202; connection-oriented (WTP) traffic runs on ports 9201 and 9203. Application switches can be used to load balance the gateways in both modes of operation. The Nortel Application Switch Operating System allows you to configure three WAP gateway health check types for all four WAP services (WSP, WTP+WSP, WTLS+WSP, WTLS+WTP+WSP) deployed on WAP gateways/servers. For further details, refer to the Application Guide.
[WAP Health Check Menu] wspcnt - WSP Health Check Content Menu wtpcnt - WTP+WSP Health Check Content Menu wspport - WSP port number to health check wtpport - WTP port number to health check wtlswsp - WTLS+WSP port number to health check wtlsprt - WTLS port number to health check couple - Enable/disable coupling with RADIUS Accounting Service cur - Display current WAP health check configuration
/cfg/slb/advhc/waphc/wspcnt
WSP Content Health Check
[WSP Health Check Content Menu] offset - Offset in received WSP packet sndcnt - Content to be sent to the WAP gateway rcvcnt - Content to be received from the WAP gateway cur - Display current WSP health check content configuration
/cfg/slb/advhc/waphc/wtpcnt
WTP and WSP Content Health Check Menu
This menu is used for configuring the health check for connection-oriented unencrypted WAP traffic.
[WTP+WSP Health Check Content Menu]
offset - Offset in received WSP PDU
connect - CONNECT PDU to be sent to the WAP gateway
sndcnt - GET PDU to be sent to the WAP gateway
rcvcnt - REPLY PDU to be received from the WAP gateway
cur - Display current WTP+WSP health check content configuration
Table 7-52 WTP and WSP Content Health Check Menu Options (/cfg/slb/advhc/waphc/wtpcnt)
Command Syntax and Usage
offset <offset in the received WSP PDU>
Enter the offset into the content of the received WSP packets. The offset value is the number of bytes from the beginning of the WSP PDU at which the comparison with the expected receive content begins. An offset value of 0 (default) sets the switch to start comparisons from the beginning of the WSP PDU of the received packet.
connect <connect content as hexstring>
Enter the content for the first switch-generated WSP session packet. This command allows you to customize the headers in the connect message.
sndcnt <send content as hexadecimal string>
Enter a hexadecimal string that represents a WSP request to a WSP gateway. This string will be delivered to the WSP gateway.
rcvcnt <receive content as a hexadecimal string>
Enter a hexadecimal string that represents the content that the switch expects to receive from the WSP gateway.
cur
Displays current WTP+WSP health check content configuration.
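The offset/sndcnt/rcvcnt comparison described in Table 7-52, as an added Python example that is not Nortel code: the hex strings are decoded the way the CLI accepts them, the reply is compared against the expected content starting at the configured offset, and a missing or too-short reply fails the check. The gateway callback stands in for the UDP exchange, and the byte layout of the sample replies is constructed for the demo, not captured traffic; the WSP PDU type constants are assumptions for the fake gateway only.

```python
"""WSP content health check matching (added example, not Nortel code)."""
from typing import Callable, Optional

GET_PDU_TYPE = 0x40    # WSP Get PDU type byte, assumed here for the fake gateway
REPLY_PDU_TYPE = 0x04  # WSP Reply PDU type byte, used in the constructed replies


def parse_hexstring(text: str) -> bytes:
    """Decode a CLI-style hexadecimal string. Spaces are tolerated; an odd
    length or a non-hex character is rejected before any packet is built."""
    compact = text.replace(" ", "")
    if len(compact) % 2 or any(ch not in "0123456789abcdefABCDEF" for ch in compact):
        raise ValueError(f"not a hexadecimal string: {text!r}")
    return bytes.fromhex(compact)


def wsp_content_check(send: Callable[[bytes], Optional[bytes]],
                      sndcnt: str, rcvcnt: str, offset: int = 0) -> bool:
    """Send sndcnt, then compare rcvcnt against the reply starting `offset`
    bytes into the WSP PDU (offset 0 = start of the PDU, the menu default).
    `send` stands for the connectionless UDP exchange and returns None when
    no reply arrives, which fails the check the way a timeout would."""
    request = parse_hexstring(sndcnt)
    expected = parse_hexstring(rcvcnt)
    reply = send(request)
    if reply is None or offset < 0 or offset + len(expected) > len(reply):
        return False                      # no reply, or reply too short to hold the content
    return reply[offset:offset + len(expected)] == expected


# Constructed sample replies (not captured traffic), laid out like a
# connectionless WSP Reply: TID, PDU type, status, headers length,
# content type, body.
GOOD_REPLY = bytes([0x01, REPLY_PDU_TYPE, 0x20, 0x01, 0x94]) + b"Hello"
BAD_STATUS_REPLY = bytes([0x01, REPLY_PDU_TYPE, 0x44, 0x01, 0x94])


def fake_gateway(reply: bytes) -> Callable[[bytes], Optional[bytes]]:
    """A stand-in gateway that answers only a request shaped like a Get PDU
    (TID followed by the Get type byte) and stays silent otherwise."""
    def send(request: bytes) -> Optional[bytes]:
        if len(request) >= 2 and request[1] == GET_PDU_TYPE:
            return reply
        return None
    return send


GET_REQUEST = "01 40 01 2f"   # constructed: TID 1, Get, URI length 1, "/"

if __name__ == "__main__":
    # Expect PDU type 0x04 and status 0x20 one byte into the PDU.
    print(wsp_content_check(fake_gateway(GOOD_REPLY), GET_REQUEST, "0420", offset=1))
```

The same expected string fails at offset 0 because the TID byte comes first, which is why the offset option matters when the gateway prepends per-transaction bytes that the health check should ignore.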
/cfg/slb/pip
Proxy IP Address Configuration Menu
You need to enable proxy IP address processing on the port to use this command. You can configure multiple proxy IP addresses based on either port or VLAN. You can configure up to 1024 proxy IP addresses on a per switch basis.
[Proxy IP Address Menu] type - Set base type of Proxy IP address add - Add port or VLAN to Proxy IP address rem - Remove port or VLAN from Proxy IP address cur - Display current Proxy IP address configuration
/cfg/slb/peerpip
SLB Peer Proxy IP Address Menu
When this command is enabled, the switch is able to forward traffic from the other switch, using Layer 2, without performing server processing on the packets of the other switch. This happens because the peer switches are aware of each other's proxy IP addresses. This prevents a packet from being dropped, or sent to the backup switch, when the proxy IP address of the peer switch would otherwise be unknown.
[Peer Proxy IP Address Menu]
add - Add peer Proxy IP address
rem - Rem peer Proxy IP address
cur - Display current peer Proxy IP address configuration
/cfg/slb/wlm
WorkLoad Management Menu
[Workload Manager 1 Menu] addr - Set IP address for Workload Manager port - Set port for Workload Manager del - Delete Workload Manager cur - Display current Workload Manager configuration
CHAPTER 8
The commands of the Operations Menu enable you to alter switch operational characteristics without affecting switch configuration. Port Mirroring menu options are accessible only to the Nortel Application Switch AD4 and Nortel Application Switch 184 Web Switches.
320506-A, January 2006
Operations-level port options are used for temporarily disabling or enabling a port, and for changing Remote Monitoring (RMON) status on a port. Table 8-2 Operations-Level Port Menu Options (/oper/port)
Command Syntax and Usage
rmon disable|enable
Temporarily enables/disables Remote Monitoring on the port. The port will be returned to its configured operation mode when the switch is reset.
ena
Temporarily enables the port. The port will be returned to its configured operation mode when the switch is reset.
dis
Temporarily disables the port. The port will be returned to its configured operation mode when the switch is reset.
cur
Displays the current settings for the port.
When the optional Layer 4 software is enabled, the operations-level Server Load Balancing options are used for temporarily disabling or enabling real servers and synchronizing the configuration between the active/active switches. Table 8-3 Server Load Balancing Operations Menu Options (/oper/slb)
Command Syntax and Usage
group <real server group number (1-1024)>
Displays the Real Server Group Menu. To view menu options, see page 503.
gslb
Displays the Global SLB Operations Menu. To view menu options, see page 504.
sync
Synchronizes the SLB, filter, VRRP, port, Bandwidth Management configuration, and VR priorities on a peer switch (a switch that owns the IP address). To take effect, peers must be configured on the Nortel Application Switch and the administrator password on the switch must be identical.
ena <real server number (1-1023)>
Temporarily enables a real server. The real server will be returned to its configured operation mode when the switch is reset.
NOTE This command provides for orderly server shutdown to allow maintenance on a server. For more information, see Disabling and Enabling Real Servers in the Nortel Application Switch Operating System 23.0.2 Application Guide.
sessdel
Deletes a session table entry.
clear
Clears all session tables and allows port filter changes to take effect immediately.
NOTE This command disrupts current SLB and Application Redirection sessions.
cur
Displays the current SLB operational state.
/oper/slb/group
Real Server Group Operations
[Real server group 1 Menu] ena - Enable real server in this group dis - Disable real server in this group cur - Current server group operational state
/oper/slb/gslb
Global SLB Operations Menu
[Global SLB Operations Menu] query - Query Global SLB selection add - Add entry to Global SLB DNS persistence cache arem - Remove all entries Global SLB DNS persistence cache
/oper/bwm
Operations-Level Bandwidth Management Options
[Bandwidth Management Operations Menu] sndhist - Send BW History to SMTP server clear - Clear BWM IP user entry table
/oper/security
Security Menu
[Security Menu] ipacl - IP ACL Operations Menu
/oper/security/ipacl
IP ACL Operations Menu
[IP ACL Operations Menu] add - Add operations source IP Address/Mask rem - Remove operations source IP Address/Mask arem - Remove all operations source IP Address/Mask dadd - Add operations destination IP Address/Mask drem - Remove operations destination IP Address/Mask darem - Remove all operations destination IP Address/Mask cfg - Display configuration IP Address/Mask bogon - Display bogon IP Address/Mask oper - Display operations IP Address/Mask cur - Display all IP Address/Mask
/oper/ip/bgp
Operations-Level BGP Options
[Border Gateway Protocol Operations Menu]
start - Start peer session
stop - Stop peer session
cur - Current BGP operational state
4. When prompted, enter your 16-digit software key code. For example:
Enter Software Key: <16 hexadecimal-digit key to enable software feature (such as, 123456789ABCDEF)>
If the correct code is entered, you will see the following message:
Valid software key entered. Software feature enabled.
When prompted, enter the code for software to be removed. For example:
Enter Software Feature to be removed:[GSLB]|BWM|Security: GSLB
CHAPTER 9
/boot/sched
Scheduled Reboot Menu
[Boot Schedule Menu] set - Set switch reset time cancel - Cancel pending switch reset cur - Display current switch reset schedule
The cur option displays the current scheduled reboot time. For example:
>> Boot Schedule# cur
Currently scheduled reboot time: none
4. The exact form of the name will vary by TFTP server. However, the file location is normally relative to the TFTP directory (usually /tftpboot).
5. The system prompts you to confirm your request. You should next select a software image to run, as described below.
2. Enter the name of the image you want the switch to use upon the next boot. The system informs you of which image is currently set to be loaded at the next reset, and prompts you to enter a new choice:
Currently set to use switch software "image1" on next reset.
Specify new image to use on next reset ["image1"/"image2"]:
2. The system prompts you for information. Enter the desired image:
Enter name of switch software image to be uploaded ["image1"|"image2"|"boot"]: <image> <hostname or server-IP-addr> <server-file-name>
4. Enter the name of the file into which the image will be uploaded on the TFTP server:
Enter name of file on TFTP server: <filename>
5. The system then requests confirmation of what you have entered. To have the file uploaded, enter Y.
image2 currently contains Software Version 20.2.0.7
Upload will transfer image2 (1889411 bytes) to file "test" on TFTP server 192.1.1.1.
Confirm upload operation [y/n]: y
2. Enter the name of the configuration block you want the switch to use:
The system informs you of which configuration block is currently set to be loaded at the next reset, and prompts you to enter a new choice:
Currently set to use active configuration block on next reset.
Specify new block to use ["active"/"backup"/"factory"]:
CHAPTER 10
The Maintenance Menu
Dump information contains internal switch state data that is written to flash memory on the Nortel Application Switch after any one of the following occurs:
The switch administrator forces a switch panic. The panic option, found in the Maintenance Menu, causes the switch to dump state information to flash memory, and then causes the switch to reboot.
The switch administrator enters the switch reset key combination on a device that is attached to the console port. The switch reset key combination is <Shift><Ctrl><->.
The watchdog timer forces a switch reset. The purpose of the watchdog timer is to reboot the switch if the switch software freezes.
The switch detects a hardware or software problem that requires a reboot.
Table 10-1 Maintenance Menu Options (/maint)
Command Syntax and Usage
sys
Displays the System Maintenance Menu. To view menu options, see page 522.
fdb
Displays the Forwarding Database Manipulation Menu. To view menu options, see page 522.
arp
Displays the ARP Cache Manipulation Menu. To view menu options, see page 523.
route
Displays the IP Route Manipulation Menu. To view menu options, see page 525.
ip6
Displays the IPv6 Manipulation Menu. To view menu options, see page 526.
debug
Displays the Debugging Menu. To view menu options, see page 527.
uudmp
Displays dump information in uuencoded format. For details, see page 528.
ptdmp hostname filename [-mgmt|-data]
Saves the system dump information using TFTP. For details, see page 529.
cldmp
Clears dump information from flash memory. For details, see page 529.
lsdmp
Displays the list of flash dumps. For details, see page 530.
panic
Dumps MP information to FLASH and reboots. For details, see page 530.
tsdmp
Dumps all Nortel Application Switch information, statistics, and configuration. You can log the tsdump output into a file and send it to Nortel Networks Tech Support for debugging purposes. For details, see page 531.
The Forwarding Database Manipulation Menu can be used to view information and to delete a MAC address from the forwarding database or clear the entire forwarding database. This is helpful in identifying problems associated with MAC address learning and packet forwarding decisions.
Chapter 10: The Maintenance Menu
NOTE To display all ARP entries currently held in the switch, or a portion according to one of the options listed on the menu above (find, port, vlan, refpt, dump), you can also refer to ARP Information on page 112.
NOTE To display all routes, you can also refer to IP Routing Information on page 108.
The Miscellaneous Debug Menu displays trace buffer information about events that can be helpful in understanding switch operation. You can view the following information using the debug menu:
Events traced by the Management Processor (MP)
Events traced by the Switch Processor (SP)
Events traced to a buffer area when a reset occurs
If the switch resets for any reason, the MP trace buffer and SP trace buffers are saved into the snap trace buffer area. The output from these commands can be interpreted by the Nortel Networks Customer Support division.
Table 10-7 Miscellaneous Debug Menu Options (/maint/debug)
Command Syntax and Usage
tbuf
Displays the Management Processor trace buffer. Header information similar to the following is shown:
MP trace buffer at 13:28:15 Fri May 25, 2001; mask: 0x2ffdf748
The buffer information is displayed after the header.
sptb <port number (1-4)>
Displays the Switch Processor trace buffer. Header information similar to the following is shown:
SP 1 trace buffer at 10:56:35 Tue Jul 30, 2002; mask: 0x00800008
The buffer information is displayed after the header.
spall
Displays all SP trace buffers. Header information similar to the following is shown:
SP 1 trace buffer at 10:56:35 Tue Jul 30, 2002; mask: 0x00800008
The buffer information is displayed after the header.
clrcfg
Deletes all flash configuration blocks.
The dump information is displayed on your screen and, if you have configured your communication software to do so, captured to a file. If there is a dump available, the system prompts as follows:
>> Maintenance# uu
Enter region to dump [main/bkp]: main
Dumping main region:
Use 'ptdmp' to extract panic dumps.
Confirm proceed with large dump (15000 lines) [y/n]:
Where server is the TFTP or FTP server IP address or hostname, and filename is the target dump file.
The switch clears the dump region of flash memory and displays the following message:
FLASH dump region cleared.
If the flash dump region is already clear, the switch displays the following message:
FLASH dump region is already clear.
/maint/lsdmp
Use the /maint/lsdmp command to view dump statistics. For example:
>> Maintenance# lsdmp
The main dump was saved at 8:12:58 Fri Jun 3, 2005.
A backup dump was saved at 14:47:31 Mon Jun 20, 2005.
/maint/tsdmp
Use the /maint/tsdmp command to dump all dump information that can be used for technical support. For example:
>> Maintenance# tsdmp
Confirm dumping all information, statistics, and configuration [y/n]:
/maint/pttsdmp
Use the /maint/pttsdmp command to upload a technical support dump using an FTP or TFTP connection. The dump was performed earlier using the /maint/tsdmp command. For example:
>> Maintenance# ? pttsdmp
Usage: pttsdmp <hostname> <filename> <-tftp|username password> [mgmt|-data]
>> Maintenance# pttsdmp
Enter hostname or IP address of FTP/TFTP server: 0.0.0.0
Enter name of file on FTP/TFTP server: dump.txt
Enter username for FTP server or hit return for TFTP server: username
Enter password for username on FTP server:
Connecting to 0.0.0.0...
. .
/maint/sslrst
Use the /maint/sslrst command to reset the switch SSL card.
CHAPTER 11
NOTE Help information on specific commands uses the command help, and not the ? symbol used at other directory levels. The command must also be spelled out in full. For example, to request help on the apply command enter:
SSL >> Main# help diff
Show any pending configuration changes.
ipsec [<vpnid> [<prefix>]]
Show number of IPSEC users logged in. For example:
Number of active ipsec sessions for all VPNs: 0
ippool [<vpnid>]
Displays the IP pool allocations.
local
Displays the current software version, iSD hardware platform, up time (since last boot), IP address, and Ethernet MAC address for the particular iSD host to which you have connected. If you have connected to the MIP address, the information displayed relates to the iSD host in the cluster that currently is in control of the MIP. For example:
SSL >> Information# local
Alteon iSD SSL
Hardware platform: 2424S
Software version: 5.0.0.34
Up time: 11 days 1 hour 52 minutes
IP address: 10.10.10.71
MAC address: 00:01:81:2e:bc:6f
ethernet
Displays statistics for the Ethernet network interface card (NIC) on the particular iSD host to which you have connected. If you have connected to the MIP address, the information displayed relates to the iSD host in the cluster that currently is in control of the MIP. If more than one network is configured in the cluster, Ethernet statistics for each network are displayed.
RX packets: the total number of received packets
TX packets: the total number of transmitted packets
errors: packets lost due to error
dropped: error due to lack of resources
overruns: error due to lack of resources
frame: error due to malformed packets
carrier: error due to lack of carrier
collisions: number of packet collisions
Note: A non-zero collision value may indicate an incorrect configuration of the Ethernet autonegotiation. For example:
I/f 1: RX packets:3438 errors:0 dropped:0 overruns:0 frame:0
I/f 1: TX packets:2738 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
I/f 1: RX bytes:220060 (214.9 Kb) TX bytes:205486 (200.6 Kb)
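An added Python helper, not part of the Nortel documentation, that parses the ethernet output shown above and applies the collision note as a check so the statistics can be screened in bulk rather than read by eye. The I/f 1 lines are the page's own example; the second interface and the finding texts are constructed for the illustration.

```python
"""Parse iSD 'ethernet' statistics and flag suspect counters (added example)."""
import re
from typing import Dict, List

# Constructed sample: I/f 1 is the output quoted above; I/f 2 is made up to
# show a NIC with receive errors and collisions.
SAMPLE_OUTPUT = """\
I/f 1: RX packets:3438 errors:0 dropped:0 overruns:0 frame:0
I/f 1: TX packets:2738 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
I/f 1: RX bytes:220060 (214.9 Kb) TX bytes:205486 (200.6 Kb)
I/f 2: RX packets:9120 errors:3 dropped:0 overruns:0 frame:3
I/f 2: TX packets:8871 errors:0 dropped:0 overruns:0 carrier:0 collisions:57
I/f 2: RX bytes:1002312 (978.8 Kb) TX bytes:911200 (889.8 Kb)
"""

LINE_RE = re.compile(r"^I/f (\d+): (.*)$")
# Either a direction marker or a name:value counter; the "(214.9 Kb)" totals
# carry no colon and are skipped.
TOKEN_RE = re.compile(r"\b(RX|TX)\b|\b([a-z]+):(\d+)")


def parse_ethernet_stats(text: str) -> Dict[int, Dict[str, int]]:
    """Map interface number -> {'rx_packets': ..., 'tx_collisions': ..., ...}."""
    stats: Dict[int, Dict[str, int]] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                          # prompt or unrelated line
        counters = stats.setdefault(int(m.group(1)), {})
        direction = None
        for tok in TOKEN_RE.finditer(m.group(2)):
            if tok.group(1):
                direction = tok.group(1).lower()   # RX/TX applies to what follows
            elif direction:
                counters[f"{direction}_{tok.group(2)}"] = int(tok.group(3))
    return stats


ERROR_COUNTERS = ("rx_errors", "rx_dropped", "rx_overruns", "rx_frame",
                  "tx_errors", "tx_dropped", "tx_overruns", "tx_carrier")


def assess(stats: Dict[int, Dict[str, int]]) -> Dict[int, List[str]]:
    """Per interface, list the counters that deserve attention. The collision
    finding applies the note above: a non-zero collision count usually means
    an autonegotiation/duplex mismatch with the attached switch port."""
    findings: Dict[int, List[str]] = {}
    for ifn, c in sorted(stats.items()):
        notes = []
        if c.get("tx_collisions", 0):
            notes.append(f"collisions={c['tx_collisions']}: check Ethernet autonegotiation/duplex")
        notes.extend(f"{name}={c[name]}" for name in ERROR_COUNTERS if c.get(name, 0))
        findings[ifn] = notes
    return findings


if __name__ == "__main__":
    for ifn, notes in assess(parse_ethernet_stats(SAMPLE_OUTPUT)).items():
        print(f"I/f {ifn}:", notes or "clean")
```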
/ssl/info/events
SSL Performance Menu
[Events Menu] alarms - List all pending alarms download - Dump the event log file to a TFTP/FTP/SFTP server
/ssl/stats/sslstats
SSL Performance Menu
[SSL stats Menu] vpn - Cluster SSL VPN statistics server - Cluster SSL Server statistics local - Local statistics for each isdhost clear - Clear all statistics for all IPs activesess - Number of currently active request sessions totalsess - Total completed request sessions sslaccept - Total completed SSL accept sslconnect - Total completed SSL connect tpshisto - Cluster-wide TPS histograms for all servers clihisto - cluster wide client data histograms for all servers srvhisto - cluster wide server data histograms for all servers
/ssl/stats/sslstats/local
SSL Performance SSL Local Statistics Menu
[Local SSL Statistics Menu]
isdhost - ISD local SSL server statistics menu
overview - Overview of isdhost local statistics
tpshisto - ISD local TPS histograms for all servers/ISDs
clihisto - ISD local client byte/s histos for all servers/ISDs
srvhisto - ISD local server data byte/s histos for all servers/ISDs
license - ISD local license statistics
dump - Dump all information
/ssl/stats/sslstats/local/isdhost
SSL Performance: Single ISD SSL Statistics Menu
[Single ISD SSL Stats 1 Menu] server - ISD local SSL server stats tpshisto - ISD local TPS histograms for all servers clihisto - ISD local client byte/s histograms for all servers srvhisto - ISD local server byte/s histograms for all servers dump - Dump all information
Table 11-7 SSL Performance: Single ISD SSL Statistics Menu Options
Command Syntax and Usage
server
Displays statistics for the local ISD SSL server.
tpshisto
Displays ISD local TPS histograms for all servers.
clihisto
Displays ISD local client data histograms for all servers.
srvhisto
Displays ISD local server histograms for all servers.
dump
Displays all statistical information.
/ssl/stats/ipsec/local
SSL Performance: Local IPSEC Statistics Menu
[Local IPSEC Statistics Menu]
isdhost - ISD local IPSEC server statistics menu
sesshisto - ISD local ipsec session histograms for all VPNs/ISDs
enchisto - ISD local ipsec encrypt histograms for all VPNs/ISDs
dechisto - ISD local ipsec decrypt histograms for all VPNs/ISDs
dump - Dump all information
/ssl/stats/ipsec/local/isdhost
SSL Performance: Single IPSEC ISD Statistics Menu
[Single ISD IPSEC Stats 1 Menu] vpn - ISD local IPSEC server stats activesess - Locally active ipsec sessions all VPNs totalsess - Locally total ipsec sessions all VPNs failedsess - Locally failed ipsec sessions, all VPNs enctot - Locally total ipsec encoded kBytes all VPNs enc - Locally ipsec encoded kB/sec last minute all VPNs dectot - Locally total ipsec decoded kBytes all VPNs dec - Locally ipsec decoded kB/sec last minute all VPNs sesshisto - ISD local ipsec sess histograms for all VPNs enchisto - ISD local ipsec encrypt histograms for all VPNs dechisto - ISD local ipsec decrypt histograms for all VPNs dump - Dump all information
Table 11-10 SSL Performance: Single IPSEC ISD Statistics Menu Options
Command Syntax and Usage
vpn <VPN_number>
Display the ISD local IPSEC server statistics.
activesess
Display the locally active IPSEC sessions for all VPNs.
totalsess
Display the total of locally active IPSEC sessions for all VPNs.
failedsess
Display the failed IPSEC sessions for all VPNs.
enctot
Display the total kBytes encoded for all VPNs.
enc
Display the locally encoded kBytes for all VPNs.
dectot
Display the total kBytes decoded for all VPNs.
dec
Display the locally decoded kBytes for all VPNs.
sesshisto
Display the ISD local IPSEC session histograms for all VPNs.
enchisto
Display the ISD local IPSEC encrypted histograms for all VPNs.
dechisto
Display the ISD local IPSEC decrypt histograms for all VPNs.
dump
Display all ISD statistics.
/ssl/stats/aaa
AAA Statistics Menu
[AAA Statistics Menu] total - Cluster-wide authentication statistics (per VPN) isdhost - ISD local authentication statistics (per VPN) dump - Dump all information
/ssl/cfg
SSL Performance Configuration Menu
[Configuration Menu] ssl - SSL offload menu cert - Certificate menu vpn - VPN menu test - Create test vpn, portal and certificate quick - Quick vpn setup wizard sys - System-wide parameter menu lang - Language support ptcfg - Backup configuration to TFTP/FTP/SCP/SFTP server gtcfg - Restore configuration from TFTP/FTP/SCP/SFTP server dump - Dump configuration on screen for copy-and-paste
NOTE Note 1: If you have fully separated the Administrator user role from the Certificate Administrator user role, the export passphrase defined by the certificate administrator is used to protect the private keys in the configuration - transparently to the user. When a configuration backup is restored by using the gtcfg command, the certificate administrator must enter the correct passphrase.
NOTE Note 2: When using the ptcfg command on an iSD310-SSL FIPS, private keys are encrypted using the wrap key that was generated when the first HSM card in the cluster was initialized.
gtcfg Restores a configuration, including private keys and certificates, from a TFTP server. You need to provide the password phrase you specified when saving the configuration to the TFTP server.
NOTE Note: If you have fully separated the Administrator user role from the Certificate Administrator user role (by removing the admin user from the certadmin group), the certificate administrator must enter the passphrase that was defined by him or her using the /cfg/sys/user/caphrase command.
dump Display the configuration on-screen for a copy and paste operation.
/ssl/cfg/ssl
SSL Configuration Server Menu
[SSL Menu]
server - SSL server menu
test - Create test server and certificate
quick - Quick server setup wizard
/ssl/cfg/ssl/server
SSL Configuration Server-specific Menu
[Server 1 Menu]
name - Set server name
vips - Set IP addr(s) of server
standalone - Set standalone mode
port - Set listen port of server
rip - Set real server IP addr
rport - Set real server port
type - Set type (generic/http/socks)
proxy - Set transparent proxy mode (on/off)
trace - Traffic trace menu
ssl - SSL settings menu
tcp - TCP endpoint settings menu
adv - Advanced settings menu
del - Remove virtual server
ena - Enable virtual server
dis - Disable virtual server
/ssl/cfg/ssl/server/trace
SSL Configuration Server-specific Trace Menu
[Trace Menu]
ssldump - Create traffic dump
tcpdump - Create traffic dump
ping - Ping through backend interface
dnslookup - Lookup a name in DNS through backend interface
traceroute - traceroute through backend interface
/ssl/cfg/ssl/server/ssl
SSL Configuration Server-specific SSL Menu
[SSL Settings Menu] cert - Set server certificate cachesize - Set SSL cache size cachettl - Set SSL cache timeout cacerts - Set list of accepted signers of client certificates cachain - Set list of CA chain certificates protocol - Set protocol version verify - Set certificate verification level ciphers - Set cipher list ena - Enable SSL dis - Disable SSL
/ssl/cfg/ssl/server/tcp
SSL Configuration Server-specific TCP Menu
[TCP Settings Menu]
cwrite - Set client TCP write timeout
ckeep - Set client TCP keep alive timeout
swrite - Set server TCP write timeout
sconnect - Set server TCP connect timeout
csendbuf - Set client TCP send buffer size
crecbuf - Set client TCP receive buffer size
ssendbuf - Set server TCP send buffer size
srecbuf - Set server TCP receive buffer size
/ssl/cfg/ssl/server/adv
SSL Configuration Server-specific Advanced Menu
[Advanced Settings Menu]
string - String menu
blockstrin - Set strings to block
loadbalanc - Load balancing menu
sslconnect - SSL connect menu
/ssl/cfg/ssl/server/adv/string
SSL Configuration Server Advanced String Menu
[LB String 1 Menu]
match - Set string to match
location - Set locations to perform the match in
icase - Set ignore case in match
negate - Set negate the result of the match
del - Remove string
/ssl/cfg/ssl/server/adv/loadbalanc
SSL Configuration Server Advanced Load Balancing Menu
[Load Balancing Settings Menu]
type - Set load balancing type
persistenc - Set persistence strategy
cookie - Cookie settings menu
metric - Set load balancing metric
health - Set health check type
script - Health check script menu
interval - Set health check interval (s)
remotessl - Remote SSL connect menu
backend - Backend servers menu
ena - Enable load balancing
dis - Disable load balancing
Table 11-20 SSL Configuration Server Advanced Load Balancing Menu Options
Command Syntax and Usage
type all|<string> - Set the load balancing type.
persistenc none|cookie|session - Set the persistence strategy.
cookie - Go to the Cookie settings menu. To view the menu options, see page 560. Note that this menu is accessible only when persistenc is set to cookie.
metric hash|roundrobin|leastconn - Set the load balancing metric.
health none|tcp|ssl|auto|script - Set the health check type.
script - Go to the health check script menu. To view the menu options, see page 562.
interval <integer> - Set the health check interval.
remotessl - Go to the Remote SSL connection menu. To view the menu options, see page 563.
backend - Go to the Backend Servers menu. To view the menu options, see page 565.
ena enable|disable - Enable load balancing.
dis enable|disable - Disable load balancing.
/ssl/cfg/ssl/server/adv/loadbalanc/cookie
SSL Configuration Server Advanced Load Balancing Cookie Menu
[Cookie Settings Menu]
mode - Set cookie mode
name - Set cookie name
domain - Set cookie domain
expires - Set cookie expires
expiresdel - Set cookie expires delta
localvips - Configure other local VIPs
offset - Set cookie value offset
length - Set cookie value length
Table 11-21 SSL Configuration Server Advanced Load Balancing Cookie Menu Options
Command Syntax and Usage
mode insert|passive|rewrite - Sets the cookie load balancing mode.
name <cookie_name> - Sets the cookie name.
domain <domain_name> - Sets the cookie domain name.
expires <date_time> - Sets the cookie expiration date and time.
expiresdel <0(session)-2147483647> - Sets the cookie expiration delta value.
localvips - Opens the Local VIPs menu. For more information on this menu refer to page 562.
offset <1-64> - Sets the cookie value offset.
length <0-64> - Sets the cookie value length.
/ssl/cfg/ssl/server/adv/loadbalanc/cookie/localvips
Local VIP Configuration Menu
[Local VIPs Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
/ssl/cfg/ssl/server/adv/loadbalanc/script
SSL Configuration Server Advanced Load Balancing Health Script Menu
[Health Check Script Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-23 SSL Configuration Server Advanced Load Balancing Health Script Menu Options
Command Syntax and Usage
list - Display all values.
del <index> - Delete a specific value.
add <command> <timeout> <argument> - Add a new health script.
insert <position> <command> <timeout> <argument> - Insert a new value.
move <value> <value> - Exchange one value for another.
/ssl/cfg/ssl/server/adv/loadbalanc/remotessl
SSL Configuration Server Advanced Load Balancing Remote SSL Menu
[Remote SSL Connect Settings Menu]
protocol - Set protocol version
cert - Set client certificate
ciphers - Set accepted ciphers for ssl connect
verify - Verify server menu
Table 11-24 SSL Configuration Server Advanced Load Balancing Remote SSL Menu Options
Command Syntax and Usage
protocol ssl2|ssl3|ssl23|tls1 - Set the protocol version.
cert <integer, 1 to 1500> - Set the certificate number.
ciphers <string> - Set the accepted ciphers for the SSL connection. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g. SHA1+DES represents all cipher suites containing both the SHA1 and the DES algorithms). Each cipher string can optionally be preceded by the characters !, - or +:
! permanently deletes the ciphers from the list (e.g. !RSA).
- deletes the ciphers from the list, but the ciphers can be added again by later options.
+ moves the ciphers to the end of the list. This option does not add any new ciphers; it only moves matching existing ones.
Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.
verify - Go to the Verify Server menu. To view the menu options, see page 564.
/ssl/cfg/ssl/server/adv/loadbalanc/remotessl/verify
SSL Configuration Server Advanced Load Balancing Remote SSL Verification Menu
[Remote SSL Connect Verify Settings Menu]
verify - Set certificate verification level
commonname - Set server common name
cacerts - Set list of accepted signers of server's certificate
Table 11-25 SSL Configuration Server Advanced Load Balancing Remote SSL Verification Menu Options
Command Syntax and Usage
verify none|require - Set the certificate verification level.
commonname <name> - Set the server common name. For example:
SSL >> Remote SSL Connect Verify Settings# commonname
Current value: [old_server_name]
Give common name of server: <new_server_name>
cacerts <integer_list> - Enter the certificate numbers, separated by commas.
/ssl/cfg/ssl/server/adv/loadbalanc/backend
SSL Configuration Server Advanced Load Balancing Backend Server Menu
[Backend Server 1 Menu]
ip - Set IP addr of backend server
port - Set backend server port
sslconnect - Set perform SSL connect if enabled for server
remote - Set server is remote
rname - Set host name of remote server
remotessl - Set remote site is ssl
lbstrings - Set load balancing strings
lbop - Set string load balancing operation
del - Remove backend server
ena - Enable backend server
dis - Disable backend server
Table 11-26 SSL Configuration Server Advanced Load Balancing Backend Server Menu Options
Command Syntax and Usage
ip <IP_address> - Set the IP address of the backend server.
port <port_number> - Set the backend server port number.
sslconnect on|off - Set the SSL connection option.
remote true|false - Set the server as remote, as required.
rname <hostname> - Set the hostname of the remote server.
remotessl true|false - Set the remote site as SSL.
lbstrings <integers> - Set the load balancing strings, separated by commas.
lbop any|all|one|none - Set the string load balancing operation.
del - Remove the backend server.
ena enable|disable - Enable the backend server.
dis enable|disable - Disable the backend server.
/ssl/cfg/cert
SSL Configuration Certificate Menu
[Certificate 1 Menu]
name - Set certificate name
cert - Set certificate
key - Set private key
revoke - Revocation menu
genkey - Generate private key
gensigned - Generate signed client/server certificate
request - Generate certificate request
sign - Sign a certificate request
test - Generate test certificate and key
import - Import key and certificate with TFTP/FTP/SCP/SFTP
export - Export certificate and key with TFTP/FTP/SCP/SFTP
display - Display certificate and key
show - Show certificate information
info - Show certificate short information
subject - Show certificate subject information
validate - Check if key and certificate match
keysize - Show key size
keyinfo - Show how key is stored
del - Remove certificate
/ssl/cfg/cert/revoke
SSL Configuration Revoke Certificate Menu
[Revocation Menu]
add - Add decimal serial number to revocation list
addx - Add hex serial number to revocation list
del - Cancel revocation for a serial number
list - List revoked certificates
rev - Enter revocation list
import - Import revocation list with TFTP/FTP/SCP/SFTP
automatic - Automatic CRL retrieval menu
/ssl/cfg/cert/revoke/automatic
SSL Configuration Revoke Certificate Automatic Menu
[Automatic CRL Menu]
url - Set URL to retrieve CRL from
authDN - Set LDAP DN used for bind/authentication
passwd - Set password to use when authenticating
interval - Set refresh interval
cacerts - Set list of accepted signers of CRLs
ena - Enable automatic retrieval
dis - Disable automatic retrieval
/ssl/cfg/vpn
SSL VPN Configuration Menu
[VPN 1 Menu]
ips - Set IP addr(s) of the VPN
standalone - Set standalone mode (no switch)
aaa - AAA menu
server - SSL server menu
ipsec - IPsec server menu
ippool - IP address pool menu
portal - Portal look and feel menu
linkset - Portal linkset menu
sslclient - SSL VPN client menu
adv - Advanced settings menu
del - Remove VPN
/ssl/cfg/vpn/aaa
SSL VPN Configuration Menu
[AAA Menu]
quick - AAA setup wizard
tg - TunnelGuard menu
ttl - Set login session TTL
auth - Authentication menu
authorder - Set authentication server fallback order
network - Network access menu
service - Service access menu
appspec - Application specific menu
filter - Client filter menu
group - Group menu
defgroup - Set default group
ssodomains - Single-Sign on enabled domains menu
ssoheaders - Single-Sign on headers menu
radacct - RADIUS accounting menu
/ssl/cfg/vpn/aaa/tg
SSL VPN Configuration TunnelGuard Menu
[TG Menu]
ena - Enable TunnelGuard
dis - Disable TunnelGuard
quick - Quick TunnelGuard setup wizard
recheck - Set recheck interval
action - Set fail action
retry - Set UDP retry interval
list - List SRS rules
loglevel - Set TunnelGuard applet loglevel
/ssl/cfg/vpn/aaa/auth
SSL VPN Configuration Authentication Menu
To enter the /ssl/cfg/vpn/aaa/auth menu level, you are prompted to create an authentication if one does not already exist.
Creating Authentication 1
Select one of radius, ldap, ntlm, siteminder, cert, rsa or local: radius
Auth name: Authentication_1
Entering: RADIUS settings menu
Entering: RADIUS servers menu
IP Address to add: 0.0.0.0
Port (default is 1812): 1812
Enter shared secret: shared
Leaving: RADIUS servers menu
Enter vendor id [alteon]: alteon
Enter vendor type [1]: 1
Leaving: RADIUS settings menu
-----------------------------------------------------------
[Authentication 1 Menu]
type - Set authentication mechanism
name - Set auth name
display - Set auth display name
domain - Set windows domain for backend single sign-on
radius - RADIUS settings menu
adv - Advanced settings menu
del - Remove Authentication
/ssl/cfg/vpn/aaa/auth/radius
SSL VPN Configuration Authentication Radius Menu
To enter the /ssl/cfg/vpn/aaa/auth/radius menu level, the authentication type must be set to radius. For example: /ssl/vpn/aaa/auth/type radius.
[RADIUS Menu]
servers - RADIUS servers menu
vendorid - Set vendor id for group attribute
vendortype - Set vendor type for group attribute
timeout - Set RADIUS server timeout
sessiontim - Session Timeout menu
macro - User-defined Macro menu
Table 11-34 SSL VPN Configuration AAA Authentication Radius Menu Options
Command Syntax and Usage
servers - Go to the Radius servers menu. To view the menu options, see page 580.
vendorid <string> - Set the switch vendor ID.
vendortype <vendortype> - Set the vendor type.
timeout <integer, 1 to 1000 seconds> - Set the Radius server timeout.
sessiontim - Go to the Session Timeout menu. To view the menu options, see page 580.
macro - Go to the Macro menu. To view the menu options, see page 581.
/ssl/cfg/vpn/aaa/auth/radius/servers
SSL VPN Configuration Authentication Radius Servers Menu
[RADIUS Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-35 SSL VPN Configuration AAA Authentication Radius Servers Menu Options
Command Syntax and Usage
list - List all values (servers).
del <index_number> - Delete a server value by number.
add <ip> <port, default=1812> <secret> - Add a new value (server).
insert <position> <ip> <port> <secret> - Insert a value into the list.
move <value> <value> - Move a value position in the list.
/ssl/cfg/vpn/aaa/auth/radius/sessiontim
SSL VPN Configuration Authentication Radius Session Timeout Menu
[SessionTimeout Menu]
vendorid - Set vendor id for session timeout attribute
vendortype - Set vendor type for session timeout attribute
ena - Enable Session-Timeout
dis - Disable Session-Timeout
Table 11-36 SSL VPN Configuration AAA Authentication Radius Session Timeout Menu Options
Command Syntax and Usage
vendorid <vendorid> - Set the vendor ID number.
vendortype <value> - Set the Vendor Type number.
ena enable|disable - Enable session timeout.
dis enable|disable - Disable session timeout.
/ssl/cfg/vpn/aaa/auth/radius/macro
SSL VPN Configuration Authentication Radius Macro Menu
[Macro Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-37 SSL VPN Configuration AAA Authentication Radius Macro Menu Options
Command Syntax and Usage
list - List all values.
del <value> - Delete a value using its number.
add <vendorid> <vendortype> <attribute_type (IP, <string> <integer>)> - Add a value.
insert <index_position> <vendorid> <vendortype> <attribute_type_string> - Insert a value.
move <value> <value> - Move a value's position in the list.
/ssl/cfg/vpn/aaa/auth/adv
SSL VPN Configuration Authentication Advanced Menu
[Advanced Menu]
groupauth - Set Authentication server list of group information
secondauth - Set Secondary authentication server
Table 11-38 SSL VPN Configuration AAA Authentication Advanced Menu Options
Command Syntax and Usage
groupauth <hostnames> - Set the list of authentication servers. Separate values using a comma.
secondauth <hostname> - Set the secondary authentication server.
/ssl/cfg/vpn/aaa/network
SSL VPN Configuration Network Menu
To enter the /ssl/cfg/vpn/aaa/network menu level, you are prompted to create a network if one does not already exist.
SSL >> AAA# network
Enter network number or name: (1-1023) 1
Creating Network 1
Network name: Network_1
-----------------------------------------------------------
[Network 1 Menu]
name - Set network name
subnet - Subnet menu
comment - Set comment
del - Remove network
/ssl/cfg/vpn/aaa/network/subnet
SSL VPN Configuration Network Subnet Menu
To enter the /ssl/cfg/vpn/aaa/network/subnet menu level, you are prompted to create a subnet if one does not already exist.
SSL >> Network 1# sub
Enter subnet number: (1-1023) 1
Creating Network Subnet 1
Enter host name: Subnet_1
Enter network address: 0.0.0.0
Enter network netmask: netmask
-----------------------------------------------------------
[Network Subnet 1 Menu]
host - Set Host Name
net - Set network address
mask - Set network mask
del - Remove subnet
Table 11-40 SSL VPN Configuration AAA Network Subnet Menu Options
Command Syntax and Usage
host <hostname> - Set the hostname for the subnet.
net <IP_address> - Set the subnet address.
mask <IP_address> - Set the network mask.
del - Remove the subnet.
/ssl/cfg/vpn/aaa/service
SSL VPN Configuration Service Menu
To enter the /ssl/cfg/vpn/aaa/service menu level, you are prompted to create a service if one does not already exist.
SSL >> AAA# service
Enter service number or name: (1-1023) 1
Creating Service 1
Service name: Service_1
Enter service protocol (list of tcp,udp): tcp
Enter service ports: 1,2,3
-----------------------------------------------------------
[Service 1 Menu]
name - Set service name
protocol - Set allowed protocols
ports - Set allowed ports
comment - Set comment
del - Remove Service
/ssl/cfg/vpn/aaa/appspec
SSL VPN Configuration Application specific Menu
To enter the /ssl/cfg/vpn/aaa/appspec menu level, you are prompted to create an application specific entry if one does not already exist.
SSL >> AAA# appspec
Enter appspec number or name: (1-1023) 1
Creating AppSpecific 1
AppSpec name: AppSpec_1
Entering: Paths menu
Path format: The paths are formatted differently for different applications.
For smb you write the path as /<WORKGROUP>/<FILESHARE>/<FILE PATH>, for example /NORTEL/homes/public. This will give access to the public directory in the homes share in the NORTEL workgroup/domain.
For ftp you write the path as <ABSOLUTE FILE PATH>, for example /home/share/public/. This will give access to /home/share/public. Note that all paths are absolute from the root.
For web servers you write the path <SERVER PATH>, for example /intranet. This will give access to the /intranet path on the web server.
Enter path: /path
Leaving: Paths menu.
---------------------------------------------
[AppSpecific 1 Menu]
name - Set appspec name
paths - Paths menu
comment - Set comment
del - Remove AppSpec
Table 11-42 SSL VPN Configuration AAA Application specific Menu Options
Command Syntax and Usage
name <appsec_name> - Create an application name.
paths - Go to the Paths menu. To view the menu options, see page 571.
comment <string> - Create a description (comment) about the application.
del - Delete the application.
/ssl/cfg/vpn/aaa/appspec/paths
SSL VPN Configuration Application specific Paths Menu
[Paths Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-43 SSL VPN Configuration AAA Application specific Paths Menu Options
Command Syntax and Usage
list - List all paths.
del <path_value> - Delete a path by its number.
add - Add a new path. For example:
SSL >> Paths# list
Old:
Pending:
1: /info
SSL >> Paths# add
Path format: The paths are formatted differently for different applications.
For smb you write the path as /<WORKGROUP>/<FILESHARE>/<FILE PATH>, for example /NORTEL/homes/public. This will give access to the public directory in the homes share in the NORTEL workgroup/domain.
For ftp you write the path as <ABSOLUTE FILE PATH>, for example /home/share/public/. This will give access to /home/share/public. Note that all paths are absolute from the root.
For web servers you write the path <SERVER PATH>, for example /intranet. This will give access to the /intranet path on the web server.
Enter path: /home/storage
insert <index> - Insert a path into the path list.
del - Delete the path.
/ssl/cfg/vpn/aaa/filter
SSL VPN Configuration AAA Filter Menu
To enter the /ssl/cfg/vpn/aaa/filter menu level, you are prompted to create a client filter if one does not already exist.
SSL >> AAA# filter
Enter client filter number or name: (1-63) 1
Creating Client Filter 1
Filter name: Filter_1
-----------------------------------------------------------
[Client Filter 1 Menu]
name - Set filter name
cert - Client certificate present
iewiper - IE cache wiper present
tg - TunnelGuard checks passed
methods - Set access methods
authserver - Set authentication servers
clientnet - Set client network reference
comment - Set comment
del - Remove client filter
/ssl/cfg/vpn/aaa/group
SSL VPN Configuration AAA Group Menu
To enter the /ssl/cfg/vpn/aaa/group menu level, you are prompted to create a group if one does not already exist.
SSL >> AAA# group
Enter group number or name: (1-1023) 1
Creating Group 1
Group name: Group_1
Enter number of sessions (0 is unlimited): 0
Enter user type (advanced/medium/novice): novice
-----------------------------------------------------------
[Group 1 Menu]
name - Set group name
access - Access rule menu
print - Print access rules
restrict - Set number of login sessions
usertype - Set portal user type
linkset - Linkset menu
extend - Extended profiles menu
tgsrs - Set TunnelGuard SRS Rule
ipsec - IPsec menu
comment - Set comment
del - Remove group
Command Syntax and Usage
restrict <integer> - Restrict the number of login sessions. The default is 0 (unlimited).
usertype advanced|medium|novice - Set the user level.
linkset - Go to the Linkset menu. To view the menu options, see page 592.
extend - Go to the Extended Profiles menu. To view the menu options, see page 593.
tgsrs <string> - Set the TunnelGuard SRS rule.
ipsec - Go to the IPsec menu. To view the menu options, see page 595.
comment - Create a description (comment) of the group.
del - Delete the group.
/ssl/cfg/vpn/aaa/group/access
SSL VPN Configuration AAA Group Access Menu
To enter the /ssl/cfg/vpn/aaa/group/access menu level, you are prompted to create an access rule if one does not already exist.
SSL >> Group 1# access
Enter access rule number: (1-1023) 1
Creating Access rule 1
Enter network name: Network_1
Enter service name: Service_1
Enter application specific name: Application_1
Enter action (accept/reject): accept
-----------------------------------------------------------
[Access rule 1 Menu]
network - Set network reference
service - Set service reference
appspec - Set application specific reference
action - Set action
comment - Set access rule comment
del - Remove access rule
Table 11-46 SSL VPN Configuration AAA Group Access Menu Options
Command Syntax and Usage
network <network_name> - Enter the network name reference.
service <service_name> - Set the service name reference.
appspec <application_name> - Set the application specific name reference.
action accept|reject - Accept or reject the creation of this access rule.
comment - Create a description (comment) of this access rule.
del - Delete the access rule.
/ssl/cfg/vpn/aaa/group/linkset
SSL VPN Configuration AAA Group Linkset Menu
[Linksets Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-47 SSL VPN Configuration AAA Group Linkset Menu Options
Command Syntax and Usage
list - List all of the configured linksets.
add <linkset_name> - Add a linkset name.
insert <position> <name> - Insert a linkset into the linkset list.
move <value> <value> - Move the linkset from one position to another in the linkset list.
/ssl/cfg/vpn/aaa/group/extend
SSL VPN Configuration AAA Group Extend Profiles Menu
To enter the /ssl/cfg/vpn/aaa/group/extend menu level, you are prompted to create an extended service profile if one does not already exist.
SSL >> Group 1# extend
Enter profile number or name (1-63): 1
Creating Extended Profile 1
Enter client filter name: Filter_1
Enter user type (advanced/medium/novice): novice
-----------------------------------------------------------
[Extended Profile 1 Menu]
filter - Set client filter reference
access - Access rule menu
print - Print access rules
usertype - Set portal user type
linkset - Linkset menu
del - Remove profile
Table 11-48 SSL VPN Configuration AAA Group Extend Profiles Menu Options
Command Syntax and Usage
filter <client_filter_name> - Set the client filter name reference.
access - Go to the Access Rule menu. To view the menu options, see page 594.
print - Display the extended profile information.
usertype advanced|medium|novice - Set the portal user level.
linkset - Go to the Linkset menu. To view the menu options, see page 595.
del - Delete the Extended Profile.
/ssl/cfg/vpn/aaa/group/extend/access
SSL VPN Configuration AAA Group Extend Profiles Access Menu
[Access rule 1 Menu]
network - Set network reference
service - Set service reference
appspec - Set application specific reference
action - Set action
comment - Set access rule comment
del - Remove access rule
Table 11-49 SSL VPN Configuration AAA Group Extend Profiles Access Menu Options
Command Syntax and Usage
network <network_name> - Set the network name reference.
service <service_name> - Set the service name reference.
appspec <application_name> - Set the application name reference.
action accept|reject - Accept or reject the access rule change.
comment - Create a description (comment) of the access rule.
del - Delete the Extended Profile access rule.
/ssl/cfg/vpn/aaa/group/extend/linkset
SSL VPN Configuration AAA Group Extend Profiles Linkset Menu
[Linksets Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-50 SSL VPN Configuration AAA Group Extend Profiles Linkset Menu Options
Command Syntax and Usage
list - List all of the configured Extended Profile linksets.
del <extended_profile_linkset_name> - Delete the Extended Profile linkset.
add <extended_profile_linkset_name> - Add an Extended Profile linkset name.
insert <position> <name> - Insert an Extended Profile linkset into the linkset list.
move <value> <value> - Move the Extended Profile linkset from one position to another in the linkset list.
/ssl/cfg/vpn/aaa/group/ipsec
SSL VPN Configuration AAA Group IPsec Menu
[IPsec Menu]
secret - Set shared secret
utunnel - Set user tunnel profile
Table 11-51 SSL VPN Configuration AAA Group IPsec Menu Options
Command Syntax and Usage
secret <string> - Set the group secret value.
utunnel <string> - Set the user tunnel profile name.
/ssl/cfg/vpn/aaa/ssodomains
SSL VPN Configuration AAA Single-sign on Enabled Domains Menu
[SSO Domain Menu]
list - List all values
del - Delete a value by number
add - Add a new value
Table 11-52 SSL VPN Configuration AAA Single-sign on Enabled Domains Menu Options
Command Syntax and Usage
list - List all of the SSO domains.
del <index> - Delete an SSO domain.
add <domain_name> <mode, normal|add_domain> - Add an SSO domain.
/ssl/cfg/vpn/aaa/ssoheaders
SSL VPN Configuration AAA Single-sign on Headers Menu
[SSO Headers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-53 SSL VPN Configuration AAA Single-sign on Headers Menu Options
Command Syntax and Usage
list - List all of the configured SSO headers.
del <SSO_header_name> - Delete the SSO header.
add <domain> <header_pattern> - Add an SSO header.
insert <position> <domain> <header_name> - Insert an SSO header into the headers list.
move <value> <value> - Move the SSO header from one position to another in the SSO headers list.
/ssl/cfg/vpn/aaa/radacct
SSL VPN Configuration AAA Radius Accounting Menu
[RADIUS Accounting Menu]
servers - RADIUS accounting servers menu
vpnattribu - VPN attribute menu
ena - Enable RADIUS accounting
dis - Disable RADIUS accounting
Table 11-54 SSL VPN Configuration AAA Radius Accounting Menu Options
Command Syntax and Usage
servers - Go to the Radius accounting servers menu. To view the menu options, see page 599.
vpnattribu - Go to the VPN attribute menu. To view the menu options, see page 601.
ena enable|disable - Enable AAA RADIUS accounting.
dis enable|disable - Disable AAA RADIUS accounting.
/ssl/cfg/vpn/aaa/radacct/servers
SSL VPN Configuration AAA Radius Accounting Servers Menu
[RADIUS Accounting Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-55 SSL VPN Configuration AAA Radius Accounting Servers Menu Options
Command Syntax and Usage
list - List all of the configured RADIUS accounting servers.
del <Radius_Accounting_server_name> - Delete the RADIUS accounting server.
add <ip_address> <port> <secret> - Add a RADIUS accounting server.
insert <position> <ip_address> <port> <secret> - Insert a RADIUS accounting server into the server list.
move <value> <value> - Move the RADIUS accounting server from one position to another in the server list.
/ssl/cfg/vpn/aaa/radacct/vpnattribu
SSL VPN Configuration AAA Radius Accounting VPN Attributes Menu
[VPN Attribute Menu]
vendorid - Set vendor id for the VPN attribute
vendortype - Set vendor type for the VPN attribute
Table 11-56 SSL VPN Configuration AAA Radius Accounting VPN Attributes Menu Options
Command Syntax and Usage
vendorid <vendorID> - Set the vendor name.
vendortype <integer> - Set the vendor type.
/ssl/cfg/vpn/server
SSL VPN Configuration Server Menu
[Server Menu]
port - Set listen port of server
dnsname - Set DNS name of server
trace - Traffic trace menu
ssl - SSL settings menu
tcp - TCP endpoint settings menu
http - HTTP settings menu
proxymap - Intranet proxy configuration menu
portal - Portal settings menu
adv - Advanced settings menu
ena - Enable virtual server
dis - Disable virtual server
/ssl/cfg/vpn/server/trace
SSL VPN Configuration Server Traffic Trace Menu
[Trace Menu]
ssldump - Create traffic dump
tcpdump - Create traffic dump
ping - Ping through backend interface
dnslookup - Lookup a name in DNS through backend interface
traceroute - traceroute through backend interface
Table 11-58 SSL VPN Configuration Server Traffic Trace Menu Options
Command Syntax and Usage
ssldump - Create an SSL traffic dump. See the tcpdump documentation for a description of the patterns that are allowed (http://www.tcpdump.org/tcpdump_man.html).
tcpdump - Create a TCP traffic dump. See the tcpdump documentation for a description of the patterns that are allowed (http://www.tcpdump.org/tcpdump_man.html).
ping <hostname> - Ping through the backend interface.
dnslookup <hostname> - Look up a name in DNS through the backend interface.
traceroute - Traceroute through the backend interface. Use this command to identify the route used for station-to-station connectivity across the network.
/ssl/cfg/vpn/server/ssl
SSL VPN Configuration Server SSL Settings Menu
[SSL Settings Menu]
cert - Set server certificate
cachesize - Set SSL cache size
cachettl - Set SSL cache timeout
cacerts - Set list of accepted signers of client certificates
cachain - Set list of CA chain certificates
protocol - Set protocol version
ciphers - Set cipher list
verify - Set certificate verification level
ena - Enable SSL
dis - Disable SSL
Table 11-59 SSL VPN Configuration Server SSL Settings Menu Options
Command Syntax and Usage
cert <certificate_number, 1 to 1500> - Set the server certificate.
cachesize <integer, 0 to 10000> - Set the SSL cache size (kBytes).
cachettl <integer> - Set the SSL cache timeout (in minutes).
cacerts <certificate_numbers> - Set the list of accepted signers of client certificates. If more than one, use a comma to separate the entries.
cachain <certificate_numbers> - Set the list of CA chain certificates. If more than one, use a comma to separate the entries.
protocol ssl2|ssl3|ssl23|tls1 - Set the protocol version.
ciphers - Set the cipher list. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g. SHA1+DES represents all cipher suites containing both the SHA1 and the DES algorithms). Each cipher string can optionally be preceded by the characters !, - or +:
! permanently deletes the ciphers from the list (e.g. !RSA).
- deletes the ciphers from the list, but the ciphers can be added again by later options.
+ moves the ciphers to the end of the list. This option does not add any new ciphers.
Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.
verify none|optional - Set the certificate verification level.
ena enable|disable - Enable SSL.
dis enable|disable - Disable SSL.
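As an added illustration of the cipher-string syntax described for the ciphers command here and in the Remote SSL menu above (example code, not Nortel's): the Python model below applies a cipher list to a suite catalogue and returns the resulting order. The suite catalogue and its tag names are constructed for the example and are not the switch's real suite table.

```python
"""Model of the 'ciphers' list syntax: colon-separated cipher strings,
'+' inside a string as logical AND, the '!', '-' and '+' prefixes, and
'@STRENGTH'. The catalogue below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    tags: frozenset   # algorithm / protocol / strength names the suite matches
    bits: int         # encryption key length, used by @STRENGTH


# Constructed sample catalogue (illustrative only, not from the product)
CATALOGUE = [
    Suite("AES256-SHA", frozenset({"AES", "SHA1", "RSA", "SSLv3", "TLSv1", "HIGH"}), 256),
    Suite("AES128-SHA", frozenset({"AES", "SHA1", "RSA", "SSLv3", "TLSv1", "HIGH"}), 128),
    Suite("DES-CBC3-SHA", frozenset({"3DES", "SHA1", "RSA", "SSLv3", "TLSv1", "HIGH"}), 168),
    Suite("DES-CBC-SHA", frozenset({"DES", "SHA1", "RSA", "SSLv3", "TLSv1", "LOW"}), 56),
    Suite("RC4-MD5", frozenset({"RC4", "MD5", "RSA", "SSLv3", "TLSv1", "MEDIUM"}), 128),
    Suite("EXP-RC4-MD5", frozenset({"RC4", "MD5", "RSA", "SSLv3", "TLSv1", "EXPORT"}), 40),
]


def _matches(suite, conj):
    # conj is the list of names joined by '+': every name must match the suite
    return all(tag == suite.name or tag in suite.tags for tag in conj)


def apply_cipher_list(spec, catalogue=CATALOGUE):
    """Return the ordered suite names selected by a cipher-list string."""
    selected = []      # current ordered selection
    killed = set()     # names removed with '!' and never re-added
    for item in spec.split(":"):
        if not item:
            continue
        if item == "@STRENGTH":
            # stable sort by key length, strongest first
            selected.sort(key=lambda s: s.bits, reverse=True)
            continue
        op, body = (item[0], item[1:]) if item[0] in "!-+" else ("", item)
        hits = [s for s in catalogue if _matches(s, body.split("+"))]
        if op == "!":
            # permanent deletion: later strings cannot bring these back
            killed.update(s.name for s in hits)
            selected = [s for s in selected if s.name not in killed]
        elif op == "-":
            # deletion that a later string may undo
            selected = [s for s in selected if s not in hits]
        elif op == "+":
            # move matching suites to the end; adds nothing new
            moved = [s for s in selected if s in hits]
            selected = [s for s in selected if s not in hits] + moved
        else:
            # plain string: append matching suites not already present
            for s in hits:
                if s not in selected and s.name not in killed:
                    selected.append(s)
    return [s.name for s in selected]


if __name__ == "__main__":
    print(apply_cipher_list("SSLv3:!EXPORT:!LOW:@STRENGTH"))
    print(apply_cipher_list("SHA1+DES"))
```

The difference between the ! and - prefixes shows when a later string re-adds the same suites: AES:-AES:AES yields the AES suites again, while AES:!AES:AES yields an empty list.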
/ssl/cfg/vpn/server/tcp
SSL VPN Configuration Server TCP endpoint Settings Menu
[TCP Settings Menu]
cwrite - Set client TCP write timeout
ckeep - Set client TCP keep alive timeout
skeep - Set socks client TCP keep alive heartbeat timeout
swrite - Set server TCP write timeout
sconnect - Set server TCP connect timeout
csendbuf - Set client TCP send buffer size
crecbuf - Set client TCP receive buffer size
ssendbuf - Set server TCP send buffer size
srecbuf - Set server TCP receive buffer size
Table 11-60 SSL VPN Configuration Server TCP endpoint settings Menu Options
Command Syntax and Usage
cwrite <integer, 1 to 2147483647s>
    Set the client TCP write timeout, in seconds.
ckeep <integer, 1 to 2147483647s>
    Set the client TCP keep alive timeout.
skeep <integer, 1 to 2147483647s>
    Set the SOCKS client TCP keep alive heartbeat timeout.
swrite <integer, 1 to 2147483647s>
    Set the server TCP write timeout.
sconnect <integer, 1 to 2147483647s>
    Set the server TCP connect timeout.
csendbuf auto|<integer, 2000 to 100000>
    Set the client TCP send buffer size (Bytes).
crecbuf auto|<integer, 2000 to 100000>
    Set the client TCP receive buffer size (Bytes).
ssendbuf auto|<integer, 2000 to 100000>
    Set the server TCP send buffer size (Bytes).
srecbuf auto|<integer, 2000 to 100000>
    Set the server TCP receive buffer size (Bytes).
/ssl/cfg/vpn/server/http
SSL VPN Configuration Server HTTP Settings Menu
[HTTP Settings Menu]
downstatus - Set server down reply status
rewrite - SSL triggered rewrite menu
securecook - Set add secure option to session cookie
sslheader - Add SSL header
sslxheader - Add SSL header with serial in hex
sslsidhead - Add SSL SID header
addxfor - Add X-Forwarded-For header
addvia - Add Via header
addxisd - Add HTTP-X-ISD debug header
addclicert - Add Client-Cert as a HTTP header
addnostore - Add no-cache/no-store HTTP header
allowimage - Allow image caching
allowdoc - Allow document caching
allowscrip - Set allow script caching
allowica - Allow ICA file caching
cmsie - Set MSIE session termination bug workaround
maxrcount - Set max number of persistent client requests
maxline - Set max line length
Table 11-61 SSL VPN Configuration Server HTTP settings Menu Options
Command Syntax and Usage
downstatus unavailable|redirect|reset
    Set the server down reply status.
rewrite on|off
    Go to the SSL triggered Rewrite menu. To view the menu options, see page 607.
securecook on|off
    Set the add secure option for the session cookie.
sslheader on|off
    Add an SSL session ID header.
sslxheader on|off
    Add an SSL header with the serial number in hexadecimal.
sslsidhead on|off
    Add an SSL SID header.
addxfor on|off|anonymous|remove
    Add the X-Forwarded-For header.
addvia on|off|anonymous|remove
    Set the Via header.
addxisd on|off
    Set the HTTP-X-ISD debug header.
addclicert on|off
    Set Client-Cert as an HTTP header.
addnostore on|off
    Set the no-cache/no-store HTTP header.
allowimage on|off
    Set image caching.
allowdoc on|off
    Set document caching.
allowscrip on|off
    Set allow script caching.
allowica on|off
    Set ICA file caching.
cmsie on|off
    Set the MSIE session termination bug workaround.
maxrcount <integer>
    Set the maximum number of persistent client requests.
maxline <integer>
    Set the maximum line length.
/ssl/cfg/vpn/server/http/rewrite
SSL VPN Configuration Server SSL triggered rewrite Menu
[Rewrite Menu]
rewrite - Set SSL triggered rewrite
ciphers - Set accepted ciphers
response - Set source of response
URI - Set URI with the weak cipher alert
Table 11-62 SSL VPN Configuration Server SSL triggered rewrite Menu Options
Command Syntax and Usage
rewrite on|off
    Set SSL triggered rewrite. For step-up certificates we recommend ALL:-RC2:SHA1:@STRENGTH.
ciphers <string>
    Set the accepted ciphers. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g. SHA1+DES represents all cipher suites containing both the SHA1 and the DES algorithms). Each cipher string can optionally be preceded by one of the characters !, - or +:
    ! permanently deletes the ciphers from the list (e.g. !RSA).
    - deletes the ciphers from the list, but the ciphers can be added again by later options.
    + moves the ciphers to the end of the list. This option does not add any new ciphers; it only moves matching existing ones.
    Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.
response iSD|WebServer
    Set the source of the response.
URI <WebServer response only>
    Set the URI with the weak cipher alert. For example, /cgi-bin/weakcipher.
/ssl/cfg/vpn/server/proxymap
SSL VPN Configuration Server Intranet Proxy settings Menu
The PROXY menu is not available for type portal and socks servers.
[Proxy Mapping Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-63 SSL VPN Configuration Server Intranet Proxy settings Menu Options
Command Syntax and Usage
list
    List all of the server Intranet Proxy settings.
del <Proxy_server_name>
    Delete the Intranet Proxy server.
add <ip_address> <port>
    Add an Intranet Proxy server.
insert <position> <ip_address> <port>
    Insert an Intranet Proxy server into the Proxy server list.
move <value> <value>
    Move the Intranet Proxy server from one position to another in the server list.
/ssl/cfg/vpn/server/portal
SSL VPN Configuration Server Portal settings Menu
[Portal Settings Menu]
resetcooki - Set Re-Set session cookie in each request
domain - Set cookie domain
persistent - Set use persistent session cookies
Table 11-64 SSL VPN Configuration Server Portal settings Menu Options
Command Syntax and Usage
resetcooki on|off
    Set the Reset session cookie in each request.
domain <domain_name>
    Set the cookie domain name for the portal.
persistent on|off
    Set the use of persistent session cookies.
/ssl/cfg/vpn/server/adv
SSL VPN Configuration Server Advanced Menu
[Advanced Settings Menu]
traflog - UDP syslog Traffic Log menu
sslconnect - SSL connect menu
/ssl/cfg/vpn/server/adv/traflog
SSL VPN Configuration Server UDP Syslog Traffic Log Menu
[Traffic Log Settings Menu]
sysloghost - Set syslog host IP
udpport - Set syslog port number
priority - Set syslog priority
facility - Set syslog facility
ena - Enable traffic UDP syslog logging
dis - Disable traffic UDP syslog logging
Table 11-66 SSL VPN Configuration Server UDP Syslog Traffic Log Menu Options
Command Syntax and Usage
sysloghost <IP_address>
    Set the syslog host IP address.
udpport <UDP_port_number>
    Set the syslog port number.
priority <syslog_name>
    Set the syslog priority.
facility <string>
    Set the syslog facility.
ena enable|disable
    Enable traffic UDP syslog messaging.
dis
    Disable traffic UDP syslog messaging.
/ssl/cfg/vpn/server/adv/sslconnect
SSL VPN Configuration Server SSL Connect Menu
[SSL Connect Settings Menu]
protocol - Set protocol version
cert - Set client certificate
ciphers - Set accepted ciphers for ssl connect
verify - Verify server menu
Table 11-67 SSL VPN Configuration Server SSL Connect Menu Options
Command Syntax and Usage
protocol ssl2|ssl3|ssl23|tls1
    Set the protocol version.
cert <certificate_number, 1 to 1500>
    Set the client certificate.
ciphers
    Set the accepted ciphers for the SSL connection. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g. SHA1+DES represents all cipher suites containing both the SHA1 and the DES algorithms). Each cipher string can optionally be preceded by one of the characters !, - or +:
    ! permanently deletes the ciphers from the list (e.g. !RSA).
    - deletes the ciphers from the list, but the ciphers can be added again by later options.
    + moves the ciphers to the end of the list.
    Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.
verify
    Go to the Verify server menu. To view the menu options, see page 612.
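The cipher-string syntax above is the same one documented for the server SSL settings and the SSL-triggered rewrite menu earlier in this chapter. The following Python model is added here as an illustration and is not part of the Nortel manual or of the switch software: it resolves a cipher string against a small constructed suite table so that the effect of the !, - and + prefixes and of @STRENGTH can be checked before a string is committed. The suite names, attribute tags and key lengths in CIPHER_TABLE are assumptions chosen only to exercise every operator, and weak_suites is an added audit helper, not a switch command.

```python
"""Toy model of the colon-separated cipher list syntax used by the ciphers commands."""
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence, Set


@dataclass(frozen=True)
class Cipher:
    """One cipher suite: its name, the attributes it carries, and its key length in bits."""
    name: str
    tags: FrozenSet[str]
    bits: int


# Constructed toy suite table (assumption: not the switch's real table, only
# enough entries to exercise each operator). Table order is the default order.
CIPHER_TABLE: Sequence[Cipher] = (
    Cipher("DES-CBC3-SHA", frozenset({"3DES", "SHA1", "RSA", "SSLv3"}), 168),
    Cipher("RC4-SHA", frozenset({"RC4", "SHA1", "RSA", "SSLv3"}), 128),
    Cipher("RC4-MD5", frozenset({"RC4", "MD5", "RSA", "SSLv3"}), 128),
    Cipher("DES-CBC-SHA", frozenset({"DES", "SHA1", "RSA", "SSLv3"}), 56),
    Cipher("EXP-RC2-CBC-MD5", frozenset({"RC2", "MD5", "RSA", "SSLv3", "EXPORT"}), 40),
    Cipher("AES128-SHA", frozenset({"AES", "SHA1", "RSA", "TLSv1"}), 128),
    Cipher("AES256-SHA", frozenset({"AES", "SHA1", "RSA", "TLSv1"}), 256),
)


def _matches(cipher: Cipher, conjunction: Sequence[str]) -> bool:
    """A '+'-joined string such as SHA1+DES matches only suites carrying every
    listed attribute; the keyword ALL matches every suite."""
    return all(part == "ALL" or part in cipher.tags for part in conjunction)


def expand_cipher_list(spec: str, table: Sequence[Cipher] = CIPHER_TABLE) -> List[str]:
    """Resolve a cipher string into the ordered list of suite names it selects."""
    selected: List[Cipher] = []
    killed: Set[str] = set()  # names removed with '!' can never come back

    for raw in spec.split(":"):
        token = raw.strip()
        if not token:
            continue
        if token == "@STRENGTH":
            # Stable sort by key length, longest first; ties keep their order.
            selected.sort(key=lambda c: c.bits, reverse=True)
            continue

        op = ""
        if token[0] in "!-+":
            op, token = token[0], token[1:]
        hits = [c for c in table if _matches(c, token.split("+"))]
        hit_names = {c.name for c in hits}

        if op == "!":
            # Permanent delete: drop now and refuse any later re-add.
            killed |= hit_names
            selected = [c for c in selected if c.name not in killed]
        elif op == "-":
            # Soft delete: drop now, but a later plain string may add them again.
            selected = [c for c in selected if c.name not in hit_names]
        elif op == "+":
            # Move matching suites already in the list to the end; add nothing new.
            moved = [c for c in selected if c.name in hit_names]
            selected = [c for c in selected if c.name not in hit_names] + moved
        else:
            present = {c.name for c in selected}
            for c in hits:
                if c.name not in killed and c.name not in present:
                    selected.append(c)
                    present.add(c.name)
    return [c.name for c in selected]


def weak_suites(spec: str, table: Sequence[Cipher] = CIPHER_TABLE) -> List[str]:
    """Audit helper (added, not a switch command): suites the string still admits
    that are export grade, use a key shorter than 128 bits, or use an MD5 MAC."""
    by_name = {c.name: c for c in table}
    return [n for n in expand_cipher_list(spec, table)
            if by_name[n].bits < 128 or {"EXPORT", "MD5"} & by_name[n].tags]


if __name__ == "__main__":
    recommended = "ALL:-RC2:SHA1:@STRENGTH"  # string quoted in the rewrite menu
    print(expand_cipher_list(recommended))
    print("still admitted but weak:", weak_suites(recommended))
```

Run as a script, it expands the step-up string recommended in the rewrite menu against the toy table; in that table the string still admits an MD5 suite and a 56-bit suite, which is the point of expanding a cipher string rather than reading it, and of preferring ! over - for anything that must never reappear.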
/ssl/cfg/vpn/server/adv/sslconnect/verify
SSL VPN Configuration Server SSL Connect verify Server Menu
[SSL Connect Verify Settings Menu]
verify - Set certificate verification level
commonname - Set server common name
cacerts - Set list of accepted signers of server's certificate
Table 11-68 SSL VPN Configuration Server SSL Connect Verify Server Menu Options
Command Syntax and Usage
verify none|verify
    Set the certificate verification level.
commonname <string>
    Set the server common name.
cacerts <certificate_numbers>
    Set the list of accepted signers for each server certificate. If more than one, use a comma to separate each entry.
/ssl/cfg/vpn/ipsec
SSL VPN Configuration IPsec Server Menu
[IPsec Menu]
ena - Enable IPsec
dis - Disable IPsec
quick - Quick IPsec setup wizard
ikeprof - IKE profile
utunprof - User tunnel profile
cacerts - Set list of accepted signers of clients certificate
cert - Set server certificate
/ssl/cfg/vpn/ipsec/ikeprof
SSL VPN Configuration IPsec Server IKE Profile Menu
[IKE Profile 1 Menu]
name - Set IKE profile name
del - Remove IKE Profile
enc - Encryption mask menu
dh - Diffie-Hellman group mask menu
pfs - Enable Perfect Forward Secrecy
initcontac - Accept ISAKMP initial contact payload
rekeytime - Set rekey time limit
rekeytraf - Set rekey traffic limit
retransmit - Set ISAKMP retransmit interval
maxretrans - Set ISAKMP max retransmit attempts
replaywins - Set replay window size
nat - NAT menu
deadpeer - Dead peer menu
Table 11-70 SSL VPN Configuration IPSEC Server IKE Profile Menu Options
Command Syntax and Usage
name <string>
    Set the IKE profile name.
del <IKE_profile_name>
    Remove the IKE profile.
enc
    Go to the Encryption mask menu. To view the menu options, see page 615.
dh
    Go to the Diffie-Hellman group mask menu. To view the menu options, see page 616.
pfs on|off
    Enable Perfect Forward Secrecy.
initcontac on|off
    Accept the ISAKMP initial contact payload.
rekeytime <integer>
    Set the rekey time limit, in seconds.
rekeytraf <integer>
    Set the rekey traffic limit, in KBytes.
retransmit <integer>
    Set the ISAKMP retransmit interval, in seconds.
maxretrans <integer>
    Set the maximum number of ISAKMP retransmit attempts.
replaywins <integer>
    Set the replay window size.
nat
    Go to the NAT menu. To view the menu options, see page 617.
deadpeer
    Go to the Dead Peer menu. To view the menu options, see page 617.
/ssl/cfg/vpn/ipsec/ikeprof/enc
SSL VPN Configuration IPsec Server IKE Profile Encryption Menu
[Encryption Menu]
hmac_md5 - Set HMAC with MD5
hmac_sha - Set HMAC with SHA
null_md5 - Set NULL with MD5
null_sha - Set NULL with SHA
des_md5 - Set DES with MD5
des_sha - Set DES with SHA
3des_md5 - Set 3DES with MD5
3des_sha - Set 3DES with SHA
aes_128_sh - Set 128 bits AES with SHA
Table 11-71 SSL VPN Configuration IPSEC Server IKE Profile Encryption Menu Options
Command Syntax and Usage
hmac_md5 on|off
    Set HMAC with MD5.
hmac_sha on|off
    Set HMAC with SHA.
null_md5 on|off
    Set NULL with MD5.
null_sha on|off
    Set NULL with SHA.
des_md5 on|off
    Set DES with MD5.
des_sha on|off
    Set DES with SHA.
3des_md5 on|off
    Set 3DES with MD5.
3des_sha on|off
    Set 3DES with SHA.
aes_128_sh on|off
    Set 128 bits AES with SHA.
/ssl/cfg/vpn/ipsec/ikeprof/dh
SSL VPN Configuration IPsec Server IKE Profile Diffie-Hellman Group Mask Menu
[Diffie-Hellman Group Menu]
dh1 - Set Diffie-Hellman group 1
dh2 - Set Diffie-Hellman group 2
dh5 - Set Diffie-Hellman group 5
Table 11-72 SSL VPN Configuration IPSEC Server IKE Profile Diffie-Hellman Group Mask Menu Options
Command Syntax and Usage
dh1 on|off
    Set Diffie-Hellman group 1.
dh2 on|off
    Set Diffie-Hellman group 2.
dh5 on|off
    Set Diffie-Hellman group 5.
/ssl/cfg/vpn/ipsec/ikeprof/NAT
SSL VPN Configuration IPsec Server IKE Profile NAT Menu
[NAT Menu]
natdetect - Set ESP UDP NAT detect
timeout - Set detect timeout
keepalive - Set keepalive timeout
Table 11-73 SSL VPN Configuration IPSEC Server IKE Profile NAT Menu Options
Command Syntax and Usage
natdetect disabled|auto|ipsec_capable|use_udp_encap
    Set ESP UDP detection.
timeout <integer>
    Set the detection timeout, in seconds.
keepalive <integer>
    Set the keepalive timeout, in seconds.
/ssl/cfg/vpn/ipsec/ikeprof/deadpeer
SSL VPN Configuration IPsec Server IKE Profile Dead Peer Menu
[Dead Peer Menu]
ena - Enable dead peer detection
dis - Disable dead peer detection
interval - Set detect interval
retransmit - Set max retransmissions
Table 11-74 SSL VPN Configuration IPSEC Server IKE Profile Dead Peer Menu Options
Command Syntax and Usage
ena [enable|disable]
    Enable dead peer detection.
dis [enable|disable]
    Disable dead peer detection.
interval <integer>
    Set the detection interval, in seconds.
retransmit <integer>
    Set the maximum number of retransmissions.
/ssl/cfg/vpn/ippool
SSL VPN Configuration IP Pool Menu
[Pool Menu]
ena - Enable pool
dis - Disable pool
lowerip - Set lower IP in pool range
upperip - Set upper IP in pool range
proxyarp - Set proxy arp on clean side interfaces
info - Print alloc info for this VPN
/ssl/cfg/vpn/portal
SSL VPN Configuration Portal Menu
[Portal Menu]
import - Import banner image gif
restore - Restores default Nortel banner
banner - Show installed banner file
redirect - Set redirect URL
logintext - Set static text on login page
iconmode - Set Home tab icon mode
linktext - Set static text on link page
linkurl - Set url input field on link page
linkcols - Set number of columns on home tab
linkwidth - Set width of link columns on home tab
companynam - Set company name used on portal pages
colors - Portal colors menu
faccess - Full Access menu
lang - Portal language menu
wiper - Set use ActiveX component for clearing cache
ieclear - Set use IE ClearAuthCache
whitelist - White-list settings menu
citrix - Set Citrix support
/ssl/cfg/vpn/portal/colors
SSL VPN Configuration Portal Colors Menu
[Portal Colors Menu]
color1 - Set portal color 1
color2 - Set portal color 2
color3 - Set portal color 3
color4 - Set portal color 4
theme - Color theme
/ssl/cfg/vpn/portal/faccess
SSL VPN Configuration Portal Full Access Menu
[Full Access Menu]
ena - Enable 'Full Access' tab
dis - Disable 'Full Access' tab
ipsecmode - Set IPSEC Mode
contip - Set Contivity IP address
contid - Set Contivity group ID
contpass - Set Contivity group password
portalmsg - Set text in 'Full Access' portal tab
appletmsg - Set text in 'Full Access' Applet window
Table 11-78 SSL VPN Configuration Portal Full Access Menu Options
Command Syntax and Usage
ena [enable|disable]
    Enable the 'Full Access' tab.
dis [enable|disable]
    Disable the 'Full Access' tab.
ipsecmode [contivity|native]
    Set the IPSEC Mode.
contip [<IP_address>]
    Set the Contivity IP address.
contid [<string>]
    Set the Contivity group ID.
contpass [<string>]
    Set a Contivity group password.
portalmsg
    Set the text in the 'Full Access' portal tab. Write or paste the text to show up in the Full Access Portal window, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
appletmsg
    Set the text in the 'Full Access' Applet window. Write or paste the text to show up in the Full Access Applet window, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. If you *only* enter "...", a default text will be generated.
/ssl/cfg/vpn/portal/lang
SSL VPN Configuration Portal Language Menu
[Portal Language Menu]
setlang - Set the language to be used in the portal
charset - Print charset in use
list - List supported languages
/ssl/cfg/vpn/portal/whitelist
SSL VPN Configuration Portal Whitelist settings Menu
[White-list Settings Menu]
domains - Configure white-list domains
ena - Enable URL rewrite white-list
dis - Disable URL rewrite white-list
Table 11-80 SSL VPN Configuration Portal Whitelist settings Menu Options
Command Syntax and Usage
domains
    Go to the Domains menu. To view the menu options, see page 623.
ena [enable|disable]
    Enable the URL re-write whitelist.
dis [enable|disable]
    Disable the URL re-write whitelist.
/ssl/cfg/vpn/portal/whitelist/domains
SSL VPN Configuration Portal Whitelist settings Domains Menu
[White-list menu Menu]
list - List all values
del - Delete a value by number
add - Add a new value
Table 11-81 SSL VPN Configuration Portal Whitelist settings Domains Menu Options
Command Syntax and Usage
list
    List all whitelisted domains.
del [<index>]
    Delete a value.
add [<domain_name>]
    Add a domain.
/ssl/cfg/vpn/linkset
SSL VPN Configuration Linkset Menu
To enter the /ssl/cfg/vpn/linkset menu level, you are prompted to create a linkset if one does not already exist.
SSL >> VPN 1# linkset
Enter Linkset number or name (1-1023): 1
Creating Linkset 1
Linkset name: Linkset_1
Linkset text (HTML syntax, eg <b>A heading</b>): html
Autorun Linkset (true/false) [false]: false
-----------------------------------------------------------
[Linkset 1 Menu]
name - Set linkset name
text - Set linkset text
autorun - Set autorun support
link - Link menu
del - Remove tunnel
/ssl/cfg/vpn/linkset/link
SSL VPN Configuration Linkset Link Menu
To enter the /ssl/cfg/vpn/linkset/link menu level, you are prompted to create a link if one does not already exist.
SSL >> Linkset 1# link
Enter Link number or name (1-1023): 1
Creating Link 1
Enter link text: Link_1
Enter type of link (hit TAB to see possible values) [internal]: <tab>
smb ftp proxy custom mail telnet netdrive wts outlook netdirect terminal external internal eauto iauto
Enter type of link (hit TAB to see possible values) [internal]: internal
Entering: Internal settings menu
Enter method (http/https): http
Enter host (eg inside.company.com): NoTel.ca
Enter path (eg /): /info
Leaving: Internal settings menu
-----------------------------------------------------------
[Link 1 Menu]
move - Move link
text - Set link text
type - Set link type
internal - Internal settings menu
del - Remove link
/ssl/cfg/vpn/linkset/link/internal
SSL VPN Configuration Linkset Link Internal Setting Menu
[Internal menu Menu] quick - Quick internal link wizard
Table 11-84 SSL VPN Configuration Linkset Link Internal Settings Menu Options
Command Syntax and Usage
quick
    Configure the link using the internal link wizard. For example:
    SSL >> Internal menu# quick
    Enter method (http/https): http
    Enter host (eg inside.company.com): NoTel.ca
    Enter path (eg /): /
/ssl/cfg/vpn/sslclient
SSL VPN Configuration SSL Client Menu
[SSL VPN Client Menu]
netdirect - Allow Netdirect client
xmlconfig - Set XML client configuration
/ssl/cfg/vpn/adv
SSL VPN Configuration Advanced Menu
[Advanced Menu]
interface - Set backend interface used by VPN
dns - DNS settings menu
log - Set log settings
/ssl/cfg/vpn/adv/dns
SSL VPN Configuration Advanced DNS settings Menu
[DNS Settings Menu] search - Set DNS search list
/ssl/cfg/sys
SSL Configuration System Menu
[System Menu]
mip - Set management IP (MIP) address
host - iSD host menu
routes - Routes menu
time - Date and time menu
dns - DNS settings
rsa - RSA Servers
syslog - Syslog servers menu
accesslist - Access list menu
adm - Administrative applications menu
user - User Access Control menu
distrace - Disable tracing with tcpdump/ssldump
/ssl/cfg/sys/host
SSL Configuration System Host Menu
[iSD Host 1 Menu]
type - Set type of the iSD
ip - Set IP address
license - Set License
gateway - Set default gateway address
routes - Routes menu
interface - iSD host interface menu
port - iSD port configuration menu
ports - Display physical ports
hwplatform - Display hardware platform
halt - Halt the iSD
reboot - Reboot the iSD
delete - Remove iSD Host
/ssl/cfg/sys/host/routes
SSL Configuration System Host Routes Menu
[Host Routes Menu]
list - List all values
del - Delete a value by number
add - Add a new value
/ssl/cfg/sys/host/interface
SSL Configuration System Host Menu
[Host Interface 1 Menu]
ip - Set IP address
netmask - Set network mask
gateway - Set default gateway address
routes - Routes menu
vlanid - Set VLAN tag id
mode - Set mode
ports - Interface ports menu
primary - Set primary port
delete - Remove Host Interface
/ssl/cfg/sys/host/interface/routes
SSL Configuration System Host Interface Routes Menu
[Host Interface Routes Menu]
list - List all values
del - Delete a value by number
add - Add a new value
/ssl/cfg/sys/host/port
SSL Configuration System Host Port Menu
[Host Port 1 Menu]
autoneg - Set autonegotiation
speed - Set Speed
mode - Set full or half duplex mode
/ssl/cfg/sys/routes
SSL Configuration System Routes Menu
[Routes Menu]
list - List all values
del - Delete a value by number
add - Add a new value
/ssl/cfg/sys/time
SSL Configuration System Time Menu
[Date and Time Menu]
date - Set system date
time - Set system time
tzone - Set Timezone
ntp - Configure NTP servers
/ssl/cfg/sys/time/ntp
SSL Configuration System Time NTP servers Menu
[NTP Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
Table 11-96 SSL Configuration System Time NTP Servers Menu Options
Command Syntax and Usage
list
    List the configured NTP servers.
del [<NTP_server>]
    Delete the NTP server. Removes the specified NTP server from the system configuration. Use the list command to display the index numbers of all added NTP servers.
add [<IP_address>]
    Add an NTP server. Adds an NTP server to the system configuration. The NTP server you add is used by the NTP client on the iSD to synchronize its clock. NTP should have access to a number of servers (at least three) in order to compensate for any discrepancies between the servers.
/ssl/cfg/sys/dns
SSL Configuration System DNS settings Menu
[DNS Settings Menu]
servers - DNS servers menu
cachesize - Set Local DNS cache size
retransmit - Set DNS Retransmit interval timer
count - Set DNS Retransmit counter
ttl - Set Max TTL
health - Set Health check interval
hdown - Set Health check down counter
hup - Set Health check up counter
/ssl/cfg/sys/dns/servers
SSL Configuration System DNS Servers settings Menu
[DNS Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
/ssl/cfg/sys/rsa
SSL Configuration System RSA servers Menu
To enter the /ssl/cfg/sys/rsa menu level, you are prompted to create an RSA server if one does not already exist.
SSL >> System# rsa
Enter RSA Server number or name: (1-255) 1
Creating RSA Servers 1
RSA server symbolic name: RSA_1
-----------------------------------------------------------
[RSA Servers 1 Menu]
rsaname - Set RSA server symbolic name
import - Import sdconf.rec file
rmnodesecr - Remove Node Secret
del - Remove RSA server
/ssl/cfg/sys/syslog
SSL Configuration System SysLog Servers Menu
[Syslog Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
/ssl/cfg/sys/accesslist
SSL Configuration System Access List Menu
[Access List Menu]
list - List all values
del - Delete a value by number
add - Add a new value
/ssl/cfg/sys/adm
SSL Configuration System Administrative applications Menu
[Administrative Applications Menu]
snmp - SNMP menu
clitimeout - Set CLI idle timeout
audit - Audit Settings Menu
auth - Authentication menu
telnet - Set telnet CLI access
ssh - Set SSH CLI access
http - HTTP access menu
https - HTTPS access menu
sshkeys - SSH host keys menu
/ssl/cfg/sys/adm/snmp
SSL Configuration System Administrative applications SNMP Menu
[SNMP Menu]
ena - Enable SNMP
dis - Disable SNMP
versions - Set SNMP versions supported
snmpv2-mib - SNMPv2-MIB menu
community - SNMP community menu
users - SNMP USM Users Menu
target - Notification target menu
Table 11-103 SSL Configuration System Administrative applications SNMP Menu Options
Command Syntax and Usage
ena [true|false]
    Enable SNMP.
dis [true|false]
    Disable SNMP.
versions [<SNMP_version_number>]
    Set the SNMP version, such as v1.
snmpv2-mib
    Go to the SNMPv2-MIB menu. To view menu options, see page 640.
community
    Go to the SNMP community menu. To view menu options, see page 640.
users
    Go to the SNMP USM Users menu. To view menu options, see page 641.
target
    Go to the Notification target menu. To view menu options, see page 642.
/ssl/cfg/sys/adm/snmp/snmpv2-mib
SSL Configuration System Administrative applications SNMPv2 MIB SNMP Menu
[SNMPv2-MIB Menu]
sysContact - Set sysContact
sysName - Set sysName
sysLocatio - Set sysLocation
snmpEnable - Set snmpEnableAuthenTraps
Table 11-104 SSL Configuration System Administrative applications SNMPv2MIB Menu Options
Command Syntax and Usage
sysContact [<name_of_a_person>]
    Set a system contact name. Designates a contact person for the managed iSD cluster, together with information on how to contact this person.
sysName [<string, iSD_cluster_name>]
    Assign a name to the managed iSD cluster.
sysLocatio [<string>]
    Set the system location.
snmpEnable [<SNMP_trap_value>]
    Set the snmpEnableAuthenTraps value.
/ssl/cfg/sys/adm/snmp/community
SSL Configuration System Administrative applications SNMP Community Menu
[SNMP Community Menu]
read - Set Read Community String
write - Set Write Community String
trap - Set Trap Community String
Table 11-105 SSL Configuration System Administrative applications SNMP Community Menu Options
Command Syntax and Usage
read [<string>]
    Set the Read Community String. Specifies the monitor community name that grants read access to the Management Information Base (MIB). If no monitor community name is specified, read access is not granted. The default monitor community name is public.
write [<string>]
    Set the Write Community String. Specifies the control community name that grants read and write access to the Management Information Base (MIB). If no control community name is specified, neither write nor read access is granted.
trap [<string>]
    Set the Trap Community String. Specifies the trap community name that accompanies trap messages sent to the SNMP manager. If no trap community name is specified, the sending of trap messages is disabled. The default trap community name is trap.
/ssl/cfg/sys/adm/snmp/users
SSL Configuration System Administrative applications SNMP Users Menu
To enter the /ssl/cfg/sys/adm/snmp/users menu level, you are prompted to create a userID if one does not already exist.
Enter user number or name: (1-1023) 1
Creating SNMP User 1
User name: Maint_Chief
Enter security level (none/auth/priv) [priv]: priv
Enter permission (list of get,set,trap): get
Enter auth password: <password>
Enter priv password: <password>
-----------------------------------------------------------
[SNMP User 1 Menu]
name - Set user name
seclevel - Set Security level
permission - Set Permission
authpasswd - Set Authentication Password
privpasswd - Set Encryption Password
del - Remove SNMP User
Table 11-106 SSL Configuration System Administrative applications SNMP Users Menu Options
Command Syntax and Usage
name [<string>]
    Set the user name.
seclevel [none|auth|priv]
    Set the user Security level.
permission [get|set|trap]
    Set the user Permission.
authpasswd [<string>]
    Set the Authentication Password.
privpasswd [<string>]
    Set the Encryption Password.
del [<SNMP_user_ID>]
    Remove the SNMP User.
/ssl/cfg/sys/adm/snmp/target
SSL Configuration System Administrative applications SNMP Target Menu
To enter the /ssl/cfg/sys/adm/snmp/target menu level, you are prompted to create a target if one does not already exist.
SSL >> SNMP# target
Enter Notification Target number: (1-) 1
Creating Notification Target 1
Enter target ip: 0.0.0.0
Enter snmp version (v1/v2c/v3): v1
-----------------------------------------------------------
[Notification Target 1 Menu]
ip - Set target IP address
port - Set target port
version - Set SNMP version
del - Remove Notification Target
Table 11-107 SSL Configuration System Administrative applications SNMP Target Menu Options
Command Syntax and Usage
ip [<IP_address>]
    Set the target IP address.
port [<port_number>]
    Set the target port.
version [v1|v2|v3]
    Set the SNMP version.
del
    Delete the SNMP target.
/ssl/cfg/sys/adm/audit
SSL Configuration System Administrative applications Audit Menu
[Audit Menu]
servers - RADIUS Servers Menu
vendorid - Set vendor id for audit attribute
vendortype - Set vendor type for audit attribute
ena - Enable Audit
dis - Disable Audit
Table 11-108 SSL Configuration System Administrative applications Audit Menu Options
Command Syntax and Usage
servers
    Go to the Servers menu. To view menu options, see page 644.
vendorid [<string>]
    Set the vendor ID.
vendortype [<integer>]
    Set the vendor type.
ena [true|false]
    Enable Audit.
dis [true|false]
    Disable Audit.
/ssl/cfg/sys/adm/audit/servers
SSL Configuration System Administrative applications Audit Servers Menu
[RADIUS Audit Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 11-109 SSL Configuration System Administrative applications Audit Servers Menu Options
Command Syntax and Usage
list
    List all of the Audit server settings.
del <Audit_server_name>
    Delete the Audit server.
add [<IP_address> <port> <secret>]
    Add an Audit server.
insert [<position> <IP_address> <port> <secret>]
    Insert an Audit server into the Audit server list.
move <value> <value>
    Move the Audit server from one position to another in the server list.
/ssl/cfg/sys/adm/http
SSL Configuration System Administrative applications HTTP Menu
[HTTP Menu]
port - Set HTTP Server port
ena - Enable server
dis - Disable server
Table 11-110 SSL Configuration System Administrative applications HTTP Menu Options
Command Syntax and Usage
port [<integer>]
    Set the HTTP server port.
ena [true|false]
    Enable the HTTP server.
dis [true|false]
    Disable the HTTP server.
/ssl/cfg/sys/adm/https
SSL Configuration System Administrative applications HTTPS Menu
[HTTPS Menu]
port - Set HTTPS Server port
ena - Enable server
dis - Disable server
Table 11-111 SSL Configuration System Administrative applications HTTPS Menu Options
Command Syntax and Usage
port [<integer>]
    Set the HTTPS server port.
ena [true|false]
    Enable the HTTPS server.
dis [true|false]
    Disable the HTTPS server.
/ssl/cfg/sys/adm/sshkeys
SSL Configuration System Administrative applications SSH Host keys Menu
[SSH Host Keys Menu]
generate - Generate new SSH host keys for the cluster
show - Show current SSH host keys for the cluster
knownhosts - SSH known host keys menu
Table 11-112 SSL Configuration System Administrative applications SSH Host keys Menu Options
Command Syntax and Usage
generate [yes|no]
    Generate new SSH host keys for the server cluster.
show
    Show the SSH host keys for the server cluster.
knownhosts
    Go to the Known Host Keys menu. To view menu options, see page 644.
/ssl/cfg/sys/adm/sshkeys/knownhosts
SSL Configuration System Administrative applications SSH Known Host keys Menu
[SSH Known Host Keys Menu]
list - List known SSH keys of remote hosts
del - Delete known SSH host key by index
add - Add a new SSH host key
import - Retrieve SSH key from remote host
Table 11-113 SSL Configuration System Administrative applications Known SSH Host keys Menu Options
Command Syntax and Usage
list [yes|no]
    Display the known SSH keys of remote hosts.
del [<hostkey_name>]
    Delete a host key.
add
    Add a new SSH host key. Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
import [<hostname_or_IP_address>]
    Retrieve an SSH key from a remote host.
/ssl/cfg/sys/user
SSL Configuration System Menu
[User Menu]
  passwd   - Change own password
  expire   - Set password expire time interval
  list     - List all users
  del      - Delete a user
  add      - Add a new user
  edit     - Edit a user menu
  caphrase - Certadmin export passphrase
/ssl/cfg/sys/user/edit
SSL Configuration System User Edit Menu
[User User_1 Menu]
  groups - Groups menu
  cur    - Display current setting
/ssl/cfg/sys/user/edit/groups
SSL Configuration System User Edit Menu
[Groups Menu]
  list - List all values
  del  - Delete a value by number
  add  - Add a new value
Table 11-116 SSL Configuration System User Edit Groups Menu Options
Command Syntax and Usage
  list                              List all of the user groups information.
  del [<user_group_name>]           Delete a user group.
  add [<string, user_group_name>]   Add a user group.
/ssl/cfg/lang
SSL Configuration Language Support Menu
[Language Support Menu]
  import - Import language definition file
  export - Export language definition template
  list   - List the loaded languages
  vlist  - List ISO 639 language codes
  del    - Delete (custom) language definition
/ssl/boot
SSL Boot Menu
[Boot Menu]
  software - Software management menu
  halt     - Halt the iSD
  reboot   - Reboot the iSD
  delete   - Delete the iSD
NOTE: If you receive a warning that the iSD you are trying to delete has no contact with any (other) master iSD in the cluster, connect to the MIP address by Telnet or SSH and delete the iSD from the cluster by using the delete command in the iSD Host menu (/cfg/sys/cluster/host #).
The /boot/delete command is intended primarily for situations in which you want to delete an iSD host that has either become isolated from the cluster or has been physically removed from the cluster without first running the delete command from the iSD Host menu. In these circumstances, you must use the /boot/delete command to bring up the Setup menu, from which you can run the new and join commands.
/ssl/boot/software
SSL Performance Menu
[Software Management Menu]
  cur      - Display current software status
  activate - Select software version to run
  download - Download new software pkg. via TFTP/FTP/SCP/SFTP
  del      - Remove unpacked/old releases
/ssl/maint
SSL Performance Maintenance Menu
[Maintenance Menu]
  hsm        - HSM menu
  dumplogs   - Tech suppt dump log files to TFTP/FTP/SFTP server
  dumpstat   - Tech suppt dump curr. status to TFTP/FTP/SFTP server
  chkcfg     - Check applied configuration
  starttrace - Start Trace
  stoptrace  - Stop Trace
/ssl/maint/hsm
SSL Performance HSM Menu
The /ssl/maint/hsm menu is available only on HSM-enabled iSDs.
[HSM Menu]
  login      - Login to HSM cards on local iSD
  splitkey   - Split a wrap key onto CODE iKeys
  changepass - Change iKey password
APPENDIX A
LOG_WARNING
FILTER filter <filter number> fired on port <port number>, <source IP address> -> <destination IP address>, [<ICMP type>], [<IP protocol>], [<layer-4 ports>], [<TCP flags>]
ntp: cannot contact primary NTP server <ip_address>
ntp: cannot contact secondary NTP server <ip_address>
320506-A, January 2006
LOG_ALERT
stp: own BPDU received from port <port_id>
IP cannot contact default gateway <ip_address>
vrrp: received errored advertisement from <ip_address>
vrrp: received incorrect password from <ip_address>
vrrp: received incorrect addresses from <ip_address>
vrrp: received incorrect advertisement interval <seconds> from <ip_address>
slb: cannot contact real server <ip_address>
slb: real server <ip_address> has reached maximum connections
gslb: received update from <ip_address> for unknown remote server <ip_address>
gslb: received update from <ip_address> for unknown virtual service
gslb: received update for unknown remote server <ip_address> from <ip_address>
gslb: received update for unknown service <ip_address:service>
slb: cannot contact real service <ip_address:real_port>
slb: real server failure threshold (<threshold>) has been reach for group <group_id>
slb: real server <ip_address> disabled through configuration
slb: Virtual Service Pool full. gSvcPool=MAX_SERVICES
bgp: notification (<reason>) received from <BGP peer ip_address>
bgp: session with <BGP peer ip_address> failed (<reason>)
vrrp: Synchronization from non-configured peer <ip_address>
vrrp: Synchronization from non-configured peer <ip_address> was blocked
dps: hold down triggered: <ip_address> for <min> minutes
dps: manual hold down: <ip_address>
syn_atk SYN attack detected: <count> new half-open sessions per second
tcplim hold down triggered: <ip_address> for <min> minutes
LOG_CRIT
SYSTEM: temperature at sensor <sensor_id> exceeded threshold
SYSTEM: internal power supply failed
SYSTEM: redundant power supply failed
SYSTEM: fan failure detected
SSH can't allocate memory in load_MP_INT
LOG_ERR
mgmt: PANIC at <file>:<line> in thread <thread id>
mgmt: VERIFY at <file>:<line> in thread <thread id>
mgmt: ASSERT at <file>:<line> in thread <thread id>
ntp: unable to listen to NTP port
isd: unable to listen to BOOTP_SERVER_PORT port
stp: Error: Error writing STG config to FLASH
stp: Error: Error writing config to FLASH
mgmt: Apply not done
mgmt: Save not done
mgmt: <apply|save> is issued by another user. Try later
cli: Error: Error writing %s config to FLASH
cli: New Path Cost for Port <port_id> is invalid
cli: PVID <vlan_id> for port <port_id> is not created
cli: RADIUS secret must be 1-32 characters long
cli: Please configure primary RADIUS server address
cli: STP changes can't be applied since STP is OFF
cli: Switch reset is required to turn STP on/off
cli: Trunk group <trunk_id> contains ports with different PVIDs
cli: Trunk group <trunk_id> has more than <max_trunk_ports> ports
cli: Trunk group <trunk_id> contains no ports but is enabled
cli: Not all ports in trunk group <trunk_id> are in VLAN <vlan_id>
cli: Trunk groups <trunk_id> and <trunk_id> can not share the same port
port_mirr: Port Mirroring changes are not applied
cli: Broadcast address for IP interface <interface_id> is invalid
cli: IP Interfaces <interface_id> and <interface_id> are on the same subnet
cli: Multiple static routes have same destination
cli: Virtual router <vr_id> must have sharing disabled when hotstandby is enabled
cli: Virtual router group must be enabled when hotstandby is enabled
cli: At least one virtual router must be enabled when group is enabled
cli: Virtual router group must have sharing disabled when hotstandby is enabled
cli: Virtual router group must have preemption enabled when hotstandby is enabled
cli: Virtual router <vr_id> must have an IP address
cli: Virtual router <vr_id> cannot have same VRID and VLAN as <vlan_id>
cli: Virtual router <vr_id> cannot have same IP address as <ip_address>
cli: Virtual router <vr_id> corresponding virtual server <server_id> is not enabled
cli: Hot-standby must be enabled when a virtual router has a PIP address
cli: Virtual router <vr_id> IP interface should be <interface_id>
cli: Enabled real server <server_id> has no IP address
cli: Real server <server_id> has same IP address as IP interface <interface_id>
cli: Real server <server_id> has same IP address as switch
cli: Real server <server_id> (Backup for <server_id>) is not enabled
cli: Real server <server_id> has same IP address as virtual server <server_id>
cli: Real server <server_id> has same IP address as real server <server_id>
cli: Real server group <group_id> cannot backup itself
cli: Real server <server_id> cannot be added to same group
cli: Enabled virtual server <server_id> has no IP address
cli: Virtual server <server_id> has same IP address as IP interface <interface_id>
cli: Virtual server <server_id> has same IP address as switch
cli: Virtual servers <server_id> and <server_id> with same IP address must support same layr3 configuration
cli: Real server <server_id> cannot be backup server for both real server <server_id> and group <group_id>
cli: Virtual server <server_id> has same IP address and vport as virtual server <server_id>
cli: RS <server_id> can't exist for VS <server_id> vport <virtual_port>
cli: Switch port <port_id> has same proxy IP address as port <port_id>
cli: Switch port <port_id> has same IP address as IP interface <interface_id>
cli: A hot-standby port cannot also be an inter-switch port
cli: There must be at least one inter-switch port if any hot-standby port exist
cli: With VMA, ports 1-8 must all have a PIP if any one does
cli: Client bindings are not supported with proxy IP addresses
cli: DAM must be turned on or a PIP must be enabled for port <port_id> in order for virtual server to support FTP parsing
cli: Real server <server_id> and group %u cannot both have backups configured
cli: Virtual server <server_id> : port mapping but layer3 bindings
cli: Extracting length has to set to 8 or 16 for cookie rewrite mode
cli: DAM must be turned on or a PIP must be enabled for port <port_id> in order for virtural server <server_id> to support URL parsing
cli: Port filtering must be disabled on port <port_id> in order to support cookie based persistence for virtual server <server_id>
cli: Virtual server <server_id>: port mapping but Direct Access Mode
cli: Virtual server %lu: support nonat IP but not layer 3 bindings
cli: Virtual servers: all that support IP must use same group
cli: Virtual servers <server_id> and <server_id> that include the same real server <server_id> cannot map the same real port or balance UDP
cli: Virtual server <server_id>: UDP service <virtual_port> with out-of-range port number
cli: Switch cannot support more than <MAX_VIRT_SERVICES> virtual services
cli: Switch cannot support more than <MAX_SMT> real services
cli: Trunk group (<trunk_id>) ports must have same L4 config
cli: Trunk group (<trunk_id>) ports must all have a PIP
cli: DAM must be turned on or a PIP must be enabled for ports <port_id> in order to do URL based redirection
cli: Two services have same hostname, <host_name>.<domain_name>
cli: Direct access mode is not supported with default gateway load balancing
cli: SLB Radius secret must be 16 characters long
cli: Dynamic NAT filter <filter_id> must be cached
cli: NAT filter <filter_id> must have same smask and dmask
cli: NAT filter <filter_id> cannot have port ranges
cli: NAT filter <filter_id> must be cached
cli: NAT filter <filter_id> dest range includes VIP <server_id>
cli: NAT filter <filter_id> dest range includes RIP <server_id>
cli: Redirection filter <filter_id> must be cached
cli: Filter with L4 ports configured <port_id> must have IP protocol configured
cli: For Global SLB, Web server must be moved from TCP port 80
cli: Remote site <site_id> does not have a primary IP address
cli: Primary and secondary remote site <site_id> switches must differ
cli: Remote sites <site_id> and <site_id> must use different addresses
cli: Remote site <site_id> and real server <server_id> must use different addresses
cli: Remote site <site_id> and virtual server <server_id> must use different addresses
cli: Only <MAX_SLB_SITES> remote servers are allowed per group
cli: Only <MAX_SLB_SERVICES> remote services are supported
cli: Enabled external lookup IP address has no IP address
cli: domain name must be configured
cli: Network <static_network_id> has no VIP address
cli: duplicate default entry
cli: BGP peer <bgp_peer_id> must have an IP address
cli: BGP peers <bgp_peer_id> and <bgp_peer_id> have same address
cli: BGP peer <bgp_peer_id> have same address as IP interface <ip_interface_id>
cli: BGP peer <bgp_peer_id> IP interface <ip_interface_id> is not enabled
cli: Filter with ICMP types configured (<icmp_type>) must have IP protocol configure to ICMP
cli: Two services have same hostname, <host_name>.<domain_name>
cli: Loadbalance string must be added to real server <server_id> in order to enable exclusionary string matching
cli: intrval input value must be in the range [0-24]
mgmt: unapplied changes reverted
mgmt: unsaved changes reverted
mgmt: Attempting to redirect a previously redirected output
vrrp: Attempting to redirect a previously redirected output
vrrp: cfg_sync_tx_putsn: ABORTED
vrrp: Synchronization TX Error
vrrp: Synchronization TX connection RESET
vrrp: Synchronization TX connection TIMEOUT
vrrp: Synchronization TX connection UNREACEABLE
vrrp: Synchronization TX connection UNKNOWN CLOSE
vrrp: Synchronization RX connection RESET
vrrp: Synchronization RX connection TIMEOUT
vrrp: Synchronization RX connection UNREACEABLE
vrrp: Synchronization RX connection UNKNOWN CLOSE
vrrp: Synchronization connection RCLOSE by peer
vrrp: Synchronization connection RCLOSE before RX
vrrp: Synchronization connection early RCLOSE in RX
vrrp: Synchronization connection Wait-For-Close Timeout
vrrp: Synchronization connection Transmit Timeout
vrrp: Synchronization Receive Timeout
vrrp: Synchronization Receive UNKNOWN Timeout
vrrp: Sync transmit in progress cannot start Sync
vrrp: Sync receive in progress cannot start Sync
vrrp: Sync already in progress cannot start Sync
vrrp: Config Sync route find error
vrrp: Config Sync tcp_open error
vrrp: Config Synchronization Timeout - Resuming Console thread
vrrp: <"apply"|"save"> is issued by another user. Try later
vrrp: new configuration did not validate (rc = )
vrrp: new configuration did not apply (rc = )
vrrp: new configuration did not save (rc = )
vrrp: Sync config apply error
vrrp: Restoring Current Config
vrrp: Sync rx tcp open error
vrrp: Sync Version/Password Failed-No Version/Password Line
vrrp: Sync Version Failed - peer:%s config:%s
vrrp: Sync Password Failed-Bad Password
vrrp: Sync receive already in progress cannot start Sync receive
vrrp: Sync transmit in progress cannot start Sync receive
LOG_NOTICE
system: internal power supply ok
system: redundant power supply present and ok
system: temperature ok
system: fan ok
system: rebooted <last_reset_information>
system: rebooted <last_reset_information>
mgmt: administrator logged in
mgmt: boot config block changed
mgmt: boot image changed
mgmt: switch reset from CLI
mgmt: syslog host changed to <ip_address>
mgmt: syslog host changed to this host
mgmt: second syslog host changed to <ip_address>
mgmt: second syslog host changed to this host
mgmt: Next boot will use active config block
mgmt: user password changed
mgmt: SLB operator password changed
mgmt: L4 operator password changed
mgmt: operator password changed
mgmt: SLB administrator password changed
mgmt: L4 administrator password changed
mgmt: administrator password changed
ssh: scp <login_level> login
ssh: scp <login_level> <"connection closed"|"idle timeout"|"logout">
mgmt: RADIUS server timeouts
mgmt: Failed login attempt via TELNET from host %s
mgmt: PASSWORD FIX-UP MODE IN USE
mgmt: <login_level> login on Console
mgmt: <login_level> <"idle timeout"|"logout"> from Console
mgmt: PANIC command from CLI
port_mirr: port mirroring is <"enabled"|"disabled">
vlan: Default VLAN can not be deleted
mgmt: <login_level> login from host <ip_address>
mgmt: <login_level> <"connection closed"|"idle timeout"|"logout"> from
IP default gateway <ip_address> <"enabled"|"disabled">
IP default gateway <ip_address> operational
vrrp: virtual router <ip_address> is now master
vrrp: virtual router <ip_address> is now backup
slb: backup server <ip_address> <"enabled"|"diabled"> for real server <server_id>
slb: backup server <ip_address> <"enabled"|"disabled"> for real server group <group_id>
slb: backup group server <ip_address> <"enabled"|"disabled"> for real server group <group_id>
slb: overflow server <ip_address> <"enabled"|"disabled"> for real server <server_id>
slb: overflow server <ip_address> <"enabled"|"disabled"> for real server group <group_id>
slb: overflow group server <ip_address> <"enabled"|"disabled"> for real server group <group_id>
slb: real server <ip_address> operational
slb: real service <ip_address:real_port> operational
slb: No services are available for Virtual Server <virtual_server>
slb: Services are available for Virtual Server <virtual_server>
bgp: session established with <BGP_peer_ip_address>
LOG_INFO
SYSTEM: bootp response from <ip_address>
mgmt: new configuration applied
mgmt: new configuration saved
mgmt: unsaved changes reverted
mgmt: Could not revert unsaved changes
mgmt: <image1|image2> downloaded from host <ip_address>, file <file_name> <software_version>
mgmt: serial EEPROM downloaded from host <ip_address> file <file_name>
ssh: scp <login_level> login
ssh: scp <login_level> <"connection closed"|"idle timeout"|"logout">
mgmt: <login_level> login on Console
mgmt: <login_level> <"idle timeout"|"logout"> from Console
mgmt: <login_level> login from host <ip_address>
mgmt: <login_level> <"connection closed"|"idle timeout"|"logout"> from Telnet/SSH.
ssh: server key autogen starts
ssh: server key autogen completes
ssh: server key autogen timer timeouts
vrrp: new synch configuration applied
vrrp: new synch configuration saved
vrrp: Synchronizing from <host_name>
vrrp: Synchronizing to <host_name>
vrrp: Config Synchronization Transmit Successful
vrrp: Config Synchronization Receive Successful
vrrp: new configuration VALIDATED
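A small detector built on the message templates listed in this appendix, as an added example (not Nortel code): it compiles a security-relevant subset of the templates into regexes, classifies syslog lines from the switch, and flags hosts with repeated Telnet login failures. The syslog header layout, the exact facility tags on the wire and the sample log lines are assumptions constructed for the example.

```python
"""Classify Nortel Application Switch syslog messages against the Appendix A
templates and flag security-relevant events.  Added example, not Nortel code:
templates are copied from the lists above; the syslog header layout and the
sample lines are constructed for this example."""
import re
from collections import Counter

# (facility, message template, documented level, tag): a security-relevant
# subset of the Appendix A messages.  <name> and %s placeholders become
# named capture groups.
TEMPLATES = [
    ("FILTER", "filter <filter number> fired on port <port number>, "
               "<source IP address> -> <destination IP address>",
     "LOG_WARNING", "filter-fired"),
    ("syn_atk", "SYN attack detected: <count> new half-open sessions per second",
     "LOG_ALERT", "syn-attack"),
    ("stp", "own BPDU received from port <port_id>", "LOG_ALERT", "stp-own-bpdu"),
    ("vrrp", "received incorrect password from <ip_address>", "LOG_ALERT", "vrrp-auth"),
    ("vrrp", "Synchronization from non-configured peer <ip_address>",
     "LOG_ALERT", "sync-unknown-peer"),
    ("vrrp", "Sync Password Failed-Bad Password", "LOG_ERR", "sync-auth"),
    ("mgmt", "Failed login attempt via TELNET from host %s", "LOG_NOTICE", "login-failure"),
    ("mgmt", "PASSWORD FIX-UP MODE IN USE", "LOG_NOTICE", "password-recovery"),
    ("mgmt", "administrator password changed", "LOG_NOTICE", "credential-change"),
    ("mgmt", "<login_level> login from host <ip_address>", "LOG_NOTICE", "login"),
    ("vrrp", "virtual router <ip_address> is now master", "LOG_NOTICE", "vrrp-failover"),
]


def template_to_regex(template):
    """Turn a documented template into an anchored regex with named groups.
    Trailing optional fields (the [...] parts of the FILTER message) are
    accepted after a comma."""
    parts, pos, nargs = [], 0, 0
    for m in re.finditer(r"<([^>]+)>|%l?[su]", template):
        parts.append(re.escape(template[pos:m.start()]))
        name = m.group(1)
        if name is None:                      # %s / %u / %lu placeholder
            nargs += 1
            name = "arg%d" % nargs
        name = re.sub(r"\W", "_", name.strip())
        parts.append(r"(?P<%s>[^\s,]+)" % name)
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + r"(?:,.*)?$")


COMPILED = [(fac, template_to_regex(t), level, tag) for fac, t, level, tag in TEMPLATES]

# Assumed line layout: optional <PRI>, optional BSD timestamp and hostname,
# then the "facility: message" body as listed in Appendix A (the FILTER and
# syn_atk messages carry no colon after the facility).
LINE_RE = re.compile(
    r"^(?:<\d+>)?(?:[A-Z][a-z]{2} +\d+ +\d\d:\d\d:\d\d +\S+ +)?"
    r"(?P<fac>[A-Za-z_]+):? (?P<msg>.*)$")


def classify(line):
    """Return {facility, level, tag, fields} for a known message, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fac, msg = m.group("fac"), m.group("msg")
    for tfac, rx, level, tag in COMPILED:
        if tfac == fac:
            hit = rx.match(msg)
            if hit:
                return {"facility": fac, "level": level, "tag": tag,
                        "fields": hit.groupdict()}
    return None


def scan(text, failure_threshold=3):
    """Classify every line; report hosts with repeated Telnet login failures."""
    events = [e for e in (classify(ln) for ln in text.splitlines()) if e]
    failures = Counter(e["fields"]["arg1"] for e in events if e["tag"] == "login-failure")
    suspects = sorted(h for h, n in failures.items() if n >= failure_threshold)
    return events, suspects


# Constructed sample log (RFC 5737 documentation addresses); the last line
# is a routine slb message that matches no template and is ignored.
SAMPLE_LOG = """\
Jan 12 10:15:01 nas2424 mgmt: admin login from host 192.0.2.20
Jan 12 10:16:07 nas2424 mgmt: Failed login attempt via TELNET from host 198.51.100.7
Jan 12 10:16:09 nas2424 mgmt: Failed login attempt via TELNET from host 198.51.100.7
Jan 12 10:16:12 nas2424 mgmt: Failed login attempt via TELNET from host 198.51.100.7
Jan 12 10:17:30 nas2424 FILTER filter 12 fired on port 3, 198.51.100.7 -> 203.0.113.10, TCP, 23, SYN
Jan 12 10:18:02 nas2424 syn_atk SYN attack detected: 450 new half-open sessions per second
Jan 12 10:18:40 nas2424 vrrp: received incorrect password from 203.0.113.99
Jan 12 10:19:00 nas2424 mgmt: PASSWORD FIX-UP MODE IN USE
Jan 12 10:20:15 nas2424 vrrp: virtual router 203.0.113.1 is now master
Jan 12 10:21:00 nas2424 slb: real server 203.0.113.50 operational
"""

if __name__ == "__main__":
    evs, bad_hosts = scan(SAMPLE_LOG)
    for e in evs:
        print("%-11s %-18s %s" % (e["level"], e["tag"], e["fields"]))
    print("repeated login failures from:", bad_hosts)
```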
APPENDIX B
RFC 1643 - EtherLike MIB
RFC 1493 - Bridge MIB
RFC 1757 - RMON MIB (Statistics, History, Alarm, Event Groups)
RFC 1850 for OSPF
RFC 1657 for BGP
IEEE 802.3ad MIB for LACP

The following SNMPv3 MIBs are supported:
RFC 2571 - SNMP Framework
RFC 2572 - MPD MIB
RFC 2573 - Target MIB
RFC 2574 - USM MIB
RFC 2575 - VACM MIB
RFC 2576 - Community MIB

The Nortel Application Switch Operating System SNMP agent supports the following generic traps as defined in RFC 1215: ColdStart, WarmStart, LinkDown, LinkUp, AuthenticationFailure.

The SNMP agent also supports two Spanning Tree traps as defined in RFC 1493: NewRoot, TopologyChange.

The following are the enterprise SNMP traps supported in Nortel Application Switch Operating System:

Table 11-122 Nortel Application Switch Operating System-Supported Enterprise SNMP Traps
Trap Name / Description

(trap name missing)
  Signifies that the default gateway is alive.
(trap name missing)
  Signifies that the default gateway is down.
(trap name missing)
  Signifies that the default gateway is up and in service.
altSwDefGwNotInService
  Signifies that the default gateway is alive but not in service.
altSwSlbRealServerUp
  Signifies that the real server is up and operational.
altSwSlbRealServerDown
  Signifies that the real server is down and out of service.
altSwSlbRealServerMaxConnReached
  Signifies that the real server has reached maximum connections.
altSwSlbBkupRealServerAct
  Signifies that the backup real server is activated due to unavailability of the primary real server.
altSwSlbBkupRealServerDeact
  Signifies that the backup real server is deactivated because the primary real server is available.
altSwSlbBkupRealServerActOverflow
  Signifies that the backup real server is activated because the primary real server is overflowed.
altSwSlbBkupRealServerDeactOverflow
  Signifies that the backup real server is deactivated because the primary real server is out of the overflow situation.
altSwfltFilterFired
  Signifies that the packet received on a switch port matches the filter rule.
altSwSlbRealServerServiceUp
  Signifies that the service port of the real server is up and operational.
altSwSlbRealServerServiceDown
  Signifies that the service port of the real server is down and out of service.
altSwVrrpNewMaster
  The newMaster trap indicates that the sending agent has transitioned to 'Master' state.
altSwVrrpNewBackup
  The newBackup trap indicates that the sending agent has transitioned to 'Backup' state.
altSwVrrpAuthFailure
  A vrrpAuthFailure trap signifies that a packet has been received from a router whose authentication key or authentication type conflicts with this router's authentication key or authentication type. Implementation of this trap is optional.
altSwLoginFailure
  An altSwLoginFailure trap signifies that someone failed to enter a valid username/password combination.
altSwSlbSynAttack
  (description not on this page)
altSwTcpHoldDown
  (description not on this page)
APPENDIX C
3. Power on the switch.

4. Hold the <Shift> key down and hit D repeatedly until the following message appears:

   Nortel Application Switch - PPCBoot 2.2.
   To download a serial image use 1K Xmodem at 115200

5. Reconfigure your terminal emulation software with the following parameters (only after you see the message displayed in step 4):

   Parameter      Value
   Baud Rate      115200
   Data Bits      8
   Parity         None
   Stop Bits      1
   Flow Control   None

   NOTE: You can perform serial downloads at 57600 baud by pressing Shift f, or at 115200 baud by pressing Shift d.

6. Press <Enter> on the keyboard of the PC that is connected to the console port of the switch. When the console port is successfully communicating with the PC, you will see: CCCC...
   Make sure that the new binary firmware file is available on the computer. This file can be downloaded from the CD that is shipped with the switch. Select <Transfer-Send File> and choose the following:

   file: For example, "21.0.0.0_Serial.img" (or the file previously downloaded to the computer)
   protocol: 1K XMODEM

7. It will take about 15 minutes for the transfer to complete.

   NOTE: Although slower, XMODEM will work too if you choose not to use 1K XMODEM.

8. Power off the switch, wait for a few seconds, and power the switch on.

   CAUTION: Do not power off the switch until you see the message "Change your baud rate to 9600 bps and power cycle switch"; otherwise, the switch will be inoperable.

9. The switch will boot with the new software load. You should see the following sample log on your screen:

   Nortel Application Switch - PPCBoot 2.2.
   To download a serial image use 1K Xmodem at 115200
   CCCCCCCCCCCCCCCCCCCCCCCCCCCCC
   Total bytes transferred: 0x4ff400
   Extracting images...
   Do *NOT* power cycle the switch
   Updating flash...
   #################################################################
   Change your baudrate to 9600 bps and power cycle the switch
Glossary
DIP (Destination IP Address)
  The destination IP address of a frame.

Dport (Destination Port)

NAT (Network Address Translation)
  Any time an IP address is changed from one source IP or destination IP address to another address, network address translation can be said to have taken place. In general, half NAT is when either the destination IP or the source IP address is changed from one address to another. Full NAT is when both addresses are changed. No NAT is when neither the source nor the destination IP address is translated. Virtual server-based load balancing uses half NAT by design, because it translates the destination IP address from the Virtual Server IP address to that of one of the real servers.

Preemption
  In VRRP, preemption causes a Virtual Router that has a lower priority to go into backup should a peer Virtual Router start advertising with a higher priority.

Priority
  In VRRP, the value given to a Virtual Router to determine its ranking with its peer(s). The minimum value is 1 and the maximum value is 254. The default is 100. A higher number wins master designation.

Proto (Protocol)
  The protocol of a frame. Can be any value representable by the 8-bit protocol field in the IP header, as defined by the IP specification (for example, TCP, UDP, OSPF, ICMP, and so on).

Real Server Group
  A group of real servers that are associated with a Virtual Server IP address or a filter.

Redirection-based load balancing
  A type of load balancing that operates differently from virtual server-based load balancing. With this type of load balancing, requests are transparently intercepted and redirected to a server group. Transparently means that requests are not specifically destined for a Virtual Server IP address that the switch owns. Instead, a filter is configured in the switch. This filter intercepts traffic based on certain IP header criteria and load balances it. Filters can be configured to filter on the SIP/Range (via netmask), DIP/Range (via netmask), Protocol, SPort/Range or DPort/Range. The action on a filter can be Allow, Deny, Redirect to a Server Group, or NAT (translation of either the source IP or destination IP address). In redirection-based load balancing, the destination IP address is not translated to that of one of the real servers. Therefore, redirection-based load balancing is designed to load balance devices that normally operate transparently in your network, such as a firewall, spam filter, or transparent Web cache.

RIP (Real Server IP Address)
  An IP address that the switch load balances to when requests are made to a Virtual Server IP address (VIP).

SIP (Source IP Address)
  The source IP address of a frame.

SPort (Source Port)
  The source port (application socket: for example, HTTP-80/HTTPS-443/DNS-53).

Tracking
  In VRRP, a method to increase the priority of a virtual router and thus master designation (with preemption enabled). Tracking can be very valuable in an active/active configuration. You can track the following:
  vrs: Virtual Routers in Master Mode (increments priority by 2 for each)
  ifs: Active IP interfaces on the Nortel Application Switch (increments priority by 2 for each)
  ports: Active ports on the same VLAN (increments priority by 2 for each)
  l4pts: Active Layer 4 Ports, client or server designation (increments priority by 2 for each)
  reals: Healthy real servers (increments priority by 2 for each healthy real server)
  hsrp: HSRP announcements heard on a client designated port (increments priority by 10 for each)

VIP (Virtual Server IP Address)
  An IP address that the switch owns and uses to load balance particular service requests (like HTTP) to other servers.

(term not on this page)
  A VRRP address that is an IP interface address shared between two or more virtual routers.

Virtual Router
  A shared address between two devices utilizing VRRP, as defined in RFC 2338. One virtual router is associated with an IP interface. This is one of the IP interfaces that the switch is assigned. All IP interfaces on the Nortel Application Switch must be in a VLAN. If there is more than one VLAN defined on the Nortel Application Switch, then the VRRP broadcasts are sent out only on the VLAN of which the associated IP interface is a member.

Virtual server-based load balancing
  Classic load balancing. Requests destined for a Virtual Server IP address (VIP), which is owned by the switch, are load balanced to a real server contained in the group associated with the VIP. Network address translation is done back and forth, by the switch, as requests come and go. Frames come to the switch destined for the VIP. The switch then replaces the VIP with one of the real server IP addresses (RIPs), updates the relevant checksums, and forwards the frame to the server for which it is now destined. This process of replacing the destination IP (VIP) with one of the real server addresses is called half NAT. If the frames were not half-NATed to the address of one of the RIPs, a server would receive a frame that was destined for its MAC address, forcing the packet up to Layer 3. The server would then drop the frame, since the packet would have the DIP of the VIP and not that of the server (RIP).

VRID
  In VRRP, a value between 1 and 255 that is used by each virtual router to create its MAC address and to identify the peer with which it shares this VRRP address. The VRRP MAC address as defined in the RFC is 00-00-5E-00-01-{VRID}. If you have a VRRP address that two switches are sharing, then the VRID number needs to be identical on both switches so that each virtual router on each switch knows whom to share with.

VRRP
  A protocol that acts very similarly to Cisco's proprietary HSRP address sharing protocol. Both protocols exist so that devices have a next hop or default gateway that is always available. Two or more devices sharing an IP interface are either advertising or listening for advertisements. These advertisements are sent via a broadcast message to an address such as 224.0.0.18. With VRRP, one switch is considered the master and the other the backup. The master is always advertising via the broadcasts. The backup switch is always listening for the broadcasts. Should the master stop advertising, the backup takes over ownership of the VRRP IP and MAC addresses as defined by the specification. The switch announces this change in ownership to the devices around it by way of a Gratuitous ARP and advertisements. If the backup switch did not send the Gratuitous ARP, the Layer 2 devices attached to the switch would not know that the MAC address had moved in the network. For a more detailed description, refer to RFC 2338.

VSR
  A VRRP address that is a shared Virtual Server IP address. VSR is a Nortel proprietary extension to the VRRP specification. The switches must be able to share Virtual Server IP addresses as well as IP interfaces. If they didn't, the two switches would fight for ownership of the Virtual Server IP address, and the ARP tables in the devices around them would have two ARP entries with the same IP address but different MAC addresses.
Index
Symbols
(MD5) .............................................................. 487 (SLB real server group option) content ...................................................... 424 / command .......................................................... 56 [ ]....................................................................... 23 admpw (system option) ...................................... 293 advertisement of virtual IP addresses ................... 358 aging STP bridge option ....................................... 332 STP information ........................................... 99 application redirection ................................ 415, 448 filter states.................................................. 133 filters ......................................................... 414 within real server groups .............................. 423 apply (global command) ..................................... 259 applying configuration changes ........................... 259 ASCII terminal .................................................... 26 autoconfiguration duplex mode ................................................. 39 link........................................................ 39, 40 port speed..................................................... 39 auto-negotiation ................................................... 39 enable/disable on port .......... 305, 309, 311, 313 setup...................................................... 39, 40 autonomous system filter action .......................... 356 autonomous system filter path action ........................................................ 356 as .............................................................. 356 aspath ........................................................ 356
Numerics
1K XModem ..................................................... 671 3000 series........................................................ 306
A
abbreviating commands (CLI) .............................. 60 access control system ....................................................... 288 action (SLB filtering option) ............................... 448 activating optional software ................................ 509 active configuration block .......................... 260, 515 active FTP SLB parsing statistics ........................ 221 active IP interface .............................................. 393 active Layer 4 processing ................................... 393 active port VLAN ....................................................... 393 active switch configuration gtcfg ......................................................... 408 ptcfg ......................................................... 408 restoring .................................................... 408 active switch, saving and loading configuration .... 408 add SLB port option .......................................... 464 addr ARP entries................................................ 524 IP route tag ................................................ 109 Address Resolution Protocol (ARP) address list ................................................. 524 administrator account30, 33
B
backup
  SLB real server group option, 424
backup configuration block, 260, 515
backup server activations (SLB statistics), 205, 228
bandwidth management
  configuration, 316
  contracts, 317
bandwidth management contract
  precedence value, 319
bandwidth management contract configuration, 264, 319
677
Nortel Application Switch Operating System 23.0.2 Command Reference
Bandwidth Management options
  operations-level options, 505
bandwidth management policy configuration, 322
  buffer limit, 322
  hard bandwidth limit, 322
  over the limit TOS, 322
  reserve limit, 322
  soft bandwidth limit, 322
  underlimit TOS, 322
bandwidth management statistics, 232
banner (system option), 262
baud rate
  console connection, 26
  serial download, 671, 672
BBI, 25
BGP
  configuration, 371
  eBGP, 371
  iBGP, 371
  in route, 374
  IP address, border router, 373
  IP route tag, 109
  keep-alive time, 373
  peer, 371
  peer configuration, 373
  redistribution configuration, 375
  remote autonomous system, 373
  router hops, 374
binary, 671
binary firmware image, 672
binding failure, 204, 228
binding table, 437
BLOCKING (port state), 99
boot options menu, 511
BOOTP, 27
  setup (enable/disable), 37
  system option, 262
bootstrap protocol, 380
Border Gateway Protocol, 109
  configuration, 371
Border Gateway Protocol (BGP)
  operations-level options, 508
BPDU. See Bridge Protocol Data Unit.
bridge parameter menu, for STP, 330
bridge priority, 99
Bridge Protocol Data Unit (BPDU), 99
  STP transmission frequency, 331
Bridge Spanning-Tree parameters, 331
broadcast
  IP route tag, 109
  IP route type, 109
broadcast domains, 339
broadcast IP address, 43
Browser-Based Interface, 25
BWM
  contract rate statistics, 235
  contract statistics, 234
  history statistics, 237
  port, 233
  switch processor contract statistics, 233
  switch processor rate contract statistics, 233
C
capture dump information to a file, 528
Cisco Ether Channel, 334
clear
  ARP entries, 524
  dump information, 529
  FDB entry, 523
  routing table, 525
clearing SLB statistics, 230, 231
client traffic processing, 463
command (help), 56
Command-Line Interface (CLI), 25 to 31, 33, 53
commands
  abbreviations, 60
  conventions used in this manual, 23
  global commands, 56
  shortcuts, 60
  stacking, 60
  tab completion, 60
Index
320506-A, January 2006
configuration
  administrator password, 293
  apply changes, 259
  default gateway interval, for health checks, 346
  default gateway IP address, 346
  dump command, 407
  effect on Spanning-Tree Protocol, 259
  Fast Ethernet, 303
  flow control, 305, 309, 311, 313
  Gigabit Ethernet, 303, 307, 309
  IP static route, 348
  Layer 4 administrator password, 292
  operating mode, 305, 308, 313
  port link speed, 305, 308, 313
  port mirroring, 315
  port trunking, 333
  route cache, 350
  save changes, 260
  setup, 406
  setup command, 403
  switch IP address, 344
  TACACS+, 270
  user password, 292
  view changes, 259
  VLAN default (PVID), 303, 307, 309, 312
  VLAN IP interface, 344
  VLAN tagging, 304, 307, 310, 312
  VRRP, 381
configuration block
  active, 515
  backup, 515
  factory, 515
  selection, 515
configuration menu, 257
configuring routing information protocol, 357
connecting
  via console, 26
  via Telnet, 27
connection timeout (Real Server Menu option), 437
console port
  communication settings, 26
  connecting, 26
  serial download settings, 671, 672
content
  SLB real server group option, 424
contracts, bandwidth management, 317
copper ports, 307
cost
  STP information, 99
  STP port option, 333
counters, No Server Available (dropped frames), 205, 228
CPU statistics, 252, 254
CPU utilization, 252, 254
cur (system option), 269, 272
current bindings, 204, 227
D
date
  setup, 37
  system option, 262
debugging, 519
default gateway
  information, 107
  interval, for health checks, 346
  metrics, 396
  round robin, load balancing for, 396
default password, 30
delete
  FDB entry, 523
deny (filtering), 228
designated port, 114
diff (global) command, viewing changes, 259
dip (destination IP address for filtering), 449
direct (IP route type), 109
directed broadcasts, 350
DISABLED (port state), 99
disconnect idle timeout, 31
Distributed Site State Protocol (DSSP)
  setting update interval, 466
dmask
  destination mask for filtering, 449
DNS statistics, 192
Domain Name System (DNS)
  health checks, 427
downloading software, 513
dropped frames (No Server Available) counter, 205, 228
dump
  configuration command, 407
  maintenance, 519
  state information, 530
duplex mode, 39
  link status, 62, 78, 147
  setup, 39
dynamic routes, 525

E
EMS, Alteon EMS, 46
emulation software, 671
EtherChannel
  as used with port trunking, 334

F
factory configuration block, 515
factory default configuration, 31, 33, 34
Fast Ethernet Physical Link, 303
Fast Ethernet, configuring ports for, 303
fastage, 482
FDB statistics, 171
fiber optic ports, 309
File Transfer Protocol, 220
filter statistics, 213
filtered (denied) frames, 205, 228
filters
  IP address ranges, 449
Final Steps, 45
first-time configuration, 31, 33 to 50
fixed
  IP route tag, 109
flag field, 114
flow control, 62, 147
  configuring, 305, 309, 311, 313
  setup, 39, 40
forwarding configuration
  IP forwarding configuration, 350
forwarding database (FDB), 519
  delete entry, 523
Forwarding Database Information Menu, 90
Forwarding Database Menu, 522, 535
forwarding state (FWD), 92, 99, 102
FTP server health checks, 427
FTP SLB maintenance statistics, 222
FTP SLB statistics dump, 222
full-duplex, 39
fwd (STP bridge option), 331
FwdDel (forward delay), bridge port, 99

G
gig (Port Menu option), 303, 307, 309
Gigabit Ethernet
  configuration, 303, 307, 309
Gigabit Ethernet Physical Link, 303, 307, 309
global commands, 56
global SLB maintenance statistics, 209
global SLB statistics, 206
grace
  graceful real server failure, 482
Greenwich, 272
Greenwich Mean Time (GMT), 272
group, 212
gtcfg (TFTP load command), 408

H
half-duplex, 39
hash metric, 430
health check types, SLB, 426
health checks, 417
  default gateway interval, retries, 346
  IDSLB, 426
  layer information, 132
  parameters for most protocols, 427
  redirection (rport), 448
  retry, number of failed health checks, 346
  script, 488
  SNMP, 428, 490
  WAP, 492
hello
  STP information, 99
help, 56
host routes, 358
Hot Standby Router on VLAN (HSRV)
  use with VLAN-tagged environment, 386
  VRRP priority increment value, 396
Hot Standby Router Protocol (HSRP)
  priority increment value for L4 client ports, 395
  use with VRRP, 386, 393
  VRRP priority increment value, 395
Hot Standby Router VLAN (HSRV)
  use with VRRP, 393
hot-standby failover, 391
HP-OpenView, 25
hprompt
  system option, 262
HSRP. See Hot Standby Router Protocol.
HSRV. See Hot Standby Router Protocol.
HTTP
  application health checks, 427
  redirects (Global SLB option), 466
  system option, 288
http, 288
HTTP health checks
  on any port (aphttp), 487

I
ICMP statistics, 193
idle timeout
  overview, 31
IDSLB health checks, 426
IEEE standards
  802.1d Spanning-Tree Protocol, 98, 329
image
  downloading, 513
  software, selecting, 514
IMAP server health checks, 427
imask (IP address mask), 481
incorrect VIPs (statistic), 204, 228
incorrect Vports (dropped frames counter), 205, 228
indirect (IP route type), 109
Information
  Trunk Group Information, 102
Information Menu, 61
Interface change stats, 180
interface statistics, 195
IP address, 42
  ARP information, 113
  BOOTP, 27
  configuring default gateway, 346
  filter ranges, 449
  IP interface, 42
  local route cache ranges, 351
  Telnet, 27
IP address mask for SLB, 481
IP configuration via setup, 42
IP forwarding, 378
  directed broadcasts, 350
  local networks for route caching, 350
IP forwarding information, 107
IP Information Menu, 107, 126
IP interface, 344
  active, 393
  configuring address, 344
  configuring VLANs, 344
IP interfaces, 42, 109
  information, 107
  IP route tag, 109
  priority increment value (ifs) for VRRP, 395
IP network filter configuration, 352
IP port configuration, 378
IP Route Manipulation Menu, 525
IP routing, 42
  tag parameters, 109
IP Static Route Menu, 348
IP statistics, 181
IP subnet mask, 42
IP subnets
  VLANs, 339
L
l4apw (L4 administrator system option), 292
Layer 4 administrator account, 30
Layer 4 processing
  active, 393
layer 7 SLB maintenance statistics, 216
layer 7 SLB string statistics, 215
layer7 redirection statistics, 214, 218
LDAP version, 487
LEARNING (port state), 99
least connections (SLB Real Server metric), 426, 430
license certificate, 509
license password, 509
link speed, configuring, 305, 308, 313
link status, 62
  command, 148
  duplex mode, 62, 78, 147
  port speed, 62, 78, 147
Link Status Information, 147
linkt (SNMP option), 275
LISTENING (port state), 99
lmask (routing option), 107
lnet (routing option), 107
local (IP route type), 109
local network for route caching, 350
local route cache
  IP address ranges for, 351
log
  syslog messages, 264
logical segment. See IP subnets.
M
MAC (media access control) address, 63, 90, 113, 509, 522
Main Menu, 53
  Command-Line Interface (CLI), 31
  summary, 54
Maintenance Menu, 519
Management Processor (MP), 527
  display MAC address, 63
manual style conventions, 23
martian
  IP route tag (filtered), 109
  IP route type (filtered out), 109
mask
  IP interface subnet address, 344
MaxAge (STP information), 99
mcon (maximum connections), 205, 228, 424
MD5 authentication key, 362
MD5 cryptographic authentication, 363
MD5 key, 366
media access control. See MAC address.
metric
  SLB real server group option, 423
metrics, SLB, 429
minimum misses (SLB real server metric), 426, 429
Miscellaneous Debug Menu, 527, 545
mmask
  IP address mask for SLB, 481
mnet
  management traffic IP address for SLB, 481
monitor port, 315
mp packet, 249
MP. See Management Processor.
multicast
  IP route type, 109
multi-links between switches
  using port trunking, 102, 333
mxage (STP bridge option), 331
N
nbr change statistics, 179
Network Address Translation (NAT)
  filter action, 448
network management, 25
non TCP/IP frames, 204, 228
notice, 262
NTP synchronization, 272
NTP time zone, 272

O
octet counters, 211
online help, 56
operating mode, configuring, 305, 308, 313
operations menu, 499
operations-level BGP options, 508
operations-level BWM options, 505
operations-level IP options, 508
Operations-Level Port Options, 501
operations-level SLB options, 502
operations-level VRRP options, 505
optional software, 62, 150
  activating, 509
  removing, 510
OSPF
  area types, 119, 361
ospf
  area index, 361, 363
  authentication key, 366
  configuration, 361
  cost of the selected path, 366
  cost value of the host, 369
  dead, declaring a silent router to be down, 366
  dead, health parameter of a hello packet, 367
  export, 370
  fixed routes, 371
  general, 177
  global, 177
  hello, authentication parameter of a hello packet, 367
  host entry configuration, 369
  host routes, 362
  interface, 361
  interface configuration, 365
  link state database, 362
  MD5 authentication key, 362
  Not-So-Stubby Area, 363
  priority value of the switch interface, 366
  range number, 361
  redistribution menu, 362
  route redistribution configuration, 370
  spf, shortest path first, 364
  stub area, 363
  summary range configuration, 364
  transit area, 363
  transit delay, 366
  type, 363
  virtual link, 361
  virtual link configuration, 367
  virtual neighbor, router ID, 367
OSPF Database Information, 122
OSPF general, 120
OSPF General Information, 121
OSPF Information, 119
OSPF Information Route Codes, 124
OSPF statistics, 176, 184
overflow server activations, 205, 228
overflow servers, 416
P
panic
  command, 530
  switch (and Maintenance Menu option), 519
parameters
  tag, 109
  type, 109
Passive FTP SLB Parsing Statistics, 221
Password
  user access control, 292
password
  administrator account, 30
  default, 30
  L4 administrator account, 30
  user account, 30
  VRRP authentication, 394
passwords, 29
persistent bindings
  real server, 437
ping, 57, 415
PIP, 496
POP3 server
  health checks, 427
port bandwidth management
  switch processor statistics, 233
  switch port contract statistics menu, 232
port configuration, 301
port flow control. See flow control.
Port Menu
  configuration options, 307
  configuring Fast Ethernet, 303
  configuring Gigabit Ethernet (gig), 303, 307, 309
port mirroring
  configuration, 315
Port number, 147
port speed, 62, 78, 147
  auto-sense, 39
  setup, 39
port states
  UNK (unknown), 92
port trunking
  description, 333
port trunking configuration, 333
ports
  configuration, 38
  disabling (temporarily), 314
  information, 149
  IP status, 107
  membership of the VLAN, 90, 103
  priority, 99
  RJ-45, 302
  SLB state information, 133
  STP port priority, 333
  VLAN ID, 62, 149
preemption
  assuming VRRP master routing authority, 385
  virtual router, 384, 391
priority
  virtual router, 391
priority (STP port option), 333
prisrv
  primary radius server, 269
proxies
  IP address translation, 417
proxy IP address (PIP), 133
proxy IP address (PIP) configuration, 496
ptcfg (TFTP save command), 408
PVID (port VLAN ID), 62, 149
pwd, 57

Q
quiet (screen display option), 57

R
RADIUS server
  authentication, 428
read community string (SNMP option), 275
real server
  statistics, 211
real server global SLB statistics, 207
real server group options
  add, 425
real server group SLB configuration, 423
real server group statistics, 212
real server groups
  combining servers into, 423
  statistics, 212
real server SLB configuration, 414
real servers
  backup, 424
  priority increment value (reals) for VRRP, 395
  SLB state information, 132
reboot, 519, 530
receive flow control, 39, 40, 305, 309, 311, 313, 314
redir (SLB filtering option), 448
reference ports, 92
referenced port, 114
remote monitoring on the port (rmon), 501
remote site servers, 417
removing optional software, 510
reset key combination, 520
restarting switch setup, 36
retries
  radius server, 269
retry
  health checks for default gateway, 346
rip
  IP route tag, 109
RIP. See Routing Information Protocol.
rmkey, 510
round robin
  as used in gateway load balancing, 396
roundrobin
  SLB Real Server metric, 426, 430
route cache
  configuration, 350
route statistics, 189
router hops, 374
routing information protocol
  configuration, 357
Routing Information Protocol (RIP), 109
  options, 359
rport
  SLB virtual server option, 435
RTSP SLB statistics, 223
rx flow control, 39, 40
Rx/Tx statistics, 178
S
save (global command) ..... 260
    noback option ..... 260
save command ..... 515
script health checks ..... 488
scriptable health checks configuration ..... 488
secret
    radius server ..... 269
secsrv
    secondary radius server ..... 269
security
    VLANs ..... 339
segmentation. See IP subnets.
segments. See IP subnets.
serial cable ..... 26
serial download ..... 671
Server Load Balancing
    IDS ..... 422
    operations-level options ..... 502
    real server weights ..... 415
server load balancing
    client traffic processing ..... 463
    health check ..... 426
    health check types ..... 426
    metrics ..... 429
    port options ..... 464
    server traffic processing ..... 463
server load balancing configuration options ..... 412
Server Load Balancing Maintenance Statistics Menu ..
server port mapping ..... 133
684
Index
320506-A, January 2006
Nortel Application Switch Operating System 23.0.2 Command Reference
server traffic processing ..... 463
Session Binding Table ..... 416
session identifier ..... 433
setup configuration ..... 406
setup command, configuration ..... 403
setup facility ..... 31, 33
    BOOTP ..... 37
    duplex mode ..... 39
    IP configuration ..... 42
    IP subnet mask ..... 42
    port auto-negotiation mode ..... 39, 40
    port configuration ..... 38
    port flow control ..... 39, 40
    port speed ..... 39
    restarting ..... 36
    Spanning-Tree Protocol ..... 38
    starting ..... 34
    stopping ..... 36
    system date ..... 37
    system time ..... 37
    VLAN name ..... 41
    VLAN port numbers ..... 41
    VLAN tagging ..... 40
    VLANs ..... 41
SFD statistics
    mp specific ..... 252
SFP GBIC ports ..... 309
shortcuts (CLI) ..... 60
single-mode ports ..... 307
SIP (source IP address for filtering) ..... 449
SLB filtering option
    action ..... 448
SLB Information ..... 132
SLB layer7 statistics ..... 214
SLB real server group health checks
    arp ..... 426
    dns ..... 427
    ftp ..... 427
    http ..... 427
    icmp ..... 426
    imap ..... 427
    ldap ..... 428
    radius ..... 428
    script ..... 428
    smtp ..... 427
    SNMP ..... 428
    sslh ..... 427
    tcp ..... 426
    udpdns ..... 428
    wsp ..... 428
    wtls ..... 428
SLB real server group option
    application health checking ..... 424
    health checking ..... 424
    metric ..... 423
SLB real server option
    backup ..... 416
    intr (interval) ..... 417
    maxcon (maximum connections) ..... 416
    name, alias for each real server ..... 415
    restr (restore) SLB real server UDP option ..... 417
    retry ..... 417
    RIP, real server IP address ..... 415
    submac ..... 417
    tmout (time out) ..... 416
    weights ..... 415
slowage ..... 482
smask
    source mask for filtering ..... 449
smtp ..... 262
SMTP server health checks ..... 427
snap traces
    buffer ..... 527
SNMP ..... 25, 152
    health checks ..... 490
    HP-OpenView ..... 25
    menu options ..... 274
    set and get access ..... 275
SNMP Agent ..... 667
SNMP health check configuration ..... 490
SNMP health checks ..... 428
SNMP Support
    optional setup for SNMP support ..... 46
software image
    file and version ..... 63
    license ..... 509
software image ..... 512
SP specific statistics ..... 253
spanning tree
    configuration ..... 329
Spanning-Tree Protocol ..... 102, 259
    bridge aging option ..... 332
    bridge parameters ..... 331
    bridge priority ..... 99
    port cost option ..... 333
    port priority option ..... 333
    root bridge ..... 99, 331
    setup (on/off) ..... 38
    switch reset effect ..... 517
SSL ..... 437
    secure socket layer statistics ..... 219
stacking commands (CLI) ..... 60
starting switch setup ..... 34
state (STP information) ..... 99
state information, client system ..... 437
static
    IP route tag ..... 109
static route
    add ..... 348
    rem ..... 348
statistics
    group ..... 212
    management processor ..... 248
Statistics Menu ..... 151
stopping switch setup ..... 36
subnet address mask
    configuration IP subnet address ..... 344
subnet mask ..... 42
subnets ..... 42
    IP interface ..... 344
switch
    resetting ..... 517
Switch Processor (SP) ..... 527
    display trace buffer ..... 527
swkey ..... 509
SYN attack detection configuration ..... 483
sync ..... 502
synchronization
    VRRP switch ..... 478, 502
syslog
    system host log configuration ..... 263
system
    contact (SNMP option) ..... 274
    date and time ..... 61, 63
    location (SNMP option) ..... 274
system access control configuration ..... 288
System Maintenance Menu ..... 522
system options
    admpw (administrator password) ..... 293
    BOOTP ..... 262
    cur (current system parameters) ..... 269, 272
    date ..... 262
    hprompt ..... 262
    HTTP access ..... 288
    l4apw (Layer 4 administrator password) ..... 292
    login banner ..... 262
    time ..... 262
    tnet ..... 288
    tnport ..... 289
    usrpw (user password) ..... 292
system parameters, current ..... 269, 272
T
tab completion (CLI) ..... 60
tacacs ..... 270
TACACS+ ..... 270
TCP
    fragments ..... 433
    health checking using ..... 417
    health checks ..... 427
    source and destination ports ..... 447
TCP statistics ..... 197, 251
Telnet ..... 27
    BOOTP ..... 27
    configuring switches using ..... 407
telnet
    radius server ..... 269
Telnet support
    optional setup for Telnet support ..... 46
terminal emulation ..... 26
text conventions ..... 23
TFTP ..... 513
    PUT and GET commands ..... 408
TFTP server ..... 408
time
    setup ..... 37
    system option ..... 262
timeout
    radius server ..... 269
timeouts
    idle connection ..... 31
timers
    kickoff ..... 180
time-to-live, DNS response (global SLB menu option) ..... 471
tnet
    system option ..... 288
tnport
    system option ..... 289
TPCP (Transparent Proxy Cache Protocol) ..... 482
trace buffer ..... 527
    Switch Processor ..... 527
traceroute ..... 57
Tracking
    VRRP ..... 383, 387
transmit flow control ..... 39, 40, 305, 309, 311, 313, 314
transparent proxies, when used for NAT ..... 448
Trunk Group Information ..... 102
ttl (time to live, global SLB menu option) ..... 466
tx flow control ..... 39, 40
type of area
    ospf ..... 363
type parameters ..... 109
typographic conventions, manual ..... 23
tzone ..... 272
U
UCB statistics ..... 251
UDP
    datagrams ..... 204, 228
    server status using ..... 417
    source and destination ports ..... 447
UDP statistics ..... 199
unknown (UNK) port state ..... 92
Unscheduled System Dump ..... 531
upgrade, switch software ..... 512
URL for health checks ..... 133
user account ..... 30
usrpw (system option) ..... 292
Uuencode Flash Dump ..... 528
V
verbose ..... 57
vip
    advertisement of virtual IP addresses as Host Routes ..... 358
    IP route tag ..... 109
virtual IP address (VIP) ..... 133
virtual port state, SLB information about ..... 133
virtual router
    description ..... 383
    priority ..... 391
    tracking criteria ..... 385
virtual router group
    VRRP priority tracking ..... 391
virtual router group configuration ..... 390
virtual router group priority tracking ..... 392
Virtual Router Redundancy Protocol (VRRP)
    authentication parameters for IP interfaces ..... 394
    group options (prio) ..... 391
    operations-level options ..... 505
    password, authentication ..... 394
    priority election for the virtual router ..... 384
    priority tracking options ..... 373, 386
Virtual Router Redundancy Protocol configuration ..... 381
virtual router sharing ..... 391
virtual routers
    HSRP failover ..... 386, 393
    HSRP priority increment value ..... 395
    HSRV ..... 393
    HSRV priority increment value ..... 396
    increasing priority level of ..... 385, 389
    incrementing VRRP instance ..... 386
    master preemption (preem) ..... 391
    master preemption (prio) ..... 384
    priority increment values (vrs) for VRRP ..... 395
virtual server global SLB statistics ..... 207
virtual server SLB statistics ..... 213
virtual servers ..... 426
    SLB state information ..... 133
    statistics ..... 213
VLAN
    active port ..... 393
    configuration ..... 339
VLAN tagging
    port configuration ..... 304, 307, 310, 312
    port restrictions ..... 340
    setup ..... 40
VLANs ..... 42
    ARP entry information ..... 113
    broadcast domains ..... 339
    information ..... 103
    interface ..... 43
    multiple spanning trees ..... 329
    name ..... 90, 103
    name setup ..... 41
    port membership ..... 90, 103
    port numbers ..... 41
    security ..... 339
    setting default number (PVID) ..... 303, 307, 309, 312
    setup ..... 41
    Spanning-Tree Protocol ..... 329
    tagging ..... 40, 62, 149, 340
    VLAN Number ..... 103
VRID (virtual router ID) ..... 383, 391
VRRP
    interface configuration ..... 394
    master advertisements ..... 384
    tracking ..... 383, 387
    tracking configuration ..... 395
    virtual router sharing ..... 384
VRRP Information ..... 127
VRRP master advertisements
    time interval ..... 391
VRRP statistics ..... 191
W
WAP health checks ..... 492
WAP health check
    wspport ..... 490, 492
    wtlsprt ..... 490, 493
WAP health check configuration ..... 492
WAP SLB statistics ..... 225
watchdog timer ..... 520
web-based management interface ..... 25
weights
    for SLB real servers ..... 431
    setting virtual router priority values ..... 395
write community string (SNMP option) ..... 275
wspport
    WAP health check ..... 490, 492
wtlsprt
    WAP health check ..... 490, 493
X
XModem ..... 671