A10 Thunder AX 271-P2 CLI Ref-2013.08.05

Command
Line Interface Reference
A10 Thunder™ Series and AX Series

Document No.: D-030-01-00-0065
ACOS 2.7.1 8/5/2013
©
2013 A10 Networks, Inc. - All Rights Reserved
Information in this document is subject to change without notice.
Trademarks
A10 Networks, A10 Thunder, vThunder, the A10 logo, aACI, aCloud, ACOS, aDCS, aDNS, aELB, aFleX, aFlow, aGal-
axy, aPlatform, aUSG, aVCS, aWAF, aXAPI, IDAccess, IDSENTRIE, IP to ID, SmartFlow, SoftAX, Thunder, Unified
Service Gateway, Virtual Chassis, VirtualADC, and VirtualN are trademarks or registered trademarks of A10 Networks,
Inc. All other trademarks are property of their respective owners.
Patents Protection
A10 Networks products including all AX Series products are protected by one or more of the following US patents and
patents pending: 20120216266, 20120204236, 20120179770, 20120144015, 20120084419, 20110239289, 20110093522,
20100235880, 20100217819, 20090049537, 20080229418, 20080148357, 20080109887, 20080040789, 20070283429,
20070282855, 20070271598, 20070195792, 20070180101, 8423676, 8387128, 8332925, 8312507, 8291487, 8266235,
8151322, 8079077, 7979585, 7716378, 7675854, 7647635, 7552126
Confidentiality
This document contains confidential materials proprietary to A10 Networks, Inc. This document and information and ideas
herein may not be disclosed, copied, reproduced or distributed to anyone outside A10 Networks, Inc. without prior written
consent of A10 Networks, Inc.
A10 Networks Inc. Software License and End User Agreement

Software for all A10 Networks products contains trade secrets of A10 Networks and its subsidiaries and Customer agrees
to treat Software as confidential information.
Anyone who uses the Software does so only in compliance with the terms of the End User License Agreement (EULA),
provided later in this document or available separately. Customer shall not:
1) reverse engineer, reverse compile, reverse de-assemble or otherwise translate the Software by any means
2) sublicense, rent or lease the Software.
Disclaimer
This document does not create any express or implied warranty about A10 Networks or about its products or services,
including but not limited to fitness for a particular use and non-infringement. A10 Networks has made reasonable efforts to
verify that the information contained herein is accurate, but A10 Networks assumes no responsibility for its use. All infor-
mation is provided "as-is." The product specifications and features described in this publication are based on the latest
information available; however, specifications are subject to change without notice, and certain features may not be avail-
able upon initial product release. Contact A10 Networks for current information regarding its products or services. A10
Networks’ products and services are subject to A10 Networks’ standard terms and conditions.
Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types,
please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper dis-
posal of electronic components in your area.
Further Information
For additional information about A10 products, terms and conditions of delivery, and pricing, contact your nearest A10
Networks location, which can be found by visiting www.a10networks.com.
A10 Thunder Series and AX Series—Command Line Interface Reference
Obtaining Technical Assistance
For all customers, partners, resellers, and distributors who hold valid A10
Networks Regular and Technical Support service contracts, the A10 Net-
works Technical Assistance Center provides support services online and
over the phone.
Corporate Headquarters
A10 Networks, Inc.

3 West Plumeria Dr
San Jose, CA 95134 USA
Tel: +1-408-325-8668 (main)

Tel: +1-888-822-7210 (support – toll-free in USA)
Tel: +1-408-325-8676 (support – direct dial)
Fax: +1-408-325-8666
www.a10networks.com
Collecting System Information

Your A10 Networks device provides a simple method to collect configura-
tion and status information for Technical Support to use when diagnosing
system issues.
To collect system information, use either of the following methods.
USING THE GUI (RECOMMENDED)

1. Log into the GUI.
2. On the main page (Monitor Mode > Overview > Summary), click
. This option downloads a text log file.
3. Email the file as an attachment to support@a10networks.com.
Customer Driven Innovation 3 of 1084

Document No.: D-030-01-00-0065—ACOS 2.7.1 8/5/2013
USING THE CLI

1. Log into the CLI.
2. Enable logging in your terminal emulation application, to capture output
generated by the CLI.
3. Enter the enable command to access the Privileged EXEC mode of the
CLI. Enter your enable password at the Password prompt.
4. Enter the show techsupport command.
5. After the command output finishes, save the output in a text file.
6. Email the file as an attachment to support@a10networks.com.
Note: As an alternative to saving the output in a log file captured by your termi-
nal emulation application, you can export the output from the CLI using
the following command:
show techsupport export [use-mgmt-port] url
(For syntax information, see the CLI Reference for the software version
you are running.)
4 of 1084 Customer Driven Innovation

About This Document
About This Document
This document describes features of the A10 Networks Advanced Core

Operating System (ACOS). These features are supported on the following
product lines:
• A10 ThunderTM Series Unified Application Service Gateway
• AX Series Advanced Traffic Manager / Application Delivery Controller.
FIGURE 1 A10 Thunder 6430
FIGURE 2 AX 5630
For details about feature support on specific models, see the release notes.

About This Document
User Documentation
Information is available for ACOS products in the following documents.
These documents are included on the documentation CD shipped with your
product, and also are available on the A10 Networks support site.
Basic Setup
• Installation Guides
• System Configuration and Administration Guide
Security Guides
• Management Access Security Guide
• Application Access Management and DDoS Mitigation Guide
• Web Application Firewall Guide
Application Delivery Guides

• Application Delivery and Server Load Balancing Guide
• Global Server Load Balancing Guide
References
• LOM Reference
• GUI Reference
• CLI Reference
• aFleX Reference
• MIB Reference
• aXAPI Reference
Make sure to use the basic deployment instructions in the Installation Guide
for your Thunder or AX model, and in the System Configuration and
Administration Guide. Also make sure to set up your device’s Lights Out
Management (LOM) interface, if applicable.
Note: Some guides include GUI configuration examples. In these examples,

some GUI pages may have new options that are not shown in the example
screen images. In these cases, the new options are not applicable to the
examples. For information about any option in the GUI, see the GUI Ref-
erence or the GUI online help.

About This Document
Audience
This document is intended for use by network architects for determining
applicability and planning implementation, and for system administrators
for provision and maintenance of A10 Networks products.
Documentation Updates
Updates to these documents are published periodically to the A10 Networks
support site, on an updated documentation CD (posted as a zip archive). To
access the latest version, please log onto your A10 support account.
http://www.a10networks.com
A10 Virtual Application Delivery Community

You can use your A10 support login to access the A10 Virtual Application
Delivery Community (VirtualADC). The VirtualADC is an interactive
forum where you can find detailed information from product specialists.
You also can ask questions and leave comments. To access the VirtualADC,
navigate here:
http://www.a10networks.com/adc/

About This Document

Contents
Obtaining Technical Assistance 3

Collecting System Information.............................................................................................................. 3
About This Document 5

User Documentation............................................................................................................................... 6
Audience.................................................................................................................................................. 7
Documentation Updates ........................................................................................................................ 7
A10 Virtual Application Delivery Community....................................................................................... 7
Using the CLI 33

System Access ..................................................................................................................................... 33
Session Access Levels ........................................................................................................................ 33
HA / VRRP-A / aVCS Status in Command Prompt ............................................................................. 35
IP Version Support................................................................................................................................ 36
Partition Name in Command Prompt .................................................................................................. 36
CLI Quick Reference............................................................................................................................. 37
Context-Sensitive Help ................................................................................................................... 38
The “no” Form of Commands ......................................................................................................... 39
Command History ........................................................................................................................... 39
Editing Features and Shortcuts ...................................................................................................... 41
Searching and Filtering CLI Output ................................................................................................ 45
Regular Expressions ....................................................................................................................... 46
Special Character Support in Strings .............................................................................................. 47
aVCS Device Numbers in Commands ................................................................................................ 49
Device ID Syntax ............................................................................................................................ 49
Device ID in Other Commands ....................................................................................................... 50
CLI Message for Commands That Affect Only the Local Device ..................................................... 50
EXEC Commands 53
active-partition ........................................................................................................................................ 53
backup log ............................................................................................................................................. 54
backup system ....................................................................................................................................... 56
enable .................................................................................................................................................... 57
exit ......................................................................................................................................................... 57
health-test .............................................................................................................................................. 58
help ........................................................................................................................................................ 59
no ........................................................................................................................................................... 59
ping ........................................................................................................................................................ 59
show ...................................................................................................................................................... 61

Contents
ssh ......................................................................................................................................................... 61
telnet ...................................................................................................................................................... 62
traceroute .............................................................................................................................................. 63
Privileged EXEC mode Commands 65

active-partition ....................................................................................................................................... 65
axdebug ................................................................................................................................................. 65
backup log ............................................................................................................................................. 65
backup system ....................................................................................................................................... 65
clear ....................................................................................................................................................... 66
clock ...................................................................................................................................................... 69
configure ................................................................................................................................................ 70
debug ..................................................................................................................................................... 70
diff .......................................................................................................................................................... 70
disable ................................................................................................................................................... 72
exit ......................................................................................................................................................... 72
export ..................................................................................................................................................... 73
health-test .............................................................................................................................................. 75
help ........................................................................................................................................................ 75
import ..................................................................................................................................................... 76
locale ..................................................................................................................................................... 78
no ........................................................................................................................................................... 79
ping ........................................................................................................................................................ 79
reboot .................................................................................................................................................... 79
reload ..................................................................................................................................................... 81
repeat .................................................................................................................................................... 82
show ...................................................................................................................................................... 83
shutdown ............................................................................................................................................... 83
ssh ......................................................................................................................................................... 84
telnet ...................................................................................................................................................... 84
terminal .................................................................................................................................................. 84
traceroute .............................................................................................................................................. 85
vcs ......................................................................................................................................................... 85
write ....................................................................................................................................................... 86
write terminal ......................................................................................................................................... 88
Config Commands: Global 89

access-list (standard) ............................................................................................................................ 89
access-list (extended) ............................................................................................................................ 92
accounting ............................................................................................................................................. 97
admin ..................................................................................................................................................... 99
admin lockout ...................................................................................................................................... 103
aflex ..................................................................................................................................................... 104
arp ....................................................................................................................................................... 104
arp timeout ........................................................................................................................................... 105
audit ..................................................................................................................................................... 105
authentication ...................................................................................................................................... 107

Contents
authentication enable ........................................................................................................................... 109
authentication login privilege-mode ..................................................................................................... 109
authentication mode ............................................................................................................................ 110
authentication-logon ............................................................................................................................ 111
authentication-relay .............................................................................................................................. 111
authentication-server ........................................................................................................................... 111
authorization ........................................................................................................................................ 112
axdebug ............................................................................................................................................... 114
backup periodically .............................................................................................................................. 114
banner .................................................................................................................................................. 116
bfd echo ............................................................................................................................................... 117
bfd enable ............................................................................................................................................ 117
bfd interval ........................................................................................................................................... 118
bgp extended-asn-cap ......................................................................................................................... 119
bgp nexthop-trigger .............................................................................................................................. 119
big-buff-pool ......................................................................................................................................... 120
boot-block-fix ........................................................................................................................................ 120
bootimage ............................................................................................................................................ 121
bpdu-fwd-group .................................................................................................................................... 122
bridge-vlan-group ................................................................................................................................. 124
bw-list ................................................................................................................................................... 125
class-list (for IP limiting) ....................................................................................................................... 127
class-list (for VIP-based DNS caching) ................................................................................................ 129
class-list (for many pools, non-LSN) .................................................................................................... 131
class-list (string) ................................................................................................................................... 132
clock timezone ..................................................................................................................................... 133
convert-passwd .................................................................................................................................... 133
copy ..................................................................................................................................................... 134
debug ................................................................................................................................................... 136
delete startup-config ............................................................................................................................ 136
disable reset statistics .......................................................................................................................... 137
disable slb ............................................................................................................................................ 138
disable-failsafe ..................................................................................................................................... 138
disable-management ........................................................................................................................... 139
dnssec ................................................................................................................................................. 142
do ......................................................................................................................................................... 142
drop-icmp-to-vip-when-vip-down .......................................................................................................... 143
enable .................................................................................................................................................. 143
enable reset statistics .......................................................................................................................... 144
enable-core .......................................................................................................................................... 144
enable-def-vlan-l2-forwarding .............................................................................................................. 145
enable-jumbo ....................................................................................................................................... 145
enable-management ............................................................................................................................ 147
enable-password .................................................................................................................................. 150
end ....................................................................................................................................................... 150
erase .................................................................................................................................................... 151
event .................................................................................................................................................... 152

Contents
exit ....................................................................................................................................................... 152
extended-stats ..................................................................................................................................... 153
fail-safe ................................................................................................................................................ 153
floating-ip ............................................................................................................................................. 155
glid ....................................................................................................................................................... 155
gslb ...................................................................................................................................................... 158
ha ......................................................................................................................................................... 158
health check-rate ................................................................................................................................. 159
health disable-auto-adjust ................................................................................................................... 160
health external ..................................................................................................................................... 160
health external-rate .............................................................................................................................. 161
health global ........................................................................................................................................ 162
health monitor ...................................................................................................................................... 163
health postfile ...................................................................................................................................... 164
hostname ............................................................................................................................................. 165
hsm ...................................................................................................................................................... 166
icmp-rate-limit ...................................................................................................................................... 166
icmpv6-rate-limit .................................................................................................................................. 167
interface ............................................................................................................................................... 168
ip .......................................................................................................................................................... 169
ipv6 ...................................................................................................................................................... 169
key ....................................................................................................................................................... 169
l3-vlan-fwd-disable ............................................................................................................................... 170
lacp system-priority .............................................................................................................................. 171
lacp-passthrough ................................................................................................................................. 171
lacp-trunk ............................................................................................................................................. 172
ldap-server ........................................................................................................................................... 174
link ....................................................................................................................................................... 175
lldp enable ........................................................................................................................................... 177
lldp tx interval ....................................................................................................................................... 177
lldp tx hold ........................................................................................................................................... 178
lldp tx reinit-delay ................................................................................................................................. 178
lldp notification interval ........................................................................................................................ 179
lldp tx fast-count .................................................................................................................................. 179
lldp tx fast-interval ................................................................................................................................ 180
lldp system-description ........................................................................................................................ 180
lldp system-name ................................................................................................................................ 180
lldp management-address ................................................................................................................... 181
locale ................................................................................................................................................... 181
logging auditlog host ............................................................................................................................ 182
logging single-priority severity-level ..................................................................................................... 183
logging target severity-level ................................................................................................................. 183
logging buffered ................................................................................................................................... 184
logging email buffer ............................................................................................................................. 185
logging email filter ................................................................................................................................ 186
logging email-address ......................................................................................................................... 188
logging export ...................................................................................................................................... 189

Contents
logging facility ...................................................................................................................................... 190
logging host ......................................................................................................................................... 190
mac-address ........................................................................................................................................ 191
mac-age-time ....................................................................................................................................... 192
maximum-paths ................................................................................................................................... 193
mirror-port ............................................................................................................................................ 193
monitor ................................................................................................................................................. 195
multi-config ........................................................................................................................................... 196
no ......................................................................................................................................................... 197
ntp ........................................................................................................................................................ 197
object-group network ........................................................................................................................... 199
object-group service ............................................................................................................................. 200
packet-handling ................................................................................................................................... 203
partition ................................................................................................................................................ 204
ping ...................................................................................................................................................... 205
poap ..................................................................................................................................................... 205
radius-server ........................................................................................................................................ 206
raid ....................................................................................................................................................... 208
restore .................................................................................................................................................. 208
route-map ............................................................................................................................................ 209
router device-context ........................................................................................................................... 211
router protocol ...................................................................................................................................... 212
router log file ........................................................................................................................................ 213
router log log-buffer .............................................................................................................................. 214
router log record-priority ....................................................................................................................... 214
router log stdout ................................................................................................................................... 214
router log syslog ................................................................................................................................... 215
router log trap ...................................................................................................................................... 215
run-hw-diag .......................................................................................................................................... 216
session-filter ......................................................................................................................................... 217
slb ........................................................................................................................................................ 218
smtp ..................................................................................................................................................... 219
snmp-server community ....................................................................................................................... 220
snmp-server contact ............................................................................................................................ 221
snmp-server enable ............................................................................................................................. 222
snmp-server group ............................................................................................................................... 226
snmp-server host ................................................................................................................................. 227
snmp-server location ............................................................................................................................ 228
snmp-server user ................................................................................................................................. 228
snmp-server view ................................................................................................................................. 229
stats-data-disable ................................................................................................................................. 230
stats-data-enable ................................................................................................................................. 231
switch ................................................................................................................................................... 231
syn-cookie ............................................................................................................................................ 232
system {all-vlan-limit | per-vlan-limit} .................................................................................................... 233
system glid ........................................................................................................................................... 234
system module-ctrl-cpu ........................................................................................................................ 235
system pbslb bw-list ............................................................................................................................. 235

Contents
system pbslb id .................................................................................................................................... 236
system pbslb over-limit ........................................................................................................................ 236
system pbslb sockstress-disable ......................................................................................................... 237
system pbslb timeout ........................................................................................................................... 237
system resource-usage ....................................................................................................................... 238
system resource-usage template ........................................................................................................ 241
system template .................................................................................................................................. 245
system ve-mac-scheme ....................................................................................................................... 245
system-reset ........................................................................................................................................ 246
tacacs-server ....................................................................................................................................... 247
techreport ............................................................................................................................................ 249
terminal ................................................................................................................................................ 249
tftp blksize ............................................................................................................................................ 251
trunk ..................................................................................................................................................... 252
tx-congestion-ctrl ................................................................................................................................. 255
update .................................................................................................................................................. 255
upgrade ............................................................................................................................................... 255
vcs ....................................................................................................................................................... 257
ve-stats ................................................................................................................................................ 257
vlan ...................................................................................................................................................... 257
vrrp-a ................................................................................................................................................... 258
waf ....................................................................................................................................................... 258
web-service ......................................................................................................................................... 258
write ..................................................................................................................................................... 260
write terminal ....................................................................................................................................... 260
Config Commands: Application Access Management 261

AAM Configuration Commands .........................................................................................................262
authentication-logon form-based ......................................................................................................... 262
authentication-logon http-basic ............................................................................................................ 264
authentication-relay http-basic ............................................................................................................. 265
authentication-relay kerberos .............................................................................................................. 265
authentication-server ldap ................................................................................................................... 266
authentication-server ocsp .................................................................................................................. 268
authentication-server radius ................................................................................................................ 268
slb template authentication .................................................................................................................. 270
AAM Show Commands .......................................................................................................................271
show auth klist ..................................................................................................................................... 271
show auth logon .................................................................................................................................. 271
show auth portal .................................................................................................................................. 272
show auth relay ................................................................................................................................... 272
show auth server ................................................................................................................................. 272
show auth statistics ............................................................................................................................. 273

Contents
Config Commands: DNSSEC 275

DNSSEC Configuration Commands.................................................................................................. 276
dnssec standalone ............................................................................................................................... 276
dnssec template ................................................................................................................................... 276
hsm template ....................................................................................................................................... 278
DNSSEC Operational Commands ..................................................................................................... 279
dnssec dnskey delete .......................................................................................................................... 279
dnssec ds delete .................................................................................................................................. 280
dnssec key-rollover .............................................................................................................................. 280
dnssec sign-zone-now ......................................................................................................................... 281
hsm thales-kmdata delete .................................................................................................................... 281
hsm thales-kmdata secworld ............................................................................................................... 282
DNSSEC Show Commands................................................................................................................ 282
show dnssec dnskey ............................................................................................................................ 282
show dnssec ds ................................................................................................................................... 283
show dnssec statistics ......................................................................................................................... 283
show dnssec status .............................................................................................................................. 283
show dnssec template ......................................................................................................................... 284
show dnssec thales-kmdata ................................................................................................................. 284
show dnssec thales-secworld .............................................................................................................. 284
show hsm config .................................................................................................................................. 285
Config Commands: Interface 287

access-list ............................................................................................................................................ 287
bfd ........................................................................................................................................................ 288
cpu-process ......................................................................................................................................... 290
disable ................................................................................................................................................. 290
duplexity ............................................................................................................................................... 291
enable .................................................................................................................................................. 291
flow-control ........................................................................................................................................... 292
icmp-rate-limit ...................................................................................................................................... 292
icmpv6-rate-limit ................................................................................................................................... 293
interface ............................................................................................................................................... 294
ip address ............................................................................................................................................ 295
ip address dhcp ................................................................................................................................... 296
ip allow-promiscuous-vip ...................................................................................................................... 297
ip cache-spoofing-port ......................................................................................................................... 298
ip control-apps-use-mgmt-port (management interface only) .............................................................. 298
ip default-gateway (management interface only) ................................................................................. 299
ip helper-address ................................................................................................................................. 300
ip igmp ................................................................................................................................................. 301
ip nat .................................................................................................................................................... 304
ip ospf .................................................................................................................................................. 305
ip rip authentication .............................................................................................................................. 308

Contents
ip rip receive version ............................................................................................................................ 309
ip rip receive-packet ............................................................................................................................ 309
ip rip send version ............................................................................................................................... 309
ip rip send-packet ................................................................................................................................ 310
ip rip split-horizon ................................................................................................................................ 310
{ip | ipv6} router isis ............................................................................................................................. 310
ip slb-partition-redirect ......................................................................................................................... 311
ip tcp syn-cookie .................................................................................................................................. 311
ipv6 (on management interface) .......................................................................................................... 312
ipv6 access-list .................................................................................................................................... 312
ipv6 address ........................................................................................................................................ 312
ipv6 enable .......................................................................................................................................... 314
ipv6 nat inside ...................................................................................................................................... 314
ipv6 nat outside ................................................................................................................................... 314
ipv6 ndisc router-advertisement .......................................................................................................... 315
ipv6 ospf cost ....................................................................................................................................... 319
ipv6 ospf dead-interval ........................................................................................................................ 319
ipv6 ospf hello-interval ......................................................................................................................... 320
ipv6 ospf mtu-ignore ............................................................................................................................ 320
ipv6 ospf neighbor ............................................................................................................................... 321
ipv6 ospf network ................................................................................................................................. 322
ipv6 ospf priority .................................................................................................................................. 322
ipv6 ospf retransmit-interval ................................................................................................................ 323
ipv6 ospf transmit-delay ....................................................................................................................... 323
ipv6 rip split-horizon ............................................................................................................................. 324
ipv6 router isis ..................................................................................................................................... 324
ipv6 router ospf .................................................................................................................................... 324
ipv6 router rip ....................................................................................................................................... 325
isis authentication ................................................................................................................................ 325
isis bfd ................................................................................................................................................. 326
isis circuit-type ..................................................................................................................................... 327
isis csnp-interval .................................................................................................................................. 327
isis hello padding ................................................................................................................................. 328
isis hello-interval .................................................................................................................................. 328
isis hello-multiplier ............................................................................................................................... 329
isis lsp-interval ..................................................................................................................................... 329
isis mesh-group ................................................................................................................................... 330
isis metric ............................................................................................................................................. 330
isis network .......................................................................................................................................... 331
isis password ....................................................................................................................................... 331
isis priority ............................................................................................................................................ 332
isis restart-hello-interval ....................................................................................................................... 332
isis retransmit-interval .......................................................................................................................... 333
isis wide-metric .................................................................................................................................... 333
l3-vlan-fwd-disable ............................................................................................................................... 334
lacp port-priority ................................................................................................................................... 335
lacp timeout ......................................................................................................................................... 335

Contents
lacp trunk ............................................................................................................................................. 336
lacp udld-timeout .................................................................................................................................. 337
lldp enable ........................................................................................................................................... 338
lldp notification enable ......................................................................................................................... 338
lldp tx-tlvs ............................................................................................................................................. 338
lldp tx-dot1-tlvs ..................................................................................................................................... 339
load-interval ......................................................................................................................................... 339
monitor ................................................................................................................................................. 340
mtu ....................................................................................................................................................... 341
name .................................................................................................................................................... 342
ospf ...................................................................................................................................................... 342
snmp-server trap-source ...................................................................................................................... 344
speed ................................................................................................................................................... 345
Config Commands: VLAN 347

name .................................................................................................................................................... 347
router-interface ..................................................................................................................................... 348
tagged .................................................................................................................................................. 349
untagged .............................................................................................................................................. 349
Config Commands: IP 351

ip access-list ........................................................................................................................................ 351
ip address ............................................................................................................................................ 355
ip anomaly-drop ................................................................................................................................... 356
ip as-path ............................................................................................................................................. 358
ip community-list .................................................................................................................................. 359
ip default-gateway ................................................................................................................................ 360
ip dns ................................................................................................................................................... 361
ip extcommunity-list ............................................................................................................................. 361
ip frag buff ............................................................................................................................................ 362
ip frag max-reassembly-sessions ........................................................................................................ 362
ip frag timeout ...................................................................................................................................... 363
ip icmp disable ..................................................................................................................................... 363
ip map-list ............................................................................................................................................. 364
ip mgmt-traffic ...................................................................................................................................... 365
ip nat alg pptp ...................................................................................................................................... 366
ip nat allow-static-host ......................................................................................................................... 367
ip nat inside .......................................................................................................................................... 367
ip nat pool ............................................................................................................................................ 369
ip nat pool-group .................................................................................................................................. 371
ip nat range-list .................................................................................................................................... 373
ip nat reset-idle-tcp-conn ..................................................................................................................... 374
ip nat translation .................................................................................................................................. 374
ip prefix-list ........................................................................................................................................... 376
ip prefix-list list-id description ............................................................................................................... 378
ip prefix-list sequence-number ............................................................................................................. 379

Contents
ip route ................................................................................................................................................. 380
ip tcp syn-cookie threshold .................................................................................................................. 381
Config Commands: IPv6 383

ipv6 access-list .................................................................................................................................... 384
ipv6 address ........................................................................................................................................ 387
ipv6 default-gateway ............................................................................................................................ 388
ipv6 frag timeout .................................................................................................................................. 389
ipv6 icmpv6 disable ............................................................................................................................. 389
ipv6 nat inside source list .................................................................................................................... 390
ipv6 nat pool ........................................................................................................................................ 390
ipv6 neighbor ....................................................................................................................................... 391
ipv6 ospf display .................................................................................................................................. 392
ipv6 prefix-list sequence-number ......................................................................................................... 392
ipv6 route ............................................................................................................................................. 393
Config Commands: Router – RIP 395

Enabling RIP ........................................................................................................................................396
Interface-level RIP Commands...........................................................................................................397
IPv4 RIP Configuration Commands...................................................................................................397
cisco-metric-behavior .......................................................................................................................... 397
default-information originate ................................................................................................................ 398
default-metric ....................................................................................................................................... 398
distance ............................................................................................................................................... 398
distribute-list ........................................................................................................................................ 399
maximum-prefix ................................................................................................................................... 401
neighbor ............................................................................................................................................... 401
network ................................................................................................................................................ 402
offset-list .............................................................................................................................................. 402
passive-interface ................................................................................................................................. 403
recv-buffer-size .................................................................................................................................... 404
redistribute ........................................................................................................................................... 404
route .................................................................................................................................................... 407
timers ................................................................................................................................................... 408
version ................................................................................................................................................. 409
IPv6 RIP Configuration Commands...................................................................................................409
aggregate-address .............................................................................................................................. 409
cisco-metric-behavior .......................................................................................................................... 410
default-metric ....................................................................................................................................... 411
distribute-list ........................................................................................................................................ 411
neighbor ............................................................................................................................................... 412
offset-list .............................................................................................................................................. 413

Contents
recv-buffer-size .................................................................................................................................... 415
redistribute ........................................................................................................................................... 415
route ..................................................................................................................................................... 418
route-map ............................................................................................................................................ 418
timers ................................................................................................................................................... 419
RIP Show Commands......................................................................................................................... 420
show ip rip database ............................................................................................................................ 420
show ipv6 rip database ........................................................................................................................ 420
RIP Clear Commands ......................................................................................................................... 421
clear ip rip route ................................................................................................................................... 421
clear ipv6 rip route ............................................................................................................................... 421
Config Commands: Router – OSPF 423

Enabling OSPF.................................................................................................................................... 424
Configuration Commands Applicable to OSPFv2 or OSPFv3........................................................ 425
abr-type ................................................................................................................................................ 425
area area-id default-cost ...................................................................................................................... 425
area area-id range ............................................................................................................................... 426
area area-id stub .................................................................................................................................. 427
area area-id virtual-link ........................................................................................................................ 427
auto-cost reference bandwidth ............................................................................................................. 429
bfd ........................................................................................................................................................ 429
clear ..................................................................................................................................................... 429
default-metric ....................................................................................................................................... 431
distribute-internal ................................................................................................................................. 432
ha-standby-extra-cost .......................................................................................................................... 433
max-concurrent-dd ............................................................................................................................... 434
passive-interface .................................................................................................................................. 434
redistribute ........................................................................................................................................... 435
router-id ............................................................................................................................................... 439
timers spf exp ....................................................................................................................................... 440
Configuration Commands Applicable to OSPFv2 Only .................................................................. 440
area area-id authentication .................................................................................................................. 440
area area-id filter-list ............................................................................................................................ 441
area area-id multi-area-adjacency ....................................................................................................... 442
area area-id nssa ................................................................................................................................. 442
area area-id shortcut ............................................................................................................................ 443
compatible rfc1583 ............................................................................................................................... 444
distance ............................................................................................................................................... 445
distribute-list ......................................................................................................................................... 446
host ipaddr area ................................................................................................................................... 447
log-adjacency-changes ........................................................................................................................ 448

Contents
maximum-area ..................................................................................................................................... 448
neighbor ............................................................................................................................................... 448
network ................................................................................................................................................ 449
ospf abr-type ........................................................................................................................................ 450
ospf router-id ....................................................................................................................................... 450
overflow database ............................................................................................................................... 451
summary-address ................................................................................................................................ 452
Configuration Commands Applicable to OSPFv3 Only...................................................................452
OSPF Show Commands .....................................................................................................................453
show {ip | ipv6} ospf ............................................................................................................................. 453
show ip ospf border-routers ................................................................................................................. 454
show ip ospf database ......................................................................................................................... 455
show ipv6 ospf database ..................................................................................................................... 457
show {ip | ipv6} ospf interface .............................................................................................................. 459
show ip ospf multi-area-adjacencies ................................................................................................... 459
show {ip | ipv6} ospf neighbor .............................................................................................................. 460
show ip ospf redistributed .................................................................................................................... 461
show {ip | ipv6} ospf route ................................................................................................................... 462
show ipv6 ospf topology ...................................................................................................................... 463
show {ip | ipv6} ospf virtual-links .......................................................................................................... 463
Config Commands: Router – IS-IS 465

address-family ..................................................................................................................................... 466
adjacency-check .................................................................................................................................. 467
area-password ..................................................................................................................................... 468
authentication ...................................................................................................................................... 469
bfd ........................................................................................................................................................ 470
distance ............................................................................................................................................... 471
domain-password ................................................................................................................................ 471
ha-standby-extra-cost .......................................................................................................................... 472
ignore-lsp-errors .................................................................................................................................. 472
is-type .................................................................................................................................................. 473
log-adjacency-changes ........................................................................................................................ 473
lsp-gen-interval .................................................................................................................................... 473
lsp-refresh-interval ............................................................................................................................... 474
max-lsp-lifetime ................................................................................................................................... 474
metric-style .......................................................................................................................................... 475
net ........................................................................................................................................................ 476
protocol-topology ................................................................................................................................. 478
redistribute ........................................................................................................................................... 479
restart-timer ......................................................................................................................................... 482
set-overload-bit .................................................................................................................................... 482
spf-interval-exp .................................................................................................................................... 484
summary-address ................................................................................................................................ 484

Contents
IS-IS Show Commands....................................................................................................................... 485
show ip isis [tag] route ......................................................................................................................... 485
show ipv6 isis [tag] route ...................................................................................................................... 486
show ipv6 isis [tag] topology ................................................................................................................ 486
show isis counter ................................................................................................................................. 487
show isis [tag] database ....................................................................................................................... 488
show isis interface ................................................................................................................................ 489
show isis [tag] topology ........................................................................................................................ 490
Config Commands: Router – BGP 491

Enabling BGP...................................................................................................................................... 492
BGP Configuration Commands......................................................................................................... 493
Commands at the Global Configuration Level .............................................................................. 493
bgp extended-asn-cap ......................................................................................................................... 493
bgp nexthop-trigger .............................................................................................................................. 493
Commands at the BGP Router Configuration Level ..................................................................... 494
address-family ...................................................................................................................................... 494
aggregate-address ............................................................................................................................... 495
auto-summary ...................................................................................................................................... 496
bgp always-compare-med .................................................................................................................... 496
bgp bestpath ........................................................................................................................................ 496
bgp dampening .................................................................................................................................... 497
bgp default ........................................................................................................................................... 498
bgp deterministic-med .......................................................................................................................... 499
bgp enforce-first-as .............................................................................................................................. 499
bgp fast-external-failover ..................................................................................................................... 499
bgp log-neighbor-changes ................................................................................................................... 500
bgp router-id ........................................................................................................................................ 500
bgp scan-time ...................................................................................................................................... 500
distance ............................................................................................................................................... 501
neighbor activate ................................................................................................................................. 502
neighbor advertisement-interval ........................................................................................................... 502
neighbor allowas-in .............................................................................................................................. 503
neighbor as-origination-interval ............................................................................................................ 503
neighbor capability ............................................................................................................................... 504
neighbor collide-established ................................................................................................................ 505
neighbor connection-retry-time ............................................................................................................ 506
neighbor default-originate .................................................................................................................... 506
neighbor description ............................................................................................................................. 507
neighbor disallow-infinite-holdtime ....................................................................................................... 507
neighbor distribute-list .......................................................................................................................... 508
neighbor dont-capability-negotiate ....................................................................................................... 508
neighbor ebgp-multihop ....................................................................................................................... 509
neighbor enforce-multihop ................................................................................................................... 509
neighbor filter-list .................................................................................................................................. 509

Contents
neighbor maximum-prefix .................................................................................................................... 510
neighbor next-hop-self ......................................................................................................................... 511
neighbor override-capability ................................................................................................................ 511
neighbor passive ................................................................................................................................. 512
neighbor password .............................................................................................................................. 512
neighbor peer-group ............................................................................................................................ 513
neighbor prefix-list ............................................................................................................................... 513
neighbor remote-as ............................................................................................................................. 514
neighbor remove-private-as ................................................................................................................. 515
neighbor route-map ............................................................................................................................. 515
neighbor send-community ................................................................................................................... 516
neighbor shutdown .............................................................................................................................. 517
neighbor soft-reconfiguration ............................................................................................................... 517
neighbor strict-capability-match ........................................................................................................... 518
neighbor timers .................................................................................................................................... 518
neighbor unsuppress-map ................................................................................................................... 519
neighbor update-source ....................................................................................................................... 520
neighbor version .................................................................................................................................. 520
neighbor weight ................................................................................................................................... 521
network ................................................................................................................................................ 521
synchronization .................................................................................................................................... 522
redistribute ........................................................................................................................................... 523
timers ................................................................................................................................................... 525
BGP Show Commands .......................................................................................................................526
show bgp ipv4addr .............................................................................................................................. 526
show bgp ipv6addr .............................................................................................................................. 526
show bgp ipv4 {multicast | unicast} ...................................................................................................... 527
show bgp ipv4 neighbors ..................................................................................................................... 529
show bgp ipv4 prefix-list ...................................................................................................................... 530
show bgp ipv4 quote-regexp ............................................................................................................... 530
show bgp ipv4 summary ...................................................................................................................... 530
show bgp ipv6 ...................................................................................................................................... 531
show bgp nexthop-tracking .................................................................................................................. 534
show bgp nexthop-tree-details ............................................................................................................ 534
show ip bgp attribute-info .................................................................................................................... 534
show ip bgp cidr-only ........................................................................................................................... 534
show [ip] bgp community ..................................................................................................................... 534
show ip bgp community-info ................................................................................................................ 535
show [ip] bgp community-list ............................................................................................................... 535
show [ip] bgp dampening ..................................................................................................................... 536
show [ip] bgp filter-list .......................................................................................................................... 536
show [ip] bgp inconsistent-as .............................................................................................................. 536
show ip bgp ipv4 .................................................................................................................................. 537
show [ip] bgp neighbors ....................................................................................................................... 539
show [ip] bgp paths .............................................................................................................................. 541
show [ip] bgp prefix-list ........................................................................................................................ 541

Contents
show [ip] bgp quote-regexp .................................................................................................................. 541
show [ip] bgp regexp ............................................................................................................................ 541
show [ip] bgp route-map ...................................................................................................................... 541
show ip bgp scan ................................................................................................................................. 542
show [ip] bgp summary ........................................................................................................................ 542
show ip bgp view .................................................................................................................................. 542
BGP Clear Commands ....................................................................................................................... 543
clear [ip] bgp {* | AS-num} .................................................................................................................... 543
clear [ip] bgp ipv4addr .......................................................................................................................... 544
clear [ip] bgp ipv6addr .......................................................................................................................... 545
clear ip bgp dampening ........................................................................................................................ 545
clear [ip] bgp external ........................................................................................................................... 545
clear ip bgp flap-statistics ..................................................................................................................... 546
clear [ip] bgp ipv4 ................................................................................................................................. 546
clear [ip] bgp ipv6 ................................................................................................................................. 547
clear [ip] bgp peer-group ...................................................................................................................... 547
clear [ip] bgp view ................................................................................................................................ 548
Config Commands: Server Load Balancing 549

slb buff-thresh ...................................................................................................................................... 549
slb compress-block-size ....................................................................................................................... 550
slb conn-rate-limit ................................................................................................................................. 550
slb dns-cache-age ................................................................................................................................ 552
slb dns-cache-enable ........................................................................................................................... 553
slb dns-cache-entry-size ...................................................................................................................... 554
slb dsr-health-check-enable ................................................................................................................. 554
slb enable-ddos ................................................................................................................................... 555
slb enable-l7-req-acct .......................................................................................................................... 555
slb fast-path-disable ............................................................................................................................. 556
slb gateway-health-check .................................................................................................................... 556
slb graceful-shutdown .......................................................................................................................... 557
slb hw-compression ............................................................................................................................. 558
slb hw-syn-rr ........................................................................................................................................ 558
slb l2l3-trunk-lb-disable ........................................................................................................................ 559
slb max-buff-queued-per-conn ............................................................................................................. 559
slb msl-time .......................................................................................................................................... 559
slb mss-table ........................................................................................................................................ 560
slb rate-limit-logging ............................................................................................................................. 561
slb reset-stale-session ......................................................................................................................... 562
slb scale-out ......................................................................................................................................... 562
slb server ............................................................................................................................................. 562
slb service-group .................................................................................................................................. 564
slb snat-gwy-for-l3 ................................................................................................................................ 565
slb snat-on-vip ...................................................................................................................................... 565
slb sort-res ........................................................................................................................................... 566
slb ssl-create certificate ....................................................................................................................... 567

Contents
slb ssl-create csr .................................................................................................................................. 569
slb ssl-delete ........................................................................................................................................ 571
slb ssl-expire-check email-address ..................................................................................................... 571
slb ssl-expire-check exception ............................................................................................................. 572
slb ssl-load ........................................................................................................................................... 572
slb ssl-module ...................................................................................................................................... 574
slb template ......................................................................................................................................... 575
slb transparent-tcp-template ................................................................................................................ 576
slb virtual-server .................................................................................................................................. 576
Config Commands: SLB Templates 579

slb template authentication .................................................................................................................. 580
slb template cache ............................................................................................................................... 581
slb template cipher .............................................................................................................................. 586
slb template client-ssl .......................................................................................................................... 587
slb template connection-reuse ............................................................................................................. 594
slb template dblb ................................................................................................................................. 595
slb template diameter .......................................................................................................................... 596
slb template dns (DNS caching) .......................................................................................................... 601
slb template dns (DNS security) .......................................................................................................... 604
slb template external-service ............................................................................................................... 605
slb template fix ..................................................................................................................................... 607
slb template ftp .................................................................................................................................... 609
slb template http .................................................................................................................................. 610
slb template http-policy ........................................................................................................................ 622
slb template logging ............................................................................................................................. 623
slb template monitor ............................................................................................................................ 625
slb template persist cookie .................................................................................................................. 626
slb template persist destination-ip ....................................................................................................... 630
slb template persist source-ip .............................................................................................................. 633
slb template persist ssl-sid .................................................................................................................. 638
slb template policy ............................................................................................................................... 639
slb template port .................................................................................................................................. 646
slb template server .............................................................................................................................. 654
slb template server-ssl ......................................................................................................................... 660
slb template sip (SIP over UDP) .......................................................................................................... 664
slb template sip (SIP over TCP/TLS) ................................................................................................... 668
slb template smpp ............................................................................................................................... 672
slb template smtp ................................................................................................................................ 673
slb template streaming-media ............................................................................................................. 677
slb template tcp ................................................................................................................................... 678
slb template tcp-proxy ......................................................................................................................... 681
slb template udp .................................................................................................................................. 688
slb template virtual-port ....................................................................................................................... 690
slb template virtual-server ................................................................................................................... 696
slb template waf ................................................................................................................................... 700

Contents
Config Commands: SLB Servers 701

alternate ............................................................................................................................................... 701
conn-limit .............................................................................................................................................. 702
conn-resume ........................................................................................................................................ 703
disable ................................................................................................................................................. 703
enable .................................................................................................................................................. 704
extended-stats ..................................................................................................................................... 704
external-ip ............................................................................................................................................ 704
fire-wall ................................................................................................................................................. 705
ha-priority-cost ..................................................................................................................................... 705
health-check ........................................................................................................................................ 706
ipv6 ...................................................................................................................................................... 707
port ....................................................................................................................................................... 707
slow-start .............................................................................................................................................. 711
spoofing-cache .................................................................................................................................... 712
template server .................................................................................................................................... 713
weight .................................................................................................................................................. 714
Config Commands: SLB Service Groups 715

backup-server-event-log ...................................................................................................................... 715
extended-stats ..................................................................................................................................... 717
health-check ........................................................................................................................................ 717
member ................................................................................................................................................ 718
method ................................................................................................................................................. 720
min-active-member .............................................................................................................................. 726
priority .................................................................................................................................................. 727
priority-affinity ....................................................................................................................................... 729
reset auto-switch .................................................................................................................................. 730
reset-on-server-selection-fail ............................................................................................................... 730
template ............................................................................................................................................... 731
traffic-replication-type ........................................................................................................................... 732
Config Commands: SLB Virtual Servers 735

arp-disable ........................................................................................................................................... 735
description ........................................................................................................................................... 736
disable ................................................................................................................................................. 736
enable .................................................................................................................................................. 737
extended-stats ..................................................................................................................................... 737
ha-dynamic .......................................................................................................................................... 738
ha-group .............................................................................................................................................. 738
port ....................................................................................................................................................... 739
redistribution-flagged ........................................................................................................................... 741

Contents
stats-data-disable ................................................................................................................................ 741
template logging .................................................................................................................................. 742
template policy ..................................................................................................................................... 742
template virtual-server ......................................................................................................................... 742
vrid ....................................................................................................................................................... 743
Config Commands: SLB Virtual Server Ports 745

access-list ............................................................................................................................................ 745
aflex ..................................................................................................................................................... 747
alternate ............................................................................................................................................... 748
clientip-sticky-nat ................................................................................................................................. 749
conn-limit ............................................................................................................................................. 749
def-selection-if-pref-failed .................................................................................................................... 750
disable ................................................................................................................................................. 751
enable .................................................................................................................................................. 752
extended-stats ..................................................................................................................................... 752
ha-conn-mirror ..................................................................................................................................... 752
ip-map-list ............................................................................................................................................ 753
ipinip .................................................................................................................................................... 754
name .................................................................................................................................................... 754
no-dest-nat .......................................................................................................................................... 754
pbslb .................................................................................................................................................... 756
reset-on-server-selection-fail ............................................................................................................... 758
service-group ....................................................................................................................................... 758
snat-on-vip ........................................................................................................................................... 759
source-nat auto .................................................................................................................................... 759
source-nat pool .................................................................................................................................... 760
stats-data-disable ................................................................................................................................ 761
syn-cookie ........................................................................................................................................... 762
template ............................................................................................................................................... 763
template virtual-port ............................................................................................................................. 764
use-default-if-no-server ....................................................................................................................... 764
use-rcv-hop-for-resp ............................................................................................................................ 765
Config Commands: Health Monitors 767

disable-after-down ............................................................................................................................... 767
method ................................................................................................................................................. 768
override-ipv4 ........................................................................................................................................ 782
override-ipv6 ........................................................................................................................................ 783
override-port ........................................................................................................................................ 783
passive ................................................................................................................................................ 784
strictly-retry-on-server-error-response ................................................................................................. 786

Contents
aVCS Commands 787

aVCS Operational Commands........................................................................................................... 788
router device-context ........................................................................................................................... 788
vcs device-context ............................................................................................................................... 788
vcs disable ........................................................................................................................................... 789
vcs enable ............................................................................................................................................ 790
vcs vmaster-maintenance .................................................................................................................... 790
vcs vmaster-message-buffer ................................................................................................................ 791
vcs vmaster-take-over .......................................................................................................................... 792
aVCS Configuration Commands ....................................................................................................... 794
vcs dead-interval .................................................................................................................................. 794
vcs debug ............................................................................................................................................ 794
vcs device ............................................................................................................................................ 795
vcs failure-retry-count .......................................................................................................................... 796
vcs floating-ip ....................................................................................................................................... 797
vcs multicast-ip .................................................................................................................................... 797
vcs multicast-port ................................................................................................................................. 798
vcs reload ............................................................................................................................................ 798
vcs ssl-enable ...................................................................................................................................... 799
vcs time-interval ................................................................................................................................... 799
vcs vmaster-maintenance .................................................................................................................... 799
vcs vmaster-message-buffer ................................................................................................................ 800
Config Commands: VRRP-A Commands 801

vrrp-a arp-retry ..................................................................................................................................... 802
vrrp-a dead-timer ................................................................................................................................. 802
vrrp-a device-id .................................................................................................................................... 803
vrrp-a disable-default-vrid .................................................................................................................... 803
vrrp-a enable ........................................................................................................................................ 803
vrrp-a fail-over-policy-template ............................................................................................................ 804
vrrp-a force-self-standby ...................................................................................................................... 806
vrrp-a ha-migration ............................................................................................................................... 806
vrrp-a ha-migration-restore .................................................................................................................. 807
vrrp-a hello-interval .............................................................................................................................. 807
vrrp-a interface ..................................................................................................................................... 807
vrrp-a preemption-delay ....................................................................................................................... 808
vrrp-a preferred-session-sync-port ethernet ........................................................................................ 809
vrrp-a set-id .......................................................................................................................................... 809
vrrp-a track-event-delay ....................................................................................................................... 810
vrrp-a vrid ............................................................................................................................................. 810
vrrp-a vrid-lead ..................................................................................................................................... 813

Contents
Config Commands: High Availability 815

ha arp-retry .......................................................................................................................................... 816
ha check gateway ................................................................................................................................ 816
ha check route ..................................................................................................................................... 817
ha check vlan ....................................................................................................................................... 819
ha conn-mirror ..................................................................................................................................... 820
ha force-self-standby ........................................................................................................................... 821
ha forward-l4-packet-on-standby ......................................................................................................... 822
ha group .............................................................................................................................................. 823
ha id ..................................................................................................................................................... 823
ha inline-mode ..................................................................................................................................... 824
ha interface .......................................................................................................................................... 825
ha l3-inline-mode ................................................................................................................................. 827
ha link-event-delay .............................................................................................................................. 828
ha ospf-inline vlan ................................................................................................................................ 828
ha preemption-enable .......................................................................................................................... 829
ha restart-port-list ................................................................................................................................ 829
ha restart-time ..................................................................................................................................... 830
ha sync ................................................................................................................................................ 831
ha time-interval .................................................................................................................................... 836
ha timeout-retry-count ......................................................................................................................... 837
Show Commands 839

show access-list .................................................................................................................................. 839
show active-partition ............................................................................................................................ 839
show admin ......................................................................................................................................... 840
show aflex ............................................................................................................................................ 844
show arp .............................................................................................................................................. 844
show audit ........................................................................................................................................... 845
show auth ............................................................................................................................................ 846
show axdebug capture ........................................................................................................................ 846
show axdebug config ........................................................................................................................... 846
show axdebug config-file ..................................................................................................................... 847
show axdebug file ................................................................................................................................ 847
show axdebug filter .............................................................................................................................. 848
show axdebug status ........................................................................................................................... 848
show backup ........................................................................................................................................ 849
show bfd .............................................................................................................................................. 849
show bgp ............................................................................................................................................. 855
show bootimage .................................................................................................................................. 855
show bpdu-fwd-group .......................................................................................................................... 856
show bridge-vlan-group ....................................................................................................................... 856
show bw-list ......................................................................................................................................... 857
show class-list ..................................................................................................................................... 858
show clns ............................................................................................................................................. 860
show clock ........................................................................................................................................... 860

Contents
show core ............................................................................................................................................ 861
show cpu .............................................................................................................................................. 862
show debug ......................................................................................................................................... 864
show disk ............................................................................................................................................. 865
show dns statistics ............................................................................................................................... 866
show dns cache ................................................................................................................................... 867
show dumpthread ................................................................................................................................ 869
show environment ................................................................................................................................ 869
show errors .......................................................................................................................................... 870
show event-action ................................................................................................................................ 876
show fail-safe ....................................................................................................................................... 876
show feature-license ............................................................................................................................ 878
show glid .............................................................................................................................................. 879
show gslb ............................................................................................................................................. 880
show ha ............................................................................................................................................... 880
show hardware ..................................................................................................................................... 884
show health .......................................................................................................................................... 885
show history ......................................................................................................................................... 889
show hsm ............................................................................................................................................. 890
show icmp ............................................................................................................................................ 890
show icmpv6 ........................................................................................................................................ 891
show interfaces .................................................................................................................................... 892
show interfaces media ......................................................................................................................... 894
show interfaces statistics ..................................................................................................................... 895
show ip dns .......................................................................................................................................... 896
show ip ................................................................................................................................................. 896
show ip active-vrid ............................................................................................................................... 896
show {ip | ipv6} fib ................................................................................................................................ 899
show ip helper-address ........................................................................................................................ 900
show {ip | ipv6} interfaces .................................................................................................................... 904
show {ip | ipv6} nat ............................................................................................................................... 905
show ipv6 ndisc .................................................................................................................................... 909
show ipv6 neighbor .............................................................................................................................. 910
show ip protocols ................................................................................................................................. 911
show ipv6 protocols ............................................................................................................................. 911
show ip route ....................................................................................................................................... 911
show ipv6 route .................................................................................................................................... 912
show ipv6 traffic ................................................................................................................................... 913
show isis .............................................................................................................................................. 913
show key-chain .................................................................................................................................... 913
show lacp ............................................................................................................................................. 914
show lacp-passthrough ........................................................................................................................ 915
show license ........................................................................................................................................ 915
show lldp statistics ............................................................................................................................... 916
show lldp neighbor statistics ................................................................................................................ 916
show locale .......................................................................................................................................... 916
show log ............................................................................................................................................... 917

Contents
show mac-address-table ..................................................................................................................... 918
show management .............................................................................................................................. 919
show memory ...................................................................................................................................... 921
show mirror .......................................................................................................................................... 923
show monitor ....................................................................................................................................... 924
show ntp .............................................................................................................................................. 924
show object-group ............................................................................................................................... 925
show partition ...................................................................................................................................... 925
show pbslb ........................................................................................................................................... 926
show poap ........................................................................................................................................... 928
show process ....................................................................................................................................... 929
show radius-server .............................................................................................................................. 930
show reboot ......................................................................................................................................... 930
show router log file .............................................................................................................................. 930
show running-config ............................................................................................................................ 931
show session ....................................................................................................................................... 934
show shutdown .................................................................................................................................... 942
show slb ............................................................................................................................................... 942
show smtp ........................................................................................................................................... 943
show snmp .......................................................................................................................................... 943
show snmp-stats .................................................................................................................................. 945
show startup-config ............................................................................................................................. 946
show statistics ..................................................................................................................................... 948
show store ........................................................................................................................................... 949
show switch ......................................................................................................................................... 950
show system platform .......................................................................................................................... 951
show system resource-usage .............................................................................................................. 952
show tacacs-server .............................................................................................................................. 954
show techsupport ................................................................................................................................ 954
show terminal ...................................................................................................................................... 955
show tftp .............................................................................................................................................. 955
show trunk ........................................................................................................................................... 956
show vcs debug ................................................................................................................................... 957
show vcs images ................................................................................................................................. 957
show vcs message-buffer .................................................................................................................... 958
show vcs stat ....................................................................................................................................... 958
show vcs summary .............................................................................................................................. 973
show version ........................................................................................................................................ 974
show vlans ........................................................................................................................................... 975
show vrrp-a .......................................................................................................................................... 975
show vrrp-a config ............................................................................................................................... 978
show vrrp-a detail ................................................................................................................................ 978
show vrrp-a fail-over-policy-template ................................................................................................... 979
show vrrp-a mac .................................................................................................................................. 979
show vrrp-a setid-monitor .................................................................................................................... 980
show waf-policy ................................................................................................................................... 980
show web-service ................................................................................................................................ 980

Contents
SLB Show Commands 983

show slb aflow ...................................................................................................................................... 983
show slb attack-prevention .................................................................................................................. 984
show slb cache .................................................................................................................................... 985
show slb compression .......................................................................................................................... 990
show slb connection-reuse .................................................................................................................. 991
show slb conn-rate-limit ....................................................................................................................... 993
show slb diameter ................................................................................................................................ 994
show slb fast-http-proxy ....................................................................................................................... 997
show slb fix ........................................................................................................................................ 1000
show slb ftp ........................................................................................................................................ 1001
show slb generic-proxy ...................................................................................................................... 1002
show slb geo-location ........................................................................................................................ 1002
show slb http-proxy ............................................................................................................................ 1003
show slb hw-compression .................................................................................................................. 1007
show slb l4 ......................................................................................................................................... 1008
show slb mssql ................................................................................................................................... 1016
show slb mysql ................................................................................................................................... 1016
show slb passthrough ........................................................................................................................ 1017
show slb performance ........................................................................................................................ 1017
show slb persist ................................................................................................................................. 1018
show slb rate-limit-logging ................................................................................................................. 1021
show slb server .................................................................................................................................. 1022
show slb service-group ...................................................................................................................... 1033
show slb sip ....................................................................................................................................... 1038
show slb smpp ................................................................................................................................... 1039
show slb smtp .................................................................................................................................... 1044
show slb ssl ........................................................................................................................................ 1047
show slb ssl-expire-check .................................................................................................................. 1050
show slb ssl-forward-proxy-cert ......................................................................................................... 1051
show slb switch .................................................................................................................................. 1051
show slb syn-cookie-buffer ................................................................................................................ 1056
show slb tcp stack .............................................................................................................................. 1056
show slb template .............................................................................................................................. 1059
show slb virtual-server ....................................................................................................................... 1060
show slb waf ...................................................................................................................................... 1068
AX Debug Commands 1069

capture ............................................................................................................................................... 1070
count .................................................................................................................................................. 1073
delete ................................................................................................................................................. 1073
filter .................................................................................................................................................... 1074
incoming | outgoing ............................................................................................................................ 1076
length ................................................................................................................................................. 1076
maxfile ............................................................................................................................................... 1077
outgoing ............................................................................................................................................. 1077
timeout ............................................................................................................................................... 1077

Contents
show health stat Up / Down Causes 1079

Up Causes..........................................................................................................................................1079
Down Causes.....................................................................................................................................1080

Using the CLI
Using the CLI
This chapter describes how to use the Command Line Interface (CLI) for
the A10 Thunder Series and AX Series from A10 Networks. The commands
and their options are described in the other chapters.
System Access
You can access the CLI through a console connection, an SSH session, or a
Telnet session. Regardless of which connection method is used, access to the
A10 Advanced Core Operating System (ACOS) CLI generally is referred to
as an EXEC session or simply a CLI session.
Note: By default, Telnet access is disabled on all interfaces, including the man-
agement interface. SSH, HTTP, HTTPS, and SNMP access are enabled by
default on the management interface only, and disabled by default on all
data interfaces.
Session Access Levels

As a security feature, the A10 Thunder Series and AX Series operating sys-
tem separates EXEC sessions into two different access levels – “User
EXEC” level and “Privileged EXEC” level. User EXEC level allows you to
access only a limited set of basic monitoring commands. The privileged
EXEC level allows you to access all A10 Thunder Series and AX Series
commands (configuration mode, configuration sub-modes and management
mode) and can be password protected to allow only authorized users the
ability to configure or maintain the system.
User EXEC Level: ACOS>

This is the first level entered when a CLI session begins. At this level, users
can view basic system information but cannot configure system or port
parameters.
• A10 Thunder Series models contain “ACOS” plus the model number in
the prompt. For example, when an EXEC session is started, the
A10 Thunder 6430 will display the following prompt: ACOS6430>
• AX Series models contain “AX” plus the model number in the prompt.
For example, when an EXEC session is started, the AX 3030 will dis-
play the following prompt: AX3030>

Using the CLI
The right arrow (>) in the prompt indicates that the system is at the “User
EXEC” level. The User EXEC level does not contain any commands that
might control (for example, reload or configure) the operation of the ACOS
device. To list the commands available at the User EXEC level, type a ques-
tion mark (?) then press Enter at the prompt; for example, ACOS>?.
Note: For simplicity, this document uses “ACOS” in CLI prompts, unless refer-
ring to a specific model. Likewise, A10 Thunder Series or AX Series
devices are referred to as “ACOS devices”, since they both run ACOS
software.
Privileged EXEC Level: ACOS#

This level is also called the “enable” level because the enable command
is used to gain access. Privileged EXEC level can be password secured. The
“privileged” user can perform tasks such as manage files in the flash mod-
ule, save the system configuration to flash, and clear caches at this level.
Critical commands (configuration and management) require that the user be

at the “Privileged EXEC” level. To change to the Privileged EXEC level,
type enable then press Enter at the ACOS> prompt. If an “enable” pass-
word is configured, the A10 Thunder Series and AX Series will then prompt
for that password. When the correct password is entered, the A10 Thunder
Series and AX Series prompt will change from ACOS> to ACOS# to indi-
cate that the user is now at the “Privileged EXEC” level. To switch back to
the “User EXEC” level, type disable at the ACOS# prompt. Typing a
question mark (?) at the Privileged EXEC level will now reveal many more
command options than those available at the User EXEC level.
Privileged EXEC Level - Config Mode: ACOS(config)#

The Privileged EXEC level’s configuration mode is used to configure the
system IP address and to configure switching and routing features. To
access the configuration mode, you must first be logged into the Privileged
EXEC level.
From the opening CLI prompt, enter the following command to change to
the Privileged level of the EXEC mode:
ACOS>enable
To access the configuration level of the CLI, enter the config command:
ACOS#config
The prompt changes to include “(config)”:

ACOS(config)#

Using the CLI
HA / VRRP-A / aVCS Status in Command Prompt

You can configure the following information to be included in the CLI
prompt:
• High Availability (HA) status of the ACOS device: Active, Standby, or
ForcedStandby
• Hostname of the ACOS device
• aVCS status (vMaster or vBlade), virtual chassis ID, and device ID
Example Here is an example of a CLI prompt that shows all these information items:
ACOS-Active-vMaster[1/1]>
This prompt contains the following information:

• ACOS – Hostname of the ACOS device.
• Active – This ACOS device is a member of an HA or VRRP-A set,

and is currently the active device for at least one virtual port.
• vMaster[1/1] – This ACOS device is currently acting as the vMas-
ter for virtual chassis 1, and is device ID 1 within that virtual chassis.
By default, all these information items are included in the CLI prompt. You
can customize the CLI prompt by explicitly enabling the individual infor-
mation items to be displayed.
Using the CLI
To explicitly enable display of information items in the CLI prompt, use the
following command at the global configuration level of the CLI:
terminal prompt info-item-list
The info-item-list can contain on or more of the following values:

• vcs-status [chassis-device-id] – Enables display of the
aVCS status of the device.
The chassis-device-id option enables display of the virtual chassis ID
and device ID.
• ha-status – Enables display of the HA status of the ACOS device
(Active, Standby, or ForcedStandby).

Using the CLI
• hostname – Enables display of the ACOS hostname.
• chassis-device-id—Display aVCS device id in the prompt. For

example, this can be 7/1, where the number 7 indicates the chassis ID
and 1 indicates the device ID within the aVCS set.
Note: The aVCS Chassis ID and the aVCS Device ID are configurable as part of
the prompt if aVCS is running. The prompt that you specify will be syn-
chronized and reflected on all the other devices in the aVCS set.
Note: The no-ha-prompt option has been deprecated as of release 2.7.0. To dis-
able display of HA status in the CLI prompt, use the following command:
no terminal prompt ha-status
Restoring the Default Prompt Display

To re-enable display of all the information items, use the following
command at the global configuration level of the CLI:
no terminal prompt
Example The following command disables display of the aVCS status and hostname
in the CLI prompt:
ACOS2-Active-vMaster[1/1](config)#terminal prompt ha-status
Active(config)#
The following command re-enables display of all the information items:

Active(config)#no terminal prompt
ACOS2-Active-vMaster[1/1](config)#
IP Version Support
Unless otherwise noted, where “ipaddr” is shown as a command option, an
IPv4 or IPv6 address can be specified.
Partition Name in Command Prompt

Application Delivery Partitioning (ADP) allows resources on the ACOS
device to be allocated to independent application delivery partitions.
Depending on the access privileges allowed to an admin, the active partition
for a CLI session is either the shared partition or a private partition.

Using the CLI
If the CLI session is on a private partition, the partition name is included in
the CLI prompt. For example, for private partition “corpa”, the prompt for
the global configuration level of the CLI looks like the following:
ACOS[corpa](config)#
In this example, the partition name is shown in bold type. This example
assumes that the hostname of the device is “ACOS”.
If the partition is the shared partition and not a private partition, the CLI
prompt is as shown without a partition name.
CLI Quick Reference

Entering the help command (available at any command level) returns the
CLI Quick Reference, as follows:
ACOS>help
CLI Quick Reference
===============
1. Online Help
Enter “?” at a command prompt to list the commands available at that CLI level.
Enter "?" at any point within a command to list the available options.
Two types of help are provided:

1) When you are ready to enter a command option, type "?" to display each
possible option and its description. For example: show ?
2) If you enter part of an option followed by "?", each command or option that
matches the input is listed. For example: show us?
2. Word Completion
The CLI supports command completion, so you do not need to enter the entire
name of a command or option. As long as you enter enough characters of the
command or option name to avoid ambiguity with other commands or options, the
CLI can complete the command or option.
After entering enough characters to avoid ambiguity, press "tab" to
auto-complete the command or option.
ACOS>

Using the CLI
Context-Sensitive Help
Enter a question mark (?) at the system prompt to display a list of available
commands for each command mode. The context-sensitive help feature pro-
vides a list of the arguments and keywords available for any command.
To view help specific to a command name, a command mode, a keyword, or
an argument, enter any of the following commands:
Prompt Command Purpose

Help Displays the CLI Quick Reference
abbreviated- Lists all commands beginning with abbreviation before
command-help? the (?). If the abbreviation is not found, the A10 Thun-
ACOS>
der Series and AX Series returns:
% Ambiguous command
or
abbreviated- Completes a partial command name if unambiguous.
ACOS# command-com-
plete<Tab>
or ? Lists all valid commands available at the current level
command ? Lists the available syntax options (arguments and key-
(config)#
words) for the entered command.
command key- Lists the next available syntax option for the command.
word ?
A space (or lack of a space) before the question mark (?) is significant when
using context-sensitive help. To determine which commands begin with a
specific character sequence, type in those characters followed directly by
the question mark; e.g. ACOS#te?. Do not include a space. This help form
is called “word help”, because it completes the word for you.
To list arguments or keywords, enter a question mark (?) in place of the
argument or the keyword. Include a space before the (?); e.g.
ACOS# terminal ?. This form of help is called “command syntax
help”, because it shows you which keywords or arguments are available
based on the command, keywords, and arguments that you already entered.
Users can abbreviate commands and keywords to the minimum number of
characters that constitute a unique abbreviation. For example, you can
abbreviate the config terminal command to conf t. If the abbrevi-
ated form of the command is unique, then the A10 Thunder Series and AX
Series accepts the abbreviated form and executes the command.

Using the CLI
Context Sensitive Help Examples
The following example illustrates how the context-sensitive help feature
enables you to create an access list from configuration mode.
Enter the letters co at the system prompt followed by a question mark (?).
Do not leave a space between the last letter and the question mark. The sys-
tem provides the commands that begin with co.
ACOS#co?
config Entering config mode
Enter the config command followed by a space and a question mark to

list the keywords for the command and a brief explanation:
ACOS#config ?
terminal Config from the terminal
<cr>
The <cr> symbol (cr stands for carriage return) appears in the list to indi-
cate that one of your options is to press the Return or Enter key to execute
the command, without adding any additional keywords.
In this example, the output indicates that your only option for the config
command is config terminal (configure manually from the terminal
connection).
The “no” Form of Commands

Most configuration commands have a no form. Typically, you use the no
form to disable a feature or function. The command without the no key-
word is used to re-enable a disabled feature or to enable a feature that is dis-
abled by default; for example, if the terminal auto-size has been enabled
previously. To disable terminal auto-size, use the no terminal auto-
size form of the terminal auto-size command. To re-enable it, use
the terminal auto-size form. This document describes the function
of the no form of the command whenever a no form is available.
Command History
The CLI provides a history or record of commands that you have entered.
This feature is particularly useful for recalling long or complex commands
or entries, including access lists. To use the command history feature, per-
form any of the tasks described in the following sections:
• Setting the command history buffer size
• Recalling commands
• Disabling the command history feature

Using the CLI
Setting the Command History Buffer Size

The A10 Thunder Series and AX Series records ten command lines in its
history buffer, by default. To change the number of command lines that the
system will record during the current terminal session, use the following
command in EXEC mode:
Convention Description
ACOS# terminal history Enables the command history feature for the cur-
[size number-of-lines] rent terminal session.
ACOS# no terminal history size Resets the number of commands saved in the history
buffer to the default of 256 commands.
ACOS(config)# terminal history Enables the command history feature for the all the
[size number-of-lines] configuration sessions.
Recalling Commands
To recall commands from the history buffer, use one of the following com-
mands or key combinations:
Command or
Key Combination Description
Ctrl+P or Up Arrow key.* Recalls commands in the history buffer, beginning with the
most recent command. Repeat the key sequence to recall
successively older commands.
Ctrl+N or Down Arrow key. *. Returns to more recent commands in the history buffer after
recalling commands with Ctrl+P or the Up Arrow key.
Repeat the key sequence to recall successively more recent
commands.
ACOS> show history While in EXEC mode, lists the most recent commands
entered.
*. The arrow keys function only on ANSI-compatible terminals.

Using the CLI
Editing Features and Shortcuts

A variety of shortcuts and editing features are enabled for the A10 Thunder
Series and AX Series CLI. The following subsections describe these fea-
tures:
• Positioning the cursor on the command line
• Completing a partial command name
• Recalling deleted entries
• Editing command lines that wrap
• Deleting entries
• Continuing output at the --MORE-- prompt
• Re-displaying the current command line
• Editing Pre-configured SLB Items
Positioning the Cursor on the Command Line

The table below lists key combinations used to position the cursor on the
command line for making corrections or changes. The Control key (ctrl)
must be pressed simultaneously with the associated letter key. The Escape
key (esc) must be pressed first, followed by its associated letter key. The let-
ters are not case sensitive. Many letters used for CLI navigation and editing
were chosen to simplify remembering their functions. In the following
table, characters bolded in the Function Summary column indicate the rela-
tion between the letter used and the function.
Function
Keystrokes Summary Function Details
Left Arrow Back character Moves the cursor left one character. When entering a command
or ctrl+B that extends beyond a single line, press the Left Arrow or
Ctrl+B keys repeatedly to move back toward the system prompt
to verify the beginning of the command entry, or you can also
press Ctrl+A.
Right Arrow Forward character Moves the cursor right one character.
or ctrl+F
ctrl+A Beginning of line Moves the cursor to the very beginning of the command line.
ctrl+E End of line Moves the cursor to the very end of the line.

Using the CLI
Completing a Partial Command Name

If you do not remember a full command name, or just to reduce the amount
of typing you have to do, enter the first few letters of a command, then press
tab. The CLI parser then completes the command if the string entered is
unique to the command mode. If the keyboard has no tab key, you can also
press ctrl+I.
The CLI will recognize a command once you enter enough text to make the
command unique. For example, if you enter conf while in the privileged
EXEC mode, the CLI will associate your entry with the config command,
because only the config command begins with conf.
In the next example, the CLI recognizes the unique string conf for privi-
leged EXEC mode of config after pressing the tab key:
ACOS# conf<tab>
ACOS# config
When using the command completion feature, the CLI displays the full
command name. Commands are not executed until the Enter key is pressed.
This way you can modify the command if the derived command is not what
you expected from the abbreviation. Entering a string of characters that
indicate more than one possible command (for example, te) results in the
following response from the CLI:
ACOS#te
% Ambiguous command
ACOS#
If the CLI can not complete the command, enter a question mark (?) to
obtain a list of commands that begin with the character set entered. Do not
leave a space between the last letter you enter and the question mark (?).
In the example above, te is ambiguous. It is the beginning of both the telnet

and terminal commands, as shown in the following example:
ACOS#te?
telnet Open a tunnel connection
terminal Set terminal line parameters
ACOS#te
The letters entered before the question mark (te) are reprinted to the screen
to allow continuation of command entry from where you left off.

Using the CLI
Deleting Command Entries

If you make a mistake or change your mind, you can use the following keys
or key combinations to delete command entries:
Keystrokes Purpose
backspace The character immediately left of the cursor is deleted.
delete or The character that the cursor is currently on is deleted.
ctrl+D
ctrl+K All characters from the cursor to the end of the com-
mand line are deleted.
ctrl+U or All characters from the cursor to the beginning of the
ctrl+X command line are deleted.
ctrl+W The word to the left of the cursor is deleted.
Editing Command Lines that Wrap

The CLI provides a wrap-around feature for commands extending beyond a
single line on the display.
When the cursor reaches the right margin, the command line shifts ten
spaces to the left. You cannot see the first ten characters of the line, but you
can scroll back and check the syntax at the beginning of the command. To
scroll back, press ctrl+B or the left arrow key repeatedly until you scroll
back to the command entry, or press ctrl+A to return directly to the begin-
ning of the line.
The A10 Thunder Series and AX Series software assumes you have a termi-
nal screen that is 80 columns wide. If you have a different screen-width, use
the terminal width EXEC command to set the width of the terminal.
Use line wrapping in conjunction with the command history feature to recall
and modify previous complex command entries. See the Recalling
Commands section in this chapter for information about recalling previous
command entries.
Continuing Output at the --MORE-- Prompt

When working with the CLI, output often extends beyond the visible screen
length. For cases where output continues beyond the bottom of the screen,
such as with the output of many ?, show, or more commands, the output is
paused and a --MORE-- prompt is displayed at the bottom of the screen.
To proceed, press the Enter key to scroll down one line, or press the space-
bar to display the next full screen of output.

Using the CLI
Redisplaying the Current Command Line

If you are entering a command and the system suddenly sends a message to
your screen, you can easily recall your current command line entry. To
redisplay the current command line (refresh the screen), use either of the
following key combinations:
Keystrokes Purpose
ctrl+L or ctrl+R Re-displays the current command line
Editing Pre-Configured SLB Items

You can display a list of SLB items that have been configured on the ACOS
device by entering the partial command, followed by the ‘?’ character.
Previous releases required you to know the exact name of the real server or
other item you wanted to modify, but this feature enables you to display the
items that are already configured without having to remember the exact
name.
The following SLB items can be viewed in this manner:

• slb server
• slb service-group
• slb virtual-server
• member (at service-group configuration level)
• service-group (at virtual-port configuration level)
Example The following example displays the names of real servers that are already
configured on the ACOS device. All options displayed in the output except
“NAME” are real servers.
ACOS(config)#slb server ?
NAME<length:1-63> Server Name
a1
a2
ddd
rs1
rs1-a1
rs1-a2
rs1-a3
ACOS2-Active(config)#slb server

Using the CLI
Example You can further refine the list that appears by entering part of the name. For
example:
ACOS2-Active(config)#slb server a?
NAME<length:1-63> Server Name
a1
a2
Example In the same manner that commands can be auto-completed by partially

entering the command name and pressing <TAB>, the ACOS device sup-
ports the ability to auto-complete the names of configured items. For exam-
ple:
ACOS(config)#slb server d<TAB>
ACOS(config)#slb server ddd
Searching and Filtering CLI Output

The CLI permits searching through large amounts of command output by
filtering the output to exclude information that you do not need. The show
command supports the following output filtering options:
• begin string – Begins the output with the line containing the speci-
fied string
• include string – Displays only the output lines that contain the
specified string
• exclude string – Displays only the output lines that do not contain
the specified string
• section string – Displays only the lines for the specified section
(for example, “slb server”, “virtual-server”, or “logging”). To display all
server-related configuration lines, you can enter “server”.
Use “ | ” as a delimiter between the show command and the display filter.
You can use regular expressions in the filter string, as shown in this exam-
ple:
ACOS(config)#show arp | include 192.168.1.3*
192.168.1.3 001d.4608.1e40 Dynamic ethernet4
192.168.1.33 0019.d165.c2ab Dynamic ethernet4
The output filter in this example displays only the ARP entries that contain
IP addresses that match “192.168.1.3” and any value following “3”. The

Using the CLI
asterisk ( * ) matches on any pattern following the “3”. (See “Regular
Expressions” on page 46.)
The following example displays the startup-config lines for “logging”:

ACOS(config)#show startup-config | section logging
logging console error
logging buffered debugging
logging monitor debugging
logging buffered 30000
logging facility local0
Regular Expressions
Regular expressions are patterns (e.g. a phrase, number, or more complex
pattern) used by the CLI string search feature to match against show or
more command output. Regular expressions are case sensitive and allow
for complex matching requirements. A simple regular expression can be an
entry like Serial, misses, or 138. Complex regular expressions can be an
entry like 00210... , ( is ), or [Oo]utput.
A regular expression can be a single-character pattern or a multiple-charac-

ter pattern. This means that a regular expression can be a single character
that matches the same single character in the command output or multiple
characters that match the same multiple characters in the command output.
The pattern in the command output is referred to as a string. This section
describes creating single-character patterns.
Single-Character Patterns
The simplest regular expression is a single character that matches the same
single character in the command output. You can use any letter (A–Z, a–z)
or digit (0–9) as a single-character pattern. You can also use other keyboard
characters (such as ! or ~) as single-character patterns, but certain keyboard
characters have special meaning when used in regular expressions. The fol-
lowing table lists the keyboard characters that have special meaning.
Character Meaning
. Matches any single character, including white space
* Matchers 0 or more sequences of the pattern
+ Matches 1 or more sequences of the pattern
? Matches 0 or 1 occurrences of the pattern
^ Matches the beginning of the string

Using the CLI
Character Meaning
$ Matches the end of the string
_ (under- Matches a comma (,), left brace ({), right brace (}), left
score) parenthesis ( ( ), right parenthesis ( ) ), the beginning of
the string, the end of the string, or a space.
Special Character Support in Strings

Special characters are supported in password strings and various other
strings. To use special characters in a string, enclose the entire string in dou-
ble quotation marks.
Special Character Support in Password Strings

The following subsections list the special characters supported for each type
of password you can enter in the CLI.
For information about the supported password length, see the CLI help or
the command entry in this document.
Admin and Enable Passwords

Admin and enable passwords can contain any ASCII characters in the fol-
lowing ranges: 0x20-0x7e and 0x80-0xFF.
RADIUS Shared Secrets

Same as admin and enable passwords.
MD5 Passwords for OSPF or BGP

MD5 passwords can be up to 16 characters long. A password string can con-
tain any ASCII characters in the range 0x20-0x7e. The password string can
not begin with a blank space, and can not contain any of the following spe-
cial characters: ' " < > & \ / ?
SNMPv3 user authentication passwords

Same as admin and enable passwords.
Passwords used for file import / export

All of the characters in the following range are supported: 0x20-0x7E.

Using the CLI
Passwords used for server access in health monitors
Most of the characters in the following range are supported: 0x20-0x7E.
However, the following characters are not supported in the current release:
' " < > & \ / ?
SSL certificate passwords

Most of the characters in the following ranges are supported: 0x20-0x7E
and 0x80-0xFF. However, the following characters are not supported in the
current release:
' " < > & \ / ?
SMTP passwords
Same as SSL certificate passwords.
How To Enter Special Characters in the Password String
You can use an opening single-or double-quotation mark without an ending

one. In this case, '" becomes ", and "' becomes '.
Escape sequences are required for a few of the special characters:

• " – To use a double-quotation mark in a string, enter the following: \"
• ? – To use a question mark in a string, enter the following sequence:

\077
• \ – To use a back slash in a string, enter another back slash in front of it:
\\
For example, to use the string a"b?c\d, enter the following:

"a\"b\077c\\d"
The \ character will be interpreted as the start of an escape sequence only if

it is enclosed in double quotation marks. (The ending double quotation mark
can be omitted.) If the following characters do not qualify as an escape
sequence, they are take verbatim; for example, \ is taken as \, "\x41" is
taken as A (hexadecimal escape), "\101" is taken as A (octal escape), and
"\10" is taken as \10.
Note: To use a double-quotation mark as the entire string, "\"". If you enter
\", the result is \. (Using a single character as a password is not recom-
mended.)

Using the CLI
Note: It is recommended not to use i18n characters. The character encoding
used on the terminal during password change might differ from the char-
acter encoding on the terminal used during login.
aVCS Device Numbers in Commands

Some commands either include or support an AX Series Virtual Chassis
System (aVCS) device ID. The device ID indicates the device to which the
command applies.
Device ID Syntax
In an aVCS virtual chassis, configuration items that are device-specific
include the device ID. For these items, use the following syntax:
• interface ethernet DeviceID/Portnum
• interface ve DeviceID/VEnum
• interface loopback DeviceID/Loopbacknum
• trunk DeviceID/Trunknum
• vlan DeviceID/VLAN-ID
• bpdu-fwd-group DeviceID/VLAN-ID
• bridge-vlan-group DeviceID/VLAN-ID
• ha group group-id priority DeviceID/Priority
This format also appears in the running-config and startup-config.
To determine whether a command supports the DeviceID/ syntax, use the

CLI help.
CLI Example
The following command accesses the configuration level for Ethernet data
port 5 on device 4:
ACOS(config)#interface ethernet 4/5
ACOS(config-if:ethernet4/5)#

Using the CLI
Device ID in Other Commands

Other commands that can refer to a specific aVCS device have the follow-
ing option:
device DeviceID
For example, the following command supports this option:

show mac-address-table [device DeviceID] ...
The DeviceID specifies the aVCS ID of the device.
CLI Example
The following command shows the MAC address table on device 2 in a vir-
tual chassis:
ACOS(config)#show mac-address-table device 2
MAC-Address Port Type Index Vlan Age
---------------------------------------------------------
0013.72E3.C773 1 Dynamic 13 2 88
0013.72E3.C775 2 Dynamic 16 10 90
Total active entries: 2 Age time: 300 secs
Without the device option, the command shows the MAC address table on
the vMaster.
To determine whether a command supports the device option, use the CLI
help.
CLI Message for Commands That Affect Only the Local

Device
You can display a message when entering a configuration command that
applies to only the local device. When this option is enabled, a message is
displayed if you enter a configuration command that affects only the local
device, and the command does not explicitly indicate the device.
This enhancement is enabled by default and can not be disabled.

Using the CLI
Local Device
The “local device” is the device your CLI session is on.
• If you log directly onto one of the devices in the virtual chassis, that
device is the local device. For example, if you log on through the man-
agement IP address of a vBlade, that vBlade is the local device.
• If you change the device context or router content to another ACOS
device, that device becomes the local device.
• If you log onto the virtual chassis’ floating IP address, the vMaster is the
local device.
Message Example
The following command configures a static MAC address:
ACOS(config)#mac-age-time 444
This operation applied to device 1
This type of configuration change is device-specific. However, the com-

mand does not specify the device ID to which to apply the configuration
change. Therefore, the change is applied to the local device. In this exam-
ple, the local device is device 1 in the aVCS virtual chassis.
The message is not necessary if you explicitly specify the device, and there-
fore is not displayed:
ACOS(config)#mac-age-time 444 device 2
Notes
• For commands that access the configuration level for a specific configu-
ration item, the message is displayed only for the command that
accesses the configuration level. For example:
ACOS(config)#interface ethernet 2
This operation applied to device 1
ACOS(config-if:ethernet2/1)#ip address 1.1.1.1 /24
ACOS(config-if:ethernet2/1)#
The message is not displayed after the ip address command is entered,
because the message is already displayed after the interface ethernet 2
command is entered.
The same is true for commands at the configuration level for a routing
protocol. The message is displayed only for the command that accesses
the configuration level for the protocol.

Using the CLI
• In most cases, the message also is displayed following clear commands
for device-specific items. An exceptio is clear commands for routing
information. The message is not displayed following these commands.
• The message is not displayed after show commands.

active-partition
EXEC Commands
The EXEC commands (sometimes referred to as the User EXEC com-

mands) are available at the CLI level that is presented when you log into the
CLI.
The EXEC level command prompt ends with >, as in the following exam-
ple:
ACOS>
active-partition
Description Change the partition on an ACOS device configured for Application Deliv-
ery Partitioning (ADP).
Syntax active-partition {partition-name | shared}
Parameter Description
partition-name Name of a private partition.
shared The shared partition.
Default See “Usage” below.
Mode EXEC, Privileged EXEC, or global configuration mode
Usage Admins with Root, Read-write, or Read-only privileges can select the parti-
tion to view. When an admin with one of these privilege levels logs in, the
view is set to the shared partition by default, which means all resources are
visible.
Example The following command changes the view to private partition “companyA”:
AX#active-partition companyA
Currently active partition: companyA
AX[companyA]#
The name of the partition is shown in the CLI prompt.

backup log
backup log
Description Configure log backup options and save a backup of the system log.
Syntax [no] backup log expedite
[no] backup log period {all | day | month | week}
backup log stats-data [use-mgmt-port] url
backup log [use-mgmt-port] url
expedite Allocates additional CPU to the backup process.
This option allows up to 80% CPU utilization to
be devoted to the log backup process.
period
{all | day |
month | week} Specifies the period to back up:
all – Backs up all log messages contained in the
log buffer.
day – Backs up the log messages generated dur-
ing the most recent 24 hours.
month – Backs up the log messages generated
during the most recent 30 days.
week – Backs up the log messages generated
during the most recent 7 days.
stats-data
[use-mgmt-port]
url Backs up statistical data from the GUI. The use-
mgmt-port and url options are the same as
described above.
[use-mgmt-port]
url Saves a backup of the log to a remote server.
The use-mgmt-port option uses the management
interface as the source interface for the connec-
tion to the remote device. The management route
table is used to reach the device. Without this
option, the ACOS device attempts to use the data
route table to reach the remote device through a
data interface.

backup log
The url specifies the file transfer protocol, user-

name (if required), and directory path.
You can enter the entire URL on the command
line or press Enter to display a prompt for each
part of the URL. If you enter the entire URL and
a password is required, you will still be prompted
for the password. The password can be up to 255
characters long.
To enter the entire URL:
tftp://host/file
ftp://[user@]host[:port]/file
scp://[user@]host/file
rcp://[user@]host/file
sftp://[user@]host/file
Default The configurable backup options have the following default values:
• expedite – The ACOS device allows up to 50% CPU utilization for log
backup.
• period – month
Usage The expedite option controls the percentage of CPU utilization allowed
exclusively to the log backup process. The actual CPU utilization during log
backup may be higher, if other management processes also are running at
the same time.
Example The following commands change the backup period to all, allow up to 80%
CPU utilization for the backup process, and back up the log:
AX>backup log period all
AX>backup log expedite
AX>backup log scp://192.168.20.161:/log.tgz
...
Example The following command backs up statistical data from the GUI:
AX>backup log stats-data scp://192.168.20.161:/log.tgz
Note: The log period and expedite settings also apply to backups of the GUI sta-
tistical data.

backup system
backup system
Back up the system.
Syntax Description backup system [use-mgmt-port] url
system Backs up the startup-config file, aFleX policy
files, and SSL certificates and keys into a tar file.
use-mgmt-port Uses the management interface as the source
interface for the connection to the remote device.
The management route table is used to reach the
device. Without this option, the ACOS device
attempts to use the data route table to reach the
remote device through a data interface.
url File transfer protocol, username (if required), and
directory path.
characters long.
tftp://host/file
Default N/A
Example The following command backs up the system:

ACOS>backup system tftp://1.1.1.1/back_file

enable
enable
Description Enter privileged EXEC mode, or any other security level set by a system
administrator.
Syntax enable
Mode EXEC
Usage Entering privileged EXEC mode enables the use of privileged commands.
Because many of the privileged commands set operating parameters, privi-
leged access should be password-protected to prevent unauthorized use. If
the system administrator has set a password with the enable password
global configuration command, you are prompted to enter it before being
allowed access to privileged EXEC mode. The password is case sensitive.
The user will enter the default mode of privileged EXEC.
Example In the following example, the user enters privileged EXEC mode using the
enable command. The system prompts the user for a password before
allowing access to the privileged EXEC mode. The password is not printed
to the screen. The user then exits back to user EXEC mode using the disable
command. Note that the prompt for user EXEC mode is >, and the prompt
for privileged EXEC mode is #.
ACOS>enable
Password: <letmein>
ACOS# disable
ACOS>
exit
Description Close an active terminal session by logging off the system.
Syntax exit
Mode EXEC
Usage Use the exit command in EXEC mode to exit the active session (log off
the device).
Example In the following example, the exit (global) command is used to move
from global configuration mode to privileged EXEC mode, the disable
command is used to move from privileged EXEC mode to user EXEC
mode, and the exit (EXEC) command is used to log off (exit the active
session):

health-test
ACOS(config)#exit
ACOS#disable
ACOS>exit
health-test
Description Test the status of a device using a configured health monitor.
Syntax health-test {ipaddr | ipv6 ipv6addr} [count num]

[monitorname monitor-name] [port portnum]
ipaddr |
ipv6 ipv6addr Specifies the IPv4 or IPv6 address of the device
to test.
count num Specifies the number of health checks to send to
the device. You can specify 1-65535.
monitorname
monitor-name Specifies the health monitor to use. The health
monitor must already be configured.
port portnum Specifies the protocol port to test, 1-65535.
Default Only the IP address is required. The other parameters have the following
defaults:
• count – 1
• monitorname – ICMP ping, the default Layer 3 health check
• port – Override port number set in the health monitor configuration, if

one is set. Otherwise, this option is not set by default.
Mode EXEC, Privileged EXEC, and global config
Usage If an override IP address and protocol port are set in the health monitor con-
figuration, the ACOS device will use the override address and port, even if
you specify an address and port with the health-test command.
Example The following command tests port 80 on server 192.168.1.66, using config-
ured health monitor hm80:
AX#health-test 192.168.1.66 monitorname hm80
node status UP.

help
help
Description Display a description of the interactive help system of the A10 Thunder
Series and AX Series.
Syntax help
Example (See “CLI Quick Reference” on page 37.)
no
Description See “no” on page 79. This command is not used at this level.
ping
Description Send an ICMP echo packet to test network connectivity.
Syntax ping [ipv6] {hostname | ipaddr}

[data HEX-word]
[flood]
[interface {ethernet port-num | ve ve-num |
management}]
[repeat count]
[size num]
[source {ipaddr | ethernet port-num | ve ve-num}]
[timeout secs]
[ttl num]
[ipv6]
hostname |
ipaddr Target of the ping.
data HEX-word Hexadecimal data pattern to send in the ping.
The pattern can be 1-8 hexadecimal characters
long.
flood Sends a continuous stream of ping packets, by
sending a new packet as soon as a reply to the
previous packet is received.

ping
interface
{ethernet port-
num |
ve ve-num |
management} Uses the specified interface as the source address
of the ping.
repeat count Number of times to send the ping, 1-10000000
(ten million).
size num Size of the datagram, 1-10000.
source ipaddr |
ethernet port-
num | ve ve-num Forces the ACOS device to give the specified IP
address, or the IP address configured on the spec-
ified interface, as the source address of the ping.
timeout secs Number of seconds the ACOS device waits for a
reply to a sent ping packet, 1-2100 seconds.
ttl num Maximum number of hops the ping is allowed to
traverse, 1-255.
Default This command has the following defaults:

• data – not set
• flood – disabled
• interface – not set. The ACOS device looks up the route to the ping tar-
get in the main route table and uses the interface associated with the
route. (The management interface is not used unless you specify the
management IP address as the source interface.)
• repeat – 5
• size – datagram size is 84 bytes
• source – not set. The ACOS device looks up the route to the ping target
and uses the interface associated with the route.
• timeout – 10 seconds
• ttl – 1
Mode EXEC and Privileged EXEC
Usage The ping command sends an echo request packet to a remote address, and
then awaits a reply. Unless you use the flood option, the interval between
sending of each ping packet is 1 second.
To terminate a ping session, type ctrl+c.

show
Example The following command sends a ping to IP address 192.168.3.116:

ACOS>ping 192.168.3.116
PING 192.168.3.116 (192.168.3.116) 56(84) bytes of data
64 bytes from 192.168.3.116: icmp_seq=1 ttl=128 time=0.206 ms
--- 192.168.3.116 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3996ms
rtt min/avg/max/mdev = 0.206/0.241/0.264/0.032 ms
Example The following command sends a ping to IP address 10.10.1.20, from AX

Ethernet port 1. The ping has data pattern “ffff”, is 1024 bytes long, and is
sent 100 times.
ACOS#ping data ffff repeat 100 size 1024 source ethernet 1 10.10.1.20
show
Description Show system or configuration information.
Syntax show options
Default N/A
Usage For information about the show commands, see “Show Commands” on
page 839 and “SLB Show Commands” on page 983.
ssh
Description Establish a Secure Shell (SSH) connection from the A10 Thunder Series
and AX Series to another device.
Syntax ssh [use-mgmt-port] {host-name | ipaddr}

login-name [protocol-port]
device. By default, the ACOS device attempts to

telnet
use the data route table to reach the remote

device through a data interface.
host-name Host name of a remote system.
ipaddr The IP address of a remote system.
login-name User name to log into the remote system.
protocol-port TCP port number on which the remote system
listens for SSH client traffic.
Default By default, the ACOS device will use a data interface as the source inter-
face. The management interface is not used unless you specify the use-
mgmt-port option. The default protocol-port is 22.
Usage SSH version 2 is supported. SSH version 1 is not supported.
telnet
Description Open a Telnet tunnel connection from the A10 Thunder Series and AX
Series to another device.
Syntax telnet [use-mgmt-port] {host-name | ipaddr)

[protocol-port]
host-name Host name of a remote system.
ipaddr The IP address of a remote system.
protocol-port TCP port number on which the remote system
listens for Telnet traffic.
Default By default, the ACOS device will use a data interface as the source inter-
face. The management interface is not used unless you specify the use-
mgmt-port option. The default protocol-port is 23.

traceroute
Example The following command opens a Telnet session from the AX to another AX
at IP address 10.10.4.55:
ACOS>telnet 10.10.4.55
Trying 10.10.4.55...
Connected to 10.10.4.55.
Escape character is '^]'.
Welcome to AX3200
AX login:
traceroute
Description Display the router hops through which a packet sent from the A10 Thunder
Series and AX Series device can reach a remote device.
Syntax traceroute [ipv6] [use-mgmt-port]

{host-name | ipaddr)
ipv6 Indicates that the target address is an IPv6
address.
interface. The management route table is used to
reach the device. By default, the ACOS device
{hostname |
ipaddr) Device at the remote end of the route to be
traced.
Default N/A
Usage If a hop does not respond within 5 seconds, asterisks ( * ) are shown in the
row for that hop.
Example The following command traces a route to 192.168.10.99:

AX#traceroute 192.168.10.99
traceroute to 192.168.10.99 (192.168.10.99), 30 hops max, 40 byte pack-
ets
1 10.10.20.1 (10.10.20.1) 1.215 ms 1.151 ms 1.243 ms
2 10.10.13.1 (10.10.13.1) 0.499 ms 0.392 ms 0.493 ms
...

traceroute

active-partition
Privileged EXEC mode Commands
The Privileged EXEC mode commands are available at the CLI level that is
presented when you enter the enable command and a valid enable password
from the EXEC level of the CLI.
The Privileged EXEC mode level command prompt ends with #, as in the
following example:
ACOS#
active-partition
Description Change the partition on an ACOS device configured for Role-Based
Administration (RBA). (See “active-partition” on page 53.)
axdebug
Description Enters the AX debug subsystem. (See “AX Debug Commands” on
page 1069.)
backup log
Description Configure log backup options and save a backup of the system log. (See
“backup log” on page 54.)
backup system
Description Back up the system. (See “backup system” on page 56.)

clear
clear
Description Clear statistics or reset functions. Sub-command parameters are required for
specific sub-commands.
Syntax clear sub-command parameter
Sub-Command Description
access-list
{acl-num | all} Clears ACL statistics.
admin session
{session-id |
all} Clears admin sessions.
aflex
[aflex-name] Clears aFleX statistics.
arp {options} Clears ARP entries.
audit Clears the CLI command audit log.
auth
{kcache
[Kerberos-
relay-name] |
statistics} Clears cached authentication credentials.
bfd statistics Clears Bidirectional Forwarding Detection
(BFD) statistics.
bgp {options} Clears information and statistics for Border Gate
way Protocol (BGP). See “BGP Clear Com-
mands” on page 543.
clns neighbors Clears Connectionless-mode Network Service
(CLNS) neighbor routes.
console Kills the current login process and starts a new
one.
core Clears system core dump files.
dns Clears DNS statistics.
dumpthread Clears dumpthread files.
gslb See the Global Server Load Balancing Guide.
ha Clears High-Availability (HA) statistics.
health Clears health monitor statistics.
icmp Clears ICMP statistics.

clear
icmpv6 Clears ICMPv6 statistics.

ip helper-
address
statistics Clears IPv4 DHCP helper statistics.
ip nat
{options} Clears IPv4 NAT information or statistics.
ip ospf
[process-id]
process Terminates OSPFv2 processing. The process-id
option specifies the OSPFv2 process. If you omit
this option, processing is terminated for all run-
ning OSPFv2 processes.
ip route kernel Clears stale IPv4 kernel routes.
ipv6 access-
list
{all | acl-id} Clears IPv6 ACL statistics.
ipv6 nat pool
statistics
[pool-name] Clears IPv6 NAT statistics.
ipv6 neighbor Clears the IPv6 neighbor cache.
ipv6 ospf [tag]
process Terminates OSPFv3 processing. The tag option
specifies the OSPFv3 instance (tag). If you omit
this option, processing is terminated for all run-
ning OSPFv3 instances.
ipv6 route
kernel Clears stale IPv6 kernel routes.
ipv6 traffic Clears IPv6 traffic statistics.
isis database Clears the database for Intermediate System to
Intermediate System (IS-IS).
lacp Clears LACP information or statistics.
logging Clears the system log buffer.
mac-address
{options} Clears the MAC address table.
pbslb {options} Clears Policy-Based Server Load Balancing
(SLB) client entries or statistics.

clear
router log file

[type] Clears router log files. The type can be one of the
following:
nsm [file-num] – Clears the specified Network
Services Module (NSM) log file, or all NSM log
files.
ospf6d [file-num] – Clears the specified IPv6
OSPFv3 log file, or all OSPFv3 log files.
ospfd [file-num] – Clears the specified IPv4
OSPFv2 log file, or all OSPFv2 log files.
If you do not specify a type, router logs of all
types above are cleared.
sessions
{options} Clears Layer 4 sessions.
sip Clears SIP statistics.
slb {options} Clears SLB statistics.
snmp-stats Clears SNMP statistics counter.
statistics
interface
ethernet
portnum Clears physical Ethernet interface statistics.
store
[[backup |
export |
import]
profile-url] Clears credentials stored for use when importing
or exporting files between the ACOS device and
a remote server.
vcs {options} Clears AX Virtual Chassis System (aVCS) debug
information or statistics.
virtual-server Clears virtual server statistics.
vrrp-a
{options} Clears VRRP-A statistics.
waf-policy
[policy-file] Clears WAF policy-file statistics.
Default N/A
Mode Privileged EXEC mode or global configuration mode

clock
Usage To list the options available for a clear command, enter ? after the com-
mand name. For example, to display the clear gslb options, enter the fol-
lowing command: clear gslb ?
On some ACOS models, entering either the clear slb switch or clear slb l4
command clears all anomaly counters for both show slb switch and
show slb l4. This applies to the following AX models: AX 2200, AX 2200-
11, AX 3100, AX 3200, AX 3200-11, AX 3200-12, AX 3400, AX 3530,
AX 5100, AX 5200, and AX 5200-11.
Note on Clearing Sessions

After entering the clear session command, the ACOS device may remain in
session-clear mode for up to 10 seconds. During this time, any new connec-
tions are sent to the delete queue for clearing.
Example The following command clears the counters on Ethernet interface 3:

ACOS#clear statistics interface ethernet 3
clock
Description Set the system time and date.
Syntax clock set time day month year
time Format hh:mm:ss (24 hr.)
day Format 1-31 – day of month
month Format January, February, and so on.
year Format 2007, 2008, and so on.
Note: The default time zone is GMT.
Mode Privileged EXEC mode
Usage Use this command to manually set the system time and date.
If you use the GUI or CLI to change the ACOS timezone or system time, the
statistical database is cleared. This database contains general system statis-
tics (performance, and CPU, memory, and disk utilization) and SLB statis-
tics. For example, in the GUI, the graphs displayed on the Monitor >
Overview page are cleared.

configure
If the system clock is adjusted while OSPF or IS-IS is enabled, the routing
protocols may stop working properly. To work around this issue, disable
OSPF and IS-IS before adjusting the system clock.
Example Set the system clock to 5:51 p.m. and the date to February 22nd, 2007.
ACOS#clock set 17:51:00 22 February 2007
configure
Description Enter the configuration mode from the Privileged EXEC mode.
Syntax configure [terminal]
Example Enter configuration mode.

ACOS#config
ACOS(config)#
debug
Note: It is recommended to use the AXdebug subsystem instead of these debug
commands. See “AX Debug Commands” on page 1069.
diff
Description Display a side-by-side comparison of the commands in a pair of locally
stored configurations.
Syntax diff {startup-config | profile-name}

{running-config | profile-name}
Default N/A
Usage The diff startup-config running-config command compares the configura-

tion profile that is currently linked to “startup-config” with the running-con-
fig. Similarly, the diff startup-config profile-name command compares the
configuration profile that is currently linked to “startup-config” with the
specified configuration profile.

diff
To compare a configuration profile other than the startup-config to the run-

ning-config, enter the configuration profile name instead of startup-config.
To compare any two configuration profiles, enter their profile names instead
of startup-config or running-config.
In the CLI output, the commands in the first profile name you specify are
listed on the left side of the terminal screen. The commands in the other pro-
file that differ from the commands in the first profile are listed on the right
side of the screen, across from the commands they differ from. The follow-
ing flags indicate how the two profiles differ:
• | – This command has different settings in the two profiles.
• > – This command is in the second profile but not in the first one.
• < – This command is in the first profile but not in the second one.
Example The following command compares the configuration profile currently

linked to “startup-config” with configuration profile “testcfg1”. This exam-
ple is abbreviated for clarity. The differences between the profiles are
shown in this example in bold type.
ACOS#diff startup-config testcfg1
!Current configuration: 13378 bytes (
!Configuration last updated at 19:18:57 PST Wed Jan 23 2008 (
!Configuration last saved at 19:19:37 PST Wed Jan 23 2008 (
!version 1.2.1 (
! (
hostname AX (
! (
clock timezone America/Tijuana (
! (
ntp server 10.1.11.100 1440 (
! (
...
! (
interface ve 30 (
ip address 30.30.31.1 255.255.255.0 | ip address
10.10.20.1 255.255.255.0
ipv6 address 2001:144:121:3::5/64 | ipv6 address
fc00:300::5/64
! (
! (
> ip nat range-
list v6-1 fc00:300::300/64 2001:144:121:1::900/6
! (
ipv6 nat pool p1 2001:144:121:3::996 2001:144:121:3::999 netm <
! <
slb server ss100 2001:144:121:1::100 <
port 22 tcp <

disable
disable
Description Exit the Privileged EXEC mode and enter the EXEC mode.
Syntax disable
Example The following command exits Privileged EXEC mode.

ACOS#disable
ACOS>
Note: The prompt changes from # to >, indicating change to EXEC mode.
exit
Description Exit the Privileged EXEC mode and enter the EXEC Mode.
Syntax exit
Example In the following example, the exit command is used to exit the Privileged
EXEC mode level and return to the User EXEC level of the CLI:
ACOS#exit
ACOS>
Note: The prompt changes from # to >, indicating change to EXEC mode.

export
export
Description Put a file to a remote site using the specified transport method.
Syntax export
{
aflex |
axdebug |
bw-list |
class-list |
debug_monitor |
dnssec-dnskey |
dnssec-ds |
ip-map-list |
running-config |
ssl-cert |
ssl-cert-key |
ssl-crl |
ssl-key |
startup-config |
syslog |
thales-kmdata |
thales-secworld |
profile-name
}
[local-file-name]
[remote-file-name]
[use-mgmt-port]
url
aflex Exports an aFleX file.
axdebug Exports an AX debug capture file.
bw-list Exports a black/white list.
class-list Exports an IP class list.
debug_monitor Exports a debug monitor file.
dnssec-dnskey Exports a DNSEC key-signing key (KSK) file.
dnssec-ds Exports a DNSSEC DS file.
ip-map-list Exports an IP map list.
license Exports a license file, if applicable to your
model.
profile-name Name of a startup configuration file to export.

export
running-config Exports the running-config to a file.

ssl-cert Exports a certificate.
ssl-cert-key Exports a certificate and key together as a single
file.
ssl-key Exports a certificate key.
ssl-crl Exports a Certificate Revocation List (CRL).
startup-config Exports the startup-config.
syslog Exports the messages from the local log buffer.
thales-kmdata Exports Thales Kmdata files (if applicable), in
.tgz format.
thales-secworld Exports Thales security world files (if applica-
ble), in .tgz format.
local-file-name Local name of the file, if applicable.
remote-file-
name Name to use for the file on the target server.
directory path.
characters long.
tftp://host/file

health-test
Usage Due to a limitation in Windows, it is recommended to use names shorter

than 255 characters. Windows allows a maximum of 256 characters for both
the file name and the directory path. If the combination of directory path
and file name is too long, Windows will not recognize the file. This limita-
tion is not present on machines running Linux/Unix.
Example The following command exports an aFleX policy from the A10 Thunder
Series and AX Series device to an FTP server, to a directory named “back-
ups”.
ACOS#export aflex aflex-01 ftp://192.168.1.101/backups/aflex-01
health-test
Description See “health-test” on page 58.
help
Description Display a description of the interactive help system of the A10 Thunder
Series and AX Series.
Syntax help
Example (See “CLI Quick Reference” on page 37.)

import
import
Description Get a file from a remote site.
Syntax import
{
aflex |
auth-portal |
bw-list |
class-list |
dnssec-dnskey |
dnssec-ds |
geo-location |
ip-map-list |
license |
ssl-cert [bulk] |
ssl-cert-key [bulk] |
ssl-crl |
ssl-key [bulk] |
thales-kmdata |
thales-secworld
}
[use-mgmt-port]
remote-file-name
url
[period seconds]
aflex Imports an aFleX file.
auth-portal Imports an archive of files for form-based logon.
bw-list Imports a black/white list.
class-list Imports an IP class list.
dnssec-dnskey Imports a DNSEC key-signing key (KSK) file.
dnssec-ds Imports a DNSSEC DS file.
geo-location Imports a geo-location data file for Global Server
Load Balancing (GSLB).
ip-map-list Imports an IP map list.
license Imports a license file, if applicable to your
model.
ssl-cert [bulk] Imports a certificate. Specify bulk to import
multiple files simultaneously as a .tgz archive.

import
ssl-cert-key
[bulk] Imports a certificate and key together in a single
file. Specify bulk to import multiple files simul-
taneously as a .tgz archive.
ssl-crl Imports a Certificate Revocation List (CRL).
ssl-key [bulk] Imports a certificate key. Specify bulk to import
multiple files simultaneously as a .tgz archive.
thales-kmdata Imports Thales Kmdata files (if applicable), in
.tgz format.
thales-secworld Imports Thales security world files (if applica-
ble), in .tgz format.
remote-file-
name Specifies the filename on the remote server.
url Specifies the file transfer protocol, username (if
required), and directory path.
characters long.
tftp://host/file
period seconds Enables automated updates of the file. You can
specify 60-31536000 seconds. (See “Usage”
below.)
Usage For SSL certificates and keys, this command is equivalent to the slb ssl-
load command. You can use either one to import SSL certificates and keys.
Periodic Updates
The period option simplifies update of imported files, especially files that
are used by multiple ACOS devices. You can edit a single instance of the

locale
file, on the remote server, then configure each of ACOS device to automati-
cally update the file to import the latest changes.
When you use this option, the ACOS device periodically replaces the speci-
fied file with the version that is currently on the remote server. If the file is
in use in the running-config, the updated version of the file is placed into
memory.
The updated file affects only new sessions that begin after the update but
does not affect existing sessions. For example, when an aFleX script that is
bound to a virtual port is updated, the update affects new sessions that begin
after the update, but does not affect existing sessions that began before the
update.
Example The following command imports an aFleX policy onto the A10 Thunder
Series and AX Series device from a TFTP server, from its directory named
“backups”:
ACOS#import aflex aflex-01 tftp://192.168.1.101/backups/aflex-01
locale
Description Set the locale for the current terminal session.
Syntax locale parameter
test To test current terminal encodings for specific
locale
en_US.UTF-8 English locale for the USA, encoding with UTF-
8 (default)
zh_CN.UTF-8 Chinese locale for PRC, encoding with UTF-8
zh_CN.GB18030 Chinese locale for PRC, encoding with GB18030
zh_CN.GBK Chinese locale for PRC, encoding with GBK
zh_CN.GB2312 Chinese locale for PRC, encoding with GB2312
zh_TW.UTF-8 Chinese locale for Taiwan, encoding with UTF-8
zh_TW.BIG5 Chinese locale for Taiwan, encoding with BIG5
zh_TW.EUCTW Chinese locale for Taiwan, encoding with EUC-
TW

no
ja_JP.UTF-8 Japanese locale for Japan, encoding with UTF-8

ja_JP.EUC-JP Japanese locale for Japan, encoding with EUC-
JP
Default en_US.UTF-8
no
Description Negate a command or set it to its default setting.
Syntax no command
Mode All
Example The following command disables the terminal command history feature:
ACOS#no terminal history
ACOS#
ping
Test network connectivity. For syntax information, see “ping” on page 59.
reboot
Reboot the A10 Thunder Series and AX Series device.
Syntax reboot
[text |
in [hh:]mm [text] |
at hh:mm [month day | day month] [text] |
cancel]
text Reason for the reboot, 1-255 characters long.
in [hh:]mm Schedule a reboot to take effect in the specified
minutes or hours and minutes. The reboot must
take place within approximately 24 hours.
at hh:mm Schedule a reboot to take place at the specified
time (using a 24-hour clock). If you specify the
month and day, the reboot is scheduled to take

reboot
place at the specified time and date. If you do not

specify the month and day, the reboot takes place
at the specified time on the current day (if the
specified time is later than the current time), or
on the next day (if the specified time is earlier
than the current time). Specifying 00:00 sched-
ules the reboot for midnight.
month Name of the month, any number of characters in
a unique string.
day Number of the day, 1-31.
cancel Cancel a scheduled reboot.
Usage The reboot command halts the system. If the system is set to restart on
error, it reboots itself. Use the reboot command after configuration infor-
mation is entered into a file and saved to the startup configuration.
You cannot reboot from a virtual terminal if the system is not set up for auto-
matic booting. This prevents the system from dropping to the ROM monitor
and thereby taking the system out of the remote user’s control.
If you modify your configuration file, the system will prompt you to save the
configuration.
The at keyword can be used only if the system clock has been set on the A10
Thunder Series and AX Series (either through NTP, the hardware calendar,
or manually). The time is relative to the configured time zone on the A10
Thunder Series and AX Series. To schedule reboots across several A10
Thunder Series and AX Series to occur simultaneously, the time on each
A10 Thunder Series and AX Series must be synchronized with NTP. To dis-
play information about a scheduled reboot, use the show reboot command.
Example The following example immediately reboots the A10 Thunder Series and
AX Series device:
ACOS(config)# reboot
System configuration has been modified. Save? [yes/no]:yes
Rebooting System Now !!!
Proceed with reboot? [yes/no]:yes
The following example reboots the A10 Thunder Series and AX Series device
in 10 minutes:
ACOS(config)# reboot in 10
ACOS(config)# Reboot scheduled for 11:57:08 PDT Fri Apr 21 1996 (in 10 minutes)
Proceed with reboot? [yes/no]yes
ACOS(config)#

reload
at 1:00 p.m. today:
ACOS(config)# reboot at 13:0013:00
ACOS(config)# Reboot scheduled for 13:00:00 PDT Fri Apr 21 1996 (in 1 hour and
2 minutes)
ACOS(config)#
on Apr 20 at 4:20 p.m.:
ACOS(config)# reboot at 16:20 apr 20
ACOS(config)# Reboot scheduled for 16:20:00 PDT Sun Apr 20 2008 (in 38 hours
and 9 minutes)
ACOS(config)#
The following example cancels a pending reboot:

ACOS(config)# reboot cancel
%Reboot cancelled.
***
*** --- REBOOT ABORTED ---
***
reload
Description Restart AX system processes and reload the startup-config, without reboot-
ing.
Syntax reload
Usage The reload command restarts AX system processes and reloads the startup-
config, without reloading the system image. To also reload the system
image, use the reboot command instead. (See “reboot” on page 79.)
The ACOS device closes all sessions as part of the reload.
Example The following command reloads an ACOS device:

ACOS(config)#reload
Reload AX ....Done.
ACOS(config)#

repeat
repeat
Description Periodically re-enter a show command.
Syntax repeat seconds show command-options
seconds Interval at which to re-enter the command. You
can specify 1-300 seconds.
command-options Options of the show command. See “Show Com-
mands” on page 839 and “SLB Show Com-
Usage The repeat command is especially useful when monitoring or troubleshoot-

ing the system.
The elapsed time indicates how much time has passed since you entered the
repeat command. To stop the command, press Ctrl+C.
Example The following command displays SLB TCP-stack statistics every 30 sec-
onds:
ACOS#repeat 30 show slb tcp stack
Total
------------------------------------------------------------------
Currently EST conns 29
Active open conns 6968
Passive open conns 7938
Connect attempt failures 0
Total in TCP packets 678804
Total out TCP packets 712974
Retransmitted packets 359
Resets rcvd on EST conn 5369
Reset Sent 4303
Refreshing command every 30 seconds. (press ^C to quit) Elapsed Time: 00:00:00
Total
------------------------------------------------------------------
Connect attempt failures 0
Retransmitted packets 367

show
Reset Sent 4305

Refreshing command every 30 seconds. (press ^C to quit) Elapsed Time: 00:00:30
show
Description Display system or configuration information. See “Show Commands” on
page 839 and “SLB Show Commands” on page 983.
shutdown
Schedule a system shutdown at a specified time or after a specified interval,
or cancel a scheduled system shutdown.
Syntax shutdown {at hh:mm | in hh:mm | cancel [text]}
at Shutdown at a specific time/date (hh:mm)
in Shutdown after time interval (mm or hh:mm)
cancel Cancel pending shutdown
text Reason for shutdown
Example The following command schedules a system shutdown to occur at 11:59

p.m.:
ACOS#shutdown at 23:59
System configuration has been modified. Save? [yes/no]:yes

Building configuration...
[OK]
Shutdown scheduled for 23:59:00 UTC Fri Sep 30 2005 (in 5 hours and 39 minutes)
by admin on 192.168.1.102
Proceed with shutdown? [confirm]
ACOS#
Example The following command cancels a scheduled system shutdown:

ACOS#shutdown cancel
***
*** --- SHUTDOWN ABORTED ---
***

ssh
ssh
Description Establish a Secure Shell (SSH) connection from the ACOS device to
another device. (See “ssh” on page 61.)
telnet
Description Establish a Telnet connection from the ACOS device to another device. (See
“telnet” on page 62.)
terminal
Description Set terminal display parameters.
Syntax terminal
{
auto-size |
editing |
gslb-prompt options |
history [size number] |
length number |
monitor |
width lines
}
auto-size Enables the terminal length and width to auto-
matically change to match the terminal window
size.
editing Enables command-line editing.
gslb-prompt
options Enables display of the ACOS device’s role
within a GSLB group at the CLI prompt.
disable – Disables display of the GSLB group
status.
group-role – Displays “Member” or “Master” in
the CLI prompt; for example:
AX2500:Master(config)#
symbol – Displays “gslb” in the CLI prompt
after the name of the ACOS device; for example:
AX2500-gslb:Master(config)#

traceroute
history [size] Enables and controls the command history func-

tion. The size option specifies the number of
command lines that will be held in the history
buffer. You can specify 0-1000.
length num Sets the number of lines on a screen. You can
specify 0-512. Specifying 0 disables pausing.
monitor Copies debug output to the current terminal.
width num Sets the width of the display terminal. You can
specify 0-512. The setting 0 means “infinite”.
Default The terminal settings have the following defaults:

• auto-size – enabled
• editing – enabled
• history – enabled; default size is 256
• length – 24
• monitor – disabled
• width – 80
Example The following command changes the terminal length to 40:

ACOS#terminal length 40
traceroute
Description Trace a route. See “traceroute” on page 63.
vcs
Description Enter operational commands for the AX Series Virtual Chassis System
(aVCS). See “aVCS Operational Commands” on page 788.

write
write
Description Write the running-config to a configuration profile.
Syntax write {memory | force}

[primary | secondary | profile-name]
[cf]
[all-partitions |
partition {shared | private-partition-name}]
[all-partitions |
memory Writes (saves) the running-config to a configura-
tion profile.
force Forces the ACOS device to save the configura-
tion regardless of whether the system is ready.
primary Replaces the configuration profile stored in the
primary image area with the running-config.
secondary Replaces the configuration profile stored in the
secondary image area with the running-config.
profile-name Replaces the commands in the specified configu-
ration profile with the running-config.
cf Replaces the configuration profile in the speci-
fied image area (primary or secondary) on the
compact flash rather than the hard disk. If you
omit this option, the configuration profile in the
specified area on the hard disk is replaced.
all-partitions Saves changes for all resources in all partitions.
partition
{shared |
private-
partition-name} Saves changes only for the resources in the spec-
ified partition.
Default If you enter write memory without additional options, the command
replaces the configuration profile that is currently linked to by “startup-con-
fig” with the commands in the running-config. If startup-config is set to its
default (linked to the configuration profile stored in the image area that was
used for the last reboot), then write memory replaces the configuration pro-
file in the image area with the running-config.

write
The all-partitions and partition partition-name options are applicable on

ACOS devices that are configured for Role-Based Administration (RBA). If
you omit both options, only the resources in the shared partition are saved.
(If RBA is not configured, all resources are in the shared partition, so you
can omit both options.)
The all-partitions option is applicable only to admins with Root, Read-

write, or Read-only privileges. (See “show admin” on page 840 for descrip-
tions of the admin privilege levels.)
Mode Configuration mode
Usage CAUTION! Using the write force command can result in an incomplete or
empty configuration! A10 Networks recommends that you use this com-
mand only with the advice of A10 Networks Technical Support.
Unless you use the force option, the command checks for system readiness
and saves the configuration only if the system is ready.
After saving the configuration to the local image area, the CLI displays a
prompt asking whether you also want to save the same configuration to the
other image area. This option is helpful for keeping the configurations in
sync between the two image areas, if that is your enterprise’s policy.
For more information about configuration profiles, see the A10 Thunder
Series and AX Series System Configuration and Administration Guide.
Example The following command saves the running-config to the configuration pro-
file stored in the primary image area of the hard disk:
ACOS#write memory primary
Write configuration to primary default startup-config
Do you also want to write configuration to secondary default startup-
config as well?
(y/n):y
[OK]
Example The following command saves the running-config to a configuration profile

named "slbconfig2":
ACOS#write memory slbconfig2
Example The following command attempts to save the running-config but the system
is not ready:
ACOS#write memory
AX system is not ready. Cannot save the configuration.

write terminal
Example The following commands attempt to save the running-config on a system

that is not ready, then force the save operation to take place anyway:
ACOS#write memory
System is not ready. Cannot save the configuration.
ACOS#write force
write terminal
Description Display the running-config on the terminal.
Syntax write terminal

[all-partitions |
all-partitions Displays configuration information for all system
partitions.
partition
{shared |
private-
partition-name} Displays configuration information only for the
specified partition.
Usage The optional parameters are applicable to ACOS devices on which Role-
Based Administration (RBA) is configured.

access-list (standard)
Config Commands: Global
This chapter describes the commands for configuring global AX parame-

ters.
To access this configuration level, enter the configure [terminal] command

at the Privileged EXEC level.
To display global settings, use show commands. (See “Show Commands”

on page 839.)
This CLI level also has the following commands, which are available at all
configuration levels:
• backup – See “backup system” on page 56 and “backup log” on
page 54.
• clear – See “clear” on page 66.
• debug – See “debug” on page 70.
• diff – See “diff” on page 70.
• export – See “export” on page 73.
• health-test – See “health-test” on page 75.
• help – See “CLI Quick Reference” on page 37.
• import – See “import” on page 76.
• repeat – See “repeat” on page 82.
• show – See “Show Commands” on page 839.
• write – See “write terminal” on page 260.
Description Configure a standard Access Control List (ACL) to permit or deny source
IP addresses.
Syntax [no] access-list acl-num [seq-num]

{permit | deny | l3-vlan-fwd-disable |
remark string}
source-ipaddr {filter-mask | /mask-length}
[log [transparent-session-only]]

acl-num Standard ACL number. You can specify 1-99.
seq-num Sequence number of this rule in the ACL. You
can use this option to resequence the rules in the
ACL.
deny | permit Action to take for traffic that matches the ACL.
deny – For ACLs applied to interfaces or used
for management access, drops the traffic.
permit – For ACLs applied to interfaces or
used for management access, allows the traffic.
For ACLS used for IP source NAT, specifies the
inside host addresses to be translated into exter-
nal addresses.
Note: If you are configuring an ACL for source NAT, use the permit action. For
ACLs used with source NAT, the deny action does not drop traffic, it sim-
ply does not use the denied addresses for NAT translations.
l3-vlan-fwd-
disable Disables Layer 3 forwarding between VLANs
for IP addresses that match the ACL rule.
remark string Adds a remark to the ACL. The remark appears
at the top of the ACL when you display it in the
CLI.
Note: An ACL and its individual rules can have
multiple remarks.
To use blank spaces in the remark, enclose the
entire remark string in double quotes. The ACL
must already exist before you can configure a
remark for it.
source-ipaddr
{filter-mask |
/mask-length} Denies or permits traffic received from the speci-
fied host or subnet. The filter-mask specifies the
portion of the address to filter:
– Use 0 to match.
– Use 255 to ignore.
For example, the following filter-mask filters on
a 24-bit subnet: 0.0.0.255
Alternatively, you can use mask-length to specify
the portion of the address to filter. For example,

you can specify “/24” instead “0.0.0.255” to fil-

ter on a 24-bit subnet.
log
[transparent-
session-only] Configures the ACOS device to generate log
messages when traffic matches the ACL.
The transparent-session-only option limits log-
ging for an ACL rule to creation and deletion of
transparent sessions for traffic that matches the
ACL rule.
Default No ACLs are configured by default. When you configure one, the log
option is disabled by default.
Usage An ACL can contain multiple rules. Each access-list command configures
one rule. Rules are added to the ACL in the order you configure them. The
first rule you add appears at the top of the ACL.
Rules are applied to the traffic in the order they appear in the ACL (from the
top, which is the first rule, downward). The first rule that matches traffic is
used to permit or deny that traffic. After the first rule match, no additional
rules are compared against the traffic.
To move a rule within the sequence, delete the rule, then re-add it with a
new sequence number.
Access lists do not take effect until you apply them.

• To use an ACL to filter traffic on an interface, see “access-list” on
page 287.
• To use an ACL to filter traffic on a virtual server port, see “access-list”
on page 745.
• To use an ACL to control management access, see “disable-manage-
ment” on page 139 and “enable-management” on page 147.
• To use an ACL with source NAT, see “ip nat inside” on page 367.
The syntax shown in this section configures a standard ACL, which filters
based on source IP address. To filter on additional values such as destination
address, IP protocol, or TCP/UDP ports, configure an extended ACL. (See
“access-list (extended)” on page 92.)

access-list (extended)
Example The following commands configure a standard ACL and use it to deny traf-
fic sent from subnet 10.10.10.x, and apply the ACL to inbound traffic
received on Ethernet interface 4:
ACOS(config)#access-list 1 deny 10.10.10.0 0.0.0.255
ACOS(config-if:ethernet4)#access-list 1 in
Description Configure an extended Access Control List (ACL) to permit or deny traffic
based on source and destination IP addresses, IP protocol, and TCP/UDP
ports.

remark string} ip
{any | host host-src-ipaddr |

net-src-ipaddr {filter-mask | /mask-length}}
{any | host host-dst-ipaddr |

net-dst-ipaddr {filter-mask | /mask-length}}
[fragments] [vlan vlan-id] [dscp num]
or

remark string} icmp
[type icmp-type [code icmp-code]]


or


remark string} {tcp | udp}

[eq src-port | gt src-port | lt src-port |
range start-src-port end-src-port]

[eq dst-port | gt dst-port | lt dst-port |

range start-dst-port end-dst-port]

[established]
acl-num Extended ACL number. You can specify 100-
199.
ACL.
deny – Drops the traffic.
permit – Allows the traffic.
l3-vlan-fwd-
disable Disables Layer 3 forwarding between VLANs
for IP addresses that match the ACL rule.
CLI.
To use blank spaces in the remark, enclose the
entire remark string in double quotes. The ACL
must already exist before you can configure a
remark for it.
ip Filters on IP packets.
icmp Filters on ICMP packets.

tcp | udp Filters on TCP or UDP packets. The tcp and udp
options enable you to filter on protocol port num-
bers.
type type-
option This option is applicable if the protocol type is
icmp. Matches based on the specified ICMP
type. You can specify one of the following. Enter
the type name or the type number (for example,
dest-unreachable or 3).
any-type – Matches on any ICMP type.
dest-unreachable | 3 – Type 3, destination
unreachable
echo-reply | 0 – Type 0, echo reply
echo-request | 8 – Type 8, echo request
info-reply | 16 – Type 16, information reply
info-request | 15 – Type 15, information request
mask-reply | 18 – Type 18, address mask reply
mask-request | 17 – Type 17, address mask
request
parameter-problem | 12 – Type 12, parameter
problem
redirect | 5 – Type 5, redirect message
source-quench | 4 – Type 4, source quench
time-exceeded | 11 – Type 11, time exceeded
timestamp | 13 – Type 13, timestamp
timestamp-reply | 14 – Type 14, timestamp
reply
type-num – ICMP type number, 0-254
code code-num This option is applicable if the protocol type is
icmp. Matches based on the specified ICMP
code.
any-code – Matches on any ICMP code.
code-num – ICMP code number, 0-254

any |
host host-src-
ipaddr |
net-src-ipaddr
{filter-mask |
/mask-length} Source IP address(es) to filter.
any – The ACL matches on all source IP
addresses.
host host-src-ipaddr – The ACL
matches only on the specified host IP address.
net-src-ipaddr
{filter-mask | /mask-length} – The
ACL matches on any host in the specified subnet.
The filter-mask specifies the portion of the
address to filter:
– Use 0 to match.
a 24-bit subnet: 0.0.0.255
eq src-port |
gt src-port |
lt src-port |
range start-
src-port
end-src-port For tcp or udp, the source protocol ports to filter.
eq src-port – The ACL matches on traffic
from the specified source port.
gt src-port – The ACL matches on traffic
from any source port with a higher number than
the specified port.
lt src-port – The ACL matches on traffic
from any source port with a lower number than
the specified port.
range start-src-port end-src-port
– The ACL matches on traffic from any source
port within the specified range.

any |
host host-dst-
ipaddr |
net-dst-ipaddr
{filter-mask |
/mask-length} Destination IP address(es) to filter.
eq dst-port |
gt dst-port |
lt dst-port |
range start-
dst-port
end-dst-port For tcp or udp, the destination protocol ports to
filter.
fragments Matches on packets in which the More bit in the
header is set (1) or has a non-zero offset.
vlan vlan-id Matches on the specified VLAN. VLAN match-
ing occurs for incoming traffic only.
dscp num Matches on the 6-bit Diffserv value in the IP
header, 1-63.
established Matches on TCP packets in which the ACK or
RST bit is not set. This option is useful for pro-
tecting against attacks from outside. Since a TCP
connection from the outside does not have the
ACK bit set (SYN only), the connection is
dropped. Similarly, a connection established
from the inside always has the ACK bit set. (The
first packet to the network from outside is a
SYN/ACK.)
log
[transparent-
ACL rule.
Default No ACLs are configured by default. When you configure one, the log
option is disabled by default.

accounting
Usage An ACL can contain multiple rules. Each access-list command configures
one rule. Rules are added to the ACL in the order you configure them. The
first rule you add appears at the top of the ACL.
Rules are applied to the traffic in the order they appear in the ACL (from the
top, which is the first, rule downward). The first rule that matches traffic is
used to permit or deny that traffic. After the first rule match, no additional
rules are compared against the traffic.
To move a rule within the sequence, delete the rule, then re-add it with a
new sequence number.
Access lists do not take effect until you apply them:

• To use an ACL to filter traffic on an interface, see “access-list” on
page 287.
• To use an ACL to filter traffic on a virtual server port, see “access-list”
on page 745.
• To use an ACL with source NAT, see “ip nat inside” on page 367.
• To use an ACL to control management access, configure a standard

ACL instead. (See “access-list (standard)” on page 89.)
accounting
Description Configure TACACS+ as the accounting method for recording information
about user activities. The A10 Thunder Series and AX Series device sup-
ports the following types of accounting:
• EXEC accounting – provides information about EXEC terminal ses-
sions (user shells) on the ACOS device.
• Command accounting – provides information about the EXEC shell
commands executed under a specified privilege level. This command
also allows you to specify the debug level.
Syntax [no] accounting exec {start-stop | stop-only}

{radius | tacplus}
[no] accounting commands cmd-level stop-only

tacplus
[no] accounting debug debug-level

accounting
start-stop Sends an Accounting START packet to
TACACS+ servers when a user establishes a CLI
session, and an Accounting STOP packet when
the user logs out or the session times out.
stop-only Only sends an Accounting STOP packet when
the user logs out or the session times out.
radius |
tacplus Specifies the type of accounting server to use.
cmd-level Specifies which level of commands will be
accounted. The commands are divided into the
following levels:
15(admin) – Commands available for admin
(all commands)
14(config) – Commands available in config
mode (not include the command of “admin”
and those under the admin mode)
1(priv EXEC) – Commands available in
privileged EXEC mode
0 (user EXEC) – Commands available in
user EXEC mode
Command levels 2-13 are the same as command
level 1.
debug-level Specifies the debug level for accounting. The
debug level is set as flag bits for different types
of debug messages. The ACOS device has the
following types of debug messages:
0x1 – Common information such as “trying
to connect with TACACS+ servers”, “getting
response from TACACS+ servers”; they are
recorded in syslog.
0x2 – Packet fields sent out and received by
AX, not including the length fields; they are
printed out on the terminal.
0x4 – Length fields of the TACACS+ pack-
ets will also be printed on the terminal.
0x8 – Information about the TACACS+
MD5 encryption is recorded in syslog.
Default N/A

admin
Usage The accounting server also must be configured. See “radius-server” on

page 206 or “tacacs-server” on page 247.
Example The following command configures the ACOS device to send an Account-
ing START packet to the previously defined TACACS+ servers when a user
establishes a CLI session on the device. The ACOS device also will send an
Accounting STOP packet when a user logs out or their session times out.
ACOS(config)#accounting exec start-stop tacplus
The following command configures the ACOS device to send an

Accounting STOP packet when a user logs out or a session times out.
ACOS(config)#accounting exec stop-only tacplus
The following command configures the ACOS device to send an

Accounting STOP packet to TACACS+ servers before a CLI command of
level 14 is executed.
ACOS(config)#accounting commands 14 stop-only tacplus
The following command specifies debug level 15 for accounting.

ACOS(config)#accounting debug l5
admin
Configure an admin account for management access to the A10 Thunder
Series and AX Series device.
Syntax [no] admin admin-username
admin-username Admin username, 1-31 characters.
This command changes the CLI to the configuration level for the specified
admin account, where the following admin-related commands are available:
Command Description
access
{cli | web |
axapi} Specifies the management interfaces through
which the admin is allowed to access the ACOS
device.

admin
admin Enters the configuration level for another admin

account. If you are configuring multiple admin
accounts, this command simplifies navigation of
the CLI because you do not need to return to the
Configuration mode level to begin configuration
of the next account.
disable Disables the admin account.
enable Enables the admin account.
password string Sets the password, 1-63 characters. Passwords
are case sensitive and can contain special charac-
ters. (For more information, see “Special Charac-
ter Support in Strings” on page 47.)
privilege
priv-level |
[partition-
name]} Sets the privilege level for the account.
read – The admin can access the User EXEC
and Privileged EXEC levels of the CLI only.
write – The admin can access all levels of the
CLI.
partition-read – The admin has read-only
privileges within the private partition to which
the admin is assigned, and read-only privileges
for the shared partition.
partition-write – The admin has read-
write privileges within the private partition to
which the admin is assigned. The admin has
read-only privileges for the shared partition.
partition-enable-disable – The admin
has read-only privileges for real servers, with
permission to view service port statistics and to
disable or re-enable the servers and their service
ports. No other read-only or read-write privileges
are granted.
partition-name – The name of the private
partition to which the admin is assigned. This
option applies only to admins that have privilege
level partition-read, partition-write, or parti-
tion-enable-disable.
Note: Private partitions are used in Application Delivery Partitioning (ADP).

For information, see the System Configuration and Administration Guide.

admin
ssh-pubkey
options Manage public key authentication for the admin.
ssh-pubkey import url – Imports the
public key onto the ACOS device.
The url specifies the file transfer protocol, user-
name (if required), and directory path.
characters long.
tftp://host/file
ssh-pubkey delete num – Deletes a pub-
lic key. The num option specifies the key number
on the ACOS device. The key numbers are dis-
played along with the keys themselves by the
ssh-pubkey list command. (See below.)
ssh-pubkey list – Verifies installation of
the public key.
(For information about creating the public key,
see the Application Access Management and
DDoS Mitigation Guide.)
trusted-host
ipaddr
{subnet-mask |
/mask-length} Specifies the host or subnet address from which
the admin is allowed to log onto the ACOS
device.
unlock Unlocks the account. Use this option if the admin
has been locked out due to too many login
attempts with an incorrect password. (To config-
ure lockout parameters, see “admin lockout” on
page 103.)

admin
Default The system has a default admin account, with username “admin” and pass-
word “a10”. The default admin account has write privilege and can log on
from any host or subnet address.
Other admin accounts have the following defaults:

• access – Access is allowed through the CLI, GUI, and aXAPI interfaces.
• enable / disable – Admin accounts are enabled by default as soon as

you add them.
• password – “a10”. This is the default for the “admin” account and for
any admin account you configure if you do not configure the password
for the account.
• privilege – read
• trusted-host – 0.0.0.0 /0, which allows access from any host or subnet.
• unlock – N/A. Admin accounts are unlocked by default. They can

become locked based on admin lockout settings.
Usage An additional session is reserved for the “admin” account to ensure access.
If the maximum number of concurrent open sessions is reached, the
“admin” admin can still log in using the reserved session. This reserved ses-
sion is available only to the “admin” account.
Example The following commands add admin “adminuser1” with password “1234”:
ACOS(config)#admin adminuser1
ACOS(config-admin:adminuser1)#password 1234
Example The following commands add admin “adminuser2” with password

“12345678” and write privilege:
ACOS(config-admin:adminuser2)#password 12345678
ACOS(config-admin:adminuser2)#write
Example The following commands add admin “adminuser3” with password “abc-
defgh” and write privilege, and restrict login access to the 10.10.10.x subnet
only:
ACOS(config-admin:adminuser3)#password abcdefgh
ACOS(config-admin:adminuser3)#write
ACOS(config-admin:adminuser3)#trusted-host 10.10.10.0 /24

admin lockout
Example The following commands configure an admin account for a private parti-
tion:
ACOS(config)#admin compAadmin password compApwd
ACOS(config-admin:compAadmin)#privilege partition-write companyA
Modify Admin User successful !
Example The following commands deny management access by admin “admin2”

using the CLI or aXAPI:
ACOS(config)#admin admin2
ACOS(config-admin:admin2)#no access cli
ACOS(config-admin:admin2)#no access axapi
admin lockout
Description Set lockout parameters for admin sessions.
Syntax [no] admin lockout

{duration minutes | enable | reset-time minutes |
threshold number}
duration
minutes Number of minutes a lockout remains in effect.
After the lockout times out, the admin can try
again to log in. You can specify 0-1440 minutes.
To keep accounts locked until you or another
authorized administrator unlocks them, specify 0.
enable Enables the lockout feature.
reset-time
minutes Number of minutes the ACOS device remembers
failed login attempts. You can specify 1-1440
minutes.
threshold
number Number of consecutive failed login attempts
allowed before an administrator is locked out.
You can specify 1-10.
Default The lockout feature is disabled by default. This command has the following
defaults:
• duration – 10 minutes
• reset-time – 10 minutes
• threshold – 5

aflex
Example The following command enables admin lockout:

ACOS(config)#admin lockout enable
aflex
Description Configure an aFleX policy. For complete information about aFleX policies,
see the aFleX Scripting Language Reference Guide.
arp
Description Create a static ARP entry or change the timeout for dynamic entries.
Syntax [no] arp ipaddr mac-address

[interface ethernet number
[vlan vlan-id]]
[device DeviceID]
ipaddr IP address of the static entry.
mac-address MAC address of the static entry.
number Specifies the Ethernet data interface.
vlan vlan-id If the ACOS device is deployed in transparent
mode, and the interface is a tagged member of
multiple VLANs, use this option to specify the
VLAN for which to add the ARP entry.
device
DeviceID If the ACOS device is a member of an aVCS vir-
tual chassis, use this option to specify the device
ID to which to apply this command. If you omit
this option, the command is applied to the vMas-
ter. If applicable, the vMaster then applies the
command to the other devices in the virtual chas-
sis.
However, if you have changed the device context
of the management session from the vMaster to
another device, and you omit the device option,
the command is applied only to the other device
(the one to which you set the device context).
Default The default timeout for learned entries is 300 seconds. Static entries do not
time out.

arp timeout
arp timeout
Description Change the aging timer for dynamic ARP entries.
Syntax [no] arp timeout seconds

[device DeviceID]
seconds Number of seconds a dynamic entry can remain
unused before being removed from the ARP
table. You can specify 60-86400 seconds.
device
sis.
Default 300 seconds (5 minutes)
audit
Description Configure command auditing.
Syntax [no] audit enable [privilege]
[no] audit size num-entries

audit
enable
[privilege] Enables command auditing.
The privilege option enables logging of Privi-
leged EXEC commands also. Without this
option, only configuration commands are logged.
size num-
entries Specifies the number of entries the audit log file
can hold. You can specify 1000-30000 entries.
When the log is full, the oldest entries are
removed to make room for new entries.
Default Command auditing is disabled by default. When the feature is enabled, the
audit log can hold 20,000 entries by default.
Usage Command auditing logs the following types of system management events:
• Admin logins and logouts for CLI, GUI, and aXAPI sessions
• Unsuccessful admin login attempts
• Configuration changes. All attempts to change the configuration are

logged, even if they are unsuccessful.
• CLI commands at the Privileged EXEC level (if audit logging is enabled
for this level)
• HA configuration synchronization
The audit log is maintained in a separate file, apart from the system log. The
audit log is RBA-aware. The audit log messages that are displayed for an
admin depend upon the admin’s role (privilege level). Admins with Root,
Read Write, or Read Only privileges who view the audit log can view all the
messages, for all system partitions.
Admins who have privileges only within a specific partition can view only
the audit log messages related to management of that partition. Partition
Real Server Operator admins can not view any audit log entries.
Note: Backups of the system log include the audit log.

authentication
authentication
Description Set the authentication method used to authenticate administrative access to
the AX.
Syntax [no] authentication type method1

[method2 [method3 [method4]]]
Syntax [no] authentication disable-local
[console] type Uses the ACOS configuration for authentication.
If the administrative username and password
match an entry in the configuration, the adminis-
trator is granted access.
The console option applies the authentication
settings only to access through the console
(serial) port. Without this option, the settings
apply to all types of admin access.
ldap – Uses an external LDAP server for
authentication.
local – Uses the ACOS configuration for
authentication. If the administrative username
and password match an entry in the configura-
tion, the administrator is granted access.
radius – Uses an external RADIUS server for
authentication.
tacplus – Uses an external TACACS+ server
for authentication.
disable-local Disables automatic local authentication of the
“admin” account. Without this option, the
“admin” account is always authenticated locally,
regardless of the authentication configuration
used for the other admin accounts.
Default By default, only local authentication is used.
Usage The local database (local option) must be included as one of the authentica-
tion sources, regardless of the order is which the sources are used. Authenti-
cation using only a remote server is not supported.

authentication
You can specify more than 2 authentication methods for authentication of

AX admins. For example, you can configure the ACOS device to try the
methods in the following order when authenticating an admin: (1) LDAP,
(2) TACACS+, (3) RADIUS, (4) Local database.
In this case, the ACOS device tries to use the LDAP servers first. If no
LDAP servers respond, then the ACOS device tries to use the TACACS+
servers. If no TACACS+ servers respond either, the ACOS device then tries
the RADIUS servers. If no RADIUS servers respond either, the ACOS
device uses the local database.
The authentication server(s) also must be configured. See “radius-server”

on page 206 or “tacacs-server” on page 247.
If the RADIUS or TACACS+ server responds, the local database is not

checked.
• If the admin name and password are found on the RADIUS or
TACACS+ server, the admin is granted access.
• If the admin name and password are not found on the RADIUS or
TACACS+ server, the admin is denied access.
Only if there is no response from any RADIUS or TACACS+ server, does

the ACOS device check its local database for the admin name and pass-
word.
Note: An exception is made for the “admin” account. By default, the ACOS
device always uses local authentication for “admin”. You can use the dis-
able-local option to disable automatic local authentication for “admin”, in
which case the authentication process is the same as for other admin
accounts.
Example The following commands configure a pair of RADIUS servers and config-
ure the ACOS device to try them first, before using the local database. Since
10.10.10.12 is added first, this server will be used as the primary server.
Server 10.10.10.13 will be used only if the primary server is unavailable.
The local database will be used only if both RADIUS servers are unavail-
able.
ACOS(config)#radius-server host 10.10.10.12 secret radp1
ACOS(config)#authentication type radius local

authentication enable
authentication enable
Description Configuration authentication of admin enable (Privileged mode) access.
Syntax [no] authentication enable

{local [tacplus] | tacplus [local]}
local Uses the ACOS configuration for authentication
of the enable password.
tacplus Uses TACACS+ for authentication of the enable
password.
Default local
Introduced in Release 2.7.1
Usage The authentication enable command operates differently depending on the

authentication mode command setting:
• For authentication mode multiple, the ACOS device will attempt
to authenticate the admin with the first specified method. If the first
method fails, the next specified method is used.
• For authentication mode single, the ACOS device will attempt to
authenticate the admin with the first specified method. If the method
fails, the ACOS device will return an error. By default, authentica-
tion mode single is selected.
See “authentication mode” on page 110.
authentication login privilege-mode

Description Places TACACS+-authenticated admins who log into the CLI at the Privi-
leged EXEC level of the CLI instead of at the User EXEC level.
Syntax [no] authentication login privilege-mode
Default Disabled

authentication mode
authentication mode
Description Enable tiered authentication.
Syntax [no] authentication mode {multiple | single}
cmd-level Specifies the level of commands that will be
authorized.
Default By default, single authentication mode is used.
Usage The default behavior is without tiered authentication, in which case the
backup authentication method will only be used if the primary method does
not respond. If the primary method does respond but denies access, then the
secondary method is simply not used. The admin is not granted access.
You can enable “tiered authentication”, in which case the ACOS device will
check the next method even if the primary method does respond but authen-
tication fails using that method.
For example, if the primary method is RADIUS and the next method is
TACACS+, and RADIUS rejects the admin, tiered authentication attempts
to authenticate the admin using TACACS+.

authentication-logon
Table 1 describes the AX authentication behavior based on the tiered

authentication setting.
TABLE 1 Authentication Process Based on Tiered Authentication Setting

Tiered
Authentication AX Behavior
Setting
1. Try method1. If a method1 server replies, permit or deny access based on the server
reply.
2. Only if no method1 servers reply, try method2. If a method2 server replies, permit or
Single deny access based on the server reply.
(default) 3. Only if no method2 servers reply, try method3. If a method3 server replies, permit or
deny access based on the server reply.
4. Only if no method3 servers reply, try method4. If authentication succeeds, the admin
is permitted. Otherwise, the admin is denied.
1. Try method1. If a method1 server replies, permit or deny access based on the server
reply.
2. If no method1 servers reply or a method1 server denies access, try method2.
Multiple
3. If no method2 servers reply or a method2 server denies access, try method3.
4. If no method3 servers reply or a method3 server denies access, try method4. If
authentication succeeds, the admin is permitted. Otherwise, the admin is denied.
Tiered authentication is disabled (set to single) by default. You can enable it

on a global basis.
authentication-logon
Description See “Config Commands: Application Access Management” on page 261.
authentication-relay
authentication-server

authorization
authorization
Description Configure authorization for controlling access to functions in the CLI. The
ACOS device can use TACACS+ for authorizing commands executed under
a specified privilege level. This command also allows the user to specify the
level for authorization debugging.
Syntax [no] authorization commands cmd-level method

{[tacplus [none] | none}
[no] authorization debug debug-level
cmd-level Specifies the level of commands that will be
authorized. The commands are divided into the
following levels:
15(admin) – This is the most extensive level
of authorization. Commands at all CLI lev-
els, including those used to configure admin
accounts, are sent to TACACS+ for authori-
zation.
14(config) – Commands at all CLI levels
except those used to configure admin
accounts are sent to TACACS+ for authori-
zation. Commands for configuring admin
accounts are automatically allowed.
1(priv EXEC) – Commands at the Privileged
EXEC and User EXEC levels are sent to
TACACS+ for authorization. Commands at
other levels are automatically allowed.
0 (user EXEC) – Commands at the User
EXEC level are sent to TACACS+ for autho-
rization. Commands at other levels are auto-
matically allowed.
Command levels 2-13 are equivalent to com-
mand level 1.
tacplus Specifies TACACS+ as the authorization
method. (If you omit this option, you must spec-

authorization
ify none as the method, in which case no authori-

zation will be performed.)
tacplus none If all the TACACS+ servers fail to respond, then
no further authorization will be performed and
the command is allowed to execute.
none No authorization will be performed.
debug-level Specifies the debug level for authorization. The
debug level is set as flag bits for different types
of debug messages. The A10 Thunder Series and
AX Series has the following types of debug mes-
sages:
0x1 – Common system events such as “try-
ing to connect with TACACS+ servers” and
“getting response from TACACS+ servers”.
These events are recorded in the syslog.
0x2 – Packet fields sent out and received by
the A10 Thunder Series and AX Series
device, not including the length fields. These
events are written to the terminal.
0x4 – Length fields of the TACACS+ pack-
ets will also be displayed on the terminal.
0x8 – Information about TACACS+ MD5
encryption will be sent to the syslog.
Default Not set
Usage The authorization server also must be configured. See “radius-server” on

page 206 or “tacacs-server” on page 247.
Example The following command specifies the authorization method for commands
executed at level 14: try TACACS+ first but if it fails to respond, then allow
the command to execute without authorization.
ACOS(config)#authorization commands 14 method tacplus none
The following command specifies debug level 15 for authorization:

ACOS(config)#authorization debug l5

axdebug
axdebug
Description Access the AX debug subsystem. See “AX Debug Commands” on
page 1069.
backup periodically
Description Schedule periodic backups.
Caution: After configuring this feature, make sure to save the configuration. If
the device resets before the configuration is saved, the backups will
not occur.
Syntax [no] backup periodically {system | log}

{hour num | day num | week num}
[use-mgmt-port] url
system Backs up the following system files:
– Startup-config files
– Admin accounts and login and enable pass-
words
– aFleX scripts
– Class lists and black/white lists
– Scripts for external health monitors
– SSL certificates, keys, and certificate revoca-
tion lists
If custom configuration profiles are mapped to
the startup-config, they also are backed up.
log Backs up the system log.
hour num |
day num |
week num Specifies how often to perform the back ups. You
can specify one of the following:
hour num – Performs the backup each time the
specified number of hours passes. For example,
specifying hour 3 causes the backup to occur
every 3 hours. You can specify 1-65534 hours.
There is no default.

backup periodically
day num – Performs the backup each time the

specified number of days passes. For example,
specifying day 5 causes the backup to occur
every 5 days. You can specify 1-199 days. There
is no default.
week num – Performs the backup each time the
specified number of weeks passes. For example,
specifying week 4 causes the backup to occur
every 4 weeks. You can specify 1-199 weeks.
device. Without this option, the ACOS device
url Specifies the file transfer protocol, username (if
required), and directory path to which to save the
backups.
characters long.
tftp://host/file
Default Not set
Example The following commands schedule weekly backups of the entire system,
verify the configuration, and save the backup schedule to the startup-config:
ACOS(config)#backup periodically system week 1 ftp:
Address or name of remote host []?10.10.10.4
User name []?admin2
Password []?********

banner
File name [/]?weekly-sys-backup

ACOS(config)#show backup
backup periodically system hour 168 ftp://admin2@10.10.10.4//weekly-sys-backup
Next backup will occur at 14:37:00 PDT Thu Aug 19 2010
ACOS(config)#write memory
[OK]
banner
Set the banners to be displayed when an admin logs onto the CLI or
accesses the Privileged EXEC mode.
Syntax Description [no] banner {exec | login} [multi-line end-marker]

line
exec Configures the EXEC mode banner.
login Configures the login banner.
multi-line
end-marker Hexadecimal number to indicate the end of a
multi-line message. The end marker is a simple
string up to 2-characters long, each of the which
must be an ASCII character from the following
range: 0x21-0x7e.
The multi-line banner text starts from the first
line and ends at the marker. If the end marker is
on a new line by itself, the last line of the banner
text will be empty. If you do not want the last line
to be empty, put the end marker at the end of the
last non-empty line.
line Specifies the banner text.
Default The default login banner is as follows: “Welcome to AX”
The default EXEC banner is as follows: “[type ? for help]”
Example The following examples set the login banner to “welcome to login mode”
and set the EXEC banner to a multi-line greeting:

bfd echo
ACOS(config)#banner exec welcome to exec mode

ACOS(config)#banner login multi-line bb
Enter text message, end with string 'bb'.
Here is a multi-line
Greeting.
bb
ACOS(config)#
bfd echo
Description Enables echo support for Bidirectional Forwarding Detection (BFD).
Syntax [no] bfd echo
Default Disabled
Usage BFD echo enables a device to test data path to the neighbor and back. When
a device generates a BFD echo packet, the packet uses the routing link to the
neighbor device to reach the device. The neighbor device is expected to
send the packet back over the same link.
bfd enable
Description Enable Bidirectional Forwarding Detection (BFD) on a global basis.
Syntax [no] bfd {echo | enable | interval}
echo Globally enables the echo function. When the
echo option is enabled, the detection interval, (or
the time that the ACOS device waits for a BFD
control packet from a BFD neighbor), is set auto-
matically to 3200 ms.
enable Globally enable BFD packet processing.
interval [ms]
min-rx [ms]
multiplier Transmit interval between BFD packets. The ms
option allows you to specify a value from 48-
1000 milliseconds. The multiplier option is a

bfd interval
value used to multiply the interval and can range

from 3-50.
Default Disabled
bfd interval
Description Configure BFD timers.
Syntax [no] bfd interval ms min-rx ms multiplier num
interval ms Rate at which the ACOS device sends BFD con-
trol packets to its BFD neighbors. You can spec-
ify 48-1000 milliseconds (ms).
min-rx ms Minimum amount of time in milliseconds that
the ACOS device waits to receive a BFD control
packet from a BFD neighbor. If a control packet
is not received within the specified time, the mul-
tiplier (below) is incremented by 1. You can
specify 48-1000 ms. The default is 800 ms.
multiplier num Maximum number of consecutive times the
ACOS device will wait for a BFD control packet
from a neighbor. If the multiplier value is
reached, the ACOS device concludes that the
routing process on the neighbor is down. You can
specify 3-50.
Default The BFD timers have the following defaults:

• interval – 800 ms
• min-rx – 800 ms
• multiplier – 4
Usage If you configure the interval timers on an individual interface, then the inter-
face settings are used instead of the global settings. Similarly, if the BFD

bgp extended-asn-cap
timers have not been configured on an interface, then the interface will use
the global settings.
Note: BFD always uses the globally configured interval timer if it's for a BGP
loopback neighbor.
Description Enable the ACOS device to send 4-octet BGP Autonomous System Number
(ASN) capabilities.
Syntax [no] bgp extended-asn-cap
Default Disabled; 2-octet ASN capabilities are enabled instead.
Usage To configure other BGP parameters, see “Config Commands: Router –

BGP” on page 491.
bgp nexthop-trigger
Description Configure BGP nexthop tracking.
Syntax [no] bgp nexthop-trigger delay seconds
[no] bgp nexthop-trigger enable
delay seconds Specifies the how long BGP waits before walk-
ing the full BGP table to determine which pre-
fixes are affected by the nexthop changes, after
receiving a trigger about nexthop changes. You
enable Enables nexthop tracking.
Default BGP nexthop tracking is disabled by default. When you enable it, the
default delay is 5 seconds.

big-buff-pool
Usage To configure other BGP parameters, see “Config Commands: Router –

BGP” on page 491.
big-buff-pool
Description On high-end models only, you can enable the big-buff-pool option to
expand support from 4 million to 8 million buffers and increase the buffer
index from 22 to 24 bits.
Note: The AX 5200-11 requires 96 Gb of memory to support this feature. To

check that your system meets this requirement, use the show memory
system CLI command.
Syntax [no] big-buff-pool
Default Disabled
Example The following commands enable a larger I/O buffer pool for an AX 5630:
ACOS(config)#no big-buff-pool
This will modify your boot profile to disable big I/O buffer pool.
It will take effect starting from the next reboot.
Please confirm: You want to disable the big I/O buffer pool(N/Y)?:
Y
boot-block-fix
Description Repair the master boot record (MBR) on the hard drive or compact flash.
Note: AX Release 2.6.1 provides a new boot menu that allows you to select the
image area from which to boot. This command is used in the procedure to
install the new boot menu. See “Usage” below.
Syntax boot-block-fix {cf | hd}
cf | hd Medium to be repaired:
cf – compact flash
hd – hard disk

bootimage
Default N/A
Usage The MBR is the boot sector located at the very beginning of a boot drive.
Under advisement from A10 Networks, you can use the command if your
compact flash or hard drive cannot boot. If this occurs, boot from the other
drive, then use this command.
Installing the New Boot Loader Menu Introduced in AX Release

2.6.1
The new bootloader menu provided as part of AX Release 2.6.1 is not auto-
matically installed when you upgrade from an earlier release. To install the
new bootloader menu:
1. Upgrade to AX Release 2.6.1. (For instructions, see the release notes.)
2. Reboot using the new image, if you have not already done so. To reboot,
change to the Privileged EXEC level of the CLI and enter the reboot
command:
enable (to access the Privileged EXEC level)
reboot
3. After the reboot is finished, log in.
4. Access the the global configuration level of the CLI:

enable
configure
5. Enter the following command at the global configuration level of the

CLI:
boot-block-fix hd
bootimage
Description Specify the boot image location from which to load the system image the
next time the A10 Thunder Series and AX Series is rebooted.
Syntax bootimage {both | cf | hd} {pri | sec}

[device DeviceID]

bpdu-fwd-group
cf | hd Boot medium. The A10 Thunder Series and AX
Series device always tries to boot using the hard
disk (hd) first. The compact flash (cf) is used
only if the hard disk is unavailable.
pri | sec Boot image location, primary or secondary.
device
sis.
Default The default location is primary, for both the hard disk and the compact
flash.
Example The following command configures the A10 Thunder Series and AX Series
to boot from the secondary image area on the hard disk the next time the
device is rebooted:
ACOS(config)#bootimage hd sec
bpdu-fwd-group
Description Configure a group of tagged Ethernet interfaces for forwarding Bridge Pro-
tocol Data Units (BPDUs). BPDU forwarding groups enable you to use the
ACOS device in a network that runs Spanning Tree Protocol (STP).
A BPDU forwarding group is a set of tagged Ethernet interfaces that will

accept and broadcast STP BPDUs among themselves. When an interface in
a BPDU forwarding group receives an STP BPDU (a packet addressed to
MAC address 01-80-C2-00-00-00), the interface broadcasts the BPDU to all
the other interfaces in the group.
Syntax [no] bpdu-fwd-group group-num

bpdu-fwd-group
group-num BPDU forwarding group number, 1-8.
If the ACOS device is a member of an aVCS vir-
tual chassis, specify the group number as fol-
lows:
DeviceID/group-num
This command changes the CLI to the configuration level for the BPDU
forwarding group, where the following command is available.
Command Description
[no] ethernet
portnum
[to portnum]
[ethernet
portnum] ... Ethernet interfaces to add to the BPDU forward-
ing group.
Default None
Usage This command is specifically for configuring VLAN-tagged interfaces to

accept and forward BPDUs.
Rules for trunk interfaces:

• BPDUs are broadcast only to the lead interface in the trunk.
• If a BPDU is received on an Ethernet interface that belongs to a trunk,

the BPDU is not broadcast to any other members of the same trunk.
Example The following commands create BPDU forwarding group 1 containing

Ethernet ports 1-3, and verify the configuration:
ACOS(config)#bpdu-fwd-group 1
ACOS(config-bpdu-fwd-group:1)#ethernet 1 to 3
ACOS(config-bpdu-fwd-group:1)#show bpdu-fwd-group
BPDU forward Group 1 members: ethernet 1 to 3

bridge-vlan-group
bridge-vlan-group
Description Configure a bridge VLAN group for VLAN-to-VLAN bridging.
Syntax [no] bridge-vlan-group group-num
group-num Bridge VLAN group number.
tual chassis, specify the group number as fol-
lows:
DeviceID/group-num
bridge VLAN group, where the following configuration commands are
available:
Command Description
forward-all-
traffic |
forward-ip-
traffic Specifies the types of traffic the bridge VLAN
group is allowed to forward:
forward-all-traffic – This option forwards all
types of traffic.
forward-ip-traffic – This option includes typical
traffic between end hosts, such as ARP requests
and responses.
[no] name
string Specifies a name for the group. The string can be
1-63 characters long. If the string contains blank
spaces, use double quotation marks around the
entire string.
[no] router-
interface ve
num Adds a Virtual Ethernet (VE) interface to the
group. This command is applicable only on
ACOS devices deployed in gateway mode. The
VE number must be the same as the lowest num-
bered VLAN in the group.

bw-list
[no]
vlan vlan-id
[vlan vlan-id
... | to vlan
vlan-id] Adds VLANs to the group.
Default By default, the configuration does not contain any bridge VLAN groups.
When you create a bridge VLAN group, it has the following default set-
tings:
• forward-all-traffic | forward-ip-traffic – forward-ip-traffic
• name – Not set
• router-interface – Not set
• vlan – Not set
Usage VLAN-to-VLAN bridging is useful in cases where reconfiguring the hosts

on the network either into the same VLAN, or into different IP subnets, is
not desired or is impractical.
In bridge VLAN group configurations, the VE number must be the same as

the lowest numbered VLAN in the group.
Example For more information, including configuration notes and examples, see the
“VLAN-to-VLAN Bridging” chapter in the System Configuration and
Administration Guide.
bw-list
Description Import a black/white list for Policy-based SLB (PBSLB).
Syntax [no] bw-list name [use-mgmt-port] url

[period seconds] [load]
name Black/white list name, 1-63 characters.

bw-list
url File transfer protocol, username (if required),

directory path, and filename. The following URL
format is supported:
tftp://host/file
period seconds Specifies how often the A10 Thunder Series and
AX Series device re-imports the list to ensure
that changes to the list are automatically repli-
cated on the ACOS device. You can specify 60-
86400 seconds.
load Immediately re-imports the list to get the latest
changes. Use this option if you change the list
and want to immediately replicate the changes on
the ACOS device, without waiting for the update
period.
Note: If you use the load option, the CLI cannot accept any new commands
until the load is completely finished. For large black/white lists, loading
can take a while. Do not abort the load process; doing so can also interrupt
periodic black/white-list updates. If you do accidentally abort the load
process, repeat the command with the load option and allow the load to
complete.
Default The default period is 300 seconds.
Usage A TFTP server is required on the PC and the TFTP server must be running
when you enter the bw-list command.
If a connection limit is specified in a black/white list, the ACOS device does

not support using the list for both system-wide PBSLB and for PBSLB on
an individual virtual port. In this case, the ACOS device may increase the
current connection counter more than once, resulting in a much lower con-
nection limit than the configured value. To work around this issue, use sepa-
rate black/white lists.
Example The following command imports black/white list “sample-bwlist.txt” onto

the ACOS device:
ACOS(config)#bw-list sample-bwlist tftp://myhost/TFTP-Root/AX_bwlists/sample-
bwlist.txt

class-list (for IP limiting)

Description Configure an IP class list for use with the IP limiting feature.
Syntax [no] class-list list-name [file filename]

[ipv4 | ipv6 | dns | string]
list-name Adds the list to the running-config.
filename file Saves the list to a standalone file on the ACOS
device.
ipv4 | ipv6 Identifies this as an IPv4 or IPv6 class list.
Note: A class list can be exported only if you use the file option.
class list, where the following command is available.
(The other commands are common to all CLI configuration levels. See
“Config Commands: Global” on page 89.)
Command Description
[no] {ipaddr
/network-mask |
ipv6-
addr/prefix-
length}
[glid num |
lid num]
[age seconds] Adds an entry to the class list.
ipaddr /network-mask – Specifies the IPv4 host
or subnet address of the client. The network-
mask specifies the network mask.
To configure a wildcard IP address, specify
0.0.0.0 /0. The wildcard address matches on all
addresses that do not match any entry in the class
list.
ipv6-addr/prefix-length – Specifies the IPv6 host
or network address of the client.
glid num | lid num – Specifies the ID of the IP
limiting rule to use for matching clients. You can
use a system-wide (global) IP limiting rule or an

IP limiting rule configured in a PBSLB policy

template.
– To use an IP limiting rule configured at the
Configuration mode level, use the glid num
option.
– To use an IP limiting rule configured at the
same level (in the same PBSLB policy template)
as the class list, use the lid num option.
To exclude a host or subnet from being limited,
do not specify an IP limiting rule.
age seconds – Removes a host entry from the
class list after the specified number of minutes.
You can specify 1-2000 minutes.
When you assign an age value, the host entry
remains in the class list only for the specified
number of minutes. After the age expires
(reaches 0), the host entry is removed from the
class list within the next minute.
You can use the age option in combination with
IP limiting options in the LID or GLID to tempo-
rarily control client access. Any traffic limiting
settings in the LID or GLID assigned to the host
entry take effect only until the age expires.
Note: The age option applies only to host entries (IPv4 /32 or IPv6 /128). The
age option is not supported for subnet entries.
Default None
Usage Configure the GLIDs or LIDs before configuring the class list entries. To
configure a GLID or LID for IP limiting, see “glid” on page 155 or “slb
template policy” on page 639.
As an alternative to configuring class entries on the ACOS device, you can

configure the class list using a text editor on another device, then import the
class list onto the ACOS device. To import a class list, see “import” on
page 76.
Note: If you use a class-list file that is periodically re-imported, the age for
class-list entries added to the system from the file does not reset when the
class-list file is re-imported. Instead, the entries are allowed to continue
aging normally. This is by design.

class-list (for VIP-based DNS caching)
For more information about IP limiting, see the Application Access Man-
agement and DDoS Mitigation Guide.
Request Limiting and Request-rate Limiting in Class Lists

If a LID or GLID in a class list contains settings for request limiting or
request-rate limiting, the settings apply only if the following conditions are
true:
1. The LID or GLID is used within a policy template.
2. The policy template is bound to a virtual port.
In this case, the settings apply only to the virtual port. The settings do not
apply in any of the following cases:
• The policy template is applied to the virtual server, instead of the virtual
port.
• The settings are in a system-wide GLID.
• The settings are in a system-wide policy template.
Note: This limitation does not apply to connection limiting or connection-rate

limiting. Those settings are valid in all the cases listed above.
Example The following commands configure class list “global”, which matches on
all clients, and uses IP limiting rule 1:
ACOS(config)#class-list global
ACOS(config-class list)#0.0.0.0/0 glid 1

Description Configure an IP class list for use VIP-based DNS caching.
Syntax [class-list list-name [file filename] [dns]
filename file Saves the list to a file.
dns Identifies this list as a DNS class list.
class list, where the following command is available.

Command Description
[no] dns
match-option
domain-string
lid num Specifies the match conditions for domain strings
and maps matching strings to LIDs.
match-option – Specifies the match criteria for
the domain-string. The match-option can be one
of the following:
dns contains – The entry matches if the
DNS request is for a domain name that con-
tains the domain-string anywhere within the
requested domain name.
dns starts-with – The entry matches if the
DNS request is for a domain name that
begins with the domain-string.
dns ends-with – The entry matches if the
DNS request is for a domain name that ends
with the domain-string.
domain-string – Specifies all or part of the
domain name on which to match. You can use the
wildcard character * (asterisk) to match on any
single character.
For example, “www.example*.com” matches on
all the following domain names:
www.example1.com, www.example2.com,
www.examplea.com, www.examplez.com, and
so on.
For wildcard matching on more than one charac-
ter, you can use the dns contains, dns starts-
with, and dns ends-with options. For example,
“dns ends-with example.com” matches on both
abc.example.com and www.example.com.
lid num – Specifies a list ID (LID) in the DNS
template. LIDs contain DNS caching policies.
The ACOS device applies the DNS caching pol-
icy in the specified LID to the domain-string.
Default None

class-list (for many pools, non-LSN)
Usage Configure the LIDs before configuring the class-list entries. LIDs for DNS
caching can be configured in DNS templates. (See “slb template dns (DNS
caching)” on page 601.)

page 76.
Example See the “DNS Optimization and Security” chapter in the Application Deliv-
ery and Server Load Balancing Guide.
class-list (for many pools, non-LSN)

Description Configure IP class lists for deployment that use a large number of NAT
pools.

[ipv4 | ipv6]
list-name. Adds the list to the running-config.
filename file. Saves the list to a standalone file on the ACOS
device.
ipv4 | ipv6. Identifies this list as an IPv4 or IPv6 class list.
class list, where the following commands are available.
Command Description
[no] ipaddr
/network-mask
glid num. Specifies the inside subnet that requires NAT.
The network-mask specifies the network mask.
To configure a wildcard IP address, specify
0.0.0.0 /0. The wildcard address matches on all
addresses that do not match any entry in the class
list.
The glid num option specifies the global LID that
refers to the pool.

class-list (string)
Default None
Usage First configure the IP pools. Then configure the global LIDs. In each global
LID, use the use-nat-pool pool-name command to map clients to the pool.
Then configure the class list entries.

page 76.
Example See the “Configuring Dynamic IP NAT with Many Pools” section in the
“Network Address Translation” chapter of the System Configuration and
class-list (string)
Description Configure a class list that you can use to modify aFleX scripts, without he
need to edit the script files themselves.

[string]
filename file Saves the list to a standalone file on the ACOS
device.
string Identifies this as a string class list.
Note: A class list can be exported only if you use the file option.
Note: For more information, see the aFleX Scripting Language Reference.

clock timezone
clock timezone
Set the clock timezone.
Syntax Description clock timezone timezone [nodst]
timezone Timezone to use. To view the available time-
zones, enter the following command:
clock timezone ?
nodst Disables Daylight Savings Time.
Default Europe/Dublin (GMT)
Usage If you use the GUI or CLI to change the ACOS timezone or system time, the
statistical database is cleared. This database contains general system statis-
tics (performance, and CPU, memory, and disk utilization) and SLB statis-
tics. For example, in the GUI, the graphs displayed on the Monitor >
Overview page are cleared.
Example The following commands list the available timezones, then set the timezone
to America/Los_Angeles:
ACOS(config)#clock timezone ?
Pacific/Midway (GMT-11:00)Midway Island, Samoa
Pacific/Honolulu (GMT-10:00)Hawaii
America/Anchorage (GMT-09:00)Alaska
...
ACOS(config)#clock timezone America/Los_Angeles
convert-passwd
Description Convert admin accounts and enable passwords into pre-1.2.7 format before
downgrade to AX Release 1.2.6 or earlier.
Syntax convert-passwd {pri | sec}
pri | sec Specifies the image area to which you want to
save the admin accounts and passwords. Specify
the image area from which you to plan to boot
using the 1.2.6 or earlier image.

copy
Default N/A
Usage Use this command only if you are planning to downgrade to AX Release
1.2.6 or earlier. Use the command before you downgrade.
In AX Release 1.2.7 and later, the ACOS device maintains all admin
accounts and enable passwords in a single file, which applies to both the pri-
mary and secondary image areas. In software releases prior to 1.2.7, the
ACOS device maintained separate files for the primary and secondary
image areas. During runtime, the ACOS device used the admin accounts
and enable passwords that were in the file corresponding to the image area
from which the device was booted.
To keep the new admin accounts and enable passwords, perform the follow-
ing steps before you downgrade:
1. Log onto the CLI, with an admin account that has Root or global Read-
Write (Super User) privileges. Partition admin accounts can not be used.
2. Save the configuration (write memory), to save any new or changed

admin accounts or passwords. (If you perform step 2 without first saving
the configuration, any unsaved admin account or password changes will
be lost.)
3. Use the following command at the Configuration mode level of the CLI:
convert-passwd {pri | sec}
The pri | sec option specifies the image area to which you want to save
the admin accounts and passwords. Specify the image area from which
you to plan to boot using the 1.x image.
copy
Copy a running-config or startup-config.
Syntax Description copy {running-config | startup-config |

from-profile-name}
[use-mgmt-port]
{url | to-profile-name [cf]}

copy
running-config Copies the commands in the running-config to
the specified URL or local profile name.
startup-config Copies the configuration profile that is currently
linked to “startup-config” and saves the copy
under the specified URL or local profile name.
url Copies the running-config or configuration pro-
file to a remote device. The URL specifies the
file transfer protocol, username, and directory
path.
characters long.
tftp://host/file
from-profile-
name Configuration profile you are copying from.
to-profile-name
[cf] Configuration profile you are copying to. The cf
option copies the profile to the compact flash
instead of the hard disk.
Note: Copying a profile from the compact flash to the hard disk is not sup-
ported.
Note: You cannot use the profile name “default”. This name is reserved and
always refers to the configuration profile that is stored in the image area
from which the ACOS device most recently rebooted.

debug
Default None
Usage If you are planning to configure a new ACOS device by loading the config-
uration from another ACOS device:
1. On the configured ACOS device, use the copy startup-config url com-
mand to save the startup-config to a remote server.
2. On the new ACOS device, use the copy url startup-config command to
copy the configured ACOS device’s startup-config from the remote
server onto the new ACOS device.
3. Use the reboot command (at the Privileged EXEC level) to reboot the
new ACOS device.
4. Modify parameters as needed (such as IP addresses).
If you attempt to copy the configuration by copying-and-pasting it from a

CLI session on the configured ACOS device, some essential parameters
such as interface states will not be copied.
Example The following command copies the configuration profile currently linked to
“startup-config” to a profile named “slbconfig3” and stores the profile
locally on the ACOS device:
ACOS(config)#copy startup-config slbconfig3
debug
Note: A10 Networks Technical Support recommends using the AXdebug com-
mands instead of the debug command. (See “AX Debug Commands” on
page 1069.)
delete startup-config
Description Delete a locally stored configuration profile.
Syntax delete startup-config profile-name [cf]
profile-name Configuration profile name.
cf Deletes the specified profile from compact flash
instead of the hard disk. If you omit this option,
the profile is deleted from the hard disk.

disable reset statistics
Default N/A
Usage Although the command uses the startup-config option, the command only
deletes the configuration profile linked to “startup-config” if you enter that
profile’s name. The command deletes only the profile you specify.
If the configuration profile you specify is linked to “startup-config”,

“startup-config” is automatically relinked to the default. (The default is the
configuration profile stored in the image area from which the ACOS device
most recently rebooted).
Example The following command deletes configuration profile “slbconfig2”:

ACOS(config)#delete startup-config slbconfig2
disable reset statistics

Description Prevents resetting (clearing) of statistics for the following resources: SLB
servers, service groups, virtual servers, and Ethernet interfaces.
Syntax disable reset statistics
Default Disabled (clearing of statistics is allowed)
Usage Admins with the following CLI roles are allowed to disable or re-enable
clearing of SLB and Ethernet statistics:
• write
• partition-write
Example The following command disables reset of SLB and Ethernet statistics:
ACOS(config)#disable reset statistics

disable slb
disable slb
Description Disable real or virtual servers.
Syntax disable slb server [server-name] [port port-num]
disable slb virtual-server [server-name]

[port port-num]
server-name Disables the specified real or virtual server.
port port-num Disables only the specified service port. If you
omit the server-name option, the port is disabled
on all real or virtual servers. Otherwise, the port
is disabled only on the server you specify.
Default Enabled
Example The following command disables all virtual servers:

ACOS(config)#disable slb virtual-server
Example The following command disables port 80 on all real servers:

ACOS(config)#disable slb server port 80
Example The following command disables port 8080 on real server “rs1”:
ACOS(config)#disable slb server rs1 port 8080
disable-failsafe
Description Disable fail-safe monitoring for software-related errors.
Syntax [no] disable-failsafe

[all | io-buffer | session-memory | system-memory]
all Disables fail-safe monitoring for all the follow-
ing types of software errors.
io-buffer Disables fail-safe monitoring for IO-buffer
errors.

disable-management
session-memory Disables fail-safe monitoring for session-mem-

ory errors.
system-memory Disables fail-safe monitoring for system-memory
errors.
Default Fail-safe monitoring and automatic recovery are disabled by default, for
both hardware and software errors.
disable-management
Description Disable management access to the A10 Thunder Series and AX Series
device.
Syntax [no] disable-management

[device DeviceID]
service
{all | ssh | telnet | http | https | snmp | ping}
{management | ethernet port-num [to port-num] |
ve ve-num [to ve-num]}
or
Syntax [no] disable-management

[device DeviceID]
service acl acl-num
device
sis.

disable-management

all Disables access to all the management services
listed in Table 2.
ssh Disables SSH access to the CLI.
telnet Disables Telnet access to the CLI.
http Disables HTTP access to the management GUI.
https Disables HTTPS access to the management GUI.
snmp Disables SNMP access to the ACOS device’s
SNMP agent.
ping Disables ping replies from AX interfaces. This
option does not affect the ACOS device’s ability
to ping other devices.
acl acl-num Permits or denies management access based on
permit or deny rules in the ACL.
management |
ethernet
port-num
[to port-num] |
ve ve-num
[to ve-num] Specifies the interfaces for which you are config-
uring access control.
Note: Disabling ping replies from being sent by the device does not affect the
device’s ability to ping other devices.
Default Table 2 lists the default settings for each management service.
TABLE 2 Default Management Access

Ethernet
Management Management Ethernet and VE
Service Interface Data Interfaces
SSH Enabled Disabled
Telnet Disabled Disabled
HTTP Enabled Disabled
HTTPS Enabled Disabled
SNMP Enabled Disabled
Ping Enabled Enabled

disable-management
Usage If you disable the type of access you are using on the interface you are using
at the time you enter this command, your management session will end. If
you accidentally lock yourself out of the device altogether (for example, if
you use the all option for all interfaces), you can still access the CLI by con-
necting a PC to the ACOS device’s serial port.
To enable management access, see “enable-management” on page 147.
You can enable or disable management access, for individual access types
and interfaces. You also can use an Access Control List (ACL) to permit or
deny management access through the interface by specific hosts or subnets.
ACL Support on the Management Interface

The management interface supports only a single ACL. The ACL can be
applied (bound to the interface) as an enable-management ACL, or can be
applied directly to the interface as a filter. In either case, only one ACL is
supported. To replace the ACL with a different one, you must remove the
ACL that is already on the interface first.
For example, either of the following sets of commands is valid but not both:
ACOS(config)#enable-management service acl 1 manage-
ment
or
ACOS(config)#interface management
ACOS(config-if:management)#access-list 1 in
Additionally, if you apply an enable-management ACL to the management

interface, an ACL for an individual service is not supported. For example,
the following rule is not supported on the management interface:
enable-management service
{ping | ssh | telnet | http | https}
acl {id | name} management
ACL Support on Data Interfaces

Data interfaces can support multiple ACLs, including multiple enable-
management ACLs. If a data interface has multiple enable-management
ACLs, they are applied in the following order of precedence:
1. enable-management service
acl {id | name}
{ethernet port-num [to port-num] | ve ve-num
[to ve-num]}

dnssec
2. enable-management service acl {id | name}

[to ve-num]}
[to ve-num]}
Implicit Deny Rule
Each ACL has an implicit deny any any rule at the end. If the management
traffic’s source address does not match a permit rule in the ACL, the implicit
deny any any rule is used to deny access.
Example The following command disables HTTP access to the out-of-band manage-
ment interface:
ACOS(config)#disable-management service http management
You may lose connection by disabling the http service.
Continue? [yes/no]:yes
dnssec
Description Configure and manage Domain Name System Security Extensions
(DNSSEC). See “Config Commands: DNSSEC” on page 275.
do
Description Run a Privileged EXEC level command from a configuration level prompt,
without leaving the configuration level.
Syntax do command
Default N/A
Usage For information about the Privileged EXEC commands, see “Privileged
EXEC mode Commands” on page 65.

drop-icmp-to-vip-when-vip-down
Example The following command runs the traceroute command from the Configura-
tion mode level:
ACOS(config)#do traceroute 10.10.10.9
drop-icmp-to-vip-when-vip-down
Description Drop ICMP traffic to a VIP if the VIP is down, even if the VIP address is
also used by NAT.
Syntax [no] drop-icmp-to-vip-when-vip-down
Default Disabled
Usage This command is applicable for addresses that are used by both a VIP and
NAT.
enable
Description Enable real or virtual servers.
Syntax enable slb server [server-name] [port port-num]
enable slb virtual-server [server-name]

[port port-num]
server-name Enables the specified real or virtual server.
port port-num Enables only the specified service port. If you
omit the server-name option, the port is enabled
on all real or virtual servers. Otherwise, the port
is enabled only on the server you specify.
Default Enabled
Example The following command enables all virtual servers:

ACOS(config)#enable slb virtual-server

enable reset statistics
Example The following command enables port 80 on all real servers:

ACOS(config)#enable slb server port 80
Example The following command enables port 8080 on real server “rs1”:
ACOS(config)#enable slb server rs1 port 8080
enable reset statistics

Description Enable the ability to reset statistics for the following resources:
SLB servers, service groups, virtual servers, and Ethernet interfaces.
Syntax enable reset statistics
Default Reset statistics is enabled by default.
Usage Admins with the following CLI roles are allowed to disable or re-enable
clearing of SLB and Ethernet statistics:
• write
• partition-write
Example The following command can be used to re-enable the ability to clear SLB
and Ethernet statistics, if the disable reset statistics command was used to
disable this feature:
ACOS(config)#enable reset statistics
enable-core
Description Change the file size of core dumps.
Syntax [no] enable-core [a10]
a10 Enables A10 core dump files. Without this
option, system core dump files are used instead.
System core dump files are larger than A10 core
dump files.

enable-def-vlan-l2-forwarding
Default If HA is configured, system core dump files are enabled by default. If HA is

not configured, A10 core dump files are enabled by default.
enable-def-vlan-l2-forwarding
Description Enable Layer 2 forwarding on the default VLAN (VLAN 1).
Syntax [no] enable-def-vlan-l2-forwarding
Default Layer 2 forwarding is disabled on VLAN 1, on ACOS devices deployed in

route mode.
Usage This command applies only to routed mode deployments.
On a new or unconfigured ACOS device, as soon as you configure an IP

interface on any individual Ethernet data port or trunk interface, Layer 2
forwarding on VLAN 1 is disabled.
When Layer 2 forwarding on VLAN 1 is disabled, broadcast, multicast, and

unknown unicast packets are dropped instead of being forwarded. Learning
is also disabled on the VLAN. However, packets for the ACOS device itself
(ex: LACP, HA, OSPF) are not dropped.
Note: Configuring an IP interface on an individual Ethernet interface indicates

you are deploying in route mode (also called “gateway mode”). If you
deploy in transparent mode instead, in which the ACOS device has a sin-
gle IP address for all data interfaces, Layer 2 forwarding is left enabled by
default on VLAN 1.
enable-jumbo
Description Globally enable jumbo frame support. In this release, a jumbo frame is an
Ethernet frame that is more than 1522 bytes long.
Syntax [no] enable-jumbo
Note: This is the only command required to enable jumbo support on FPGA
models. See the Usage section below for details on enabling jumbo sup-
port on non-FPGA models.

enable-jumbo
Default Disabled
Usage Notes:
• If your configuration uses VEs, you must enable jumbo on the individ-
ual Ethernet ports first, then enable it on the VEs that use the ports. If
the VE uses more than port, the MTU on the VE should be the same or
smaller than the MTU on each port.
• Enabling jumbo support does not automatically change the MTU on any
interfaces. You must explicitly increase the MTU on those interfaces
you plan to use for jumbo packets.
• Jumbo support is not recommended on 10/100 Mbps ports.
• On FPGA models only, for any incoming jumbo frame, if the outgoing
MTU is less than the incoming frame size, the ACOS device fragments
the frame into 1500-byte fragments, regardless of the MTU set on the
outbound interface. If it is less than 1500 bytes, it will be fragmented
into the configured MTU.
• Setting the MTU on an interface indirectly sets the frame size of incom-
ing packets to the same value. (This is the maximum receive unit
[MRU]).
• In previous releases, the default MTU is 1500 and can not be set to a
higher value.
• Jumbo frames are not supported on model AX 1030, AX 2500, or
AX2600.
If you are enabling jumbo support on a non-FPGA model, you must follow
the enable-jumbo command with the write-memory command to save the
configuration, and then use the reboot command at the Privileged EXEC
level to reboot.
Caution: On non-FPGA models, after you enable (or disable) jumbo frame
support, you must save the configuration and reboot to place the
change into effect.
If jumbo support is enabled on a non-FPGA model and you erase the

startup-config, the device is rebooted after the configuration is
erased.

enable-management
enable-management
Description Enable management access to the A10 Thunder Series and AX Series
device.
Syntax [no] enable-management

[device DeviceID]
service
{all | ssh | telnet | http | https | snmp | ping}
or
Syntax [no] enable-management

[device DeviceID]
service acl acl-num
device
sis.
all Enables access to all the management services
listed in Table 2.
ssh Enables SSH access to the CLI.
telnet Enables Telnet access to the CLI.
http Enables HTTP access to the management GUI.
https Enables HTTPS access to the management GUI.
snmp Enables SNMP access to the ACOS device’s
SNMP agent.

enable-management
ping Enables ping replies from AX interfaces. This

option does not affect the ACOS device’s ability
to ping other devices.
acl acl-num Permits or denies management access based on
permit or deny rules in the ACL.
Note: The management interface supports only a single ACL.
Note: IPv6 ACLs are supported for management access through Ethernet data
interfaces and the management interface.
management |
ethernet port-
num [to port-
num] |
ve ve-num
[to ve-num] Specifies the interfaces for which you are config-
uring access control.
Default Table 3 lists the default settings for each management service.
TABLE 3 Default Management Access

Management Management
Service Interface Data Interfaces
SSH Enabled Disabled
Telnet Disabled Disabled
HTTP Enabled Disabled
HTTPS Enabled Disabled
SNMP Enabled Disabled
Ping Enabled Enabled
Usage IPv6 ACLs are supported for management access through Ethernet data
interfaces and the management interface.
The management interface supports only a single ACL. The ACL can be
applied (bound to the interface) as an enable-management ACL, or can be
applied directly to the interface as a filter. In either case, only one ACL is
supported. To replace the ACL with a different one, you must remove the
ACL that is already on the interface first.
For example, either of the following sets of commands is valid but not both:
ACOS(config)#enable-management service acl 1 manage-
ment

enable-management
or
ACOS(config-if:management)#access-list 1 in
Additionally, if you apply an enable-management ACL to the management

interface, an ACL for an individual service is not supported. For example,
the following rule is not supported on the management interface:
acl {id | name} management
See the “Usage” section in “disable-management” on page 139.
Example The following command enables Telnet access to Ethernet data interface 6:
ACOS(config)#enable-management service telnet ethernet 6
Example The following commands configure IPv6 traffic filtering on the manage-
ment interface and display the resulting configuration:
ACOS(config)#ipv6 access-list ipv6-acl1
ACOS(config-access-list:ipv6-acl1)#permit ipv6 any any
ACOS(config-access-list:ipv6-acl1)#interface management
ACOS(config-if:management)#ipv6 access-list ipv6-acl1 in
ACOS(config-if:management)#show running-config
ipv6 access-list ipv6-acl1
permit ipv6 any any
!
interface management device 1
ip address 192.168.217.28 255.255.255.0
ipv6 address 2001:192:168:217::28/64
ipv6 access-list ipv6-acl1 in
Example The following commands configure an IPv6 ACL, then apply it to Ethernet
data ports 5 and 6 to secure SSH access over IPv6:
ACOS(config)#ipv6 access-list ipv6-acl1
ACOS(config-access-list:ipv6-acl1)#permit ipv6 any any
ACOS(config)#enable-management service ssh acl name ipv6-acl1 ethernet 5 to 6

enable-password
enable-password
Description Set the enable password, which secures access to the Privileged EXEC level
of the CLI.
Syntax [no] enable-password password-string
password-string Password string, 1-63 characters. Passwords are
case sensitive and can contain special characters.
(For more information, see “Special Character
Support in Strings” on page 47.)
Default By default, the password is blank. (Just press Enter.)
Example The following command sets the Privileged EXEC password to “execad-
min”:
ACOS(config)#enable-password execadmin
end
Description Return to the Privileged EXEC level of the CLI.
Syntax end
Default N/A
Mode Config
Usage The end command is valid at all configuration levels of the CLI. From any
configuration level, the command returns directly to the Privileged EXEC
level.
Example The following command returns from the Configuration mode level to the
Privileged EXEC level:
ACOS(config)#end
ACOS#

erase
erase
Description Erase the startup-config file. This command returns the device to its factory
default configuration after the next reload or reboot.
Syntax erase
[preserve-management]
[preserve-accounts]
[reload]
preserve-
management Keeps the configured management IP address
and default gateway, instead of erasing them and
resetting them to their factory defaults following
reload or reboot.
preserve-
accounts Keeps the configured admin accounts, instead of
erasing them. Likewise, this option keeps any
modifications to the “admin” account, and does
not reset the account to its defaults following
reload or reboot.
reload Reloads ACOS after the configuration erasure is
completed.
Default N/A
Usage The “no” form of this command is not valid.
The erasure of the startup-config occurs following the next reload or reboot.
Until the next reload or reboot, the ACOS device continues to run based on
the running-config.
The management IP address is not erased. This is true even if you do not use
the preserve-management option. However, without this option, the
default management gateway is erased and reset to its factory default.
To recover the configuration, you can save the running-config or reload the
configuration from another copy of the startup-config file.
Example The following command erases the startup-config file. The change takes
place following the next reload or reboot.
ACOS(config)#erase

event
Example The following command erases the startup-config file, except for manage-
ment interface access and admin accounts, and reloads to place the change
into effect.
ACOS(config)#erase preserve-management preserve-accounts reload
event
Description Contact A10 Networks for information.
Syntax event vnp [part-create | part-delete] email [on |

off] logging [on | off]
Default N/A
exit
Description Return to the Privileged EXEC level of the CLI.
Syntax exit
Default N/A
Usage The exit command is valid at all CLI levels. At each level, the command
returns to the previous CLI level. For example, from the server port level,
the command returns to the server level. From the Configuration mode
level, the command returns to the Privileged EXEC level. From the user
EXEC level, the command terminates the CLI session.
From the Configuration mode level, you also can use the end command to
return to the Privileged EXEC level.
Example The following command returns from the Configuration mode level to the
Privileged EXEC level:
ACOS(config)#exit
ACOS#

extended-stats
extended-stats
Description Globally enable collection of SLB peak connection statistics.
Syntax [no] extended-stats
Default Disabled
fail-safe
Description Configure fail-safe automatic recovery.
Syntax [no] fail-safe

{
fpga-buff-recovery-threshold 256-buffer-units |
hw-error-monitor-disable
hw-error-monitor-enable |
hw-error-recovery-timeout minutes |
session-memory-recovery-threshold percentage |
sw-error-monitor-enable |
sw-error-recovery-timeout minutes
}
fpga-buff-
recovery-
threshold
256-buffer-
units Minimum required number of free (available)
FPGA buffers. If the number of free buffers
remains below this value until the recovery time-
out, fail-safe software recovery is triggered.
You can specify 1-10 units. Each unit contains
256 buffers. The default is 2 units (512 buffers).
hw-error-
monitor-disable Disables fail-safe monitoring and recovery for
hardware errors. This is enabled by default.
hw-error-
monitor-enable Enables fail-safe monitoring and recovery for
hardware errors. This is enabled by default.

fail-safe
hw-error-
recovery-
timeout minutes Number of minutes fail-safe waits after a hard-
ware error occurs to reboot the ACOS device.
You can specify 1-1440 minutes. The default is 0
(not set).
session-memory-
recovery-
threshold
percentage Minimum required percentage of system mem-
ory that must be free. If the amount of free mem-
ory remains below this value long enough for the
recovery timeout to occur, fail-safe software
recovery is triggered.
You can specify 1-100 percent. The default is 30
percent.
sw-error-
monitor-enable Enables fail-safe monitoring and recovery for
software errors. This is disabled by default.
sw-error-
recovery-
timeout minutes Number of minutes the software error condition
must remain in effect before fail-safe occurs.
– If the system resource that is low becomes free
again within the recovery timeout period, fail-
safe allows the ACOS device to continue normal
operation. Fail-safe recovery is not triggered.
– If the system resource does not become free,
then fail-safe recovery is triggered.
Default By default, fail-safe automatic recovery is enabled for hardware errors and
disabled software errors. You can enable the feature for hardware errors,
software errors, or both. When you enable the feature, the other options
have the following default values:
• fpga-buff-recovery-threshold – 2 units (512 buffers)
• hw-error-recovery-timeout – 0 (not set)
• session-memory-recovery-threshold – 30 percent
• sw-error-recovery-timeout – 3 minutes

floating-ip
Usage Fail-safe hardware recovery also can be triggered by a “PCI not ready” con-
dition. This fail-safe recovery option is enabled by default and can not be
disabled.
floating-ip
Description Set a virtual IP address in a High-Availability configuration.
Syntax [no] floating-ip ipaddr ha-group group-id
ipaddr Virtual IP address of the HA group.
group-id HA group ID.
Default None
Usage Use this command to specify the IP address of a next-hop upstream or

downstream router used by real servers. (Also see “Config Commands:
High Availability” on page 815.)
A floating IP address can not be the same as an address that already belongs
to a device. For example, the IP address of an AX interface can not be a
floating IP address.
glid
Description Configure a global set of IP limiting rules for system-wide IP limiting.
Note: This command configures a limit ID (LID) for use with the IP limiting
feature. To configure a LID for use with Large-Scale NAT (LSN) instead,
see the IPv4-to-IPv6 Transition Solutions Guide.
Syntax [no] glid num
num Limit ID, 1-1023.
global LID, where the following command is available.

glid
Command Description
[no] conn-limit
num Specifies the maximum number of concurrent
connections allowed for a client. You can specify
0-1048575. Connection limit 0 immediately
locks down matching clients.
[no] conn-rate-
limit num per
num-of-100ms Specifies the maximum number of new connec-
tions allowed for a client within the specified
limit period. You can specify 1-4294967295 con-
nections. The limit period can be 100-6553500
milliseconds (ms), specified in increments of 100
ms.
[no] over-
limit-action
[forward |
reset]
[lockout
minutes]
[log minutes] Specifies the action to take when a client exceeds
one or more of the limits. The command also
configures lockout and enables logging. The
action can be one of the following:
– drop – The ACOS device drops that traffic. If
logging is enabled, the ACOS device also gener-
ates a log message. (There is no drop keyword.
This is the default action.)
– forward – The ACOS device forwards the traf-
fic. If logging is enabled, the ACOS device also
generates a log message.
– reset – For TCP, the ACOS device sends a TCP
RST to the client. If logging is enabled, the
ACOS device also generates a log message.
The lockout option specifies the number of min-
utes during which to apply the over-limit action
after the client exceeds a limit. The lockout

glid
period is activated when a client exceeds any

limit. The lockout period can be 1-1023 minutes.
The log option generates log messages when cli-
ents exceed a limit. When you enable logging, a
separate message is generated for each over-limit
occurrence, by default. You can specify a logging
period, in which case the ACOS device holds
onto the repeated messages for the specified
period, then sends one message at the end of the
period for all instances that occurred within the
period. The logging period can be 0-255 minutes.
The default is 0 (no wait period).
[no] request-
limit num Specifies the maximum number of concurrent
Layer 7 requests allowed for a client. You can
specify 1-1048575.
[no] request-
rate-limit num
per num-of-
100ms Specifies the maximum number of Layer 7
requests allowed for the client within the speci-
fied limit period. You can specify 1-4294967295
connections. The limit period can be 100-
6553500 milliseconds (ms), specified in incre-
ments of 100 ms.
[no] use-nat-
pool pool-name Binds a NAT pool to the GLID. The pool is used
to provide reverse NAT for class-list members
that are mapped to this GLID. (The use-nat-pool
option, available in GLIDs, is applicable only to
transparent traffic, not to SLB traffic.)
Default The global LID options have the following default values:
• conn-limit – Not set
• conn-rate-limit – Not set
• over-limit-action – Drop. There is no default lockout period. Logging is

disabled by default. The default logging period is 0 (no wait period).
• request-limit – Not set
• request-rate-limit – Not set
• use-nat-pool – Not set

gslb
Usage This command uses a single class list for IP limiting. To use multiple class
lists for system-wide IP limiting, use a policy template instead. See “slb
template policy” on page 639.
A policy template is also required if you plan to apply IP limiting rules to

individual virtual servers or virtual ports.
The request-limit and request-rate-limit options apply only to HTTP, fast-

HTTP, and HTTPS virtual ports. For details on configuring these options,
see “Request Limiting and Request-rate Limiting in Class Lists” on
page 129.
The over-limit-action log option, when used with the request-limit or

request-rate-limit option, always lists Ethernet port 1 as the interface.
The use-nat-pool option is applicable only to transparent traffic, not to SLB

traffic.
Example The following commands configure a global IP limiting rule to be applied to

all IP clients (the clients that match class list “global”):
ACOS(config)#glid 1
ACOS(config-global lid)#conn-rate-limit 10000 per 1
ACOS(config-global lid)#conn-limit 2000000
ACOS(config-global lid)#over-limit forward logging
ACOS(config-global lid)#exit
ACOS(config)#system glid 1
ACOS(config)#class-list global
ACOS(config-class list)#0.0.0.0/0 glid 1
gslb
Description Configure Global Server Load Balancing (GSLB) parameters. See the
Global Server Load Balancing Guide.
ha
Description Configure High-Availability (HA) parameters. See “Config Commands:
High Availability” on page 815.

health check-rate
health check-rate
Description Change the health-check rate limiting threshold.
Syntax [no] health check-rate threshold
threshold Specifies the maximum number of health-check
packets the ACOS device will send in a given
500-millisecond (ms) period.
The valid range depends on whether the ACOS
device is a 32-bit ACOS model or a 64-bit ACOS
model:
Models with 64-bit ACOS (includes all
Thunder models) – 1-5000 health-check
packets per 500-ms period
Models with 32-bit ACOS (if applicable) –
1-2000 health-check packets per 500-ms
period
Default When you disable auto-adjust mode, the default threshold is changed to one
of the following:
• Models with 64-bit ACOS – 1000 health-check packets per 500-ms
period
• Models with 32-bit ACOS – 400 health-check packets per 500-ms
period
Usage When auto-adjust mode is enabled, you can not manually change the thresh-
old. To change the threshold, you first must disable auto-adjust mode. (See
“health disable-auto-adjust” on page 160.)
(For more information, see the Application Delivery and Server Load Bal-
ancing Guide.)

health disable-auto-adjust
health disable-auto-adjust
Description Disable the auto-adjust mode of health-check rate limiting.
Syntax [no] health disable-auto-adjust
Default Auto-adjust mode is enabled by default.
Usage When necessary, the auto-adjust mode dynamically increases the default
interval and timeout for health checks. By increasing these timers, health-
check rate limiting provides more time for health-check processing. (For
more information, see the “Health Monitoring” chapter in the System Con-
figuration and Administration Guide.)
health external
Use an external program for health monitoring.
Syntax health external

{delete program-name |
import [use-mgmt-port] [description] url |
export [use-mgmt-port] program-name url}
program-name Program file name, 1-31 characters.
description Description of the program file, 1-63 characters.
directory path.
characters long.

health external-rate

tftp://host/program-name
ftp://[user@]host[:port]/program
-name
scp://[user@]host/program-name
rcp://[user@]host/program-name
sftp://[user@]host/program-name
Default N/A
Usage There is no “no” form of this command. To use an imported program for
health monitoring, you also must configure a health method and apply the
method to the server ports you want to monitor. See the description of the
external option for “method” on page 768 and see “health-check” on
page 706.
Example The following example imports external program “mail.tcl” from FTP
server 192.168.0.1:
ACOS(config)#health external import "checking mail server"
ftp://192.168.0.1/mail.tcl
health external-rate
Description Specify the maximum number of external health-checks scripts the ACOS
device is allowed to perform during a given interval.
Syntax [no] health external-rate scripts

per 100-ms-units
scripts Maximum number of external health-check
scripts, 1-999.
100-ms-units Interval to which the scripts option applies, 1-20
100-ms units.
Default The default is 2 scripts per every 200-ms.

health global
health global
Description Globally change health monitor parameters.
Syntax health global

{
interval seconds |
retry number |
timeout seconds |
up-retry number
}
interval
seconds Number of seconds between health check
attempt, 1-180 seconds. A health check attempt
consists of the ACOS device sending a packet to
the server. The packet type and payload depend
on the health monitor type. For example, an
HTTP health monitor might send an HTTP GET
request packet. Default is 5 seconds.
retry number Maximum number of times ACOS will send the
same health check to an unresponsive server
before determining that the server is down. You
can specify 1-5. Default is 3.
timeout seconds Number of seconds ACOS waits for a reply to a
health check, 1-12 seconds. Default is 5 seconds.
up-retry number Number of consecutive times the device must
pass the same periodic health check, in order to
be marked Up. You can specify 1-10. The default
is 1.
Note: The timeout parameter is not applicable to external health monitors.
You can change one or more parameters on the same command line.
Default See above.
Note: To change a global parameter back to its factory default, use the
health global form of the command and specify the parameter value to
use.

health monitor
Usage Globally changing a health monitor parameter changes the default for that
parameter. For example, if you globally change the interval from 5 seconds
to 10 seconds, the default interval becomes 10 seconds.
If a parameter is explicitly set on a health monitor, globally changing the

parameter does not affect the health monitor. For example, if the interval on
health monitor hm1 is explicitly set to 20 seconds, the interval remains 20
seconds on hm1 regardless of the global setting.
Note: Global health monitor parameter changes automatically apply to all new
health monitors configured after the change. To apply a global health
monitor parameter change to health monitors that were configured before
the change, you must reboot the ACOS device.
Example The following command globally changes the default number of retries to 5:
ACOS(config)#health global retry 5
Example The following command globally changes the timeout to 10 seconds and
default number of retries to 4:
ACOS(config)#health global timeout 10 retry 4
health monitor
Description Configure a health monitor.
Syntax [no] health monitor monitor-name

[interval seconds]
[retry number]
[timeout seconds]
[up-retry number]
monitor-name Name of the health monitor, 1-31 characters.
interval
seconds Number of seconds between health check
attempt, 1-180 seconds. A health check attempt
consists of the ACOS device sending a packet to
the server. The packet type and payload depend
on the health monitor type. For example, an
HTTP health monitor might send an HTTP GET
request packet. Default is 5 seconds.
retry number Maximum number of times ACOS will send the
same health check to an unresponsive server

health postfile
before determining that the server is down. You

can specify 1-5. Default is 3.
timeout seconds Number of seconds ACOS waits for a reply to a
health check, 1-180 seconds. Default is 5 sec-
onds.
up-retry number Number of consecutive times the device must
pass the same periodic health check, in order to
be marked Up. You can specify 1-10. The default
is 1.
Note: The timeout parameter is not applicable to external health monitors.
Default See above.
Usage For information about the commands available at the health-monitor config-
uration level, see “Config Commands: Health Monitors” on page 767.
For more usage information about health monitors, see the Application
Delivery and Server Load Balancing Guide.
Example The following command creates a health monitor named “hm1” and
accesses the configuration level for it:
ACOS(config)#health monitor hm1
ACOS(config-health:monitor)#
health postfile
Description Import or delete a POST data file for an HTTP or HTTPS health check.
Syntax health postfile {import | delete} filename
import | delete Specifies whether you are importing a POST data
file or deleting one.
filename Specifies the filename.
Default N/A

hostname
Usage The maximum length of POST data you can specify in the CLI or GUI is
255 bytes. For longer data (up to 2 Kbytes), you must import the data in a
file and refer to the file in the HTTP or HTTPS health check.
To use a POST data payload file in an HTTP/HTTPS health monitor, use the
postfile filename option in the method http or method https command, at
the configuration level for the health monitor.
Example The following commands import a file containing a large HTTP POST data
payload (up to 2 Kbytes), and add the payload to an HTTP health monitor:
ACOS(config)#health postfile import long-post
ACOS(config)#health monitor http1
AX2000(config-health:monitor)#method http url post / postfile long-post expect
def
In this example, health checks that use this health monitor will send a POST
request containing the data in “postfile”, and expect the string “def” in
response.
hostname
Set the A10 Thunder Series and AX Series device’s hostname.
Syntax Description [no] hostname string

[device DeviceID]
string String of 1-31 characters.
device
sis.
Default ACOS

hsm
Usage The CLI command prompt also is changed to show the new hostname.
Example The following example sets the hostname to “SLBswitch2”:

ACOS(config)#hostname SLBswitch2
hsm
Description Configures settings for DNSSEC Hardware Security Module (HSM) sup-
port. (See “Config Commands: DNSSEC” on page 275.)
icmp-rate-limit
Description Configure ICMP rate limiting, to protect against denial-of-service (DoS)
attacks.
Syntax [no] icmp-rate-limit normal-rate lockup max-rate

lockup-time
normal-rate Maximum number of ICMP packets allowed per
second. If the ACOS device receives more than
the normal rate of ICMP packets, the excess
packets are dropped until the next one-second
interval begins. The normal rate can be 1-65535
packets per second.
lockup max-rate Maximum number of ICMP packets allowed per
second before the ACOS device locks up ICMP
traffic. When ICMP traffic is locked up, all
ICMP packets are dropped until the lockup
expires. The maximum rate can be 1-65535
packets per second. The maximum rate must be
larger than the normal rate.
lockup-time Number of seconds for which the ACOS device
drops all ICMP traffic, after the maximum rate is
exceeded. The lockup time can be 1-16383 sec-
onds.
Default None

icmpv6-rate-limit
Usage This command configures ICMP rate limiting globally for all traffic to or
through the ACOS device. To configure ICMP rate limiting on individual
Ethernet interfaces, see “icmp-rate-limit” on page 292. To configure it in a
virtual server template, see “slb template virtual-server” on page 696. If you
configure ICMP rate limiting filters at more than one of these levels, all fil-
ters are applicable.
Specifying a maximum rate (lockup rate) and lockup time is optional. If you
do not specify them, lockup does not occur.
Log messages are generated only if the lockup option is used and lockup
occurs. Otherwise, the ICMP rate-limiting counters are still incremented but
log messages are not generated.
Example The following command globally configures ICMP rate limiting to allow up
to 2048 ICMP packets per second, and to lock up all ICMP traffic for 10
seconds if the rate exceeds 3000 ICMP packets per second:
ACOS(config)#icmp-rate-limit 2048 lockup 3000 10
icmpv6-rate-limit
Description Configure ICMPv6 rate limiting for IPv6 to protect against denial-of-ser-
vice (DoS) attacks.
Syntax [no] icmpv6-rate-limit normal-rate lockup max-

rate lockup-time
normal-rate Maximum number of ICMPv6 packets allowed
per second. If the ACOS device receives more
than the normal rate of ICMPv6 packets, the
excess packets are dropped until the next one-
second interval begins. The normal rate can be 1-
65535 packets per second.
lockup max-rate Maximum number of ICMPv6 packets allowed
per second before the ACOS device locks up
ICMPv6 traffic. When ICMPv6 traffic is locked
up, all ICMPv6 packets are dropped until the
lockup expires. The maximum rate can be 1-
65535 packets per second. The maximum rate
must be larger than the normal rate.
drops all ICMPv6 traffic, after the maximum rate

interface
is exceeded. The lockup time can be 1-16383

seconds.
Default None
Usage This command configures ICMPv6 rate limiting globally for all traffic to or
through the ACOS device. To configure ICMPv6 rate limiting on individual
Ethernet interfaces, see “icmpv6-rate-limit” on page 293. To configure it in
a virtual server template, see “slb template virtual-server” on page 696. If
you configure ICMPv6 rate limiting filters at more than one of these levels,
all filters are applicable.
occurs. Otherwise, the ICMPv6 rate-limiting counters are still incremented
but log messages are not generated.
interface
Description Access the CLI configuration level for an interface.
Syntax interface {ethernet port-num | ve ve-num |

loopback num | management | trunk num}
Default N/A
Usage If the ACOS device is a member of an aVCS virtual chassis, specify the
interface number as follows: DeviceID/Portnum
For information about the commands available at the interface configura-

tion level, see “Config Commands: Interface” on page 287.
Example The following command changes the CLI to the configuration level for
Ethernet interface 3:
ACOS(config-if:ethernet3)#

ip
ip
Description Configure global IP settings. For information, see “Config Commands: IP”
on page 351.
ipv6
Description Configure global IPv6 settings. For information, see “Config Commands:
IPv6” on page 383.
key
Configure a key chain for use by RIP or IS-IS MD5 authentication.
Syntax Description [no] key chain name
name Name of the key chain, 1-31 characters.
key chain, where the following key-chain related command is available:
Command Description
[no] key num Adds a key and enters configuration mode for the
key. The key number can be 1-255. This com-
mand changes the CLI to the configuration level
for the specified key, where the following key-
related command is available:
[no] key-string string – Configures
the authentication string of the key, 1-16 charac-
ters.
Default By default, no key chains are configured.
Mode Global Config
Usage Although you can configure multiple key chains, A10 Networks recom-
mends using one key chain per interface, per routing protocol.

l3-vlan-fwd-disable
Example The following commands configure a key chain named “example_chain”.

ACOS(config)#key chain example_chain
ACOS(config-keychain)#key 1
ACOS(config-keychain-key)#key-string thisiskey1
ACOS(config-keychain-key)#exit
ACOS(config-keychain-key)#exit
l3-vlan-fwd-disable
Description Globally disable Layer 3 forwarding between VLANs.
Syntax [no] l3-vlan-fwd-disable
Default By default, the ACOS device can forward Layer 3 traffic between VLANs.
Usage This option is applicable only on ACOS devices deployed in gateway

(route) mode. If the option to disable Layer 3 forwarding between VLANs
is configured at any level, the ACOS device can not be changed from gate-
way mode to transparent mode, until the option is removed.
Depending on the granularity of control required for your deployment, you

can disable Layer 3 forwarding between VLANs at any of the following
• Global – Layer 3 forwarding between VLANs is disabled globally, for
all VLANs. (Use this command at the Configuration mode level.)
• Individual interfaces – Layer 3 forwarding between VLANs is disabled
for incoming traffic on specific interfaces. (See“l3-vlan-fwd-disable” on
page 334.)
• Access Control Lists (ACLs) – Layer 3 forwarding between VLANs is
disabled for all traffic that matches ACL rules that use the l3-vlan-fwd-
disable action. (See “access-list (standard)” on page 89 or “access-list
(extended)” on page 92.)
To display statistics for this option, see “show slb switch” on page 1051.

lacp system-priority
lacp system-priority
Description Set the Link Aggregation Control Protocol (LACP) priority.
Syntax [no] lacp system-priority num
num Specifies the LACP system priority, 1-65535. A
low priority number indicates a high priority
value. The highest priority is 1 and the lowest
priority is 65535.
Default 32768
Usage In cases where LACP settings on the local device (the ACOS device) and
the remote device at the other end of the link differ, the settings on the
device with the higher priority are used.
lacp-passthrough
Syntax lacp-passthrough ethernet num ethernet num
ethernet num Specifies the Ethernet interface of the peer mem-
ber to forward LACP packets.
Default Not set

lacp-trunk
lacp-trunk
Description Configure settings for an LACP trunk.
Syntax [no] lacp-trunk Trunknum
Trunknum Specifies the LACP trunk ID.
tual chassis, specify the trunk ID as follows:
DeviceID/Trunknum
trunk, where the following trunk-related commands are available:
Command Description
disable-lacp
[ethernet
portnum
[to portnum]
[ethernet
portnum ...]] Disables the trunk or specific interfaces in the
trunk.
enable-lacp
[ethernet
portnum
[to portnum]
[ethernet
portnum ...]] Enables the trunk or specific interfaces in the
trunk.
[no] name
string Assign a name to a trunk.
[no] ports-
threshold num
[do-manual-
recovery] Specifies the minimum number of ports that must
be up in order for the trunk to remain up. If the
number of up ports falls below the configured
threshold, the AX automatically disables the

lacp-trunk
trunk’s member ports. The ports are disabled in

the running-config. You can specify 2-8.
The do-manual-recovery option disables auto-
matic recovery of the trunk when the required
number of ports come back up. If you use this
option, the trunk remains disabled until you re-
enable it.
[no] ports-
threshold-timer
seconds Specifies how many seconds to wait after a port
goes down before marking the trunk down, if the
configured threshold is exceeded. You can set the
ports-threshold timer to 1-300 seconds.
Default The global LACP trunk parameters have the following default settings:
• disable-lacp / enable-lacp – Enabled
• ports-threshold – Not set. By default, a trunk’s status remains Up so

long as at least one of its member ports is up
• ports-threshold-timer – 10 seconds
Usage Notes Regarding the Ports Threshold

If the number of up ports falls below the configured threshold, the AX auto-
matically disables the trunk’s member ports. The ports are disabled in the
running-config. The ACOS device also generates a log message and an
SNMP trap, if these services are enabled.
In some situations, a timer is used to delay the ports-threshold action. The

configured port threshold is not enforced until the timer expires. The ports-
threshold timer for a trunk is used in the following situations:
• When a member of the trunk links up.
• A port is added to or removed from the trunk.
• The port threshold for the trunk is configured during runtime. (If the
threshold is set in the startup-config, the timer is not used.)

ldap-server
ldap-server
Description Set Lightweight Directory Access Protocol (LDAP) parameters for authen-
ticating administrative access to the A10 Thunder Series and AX Series
device.
Syntax [no] ldap-server host {hostname | ipaddr}

cn cn-name
dn dn-name
[port portnum]
[timeout seconds]
[ssl]
hostname |
ipaddr Hostname or IP address of the LDAP server.
cn
cn-name The cn option specifies the value for the Com-
mon Name (CN) attribute.
dn dn-name The dn option specifies the value for the Distin-
guished Name (DN) attribute.
Note: For the dn option, do not use quotation
marks. For example, the following DN string
syntax is valid:
cn=xxx3,dc=maxcrc,dc=com
The following string is not valid:
“cn=xxx3,dc=maxcrc,dc=com”
port portnum The port option specifies the protocol port on
which the server listens for LDAP traffic.
timeout seconds The timeout specifies the maximum number of
seconds the ACOS device waits for a reply from
the LDAP server for a given request. You can
specify 1-60 seconds. If the LDAP server does
not reply before the timeout, authentication of
the admin fails.
Default No LDAP servers are configured by default. When you add an LDAP
server, it has the following default settings:
• port – 389

link
Usage LDAP is a AAA protocol that the ACOS device can use to authenticate
admins and authorize their management access based on admin account
information on external LDAP servers.
This release supports the following types of LDAP servers:

• OpenLDAP
• Microsoft Active Directory (AD)
To enable LDAP authentication, use the following command at the global

configuration level of the CLI:
[no] authentication type ldap

[method2 [method3 [method4]]]
To use backup methods, specify them in the order you want to use them.
Nested OUs
To use nested OUs, specify the nested OU first, then the root. For example,
a user account could be nested as follows:
Root OU= Service Accounts -> OU=StaffElevatedAccounts -> UserAccUser1
To configure the ACOS device to provide LDAP AAA for

“UserAccUser1”, use a command such as the following:
ldap-server host ldapserver.ad.example.edu cn cn dn ou=StaffElevatedAccounts,
ou=Service Accounts,dc=ad,dc=example,dc=edu
Example The following commands enable LDAP authentication and add LDAP
server 192.168.101.24:
ACOS(config)#authentication type ldap
ACOS(config)#ldap-server host 192.168.101.24 cn cn dn ou=UserAccount,dc=exam-
ple,dc=com
link
Description Link the “startup-config” token to the specified configuration profile. By
default, “startup-config” is linked to “default”, which means the configura-
tion profile stored in the image area from which the ACOS device most
recently rebooted.

link
Syntax link startup-config {default | profile-name}

[primary | secondary] [cf]
default Links “startup-config” to the configuration pro-
file stored in the image area from which the
ACOS device was most recently rebooted.
profile-name Links “startup-config” to the specified configura-
tion profile.
primary |
secondary Specifies the image area. If you omit this option,
the image area last used to boot is selected.
cf Links the profile to the specified image area in
compact flash instead of the hard disk.
Default The “startup-config” token is linked to the configuration profile stored in

the image area from which the ACOS device was most recently rebooted.
Usage This command enables you to easily test new configurations without replac-
ing the configuration stored in the image area.
The profile you link to must be stored on the boot device you select. For
example, if you use the default boot device (hard disk) selection, the profile
you link to must be stored on the hard disk. If you specify cf, the profile
must be stored on the compact flash. (To display the profiles stored on the
boot devices, use the show startup-config all and show startup-config all
cf commands. See “show startup-config” on page 946.)
After you link “startup-config” to a different configuration profile, configu-

ration management commands that affect “startup-config” affect the linked
profile instead of affecting the configuration stored in the image area. For
example, if you enter the write memory command without specifying a
profile name, the command saves the running-config to the linked profile
instead of saving it to the configuration stored in the image area.
Likewise, the next time the ACOS device is rebooted, the linked configura-
tion profile is loaded instead of the configuration that is in the image area.
To relink “startup-config” to the configuration profile stored in the image

area, use the default option (link startup-config default).
Example The following command links configuration profile “slbconfig3” with

“startup-config”:

lldp enable
ACOS(config)#link startup-config slbconfig3
Example The following command relinks “startup-config” to the configuration pro-

file stored in the image area from which the ACOS device was most
recently rebooted”:
ACOS(config)#link startup-config default
lldp enable
Description Use this command to enable or disable LLDP from the global level. You can
enable LLDP to either receive only, transmit only, or transmit and receive.
Syntax [no] lldp enable [rx] [tx]
Example To enable LLDP transmission and receipt from the global level, issue the
following command:
ACOS(config)#lldp enable rx tx
lldp tx interval
Description Defines the transmission (tx) interval between a normal transmission
period.
Syntax [no] lldp tx interval value

In the above command, value represents the transmission interval that can be
from 1 to 3600 seconds.
Default 30 seconds
Example The following command will set the transmission interval to 200:
ACOS(config)#lldp tx interval 200

lldp tx hold
lldp tx hold
Description Determines the value of the message transmission time to live (TTL) inter-
val that is carried in LLDP frames. The hold-value can be from 1 to 100 sec-
onds.
Syntax [no] lldp tx hold hold-value
Default Default 4 seconds
Example The following command will set the transmission hold time to 255:
ACOS(config)#lldp tx hold 255
lldp tx reinit-delay
Description Indicates the delay interval when the administrative status indicates ‘disa-
bled’ after which re-initialization is attempted. The range for the
reinit-delay-value is 1-5 seconds.
Syntax [no] lldp tx reinit-delay reinit-delay-value
Default 2 seconds
Example The following command will set the retransmission delay to 3 seconds:
ACOS(config)#lldp tx reinit-delay 3

lldp notification interval
lldp notification interval

Description This object controls the interval between transmission of LLDP notifica-
tions during normal transmission periods.
Syntax [no] lldp notification interval notification-

value
Default
lldp tx fast-count
Description This value is used as the initial value for the Fast transmission variable. This
value determines the number of LLDP data packets that are transmitted dur-
ing a fast transmission period. This value can range from 1-8 seconds.
Syntax [no] lldp tx fast-count value
Default 4
Example The following command will set the LLDP fast count transmission value to
3 seconds:
ACOS(config)#lldp tx fast-count 3

lldp tx fast-interval
lldp tx fast-interval
Description This variable defines the time interval in timer ticks between transmissions
during fast transmission periods (that is, txFast is non-zero). The range for
this variable is 1-3600 seconds.
Syntax [no] lldp tx fast-interval
Default 1 second
Example The following command will set the LLDP fast transmission interval value
to 2000 seconds:
ACOS(config)#lldp tx fast-interval 2000
lldp system-description
Description Defines the alpha-numeric string that describes the system in the network.
Syntax [no] lldp system-description sys-description-

value
Default None
lldp system-name
Description Defines the string that will be assigned as the system name.
Syntax [no] lldp system-name system-name-value
Default hostname

lldp management-address
Example The following command will set the LLDP system name to “testsystem”:
ACOS(config)#lldp system-name testsystem
lldp management-address
Description Configures the management-address that can include the following infor-
mation:
• DNS name
• IPv4 address
• IPv6 address
Optionally, you can specify the interface on which the management address
is configured. The management interface can be either a physical Ethernet
interface or a virtual interface (VE).
Syntax [no] lldp management-address {dns dns-value | ipv4

ipv4-value ipv6 ipv6-value} interface {Ethernet
eth-num | management | ve ve-num}
Default Not set
locale
Set the CLI locale.
Syntax Description [no] locale {test | locale}
Default en_US.UTF-8
Usage Use this command to configure the locale or to test the supported locales.
Example The following commands test the Chinese locales and set the locale to
zh_CN.GB2312:
ACOS(config)#locale test zh_CN
ACOS(config)#locale zh_CN.GB2312

logging auditlog host
logging auditlog host

Description Configure audit logging to an external server.
Syntax [no] logging auditlog host {ipaddr | hostname}

[facility facility-name]
ipaddr |
hostname IP address or hostname of the server.
facility-name Name of a log facility:
local0
local1
local2
local3
local4
local5
local6
local7
Default Not set
Usage The audit log is automatically included in system log backups. You do not
need this command in order to back up audit logs that are within the system
log. To back up the system log, see “backup log” on page 54 or “backup
periodically” on page 114.
In the current release, only a single log server is supported for remote audit
logging.

logging single-priority severity-level
logging single-priority severity-level

Description Configure single-priority logging to log one specific severity level from
among the standard syslog message severity levels 0–7
Syntax [no] logging single-priority severity-level
severity-level Specifies the severity level to log. You can enter
the name of the severity level or the number that
corresponds to the severity level. :
{0 | emergency}
{1 | alert}
{2 | critical}
{3 | error}
{4 | warning}
{5 | notification}
{6 | information}
{7 | debugging}
Default Not set
logging target severity-level

Description Specify the severity levels of event messages to send to message targets
other than the ACOS log buffer.
Syntax [no] logging target severity-level
target Specifies where event messages are sent:
console – serial console
email – email
monitor – Telnet and SSH sessions
syslog – external Syslog host
trap – external SNMP trap host

logging buffered
Note: For information about the email option, see “logging email buffer” on
page 185. and “logging email filter” on page 186.
severity-level Specifies the severity levels to log. You can enter
the name or the number of the severity level.
{0 | emergency}
{1 | alert}
{2 | critical}
{3 | error}
{4 | warning}
{5 | notification}
{6 | information}
{7 | debugging}
Default The default severity level depends on the target:

• console – 3 (error)
• email – not set (no logging)
• monitor – not set (no logging)
• syslog – not set (no logging)
• trap – not set (no logging)
Usage To send log messages to an external host, you must configure the external
host using the logging host command.
Example The following command sets the severity level for event messages sent to
the console to 2 (critical):
ACOS(config)#logging console 2
logging buffered
Description Configure the event log on the A10 Thunder Series and AX Series device.
Syntax [no] logging buffered

{maximum-messages | severity-level}

logging email buffer
maximum-
messages Specifies the maximum number of messages the
event log buffer will hold.
severity-level Specifies the severity levels to log. You can enter
the name or the number of the severity level.
{0 | emergency}
{1 | alert}
{2 | critical}
{3 | error}
{4 | warning}
{5 | notification}
{6 | information}
{7 | debugging}
Default The default buffer size (maximum messages) is 30000. The default severity
level is 7 (debugging).
Example The following command sets the severity level for log messages to 7
(debugging):
ACOS(config)#logging buffered 7
logging email buffer

Description Configure log email settings.
Syntax [no] logging email buffer [number num]

[time minutes]
number num Specifies the maximum number of messages to
buffer. You can specify 16-256.
time minutes Specifies how long to wait before sending all
buffered messages, if the buffer contains fewer
than the maximum allowed number of messages.

logging email filter
Default By default, emailing of log messages is disabled. When you enable the fea-
ture, the buffer options have the following default values:
• number – 50
• time – 10
Usage To configure the ACOS device to send log messages by email, you also
must configure an email filter and specify the email address to which to
email the log messages. See “logging email filter” on page 186 and “log-
ging email-address” on page 188.
Example The following command configures the ACOS device to buffer log mes-
sages to be emailed. Messages will be emailed only when the buffer reaches
32 messages, or 30 minutes passes since the previous log message email,
whichever happens first.
ACOS(config)#logging email buffer number 32 time 30

Description Configure a filter for emailing log messages.
Syntax [no] logging email filter filter-num

conditions operators
[trigger]
filter-num Specifies the filter number, 1-8.
conditions Message attributes on which to match. The con-
ditions list can contain one or more of the follow-
ing:
level severity-levels – Specifies the severity lev-
els of messages to send in email. You can specify
the severity levels by number (0-7) or by name:
emergency, alert, critical, error, warning, noti-
fication, information, or debugging.
mod software-module-name – Specifies the soft-
ware modules for which to email messages. Mes-
sages are emailed only if they come from one of
the specified software modules. For a list of
module names, enter ? instead of a module name,
and press Enter.

pattern regex – Specifies the string require-

ments. Standard regular expression syntax is sup-
ported. Only messages that meet the criteria of
the regular expression will be emailed. The regu-
lar expression can be a simple text string or a
more complex expression using standard regular
expression logic.
operators Set of Boolean operators (AND, OR, NOT) that
specify how the conditions should be compared.
The CLI Boolean expression syntax is based on
Reverse Polish Notation (also called Postfix
Notation), a notation method that places an oper-
ator (AND, OR, NOT) after all of its operands (in
this case, the conditions list).
After listing all the conditions, specify the Bool-
ean operator(s). The following operators are sup-
ported:
AND – All conditions must match in order
for a log message to be emailed.
OR – Any one or more of the conditions
must match in order for a log message to be
emailed.
NOT – A log message is emailed only if it
does not match the conditions
(For more information about Reverse Polish
Notation, see the following link:
http://en.wikipe-
dia.org/wiki/Reverse_Polish_notation.)
trigger Immediately sends the matching messages in an
email instead of buffering them. If you omit this
option, the messages are buffered based on the
logging email buffer settings.
Default Not set. Emailing of log messages is disabled by default.
must specify the email address to which to email the log messages. See
“logging email-address” on page 188.

logging email-address
Considerations
• You can configure up to 8 filters. The filters are used in numerical order,
starting with filter 1. When a message matches a filter, the message will
be emailed based on the buffer settings. No additional filters are used to
examine the message.
• A maximum of 8 conditions are supported in a filter.
• The total number of conditions plus the number of Boolean operators

supported in a filter is 16.
• For backward compatibility, the following syntax from previous releases
is still supported:
logging email severity-level
The severity-level can be one or more of the following: 0, 1, 2, 5, emer-
gency, alert, critical, notification.
The command is treated as a special filter. This filter is placed into effect
only if the command syntax shown above is in the configuration. The
filter has an implicit trigger option for emergency, alert, and critical
messages, to emulate the behavior in previous releases.
Example The following command configures a filter that matches on log messages if
they are information-level messages and contain the string “abc”. The trig-
ger option is not used, so the messages will be buffered rather than emailed
immediately.
ACOS(config)#logging email filter 1 level information pattern "abc" and
Example The following command reconfigures the filter to immediately email

matching messages.
ACOS(config)#logging email filter 1 level information pattern "abc" and trigger
logging email-address
Description Specify the email addresses to which to send event messages.
Syntax [no] logging email-address address [...]
address Specifies an email address. You can enter more
than one address on the command line. Use a
space between each address.
Default None

logging export
must configure an email filter. See “logging email filter” on page 186.
Example The following command sets two email addresses to which to send log mes-
sages:
ACOS(config)#logging email-address admin1@example.com admin2@example.com
logging export
Description Send the messages that are in the event buffer to an external file server.
Syntax [no] logging export [all] url
all Include system support messages.
directory path.
characters long.
tftp://host/file
Default N/A

logging facility
logging facility
Description Enable logging facilities.
Syntax [no] logging facility facility-name
facility-name Name of a log facility:
local0
local1
local2
local3
local4
local5
local6
local7
Default The default facility is local0.
logging host
Description Specify a Syslog server to which to send event messages.
Syntax [no] logging host ipaddr [ipaddr...]

[port protocol-port]
ipaddr IP address of the Syslog server. You can enter
multiple IP addresses. Up to 10 remote logging
servers are supported.
port protocol-
port Protocol port number to which to send messages.
You can specify only one protocol port with the
command. All servers must use the same proto-
col port to listen for syslog messages.
Default The default protocol port is 514.

mac-address
Usage If you use the command to add some log servers, then need to add a new log
server later, you must enter all server IP addresses in the new command.
Each time you enter the logging host command, it replaces any set of serv-
ers and syslog port configured by the previous logging host command.
Example The following command configures 4 external log servers. In this example,
the servers use the default syslog protocol port, 514, to listen for log mes-
sages.
ACOS(config)#logging host 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4
Example The following command reconfigures the set of external log servers, with a
different protocol port. All the log servers must use this port.
ACOS(config)#logging host 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4 port 8899
mac-address
Description Configure a static MAC address.
Syntax [no] mac-address mac-address port port-num

vlan vlan-id [trap {source | dest | both}]
mac-address Hardware address, in the following format:
aabb.ccdd.eeff
port port-num AX Ethernet port to which to assign the MAC
address.
tual chassis, specify the interface as follows:
DeviceID/Portnum
vlan vlan-id Layer 2 broadcast domain in which to place the
device.
trap Send packets to the CPU for processing, instead
of switching them in hardware.
source – Send packets that have this MAC
as a source address to the CPU.
dest – Send packets that have this MAC as
a destination address to the CPU.
both – Send packets that have this MAC as
either a source or destination address to the
CPU.

mac-age-time
Note: The trap option is supported on only some AX models: AX 2200,

AX 2200-11, AX 3100, AX 3200, AX 3200-11, AX 3200-12, AX 3400,
AX 5100, AX 5200, AX 5200-11 and AX 5630.
Default No static MAC addresses are configured by default.
Example The following command configures static MAC address abab.cdcd.efef on

port 5 in VLAN 3:
ACOS(config)#mac-address abab.cdcd.efef port 5 vlan 3
mac-age-time
Description Set the aging time for dynamic (learned) MAC entries. An entry that
remains unused for the duration of the aging time is removed from the MAC
table.
Syntax [no] mac-age-time seconds

[device DeviceID]
seconds Number of seconds a learned MAC entry can
remain unused before it is removed from the
MAC table. You can specify 10-600 seconds.
device
sis.
Default 300 seconds

maximum-paths
On some AX models, the actual MAC aging time can be up to 2 times the
configured value. For example, if the aging time is set to 50 seconds, the
actual aging time will be between 50 and 100 seconds. (This applies to the
AX 2200, AX 2200-11, AX 3100, AX 3200, AX 3200-11, AX 3200-12,
AX 3400, AX 5100, AX 5200, AX 5200-11 and AX 5630.)
On other models, the actual MAC aging time can be +/- 10 seconds from the
configured value.
Example The following command changes the MAC aging time to 600 seconds:
ACOS(config)#mac-age-time 600
maximum-paths
Description Change the maximum number of paths a route can have in the forwarding
Information Base (FIB).
Syntax [no] maximum-paths num
num Maximum number of paths a route can have. You
can specify 1-10.
Default 4
mirror-port
Description Specify a port to which to copy monitored traffic to or from another port.
Syntax [no] mirror-port mirror-id ethernet portnum

[input | output]
mirror-id A mirror port can be a physical Ethernet data
interface. The mirror-id can be 1-4.
port-num Ethernet port number out which the monitored
traffic will be sent.

mirror-port
[input |
output] Specifies the traffic direction to mirror:
input – Ingress traffic on the monitored
port(s) is mirrored to the mirror port.
output – Egress traffic on the monitored
port(s) is mirrored to the mirror port.
Default By default, both traffic directions are mirrored.
Usage When enabling monitoring on a port, you can specify the mirror port to use.
You also can specify the traffic direction. A monitored port can use multiple
mirror ports.
To specify the port to monitor, use the monitor command at the interface
configuration level. (See “monitor” on page 195.)
Example The following commands enable monitoring of input traffic on Ethernet

port 5, and enable the monitored traffic to be copied (“mirrored”) to Ether-
net port 3:
ACOS(config)#mirror-port ethernet 3
ACOS(config-if:ethernet5)#monitor input
Example The following commands access the configuration level for Ethernet inter-
face 1 and enable monitoring of its traffic.
ACOS(config-if:ethernet1)#monitor ?
both Both incoming and outgoing packets
input Incoming packets
output Outgoing packets
ACOS(config-if:ethernet1)#monitor input ?
<1-4> Mirror index
ACOS(config-if:ethernet1)#monitor input 1

monitor
monitor
Description Specify event thresholds for utilization of resources.
Syntax [no] monitor {buffer-drop | buffer-usage | ctrl-

cpu | data-cpu | disk | memory | warn-temp}
threshold-value [conn-type] [smp-type]
buffer-drop Packet drops (dropped IO buffers)
buffer-usage Control buffer utilization
ctrl-cpu Control CPU utilization
data-cpu Data CPUs utilization
disk Hard disk utilization
memory Memory utilization
warn-temp CPU temperature
threshold-value The values you can specify depend on the event
type and on the ACOS model. For information,
see the CLI help.
smp-type Sets the threshold for Symmetric Multi-Process-
ing (SMP) resources for the global session mem-
ory pool, shared across all of the ACOS device’s
CPUs:
smp-type0 – 32 bytes
You can enter a value between 32767 to
256000000 (256 million). The default is 32767.
conn-type Sets the threshold for SMP resources per CPU:
conn-type0 – 32 bytes

multi-config
You can enter a value between 32767 to

256000000 (256 million). The default is 32767.
Default The default threshold values depend on the event type and on the ACOS
model. For information, see the CLI help.
Usage If utilization of a system resource crosses the configured threshold, a log

message is generated. If applicable, an SNMP trap is also generated.
To display the configured event thresholds, see “show monitor” on

page 924.
The buffer-drop and buffer-usage options are not applicable to some

device types. The options are applicable to hardware-based ACOS models
and SoftAX.
Example The following command sets the event threshold for data CPU utilization to
80%:
ACOS(config)#monitor data-cpu 80
multi-config
Description Enable simultaneous admin sessions.
Syntax [no] multi-config enable
Default Enabled
Mode Config
Usage Use the “no” form of the command to disable multiple admin access.
Note: Disabling multiple admin access does not terminate currently active
admin sessions. For example, if there are 4 active config sessions, dis-
abling multi-user access will cause the display of a permission prompt
when a 5th user attempts to log onto the device. However, the previous 4
admin sessions will continue to run unaffected.

no
no
Description Remove a configuration command from the running configuration.
Syntax no command-string
Default N/A
Mode Config
Usage Use the “no” form of a command to disable a setting or remove a config-
ured item. Configuration commands at all Config levels of the CLI have a
“no” form, unless otherwise noted.
The command is removed from the running-config. To permanently remove

the command from the configuration, use the write memory command to
save the configuration changes to the startup-config. (See “write terminal”
on page 88.)
Example The following command removes server “http99” from the running-config:
ACOS(config)#no slb server http99
ntp
Description Configure Network Time Protocol (NTP) parameters.
Syntax [no] ntp server {hostname | ipaddr} [prefer]
[no] ntp {disable | enable}
[no] ntp [auth-key ID-num M string]
[no] ntp [trusted-key ID-num]
hostname |
ipaddr Hostname or IP address of the NTP server.
prefer Directs ACOS to use this NTP server by default.
Additional NTP servers are used as backup serv-
ers if the preferred NTP server is unavailable.
disable Disables synchronization with the NTP server.
enable Enables synchronization with the NTP server.

ntp
auth-key ID-num
M string Creates an authentication key. For ID-num, enter
a value between 1-65535. For string, enter a
series of 1-31 alphanumeric characters for the
key. This value is stored in the system using the
A10 encryption algorithm.
Note: Do not enter the encrypted option when

configuring an authentication key. This option is
placed into configuration by the ACOS to indi-
cate that the authentication key string is in
encrypted form.
trusted-key
ID-num Adds an authentication key to the list of trusted
keys. For num, enter the identification number of
a configured authentication key to add the key to
the trusted key list. You can enter more than one
number, separated by whitespace, to simultane-
ously add multiple authentication keys to the
trusted key list.
Default NTP synchronization is disabled by default. If you enable it, DST is enabled
by default, if applicable to the specified timezone.
Usage You can configure a maximum of 4 NTP servers.
If the system clock is adjusted while OSPF or IS-IS is enabled, the routing
protocols may stop working properly. To work around this issue, disable
OSPF and IS-IS before adjusting the system clock.
Example The following commands configure an NTP server and enable NTP:
ACOS(config)#ntp server 10.1.4.20
ACOS(config)#ntp server enable
Example The following example creates 3 authentication keys (1337, 1001, and
1012) and adds these keys to the list of trusted keys. The NTP server located
at 10.10.3.18 is configured to use a trusted key (1337) for authentication:
ACOS(config)#ntp auth-key 1337 M XxEnc192
ACOS(config)#ntp auth-key 1001 M Vke1324as
ACOS(config)#ntp auth-key 1012 M 28fj039
ACOS(config)#ntp trusted-key 1337 1001 1012
ACOS(config)#ntp server 10.10.3.18 key 1337

object-group network
You can verify the NTP server and authentication key configuration with
the show run command. The following example includes an output modi-
fier to display only NTP-related configuration:
ACOS(config)#show run | include ntp
ntp auth-key 1001 M encrypted
FSNiuf10Dtzc4aY0tk2J4DwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
NEMuh8GgapM8EIy41dsA5zwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
zIJptJHuaQaw/5o10esBTDwQjLjV2wDnPBCMuNXbAOc8EIy41dsA5zwQjLjV2wDn
ntp trusted-key 1001 1012 1337
ntp server 10.10.3.18 key 1337
object-group network
Description Create a network object group.
[no] object-group network group-name
This command changes the CLI to the configuration level for the network
object group, where the following commands are available:
Command Description
[no] any Matches on all IP addresses.
[no] host host-
src-ipaddr Matches only on the specified host IPv4 or IPv6
address.
[no] net-src-
ipaddr
{filter-mask |
/mask-length} Matches on any host in the specified IPv4 subnet.
address to filter:
– Use 0 to match.
a 24-bit subnet: 0.0.0.255

object-group service

[no] net-src-
ipv6addr
/prefix-length Matches on any host in the specified subnet. The
prefix-length specifies the portion of the address
to filter.
Default Not set
Example The following commands configure network object groups INT_CLIENTS,

HTTP_SERVERS and FTP_SERVERS:
ACOS(config)#object-group network INT_CLIENTS
ACOS(config-network-group:INT_CLIENTS)#host 10.9.9.1
ACOS(config-network-group:INT_CLIENTS)#host 10.9.9.2
ACOS(config-network-group:INT_CLIENTS)#10.1.0.0 0.0.255.255
ACOS(config-network-group:INT_CLIENTS)#10.2.0.0 0.0.255.255
ACOS(config-network-group:INT_CLIENTS)#exit
ACOS(config)#object-group network HTTPS_SERVERS
ACOS(config-network-group:HTTPS_SERVERS)#host 192.168.230.215
ACOS(config-network-group:HTTPS_SERVERS)#exit
ACOS(config)#object-group network FTP_SERVERS
ACOS(config-network-group:FTP_SERVERS)#host 192.168.230.5
ACOS(config-network-group:FTP_SERVERS)#host 192.168.230.216
ACOS(config-network-group:FTP_SERVERS)#exit
Description Create a service object group.
[no] object-group service group-name
This command changes the CLI to the configuration level for the service
object group, where the following commands are available:

Command Description
[no] icmp
[type {type-
option}
[code {any-code
| code-num}]] Matches on ICMP traffic.
type type-option – Matches based on the
specified ICMP type. You can specify one of the
following. Enter the type name or the type num-
ber (for example, dest-unreachable or 3).
any-type – Matches on any ICMP type.
dest-unreachable | 3 – Type 3, destination
unreachable
echo-reply | 0 – Type 0, echo reply
echo-request | 8 – Type 8, echo request
info-reply | 16 – Type 16, information reply
info-request | 15 – Type 15, information request
mask-reply | 18 – Type 18, address mask reply
mask-request | 17 – Type 17, address mask
request
parameter-problem | 12 – Type 12, parameter
problem
redirect | 5 – Type 5, redirect message
source-quench | 4 – Type 4, source quench
time-exceeded | 11 – Type 11, time exceeded
timestamp | 13 – Type 13, timestamp
timestamp-reply | 14 – Type 14, timestamp
reply
type-num – ICMP type number, 0-254
code code-num – This option is applicable if
the protocol type is icmp. Matches based on the
specified ICMP code.
any-code – Matches on any ICMP code.
code-num – ICMP code number, 0-254

[no] icmpv6
[type {type-
option}
[code {any-code
| code-num}]] Matches on ICMPv6 traffic.
type type-option – Specifies the message
type:
any-type – Matches on any ICMPv6 type.
dest-unreachable – Matches on type 1,
destination unreachable messages.
echo-reply – Matches on type 129, echo
reply messages.
echo-request – Matches on type 128, echo
request messages.
packet-too-big – Matches on type 2,
packet too big messages.
param-prob – Matches on type 4, parameter
problem messages.
time-exceeded – Matches on type 3, time
exceeded messages.
type-num – Matches on the specified type
value, 0-254.
{tcp | udp}
eq src-port |
gt src-port |
lt src-port |
range start-
src-port
end-src-port Specifies the protocol ports on which to match:
eq src-port – The ACL matches on traffic on
the specified port.
gt src-port – The ACL matches on traffic on
any port with a higher number than the specified
port.
lt src-port – The ACL matches on traffic on
any port with a lower number than the specified
port.
– The ACL matches on traffic on any port within
the specified range.

packet-handling
Default Not set
Example The following commands configure service object group WEB_SERVICES

and display the configuration:
ACOS(config)#object-group service WEB-SERVICES
ACOS(config-service-group:WEB-SERVICES)#tcp eq 80
ACOS(config-service-group:WEB-SERVICES)#tcp source range 1025 65535 eq 8080
ACOS(config-service-group:WEB-SERVICES)#tcp source range 1025 65535 eq 443
ACOS(config-service-group:WEB-SERVICES)#exit
ACOS#show object-group
object-group service WEB-SERVICES
tcp eq 80
tcp source range 1025 65535 eq 8080
tcp source range 1025 65535 eq 443
The following command configures an ACL that uses service object group
configured above:
ACOS(config)#access-list 111 permit object-group WEB-SERVICES any any
packet-handling
Description Set handling of Layer 2 broadcast packets.
Syntax packet-handling broadcast {trap | flood}
trap Sends broadcast packets to the CPU for process-
ing, instead of forwarding them in hardware.
flood Forwards broadcast packets in hardware.
Default trap
Usage This command is supported only on models AX 2200, AX 3100, and

AX 3200.

partition
partition
Description Configure a private partition for Role-Based Administration (RBA).
Syntax [no] partition partition-name

[[max-aflex-file num [network-partition]] id num]
partition-name Specifies the name of the private partition, 1-14
characters.
max-aflex-file
num Specifies the maximum number of aFleX poli-
cies the partition can have, 1-128.
network-
partition Enables Layer 2/3 virtualization, which allows
the partition to have its own network resources,
separate from the shared partition and other pri-
vate partitions.
id num Assigns an ID to the partition. The partition ID
ensures that a partition’s configuration remains
consistent across devices in multi-device deploy-
ments (HA, VRRP-A, aVCS). The partition ID
can be 1-128.
Default The ACOS device has a shared partition but no private partitions by default.
When you create a private partition, it can have a maximum of 32 aFleX
policies by default. Layer 2/3 virtualization is disabled by default. The
ACOS device does not automatically assign an ID.
Usage To use this command, you must be logged in with an admin account that has
Root or Read-write privileges. (See “show admin” on page 840 for descrip-
The Index number displayed in show partition output is not necessarily the
same as the partition ID, and does not ensure consistent partition configura-
tion across devices.
If you delete a partition, resources associated with the partition are perma-
nently deleted. This includes SSL certificates and keys, and aFleX scripts.
These resources are deleted even if you reload or reboot without saving the
configuration. In this case, the partition configuration is restored but the
resources are still gone.

ping
Example The following commands configure two private partitions, “companyA”

and “companyB”:
ACOS(config)#partition companyA id 1
ACOS(config)#partition companyB id 2
Example The following command adds partition “dmz1” and enables Layer 2/3 virtu-
alization for the partition:
ACOS(config)#partition dmz1 network-partition id 3
Example The following command removes all private partitions:

ACOS(config)#no partition
Remove all RBA partitions and configurations therein? (y/n) y
ping
Ping is used to diagnose basic network connectivity. For syntax informa-
tion, see “ping” on page 59.
poap
Description Enables Power On Auto Provisioning (POAP).
Note: After using the poap command, you must reboot the system. The device
will return to service in POAP mode.
Syntax [no] poap
Default POAP mode is enabled by default on SoftAX virtual appliances. However,

the feature is disabled by default on all physical devices.

radius-server
radius-server
Description Set RADIUS parameters, for authenticating administrative access to the
ACOS device.
Syntax [no] radius-server host {hostname | ipaddr}

secret secret-string
[acct-port protocol-port]
[auth-port protocol-port]
[retransmit num]
[timeout seconds]
[default-privilege-read-write]
hostname |
ipaddr Hostname or IP address of the RADIUS server.
secret
secret-string Password, 1-128 characters, required by the
RADIUS server for authentication requests.
acct-port
protocol-port Protocol port to which the ACOS device sends
RADIUS accounting information.
auth-port
protocol-port Protocol port to which the ACOS device sends
authentication requests.
retransmit num Maximum number of times the ACOS device can
resend an unanswered authentication request to
the server. If the ACOS device does not receive a
reply to the final request, the ACOS device tries
the secondary server, if one is configured.
If no secondary server is available, or if the sec-
ondary server also fails to reply after the maxi-
mum number of retries, authentication fails and
the admin is denied access.
You can specify 0-5 retries.
timeout seconds Maximum number of seconds the ACOS device
will wait for a reply to an authentication request
before resending the request. You can specify
1-15 seconds.

radius-server
default-
privilege-read-
write Change the default privilege authorized by
RADIUS from read-only to read-write. The
default privilege is used if the Service-Type attri-
bute is not used, or the A10 vendor attribute is
not used.
Default No RADIUS servers are configured by default. When you add a RADIUS
server, it has the following default settings:
• acct-port – 1813
• auth-port – 1812
• retransmit – 3 retries
• default-privilege-read-write – Disabled. By default, if the Service-

Type attribute is not used, or the A10 vendor attribute is not used, suc-
cessfully authenticated admins are authorized for read-only access.
You can configure up to 2 RADIUS servers. The servers are used in the
order in which you add them to the configuration. Thus, the first server you
add is the primary server. The second server you add is the secondary
(backup) server. Enter a separate command for each of the servers. The sec-
ondary server is used only if the primary server does not respond.
Example The following commands configure a pair of RADIUS servers and config-
ure the ACOS device to use them first, before using the local database.
Since 10.10.10.12 is added first, this server will be used as the primary
server. Server 10.10.10.13 will be used only if the primary server is unavail-
able.
ACOS(config)#authentication type radius local

raid
raid
Description Enter the configuration level for RAID.
Syntax raid
CAUTION! RAID configuration should be performed only by or with

the assistance of A10 Networks. A10 strongly advises that you do not
experiment with these commands.
restore
Description Restore the startup-config, aFleX policy files, and SSL certificates and keys
from a tar file previously created by the backup command. The restored
configuration takes effect following a reboot.
Syntax restore [use-mgmt-port] url
directory path.
characters long.
tftp://host/file
Default N/A

route-map
Usage Do not save the configuration (write memory) after restoring the startup-
config. If you do, the startup-config will be replaced by the running-config
and you will need to restore the startup-config again.
To place the restored configuration into effect, reboot the ACOS device.
The “no” form of this command is invalid.
route-map
Description Configure a rule in a route map. You can use route maps to provide input to
the following OSPF commands:
• “redistribute” on page 435
• “default-information originate” on page 444
Syntax [no] route-map map-name {deny | permit}

sequence-num
map-name Route map name.
deny | permit Action to perform on data that matches the rule.
sequence-num Sequence number of the rule within the route
map, 1-65535. Rules are used in ascending
sequence order.
The action in the first matching rule is used, and
no further matching is performed.
You do not need to configure route map rules in
numerical order. The CLI automatically places
them in the configuration (running-config) in
ascending numerical order.
route map rule, where the following match commands are available.
Note: Some match options apply only to BGP, which is not supported in the cur-
rent release.

route-map
Command Description
match as-path
acl-id Matches on the BGP AS paths listed in the speci-
fied ACL.
match community
acl-id
[exact-match] Matches on the BGP communities listed in the
specified ACL.
match
extcommunity
acl-id
[exact-match] Matches on the BGP external communities listed
in the specified ACL.
match interface
{ethernet
portnum |
loopback num |
management |
ve ve-num} Matches on the interface used as the first hop for
a route.
match ip
address
{acl-id |
prefix-list
list-name} Matches on the route IP addresses in the speci-
fied ACL or prefix list.
match ip
next-hop
{acl-id |
prefix-list
list-name} Matches on the next-hop router IP addresses in
the specified ACL or prefix list.
match ip peer
acl-id Matches on the peer router IP addresses in the
specified ACL.
match ipv6
address
{acl-id |
prefix-list
list-name} Matches on the route IP addresses in the speci-
fied ACL or prefix list.

router device-context
match ipv6
next-hop
{acl-id |
prefix-list
list-name |
ipv6-addr} Matches on the next-hop router IP addresses in
the specified ACL or prefix list, or the specified
IPv6 address.
match ipv6 peer
acl-id Matches on the peer router IP addresses in the
specified ACL.
match metric
num Matches on the specified metric value,
0-4294967295.
match origin
{egp | igp |
incomplete} Matches on the specified BGP origin code.
match
route-type
external
{type-1 |
type-2} Matches on the specified external route type.
match tag Matches on the specified TAG value,
0-4294967295.
Default None
Usage For options that use an ACL, the ACL must use a permit action. Otherwise,
the route map action is deny.
Description Change the context of the CLI session on an AX Virtual Chassis System
(aVCS) vMaster to a vBlade, in order to configure routing on the vBlade.
See “router device-context” on page 788.

router protocol
router protocol
Description Enter the configuration mode for a dynamic routing protocol.
Syntax [no] router protocol
protocol Specifies the routing protocol:
bgp AS-num – Specifies an Autonomous Sys-
tem (AS) for which to run BGP on the ACOS
device.
ipv6 ospf [tag] – Specifies an IPv6
OSPFv3 process (1-65535) to run on the IPv6
link.
isis [tag] – Enables Intermediate System
to Intermediate System (IS-IS).
log – See the following sections:
“router log file” on page 213
“router log record-priority” on page 214
“router log stdout” on page 214
“router log syslog” on page 215
“router log trap” on page 215
ospf [process-id] – Specifies an IPv4
OSPFv2 process (1-65535) to run on the ACOS
device.
Note: After you enter the command, the CLI changes to the configuration level
for the specified protocol.
Default Dynamic routing protocols are disabled by default.
Usage This command is valid only when the AX is configured for gateway mode
(Layer 3).
For more information, see the following:

• “Config Commands: Router – OSPF” on page 423

router log file
• “Config Commands: Router – IS-IS” on page 465
• “Config Commands: Router – BGP” on page 491
Example The following command enters the configuration level for OSPFv2
process 1:
ACOS(config)#router ospf 1
ACOS(config-router)#
router log file

Description Configure router logging to a local file.
Syntax [no] router log file

{
name string |
per-protocol |
rotate num |
size Mbytes
}
name string Name of the log file.
per-protocol Uses separate log files for each protocol. Without
this option, log messages for all protocols are
written to the same file.
rotate num Specifies the number of backups to allow for
each log file. When a log file becomes full, the
logs are saved to a backup file and the log file is
cleared for new logs. You can specify 0-100
backups. If the maximum number of backups is
reached, the oldest backups are purged to make
way for new ones.
size Mbytes Specifies the size of each log file. You can spec-
ify 0-1000000 Mbytes. If you specify 0, the file
size is unlimited.
Default This command has the following default values:

• per-protocol – disabled
• rotate – 0
• size – 0 (unlimited)

router log log-buffer
Usage When you enable logging, the default minimum severity level that is logged
is debugging. To change the minimum severity level that is logged, see
“router log trap” on page 215.
The per-protocol option is recommended. Without this option, messages

from all routing protocols will be written to the same file, which may make
troubleshooting more difficult.
router log log-buffer

Description Sends router logs to the logging buffer.
Syntax router log log-buffer
Default Please contact A10 Support for details.
router log record-priority

Description Include the message priority within each router log message.
Syntax [no] router log record-priority
Default Disabled
router log stdout

Description Enable router logging to the terminal.
Syntax [no] router log stdout
Default Disabled

router log syslog
router log syslog

Description Enable router logging to the local log buffer.
Syntax [no] router log syslog
Default Disabled
To display the log messages in the local log buffer, use the show log com-
mand.
router log trap

Description Specify the minimum severity level to log for router logs.
Syntax [no] router log trap severity-level
severity-level Minimum severity level to log. You can specify
one of the following:
emergencies
alerts
critical
errors
warnings
notifications
informational
debugging
Default debugging

run-hw-diag
run-hw-diag
Description Access the hardware diagnostics menu.
Caution: The system will be unavailable for normal operations while a test is
running.
Note: A reboot is required before the hardware diagnostics menu appears. If you
reboot to a software release that does not support the hardware diagnos-
tics menu, the menu is not available. Currently, the hardware diagnostics
menu is supported in AX Release 2.4.3-P3 and later 2.4.x releases, and in
AX Release 2.6.1.
Syntax run-hw-diag
Usage The hardware diagnostic menu is available only on serial console sessions.
To run a test, you must use a serial console connection.
The run-hw-diag command requires a reboot. After the reboot is com-

pleted, a menu with the following options appears:
• 1 - Memory Test
• 2 - HDD/CF Scan Test (1-2 hours)
• 3 - MBR (Master Boot Record) check
• 4 - Complete Test (all above)
• x - Reboot
Note: As indicated in the description for option 2, the media scan test, the test
takes 1-2 hours to complete.
After a test is completed, you can use the x option to reboot. If you do not
enter an option to run another test or reboot, the system automatically
reboots after 5 minutes. The same software image that was running when
you entered the run-hw-diag command is reloaded during the reboot.
Example The following example shows how to access the hardware diagnostic menu:
ACOS(config)#run-hw-diag
Please confirm: You want to run HW diagnostics (N/Y)?:y
Please reboot the system when you are ready.
HW diagnostic will run when the system comes back up.
ACOS(config)#end
AX#reboot
Proceed with reboot? [yes/no]:yes

session-filter
Rebooting......
INIT: version 2.86 booting

Booting.........mdadm: stopped /dev/md1
mdadm: stopped /dev/md0
00000000000
------------------------------------------------------
| Hardware Diagnostic Menu |
------------------------------------------------------
| 1 - Memory Test |
| 2 - HDD/CF Scan Test (1-2 hours) |
| 3 - MBR (Master Boot Record) check |
| 4 - Complete Test (all above) |
| x - Reboot |
------------------------------------------------------
Please select an option [1-4, x]:
session-filter
Description Configure a session filter.
session-filter filter-name
{
ipv4addr-suboptions |
ipv6 |
sip |
filter filter-name
}
ipv4addr-
suboptions Matches on sessions that have a source or desti-
nation IPv4 address. The following address sub-
options are supported:
source-addr ipaddr
[{subnet-mask | /mask-length}] – Matches on
IPv4 sessions that have the specified source IP
address.
source-port port-num – Matches on IPv4 ses-
sions that have the specified source protocol port
number, 1-65535.

slb
dest-addr ipaddr
[{subnet-mask | /mask-length}] – Matches on
IPv4 sessions that have the specified destination
IP address.
dest-port port-num – Matches on IPv4 sessions
that have the specified destination protocol port
number, 1-65535.
You can use one or more of the suboptions, in the
order listed above. For example, if the first sub-
option you enter is dest-addr, the only additional
suboption you can specify is dest-port.
ipv6 Matches on all sessions that have a source or des-
tination IPv6 address.
sip Matches on all SIP sessions.
Default No session filters are configured by default.
Usage Session filters allows you to save session display options for use with the
clear session and show session commands. Configuring a session filter
allows you to specify a given set of options one time rather than re-entering
the options each time you use the clear session or show session command.
Example The following commands configure a session filter and use it to filter show
session output:
ACOS(config)#session-filter f1 source-addr 1.0.4.147
ACOS(config)#show session filter f1
Prot Forward Source Forward Dest Reverse Source Reverse Dest
Age Hash
---------------------------------------------------------------------------------------
--------------------
Tcp 1.0.4.147:51613 1.0.100.1:21 1.0.3.148:21 1.0.4.147:51613
120 1
slb
Description Configure Server Load Balancing (SLB) parameters. For information about
the slb commands, see “Config Commands: Server Load Balancing” on
page 549.

smtp
smtp
Description Configure a Simple Mail Transfer Protocol (SMTP) server to use for send-
ing emails from the ACOS device.
Syntax [no] smtp {hostname | ipaddr}

[mailfrom email-src-addr]
[needauthentication]
[port protocol-port]
[username string password string]
hostname |
ipaddr Specifies an SMTP server.
mailfrom
email-src-addr Specifies the email address to use as the sender
(From) address.
needauthenticat
ion Specifies that authentication is required.
port
protocol-port Specifies the protocol port on which the server
listens for SMTP traffic.
username string
password string Specifies the username and password required
for access. The password can be 1-31 characters
long.
Default No SMTP servers are configured by default. When you configure one, it has
the following default settings:
• port – 25
• needauthentication – disabled
• mailfrom – not set
Example The following command configures the A10 Thunder Series and AX Series
device to use SMTP server “ourmailsrvr”:
ACOS(config)#smtp ourmailsrvr

snmp-server community
snmp-server community
Description Configure an SNMP community string.
Syntax [no] snmp-server community

read ro-community-string
[oid oid-value]
[remote {hostname | ipaddr mask-length |
ipv6-addr/prefix-length}]
ro-community-
string The read-only community string.
oid oid-value Object ID. This option restricts the objects that
the A10 Thunder Series and AX Series device
returns in response to GET requests. Values are
returned only for the objects within or under the
specified OID.
remote
{hostname |
ipaddr mask-
length |
ipv6-
addr/prefix-
length]} Restricts SNMP access to a specific host or sub-
net. When you use this option, only the specified
host or subnet can receive SNMP data from the
A10 Thunder Series and AX Series device by
sending a GET request to this community.
Default The configuration does not have any default SNMP communities. When
you configure one, all OIDs are allowed by default and all remote hosts are
allowed by default.
Usage All SNMP communities are read-only. Read-write communities are not sup-
ported. The OID for A10 Networks A10 Thunder Series and AX Series
objects is 1.3.6.1.4.1.22610.
The “no” form removes the read-only community string.

snmp-server contact
Example The following commands enable SNMP, define community string

“A10_AX”, and restrict access to hosts in subnet 10.10.20.x/24 and to AX
MIB objects only:
ACOS(config)#snmp-server enable
ACOS(config)#snmp-server community read A10_AX oid AxMgmt remote 10.10.20.0 24
Example The following commands enable SNMP, define community string

“A10_AX2”, and restrict access to hosts in IPv6 network a101::1111:
ACOS(config)#snmp-server enable
ACOS(config)#snmp-server community read A10_AX2 remote a101::1111
snmp-server contact
Description Configure SNMP contact information.
Syntax [no] snmp-server contact contact-name on-device

DeviceID contact-name
contact-name The contact person’s name.
on-device
DeviceID The DeviceID specifies the aVCS ID of the
device.
Default Empty string
Usage The “no” form removes the contact information.
By default, the SNMP syscontact OID value is synchronized among all

member ACOS devices of an aVCS virtual chassis. You can disable this
synchronization, on an individual device basis.
Note: After configuring this option for an ACOS device, if you disable aVCS on
that device, the running-config is automatically updated to continue using
the same syscontact value you specified for the device. You do not need to
reconfigure the syscontact on the device after disabling aVCS.
Example The following command defines the contact person as “snmp-admin”:

ACOS(config)#snmp-server contact snmp-admin

snmp-server enable
snmp-server enable
Description Enable the A10 Thunder Series and AX Series device to accept SNMP MIB
data queries and to send SNMP v1/v2c traps.
To use SNMP on the device, you must enter this command. Enter this com-
mand first, then enter the other snmp-server commands to further configure
the feature.
Syntax [no] snmp-server enable

[
traps [
snmp [trap-name]
system [trap-name]
network [trap-name]
lldp
routing [trap-name]
ha [trap-name]
slb [trap-name]
gslb [trap-name]
ssl [trap-name]
]
]
traps Specifies the traps to enable. You can enable all
traps, all traps of a specific type, or individual
traps.
To enable all traps, specify traps, without any
additional options.
To enable all traps of a specific type, specify one
of the following:
traps snmp – Enables the following traps:
linkdown – Indicates that an Ethernet
interface has gone down.
linkup – Indicates that an Ethernet inter-
face has come up.
traps system – Enables the following traps:
control-cpu-high – Indicates that the
control CPU utilization is higher than the
configured threshold. (See “monitor” on
page 195.)

snmp-server enable
data-cpu-high – Indicates that data

CPU utilization is higher than the configured
threshold. (See “monitor” on page 195.)
fan – Indicates that a system fan has failed.
Contact A10 Networks.
high-disk-use – Indicates that hard disk
usage on the ACOS device is higher than the
page 195.)
high-memory-use – Indicates that the
memory usage on the ACOS device is higher
than the configured threshold. (See “moni-
tor” on page 195.)
high-temp – Indicates that the tempera-
ture inside the AX chassis is higher than the
page 195.)
packet-drop – Indicates that the number
of dropped packets during the previous
10-second interval exceeded the configured
threshold. (See “monitor” on page 195.)
Note: This trap is not applicable to some device types. The trap is applicable to
Thunder Series and AX Series hardware-based models and software-
based models.
power – Indicates that a power supply has
failed. Contact A10 Networks.
pri-disk – Indicates that the primary
Hard Disk has failed or the RAID system has
failed. In dual-disk models, the primary Hard
Disk is the one on the left, as you are facing
the front of the AX chassis.
restart – Indicates that the ACOS device
is going to reboot or reload.
sec-disk – Indicates that the secondary
Hard Disk has failed or the RAID system has
failed. The secondary Hard Disk is the one
on the right, as you are facing the front of the
AX chassis.
Note: This trap applies only to models that use disk drives.
shutdown – Indicates that the ACOS
device has shut down.

snmp-server enable
start – Indicates that the ACOS device

has started.
traps lldp – Enables traps for Link Layer
Detection Protocol (LLDP).
traps network – Enables the following trap:
trunk-port-threshold – Indicates
that the trunk ports threshold feature has dis-
abled trunk members because the number of
up ports in the trunk has fallen below the
configured threshold. (To configure the
threshold, see “trunk” on page 252.)
traps routing – Enables the following
traps:
isis – Enables traps for Intermediate Sys-
tem To Intermediate System (IS-IS) routing.
To list the individual traps you enable or dis-
able, enter the following:
snmp-server enable traps routing isis ?

ospf – Enables traps for Open Shortest
Path First (OSPF) routing. To list the indi-
vidual traps you enable or disable, enter the
following:
snmp-server enable traps routing ospf

traps ha – Enables the following traps:
active – Indicates that the ACOS device is
going from HA Standby mode to Active
mode.
standby – Indicates that the ACOS device
is going from HA Active mode to Standby
mode.
active-active – Indicates that an
Active-Active HA configuration has been
enabled.
vrrp – Indicates that a VRID has changed
state between active and standby.
traps slb – Enables the following traps:
application-buffer-limit – Indi-
cates that the configured SLB application

snmp-server enable
buffer threshold has been exceeded. (See

“monitor” on page 195.)
server-conn-limit – Indicates that an
SLB server has reached its configured con-
nection limit.
server-conn-resume – Indicates that
an SLB server has reached its configured
connection-resume value.
server-down – Indicates that an SLB
server has gone down.
server-up – Indicates that an SLB server
has come up.
service-conn-limit – Indicates that
an SLB service has reached its configured
connection limit.
service-conn-resume – Indicates that
an SLB service has reached its configured
connection-resume value.
service-down – Indicates that an SLB
service has gone down.
service-up – Indicates that an SLB ser-
vice has come up.
vip-connlimit – Indicates that the con-
nection limit configured on a virtual server
has been exceeded.
vip-connratelimit – Indicates that the
connection rate limit configured on a virtual
server has been exceeded.
vip-port-connlimit – Indicates that
the connection limit configured on a virtual
port has been exceeded.
vip-port-connratelimit – Indicates
that the connection rate limit configured on a
virtual port has been exceeded.
vip-port-down – Indicates that an SLB
virtual service port has gone down.
vip-port-up – Indicates that an SLB vir-
tual service port has come up. An SLB vir-
tual server’s service port is up when at least
one member (real server and real port) in the
service group bound to the virtual port is up.

snmp-server group
traps gslb – Enables the following traps:

group – Group-related traps.
service-ip – Traps related to service-
IPs.
site – Site-related traps.
zone – Zone-related traps.
traps ssl – Enables the following trap:
server-certificate-error – Indi-
cates a certificate error.
Note: If you enter the snmp-server enable command without a trap option, the
SNMP service is enabled but no traps are enabled.
Default The SNMP service is disabled by default and all traps are disabled by
default.
Usage The “no” form disables traps.
Example The following command enables all traps:

ACOS(config)#snmp-server enable traps
Example The following command enables all SLB traps:

ACOS(config)#snmp-server enable traps slb
Example The following commands enable SLB traps server-conn-limit and server-
conn-resume:
ACOS(config)#snmp-server enable traps slb server-conn-limit
ACOS(config)#snmp-server enable traps slb server-conn-resume
snmp-server group
Description Configure an SNMP group.
Syntax [no] snmp-server group group-name {v1 | v2c | v3

{auth | noauth | priv}} read view-name
group-name Specifies the name of the SNMP group.
v1 Uses the least secure of the security models.

snmp-server host
v2c Uses the second-least secure of the security mod-

els.
v3 Uses the most secure of the security models.
auth Uses packet authentication but does not encrypt
the packets. (This is the authNoPriv security
level.)
noauth Does not use any authentication of packets.
(This is the noAuthNoPriv security level.)
priv Uses packet authentication and encryption.
(This is the authPriv security level.)
view-name Specifies the name of a read-only view for
accessing the MIB object values.
Default The configuration does not have any default SNMP groups.
Example The following commands add SNMP v3 group “group1” with authPriv
security and read-only view “view1”:
ACOS(config)#snmp-server group group1 v3 priv read view1
snmp-server host
Description Configure an SNMP v1/v2c trap receiver.
Syntax [no] snmp-server host trap-receiver

[version {v1 | v2c}]
community-string
[udp-port port-num]
trap-receiver Hostname or IP address of the remote device to
which traps will be sent.
version
{v1 | v2c} SNMP version. If you omit this option, the trap
receiver can use SNMP v1 or v2c.
community-
string Community string for the traps.
port-num UDP port to which the A10 Thunder Series and
AX Series device will send the traps.

snmp-server location
Default No SNMP hosts are defined. When you configure one, the default SNMP
version is v2c and the default UDP port is 162.
Usage You can configure up to 16 trap receivers.
The “no” form removes the trap receiver.
Example The following command configures SNMP trap receiver 100.10.10.12 to

use community string “public” and UDP port 166 for SNMP v2c traps.
ACOS(config)#snmp-server host 100.10.10.12 public udp-port 166
snmp-server location
Description Configure SNMP location information.
Syntax [no] snmp-server location location
location The location of this ACOS device.
Default Empty string
Usage The “no” form removes the location information.
Example The following command configures the location as “A10-HQ”:

ACOS(config)#snmp-server location A10-HQ
snmp-server user
Description Configure SNMP user-based groups.
Syntax [no] snmp-server user username group groupname

{v1 | v2 | v3 [auth {md5 | sha} password
[encrypted]]}

snmp-server view
username Specifies the SNMP user name.
groupname Specifies the group to which the SNMP user
belongs.
v1 | v2c Specifies SNMP version 1 or v2c.
v3
[auth {md5 |
sha} password
[encrypted]] Specifies SNMP version 3 and the authentication
to use.
md5 | sha – HMAC MD5 (md5) or HMAC
SHA (sha).
password [encrypted] – Password, 8-31
characters, for SNMP messages. To encrypt the
password, use the encrypted option.
Default No SNMP users are configured by default. When you configure one, all
remote hosts are allowed by default. For v3, there is no authentication by
default.
Example The following command adds an SNMP user belonging to group “group1”.
The SNMP version is 3 and the authentication method is HMAC MD5. The
password is “12345678”. The password is not encrypted.
ACOS(config)#snmp-server user user1 group group1 v3 auth md5 12345678
snmp-server view
Description Configure an SNMP view.
Syntax [no] snmp-server view view-name oid [oid-mask]

{included | excluded}
view-name SNMP views name.
oid MIB view family name or OID.
oid-mask OID mask. Use hex octets, separated by ‘.’.
included MIB family is included in the view.
excluded MIB family is excluded from the view.

stats-data-disable
Default N/A
Usage The OID for A10 Networks A10 Thunder Series and AX Series objects is
1.3.6.1.4.1.22610.
Example The following command adds SNMP view “view1” and includes all objects
in the 1.3.6 tree:
ACOS(config)#snmp-server view view1 1.3.6 included
stats-data-disable
Description Globally disable collection of statistical data.
Syntax stats-data-disable
Default Statistical data collection is enabled by default.
Usage This command disables statistical data collection for system resources,
including the following:
• CPU
• Memory
• Disk
• Interfaces
This command also disables statistical data collection for any of the follow-
ing types of load-balancing resources, if collection is enabled on those
resources:
• SLB resources:
• Real server
• Real server port
• Service group
• Virtual server
• Virtual server port

stats-data-enable
• FWLB resources:
• Firewall node
• Firewall group
• Virtual firewall
stats-data-enable
Description Globally re-enable collection of statistical data.
Syntax stats-data-enable
Default Statistical data collection is enabled by default.
Usage This command re-enables statistical data collection for system resources,
including the following:
• CPU
• Memory
• Disk
• Interfaces
The command also re-enables statistical data collection for any individual
load-balancing resources on which collection had been enabled before it
was globally disabled.
switch
Description Configure hardware settings on Ethernet ports.
CAUTION! Do not use this command unless advised to do so by A10

Networks. The command is used for troubleshooting and can affect
performance of the A10 Thunder Series and AX Series.
Usage This command is not supported on some models. There is no “no” form of
this command.

syn-cookie
syn-cookie
Description Enable hardware-based SYN cookies, which protect against TCP SYN
flood attacks.
Syntax [no] syn-cookie

[on-threshold num off-threshold num]
on-threshold
num Maximum number of concurrent half-open TCP
connections allowed on the ACOS device, before
SYN cookies are enabled. If the number of half-
open TCP connections exceeds the on-threshold,
the ACOS device enables SYN cookies. You can
specify 0-2147483647 half-open connections.
off-threshold
num Minimum number of concurrent half-open TCP
connections for which to keep SYN cookies ena-
bled. If the number of half-open TCP connec-
tions falls below this level, SYN cookies are
disabled. You can specify 0-2147483647 half-
open connections.
Note: It may take up to 10 milliseconds for the ACOS device to detect and
respond to crossover of either threshold.
Default Hardware-based SYN cookies are disabled by default. When the feature is
enabled, there are no default settings for the on and off thresholds.
Usage Hardware-based SYN cookies are available only on some models.
If both hardware-based and software-based SYN cookies are enabled, only

hardware-based SYN cookies are used. You can leave software-based SYN
cookies enabled but they are not used. (Software-based SYN cookies are
enabled at the virtual port level using the syn-cookie enable command.)
If you omit the on-threshold and off-threshold options, SYN cookies are
enabled and are always on regardless of the number of half-open TCP con-
nections present on the ACOS device.
This command globally enables SYN cookie support for SLB and also
enables SYN cookie support for Layer 2/3 traffic. No additional configura-
tion is required for SLB SYN cookie support. However, to use Layer 2/3

system {all-vlan-limit | per-vlan-limit}
SYN cookie support, you also must enable it at the configuration level for
individual interfaces. See “ip tcp syn-cookie threshold” on page 381.
If Role-Based Administration (RBA) partitions are configured, hardware-

based SYN cookies apply to all partitions. The feature is not partition-
aware.
Example The following command enables hardware-based SYN cookies:

ACOS(config)#syn-cookie
Example The command in the following example configures dynamic SYN cookies
when the number of concurrent half-open TCP connections exceeds 50000,
and disables SYN cookies when the number falls below 30000:
ACOS(config)#syn-cookie on-threshold 50000 off-threshold 30000
system {all-vlan-limit | per-vlan-limit}

Description Set traffic limits for VLANs. You can set a global limit for all VLANs or per
VLAN.
Syntax [no] system {all-vlan-limit | per-vlan-limit}

{bcast | ipmcast | mcast | unknown_ucast} num
all-vlan-limit
| per-vlan-
limit Specifies whether the limit is system-wide for all
VLANs or for each individual VLAN.
all-vlan-limit – Limit applies system-
wide to all VLANs. Collectively, all the A10
Thunder Series and AX Series device’s
VLANs together cannot exceed the specified
limit.
per-vlan-limit – Limit applies to each
VLAN. No individual can exceed the speci-
fied limit.
bcast |
ipmcast |
mcast |
unknown_ucast Specifies the type of traffic to limit:
bcast – Broadcast traffic
ipmcast – IP multicast traffic

system glid
mcast – All multicast packets except IP

multicast packets
unknown_ucast – Unknown unicast traf-
fic
num Specifies the maximum number of packets per
second that are allowed of the specified traffic
type.
Default The default per-VLAN limit for each type of traffic is 1000 packets per sec-
ond. The default all-VLAN limit for each type of traffic is 5000 packets per
second.
Example The following command limits each VLAN to 1000 multicast packets per
second:
ACOS(config)#system per-vlan-limit mcast 1000
system glid
Description Apply a combined set of IP limiting rules to the whole system.
Syntax [no] system glid num
num Specifies the global LID to use.
Default None
Usage This command uses a single global LID. To configure the global LID, see
“glid” on page 155.
Example The following commands configure a standalone IP limiting rule to be

applied globally to all IP clients (the clients that match class list “global”):
ACOS(config)#glid 1
ACOS(config-global lid)#conn-rate-limit 10000 per 1
ACOS(config-global lid)#conn-limit 2000000
ACOS(config-global lid)#over-limit forward logging
ACOS(config-global lid)#exit
ACOS(config)#system glid 1

system module-ctrl-cpu
system module-ctrl-cpu
Description Throttle CLI and SNMP output when control CPU utilization reaches a spe-
cific threshold.
Syntax [no] system module-ctrl-cpu

{low | medium | high}
low Throttles CLI and SNMP output when control
CPU utilization reaches 10 percent. This is the
most aggressive setting.
medium Throttles CLI and SNMP output when control
CPU utilization reaches 25 percent.
high Throttles CLI and SNMP output when control
CPU utilization reaches 45 percent. This is the
least aggressive setting.
Default Not set. Throttling does not occur.
Usage The command takes effect only for new CLI sessions that are started after
you enter the command. After entering the command, close currently open
CLI sessions and start a new one.
system pbslb bw-list

Description Specify the name of a black/white list to use for system-wide Policy-Based
SLB (BPSLB).
Syntax [no] system pbslb bw-list name
Default None
Usage If a connection limit is specified in a black/white list, the ACOS device does

system pbslb id
system pbslb id
Description Specify the action to take for clients in a black/white list used for system-
wide PBSLB.
Syntax [no] system pbslb id id {drop | reset}

[logging minutes]
id Group ID within the black/white list.
drop | reset Specifies the action to take for clients in the spec-
ified group:
drop – Drops the connections.
reset – Resets the connections.
logging minutes Enables logging. The minutes option specifies
how often messages can be generated.
Default Not set
system pbslb over-limit

Description Specify the action to take for system-wide PBSLB clients who either exceed
the connection limit specified in the black/white list, or exceed the threshold
of any IP anomaly filter used for system-wide PBSLB.
Syntax [no] system pbslb over-limit

[reset]
[lockup minutes]
[logging minutes]
reset Resets all new connection attempts from the cli-
ent. If you omit this option, new connection
attempts are dropped instead.
lockup minutes Continues to apply the over-limit action to all
new connection attempts from the client, for the
specified number of minutes.
logging minutes Enables logging. The minutes option specifies
how often messages can be generated.

system pbslb sockstress-disable
Default Not set
Usage The IP anomaly filters used by system-wide PBSLB are bad-content, out-
of-sequence, and zero-window. These filters are enabled automatically
when you configure system-wide PBSLB. To modify the filters, see “ip
anomaly-drop” on page 356.
system pbslb sockstress-disable

Description Disable Sockstress protection, if enabled by a system-wide PBSLB policy.
Syntax [no] system pbslb sockstress-disable
Default By default, Sockstress protection is enabled when you configure and enable
system-wide PBSLB.
Usage Sockstress protection can be configured (and enabled) using a system-wide

PBSLB policy. This command provides a simple way to disable Sockstress
protection, without the need to remove the system-wide PBSLB policy.
If you disable Sockstress protection, the following IP anomaly counters are

no longer incremented:
• Invalid HTTP or SSL payload
• Zero-length TCP window
• Out-of-sequence packet
These counters are incremented only when Sockstress protection is enabled.
system pbslb timeout

Description Set the timeout for dynamic black/white-list entries, used by system-wide
PBSLB.
Syntax [no] system pbslb timeout minutes
minutes Specifies the timeout, 1-127 minutes.

system resource-usage
Default 5 minutes
Usage If the lockup option is used with the system pbslb over-limit command,
aging of the dynamic entry for a locked up client begins only after the
lockup expires.
Description Change the capacity of a system resource.
Syntax [no] system resource-usage resource-type maximum
resource-type Specifies the system resource you are resizing:
class-list-ipv6-addr-count –
Maximum number of IPv6 addresses
allowed within each IPv6 class list
client-ssl-template-count
– Total configurable client SSL templates
conn-reuse-template-count –
Total configurable connection reuse tem-
plates
fast-tcp-template-count – Total
configurable Fast TCP templates
fast-udp-template-count – Total
configurable Fast UDP templates
http-template-count – Total config-
urable HTTP templates
l4-session-count – Total Layer 4 ses-
sions
nat-pool-addr-count – Total IP
source NAT pools
persist-cookie-template-count
– Total configurable persistent cookie tem-
plates
persist-srcip-template-count –
Total configurable source IP persistence
templates

proxy-template-count – Total con-

figurable proxy templates
real-port-count – Total real server
ports
real-server-count – Total real servers
server-ssl-template-count
– Total configurable server SSL templates
service-group-count – Total service
groups
stream-template-count – Total con-
figurable streaming-media templates
virtual-port-count – Total virtual
server ports
virtual-server-count – Total vir-
tual servers
maximum The maximum number of the specified resource
you want to allow on the A10 Thunder Series and
AX Series.
Default The default maximum number for each type of system resource depends on
the Thunder Series or AX Series model. To display the defaults and current
values for your device, enter the following command: “show system
resource-usage” on page 952.
Usage The maximum number you can configure depends on the resource type and
the A10 Thunder Series and AX Series model. To display the range of val-
ues that are valid for a resource, enter a question mark instead of a quantity.
• For all the following types of SLB templates, the total number allowed
is 256 each, and is not configurable in the current release:
• SIP
• SMTP
• Policy (PBSLB)
• For RAM caching templates, the total number allowed is 128 each.
• The total number of health monitors allowed is 1024 and is not configu-
rable.

• For every type of system resource that has a default, the ACOS device
reserves one instance of the resource.
For example, the device allows a total of 256 RAM caching templates.
However, the device reserves one RAM caching template for the default
template, which leaves a maximum of 255 additional RAM caching
templates that can be configured.
Reload or Reboot Required

To place a change to l4-session-count into effect, a reboot is required. A
reload will not place this change into effect. For changes to any of the other
system resources, a reload is required but a reboot is not required.
Example The following commands display the current usage and settings for maxi-
mum URI count, then display the range of values to which the default max-
imum can be set, then reset the default maximum to 512.
ACOS(config)#show system resource-usage
Resource Current Default Minimum Maximum
--------------------------------------------------------------------------
l4-session-count 8388608 8388608 524288 33554432
...
stream-uri-count 256 256 32 1024
...
ACOS(config)system resource-usage stream-uri-count ?
<32-1024> Total configurable URI strings in the System
ACOS(config)system resource-usage stream-uri-count 512
Changes will take effect next time the software is reloaded.

system resource-usage template

Description Change the capacity of a system resource.
Syntax [no] system resource-usage template template-name
template-name Name of the template, up to 31 characters long.
resource usage template, where the following commands are available:
Command Description
app-resources Contains configuration parameters for applica-
tion resources such as the number of health mon-
itors, real servers, service groups, virtual servers,
as well as a number of GSLB parameters, such as
GSLB devices, GSLB sites, and GSLB zones.*
At the template configuration level, set the fol-
lowing application resource parameters:
virtual-server-count – Number of vir-
tual-servers allowed
service-group-count
– Number of service groups allowed
real-server-count – Number of real-
servers allowed
health-monitor-count – Number of
health monitor checks a server uses
gslb-device-count – Number of
GSLB devices allowed
gslb-geo-location-count – Num-
ber of GSLB geo-locations allowed
gslb-ip-list-count – Number of
GSLB IP lists allowed
gslb-policy-count – Number of
GSLB policies allowed
*.
GSLB parameters are configurable on a per-partition basis hard-coded (and thus non-con-
figurable) at the system level.

gslb-service-count – Number of
GSLB services allowed
gslb-service-ip-count – Number of
GSLB service IPs allowed
gslb-service-port-count – Num-
ber of GSLB service-ports allowed
gslb-site-count – Number of GSLB
sites allowed
gslb-template-count – Number of
GSLB templates allowed
gslb-zone-count – Number of GSLB
zones allowed
network-
resources Contains configuration parameters for available
network resources such as static ARPs, static
IPv4 routes, static IPv6 routes, MAC addresses,
and static neighbors.
static-mac-count – Number of static
MAC addresses allowed
static-arp-count – Number of static
IPv4 ARPs or IPv6 neighbors allowed
static-neighbor-count – Number of
static neighbors allowed
static-ipv4-route-count – Number of
static IPv4 routes allowed
static-ipv6-route-count – Number of
static IPv6 routes allowed
system-
resources Contains configuration parameters for system
resources such as limits for bandwidth, concur-
rent sessions, Layer 4 Connections Per Second
(CPS), Layer 7 CPS, NAT CPS, SSL throughput,
and SSL CPS.
bw-limit – Enter the bandwidth limit in
Mbps. Right after you indicate a bandwidth
limit in Mbps, optionally, disable a water-

mark using a watermark-disable key-

word. A watermark is enabled by default.
This means that when the bandwidth
approaches the 90% mark, existing sessions
will be maintained, but any new sessions
will be dropped. Indicating the water-
mark-disable keyword will turn off the
watermark option and result in accepting
new connections until 100% of the band-
width in that second is utilized.
concurrent-session-limit – Enter the
concurrent session limit.
l4cps-limit – The Layer 4 CPS limit
l7cps-limit – The Layer 7 CPS limit
natcps-limit – The NAT CPS limit
sslcps-limit – Enter the SSL CPS limit
ssl-throughput-limit – Enter the SSL
throughput limit in Mbps. Right after you
indicate a bandwidth limit in Mbps, option-
ally, disable a watermark using a water-
mark-disable keyword. A watermark is
enabled by default. This means that when the
bandwidth approaches the 90% mark, exist-
ing sessions will be maintained, but any new
sessions will be dropped. Indicating the
watermark-disable keyword will turn
off the watermark option and result in
accepting new connections until 100% of the
bandwidth in that second is utilized.
Default The valid ranges and defaults for resource-usage parameters differ depend-
ing on model. To view this information, enter the following command at the
configuration level of the CLI:
show system resource-usage
Usage The system resource limits that you configure in a default template are
applied to all partitions, unless you explicitly apply a custom template
(where you may choose to change some default values) to a partition. Create

a custom template to modify the limits for any application, network, or sys-
tem resources from their default values.
The following steps will help you create, use, or remove a custom resource
template:
1. To modify the default template, specify default. To create or modify a
custom template instead, specify a unique name other than “default”.
2. Within the template, specify the application, network, and system

parameters you want to define from the appropriate sub-level.
3. To use your custom template, apply the template to a particular parti-

tion.
Note: Though partitions need to bound to a template one at a time, several parti-
tions may be bound to the same custom template.
4. Unbind a template to revert to the default values for resources per parti-
tion. This step assumes that you have created a default template.
Example The following example shows you how to enter the application resources
configuration mode. From this location, you can set values for the available
application resources:
ACOS(config-resource template)#app-resources
ACOS(config-resource template-node app)#gslb-zone-count 10
ACOS(config-resource template-node app)#health-monitor-count 50
ACOS(config-resource template-node app)#real-server-count 100
ACOS(config-resource template-node app)#service-group-count 150
ACOS(config-resource template-node app)#virtual-server-count 250
Example The following example shows you how to enter the network resources con-
figuration mode. From this location, you can set values for the available net-
work resources:
ACOS(config-resource template)#network-resources
ACOS(config-resource template-node network)#static-arp-count 100
ACOS(config-resource template-node network)#static-ipv4-route-count 1000
ACOS(config-resource template-node network)#static-ipv6-route-count 2000
ACOS(config-resource template-node network)#static-mac-count 200
ACOS(config-resource template-node network)#static-neighbor-count 128

system template
Example The following example shows you how to enter the system resources con-
figuration mode. From this location, you can set values for the available
system resources. Note that the watermark-disable optional keyword is
used to disable the automatically-enabled watermark. However, the optional
keyword, though available, is not used with the SSL throughput limit
resource:
ACOS(config-resource template)#system-resources
ACOS(config-resource template-node system)#bw-limit 500 watermark-disable
ACOS(config-resource template-node system)#concurrent-session-limit 3200
ACOS(config-resource template-node system)#l4cps-limit 2000
ACOS(config-resource template-node system)#l7cps-limit 4000
ACOS(config-resource template-node system)#natcps-limit 100000
ACOS(config-resource template-node system)#ssl-throughput-limit 1000
ACOS(config-resource template-node system)#sslcps-limit 10000
system template
Description Globally applies a PBSLB policy template to the ACOS device.
Syntax [no] system template policy template-name
Default N/A
Usage You can use this command to globally apply IP limits to the ACOS device,
configured on a per-client basis. For more information, see the “IP Limit-
ing” chapter in the Application Delivery and Server Load Balancing Guide.
system ve-mac-scheme
Description Configure MAC address assignment for Virtual Ethernet (VE) interfaces.
Syntax [no] system ve-mac-scheme

{round-robin | system-mac | hash-based}
round-robin Assigns MAC addresses in round-robin fashion,
beginning with the address for port 1. Each new
VE, regardless of the VE number, is assigned the
MAC address of the next Ethernet data port.

system-reset
For example:
– The MAC address of Ethernet data port 1 is
assigned to the first VE you configure.
assigned to the second VE you configure.
assigned to the third VE you configure.
This process continues until the MAC address of
the highest-numbered Ethernet data port on the
ACOS device is assigned to a VE. After the last
Ethernet data port’s MAC address is assigned to
a VE, MAC assignment begins again with Ether-
net data port 1. The number of physical Ethernet
data ports on the ACOS device differs depending
on the ACOS model.
system-mac Assigns the system MAC address (the MAC
address of Ethernet data port 1) to all VEs. This
method provides the same MAC assignment used
in AX releases earlier than 2.6.1.
hash-based Uses a hash value based on the VE number to
select an Ethernet data port, and assigns that data
port’s MAC address to the VE. This method
always assigns the same Ethernet data port’s
MAC address to a given VE number, on any
model, regardless of the order in which VEs are
configured.
Default hash-based
Usage This command is supported only for VEs that belong to the shared partition,
not to VEs that belong to private partitions.
A reload or reboot is required to place the change into effect.
system-reset
Description Restore the ACOS device to its factory default configuration.
Syntax system-reset
Default N/A

tacacs-server
Usage This command is helpful when you need to redeploy an ACOS device in a
new environment or at a new customer site, or you need to start over the
configuration at the same site.
The command erases any saved configuration profiles, as well as system

files such as SSL certificates and keys, aFleX policies, black/white lists, and
system logs. The management IP address and admin-configured admin and
enable passwords are also removed.
However, the command does not remove the running-config and does not
automatically reboot or power down the device. The device continues to
operate using the running-config and any other system files in memory,
until you reboot or power down the device.
Reboot the ACOS device to erase the running-config and place the system
reset into effect.
Command’s Effect in aVCS Deployments

If the ACOS device is a member of an aVCS virtual chassis, the command
applies to all ACOS devices in the virtual chassis. On each of the devices,
the configuration and all system files are removed as described above.
Example The following commands reset an ACOS device to its factory default con-
figuration, then reboot the device to erase the running-config:
ACOS(config)#system-reset
ACOS(config)#end
ACOS#reboot
tacacs-server
Description Configure TACACS+ for authorization and accounting. If authorization or
accounting is specified, the ACOS device will attempt to use the TACACS+
servers in the order they are configured. If one server fails to respond, the
next server will be used.
Syntax [no] tacacs-server host {hostname | ipaddr}

secret secret-string [port protocol-portnum]
[timeout seconds]

tacacs-server
hostname |
ipaddr Hostname or IP address of the TACACS+ server.
If a hostname is to be used, make sure a DNS
server has been configured.
secret-string Password, 1-128 characters, required by the
TACACS+ server for authentication requests.
protocol-
portnum The port used for setting up a connection with a
TACACS+ server.
seconds The maximum number of seconds allowed for
setting up a connection with a TACACS+ server.
You can specify 1-12 seconds.
Default The default port number is 49. The default timeout is 12 seconds.
Usage You can configure up to 2 TACACS+ servers. The servers are used in the
order in which you add them to the configuration. Thus, the first server you
add is the primary server. The second server you add is the secondary
(backup) server. Enter a separate command for each of the servers. The sec-
ondary server is used only if the primary server does not respond.
Example The following command adds a TACACS+ server "192.168.3.45" and sets
its shared secret as "SharedSecret":
ACOS(config)#tacacs-server host 192.168.3.45 secret SharedSecret
The following command adds a TACACS+ server "192.168.3.72", sets the
shared secret as "NewSecret", sets the port number as 1980, and sets the
connection timeout value as 6 seconds:
ACOS(config)#tacacs-server host 192.168.3.72 secret NewSecret port 1980 timeout
6
The following command deletes TACACS+ server “192.168.3.45:
ACOS(config)#no tacacs-server host 192.168.3.45
The following command deletes all TACACS+ servers:
ACOS(config)#no tacacs-server

techreport
techreport
Description Configure automated collection of system information. If you need to con-
tact Technical Support, they may ask you to for the techreports to help diag-
nose system issues.
Syntax [no] techreport {interval minutes | disable}
interval
minutes Specifies how often to collect new information.
disable Disables automated collection of system infor-
mation.
Default Automated collection of system information is enabled by default. The

default interval is 15 minutes.
Usage The ACOS device saves all techreport information for a given day in a sin-
gle file. Timestamps identify when each set of information is gathered. The
ACOS device saves techreport files for the most recent 31 days. Each day’s
reports are saved in a separate file.
The techreports are a light version of the output generated by the show
techsupport command. To export the information, use the show techsup-
port command. (See “show techsupport” on page 954.)
terminal
Description Set the terminal configuration.
Syntax [no] terminal

{
auto-size |
editing |
gslb-prompt options |
history [size number] |
idle-timeout minutes |
length number |
no-ha-prompt |
width lines
}

terminal
auto-size Automatically adjusts the length and width of the
terminal display.
gslb-prompt
options Enables display of the ACOS device’s role
within a GSLB group at the CLI prompt.
disable – Disables display of the GSLB group
status.
group-role – Displays “Member” or “Master” in
the CLI prompt; for example:
AX2500:Master(config)#
symbol – Displays “gslb” in the CLI prompt
after the name of the ACOS device; for example:
AX2500-gslb:Master(config)#
editing Enables command editing.
history
[size number] Enables the command history and specifies the
number of commands it can contain, 0-1000.
idle-timeout
minutes Specifies the number of minutes a CLI session
can be idle before it times out and is terminated,
0-60 minutes. To disable timeout, enter 0.
length number Specifies the number of lines to display per page,
0-512. To disable paging, enter 0.
no-ha-prompt Disables display of the HA status in the CLI
prompt. (For more information, see “HA /
VRRP-A / aVCS Status in Command Prompt” on
page 35.)
width lines Specifies the number of columns to display, 0-
512. To use an unlimited number of columns,
enter 0.

• auto-size – enabled
• editing – enabled
• history – enabled, for up to 256 commands
• idle-timeout – 10 minutes
• length – 24 lines

tftp blksize
• no-ha-prompt – Disabled. (Display of the HA status is enabled.)
• width – 80 columns
Example The following example sets the idle-timeout to 30 minutes:

ACOS(config)#terminal idle-timeout 30
tftp blksize
Description Change the TFTP block size.
Syntax [no] tftp blksize bytes
bytes Maximum packet length the AX TFTP client can
use when sending or receiving files to or from a
TFTP server. You can specify from 512-32768
bytes.
Default 512 bytes
Usage Increasing the TFTP block size can provide the following benefits:
• TFTP file transfers can occur more quickly, since fewer blocks are
required to a send a file.
• File transfer errors due to the server reaching its maximum block size
before a file is transferred can be eliminated.
To determine the maximum file size a block size will allow, use the follow-
ing formula:
1K-blocksize = 64MB-filesize
Here are some examples.
Block Size Maximum File Size

1024 64 MB
8192 512 MB
32768 2048 MB

trunk
Increasing the TFTP block size of the ACOS device only increases the max-
imum block size supported by the ACOS device. The TFTP server also
must support larger block sizes. If the block size is larger than the TFTP
server supports, the file transfer will fail and a communication error will be
displayed on the CLI terminal.
If the TFTP block size is larger than the IP Maximum Transmission Unit
(MTU) on any device involved in the file transfer, the TFTP packets will be
fragmented to fit within the MTU. The fragmentation will not increase the
number of blocks; however, it can re-add some overhead to the overall file
transmission speed.
Example The following commands display the current TFTP block size, increase it,
then verify the change:
ACOS(config)#show tftp
TFTP client block size is set to 512
ACOS(config)#tftp blksize 4096
trunk
Description Configure a trunk group, which is a single logical link consisting of multiple
Ethernet ports.
Syntax [no] trunk Trunknum
Trunknum Specifies the trunk ID.
tual chassis, specify the trunk ID as follows:
DeviceID/Trunknum
trunk, where the following trunk-related commands are available:
Command Description
disable
ethernet
portnum
[to portnum]
[ethernet
portnum] ... Disables ports in the trunk.

trunk
enable ethernet
portnum
[to portnum]
[ethernet
portnum] ... Enables ports in the trunk.
[no] ethernet
portnum
[to portnum]
[ethernet
portnum] ... Adds ports to the trunk.
[no] name
string] Assign a name to a trunk.
[no]
ports-threshold
num Specifies the minimum number of ports that must
be up in order for the trunk to remain up. You can
specify 2-8.
If the number of up ports falls below the config-
ured threshold, the AX automatically disables the
trunk’s member ports. The ports are disabled in
the running-config. The ACOS device also gen-
erates a log message and an SNMP trap, if these
services are enabled.
[no] ports-
threshold-timer
seconds Specifies how many seconds to wait after a port
goes down before marking the trunk down, if the
threshold is exceeded. You can set the ports-
threshold timer to 1-300 seconds. The default is
10 seconds.
Default N/A
Usage Each trunk group can have a maximum of 8 ports. Trunk group port num-
bers do not need to be consecutive.
Configuration of port-level parameters can be performed at the configura-

tion level for the trunk.
Up to 16 trunks are supported, in any combination of static and dynamic

(LACP) trunks.

trunk
Ports-Threshold
By default, a trunk’s status remains UP so long as at least one of its member
ports is up. You can change the ports threshold of a trunk to 2-8 ports.
If the number of up ports falls below the configured threshold, the AX auto-
matically disables the trunk’s member ports. The ports are disabled in the
running-config. The ACOS device also generates a log message and an
SNMP trap, if these services are enabled.
Note: After the feature has disabled the members of the trunk group, the ports
are not automatically re-enabled. The ports must be re-enabled manually
after the issue that caused the ports to go down has been resolved.
In some situations, a timer is used to delay the ports-threshold action. The

configured port threshold is not enforced until the timer expires. The ports-
threshold timer for a trunk is used in the following situations:
• When a member of the trunk links up.
• A port is added to or removed from the trunk.
• The port threshold for the trunk is configured during runtime. (If the
threshold is set in the startup-config, the timer is not used.)
Example The following commands configure trunk 1 and add ports 6-8 and 14 to it:
ACOS(config)#trunk 1
ACOS(config-trunk:1)#ethernet 6 to 8 ethernet 14
Example The following commands configure an 8-port trunk, set the port threshold
to 6, and display the trunk’s configuration:
ACOS(config-trunk:1)#ethernet 1 to 8
ACOS(config-trunk:1)#ports-threshold 6
ACOS(config-trunk:1)#show trunk
Trunk ID : 1 Member Count: 8
Trunk Status : Up
Members : 1 2 3 4 5 6 7 8
Cfg Status : Enb Enb Enb Enb Enb Enb Enb Enb
Oper Status : Up Up Up Up Up Up Up Up
Ports-Threshold : 6 Timer: 10 sec(s) Running: No
Working Lead : 1

tx-congestion-ctrl
tx-congestion-ctrl
Description Configure looping on the polling driver, on applicable models.
Note: This command can impact system performance. It is recommended not to

use this command unless advised by A10 Networks technical support.
Syntax tx-congestion-ctrl retries
Default 1
update
Description Copy the currently running system image from the hard disk to the compact
flash (cf).
Syntax Description update cf {pri | sec}
pri | sec Image to replace:
pri – primary image
sec – secondary image
Default N/A
Usage This command does not save the configuration or reboot. To verify the
update, enter the show version command.
Example The following command copies the currently running system image from
the hard disk to the secondary image area on the compact flash.
ACOS(config)#update cf sec
upgrade
Upgrade the system.
Syntax Description upgrade {cf | hd} {pri | sec} [use-mgmt-port] url

upgrade
cf | hd System location to which write the upgrade
image:
cf – compact flash
hd – hard drive
pri | sec Image to replace:
pri – primary image
sec – secondary image
directory path.
characters long.
tftp://host/file
Default N/A
Usage For complete upgrade instructions, see the release notes for the AX release
to which you plan to upgrade.
There is no “no” form of this command.

vcs
Example The following example uses TFTP to upgrade the system image in the sec-
ondary image area of the hard disk:
ACOS(config)#upgrade hd sec tftp://192.168.1.144/ax2k_upg_1_2_0_107.tgz
Do you want to reboot the system after the upgrade?[yes/no]:yes
vcs
Description Configure AX Series Virtual Chassis System (aVCS). See “aVCS Com-
Note: The vcs commands are available only when aVCS is enabled. To enable
aVCS, see “vcs enable” on page 790.
ve-stats
Description Enable statistics collection for Virtual Ethernet (VE) interfaces.
Syntax [no] ve-stats enable
Default Disabled
vlan
Description Configure a virtual LAN (VLAN). This command changes the CLI to the
configuration level for the VLAN.
Syntax [no] vlan vlan-id
vlan-id VLAN ID, from 1 to 4094.
tual chassis, specify the VLAN ID as follows:
DeviceID/vlan-id
Default VLAN 1 is configured by default. All Ethernet data ports are members of
VLAN 1 by default.

vrrp-a
Usage You can add or remove ports in VLAN 1 but you cannot delete VLAN 1
itself.
For information about the commands available at the VLAN configuration

level, see “Config Commands: VLAN” on page 347.
Example The following command adds VLAN 69 and enters the configuration level
for it:
ACOS(config)#vlan 69
ACOS(config-vlan:69)#
vrrp-a
Description Configure VRRP-A, Virtual Router Redundancy Protocol (VRRP) for the
AX Series. See “Config Commands: VRRP-A Commands” on page 801.
waf
Description Configure Web Application Firewall (WAF) parameters. See the Web Appli-
cation Firewall Guide.
web-service
Description Configure access parameters for the Graphical User Interface (GUI).
Syntax [no] web-service

{
auto-redir |
axapi-timeout-policy idle minutes |
certificate-reset |
port protocol-port |
secure-port protocol-port |
server |
secure-server |
timeout-policy idle minutes
}
auto-redir Enables requests for the unsecured port (HTTP)
to be automatically redirected to the secure port
(HTTPS).

web-service
axapi-timeout-
policy idle
minutes Specifies the number of minutes an aXAPI ses-
sion can remain idle before being terminated.
Once the aXAPI session is terminated, the ses-
sion ID generated by the ACOS device for the
session is no longer valid. You can specify 0-60
minutes. If you specify 0, sessions never time
out.
certificate-
reset Resets the web server certificate that the ACOS
device presents when an AX administrator tries
to log onto the AX GUI. Note that this is unre-
lated to the certificates used for SLB.
port protocol-
port Specifies the protocol port number for the unse-
cured (HTTP) port.
secure-port
protocol-port Specifies the protocol port number for the secure
(HTTPS) port.
server Enables the HTTP server.
secure-server Enables the HTTPS server.
timeout-policy
idle minutes Specifies the number of minutes a Web manage-
ment session can remain idle before it times out
and is terminated by the ACOS device. You can
specify 0-60 minutes. To disable the timeout,
enter 0.

• auto-redir – enabled
• axapi-timeout-policy idle – 5 minutes
• certificate-reset – uses the factory-installed certificate by default
• port – 80
• secure-port – 443
• server – enabled
• secure-server – enabled
• timeout-policy – 10 minutes

write
Usage If you disable HTTP or HTTPS access, any sessions on the management
GUI are immediately terminated.
Example The following command disables management access on HTTP:

ACOS(config)#no web-service server
write
Description Write the running-config to a configuration profile. (See “write” on
page 86.)
write terminal
Description Display the running-config on the terminal. (See “write” on page 86.)

Config Commands: Application Access

Management
This chapter describes the commands for configuring Application Access

Management (AAM).


on page 839.)
page 54.

authentication-logon form-based
AAM Configuration Commands

The following commands configure AAM.
Description Configure an authentication-logon profile for form-based logon.
Syntax [no] authentication-logon form-based profile-name
This command changes the CLI to the configuration level for the profile,
where the following commands are available.
Command Description
[no] action-url
url-string URL for the POST action to be performed by the
client browser after the end-user enters their cre-
dentials. Use this option if the URL is not the
same as the URL for the page that contains the
form. Use the following format: /url-string
[no]
changepassword-
new-password-
variable string Name of the data field for the new password
entered into the change-password form by the
end-user.
[no]
changepassword-
old-password-
variable string Name of the data field for the old password
entered into the change-password form by the
end-user.
[no]
changepassword-
password-
confirm-
variable string Name of the data field for the confirmed new
password entered into the change-password form
by the end-user.

[no]
changepassword-
url string URL for the POST action to be performed by the
client browser after the end-user enters their
expired and new credentials.
[no]
changepassword-
username-
variable string Name of the data field for the username entered
into the change-password form by the end-user.
[no] password-
variable string Name of the data field for the password entered
into the logon form by the end-user.
[no] portal
portal-name
logon page-name
failpage page-
name
changepasswordp
age page-name Names of the web pages sent by the Logon Portal
to end-users for logon and password mainte-
nance.
portal-name – Name of the portal profile.
logon page-name – Name of the logon
page sent to clients. This page should contain a
form that includes the data fields identified by
the following commands (also described below):
username-variable string
password-variable string
failpage page-name – Name of the logon
failure page sent to clients.
changepasswordpage page-name –
Name of the change password page sent to cli-
ents. This page should contain a form that
includes the data fields identified by the follow-
ing commands (described in this command list):
changepassword-username-vari-
able string
changepassword-old-password-
variable string

authentication-logon http-basic
changepassword-new-password-
variable string
changepassword-password-con-
firm-variable string
[no] retry num Number of times ACOS will resend the authenti-
cation request to the client, to allow the end-user
to re-enter their credentials. You can specify
1-32.
[no] username-
variable string Name of the data field for the username entered
into the logon form by the end-user.
Default There are no default authentication-logon profiles. When you create one for
form-based logon, the profile has no default values.
Mode Configuration Mode
authentication-logon http-basic
Description Configure an authentication-logon profile for form-based logon.
Syntax [no] authentication-logon http-basic profile-name
Command Description
[no] realm
realm-string Name of the realm secured by the AAA server.
[no] retry num Number of times ACOS will resend the authenti-
cation request to the client, to allow the end-user
to re-enter their credentials. You can specify
1-32.
Default There are no default authentication-logon profiles. When you create one for
basic HTTP logon, the default retry value is 3.

authentication-relay http-basic
authentication-relay http-basic
Description Configure an authentication-relay profile for basic HTTP authentication.
Syntax [no] authentication-relay http-basic profile-name
This command changes the CLI to the configuration level for the profile. In
the current release, no commands specific to this type of profile are avail-
able.
Default None
authentication-relay kerberos
Description Configure an authentication-relay profile for Kerberos authentication.
Syntax [no] authentication-relay kerberos profile-name
Command Description
[no] kerberos-
account name
[...] Kerberos admin account name required to log
onto the KDC.
[no] kerberos-
kdc {hostname |
ipaddr} Hostname or IP address of the KDC.
[no] kerberos-
realm realm-
string Name of the Kerberos realm secured by the AAA
servers.
[no] password
string Password required for logging onto the KDC.
[no] port port-
num Protocol port number on which the KDC listens
for requests.

authentication-server ldap
[no] timeout
seconds Maximum number of seconds ACOS waits for
the Kerberos server to respond to a request. If a
request times out, ACOS aborts that request. You
Default There are no default authentication-relay profiles. When you create one, it
has the following default values:
• port – 88
• timeout – 10
Description Configure an authentication-server profile for a Lightweight Directory
Access Protocol (LDAP) server.
Syntax [no] authentication-server ldap profile-name
Command Description
[no] admin-dn
string Distinguished Name (DN) of the LDAP admin
account required for access to the server.
[no] admin-
secret string Admin password.
[no]
authorization-
check Checks the list of allowed URIs provided by the
AAA server. (This capability requires configura-
tion on the ACOS device and on the AAA server.
For information, see the Application Access
Management and DDoS Mitigation Guide.)
[no] base
string LDAP server’s search base.

[no] host
{hostname |
ipaddr} Hostname or IP address of the LDAP server.
[no] port
port-num Protocol port on which the server listens for
LDAP traffic.
[no] pwdmaxage
seconds Maximum amount of time an end-user’s pass-
word can be cached. You can specify
1-4294967295 seconds.
[no] timeout
seconds Maximum number of seconds ACOS waits for
the LDAP server to respond to a request. If a
request times out, ACOS aborts that request. You
[no] use-uid Uses the UID instead of the CN for the admin
name.
Default There are no default authentication-server profiles. When you create one for
LDAP, it has the following default values:
• admin-dn – not set
• admin-secret – not set
• authorization-check – disabled
• base – not set
• host – not set
• port – 389
• pwdmaxage – not set
• timeout – 10
• use-uid – disabled

authentication-server ocsp
authentication-server ocsp
Description Configure an authentication-server profile for an Online Certificate Status
Protocol (OCSP) server.
Syntax [no] authentication-server ocsp profile-name
Command Description
[no] responder-
ca Filename of the OCSP responder’s CA certifi-
cate.
[no] responder-
cert Filename of the OCSP responder’s certificate.
[no] url OCSP responder’s address, in the following for-
mat:
http://hostname-or-ipaddr[:port-num]/
Default There are no default authentication-server profiles. When you create one for
OCSP, it has no default values.
authentication-server radius
Description Configure an authentication-server profile for a RADIUS server.
Syntax [no] authentication-server radius profile-name

authentication-server radius
Command Description
[no]
authorization-
check Checks the list of allowed URIs provided by the
AAA server. (This capability requires configura-
tion on the ACOS device and on the AAA server.
For information, see the Application Access
Management and DDoS Mitigation Guide.)
[no] host
{hostname |
ipaddr} Hostname or IP address of the RADIUS server.
[no] interval
seconds Maximum number of seconds ACOS will wait
for a reply to a request before resending the
request. You can specify 1-1024 seconds.
[no] port
port-num Protocol port on which the server listens for
RADIUS traffic.
[no] retry num Maximum number of times ACOS will send the
same request before giving up. You can specify
1-32.
[no] secret
string Password, 1-128 characters, required by the
RADIUS server for authentication requests.
Default There are no default authentication-server profiles. When you create one, it
has the following default values:
• authorization-check – disabled
• host – not set
• interval – 3
• port – 1812
• retry – 5
• secret – not set

slb template authentication

Description Configure an authentication template. You can use authentication templates
to bind security resources to SLB resources (typically, an HTTP virtual
port).
Syntax [no] slb template authentication template-name
This command changes the CLI to the configuration level for the template,
Command Description
[no] logon
profile-name Name of a configured authentication-logon pro-
file.
[no] logout-
idle-timeout
seconds Maximum amount of time an authenticated end-
user session can be idle before being terminated
by ACOS. You can specify 1-86400 seconds.
[no] logout-url
url-string
[...] Web page to serve to end-users after they log out.
[no] relay
profile-name Name of a configured authentication-relay pro-
file.
[no] server
profile-name Name of a configured authentication-server pro-
file. Use this option instead of the service-group
option, if you have only one AAA server.
[no] service-
group group-
name Name of a configured service group of AAA
servers.
Default There are no default authentication templates. When you create one, the
default logout-idle-timeout value is 300 seconds.

show auth klist
AAM Show Commands

The following commands show AAM information.
show auth klist

Description Show a list of cached Kerberos tickets.
Syntax show auth klist [relay-profile-name]
Option Description
relay-profile-
name Name of a configured authentication-relay pro-
file.
Mode Privileged EXEC and all configuration levels
show auth logon

Description Show the configured AAM authentication-logon profiles.
Syntax show auth logon [logon-profile-name]
Option Description
logon-profile-
name Name of a configured authentication-logon pro-
file.

show auth portal
show auth portal

Description List the AAM logon portal archives imported onto the ACOS device.
Syntax show auth portal [portal-archive-name]
Option Description
portal-archive-
name Filename of the imported archive for a logon por-
tal.
show auth relay

Description Show the configured AAM authentication-relay profiles.
Syntax show auth relay [relay-profile-name]
Option Description
relay-profile-
name Name of a configured authentication-relay pro-
file.
show auth server

Description Show the configured AAM authentication-server profiles.
Syntax show auth server

[authentication-server-profile-name]
Option Description
authentication-
server-profile-
name Name of a configured authentication-server pro-
file.

show auth statistics

Description Show AAM statistics.
Syntax show auth statistics

[
kerberos [relay-profile-name] |
ldap |
radius
]


Config Commands: DNSSEC
This chapter lists the CLI commands for DNS Security Extensions
(DNSSEC).


on page 839.)
page 54.

dnssec standalone
DNSSEC Configuration Commands

This section shows the configuration commands for DNSSEC.
dnssec standalone
Description Enable the ACOS device to run DNSSEC without being a member of a
GSLB controller group.
Syntax [no] standalone
Default Disabled
Usage GSLB is still required. The ACOS device must be configured to act as a
GSLB controller, and as an authoritative DNS server for the GSLB zone.
dnssec template
Description Configure a DNSSEC template.
Syntax [no] dnssec template template-name
DNSSEC template, where the following commands are available.
Command Description
[no] algorithm
{RSASHA1 |
RSASHA256 |
RSASHA512} Cryptographic algorithm to use for encrypting
DNSSEC keys.
[no]
combinations-
limit num Maximum number of combinations per Resource
Record Set (RRset), where RRset is defined as
all the records of a particular type for a particular
domain, such as all the “quad-A” (IPv6) records

dnssec template
for www.example.com. You can specify

1-65535.
[no] dnskey-ttl
seconds Lifetime for DNSSEC key resource records. The
TTL can range from 1-864,000 seconds.
[no] enable-
nsec3 Enables NSEC3 support.
[no] hsm
template-name Binds a Hardware Security Module (HSM) tem-
plate to this DNSSEC template.
[no] ksk
keysize bits Key length for KSKs. You can specify
1024-4096 bits.
[no] ksk
lifetime
seconds
[rollover-time
seconds] Lifetime for KSKs, 1-2147483647 seconds
(about 68 years). The rollover-time specifies
how long to wait before generating a standby key
to replace the current key. The rollover-time set-
ting also can be 1-2147483647 seconds. Gener-
ally, the rollover-time setting should be shorter
than the lifetime, to allow the new key to be
ready when needed.
[no] return-
nsec-on-failure Returns an NSEC or NSEC3 record in response
to a client request for an invalid domain. As orig-
inally designed, DNSSEC would expose the list
of device names within a zone, allowing an
attacker to gain a list of network devices that
could be used to create a map of the network.
[no] signature-
validity-period
days Period for which a signature will remain valid.
The time can range from 5 to 30 days.
[no] zsk
lifetime
seconds
[rollover-time
seconds] Lifetime for ZSKs, 1-2147483647 seconds. The
rollover-time specifies how long to wait before
generating a standby key to replace the current

hsm template
key. The rollover-time setting also can be

1-2147483647 seconds. Generally, the rollover-
time setting should be shorter than the lifetime,
to allow the new key to be ready when needed.
Default The “default” DNSSEC template has the following defaults:

• algorithm – RSASHA256
• combinations-limit – 31
• dnskey-ttl – 14,400 seconds (4 hours)
• enable-nsec3 – disabled
• hsm – Not set
• ksk keysize – 2048
• ksk lifetime – 31536000 seconds (365 days), with rollover-time

30931200 seconds (358 days)
• return-nsec-on-failure – enabled
• signature-validity-period – 10
• zsk keysize – 2048
• zsk lifetime – 7776000 seconds (90 days), with rollover-time 7171200

seconds (83 days)
Mode Global configuration mode
hsm template
Description Configure a template for DNSSEC Hardware Security Module (HSM) sup-
port.
Syntax [no] hsm template template-name softHSM
template, where the following command is available.
“Config Commands: DNSSEC” on page 275.)

dnssec dnskey delete
Command Description
password
hsm-passphrase HSM passphrase.
Default Not set
DNSSEC Operational Commands

This section describes the operational commands for DNSSEC and for
HSM support. Because these are operational commands, they are not added
to the running-config or saved to the startup-config.
dnssec dnskey delete

Description Delete DNS Public Key (DNSKEY) resource records.
Syntax dnssec dnskey delete [zone-name]
zone-name Name of the zone for which to delete DNSKEY
resource records. If you do not specify a zone
name, the DNSKEY resource records for all
child zones are deleted.
Default N/A

dnssec ds delete
dnssec ds delete
Description Delete Delegation Signer (DS) resource records for child zones.
Syntax dnssec dnskey delete [zone-name]
zone-name Name of the zone for which to delete DS
resource records. If you do not specify a zone
name, the DS resource records for all child zones
are deleted.
Default N/A
dnssec key-rollover
Description Perform key change (rollover) for ZSKs or KSKs.
Syntax dnssec key-rollover zone-name

{
KSK {ds-ready-in-parent-zone | start} |
ZSK start
}
zone-name Name of the child zone for which to regenerate
keys. If you do not specify a zone name, all child
zones are re-signed.
KSK
{ds-ready-in-
parent-zone |
start} Regenerates key-signing keys (KSKs).
ds-ready-in-parent-zone – Indicates
that the DS resource record has already been
transferred to the parent zone, so it is ok to
remove the old active key.
start – Immediately begins KSK rollover.
ZSK start Immediately begins ZSK rollover.

dnssec sign-zone-now
Default N/A
dnssec sign-zone-now
Description Force re-signing of zone-signing keys (ZSKs).
Syntax dnssec sign-zone-now [zone-name]
zone-name Name of the child zone for which to re-sign the
ZSKs. If you do not specify a zone name, all
child zones are re-signed.
Default N/A
hsm thales-kmdata delete

Description Delete a Thales key data file.
Syntax [no] hsm thales-kmdata delete [filename]
filename Name of the Thales key data file to delete.
Default N/A

hsm thales-kmdata secworld
hsm thales-kmdata secworld

Description Delete a Thales Security World file.
Syntax [no] hsm thales-secworld delete [filename]
filename Name of the Thales Security World file to delete.
Default N/A
DNSSEC Show Commands

This section describes the show commands for DNSSEC and HSM.
show dnssec dnskey

Description Show the DNS Public Key (DNSKEY) resource records for child zones.
Syntax show dnssec dnskey [zone-name]

[all-partitions | partition partition-name]
zone-name Name of the child zone. If you do not specify a
zone name, DNSKEY resource records for all
child zones are displayed.
To display the information for a specific parti-
tion, use the partition partition-name option.

show dnssec ds
show dnssec ds
Description Show the Delegation Signer (DS) resource records for child zones.
Syntax show dnssec ds [zone-name]

zone-name Name of the child zone. If you do not specify a
zone name, DS resource records for all child
zones are displayed.
To display the information for a specific parti-
tion, use the partition partition-name option.
show dnssec statistics

Description Show memory statistics for DNSSEC.
Syntax show dnssec statistics memory
show dnssec status

Description Show the DNSSEC status for each zone.
Syntax show dnssec status

show dnssec template
show dnssec template

Description Show DNSSEC templates.
Syntax show dnssec template [default | template-name]

default |
template-name Name of the template. If you do not specify a
template name, all DNSSEC templates are
shown.
To display template information for a specific
partition, use the partition partition-name
option.
show dnssec thales-kmdata

Description List the Thales key data files imported onto the ACOS device.
Syntax show dnssec thales-kmdata
show dnssec thales-secworld

Description List the Thales Security World files imported onto the ACOS device.
Syntax show dnssec thales-secworld

show hsm config
show hsm config

Description Display the configured HSM templates.
Syntax show hsm config
Mode All

show hsm config

access-list
Config Commands: Interface
This chapter describes the commands for configuring AX interface parame-

ters.
To access this configuration level, enter the following command at the

Global Config level:
interface {ethernet port-num | ve ve-num |

If the ACOS device is a member of an aVCS virtual chassis, specify the

interface number as follows: DeviceID/num, where DeviceID is the
device’s aVCS ID and num is the interface or trunk number.
• do – See “do” on page 142.
• end – See “end” on page 150.
• exit – See “exit” on page 152.
• no – See “no” on page 197.
access-list
Description Apply an Access Control List (ACL) to an interface.
Syntax [no] access-list acl-num in
acl-num Number of a configured ACL.
in Applies the ACL to inbound traffic received on
the interface.
Default N/A

bfd
Mode Interface
Usage The ACL must be configured before you can apply it to an interface. To
configure an ACL, see “access-list (standard)” on page 89 and “access-list
(extended)” on page 92.
You can apply ACLs to Ethernet data interfaces, Virtual Ethernet (VE)
interfaces, the management interface, trunks, and virtual server ports.
Applying ACLs to the out-of-band management interface is not supported.
You can apply ACLs only to the inbound traffic direction. This restriction
ensures that ACLs are used most efficiently by filtering traffic as it attempts
to enter the A10 Thunder Series and AX Series device, before being further
processed by the device.
Example The following commands configure a standard ACL to deny traffic from
subnet 10.10.10.x, and apply the ACL to the inbound traffic direction on
Ethernet interface 4:
ACOS(config-if:ethernet4)#access-list 1 in
bfd
Description Enable or disable BFD on an individual interface.
Syntax [no] bfd {authentication | echo | interval}
authentication
key-id {md5 |
meticulous-md5
| meticulous-
sha1 | sha1 |
simple} The authentication option specifies the authenti-
cation type to be used for BFD. You can specify a
key-id from 0-255. The authentication options
include the following:
md5 – Keyed MD5
meticulous-md5 – Meticulous keyed MD5
meticulous-sha1 –Meticulous keyedSHA1
sha1 – Keyed SHA1
simple – Simple password

bfd
echo [demand] Specify echo mode. You can enable the demand
mode to work in conjunction with the echo func-
tion. When demand mode is enabled (and a BFD
session has been established), the system will be
able to verify connectivity with another system at
will instead of routinely.
interval ms
min-rx ms
multiplier num The interval value is the transmit timer, and it
specifies the rate at which the ACOS device
sends BFD control packets to its BFD neighbors.
You can specify 48-1000 milliseconds (ms). The
default is 800 ms. This timer is used in Asyn-
chronous mode only.
The min-rx option is the detection timer, and this
allows you to specify the maximum number of
ms the ACOS device will wait for a BFD control
packet from a BFD neighbor. The min-rx value
can be 48-1000 ms, and is 800 ms by default.
This timer is used in Asynchronous mode only.
The multiplier value is the wait multiplier, and
this enables you to specify the maximum number
of consecutive times the ACOS device will wait
for a BFD control packet from a neighbor. If the
multiplier value is reached, the ACOS device
concludes that the routing process on the neigh-
bor is down. The multiplier value can be 3-50
and is 4 by default.
Mode Interface
Usage If you configure the timers on an individual interface, the interface’s set-
tings are used instead of the global settings. Likewise, if the BFD timers are
not set on an interface, that interface uses the global settings. For BGP loop-
back neighbors, BFD always uses the global timer.
Note: For a BFD session for BGP using a loopback address, for an OSPFv2 vir-
tual link, and for an OSPFv3 virtual link, the ACOS device will always
Example The following command is configured under the BGP (router bgp)
configuration mode:
ACOS(config-router)# neighbor 1.2.3.4 fall-over bfd authentication 1 md5
password-string

cpu-process
cpu-process
Description Enable software-based switching or routing of Layer 2/Layer 3 traffic.
Note: This command is applicable only to AX models AX 2200, AX 2200-11,

AX 3100, AX 3200, AX 3200-11, AX 3200-12, AX 3400, AX 5100,
AX 5200, AX 5200-11 and AX 5630.
Syntax [no] cpu-process
Default Disabled. Traffic is switched or routed in hardware.
Mode Interface
disable
Description Disable an interface.
Syntax disable
Default The management interface is enabled by default. Data interfaces are dis-
abled by default.
Mode Interface
Usage This command applies to all interface types: Ethernet data interfaces, out-
of-band Ethernet management interface, Virtual Ethernet (VE) interfaces,
and loopback interfaces.
The command also applies to trunks. When you disable a trunk at the inter-
face configuration level for the trunk, Layer 3 forwarding is disabled on the
trunk.
Example The following command disables Ethernet interface 3:

ACOS(config-if:ethernet3)#disable
Example The following commands access the interface configuration level for
trunk 7 and disable Layer 3 forwarding on the trunk:
ACOS(config)#interface trunk 7
ACOS(config-if:trunk7)#disable

duplexity
duplexity
Description Set the duplex mode for an Ethernet interface.
Syntax [no] duplexity {Full | Half | auto}
Full Full-duplex mode.
Half Half-duplex mode.
auto The mode is negotiated based on the mode of the
other end of the link.
Default auto
Mode Interface
Usage This command applies only to physical interfaces (Ethernet ports or the
management port).
Example The following command changes the mode on Ethernet interface 6 to half-
duplex:
ACOS(config-if:ethernet6)#duplexity Half
enable
Description Enable an interface.
Syntax enable
Default The management interface is enabled by default. Data interfaces are dis-
abled by default.
Mode Interface
Usage This command applies to all interface types: Ethernet data interfaces, out-
of-band Ethernet management interface, Virtual Ethernet (VE) interfaces,
trunks, and loopback interfaces.
Example The following command enables Ethernet interface 3:

ACOS(config-if:ethernet3)#enable

flow-control
flow-control
Description Enable 802.3x flow control on a full-duplex Ethernet interface.
Syntax [no] flow-control
Default Disabled. The AX Ethernet interface auto-negotiates flow control settings

with the other end of the link.
Mode Interface
Usage This command can cause the interface to briefly go down, then come back
up again.
icmp-rate-limit
Description Configure ICMP rate limiting, to protect against denial-of-service (DoS)
attacks.
Syntax [no] icmp-rate-limit normal-rate lockup max-rate

lockup-time
normal-rate Maximum number of ICMP packets allowed per
second on the interface. If the AX interface
receives more than the normal rate of ICMP
packets, the excess packets are dropped until the
next one-second interval begins. The normal rate
can be 1-65535 packets per second.
lockup max-rate Maximum number of ICMP packets allowed per
second before the ACOS device locks up ICMP
traffic on the interface. When ICMP traffic is
locked up, all ICMP packets on the interface are
dropped until the lockup expires. The maximum
rate can be 1-65535 packets per second. The
maximum rate must be larger than the normal
rate.
drops all ICMP traffic on the interface, after the
maximum rate is exceeded. The lockup time can
be 1-16383 seconds.
Default None

icmpv6-rate-limit
Mode Global Config
Usage This command configures ICMP rate limiting on a physical, virtual Ether-
net, trunk, or loopback interface. To configure ICMP rate limiting globally,
see “icmp-rate-limit” on page 166. To configure it in a virtual server tem-
plate, see “slb template virtual-server” on page 696. If you configure ICMP
rate limiting filters at more than one of these levels, all filters are applicable.
occurs. Otherwise, the ICMP rate-limiting counters are still incremented but
log messages are not generated.
Example The following command configures ICMP rate limiting on Ethernet inter-
face 3:
ACOS(config-if:ethernet3)#icmp-rate-limit 1024 lockup 1200 10
icmpv6-rate-limit
Description Configure ICMPv6 rate limiting, to protect against denial-of-service (DoS)
attacks.
Syntax [no] icmpv6-rate-limit normal-rate lockup max-

rate lockup-time
normal-rate Maximum number of ICMPv6 packets allowed
per second on the interface. If the AX interface
receives more than the normal rate of ICMPv6
lockup max-rate Maximum number of ICMPv6 packets allowed
per second before the ACOS device locks up
ICMPv6 traffic on the interface. When ICMPv6
traffic is locked up, all ICMPv6 packets on the
interface are dropped until the lockup expires.
The maximum rate can be 1-65535 packets per
second. The maximum rate must be larger than
the normal rate.
drops all ICMPv6 traffic on the interface, after

interface
the maximum rate is exceeded. The lockup time

can be 1-16383 seconds.
Default None
Mode Global Config
Usage This command configures ICMPv6 rate limiting on a physical, virtual

Ethernet, trunk, or loopback interface. To configure ICMPv6 rate limiting
globally, see “icmpv6-rate-limit” on page 167. To configure it in a virtual
server template, see “slb template virtual-server” on page 696. If you con-
figure ICMPv6 rate limiting filters at more than one of these levels, all fil-
ters are applicable.
occurs. Otherwise, the ICMPv6 rate-limiting counters are still incremented
but log messages are not generated.
Example The following command configures ICMPv6 rate limiting on Ethernet inter-
face 3:
ACOS(config-if:ethernet3)#icmpv6-rate-limit 1024 lockup 1200 10
interface
Description Access the interface configuration level for another interface.
Syntax interface {ethernet port-num | ve number |

loopback number | trunk num | management}
Default N/A
Mode Interface
Usage This command allows you to go directly to the configuration level for
another interface, without the need to return to the global Config level first.

interface number as follows: DeviceID/Portnum

ip address
Example The following command changes the CLI from the configuration level for
Ethernet interface 3 to the configuration level for Ethernet interface 4:
ACOS(config-if:ethernet3)#interface ethernet 4
ACOS(config-if:ethernet4)#
ip address
Description Assign an IP address to an interface.
Syntax [no] ip address ipaddr

{subnet-mask | /mask-length}
Default There are no IP addresses configured by default.
Mode Interface
Usage This command applies only when the A10 Thunder Series and AX Series is
used in gateway mode.
You can configure multiple IP addresses on Ethernet and Virtual Ethernet

(VE) data interfaces, trunks, and on loopback interfaces, on ACOS devices
deployed in gateway (route) mode.
Each IP address must be unique on the ACOS device. Addresses within a

given subnet can be configured on only one interface on the device. (The
ACOS device can have only one data interface in a given subnet.)
IP addresses are added to an interface in the order you configure them. The
addresses appear in show command output and in the configuration in the
same order.
The first IP address you add to an interface becomes the primary IP address
for the interface. If you remove the primary address, the next address in the
list (the second address to be added to the interface) becomes the primary
address.
It does not matter which address is the primary address. OSPF can run on all
subnets configured on a data interface.
The ACOS device automatically generates a directly connected route to

each IP address. If you enable redistribution of directly connected routes,
those protocols can advertise the routes to the IP addresses.
The ACOS device allows the same IP address to be configured as the ACOS
device’s global IP address, and as a NAT pool address. However, in Layer 2

ip address dhcp
(transparent) deployments, if you do configure the same address in both

places, and later delete one of the addresses, you must reload the ACOS
device to place the change into effect.
Example The following command assigns IP address 10.2.4.69 to Ethernet

interface 9:
ACOS(config-if:ethernet9)#ip address 10.2.4.69 /24
Example The following commands configure multiple IP addresses on an Ethernet

data interface, display the addresses, then delete the primary IP address and
display the results.
ACOS(config-if:ethernet1)#show ip interfaces ethernet 1
Ethernet 1 ip addresses:
10.10.10.1 /24 (Primary)
10.10.20.2 /24
20.20.20.1 /24
ACOS(config-if:ethernet1)#no ip address 10.10.20.2 /24
ACOS(config-if:ethernet1)#show ip interfaces ethernet 1
Ethernet 1 ip addresses:
10.10.10.1 /24 (Primary)
20.20.20.1 /24
ip address dhcp
Description Enable Dynamic Host Configuration Protocol (DHCP) to configure multi-
ple IP addresses on an Ethernet data interface.
Syntax [no] ip address dhcp
Default Disabled
Mode Interface
Usage You can configure VIPs and IP NAT pools to use the DHCP-assigned
address of a given data interface. If this option is enabled, ACOS updates
the VIP or pool address any time the specified data interface’s IP address is
changed by DHCP.

ip allow-promiscuous-vip
Notes
• DHCP can be enabled on an interface only if that interface does not
already have any statically assigned IP addresses.
• On ACOS devices deployed in gateway (Layer 3) mode, Ethernet data
interfaces can have multiple IP addresses. An interface can have a com-
bination of dynamically assigned addresses (by DHCP) and statically
configured addresses. However, if you plan to use both methods of
address configuration, static addresses can be configured only after you
finish using DHCP to dynamically configure addresses. To use DHCP in
this case, you must first delete all the statically configured IP addresses
from the interface.
• On SoftAX models, if single-IP mode is used, DHCP can be enabled
only at the physical interface level.
• On devices deployed in Transparent (Layer 2) mode:
• you can enable DHCP on the management interface and at the
global level.
• The VIP address and pool NAT address (if used) should match the
global data IP address of the device. Make sure to enable this option
when configuring the VIP or pool.
ip allow-promiscuous-vip
Description Enable client traffic received on this interface and addressed to TCP port 80
to be load balanced for any VIP address.
Syntax [no] ip allow-promiscuous-vip
Default Disabled
Mode Interface
Usage This feature also requires configuration of a virtual server that has IP
address 0.0.0.0. For more information, see the Application Delivery and
Server Load Balancing Guide.

ip cache-spoofing-port
ip cache-spoofing-port
Description Configure the interface to support a spoofing cache server. A spoofing
cache server uses the client’s IP address instead of its own as the source
address when obtaining content requested by the client.
Syntax [no] ip cache-spoofing-port
Default Disabled
Mode Interface
Usage This command applies to the Transparent Cache Switching (TCS) feature.
Enter the command on the interface that is attached to the spoofing cache.
For more information about TCS, including additional configuration
requirements and examples, see the Application Delivery and Server Load
Balancing Guide.
Example The following command configures interface 9 to support a spoofing cache

server that is attached to the interface.
ACOS(config-if:ethernet9)#cache-spoofing-port
ip control-apps-use-mgmt-port (management interface

only)
Description Enable use of the management interface as the source interface for auto-
mated management traffic.
Syntax [no] ip control-apps-use-mgmt-port
Default By default, use of the management interface as the source interface for auto-
mated management traffic is disabled.
Mode Interface
Usage The ACOS device uses separate route tables for management traffic and
data traffic.
• Management route table – Contains all static routes whose next hops are
connected to the management interface. The management route table
also contains the route to the device configured as the management
default gateway.
• Main route table – Contains all routes whose next hop is connected to a
data interface. Also contains copies of all static routes in the manage-

ip default-gateway (management interface only)
ment route table, excluding the management default gateway route.

Only the data routes are used for load-balanced traffic.
By default, the ACOS device attempts to use a route from the main route
table for management connections originated on the ACOS device. The ip
control-apps-use-mgmt-port command enables the ACOS device to use
the management route table for these connections instead.
The ACOS device will use the management route table for reply traffic on
connections initiated by a remote host that reaches the ACOS device on the
management port. For example, this occurs for SSH or HTTP connections
from remote hosts to the ACOS device.
Example The following command enables use of the management interface as the
source interface for automated management traffic:
ACOS(config-if:management)#ip control-apps-use-mgmt-port
ip default-gateway (management interface only)

Description Specify the default gateway for the out-of-band management interface.
Syntax [no] ip default-gateway ipaddr
Default None
Mode Interface
Configuring a default gateway for the management interface provides the

following benefits:
• Ensures that reply management traffic sent by the A10 Thunder Series
and AX Series travels through the correct gateway
• Keeps reply management traffic off the data interfaces
The default gateway configured on the management interface applies only

to traffic sent from this interface. For traffic sent through data interfaces,
either the globally configured default gateway is used instead (if the ACOS
device is deployed in transparent mode) or an IP route is used (if the ACOS
device is deployed in route mode).
To configure the default gateway for data interfaces on an ACOS device

device deployed in transparent mode, use the ip default-gateway command
at the global Config level. (See “ip default-gateway” on page 360.)

ip helper-address
Note: Normally, if the ACOS device is deployed in transparent mode, outbound

traffic through the management interface is limited to the same subnet.
However, outbound traffic through data interfaces is not restricted to the
same subnet. To perform operations that require exchanging files with a
host (upgrade, import, export, and so on) that is in a different subnet from
the management interface:
• For automated management traffic such as syslog messages and
SNMP traps, see “ip control-apps-use-mgmt-port (management
interface only)” on page 298.
• For management traffic that you initiate using a command, use the
use-mgmt-port option with the command.
Example The following commands configure an IP address and default gateway for
the management interface:
ACOS(config-if:management)#ip address 10.10.20.1 /24
ACOS(config-if:management)#ip default-gateway 10.10.20.1
ip helper-address
Description Configure a helper address for Dynamic Host Configuration Protocol
(DHCP).
Syntax [no] ip helper-address ipaddr
ipaddr IP address of the DHCP server.
Default None
Mode Interface
Usage In the current release, the helper-address feature provides service for DHCP
packets only.
The ACOS interface on which the helper address is configured must have
an IP address.
The helper address can not be the same as the IP address on any ACOS
interface or an IP address used for SLB.
The current release supports DHCP relay service for IPv4 only.

ip igmp
Example The following commands configure two helper addresses. The helper
address for DHCP server 100.100.100.1 is configured on AX Ethernet inter-
face 1 and on Virtual Ethernet (VE) interfaces 5 and 7. The helper address
for DHCP server 20.20.20.102 is configured on VE 9.
ACOS(config-if:ethernet1)#ip helper-address 100.100.100.1
ACOS(config-if:ethernet1)#interface ve 5
ACOS(config-if:ve5)#ip helper-address 100.100.100.1
ACOS(config-if:ve5)#interface ve 7
ACOS(config-if:ve7)#interface ve 9
ip igmp
Description Configure IGMPv2 membership request queries.
Syntax [no] ip igmp generate-membership-query query-

timer max-resp-time response-timer
query-timer Sets the time interval (1-255 seconds) after
which your device (using the interface under
which you are configuring this feature) will initi-
ate an IGMP membership query request. The
default query timer is 125 seconds. This means
that IGMP membership queries will be sent
every 125 seconds from the configured interface.
response-timer Sets the time interval (in 1/10 of a second) before
which receiving devices will send an ICMP
query message response to indicate intention to
join the IGMP group or not. The default response
timer is 100. This means that receiving devices
have 10 seconds in which to indicate if they will
join the IGMP membership group or not.
Default None
Mode Interface

ip igmp
Usage The configured timer is valid only per interface and it must be set for each
individual interface.
To configure IGMP membership request queries on a physical interface, do
the following:
ACOS(config-if)#interface ethernet 2
ACOS(config-if:ethernet2)#ip igmp generate-membership-query 10 max-resp-
time 50
To view your IGMP membership request query configuration for a a physi-

cal interface, do the following:
ACOS(config)#show interfaces ethernet 2
Ethernet 2 is up, line protocol is up
Hardware is GigabitEthernet, Address is 001f.a004.2e71
Internet address is 192.168.1.1, Subnet mask is 255.255.255.0
Configured Speed auto, Actual 1Gbit, Configured Duplex auto, Actual fdx
IGMP Membership Query is enabled, IGMP Membership Queries sent 3
Flow Control is disabled, IP MTU is 1500 bytes
Port as Mirror disabled, Monitoring this Port disabled
0 packets input, 0 bytes
Received 0 broadcasts, Received 0 multicasts, Received 0 unicasts
0 input errors, 0 CRC 0 frame
0 runts 0 giants
3003 packets output 264264 bytes
Transmitted 0 broadcasts 3003 multicasts 0 unicasts
0 output errors 0 collisions
300 second input rate: 0 bits/sec, 0 packets/sec, 0% utilization
300 second output rate: 12768 bits/sec, 18 packets/sec, 0% utilization
To configure IGMP membership request queries on an virtual Ethernet

interface, do the following:
ACOS(config-vlan:50)#tagged ethernet 1
ACOS(config-vlan:50)#router-interface ve 50
ACOS(config)#interface ve 50
ACOS(config-if:ve50)#ip address 10.10.10.219 /24
ACOS(config-if:ve50)#ip igmp generate-membership-query 10 max-resp-time
50

ip igmp
To view your IGMP membership request query configuration for a virtual

Ethernet interface, do the following:
ACOS(config)#show interfaces ve 50
VirtualEthernet 50 is up, line protocol is up
Hardware is VirtualEthernet, Address is 001f.a004.2e72
Router Interface for L2 Vlan 50
IP MTU is 1500 bytes
0 packets input 0 bytes
Transmitted 0 broadcasts, Transmitted 0 multicasts, Transmitted 0 unicasts
300 second input rate: 0 bits/sec, 0 packets/sec
300 second output rate: 0 bits/sec, 0 packets/sec
To configure IGMP membership request queries on a trunk, do the follow-

ing:
ACOS(config-trunk:2)#ethernet 2
ACOS(config-trunk:2)#exit
ACOS(config)#interface trunk 2
ACOS(config-if:trunk2)#enable
ACOS(config-if:trunk2)#ip address 11.11.11.219 /24
ACOS(config-if:trunk2)#ip igmp generate-membership-query 20 max-resp-time
80
ACOS(config-if:trunk2)#exit
To view your IGMP membership request query configuration for a trunk, do

the following:
ACOS(config)#show interfaces trunk 2
Trunk 2 is up, line protocol is up
Hardware is TrunkGroup, Address is 001f.a004.2e71

ip nat
ip nat
Description Enable source Network Address Translation (NAT) on an interface.
Syntax [no] ip nat {inside | outside}
inside Specifies that this AX interface is connected to
the internal hosts on the private network that
need to be translated into external addresses for
routing.
outside Specifies that this AX interface is connected to
the external network or Internet. Before sending
traffic from an inside host out on this interface,
the ACOS device translates the host’s private
address into a public, routable address.
Default None
Mode Interface
Usage On an ACOS device deployed in transparent mode, this command is valid

only on Ethernet data ports. On an ACOS device deployed in route mode,
this command is valid on Ethernet data ports, Virtual Ethernet (VE) inter-
faces, and trunks.
To use source NAT, you also must configure global NAT parameters. See
the ip nat commands in “Config Commands: IP” on page 351.
In addition, on some AX models, if Layer 2 IP NAT is required, you also

must enable CPU processing on the interface. (See “cpu-process” on
page 290.) This applies to AX models AX 2200, AX 2200-11, AX 3100,
AX 3200, AX 3200-11, AX 3200-12, AX 3400, AX 5100, AX 5200,
AX 5200-11, and AX 5630.
Example The following commands configure IP source NAT for internal addresses in
the 10.1.1.x/24 subnet connected to interface 14. The addresses are trans-
lated into addresses in the range 10.153.60.120-150 before traffic from the
internal hosts is sent onto the Internet on interface 15. Likewise, return traf-
fic is translated back from public addresses into the private host addresses.
ACOS(config)#access-list 3 permit 10.1.1.0 0.0.0.255
ACOS(config)#ip nat pool 1 10.153.60.120 10.153.60.150 netmask /24
ACOS(config)#ip nat inside source list 3 pool 1
ACOS(config-if:ethernet14)#ip address 10.1.1.1 255.255.255.0

ip ospf
ACOS(config-if:ethernet14)#ip nat inside

ACOS(config-if:ethernet14)#interface ethernet 15
ACOS(config-if:ethernet15)#ip address 10.153.60.100 255.255.255.0
ACOS(config-if:ethernet15)#ip nat outside
ip ospf
Description Configure OSPFv2 parameters on a data interface.
Syntax [no] ip ospf [ipaddr] parameter
ipaddr Configures the parameter only for the specified
IP address. Without this option, the parameter is
configured for all IP addresses on the interface.
authentication
[message-digest
| null] Type of authentication used to validate OSPF
route updates sent or received on this interface:
message-digest – Message Digest 5
(MD5)
null – No authentication is used.
If you enter the authentication com-
mand without either of the options above, a
simple key is used for authentication.
authentication-
key key-string Password used by the interface to authenticate
link-state messages exchanged with neighbor
OSPF routers. Applies to simple authentication
only. Can be a string up to 8 characters long, with
no blanks.
cost number Numeric cost for using the interface, 1-65535.
database-filter
all out Blocks flooding of LSAs to the OSPF interface.
dead-interval
seconds Number of seconds that neighbor OSPF routers
will wait for a new OSPF Hello packet from
ACOS before declaring this OSPF router (the
ACOS device) to be down, 1-65535 seconds.
disable all Disables all OSPF packet processing on the inter-
face.

ip ospf
hello-interval
seconds Number of seconds between transmission of
OSPF Hello packets on this interface, 1-65535
seconds.
message-digest-
key key-id
md5 key-string Set of MD passwords used by the interface to
authenticate link-state messages exchanged with
neighbor OSPF routers. You can enter up to four
key strings. Applies only to MD authentication.
Key strings can be up to 16 characters long, with
no blanks.
mtu Specifies the Maximum Transmission Unit
(MTU) for OSPF packets transmitted on the
interface. You can specify 576-65535 bytes.
mtu-ignore Disables MTU size checking during Database
Description (DD) exchange. This option is useful
when the MTU at the remote end of the link is
larger than the maximum MTU supported on the
local end of the link.
network
network-type OSPF network type from the default for the
media. You can specify one of the following:
broadcast – Broadcast network.
non-broadcast – Non-broadcast multiaccess
(NBMA) network.
point-to-multipoint – Point-to-multipoint net-
work.
point-to-point – Point-to-point network.
priority number Eligibility of this OSPF router to be elected as
the designated router (DR) or backup designated
router (BDRs) for the routing domain, 0-255. 1 is
the lowest priority and 255 is the highest priority.
resync-timeout
seconds Time to wait before resetting the adjacency with
a neighbor, after receiving a restart signal from
the neighbor. The resync-timeout is applicable if
out-of-band resynchronization does not occur
following the restart signal. You can specify
1-65535 seconds.

ip ospf
retransmit-
interval
seconds Number of seconds between retransmissions of
link-state advertisements (LSAs) to adjacent
routers for this interface, 3-65535 seconds.
transmit-delay
seconds Number of seconds it takes to transmit Link State
Update packets (route updates) on this interface,
1-65535 seconds. This amount is added to the
ages of LSAs sent in the updates.
Default The OSPF interface options have the following defaults:

• authentication – Not set
• authentication-key – Not set
• cost – By default, an interface’s cost is calculated based on the inter-

face’s bandwidth. If the auto-cost reference bandwidth is set to its
default value (100 Mbps), the default interface cost is 10.
• database-filter all out – Disabled. LSA flooding is permitted.
• dead-interval – 40 seconds
• hello-interval – 10 seconds
• message-digest-key – Not set
• mtu – The IP MTU set on the interface is used.
• mtu-ignore – MTU size checking is enabled. If the MTU size in DD

packets from a neighbor does not match the interface MTU, adjacency is
not established.
• network – depends on the media type
• priority – 1
• resync-timeout – 40 seconds
• retransmit-interval – 5 seconds
• transmit-delay – 1 second
Mode Interface
Usage The OSPF router with the highest priority is elected as the DR and the
router with the second highest priority is elected as the BDR. If more than
one router has the highest priority, the router with the highest OSPF router
ID is selected. Priority applies only to multi-access networks, not to point-

ip rip authentication
to-point networks. If you set the priority to 0, the A10 Thunder Series and
AX Series does not participate in DR and BDR election.
For the message-digest-key key-id md5 key-string option, the CLI lists the
encrypted keyword. This keyword encrypts display of the string in the
startup-config and running-config. Do not enter this keyword. The ACOS
device automatically applies the keyword. Entering the keyword manually
is not valid.
Example The following command sets the OSPF priority on Ethernet interface 10 to
100:
ACOS(config-if:ethernet10)#ip ospf priority 100
ip rip authentication
Description Configure IPv4 RIP authentication on the interface.
Syntax [no] ip rip authentication

{
key-chain name [name ...] |
mode {md5 | text} |
string auth-string [auth-string ...]
}
key-chain name
[name ...] Enables authentication using the specified key
chains. (To configure a key-chain file, use the
key chain command at the global configuration
level of the CLI.)
mode
{md5 | text} Authentication mode:
md5 – Message Digest 5
text – Clear text
string
auth-string
[auth-string
...] Enables authentication using the specified pass-
words.
Default None
Mode Interface

ip rip receive version
ip rip receive version

Description Specify the RIP version allowed in RIP packets received on the interface.
Syntax [no] ip rip receive version {1 [2] | 2}
1 RIP version 1.
2 RIP version 2.
Default 2
Mode Interface
ip rip receive-packet
Description Enable the interface to receive RIP packets.
Syntax [no] ip rip receive-packet
Default Enabled
Mode Interface
ip rip send version

Description Specify the RIP version allowed to be sent on the interface.
Syntax [no] ip rip send version {1 [2] | 2}
1 RIP version 1.
2 RIP version 2.
Default 2
Mode Interface

ip rip send-packet
ip rip send-packet
Description Enable the interface to send RIP packets.
Syntax [no] ip rip send-packet
Default Enabled
Mode Interface
ip rip split-horizon
Description Configure the split-horizon method. Split horizon prevents the ACOS
device from advertising a route to the neighbor that advertised the same
route to the ACOS device.
Syntax [no] ip rip split-horizon [poisoned]
poisoned Enables advertisement of a route to the neighbor
that advertised the route to the ACOS device, but
sets the metric value to infinity, thus making the
route advertised by the ACOS device unusable
by the neighbor.
If you omit the poisoned option, advertisement
of a route to the neighbor that advertised the
route to the ACOS device is not allowed.
Default Split-horizon with poison is enabled.
Mode Interface
{ip | ipv6} router isis

Description Enable Intermediate System to Intermediate System (IS-IS) routing on the
interface.
Syntax [no] {ip | ipv6} router isis [tag]
Default Not set
Mode Interface

ip slb-partition-redirect
ip slb-partition-redirect
Description Enable routing redirection on an ingress Ethernet data port that will receive
traffic addressed to the VIP in a private partition.
Syntax [no] ip slb-partition-redirect
Default Not set
Mode Interface
Example
ACOS(config-if:ethernet4)#ip slb-partition-redirect
ACOS(config-if:ethernet4)#exit
ACOS(config)#ip route 10.2.4.0 /24 partition p69
ACOS(config)#active-partition p69
ACOS(config)#ip route 0.0.0.0 /24 partition shared
ip tcp syn-cookie
Description Enable Layer 2/3 SYN cookies on the interface.
Syntax [no] ip tcp syn-cookie
Default Disabled
Mode Interface
Usage To globally enable SYN cookie support, see “syn-cookie” on page 232. To
configure the SYN cookie expire threshold, see “ip tcp syn-cookie thresh-
old” on page 381.
Example The following commands globally enable SYN cookie support, then enable
Layer 2/3 SYN cookies on Ethernet interfaces 4 and 5:
ACOS(config)#syn-cookie on-threshold 50000 off-threshold 30000
ACOS(config-if: ethernet4)#ip tcp syn-cookie
ACOS(config-if: ethernet4)#interface ethernet 5
ACOS(config-if: ethernet5)#ip tcp syn-cookie

ipv6 (on management interface)
ipv6 (on management interface)

Description Configure an IP version 6 address and default gateway on the management
interface.
Syntax [no] ipv6 address ipaddr/mask-length
Syntax [no] ipv6 default-gateway gateway-ipaddr
Default None.
Mode Interface
Usage The ipv6 default-gateway command applies only to the management inter-
face. To configure IPv6 on a data interface, see “ipv6 address” on page 312.
Example The following commands configure an IPv6 address and default gateway on
the management port:
ACOS(config-if:management)#ipv6 address 2001:db8:11:2/32
ACOS(config-if:management)#ipv6 default-gateway 2001:db8:11:1/32
ipv6 access-list
Description Apply an IPv6 Access Control List (ACL) to an interface.
Syntax [no] ipv6 access-list name in
name Name of a configured IPv6 ACL.
in Applies the ACL to inbound IPv6 traffic received
on the interface.
Default N/A
Mode Interface
ipv6 address
Description Configure an IPv6 address on the interface.
Syntax [no] ipv6 address ipaddr/prefix-length

[link-local] [any-cast]

ipv6 address
ipv6-addr Valid unicast IPv6 address.
prefix-length Prefix length, up to 128.
link-local Configures the address as the link-local IPv6
address for the interface, instead of a global
address. Without this option, the address is a
global address.
any-cast Configures the address as an anycast address. An
anycast address can be assigned to more than one
interface. A packet sent to an anycast address is
routed to the “nearest” interface with that
address, based on the distance in the routing pro-
tocol.
Default None.
Mode Interface
Usage Use this command to configure the link-local and global IP addresses for
the interface.
• The ipv6 address command, used without the link-local option, config-
ures a global address. If you use the link-local option, the address is
instead configured as the link-local address.
• To enable automatic configuration of the link-local IPv6 address instead,
use the ipv6 enable command.
To configure IPv6 on the management interface, see “ipv6 (on management

interface)” on page 312.
Example The following command configures a global IPv6 address on Ethernet

interface 8:
ACOS(config-if:ethernet8)#ipv6 address e101::1112/64
Example The following command overrides any auto-generated link-local address on

interface 6 and explicitly configures a new link-local address:
ACOS(config-if:ethernet6)#ipv6 address fe80::1/64 link-local

ipv6 enable
ipv6 enable
Description Enable automatic configuration of a link-local IPv6 address on the interface.
Syntax [no] ipv6 enable
Default Disabled
Mode Interface
Usage Use this command to enable automatic configuration of the link-local IPv6
address.
To manually configure the address instead, see “ipv6 address” on page 312.
Example The following command enables an automatically generated link-local IPv6

address on Ethernet interface 6:
ACOS(config-if:ethernet6)#ipv6 enable
ipv6 nat inside

Description Enable inside NAT on the interface.
Syntax [no] ipv6 nat inside
Default Disabled
Mode Interface
ipv6 nat outside

Description Enable outside NAT for IPv6 on the interface.
Syntax [no] ipv6 nat outside
Default Disabled
Mode Interface

ipv6 ndisc router-advertisement

Description Configure IPv6 router discovery (RFC 4861).
Syntax [no] ipv6 ndisc router-advertisement

{
default-lifetime seconds |
disable |
enable |
ha-group-id group-id
[use-floating-ip ipv6-addr/prefix-length] |
hop-limit num |
max-interval seconds |
min-interval seconds |
mtu {disable | bytes} |
prefix ipv6-addr/prefix-length
[not-autonomous | not-on-link |
preferred-lifetime seconds |
valid-lifetime seconds] |
rate-limit num |
reachable-time ms |
retransmit-timer seconds
}
default-
lifetime
seconds Specifies the number of seconds for which router
advertisements sent on this interface are valid.
You can specify 0 or 4-9000 seconds. The value
can not be less than the maximum advertisement
interval. If you specify 0, the host will not use
this interface (IPv6 router) as a default route.
disable Disables IPv6 router discovery.
enable Enables IPv6 router discovery.
ha-group-id
group-id
[use-floating-
ip ipv6-addr/
prefix-length] Specifies an HA group for which to send router
advertisements.
The use-floating-ip option specifies a floating
IPv6 address to use as the source address for
router advertisements for the HA group. The

address must be a link-local address on this inter-

face. The HA virtual MAC address will be used
as the source address.
hop-limit num Specifies the default hop count value that should
be used by hosts. For a given packet, the hop
count is decremented at each router hop. If the
hop count reaches 0, the packet becomes invalid.
You can specify 0-255. If you specify 0, the
value is unspecified by this IPv6 router.
max-interval
seconds Specifies the maximum number of seconds
between transmission of unsolicited router adver-
tisement messages on this interface. You can
specify 4-1800 seconds.
min-interval
seconds Specifies the minimum number of seconds
between transmission of unsolicited router adver-
tisement messages on this interface. You can
mtu
{disable |
bytes} Specifies the MTU value to include in the MTU
options field. You can specify 1200-1500 bytes
(on 1-Gbps interfaces) or disabled.
Note: If the option is disabled, no MTU value is included.

prefix
ipv6-addr/
prefix-length
[options] Specifies the IPv6 prefixes to advertise on this
interface. A maximum of 32 prefixes can be
advertised on an interface.
The following options are supported:
not-autonomous – Disables support for auto-
configuration of IPv6 addresses by clients.
not-on-link – Disables the On-Link flag. When
enabled, the On-Link flag indicates that the pre-
fix is assigned to this interface. If you enable this
option, the valid-lifetime is 2592000 seconds
(30 days).
preferred-lifetime seconds – Specifies the num-
ber of seconds for which auto-generated

addresses remain preferred. You can specify

0-4294967295 seconds. The default is 604800.
valid-lifetime seconds – specifies the number of
seconds for which advertisement of the prefix is
valid. You can specify 1-4294967295 seconds.
The default is 2592000.
rate-limit num Specifies the maximum number of router solici-
tation requests per second that will be processed
on the interface. You can specify 1-100000 mes-
sages per second.
reachable-time
ms Specifies the number of milliseconds (ms) for
which the host should assume a neighbor is
reachable, after receiving a reachability confir-
mation from the neighbor. You can specify
0-3600000 ms. If you specify 0, the value is
unspecified by this IPv6 router.
retransmit-
timer seconds Specifies the number of seconds a host should
wait between sending neighbor solicitation mes-
sages. You can specify 0-4294967295 seconds. If
you specify 0, the value is unspecified by this
IPv6 router.
Default IPv6 router discovery is disabled by default. The command options have the
following default values:
• default-lifetime – 1800 seconds
• disable – Disabled
• enable – Disabled
• ha-group-id – Not set. Advertisements are sent regardless of HA group.
• hop-limit – 255
• max-interval – 600 seconds
• min-interval – 200 seconds
• mtu – disabled
• prefix – All prefixes for IPv6 addresses that are configured on this inter-
face are advertised. The prefix options have the following defaults:
• not-autonomous – disabled (Auto-configuration of IPv6 addresses
by clients is enabled.)
• not-on-link – enabled (On-Link is disabled.)

• preferred-lifetime – 604800 seconds

• valid-lifetime – 2592000 seconds
• rate-limit – 100000 messages per second
• reachable-time – 0 (The value is unspecified by this IPv6 router.)
• retransmit-timer – 0 (The value is unspecified by this IPv6 router.)
Mode Interface
Usage When router discovery is enabled, the ACOS device:

• Sends IPv6 router advertisements out the IPv6 interfaces on which
router discovery is enabled. IPv6 hosts that receive the router advertise-
ments will use the ACOS device as their default gateway.
• Replies to IPv6 router solicitations received by IPv6 interfaces on which
router discovery is enabled.
IPv6 router discovery is not supported in transparent mode. The ACOS

device must be deployed in gateway mode.
When IPv6 router discovery is enabled on an interface, any new IPv6

addresses that you add to the interface are automatically added to the set of
prefixes to advertise.
Router advertisements are sent to the all-nodes multicast address at an inter-

val that is uniformly distributed between the minimum and maximum
advertisement intervals. If a host sends a router solicitation message, the
ACOS device sends a router advertisement as a unicast to that host instead.
The source address of router advertisements is always a link-local IPv6

address.
For the reachable-time, hop-limit, and retransmit-timer options, the

ACOS device recommends the configured value to hosts but does not itself
use the value.
Example The following commands configure an IPv6 address on Ethernet interface 1,

enable IPv6 router discovery, change the minimum and maximum adver-
tisement intervals, and add two prefixes to the prefix advertisement list.
ACOS(config-if:ethernet1)#ipv6 address 2001::1/64
ACOS(config-if:ethernet1)#ipv6 ndisc router-advertisement enable
ACOS(config-if:ethernet1)#ipv6 ndisc router-advertisement max-interval 300
ACOS(config-if:ethernet1)#ipv6 ndisc router-advertisement min-interval 150

ipv6 ospf cost
ACOS(config-if:ethernet1)#ipv6 ndisc router-advertisement prefix 2001::/64

on-link
ACOS(config-if:ethernet1)#ipv6 ndisc router-advertisement prefix 2001:a::/96
on-link
ipv6 ospf cost

Description Explicitly set the link-state metric (cost) for this OSPF interface.
Syntax [no] ipv6 ospf cost num
num Specifies the cost, 1-65535.
Default By default, an interface’s cost is calculated based on the interface’s band-

width. If the auto-cost reference bandwidth is set to its default value (100
Mbps), the default interface cost is 10.
Mode Interface
ipv6 ospf dead-interval

Description Specify the maximum time to wait for a reply to a hello message, before
declaring the neighbor to be offline.
Syntax [no] ipv6 ospf dead-interval seconds
seconds Number of seconds this OSPF router will wait
for a reply to a hello message sent out this inter-
face to an OSPF neighbor, before declaring the
neighbor to be offline. You can specify 1-65535
seconds.
Default 40
Mode Interface

ipv6 ospf hello-interval
ipv6 ospf hello-interval

Description Specify the time to wait between sending hello packets to OSPF neighbors.
Syntax [no] ipv6 ospf hello-interval seconds
between transmission of hello packets out this
interface to OSPF neighbors. You can specify
1-65535 seconds.
Default 10
Mode Interface
ipv6 ospf mtu-ignore

Description Disable checking of the maximum transmission unit (MTU) during OSPFv3
Database Description (DD) exchange.
Syntax [no] ipv6 ospf mtu-ignore [instance-id num]
num Specifies an OSPFv3 process, 0-255. If you do
not use this option, MTU checking on the inter-
face is disabled for all OSPFv3 processes.
Default MTU checking is enabled by default.
Mode Interface

ipv6 ospf neighbor
ipv6 ospf neighbor

Description Configure an OSPFv3 neighbor that is located on a non-broadcast network
reachable through this interface.
Syntax [no] ipv6 ospf neighbor ipv6-addr

[
cost num [instance-id num] |
instance-id num |
poll-interval seconds [priority num]
[instance-id num] |
priority num [poll-interval seconds]
[instance-id num]
]
ipv6-addr IPv6 address of the OSPF neighbor.
cost num Specifies the link-state metric to the neighbor,
1-65535.
poll-interval
seconds Number of seconds this OSPFv3 interface will
wait for a reply to a hello message sent to the
neighbor, before declaring the neighbor to be
offline. You can specify 1-65535 seconds.
priority num Router priority of the neighbor, 1-255.
Default No neighbors on non-broadcast networks are configured by default. When

you configure one, the other parameters have the following default settings:
• cost – not set
• poll-interval – 120 seconds
• priority – 0

ipv6 ospf network
ipv6 ospf network

Description Specify the network type.
Syntax [no] ipv6 ospf network

{
broadcast |
non-broadcast |
point-to-multipoint |
point-to-point
}
[instance-id num]
broadcast Broadcast network.
non-broadcast Non-broadcast multiaccess (NBMA) network.
point-to-
multipoint Point-to-multipoint network.
point-to-point Point-to-point network.
num Specifies an OSPFv3 process, 0-255. If you do
not use this option, MTU checking on the inter-
face is disabled for all OSPFv3 processes.
Default Depends on the media type.
Mode Interface
ipv6 ospf priority

Description Priority of this OSPF router (and process) on this interface for becoming the
designated router for the OSPF domain.
Syntax [no] ipv6 ospf priority num
num Priority of this OSPF process on this interface, 0-
255. The lowest priority is 0 and the highest pri-
ority is 255.
Default 1

ipv6 ospf retransmit-interval
Mode Interface
Usage If more than one OSPF router has the highest priority, the router with the
highest router ID is selected as the designated router.
ipv6 ospf retransmit-interval

Description Specify the time to wait before resending an unacknowledged packet out
this interface to an OSPF neighbor.
Syntax [no] ipv6 ospf retransmit-interval seconds
seconds Number of seconds this OSPF router waits
before resending an unacknowledged packet out
this interface to a neighbor. You can specify
1-65535 seconds.
Default 5
Mode Interface
ipv6 ospf transmit-delay

Description Specify the time to wait between sending packets out this interface to an
OSPF neighbor.
Syntax [no] ipv6 ospf transmit-delay seconds
between transmission of packets out this inter-
face to OSPF neighbors. You can specify
1-65535 seconds.
Default 1
Mode Interface

ipv6 rip split-horizon
ipv6 rip split-horizon

Description Configure the split-horizon method. Split horizon prevents the ACOS
device from advertising a route to the neighbor that advertised the same
route to the ACOS device.
Syntax [no] ipv6 rip split-horizon [poisoned]
poisoned Enables advertisement of a route to the neighbor
that advertised the route to the ACOS device, but
sets the metric value to infinity, thus making the
route advertised by the ACOS device unusable
by the neighbor.
If you omit the poisoned option, advertisement
of a route to the neighbor that advertised the
route to the ACOS device is not allowed.
Default Split-horizon with poison is enabled.
Mode Interface
ipv6 router isis

Description Configure options for Intermediate System to Intermediate System (IS-IS)
on an IPv6 data interface.
Syntax [no] ipv6 router isis [options]
Default None
Mode Interface
ipv6 router ospf

Description Configure an OSPFv3 area.
Syntax [no] ipv6 router ospf

{
area {num | ipaddr} [tag tag [instance-id num]] |
tag tag area {num | ipaddr} [instance-id num]
}

ipv6 router rip
Mode Interface
Usage For OSPFv3, the area tag ID configured on an interface must be the same as
the tag ID for the OSPF instance.
ipv6 router rip

Description Configure RIP routing for IPv6.
Syntax [no] ipv6 router rip
Mode Interface
isis authentication
Description Configure authentication for this IS-IS interface.
Syntax [no] isis authentication send-only

[level-1 | level-2]
[no] isis authentication mode md5

[level-1 | level-2]
[no] isis authentication key-chain name

[level-1 | level-2]
send-only
[level-1 |
level-2] Disables checking for keys in IS-IS packets
received by this interface.
level-1 – Disables key checking only for Level-1
(intra-area) IS-IS traffic.
(inter-area) IS-IS traffic.

isis bfd
mode md5
[level-1 |
level-2] Enables MD5 authentication.
level-1 – Enables MD5 only for Level-1 (intra-
area) IS-IS traffic.
level-2 – Enables MD5 only for Level-2 (inter-
key-chain name
[level-1 |
level-2] Specifies the name of the certificate key chain to
use for authenticating IS-IS traffic.
level-1 – Applies only to Level-1 (intra-area)
IS-IS traffic.
level-2 – Applies only to Level-2 (inter-area)
IS-IS traffic.
Default Clear-text authentication is enabled by default. MD5 authentication is dis-

abled by default. No key chain is set by default. The send-only option is
disabled by default. All options apply to Level-1 and Level-2, unless you
specify one level or the other.
Mode IS-IS
Usage This command overrides the globally configured authentication settings for
the IS-IS instance.
Use the send-only option to temporarily disable key checking, then use the
key-chain option to specify the key chain. To use MD5, use the md5 option
to disable clear-text authentication and enable MD5 authentication. After
key-chains are installed on the other IS-IS routers, disable the send-only
option.
Example The following command disables MD5 authentication for IS-IS on interface
VE 2. Clear-text authentication will be used instead.
ACOS(config-if:ve3)#no isis authentication mode md5
isis bfd
Description Disable BFD on an individual interface.
Syntax [no] bfd disable
Default Takes the value from the global BFD configuration.

isis circuit-type
Mode Interface
isis circuit-type
Description Specify the IS-IS routing level (circuit type) for this interface.
Syntax [no] circuit-type [level-1 | level-1-2 | level-2]
level-1 |
level-1-2 |
level-2 Specifies the IS-IS routing level.
Default level-1-2
Mode Interface
isis csnp-interval
Description Configure the interval between transmission of complete sequence number
PDUs (CSNPs).
Syntax [no] isis csnp-interval seconds

[level-1 | level-2]
seconds Specifies the number of seconds to wait between
transmission of CSNPs. You can specify 0-65535
seconds.
level-1 |
level-2 Specifies the IS-IS routing level to which the
interval setting applies.
Default 10 seconds, for both level-1 and level-2
Mode Interface
Usage This command is valid only on broadcast interfaces (network type broad-
cast).

isis hello padding
isis hello padding

Description Enable padding of IS-IS HEllo packets.
Syntax [no] isis hello padding
Default Enabled
Mode Interface
Usage When padding is enabled, extra bytes are added to IS-IS Hello packets to
make them equal to the MTU size of the interface. This option informs
neighbors of the interface’s MTU, so that neighbors do not send Hello pack-
ets that are longer than the MTU.
isis hello-interval
Description Configure the interval between transmission of IS-IS Hello packets on this
interface.
Syntax [no] isis hello-interval {seconds | minimal}

[level-1 | level-2]
seconds |
minimal Specifies the number of seconds between trans-
mission of Hello packets to neighbors. You can
For information about the minimal option, see
“Usage” below.
level-1 |
interval setting applies.
Default 10 seconds, for both level-1 and level-2
Mode Interface
Usage The minimal option bases the hello interval on the hello multiplier, by set-
ting the hold time to 1, and dividing the hold time by the hello multiplier:
hello-interval = hold-time % hello-multiplier
hello-interval = 1 % hello-multiplier

isis hello-multiplier
(For more information, see “isis hello-multiplier” on page 329.)
isis hello-multiplier
Description Configure the multiplier used for calculating the neighbor hold time for
Hello packets.
Syntax [no] isis hello-multiplier num [level-1 | level-2]
num Specifies the multiplier. You can specify 3-1000.
level-1 |
multiplier setting applies.
Default 3
Mode Interface
Usage The hold time specifies the maximum number of seconds IS-IS neighbors
should allow between Hello packets from this IS-IS interface. If the neigh-
bor does not receive a Hello packet before the hold time expires, the neigh-
bor terminates the adjacency with this IS-IS router on this interface.
To calculate the hold time, IS-IS multiplies the IS-IS hello interval by the
multiplier:
hello-interval x hello-multiplier = hold-time
The hold-time value is included in Hello packets sent to IS-IS neighbors.
Note: If the minimal option is used with the isis hello-interval command, the
hold time is set to 1. This overrides the hold time calculated based on the
hello-multiplier value.
isis lsp-interval
Description Configure the minimum LSP transmission interval.
Syntax [no] isis lsp-interval ms

isis mesh-group
ms Specifies the minimum number of ms IS-IS will
wait between transmission of LSPs. You can
specify 1-4294967295 ms.
Default 33 ms
Mode Interface
Usage The LSP transmission interval helps avoid high CPU utilization on IS-IS
neighbors during LSP floods, by allowing the neighbors time to send,
receive, and process LSPs.
isis mesh-group
Description Configure mesh-group membership to control LSP flooding from this inter-
face.
Syntax [no] isis mesh-group {group-num | blocked}
group-num Specifies the mesh group number. You can spec-
ify 1-4294967295. LSPs are flooded to all Level-
1 or Level-2 IS-IS neighbors (as applicable),
except to the neighbors who are in the same mesh
group. LSPs are not flooded to the neighbors
who are in the same mesh group as this interface.
blocked Blocks flooding of LSPs on this interface.
Default None
Mode Interface
isis metric
Description Configure the default IS-IS metric (cost) for the interface.
Syntax [no] isis metric num [level-1 | level-2]
num Specifies the cost of using this interface as a link
in an IS-IS route. You can specify 1-63.

isis network
level-1 |
default metric setting applies.
Default 10, for Level-1 and Level-2 routing levels
Mode Interface
Usage The default metric is used for SPF calculation. Links with lower metrics are
preferred to links with higher metrics.
The default metric is applicable only when the metric style is narrow. (See
“metric-style” on page 475.)
isis network
Description Configure the network type.
Syntax [no] isis network {broadcast | point-to-point}
broadcast The network is a broadcast network.
point-to-point The network is a point-to-point network.
Default broadcast
Mode Interface
isis password
Description Configure the plain-text password for authentication of Hello packets sent
and received on this interface.
Syntax [no] isis password string [level-1 | level-2]
string Specifies the password.
level-1 |
password applies.
Default None

isis priority
Mode Interface
Usage The password is applicable only if the authentication type is plain-text. (See
“isis authentication” on page 325.)
isis priority
Description Configure this interface’s priority for Designated Integrated System (DIS)
election.
Syntax [no] isis priority num [level-1 | level-2]
num Specifies the priority, 0-127.
level-1 |
level-2 Specifies the IS-IS routing level to which the pri-
ority applies.
Mode Interface
Usage During DIS election, the IS-IS router with the highest priority is elected as
the DIS for the LAN. If more than one IS-IS router has the highest priority,
the router that has the IS-IS interface with the highest MAC address is
elected as the DIS.
The priority is applicable only if the network type is broadcast. (See “isis
network” on page 331.)
isis restart-hello-interval
Description Configure the amount of time this interface waits for acknowledgement
from neighbors of its notification to restart IS-IS, before resending the noti-
fication.
Syntax [no] isis restart-hello-interval seconds

[level-1 | level-2]
seconds Specifies the number of seconds IS-IS waits to
receive an acknowledgement of its restart notifi-
cation. You can specify 1-65535 seconds.

isis retransmit-interval
level-1 |
interval applies.
Default 3 seconds, for Level-1 and Level-2 routing levels
Mode Interface
Usage To notify its IS-IS neighbors of an intent to restart the IS-IS process, the
ACOS device inserts a Restart TLV in IS-IS Hello packets sent to neighbors
on this interface. If the an acknowledgement of the restart notification si not
received on this interface before the restart hello interval expires, IS-IS
resends the notification.
isis retransmit-interval
Description Configure the interval between transmission of LSPs on point-to-point
links.
Syntax [no] isis retransmit-interval seconds
seconds Specifies the number of seconds IS-IS waits
before resending an LSP that was dropped. You
can specify 0-65535 seconds. Use a value that is
greater than the expected round-trip delay
between any two routers on the attached net-
work.
Default 5
Mode Interface
Usage The retransmit interval is applicable only if the network type is point-to-
point. (See “isis network” on page 331.)
isis wide-metric
Description Configure the length of a wide metric on the interface.
Syntax [no] isis wide-metric num [level-1 | level-2]

l3-vlan-fwd-disable
num Specifies the metric length. You can specify
1-16777214.
level-1 |
metric applies.
Mode Interface
Usage The wide metric is applicable only if the metric style is set to wide or transi-
tion. (See “metric-style” on page 475.)
l3-vlan-fwd-disable
Description Disable Layer 3 forwarding between VLANs on tis interface.
Syntax [no] l3-vlan-fwd-disable
Default By default, the ACOS device can forward Layer 3 traffic between VLANs.
Mode Interface
Usage This command is applicable only on ACOS devices deployed in gateway

(route) mode. If the option to disable Layer 3 forwarding between VLANs
is configured at any level, the ACOS device can not be changed from gate-
way mode to transparent mode, until the option is removed.
The command is applicable to inbound traffic on the interface.
The command is valid on physical Ethernet interfaces, Virtual Ethernet

(VE) interfaces, trunks, and on the lead interface in trunks.
However, if the command is configured on a physical Ethernet interface,

that interface can not be added to a trunk or VE.
If the command is used on a trunk or VE and that trunk or VE is removed

from the configuration, the command is also removed from all physical
Ethernet interfaces that were members of the trunk or VE. Likewise, if a
VLAN is removed, the command is removed from any physical Ethernet
interfaces that were members of the VLAN.
To display statistics for this option, see “show slb switch” on page 1051.

lacp port-priority
lacp port-priority
Description Set the Link Aggregation Control Protocol (LACP) priority of the interface.
Syntax [no] lacp port-priority num
num Specifies the priority, 1-65535. A low priority
number indicates a high priority value. The high-
est priority is 1 and the lowest priority is 65535.
Default 32768
Mode Interface
Usage If the LACP trunk has more candidate members than are allowed by the
device at the other end of the link, LACP selects the interfaces with the
highest port priority values as the active interfaces. The other interfaces are
standbys, and are used only if an active interface goes down.
lacp timeout
Description Set the aging timeout for LACP data units from the other end of the LACP
link.
Syntax [no] lacp timeout {short | long}
short | long Specifies the timeout:
short – 3 seconds
long – 90 seconds
Default long
Mode Interface

lacp trunk
lacp trunk
Description Add the interface to an LACP trunk.
Syntax [no] lacp trunk lacp-trunk-id [admin-key num]

mode {active | passive}
[unidirectional-detection]
lacp-trunk-id Specifies the trunk ID, 1-16.
admin-key num Specifies the key value for the trunk, 10000-
65535. The admin key must match on all inter-
faces in the trunk.
mode
{active |
passive} Specifies whether LACP will run in active or
passive mode on the interface.
active – Initiates link formation with the other
end of the link.
passive – Waits for the other end of the link to
initiate link formation.
unidirectional-
detection Enables Unidirectional Link Detection (UDLD).
UDLD checks the links in LACP trunks to ensure
that both the send and receive sides of each link
are operational.
Default No LACP trunks are configured by default. When you add an interface to an
LACP trunk, it has the following defaults:
• lacp-trunk-id – not set
• admin-key – 1000 plus the trunk ID. For example, for trunk 3, the
default admin-key is “1003”.
• mode – active
• unidirectional-detection – disabled
Mode Interface
Usage Up to 16 trunks are supported, in any combination of static and dynamic

(LACP) trunks.

lacp udld-timeout
ACOS UDLD uses LACP protocol packets as heartbeat messages. If an

LACP link on the ACOS device does not receive an LACP protocol packet
within a specified timeout, LACP blocks traffic on the port. This corrects
the problem by forcing the devices connected by the non-operational link to
use other, fully operational links.
A link that is blocked by LACP can still receive LACP protocol packets but
blocks all other traffic.
lacp udld-timeout
Description Set the timeout interval for receiving LACP protocol packets from other
ports.
Syntax [no] lacp udld-timeout {fast | slow} num
fast | slow Specifies the time unit:
fast – Allows the timeout to be set in increments
of milliseconds (ms). In this case, the num value
can be 100-1000.
slow – Allows the timeout to be set in increments
of seconds. In this case, the num value can be
1-60.
num Specifies the timeout. For supported values, see
above.
Default slow 1
Mode Interface
Usage The local port waits for the UDLD timeout to receive an LACP protocol
packet from the remote port. If an LACP protocol packet does not arrive
before the timeout expires, LACP disables the local port.

lldp enable
lldp enable
Description Configure this interface to send only, receive only, or send and receive
LLDP data packets.
Syntax [no] lldp enable [rx] [tx]
Default Contact A10 Networks for information.
Mode Port configuration mode
lldp notification enable

Description Configure this port to send notifications.
Syntax [no] lldp notification enable
Mode Interface
lldp tx-tlvs
Description Configure the four mandatory transmission TLV packets for the chassis ID,
port ID, Time to Live, and End. In addition, you can configure which
optional TLV should be sent.
Syntax [no] lldp tx tlvs [port-description] [system-

name] [system-description] [system-capabilities]
[management-address]
Mode Interface

lldp tx-dot1-tlvs
lldp tx-dot1-tlvs
Description The TLVs VLAN name and link-aggregation are dictated by 802.1ab Annex
E.
Syntax [no] lldp tx-dot1-tlvs [vlan] [link-aggregation]
vlan Assign a name to the VLAN and map the VLAN
ID to the VLAN.
link-
aggregation Link-aggregation TLV, dictated by 802.1ab 2005
and 802.1ab 2009.
Default Since 802.1ab 2009 and 802.1ab2005 are inherently different, some older
devices do support these TLVs by default. The TLVs will not automatically
be included in the transmitted frame.
Mode Interface
load-interval
Description Change the interval for utilization statistics for the interface.
Syntax [no] load-interval seconds
seconds You can specify 5-300 seconds.
You must specify the amount in 5-second inter-
vals. For example, 290 and 295 are valid interval
values. However, 291, 292, 293, and 294 are not
valid interval values.
Default 300 seconds
Mode Interface
Usage This command applies only to data interfaces.
To display interface utilization statistics, see and “show interfaces” on

page 892 and “show statistics” on page 948.

monitor
Example The following command changes the utilization statistics interval for Ether-
net interface 1 to 200 seconds:
ACOS(config-if:ethernet1)#load-interval 200
monitor
Description Configure an Ethernet interface to send a copy of its traffic to another Ether-
net interface.
Syntax [no] monitor [both | input | output]
both | input |
output Traffic direction to mirror. If you do not specify a
direction, traffic in both directions is copied.
Default By default, no traffic is mirrored. When you enable a port to be monitored,

both traffic directions are mirrored by default.
Mode Interface
Usage This command is valid only on Ethernet data interfaces. To specify the port
to which to mirror the traffic, use the mirror-port command at the global
Config level. (See “mirror-port” on page 193.)
Note: Only one mirror port is supported. All mirrored traffic for the directions
you specify goes to that port.
Example The following commands enable monitoring of input traffic on Ethernet

port 5, and enable the monitored traffic to be copied (“mirrored”) to Ether-
net port 3:
ACOS(config)#mirror-port ethernet 3
ACOS(config-if:ethernet5)#monitor input

mtu
mtu
Description Change the Maximum Transmission Unit (MTU) for an Ethernet interface.
Syntax [no] mtu bytes
bytes Largest packet size that can be forwarded out the
interface. You can specify 1200-1522 bytes.
Note: See Usage section below for details on jumbo frame support.
Default 1522 bytes
Mode Interface
Usage This command applies to the management interface and Ethernet data inter-
faces.
If the ACOS device needs to forward a packet that is larger than the MTU of
the AX egress interface to the next hop, but the Do Not Fragment bit is set
in the packet, the ACOS device drops the packet and sends an ICMP Desti-
nation Unreachable code 4 (Fragmentation required, and DF set) message to
the sender.
To display a counter of how many outbound packets have been dropped

because they were longer than the outbound interface's MTU, use the fol-
lowing command:
show slb switch
[detail | ethernet port-num [detail]]
The counter is labeled “MTU exceeded Drops”. The counter includes pack-
ets that had the Do Not Fragment bit set and packets that did not have the bit
set.
You can enable jumbo support on a global basis. In this case, the MTU is
not automatically changed on any interfaces, but you can increase the MTU
on individual interfaces.
• On FPGA models, you can increase the MTU on individual Ethernet
interfaces up to 12000 bytes.
• On non-FPGA models, you can increase the MTU on individual Ether-
net interfaces up to 9216 bytes.

name
name
Description Assign a name to the interface.
Syntax [no] name string
string Name for the interface, 1-63 characters.
Default None
Mode Interface
Usage This command applies to physical and virtual Ethernet data interfaces, and
trunks. This command does not apply to the management interface.
Example The following commands assign the name "WLAN-interface" to an inter-

face and show the result:
ACOS(config)#interface ve 1
ACOS(config-if:ve1)#name WLAN-interface
ACOS(config-if:ve1)#show ip interfaces
Port IP Netmask PrimaryIP Name
----------------------------------------------------------------------------
mgm 192.168.20.136 255.255.255.0 Yes
ve1 192.168.217.1 255.255.255.0 Yes WLAN-interface
ve2 50.50.50.1 255.255.255.0 Yes
ospf
Description Configure OSPF on the interface.
Syntax [no] ospf [ipaddr] parameter
authentication
[message-digest
| null] Type of authentication used to validate OSPF
route updates sent or received on this interface:
message-digest – Message Digest 5
(MD5)
null – No authentication is used.

ospf
If you enter the authentication com-

mand without either of the options above, a
simple key is used for authentication.
authentication-
key key-string Password used by the interface to authenticate
link-state messages exchanged with neighbor
OSPF routers. Applies to simple authentication
only. Can be a string up to 8 characters long, with
no blanks.
cost number Numeric cost for using the interface, 1-65535.
dead-interval
seconds Number of seconds that neighbor OSPF routers
will wait for a new OSPF Hello packet from
ACOS before declaring this OSPF router (the
ACOS device) to be down, 1-65535 seconds.
hello-interval
seconds Number of seconds between transmission of
OSPF Hello packets on this interface, 1-65535
seconds.
priority number Eligibility of this OSPF router to be elected as
the designated router (DR) or backup designated
router (BDRs) for the routing domain, 0-255. 1 is
the lowest priority and 255 is the highest priority.
retransmit-
interval
seconds Number of seconds between retransmissions of
link-state advertisements (LSAs) to adjacent
routers for this interface, 3-65535 seconds.
transmit-delay
seconds Number of seconds it takes to transmit Link State
Update packets (route updates) on this interface,
1-65535 seconds. This amount is added to the
ages of LSAs sent in the updates.
Default The OSPF interface options have the following defaults:

• authentication – Not set
• authentication-key – Not set
• cost – By default, an interface’s cost is calculated based on the inter-

face’s bandwidth. If the auto-cost reference bandwidth is set to its
default value (100 Mbps), the default interface cost is 10.
• dead-interval – 40 seconds

snmp-server trap-source
• hello-interval – 10 seconds
• priority – 1
• retransmit-interval – 5 seconds
• transmit-delay – 1 second
Mode Interface
snmp-server trap-source
Description Specify a data interface to use as the source interface for SNMP traps.
Syntax [no] snmp-server trap-source
Default Management interface
Mode Interface
Usage Select a data interfaces from which to send SNMP traps. The interface can
be any of the following types:
• Ethernet
• VLAN / VE
• Loopback
When the ACOS device sends an SNMP trap from the specified data inter-
face, the “agent-address” in the SNMP trap is the data interface’s IP
address.
Details:
• This feature does not support IPv6.
• This feature supports SNMPv1 but not SNMPv2c or SNMPv3.
Example The following command attempts to set a loopback interface as the SNMP
trap source. However, the feature has already been enabled on Ethernet port
1, and only one interface can be enabled for SNMP traps, so this example
shows that the existing trap source will be overwritten with the new one:

speed
ACOS(config)#interface loopback 1
ACOS(config-if:loopback1)#snmp-server trap-source
The trap source already exists for interface eth1. Do you want to overwrite?
[yes/no]:yes
ACOS(config-if:loopback1)#
speed
Description Set the maximum speed on an Ethernet interface.
Syntax [no] speed {10 | 100 | 1000 | 10000 | auto}
10 10 Megabits per second (Mbs/sec)
100 100 Megabits per second (Mbs/sec)
1000 1 Gigabit per second (Gb/sec)
10000 10 Gigabits per second (Gbs/sec)
auto The interface speed is negotiated based on the
speed of the other end of the link.
Default auto
Mode Interface
Usage This command applies to the management interface and Ethernet data inter-
faces.
Example The following command changes the speed of Ethernet interface 6 to 10

Mbs/sec:
ACOS(config-if:ethernet6)#speed 10

speed

name
Config Commands: VLAN
The commands in this chapter configure parameters on individual VLANs.

To access this CLI level, enter the vlan vlan-id command from the global
Config level.

VLAN ID as follows: DeviceID/vlan-id, where DeviceID is the
device’s aVCS ID and vlan-id is the VLAN ID.
name
Description Assign a name to the VLAN.
Syntax [no] name string
string Name for the VLAN, 1-63 characters.
Default The default name for VLAN 1 is “DEFAULT VLAN”. For other VLANs, if
a name is not configured, “None” appears in place of the name.

router-interface
Mode VLAN
Example The following commands assign the name “Test100” to VLAN 100 and
show the result:
ACOS(config-vlan:100)#name Test100
ACOS(config-vlan:100)#show vlan
Total VLANs: 3
VLAN 1, Name [DEFAULT VLAN]:
Untagged Ports: 3 4 5 6 7 9 10
Tagged Ports: None
VLAN 100, Name [Test100]:

Untagged Ports: 1
Tagged Ports: None
Router Interface: ve 1
VLAN 200, Name [None]:

Untagged Ports: 2
Tagged Ports: None
Router Interface: ve 2
router-interface
Description Add a virtual Ethernet (VE) router interface to the VLAN. A VE is required
in order to configure an IP address on a VLAN.
Syntax [no] router-interface ve ve-num
ve-num VE number, 1-4094. The VE number must be the
same as the VLAN number.
Default By default, a VLAN does not have a VE.
Mode VLAN
Usage This command is valid only on ACOS devices deployed in route mode.
The VE interface on a VLAN must have the same number as the VLAN.
For example, in VLAN 69, the VE number also must be 69.

tagged
MAC Address Assignment

The MAC addresses used by the ACOS device’s physical Ethernet data
ports also are used for VEs. (See “system ve-mac-scheme” on page 245.)
Example The following command configures VE 4 on VLAN 4:

ACOS(config-vlan:4)#router-interface ve 4
tagged
Description Add tagged ports to a VLAN. A tagged port can be a member of more than
one VLAN. An untagged port can be a member of only a single VLAN.
Syntax [no] tagged

{
ethernet port-num
[ethernet port-num ... | to port-num] |
tagged trunk num [trunk num ... | to num]
}
Default A VLAN has no ports by default.
Mode VLAN
Introduced in Release 2.x.x
Usage A port can be a tagged member of a maximum of 128 VLANs.
Example The following command adds ports 4 and 5 to VLAN 4 as tagged ports:
ACOS(config-vlan:4)#tagged ethernet 4 to 5
untagged
Description Add untagged ports to a VLAN. An untagged port can be a member of only
a single VLAN.
Syntax [no] untagged

{
ethernet port-num
[ethernet port-num ... | to port-num] |
tagged trunk num [trunk num ... | to num]
}

untagged
Default VLAN 1 contains all ports by default. New VLANs do not contain any ports
by default.
Mode VLAN
Example The following command adds port 6 to VLAN 4 as an untagged port:

ACOS(config-vlan:4)#untagged ethernet 6

ip access-list
Config Commands: IP
The IP commands configure global IPv4 parameters.
page 54.
Note: To configure global IPv6 parameters, see “Config Commands: IPv6” on

page 383.
ip access-list
Description Configures an IPv4 access control list (ACL).
[no] ip access-list acl-name
acl-name Name of the IP ACL, 1-16 characters.
IPv4 ACL, where the following commands are available.

ip access-list
Match Option Description

ACL.
deny – For ACLs applied to interfaces or used
for management access, drops the traffic.
permit – For ACLs applied to interfaces or
used for management access, allows the traffic.
For ACLS used for IP source NAT, specifies the
inside host addresses to be translated into exter-
nal addresses.
l3-vlan-fwd-disable – Disables Layer 3
forwarding between VLANs for IP addresses that
match the ACL rule.
Note: If you are configuring an ACL for source NAT, use the permit action. For
ACLs used with source NAT, the deny action does not drop traffic, it sim-
ply does not use the denied addresses for NAT translations.
traffic-type Specifies the type of traffic on which to match:
icmp [type {type-option}
[code {any-code | code-num}]] –
Matches on ICMP traffic. (For information about
the type and code options, see “object-group ser-
vice” on page 200.)
ip – Matches on any type of IP traffic.
object-group group-name – Matches on
the values in the specified service object group.
(See “object-group service” on page 200.)
tcp – Matches on TCP traffic.
udp – Matches on UDP traffic.
source Specifies the source address(es) on which to
match:
addresses.
host host-src-ipaddr – The ACL
matches only on the specified host IP address.
net-src-ipaddr
{filter-mask | /mask-length} – The
ACL matches on any host in the specified subnet.

ip access-list

address to filter:
– Use 0 to match.
a 24-bit subnet: 0.0.0.255
object-group group-name – Matches on
the addresses in the specified network object
group. (See “object-group service” on page 200.)
eq src-port |
gt src-port |
lt src-port |
range start-
src-port
end-src-port For tcp or udp, the source protocol ports on
which to match.
the specified port.
the specified port.
destination Specifies the destination address(es) on which to
match. (The options are the same as those for
source address.)
CLI. To use blank spaces in the remark, enclose
the entire remark string in double quotes. The
ACL must already exist before you can configure
a remark for it. An ACL and its individual rules
can have multiple remarks.

ip access-list
more-options Specifies additional match criteria:

fragments – Matches on packets in which the
More bit in the header is set (1) or has a non-zero
offset.
vlan vlan-id – Matches on the specified
VLAN. VLAN matching occurs for incoming
traffic only.
dscp num – Matches on the 6-bit Diffserv
value in the IP header, 1-63.
established – Matches on TCP packets in
which the ACK or RST bit is not set. This option
is useful for protecting against attacks from out-
side. Since a TCP connection from the outside
does not have the ACK bit set (SYN only), the
connection is dropped. Similarly, a connection
established from the inside always has the ACK
bit set. (The first packet to the network from out-
side is a SYN/ACK.)
log [transparent-session-only] –
Configures the ACOS device to generate log
ACL rule.
Mode Configuration mode.
Usage The support for named IPv4 ACLs supplements the support for IPv4 ACLs
configured by ID. You can use a named IPv4 ACL in any place a standard
or extended IPv4 ACL is supported. In the CLI, use the name option in
front of the IPv4 ACL name.
Example The following commands configure a named, extended IPv4 ACL called
“Deny-Rules” to deny traffic sent from subnet 10.10.10.x to 10.10.20.5:80,
and apply the ACL to inbound traffic received on Ethernet interface 7:
ACOS(config)#ip access-list Deny-Rules
ACOS(config-ext-access-list:Deny-Rules)#deny tcp 10.10.10.0 0.0.0.255
10.10.20.5 /32 eq 80
ACOS(config-ext-access-list:Deny-Rules)#exit
ACOS(config-if:ethernet7)#access-list name Deny-Rules in

ip address
ip address
Description Configure the global IP address of the A10 Thunder Series and AX Series
device, when the device is deployed in transparent mode (Layer 2 mode).
Syntax [no] ip address ipaddr

[device DeviceID]
Default None.
Usage This command applies only when the A10 Thunder Series and AX Series
device is deployed in transparent mode. To assign IP addresses to individual
interfaces instead (gateway mode), use the ip address command at the
interface configuration level. (See “ip address” on page 295.)
If the ACOS device is a member of an aVCS virtual chassis, use the device
DeviceID option to specify the device ID to which to apply this command.
If you omit this option, the command is applied to the vMaster. If applica-
ble, the vMaster then applies the command to the other devices in the virtual
chassis.
However, if you have changed the device context of the management ses-
sion from the vMaster to another device, and you omit the device option,
the command is applied only to the other device (the one to which you set
the device context).
Loopback Interface Support for OSPF

If an IP address is configured on a loopback interface, and the address is in a
subnet that is also configured as an OSPF network subnet, the loopback
interface is automatically included in the OSPF subnet.
The ACOS device’s table of OSPF interfaces will include the loopback
interface. Likewise, the ACOS device will include the loopback interface in
link-state advertisements sent to neighbor OSPF routers.
Multiple OSPF Networks on the Same Interface Not Supported

The ACOS device does not support multiple OSPF networks on a data inter-
face. One OSPF network configuration can enable at most one network per
interface.
For example, assume a data port has 3 IP addresses configured that belong
to 3 separate subnets, S1, S2, and S3. If you configure network S4 with area

ip anomaly-drop
A.B.C.D, and S4 contains S1, S2, and S3, then only S1 will be running
OSPF. S2 and S3 will not be known to other OSPF routers.
To work around this limitation, enable OSPF redistribution of directly con-

nected routes so that OSPF will redistribute S2 and S3 via the network run-
ning on S1.
Example The following command configures global IP address 10.10.10.4/24:

ACOS(config)#ip address 10.10.10.4 /24
ip anomaly-drop
Description Enable protection against distributed denial-of-service (DDoS) attacks.
Syntax [no] ip anomaly-drop anomaly-type
anomaly-type Specifies the type of IP anomaly to protect
against:
bad-content [threshold] – Checks for
invalid HTTP or SSL payloads in new HTTP or
HTTPS connection requests from clients. (For
more information, see “IP Anomaly Filters Used
for System-Wide Policy-Based SLB” in the
“Usage” section below.)
drop-all – Enables all the DDoS protection
options listed below.
frag – Drops all IP fragments, which can be
used to attack hosts running IP stacks that have
known vulnerabilities in their fragment reassem-
bly code.
ip-option – Drops all packets that contain
any IP options.
land-attack – Drops spoofed SYN packets
containing the same IP address as the source and
destination, which can be used to launch an “IP
land attack”.
out-of-sequence [threshold] –
Checks for out-of-sequence packets in new
HTTP or HTTPS connection requests from cli-
ents. (For more information, see “IP Anomaly

ip anomaly-drop
Filters Used for System-Wide Policy-Based

SLB” in the “Usage” section below.)
ping-of-death – Drops all jumbo IP packets
longer than the maximum valid IP packet size
(65535 bytes), known as “ping of death” packets.
Note: On AX models AX 2200, AX 2200-11, AX 3100, AX 3200, AX 3200-11,

AX 3200-12, AX 3400, AX 5100, AX 5200, AX 5200-11, and AX 5630,
the ping-of-death option drops IP packets longer than 65535 bytes. On
other models, the option drops all IP packets longer than 32000 bytes.
tcp-no-flag – Drops all TCP packets that do
not have any TCP flags set.
tcp-syn-fin – Drops all TCP packets in
which both the SYN and FIN flags are set.
tcp-syn-frag – Drops incomplete (frag-
mented) TCP Syn packets, which can be used to
launch TCP Syn flood attacks.
zero-window [threshold] – Checks for
a zero-length TCP window in new HTTP or
HTTPS connection requests from clients. (For
more information, see “IP Anomaly Filters Used
for System-Wide Policy-Based SLB” in the
“Usage” section below.)
Default All IP anomaly drop options are disabled by default.
Usage All filters are supported for IPv4. All filters except ip-option are supported
for IPv6.
DDoS protection applies only to Layer 3, Layer 4, and Layer 7 traffic.

Layer 2 traffic is not affected by the feature.
IP Anomaly Filters Used for System-Wide Policy-Based SLB

The bad-content, out-of-sequence, and zero-window filters apply only to
system-wide Policy-Based SLB (PBSLB).
Filtering for these anomalies is disabled by default. However, if you config-

ure a system-wide PBSLB policy, the filters are automatically enabled. You
also can configure the filters on an individual basis.
Each of these filters has a configurable threshold. The threshold specifies
the number of times the anomaly is allowed to occur in a client’s connection

ip as-path
requests. If a client exceeds the threshold, the ACOS device applies the sys-
tem-wide PBSLB policy’s over-limit action to the client.
For each of the new IP anomaly filters, the threshold can be set to 1-127
occurrences of the anomaly. The default is 10.
Note: The thresholds are not tracked by PBSLB policies bound to individual
virtual ports.
The ACOS device tracks each of these types of anomaly for each client in
each black/white list. For dynamic black/white-list clients, the statistics
counters for these anomalies are reset to 0 when the client’s dynamic entry
ages out.
Example The following command enables DDoS protection against ping-of-death

attacks:
ACOS(config)#ip anomaly-drop ping-of-death
ip as-path
Description Configure an AS-path list for BGP.
Syntax [no] ip as-path access-list

regular-expression {deny | permit}
regular-
expression Access list name.
deny | permit Action to perform on matching entries.
Default None

ip community-list
ip community-list
Description Specify BGP community attributes.
Syntax [no] ip community-list num

{deny | permit}
[community-number]
[local-AS]
[no-advertise]
[no-export]
Syntax [no] ip community-list {expanded | standard}

list-name
{deny | permit}
[community-number]
[local-AS]
[no-advertise]
[no-export]
num List number.
{expanded |
standard}
list-name List type and name.
deny | permit Action to perform for matching communities.
community-
number Community number.
local-AS Advertises routes only within the local Autono-
mous System (AS), not to external BGP peers.
no-advertise Does not advertise routes.
no-export Does not advertise routes outside the AS bound-
ary.
Default None

ip default-gateway
ip default-gateway
Description Specify the default gateway to use to reach other subnets, when the A10
Thunder Series and AX Series device is deployed in transparent mode
(Layer 2 mode).
Syntax [no] ip default-gateway ipaddr

[device DeviceID]
Default None.
device is used in transparent mode. If you instead want to use the device in
gateway mode (Layer 3 mode), configure routing.
To configure the default gateway for the out-of-band management interface,

use the interface management command to go to the configuration level
for the interface, then enter the ip default-gateway command. (See “ip
default-gateway (management interface only)” on page 299.)
If the ACOS device is a member of an aVCS virtual chassis, use the device
DeviceID option to specify the device ID to which to apply this command.
If you omit this option, the command is applied to the vMaster. If applica-
ble, the vMaster then applies the command to the other devices in the virtual
chassis.
Example The following command configures an A10 Thunder Series and AX Series
device deployed in transparent mode to use router 10.10.10.1 as the default
gateway for data traffic:
ACOS(config)#ip default-gateway 10.10.10.1

ip dns
ip dns
Description Configure DNS servers and the default domain name (DNS suffix) for host-
names on the ACOS device.
Syntax [no] ip dns {primary | secondary} ipaddr

[no] ip dns suffix string
Default None
Usage This command applies to transparent mode and gateway mode.
Example The following command sets primary DNS server 20.20.20.5:

ACOS(config)#ip dns primary 20.20.20.5
ip extcommunity-list
Description Configure an extended community list for BGP.
Syntax [no] ip community-list num

{deny | permit}
{rt | soo {AS-num:nn | ipaddr:nn}}
Syntax [no] ip community-list

{expanded | standard} list-name
{deny | permit}
{rt | soo {AS-num:nn | ipaddr:nn}}
num List number.
{expanded |
standard}
list-name List type and name.
deny | permit Action to perform for matching communities.
rt | soo
{AS-num:nn |
ipaddr:nn} Community type and ID:
rt – Route-target extended community.
soo – Site-of-origin extended community.

ip frag buff
Default None
ip frag buff
Description Maximum buffer size used for fragmentation.
Syntax [no] ip frag buff num
num Specifies the maximum number of buffers the
ACOS device will allow for fragmentation ses-
sions. You can specify 10000-3000000 (3 mil-
lion). The specified maximum applies to both
IPv4 and IPv6.
Default The default range on 64-bit ACOS models is 5% of total buffers
ip frag max-reassembly-sessions
Description Configure the IP fragment queue size.
Syntax [no] ip frag max-reassembly-sessions num
num specifies the maximum number of simultaneous
fragmentation sessions the ACOS device will
allow. You can specify 1-200000. The specified
maximum applies to both IPv4 and IPv6.
Default 100000

ip frag timeout
ip frag timeout
Description Configure the timeout for IP packet fragments.
Syntax [no] ip frag timeout ms
ms Specifies the number of milliseconds (ms) the
ACOS device buffers fragments for fragmented
IP packets. If any fragments of an IP packet do
not arrive within the specified time, the frag-
ments are discarded and the packet is not re-
assembled. You can specify 4-16000 ms (16 sec-
onds), in 10-ms increments.
Default 1000 ms (1 second)
ip icmp disable
Description Disable ICMP messages.
Syntax [no] ip icmp disable {redirect | unreachable}
redirect Disables sending of ICMP Redirect messages.
unreachable Disables sending of ICMP Destination Unreach-
able messages.
Default Both types of ICMP messages are enabled.
Usage The following command disables sending of IPv4 ICMP Redirect mes-
sages:
ACOS(config)#ip icmp disable redirect

ip map-list
ip map-list
Description Configure an IP mapping entry for 1-to-1 NAT.
Syntax ip map-list map-name [file]
map-name
Name of the IP map, up to 63 characters long.
[file]
Saves the IP map to a standalone file on the
ACOS device.
This command changes the CLI to the configuration level for the IP map,
where the following command is are available.
Command Description
from-addr
to-addr
Specifies the beginning client address and begin-
ning NAT address of the mapping entry.
count num
Number of mappings to create.
Default Not set
Example The following commands configure an IP map:

ACOS(config)#ip map-list IPmap1
ACOS(config-ip map)#10.1.1.1 192.168.20.1 count 100

ip mgmt-traffic
ip mgmt-traffic
Description Allows a loopback interface IP address to be used as the source interface for
management traffic originated by the ACOS device.
Syntax {all | ftp | ntp | rcp | snmp | ssh | syslog |

telnet | tftp | web}
source-interface loopback num
To apply the command only to a specific type of traffic (SNMP, NTP, and so
on), use the option for that traffic type. To apply the command to all man-
agement traffic types, use the all option.
Default Not set
Usage Notes:
• Loopback interface IP address – The loopback interface you specify
when configuring this feature must have an IP address configured on it.
Otherwise, this feature does not take effect.
• Management interface – If use of the management interface as the
source for management traffic is also enabled, the loopback interface
takes precedence over the management interface. The loopback inter-
face’s IP address will be used instead of the management interface’s IP
address as the source for the management traffic.
Likewise, the use-mgmt-port option has no effect.
• Ping traffic – Configuration for use of a loopback interface as the source
for management traffic does not apply to ping traffic. By default, ping
packets are sourced from the best interface based on the AX route table.
You can override the default interface selection by specifying a loop-
back or other type of interface as part of the ping command.
• Layer 2/3 Virtualization – This feature is supported only for loopback
interfaces that belong to the shared partition. When this feature is con-
figured, management traffic initiated from a private partition will use the
IP address of the specified loopback interface as the source address, and
will use the shared partition’s data routing table to select the outbound
interface.

ip nat alg pptp
Limitations
The current release has the following limitations related to this feature:
• Floating loopback interfaces are not supported.
• IPv6 interfaces are not supported.
• aVCS is not supported.
Example The following commands configure an IP address on loopback interface 2:

ACOS(config)#interface loopback 2
ACOS(config-if:loopback2)#ip address 10.10.10.66 /24
ACOS(config-if:loopback2)#exit
Example The following command configures the ACOS device to use loopback inter-
face 2 as the source interface for management traffic of all types listed
above:
ACOS(config)#ip mgmt-traffic all loopback 2
ip nat alg pptp

Description Disable or re-enable NAT Application-Layer Gateway (ALG) support for
the Point-to-Point Tunneling Protocol (PPTP). This feature enables clients
and servers to exchange Point-to-Point (PPP) traffic through the ACOS
device over a Generic Routing Encapsulation (GRE) tunnel. PPTP is used to
connect Microsoft Virtual Private Network (VPN) clients and VPN hosts.
Syntax ip nat alg pptp {enable | disable}
Default Enabled
Usage NAT ALG for PPTP has additional configuration requirements. For infor-
mation, see the “NAT ALG Support for PPTP” section in the “Network
Address Translation” chapter of the Application Delivery and Server Load
Balancing Guide.

ip nat allow-static-host
ip nat allow-static-host
Description Enable static Network Address Translation (NAT).
Syntax [no] ip nat allow-static-host
Default Disabled
Usage This command is required only if you configure individual static source
mappings, using the ip nat inside source static command. If you configure
a static range list instead, you do not need the ip nat allow-static-host com-
mand.
Example The following command enables static NAT support:

ACOS(config)#ip nat allow-static-host
ip nat inside
Description Configure inside Network Address Translation (NAT).
Syntax [no] ip nat inside source

{
class-list name |
list acl-name pool pool-or-group-name
[msl seconds] |
static inside-ipaddr nat-ipaddr
[ha-group-id group-id]
[vrid {num | default}]
}
class-list name Specifies a class list. Entries in the class list map
internal IP addresses to IP NAT pools.
list acl-name Specifies an Access Control List (ACL) that
matches on the inside addresses to be translated.
(To configure the ACL, see “access-list (stan-
dard)” on page 89 or “access-list (extended)” on
page 92.)

ip nat inside
pool pool-or-
group-name
[msl seconds] Dynamically assigns addresses from a range
defined in a pool or pool group.
The msl seconds option sets the TCP Maximum
Segment Life (MSL) for source-NAT connec-
tions that use the specified pool or pool group.
This option is useful for NAT connections to
devices with older TCP/IP stacks, where the
MSL is up to 2 minutes, resulting in a wait of up
to 240 seconds (4 minutes) after a FIN before the
endpoint can enter a new connection. You can set
the MSL to 1-1800 seconds.
static
inside-ipaddr
nat-ipaddr Statically maps the specified inside address to a
specific NAT address.
vrid {num |
default} VRRP-A VRID. In the shared partition, you can
specify 1-31 or default. In private partitions, you
can specify default.
Note: You can use the vrid option or the ha-group-id option.
ha-group-id
group-id HA group ID, 1-31.
Default None
Usage In deployments that use the older implementation of HA, the number of pro-
tocol ports available per NAT pool address is half the number of ports that
are available in non-HA deployments. This is because one half of the ports
is dedicated to the active ACOS device, while the other half of the ports is
dedicated to the standby ACOS device. This limitation does not apply to
VRRP-A. If you use VRRP-A, all the ports are available.
For static NAT mappings, the following limitations apply:

• Application Layer Gateway (ALG) services other than FTP are not sup-
ported when the server is on the inside.
• HA session synchronization is not supported. However, sessions will
not be interrupted by HA failovers.
• Syn-cookies are not supported.

ip nat pool
• The ACOS device can run VRRP-A (vrid option) or HA (ha-group-id)

but not both. If you plan to use a standby ACOS device to back up the
static mapping, configure only one of these options.
Example The following command configures static inside NAT translation of

10.10.10.55 to 192.168.20.44:
ACOS(config)#ip nat inside source static 10.10.10.55 192.168.20.44
ip nat pool
Description Configure a named set of IP addresses for use by NAT.
Syntax [no] ip nat pool pool-name

start-ipaddr end-ipaddr
netmask {subnet-mask | /mask-length}
[gateway ipaddr]
[ha-group-id group-id [ha-use-all-ports]]
[ip-rr]
pool-name Name of the address pool.
start-ipaddr Beginning (lowest) IP address in the range.
end-ipaddr Ending (highest) IP address in the range.
netmask
{subnet-mask |
/mask-length} Network mask for the IP addresses in the pool.
gateway ipaddr Default gateway to use for NATted traffic.
vrid {num |
ha-group-id
group-id
[ha-use-all-
ports] HA group ID, 1-31.
The ha-use-all-ports option disables division of
the pool’s ports between ACOS devices. Without
this option, the ACOS device automatically allo-
cates half of each pool address’s ports to one of

ip nat pool
the ACOS devices and allocates the other half of

the ports to the other ACOS device. (See
“Usage” below.)
Note: It is recommended to use the ha-use-all-ports option only for DNS vir-
tual ports. Using this option with other virtual port types is not valid.
ip-rr Uses pool IP addresses in round robin fashion.
Without this option, the ACOS device creates
NAT translations by using all the protocol ports
of the first IP address in the pool, then using all
the ports of the next IP address, and so on.
Default None.
Usage The pool can be used by other ip nat commands. The IP addresses must be
IPv4 addresses. To configure a pool of IPv6 addresses, see “ipv6 nat pool”
on page 390.
To enable inside or outside NAT on interfaces, see “ip nat” on page 304.
In deployments that use the older implementation of HA, the number of pro-
tocol ports available per NAT pool address is half the number of ports that
are available in non-HA deployments. This is because one half of the ports
is dedicated to the active ACOS device, while the other half of the ports is
dedicated to the standby ACOS device. This limitation does not apply to
VRRP-A. If you use VRRP-A, all the ports are available.
When you use the gateway option, the gateway you specify is used as fol-
lows:
• For forward traffic (traffic from a client to a server), the NAT gateway is
used if the source NAT address (the address from the pool) and the
server address are not in the same IP subnet.
• On reverse traffic (reply traffic from a server to a client), the NAT gate-
way is used if all the following conditions are true:
• The session is using translated addresses (is source NATted).
• The source protocol port is in the source NAT subnet.
• The destination is not in the source NAT subnet.
For conditions under which the NAT gateway is needed, if no NAT gateway
is configured, the ACOS device uses the default gateway configured for the
ACOS device’s other traffic instead.

ip nat pool-group
High Availability Protocol – VRRP-A or HA

The ACOS device can run VRRP-A (vrid option) or HA (ha-group-id) but
not both. If you plan to use a standby ACOS device to back up the pool,
configure only one of these options.
Port Allocation Between AX Devices in High Availability Deploy-

ments (ha-use-all-ports option)
By default, when you assign an IP NAT pool to an HA group, the ACOS
device automatically allocates half of each pool address’s ports to one of the
ACOS devices and allocates the other half of the ports to the other ACOS
device.
This automatic allocation is used to prevent simultaneous use of the same

port number by both ACOS devices. For example, without this protection, it
would be possible for the same IP address and protocol port number to be in
use on both ACOS devices in an Active-Active configuration.
However, this protection also requires the pool to be configured with more
addresses than will actually be needed.
In some cases, there is no benefit to dividing the pool’s ports between the
ACOS devices. In particular, there is no benefit for DNS virtual ports. DNS
sessions are very short-lived and are never synchronized between the ACOS
devices. For this reason, there is no risk that the same NAT port will be in
use on more than one session at the same time. You can use the ha-use-all-
ports option to disable division of the ports between ACOS devices.
Note: It is recommended to use the ha-use-all-ports option only for DNS vir-
tual ports. Using this option with other virtual port types is not valid.
Example The following command configures an IP address pool named “pool1” that
contains addresses from 30.30.30.1 to 30.30.30.254:
ACOS(config)#ip nat pool pool1 30.30.30.1 30.30.30.254 netmask /24
ip nat pool-group
Description Configure a set of IP pools for use by NAT. Pool groups enable you to use
non-contiguous IP address ranges, by combining multiple IP address pools.
Syntax [no] ip nat pool-group pool-group-name

pool-group-name Name of the pool group.

ip nat pool-group
ha-group-id
pool group, where the following command is available.
member
pool-name Name of a configured IP address pool.
Default None.
Usage To use a non-contiguous range of addresses, configure a separate pool for

each contiguous portion of the range, then configure a pool group that con-
tains the pools.
The addresses within an individual pool still must be contiguous, but you
can have gaps between the ending address in one pool and the starting
address in another pool. You also can use pools that are in different subnets.
For Large-Scale NAT (LSN), a pool group can contain up to 25 pools. For
other types of NAT, a pool group can contain up to 5 pools. Pool group
members must belong to the same protocol family (IPv4 or IPv6) and must
use the same HA ID. A pool can be a member of multiple pool groups.
If a pool group contains pools in different subnets, the ACOS device selects
the pool that matches the outbound subnet. For example, of there are two
routes to a given destination, in different subnets, and the pool group has a
pool for one of those subnets, the AX selects the pool that is in the subnet
for the outbound route.
The ACOS device selects the pool whose addresses are in the same subnet
as the next-hop interface used by the data route table to reach the server.
Example The following commands create a pool group containing 3 pools:

ACOS(config)#ip nat pool-group group1
ACOS(config-pool-group)member pool1

ip nat range-list
ip nat range-list
Description Configure a range of IP addresses to use with static NAT.
Syntax [no] ip nat range-list list-name

local-ipaddr /mask-length
global-ipaddr /mask-length
count number
list-name Name of the static NAT address range.
local-ipaddr
/mask-length Beginning (lowest) IP address in the range of
local addresses.
global-ipaddr
/mask-length Beginning (lowest) IP address in the range of
global addresses.
count number Number of addresses to be translated, 1-200000.
The range contains a contiguous block of the
number of addresses you specify.
The block of local addresses starts with the
address you specify for local-ipaddr. Likewise,
the block of global addresses begins with the
address you specify for global-ipaddr.
vrid {num |
ha-group-id
group-id HA group ID, 1-31. Specifying the HA group ID
allows a newly Active ACOS device to properly
continue management of NATted IP resources
following a failover.
Default None.

ip nat reset-idle-tcp-conn
Usage You can configure up to 2000 ranges. You can specify IPv4 or IPv6
addresses within a range.
The ACOS device can run VRRP-A (vrid option) or HA (ha-group-id) but
not both. If you plan to use a standby ACOS device to back up range list
mappings, configure only one of these options.
Example The following command configures an IP address range named “nat-list-1”

that maps up to 100 local addresses starting from 10.10.10.97 to Internet
addresses starting from 192.168.22.50:
ACOS(config)#ip nat range-list nat-list-1 10.10.10.97 /16 192.168.22.50 /
16 count 100
ip nat reset-idle-tcp-conn
Description Enable client and server TCP Resets for NATted TCP sessions that become
idle.
Syntax [no] ip nat reset-idle-tcp-conn
Default Disabled.
ip nat translation
Description Configure NAT timers.
Syntax [no] ip nat translation

{
icmp-timeout {seconds | fast} |
service-timeout {seconds | fast} |
syn-timeout seconds |
tcp-timeout seconds |
udp-timeout seconds
}
icmp-timeout
seconds | fast Specifies the minimum number of seconds NAT-
ted ICMP sessions can remain idle before being
terminated. You can specify 60-15000 seconds,
or fast. The fast option terminates the session as
soon as a response is received.

ip nat translation
service-timeout
seconds | fast Specifies the minimum number of seconds NAT-
ted sessions on a specific protocol port can
remain idle before being terminated. The timeout
set for an individual protocol port overrides the
global TCP or UDP timeout for NATted sessions.
You can specify 60-15000 seconds, or fast. The
fast option terminates the session as soon as a
response is received.
syn-timeout
seconds Timeout after a SYN. You can specify 60-300
seconds, in intervals of 60 seconds.
tcp-timeout
seconds Timeout for TCP sessions that are not ended nor-
mally by a FIN or RST. You can specify a value
in either of the following ranges:
2-31 seconds - The timeout takes place very rap-
idly, as close to the configured timeout as possi-
ble.
32-12000 seconds - The timeout value must be
divisible by 60, and can be a minimum of 1 min-
ute. If the timeout is set to a value in the range
32-59, the timeout value is rounded up to 60. Val-
ues in the range 61-11999 are rounded down to
the nearest multiple of 60.
udp-timeout
seconds The supported values and timer behavior for
UDP sessions are the same as those for tcp-time-
out (described above).
Default The NAT timers have the following defaults:

• icmp-timeout – fast
• service-timeout – Not set. For all service ports except UDP 53, the tcp-
timeout or udp-timeout setting is used. For UDP port 53, the SLB MSL
time is used.
• syn-timeout – 120 seconds
• tcp-timeout – 300 seconds
• udp-timeout – 300 seconds

ip prefix-list
Usage The timeout value you specify is the minimum number of seconds the ses-
sion can remain idle. It takes up to 60 seconds following expiration of the
configured timeout value for the session to be removed.
Example The following command changes the SYN timeout to 120 seconds:
ACOS(config)#ip nat translation syn-timeout 120
ip prefix-list
Description Configure an IP prefix list.
Syntax [no] prefix-list {name | sequence-num}

[seq sequence-num]
{deny | permit}
{any | ipaddr/mask-length}
[ge prefix-length] [le prefix-length]
name |
sequence-num Name or sequence number of the IP prefix-list
rule. The name can not contain blanks. The
sequence number can be 1-4294967295.
seq sequence-
num Changes the sequence number of the IP prefix-
list rule. The sequence number can be
1-4294967295.
deny | permit Action to take for IP addresses that match the
prefix list.
any | ipaddr
/mask-length IP address and number of mask bits, from left to
right, on which to match. If you omit the ge and
le options (described below), the mask-length is
also the subnet mask on which to match.
ge prefix-
length Specifies a range of prefix lengths on which to
match. Any prefix length equal to or greater than
the one specified will match. For example, ge 25
will match on any of the following mask lengths:
/25, /26, /27, /28, /29, /30, /31, or /32.
le prefix-
length Specifies a range of prefix lengths on which to
match. Any prefix length less than or equal to the
one specified will match. The lowest prefix

ip prefix-list
length in the range is the prefix specified with the

IP address. For example, 192.168.1.0/24 le 28
will match on any of the following mask lengths:
/24, /25, /26, /27, or /28.
Default N/A
Usage You can use IP prefix lists to provide input to the OSPFv2 command “area
area-id filter-list” on page 441.
How Matching Occurs

Matching begins with the lowest numbered IP prefix-list rule and continues
until the first match is found. The action in the first matching rule is applied
to the IP address. For example, if the IP prefix list contains the following
two rules, rule 5 is used for IP address 192.168.1.9, even though the address
also matches rule 10.
ip prefix-list 5 permit any
ip prefix-list 10 deny 192.168.1.0/24
The ge prefix-length and le prefix-length options enable you to specify a

range of mask lengths on which to match. If you do not use either option,
the mask-length in the address (/24 in the example above) specifies both the
following:
• Number of bits to match, from left to right
• Mask length on which to match
If you use one or both of the ge or le options, the mask-length specifies only
the number of bits to match. The ge or le option specifies the mask length(s)
on which to match.
The following rule matches on any address whose first octet is 10 and
whose mask-length is 8:
ip prefix-list match_on_8bit_mask_only permit 10.0.0.0/8
IP address 10.10.10.10/8 would match this rule but 10.10.10.10/24 would

not.
The following rule uses the le option to extend the range of mask lengths
that match:
ip prefix-list match_on_24bit_mask_or_less permit 10.0.0.0/8 le 24

ip prefix-list list-id description
This rule matches on any address that has 10 in the first octet, and whose
mask length is 24 bits or less. IP addresses 10.10.10.10/8 and 10.10.10.10/
24 would both match this rule.
The following rule permits any address from any network that has a mask
16-24 bits long.
ip prefix-list match_any_on_16-24bit_mask permit 0.0.0.0/0 ge 16 le 24
Implied Deny any Rule

The IP prefix list has an implied deny any rule at the end. This rule is not
visible and can not be changed or deleted. If an IP address does not match
any of the rules in the IP prefix list, the ACOS device uses the implied deny
any rule to deny the address.
Sequence Numbering
As described above, the sequence of rules in the IP prefix list can affect
whether a given address matches a permit rule or a deny rule.
When you configure the first IP prefix-list rule, the ACOS device assigns
sequence number 5 to the rule by default. After that, the sequence number
for each new rule is incremented by 5. If you explicitly set the sequence
number of a rule, subsequent rules are still sequenced in increasing incre-
ments of 5. For example, if you set the sequence number of the first rule to
7, the next rule is 12 by default.
You can explicitly set the sequence number of a rule when you configure the
rule. You also can change the sequence number of a rule that is already con-
figured.
ip prefix-list list-id description

Description Add a description to an IP prefix list.
Syntax [no] prefix-list {name | sequence-num}

description string
name |
sequence-num Name or sequence number of the IP prefix-list
rule.
description
string Description of the IP prefix list. The string can be
up to 80 characters, and can contain blanks. Quo-
tation marks are not required.

ip prefix-list sequence-number
Default None
Usage The description is placed above the rule it describes. (See the CLI example.)
Example The following commands add descriptions to some IP prefix-list rule and
display the results:
ACOS(config)#ip prefix-list aaa description Here is a string to describe the
rule.
ACOS(config)#ip prefix-list ccc description And here is a string to describe
this rule.
ACOS(config)#show running-config | section ip prefix-list
ip prefix-list aaa description Here is a string to describe the rule.
ip prefix-list aaa seq 5 permit any
ip prefix-list bbb seq 10 permit 192.168.1.0/24
ip prefix-list ccc description And here is a string to describe this rule.
ip prefix-list ccc seq 15 deny 10.10.10.0/8 le 24
ip prefix-list sequence-number
Description Enable or disable display of the sequence numbers of IP prefix-list rules.
Syntax [no] prefix-list sequence-number
Default Enabled
Usage When this option is enabled, the sequence numbers are displayed in the run-
ning-config. After you save the configuration, the sequence numbers also
are displayed in the startup-config.
Example The following commands configure some IP prefix-list rules, then display
them in the running-config. Display of sequence numbers is enabled.
ACOS(config)#ip prefix-list aaa deny 10.10.10.0/8 le 24
ACOS(config)#ip prefix-list bbb permit 192.168.1.0/24
ACOS(config)#ip prefix-list ccc permit any
ip prefix-list aaa seq 5 permit any
ip prefix-list bbb seq 10 permit 192.168.1.0/24
ip prefix-list ccc seq 15 deny 10.10.10.0/8 le 24

ip route
Example The following commands disable display of sequence numbers, then re-dis-
play the IP prefix-list rules:
ACOS(config)#no ip prefix-list sequence-number
ip prefix-list aaa deny 10.10.10.0/8 le 24
ip prefix-list bbb permit 192.168.1.0/24
ip prefix-list ccc permit any
ip route
Description Configure a static IP route.
Syntax [no] ip route destination-ipaddr

next-hop-ipaddr
[distance]
[cpu-process]
[device DeviceID]
destination-
ipaddr
{subnet-mask |
/mask-length} Specifies the destination of the route. To config-
ure a default route, specify 0.0.0.0/0.
next-hop-ipaddr Specifies the next-hop router to use to reach the
route destination. The address must be in the
same subnet as the A10 Thunder Series and AX
Series device.
distance Distance value for the route, 1-255.
cpu-process Sends traffic that uses this route to the CPU for
processing. This option is applicable only to AX
models AX 2200, AX 2200-11, AX 3100,
AX 3200, AX 3200-11, AX 3200-12, AX 3400,
AX 5100, AX 5200, AX 5200-11, and AX 5630.
device
sis.

ip tcp syn-cookie threshold

Default There are no static routes configured by default.
Usage If a destination can be reached by an explicit route (a route that is not a

default route), then the explicit route is used. If an explicit route is not avail-
able to reach a given destination, the default route is used (if a default route
is configured).
Example The following command configures a default route using gateway

10.10.10.1 and the default metric:
ACOS(config)#ip route 0.0.0.0/0 10.10.10.1

Description Modify the threshold for TCP handshake completion. The TCP handshake
threshold is applicable when SYN cookies are active.
Syntax [no] ip tcp syn-cookie threshold seconds
seconds Specifies the number of seconds allowed for a
TCP handshake to be completed. If the hand-
shake is not completed within the allowed time,
the ACOS device drops the session. You can
Default 4 seconds
Usage The TCP handshake threshold is applicable only when hardware-based

SYN cookies are active. To enable support for hardware-based SYN cook-
ies, see “syn-cookie” on page 232.
Example The following command changes the TCP TCP handshake threshold to 15
seconds:
ACOS(config)#ip tcp syn-cookie threshold 15


Config Commands: IPv6
The IPv6 commands configure global IPv6 parameters.
page 54.
Note: To configure global IPv4 parameters, see “Config Commands: IP” on

page 351.

ipv6 access-list
ipv6 access-list
Description Configure an extended IPv6 ACL.
Syntax [no] ipv6 access-list name
This command changes the CLI to the configuration level for the ACL,
where the following ACL-related commands are available.
Syntax [no] [seq-num] {permit | deny} {ipv6 | icmp}
{any | host host-src-ipv6addr |

net-src-ipv6addr /mask-length}
{any | host host-dst-ipv6addr |

net-dst-ipv6addr /mask-length}
or
Syntax [no] {permit | deny} {tcp | udp}
{any | host host-src-ipv6addr |

net-src-ipv6addr /mask-length}
[eq src-port | gt src-port | lt src-port |
range start-src-port end-src-port]
{any | host host-dst-ipv6addr |

net-dst-ipv6addr /mask-length}
[eq dst-port | gt dst-port | lt dst-port |
range start-dst-port end-dst-port]

[established]
ACL.

ipv6 access-list
deny – Drops the traffic.
permit – Allows the traffic.
ipv6 | icmp Filters on IPv6 or ICMP packets.
tcp | udp Filters on TCP or UDP packets. The tcp and udp
options enable you to filter on protocol port num-
bers.
any |
host host-src-
ipv6addr |
net-src-
ipv6addr /
prefix-length Source IP address(es) to filter.
addresses.
host host-src-ipv6addr – The ACL
matches only on the specified host IPv6 address.
net-src-ipv6addr /prefix-length –
The ACL matches on any host in the specified
subnet. The prefix-length specifies the portion of
the address to filter.
eq src-port |
gt src-port |
lt src-port |
range start-
src-port
end-src-port For tcp or udp, the source protocol ports to filter.
the specified port.
the specified port.

ipv6 access-list
any |
host host-dst-
ipv6addr |
net-dst-
ipv6addr /mask-
length Destination IP address(es) to filter.
eq dst-port |
gt dst-port |
lt dst-port |
range start-
dst-port
end-dst-port For tcp or udp, the destination protocol ports to
filter.
fragments Matches on packets in which the More bit in the
header is set (1) or has a non-zero offset.
vlan vlan-id Matches on the specified VLAN. VLAN match-
ing occurs for incoming traffic only.
dscp num Matches on the 6-bit Diffserv value in the IP
header, 1-63.
established Matches on TCP packets in which the ACK or
RST bit is not set. This option is useful for pro-
tecting against attacks from outside. Since a TCP
connection from the outside does not have the
ACK bit set (SYN only), the connection is
dropped. Similarly, a connection established
from the inside always has the ACK bit set. (The
first packet to the network from outside is a
SYN/ACK.)
log
[transparent-
ACL rule.
Syntax [no] remark string
The remark command adds a remark to the ACL. The remark appears at
the top of the ACL when you display it in the CLI. The string can be 1-63
characters. To use blank spaces in the remark, enclose the entire remark
string in double quotes.

ipv6 address
Default None
ipv6 address
Description Configure the global IPv6 address of the A10 Thunder Series and AX Series
device, when the device is deployed in transparent mode (Layer 2 mode).
Syntax [no] ipv6 address ipv6-addr/prefix-length

[device DeviceID]
ipv6-addr Valid unicast IPv6 address.
prefix-length Prefix length, up to 128.
link-local Configures the address as the link-local IPv6
address for the interface, instead of a global
address. Without this option, the address is a
global address.
any-cast Configures the address as an anycast address. An
anycast address can be assigned to more than one
interface. A packet sent to an anycast address is
routed to the “nearest” interface with that
address, based on the distance in the routing pro-
tocol.
device
sis.
Default N/A

ipv6 default-gateway
device is deployed in transparent mode. To assign IPv6 addresses to individ-
ual interfaces instead (gateway mode), use the ipv6 address command at
the interface configuration level. (See “ipv6 address” on page 312.)
Example The following command configures global IPv6 address

2001:db8::1521:31ab/32:
ACOS(config)#ipv6 address 2001:db8::1521:31ab/32
ipv6 default-gateway
Description Specify the default gateway to use to reach other IPv6 networks, when the
A10 Thunder Series and AX Series device is used in transparent mode
(Layer 2 mode).
Syntax [no] ipv6 default-gateway ipv6-addr

[device DeviceID]
ipv6-addr IPv6 address of the next-hop gateway.
device
sis.
Default N/A
device is used in transparent mode. If you instead want to use the device in
gateway mode (Layer 3 mode), configure routing.

ipv6 frag timeout
Example The following command configures default IPv6 gateway

2001:db8::1521:31ac:
ACOS(config)#ipv6 default-gateway 2001:db8::1521:31ac
ipv6 frag timeout

Description Configure the timeout for IPv6 packet fragments.
Syntax [no] ipv6 frag timeout ms
ms Specifies the number of milliseconds (ms) the
ACOS device buffers fragments for fragmented
IPv6 packets. If any fragments of an IPv6 packet
do not arrive within the specified time, the frag-
ments are discarded and the packet is not re-
assembled. You can specify 4-16000 ms (16 sec-
onds), in 10-ms increments.
Default 1000 ms (1 second)
ipv6 icmpv6 disable

Description Disable ICMPv6 messages.
Syntax [no] ipv6 icmpv6 disable {redirect | unreachable}
redirect Disables sending of ICMPv6 Redirect messages.
unreachable Disables sending of ICMPv6 Destination
Unreachable messages.
Default Both types of ICMP messages are enabled.
Usage The following command disables sending of IPv6 ICMP Destination

Unreachable messages:
ACOS(config)#ipv6 icmpv6 disable unreachable

ipv6 nat inside source list
ipv6 nat inside source list

Description Inside configuration for IPv6 NAT.
Syntax [no] ipv6 nat inside source list list-name pool

pool-name
list-name Name of the source list.
Default Please contact A10 Networks.
ipv6 nat pool

Description Configure a named set of IPv6 addresses for use by Network Address
Translation (NAT).
Syntax [no] ipv6 nat pool pool-name

start-ipv6-addr end-ipv6-addr
netmask mask-length
[gateway ipaddr]
[ip-rr]
start-ipaddr Beginning (lowest) IP address in the range.
end-ipaddr Ending (highest) IP address in the range.
netmask mask-
length Network mask for the IP addresses in the pool,
96-128.
gateway
ipv6-addr Next-hop gateway address.

ipv6 neighbor
vrid {num |
ha-group-id
ip-rr Uses pool IP addresses in round robin fashion.
Without this option, the ACOS device creates
NAT translations by using all the protocol ports
of the first IP address in the pool, then using all
the ports of the next IP address, and so on.
Default None.
Usage The ACOS device can run VRRP-A (vrid option) or HA (ha-group-id) but
not both. If you plan to use a standby ACOS device to back up the pool,
configure only one of these options.
Example The following command configures an IPv6 address pool named

“ipv6pool2”:
ACOS(config)#ipv6 nat pool ipv6pool2 abc1::1 abc1::10 netmask 96
ipv6 neighbor
Description Configure a static IPv6 neighbor.
Syntax [no] ipv6 neighbor ipv6-addr macaddr

ethernet port-num [vlan vlan-id]
[device DeviceID]
ipv6-addr IPv6 unicast address of the neighbor.
macaddr MAC address of the IPv6 neighbor.
port-num Ethernet interface connected to the neighbor.
vlan-id VLAN for which to add the IPv6 neighbor entry.
If you do not specify the VLAN, the entry is
added for all VLANs.

ipv6 ospf display
device
sis.
Default N/A
Usage The neighbor must be directly connected to the A10 Thunder Series and AX
Series device’s Ethernet port you specify, or connected through a Layer 2
switch.
Example The following command configures IPv6 neighbor 2001:db8::1111:2222

with MAC address abab.cdcd.efef, connected to the A10 Thunder Series
and AX Series device’s Ethernet port 5:
ACOS(config)#ipv6 neighbor 2001:db8::1111:2222 abab.cdcd.efef ethernet 5
ipv6 ospf display

Description Change how IPv6 routes are displayed in show ipv6 ospf route output.
Syntax [no] ipv6 ospf display route single-line
Default By default, this option is disabled. Routes are displayed on multiple lines.
ipv6 prefix-list sequence-number

Description Enable or disable display of the sequence numbers of IPv6 prefix-list rules.
Syntax [no] ipv6 prefix-list sequence-number
Default Enabled

ipv6 route
Usage When this option is enabled, the sequence numbers are displayed in the run-
ning-config. After you save the configuration, the sequence numbers also
are displayed in the startup-config.
ipv6 route
Description Configure a static IPv6 route.
Syntax [no] ipv6 route ipv6-addr/prefix-length

gateway-addr
[distance]
[device DeviceID]
ipv6-addr IPv6 unicast address of the route destination.
prefix-length Prefix length, 1-128.
gateway-addr IPv6 unicast address of the next-hop gateway to
the destination.
distance Distance value for the route, 1-255.
device
sis.
Default N/A

ipv6 route
Usage The ethernet, trunk, and ve options are available only if the gateway-addr
is a link-local address. Otherwise, the options are not displayed in the online
help and are not supported.
• If you use an individual Ethernet port, the port can not be a member of a
trunk or a VE. If you use a trunk, the trunk can not be a member of a VE.
• After you configure the static route, you can not change the interface’s
membership in trunks or VEs. For example, if you configure a static
route that uses Ethernet port 6’s link-local address as the next hop, it is
not supported to later add the interface to a trunk or VE. The static route
must be removed first.
Example The following command configures a static IPv6 route to destination

2001:db8::3333:3333/32, though gateway 2001:db8::3333:4444:
ACOS(config)#ipv6 route 2001:db8::3333:3333/32 2001:db8::3333:4444
Example The following command configures a default IPv6 route:

ACOS(config)#ipv6 route ::/0 abc1::1111
The following command configures an IPv6 static route that uses Ethernet
port 6’s link-local address as the next hop:
ACOS(config)#ipv6 route abaa:3::0/64 fe80::2 ethernet 6

Config Commands: Router – RIP
This chapter describes the syntax for the Routing Information Protocol
(RIP) commands. The commands are described in the following sections:
• “Enabling RIP” on page 396
• “Interface-level RIP Commands” on page 397
• “IPv4 RIP Configuration Commands” on page 397
• “IPv6 RIP Configuration Commands” on page 409
• “RIP Show Commands” on page 420
• “RIP Clear Commands” on page 421
Note: This CLI level also has the following commands, which are available at
all configuration levels:

Enabling RIP
You can enable RIP for IPv4 and RIP for IPv6. Each version runs indepen-
dently of the other. The ACOS device supports a single IPv4 RIP process
and a single IPv6 RIP process.
Note: Optionally you also can enable RIPv1. RIPv1 and RIPv2 can be enabled
separately for inbound and outbound RIP traffic.
Enabling RIP for IPv4
1. To enable the protocol and access the configuration level for global
IPv4 RIP parameters, enter the following command at the global con-
figuration level:
router rip
2. To enable IPv4 RIP for specific networks, enter the following command
separately for each network:
network {ipaddr/mask-length | interface}
This is the minimum required configuration. Additional configuration may

be required depending on your deployment.
Enabling RIP for IPv6
1. To enable the protocol and access the configuration level for global
IPv6 RIP parameters, enter the following command at the global con-
figuration level:
router ipv6 rip
2. To enable IPv6 RIP on an individual interface:

a. Use the following command to return to the global configuration
level of the CLI:
exit
b. Use the following command to access the interface:
interface
{ethernet port-num | ve ve-num |
c. Use the following command to enable IPv6 RIP on the interface:
ipv6 router rip


cisco-metric-behavior
Interface-level RIP Commands

In addition to global parameters, RIP has parameters on the individual inter-
face level. To configure RIP on an interface, use the interface command to
access the configuration level for the interface, then use the ip rip or ipv6
rip command. (See “Config Commands: Interface” on page 287.)
IPv4 RIP Configuration Commands

The configuration commands in the following sections are applicable to
IPv4 RIP.
Global IPv4 RIP Commands

The commands in this section apply globally to the IPv4 RIP process.
To access the configuration level for a IPv4 RIP process, use the router
ipv4 rip command at the global configuration level of the CLI.

access the configuration level for the interface, then use the ip rip com-
mand. (See “Config Commands: Interface” on page 287.)
Description Enable Cisco-compatible metric behavior. This option affects the display of
metric values in the RIP routing table.
Syntax [no] cisco-metric-behavior {enable | disable}
enable The metric values displayed for routes in the RIP
routing table are the values before modification
by this RIP router (the ACOS device).
disable The metric values displayed for routes in the RIP
routing table are the values after modification by
this RIP router (the ACOS device).
Default disable

default-information originate
Mode IPv4 RIP
Description Enable generation of a default route into RIP.
Syntax [no] default-information originate
Default Disabled
Mode IPv4 RIP
default-metric
Description Configure the default metric value for routes that are redistributed into IPv4
RIP.
Syntax [no] default-metric num
num Specifies the default metric, 1-16.
Default 1
Mode IPv4 RIP
distance
Description Set the administrative distance for IPv4 RIP routes.
Syntax [no] distance num [ipaddr/mask-length [acl-id]]
num Administrative distance, 1-255.
ipaddr/mask-
length Network prefix and mask length. The specified
distance is applied only to routes with a matching
source address.
acl-id ACL ID. The specified distance is applied only
to routes that match the source IP address in the
ACL.

distribute-list
Note: In the ACL, use the permit action, not the deny action.
Default The default distance is 120.
Mode IPv4 RIP
Usage The administrative distance specifies the trustworthiness of routes. In cases

where there are multiple routes to the same destination, from different rout-
ing protocols, the administrative distance can be used as a tie-breaker.
A low administrative distance value indicates a high level of trust. Like-

wise, a high administrative distance value indicates a low level of trust. For
example, setting the administrative distance value for external routes to 255
means those routes are very untrustworthy and should not be used.
distribute-list
Description Configure filtering of route updates.
Syntax [no] distribute-list {acl-id | prefix list-name}

{in | out} [interface]
acl-id |
prefix list-
name ACL or prefix list that specifies the routes to fil-
ter. The action you use in the ACL or prefix list
determines whether matching routes are allowed:
permit – Matching routes are allowed.
deny – Matching routes are prohibited.
in | out Traffic direction for which to filter updates:
in – Inbound route updates are filtered.
out – Outbound route updates are filtered.
interface Interface on which updates are filtered. You can
specify the following types of interfaces:
ethernet portnum – Ethernet data inter-
face.
loopback [num] – Loopback interface. If
you do not specify an interface number, route
updates are filtered out on all loopback inter-
faces.

distribute-list
management – Ethernet management interface.

trunk trunknum – Trunk interface.
ve ve-num – Virtual Ethernet (VE) interface.
If you do not specify an interface, the filter
applies to all interfaces.
Note: The internal option is not applicable.
Default Route updates are not filtered out.
Mode IPv4 RIP
Usage Distribute lists can be global or interface-specified:

• If you do not specify an interface with the distribute list, the list is
global.
• If you do specify an interface with the distribute list, the list applies only
to routes received (in) or advertised (out) on that interface.
The ACOS device can have one global inbound distribute list and one
global outbound distribute list. Likewise, each interface can have one
inbound distribute list and one outbound distribute list.
For inbound updates, if the interface on which the update is received has a
distribute list, that distribute list is checked before the global distribute list.
Likewise, for outbound updates, the distribute list on the outbound interface
is checked before the global distribute list. The action (permit or deny) in
the first distribute list that matches is used.
ACL Implicit Deny Rule

Every ACL has an implicit “deny any” rule at the end. Traffic that does not
match any of the explicitly configured rules in an ACL will match the
implicit deny rule.
Example The following commands allow incoming RIP routes only for network
30.30.30.0/24, and only when received through Ethernet interface 4:
ACOS(config)#ip prefix-list rip-subnet-only permit 30.30.30.0/24
ACOS(config)#router rip
ACOS(config-router)#distribute-list prefix rip-subnet-only in ethernet 4
Example The following commands allow advertisement of RIP routes only for net-
work 10.0.0.0/8, and only when advertised through VE interface 45:
ACOS(config)#access-list 23 permit 10.0.0.0 0.255.255.255
ACOS(config-router)#distribute-list 23 out ve 45

maximum-prefix
maximum-prefix
Description Specify the maximum number of routes allowed in the IPv4 RIP route table.
Syntax [no] maximum-prefix num [threshold]
num Maximum number of RIP routes allowed. You
can specify 1-2048.
threshold Percentage of the maximum number of routes at
which a warning is generated. You can specify
1-100. The warnings appear in the routing log.
Default 256. The default threshold is 75 percent.
Mode IPv4 RIP
neighbor
Description Specify a neighboring IPv4 RIP router.
Syntax [no] neighbor ipaddr
ipaddr IP address of the neighboring IPv4 RIP router.
Default None
Mode IPv4 RIP
Usage Enter the command separately for each IPv4 RIP neighbor.

network
network
Description Enable IPv4 RIP on a network.
Syntax [no] network {ipaddr/mask-length | interface}
ipaddr/mask-
length Prefix and mask length of a IPv4 RIP network.
interface Interface on which to enable RIP. You can spec-
ify the following types of interfaces:
face.
you do not specify an interface number, RIP is
enabled on all loopback interfaces.
If you do not specify an interface, RIP is enabled
on all the interfaces.
Default None
Mode IPv4 RIP
offset-list
Description Increase the metric for specific routes.
Syntax [no] offset-list acl-id {in | out} offset

[interface]
acl-id ACL that matches on the routes for which to
increase the metric.

passive-interface
in | out Direction to which to apply the metric:

in – Applies the additional metric value to
routes received in updates from RIP neighbors.
out – Applies the additional metric value to
routes advertised to RIP neighbors.
offset Additional metric to add to routes. You can spec-
ify 0-16.
interface Interface on which to increase the metric. You
can specify the following types of interfaces:
face.
you do not specify an interface number, the met-
ric is increased on all loopback interfaces.
If you do not specify an interface, the metric is
increased on all interfaces.
Default Not set. The metric that is otherwise applied to the route by the RIP process
is used.
Mode IPv4 RIP
passive-interface
Description Block RIP broadcasts from being sent on an interface.
Syntax [no] passive-interface interface
interface Interface on which to block RIP broadcasts. You
face.
you do not specify an interface number, RIP

recv-buffer-size
broadcasts are blocked on all loopback inter-

faces.
Default None. RIP broadcasts are not blocked on any interfaces.
Mode IPv4 RIP
recv-buffer-size
Description Configure the receive buffer size for RIP UDP packets.
Syntax [no] recv-buffer-size bytes
bytes Maximum RIP UDP packet size allowed. You
can specify 8192-2147483647 bytes.
Default 8192
Mode IPv4 RIP
redistribute
Description Redistribute route information from other sources into RIP.
Syntax [no] redistribute

{
bgp [options] |
connected [options] |
floating-ip [options] |
ip-nat [options] |
ip-nat-list [options] |
isis [options] |
ospf [options] |
static [options] |
vip [only-flagged | only-not-flagged [options]]
}

redistribute
bgp [options] Redistributes route information from Border
Gateway Protocol (BGP) into RIP. For options,
see the end of this parameter list.
connected
[options] Redistributes route information for directly con-
nected networks into RIP. For options, see the
end of this parameter list.
floating-ip
[options] Redistributes route information for floating IP
addresses into RIP. For options, see the end of
this parameter list.
ip-nat
[options] Redistributes routes into RIP for reaching trans-
lated NAT addresses allocated from a pool. For
options, see the end of this parameter list.
ip-nat-list
lated NAT addresses allocated from a range list.
For options, see the end of this parameter list.
isis [options] Redistributes route information from Intermedi-
ate System to Intermediate System (IS-IS) into
RIP. For options, see the end of this parameter
list.
ospf [options] Redistributes route information from Open
Shortest Path First (OSPF) into RIP. For options,
static
[options] Redistributes routes into RIP for reaching net-
works through static routes. For options, see the
vip
[only-flagged |
only-not-
flagged
[options]] Redistributes routes into RIP for reaching virtual
server IP addresses.
By default, all VIPs are redistributed when you
use the vip option. To restrict redistribution to a
subset of VIPs, use one of the following options:

redistribute
only-flagged – Redistributes only the

VIPs on which the redistribution-flagged
command is used.
only-not-flagged – Redistributes all
VIPs except those on which the redistribu-
tion-flagged command is used.
For more information, see “Usage”.
For options, see below.
options Optional parameters supported for all the options
listed above:
metric num – Metric for the route, 0-16.
route-map map-name – Name of a route
map. (To configure a route map, use the route-
map map-name command at the global configu-
ration level of the CLI.)
Note: The kernel option is not applicable.
Default Disabled. By default, RIP routes are not redistributed. For other defaults,
see above.
Mode IPv4 RIP
Usage When you enable redistribution, routes to all addresses of the specified type
are redistributed. For example, if you use the vip option, routes to all VIPs
are redistributed into RIP.
VIP Redistribution
You can exclude redistribution of individual VIPs using one or the other of
the following methods. They are mutually exclusive.
• If more VIPs will be excluded than will be allowed to be redistributed:
• At the configuration level for each of the VIPs to allow to be redis-
tributed, enter the following command: redistribution-flagged
• At the configuration level for the RIP process, enter the following
command: redistribute vip only-flagged
• If fewer VIPs will be excluded than will be allowed to be redistributed:
• At the configuration level for each of the VIPs to exclude from
redistribution, enter the following command: redistribution-
flagged

route
• At the configuration level for the RIP process, enter either of the
following commands: redistribute vip only-not-flagged or redis-
tribute vip
Note: In the configuration, the redistribute vip only-not-flagged command is

automatically converted into the redistribute vip command. When you
display the configuration, it will contain the redistribute vip command,
not the redistribute vip only-not-flagged command. This command con-
version makes the behavior in the current release backwards compatible
with the behavior in previous releases.
VIP Redistribution Usage Examples:

• If you have 10 VIPs and all of them need to be redistributed by RIP, use
the redistribute vip command at the configuration level for the RIP
process.
• If you have 10 VIPs but only 2 of them need to be redistributed, use the
redistribution-flagged command at the configuration level for each of
the 2 VIPs, then use the redistribute vip only-flagged command at the
configuration level for the RIP process.
• If you have 10 VIPs and need to redistribute 8 of them, use the redistri-
bution-flagged command at the configuration level for the 2 VIPs that
should not be redistributed. Enter the redistribute vip only-not-flagged
command at the configuration level for the RIP process. (In this case,
alternatively, you could enter redistribute vip instead of redistribute
vip only-not-flagged.)
Example The following commands redistribute floating IP addresses and VIP

addresses into RIP:
ACOS(config-router)#redistribute floating-ip
ACOS(config-router)#redistribute vip
Example The following commands flag a VIP, then configure RIP to redistribute only
that flagged VIP. The other (unflagged) VIPs will not be redistributed.
ACOS(config)#slb virtual-server vip1
ACOS(config-slb virtual server)#redistribution-flagged
ACOS(config-slb virtual server)#exit
ACOS(config-router)redistribute vip only-flagged
route
Description Configure static RIP routes.
Syntax [no] route ipaddr/prefix-length

timers
ipaddr/prefix-
length Destination of the route.
Default None
Mode IPv4 RIP
timers
Description Configure RIP timers.
Syntax [no] timers basic update timeout

garbage-collection
update Amount of time between transmission of RIP
route updates to neighbors. You can specify
5-2147483647 seconds.
timeout Maximum number of seconds the ACOS device
waits for an update to a RIP route before the
route becomes invalid. You can specify
5-2147483647 seconds.
An invalid route remains in the route table and is
not actually removed until the garbage-collection
timer expires. (See below.)
garbage-
collection Amount of time after a route becomes invalid
that the route remains in the route table before
being removed. You can specify 5-2147483647
seconds.
Default The RIP timers have the following default values:

• update – 30
• timeout – 180
• garbage-collection – 120
Mode IPv4 RIP
Usage All RIP routers in the network should use the same timer values. However,
the timers should not be synchronized among multiple routers, since this
can cause unnecessary collisions.

version
version
Description Specify the RIP version to run.
Syntax [no] version {1 [2] | 2}
1 RIP version 1.
2 RIP version 2.
Default 2
Mode IPv4 RIP
Usage The version you specify runs on all RIP interfaces on the ACOS device.
Caution: RIPv1 is less secure than RIPv2. It is recommended to run RIPv2 if

your other routers support it.
IPv6 RIP Configuration Commands

The configuration commands in the following sections are applicable to
IPv6 RIP.
Global IPv6 RIP Commands

The commands in this section apply globally to the IPv6 RIP process.
To access the configuration level for a IPv6 RIP process, use the router
ipv6 rip command at the global configuration level of the CLI.

access the configuration level for the interface, then use the ip rip or ipv6
rip command. (See “Config Commands: Interface” on page 287.)
aggregate-address
Description Configure an aggregate of multiple IPv6 RIP routes.
Syntax [no] aggregate-address ipv6addr/mask-length

ipv6addr/mask-
length IPv6 address and prefix length of the aggregate.
The aggregate route will be used instead of the
individual routes to destinations that match the
aggregate’s address and prefix.
Default None
Mode IPv6 RIP
Description Enable Cisco-compatible metric behavior. This option affects the display of
metric values in the RIP routing table.
Syntax [no] cisco-metric-behavior {enable | disable}
enable The metric values displayed for routes in the RIP
routing table are the values before modification
by this RIP router (the ACOS device).
disable The metric values displayed for routes in the RIP
routing table are the values after modification by
this RIP router (the ACOS device).
Default disable
Mode IPv6 RIP
Description Enable generation of a default route into RIP.
Default Disabled
Mode IPv6 RIP

default-metric
default-metric
Description Configure the default metric value for routes that are redistributed into IPv6
RIP.
num Specifies the default metric, 1-16.
Default 1
Mode IPv6 RIP
distribute-list
Description Configure filtering of route updates.
Syntax [no] distribute-list {acl-id | prefix list-name}

{in | out} [interface]
acl-id |
prefix list-
name ACL or prefix list that specifies the routes to fil-
ter. The action you use in the ACL or prefix list
determines whether matching routes are allowed:
permit – Matching routes are allowed.
deny – Matching routes are prohibited.
in | out Traffic direction for which to filter updates:
in – Inbound route updates are filtered.
out – Outbound route updates are filtered.
interface Interface on which updates are filtered. You can
specify the following types of interfaces:
face.
you do not specify an interface number, route
updates are filtered out on all loopback inter-
faces.

neighbor

If you do not specify an interface, the filter
applies to all interfaces.
Default Route updates are not filtered out.
Mode IPv6 RIP
Usage Distribute lists can be global or interface-specified:

• If you do not specify an interface with the distribute list, the list is
global.
• If you do specify an interface with the distribute list, the list applies only
to routes received (in) or advertised (out) on that interface.
The ACOS device can have one global inbound distribute list and one
global outbound distribute list. Likewise, each interface can have one
inbound distribute list and one outbound distribute list.
For inbound updates, if the interface on which the update is received has a
distribute list, that distribute list is checked before the global distribute list.
Likewise, for outbound updates, the distribute list on the outbound interface
is checked before the global distribute list. The action (permit or deny) in
the first distribute list that matches is used.
ACL Implicit Deny Rule

Every ACL has an implicit “deny any” rule at the end. Traffic that does not
match any of the explicitly configured rules in an ACL will match the
implicit deny rule.
neighbor
Description Specify a neighboring IPv6 RIP router.
Syntax [no] neighbor ipv6addr interface
ipv6addr Link-local IPv6 address of the neighboring IPv6
RIP router.

offset-list
interface Interface on which the neighbor can be reached.

You can specify the following types of interfaces:
face.
you do not specify an interface number, the
neighbor is added for all loopback interfaces.
Default None
Mode IPv6 RIP
Usage Enter the command separately for each IPv4 RIP neighbor.
offset-list
Description Increase the metric for specific routes.
Syntax [no] offset-list acl-id {in | out} offset

[interface]
acl-id ACL that matches on the routes for which to
increase the metric.
in | out Direction to which to apply the metric:
in – Applies the additional metric value to
routes received in updates from RIP neighbors.
out – Applies the additional metric value to
routes advertised to RIP neighbors.
offset Additional metric to add to routes. You can spec-
ify 0-16.

passive-interface
interface Interface on which to increase the metric. You

face.
you do not specify an interface number, the met-
ric is increased on all loopback interfaces.
If you do not specify an interface, the metric is
increased on all interfaces.
Default Not set. The metric that is otherwise applied to the route by the RIP process
is used.
Mode IPv6 RIP
passive-interface
Description Block RIP broadcasts from being sent on an interface.
Syntax [no] passive-interface interface
interface Interface on which to block RIP broadcasts. You
face.
you do not specify an interface number, RIP
broadcasts are blocked on all loopback inter-
faces.
Default None. RIP broadcasts are not blocked on any interfaces.
Mode IPv6 RIP

recv-buffer-size
recv-buffer-size
Description Configure the receive buffer size for RIP UDP packets.
Syntax [no] recv-buffer-size bytes
bytes Maximum RIP UDP packet size allowed. You
Default 8192
Mode IPv6 RIP
redistribute
Description Redistribute route information from other sources into RIP.

{
bgp [options] |
ip-nat [options] |
isis [options] |
ospf [options] |
static [options] |
vip [only-flagged | only-not-flagged [options]]
}
bgp [options] Redistributes route information from Border
Gateway Protocol (BGP) into RIP. For options,
connected
[options] Redistributes route information for directly con-
nected networks into RIP. For options, see the
floating-ip
[options] Redistributes route information for floating IP
addresses into RIP. For options, see the end of

redistribute
ip-nat
ip-nat-list
isis [options] Redistributes route information from Intermedi-
RIP. For options, see the end of this parameter
list.
ospf [options] For options, see the end of this parameter list.
static
[options] Redistributes routes into RIP for reaching net-
vip
[only-flagged |
only-not-
flagged
[options]] Redistributes routes into RIP for reaching virtual
server IP addresses.
command is used.
listed above:
metric num – Metric for the route, 0-16. There is
no default.
route-map map-name – Name of a route map.
(To configure a route map, use the route-map

redistribute
map-name command at the global configuration

level of the CLI.)
Default Disabled. By default, RIP routes are not redistributed. For other defaults,
see above.
Mode IPv6 RIP
are redistributed into RIP.
VIP Redistribution
• At the configuration level for the RIP process, enter the following
command: redistribute vip only-flagged
flagged
• At the configuration level for the RIP process, enter either of the
following commands: redistribute vip only-not-flagged or redis-
tribute vip


• If you have 10 VIPs and all of them need to be redistributed by RIP, use
the redistribute vip command at the configuration level for the RIP
process.

route
configuration level for the RIP process.
command at the configuration level for the RIP process. (In this case,
alternatively, you could enter redistribute vip instead of redistribute
vip only-not-flagged.)
route
Description Configure static RIP routes.
Syntax [no] route ipv6addr/prefix-length
ipv6addr/
prefix-length Destination of the route.
Default None
Mode IPv6 RIP
route-map
Description Configure a list of interfaces to use as input to other RIP commands.
Syntax [no] route-map map-name {in | out} interface
map-name Name of the route map.
in | out Direction to which the map applies:
in – Applies to incoming routes received in
updates from RIP neighbors.
out – Applies to routes advertised to RIP
neighbors.

timers
interface Interface to which to apply the route map. You

face.
you do not specify an interface number, the route
map is applied to all loopback interfaces.
Default None
Mode IPv6 RIP
timers
Description Configure RIP timers.
Syntax [no] timers basic update timeout

garbage-collection
update Amount of time between transmission of RIP
route updates to neighbors. You can specify
5-2147483647 seconds.
timeout Maximum number of seconds the ACOS device
waits for an update to a RIP route before the
route becomes invalid. You can specify
5-2147483647 seconds.
An invalid route remains in the route table and is
not actually removed until the garbage-collection
timer expires. (See below.)
garbage-
collection Amount of time after a route becomes invalid
that the route remains in the route table before
being removed. You can specify 5-2147483647
seconds.

show ip rip database
Default The RIP timers have the following default values:

• update – 30
• timeout – 180
• garbage-collection – 120
Mode IPv6 RIP
Usage All RIP routers in the network should use the same timer values. However,
the timers should not be synchronized among multiple routers, since this
can cause unnecessary collisions.
RIP Show Commands

This section lists the RIP show commands.
show ip rip database

Description Display the RIP IPv4 route database.
Syntax show ip rip database
Mode All
show ipv6 rip database

Description Display the RIP IPv4 route database.
Syntax show ipv6 rip database
Mode All

clear ip rip route
RIP Clear Commands

This section lists the RIP clear commands.
clear ip rip route

Description Clears routes from the IPv4 RIP table.
Syntax clear ip rip route {ipaddr/mask-length | rip}
ipaddr/mask-
length Clears the route to the specified network.
rip Clears all RIP routes from the table.
Mode Privileged EXEC or any configuration level
clear ipv6 rip route

Description Clears routes from the IPv6 RIP table.
Syntax clear ipv6 rip route

{
ipv6addr/mask-length |
all |
bgp |
connected |
floating-ip |
ip-nat |
ip-nat-list |
isis |
ospf |
rip |
static |
vip [only-flagged | only-not-flagged]
}
ipv6addr/mask-
length Clears the route to the specified network.
all Clears all RIP routes from the table.
bgp Clears all RIP routes received from BGP.

clear ipv6 rip route
connected Clears all RIP routes to directly connected net-

works.
floating-ip Clears all RIP routes to floating IP addresses.
ip-nat Clears all RIP routes to translated NAT addresses
allocated from a pool.
ip-nat-list Clears all RIP routes to translated NAT addresses
allocated from a range list.
isis Clears all RIP routes received from IS-IS.
ospf Clears all RIP routes received from OSPF.
static Clears all static RIP routes.
vip
[only-flagged |
only-not-
flagged] Clears all RIP routes to virtual server IP
addresses.
By default, routes to all VIPs are cleared. To
clear routes to a subset of VIPs, use one of the
following options:
only-flagged – Clears the RIP routes to
only the VIPs on which the redistribution-
flagged command is used.
only-not-flagged – Clears the RIP
routes to all VIPs except those on which the
redistribution-flagged command is used.
Mode Privileged EXEC or any configuration level

Config Commands: Router – OSPF
This chapter describes the commands for configuring global OSPFv2 and
OSPFv3 parameters.

Enabling OSPF
To enable OSPF, use one of the following commands at the global configu-
ration level of the CLI. Each command changes the CLI to the configuration
level for the specified OSPFv2 process ID or OSPFv3 process tag.
OSPFv2
router ospf [process-id]
The process-id specifies the IPv4 OSPFv2 process to run on the ACOS
device, and can be 1-65535.
OSPFv3
router ipv6 ospf [tag]
The tag specifies the IPv6 OSPFv3 process to run on the IPv6 link, and can
be 1-65535.
Note: It is recommended to set a fixed router-ID for all dynamic routing proto-
cols you plan to use on the ACOS device, to prevent router-ID changes
caused by HA or VRRP-A failover.
Note: For OSPFv3, the area tag ID configured on an interface must be the same
as the tag ID for the OSPF instance.
Interface-level OSPF Commands

In addition to global parameters, OSPF has parameters on the individual
interface level. To configure OSPF on an interface, use the interface com-
mand to access the configuration level for the interface, then use the ip ospf
or ipv6 ospf command. (See “Config Commands: Interface” on page 287.)
Show Commands
To display OSPF settings, use show ip ospf or show ipv6 ospf commands.
(See “Show Commands” on page 839.)

abr-type
Configuration Commands Applicable to OSPFv2 or

OSPFv3
The following configuration commands are applicable to OSPFv2 and
OSPFv3.
The commands in this section apply throughout the OSPFv2 process or

OSPFv3 process in which the commands are entered.
abr-type
Description Specify the Area Border Router (ABR) type.
Syntax [no] abr-type

{cisco | ibm | standard}
cisco Alternative ABR using Cisco implementation
(RFC 3509).
ibm Alternative ABR using IBM implementation
(RFC 3509).
standard Standard ABR behavior (RFC 2328)
Default cisco
Mode OSPFv3
area area-id default-cost

Description Specify the cost of a default summary route sent into a stub area.
Syntax [no] area area-id default-cost num
area-id Area ID, either an IP address or a number.
num Cost of the default summary route, 0-16777214.
Default The default is 1.

area area-id range
Mode OSPFv2 or OSPFv3
Example The following command assigns a cost of 4400 to default summary routes
injected into stub areas:
ACOS(config-router)#area 5.5.5.5 default-cost 4400
area area-id range

Description Summarize routes at an area boundary.
Syntax [no] area area-id range ipaddr/mask-length

[advertise | not-advertise]
area-id Beginning area ID.
range area-id Ending area ID.
ipaddr Subnet address for the range.
/mask-length Network mask length for the range.
advertise Generates Type 3 summary LSAs for the areas in
the range.
not-advertise Does not generate Type 3 summary LSAs. The
networks are hidden from other networks.
Default There is no default range configuration. When you configure a range, the
default advertisement string is advertise.
Example The following command configures a range and disables advertisement of

routes into the areas:
ACOS(config-router)#area 8.8.8.8 range 10.10.10.10/16 not-advertise

area area-id stub
area area-id stub

Description Configure a stub area.
Syntax [no] area area-id stub [no-summary]
area-id Area ID.
no-summary ABRs do not send summary LSAs into the stub
area.
Default None
Example The following command configures a stub area with area ID 10.2.4.5:
ACOS(config-router)#area 10.2.4.5 stub
area area-id virtual-link

Description Configure a link between two backbone areas that are separated by non-
backbone areas.
Syntax [no] area area-id virtual-link ipaddr

[authentication]
[authentication-key string [string ...]]
[dead-interval seconds]
[hello-interval seconds]
[message-digest-key num md5 string [string ...]]
[retransmit-interval seconds]
[transmit-delay seconds]
ipaddr IP address of the OSPF neighbor at the other end
of the link.
authentication Enables authentication on the link.
authentication-
key string
[string ...] Specifies a simple text password for authenticat-
ing OSPF traffic between this router and the

area area-id virtual-link
neighbor at the other end of the virtual link. The

string is an 8-character authentication password.
dead-interval
for a reply to a hello message sent to the neighbor
on the other end of the virtual link, before declar-
ing the neighbor to be offline. You can specify
1-65535 seconds.
hello-interval
between sending hello messages to the neighbor
on the other end of the virtual link. You can spec-
ify 1-65535 seconds.
message-digest-
key num md5
string
[string ...] Specifies an MD5 key, 1-255. The string is a 16-
character authentication password.
retransmit-
interval
before resending an unacknowledged packet to
the neighbor on the other end of the virtual link.
transmit-delay
between sending packets to the neighbor on the
other end of the virtual link. You can specify
1-65535 seconds.
Default None. When you configure a virtual link, it has the following default set-
tings:
• authentication – disabled
• authentication-key – not set
• dead-interval – 40
• hello-interval – 10
• message-digest-key – not set
• retransmit-interval – 5
• transmit-delay – 1

auto-cost reference bandwidth
auto-cost reference bandwidth

Description Change the reference bandwidth used by OSPF to calculate default metrics.
Syntax [no] auto-cost reference-bandwidth mbps
mbps Specifies the reference bandwidth, in Mbps. You
can specify 1-4294967.
Default 100 Mbps
Usage By default, OSPF calculates the OSPF metric for an interface by dividing
the reference bandwidth by the interface bandwidth. This command differ-
entiates high-bandwidth links from lower-bandwidth links. If multiple links
have high bandwidth, specify a larger reference bandwidth so that the cost
of those links is differentiated from the cost of lower-bandwidth links.
bfd
Description Enable BFD on all interfaces for which OSPF is running.
Syntax [no] bfd all-interfaces
Default Disabled
clear
Description Clear all or specific OSPF neighbors.
Syntax clear ip ospf [process-id]

{
process |
neighbor
{all | neighbor-id | interface
{interface-ip-address [neighbor-ip-address]}}
}

clear
clear ipv6 ospf [process-tag]

{
process |
neighbor
{all | neighbor-id |
interface-name [neighbor-id]}
}
process-id Specifies the IPv4 OSPFv2 process to run on the
device, and can be 1-65535.
process-tag Specifies the IPv6 OSPFv3 process to run on the
IPv6 link, and can be 1-65535.
neighbor-id Router-id of the OSPF device.
neighbor-ip-
address IP address of the interface for the neighboring
device.
interface-ip-
address IP address of the interface of the device on which
the OSPF neighbor exists.
Default N/A
Usage Using OSPFv2, the CLI enables you to indicate an interface IP Address of
the ACOS device. Using OSPFv3, the CLI enables you to specify the inter-
face name for a specific neighbor.
Example The following command clears all OSPFv2 neighbors:

ACOS(config)#clear ip ospf neighbor all
The following command clears all neighbors to a specific router:

ACOS(config)#clear ip ospf neighbor 192.1.1.1
The following command clears all neighbors on an interface:

ACOS(config)#clear ip ospf neighbor interface 10.1.1.10

default-metric
The following command clears a neighbor on a specified interface to a spec-

ified router:
ACOS(config)#clear ip ospf neighbor interface 10.1.1.10 192.1.1.10
The following command clears all OSPFv3 neighbors:

ACOS(config)#clear ipv6 ospf 5 neighbor all
The following command clears all neighbors to a specific router:

ACOS(config)#clear ipv6 ospf neighbor 192.1.1.1
The following command clears all OSPFv3 neighbors on a specified

interface:
ACOS(config)#clear ipv6 ospf neighbor ethernet 1
The following command clears all neighbors on a specified interface to a

specific router:
ACOS(config)#clear ipv6 ospf neighbor ethernet 1 192.1.1.1
default-metric
Description Set the numeric cost that is assigned to OSPF routes by default. The metric
(cost) is added to routes when they are redistributed.
num Default cost, 0-16777214.
Default 20
Example The following command configures a default metric of 6666:

ACOS(config-router)#default-metric 6666

distribute-internal
distribute-internal
Description Enable redistribution of AX-specific resources as internal routes (type-1
LSAs).
Syntax [no] distribute-internal

{floating-ip | ip-nat | ip-nat-list | vip |
vip-only-flagged}
area area-id
[cost num]
floating-ip
[options] Redistributes routes into OSPF for reaching HA
floating IP addresses.
ip-nat Redistributes routes into OSPF for reaching
translated NAT addresses allocated from a pool.
ip-nat-list Redistributes routes into OSPF for reaching
translated NAT addresses allocated from a range
list.
vip Redistributes routes into OSPF for reaching vir-
tual server IP addresses.
vip-only-
flagged Same as the vip option, but applies only to VIPs
on which the redistribution-flagged option is
enabled.
area area-id Specifies the OSPF area into which to redistrib-
ute the internal routes.
cost num Specifies the cost for using the internally redis-
tributed routes. You can specify 1-65535. The
default is 1.
Default Disabled. By default, OSPF routes are not redistributed. For other defaults,
see above.
Usage Routes that are redistributed into OSPF as external routes are redistributed
as type-5 link state advertisement (LSAs). Routes that are redistributed into
OSPF as internal routes are redistributed as type-1 LSAs.
You can enable either external or internal redistribution for a given AX-spe-
cific resource type.

ha-standby-extra-cost
Example The following command enables internal distribution into OSPF area 0, of
routes to all VIPs configured on the ACOS device, and assigns cost 11 to
the routes:
ACOS(config-router)#distribute-internal vip area 0 cost 11
routes to VIPs that have the redistribution-flagged option, and assigns cost
21 to the routes:
ACOS(config-router)#distribute-internal vip-only-flagged area 1 cost 21
routes to HA floating IP addresses, and assigns cost 555 to the routes:
ACOS(config-router)#distribute-internal floating-ip area 5 cost 555
Example The following command displays the OSPF IPv4 route table. The routes
configured for internal distribution are indicated by “internal”.
ACOS(config-router)#show ip ospf route
OSPF process 11: counter = 6

Codes: C - connected, D - Discard, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
C 6.1.1.0/24 [10] is directly connected, ve 6, Area 0.0.0.0

C 111.1.1.2/32 [21] is directly connected, internal vip-only-flagged, Area 0.0.0.1
C 111.1.1.3/32 [11] is directly connected, internal vip, Area 0.0.0.0
C 114.1.1.1/32 [21] is directly connected, internal vip-only-flagged, Area 0.0.0.1
C 200.1.1.2/32 [555] is directly connected, internal floating-ip, Area 0.0.0.5
Description Enable OSPF awareness of High Availability (HA).
Syntax [no] ha-standby-extra-cost num
num Specifies the extra cost to add to the ACOS
device’s OSPF interfaces, if the HA status of one
or more of the device’s HA groups is Standby.
You can specify 1-65535. If the resulting cost
value is more than 65535, the cost is set to
65535.

max-concurrent-dd
Default Not set. The OSPF protocol on the ACOS device is not aware of the HA
state (Active or Standby) of the ACOS device.
Usage Enter the command on each of the ACOS devices in the HA pair.
max-concurrent-dd
Description Set the maximum number of OSPF neighbors that can be processed concur-
rently during database exchange between this OSPF router and its OSPF
neighbors.
Syntax [no] max-concurrent-dd num
num Specifies the maximum number of neighbors that
can be processed at the same time during data-
base exchange. You can specify 1-65535.
Default Not set (no limit)
Usage This command is useful in cases where router performance is being

adversely affected by processing of neighbor adjacencies.
passive-interface
Description Disable Link-State Advertisements (LSAs) from being sent on an interface.
Syntax [no] passive-interface

{ethernet portnum | loopback num | management |
ve ve-num}
Default LSAs are enabled. (No interfaces are passive.)
Example The following command configures a passive interface on the Virtual Ether-
net (VE) interface on VLAN 3:
ACOS(config-router)#passive-interface ve 3

redistribute
redistribute
Description Enable distribution of routes from other sources into OSPF.
[no] redistribute
{
ip-nat [ipaddr/mask-length
floating-IP-forward-address ipaddr] [options] |
ospf [process-id] [options] |
static [options] |
vip [ipaddr floating-IP-forward-address ipaddr |
{only-flagged | only-not-flagged}] [options]
}
connected
[options] Redistributes routes into OSPF for reaching
directly connected networks. For options, see the
floating-ip
[options] Redistributes routes into OSPF for reaching HA
floating IP addresses. For options, see the end of
ip-nat
[ipaddr/mask-
length
floating-IP-
forward-address
ipaddr]
translated NAT addresses allocated from a pool.
By default, the forward address for all redistrib-
uted NAT pool addresses is 0.0.0.0. To set a
floating IP address as the forward address, use
the ipaddr/mask-length] option to specify the
NAT pool address. The floating-IP-forward-
address ipaddr option specifies the forward
address to use when redistributing the route to
the NAT pool address.

redistribute
ip-nat-list
translated NAT addresses allocated from a range
list. For options, see the end of this parameter
list.
ospf
[process-id]
[options] Redistributes routes into this OSPFv2 process for
reaching networks in another OSPFv2 process.
static
[options] Redistributes routes into OSPF for reaching net-
vip [ipaddr
floating-IP-
forward-address
ipaddr |
{only-flagged |
only-not-
flagged}]
[options] Redistributes routes into OSPF for reaching vir-
By default, the forward address for all redistrib-
uted VIPs is 0.0.0.0. To set a floating IP address
as the forward address, use the ipaddr option to
specify the VIP address. Use the floating-IP-for-
ward-address ipaddr option to specify the for-
ward address to use when redistributing the route
to the VIP.
only-flagged – Redistributes only the VIPs
on which the redistribution-flagged com-
mand is used.
only-not-flagged – Redistributes all VIPs
except those on which the redistribution-

redistribute

listed above:
metric-type {1 | 2} – External link type associ-
ated with the route advertised into the OSPF
routing domain:
1 – Type 1 external route
metric num – Metric for the route, 0-16777214.
The default is 20.
(To configure a route map, see “route-map” on
page 209.)
tag num – Includes the specified tag value in
external Link-State Advertisements (LSAs).
Inter-domain routers running Border Gateway
Protocol (BGP) can be configured to make rout-
ing decisions based on the tag value. The tag
value can be 0-4294967295. The default is 0.
Note: The bgp, isis, and kernel options are not applicable to the current release
and are not supported.
Default Disabled. By default, OSPF routes are not redistributed. For other defaults,
see above.
are redistributed into OSPF.
By default, the ACOS device uses 0.0.0.0 as the forward address in routes
that are redistributed in OSPF type-5 link state advertisement (LSAs). In
this case, other OSPF routers find a route to reach the ACOS device (which
is acting as OSPF ASBR), then use the corresponding next-hop address as
the next hop for the destination network. You can specify a floating IP
address to use as the forward address, for individual NAT pools or VIPs.
(See the syntax above.)

redistribute
VIP Redistribution
• At the configuration level for the OSPFv2 process or OSPFv3 pro-
cess, enter the following command: redistribute vip only-flagged
flagged
• At the configuration level for the OSPFv2 process or OSPFv3 pro-
cess, enter either of the following commands: redistribute vip
only-not-flagged or redistribute vip


• If you have 10 VIPs and all of them need to be redistributed by OSPF,
use the redistribute vip command at the configuration level for the
OSPF process.
configuration level for the OSPFv2 process or OSPFv3 process.
command at the configuration level for the OSPFv2 process or OSPFv3
process. (In this case, alternatively, you could enter redistribute vip
instead of redistribute vip only-not-flagged.)

addresses into OSPF:

router-id
Example The following commands flag a VIP, then configure OSPF to redistribute
only that flagged VIP. The other (unflagged) VIPs will not be redistributed.
ACOS(config)#router ospf
Example The following command enables redistribution of VIPs, and sets tag value
555 to be included in external LSAs that advertise the route to the VIP:
ACOS(config-router)#redistribute vip metric-type 1 metric 1 tag 555
router-id
Description Set the value used by this OSPF router to identify itself when exchanging
route information with other OSPF routers.
Syntax [no] router-id ipaddr
Note: The syntax for this command is slightly different for OSPFv2. See “ospf
router-id” on page 450.
Default The default router ID is the highest-numbered IP address configured on any

of the ACOS device’s loopback interfaces. If no loopback interfaces are
configured, the highest-numbered IP address configured on any of the
ACOS device’s other Ethernet data interfaces is used.
Note: Setting the router ID is required for OSPFv3 and is strongly recom-
mended for OSPFv2.
Usage The ACOS device has only one router ID. The address does not need to
match an address configured on the ACOS device. However, the address
must be an IPv4 address and must be unique within the routing domain.
New or changed router IDs require a restart of the OSPF process. To restart
the OSPF process, use the clear ip ospf process command.
Example The following commands set the router ID to 3.3.3.3 and reload OSPF to
place the new router ID into effect:
ACOS(config-router)#router-id 3.3.3.3
ACOS(config-router)#clear ip ospf process

timers spf exp
timers spf exp

Description Change Shortest Path First (SPF) timers used for route recalculation follow-
ing a topology change. This command enables exponential back-off delays
for route recalculation.
Syntax [no] timers spf exp min-delay max-delay
min-delay Specifies the minimum number of milliseconds
(ms) the OSPF process waits after receiving a
topology change, before recalculating its OSPF
routes. You can specify 0-2147483647.
max-delay Specifies the maximum number of milliseconds
(ms) the OSPF process waits after receiving a
topology change, before recalculating its OSPF
routes. You can specify 0-2147483647.
Default The default min-delay is 500 ms. The default max-delay is 50000 ms.
Usage After you enter this command, any pending route recalculations are
rescheduled based on the new timer values.
Configuration Commands Applicable to OSPFv2 Only

The following configuration commands are applicable to OSPFv2 only.
The commands in this section apply throughout the OSPFv2 process in

which the commands are entered.
area area-id authentication

Description Enable authentication for an OSPF area.
Syntax [no] area area-id authentication [message-digest]
message-digest Enables MD5 authentication. If you omit this
option, simple text authentication is used.

area area-id filter-list
Default Disabled. No authentication is used.
Mode OSPFv2
Usage To configure a simple text password or MD5 key, see “ip ospf” on page 305.
area area-id filter-list

Description Filter the summary routes advertised by this OSPF router, if it is acting as an
Area Border Router (ABR).
Syntax [no] area area-id filter-list

{
access acl-id {in | out} |
prefix list-name {in | out}
}
access acl-id
{in | out} ID of an Access Control List (ACL). The only
routes that are advertised are routes to the sub-
nets permitted by the ACL.
prefix
list-name
{in | out} ID of an IP prefix list. The only routes that are
advertised are routes to the subnets that match
the list.
Default Not set.
Mode OSPFv2
Usage You can specify an ACL or an IP prefix list. To configure an ACL, see
“access-list (standard)” on page 89, “access-list (extended)” on page 92, or
“ipv6 access-list” on page 384. To configure a prefix list, see “ip prefix-list”
on page 376.

area area-id multi-area-adjacency
area area-id multi-area-adjacency

Description Enables support for multiple OSPF area adjacencies on the specified inter-
face.
Syntax [no] area area-id multi-area-adjacency

ve ve-num}
neighbor ipaddr
Default Disabled. By default, only one OSPF adjacency is allowed on an interface

for a given OSPF process.
Mode OSPFv2
Usage This command is applicable only if this OSPF router is an ABR.
area area-id nssa

Description Configure a not-so-stubby area (NSSA).
Syntax [no] area area-id nssa

[
default-information-originate
[metric num] [metric-type {1 | 2}] |
no-redistribution |
no-summary |
translator-role {always | candidate | never}
]
area-id Area ID.
default-
information-
originate
[metric num]
[metric-type
{1 | 2}] Generates a Type 7 LSA into the NSSA area.
(This option takes effect only on Area Border
Routers (ABRs)).
metric num – Metric for the default route,
0-16777214. The default is 20.

area area-id shortcut
metric-type {1 | 2} – External link type associ-

ated with the route advertised into the OSPF
routing domain:
no-
redistribution Disables redistribution of routes into the area.
no-summary Disables sending summary LSAs into the NSSA.
translator-role
{always |
candidate |
never} Specifies the types of LSA translation performed
by this OSPF router for the NSSA:
always – If this OSPF router is an NSSA border
router, the router will always translate Type 7
LSAs into Type 5 LSAs, regardless of the trans-
lator state of other NSSA border routers.
candidate – If this OSPF router is an NSSA bor-
der router, the router is eligible to be elected the
Type 7 NSSA translator.
never – This OSPF router is ineligible to be
elected the Type 7 NSSA translator.
Default None
Mode OSPFv2
Example The following command configures an NSSA with area ID 6.6.6.6:

ACOS(config-router)#area 6.6.6.6 nssa
area area-id shortcut

Description Configure short-cutting through an area.
Syntax [no] area area-id shortcut

{default | disable | enable}
area-id Area ID.
default Enables the default shortcut behavior. (See
below.)

compatible rfc1583
disable Disables shortcutting through the area.

enable Forces shortcutting through the area.
Default None
Mode OSPFv2
Usage A shortcut enables traffic to go through a non-backbone area with a lower

metric, regardless of whether the ABR router is attached to the backbone
area.
compatible rfc1583
Description Enable calculation of summary route costs per RFC 1583.
Syntax [no] compatible rfc1583
Default Disabled. Summary route costs are calculated based on RFC 2328.
Mode OSPFv2
Description Create a default route into the OSPF domain.

[always]
[metric num]
[metric-type {1 | 2}]
[route-map name]
always Configures the ACOS device to automatically
declare itself a default gateway for other OSPF
routers, even if the ACOS device does not have a
default route to 0.0.0.0/0.
metric num Metric for the default route, 0-16777214.
metric-type
{1 | 2} External link type associated with the default
route advertised into the OSPF routing domain:

distance

route-map
map-name Name of a route map. (To configure a route map,
see “route-map” on page 209.)
Default This option is disabled by default. If you enable it, the default metric is 10.
The default metric type is 2.
Mode OSPF
Example The following command creates a default route into the OSPF domain with
a metric of 20:
ACOS(config-router)#default-information originate metric 20
distance
Description Set the administrative distance for OSPF routes, based on route type.
Syntax [no] distance

{
num |
ospf {external | inter-area | intra-area} num
}
num Sets the administrative distance for all route
types. You can specify 1-255.
ospf
{external |
inter-area |
intra-area}
num Sets the administrative distance for specific route
types:
external – Routes that OSPF learns from other
routing domains by redistribution.
intra-area – Routes within the same OSPF area.
inter-area – Routes between OSPF areas.
You can use the ospf option with one or more of
its suboptions. For each route type, you can spec-
ify 1-255.

distribute-list
Default For all route types, the default administrative distance is 110.
Mode OSPFv2
Usage The administrative distance specifies the trustworthiness of routes. A low

administrative distance value indicates a high level of trust. Likewise, a
administrative distance value indicates a low level of trust. For example,
setting the administrative distance value for external routes to 255 means
those routes are very untrustworthy and should not be used.
distribute-list
Description Filter the networks received or sent in route updates.
Syntax [no] distribute-list acl-id

{
in |
out {connected | floating-ip | ip-nat |
ip-nat-list | ospf | static | vip}
acl-id ID of an ACL. Only the networks permitted by
the ACL will be allowed.
in Uses the specified ACL to filter routes received
by OSPF from other sources. The filter applies to
routes from all sources.
out route-type Uses the specified ACL to filter routes advertised
by OSPF to other routing domains. The route-
type can be one of the following:
connected – Filters advertisement of directly
connected networks.
floating-ip – Filters advertisement of networks
for HA floating IP addresses.
ip-nat – Filters advertisement of networks that
are translated NAT addresses allocated from a
pool.
ip-nat-list – Filters advertisement of networks
that are translated NAT addresses allocated from
a range list.
ospf [process-id] – Filters advertisement of net-
works to another OSPF process.

host ipaddr area
static [only-flagged | only-not-flagged] – Filters

advertisement of networks reached by static
routes.
vip [only-flagged | only-not-flagged] – Filters
advertisement of networks to reach VIPs.
By default, the option applies to all VIPs. To
restrict the option to a subset of VIPs, use one of
the following options:
only-flagged – Redistributes only the VIPs on
which the redistribution-flagged command is
used.
only-not-flagged – Redistributes all VIPs except
those on which the redistribution-flagged com-
mand is used.
Default None
Mode OSPFv2
host ipaddr area

Description Configure a stub host entry for an area.
Syntax [no] host ipaddr area area-id [cost num]
ipaddr IP address of the host.
area area-id OSPF area where the host is located.
cost num Cost of the stub host entry, 0-65535.
Default None
Mode OSPFv2
Usage Routes to the host are listed in router LSAs as stub links.

log-adjacency-changes
Description Log adjacency changes.
Syntax [no] log-adjacency-changes [detail]
Default Disabled
Mode OSPFv2
maximum-area
Description Set the maximum number of OSPF areas supported for this OSPF process.
Syntax [no] maximum-area num
num Specifies the maximum number of areas allowed
for this OSPF process. You can specify
1-4294967294.
Default 4294967294
Mode OSPFv2
neighbor
Description Configure an OSPF neighbor that is located on a non-broadcast network.
Syntax [no] neighbor ipaddr

[
cost num |
poll-interval seconds [priority num] |
priority num [poll-interval seconds]
]
ipaddr IP address of the OSPF neighbor.
cost num Specifies the link-state metric to the neighbor,
1-65535.

network
poll-interval
for a reply to a hello message sent to the neigh-
bor, before declaring the neighbor to be offline.
priority num Router priority of the neighbor, 1-255.
Default No neighbors on non-broadcast networks are configured by default. When

you configure one, the other parameters have the following default settings:
• cost – not set
• poll-interval – 120 seconds
• priority – 0
Mode OSPFv2
Usage This command is required only for neighbors on networks. Adjacencies to

neighbors on other types of networks are automatically established by the
OSPF protocol.
It is recommended to set the poll-interval to a much higher value than the

hello interval.
network
Description Enable OSPF routing for an area, on interfaces that have IP addresses in the
specified area subnet.
Syntax [no] network

ipaddr {/mask-length | wildcard-mask}
area area-id
[instance-id num]
ipaddr
{/mask-length |
wildcard-mask} Subnet of the area. You can specify the subnet in
CIDR format (ipaddr/mask-length) or as ipaddr
wildcard-mask. In a wildcard-mask, 0s represent
the network portion and 1s represent the host
portion. For example, for a subnet that has 254
hosts and a 24-bit network mask, the wildcard-
mask is 0.0.0.255.
area area-id Area ID.

ospf abr-type
instance-id num Range of OSPF instances for which to enable

OSPF routing for the area, 0-255. If you omit this
option, OSPF routing is enabled for all OSPF
instances that are running on interfaces that have
IP addresses in the specified area subnet.
Default None
Mode OSPFv2
Example The following command configures an OSPF network:

ACOS(config-router)#network 10.10.20.20/24 area 10.10.20.30
ospf abr-type
Description Specify the Area Border Router (ABR) type.
Syntax [no] ospf abr-type

{cisco | ibm | shortcut | standard}
cisco Alternative ABR using Cisco implementation
(RFC 3509).
ibm Alternative ABR using IBM implementation
(RFC 3509).
shortcut Shortcut ABR (draft-ietf-ospf-shortcut-abr-
02.txt).
standard Standard ABR behavior (RFC 2328)
Default cisco
Mode OSPFv2
ospf router-id
Description Set the value used by this OSPF router to identify itself when exchanging
route information with other OSPF routers.
Syntax [no] ospf router-id ipaddr
Default For OSPFv2, the default router ID is the highest-numbered IP address con-
figured on any of the ACOS device’s loopback interfaces. If no loopback

overflow database
interfaces are configured, the highest-numbered IP address configured on

any of the ACOS device’s other Ethernet data interfaces is used.
Note: Setting the router ID is strongly recommended for OSPFv2.
Mode OSPFv2
Usage The ACOS device has only one router ID. The address does not need to
match an address configured on the ACOS device. However, the address
must be an IPv4 address and must be unique within the routing domain.
New or changed router IDs require a restart of the OSPF process. To restart
the OSPF process, use the clear ip ospf process command.
Example The following commands set the router ID to 2.2.2.2 and reload OSPF to
place the new router ID into effect:
ACOS(config-router)#router-id 2.2.2.2
ACOS(config-router)#clear ip ospf process
overflow database
Description Specify the maxim number of LSAs or the maximum size of the external
database.
Syntax [no] overflow database

{
max-lsa [hard | soft] |
external max-lsa recover-time
}
max-lsa
[hard | soft] Specifies the maximum number of LSAs per
OSPF process, 0-4294967294. The hard | soft
option specifies the action to take if the LSA
limit is exceeded:
hard – Shut down the OSPF process for the pro-
cess.
soft – Issue a warning message without shutting
down the OSPF process for the process.
external
max-lsa
recover-time Specifies the maximum number of AS-external-
LSAs the OSPF router can receive,

summary-address
0-2147483647. The recover-time option specifies

the number of seconds OSPF waits before
attempting to recover after max-lsa is exceeded.
You can specify 0-65535 seconds. To disable
recovery, specify 0.
Default The default max-lsa is 2147483647.
Mode OSPFv2
summary-address
Description Summarize or disable advertisement of external routes for a specific IP
address range. A summary-address helps reduce the size of the OSPF link-
state database.
Syntax [no] summary-address ipaddr/mask

{not-advertise | tag num}
ipaddr/mask Specifies the address range.
not-advertise Disables advertisement of routes for the specified
range.
tag num Includes the specified tag value in external LSAs
for IP addresses within the specified range. The
tag value can be 0-4294967295. The default tag
value is 0.
Default None
Mode OSPFv2
Configuration Commands Applicable to OSPFv3 Only

All the global OSPF commands that are applicable to OSPFv3 are also
applicable to OSPFv2. (See “Configuration Commands Applicable to
OSPFv2 or OSPFv3” on page 425.)

show {ip | ipv6} ospf
OSPF Show Commands

This section lists the OSPF show commands.
show {ip | ipv6} ospf

Description Display configuration information and statistics for OSPFv2 processes or
OSPFv3 processes.
Syntax show ip ospf [process-id]
show ipv6 ospf [tag]
process-id Specifies the OSPFv2 process. If you omit this
option, settings for all configured OSPFv2 pro-
cesses are displayed.
tag Specifies the OSPFv3 process. If you omit this
option, settings for all configured OSPFv3 pro-
cesses are displayed.
Example The following command shows information for OSPFv2 process 0:

AX#show ip ospf 0
Routing Process "ospf 0" with ID 1.1.1.1
Process uptime is 3 hours 12 minutes
Process bound to VRF default
Conforms to RFC2328, and RFC1583 Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Graceful Restart
This router is an ASBR (injecting external routing information)
SPF schedule delay min 0.500 secs, SPF schedule delay max 50.0 secs
Refresh timer 10 secs
Number of incoming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 0. Checksum 0x000000
Number of opaque AS LSA 0. Checksum 0x000000
Number of non-default external LSA 0
External LSA database is unlimited.
Number of LSA originated 2
Number of LSA received 79

show ip ospf border-routers
Number of areas attached to this router: 1

Area 1 (NSSA)
Number of interfaces in this area is 2(2)
Number of fully adjacent neighbors in this area is 2
Number of fully adjacent virtual neighbors through this area is 0
Area has no authentication
SPF algorithm last executed 02:07:40.860 ago
SPF algorithm executed 16 times
Number of LSA 10. Checksum 0x06b2fa
NSSA Translator State is disabled
Shortcutting mode: Default, S-bit consensus: ok
show ip ospf border-routers

Description Display route information for OSPFv2 ABRs and ASBRs.
Syntax show ip ospf border-routers
Example The following command shows route information for ABRs and ASBRs:
AX#show ip ospf border-routers
OSPF process 0 internal Routing Table
Codes: i - Intra-area route, I - Inter-area route
i 3.3.3.3 [1] via 10.0.0.1, ve 1, ABR, ASBR, Area 0.0.0.1

show ip ospf database

Description Displays information about the OSPFv2 databases on the device.
Note: The options are different for OSPFv3. See “show ipv6 ospf database” on
page 457.
Syntax show ip ospf database

[
adv-router ipaddr |
{asbr-summary | external | network |
nssa-external | opaque-area | opaque-as |
opaque-link | router | summary}
[[ipaddr [adv-router ipaddr]
[self-originate]] | [adv-router ipaddr] |
[self-originate]] |
max-age |
self-originate
]
adv-router
ipaddr Displays LSA information for the specified
advertising router.
asbr-summary Displays information about ASBR summary
LSAs.
max-age Displays information for the LSAs that have
reached the maximum age allowed, which is
3600 seconds.
self-originate Displays information for LSAs originated by this
OSPF router.
external Displays information about external LSAs.
network Displays information about network LSAs.
nssa-external Displays information about NSSA external
LSAs.
opaque-area Displays information about Type-10 Opaque
LSAs. Type-10 Opaque LSAs are LSAs with
local-area scope (link state type 10), and are not
flooded outside the local area.
opaque-as Displays information about Type-11 LSAs,
which are flooded throughout the Autonomous
System (AS).

opaque-link Displays information about Type-9 LSAs.

Type-9 LSAs have link-local scope, and are not
flooded beyond the local network.
router Displays information about router LSAs.
summary Displays information about summary LSAs.
The following suboptions are available for the external, network, nssa-
external, opaque-area, opaque-as, opaque-link, router, and summary
options:
ipaddr Displays LSA information for a specific link-
state ID (expressed as an IP address).
adv-router
advertising router.
self-originate Displays information for LSAs originated by this
OSPF router.
Example The following command shows the OSPFv2 database:

AX#show ip ospf database
Router Link States (Area 0.0.0.1 [NSSA])
Link ID ADV Router Age Seq# CkSum Link count

1.1.1.1 1.1.1.1 1105 0x800000c9 0xcb72 2
2.2.2.2 2.2.2.2 638 0x80000008 0xdb92 2
3.3.3.3 3.3.3.3 1998 0x800000cb 0x47c1 2
4.4.4.4 4.4.4.4 1717 0x800000f6 0xe1d2 3
Net Link States (Area 0.0.0.1 [NSSA])
Link ID ADV Router Age Seq# CkSum

10.0.0.1 3.3.3.3 1998 0x80000006 0xec1b
11.0.0.1 3.3.3.3 203 0x80000005 0x14ef
13.0.0.2 4.4.4.4 1717 0x80000006 0xbf3c
14.0.0.1 4.4.4.4 1962 0x80000004 0xf207
Summary Link States (Area 0.0.0.1 [NSSA])
Link ID ADV Router Age Seq# CkSum Route

0.0.0.0 3.3.3.3 1998 0x800000a3 0x99ed 0.0.0.0/0
NSSA-external Link States (Area 0.0.0.1 [NSSA])
Link ID ADV Router Age Seq# CkSum Route Tag

1.0.100.1 1.1.1.1 1105 0x8000008e 0x942a E2 1.0.100.1/32 0

show ipv6 ospf database

Description Displays information about the OSPFv3 databases on the device.
Syntax show ipv6 ospf [tag] database

[
external |
grace |
inter-prefix |
inter-router |
intra-prefix |
link |
network |
router}
[adv-router ipaddr]
]
external Displays information about external LSAs.
grace Displays information about grace LSAs, used
during graceful restart.
inter-prefix Displays information about Inter-Area-Prefix
LSAs.
inter-router Displays information about Inter-Area-Router
LSAs.
intra-prefix Displays information about Intra-Area-Prefix
LSAs.
links Displays information about link LSAs.
network Displays information about network LSAs.
router Displays information about router LSAs.
Each option above supports the following suboption:

adv-router
advertising router.

Example The following command shows the OSPFv3 database:

AX#show ipv6 ospf database
OSPFv3 Router with ID (1.1.1.1) (Process *null*)
Link-LSA (Interface ve 1)
Link State ID ADV Router Age Seq# CkSum Prefix

0.0.0.49 1.1.1.1 1121 0x8000008a 0xc927 1
0.0.0.8 3.3.3.3 1953 0x80000007 0x30cd 1
Link-LSA (Interface ve 2)
Link State ID ADV Router Age Seq# CkSum Prefix

0.0.0.50 1.1.1.1 1121 0x80000096 0x08d8 1
0.0.0.8 4.4.4.4 1893 0x80000007 0xe638 1
Router-LSA (Area 0.0.0.0)
Link State ID ADV Router Age Seq# CkSum Link

0.0.0.0 1.1.1.1 1114 0x800000b1 0xcafa 2
0.0.0.0 2.2.2.2 904 0x800000ab 0x61a6 2
0.0.0.0 3.3.3.3 1953 0x80000094 0xe52a 2
0.0.0.0 4.4.4.4 1893 0x800000a8 0x846b 2
Network-LSA (Area 0.0.0.0)
Link State ID ADV Router Age Seq# CkSum

0.0.0.8 3.3.3.3 1953 0x80000006 0xd40b
0.0.0.9 3.3.3.3 179 0x80000005 0xfedc
0.0.0.8 4.4.4.4 1893 0x80000006 0xd8fe
0.0.0.9 4.4.4.4 124 0x80000005 0x03d0
Intra-Area-Prefix-LSA (Area 0.0.0.0)
Link State ID ADV Router Age Seq# CkSum Prefix Reference

0.0.32.0 3.3.3.3 1953 0x80000006 0x9cb3 1 Network-LSA
0.0.36.0 3.3.3.3 179 0x80000005 0x90ba 1 Network-LSA
0.0.32.0 4.4.4.4 1893 0x80000006 0xec58 1 Network-LSA
0.0.36.0 4.4.4.4 124 0x80000005 0xe05f 1 Network-LSA

show {ip | ipv6} ospf interface
show {ip | ipv6} ospf interface

Description Display OSPF information for an interface.
Syntax show {ip | ipv6} ospf interface

trunk num | udld num | ve ve-num}
Example The following command shows OSPFv2 information for interface VE 1:

AX#show ip ospf interface ve 1
ve 1 is up, line protocol is up
Internet Address 10.0.0.2/24, Area 0.0.0.1 [NSSA], MTU 1500
Process ID 0, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State Backup, Priority 1
Designated Router (ID) 3.3.3.3, Interface Address 10.0.0.1
Backup Designated Router (ID) 1.1.1.1, Interface Address 10.0.0.2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:07
Neighbor Count is 1, Adjacent neighbor count is 1
Crypt Sequence Number is 1274173120
Hello received 1218 sent 1158, DD received 3 sent 4
LS-Req received 0 sent 1, LS-Upd received 52 sent 49
LS-Ack received 27 sent 35, Discarded 0
show ip ospf multi-area-adjacencies

Description Display OSPFv2 multi-area adjacency information.
Syntax show ip ospf multi-area-adjacencies
Example The following command shows multi-area adjacency information:

AX#show ip ospf 1 multi-area-adjacencies
Multi-area-adjacency on interface eth1 to neighbor 20.20.20.10
Internet Address 20.20.20.11/24, Area 0.0.0.1, MTU 1500
Process ID 1, Router ID 10.10.10.10, Network Type POINTOPOINT, Cost: 10
Transmit Delay is 1 sec, State Point-To-Point
Neighbor Count is 0, Adjacent neighbor count is 0
Crypt Sequence Number is 1229928206
Hello received 0 sent 513, DD received 0 sent 0
LS-Req received 0 sent 0, LS-Upd received 0 sent 0
LS-Ack received 0 sent 0, Discarded 0

show {ip | ipv6} ospf neighbor
show {ip | ipv6} ospf neighbor

Description Display information about OSPF neighbors.
Syntax show ip ospf [process-id] neighbor

[ipaddr [detail]] |
[all] |
[detail [all]] |
[interface ipaddr]
Syntax show ipv6 ospf [tag] neighbor

[ipaddr [detail]] |
[detail [all]] |
[interface ipaddr]
Note: The all option applies only to OSPFv2.
option, information for all configured OSPFv2
processes are displayed.
ipaddr [detail] Displays information for the specified neighbor.
For detailed information, use the detail option.
For summary information, omit the detail option.
all Includes neighbors whose status is Down. With-
out this option, down neighbors are not included
in the output.
detail [all] Displays detailed information for all neighbors.
To include down neighbors in the output, use the
all option.
interface
ipaddr Displays information for neighbors reachable
through the specified IP interface.

show ip ospf redistributed
Example The following command shows information for OSPFv2 neighbors:

AX#show ip ospf neighbor
OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface Instance ID
3.3.3.3 1 Full/DR 00:00:31 10.0.0.1 ve 1 0
4.4.4.4 1 Full/DR 00:00:30 13.0.0.2 ve 2 0
show ip ospf redistributed

Description Display the routes that are being redistributed into OSPFv2.
Syntax show ip ospf [process-id] redistributed

[
connected |
floating-ip |
ip-nat |
ip-nat-list |
isis |
kernel |
ospf [process-id] |
selected-vip
static |
vip
]
option, information for all configured OSPF pro-
cesses is displayed.
connected Displays redistributed routes to directly-con-
nected networks.
floating-ip Displays redistributed routes to floating IP
addresses.
ip-nat Displays redistributed routes to IP addresses
assigned from an IP NAT pool.
ip-nat-list Displays redistributed routes to IP addresses
assigned from an IP NAT range list.
isis Displays redistributed routes from IS-IS.
kernel Displays redistributed kernel routes.

show {ip | ipv6} ospf route
ospf
[process-id] Displays redistributed routes from other OSPFv2
processes.
selected-vip Displays redistributed routes to SLB VIPs that
are explicitly flagged for redistribution. This
option is applicable if the only-flagged option
was used with the redistribute vip command.
static Displays redistributed static routes.
vip Displays redistributed routes to SLB VIPs that
are implicitly flagged for redistribution. This
option is applicable if the only-not-flagged
option was used with the redistribute vip com-
mand.
Usage For more information on VIP redistribution, see “Usage” in “redistribute”

on page 435.
show {ip | ipv6} ospf route

Description Display information for OSPFv2 routes.
Syntax show ip ospf [process-id] route
show ipv6 ospf [tag] route
Example The following command shows OSPFv2 routes:

AX#show ip ospf route
IA 0.0.0.0/0 [2] via 10.0.0.1, ve 1, Area 0.0.0.1
O 1.0.4.0/24 [2] via 13.0.0.2, ve 2, Area 0.0.0.1
C 10.0.0.0/24 [1] is directly connected, ve 1, Area 0.0.0.1
O 11.0.0.0/24 [2] via 10.0.0.1, ve 1, Area 0.0.0.1

show ipv6 ospf topology
show ipv6 ospf topology

Description Display OSPFv3 topology information.
Syntax show ipv6 ospf [tag] topology

[area area-id]
processes is displayed.
area area-id Displays OSPFv3 topology information for the
specified area.
Example The following command shows the OSPFv3 topology:

AX#show ipv6 ospf topology
OSPFv3 Process (*null*)

OSPFv3 paths to Area (0.0.0.0) routers
Router ID Bits Metric Next-Hop Interface
1.1.1.1 E --
2.2.2.2 2 3.3.3.3 ve 1
4.4.4.4 ve 2
3.3.3.3 E 1 3.3.3.3 ve 1
4.4.4.4 E 1 4.4.4.4 ve 2
show {ip | ipv6} ospf virtual-links

Description Display virtual link information.
Syntax show ip ospf [process-id] virtual-links
show ipv6 ospf [tag] virtual-links

show {ip | ipv6} ospf virtual-links
Example The following command shows information for OSPFv2 virtual links:
ACOS(config)#show ip ospf virtual-link
Virtual Link VLINK1 to router 143.0.0.143 is up
Transit area 0.0.0.1 via interface ethernet 1
Local address 13.0.0.2/32
Remote address 13.0.0.1/32
Transmit Delay is 1 sec, State Point-To-Point,
Adjacency state Full

Config Commands: Router – IS-IS
This chapter describes the commands for configuring global Intermediate

System to Intermediate System (IS-IS) parameters.
Enabling IS-IS
To enable IS-IS, use the following command at the global configuration
level of the CLI.
router isis [tag]
The tag specifies the IS-IS instance to configure, and can be 1-65535.
IS-IS instance. At this level, use the following command to configure the
Network Entity Title (NET):
[no] net area-address.system-id.00
cols you plan to use on the ACOS device, to prevent router-ID changes
caused by HA or VRRP-A failover.
Interface-level IS-IS Commands

In addition to global parameters, IS-IS has parameters on the individual
interface level. To configure IS-IS on an interface, use the interface com-
mand to access the configuration level for the interface, then use the ip isis
commands. (See “Config Commands: Interface” on page 287.)

address-family
Show Commands
To display IS-IS settings, use show isis, show ip isis, and show ipv6 isis
commands. (See “Show Commands” on page 839.)
address-family
Description Configure this IS-IS instance to exchange IPv6 addresses with other IS-IS
routers.
Syntax [no] address-family ipv6 [unicast]
unicast Enables unicast IPv6 addresses to be exchanged,
in addition to multicast addresses. Without this
option, only multicast addresses can be
exchanged.
This command changes the CLI to the address-family configuration level,

Command Description
adjacency-check Enables IS-IS router adjacency based on Type-
Length-Value (TLV) fields in IS-IS Hello packets
between routers.
default-
information
originate Enables advertisement of the default route in
Link State Packets (LSPs) sent by this IS-IS
instance.
distance Sets the administrative distance, 1-255, for IS-IS
routes.
exit-address-
family Exits from the address-family configuration
level.

adjacency-check
[no] multi-
topology
[level-1 |
level-1-2 |
level-2]
[transition] Enables multi-topology mode. The transition
option accepts and generates both IS-IS IPv6 and
multi-topology IPv6 TLVs.
redistribute
option Enables distribution of routes from other sources
into IS-IS. For available options, see “redistrib-
ute” on page 479.
summary-prefix
ipv6-addr/
prefix
[level-1 |
level-1-2 |
level-2] Configures an IPv6 summary prefix.
Default Disabled. When you enable IPv6 exchange, the unicast option is disabled by
default.
Mode IS-IS
Example The following command enables exchange of IPv6 multicast and unicast
addresses with other IS-IS routers:
ACOS(config-router)#address-family ipv6 unicast
adjacency-check
Description Enable IS-IS router adjacency based on Type-Length-Value (TLV) fields in
IS-IS Hello packets between routers.
Syntax [no] adjacency-check
Default Enabled.
Mode IS-IS

area-password
area-password
Description Configure the password for authenticating IS-IS traffic between Level-1
routers.
Syntax [no] area-password string

[authenticate snp {send-only | validate}]
authenticate
snp
{send-only |
validate} Uses the password for authentication of
Sequence Number Packets (SNPs).
send-only – Inserts the password into SNP PDUs
before sending them, but does not check for the
password in SNP PDUs received from other rout-
ers.
validate – Inserts the password into SNP PDUs
before sending them, and also checks for the
ers.
Default None. If you configure a Level-1 password, the snp option is disabled by
default.
Mode IS-IS
Usage This command applies only to Level-1. To configure authentication for

Level-2, see “domain-password” on page 471.
Example The following command configures IS-IS to use password “isisl1pwd” to

authenticate Level-1 IS-IS traffic within the area, including inbound and
outbound SNP PDUs:
ACOS(config-router)#area-password isisl1pwd authenticate snp validate

authentication
authentication
Description Configure authentication for this IS-IS instance.
Syntax [no] authentication send-only [level-1 | level-2]
[no] authentication mode md5 [level-1 | level-2]
[no] authentication key-chain name

[level-1 | level-2]
send-only
[level-1 |
level-2] Disables checking for keys in IS-IS packets
received by this IS-IS instance.
(intra-area) IS-IS traffic.
(inter-area) IS-IS traffic.
mode md5
[level-1 |
level-2] Enables MD5 authentication.
level-1 – Enables MD5 only for Level-1 (intra-
level-2 – Enables MD5 only for Level-2 (inter-
key-chain name
[level-1 |
level-2] Specifies the name of the certificate key chain to
use for authenticating IS-IS traffic.
level-1 – Applies only to Level-1 (intra-area)
IS-IS traffic.
level-2 – Applies only to Level-2 (inter-area)
IS-IS traffic.
Default Clear-text authentication is enabled by default. MD5 authentication is dis-

abled by default. No key chain is set by default. The send-only option is
disabled by default. All options apply to Level-1 and Level-2, unless you
specify one level or the other.
Mode IS-IS

bfd
Usage Use the send-only option to temporarily disable key checking, then use the
key-chain option to specify the key chain. To use MD5, use the md5 option
to disable clear-text authentication and enable MD5 authentication. After
key-chains are installed on the other IS-IS routers, disable the send-only
option.
Example The following commands configure MD5 authentication for this IS-IS
instance:
ACOS(config-router)#authentication send-only
ACOS(config-router)#authentication mode md5
ACOS(config-router)#key-chain chain1
ACOS(config-router)#no authentication send-only
bfd
Description Enable BFD on all interfaces for which IS-IS is running.
Syntax [no] bfd all-interfaces
Default Disabled
Mode IS-IS
Description Enable advertisement of the default route in Link State Packets (LSPs) sent
by this IS-IS instance.
Default Disabled
Mode IS-IS
Usage If the IPv4 or IPv6 data route tables contain a default route, the default route
is included in Level-2 LSPs sent by this IS-IS instance. This command does
not apply to Level-1 LSPs.

distance
distance
Description Set the administrative distance for IS-IS routes.
Syntax [no] distance num [system-id]
num Specifies the distance, 1-255.
system-id Assigns the distance only to routes from the
router with the specified IS-IS system ID.
Default None
Mode IS-IS
Usage The administrative distance specifies the trustworthiness of routes. A low

administrative distance value indicates a high level of trust. Likewise, a
administrative distance value indicates a low level of trust. For example,
setting the administrative distance value for external routes to 255 means
those routes are very untrustworthy and should not be used.
domain-password
Description Configure the password for authenticating IS-IS traffic between Level-2
routers.
Syntax [no] domain-password string

[authenticate snp {send-only | validate}]
authenticate
snp
{send-only |
validate} Uses the password for authentication of
Sequence Number Packets (SNPs).
send-only – Inserts the password into SNP PDUs
before sending them, but does not check for the
ers.
validate – Inserts the password into SNP PDUs
before sending them, and also checks for the
ers.
Default None. If you configure a Level-2 password, the snp option is disabled by
default.
Mode IS-IS
Usage This command applies only to Level-2. To configure authentication for

Level-1, see “area-password” on page 468.
Example The following command configures IS-IS to use password “isisl2pwd” to

authenticate Level-2 IS-IS traffic, including inbound and outbound SNP
PDUs:
ACOS(config-router)#domain-password isisl2pwd authenticate snp validate
Description Enable IS-IS awareness of High Availability (HA).
Syntax [no] ha-standby-extra-cost num
num Specifies the extra cost to add to the ACOS
device’s IS-IS interfaces, if the HA status of one
or more of the device’s HA groups is Standby.
You can specify 1-65535. If the resulting cost
value is more than 65535, the cost is set to
65535.
Default Not set. The IS-IS protocol on the ACOS device is not aware of the HA
state (Active or Standby) of the ACOS device.
Mode IS-IS
Usage Enter the command on each of the ACOS devices in the HA pair.
ignore-lsp-errors
Description Disable checksum verification for inbound LSPs.
Syntax [no] ignore-lsp-errors
Default Disabled. The checksums of inbound LSPs are verified.
Mode IS-IS

is-type
is-type
Description Specify the IS-IS routing level for this IS-IS instance.
Syntax [no] is-type {level-1 | level-1-2 | level-2-only}
level-1 Level-1 (intra-area) only.
level-1-2 Level-1 and Level-2.
level-2-only Level-2 (inter-area) only.
Default Level-1-2, unless another IS-IS instance on the ACOS device already is run-
ning at Level-2. In this case, the default is Level-1.
Mode IS-IS
Usage Only one IS-IS instance on the ACOS device can run Level-2 routing.
Description Log adjacency changes.
Syntax [no] log-adjacency-changes [detail]
Default Disabled
Mode IS-IS
lsp-gen-interval
Description Configure the minimum interval for LSP regeneration.
Syntax [no] lsp-gen-interval [level-1 | level-2] seconds
level-1 |
level-2 Specifies the circuit type to which to apply the
interval configuration.
seconds Specifies the minimum number of seconds
between each regeneration of the LSP. You can

lsp-refresh-interval
Default 30 seconds, for both Level-1 and Level2
Mode IS-IS
lsp-refresh-interval
Description Configure the LSP refresh interval.
Syntax [no] lsp-refresh-interval seconds
seconds Specifies the minimum number of seconds IS-IS
must wait before refreshing an LSP. You can
Default 900
Mode IS-IS
Usage The lsp-refresh-interval must be smaller than the max-lsp-lifetime.
max-lsp-lifetime
Description Configure the LSP maximum lifetime.
Syntax [no] max-lsp-lifetime seconds
seconds Specifies the maximum number of seconds an
LSP can remain in the database without being
refreshed. You can specify 350-65535 seconds.
Default 1200
Mode IS-IS
Usage The max-lsp-lifetime must be larger than the lsp-refresh-interval.

metric-style
metric-style
Description Configure the metric style to use for SPF calculation and for TLV encoding
in LSPs.
Syntax [no] metric-style

{
narrow
[transition [level-1 | level-1-2 | level-2]] |
transition
[level-1 | level-1-2 | level-2] |
wide
[transition [level-1 | level-1-2 | level-2]]
}
narrow
[transition
[level-1 |
level-1-2 |
level-2]] Supports 6-bit metric length for SPF calculation
and TLV encoding.
The transition option also allows 24-bit metrics
for SPF calculation, but not for TLV encoding.
level-1 – Supports 24-bit SPF calculation
only for circuit type Level-1.
level-2 – Supports 24-bit SPF calculation
only for circuit type Level-2.
level-1-2 – Supports 24-bit SPF calculation
for circuit types Level-1 and Level-2. (This
is the default, if the transition option is
used.)

net
transition
[level-1 |
level-1-2 |
level-2] Supports 6-bit and 24-bit metric lengths for SPF
calculation and TLV encoding.
level-1 – Supports both metric lengths only
for circuit type Level-1.
level-2 – Supports both metric lengths only
level-1-2 – Supports both metric lengths for
circuit types Level-1 and Level-2. (This is
the default, if the transition option is used.)
wide
[transition
[level-1 |
level-1-2 |
level-2]] Supports 24-bit metric length for SPF calculation
and TLV encoding.
The transition option also allows 6-bit metrics
for SPF calculation, but not for TLV encoding.
level-1 – Supports 6-bit SPF calculation only
level-2 – Supports 6-bit SPF calculation only
level-1-2 – Supports 6-bit SPF calculation
for circuit types Level-1 and Level-2. (This
is the default, if the transition option is
used.)
Default Narrow, for Level-1 and Level-2 routing levels (level-1-2)
Mode IS-IS
net
Description Configure a Network Entity Title (NET) for the instance.
Syntax [no] net area-address.system-id.00
area-address Specifies the address of the IS-IS area.
system-id Specifies the system ID.

passive-interface
Default None
Mode IS-IS
Usage Each IS-IS instance must have at least 1 NET.
The total length of the NET can be 8-20 bytes.

• The last (right-most) byte must be 00.
• The system-id must be 6 bytes long. For Level-1, the system-id must be
unique within the area. For Level-2, the system-id must be unique within
the entire domain.
• The area-address can be up to 13 bytes long.
You can configure more than 1 NET. This is useful in cases where you are
reconfiguring the network and need to temporarily merge or split existing
areas.
If you configure more than 1 NET, the area-address must be unique in each
NET but the system-id must be the same.
passive-interface
Description Disable routing IS-IS routing updates on AX interfaces.
Syntax [no] passive-interface

[
ethernet port-num |
loopback num |
management |
trunk num |
udld num |
ve ve-num
]
ethernet
port-num Disables routing updates from being sent on the
specified Ethernet data port.
loopback num Disables routing updates from being sent on the
specified loopback interface.
management Disables routing updates from being sent on the
Ethernet management port.

protocol-topology
trunk num Disables routing updates from being sent on the

specified trunk interface.
udld num Disables routing updates from being sent on the
specified Unidirectional Link Detection (UDLD)
link.
ve ve-num Disables routing updates from being sent on the
specified Virtual Ethernet (VE) interface.
Note: The current release does not support the loopback, trunk, or udld option.
Default Disabled
Mode IS-IS
Usage This command removes all IS-IS configuration from the specified interface.
For proper operation of IS-IS, routing updates must be enabled on at least

one interface.
protocol-topology
Description Enable IS-IS protocol topology support, which provides IPv4/IPv6/dual-
stack support.
Syntax [no] protocol-topology
Default Disabled
Mode IS-IS
Usage For standard IS-IS support, leave this option disabled.

redistribute
redistribute
Description Enable distribution of routes from other sources into IS-IS.
[no] redistribute
{
ip-nat [options] |
isis [options] |
ospf [process-id] [options] |
static [options] |
vip [only-flagged | only-not-flagged] [options]
}
connected
[options] Redistributes routes into IS-IS for reaching
directly connected networks. For options, see the
floating-ip
[options] Redistributes routes into IS-IS for reaching HA
floating IP addresses. For options, see the end of
ip-nat
[options] Redistributes routes into IS-IS for reaching trans-
ip-nat-list
[options] Redistributes routes into IS-IS for reaching trans-
ospf
[options] Redistributes OSPF routes into IS-IS. For
static
[options] Redistributes routes into IS-IS for reaching net-

redistribute
vip
[only-flagged |
only-not-
flagged]
[options] Redistributes routes into IS-IS for reaching vir-
only-flagged – Redistributes only the VIPs
on which the redistribution-flagged com-
mand is used.
only-not-flagged – Redistributes all VIPs
except those on which the redistribution-
listed above:
level-1 – Redistributes only at the IS-IS area
level.
level-1-2 – Redistributes at both the IS-IS area
and domain levels.
level-2 – Redistributes only at the IS-IS domain
level. (This is the default.)
metric num – Metric for the default route,
0-4261412864. The default is 0.
metric-type – Specifies the metric information
used when comparing the route to other routes:
external – Uses the route’s metric for com-
parison.
internal – Uses the route’s metric for com-
parison and also uses the cost of the router
that advertised the route. (This is the
default.)
(To configure a route map, use the route-map
command. See “route-map” on page 209.)
Default Disabled. By default, IS-IS routes are not redistributed. For other defaults,
see above.

redistribute
Mode IS-IS
are redistributed into IS-IS.
VIP Redistribution
• At the configuration level for IS-IS, enter the following command:
redistribute vip only-flagged
flagged
• At the configuration level for IS-IS, enter either of the following
commands: redistribute vip only-not-flagged or redistribute vip


• If you have 10 VIPs and all of them need to be redistributed by IS-IS,
use the redistribute vip command at the configuration level for IS-IS.
configuration level for IS-IS.
command at the configuration level for IS-IS. (In this case, alternatively,
you could enter redistribute vip instead of redistribute vip only-not-
flagged.)

restart-timer
Example The following command enables redistribution of IS-IS routes into OSPF:
ACOS(config-router)#redistribute ospf

addresses into IS-IS:
Example The following commands flag a VIP, then configure IS-IS to redistribute
only that flagged VIP. The other (unflagged) VIPs will not be redistributed.
ACOS(config)#router isis
restart-timer
Description Configure the graceful-restart timer.
Note: The current release does not support graceful restart.
Syntax [no] restart-timer seconds

[level-1 | level-1-2 | level-2]
seconds Specifies the number of seconds IS-IS waits for
LSP database synchronization. You can specify
5-65535 seconds.
level-1 |
level-1-2 |
level-2 Specifies the router level.
Default 60 seconds, for both Level-1 and Level-2.
Mode IS-IS
set-overload-bit
Description Disable use of this IS-IS router as a transit router during SPF calculation.
Syntax [no] set-overload-bit

[on-startup {seconds | wait-for-bgp}]
[suppress {[external] [interlevel]}]

set-overload-bit
on-startup
{seconds |
wait-for-bgp} Sets the overload bit only after startup of the
IS-IS instance, and clears the bit based on one of
the following options:
seconds – Clears the overload bit after the speci-
fied number of seconds. You can specify 5-86400
seconds.
wait-for-bgp – Clears the overload bit after BGP
signals that it has finished convergence.
– If BGP is not running, the overload bit is
immediately cleared.
– If BGP is running but does not signal con-
vergence within 10 minutes after the IS-IS
instance starts, the overload bit is cleared.
Note: The current release does not support BGP.

suppress
{[external]
[interlevel]} Suppresses redistribution of specific types of
reachability information during the overload
state.
external – Suppresses redistribution of IP pre-
fixes learned from other protocols. For example,
redistribution of IP prefixes from OSPF is sup-
pressed.
interlevel – Suppresses redistribution of IP pre-
fixes learned from other IS-IS levels. For exam-
ple, redistribution of IP prefixes from Level-2 to
Level-1 is suppressed.
Default Disabled. The overload bit is not set, and this IS-IS router can be used as a
transit (intermediate hop) router during SPF calculation.
Mode IS-IS
Usage IP prefixes that are directly connected to this IS-IS router continue to be
reachable even when the overload bit is set.

spf-interval-exp
spf-interval-exp
Description Configure the minimum and maximum delay between receiving a link-state
or IS-IS configuration change, and SPF recalculation.
Syntax [no] spf-interval-exp [level-1 | level-2]

min-delay max-delay
level-1 |
level-2 Specifies the IS-IS level to which to apply the
interval setting.
min-delay Specifies the minimum number of milliseconds
(ms) to wait before SPF recalculation following a
link-state or IS-IS configuration change. You can
specify 0-2147483647 ms.
max-delay Specifies the maximum number of ms to wait.
You can specify 0-2147483647 ms.
Default The default min-delay is 500 ms and the default max-delay is 50000 ms, for
Level-1 and Level-2 routing levels.
Mode IS-IS
summary-address
Description Configure an IPv4 summary address to aggregate multiple IPv4 prefixes for
advertisement.
Syntax [no] summary-address ipaddr/mask-length

[level-1 | level-1-2 | level-2]
ipaddr/mask-
length Specifies the summary IPv4 address to advertise.
level-1 |
level-1-2 |
level-2 Specifies the IS-IS routing level to which to
advertise the summary address. If you do not
specify a routing level, the summary address is
advertised at Level-2 only.
Default None

show ip isis [tag] route
Mode IS-IS
Usage The summary address is advertised instead of the individual IP prefixes

contained in the summary address. For example, if the IPv4 route table has
routes to 192.168.1.x/24, 192.168.2.x/24, and 192.168.11.x/24, you can
configure IS-IS to advertise summary address 192.168.0.0/16 instead of
each of the individual prefixes.
IS-IS Show Commands

This section lists the IS-IS show commands.
show ip isis [tag] route

Description Display the IPv4 IS-IS route table.
Syntax show ip isis [tag] route
tag Specifies the IS-IS tag (area). If you do not spec-
ify a tag value, IPv4 routes for all areas are dis-
played.
Mode All
Example The following command shows the IPv4 IS-IS route table:
ACOS(config)#show ip isis route
Codes: C - connected, E - external, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, D - discard, e - external metric
Area (null):
Destination Metric Next-Hop Interface Tag
C 1.0.0.0/24 10 -- ethernet 11 --
L2 2.2.2.2/32 10 1.0.0.2 ethernet 11 0

show ipv6 isis [tag] route
show ipv6 isis [tag] route

Description Display the IPv6 IS-IS route table.
Syntax show ipv6 isis [tag] route
ify a tag value, IPv6 routes for all areas are dis-
played.
Mode All
Example The following command shows the IPv6 IS-IS route table:
ACOS(config)#show ipv6 isis route
Codes: C - connected, E - external, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, D - discard, e - external metric
Area (null):
C 3000::/64 [10]
via ::, ethernet 11
L2 3222::/64 [10]
via fe80::21f:a0ff:fe01:a423, ethernet 11
show ipv6 isis [tag] topology

Description Display IPv6 IS-IS topology information.
Syntax show ipv6 isis [tag]

topology [l1 | l2 | level-1 | level-2]
ify a tag value, topology information for all areas
is displayed.
l1 | l2 |
level-1 |
level-2 Specifies the IS-IS routing level for which to dis-
play topology information.
Mode All

show isis counter
Example The following command shows IPv6 IS-IS topology information:

ACOS(config)#show ipv6 isis topology
Area (null):
IS-IS paths to level-1 routers
System Id Metric Next-Hop Interface SNPA
0000.0000.0001 --
0000.0000.0002 10 0000.0000.0002 ethernet 11 001f.a001.a423

0000.0000.0001 --
0000.0000.0002 10 0000.0000.0002 ethernet 11 001f.a001.a423
show isis counter

Description Display IS-IS statistics.
Syntax show isis counter
Mode All
Example The following command shows IS-IS counters:

ACOS(config)#show isis counter
Area (null):
IS-IS Level-1 isisSystemCounterEntry:
isisSysStatCorrLSPs: 0
isisSysStatAuthTypeFails: 0
isisSysStatAuthFails: 0
isisSysStatLSPDbaseOloads: 0
isisSysStatManAddrDropFromAreas: 1
isisSysStatAttmptToExMaxSeqNums: 0
isisSysStatSeqNumSkips: 0
isisSysStatOwnLSPPurges: 0
isisSysStatIDFieldLenMismatches: 0
isisSysStatMaxAreaAddrMismatches: 0
isisSysStatPartChanges: 0
isisSysStatSPFRuns: 6
IS-IS Level-2 isisSystemCounterEntry:

isisSysStatCorrLSPs: 0
isisSysStatAuthTypeFails: 0
isisSysStatAuthFails: 0
isisSysStatLSPDbaseOloads: 0
isisSysStatManAddrDropFromAreas: 1
isisSysStatAttmptToExMaxSeqNums: 0
isisSysStatSeqNumSkips: 0
isisSysStatOwnLSPPurges: 0

show isis [tag] database
isisSysStatIDFieldLenMismatches: 0
isisSysStatMaxAreaAddrMismatches: 0
isisSysStatPartChanges: 0
isisSysStatSPFRuns: 8
show isis [tag] database

Description Display the IS-IS database entries.
Syntax show isis [tag] database

[lspid]
[detail]
[l1 | l2 | level-1 | level-2]
ify a tag value, database entries for all areas is
displayed.
lspid Specifies the ID of a specific LSP to display.
detail Displays detailed contents of the LSPs. Without
this option, summary information is displayed.
l1 | l2 |
level-1 |
play database entries.
Mode All
Example The following command shows the IS-IS database:

ACOS(config)#show isis database
Area (null):
IS-IS Level-1 Link State Database:
LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
0000.0000.0001.00-00* 0x00000003 0xB670 1002 0/0/0
0000.0000.0001.01-00* 0x00000001 0x21B9 1002 0/0/0
0000.0000.0002.00-00 0x00000007 0xD649 1013 0/0/0
IS-IS Level-2 Link State Database:

LSPID LSP Seq Num LSP Checksum LSP Holdtime ATT/P/OL
0000.0000.0001.00-00* 0x00000004 0xB471 1012 0/0/0
0000.0000.0001.01-00* 0x00000001 0x21B9 1002 0/0/0
0000.0000.0002.00-00 0x00000007 0x6401 1166 0/0/0

show isis interface
show isis interface

Description Display IS-IS information for interfaces.
Syntax show isis interface

[
counter |
ethernet port-num |
loopback num |
management |
trunk num |
udld num |
ve ve-num
}
counter Displays IS-IS interface status information and
statistics.
ethernet
port-num Displays IS-IS information for the specified
Ethernet data port.
loopback num Displays IS-IS information for the specified
loopback interface.
management Displays IS-IS information for the specified
loopback interface.
trunk num Displays IS-IS information for the specified
trunk interface.
udld num Displays IS-IS information for the specified
UDLD interface.
ve ve-num Displays IS-IS information for the specified VE
interface.
Mode All
Example The following command shows IS-IS interface information:

ACOS(config)#show isis interface
ethernet 11 is up, line protocol is up
Routing Protocol: IS-IS ((null))
Network Type: Broadcast
Circuit Type: level-1-2
Local circuit ID: 0x01
Extended Local circuit ID: 0x0000000D
Local SNPA: 001f.a002.78ce

show isis [tag] topology
IP interface address:
1.0.0.1/24
IPv6 interface address:
3000::1/64
fe80::21f:a0ff:fe02:78ce/64
Level-1 Metric: 10/10, Priority: 64, Circuit ID: 0000.0000.0001.01
Number of active level-1 adjacencies: 1
Level-2 Metric: 10/10, Priority: 64, Circuit ID: 0000.0000.0001.01
Number of active level-2 adjacencies: 1
Next IS-IS LAN Level-1 Hello in 1 seconds
Next IS-IS LAN Level-2 Hello in 2 seconds
show isis [tag] topology

Description Display IPv4 IS-IS topology information.
Syntax show isis topology [l1 | l2 | level-1 | level-2]
l1 | l2 |
level-1 |
play topology information.
Mode All
Example The following command shows IPv4 IS-IS topology information:

ACOS(config)#show isis topology
Area (null):
0000.0000.0001 --
0000.0000.0002 10 0000.0000.0002 ethernet 11 001f.a001.a423

0000.0000.0001 --
0000.0000.0002 10 0000.0000.0002 ethernet 11 001f.a001.a42

Config Commands: Router – BGP
This chapter describes the syntax for the Border Gateway Protocol (BGP)
commands. The commands are described in the following sections:
• “Enabling BGP” on page 492
• “BGP Configuration Commands” on page 493
• “BGP Show Commands” on page 526
• “BGP Clear Commands” on page 543

Enabling BGP
To enable BGP on the ACOS device:
1. Enable the protocol and specify the Autonomous System (AS) number,
using the following command at the global configuration level of the
CLI:
router bgp AS-num
The AS-num specifies the Autonomous System Number (ASN), which

can be 1-4294967295. The ACOS device supports configuration of one
local AS.
2. Specify the ACOS device’s BGP router ID:
bgp router-id ipaddr
Note: It is strongly recommended to manually set a unique BGP router ID for

each BGP instance within the ACOS device's partitions.
3. Specify each of the ACOS device’s neighbor (peer) BGP routers:
neighbor neighbor-id remote-as AS-num

cols you plan to use on the ACOS device, to prevent router ID changes
caused by HA or VRRP-A failover. If you do not explicitly configure the
ACOS device’s BGP router ID, BGP sessions may become reset when-
ever there is an interface state change.

BGP Configuration Commands

The commands in this section apply globally to the BGP process running on
the ACOS device.
Commands at the Global Configuration Level

The commands in this section are available at the global configuration level
of the CLI.
Description Enable the ACOS device to send 4-octet BGP Autonomous System Number
(ASN) capabilities.
Syntax [no] bgp extended-asn-cap
Default Disabled; 2-octet ASN capabilities are enabled instead.
bgp nexthop-trigger
Description Configure BGP nexthop tracking.
Syntax [no] bgp nexthop-trigger delay seconds
[no] bgp nexthop-trigger enable
delay seconds Specifies the how long BGP waits before walk-
ing the full BGP table to determine which pre-
fixes are affected by the nexthop changes, after
receiving a trigger about nexthop changes. You
enable Enables nexthop tracking.
Default BGP nexthop tracking is disabled by default. When you enable it, the
default delay is 5 seconds.

address-family
Commands at the BGP Router Configuration Level

The commands in this section are available at the configuration level for the
BGP routing process for an AS.
To access the BGP router configuration level, use the router bgp AS-num
command at the global configuration level of the CLI.
address-family
Description Configure address family parameters.
Syntax [no] address-family

{
ipv4 [multicast | unicast] |
ipv6 [unicast]
}
ipv4
[multicast |
unicast] Enters configuration mode for an IPv4 address
family.
ipv6 [unicast] Enters configuration mode for an IPv6 address
family.
address family, where the following commands are available.
Command Description
[no] aggregate-
address options See “aggregate-address” on page 495.
[no] dampening
options See “bgp dampening” on page 497.
[no] distance See “distance” on page 501.
exit-address-
family Exits the address-family configuration level.

aggregate-address
[no] neighbor
options See the following sections:
– “neighbor activate” on page 502
– “neighbor allowas-in” on page 503
– “neighbor capability” on page 504
– “neighbor default-originate” on page 506
– “neighbor distribute-list” on page 508
– “neighbor filter-list” on page 509
– “neighbor maximum-prefix” on page 510
– “neighbor next-hop-self” on page 511
– “neighbor peer-group” on page 513
– “neighbor prefix-list” on page 513
– “neighbor route-map” on page 515
– “neighbor send-community” on page 516
– “neighbor soft-reconfiguration” on page 517
– “neighbor unsuppress-map” on page 519
– “neighbor weight” on page 521
[no] network
options See “network” on page 521.
[no]
redistribute
options See “redistribute” on page 523.
Default None
Mode BGP
aggregate-address
Description Configure an aggregate address.
Syntax [no] aggregate-address ipaddr/mask-length

[as-set] [summary-only]
ipaddr/mask-
length IPv4 aggregate network address.

auto-summary
Note: If you are using the command at the address-family configuration level,
the ipv6addr option is also supported.
as-set Generates AS set path information.
summary-only Filters more specific routes from updates.
Default None
Mode BGP
auto-summary
Description Enable sending of summarized routes to BGP peers.
Syntax [no] auto-summary
Default Disabled
Mode BGP
bgp always-compare-med
Description Enable comparison of the Multi Exit Discriminators (MEDs) for paths from
neighbors in different ASs.
Syntax [no] bgp always-compare-med
Default Disabled. By default, MED comparison is done only among paths from the
same AS.
Mode BGP
bgp bestpath
Description Configure options to select the best of multiple paths for a route.
Syntax [no] bgp bestpath

{as-path [ignore] | compare-routerid}

bgp dampening
as-path
[ignore] Specifies whether to consider the AS path when
selecting the best path for a route.
– To consider the AS path, use the as-path
option without the ignore option.
– To ignore the AS path, use the as-path ignore
option.
compare-
routerid Enables comparison of router IDs when compar-
ing identical routes received from different
neighbors. In this case, the route from the neigh-
bor with the lowest route ID is selected.
Default This command has the following default settings:

• as-path – AS-path consideration is enabled by default.
• compare-routerid – BGP receives routes with identical eBGP paths

from eBGP peers and selects the first route received as the best path.
Mode BGP
bgp dampening
Description Configure the BGP response to route flapping, to minimize network disrup-
tion.
Syntax [no] bgp dampening

{dampening-options | route-map map-name}
dampening-
options Configures the dampening options:
reachability-half-life – Specifies the
reachability half-life, which is the time it takes
the penalty to decrease to one-half of its current
value. You can specify 1-45 minutes.
reuse-start – Specifies the reuse limit
value. When the penalty for a suppressed route
decays below the reuse value, the routes become
unsuppressed. You can specify 1-20000.

bgp default
suppress-start – Specifies the suppress

limit value. When the penalty for a route exceeds
the suppress value, the route is suppressed. You
can specify 1-20000.
max-suppress-duration – Specifies the
maximum time that a dampened route is sup-
pressed. You can specify 1-255 minutes.
route-map
map-name Applies the dampening settings only to routes
that match the specified route map.

• reachability-half-life – 15 minutes
• reuse-start – 750
• suppress-start – 2000
• max-suppress-duration – 60 minutes (4 times the half-life time)
• route-map – none
Mode BGP
bgp default
Description Change BGP default settings.
Syntax [no] bgp default

{ipv4-unicast | local-preference num}
ipv4-unicast Activates IPv4 unicast for communication with
peers.
local-
preference num Specifies the local preference value for routes.

• ipv4-unicast – enabled
• local-preference – 100
Mode BGP

bgp deterministic-med
bgp deterministic-med
Description Enable comparison of the Multi Exit Discriminator (MED) values during
selection of a route among routes advertised by different peers in the same
AS.
Syntax [no] bgp deterministic-med
Default Disabled
Mode BGP
bgp enforce-first-as
Description Enable the ACOS device to deny any updates received from an external
neighbor that do not have the neighbor’s configured AS at the beginning of
the AS_PATH.
Syntax [no] bgp enforce-first-as
Default Enabled
Mode BGP
bgp fast-external-failover
Description Enable immediate reset of a BGP session if the interface used for the BGP
connection goes down.
Syntax [no] bgp fast-external-failover
Default Enabled
Mode BGP

bgp log-neighbor-changes
bgp log-neighbor-changes
Description Enable logging of status change messages without enabling BGP debug-
ging.
Syntax [no] bgp log-neighbor-changes
Default Disabled
Mode BGP
bgp router-id
Description Configure the router ID.
Syntax [no] bgp router-id ipaddr
ipaddr IPv4 address.
Default If a loopback interface is configured, the router ID is set to the IP address of

the loopback interface. If there are multiple loopback interfaces, the loop-
back interface with the highest numbered IP address is used.
If there are no loopback interfaces, the interface with the highest numbered
IP address is used.
Mode BGP
bgp scan-time
Description Set the interval for BGP route next-hop scanning.
Syntax [no] bgp scan-time seconds
seconds Amount of time between scans. You can specify
0-60 seconds.
Default 60
Mode BGP

distance
distance
Description Configure the administrative distance for BGP. The administrative distance
is a rating of trustworthiness of the BGP process relative to other routing
processes running on the ACOS device. The greater the distance, the lower
the trust rating.
Syntax [no] distance

{
admin-distance ipaddr/mask-length [acl-id] |
bgp external internal local
}
admin-distance
ipaddr/mask-
length
[acl-id] Overrides the configured administrative distance
for specific prefixes.
The acl-id option specifies an ACL that matches
on the routes for which to override the default
administrative distance. If you do not use this
option, the distance is applied to all IPv4 BGP
routes.
bgp external
internal local Administrative distance for different route types:
external – Specifies the administrative dis-
tance for BGP routes learned from another AS.
internal – Specifies the administrative dis-
tance for BGP routes learned from a neighbor
within the same AS.
local – Specifies the administrative distance
for BGP routes redistributed from another route
source on this ACOS device.
For each route type, you can specify a distance
value of 1-255.
Default The following administrative distance values are used by default:

• external – 20
• internal – 200
• local – 200

neighbor activate
Mode BGP
neighbor activate
Description Enable the exchange of address family routes with a neighboring BGP
router.
Syntax [no] neighbor neighbor-id activate
neighbor-id ID of the neighbor, which can be one of the fol-
lowing types of values:
ipv4ipaddr – IPv4 address.
ipv6addr – IPv6 address.
tag – Name of a peer group.
Default N/A
Mode BGP
Usage After the TCP connection is opened with the neighbor, use this command to
enable or disable the exchange of address family information with the
neighboring router.
neighbor advertisement-interval
Description Configure the minimum interval between transmission of BGP route
updates to a neighbor.
Syntax [no] neighbor neighbor-id

advertisement-interval seconds
seconds Minimum interval between route updates. You

neighbor allowas-in
Default The advertisement interval has the following default settings:

• eBGP – 30 seconds
• iBGP – 5 seconds
Mode BGP
neighbor allowas-in
Description Allow re-advertisement of all prefixes containing duplicate AS numbers.
Syntax [no] neighbor neighbor-id allowas-in

[occurrences]
occurrences Maximum number of occurrences of a given AS
number. You can specify 1-10.
Default Disabled
Mode BGP
neighbor as-origination-interval
Description Configure the interval between transmission of AS origination route
updates.

as-origination-interval seconds

neighbor capability

seconds Time between AS origination route updates. You
Default 15 seconds
Mode BGP
neighbor capability
Description Configure capability settings for the ACOS device’s BGP communication
with a neighbor.
Syntax [no] neighbor neighbor-id capability

{
dynamic |
orf prefix-list {both | receive | send} |
route-refresh
}
dynamic Enables the ACOS device to advertise or with-
draw an address family capability with the neigh-
bor, without bringing down the BGP session with
the peer.
orf prefix-list
{both |
receive |
send} Enables Outbound Router Filtering (ORF) and
advertises the ACOS device’s ORF capability to
the neighbor.
both – ACOS device can send ORF entries to
the neighbor, as well as receive ORF entries from
the neighbor.
receive – ACOS device can receive ORF
entries from the neighbor, but can not send ORF
entries to the neighbor.

neighbor collide-established
send – ACOS device can send ORF entries to

the neighbor, but can not receive ORF entries
from the neighbor.
route-refresh Enables advertisement of route-refresh capability
to the neighbor. When this option is enabled, the
ACOS device can dynamically request the neigh-
bor to re-advertise its Adj-RIB-Out.
Default None. (This assumes that the neighbor has no special capabilities or func-
tions.)
Mode BGP
Usage BGP neighbors exchange ORFs reduce the number of updates exchanged
between neighbors. By filtering updates, this option minimizes generating
and processing of updates.
The local router (ACOS device) advertises the ORF capability in send
mode, and the remote router receives the ORF capability in receive mode
applying the filter as outbound policy. The two routers exchange updates to
maintain the ORF for each router. Only an individual router or a peer group
can be configured to be in receive or send mode. A peer-group member can-
not be configured to be in receive or send mode.
neighbor collide-established
Description Include the neighbor, if already in TCP established state, in conflict resolu-
tion if a TCP connection collision is detected.
Syntax [no] neighbor neighbor-id collide-established
Default Use this command only if necessary. Generally, the command is not
required.

neighbor connection-retry-time
Inclusion of a neighbor with an established TCP connection into resolution

of TCP connection collision conflicts is automatically enabled when the
neighbor is configured for BGP graceful-restart.
Mode BGP
neighbor connection-retry-time
Description Configure the connection retry time for a neighbor.
Syntax [no] neighbor neighbor-id connection-retry-time

seconds
seconds Connection retry time. You can specify 1-65535
seconds.
Default 120 seconds
Mode BGP
neighbor default-originate
Description Enable transmission of a default route (0.0.0.0) to a neighbor.
Syntax [no] neighbor neighbor-id default-originate

[route-map map-name]
map-name Route map that specifies the nexthop IP address.

neighbor description
Default Disabled
Mode BGP
neighbor description
Description Configure a description for a neighbor.
Syntax [no] neighbor neighbor-id description string

[string ...]
string String of up to 80 characters describing the
neighbor.
Default None
Mode BGP
neighbor disallow-infinite-holdtime
Description Disallow a neighbor to set the holdtime to “infinite” (0 seconds).

disallow-infinite-holdtime
Default Disabled. Infinite holdtime is allowed.

neighbor distribute-list
Mode BGP
neighbor distribute-list
Description Filter route updates to or from a neighbor.
Syntax [no] neighbor neighbor-id distribute-list

ip-access-list {in | out}
ip-access-list ACL that matches on the routes to filter.
in | out Specifies the update direction to filter:
in – Updates received from the neighbor are fil-
tered.
out – Updates sent to the neighbor are filtered
before transmission.
Default None. By default, updates are not filtered.
Mode BGP
neighbor dont-capability-negotiate
Description Disable capability negotiation with a neighbor.

dont-capability-negotiate

neighbor ebgp-multihop
Default Capability negotiation is enabled by default.
Mode BGP
neighbor ebgp-multihop
Description Allow BGP connections with external peers on indirectly connected net-
works.
Syntax [no] neighbor neighbor-id ebgp-multihop count
count Maximum number of hops allowed, 1-255.
Default Please contact A10 Support.
Mode BGP
neighbor enforce-multihop
Description Enforce eBGP neighbors to perform multihop.
Syntax [no] neighbor neighbor-id enforce-multihop
Default Enabled
Mode BGP
neighbor filter-list
Description Filter route updates to or from a neighbor based on AS path.
Syntax [no] neighbor neighbor-id filter-list

AS-path-access-list {in | out}

neighbor maximum-prefix

AS-path-access-
list AS path list. To configure an AS path list, use the
following command at the global configuration
level of the CLI: ip as-path access-list
tered.
Default None. By default, updates are not filtered.
Mode BGP
neighbor maximum-prefix
Description Configure the maximum number of network prefixes that can be received in
route updates from a neighbor.
Syntax [no] neighbor neighbor-id maximum-prefix num

[threshold]
num Maximum number of prefixes allowed. You can
specify 1-1024.
threshold Percentage of the allowed maximum at which a
warning message is generated. You can specify
1-100.
Default The default maximum is 128. The default threshold is 75 percent.
Mode BGP

neighbor next-hop-self
Usage If the maximum is reached, the ACOS device brings down the BGP session
with the peer.
neighbor next-hop-self
Description Configure the ACOS device as the BGP next hop for a neighbor.
Syntax [no] neighbor neighbor-id next-hop-self
Default Disabled
Mode BGP
neighbor override-capability
Description Override the results of capability negotiation with a neighbor.
Syntax [no] neighbor neighbor-id override-capability
Default Disabled
Mode BGP

neighbor passive
neighbor passive
Description Do not initiate a TCP connection with the specified neighbor, but allow the
neighbor to initiate a TCP connection with the ACOS device. Once the con-
nection is up, BGP will work over the connection.
Syntax [no] neighbor neighbor-id passive
Default Disabled
Mode BGP
neighbor password
Example Enable MD5 authentication for sessions with a BGP neighbor.
Syntax [no] neighbor neighbor-id password string
password string The string can be up to 80 characters long. The
string can include the printable ASCII characters,
which are [0-9], [a-z], and [A-Z] and are fully
defined by hexadecimal value range 0x20-0x7e.
The string can not begin with a blank space, and
can not contain any of the following special char-
acters: ' " < > & \ / ?
Default Disabled
Mode BGP

neighbor peer-group
Usage Message Digest 5 (MD5) authentication of TCP segments (as introduced in

RFC 2385), provides protection of BGP sessions via the TCP MD5 Signa-
ture Option. This feature is enabled on a per-neighbor basis for the individ-
ual BGP peer configuration, and a password is required. The password must
be the same on the ACOS device and on the peer (BGP neighbor).
Example The following command enables MD5 for the connection with eBGP neigh-
bor 10.10.10.22:
ACOS(config)#router bgp 123
ACOS(config-router:device1)#neighbor 10.10.10.22 remote-as 456
ACOS(config-router:device1)#neighbor 10.10.10.22 password 1234567890abcde
neighbor peer-group
Description Add the ACOS device to a BGP peer group.
Syntax [no] neighbor neighbor-id peer-group group-name
group-name Name of the peer group.
Default None
Mode BGP
neighbor prefix-list
Description Use a prefix list to filter route updates to or from a neighbor.
Syntax [no] neighbor neighbor-id prefix-list list-name

{in | out}

neighbor remote-as
list-name Name of the prefix list.
tered.
Default By default, updates are not filtered.
Mode BGP
Usage Filtering by prefix list matches the prefixes of routes with those listed in the
prefix list. If there is a match, the route is used. An empty prefix list permits
all prefixes. If a given prefix does not match any entries of a prefix list, the
route is denied access. When multiple entries of a prefix list match a prefix,
the entry with the smallest sequence number is considered to be a real
match.
The ACOS device begins the search at the top of the prefix list, with rule
sequence number 1. Once a match or deny occurs, the ACOS device does
not need to go through the rest of the prefix list. For efficiency the most
common matches or denies are listed at the top.
The neighbor distribute-list command is an alternative to the neighbor

prefix-list command. Only one of these commands can be used for filtering
to the same neighbor in any direction.
neighbor remote-as
Description Configure an internal or external BGP (iBGP or eBGP) TCP session with
another router.
Syntax [no] neighbor neighbor-id remote-as AS-num

neighbor remove-private-as
AS-num Neighbor’s AS number.
Note: AS number 23456 is a reserved 2-octet AS number. An old BGP speaker

(2-byte implementation) should be configured with 23456 as its remote
AS number while peering with a non-mappable new BGP speaker (4-byte
implementation).
Default None
Mode BGP
neighbor remove-private-as
Description Remove the private AS number from outbound updates.
Syntax [no] neighbor neighbor-id remove-private-as
Default Disabled
Mode BGP
neighbor route-map
Description Apply a route map to incoming or outgoing routes.
Syntax [no] neighbor neighbor-id route-map map-name

{in | out}

neighbor send-community

map-name Name of the route map.
in | out Specifies the traffic direction to which to apply
the route map:
in – The route map is applied to routes received
from the neighbor.
out – The route map is applied to routes sent to
the neighbor.
Default None
Mode BGP
neighbor send-community
Description Send community attributes to a neighbor.
Syntax [no] neighbor neighbor-id send-community

[both | extended | standard]
both Sends both standard and extended community
attributes.
extended Sends only extended community attributes.
standard Sends only standard community attributes.
Default By default, both standard and extended community attributes are sent to a
neighbor. To explicitly send only the standard or extended community attri-
bute, run the bgp config-type command with the standard parameter, before
running this command.
Mode BGP
Usage The community attribute groups destinations in a certain community and

applies routing decisions according to those communities. Upon receiving
community attributes, the ACOS device re-announces them to the neighbor.

neighbor shutdown
Usage To prevent community attributes from being re-announced to the neighbor,

use the “no” form of this command.
neighbor shutdown
Description Disable a neighbor.
Syntax [no] neighbor neighbor-id shutdown
Default None
Mode BGP
Usage This command shuts down any active session for the specified neighbor and
clears all related routing data.
neighbor soft-reconfiguration
Description Configure the ACOS device to begin storing updates, without any consider-
ation of the applied route policy.
Syntax [no] neighbor neighbor-id soft-reconfiguration

inbound
Default Disabled
Mode BGP

neighbor strict-capability-match
Usage Use this command to store updates for inbound soft reconfiguration. Soft-
reconfiguration can be used as an alternative to BGP route refresh capabil-
ity. Using this command enables local storage of all the received routes and
their attributes. When a soft reset (inbound) is performed on the neighbor,
the locally stored routes are reprocessed according to the inbound policy.
The BGP neighbor connection is not affected.
neighbor strict-capability-match
Description Close the BGP connection to a neighbor if a capability value does not com-
pletely match the value on the ACOS device.
Syntax [no] neighbor neighbor-id strict-capability-match
Default Enabled
Mode BGP
neighbor timers
Description Configure the timers for a neighbor.
Syntax [no] neighbor neighbor-id timers

{interval holdtime | connect seconds}

neighbor unsuppress-map
interval
holdtime The interval specifies the amount of time
between transmission of keepalive messages to
the neighbor. You can specify 0-65535 seconds.
The holdtime specifies the maximum amount of
time the ACOS device will wait for a keepalive
message from the neighbor before declaring the
neighbor dead. You can specify 0-65535 seconds.
connect seconds Connect timer. You can specify 0-65535 seconds.
In ACTIVE state, the BGP router (ACOS device)
will accept an incoming connection request from
the peer before the connect time expires.
Default The default interval is 60 seconds. The default holdtime is 180 seconds. The
default connect time is 0.
Mode BGP
neighbor unsuppress-map
Description Selectively leak more-specific routes to a neighbor.
Syntax [no] neighbor neighbor-id unsuppress-map map-name
map-name Route map used to select routes to be unsup-
pressed.
Default Disabled
Mode BGP
Usage When the aggregate-address command is used with the summary-only

option, the more-specific routes of the aggregate are suppressed to all neigh-
bors. Use the unsuppress-map command to selectively leak more-specific
routes to a particular neighbor.

neighbor update-source
neighbor update-source
Description Allow internal BGP sessions to use any operational interface for TCP con-
nections with a neighbor.
Syntax [no] neighbor neighbor-id update-source interface
interface Interface name or address.
Default IP address of the outgoing interface to the neighbor.
Mode BGP
neighbor version
Description Specify the BGP version supported by the ACOS device for BGP communi-
cation with a neighbor.
Syntax [no] neighbor neighbor-id version 4
Default 4
Mode BGP

neighbor weight
neighbor weight
Description Assign a weight value to routes learned from a neighbor.
Syntax [no] neighbor neighbor-id weight num
num Weight value assigned to routes learned from the
neighbor. You can specify 0-65535.
Default 0 (zero)
Mode BGP
Usage Use this command to specify a weight value, per address-family, to all
routes learned from a neighbor. The route with the highest weight gets pref-
erence when the same prefix is learned from more than one peer.
Unlike the local-preference attribute, the weight attribute is relevant only

to the local router.
The weights assigned using the set weight command override the weights
assigned using this command.
When the weight is set for a peer group, all members of the peer group will
have the same weight. The command can also be used to assign a different
weight to a particular peer-group member. When a separately configured
weight of the peer-group member is unconfigured, its weight will be reset to
its peer group’s weight.
network
Description Specify the networks to be advertised by the ACOS device’s BGP routing
process.
Syntax [no] network

{ipaddr/mask-length | ipaddr mask network-mask}
[route-map map-name]

synchronization
ipaddr/mask-
length |
ipaddr mask
network-mask Network address and mask.
map-name Route map used to set or modify a value.
Default None
Mode BGP
Usage A unicast network address without a mask is accepted if it falls into the nat-
ural boundary of its class. A class-boundary mask is derived if the address
matches its natural class-boundary.
synchronization
Description Enable IGP synchronization of iBGP learned routes.
Syntax synchronization
Default Disabled
Mode BGP
Usage Enable synchronization if the ACOS device should not advertise routes
learned from iBGP neighbors, unless those routes also are present in an IGP
(for example, OSPF). Synchronization may be enabled when all the routers
in an AS do not speak BGP and the AS is a transit for other ASs.

redistribute
redistribute
Description Redistribute route information from other sources into BGP.

{
connected [route-map map-name] |
floating-ip [route-map map-name] |
ip-nat [route-map map-name] |
ip-nat-list [route-map map-name] |
isis [route-map map-name] |
ospf [route-map map-name] |
rip [route-map map-name] |
static [route-map map-name] |
vip
[only-flagged [route-map map-name] |
only-not-flagged [route-map map-name] |
[route-map map-name]]
}
connected
[route-map
map-name] Redistributes route information for directly con-
nected networks into BGP. The route-map
option specifies the name of a configured route
map.
floating-ip
[route-map
map-name] Redistributes route information for floating IP
addresses into BGP. The route-map option spec-
ifies the name of a configured route map.
ip-nat
[route-map
map-name] Redistributes routes into BGP for reaching trans-
lated NAT addresses allocated from a pool. The
route-map option specifies the name of a config-
ured route map.
ip-nat-list
[route-map
map-name] Redistributes routes into BGP for reaching trans-
The route-map option specifies the name of a
configured route map.

redistribute
isis
[route-map
map-name] Redistributes route information from Intermedi-
BGP. The route-map option specifies the name
of a configured route map.
ospf
[route-map
map-name] Redistributes route information from Open
Shortest Path First (OSPF) into BGP. The route-
map option specifies the name of a configured
route map.
static
[route-map
map-name] Redistributes routes into BGP for reaching net-
works through static routes. The route-map
option specifies the name of a configured route
map.
vip
[only-flagged
[route-map
map-name] |
only-not-
flagged
[route-map
map-name] |
[route-map
map-name]] Redistributes routes into BGP for reaching vir-
command is used.
The route-map option specifies the name of a
configured route map.

timers
Default None
Mode BGP
timers
Description Configure the BGP keepalive and holdtime timer values.
Syntax [no] timers bgp interval holdtime
interval Specifies the amount of time between transmis-
sion of keepalive messages to neighbors. You can
holdtime Specifies the maximum amount of time the
ACOS device will wait for a keepalive message
from a neighbor before declaring the neighbor
dead. You can specify 0-65535 seconds.
Default The default interval is 30 seconds. The default holdtime is 90 seconds.
Mode BGP

show bgp ipv4addr
BGP Show Commands

This section lists the BGP show commands.
show bgp ipv4addr

Description Display BGP network information for IPv4.
Syntax show bgp

{
ipv4addr |
ipv4addr/mask-length [longer-prefixes]
}
ipv4addr |
ipv4addr/mask-
length IPv4 prefix and mask length.
The longer-prefixes option includes prefixes that
have a longer mask than the one specified.
Mode All
show bgp ipv6addr

Description Display BGP network information for IPv6.
Syntax show bgp

{
ipv6addr |
ipv6addr/mask-length [longer-prefixes]
}
ipv6addr |
ipv6addr/mask-
length IPv6 prefix and mask length.
Mode All

show bgp ipv4 {multicast | unicast}

Description Display BGP information for IPv4.
Syntax show bgp ipv4 {multicast | unicast}

[
ipv4addr |
community [community-number] [exact-match]
[local-AS] [no-advertise] [no-export] |
community-list list-name [exact-match] |
dampening {dampened-paths | flap-statistics |
parameters} |
filter-list list-name |
inconsistent-as |
neighbors [ipv4addr | ipv6addr
[advertised-routes | received prefix-filter |
received-routes | routes]] |
prefix-list list-name |
quote-regexp string |
regexp string [string ...] |
route-map map-name |
summary
]
multicast |
unicast Specifies the IPv4 address family for which to
display information.
ipv4addr |
ipv4addr/mask-
length Network and mask information.
community
[community-
number]
[options] Displays routes matching the communities. Enter
the community number in AA:NN format.
exact-match – Displays only communities
that exactly match.
local-AS – Displays only communities that
are not sent outside the local AS.

no-advertise – Displays only communities

that are not sent advertised to neighbors.
no-export – Displays only communities that
are not exported to the next AS.
community-list
list-name
[exact-match] Displays routes matching the specified commu-
nity list. The exact-match option displays only
the routes that have exactly the same communi-
ties.
dampening
{options} Displays route-flap dampening information. You
must specify one of the following options:
dampened-paths – Displays paths sup-
pressed due to dampening.
flap-statistics – Displays flap statistics
for routes.
parameters – Displays details for configured
dampening parameters.
filter-list
list-name Displays routes that match the specified filter
list.
inconsistent-as Displays routes that have inconsistent AS Paths.
neighbors
[ipv4addr |
ipv6addr
[options]] Displays detailed information about TCP and
BGP neighbor connections. The following
advertised-routes – Displays the routes
advertised to a BGP neighbor.
received prefix-filter – Displays all
received routes, both accepted and rejected.
received-routes – Displays the received
routes from neighbor. To display all the received
routes from the neighbor, configure BGP soft
reconfiguration first.
routes – Displays all accepted routes learned
from neighbors.

show bgp ipv4 neighbors
prefix-list
list-name Displays routes that match the specified prefix
list.
quote-regexp
string Displays routes that match the specified AS-path
regular expression. Enclose the regular expres-
sion string in double quotation marks (example:
“regexp-string-1”).
regexp string
[string ...] Displays routes that match the specified AS-path
regular expression(s).
route-map
map-name Displays routes that match the specified route
map.
summary Displays a summary of BGP neighbor status.
Mode All
show bgp ipv4 neighbors

Description Display information about IPv4 BGP neighbors.
Syntax show bgp ipv4 neighbors

[ipv4addr | ipv6addr
[advertised-routes |
received prefix-filter |
received-routes |
routes]]
ipv4addr |
ipv6addr Network and mask information.
advertised-
routes Displays the routes advertised to a BGP neigh-
bor.
received
prefix-filter Displays all received routes, both accepted and
rejected.
received-routes Displays the received routes from neighbor. To
display all the received routes from the neighbor,
configure BGP soft reconfiguration first.

show bgp ipv4 prefix-list
routes Displays all accepted routes learned from neigh-

bors.
Mode All
show bgp ipv4 prefix-list

Description Display IPv4 routes that match the specified prefix list.
Syntax show bgp ipv4 prefix-list list-name
Mode All
show bgp ipv4 quote-regexp

Description Display IPv4 routes that match the specified AS-path regular expression.
Enclose the regular expression string in double quotation marks (example:
Syntax show bgp ipv4 quote-regexp string
Mode All
show bgp ipv4 summary

Description Display a summary of BGP IPv4 neighbor status.
Syntax show bgp ipv4 summary
Mode All

show bgp ipv6
show bgp ipv6

Syntax show bgp ipv6

[
ipv6addr |
parameters} |
inconsistent-as |
multicast {ipv6addr |
ipv6addr/mask-length [longer-prefixes]} |
paths |
summary |
unicast {ipv6addr |
ipv6addr/mask-length [longer-prefixes]} |
view view-name
]
ipv6addr |
ipv6addr/mask-
length Network and mask information.
community
[community-
number]
[options] Displays routes for communities. Enter the com-
munity number in AA:NN format.
that exactly match.

show bgp ipv6

community-list
list-name
ties.
dampening
for routes.
filter-list
list.
multicast
{ipv6addr |
ipv6addr/mask-
length
[longer-
prefixes]} Displays IPv6 routes for the specified multicast
address family.
neighbors
[ipv4addr |
ipv6addr

show bgp ipv6

from neighbors.
paths Displays BGP path information.
prefix-list
list.
quote-regexp
regexp string
route-map
map.
unicast
{ipv6addr |
ipv6addr/mask-
length
[longer-
prefixes]} Displays IPv6 routes for the specified unicast
address family.
view view-name Displays neighbors within the specified view.
Note: The labeled option is not applicable.
Mode All

show bgp nexthop-tracking
show bgp nexthop-tracking

Description Display the status of nexthop address tracking.
Syntax show bgp nexthop-tracking
Mode All
show bgp nexthop-tree-details

Description Display nexthop tree details.
Syntax show bgp nexthop-tree-details
Mode All
show ip bgp attribute-info

Description Display internal attribute hash information.
Syntax show ip bgp attribute-info
Mode All
show ip bgp cidr-only

Description Display routes with non-natural network masks.
Syntax show ip bgp cidr-only
Mode All
show [ip] bgp community

Description Display routes for communities.
Syntax show [ip] bgp community [community-number]

[exact-match] [local-AS] [no-advertise]
[no-export]

show ip bgp community-info
community-
number Community number, in AA:NN format.
exact-match Displays only communities that exactly match.
local-AS Displays only communities that are not sent out-
side the local AS.
no-advertise Displays only communities that are not sent
advertised to neighbors.
no-export Displays only communities that are not exported
to the next AS.
Mode All
show ip bgp community-info

Description Display all BGP community information.
Syntax show ip bgp community-info
Mode All
show [ip] bgp community-list

Description Display routes for a specific community list.
Syntax show [ip] bgp community-list list-name

[exact-match]
list-name Displays routes matching the specified commu-
nity list.
exact-match Displays only the routes that have exactly the
same communities.
Mode All

show [ip] bgp dampening
show [ip] bgp dampening

Description Display route-flap dampening information.
Syntax show [ip] bgp dampening

{dampened-paths | flap-statistics | parameters}
dampened-paths Displays paths suppressed due to dampening.
flap-statistics Displays flap statistics for routes.
parameters Displays details for configured dampening
parameters.
Mode All
show [ip] bgp filter-list

Description Display routes that match a specific filter list.
Syntax show [ip] bgp filter-list list-name
Mode All
show [ip] bgp inconsistent-as

Description Display routes that have inconsistent AS Paths.
Syntax show [ip] bgp inconsistent-as
Mode All

show ip bgp ipv4
show ip bgp ipv4

Syntax show ip bgp ipv4 {multicast | unicast}

[
ipv4addr |
cidr-only |
parameters} |
inconsistent-as |
paths |
summary
]
multicast |
unicast Specifies the IPv4 address family for which to
display information.
cidr-only Displays routes with non-natural network masks.
community
[community-
number]
[options] Displays routes matching the communities. Enter
the community number in AA:NN format.
that exactly match.

show ip bgp ipv4

community-list
list-name
ties.
dampening
for routes.
filter-list
list.
neighbors
[ipv4addr |
ipv6addr
from neighbors.
paths Displays BGP path information.

show [ip] bgp neighbors
prefix-list
list.
quote-regexp
regexp string
route-map
map.
Mode All

Description Display information about BGP neighbors.
Syntax show [ip] bgp neighbors

[
ipv4addr | ipv6addr
[
advertised-routes |
connection-retrytime |
hold-time |
keepalive |
keepalive-interval |
notification |
open |
rcvd-msgs |
received prefix-filter |
received-routes |
routes |
sent-msgs |
update
]
]

ipv4addr |
ipv6addr Network and mask information.
advertised-
routes Displays the routes advertised to a BGP neigh-
bor.
connection-
retrytime Displays the configured connection-retry-time
value at the session establishment time with the
neighbor.
hold-time Displays the configured hold-time value of the
neighbor at the session establishment time with
the neighbor.
keepalive Displays the number of keepalive messages sent
to the neighbor throughout the session.
keepalive-
interval Displays the configured keepalive-interval value
at the session establishment time with the neigh-
bor.
notification Displays the number of Notification messages
sent to the neighbor throughout the session.
open Displays the number of Open messages sent to
the neighbor throughout the session.
rcvd-msgs Displays the number of messages received from
received
prefix-filter Displays all received routes, both accepted and
rejected.
received-routes Displays the received routes from neighbor. To
display all the received routes from the neighbor,
configure BGP soft reconfiguration first.
routes Displays all accepted routes learned from neigh-
bors.
sent-msgs Displays the number of messages sent to the
neighbor throughout the session.
update Displays the number of Update messages sent to
Mode All

show [ip] bgp paths
show [ip] bgp paths

Description Display BGP path information.
Syntax show [ip] bgp paths
Mode All
show [ip] bgp prefix-list

Description Display routes that match a specific prefix list.
Syntax show [ip] bgp prefix-list list-name
Mode All
show [ip] bgp quote-regexp

Description Display routes that match the specified AS-path regular expression. Enclose
the regular expression string in double quotation marks (example: “regexp-
string-1”).
Syntax show [ip] bgp quote-regexp string
Mode All
show [ip] bgp regexp

Description Display routes that match the specified AS-path regular expression(s).
Syntax show [ip] bgp regexp string [string ...]
Mode All
show [ip] bgp route-map

Description Display routes that match the specified route map.
Syntax show [ip] bgp route-map map-name
Mode All

show ip bgp scan
show ip bgp scan

Description Display BGP scan status.
Syntax show ip bgp scan
Mode All
show [ip] bgp summary

Description Display a summary of BGP neighbor status.
Syntax show [ip] bgp summary
Mode All
show ip bgp view

Description Display neighbors of a specific view.
Syntax show ip bgp view view-name

[
ipv4addr |
ipv4 {multicast | unicast} summary |
neighbors [ipv4addr | ipv6addr] |
summary
]
view-name Name of the view.
ipv4addr |
ipv4addr/mask-
length Prefix and mask.
ipv4
{multicast |
unicast}
summary Displays information for the specified IPv4
address family.
neighbors
[ipv4addr |
ipv6addr] Displays information for the specified neighbor.

clear [ip] bgp {* | AS-num}
summary Displays summary neighbor information.
Mode All
BGP Clear Commands

This section lists the BGP clear commands.
clear [ip] bgp {* | AS-num}

Description Reset the BGP connection to all neighbors or a specific neighbor.
Syntax clear [ip] bgp {* | AS-num}

[
in [prefix-filter] |
ipv4 {multicast | unicast}
{in [prefix-filter] | out | soft [in | out]} |
ipv6 unicast [soft] {in | out} |
out |
soft {in | out}
]
in
[prefix-filter] Clears incoming advertised routes. The prefix-
filters option pushes out prefix-list outbound
routing filters, and performs inbound soft recon-
figuration.
ipv4
{multicast |
unicast}
{options} Clears routes for the specified IPv4 address fam-
ily.
You must specify one of the following options:
in [prefix-filter] – Clears incoming
advertised routes. The prefix-filters option
pushes out prefix-list outbound routing filters,
and performs inbound soft reconfiguration.
out – Clears outgoing advertised routes.
soft [in | out] – Clears the specified
routes without resetting the BGP neighbor con-
nection.

clear [ip] bgp ipv4addr
in – Requests route updates from the speci-

fied neighbor.
out – Sends route updates to the specified
neighbor.
ipv6 unicast
[soft]
{in | out} Clears routes for the IPv6 address family.
out Clears outgoing advertised routes.
soft {in | out} Activates routing policy changes without reset-
ting the BGP neighbor connection.
in – Requests route updates from the specified
neighbor.
out – Sends route updates to the specified
neighbor.
Note: The ipv4 and ipv6 options apply only to the clear ip bgp command, not
the clear bgp command.

Description Reset the BGP connection for a specific IPv4 neighbor.
Syntax clear [ip] bgp ipv4addr

[
out |
soft {in | out}
]
For option information, see “clear [ip] bgp {* | AS-num}” on page 543.
Note: The ipv4 option applies only to the clear ip bgp command, not the clear
bgp command.


Description Reset the BGP connection for a specific IPv6 neighbor.
Syntax clear [ip] bgp ipv6addr

[
out |
soft {in | out}
]
bgp command.
clear ip bgp dampening

Description Reset all dampened BGP routes.
Syntax clear ip bgp dampening

[ipv4addr | ipv4addr/mask-length]
ipv4addr |
ipv4addr/mask-
length Resets dampened routes only for the specified
IPv4 prefix.
clear [ip] bgp external

Description Reset the BGP connection to external neighbors.
Syntax clear [ip] bgp external

[
out |
soft {in | out}
]

clear ip bgp flap-statistics
bgp command.
clear ip bgp flap-statistics

Description Reset route-flap statistics counters and history.
Syntax clear ip bgp flap-statistics

ipv4addr |
ipv4addr/mask-
length Resets route-flap statistics only for the specified
IPv4 prefix.
clear [ip] bgp ipv4

Description Reset dampened routes or route-flap statistics counters and history for IPv4.
Syntax clear [ip] bgp ipv4 {multicast | unicast}

{dampening | flap-statistics}
dampening Resets dampened routes.
flap-statistics Resets route-flap statistics and history.
ipv4addr |
ipv4addr/mask-
length Resets dampened routes or route-flap statistics
and history only for the specified IPv4 prefix.

clear [ip] bgp ipv6
clear [ip] bgp ipv6

Description Reset dampened routes or route-flap statistics counters and history for IPv6.
Syntax clear [ip] bgp ipv6 unicast

{dampening | flap-statistics}
dampening Resets dampened routes.
flap-statistics Resets route-flap statistics and history.
ipv6addr |
ipv6addr/mask-
length Resets dampened routes or route-flap statistics
and history only for the specified IPv6 prefix.
clear [ip] bgp peer-group

Description Reset the BGP connection to all members of a peer group.
Syntax clear [ip] bgp peer-group group-name

[
out |
soft {in | out}
]
bgp command.

clear [ip] bgp view
clear [ip] bgp view

Description Reset the BGP connection to a specific view.
Syntax clear [ip] bgp view view-name *

[
{in [prefix-filter] | soft {in | out}} |
soft {in | out}
]
Note: The in and ipv4 options apply only to the clear ip bgp command, not the
clear bgp command.

slb buff-thresh
Config Commands: Server Load Balancing
The commands in this chapter configure SLB parameters. In some cases,

the commands create an SLB configuration item and change the CLI to the
configuration level for that item.
page 54.
slb buff-thresh
Description Fine-tune thresholds for SLB buffer queues.
Caution: Do not use this command except under advisement by A10 Networks.
Syntax [no] slb buff-thresh hw-buff num

relieve-thresh num sys-buff-low num
sys-buff-high num
hw-buff num IO buffer threshold. For each CPU, if the number
of queued entries in the IO buffer reaches this
threshold, fast aging is enabled and no more IO
buffer entries are allowed to be queued on the
CPU’s IO buffer.

slb compress-block-size
relieve-thresh
num Threshold at which fast aging is disabled, to
allow IO buffer entries to be queued again.
sys-buff-low
num Threshold of queued system buffer entries at
which the AX begins refusing new incoming
connections.
sys-buff-high
num Threshold of queued system buffer entries at
which the ACOS device drops a connection
whenever a packet is received for that connec-
tion.
slb compress-block-size
Description Change the default compression block size used for SLB.
Syntax [no] compress-block-size bytes
bytes Default compression block size, 6000-32000
bytes.
Default 16000
slb conn-rate-limit
Description Configure source-IP based connection rate limiting.
Syntax [no] slb conn-rate-limit src-ip {tcp | udp}

conn-limit per {100 | 1000}
[shared]
[exceed-action [log] [lock-out lockout-period]]
tcp | udp Specifies the Layer 4 protocol for which the filter
applies.

slb conn-rate-limit
conn-limit Specifies the connection limit. The connection

limit is the maximum number of connection
requests allowed from a client, within the limit
period. You can specify 1-1000000.
per
{100 | 1000} Specifies the limit period, The limit period is the
interval to which the connection limit is applied.
A client is conforming to the rate limit if the
number of new connection requests within the
limit period does not exceed the connection limit.
You can specify 100 milliseconds or 1000 milli-
seconds.
shared Specifies that the connection limit applies in
aggregate to all virtual ports. If you omit this
option, the limit applies separately to each virtual
port.
exceed-action
[log]
[lock-out
lockout-period] Enables optional exceed actions:
log – Enables logging. Logging generates a log
message when a client exceeds the connection
limit.
lock-out lockout-period – Locks out the client
for a specified number of seconds. During the
lockout period, all connection requests from the
client are dropped. The lockout period can be 1-
3600 seconds (1 hour). There is no default.
Note: All connection requests in excess of the connection limit that are received
from a client within the limit period are dropped. This action is enabled by
default when you enable the feature, and can not be disabled.
Default Not set
Example The following command allows up to 1000 connection requests per one-
second interval from any individual client. If a client sends more than 1000
requests within a given limit period, the client is locked out for 3 seconds.
The limit applies separately to each individual virtual port. Logging is not
enabled.
ACOS(config)#slb conn-rate-limit src-ip 1000 per 1000 exceed-action lock-out 3

slb dns-cache-age
Example The following command allows up to 2000 connection requests per 100-
millisecond interval. The limit applies to all virtual ports together. Logging
is enabled but lockout is not enabled.
ACOS(config)#slb conn-rate-limit src-ip 2000 per 100 shared exceed-action log
Example The following command allows up to 2000 connection requests per 100-
millisecond interval. The limit applies to all virtual ports together. Logging
is enabled and lockout is enabled. If a client sends a total of more than 2000
requests within a given limit period, to one or more virtual ports, the client
is locked out for 3 seconds.
ACOS(config)#slb conn-rate-limit src-ip 2000 per 100 shared exceed-action log
lock-out 3
slb dns-cache-age
Description Configure the amount of time the ACOS device locally caches DNS replies.
Syntax [no] slb dns-cache-age seconds
seconds Number of seconds the ACOS device caches
DNS replies. You can specify 1-1000000 sec-
onds.
Default 300
Usage A DNS reply begins aging as soon as it is cached and continues aging even
if the cached reply is used after aging starts. Use of a cached reply does not
reset the age of that reply.
DNS cache aging is applicable only when DNS caching is enabled. (See
“slb dns-cache-enable” on page 553.)

slb dns-cache-enable
slb dns-cache-enable
Description Globally enable caching of replies to DNS queries.
Syntax [no] slb dns-cache-enable

[
round-robin [ttl-threshold seconds] |
single-answer [ttl-threshold seconds] |
ttl-threshold seconds
]
round-robin For DNS replies that contain multiple IP
addresses in the ANSWER section, the ACOS
device rotates the addresses when replying to cli-
ent requests. (For information about the ttl-
threshold option, see below.)
single-answer Caches only replies that have a single IP address
in the ANSWER section. (For information about
the ttl-threshold option, see below.)
ttl-threshold
seconds Specifies the minimum Time-To-Live (TTL) a
reply from the DNS server must have, in order
for the ACOS device to cache the reply. You can
Default Disabled. When you globally enable DNS caching, the round-robin and
single-answer options are disabled by default. The default TTL threshold
is 0 (unset).
Usage When DNS caching is enabled, the ACOS device sends the first request for
a given name (hostname, fully-qualified domain name, URL, and so on) to
the DNS server. The ACOS device caches the reply from the DNS server,
and sends the cached reply in response to the next request for the same
name.
The ACOS device continues to use the cached DNS reply until the reply
times out. After the reply times out, the ACOS device sends the next request
for that URL to the DNS server, and caches the reply, and so on.
Enabling the single-answer option prevents the caching of DNS replies that
have multiple IP addresses. For example, if a DNS response to a query for
“www.example1.com” and the DNS reply has only one IP address (1.1.1.1),

slb dns-cache-entry-size
then the reply will be cached on the ACOS device. However, if the DNS
response to a query for “www.example2.com” has two IP addresses (2.2.2.2
and 3.3.3.3), then the entry would not be cached on the ACOS device.
If the ttl-threshold option is configured on the ACOS device, then DNS

replies will only be cached if they have a TTL value that is larger than the
TTL threshold configured on the ACOS device. This prevents the ACOS
device from caching DNS entries that will expire shortly thereafter.
For example, if the ACOS device’s TTL threshold is set to 7200 seconds
and the ACOS device receives a DNS response for a domain with a TTL of
only 10 seconds, there would be little benefit in caching that DNS reply,
since it will soon expire. Despite the cached information, subsequent client
requests for that same domain would bypass the “stale” information cached
on the ACOS device to perform another DNS lookup just 10 seconds later.
DNS caching applies only to DNS requests sent to a UDP virtual port in a
DNS SLB configuration. DNS caching is not supported for DNS requests
sent over TCP.
slb dns-cache-entry-size
Description Sets the maximum size in bytes for DNS cache entries. The num can be 1 to
4096 bytes.
Syntax [no] slb dns-cache-entry-size num
Default 256 bytes
slb dsr-health-check-enable
Description Enable health checking of the virtual server IP addresses instead of the real
server IP addresses in Direct server Return (DSR) configurations.
Syntax [no] slb dsr-health-check-enable
Default Disabled

slb enable-ddos
Usage This feature also requires configuration of a Layer 3 health method (ICMP),
with the transparent option enabled, and with the alias address set to the
virtual IP address. (See “method” on page 768.) The health monitor must be
applied to the real server ports.
Example The following commands configure a Layer 3 health monitor for DSR
health checking, apply it to the real server ports, and enable DSR health
checking:
ACOS(config)#health monitor dsr-hm
ACOS(config-health:monitor)#method icmp transparent 10.10.10.99
ACOS(config-health:monitor)#exit
ACOS(config)#slb dsr-health-check-enable
slb enable-ddos
Description Please contact A10 Networks for information about this command.
Syntax [no] slb enable-ddos
Usage For information about DDoS mitigation features, please see the Application
Access Management and DDoS Mitigation Guide.
slb enable-l7-req-acct
Description Globally enable Layer 7 request accounting.
Syntax [no] slb enable-l7-req-acct
Default Disabled
Usage If you use the least-request load-balancing method in a service group,

Layer 7 request accounting is automatically enabled for the service group’s
members, and for the virtual service ports that are bound to the service
group’s members.

slb fast-path-disable
To display Layer 7 request statistics, use the show slb service-group group-
name command. See “show slb server” on page 1022, “show slb service-
group” on page 1033, and “show slb virtual-server” on page 1060.
slb fast-path-disable
Description Disable fast-path packet inspection.
Syntax [no] slb fast-path-disable
Default Fast processing of packets is enabled by default.
Usage Fast processing of packets maximizes performance by using all the underly-
ing hardware assist facilities. Typically, the feature should remain enabled.
The option to disable it is provided only for troubleshooting, in case it is
suspected that the fast processing logic is causing an issue. If you disable
fast-path processing, ACOS does not perform a deep inspection of every
field within a packet.
slb gateway-health-check
Description Enable gateway health monitoring.
Syntax [no] slb gateway-health-check

[interval seconds [timeout seconds]]
interval
seconds Specifies the amount of time between health
check attempts, 1-180 seconds.
timeout seconds Specifies how long the ACOS device waits for a
reply to any of the ARP requests, 1-60 seconds.
Default The default interval is 5 seconds. The default timeout is 15 seconds.
Usage Gateway health monitoring uses ARP to test the availability of nexthop
gateways. When the ACOS device needs to send a packet through a gate-
way, the ACOS device begins sending ARP requests to the gateway.

slb graceful-shutdown
• If the gateway replies to any ARP request within a configurable timeout,

the ACOS device forwards the packet to the gateway.
• The ARP requests are sent at a configurable interval. The ACOS device
waits for a configurable timeout for a reply to any request. If the gate-
way does not respond to any request before the timeout expires, the
ACOS device selects another gateway and begins the health monitoring
process again.
slb graceful-shutdown
Description Allow currently active sessions time to terminate normally before shutting
down a service when you delete or disable the real or virtual server or port
providing the service.
Syntax [no] slb graceful-shutdown grace-period

[server | virtual-server] [after-disable]
grace-period Number of seconds existing connections on a
disabled or deleted server or port are allowed to
remain up before being terminated. You can
server Limits the graceful shutdown to real servers only.
virtual-server Limits the graceful shutdown to virtual servers
only.
after-disable Applies graceful shutdown to disabled servers
and service ports, as well as deleted servers.
Without this option, graceful shutdown applies
only to deleted servers.
Default Disabled. When you delete a real or virtual service port, the ACOS device
places all the port’s sessions in the delete queue, and stops accepting new
sessions on the port.
Usage When graceful shutdown is enabled, the ACOS device stops accepting new
sessions on a disabled or deleted port, but waits for the specified grace
period before moving active sessions to the delete queue.
Example The following command enables graceful shutdown and sets the grace
period to one hour:
ACOS(config)#slb graceful-shutdown 3600

slb hw-compression
slb hw-compression
Description Enable hardware-based compression.
Syntax [no] slb hw-compression
Default Disabled.
Usage Hardware-based compression is available using an optional hardware mod-

ule on the following AX models: AX 2100, AX 2200, AX 2200-11,
AX 2500, AX 2600, AX 3000, AX 3000-11, AX 3100, AX 3200, AX 3200-
11, AX 3200-12, AX 3400, AX 3530, AX 5200, AX 5200-11 and AX 5630.
If this command does not appear on your ACOS device, the device does not
contain a compression module.
Note: Installation of the compression module into ACOS devices in the field is
not supported. Contact A10 Networks for information on obtaining an
ACOS device that includes the module.
When you enable hardware-based compression, all compression settings

configured in HTTP templates, except the compression level, are used.
Hardware-based compression always uses the same compression level,
regardless of the compression level configured in an HTTP template.
Example The following command enables hardware-based compression:

ACOS(config)#slb hw-compression
slb hw-syn-rr
Syntax [no] slb hw-syn-rr num

slb l2l3-trunk-lb-disable
slb l2l3-trunk-lb-disable
Description Disable or re-enable trunk load balancing.
Syntax [no] slb l2l3-trunk-lb-disable
Default Enabled
Usage When trunk load balancing is enabled, the ACOS device load balances out-
bound Layer 2/3 traffic among all the ports in a trunk. The round-robin
method is used to load balance the traffic. For example, in a trunk contain-
ing ports 1-4, the first Layer 2/3 packet is sent on port 1. The second packet
is sent on port 2. The third packet is sent on port 3, and so on.
If you disable trunk load balancing, the lead port was always used for out-
bound traffic. The other ports were standby ports in case the lead port went
down.
Trunk load balancing applies only to Layer 2/3 traffic, and is enabled by
default. However, the CLI provides a command to disable trunk load bal-
ancing, in case there is a need to do so. Disabling trunk load balancing
causes the ACOS device to use only the lead port for outbound traffic.
Note: Trunk load balancing does not apply to Layer 4-7 traffic.
slb max-buff-queued-per-conn
Description Please contact A10 Networks for information.
Syntax [no] max-buff-queued-per-conn num
slb msl-time
Description Configure the maximum session life for client sessions. The maximum ses-
sion life controls how long the ACOS device maintains a session table entry
for a client-server session after the session ends.
Syntax [no] slb msl-time seconds

slb mss-table
seconds Number of seconds a client session can remain in
the session table following completion of the ses-
sion. You can specify 1-40 seconds.
Default 2 seconds
Usage The maximum session life allows time for retransmissions from clients or
servers, which can occur if there is an error in a transmission. If a retrans-
mission occurs while the ACOS device still has a session entry for the ses-
sion, the ACOS device is able to forward the retransmission. However, if
the session table entry has already aged out, the ACOS device drops the
retransmission instead.
The maximum session life begins aging out a session table entry when the
session ends:
• TCP – The session ends when the ACOS device receives a TCP FIN
from the client or server.
• UDP – The session ends after the ACOS device receives a server
response to the client’s request. If the reply is fragmented, the maximum
session life begins only after the last fragment is received.
Note: For UDP sessions, the maximum session life is used only if UDP aging is
set to short, instead of immediate. UDP aging is set in the UDP template
bound to the UDP virtual port. The default setting is short.
slb mss-table
Description Configure the TCP Maximum Segment Size (MSS) allowed for client traf-
fic.
Syntax [no] slb mss-table num
num Minimum MSS allowed in traffic from clients.
Default 538

slb rate-limit-logging
Usage Clients who can only transmit TCP segments that are smaller than the MSS
are unable to reach servers.
This command globally changes the MSS. You also can change the MSS in
individual TCP-proxy templates. (See “slb template tcp-proxy” on
page 681.)
slb rate-limit-logging
Description Configure rate limiting settings for system logging.
Syntax slb rate-limit-logging

[max-local-rate msgs-per-second]
[max-remote-rate msgs-per-second]
[exclude-destination {local | remote}]
max-local-rate
msgs-per-second Specifies the maximum number of messages per
second that can be sent to the local log buffer.
max-remote-rate
msgs-per-second Specifies the maximum number of messages per
second that can be sent to remote log servers.
exclude-
destination
{local |
remote} Excludes logging to the specified destination,
local or remote.
Default Log rate limiting is enabled by default and can not be disabled. The config-
urable settings have the following default values:
• max-local-rate – 32 messages per second
• max-remote-rate – 15000 messages per second
• exclude-destination – Logging to both destinations is enabled.
Usage The log rate limiting mechanism works as follows:

slb reset-stale-session
• If the number of new messages within a one-second interval exceeds the

internal maximum (32 by default), then during the next one-second
interval, the AX sends log messages only to the external log servers.
• If the number of new messages generated within the new one-second
interval is the internal maximum or less, then during the following one-
second interval, the AX will again send messages to the local logging
buffer as well as the external log server.
• In any case, all messages (up to the external maximum) are sent to the
external log servers.
Example The following command increases the maximum number of external mes-
sages per second:
ACOS(config)#slb rate-limit-logging max-remote-rate 30000
slb reset-stale-session
Description Please contact A10 Networks for information.
Syntax [no] slb reset-stale-session
slb scale-out
Description Enables the scale-out option for Layer 3 Direct Server Return (DSR).
Syntax [no] slb scale-out
slb server
Description Configure a real server. Use the first command shown below to create or a
delete a server. Use the second command to edit a server.
Syntax [no] slb server server-name {ipaddr | hostname}

slb server
server-name Server name, 1-63 characters.
After you have created a real server, you can use
this command to rename the real server.
hostname Fully-qualified hostname, for dynamic real
server creation.
ipaddr IP address of the server in either IPv4 or IPv6
format. The address is required only if you are
creating a new server.
Default N/A
Usage The normal form of this command creates a new or edits an existing real
server. The CLI changes to the configuration level for the server. See “Con-
fig Commands: SLB Servers” on page 701.
The IP address of the server can be in either IPv4 or IPv6 format. The A10
Thunder Series and AX Series supports both address formats.
The “no” form of this command removes an existing real server.
The maximum number of real servers is configurable. See “system

Note: Real-servers are automatically created when added to a service group, so

it is not necessary to manually create real servers prior to adding them to a
service group.
Example The following example creates a new real server with an IPv4 address:
ACOS(config)#slb server rs1 10.10.10.99
ACOS(config-real server)#
Example The following example creates a new real server with an IPv6 address:
ACOS(config)#slb server rs2 2020:3e8::3
ACOS(config-real server)#

slb service-group
Example The following command changes the name of the real server that has IP
address 10.14.11.100:
ACOS(config)#slb server test1 10.14.11.100
Address specified is used by a real server.
Do you want to modify real server's name? [yes/no]:yes

ACOS(config-real server)#?
Example The following commands configure a hostname server for dynamic server
creation using DNS, add a port to it, and bind the server template to it:
ACOS(config)#slb server s-test1 s1.test.com
ACOS(config-real server)#template server temp-server
ACOS(config-real server)#port 80 tcp
ACOS(config-real server-node port)#exit
ACOS(config-real server)#exit
slb service-group
Description Configure an SLB service group.
Syntax [no] slb service-group group-name {tcp | udp}
group-name Name of the group, 1-31 characters.
tcp | udp Application type of the group.
Default There are no service groups configured by default.
Usage The normal form of this command creates a new or edits an existing service
group. The CLI changes to the configuration level for the service group. See
“Config Commands: SLB Service Groups” on page 715.
Example The following example adds TCP service group “my-service-group”:

ACOS(config)#slb service-group my-service-group tcp
ACOS(config-slb service group)#

slb snat-gwy-for-l3
slb snat-gwy-for-l3
Description Use an IP pool’s default gateway to forward traffic from a real server.
Syntax [no] slb snat-gwy-for-l3
Default Disabled
Usage When this feature is enabled, ACOS checks the server IP subnet against the
IP NAT pool subnet. If they are on the same subnet, then ACOS uses the
gateway as defined in the IP NAT pool for Layer 2 / Layer 3 forwarding.
This feature is useful if the server does not have its own upstream router and
ACOS can leverage the same upstream router for Layer 2 / Layer 3.
slb snat-on-vip
Description Globally enable IP NAT support for VIPs.
Syntax [no] slb snat-on-vip
Default Disabled
Usage Source IP NAT can be configured on a virtual port in the following ways:
1. ACL-based source NAT (access-list command at virtual port level)
2. VIP source NAT (slb snat-on-vip command at Configuration mode

level)
3. aFleX policy (aflex command at virtual port level)
4. Non-ACL source NAT (source-nat command at virtual port level)
These methods are used in the order shown above. For example, if IP source
NAT is configured using an ACL on the virtual port, and the slb snat-on-
vip command is also used, then a pool assigned by the ACL is used for traf-
fic that is permitted by the ACL. For traffic that is not permitted by the
ACL, VIP source NAT can be used instead.
Note: The current release does not support source IP NAT on FTP or RTSP vir-
tual ports.

slb sort-res
slb sort-res
Description Enable the sort display option for SLB configuration. When this option is
enabled, SLB resources in the configuration are listed in alphabetical order.
Syntax [no] slb sort-res
Default Disabled. With this default behavior, SLB resources of a specific type
appear in the order they are configured.
Usage The sort feature takes effect only after you configure at least one SLB
resource, after you enable the sort feature. Before you configure at least one
new SLB resource, the SLB resources still appear in the order they were
configured.
Example The following command displays the configured SLB servers, before the
sort option is enabled and activated:
ACOS(config)#show running-config | include slb server
slb server ee 5.5.5.5
slb server rs20_10 20.20.20.10
slb server Server07 110.20.20.20
slb server MSSQLServer02 110.13.13.21
slb server srv266 10.10.100.10
slb server rs_http 10.1.2.10
slb server ldap-sr 172.16.2.10
slb server s1 20.20.20.30
slb server woo 10.10.99.99
slb server o1 10.10.10.5
slb server http1 20.20.25.10
The following commands enable the sort option, configure a new SLB
server, and redisplay the configured SLB servers. The slb server commands
are now alphabetically sorted.
ACOS(config)#slb sort-res
ACOS(config)#slb server s88 4.3.3.3
ACOS(config-real server-node port)#show running-config | include slb server

slb ssl-create certificate
slb server MSSQLServer02 110.13.13.21

slb server ee 5.5.5.5
slb server fsort2 4.3.9.58
slb server fsort88 4.3.9.55
slb server ldap-sr 172.16.2.10
slb server o1 10.10.10.5
slb server rs20_10 20.20.20.10
slb server rs_http 10.1.2.10
slb server woo 10.10.99.99
slb server zsort2 4.3.3.9
ACOS(config-real server-node port)#

Description Create a self-signed certificate for use with SLB.
Syntax slb ssl-create certificate certificate-name
certificate-
name Name of the certificate, 1-31 characters.
This command displays a series of prompts for the following information:

• Key length, which can be 1024, 2048, or 4096 bits
• Common name, 1-64 characters
• Division, 0-31 characters
• Organization, 0-63 characters
• Locality, 0-31 characters
• State or Province, 0-31 characters

• Country, 2 characters
• Email address, 0-64 characters
• Number of days the certificate is valid, 30-3650 days
The key length, common name, and number of days the certificate is valid
are required. The other information is optional.
The certificate is created when you press enter after answering the last
prompt.
Default The default key length is 1024 bits. The default number of days the certifi-
cate is valid is 730.
Usage To use the certificate, add it to a client-SSL or server-SSL template. (See

“slb template client-ssl” on page 587 or “slb template server-ssl” on
page 660.)
If you need to create a wildcard certificate, use an asterisk as the first part of
the common name. For example, to create a wildcard certificate for domain
example.com and it sub-domains, enter the following common name:
*.example.com
Example The following commands create a self-signed certificate named "slbcert1"

and verify the configuration:
ACOS(config)#slb ssl-create certificate slbcert1
input key bits(1024,2048,4096) default 1024:<Enter>
input Common Name, 1~64:slbcert1
input Division, 0~31:Div1
input Organization, 0~63:Org2
input Locality, 0~31:WestCoast
input State or Province, 0~31:CA
input Country, 2 characters:US
input email address, 0~64:axadmin@example.com
input valid days, 30~3650, default 730:<Enter>
ACOS(config)#show slb ssl cert
name: slbcert1
type: certificate/key
Common Name: slbcert1
Organization: Org2
Expiration: Apr 10 00:34:34 2010 GMT
Issuer: Self
key size: 1024

slb ssl-create csr
slb ssl-create csr

Description Create a Certificate Signing Request (CSR), to use for requesting a signed
certificate from an external Certificate Authority (CA).
Syntax slb ssl-create csr csr-name url
csr-name Name of the CSR, 1-31 characters.
directory path, for exporting the CSR request.
characters long.
tftp://host/file
This command displays a series of prompts for the following information:

• IP address of the server to which to export the CSR
• Username for write access to the server
• Password for write access to the server
• Path and filename
• Key length, which can be 1024, 2048, or 4096 bits
• Common name, 1-64 characters
• Division, 0-31 characters
• Organization, 0-63 characters
• Locality, 0-31 characters
• State or Province, 0-31 characters
• Country, 2 characters

slb ssl-create csr
• Email address, 0-64 characters
• Passphrase to use for the key, 0-31 characters
The CSR is created when you press enter after answering the last prompt.
The key for the certificate is also created.
Default The default key length is 1024 bits. The default number of days the certifi-
cate will be valid is 730.
Usage After the CSR is generated and exported by this command, send the CSR to
the CA. After you receive the signed certificate from the CA, use the import
command to import the CA onto the ACOS device. (See “import” on
page 76.) The key does not need to be imported. The key is generated along
with the CSR.
If you need to create a request for a wildcard certificate, use an asterisk as

the first part of the common name. For example, to request a wildcard cer-
tificate for domain example.com and it sub-domains, enter the following
common name: *.example.com
Example The following commands generate and export a CSR, then import the
signed certificate.
ACOS(config)#slb ssl-create csr slbcsr1 ftp:
User name []?axadmin
File name [/]?slbcsr1
input key bits(1024,2048,4096) default 1024:<Enter>
input Common Name, 1~64:slbcsr1
input Division, 0~31:div1
input Organization, 0~63:org2
input Locality, 0~31:westcoast
input State or Province, 0~31:ca
input Country, 2 characters:us
input email address, 0~64:axadmin@example.com
input Pass Phrase, 0~31:csrpword
Confirm Pass Phrase:csrpword
ACOS(config)#import ca-signedcert1 ftp:
File name [/]?ca-signedcert1

slb ssl-delete
slb ssl-delete
Description Delete an SSL certificate or private key from the A10 Thunder Series and
AX Series device.
Syntax [no] slb ssl-delete

{certificate cert-name | private-key key-string}
Default None.
Usage This command does not affect the server certificate of the Web management
interface. The command applies only to certificates that have been imported
for use with SSL offload.
Example The following commands delete SSL certificate “testcert.crt” and its key:
ACOS(config)#slb ssl-delete certificate testcert.crt
ACOS(config)#slb ssl-delete private-key testcertkey.pem
slb ssl-expire-check email-address

Description Configure email notification for certificate expiration.
Syntax [no] slb ssl-expire-check

email-address address [...]
[before days] [interval days]
address Specifies the email addresses to which to send
the notifications. You can specify up to 2 email
addresses. Use a space between them.
before days Specifies how many days before expiration to
begin sending notification emails. You can spec-
ify 1-5. The default is 5 days.
interval days Specifies how many days after expiration to con-
tinue sending notification emails. You can spec-
ify 1-5. The default is 2 days.
Default Not set

slb ssl-expire-check exception
Usage One notification is sent per day. If a certificate is updated before expiration
or at least before the configured interval, no more notification emails are
sent for that certificate.
Example The following command enables certificate notifications to be sent to email

address “admin1@example.com”. Expiration notifications are sent begin-
ning 4 days before expiration and continue for 3 days after expiration.
ACOS(config)#slb ssl-expire-check email-address admin1@example.com before 4
interval 3
slb ssl-expire-check exception

Description Exclude specific certificates from expiration notification emails.
Syntax [no] slb ssl-expire-check exception

{add cert-name | delete cert-name | clean}
add cert-name Adds a certificate to the exception list.
delete cert-
name Removes a certificate from the exception list.
clean Removes all certificates from the exception list.
Default Not set
slb ssl-load
Description Load an SSL certificate, private key, or Certificate Revocation List (CRL)
for use with SSL offload.
Note: The ACOS device only supports certificates that are in Privacy-Enhanced
Mail (PEM) format. The maximum supported certificate size is 16KB.
Syntax [no] slb ssl-load

{
certificate file-name
[type {der | pem | pfx [password string]}] |
private-key file-name |
crl file-name
}
[use-mgmt-port]
url

slb ssl-load
file-name File name of the certificate, key, or CRL.
If you are importing a certificate, use the type
option to specify the format of the certificate.
The ACOS device supports PEM format only. If
you specify the certificate format, the ACOS
device can convert the certificate into PEM for-
mat.
type
{der | pem |
pfx [password
string]} Specifies the certificate file type. For PFX certif-
icates, the password can be 1-15 characters long.
directory path.
characters long.
tftp://host/file
http://[user@]host/file
https://[user@]host/file
Default None.

slb ssl-module
Usage This command is equivalent to the import ssl-cert and import ssl-key
commands. You can use those commands or slb ssl-load to import SSL cer-
tificates and keys.
Example The following commands load SSL certificate “testcert.crt” and its key:
ACOS(config)#slb ssl-load certificate testcert.pem scp:
Password []?*********
File name [/]?testcert.pem
ACOS(config)#slb ssl-load certificate testcertkey.pem scp:
Password []?*********
File name [/]?testcertkey.pem
Example The following commands import a CA certificate and its key, and a CRL
file:
ACOS(config)#slb ssl-load certificate ca-cert.pem scp:
User name []?admin
Password []?*********
File name [/]?ca-cert.pem
ACOS(config)#slb ssl-load private-key ca-certkey.pem scp:
User name []?admin
Password []?*********
File name [/]?ca-certkey.pem
ACOS(config)#slb ssl-load certificate ca-crl.pem scp:
User name []?admin
Password []?*********
File name [/]?ca-crl.pem
slb ssl-module
Description Disable the SSL acceleration module.
Note: This command only applies to the SoftAX and does not appear in the CLI
for all other hardware-based models.
Syntax [no] slb ssl-module software
Default SSL acceleration modules are enabled.

slb template
Usage This command applies only to add-on SSL acceleration modules, not to the
on-board SSL processors.
slb template
Description Configure an SLB template.
Syntax [no] slb template template-type template-name
template-type Type of template. For a list, enter the following
command: slb template ?
(For information about SLB templates, see “Con-
fig Commands: SLB Templates” on page 579.)
template-name Name of the template.
Default The templates have default settings, and some template types are automati-
cally added to a virtual port depending on its service type. For information,
see the Application Delivery and Server Load Balancing Guide.
Usage The normal form of this command creates a new or edits an existing tem-
plate. The CLI changes to the configuration level for the template. See
“Config Commands: SLB Templates” on page 579.
The “no” form of this command removes an existing template.
The maximum number of templates is configurable. See “system resource-

usage” on page 238.
Example The following command creates a TCP-proxy template named “proxy1”:

ACOS(config)#slb template tcp-proxy proxy1
ACOS(config-TCP proxy template)#

slb transparent-tcp-template
slb transparent-tcp-template
Description Set the idle timeout for pass-through TCP sessions. A pass-through TCP
session is one that is not terminated by the ACOS device (for example, a
session for which the ACOS device is not serving as a proxy for SLB).
Syntax [no] slb transparent-tcp-template template-name
template-name Specifies the name of a TCP template. The idle
timeout specified in the TCP template is used for
pass-through TCP sessions.
Note: To use the default TCP template, specify the name “default”.
Default The default idle timeout for pass-through TCP sessions is 30 minutes. The
default idle timeout in TCP templates is 120 seconds.
Usage Only the idle timeout setting in the specified TCP template is applicable to
pass-through TCP sessions. None of the other options in TCP templates
affect pass-through TCP sessions.
The maximum idle timeout supported for transparent sessions is 15300 sec-
onds. This is true even if the idle timeout in the TCP template itself is set to
a higher value. Higher idle timeout values apply only to SLB sessions, not
to transparent sessions. This is because transparent sessions are stateless and
can be recreated if timed out.
Example The following command changes the idle timeout for pass-through TCP
sessions to the idle timeout set in the default TCP template:
ACOS(config)#slb transparent-tcp-template default
slb virtual-server
Description Configure a virtual server.
Syntax [no] slb virtual-server name [ipaddr]
or
[no] slb virtual-server server-name starting-ip


slb virtual-server
name Virtual server name, 1-31 characters.
After you have created a virtual server, you can
use this command to rename the virtual server in
order to associate this IP with a different name.
ipaddr IP address of the virtual server in either IPv4 or
IPv6 format. The address is required only if you
are creating a new virtual server.
If you are configuring a wildcard VIP, enter one
of the following for the IP address:
0.0.0.0 – IPv4 wildcard VIP
:: – IPv6 wildcard VIP
You can use the acl acl-id option to specify the
IP addresses to be handled as wildcard VIPs.
(For more information, see the “Wildcard VIPs”
chapter in the Application Delivery and Server
Load Balancing Guide.)
After you have created a virtual server, you can
use this command to change the IP address asso-
ciated with this name.
starting-ip
{subnet-mask |
/mask-length} Configures a contiguous set of IPv4 or IPv6
VIPs, beginning with the starting-ip.
Default N/A
Usage The normal form of this command creates a new or edits an existing virtual
server. The CLI changes to the configuration level for the virtual server. See
“Config Commands: SLB Virtual Servers” on page 735.
The “no” form of this command removes an existing virtual server.
The maximum number of virtual servers is configurable. See “system

Notes on VIP Ranges

• The IP addresses in the specified subnet range can not belong to an IP
interface, real server, or other virtual server configured on the ACOS
device.

slb virtual-server
• The largest supported IPv4 subnet length is /16.
• Statistics are aggregated for all VIPs in the subnet virtual server.
• The current release supports this feature only for DNS ports on the
default DNS port number (TCP port 53 or UDP port 53).
Example The following command configures a new virtual server named “vs1”:
ACOS(config)#slb virtual vs1 10.10.2.1
ACOS(config-slb virtual server)#
Example The following command configures a set of VIPs for IP addresses 1.1.1.5-
1.1.1.255:
ACOS(config)#slb virtual-server vs1 1.1.1.5 /24
Example The following command changes the name of the virtual server that has IP
address 10.6.6.6:
ACOS(config)#slb virtual-server vip1066 10.6.6.6
Address specified is used by a virtual server.
Do you want to modify virtual server's name? [yes/no]:yes

ACOS(config-slb vserver)#?
If you specify “no” instead, the CLI responds as shown in the following
example:
Address specified is used by a virtual server.
Do you want to modify virtual server's name? [yes/no]:no

Cancelling request.
Example The following command changes the IP address of virtual server “hastings”:
ACOS(config)#slb virtual-server hastings 1.0.6.6
Virtual Server already exists
Do you want to modify virtual server's IP? [yes/no]:yes

ACOS(config-slb vserver)#?

Config Commands: SLB Templates
This chapter describes the commands and subcommands for configuring

SLB configuration templates.
To access this configuration level, enter the slb template template-type tem-
plate-name command at the global configuration level.
To display configured templates, use the show template command.
To apply a template to a virtual port, use the template template-type tem-

plate-name command at the configuration level for the virtual port.
For more information about how to use templates, including configuration
examples, see the “Server and Port Templates” chapter in the Application
Note: DNS templates have the highest priority and are used first, followed by
policy templates. Then the other types of templates are used as applicable.


Description Configure parameters for Application Access Management (AAM).
Syntax [no] slb template authentication template-name
template, where the following commands are available.
Command Description
[no] logon
logon-template-
name Binds the specified authentication-logon profile
to the template.
[no] logout-
idle-timeout
seconds Specifies the amount of time a cached authenti-
cation entry for a client can remain idle, before
the cached entry is removed. AAA server to
reauthenticate the client. You can specify from
1-86400 seconds.
ACOS uses the cached authentication entry for a
client for subsequent requests from that client, to
verify that the client has been authenticated.
While an authentication cache entry is in effect,
ACOS does not need to contact the external
[no] logout-url
url-string
[...] URL(s) to which to forward logout requests from
clients.
[no] relay
relay-template-
name Binds the specified authentication-relay profile
to the template.
[no] server
{name | ipaddr} Binds the specified authentication-server profile
to the template.

slb template cache
[no] service-
group group-
name Binds the specified group of authentication serv-
ers to the template.
Default There is no default authentication template. When you create one, the
default logout-idle-timeout setting is 300 seconds. The other options do not
have timeouts.
slb template cache

Description Configure the ACOS device to perform transparent Web caching.
Syntax [no] slb template cache template-name
RAM caching template, where the following commands are available.
Command Description
[no] accept-
reload-req Enables support for the following Cache-Control
headers:
– Cache-Control: no-cache
– Cache-Control: max-age=0
When support for these headers is enabled, either
header causes the ACOS device to reload the
cached object from the origin server.
[no] age
seconds Specifies how long a cached object can remain in
the AX RAM cache without being requested.
You can specify 1-999999 seconds (about 11-1/2
days).

slb template cache
Note: This value is used if the web server specifies that the object is cacheable
but does not specify for how long. If the server does specify how long the
object is cacheable, then the server value is used instead.
[no] default-
policy-nocache Changes the default cache policy in the template
from cache to nocache. This option gives you
tighter control over content caching. When you
use the default no-cache policy, the only content
that is cached is cacheable content whose URI
matches an explicit cache policy.
[no] disable-
insert-age Disables insertion of Age headers into cached
responses. Insertion of Age headers is enabled by
default.
[no] disable-
insert-via Disables insertion of Via headers into cached
responses. Insertion of Via headers is enabled by
default.
[no] max-cache-
size MB Specifies the size of the AX RAM cache.
[no] max-
content-size
bytes Specifies the maximum object size that can be
cached. The ACOS device will not cache objects
larger than this size. You can specify 0-4194303
bytes (256 MB). If you specify 0, no objects can
be cached.
[no] min-
content-size
bytes Specifies the minimum object size that can be
cached. The ACOS device will not cache objects
smaller than this size. You can specify
0-4194303 bytes (4 MB). If you specify 0, all
objects smaller than or equal to the maximum
content size can be cached.

slb template cache
[no] policy uri

pattern
{cache
[seconds] |
nocache |
invalidate
inv-pattern} Configures a policy for dynamic caching.
pattern – Specifies the portion of the URL
string to match on. The options below specify the
action to take for URLs that match the pattern:
cache [seconds] – Caches the content. By
default, the content is cached for the number of
seconds configured in the template (set by the
age command). To override the aging period set
in the template, specify the number of seconds
with the cache command.
nocache – Does not cache the content.
invalidate inv-pattern – Invalidates the
content that has been cached for inv-pattern.
[no] remove-
cookies Removes cookies from server replies so the
replies can be cached. RAM caching does not
cache server replies that contain cookies. (Image
files are an exception. RAM caching can cache
images that have cookies.)
[no]
replacement-
policy LFU Specifies the policy used to make room for new
objects when the RAM cache is full.
The policy supported in the current release is
Least Frequently Used (LFU). When the RAM
cache becomes more than 90% full, the ACOS
device discards the least-frequently used objects
to ensure there is sufficient room for new objects.
[no] template
logging
template-name Specifies a logging template to use for external
logging of RAM caching events over TCP.
[no] verify-
host Enables the ACOS device to cache the host name
in addition to the URI for cached content. Use
this command if a real server that contains cache-

slb template cache
able content will host more than one host name

(for example, www.abc.com and www.xyz.com).
Default The “default” RAM caching template has the following defaults:
• accept-reload-req – Disabled
• age – 3600 seconds (1 hour), if the server specifies that the object is
cacheable but does not specify for how long.
• disable-insert-age – Insertion of Age headers is enabled by default.
• disable-insert-via – Insertion of Via headers is enabled by default.
• max-cache-size – 80 MB
• max-content-size – 81920 bytes (80 KB)
• min-content-size – 512 bytes
• remove-cookies – disabled
• replacement-policy – Least Frequently Used (LFU)
• verify-host – Disabled. Host names are not cached along with URIs for
cached content.
Usage The normal form of this command creates a RAM caching configuration
template. The “no” form of this command removes the template.
You can bind only one RAM caching template to a virtual port. However,
you can bind the same RAM caching template to multiple ports.
If a URI matches the pattern in more than one policy command, the policy
command with the most specific match is used. For example, if a template
has the following commands, content for page122 is cached whereas con-
tent for page123 is not cached:
policy uri /page12 cache 300
policy uri /page123 nocache
Wildcard characters (for example: ? and *) are not supported in RAM Cach-
ing policies. For example, if the string pattern contains “*”, it is interpreted
literally, as the “*” character.
In the current release, matching is performed based on containment. All

URIs that contain the pattern string match the rule. For example, the follow-
ing policy matches all URIs that contain the string “.jpg” and sets the cache
timeout for the matching objects to 7200 seconds: policy uri .jpg cache
7200

slb template cache
Example The following commands configure a RAM caching template. In this exam-
ple, all the default RAM cache settings are used.
ACOS(config)#slb template cache ramcache
ACOS(config-RAM caching template)#
Example The following commands configure some dynamic caching policies. The
policy that matches on “/list” caches content for 5 minutes. The policy that
matches on “/private” does not cache content.
ACOS(config)#slb template cache ram-cache
ACOS(config-RAM caching template)#policy uri /list cache 300
ACOS(config-RAM caching template)#policy uri /private nocache
Example The following commands configure a RAM caching template that will only
cache content from www.xyz.com/news-clips.
ACOS(config)#slb template cache ramcache
ACOS(config-RAM caching template)#default-policy-nocache
ACOS(config-RAM caching template)#policy uri www.xyz.com/news-clips cache

slb template cipher
slb template cipher

Description Configure a template of SSL cipher settings.
Syntax [no] slb template cipher template-name

{
{
SSL3_RSA_DES_192_CBC3_SHA |
SSL3_RSA_DES_40_CBC_SHA |
SSL3_RSA_DES_64_CBC_SHA |
SSL3_RSA_RC4_128_MD5 |
SSL3_RSA_RC4_128_SHA |
SSL3_RSA_RC4_40_MD5 |
TLS1_RSA_AES_128_SHA |
TLS1_RSA_AES_128_SHA256 |
TLS1_RSA_AES_256_SHA |
TLS1_RSA_AES_256_SHA256 |
TLS1_RSA_EXPORT1024_RC4_56_MD5 |
TLS1_RSA_EXPORT1024_RC4_56_SHA
}
[priority num]
}
cipher template, where the ciphers listed above are available. Each com-
mand adds the cipher named by the command to the template.
The cipher priority value can be 1-100. The highest priority (most favored)
is 100.
More than one cipher can have the same priority. In this case, the strongest
(most secure) cipher is used.
Default The default priority is 1, and all ciphers within a template are enabled by
default.

slb template client-ssl
Usage A cipher template contains a list of ciphers. A client who connects to a vir-
tual port that uses the cipher template can use only the ciphers that are listed
in the template.
Optionally, you can assign a priority value to each cipher in the template. In
this case, the ACOS device tries to use the ciphers based on priority. If the
client supports the cipher that has the highest priority, that cipher is used. If
the client does not support the highest-priority cipher, the ACOS device
attempts to use the cipher that has the second-highest priority, and so on.
Notes
• An SSL cipher template takes effect only when you apply it to a client-
SSL template or server-SSL template.
• When you apply (bind) a cipher template to a client-SSL or server-SSL
template, the settings in the cipher template override any cipher settings
in that client-SSL or server-SSL template.
• Priority values are supported only for client-SSL templates. If a cipher
template is used by a server-SSL template, the priority values in the
cipher template are ignored.
Example The following commands configure a cipher template:

ACOS(config)#slb template cipher cipher_tmplt1
ACOS(config-cipher)#SSL3_RSA_DES_64_CBC_SHA priority 5
ACOS(config-cipher)#TLS1_RSA_AES_128_SHA priority 10
ACOS(config-cipher)#TLS1_RSA_AES_256_SHA
ACOS(config-cipher)#end
This template contains 3 ciphers. The ACOS device attempts to use

TLS1_RSA_AES_128_SHA first. If the client does not support this cipher,
the ACOS device attempts to use SSL3_RSA_DES_64_CBC_SHA. If the
client does not support this cipher either, the ACOS device tries to use
TLS1_RSA_AES_256_SHA.

Description Configure offload of SSL validation of clients from real servers.
Syntax [no] slb template client-ssl template-name

client-SSL template, where the following commands are available.
Command Description
[no] auth-
username
{common-name |
subject-alt-
name-email} Specifies the field to check in SSL certificates
from clients, to find the client name.
common-name – Typically used if the client cer-
tificate has only one name (validates only one
client).
subject-alt-name-email – Used if the cer-
tificate has more than one name.
[no] ca-cert
cert-name Specifies the name of the Certificate Authority
(CA) certificate to use for validating client certif-
icates. The CA certificate must be installed on
the ACOS device. (You can use the import or slb
ssl-load command. They are equivalent. See
“import” on page 76 or “slb ssl-load” on
page 572.)
[no] cert
cert-name Specifies the name of the certificate to use for
terminating or initiating an SSL connection. The
certificate must be installed on the AX.
[no] chain-cert
chain-cert-name Specifies a certificate-key chain.
[no] cipher
cipher Specifies the cipher suite to support for certifi-
cates from clients:
SSL3_RSA_DES_192_CBC3_SHA
SSL3_RSA_DES_40_CBC_SHA
SSL3_RSA_RC4_128_MD5
SSL3_RSA_RC4_128_SHA
SSL3_RSA_RC4_40_MD5

TLS1_RSA_AES_128_SHA
TLS1_RSA_EXPORT1024_RC4_56_MD5
[no] client-
certificate
{ignore |
request |
require} Specifies the action that the ACOS device takes
in response to a client’s connection request:
ignore – The ACOS device does not request
the client to send its certificate.
request – The ACOS device requests the cli-
ent to send its certificate. With this action, the
SSL handshake proceeds even if either of the fol-
lowing occurs:
– The client sends a NULL certificate (one
with zero length).
– The certificate is invalid, causing client
verification to fail.
Use this option if you want the request to trigger
an aFleX policy for further processing.
require – The ACOS device requires the cli-
ent certificate. This action requests the client to
send its certificate. However, the SSL handshake
does not proceed (it fails) if the client sends a
NULL certificate or the certificate is invalid.
[no] close-
notify Enables closure alerts for SSL sessions. When
this option is enabled, the ACOS device sends a
close_notify message when an SSL transaction
ends, before sending a FIN. This behavior is
required by certain types of client applications,
including PHP cgi. For this type of client, if the
ACOS device does not send a close_notify, an
error or warning appears on the client.
[no] crl
filename Specifies the Certificate Revocation List (CRL)
to use for verifying that client certificates have
not been revoked. The CRL must be installed on
the ACOS device first. (You can use the slb ssl-
load command. See “slb ssl-load” on page 572.)

When you add a CRL to a client SSL template,

the ACOS device checks the CRL to ensure that
the certificates presented by clients have not been
revoked by the issuing CA.
Note: If you plan to use a CRL, you must set the

client-certificate mode to require. The CRL
should be signed by the same issuer as the CA
certificate. Otherwise, the client and ACOS
device will not be able to establish a connection.
[no] disable-
sslv3 Disables support for SSLv3 in client-SSL tem-
plates. SSLv3 support is enabled by default.
Note: If you disable SSLv3 support, when

ACOS receives an SSL Hello message from a
client, ACOS responds by sending a TCP-FIN to
the client to end the session.
[no] forward-
proxy-bypass
option Sets the match criteria to bypass SSL intercept
for specific traffic, based on the Server Name
Indication (SNI) value. You can specify the fol-
lowing options to enforce match rules for SSL
intercept bypass:
[no] class-list list-name – Applies
a class-list with match rules.
[no] equals sni-string – Matches
only if the SNI value completely matches the
specified string.
[no] starts-with sni-string –
Matches only if the SNI value starts with the
specified string.
[no] contains sni-string – Matches
if the specified string appears anywhere within
the SNI value.
[no] ends-with sni-string –
Matches only if the SNI value ends with the
specified string.
[no] case-insensitive – Disables case
sensitivity for rule matching.

[no] forward-
proxy-ca-cert
certificate-
name Name of the certificate. Specify the same name
you specified when you uploaded the certificate
to the ACOS device.
[no] forward-
proxy-ca-key
key-name Name of the private key. Specify the same name
you specified when you uploaded the key to the
ACOS device.
[no] forward-
proxy-enable Enable SSL Intercept support.
[no] key
key-name
[passphrase
passphrase-
string] Specifies the key for the certificate, and the pass-
phrase used to encrypt the key.
[no] server-
name domain-
name cert
certificate-
name key
private-key-
name
[partition
shared]
[pass-phrase
string] The domain-name is the domain that is requested
by clients. The certificate-name is the certificate
to map to the domain. The private-key-name is
the key to map to the domain.
Note: In the current release, the partition shared
option has no effect on the configuration. The
configuration always applies only to the shared
partition.
The pass-phrase string specifies the passphrase
used to encrypt the key, if applicable.
[no] session-
cache-size
entries Maximum number of cached sessions for SSL
session ID reuse, 0-131072. The value 0 disables
session ID reuse.

[no] session-
cache-timeout
seconds Sets the maximum number of seconds a cache
entry can remain unused before being removed
from the cache, 1-7200 seconds. The default is
7200 seconds. Cache entries age according to the
ticket age time. The age time is not reset when a
cache entry is used.
[no] session-
ticket-lifetime
seconds Sets the lifetime for stateless SSL session ticket-
ing. After a client’s SSL ticket expires, they must
complete an SSL handshake in order to set up the
next secure session with ACOS. You can set the
lifetime between 0 to 2147483647 seconds. Set-
ting the lifetime to 0 disables the feature.
[no] ssl-false-
start-disable SSL False Start support for the Google Chrome
browser.
Note: The following ciphers are not supported for SSL False Start in the current
release:
• SSL3_RSA_DES_64_CBC_SHA
• SSL3_RSA_RC4_40_MD5
• TLS1_RSA_EXPORT1024_RC4_56_MD5
If no other ciphers but these are enabled in the client-SSL template, SSL
False Start handshakes will fail.
[no] sslv2-
bypass service-
group group-
name Redirects clients who request SSLv2 sessions to
the specified service group.
Default The configuration does not have a default client-side SSL template. If you
create one, the template has the following defaults:
• cipher – All options are enabled. (This is equivalent to entering the
cipher command multiple times, once with each of the options listed in
the Syntax section.)
• client-certificate – ignore
• close-notify – disabled
• session cache-size – 0 (Session ID reuse is disabled.)
• ssl-false-start-disable – SSL False Start support is enabled by default.

Usage The normal form of this command creates a client-SSL configuration tem-
plate. The “no” form of this command removes the template.
For the forward-proxy-bypass option, match rules are always applied in

the following order:
• equals sni-string
• starts-with sni-string
• contains sni-string
• ends-with sni-string
A client-SSL template can contain up to 128 certificates or certificate

chains. They must be imported onto the ACOS device. To import a certifi-
cate or certificate chain, see “import” on page 76 or “slb ssl-load” on
page 572.
You can bind only one client-SSL template to a virtual port. However, you
can bind the same client-SSL template to multiple ports.
If you replace a certificate and key in a client-SSL template, you must

unbind the template from the virtual ports that use it, then rebind the tem-
plate to the virtual ports, to place the change into effect.
The close-notify option can not be used along with the TCP-proxy template
force-delete-timeout option. Doing so may cause unexpected behavior.
Example The following commands configure a client-SSL template named “client-

ssl1” that uses imported CA certificates and requires clients to present their
certificates when requesting connections to servers:
ACOS(config)#slb template client-ssl client-ssl1
ACOS(config-client SSL template)#ca-cert ca-bundle.crt
ACOS(config-client SSL template)#client-certificate require
Example The following commands configure a client SSL template to use an

imported CA certificate and key, and an imported Certificate Revocation
List (CRL) from the CA:
ACOS(config)#slb template client-ssl client-ssl1
ACOS(config-client SSL template)#ca-cert ca-cert.pem
ACOS(config-client SSL template)#ca-cert ca-crl.pem
ACOS(config-client SSL template)#client-certificate require

slb template connection-reuse
slb template connection-reuse

Description Configure re-use of established connections.
Syntax [no] slb template connection-reuse template-name
template-name Name of the template, 1-31 characters.
connection-reuse template, where the following commands are available.
Command Description
[no] keep-
alive-conn
number Specifies the number of new reusable connec-
tions to open before beginning to reuse existing
connections. You can specify 1-1024 connec-
tions.
Note: This option is applicable only for SIP-over-TCP sessions. The option is
not applicable to other types of sessions, such as HTTP sessions.
[no] limit-per-
server number Maximum number of reusable connections per
server port. You can specify 0-65535. 0 means
unlimited.
[no] timeout
seconds Maximum number of seconds a connection can
remain idle before it times out. You can specify
1-3600 seconds.
Default The “default” connection reuse template has the following defaults:
• keep-alive-conn – 100
• limit-per-server – 1000
• timeout – 2400 seconds (40 minutes)
To display the default template settings, use the show slb template connec-
tion-reuse default command.

slb template dblb
Usage The normal form of this command creates a connection reuse template. The
“no” form of this command removes the template.
You can bind only one connection-reuse template to a virtual port. However,
you can bind the same connection-reuse template to multiple ports.
The keep-alive-conn option is applicable only for SIP-over-TCP sessions.

The option is not applicable to other types of sessions, such as HTTP ses-
sions.
Due to the way the connection-reuse feature operates, backend sessions

with servers will not be reused in either of the following cases:
• The limit-per-server option is set to a very low value, lower than the
number of data CPUs on the ACOS device.
• The keep-alive-conn option is set to a lower value than the limit-per-
server option.
Example The following commands configure a connection reuse template named

“conn-reuse1” and set the limit per server to 2000 re-used connections:
ACOS(config)#slb template connection-reuse conn-reuse1
ACOS(config-connection reuse template)#limit-per-server 2000
slb template dblb

Description Create a template for database load-balancing (DBLB).
Syntax [no] slb template dblb template-name
DBLB template, where the following commands are available.
Command Description
[no] calc-sha1
password Displays the SHA1-encrypted version of a clear
text string.

slb template diameter
[no] class-list
name Applies a class list of username-password pairs
for DBLB client authentication to access the
database server.
[no] server-
version type Specifies the type of database system for the
DBLB server that processes database requests.
For type you can specify one of the following:
MSSQL2008 – MS-SQL server (version 2008 or
2008 R2)
MSSQL2012 – MS-SQL server (version 2012)
MySQL – Any version of MySQL
Default The configuration does not have a default DBLB template.

Description Configure Diameter load balancing.
Syntax [no] slb template diameter template-name
Diameter template, where the following commands are available.

Command Description
[no]
avp avp-num
[mandatory]
{int32 | int64
| string} value Specifies a custom AVP value to insert into
Capabilities-Exchange-Request messages sent by
the ACOS device to Diameter servers.
For each custom AVP value to insert, you must
specify the following information:
avp-num – Diameter AVP number.
mandatory – Sets the AVP mandatory flag
on. By default, this flag is off (not set).
int32 | int64 | string – Specifies the data for-
mat of the value to insert.
value – Specifies the value to insert.
You can configure up to 6 custom AVP values for
insertion. Enter the command separately for each
AVP value.
[no] customize-
cea Replaces the AVPs in Capabilities-Exchange-
Answer (CEA) messages with the custom AVP
values you configure before forwarding the mes-
sages.
[no] duplicate
avp-num pattern
service-group Duplicates Accounting-Request messages and
sends them to a separate service group. This
option is useful for logging, accounting, and so
on.
To configure message duplication, configure real
servers and the service group, and use the dupli-
cate command to configure the following param-
eters:
avp-num – Diameter AVP number.
pattern – String pattern within the message.
service-group – The duplication service
group, which is the service group to which to
send the duplicate messages.

Note: To place the message duplication configuration into effect, you must
unbind the Diameter template from the Diameter virtual port, then rebind
it.
A Diameter template in which message duplication is configured can be
bound to only a single virtual port.
[no] dwr-time
ms Specifies the maximum number of seconds the
ACOS device will wait for the reply to a device-
watch-dog message sent to a Diameter server
before marking the server Down. You can spec-
ify 0-2147483647 milliseconds (ms), in 100-ms
increments.
[no]
idle-timeout
minutes Specifies the number of minutes a Diameter ses-
sion can remain idle before the session is deleted.
[no]
message-code
num Enables load balancing of Diameter message
codes, in addition to those already load balanced
by default. You can enable load balancing of up
to 10 additional message codes.
[no] multiple-
origin-host Prepends the AX CPU ID onto the origin-host
string to identify the CPU used for a given Diam-
eter peer connection.
The ACOS device establishes a separate peer
connection with each Diameter server on each
CPU. The multiple-origin-host option does not
enable or disable this behavior. The option sim-
ply shows or hides the CPU ID in the origin-host
string.
[no]
origin-host
host.realm Sets the value of Diameter AVP 264. This AVP
can be a character string and specifies the iden-
tity of the originating host for Diameter mes-
sages. Since the ACOS device acts as a proxy for
Diameter, this AVP refers to the ACOS device
itself, not to the actual clients. From the Diameter
server’s standpoint, the ACOS device is the
Diameter client.

Specify the origin-host in the following format:

host.realm
The host is a string unique to the client (ACOS
device). The realm is the Diameter realm, speci-
fied by the origin-realm option (described
below).
[no]
origin-realm
string Sets the value of Diameter AVP 296. This AVP
can be a character string and specifies the Diame-
ter realm from which Diameter messages, includ-
ing requests, are originated.
[no]
product-name
string Sets the value of Diameter AVP 269. This AVP
can be a character string and specifies the prod-
uct; for example, “a10dra”.
[no]
session-age
minutes Specifies the absolute limit for Diameter ses-
sions. Any Diameter session that is still in effect
when the session age is reached is removed from
the AX session table. You can specify 1-65535
minutes.
[no] vendor-id
num Sets the value of Diameter AVP 266. This AVP
can be a numeric value and specifies the vendor;
for example, “156”. Make sure to use a non-zero
value. Zero is reserved by the Diameter protocol.
Default The configuration does not have a default Diameter template. If you config-
ure one, the template has the following default values:
• avp – none configured
• customize-cea – disabled
• duplicate – not set
• dwr-time – 10 seconds
• idle-timeout – 5 minutes

• message-code – Diameter load balancing applies only to the following

message codes:
• Accounting-Request (code 271)
• Accounting-Answer (code 271)
• Capabilities-Exchange-Request (code 257)
• Capabilities-Exchange-Answer (code 257)
• Device-Watchdog-Request (code 280)
• Device-Watchdog-Answer (code 280)
• Session-Termination-Request (code 275)
• Session-Termination-Answer (code 275)
• Abort-Session-Request (code 274)
• Abort-Session-Answer (code 274)
• Disconnect-Peer-Request/Disconnect-Peer-Answer (code 282)
The ACOS device drops all other Diameter message codes by default.
• multiple-origin-host – disabled
• origin-host – not set
• origin-realm – not set
• product-name – not set
• session-age – 10 minutes
• vendor-id – not set
Mode Configure
Usage The normal form of this command creates a Diameter template. The “no”
form of this command removes the template.
You can bind only one Diameter template to a virtual port. However, you
can bind the same Diameter template to multiple ports.
Bind the template to virtual port type diameter.
Example For configuration examples, see the “Diameter Load Balancing” chapter in
the Application Delivery and Server Load Balancing Guide.

slb template dns (DNS caching)

Description Configure DNS caching.
Syntax [no] slb template dns template-name
DNS template, where the following commands are available.
Note: To configure DNS security, see “slb template dns (DNS security)” on
page 604.
Command Description
[no] class-list
lid num Configures a DNS caching rule. The settings in
the rule apply to queries for the domain names
mapped to this rule in the class list.
[no] conn-rate-limit rate per interval – Speci-
fies the maximum rate allowed for queries. If
queries exceed the specified rate, the over-limit
action is applied. You can specify 1-4294967295
DNS connections per 1-65535 100-millisecond
(ms) intervals.
dns {cache-enable | cache-disable} – Specifies
whether to cache replies to queries for the
domain name.
[no] dns ttl num – Number of seconds the ACOS
device caches DNS replies. You can specify
1-65535 seconds.
[no] dns weight num – Specifies the numeric
value used when cache entries need to be
removed to make room for new entries. You can
assign a weight of 1-7. Lower-weighted objects
are removed before higher weighted objects.

Cache more than 60% full, entries with

weight 1 are eligible to be removed.
weight 1 or 2 are eligible to be removed.
weights 1-4 are eligible to be removed.
weights 1-6 are eligible to be removed.
Note: A DNS reply begins aging as soon as it is cached and continues aging
even if the cached reply is used after aging starts. Use of a cached reply
does not reset the age of that reply.
[no] over-limit-action action – Specifies the
action to take if the query rate exceeds the con-
figured limit:
dns-cache-disable – Disables caching.
dns-cache-enable – Enables caching.
forward – Forwards the request to the DNS
server.
lockout minutes – Stops accepting new
requests for the specified number of minutes,
1-1023.
log – Generates a log message when the
query rate is exceeded.
reset – Resets the connection with the client.
[no] class-list
name name Applies a class list to the template.
[no] default-
policy [cache |
nocache] Specifies the default action to take when a query
does not match any class-list entries.
[no] disable-
cache Disables DNS caching on all virtual DNS ports
that use the template.
[no] dns-log-
enable period
minutes Enables logging for DNS caching. The period
option specifies how often log messages are gen-
erated. You can specify 1-10000 minutes.

[no] max-cache-
size num Specifies the maximum number of entries that
can be cached per VIP. The maximum configu-
rable amount depends on the amount of RAM
installed on the ACOS device. For details, con-
tact A10 Networks.
[no] max-cache-
entry-size num Specifies the maximum number of bytes each
cache entry can have, 1-4096.
[no] max-query-
length num Specifies the maximum length for DNS queries,
1-4095.
• class-list name – not set
• class-list lid – Not set. When you configure an LID, it has the following
default values:
• conn-rate-limit – not set
• dns {cache-enable | cache-disable} – cache-disable
• dns ttl – Global DNS caching TTL value, which is 300 seconds by
default. (See “slb dns-cache-age” on page 552.)
• dns weight – 1
• over-limit-action – cache-enable
• default-policy – nocache
• disable-cache – caching is enabled
• dns-log-enable – disabled
• max-cache-size – maximum allowed on the entire system
• max-cache-entry-size – 256
• max-query-length – unlimited
Mode Configure
Usage The normal form of this command creates a DNS template. The “no” form
of this command removes the template.
You can bind only one DNS template to a virtual port. However, you can
bind the same DNS template to multiple ports.
For DNS caching, bind the template to virtual port type dns-udp. Virtual
port type dns applies only to DNS security.
DNS templates are not supported with stateless load-balancing methods.

slb template dns (DNS security)
slb template dns (DNS security)

Description Configure DNS security.
Syntax [no] slb template dns template-name
DNS template, where the following commands are available.
Command Description
[no] malformed-
query
{drop | forward
service-group-
name} Specifies the action to take for malformed DNS
queries:
drop – Drops malformed queries.
forward – Sends the queries to the specified ser-
vice group. With either option, the malformed
queries are not sent to the DNS virtual port.
Default The configuration does not have a default DNS template. If you configure
one, the default action is to drop malformed DNS queries.
Usage The normal form of this command creates a DNS template. The “no” form
of this command removes the template.
You can bind only one DNS template to a virtual port. However, you can
bind the same DNS template to multiple ports.
DNS templates are not supported with stateless load-balancing methods.
Example The following commands configure a DNS template for DNS security and
bind the template to the DNS virtual port on a virtual server:
ACOS(config)#slb template dns dns-sec
ACOS(config-dns-policy)#malformed-query drop

slb template external-service
ACOS(config-dns-policy)#exit
ACOS(config)#slb virtual-server dnsvip1 192.168.1.53
ACOS(config-slb vserver)#port 53 udp
ACOS(config-slb vserver-vport)#template dns dns-sec
Since the drop action is specified, malformed DNS queries sent to the vir-
tual DNS server are dropped by the ACOS device.

Description Configure an External Service template to steer traffic to external servers
for additional processing, based on application.
Syntax [no] slb template external-service template-name
External Service template, where the following commands are available.
Command Description
[no] bypass-ip
IPv4-address
{/nn | netmask} If configuring for Skyfire, specifies the Skyfire
controller IP address.
[no] failure-
action
{continue |
drop | reset} Specifies the action performed by ACOS when
any of the following types of events occurs:
ACOS fails to select an external-service server.
Failure occurs during creation of a new connec-
tion to the external-service server.
The response from the external-service server
does not contain HTTP status code 200 or 403.
Exhaustion of memory when creating a request
to the external-service server.

The failure action can be one of the following:

continue – Allows the client’s request to go to
the content server.
drop – Silently drops the connection and does
not send a reset to the client.
reset – Sends a connection reset to the client.
Note: If a TCP error occurs while ACOS is waiting for a response, ACOS resets
the connection. For example, this occurs in the case of a connection reset
by a URL filtering server.
[no] template
template-type
template-name Applies a template to the external-service tem-
plate. Specify one or both of the following:
persist source-ip template-name –
Applies a source-IP persistence template to the
external-service template.
tcp-proxy template-name – Applies a
custom TCP-proxy template to use for managing
the TCP connections with the servers.
[no] service-
group group-
name Binds the service group that contains the exter-
nal-service servers to this template. Specify the
service group that contains the external-service
servers (for example, Skyfire servers or URL-fil-
tering servers). Do not specify the service group
containing the content servers (HTTP servers).
If configuring for Skyfire, specify the group of
Skyfire servers here, but not the Skyfire control-
ler. Specify the controller using the bypass-ip
command (described below).
[no] timeout
num action
[continue |
drop | reset] Sets the maximum number of seconds ACOS
waits for a response from the server. If the server
does not reply before the timeout expires, ACOS
takes the configured action, which can be one of
the following:

slb template fix
continue – Allows the client’s request to go to

the content server.
drop – ACOS silently drops the connection and
does not send a reset to the client.
reset – ACOS sends a connection reset to the cli-
ent.
[no] type
[skyfire-icap |
url-filter] Specifies the traffic type to redirect:
skyfire-icap – Steers Internet Content Adapta-
tion Protocol (ICAP) to external Skyfire control-
lers.
url-filter – Steers HTTP requests from clients to
external URL-filtering servers.
Default The configuration does not have a default External Service template. If you
configure one, the template has the following default values:
• bypass-ip – Not set
• failure-action – continue
• template – The default TCP proxy template
• timeout – 1000 ms; continue
• type – url-filter
slb template fix

Description Configure a template for Financial Information Exchange (FIX) load bal-
ancing.
Syntax [no] slb template fix template-name
FIX template, where the following commands are available.

slb template fix
Command Description
[no] insert-
client-ip Inserts an AVP with the original client IP address
to the tag 11447. For example, if the client IP
address is 40.40.40.20, this option will modify
the tag to “11447=40.40.40.20” when the server
receives this client’s PUSH data.
[no] tag-
switching
[sender-comp-id
|
target-comp-id]
equals string
service-group
name Inspects the FIX message header for a Sender-
CompID or TargetCompID tag value and uses a
specific service group if the tag matches the
Equals keyword. The ACOS device can inspect
FIX messages and perform service group switch-
ing with one of the following options:
sender-comp-id – Selects a service group for
FIX requests based on the value of the Sender-
CompID tag. This tag identifies the financial
institution that is sending the request.
target-comp-id – Selects a service group for FIX
requests based on the value of the TargetCompID
tag. This tag identifies the financial institution to
which the request is being sent.
If you select the Sender Comp ID or Target
Comp ID radio button, the following options are
displayed:
equals string – Specifies a keyword which
ACOS matches against the TargetCompID or
SenderCompID tag of a FIX message header.
Note: The keyword is case sensitive and must match exactly with the SendCom-
pID tag or TargetCompID tag. For example, “ABC” is different from
“Abc”.
service-group name – Selects the service-group
to use for a client request when the SenderCom-
pID or TargetCompID tag in the FIX message

slb template ftp
header of the request matches the specified key-

word.
Default The configuration does not have a default FIX template.
slb template ftp

Description Configure a template for FTP load balancing.
Syntax [no] slb template ftp template-name
FTP template, where the following commands are available.
Command Description
[no] active-
mode-port If you plan to use a non-standard FTP port num-
ber, use this option to specify the port number,
1-65535.
Default The configuration does not have a default FTP template.

slb template http
slb template http

Description Configure HTTP modifications to server replies to clients and configure
load balancing based on HTTP information.
Syntax [no] slb template http template-name
template-name Name of the template
HTTP template, where the following commands are available.
Command Description
[no]
compression
option Offloads Web servers from CPU-intensive HTTP
compression operations.
Options:
auto-disable-on-high-cpu percent
Configures an automatic disable of HTTP
compression based on CPU utilization. The
percent option specifies the threshold. You
can specify 1-100.
content-type content-string
Specifies the type of content to compress,
based on a string in the content-type header
of the HTTP response. The content-string
can be 1-31 characters long.
enable
Enables compression.
exclude-content-type
content-string
Excludes the specified content type from
being compressed. The content-string can be
1-31 characters long.

slb template http
For a list of media type strings, see the Internet

Assigned Numbers Authority Web site:
http://www.iana.org/assignments/media-types
exclude-uri uri-string
Excludes an individual URI from being com-
pressed. The URI string can be 1-31 charac-
ters. An HTTP template can exclude up to 10
URI strings.
The order in which content-type, exclude-con-
tent-type, and exclude-uri filters appear in the
configuration does not matter.
keep-accept-encoding enable
Configures the ACOS device to leave the
Accept-Encoding header in HTTP requests
from clients instead of removing the header.
When keep-accept-encoding is enabled,
compression is performed by the real server
instead of the ACOS device, if the server is
configured to perform the compression. The
ACOS device compresses the content that
the real server does not compress. This
option is disabled by default, which means
the ACOS device performs all the compres-
sion.
level number
Specifies the compression level. You can use
compression level 1-9. Each level provides a
higher compression ratio, beginning with
level 1, which provides the lowest compres-
sion ratio. A higher compression ratio results
in a smaller file size after compression.
However, higher compression levels also
require more CPU processing than lower
compression levels, so performance can be
affected.
minimum-content-length bytes
Specifies the minimum length (in bytes) a
server response can be in order to be com-
pressed. The length applies to the content
(payload) only and does not include the
headers. You can specify 0-2147483647
bytes.

slb template http
Note: Compression is supported only for HTTP and HTTPS virtual ports. Com-
pression is not supported for fast-HTTP virtual ports.
[no] failover-
url url-string Specifies the fallback URL to send in an HTTP
302 response when all real servers are down.
[no] host-
switching
{starts-with
|contains |
ends-with}
host-string
service-group
service-group-
name Selects a service group based on the value in the
Host field of the HTTP header. The selection
overrides the service group configured on the vir-
tual port.
For host-string, you can specify an IP address or
a hostname. If the host-string does not match, the
service group configured on the virtual port is
used.
starts-with host-string – matches only
if the hostname or IP address starts with host-
string.
contains host-string – matches if the
host-string appears anywhere within the host-
name or host IP address.
ends-with host-string – matches only if
the hostname or IP address ends with host-string.
[no] insert-
client-ip
[http-header-
name] [replace] Inserts the client’s source IP address into HTTP
headers. If you specify an HTTP header name,
the source address is inserted only into headers
with that name.
The replace option replaces any client addresses
that are already in the header. Without this
option, the client IP address is appended to the
lists of client IP addresses already in the header.
For example, if the header already contains
“X-Forwarded-For:1.1.1.1” and the current cli-
ent’s IP address is 2.2.2.2, the replace option
changes the field:value pair to

slb template http
“X-Forwarded-For:2.2.2.2”. Without the replace

option, the field:value pair becomes
“X-Forwarded-For:1.1.1.1, 2.2.2.2”.
[no] keep-
client-alive Keeps the session between ACOS and the ses-
sion up even after the part of the session between
ACOS and the backend server is terminated.
[no] log-retry Logs HTTP retries. An HTTP retry occurs when
the ACOS device resends a client’s HTTP
request to a server because the server did not
reply to the first request. (HTTP retries are ena-
bled using the retry-on-5xx or retry-on-5xx-
per-req command in the HTTP template.)
[no] non-http-
bypass service-
group group-
name Redirects non-HTTP traffic to a specific service
group. By default, the ACOS device will drop
non-HTTP requests that are sent to an HTTP
port.
[no] redirect-
rewrite match
url-string
rewrite-to
url-string Modifies redirects sent by servers by rewriting
the matching URL string to the specified value
before sending the redirects to clients.
[no] redirect-
rewrite secure
{port tcp-
portnum} Changes HTTP redirects sent by servers into
HTTPS redirects before sending the redirects to
clients.
To redirect clients to the default HTTPS port
(443), enter the following command:
redirect-rewrite secure
To redirect clients to an HTTPS port other than
the default, enter the following command
instead: redirect-rewrite secure port port-num
[no] req-hdr-
wait-time
seconds Sets a request header wait time to prevent Slow-
loris attacks. All portions of a client’s request

slb template http
header must be receieved within the specified

amount of time. Otherwise, ACOS terminates the
connection. You can specify 1-31 seconds. The
default is 7.
[no] request-
header-erase
field Erases the specified header (field) from HTTP
requests.
[no] request-
header-insert
field:value
[insert-always
| insert-if-
not-exist] Inserts the specified header into HTTP requests.
The field:value pair indicates the header field
name and the value to insert.
If you use the insert-always option, the com-
mand always inserts the field:value pair. If the
request already contains a header with the same
field name, the new field:value pair is added after
the existing field:value pair. Existing headers are
not replaced.
If you use the insert-if-not-exist option, the
command inserts the header only if the request
does not already contain a header with the same
field name.
Without either option, if a request already con-
tains one or more headers with the specified field
name, the command replaces the last header.
[no] request-
line-case-
insensitive Parses HTTP request lines with no case sensitiv-
ity.
[no] response-
content-replace
original-
content
new-content Replaces data in the HTTP response from the
server. The original-content specifies the content
to look for in server responses. The new-content
specifies the content to use to replace the original
content. For each value, you can specify a string
of 1-127 characters. If a string contains blank
spaces, use double quotation marks around the

slb template http
string.
Note: A maximum of 8 content-replacement

rules are supported in a given HTTP template.
[no] response-
header-erase
field Erases the specified header (field) from HTTP
responses.
[no] response-
header-insert
field:value
[insert-always
| insert-if-
not-exist] Inserts the specified header into HTTP
responses. The field:value pair indicates the
header field name and the value to insert.
If you use the insert-always option, the com-
mand always inserts the field:value pair. If the
response already contains a header with the same
field name, the new field:value pair is added after
the existing field:value pair. Existing headers are
not replaced.
If you use the insert-if-not-exist option, the
command inserts the header only if the response
does not already contain a header with the same
field name.
Without either option, if a response already con-
name, the command replaces the first header.
[no] retry-on-
5xx num Configures the ACOS device to retry sending a
client’s request to a service port that replies with
an HTTP 5xx status code, and reassign the
request to another server if the first server replies
with a 5xx status code. The retry number speci-
fies the number of times the ACOS device is
allowed to reassign the request.
For example, assume that a service group has
three members (s1, s2, and s3), and the retry is
set to 1. In this case, if s1 replies with a 5xx sta-
tus code, the ACOS device reassigns the request
to s2. If s2 also responds with a 5xx status code,
the ACOS device will not reassign the request to

slb template http
s3, because the maximum number of retries has

already been used.
If you use this command, the ACOS device stops
sending client requests to a service port for 30
seconds following reassignment. If you want the
service port to remain eligible for client requests,
use the following command instead. An HTTP
template can contain one or the other of these
commands, but not both.
Note: The 5xx options are supported only for virtual port types HTTP and
HTTPS. They are not supported for fast-HTTP or any other virtual port
type.
[no] retry-on-
5xx-per-req num This command provides the same function as the
retry-on-5xx command (described above). How-
ever, the retry-on-5xx-per-req command does
not briefly stop using a service port following
reassignment. An HTTP template can contain
one or the other of these commands, but not both.
[no] strict-
transaction-
switch Forces the ACOS device to perform the server
selection process anew for every HTTP request.
Without this option, the ACOS device reselects
the same server for subsequent requests (assum-
ing the same server group is used), unless over-
ridden by other template options.
[no] template
logging
template-name Specifies a logging template to use for external
logging of HTTP events over TCP.
[no] term-
11client-hdr-
conn-close Enables the ACOS device to terminate HTTP 1.1
client connections when the “Connection: close”
header exists in the HTTP request. This option is
applicable to connection-reuse deployments that
have HTTP 1.1 clients that are not compliant
with the HTTP 1.1 standard. Without this option,
sessions for non-compliant HTTP 1.1. clients are
not terminated.

slb template http
[no] url-hash-
persist
[offset offset-
bytes]
{first | last}
bytes
[use-server-
status} Enables server stickiness based on hash values. If
this feature is configured, for each URL request,
the ACOS device calculates a hash value based
on part of the URL string. The ACOS device
then selects a real server based on the hash value.
A given hash value always results in selection of
the same real server. Thus, requests for a given
URL always go to the same real server.
The offset option specifies how far into the string
to begin hash calculation.
The first | last option specifies which end of the
URL string to use to calculate the hash value.
The bytes option specifies how many bytes to use
to calculate the hash value.
Optionally, you can use URL hashing with either
URL switching or host switching. Without URL
switching or host switching configured, URL
hash switching uses the hash value to choose a
server within the default service group (the one
bound to the virtual port). If URL switching or
host switching is configured, for each HTTP
request, the ACOS device first selects a service
group based on the URL or host switching val-
ues, then calculates the hash value and uses it to
choose a server within the selected service group.
The use-server-status option enables server load
awareness, which allows servers to act as back-
ups to other servers, based on server load.
Note: This feature requires some custom configuration on the server. For infor-
mation, see the “URL Hash Switching” section in the “HTTP Options for
SLB” chapter of the Application Delivery and Server Load Balancing
Guide.

slb template http
[no] url-
switching
{starts-with |
contains |
ends-with |
url-case-
insensitive |
url-hits-
enable}
url-string
service-group
service-group-
name Selects a service group based on the URL string
requested by the client. The selection overrides
the service group configured on the virtual port.
starts-with /url-string – matches only
if the URL starts with url-string.
contains url-string – matches if the url-
string appears anywhere within the URL.
ends-with url-string – matches only if
the URL ends with url-string.
url-case-insensitive – enable case-
insensitive matching for URL switching rules.
url-hits-enable – enable URL hits.
Each URL matching pattern can be up to 64
bytes long.
Note: You can use URL switching or Host switching in an HTTP template, but
not both. However, if you need to use both types of switching, you can do
so with an aFleX script.
Default The configuration has a default HTTP template. In the template, most
options are disabled or not set.
Compression is disabled by default. When you enable it, it has the following
default settings:
• content-type – “text” and “application” included by default
• exclude-content-type – not set (nothing excluded)
• exclude-uri – not set (no URIs excluded)
• keep-accept-encoding – disabled

slb template http
• level – 1
• minimum-content-length – 120 bytes
To display the default HTTP template settings, use the show slb template
http default command.
Usage The normal form of this command creates an HTTP configuration template.
The “no” form of this command removes the template.
You can bind only one HTTP template to a virtual port. However, you can
bind the same HTTP template to multiple ports.
Header insertion is not supported on fast-HTTP virtual ports.
When the keep-client-alive option is enabled, the way ACOS keeps the ses-
sion with the client up depends on the way the server session is terminated:
• Normal TCP/IP connection termination by a TCP RST or FIN – ACOS
does not forward the RST or FIN to the client, and instead leaves the cli-
ent session open. (Technically, the session is left in the client-request-
state, wherein ACOS awaits the client’s next request.)
• “Connection: Close” header option in the response – ACOS removes
this header from the server reply before forwarding the reply to the cli-
ent.
• Client is using HTTP 1.0, and did not use the “Connection: Keep-Alive”
header option – ACOS inserts this header from the server reply before
forwarding the reply to the client.
Starts-with, Contains, and Ends-with Rule Matching

The starts-with, contains, and ends-with options are always applied in the
following order, regardless of the order in which the commands appear in
the configuration. The service group for the first match is used.
• starts-with
• contains
• ends-with
If a template has more than one command with the same option (starts-
with, contains, or ends-with) and a host name or URL matches on more
than one of them, the most-specific match is always used. For example, if a
template has the following commands, host "ddeeff" will always be directed
to service group http-sgf:

slb template http
slb template http http-host

host-switching starts-with d service-group http-sgd
host-switching starts-with dd service-group http-sge
host-switching starts-with dde service-group http-sgf
If a contains rule and an ends-with rule match on exactly the same string,
the ends-with rule is used, because it has the more specific match.
If you use the starts-with option with URL switching, use a slash in front of
the URL string. For example:
url-switching starts-with /urlexample service-group http-sg1
Redirect-Rewrite Rule Matching

If a URL matches on more than redirect-rewrite rule within the same HTTP
template, the ACOS device selects the rule that has the most specific match
to the URL. For example, if a server sends redirect URL 66.1.1.222/
000.html, and the HTTP template has the redirect-rewrite rules shown
below, the ACOS device will use the last rule because it is the most specific
match to the URL:
slb template http 1
redirect-rewrite match /00 rewrite-to http://66.1.1.202/a
redirect-rewrite match /000.html rewrite-to /001.gif
redirect-rewrite match 66.1.1.222/000.html rewrite-to 66.1.1.202/003.bmp
Example The following commands configure an HTTP template called “http-com-

pression” that enables compression. The minimum length a packet must be
for it to be compressed is set at 120 bytes.
ACOS(config)#slb template http http-compression
ACOS(config-HTTP template)#compression enable
ACOS(config-HTTP template)#compression minimum-content-length 120
Example The following commands configure an HTTP template called “http-header”

that inserts the client IP address and a Cookie field into HTTP headers in
requests from clients before sending the requests to servers:
ACOS(config)#slb template http http-header
ACOS(config-HTTP template)#insert-client-ip
ACOS(config-HTTP template)#header-insert Cookie:a = b
Example The following commands configure an HTTP template called “http-host”

that selects a service group based on the contents of the Host field in the
HTTP headers of client requests. Requests for hostnames that start with
“Gossip” are directed to service group “http-sg1”. Requests for hostnames
that contain “NewsDeskA” are directed to service group “http-sg2”.
Requests for hostnames that end with “weather.com” are directed to service
group “http-sg3”.

slb template http
ACOS(config)#slb template http http-host

ACOS(config-HTTP template)#host-switching starts-with Gossip service-group
http-sg1
ACOS(config-HTTP template)#host-switching contains NewsDeskA service-group
http-sg2
ACOS(config-HTTP template)#host-switching ends-with weather.com service-group
http-sg3
Example The following commands configure an HTTP template to use URL hashing.
Hash values will be calculated based on the last 8 bytes of the URL. In this
example, URL switching is also configured in the template. As a result, the
ACOS device uses URL switching to select a service group first, then uses
URL hashing to select a server within that service group. If the template did
not also contain URL switching commands, this template would always
select a server from service group sg3.
ACOS(config)#slb template http hash
ACOS(config-HTTP template)#url-hash-switching last 8
ACOS(config-HTTP template)#url-switching starts-with /news service-group sg1
ACOS(config-HTTP template)#url-switching starts-with /sports service-group sg2
ACOS(config-HTTP template)#exit
ACOS(config)#slb virtual-server vs1 1.1.1.1
ACOS(config-slb virtual server)#port 80 http
ACOS(config-slb virtual server-slb virtua...)#service-group sg3
ACOS(config-slb virtual server-slb virtua...)#template http hash
Example The following commands configure an HTTP template called “http-com-

press”, that uses compression level 5 to compress files with media type
“application” or “image”. Files with media type “application/zip” are
explicitly excluded from compression.
ACOS(config)#slb template http http-compress
ACOS(config-HTTP template)#compression enable
ACOS(config-HTTP template)#compression level 5
ACOS(config-HTTP template)#compression content-type image
ACOS(config-HTTP template)#compression exclude-content-type application/zip
Example The following commands configure an HTTP template that replaces the cli-
ent IP addresses in the X-Forwarded-For field with the current client IP
address:
ACOS(config)#slb template http clientip-replace
ACOS(config-HTTP template)#insert-client-ip X-Forwarded-For replace

slb template http-policy
slb template http-policy

Description Configure an HTTP-policy template to override WAF template application
for different types of client traffic.
Syntax [no] slb template http-policy template-name
logging template, where the following command is are available.
Command Description
[no] cookie
match-option
cookie-value
template waf-
template-name Matches based on cookie values. For descrip-
tions of the other options, see below.
[no] cookie-
name match-
option
cookie-name
template waf-
template-name Matches based on cookie names. For descrip-
tions of the other options, see below.
[no] host
match-option
host-name
template waf-
template-name Matches based on host names. For descriptions
of the other options, see below.
[no] url
match-option
url-string
template waf-
template-name Matches based on URL strings. For descriptions
of the other options, see below.

slb template logging
match-option Type of matching to perform:

equals – Matches only if the URL, hostname,
or cookie name completely matches the specified
string.
starts-with – Matches only if the URL,
hostname, or cookie name starts with the speci-
fied string.
contains – Matches if the specified string
appears anywhere within the URL, hostname, or
cookie name.
ends-with – Matches only if the URL, host-
name, or cookie name ends with the specified
string.
Usage These match options are always applied in the order shown above, regard-
less of the order in which the rules appear in the configuration. The WAF
template associated with the rule that matches first is used.
If a template has more than one rule with the same match option (equals,
starts-with, contains, or ends-with) and a URL matches on more than one of
them, the most-specific match is always used.
For more information, see the Web Application Firewall Guide.

Description Configure external logging over TCP.
Syntax [no] slb template logging template-name
template-name
Name of the template, up to 31 characters long.
logging template, where the following command is are available.

Command Description
[no] format
string Configures a log string. For syntax information,
see the Application Delivery and Server Load
Balancing Guide.
[no] local-
logging {0 | 1} Enables or disables local logging:
0 – Disables local logging.
1 – Enables local logging.
[no] service-
group group-
name For remote logging, specifies the name of the
service group that contains the log servers.
[no] template
tcp-proxy
template-name Binds a TCP-proxy template to the logging tem-
plate.
Default The configuration does not have a default logging template. When you add
one, it has the following default values:
• format – The following format is used:
Client-Src-IP -- Timestamp-on-AX-device Request-info
Payload-length Referer-info User-agent Virtual-
server-name:Virtual-port
• service-group – Not set
• template tcp-proxy – Not set
Usage Logging over TCP also requires some additional configuration. See the
Application Delivery and Server Load Balancing Guide.

slb template monitor
slb template monitor

Description Configure a link monitoring template.
Syntax [no] slb template monitor num
num Identification number of the template. This can
be a number between 1 to 16.
monitor template, where the following commands are available.
Command Description
[no] action
[clear |
link-disable |
link-enable]
sessions Specifies the action to perform when a monitored
event is detected.
[no] monitor
[link-up |
link-down] eth
num sequence
num Specifies the links (Ethernet data ports) to moni-
tor.
[no] monitor-
and Uses the logical operator “AND” for link moni-
toring. The actions are performed only if all of
the monitored events are detected. This is
selected by default.
[no] monitor-or Uses the logical operator “OR”. The actions are
performed if any of the monitored events are
detected.
Default The ports within a given monitor entry are always ANDed. If you specify
more than one port (eth portnum option) in the same monitor entry, the
specified event must occur on all the ports in the entry. For example, if you
specify link-down eth 9 eth 11, the link must go down on ports 9 and 11, for
the link-state changes to count as a monitored event.

slb template persist cookie
Usage The logical operator applies only to monitor entries, not to action entries.
For example, if the logical operator is OR, and at least one of the monitored
events occurs, all the actions configured in the template are applied.
You can configure the entries in any order. In the configuration, the entries
of each type are ordered based on sequence number.
Example The following commands configure monitor template 1:

ACOS(config)#slb template monitor 1
ACOS(config-monitor)#monitor-or
ACOS(config-monitor)#monitor link-down eth 5 sequence 1
ACOS(config-monitor)#action clear sessions sequence 1
ACOS(config-monitor)#action link-disable eth 5 sequence 2

Description Configure session persistence by inserting persistence cookies into server
replies to clients.
Syntax [no] slb template persist cookie template-name
persistence template, where the following commands are available.

Command Description
[no] domain
domain-name Adds the specified domain name to the cookie.
[no] dont-
honor-conn-
rules Ignores connection limit settings configured on
real servers and real ports. This option is useful
for applications in which multiple sessions (con-
nections) are likely to be used for the same per-
sistent cookie.
[no] expire
expire-seconds Specifies the number of seconds a cookie persists
on a client’s PC before being deleted by the cli-
ent’s browser. You can specify from 0 to
31,536,000 seconds (one year). (Do not enter the
commas.) If you specify 0, cookies persist only
for the current session.
[no] insert-
always Specifies whether to insert a new persistence
cookie in every reply, even if the request already
had a persistence cookie previously inserted by
the ACOS device.
[no] match-type
{server
[service-group]
| service-
group}
[scan-all-
members] Changes the granularity of cookie persistence.
server – The cookie inserted into the HTTP
header of the server reply to a client ensures that
subsequent requests from the client for the same
VIP are sent to the same real server. (This
assumes that all virtual ports of the VIP use the
same cookie persistence template with match-
type set to server.)
Without this option, the default behavior is used:
subsequent requests from the client will be sent
to the same real port on the same real server.
server service-group – Sets the granular-
ity to the same as server, and also enables cookie
persistence to be used along with URL switching
or host switching. Without the service-group

option, URL switching or host switching can be

used only for the initial request from the client.
After the initial request, subsequent requests are
always sent to the same service group.
service-group – This option enables sup-
port for URL switching and host switching,
along with the default cookie persistence behav-
ior.
scan-all-members – This option scans all
members bound to the template. This option is
useful in configurations where match-type
“server” is used, and where some members have
different priorities or are disabled. (For more
information about this option, see the “Scan-All-
Members Option in Persistence Templates”
Note: To use URL switching or host switching, you also must configure an
HTTP template with the host-switching or url-switching command.
[no] name
cookie-name Specifies the name of the persistence cookie,
1-63 characters.
[no] path
path-name Adds path information to the cookie, 1-31 char-
acters.
Default The configuration does not have a default cookie-persistence template. If

you create one, it has the following defaults:
• domain – Not set
• dont-honor-conn-rules – Disabled; by default, the connection limit set

on real servers and real ports is used.
• expire – about 10 years
Note: Although the default is 10 years (essentially, unlimited), the maximum

configurable expiration is one year.
• insert-always – Disabled. The ACOS device inserts a persistence
cookie only if the client request does not already contain a persistence
cookie inserted by the ACOS device, or if the server referenced by the
cookie is unavailable.
• match-type – The default match type is port. (There is no port key-
word. See “Usage” for more information.)

• name – “sto-id”
• path – “ / ”
Usage The normal form of this command creates a cookie-persistence template.

You can bind only one cookie-persistence template to a virtual port.

However, you can bind the same cookie-persistence template to multiple
ports.
When cookie persistence is configured, the ACOS device adds a persistence

cookie to the server reply before sending the reply to the client. The client’s
browser re-inserts the cookie into each request.
Note: For security, address information in the cookie is encrypted.
The format of the cookie depends on the match-type setting:

• match-type (port) – This is the default setting. Subsequent requests
from the client will be sent to the same real port on the same real server.
URL switching or host switching can be used only for the first request.
The cookie that the ACOS device inserts into the server reply has the
following format:
Set-Cookie: cookiename-vport=rserverIP_rport
The vport is the virtual port number. The rserverIP is the real server IP
address and the rport is the real server port number.
Note: The port option is shown in parentheses because the CLI does not have a
“port” keyword. If you do not set the match type to server (see below),
the match type is automatically “port”.
• match-type server – Subsequent requests from the client for the same
VIP will be sent to the same real server, provided that all virtual ports of
the VIP use the same cookie persistence template with match-type set to
server. URL switching or host switching can be used only for the first
request.
following format:
Set-Cookie: cookiename=rserverIP
• match-type (port) service-group – Subsequent requests from the client
will be sent to the same real port on the same real server, within the ser-

slb template persist destination-ip
vice group selected by URL switching or host switching. URL switch-

ing or host switching, if configured, is still used for every request.
following format:
Set-Cookie: cookiename-vport-servicegroupname=rserverIP_rport
• match-type server service-group – Subsequent requests from the cli-
ent for the same VIP will be sent to the same real server, within the ser-
vice group selected by URL switching or host switching. URL
switching or host switching, if configured, is still used for every request.
following format:
Set-Cookie: cookiename-servicegroupname=rserverIP
Example The following commands configure a cookie persistence template named

“persist-cookie”. The template inserts a cookie named “MyCookie”, con-
taining the real server’s IP address and protocol port in encrypted form, into
server responses before sending the responses to clients. The template also
sets the cookie to persist on client PCs for only 10 minutes (600 seconds).
ACOS(config)#slb template persist cookie persist-cookie
ACOS(config-cookie persistence template)#name MyCookie
ACOS(config-cookie persistence template)#expire 600

Description Configure the granularity of load balancing persistence (selection of the
same server resources) for clients, based on destination IP address.
Syntax [no] slb template persist destination-ip

template-name

Command Description
[no] dont-
honor-conn-
sistent destination IP address.
[no] hash-
persist Enables hash-based persistence. Hash-based per-
sistence provides the persistence and perfor-
mance benefits of hash-based load balancing,
while allowing use of advanced SLB features
that require stateful load balancing.
(For more information, see “Hash-based IP Per-
sistence” in the Application Delivery and Server
[no] match-type
{server |
service-group}
[scan-all-
members] Specifies the granularity of persistence:
server – Traffic to a given destination IP
address is always sent to the same real server, for
any service port.
By default (without the server option), traffic to
the same destination IP address and virtual port is
always sent to the same real port. This is the most
granular setting.
service-group – This option is applicable if
you also plan to use URL switching or host
switching. If you use the service-group option,
URL or host switching is used for every request
to select a service group. The first time URL or
host switching selects a given service group, the
load-balancing method is used to select a real
port within the service group. The next time URL
or host switching selects the same service group,
the same real port is used. Thus, service group
selection is performed for every request, but once
a service group is selected for a request, the
request goes to the same real port that was
selected the first time that service group was
selected.

scan-all-members – This option scans all

members bound to the template. This option is
useful in configurations where match-type
“server” is used, and where some members have
different priorities or are disabled. (For more
information about this option, see the “Scan-All-
Members Option in Persistence Templates”
[no] netmask
ipaddr Specifies the granularity of IPv4 address hashing
for initial server port selection.
You can specify an IPv4 network mask in dotted
decimal notation.
– To configure initial server port selection to
occur once per destination VIP subnet, configure
the network mask to indicate the subnet length.
For example, to select a server port once for all
requested VIPs within a subnet such as
10.10.10.x, 192.168.1.x, and so on (“class C”
subnets), use mask 255.255.255.0. SLB selects a
server port for the first request to the given VIP
subnet, the sends all other requests for the same
VIP subnet to the same port.
– To configure initial server port selection to
occur independently for each requested VIP, use
mask 255.255.255.255. (This is the default.)
[no] netmask6
mask-length Specifies the granularity of IPv6 address hashing
for initial server port selection. (See above for
more information.)
[no] timeout
timeout-minutes Specifies how many minutes the mapping
remains persistent after the last time it is used.
Default The configuration does not have a default destination-IP persistence tem-
plate. If you configure one, it has the following defaults:

slb template persist source-ip
• hash-persist – Disabled
• match-type – For SLB, by default, traffic to a given destination IP

address and port is always sent to the same real port. This is the most
granular setting. (There is no port keyword.)
• netmask – 255.255.255.255
• timeout – 5 minutes
Usage The normal form of this command creates a destination-IP persistence tem-
You can bind only one destination-IP persistence template to a virtual port.
However, you can bind the same destination-IP persistence template to
multiple ports.
Use of the service-group match-type option scan-all-members is not useful

in conjunction with destination-IP persistence templates, and is not sup-
ported.
Example The following command creates a destination-IP persistence template

named “persist-dest”:
ACOS(config)#slb template persist destination-ip persist-source

Description Configure the granularity of load balancing persistence (selection of the
same server resources) for clients, based on source IP address.
Syntax [no] slb template persist source-ip template-name

Command Description
[no] dont-
honor-conn-
sistent client source IP address.
[no] enforce-
higher-priority Enables Source-IP Persistence Override and
Reselect. When this feature is enabled, the
ACOS device continually checks for the pres-
ence of higher-priority servers, even if source-IP
persistence is enabled and sessions are already
established between client and server.
[no] hash-
persist Enables hash-based persistence. Hash-based per-
sistence provides the persistence and perfor-
mance benefits of hash-based load balancing,
while allowing use of advanced SLB features
that require stateful load balancing.
[no] incl-dst-
ip Used to support the ALG protocol firewall load
balancing feature for protocols such as FTP. This
option helps ensure that special persistent session
will be matched on both the source IP and desti-
nation IP addresses.
[no] incl-sport Includes the source port in persistent sessions.
[no] match-type
{server
[scan-all-
members] |
service-group} Specifies the granularity of persistence:
server – Traffic from a given client to the
same VIP is always sent to the same real server,
for any service port requested by the client.
By default (without the server option), traffic
from a given client to the same virtual port is
always sent to the same real port. This is the most
granular setting.
The scan-all-members option scans all members
bound to the template. This option is useful in
configurations where match-type “server” is

used, and where some members have different

priorities or are disabled.
service-group – This option is applicable if
you also plan to use URL switching or host
switching. If you use the service-group option,
URL or host switching is used for every request
to select a service group. The first time URL or
host switching selects a given service group, the
load-balancing method is used to select a real
port within the service group. The next time URL
or host switching selects the same service group,
the same real port is used. Thus, service group
selection is performed for every request, but once
a service group is selected for a request, the
request goes to the same real port that was
selected the first time that service group was
selected.
Note: The match type for FWLB is always server, which sets the granularity of
source-IP persistence to individual firewalls, not firewall groups or indi-
vidual service ports.
[no] netmask
ipaddr Specifies the granularity of IP address hashing
for server port selection.
You can specify an IPv4 network mask in dotted
decimal notation.
– To configure server port selection to occur on a
per subnet basis, configure the network mask to
indicate the subnet length. For example, to send
all clients within a subnet such as 10.10.10.x,
192.168.1.x, and so on (“class C” subnets) to the
same server port, use mask 255.255.255.0. SLB
selects a server port for the first client in a given
subnet, the sends all other clients in the same
subnet to the same port.
– To configure server port selection to occur on a
per client basis, use mask 255.255.255.255. SLB
selects a server port for the first request from a
given client, the sends all other requests from the
same client to the same port. (This is the default.)

[no] netmask6
mask-length Specifies the granularity of IPv6 address hashing
for initial server port selection. (See above for
more information.)
[no] timeout
remains persistent after the last time traffic from
the client is sent to the server. You can specify
1-2000 minutes (about 33 hours).
Note: The timeout for a source-IP persistent session will not be reset if the time-
out in the source-IP persistence template is set to 1 minute. If the timeout
is set to 1 minute, sessions will always age out after 1 minute, even if they
are active.
Default The configuration does not have a default source-IP persistence template. If
you configure one, it has the following defaults:
• hash-persist – Disabled
• incl-sport – Disabled
• match-type – For SLB, by default, traffic from a given client to the

same virtual port is always sent to the same real port. This is the most
granular setting. (There is no port keyword.)
For FWLB, the default is server and none of the other match-type
options are applicable.
• netmask – 255.255.255.255
Usage The normal form of this command creates a source-IP persistence template.
You can bind only one source-IP persistence template to a virtual port.
However, you can bind the same source-IP persistence template to multiple
ports.
The timeout for a source-IP persistent session will not be reset if the timeout
in the source-IP persistence template is set to 1 minute. If the timeout is set
to 1 minute, sessions will always age out after 1 minute, even if they are
active.

If you use the incl-sport option, the IP address in the Forward Source col-
umn of show session output is modified to include the source port. For
example, “155.1.1.151:33067” is shown as “1.151.129.43”.
Using the Same VIP and Port Number for TCP and UDP Ports
If you apply the source-IP persistence template to two virtual ports that have
the same VIP and protocol port number but different Layer 4 protocols
(TCP or UDP), the member lists for the ports must be identical in both the
TCP and UDP service groups.
For example, the following configuration will work because service groups
5060-tcp and 5060-udp have the same member list although their protocols
are different.
slb virtual-server vip2 13.0.0.100

port 5060 sip-tcp
service-group 5060-tcp
template persist source-ip per-sip
port 5060 sip
service-group 5060-udp
template persist source-ip per-sip
!
slb service-group 5060-tcp tcp
member s1:5060
member s2:5060
!
slb service-group 5060-udp udp
member s1:5060
member s2:5060
The configuration will not work if the member lists in the service groups are
different. For example, the configuration will not work if the TCP group's
member list is changed to either of the following:

member s3:5060
member s4:5060
or

member s1:5061
member s2:5061

slb template persist ssl-sid
Example The following commands configure a source-IP persistence template named

“persist-source” and set the granularity to service-group:
ACOS(config)#slb template persist source-ip persist-source
ACOS(config-source ip persistence template)#match-type service-group
slb template persist ssl-sid

Description Direct clients based on SSL session ID.
SSL session-ID persistence directs all client requests for a given virtual
port, and that have a given SSL session ID, to the same real server and real
port. For example, with SSL session-ID persistence configured, all client
requests for virtual port 443 on virtual server 1.2.3.4 that have the same SSL
session ID will be directed to the same real server and port.
The persistence is based on the SSL session ID, not on the client IP address.
Syntax [no] slb template persist ssl-sid template-name
Command Description
[no] dont-
honor-conn-
sistent SSL session ID.
[no] timeout
remains persistent after the last time traffic with
the SSL session ID is sent to the server. You can
specify 1-250 minutes.
Default The configuration does not have a default SSL session-ID persistence tem-
plate. If you configure one, it has the following defaults:

slb template policy

Usage The normal form of this command creates an SSL session-ID persistence
template. The “no” form of this command removes the template.
You can bind only one SSL session-ID persistence template to a virtual port.
However, you can bind the same SSL session-ID persistence template to
multiple ports.
To display statistics for SSL session-ID persistence, use the following com-
mand: show slb l4
Example The following commands configure an SSL session-ID persistence template

named “ssl-persist1” and apply it to virtual port 443 on virtual server
“vip1”:
ACOS(config)#slb template persist ssl-sid ssl-persist1
ACOS(config-SSL session ID persistence te...)#exit
ACOS(config-slb virtual server)#port 443 tcp
ACOS(config-slb virtual server-slb virtua...)#service-group https-sg1
ACOS(config-slb virtual server-slb virtua...)#template ssl-sid ssl-persist1
slb template policy

Description Configure a template of Policy-Based SLB (PBSLB) settings.
Syntax [no] slb template policy template-name
PBSLB template, where the following commands are available.

slb template policy
Command Description
[no] bw-list
id id
service
{service-group-
name |
drop | reset}
[logging
[minutes]
[fail]] Specifies the action to take for clients in the
black/white list:
id – Group ID in the black/white list.
service-group-name – Sends clients to the
SLB service group associated with this group ID
on the ACOS device.
drop – Drops connections for IP addresses that
are in the specified group.
reset – Resets connections for IP addresses
that are in the specified group.
logging [minutes] [fail] – Enables
logging. The minutes option specifies how often
messages can be generated. This option reduces
overhead caused by frequent recurring messages.
For example, if the logging interval is set to 5
minutes, and the PBSLB rule is used 100 times
within a five-minute period, the ACOS device
generates only a single message. The message
indicates the number of times the rule was
applied since the last message. You can specify a
logging interval from 0 to 60 minutes. To send a
separate message for each event, set the interval
to 0.
PBSLB rules that use the service service-group-
name option also have a fail option for logging.
The fail option configures the ACOS device to
generate log messages only when there is a failed
attempt to reach a service group. Messages are
not generated for successful connections to the
service group. The fail option is disabled by
default. The option is available only for PBSLB
rules that use the service service-group-name
option, not for rules with the drop or reset
option, since any time a drop or reset rule affects
traffic, this indicates a failure condition.

slb template policy
Logging is disabled by default. If you enable it,

the default for minutes is 3.
[no] bw-list
name file-name Binds a black/white list to the virtual ports that
use this template.
[no] bw-list
over-limit
{lockup min |
logging min |
reset} Specifies the action to take for traffic that is over
the limit. The default is drop.
lockup min – Continues to apply the over-
limit action to all new connection attempts from
the client, for the specified number of minutes
(1-127).
logging min – Generates a log message when
traffic goes over the limit. The min option speci-
fies the log interval and can be 1-255 minutes.
reset – Resets new connections until the num-
ber of concurrent connections on the virtual port
falls below the connection limit.
[no] bw-list
timeout minutes Specifies the number of minutes dynamic black/
white-list client entries can remain idle before
aging out. You can specify 1-127 minutes.
[no] bw-list
use-
destination-ip Matches black/white list entries based on the cli-
ent’s destination IP address, instead of matching
by client source address. By default, matching is
based on the client’s source IP address. Gener-
ally, this option is applicable when wildcard
VIPs are used.
[no] class-list
client-ip
{l3-dest |
l7-header
[header-name]} Specifies the IP address to use for matching
entries in an IP class list.
l3-dest – Matches based on the destination IP
address in packets from clients.
l7-header [header-name] – Matches based on
the IP address in the specified header in packets

slb template policy
from clients. The header-name specifies the

name of the header to use. If you do not specify a
header name, the X-Forwarded-For header is
used.
[no] class-list
lid num Configures an IP limiting rule for the IP limiting
feature. This command changes the CLI to the
configuration level for the rule, where the fol-
lowing commands are available:
[no] conn-limit num – Specifies the maximum
number of concurrent connections allowed for a
client. You can specify 0-1048575. Connection
limit 0 immediately locks down matching clients.
[no] conn-rate-limit num per num-of-100ms –
Specifies the maximum number of new connec-
tions allowed for a client within the specified
limit period. You can specify 1-4294967295 con-
nections. The limit period can be 100-6553500
milliseconds (ms), specified in increments of 100
ms.
[no] request-limit num – Specifies the maxi-
mum number of concurrent Layer 7 requests
allowed for a client. You can specify 1-1048575.
[no] request-rate-limit num per num-of-100ms
– Specifies the maximum number of Layer 7
requests allowed for the client within the speci-
fied limit period. You can specify 1-4294967295
connections. The limit period can be 100-
6553500 milliseconds (ms), specified in incre-
ments of 100 ms.
Note: The class-list request-limit and request-rate-limit options apply only to

HTTP, fast-HTTP, and HTTPS virtual ports.
These options, when configured in a policy template, are applicable only
in policy templates that are bound to virtual ports. These options are not
applicable in policy templates bound to virtual servers (rather than indi-
vidual ports), or in policy templates used for system-wide PBSLB.
The over-limit-action log option, when used with the request-limit or
request-rate-limit option, always lists Ethernet port 1 as the interface.

slb template policy
[no] over-limit-action [forward | reset]

[lockout minutes] [log minutes] – Specifies the
action to take when a client exceeds one or more
of the limits. The command also configures lock-
out and enables logging. The action can be one of
the following:
– drop – The ACOS device drops that traffic. If
logging is enabled, the ACOS device also gener-
ates a log message. (There is no drop keyword.
This is the default action.)
– forward – The ACOS device forwards the traf-
fic. If logging is enabled, the ACOS device also
generates a log message.
– reset – For TCP, the ACOS device sends a TCP
RST to the client. If logging is enabled, the
ACOS device also generates a log message.
The lockout option specifies the number of min-
utes during which to apply the over-limit action
after the client exceeds a limit. The lockout
period is activated when a client exceeds any
limit. The lockout period can be 1-1023 minutes.
The logging option generates log messages when
clients exceed a limit. When you enable logging,
a separate message is generated for each over-
limit occurrence, by default. You can specify a
logging period, in which case the ACOS device
holds onto the repeated messages for the speci-
fied period, then sends one message at the end of
the period for all instances that occurred within
the period. The logging period can be 0-255 min-
utes. The default is 0 (no wait period).
[no] class-list
name name Applies an IP class list to the template.
Note: Class lists can be configured only in the shared partition. A policy tem-
plate configured in the shared partition or in a private partition can use a
class list configured in the shared partition.
[no] geo-
location
full-domain-
tree Checks the current connection count not only for
the client’s specific geo-location, but for all geo-
locations higher up in the domain tree.

slb template policy
Note: It is recommended to enable or disable this option before enabling GSLB.

Changing the state of this option while GSLB is running can cause the
related statistics counters to be incorrect.
[no] geo-
location
overlap Enables overlap matching mode. If there are
overlapping addresses in the black/white-list or
class list, use this option to enable the ACOS
device to find the most precise match.
[no] geo-
location share Enables sharing of PBLSB statistics counters for
all virtual servers and virtual ports that use the
template. This option causes the following coun-
ters to be shared:
– Permit
– Deny
– Connection number
– Connection limit
Note: It is recommended to enable or disable this option before enabling GSLB.

Changing the state of this option while GSLB is running can cause the
related statistics counters to be incorrect.
Default The ACOS device does not have a default PBSLB template. When you con-
figure one, the template has the following default settings:
• bw-list id – None. Logging is disabled by default. If you enable it, the
default for minutes is 3.
• bw-list name – None
• bw-list over-limit – drop
• bw-list timeout – 5
• bw-list use-destination-ip – Disabled. By default, the ACOS device

matches by client source IP address.
• class-list client-ip – Client’s IP address is used.
• class-list name – not set
• class-list lid – Not set. When you create one, the limiting rule has the
following default values:
• conn-limit – Not set
• conn-rate-limit – Not set
• request-limit – Not set

slb template policy
• request-rate-limit – Not set

• over-limit-action – Drop. There is no default lockout period. Log-
ging is disabled by default. The default logging period is 0 (no wait
period).
• geo-location full-domain-tree – Disabled. When a client requests a
connection, the ACOS device checks the connection count only for the
specific geo-location level of the client. If the connection limit for that
specific geo-location level has not been reached, the client’s connection
is permitted.
• geo-location overlap – disabled
• geo-location share – disabled
Usage The normal form of this command creates a PBSLB template. The “no”
You can bind only one PBSLB template to a virtual port. However, you can
bind the same PBSLB template to multiple ports.
If a connection limit is specified in a black/white list, the ACOS device does

If the template uses a black/white list, the lockup over-limit action is appli-
cable only if the template is applied at the system level, for system-wide
PBSLB deployed for Sockstress protection. If the template uses a class list,
the lockup over-limit action is applicable regardless of whether the template
is applied at the system level or to an individual virtual server or virtual
port.
PBSLB configuration on a virtual port can be set either using a template or

by configuring the individual settings on the port. Individual PBSLB set-
tings and a PBSLB template can not be configured on the same virtual port.
Apply the Policy Globally or on Individual Virtual Ports

The ACOS device also allows policy templates to be applied at the virtual-
server level. However, PBSLB does not take effect if you apply the policy
template at the virtual-server level. Only class lists are supported at the vir-
tual-server level. To use PBSLB, apply the policy template globally or on
individual virtual ports.

slb template port
Example The following commands configure a PBSLB template and bind it to a vir-
tual port:
ACOS(config)#slb template policy bw1
ACOS(config-policy)#bw-list name bw1
ACOS(config-policy)#bw-list id 2 service srvcgroup2
ACOS(config-policy)#bw-list id 4 drop
ACOS(config-policy)#exit
ACOS(config)#slb virtual-server PBSLB_VS1 10.10.10.69
ACOS(config-slb virtual server-slb virtua...)#template policy bw1
slb template port

Description Configure a template of SLB settings for service ports on real servers.
Syntax [no] slb template port template-name
real port template, where the following commands are available.
Command Description
[no] conn-limit
max-connections
[resume
connections]
[no-logging] Specifies the maximum number of connections
allowed on ports that use this template.
The max-connections option specifies the maxi-
mum number of concurrent connections,
0-8000000.
The resume connections option specifies
the maximum number of connections the port
can have before the ACOS device resumes use of
the port. You can specify 1-1048575 connections.
The no-logging option disables logging for the
feature.

slb template port
[no] conn-rate-
limit
connections
[per {100ms |
1sec}]
[no-logging] Limits the rate of new connections the ACOS
device is allowed to send to ports that use this
template. When a real port reaches its connection
limit, the ACOS device stop selecting the port to
serve client requests.
connections – Maximum of new connections
allowed on the port. You can specify 1-1048575
connections.
per {100ms | 1sec} – Specifies whether
the connection rate limit applies to one-second
intervals or 100-ms intervals. The default is one-
second intervals (1sec).
feature.
[no] dest-nat Enables destination Network Address Transla-
tion (NAT) on ports that use this template.
Destination NAT is enabled by default, but is
automatically disabled in Direct Server Return
(DSR) configurations. You can re-enable destina-
tion NAT on individual ports for deployment of
mixed DSR configurations, which use backup
servers across Layer 3 (in different subnets).
[no] down-
grace-period
seconds Specifies the number of seconds the ACOS
device will continue to forward packets to a
Down port. This option is useful for taking serv-
ers down for maintenance without immediately
impacting existing sessions on the servers. You
Note: The service group must contain 2 or more
servers for this feature to work.
Note: This feature supports stateless and stateful
load balancing. However, the feature is not sup-
ported for stateful hash load-balancing methods,
such as source-IP-based or destination-IP-based
hashing.

slb template port
[no] dscp
number Sets the differentiated services code point
(DSCP) value in the IP header of a client request
before sending the request to ports that use this
template. The number specifies the DSCP value
and can be 1-63. By default, DSCP is not set by
the ACOS device.
[no] dynamic-
member-priority
num decrement
delta Configure service-group priority settings for
ports on dynamically created servers. The num
option sets the initial TTL for dynamically cre-
ated service-group members, and can be 1-16.
The delta option specifies how much to decre-
ment the TTL if the IP address is not included in
the DNS reply, and can be 0-7. When configuring
the service group, add the port template to the
member.
[no] extended-
stats Enables collection of SLB peak connection sta-
tistics for the port.
[no] ha-
priority-cost
weight [ha-
group group-id] Enables HA priority changes based on the health
status of the port.
The weight option specifies the amount to sub-
tract from the HA group’s priority value, if this
server or port’s health status changes to Down.
You can specify 1-255. The HA group ID can be
1-31. If you do not specify an HA group ID, the
weight applies to all HA groups.
[no] health-
check
[monitor-name] Enables health monitoring of ports that use this
template. The monitor-name specifies the name
of a configured health monitor.

slb template port
[no] inband-
health-check
[retry maximum-
retries]
[reassign
maximum-
reassigns] Supplements the standard Layer 4 health checks
by using client-server traffic to check the health
of service ports.
retry maximum-retries – Each client-server ses-
sion has its own retry counter. The ACOS device
increments a session’s retry counter each time a
SYN ACK is late. If the retry counter exceeds the
configured maximum number of retries allowed,
the ACOS device sends the next SYN for the ses-
sion to a different server. The ACOS device also
resets the retry counter to 0. You can set the retry
counter to 0-7 retries.
reassign maximum-reassigns – Each real port
has its own reassign counter. Each time the retry
counter for any session is exceeded, the ACOS
device increments the reassign counter for the
server port. If the reassign counter exceeds the
configured maximum number of reassignments
allowed, the ACOS device marks the port down.
In this case, the port remains down until the next
time the port successfully passes a standard
health check. Once the port passes a standard
health check, the ACOS device starts using the
port again and resets the reassign counter to 0.
You can set the reassign counter to 0-255 reas-
signments. The default is 25 reassignments.
Note: A10 Networks recommends that you continue to use standard Layer 4
health monitoring even if you enable in-band health monitoring. Without
standard health monitoring, a server port marked down by an in-band
health check remains down.
[no] no-ssl Disables SSL for server-side connections. This
command is useful if a server-SSL template is
bound to the virtual port that uses this real port,
and you want to disable encryption on this real
port.
Encryption is disabled by default, but it is ena-
bled for server-side connections when the real

slb template port
port is used by a virtual port that is bound to a

server-SSL template.
Using the double-negative form of the command
(no no-ssl) enables SSL for server-side connec-
tions.
[no] request-
rate-limit num
[per {100ms |
second} [reset]
[no-logging]] Limits the number of new requests that can be
received by the virtual port.
num – Maximum number of new connection
requests allowed per the interval specified below.
per {100ms | second} – Interval for the
rate. Up to num new connection requests are
allowed per one-tenth second (100-ms) or per
one second.
reset – Sends a RST to a client that sends a
new request during an interval in which the
request rate has been exceeded. By default,
requests that are received after the limit is
exceeded are dropped with no RST.
no-logging – Disables logging for this fea-
ture.
Note: In the current release, this command

applies only to configurations that use an exter-
nal-service template.
[no] slow-start
[from starting-
conn-limit]
[times scale-
factor | add
conn-incr]
[every
interval]
[till ending-
conn-limit] Provides time for real ports that use the template
to ramp-up after TCP/UDP service is enabled, by
temporarily limiting the number of new connec-
tions on the ports.
from starting-conn-limit – Maximum number of
concurrent connections to allow on the service

slb template port
port after it first comes up. You can specify from

1-4095 concurrent connections. The default is
128.
times scale-factor | add conn-incr – Amount by
which to increase the maximum number of con-
current connections allowed. You can use one of
the following methods to specify the increment:
times scale-factor – The scale factor is the
number by which to multiply the starting
connection limit. For example, if the scale
factor is 2 and the starting connection limit is
128, the ACOS device increases the connec-
tion limit to 256 after the first ramp-up inter-
val. The scale factor can be 2-10. The default
is 2.
add conn-incr – As an alternative to specify-
ing a scale factor, you can instead specify
how many more concurrent connections to
allow. You can specify 1-4095 new connec-
tions.
every interval – Number of seconds between
each increase of the number of concurrent con-
nections allowed. For example, if the ramp-up
interval is 10 seconds, the number of concurrent
connections to allow is increased every 10 sec-
onds. The ramp-up interval can be 1-60 seconds.
The default is 10 seconds.
till ending-conn-limit – Maximum number of
concurrent connections to allow during the final
ramp-up interval. After the final ramp-up inter-
val, the slow start is over and does not limit fur-
ther connections to the server. You can specify
from 1-65535 connections. The default is 4096.
Note: If a normal runtime connection limit is also configured (for example, by

the conn-limit command), and the normal connection limit is smaller than
the slow-start ending connection limit, the ACOS device limits slow-start
connections to the maximum allowed by the normal connection limit.
Note: The initial ramp-up interval can be any duration from 0 up to the config-
ured interval (10 seconds by default). After the initial ramp up, each sub-
sequent ramp-up occurs at the end of the configured interval.

slb template port
source-nat
pool-name Specifies the IP NAT pool to use for assigning
source IP addresses to client traffic sent to ports
that use this template. When the ACOS device
performs NAT for a port that is bound to the tem-
plate, the device selects an IP address from the
pool.
stats-data-
disable |
stats-data-
enable Disables or enables statistical data collection for
the port.
[no] weight
number Specifies the load-balancing preference for ports
that use this template. You can specify 1-100. A
higher weight gives more favor to the server and
port relative to the other servers and ports.
Default is 1.
This option applies only to the service-
weighted-least-connection load-balancing
method. This option does not apply to the
weighted-least-connection or weighted-round-
robin load-balancing methods.
Default The ACOS device has a default real port template, called “default”. The
default port template has the same default settings as the individual parame-
ters you can configure in the template. Here are the defaults:
• conn-limit – 8000000 (8 million)
• conn-rate-limit – Not set; when enabled, the default sampling rate is

per 1-sec.
• dest-nat – Not set
• down-grace-period – Please contact A10 Networks.
• dscp – Not set
• dynamic-member-priority – Priority 16 and delta 0
• extended-stats – Not set
• ha-priority-cost – Not set

slb template port
• health-check – If you omit this command or you enter it without the

monitor-name option, the default TCP or UDP health monitor is used:
• TCP – Every 30 seconds, the ACOS device sends a connection
request (TCP SYN) to the specified TCP port on the server. The port
passes the health check if the server replies to the ACOS device by
sending a TCP SYN ACK.
• UDP – Every 30 seconds, the ACOS device sends a packet with a
valid UDP header and a garbage payload to the UDP port. The port
passes the health check if the server either does not reply, or replies
with any type of packet except an ICMP Error message.
• inband-health-check – Disabled. When enabled, the feature has the fol-
lowing defaults: maximum-retries – 2; maximum-reassigns – 25.
• no-ssl – Enabled
• request-rate-limit – Please contact A10 Networks.
• slow-start – Not set
• source-nat – Not set
• stats-data-disable/stats-data-enable – Enabled
• weight – 1
Note: In addition to configuring custom port templates, you can modify the
default port template.
Caution: Before changing a default template, make sure the changes you plan
to make are applicable to all virtual ports that use the template.
Usage The normal form of this command creates a real port template. The “no”
You can bind only one real port template to a real port. However, you can
bind the real port template to multiple real ports.
Some of the parameters that can be set using a template can also be set or
changed on the individual port.
• If a parameter is set (or changed from its default) in both a template and
on the individual port, the setting on the individual port takes prece-
dence.
• If a parameter is set (or changed from its default) in a template but is not
set or changed from its default on the individual port, the setting in the
template takes precedence.

slb template server
If you change the connection limiting configuration on a virtual port or vir-

tual server that has active sessions, or in a virtual-port or virtual-server tem-
plate bound to the virtual server or virtual port, the current connection
counter for the virtual port or server in show command output and in the
GUI may become incorrect. To avoid this, do not change the connection
limiting configuration until the virtual server or port does not have any
active connections.
Example The following commands configure a real port template named “common-
rpsettings”, enable slow-start in the template, and bind the template to a real
port:
ACOS(config)#slb template port common-rpsettings
ACOS(config-rport)#slow-start from 256
ACOS(config-rport)#exit
ACOS(config-real server-node port)#template port common-rpsettings
slb template server

Syntax [no] slb template server template-name
real server template, where the following commands are available.
Command Description
[no] conn-limit
max-connections
[resume
connections]
allowed on real servers that use this template.
0-8000000.
The resume connections option specifies
the maximum number of connections the server
can have before the ACOS device resumes use of

slb template server
the server. You can specify 1-1048575 connec-

tions.
feature.
[no] conn-rate-
limit
connections
[per {100ms |
1sec}]
device is allowed to send to servers that use this
template. When a real server reaches its connec-
tion limit, the ACOS device stops selecting the
server for client requests.
allowed on a server. You can specify 1-1048575
connections.
intervals or 100-ms intervals.
feature.
[no] dns-query-
interval
minutes Specifies how often the ACOS device sends
DNS queries for the IP addresses of dynamic real
servers. You can specify 1-1440 minutes (one
day).
[no] dynamic-
server-prefix
string Specifies the prefix added to the front of dynami-
cally created servers. You can specify a string of
1-3 characters.
[no] extended-
stats Enables collection of peak connection statistics
for a server.
[no] ha-
priority-cost
weight [ha-
group group-id] Enables HA priority changes based on the health
status of the server.

slb template server

The ha-group group-id option specifies
the HA group from which to subtract the weight.
If you do not specify an HA group ID, the weight
is subtracted from all HA groups.
[no] health-
check
[monitor-name] Enables health monitoring of ports that use this
template. The monitor-name specifies the name
of a configured health monitor.
If you omit this command or you enter it without
the monitor-name option, the default ICMP
health monitor is used: an ICMP ping (echo
request) is sent every 30 seconds. If the ping fails
2 times consecutively, the ACOS device sets the
server state to DOWN.
[no] log-
selection-
failure Enables real-time logging for server-selection
failures.
[no] max-
dynamic-server
num Specifies the maximum number of dynamic real
servers that can be created for a given hostname.
[no] min-ttl-
ratio num Specifies the minimum initial value for the TTL
of dynamic real servers. The ACOS device mul-
tiplies this value by the DNS query interval to
calculate the minimum TTL value to assign to
the dynamically created server. The min-ttl-ratio
can be 1-15.
[no] slow-start
[from starting-
conn-limit]
[times scale-
factor | add
conn-incr]
[every
interval]
[till ending-
conn-limit] Provides time for real ports that use the template
to ramp-up after TCP/UDP service is enabled, by

slb template server
temporarily limiting the number of new connec-

tions on the ports.
from starting-conn-limit – Maximum number of
concurrent connections to allow on the server
after it first comes up. You can specify from 1-
4095 concurrent connections. The default is 128.
times scale-factor | add conn-incr – Amount by
which to increase the maximum number of con-
current connections allowed. You can use one of
the following methods to specify the increment:
times scale-factor – The scale factor is the
number by which to multiply the starting
connection limit. For example, if the scale
factor is 2 and the starting connection limit is
128, the ACOS device increases the connec-
tion limit to 256 after the first ramp-up inter-
val. The scale factor can be 2-10. The default
is 2.
add conn-incr – As an alternative to specify-
ing a scale factor, you can instead specify
how many more concurrent connections to
allow. You can specify 1-4095 new connec-
tions.
every interval – Number of seconds between
each increase of the number of concurrent con-
nections allowed. For example, if the ramp-up
interval is 10 seconds, the number of concurrent
connections to allow is increased every 10 sec-
onds. The ramp-up interval can be 1-60 seconds.
The default is 10 seconds.
till ending-conn-limit – Maximum number of
concurrent connections to allow during the final
ramp-up interval. After the final ramp-up inter-
val, the slow start is over and does not limit fur-
ther connections to the server. You can specify
from 1-65535 connections. The default is 4096.
Note: If a normal runtime connection limit is also configured on the server (for
example, by the conn-limit command), and the normal connection limit is
smaller than the slow-start ending connection limit, the ACOS device lim-
its slow-start connections to the maximum allowed by the normal connec-
tion limit.

slb template server
[no] spoofing
cache Enables support for a spoofing cache server. A
spoofing cache server uses the client’s IP address
instead of its own as the source address when
obtaining content requested by the client.
[no] stats-
data-disable/
stats-data-
enable Enables or disables collection of statistical data
for the server.
[no] weight num Assigns an administrative weight to the server,
for weighted load balancing.
The num parameter is the administrative weight
assigned to the server. You can specify 1-100.
Default The ACOS device has a default real server template, called “default”. The
default server template has the same default settings as the individual
parameters you can configure in the template. Here are the defaults:

per 1-sec.
• dns-query-interval – 10 minutes
• dynamic-server-prefix – DRS (for “Dynamic Real Servers”)
• extended-stats – Disabled
• ha-priority-cost – None
• health-check – If you omit this command or you enter it without the

monitor-name option, the default ICMP health monitor is used. An
ICMP ping (echo request), sent every 30 seconds. If the ping fails 2
times consecutively, the ACOS device sets the server state to DOWN.
• log-selection-failure – disabled
• max-dynamic-server – 255
• min-ttl-ratio – 2
• slow-start – Not set
• spoofing cache – Disabled
• stats-data-disable/stats-data-enable – Enabled
• weight – 1

slb template server
Note: In addition to configuring custom server templates, you can modify the
default server template.
Usage The normal form of this command creates a real server template. The “no”
You can bind only one real server template to a real server. However, you
can bind the real server template to multiple real servers.
changed on the individual server.
on the individual server, the setting on the individual server takes prece-
dence.
set or changed from its default on the individual server, the setting in the
template takes precedence.

active connections.
Example The following commands configure a real server template called “rs-
tmplt1” and bind the template to two real servers:
ACOS(config)#slb template server rs-tmplt1
ACOS(config-rserver)#health-check ping2
ACOS(config-rserver)#conn-limit 500000
ACOS(config-rserver)#exit
ACOS(config-real server)#template server rs-tmplt1

slb template server-ssl
Example The following commands configure hostname server parameters in a server

port template and a server template:
ACOS(config)#slb template port temp-port
ACOS(config-rport)#dynamic-member-priority 12
ACOS(config-rport)#exit
ACOS(config)#slb template server temp-server
ACOS(config-rserver)#dns-query-interval 5
ACOS(config-rserver)#min-ttl-ratio 3
ACOS(config-rserver)#max-dynamic-server 16

Description Configure the ACOS device to validate real servers based on their certifi-
cates.
Syntax [no] slb template server-ssl template-name
server-SSL template, where the following commands are available.
Command Description
[no] ca-cert
certificate-
name Name of the CA certificate. A server-SSL tem-
plate can have multiple CA-signed certificates.
Support for multiple certificates is required for
SSL Intercept, and may also be useful in other
deployments that use server-SSL templates.
You can add the CA certificates to the server-
SSL template in either of the following ways:
~ As separate files (one for each certificate)
~ As a single file containing multiple certificates

Note: In the current release, import of certifi-

cates from a PKCS #7 file is not supported. Con-
sequently, CA certificate files exported from IE
version 6 or 7 are not supported, since those
browser versions can export the certificates only
in PKCS #7 format. IE version 9 can export the
certificates in PFX format as well as PKCS #7
format.
[no] cert
cert-name Specifies the name of the certificate to use for
terminating or initiating an SSL connection. The
certificate must be installed on the ACOS device.
[no] cipher Specifies the cipher suite to support for certifi-
cates from servers:
SSL3_RSA_DES_192_CBC3_SHA
SSL3_RSA_RC4_128_MD5
SSL3_RSA_RC4_128_SHA
SSL3_RSA_RC4_40_MD5
TLS1_RSA_EXPORT1024_RC4_56_MD5
[no] close-
notify Enables support for close notification
(close_notify) alerts. When this option is
enabled, the ACOS device sends a close_notify
message when an SSL transaction ends, before
sending a FIN. This behavior is required by cer-
tain types of applications, including PHP cgi.
Note: The close notification option may not work if connection reuse is also
configured on the same virtual port. In this case, when the server sends a
FIN to the ACOS device, the ACOS device will not send a FIN followed
by a close notification. Instead, the ACOS device will send a RST.
[no] forward-
proxy-enable Enable SSL Intercept support.

[no] key
key-name
[passphrase
passphrase-
string] Specifies the key for the certificate, and the pass-
phrase used to encrypt the key.
[no] server-
certificate-
error options Specifies the ACOS response if there is a server
certificate error.
email – Sends an email.
ignore – Ignores the error and allows the traf-
fic.
logging – Generates a log message.
trap – Generates an SNMP trap.
[no] session-
cache-size
entries Sets the maximum number of session-ID entries,
0-8000000. If you set the size to 0, caching is dis-
abled.
[no] session-
cache-timeout
seconds Sets the maximum number of seconds a cache
entry can remain unused before being removed
from the cache, 1-7200 seconds. The default is
7200 seconds. Cache entries age according to the
ticket age time. The age time is not reset when a
cache entry is used. After a client’s SSL ticket
expires, they must complete an SSL handshake
in order to set up the next secure session with
ACOS.
[no] session-
ticket-enable Enables stateless SSL session ticketing.
[no] version
{30 | 31 | 32 |
33} Specifies the security version:
30 – Secure Sockets Layer (SSL) v3.0
31 – Transport Layer Security (TLS) v1.0
32 – TLS v1.1
33 – TLS v1.2

Default The configuration does not have a default server-side SSL template. If you
create one, it has the following default options:
• ca-cert – Not set
• cert – Not set
• cipher – All enabled
• close-notify – Disabled
• forward-proxy-enable – Disabled
• key – Not set
• server-certificate-error – Not set (connection refused with no notifica-

tion)
• session-cache-size – Not set
• session-cache-timeout – 7200 seconds
• session-ticket-enable – Disabled
• template – Not set
• version – 31
Usage The normal form of this command creates a server-SSL configuration tem-
plate.
To import a certificate (and key, if applicable), use the import or slb ssl-
load command. They are equivalent. (See “import” on page 76 or “slb ssl-
load” on page 572.)
You can bind only one server-SSL template to a virtual port. However, you
can bind the same server-SSL template to multiple ports.
If you replace a certificate and key in a server-SSL template, you must

unbind the template from the virtual ports that use it, then rebind the tem-
plate to the virtual ports, to place the change into effect.
If you add, remove, or replace a certificate in a server-SSL template that is

already bound to a VIP, the ACOS device does not use the changes. To
change the certificates in a server-SSL template, unbind the template from
the VIP and delete the template. Configure a new template with the changed
certificates and bind the new template to the VIP.

slb template sip (SIP over UDP)
The close-notify option can not be used along with the TCP-proxy template
force-delete-timeout option. Doing so may cause unexpected behavior.

Description Configure separate load balancing of Session Initiation Protocol (SIP) regis-
tration traffic and non-registration traffic for SIP clients.
Note: Except for the timeout command, none of the commands in this section
are applicable to SIP over TCP/TLS. To configure a template for SIP over
TCP/TLS, see “slb template sip (SIP over TCP/TLS)” on page 668.
Syntax [no] slb template sip template-name
SIP template, where the following commands are available:
Command Description
[no] alg-dest-
nat Translates the VIP address into the real server IP
address in SIP messages, when destination NAT
is used. Disabled by default.
[no] alg-
source-nat Translates source IP address in to the NAT IP
address in SIP messages, when source NAT is
used. Disabled by default.
Note: The status of ALG support does not affect address translation at the IP
layer. Address translation at the IP layer is still performed, if applicable,
even if ALG support is disabled.
Note: In releases earlier than 2.6.0 that support SIP load balancing, ALG sup-
port is automatically enabled for SIP load balancing. In 2.6.1-P1 and later,
SIP ALG support is available only if you enable it.
[no] client-
request-header
erase
header-name
[all] Erases the specified header. If you specify all, all
instances are erased. Otherwise, only the first
instance is erased.

[no] client-
request-header
insert
field:value
[insert-always
| insert-if-
not-exist] Inserts the specified header into requests. The
field:value pair indicates the header field name
and the value to insert.
Use a colon between the header name and the
value. To use a blank space between the header
name and the value, use double quotation marks.
Examples:
header-insert Max-Forwards:15
header-insert “Max-Forwards: 15”
insert-always – Always inserts the
field:value pair. If the request already contains a
header with the same field name, the new
field:value pair is added after the existing
field:value pair. Existing headers are not
replaced.
insert-if-not-exist – Inserts the header
only if the request does not already contain a
header with the same field name.
Without either option, if a request already con-
name, the command replaces the last header.
[no] client-
response-header
erase
header-name
instance is erased.
[no] client-
response-header
insert
field:value
[insert-always
| insert-if-
not-exist] Inserts the specified header into responses. The

and the value to insert. The options are the same

as those for client-request-header insert.
[no] client-
response-header
erase
header-name
instance is erased.
[no] keep-real-
server-ip-if-
match-acl acl-
id Disables reverse NAT based on the IP addresses
in an extended ACL. This command is useful in
cases where a SIP server needs to reach another
server, and the traffic must pass through the
ACOS device.
[no] registrar
service-group
group-name Specifies the name of a service group of SIP
Registrar servers.
[no] server-
request-header
erase
header-name
instance is erased.
[no] server-
request-header
insert
field:value
[insert-always
| insert-if-
not-exist] Inserts the specified header into requests. The

[no] server-
response-header
erase
header-name
instance is erased.
[no] server-
response-header
insert
field:value
[insert-always
| insert-if-
not-exist] Inserts the specified header into responses. The
[no] timeout
minutes Specifies the number of minutes a call can
remain idle before the A10 Thunder Series and
AX Series terminates it. You can specify 1-250
minutes.
Default The configuration does not have a default SIP over UDP template. If you
create one, the default timeout is 30 minutes. The other parameters are unset
by default.
Usage The normal form of this command creates a SIP configuration template. The
You can bind only one SIP template to a virtual port. However, you can bind
the same SIP template to multiple ports.
In the current release, the header-erase, header-insert, and header-

replace options apply to both traffic directions, client-to-server and server-
to-client traffic.
Example The following commands configure a SIP template named

“Registrar_template”:
ACOS(config)#slb template sip Registrar_template
ACOS(config-SIP LB template)#registrar service-group Registrar_gp
ACOS(config-SIP LB template)#header-replace Max-Forwards 15
ACOS(config-SIP LB template)#header-erase Contact

slb template sip (SIP over TCP/TLS)

Description Configure separate load balancing of Session Initiation Protocol (SIP) regis-
tration traffic and non-registration traffic for SIP over TCP/TLS.
Note: Except for the timeout command, none of the commands in this section
are applicable to SIP over UDP. To configure a template for SIP over
UDP, see “slb template sip (SIP over UDP)” on page 664.
Syntax [no] slb template sip template-name
SIP template, where the following commands are available:
Command Description
[no] alg-dest-
nat Enables SIP ALG support for the destination IP
address. Disabled by default.
[no] alg-
source-nat Enables SIP ALG support for the source IP
address. Disabled by default.
Note: The status of ALG support does not affect address translation at the IP
layer. Address translation at the IP layer is still performed, if applicable,
even if ALG support is disabled.
In releases earlier than 2.6.0 that support SIP load balancing, ALG sup-
port is automatically enabled for SIP load balancing. In 2.6.1-P1 and later,
SIP ALG support is available only if you enable it.
[no] call-id-
persist Enables call-ID persistence.
[no] client-
keep-alive Enables the ACOS device to respond to SIP
pings from clients on behalf of SIP servers.
When this option is enabled, the ACOS device
responds to a SIP ping from a client with a
“pong”. This option is disabled by default.
Note: If connection reuse is configured, even if client keepalive is disabled, the

ACOS device will respond to a client SIP ping with a pong.

[no] exclude-
translation
{body |
header string |
start-line} Disables translation of the virtual IP address and
virtual port in specific portions of SIP messages:
body – Does not translate virtual IP addresses
and virtual ports in the body of the message.
header string – Does not translate virtual IP
addresses and virtual ports in the specified
header.
start-line – Does not translate virtual IP
addresses and virtual ports in the SIP request line
or status line.
Note: Regardless of the settings for this option, the ACOS device never trans-
lates addresses in “Call-ID” or “X-Forwarded-For” headers.
[no] insert-
client-ip Inserts an “X-Forwarded-For: IP-address:port”
header into SIP packets from the client to the SIP
server. The header contains the client IP address
and source protocol port number. The ACOS
device uses the header to identify the client when
forwarding a server reply. This option is disabled
by default.
[no] failed-
client-
selection
{string | drop} Specifies the AX response when selection of a
SIP client fails. You can specify one of the fol-
lowing:
string – Message string to send to the server; for
example: “480 Temporarily Unavailable”. If the
message string contains a blank, use double quo-
tation marks around the string.
drop – Drops the traffic.
Note: This option is applicable only if the configuration includes a connection-

reuse template.

[no] failed-
server-
selection
{string | drop} Specifies the AX response when selection of a
SIP server fails. You can specify one of the fol-
lowing:
string – Message string to send to the client; for
example: “504 Server Time-out”. If the message
string contains a blank, use double quotation
marks around the string.
drop – Drops the traffic.
[no] keep-real-
server-ip-if-
match-acl acl-
id This option uses the real server’s IP for addresses
that match the ACL for a call ID.
[no] server-
keep-alive
seconds For configurations that use a connection-reuse
template, this option specifies how often the
ACOS device sends a SIP ping on each persistent
connection. The ACOS device silently drops the
server’s reply.
If the server does not reply to a SIP ping within
the connection-reuse timeout, the ACOS device
closes the persistent connection. (The connec-
tion-reuse timeout is configured by the timeout
command at the configuration level for the con-
nection-reuse template. See “slb template con-
nection-reuse” on page 594.)
[no] server-
selection-per-
request Forces the ACOS device to perform the server
selection process anew for every SIP request.
Without this option, the ACOS device reselects
the same server for subsequent requests (assum-
ing the same server group is used), unless over-
ridden by other template options.
This option applies to SIP-TCP and SIPS virtual
ports. The option is unnecessary for SIP over
UDP. Strict transaction switching is automati-
cally used for SIP over UDP.

[no] timeout
minutes Specifies the number of minutes a SIP session
can remain idle before the ACOS device termi-
nates it. You can specify 1-250 minutes.
Default The configuration does not have a default SIP over TCP/TLS template. If
you create one, the template has the following default settings, for the
parameters that are applicable to SIP over TCP/TLS:
• call-id-persist – Enabled
• client-keep-alive – Disabled
• exclude-translation – Not set. The ACOS device does not translate

addresses in any header except the top Via header.
• insert-client-ip – Disabled
• failed-client-selection – Not set. The ACOS device resets the connec-

tion.
• failed-server-selection – Not set. The ACOS device resets the connec-
tion.
• keep-real-server-ip-if-match-acl – Disabled
• server-keep-alive – Disabled
• failed-server-selection – Not set. The ACOS device resets the connec-

tion.
• server-selection-per-request – Disabled
• timeout – 30
Usage The normal form of this command creates a SIP configuration template. The
You can bind only one SIP template to a virtual port. However, you can bind
the same SIP template to multiple ports.
Example The following commands configure a SIP over TCP/TLS template:

ACOS(config)#slb template sip siptls-tmplt
ACOS(config-SIP LB template)#insert-client-ip
ACOS(config-SIP LB template)#client-keep-alive
ACOS(config-SIP LB template)#failed-client-selection "480 Temporarily
Unavailable"
ACOS(config-SIP LB template)#failed-server-selection "504 Server Time-out"
ACOS(config-SIP LB template)#exclude-translation header Authentication

slb template smpp
slb template smpp

Description Configure a template for Short Message Peer-to-Peer (SMPP 3.3) protocol
load balancing.
Syntax [no] slb template smpp template-name
template-name Name of the template, 1-31 characters long.
SMPP template, where the following commands are available.
Command Description
[no] client-
enquire-link If enabled, ACOS replies to clients directly with
an ENQUIRE_LINK message. The
ENQUIRE_LINK message prevents the client
connection from timing out and serves the same
purpose as a keepalive message.
[no] server-
enquire-link
interval Prevents reusable connections to the SMPP
server from aging out. When this option is
enabled, ACOS regularly sends an
ENQUIRE_LINK message to the SMPP server
to maintain the client-to-server connection. For
interval, set the number of seconds at which the
keepalive message is sent. You can set the inter-
val to 5-300 seconds. The default is 30 seconds.
[no] server-
selection-per-
request Forces the ACOS to perform the server selection
process for every SMPP request. Without this
option, the ACOS device reselects the same
server for subsequent requests (assuming the
same server group is used), unless overridden by
other template options.
[no] user name
password string Sets a username and password which the ACOS
device will use to authenticate SMPP clients.

slb template smtp
Default The configuration does not have a default SMPP template.
Usage The normal form of this command creates an SMPP template. The “no”
The server-selection-per-request option works only in con-

junction with connection-reuse template. In addition, this option requires
that a username-password pair is configured in the SMPP template, so that
ACOS can immediately authenticate SMPP clients for every instance of
server selection.
If you configure a user name password string, you must config-

ure the same username-password pair for all SMPP clients and servers. Oth-
erwise, the ACOS device will never open a TCP connection between the
clients and servers.
slb template smtp

Description Configure STARTTLS support for Simple Mail Transfer Protocol (SMTP)
clients.
Syntax [no] slb template smtp template-name
SMTP template, where the following commands are available.

slb template smtp
Command Description
[no] client-
domain-
switching
{starts-with |
contains |
ends-with}
string
service-group
group-name Selects a service group based on the domain of
the client. You can specify all or part of the client
domain name. This command is applicable when
you have multiple SMTP service groups.
starts-with string – matches only if the
client’s domain name starts with string.
contains string – matches if the string
appears anywhere within the domain name of the
client.
ends-with string – matches only if the cli-
ent’s domain name ends with string.
[no] command-
disable [vrfy]
[expn] [turn] Disables support of the specified SMTP com-
mands. If a client tries to issue a disabled SMTP
command, the AX sends the following message
to the client: “502 - Command not implemented”
If you enter this command without specifying a
command name, all the listed SMTP commands
(VRFY, EXPN, and TURN) are disabled.
[no] server-
domain name Specifies the email server domain. This is the
domain for which the ACOS device provides
SMTP load balancing.
[no] service-
ready-message
string Specifies the text of the SMTP service-ready
message sent to clients. The complete message
sent to the client is constructed as follows: 200 -
smtp-domain service-ready-string
200 - smtp-domain service-ready-string

slb template smtp
starttls
{disable |
optional |
enforced} Specifies whether use of STARTTLS by clients
is required:
disable – Clients cannot use STARTTLS.
Use this option if you need to disable START-
TLS support but you do not want to remove the
configuration.
optional – Clients can use STARTTLS but
are not required to do so.
enforced – Before any mail transactions are
allowed, the client must issue the STARTTLS
command to establish a secured session. If the
client does not issue the STARTTLS command,
the AX sends the following message to the client:
"530 - Must issue a STARTTLS command first”
Default The configuration has a default SMTP template, with the following settings:
• client-domain-switching – Not set. All client domains match, and any
service group can be used.
• command-disable – VRFY, EXPN, and TURN are enabled.
• server-domain – “mail-server-domain”
• service-ready-message – "ESMTP mail service ready"
• starttls – disabled
To display the default SMTP template settings, use the show slb template
smtp default command.
Usage The normal form of this command creates an SMTP template. The “no”
You can bind only one SMTP template to a virtual port. However, you can
bind the same SMTP template to multiple ports.
The starts-with, contains, and ends-with options are always applied in the
following order, regardless of the order in which the commands appear in
the configuration. The service group for the first match is used.
• starts-with
• contains
• ends-with

slb template smtp
If a template has more than one command with the same option (starts-
with, contains, or ends-with) and a client domain matches on more than
one of them, the most-specific match is always used.
If a contains rule and an ends-with rule match on exactly the same string,
the ends-with rule is used, because it has the more specific match. Here is
an example of a set of client-domain-switching rules in an SMTP template.
The numbers to the right indicate the precedence of the rules when match-
ing on client domain name “localhost”. In this case, the last rule is the best
match and will be used.
client-domain-switching contains localhost service-group sg-a (4)
client-domain-switching contains local service-group sg-b (5)
client-domain-switching ends-with host service-group sg-c (6)
client-domain-switching ends-with localhost service-group sg-d (3)
client-domain-switching starts-with local service-group sg-e (2)
client-domain-switching starts-with localhost service-group sg-f (1)
Example The following commands configure an SMTP template named “secure-

mail”. The template enforces use of STARTTLS by mail clients, disables
client use of certain SMTP commands, and directs clients to a service group
based on client domain.
ACOS(config)#slb template smtp secure-mail
ACOS(config-SMTP template)#starttls enforced
ACOS(config-SMTP template)#command-disable expn turn vrfy
ACOS(config-SMTP template)#client-domain-switching contains hq service-group
smtp-sg1
ACOS(config-SMTP template)#client-domain-switching contains northdakota ser-
vice-group smtp-sg2
Example The following commands configure an SMTP template called “smtp-

domain”. The template uses client domain switching to select a service
group based on the email client’s domain. Clients from any domain that
starts with “smb” are sent to service group “smtp-sg1”. Clients whose
domain name does not start with “smb” and whose domain name contains
“company1” are sent to service group “smtp-sg2”. Clients whose domain
name does not match on the starts-with or contains strings and ends with
“.com” are sent to service group “smtp-sg3”.
ACOS(config)#slb template smtp smtp-domain
ACOS(config-SMTP template)#client-domain-switching starts-with smb service-
group smtp-sg1
ACOS(config-SMTP template)#client-domain-switching contains company1 service-
group smtp-sg2
ACOS(config-SMTP template)#client-domain-switching ends-with .com service-
group smtp-sg3

slb template streaming-media
slb template streaming-media

Description Configure load balancing of multimedia content.
Syntax [no] slb template streaming-media template-name
streaming-media template, where the following commands are available.
Command Description
[no] uri-
switching
stream
uri-string
service-group
group-name Specifies the service group to which to send
requests for the URI.
Note: This option is supported only for Windows Media Server.
Default The configuration does not have a default streaming-media template.
If the URI string in a request does not match any uri-switching stream
commands in the template, by default the request is sent to the service group
that is bound to the virtual port.
Usage The normal form of this command creates a streaming-media template. The
You can bind only one streaming-media template to a virtual port. However,
you can bind the same streaming-media template to multiple ports.
Example The following command creates a streaming-media template named

“media1”:
ACOS(config)#slb template streaming-media media1
ACOS(config-Streaming-media-template)#

slb template tcp
slb template tcp

Description Configure TCP connection settings.
Syntax [no] slb template tcp template-name
TCP template, where the following commands are available.
Command Description
[no] force-
delete-timeout
seconds
[alive-if-
active] Specifies the maximum number of seconds a ses-
sion can remain active, and forces deletion of any
session that is still active after the specified num-
ber of seconds.
This option is useful for small, fast transactions
for which the completion time of sessions is
guaranteed. When used in combination with the
reset-fwd and reset-rev options, the force-
delete-timeout option can help clean up user
connections with RSTs instead of allowing the
connections to hang.
The timeout can be 1-31 seconds.
The alive-if-active option quickly terminates
half-open TCP sessions on the virtual port while
allowing active sessions to continue without
being terminated.
[no] force-
delete-timeout-
100ms 100-ms-
units Specifies the maximum number of milliseconds a
session can remain active, and forces deletion of
any session that is still active after the specified
number of milliseconds. The timeout can be 1-31
milliseconds.

slb template tcp
[no] half-
close-idle-
timeout seconds Enables aging of half-closed TCP sessions. A
half-closed TCP session is a session in which the
server sends a FIN but the client does not reply
with an ACK. You can set the timeout to
60-15000 seconds.
[no] idle-
timeout seconds Specifies the number of seconds a connection
nates it. You can specify 1-2097151 seconds
(about 24 days).
[no] initial-
window-size
bytes Sets the initial TCP window size in SYN ACK
packets to clients. The TCP window size in a
SYN ACK or ACK packet specifies the amount
of data that a client can send before it needs to
receive an ACK. You can set the initial TCP win-
dow size to 1-65535 bytes.
The initial TCP window size applies only to the
SYN ACKs sent to the client. After the SYN
ACK, the ACOS device does not modify the
TCP window size for any other packets in the
session.
[no] insert-
client-ip Places the client IP address into a TCP option
field of type 0x1c, with a length of 6 bytes.
[no] lan-fast-
ack Increases performance of bidirectional peer ses-
sions by acknowledging receipt of data on behalf
of clients and servers.
[no] qos Marks the DSCP (Layer 3) and 802.1p priority
(Layer 2) values in client-server SLB traffic. You
can set a value between 1 to 63. Based on the
value you specify, ACOS marks the traffic as fol-
lows:
Layer 3 marking – ACOS sets the The Diffserv

Control Point (DSCP) value in the IP header to
value you specify.
Layer 2 marking – ACOS sets the 802.1p value

in the MAC header to the value you specify,
divided by 9

slb template tcp
[no] reset-fwd Sends a TCP RST to the real server after a ses-
sion times out.
[no] reset-rev Sends a TCP RST to the client after a session
times out.
Note: If the server is Down, the reset-rev option immediately sends the RST to
the client and does not wait for the session to time out.
Default The configuration has a default TCP template, with the following default
settings:
• force-delete-timeout – Not set
• half-close-idle-timeout – Not set. The ACOS device keeps half-closed

sessions open indefinitely.
• idle-timeout – 120 seconds
• initial-window-size – By default, the ACOS device uses the TCP win-

dow size set by the client or server.
The initial TCP window size applies to SYN ACKs generated by the
ACOS device and sent to clients. By default, the ACOS device uses the
TCP window size in the client’s SYN.
Note: If SYN cookies are enabled, either globally or on the virtual service port,
the ACOS device acts as a TCP proxy even though the service type is not
normally proxied. In this case, the behavior is the same as for any of the
other service types TCP proxied by the ACOS device.
• lan-fast-ack – Disabled
• reset-fwd – Disabled
• reset-rev – Disabled
Note: In addition to configuring custom TCP templates, you can modify the
default TCP template.
Usage The normal form of this command creates a TCP configuration template.
You can bind only one TCP template to a virtual port. However, you can
bind the same TCP template to multiple ports.

slb template tcp-proxy
In AX releases prior to 2.2.2, the reset-rev option sent a RST to a client if a

server selection failure occurred. In AX Release 2.2.2 and later, the reset-
rev option does not send an RST if a server selection failure occurs. Instead,
use the reset-on-server-selection-fail option at the configuration level for
the service group or virtual port.
The force-delete-timeout option can not be used along with the client-SSL
or server-SSL template close-notify option. Doing so may cause unex-
pected behavior.
Example The following commands change the idle timeout in TCP template “tcp-
tmpl2” to 120 seconds:
ACOS(config)#slb template tcp tcp-tmpl2
ACOS(config-L4 TCP LB template)#idle-timeout 120
Example The following commands configure a TCP template named “test” that sets
the TCP window size to 1460 bytes, and bind the template to virtual service
port 22 on virtual server vs1:
ACOS(config)#slb template tcp test
ACOS(config-L4 TCP LB template)#initial-window-size 1460
ACOS(config-L4 TCP LB template)#exit
ACOS(config-slb virtual server-slb virtua...)#template tcp test
Example The following commands configure a TCP template that quickly terminates
half-open sessions while allowing active sessions to continue.
ACOS(config)#slb template tcp halfopen-tcp
ACOS(config-l4 tcp)#force-delete-timeout 3 alive-if-active
ACOS(config-l4 tcp)#reset-fwd
ACOS(config-l4 tcp)#reset-rev

Description Configure TCP/IP stack parameters.
Syntax [no] slb template tcp-proxy template-name
TCP-proxy template, where the following commands are available.

Command Description
[no] ack-
aggressiveness
{high |
medium | low} Specifies the cases in which the ACOS device
sends an ACK to the client. You can set ACK
aggressiveness to one of the following levels:
high – ACK for each packet
medium – Delayed ACK, with ACK on each
packet with PUSH flag
low – Delayed ACK
A high ACK aggressiveness helps reduce the
delay of interactive client-server applications,
but at a cost of more ACKs.
[no] backend-
wscale num Specifies the TCP window scaling factor for
backend connections to servers. You can specify
1-14.
The TCP window scaling factor is applicable to
virtual ports for which the ACOS device acts as a
TCP proxy.
The TCP window scaling factor is used to calcu-
late the TCP receive window, which is the maxi-
mum amount of data (in bytes) the receiver on a
TCP connection will buffer. The sender is not
allowed to send more than this amount of data
before receiving an acknowledgement that the
data has arrived.
[no] dynamic-
buffer-
allocation Contact A10 Networks for information.
[no] fin-
timeout seconds Specifies the number of seconds that a connec-
tion can be in the FIN-WAIT or CLOSING state
before the ACOS device terminates the connec-
tion. You can specify 1-60 seconds.

[no] force-
delete-timeout
seconds Specifies the maximum number of seconds a ses-
sion can remain active, and forces deletion of any
session that is still active after the specified num-
ber of seconds.
This option is useful for small, fast transactions
for which the completion time of sessions is
guaranteed. When used in combination with the
reset-fwd and reset-rev options, the force-
delete-timeout option can help clean up user
connections with RSTs instead of allowing the
connections to hang.
The timeout can be 1-31 seconds.
The alive-if-active option quickly terminates
half-open TCP sessions on the virtual port while
allowing active sessions to continue without
being terminated.
[no] force-
delete-timeout-
100ms 100-ms-
units Specifies the maximum number of milliseconds a
session can remain active, and forces deletion of
any session that is still active after the specified
number of milliseconds.
The timeout can be 1-31 milliseconds.
[no] half-
close-idle-
timeout seconds Enables aging of half-closed TCP sessions. A
half-closed TCP session is a session in which the
server sends a FIN but the client does not reply
with an ACK. You can set the timeout to
60-15000 seconds.
[no] idle-
timeout seconds Specifies the number of minutes that a connec-
tion can be idle before the ACOS device termi-
nates the connection. You can specify 1-2097151
seconds (about 24 days).
[no] init-cwnd
num Specifies the maximum number of unacknowl-
edged packets that can be sent on a TCP connec-
tion. You can specify 1-10.

A large initial congestion-control window size

helps reduce HTTP response latency, especially
for short web pages.
[no] initial-
window-size
bytes Sets the initial TCP window size in SYN ACK
packets to clients. The TCP window size in a
SYN ACK or ACK packet specifies the amount
of data that a client can send before it needs to
receive an ACK. You can set the initial TCP win-
dow size to 1-65535 bytes.
The initial TCP window size applies only to the
SYN ACKs sent to the client. After the SYN
ACK, the ACOS device does not modify the
TCP window size for any other packets in the
session.
[no] keepalive-
interval
seconds Number of seconds a TCP-proxy session can
remain idle before the ACOS device sends a TCP
ACK to the devices on both ends of the session.
[no] keepalive-
probes num Maximum number of times the ACOS device
sends a keepalive ACK, before deleting the ses-
sion. You can specify 2-10 probes.
[no] mss octets Change the minimum supported TCP Maximum
Segment Size (MSS). You can specify 128-4312
octets.
[no] nagle Enables Nagle congestion compression
(described in RFC 896).
lows:

value you specify.

divided by 9

[no] receive-
buffer number Specifies the maximum number of bytes
addressed to the port that the A10 Thunder Series
and AX Series will buffer. You can specify 1-
2147483647 bytes.
[no] reno Enables the TCP Reno congestion control algo-
rithm, and disables Cubic.
[no] reset-fwd Sends a TCP RST to the real server after a ses-
sion times out.
[no] reno-rev Sends a TCP RST to the client after a session
times out.
[no]
retransmit-
retries number Specifies the maximum number of times the
ACOS device can retransmit a data segment for
which the ACOS device does not receive an
ACK. You can specify 1-20.
[no] syn-
retries number Specifies the maximum number of times the
ACOS device can retransmit a SYN for which
the A10 Thunder Series and AX Series does not
receive an ACK. You can specify 1-20.
[no] timewait
number Specifies the number of seconds that a connec-
tion can be in the TIME-WAIT state before the
ACOS device transitions it to the CLOSED state.
[no] transmit-
buffer number Specifies the maximum number of bytes sent by
the port that the ACOS device will buffer. You
Default The configuration has a default TCP template, with the following default
settings:
• ack-aggressiveness – low
• backend-wscale – 1
• fin-timeout – 5 seconds
• force-delete-timeout – Not set
• half-close-idle-timeout – Not set. The ACOS device keeps half-closed

sessions open indefinitely.

• init-cwnd – 4 segments
• initial-window-size – By default, the ACOS device uses the TCP win-

dow size set by the client or server.
• If the virtual port is one of the service types that is proxied by the
ACOS device, initial TCP window size applies to SYN ACKs gen-
erated by the ACOS device and sent to clients. By default, the
ACOS device uses the TCP window size in the client’s SYN. The
following service types are proxied by the ACOS device: http, https,
fast-http, ssl-proxy, and smtp
• If the virtual port is not one of the service types that is proxied by
the ACOS device (for example, the tcp service type), initial TCP
window size applies to SYN ACKs generated by servers and for-
warded by the ACOS device to clients. By default, the ACOS
device uses the TCP window size in the server’s SYN ACK.
Note: If SYN cookies are enabled, either globally or on the virtual service port,
the ACOS device acts as a TCP proxy even though the service type is not
normally proxied. In this case, the behavior is the same as for any of the
other service types TCP proxied by the ACOS device.
• keepalive-interval – 75 seconds
• keepalive-probes – 9
• mss – 538
• nagle – disabled
• receive-buffer – 51200 bytes
• reno – disabled. Cubic is used instead.
• retransmit-retries – 3
• syn-retries – 5
• timewait – 5 seconds
• transmit-buffer – 51200 bytes
Note: In addition to configuring custom TCP-proxy templates, you can modify

the default TCP-proxy template.
Usage The normal form of this command creates a TCP-proxy configuration tem-

You can bind only one TCP-proxy template to a virtual port. However, you
can bind the same TCP-proxy template to multiple ports.
The keepalive feature, which for TCP-proxy templates, periodically verifies

that a TCP-proxy session is still up on both ends of the session. The keepal-
ive feature uses keepalive interval to establish the number of seconds a
TCP-proxy session can remain idle before the ACOS device sends a TCP
ACK to the devices on both ends of the session, and the keepalive probe
count allows you to set the maximum number of times the ACOS device
sends a keepalive ACK, before deleting the session.
The ACOS device sends the first keepalive ACK if a session remains idle
for the duration of the keepalive interval:
• If both devices respond with an ACK before the next keepalive interval
expires, the ACOS device resets the keepalive time to 0. This starts a
new keepalive interval.
• If either device does not respond with an ACK before the next keepalive
interval expires, the action taken by the ACOS device depends on the
setting of the keepalive probe count.
• Keepalive probe count set to value greater than 1 – The ACOS
device sends another ACK to each device.
• If both devices respond, the ACOS device resets the keepalive
time to 0, to begin a new keepalive interval.
• If either device does not respond, the ACOS device sends
another ACK to each device. This action can be repeated up to
the configured maximum number of probes (the probe count).
• Keepalive probe count set to 1 – The ACOS device does not send
new probe ACKs. Instead, the ACOS device deletes the session.
Relation of Keepalive to Idle-timeout

The keepalive and idle-timeout options work independently of one another.
By default, the keepalive interval is shorter than the idle timeout. In this
case, keepalive probes are triggered before the idle timeout expires.
• If both devices respond with an ACK before either of the following
occurs, the keepalive interval time and the idle time are both reset to 0.
• Idle timeout expires – If this occurs, the session is deleted, even if
the maximum number of keepalive probes have not been sent.
• Maximum number of keepalive probes are sent, but at least one of
the devices still does not respond – In this case, the session is
deleted even if the idle timeout has not expired.

slb template udp
If you change the keepalive or idle-timeout settings so that the idle timeout
is shorter than the keepalive interval, the keepalive mechanism is never trig-
gered. The idle timeout always expires first, causing the session to be
deleted. No keepalive probes are ever sent.
Example The following commands create a TCP-proxy template named “ftp-proxy”

and set the idle timeout to 240 minutes:
ACOS(config)#slb template tcp-proxy ftp-proxy
ACOS(config-TCP proxy template)#idle-timeout 240
slb template udp

Description Configure UDP connection settings.
Syntax [no] slb template udp template-name
UDP template, where the following commands are available.
Command Description
aging
{immediate |
short
[seconds]} Specifies how quickly sessions are terminated
when the request is received.
immediate
short
(See “Usage” below.)
Note: It is recommended to explicitly set the aging in UDP templates used for
DNS virtual ports.
[no] idle-
timeout seconds Specifies the number of seconds a connection
nates it. You can specify 1-2097151 seconds
(about 24 days).

slb template udp
Note: The maximum idle timeout supported for

TFTP virtual ports is 255 minutes.
lows:

value you specify.

divided by 9
[no] re-select-
if-server-down Configures the ACOS device to select another
real server if the server that is bound to an active
connection goes down. Without this option,
another server is not selected.
Default The configuration has a default UDP template. The template has the follow-
ing defaults:
• aging – See “Usage” below.
• re-select-if-server-down – disabled
Note: In addition to configuring custom UDP templates, you can modify the
default UDP template.
Usage The normal form of this command creates a UDP configuration template.
You can bind only one UDP template to a virtual port. However, you can
bind the same UDP template to multiple ports.

slb template virtual-port
UDP Session Aging

Table 4 describes UDP session aging in the current release and previous
releases.
Note: You can configure aging short or aging immediate, or leave aging unset.
Aging short and aging immediate can not both be enabled.
TABLE 4 UDP Session Aging

Aging
Configuration Aging Short Aging Immediate Not Set (Default)
• Response Received – • Response Received – • Response Received –
Session is terminated Session is terminated Behavior differs based on
within 1 second. within 1 second. port number:
• No Response – Session is • No Response – Idle time- • Port 53 (default DNS
terminated after config- out value in UDP template port) – Session is termi-
ured short aging period. is used. nated within 1 second.
Current
Release • Any other port number
– Session is terminated
after the idle timeout
expires.
• No Response – Idle time-
out value in UDP template
is used.
If you enable short aging, you can set the aging interval to 1-6 seconds. The
default short aging period is 3 seconds.
Example The following commands create a UDP template named “udp-quickterm”

and set session termination to occur immediately after a response is
received:
ACOS(config)#slb template udp udp-quickterm
ACOS(config-L4 UDP LB template)#aging immediate

Description Configure a template of SLB settings for virtual service ports.
Syntax [no] slb template virtual-port template-name
virtual port template, where the following commands are available.

Command Description
[no] aflow Enables aFlow control. aFlow helps avoid packet
drops and retransmissions when a real server port
reaches its configured connection limit.
When aFlow is enabled, the ACOS device
queues HTTP/HTTPS packets from clients when
a server port reaches a configured connection
limit, instead of dropping them. The ACOS
device then monitors the port, and begins for-
warding the queued packets when connections
become available again. To prevent flooding of
the port, the ACOS device forwards the queued
packets at a steady rate.
aFlow applies only to HTTP and HTTPS virtual
ports.
[no] allow-syn-
otherflags Contact A10 Networks for information.
[no] allow-vip-
to-rport-
mapping Enables the VIP to Real Port Mapping feature for
a subnet VIP.
Note: The virtual port template containing this
option must be bound to the VIP, and the VIP
itself must use a subnet for the last octet (e.g.
10.10.10.0 /24), or the feature will not work.
[no] conn-limit
max-connections
[reset]
allowed on virtual ports that use this template.
0-8000000.
The reset option specifies the action to take for
connections after the connection limit is reached
on the virtual server port. By default, excess con-
nections are dropped. If you change the action to
reset, the connections are reset instead. Excess

connections are dropped by default. The no-log-

ging option disables logging for the feature.
[no] conn-rate-
limit
connections
[per {100ms |
1sec}]
[reset]
device is allowed to send to virtual service ports
that use this template. When a virtual service port
reaches its connection limit, the ACOS device
stop selecting the port to serve client requests.
allowed on the virtual service port. You can spec-
ify 1-1048575 connections.
reset – Send a reset (RST) to a client after the
connection rate has been exceeded. By default
(without this option), the ACOS device silently
drops the request.
If you configure a limit for a virtual server and
also for an individual virtual service port, the
ACOS device uses the lower limit.
feature.
[no] dscp num Sets the Differentiated Services Code Point
(DSCP) value in client requests before forward-
ing them to the server. You can set the DSCP
value to 1-63.
[no] ignore-
tcp-msl Immediately reuse TCP sockets after session ter-
mination, without waiting for the SLB Maximum
Session Life (MSL) time to expire.
[no] reset-l7-
on-failover Resets a Layer 7 connection upon failover.
[no] reset-
unknown-conn Enables sending of a TCP Reset (RST) in
response to a session mismatch. A session mis-
match occurs when the ACOS device receives a

TCP packet for a TCP session that is not in the

active session table on the ACOS device. (For
more information, see the “TCP Reset Option for
Session Mismatch” section in the “Server and
Port Templates” chapter of the Application
Delivery and Server Load Balancing Guide.)
[no] snat-msl
seconds Set the Maximum Segment Life (MSL) for
source-NAT connections. This option is useful
for servers that have older TCP/IP stacks, which
wait up to 240 seconds (4 minutes) after a FIN
before the endpoint can enter a new connection.
You can set the MSL to 1-1800 seconds.
[no] snat-port-
preserve Attempts to preserve the client’s source port for
traffic destined for the virtual port.
Notes
~ Port preservation is not always guaranteed and
is performed on a best-effort basis.
~ Port preservation does not work for FTP active
mode sessions.
~ Port preservation works only if source NAT is
enabled for the virtual port.
~ For high availability, it is recommended to use
VRRP-A, instead of the older implementation
(HA).
Default The ACOS device has a default virtual port template, called “default”. The
default virtual port template has the same default settings as the individual
parameters you can configure in the template. Here are the defaults:
• aflow – disabled
• allow-vip-to-rport-mapping – disabled

per 1-sec.
• dscp – Not set
• ignore-tcp-msl – disabled
• reset-l7-on-failover – disabled
• reset-unknown-conn – disabled

• snat-msl – Not set
• snat-port-preserve – disabled
Note: In addition to configuring custom virtual-port templates, you can modify

the default virtual-port template.
Usage The normal form of this command creates a virtual service port template.
You can bind only one virtual service port template to a virtual service port.
However, you can bind the virtual service port template to multiple virtual
service ports.
changed on the individual virtual port.
on the individual virtual port, the setting on the individual virtual port
takes precedence.
set or changed from its default on the individual virtual port, the setting
in the template takes precedence.

active connections.
aFlow Operation
aFlow control is triggered when either of the following occurs:
• If connection limit is configured on the real server or real port – The
backend real server or real port reaches its configured connection limit.
• If connection limit is not configured on the real server or real port – The
response time of the backend real server or real port increases dramati-
cally. The response time is the time between when the ACOS device for-
wards a request to the server, when the ACOS device receives the first
reply packet from the server.

When aFlow control is triggered, the ACOS device queues request packets
instead of forwarding them to the server. After the response time returns to
normal, the ACOS device sends the queued packets to the server.
Note: In the current release, it is recommended to use the first method for trig-
gering aFlow, by configuring connection limits on the real servers or real
ports. The second method of triggering aFlow is still being refined and is
considered to be in Beta status.
Example The following commands configure a virtual service port template named
“common-vpsettings”, set the connection limit, and bind the template to a
virtual port:
ACOS(config)#slb template virtual-port common-vpsettings
ACOS(config-Virtual port template)#conn-limit 500000
ACOS(config-Virtual port template)#exit
ACOS(config-slb vserver)#port 80 http
ACOS(config-slb vserver-vport)#template virtual-port common-vpsettings
Example The following commands create real servers “s1” at 5.5.5.1 (with a real port
range of 10), real server “s2” at 5.5.5.2 (with a range of 25), and real server
“s3” at 5.5.5.3 (which does not have a range configured and will not be used
for this feature). These real servers are then bound to a service group “sg1”,
which is in turn, bound to a VIP (“vip3”) at 10.10.10.0 /24. A virtual port
template “vport1” is created, and the allow-vip-to-rport-map option is
used, and the template is bound to the “vip3.
ACOS(config-real server)#port 80 tcp range 10
ACOS(config-real server)#port 80 tcp range 25
ACOS(config)#slb service-group sg1 tcp

ACOS(config-slb svc group)#member s1:80
ACOS(config-slb svc group)#exit
ACOS(config-slb vserver-vport)#template virtual-port vport1

ACOS(config-slb vserver-vport)#allow-vip-to-rport-map

slb template virtual-server
ACOS(config)#slb virtual-server vip3 10.10.10.0 /24

ACOS(config-slb vserver)#port 80 tcp
ACOS(config-slb vserver-vport)#service-group sg1
ACOS(config-slb vserver-vport)#exit

ACOS(config-slb vserver-vport)#exit

Description Configure a template of SLB settings for virtual servers.
Syntax [no] slb template virtual-server template-name
virtual server template, where the following commands are available.
Command Description
[no] conn-limit
max-connections
[reset]
allowed on virtual servers that use this template.
0-8000000.
The reset option specifies the action to take for
connections after the connection limit is reached
on the virtual server. By default, excess connec-
tions are dropped. If you change the action to

reset, the connections are reset instead. Excess

connections are dropped by default.
feature.
[no] conn-rate-
limit
connections
[per {100ms |
1sec}]
[reset]
device is allowed to send to servers that use this
template. When a real server reaches its connec-
tion limit, the ACOS device stop selecting the
server for client requests.
allowed on a server. You can specify 1-1048575
connections.
reset – Send a reset (RST) to a client after the
connection rate has been exceeded. By default
(without this option), the ACOS device silently
drops the request.
If you configure a limit for a server and also for
an individual port, the ACOS device uses the
lower limit.
feature.
[no]
icmp-rate-limit
normal-rate
lockup max-rate
lockup-time Configures ICMP (v4) rate limiting for the vir-
tual server, to protect against denial-of-service
(DoS) attacks.
normal-rate – Maximum number of ICMP pack-
ets allowed per second. If the virtual server


lockup max-rate – Maximum number of ICMP
packets allowed per second before the ACOS
device locks up ICMP traffic to the virtual server.
When ICMP traffic is locked up, all ICMP pack-
ets are dropped until the lockup expires. The
maximum rate can be 1-65535 packets per sec-
ond. The maximum rate must be larger than the
normal rate.
lockup-time – Number of seconds for which the
ACOS device drops all ICM6 traffic to the vir-
tual server, after the maximum rate is exceeded.
The lockup time can be 1-16383 seconds.
[no]
icmpv6-rate-
limit
normal-rate
lockup max-rate
lockup-time Configures ICMPv6 rate limiting for the virtual
server, to protect against denial-of-service (DoS)
attacks.
normal-rate – Maximum number of ICMPv6
packets allowed per second. If the virtual server
lockup max-rate – Maximum number of
ICMPv6 packets allowed per second before the
ACOS device locks up ICMPv6 traffic to the vir-
tual server. When ICMPv6 traffic is locked up,
all ICMPv6 packets are dropped until the lockup
expires. The maximum rate can be 1-65535
packets per second. The maximum rate must be
larger than the normal rate.
lockup-time – Number of seconds for which the
ACOS device drops all ICMPv6 traffic to the vir-
tual server, after the maximum rate is exceeded.
The lockup time can be 1-16383 seconds.
[no] subnet-
gratuitous-arp Enables gratuitous ARPs for all VIPs in subnet
VIPs. A subnet VIP is a range of VIPs created
from a range of IP addresses within a subnet.

Note: This option applies only to VIPs that are created using a range of subnet
IP addresses. The option has no effect on VIPs created with a single IP
address.
Default The ACOS device has a default virtual server template, called “default”.
The default virtual server template has the same default settings as the indi-
vidual parameters you can configure in the template. Here are the defaults:

per 1-sec.
• icmp-rate-limit – Not set. If you enable it, specifying a maximum rate
(lockup rate) and lockup time is optional. If you do not specify them,
lockup does not occur.
• icmpv6-rate-limit – Not set. If you enable it, specifying a maximum
rate (lockup rate) and lockup time is optional. If you do not specify
them, lockup does not occur.
• subnet-gratuitous-arp – Disabled. The ACOS device sends gratuitous
ARPs for only the first IP address in a subnet VIP.
Note: In addition to configuring custom virtual-server templates, you can mod-

ify the default virtual-server template.
Usage The normal form of this command creates a virtual server template. The
You can bind only one virtual server template to a virtual server. However,
you can bind the virtual server template to multiple virtual servers.
changed on the individual virtual server.
on the individual virtual server, the setting on the individual virtual
server takes precedence.
set or changed from its default on the individual virtual server, the set-
ting in the template takes precedence.

slb template waf

active connections.
Example The following commands configure a virtual server template called “vs-
tmplt1” that sets ICMP rate limiting and bind the template to a virtual
server:
ACOS(config)#slb template virtual-server vs-tmplt1
ACOS(config-vserver)#icmp-rate-limit 25000 lock 30000 60
ACOS(config-vserver)#exit
ACOS(config-slb virtual server)#template virtual-server vs-tmplt1
slb template waf

Description Configure parameters for a Web Application Firewall (WAF) template. See
the Web Application Firewall Guide.

alternate
Config Commands: SLB Servers
This chapter describes the commands for configuring SLB servers.
To access this configuration level, enter the slb server server-name com-
mand at the global Config level.
To display configured servers, use the show slb server command.
Note: The commands in this chapter apply to real servers, not to virtual servers.
To configure virtual servers, see “Config Commands: SLB Virtual Serv-
ers” on page 735.
alternate
Description Assign an alternate server as a dedicated backup for a primary server.
Syntax [no] alternate sequence-num server-name
sequence-num Priority of the server as a backup. You can spec-
ify 1-16.
server-name Name of the alternate server.
Default Not set

conn-limit
Mode Real server
Usage You can assign up to 16 alternate servers to a primary server. Only 1 alter-
nate server for a given primary server can be active at a time.
This feature places an alternate server into service only if the primary server
goes down. Other features such as connection limiting or connection-rate
limiting can not cause an alternate server to be used.
Do not add alternate servers to the service group.
For more information, see the “Alternate Servers for Server-specific

Backup” chapter in the Application Delivery and Server Load Balancing
Guide.
conn-limit
Description Specify the maximum number of concurrent connections allowed on a real
server.
Syntax [no] conn-limit max-connections
max-connections Maximum number of concurrent connections
allowed on the server. You can specify
1-8000000 (eight million).
Default 8000000
Mode Real server
Usage If you set a connection limit, A10 Networks recommends that you also set
the conn-resume interval. (See “conn-resume” on page 703.)
You also can set the connection limit on individual protocol ports. In this
case, the limit specified for the port overrides the limit set at the server
level.
Example The following command sets the connection limit to 10,000:

ACOS(config-real server)#conn-limit 10000

conn-resume
conn-resume
Description Specify the maximum number of connections the server can have before the
ACOS device resumes use of the server. Use does not resume until the num-
ber of connections reaches the configured maximum or less.
Syntax [no] conn-resume connections
connections Maximum number of connections the server can
have before the ACOS device resumes use of the
server. You can specify 1-1000000 (1 million)
connections.
Default By default, this option is not set. The ACOS device is allowed to start send-
ing new connection requests to the server as soon as the number of connec-
tions on the server falls back below the connection limit threshold set by the
conn-limit command.
Mode Real server
Usage You also can set the conn-resume value on individual protocol ports. In this
case, the value specified for the port overrides the value set at the server
level.
Example The following command sets the conn-resume option to 500,000 connec-
tions:
ACOS(config-real server)#conn-resume 500000
disable
Description Disable a real server.
Syntax [no] disable
Default Enabled
Mode Real server
Example The following commands disable a server named “rs123”:

ACOS(config)#slb server rs123
ACOS(config-real server)#disable

enable
enable
Description Re-enable a real server.
Syntax [no] enable
Default Enabled
Mode Real server
Example The following commands re-enable a disabled server named “rs123”:

ACOS(config-real server)#enable
extended-stats
Description Enable collection of peak connection statistics for a server.
Default Disabled
Mode Real server
external-ip
Description Assign an external Network Address Translation (NAT) IP address to the
server. The external IP address allows a server that has an internal IP
address to be reached from outside the internal network.
Syntax [no] external-ip ipaddr
Default None
Mode Real server
Example The following commands configure external IP address 192.168.10.11 on

real server “rs123”:
ACOS(config-real server)#external-ip 192.168.10.11

fire-wall
fire-wall
Description Used when configuring the ALG FWLB feature to inform the ACOS device
that a real server configuration is actually a firewall and not a real server.
Syntax fire-wall
Default Disabled
Mode Real server
Usage The ACOS device can be configured to provide load balancing for Applica-
tion Level Gateway (ALG) protocols, such as FTP and SIP, across a firewall
deployment.
The ALG FWLB Firewall Load Balancing (FWLB) feature enables the
ACOS device to properly load balance complex ALG protocols, which can
have multiple connections, through a firewall, without breaking session per-
sistence.
When configuring the ACOS device for ALG FWLB, the fire-wall
command is used at the SLB server configuration level to inform the ACOS
device that the real server configuration is actually for a firewall node. This
option allows the ACOS device to learn the MAC address of this firewall.
ha-priority-cost
Description Enable HA priority changes based on the health status of the server.
Syntax [no] ha-priority-cost weight [ha-group group-id]
weight Specifies the amount to subtract from the HA
group’s priority value, if this server or port’s
health status changes to Down. You can specify
1-255.
ha-group
group-id Specifies the HA group from which to subtract
the weight. If you do not specify an HA group
ID, the weight is subtracted from all HA groups.
Default None

health-check
Mode Real server
Usage If the server or port’s status changes back to Up, the weight value is added
back to the HA group’s priority value.
If the HA priority of a group falls below the priority of the same group on
the other ACOS device, HA failover can be triggered.
• The lowest HA priority value a server or port can have is 1.
• If HA weights for an HA group are assigned to both the server and an

individual port, and both health checks are unsuccessful, only the server
weight is subtracted from the HA group’s priority.
• For failover to occur due to HA priority changes, the HA pre-emption
option must be enabled.
health-check
Description Enable health monitoring for a server.
Syntax [no] health-check [monitor-name]
monitor-name Name of a configured health monitor.
the monitor-name option, the default ICMP
health monitor is used. (See below.)
Default ICMP ping (echo request), sent every 5 seconds. If the ping fails 4 times
consecutively (the first attempt followed by 3 retries), the ACOS device sets
the server state to DOWN.
Mode Real server
Usage Entering the command at this level enables Layer 3 health checking. The
monitor you specify must use the ICMP method.
Example The following command sets a server to use the “RUthere” health monitor:
ACOS(config-real server)#health-check RUthere

ipv6
ipv6
Description Assign an IPv6 address to the real server for GSLB.
Syntax [no] ipv6 ipv6-addr
Default None
Mode Real server
port
Description Configure a TCP or UDP port on a server.
Syntax [no] port port-num {tcp | udp} [range num]
port-num Protocol port number, 0-65534.
Note: Port number 0 is a wildcard port used for
IP protocol load balancing. (For more informa-
tion, see the “IP Protocol Load Balancing” chap-
ter of the Application Delivery and Server Load
Balancing Guide.)
tcp | udp Protocol type.
range num Specifies the range of real ports you want to cre-
ate within the real server configuration. This
value can range from 0-254.
Note: The port number (port-num) specified will

be the base number for the range of real ports.
port, where the following port-related commands are available:
Command Description
[no] alternate
sequence-num
server-name
port portnum Configure an alternate port for the primary port.
The sequence-num and server-name can be 1-16.
(For more information, see “Dedicated Backups

port
for Real Server Ports” in the Application Deliv-

ery and Server Load Balancing Guide.)
[no]
authentication-
server profile-
name Binds an authentication-server profile to the port.
Note: This option applies to Application Access

Management (AAM).
[no] conn-limit
max-connections Specifies the maximum number of concurrent
connections allowed on the server for this port,
0-8000000 (eight million). The default is
8000000.
[no] conn-
resume
connections Specifies the maximum number of connections
the service port can have before the ACOS
device resumes use of the port. Use does not
resume until the number of connections reaches
the configured maximum or less. You can specify
1-1000000 (1 million) connections.
By default, this option is not set. The ACOS
device is allowed to start sending new connection
requests to the service port as soon as the number
of connections on the port falls back below the
connection limit threshold set by the conn-limit
command.
[no] disable Disables the port.
[no] enable Re-enables the port.
[no] extended-
stats Enables collection of SLB peak connection sta-
tistics for the port.
[no] ha-
priority-cost
weight
[ha-group
group-id] Enable HA priority changes based on the health
status of the port.
You can specify 1-255. The HA group ID can be

port
1-31. If you do not specify an HA group ID, the

weight applies to all HA groups. By default, this
option is not set. (For more information, see
“Usage” under “ha-priority-cost” on page 705.)
[no] health-
check
[monitor-name]
[follow-port
port-num] Enables health monitoring of the port. The moni-
tor-name specifies the name of a configured
health monitor.
the monitor-name option, the default TCP or
UDP health monitor is used:
TCP – Every 5 seconds, the ACOS device
sends a connection request (TCP SYN) to
the specified TCP port on the server. The
port passes the health check if the server
replies to the ACOS device by sending a
TCP SYN ACK.
UDP – Every 5 seconds, the ACOS device
sends a packet with a valid UDP header and
a garbage payload to the UDP port. The port
passes the health check if the server either
does not reply, or replies with any type of
packet except an ICMP Error message.
The follow-port port-num option specifies
another real port upon which to base this port’s
health status. Both the real port and the port to
use for the real port’s health status must be the
same type, TCP or UDP. By default, this option
is not set.
[no] no-ssl Disables SSL for server-side connections. This
command is useful if a server-SSL template is
bound to the virtual port that uses this real port,
and you want to disable encryption on this real
port.
Encryption is disabled by default, but it is ena-
bled for server-side connections when the real
port is used by a virtual port that is bound to a
server-SSL template.
Using the double-negative form of the command
(no no-ssl) enables SSL for server-side connec-
tions.

port
[no] service-
principal-name
string [...] Specifies the Kerberos principal name of this
server port. This is the ACOS client name pre-
sented to the application server.
Note: This option applies to Application Access

Management (AAM).
stats-data-
disable |
stats-data-
enable Disable or enable statistical data collection for
the port.
[no] template
{port template-
name | server-
ssl template-
name} The port option binds a port template to the port.
The parameter settings in the template are
applied to the port.
The real port template named “default” is bound
to real ports by default. The parameter settings in
the default real port template are automatically
applied to the port, unless you bind a different
real port template to the port.
If a parameter is set individually on this port and
also is set in a port template bound to this port,
the individual setting on this port is used instead
of the setting in the template.
To configure a port template, see “slb template
port” on page 646.
The server-ssl option binds a server-side SSL
template to the port. The parameter settings in
the template are applied to the port. This may be
useful in cases where the real servers load bal-
anced by a VIP have different SSL settings.
[no] weight
number Specifies the load-balancing preference for this
port, 1-100. A higher weight gives more favor to
this server for this port relative to the other serv-
ers. Default is 1.
This option applies only to the
service-weighted-least-connection load-balanc-
ing method.

slow-start
Default No ports are configured by default. The defaults for the command options
are described with the options, above. Statistical data collection of load-bal-
ancing resources is enabled by default.
Mode Real server
The “no” form of this command resets the port’s connection limit, health
monitoring, or weight to its default value. To collect statistical data for a
load-balancing resource, statistical data collection also must be enabled
globally. (See “stats-data-enable” on page 231.)
Usage Include the range option for each real server that will be included in the ser-
vice group, but only if you want that real server to be included in the map-
ping feature. The service group can be “mixed”. That is, some real servers
within a service group can have the range option set, but it is not mandatory
for all servers in a service group to be configured for “VIP to real port map-
ping”.
Example The following commands configure server “terap” and add TCP port 69 to
the server. The health-check command is not entered, so by default the
ACOS device will check the service port’s health by sending a connection
request to 69 on terap every 30 seconds.
ACOS(config)#slb server terap 10.2.4.69
ACOS(config-real server-node port)#
Example The following commands bind the server-SSL template directly to TCP port
80 on the real server at IP 10.8.8.8:
ACOS(config-real server-node port)#template server-ssl server-ssl1
slow-start
Description Enable slow-start for a server. Slow start allows time for a server to ramp up
after the server is enabled or comes online, by temporarily limiting the num-
ber of new connections on the server.
Note: It is recommended to configure this feature in the real server template or

real port template instead. See the “Behavior When Slow Start Is Also
Configured on the Real Server Itself” section in the “Server and Port
Templates” chapter of the Application Delivery and Server Load Balanc-
ing Guide.

spoofing-cache
Syntax [no] slow-start
Default Disabled
Mode Real server
Usage Slow-start allows a maximum of 128 new connections during the first inter-
val (anywhere between 0 and 10 seconds). During each subsequent 10-sec-
ond interval, the total number of concurrent connections allowed to the
server is doubled. Thus, during the first 20 seconds, the server is allowed to
have a total of 256 concurrent connections. After 59 seconds, slow-start
ends the ramp-up and no longer limits the number of concurrent connec-
tions.
After the ramp-up period ends, the number of new connections is controlled
by the conn-limit setting. (See “conn-limit” on page 702 and the description
of conn-limit in “port” on page 707.)
Slow-start is also configurable in server and port templates. (See “slb tem-
plate server” on page 654 and “slb template port” on page 646.)
Example The following command enables slow-start:

ACOS(config-real server)#slow-start
spoofing-cache
Description Enable support for a spoofing cache server. A spoofing cache server uses
the client’s IP address instead of its own as the source address when obtain-
ing content requested by the client.
Syntax [no] spoofing-cache
Default Disabled
Mode Real server
Usage This command applies to the Transparent Cache Switching (TCS) feature.
For more information about TCS, including additional configuration
requirements and examples, see the “Transparent Cache Switching” chapter
in the Application Delivery and Server Load Balancing Guide.

stats-data-disable
Example The following commands configure a real server for a spoofing cache
server:
ACOS(config)#slb server cache-rs 110.110.110.10
ACOS(config-real server)#spoofing-cache
stats-data-disable
Description Disable collection of statistical data for the server.
Default Statistical data collection for load-balancing resources is enabled by default.
Mode Real server
stats-data-enable
Description Enable collection of statistical data for the server.
Mode Real server
Usage To collect statistical data for a load-balancing resource, statistical data col-
lection also must be enabled globally. (See “stats-data-enable” on
page 231.)
template server
Description Bind a a real server template to the server.
Syntax [no] template server template-name
Default The real server template named “default” is bound to servers by default. The
parameter settings in the default real server template are automatically
applied to the new server, unless you bind a different real server template to
the server.
Mode Real server

weight
Usage If a parameter is set individually on this server and also is set in a server
template bound to this server, the individual setting on this server is used
instead of the setting in the template.
To configure a real server template, see “slb template server” on page 654.
Example The following commands configure a real server template called “rs-
tmplt1” and bind the template to two real servers:
ACOS(config)#slb template server rs-tmplt1
ACOS(config-rserver)#health-check ping2
ACOS(config-rserver)#conn-limit 500000
weight
Description Assign an administrative weight to the server, for weighted load balancing.
Syntax [no] weight num
num Administrative weight assigned to the server.
Default 1
Mode Real server
Usage This parameter applies only to the weighted-least-connection and

weighted-rr (weighted round robin) load-balancing methods.
Example The following command assigns a weight of 20 to a server:

ACOS(config-real server)#weight 20

backup-server-event-log
Config Commands: SLB Service Groups
This chapter describes the commands for configuring SLB service groups.
To access this configuration level, enter the slb service-group group-name

{tcp | udp} command at the global Config level.
To display configured service groups, use the show slb service-group com-
mand.
Description Enable log messages to indicate when a backup service-group member is
placed into service or is removed from service.
Syntax [no] backup-server-event-log
Default Disabled
Mode Service group
A backup member is a member that has a lower priority than the primary
(highest priority) members of the same service group. The ACOS device
will not use a lower-priority member (backup server) unless high priority
members (primary servers) exceed their connection limits or connection-
rate limits, or are down.

The backup-server-event-log command generates a log message when a

backup service-group member is placed into service for either of the follow-
ing reasons:
• The connection limit on the primary servers or member ports is
exceeded.
• The primary servers or member ports go down.
Likewise, the command generates a log message when a backup service-

group member is removed from service, and a primary server is returned to
service for either of the following reasons:
• The primary server or member port’s connection-resume limit is
reached.
• The primary server or member port comes back up.
Generation of log messages for these events is rate-limited to once per min-
ute. The events described in a message occur at some point within the 60
seconds prior to the log message’s timestamp.
Note: By default, the backup servers are placed into service only when both pri-
mary servers exceed their connection limits or go down. You can use the
min-active-member command to allow secondary servers to be placed
into service even when some primary servers are still available. (See
“min-active-member” on page 726.)
SNMP Trap Requirements

To also generate SNMP notifications, the following SLB traps must be
enabled:
• slb server-conn-limit
• slb server-conn-resume
• slb service-conn-limit
• slb service-conn-resume
(See “snmp-server enable” on page 222.)
Log Message Examples

A message such as the following is generated when a backup member is
placed into service:
Enabled new connections on server rs-backup1 port 80 in sg1 group
In this example, member rs-backup1:80 in service group sg1 is placed into

service.

extended-stats
When the backup member is removed from service, a message such as one
of the following is generated:
Disabled new connections on backup server(s) on group sg1, resume primary
server rs1 port 80
Disabled new connections on backup server(s), resume primary server rs1 port 80
In the first message, the service group name is included. The service group
name is not included in the second message.
• If the primary server is a member of only one service group, or the ser-
vice group can otherwise be determined, the first message is used.
• If the primary server is a member of more than one service group, and
the service group can not be determined, the second message is used.
extended-stats
Description Enable collection of peak connection statistics for a service group.
Default Disabled
Mode Service group
health-check
Description Use a health monitor to check the health of all members of the service
group.
Syntax [no] health-check monitor-name
monitor-name Specifies the health monitor to use.
Default None
Mode Service group
Usage The health monitor is used to test the health of all members of the service
group, including any members that are added in the future.
Service group health status applies only within the context of the service
group. For example, a health check of the same port from another service

member
group can result in a different health status, depending on the resource

requested by the health check.
Health checks can be applied to the same resource (real server or port) at the
following levels:
• In a service group that contains the server and port as a member
• In a server or server port configuration template that is bound to the

server or port
• Directly on the individual server or port
In cases where health checks are applied at multiple levels, they have the
following priority:
1. Health check on real server
2. Health check on real server’s port
3. Health check on service group
If a health check at the real server level (1) fails, the corresponding real
server, real server port, and service group members are marked Down.
However, if a health check on the service group level (3) fails, only that ser-
vice group member in that service group is marked Down.
Example The following commands configure a health monitor and apply it to a ser-
vice group:
ACOS(config)#health monitor qrs
ACOS(config-health:monitor)#method http url GET /media-qrs/index.html
ACOS(config)#slb service-group qrs tcp
ACOS(config-slb svc group)#member media-rs:80
ACOS(config-slb svc group)#health-check qrs
member
Description Add a server to a service group.
Syntax [no] member server-name:portnum

[disable | enable]
[priority num]
[template template-name]
[stats-data-disable | stats-data-enable]

member
server-
name:portnum Real server name, and protocol port number on
the server.
disable |
enable Disables or re-enables the server and port, for
this service group only.
priority num Sets the preference for this server and port, 1-16.
The highest priority is 16.
template
template-name Binds a real port template to this member port.
Note: The port template option slow-start is not supported if the port template
is applied using this command.
stats-data-
disable Disable statistical data collection for the service-
group member.
Default There are no servers in a service group by default. When you add a server
and port to the service group, the default state is enabled and the default pri-
ority is 1. Statistical data collection of load-balancing resources is enabled
by default.
To configure a real port template, see “slb template port” on page 646.
Mode Service group
Usage The normal form of this command adds a configured server to the service
group. The “no” form of this command removes the server from the group.
If you disable or re-enable a port, the state change applies only to this ser-
vice group. The state of the port is unchanged in other service groups.
To collect statistical data for a load-balancing resource, statistical data col-

page 231.)
Example The following commands add servers “slaughterhouse5” and “catscradle”

to service group “vonnegut”:
ACOS(config)#slb service-group vonnegut
ACOS(config-slb service group)#member slaughterhouse5:80
ACOS(config-slb service group)#member catscradle:80

method
Example The following command adds a member server and port to a service group
and binds a real port template to the port:
ACOS(config-slb service group)#member rs1:80 template port rptmp1
method
Description Set the load-balancing method for a service group.
Syntax [no] method lb-method

[auto-switch
[
stateless-lb-method
{
conn-rate rate duration
[revert-rate revert-duration]
[grace-period seconds] [log] |
l4-session-usage percent duration
[revert-rate revert-duration]
[grace-period seconds] [log]
]
}
]
lb-method Load-balancing method:
dest-ip-hash – Calculates a hash value
based on the destination IP address and protocol
port of the client’s request.
dest-ip-only-hash – Calculates a hash
value based on only the destination IP address of
the client’s request.
fastest-response – Selects the server with
the fastest first data packet response time (after
three-way handshake) from end-user traffic
requests.
Note: The fastest-response method is not applicable in Direct Server Return

(DSR) deployments.
least-connection
[pseudo-round-robin] – Selects the
server that currently has the fewest connections.

method
Note: For this and the other least-connection methods, if there is a tie, the
default behavior is to select the port (among those tied) that has the lowest
number of request bytes plus response bytes. If there is still a tie, a port is
randomly selected from among the ones that are still tied.
To override this tie-breaker behavior, use the pseudo-round-robin
option. This option selects the server that has not been selected for the
longest time.
service-least-connection
[pseudo-round-robin] – Selects the
server port that currently has the fewest connec-
tions.
weighted-least-connection
[pseudo-round-robin] – Selects a server
based on a combination of the server’s adminis-
tratively assigned weight and the number of con-
nections on the server. (To assign a weight to a
server, see “weight” on page 714.)
service-weighted-least-connec-
tion [pseudo-round-robin] – Same as
weighted-least-connection, but per service. (To
assign a weight to a service, see “port” on
page 707. Use the weight option.)
src-ip-hash – Calculates a hash value based
on the source IP address and protocol port of the
client’s request.
src-ip-only-hash – Calculates a hash
value based on only the source IP address of the
client’s request.
least-request – Selects the real server port
for which the ACOS device is currently process-
ing the fewest HTTP requests. This method is
applicable to HTTP load balancing.
weighted-rr – Selects servers in rotation,
based on the servers’ administratively assigned
weights.
To use this method, you also need to assign
weights to the servers. (See “weight” on
page 714.) If the weight value is the same on
each server, this load-balancing method simply
selects the servers in rotation.
The weighted-rr method uses only the server
weight. Server port weight is not used. (Instead,

method
server port weight is used by the service-

weighted-least-connection method).
round-robin – Selects servers in simple rota-
tion.
round-robin-strict – Provides a more
exact round-robin method. The standard, default
round robin method is optimized for high perfor-
mance. Over time, this optimization can result in
a slight imbalance in server selection. Server
selection is still basically round robin, but over
time some servers may be selected slightly more
often than others.
Note: The following methods apply only to stateless SLB. (See “Usage” for
more information.)
stateless-src-ip-hash – Balances
server load based on a hash value calculated
using the source IP address and source TCP or
UDP port.
stateless-src-dst-ip-hash – Bal-
ances server load based on a hash value calcu-
lated using both the source and destination IP
addresses, and the source and destination TCP or
UDP ports.
stateless-dst-ip-hash – Balances
server load based on a hash value calculated
using the destination IP address and destination
TCP or UDP port.
stateless-per-pkt-round-robin –
Balances server load by sending each packet to a
different server, in rotation. This method is appli-
cable only for UDP DNS traffic.
stateless-src-ip-only-hash – Calcu-
lates a hash value based only on the source IP
address of the request, and selects a server based
on the hash value. Subsequently, all requests
from the same client address are sent to the same
server.
auto-switch
[options] You can configure the following options for this
feature.
The stateless-lb-method option specifies the
stateless load-balancing method to use if the traf-

method
fic reaches the configured threshold, and can be

~ stateless-dst-ip-hash
~ stateless-per-pkt-round-robin
~ stateless-src-dst-ip-hash
~ stateless-src-ip-hash
~ stateless-src-ip-only-hash
You can specify either of the following sets of
thresholds:
conn-rate rate duration – Rate of
new connection requests per second at which the
load balancing method is changed. The rate
applies collectively to all servers in the service
group. The threshold can be 1-1000000 connec-
tion requests per second.
l4-session-usage percent duration
– Percentage of the system-wide Layer 4 session
capacity that is currently in use. The threshold
can be 1-100 percent.
For each set of thresholds, you can specify the
following options:
revert-rate – (Optional) Rate to revert
to stateful method. You can specify
1-1000000 connections per second.
revert-duration – (Optional) Number
of seconds during which the specified revert
trigger must continue to occur before the ser-
vice group changes to stateful load balancing
again. You can specify 1-600 seconds.
grace-period seconds – (Optional)
Number of seconds the ACOS device contin-
ues to use the current load balancing method
for active sessions, before changing to the
other load balancing method. You can spec-
ify 1-600 seconds.
Note: The grace period applies only to ses-
sions that are active when the load balancing
change is triggered. The change applies
immediately to new sessions that begin after
the change is triggered.

method
log – Logs changes between stateful and

stateless load balancing that occur due to this
feature.
Default The default method is round-robin. The auto-switch options have the fol-
lowing defaults:
• conn-rate rate duration – None
• l4-session-usage rate duration – None
• revert-rate – None
• revert-duration – None
• grace-period seconds – None
• log – Disabled
Mode Service group
Usage The fastest-response method takes effect only if the traffic rate on the serv-
ers is at least 5 connections per second (per server). If the traffic rate is
lower, the first server in the service group usually is selected.
To set a server’s weight, see “weight” on page 714.
Stateless SLB
Stateless SLB conserves system resources by operating without session
table entries on the ACOS device. The stateless SLB methods are valid for
the following types of traffic:
• Traffic with very short-lived sessions, such as DNS
• Layer 2 Direct Server Return (DSR) traffic
• Other types of traffic that do not require features that use session-table
entries. (See list of limitations below.)
You can enable stateless SLB on an individual service-group basis, by

selecting a stateless SLB load-balancing method for the group.
Limitations
Stateless SLB is not valid for the following features or traffic types:
• Rate limiting
• ACLs
• IP source NAT
• HA session synchronization

method
• Application Layer Gateway (ALG)
• Layer 3 DSR
• SLB-PT
• aFleX
A given real server can be used in only one stateless SLB service group. A
real server that is in a stateless SLB service group can not be used in any
other service groups.
If the virtual port is on a wildcard VIP, destination NAT must be disabled on

the virtual port. To disable destination NAT, see “no-dest-nat” on page 754.
Graceful transitions between stateful and stateless SLB in a service group

are not supported.
Mega-proxies may interfere with equal balancing of traffic load among the
multiple data CPUs. In this case, for DNS traffic only, try using the state-
less-per-pkt-round-robin method.
Note: The stateless-per-pkt-round-robin method is applicable only for traffic

that uses a single packet for a request. Examples include DNS queries or
RADIUS requests without a Challenge-request/Response message used
for EAP.
Example The following example sets the load-balancing method for a service group
to least-connection:
ACOS(config-slb service group)#method least-connection
Example The following commands configure a stateless SLB service group for UDP
traffic:
ACOS(config)#slb service-group dns-stateless udp
ACOS(config-slb svc group)#member dns1:53
ACOS(config-slb svc group)#member dns2:53
ACOS(config-slb svc group)#method stateless-src-dst-ip-hash
Example The following commands configure a service group that uses the stateless-
per-pkt-round-robin stateless load-balancing method. This method is used if
the rate of new connection requests to the virtual port bound to the service
group reaches 80,000 connections per second, and remains at least this high
for 300 seconds.
ACOS(config)#slb service-group auto-stateless tcp
ACOS(config-slb svc group)#method weighted-rr auto-switch stateless-per-pkt-
round-robin conn-rate 80000 300 60000 300 grace-period 15 log

min-active-member
To return to using the stateful load-balancing method (weighted round-robin

in this example), the rate of new connection requests to the virtual port must
drop to 60,000 per second, and remain that low for at least 300 seconds.
Once this occurs, the ACOS device waits for and additional 15 seconds (the
grace period) before returning to use of stateful load balancing. Logging is
enabled.
Example In the following configuration, if Layer 4 session usage reaches 2 percent

and stays at least this high for 5 seconds, both service-group members begin
using the stateless-dst-ip-hash method. The ACOS device reverts back to
stateful load balancing when 1 percent or less is reached for 5 seconds.
slb service-group sg-auto1 tcp
method dst-ip-hash auto-switch stateless-dst-ip-hash l4-session-usage 2 5 1 5
member s1:80
member s2:80
slb service-group sg-auto tcp

method dst-ip-hash auto-switch stateless-dst-ip-hash l4-session-usage 2 5 1 5
member s3:80
member s4:80
min-active-member
Description Use backup servers even if some primary servers are still up.
Syntax [no] min-active-member num [skip-pri-set]
num Minimum number of primary servers that can
still be active (available), before the backup serv-
ers are used. You can specify 1-63. There is no
default.
skip-pri-set Specifies whether the remaining primary servers
continue to be used. If you use this option, the
ACOS device uses only the backup servers and
stops using any of the primary servers.
Default By default, the servers with the highest priority value are the primary serv-
ers. All other servers are backups only, and are used only if all the primary
servers are unavailable.
When you use this command, the skip-pri-set option is disabled by default.
Mode Service group

priority
Usage Primary and backup servers are designated based on member priority (set
with the member command). For example, if a service group contains real
servers with the following priority settings, real servers s1, s2, and s3 are the
primary servers. Real servers s4 and s5 are backup servers.
• s1 – priority 16
When the minimum number of active members (primary servers) comes

back up, the ACOS device immediately returns to using only the primary
servers.
Example The following commands add members with different priorities to a service
group, and configure promiscuous VIP to begin using backup servers if any
of the primary servers becomes unavailable:
ACOS(config)#slb service-group sg-prom tcp
ACOS(config-slb service group)#method least-connection
ACOS(config-slb service group)#member s1:80 priority 16
ACOS(config-slb service group)#min-active-member 1
priority
Description Configure the ACOS device to respond to the failure of service-group mem-
bers of a certain priority by taking a designated action, such as dropping the
request or sending a TCP reset back to the client.
Syntax priority num

[
drop |
drop-if-exceed-limit |
proceed |
reset |
reset-if-exceed-limit |
]

priority
num Priority of the port, ranging from 1-16. Higher-
priority nodes are preferred over nodes with
lower numbers. There is no default.
drop Drops the request if all nodes with this same pri-
ority fail for any reason.
drop-if-exceed
limit Drops the request if all nodes with this same pri-
ority fail, and if one or more nodes exceed the
configured connection limit or connection-rate-
limit.
proceed The ACOS device uses the node(s) with the next-
highest priority if all nodes with the currently-
selected priority fail (this is the default behavior).
reset Sends a reset to the client if all nodes with this
same priority fail for any reason.
reset-if-exceed
limit Sends a reset to the client if all nodes with this
same priority fail, and if failure is due to one or
more nodes exceeding the configured connec-
tion-limit or connection-rate-limit.
Default By default, the ACOS device will use the node(s) with the next-highest pri-
ority if all nodes with the currently-selected priority fail.
Mode Service group
Usage Use this feature to define specific actions that should occur when higher-pri-
ority service-group members fail. By default, the ACOS device uses the
highest priority service-group members until they are no longer available.
When the higher-priority nodes fail, the ACOS device fails over to the
nodes with the next-highest priority.
This priority option enables you to tie actions (drop, reset, and others) to a
general failure, such as service group members becoming disabled or failing
a health check. Alternatively, actions can be tied to connection-limits or
connection-rate-limits being exceeded.
Configuring the "priority option" feature allows you to prevent lower-prior-

ity servers, which are presumably less robust than higher-priority servers,
from being overwhelmed by a flood of traffic when a failover occurs.
Note: The actions are mutually exclusive. Only one action can be configured for
each priority level.

priority-affinity
The reset or drop actions can be triggered for the following reasons:
• If a health check fails
• If a user disables a server or port
• If another Load Balancing feature causes the currently-used priority to

become unavailable (for example, min-active-member feature)
• If a connection-limit or connection-rate-limit is exceeded
Example The following commands create the TCP service group “sg1” with several
servers with a priority of 10, and one server with a priority of 1. The com-
mands also assign the reset-if-exceed-limit action for members with prior-
ity 10, and assign the drop action for members with priority 5.
ACOS(config)#slb service-group sg1 tcp
ACOS(config-slb svc group)#priority 10 reset-if-exceed-limit
ACOS(config-slb svc group)#priority 5 drop
ACOS(config-slb svc group)#member s1:80 priority 10
priority-affinity
Description Configure the ACOS device to continue using backup servers (servers with
lower priority) even when the primary (high priority) servers come back up.
Syntax [no] priority-affinity [reset]
reset Resets the priority affinity feature so that the pri-
mary servers can be used again.
Default Disabled.
By default, the ACOS device uses only the service-group members with the
highest priority. If all the highest-priority servers go down, the ACOS
device starts using the secondary (lower-priority) members. Also by default,
when one or more of the highest-priority servers comes back up, the ACOS
device returns to using only those highest-priority servers and stops using
the backup servers.
Mode Service group

reset auto-switch
Usage The min-active-member option continues using backup servers in order to

maintain a minimum number of active servers, but does not continue using
only the backup servers after the primary servers come back up.
If the ACOS device stops using the primary servers due to other features
(for example, exceeding connection limits), the priority affinity feature will
take effect just as if the switchover to the backup servers were triggered by a
change in the status of the primary servers. If those higher-priority servers
become available due to the number of connections dropping below the
configured threshold, the AX will not use them, but will instead continue
using the lower-priority backup servers.
reset auto-switch
Description Reset load balancing from stateless back to the configured stateful method.
This command applies to configurations that use the auto-switch feature,
which automatically switches from the configured stateful load-balancing
method to a stateless load-balancing method, based on a configured thresh-
old. (See “method” on page 720.)
Syntax reset auto-switch
Default N/A
Mode Configuration
Usage This command is operational only and does not affect the configuration.
The command is not saved in the startup-config.
reset-on-server-selection-fail
Description Send a TCP reset (RST) to the client if server selection fails.
Syntax [no] reset-on-server-selection-fail
Default Disabled
Mode Service group
Usage The TCP template reset-rev option also can be used to send a RST to cli-
ents. In AX releases prior to 2.2.2, the reset-rev option would send a RST in
response to a server selection failure. In AX Release 2.2.2 and later, this is

stats-data-disable
no longer true. The reset-on-server-selection-fail option must be used

instead.
stats-data-disable
Description Disable collection of statistical data for the service group.
Mode Service group
stats-data-enable
Description Enable collection of statistical data for the service group.
Mode Service group
page 231.)
template
Description Apply a server or port configuration template to a service group.
Syntax template
{policy template-name | port template-name |
server template-name}
policy
template-name Name of a policy template.
port template-
name Name of a port template.
server
template-name Name of a server template.

traffic-replication-type
Default The settings in the server or port template applied to the server or port are
used, unless overridden by settings in the individual server or port configu-
ration.
Mode Service group
Description Replicate or “mirror” traffic to one or more collector servers in a service
group using one of the traffic replication types.
Syntax traffic-replication-type
{
mirror |
mirror-da-repl |
mirror-ip-repl |
mirror-sa-da-repl |
mirror-sa-repl
}
mirror The ACOS device sends the packets “as is” to the
collector server(s). Forwarding is based on the IP
address in the original packet. This mode does
not change the packet header at all. The original
Layer 2 Destination Address (DA) or Source
Address (SA) and Layer 3 IP addresses are left
intact.
mirror-da-repl Mirror Destination MAC Address replacement
mode uses Layer 2 forwarding, with the ACOS
device replacing the destination MAC address on
the incoming packet with the destination MAC
for each of the collector servers within the desig-
nated service group.
mirror-ip-repl Mirror IP-replacement mode replaces the incom-
ing packet’s IP address with the IP address of the
collector server(s) and then forwards the dupli-
cated packet to those servers. This option affects
the packet at Layer 4, with minor changes made
to the L4 source and destination ports. This
option is recommended for scenarios in which
collector servers are directly connected to the
ACOS device.

mirror-sa-da-
repl Mirror Source MAC Address and Destination
MAC Address replacement mode replaces both
the source and destination MAC addresses at
Layer 2 but does not change the Layer 3 IP
addressing information.
mirror-sa-repl Mirror Source MAC Address replacement mode
replaces the source MAC address on the incom-
ing packet with the MAC address corresponding
to virtual server on the ACOS device.
Note: In general, most of the traffic replication options modify the headers of
the duplicated packets at Layer 2 by changing the MAC address. Only one
of the Traffic Replication modes alters the packets’ IP address.
Default Disabled
Mode Service group
Usage The traffic replication feature intercepts traffic feeds, such as SNMP or Sys-
log packets, copies them to a buffer, and forwards the duplicated packet to
multiple collector servers, where the data can be used to track users and
devices. This can be helpful for organizations that need Network Monitor-
ing feeds to be replicated to multiple destinations.
When configuring the feature, after defining the VIP and setting up the real
collector servers, configure a service group for the collector servers, add the
real collector servers to the service group, and specify the traffic which rep-
lication mode will be used.
Example The following commands configure a service group for the collector servers
and add the real collector servers to the service group. Then, the commands
specify that the mirror-da-repl traffic replication mode will be used to for-
ward duplicated network monitoring traffic to the collector servers.
ACOS(config)#slb service-group SG-RS tcp
ACOS(config-slb svc group)#member RS-1:0
ACOS(config-slb svc group)#member RS-2:0
ACOS(config-slb svc group)#traffic-replication-type mirror-da-repl


arp-disable
Config Commands: SLB Virtual Servers
This chapter describes the commands for configuring SLB virtual servers.
To access this configuration level, enter the slb virtual-server vipaddr vip-
name command at the global Config level.
To display configured virtual servers, use the show slb virtual-server com-
mand.
Note: The commands in this chapter apply to virtual servers (also called
“VIPs”), not to real servers. To configure real servers, see “Config Com-
mands: SLB Servers” on page 701.
arp-disable
Description Disable ARP replies from a virtual server.
Syntax [no] arp-disable
Default ARP replies are enabled by default.
Mode Virtual server
Usage Use this command if you do not want the A10 Thunder Series and AX
Series device to reply to ARP requests to the virtual server’s IP address. For
example, you can use this command to put a VIP out of service on one

description
ACOS device and use that device as a switch or router for another ACOS
device providing SLB for the VIP.
When you disable ARP replies for a VIP, redistribution of routes to the VIP
is automatically disabled.
Example The following command disables ARP replies:

ACOS(config-slb virtual server)#arp-disable
description
Description Add a description to a VIP.
Syntax description string
string String up to 63 characters long. The string can
contain blanks. Quotation marks are not
required.
Default None
Mode Virtual server
disable
Description Disable a virtual server.
Syntax [no] disable

[when-all-ports-down | when-any-port-down]
when-all-ports-
down Automatically disables the virtual server if all its
service ports are down. If OSPF redistribution of
the VIP is enabled, the ACOS device also with-
draws the route to the VIP in addition to dis-
abling the virtual server.

enable
when-any-port-
down Automatically disables the virtual server if any
of its service ports is down. If OSPF redistribu-
tion of the VIP is enabled, the ACOS device also
withdraws the route to the VIP in addition to dis-
abling the virtual server.
Default Virtual servers are enabled by default. The when-all-ports-down option is

enabled by default. The when-any-port-down option is disabled by default.
Mode Virtual server
Example The following commands disable virtual server “vs1”:

ACOS(config)#slb virtual-server vs1
ACOS(config-slb virtual server)#disable
enable
Description Enable a virtual server.
Syntax [no] enable
Default Enabled
Mode Virtual server
Example The following commands re-enable virtual server “vs1”:

ACOS(config-slb virtual server)#enable
extended-stats
Description Enable collection of peak connection statistics for a virtual server.
Default Disabled
Mode Virtual server

ha-dynamic
ha-dynamic
Description Enable VIP-based failover.
Syntax [no] ha-dynamic server-weight
server-weight Amount to subtract from the HA group’s priority
value for each real server that becomes unavail-
able. The weight can be 1-255.
Default Not set
Mode Virtual server
Example The following commands assign virtual server VIP2 to HA group 6 and
enable VIP-based failover for the virtual server.
ACOS(config)#slb virtual VIP2 192.168.10.22
ACOS(config-slb virtual server)#ha group 6
ACOS(config-slb virtual server)#ha-dynamic 10
ha-group
Description Add a virtual server to a High-Availability (HA) group.
Syntax [no] ha-group group-id
Default None.
Mode Virtual server
Example The following commands assign virtual server “vs1” to HA group 1:

ACOS(config-slb virtual server)#ha-group 1

port
port
Description Configure a virtual port on a virtual server.
Syntax [no] port port-number service-type

[range length]
[alternate]
port Port number, 0-65534.
service-type Service type of the port:
diameter – Diameter AAA load balancing
dns-tcp – DNS service over TCP
dns-udp – DNS caching
fast-http – Streamlined Hypertext Transfer
Protocol (HTTP) service
fix – File Information Exchange (FIX) load
balancing
ftp – File Transfer Protocol
http – HTTP
https – Secure HTTP (SSL)
mms – Microsoft Media Server
mssql – Database load balancing for MS-SQL
servers
mysql – Database load balancing for MySQL
servers
radius – RADIUS
rtsp – Real Time Streaming Protocol
sip – Session Initiation Protocol (SIP) over
UDP
sip-tcp – SIP over TCP
sips – SIP over TCP / TLS
smpp-tcp – Short Message Peer-to-Peer
(SMPP 3.3) load balancing over TCP
smtp – Simple Mail Transfer Protocol
spdy – Google SPeeDy protocol

port
spdys – Secure SPDY

ssl-proxy – SSL proxy service
tcp – Layer 4 Transmission Control Protocol
(TCP)
tcp-proxy – Full TCP-stack service for load-
balanced Layer 7 applications
tftp – Trivial File Transfer Protocol
udp – User Datagram Protocol
others – Wildcard port used for IP protocol
load balancing. (For more information, see the
“IP Protocol Load Balancing” chapter of the
Application Delivery and Server Load Balancing
Guide.)
Note: Fast-HTTP is optimized for very high performance information

transfer in comparison to regular HTTP. Due to this optimization,
fast-HTTP does not support all the comprehensive capabilities of
HTTP such as header insertion and manipulation. It is recom-
mended not to use fast-HTTP for applications that require complete
data transfer integrity.
range length Assigns a range of ports to the VIP for the speci-
fied virtual-service type. The length specifies the
number of contiguous ports to add to the base
port, 0-254.
alternate Designates this virtual port as an alternate port
for another virtual port. An alternate port is a
standby for the primary port. (See “alternate” on
page 748.)
Default N/A
Mode Virtual server
Usage The normal form of this command creates a new or edits an existing virtual
port. The CLI changes to the configuration level for the virtual port. (See
“Config Commands: SLB Virtual Server Ports” on page 745.)
The “no” form of this command removes the specified virtual port from
current virtual server.
The maximum number of virtual service ports allowed and the maximum
number per virtual server depend on the ACOS model.

redistribution-flagged
The ACOS device allocates processing resources to HTTPS virtual ports

when you bind them to an SSL template. This results in increased CPU uti-
lization, regardless of whether traffic is active on the virtual port.
Example The following example creates a new (or edits an existing) virtual port:
ACOS(config-slb virtual server)#port 443 https
ACOS(config-slb virtual server-slb virtua...)#
redistribution-flagged
Description Flag this VIP to selectively enable or disable redistribution of it by OSPF.
Syntax [no] redistribution-flagged
Default Not set. The VIP is automatically redistributed if VIP redistribution is enabled in
OSPF.
Mode Virtual server
Usage Use this option if you want to redistribute only some of the VIPs rather than
all of them.
Selective VIP redistribution also requires configuration in OSPF. See the

description of the vip option in “redistribute” on page 435.
stats-data-disable
Description Disable collection of statistical data for the virtual server.
Mode Virtual server
stats-data-enable
Description Enable collection of statistical data for the virtual server.

template logging
Mode Virtual server
page 231.)
template logging
Description Bind a logging template to the virtual server.
Syntax [no] template logging template-name
Default None
Mode Virtual server
template policy
Description Bind a PBSLB policy template to the virtual server.
Syntax [no] template policy template-name
Default None
Mode Virtual server
Usage This command is applicable only for PBSLB policy templates configured
for IP limiting. (See the Application Access Management and DDoS Mitiga-
tion Guide.)
template virtual-server
Description Bind a virtual server template to the virtual server.
Syntax [no] template virtual-server template-name
Default The virtual server template named “default” is bound to virtual servers by
default. The parameter settings in the default virtual server template are
automatically applied to the new virtual server, unless you bind a different
virtual server template to the virtual server.

vrid
Mode Virtual server
Usage If a parameter is set individually on this virtual server and also is set in a vir-
tual server template bound to this virtual server, the individual setting on
this virtual server is used instead of the setting in the template.
To configure a virtual server template, see “slb template virtual-server” on

page 696.
Example The following commands configure a virtual server template called “vs-
tmplt1” that sets ICMP rate limiting, and bind the template to a virtual
server:
ACOS(config)#slb template server vs-tmplt1
ACOS(config-vserver)#icmp-rate-limit 25000 lock 30000 60
ACOS(config-vserver)#exit
ACOS(config-slb virtual server)#template virtual-server vs-tmplt1
vrid
Description Assign the virtual server to a VRRP-A VRID.
Syntax [no] vrid {num | default}
num | default Specifies the VRID. In the shared partition, you
can specify 1-31 or default. In private partitions,
you can specify default.
Default In private partitions, virtual servers are assigned to the default VRID by
default. In the shared partition, virtual servers are not assigned to any VRID
by default.
Mode Virtual server configuration mode

vrid

access-list
Config Commands: SLB Virtual Server Ports
This chapter describes the commands for configuring virtual ports.
To access this configuration level, enter the port port-num port-type com-
mand at the configuration level for a virtual server.
access-list
Description Apply an Access Control List (ACL) to a virtual server port.
Syntax [no] access-list {acl-num | name acl-name}

[source-nat-pool
{pool-name | pool-group-name}
[sequence-number num]]
acl-num | name
acl-name Number of a configured IPv4 ACL (acl-num), or
the name of a configured IPv6 ACL
(name acl-name).

access-list
source-nat-pool
pool-name |
pool-group-name
[sequence-
number num] Name of a configured IP source NAT pool or
pool group. Use this option if you are configur-
ing policy-based source NAT. Source NAT is
required if the real servers are in a different sub-
net than the VIP.
The sequence-number num option specifies the
position of this ACL in the sequence of ACLs
that are associated with IP source NAT pools and
which are assigned to this virtual port. The
sequence number is important because the ACOS
device will use the IP addresses in the pool asso-
ciated with the first ACL that matches the traffic.
By default, the ACL sequence is based on the
order in which you apply them to the virtual port.
The first ACL has sequence number 1, the sec-
ond ACL has sequence number 2, and so on. You
can specify 1-32 as the sequence number. To
view the sequence, use the show running-config
command to view the configuration for this vir-
tual port.
Default N/A
Mode Virtual port
Usage The ACL must be configured before you can apply it to a virtual port. To
configure an ACL, see “access-list (standard)” on page 89 and “access-list
(extended)” on page 92.
To permit or deny traffic on the virtual port, specify an ACL but do not
specify a NAT pool.
To configure policy-based source NAT, specify an ACL and a NAT pool.

Use an extended ACL. The source IP address must match on the client
address. The destination IP address must match on the real server address.
The action must be permit. The NAT pool is used only for traffic that
matches the ACL. This configuration allows the virtual port to have multi-
ple pools, and to select a pool based on the traffic.

aflex
Example The following commands configure a standard ACL to deny traffic from
subnet 10.10.10.x, and apply the ACL to the inbound traffic direction on
virtual port 8080 on virtual server “slb1”:
ACOS(config)#slb server slb1
ACOS(config-slb virtual server-slb virtua...)#access-list 99
Example The following commands configure policy-based source NAT, by binding

ACLs to NAT pools on the virtual port.
ACOS(config-slb virtual server-slb virtua...)#access-list 30 source-nat-pool
pool1
ACOS(config-slb virtual server-slb virtua...)#access-list 50 source-nat-pool
pool2
aflex
Description Apply an aFleX policy to a virtual port.
Syntax [no] aflex policy-name
policy-name Name of a configured aFleX policy.
Default N/A
Mode Virtual port
Usage The normal form of this command applies the specified aFleX policy to the
port.
The “no” form of this command removes the aFleX policy from the port.
For more information about aFleX policies, see the aFleX Scripting
Language Reference.
Example The following command applies aFleX policy “aflex1” to a virtual port:
ACOS(config-slb virtual server-slb virtua...)#aflex aflex1

alternate
alternate
Description Enables switchover to another virtual port, based on specific conditions.
Syntax [no] alternate port port-num

{
alt-port-service-type [switchover-event]
}
port-num Port number of the alternate virtual port.
alt-port-
service-type Service type of the alternate port, tcp or http.
switchover-
event The event types that cause switchover from the
primary port to the alternate port:
For TCP alternate ports, you can specify the fol-
lowing:
req-fail – Switches over if a request
fails.
when-down – Switches over if the service
group for the primary port is down.
For HTTP alternate ports, you can specify the
following:
serv-sel-fail – Switches over if SLB
server selection fails.
when-down – Switches over if the service
group for the primary port is down.
Default Not set
Mode Virtual port

clientip-sticky-nat
clientip-sticky-nat
Description Configure client stickiness for outbound LLB.
Syntax [no] clientip-sticky-nat
Default Disabled
Mode Virtual port
Usage Sticky NAT for outbound Link Load Balancing (LLB) provides a virtual-
port option to ensure the ACOS device always uses the same outbound link
for a given client’s traffic. You can enable it on individual virtual ports.
Note: The Sticky NAT option applies only to LLB. The option does not apply to
other features, such as SLB.
Note: The sticky NAT option is not supported with the ip-rr (IP round-robin)
option.
conn-limit
Description Set the connection limit for a virtual port.
Syntax [no] conn-limit number [reset] [no-logging]
number Connection limit, 0-8000000 (8 million);
0 means no limit.
reset Sends a connection reset to the client, if the con-
nection limit has been reached. If you omit this
option, the connection is silently dropped and no
reset is sent to the client.
no-logging Disables logging for this feature.
Default Not set. If you set a limit, the default action for any new connection request
after the limit has been reached is to silently drop the connection, without
sending a reset to the client. Logging is enabled by default.
Mode Virtual port

def-selection-if-pref-failed
Usage The normal form of this command changes the current port’s connection
limit.
The “no” form of this command resets the port’s connection limit to its
default value.
The connection limit puts a hard limit on the number of concurrent

connections supported by the port. No more connections will be put on the
port if its number of current connections is already equal to or bigger than
the limit.

active connections.
Example The following command changes a virtual port’s connection limit to 10000:
ACOS(config-slb virtual server-slb virtua...)#conn-limit 10000
def-selection-if-pref-failed
Description Configure SLB to continue checking for an available server in other service
groups if all of the servers are down in the first service group selected by
SLB.
Syntax [no] def-selection-if-pref-failed
Default Enabled
Mode Virtual port
Usage During SLB selection of the preferred server to use for a client request, SLB
checks the following configuration areas, in the order listed:
1. Layer 3-4 configuration items:
a. aFleX policies triggered by Layer 4 events
b. Policy-based SLB (black/white lists). PBSLB is a Layer 3 configu-
ration item because it matches on IP addresses in black/white lists.

disable
2. Layer 7 configuration items:

a. Cookie switching
b. aFleX policies triggered by Layer 7 events
c. URL switching
d. Host switching
3. Default service group. If none of the items above results in selection of a

server, the default service group is used.
• If the configuration uses only one service group, this is the default
service group.
• If the configuration uses multiple service groups, the default service
group is the one that is used if none of the templates used by the
configuration selects another service group instead.
For example, if the CLIENT_ACCEPTED event triggers the aFleX policy,

the policy is consulted first. Similarly, if the HTTP_REQUEST event trig-
gers the aFleX policy, the policy is consulted only if none of the Layer 4
configuration items results in selection of a server.
The first configuration area that matches the client or VIP (as applicable) is
used, and the client request is sent to a server in the service group that is
applicable to that configuration area. For example, if the client's IP address
is in a black/white list, the service group specified by the list is used for the
client request.
When the def-selection-if-pref-failed option is enabled, SLB continues to

check for an available server in other service groups if all servers are down
in the first service group selected by SLB.
If Policy-Based SLB (PBSLB) is also configured on the same virtual port,

PBSLB server-selection failures are not logged. This limitation does not
affect failures that occur because a client is over their PBSLB connection
limit. These failures are still logged.
Example The following command enables this option:

ACOS(config-slb virtual server-slb virtua...)#def-selection-if-pref-failed
disable
Description Disable a virtual port.
Syntax [no] disable

enable
Default Enabled
Mode Virtual port
Example The following command disables a virtual port:

ACOS(config-slb virtual server-slb virtua...)#disable
enable
Description Enable a virtual port.
Syntax [no] enable
Default Enabled
Mode Virtual port
Example The following command re-enables a virtual port:

ACOS(config-slb virtual server-slb virtua...)#enable
extended-stats
Description Enable collection of peak connection statistics for a virtual port.
Default Disabled
Mode Virtual port
ha-conn-mirror
Description Enable connection mirroring (session synchronization) for the virtual port.
Syntax [no] ha-conn-mirror
Default Disabled.
Mode Virtual port
Usage Connection mirroring applies to HA configurations. When connection mir-

roring is enabled, the Active A10 Thunder Series and AX Series device

ip-map-list
sends information about active client connections to the Standby ACOS

device. If a failover occurs, the newly Active ACOS device continues ser-
vice for the session. The client perceives very brief or no interruption.
When connection mirroring is disabled, client session information is lost.

Clients must establish new connections.
In HA deployments, HA session synchronization is required for persistent

sessions (source-IP persistence, and so on), and is therefore automatically
enabled for these sessions by the ACOS device. Persistent sessions are syn-
chronized even if session synchronization is disabled in the configuration.
Example The following command enables connection mirroring:

ACOS(config-slb virtual server-slb virtua...)#ha-conn-mirror
ip-map-list
Description Applies an IP map list to the virtual port.
Syntax [no] ip-map-list list-name
Default Not set
Mode Virtual port
Usage For map-list information, see “ip map-list” on page 364.

ipinip
ipinip
Description Enables IP-in-IP tunneling. Contact A10 Networks for more information.
Syntax [no] ipinip
Mode Virtual port
name
Description Change the name assigned to the virtual port.
Syntax name string
string Name for the virtual port.
Default The ACOS device assigns a name that uses the following format:
_vip-addr_service-type_portnum
Mode Virtual port
no-dest-nat
Description Disable destination NAT.
Syntax [no] no-dest-nat [port-translation]
port-
translation For wildcard VIPs, enables the ACOS device to
translate the destination protocol port in a client
request before sending the request to a server.
This option is useful if the real port number on
the server is different from the virtual port num-
ber of the VIP. Without this option, the ACOS

no-dest-nat
device sends the request to the server without

changing the destination port number.
This option does not change the destination IP
address of the request.
Note: This option is supported only for virtual ports that are on wildcard VIPs.
Default Destination NAT is enabled by default.
Mode Virtual port
Usage This option can be used for Direct Server Return (DSR) or for wildcard
VIPs.
Direct Server Return

For virtual servers that have a specific virtual IP address (VIP), disabling
destination NAT enables Direct Server Return (DSR). When DSR is
enabled, only the destination MAC address is translated from the VIP’s
MAC address to the real server’s MAC address. The destination IP address
is still the VIP.
In DSR topologies, reply traffic from the server to the client is expected to
bypass the ACOS device.
In the current release, for IPv4 VIPs, DSR is supported on virtual port types
(service types) TCP, UDP, FTP, and RTSP. For IPv6 VIPs, DSR is supported
on virtual port types TCP, UDP, and RTSP.
Wildcard VIPs
For wildcard VIPs (VIPs that can have any IP address), this option enables
the ACOS device to send the client request to the server without changing
the destination IP address of the request.
The destination port of the request also is unchanged, unless you use the
port-translation option. (See above.)
Depending on the network topology and the application, reply traffic from
the server to the client may or may not pass back through the ACOS device.
If the port-translation option is used, and reply traffic passes through the
ACOS device, the ACOS device translates the source port of the server
reply back into the destination port to which the client sent the request,
before forwarding the reply to the client.
The port-translation option is supported only for the following virtual port
types: TCP, UDP, and HTTP/HTTPS.

pbslb
pbslb
Description Configure settings for Policy-based SLB (PBSLB).
Syntax [no] pbslb bw-list name
Syntax [no] pbslb id id

{service service-group-name | drop | reset}
[logging [minutes] [fail]]]
Syntax [no] pbslb over-limit {drop | reset}
bw-list name Binds a black/white list to the virtual port.
id id
{service
service-group-
name | drop |
reset} Specifies the action to take for clients in the
black/white list:
id – Group ID in the black/white list.
service-group-name – Name of an SLB
service group on the A10 Thunder Series and AX
Series device.
drop – Drops new connections until the number
of concurrent connections on the virtual port falls
below the port’s connection limit. (The connec-
tion limit is set in the black/white list.)
reset – Resets new connections until the num-
ber of concurrent connections on the virtual port
falls below the connection limit.
logging
[minutes]
[fail]] Enables logging. The minutes option specifies
how often messages can be generated. This
option reduces overhead caused by frequent
recurring messages.
For example, if the logging interval is set to 5
minutes, and the PBSLB rule is used 100 times
within a five-minute period, the ACOS device
generates only a single message. The message
indicates the number of times the rule was
applied since the last message. You can specify a

pbslb
logging interval from 0 to 60 minutes. To send a

separate message for each event, set the interval
to 0.
PBSLB rules that use the service service-group-
name option also have a fail option for logging.
The fail option configures the ACOS device to
generate log messages only when there is a failed
attempt to reach a service group. Messages are
not generated for successful connections to the
service group. The fail option is disabled by
default. The option is available only for PBSLB
rules that use the service service-group-name
option, not for rules with the drop or reset
option, since any time a drop or reset rule affects
traffic, this indicates a failure condition.
Note: If the def-selection-if-pref-failed option is enabled on the virtual port, log

messages will never be generated for server-selection failures. To ensure
that messages are generated to log server-selection failures, disable the
def-selection-if-pref-failed option on the virtual port. This limitation does
not affect failures that occur because a client is over their PBSLB connec-
tion limit. These failures are still logged.
Default This command has the following default settings:

• bw-list – N/A
• id – N/A
• logging – Disabled. When logging is enabled, the default for minutes

is 3.
• over-limit – drop
Mode Virtual port
Usage The black/white list specified by bw-list name must already be imported
onto the A10 Thunder Series and AX Series device. To import a black/white
list file, see “bw-list” on page 125.
If you use the logging option, the ACOS device uses a log rate limiting
mechanism and load balances logging among multiple log servers, if more
than one is configured. For more information, see the System Configuration
and Administration Guide.

Example The following commands bind black/white list “sample-bwlist” to the vir-
tual port, assign clients in group 2 to service group “srvcgroup2”, and drop
clients in group 4:
ACOS(config-slb virtual server-slb virtua...)#pbslb bw-list sample-bwlist
ACOS(config-slb virtual server-slb virtua...)#pbslb id 2 service srvcgroup2
ACOS(config-slb virtual server-slb virtua...)#pbslb id 4 drop
Description Send a TCP reset (RST) to the client if server selection fails.
Syntax [no] reset-on-server-selection-fail
Default Disabled
Mode Virtual port
Usage The TCP template reset-rev option also can be used to send a RST to cli-
ents. In AX releases prior to 2.2.2, the reset-rev option would send a RST in
response to a server selection failure. In AX Release 2.2.2 and later, this is
no longer true. The reset-on-server-selection-fail option must be used
instead.
service-group
Description Bind a virtual port to a service group.
Syntax [no] service-group group-name
group-name Service-group name.
Default N/A
Mode Virtual port
Usage The normal form of this command binds the virtual port to the specified ser-
vice group. The “no” form of this command removes the binding.
One virtual port can be associated with one service group only, while one
service group can be associated with multiple virtual ports.
The type of service group and type of virtual port should match. For
example, a UDP service group can not be bound to an HTTP virtual port.

snat-on-vip
Example The following examples bind a service group to a virtual port, then remove
the binding, respectively.
ACOS(config-slb virtual server-slb virtua...)#service-group tcp-grp
ACOS(config-slb virtual server-slb virtua...)#no service-group tcp-grp
snat-on-vip
Description Enable IP NAT support for the virtual port.
Syntax [no] snat-on-vip
Default Disabled
Mode Virtual port
Usage Source IP NAT can be configured on a virtual port in the following ways:
1. ACL-based source NAT (access-list command at virtual port level)
2. VIP source NAT (slb snat-on-vip command at global configuration

level)
3. aFleX policy (aflex command at virtual port level)
4. Non-ACL source NAT (source-nat command at virtual port level)
These methods are used in the order shown above. For example, if IP source
NAT is configured using an ACL on the virtual port, and the slb snat-on-
vip command is also used, then a pool assigned by the ACL is used for traf-
fic that is permitted by the ACL. For traffic that is not permitted by the
ACL, VIP source NAT can be used instead.
Note: The current release does not support source IP NAT on FTP or RTSP vir-
tual ports.
source-nat auto
Description Configure Smart NAT, to automatically create NAT mappings using the AX
interface connected to the real server.
Syntax [no] source-nat auto [precedence]
precedence This option is applicable if standard NAT pools
are also used by the virtual port. In this case,

source-nat pool
using the precedence option causes Smart NAT

to be used before the standard NAT pools are
used.
Default Disabled
Mode Virtual port
Usage Up to 45 K mappings per real server port are supported. The ACOS device
can use the same AX interface IP address and port for more than one server
connection. The combination of AX IP address and port number (source)
and server IP address and port (destination) uniquely identifies each map-
ping.
Smart NAT can be used along with standard NAT pools or pool groups. In
this case, by default, the standard pool addresses are used first. Smart NAT
is used only when the standard pools can not support any more mappings.
You can change this behavior so that Smart NAT is used first.
Additional Notes
• Smart NAT applies only to ACOS devices deployed in route mode (also
called “gateway” mode). The feature is not applicable to devices
deployed in transparent mode.
• Smart NAT uses only the primary IP address on an interface, even if
multiple addresses are configured on the interface.
• Smart NAT uses protocol ports 20032-65535.
• Smart NAT is not supported in HA or VRRP-A deployments. Smart

NAT sessions are not synchronized to the backup device.
• Smart NAT is not supported on SIP, SIP-TCP, or SIPS virtual ports.
source-nat pool
Description Enable source NAT. Source NAT is required if the real servers are in a dif-
ferent subnet than the VIP.
Note: This command is not applicable to the mms or rtsp service types.
Syntax [no] source-nat pool

{pool-name | pool-group-name}

stats-data-disable
pool-name Specifies the name of an IP pool of addresses to
use as source addresses.
pool-group-name Specifies the name of a group of IP address pools
to use as source addresses.
Default Disabled.
Mode Virtual port
Usage By default, source NAT is disabled.
This command enables source NAT.
This command enables source NAT using a single NAT pool or pool group,
for all source addresses. If you want the ACOS device to select from among
multiple pools based on source IP address, configure policy-based source
NAT instead. See “access-list” on page 745.
Example The following example enables source NAT for the virtual port:
ACOS(config-slb virtual server-slb virtua...)#source-nat pool pool2
stats-data-disable
Description Disable collection of statistical data for the virtual port.
Mode Virtual port
stats-data-enable
Description Enable collection of statistical data for the virtual port.
Mode Virtual port

syn-cookie
page 231.)
syn-cookie
Description Enable software-based SYN cookies for a virtual port. SYN cookies provide
protection against TCP SYN flood attacks.
Syntax [no] syn-cookie [expand]
expand Enable expanded SYN cookie support. When
enabled, the ACOS device can encode values for
the following TCP options in the SYN-ACK:
~ Windows Scale for outbound traffic (send)
~ Windows Scale for inbound traffic (receive)
~ Selective acknowledgement (SACK) flag
Note: These options are described in RFC 1323,
TCP Extensions for High Performance.
Default Disabled.
Mode Virtual port
Usage If hardware-based SYN cookies are enabled, software-based SYN cookies

are not needed and are not used. (Hardware-based SYN cookies are enabled
at the global configuration level. See “syn-cookie” on page 232.)
For software-based SYN cookies, the ACOS device bases Selective

Acknowledgment (SACK) support, and the maximum segment size (MSS)
setting, in software-based SYN cookies on server replies to TCP health
checks sent to the servers.
SACK
The ACOS device includes the Sack-Permitted option in TCP SYN health
check packets sent to servers.
• If all up servers in the service group reply with a TCP SYN-ACK that
contains a SACK option, the ACOS device uses SACK with the soft-
ware-based SYN-cookie feature, for all servers in the service group.

template
• If any of the up servers in the service group does not send a SACK
option, the ACOS device does not use SACK with the software-based
SYN-cookie feature, for any servers in the service group.
In releases earlier than AX Release 2.6.1-P3, the software-based SYN-

cookie feature has an option to enable SACK. This option is no longer
applicable. If you are upgrading an ACOS device whose startup-config con-
tains the SACK option, the option is ignored.
MSS
The lowest MSS value supported by any of the servers in the service group
is the MSS value used by the ACOS device for software-based SYN-cook-
ies.
template
Description Applies an SLB configuration template to a virtual port.
Syntax [no] template template-type template-name
template-type Type of template. The template types that are
available depend on the service type of the vir-
tual port. To list the available template types,
enter the following command: template ?
For information about the virtual-port template
type, see “template virtual-port” on page 764.
template-name Name of the template.
Default If the ACOS device has a default template that is applicable to the service
type, the default template is automatically applied. The ACOS device has a
default virtual-port template, which is applied to a virtual port when you
create it.
Mode Virtual port
Usage The normal form of this command applies the specified template to the vir-
tual port. The “no” form of this command removes the template from the
virtual port but does not delete the template itself.
A virtual port can be associated with only one template of a given type.
However, the same template can be associated with more than one virtual
port.

template virtual-port
To bind a virtual-port template to the port, see “template virtual-port” on

page 764.
Example The following example applies connection reuse template “reuse-template”

to a virtual port:
ACOS(config-slb virtual server-slb virtua...)#template connection-reuse
reuse-template
template virtual-port
Description Bind a a virtual service port template to the virtual port.
Syntax [no] template virtual-port template-name
Default The virtual port template named “default” is bound to virtual ports by
default. The parameter settings in the default virtual port template are auto-
matically applied to the new virtual port, unless you bind a different virtual
port template to the virtual port.
Mode Virtual port
Usage If a parameter is set individually on this virtual port and also is set in a vir-
tual port template bound to this virtual port, the individual setting on this
port is used instead of the setting in the template.
To configure a virtual port template, see “slb template virtual-port” on

page 690.
Example The following commands configure a virtual service port template named
“common-vpsettings”, set the connection limit, and bind the template to a
virtual port:
ACOS(config)#slb template virtual-port common-vpsettings
ACOS(config-Virtual port template)#conn-limit 500000
ACOS(config-Virtual port template)#exit
ACOS(config-slb vserver-vport)#template virtual-port common-vpsettings
use-default-if-no-server
Description Forward client traffic at Layer 3, if SLB server selection fails.
Syntax [no] use-default-if-no-server

use-rcv-hop-for-resp
Default Disabled. If SLB server selection fails, the traffic is dropped.
Mode Virtual port
Usage This command applies only to wildcard VIPs (VIP address 0.0.0.0).
Description Force the A10 Thunder Series and AX Series device to send replies to cli-
ents back through the last hop on which the request for the virtual port's ser-
vice was received.
Syntax use-rcv-hop-for-resp
[
src-dst-ip-swap-persist |
use-src-ip-for-dst-persist |
use-dst-ip-for-src-persist
]
src-dst-ip-
swap-persist Creates a persistent session after the source IP
and destination IP have been swapped. The new
persistent session that is created should match
both the source IP and the destination IP. This
option should be used with the incl-dst-ip option
for the ALG FWLB feature.
Note: This option cannot be used for the SIP pro-
tocol, because a SIP transaction may involve
three or more parties.
use-src-ip-for-
dst-persist Creates a destination persistent session based on
the source IP.
use-dst-ip-for-
src-persist The ACOS device uses the destination IP to cre-
ate source-IP persistent sessions for SIP or FTP
sessions. With this option, the response packet
will go through the same firewall as the client’s
request packet, and the SIP session and commu-
nication sessions will be load balanced through
the same firewall node.
Default Disabled.

Mode Virtual port
Usage Last hop information is not included in the information sent to the Standby
ACOS device during HA session synchronization. If an HA failover occurs,
the last hop might not be used for the reply.
For Use with ALG FWLB Feature

For simple protocols, load balancing across a firewall is relatively easy.
However, load balancing Application Layer Gateway (ALG) protocols,
such as SIP and FTP, which have multiple connections that can originate
from either side of the firewall deployment can be more challenging. The
lack of predictability that occurs with ALG protocols can cause the proto-
col’s control connection and data connection to be sent to different fire-
walls, thus causing the application to break.
The ACOS device uses the use-rcv-hop-for-resp command and its sub-
options to load balance ALG protocols through a firewall deployment con-
sisting of paired firewalls.
For more information, refer to the “ALG Protocol FWLB Support for FTP
and SIP” chapter in the A10 Thunder Series and AX Series Application

disable-after-down
Config Commands: Health Monitors
The commands in this chapter configure SLB health monitors.
To access this configuration level, enter the health monitor monitor-name

command at the global config level.
For more information about health monitors, see the “Health Monitoring”
chapter of the Application Delivery and Server Load Balancing Guide.
disable-after-down
Description Disable the target of a health check if the target fails the health check.
Syntax [no] disable-after-down
Default Disabled
Mode Health monitor configuration
Usage This command applies to all servers, ports, or service groups that use the
health monitor. When a server, port, or service group is disabled based on
this command, the server, port, or service group’s state is changed to disa-
ble in the running-config. If you save the configuration while the server,
port, or service group is disabled, the state change is written to the startup-
config.

method
The server, port, or service group remains disabled until you explicitly
enable it.
method
Description Configure a health method.
Syntax [no] method method-options
method-options Description
compound sub
monitor-name
[sub monitor-
name ...]
Boolean-
operators Configures a compound health monitor. A com-
pound health monitor consists of a set of health
monitors joined in a Boolean expression
(AND / OR / NOT). For more information, see
the “Compound Health Monitors” section in the
“Health Monitoring” chapter of the Application
[no] database
database-type
db-name name
username
username-string
password
password-string
[query-options] Configures a database health monitor. The
ACOS device sends a database query to the spec-
ified server.
database database-type – Specifies the type of
database to test:
mssql
mysql
oracle
postgresql
db-name name – Specifies the name of the data-
base to query.

method
username username-string password password-

string – Specifies the login information required
to access the database.
query-options – Specifies query information:
send query
[receive expected-reply
[row row-num column col-num]]
send query – SQL query to send to the data-
base.
receive expected-reply – Query result
expected from the database in order to pass
the health check. To use the receive option,
you also must use the send option. If you do
not use the send, the ACOS device does not
send a query.
row row-num column col-num – For replies
that consist of multiple results, the results are
in a table. You can specify the row and col-
umn location within the results table to use
as the receive string. If you do not specify
the row and column, row 1 and column 1 are
queried by default.
dns
{ipaddr |
domain domain-
name}
[options] Sends a lookup request to the specified port num-
ber for the specified domain name. By default,
expects reply with code 0. You can specify a
domain name or a server IP address as the target
of the health check.
You also can configure the following options:
expect response-code code-list – Specifies a list
of response codes, in the range 0-15, that are
valid responses to a health check. The DNS
server can respond with any of the expected
response codes. By default, the expect list is
empty, in which case the ACOS device expects
status code 0 (No error condition).
port port-num – Specifies the protocol port num-
ber on which the DNS server listens for DNS
queries. Use this option if the server is not using
the default DNS port, 53.

method
recurse {enabled | disabled} – Specifies

whether the tested DNS server is allowed to send
the health check’s request to another DNS server
if the tested server can not fulfill the request
using its own database. Recursion is enabled by
default.
tcp – Enables use of TCP for a DNS health mon-
itor.
type {A | CNAME | SOA | PTR | MX | TXT |
AAAA} – For health checks sent to a domain
name, specifies the record type the responding
server is expected to send in reply to health
checks.
You can specify one of the following record
types:
A – IPv4 address record
CNAME – Canonical name record for a DNS
alias
SOA – Start of authority record
PTR – Pointer record for a domain name
MX – Mail Exchanger record
TXT – Text string
AAAA – IPv6 address record
By default, the ACOS device expects the DNS
server to respond to the health check with an A
record.
external
[port port-num]
program
program-name
[arguments
argument-
string]
[preference] Runs an external program (for example, a Tcl
script) and bases the health status on the outcome
of the program. See “Usage” below for more
information on health check using an external
program.
The preference option applies to weighted load-
balancing methods such as SNMP-based load

method
balancing. (See the “SNMP-based Load Balanc-

ing” chapter in the Application Delivery and
Server Load Balancing Guide.)
Note: External health methods are not supported in Direct Server Return (DSR)
deployments.
ftp
[[username name
password
string] port
port-num] Sends an FTP login request to the specified port.
Expects OK message, or Password message fol-
lowed by OK message. Unless you use anony-
mous login, the username and password must be
specified in the health check configuration.
http [options] Sends an HTTP request to the specified TCP port
and URL. Expects OK message (200). You can
specify the following options:
expect {string | response-code code-list} –
Specifies a response code or string expected from
the server, in which case this value is also
expected. To specify a range of response codes,
use a dash ( - ) between the low and high num-
bers of the range. Use commas to delimit individ-
ual code numbers or separate ranges. By default,
the ACOS device expects response code 200
(OK).
host {ipv4-addr | ipv6-addr | domain-name}
[:port-num] – Replaces the information in the
Host field of the request sent to the real server.
By default, the real server’s IP address is placed
in the field.
maintenance-code code-list – Specifies a
response code that indicates the server needs to
be placed into maintenance mode. If the ACOS
device receives the specified status code in
response to a health check, the ACOS device
changes the server’s health status to Mainte-
nance.
When a server’s health status is Maintenance, the
server will accept new requests on existing

method
cookie-persistent or source-IP persistent connec-

tions, but will not accept any other requests.
To leave maintenance mode, the server must do
– Successfully reply to a health check by sending
the expected string or response code, but without
including the maintenance code. In this case, the
server’s health status changes to Up.
– Fail a health check. In this case, the server’s
status changes to Down.
The Maintenance health status applies to server
ports and service-group members. When a port’s
status changes to Maintenance, this change
applies to all service-group members that use the
port.
Note: The expect maintenance-code option applies only to servers in cookie-

persistence or source-IP persistence configurations, and can be used only
for HTTP and HTTPS ports.
port port-num – Specifies the protocol port on
which the server listens for HTTP traffic. Use
this option if the server does not use the default
HTTP port, 80.
url string – Specifies the request type and the
page (url-path) to which to send the request. By
default, GET requests are sent for “ / ”, the
index.html page. You can specify one of the fol-
lowing:
GET url-path
HEAD url-path
POST url-path postdata string
POST / postfile filename
Note: In a postdata string, use “=” between a field name and the value you are
posting to it. If you post to multiple fields, use “&” between the fields.
For example: postdata fieldname1=value&fieldname1=value. The string
can be up to 255 bytes long.
To use POST data longer than 255 bytes, you must import a POST data
file and use the POST / postfile filename option. (See “health postfile” on
page 164.)

method
username name – Specifies the username

required for HTTP access to the server. Unless
anonymous login is used, the username must be
specified.
https [options] Similar to an HTTP health check, except SSL is
used to secure the connection. The default port is
443.
The disable-sslv2hello option disables encapsu-
lation of SSLv3, TLSv1, or TLSv1.1 hello mes-
sages within the SSLv2 hello messages for
HTTPS health checks.
The cert cert-name and key key-name options
are used to add an SSL certificate and key to an
HTTPS health monitor. When you use this
option, the ACOS device uses the certificate and
key during the SSL handshake with the HTTPS
port on the server.
The certificate you plan to use with the health
monitor must be present on the ACOS device
before you configure the health monitor.
icmp
[transparent
ipaddr] Sends an ICMP echo request to the server.
Expects ICMP echo reply message.
The transparent ipaddr option is applicable if
the target of the health monitor is reached
through an intermediary device. The option tests
the path through the intermediary device to the
target device.
imap
[port port-num]
[username name
password
string] Sends an IMAP login request with the specified
username and password. Expects reply with OK
message.

method
kerberos-kdc
kinit
principal
password
{kdc-hostname |
kdc-ipaddr}
[port port-num]
[tcp-only] Configures a method to check accessibility of the
KDC for obtaining a TGT.
principal – Name of the Kerberos principal.
This is the ACOS client name presented to the
server.
password – Kerberos admin password.
{kdc-hostname | kdc-ipaddr}
[port port-num] – Hostname or IP address
of the server where the KDC is running. The
port option specifies the protocol port on which
the server listens for TGT requests. The default
KDC port is 88.
tcp-only – Sends health checks only over
TCP.
kerberos-kdc
kadmin
realm-name
principal
password
{kdc-hostname |
kdc-ipaddr}
[port port-num]
{admin-hostname
| admin-ipaddr}
[port port-num] Configures a method to check accessibility of the
Kerberos server for user account administration.
realm-name – Name of the Kerberos realm.
principal – Name of the Kerberos principal.
{kdc-hostname | kdc-ipaddr}
of the Kerberos server. The port option specifies
the TCP port on which the server listens for user
account administration requests. The default
TCP port is 749.

method
For information about the other options, see the

descriptions for kerberos-kdc kinit (described
above).
kerberos-kdc
kpasswd
principal
password
{kdc-hostname |
kdc-ipaddr}
[port port-num]
{pwd-hostname |
pwd-ipaddr}
[port port-num] Configures a method to check accessibility of the
Kerberos server for user password change.
{pwd-hostname | pwd-ipaddr}
of the Kerberos server. The port option specifies
the UDP port on which the server listens for user
password-change requests. The default UDP port
is UDP port 464.
For information about the other options, see the
descriptions for kerberos-kdc kinit (described
above).
ldap
[StartTLS]
[binddn dn-
string
password]
[overssl]
[port port-num]
[run-search
options] Configures a method to check accessibility the
KDC for obtaining a TGT.
StartTLS – Begins the health check by send-
ing a StartTLS request.
binddn dn-string password – DN
name and password.
overssl – Uses TLS to secure the connection.
port port-num – UDP port on which the
server listens for user password-change requests.
The default UDP port is UDP port 464.

method
run-search options – PErforms the spec-

ified database search. The following options are
supported:
BaseDN dn-string – Searched the
database for the specified DN.
query query-string
[AcceptNotFound] – Sends the speci-
fied query string to the server.
The AcceptNotFound option allows the health
check to pass even if the search query is unsuc-
cessful.
ntp Sends an NTP client message to UDP port 123.
Expects a standard NTP 48-byte reply packet.
pop3
port port-num
username name
password string Sends a POP3 user login request with the speci-
fied username and password. Expects reply with
OK message.
radius
port port-num
secret string
username name
password string Sends a Password Authentication Protocol (PAP)
request to the specified port to authenticate the
specified username. Expects Access Accepted
message (reply code 2). The secret option speci-
fies the shared secret required by the RADIUS
server.
rtsp
port port-num
rtspurl string Sends a request to the specified port for informa-
tion about the file specified by rtspurl. Expects
reply with information about the specified file.
sip
[register]
[port port-num]
[expect-
response-code
values]
[tcp] Sends a SIP request to the SIP port. Expects 200
OK in response by default. The request is an

method
OPTION request, unless you use the register

option to send a REGISTER request instead.
The expect-response-code option specifies a set
of SIP status codes. In this case, a SIP health
check is successful only if the server reply
includes one of the specified SIP status codes.
You can specify any or a combination of individ-
ual code numbers and code ranges. Use commas
as delimiters, with no spaces. Use a dash and no
spaces to delimit the lower and upper values of a
range. Examples:
expect-response-code
100,101,121,200
expect-response-code
100-121,200
expect-response-code any
The tcp option configures the health method for

SIP over TCP/TLS. Without this option, the
health method is for SIP over UDP.
smtp
port port-num
domain domain-
name Sends an SMTP Hello message to the specified
server in the specified domain. Expects reply
with OK message (reply code 250).
snmp
[port port-num]
[community
string]
[oid oid-name]
[operation
{get |
getnext}] Sends an SNMP Get or Get Next request to the
specified OID, from the specified community.
Expects reply with the value of the OID. The
OID can be sysDescr, sysUpTime, sysName, or
another name in ASN.1 style.
Note: Although you can enter these objects in ASN.1 format, only MIB-2 OIDs
are supported.
tcp
port port-num
[halfopen]

method
[send send-
string response
contains
response-
string] Sends a connection request (TCP SYN) to the
specified TCP port on the server. Expects TCP
SYN ACK in reply.
By default, ACOS responds to the SYN ACK by
sending an ACK. To configure ACOS to send a
RST (Reset) instead, use the halfopen option.
Use the send and response contains options to
send and receive text strings in TCP health
checks.
The send-string is the string the ACOS device
sends to the TCP port after the three-way hand-
shake is completed. The response-string is the
string that must be present in the server reply.
Each string can be 1-127 characters long. If a
string contain blank spaces or other special char-
acters (for example, “ / ” or “ \ ”), use double
quotation marks around the entire string.
udp
port port-num Sends a packet with a valid UDP header and a
garbage payload to the specified UDP port on the
server. Expects either of the following:
– server reply from the specified UDP port, with
any type of packet.
– server does not reply at all.
The server fails the health check only if the
server replies with an ICMP Error message.
Default The configuration has a default “ping” health monitor that uses the icmp
method. The ACOS device applies the ping monitor by default. The ACOS
device also applies the TCP or UDP health monitor by default, depending
on the port type. These default monitors are used even if you also apply con-
figured monitors to a service port.
To use differently configured ping or TCP/UDP monitors, configure new

monitors with the ICMP, TCP, or UDP method and apply those monitors
instead.
When specifying a protocol port number, specify the port number on the
real server, not the port number of the virtual port. By default, the well-

method
known port number for the service type of the health monitor is used. For
example, for LDAP, the default port is 389 (or 636 if the overssl option is
used).
If you specify the protocol port number in the health monitor, the protocol
port number configured in the health monitor is used if you send an on-
demand health check to a server without specifying the protocol port. (See
“health-test” on page 58.) After you bind the health monitor to a real server
port, health checks using the monitor are addressed to the real server port
number instead of the port number specified in the health monitor’s config-
uration. In this case, you can override the IP address or port using the over-
ride commands described later in this chapter.
Usage To use a health method, you must do the following:

1. Configure a health monitor, by assigning a name to it and by assigning
one of the health methods listed above to it. Use the health monitor
command at the global Config level to create and name the monitor.
(See “health monitor” on page 163.) Use the method command at the
monitor configuration level to assign a health method to the monitor.
Note: To configure a health monitor that uses a script, use the health external
command to create it, instead of using the health monitor command.
(See “health external” on page 160 and the external health check example
below.)
2. Apply the health monitor to a real server or real server port, using the
health-check command at the configuration level for the server or the
server port. Apply monitors that use the ICMP method to real servers.
(See “health-check” on page 706.) Apply monitors that use any of the
other types of methods to individual server ports. (See “port” on
page 707.)
Example The following commands apply health monitor “ping” to server “rs0”. The
ping monitor is included in the A10 Thunder Series and AX Series device’s
configuration by default, so you do not need to configure it.
ACOS(config-real server)#health-check ping

method
Example The following commands configure health monitor “hm1” to use the TCP
health method, and apply the monitor to a TCP port on real server “rs1”.
The TCP health checks are sent to TCP port 23 on the server.
ACOS(config-health:monitor)#method tcp port 23
ACOS(config-real server)#port 23 TCP
ACOS(config-real server-node port)#health-check hm1
Example The following commands configure health monitor “hm2” and set it to use
the HTTP method. The health monitor is applied to port 80 on real server
“rs1”.
ACOS(config-health:monitor)#method http
ACOS(config-real server)#port 80 http
ACOS(config-real server-node port)#health-check hm2
Example The following commands configure a TCP health monitor that sends an
HTTP GET request to TCP port 80, and expects the string “200” to be pres-
ent in the reply:
ACOS(config)#health monitor tcp-with-http-get
ACOS(config-health:monitor)#method tcp port 80 send "GET / HTTP/1.1\r\nHost:
22.1.2.2\r\nUser-Agent: a10\r\nAccept: */*\r\n\r\n" response contains 200
This health monitor sends an HTTP GET request to TCP port 80 on the tar-
get server. This particular request uses the following header fields:
• Host – Specifies the host (server) to which the request is being sent.
• User-Agent – Identifies the entity (user agent) that is sending the

request. In this example, the sending entity is “a10”.
• Accept – Specifies the types of media that are allowed in the response.
This example uses wildcards (*/*) to indicate that any valid media type
and range are acceptable.
If the string “200” is present anywhere in the reply from the port, the port
passes the health check.

method
Example External Health Check Example
Besides internal health checks, which use a predefined health check

method, you can use external health checks with any of the following types
of scripts are supported:
• Perl
• Shell
• TCL
Utility commands such as ping, ping6, wget, dig, and so on are supported.
For Tcl scripts, the health check parameters are transmitted to the script
through the predefined TCL array ax_env. The array variable
ax_env(ServerHost) is the server IP address and ax_env(ServerPort) is the
server port number. Set ax_env(Result) 0 as pass and set the others as fail.
TCL script filenames must use the “.tcl” extension.
To use the external method, you must import the program onto the A10
Thunder Series and AX Series device. The script execution result indicates
the server status, which must be stored in ax_env(Result).
The following commands import external program “ext.tcl” from FTP

server 192.168.0.1, and configure external health method “hm3” to use the
imported program to check the health of port 80 on the real server:
ACOS(config)#health external import "checking HTTP server" ftp://192.168.0.1/
ext.tcl
ACOS(config-health:monitor)#method external port 80 program ext.tcl

override-ipv4
Here is the ext.tcl file:

# Init server status to "DOWN"
set ax_env(Result) 1
# Open a socket
if {[catch {socket $ax_env(ServerHost) $ax_env(ServerPort)} sock]} {
puts stderr "$ax_env(ServerHost): $sock"
} else {
fconfigure $sock -buffering none -eofchar {}
# Send the request

puts $sock "GET /1.html HTTP/1.0\n"
# Wait for the response from http server

set line [read $sock]
if { [ regexp "HTTP/1.. (\[0-9\]+) " $line match status] } {

puts "server $ax_env(serverHost) response : $status"
# Check exit code

if { $status == 200 } {
# Set server to be "UP"
}
}
close $sock
}
For additional information and more examples, see the “External Health
Method Examples” section in the “Health Monitoring” chapter of the
Application Delivery and Server Load Balancing Guide.
override-ipv4
Description Send the health check to a specific IPv4 address, instead of sending the
health check to the IP address of the real server or GSLB service IP to
which the health monitor is bound. This command and the other override
commands are particularly useful for testing the health of remote links.
Syntax [no] override-ipv4 ipaddr
Default By default, a health check is addressed to the real server IP address of the
server to which the health monitor is bound.

override-ipv6
Example The following commands configure a health monitor to check 192.168.1.1:

ACOS(config)#health monitor site1-hm
ACOS(config-health:monitor)#method icmp
ACOS(config-health:monitor)#override-ipv4 192.168.1.1
override-ipv6
Description Send the health check to a specific IPv6 address, instead of sending the
health check to the IP address of the real server to which the health monitor
is bound.
Syntax [no] override-ipv6 ipv6addr
Default By default, a health check is addressed to the real server IP address of the
server to which the health monitor is bound.
Example The following commands configure a health monitor to check

2001:db8::1521:31ab:
ACOS(config-health:monitor)#override-ipv6 2001:db8::1521:31ab
override-port
Description Send the health check to a specific protocol port, instead of sending the
health check to the server port to which the health monitor is bound.
Syntax [no] override-port portnum
Default By default, a health check is addressed to the protocol port number to which
the health monitor is bound.

passive
Example The following commands configure a health monitor to check port 8081 on
192.168.1.1:
ACOS(config-health:monitor)#override-ipv4 192.168.1.1
ACOS(config-health:monitor)#override-prt 8081
passive
Description Configures inband health monitoring based on HTTP status code.
Syntax [no] passive

{status-code-2xx | status-code-non-5xx}
[passive-interval seconds]
[sample-threshold samples-per-second]
[threshold percent]
status-code-2xx
| status-code-
non-5xx Healthy status code numbers – The set of status
codes that indicate the HTTP service is healthy.
You can specify any 2xx status code or any status
code other than a 5xx code.
passive-
interval
seconds The health-monitor interval that is used when
passive health monitoring is activated. For
proper operation of the feature, the passive inter-
val should be longer than the health monitor’s
interval. You can specify 1-180 seconds. The
default is 10 seconds.
sample-
threshold
samples-per-
second Minimum number of server replies that must
contain one of the specified status codes, within a
given one-second interval, before passive health
monitoring is is enabled. The sample threshold
helps prevent passive health monitoring from
taking effect after only a small total number of
samples are taken. You can specify 1-10000 sam-
ples per second. The default is 50.

passive
threshold
percent Minimum percentage of server replies that must
contain a healthy status code, within a given one-
second interval, before passive health monitoring
is activated. You can specify 0-100 percent. The
default is 75 percent. If you specify 0, this
parameter is disabled, in which case there is no
minimum threshold.
Default The passive health monitor has the following defaults:

• status-code – Not set
• passive-interval – 10 seconds
• sample-threshold – 50
• threshold – 75 percent
Example The following commands create a new health monitor, and enable passive
health-monitoring mode:
ACOS(config)#health monitor http-passive
ACOS(config-health:monitor)#passive status-code-2xx
The following command sets the method to HTTP:

The following commands configure a real server, service group, and virtual
server. The HTTP health monitor configured above is applied to the TCP
port on the real server.
ACOS(config-health:monitor)#slb server ser1 172.168.1.107
ACOS(config-real server)#no health-check
ACOS(config-real server-node port)#health-check http-passive
ACOS(config-real server-node port)#slb service-group sg1 tcp
ACOS(config-slb svc group)#member ser1:80
ACOS(config-slb svc group)#slb virtual-server vs1 172.168.6.100
ACOS(config-slb vserver)#port 80 tcp
ACOS(config-slb vserver-vport)#

strictly-retry-on-server-error-response
strictly-retry-on-server-error-response
Description Force the ACOS device to wait until all retries are unsuccessful before
marking a server or port Down.
Syntax [no] strictly-retry-on-server-error-response
Default Disabled. For some health method types, the ACOS device marks the server
or port Down after the first failed health check attempt, even if the retries
option for the health monitor is set to higher than 0.
Usage This command is applicable only to some types of health monitors, such as
HTTP health monitors. For example, this command applies to HTTP health
monitors that expect a string in the server reply. By default, if the server’s
HTTP port does not reply to the first health check attempt with the expected
string, the ACOS device immediately marks the port Down.
Example The following commands configure an HTTP health monitor that checks for
the presence of “testpage.html”, and enable strict retries for the monitor.
ACOS(config)#health monitor http-exhaust
ACOS(config-health:monitor)#method http url GET /testpage.html
ACOS(config-health:monitor)#strictly-retry-on-server-error-response

aVCS Commands
The commands in this chapter configure AX Series Virtual Chassis System

(aVCS) parameters.
Note: This chapter provides reference information for individual commands.

For information about how aVCS works and how to configure it, see the
System Configuration and Administration Guide.
Note: aVCS reload is required to place any aVCS-related configuration changes

into effect.
page 54.

aVCS Operational Commands
Description Change the context of the CLI session from the vMaster to a vBlade, in
order to configure routing on the vBlade.
Syntax router device-context DeviceID
Default By default, the vMaster for the virtual chassis is the context of the manage-
ment session.
Usage This command applies only to router configuration commands. To change

the context so you can enter routing-related clear or show commands, or
other types of commands, use the vcs device-context command instead.
The router device-context command creates an SSH connection to the

vBlade. The session setup works the same as it does for the vcs device-con-
text command. (See “vcs device-context” on page 788.)
vcs device-context
Description Change the context of the CLI session to another device in the aVCS virtual
chassis.
Syntax vcs device-context DeviceID
DeviceID Specifies the target device. The target device is
the device you plan to access.
Default By default, the CLI session is on the device you logged onto.
Mode Privileged EXEC or Global Config (on vMaster only)
Usage This command does not apply to router configuration commands. To enter
router configuration commands on another device, use the router device-
context command instead.

vcs disable
Entering the vcs device-context or router device-context command on the

vMaster creates an SSH connection to the vBlade, without a password
prompt. After the connection is established, you can enter configuration
commands to take effect on the vBlade.
While the connection to the vBlade is in effect, configuration commands

can not be entered directly on the vBlade through any other management
connections.
If an SSH security warning about the RSA fingerprint is displayed:

• If the RSA fingerprint is correct, enter yes.
• If the RSA fingerprint does not match, enter no. Someone may be
attempting to spoof the device in order to gain information about the
system or network access.
Example The following command changes the CLI session to aVCS device 2. In this
example, this is the first time the command has been used to access
device 2.
AX-device1(config)#vcs device-context 2
spawn ssh -l admin 192.168.100.126
The authenticity of host '192.168.100.126 (192.168.100.126)' can't be estab-
lished.
RSA key fingerprint is ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.126' (RSA) to the list of known hosts.
Password:***
Last login: Thu Jul 22 21:06:46 2010 from 192.168.3.77
AX-device2#
At the Password prompt, enter the password for the admin account on the
target device.
Example The following example shows the CLI response if you accidentally try to
switch to the device you are already on:
AX-device1(config)#vcs device-context 1
This device is currently an aVCS vBlade. Try using the virtual chassis floating
IP address instead.
vcs disable
Description Disable aVCS on the device.
Syntax disable
Default N/A. This is an operational command rather than a configuration command.

vcs enable
Mode Privileged EXEC (vMaster or vBlade)
vcs enable
Description Enable aVCS on the device.
Syntax enable
Default N/A. This is an operational command rather than a configuration command.
Mode Privileged EXEC (vMaster or vBlade)
Usage After you enter the vcs enable command, you must enter the vcs reload
command to place any aVCS configuration changes into effect and activate
the feature.
vcs vmaster-maintenance
Description Change the length of the vMaster maintenance window.
Syntax [no] vcs vMaster-maintenance seconds
seconds You can specify 0-3600 seconds.
Default The default is 60 seconds.
Mode Privileged EXEC (on vBlade); Privileged EXEC and Global Config (on
vMaster)
Usage aVCS option that allows the vMaster to briefly be placed into maintenance,
without triggering failover of the vMaster role to a vBlade. During the
maintenance window, the vBlades continue to operate, without attempting
to failover to the vMaster role.

vcs vmaster-message-buffer
Description Configure a message buffer for messages between the vMaster and vBlades.
Syntax [no] vcs vMaster-message-buffer aging seconds
or
Syntax [no] vcs vMaster-message-buffer length num-msgs
aging seconds Maximum number of seconds a configuration
change message can be buffered. You can specify
0-900 seconds.
length num-msgs Maximum number of messages that can be buff-
ered. You can specify 15-180 messages.
Default Message buffering is disabled by default. When the feature is enabled, the
default aging time is 90 seconds ad the default number of messages is 30.
vMaster)
Usage Message buffering is useful in cases where occasional burstiness or jitter in

the network causes unnecessary vBlade reloads.
If the vMaster and vBlade briefly lose communication and message buffer-
ing is disabled, and if configuration is performed on the vMaster during this
brief downtime, when the vBlade comes back and discovers its configura-
tion is out of date, it requests the whole configuration from the vMaster and
reloads itself.
However, with message buffering, when the vBlade comes back, instead of
getting the whole configuration from the vMaster, the vBlade gets only the
incremental changes, which are buffered on the vMaster, and the vBlade
does not need to reload.

vcs vmaster-take-over
Description Force vMaster re-election, by temporarily changing a device’s aVCS prior-
ity. This command is useful for changing a vBlade to vMaster without
changing the aVCS configuration profile for either device.
Syntax [no] vcs vmaster-take-over temp-priority
temp-priority Priority value, 1-255.
Default N/A
vMaster)
Usage This command does not change the configured aVCS priority on the device.
The command only temporarily overrides the configured priority.
If you enter this command on only one vBlade, you can specify any value
within the valid range (1-255). The takeover occurs regardless of priority
settings on the current vMaster.
If you enter the vcs vmaster-take-over command on more than one device,
the device on which you enter the highest temp-priority value becomes the
vMaster.
If you enter the same temp-priority value on more than one device, the same
parameters used for initial vMaster election are used to select the new
vMaster:
• The device with the highest configured aVCS priority is selected. (This
is the priority configured by the priority command at the configuration
level for the aVCS device.)
• If there is a tie (more than one of the devices has the same highest con-
figured aVCS priority), then the device with the lowest device ID is
selected.
In either case, the new vMaster is selected from among only the devices on
which you enter the vcs vmaster-take-over command.

Example The following commands change the management context to a vBlade, then
force the device to become the vMaster:
AX-1#vcs device-context 2
spawn ssh -l admin 192.168.100.126
The authenticity of host '192.168.100.126 (192.168.100.126)' can't be estab-
lished.
RSA key fingerprint is ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.100.126' (RSA) to the list of known hosts.
Password:
Last login: Wed Aug 11 20:27:24 2010 from 192.168.3.74
[type ? for help]
AX>enable
Password:********
AX-2#vcs vmaster-take-over 255

vcs dead-interval
aVCS Configuration Commands
vcs dead-interval
Description Configure the number of seconds vBlade devices wait for a keepalive mes-
sage from the vMaster, before assuming the vMaster is unavailable and trig-
gering vMaster re-election.
Syntax [no] vcs dead-interval seconds
seconds Maximum number of seconds to wait for a kee-
palive message from the vMaster before trigger-
ing vMaster re-election. You can specify 5-60
seconds.
Default 10
Mode Global Config (vMaster only)
vcs debug
Description Enable aVCS debugging.
Syntax [no] vcs debug

{daemon | election | info | vmaster | vblade}
daemon Enables debugging for the aVCS process.
election Enables debugging for vMaster election.
info Enables display of informational messages in the
debugging output.
vmaster Enables debugging for vMaster-related opera-
tions.
vblade Enables debugging for vBlade-related opera-
tions.
You can enter one or more of these options on the same command line.
Default Disabled

vcs device
vMaster)
Example The following commands enable debugging for aVCS vMaster operations,
and display the output:
ACOS(config)#vcs debug vmaster
ACOS(config)#show vcs debug
Debugging switches: vMaster,
Debugging Buffer Size: 0x00800000
2010/08/02 10:46:02, [vMaster], vBlade 0, msg loop, received msg 21
2010/08/02 10:46:02, [vMaster], vBlade 0, msg loop, sent msg 20
...
vcs device
Description Configure device settings for an ACOS device in the aVCS virtual chassis.
Syntax [no] vcs device device-id
device-id Specifies the device ID, 1-8.
aVCS device, where the following aVCS-related commands are available.
Command Description
[no] affinity-
vrrp-vrid vrid-
group Configures a vMaster failover to the Active
device on a specified VRID (device running
VRRP-A). Use this command on each device
that is part of the aVCS cluster, including the
Active device.
[no] enable Enables aVCS on the device.
[no] interfaces
{ethernet
portnum |
management |
trunk trunk-num
| ve ve-num} Device interfaces used for aVCS vMaster elec-
tion traffic. You can specify up to 6 election
interfaces.

vcs failure-retry-count
For vMaster election to work, the other devices

in the virtual chassis must be able to reach the
device on the specified interface(s).
[no] priority
num Priority of this device for vMaster election,
1-255. Higher priority values are preferred over
lower ones.
[no] unicast-
port portnum Protocol port used to create TCP connection
between the vMaster and vBlade. This connec-
tion is used for configuration synchronization.
Default No aVCS devices are configured by default. When you add an aVCS
device, its parameters have the following default values:
• enable – disabled
• interfaces – not set
• priority – 0 (not set)
• unicast-port – 41216
Usage The election interfaces for devices in an aVCS virtual chassis must be in the
shared partition. Use of an L3V private partition’s interface as an aVCS
election interface is not supported.
Example The following commands configure aVCS device 3:

ACOS(config)#vcs device 3
ACOS(config-vcs-dev)#interfaces management
ACOS(config-vcs-dev)#priority 3
ACOS(config-vcs-dev)#enable
vcs failure-retry-count
Description Configure the maximum number of retries for an aVCS device to join a vir-
tual chassis.
Syntax [no] vcs failure-retry-count retries
retries Maximum number of retries for an aVCS device
to join a virtual chassis. You can specify 0-255 or
-1 (unlimited).

vcs floating-ip
Default 2
Mode Global Config (vMaster or vBlade)
Usage If the device is unable to join the virtual chassis after all allowed retries are
used, aVCS stops on the device. In this case, you use the vcs reload com-
mand to restart aVCS on the device.
vcs floating-ip
Description Configure the management IP address for the aVCS virtual chassis.
Syntax [no] vcs floating-ip ipaddr

ipaddr
{subnet-mask |
/mask-length} Specifies the IP address and subnet mask.
Default Not set
Example The following command sets the management address for the aVCS virtual
chassis to 192.168.1.69/24:
ACOS(config)#vcs floating-ip 192.168.1.69 /24
vcs multicast-ip
Description Configure the multicast IP address used for aVCS vMaster election.
Syntax [no] vcs multicast-ip ipaddr
ipaddr Specifies the multicast address.
Default 224.0.0.210
Usage To configure the protocol port, see “vcs multicast-port” on page 798.

vcs multicast-port
vcs multicast-port
Description Configure the protocol port used for aVCS vMaster election.
Syntax [no] vcs multicast-port portnum
portnum Specifies the protocol port number, 1-65535.
Default 41217
Usage To configure the multicast address, see “vcs multicast-ip” on page 797.
vcs reload
Description Reload the aVCS process.
Syntax vcs reload [disable-merge]
disable-merge Prevents configuration information from being
migrated from the vBlades to the vMaster fol-
lowing the reload. This option is useful when you
are replacing a virtual chassis vBlade by remov-
ing an ACOS device and replacing it with
another AX of the same model. In this case, the
option allows the replacement device to be con-
figured by the vMaster.
After the initial configuration migration, config-
uration synchronization operates normally.
Without this option, when you add an ACOS
device to a virtual chassis that is already running,
the device’s configuration information is
migrated to the vMaster
Default N/A
Usage aVCS reload is required to place any aVCS-related configuration changes

into effect.

vcs ssl-enable
vcs ssl-enable
Description Enable or disable SSL for configuration synchronization traffic between
aVCS devices.
Syntax [no] vcs ssl-enable
Default Disabled
vcs time-interval
Description Number of seconds between keepalive messages from the vMaster to
vBlades.
Syntax [no] vcs time-interval seconds
seconds Specifies the number of seconds between trans-
mission of keepalive messages from the vMaster
to vBlades. You can specify 1-60 seconds.
Default 3
vcs vmaster-maintenance
Description Briefly place the vMaster into maintenance mode without triggering a
failover to a vBlade.
Syntax vcs vmaster-maintenance period
period 0-3600 seconds
Default 60 seconds

Usage The vMaster can be placed into maintenance mode without triggering a
failover to a vBlade. During this maintenance window, the vBlades continue
to operate without attempting to take over the vMaster role. At the end of
the configurable maintenance period, the vMaster returns to the vMaster
role.
Description Configure a buffer for messages exchanged between the vMaster and
vBlades.
Syntax vcs vmaster-message-buffer [aging seconds |

length num-msgs]
aging The maximum number of seconds a configura-
tion change message can be buffered (in sec-
onds). For default, please refer to CLI.
length The maximum number of messages that can be
buffered. For default, please refer to CLI.
Default Disabled
Mode Global Config (vMaster)
Usage Configuring a buffer for messages exchanged between the vMaster and
vBlades can be useful in cases where occasional burstiness or jitter in the
network can cause unnecessary vBlade reloads.
Without a buffer, if the vMaster and vBlade lose communication while con-
figurations are being done on the vMaster, when the vBlade comes back up
the configuration will be out of date. So, the vBlade will ask for the whole
configuration from the vMaster and reload itself.
With message buffering, when the vBlade comes back up, instead of getting
the whole configuration from the vMaster, the vBlade gets only the incre-
mental changes that have been stored in the buffer on the vMaster. In this
case, the vBlade does not need to reload.

Config Commands: VRRP-A Commands
The commands in this chapter configure parameters for VRRP-A, the Vir-
tual Router Redundancy Protocol (VRRP) for ACOS.
The commands in this chapter configure parameters for VRRP-A. VRRP-A
is the ACOS implementation of the High Availability protocol that is com-
pletely different from the industry-standard implementation of Virtual
Router Redundancy Protocol (VRRP). For purposes of operational familiar-
ity, it borrows concepts from VRRP, but is significantly different from
VRRP. VRRP-A will not inter-operate with VRRP.
In this release, VRRP-A, a High Availability (HA) implementation, is mutu-

ally exclusive of the HA feature and is configured separately and not as part
of the HA functionality.

For information about how VRRP-A works and how to configure it, see
the System Configuration and Administration Guide.
page 65.

vrrp-a arp-retry
vrrp-a arp-retry
Description Change the number of additional gratuitous ARPs, in addition to the first
one, an ACOS device sends after transitioning from Standby to Active.
These ARPs are sent at intervals of 500 milliseconds.
Syntax [no] vrrp-a arp-retry num
num Specifies the number of additional gratuitous
ARPs to send, after sending the first one. You
can specify 1-255.
Default VRRP-A sends 4 additional gratuitous ARPs by default, for a total of 5.
vrrp-a dead-timer
Description Change the number of hello intervals during which a standby device will
wait for a hello message from the Active VRRP-A device, before declaring
the device to be down and beginning failover.
Syntax [no] vrrp-a dead-timer num
num Specifies the maximum number of hello intervals
to wait for a hello message. You can specify
2-255.
Default 3
Usage For information about the hello interval, see “vrrp-a hello-interval” on
page 807.

vrrp-a device-id
vrrp-a device-id
Description Specify the VRRP-A device ID of the device.
Syntax [no] vrrp-a device-id num
num Specifies the device ID, 1-8.
Default N/A
Usage If aVCS is configured, use the same number as the aVCS device ID.
vrrp-a disable-default-vrid
Description Disable the default VRID on the shared partition.
Syntax [no] vrrp-a disable-default-vrid
Default The default VRID is enabled by default.
Usage This command applies only to the shared partition.
vrrp-a enable
Description Enable VRRP-A on the device.
Syntax [no] vrrp-a enable
Default Disabled

vrrp-a fail-over-policy-template
Description Create a failover policy template for VRRP-A. The template provides a
mechanism for event tracking and can enable a policy-based failover to
occur. Using a template, assign weight-related values per event that will be
reduced from the fixed total weight of an ACOS device of 65534. The
weight of a device can determine whether the device will serve as an Active
or Standby device. This command allows you to specify the weight value
per event that may cause a device to failover when the event occurs.
Syntax [no] vrrp-a fail-over-policy-template

template-name
[
gateway |
interface |
route |
trunk |
vlan
]
template-name Indicate the name that you are assigning for the
VRRP-A failover policy template. This template
must be associated to a particular VRID to take
effect.
failover-policy template, where the following commands are available.
Command Description
[no] gateway
gateway-IP-
address weight
value Specify the IP Address of an IPv4 or IPv6 default
gateway. VRRP-A periodically tests connectivity
to the IPv4 and IPv6 default gateways connection
to a real server by pinging them. If a gateway
stops responding, VRRP-A reduces the weight
for the VRID. The weight value to subtract can
be specified individually for each gateway’s IP
address that you configure in the tracking events
list.

[no] interface
interface-type
interface-
number weight
value Specify a weight for each interface that you are
planning to track. If the link goes down on an
Ethernet data port, VRRP-A reduces the weight
for the VRID. The weight value to subtract can
be specified individually for each Ethernet data
port.
[no] route
route route-
number subnet
weight value Indicate the IPv4 or IPv6 route that you wish to
track. If the route matching the specified options
is not in the data route table, VRRP-A reduces
the weight for the VRID.
[no] trunk
trunk-id weight
value Indicate the trunk you wish to track. If the trunk
or individual ports in the trunk go down,
VRRP-A reduces the weight for the VRID. The
weight value to subtract can be specified for the
trunk and for individual ports within the trunk.
[no] vlan vlan-
id timeout
timeout-value
weight value Indicate the VLAN you wish to track. If
VRRP-A stops detecting traffic on a VLAN,
VRRP-A reduces the weight for the VRID. The
weight value to subtract can be specified individ-
ually for each VLAN.
Default None
Mode Global Config
Usage Use this command on any ACOS device to indicate weight values per
tracked event via a failover policy template.

vrrp-a force-self-standby
Example The following commands help you to create a template called “template1”
and specify events that will reduce the weight of the VRID:
ACOS(config)#vrrp-a fail-over-policy-template template1
ACOS(config-failover-policy)#interface ethernet 1 weight 200
ACOS(config-failover-policy)#gateway 20.20.20.20 weight 200
ACOS(config-failover-policy)#vlan 10 timeout 2 weight 200
ACOS(config-failover-policy)#route 20.20.20.0 /24 weight 200
ACOS(config-failover-policy)#trunk 1 weight 200
vrrp-a force-self-standby
Description Force the ACOS device to change from active to standby or backup.
Syntax [no] vrrp-a force-self-standby

num | default Specifies the VRID. You can specify 1-31 or
default.
Default N/A
Usage This command provides a simple method to force a failover, without the
need to change VRRP-A configuration settings. The command is not added
to the configuration and does not persist across reboots.
vrrp-a ha-migration
Description Migrate a configuration that uses High Availability (HA) to one that uses
VRRP-A. (For more information, see the “HA to VRRP-A Migration”
chapter in the System Configuration and Administration Guide.)
Syntax [no] vrrp-a ha-migration

vrrp-a ha-migration-restore
vrrp-a ha-migration-restore
Description Revert a previously migrated configuration back from VRRP-A to HA. (For
more information, see the “HA to VRRP-A Migration” chapter in the
System Configuration and Administration Guide.)
Syntax [no] vrrp-a ha-migration-restore
vrrp-a hello-interval
Description Change the interval at which the active device sends VRRP-A hello mes-
sages out its VRRP-A interfaces.
Syntax [no] vrrp-a hello-interval 100-ms-units
100-ms-units Specifies the number of milliseconds (ms)
between each hello message. You can specify
1-255 intervals of 100 ms.
Default 2 (200 ms)
vrrp-a interface
Description Configure a VRRP-A interface.
Syntax [no] vrrp-a interface ethernet port-num

[router-interface | server-interface | both]
[no-heartbeat | vlan vlan-id]
port-num Specifies the VRRP-A interface.
router-
interface |
server-
interface |
both Identifies the type of device connected to the
VRRP-A interface:
router-interface – The VRRP-A inter-
face is connected to an upstream router.

vrrp-a preemption-delay
server-interface – The VRRP-A inter-

face is connected to a real server.
both – The VRRP-A interface is connected to
an upstream router and a real server.
no-heartbeat |
vlan vlan-id Disables VRRP-A heartbeat messages on the
interface, or enables them only on the specified
VLAN.
If the port is tagged and heartbeat messages are
enabled, you must specify the VLAN.
Default All up data interfaces within a partition are VRRP-A interfaces for that par-
tition. If an interface is a tagged member of multiple VLANs, only the
VLAN that has the lowest-numbered IP address for the interface is used as
an VRRP-A interface.
Usage This command is valid only in the shared partition. However, the inter-
face(s) specified by the command are used by the shared partition and by all
private partitions on which Layer 2/3 virtualization is enabled.
vrrp-a preemption-delay
Description Configure a delay between VRRP-A configuration changes and the failover
that occurs due to the changes.
Syntax [no] vrrp-a preemption-delay 100-ms
100-ms Specifies the number of milliseconds (ms) to
wait before beginning failover. The delay is con-
figured in 100 ms units. You can configure the
delay to range from 1-255 units, with each unit
equal to 100 ms. The maximum value is 25.5 sec-
onds (255 units of 100ms).
Default 6 seconds (6 units of 100 ms)

vrrp-a preferred-session-sync-port ethernet
Usage If VRRP-A pre-emption is enabled, failover can be triggered by VRRP-A

configuration changes or network changes, and occurs approximately 6 sec-
onds after an applicable configuration change takes effect. Therefore, it can
be helpful to configure a delay between the VRRP-A configuration changes
and the subsequent failover. In deployments where many sessions are syn-
chronized, setting the pre-emption delay to a longer value can help ensure
there will be enough time for all sessions to finish synchronizing before
failover occurs.
vrrp-a preferred-session-sync-port ethernet

Description Specify the Ethernet interfaces on which to receive synchronized sessions.
Syntax [no] vrrp-a preferred-session-sync-port ethernet

portnum
portnum Specifies the Ethernet interface number, 1-12.
Default The default behavior is for VRRP-A (on the backup device) to automati-
cally select the Ethernet interface on which to receive sync sessions.
vrrp-a set-id
Description Specify the VRRP-A set ID.
Syntax [no] vrrp-a set-id num
num Specifies the set ID, 1-7.
Default 1

vrrp-a track-event-delay
vrrp-a track-event-delay
Description Change the delay waited by the ACOS device before beginning failover in
response to priority changes.
Syntax [no] vrrp-a track-event-delay 100-ms-units
100-ms-units Specifies the number of milliseconds (ms) to
wait before beginning failover. You can specify
1-100 intervals of 100 ms.
Default 30 (3 seconds)
vrrp-a vrid
Description Access the configuration level for a VRID.
Syntax [no] vrrp-a vrid {num | default}
num | default Specifies the VRID. You can specify 1-31 or
default.
VRID, where the following commands are available.
Command Description
[no]
floating-ip
{ipaddr |
ipv6addr}
[ethernet port-
num | ve ve-num
| trunk num] Specifies the IP addresses that downstream
devices should use as their default IPv4 or IPv6
gateways. Regardless of which device is active
for the VRID, downstream devices can reach

vrrp-a vrid
their default IPv4 or IPv6 gateway at the floating

IP address.
Specifying the interface is valid only for link-
local IPv6 addresses. This option is useful in
cases where you do not want the floating IPv6
address to be associated with all AX interfaces.
[no] preempt-
mode disable Disables ability for failovers to be caused by con-
figuration changes to VRRP-A priority or device
ID.
[no] preempt-
mode threshold
num Controls whether failovers can be caused by con-
figuration changes to VRRP-A priority or device
ID.
The threshold specifies the maximum difference
in priority value that can exist between the active
and standby devices without failover occurring.
[no] priority
num Specifies the preference of the device to become
the active device for the VRID. The device that
has the highest priority value for the VRID
becomes the active device for the VRID. You can
specify 1-255.
[no] tracking-
options Accesses the configuration level for tracking
options. Tracking options can dynamically
reduce the priority value used in dynamic
failover.
You can configure tracking of the following net-
work resources:
– Ethernet data port
– VLAN
– Gateway IP address
The following commands are available at this
level:
[no] gateway {ipaddr | ipv6addr}
priority-cost num
The priority-cost option specifies the value
to subtract from the VRID priority, 1-255.

vrrp-a vrid
[no] interface ethernet portnum

priority-cost num
[no] route dest-network
priority-cost num
[gateway {ipaddr | ipv6addr}]
[protocol {static | dynamic}]
[distance num]
The dest-network option specifies the desti-
nation IPv4 or IPv6 network.
The destination-ipv6-addr option specifies
the destination IPv6 subnet of the route.
The gateway option specifies the next-hop
gateway for the route.
The protocol option specifies the source of
the route, which can be one of the following:
– static: The route was added by an adminis-
trator.
– dynamic: The route was added by a rout-
ing protocol.
This distance option specifies the metric
value (cost) of the route.
[no] trunk num priority-cost num
[per-port-pri num]
The per-port-pri option tracks individual
ports in the trunk. If a port goes down, the
VRID’s priority is reduced by the per-port-
pri amount. You can specify 1-255.
[no] vlan vlan-id timeout seconds
priority-cost num
The timeout option specifies how long the
VLAN can remain idle, 2-600 seconds.

vrrp-a vrid-lead
Default The VRID parameters have the following default values:

• floating-ip – not set
• preempt-mode disable – Preempt mode is enabled by default.
• preempt-mode threshold – 0
• priority – 150
• tracking-options – not set
vrrp-a vrid-lead
Description Configure a VRID as the “leader” VRID, with other VRIDs to operate as
followers.
Syntax [no] vrrp-a vrid-lead name
name Specifies the name of the VRID. You can enter 1-
63 characters.
VRID leader, where the following commands are available.
Command Description
[no] partition
[shared | name]
vrid
[ID-num |
default] Designates this VRID as the leader for a specific
partition.
Default Not set
Usage For the leader VRID only, you can configure all capabilities, such as config-
uring the failover policy template, the preempt mode, priority, and tracking

vrrp-a vrid-lead
options. For follower VRIDs, you can only configure Floating IP

Addresses.
Example If you try to remove a VRID that is configured as a lead VRID and that has
other VRIDs that follow it, you will not be allowed to remove it. You must
remove the VRIDs that are configured as followers before you remove the
lead VRID.
Example The following command configures a VRID lead in the shared partition:
ACOS(config)#vrrp-a vrid-lead lead1
ACOS(config-vrid-lead)#partition shared vrid 1

Config Commands: High Availability
The commands in this chapter configure global High Availability (HA)

parameters. (Also see “floating-ip” on page 155.)

For information about how HA works and how to configure it, see the
System Configuration and Administration Guide.
Note: Except for the ha sync commands, the commands in this chapter do
not apply to VRRP-A. To configure VRRP-A, see “Config Com-
mands: VRRP-A Commands” on page 801.
Beginning in AX Release 2.7.0, heartbeat messages in Layer 2 Inline mode

deployments are sent in unicast packets with the unicast MAC address and uni-
cast IP address of the peer ACOS device in the HA pair. They no longer are sent
in IP multicast packets addressed to IP multicast destination MAC and IP
addresses. Like previous releases, they also are not sent as broadcasts.
This behavior applies to all A10 Thunder Series and AX Series models. This
change does not require any configuration changes and should not affect the
operation of your HA deployment.
page 54.

ha arp-retry
ha arp-retry
Description Change the number of additional gratuitous ARPs, in addition to the first
one, an AX sends after transitioning from Standby to Active in an HA con-
figuration. These ARPs are sent at intervals of 500 milliseconds.
Syntax [no] ha arp-retry num
num Specifies the number of additional gratuitous
ARPs to send, after sending the first one. You
can specify 1-255.
Default The ACOS device sends 4 additional gratuitous ARPs by default, for a total
of 5.
Example The following command increases the number of additional gratuitous

ARPs to 9, for a total of 10 ARPs:
ACOS(config)#ha arp-retry 9
ha check gateway
Description Configure an ACOS device to detect the status of its gateway routers, and
change HA status based on gateway status changes.
Syntax [no] ha check gateway ipaddr
ipaddr IP address of the gateway.
Default Not set
Usage This feature uses health monitors to check the availability of the gateways.
If any of the active ACOS device’s gateways fails a health check, the ACOS
device changes its HA status to Down. If the HA status of the other ACOS
device is higher than Down, a failover occurs.
Likewise, if the gateway becomes available again and all gateways pass
their health checks, the ACOS device recalculates its HA status according to

ha check route
the HA interface counts. If the new HA status of the ACOS device is higher
than the other ACOS device’s HA status, a failover occurs.
Configuration of gateway-based failover requires the following steps:

1. Configure a health monitor that uses the ICMP method. (See “health
monitor” on page 163.)
2. Configure the gateway as an SLB real server and apply the ICMP health
monitor to the server. (See “method” on page 768.)
3. Enable HA checking for the gateway, using the command described in
this section.
Example The following commands configure gateway-based failover for gateway

10.10.10.1:
ACOS(config)#health monitor gatewayhm1
ACOS(config)#slb server gateway1 10.10.10.1
ACOS(config-real server)#health-check gatewayhm1
ACOS(config)#ha check gateway 10.10.10.1
ha check route
Description Reduces the HA priority of all HA groups on the ACOS device, if the spec-
ified route is missing from the IPv4 or IPv6 route table.
Syntax For IPv4 routes:
[no] ha check route destination-ipaddr /mask-

length
priority-cost weight
[gateway ipaddr]
[distance num]
For IPv6 routes:
[no] ha check route

destination-ipv6addr/mask-length
priority-cost weight
[gateway ipv6addr]
[distance num]

ha check route
destination-
ipaddr
/mask-length Specifies the destination IPv4 subnet of the
route.
destination-
ipv6addr/mask-
length Specifies the destination IPv6 address of the
route.
priority-cost
weight Specifies the value to subtract from the HA prior-
ity of each HA group, if the IP route table does
not have a route to the destination subnet.
gateway ipaddr Specifies the next-hop gateway for the route.
protocol
{static |
dynamic} Specifies the source of the route:
static – The route was added by an administrator.
dynamic – The route was added by a routing
protocol. (This includes redistributed routes.)
distance num Specifies the metric value (cost) of the route.
Default None
Usage This feature applies only to routes in the data route table. The feature does
not apply to routes in the management route table.
For failover to occur due to HA priority changes, the HA pre-emption

option must be enabled.
You can configure this option for up to 100 IPv4 routes and up to 100 IPv6
routes. This option is valid for all types of IP routes supported in this release
(static and OSPF and IS-IS).
If the priority of an HA group falls below the priority for the same group on
the other ACOS device in an HA pair, a failover can be triggered.
Omitting an optional parameter matches on all routes. For example, if you

do not specify the next-hop gateway, routes that match based on the other
parameters can have any next-hop gateway.

ha check vlan
Example The following command configures HA route awareness for a default IPv4
route. If this route is not in the IP route table, 255 is subtracted from the HA
priority of all HA groups.
ACOS(config)#ha check route 0.0.0.0 /0 priority-cost 255
Note: The lowest possible HA priority value is 1. Deleting 255 sets the HA pri-
ority value to 1, regardless of the original priority value.
Example The following command configures HA route awareness for a dynamic

route to subnet 10.10.10.x with route cost 10. If the IP route table does not
have a dynamic route to this destination with the specified cost, 10 is sub-
tracted from the HA priority value for each HA group.
ACOS(config)#ha check route 10.10.10.0 /24 priority-cost 10 protocol dynamic
distance 10
Example The following commands configure HA route awareness for an IPv6 route
to 3000::/64. Based on the combination of these commands, if the IPv6
route table does not contain any routes to the destination, 105 is subtracted
from the HA priority of each HA group.
If the IPv6 route table does contain a static route to the destination, but the
next-hop gateway is not 2001::1, the ACOS device subtracts only 5 from the
HA priority of each HA group.
ACOS(config)#ha check route 3000::/64 priority-cost 100
ACOS(config)#ha check route 3000::/64 priority-cost 5 protocol static gateway
2001::1
ha check vlan
Description Configure an ACOS device to detect the status of its VLANs, and change
HA status based on VLAN status changes.
Syntax [no] ha check vlan vlan-id timeout seconds
vlan-id VLAN ID.
seconds Number of seconds a VLAN can be inactive
before a failover is triggered. The timeout can be
2-600 seconds. You must specify the timeout.
Although there is no default, A10 recommends
trying 30 seconds.
Default Not set

ha conn-mirror
Usage When HA checking is enabled for a VLAN, the active ACOS device in the
HA pair monitors traffic activity on the VLAN. If there is no traffic on the
VLAN for half the duration of a configurable timeout, the ACOS device
attempts to generate traffic by issuing ping requests to servers if configured,
or broadcast ARP requests through the VLAN.
If the ACOS device does not receive any traffic on the VLAN before the
timeout expires, a failover occurs.
This HA checking method provides a passive means to detect network

health, whereas heartbeat messages are an active mechanism. You can use
either or both methods to check VLAN health. If you use both methods on a
VLAN, A10 recommends that you specify an HA checking interval (time-
out) that is much longer than the heartbeat interval.
Example The following command enables VLAN-based failover for VLAN 10 and
sets the timeout to 30 seconds:
ACOS(config)#ha check vlan 10 timeout 30
ha conn-mirror
Description Set the peer IP address to use for session synchronization (also called “con-
nection mirroring”) and config sync.
Syntax [no] ha conn-mirror ip ipaddr
ipaddr Specifies the IP address of a data interface on the
other ACOS device in the HA configuration.
Default None
Usage This command sets the IP address to which to mirror sessions. However,
you also must use the ha-conn-mirror command on individual virtual ports
to enable connection mirroring on the virtual ports. (See “ha-conn-mirror”
on page 752.)
Connection mirroring is required for config sync. Config sync uses the con-
nection mirroring link.

ha force-self-standby
HA session synchronization applies primarily to Layer 4 sessions. HA ses-

sion synchronization does not apply to DNS sessions. Since these sessions
are typically very short lived, there is no benefit to synchronizing them.
Likewise, session synchronization does not apply to static NAT sessions.
Synchronization of these sessions is not needed since the newly Active
ACOS device will create a new flow for the session following failover.
Layer 2 Inline Mode

The ACOS device requires a connection mirror IP address to be configured
in Layer 2 inline mode HA deployments. A connection mirror interface is a
unicast IP address on the peer ACOS device in the HA pair. This peer IP
address is optional in earlier releases but usually is configured anyway for
session synchronization purposes. Beginning in AX Release 2.7.0, specify-
ing a connection mirror IP address is mandatory for proper operation of
ACOS devices in Layer 2 Inline mode HA.
The connection mirror IP address is used for session synchronization (also

called “connection mirroring”). Until a connection mirror IP address is
specified, the ACOS device remains in Standby state.
If a connection mirror IP address is not configured, a log message such as

the following is generated every 5 minutes:
Sep 01 2012 03:01:30 Warning [HA]:HA Peer IP is not configured. Peer IP is
required in Inline Mode.
Example The following command sets the session synchronization address to

10.10.10.66, the IP address of the other AX in this HA pair:
ACOS(config)#ha conn-mirror ip 10.10.10.66
ha force-self-standby
Description Force HA groups to change from Active to Standby status.
Syntax [no] ha force-self-standby [group-id]

[ha-group-id group-num [persistent] | persistent]
group-id Specifies the group ID. Only the specified group
is forced to change from Active to Standby. If
you do not specify a group ID, all Active groups
are forced to change to Standby status.

ha forward-l4-packet-on-standby
ha-group-id
group-num
[persistent]] |
[persistent Allows a single partition, multiple partitions, or
device to remain in a forced self-standby state
even though the device or partition goes through
a reload or device restart.
Default N/A
Usage This command provides a simple method to force a failover, without the
need to change HA group priorities and enable pre-emption. The command
is not added to the configuration and does not persist across reboots.
Example The following command forces HA group 1 to change from Active to

Standby status:
ACOS(config)#ha force-self-standby 1
Example The following command places the VRRP-A VRID 2 into a self-standby
state even after a restart or reload:
ACOS(config)#vrrp-a force-self-standby vrid 2 persistent
Example The following command places all VRIDs in partition (partA) in self-
standby state even after a restart or reload:
ACOS[partA](config)#vrrp-a force-self-standby persistent
ha forward-l4-packet-on-standby
Description Enable Layer 2/3 forwarding of Layer 4 traffic on the Standby ACOS
device.
Syntax [no] ha forward-l4-packet-on-standby
Default Disabled. Layer 4 traffic is dropped by the Standby ACOS device.

ha group
ha group
Description Configure an HA group and set its priority.
Syntax [no] ha group group-id priority num
num Number from 1 (low priority) to 255 (high prior-
ity).
tual chassis, specify the priority value as follows:
DeviceID/num
Default The configuration does not have a default HA group. HA groups do not
have a default priority. You must set the priority.
Usage In Active-Standby configurations, configure only one HA group. Use the

same group ID on each ACOS device.
In Layer 3 Active-Active configurations, to make one AX active for some

virtual servers and make the other AX active for the other virtual servers,
configure multiple HA groups and give them different priorities. Use the
same group IDs for the same virtual servers on each AX.
Example The following command configures HA group 1 and sets its priority to 100:
ACOS(config)#ha group 1 priority 100
ha id
Description Enable HA.
Syntax [no] ha id {1 | 2} [set-id num]
1 | 2 HA ID for the ACOS device.
set-id num HA set ID, 1-7.
Default Neither parameter is set.

ha inline-mode
Usage Use HA ID 1 on one of the A10 Thunder Series and AX Series devices in
the HA pair. Use HA ID 2 on the other A10 Thunder Series and AX Series
device in the HA pair.
The set-id option allows you to use multiple HA pairs. The set ID must be
unique for each AX pair.
Example The following command enables HA with ID 1:

ACOS(config)#ha id 1
ha inline-mode
Description Enable blocking of Layer 2 loops in a transparent (Layer 2) hot-standby HA
configuration.
Syntax [no] ha inline-mode [preferred-port port-num]
port-num Specifies the port to use for session synchroniza-
tion and for management traffic between the A10
Thunder Series and AX Series devices in the HA
pair. For example, if you use the CLI on one AX
to ping the other ACOS device, the ping packets
are sent only on the preferred HA port. Likewise,
the other ACOS device sends the ping reply only
on its preferred HA port.
Management traffic between A10 Thunder Series
and AX Series devices includes any of the fol-
lowing types of traffic: Telnet, SSH, or Ping.
Default Disabled. If you enable inline mode but you do not specify the preferred
port, the preferred port is selected as follows:
1. The first HA interface that comes up on the AX is used as the preferred
HA port.
2. If the preferred HA port selected above goes down, the HA interface
with the lowest port number is used. If that port also goes down, the HA
interface with the next-lowest port number is used, and so on.
This selection mechanism is also used if the preferred port is configured but
goes down.
Note: The preferred port must be added as an HA interface and heartbeat mes-
sages must be enabled on the interface.

ha interface
Usage Inline support applies specifically to network topologies where inserting a

pair of A10 Thunder Series and AX Series devices would cause a Layer 2
loop. In this type of topology, inline mode enables you to deploy the A10
Thunder Series and AX Series devices in an HA pair without the need to
enable Spanning Tree Protocol (STP) on any of the devices in the network.
Inline mode is designed for one HA group in Hot-Standby mode. Do not

configure more than one HA group on an AX running in inline mode.
Example The following command enables HA inline mode and sets the preferred port
to Ethernet port 5:
ACOS(config)#ha inline-mode preferred-port 5
ha interface
Description Configure an HA interface.
Syntax [no] ha interface ethernet port-num

[router-interface | server-interface | both]
[no-heartbeat | vlan vlan-id]
port-num Specifies the HA interface.
router-
interface |
server-
interface |
both Identifies the type of device connected to the HA
interface:
router-interface – The HA interface is
connected to an upstream router.
server-interface – The HA interface is
connected to a real server.
both – The HA interface is connected to an
upstream router and a real server.
no-heartbeat |
vlan vlan-id Disables HA heartbeat messages on the HA
interface, or enables them only on the specified
VLAN.

ha interface
If the port is tagged and heartbeat messages are

enabled, you must specify the VLAN.
Default No HA interfaces are set by default. When you set an HA interface, the
device type is not set by default. Heartbeat messages are enabled on the
interface by default.
Usage The maximum number of HA interfaces you can configure is the same as
the number of Ethernet data ports on the ACOS device.
If the heartbeat messages from one ACOS device to the other will pass
through a Layer 2 switch, the switch must be able to pass UDP IP multicast
packets. (This requirement does not apply to Layer 2 inline HA because it
uses unicast to transmit the heartbeat.)
Set each interface connected to the real servers or clients (for example, con-
nected through upstream routers) as an HA interface. Also set the interface
that connects an A10 Thunder Series and AX Series device to its HA peer
(the other ACOS device in the HA pair) as an HA interface.
Setting the device type increases the granularity of the HA state.

• If the device type is not set, the HA state of the ACOS device can be one
of the following:
• Up – All configured interfaces are up.
• Down – At least one of the HA interfaces is down.
• If you set the device type, the HA status of the ACOS device is based on
the status of the AX link with the real server or upstream router:
• Up – All configured HA router and server interfaces are up.
• Partially Up – Some HA router or server interfaces are down but at
least one server link and one router link are up.
• Down – All router interfaces, or all server interfaces, or both are
down. The status also is Down if neither router interfaces nor server
interfaces are configured and an HA interface goes down.
If both types of interfaces (router interfaces and server interfaces) are
configured, the HA interfaces for which a type has not been configured
are not included in the HA interface status determination.
VLAN ID Requirement for Tagged HA Interfaces

If an HA interface is a tagged member of one or more VLANs, it is required
to specify one of the member VLAN IDs when configuring the interface to
be an HA interface.

ha l3-inline-mode
If the VLAN ID is not specified, the ACOS device does not transmit any
heartbeat packets on the interface. This is an invalid configuration. Previous
releases incorrectly allowed the invalid configuration but AX Release 2.7.0
does not.
For example, the following command is valid, if Ethernet port 5 is a tagged

interface:
ha interface ethernet 5 vlan 2
The following command is invalid:

ha interface ethernet 5
Note: If you do not want heartbeat messages to be sent on a tagged interface,

you still can use the no-heartbeat option. For example:
ha interface ethernet 5 no-heartbeat
Example The following command configures Ethernet port 2 as an HA interface,

indicates that it is connected to a router, and disables heartbeat messages on
the interface:
ACOS(config)#ha interface ethernet 2 router-interface no-heartbeat
ha l3-inline-mode
Description Enable blocking of traffic loops in a gateway (Layer 3) hot-standby HA
configuration.
Syntax [no] ha l3-inline-mode
Default Disabled.
Usage Layer 3 inline support applies specifically to network topologies where

inserting a pair of A10 Thunder Series and AX Series devices would cause a
traffic loop. In this type of topology, Layer 3 inline mode enables you to
deploy the A10 Thunder Series and AX Series devices in an HA pair with-
out the need to change the network topology or enable Spanning Tree Proto-
col (STP) on any of the devices in the network.
Inline mode is designed for one HA group in Hot-Standby mode. Do not

configure more than one HA group on an AX running in inline mode.

ha link-event-delay
Example The following command enables Layer 3 inline mode:

ACOS(config)#ha l3-inline-mode
ha link-event-delay
Description Change the delay waited by the ACOS device before changing the HA state
(Up, Partially Up, or Down) in response to link-state changes on HA inter-
faces.
Syntax [no] ha link-event-delay 100-ms-unit
100-ms-unit Specifies how many 100-ms units (one tenth of a
second units) to use for the delay. You can set the
delay to a value from 100 milliseconds (ms) to
10000 ms, in increments of 100 ms.
Default 3000 ms (3 seconds)
Usage This command applies only to inline mode (Layer 2 or Layer 3). The delay
is applicable in the following situations:
• The ACOS device is Active and a link goes down.
• The ACOS device is Standby and a link comes up. (There is an addi-
tional 10-20 second delay in this case.)
The delay helps prevent HA flapping.
Example The following command changes the HA state change delay to 5 seconds:
ACOS(config)#ha link-event-delay 50
ha ospf-inline vlan
Description In HA Layer 3 inline mode, leave OSPF enabled on the Standby ACOS
device, on the specified VLAN.
Syntax [no] ha ospf-inline vlan vlan-id
Default Enabled for all VLANs.

ha preemption-enable
Usage When this option is enabled, OSPF on the Standby ACOS device will
always participate in OSPF routing. There is no additional time gap when
failover happens.
To limit OSPF adjacency formation to a specific VLAN only, explicitly

configure adjacency formation for that VLAN. In this case, OSPF adja-
cency formation does not occur for any other VLANs.
Description Allow the high-priority HA group to take over from the currently active
one. This command enables you to force HA failovers based on HA config-
uration changes.
Syntax [no] ha preemption-enable
Default Pre-emption is disabled by default. By default, a failover occurs only in the

following cases:
• The Standby ACOS device stops receiving HA heartbeat messages from
the other ACOS device in the HA pair.
• The HA interface state changes give the Standby ACOS device a better
HA state than the Active ACOS device.
By default, failover does not occur due to HA configuration changes to the

HA priority.
Note: To force failover without changing HA group priorities or enable pre-

emption, see “ha force-self-standby” on page 821.
Example The following command enables HA pre-emption mode:

ACOS(config)#ha preemption-enable
ha restart-port-list
Description Configure HA interfaces on the previously Active ACOS device to toggle
(shut down and restart) following HA failover.
Syntax [no] ha restart-port-list ethernet port-list
port-list Specifies the HA interfaces to restart.

ha restart-time
Note: You must omit at least one port connecting the ACOS devices from the
restart port-list, and heartbeat messages must be enabled on the port. This
is so that heartbeat messages between the ACOS devices are maintained;
otherwise, flapping might occur.
Note: On model AX 2000 or AX 2100, A10 recommends that you do not

include Fiber ports in the restart port list.
Default Disabled. HA interfaces are not restarted after a failover.
Usage Use this command in inline mode configurations to cause the router con-
nected to the A10 Thunder Series and AX Series device to relearn MACs,
including MACs for the real servers. Without this command, the router
might continue to try to reach the real servers through the A10 Thunder
Series and AX Series device that becomes the Standby ACOS device after a
failover.
HA port restart toggles a specified set of ports on the formerly Active AX

by disabling the ports, waiting for a specified number of milliseconds, then
re-enabling the ports. Toggling the ports causes the links to go down, which
in turn causes the devices on the other ends of the links to flush their learned
MAC entries on the links. The devices then can relearn MACs through links
with the newly Active AX.
Example The following command enables restart of HA interfaces 1 and 2, to occur if

the A10 Thunder Series and AX Series device transitions to Standby:
ACOS(config)#ha restart-port-list ethernet 1 to 2
ha restart-time
Description Configure the amount of time HA interfaces remain disabled following a
failover.
Syntax [no] ha restart-time 100-msec-units
100-msec-units Amount of time to keep the HA interfaces disa-
bled. You can specify 1-100 units of 100 ms
(from 0.1 seconds to 10 seconds).
Default The default is 20 units of 100 milliseconds (ms) each, for a total of 2 sec-
onds.

ha sync
Usage This command applies only to HA interfaces in a restart port list configured
by the ha restart-port-list command. (See “ha restart-port-list” on
page 829.)
Example The following command changes the restart interval to 4 seconds:

ACOS(config)#ha restart-time 40
ha sync
Description Synchronize the Layer 4-7 configuration information of the standby A10
Thunder Series and AX Series device with the active ACOS device in an
HA pair.
Syntax ha sync all

{to-startup-config [with-reload] |
to-running-config}
ipaddr [auto-authentication]
Syntax ha sync startup-config

to-running-config}
Syntax ha sync running-config

to-running-config}
Syntax ha sync data-files

all Synchronizes data files and the running-config.
(See “Usage” for a list of the types of data files
that are synchronized.) You can synchronize the
running-config to one of the following on the
other A10 Thunder Series and AX Series device:

ha sync
startup-config – Replaces the startup-con-

fig on the other ACOS device with the running-
config on this device. For information about the
with-reload option, see “Usage” below.
Note: If the HA status is Standby for all the HA groups on the other ACOS
device, the ACOS device is reloaded anyway, even if the with-reload
option is not used.
running-config – Replaces the running-
config on the other ACOS device with the run-
ning-config on this device.
data-files Synchronizes data files but not the running-con-
fig or startup-config. (See “Usage” for a list of
the types of data files that are synchronized.)
running-config Synchronizes the running-config. You can syn-
chronize it to one of the following on the other
A10 Thunder Series and AX Series device:
fig on the other ACOS device with the running-
config on the other ACOS device with the run-
ning-config on this device.
Note: Configuration synchronization to the standby device’s running-config

does not require a reload of the standby device to take effect. When syn-
chronizing to the startup-config, the with-reload option is supported but
is not required.
startup-config Synchronizes the startup-config. See above for
descriptions of the options. You can synchronize
it to one of the following on the other ACOS
device:
fig on the other ACOS device with the startup-
config on the other ACOS device with the
startup-config on this device.
all-partitions Synchronizes the configuration for all partitions.

ha sync
partition
partition-name Synchronizes the configuration only for the spec-
ified partition.
ipaddr Specifies the IP address of the target ACOS
device.
auto-
authentication Enables single login for configuration synchroni-
zation, so you can start your management session
and also log onto the target ACOS device with
the same username and password.
Note: Single login works only if the admin username and password you use to
log into your management session are the same as the username and pass-
word required for read-write access to the target ACOS device.
Default The option to reload following synchronization to the running-config is dis-

abled by default.
Usage Connection mirroring is required for config sync. Config sync uses the con-
nection mirroring link. (See “ha conn-mirror” on page 820.)
SSH management access must be enabled on both ends of the link. (See
“enable-management” on page 147.)
The following configuration items are backed up during HA config sync:

• Admin accounts and settings
• Floating IP addresses
• IP NAT configuration
• Access control lists (ACLs)
• Health monitors
• Policy-based SLB (black/white lists)
• SLB
• FWLB
• GSLB
• Data Files:
• aFleX files
• External health check files

ha sync
• SSL certificate and private-key files

• Black/white-list files
The following configuration items are not backed up during HA config

sync:
• Management access settings (the ones described in “enable-manage-
ment” on page 147)
• AX Hostname
• MAC addresses
• Management IP addresses
• Trunks or VLANs
• Interface settings
• OSPF and IS-IS settings
• ARP entries or settings
VRRP-A Configuration Items Backed Up

If VRRP-A is configured, the non-device-specific VRRP-A configuration
information is included in the configuration synchronized to the other
ACOS device.
The following VRRP-A commands are synchronized:

• vrrp-a arp-retry
• vrrp-a hello-interval
• vrrp-a dead-timer
• vrrp-a track-event-delay
• vrrp-a enable
• vrrp-a disable-default-vrid
• vrrp-a set-id
• vrrp-a vrid
• floating-ip
• preempt-mode
Device-specific commands, such as commands that include the vrid option,

are not synchronized.

ha sync
Reload of the target ACOS device following synchronization

In certain cases, the target ACOS device is automatically reloaded, but in
other cases, reload is either optional or is not allowed.
Table 5 lists the cases in which reload is automatic, optional, or not allowed.
TABLE 5 Reload of Target AX Device After Config-Sync

Admin Role Status of Target AX Target Config Reload?
Root or Super User Standby startup-config Automatic
(Read-Write) running-config Optional*
Active startup-config Optional*
Not reloaded by default
running-config Automatic
Partition Write Standby startup-config Not Allowed
running-config Not Allowed
Active startup-config Not Allowed
running-config Not Allowed
*. If the target ACOS device is not reloaded, the GUI Save button on the Standby ACOS device does not blink to indicate
unsaved changes. It is recommended to save the configuration if required to keep the running-config before the next
reboot.
An admin who is logged on with Root or Read-Write (Super Admin) privi-

leges can synchronize for all Role-Based Administration (RBA) partitions
or for a specific partition.
An admin who is logged on with Partition Write privileges can synchronize

only for the partition to which the admin is assigned, and can only synchro-
nize to the startup-config on the other device. The with-reload and to-run-
ning-config options are not available to Partition Write admins.
Data that is synchronized from a Standby ACOS device to an Active ACOS

device is not available on the Active ACOS device until that device is
rebooted or the software is reloaded.
Synchronization on an AX Device configured for RBA

The all-partitions and partition partition-name options are applicable on
you omit both options, only the resources in the shared partition are syn-
chronized. (If RBA is not configured, all resources are in the shared parti-
tion, so you can omit both options.)


ha time-interval
Note: If you plan to synchronize the Active ACOS device’s running-config to

the Standby ACOS device’s running-config, make sure to use one of the
following synchronization options. Performing any one of these options
ensures that new private partitions appear correctly in the Standby ACOS
device’s configuration.
– Synchronize all partitions
– Synchronize the shared partition to the startup-config first, then syn-
chronize the private partition to the running-config.
– On the Active ACOS device, synchronize the shared partition to the
running-config first. Log onto the Standby ACOS device and save the
shared partition (write memory partition shared). Then, on the Active
ACOS device, synchronize the private partition to the running-config.
Example The following command synchronizes the running-config and data files by
copying them from this A10 Thunder Series and AX Series device to the
other one in the HA pair. The running-config is copied to the other ACOS
device’s startup-config, and the other ACOS device is then reloaded:
ACOS(config)#ha sync all startup-config 10.10.10.77
User name []?admin
Password []?***
Example The following commands synchronize the Active ACOS device’s running-
config with the Standby ACOS device’s running-config, for ACOS devices
that are configured for Role-Based Administration (RBA):
ACOS(config)#ha sync running-config to-running-config partition shared
10.10.10.77
User name []?admin
Password []?***
ACOS(config)#ha sync running-config to-running-config all-partitions

10.10.10.77
User name []?admin
Password []?***
ha time-interval
Description Configure the interval between HA heartbeat messages.
Syntax [no] ha time-interval 100-msec-units
100-msec-units Amount of time between sending each heartbeat
message. You can specify 1-255 units of 100 ms
each.

ha timeout-retry-count
Default 200 milliseconds
Example The following command changes the HA time interval to 400 ms:
ACOS(config)#ha time-interval 4
Description Configure the number of HA heartbeat intervals the Standby A10 Thunder
Series and AX Series device will wait for a heartbeat message from the
Active ACOS device before failing over.
Syntax [no] ha timeout-retry-count num
num Number of times the HA time interval can expire
before the Standby ACOS device fails over to
become the Active ACOS device. You can spec-
ify 2-255.
Default 5
Example The following command changes the HA timeout retry count to 10:
ACOS(config)#ha timeout-retry-count 10


show access-list
Show Commands
The show commands display configuration and system information.
In addition to the command options provided with some show commands,

you can use output modifiers to search and filter the output. See “Searching
and Filtering CLI Output” on page 45.
To automatically re-enter a show command at regular intervals, see “repeat”

on page 82.
Note: The show slb commands are described in a separate chapter. See “SLB
Show Commands” on page 983.
show access-list
Description Display the configured Access Control Lists (ACLs). The output lists the
configuration commands for the ACLs in the running-config.
Syntax show access-list [ipv4 | ipv6] [acl-id]
ipv4 | ipv6 IP address type.
acl-id ACL name or number.
Mode All
Example The following command displays the configuration commands for ACL 1:
ACOS#show access-list ipv4 1
access-list 1 permit 198.162.11.0 0.0.0.255 Hits: 3
access-list 1 deny 198.162.12.0 0.0.0.255 Hits: 1
Note: The ACL Hits counter is not applicable to ACLs applied to the manage-
ment port.
show active-partition
Description Show the active partition, which is the system partition the CLI session is
currently managing.
Partitions are used by Application Delivery Partitioning (ADP).

show admin
Syntax show active-partition
Mode All
Example The following command shows that the partition currently being managed
by the CLI session is the shared partition:
ACOS#show active-partition
Currently active partition: shared
show admin
Description Display the administrator accounts.
Syntax show admin [admin-name] [detail | session]
admin-name Administrator name.
detail Shows detailed information about the admin
account.
session Shows the current management sessions.
Mode Privileged EXEC mode and configuration mode
Example The following command lists the admins configured on an ACOS device:
ACOS(config)#show admin
UserName Status Privilege Partition
-------------------------------------------------------
admin Enabled R/W
admin2 Enabled R
compAadmin Enabled P.R/W companyA
compBadmin Enabled P.R/W companyB
Table 6 describes the fields in the command output.
TABLE 6 show admin fields

Field Description
UserName Name of the AX admin.
Status Administrative status of the account.

show admin
TABLE 6 show admin fields (Continued)

Field Description
Privilege Access privilege level for the account:
• R/W – Read-write. Allows access to all levels of the sys-
tem.
• R – Read-only. Allows monitoring access to the system
but not configuration access. In the CLI, this account can
only access the User EXEC and Privileged EXEC levels,
not the configuration levels. In the GUI, this account can-
not modify configuration information.
• P.R/W – The admin has read-write privileges within the
private partition to which the admin has been assigned.
The admin has read-only privileges for the shared parti-
tion.
• P.R – The admin has read-only privileges within the pri-
vate partition to which the admin has been assigned, and
read-only privileges for the shared partition.
• P.RS Op – The admin is assigned to a private partition but
has permission only to view service port statistics for real
servers in the partition, and to disable or re-enable the real
servers or their service ports.
Note: The “P” (partition) privilege levels apply to Applica-
tion Delivery Partitioning (ADP). See the System Configura-
tion and Administration Guide.
Partition Private partition to which the admin is assigned.
Note: A partition name appears only for admins with P.R/W,
P.R, or P.RS Op privileges. For other privilege levels, this
field is blank.
Example The following command lists details for the “admin” account:
ACOS#show admin admin detail
User Name ...... admin
Status ...... Enabled
Privilege ...... R/W
Partition ......
Access type .....cli web axapi
GUI role ......
Trusted Host(Netmask) ...... Any
Lock Status ...... No
Lock Time ......
Unlock Time ......
Password Type ...... Encrypted
Password ...... $1$6334ba07$CKbWL/LuSNdY12kcE.KdS0

show admin
TABLE 7 show admin detail fields

Field Description
User Name Name of the AX admin.
Status Administrative status of the account.
Privilege Access privilege level for the account:
• R/W – Read-write. Allows access to all levels of the sys-
tem.
• R – Read-only. Allows monitoring access to the system
but not configuration access. In the CLI, this account can
only access the User EXEC and Privileged EXEC levels,
not the configuration levels. In the GUI, this account can-
not modify configuration information.
• Partition-write – The admin has read-write privileges
within the private partition to which the admin has been
assigned. The admin has read-only privileges for the
shared partition.
• Partition-read – The admin has read-only privileges within
the private partition to which the admin has been assigned,
and read-only privileges for the shared partition.
• Partition-enable-disable – The admin is assigned to a pri-
vate partition but has permission only to view service port
statistics for real servers in the partition, and to disable or
re-enable the real servers and their service ports.
Partition Private partition to which the admin is assigned.
Note: A partition name appears only for admins with Parti-
tion-write, Partition-read, or Partition-enable-disable privi-
leges. For other privilege levels, this field is blank.
Access type Management interfaces the admin is allowed to access,
which can be one or more of the following:
• cli
• web
• axapi
GUI role Role assigned to the admin for GUI access.
Note: If the admin is configured using the GUI, assignment
of a role is required. However, if the admin is configured
using the CLI, a GUI access role can not be assigned. In this
case, the GUI role is equivalent to ReadWriteAdmin.
Trusted IP host or subnet address from which the admin must log in.
Host(Netmask)
Lock Status Indicates whether the admin account is currently locked.
Lock Time If the account is locked, indicates how long the account has
been locked.

show admin
TABLE 7 show admin detail fields (Continued)

Field Description
Unlock Time If the account is locked, indicates how long the account will
continue to be locked.
Password Type Indicates whether the password is encrypted when displayed
in the CLI or GUI and in the startup-config and running-con-
fig.
Password The admin’s password.
Example The following command lists all the currently active admin sessions:
ACOS#show admin session
Id User Name Start Time Source IP Type Partition Authen
Role Cfg
---------------------------------------------------------------------------------------
---------------------
*91 admin 18:03:03 GMT Thu Jan 27 2011 192.168.32.162 CLI Local
ReadWriteAdmin No
TABLE 8 show admin session fields

Field Description
Id Admin session ID assigned by the ACOS device. The ID
applies only to the current session.
User Name Admin name.
Start Time System time when the admin logged onto the ACOS device
to start the current management session.
Source IP IP address from which the admin logged on.
Type Management interface through which the admin logged on.
Partition Role-Based Administration (RBA) partition that is currently
active for the management session.
Authen Indicates the database used to authenticate the admin:
• Local – Admin database on the ACOS device
• RADIUS – Admin database on a RADIUS server
• TACACS – Admin database on a TACACS+ server
Role Indicates the role assigned to the admin for GUI access.
Note: If the admin is configured using the GUI, assignment
of a role is required. However, if the admin is configured
using the CLI, a GUI access role can not be assigned. In this
case, the GUI role is equivalent to ReadWriteAdmin.
Cfg Indicates whether the admin is at the configuration level.

show aflex
show aflex
Description Display the configured aFleX policies.
Syntax show aflex [aflex-name]

[all-partitions | partition name]
Mode All
Usage To display the aFleX policies for a specific partition only, use the partition
name option.
Example The following command shows the aFleX policies on an ACOS device:
ACOS#show aflex
Total aFleX number: 6
Name Syntax Virtual port
------------------------------------------------------------
aFleX_Remote No No
aFleX_check_agent No No
aFleX_relay_client Check No
bugzilla_proxy_fix Check Bind
http_to_https Check No
louis No No
TABLE 9 show aflex fields

Field Description
Total aFleX Total number of aFleX policies on the A10 Thunder Series
number and AX Series.
Name Name of the aFleX policy.
Syntax Indicates whether the aFleX policy has passed the syntax
check performed by the ACOS device:
• Check – The aFleX policy passed the syntax check.
• No – The aFleX policy did not pass the syntax check.
Virtual port Indicates whether the aFleX policy is bound to a virtual port.
show arp
Description Display ARP table entries.
Syntax show arp [all | ipaddr]

[device DeviceID]

show audit
Mode All
Usage If the ACOS device is a member of an aVCS virtual chassis, you can use the
device DeviceID option to specify the device ID to which to apply the com-
mand. If you omit this option, the command is applied to the vMaster.
Example The following command lists the ARP entry for host 192.168.1.144:
ACOS#show arp 192.168.1.144
Total arp entries: 1 Age time: 300 secs
IP Address MAC Address Type Age Interface Vlan
---------------------------------------------------------------------------
192.168.1.144 0011.2F7C.1A75 Dynamic 293 Management 1
TABLE 10 show arp fields

Field Description
Total arp entries Total number of entries in the ARP table. This total includes
static and learned (dynamic) entries.
Age time Number of seconds a dynamic ARP entry can remain in the
table before being removed.
IP Address IP address of the device.
MAC Address MAC address of the device.
Type Indicates whether the entry is static or dynamic.
Age For dynamic entries, the number of seconds since the entry
was last used.
Interface AX interface through which the device that has the displayed
MAC address and IP address can be reached.
Vlan VLAN through which the device that has the MAC address
can be reached.
show audit
Description Show the command audit log.
Syntax show audit [all-partitions | partition name]
Mode All

show auth
Usage The audit log is maintained in a separate file, apart from the system log. The
audit log is RBA-aware. The audit log messages that are displayed for an
admin depend upon the admin’s role (privilege level). Admins with Root,
Read Write, or Read Only privileges who view the audit log can view all the
messages, for all system partitions. To display the messages for a specific
Role-Based Administration (RBA) partition only, use the partition name
option.
Admins who have privileges only within a specific partition can view only
the audit log messages related to management of that partition. Partition
Real Server Operator admins can not view any audit log entries.
show auth
Description Display information for Application Access Management (AAM). See
“AAM Show Commands” on page 271.
show axdebug capture

Description Display a list of AX Debug files.
Syntax show axdebug capture [partition name] [file-name]
[partition
name] Displays files only for a select partition.
[file-name] Filters the show output for only files that par-
tially match a specified file-name
Mode All
show axdebug config

Description Display the AX Debug filter configuration currently applied on ACOS.
Syntax show axdebug config
Mode All

show axdebug config-file
Example
ACOS(config)#show axdebug config
timeout 5
no incoming
no outgoing
count 3000
length 1518
show axdebug config-file

Description Display a list of the AX debug configuration files.
Syntax show axdebug config-file
Mode All
show axdebug file

Description Display AX debug capture files or their contents.
Syntax show axdebug file [filename]
Mode All
Example The following command displays the list of AX debug capture files on the
device:
AX(axdebug)#show axdebug file
------------------------------------+--------------+----------------------------
Filename | Size(Byte) | Date
------------------------------------+--------------+----------------------------
file1 | 58801 | Tue Sep 23 22:49:07 2008
file123 | 192 | Fri Sep 26 17:06:51 2008
------------------------------------+--------------+----------------------------
Total: 2
Maximum file number is: 100

show axdebug filter
Example The following command displays the packet capture data in file “file123”:
AX(axdebug)#show axdebug file file123
Parse file for cpu #1:
Parse file for cpu #2:
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: S 2111796945:2111796945(0) ack

3775149588 win 5792 <mss 1460,sackOK,timestamp 1368738447 524090233,nop,wscale 7>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: S 2111796945:2111796945(0) ack
3775149588 win 5792 <mss 1460,sackOK,timestamp 1368738447 524090233,nop,wscale 7>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: . ack 150 win 54
<nop,nop,timestamp 1368738447 524090233>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: . ack 150 win 54
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: P 1:192(191) ack 150 win 54
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: P 1:192(191) ack 150 win 54
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: F 192:192(0) ack 151 win 54
show axdebug filter

Description Display the configured AXdebug output filters.
Syntax show axdebug filter [filter-num]
Mode All
show axdebug status

Description Display per-CPU packet capture counts for AXdebug.
Syntax show axdebug status [cpu-num [...]]
Mode All
Example
ACOS(config)#show axdebug status
axdebug is enabled
6660 seconds left
debug incoming interface 1
debug outgoing interface 2 3 5 8 9 10 11 12
maximum 111 packets

show backup
Captured packet length 1111

cpu#1 captured 4 packets.
show backup
Description Display information about scheduled backups.
Syntax show backup
Mode All
show bfd
Description Display information for Bidirectional Forwarding Detection (BFD).
Syntax show bfd {neighbors [detail] | statistics}
neighbors
[detail] Displays summarized or detailed information for
BFD neighbors.
statistics Displays overall statistics for BFD packets.
Mode All
Example
ACOS(config)#show bfd statistics
IP Checksum error 0
UDP Checksum error 0
No session found with your_discriminator 0
Multihop config mismatch 0
BFD Version mismtach 0
BFD Packet length field is too small 0
BFD Packet data is short 0
BFD Packet DetectMult is invalid 0
BFD Packet Multipoint is invalid 0

show bfd
BFD Packet my_discriminator is invalid 0

BFD Packet TTL/Hop Limit is invalid 0
BFD Packet auth length is invalid 0
BFD Packet auth mismatch 0
BFD Packet auth type mismatch 0
BFD Packet auth key ID mismatch 0
BFD Packet auth key mismatch 0
BFD Packet auth seq# invalid 0
BFD Packet auth failed 0
BFD local state is AdminDown 0
BFD Destination unreachable 0
BFD Other error 0
Example The following command displays the BFD neighbor status:

ACOS# show bfd neighbors
Our Address Neighbor Address State Holddown txint mult diag
219.0.0.1 219.0.0.2 Up 150 50 3 3/0
219.0.1.1 219.0.1.2 Up 150 50 3 3/0
219.0.2.1 219.0.2.2 Up 150 50 3 0/0
219.0.3.1 219.0.3.2 Up 150 50 3 0/0
219.0.4.1 219.0.4.2 Up 150 50 3 3/0
219.0.5.1 219.0.5.2 Up 150 50 3 3/0
219.0.6.1 219.0.6.2 Up 150 50 3 0/0
219.0.7.1 219.0.7.2 Up 150 50 3 3/0
TABLE 11 show bfd neighbors fields

Field Description
Our Address AX interface associated with the BFD session.
Neighbor Neighbor interface associated with the BFD session.
Address
State Shows the local state of the session.
Holdtime Maximum amount of time the ACOS device waits for a BFD
control packet from the neighbor.
txint Configured interval at which the ACOS device sends BFD
control packets to the neighbor.
mult Maximum number of consecutive times the ACOS device
will wait for a BFD control packet from the neighbor.
diag Diagnostic codes for the local and remote ends of the BFD
session. For information, contact A10 Networks.

show bfd
Example The following command displays detailed BFD neighbor status:

ACOS# show bfd neighbors detail
Our Address 219.0.0.1
Neighbor Address 219.0.0.2
Clients OSPFv2, IS-IS
Singlehop, Echo disabled, Demand disabled, UDP source port 53214
Asynchronous mode, Authentication None
CPU ID 2, Interface index 93
Local State Up, Remote State Up, 2h:29m:45s up
Local discriminator 0x00000fdf, Remote discriminator 0x0000006f
Config DesiredMinTxInterval 50 milliseconds, RequiredMinRxInterval 50 milli-
seconds
Local DesiredMinTxInterval 50 milliseconds, RequiredMinRxInterval 50 millisec-
onds
Remote DesiredMinTxInterval 50 milliseconds, RequiredMinRxInterval 50 milli-
seconds
Local Multiplier 3, Remote Multiplier 3
Hold Down Time 150 milliseconds, Transmit Interval 50 milliseconds
Local Diagnostic: Neighbor Signalled Session Down(3)
Remote Diagnostic: No Diagnostic(0)
Last sent echo sequence number 0x00000000
Control Packet sent 215226, received 215195
Echo Packet sent 0, received 0
TABLE 12 show bfd neighbors detail fields

Field Description
Our Address AX interface associated with the BFD session.
Neighbor Neighbor interface associated with the BFD session.
Address
Clients Protocol that initiates this BFD session. It can be one or more
of the following: Static, OSPFv2, OSPFv3, IS-IS, or BGP.
Singlehop (or BFD session can be either singlehop or multihop.
Multihop)
Echo Indicates whether Echo functionality has been enabled or
disabled.
Demand Indicates whether Demand mode functionality has been
enabled or disabled.
UDP source port UDP source port used for this BFD session.

show bfd
TABLE 12 show bfd neighbors detail fields (Continued)

Field Description
Asynchronous If configured and running, indicates whether BFD is operat-
mode (or ing in Asynchronous mode or Demand mode.
Demand) mode
Authentication Authentication method. This can be either “None” (if it is not
configured) or one of the following supported authentication
schemes:
• Simple password
• Keyed MD5
• Meticulous Keyed MD5
• Keyed SHA1
• Meticulous Keyed SHA1
CPU ID Since BFD traffic is distributed across multiple data CPUs,
this CPU ID refers to the one associated with the current
BFD session.
Interface index Interface index associated with the current BFD session.
This index is used mostly for debugging purposes
Local State Shows the local state the session. The state can be one of the
following:
• Init
• Up
• AdminDown
• Down
Remote State Shows the remote state the session. The state can be one of
the following:
• Init
• Up
• AdminDown
• Down
Local discrimi- The local discriminator value that the ACOS device assigns
nator for the current BFD session.
Remote discrimi- The remote discriminator value that the neighboring router
nator claims.
Config The configured timer values.
Local The configured timer values sent in the last BFD control
packet. This value is determined based on BFD package
exchange and negotiation.
Remote The timer values received in the last BFD control packet
from the BFD neighbor.
Local Multiplier The local multiplier sent in the last BFD packet.
Remote Multi- The remote multiplier received in the last BFD packet from
plier the neighbor.

show bfd
TABLE 12 show bfd neighbors detail fields (Continued)

Field Description
Hold Down Time The expiration time after which the BFD session will be
brought down. This value is determined with the negotiated
interval value and the remote multiplier value.
Transmit Interval The periodic interval to send BFD control packets.
Local Diagnos- The diagnostic value sent in the last BFD control packet.
tic:
Remote Diag- The diagnostic value received in the last BFD control packet
nostic: from the neighbor.
Last sent echo A10 Network’s proprietary sequence number sent in the last
sequence number echo packet.
Control Packet Statistics of control packets for this BFD session.
sent....received
Echo Packet Statistics of echo packets received for this BFD session.
sent...received
Example The following command shows BFD statistics:

ACOS(config)# show bfd statistics
IP Checksum error 0
UDP Checksum error 0
No session found with your_discriminator 39958
Multihop config mismatch 0
BFD Version mismatch 0
BFD Packet length field is too small 0
BFD Packet data is short 0
BFD Packet DetectMult is invalid 0
BFD Packet Multipoint is invalid 0
BFD Packet my_discriminator is invalid 0
BFD Packet TTL/Hop Limit is invalid 0
BFD Packet auth length is invalid 0
BFD Packet auth mismatch 0
BFD Packet auth type mismatch 0
BFD Packet auth key ID mismatch 0
BFD Packet auth key mismatch 103
BFD Packet auth seq# invalid 0
BFD Packet auth failed 0
BFD local state is AdminDown 2
BFD Destination unreachable 1
BFD Other error 0

show bfd
TABLE 13 show bfd statistics fields

Field Description
IP Checksum Number of BFD packets that had an invalid IP checksum.
error
UDP Checksum Number of BFD packets that had an invalid UDP checksum.
error
No session found Number of BFD packets whose Your Discriminator value
with your_ did not match a My Discriminator value on the ACOS
discriminator device.
Multihop config A multihop configuration mismatch occurs when an ACOS
mismatch device receives a BFD packet with a source or destination
that matches an existing BFD session. It can also be caused
in two other scenarios:
• Local is configured as singlehop, but the packet is
received on the UDP port for multihop.
• Local is configured as multihop, but packet is received on
the UDP port for singlehop.
BFD Version Number of BFD packets with a different BFD version than
mismatch the one in use by the ACOS device.
BFD Packet Number of BFD packets whose Length field value was
length field is too shorter than the minimum BFD packet length (24 bytes with-
small out authentication or 26 bytes with authentication).
BFD Packet data The packet payload size is smaller than the BFD length
is short value.
BFD Packet The value of the received DetectMult is “0”.
DetectMult is
invalid
BFD Packet The value of the received multipoint flag is set to “1”.
Multipoint is
invalid
BFD Packet my_ Number of BFD packets whose My Discriminator value was
discriminator is invalid.
invalid
BFD Packet In a singlehop BFD session, the IP time-to-live or IPv6 hop
TTL/Hop Limit limit value must be 255. If a value other than 255 is detected,
is invalid this field is incremented.
BFD Packet auth The BFD length without the BFD packet header does not
length is invalid match the expected authentication length byte value. The
number of BFD control packets have wrong authentication
lengths in bytes
BFD Packet auth Number of BFD packets carrying an authentication type that
type mismatch does not match the BFD authentication type configured on
the ACOS device.
BFD Packet auth This field is incremented when the key ID in the authentica-
key ID mismatch tion header does not match the one configured on the ACOS
device.

show bgp
TABLE 13 show bfd statistics fields (Continued)

Field Description
BFD Packet auth This field is incremented when the received authentication
key mismatch key does not match the one configured on the ACOS device.
BFD Packet auth This field is incremented when the received authentication
seq# invalid sequence number is not equal to or greater than the sequence
number received previously.
BFD Packet auth Number of BFD packets with an incorrect authentication
failed value.
BFD local state Number of BFD packets received while the BFD session was
is AdminDown administratively down.
BFD Number of times the destination IP address for a BFD neigh-
Destination bor was unreachable while the ACOS device was attempting
unreachable to transmit a BFD packet to the neighbor.
BFD Other error Number of BFD errors not counted in any of the fields
above.
show bgp
Description Display information for Border Gateway Protocol (BGP). See “show bgp”
on page 855.
show bootimage
Description Display the software images stored on the A10 Thunder Series and AX
Series device.
Syntax show bootimage

[device DeviceID]
Mode All
sion from the vMaster to another device, and you omit the device option, the
command is applied only to the other device (the one to which you set the
device context).

show bpdu-fwd-group
Example The following command shows the software images on an A10 Thunder
Series and AX Series device:
ACOS#show bootimage
(* = Default)
Version
-----------------------------------------------
Hard disk primary 1.2.0.153 (*)
Hard disk secondary 1.2.1.24
Compact flash primary 1.1.1.68 (*)
Compact flash secondary 1.1.1.51
The asterisk ( * ) indicates the default image for each boot device (hard disk
and compact flash). The default image is the one that the A10 Thunder
Series and AX Series device will try to use first, if trying to boot from that
boot device. (The order in which the AX tries to use the image areas is con-
trolled by the bootimage command. See “bootimage” on page 121.)
show bpdu-fwd-group
Description Display the configured BPDU forwarding groups.
Syntax show bpdu-fwd-group [number]
Option Description
number Displays the configuration of the specified
BPDU forwarding group. If you omit this option,
all configured BPDU forwarding groups are
shown.
Mode All
Example The following command shows all configured BPDU forwarding groups:
AX#show bpdu-fwd-group
show bridge-vlan-group
Description Display information for a bridge VLAN group.
Syntax show bridge-vlan-group [group-id]
Mode All

show bw-list
show bw-list
Description Show black/white list information.
Syntax show bw-list [name [detail | ipaddr]]
name Name of a black/white list.
detail Displays the IP addresses contained in a black/
white list.
ipaddr IP address within the black/white list.
Default N/A
Mode Config
Example The following command shows all the black/white lists on an A10 Thunder
ACOS#show bw-list
Name Url Size(Byte) Date
----------------------------------------------------------------------------
bw1 tftp://192.168.1.143/bwl.txt 106 Jan/22 12:48:01
bw2 tftp://192.168.1.143/bw2.txt 211 Jan/23 10:02:44
bw3 tftp://192.168.1.143/bw3.txt 192 Feb/11 08:02:01
bw4 Local 82 Dec/12 21:01:05
Total: 4
Example The following command shows the IP addresses in black/white list “test”:
AX#show bw-list test detail
Name: test
URL: tftp://192.168.20.143/bwl_test.txt
Size: 226 bytes
Date: May/11 12:04:00
Update period: 120 seconds
Update times: 2
Content
------------------------------------------------------------------------------
1.1.1.0 #13
1.1.1.1 #13
1.1.1.2 #13
1.1.1.3 #13
1.1.1.4 #13

show class-list
9.9.99.9 9
1.2.3.4/32 31
4.3.2.1/24 4
10.1.2.1/32 1
10.1.2.2/32 2
10.1.2.3/32 3
10.1.2.4/32 4
10.3.2.1/32 3
10.3.2.2/32 4
10.5.2.1/32 5
10.5.2.2/32 6
128.0.0.0/1 11
show class-list
Description Display information for IP class lists.
Syntax show class-list [name [ipaddr]]
name [ipaddr] Specifies the class list name or an IP address in
the class list. If you omit both options, the list of
configured class lists is displayed instead.
Mode All
Example The following command displays the class-list files on the ACOS device:
AX#show class-list
Name IP Subnet Location
test 4 3 file
user-limit 14 4 config
Total: 2
TABLE 14 show class-list fields

Field Description
Name Name of the class list.
IP Number of host IP addresses in the class list.
Subnet Number of subnets in the class list.

show class-list
TABLE 14 show class-list fields (Continued)

Field Description
Location Indicates whether the class list is in the startup-config or in a
standalone file:
• config – Class list is located in the startup-config.
• file – Class list is located in a standalone file.
Total Total number of class lists on the ACOS device.
The following command shows details for a class list:

AX#show class-list test
Name: test
Total single IP: 4
Total IP subnet: 3
Content:
1.1.1.1 /32 glid 1
2.2.2.2 /32 glid 2
10.1.2.1 /32 lid 1
10.1.2.2 /32 lid 2
20.1.1.0 /24 lid 1
20.1.2.0 /24 lid 2
0.0.0.0 /0 lid 31
The following commands show the closest matching entries for specific IP
addresses in class list “test”:
AX#show class-list test 1.1.1.1
1.1.1.1 /32 glid 1
AX#show class-list test 1.1.1.2
0.0.0.0 /0 lid 31
The class list contains an entry for 1.1.1.1, so that entry is shown. However,
since the class list does not contain an entry for 1.1.1.2 but does contain a
wildcard entry (0.0.0.0), the wildcard entry is shown.

show clns
show clns
Description Show Connectionless Network Service (CLNS) information.
Syntax show clns [tag]

[is-neighbors options | neighbors options]
is-neighbors Displays IS neighbor adjacencies.
neighbors Displays CLNS neighbor adjacencies.
options Optional display filters:
detail
ethernet portnum [detail]
loopback [portnum] [detail]
management [detail]
trunk num [detail]
udld num [detail]
ve ve-num [detail]
Mode All
show clock
Description Display the time, timezone, and date.
Syntax show clock [detail]

[device DeviceID]
detail Shows the clock source, which can be one of the
following:
– Time source is NTP
– Time source is user configuration
Mode All

show core
device context).
Example The following command shows clock information for an A10 Thunder
ACOS#show clock detail
20:27:16 Europe/Dublin Sat Apr 28 2007
Time source is NTP
Example If a dot appears in front of the time, the A10 Thunder Series and AX Series
has been configured to use NTP but NTP is not synchronized. The clock
was in sync, but has since lost contact with all configured NTP servers.
ACOS#show clock
.20:27:16 Europe/Dublin Sat Apr 28 2007
Example If an asterisk appears in front of the time, the clock is not in sync or has
never been set.
ACOS#show clock
*20:27:16 Europe/Dublin Sat Apr 28 2007
show core
Description Display core dump statistics.
Syntax show core [process]
process Shows core dump statistics for AX processes.
Without this option, system core dump statistics
are shown instead.
Mode Privileged EXEC level and configuration levels
Example The following command shows system core dump statistics:

ACOS#show core
It has been rebooted 1 time.
It has been crashed 0 time.
The process is up 71048 sec.

show cpu
show cpu
Description Display CPU statistics.
Syntax show cpu

[
history
[
seconds |
minutes |
hours |
control-cpu |
data-cpu
]
]
[overall]
[interval seconds]
[device DeviceID]
history Show control CPU and data CPU usage informa-
tion.
seconds Show CPU usage information in last 60 seconds.
minutes Show CPU usage information in last hour.
hours Show CPU usage information in last 72 hours.
control-cpu Show Control CPU usage information.
data-cpu Show Data CPU usage information.
interval
seconds Automatically refreshes the output at the speci-
fied interval. If you omit this option, the output is
shown one time. If you use this option, the output
is repeatedly refreshed at the specified interval
until you press ctrl+c.

show cpu
device context).
Scope of show cpu Command When Entered from a Private Par-

tition
On AX device that is configured with private partitions, the scope of the
show cpu command, when entered from a private partition, depends on
whether the partition has Layer 2/3 virtualization enabled:
• Layer 2/3 virtualization enabled – The show cpu command shows utili-
zation for only the private partition.
• Layer 2/3 virtualization disabled – The show cpu command shows utili-
zation for only the shared partition.
Example The following command shows CPU statistics on an AX 2000, in 10-second

intervals:
ACOS#show cpu interval 10
Cpu Usage: (press ^C to quit)
1Sec 5Sec 10Sec 30Sec 60Sec
--------------------------------------------------------
Time: 16:28:57 PST Wed Jan 16 2008
Control 2% 2% 2% 2% 2%
Data0 0% 0% 0% 0% 0%
Data1 0% 0% 0% 0% 0%
Time: 16:29:07 PST Wed Jan 16 2008

Control 2% 2% 2% 2% 2%
Data0 0% 0% 0% 0% 0%
Data1 0% 0% 0% 0% 0%
...
<ctrl+c>
ACOS#
TABLE 15 show cpu fields

Field Description
Time System time when the statistics were gathered.
Control Control CPU.
Data0-7 Data CPU. The number of data CPUs depends on the ACOS
model.
1Sec-60sec Time intervals at which statistics are collected.

show debug
Example The following command output displays CPU utilization rates plotted over
the last 60 seconds. The x-axis represents the time elapsed and the y-axis
represents the CPU utilization rate. Asterisks appear along the bottom of the
output to illustrate the CPU utilization rates over time. The figure below
only shows the usage for the Control CPU. The usage for the Control CPU
and Data CPU are displayed in separate figures. The CLI command prints 1
asterisk for every 10 percent utilization. This means no asterisk will be
printed if the CPU usage is from 0-4; one asterisk will be printed if the CPU
usage is 5-14; two asterisks will be printed if the CPU usage is 15-24; and
so on.
ACOS(config)#show cpu history seconds
Time: 11:36:52 IST Wed Apr 11 2012
535445345454455344455335434543435655247343454425435445352373
100
90
80
70
60
50
40
30 *
20 **
10* * * * * ** ** * * **** * * * * * * *
0....0....1....1....2....2....3....3....4....4....5....5....
5 0 5 0 5 0 5 0 5 0 5
control CPU: CPU% per second (last 60 seconds)
Note: The Data CPU chart is identical to that of the Control CPU chart shown
above, except the last line of the chart will say "data CPU 1".
show debug
Description This command applies to debug output. It is recommended to use the AXde-
bug subsystem commands instead of the debug commands. See the follow-
ing:
• “AX Debug Commands” on page 1069
• “show axdebug file” on page 847
• “show axdebug filter” on page 848
• “show axdebug status” on page 848

show disk
show disk
Description Display status information for the AX hard disks.
Syntax show disk

[device DeviceID]
Example The following command shows hard disk information for an A10 Thunder
ACOS#show disk
Total(MB) Used Free Usage
-----------------------------------------
154104 5895 148209 4.0%
Device Primary Disk Secondary Disk

----------------------------------------------
md0 Active Active
md1 Active Active
TABLE 16 show disk fields

Field Description
Total(MB) Total amount of data the hard disk can hold.
Note: The hard disk statistics apply to a single disk. This is
true even if your AX device contains two disks. In systems
with two disks, the second disk is a hot standby for the pri-
mary disk and is not counted separately in the statistics.
Used Number of MB used.
Free Number of MB free.
Usage Percentage of the disk that is in use.
Device Virtual partition on the disk:
• md0 – The boot partition
• md1 – The A10 data partition

show dns statistics
TABLE 16 show disk fields (Continued)

Field Description
Primary Disk Status of the left hard disk in the redundant pair:
• Active – The disk is operating normally.
• Inactive – The disk has failed and must be replaced. Con-
tact your A10 Networks representative.
• Synchronizing – The disk has just been installed and is
synchronizing itself with the other disk.
Secondary Disk Status of the right hard disk in the redundant pair.
show dns statistics

Description Show DNS statistics.
Syntax show dns statistics

[device DeviceID]
Usage This command lists statistics values only if the configuration contains a vir-
tual port that is bound to a UDP template.
If the ACOS device is a member of an aVCS virtual chassis, you can use the
device context).
Example The following command displays DNS statistics:

AX#show dns statistics
DNS statistics for SLB:
-----------------------
No. of requests: 510
No. of responses: 508
No. of request retransmits: 0
No. of requests with no response: 2
No. of responses with no matching session: 0
No. of resource failures: 0
DNS statistics for IP NAT:

show dns cache
--------------------------
No. of requests: 0
No. of responses: 0
No. of request retransmits: 0
No. of requests with no response: 0
No. of responses with no matching session: 0
No. of resource failures: 0
show dns cache

Description Display DNS caching information.
Syntax show dns cache {client | entry | statistics}
client DNS client statistics.
entry DNS cache entries.
statistics DNS caching statistics.
Mode All
Example The following command shows DNS caching statistics:

ACOS#show dns cache statistics
Total allocated: 0
Total freed: 0
Total query: 0
Total server response: 0
Total cache hit: 0
Query not passed: 0
Response not passed: 0
Response exceed cache size: 0
Response answer not passed: 0
Query encoded: 0
Response encoded: 0
Query with multiple questions: 0
Response with multiple questions: 0
Response with multiple answers: 0
Response with short TTL: 0
Total aged out: 0
Total aged for lower weight: 0
Total stats log sent: 0
Current allocate: 0
Current data allocate: 0

show dns cache
TABLE 17 show dns cache statistics fields

Field Description
Total Allocated Total memory allocated for cached entries.
Total Freed Total memory freed.
Total Query Total number of DNS queries received by the ACOS device.
Total Server Total number of responses form DNS servers received by the
Response ACOS device.
Total Cache Hit Total number of times the ACOS device was able to use a
cached reply in response to a query.
Query Not Number of queries that did not pass a packet sanity check.
Passed
Response Not Number of responses that did not pass a packet sanity check.
Passed The ACOS device checks the DNS header and question in
the packet, but does not parse the entire packet.
Response Please contact A10 Networks for information..
Exceed Cache
Size
Response Please contact A10 Networks for information..
Answer Not
Passed
Query Encoded Number of queries that were not cached because the domain
name in the question was encoded in the DNS query packet.
Response Number of queries that were not cached because the domain
Encoded name in the question was encoded in the DNS response
packet.
Query With Number of queries that were not cached because they con-
Multiple tained multiple questions.
Questions
Response With Number of responses that were not cached because they con-
Multiple tained answers for multiple questions.
Questions
Response With Number of responses that were not cached because they con-
Multiple tained more than one answer.
Answers
Response with Number of responses that had a short time to live (TTL).
Short TTL
Total Aged Out Total number of DNS cache entries that have aged out of the
cache.
Total Aged for Number of cache entries aged out due to their weight value.
Lower Weight
Total Stats Log Total number of logs sent.
Sent
Current Allocate Current memory allocation.

show dumpthread
TABLE 17 show dns cache statistics fields (Continued)

Field Description
Current Data Current data allocation.
Allocate
show dumpthread
Description Show status information about the SLB process.
Syntax show dumpthread
Example The following command shows status information for the SLB process:
ACOS#show dumpthread
It has been rebooted 1 time.
It has been crashed 0 time.
The process is up 101102 sec.
show environment
Description Display temperature, fan, and power supply status.
Syntax show environment

[device DeviceID]
Mode All
device context).
The power supply voltage statistics apply only to the following AX models:
AX 2500, AX 2600, AX 3000, AX 3000-11, AX 3200-12, AX 3530,
AX 3400, AX 5100, AX 5200, AX 5200-11 and AX 5630.

show errors
Example The following command shows environment information for an A10 Thun-
der Series and AX Series device:
ACOS#show environment
Physical System temperature: 31C / 87F
Fan1A : OK-low/med Fan1B : OK-low/med
Fan2A : FAILED Fan2B : FAILED
System Voltage 12V : OK
System Voltage 5V : OK
System Voltage DDR3 1.5V : OK
System Voltage IOH 1.1V : OK
System Voltage SB 5V : OK
Right Power Unit(view from front) State: On
Left Power Unit(view from front) State: Off
show errors
Description Show error information for the system. This command provides a simple
way to quickly view system status and error statistics.
Syntax show errors

[
application [sub-options] |
critical [detail] |
detail |
informational [detail] |
system [sub-options]
]
Option Description
application
[sub-options] Displays error information for AX applications.
The following sub-options are available.
critical [detail]
detail
ha
[critical [detail]]
[detail]
[informational [detail]]

show errors
hw-compression
[critical [detail]]
[detail]
informational [detail]
ipnat
[critical [detail]]
[detail]
l2-l3-forward
[critical [detail]]
[detail]
ram-cache
[critical [detail]]
[detail]
slb
[critical [detail]]
[detail]
[health-monitor
[critical [detail]]
[detail]
[layer4
[critical [detail]]
[detail]
[tcp
[critical [detail]]
[detail]
[udp
[critical [detail]]
[detail]
[layer7
[critical [detail]]
[detail]

show errors
[fast-http
[critical [detail]]
[detail]
[http
[critical [detail]]
[detail]
[sip
[critical [detail]]
[detail]
[smtp
[critical [detail]]
[detail]
[ssl-slb
[critical [detail]]
[detail]
[persist
[cookie
[critical [detail]]
[detail]
[critical [detail]]
[dest-ip
[critical [detail]]
[detail]
[detail]
[informational [detail]
[source-ip
[critical [detail]]
[detail]
[ssl-sid
[critical [detail]]
[detail]
[url-hash
[critical [detail]]
[detail]
ssl

show errors
[critical [detail]]
[detail]
critical
[detail] Displays information about critical errors only.
detail Displays detailed error information only.
informational
[detail] Displays informational output only.
system
[sub-options] Displays system-level errors. The following sub-
options are available.
critical [detail]
detail
hardware
[critical [detail]]
[detail]
informational [detail]
software
[critical [detail]]
[detail]
Mode All
Example The following shows high-level error information for the system:
AX#show errors
Hardware components status

===========================
Physical System temperature: 36C / 96F
CPU Fan1 speed: 5818 RPM
CPU Fan2 speed: 5720 RPM
Upper Power Unit State: On
Lower Power Unit State: Off
Total(MB) Used Free Usage

-----------------------------------------
157065 5777 151287 3.6%

show errors
Device Primary Disk

------------------------------
md0 Active
md1 Active
System Memory Usage:

Total(KB) Free Shared Buffers Cached Usage
---------------------------------------------------------------------------
2074308 316048 0 37324 256232 72.4%
Time: 21:22:12 IST Mon May 17 2010

1Sec 5Sec 10Sec 30Sec 60Sec
--------------------------------------------------------
Control 31% 30% 25% 25% 26%
Data1 0% 0% 0% 0% 0%
Data2 0% 0% 0% 0% 0%
Data3 0% 0% 0% 0% 0%
Data4 0% 0% 0% 0% 0%
Data5 0% 0% 0% 0% 0%
System software Error Counters

==========================================
Error packets drops: : 16
Hardware compression device is not installed.
L2-L3 Fwd (Switch) Error Counters

==========================================
Link Down Drop : 57
VLAN Flood : 175313
Health Monitor Error Counters

==========================================
Send packet failed: : 1741315
Retries: : 28982
Timeouts: : 9

show errors
Example The following command shows detailed system-software error statistics:

AX#show errors system software detail
System software Error Counters

==========================================
buff alloc failed: : 0
buff alloc from sys failed: : 0
Error packets drops: : 16
Packet drops: : 0
Example The following command shows detailed error statistics for SLB health mon-
itoring:
AX#show errors application slb health-monitor detail
Health Monitor Error Counters

==========================================
Open socket failed: : 0
Receive packet failed: : 0
Unexpected error: : 0
Retries: : 29002
Timeouts: : 9
The Error packets drops counter indicates the number of packets that were
dropped before ACOS applied any load balancing logic, because the con-
tents of the packet were invalid. Some examples:
• Attack packets
• Packets whose IP total length does not correspond with the size of the
Ethernet frame
The Packets received error counter is the same as the Error packets drops
counter, but does not count packets from the AX Linux IP Stack.
The Packet drops counter indicates the number of packets that were dropped
because due to a load balancing logic error. As an example, this counter
includes packets dropped because the session has been deleted.

show event-action
show event-action
Syntax show event-action vnp {part-create | part-del}
Mode All
Example
ACOS(config)#show event-action vnp part-create
Event VNP part-create action configuration: logging off, snmp off, email off
show fail-safe
Description Display fail-safe information.
Syntax show fail-safe {config | information}
Option Description
config Displays the fail-safe configuration entered by
you or other admins.
information Displays fail-safe settings and statistics. The out-
put differs between models that use FPGAs in
hardware and models that do not. (See “Exam-
ple” below.)
Mode All
Example The following commands configure some fail-safe settings and verify the
changes.
AX3400(config)#fail-safe session-memory-recovery-threshold 30
AX3400(config)#fail-safe fpga-buff-recovery-threshold 2
AX3400(config)#fail-safe sw-error-recovery-timeout 3
AX3400(config)#show fail-safe config
fail-safe session-memory-recovery-threshold 30
fail-safe fpga-buff-recovery-threshold 2
fail-safe sw-error-recovery-timeout 3

show fail-safe
Example The following command shows fail-safe settings and statistics on an AX

model that uses FPGAs in hardware:
AX3400(config)#show fail-safe information
Total Session Memory (2M blocks): 1012
Free Session Memory (2M blocks): 1010
Session Memory Recovery Threshold (2M blocks): 809
Total Configured FPGA Buffers (# of buffers): 4194304
Free FPGA Buffers in Domain 1 (# of buffers): 507787
Free FPGA Buffers in Domain 2 (# of buffers): 508078
Total Free FPGA Buffers (# of buffers): 1015865
FPGA Buffer Recovery Threshold (# of buffers): 256
Total System Memory (Bytes): 2020413440
TABLE 18 show fail-safe information fields (FPGA models)

Field Description
Total Session Total amount of the ACOS device’s memory that is allocated
Memory for session processing.
Free Session Amount of the ACOS device’s session memory that is free
Memory for new sessions.
Session Memory Minimum percentage of session memory that must be free
Recovery before fail-safe occurs.
Threshold
Total Total number of configured FPGA buffers the ACOS device
Configured has. These buffers are allocated when the ACOS device is
FPGA Buffers booted. This number does not change during system opera-
tion.
The FPGA device is logically divided into 2 domains, which
each have their own buffers. The next two counters are for
these logical FPGA domains.
Free FPGA Number of FPGA buffers in Domain 1 that are currently free
Buffers in for new data.
Domain 1
Free FPGA Number of FPGA buffers in Domain 2 that are currently free
Buffers in for new data.
Domain 2
Total Free FPGA Total number of free FPGA buffers in both FPGA domains.
Buffers
FPGA Buffer Minimum number of packet buffers that must be free before
Recovery fail-safe occurs.
Threshold
Total System Total size the ACOS device’s system memory.
Memory

show feature-license
Example The following command shows fail-safe settings and statistics on an AX

model that does not use FPGAs in hardware. (The FPGA buffer is an I/O
buffer instead.)
AX2500(config)#show fail-safe information
Total Session Memory (2M blocks): 1018
Free Session Memory (2M blocks): 1017
Session Memory Recovery Threshold (2M blocks): 305
Total Configured FPGA Buffers (# of buffers): 2097152
Free FPGA Buffers (# of buffers): 2008322
FPGA Buffer Recovery Threshold (# of buffers): 1280
Total System Memory (Bytes): 4205674496
TABLE 19 show fail-safe information fields (non-FPGA models)

Field Description
Total Session Total amount of the ACOS device’s memory that is allocated
Memory for session processing.
Free Session Amount of the ACOS device’s session memory that is free
Memory for new sessions.
Session Memory Minimum percentage of session memory that must be free
Recovery before fail-safe occurs.
Threshold
Total Total number of configured FPGA buffers the ACOS device
Configured has. These buffers are allocated when the ACOS device is
FPGA Buffers booted. This number does not change during system opera-
tion.
Free FPGA Number of FPGA that are free for new data.
Buffers
FPGA Buffer Minimum number of packet buffers that must be free before
Recovery fail-safe occurs.
Threshold
Total System Total size the ACOS device’s system memory.
Memory
show feature-license
Description Display feature license information.
Syntax show feature-license

show glid
Usage Feature licenses apply only to the SoftAX. None of the features on AX
hardware models require separate licensing.
show glid
Description Show information for global IP limiting rules.
Syntax show glid [num]
Mode All
Example The following command the configuration of each global IP limiting rule:
AX#show glid
glid 1
conn-limit 100
conn-rate-limit 100 per 10
request-limit 1
request-rate-limit 10 per 10
over-limit-action reset log 1
glid 2
conn-limit 20000
request-limit 200
glid 30
conn-limit 10000
over-limit-action forward log
Example The following command shows the configuration of global IP limiting

rule 1:
AX#show glid 1
glid 1
conn-limit 100
request-limit 1

show gslb
show gslb
Description See the Global Server Load Balancing Guide.
show ha
Description Show the status of each HA group. The output shows information for the
ACOS device on which you enter the command, and the device’s HA peer.
Syntax show ha [config | detail | mac | setid-monitor |

statistics]
config Shows the HA configuration commands in the
running-config.
detail Shows detailed HA information.
mac Shows the virtual MAC addresses associated
with HA groups.
show ha setid-
monitor Shows the HA or VRRP-A set IDs in use on the
network, which can be useful when adding an
ACOS device to an existing HA or VRRP-A set,
or when deploying a new set.
statistics Shows HA statistics.
Mode All
Usage Notes About Show HA Mac

Each HA group has a shared MAC address, 021f.a0000.00xx. The 02 por-
tion of the address indicates this is an HA virtual MAC address, instead of a
system MAC address (00). The xx portion of the address is unique to the
HA group. The shared MAC address is used for all IP addresses for which
HA is provided (SLB VIPs, source NAT addresses, floating IP addresses,
and so on).
Note: If hardware-based SYN-cookies are enabled, a second MAC address can

appear in the output. The second address is related to SYN-cookie protec-
tion. For example, if both 021f.a000.0081 and 021f.a020.0081 are listed,
021f.a020.0081 is for hardware-based SYN cookies.

show ha
Example The following command shows basic HA information:

ACOS#show ha
Local Unit: UP Peer Unit: UP
HA Group Unit State Priority
1 Local Active 200
Peer Standby 100
2 Local Active 255
Peer Standby 100
Example The following command shows basic HA information with HA statistics:

ACOS#show ha detail
Local Unit: UP Peer Unit: UP
HA Group Unit State Priority
1 Local Active 200
Peer Standby 100
Active Standby
Transitions 2 2
Pkts processed 559826 568
Connectivity: Server Ports 2 Router Ports 2

HA packets: Sent 806870 Received 397769
Conn Sync: Sent 2039 Received 0
HA errors:
Dup HA ID 0 Invalid Group 0
Version Mismatch 0 SetId Mismatch 0
Missed Heartbeat 6 Timer Msgs 0
HA Port Sent Recvd Missed Heartbeat

1 0 0 0
3 0 0 0
4 403435 0 0
5 0 0 0
6 0 0 0
9 403435 397769 6
Inline L2 HA Peer Port: 9
Misc Packet statistics:

Self packets MAC: 0 IP: 0
Packets for AX Broadcast: 0 IP: 235
Active mode stats:
IP 20092 Non-peer port 20821 MAC: 0
Standby mode stats:
IP 3 Non-peer port 101

show ha
TABLE 20 show ha detail fields

Field Description
Local Unit Shows the HA operational status of this AX device:
• Up – All configured HA router and server interfaces are
up.
• Partially Up – Some HA router or server interfaces are
down but at least one server link and one router link are
up.
• Down – All router interfaces, or all server interfaces, or
both are down. The status also is Down if both router
interfaces and server interfaces are not configured and an
HA interface goes down.
Peer Unit Shows the HA operational status of the other AX device.
Note: If the status is Incompatible Version, the ACOS
devices are running different software versions and the HA
feature is not compatible between the two versions. This
message is normal during upgrade, after one of the ACOS
devices has been upgraded and before the other device is
upgraded. If the devices are not being upgraded, it is recom-
mended to upgrade one of the devices so that they both are
running the same software version.
HA Group Shows HA group information:
• Unit – Indicates whether the information below is for this
AX device (Local) or the other AX device (Peer).
• State – Indicates whether the ACOS device is active or is a
standby.
• Priority – HA priorities configured for this group on this
AX device and on its peer AX device.
Transitions Number of times this AX device has transitioned to the
active or standby state.
Pkts processed (Inline mode only) Shows the number of packets processed
by the HA inline handler when in active or standby mode.
Connectivity Shows the number of HA interfaces designated as server or
router interfaces that are currently up.
HA packets Shows the number of HA hello (heartbeat) packets sent or
received by this AX device.
Conn Sync Shows the number of HA connection synchronization (ses-
sion mirroring) packets sent or received by this AX device.

show ha
TABLE 20 show ha detail fields (Continued)

Field Description
HA errors Shows HA error statistics:
• Dup HA ID – Number of incoming HA hello (heartbeat)
packets that had the same HA ID as the HA ID of this AX
device (the local AX device).
• Invalid Group – Number of incoming HA hello packets
that had an invalid group ID.
• Version Mismatch – Number of incoming HA hello pack-
ets that had a packet version mismatch.
• SetId Mismatch – Number of incoming HA hello packets
that had an HA set ID mismatch.
• Missed Heartbeat – Total number of heartbeat (hello)
packets expected from the peer HA device that were not
received.
• Timer Msgs – Number of times HA internal timers
detected a variance.
HA Port Shows statistics for each HA interface:
• Sent – Number of hello (heartbeat) messages sent on the
interface.
• Recvd – Number of hello messages received on the inter-
face.
• Missed Heartbeat – Number of hello messages that were
expected to be received on the interface but that did not
arrive.
Inline L2 HA (Inline mode only) Shows the interface number used to com-
Peer Port municate with the peer HA device.
Misc Packet sta- These fields show internal statistics used by A10 Customer
tistics Support.
Active mode
stats
Standby mode
stats

show hardware
Example The following command shows the HA commands in the running-config:

ACOS#show ha config
ha id 1
ha group 1 priority 255
ha group 2 priority 255
ha time-interval 3
ha conn-mirror ip 172.22.66.2
Example The following commands show HA set information for the vMaster in an
aVCS deployment:
AX-vMaster[6/2]#show running-config | section ha
ha id 2 set-id 6
vcs chassis-id 6
ha interface ethernet 1 device 1
ha interface ethernet 1 device 2
AX-vMaster[6/2]#show ha setid-monitor
set id 6
interface ethernet1, ha id 1, IP: 1.1.1.2, MAC: 000c.29a3.a87e VLAN: 1, last
observed 0 seconds ago
Example The following command shows the virtual MAC addresses for configured
HA groups 1 and 2:
AX#show ha mac
HA Group MACs
1 021f.a000.0001
2 021f.a000.0022
show hardware
Description Displays hardware information for the ACOS device.
Syntax show hardware
Default All

show health
Example The following example shows output for the show hardware command:
AX#show hardware
AX Series Advanced Traffic Manager AX2500
Serial No : AX25061111001096
CPU : Intel(R) Xeon(R) CPU
8 cores
5 stepping
Storage : Single 74G drive
Memory : Total System Memory 6123 Mbyte, Free Memory 1465 Mbyte
SMBIOS : Build Version: 080015
Release Date: 02/01/2010
SSL Cards : 1 device(s) present
1 Nitrox PX
GZIP : 0 compression device(s) present
FPGA : 0 instance(s) present
L2/3 ASIC : 0 device(s) present
show health
Description Show status information for health monitors.
Syntax show health

{
external [name] |
gateway |
monitor [name] |
postfile [name] |
stat
}
external [name] Shows configuration settings for the specified
external health monitoring program.
gateway Shows configuration settings and statistics for
gateway health monitoring.
monitor [name] Shows configuration settings and status for the
specified health monitor.
postfile [name] Shows the files used for POST requests in HTTP/
HTTPS health checks.

show health
stat Shows health monitoring statistics. The statistics

apply to all health monitoring activity on the A10
Thunder Series and AX Series device.
Mode All
Usage To display health monitor information for a specific Role-Based Adminis-

tration (RBA) partition only, use the partition name option.
Example The following command shows configuration settings and status for health
monitor “ping”:
ACOS#show health monitor ping
Monitor Name: ping
Interval: 30
Max Retry: 3
Timeout: 5
Status: In use
Method: ICMP
The output shows the method used for the monitor, and the settings for each
of the parameters that are configurable for that method.
Example The following command shows the configuration settings of external health
monitoring program “http.tcl”:
ACOS#show health external http.tcl
External Program Description
http.tcl check http method
!!! Content Begin !!!
# Open a socket
if {[catch {socket $ax_env(ServerHost) $ax_env(ServerPort)} sock]} {
puts stderr "$ax_env(ServerHost): $sock"
} else {
fconfigure $sock -buffering none -eofchar {}
# Send the request

puts $sock "GET / HTTP/1.0\n"
# Wait for the response from http server

set line [read $sock]
if { [ regexp "HTTP/1.. (\[0-9\]+) " $line match status] } {

puts "server $ax_env(ServerHost) response : $status"
}
close $sock
# Check exit code

if { $status == 200 } {

show health
}
}
!!! Content End !!!
Example The following command shows health monitoring statistics:

ACOS#show health stat
Health monitor statistics
Total run time: : 2 hours 1345 seconds
Number of burst: : 0
max scan jiffie: : 326
min scan jiffie: : 1
average scan jiffie: : 1
Opened socket: : 1140
Open socket failed: : 0
Close socket: : 1136
Send packet: : 0
Receive packet: : 0
Receive packet failed : 0
Retry times: : 4270
Timeout: : 0
Unexpected error: : 0
Conn Immediate Success: : 0
Socket closed before l7: : 0
Socket closed without fd notify: : 0
Get retry send: : 0
Get retry recv: : 0
Configured health-check rate (/500ms) : Auto configured
Current health-check rate (/500ms): : 1600
External health-check max rate(/200ms) : 2
Total number: : 8009
Status UP: : 8009
Status DOWN: : 0
Status UNKN: : 0
Status OTHER: : 0
IP address Port Health monitor Status Cause(Up/Down) Retry PIN

--------------------------------------------------------------------------------
10.0.0.11 80 http UP 11 /0 @0 0 0 /0 0
10.0.0.12 80 http UP 10 /0 @0 0 0 /0 0
TABLE 21 show health stat fields

Field Description
Total run time Time elapsed since the health monitoring process started.
Number of burst Number of times the system detected that a health check
would leave the ACOS device as a traffic burst, and reme-
died the situation.

show health
TABLE 21 show health stat fields (Continued)

Field Description
max scan jiffie Used by A10 Networks Technical Support.
min scan jiffie
average scan
jiffie
Opened socket Number of sockets opened.
Open socket Number of failed attempts to open a socket.
failed
Close socket Number of sockets closed.
Send packet Number of health check packets sent to the target of the
health monitor.
Send packet Number of sent health check packets that failed. (This is the
failed number of times a target server or service failed its health
check.)
Receive packet Number of packets received from the target in reply to health
checks.
Receive packet Number of failed receive attempts.
failed
Retry times Number of times a health check was resent because the target
did not reply.
Timeout Number of times a response was not received before the
health check timed out.
Unexpected error Number of unexpected errors that occurred.
Conn Immediate Used by A10 Networks Technical Support.
Success
Socket closed
before l7
Socket closed
without fd notify
Get retry send
Get retry recv
Configured If auto-adjust is enabled, shows “Auto configured”.
health-check rate If auto-adjust is disabled, shows the manually configured
threshold.
Current health- If auto-adjust is enabled, shows the total number of health
check rate monitors divided by the global health-check timeout:
total-monitors / global-timeout
If auto-adjust is disabled, shows the manually configured
threshold.
External health- Please contact A10 Networks for information..
check max rate
Total number Total number of health checks performed.
Status UP Number of health checks that resulted in status UP.
Status DOWN Number of health checks that resulted in status DOWN.
Status UNKN Number of health checks that resulted in status UNKN.

show history
TABLE 21 show health stat fields (Continued)

Field Description
Status OTHER Number of health checks that resulted in status OTHER.
IP address IP address of the real server.
Port Protocol port on the server.
Health monitor Name of the health monitor.
If the name is “default”, the default health monitor settings
for the protocol port type are being used. (See “health-check”
on page 706 for Layer 3 health checks or “port” on page 707
for Layer 4-7 health checks.)
Status Indicates whether the service passed the most recent health
check.
Cause Up and Down show internal codes for the reasons the health
(Up/Down) check reported the server or service to be up or down. (See
“show health stat Up / Down Causes” on page 1079.)
Retry Number of retries.
PIN Indicates the following:
• Current number of retries – Displayed to the left of the
slash ( / ). The number of times the most recent health
check was retried before a response was received or the
maximum number of retries was used.
• Current successful up-retries – Displayed to the right of
the slash ( / ). Number of successful health check replies
received for the current health check. This field is applica-
ble if the up-retry option is configured for the health
check. (See “health monitor” on page 163.)
show history
Description Show the CLI command history for the current session.
Syntax show history
Usage Commands are listed starting with the oldest command, which appears at
the top of the list.
Example The following example shows commands entered by the tech writer while
drafting this chapter:
ACOS#show history
enable
show version
show access-list
show admin

show hsm
show admin admin

show admin detail
show admin session
show admin admin detail
show arp
show arp 192.168.1.144
show aflex
show bootimage
show bw-list sample-bw-list 1.1.1.1
show bw-list
show clock
show clock detail
show core
show cpu interval 1
show cpu interval 10
show debug
show disk
show dumpthread
--MORE--
show hsm
Description Show the configured HSM templates.
Syntax show hsm config
Mode All
Example The following command shows the HSM templates configured on the
ACOS device:
ACOS(config)#show hsm config
hsm template example1 softhsm
hsm template hsm-example-2 softhsm
show icmp
Description Show ICMP rate limiting configuration settings and statistics.
Syntax show icmp

[active-vrid | device DeviceID]
Mode All

show icmpv6
The active-vrid option displays information for the active VRRP-A device.
This can be useful in aVCS deployments that also use VRRP-A.
Example The following command shows ICMP rate limiting settings, and the number
of ICMP packets dropped because the threshold has been exceeded:
ACOS(config)#show icmp
Global rate limit: 5
Global lockup rate limit: 10
Lockup period: 20
Current global rate: 0
Global rate limit drops: 0
Interfaces rate limit drops: 0
Virtual server rate limit drops: 0
Total rate limit drops: 0
show icmpv6
Description Show ICMPv6 rate limiting configuration settings and statistics.
Syntax show icmpv6

[device DeviceID]
Mode All

show interfaces
show interfaces
Description Display interface configuration and status information.
Syntax show interfaces

[brief] |
[ethernet [port-num]] | [ve [vlan-id]] |
[loopback num] | [management] | [trunk [num]]
[device DeviceID]
Note: For information about the statistics options, see “show interfaces statis-
tics” on page 895.
Example The following example shows brief interface information:

ACOS#show interfaces brief
Port Link Dupl Speed Trunk Vlan MAC IP Address Total IPs
-----------------------------------------------------------------------------
mgmt Up Full 100 N/A N/A 0090.0b0a.a594 192.168.20.241/24 1
1 Up Full 1000 None 1 0090.0b0a.a596 10.10.10.241/24 5
2 Up Full 1000 None 1 0090.0b0a.a597 20.20.20.241/24 1
3 Down None None None 1 0090.0b0a.a598 0.0.0.0/0 0
4 Down None None None 1 0090.0b0a.a599 0.0.0.0/0 0
5 Disb None None None 1 0090.0b0a.a59a 0.0.0.0/0 0
6 Disb None None None 1 0090.0b0a.a59b 0.0.0.0/0 0
7 Up Full 1000 None 1 0090.0b0a.a59c 70.70.70.241/24 4
8 Disb None None None 1 0090.0b0a.a59d 0.0.0.0/0 0
...
ve4 Down N/A N/A N/A 4 0090.0b0a.a597 60.60.60.241/24 2
ve6 Up N/A N/A N/A 5 0090.0b0a.a597 99.99.99.241/24 1
lo2 Up N/A N/A N/A N/A N/A 68.67.65.64/23 3
Example The following example shows information for Ethernet port 1:

ACOS#show interfaces ethernet 1
Ethernet 1 is up, line protocol is up
Hardware is GigabitEthernet, Address is 0090.0b0a.a596

show interfaces

Configured Speed auto, Actual 1Gbit, Configured Duplex auto, Actual fdx
Member of L2 Vlan 1, Port is Untagged
Flow Control is enabled, IP MTU is 1500 bytes
Port as Mirror disabled, Monitoring this Port disabled
0 packets input, 0 bytes
0 input errors, 0 CRC 0 frame
0 runts 0 giants
Transmitted 0 broadcasts 0 multicasts 0 unicasts
0 output errors 0 collisions
300 second input rate: 158073232 bits/sec, 154368 packets/sec, 15% utiliza-
tion
300 second output rate: 35704 bits/sec, 5 packets/sec, 0% utilization
Example The following example shows information for loopback interface 8:

ACOS#show interfaces loopback 8
Loopback 8 is up, line protocol is up
Hardware is Loopback
Example The following example shows Virtual Ethernet (VE) interface statistics:
ACOS#show interface ve 10
VirtualEthernet 10 is up, line protocol is up
Hardware is VirtualEthernet, Address is 001f.a004.c0e2
IPv6 address is 2001:10::241 Prefix 64 Type: unicast
IPv6 link-local address is fe80::21f:a0ff:fe04:c0e2 Prefix 64 Type: unicast
Router Interface for L2 Vlan 10
28 packets input 2024 bytes
Transmitted 8 broadcasts, Transmitted 2 multicasts, Transmitted 0 unicasts
300 second input rate: 48 bits/sec, 0 packets/sec
300 second output rate: 16 bits/sec, 0 packets/sec

show interfaces media
show interfaces media

Description Display information about 1-Gbps and 10-Gbps small form-factor plugga-
ble (SFP+) interfaces.
Syntax show interfaces media
Usage On Virtual Chassis System (VCS), the show interfaces media CLI com-
mand provides device-specific media information.
Note: In a Layer 3 virtualization mode, the show interfaces media command

does not show information on media installed in ports that belong to a pri-
vate partition.
On platforms that do not have a 1 Gigabit Ethernet port installed, on FPGA

platforms, or on a SoftAX, the following message is displayed when you
issue the show interfaces media command: No SPF/SPF+ ports
found in this model.
Example The following example displays the output of the show interfaces media
command. The example displays output on ports with an installed 1 Gigabit
SFP and a 10 Gigabit SFP+ module. When an SFP is not installed, or if the
port has not been enabled, an error message appears in the output, as shown
below:
ACOS-Active#show interface media
port 10:
Type: SFP 1000BASE-SX
Vendor: JDS UNIPHASE
Part#: JSH-21S3AB3 Serial#:F549470401B0
port 11:
No media detected.
port 18:
Type: SFP+ 10G Base-SR
Vendor: FINISAR CORP.
Part#: FTLX8571D3BCL Serial#:UG505PM
port 19:
No media detected.

show interfaces statistics
port 20:
Cannot retrieve media information when port is disabled.
In this example, the SFP+ interface for port 18 is installed and its link is up.
The other 10-Gbps interfaces either are down or do not have an SFP+
installed.
Example The following example shows the CLI response if you enter the show inter-
faces media on an ACOS device that does not support SFP+ interfaces:
AX#show interfaces media
No 10G fiber port installed.
show interfaces statistics

Description Display interface statistics.
Syntax show interfaces statistics

[ethernet portnum [ethernet portnum ...]]
[{in-pps | in-bps | out-pps | out-bps}]
[interval seconds]
ethernet
portnum Ethernet data interface numbers for which to dis-
play statistics. If you omit this option, statistics
are displayed for all Ethernet data interfaces.
in-pps Inbound traffic, in packets per second (PPS).
in-bps Inbound traffic, in bytes per second (BPS).
out-pps Outbound traffic, in packets per second (PPS).
out-bps Incoming traffic, in bytes per second (BPS).
interval
seconds Refreshes the statistics at the specified interval,
1-32 seconds. If you do not use this option, the
statistics are displayed only once.

show ip dns
show ip dns
Description Display the DNS configuration.
Syntax show ip dns
Mode All
show ip
Description Show the IP mode in which the ACOS device is running, gateway or trans-
parent mode.
Syntax show ip
Mode All
Example The following command shows that the ACOS device is running in gateway
mode:
ACOS#show ip
System is running in Gateway Mode
show ip active-vrid
Description Show information for the active VRRP-A device.
Syntax show ip active-vrid [num | default]
Option Description
num Specify VRRP vrid number (1-31).
default The default VRRP vrid number.
Mode All
Usage This command displays information for the active VRRP-A device in aVCS
deployments that also use VRRP-A. In aVCS deployments, the virtual chas-
sis has a floating IP address that serves as the management interface. When
you enter show commands from within a session on the virtual chassis’
floating IP address, the information in the output comes from the vMaster.

show ip active-vrid
In some cases, the information can differ depending on whether the vMaster
is also the active VRRP-A device.
Note: The active-vrid option is displayed in the CLI help only if aVCS and
VRRP-A both are enabled. Otherwise, the option is inapplicable and is
not displayed.
The following commands support the active-vrid option:
• All commands that support the device DeviceID option
• vcs device-context command
• All show slb commands that include statistics in the output
Example The following examples show how the output can differ depending on
whether the vMaster is also the active VRRP-A device. These examples
also show use of the active-vrid option.
All of the commands are entered in the CLI session on the virtual chassis’s
floating IP address.
Output Examples for show arp

The following command displays the ARP table. In this example, the ACOS
device is the vMaster for an aVCS virtual chassis, and is also the active
VRRP-A device.
AX-Active-vMaster[1/1]#show arp
---------------------------------------------------------------------------
192.168.18.1 aaaa.aaaa.aaaa Dynamic 9 Management 1
192.168.18.120 bbbb.bbbb.bbbb Dynamic 251 Management 1
Since neither the device nor the active-vrid option is used, by default the
ARP table of the vMaster is displayed. In the following example, a failover
has occurred. The vMaster is a standby VRRP-A device instead of the
active device.
AX-Standby-vMaster[1/1]#show arp
---------------------------------------------------------------------------
192.168.18.1 aaaa.aaaa.aaaa Dynamic 11 Management 1
192.168.18.120 bbbb.bbbb.bbbb Dynamic 253 Management 1
Notice that the ARP entries are the same. The information is still from the
vMaster.

show ip active-vrid
In the current release and previous releases, you can use show commands to
determine which device is the active VRRP-A device for a VRID, then use
the device option with the show command to display the information from
the active VRRP-A device. The active-vrid option provides a simpler way
to access the information, as shown in the following example:
AX-Standby-vMaster[1/1]#show arp active-vrid default
---------------------------------------------------------------------------
192.168.20.11 cccc.cccc.cccc Dynamic 15 Management 1
192.168.20.13 dddd.dddd.dddd Dynamic 257 Management 1
This output shows the ARP table on the active VRRP-A device for the
default VRID. The CLI prompt does not change, because the CLI session is
still on the virtual chassis’ floating IP address, which is managed by the
vMaster. The information, however, comes from the active device for the
VRID.
Output Examples for show virtual-server

This example is similar to the previous one. The information in the first two
output examples shown below comes from the vMaster, even though the
vMaster is a VRRP-A standby in the second set of output.
AX-Active-vMaster[1/1]#show slb virtual-server
Total Number of Virtual Services configured: 20
Virtual Server Name IP Current Total Request Response Peak
Service-Group Service connection connection packets packets connection
---------------------------------------------------------------------------------------
*vip1(A) 70.70.70.51 Partial Up
port 8080 http 0 0 0 0 0

sg-80 8080/http 0 23 816531 3035452 0
Total received conn attempts on this port: 0
AX-Standby-vMaster[1/1]#show slb virtual-server

---------------------------------------------------------------------------------------
*vip1(S) 70.70.70.51 Partial Up
port 8080 http 0 0 0 0 0

sg-80 8080/http 0 23 816531 3035452 0

show {ip | ipv6} fib
In both sets of output, the counters for request packets and response packets
are the same, indicating that the statistics come from the same AX device,
which is the vMaster.
In the following example, the active-vrid option is used. The statistics

counter values are from the active VRRP-A device for the default VRID. In
this example, the counters show 0; it is likely that failover very recently
occurred.
AX-Standby-vMaster[1/1]#show slb virtual-server active-vrid default
----------------------------------------------------------------------------------------
*vip1(A) 70.70.70.51 Partial Up
port 8080 http 0 0 0 0 0

sg-80 8080/http 0 23 0 0 0
show {ip | ipv6} fib

Description Display Forwarding Information Base (FIB) entries.
Note: This command is applicable only on A10 Thunder Series and AX Series
devices that are configured in route mode. The command returns an error
if you enter it on a device configured for transparent mode.
Syntax show {ip | ipv6} fib
Mode All
Example The following command shows the IPv4 FIB entries on an A10 Thunder
Series and AX Series device configured in route mode:
ACOS#show ip fib
Prefix Next Hop Interface Distance
------------------------------------------------------------------------
0.0.0.0 /0 192.168.20.1 ve10 0
192.168.20.0 /24 0.0.0.0 ve10 0
Total routes = 2

show ip helper-address
Example The following command shows IPv6 FIB entries:

ACOS(config)#show ipv6 fib
Prefix Next Hop Interface Metric Index
----------------------------------------------------------------------------
b101::/64 :: Ethernet 6 256 0
Total routes = 1
Description Display DHCP relay information.
Syntax show ip helper-address [detail]
Mode All
Example The following command shows summary DHCP relay information:

AX3200(config)#show ip helper-address
Interface Helper-Address RX TX No-Relay Drops
--------- -------------- ------------ ------------ ------------ ------------
eth1 100.100.100.1 0 0 0 0
ve5 100.100.100.1 1669 1668 0 1
ve7 1668 1668 0 0
ve8 100.100.100.1 0 0 0 0
ve9 20.20.20.102 0 0 0 0
TABLE 22 show ip helper-address fields

Field Description
Interface AX interface. Interfaces appear in the output in either of the
following cases:
• A helper address is configured on the interface.
• DHCP packets are sent or received on the interface.
Helper-Address Helper address configured on the interface.
RX Number of DHCP packets received on the interface.
TX Number of DHCP packets sent on the interface.

TABLE 22 show ip helper-address fields (Continued)

Field Description
No-Relay Number of packets that were examined for DHCP relay but
were not relayed, and instead received regular Layer 2/3 pro-
cessing.
Generally, this counter increments in the following cases:
• DHCP packets are received on an interface that does not
have a helper address and the packets are not destined to
the relay.
• DHCP packets are received on an interface that does have
a helper address, but the packets are unicast directly from
the client to the server and do not need relay intervention.
Drops Number of packets that were ineligible for relay and were
dropped.
Example The following command shows detailed DHCP relay information:

AX#show ip helper-address detail
IP Interface: eth1
------------
Helper-Address: 100.100.100.1
Packets:
RX: 0
BootRequest Packets : 0
BootReply Packets : 0
TX: 0
No-Relay: 0
Drops:
Invalid BOOTP Port : 0
Invalid IP/UDP Len : 0
Invalid DHCP Oper : 0
Exceeded DHCP Hops : 0
Invalid Dest IP : 0
Exceeded TTL : 0
No Route to Dest : 0
Dest Processing Err : 0
IP Interface: ve5
------------
Helper-Address: 100.100.100.1
Packets:

RX: 16
TX: 14
No-Relay: 0
Drops:
Invalid Dest IP : 0
Exceeded TTL : 0
IP Interface: ve7
------------
Helper-Address: None
Packets:
RX: 14
TX: 14
No-Relay: 0
Drops:
Invalid Dest IP : 0
Exceeded TTL : 0

TABLE 23 show ip helper-address detail fields

Field Description
IP Interface AX interface.
Helper-Address IP address configured on the AX interface as the DHCP
helper address.
Packets DHCP packet statistics:
• RX – Total number of DHCP packets received on the
interface.
• BootRequest Packets – Number of DHCP boot request
packets (Op = BOOTREQUEST) received on the inter-
face.
• BootReply Packets – Number of DHCP boot reply
packets (Op = BOOTREPLY) received on the interface.
• TX – Total number of DHCP packets sent on the interface.
• BootRequest Packets – Number of DHCP boot request
packets (Op = BOOTREQUEST) sent on the interface.
• BootReply Packets – Number of DHCP boot reply
packets (Op = BOOTREPLY) sent on the interface.
No-Relay Number of packets that were examined for DHCP relay but
were not relayed, and instead received regular Layer 2/3 pro-
cessing.
Generally, this counter increments in the following cases:
• DHCP packets are received on an interface that does not
have a helper address and the packets are not destined to
the relay.
• DHCP packets are received on an interface that does have
a helper address, but the packets are unicast directly from
the client to the server and do not need relay intervention.

show {ip | ipv6} interfaces
TABLE 23 show ip helper-address detail fields (Continued)

Field Description
Drops Lists the following counters for packets dropped on the inter-
face:
• Invalid BOOTP Port – Number of packets dropped
because they had UDP destination port 68 (BOOTPC).
• Invalid IP/UDP Len – Number of packets dropped because
the IP or UDP length of the packet was shorter than the
minimum required length for DHCP headers.
• Invalid DHCP Oper – Number of packets dropped because
the Op field in the packet header did not contain
BOOTREQUEST or BOOTREPLY.
• Exceeded DHCP Hops – Number of packets dropped
because the number in the Hops field was higher than 16.
• Invalid Dest IP – Number of packets dropped because the
destination was invalid for relay.
• Exceeded TTL – Number of packets dropped because the
TTL value was too low (less than or equal to 1).
• No Route to Dest – Number of packets dropped because
the relay agent (AX device) did not have a valid forward-
ing entry towards the destination.
• Dest Processing Err – Number of packets dropped because
the relay agent experienced an error in sending the packet
towards the destination.

Description Display IP interfaces.
[ethernet port-num] |
[ve ve-num] |
[loopback lb-num] |
[management]
Mode All
Example The following command shows the IPv4 interfaces configured on Ethernet
interface 1:
AX#show ip interfaces ethernet 1
IP addresses on ethernet 1:
ip 10.10.10.241 netmask 255.255.255.0 (Primary)
ip 10.10.10.242 netmask 255.255.255.0
ip 10.10.10.243 netmask 255.255.255.0

show {ip | ipv6} nat
ip 10.10.10.244 netmask 255.255.255.0

ip 10.10.11.244 netmask 255.255.255.0
Example The following command shows the IPv4 interfaces configured on VEs:
AX#show ip interfaces ve
Port IP Netmask PrimaryIP
--------------------------------------------------
--------------------------------------------------
ve4 60.60.60.241 255.255.255.0 Yes
50.60.60.241 255.255.252.0 No
--------------------------------------------------
ve6 99.99.99.241 255.255.255.0 Yes
The PrimaryIP column indicates whether the address is the primary IP

address for the interface. (For more information, see “ip address” on
page 295.)

Description Display NAT information.
Syntax show ip nat option
Option Description
alg pptp
{statistics |
status} Shows information for NAT Application Layer
Gateway (ALG) for Point-to-Point Tunneling
Protocol (PPTP).
statistics – Shows statistics.
status – Shows whether the feature is enabled.
interfaces Shows the NAT direction enabled on each inter-
face.
pool
[pool-name]
[statistics] Shows pool information.
pool-group
[pool-group-
name] Shows pool group information.
range-list
range-name Shows configured static NAT ranges.

static-binding
[ipaddr] |
[statistics
[ipaddr]] Shows configuration information or statistics for
static NAT bindings.
statistics Shows NAT statistics.
template
logging Shows information for external logging tem-
plates, if configured.
timeouts Shows the timer settings.
translations Shows currently active NAT translations.
Mode All
Example The following command shows the NAT interface settings:

ACOS#show ip nat interfaces
Total IP NAT Interfaces configured: 2
Interface NAT Direction
-----------------------------
ve10 outside
ve11 inside
Example The following command shows the configured NAT pools:

ACOS#show ip nat pool
Total IP NAT Pools: 6
Pool Name Start Address End Address Mask Gateway HA Group
-----------------------------------------------------------------------------
172.pool1 192.168.66.201 192.168.66.201 /24 0.0.0.0 1
172.pool3 192.168.66.215 192.168.66.217 /24 0.0.0.0 1
Example The following command shows NAT pool statistics:

ACOS#show ip nat pool statistics
Pool Address Port Usage Total Used Total Freed
----------------------------------------------------------------------------
172.pool1 192.168.66.201 0 0 0
Pool Address Port Usage Total Used Total Freed
----------------------------------------------------------------------------
172.pool3 192.168.66.215 0 0 0
192.168.66.216 0 0 0
192.168.66.217 0 0 0
In the show ip nat pool statistics output, the Address column lists the
source addresses that are bound to NAT addresses. The Port Usage column
indicates how many sessions are currently being NATted for each address.
Each session counted here uses a unique TCP or UDP protocol port. ICMP
traffic does not cause this counter to increment.

The Total Used column indicates the total number of sessions that have
been NATted for the source address. The Total Freed column indicates how
many NATted sessions have been terminated, thus freeing up a port for
another session.
Example The following command displays statistics for static source NAT bindings:
AX#show ip nat static-binding statistics
Source Address Port Usage Total Used Total Freed
------------------------------------------------------------------------------
30.30.31.35 1727 329756 328029
30.30.31.36 1799 343950 342151
30.30.31.37 1793 346257 344464
30.30.31.38 1829 232605 230776
30.30.31.39 1738 241147 240937
30.30.31.40 1774 286022 284248
Example The following command shows NAT statistics:

ACOS#show ip nat statistics
Outside interfaces: ethernet1
Inside interfaces: ethernet3
Hits: 1 Misses: 0
Outbound TCP sessions created: 6
Outbound UDP sessions created: 7
Outbound ICMP sessions created: 8
Inbound TCP sessions created: 8
Inbound UDP sessions created: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool p2
start 192.168.217.200 end 192.168.217.200
total addresses 1, allocated 0, misses 0
Example The following command shows NAT timeout settings:

AX#show ip nat timeouts
NAT Timeout values in seconds:
SYN TCP UDP ICMP
------------------------
60 300 300 fast
Service 53/udp has fast-aging configured
In this example, the output indicates that fast aging is used for IP NATted
ICMP sessions, and for IP NATted DNS sessions on port 53.

The message at the bottom of the display indicates that the fast aging setting
(SLB MSL timeout) will be used for IP NATted UDP sessions on port 53. If
the message is not shown in the output, then the timeout shown under
“UDP” will be used instead.
The following command displays PPTP NAT ALG statistics.

ACOS(config-if:ethernet2)#show ip nat alg pptp statistics
Statistics for PPTP NAT ALG:
-----------------------------
Calls In Progress: 10
Call Creation Failure: 0
Truncated PNS Message: 0
Truncated PAC Message: 0
Mismatched PNS Call ID: 1
Mismatched PAC Call ID: 0
Retransmitted PAC Message: 3
Truncated GRE Packets: 0
Unknown GRE Packets: 0
No Matching Session Drops: 4
TABLE 24 show ip nat alg pptp statistics fields

Field Description
Calls In Progress Current call attempts, counted by inspecting the TCP control
session. This counter will decrease once the first GRE packet
arrives.
Call Creation Number of times a call could not be set up because the
Failure ACOS device ran out of memory or other system resources.
Truncated PNS Number of runt TCP PPTP messages received from clients.
Message
Truncated PAC Number of runt TCP PPTP messages received from servers.
Message
Mismatched Number of calls that were disconnected because the GRE
PNS Call ID session had the wrong Call ID.
Mismatched Number of calls that were disconnected because they had the
PAC Call ID wrong Call ID.
Retransmitted Number of TCP packets retransmitted from PAC servers.
PAC Message
Truncated GRE Number of runt GRE packets received by the ACOS device.
Packets
Unknown GRE Number of GRE packets that were not used for PPTP and
Packets were dropped.

show ipv6 ndisc
TABLE 24 show ip nat alg pptp statistics fields (Continued)

Field Description
No Matching Number of GRE PPTP packets sent with no current call.
Session Drops
show ipv6 ndisc

Description Display information for IPv6 router discovery.
Syntax show ipv6 ndisc router-advertisement

{ethernet portnum | ve ve-num | statistics}
Mode All
The following command displays configuration information for IPv6 router

discovery on an Ethernet interface. In this example, the interface is VE 10.
AX#show ipv6 ndisc router-advertisement ve 10
Interface VE 10
Send Advertisements: Enabled
Max Advertisement Interval: 200
Min Advertisement Interval: 150
Advertise Link MTU: Disabled
Reachable Time: 0
Retransmit Timer: 0
Current Hop Limit: 255
Default Lifetime: 200
Max Router Solicitations Per Second: 100000
HA Group ID: None
Number of Advertised Prefixes: 2
Prefix 1:
Prefix: 2001:a::/96
On-Link: True
Valid Lifetime: 4400
Prefix 2:
Prefix: 2001:32::/64
On-Link: True
Valid Lifetime: 2592000

show ipv6 neighbor
The following command displays router discovery statistics:

ACOS(config)#show ipv6 ndisc router-advertisement statistics
IPv6 Router Advertisement/Solicitation Statistics:
--------------------------------------------------
Good Router Solicitations (R.S.) Received: 1320
Periodic Router Advertisements (R.A.) Sent: 880
R.S. Rate Limited: 2
R.S. Bad Hop Limit: 1
R.S. Truncated: 0
R.S. Bad ICMPv6 Checksum: 0
R.S. Unknown ICMPv6 Code: 0
R.S. Bad ICMPv6 Option: 0
R.S. Src Link-Layer Option and Unspecified Address: 0
No Free Buffers to send R.A.: 0
The error counters apply to router solicitations (R.S.) that are dropped by
the ACOS device.
The Src Link-Layer Option and Unspecified Address counter indicates the
number of times the ACOS device received a router solicitation with source
address “::” (unspecified IPv6 address) and with the source link-layer
(MAC address) option set.
Note: In the current release, the ACOS device does not drop IPCMv6 packets
that have bad (invalid) checksums.
show ipv6 neighbor

Description Display information about neighboring IPv6 devices.
Syntax show ipv6 neighbor [ipv6-addr]
Mode All
Example The following command shows IPv6 neighbors:

ACOS(config)#show ipv6 neighbor
Total IPv6 neighbor entries: 2
IPv6 Address MAC Address Type Age State Interface Vlan
---------------------------------------------------------------------------------------
b101::1112 0007.E90A.4402 Dynamic 30 Reachable ethernet 6 1
fe80::207:e9ff:fe0a:4402 0007.E90A.4402 Dynamic 20 Reachable ethernet 6 1

show ip protocols
show ip protocols
Description Show information for dynamic routing protocols.
Syntax show ip protocols [bgp | isis | ospf | rip]
show ip protocols
Mode All
show ipv6 protocols

Description Show information for dynamic routing protocols.
Syntax show ip protocols [isis | rip]
show ipv6 protocols
Mode All
show ip route
Description Display the IPv4 routing table.
Syntax show ip route

[
ipaddr[/mask-length] |
all |
connected |
database |
floating-ip |
ip-nat |
ip-nat-list |
isis |
kernel |
mgmt |
ospf |
selected-vip |
static |
summary |
vip
]
Mode All

show ipv6 route
Usage The show ip route summary command displays summary information for
all IP routes, including the total number of routes. The command output
applies to both the data route table and the management route table, which
are separate route tables.
The following commands display routes for only one of the route tables:
• show ip route – Shows information for the data route table only.
• show ip route mgmt – Shows information for the management route

table only.
The total number of routes listed by the output differs depending on the
command you use. For example, the total number of routes listed by the
show ip route command includes only data routes, whereas the total num-
ber of routes listed by the show ip route summary command includes data
routes and management routes.
Example The following example shows the IP route table:

ACOS#show ip route
Codes: C - connected, S - static, O - OSPF
S* 0.0.0.0/0 [1/0] via 192.168.20.1, ve 10

S* 192.168.1.0/24 [1/0] is directly connected, Management
C* 192.168.1.0/24 is directly connected, Management
C* 192.168.19.0/24 is directly connected, ve 10
Total number of routes : 4
show ipv6 route

Description Display the IPv6 routing table.
Syntax show ipv6 route

[
ipv6-addr[/mask-length] |
connected |
database |
isis |
kernel |
mgmt |
ospf |
static |
summary |
]
Mode All

show ipv6 traffic
show ipv6 traffic

Description Display IPv6 traffic statistics.
Syntax show ipv6 traffic

[device DeviceID]
Mode All
Example The following command shows IPv6 traffic statistics:

AX#show ipv6 traffic
Traffic Type Received Sent
--------------------------------------
Neigh Solicit 2 0
Neigh Adverts 2 2
Echo Request 0 0
Echo Replies 5 0
Errors 0 0
show isis
Description See “Config Commands: Router – IS-IS” on page 465.
show key-chain
Description Show configuration information for an authentication key chain.
Syntax show key-chain key name [key num]
Option Description
name Name of the key chain.
key num Key number (1-255).

show lacp
Mode Privileged EXEC and all Config levels
show lacp
Description Show configuration information and statistics for Link Aggregation Control
Protocol (LACP).
Syntax show lacp sys-id
Syntax show lacp counter [lacp-trunk-id]
Syntax show lacp trunk

[
admin-key-list-details |
detail |
port {ethernet portnum | loopback num |
management | trunk lacp-trunk-id | udld num |
ve ve-num} |
summary |
lacp-trunk-id
]
Option Description
sys-id Shows the LACP system ID of the ACOS device.
lacp-trunk-id Shows information only for the specified LACP
trunk.
port interface Shows information only for the specified inter-
face.
summary Shows summary information.
Mode All
Example The following command shows LACP statistics:

AX-1#show lacp counters
Traffic statistics
Port LACPDUs Marker Pckt err
Sent Recv Sent Recv Sent Recv
Aggregator po5 1000000
ethernet 1 81 81 0 0 0 0
ethernet 2 81 81 0 0 0 0
ethernet 6 233767 233765 0 0 0 0

show lacp-passthrough
In this example, LACP has dynamically created two trunks, 5 and 10.
Trunk 5 contains ports 1 and 2. Trunk 10 contains port 6.
Example The following command shows summary trunk information:

AX-1#show lacp trunk summary
Admin Key: 0005 - Oper Key 0005
Link: ethernet 1 (3) sync: 1
Admin Key: 0010 - Oper Key 0010
show lacp-passthrough
Description Show information for the LACP passthrough feature.
Syntax show lacp-passthrough
Mode All
show license
Description Display the host ID and, if applicable, serial number of the license applied
to this ACOS device.
Syntax show license [uid]
Option Description
uid Show the serial number associated with the UID.
Mode All
Example
ACOS(config)#show license
Host ID: 029984E1BC8EF50901B63DC0DCD1FE8A02017B9B
ACOS(config)#show license uid
029984E1BC8EF50901B63DC0DCD1FE8A02017B9B

show lldp statistics
show lldp statistics

Description Displays LLDP receive or send error statistics, You can display information
on all interfaces or only display information on a specified interface.
Syntax show lldp statistics [interface Ethernet eth-num]
Mode All
show lldp neighbor statistics

Description Displays information on all remote neighbors or on the specified interface.
Syntax show lldp neighbor statistics

[interface Ethernet eth-num]
Mode All
show locale
Description Display the configured CLI locale.
Syntax show locale
Mode All
Example The following command shows the locale configured on an A10 Thunder
ACOS#show locale
en_US.UTF-8 English locale for the USA, encoding with UTF-8 (default)

show log
show log
Description Display entries in the syslog buffer or display current log settings (policy).
Log entries are listed starting with the most recent entry on top.
Syntax show log [length num] [policy]
Option Description
length num Shows the most recent log entries, up to the num-
ber of entries you specify. You can specify
1-1000000 entries.
policy Shows the log settings. To display log entries,
omit this option.
Mode All
Example The following command shows the log settings:

ACOS#show log policy
Syslog facility: local0
Flow-control: disable
Name Level
----------------------------
Console error
Buffer debugging
Email disable
Trap disable
Syslog debugging
Monitor debugging
Example The following command shows log entries.

ACOS#show log
Log Buffer: 30000
Jan 17 11:32:02 Warning A10LB HTTP request has p-conn
Jan 17 11:31:01 Notice The session [1] is closed
Jan 17 11:31:00 Info Load libraries in 0.044 secs
Jan 17 11:26:19 Warning A10LB HTTP response not beginning of header: m coun-
terType="1" hourlyCount="2396" dailyCount="16295" weeklyCount="16295" monthly

show mac-address-table

Jan 17 11:12:47 Notice The session for user admin from 192.168.1.166 is
opened. Session ID is [4]
Jan 17 11:09:18 Warning A10LB HTTP response not beginning of header: 5a8^M
p; ^M Korn shell programming
la
--MORE--
show mac-address-table
Description Display MAC table entries.
Syntax show mac-address-table

[macaddr | port port-num | vlan vlan-id]
[device DeviceID]
Option Description
macaddr Shows the MAC table entry for the specified
MAC address. Enter the MAC address in the fol-
lowing format: aaaa.bbbb.cccc
port port-num Shows the MAC table entries for the specified
Ethernet port.
vlan vlan-id Shows the MAC table entries for the specified
VLAN.
device
DeviceID See “Usage” below.
Mode All

show management
Example The following command displays the MAC table entry for MAC address
0013.72E3.C773:
ACOS#show mac-address-table 0013.72E3.C773
Total active entries: 1 Age time: 300 secs
MAC-Address Port Type Index Vlan Age
---------------------------------------------------------
0013.72E3.C773 1 Dynamic 16 10 90
TABLE 25 show mac-address-table fields

Field Description
Total active Total number of active MAC entries in the table. An active
entries entry is one that has not aged out.
Age time Number of seconds a dynamic (learned) MAC entry can
remain unused before it is removed from the table.
MAC-Address MAC address of the entry.
Port Ethernet port through which the MAC address is reached.
Type Indicates whether the entry is dynamic or static.
Index The MAC entry’s position in the MAC table.
Vlan VLAN the MAC address is on.
Age Number of seconds since the entry was last used.
show management
Description Show the types of management access allowed on each of the A10 Thunder
Series and AX Series device’s Ethernet interfaces.
Syntax show management [ipv4 | ipv6]
Mode All
Usage To configure the management access settings, see “enable-management” on

page 147 and “disable-management” on page 139.
Note: If you do not use either option, IPv4 access information is shown.
Example The following command shows IPv4 management access information:

ACOS(config)#show management ipv4
PING SSH Telnet HTTP HTTPS SNMP ACL
---------------------------------------------------------------------------------------
mgmt on on off on on on -
eth1 on ACL 1 off off off off -
eth2 on off off off off off -

show management
If access is controlled by an ACL, the ACL ID listed. In this example, man-

agement access through Ethernet interface 1 using SSH over IPv4 is con-
trolled by ACL “1”.
Example The following command shows IPv6 management access information:

ACOS(config)#show management ipv6
PING SSH Telnet HTTP HTTPS SNMP ACL
---------------------------------------------------------------------------------------
mgmt on on off on on on -
eth1 on ACL test off off off off -

show memory
In this example, management access through Ethernet interface 1 using SSH

over IPv6 is controlled by ACL “test”.
show memory
Description Display memory usage information.
Syntax show memory [cache | system]

[device DeviceID]
Option Description
cache Shows cache statistics.
system Shows summary statistics for memory usage.
device
DeviceID See “Usage” below.
Example The following command shows summary statistics for memory usage:
ACOS#show memory system
System Memory Usage:
Total(KB) Free Shared Buffers Cached Usage
---------------------------------------------------------------------------
2070368 751580 0 269560 96756 59.0%
Example The following command shows memory usage for individual system mod-
ules:
ACOS#show memory
Total(KB) Used Free Usage
----------------------------------------------------
Memory: 2070368 1222016 848352 59.0%

show memory
System memory:
Object size(byte) Allocated(#) Max(#)
----------------------------------------------------------------
16 195 10240
48 21 10240
112 536 10240
240 20 10240
496 3 10240
1008 1 1280
2032 1 1280
4080 0 1280
aFleX memory:
----------------------------------------------------------------
16 438 10240
48 1204 163840
--MORE--
48 1204 163840
112 759 163840
240 53 320
496 25 160
1008 10 80
2032 1 40
4080 8 40
N2 memory:
----------------------------------------------------------------
96 1 10240
224 0 10240
480 0 10240
992 2000 10240
2016 1512 10240
SSL memory:
----------------------------------------------------------------
48 2786 10240
112 72 10240
240 81 10240
--MORE--
Example The following command shows memory cache information:

ACOS#show memory cache
System block 16:
Object size: 16, Total in pool: 10240, Allocated to control: 195
Allocated to 8 data threads: 0, 0, 0, 0, 0, 0, 0, 0,

show mirror
System block 48:

Object size: 48, Total in pool: 10240, Allocated to control: -46510
Allocated to 8 data threads: -426, 29556, 17401, 0, 0, 0, 0, 0,
System block 112:

System block 240:

System block 496:

System block 1008:

--MORE--
show mirror
Description Display port mirroring information.
Syntax show mirror
Mode All
Example The following example shows the port mirroring configuration on an A10
Thunder Series and AX Series device:
ACOS#show mirror
Mirror Port : 4
Port monitored at ingress : 2
Port monitored at egress : 2
TABLE 26 show mirror fields

Field Description
Mirror Port Port to which the traffic is copied. This is the port to which
the protocol analyzer should be attached.
Port monitored at Port(s) whose inbound traffic is copied to the monitor port.
ingress
Port monitored at Port(s) whose outbound traffic is copied to the monitor port.
egress

show monitor
show monitor
Description Display the event thresholds for system resources.
Syntax show monitor
Mode All
show ntp
Description Show the Network Time Protocol (NTP) configuration and status.
Syntax show ntp {servers | status}
Option Description
servers Shows the NTP configuration and shows whether
the A10 Thunder Series and AX Series device is
synchronized with the NTP server.
status Shows whether the A10 Thunder Series and AX
Series device is synchronized with the NTP
server.
Example The following command shows the NTP configuration and the synchroniza-
tion status:
ACOS#show ntp servers
( * = The NTP server is currently synchronized with AX system )
Ntp server Mode
---------------------------
*10.1.4.20 enabled
TABLE 27 show ntp fields

Field Description
NTP server IP address of the NTP server.
The asterisk ( * ) in front of the address indicates that the
A10 Thunder Series and AX Series device is synchronized
with the NTP server. If there is no asterisk, the device is not
synchronized with the NTP server.
Status Indicates whether NTP is enabled.

show object-group
Example The following command shows the NTP synchronization status:

ACOS#show ntp status
NTP sync status: success
show object-group
Description Show object groups, a named set of IP addresses or protocol values used for
extended IPv4 or IPv6 ACLs.
Syntax show object-group [network name | service name]
Option Description
network name Show a network object group which contains IP
address match criteria.
service name Show a service object group which contains pro-
tocol match criteria.
Mode All
show partition
Description Show the private partitions, used by Role-Based Administration (RBA),
that are configured on the ACOS device.
Syntax show partition
Mode All
Usage To use this command, you must be logged in with an admin account that has
Root, Read-write, or Read-only privileges. (See “show admin” on page 840
for descriptions of the admin privilege levels.)
Example The following command displays the private partitions configured on an

ACOS device:
ACOS(config)#show partition
Total Number of partitions configured: 2
Partition Name L3V Index Max. Aflex Admin Count
--------------------------------------------------
companyA No 1 32 2
companyA No 2 32 3

show pbslb
TABLE 28 show partition fields

Field Description
Max Number Maximum number of partitions the ACOS device can have.
allowed
Total Number of Total number of partitions the ACOS device currently has.
partitions config-
ured
Partition Name Name of the private partition.
L3V Indicates whether Layer 2/3 virtualization is enabled for the
partition:
• No
• Yes
Index Partition ID assigned to the partition by the admin who cre-
ated the partition.
Note: This field also lists potential IDs for partitions to
which IDs have not been assigned. However, these potential
IDs do not appear in the configuration (running-config or
startup-config).
Max. aFleX Maximum number of aFleX policies that can belong to the
partition.
Admin Count Number of admins configured for the partition.
show pbslb
Description Show configuration information and statistics for Policy-based SLB
(PBSLB).
Syntax show pbslb [name]
show pbslb client [ipaddr]
show pbslb system
show pbslb virtual-server virtual-server-name

[port port-num service-type]
Option Description
name Shows information for virtual servers.
client [ipaddr] Shows information for black/white list clients.
system Shows statistics for system-wide PBSLB.

show pbslb
virtual-server
virtual-server-
name
[port port-num
service-type] Shows statistics for IP limiting on the specified
virtual server.
Mode All
Example The following command shows PBSLB class-list information for an A10
ACOS#show pbslb
Virtual server class list statistics:
F = Flag (C-Connection, R-Request), Over-RL = Over rate limit
Source Destination F Current Rate Over-limit Over-RL
---------------+---------------------+-+---------+---------+----------+----------
10.1.2.1 10.1.11.1:80 C 15 1 0 0
Total: 1
TABLE 29 show pbslb fields

Field Description
Source Client IP address.
Destination VIP address.
Flag Indicates whether the row of information applies to connec-
tions or requests:
• C – The statistics listed in this row are for connections.
• R – The statistics listed in this row are for HTTP requests.
Current Current number of connections or requests.
Rate Current connection or request rate, which is the number of
connections or requests per second.
Over Limit Number of times client connections or requests exceeded the
configured limit.
Over Rate Limit Number of times client connections or requests exceeded the
configured rate limit.
Example The following command shows PBSLB black/white-list information for an

A10 Thunder Series and AX Series device:
ACOS#show pbslb
Total number of PBSLB configured: 1
Virtual server Port Blacklist/whitelist GID Connection # (Establish Reset Drop)
------------------------------------------------------------------------------
PBSLB_VS1 80 sample-bwlist 2 0 0 0
4 0 0 0

show poap
TABLE 30 show pbslb fields

Field Description
Total number of Number of black/white lists imported onto the A10 Thunder
PBSLB config- Series and AX Series device.
ured
Virtual server SLB virtual server to which the black/white list is bound.
Port Protocol port.
Blacklist/ Name of the black/white list.
whitelist
GID Group ID.
Connection # Number of client connections established to the group and
Establish protocol port.
Connection # Number of client connections to the group and protocol port
Reset that were reset.
Connection # Number of client connections to the group and protocol port
Drop that were dropped.
Example The following command shows PBSLB information for VIP “vs-22-4”:
AX#show pbslb vs-22-4
GID = Group ID, A = Action, OL = Over-limit
GID Establish Reset(A) Drop(A) Reset(OL) Drop(OL) Ser-sel-fail
-------+-----------+-----------+-----------+-----------|-----------+------------
Virtual server: vs-22-4 Port: 80 B/W list: test
1 88 0 3 2 0 0
2 112 0 2 0 0 1
3 29 0 0 0 0 0
4 11 1 0 0 0 0
show poap
Description Display the Power On Auto Provisioning (POAP) mode.
Syntax show poap
Mode All
Example
ACOS(config)#show poap
Disabled

show process
show process
Description Display the status of system processes.
Syntax show process system

[device DeviceID]
Usage For descriptions of the system processes, see the “AX Software Processes”
section in the “System Overview” chapter of the System Configuration and
If the ACOS device is a member of an aVCS virtual chassis, you can use the
Example The following command shows the status of system processes on an A10
ACOS#show process system
a10mon is running
syslogd is running
a10logd is running
a10timer is running
a10Stat is running
a10hm is running
a10switch is running
a10rt is running
a10rip is running
a10ospf is running
a10snmpd is running
a10gmpd is running
a10wa is running
a10lb is running

show radius-server
show radius-server
Description Display RADIUS statistics.
Syntax show radius-server
Mode All
show reboot
Description Display scheduled system reboots.
Syntax show reboot
Mode All
Example The following command shows a scheduled reboot on an A10 Thunder

ACOS#show reboot
Reboot scheduled for 04:20:00 PST Sun Apr 20 2008 (in 63 hours and 16 minutes)
by admin on 192.168.1.144
Reboot reason: Outlook_upgrade
show router log file

Description Show router logs.
Syntax show router log file

[
file-num |
isisd [file-num] |
nsm [file-num] |
ospf6d [file-num] |
ospfd [file-num]
]
file-num Log file number.
nsm [file-num] Displays the specified Network Services Module
(NSM) log file, or all NSM log files.

show running-config
ospf6d
[file-num] Displays the specified IPv6 OSPFv3 log file, or
all OSPFv3 log files.
ospfd
[file-num] Displays the specified IPv4 OSPFv2 log file, or
all OSPFv2 log files.
Mode Any
show running-config
Description Display the running-config.
Syntax show running-config

[
ha |
health-monitor [name]
[all-partitions | partition partition-name] |
interfaces [ethernet [portnum] | ve [num] |
loopback [num] | management |
slb [server [name] | service-group [ip] [name] |
virtual-server [name]]
[all-partitions | partition partition-name] |
vlan [vlan-id] |
all-partitions |
partition partition-name |
with-default
]
Option Description
ha Shows High Availability configuration com-
mands in the running-config.
health-monitor
[name]
[all-partitions
| partition
partition-name] Shows health-monitor configuration commands
in the running-config.
To display the health monitors for a specific
RBA partition, use the partition partition-name
option.

show running-config
slb
[server [name]
| service-group
[ip] [name] |
virtual-server
[name]]
[all-partitions
| partition
partition-name] Shows SLB server, service-group, and virtual-
server configuration commands in the running-
config.
The ip option lists the following information:
For real servers with static IP addresses –
Displays the IP addresses of the real servers
instead of the server names. (See the exam-
ple below.)
For dynamically created real servers – Dis-
plays the hostnames of the dynamic real
servers.
To display the health monitors for a specific
RBA partition, use the partition partition-name
option.
vlan [vlan-id] Shows VLAN configuration commands in the
running-config.
all-partitions Shows all resources in all partitions. In this case,
the resources in the shared partition are listed
first. Then the resources in each private partition
are listed, organized by partition.
partition
partition-name Shows only the resources in the specified parti-
tion.
with-default Shows commands that are set to their default val-
ues. Without this option, only commands that are
set to non-default values are listed in the output.
Mode All
Usage The all-partitions and partition partition-name options are applicable on

you omit both options, only the resources in the shared partition are shown.

show running-config

Example The following command shows the running-config on an A10 Thunder

ACOS#show running-config
!Current configuration : 10577 bytes
!Configuration last updated at 18:01:01 PST Mon Jan 21 2008
!Configuration last saved at 15:09:41 PST Mon Jan 21 2008
!version 2.6.1, build 169 (Jan-24-2011,12:30)
!
hostname AX2K-B
!
clock timezone America/Tijuana
!
!
!
vlan 10
untagged ethernet 1
router-interface ve 10
!
vlan 11
untagged ethernet 2
!
vlan 20
tagged ethernet 4
--MORE--
Example In the example above, the members are listed by server name. To list them
by server IP address instead, use the ip option. Here is an example:
AX#show running-config slb service-group http1 ip
slb service-group http1 tcp
member 3.3.3.3:80
member 3.3.3.4:80

show session
show session
Description Display session information.
show session
[
brief |
filter {filter-name | config} |
ipv4 [addr-suboptions] |
ipv4v6 [addr-suboptions] |
ipv6 [addr-suboptions] |
radius |
persist [persistence-type [addr-suboptions]] |
sip [addr-suboptions]
]
brief Displays summary statistics for all session types.
filter
filter-name |
config Displays information about configured session
filters.
filter-name – Displays the specified session filter.
config – Displays all configured session filters.
ipv4 [addr-
suboptions] Displays information for IPv4 sessions. The fol-
lowing address suboptions are supported:
source-addr ipaddr
[{subnet-mask | /mask-length}] – Displays IPv4
sessions that have the specified source IP
address.
source-port port-num – Displays IPv4 sessions
that have the specified source protocol port num-
ber, 1-65535.
dest-addr ipaddr
[{subnet-mask | /mask-length}] – Displays IPv4
sessions that have the specified destination IP
address.
dest-port port-num – Displays IPv4 sessions that
have the specified destination protocol port num-
ber, 1-65535.

show session

ipv4v6 [addr-
suboptions] Displays information for IPv4-IPv6 or IPv6-IPv4
sessions. The following address suboptions are
supported:
source-addr
{ipaddr [{subnet-mask | /mask-length}] |
ipv6addr/mask-length} – Displays sessions that
have the specified IPv4 or IPv6 source IP
address.
source-port port-num – Displays sessions that
have the specified source protocol port number,
1-65535.
dest-addr
{ipaddr [{subnet-mask | /mask-length}] |
ipv6addr/mask-length} – Displays sessions that
have the specified IPv4 or IPv6 destination IP
address.
dest-port port-num – Displays sessions that have
the specified destination protocol port number,
1-65535.
ipv6 [addr-
suboptions] Displays information for IPv6 sessions. The fol-
lowing address suboptions are supported:
source-addr ipv6addr/mask-length – Displays
sessions that have the specified IPv6 source IP
address.
source-port port-num – Displays IPv6 sessions
that have the specified source protocol port num-
ber, 1-65535.
dest-addr ipv6addr/mask-length – Displays ses-
sions that have the specified IPv6 destination IP
address.

show session
dest-port port-num – Displays IPv6 sessions that

have the specified destination protocol port num-
ber, 1-65535.
persist
[persistence-
type [addr-
suboptions]] Displays information for persistent sessions. The
following options are supported:
persistence-type – Displays sessions of the speci-
fied persistence type:
dst-ip – Displays destination-IP persistent
sessions.
src-ip – Displays source-IP persistent ses-
sions.
ssl-sid – Displays SSl-session-ID persistent
sessions.
uie – Displays sessions that are made persis-
tent by the aFleX persist uie command.
The addr-suboptions are the same as those sup-
ported for show session ipv4. (See above.)
radius Displays information for RADIUS sessions.
sip [addr-
suboptions] Displays information for Session Initiation Pro-
tocol (SIP) sessions.
The addr-suboptions are the same as those sup-
ported for show session ipv4v6. (See above.)
Mode All
Usage For convenience, you can save session display options as a session filter.
(See “session-filter” on page 217.)
Note on Clearing Sessions

After entering the clear session command, the ACOS device may remain in
session-clear mode for up to 10 seconds. During this time, any new connec-
tions are sent to the delete queue for clearing.

show session
Example The following command lists information for all IPv4 sessions:
ACOS(config)#show session ipv4
Traffic Type Total
--------------------------------------------
TCP Established 2
TCP Half Open 0
UDP 0
Non TCP/UDP IP sessions 0
Other 0
Reverse NAT TCP 0
Reverse NAT UDP 0
Free Buff Count 0
Curr Free Conn 2007033
Conn Count 10
Conn Freed 8
TCP SYN Half Open 0
Conn SMP Alloc 13
Conn SMP Free 2
Conn SMP Aged 2

Age Hash Flags
---------------------------------------------------------------------------------------
--------------------
Tcp 1.0.4.147:49107 1.0.100.1:21 1.0.3.148:21 1.0.4.147:49107
120 2 OS
Tcp 1.0.16.2:58736 1.0.100.1:21 1.0.3.148:21 1.0.16.2:58736
60 2 OS
Total Sessions: 2
Note: The following counters apply only to the current partition:

• TCP Established
• TCP Half Open
• UDP
• Non TCP/UDP IP sessions
• Other
• Reverse NAT TCP
• Reverse NAT UDP
The other counters apply to all partitions, regardless of the partition from
which the command is entered.

show session
TABLE 31 show session fields

Field Description
TCP Established Number of established TCP sessions.
TCP Half Open Number of half-open TCP sessions. A half-open session is
one for which the A10 Thunder Series and AX Series device
has not yet received a SYN ACK from the backend server.
UDP Number of UDP sessions.
Non TCP/UDP Number of IP sessions other than TCP or UDP sessions.
IP sessions This counter applies specifically to IP protocol load balanc-
ing. (See the “IP Protocol Load Balancing” chapter in the
Application Delivery and Server Load Balancing Guide.)
Other Number of internally used sessions. As an example, internal
sessions are used to hold fragmentation information.
Reverse NAT Number of reverse-NAT TCP sessions.
TCP
Reverse NAT Number of reverse-NAT UDP sessions.
UDP
Free Buff Count Number of IO buffers currently available.
Curr Free Conn Number of Layer 4 sessions currently available.
Conn Count Number of connections.
Conn Freed Number of connections freed after use.
TCP SYN Half Number of half-open TCP sessions. These are sessions that
Open are half-open from the client’s perspective.
Conn SMP Alloc Statistics used by A10 Technical Support.
Conn SMP Free
Conn SMP Aged
Prot Transport protocol.

show session
TABLE 31 show session fields (Continued)

Field Description
Forward Source Client IP address when connecting to a VIP.
Notes:
• For DNS sessions, the client’s DNS transaction ID is
shown instead of a protocol port number.
• The output for connection-reuse sessions shows 0.0.0.0
for the forward source and forward destination addresses.
• For source-IP persistent sessions, if the option to include
the client source port (incl-sport) is enabled in the persis-
tence template, the client address shown in the Forward
Source column includes the port number.
• IPv4 client addresses – The first two bytes of the dis-
played value are the third and fourth octets of the client
IP address. The last two bytes of the displayed value
represent the client source port. For example,
“155.1.1.151:33067” is shown as “1.151.129.43”.
• IPv6 client addresses – The first two bytes in the dis-
played value are a “binary OR” of the first two bytes of
the client’s IPv6 address and the client’s source port
number. For example, “2001:ff0:2082:1:1:1:d1:f000”
with source port 38287 is shown as
“b58f:ff0:2082:1:1:1:d1:f000”.
Also see the output examples below.
Forward Dest VIP to which the client is connected.
Reverse Source Real server’s IP address.
Note: If the ACOS device is functioning as a cache server
(RAM caching), asterisks ( * ) in this field and the Reverse
Dest field indicate that the ACOS device directly served the
requested content to the client from the ACOS RAM cache.
In this case, the session is actually between the client and the
ACOS device rather than the real server.
Reverse Dest IP address to which the real server responds.
• If source NAT is used for the virtual port, this address is
the source NAT address used by the ACOS device when
connecting to the real server.
• If source IP NAT is not used for the virtual port, this
address is the client IP address.
Age Number of seconds since the session started.
Hash CPU ID.
Flags This value is used by A10 Technical Support.

show session
TABLE 31 show session fields (Continued)

Field Description
Type Indicates the session type, which can be one of the following:
• SLB-L4 – SLB session for Layer 4 traffic.
• SLB-L7 – SLB session for Layer 7 traffic.
• NAT – Network Address Translation (NAT) session for
dynamic NAT.
• ST-NAT – NAT session for static NAT.
• ACL – Session for an ACL.
• TCS – Transparent Cache Switching session.
• XNT – Transparent session.
Example The following command displays the IPv4 session for a specific source IP
address:
ACOS(config)#show session ipv4 source-addr 1.0.4.147
Age Hash Flags
---------------------------------------------------------------------------------------
--------------------
Tcp 1.0.4.147:49107 1.0.100.1:21 1.0.3.148:21 1.0.4.147:49107
120 2 OS
Total Sessions: 1
Example The following commands display IPv4 source-IP persistent sessions, clear
one of the sessions, then verify that the session has been cleared:
ACOS(config)#show session persist src-ip
Prot Forward Source Forward Dest Reverse Source Age Hash Flags
------------------------------------------------------------------------------------
src 1.0.16.2 1.0.100.1:21 1.0.3.148 6000 120 2 OS
src 1.0.4.147 1.0.100.1:21 1.0.3.148 6000 120 2 OS
Total Sessions: 2
ACOS(config)#clear sessions persist src-ip source-addr 1.0.16.2
ACOS(config)#show session persist src-ip
Prot Forward Source Forward Dest Reverse Source Age Hash Flags
------------------------------------------------------------------------------------
src 1.0.4.147 1.0.100.1:21 1.0.3.148 5880 2 OS
In this example, IPv4 source-IP persistent sessions are shown. The incl-
sport option in the source-IP persistence template is enabled, so the value
shown in the Forward Source column is a combination of the client source
IP address and source port number. The first two bytes of the displayed
value are the third and fourth octets of the client IP address. The last two
bytes of the displayed value represent the client source port.

show session
Example The following commands display IPv6 source-IP persistent sessions:

ACOS(config)#show session persist ipv6
Prot Forward Source
Forward Dest
Reverse Source Age
------------------------------------------------------------------------------
src [2001:ff0:2082:1:1:1:d1:f000]
[2001:ff0:2082:1:1:1:f000:1111]:80
[2001:ff0:2082:4:1:1:f000:1e4]:6880 300
In the output above, the Forward Source column shows the client’s IPv6
address but does not show the port number. The port number is omitted
because the incl-sport option in the source-IP persistence template is dis-
abled.
In the output below, the same client IPv6 address is shown. However, in this
case, the incl-sport option in the source-IP persistence template is enabled.
Therefore, the Forward Source column includes the port number. The first
two bytes in the displayed value are a “binary OR” of the first two bytes of
the client’s IPv6 address and the client's source port number. In this exam-
ple, the Forward source value is “b58f:ff0:2082:1:1:1:d1:f000”. The first
two bytes, “b58f”, are a “binary OR” value of “2001” and port number
38287.
ACOS(config)#show session persist ipv6
Prot Forward Source
Forward Dest
Reverse Source Age
------------------------------------------------------------------------------
src [b58f:ff0:2082:1:1:1:d1:f000]
[2001:ff0:2082:1:1:1:f000:1111]:80
[2001:ff0:2082:4:1:1:f000:1e3]:6880 300
Example The following command shows active RADIUS sessions:

AX#show session radius
Traffic Type Total
--------------------------------------------
TCP Established 0
TCP Half Open 0
UDP 30
...

show shutdown
Age Hash Flags Radius ID
----------------------------------------------------------------------------------------
Udp 10.11.11.50:32836 10.11.11.90:1812 10.11.11.15:1812 10.11.11.50:32836
120 1 NSe0 104
Udp 10.11.11.50:32836 10.11.11.90:1812 10.11.11.12:1812 10.11.11.50:32836
120 1 NSe0 111
...
Udp 10.11.11.50:32836 10.11.11.90:1812 10.11.11.14:1812 10.11.11.50:32836
120 7 NSe0 103
Udp 10.11.11.50:32836 10.11.11.90:1812 10.11.11.11:1812 10.11.11.50:32836
120 7 NSe0 222
Total Sessions: 30
The session table contains a separate session for each RADIUS Identifier
value. The following address information is shown for each session:
• Forward Source – The sender of the RADIUS message. This is the IP
address of the BRAS.
• Forward Dest – The RADIUS VIP on the ACOS device.
• Reverse Source – The RADIUS server to which the ACOS device sends
requests that have the Identifier listed in the RADIUS ID field.
• Reverse Dest – The destination of the RADIUS server reply forwarded
by the ACOS device. (This is the sender of the initial RADIUS message
that started the session, the BRAS in the example above.)
show shutdown
Description Display scheduled system shutdowns.
Syntax show shutdown
Example The following command shows a scheduled shutdown on an A10 Thunder

ACOS#show shutdown
Shutdown scheduled for 12:00:00 PST Sat Jan 19 2008 (in 358 hours and 23 min-
utes) by admin on 192.168.1.144
Shutdown reason: Scheduled shutdown
show slb
Description See “SLB Show Commands” on page 983.

show smtp
show smtp
Description Display SMTP information.
Syntax show smtp
Mode All
Example The following command show the SMTP server address:

ACOS#show smtp
SMTP server address: 192.168.1.99
show snmp
Description Display SNMP OIDs.
For more information, see the MIB Reference.
Syntax show snmp oid

{virtual-server | server | service-group
[addr-type {firewall | tcp | udp} |
server-member member]} name [port port-num]
Option Description
virtual-server
[name] Returns OIDs for the axVirtualServerStatTable.
If a name is specified, this command returns
OIDs for the axVirtualServerPortStatTable.
server [name] Returns OIDs for the axServerStatTable.
OIDs for the axServerPortStatTable.
service-group
[name] Returns OIDs for the axServiceGroupStatTable.
OIDs for the axServerPortStatTable.
For the service-group option only, you can nar-
row the command output by entering the IP
address type for addr-type or specific service-
group member.

show snmp
port port-num Returns OIDs for the specific port of a virtual

server.
If port num is not specified, this command
returns OIDs for all virtual port entries of the
specified VIP.
Mode All
Example The sample command output below narrows the displayed OIDs for TCP IP
addresses:
ACOS#show snmp oid service-group sg1 addr-type tcp
OID for axServiceGroupMemberStatTable
service-group-name sg1: type 2: server-name s1-v6: port 80
==========================================================================
axServiceGroupMemberStatName:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.1.3.115.103.49.2.5.115.49.45.118.54.80
axServiceGroupMemberStatAddrType:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.2.3.115.103.49.2.5.115.49.45.118.54.80
axServerNameInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.3.3.115.103.49.2.5.115.49.45.118.54.80
axServerPortNumInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.4.3.115.103.49.2.5.115.49.45.118.54.80
...
Example This output narrows the displayed OIDs for the service-group member “s1-
v6”:
ACOS#show snmp oid service-group sg1 server-member s1-v6
OID for axServiceGroupMemberStatTable
service-group-name sg1: type 2: server-name s1-v6: port 80
==========================================================================
axServiceGroupMemberStatName:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.1.3.115.103.49.2.5.115.49.45.118.54.80
axServiceGroupMemberStatAddrType:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.2.3.115.103.49.2.5.115.49.45.118.54.80
axServerNameInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.3.3.115.103.49.2.5.115.49.45.118.54.80
axServerPortNumInServiceGroupMemberStat:
1.3.6.1.4.1.22610.2.4.3.3.4.1.1.4.3.115.103.49.2.5.115.49.45.118.54.80
...

show snmp-stats
show snmp-stats
Description Display SNMP statistics.
Note: SNMP statistics also are included automatically in show techsupport

output.
Syntax show snmp-stats
Mode All
Example The following command displays SNMP statistics:

AX#show snmp-stats
SNMP Statistics:
---------------------------------------------
SNMP packets input
Bad SNMP version errors: 0
Unknown community name: 0
Illegal operation for community name: 0
Encoding Error: 0
Unknown security models: 0
Invalid ID: 0
Input packets: 0
Number of requested variables: 0
Get-Request PDUs: 0
Get-Next PDUs: 0
Packets drop: 0
SNMP packets output
Too big errors: 0
No such name errors: 0
Bad values errors: 0
General errors: 0
Output packets: 0
Get-Response PDUs: 0
SNMP traps
SNMP output traps: 0

show startup-config
show startup-config
Description Display a configuration profile or display a list of all the locally saved con-
figuration profiles.
Syntax show startup-config

[
all [cf] |
all-partitions |
partition {shared | partition-name} |
profile profile-name [cf]
[all-partitions |
partition {shared | partition-name}]
]
Mode All
Option Description
all [cf] Displays a list of the locally stored configuration
profiles.
The cf option displays all the configuration pro-
files stored on the compact flash.
all-partitions Shows all resources in all partitions. In this case,
the resources in the shared partition are listed
first. Then the resources in each private partition
are listed, organized by partition.
partition
{shared |
partition-name} Shows only the resources in the specified parti-
tion.
profile
profile-name
[options] Displays the commands that are in the specified
configuration profile.
The cf option displays the configuration profile
on the compact flash rather than the hard disk. If
you omit this option, the configuration profile on
the hard disk is displayed.
The all-partitions option shows all resources in
all partitions.
The partitions option shows only the resources
in the specified partition.

show startup-config
Mode All
Usage The all-partitions and partition partition-name options are applicable on

you omit both options, only the resources in the shared partition are shown.

When entered without the all or profile-name option, this command dis-
plays the contents of the configuration profile that is currently linked to
“startup-config”. Unless you have relinked “startup-config”, the configura-
tion profile that is displayed is the one that is stored in the image area from
which the ACOS device most recently rebooted.
Example The following command shows the configuration profile currently linked to
startup-config on an A10 Thunder Series and AX Series device:
ACOS#show startup-config
!Current configuration: 10580 bytes

!Configuration last updated at 15:01:01 PST Mon Jan 21 2008
!Configuration last saved at 15:09:41 PST Mon Jan 21 2008
!version 2.6.1, build 169 (Jan-24-2011,12:30)
!
hostname AX2K-B
!
clock timezone America/Tijuana
!
!
vlan 10
untagged ethernet 1
!
vlan 11
untagged ethernet 2
!
vlan 20
--MORE--
Example The following command shows a list of the configuration profiles locally
saved on the ACOS device. The first line of output lists the configuration
profile that is currently linked to “startup-config”. If the profile name is
“default”, then “startup-config” is linked to the configuration profile stored
in the image area from which the ACOS device most recently rebooted.

show statistics
AX#show startup-config all

Current Startup-config Profile: default
Profile-Name Size Time
------------------------------------------------------------
1210test 1957 Jan 28 18:39
lb-v6 13414 Jan 23 19:19
show statistics
Description Display packet statistics for Ethernet interfaces.
Syntax show statistics [interface ethernet port-num]

[device DeviceID]
Mode All
Example The following command shows brief statistics for all Ethernet interfaces on
an A10 Thunder Series and AX Series device:
ACOS#show statistics
Port Good Rcv Good Sent Bcast Rcv Bcast Sent Errors
---------------------------------------------------------------------------
1 3026787 3013699 91573 154220 0
2 0 0 0 0 0
3 0 0 0 0 0
...
XAUI 3171070 3118342 275613 216063 0
Note: The XAUI port is an internal port, not a user-configured interface.

show store
Example The following command shows detailed statistics for Ethernet interface 1:
ACOS#show statistics interface ethernet 1
Port Link Dupl Speed IsTagged MAC Address
---------------------------------------------------
1 Up Full 1000 Untagged 0090.0B0A.D860
Port 1 Counters:
InPkts 6926 OutPkts 427659
InOctets 477802 OutOctets 323788182
InBroadcastPkts 5573 OutBroadcastPkts 62389
InMulticastPkts 0 OutMulticastPkts 359729
InBadPkts 0 OutBadPkts 0
OutDiscards 0 Collisions 0
InLongOctet 477802 InAlignErr 0
InLengthErr 0 InOverErr 0
InFrameErr 0 InCrcErr 0
InNoBufErr 0 InMissErr 48
InLongLenErr 0 InShortLenErr 0
OutAbortErr 0 OutCarrierErr 0
OutFifoErr 0 OutLateCollisions 0
InFlowCtrlXon 0 OutFlowCtrlXon 0
InFlowCtrlXoff 0 OutFlowCtrlXoff 0
InBufAllocFailed 0
InUtilization 15 OutUtilization 0
show store
Description Display the configured file transfer profiles in the credential store. The cre-
dential store is a saved set of access information for file transfer between the
ACOS device and remote file servers.
Syntax show store [backup | export | import] name
Mode All
Example
ACOS(config)#show store export
Export Store Information
StoreName url SuccessRate FailedRate
==============================================================================
1k_ca_cert_2.crt scp://bxgu:****@192.168.12.12/home/exp/1k_ca_cert_2.crt 0 0

show switch
show switch
Description Display internal system information for troubleshooting.
Note: This command is applicable to only the following AX models: AX 2200,

AX 2200-11, AX 3100, AX 3200, AX 3200-11, AX 3200-12, AX 3400,
AX 3530, AX 5100, AX 5200, AX 5200-11, and AX 5630.
Syntax show switch bridge-egress-filtering
show switch bridge-global
show switch cascading-header-insertion
show switch debug
show switch dump-all
show switch fdb-global
show switch ingress-drop-counter
show switch ingress-port-bridge port-num
show switch mac-table
show switch phy-10g-reg port port-num register

number-hex
show switch phy-10g-reg-ext device number port

port-num register number-hex
show switch phy-dump port port-num
show switch phy-reg port port-num register number-

hex
show switch port-counter port-num
show switch port-mib-counters port-num
show switch port-vlan-register port-num
show switch register number-hex [bitmask number]

[field-offset number field-length number]

show system platform
show switch route-table
show switch trunk-table
show switch unicast-routing-engine
show switch vlan-table
show switch xfp-temp
Mode All
Usage Some options apply only to certain models. Only the mac-table, vlan-table,
and xfp-temp options are supported on AX models AX 5100, AX 5200,
and AX 5200-11 and AX 5630.
show system platform

Description Display platform-related information and statistics.
Syntax show system platform

{
statistics |
interface-stats |
buffer-stats |
busy-counter |
drop-counter |
register-info
}
Option Description
statistics Shows counters for internal statistics.
interface-stats Shows counters for interface statistics.
buffer-stats Shows counters for buffer statistics.
busy-counter Shows counters for system busy statistics.
drop-counter Shows counters for drop statistics.
register-info Shows register information.
Mode All

Example The following command shows platform buffer statistics:

AX#show system platform buffer-stats
# buffers in Q0 cache: 2049 App: 0 TCPQ: 0 misc: 0
Approximate # buffers in App 0
Approximate # buffers in App_cp 0
Approximate # buffers in Cache_cp 1023
Approximate # buffers in Cache 30721
Approximate # buffers in Queue 0
Approximate # buffers in misc 0
Approximate # buffers free 100351
Approximate # buffers avail from HW 99309

Description Display the minimum and maximum numbers of each type of system
resource that can be configured or used, the default maximum number
allowed by the configuration, and the number currently in use.
For example, the “l4-session-count” row of the output shows the number of
Layer 4 sessions that are currently in use, as well as the maximum number
currently supported by the configuration (the default maximum), and the
range of values that can be assigned to the default maximum.
In general, if a resource listed in the output has the same value in the Cur-
rent and Maximum columns (GSLB resources, for example), then the allo-
cation for that resource can not be changed.
Syntax show system resource-usage
Mode All
Usage To change system resource usage settings, see “system resource-usage” on

page 238 command.
You must reload or reboot the system after making changes to system
resource-usage settings in order to place the changes into effect. For most

system resource-usage settings, a reload is sufficient. However, a change to

the l4-session-count setting requires a reboot.
If the target device is not reloaded, the system resource-usage settings syn-
chronized from the active device appear in the standby device’s running-
config, but do not actually take effect until the reload or reboot.
• If you manually synchronize the configuration, you have the option to
reload the target device immediately following the synchronization. If
you do not use this option, you can reload the device later.
• If you are using VRRP-A in combination with aVCS, configuration syn-
chronization is automatic. In this case, you must reload or reboot the tar-
get device to place the system resource-usage changes into effect.
Note: The target device is not automatically reloaded following configuration

synchronization.
Example The following command shows system resource usage:

AX2500#show system resource-usage
Resource Current Default Minimum Maximum
--------------------------------------------------------------------------
l4-session-count 16777216 16777216 4194304 33554432
nat-pool-addr-count 500 500 500 2000
real-server-count 1024 1024 512 4096
real-port-count 2048 2048 512 8192
service-group-count 512 512 512 8192
virtual-port-count 512 512 256 4096
virtual-server-count 512 512 512 2048
http-template-count 256 256 32 2048
proxy-template-count 256 256 32 2048
conn-reuse-template-count 256 256 32 2048
fast-tcp-template-count 256 256 32 2048
fast-udp-template-count 256 256 32 2048
client-ssl-template-count 256 256 32 4096
server-ssl-template-count 256 256 32 4096
stream-template-count 256 256 32 2048
persist-cookie-template-count 256 256 32 2048
persist-srcip-template-count 256 256 32 2048
class-list-ipv6-addr-count 1024000 1024000 1024000 2048000
gslb-site-count 500 500 500 500
gslb-device-count 1000 1000 1000 1000
gslb-service-ip-count 1024 1024 512 5000
gslb-service-port-count 2048 2048 512 10000
gslb-zone-count 5000 5000 5000 5000
gslb-service-count 10000 10000 10000 10000
gslb-policy-count 10000 10000 10000 10000
gslb-geo-location-count 5000000 5000000 5000000 5000000
gslb-ip-list-count 500 500 500 500

show tacacs-server
gslb-view-count 15 15 15 15
gslb-template-count 1000 1000 1000 1000
show tacacs-server
Description Display TACACS statistics.
Syntax show tacacs-server [hostname | ipaddr]
Mode All
Example The following command shows information for TACACS server 5.5.5.5:
ACOS#show tacacs-server 5.5.5.5
TACACS+ server : 5.5.5.5:49
Socket opens: 0
Socket closes: 0
Socket aborts: 0
Socket errors: 0
Socket timeouts: 0
Failed connect attempts: 0
Total packets recv: 0
Total packets send: 0
show techsupport
Description Display or export system information for use when troubleshooting.
Syntax show techsupport

[export [use-mgmt-port] url]
[page]
Option Description
export
[use-mgmt-port]
url Exports the output to a remote server. The url
specifies the file transfer protocol, username (if
required), and directory path.
for the password. To enter the entire URL:

show terminal
tftp://host/file
page Shows the information page by page. Without
this option, all the command’s output is sent to
the terminal at once.
show terminal
Description Show the terminal settings.
Syntax show terminal
Mode All
Example The following command shows the terminal settings.

ACOS#show terminal
Idle-timeout is 00:10:00
Length: 24 lines, Width: 80 columns
Editing is enabled
History is enabled, history size is 256
Auto size is enabled
Terminal monitor is off
show tftp
Description Display the currently configured TFTP block size.
Syntax show tftp
Mode All
Example The following command shows the TFTP block size.


show trunk
show trunk
Description Show information about a trunk group.
Syntax show trunk num
Option Description
num Trunk number
Mode All
Example The following command shows information for trunk group 1:

ACOS#show trunk 1
Trunk ID : 1 Member Count: 8
Trunk Status : Up
Members : 1 2 3 4 5 6 7 8
Cfg Status : Enb Enb Enb Enb Enb Enb Enb Enb
Oper Status : Up Up Up Up Up Up Up Up
Ports-Threshold : 6 Timer: 10 sec(s) Running: No
Working Lead : 1
TABLE 32 show trunk fields

Field Description
Trunk ID ID assigned to the trunk by the admin who configured it.
Member Count Number of ports in the trunk.
Trunk Status Indicates whether the trunk is up.
Members Port numbers in the trunk.
Cfg Status Configuration status of the port.
Oper Status Operational status of the port.
Ports-Threshold Indicates the minimum number of ports that must be up in
order for the trunk to remain up.
If the number of up ports falls below the configured thresh-
old, the AX automatically disables the trunk’s member ports.
The ports are disabled in the running-config. The ACOS
device also generates a log message and an SNMP trap, if
these services are enabled.
Timer Indicates how many seconds the ACOS device waits after a
port goes down before marking the trunk down, if the ports
threshold is exceeded.
Running Indicates whether the ports-threshold timer is currently run-
ning. When the timer is running, a port has gone down but
the state change has not yet been applied to the trunk’s state.

show vcs debug
TABLE 32 show trunk fields (Continued)

Field Description
Working Lead Port number used for responding to ARP requests and for
Layer 2 processing.
Note: If the lead port is shown as 0 or “None”, the trunk
interface is down.
show vcs debug

Description Display aVCS debug messages.
Syntax show vcs debug [old_first]
Option Description
old_first Lists messages beginning with the most recent.
Without this option, the list begins with the old-
est message in the buffer.
Mode All
show vcs images

Description Display the aVCS-capable AX software images stored on the ACOS device.
Note: Only images that support aVCS are listed. To list all images, use the show
bootimage command instead.
Syntax show vcs images
Mode All
Example The following command shows the aVCS-capable AX software images

stored on the device:
AX#show vcs images
Image Name Type
aximage_2_6_1_478.tar.gz hd_pri
aximage_2_6_1_478.tar.gz hd_sec
-------- cf_pri
-------- cf_sec
aximage_2_6_1_462.tar.gz ext

show vcs message-buffer
TABLE 33 show vcs images fields

Field Description
Image Name Name of the software image.
Type Location of the image:
• hd_pri – Primary image area of the hard drive or Solid State
Drive (SSD)
• hd_sec – Secondary image area of the hard drive or SSD
• cf_pri – Primary image area of the compact flash drive
• cf_sec – Secondary image area of the compact flash drive
• ext – Extended image, used for staged upgrades during which
multiple AX software versions run in the virtual chassis.
Note: If dashes (--------) are displayed instead of an image name,
the image does not support aVCS.
show vcs message-buffer

Description Show the current settings for aVCS message buffering.
Syntax show vcs message-buffer
Mode All
show vcs stat

Description Display aVCS statistics.
Syntax show vcs stat
Mode All
Example The following example shows aVCS statistics. In this example, the com-
mand is entered on the vMaster.
AX#show vcs stat
Parameters:
Chassis-ID: 3
time-interval: 3

show vcs stat
failure-retry-count: 2
Floating-IPv4: 5.5.5.254/24
Floating-IPv4: 192.168.148.14/24
SSL-enabled: No
Multicast-IP: 224.0.0.210
Multicast-Port: 41217
Dev-ID: 1
Dev-Prio: 200
Unicast-Port: 41216
Interfaces: management
Enabled: Yes
Dev-ID: 2
Dev-Prio: 199
Unicast-Port: 41216
Enabled: Yes
Dev-ID: 3
Dev-Prio: 100
Unicast-Port: 41216
Interfaces: ethernet 1
Enabled: Yes
Local-Dev-ID: 1
Running parameters:
Chassis-ID: 3
time-interval: 3
failure-retry-count: 2
Floating-IPv4: 5.5.5.254/24
Floating-IPv4: 192.168.148.14/24
SSL-enabled: No
Multicast-IP: 224.0.0.210
Multicast-Port: 41217
Dev-ID: 1
Dev-Prio: 200
Dev-IPv4: 192.168.148.16
Unicast-Port: 41216
Enabled: Yes
Dev-ID: 2
Dev-Prio: 199
Dev-IPv4: 192.168.148.15
Unicast-Port: 41216
Enabled: Yes
Dev-ID: 3
Dev-Prio: 100
Unicast-Port: 41216
Interfaces: ethernet 1
Enabled: Yes
Local-Dev-ID: 1
Dev-State: vMaster
Version: 2.6.1.b478

show vcs stat
Config: 68163521ab9b064f, 2962

Election context:
Stop-Request: No
Parameters:
Num-Sockets: 1
Dev-State: vMaster
Dev-DynPrio: 4294967295
PDU-Seq: 916
vMasterTakeOverPrio: 0
vMaster-Sent: 2011-05-03 10:35:56.363158
Neighbour: seen 911 times, last seen 2011-
05-03 10:35:56.461260
Ident: VCE
Version: 1.0
Type: vBlade-PDU
Length: 4
Seq: 912
HW-Model: 5200
Chassis-ID: 3
Device-ID: 2
Device-Prio: 199
Device-DynPrio: 4294967295
Config: 2962
vMaster context:
Stop-Request: No
Server-Connection:
Local-Addr: 192.168.148.16:41216
Remote-Addr: 0.0.0.0:0
State: Listen
IO-State:
SSL: No
Local-Addr: 0.0.0.0:0
State: Closed
IO-State:
SSL: No
State: Closed
IO-State:
SSL: No
State: Closed
IO-State:
SSL: No
State: Closed
IO-State:
SSL: No

show vcs stat
State: Closed
IO-State:
SSL: No
vBlade:
ID: 0
Device-ID: 2
vBlade-State: Ready
Stop-Request: No
Connection:
Local-Addr: 192.168.148.16:41216
Remote-Addr: 192.168.148.15:35768
State: Connected
IO-State: R
SSL: No
Counters:
Daemon:
Start Time: 2011-05-03 09:46:09.279027
Election Started: 2 times
Election Stopped: 1 times
Receive Errors: 0
Send Errors: 0
Received Bytes: 6273103
Sent Bytes: 658841766
Received Messages: 70440
Sent Messages: 70440
Invalid Messages: 0
Message Handling Failure: 0
Election:
Start Time: 2011-05-03 09:49:06.865468
Receive Errors: 0
Send Errors: 0
Received Bytes: 98280
Sent Bytes: 56644
Received vMaster-PDU: 0
Received MC-PDU: 2
Received vBlade-PDU: 1818
Received MTO-PDU: 0
Received Unknown-PDU: 0
Sent vMaster-PDU: 911
Sent MC-PDU: 3
Sent vBlade-PDU: 0
Sent MTO-PDU: 0
Sent Unknown-PDU: 0
Invalid PDU: 0

show vcs stat
PDU HW mismatch: 0
PDU Chassis-ID mismatch: 0
PDU Device-ID collision: 0
MC, discarded vMaster-PDU: 0
MC, replaced vMaster-PDU: 0
MC, duplicate vMaster-PDU: 0
MC, timers reset by MC-PDU: 0
MC, timers reset by MTO-PDU: 0
vBlade, duplicate vMaster-PDU: 0
vBlade, discard challenger: 0
vBlade, replace challenger: 0
vBlade, duplicate challenger: 0
vBlade, discard neighbour: 0
vBlade, too many neighbours: 0
vBlade, duplicate neighbours: 0
vMaster, discard challenger: 0
vMaster, new challenger: 0
vMaster, replace challenger: 0
vMaster, duplicate challenger: 0
vMaster, discard neighbour: 0
vMaster, too many neighbours: 0
vMaster, duplicate neighbours: 909
Enter MC: 0
Enter vBlade: 0
Enter vMaster: 1
Enter MTO: 0
Leave MC: 1
Leave vBlade: 0
Leave vMaster: 0
Leave MTO: 0
vMaster:
Start Time: 2011-05-03 09:49:15.971189
Start vBlade Errors: 0
vBlades Started: 1
vBlades stopped: 0
Received Configuration Updates: 0
Last Configuration Update: N/A
Local Configuration Update Errors: 0
Remote Configuration Update Errors: 0
Configuration Update Notif Errors: 0
Configuration Update Result Errors: 0
vBlade:
Start Time: N/A
Receive Errors: 0
Send Errors: 0
Received Bytes: 0
Sent Bytes: 0
Received Messages: 0
Sent Messages: 0
Invalid Messages: 0
Received Keepalives: 0

show vcs stat
Received Configuration Updates: 0

Last Configuration Update: N/A
Configuration Update Failures: 0
TABLE 34 show vcs stat fields

Field Description
Parameters Fields
Chassis-ID ID of the virtual chassis.
time-interval Number of seconds between transmission of keepalive messages
from the vMaster to vBlades.
failure-retry-count Maximum number of retries allowed for the device to join the
virtual chassis, before aVCS stops on the device.
Floating-IPv4 Lists the IPv4 interfaces associated with the aVCS floating IP
address.
Floating-IPv6 Lists the IPv6 interfaces associated with the aVCS floating IP
address.
SSL-enabled State of SSL for management traffic between aVCS devices, Yes
(enabled) or No (disabled).
Multicast-IP Multicast IP address used during aVCS vMaster election.
Multicast-Port Multicast port used during aVCS vMaster election.
Dev-ID For each device in the virtual chassis, shows the following aVCS
configuration information:
• Dev-Prio – Priority of the device for vMaster election.
• Unicast-Port – Protocol port on which the device listens for
aVCS management traffic.
• Interfaces – Device interfaces used for aVCS vMaster election
traffic.
• Enabled – State of aVCS on the device.
Local-Dev-ID aVCS device ID (1-8) of the device on which this show command
was issued.
Running Parameters Fields
These fields show the aVCS parameters currently in effect on the devices in the virtual chassis. The field descrip-
tions are the same as those under “Parameters” above.
The running parameters are listed separately in case an aVCS parameter is changed but the change is not yet saved.
In this case, the running parameter is in the running-config but not in the startup-config.
Dev-State Field
Current aVCS state of this device. The state can be vMaster-candidate, vMaster, or vBlade.
Version Field
AX software version running on this device.
Config Field
Configuration tag and sequence number.

show vcs stat
TABLE 34 show vcs stat fields (Continued)

Field Description
Election Context Fields
These fields show statistics and configuration information for vMaster election.
Stop-Request Number of times an administrator-initiated aVCS stop request
was received.
Note: aVCS stop requests are initiated by a hidden diagnostic
command used by A10 Networks for troubleshooting. This coun-
ter is not incremented when you disable aVCS.
Parameters Lists the settings for the following parameters:
• Num-Sockets – Number of sockets used by the vMaster-elec-
tion protocol. This number equals the number of vMaster-elec-
tion interfaces on this device.
• Dev-State – Election state of the device when the show vcs
stat command was entered:
• vMaster-candidate – Election of the vMaster is in progress.
During the vMaster election process, all the devices in the
virtual chassis are in the vMaster-candidate state.
• vMaster – vMaster election is complete, and this device is
the vMaster.
• vBlade – vMaster election is complete, and this device is a
vBlade.
• Dev-DynPrio – Dynamic vMaster-election priority value for
the device.
• PDU-Seq – PDU sequence number. This number is incre-
mented each time a vMaster-election PDU is sent by this
device.
• vMasterTakeOverPrio – Priority value assigned to the device
to force vMaster reelection.
• vMaster-Sent / vBlade-Sent – Most recent system time when
this device sent a vMaster PDU or vBlade PDU, depending on
the device’s aVCS state.
• Neighbor – Lists the following information about the most
recent vMaster-election PDUs received from each of the other
devices in the virtual chassis. This information is listed sepa-
rately for each neighbor device.
• Ident – aVCS protocol ID, which is “VCE”.
• Version – aVCS protocol version.
• Type – PDU type: vMaster-candidate-pdu, vMaster-pdu, or
vBlade-pdu.
• Length – PDU length.
(cont.)

show vcs stat

Field Description
Parameters • Seq – PDU sequence number.
(cont.) • HW-Model – Hardware model of the device. For example,
model AX 5200 is listed as “5200”.
• Chassis-ID – Virtual chassis ID.
• Device-ID – aVCS device ID.
• Device-Prio – Configured vMaster-election priority.
• Device-DynPrio – Temporary vMaster election priority con-
figured to force vMaster reelection.
• Config – Configuration tag and sequence number.
vMaster Context Fields
Note: vMaster Context fields appear only on the vMaster. On vBlade devices, vBlade Context fields appear
instead. (See below.)
was received.
Server-Connection Shows information about the aVCS management connections
with each of the other devices.
• Local-Addr – aVCS unicast address of this device.
• Remote-Addr – aVCS unicast address of the device at the other
end of the connection.
• State – State of the connection:
• Closed
• Listen
• Accept
• Connecting
• Connected
• IO-State – State of the connection, R (read) or W (write).
• SSL – State of SSL on the connection, Yes (enabled) or No
(disabled).

show vcs stat

Field Description
vBlade Shows the following information for each aVCS vBlade in the
virtual chassis:
• ID – Internal index number for the device.
• Device-ID – aVCS ID of the device.
• vBlade-State – aVCS state of the vBlade:
• Ready
• Init
• Invalid
• Stop-Request – Number of times an administrator-initiated
aVCS stop request was received.
command used by A10 Networks for troubleshooting. This
counter is not incremented when you disable aVCS.
• Connection – Shows the following information about the
device’s aVCS connection to the vMaster:
• Local-Addr – IP address and protocol port of the device’s
connection to the vMaster.
• Remote-Addr – IP address and protocol port on the vMaster.
• State – State of the aVCS connection to the vMaster:
– Closed
– Listen
– Accept
– Connecting
– Connected
• SSL – State of SSL on the connection:
– Yes (enabled)
– No (disabled)
vBlade Context Fields
Note: vBlade Context fields appear only on vBlades. On vMaster devices, vMaster Context fields appear instead.
(See above.)
was received.
vMaster-Addr IP address and protocol port of the vMaster’s aVCS management
interface.

show vcs stat

Field Description
Connection Shows the following information about the device’s aVCS con-
nection to the vMaster:
• Local-Addr – IP address and protocol port of the device’s con-
nection to the vMaster.
• Remote-Addr – IP address and protocol port on the vMaster.
• State – State of the aVCS connection to the vMaster:
• Closed
• Listen
• Accept
• Connecting
• Connected
• SSL – State of SSL on the connection, Yes (enabled) or No
(disabled).
Counters Fields
Daemon Shows statistics for the aVCS process:
• Start Time – System time when the aVCS was started on this
device.
• Election Started – Number of times vMaster election occurred
after the aVCS process started.
• Election Stopped – Number of times vMaster election stopped.
The following statistics apply to communication between the
aVCS process and the CLI or GUI.
• Receive Errors – Number of errors when the aVCS process
received a request from the CLI or GUI.
• Send Errors – Number of errors when the aVCS process sends
a response to the CLI or GUI.
• Received Bytes – Number of bytes received from the CLI or
GUI.
• Sent Bytes – Number of bytes sent to the CLI or GUI.
• Received Messages – Number of requests received from the
CLI or GUI.
• Sent Messages – Number of responses sent to the CLI or GUI.
• Invalid Messages – Number of requests that were invalid.
• Message Handling Failure – Number of times handling of a
request failed.

show vcs stat

Field Description
Election Shows statistics for aVCS vMaster election:
• Start Time – System time when vMaster election started.
• Receive Errors – Number of errors in election PDUs received
by this device.
• Send Errors – Number of times this device failed to send an
election PDU.
• Received Bytes – Number of election PDU bytes received.
• Sent Bytes – Number of election PDU bytes sent.
• Received vMaster-PDU – Number of vMaster PDUs received.
• Received MC-PDU – Number of vMaster-candidate PDUs
received.
• Received vBlade-PDU – Number of vBlade PDUs received.
• Received MTO-PDU – Number of vMaster-take-over PDUs
received.
• Received Unknown-PDU – Number of Unknown PDUs
received.
• Sent vMaster-PDU – Number of vMaster PDUs sent.
• Sent MC-PDU – Number of vMaster-candidate PDUs sent.
• Sent vBlade-PDU – Number of vBlade PDUs sent.
• Sent MTO-PDU – Number of vMaster-take-over PDUs sent.
• Sent Unknown-PDU – Number of Unknown PDUs sent.
• Invalid PDU – Number of invalid PDUs, such as short PDUs
or PDUs with the wrong election ID.
• PDU HW mismatch – Number of PDUs in which the hardware
model did not match this device’s hardware model.
• PDU Chassis-ID mismatch – Number of PDUs in which the
virtual chassis ID did not match.
• PDU Device-ID collision – Number of PDUs in which the
other device’s aVCS device ID was the same as this device’s
aVCS device ID.
• MC, discarded vMaster-PDU – Number of vMaster PDUs dis-
carded by this device when it was in the vMaster-candidate
state.
• MC, replaced vMaster-PDU – Number of vMaster PDUs
replaced when this device was in the vMaster-candidate state.
A vMaster PDU is replaced when another vMaster PDU
received from a different device has more favorable vMaster
election values.
(cont.)

show vcs stat

Field Description
Election • MC, duplicate vMaster-PDU – Number of duplicate vMaster
(cont.) PDUs received when this device was in the vMaster-candidate
state.
• MC, timers reset by MC-PDU – Number of times vMaster
election timers were reset because this device received a vMas-
ter-candidate PDU from another device with more favorable
vMaster-election values, when this device (the device on
which the show stat command was entered) was in the vMas-
ter-candidate state.
• MC, timers reset by MTO-PDU – Number of times vMaster
election timers were reset because this device received a vMas-
ter-takeover PDU from another device, when this device was
in the vMaster-candidate state. A vMaster-takeover PDU is
generated by forced re-election.
• vBlade, duplicate vMaster-PDU – Number of times this
device, when in the vBlade state, received a duplicate vMaster
PDU.
• vBlade, discard challenger – Number of times this device,
when in the vBlade state, discarded a PDU from a device with
more favorable election values than the current vMaster.
• vBlade, replace challenger – Number of times this device,
when in the vBlade state, replaced the current vMaster with a
new vMaster that had more favorable election values.
• vBlade, duplicate challenger – Number of times this device,
when in the vBlade state, received a vMaster PDU from a
device with election values just as favorable as the current
vMaster’s.
• vBlade, discard neighbor – Number of times this device, when
in the vBlade state, discarded an election PDU from another
device in the virtual chassis.
• vBlade, too many neighbors – Number of times this device,
when in the vBlade state, discarded an election PDU because
the virtual chassis contained more devices than the maximum
allowed.
• vBlade, duplicate neighbors – Number of times this device,
when in the vBlade state, discarded an election PDU because
the other device’s aVCS ID was a duplicate.
• vMaster, discard challenger – Number of times this device,
when in the vMaster state, discarded a PDU from a device with
more favorable election values.
(cont.)

show vcs stat

Field Description
Election • vMaster, new challenger – Number of times this device, when
(cont.) in the vMaster state, received a vMaster PDU from a device
with more favorable election values.
• vMaster, replace challenger – Number of times this device,
when in the vMaster state, remained vMaster despite receiving
a vMaster PDU from another device that had more favorable
election values.
• vMaster, duplicate challenger – Number of times this device,
when in the vMaster state, received a vMaster PDU from a
device with election values just as favorable as the current
vMaster’s.
• vMaster, discard neighbor – Number of times this device,
when in the vMaster state, discarded an election PDU from
another device in the virtual chassis.
• vMaster, too many neighbors – Number of times this device,
when in the vMaster state, discarded an election PDU because
the virtual chassis contained more devices than the maximum
allowed.
• vMaster, duplicate neighbors – Number of times this device,
when in the vMaster state, discarded an election PDU because
the other device’s aVCS ID was a duplicate.
• Enter MC – Number of times this device entered the vMaster-
candidate state.
• Enter vBlade – Number of times this device entered the vBlade
state.
• Enter vMaster – Number of times this device entered the
vMaster state.
• Enter MTO – Number of times this device entered the vMas-
ter-takeover state.
• Leave MC – Number of times this device left the vMaster-can-
didate state.
• Leave vBlade – Number of times this device left the vBlade
state.
• Leave vMaster – Number of times this device left the vMaster
state.
• Leave MTO – Number of times this device left the vMaster-
takeover state.

show vcs stat

Field Description
vMaster Shows vMaster statistics.
Note: These counters are applicable only when this device is the
vMaster.
• Start Time – System time when this device became the vMas-
ter. If the value is “N/A”, this device is not the vMaster.
• Start vBlade Errors – Number of times this vMaster started a
vBlade thread with another device.
• vBlades Started – Number of times this vMaster started a
vBlade.
• vBlades stopped – Number of times this vMaster stopped a
vBlade.
• Received Configuration Updates – Number of times this
vMaster received a configuration update from the aVCS pro-
cess.
• Last Configuration Update – Latest system time when this
vMaster received a configuration update.
• Local Configuration Update Errors – Number of errors that
occurred during local configuration update.
• Remote Configuration Update Errors – Number of errors that
occurred during remote configuration update.
• Configuration Update Notif Errors – Number of configuration
update notification errors.
• Configuration Update Result Errors – Number of configuration
update result errors.
• vBlade – Shows the following statistics for each vBlade:
• Start Time – System time when the device became a vBlade.
• Receive Errors – Number of times the vMaster did not
receive acknowledgement of a configuration synchroniza-
tion request sent to the vBlade.
• Send Errors – Number of times transmission of a configura-
tion synchronization request to the vBlade failed.
• Received Bytes – Number of bytes for configuration update
requests received from the vBlade.
• Sent Bytes – Number of bytes for configuration update
requests sent to the vBlade.
• Received Messages – Number of aVCS messages received
from the device.
(cont.)

show vcs stat

Field Description
vMaster • Sent Messages – Number of aVCS messages sent to the
(cont.) device.
• Invalid Messages – Number of invalid aVCS messages
received from the device.
• Received Keepalives – Number of keepalive messages
received from the device.
• Received Configuration Updates – Number of configuration
updates received from the device.
• Last Configuration Update – System time when the most
recent configuration update was received from the device.
• Configuration Update Failures – Number of configuration
update failures.
vBlade Shows vBlade statistics.
Note: These counters are applicable only when this device is a
vBlade.
• Start Time – System time when this device became a vBlade. If
the value is “N/A”, this device is not a vBlade.
• Receive Errors – Number of times the device did not receive
acknowledgement of a configuration synchronization request.
• Send Errors – Number of times transmission of a configuration
synchronization request failed.
• Received Bytes – Number of bytes for configuration update
requests received by the device.
• Sent Bytes – Number of bytes for configuration update
requests sent by the device.
• Received Messages – Number of aVCS messages received by
the device.
• Sent Messages – Number of aVCS messages sent by the
device.
• Invalid Messages – Number of invalid aVCS messages
received by the device.
• Received Keepalives – Number of keepalive messages
received by the device.
• Received Configuration Updates – Number of configuration
updates received by the device.
• Last Configuration Update – System time when the most
recent configuration update was received by the device.
• Configuration Update Failures – Number of configuration
update failures.

show vcs summary
show vcs summary

Description Display aVCS virtual chassis information.
Syntax show vcs summary
Mode All
Example The following command shows summary aVCS information:

AX#show vcs summary
VCS Chassis:
VCS Enabled: Yes
Chassis ID: 3
Floating IP: 5.5.5.254
Mask: 255.255.255.0
Floating IP: 192.168.148.14
Mask: 255.255.255.0
Multicast IP: 224.0.0.210
Multicast Port: 41217
Version: 2.6.1.b478
Members(* means local device):

ID State Priority IP:Port Location
-------------------------------------------------------------------------------
1 vMaster(*) 200 192.168.148.16:41216 Local
2 vBlade 199 192.168.148.15:41216 Remote
Total: 2
TABLE 35 show vcs summary fields

Field Description
aVCS Chassis Fields
VCS Enabled State of the aVCS feature, Enabled or Disabled.
Chassis ID ID of the virtual chassis.
Floating IP IP interface associated with the virtual chassis floating IP
address.
Mask Network mask of the Floating IP interface.
Multicast IP Multicast IP address used for aVCS vMaster election.
Multicast Port Protocol port used for vMaster election.
Version Software version and build running on the ACOS device.
Members Fields
ID aVCS ID of the member device.

show version
TABLE 35 show vcs summary fields (Continued)

Field Description
State Current role of the device, vMaster or vBlade.
Note: If you enter this command in a session that is logged onto
the aVCS floating IP address, the “local device” is always the
vMaster, unless you change the context ID of the management
session.
Priority vMaster election priority of the device.
Note: This is the admin-configured priority value, not the
dynamic priority assigned by aVCS.
IP:Port IP address and protocol port used for configuration synchroniza-
tion with the member device.
Location Indicates whether this is the device context on which you entered
the show vcs summary command:
• Local – This is the device context on which you entered the
command.
• Remote – This is not the device context on which you entered
the command.
show version
Description Display software, hardware, and firmware version information.
Syntax show version
Mode All
Example The following command shows version information for an AX 2200:

ACOS#show version
Copyright 2007-2011 by A10 Networks, Inc. All A10 Networks products are
protected by one or more of the following US patents and patents pending:
7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789,
20070283429, 20070271598, 20070180101
64-bit Advanced Core OS (ACOS) version 2.6.1-GR1, build 107 (Feb-27-2012,17:58)

Booted from Hard Disk secondary image
Serial Number: AX25061111010069
aFleX version: 2.0.0
aXAPI version: 2.0
Hard Disk primary image version 2.6.2, build 421
Hard Disk secondary image (default) version 2.6.1-GR1, build 107
Compact Flash primary image version 2.4.1, build 139
Compact Flash secondary image (default) version 2.4.1, build 139
Last configuration saved at Apr-27-2011, 02:11
Hardware: 8 CPUs(Stepping 5), Single 74G Hard disk

show vlans
Memory 6123 Mbyte, Free Memory 795 Mbyte
Current time is May-2-2011, 21:51
The system has been up 5 days, 19 hours, 40 minutes
show vlans
Description Display the configured VLANs.
Syntax show vlans [vlan-id]
Mode All
Example The following command lists all the VLANs configured on an A10 Thunder
AX#show vlans
Total VLANs: 2
VLAN 1:
Untagged Ports: 2 3 4 5 6 7 8 9
10 11 12 13 14 15 17 18
19 20
Tagged Ports: None
VLAN 199:
Untagged Ports: 1 16
Tagged Ports: None
show vrrp-a
Description Display VRRP-A information.
Syntax show vrrp-a [detail]
Mode All
Example The following command shows VRRP-A information for private partition
“corpa”:
AX[corpa](config)#show vrrp-a detail
vrid default
Unit State Priority
1 (Local) Standby 100
2 (Peer) Active 150
vrid that is running: default

show vrrp-a
VRRP-A stats
Peer: 2, vrid default
Port 1: received 2830 missed 0
Heartbeat missed: 0
Total packets received from peer: 2830
Conn Sync Pkts: Sent 0 Received 0

Conn Query Pkts: Sent 0 Received 0
Conn Sync Create Session Pkts: Received 0
Conn Sync Update Age Pkts: Received 0
Conn Sync Delete Session Pkts: Received 0
Total packets sent for vrid default: 9835

Sent from port 1: 3289
Dup device id: 0 Set id mismatch: 0

Version mismatch: 0
error port: 0 error device id: 0
Vrid 0: switch to active 1, switch to standby 2
Peer IP[2]: 1.1.1.183
TABLE 36 show vrrp fields

Field Description
VRID Virtual router ID
Unit VRRP-A device ID.
“Local” indicates this ACOS device. “Peer” indicates another AX
device in the same VRRP-A set.
State VRRP-A state:
• Active
• Standby
Priority Current VRRP-A priority of this device.
VRID that is running VRID that is currently running on the partition.
VRRP-A Stats
The following information is listed for each VRRP-A peer device.
Peer Device ID of the peer device, and the VRID.

show vrrp-a
TABLE 36 show vrrp fields (Continued)

Field Description
Port Data port that connects this device (the Local device) to the peer
device.
The received counter indicates the number of Hello packets
received for the VRID from the peer on this port.
The missed counter indicates the number of Hello packets that
were expected for the VRID but did not arrive from the peer on
this port.
Heartbeat missed Number of Hello packets that were expected for the VRID from
the peer but did not arrive on any port.
Total packets received from peer Total number of Hello packets received from the peer.
Detail Fields
Note: The following fields appear only if you use the detail option.
Conn Sync Pkts Number of connection (session) synchronization packets sent by
this partition for the VRID.
Conn Query Pkts Number of session synchronization query packets sent by this
partition for the VRID. Query packets are sent by the standby
device to request session information.
Conn Sync Create Session Pkts Number of creation packets for synchronized connections sent by
Conn Sync Update Age Pkts Number of update packets for synchronized connections sent by
Conn Sync Delete Session Pkts Number of delete packets for synchronized connections sent by
Total packets sent for vrid N Total number of Hello packets sent by this partition for the VRID.
Separate counters are listed for each data port used by this parti-
tion to send the packets.
Dup device ID Number of incoming hello packets that had the same device ID as
this device (the local device).
Set ID mismatch Number of incoming hello packets in which the VRRP-A set ID
was different from this device’s set ID.
Version mismatch Number of incoming hello packets that had a different VRRP-A
software version that the one running on this device.
Error port Number of hello messages received from a non-existent port.
Error device ID Number of hello messages received from an invalid device ID
(any device ID higher than 8).
Switch to active, switch to standby Number of times the partition transitioned to Active or Standby
for the VRID.
Peer IP IP address of the active peer for the VRID. The active peer is the
device to which this device (the local device) sends sessions for
synchronization.

show vrrp-a config
show vrrp-a config

Description Display the VRRP-A configuration on the device.
Syntax show vrrp-a config
Mode All
Usage Parameters that are set to their default values are not listed.
show vrrp-a detail

Description Display the VRRP-A detailed configuration on the device.
Syntax show vrrp-a detail
Mode All
Example The following command shows comprehensive information on your current

VRRP-A configuration:
ACOS(config)#show vrrp-a detail
vrid default
Unit State Weight Priority
2 (Local) Standby 65534 150 *
1 (Peer) Active 65534 150
...
VRRP-A stats
Peer: 1, vrid default
Port 1: received 25685 missed 3
...
Total packets sent for vrid default: 58524

...
Peer IP[1]: 7.7.7.1

show vrrp-a fail-over-policy-template
show vrrp-a fail-over-policy-template

Description Display the VRRP-A fail-over policy template details.
Syntax show vrrp-a fail-over-policy-template
Mode All
Example The following command shows VRRP-A information for all the fail-over
policy templates:
ACOS(config)#show vrrp-a fail-over-policy-template
vrrp-a fail-over-policy-template interface
interface ethernet 1 weight 200
vrrp-a fail-over-policy-template trunk
trunk 1 priority-weight 200
vrrp-a fail-over-policy-template gateway
gateway 41.41.41.20 weight 200
vrrp-a fail-over-policy-template route
route 4.4.4.0 255.255.255.0 weight 200
vrrp-a fail-over-policy-template vlan
vlan 10 timeout 2 weight 200
vrrp-a fail-over-policy-template template1
interface ethernet 1 weight 200
vlan 10 timeout 2 weight 200
trunk 1 priority-weight 200
route 20.20.20.0 255.255.255.0 weight 200
If you specify the name of the template, the show vrrp-a fail-over-policy
template command displays the contents of that template only.
show vrrp-a mac

Description Display the virtual MAC addresses of the VRIDs.
Syntax show vrrp-a mac
Mode All

show vrrp-a setid-monitor
Example The following command shows the virtual MAC addresses for the default
VRID (0) and VRIDs 1 and 2:
AX#show vrrp-a mac
VRRP-A vrid MACs
0 021f.a000.0020
1 021f.a000.0021
2 021f.a000.0022
In this example, the VRRP-A set ID is 1.
show vrrp-a setid-monitor

Description Display the VRRP-A set information.
Syntax show vrrp-a setid-monitor

[active-vrid | device DeviceID]
Mode All
show waf-policy
Description Display policy file information for the Web Application Firewall (WAF).
See the Web Application Firewall Guide.
show web-service
Description Show settings for Web-management access.
Syntax show web-service
Mode All
Example The following command shows the settings for access to the management
GUI on an A10 Thunder Series and AX Series device:
ACOS#show web-service
AX Web server:
Idle time: 10 minutes
Http port: 80
Https port: 443
Auto redirect: Enabled
Https: Enabled

show web-service
Http: Enabled
aXAPI Idle time: 5 minutes
TABLE 37 show web-service fields

Field Description
Idle time Number of minutes a web management session can remain
idle before the ACOS device terminates the session.
HTTP port HTTP port number on which the ACOS device listens for
connections to the management GUI.
HTTPS port HTTPS port number on which the ACOS device listens for
connections to the management GUI.
Auto redirect Indicates whether requests for the HTTP port are automati-
cally redirected to the HTTPS port.
HTTPS State of the GUI HTTPS port.
HTTPS State of the GUI HTTP port.
aXAPI Idle time Number of minutes an aXAPI session can remain idle before
bering terminated. Once the aXAPI session is terminated, the
session ID generated by the ACOS device for the session is
no longer valid.

show web-service

show slb aflow
SLB Show Commands
The show slb commands display information for Server Load Balancing
(SLB).
To automatically re-enter a show slb command at regular intervals, see

“repeat” on page 82.
In addition to the command options provided with some show commands,

you can use output modifiers to search and filter the output. See “Searching
and Filtering CLI Output” on page 45.
Note: For information about other show commands, see “Show Commands” on
page 839.
show slb aflow

Description Show aFlow statistics.
Syntax show slb aflow [detail]

[device DeviceID]
Option Description
detail Lists separate counters for each CPU.
device
ter.
Mode All

show slb attack-prevention
show slb attack-prevention

Description Show SYN-cookie statistics for the number of packets received during dif-
ferent intervals of time.
Syntax show slb attack-prevention
Mode All
Usage When running the show slb attack-prevention command on an FPGA-

based model, the “SYN attack” field does not show output for the historical
counters (1s/5s/30s/1min/5min). Output is only provided for the “current”
column.
This feature is supported for L3V private partitions in non-FPGA-based

models. If the show slb attack-prevention command is run from an L3V
network partition on an FPGA-based model, the “SYN attack” counter dis-
plays zero for all columns.
Example The following command shows SYN-cookie statistics:

ACOS(config)#show slb attack-prevention
Current 1 sec 5 sec 30 sec 1 min 5
min
------------------------------------------------------------------
SYN cookie snt 0 0 0 0 0 0
SYN cookie snt ts 0 0 0 0 0 0
SYN cookie snt fail 0 0 0 0 0 0
SYN cookie chk fail 0 0 0 0 0 0
SYN attack 0 0 0 0 0 0
TABLE 38 show slb attack-prevention fields

Field Description
SYN cookie snt Number of TCP SYN cookies sent.
SYN cookie snt ts Number of expanded TCP SYN cookies sent.
SYN cookie snt fail Number of TCP SYN cookie send attempts that failed.
SYN cookie chk fail Number of TCP SYN cookies for which the responding
ACK failed the SYN cookie check.
SYN attack Total number of SYN connections that did not receive
an ACK from the client and assumed to be SYN attack.

show slb cache
show slb cache

Description Display statistics and other information for RAM caching.
Syntax show slb cache

[entries vip-name port-num |
memory-usage |
replacement vip-name port-num |
stats [vip-name port-num]]
[device DeviceID]
Option Description
entries
vip-name
port-num Shows a list of the cached objects.
memory-usage Shows memory usage for RAM caching.
replacement
vip-name
port-num Shows replacement information for the specified
virtual port on the specified virtual server.
stats
[vip-name
port-num] Lists RAM caching statistics by VIP. If you spec-
ify a VIP or port number, statistics are displayed
only for that VIP or port number.
device
ter.
Mode All
Usage If you do not use any of the optional parameters, RAM caching statistics are
displayed. This is equivalent to entering the show slb cache stats com-
mand.

show slb cache
Example The following command shows RAM caching statistics:

AX#show slb cache
Cache Hits 0
Cache Misses 6
Memory Used 27648
Bytes Served 0
Entries Cached 6
Entries Replaced 0
Entries Aged Out 0
Entries Cleaned 0
Total Requests 0
Cacheable Requests 0
No-cache Requests 0
No-cache Responses 0
IMS Requests 0
304 Responses 0
Revalidation Successes 0
Revalidation Failures 0
Policy URI nocache 0
Policy URI cache 0
Policy URI invalidate 0
Content Too Big 0
Content Too Small 0
Srvr Resp - Cont Len 220
Srvr Resp - Chnk Enc 37
Srvr Resp - 304 Status 0
Srvr Resp - Other 0
Cache Resp - No Comp 383579
Cache Resp - Gzip 0
Cache Resp - Deflate 0
Cache Resp - Other 0
Entry create failures 0
TABLE 39 show slb cache fields

Field Description
Cache Hits Number of times a requested page was found in the cache
and served from the cache.
Cache Misses Number of times a requested page was not found in the
cache.
Memory Used Amount of RAM currently used by cached content.
Bytes Served Number of bytes served.
Entries Cached Number of objects currently in the cache.
Entries Replaced Number of cached items that were removed to make room
for newer entries, per the replacement policy.

show slb cache
TABLE 39 show slb cache fields (Continued)

Field Description
Entries Aged Out Number of entries that were removed because they are older
than their expiration time.
Entries Cleaned Number of cached objects that have aged out and therefore
been removed from the cache.
Total Requests Total number of requests received on all virtual server ports
on which caching is configured.
Cacheable Number of requests that are potentially cacheable.
Requests
No-cache Number of requests with no-cache header directives.
Requests
No-cache Number of responses with no-cache header directives.
Responses
IMS Requests Number of requests that contained an If-Modified-Since
header.
304 Responses Number of 304 – Not Modified responses sent to clients.
Revalidation Number of entries that were successfully revalidated by the
Successes server.
Revalidation Number of times revalidation failed.
Failures
Policy URI Number of times requested content was not cached due to a
nocache URI policy.
Policy URI Number of times a request was cached due to a URI policy.
cache
Policy URI Number of times a request was invalidated due to a URI pol-
invalidate icy.
Content Too Big Number of cacheable items that were not cached because the
file size was larger than the configured maximum content
size.
Content Too Number of cacheable items that were not cached because the
Small file size was smaller than the configured minimum content
size.
Srvr Resp - Number of responses that contained Content-Length head-
Cont Len ers.
Srvr Resp - Number of responses that were chunk encoded.
Chnk Enc
Srvr Resp - Number of responses that had status code 304.
304 Status
Srvr Resp - Number of responses that were of other types.
Other
Cache Resp - Object is uncompressed.
No Comp
Cache Resp - Object was compressed using gzip. Gzip is an encoding for-
Gzip mat produced by the file compression program “gzip” (GNU
zip) as described in RFC 1952 (Lempel-Ziv coding [LZ77]
with a 32 bit CRC).

show slb cache
TABLE 39 show slb cache fields (Continued)

Field Description
Cache Resp - Object was compressed using deflate. Deflate is the “zlib”
Deflate format defined in RFC 1950 in combination with the
“deflate” compression mechanism described in RFC 1951.
Cache Resp - Object was compressed using compress. Compress is the
Other encoding format produced by the common UNIX file com-
pression program “compress” (adaptive Lempel-Ziv-Welch
coding [LZW]).
Entry create Counter used by A10 technical support for troubleshooting.
failures
Example The following command shows cached objects:

AX#show slb cache entries vs-cookie-cache 80
vs-cookie-cache:80
Host Object URL Bytes Type Status Expires in
---------------------------------------------------------------------------------------
10.20.0.120 /static2/1000.txt 1365 CL,No FR 3410 s
10.20.0.120 /static2/1000000.txt 636152 CE,Gz FR 3594 s
10.20.0.120 /ewen/index.html 1479 CL,Mo FR -57 s
TABLE 40 show slb cache entries fields

Field Description
cached-vip Virtual port number on which RAM caching is enabled.
Host IP address of the content server.
Object URL URL from which the cached object was obtained by the
ACOS device.
Bytes Length of the cached object.

show slb cache
TABLE 40 show slb cache entries fields (Continued)

Field Description
Type Indicates whether the cached object has a Content-Length
header, is compressed, or is chunk-encoded.
The value after the comma indicates the type of compression
used:
• No – Object is uncompressed.
• Gz – Object was compressed using gzip. Gzip is an encod-
ing format produced by the file compression program
“gzip” (GNU zip) as described in RFC 1952 (Lempel-Ziv
coding [LZ77] with a 32 bit CRC).
• Cm – Object was compressed using compress. Compress
is the encoding format produced by the common UNIX
file compression program “compress” (adaptive Lempel-
Ziv-Welch coding [LZW]).
• Df – Object was compressed using deflate. Deflate is the
“zlib” format defined in RFC 1950 in combination with
the “deflate” compression mechanism described in RFC
1951.
Status Status of the entry:
• FR – Fresh
• ST – Stale
• IN – Incomplete
• FA – Failed
• UN – Unknown
• R – The entry must be revalidated.
Expires in Number of seconds the object can remain unused before it
ages out.
Example The following command shows RAM caching memory usage:

AX#show slb cache memory-usage
VIP Port Memory Configured Memory Used Percent Used
---------------------------------------------------------------------------------------
vs120 80 10485760 8386560 79.98%
---------------------------------------------------------------------------------------
Total 10485760 8386560 79.98%
Example The following command shows replacement statistics:

AX#show slb cache replacement cached-vip 80
Frequency Total
---------------------------------------------------------------
1/256 6
1/128 0
1/64 0

show slb compression
1/32 0
1/16 0
1/8 0
1/4 0
1/2 0
1 0
2 0
4 0
8 0
16 0
32 0
64 0
128 2
The output shows the distribution of requests for the cached entries. Entries
listed for 1/256 (one in 256 requests) are the least requested, whereas entries
listed for 128 are the most requested.
show slb compression

Description Show HTTP compression statistics in bytes.
Syntax show slb compression [virtual-server port-num]

[all-partition | partition {shared | name}]
Option Description
virtual-server
port-num Show HTTP compression statistics for the speci-
fied virtual server only.
The port-num option shows information only for

the specified virtual port on the virtual server.
all-partition Show HTTP compression statistics in all parti-
tions.
partition
{shared | name} Show HTTP compression statistics in the speci-
fied partition or shared partition.
Mode All

show slb connection-reuse

Description Show SLB connection-reuse statistics.
Syntax show slb connection-reuse [detail]

[device DeviceID]
Option Description
device
ter.
Mode All
Example The following command shows summary connection-reuse statistics:

ACOS#show slb connection-reuse
Total
------------------------------------------------------------------
Open persist 0
Active persist 0
Total established 1787
Total terminated 1787
Total bind 1277
Total unbind 2389
Delayed unbind 4
Long resp 0
Missed resp 0
Unbound data rcvd 0
TABLE 41 show slb connection-reuse fields

Field Description
Open persist Number of new client connections directed to the same
server as previous connections by the persistence feature.

TABLE 41 show slb connection-reuse fields (Continued)

Field Description
Active persist Number of currently active connections that were sent to the
same real server by the persistence feature.
Total established Total number of established connections to the backend
server.
Total terminated Total number of terminated connections to the backend
server.
Total bind Total number of client persistent connections bound to the
backend server.
Total unbind Total number of client persistent connections unbound from
the backend server.
Delayed unbind Number of connections whose unbinding was delayed.
Note: In the current release, this counter is unused and is
always 0.
Long resp Number of responses that took too long.
Missed resp Number of missed responses to HTTP requests.
Unbound data
rcvd
Example The following command shows detailed connection-reuse statistics for each
data processor (DP):
ACOS#show slb connection-reuse detail
DP0 DP1 DP2 DP3 Total
------------------------------------------------------------------
Open persist 0 0 0 0 0
Active persist 0 0 0 0 0
Total established 0 537 597 653 1787
Total terminated 0 537 597 653 1787
Total bind 0 349 420 508 1277
Total unbind 0 676 797 916 2389
Delayed unbind 0 1 1 2 4
Long resp 0 0 0 0 0
Missed resp 0 0 0 0 0
Unbound data rcvd 0 0 0 0 0

show slb conn-rate-limit
show slb conn-rate-limit

Description Show statistics for source-IP based connection rate limiting.
Syntax show slb conn-rate-limit src-ip

{
[tcp | udp] locked-out-ips |
[tcp | udp] statistics |
tcp |
udp
}
Mode All
Example The following command shows statistics for source-IP based connection
rate limiting:
ACOS(config)#show slb conn-rate-limit src-ip statistics
Sessions allocated 0
Sessions freed 0
Too many sessions consumed 0
Out of sessions 0
Threshold check count 1022000
Honor threshold count 20532
Threshold exceeded count 1001408
Lockout drops 60
Log messages sent 20532
DNS requests re-transmitted 1000
No DNS response for request 1021000
Table 42 describes the fields in the show command output.
TABLE 42 show slb conn-rate-limit src-ip statistics fields

Field Description
Sessions Number of sessions allocated.
allocated
Sessions freed Number of sessions freed.
Too many Number of times too many sessions were consumed.
sessions
consumed
Out of sessions Number of times the device ran out of sessions.
Threshold check Number of times the ACOS device has checked for connec-
count tion-limit violations.

show slb diameter
TABLE 42 show slb conn-rate-limit src-ip statistics fields (Continued)

Field Description
Honor threshold Number of requests permitted because they were within the
count connection limit.
Threshold Number of requests denied because they exceeded the con-
exceeded count nection limit.
Lockout drops Number of requests dropped because a client was locked out.
Log messages Number of log messages generated by this feature.
sent
DNS requests Number of re-transmitted DNS requests detected. These are
re-transmitted DNS requests for which no response was received by the
ACOS device.
No DNS Number of DNS requests for which no response was
response for received.
request
show slb diameter

Description Show statistics for Diameter load balancing.
Syntax show slb diameter [detail]

[device DeviceID]
Option Description
device
ter.
Mode All

show slb diameter
Example The following command shows statistics for Diameter load balancing:
AX#show slb diameter
Total
------------------------------------------------------------------
Current proxy conns 0
Total proxy conns 0
client fail 0
server fail 0
Server selection failure 0
no route failure 0
Source NAT failure 0
concurrent user-session 0
acr out 0
acr in 0
aca out 0
aca in 0
cea out 0
cea in 0
cer out 0
cer in 0
dwr out 0
dwr in 0
dwa out 0
dwa in 0
str out 0
str in 0
sta out 0
sta in 0
asr out 0
asr in 0
asa out 0
asa in 0
other out 0
other in 0
TABLE 43 show slb diameter fields

Field Description
Current proxy Number of currently active Diameter connections using the
conns ACOS device as an Diameter proxy.
Total proxy Total number of Diameter connections that have used the
conns ACOS device as an Diameter proxy.
client fail Please contact A10 Networks for information.
server fail Please contact A10 Networks for information.
Server selection Number of times selection of a real server failed.
failure
no route failure Please contact A10 Networks for information.

show slb diameter
TABLE 43 show slb diameter fields (Continued)

Field Description
Source NAT Number of source NAT failures.
failure
concurrent Please contact A10 Networks for information.
user-session
acr out Number of Accounting-Request messages sent by the ACOS
device.
acr in Number of Accounting-Request messages received by the
ACOS device.
aca out Number of Accounting-Answer messages sent by the ACOS
device.
aca in Number of Accounting-Answer messages received by the
ACOS device.
cea out Number of Capabilities-Exchange-Answer messages sent by
the ACOS device.
cea in Number of Capabilities-Exchange-Answer messages
received by the ACOS device.
cer out Number of Capabilities-Exchange-Request messages sent by
the ACOS device.
cer in Number of Capabilities-Exchange-Request messages
received by the ACOS device.
dwr out Number of Device-Watchdog-Request messages sent by the
ACOS device.
dwr in Number of Device-Watchdog-Request messages received by
the ACOS device.
dwa out Number of Device-Watchdog-Answer messages sent by the
ACOS device.
dwa in Number of Device-Watchdog-Answer messages received by
the ACOS device.
str out Number of Session-Termination-Request messages sent by
the ACOS device.
str in Number of Session-Termination-Request messages received
by the ACOS device.
sta out Number of Session-Termination-Answer messages sent by
the ACOS device.
sta in Number of Session-Termination-Answer messages received
by the ACOS device.
asr out Number of Abort-Session-Request messages sent by the
ACOS device.
asr in Number of Abort-Session-Request messages received by the
ACOS device.
asa out Number of Abort-Session-Answer messages sent by the
ACOS device.
asa in Number of Abort-Session-Answer messages received by the
ACOS device.

show slb fast-http-proxy
TABLE 43 show slb diameter fields (Continued)

Field Description
other out Number of Diameter messages of other types (other message
codes) sent by the ACOS device.
other in Number of Diameter messages of other types received by the
ACOS device.

Description Show statistics for SLB fast-HTTP proxy.
Syntax show slb fast-http-proxy [detail]

[device DeviceID]
Option Description
device
ter.
Mode All
Example The following command shows summary fast-HTTP-proxy statistics:

ACOS#show slb fast-http-proxy
Total
------------------------------------------------------------------
Curr Proxy Conns 0
Total Proxy Conns 0
HTTP requests 0
HTTP requests(succ) 0
No proxy error 0
Client RST 0
Server RST 0
No tuple error 0
Parse req fail 0

Server selection fail 0

Fwd req fail 0
Fwd req data fail 0
Req retransmit 0
Req pkt out-of-order 0
Server reselection 0
Server premature close 0
Server conn made 0
Tot data before compress 0
Tot data after compress 0
Request over limit 0
Request rate over limit 0
Out RSTs 0
TABLE 44 show slb fast-http-proxy fields

Field Description
Curr Proxy Number of currently active connections using the fast-HTTP
Conns proxy.
Total Proxy Total number of connections that have used the fast-HTTP
Conns proxy.
HTTP requests Number of HTTP requests received by the fast-HTTP proxy.
HTTP Number of HTTP requests successfully fulfilled (by estab-
requests(succ) lishing a connection to a real server).
No proxy error Number of proxy errors.
Client RST Number of times TCP connections with clients were reset.
Server RST Number of times TCP connections with servers were reset.
No tuple error Number of tuple errors.
Parse req fail Number of times the HTTP parser failed to parse a received
HTTP request.
fail
Fwd req fail Number of forward request failures.
Fwd req data fail Number of forward request data failures.
Req retransmit Number of retransmitted requests.
Req pkt Number of request packets received from clients out of
out-of-order sequence.
Server Number of times initial selection of a real server for an
reselection HTTP request failed (for example, due to a TCP Reset sent
by the server).
Server Number of times the connection with a server closed prema-
premature close turely.
Server conn Number of connections made with servers.
made

TABLE 44 show slb fast-http-proxy fields (Continued)

Field Description
failure
Tot data before These counters show statistics for HTTP compression, in
compress bytes.
Tot data after
compress
Request Over Please contact A10 Networks for information.
Limit
Request Rate Please contact A10 Networks for information.
Over Limit
Out RSTs Please contact A10 Networks for information.
Example The following command shows detailed fast-HTTP-proxy statistics for each
ACOS#show slb fast-http-proxy detail
------------------------------------------------------------------
Curr Proxy Conns 0 0 0 0 0
Total Proxy Conns 0 0 0 0 0
HTTP requests 0 0 0 0 0
HTTP requests(succ) 0 0 0 0 0
No proxy error 0 0 0 0 0
Client RST 0 0 0 0 0
Server RST 0 0 0 0 0
No tuple error 0 0 0 0 0
Parse req fail 0 0 0 0 0
Server selection fail 0 0 0 0 0
Fwd req fail 0 0 0 0 0
Fwd req data fail 0 0 0 0 0
Req retransmit 0 0 0 0 0
Req pkt out-of-order 0 0 0 0 0
Server reselection 0 0 0 0 0
Server premature close 0 0 0 0 0
Server conn made 0 0 0 0 0
Source NAT failure 0 0 0 0 0
Tot data before compress 0 0 0 0 0
Tot data after compress 0 0 0 0 0
Request over limit 0 0 0 0 0
Request rate over limit 0 0 0 0 0
Out RSTs 0 0 0 0 0

show slb fix
show slb fix

Description Show SLB statistics for the Financial Information Exchange (FIX) proxy.
Syntax show slb fix [detail]
Option Description
Mode All
Example The following command shows FIX SLB statistics.

ACOS(config)#show slb fix
Total
------------------------------------------------------------------
Total proxy conns 2
client fail 7
server fail 2
no route failure 0
Insert client IP 5
Default switching 1
Sender ID switching 4
Target ID switching 0
TABLE 45 show slb fix fields

Field Description
Current Number of currently active connections using the FIX proxy.
proxy conns
Total proxy Total number of connections that have used the FIX proxy.
conns
client fail Number of times that the connection was terminated due to
an error on the client side.
server fail Number of times that the connection was terminated due to
an error on the server side.
Server Number of times selection of a real server failed.
selection
failure
no route Number of times FIX failed due to a route lookup failure.
failure

show slb ftp
TABLE 45 show slb fix fields

Field Description
Failure
Insert Number of times that the ACOS inserted the client’s IP
client IP address into tag 11447 and forwarded the recalculated
request packet to the FIX server.
Default Number of times that the ACOS parsed the tag value from a
switching client’s request and selected a service-group based on a
match with the configured tag keyword.
Sender ID Instances of content switching based on the sender’s
Switching identification tag (SenderCompID).
Target ID Instances of content switching based on the receiver’s
Switching identification tag (TargetCompID).
show slb ftp

Description Show SLB FTP statistics.
Syntax show slb ftp
Mode All
Example The following command shows SLB FTP statistics.

ACOS#show slb ftp
Total Control Sessions 0
Total ALG packets 0
ALG packets rexmitted 0
Out of Connections 0
Total Data Sessions 0

Out of Connections 0
TABLE 46 show slb ftp fields

Field Description
Total Control Total number of FTP control sessions load-balanced by the
Sessions A10 Thunder Series and AX Series device.
Total ALG Total number of Application Layer Gateway (ALG) packets.
packets
ALG packets Number of ALG packets that have been retransmitted.
rexmitted

show slb generic-proxy
TABLE 46 show slb ftp fields (Continued)

Field Description
Out of Number of times an FTP control session could not be estab-
Connections lished because none of the real servers had available connec-
tions.
Total Data Total number of FTP data sessions load-balanced by the A10
Sessions Thunder Series and AX Series device.
Out of Number of times an FTP data session could not be estab-
Connections lished because none of the real servers had available connec-
tions.
show slb generic-proxy

Description Display generic-proxy statistics.
Syntax show slb generic-proxy [detail]
Option Description
Mode All
show slb geo-location

Description Display geo-location information.
Syntax show gslb geo-location

[
virtual-server-name |
port-num |
bad-only |
depth num |
id group-id |
ip ipaddr |
location location-name |
statistics
]
Option Description
virtual-server-
name Displays geo-location information for only the
specified virtual server.

show slb http-proxy
port-num Displays geo-location information for only the

specified virtual port.
bad-only Displays only the invalid entries.
depth num Specifies how many nodes within the geo-loca-
tion data tree to display. For example, to display
only continent and country entries and hide indi-
vidual state and city entries, specify depth 2. By
default, the full tree (all nodes) is displayed. You
can specify 1-5.
id group-id Displays geo-location information for only the
specified black/white-list group ID.
ip ipaddr Displays geo-location database entries for only
the specified IP address.
location
location-name Displays geo-location database entries for only
the specified location.
statistics Displays statistics for the specified geo-location.
Mode All
Usage Some options can be combined on the same command line. See the CLI
help for information.
show slb http-proxy

Description Show statistics for SLB HTTP proxy.
Syntax show slb http-proxy [virtual-server port-num]

[detail]
[device DeviceID]
Option Description
virtual-server
port-num Displays counters for HTTP response codes. For
the virtual-server port-num, enter the name of a
virtual server and its port. The port-num can be
1-65534.
device

show slb http-proxy

ter.
Mode All
Example The following command shows summary HTTP-proxy statistics:

ACOS#show slb http-proxy
Total
------------------------------------------------------------------
Curr Proxy Conns 2
Total Proxy Conns 3266
HTTP requests 3860
HTTP requests(succ) 3605
No proxy error 0
Client RST 351
Server RST 1
No tuple error 0
Parse req fail 0
Fwd req fail 10
Fwd req data fail 0
Req retransmit 0
Req pkt out-of-order 0
Server conn made 1791
Tot data before compress 1373117
Tot data after compress 404410
Request over limit 0
Request rate over limit 0
TABLE 47 show slb http-proxy fields

Field Description
Curr Proxy Number of currently active HTTP connections using the A10
Conns Thunder Series and AX Series device as an HTTP proxy.
Total Proxy Total number of HTTP connections that have used the A10
Conns Thunder Series and AX Series device as an HTTP proxy.
HTTP requests Total number of HTTP requests received by the HTTP
proxy.

show slb http-proxy
TABLE 47 show slb http-proxy fields (Continued)

Field Description
HTTP Number of HTTP requests received by the HTTP proxy that
requests(succ) were successfully fulfilled (by connection to a real server).
Parse req fail Number of times parsing of an HTTP request failed.
fail
Fwd req fail Number of forward request failures.
Fwd req data fail Number of forward request data failures.
Req retransmit Number of retransmitted requests.
Req pkt Number of request packets received from clients out of
Server Number of times a request was forwarded to another server
reselection because the current server was failing.
made
failure
Tot data before These counters show statistics for HTTP compression, in
compress bytes.
Tot data after
compress
Request Over Please contact A10 Networks for information.
Limit
Request Rate Please contact A10 Networks for information.
Over Limit
Example The following command shows detailed HTTP-proxy statistics for each
ACOS#show slb http-proxy detail
------------------------------------------------------------------
Curr Proxy Conns 0 0 0 2 2
Total Proxy Conns 0 1026 1102 1138 3266
HTTP requests 0 1218 1282 1360 3860
HTTP requests(succ) 0 1064 1176 1365 3605
No proxy error 0 0 0 0 0
Client RST 0 102 118 131 351
Server RST 0 0 1 0 1
No tuple error 0 0 0 0 0
Parse req fail 0 0 0 0 0

show slb http-proxy
Server selection fail 0 0 0 0 0

Fwd req fail 0 5 3 2 10
Fwd req data fail 0 0 0 0 0
Req retransmit 0 0 0 0 0
Req pkt out-of-order 0 0 0 0 0
Server reselection 0 0 0 0 0
Server premature close 0 0 0 0 0
Server conn made 0 537 598 656 1791
Source NAT failure 0 0 0 0 0
Tot data before compress 0 0 0 0 0
Tot data after compress 0 0 0 0 0
Request over limit 0 0 0 0 0
Request rate over limit 0 0 0 0 0
Example The following command shows HTTP response code statistics:

ACOS(config)#show slb http-proxy vs800-http 80
Total
------------------------------------------------------------------
status code 1XX 3
status code 2XX 1
status code 3XX 12
status code 4XX 8
status code 5XX 2
status code 6XX 3
...
Rsp time < 200m 0
Rsp time < 500m 1
Rsp time < 1s 3
Rsp time < 2s 7
Rsp time < 5s 13
Rsp time >= 5s 22

show slb hw-compression
show slb hw-compression

Description Show statistics for hardware-based compression.
Syntax show slb hw-compression

[device DeviceID]
Option Description
device
ter.
Mode All
Usage Hardware-based compression is available using an optional hardware mod-

ule in the following models: AX 2100, AX 2200, AX 3100, and AX 3200.
If this command does not appear on your ACOS device, the device does not
contain a compression module.
Example The following commands enable hardware-based compression and display

statistics for the feature:
ACOS(config)#show slb hw-compression
Hardware compression device is installed.
Hardware compression module is enabled.
Total
------------------------------------------------------------------
total request count 177157
total submit count 177157
total response count 177157
total failure count 0
last failure code 0
compression queue full 0
max queued request count 84
max queued submit count 68

show slb l4
show slb l4
Description Show Layer-4 SLB statistics.
Syntax show slb l4 [detail]

[device DeviceID]
Option Description
device
ter.
Mode All
Example The following command shows summary statistics for Layer 4 SLB:
ACOS#show slb l4
Total
------------------------------------------------------------------
IP out noroute 0
TCP out RST 0
TCP out RST no SYN 0
TCP out RST L4 proxy 0
TCP out RST ACK attack 0
TCP out RST aFleX 0
TCP out RST stale sess 0
TCP out RST TCP proxy 0
TCP SYN received 226510
TCP SYN cookie snt 226510
TCP SYN cookie expd snt 0
TCP SYN cookie snt fail 0
TCP received 1042844
UDP received 0
L2 DSR received 0
L3 DSR received 0
Server sel failure 0
Source NAT no fwd route 0

show slb l4
Source NAT no rev route 0

Source NAT ICMP Process 0
Source NAT ICMP No Match 0
Auto NAT id mismatch 0
TCP SYN cookie failed 0
L4 SYN attack 226510
NAT no session drops 0
vport not matching drops 0
No SYN pkt drops 0
No SYN pkt drops - FIN 0
No SYN pkt drops - RST 0
No SYN pkt drops - ACK 0
Conn Limit drops 0
Conn Limit resets 0
Conn rate limit drops 0
Conn rate limit resets 0
Proxy no sock drops 0
aFleX drops 0
Session aged out 0
TCP Session aged out 0
UDP Session aged out 0
Other Session aged out 0
TCP no SLB 0
UDP no SLB 0
SYN Throttle 0
Inband HM retry 0
Inband HM reassign 0
Auto-reselect server 0
Fast aging set 0
Fast aging reset 0
TCP invalid drop 0
Out of sequence ACK drop 0
SYN stale sess drop 589824
Anomaly out of sequence 0
Anomaly zero window 0
Anomaly bad content 0
Anomaly pbslb drop 0
No resource drop 0
Reset unknown conn 0
RST L7 on failover 0
TCP SYN Other Flags Drop 0
TCP SYN With Data Drop 0
ignore msl 0
NAT Port Preserve Try 0
NAT Port Preserve Succ 0
BW-Limit Exceed drop 0
BW-Watermark drop 0
L4 CPS exceed drop 0
NAT CPS exceed drop 0
L7 CPS exceed drop 0
SSL CPS exceed drop 0

show slb l4
SSL TPT exceed drop 0

SSL TPT-Watermark drop 0
L3V Conn Limit Drop 0
L4 server handshake fail 0
L4 AX re-xmit SYN 0
L4 rcv ACK on SYN 0
L4 rcv RST on SYN 0
TCP no-Est Sess aged out 0
no-Est CSYN rcv aged out 0
no-Est SSYN snt aged out 0
L4 rcv rexmit SYN 589824
L4 rcv rexmit SYN (delq) 589824
L4 rcv rexmit SYN|ACK 0
L4 rcv rexmit SYN|ACK DQ 0
L4 rcv fwd last ACK 0
L4 rcv rev last ACK 0
L4 rcv fwd FIN 0
L4 rcv fwd FIN dup 0
L4 rcv fwd FIN|ACK 0
L4 rcv rev FIN 0
L4 rcv rev FIN dup 0
L4 rcv rev FIN|ACK 0
L4 rcv fwd RST 226510
L4 rcv rev RST 0
L4 UDP reqs no rsp 0
L4 UDP req rsps 0
L4 UDP req/rsp not match 0
L4 UDP req > rsps 0
L4 UDP rsps > reqs 0
L4 UDP reqs 0
L4 UDP rsps 0
L4 TCP Established 0
TABLE 48 show slb l4 fields

Field Description
IP out noroute Number of IP packets that could not be routed.
TCP out RST Number of TCP Resets sent.
TCP out RST no Number of Resets sent for which there was no SYN.
SYN
TCP out RST L4 Number of TCP Reset packets the ACOS device has sent as
proxy a Layer 4 proxy.
TCP out RST Number of TCP Resets sent in response to a TCP ACK
ACK attack attack.
TCP out RST Number of TCP Reset packets the ACOS device has sent due
aFleX to an aFleX policy.

show slb l4
TABLE 48 show slb l4 fields (Continued)

Field Description
TCP out RST Number of TCP Reset packets the ACOS device has sent due
stale sess to stale TCP sessions.
TCP out RST Number of TCP Reset packets the ACOS device has sent as
TCP proxy a TCP proxy.
TCP SYN Number of TCP SYN packets received.
received
TCP SYN cookie Number of TCP SYN cookies sent.
snt
TCP SYN cookie Number of TCP SYN cookies with expanded options that
expd snt were sent.
Note: Expanded SYN cookie options are disabled by default
but can be enabled. (See “syn-cookie” on page 762.)
TCP SYN cookie Number of TCP SYN cookie send attempts that failed.
snt fail
TCP received Number of TCP packets received.
UDP received Number of UDP packets received.
L2 DSR received Number of reply packets received for Layer 2 DSR sessions.
L3 DSR received Number of reply packets received for Layer 3 DSR sessions.
Server sel failure Number of times selection of a real server failed.
Source NAT Number of times a source NAT failure occurred.
failure
Source NAT no Number of times there was no route to the destination for
fwd route Layer 3 NAT traffic.
Source NAT no Number of times there was no route to the source for Layer 3
rev route NAT traffic.
Source NAT Number of times an ICMP error related to source NAT
ICMP Process occurred.
Source NAT Number of times an ICMP error related to source NAT
ICMP No Match occurred, and there was no matching session for the traffic.
Auto NAT ID Number of times a mismatch has occurred between a Smart
mismatch NAT resource and a VRRP-A VRID or HA group ID.
TCP SYN cookie Number of times a TCP SYN cookie failure occurred.
failed
L4 SYN attack Total number of TCP SYNs received by the ACOS device
that were not followed by a valid client ACK to establish the
connection.
This counter is calculated as follows:
(Total-SYNs-Received-by-Hardware +
Total-SYNs-Received-by-Software) -
Total-Number-of-Successful-Connections =
L4-SYN-Attack-Count
NAT no session Number of times non-ICMP traffic to a NAT IP address was
drops dropped because there was no matching session.

show slb l4

Field Description
vport not Number of times either of the following conditions has
matching drops occurred:
• Virtual port is down.
• Virtual port is not configured.
No SYN pkt Number of SYN packets dropped.
drops
No SYN pkt Number of SYN packets dropped due to a TCP FIN.
drops - FIN
No SYN pkt Number of SYN packets dropped due to a TCP Reset.
drops - RST
No SYN pkt Number of SYN packets dropped due to an ACK.
drops - ACK
Conn Limit Number of connections dropped because the server connec-
drops tion limit had been reached.
Conn Limit Number of connections reset because the server connection
resets limit had been reached.
Conn rate limit Number of connections dropped by connection rate limiting.
drops
Conn rate limit Number of connections reset by connection rate limiting.
resets
Proxy no sock Number of packets dropped because the proxy did not have
drops an available socket.
aFleX drops Number of packets dropped due to an aFleX policy.
Session aged out Total number of sessions that have aged out.
TCP Session Number of TCP sessions that have aged out.
aged out
UDP Session Number of UDP sessions that have aged out.
aged out
Other Session Number of sessions of other types (not TCP or UDP) that
aged out have aged out.
TCP no SLB Number of non-SLB TCP packets received by the ACOS
device.
UDP no SLB Number of non-SLB UDP packets received by the ACOS
device.
SYN Throttle Number of SYN packets that have been throttled.
Inband HM retry Number of times the ACOS device retried an inband health
check, because a SYN-ACK was not received for the previ-
ous SYN.
Inband HM Number of times the ACOS device reassigned a client’s traf-
reassign fic to another server, because the initial server exceeded the
maximum number of retries allowed by the inband health
check.

show slb l4

Field Description
Auto-reselect Number of times the ACOS device has reperformed server
server selection automatically because the initially selected server
did not respond to the TCP-SYN from the ACOS device.
Note: In the current release, this counter applies only to traf-
fic on HTTP/HTTPS virtual ports.
Fast aging set Number of times fast aging of idle connections was automat-
ically enabled by the ACOS device due to low availability of
I/O buffers.
Fast aging reset Number of times fast aging of idle connections was disabled.
This occurs after a sufficient number of buffers become
available again.
TCP invalid drop Number of TCP packets received by the ACOS device that
did not conform to the standard format for TCP packets. For
example, this counter is incremented if the ACOS device
receives a packet whose total length is less than the follow-
ing:
Internet-Header-Length * 4 +
TCP-data-offset *4
Out of sequence Number of TCP ACKs that were dropped because they were
ACK drop out of sequence.
SYN stale sess Number of sessions for which a SYN was received when the
drop session was no longer active, but was instead in the delete
queue.
Anomaly out of Number of packets that matched an IP anomaly out-of-
sequence sequence filter.
Note: To configure IP anomaly filters, see “ip anomaly-
drop” on page 356.
Anomaly zero Number of packets that matched an IP anomaly zero-win-
window dow filter.
Anomaly bad Number of packets that matched an IP anomaly bad-content
content filter.
Anomaly Number of packets that matched an IP anomaly filter used
PBSLB drop for system-wide Policy-Based SLB (PBSLB).
No resource drop Number of times traffic has been dropped because the ACOS
device had run out of Layer 4 session resources.
Reset unknown Number of times the ACOS device sent a RST in response to
conn a non-SYN packet for a non-existent session.
Note: This feature is enabled using the reset-unknown-
conn option in virtual port templates. See “slb template vir-
tual-port” on page 690.
RST L7 on Number of Layer 7 sessions that were reset following HA
failover failover.
TCP SYN Other Number of TCP SYN packets that were dropped by the
Flags Drop ACOS device because they contained a flag other than the
SYN flag.

show slb l4

Field Description
TCP SYN With Number of TCP SYN packets that were dropped by the
Data Drop ACOS device because they contained data.
Ignore MSL Number of packets dropped by the ignore-tcp-msl option.
(See “slb template virtual-port” on page 690.)
NAT Port Number of times the client port preservation feature
Preserve Try attempted to preserve a client’s source port for traffic des-
tined to a virtual port.
Note: This feature is enabled using the snat-port-preserve
option in virtual port templates. See “slb template virtual-
port” on page 690.
NAT Port Number of times the client port preservation feature success-
Preserve Succ fully preserved a client’s source port for traffic destined to a
virtual port.
BW-Limit Number of times traffic was dropped because a configured
Exceed drop bandwidth limit was exceeded.
BW-Watermark Number of times traffic was dropped because a configured
drop bandwidth watermark was exceeded.
L4 CPS exceed Number of times traffic was dropped because the maximum
drop allowed number of Layer 4 connections per second (CPS)
was exceeded.
NAT CPS exceed Number of times traffic was dropped because the maximum
drop allowed number of NAT CPS was exceeded.
L7 CPS exceed Number of times traffic was dropped because the maximum
drop allowed number of Layer 7 CPS was exceeded.
SSL CPS exceed Number of times traffic was dropped because the maximum
drop allowed number of SSL CPS was exceeded.
SSL TPT exceed Number of times SSL traffic was dropped because SSL
drop throughput exceeded the maximum allowed by a system-
resource template.
SSL TPT- Number of times SSL traffic was dropped because SSL
Watermark drop throughput exceeded the configured watermark.
L3V Conn Limit Number of times Layer 3 traffic was dropped because a con-
Drop figured connection limit was exceeded.
L4 server Number of times traffic was dropped because the Layer 4
handshake fail handshake with a server failed.
L4 AX re-xmit Number of times the ACOS device needed to retransmit a
SYN TCP SYN.
L4 rcv ACK on Number of SYN-ACKs (ACKs in response to TCP-SYNs)
SYN received by the ACOS device.
L4 rcv RST on Number of times the ACOS device received a TCP Reset
SYN (RST) in response to a SYN.
TCP no-Est Sess Number of TCP sessions that aged out before they were
aged out established.

show slb l4

Field Description
no-Est CSYN Number of TCP sessions that aged out before a SYN was
rcv aged out received from the client, and therefore could not be estab-
lished.
no-Est SSYN snt Number of TCP sessions that aged out before a SYN was
aged out received from the server, and therefore could not be estab-
lished.
L4 rcv rexmit Total number of retransmitted SYNs received by the ACOS
SYN device.
L4 rcv rexmit Number of retransmitted SYNs received by the ACOS
SYN (delq) device for sessions that had already been moved to the delete
queue.
L4 rcv rexmit Total number of retransmitted SYN-ACKs received by the
SYN|ACK ACOS device.
L4 rcv rexmit Number of retransmitted SYN-ACKs received by the ACOS
SYN|ACK DQ device for sessions that had already been moved to the delete
queue.
L4 rcv fwd last Number of final ACKs (last ACKs of a given TCP session)
ACK received by the ACOS device from clients.
Note: In this field and the following fields, the following
terms describe the traffic origination and direction:
• rcv fwd – Final ACKs received from the client.
• rcv rev – Final ACKs received from the server.
L4 rcv rev last Number of final ACKs (last ACKs of a given TCP session)
ACK received by the ACOS device from servers.
L4 rcv fwd FIN Number of TCP FINs received from clients.
L4 rcv fwd FIN Number of duplicate TCP FINs received from clients.
dup
L4 rcv fwd Number of TCP FIN-ACKs received from clients.
FIN|ACK
L4 rcv rev FIN Number of TCP FINs received from servers.
L4 rcv rev FIN Number of duplicate TCP FINs received from servers.
dup
L4 rcv rev Number of TCP FIN-ACKs received from servers.
FIN|ACK
L4 rcv fwd RST Number of TCP RSTs received from clients.
L4 rcv rev RST Number of TCP RSTs received from servers.
L4 UDP reqs no Number of UDP requests received to which there was no
rsp response.
L4 UDP req rsps Number of UDP requests received to which there was a
response.
L4 UDP req/rsp Number of mismatches between UDP request and response.
not match
L4 UDP req > Number of UDP requests received for which there was no
rsps corresponding response.

show slb mssql

Field Description
L4 UDP rsps > Number of UDP responses received for which there was no
reqs corresponding request.
L4 UDP reqs Total number of UDP requests received by the ACOS
device.
L4 UDP rsps Total number of UDP responses received by the ACOS
device.
L4 TCP Number of ACKS received from clients in reply to SYN-
Established ACKs from the ACOS device.
show slb mssql

Description Display statistics for database load-balancing (DBLB) for a MS-SQL data-
base system.
Syntax show slb mssql [detail]
Option Description
Mode All
show slb mysql

Description Display statistics for database load-balancing (DBLB) for a MySQL data-
base system.
Syntax show slb mysql [detail]
Option Description
Mode All

show slb passthrough
show slb passthrough

Description Display statistics for pass-through TCP sessions. A pass-through TCP ses-
sion is one that is not terminated by the ACOS device (for example, a ses-
sion for which the ACOS device is not serving as a proxy for SLB).
Syntax show slb passthrough
Mode All
Example The following command displays TCP pass-through session statistics:

AX#show slb passthrough
Request packets: 10741 Response packets: 38195
Request bytes: 570272 Response bytes: 56562872
Current connections: 0 Total connections: 4
show slb performance

Description Show SLB performance statistics.
Syntax show slb performance

[interval number [detail]]
[{l4cpi | l7cpi | l7tpi | natcpi | sslcpi}
[detail]]
Option Description
interval number Automatically refreshes the output at the speci-
fied interval. The interval can be 1-32 seconds.
If you omit this option, the output is shown one
time. If you use this option, the output is repeat-
edly refreshed at the specified interval until you
press ctrl+c.
l4cpi Shows only Layer 4 connections per interval.
l7cpi Shows only Layer 7 connections per interval.
l7tpi Shows only Layer 7 transactions per interval.
natcpi Shows only Network Address Translation (NAT)
connections per interval.
sslcpi Shows only SSL connections per interval.
detail This option is not used in the current release.

show slb persist
Mode All
Example The following command shows SLB performance statistics:

ACOS#show slb performance
Refreshing SLB performance every 1 seconds. (press ^C to quit)
Note: cpi conn/interval, tpi transactions/interval
CPU Usage L4cpi L7cpi L7tpi SSLcpi Natcpi Time

------------------------------------------------------------------------
8/9 0 0 0 0 0 11:46:10
4/4 4222 0 0 0 0 11:46:11
4/4 3 0 0 0 0 11:46:12
TABLE 49 show slb performance fields

Field Description
Refreshing SLB Interval at which the statistics are refreshed.
performance
every # seconds
CPU Usage Utilization on each data CPU.
Each number is the utilization on one data CPU. In the exam-
ple shown above, the ACOS model has three data CPUs, and
the utilization on each one is 1%.
L4cpi Layer 4 connections per interval.
L7cpi Layer 7 connections per interval.
L7tpi Layer 7 transactions per interval.
SSLcpi SSL connections per interval.
Natcpi NAT connections per interval.
Time System time when the statistics were collected.
show slb persist

Description Show persistence load-balancing statistics.
Syntax show slb persist [detail]

[device DeviceID]
Option Description
device

show slb persist

ter.
Example The following command shows summary persistence statistics:

ACOS#show slb persist
Total
------------------------------------------------------------------
URL hash persist(pri) 0
URL hash persist(sec) 0
URL hash persist fail 0
SRC IP persist ok 0
SRC IP persist fail 0
SRC IP hash persist(pri) 0
SRC IP hash persist(sec) 0
SRC IP hash persist fail 0
DST IP persist ok 0
DST IP persist fail 0
DST IP hash persist(pri) 0
DST IP hash persist(sec) 0
DST IP hash persist fail 0
SSL SID persist ok 0
SSL SID persist fail 0
Cookie persist ok 0
Cookie persist fail 0
Persist cookie not found 0
Enforce higher priority 30
TABLE 50 show slb persist fields

Field Description
URL hash Number of requests successfully sent to the primary server
persist(pri) selected by URL hashing. The primary server is the one that
was initially selected and then re-used based on the hash
value.
URL hash Number of requests that were sent to another server (a sec-
persist(sec) ondary server) because the primary server selected by URL
hashing was unavailable.
URL hash persist Number of requests that could not be fulfilled using URL
fail hashing.

show slb persist
TABLE 50 show slb persist fields (Continued)

Field Description
SRC IP persist Number of requests successfully sent to the same server as
ok previous requests from the same client, based on source-IP
persistence.
SRC IP persist Number of requests that could not be fulfilled by the same
fail server as previous requests from the same client, based on
source-IP persistence.
SRC IP hash These fields are used by A10 Networks technical support for
persist(pri) troubleshooting.
SRC IP hash
persist(sec)
SRC IP hash
persist fail
DST IP persist Number of requests that were sent to the same resource,
ok based on destination-IP persistence.
DST IP persist Number of requests that were sent to the same resource
fail based on destination-IP persistence.
DST IP hash These fields are used by A10 Networks technical support for
persist(pri) troubleshooting.
DST IP hash
persist(sec)
DST IP hash
persist fail
SSL SID persist Number of requests successfully sent to the same server as
ok previous requests that had the same SSL session ID, based
on SSL session-ID persistence.
SSL SID persist Number of requests that could not be fulfilled by the same
fail server as previous requests that had the same SSL session
ID, based on SSL session-ID persistence.
Cookie persist ok Number of requests successfully sent to the same server as
previous requests based on a persistence cookie.
Cookie persist Number of requests that could not be fulfilled by the same
fail server as previous requests based on a persistence cookie.
Persist cookie Number of requests in which a persistence cookie was not
not found found in the request header.
Enforce higher Number of times the enforce-higher-priority option overrode
priority server persistence and selected another server.

show slb rate-limit-logging
show slb rate-limit-logging

Description Show log rate-limiting statistics.
Syntax show slb rate-limit-logging [detail]
Option Description
Mode All
Example The following command shows log rate-limiting statistics:

ACOS#show slb rate-limit-logging
Total
------------------------------------------------------------------
Total log times 51
Total log messages 26
Local log messages 190
Remote log messages 1959
Local rate (per sec) 32
Remote rate (per sec) 453
Log message too big 0
No route 0
Buffer alloc fail 0
Buffer send fail 0
Log-session alloc 15
Log-session free 15
Log-session alloc fail 0
No repeat message 4
TABLE 51 show slb rate-limit-logging fields

Field Description
Total log times Total number of times log rate limiting has been used.
Total log Total number of log messages generated by the ACOS
messages device.
Note: The ACOS device combines repeated messages into a
single message. For this reason, the Total log times count
will differ from the Total log messages count.
Local log Total number of log messages in the ACOS device’s log buf-
messages fer. These messages can be displayed using the show log
command.
Remote log Total number of log messages the ACOS device has sent to
messages external log servers.
Local rate Number of messages sent to the ACOS device’s log buffer
(per sec) during the most recent one-second interval.

show slb server
TABLE 51 show slb rate-limit-logging fields (Continued)

Field Description
Remote rate Number of messages sent to external log servers during the
(per sec) most recent one-second interval.
Log message too Number of log messages dropped by the ACOS device
big because they were too long.
No route Number of log messages dropped by the ACOS device
because the device did not have a route to the log server.
Buffer alloc fail Number of times the ACOS device was unable to allocate a
buffer for sending a log message to an external log server.
Buffer send fail Number of times the ACOS device was unable to send a log
message that had been placed in the buffer for sending to an
external log server.
Log-session Number of times the ACOS device allocated a log session
alloc for repeated log messages.
Log-session free Number of times the ACOS device freed a log session that
was allocated for repeated log messages.
Log-session Number of times the ACOS device was unable to allocate a
alloc fail log session for repeated log messages.
No repeat Number of times there was no repeated message for a log
message session allocated for repeated messages.
show slb server

Description Show information about real servers.
Syntax show slb server

[[server-name [port-num] detail]
bindings |
config |
connection-reuse]
[auto-nat-stats]
Option Description
server-name
[[port-num]
detail] Shows information only for the specified server
or port. If you omit this option, information is
shown for all real servers and ports.
The detail option shows statistics for the speci-
fied server or port. This option also displays the
name of the server or port template bound to the
server or port.

show slb server
bindings Shows the bindings for real server ports.

config Shows the SLB configuration of the real servers.
connection-
reuse Shows connection-reuse state information and
statistics for the real servers.
auto-nat-stats Shows statistics for Smart NAT.
Mode All
Usage To display server information for a specific Role-Based Administration

(RBA) partition only, use the partition name option.
Example The following command shows SLB statistics for real server “http1”. This
server is in a service group that is bound to an HTTP virtual port:
AX#show slb server http1
Total Number of Services configured on Server http1: 1
Service: http1:80/tcp (Status: Up)
Forward packets: 0 Reverse packets: 0
Forward bytes: 0 Reverse bytes: 0
Current connections: 0 Persistent connections: 0
Current requests: 0 Total requests: 0
Total connections: 0 Total requests succ: 0
Response time: 0 tick
Peak connections: 0
Health-check:
--------------------------------------------------------
Up reason: HTTP Status Code OK
Monitor name: http
Method: HTTP
Attribute: port=80
url="GET /"
Wait for HTTP response:False
L4 conn made: 938
L4 errors: 0
Health-check average RTT (us):15930
Health-check current RTT (us):15958
Health-check average TCP RTT (us):7895
Health-check current TCP RTT (us):7933
HTTP requests sent: 938
HTTP errors: 0
Received OK: 938

show slb server
Received error: 0
Response timeout: 0
Table 52 describes fields in the output for the show slb server command.
The output from this command includes statistics for health check fields.
Keep in mind that these health check fields only appear in the output for
HTTP traffic. The counters begin when the health check is configured and
increment until the statistics are cleared or the health check is deleted.
TABLE 52 show slb server fields

Field Description
Total Number of Services Total number of services configured on the A10 Thunder Series and AX Series
configured device (if a server name is not specified) or on the specified server.
Service Real server name, service protocol port, and transport protocol (TCP or UDP),
and Status (Up/Down/Disabled)
Forward packets Number of request packets received for the service.
Reverse packets Number of response packets sent on behalf of the real server.
Forward bytes Number of request bytes received for the service.
Reverse bytes Number of response bytes sent on behalf of the real server.
Current Current number of connections to the service.
Persistent connections Number of persistent connections to the service.
Current requests Current number of requests to the service.
Total requests Total number of requests to the service.
Total connections Total number of connections to the service.
Total requests succ Total number of requests to the service successfully received.
Response time Server response time.
tick Please call A10 Support for details.
Peak-conn Peak connection rate.
Note: Peak connection statistics are collected only if the extended-stats option is
enabled. To enable extended-stats, see the following:
• “extended-stats” on page 153 (global)
• “extended-stats” on page 704 (individual server)
Health check fields (HTTP traffic only)
Up / Down Reason the ACOS device marked the port up or down.
reason
Monitor name Name of the health monitor used to perform the health check.
Method Health method in the monitor used for the health check.
Attribute The destination TCP port of the health check, and the HTTP request sent to the
port.
Wait for HTTP response Indicates whether the ACOS device is still waiting for a response to the HTTP
request.
L4 conn made Total number of Layer 4 connections made to the destination TCP port for health
checking.

show slb server
TABLE 52 show slb server fields (Continued)

Field Description
L4 errors Total number of Layer 4 errors that occurred during health checking.
Health-check average RTT The average length of time it took for each health check. The time is expressed in
microseconds (us).
This counter includes the entire health-check process.
Health-check current RTT The length of time it took to perform the most recent health check.
Health-check average TCP The average length of time it took to complete the 3-way handshake with the
RTT server port.
Health-check current TCP The length of time it took to complete the 3-way handshake in the most recent
RTT health check.
HTTP requests sent Total number of HTTP requests sent to the server as part of health checks.
HTTP errors Total number of HTTP errors that occurred during health checking.
Received OK Number of times the payload of a Layer 4 health check reply was successfully
read by the ACOS device.
Received error Number of times a a read failure occurred in the a10hm module.
Response Number of times a health check to the port timed out.
timeout
Note: The same health check fields appear in the output for the show slb ser-
vice-group group-name and similarly only apply to HTTP traffic.
Example The following command shows details for a real server:

AX#show slb server dang0 detail
Server name: dang0
Server IP address: 192.168.120.21
Server gateway ARP: 0000:0000:0000
State: Down
Server template: default
Health check: default
Current connection: 0
Current request: 0
Total connection: 0
Total request: 0
Total request success: 0
Total forward bytes: 0
Total forward packets: 0
Total reverse bytes: 0
Total reverse packets: 0
Peak connection: 0

show slb server
TABLE 53 show slb server <server-name> detail fields

Field Description
Server name Name of the server.
Server IP address IP address of the server.
Server gateway Server ARP value (if directly connected) or nexthop ARP
ARP value (if connected through a gateway).
State Current state of the service:
• Up
• Down
• Disabled
Server template Name of the real server template bound to the server.
Health check Name of the health monitor used to check the health of the
real port.
Current Current number of connections to the port.
connection
Current request Current number of HTTP requests being processed by
the port.
Note: In this field and the Total request and Total request
success fields, Layer 7 requests are counted only if Layer 7
request accounting is enabled. See “slb enable-l7-req-acct”
on page 555.
Total Total number of connections that have been made to the port.
connection
Total request Total number of HTTP requests processed by the port.
Total request Total number of HTTP requests that were successful.
success
Total forward Number of request bytes forwarded to the port.
bytes
Total forward Number of request packets forwarded to the port.
packets
Total reverse Number of request bytes received from the port.
bytes
Total reverse Number of request packets received from the port.
packets
Peak connection Peak connection count.
Note: Peak connection statistics are collected only if the
extended-stats option is enabled. To enable extended-stats,
see the following:

show slb server
Example The following command shows details for a real port on a server:
ACOS(config)#show slb server dang1 80 detail
Server name: dang1
Port: 1.1.1.1:80
State: Up
Port template: default
Health check: default
Current request: 42
Total connection: 10011
Total request: 20090
Peak connection: 24411
TABLE 54 show slb server <server-name> <portnum> detail fields

Field Description
Server name Name of the server.
Server IP address IP address of the server.
Server gateway Server ARP value (if directly connected) or nexthop ARP
ARP value (if connected through a gateway).
Port Real port number.
• Up
• Down
• Disabled
Port template Name of the real port template bound to the port.
Health check Name of the health monitor used to check the health of the
real port.
Current Current number of connections to the port.
connection
the port.
on page 555.
Total Total number of connections that have been made to the port.
connection
Total request Total number of HTTP requests processed by the port.

show slb server
TABLE 54 show slb server <server-name> <portnum> detail fields

Field Description
success
Total forward Number of request bytes forwarded to the port.
bytes
Total forward Number of request packets forwarded to the port.
packets
Total reverse Number of request bytes received from the port.
bytes
Total reverse Number of request packets received from the port.
packets
see the following:
The following command displays detailed information for a dynamic host-

name server. The configuration details are shown first, followed by details
for the dynamically created servers.
AX#show slb server s-test1 detail
Server name: s-test1
Hostname: s1.test.com
Last DNS reply: Tue Nov 17 03:41:59 2009
State: Up
Server template: temp-server
DNS query interval: 5
Minimum TTL ratio: 3
Maximum dynamic server: 16
Health check: none
Current request: 0
Total request: 1919
Total forwarded byte: 546650
Total forwarded packet: 5715
Total received byte: 919730
Total received packet: 5631

show slb server
Dynamic server name: DRS-10.4.2.5-s1.test.com

Last DNS reply: Tue Nov 17 03:41:59 2009
TTL: 4500
State: Up
Server template: test
DNS query interval: 5
Minimum TTL ratio: 15
Maximum dynamic server: 1023
Health check: none
Current request: 0
Total request: 1919
Example The following command shows SLB configuration information for real
servers:
ACOS#show slb server config
Total Number of Services configured: 30
H-check = Health check Max conn = Max. Connection Wgt = Weight
Service Address H-check Status Max conn Wgt
------------------------------------------------------------------------------
1_yahoo_finance:80/tcp 69.147.86.163 None Enable 1000000 1
1_yahoo_finance 69.147.86.163 None Enable 1000000 1
1_cybozu:80/tcp 202.218.147.129 None Enable 1000000 1

1_cybozu 202.218.147.129 None Enable 1000000 1
win20:25/tcp 172.22.66.20 Default Enable 1000000 1

win20 172.22.66.20 ping Disable 1000000 1
win21:25/tcp 172.22.66.21 Default Enable 1000000 1

--MORE--

show slb server
TABLE 55 show slb server config fields

Field Description
Total Number of Total number of SLB services configured on the A10 Thun-
Services config- der Series and AX Series device.
ured
Service Real server name, service protocol port, and transport proto-
col (TCP or UDP).
Address Real IP address of the server.
H-check Health check enabled for the service:
• None – No health check has been applied to the service.
• Default – The default health monitor for the service type
was automatically applied to the service by the A10 Thun-
der Series and AX Series device.
• Name of a configured health monitor (for example,
“ping”) – The named health monitor was applied to the
service by an AX administrator.
Status Current administrative status of the service:
• Enable
• Disable
Max conn Maximum number of connections allowed to the service.
Wgt Administrative weight assigned to the service.
Example The following command shows connection-reuse state information and sta-
tistics for real servers:
ACOS#show slb server connection-reuse
Service State Persistent-Conn
----------------------------------------------------
1_yahoo_finance:80/tcp Up 0
1_cybozu:80/tcp Up 0
win20:25/tcp Down 0
win21:25/tcp Up 0
win21:110/tcp Up 0
win21:80/tcp Up 0
win21:443/tcp Down 0
linux22:25/tcp Disb 0
linux22:80/tcp Up 0
linux22:53/udp Disb 0

show slb server
TABLE 56 show slb server connection-reuse fields

Field Description
Total Number of Total number of SLB services configured on the A10 Thun-
Services config- der Series and AX Series device.
ured
Service Real server name, service protocol port, and transport proto-
col (TCP or UDP).
• Up
• Down
• Disabled
Persistent-Conn Number of connections sent to the server by the persistence
feature.
Example The following command shows Smart NAT statistics:

ACOS(config-slb vserver-vport)#show slb server auto-nat-stats
Service HA/VR ID Nat Address Port Usage Total Used Total Freed Failed
---------------------------------------------------------------------------------------
s1:80/tcp 0 160.160.160.1 5 1513 1508 0
s1:21/tcp 0 160.160.160.1 0 0 0 0
In this example, both virtual ports are using Smart NAT. The Nat Address,
Port Usage, Total Used, Total Freed, and Failed columns show the same
information shown in show ip nat pool statistics output. (See the CLI Ref-
erence.)
The Service column lists the server, protocol port, and Layer 4 protocol.
The HA/VR ID column lists the HA group ID or VRRP-A VRID, if applica-
ble. In this example, the ACOS device is deployed as a standalone device,
so “0” is shown in this column. Table 57 describes the fields in the com-
mand output.
TABLE 57 show slb server auto-nat-stats fields

Field Description
Service Real server name and port number, and the Layer 4 protocol
(TCP or UDP).
HA/VR ID The HA group ID or VRRP-A VRID, if applicable.
NAT Address The IP address used for the NAT mapping.
Port Usage Number of mappings currently in use by sessions.

show slb server
TABLE 57 show slb server auto-nat-stats fields (Continued)

Field Description
Total Used Total number of sessions that have been NATted for the
source address.
Total Freed Total number of NATted sessions that have been terminated,
thus freeing up a port for another session.
Failed Number of times a mapping attempt failed. Generally, this
type of error occurs if the system does not have any
resources for new mappings.
Example The following command shows a list of server bindings:

show slb server bindings
AX#show slb server bindings
Total Number of Servers configured: 24
Service Port Address State
----------------------------------------------------------------------------
rs1 8080 20.20.20.20
+sg-8080 All Up
+=>vip2 10.10.10.200:8080
+linux:8080 Functional Up
+=>ITA-VIP-01 192.168.19.120:8080
This example shows server bindings for server “rs1”.
The service groups are indicated by “+”. In this example, the server is a
member of the following service groups:
• sg-8080
• linux:8080
The VIP bindings are indicated by “+=>”. In this example, “rs1” has the fol-
lowing bindings:
• Bound to “vip2” through service group “sg-8080”
• Bound to “ITA-VIP-01” through service group “linux:8080”
The state of each service group is shown. In this example, service group
“sg-8080” is All Up. This indicates all service ports on all real servers in the
service group are up. Service group “linux:8080” is Functionally Up. The
service is up on at least one real server in the service group, but not on all
the servers in the group.

show slb service-group

Description Show SLB service-group information.
Syntax show slb service-group [group-name] [brief] [con-

fig] [all-partitions | partition name]
Option Description
group-name Shows information only for the specified service
group. If you omit this option, information is
shown for all service groups configured on the
A10 Thunder Series and AX Series device.
brief Shows a summary view of the configured service
groups and their operational status. If you specify
a service-group name, summary information is
displayed for only that group. Otherwise, sum-
mary information for all groups is displayed.
config Shows the SLB configuration of the service
groups.
Mode All
Usage To display service-group information for a specific Role-Based Administra-

tion (RBA) partition only, use the partition name option.
Example The following command shows statistics for SLB service groups:
ACOS#show slb service-group
Current = Current Connections, Total = Total Connections
Fwd-p = Forward packets, Rev-p = Reverse packets
Peak-c = Peak connections
Service Group Name
Service Current Total Fwd-p Rev-p Peak-c
------------------------------------------------------------------------------
*sg-80-1 State: Down
rs-http:80 0 0 0 0 0
*sg-80-2 State: All Up
rs-http-2:80 1 1 1 4 5

TABLE 58 show slb service-group fields

Field Description
Total Number of Total number of SLB service groups configured on the A10
Service Groups Thunder Series and AX Series device.
configured
Service Group Name of the service group.
Name
State Indicates the state of the service group:
• All Up – All service ports on all real servers in the service
group are up.
• Functional Up – Each service port number is up on at least
one real server in the service group.
• Partially Up – Some service ports are up but others are
down.
• Down – Either all the service ports are down, or some but
not all of them are Disabled.
• Disabled – All the service ports are disabled.
Total Total number of connections to the service.
Fwd-p Total number of request packets received by the A10 Thun-
der Series and AX Series device for the service.
Rev-p Total number of server response packets sent to clients by
the ACOS device on behalf of real servers.
Peak-c Peak connection count.
see the following:
• “extended-stats” on page 717 (individual service group)
Example The following command shows configuration information and statistics for
SLB service group “louis”:
AX#show slb service-group louis
Service group name: louis State: Disb
Service selection fail drop: 2
Service selection fail reset: 1
Service peak connection: 0
Priority affinity: 10
Service: s-4-2-1:80 DOWN
Request packets: 6 Response packets: 0
Request bytes: 360 Response bytes: 0


Total connections: 3 Response time: 0.00 msec
Total requests succ: 0
Peak conn: 0
Service: s-2-2-1:80 DOWN
Forward packets: 12 Reverse packets: 9
Forward bytes: 951 Reverse bytes: 396
Total connections: 3 Response time: 0.00 msec
Total requests succ: 0
Peak conn: 0
Note: A separate set of health check fields appears in the show slb service-
group command output for HTTP traffic. For details on these fields, see
Table 52 on page 1024.
TABLE 59 show slb service-group <group-name> fields

Field Description
Service group Name of the service group.
name
State Indicates the state of the service group:
• All Up – All service ports on all real servers in the service
group are up.
• Functional Up – Each service port number is up on at least
one real server in the service group.
• Partially Up – Some service ports are up but others are
down.
• Down – Either all the service ports are down, or some but
not all of them are Disabled.
• Disabled – All the service ports are disabled.
Service Number of server selection failures for which the ACOS
selection fail device dropped the client request.
drop
Service Number of server selection failures for which the ACOS
selection fail device sent a RST to the client.
reset
Service peak Please contact A10 Networks for information.
connection

TABLE 59 show slb service-group <group-name> fields (Continued)

Field Description
Priority affinity Number associated with the currently active priority level.
By default, the primary service-group members with the
highest priority are active and appear in the output. However,
if failover occurs, then the priority of the lower-priority sec-
ondary members appears in the output.
Service Service bound to the service group. Also indicates the state
of the service.
Forward packets Total number of request packets received by the A10 Thun-
der Series and AX Series device for the service.
Reverse Total number of server response packets sent to clients by
packets the A10 Thunder Series and AX Series device on behalf of
real servers.
Forward bytes Total number of request bytes received by the A10 Thunder
Series and AX Series device for the service.
Reverse bytes Total number of server response bytes sent to clients by the
A10 Thunder Series and AX Series device on behalf of real
servers.
connections
Persistent Number of connections established on the server due to an
connections SLB persistence feature.
Current Current number of HTTP requests being processed by
requests the server.
Note: In this field and the Total Requests and Total requests
on page 555.
Total Total number of HTTP requests processed by the server.
requests
Total Total number of connections to the service.
connections
Response time Server response time.
Total Total number of HTTP requests that were successful.
requests succ
Peak conn Peak connection count.
see the following:
• “extended-stats” on page 717 (individual service group)

Example The following command shows configuration information for SLB service
groups:
ACOS#show slb service-group config
slb service-group sg1 tcp
member s1:80
!
member s2:80
member s1:80
!
member s3:80
!
Example The following command displays a brief, summarized display of service-

group information for all service groups:
AX#show slb service-group brief
Total Number of Service Groups configured: 2
slb service-group rontest tcp
Service group name: rontest
Type: tcp Distribution: Round Robin
Health Check: None
Servers Up = 0
Servers Down = 1
Servers Disabled = 0
Total Servers in Group = 1
slb service-group udptest udp
Service group name: udptest
Type: udp Distribution: Round Robin
Health Check: None
Servers Up = 0
Servers Down = 1
Servers Disabled = 0
Total Servers in Group = 1
In this example, 2 service groups are configured. Each service group has 1 server. In each of the groups, the
server is down.

show slb sip
show slb sip

Description Display SIP SLB statistics.
Syntax show slb sip [detail]

[device DeviceID]
Option Description
device
ter.
Mode All
Example The following command shows SIP SLB statistics:

ACOS#show slb sip
Total
------------------------------------------------------------------
Curr Proxy Conns 0
Total Proxy Conns 115
Client message 125
Client message (fail) 0
Server message 12
Server message (fail) 0
Client request 119
Client request (succ) 12
Client RST 0
Server RST 113
Parse message fail 0
Server conn made 115

show slb smpp
TABLE 60 show slb sip fields

Field Description
Curr Proxy Current number of SIP connections between the ACOS
Conns device and SIP servers.
Total Proxy Total number of SIP connections between the ACOS device
Conns and SIP servers.
Client message Total number of SIP messages received from clients.
Client message Number of SIP messages received from clients that were not
(fail) forwarded to servers.
Server message Total number of SIP messages received from servers.
Server message Number of SIP messages received from servers that were not
(fail) forwarded to clients.
Client request Total number of SIP requests received from clients.
Client request Number of SIP requests received from clients that were suc-
(succ) cessful.
Parse message Number of times the SIP parser failed to parse a received SIP
fail request.
fail
made
failure
show slb smpp

Description Display Short Message Peer-to-Peer (SMPP) protocol SLB statistics.
Syntax show slb smpp [detail]
Option Description
Mode All

show slb smpp
Example The following command shows SMPP SLB statistics.

AX2500(config)#show slb smpp
Total
------------------------------------------------------------------
Curr SMPP Proxy 0
Total SMPP Proxy 0
Client message rcvd 0
Sent to server 0
Incomplete 0
AX responds directly 0
Drop 0
Connecting server 0
Failed 0
Server message rcvd 0
Sent to client 0
Incomplete 0
Drop 0
Failed 0
Server conn created 0
Created successfully 0
Failed 0
Client conn selection 0
Select by request 0
Select by roundbin 0
Select by conn 0
Select failed 0
Server conn selection 0
Select by request 0
Select by roundbin 0
Select by conn 0
Select failed 0
TABLE 61 show slb smpp fields

Field Description
SMPP msg Total amount of memory currently in use for SMPP connec-
mem allocated tions.
SMPP msg Total amount of memory cached for SMPP connections.
mem cached
SMPP msg Total amount of memory freed after an SMPP connection has
mem freed closed.
SMPP msg Total amount of memory allocated for the SMPP packet pay-
payload load.
allocated
SMPP msg Total amount of memory freed from the SMPP packet pay-
payload freed load.

show slb smpp

Field Description
Curr SMPP Number of currently active connections using the SMPP
Proxy proxy.
Total SMPP Total number of connections that have used the SMPP proxy.
Proxy
Client message Total number of SMPP messages received from clients.
rcvd • Sent to server – Number of SMPP messages received by
the client and forwarded to the server.
• Incomplete – Number of packets which contain incom-
plete messages.
• AX responds directly – Number of times the ACOS
device responded directly to a client’s request.
• Drop – Number of packets dropped due to the configured
SMP resource limit.
• Connecting server – Number of times the ACOS device
forwarded a client’s request to the SMPP server.
• Failed – The following counters display the number of
failed connections, listed by the cause:
• Failed to parse
• Failed to process
• Failed to SNAT
• Exceeded buff
• Failed to send
• Server conn start failed
Server message Total number of SMPP messages received from servers.
rcvd • Sent to client – Number of SMPP messages received by
the server and forwarded to the client.
• Incomplete – Number of packets which contain incom-
plete messages.
• Drop – Number of packets dropped due to the configured
SMP resource limit.
• Failed – Number of SMPP messages received by the
server that were not forwarded to the client. The following
counters display the number of failed connections, listed
by cause:
• Failed to parse
• Failed to process
• Failed to sel client conn
• Failed to SNAT
• Exceeded buff
• Failed to send

show slb smpp

Field Description
Server conn • Created successfully – Number of server connections cre-
created ated successfully.
• Failed – Number of failed server connection attempts,
listed by cause:
• Failed to SNAT
• Failed to construct
• Failed to reserve
• Failed to start
• Server conn already exists
• Failed to insert
Message parsing Number of SMPP messages that the ACOS failed to parse.
failed The following sub-counters describe the cause:
• The packet size too small – Number of SMPP messages
that were not parsed because the message size was less
than 4 bytes.
• Invalid sequence number – SMPP messages are incre-
mented by +1. This counter indicates the total number of
SMPP messages that were not parsed because of an incor-
rect sequence number.
Message Number of times the ACOS could not process the SMPP
processing failed message. The following sub-counters describe the cause:
• No vport – There was no virtual port that matched the des-
tination of the SMPP message.
• Failed to select server – Server selection failure to forward
the SMPP request.
Client conn The following counters apply to SMPP client selection:
selection • Select by request – Number of client connections, selected
by the type of request message.
• Select by roundbin – Number of client connection selected
by the Round Robin algorithm.
• Select by conn – Number of client connections, selected
by the connection type.
• Select failed – Number of times the ACOS failed to select
a client for the SMPP connection.
Server conn The following counters apply to SMPP server selection:
selection • Select by request – Number of server connections,
selected by the type of request message.
• Select by roundbin – Number of server connection
selected by the Round Robin algorithm.
• Select by conn – Number of server connections, selected
by the connection type.
• Select failed – Number of times the ACOS failed to select
a server for the SMPP connection.

show slb smpp

Field Description
Bind client and Number of times the ACOS successfully forwarded the ini-
server tial BIND message from a client an SMPP server.
Unbind client Number of times the ACOS disconnected the client to an
and server SMPP server.
Receive Total number of ENQUIRE_LINK messages that the ACOS
enquire_link received from the SMPP client or server.
Receive Total number of ENQUIRE_LINK_RESP messages that the
enquire_link_res ACOS received from the SMPP client or server.
p
Send Total number of ENQUIRE_LINK messages that the ACOS
enquire_link device has sent.
Send Total number of ENQUIRE_LINK_RES messages that the
enquire_link_res ACOS device has sent.
p
Put client conn in Please contact A10 Networks for information.
list
Get client conn
from list
Put server conn
in list
Get server conn
from list
Fail to bind Total number of times the ACOS device received a BIND
server message and failed to connect the client to an SMPP server.
Single message Total number of single messages that were sent to the ACOS
and did not require a response.
Transfer msg Number of SMPP messages that the ACOS transferred from
from L4 to L7 a Layer 4 CPU to a Layer 7 CPU.
CPU
Fetch msg from Number of SMPP messages that the ACOS transferred from
L7 CPU the Layer 7 CPU to a Layer 4 CPU.
from proxy to the proxy CPU to the connection CPU.
conn CPU
Fetch msg from Number of SMPP messages that the ACOS transferred from
conn CPU the connection CPU to the proxy CPU.
from L7 to L4 a Layer 7 CPU to a Layer 4 CPU.
CPU
from conn to the connection CPU to the proxy CPU.
proxy CPU

show slb smtp

Field Description
Fail to dcmsg Please contact A10 Networks for information.
Conn is
deprecated
during dcmsg
Alloc mem failed Number of times a connection failed because the ACOS
device did not have access to sufficient memory resources.
Unexpected error Number of unexpected errors that are not categorized by the
other counters.
Identify L7 CPU Please contact A10 Networks for information.
failed
AX holds msg Number of messages that the ACOS device has received
from a client or server and has yet to forward.
Splited packet Number of times the ACOS split TCP packets which contain
multiple SMPP messages.
Message in Number of SMPP messages that the ACOS processed using
pipeline an HTTP pipeline.
show slb smtp

Description Shows SLB information for SMTP.
Syntax show slb smtp [detail]

[device DeviceID]
Option Description
device
ter.

show slb smtp
Mode All
Example The following command shows summary SMTP SLB statistics:

ACOS#show slb smtp
Total
------------------------------------------------------------------
Total proxy conns 0
SMTP requests 0
SMTP requests (success) 0
No proxy error 0
Client reset 0
Server reset 0
No tuple error 0
Parse request failure 0
Forward request failure 0
Forward REQ data failure 0
Request retransmit 0
Request pkt out-of-order 0
Server connection made 0
TABLE 62 show slb smtp fields

Field Description
Current proxy Number of currently active SMTP connections using the
conns ACOS device as an SMTP proxy.
Total proxy Total number of SMTP connections that have used the
conns ACOS device as an SMTP proxy.
SMTP requests Total number of SMTP requests received by the SMTP
proxy.
SMTP requests Number of SMTP requests received by the ACOS device
(success) that were successfully fulfilled (by connection to a real
server).
Client reset Number of times TCP connections with clients were reset.
Server reset Number of times TCP connections with servers were reset.
Parse request Number of times parsing of an SMTP request failed.
failure
failure

show slb smtp
TABLE 62 show slb smtp fields (Continued)

Field Description
Forward request Number of forward request failures.
failure
Forward REQ Number of forward request data failures.
data failure
Request Number of retransmitted requests.
retransmit
Request pkt Number of request packets received from clients out of
Server Number of times a request was forwarded to another server
reselection because the current server was failing.
Server Number of connections made with servers.
connection made
failure
Example The following command shows detailed SMTP SLB statistics for each data
processor (DP):
ACOS#show slb smtp detail
DP0 DP1 DP2 Total
------------------------------------------------------------------
Current proxy conns 0 0 0 0
Total proxy conns 0 0 0 0
SMTP requests 0 0 0 0
SMTP requests (success) 0 0 0 0
No proxy error 0 0 0 0
Client reset 0 0 0 0
Server reset 0 0 0 0
No tuple error 0 0 0 0
Parse request failure 0 0 0 0
Server selection failure 0 0 0 0
Forward request failure 0 0 0 0
Forward REQ data failure 0 0 0 0
Request retransmit 0 0 0 0
Request pkt out-of-order 0 0 0 0
Server reselection 0 0 0 0
Server premature close 0 0 0 0
Server connection made 0 0 0 0
Source NAT failure 0 0 0 0

show slb ssl
show slb ssl

Description Show SLB information for SSL.
Syntax show slb ssl

{cert [cert-name [detail]] | crl | stats}
Option Description
cert Shows information about the certificates on the
ACOS device. To display information for a spe-
cific certificate, use the cert-name option. To dis-
play additional details about the certificate, also
use the detail option.
crl Shows information about the Certificate Revoca-
tion Lists (CRLs) imported onto the ACOS
device.
stats Shows SSL SLB statistics.
Note: The stats option includes all partitions. The partition options are not sup-
ported with the stats option.
Mode All
Usage To display SSL information for a specific Role-Based Administration

Example The following command shows SSL certificate information:

ACOS#show slb ssl cert
name: dang
type: certificate/key
Common Name:Dan G
Organization:Techpubs
Expiration: Jul 28 03:23:17 2008 GMT
Issuer: Self
key size: 512
Example The following command shows SSL SLB statistics:

ACOS#show slb ssl stats
Number of SSL modules: 1
SSL module 1
number of enabled crypto engines: 8
number of available crypto engines: 8
number of requests handled: 98

show slb ssl
Current SSL connections: 0

Total SSL connections: 0
Failed SSL handshakes: 0
Failed crypto operations: 0
SSL memory usage: 18980 bytes
SSL fail CA verification 0
HW Context Memory alloc failed 0
HW ring full 0
Record too big 0
TABLE 63 show slb ssl stats fields

Field Description
Number of SSL Total number of SSL processing modules on the device.
modules
SSL module n ID number of the SSL module to which the following statis-
tics apply.
number of Number of SSL encryption/decryption processing
enabled crypto engines that are enabled.
engines
number of Number of SSL encryption/decryption processing
available crypto engines that are available on the device.
engines
number of Number of SSL requests handled by the SSL process-
requests handled ing engine.
Current SSL Number of currently active SSL sessions.
connections
Total SSL con- Total number of SSL sessions since the last time statis-
nections tics were cleared.
Failed SSL hand- Number of SSL sessions in which the SSL security hand-
shakes shake failed.
Failed crypto Number of times an encryption/decryption failure occurred
operations for an SSL record.
SSL memory Amount of memory in use by the SSL processing module.
usage
SSL fail CA ver- Number of times an SSL session was terminated due to
ification a certificate verification failure.
HW Context Number of times the encryption processor was unable to
Memory alloc allocate memory.
failed

show slb ssl
TABLE 63 show slb ssl stats fields (Continued)

Field Description
HW ring full Number of times the ACOS software was unable to enqueue
an SSL record to the SSL processor for encryption/decryp-
tion. (Number of times the processor reached its perfor-
mance limit.)
Record too big Number of times the ACOS device received an SSL record
that spanned across more than 64 packets.
Example The following command displays summary information for a certificate

named “IIS-SSL”:
AX#show slb ssl cert IIS-SSL
Certificate:
Data:
Version: 4 (0x3)
Serial Number:
d7:c1:47:4e:06:f5:9a:9a
Signature Algorithm: md5WithRSAEncryption
Issuer: CN=iis, O=A10networks, OU=QA, L=SJ, ST=CA, C=US/emailAd-
dress=iisuser@a10networks.com
Validity
Not Before: Apr 6 14:10:46 2009 GMT
Not After : Apr 6 14:10:46 2011 GMT
Subject: CN=iis, O=A10networks, OU=QA, L=SJ, ST=CA, C=US/emailAd-
key size: 1024
Example The following command displays detailed information for the certificate:
AX#show slb ssl cert IIS-SSL detail
Certificate:
Data:
Version: 4 (0x3)
Serial Number:
d7:c1:47:4e:06:f5:9a:9a
Issuer: CN=iis, O=A10networks, OU=QA, L=SJ, ST=CA, C=US/emailAd-
Validity
Not Before: Apr 6 14:10:46 2009 GMT
Not After : Apr 6 14:10:46 2011 GMT
Subject: CN=iis, O=A10networks, OU=QA, L=SJ, ST=CA, C=US/emailAd-
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:9d:f3:db:37:c9:c5:f6:69:47:e3:7d:73:32:2e:

show slb ssl-expire-check
f6:a7:83:4e:d4:8c:1b:51:9e:d8:77:01:76:c6:f1:
99:a6:20:49:86:65:b7:48:c0:e2:0c:d4:9b:fa:76:
0c:e2:18:c7:a4:21:8c:5d:50:45:fe:77:b1:58:43:
42:38:ff:7b:bc:82:73:af:e7:be:a3:e6:73:f1:00:
cb:4b:ec:9e:4a:8c:78:59:a0:0b:94:6b:5a:70:32:
95:c9:22:ab:ce:93:cc:3b:9f:d2:52:02:d2:c8:6d:
70:71:2e:d1:1a:15:a2:20:63:ee:66:d0:72:2c:d4:
44:d7:25:d9:71:5d:8d:6d:5d
Exponent: 65537 (0x10001)
6f:81:16:e5:e8:05:60:a0:92:94:14:0d:b9:34:cc:83:d7:ba:
da:a4:4d:be:e4:fc:0c:48:78:4f:d2:3e:0f:11:da:2c:e9:9e:
e7:1b:29:7b:64:e7:d7:99:32:b1:55:2a:2f:d7:57:87:a9:74:
c4:17:d1:9e:11:1e:e8:a3:9b:76:8b:fa:9c:66:34:1a:f3:37:
29:46:58:c9:84:c3:8b:07:c9:e7:ec:19:f8:5f:86:12:f2:31:
aa:c2:25:32:b0:03:b3:79:7f:07:61:d1:ad:81:1c:3d:de:c9:
88:10:7a:ff:09:e9:c6:62:b5:d6:a7:73:4e:93:31:4b:62:05:
5c:81
SHA1 Fingerprint=57:56:E4:DB:29:3B:F2:3E:1C:F5:44:8E:D5:31:7F:93:5A:74:6E:F3
-----BEGIN CERTIFICATE-----
MIICfjCCAeegAwIBAwIJANfBR04G9ZqaMA0GCSqGSIb3DQEBBAUAMIGAMQwwCgYD
VQQDEwNpaXMxFDASBgNVBAoTC0ExMG5ldHdvcmtzMQswCQYDVQQLEwJRQTELMAkG
A1UEBxMCU0oxCzAJBgNVBAgTAkNBMQswCQYDVQQGEwJVUzEmMCQGCSqGSIb3DQEJ
ARYXaWlzdXNlckBhMTBuZXR3b3Jrcy5jb20wHhcNMDkwNDA2MTQxMDQ2WhcNMTEw
NDA2MTQxMDQ2WjCBgDEMMAoGA1UEAxMDaWlzMRQwEgYDVQQKEwtBMTBuZXR3b3Jr
czELMAkGA1UECxMCUUExCzAJBgNVBAcTAlNKMQswCQYDVQQIEwJDQTELMAkGA1UE
BhMCVVMxJjAkBgkqhkiG9w0BCQEWF2lpc3VzZXJAYTEwbmV0d29ya3MuY29tMIGf
MA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCd89s3ycX2aUfjfXMyLvang07UjBtR
nth3AXbG8ZmmIEmGZbdIwOIM1Jv6dgziGMekIYxdUEX+d7FYQ0I4/3u8gnOv576j
5nPxAMtL7J5KjHhZoAuUa1pwMpXJIqvOk8w7n9JSAtLIbXBxLtEaFaIgY+5m0HIs
1ETXJdlxXY1tXQIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAG+BFuXoBWCgkpQUDbk0
zIPXutqkTb7k/AxIeE/SPg8R2izpnucbKXtk59eZMrFVKi/XV4epdMQX0Z4RHuij
m3aL+pxmNBrzNylGWMmEw4sHyefsGfhfhhLyMarCJTKwA7N5fwdh0a2BHD3eyYgQ
ev8J6cZitdanc06TMUtiBVyB
-----END CERTIFICATE-----
key size: 1024
show slb ssl-expire-check

Description Display information about email notification of expired certificates.
Syntax show slb ssl-expire-check
Mode All

show slb ssl-forward-proxy-cert
show slb ssl-forward-proxy-cert

Description Display hash entries for server certificates created by the ACOS device for
SSL Intercept.
Syntax show slb ssl-forward-proxy-cert name num

{ipaddr | all}
name Wildcard VIP name.
num Virtual port number to which clients send
requests (for example, 443).
ipaddr | all Displays entries for the certificate associated
with a specific server IP address or for all server
IP addresses.
Mode All
show slb switch

Description Show SLB switching statistics.
Syntax show slb switch

[detail | ethernet port-num [detail]]
Option Description
detail Shows detailed statistics.
ethernet port-
num Shows statistics only for the specified Ethernet
port.
Mode All
Example The following command shows summary SLB switching statistics:

ACOS#show slb switch
Total
------------------------------------------------------------------
L2 Forward 2793
L3 IP Forward 0
IPv4 No Route Drop 0
L3 IPv6 Forward 0

show slb switch
IPv6 No Route Drop 0

L4 Process 709223
Incorrect Len Drop 0
Prot Down Drop 289
Unknown Prot Drop 32136
TTL Exceeded Drop 0
Link Down Drop 0
SRC Port Suppresion 0
VLAN Flood 141022
IP Fragment Rcvd 0
ARP REQ Rcvd 80272
ARP RESP Rcvd 15939
Forward Kernel 91163
IP(TCP) Fragment Rcvd 0
IP Fragment Overlap 0
IP Frag Overload Drops 0
IP Fragment Reasm OKs 23
IP Fragment Reasm Fails 0
IP Fragment Timeout 0
Anomaly Land Attack Drop 0
Anomaly IP OPT Drops 0
Anomaly PingDeath Drop 0
Anomaly All Frag Drop 0
Anomaly TCP noFlag Drop 0
Anomaly SYN Frag Drop 0
Anomaly TCP SYNFIN Drop 0
Anomaly Any Drops 0
BPDUs Received 0
BPDUs Sent 0
ACL Denys 0
SYN rate exceeded Drop 0
Packet Error Drops 0
IPv6 Frag UDP 0
IPv6 Frag TCP 0
IPv6 Frag ICMP 0
IPv6 Frag Reasm OKs 0
IPv6 Frag Reasm Fails 0
IPv6 Frag Invalid Pkts 0
Bad Pkt Drop 0
IP Frag Exceed Drop 0
IPv4 No L3 VLAN FWD Drop 0
IPv6 No L3 VLAN FWD Drop 0
L2 Default Vlan FWD Drop 507865
BW Limit Drop 0
License Expire Drop 0
L2 Default Vlan FWD Drop 0
L4 Misc Er 0

show slb switch
TABLE 64 show slb switch fields

Field Description
L2 Forward Number of packets that have been Layer 2 switched.
L3 IP Forward Number of packets that have been Layer 3 routed.
IPv4 No Route Number of IPv4 packets that were dropped due to routing
Drop failures.
L3 IPv6 Forward Number of IPv6 packets that have been Layer 3 routed.
IPv6 No Route Number of IPv6 packets that were dropped due to routing
Drop failures.
L4 Process Number of packets that went to a VIP or NAT for processing.
Incorrect Len Number of packets dropped due to incorrect protocol length.
Drop Note: A high value for this counter can indicate a packet
length attack.
Prot Down Drop Number of packets dropped because the corresponding pro-
tocol was disabled.
Unknown Prot Number of packets dropped because the protocol was
Drop unknown.
TTL Exceeded Number of packets dropped due to TTL expiration.
Drop
Link Down Drop Number of packets dropped because the outgoing link was
down.
SRC Port Packet drops because of source port suppression.
Suppression
VLAN Flood Number of packets that have been broadcast to a VLAN.
IP Fragment Number of IPv4 fragments that have been received.
Rcvd
ARP REQ Rcvd Number of ARP requests that have been received.
ARP RESP Rcvd Number of ARP responses that have been received.
Forward Kernel Number of packets received by the kernel from data inter-
faces.
IP(TCP) Number of IP TCP fragments received.
Fragment Rcvd
IP Fragment Number of overlapping fragments received.
Overlap
IP Frag Overload Number of fragments dropped due to overload.
Drops
IP Fragment Number of successfully reassembled IP fragments.
Reasm OKs
IP Fragment Please contact A10 Networks for information.
Timeout
IP Fragment Number of IP fragment reassembly failures.
Reasm Fails

show slb switch
TABLE 64 show slb switch fields (Continued)

Field Description
Anomaly Land Number of SYN packets dropped because they were spoofed
Attack Drop (used the destination IP address as the source IP address).
Anomaly IP OPT Number of packets dropped because they had IP options set.
Drops
Anomaly Ping- Number of oversized (longer than 32 K) ICMP packets
Death Drop dropped.
An oversized ICMP packet can trigger Denial of Service
(DoS), crashing, freezing, or rebooting.
Anomaly All Number of IP fragments dropped.
Frag Drop
Anomaly TCP Number of TCP packets dropped because they had no flags
noFlag Drop set.
TCP packets are normally sent with at least one bit in the
flags field set.
Anomaly SYN Number TCP SYN fragments dropped that had the fragmen-
Frag Drop tation bit set.
A SYN fragment attack floods the target host with SYN
packet fragments. An unprotected host will store the frag-
ments, in order to reassemble them. By not completing the
connection, and flooding the server or host with such frag-
mented SYN packets, the attacker can cause the host’s mem-
ory buffer to fill up eventually.
Anomaly TCP Number of TCP packets dropped that had TCP SYN and
SYNFIN Drop FIN bits set.
An attacker can send a packet with both bits set to determine
what kind of system reply is returned, and then use the sys-
tem information for further attacks using known system vul-
nerabilities. Also, some older devices will let such packets
through even though there is an established ACL defined and
the state of the TCP connection is not considered to be estab-
lished.
Anomaly Any Total number of packets dropped by IP anomaly filtering.
Drops
BPDUs Number of Bridge Protocol Data Units (BPDUs) received.
Received
BPDUs Sent Number of Bridge Protocol Data Units (BPDUs) sent.
ACL Denys Number of times traffic was not forwarded due to a deny rule
in an Access Control List (ACL).
This counter also includes traffic dropped due to the l3-vlan-
fwd-disable action in ACL rules.
SYN rate Number of packets dropped because the TCP SYN threshold
exceeded Drop had been exceeded.
Packet Error Number of packets dropped due to a packet error.
Drops

show slb switch
TABLE 64 show slb switch fields (Continued)

Field Description
IPv6 Frag UDP Number of IPv6 UDP fragments received by the ACOS
device.
IPv6 Frag TCP Number of IPv6 TCP fragments received by the ACOS
device.
IPv6 Frag ICMP Number of IPv6 ICMP fragments received by the ACOS
device.
IPv6 Frag Reasm Number of successfully reassembled IPv6 fragments.
OKs
IPv6 Frag Reasm Number of IPv6 fragment reassembly failures.
Fails
IPv6 Frag Number of IPv6 fragments that were invalid.
Invalid Pkts
Bad Pkt Drop Number of bad packets dropped.
IP Frag Exceed Number of fragmented IP packets that were dropped because
Drop they exceeded the allowed maximum.
IPv4 No L3 Number of IP packets that were dropped by the l3-vlan-fwd-
VLAN FWD disable action in an IPv4 ACL.
Drop
IPv6 No L3 Number of IP packets that were dropped by the l3-vlan-fwd-
VLAN FWD disable action in an IPv6 ACL.
Drop
L2 Default Please contact A10 Networks for information.
VLAN FWD
Drop
BW Limit Drop Number of packets dropped because they exceeded the band-
width limit.
Note: This field applies only to the SoftAX.
License Expire Number of packets dropped due to an invalid license.
Drop Note: This field applies only to the SoftAX.
L2 Default Please contact A10 Networks for information.
VLAN FWD
Drop
L4 Misc Er Number of Layer 4 packets dropped due to miscellaneous
errors.
Example The following command shows detailed SLB switching statistics for Ether-
net port 1:
ACOS#show slb switch ethernet 1 detail
DP0 DP1 DP2 Total
------------------------------------------------------------------
L2 Forward 2115 227 453 2795
L3 IP Forward 0 0 0 0
IPv4 No Route Drop 0 0 0 0
...

show slb syn-cookie-buffer
show slb syn-cookie-buffer

Description Show SYN-cookie buffer statistics.
Syntax show slb syn-cookie-buffer
Mode All
Example The following command shows SYN-cookie buffer information:

ACOS#show slb syn-cookie-buffer
Maximum SYN cookie buffer size : 10
Total SYN cookie buffer queued : 0
Total SYN cookie buffer drop : 0
show slb tcp stack

Description Show statistics for TCP SLB.
Syntax show slb tcp stack [detail]

[device DeviceID]
Option Description
device
ter.
Mode All
Example The following command shows summary TCP stack statistics:

ACOS#show slb tcp stack
Total
------------------------------------------------------------------

show slb tcp stack
Connect attemp failures 0

Retransmited packets 359
Reset Sent 4303
TABLE 65 show slb tcp stack fields

Field Description
Currently EST Current number of established TCP connections being han-
conns dled by the proxy.
Active open Number of active connections open.
conns
Passive open Number of passive connections open.
conns
Connect attemp Number of TCP connection attempts that failed.
failures
Total in TCP Total number of TCP packets received by the TCP proxy.
packets
Total out TCP Total number of TCP packets sent by the TCP proxy.
packets
Retransmitted Number of TCP packets retransmitted by the TCP proxy.
packets
Resets rcvd on Number of TCP Resets received for established connections.
EST conn
Reset Sent Number of TCP Resets sent by the A10 Thunder Series and
AX Series device.
Example The following command shows detailed TCP stack statistics for each data
processor (DP):
ACOS#show slb tcp stack detail
DP0 DP1 DP2 Total
------------------------------------------------------------------
Currently EST conns 0 14 13 27
Active open conns 0 3479 3490 6969
Passive open conns 0 3955 3984 7939
Connect attemp failures 0 0 0 0
Total in TCP packets 0 269216 409613 678829
Total out TCP packets 0 272092 440907 712999
Retransmited packets 0 204 155 359
Resets rcvd on EST conn 0 2657 2712 5369
Reset Sent 0 2138 2165 4303
Input errors 0 0 0 0
Sockets allocated 0 14 15 29
Orphan sockets 0 0 0 0

show slb tcp stack
Memory alloc 0 0 0 0
Total rx buffer 0 0 8 8
Total tx buffer 0 0 0 0
TCP in SYN-SNT state 0 0 0 0
TCP in SYN-RCV state 0 0 0 0
TCP in FIN-W1 state 0 2 3 5
TCP FIN-W2 state 0 0 1 1
TCP TimeW state 0 0 0 0
TCP in Close state 0 3907 3929 7836
TCP in CloseW state 0 31 38 69
TCP in LastACK state 0 1 0 1
TCP in Listen state 0 0 0 0
TCP in Closing state 0 0 0 0
TABLE 66 show slb tcp stack detail fields

Field Description
Currently EST Current number of established TCP connections being han-
conns dled by the proxy.
Active open Number of connections opened actively.
conns
Passive open Number of connections opened passively.
conns
Connect attemp Number of TCP connection attempts that failed.
failures
Total in TCP Total number of TCP packets received by the TCP proxy.
packets
Total out TCP Total number of TCP packets sent by the TCP proxy.
packets
Retransmitted Number of TCP packets retransmitted by the TCP proxy.
packets
Resets rcvd on Number of TCP Resets received for established connections.
EST conn
Reset Sent Number of TCP Resets sent by the ACOS device.
Input errors Number of invalid TCP packets received by the ACOS
device.
Sockets allocated Number of TCP sockets currently allocated.
Orphan sockets Current number of orphan sockets.
Memory alloc Total memory allocated for TCP.
Total rx buffer Total RX buffers allocated for TCP.
Total tx buffer Total TX buffers occupied by TCP.
TCP in SYN- Current number of TCP connections in the SYN-SNT state.
SNT state
TCP in SYN- Current number of TCP connections in the SYN-RCV state.
RCV state

show slb template
TABLE 66 show slb tcp stack detail fields (Continued)

Field Description
TCP in FIN-W1 Current number of TCP connections in the Fin-Wait-1 state.
state
TCP FIN-W2 Current number of TCP connections in the Fin-Wait-2 state.
state
TCP TimeW Current number of TCP connections in the Time Wait state.
state
TCP in Close Current number of TCP connections in the Close state.
state
TCP in CloseW Current number of TCP connections in the Close-Wait state.
state
TCP in LastACK Current number of TCP connections in the Last-ACK state.
state
TCP in Listen Current number of TCP connections in the Listening state.
state
TCP in Closing Current number of TCP connections in the Closing state.
state
show slb template

Description Show configuration information for SLB templates. The template configu-
ration commands in the running-config are displayed.
Syntax show slb template [template-type [template-name]]

Mode All
Usage To display template information for a specific Role-Based Administration

Example The following command shows the template configuration commands in the
running-config on an A10 Thunder Series and AX Series device:
ACOS#show slb template
slb template udp udp-aging
aging immediate
slb template http X-Forwarded-For
insert-client-ip "X-Forwarded-For"
compression minimum-content-length 120
slb template http clientip-insert
insert-client-ip "x-Forwarded-For"
slb template http cookie-delete
header-erase "Cookie"
slb template http hostdelete
header-erase "Host"

show slb virtual-server
slb template http hostinsert

header-insert "Host: www.example.com"
slb template http http100
header-insert "Expect: 100-continue"
slb template http httpinsert
header-erase "Host"
header-insert "Host: www.example.com"
slb template tcp-proxy tcp-timeout
idle-timeout 180
slb template connection-reuse creuse
timeout 60
--MORE--

Description Show information for SLB virtual servers.
Syntax show slb virtual-server

[
virtual-server-name
[[virtual-port-num service-type
[service-group-name]]
detail |
host-hits-counter
{host-name | all} |
url-hits-counter |
{url-string | all}
]
[bind]
[config]
Option Description
virtual-server-
name Shows information only for the specified virtual
server.
The virtual-port-num service-type option shows
information only for the specified virtual port on
the virtual server.
The service-group-name option further restricts
the output, to show information only for the
specified service group.
The detail option displays connection and packet
statistics.

The host-hits-counter option displays rule-

matching statistics for host switching. Each time
traffic matches a host-matching rule in an HTTP
template, the applicable “hits” counter is incre-
mented.
The url-hits-counter option displays rule-
matching statistics for URL switching. Each time
traffic matches a URL-switching rule in an
HTTP template, the applicable “hits” counter is
incremented.
bind Includes the service groups and real servers and
ports bound to the virtual ports.
config Displays virtual-server configuration informa-
tion.
Mode All
Usage To display virtual-server information for a specific Role-Based Administra-

tion (RBA) partition only, use the partition name option.
Example The following command shows summary information for all virtual servers:
AX#show slb virtual-server
-------------------------------------------------------------------------------------------
*v-server(A) 3.1.1.99
port 80 http 0 3 14 10 611
abctcp 80/http 0 2 14 10 2112
port 53 udp 0 0 0 0 411
abcudp 53/udp 0 0 0 0 696969
...
TABLE 67 show slb virtual-server fields

Field Description
Total Number of Total number of virtual services (virtual server ports) config-
Virtual Services ured on the A10 Thunder Series and AX Series device.
configured

TABLE 67 show slb virtual-server fields (Continued)

Field Description
Virtual Server Name of the virtual server.
Name Underneath the virtual server name, each of the virtual ports
on the server is listed, followed by the service groups in
which the virtual server and the virtual port are members.
In the example above, virtual server “v-server” has two vir-
tual ports, HTTP port 80 and UDP port 53. HTTP port 80 is a
member of service group “abctcp”, and UDP port 53 is a
member of service group “abcudp”.
For each VIP, its HA state on the ACOS device is shown by
• (A) – VIP is in active state on this ACOS device.
• (S) – VIP is in standby state on this ACOS device.
The primary servers are listed under the virtual port. If alter-
nates are configured for a primary server, the alternates are
listed under the primary server. If an asterisk is shown at the
end of an alternate server name, the primary server is down
and the alternate server is active instead.
IP Virtual IP address of the virtual server.
Current Current number of connections to the virtual service port.
connection Note: Connection and packet counters are listed separately
for virtual ports and for service groups.
Total Total number of connections to the virtual service port.
connection
Request Number of request packets received for the virtual service.
packets
Response Number of server reply packets sent by the ACOS device for
packets the virtual service.
see the following:
• “extended-stats” on page 737 (individual virtual server)
• “extended-stats” on page 752 (individual virtual service
port)
Total received Total number of connection requests received for this port.
conn attempts on
this port
Service-Group Service group bound to the virtual service.
Service Virtual service port number and service type.

Example The following command shows status information for SLB virtual server
“v-server”:
ACOS(config)#show slb virtual-server v-server
Virtual server: v-server State: All Up IP: 3.1.1.99
Port Curr-conn Total-conn Rev-Pkt Fwd-Pkt Peak-conn
-------------------------------------------------------------------------------------
Virtual Port:80 / service:abctcp / state:All Up

port 80 http 0 3 10 14 1011
Source NAT Pool: pootest
Virtual Port:53 / service:abcudp / state:All Up

port 53 udp 0 0 0 0 811
Source NAT Pool: pootest
Total Traffic 0 3 10 14 1822
...
TABLE 68 show slb virtual-server <server-name> fields

Field Description
Virtual server Name of the virtual server.
State State information is shown separately for virtual servers and
for individual virtual ports.
Virtual server state:
• All Up – All virtual ports on the virtual server are Run-
ning.
• Functional Up – Some of the virtual ports are Running or
Functional Running, but at least one of them is not Run-
ning.
• Partial Up – At least one virtual port is Running or Func-
tional Running, but at least one other virtual port is Down.
• Down – All the virtual ports are Down.
• Disb – The virtual server has been administratively dis-
abled.
Virtual port state:
• All Up – All members (real servers and ports) in all ser-
vice groups bound to the virtual port are up.
• Functional Up – At least one member in a service group
bound to the virtual port is up, but not all members are up.
• Down – All members in all service groups bound to the
virtual port are down.
Disb – The virtual port has been administratively disabled.
IP Virtual IP address of the virtual server.
Port Virtual port number and service type.

TABLE 68 show slb virtual-server <server-name> fields (Continued)

Field Description
Curr-conn Current number of connections to the virtual service port.
Total-conn Total number of connections to the virtual service port.
Rev-Pkt Number of server reply packets sent by the ACOS device for
the virtual service.
Fwd-Pkt Number of request packets received for the virtual service.
Peak-conn Peak connection count.
see the following:
port)
Example The following command shows configuration information:

ACOS#show slb virtual-server config
Virtual server Name Address
------------------------------------------------
louis2 192.168.20.253
member0:louis 80/http
Source NAT Pool: p1 HTTP Template: clientip-insert
Reuse Template: cr Persist Cookie:cookie-persist
aFleX: bugzilla_proxy_fix
TABLE 69 show slb virtual-server config fields

Field Description
Total Number of Total number of virtual services (virtual server ports) config-
Virtual Services ured on the A10 Thunder Series and AX Series device.
configured
Name
Address Virtual IP address of the virtual server.
membern Real server bound to the virtual server. The number at the
end is assigned by the A10 Thunder Series and AX Series for
this show command output.
Under the member name, the NAT pools and SLB templates
bound to the virtual server are listed.

Example The following command shows details for a virtual server:

ACOS(config)#show slb virtual-server dang-vip99 detail
Virtual server name: dang-vip99
Virtual server IP address: 192.168.215.46
Virtual server MAC: 0290:0b0b:ea3b
Virtual server template: default
Current request: 0
Total connection: 0
Total request: 0
Peak connections: 0
TABLE 70 show slb virtual-server detail fields

Field Description
name
Virtual server IP IP address of the virtual server.
address
Virtual server MAC address of the VIP.
MAC
Virtual server Name of the virtual server template bound to the virtual
template server.
Current Current number of connections to the virtual port.
connection
the virtual port.
on page 555.
Total Total number of connections that have been made to the vir-
connection tual port.
Total request Total number of HTTP requests processed by the virtual
port.
success
Total forward Number of request bytes forwarded to the virtual port.
bytes
Total forward Number of request packets forwarded to the virtual port.
packets

TABLE 70 show slb virtual-server detail fields (Continued)

Field Description
Total reverse Number of request bytes received from the virtual port.
bytes
Total reverse Number of request packets received from the virtual port.
packets
Peak connections Peak connection count.
see the following:
port)
Example The following command shows details for a virtual port on a virtual server:
ACOS(config)#show slb virtual-server dangvip1 80 detail
Virtual port name: dangvip1:80
Virtual port number: 4.4.4.4:80
Virtual port template: default
Current request: 0
Total connection: 0
Total request: 0
Peak connections: 0
TABLE 71 show slb virtual-server detail fields

Field Description
Virtual port Name of the virtual server and virtual port.
name
Virtual port IP address of the virtual server and protocol port number of
number the virtual port.
Virtual port Name of the virtual port template bound to the virtual port.
template
Current Current number of connections to the virtual port.
connection

TABLE 71 show slb virtual-server detail fields (Continued)

Field Description
the virtual port.
on page 555.
Total Total number of connections that have been made to the vir-
connection tual port.
Total request Total number of HTTP requests processed by the virtual
port.
success
Total forward Number of request bytes forwarded to the virtual port.
bytes
Total forward Number of request packets forwarded to the virtual port.
packets
Total reverse Number of request bytes received from the virtual port.
bytes
Total reverse Number of request packets received from the virtual port.
packets
Peak connections Peak connection count.
see the following:
port)
Example The following command shows service group and port bindings:
AX#show slb virtual-server bind
---------------------------------------------------------------------------------
*Virtual Server : SanJose(A) 192.192.100.100 Down
+port 80 tcp ====>sg-80-1 State :Down

+rs-http:80 192.168.215.16 State : Down
*Virtual Server : Chicago(A) 192.192.200.200 All Up
+port 80 tcp ====>sg-80-2 State :All Up

+rs-http-2:80 192.168.215.13 State : Up

show slb waf
In this example, virtual port 80 on virtual server SanJose is bound to real

port 80 on real server rs-http in service group sg-80-1. Likewise, virtual port
80 on virtual server Chicago is bound to real port 80 on real server rs-http-2
in service group sg-80-2.
For each VIP, its HA state on the ACOS device is shown by one of the fol-
lowing:
• (A) – VIP is in active state on this ACOS device.
• (S) – VIP is in standby state on this ACOS device.
Example The following example shows the information displayed if alternate

(backup) servers are configured:
ACOS(config)#show slb virtual-server bind
---------------------------------------------------------------------------------
*Virtual Server : http-with-alternates(A) 192.168.10.10 Functional Up
+port 80 http ====>http1 State :Functional Up

+rs1:80 10.10.10.10 State : Up
Alternate: rs1-a1, rs1-a2, rs1-a3
+rs2:80 10.10.10.20 State : Down
Alternate: rs2-a1*, rs2-a2, rs2-a3
The primary servers are listed under the virtual port. Under each primary
server, that server’s alternate servers are listed.
If an asterisk is shown at the end of an alternate server name, the primary

server is down and the alternate server is active instead. In the example
above, rs2 is down, so alternate rs2-a1 is being used instead.
show slb waf

Description Show Web Application Firewall (WAF) information. See the Web Applica-
tion Firewall Guide.

AX Debug Commands
The AX debug subsystem enables you to trace packets on the ACOS device.
To access the AX debug subsystem, enter the following command at the
Privileged EXEC level of the CLI:
axdebug
The CLI prompt changes as follows:

AX(axdebug)#
This chapter describes the debug-related commands in the AX debug sub-

system.
To perform AX debugging using this subsystem:

1. Use the filter command to configure packet filters to match on the types
of packets to capture.
2. (Optional) Use the count command to change the maximum number of
packets to capture.
3. (Optional) Use the timeout command to change the maximum number
of minutes during which to capture packets.
4. (Optional) Use the incoming or outgoing command to limit the inter-
faces on which to capture traffic.
5. Use the capture command to start capturing packets. The ACOS device
begins capturing packets that match the filter, and saves the packets to a
file or displays them, depending on the capture options you specify.
6. To display capture files, use the show axdebug file command. (See
“show axdebug file” on page 847.)
7. To export capture files, use the export axdebug command at the Privi-
leged EXEC or global configuration level of the CLI. (See “export” on
page 73.)
The AXdebug utility creates a debug file in packet capture (PCAP) format.
The PCAP format can be read by third-party diagnostic applications such as
Wireshark, Ethereal (the older name for Wireshark) and tcpdump. To sim-
plify export of the PCAP file, the ACOS device compresses it into a zip file
in tar format. To use a PCAP file, you must untar it first.

capture
capture
Description Start capturing packets.
Syntax [no] capture parameter
brief
[save ...] Captures basic information about packets. (For
save options, see save filename below.)
detail
[save ...] Captures packet content in addition to basic
information. (For save options, see save filename
below.)
non-display
[save ...] Does not display the captured packets on the ter-
minal screen. Use the save options to configure a
file in which to save the captured packets.
save filename
[max-packets]
[incoming
[portnum ...]]
[outgoing
[portnum ...]] Saves captured packets in a file.
filename – Specifies the name of the packet cap-
ture file.
max-packets – Specifies the maximum number of
packets to capture in the file, 0-65535. To save an
unlimited number of packets in the file,
specify 0.
incoming [portnum ...] – Captures inbound pack-
ets. You can specify one or more physical Ether-
net interface numbers. Separate the interface
numbers with spaces. If you do not specify inter-
face numbers, inbound traffic on all physical
Ethernet interfaces is captured.
outgoing [portnum ...] – Captures outbound
packets on the specified physical Ethernet inter-
faces or on all physical Ethernet interfaces. If
you do not specify interface numbers, outbound
traffic on all physical Ethernet interfaces is cap-
tured.

capture
Default By default, packets in both directions on all Ethernet data interfaces are cap-
tured.
Note: The traffic also must match the AX debug filters.
Mode AX debug
Usage To minimize the impact of packet capture on system performance, A10 Net-
works recommends that you configure an AX debug filter before beginning
the packet capture.
To display a list of AX debug capture files or to display the contents of a

capture file, see “show axdebug file” on page 847.
Example The following command captures brief packet information for display on
the terminal screen. The output is not saved to a file.
AX(axdebug)#capture brief
Wait for debug output, enter <ctrl c> to exit
(0,1738448) i( 1, 0, cca8)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 SA
78f07ab8:dbffc02d(0)
(0,1738448) o( 3, 0, cca8)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 SA
78f07ab8:dbffc02d(0)
(0,1738448) i( 1, 0, cca9)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 A
78f07ab9:dbffc0c2(0)
(0,1738448) o( 3, 0, cca9)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 A
(1,1738450) i( 1, 0, ccaa)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 PA
(1,1738450) o( 3, 0, ccaa)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 PA
(1,1738450) i( 1, 0, ccab)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 FA
78f07b78:dbffc0c3(0)
(1,1738450) o( 3, 0, ccab)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 FA
78f07b78:dbffc0c3(0)
...
These lines of debug output show the following:

• 0 – CPU ID. Indicates the CPU that processed the packet. CPU 0 is the
control CPU.
• 1738448 – Time delay between packets. This is a jiffies value that incre-
ments in 4-millisecond (4-ms) intervals.
• i – Traffic direction: 1 (input) or o (output).
• (1, 0, cca8) – Ethernet interface, VLAN tag, and packet buffer index. If
the VLAN tag is 0, then the port is untagged. In this example, the first
packet is received on Ethernet port 1, and the VLAN is not yet known.
The packet is assigned to buffer index cca8.

capture
Note: Generally, the VLAN tag for ingress packets is 0. It is normal for the
ingress VLAN tag to be 0 even when the egress VLAN tag is not 0.
The source and destination IP addresses are listed next, followed by the
source and destination protocol port numbers.
The TCP flag is shown next:

• S – Syn
• SA – Syn Ack
• A – Ack
• F – Fin
• PA – Push Ack
The TCP sequence number and ACK sequence number are then shown.
Finally, the packet payload is shown. The header size is excluded.
Example The following command captures packet information and packet contents
for display on the terminal screen. The output is not saved to a file.
AX(axdebug)#capture detail
Wait for debug output, enter <ctrl c> to exit
i( 1, 0, ccae)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 SA 7ab6ae46:ddb87996(0)
Dump buffer(0xa6657048), len(80 bytes)...
0xa6657048: 00900b0b 3e83001d 09f0dec2 08004500 : ....>.........E.
0xa6657058: 003c0000 40004006 e8580a0a 0b1e1e1e : .<..@.@..X......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...
0xa6657078: 16a02ea5 00000204 05b40402 080a5194 : ..............Q.
0xa6657088: 6c551f3c 1d3f0103 03072d59 f97f0000 : lU.<.?....-Y....
0xa6657098: 00000000 00000000 00000000 00000000 : ................
o( 3, 0, ccae)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 SA 7ab6ae46:ddb87996(0)
0xa6657048: 001d09f0 e01e0090 0b0b3e83 08004500 : ..........>...E.
0xa6657058: 003c0000 40003f06 e9580a0a 0b1e1e1e : .<..@.?..X......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...
0xa6657078: 16a02ea5 00000204 05b40402 080a5194 : ..............Q.
0xa6657088: 6c551f3c 1d3f0103 03072d59 f97f0000 : lU.<.?....-Y....
0xa6657098: 00000000 00000000 00000000 00000000 : ................
i( 1, 0, ccaf)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 A 7ab6ae47:ddb87a2b(0)
0xa6657848: 00900b0b 3e83001d 09f0dec2 08004500 : ....>.........E.
0xa6657858: 0034c211 40004006 264f0a0a 0b1e1e1e : .4..@.@.&O......
0xa6657868: 1f1e0050 35467ab6 ae47ddb8 7a2b8010 : ...P5Fz..G..z+..
0xa6657878: 00367344 00000101 080a5194 6c561f3c : .6sD......Q.lV.<
0xa6657888: 1d4041de e3380000 00000000 00000000 : .@A..8..........
0xa6657898: 00000000 00000000 00000000 00000000 : ................
...

count
Example The following command saves captured packet information in file

“file123”. The captured traffic is not displayed on the terminal screen.
AX(axdebug)#capture save file123
count
Description Specify the maximum number of packets to capture.
Syntax [no] count num
num. Maximum number of packets to capture, 0-
65535. To capture an unlimited number of pack-
ets, specify 0.
Default 3000
Mode AX debug
Example The following command sets the maximum number of packets to capture to
2048:
AX(axdebug)#count 2048
delete
Description Delete an axdebug capture file.
Syntax delete filename
Default N/A
Mode AX debug
Example The following command deletes capture file “file123”:

AX(axdebug)#delete file123

filter
filter
Description Configure an AX debug filter, to specify the types of packets to capture.
Syntax [no] filter filter-id
filter-id ID of the filter, 1-255.
AX debug filter, where the following AX debug filter-related commands are
available:
Command Description
dst
{ip ipaddr |
mac macaddr |
port portnum} Matches on the specified destination IP address,
MAC address, or protocol port number.
l3-proto {arp |
ip | ipv6} Matches on the specified Layer 3 protocol.
ip ipaddr
{subnet-mask |
/mask-length} Matches on the specified IPv4 address.
mac macaddr Matches on the specified MAC address.
offset position
length bytes
operator value Matches on the specified length of bytes and
value of those bytes within the packet.
position – Starting position within the packet,
1-65535 bytes.
bytes – Number of consecutive bytes to filter
on, from 1-65535, beginning at the offset posi-
tion.
operator – One of the following:
> (greater than)
>= (greater than or equal to)
<= (smaller than or equal to)
< (smaller than)
= (equal to)

filter
range min-value max-value (select a

range)
value – String to filter on.
port min-
portnum max-
portnum Matches on the specified range of protocol port
numbers.
proto
{icmp |
icmpv6 |
tcp | udp |
portnum} Matches on the specified protocol or protocol
port number.
src
{ip ipaddr |
mac macaddr |
port port-num} Matches on the specified source IP address,
MAC address, or protocol port number.
Default No filters are configured by default. When you create one, all packets match
the filter by default.
Mode AX debug
Usage If a packet capture is running and you change the filter, there will be a 5-sec-
ond delay while the ACOS device clears the older filter. The delay does not
occur if a packet capture is not already running.
The packet filter for the debug command is internally numbered filter 0. In
AXdebug, you can create multiple filters, which are uniquely identified by
filter ID. If you create filter 0 in AXdebug, this filter will overwrite the
debug packet filter. Likewise, if you configure filter 0 in AXdebug, then
configure the debug packet filter, the debug packet filter will overwrite
AXdebug filter 0.
Example The following commands configure an AX debug filter to match on source

IP address 10.10.10.30, destination protocol port number 80, and source
MAC address aabb.ccdd.eeff. The show axdebug filter command displays
the filter.
AX(axdebug)#filter 1
AX(axdebug-filter:1)#src ip 10.10.10.30
AX(axdebug-filter:1)#dst port 80
AX(axdebug-filter:1)#src mac aabb.ccdd.eeff
AX(axdebug-filter:1)#exit

incoming | outgoing
AX(axdebug)#show axdebug filter

axdebug filter 1
src ip 10.10.10.30
dst port 80
src mac aabb.ccdd.eeff
incoming | outgoing
Description Specify the Ethernet interfaces and traffic direction for which to capture
packets.
Syntax [no] incoming [portnum ...]

[outgoing [portnum ...]]
outgoing [portnum ...]
Default Disabled
Note: The traffic also must match the AX debug filters.
Mode AX debug
Example The following command limits the packet capture to inbound packets on
Ethernet interface 3 and outbound packets on Ethernet interface 4:
AX(axdebug)#incoming 3 outgoing 4
Example The following command limits the packet capture to outbound packets on
Ethernet interface 7. Inbound packets on all Ethernet interfaces are cap-
tured, unless specified otherwise in AX debug filters.
AX(axdebug)#outgoing 7
length
Description Specify the maximum length of packets to capture. Packets that are longer
are not captured.
Syntax [no] length bytes
bytes Maximum packet length, 64-1518 bytes.
Default 1518
Mode AX debug

maxfile
Example The following command changes the maximum packet length to capture to
128:
AX(axdebug)#length 128
maxfile
Description Specify the maximum number of axdebug packet capture files to keep.
Syntax [no] maxfile num
num Maximum number of files to keep, 1-65535.
Default 100
Mode AX debug
Usage Once the maximum is reached, new axdebug files can not be created until
existing files are removed.
Example The following command changes the maximum number of AX debug cap-
ture files to keep to 125:
AX(axdebug)#maxfile 125
outgoing
Description See “incoming | outgoing” on page 1076.
timeout
Description Specify the maximum number of minutes to capture packets.
Syntax [no] timeout minutes
minutes Maximum number of minutes to capture packets,
0-65535.
Default 5
Mode AX debug

timeout
Example The following command changes the capture timeout to 10 minutes:

AX(axdebug)#timeout 10

show health stat Up / Down Causes
This chapter lists the cause strings for the numeric cause codes that appear
in the Up and Down fields of the show health stat output. The Up / Down
cause codes are shown in the output under “Cause(Up/Down/Retry)”.
Up Causes
Table 72 lists the Up causes.
TABLE 72 show health stat Up Causes

Cause Code Cause String
0 HM_INVALID_UP_REASON
1 HM_DNS_PARSE_RESPONSE_OK
2 HM_EXT_REPORT_UP
3 HM_EXT_TCL_REPORT_UP
4 HM_FTP_ACK_USER_LOGIN
5 HM_FTP_ACK_PASS_LOGIN
6 HM_HTTP_RECV_URL_FIRST
7 HM_HTTP_RECV_URL_NEARBY_FIRST
8 HM_HTTP_RECV_URL_FOLLOWING
9 HM_HTTP_RECV_URL_NEARBY_FOLLOWING
10 HM_HTTP_STATUS_CODE
11 HM_ICMP_RECV_OK
12 HM_ICMP_RECV6_OK
13 HM_LDAP_RECV_ACK
14 HM_POP3_RECV_ACK_PASS_OK
15 HM_RADIUS_RECV_OK
16 HM_RTSP_RECV_STATUS_OK
17 HM_SIP_RECV_OK
18 HM_SMTP_RECV_OK
19 HM_SNMP_RECV_OK
20 HM_TCP_VERIFY_CONN_OK
21 HM_TCP_CONN_OK
22 HM_TCP_HALF_CONN_OK
23 HM_UDP_RECV_OK
24 HM_UDP_NO_RESPOND
25 HM_COMPOUND_UP

Down Causes
Table 73 lists the Down causes.
TABLE 73 show health stat Down Causes

0 HM_INVALID_DOWN_REASON
1 HM_DNS_TIMEOUT
2 HM_EXT_TIMEOUT
3 HM_EXT_TCL_TIMEOUT
4 HM_FTP_TIMEOUT
5 HM_HTTP_TIMEOUT
6 HM_HTTPS_TIMEOUT
7 HM_ICMP_TIMEOUT
8 HM_LDAP_TIMEOUT
9 HM_POP3_TIMEOUT
10 HM_RADIUS_TIMEOUT
11 HM_RTSP_TIMEOUT
12 HM_SIP_TIMEOUT
13 HM_SMTP_TIMEOUT
14 HM_SNMP_TIMEOUT
15 HM_TCP_TIMEOUT
16 HM_TCP_HALF_TIMEOUT
17 HM_DNS_RECV_ERROR
18 HM_DNS_PARSE_RESPONSE_ERROR
19 HM_DNS_RECV_LEN_ZERO
20 HM_EXT_WAITPID_FAIL
21 HM_EXT_TERM_BY_SIG
22 HM_EXT_REPORT_DOWN
23 HM_EXT_TCL_REPORT_DOWN
24 HM_FTP_RECV_TIMEOUT
25 HM_FTP_SEND_TIMEOUT
26 HM_FTP_NO_SERVICE
27 HM_FTP_ACK_USER_WRONG_CODE
28 HM_FTP_ACK_PASS_WRONG_CODE
29 HM_COM_CONN_CLOSED_IN_WRITE
30 HM_COM_OTHER_ERR_IN_WRITE
31 HM_COM_CONN_CLOSED_IN_READ
32 HM_COM_OTHER_ERR_IN_READ
33 HM_COM_SEND_TIMEOUT
34 HM_COM_CONN_TIMEOUT
35 HM_COM_SSL_CONN_ERR

TABLE 73 show health stat Down Causes (Continued)

36 HM_HTTP_SEND_URL_ERR
37 HM_HTTP_RECV_URL_ERR
38 HM_HTTP_RECV_MSG_ERR
39 HM_HTTP_NO_LOCATION
40 HM_HTTP_WRONG_STATUS_CODE
41 HM_HTTP_WRONG_CHUNK
42 HM_HTTP_AUTH_ERR
43 HM_HTTPS_SSL_WRITE_ERR
44 HM_HTTPS_SSL_WRITE_OTHERS
45 HM_HTTPS_SSL_READ_ERR
46 HM_HTTPS_SSL_READ_OTHERS
47 HM_ICMP_RECV_ERR
48 HM_ICMP_SEND_ERR
49 HM_ICMP_RECV6_ERR
50 HM_LDAP_RECV_ACK_ERR
51 HM_LDAP_SSL_READ_ERR
52 HM_LDAP_SSL_READ_OTHERS
53 HM_LDAP_RECV_ACK_WRONG_PACKET
54 HM_LDAP_SSL_WRITE_ERR
55 HM_LDAP_SSL_WRITE_OTHERS
56 HM_LDAP_SEND_ERR
57 HM_POP3_RECV_TIMEOUT
58 HM_POP3_SEND_TIMEOUT
59 HM_POP3_NO_SERVICE
60 HM_POP3_RECV_ACK_USER_ERR
61 HM_POP3_RECV_ACK_PASS_ERR
62 HM_RADIUS_RECV_ERR
63 HM_RADIUS_RECV_ERR_PACKET
64 HM_RADIUS_RECV_NONE
65 HM_RTSP_RECV_STATUS_ERR
66 HM_RTSP_RECV_ERR
67 HM_RTSP_SEND_ERR
68 HM_SIP_RECV_ERR
69 HM_SIP_RECV_ERR_PACKET
70 HM_SIP_CONN_CLOSED
71 HM_SIP_NO_MEM
72 HM_SIP_STARTUP_ERR
73 HM_SMTP_RECV_ERR
74 HM_SMTP_NO_SERVICE
75 HM_SMTP_SEND_HELO_TIMEOUT
76 HM_SMTP_SEND_QUIT_TIMEOUT

TABLE 73 show health stat Down Causes (Continued)

77 HM_SMTP_WRONG_CODE
78 HM_SNMP_RECV_ERR
79 HM_SNMP_RECV_ERR_PACKET
80 HM_SNMP_RECV_ERR_OTHER
81 HM_TCP_PORT_CLOSED
82 HM_TCP_ERROR
83 HM_TCP_INVALID_TCP_FLAG
84 HM_TCP_HALF_NO_ROUTE
85 HM_TCP_HALF_NO_MEM
86 HM_TCP_HALF_SEND_ERR
87 HM_UDP_RECV_ERR
88 HM_UDP_RECV_ERR_OTHERS
89 HM_UDP_NO_SERVICE
90 HM_UDP_ERR
91 HM_COMPOUND_INVAL_RPN
92 HM_COMPOUND_DOWN
93 HM_COMPOUND_TIMEOUT


Customer Driven Innovation
Corporate Headquarters
A10 Networks, Inc.

3 West Plumeria Dr.
San Jose, CA 95134 USA
Tel: +1-408-325-8668 (main)

Tel: +1-408-325-8676 (support - worldwide)
Tel: +1-888-822-7210 (support - toll-free in USA)
Fax: +1-408-325-8666
www.a10networks.com
© 2013 A10 Networks Corporation. All rights reserved.
1084

A10 Thunder AX 271-P2 CLI Ref-2013.08.05

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

A10 Thunder AX 271-P2 CLI Ref-2013.08.05

Uploaded by

Copyright:

Available Formats

Command

A10 Thunder™ Series and AX Series

A10 Networks Inc. Software License and End User Agreement

Obtaining Technical Assistance

A10 Networks, Inc.

Tel: +1-408-325-8668 (main)

Collecting System Information

To collect system information, use either of the following methods.

USING THE GUI (RECOMMENDED)

3. Email the file as an attachment to support@a10networks.com.

Customer Driven Innovation 3 of 1084

USING THE CLI

4 of 1084 Customer Driven Innovation

About This Document

This document describes features of the A10 Networks Advanced Core

• AX Series Advanced Traffic Manager / Application Delivery Controller.

FIGURE 1 A10 Thunder 6430

Customer Driven Innovation 5 of 1084

• System Configuration and Administration Guide

• Application Access Management and DDoS Mitigation Guide

• Web Application Firewall Guide

Application Delivery Guides

• Global Server Load Balancing Guide

Note: Some guides include GUI configuration examples. In these examples,

6 of 1084 Customer Driven Innovation

A10 Virtual Application Delivery Community

Customer Driven Innovation 7 of 1084

8 of 1084 Customer Driven Innovation

Obtaining Technical Assistance 3

About This Document 5

Using the CLI 33

Customer Driven Innovation 9 of 1084

Privileged EXEC mode Commands 65

Config Commands: Global 89

10 of 1084 Customer Driven Innovation

Customer Driven Innovation 11 of 1084

12 of 1084 Customer Driven Innovation

Customer Driven Innovation 13 of 1084

Config Commands: Application Access Management 261

14 of 1084 Customer Driven Innovation

Config Commands: DNSSEC 275

Config Commands: Interface 287

Customer Driven Innovation 15 of 1084

16 of 1084 Customer Driven Innovation

Config Commands: VLAN 347

Config Commands: IP 351

Customer Driven Innovation 17 of 1084

Config Commands: IPv6 383

Config Commands: Router – RIP 395

18 of 1084 Customer Driven Innovation

Config Commands: Router – OSPF 423

Customer Driven Innovation 19 of 1084

Config Commands: Router – IS-IS 465

20 of 1084 Customer Driven Innovation

Config Commands: Router – BGP 491

Customer Driven Innovation 21 of 1084

22 of 1084 Customer Driven Innovation

Config Commands: Server Load Balancing 549

Customer Driven Innovation 23 of 1084

Config Commands: SLB Templates 579

24 of 1084 Customer Driven Innovation

Config Commands: SLB Servers 701

Config Commands: SLB Service Groups 715