Command Reference
4655 Great America Parkway Santa Clara, CA 95054 Phone 1-800-4Nortel http://www.nortel.com
Copyright 2006 - 2007 Nortel Networks. All rights reserved. Part Number: 320506-C Rev. 02.

This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Nortel Networks, Inc. Documentation is provided as is without warranty of any kind, either express or implied, including any kind of implied or express warranty of noninfringement or the implied warranties of merchantability or fitness for a particular purpose.

U.S. Government End Users: This document is provided with a commercial item as defined by FAR 2.101 (Oct 1995) and contains commercial technical data and commercial software documentation as those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR 12.211-12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995).

Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of Nortel Networks, Inc.

Nortel Application Switch Operating System, Nortel Application Switch 2424, Nortel Application Switch 2424-SSL, Nortel Application Switch 2224, 2216, 2208, 3408, Nortel Application Switch 180, Nortel Application Switch 180e, Nortel Application Switch 184, Nortel Application Switch AD3, Nortel Application Switch AD4, and ACEswitch are trademarks of Nortel Networks, Inc. in the United States and certain other countries. Cisco and EtherChannel are registered trademarks of Cisco Systems, Inc. in the United States and certain other countries. Check Point and FireWall-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd. Any other trademarks appearing in this manual are owned by their respective companies. Originated in the U.S.A.
320506-C Rev. 02, Feb 2007
Contents
Preface ... 19
Who Should Use This Book ... 19
How This Book Is Organized ... 19
Related Documentation ... 20
Typographic Conventions ... 21
How to Get Help ... 22
The Command Line Interface ... 23
Connecting to the Switch ... 24
Establishing a Console Connection ... 24
Requirements ... 24
Procedure ... 24
Establishing a Telnet Connection ... 25
Using a BOOTP Server ... 25
Running Telnet ... 25
Establishing an SSH Connection ... 26
Running SSH ... 26
Accessing the Switch ... 27
CLI Menu ... 29
Command Line History and Editing ... 29
Idle Timeout ... 29
Menu Basics ... 31
The Main Menu ... 31
Menu Summary ... 32
Global Commands ... 34
Command Line History and Editing ... 37
Command Line Interface Shortcuts ... 38
Command Stacking ... 38
Command Abbreviation ... 38
Information Menu ... 41
System Information Menu ... 43
SNMPv3 System Information Menu ... 45
SNMPv3 USM User Table Information ... 46
SNMPv3 View Table Information ... 47
SNMPv3 Access Table Information ... 48
SNMPv3 Group Table Information ... 49
SNMPv3 Community Table Information ... 49
SNMPv3 Target Address Table Information ... 50
SNMPv3 Target Parameters Table Information ... 51
SNMPv3 Notify Table Information ... 52
SNMPv3 Dump Information ... 53
General System Information ... 54
Show System Time ... 56
Show Last 64 Syslog Messages ... 56
Last 64 Saved Syslog Messages ... 57
Management Port Information ... 58
SONMP Information ... 59
System Capacity Information ... 60
Show switch fan status ... 63
Show switch temperature sensor status ... 63
Show encryption licenses ... 63
Show current user status ... 63
System Information Dump ... 64
Layer 2 Information Menu ... 69
Layer 2 FDB Information ... 70
Show All FDB Information ... 72
Clearing Entries from the Forwarding Database ... 72
Link Aggregation Control Protocol Information Menu ... 73
LACP Aggregator Information ... 74
LACP Port Information ... 75
LACP Dump Information ... 77
Layer 2 Spanning Tree Group Information ... 78
Show common internal spanning tree (CIST) information ... 81
Trunk Group Information ... 82
VLAN Information ... 83
VLAN Information ... 84
Status of port teams ... 85
Layer2 Dump Information ... 85
Layer3 Information Menu ... 86
IP Routing Information ... 87
Show All IP Route Information ... 88
Type Parameters ... 89
Tag Parameters ... 89
IPv6 Routing Information Menu ... 90
ARP Information Menu ... 92
Show ARP Entries on Referenced SP ... 93
Show All ARP Entry Information ... 93
ARP Address List Information ... 94
IPv6 Neighbor Cache Information ... 95
BGP Information Menu ... 97
BGP Peer information ... 98
BGP Summary information ... 99
Dump BGP Information ... 99
OSPF Information Menu ... 99
OSPF General Information ... 101
OSPF Interface Information ... 102
OSPF Database Information ... 102
OSPF Information Route Codes ... 104
OSPF Dump Information ... 105
IP Information ... 106
VRRP Information ... 107
Layer3 Dump Information ... 109
Layer 4 Information Menu ... 112
Session Table Information ... 114
Session Dump Samples ... 115
Session dump information ... 117
Global SLB Information Menu ... 120
Show All Layer 4 Information ... 121
Bandwidth Management Information ... 122
BWM IP User Information Menu ... 123
BWM Contract Information ... 125
Security Information ... 127
Link Status Information ... 128
Port Information ... 130
Software Enabled Keys ... 131
Information Dump ... 131
The Statistics Menu ... 133
Statistics Menu ... 133
System statistics menu ... 136
Port Statistics Menu ... 137
Bridging Statistics ... 138
Ethernet Statistics ... 139
Interface Statistics ... 143
Interface Protocol Statistics ... 144
Link Statistics ... 145
RMON Statistics ... 146
Port Dump Statistics ... 150
Port mirroring statistics menu ... 152
Layer 2 Statistics Menu ... 152
FDB Statistics ... 153
LACP Statistics ... 154
Spanning Tree Group Statistics ... 155
Layer 3 Statistics Menu ... 156
OSPF Statistics Menu ... 158
OSPF Global Statistics ... 159
IP Statistics ... 163
IP6 Statistics Menu ... 166
Route Statistics ... 171
ARP statistics ... 172
VRRP Statistics ... 173
IPv6 VRRP statistics ... 174
DNS Statistics ... 175
ICMP Statistics ... 176
Interface Statistics ... 178
TCP Statistics ... 180
UDP Statistics ... 182
Server Load Balancing Statistics Menu ... 182
Server Load Balancing SP statistics Menu ... 185
SP Real Server Statistics ... 185
SP Filter Statistics ... 186
SP Maintenance Statistics ... 187
Global SLB Statistics Menu ... 190
Real Server Global SLB Statistics ... 191
Virtual Server Global SLB Statistics ... 192
Global SLB Site Statistics ... 193
Global SLB Maintenance Statistics ... 194
Real Server SLB Statistics ... 196
Per Service Octet Counters ... 196
Real Server Group Statistics ... 197
Virtual Server SLB Statistics ... 198
Filter SLB Statistics ... 198
SLB Layer7 Statistics Menu ... 199
Layer7 Redirection Statistics ... 199
Layer 7 SLB String Statistics ... 200
Layer 7 SLB Maintenance Statistics ... 201
Layer7 Pooling Statistics ... 203
SLB Secure Socket Layer Statistics ... 204
File Transfer Protocol SLB and Filter Statistics Menu ... 205
Active FTP SLB Parsing and Filter Statistics ... 206
Passive FTP SLB Parsing Statistics ... 206
FTP SLB Maintenance Statistics ... 207
FTP SLB Statistics Dump ... 207
RTSP SLB Statistics ... 208
DNS SLB Statistics ... 209
WAP SLB Statistics ... 210
SLB Maintenance Statistics ... 212
SIP SLB Statistics ... 215
Display Workload Manager SASP statistics ... 217
Clear Workload Manager SASP Statistics ... 217
Display Workload Manager SASP statistics ... 218
BWM Statistics Menu ... 219
BWM Switch Processor Statistics ... 220
BWM Switch Processor Contract Statistics Menu ... 220
BWM Switch Processor Rate Contract Statistics ... 220
BWM Contract Statistics ... 221
BWM Contract Rate Statistics ... 222
BWM History Statistics ... 224
BWM Maintenance Statistics ... 225
BWM IP Users Statistics ... 225
Security Statistics ... 226
DOS Attack Statistics Menu ... 227
Types of DOS Attacks ... 228
IP Access Control List Statistics ... 231
UDP Blast Statistics ... 232
UDP Blast Dump Statistics ... 232
UDP Pattern Match Statistics ... 233
Rate Limiting Statistics ... 233
Dump Statistics for Security ... 234
Management Processor Statistics ... 235
MP Packet Statistics ... 236
TCP Statistics ... 238
UCB Statistics ... 238
MP-Specific SFD Statistics ... 239
CPU Statistics ... 239
SP Specific Statistics ... 240
SP-Specific Maintenance Statistics ... 241
CPU Statistics ... 241
Port Mirroring Statistics Menu ... 242
Management Port Statistics ... 242
Dump Statistics ... 243
The Configuration Menu ... 245
Management Port Configuration Menu ... 253
Management Port Link Menu ... 256
RADIUS Server Configuration ... 256
TACACS+ Server Configuration Menu ... 258
NTP Server Configuration ... 259
SynOptics Network Management Protocol Configuration ... 261
System SNMP Configuration ... 261
SNMPv3 Configuration Menu ... 264
User Security Model Configuration Menu ... 266
View Configuration Menu ... 267
Access Control Model Configuration Menu ... 268
Group Configuration Menu ... 270
Community Table Configuration Menu ... 271
Target Address Table Configuration Menu ... 272
Target Parameters Table Configuration Menu ... 273
Notify Table Configuration Menu ... 274
System Health Check Configuration Menu ... 275
System Access Control Configuration ... 276
Management Networks Menu ... 277
Port Management Access Menu ... 279
User Access Control Menu ... 279
System User ID Configuration Menu ... 282
HTTPS Access Configuration Menu ... 283
SSH Server Menu ... 285
Console Port-only commands ... 285
XML Configuration Access Menu ... 286
Example of enabling or disabling XML access ... 287
Configure the Timezone ... 288
Port Configuration ... 289
Nortel Application Switch Operating System 2000 Series ... 290
Fast Ethernet Ports ... 290
SFP GBIC Ports ... 290
Single-Mode Copper Port Gigabit Ethernet Link Menu ... 297
Single-Mode SFP Gigabit Ethernet Port Link Menu ... 300
Dual-Mode Ports ... 300
Dual-Mode Copper Port Link Menu ... 302
Dual-Mode SFP Gigabit Link Menu ... 304
Temporarily Disabling a Port ... 304
Port Mirroring Menu ... 305
Port-Mirroring Menu ... 305
Bandwidth Management Configuration ... 306
Bandwidth Management Contract Configuration ... 309
BWM Contract Time Policy Configuration Menu ... 310
Bandwidth Management Policy Configuration ... 312
Bandwidth Management Group Configuration Menu ... 313
Bandwidth Management Current Configuration ... 314
Layer 2 Configuration Menu ... 315
Multiple Spanning Tree Menu ... 316
Multiple Spanning Tree Menu ... 317
CIST Bridge Menu ... 318
Current configuration for CIST Bridge ... 318
Spanning Tree Group Configuration ... 319
Bridge Spanning Tree Configuration ... 321
Spanning Tree Port Configuration ... 322
Trunk Configuration ... 323
Link Aggregation Control Protocol Menu ... 325
LACP Port Configuration Menu ... 327
VLAN Configuration ... 328
Port Team Configuration ... 330
Layer 3 Configuration Menu ... 331
IP Interface Configuration ... 333
IPv6 Neighbor Discovery Menu ... 334
Default IP Gateway Configuration ... 335
Default Gateway Metrics ... 336
IP Static Route Configuration ... 337
IPv4 Static Route Configuration Menu ... 338
IPv6 Static Route Configuration Menu ... 339
ARP Configuration Menu ... 339
ARP Static Configuration Menu ... 340
IP Forwarding Configuration Menu ... 341
Local Network Route Caching Definition ... 341
Defining IP Address Ranges for the Local Route Cache ... 342
Network Filter Configuration ... 343
Route Map Configuration Menu ... 344
IP Access List Configuration Menu ... 346
Autonomous System Filter Path ... 347
Routing Information Protocol Configuration ... 348
RIP Interface Menu ... 350
Open Shortest Path First Configuration ... 352
Area Index Configuration Menu ... 354
OSPF Summary Range Configuration Menu ... 355
OSPF Interface Configuration Menu ... 356
OSPF Virtual Link Configuration Menu ... 358
OSPF MD5 Key Configuration Menu ... 359
OSPF Host Entry Configuration Menu ... 360
OSPF Route Redistribution Configuration Menu ... 361
Border Gateway Protocol Configuration ... 362
BGP Peer Configuration Menu ... 364
BGP Redistribution Configuration Menu ... 366
BGP Aggregate Routing Configuration Menu ... 368
IP Forwarding Port Configuration Menu ... 369
Domain Name System Configuration Menu ... 370
Bootstrap Protocol Relay Configuration Menu ... 371
VRRP Configuration Menu ... 372
Virtual Router Configuration Menu ... 374
Priority Tracking Configuration ... 376
Group Menu ... 378
Group Priority Tracking Configuration Menu ... 380
Virtual Router Group Configuration ... 382
Virtual Router Group Priority Tracking Configuration ... 384
VRRP Interface Configuration ... 386
VRRP Tracking Configuration ... 387
Default Gateway Metrics ... 388
Security Configuration Menus ... 389
Port Security Menu ... 391
IP Address Access Control List Configuration Menu ... 393
UDP Blast Protection Configuration Menu ... 395
Anomaly and Denial of Service Attack Prevention Menu ... 396
Pattern Matching Menu ... 397
SSL Processor Menu ... 399
Dump ... 400
Saving the Active Switch Configuration ... 401
Restoring the Active Switch Configuration ... 401
Real Server SLB Configuration ... 406
Real Server Advanced Menu ... 411
Buddy Server Health Check Menu ... 412
Real Server Layer 7 Configuration ... 413
Real server IDS Configuration Menu ... 414
Real Server Group SLB Configuration ... 415
SLB Health Check Types ... 418
Server Load Balancing Metrics ... 421
Virtual Server SLB Configuration ... 424
Virtual Server Service Configuration ... 427
WTS Load Balancing Menu ... 433
HTTP Load Balancing Menu ... 434
SIP Load Balancing Menu ... 435
RTSP Load Balancing Menu ... 436
Cookie-Based Persistence ... 437
Advanced Filter Configuration ... 445
802.1p Advanced Menu ... 448
Advanced Filter TCP Configuration ... 448
IP Advanced Menu ... 449
ICMP Message Types ... 450
Layer 7 Advanced Filter Configuration Menu ... 452
Layer 7 SIP Menu ... 454
Proxy Advanced Menu ... 455
SLB Filter Advanced Security Menu ... 455
Advanced Security Rate Limiting Configuration Menu ... 457
Port SLB Configuration ... 458
Global SLB Configuration ... 460
GSLB Remote Site Configuration ... 463
GSLB Network Preference Configuration Menu ... 464
GSLB Rule Configuration Menu ... 466
Global SLB Rule Metric Menu ... 467
Layer 7 SLB Resource Definition Menu ... 468
Web Cache Redirection Configuration ... 468
Server Load Balance Resource Configuration Menu ... 470
SDP Mapping Menu ... 472
WAP Configuration ... 472
Synchronize Peer Switch Configuration ... 473
Peer Switch Configuration ... 474
Advanced Layer 4 Configuration ... 475
SYN Attack Detection Configuration Menu ... 478
Advanced SMT Real Server Port Configuration Menu ... 478
Inbound Link Load Balancing configuration Menu ... 479
Inbound Link Load Balancing Domain Record Menu ... 480
Inbound Link Load Balancing Mapping Menu ... 481
Advanced Health Check Configuration Menu ... 481
Scriptable Health Checks Configuration ... 483
SNMP Health Check Configuration ... 485
WAP Health Check Configuration ... 487
WSP Content Health Check ... 489
WTP and WSP Content Health Check Menu ... 490
Proxy IP Address Configuration Menu ... 491
SLB Peer Proxy IP Address Menu ... 492
WorkLoad Management Menu ... 493
The Operations Menu ... 495
Operations Menu ... 495
Operations-Level Port Options ... 497
Operations-Level SLB Options ... 498
Real Server Group Operations ... 499
Global SLB Operations Menu ... 500
Operations-Level VRRP Options ... 501
Operations-Level Bandwidth Management Options ... 501
Security Menu ... 502
IP ACL Operations Menu ... 502
Operations-Level IP Options ... 504
Operations-Level BGP Options ... 504
Activating Optional Software ... 505
Removing Optional Software ... 506
The Boot Options Menu ... 507
Maintenance Menu ... 515
System Maintenance Options ... 518
Forwarding Database Options ... 518
ARP Cache Options ... 519
ARP Entries on a Single Port ... 520
IP Route Manipulation ... 521
IPv6 Manipulation Menu ... 522
Debugging Options ... 523
Uuencode Flash Dump ... 524
System Dump Put ... 525
Clearing Dump Information ... 525
Panic Command ... 526
Unscheduled System Dumps ... 527

The SSL Processor Menu ... 529
Login to the SSL processor ... 529
SSL Processor Menu ... 531
SSL Performance information menu ... 532
SSL Performance Menu ... 536
SSL Performance Statistics menu ... 537
SSL Performance Menu ... 538
SSL Performance SSL Local Statistics Menu ... 539
SSL Performance: Single ISD SSL Statistics Menu ... 540
IPSEC Statistics menu ... 541
SSL Performance: Local IPSEC Statistics Menu ... 542
SSL Performance: Single IPSEC ISD Statistics Menu ... 543
AAA Statistics Menu ... 544
320506-C Rev. 02, Feb 2007
SSL Performance Configuration Menu ... 544
SSL Server Menu ... 547
SSL Server-specific Menu ... 548
SSL Server-specific Trace Menu ... 550
SSL Server-specific SSL Menu ... 551
SSL Server-specific TCP Menu ... 552
SSL Server-specific Advanced Menu ... 553
SSL Server Advanced String Menu ... 554
SSL Server Advanced Load Balancing Menu ... 555
SSL Server Advanced Load Balancing Cookie Menu ... 556
Local VIP Menu ... 558
SSL Server Advanced Load Balancing Health Script Menu ... 558
SSL Server Advanced Load Balancing Remote SSL Menu ... 559
SSL Server Remote SSL Verification Menu ... 560
SSL Server Backend Server Menu ... 561
SSL Certificate Menu ... 562
SSL Revoke Certificate Menu ... 566
SSL Revoke Certificate Automatic Menu ... 567
SSL VPN Configuration Menu ... 568
SSL VPN AAA Menu ... 569
SSL VPN TunnelGuard Menu ... 571
SSL VPN Authentication Menu ... 573
SSL VPN Authentication Radius Menu ... 574
SSL VPN Authentication Radius Servers Menu ... 575
SSL VPN Authentication Radius Session Timeout Menu ... 575
SSL VPN Authentication Radius Macro Menu ... 576
SSL VPN Authentication Advanced Menu ... 577
SSL VPN Network Menu ... 577
SSL VPN Network Subnet Menu ... 578
SSL VPN Service Menu ... 579
SSL VPN Application specific Menu ... 580
SSL VPN Application specific Paths Menu ... 582
SSL VPN AAA Filter Menu ... 583
SSL VPN AAA Group Menu ... 584
SSL VPN AAA Group Access Menu ... 586
SSL VPN AAA Group Linkset Menu ... 587
SSL VPN AAA Group Extend Profiles Menu ... 588
SSL VPN AAA Group Extend Profiles Access Menu ... 589
SSL VPN AAA Group Extend Profiles Linkset Menu ... 590
SSL VPN AAA Group IPsec Menu ... 590
SSL VPN AAA Single-sign on Enabled Domains Menu ... 592
SSL VPN AAA Single-sign on Headers Menu ... 592
SSL VPN AAA Radius Accounting Menu ... 594
SSL VPN AAA Radius Accounting Servers Menu ... 594
SSL VPN AAA Radius Accounting VPN attributes Menu ... 595
SSL VPN Configuration Server Menu ... 595
SSL VPN Server Traffic Trace Menu ... 596
SSL VPN Server SSL Settings Menu ... 597
SSL VPN Server TCP endpoint Settings Menu ... 599
SSL VPN Server HTTP Settings Menu ... 600
SSL VPN Server SSL triggered rewrite Menu ... 601
SSL VPN Server Intranet Proxy settings Menu ... 602
SSL VPN Server Portal settings Menu ... 603
SSL VPN Configuration Server Advanced Menu ... 603
SSL VPN Server UDP Syslog Traffic Log Menu ... 604
SSL VPN Server SSL Connect Menu ... 605
SSL VPN Server SSL Connect verify Server Menu ... 605
SSL VPN Configuration IPsec Server Menu ... 606
SSL VPN IPsec Server IKE Profile Menu ... 607
SSL VPN IPsec Server IKE Profile Encryption Menu ... 609
SSL VPN IPsec Server Diffie-Hellman Group Mask Menu ... 610
SSL VPN IPsec Server IKE Profile NAT Menu ... 610
SSL VPN IPsec Server IKE Profile Dead Peer Menu ... 611
SSL VPN IP Pool Menu ... 611
SSL VPN Portal Menu ... 612
SSL VPN Portal Colors Menu ... 614
SSL VPN Portal Full Access Menu ... 615
SSL VPN Portal Language Menu ... 616
SSL VPN Portal Whitelist settings Menu ... 616
SSL VPN Portal Whitelist settings Domains Menu ... 617
SSL VPN Linkset Menu ... 617
SSL VPN Linkset Link Menu ... 619
SSL VPN Linkset Link Internal Setting Menu ... 620
SSL VPN SSL Client Menu ... 620
SSL VPN Configuration Advanced Menu ... 620
SSL VPN Advanced DNS settings Menu ... 621
SSL Configuration System Menu ... 621
SSL System Host Menu ... 623
SSL System Host Routes Menu ... 624
SSL System Host Menu ... 624
SSL System Host Interface Routes Menu ... 625
SSL System Host Port Menu ... 626
SSL Configuration System Menu ... 626
SSL System Time Menu ... 627
SSL System Time NTP servers Menu ... 627
SSL Configuration System DNS settings Menu ... 628
SSL System DNS Servers settings Menu ... 629
SSL System RSA servers Menu ... 630
SSL System SysLog Servers Menu ... 630
SSL System Access List Menu ... 631
SSL System Administrative applications Menu ... 632
SSL System Administrative applications SNMP Menu ... 633
SSL System Administrative SNMPv2 MIB SNMP Menu ... 634
SSL System Administrative SNMP Community Menu ... 634
SSL System Administrative SNMP Users Menu ... 635
SSL System Administrative SNMP Target Menu ... 636
SSL System Administrative Audit Menu ... 637
SSL System Administrative Audit Servers Menu ... 638
SSL System Administrative HTTP Menu ... 638
SSL System Administrative HTTPS Menu ... 639
SSL System Administrative SSH Host keys Menu ... 639
SSL System Administrative SSH Known Host Menu ... 640
SSL Configuration System Menu ... 641
SSL System User Edit Menu ... 641
SSL System User Edit Menu ... 642
SSL Language Support Menu ... 642
SSL Boot Menu ... 643
SSL Performance Menu ... 645
SSL Performance Maintenance Menu ... 646
SSL Performance HSM Menu ... 647

Syslog Messages ... 649
LOG_WARNING ... 649
LOG_ALERT ... 650
LOG_CRIT ... 651
LOG_ERR ... 651
LOG_NOTICE ... 657
LOG_INFO ... 659

SNMP Agent ... 661

Performing a Serial Download ... 665

Glossary ... 667

Index ... 671
Preface
The Nortel Application Switch Operating System 23.2 Command Reference describes how to configure and use the Nortel Application Switch Operating System software with your Nortel Application Switch. For documentation on installing the switches physically, see the Hardware Installation Guide for your particular switch model.
The Operations Menu describes how to use commands which affect switch performance immediately, but do not alter permanent switch configurations (such as temporarily disabling ports). The menu also describes how to activate or deactivate optional software features.

The Boot Options Menu describes the use of the primary and alternate switch images, how to load a new software image, and how to reset the software to factory defaults.

The Maintenance Menu describes how to generate and access a dump of critical switch state information, how to clear it, and how to clear part or all of the forwarding database.

Appendix A, Syslog Messages presents a listing of syslog messages.

Appendix B, SNMP Agent lists the Management Information Bases (MIBs) supported in the switch software.

Appendix C, Performing a Serial Download shows how to directly load a binary software image into the switch for upgrade or maintenance.

Glossary defines the terminology used throughout the book.

Index includes pointers to the description of the key words used throughout the book.
Related Documentation
Nortel Application Switch Operating System 23.2 Application Guide (Part Number 320507-C). Provides application explanations and configuration examples for the Switch.

Nortel Application Switch Operating System 23.2 Browser-Based Interface (BBI) Quick Guide (Part Number 320508-C). Provides a description of the Switch BBI and how to configure and access it on the Switch.

Nortel Application Switch Hardware Installation Guide (Part Number 315396-E). Provides a description of the Nortel Application Switch hardware, the physical features, how to install it, and how to troubleshoot it.

Nortel Application Switch Operating System 23.2 Release Notes (Part Number 320509-C). This document provides a description of new features and caveats and limitations, if any, in the software.
Technical configuration guides are available for many of the features present in the Nortel Application Switch Operating System. These configuration guides can be accessed at the following location: http://www130.nortelnetworks.com/go/main.jsp?cscat=DOCUMENTATION&resetFilter=1&poid=12334.
Typographic Conventions
The following table describes the typographic styles used in this book.

Table 1 Typographic Conventions

Typeface or Symbol: AaBbCc123
Meaning: This type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts.
Example: View the readme.txt file. Main#

Typeface or Symbol: AaBbCc123 (bold)
Meaning: This bold type appears in command examples. It shows text that must be typed in exactly as shown.
Example: Main# sys

Typeface or Symbol: <AaBbCc123> (italic)
Meaning: This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows book titles, special terms, or words to be emphasized.
Example: To establish a Telnet session, enter: host# telnet <IP address>. Read your Users Guide thoroughly.

Typeface or Symbol: [ ]
Meaning: Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
Example: host# ls [-a]
Additional information about the Nortel Technical Solutions Centers is available at the following URL: http://www.nortelnetworks.com/help/contact/global

An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate an ERC for your product or service, refer to the following URL: http://www.nortelnetworks.com/help/contact/erc/index.html
CHAPTER 1
A standard serial cable with a male DB9 connector (see your switch hardware installation guide for specifics).
Procedure
1. Connect the terminal to the Console port using the serial cable.
2. Power on the terminal.
3. To establish the connection, press <Enter> a few times on your terminal. You will next be required to enter a password for access to the switch.
Running Telnet
Once the IP parameters on the Nortel Application Switch are configured, you can access the CLI using a Telnet connection. To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the Telnet command, followed by the switch IP address:
telnet <IP address>
Running SSH
Once the IP parameters are configured and the SSH service is turned on for the Nortel Application Switch, you can access the command line interface using an SSH connection. To establish an SSH connection with the switch, run the SSH program on your workstation by issuing the SSH command, followed by the switch IP address:
>> # ssh <switch IP address>
You will then be prompted to enter your user name and password.
SLB Operator (slboper)
The SLB Operator manages Web servers and other Internet services and their loads. In addition to being able to view all switch information and statistics, the SLB Operator can enable/disable servers using the Server Load Balancing operation menu.

Layer 4 Operator (l4oper)
The Layer 4 Operator manages traffic on the lines leading to the shared Internet services. This user currently has the same access level as the SLB Operator; the access level is reserved for future use, to provide access to operational commands for operators managing traffic on the lines leading to the shared Internet services.

Operator (oper)
The Operator manages all functions of the switch. In addition to SLB Operator functions, the Operator can reset ports or the entire switch.

SLB Administrator (slbadmin)
The SLB Administrator configures and manages Web servers and other Internet services and their loads. In addition to SLB Operator functions, the SLB Administrator can configure parameters on the Server Load Balancing menus, with the exception of filters and bandwidth management, which this level cannot configure.

Layer 4 Administrator (l4admin)
The Layer 4 Administrator configures and manages traffic on the lines leading to the shared Internet services. In addition to SLB Administrator functions, the Layer 4 Administrator can configure all parameters on the Server Load Balancing menus, including filters and bandwidth management.

Administrator (admin)
The superuser Administrator has complete access to all menus, information, and configuration commands on the Nortel Application Switch, including the ability to change both the user and administrator passwords.
NOTE With the exception of the admin user, access to each user level can be disabled by setting the password to an empty value. All user levels below admin will by default be initially disabled (empty password) until they are enabled by the admin user. This prevents inadvertently leaving the switch open to unauthorized users.
CLI Menu
Once the administrator password is verified, you are given complete access to the switch. The following table shows the Main Menu with administrator privileges.
[Main Menu]
info - Information Menu
stats - Statistics Menu
cfg - Configuration Menu
oper - Operations Command Menu
boot - Boot Options Menu
maint - Maintenance Menu
diff - Show pending config changes [global command]
apply - Apply pending config changes [global command]
save - Save updated config to FLASH [global command]
revert - Revert pending or applied changes [global command]
exit - Exit [global command, always available]
NOTE If you are accessing a user account or Layer 4 administrator account, some menu options will not be available.
Idle Timeout
By default, the switch will disconnect your console or Telnet session after five minutes of inactivity. This function is controlled by the idle timeout parameter, which can be set from 1 to 10080 minutes. For information on changing this parameter, see System Configuration on page 249.
CHAPTER 2
Menu Basics
The Nortel Application Switch's Command Line Interface (CLI) is used for viewing switch information and statistics. In addition, the administrator can use the CLI for performing all levels of switch configuration. To make the CLI easy to use, the various commands have been logically grouped into a series of menus and sub-menus. Each menu displays a list of commands and/or sub-menus that are available, along with a summary of what each command will do. Below each menu is a prompt where you can enter any command appropriate to the current menu. This chapter describes the Main Menu commands, and provides a list of commands and shortcuts that are commonly available from all the menus within the CLI.
NOTE The ssl option is only visible on the Nortel Application Switch Operating System 2000-SSL Series.
[Main Menu]
info - Information Menu
stats - Statistics Menu
cfg - Configuration Menu
oper - Operations Command Menu
boot - Boot Options Menu
maint - Maintenance Menu
ssl - SSL Accelerator Menu
diff - Show pending config changes [global command]
apply - Apply pending config changes [global command]
save - Save updated config to FLASH [global command]
revert - Revert pending or applied changes [global command]
exit - Exit [global command, always available]
Menu Summary
Information Menu: Provides sub-menus for displaying information about the current status of the switch: from basic system settings to VLANs, Layer 4 settings, and more.

Statistics Menu: Provides sub-menus for displaying switch performance statistics. Included are port, IF, IP, ICMP, TCP, UDP, SNMP, routing, ARP, DNS, VRRP, and Layer 4 statistics.

Configuration Menu: This menu is available only from an administrator login. It includes sub-menus for configuring every aspect of the switch. Changes to configuration are not active until explicitly applied. Changes can be saved to non-volatile memory.

Operations Command Menu: Operations-level commands are used for making immediate and temporary changes to switch configuration. This menu is used for bringing ports temporarily in and out of service, performing port mirroring, and enabling or disabling Server Load Balancing functions. It is also used for activating or deactivating optional software packages.

Boot Options Menu: This menu is used for upgrading switch software, selecting configuration blocks, and for resetting the switch when necessary.

Maintenance Menu: This menu is used for debugging purposes, enabling you to generate a dump of the critical state information in the switch, and to clear entries in the forwarding database and the ARP and routing tables.

SSL Accelerator Menu: This menu is used to connect to the SSL Accelerator in 2424-SSL model switches. Once connected, SSL configuration and maintenance can take place.
Global Commands
Some basic commands are recognized throughout the menu hierarchy. These commands are useful for obtaining online help, navigating through menus, and for applying and saving configuration changes. For help on a specific command, type help. You will see the following screen:
Global Commands: [can be issued from any menu] help up print lines verbose exit diff apply save ping ping6 traceroute history pushd popd
The following are used to navigate the menu structure:
. - Print current menu
.. - Move up one menu level
/ - Top menu if first, or command separator
! - Execute command from history
Other global commands: exit or quit, ping6, traceroute, pwd, verbose n, telnet, history, popd, who.

Command line editing keys: <Ctrl-n>, <Ctrl-a>, <Ctrl-e>, <Ctrl-b>, <Ctrl-f>, <Backspace>, <Ctrl-d>, <Ctrl-k>, <Ctrl-l>, <Ctrl-u>, other keys.
Command Abbreviation
Most commands can be abbreviated by entering the first characters which distinguish the command from the others in the same menu or sub-menu. For example, the command shown above could also be entered as follows:
Main# c/l2/st/p
Tab Completion
By entering the first letter of a command at any menu prompt and hitting <Tab>, the CLI will display all commands or options in that menu that begin with that letter. Entering additional letters will further refine the list of commands or options displayed. If only one command fits the input text when <Tab> is pressed, that command will be supplied on the command line, waiting to be entered. If the <Tab> key is pressed without any input on the command line, the currently active menu will be displayed.
Configuration Ranges
Most commands now support the use of configuration ranges. Configuration ranges allow the user to set common parameters on a range of similar items on the switch like ports or VLANs. For example, the command shown below would set the PVID of ports 1 through 10 to 5.
Main# /cfg/port 1-10/pvid 5
NOTE When applying a change across a large range, the user may lose control of the switch for 3 to 4 minutes as iterative messages are displayed. This is especially evident through console connections.
CHAPTER 3
mation.
The information provided by each menu option is briefly described in Table 3-1 on page 41, with pointers to where detailed information can be found.

Table 3-1 Information Menu Options (/info)
sys - Displays system menu information. To view menu options, see page 43.
l2 - Displays the Layer 2 Information Menu. For details, see page 69.
l3 - Displays the Layer 3 information menu. For details, see page 86.
/info/sys/snmpv3
SNMPv3 System Information Menu
SNMP version 3 (SNMPv3) is an extensible SNMP Framework that supplements the SNMPv2 Framework by supporting the following:
- a new SNMP message format
- security for messages
- access control
- remote configuration of SNMP parameters
For more details on the SNMPv3 architecture please refer to RFC2271 to RFC2276.

[SNMPv3 Information Menu]
usm - Show usmUser table information
view - Show vacmViewTreeFamily table information
access - Show vacmAccess table information
group - Show vacmSecurityToGroup table information
comm - Show community table information
taddr - Show targetAddr table information
tparam - Show targetParams table information
notify - Show notify table information
dump - Show all SNMPv3 information
/info/sys/snmpv3/usm
SNMPv3 USM User Table Information
The User-based Security Model (USM) in SNMPv3 provides security services such as authentication and privacy of messages. This security model makes use of a defined set of user identities displayed in the USM user table. The USM user table contains information like:
- the user name
- a security name in the form of a string whose format is independent of the Security Model
- an authentication protocol, which is an indication that the messages sent on behalf of the user can be authenticated
- the privacy protocol

usmUser Table:
User Name   Protocol
---------   ----------------------
admin       NO AUTH, NO PRIVACY
adminmd5    HMAC_MD5, DES PRIVACY
adminsha    HMAC_SHA, DES PRIVACY
v1v2only    NO AUTH, NO PRIVACY
/info/sys/snmpv3/view
SNMPv3 View Table Information
For security reasons, the user can restrict the access allowed to a group to only a subset of the management information in the management domain, within each context, by specifying the group's rights in terms of a particular MIB view.

View Name   Subtree          Mask   Type
---------   --------------   ----   --------
org         1.3                     included
v1v2only    1.3                     included
v1v2only    1.3.6.1.6.3.15          excluded
v1v2only    1.3.6.1.6.3.16          excluded
v1v2only    1.3.6.1.6.3.18          excluded
/info/sys/snmpv3/access
SNMPv3 Access Table Information
The access control subsystem provides authorization services. The vacmAccessTable maps a group name, security information, a context, and a message type (a read or write operation, or a notification) to a MIB view. The View-based Access Control Model defines a set of services that an application can use for checking access rights of a group. A group's access rights are determined by a read-view, a write-view and a notify-view. The read-view is the set of object instances the group is authorized to read. The write-view is the set of object instances the group is authorized to write. The notify-view is the set of object instances the group is authorized to send in a notification.

Group Name   Prefix   Model    Level          Match   ReadV   WriteV   NotifyV
----------   ------   ------   ------------   -----   -----   ------   --------
admin                 usm      noAuthNoPriv   exact   org     org      org
v1v2grp               snmpv1   noAuthNoPriv   exact   org     org      v1v2only
admingrp              usm      authPriv       exact   org     org      org
/info/sys/snmpv3/group
SNMPv3 Group Table Information
A group is a combination of security model and security name that defines the access rights assigned to all the security names belonging to that group. The group is identified by a group name.
Sec Model   User Name   Group Name
---------   ---------   ----------
snmpv1      v1v2only    v1v2grp
usm         admin       admin
usm         adminmd5    admingrp
usm         adminsha    admingrp
/info/sys/snmpv3/comm
SNMPv3 Community Table Information
This command displays the community table information stored in the SNMP engine.
Index   Name     User Name   Tag
-----   ------   ---------   --------
trap1   public   v1v2only    v1v2trap
/info/sys/snmpv3/taddr
SNMPv3 Target Address Table Information
This command displays the SNMPv3 target address table information, which is stored in the SNMP engine.
Name    Transport Addr   Port   Taglist    Params
-----   --------------   ----   --------   ---------
trap1   47.81.25.66      162    v1v2trap   v1v2param

Table 3-9 SNMPv3 Target Address Table Information Parameters (/info/sys/snmpv3/taddr)

Name - Displays the locally arbitrary, but unique identifier associated with this snmpTargetAddrEntry.
Transport Addr - Displays the transport addresses.
Port - Displays the SNMP UDP port number.
Taglist - This column contains a list of tag values which are used to select target addresses for a particular SNMP message.
Params - The value of this object identifies an entry in the snmpTargetParamsTable. The identified entry contains SNMP parameters to be used when generating messages to be sent to this transport address.
/info/sys/snmpv3/tparam
SNMPv3 Target Parameters Table Information
Name        MP Model   User Name   Sec Model   Sec Level
---------   --------   ---------   ---------   ------------
v1v2param   snmpv2c    v1v2only    snmpv1      noAuthNoPriv
/info/sys/snmpv3/notify
SNMPv3 Notify Table Information
Name       Tag
--------   --------
v1v2trap   v1v2trap
/info/sys/snmpv3/dump
SNMPv3 Dump Information
usmUser Table:
User Name   Protocol
---------   ----------------------
admin       NO AUTH, NO PRIVACY
adminmd5    HMAC_MD5, DES PRIVACY
adminsha    HMAC_SHA, DES PRIVACY
v1v2only    NO AUTH, NO PRIVACY

vacmAccess Table:
Group Name   Prefix   Model    Level          Match   ReadV   WriteV   NotifyV
----------   ------   ------   ------------   -----   -----   ------   --------
admin                 usm      noAuthNoPriv   exact   org     org      org
v1v2grp               snmpv1   noAuthNoPriv   exact   org     org      v1v2only
admingrp              usm      authPriv       exact   org     org      org

vacmViewTreeFamily Table:
View Name   Subtree          Mask
---------   --------------   ----
org         1.3
v1v2only    1.3
v1v2only    1.3.6.1.6.3.15
v1v2only    1.3.6.1.6.3.16
v1v2only    1.3.6.1.6.3.18

vacmSecurityToGroup Table:
Sec Model   User Name
---------   ---------
snmpv1      v1v2only
usm         admin
usm         adminsha

snmpCommunity Table:
Index   Name   User Name   Tag
-----   ----   ---------   ---

snmpNotify Table:
Name   Tag
----   ---

snmpTargetAddr Table:
Name   Transport Addr   Port   Taglist   Params
----   --------------   ----   -------   ------

snmpTargetParams Table:
Name   MP Model   User Name   Sec Model   Sec Level
----   --------   ---------   ---------   ---------
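As an added audit (example code, not Nortel's), the following Python reads the usmUser, vacmSecurityToGroup, vacmAccess and snmpCommunity tables in the fixed-width layout the switch prints them, joins them the way the View-based Access Control Model does (user to group, group to write-view), and flags every principal that can write MIB objects with no authentication or privacy. The table text is constructed from the output shown on this page; no command or API beyond that is assumed.

```python
import re

# Constructed sample input, transcribed from the tables this page shows under
# /info/sys/snmpv3 (the switch prints them as fixed-width columns).
USM_TABLE = """\
User Name    Protocol
------------ ------------------------
admin        NO AUTH, NO PRIVACY
adminmd5     HMAC_MD5, DES PRIVACY
adminsha     HMAC_SHA, DES PRIVACY
v1v2only     NO AUTH, NO PRIVACY
"""
GROUP_TABLE = """\
Sec Model  User Name    Group Name
---------- ------------ --------------------
snmpv1     v1v2only     v1v2grp
usm        admin        admin
usm        adminmd5     admingrp
usm        adminsha     admingrp
"""
ACCESS_TABLE = """\
Group Name Prefix Model   Level        Match ReadV WriteV NotifyV
---------- ------ ------- ------------ ----- ----- ------ --------
admin             usm     noAuthNoPriv exact org   org    org
v1v2grp           snmpv1  noAuthNoPriv exact org   org    v1v2only
admingrp          usm     authPriv     exact org   org    org
"""
COMMUNITY_TABLE = """\
Index      Name       User Name    Tag
---------- ---------- ------------ ----------
trap1      public     v1v2only     v1v2trap
"""


def parse_table(text):
    """Parse one fixed-width table whose second line is the dashed rule.

    Column boundaries are taken from the dash runs, so an empty cell (the
    blank Prefix column) stays "" instead of shifting every field to the
    left the way str.split() would.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, rule, rows = lines[0], lines[1], lines[2:]
    starts = [m.start() for m in re.finditer(r"-+", rule)]
    bounds = list(zip(starts, starts[1:] + [None]))
    names = [header[s:e].strip() for s, e in bounds]
    return [dict(zip(names, [row[s:e].strip() for s, e in bounds])) for row in rows]


def audit(usm_text, group_text, access_text, community_text):
    """Return findings: principals that can write MIB objects without
    authentication or privacy (USM users with NO AUTH, and any SNMPv1/v2c
    community, since community strings travel in cleartext)."""
    usm = parse_table(usm_text)
    groups = parse_table(group_text)
    access = parse_table(access_text)
    findings = []

    def group_of(user, model):
        return next((g["Group Name"] for g in groups
                     if g["User Name"] == user and g["Sec Model"] == model), None)

    def write_view(group, model):
        # (WriteV, Level) of the first access row granting this group a write view.
        return next(((a["WriteV"], a["Level"]) for a in access
                     if a["Group Name"] == group and a["Model"] == model and a["WriteV"]), None)

    for u in usm:
        if "NO AUTH" not in u["Protocol"]:
            continue
        grp = group_of(u["User Name"], "usm")
        hit = write_view(grp, "usm") if grp else None
        if hit:
            findings.append(f"usm user {u['User Name']!r} ({u['Protocol']}) can write "
                            f"view {hit[0]!r} via group {grp!r} at {hit[1]}")
    for c in parse_table(community_text):
        for model in ("snmpv1", "snmpv2c"):
            grp = group_of(c["User Name"], model)
            hit = write_view(grp, model) if grp else None
            if hit:
                findings.append(f"community {c['Name']!r} maps to {c['User Name']!r}/"
                                f"{grp!r} with write view {hit[0]!r} ({model})")
    return findings
```

On the tables shown here it reports the admin USM user (no authentication, write view org) and the public community (snmpv1, write view org via v1v2grp); adminmd5 and adminsha pass because their group requires authPriv.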
/info/sys/general
General System Information
On a Nortel Application Switch 2424:
System Information at 6:56:53 Thu Sep 15, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia (GMT offset -4:00)
Alteon Application Switch 2424
Switch is up 3 days, 11 hours, 28 minutes and 34 seconds.
Last boot: 18:28:09 Sun Sep 11, 2005 (reset from Telnet)
Last apply: unknown
Last save: 5
MAC Address: 00:01:81:2e:bc:50
IP (If 1) Address: 0.0.0.0
Hardware Order No: EB1412006
Serial No: ABCDE600MJ Rev: 09
Mainboard Hardware: Part No: P314090-A Rev: 00
Management Processor Board Hardware: Part No: P314080-A Rev: 00
Fast Ethernet Board Hardware: Part No: P314091-A Rev: 00

Note - When the measured temperature inside the switch EXCEEDs the high threshold at 62 degree Celsius a syslog message will be generated.
Software Version 23.0.1 (FLASH image2), active configuration.
NOTE The temperature display appears only if the temperature of any sensor exceeds 60°C; the software issues a warning when any sensor exceeds this threshold. The switch shuts down if the power supply overheats and the temperature reaches 100°C. Fan failures are also reported if one or more fans are not functioning.
/info/sys/time
Show System Time
>> Main# /info/sys/time
12:52:49 Fri Jul 8, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia
DST on first Sunday of April at 02:00
DST off last Sunday of October at 02:00
/info/sys/log
Show Last 64 Syslog Messages
Date   Time     Criticality level  Message
Nov 19 12:16:51 ALERT  stp: STG 1, new root bridge
Nov 19 13:52:03 ALERT  ip: cannot contact default gateway 47.80.22.1
Nov 19 13:52:23 NOTICE ip: default gateway 47.80.22.1 operational
Nov 19 13:52:23 NOTICE ip: default gateway 47.80.22.1 enabled
Nov 19 14:21:27 ALERT  ip: cannot contact default gateway 47.80.22.1
Nov 19 14:21:47 NOTICE ip: default gateway 47.80.22.1 operational
Nov 19 14:21:47 NOTICE ip: default gateway 47.80.22.1 enabled
Nov 19 14:38:55 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 14:44:02 NOTICE mgmt: admin idle timeout from Telnet/SSH
Nov 19 16:15:06 INFO   mgmt: new configuration applied
Nov 19 16:15:20 INFO   mgmt: new configuration saved
Nov 19 16:18:44 INFO   mgmt: new configuration applied
Nov 19 16:19:37 ERROR  mgmt: Error: Apply not done
Nov 19 16:19:57 INFO   mgmt: new configuration applied
Nov 19 16:34:35 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 16:39:43 NOTICE mgmt: admin idle timeout from Telnet/SSH
Nov 19 16:39:59 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 16:54:13 NOTICE mgmt: admin idle timeout from Telnet/SSH
Nov 19 17:20:37 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 17:26:21 NOTICE mgmt: admin login from host 47.81.25.49
Nov 19 17:31:53 NOTICE mgmt: admin idle timeout from Telnet/SSH
Each syslog message has a criticality level associated with it, included in text form as a prefix to the log message. One of eight different prefixes is used, depending on the condition that the administrator is being notified of, as shown below.
EMERG: indicates the system is unusable
ALERT: indicates action should be taken immediately
CRIT: indicates critical conditions
ERR: indicates error conditions or error operations
WARNING: indicates warning conditions
NOTICE: indicates a normal but significant condition
INFO: indicates an informational message
DEBUG: indicates a debug-level message
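The criticality prefix and the fixed "facility: message" shape of each line make this log easy to process off the switch. The following added example (not code from the Nortel document or the switch software) parses lines in the format shown above, orders them by the eight criticality levels, and summarises the management events a defender reviews first: failed logins, admin logins from hosts outside an expected set, and configuration, image and reset events. The sample lines are constructed from message texts that appear in this chapter's listings; note that the switch prints ERROR in log lines while the prefix list names it ERR, so both spellings are accepted.

```python
"""Parse and review syslog lines in the format shown by /info/sys/log.

Added example; not code from the Nortel document. SAMPLE_LOG is a
constructed sample assembled from message texts seen in this chapter.
"""
import re
from collections import Counter

# Criticality prefixes in the document's order (standard syslog numbering,
# lower number = more urgent). The switch prints "ERROR" in its log lines
# while the prefix list names it "ERR"; both are accepted.
SEVERITY = {"EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3, "ERROR": 3,
            "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7}

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<facility>[a-z]+):\s+(?P<msg>.*)$")

# Constructed sample (dates and times chosen for the example).
SAMPLE_LOG = """\
Sep 11 13:52:03 ALERT ip: cannot contact default gateway 47.80.22.1
Sep 11 14:38:55 NOTICE mgmt: admin login from host 47.81.27.4
Sep 11 16:15:06 INFO mgmt: new configuration applied
Sep 11 16:15:20 INFO mgmt: new configuration saved
Sep 11 16:19:37 ERROR mgmt: Error: Apply not done
Sep 11 18:38:07 NOTICE mgmt: Failed login attempt via BBI.
Sep 11 18:38:22 NOTICE mgmt: Failed login attempt via BBI.
Sep 11 19:21:27 NOTICE mgmt: Failed login attempt via TELNET from host 192.168.249.237
Sep 11 19:21:48 NOTICE mgmt: admin login from host 192.168.0.3
Sep 11 19:25:08 INFO mgmt: image2 downloaded from host 192.168.0.10, file 'AAS-23.0.1.0-2000-AlteonOS.img', software version 23.0.1
Sep 11 19:26:52 NOTICE mgmt: switch reset from CLI
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    record = m.groupdict()
    record["severity"] = SEVERITY.get(record["level"])
    return record


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def at_or_above(records, level):
    """Records at least as urgent as `level`, e.g. 'ERR' selects ERR..EMERG."""
    threshold = SEVERITY[level]
    return [r for r in records
            if r["severity"] is not None and r["severity"] <= threshold]


# Message patterns taken from texts that appear in the document's listings.
FAILED_LOGIN = re.compile(r"Failed login attempt via (\w+)(?: from host (\S+))?")
ADMIN_LOGIN = re.compile(r"admin login from host (\S+)")
CHANGE_EVENTS = ("new configuration applied", "new configuration saved",
                 "switch reset from CLI", "downloaded from host",
                 "Next boot will use")


def review(records, allowed_hosts):
    """Summarise the management events a defender wants out of this log."""
    summary = {"failed_logins": Counter(), "logins_from_unexpected_hosts": [],
               "change_events": [], "max_severity_seen": None}
    for r in records:
        msg = r["msg"]
        m = FAILED_LOGIN.search(msg)
        if m:
            # BBI failures carry no source host in the sample format
            summary["failed_logins"][m.group(2) or "host not logged"] += 1
        m = ADMIN_LOGIN.search(msg)
        if m and m.group(1) not in allowed_hosts:
            summary["logins_from_unexpected_hosts"].append(
                (r["mon"], r["day"], r["time"], m.group(1)))
        if any(key in msg for key in CHANGE_EVENTS):
            summary["change_events"].append(f"{r['mon']} {r['day']} {r['time']} {msg}")
        if r["severity"] is not None:
            current = summary["max_severity_seen"]
            summary["max_severity_seen"] = (r["severity"] if current is None
                                            else min(current, r["severity"]))
    return summary


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(review(records, allowed_hosts={"192.168.0.3"}))
```

The allowed-host set is an input the operator supplies (here only 192.168.0.3, as in the dump listings); anything else that logs in as admin is reported, and the change-event list gives the timeline to reconcile against the change record.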
/info/sys/slog
Last 64 Saved Syslog Messages
Aug 20 13:54:21 NOTICE ip: management port default gateway 47.80.22.1 operational
Aug 20 13:57:53 ALERT  ip: cannot contact management port default gateway 47.80.22.1
Aug 20 13:57:57 NOTICE ip: management port default gateway 47.80.22.1 operational
Aug 20 13:58:23 ALERT  ip: cannot contact management port default gateway 47.80.22.1
Aug 20 13:58:33 NOTICE ip: management port default gateway 47.80.22.1 operational
Aug 24 14:43:43 NOTICE mgmt: admin login from host 47.81.25.12
Aug 24 14:49:50 NOTICE mgmt: admin idle timeout from Telnet/SSH
Aug 24 14:51:38 NOTICE mgmt: admin login from host 47.81.25.12
Aug 24 14:57:30 NOTICE mgmt: admin idle timeout from Telnet/SSH
Aug 24 15:05:54 NOTICE mgmt: admin login from host 47.81.25.12
Aug 24 15:11:40 NOTICE mgmt: admin idle timeout from Telnet/SSH
Aug 24 16:00:40 NOTICE mgmt: admin login from host 47.81.25.12
Aug 24 16:00:52 NOTICE mgmt: switch reset from CLI
/info/sys/mgmt
Management Port Information
Speed Duplex Link
----- ------ ----
100   full   up
MAC address: 00:01:81:2e:a4:8d
Interface information:
  47.80.23.251 255.255.254.0 47.80.23.255
Gateway information:
  47.80.22.1
Use this command to display management port information on a Nortel Application Switch, including:
Port speed (10/100)
Duplex mode (half, full, any, or auto)
Link (up or down)
MAC address of the system
IP address of the interface
IP address of the gateway
/info/sys/sonmp
SONMP Information
This command displays the SynOptics Network Management Protocol (SONMP) topology table. SONMP is enabled on Nortel Application Switches with the /cfg/sys/sonmp on command and is required for a Nortel Application Switch to be discovered by the Nortel Enterprise Switch Manager. When SONMP is enabled, devices on the network exchange multicast packets, namely flatnet hellos and segment hellos, which carry the IP address of the sending device. As the network devices exchange this information, a topology table like the one shown below is built.
Slot/Port  IP address       Seg Id  MAC address        Chassis Type  Local Seg  State
---------- ---------------- ------- ------------------ ------------- ---------- ----------
0/0        47.80.23.247     0       00:01:81:2e:a3:60  Alteon2224    true       topChanged
1/11       47.80.22.1       770     00:e0:16:7c:28:24  Passport1200  true       heartbeat
1/11       47.80.23.25      259     00:60:cf:81:54:28  Passport8610  true       heartbeat
1/11       47.80.23.25      260     00:60:cf:81:54:38  Passport8610  true       heartbeat
1/11       47.80.23.241     257     00:60:cf:43:a2:10  AlteonAD4     true       topChanged
1/11       50.10.10.1       263     00:60:cf:46:d5:60  Alteon184     true       topChanged
/info/sys/capacity
System Capacity Information
The following sample output from a Nortel Application Switch 2424 displays the maximum and currently enabled switch capacity for various services and applications from Layer 2 through Layer 7.
Maximum LAYER 2 FDB FDB per SP VLANs Static Trunk Groups LACP Trunk Groups Trunks per Trunk Group Spanning Tree Groups Port Teams Monitor Ports LAYER 3 IP Interfaces IP Gateways IP Routes Static Routes ARP Entries Static ARP Entries Local Nets DNS Servers BOOTP Servers RIP Interfaces OSPF OSPF OSPF OSPF OSPF LSDB Interfaces Areas Summary Ranges Virtual Links Hosts Limit 16384 8192 1024 12 28 8 16 8 1 Current(Enabled) 54 1(1) 0(0)
16(1) 8(0)
256 4+255 4096 128 8192 128 5 2 2 256 256 3 16 3 128 12288
BGP Peers BGP Route Aggregators Route Maps Network Filters AS Filters VRRP Routers VRRP Router Groups VRRP Interfaces SLB (LAYER 4-7) Real Servers Server Groups Virtual Servers Virtual Services Real Services Real IDS Servers IDS Server Groups Global Global Global Global Global Global Global Global Global Global Global SLB SLB SLB SLB SLB SLB SLB SLB SLB SLB SLB Domains Services Local Servers Remote Servers Remote Sites Failovers per Remote Site Networks Geographical Regions Rules Metrics Per Rule DNS Persistence Cache Entries
0(0) 0(0) 0
1024 1024 1024 1024 8192 62 63 1024 8192 1024 1024 64 2 128 7 128 8 100000
0(0) 0 0(0)
0(0) 0(0) 0(0) 0(0) 0(0) 2(2) 0(0) 7(7) 0(1) 8(8) 100000(100000)
Filters PIPs Scriptable Health Checks SNMP Health Checks Rules for URL Parsing SLB Sessions Number of Rports to Vport Domain Records Mapping Per Domain Record LAYER 4 - PORTS Port # Client Server
0(0) 0 0 0 1 0 0(0)
Filter
RTS Continued...
BWM Policies Contracts Groups Contracts per Group Time Policies per Contract Security Configuration source IP ACLs Bogon source IP ACLs Operations source IP ACLs Total source IP ACLs Configuration destination IP ACLs Operations destination IP ACLs Total destination IP ACLs IP DoS attacks prevention TCP DoS attacks prevention UDP DoS attacks prevention ICMP DoS attacks prevention IGMP DoS attacks prevention ARP DoS attacks prevention IPv6 DoS attacks prevention Total DoS attacks prevention UDP ports for UDP blast protection GENERAL Syslog hosts RADIUS servers NTP servers SMTP hosts Mnet/Mmask End Users Panic Dumps MP memory SP memory SNMPv3 SNMPv3 SNMPv3 SNMPv3 SNMPv3 Users Views Access Groups Target Address Entries Target Params Entries
512 1024 32 8 2
0 1(1) 0
0 0 0 0 0 0 0
0 0 0 1 0
3 5 2 0 0
/info/sys/fan
Show switch fan status
>> System# fan Fans OK.
/info/sys/temp
Show switch temperature sensor status
>> System# temp Temperature OK.
/info/sys/encrypt
Show encryption licenses
AOS contains the following encryption licenses:
  BLOWFISH
  DES & 3DES
  MD5
  RC4
  SHA-1
/info/sys/user
Show current user status
Usernames:
  user      enabled
  slboper   disabled
  l4oper    disabled
  oper      disabled
  slbadmin  disabled
  l4admin   disabled
  admin     Always Enabled
Note: there are pending config changes; use "diff" to see them.
Current User ID table:
/info/sys/dump
System Information Dump
System Information at 7:02:06 Thu Sep 15, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia (GMT offset -4:00)
Alteon Application Switch 2424-SSL
Switch is up 3 days, 11 hours, 33 minutes and 48 seconds.
Last boot: 18:28:09 Sun Sep 11, 2005 (reset from Telnet)
Last apply: unknown
Last save: 5
MAC Address: 00:01:81:2e:bc:50
IP (If 1) Address: 0.0.0.0
Internal SSL Processor MAC Address: 00:01:81:2e:bc:6f
Hardware Order No: EB1412006 Serial No: ABCDE600MJ Rev: 09
Mainboard Hardware: Part No: P314090-A Rev: 00
Management Processor Board Hardware: Part No: P314080-A Rev: 00
Fast Ethernet Board Hardware: Part No: P314091-A Rev: 00
Note - When the measured temperature inside the switch EXCEEDs the high threshold at 62 degree Celsius a syslog message will be generated.
Software Version 23.0.1 (FLASH image2), active configuration.
Last 64 syslog messages:
Sep 12 10:42:19 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 11:03:13 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 11:27:48 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 11:54:07 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 12:19:01 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 12 13:57:54 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 14:02:58 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 14:07:27 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 14:10:03 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 14:19:44 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 14:59:20 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 15:08:06 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 15:09:43 NOTICE mgmt: admin idle timeout from Telnet/SSH
Sep 12 15:15:08 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 15:15:32 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 15:58:30 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 16:00:02 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 17:56:01 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 12 23:33:01 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 13 5:10:01 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 13 10:47:01 ERROR mgmt: tcp open error, cannot contact reporting server
Continued . . .
Sep 13 16:24:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 13 22:01:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 14 3:38:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 14 9:15:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 14 10:23:04 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 10:23:05 ERROR cli: Error: VLAN 5 doesn't exist; the PVID for port 1 (5) needs to be changed
Sep 14 10:23:05 ERROR cli: Error: PVID 5 for port 1 is not created
Sep 14 10:23:05 ERROR mgmt: Error: Apply not done
Sep 14 10:24:45 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 11:30:36 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 11:35:25 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 11:35:40 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 11:39:37 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 11:49:12 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 11:58:20 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 13:41:54 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 13:46:18 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 14:37:07 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 14:52:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 14 14:58:57 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 16:09:44 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 16:20:44 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 16:24:58 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 16:30:51 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 16:48:16 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 16:50:34 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 16:57:47 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 16:57:55 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 17:00:02 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 17:04:59 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 17:05:49 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 17:06:05 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 19:54:04 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 20:00:22 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 20:01:47 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 20:22:49 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 20:23:10 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 20:23:55 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 20:29:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 14 20:40:41 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 21:43:51 NOTICE mgmt: admin idle timeout from Telnet/SSH
Sep 15 2:06:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 15 6:56:45 NOTICE mgmt: admin login from host 192.168.0.3
Continued . . .
Last 64 syslog messages saved in FLASH:
Sep 8 10:44:06 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 10:48:43 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 10:49:32 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 10:50:18 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 10:57:59 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 10:57:42 ERROR cli: Error: IP interface 2 has no IP address configured
Sep 8 10:57:42 ERROR mgmt: Error: Apply not done
Sep 8 10:58:19 INFO mgmt: new configuration applied
Sep 8 10:58:20 INFO mgmt: Operational change made by Admin from Telnet:192.168.0.3, login since 10:56:59
Sep 8 10:58:33 INFO mgmt: new configuration saved
Sep 8 10:58:44 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 11:09:21 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 11:58:21 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 13:11:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 8 15:31:08 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 15:31:21 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 18:48:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 9 0:25:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 9 6:02:04 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 9 9:15:45 NOTICE mgmt: admin login from host 192.168.0.3
Sep 9 9:23:27 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 9 10:32:10 NOTICE mgmt: admin login from host 192.168.0.3
Sep 9 10:33:40 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 9 11:39:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 9 13:37:24 NOTICE mgmt: admin login from host 192.168.0.3
Sep 9 13:37:53 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 9 13:38:07 NOTICE mgmt: Failed login attempt via BBI.
Sep 9 13:38:22 NOTICE mgmt: Failed login attempt via BBI.
Sep 9 16:00:10 NOTICE mgmt: admin login from host 192.168.0.3
Sep 9 16:00:13 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 9 17:16:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 9 22:53:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 10 4:30:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 10 10:07:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 10 15:44:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 10 21:21:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 11 2:58:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 11 8:35:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 11 14:12:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 11 19:21:27 NOTICE mgmt: Failed login attempt via TELNET from host 192.168.249.237
Sep 11 19:21:48 NOTICE mgmt: admin login from host 192.168.0.3
Sep 11 19:25:08 INFO mgmt: image2 downloaded from host 192.168.0.10, file 'AAS-23.0.1.0-2000-AlteonOS.img', software version 23.0.1
Sep 11 19:26:39 NOTICE mgmt: Next boot will use new image2.
Sep 11 19:26:52 NOTICE mgmt: switch reset from CLI
Continued . . .
MAC address: 00:03:24:6e:bd:3d
Interface information:
  192.168.0.13 255.255.255.0 192.168.0.255
Gateway information:
  192.168.0.1
Engine ID = 80:00:07:50:03:00:01:81:2E:BC:50
usmUser Table:
User Name
--------------------------------
adminmd5
adminsha
v1v2only

vacmAccess Table:
Group Name Prefix Model
---------- ------ -------
v1v2grp           snmpv1
admingrp          usm

vacmViewTreeFamily Table:
View Name            Subtree                        Mask
-------------------- ------------------------------ --------------
iso                  1
v1v2only             1
v1v2only             1.3.6.1.6.3.15
v1v2only             1.3.6.1.6.3.16
v1v2only             1.3.6.1.6.3.18

vacmSecurityToGroup Table:
Sec Model  User Name
---------- --------------------------------
snmpv1     v1v2only
usm        adminmd5
usm        adminsha
Continued . . .

snmpCommunity Table:
Index      Name       User Name            Tag
---------- ---------- -------------------- ----------

snmpNotify Table:
Name                 Tag
-------------------- --------------------

snmpTargetAddr Table:
Name       Transport Addr  Port Taglist    Params
---------- --------------- ---- ---------- ---------------

snmpTargetParams Table:
Name                 MP Model User Name            Sec Model Sec Level
-------------------- -------- -------------------- --------- ---------

Slot/Port  IP address       Seg Id  MAC address        Chassis Type       Local Seg  State
---------- ---------------- ------- ------------------ ------------------ ---------- --------
/info/l2/fdb
Layer 2 FDB Information
The forwarding database (FDB) contains information that maps the media access control (MAC) address of each known device to the switch port where the device address was learned. The FDB also shows which other ports have seen frames destined for a particular MAC address.
[Forwarding Database Menu]
find  - Show a single FDB entry by MAC address
port  - Show FDB entries on a single port
trunk - Show FDB entries on a single trunk
vlan  - Show FDB entries on a single VLAN
refpt - Show FDB entries referenced by a single SP
dump  - Show all FDB entries
70
NOTE The master forwarding database supports up to 16K MAC address entries on the MP per switch. Each SP supports up to 8K entries.
Table 3-14 Layer 2 FDB Information Menu Options (/info/l2/fdb)
Command Syntax and Usage
find <MAC address> [<VLAN>]
  Displays a single database entry by its MAC address. You are prompted to enter the MAC address of the device. Enter the MAC address in the format xx:xx:xx:xx:xx:xx (for example, 08:00:20:12:34:56) or xxxxxxxxxxxx (for example, 080020123456).
port <port number, 0 for "unknown">
  Displays all FDB entries for a particular port.
trunk <trunk group number>
  Displays all FDB entries on a single trunk.
vlan <VLAN number (1-4090)>
  Displays all FDB entries on a single VLAN.
refpt <SP number (1-4)>
  Displays the FDB entries referenced by a single SP.
dump
  Displays all entries in the Forwarding Database. For more information, see page 72.
/info/l2/fdb/dump
Show All FDB Information
MAC address       VLAN Port State Referenced SPs Referenced ports
----------------- ---- ---- ----- -------------- ----------------
00:02:01:00:00:00 300  23   FWD   1 2            1 23
00:02:01:00:00:01 300  23   FWD   1 2            1 23
00:02:01:00:00:02 300  23   FWD   1 2            1 23
00:02:01:00:00:03 300  23   FWD   1 2            1 23
00:02:01:00:00:04 300  23   FWD   1 2            1 23
00:02:01:00:00:05 300  23   FWD   1 2            1 23
00:02:01:00:00:06 300  23   FWD   1 2            1 23
00:02:01:00:00:07 300  23   FWD   1 2            1 23
00:02:01:00:00:08 300  23   FWD   1 2            1 23
00:02:01:00:00:09 300  23   FWD   1 2            1 23
00:02:01:00:00:0a 300  23   FWD   1 2            1 23
00:02:01:00:00:0b 300  23   FWD   1 2            1 23
00:02:01:00:00:0c 300  23   FWD   1 2            1 23
An address in the forwarding (FWD) state has been learned by the switch. In the trunking (TRK) state, the port field holds the trunk group number. If the state is listed as unknown (UNK), the MAC address has not yet been learned by the switch but has only been seen as a destination address; no outbound port is indicated for such an address, although the ports that reference it as a destination are listed under Referenced ports. If the state is listed as interface (IF), the MAC address belongs to a standard VRRP virtual router. If the state is listed as virtual server (VIP), the MAC address belongs to a virtual server router, that is, a virtual router with the same IP address as a virtual server.
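The dump above is the raw material for inventory and anomaly checks (which addresses have actually been learned, which are only being sent to, which port a given MAC sits on). The following added example (not code from the Nortel document or the switch software) parses output in the layout shown above using the dashed separator line to derive the column widths, since the two "Referenced" columns are both space-separated lists and cannot be split on whitespace alone, and then implements the lookup that find <MAC address> [<VLAN>] performs, accepting both MAC input formats the command documents. The dump it works on is a constructed sample: the first rows are copied from the listing, the remaining rows are invented to exercise the TRK and UNK states described in the text.

```python
"""Parse /info/l2/fdb/dump output and look up entries the way find does.

Added example; this is not code from the Nortel document or the switch
software. FDB_DUMP is a constructed sample in the column layout shown
above, with invented rows for the TRK and UNK states.
"""
import re

STATE_MEANING = {
    "FWD": "learned by the switch, forwarding",
    "TRK": "learned on a trunk group; Port column holds the trunk group number",
    "UNK": "not yet learned, seen only as a destination address",
    "IF": "VRRP virtual router",
    "VIP": "virtual server router",
}

FDB_DUMP = """\
MAC address       VLAN Port State Referenced SPs Referenced ports
----------------- ---- ---- ----- -------------- ----------------
00:02:01:00:00:00 300  23   FWD   1 2            1 23
00:02:01:00:00:01 300  23   FWD   1 2            1 23
00:02:01:00:00:0a 300  23   FWD   1 2            1 23
00:02:01:00:00:0a 100  7    FWD   1              7
00:02:01:00:01:00 300  1    TRK   1 2            1 23
00:02:01:00:00:ff 300       UNK                  5 23
"""


def normalize_mac(text):
    """Accept both formats find takes (xx:xx:xx:xx:xx:xx or xxxxxxxxxxxx)."""
    digits = text.strip().lower().replace(":", "")
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def column_spans(separator):
    """(start, end) of each column, taken from the dashed separator line."""
    return [(m.start(), m.end()) for m in re.finditer(r"-+", separator)]


def parse_fdb_dump(text):
    """Return one dict per FDB row, sliced by the separator-derived columns."""
    lines = text.splitlines()
    sep_index = next(i for i, line in enumerate(lines) if line.startswith("---"))
    mac_c, vlan_c, port_c, state_c, sps_c, ports_c = column_spans(lines[sep_index])
    entries = []
    for line in lines[sep_index + 1:]:
        if not line.strip():
            continue
        entries.append({
            "mac": line[mac_c[0]:mac_c[1]].strip(),
            "vlan": int(line[vlan_c[0]:vlan_c[1]]),
            "port": line[port_c[0]:port_c[1]].strip() or None,  # blank for UNK
            "state": line[state_c[0]:state_c[1]].strip(),
            "sps": line[sps_c[0]:sps_c[1]].split(),
            "ports": line[ports_c[0]:].split(),  # last column runs to end of line
        })
    return entries


def find(entries, mac, vlan=None):
    """Mirror find <MAC address> [<VLAN>]: match by MAC, optionally by VLAN."""
    wanted = normalize_mac(mac)
    return [e for e in entries
            if e["mac"] == wanted and (vlan is None or e["vlan"] == vlan)]


def describe(entry):
    """One-line reading of an entry using the state meanings above."""
    if entry["state"] == "TRK":
        where = f"trunk group {entry['port']}"
    elif entry["port"] is None:
        where = "no outbound port"
    else:
        where = f"port {entry['port']}"
    refs = ", ".join(entry["ports"]) or "none"
    return (f"{entry['mac']} VLAN {entry['vlan']}: {STATE_MEANING[entry['state']]}; "
            f"{where}; referenced by ports {refs}")


if __name__ == "__main__":
    for entry in parse_fdb_dump(FDB_DUMP):
        print(describe(entry))
```

Because VLAN is part of the key, the same MAC can legitimately appear in two VLANs (as 00:02:01:00:00:0a does in the sample); find without a VLAN argument returns both entries, with the VLAN argument only the one asked for.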
aggr - Show LACP aggregator information for the port
port - Show LACP port information
dump - Show all LACP ports information
Table 3-15 Link Aggregation Control Protocol Information Menu Options (/info/lacp)
Command Syntax and Usage
aggr <aggregator index 1 to max num ports>
  Displays information about an LACP aggregator.
port <port index 1 to max num ports>
  Displays information about an LACP port.
dump
  Displays LACP information for all ports. Use this command to verify the state of ports in an LACP trunk group. To view a sample output, see page 76.
/info/lacp/aggr
LACP Aggregator Information
Aggregator Id 1
---------------------------------------------
MAC address - 00:01:81:2e:a1:d1
Actor System Priority - 32768
Actor System ID - 00:01:81:2e:a1:b0
Individual - FALSE
Actor Admin Key - 300
Actor Oper Key - 300
Partner System Priority - 32768
Partner System ID - 00:0d:29:e3:4a:00
Partner Oper Key - 1
ready - TRUE
Number of Ports in aggr - 10
index 0 port 1
index 1 port 2
index 2 port 3
index 3 port 4
index 4 port 5
index 5 port 6
index 6 port 7
index 7 port 8
index 8 port 9
index 9 port 10
/info/lacp/port
LACP Port Information
port 1
---------------------------------------------
lacp_enabled - TRUE
lacp_admin_enabled - TRUE
Actor System ID - 00:01:81:2e:a1:b0
Actor System Priority - 32768
Actor Admin Key - 300
Actor Oper Key - 300
Actor Port Number - 1
Actor Port Priority - 32768
Partner Admin System Priority - 0
Partner Oper System Priority - 32768
Partner Admin System ID - 00:00:00:00:00:00
Partner Oper System ID - 00:0d:29:e3:4a:00
Partner Admin Key - 0
Partner Oper Key - 1
Partner Admin Port Number - 0
Partner Admin Port Priority - 0
Partner Oper Port Number - 4
Partner Oper Port Priority - 32768
Actor Admin Port state Activity: Active Timeout: Synchronization:FALSE Collecting: Defaulted: FALSE Expired: Actor Oper Port state Activity: Active Timeout: Synchronization:TRUE Collecting: Defaulted: FALSE Expired: Partner Admin Port state Partner Oper Port state - 0x0
Aggregation: Distributing:
TRUE FALSE
TRUE TRUE
Continued
Individual - TRUE
Selected Aggregator ID - 0
Attached Aggregator ID - 0
ready_n - FALSE
ntt - FALSE
selected - Unselcted
port_moved - FALSE
Collection and Distribution state turned ON!
Rx machine state - LACP_RX_INIT_STATE
Mux machine state - LACP_MUX_DETACHED_STATE
Periodic machine state - LACP_PERIODIC_NO_STATE
/info/lacp/dump
LACP Dump Information
port lacp   adminkey operkey selected prio  attached aggr trunk
------------------------------------------------------------------
1    active 300      300     y        32768 1             13
2    active 300      300     y        32768 1             13
3    active 300      300     y        32768 1             13
4    active 300      300     y        32768 1             13
5    active 300      300     y        32768 1             13
6    active 300      300     y        32768 1             13
7    active 300      300     y        32768 1             13
8    active 300      300     y        32768 1             13
9    active 300      300     n        32768 -             -
10   active 300      300     n        32768 -             -
11   active 300      300     n        32768 -             -
12   active 300      300     n        32768 -             -
13   active 300      300     n        32768 -             -
14   off    14       14      n        32768 -             -
15   off    15       15      n        32768 -             -
16   off    16       16      n        32768 -             -
17   off    17       17      n        32768 -             -
18   off    18       18      n        32768 -             -
19   off    19       19      n        32768 -             -
20   off    20       20      n        32768 -             -
21   off    21       21      n        32768 -             -
22   off    22       22      n        32768 -             -
23   off    23       23      n        32768 -             -
24   off    24       24      n        32768 -             -
25   off    25       25      n        32768 -             -
26   off    26       26      n        32768 -             -
27   off    27       27      n        32768 -             -
28   off    28       28      n        32768 -             -
/info/l2/stg
Layer 2 Spanning Tree Group Information
When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the network so that a switch uses only the most efficient path. NOTE The Nortel Application Switch Operating System supports up to 16 multiple Spanning Trees or Spanning Tree Groups.
Spanning Tree Group 1: On

Current Root:            Path-Cost  Port  Hello  MaxAge  FwdDel  Aging
8000 00:01:81:2e:a1:80   0          0     2      20      15      300

Parameters:  Priority  Hello  MaxAge  FwdDel  Aging
             32768     2      20      15      300

Port  Priority  Cost  State       Designated Bridge       Des Port
----  --------  ----  ----------  ----------------------  --------
1     128       0     DISABLED
2     128       0     DISABLED
3     128       0     DISABLED
4     128       0     DISABLED
5     128       5     FORWARDING  8000-00:01:81:2e:a1:80  32773
6     128       0     DISABLED
7     128       0     DISABLED
8     128       0     DISABLED
9     128       0     DISABLED
10    128       0     DISABLED
11    128       0     DISABLED
The switch software uses the IEEE 802.1d Spanning Tree Protocol (STP). In addition to seeing whether STP is enabled or disabled, you can view the following STP bridge information:
Priority
Hello interval
Maximum age value
Forwarding delay
Aging time
You can also see the following port-specific STP information:
Port number and priority
Cost
State
Designated Bridge
Designated Port
The following table describes the STP parameters.
Table 3-16 Spanning Tree Parameter Descriptions
Parameter: Description
Priority (bridge): The bridge priority parameter controls which bridge on the network will become the STP root bridge.
Hello: The hello time parameter specifies, in seconds, how often the root bridge transmits a configuration bridge protocol data unit (BPDU). Any bridge that is not the root bridge uses the root bridge hello value.
MaxAge: The maximum age parameter specifies, in seconds, the maximum time the bridge waits without receiving a configuration bridge protocol data unit before it reconfigures the STP network.
FwdDel: The forward delay parameter specifies, in seconds, the amount of time that a bridge port has to wait before it changes from learning state to forwarding state.
Aging: The aging time parameter specifies, in seconds, the amount of time the bridge waits without receiving a packet from a station before removing the station from the Forwarding Database.
Priority (port): The port priority parameter helps determine which bridge port becomes the designated port. In a network topology that has multiple bridge ports connected to a single segment, the port with the lowest port priority becomes the designated port for the segment.
Cost: The port path cost parameter is used to help determine the designated port for a segment. Generally speaking, the faster the port, the lower the path cost. A setting of 0 indicates that the cost will be set to the appropriate default after the link speed has been auto-negotiated.
State: The state field shows the current state of the port. The state field can be BLOCKING, LISTENING, LEARNING, FORWARDING, or DISABLED.
Designated port
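The bridge priority and the MAC address together form the bridge ID that the root election in the table above compares, and the designated port value is a packed port priority and port number. The following added example (not code from the Nortel document or the switch software) decodes the "8000 00:01:81:2e:a1:80" root-bridge string and the 32773 designated-port value from the STG listing above, shows the election rule (lowest priority wins, ties broken by lowest MAC), and checks the root the switch reports against the bridge an operator expects to be root. The expected-root value passed to the check is an assumption made for the example; it is what an operator would record for their own network.

```python
"""Decode bridge and port identifiers shown by /info/l2/stg.

Added example; not code from the Nortel document or the switch software.
The expected root used by check_root is an operator-supplied assumption.
"""
import re


def parse_bridge_id(text):
    """'8000 00:01:81:2e:a1:80' or '8000-00:01:81:2e:a1:80' -> (priority, mac)."""
    prio_hex, mac = re.split(r"[\s-]+", text.strip(), maxsplit=1)
    return int(prio_hex, 16), mac.lower()


def bridge_id_key(bridge):
    """Comparison key for the STP root election: lower priority wins,
    then the numerically lower MAC address."""
    priority, mac = bridge
    return (priority, int(mac.replace(":", ""), 16))


def elect_root(bridges):
    """Return the (priority, mac) pair that wins the election."""
    return min(bridges, key=bridge_id_key)


def decode_port_id(value):
    """IEEE 802.1D port identifier: high byte = port priority (128 here),
    low byte = port number. 32773 = 0x8005 = priority 128, port 5."""
    return (value >> 8, value & 0xFF)


def check_root(reported_root_text, expected_root_text):
    """Compare the root the switch reports with the expected root bridge.

    Returns (ok, message). A reported root with a better bridge ID than
    the expected one means a bridge the operator did not plan for has
    taken over the topology; a worse one means the expected bridge is
    not participating.
    """
    reported = parse_bridge_id(reported_root_text)
    expected = parse_bridge_id(expected_root_text)
    if reported == expected:
        return True, "root bridge as expected"
    if bridge_id_key(reported) < bridge_id_key(expected):
        return False, (f"unexpected root {reported[1]} (priority {reported[0]}) "
                       f"outranks expected root {expected[1]}")
    return False, (f"reported root {reported[1]} ranks below expected root "
                   f"{expected[1]}; expected bridge may be unreachable or STP off")


if __name__ == "__main__":
    print(parse_bridge_id("8000 00:01:81:2e:a1:80"))
    print(decode_port_id(32773))
    print(check_root("8000 00:01:81:2e:a1:80", "8000-00:01:81:2e:a1:80"))
```

Lowering a bridge's priority below the expected root's is enough to win the election regardless of MAC address, which is why the first mismatch branch in check_root is the one worth alerting on.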
/info/l2/cist
Show common internal spanning tree (CIST) information
NOTE The Nortel Application Switch Operating System supports up to 16 multiple Spanning Trees or Spanning Tree Groups.
-----------------------------------------------------------------
Common Internal Spanning Tree:
VLANs: 1 4-4094

Current Root:            Path-Cost  Port  MaxAge  FwdDel
8000 00:01:81:2e:bc:50   0          0     20      15

Cist Regional Root:      Path-Cost
8000 00:01:81:2e:bc:50   0

Parameters:  Priority  MaxAge  FwdDel  Hops
             32768     20      15      20

Port    Prio  Cost   State  Role  Designated Bridge       Des Port  Hello  Type
------  ----  -----  -----  ----  ----------------------  --------  -----  ------
1       128   20000  DSB
2       128   20000  DSB
3       128   20000  DSB
4       128   20000  DSB
5       128   20000  DSB
6       128   20000  DSB
7       128   20000  DSB
. . .
18      128   20000  DSB
19      128   20000  DSB
20      128   20000  DSB
21      128   20000  DSB
22      128   20000  DSB
23      128   20000  DSB
24      128   20000  DSB
25      128   20000  DSB
26      128   20000  DSB
27      128   20000  DSB
28      128   20000  DSB
sslpro  128   20000  DISC   DESG  8000-00:01:81:2e:bc:50  801d      2      Shared
/info/l2/trunk
Trunk Group Information
Trunk groups can provide super-bandwidth, multi-link connections between Nortel Application Switches or other trunk-capable devices. A trunk group is a group of ports that act together, combining their bandwidth to create a single, larger virtual link. When trunk groups are configured, you can view the state of each port in the various trunk groups.
Trunk group 1, bw contract 1024, port state:
  1: STG 1 forwarding
  2: STG 1 forwarding
NOTE If Spanning Tree Protocol on any port in the trunk group is set to forwarding, the remaining ports in the trunk group will also be set to forwarding.
/info/l2/vlan
VLAN Information
VLAN  Name                              Status  Jumbo  BWC   Learn  Ports
----  --------------------------------  ------  -----  ----  -----  -----
1     Default VLAN                      ena     n      1024  ena    1-28
This display includes all configured VLANs and all member ports that have an active link state. Port membership is represented in slot/port format. VLAN information includes:
VLAN number
VLAN name
Status
Jumbo frames
Bandwidth contract, if BWM is enabled
Source MAC address learning
Port membership of the VLAN
/info/l2/team
Status of port teams
>> Layer 2# team All port teams are disabled.
/info/l2/dump
Layer2 Dump Information
Spanning Tree Group 1: On

Current Root:            Path-Cost  Port  Hello  MaxAge  FwdDel  Aging
8000 00:01:81:2e:a1:80   0          0     2      20      15      300

Parameters:  Priority  Hello  MaxAge  FwdDel  Aging
             32768     2      20      15      300

Port  Priority  Cost  State       Designated Bridge       Des Port
----  --------  ----  ----------  ----------------------  --------
1     128       0     DISABLED
2     128       0     DISABLED
3     128       0     DISABLED
4     128       0     DISABLED
5     128       5     FORWARDING  8000-00:01:81:2e:a1:80  32773
6     128       0     DISABLED
7     128       0     DISABLED
8     128       0     DISABLED
9     128       0     DISABLED
10    128       0     DISABLED
11    128       0     DISABLED
12    128       0     DISABLED
/info/l3/route
IP Routing Information
[IP Routing Menu]
find - Show a single route by destination IP address
gw   - Show routes to a single gateway
type - Show routes of a single type
tag  - Show routes of a single tag
if   - Show routes on a single interface
dump - Show all routes
Using the commands listed below, you can display all or a portion of the IP routes currently held in the switch.
Table 3-18 Route Information Menu Options (/info/route)
Command Syntax and Usage
find <IP address (such as 192.4.17.101)>
  Displays a single route by destination IP address.
gw <default gateway address (such as 192.4.17.44)>
  Displays routes to a single gateway.
type indirect|direct|local|broadcast|martian|multicast
  Displays routes of a single type. For a description of IP routing types, see Table 3-19 on page 89.
NOTE The total number of interfaces on a Nortel Application Switch 2424-SSL is 1-255.
dump Displays all routes configured in the switch. For more information, see page 88.
/info/l3/route/dump
Show All IP Route Information
Status code: * - best
  Destination      Mask             Gateway          Type       Tag        Metr If
  ---------------  ---------------  ---------------  ---------  ---------  -------
* 0.0.0.0          0.0.0.0          47.80.22.1       indirect   static     1
* 47.80.22.0       255.255.254.0    47.80.23.249     direct     fixed      1
* 47.80.23.249     255.255.255.255  47.80.23.249     local      addr       1
* 47.80.23.255     255.255.255.255  47.80.23.255     broadcast  broadcast  1
* 127.0.0.0        255.0.0.0        0.0.0.0          martian    martian
* 224.0.0.0        224.0.0.0        0.0.0.0          martian    martian
* 224.0.0.5        255.255.255.255  0.0.0.0          multicast  addr
* 224.0.0.6        255.255.255.255  0.0.0.0          multicast  addr
* 255.255.255.255  255.255.255.255  255.255.255.255  broadcast  broadcast
Type Parameters
The following table describes the Type parameters. Table 3-19 IP Routing Type Parameters (/info/l3/route/dump/type)
Parameter: Description
indirect: The next hop to the host or subnet destination will be forwarded through a router at the Gateway address.
direct: Packets will be delivered to a destination host or subnet attached to the switch.
local: Indicates a route to one of the switch's IP interfaces.
broadcast: Indicates a broadcast route.
martian: The destination belongs to a host or subnet which is filtered out. Packets to this destination are discarded.
multicast: Indicates a multicast route.
Tag Parameters
The following table describes the Tag parameters. Table 3-20 IP Routing Tag Parameters (info/l3/route/tag)
Parameter fixed static addr rip ospf bgp broadcast martian vip Description The address belongs to a host or subnet attached to the switch. The address is a static route which has been configured on the Nortel Application Switch. The address belongs to one of the switchs IP interfaces. The address was learned by the Routing Information Protocol (RIP). The address was learned by Open Shortest Path First (OSPF). The address was learned via Border Gateway Protocol (BGP) Indicates a broadcast address. The address belongs to a filtered group. Indicates a route destination that is a virtual server IP address. VIP routes are needed to advertise virtual server IP addresses via BGP.
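Added illustration (not part of the Nortel documentation): a Python script that parses the /info/l3/route/dump listing shown above into records carrying the Type and Tag values of Tables 3-19 and 3-20, then checks that the default route points at an expected gateway and that every indirect route's next hop lies on a directly connected network. The listing is re-typed from this page; the expected gateway passed to audit_routes and the treatment of the blank Metr column (a single trailing number is read as the If column) are assumptions.

```python
"""Parse a /info/l3/route/dump listing and sanity-check the routes it holds.

Added example; this is not Nortel code. SAMPLE_DUMP is the listing shown on
this page re-typed one route per line. The rule for the blank Metr column
(a single trailing number is the If column) is an assumption taken from
that sample.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_DUMP = """\
Status code: * - best
Destination      Mask             Gateway          Type       Tag        Metr  If
---------------  ---------------  ---------------  ---------  ---------  ----  --
* 0.0.0.0        0.0.0.0          47.80.22.1       indirect   static           1
* 47.80.22.0     255.255.254.0    47.80.23.249     direct     fixed            1
* 47.80.23.249   255.255.255.255  47.80.23.249     local      addr             1
* 47.80.23.255   255.255.255.255  47.80.23.255     broadcast  broadcast        1
* 127.0.0.0      255.0.0.0        0.0.0.0          martian    martian
* 224.0.0.0      224.0.0.0        0.0.0.0          martian    martian
* 224.0.0.5      255.255.255.255  0.0.0.0          multicast  addr
* 224.0.0.6      255.255.255.255  0.0.0.0          multicast  addr
* 255.255.255.255 255.255.255.255 255.255.255.255  broadcast  broadcast
"""

# Type values documented in Table 3-19.
ROUTE_TYPES = {"indirect", "direct", "local", "broadcast", "martian", "multicast"}


@dataclass
class Route:
    best: bool
    dest: str
    mask: str
    gateway: str
    rtype: str
    tag: str
    metric: Optional[int]
    interface: Optional[int]

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.dest}/{self.mask}", strict=False)


def parse_route(line: str) -> Optional[Route]:
    """Return a Route for one data line, or None for headers and separators."""
    tokens = line.split()
    if not tokens:
        return None
    best = tokens[0] == "*"
    if best:
        tokens = tokens[1:]
    if len(tokens) < 5 or tokens[3] not in ROUTE_TYPES:
        return None  # "Status code" line, column header or dashed separator
    dest, mask, gateway, rtype, tag = tokens[:5]
    numbers = [int(t) for t in tokens[5:] if t.isdigit()]
    metric = interface = None
    if len(numbers) == 2:
        metric, interface = numbers
    elif len(numbers) == 1:
        interface = numbers[0]  # assumption: Metr is blank, the value is If
    return Route(best, dest, mask, gateway, rtype, tag, metric, interface)


def parse_dump(text: str) -> List[Route]:
    return [r for r in map(parse_route, text.splitlines()) if r is not None]


def count_by_type(routes: List[Route]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for r in routes:
        counts[r.rtype] = counts.get(r.rtype, 0) + 1
    return counts


def audit_routes(routes: List[Route], expected_default_gw: str) -> List[str]:
    """Flag a default route that does not point at the expected gateway, and
    any indirect route whose next hop is not on a directly connected subnet
    (a gateway the switch could never resolve with ARP)."""
    findings = []
    connected = [r.network() for r in routes if r.rtype == "direct"]
    for r in routes:
        if r.rtype != "indirect":
            continue
        if r.dest == "0.0.0.0" and r.gateway != expected_default_gw:
            findings.append(f"default route via {r.gateway}, expected {expected_default_gw}")
        gw = ipaddress.IPv4Address(r.gateway)
        if not any(gw in net for net in connected):
            findings.append(f"next hop {r.gateway} for {r.dest}/{r.mask} is not on a connected network")
    return findings


if __name__ == "__main__":
    routes = parse_dump(SAMPLE_DUMP)
    print(count_by_type(routes))
    for finding in audit_routes(routes, "47.80.22.1"):
        print("WARNING:", finding)
```

For the sample listing the audit is clean: the only indirect route is the default route, and its gateway 47.80.22.1 lies inside the directly connected 47.80.22.0/255.255.254.0. Run against a dump taken after a change window, the same check shows at once whether the default route has been pointed somewhere unexpected.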
/info/l3/route6
IPv6 Routing Information Menu

This menu provides a mechanism for viewing IPv6 routing information. The IPv6 routing table stores routes it learns from network traffic and pre-configured static routes.

NOTE: Presently there is no mechanism for clearing this IPv6 routing table.

[IP6 Routing Menu]
dump - Show all routes

Table 3-21 provides a description of this menu.

Table 3-21 IPv6 Routing Information Menu Options (/info/l3/route6)

Command Syntax and Usage
dump - The /info/l3/route6/dump command shows all the IPv6 routes maintained. Since each link-local interface is shown with an entry prefix of /128, the link-local network (such as FE80::/10) is not shown for each interface, to avoid too many network entries in the table.
/info/l3/arp
ARP Information Menu

Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet layer. ARP resolves a physical address from an IP address. ARP queries machines on the local network for their physical addresses. ARP also maintains IP to physical address pairs in its cache memory. In any IP communication, the ARP cache is consulted to see if the IP address of the router is present in the ARP cache; the corresponding physical address is then used to send a packet.

[Address Resolution Protocol Menu]
find  - Show a single ARP entry by IP address
port  - Show ARP entries on a single port
vlan  - Show ARP entries on a single VLAN
refpt - Show ARP entries referenced by a single SP
dump  - Show all ARP entries
help  - Show help on the fields of ARP entries
addr  - Show ARP address list

The ARP information includes the IP address and MAC address of each entry, address status flags (see Table 3-23 on page 94), the VLAN and port for the address, and port referencing information.

Table 3-22 ARP Information Menu Options (/info/l3/arp)

Command Syntax and Usage
find <IP address (such as 192.4.17.101)> - Displays a single ARP entry by IP address.
port <port number> - Displays the ARP entries on a single port.
vlan <VLAN number (1-4090)> - Displays the ARP entries on a single VLAN.
refpt <SP number (1-4)> - Displays the ARP entries referenced by a single SP. For details, see page 93.
dump - Displays all ARP entries, including:
  IP address and MAC address of each entry
  Address status flag (see below)
  The VLAN and port to which the address belongs
  The ports which have referenced the address (empty if no port has routed traffic to the IP address shown)
  For more information, see page 93.
addr - Displays the ARP address list: IP address, IP mask, MAC address, VLAN and flags.
/info/l3/arp/refpt
Show ARP Entries on Referenced SP

IP address       Flags  MAC address        VLAN  Port  Referenced SPs
---------------  -----  -----------------  ----  ----  --------------
47.80.23.249     P      00:0e:40:2f:5b:00  1           1-4
/info/l3/arp/dump
Show All ARP Entry Information

IP address       Flags  MAC address        VLAN  Port  Referenced SPs
---------------  -----  -----------------  ----  ----  --------------
1.1.11.1         P 4    00:09:97:16:5f:01              1-4
10.10.10.10      P 4    00:09:97:16:5f:01              1-4
47.80.22.1              00:e0:16:7c:28:86  1     23    empty
47.80.23.81      P      00:09:97:16:5f:00  1           1-4
172.31.3.1       P      00:09:97:16:5f:00  1           1-4
172.31.3.10             00:b0:d0:98:d8:1b  1     3     empty
172.31.3.11             00:b0:d0:98:d8:1b  1     3     empty
Referenced ports are the ports that request the ARP entry: traffic arriving on the referenced ports is addressed to the destination IP address of the ARP entry, and from those referenced ports it needs to be forwarded to the egress port (port 6 in the above example).

NOTE: If you have VMA turned on, the referenced port will be the designated port. If you have VMA turned off, the designated port will be the normal ingress port.

The Flag field is interpreted as follows:

Table 3-23 ARP Dump Flag Parameters

Flag - Description
P    - Permanent entry created for switch IP interface.
P 4  - Permanent entry created for Layer 4 proxy IP address or virtual server IP address.
R    - Indirect route entry.
U    - Unresolved ARP entry. The MAC address has not been learned.
J    - ARP entry belongs to a Jumbo capable VLAN.
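Added illustration (not Nortel code): a Python script that parses the /info/l3/arp/dump output shown above, keeping the flag tokens of Table 3-23, and compares two snapshots so that an IP address whose MAC address changes between dumps, or a MAC address that answers for several non-permanent entries, is reported. The first snapshot is the page's own dump re-typed one entry per line; the second is constructed for the example, and the column rules (the last token is the Referenced SPs column when it reads "empty" or holds a range, a lone trailing number is the VLAN) are assumptions drawn from the sample.

```python
"""Parse /info/l3/arp/dump output and compare two snapshots of it.

Added example; not Nortel code. BEFORE is the dump shown on this page
re-typed one entry per line; AFTER is a constructed second snapshot in
which the gateway 47.80.22.1 resolves to a different MAC. Column rules
(last token is the Referenced SPs column when it reads "empty" or holds a
range; a lone trailing number is the VLAN) are assumptions from the sample.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BEFORE = """\
IP address       Flags  MAC address        VLAN  Port  Referenced SPs
---------------  -----  -----------------  ----  ----  --------------
1.1.11.1         P 4    00:09:97:16:5f:01              1-4
10.10.10.10      P 4    00:09:97:16:5f:01              1-4
47.80.22.1              00:e0:16:7c:28:86  1     23    empty
47.80.23.81      P      00:09:97:16:5f:00  1           1-4
172.31.3.1       P      00:09:97:16:5f:00  1           1-4
172.31.3.10             00:b0:d0:98:d8:1b  1     3     empty
172.31.3.11             00:b0:d0:98:d8:1b  1     3     empty
"""

# Constructed: the same table a little later, with the gateway entry now
# resolving to the MAC already used by the hosts on port 3.
AFTER = "\n".join(
    "47.80.22.1              00:b0:d0:98:d8:1b  1     3     empty"
    if line.startswith("47.80.22.1 ") else line
    for line in BEFORE.splitlines()
) + "\n"

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


@dataclass
class ArpEntry:
    ip: str
    flags: frozenset  # tokens from Table 3-23: P, 4, R, U, J
    mac: str
    vlan: Optional[int]
    port: Optional[int]
    referenced: str

    @property
    def permanent(self) -> bool:
        return "P" in self.flags


def parse_arp_dump(text: str) -> Dict[str, ArpEntry]:
    entries: Dict[str, ArpEntry] = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        try:
            ipaddress.IPv4Address(tokens[0])
        except ValueError:
            continue  # header or separator line
        mac_idx = next((i for i, t in enumerate(tokens) if MAC_RE.match(t)), None)
        if mac_idx is None:
            continue  # entry without a learned MAC (flag U) is skipped here
        flags = frozenset(tokens[1:mac_idx])
        rest = tokens[mac_idx + 1:]
        referenced = ""
        if rest and (rest[-1] == "empty" or "-" in rest[-1]):
            referenced = rest.pop()
        numbers = [int(t) for t in rest if t.isdigit()]
        vlan = port = None
        if len(numbers) == 2:
            vlan, port = numbers
        elif len(numbers) == 1:
            vlan = numbers[0]  # assumption: the switch's own entries show VLAN but no port
        entries[tokens[0]] = ArpEntry(tokens[0], flags, tokens[mac_idx], vlan, port, referenced)
    return entries


def mac_changes(before: Dict[str, ArpEntry], after: Dict[str, ArpEntry]) -> List[Tuple[str, str, str]]:
    """IPs whose MAC differs between the two snapshots, as (ip, old_mac, new_mac)."""
    return [(ip, before[ip].mac, after[ip].mac)
            for ip in sorted(before, key=ipaddress.IPv4Address)
            if ip in after and before[ip].mac.lower() != after[ip].mac.lower()]


def shared_macs(entries: Dict[str, ArpEntry]) -> Dict[str, List[str]]:
    """MACs claimed by more than one non-permanent IP. The switch's own
    interfaces legitimately share a MAC, so P entries are left out."""
    owners: Dict[str, List[str]] = {}
    for e in entries.values():
        if not e.permanent:
            owners.setdefault(e.mac.lower(), []).append(e.ip)
    return {mac: sorted(ips, key=ipaddress.IPv4Address)
            for mac, ips in owners.items() if len(ips) > 1}


if __name__ == "__main__":
    old, new = parse_arp_dump(BEFORE), parse_arp_dump(AFTER)
    for ip, was, now in mac_changes(old, new):
        print(f"ALERT: {ip} moved from {was} to {now}")
    for mac, ips in shared_macs(new).items():
        print(f"NOTE: {mac} answers for {', '.join(ips)}")
```

Two hosts sharing a MAC, as 172.31.3.10 and 172.31.3.11 do on port 3 in the page's dump, can be perfectly normal (a multi-homed server, for instance), which is why the script reports it as a note and reserves the alert for an entry whose MAC actually changed between snapshots. Permanent entries (flag P) are excluded from the shared-MAC report because the switch's own interfaces share one MAC by design.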
/info/l3/arp/addr
ARP Address List Information

IP address       IP mask          MAC address
---------------  ---------------  -----------------
10.10.10.10      255.255.255.255  00:09:97:16:5f:01
1.1.11.1         255.255.255.255  00:09:97:16:5f:01
172.31.4.200     255.255.255.255  00:09:97:16:5f:0e
172.31.3.1       255.255.255.255  00:09:97:16:5f:00
172.31.4.1       255.255.255.255  00:09:97:16:5f:00
47.80.23.81      255.255.255.255  00:09:97:16:5f:00
VLAN and Flags columns (values as shown, row alignment lost): D 1 1 1
/info/l3/nbrcache
IPv6 Neighbor Cache Information

This menu provides a mechanism for viewing IPv6 Neighbor Cache information. IPv6 uses the Neighbor Discovery (ND) protocol to discover its neighbors' link-layer addresses and neighbor reachability. ND can also auto-configure addresses and detect duplicate addresses. ND enables routers to advertise their presence and address prefixes and to inform hosts of a better next-hop address to forward packets. The information collected from ND is stored in the Neighbor Cache.

The Neighbor Cache maintains information about each neighbor such as:
MAC Address
Reachability State
Neighbor Type
VLAN
Ingress Port

Neighbor Cache entries are added in a number of situations:
1. Entries are added when an IPv6 Interface or Virtual IP is operational.
2. Reception of ND messages from a neighbor.
3. A switch sends ND packets to resolve a link-layer address that it wishes to send packets to.

There are 5 reachability states:
INCOMPLETE - The link-layer address of the neighbor has not yet been determined.
REACHABLE  - The neighbor is known to have been reachable recently.
STALE      - The neighbor is no longer known to be reachable, but until traffic is sent to the neighbor, no attempt should be made to verify its reachability.
DELAY      - The neighbor is no longer known to be reachable, and traffic has recently been sent to the neighbor.
PROBE      - The neighbor is no longer known to be reachable, and ND messages are sent to the neighbor to verify reachability.

The neighbor types are LOCAL and DYNAMIC. The LOCAL neighbor type is for switch pre-configured addresses and DYNAMIC is for neighbor addresses learnt from ND.

NOTE: The Neighbor Cache table display is limited to 2000 entries. Once the Neighbor Cache table reaches 2000 entries, the entries are displayed on a sorted basis and are kept for display until the entry is aged out and replaced by a new one. No new entries will be used to sort for display once the table reaches this limit. The Application Switch itself has no neighbor cache limit and maintains and processes more than 2000 entries internally, but displays only 2000 entries.

NOTE: The ASEM and BBI may encounter difficulty displaying a Neighbor Cache table that has reached the 2000 entry limit noted above. In this instance, use of the CLI for viewing the Neighbor Cache table is recommended.

[IP6 Neighbor Discovery Protocol Menu]
dump - Show all IP6 neighbor cache entries

Table 3-24 provides a description of this menu.

Table 3-24 IPv6 Neighbor Cache Information Menu (/info/l3/nbrcache)

Command Syntax and Usage
dump - Displays all IPv6 neighbor cache entries.
Total dynamic neighbor cache entries: 3
Total local neighbor cache entries: 4
Other neighbor cache entries: 0
/info/l3/bgp
BGP Information Menu

Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to share routing information with each other and to advertise, to routers on external networks, information about the segments of the IP address space they can access within their network. For more information, refer to the BGP section in the chapter The Configuration Menu on page 245 and the Application Guide.

[BGP Menu]
peer    - Show all BGP peers
summary - Show all BGP peers in summary
dump    - Show BGP routing table
/info/l3/bgp/peer
BGP Peer Information

Following is an example of the information that /info/l3/bgp/peer provides.

BGP Peer Information:
3: 2.1.1.1 , version 0, TTL 1
   Remote AS: 0, Local AS: 0, Link type: IBGP
   Remote router ID: 0.0.0.0, Local router ID: 1.1.201.5
   BGP status: idle, Old status: idle
   Total received packets: 0, Total sent packets: 0
   Received updates: 0, Sent updates: 0
   Keepalive: 0, Holdtime: 0, MinAdvTime: 60
   LastErrorCode: unknown(0), LastErrorSubcode: unspecified(0)
   Established state transitions: 0
4: 2.1.1.4 , version 0, TTL 1
   Remote AS: 0, Local AS: 0, Link type: IBGP
   Remote router ID: 0.0.0.0, Local router ID: 1.1.201.5
   BGP status: idle, Old status: idle
   Total received packets: 0, Total sent packets: 0
   Received updates: 0, Sent updates: 0
   Keepalive: 0, Holdtime: 0, MinAdvTime: 60
   LastErrorCode: unknown(0), LastErrorSubcode: unspecified(0)
   Established state transitions: 0
/info/l3/bgp/summary
BGP Summary Information

Following is an example of the information that /info/l3/bgp/summary provides.

BGP Peer Summary Information:
Peer               V  AS        MsgRcvd   MsgSent   Up/Down   State
----------------   -  --------  --------  --------  --------  -----------
1: 205.178.23.142  4  142       113       121       00:00:28  established
2: 205.178.15.148  0  148       0         0         never     connect
/info/l3/bgp/dump
Dump BGP Information

Following is an example of the information that /info/l3/bgp/dump provides.

>> BGP# dump
Status codes: * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network          Next Hop         Metr  LcPrf  Wght
---------------  ---------------  ----  -----  ----
*> 10.0.0.0      205.178.21.147   1            256
*>i205.178.15.0  0.0.0.0
*                205.178.21.147   1            128
*> 205.178.17.0  205.178.21.147   1            128
   13.0.0.0      205.178.21.147   1            256
/info/l3/ospf
OSPF Information Menu

Nortel Application Switch Operating System supports the Open Shortest Path First (OSPF) routing protocol. The Nortel Application Switch Operating System implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed. For more information on how to configure OSPF on the switch, refer to the OSPF section in the chapter The Configuration Menu on page 245 and your Nortel Application Switch Operating System Application Guide.

[OSPF Information Menu]
general - Show general information
aindex  - Show area(s) information
if      - Show interface(s) information
virtual - Show details of virtual links
nbr     - Show neighbor(s) information
dbase   - Database Menu
sumaddr - Show summary address list
nsumadd - Show NSSA summary address list
routes  - Show OSPF routes
dump    - Show OSPF information
/info/l3/ospf/general
OSPF General Information

OSPF Version 2
Router ID: 47.80.23.247
Started at 95 and the process uptime is 352315
Area Border Router: yes, AS Boundary Router: no
LS types supported are 6
External LSA count 0
External LSA checksum sum 0x0
Number of interfaces in this router is 2
Number of virtual links in this router is 1
16 new lsa received and 34 lsa originated from this router
Total number of entries in the LSDB 10
Database checksum sum 0x0
Total neighbors are 1, of which 2 are >=INIT state, 2 are >=EXCH state, 2 are =FULL state
Number of areas is 2, of which 3-transit 0-nssa
   Area Id : 0.0.0.0
   Authentication : none
   Import ASExtern : yes
   Number of times SPF ran : 8
   Area Border Router count : 2
   AS Boundary Router count : 0
   LSA count : 5
   LSA Checksum sum : 0x2237B
   Summary : noSummary
/info/l3/ospf/if
OSPF Interface Information

Ip Address 10.10.12.1, Area 0.0.0.1, Admin Status UP
  Router ID 10.10.10.1, State DR, Priority 1
  Designated Router (ID) 10.10.10.1, Ip Address 10.10.12.1
  Backup Designated Router (ID) 10.10.14.1, Ip Address 10.10.12.2
  Timer intervals, Hello 10, Dead 40, Wait 1663, Retransmit 5, Poll interval 0, Transit delay 1
  Neighbor count is 1  If Events 4, Authentication type none
/info/l3/ospf/dbase
OSPF Database Information

[OSPF Database Menu]
advrtr  - LS Database info for an Advertising Router
asbrsum - ASBR Summary LS Database info
dbsumm  - LS Database summary
ext     - External LS Database info
nw      - Network LS Database info
nssa    - NSSA External LS Database info
rtr     - Router LS Database info
self    - Self Originated LS Database info
summ    - Network-Summary LS Database info
all     - All
/info/l3/ospf/routes
OSPF Information Route Codes

Codes: IA - OSPF inter area,
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2

IA 10.10.0.0/16 via 200.1.1.2
IA 40.1.1.0/28 via 20.1.1.2
IA 80.1.1.0/24 via 200.1.1.2
IA 100.1.1.0/24 via 20.1.1.2
IA 140.1.1.0/27 via 20.1.1.2
IA 150.1.1.0/28 via 200.1.1.2
E2 172.18.1.1/32 via 30.1.1.2
E2 172.18.1.2/32 via 30.1.1.2
E2 172.18.1.3/32 via 30.1.1.2
E2 172.18.1.4/32 via 30.1.1.2
E2 172.18.1.5/32 via 30.1.1.2
E2 172.18.1.6/32 via 30.1.1.2
E2 172.18.1.7/32 via 30.1.1.2
E2 172.18.1.8/32 via 30.1.1.2
/info/ospf/dump
OSPF Dump Information

OSPF Version 2
Router ID: 1.1.1.1
Started at 42 and the process uptime is 1197051
Area Border Router: no, AS Boundary Router: no
External LSA count 0
Number of interfaces in this router is 0
Number of virtual links in this router is 0
0 new lsa received and 0 lsa originated from this router
Total number of entries in the LSDB 0
Total neighbors are 0, of which 0 are >=INIT state, 0 are >=EXCH state, 0 are =FULL state
Number of areas is 0, of which 0-transit 0-nssa

OSPF Neighbors:
Intf  NeighborID  Prio  State  Address
----  ----------  ----  -----  -------

OSPF LS Database:
OSPF LSDB breakdown for router with ID (1.1.1.1)
No areas enabled.
/info/l3/ip
IP Information

Interface information:
  1: 47.80.23.81  255.255.254.0  47.80.23.255, vlan 1, up
  2: 172.31.4.1   255.255.255.0  172.31.4.255, vlan 1, up
  3: 172.31.3.1   255.255.255.0  172.31.3.255, vlan 1, up

Default gateway information: metric strict
  2: 47.80.22.1, vlan any, up
Current IP forwarding settings: ON, dirbr disabled
Current local networks:
Current IP port settings:
  All other ports have forwarding ON
Current network filter settings: none
Current route map settings:
Current OSPF settings: ON
  Default route none
  Router ID: 1.1.1.1
  lsdb limit 0
/info/l3/vrrp
VRRP Information

Virtual Router Redundancy Protocol (VRRP) support on the Nortel Application Switch provides redundancy between routers in a LAN. This is accomplished by configuring the same virtual router IP address and ID number on each participating VRRP-capable routing device. One of the virtual routers is then elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address. Refer to your Nortel Application Switch Operating System Application Guide for more information on VRRP.

VRRP information:
  9: vrid 9, 2005:0:0:0:0:0:10:9 if 9, renter, prio 101, master
 10: vrid 10, 10.10.10.50, if 1, renter, prio 101, master
 20: vrid 20, 2005:0:0:0:0:0:20:20 if 20, renter, prio 105, master, server

When virtual routers are configured, you can view the status of each virtual router using this command. VRRP information includes:
Virtual router number
Virtual router ID and IP address
Interface number
Ownership status. owner identifies the preferred master virtual router; a virtual router is the owner when the IP address of the virtual router and its IP interface are the same. renter identifies virtual routers which are not owned by this device.
Priority value. During the election process, the virtual router with the highest priority becomes master.
Activity status. master identifies the elected master virtual router; backup identifies that the virtual router is in backup mode.
Server status. The server state identifies virtual routers that support Layer 4 services. These are known as virtual server routers: any virtual router whose IP address is the same as any configured virtual server IP address.
Proxy status. The proxy state identifies virtual proxy routers, where the virtual router shares the same IP address as a proxy IP address. The use of virtual proxy routers enables redundant switches to share the same IP address, minimizing the number of unique IP addresses that must be configured.
/info/l3/dump
Layer3 Dump Information

This command dumps all the information about Layer 3 parameters. This dump is a collection of all the individual commands described in the sections above.

IP information:
  Router ID: 45.1.1.201, AS number 100

Default gateway information: metric strict
Current IP forwarding settings: ON, dirbr disabled
Current local networks:
Current IP port settings:
  All other ports have forwarding ON
Current network filter settings: none
Current route map settings:
Current BGP settings: ON, pref 100, AS number 100
Current BGP peer settings:
  1: 45.1.1.203, ras 300, hold 180, alive 60, adv 60
     retry 120, orig 15, ttl 1, enabled
     metric none, default none, rip disabled, ospf disabled
     fixed disabled, static disabled, vip disabled
     in-rmap: empty
     out-rmap: empty
Current BGP aggr settings:

Virtual Router Redundancy is globally turned OFF.

ARP cache information:
IP address       Flags  MAC address        VLAN  Port  Referenced SPs
---------------  -----  -----------------  ----  ----  --------------
45.1.1.75               00:0f:06:ec:8a:00  1     24    empty
45.1.1.201       P      00:01:81:2e:a2:20  1           1-4
45.1.1.202              00:09:97:5e:69:00  1     24    empty
172.21.1.254     P      00:01:81:2e:a2:20  1           1-4
205.1.1.1               00:09:6b:b5:0b:d6  1     24    empty
205.1.1.2               00:09:6b:b5:08:48  1     24    empty
205.1.1.3               00:09:6b:00:6f:b7  1     24    empty
205.1.1.4               00:09:6b:00:76:1b  1     24    empty
205.1.1.5               00:09:6b:00:74:97  1     24    empty
205.1.1.6               00:09:6b:00:71:bb  1     24    empty
205.1.1.100      P 4    00:01:81:2e:a2:2e              1-4
205.1.1.201      P      00:01:81:2e:a2:20  1           1-4

ARP address information:
IP address       IP mask          MAC address        VLAN  Flags
---------------  ---------------  -----------------  ----  -----
205.1.1.100      255.255.255.255  00:01:81:2e:a2:2e        D
172.21.1.254     255.255.255.255  00:01:81:2e:a2:20  1
205.1.1.201      255.255.255.255  00:01:81:2e:a2:20  1
45.1.1.201       255.255.255.255  00:01:81:2e:a2:20  1

Route table information:
Status code: * - best
Destination      Mask             Gateway          Type       Tag        Metr  If
---------------  ---------------  ---------------  ---------  ---------  ----  --
* 45.0.0.0       255.0.0.0        45.1.1.201       direct     fixed            2
* 45.1.1.201     255.255.255.255  45.1.1.201       local      addr             2
* 45.255.255.255 255.255.255.255  45.255.255.255   broadcast  broadcast        2
* 127.0.0.0      255.0.0.0        0.0.0.0          martian    martian
* 172.21.1.0     255.255.255.0    172.21.1.254     direct     fixed            4
* 172.21.1.254   255.255.255.255  172.21.1.254     local      addr             4
* 172.21.1.255   255.255.255.255  172.21.1.255     broadcast  broadcast        4
* 205.1.1.0      255.255.255.0    205.1.1.201      direct     fixed            3
* 205.1.1.100    255.255.255.255  205.1.1.100      direct     vip
* 205.1.1.201    255.255.255.255  205.1.1.201      local      addr             3
* 205.1.1.255    255.255.255.255  205.1.1.255      broadcast  broadcast        3
* 224.0.0.0      224.0.0.0        0.0.0.0          martian    martian
* 255.255.255.255 255.255.255.255 255.255.255.255  broadcast  broadcast

OSPF is disabled.

Status codes: * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
Network          Next Hop         Metr  LcPrf  Wght  Path
---------------  ---------------  ----  -----  ----  --------------
*> 45.0.0.0      0.0.0.0          0                  ?
*> 172.21.1.0    0.0.0.0          0                  ?
*> 205.1.1.0     0.0.0.0          0                  ?
/info/slb/sess
Session Table Information

[Session Table Information Menu]
cip    - Show all session entries with source IP address
cip6   - Show all session entries with source IP6 address
cport  - Show all session entries with source port
dip    - Show all session entries with destination IP address
dip6   - Show all session entries with source IP6 address
dport  - Show all session entries with destination port
pip    - Show all session entries with proxy IP address
pport  - Show all session entries with proxy port
filter - Show all session entries with matching filter
flag   - Show all session entries with matching flag
port   - Show all session entries with ingress port
real   - Show all session entries with real IP address
sp     - Show all session entries on sp
dump   - Show all session entries
help   - Session entry description
3, 01: 1.1.1.1 4586, 2.2.2.1 http -> 1.1.1.2 3567 3.3.3.1 http age 6 f:10 EUSPT c
(1)(2) (3)     (4)   (5)     (6)     (7a)    (7)  (8)     (9)  (10)  (11)  (12)  (13)

Note: The fields 1 to 13 associated with a session, as identified in the above example, are described in Session dump information on page 117.

help - Displays the description of the session entry.

3,01: 172.21.12.19 4586, 39.2.2.1 rtsp -> 47.81.144.13 rtsp age 10 EU
3,01: 172.21.12.19 6970, 39.2.2.1 21220 -> 47.81.144.13 21220 age 10 P
The first session is the RTSP TCP control connection. The second session is the RTSP UDP data connection.
3,01: 172.21.12.19 6970, 39.2.2.1 rtsp -> 47.81.144.13 0 age 10 P
During client-server port negotiation, the destination port shows rtsp and the server port shows 0.

L7 WCR RTSP
3,01: 172.21.12.19 4586, 39.2.2.1 rtsp -> 47.81.144.13 urlwcr age 10 f:100 EU
3,01: 172.21.12.19 6970, 39.2.2.1 21220 -> 47.81.144.13 21220 age 10 P

Filtering LinkLB
2,07: 10.0.1.26 1706, 205.178.14.84 http -> 192.168.4.10 linklb age 8 f:10 E

FTP
1,00: 172.31.4.215 80, 172.31.4.200 0 172.31.3.11 age 8 EP c:1
1,09: 172.31.4.215 4098, 172.31.4.200 ftp ->172.31.3.20 ftp age 10 EU
1,09: 172.31.4.215 4102, 172.31.4.200 ftp-data ->172.31.3.20 ftp-data age 10 E

NAT
2,05: 172.21.8.16 2559, 10.0.1.26 http NAT age 2 f:24 E

Persistent session
3,00: 237.162.52.123 160.10.20.30 age 4 EPS C:3
The destination port, real server IP and server port are not shown for a persistent session.
Session dump information

Field - Description
Switch Processor - This field indicates the Switch Processor number that created the session.
Ingress port - This field shows the physical port through which the client traffic enters the switch.
Source IP address - This field contains the source IP address from the client's IP packet, in IPv4 or IPv6.
Source port - This field identifies the source port from the client's TCP/UDP packet.
Destination IP address - This field identifies the destination IP address from the client's TCP/UDP packet.
Destination port - This field identifies the destination port from the client's TCP/UDP packet.
Proxy IP address - This field contains the Proxy IP address substituted by the switch.
Proxy port - This field identifies the TCP/UDP source port substituted by the switch.
Real server IP address - For load balancing, this field contains the IP address of the real server that the switch selects to forward the client packet to. If the switch does not find a live server, this field is the same as the destination IP address (as in row 5). For example:
  3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10
  3,01: 1.1.1.1 6970, 2.2.2.1 rtsp -> 2.2.2.1 21220 age 10 P
  For filtering, this field also shows the real server IP address. No address is shown if the filter action is Allow, Deny or NAT; ALLOW, DENY or NAT is shown instead. For example:
  3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10 f:11
  2,07: 1.1.1.1 1706, 2.2.2.1 http-> 192.168.4.10 linklb age 8 f:10 E
Server port - This field is the same as the destination port (field 6) for load balancing, except for the RTSP UDP session, where the server port is obtained from the client-server negotiation. For filtering, this field is the filtering application port and is for internal use only; it can be urlwcr, wcr, idslb, linkslb or nonat.
(10) Age - This is the session timeout value. If no packet is received within the value specified, the session is freed. For example:
  age 10 - The session is aged out in 10 minutes.
  age < 160 - The session is aged out in 160 minutes. This indicates that slowage is used. The user can configure slowage with the command /cfg/slb/adv/slowage.
Filter - This field indicates that the session was created by filtering code as a result of the IP header keys matching the filtering criteria.
VLAN - This field is the ingress port's VLAN.
(13) Flag -
  Ac: Indicates the session is an application capping per-contract entry.
  Au: Indicates the session is an application capping per-user entry.
  E: Indicates the session is established and will be aged out if no traffic is received within the session timeout value.
  L: Indicates the session is a link load balance session.
  N: Indicates no NAT, which means the session only translates the destination MAC when forwarding client traffic to the real server.
  P: Indicates the session is a persistent session and is not to be aged out. Fields (6), (7) and (8) cannot have persistent session.
  S: Indicates the session is a persistent session and the application is SSL session ID or Cookie Pbind.
  Rt: Indicates the session is TCP rate limiting for every client entry.
  Ru: Indicates UDP rate limiting for every client entry.
  Ri: Indicates the session is ICMP rate limiting per-client entry.
  Vr: Indicates the session is a SIP REGISTER session.
  Vs: Indicates the session is a SIP SUBSCRIBE session.
  Vi: Indicates the session is a SIP INVITE session.
  Vm: Indicates the session is a SIP MESSAGE session.
  Vd: Indicates the session is a SIP NAT data session.
  Sc: Indicates the session is an opened server session used in connection pooling.
  U: Indicates the session is Layer 7 delayed binding and the switch is trying to open a TCP connection to the real server.
  W: Indicates the session only translates the destination MAC when forwarding Layer 7 WCR traffic to the real server.
  Dcy: Indicates the session is a Symantec client session and Snoop ON.
  Dcn: Indicates the session is a Symantec client session and Snoop OFF.
  Dci: Indicates the session is a Symantec client session and Snoop INIT.
  Dsy: Indicates the session is a Symantec server session and Snoop ON.
  Dsn: Indicates the session is a Symantec server session and Snoop OFF.
  Dsi: Indicates the session is a Symantec server session and Snoop INIT.
Client session count - This counter indicates the number of client sessions created to associate with this persistent session.
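Added illustration (not Nortel code): a Python parser for /info/slb/sess entries that splits an entry into the fields described above and decodes the flag field with the flag names from this table, longest name first so that the two- and three-letter flags such as Sc and Dcy are not mistaken for runs of single-letter ones. The entries are taken from the examples on this page (the last one is the page's numbered example without its trailing counter label); the rules deciding which server-side tokens are proxy, real server or filter action are assumptions based on those examples.

```python
"""Parse /info/slb/sess entries and decode their flag field.

Added example; not Nortel code. SESSION_FLAGS is the flag table documented
on this page; SAMPLE_LINES are entries taken from the page's examples.
Field-order assumptions are noted inline.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Flags documented for field (13). Single letters alone are never ambiguous
# because the decoder tries the longest documented name first.
SESSION_FLAGS = {
    "Dcy": "Symantec client, Snoop ON", "Dcn": "Symantec client, Snoop OFF",
    "Dci": "Symantec client, Snoop INIT", "Dsy": "Symantec server, Snoop ON",
    "Dsn": "Symantec server, Snoop OFF", "Dsi": "Symantec server, Snoop INIT",
    "Ac": "application capping per-contract", "Au": "application capping per-user",
    "Rt": "TCP rate limiting per client", "Ru": "UDP rate limiting per client",
    "Ri": "ICMP rate limiting per client", "Vr": "SIP REGISTER", "Vs": "SIP SUBSCRIBE",
    "Vi": "SIP INVITE", "Vm": "SIP MESSAGE", "Vd": "SIP NAT data",
    "Sc": "server session in connection pool", "E": "established",
    "L": "link load balance", "N": "no NAT", "P": "persistent",
    "S": "persistent by SSL session ID or cookie",
    "U": "Layer 7 delayed binding in progress", "W": "Layer 7 WCR, destination MAC only",
}


def decode_flags(text: str) -> Tuple[List[str], List[str]]:
    """Split a flag string such as "EUSPT" into documented flags and leftovers."""
    known, unknown, i = [], [], 0
    while i < len(text):
        for width in (3, 2, 1):
            candidate = text[i:i + width]
            if candidate in SESSION_FLAGS:
                known.append(candidate)
                i += width
                break
        else:
            unknown.append(text[i])
            i += 1
    return known, unknown


@dataclass
class Session:
    sp: int
    port: int
    src: Tuple[str, Optional[str]]
    dst: Tuple[str, Optional[str]]
    proxy: Optional[Tuple[str, str]] = None
    real: Optional[Tuple[str, Optional[str]]] = None
    action: Optional[str] = None        # ALLOW / DENY / NAT shown instead of a real server
    age: Optional[int] = None
    slow_age: bool = False              # the "age < N" form
    filter_id: Optional[int] = None     # f:NN
    flags: List[str] = field(default_factory=list)
    unknown_flags: List[str] = field(default_factory=list)
    clients: Optional[int] = None       # c:N / C:N on persistent sessions


HEAD_RE = re.compile(r"^(\d+),\s*(\d+):\s+(.*)$")
ACTIONS = {"ALLOW", "DENY", "NAT"}


def _ip_port(tokens: List[str]) -> Tuple[str, Optional[str]]:
    if not tokens:
        return ("", None)
    return (tokens[0], tokens[1] if len(tokens) > 1 else None)


def parse_session(line: str) -> Session:
    m = HEAD_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a session entry: {line!r}")
    sp, port, rest = int(m.group(1)), int(m.group(2)), m.group(3)
    addr_part, _, tail = rest.partition(" age ")
    client, _, server = addr_part.partition("->")
    if "," in client:
        src_str, _, dst_str = client.partition(",")
        src_tokens, dst_tokens = src_str.split(), dst_str.split()
    else:  # persistent entries carry no ports and no comma
        parts = client.split()
        src_tokens, dst_tokens = parts[:1], parts[1:]
    s = Session(sp, port, _ip_port(src_tokens), _ip_port(dst_tokens[:2]))
    # Assumption from the page's examples: whatever follows the destination
    # ip/port (or the "->") is the server side: proxy ip+port then real
    # ip+port, real ip+port, a real ip alone, or a filter action keyword.
    server_tokens = dst_tokens[2:] + server.split()
    if len(server_tokens) == 4:
        s.proxy = (server_tokens[0], server_tokens[1])
        s.real = (server_tokens[2], server_tokens[3])
    elif len(server_tokens) == 2:
        s.real = (server_tokens[0], server_tokens[1])
    elif len(server_tokens) == 1:
        if server_tokens[0] in ACTIONS:
            s.action = server_tokens[0]
        else:
            s.real = (server_tokens[0], None)
    tail_tokens = tail.split()
    if tail_tokens and tail_tokens[0] == "<":   # "age < 160"
        s.slow_age = True
        tail_tokens.pop(0)
    if tail_tokens and tail_tokens[0].lstrip("<").isdigit():
        s.slow_age = s.slow_age or tail_tokens[0].startswith("<")
        s.age = int(tail_tokens.pop(0).lstrip("<"))
    for tok in tail_tokens:
        if tok.startswith("f:") and tok[2:].isdigit():
            s.filter_id = int(tok[2:])
        elif re.fullmatch(r"[cC]:\d+", tok):
            s.clients = int(tok[2:])
        elif tok.isalpha() and not (s.flags or s.unknown_flags):
            s.flags, s.unknown_flags = decode_flags(tok)
    return s


def summarize(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Sessions per client IP and per decoded flag; undocumented flag letters
    are counted under a "?" prefix instead of being silently dropped."""
    per_client: Dict[str, int] = {}
    per_flag: Dict[str, int] = {}
    for line in lines:
        s = parse_session(line)
        per_client[s.src[0]] = per_client.get(s.src[0], 0) + 1
        for flag in s.flags:
            per_flag[flag] = per_flag.get(flag, 0) + 1
        for flag in s.unknown_flags:
            per_flag["?" + flag] = per_flag.get("?" + flag, 0) + 1
    return {"clients": per_client, "flags": per_flag}


SAMPLE_LINES = [  # entries from the examples on this page
    "3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10 f:11 EU",
    "3,01: 1.1.1.1 6970, 2.2.2.1 rtsp -> 2.2.2.1 21220 age 10 P",
    "2,07: 1.1.1.1 1706, 2.2.2.1 http-> 192.168.4.10 linklb age 8 f:10 E",
    "2,05: 172.21.8.16 2559, 10.0.1.26 http NAT age 2 f:24 E",
    "1,00: 172.31.4.215 80, 172.31.4.200 0 172.31.3.11 age 8 EP c:1",
    "3,00: 237.162.52.123 160.10.20.30 age 4 EPS C:3",
    "3, 01: 1.1.1.1 4586, 2.2.2.1 http -> 1.1.1.2 3567 3.3.3.1 http age 6 f:10 EUSPT",
]

if __name__ == "__main__":
    for entry in SAMPLE_LINES:
        print(parse_session(entry))
    print(summarize(SAMPLE_LINES))
```

The per-client count from summarize is the quantity to watch when deciding whether a single source is holding an unreasonable share of the session table; the "?" bucket makes a flag letter that this table does not document (T in the page's numbered example) visible rather than lost.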
/info/slb/gslb
Global SLB Information Menu

A Nortel Application Switch Operating System running Global SLB selects the most appropriate site to direct the client traffic to for a given domain during the initial client connection. The menu for this feature displays the following information:

[Global SLB Information Menu]
virt - Show Global SLB virtual server information
site - Show Global SLB remote site information
rule - Show Global SLB rule information
geo  - Show Global SLB geographical preference information
pers - Show Global SLB DNS persistence cache information
dump - Show all Global SLB information
/info/slb/dump
Show All Layer 4 Information

Real server state:
   1: 210.1.2.200, 00:01:02:c1:4b:48, vlan 1, port 1, health 3, up
   2: 210.1.2.1, 00:01:02:70:4d:4a, vlan 1, port 8, health 3, up
  26: 20.20.20.102, 00:03:47:07:a4:9e, vlan 1, port 6, health 3, up
  27: 20.20.20.101, 00:01:02:71:9c:a6, vlan 1, port 7, health 3, up

Virtual server state:
  1: 20.20.20.200, 00:60:cf:47:5c:1e
     virtual ports:
       http: rport http, group 88, backup none, dbind HTTP Application: urlslb
         real servers:
           26: 20.20.20.102, backup none, 2 ms, up
               exclusionary string matching: disabled
               1: any
               2: urlone
           27: 20.20.20.101, backup none, 1 ms, up
               exclusionary string matching: disabled
               3: urltwo
               4: urlthree

Redirect filter state:
  Action redir dport http, rport 3128, vlan any
  200: group 1, health 3, backup none
       proxy enabled, radius snoop disabled
       real servers:
         1: 210.1.2.200, backup none, 3 ms, up
         2: 210.1.2.1, backup none, 2 ms, up

Port state:
  1: filt disabled, filters: 80 idslb
  2: filt enabled, filters: 200 idslb
  3: filt enabled, filters: 200
  4: filt disabled, filters: 50 200
/info/bwm/ipuser
BWM IP User Information Menu

[BWM IP User Entries Information Menu]
ip   - Show all IP user entries with IP address
cont - Show all IP user entries for a contract
sp   - Show all IP user entries on sp
dump - Show all IP user entries
/info/bwm/cont
BWM Contract Information

Current Bandwidth Management setting: ON
Policy Enforcement: enabled
BWM history will be mailed in a minute to 'abcd' at host '100.81.138.26'
BWM IP user table entries 64k

Contract              Policy                         Per User              Traffic
Num  Name             Prec  Hard  Soft  Resv         Limit    Key  State  Shaping
 1 123456789012345 2 1 50M 1M 500K E D
 2 vlan 4 1 60M 2M 500K E D
 3 filter 7 20 2M 1M 500K E D
 4 5 1 2M 1M 500K D D
 5 512 1 2M 1M 500K E D
10 10 1 1M 0K 0K 500K sip E D
11 11 1 100M 80M 500K 2M sip E D
12 12 1 2M 1M 500K E D
13 13 1 3M 1M 500K E D
14 14 1 4M 400K 100K E D
15 15 1 2M 1M 500K E D

This command displays information about any configured contracts and the BWM policies applied to the contracts.

Table 3-33 BWM Contract Information

Field - Description
Contract - Displays the BWM contract number.
Policy - Displays specific information about a policy applied to a contract. Includes the following:
  The policy number applied to the contract
  Prec: the precedence applied to the policy
  Hard: the hard limit applied to the policy
  Soft: the soft limit applied to the policy
  Resv: the reserve limit applied to the policy
Traffic Shaping - Displays whether Traffic Shaping is enabled (E) or disabled (D) for this contract.
The information provided by each menu option is described in Table 3-34.

Table 3-34 Security Information Menu (/info/security)

Command Syntax and Usage
port     - This menu displays the current port security settings.
ipacl    - This menu displays the current IP ACL settings.
udpblast - This menu displays UDP blast protection settings.
dos      - This menu displays DoS protection settings.
symantec - This menu displays Symantec IPS processing information.
dump     - This menu displays all security settings.
Use this command to display link status information about each port on a Nortel Application Switch slot, including:
Port alias
Port number
Port speed (10, 100, 10/100, or 1000)
Duplex mode (half, full, any, or auto)
Flow control for transmit and receive (no, yes, or auto)
Port information includes:
Port alias
Port number
Whether the port uses VLAN tagging or not (y or n)
Whether Remote Monitor is enabled or disabled
Port VLAN ID (PVID)
Port name
VLAN membership
Software key information includes a list of all the optional software packages which have been activated or installed on your switch. For information on ordering optional software license keys, see How to Get Help on page 22.
CHAPTER 4
320506-C Rev. 02, Feb 2007
134
135
136
137
63242584 63277826 0 0 NA NA 0
dot1PortOutFrames
138
0 0 0 0 NA 0 0 0 NA 0 0 0 NA
139
dot3StatsSingleCollisionFrames
dot3StatsMultipleCollisionFrames
140
dot3StatsDeferredTransmissions
dot3StatsLateCollisions
dot3StatsExcessive Collisions
dot3StatsInternalMacTransmitErrors
141
dot3StatsFrameTooLongs
dot3StatsInternalMacReceiveErrors
dot3CollFrequencies
142
ifHCInUcastPkts
ifHCInErrors
ifHCOutOctets
143
ifHCOutBroadcastPkts ifHCOutMulticastPkts
ifHCOutDiscards
ifHCOutErrors
    ipForwDatagrams: 0
    ipInDiscards: 0
ipForwDatagrams
ipInUnknownProtos
ipInDiscards
etherStatsUndersizePkts
etherStatsOversizePkts
etherStatsJabbers
etherStatsCollisions
etherStatsPkts64Octets
RMON statistics for port 1:
    etherStatsDropEvents:
    etherStatsOctets:
    etherStatsPkts:
    etherStatsBroadcastPkts:
    etherStatsMulticastPkts:
    etherStatsCRCAlignErrors:
    etherStatsUndersizePkts:
    etherStatsOversizePkts:
    etherStatsFragments:
    etherStatsJabbers:
    etherStatsCollisions:
    etherStatsPkts64Octets:
    etherStatsPkts65to127Octets:
    etherStatsPkts128to255Octets:
    etherStatsPkts256to511Octets:
    etherStatsPkts512to1023Octets:
    etherStatsPkts1024to1518Octets:
/stats/l2/fdb
FDB Statistics
FDB statistics:
    creates:      9611      deletes:       9553
    current:      58        hiwat:         65
    lookups:      850254    lookup fails:  151373
    finds:        5832      find fails:    0
    find_or_c's:  11874     overflows:     0
    max:          16384
This menu option enables you to display statistics regarding the use of the forwarding database, including the number of new entries, finds, and unsuccessful searches. FDB statistics are described in the following table:
Table 4-12 Forwarding Database Statistics (/stats/l2/fdb)
    creates: Number of entries created in the Forwarding Database.
    current: Current number of entries in the Forwarding Database.
    lookups: Number of entry lookups in the Forwarding Database.
    finds: Number of successful searches in the Forwarding Database.
    find_or_cs: Number of entries found or created in the Forwarding Database.
    deletes: Number of entries deleted from the Forwarding Database.
    hiwat: Highest number of entries recorded at any given time in the Forwarding Database.
    lookup fails: Number of unsuccessful searches made in the Forwarding Database.
    find fails: Number of search failures in the Forwarding Database.
    overflows: Number of entries overflowing the Forwarding Database.
/stats/l2/lacp
LACP Statistics
>> Layer 2 Statistics# lacp 1 port 1
    Valid LACPDUs received          9394
    Valid Marker PDUs received      0
    Valid Marker Rsp PDUs received  0
    Unknown version/TLV type        0
    Illegal subtype received        0
    LACPDUs transmitted             8516
    Marker PDUs transmitted         0
    Marker Rsp PDUs transmitted     0
    Valid LACPDUs received: The number of LACPDUs that the switch received on this port.
    Valid Marker PDUs received: The number of valid Marker PDUs that the switch received on this port.
    Valid Marker Rsp PDUs received: The number of valid Marker Responses that the switch received on this port.
    Unknown version/TLV type: The number of unknown version or TLV type PDUs that the switch received on this port.
    Illegal subtype received: The number of illegal LACP subtype PDUs received on this port.
    LACPDUs transmitted: The number of LACPDUs transmitted out of this port.
    Marker PDUs transmitted: The number of Marker PDUs transmitted out of this port.
    Marker Rsp PDUs transmitted: The number of Marker Responses transmitted out of this port.
/stats/l2/stg
Spanning Tree Group Statistics
Spanning Tree Group 1:
    Port   Rcv Cfg   Rcv TCN   Xmt Cfg   Xmt TCN
    -----  --------  --------  --------  --------
    1      0         0         0         0
    2      0         0         0         0
    3      0         0         0         0
    4      0         0         0         0
    5      0         0         0         0
    6      0         0         0         0
    7      0         0         0         0
    8      0         0         0         0
    9      139046    176       27        15
    10     0         0         0         0
    11     0         0         0         0
    12     0         0         0         0
    13     0         0         0         0
    14     0         0         0         0
    15     0         0         0         0
    16     0         0         0         0
    17     0         0         0         0
    18     0         0         0         0
    19     0         0         0         0
    20     0         0         0         0
    21     0         0         0         0
    22     0         0         0         0
    23     0         0         0         0
    24     0         0         0         0
    25     0         0         0         0
    26     0         0         0         0
    27     0         0         0         0
    28     0         0         0         0
/stats/l3/ospf
OSPF Statistics Menu
[OSPF stats Menu]
    general - Show global stats
    aindex  - Show area(s) stats
    if      - Show interface(s) stats
/stats/l3/ospf/general
OSPF Global Statistics
The OSPF General Statistics contain the sum total of all OSPF packets received on all OSPF areas and interfaces.
OSPF stats
---------
Rx/Tx Stats:          Rx        Tx
    Pkts              0         0
    hello             23        518
    database          4         12
    ls requests       3         1
    ls acks           7         7
    ls updates        9         7
Nbr change stats:
    hello             2
    start             0
    n2way             2
    adjoint ok        2
    negotiation done  2
    exchange done     2
    bad requests      0
    bad sequence      0
    loading done      2
    n1way             0
    rst_ad            0
    down              1
Intf change Stats:
    hello             4
    down              2
    loop              0
    unloop            0
    wait timer        2
    backup            0
    nbr change        5
Timers kickoff:
    hello             514
    retransmit        1028
    lsa lock          0
    lsa ack           0
    dbage             0
    summary           0
    ase export        0
n2way adjoint ok
negotiation done
exchange done
bad requests
bad sequence
backup
nbr change
Timers Kickoff:
    hello: The sum total number of times the Hello timer has been fired (which triggers the send of a Hello packet) across all OSPF areas and interfaces.
    retransmit: The sum total number of times the Retransmit timer has been fired across all OSPF areas and interfaces.
    lsa lock: The sum total number of times the Link State Advertisement (LSA) lock timer has been fired across all OSPF areas and interfaces.
    lsa ack: The sum total number of times the LSA Ack timer has been fired across all OSPF areas and interfaces.
    dbage: The total number of times the database age (Dbage) timer has been fired.
    summary: The total number of times the Summary timer has been fired.
    ase export: The total number of times the Autonomous System Export (ASE) timer has been fired.
/stats/l3/ip
IP Statistics
IP statistics:
    ipInReceives:       3115873    ipInHdrErrors:    1
    ipInAddrErrors:     35447      ipForwDatagrams:  0
    ipInUnknownProtos:  500504     ipInDiscards:     0
    ipInDelivers:       2334166    ipOutRequests:    1010542
    ipOutDiscards:      4          ipOutNoRoutes:    4
    ipReasmReqds:       0          ipReasmOKs:       0
    ipReasmFails:       0          ipFragOKs:        0
    ipFragFails:        0          ipFragCreates:    0
    ipRoutingDiscards:  0          ipDefaultTTL:     255
    ipReasmTimeout:     5
ipInAddrErrors
ipForwDatagrams
ipInUnknownProtos
ipInDelivers
ipOutRequests
ipOutDiscards
ipOutNoRoutes
ipFragOKs
ipFragFails
ipFragCreates
ipDefaultTTL
ipReasmTimeout
/stats/l3/ip6
IP6 Statistics Menu
>> Layer 3 Statistics# /stat/l3/ip6
-----------------------------------------------------------------
IP6 statistics:
    InReceives:       20519    InDiscards:       2
    InDelivers:       24793    ForwDatagrams:    0
    UnknownProtos:    0        InAddrErrors:     0
    OutRequests:      34548    OutNoRoutes:      0
    ReasmOKs:         0        ReasmFails:       0
    IcmpInMsgs:       24793    IcmpInErrors:     4268
    IcmpOutMsgs:      12829    IcmpOutErrors:    4271
    InEchos:          0        OutEchos:         8538
    InEchoReplies:    8536     OutEchoReplies:   0
    InDestUnreachs:   4268     OutDestUnreachs:  4271
    InPktTooBigs:     0        OutPktTooBigs:    0
    InTimeExcds:      0        OutTimeExcds:     0
-----------------------------------------------------------------
ICMP6 statistics:
Interface: 1
    InMsgs:                    18929
    InErrors:                  0
    InEchos:                   0
    InEchoReplies:             4268
    InNeighborSolicits:        4513
    InNeighborAdvertisements:  4271
    InRouterSolicits:          0
    InRouterAdvertisements:    5877
    InDestUnreachs:            0
    InTimeExcds:               0
    InPktTooBigs:              0
    InParmProblems:            0
    InRedirects:               0
    OutMsgs:                   4280
    OutErrors:                 0
    OutEchos:                  4269
    OutEchoReplies:            0
    OutNeighborSolicits:       3
    OutNeighborAdvertisements: 4516
    OutRouterSolicits:         0
    OutRouterAdvertisements:   1
    OutRedirects:              0
-----------------------------------------------------------------
Interface: 7
    InMsgs:                    5864
    InErrors:                  4268
    InEchos:                   0
    InEchoReplies:             4268
    InNeighborSolicits:        122
    InNeighborAdvertisements:  3
    InRouterSolicits:          0
    InRouterAdvertisements:    1471
    InDestUnreachs:            4268
    InTimeExcds:               0
    InPktTooBigs:              0
    InParmProblems:            0
    InRedirects:               0
    OutMsgs:                   8549
    OutErrors:                 4271
    OutEchos:                  4269
    OutEchoReplies:            0
    OutNeighborSolicits:       2
    OutNeighborAdvertisements: 124
    OutRouterSolicits:         0
    OutRouterAdvertisements:   1
    OutRedirects:              0
-----------------------------------------------------------------
IP6 gateway health check statistics:
    gateway 5  echo-req 4269  echo-resp 4268  fails 0
    gateway 7  echo-req 4269  echo-resp 4268  fails 0
UnknownProtos
OutRequests
ReasmOKs
InDiscards
ForwDatagrams
InAddrErrors
IcmpInMsgs
IcmpOutMsgs
IcmpInErrors
IcmpOutErrors
    InMsgs: The total number of ICMP messages received by the interface, which includes all those counted by ipv6IfIcmpInErrors. Note that this interface is the interface to which the ICMP messages were addressed, which may not necessarily be the input interface for the messages.
    InNeighborSolicits: The number of ICMP Neighbor Solicit messages received by the interface.
InEchoReplies
InNeighborAdvertisements
InRouterAdvertisements
InTimeExcds
InParmProblems
OutMsgs
OutEchos
OutNeighborSolicits
OutRouterSolicits
OutRedirects
/stats/l3/route
Route Statistics
Route statistics:
    ipRoutesCur:        3
    ipRoutesHighWater:  3
    ipRoutesMax:        4096
-----------------------------------------------------------------
SP Route statistics:
    SP   ipRoutesCur   ipRoutesHighWater   ipRoutesMax
    ---  ------------  ------------------  ------------
    1    3             3                   4096
    2    3             3                   4096
    3    3             3                   4096
    4    3             3                   4096
-----------------------------------------------------------------
RIP statistics:
    ripInPkts:        0    ripOutPkts:        0
    ripDiscardPkts:   0    ripRoutesAgedOut:  0
BGP statistics:
    bgpInPkts:        0
    bgpBadPkts:       0
    bgpRoutesAdded:   0
    bgpRoutesCur:     0
    bgpRoutesIgnored: 0
/stats/l3/arp
ARP statistics
This menu option enables you to display Address Resolution Protocol statistics.
MP ARP statistics:
    arpEntriesCur:        2
    arpEntriesHighWater:  2
    arpEntriesMax:        8192
-----------------------------------------------------------------
SP ARP statistics:
    SP   arpEntriesCur   arpEntriesHighWater   arpEntriesMax
    ---  --------------  --------------------  --------------
    1    1               1                     8192
    2    1               1                     8192
    3    1               1                     8192
    4    1               1                     8192
/stats/l3/vrrp
VRRP Statistics
Virtual Router Redundancy Protocol (VRRP) support on the Nortel Application Switch provides redundancy between routers in a LAN. This is accomplished by configuring the same virtual router IP address and ID number on each participating VRRP-capable routing device. One of the virtual routers is then elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address. When virtual routers are configured, you can display the following protocol statistics for VRRP:
    Advertisements received (vrrpInAdvers)
    Advertisements transmitted (vrrpOutAdvers)
    Advertisements received, but ignored (vrrpBadAdvers)
The statistics for the VRRP are displayed:
VRRP statistics:
    vrrpInAdvers:     0
    vrrpOutAdvers:    0
    vrrpBadVersion:   0
    vrrpBadAddress:   0
    vrrpBadPassword:  0
/stats/l3/vrrp6
IPv6 VRRP statistics
The Nortel Application Switch Operating System supports VRRP for IPv6. The statistics provided by this command are similar in nature to those presented by the /stats/l3/vrrp command, but tailored to the IPv6 environment. The following is a sample output for this command.
VRRP6 statistics:
    vrrp6InAdvers:     7
    vrrp6OutAdvers:    86801
    vrrp6BadVersion:   0
    vrrp6BadAddress:   0
    vrrp6BadInterval:  0
/stats/l3/dns
DNS Statistics
This menu option enables you to display Domain Name System statistics.
DNS statistics:
    dnsInRequests:   0
    dnsBadRequests:  0
    dnsOutRequests:  0
/stats/l3/icmp
ICMP Statistics
ICMP statistics:
    icmpInMsgs:           245802    icmpInErrors:          1393
    icmpInDestUnreachs:   41        icmpInTimeExcds:       0
    icmpInParmProbs:      0         icmpInSrcQuenchs:      0
    icmpInRedirects:      0         icmpInEchos:           18
    icmpInEchoReps:       244350    icmpInTimestamps:      0
    icmpInTimestampReps:  0         icmpInAddrMasks:       0
    icmpInAddrMaskReps:   0         icmpOutMsgs:           253810
    icmpOutErrors:        0         icmpOutDestUnreachs:   15
    icmpOutTimeExcds:     0         icmpOutParmProbs:      0
    icmpOutSrcQuenchs:    0         icmpOutRedirects:      0
    icmpOutEchos:         253777    icmpOutEchoReps:       18
    icmpOutTimestamps:    0         icmpOutTimestampReps:  0
    icmpOutAddrMasks:     0         icmpOutAddrMaskReps:   0
icmpInErrors
icmpInDestUnreachs
icmpInTimeExcds
icmpInParmProbs
icmpInSrcQuenchs
icmpInRedirects
icmpInEchos
icmpInEchoReps
icmpInTimestamps
icmpInTimestampReps
icmpInAddrMasks
icmpOutErrors
icmpOutDestUnreachs
icmpOutTimeExcds
icmpOutParmProbs
icmpOutSrcQuenchs
icmpOutRedirects
icmpOutEchos
icmpOutEchoReps
icmpOutTimestamps
icmpOutTimestampReps
icmpOutAddrMasks
icmpOutAddrMaskReps
ifInNUCastPkts
ifInDiscards
ifInErrors
ifInUnknownProtos
ifOutNUcastPkts
ifOutDiscards
ifOutErrors
ifStateChanges
/stats/l3/tcp
TCP Statistics
TCP statistics:
    tcpRtoAlgorithm:   4         tcpRtoMin:        0
    tcpRtoMax:         240000    tcpMaxConn:       1600
    tcpActiveOpens:    0         tcpPassiveOpens:  0
    tcpAttemptFails:   0         tcpEstabResets:   0
    tcpInSegs:         0         tcpOutSegs:       0
    tcpRetransSegs:    0         tcpInErrs:        0
    tcpCurBuff:        0         tcpCurConn:       6
    tcpCurInConn:      0         tcpCurOutConn:    0
    tcpCurLstnConn:    3         tcpOutRsts:       0
    tcpAllocTCBFails:  0
tcpRtoMax
tcpMaxConn
tcpActiveOpens
tcpPassiveOpens
tcpEstabResets
tcpInSegs
tcpOutSegs
tcpRetransSegs
tcpInErrs
tcpCurBuff
tcpCurConn
tcpCurInConn
tcpCurOutConn
tcpCurLstnConn
tcpOutRsts
tcpAllocTCBFails
/stats/l3/udp
UDP Statistics
UDP statistics:
    udpInDatagrams:   54    udpOutDatagrams:  43
    udpInErrors:      0     udpNoPorts:       1578077
/stats/slb/sp
Server Load Balancing SP statistics Menu
[Server Load Balancing SP Statistics Menu]
    real  - Show real server stats
    group - Show real server group stats
    virt  - Show virtual server stats
    filt  - Show filter stats
    maint - Show maintenance stats
    aux   - Show auxiliary session table stats
    clear - Clear SP stats
SYMANTEC INSPECTION STATISTICS
    Packets in:            0
    Packets with no data:  0
    TCP packets:           0
    UDP packets:           0
    ICMP packets:          0
    Other packets:         0
    Match count:           0
    Result Fetch errors:   0
    Truncated payloads:    0
    Packets in fastpath:   0
Allocation Failures
UDP Datagrams
Non TCP/IP Frames
Incorrect VIPs
Incorrect Vports
    Overflow Server Activations: This indicates the number of times a real server has reached the maxcon limit and caused an overflow server to be brought online.
    Filtered (Denied) Frames: This indicates the number of frames that were dropped because of one of the following reasons:
        1. They matched an active filter with the deny action set.
        2. There are no real servers (in the case of redirection filters).
        3. There are no available session entries.
    LAND attacks: This counter increases whenever a packet has the same source and destination IP addresses and ports.
    No TCP Control Bits: The number of packets that were dropped because the packet had no control bits set in the TCP header.
    Invalid reset packet drops: The number of packets that were dropped because the packet had an invalid reset flag set.
    Total IP fragment sessions: This represents the total number of fragment sessions the switch has processed so far.
    Current IP fragment sessions: This represents the current number of fragment sessions.
    IP fragment discards: The number of fragmented packets that are discarded due to lack of resources.
    IP fragment table full: This counter indicates how many times the session table has been full.
SYMANTEC MAINT STATISTICS
    Symantec sessions: The number of sessions inspected by the Symantec engine.
    Symantec Valid segments: The number of packets inspected by the Symantec engine.
    Symantec Fragment sessions: The number of IP fragment sessions inspected by the Symantec engine.
    Segment allocation fails: The number of memory allocation failures for IP fragments.
    Buffer allocation fails: Symantec stream buffer allocation failures.
    Connection allocation fails: Symantec connection info allocation failures.
    Invalid buffers: Invalid stream buffer errors.
SYMANTEC INSPECTION STATISTICS
    Packets in: Number of packets submitted for Symantec inspection.
    Packets with no data: Number of packets with no data (no inspection needed).
    TCP packets: Number of TCP packets submitted for Symantec inspection.
    UDP packets: Number of UDP packets submitted for Symantec inspection.
    ICMP packets: Number of ICMP packets submitted for Symantec inspection.
    Other packets: Number of non-TCP/UDP/ICMP packets submitted for Symantec inspection.
    Match count: Number of Symantec signature matches.
    Result Fetch errors: Number of Symantec signature match info fetch errors.
    Truncated payloads: Number of truncated Symantec match info reports sent to the MP.
    Packets in fastpath: Number of packets assigned to Symantec BWM contracts.
/stats/slb/gslb
Global SLB Statistics Menu
[Global SLB Statistics Menu]
    real    - Show Global SLB remote real server stats
    virt    - Show Global SLB virtual server stats
    site    - Show Global SLB remote site stats
    network - Show Global SLB network preference stats
    rule    - Show Global SLB rule stats
    geo     - Show Global SLB geographical preference stats
    pers    - Show Global SLB DNS persistence cache stats
    maint   - Show Global SLB maintenance stats
    clear   - Clear all Global SLB stats
    dump    - Show all Global SLB stats
For any remote real server configured for Global Server Load Balancing, the following statistics can be viewed:
    Number of DNS responses directed to the remote real server
Chapter 4: The Statistics Menu
/stats/slb/gslb/site
Global SLB Site Statistics
Global SLB remote site 1 stats:
    Bad remote site packets received:     386
    DSSPv1 remote site updates sent:      0
    DSSPv1 remote site updates received:  0
    DSSPv2 remote site updates sent:      768
    DSSPv2 remote site updates received:  348
/stats/slb/gslb/maint
Global SLB Maintenance Statistics
Global SLB maintenance stats:
    Bad remote site packets received:        0
    DSSPv1 remote site updates sent:         0
    DSSPv1 remote site updates received:     0
    DSSPv2 remote site updates sent:         127746
    DSSPv2 remote site updates received:     85164
    DNS queries received:                    0
    Bad DNS queries received:                0
    DNS responses sent:                      0
    HTTP requests received:                  0
    Bad HTTP requests received:              0
    HTTP responses sent:                     0
    Hostname domain hits:                    0
    Network domain hits:                     0
    Basic domain hits:                       0
    No server selected for hostname domain:  0
    No server selected for network domain:   0
    No server selected for basic domain:     0
    No matching domain:                      0
    Last no result domain:                   0
    Last source IP:                          0.0.0.0
    Bad remote site packets received: The number of bad packets received from the remote site. Bad updates or dropped packets usually indicate that there is a configuration problem at the local or remote GSLB switches. If bad updates or dropped packets occur, check your syslog for configuration error messages.
    DSSPv1 remote site updates sent: The number of Distributed Site State Protocol (DSSP) version one updates/packets sent to the remote sites.
    DSSPv1 remote site updates received: The number of Distributed Site State Protocol (DSSP) version one updates/packets received from the remote sites.
    DSSPv2 remote site updates sent: The number of Distributed Site State Protocol (DSSP) version two updates/packets sent to the remote sites.
    DSSPv2 remote site updates received: The number of Distributed Site State Protocol (DSSP) version two updates/packets received from the remote sites.
    DNS queries received: The number of DNS queries received.
    Bad DNS queries received: The number of bad DNS queries received.
    DNS responses sent: The number of DNS responses sent by the switch, which includes DNS directs and DNS error responses.
    HTTP requests received: The number of HTTP requests received.
    Bad HTTP requests received: The number of bad/dropped client HTTP requests. Client HTTP GET request packets that do not contain the entire URL are considered bad and are dropped.
    HTTP responses sent: The number of HTTP responses sent by the switch, which includes HTTP redirects.
    Hostname domain hits: The number of times the DNS queries received matched the hostname configured.
    Network domain hits: The number of times the DNS queries received matched the network domain name configured.
    Basic domain hits: The number of times the DNS queries received matched the basic domain name configured.
    No server selected for hostname domain: The number of times no server was selected after matching the host name domain.
    No server selected for network domain: The number of times no server was selected after matching the network domain name.
    No server selected for basic domain: The number of times no server was selected after matching the basic domain name.
    No matching domain: The number of times the DNS queries received did not match the host name, domain name, or the network domain configured.
    Last no result domain: The domain in the last DNS query received that did not match the host name, domain name, or the network domain configured.
    Last source IP: The source IP address of the last DNS query or HTTP request received.
NOTE Octets are provided per server, not per service, unless configured as described in Per Service Octet Counters on page 196.
Table 4-36 Real Server SLB Statistics (/stats/slb/real)
    Current sessions: The total number of outstanding sessions that are established to the particular real server.
    Total sessions: The total number of sessions that have been established to the particular real server.
    Highest sessions: The highest number of sessions ever recorded for the particular real server.
    Octets: The total number of octets sent by the particular real server.
2. On the Nortel Application Switch, configure a real server with a real IP address for each service above. Continuing the example above, two real servers would be configured for the physical server (representing each real service). If there were five physical servers providing the two services (HTTP and FTP), 10 real servers would have to be configured: five for the HTTP services on each physical server, and five for the FTP services on each physical server.
3. On the Nortel Application Switch, configure one real server group for each type of service, and group each appropriate real server IP address into the group that handles the specific service. Thus, in keeping with our example, two groups would be configured: one for handling HTTP and one for handling FTP.
4. Configure a virtual server and add the appropriate services to that virtual server.
Real server group statistics include the following:
    Current and total sessions for each real server in the real server group.
    Current and total sessions for all real servers associated with the real server group.
    Highest number of simultaneous sessions recorded for each real server.
    Real server transmit/receive octets. For per-service octet counters, see the procedure on Per Service Octet Counters on page 196.
NOTE The virtual server IP address is shown on the last line, below the real server IP addresses.
Virtual server statistics include the following:
    Current and total sessions for each real server associated with the virtual server.
    Current and total sessions for all real servers associated with the virtual server.
    Highest number of simultaneous sessions recorded for each real server.
    Real server transmit/receive octets. For per-service octet counters, see Per Service Octet Counters on page 196.
You can obtain the total number of times any filter has been matched.
/stats/slb/layer7
SLB Layer7 Statistics Menu
[Layer 7 Statistics Menu]
    redir   - Show URL Redirection stats
    str     - Show SLB String stats
    maint   - Show Layer 7 Maintenance stats
    pooling - Show connection pooling stats
/stats/slb/layer7/redir
Layer7 Redirection Statistics
URL based web cache redirection stats:
    Total cache server hits:                0
    Total origin server hits:               0
    Total straight to origin server hits:   0
    Total none-GETs hits:                   0
    Total 'Cookie: ' hits:                  0
    Total no-cache hits:                    0
    Total RTSP cache server hits:           0
    Total RTSP origin server hits:          0
    Total HTTP redirection hits:            0
    Total cache server hits: The total number of HTTP requests redirected to the cache server.
    Total origin server hits: The total number of HTTP requests forwarded to the origin server.
    Total straight to origin server hits: The total number of HTTP requests forwarded straight to the origin server.
    Total none-GETs hits: The total number of non-GET requests forwarded to the origin server.
    Total 'Cookie:' hits: The total number of cookie requests forwarded to the origin server.
    Total no-cache hits: The total number of requests containing a no-cache header forwarded to the origin server.
    Total RTSP cache server hits: The total number of RTSP requests redirected to the cache server.
    Total RTSP origin server hits: The total number of RTSP requests forwarded to the origin server.
    Total HTTP redirection hits: The total number of HTTP requests that were redirected by a redirection filter.
/stats/slb/layer7/str
Layer 7 SLB String Statistics
SLB String stats:
    ID  SLB String                  Hits
    1   any                         1527115
    2   www.[abcdefghijklm]*.com    0
    3   www.[nopqrstuvwxyz]*.com    0
    4   www.junk.com                0
    5   www.abc.com                 0
    6   www.[abcdefjhijklm]*.org    0
    7   www.[nopqrstuvwxyz]*.org    0
/stats/slb/layer7/maint
Layer 7 SLB Maintenance Statistics
Layer 7 maintenance stats:
    Clients reset by switch on client side:   0
    Clients reset by switch on server side:   0
    Connection Splicing to support HTTP/1.1:  0
    Invalid HTTP methods:                     0
    Aged delayed binding sessions:            0
    Half open connections:                    0
    Switch retries:                           0
    Random early drops:                       0
    Requests exceeded 9000 bytes:             0
    Invalid 3-way handshakes:                 0
    Exceeded max frame size:                  0
    Out of order packet drops:                0
    Current SP[1] memory units:  1260    Lowest:
    Current SP[2] memory units:  1260    Lowest:
    Current SP[3] memory units:  1260    Lowest:
    Current SP[4] memory units:  1260    Lowest:
    Current SP memory units:     5040
    Current SEQ buffer entries:  0       Highest:
    Current Data buffer use:     0       Highest:
    Current SP buffer entries:   0       Highest:
    Total Nonzero SEQ Alloc:     0
    Total SEQ Buffer Allocs:     0       Total SEQ Frees:
    Total Data Buffer Allocs:    0       Total Data Frees:
    Alloc Fails - Seq buffers:   0       Alloc Fails - Ubufs:
    Max sessions per bucket:     0       Max frames per session:
    Max bytes buffered (sess):   0
Switch retries
Random early drops
Requests exceeded 4500 bytes
Invalid 3-way handshakes
Exceeded max frame size
Out of order packet drops
Current SP memory units
Current SEQ buffer entries
Highest SEQ buffer entries
Current Data buffer use
Highest Data buffer use
Total Nonzero SEQ Alloc
Total SEQ Buffer Allocs
Total SEQ Frees
    Max frames per session: The maximum number of frames to be buffered per session.
    Max bytes buffered (sess): The maximum number of bytes to be buffered per session.
/stats/slb/layer7/pooling
Layer7 Pooling Statistics
>> Layer 7 Statistics# pooling
-----------------------------------------------------------------
Connection pooling statistics:
    Current opened server connections:            0
    Active server connections:                    0
    Available server connections:                 0
    Total number of aged out client connections:  0
    Total number of aged out server connections:  0
/stats/slb/ssl
SLB Secure Socket Layer Statistics
SSL SLB maintenance stats:
    SessionId allocation fails:            0
    Total number of SSL ID reassignments:  0

                              Current    Total      Highest
                              Sessions   Sessions   Sessions
    -------------------------  --------   --------   --------
    Unique SessionIds          0          0          0
    SSL connections            0          0          0
    Persistent Port Sessions   0          0          0
/stats/slb/ftp
File Transfer Protocol SLB and Filter Statistics Menu
[FTP SLB parsing and Filter Statistics Menu]
    active  - Show active FTP NAT filter stats
    parsing - Show FTP SLB parsing server stats
    maint   - Show FTP maintenance stats
    dump    - Dump all FTP SLB/NAT stats
Table 4-42 FTP SLB Parsing and Filter Statistics Menu Options (/stats/slb/ftp)
    active: Shows active FTP SLB parsing and filter statistics. See page 206 for sample output.
    parsing: Shows parsing statistics. See page 206 for sample output.
    maint: Shows maintenance statistics. See page 207 for sample output.
    dump: Shows all FTP SLB/NAT statistics. See page 207.
/stats/slb/ftp/active
Active FTP SLB Parsing and Filter Statistics
Total Active FTP NAT stats(PORT):
    Total FTP:                   0
    Total New Active FTP Index:  0
    Active FTP NAT ACK/SEQ diff: 0
Table 4-43 Active FTP SLB Parsing and Filter Statistics (/stats/slb/ftp/active)
    Total Active FTP NAT stats (PORT): The number of times the switch receives the PORT command from the client.
    Total FTP: The number of times the switch receives both active and passive FTP connections.
    Total New Active FTP Index: The number of times the switch creates a new index due to a PORT command from the client.
    Active FTP NAT ACK/SEQ diff: The difference in the ACK and SEQ numbers that the switch needs for packet adjustment.
/stats/slb/ftp/parsing
Passive FTP SLB Parsing Statistics
Total FTP SLB Parsing Stats(PASV):
    Total FTP:                       0
    Total New FTP SLB parsing Index: 0
    FTP SLB parsing ACK/SEQ diff:    0
/stats/slb/ftp/maint
FTP SLB Maintenance Statistics
FTP mode switch error: 0
/stats/slb/ftp/dump
FTP SLB Statistics Dump
    Total FTP:                         0
    Total FTP NAT Filtered:            0
    Total new active FTP NAT Index:    0
    Total new FTP SLB parsing Index:   0
    FTP Active FTP NAT ACK/SEQ diff:   0
    FTP SLB parsing ACK/SEQ diff:      0
    FTP mode switch error:             0
    Total FTP NAT Filtered: The total number of FTP NAT filter sessions that occurred.
    Total new active FTP NAT Index: The total number of new data sessions created for the FTP NAT filter in active mode.
    Total new FTP SLB parsing Index: The number of times the switch creates a new index in response to the PASV command from the client.
    FTP Active FTP NAT ACK/SEQ diff: The total number of times the adjustment between ACK and SEQ occurred on the filter.
    FTP SLB parsing ACK/SEQ diff: The difference in the ACK and SEQ numbers that the switch needs for FTP SLB parsing.
    FTP mode switch error: The number of times the switch could not switch mode from active to passive and vice versa.
/stats/slb/rtsp
RTSP SLB Statistics
    SP   Control      UDP          Connection   Denied       Buffer       Alloc
         Connection   Streams      Redirect                  Allocs       Failures
    --   ----------   ----------   ----------   ----------   ----------   ----------
    1    0            0            0            0            0            0
    2    0            0            0            0            0            0
    3    0            0            0            0            0            0
    4    0            0            0            0            0            0
    --   ----------   ----------   ----------   ----------   ----------   ----------
         0            0            0            0            0            0
/stats/slb/dns
DNS SLB Statistics
    Total number of TCP DNS queries:                  0
    Total number of UDP DNS queries:                  0
    Total number of invalid DNS queries:              0
    Total number of multiple DNS queries:             0
    Total number of domain name parse errors:         0
    Total number of failed real server name matches:  0
    Total number of DNS parsing internal errors:      0
/stats/slb/wap
WAP SLB Statistics
This command displays all the Radius and WAP related counters.
WAP Maintenance stats:
    current sessions:          0
    allocation failures:       0
    incorrect VIPs:            0
    incorrect Vports:          0
    no available real server:  0
    requests to wrong SP:      0
-----------------------------------------------------------------
TPCP External Notification stats:
    add session reqs:    0
    del session reqs:    0
    req fails- SP dead:  0
    req fails- SP dead:  0
-----------------------------------------------------------------
RADIUS Snooping stats:
    acct reqs:           0
    acct wrap reqs:      0
    acct start reqs:     0
    acct update reqs:    0
    acct stop reqs:      0
    acct bad reqs:       0
    acct reqs(FIP):      0
    acct reqs(no FIP):   0
    add session reqs:    0
    del session reqs:    0
    req fails- SP dead:  0
    req fails- DMA:      0
WAP Maintenance stats:
    current sessions: The number of session bindings currently in use.
    allocation failures: Indicates instances where the switch ran out of available bindings for a port.
    incorrect VIPs: Indicates the number of times the switch received a Layer 4 request for a virtual server which was not configured.
    incorrect Vports: This dropped frames counter indicates that the virtual server has received frames for TCP/UDP services that have not been configured. Normally this indicates a mis-configuration on the virtual server or the client.
    no available real server: This dropped frames counter indicates that all real servers are either out of service or at their maxcon limit.
    requests to wrong SP: The number of session add/delete requests sent to the wrong SP.
TPCP External Notification stats:
    add session reqs: The number of WAP session add requests via TPCP.
    req fails- SP dead: The number of add-request failures due to a dead target SP.
RADIUS Snooping stats:
    acct reqs: The number of RADIUS Accounting frames received.
    acct wrap reqs: The number of wrapped RADIUS Accounting frames received.
    acct start reqs: The number of RADIUS Accounting Start frames received.
    acct update reqs: The number of RADIUS Accounting Update frames.
    acct stop reqs: The number of RADIUS Accounting Stop frames received.
    acct bad reqs: The number of bad RADIUS Accounting frames received.
    add session reqs: The number of WAP session add requests via RADIUS snooping.
    del session reqs: The number of WAP session delete requests via RADIUS snooping.
    req fails- SP dead: The number of add/delete request failures due to a dead target SP.
    req fails- DMA: The number of add/delete requests that failed due to a DMA write failure.
/stats/slb/maint
SLB Maintenance Statistics
SLB Maintenance stats: Maximum sessions: Current sessions: 4 second average: 64 second average: Terminated sessions: Allocation failures: UDP datagrams: Non TCP/IP frames: Incorrect VIPs: Incorrect Vports: No available real server: Backup server activations: Overflow server activations: Filtered (denied) frames: LAND attacks: No TCP control bits: Invalid reset packet drops: Total IP fragment sessions: Current IP fragment sessions IP fragment discards: IP fragment table full: Current IPF buffer sessions: Highest IPF buffer sessions: IPF buffer alloc fails: IPF SP buffer alloc fails: SP buffer too low: Exceeded 16 OOO packets: Free Service pool entries: Current IP6 sessions: Incorrect IP6 VIPs: Incorrect IP6 Vports: IP6 packets drops: 2097104 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 8192 0 0 0 0
SYMANTEC MAINT STATISTICS:
  Symantec sessions:                      0
  Symantec segments:                      0
  Symantec Fragment sessions:             0
  Segment allocation fails:               0
  Buffer allocation fails:                0
  Connection allocation fails:            0
  Invalid buffers:                        0
  Segment reallocation fails:             0
SYMANTEC INSPECTION STATISTICS
  Packets in:                             0
  Packets with no data:                   0
  TCP packets:                            0
  UDP packets:                            0
  ICMP packets:                           0
  packets not TCP, UDP or ICMP:           0
  Symantec Match count:                   0
  Fetch errors:                           0
  Truncated payload to MP:                0
  Packets in fast path:                   0
SLB Maintenance statistics are described in the following table.
Table 4-50 Server Load Balancing Maintenance Statistics (/stats/slb/maint)
Statistic             Description
  Maximum sessions    - The maximum number of simultaneous sessions supported.
  Current Sessions    - Number of session bindings currently in use (and the averages over the last 4 and 64 seconds).
  Terminated Sessions - Number of sessions removed from the session table because the server assigned to them failed and graceful server failure was not enabled.
  Allocation Failures - Indicates instances where the switch ran out of available sessions for a port.
  UDP Datagrams       - Indicates that the virtual server IP address and MAC are receiving UDP frames when UDP balancing is not turned on.
  Non TCP/IP Frames   - Indicates the number of non-IP based frames received by the virtual server.
  Incorrect VIPs      - Indicates the number of times the switch received a Layer 4 request for a virtual server which was not configured.
  Incorrect Vports    - This dropped-frames counter indicates that the virtual server has received frames for TCP/UDP services that have not been configured. Normally this indicates a misconfiguration on the virtual server or the client, but it may be an indication of a security probing application like SATAN.
  No TCP Control Bits          - The number of packets dropped because the packet had no control bits set in the TCP header.
  Invalid reset packet drops   - The number of packets dropped because the packet had an invalid reset flag set.
  Total IP fragment sessions   - The total number of fragment sessions the switch has processed so far.
  Current IP fragment sessions - The current number of fragment sessions.
  IP fragment discards         - The number of fragmented packets discarded due to lack of resources.
  IP fragment table full       - How many times the session table was full.
  Free service pool entries    - The number of free service pool entries.
SYMANTEC MAINT STATISTICS
  Symantec sessions          - The number of sessions inspected by the Symantec engine.
  Symantec segments          - The number of packets inspected by the Symantec engine.
  Symantec Fragment sessions - The number of IP fragment sessions inspected by the Symantec engine.
  Segment allocation fails   - The number of memory allocation failures for IP fragments.
  Buffer allocation fails    - Symantec stream buffer allocation failures.
SYMANTEC INSPECTION STATISTICS
  Packets in                   - Number of packets submitted for Symantec inspection.
  Packets with no data         - Number of packets with no data (no inspection needed).
  TCP packets                  - Number of TCP packets submitted for Symantec inspection.
  UDP packets                  - Number of UDP packets submitted for Symantec inspection.
  ICMP packets                 - Number of ICMP packets submitted for Symantec inspection.
  packets not TCP, UDP or ICMP - Number of non TCP/UDP/ICMP packets submitted for Symantec inspection.
  Symantec Match count         - Number of Symantec signature matches.
  Fetch errors                 - Number of Symantec signature match info fetch errors.
  Truncated payload to MP      - Number of truncated Symantec match info reports sent to the MP.
  Packets in fast path         - Number of packets assigned Symantec BWM contracts.
/stats/slb/sip
SIP SLB Statistics
SIP Stats:
  Total number of SIP Client Parse Errors    : 0
  Total number of SIP Server Parse Errors    : 0
  Total number of SIP Unknown Method packets : 0
  Total number of SIP Incomplete Messages    : 0
  Total number of SIP Filter Parse Errors    : 0
  Total number of packets with SIP SDP NAT   : 0
  Total number of SIP Unknown Method packets - Total number of packets received with methods not known to the SIP parser on the switch.
  Total number of SIP Incomplete Messages    - Total number of packets received which do not contain the complete SIP message in a single packet.
  Total number of SIP Filter Parse Errors    - Total number of errors encountered during filter processing when parsing an incoming SIP packet.
  Total number of packets with SIP SDP NAT   - Total number of packets received that have SIP SDP NAT information.
/stats/slb/mirror
SLB Session Mirroring Statistics
Table 4-53 SLB Session Mirroring statistics (/stats/slb/mirror)
>> Server Load Balancing Statistics# mirror
------------------------------------------------------------------
Session Mirroring Stats:                      Rx    Tx
  Total Create Session Messages                0     0
  Total Update Session Messages                0     0
  Total Delete Session Messages                0     0
  Total Create Data Session Messages           0     0
  Total Update Data Session Messages           0     0
  Total Delete Data Session Messages           0     0
  Total Sessions Created                       0
  Total Sessions Updated                       0
  Total Sessions Deleted                       0
  Total Data Sessions Created                  0
  Total Data Sessions Updated                  0
  Total Data Sessions Deleted                  0
  Session table full                           0
  Unvailable pport                             0
  Session already present                      0
  Session not found                            0
  Control session not found                    0
BW Contract statistics
Contract Name            Rate(Kbps)     Octets   Discards BufUsed BufMax
-------- --------------- ---------- ---------- ---------- ------- ------
       1 cont1                    0   40465360  262049256       0  16320
       2 cont2                    0          0          0       0  16320
      20 cont20                5230  682947936 1822133376   16384  16320
      26 cont26                   0          0          0       0  16320
    1024 Default                  0     773974          0       0  16320
       1 cont1                    0   40465360  262049256       0  16320
       2 cont2                    0          0          0       0  16320
      20 cont20                5238  684289056 1825753104   16384  16320
      26 cont26                   0          0          0       0  16320
    1024 Default                  0     774114          0       0  16320
The following description of statistics applies on a specific switch port for all enabled contracts.
NOTE This command displays enabled contracts only.
Table 4-56 Bandwidth Management Contract Statistics (/stats/bwm/cont)
Statistics   Description
  Contract   - The contract number.
  Name       - The contract name.
  Octets     - The number of octets transmitted through a particular contract since the switch was booted.
  Discards   - The number of octets discarded because more traffic was seen than the bandwidth contract limit permits.
  Total Pkts - The total number of packets classified for that contract.
  BufUsed    - The current amount of buffer space used to store packets that are waiting to be transmitted.
/stats/bwm/rcont
BWM Contract Rate Statistics
Use this command to show the rate statistics of all the enabled contracts. NOTE This command displays enabled contracts only. This command repeats its output when the printed lines are less than the configured CLI lines per screen. If the CLI lines are configured at zero per screen, the command will continue to repeat its output until you type a key on the console or telnet session. You can configure the number of CLI lines per screen using the global (hidden) command: lines <number of lines>. For example:
>> AAS_2424 - Bandwidth Management Statistics# lines
Current lines-per-screen: 24
>> AAS_2424 - Bandwidth Management Statistics# lines ?
lines   sets lines-per-screen 0-300, zero for infinite
BW Contract statistics
Contract Name            Rate(Kbps)     Octets   Discards BufUsed BufMax
-------- --------------- ---------- ---------- ---------- ------- ------
       1 cont1                 5222  285408288  735607152   16384 456960
       2 cont2                    0          0          0       0 456960
      20 cont20                5238  285720864  735308784   16384 456960
      26 cont26                   0          0          0       0 456960
    1024 Default                  4     517182          0       0 456960
       1 cont1                 5230  286747296  739228896   16384 456960
       2 cont2                    0          0          0       0 456960
      20 cont20                5230  287059872  738930528   16384 456960
      26 cont26                   0          0          0       0 456960
    1024 Default                  8     519400          0       0 456960
       1 cont1                 5222  288084192  742853160   16384 456960
       2 cont2                    0          0          0       0 456960
      20 cont20                5238  288400992  742550760   16384 456960
      26 cont26                   0          0          0       0 456960
    1024 Default                  8     521578          0       0 456960
/stats/bwm/hist
BWM History Statistics
Switch IP    Cont Name                Octets   Discards TimeStamp YyyyMmDd:Hr:Mi/TmZone
------------ ---- ---------------- ---------- ---------- ---------------------------
47.80.23.124    1 filter_number01           0          0 20030910:15:11/ -8:00
47.80.23.124    2 filter_number02           0          0 20030910:15:11/ -8:00
47.80.23.124    3 filter_number03           0          0 20030910:15:11/ -8:00
47.80.23.124    4 filter_number04           0          0 20030910:15:11/ -8:00
47.80.23.124    5 filter_number05           0          0 20030910:15:11/ -8:00
47.80.23.124    6 filter_number06           0          0 20030910:15:11/ -8:00
47.80.23.124    7 filter_number07           0          0 20030910:15:11/ -8:00
47.80.23.124    8 filter_number08           0          0 20030910:15:11/ -8:00
47.80.23.124    9 filter_number09           0          0 20030910:15:11/ -8:00
47.80.23.124   10 filter_number10           0          0 20030910:15:11/ -8:00
47.80.23.124 1024 Default                 608          0 20030910:15:11/ -8:00
You can dump the statistics kept in the SMTP history buffer; the same buffer is dumped periodically when an E-mail is sent. Long-term history is kept only for the contracts that are enabled and have the history command turned on. Use this command to show the history of all contracts for which history is enabled. Sampling is done at one-minute intervals.
Table 4-58 Bandwidth Management History Statistics (/stats/bwm/hist)
Statistics   Description
  Contract   - The contract number for which history is enabled.
  Octets     - The number of octets sent out on a particular contract.
  Discards   - The number of octets discarded because more traffic was seen than the bandwidth contract limit permits.
  TimeStamp  - Indicates the time the packets were received or discarded.
NOTE These statistics can only be viewed when the e-mail option is enabled.
/stats/bwm/maint
BWM Maintenance Statistics
BWM Maint statistics
------------------------------------------------------------------
Maint Stats for rate limiting contracts
  Discard pkts                              0
  Discard octets                            0
  Out pkts                                  0
  Out octets                                0
  Transmit failed                           0
  User Limit entry allocation failures      0
------------------------------------------------------------------
Maint Stats for traffic shaping contracts
  QFull Discard pkts                        0
  QFull Discard octets                      0
  Out of buffers pkts                       0
  Out of buffers pkts                       0
  Transmit failed                           0
  TDT set when qfull                        0
  TDT set between soft and hard             0
  TDT set at soft                           0
/stats/bwm/ipusers
BWM IP Users Statistics
This command displays the number of BWM IP user entries for each BWM contract for each SP.
BWM IP users statistics
Contract        SP1        SP2        SP3        SP4      Total
-------- ---------- ---------- ---------- ---------- ----------
      10          0         10          0          0         10
      11          0         10          0          0         10
         ---------- ---------- ---------- ---------- ----------
                  0         20          0          0         20
/stats/security/dos
DOS Attack Statistics Menu
[Protocol Anomaly and DoS Attack Prevention Statistics Menu]
  port  - Show port protocol anomaly and DoS attack prevention stats
  dump  - Dump all protocol anomaly and DoS attack prevention stats
  clear - Clear all protocol anomaly and DoS attack prevention stats
  help  - Protocol anomaly and DoS attack prevention description
Refer to your Nortel Application Switch Operating System Application Guide for a detailed description of DOS attacks.
>> /stats/security/dos help
iplen       : IPv4 packets with bad IP header or payload length.
ipversion   : IPv4 packets with IP version not 4.
broadcast   : IPv4 packets with broadcast source or destination IP [0.0.0.0,255.255.255.255].
loopback    : IPv4 packets with loopback source or destination IP [127.0.0.0/8].
land        : IPv4 packets with same source and destination IP.
ipreserved  : IPv4 packets with IP reserved bit is set.
ipttl       : IPv4 packets with small IP TTL.
ipprot      : IPv4 packets with IP protocol is unassigned or reserved.
ipoptlen    : IPv4 packets with bad IP options length.
fragmoredont: IPv4 packets with more fragments and don't fragment bits are set.
fragdata    : IPv4 packets with more fragments bit is set and small payload.
fragboundary: IPv4 packets with more fragments bit is set and payload not at 8-byte boundary.
fraglast    : IPv4 packets last fragment without payload.
fragdontoff : IPv4 packets with non-zero fragment offset and don't fragment bits are set.
fragopt     : IPv4 packets with non-zero fragment offset and IP options.
fragoff     : IPv4 packets with small non-zero fragment offset.
fragoversize: IPv4 packets with non-zero fragment offset and oversize payload.
tcplen      : TCP packets with bad TCP header length.
tcpportzero : TCP packets with source or destination port is zero.
blat        : TCP packets with SIP!=DIP and SPORT=DPORT.
tcpreserved : TCP packets with TCP reserved bit is set.
nullscan    : TCP packets with all control bits are zero.
fullxmasscan: TCP packets with all control bits are set.
finscan     : TCP packets with only FIN bit is set.
vecnascan   : TCP packets with only URG or PUSH or URG|FIN or PSH|FIN or URG|PSH bits are set.
xmasscan    : TCP packets with FIN, URG and PSH bits are set.
synfinscan  : TCP packets with SYN and FIN bits are set.
flagabnormal: TCP packets with abnormal control bits combination.
syndata     : TCP packets with SYN bit is set and with payload.
synfrag     : TCP packets with SYN bit is set and more fragments bit is set.
ftpport     : TCP packets with SPORT=20, DPORT<1024 and SYN bit is set.
dnsport     : TCP packets with SPORT=53, DPORT<1024 and SYN bit is set.
seqzero     : TCP packets with sequence number is zero.
ackzero     : TCP packets with acknowledgement number is zero and ACK bit is set.
tcpoptlen   : TCP packets with bad TCP options length.
udplen      : UDP packets with bad UDP header length.
udpportzero : UDP packets with source or destination port is zero.
fraggle     : UDP packets to broadcast destination IP (x.x.x.255).
pepsi       : UDP packets with SPORT=19, DPORT=7 or SPORT=7, DPORT=19.
rc8         : UDP packets with SPORT=7 and DPORT=7.
snmpnull    : UDP packets with DPORT=161 and without payload.
icmplen     : ICMP packets with bad ICMP header length.
smurf       : ICMP ping requests to a broadcast destination IP (x.x.x.255).
icmpdata    : ICMP packets with zero fragment offset and large payload.
icmpoff     : ICMP packets with large fragment offset.
icmptype    : ICMP packets with type is unassigned or reserved.
igmplen     : IGMP packets with bad IGMP header length.
igmpfrag    : IGMP packets with more fragments bit is set or non-zero fragment offset.
igmptype    : IGMP packets with type is unassigned or reserved.
arplen      : ARP request or reply packets with bad length.
arpnbcast   : ARP request packets with non broadcast destination MAC.
arpnucast   : ARP reply packets with non unicast destination MAC.
arpspoof    : ARP request or reply packets with mismatch source with sender MACs or destination with target MACs.
garp        : ARP request or reply packets with same source and destination IP.
ip6len      : IPv6 packets with bad header length.
ip6version  : IPv6 packets with IP version not 6.
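The help text above lists what each DoS counter means but not how a frame is tested against the rules. As an added example (not Nortel code and not the switch's own implementation), here is a small Python classifier that decodes raw IPv4/TCP frames and returns the counter names a subset of those rules would increment. The frames are constructed inline. Two things are assumptions, since the page does not specify them: the rules with unstated thresholds (ipttl, fragdata, and the like) are left out, and the flag-combination scans are checked from most to least specific so a frame is charged to one scan counter only.

```python
import ipaddress
import struct

# Added example, not switch firmware. Applies a subset of the /stats/security/dos
# anomaly rules to raw IPv4/TCP frames constructed here; thresholds the page does
# not state are omitted, and scan-rule precedence is an assumption.

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ANY, BCAST = ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255")
IP_RESERVED, IP_MF = 0x8000, 0x2000


def build_ipv4_tcp(src, dst, sport, dport, flags, seq=1, ack=0, payload=b"", frag_bits=0):
    """Minimal IPv4+TCP frame with zero checksums (none of the rules here look at them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, frag_bits, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def classify(pkt):
    """Return the list of anomaly counter names (switch spelling) this frame trips."""
    hits = []
    if len(pkt) < 20:
        return ["iplen"]
    ver_ihl, _, total_len, _, frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4:
        hits.append("ipversion")
    if ihl < 20 or ihl > len(pkt) or total_len != len(pkt):
        hits.append("iplen")
        return hits
    src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    if src in (ANY, BCAST) or dst in (ANY, BCAST):
        hits.append("broadcast")
    if src.is_loopback or dst.is_loopback:
        hits.append("loopback")
    if src == dst:
        hits.append("land")
    if frag & IP_RESERVED:
        hits.append("ipreserved")
    if proto != 6 or frag & 0x1FFF:          # only the first fragment carries the TCP header
        return hits
    tcp = pkt[ihl:]
    if len(tcp) < 20:
        return hits + ["tcplen"]
    sport, dport, seq, ack, off_res, fl = struct.unpack("!HHIIBB", tcp[:14])
    doff = (off_res >> 4) * 4
    if doff < 20 or doff > len(tcp):
        return hits + ["tcplen"]
    if sport == 0 or dport == 0:
        hits.append("tcpportzero")
    if src != dst and sport == dport:
        hits.append("blat")
    if off_res & 0x0F:                       # reserved bits beside the data offset
        hits.append("tcpreserved")
    ctrl = fl & 0x3F
    # Flag-combination scans: one counter per frame, most specific first (assumption).
    if ctrl == 0:
        hits.append("nullscan")
    elif ctrl == 0x3F:
        hits.append("fullxmasscan")
    elif ctrl == FIN:
        hits.append("finscan")
    elif ctrl in (URG, PSH, URG | FIN, PSH | FIN, URG | PSH):
        hits.append("vecnascan")
    elif ctrl == FIN | URG | PSH:
        hits.append("xmasscan")
    elif ctrl & SYN and ctrl & FIN:
        hits.append("synfinscan")
    if ctrl & SYN:
        if len(tcp) > doff:
            hits.append("syndata")
        if frag & IP_MF:
            hits.append("synfrag")
        if sport == 20 and dport < 1024:
            hits.append("ftpport")
        if sport == 53 and dport < 1024:
            hits.append("dnsport")
    if seq == 0:
        hits.append("seqzero")
    if ack == 0 and ctrl & ACK:
        hits.append("ackzero")
    return hits
```

Feeding a normal SYN from a client port to port 80 returns an empty list, while a frame whose source and destination addresses are equal returns ["land"], the same name the switch reports in its per-port counters.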
/stats/security/ipacl
IP Access Control List Statistics
The following IP Access Control List statistics can be viewed with this command:
[IP ACL Statistics Menu]
  dump  - IP address access control Stats
  clear - Clear all access control Stats
/stats/security/udpblast
UDP Blast Statistics
[UDP Blast Statistics Menu]
  dump  - UDP Blast Stats
  clear - Clear all UDP Blast Stats
/stats/security/udpblast/dump
UDP Blast Dump Statistics
UDP blast protection stats:
UDP Port   Blocked Packets   Current Packet Rate/Second
--------   ---------------   --------------------------
/stats/security/pgroup
Pattern Match Group Statistics
Pattern Match Group stats:
ID   Name             Hits
1                        0
This menu displays how many times each configured pattern group has been matched and a subsequent filtering action performed. Pattern groups are configured in the Pattern Matching Menu on page 397.
/stats/security/ratelim
Rate Limiting Statistics
Rate limiting stats:
TCP:
  Total hold downs triggered:          0
  Current per-client state entries:    0
UDP:
  Total hold downs triggered:          0
  Current per-client state entries:    0
ICMP:
  Total hold downs triggered:          0
  Current per-client state entries:    0
/stats/security/dump
Dump Statistics for Security
IP ACL stats:
Address                   Blocked Packets
------------------------  ---------------
------------------------------------------------------------------
UDP blast protection stats:
UDP Port   Blocked Packets   Current Packet Rate/Second
--------   ---------------   --------------------------
------------------------------------------------------------------
Pattern Match Group stats:
ID   Name             Hits
1                        0
100                      0
101                      0
------------------------------------------------------------------
Rate limiting stats:
TCP:
  Total hold downs triggered:          0
  Current per-client state entries:    0
UDP:
  Total hold downs triggered:          0
  Current per-client state entries:    0
ICMP:
  Total hold downs triggered:          0
  Current per-client state entries:    0
/stats/mp/pkt
MP Packet Statistics
Packet counts:
  allocs:            89262   frees:                   89262
  mediums:               0   mediums hi-watermark:        4
  jumbos:                0   jumbos hi-watermark:         0
  smalls:                0   smalls hi-watermark:         4
  alloc fails:           0   packet discards:             0
TCP counts:
  allocs:             4866   frees:                    4827
  current:              46   current hi-watermark:      146
  alloc fails:           0   alloc discards:              0
  jumbos hi-watermark - The highest number of packet allocations with a size between 1536 bytes and 9K bytes from the packet buffer pool by the TCP/IP protocol stack.
  smalls hi-watermark - The highest number of packet allocations with a size of less than 128 bytes from the packet buffer pool by the TCP/IP protocol stack.
TCP counts:
  allocs               - Total number of TCP packet allocations from MP memory by the TCP/IP protocol stack.
  current              - Number of TCP packet buffers currently allocated from MP memory by the TCP/IP protocol stack.
  alloc fails          - Total number of TCP packet allocation failures from MP memory by the TCP/IP protocol stack.
  frees                - Total number of times TCP packet buffers were freed (released) to MP memory by the TCP/IP protocol stack.
  current hi-watermark - The highest number of TCP packet buffers allocated from MP memory by the TCP/IP protocol stack at any one time.
  alloc discards       - The number of TCP packets discarded by the MP because MP memory resources were not available.
/stats/mp/tcb
TCP Statistics
All TCP allocated control blocks:
117f6d00: 0.0.0.0 0 <=> 0.0.0.0 23 listen
117f81a8: 47.81.27.6 1331 <=> 47.80.16.59 80 established
/stats/mp/ucb
UCB Statistics
All UDP allocated control blocks:
161: listen
1985: listen
3122: listen
/stats/mp/sfd
MP-Specific SFD Statistics
All Socket FD allocated:
0 -1 16 1180b128: 0.0.0.0 0 <=> 47.133.88.31 81 listen TCP server
1 -1 17 108c5bd8: 0.0.0.0 0 <=> 47.133.88.31 23 listen TCP server
2 -1 18 108d5cfc: 0.0.0.0 0 <=> 47.133.88.31 22 listen TCP server
3 -1 19 1180a258: 0.0.0.0 0 <=> 47.133.88.31 443 listen TCP server
/stats/mp/cpu
CPU Statistics
This menu option enables you to display the CPU utilization statistics on MP.
CPU utilization:
  cpuUtil1Second:     0
  cpuUtil4Seconds:    0
  cpuUtil64Seconds:   0
/stats/sp/cpu
CPU Statistics
This menu option enables you to display the CPU utilization statistics on the Switch Processor (SP).
CPU utilization for SP 1:
  cpuUtil1Second:     6%
  cpuUtil4Seconds:    6%
  cpuUtil64Seconds:   6%
CHAPTER 5
320506-C Rev. 02, Feb 2007
NOTE The apply command is a global command. Therefore, you can enter apply at any prompt in the administrative interface.
NOTE All configuration changes take effect immediately when applied, except for starting Spanning Tree Protocol. To turn STP on or off, you must apply the changes, save them (see below), and then reset the switch (see Resetting the Switch on page 512).
NOTE If you do not save the changes, they will be lost the next time the system is rebooted. To save the new configuration, enter the following command at any CLI prompt:
# save
When you save configuration changes, the changes are saved to the active configuration block. The configuration being replaced by the save is first copied to the backup configuration block. If you do not want the previous configuration block copied to the backup configuration block, enter the following instead:
# save n
You can decide which configuration you want to run the next time you reset the switch. Your options include:
  The active configuration block
  The backup configuration block
  Factory default configuration
You can view all pending configuration changes that have been applied but not saved to flash memory using the diff flash command. It is a global command that can be executed from any menu. For instructions on selecting the configuration to run at the next system reset, see Selecting a Configuration Block on page 511.
This menu provides configuration of switch management parameters such as user and administrator privilege mode passwords, Web-based management settings, and the management access list.
Table 5-2 System Configuration Menu Options (/cfg/sys)
Command Syntax and Usage
  syslog - Displays the Syslog Menu. To view menu options, see page 251.
  mmgmt  - Displays the Management Port Menu. To view menu options, see page 253.
  radius - Displays the RADIUS Authentication Menu. To view menu options, see page 256.
  tacacs - Displays the TACACS+ Authentication Menu. To view menu options, see page 258.
  ntp    - Displays the Network Time Protocol (NTP) Server Menu. To view menu options, see page 259.
/cfg/sys/syslog
System Host Log Configuration
NOTE Nortel Application Switch Operating System 23.0 supports the RFC 3164 standard for Syslogs.
[Syslog Menu]
  host    - Set IP address of first syslog host
  host2   - Set IP address of second syslog host
  sever   - Set the severity of first syslog host
  sever2  - Set the severity of second syslog host
  facil   - Set facility of first syslog host
  facil2  - Set facility of second syslog host
  console - Enable/disable console output of syslog messages
  log     - Enable/disable syslogging of features
  cur     - Display current syslog settings
/cfg/sys/mmgmt
Management Port Configuration Menu
The Management port is a Fast Ethernet port that is used exclusively to manage the switch. While the switch can be managed from any network port, the Management port saves consuming a port that could otherwise be used for processing data and traffic. This port manages the switch using either telnet CLI, SNMP, or HTTP. This port is isolated from and does not participate in the networking protocols that run on the network ports. The Management port must be configured with a static IP address, subnet mask, broadcast address, and default gateway, and must be enabled before it can be used. If this port is disabled, the network ports have to perform all switch management (other than the switch management using the console). If this port is enabled, the factory default settings for some of the management features remain with the network ports. You can change the defaults by configuring these features to permanently use the management port, or in some cases, by using the operational commands to set these options on a one-time basis. NOTE The Management port does not support BOOTP.
[Management Port Menu]
  port   - Management Port Phy Menu
  addr   - Set IP address
  mask   - Set subnet mask
  gw     - Set default gateway address
  intr   - Set interval between gateway ping attempts
  retry  - Set number of failed attempts to declare gateway DOWN
  dns    - Set default port for DNS
  ntp    - Set default port for NTP
  radius - Set default port for RADIUS
  tacacs - Set default port for TACACS+
  smtp   - Set default port for SMTP
  snmp   - Set default port for SNMP traps
  syslog - Set default port for SYSLOG
  sonmp  - Set default IP for SONMP hello packets
  tftp   - Set default port for FTP/TFTP
  wlm    - Set default port for Workload Manager
  report - Set default port for Reporting server
  ena    - Enable management port
  dis    - Disable management port
  cur    - Display current configuration
/cfg/sys/mmgmt/port
Management Port Link Menu
[Management Port Link Menu]
  speed - Set link speed
  mode  - Set full or half duplex mode
  auto  - Set autonegotiation
  cur   - Display current link configuration
/cfg/sys/radius
RADIUS Server Configuration
[RADIUS Server Menu]
  prisrv  - Set primary RADIUS server address
  secsrv  - Set secondary RADIUS server address
  secret  - Set primary RADIUS server secret
  secret2 - Set secondary RADIUS server secret
  port    - Set RADIUS port
  retries - Set RADIUS server retries
  timeout - Set RADIUS server timeout
  telnet  - Enable/disable RADIUS backdoor for telnet
  on      - Turn RADIUS authentication ON
  off     - Turn RADIUS authentication OFF
  cur     - Display current RADIUS configuration
/cfg/sys/tacacs
TACACS+ Server Configuration Menu
TACACS (Terminal Access Controller Access Control System) is an authentication protocol that allows a remote access server to forward a user's logon password to an authentication server, which decides whether access to a given system is allowed. The original TACACS protocol (described in RFC 1492) does not encrypt its traffic and is therefore less secure than TACACS+ and Remote Authentication Dial-In User Service (RADIUS); TACACS+ is a separate, Cisco-defined protocol. TACACS+ is seen as more reliable than RADIUS because TACACS+ uses the Transmission Control Protocol (TCP) whereas RADIUS uses the User Datagram Protocol (UDP). Also, RADIUS combines authentication and authorization in a user profile, whereas TACACS+ separates the two operations. TACACS+ has been implemented on Nortel Application Switch Operating System to support customers that use Cisco's TACACS+ protocol as their network security feature. Apart from that, TACACS+ offers the following advantages over RADIUS as the authentication protocol:
  TACACS+ is TCP-based, so it carries connection-oriented traffic.
  It protects the entire packet body, whereas RADIUS obscures only the password in authentication requests.
  It supports decoupled authentication, authorization, and accounting.
[TACACS+ Server Menu]
  prisrv  - Set primary TACACS+ server address
  secsrv  - Set secondary TACACS+ server address
  secret  - Set primary TACACS+ server secret
  secret2 - Set secondary TACACS+ server secret
  port    - Set TACACS+ TCP port
  retries - Set TACACS+ server retries
  timeout - Set TACACS+ server timeout (seconds)
  telnet  - Enable/disable TACACS+ backdoor for telnet
  on      - Turn TACACS+ authentication ON
  off     - Turn TACACS+ authentication OFF
  cur     - Display current TACACS+ configuration
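The difference the text draws between RADIUS (password-only hiding) and TACACS+ (whole-body protection) can be seen directly on the wire. The following is an added example in Python, not Nortel code: it implements the User-Password hiding of RFC 2865 section 5.2 and the MD5 pseudo-pad body obfuscation of the TACACS+ protocol, builds one authentication request of each kind for the same user and password, and checks what a passive observer can still read. The shared secret, authenticator, session ID, user name and password are constructed values.

```python
import hashlib
import struct

# Added example, not Nortel code. Shows why RADIUS is "password-only" and
# TACACS+ "full-body" protected. All secrets and identities are constructed.


def radius_hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret || previous block)."""
    if len(password) > 128:
        raise ValueError("RADIUS User-Password is at most 128 octets")
    padded = password + b"\x00" * ((-len(password)) % 16) or b"\x00" * 16
    out, prev = b"", authenticator            # first block is chained from the Request Authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def radius_reveal_password(hidden, secret, authenticator):
    """Server side: same chain, XOR with the hidden block instead of the plaintext one."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")


def radius_attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def radius_access_request(identifier, authenticator, username, password, secret):
    """Code 1 Access-Request: User-Name(1) travels in the clear, only User-Password(2) is hidden."""
    attrs = radius_attr(1, username) + radius_attr(2, radius_hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def tacacs_pseudo_pad(session_id, key, version, seq_no, length):
    """TACACS+ keystream: chained MD5(session_id || key || version || seq_no [|| previous digest])."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_obfuscate(body, session_id, key, version=0xC0, seq_no=1):
    """XOR the whole body with the pseudo-pad; applying it again decrypts."""
    pad = tacacs_pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(x ^ y for x, y in zip(body, pad))


def tacacs_authen_start(username, password, port=b"tty0", rem_addr=b"192.0.2.10"):
    """Authentication START body: action LOGIN(1), priv_lvl 1, authen_type PAP(2), service LOGIN(1)."""
    fixed = struct.pack("!8B", 1, 1, 2, 1, len(username), len(port), len(rem_addr), len(password))
    return fixed + username + port + rem_addr + password


def tacacs_packet(session_id, key, body, version=0xC0, seq_no=1):
    """12-byte header (version, type AUTHEN=1, seq_no, flags, session_id, length) + obfuscated body."""
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return header + tacacs_obfuscate(body, session_id, key, version, seq_no)


def visible_on_wire(packet, needle):
    """What a sniffer on the management path would see without the shared secret."""
    return needle in packet
```

With the same user "alice" and password, the RADIUS Access-Request still carries the literal user name (and every other attribute) in cleartext, while in the TACACS+ packet only the fixed header fields are readable; the user name, port, remote address and password are all under the pseudo-pad. Neither scheme is a modern cipher, which is why both protocols are normally confined to a management network or tunnelled.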
/cfg/sys/ntp
NTP Server Configuration
This menu enables you to synchronize the switch clock to a Network Time Protocol (NTP) server. By default, this option is disabled.
[NTP Server Menu]
  prisrv  - Set primary NTP server address
  secsrv  - Set secondary NTP server address
  intrval - Set NTP server resync interval
  tzone   - Set NTP timezone offset from GMT
  on      - Turn NTP service ON
  off     - Turn NTP service OFF
  cur     - Display current NTP configuration
/cfg/sys/sonmp
SynOptics Network Management Protocol Configuration
[SONMP Menu]
  srcif - Set source interface to be used in hello packets
  on    - Turn Ethernet Autotopology ON
  off   - Turn Ethernet Autotopology OFF
  cur   - Display current SONMP configuration
SynOptics Network Management Protocol (SONMP) is a proprietary network management protocol that is used by Nortel Networks Optivity Switch Manager (OSM) to discover Nortel Application Switches on the network. The following commands add support for the Ethernet Autotopology algorithm and the Bay Topology MIB. The topology algorithm is executed by each Nortel Application Switch on which SONMP is enabled.
Table 5-9 System Configuration Menu Options (/cfg/sys/sonmp)
Command Syntax and Usage
srcif <interface number (1-256)>
  This command specifies the IP address to be used in the hello packets. If the interface specified by this command is not up, then the first interface which is up and running is used in the hello packets.
on
  This command enables the SONMP protocol, and turns Ethernet Autotopology on.
off
  This command disables the SONMP protocol, and turns Ethernet Autotopology off.
cur
  This command displays the current SONMP configuration.
/cfg/sys/ssnmp
System SNMP Configuration
Nortel Application Switch Operating System supports SNMP-based network management. In the SNMP model of network management, a management station (client/manager) accesses a set of variables known as MIBs (Management Information Base) provided by the managed device (agent). If you are running an SNMP network management station on your network, you can manage the switch using the following standard SNMP MIBs:
  MIB II (RFC 1213)
  Ethernet MIB (RFC 1643)
  Bridge MIB (RFC 1493)
An SNMP agent is a software process on the managed device that listens on UDP port 161 for SNMP messages. Each SNMP message sent to the agent contains a list of management objects to retrieve or to modify. SNMP parameters that can be modified include:
  System name
  System location
  System contact
  Use of the SNMP system authentication trap function
  Read community string
  Write community string
  Trap community strings
[System SNMP Menu]
  snmpv3  - SNMPv3 Menu
  name    - Set SNMP "sysName"
  locn    - Set SNMP "sysLocation"
  cont    - Set SNMP "sysContact"
  rcomm   - Set SNMP read community string
  wcomm   - Set SNMP write community string
  trsrc   - Set SNMP trap source interface
  timeout - Set timeout for the SNMP state machine
  auth    - Enable/disable SNMP "sysAuthenTrap"
  linkt   - Enable/disable SNMP link up/down trap
  cur     - Display current system SNMP configuration
NOTE This command is applicable only to SNMPv1 and SNMPv2 traps because only the SNMPv1 and SNMPv2 trap packets contain the source IP address that can be set with this command. The SNMPv3 packets do not contain this field.
timeout <SNMP state machine timeout minutes, 1-30>
  Defines the timeout period for the SNMP state machine. When you use diff and apply, memory is allocated to store the output of the command. The timeout period determines when the resources/memory allocated for that output are freed.
auth disable|enable
  Enables or disables the use of the system authentication trap facility. The default setting is disabled.
linkt <port> <disable|enable>
  Enables or disables the sending of SNMP link up and link down traps. The default setting is enabled.
cur
  Displays the current system SNMP configuration.
/cfg/sys/ssnmp/snmpv3
SNMPv3 Configuration Menu
SNMP version 3 (SNMPv3) is an extensible SNMP Framework that supplements the SNMPv2 Framework by supporting the following:
  a new SNMP message format
  security for messages
  access control
  remote configuration of SNMP parameters
For more details on the SNMPv3 architecture, refer to RFC 2271 through RFC 2275 (since superseded by RFC 3411 through RFC 3415).
[SNMPv3 Menu]
  usm    - usmUser Table menu
  view   - vacmViewTreeFamily Table menu
  access - vacmAccess Table menu
  group  - vacmSecurityToGroup Table menu
  comm   - community Table menu
  taddr  - targetAddr Table menu
  tparam - targetParams Table menu
  notify - notify Table menu
  v1v2   - Enable/disable V1/V2 access
  cur    - Display current SNMPv3 configuration
defines a set of services that an application can use for checking access rights of the user. You need access control when you have to process retrieval or modification request from an SNMP entity. To view menu options, see page 268.
A group maps the user name to the access group names and their access rights needed to access SNMP management objects. A group defines the access rights assigned to all names that belong to a particular group. To view menu options, see page 270.
comm <snmpCommunity number [1-16]>
  The community table contains objects for mapping community strings and version-independent SNMP message parameters. To view menu options, see page 271.
taddr <snmpTargetAddr number [1-16]>
  This command allows you to configure destination information, consisting of a transport domain and a transport address. This is also termed a transport endpoint. The SNMP MIB provides a mechanism for performing source address validation on incoming requests, and for selecting community strings based on target addresses for outgoing notifications. To view menu options, see page 272.
tparam <target params index [1-16]>
  This command allows you to configure SNMP parameters, consisting of message processing model, security model, security level, and security name information. There may be multiple transport endpoints associated with a particular set of SNMP parameters, or a particular transport endpoint may be associated with several sets of SNMP parameters. To view menu options, see page 273.
notify <notify index [1-16]>
  A notification application typically monitors a system for particular events or conditions, and generates Notification-Class messages based on these events or conditions. To view menu options, see page 274.
v1v2 disable|enable
  This command allows you to enable or disable access via SNMP version 1 and version 2. This access is enabled by default.
cur
  Displays the current SNMPv3 configuration.
/cfg/sys/ssnmp/snmpv3/usm
User Security Model Configuration Menu
You can make use of a defined set of user identities using this Security Model. An SNMP engine must have the knowledge of applicable attributes of a user. This menu helps you create a user security model entry for an authorized user. You need to provide a security name to create the USM entry.
[SNMPv3 usmUser 1 Menu]
name - Set USM user name
auth - Set authentication protocol
authpw - Set authentication password
priv - Set privacy protocol
privpw - Set privacy password
del - Delete usmUser entry
cur - Display current usmUser configuration
Table 5-12 User Security Model Configuration Menu Options (/cfg/sys/ssnmp/ snmpv3/usm)
Command Syntax and Usage
name <32 character name>
    Configures a string of up to 32 characters that represents the name of the user. This is the login name you need in order to access the switch.
auth md5|sha|none
    Configures the authentication protocol: HMAC-MD5-96 (md5) or HMAC-SHA-96 (sha). The default is none.
authpw
    If you selected an authentication protocol with the auth command, you must provide a password; otherwise you will get an error message during validation. This command creates or changes the authentication password.
priv des|none
    Configures the privacy protocol on the switch. The privacy protocol protects messages from disclosure. The options are des (CBC-DES Symmetric Encryption Protocol) or none. If you specify des as the privacy protocol, make sure that you have selected one of the authentication protocols (HMAC-MD5-96 or HMAC-SHA-96); if the authentication protocol is none, you will get an error message.
privpw
    Creates or changes the privacy password.
del
    Deletes the USM user entries.
cur
    Displays the USM user entries.
/cfg/sys/ssnmp/snmpv3/view
View Configuration Menu
[SNMPv3 vacmViewTreeFamily 1 Menu]
name - Set view name
tree - Set MIB subtree (OID) which defines a family of view subtrees
mask - Set view mask
type - Set view type
del - Delete vacmViewTreeFamily entry
cur - Display current vacmViewTreeFamily configuration
/cfg/sys/ssnmp/snmpv3/access
Access Control Model Configuration Menu
The view-based Access Control Model defines a set of services that an application can use for checking the access rights of a user. Access control is needed when the user has to process SNMP retrieval or modification requests from an SNMP entity.
[SNMPv3 vacmAccess 1 Menu]
name - Set group name
prefix - Set context prefix
model - Set security model
level - Set minimum level of security
match - Set prefix only or exact match
rview - Set read view index
wview - Set write view index
nview - Set notify view index
del - Delete vacmAccess entry
cur - Display current vacmAccess configuration
Table 5-14 View-based Access Control Model Menu Options (/cfg/sys/ssnmp/ snmpv3/access)
Command Syntax and Usage
name <32 character name>
    Defines the name of the group.
prefix <32 character name>
    Defines the name of the context. An SNMP context is a collection of management information that an SNMP entity can access; an SNMP entity may have access to many contexts. For more information on naming the management information, see RFC 2571, the SNMP Architecture document. The view-based Access Control Model defines a table that lists the locally available contexts by contextName.
model usm|snmpv1|snmpv2
    Selects the security model to be used.
level noAuthNoPriv|authNoPriv|authPriv
    Defines the minimum level of security required to gain access rights. noAuthNoPriv means that the SNMP message is sent without authentication and without a privacy protocol. authNoPriv means that the message is sent with authentication but without a privacy protocol. authPriv means that the message is sent both with authentication and with a privacy protocol.
match exact|prefix
    If set to exact, all rows whose contextName exactly matches the prefix are selected. If set to prefix, all rows where the starting octets of the contextName exactly match the prefix are selected.
rview <32 character view name>
    A read view name of up to 32 characters that grants read access to a particular MIB view. If the value is empty, or there is no active MIB view with this name, no access is granted.
wview <32 character view name>
    A write view name of up to 32 characters that grants write access to the MIB view. If the value is empty, or there is no active MIB view with this name, no access is granted.
nview <32 character view name>
    A notify view name of up to 32 characters that grants notify access to the MIB view.
del
    Deletes the View-based Access Control entry.
cur
    Displays the View-based Access Control configuration.
/cfg/sys/ssnmp/snmpv3/group
Group Configuration Menu
[SNMPv3 vacmSecurityToGroup 1 Menu]
model - Set security model
uname - Set USM user name
gname - Set group name
del - Delete vacmSecurityToGroup entry
cur - Display current vacmSecurityToGroup configuration
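The usm, view, access and group menus above together decide whether an SNMPv3 request is served. As an added example, not Nortel code, this Python model applies the rules the page states (priv des requires an auth protocol, level is a minimum, an empty or unknown view grants nothing, and the longest matching view subtree wins) to a constructed configuration; the user, group and view names are hypothetical.

```python
from dataclasses import dataclass

# Security levels in the order the page lists them; "level" on a vacmAccess
# row is the minimum a message must carry.
LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


@dataclass
class UsmUser:              # /cfg/sys/ssnmp/snmpv3/usm
    name: str
    auth: str = "none"      # md5 | sha | none
    priv: str = "none"      # des | none

    def security_level(self) -> str:
        # The page's validation rule: priv des needs md5 or sha authentication.
        if self.priv != "none" and self.auth == "none":
            raise ValueError(f"user {self.name}: priv des requires auth md5 or sha")
        if self.priv != "none":
            return "authPriv"
        return "authNoPriv" if self.auth != "none" else "noAuthNoPriv"


@dataclass
class View:                 # /cfg/sys/ssnmp/snmpv3/view
    name: str
    tree: tuple             # MIB subtree OID, e.g. (1, 3, 6, 1, 2, 1)
    mask: bytes = b""       # bit set = this arc must match; unset = wildcard
    type: str = "included"  # included | excluded


@dataclass
class Access:               # /cfg/sys/ssnmp/snmpv3/access
    name: str               # group name
    prefix: str             # context name (or prefix)
    model: str              # usm | snmpv1 | snmpv2
    level: str              # minimum security level
    match: str = "exact"    # exact | prefix
    rview: str = ""
    wview: str = ""
    nview: str = ""


def _mask_bit(mask: bytes, i: int) -> bool:
    """Bit i of the view mask; bits past the end of the mask count as 1."""
    return i // 8 >= len(mask) or bool(mask[i // 8] & (0x80 >> (i % 8)))


def _subtree_matches(view: View, oid: tuple) -> bool:
    if len(oid) < len(view.tree):
        return False
    return all(not _mask_bit(view.mask, i) or view.tree[i] == oid[i]
               for i in range(len(view.tree)))


def oid_in_view(views, view_name: str, oid: tuple) -> bool:
    """Longest matching subtree decides; an empty or unknown view grants nothing."""
    best = None
    for v in views:
        if v.name == view_name and _subtree_matches(v, oid):
            if best is None or len(v.tree) > len(best.tree):
                best = v
    return best is not None and best.type == "included"


def is_access_allowed(user, groups, accesses, views, context, op, oid) -> bool:
    """op is 'read', 'write' or 'notify', selecting rview, wview or nview."""
    level = user.security_level()
    gname = groups.get(("usm", user.name))      # vacmSecurityToGroup lookup
    if gname is None:
        return False
    rows = [a for a in accesses
            if a.name == gname and a.model == "usm"
            and LEVELS[a.level] <= LEVELS[level]
            and (a.prefix == context if a.match == "exact"
                 else context.startswith(a.prefix))]
    if not rows:
        return False
    # Prefer an exact context match, then the highest minimum level.
    best = max(rows, key=lambda a: (a.match == "exact", LEVELS[a.level]))
    view_name = {"read": best.rview, "write": best.wview, "notify": best.nview}[op]
    return oid_in_view(views, view_name, oid)


# Constructed sample configuration (hypothetical names, not from the page).
USERS = {"netops": UsmUser("netops", auth="sha", priv="des"),
         "guest": UsmUser("guest")}
GROUPS = {("usm", "netops"): "ops", ("usm", "guest"): "ops"}
ACCESS = [Access("ops", "", "usm", "authPriv", rview="mib2-ro")]   # no wview: read-only
VIEWS = [View("mib2-ro", (1, 3, 6, 1, 2, 1)),
         View("mib2-ro", (1, 3, 6, 1, 2, 1, 4), type="excluded")]  # hide the ip group


def check(user_name: str, op: str, oid: tuple) -> bool:
    """Decision for a request in the default ("") context."""
    return is_access_allowed(USERS[user_name], GROUPS, ACCESS, VIEWS, "", op, oid)
```

The guest user is refused not because of a missing view but because its noAuthNoPriv level is below the authPriv minimum on the only vacmAccess row for its group.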
/cfg/sys/ssnmp/snmpv3/comm
Community Table Configuration Menu
This command is used for configuring a community table entry. The configured entry is stored in the community table list in the SNMP engine. This table is used to configure community strings in the Local Configuration Datastore (LCD) of the SNMP engine.
[SNMPv3 snmpCommunityTable 1 Menu]
index - Set community index
name - Set community string
uname - Set USM user name
tag - Set community tag
del - Delete communityTable entry
cur - Display current communityTable configuration
Table 5-16 SNMPv3 Community Table Configuration Menu Options (/cfg/sys/ ssnmp/snmpv3/comm)
Command Syntax and Usage
index <32 character name>
    Configures the unique index value of a row in this table, up to 32 characters.
name <32 character name>
    Defines the user name as defined in /cfg/sys/ssnmp/snmpv3/usm/name on page 266.
uname <32 character name>
    Defines a readable string of up to 32 characters that represents the corresponding value of an SNMP community name in a security model.
tag <list of tag string, max 255 characters>
    Configures a tag of up to 255 characters. This tag specifies a set of transport endpoints to which a command responder application sends an SNMP trap.
del
    Deletes the community table entry.
cur
    Displays the community table configuration.
/cfg/sys/ssnmp/snmpv3/taddr
Target Address Table Configuration Menu
This command is used to configure the target transport entry. The configured entry is stored in the target address table list in the SNMP engine. This table of transport addresses is used in the generation of SNMP messages.
[SNMPv3 snmpTargetAddrTable 1 Menu]
name - Set target address name
addr - Set target transport address IP
port - Set target transport address port
taglist - Set tag list
pname - Set targetParams name
del - Delete targetAddrTable entry
cur - Display current targetAddrTable configuration
/cfg/sys/ssnmp/snmpv3/tparam
Target Parameters Table Configuration Menu
You can configure the target parameters entry and store it in the target parameters table in the SNMP engine. This table contains parameters that are used to generate a message. The parameters include the message processing model (for example: SNMPv3, SNMPv2c, SNMPv1), the security model (for example: USM), the security name, and the security level (noAuthNoPriv, authNoPriv, or authPriv).
[SNMPv3 snmpTargetParamsTable 1 Menu]
name - Set target params name
mpmodel - Set message processing model
model - Set security model
uname - Set USM user name
level - Set minimum level of security
del - Delete targetParamsTable entry
cur - Display current targetParamsTable configuration
Table 5-18 Target Parameters Table Configuration Menu Options (/cfg/sys/ ssnmp/snmpv3/tparam)
Command Syntax and Usage
name <32 character name>
    Configures the locally arbitrary, but unique, identifier associated with this entry.
mpmodel snmpv3|snmpv1|snmpv2c
    Configures the message processing model used to generate SNMP messages.
model usm|snmpv1|snmpv2
    Selects the security model used when generating SNMP messages.
uname <32 character name>
    Defines the name that identifies the user in the USM table (page 266) on whose behalf SNMP messages are generated using this entry.
level noAuthNoPriv|authNoPriv|authPriv
    Selects the level of security used when generating SNMP messages with this entry. noAuthNoPriv means that the SNMP message is sent without authentication and without a privacy protocol. authNoPriv means that the message is sent with authentication but without a privacy protocol. authPriv means that the message is sent both with authentication and with a privacy protocol.
del
    Deletes the targetParamsTable entry.
cur
    Displays the current targetParamsTable configuration.
/cfg/sys/ssnmp/snmpv3/notify
Notify Table Configuration Menu
SNMPv3 uses a Notification Originator to send out traps. A notification application typically monitors a system for particular events or conditions, and generates Notification-Class messages based on these events or conditions.

[SNMPv3 snmpNotifyTable 1 Menu]
name - Set notify name
tag - Set notify tag
del - Delete notifyTable entry
cur - Display current notifyTable configuration
/cfg/sys/health
System Health Check Configuration Menu
[System TCP Health Menu]
add - Add TCP services to listen for health check
rem - Remove TCP services from listening
on - Turn system TCP health services ON
off - Turn system TCP health services OFF
cur - Display current TCP health services configuration
/cfg/sys/access
System Access Control Configuration
[System Access Menu]
mgmt - Management Network Access Menu
port - Port Management Access Menu
user - User Access Control Menu (passwords)
https - HTTPS (Web) Server Access Menu
sshd - SSH Server Menu
xml - XML Configuration Access Menu
http - Enable/disable HTTP (Web) server access
wport - Set HTTP (Web) server port number
snmp - Set SNMP access control
tnport - Set Telnet server port number
rlimit - Set max rate of ARP, BPDU, ICMP, TCP, or UDP packets to MP
cur - Display current system access configuration
/cfg/sys/access/mgmt
Management Networks Menu
This menu is used to define the IP address ranges that are allowed to access the switch for management purposes. Nortel Application Switch Operating System 23.0 supports up to 10 management networks.

NOTE: The add and rem commands below replace the /cfg/sys/mnet and /cfg/sys/mmask commands found in earlier releases of Nortel Application Switch Operating System.
[Management Networks Menu]
add - Add mgmt network definition
rem - Remove mgmt network definition
cur - Display current mgmt network definitions
NOTE: If you configure the management network without including the switch interfaces, it will cause the Firewall Load Balancing health checks to fail and will create a Network Down state on the network.
rem <mgmt network address> <mgmt network mask>
    Removes a defined network, which consists of a management network address and a management network mask.
cur
    Displays the current configuration.
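The management-network definitions above are the switch's source-address filter for management traffic, and the NOTE warns that the switch's own interfaces must fall inside them. As an added example, not Nortel code, this Python helper reviews a proposed set of add entries against the two constraints the page states (at most 10 networks, interfaces covered) and answers whether a given source address would be admitted; the addresses are constructed.

```python
import ipaddress

MAX_MGMT_NETWORKS = 10   # limit stated on the page for this release


def build_mgmt_networks(entries):
    """entries: (address, mask) pairs as typed into 'add'.

    Returns IPv4Network objects, refusing more than 10 entries and refusing an
    address with host bits set, so the stored range is the one intended."""
    if len(entries) > MAX_MGMT_NETWORKS:
        raise ValueError(f"at most {MAX_MGMT_NETWORKS} management networks")
    nets = []
    for addr, mask in entries:
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        if net.network_address != ipaddress.IPv4Address(addr):
            raise ValueError(f"{addr} {mask}: host bits set, use {net.network_address}")
        nets.append(net)
    return nets


def management_allowed(nets, source_ip):
    """True when the source address lies inside any configured management network."""
    ip = ipaddress.IPv4Address(source_ip)
    return any(ip in net for net in nets)


def uncovered_interfaces(nets, interface_ips):
    """The page's NOTE: every switch interface must be inside a management
    network, or Firewall Load Balancing health checks fail. Returns the
    interface addresses that no configured network covers."""
    return [ip for ip in interface_ips if not management_allowed(nets, ip)]


def review(entries, interface_ips):
    """One-shot review of a proposed /cfg/sys/access/mgmt configuration."""
    nets = build_mgmt_networks(entries)
    return {"networks": [str(n) for n in nets],
            "uncovered_interfaces": uncovered_interfaces(nets, interface_ips)}


# Constructed sample: two management networks and two switch interface addresses.
SAMPLE_ENTRIES = [("10.10.0.0", "255.255.255.0"), ("192.168.50.0", "255.255.255.240")]
SAMPLE_INTERFACES = ["10.10.0.1", "172.16.1.1"]
```

With the sample input the review flags 172.16.1.1 as an interface no management network covers, which is exactly the misconfiguration the NOTE describes.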
/cfg/sys/access/port
Port Management Access Menu
[Port Management Access Menu]
add - Add port with management access
aadd - Add all ports with management access
rem - Remove port from management access
arem - Remove all ports from management access
cur - Display current ports with management access
/cfg/sys/access/user
User Access Control Menu
uid - User ID Menu
usrpw - Set user password (user)
sopw - Set SLB operator password (slboper)
l4opw - Set L4 operator password (l4oper)
opw - Set operator password (oper)
sapw - Set SLB administrator password (slbadmin)
l4apw - Set L4 administrator password (l4admin)
admpw - Set administrator password (admin)
cur - Display current user status
NOTE: Passwords can be a maximum of 15 characters.

Table 5-24 User Access Control Menu Options (/cfg/sys/access/user)
Command Syntax and Usage
uid <User ID, 1-10>
    Displays the User ID Menu. To view menu options, see page 282.
usrpw
    Sets the user (user) password. The user has no direct responsibility for switch management. He or she can view switch status information and statistics, but cannot make any configuration changes.
sopw
    Sets the SLB operator (slboper) password. The SLB operator manages Web servers and other Internet services and their loads. He or she can view all switch information and statistics and can enable/disable servers using the Server Load Balancing configuration menus. Access includes user functions.
l4opw
    Sets the Layer 4 operator (l4oper) password. The Layer 4 operator manages traffic on the lines leading to the shared Internet services. He or she can view all switch information and statistics. Access includes slboper functions.
opw
    Sets the operator (oper) password. The operator password can have a maximum of 15 characters. The operator manages all functions of the switch. He or she can view all switch information and statistics and can reset ports or the entire switch. Access includes l4oper functions.
sapw
    Sets the SLB administrator (slbadmin) password. The SLB administrator configures and manages Web servers and other Internet services and their loads. He or she can view all switch information and statistics, but can make configuration changes only on the Server Load Balancing menus. Note that the Filter Menu options are not accessible to the SLB administrator. Access includes l4oper functions.
l4apw
    Sets the Layer 4 administrator (l4admin) password. The Layer 4 administrator configures and manages traffic on the lines leading to the shared Internet services. He or she can view all switch information and statistics and can configure parameters on the Server Load Balancing menus, but cannot configure filters. Access includes slbadmin functions.
/cfg/sys/access/user/uid
System User ID Configuration Menu
This feature allows the users to operate the real servers assigned to them. Using this command you can list the current status of the real server including the real server number, the real server name, the operational state of the real server, and the number of current sessions. You can enable or disable the real servers and change the password for accessing these real servers.
[User ID 1 Menu]
cos - Set class of service
name - Set user name
pswd - Set user password
add - Add real server
rem - Remove real server
ena - Enable user ID
dis - Disable user ID
del - Delete user ID
cur - Display current user configuration
/cfg/sys/access/https
HTTPS Access Configuration Menu
[https Menu]
https - Enable/Disable HTTPS Web access
port - HTTPS WebServer port number
generate - Generate self-signed HTTPS server certificate
certSave - Save HTTPS certificate
cur - Display current SSL Web Access configuration
/cfg/sys/access/sshd
SSH Server Menu
[SSH Server Menu]
sshport - Set SSH server port number
sshv1 - Enable ssh v1 support
ena - Enable SCP apply and save
on - Turn SSH server ON (SSHv1/SSHv2)
cur - Display current SSH server configuration
/cfg/sys/access/xml
XML Configuration Access Menu
[XML Config Access Menu]
xml - Enable/disable XML config access
port - Set XML server port number
gtcert - Import XML client certificate
delcert - Delete XML client certificate
dispcert - Display XML client certificate
debug - Debug XML operations
cur - Display current XML config access configuration
/cfg/sys/access/xml/xml
Example of enabling or disabling XML access
Current XML access: disabled
Pending new XML access: enabled
Enter new XML access [d/e]:
/cfg/sys/timezone
Configure the Timezone
>> Main# /cfg/sys/timezone
Please identify a location so that time zone rules can be set correctly.
Please select a continent or ocean.
1) Africa
2) Americas
3) Antarctica
4) Arctic Ocean
5) Asia
6) Atlantic Ocean
7) Australia
8) Europe
9) Indian Ocean
10) Pacific Ocean
11) None - disable timezone setting
Enter the number of your choice: 2
Please select a country.
1) Anguilla             18) Ecuador                35) Paraguay
2) Antigua & Barbuda    19) El Salvador            36) Peru
3) Argentina            20) French Guiana          37) Puerto Rico
4) Aruba                21) Greenland              38) St Kitts & Nevis
5) Bahamas              22) Grenada                39) St Lucia
6) Barbados             23) Guadeloupe             40) St Pierre & Miquelon
7) Belize               24) Guatemala              41) St Vincent
8) Bolivia              25) Guyana                 42) Suriname
9) Brazil               26) Haiti                  43) Trinidad & Tobago
10) Canada              27) Honduras               44) Turks & Caicos Is
11) Cayman Islands      28) Jamaica                45) United States
12) Chile               29) Martinique             46) Uruguay
13) Colombia            30) Mexico                 47) Venezuela
14) Costa Rica          31) Montserrat             48) Virgin Islands (UK)
15) Cuba                32) Netherlands Antilles   49) Virgin Islands (US)
16) Dominica            33) Nicaragua
17) Dominican Republic  34) Panama
Enter the number of your choice: 10
Please select one of the following time zone regions.
1) Newfoundland Island
2) Atlantic Time - Nova Scotia (most places), NB, W Labrador, E Quebec & PEI
3) Atlantic Time - E Labrador
4) Eastern Time - Ontario & Quebec - most locations
5) Eastern Time - Thunder Bay, Ontario
6) Eastern Standard Time - Pangnirtung, Nunavut
7) Eastern Standard Time - east Nunavut
8) Eastern Standard Time - central Nunavut
9) Central Time - Manitoba & west Ontario
10) Central Time - Rainy River & Fort Frances, Ontario
11) Central Time - west Nunavut
12) Central Standard Time - Saskatchewan - most locations
13) Central Standard Time - Saskatchewan - midwest
14) Mountain Time - Alberta, east British Columbia & west Saskatchewan
15) Mountain Time - central Northwest Territories
16) Mountain Time - west Northwest Territories
17) Mountain Standard Time - Dawson Creek & Fort Saint John, British Columbia
18) Pacific Time - west British Columbia
19) Pacific Time - south Yukon
20) Pacific Time - north Yukon
Enter the number of your choice: 2
The commands on Nortel Application Switch Operating System 2000 series and their description are as follows:
[Port <port_number> Menu]
fast - Fast Phy Menu
gig - Gig Phy Menu
pvid - Set default port VLAN id
alias - Set port alias
name - Set port name
cont - Set default port BW Contract
nonip - Set BW Contract for non-IP traffic
egbw - Set port egress bandwidth Limit
rmon - Enable/Disable RMON for port
tag - Enable/disable VLAN tagging for port
iponly - Enable/disable allowing only IP related frames at ingress
ena - Enable port
dis - Disable port
cur - Display current port configuration
Use these menu options to set port parameters for the port link.

NOTE: If the port does not have a Gig Ethernet physical link, the following message is displayed:
>> Port 1# gig
Current Port 1 does not have Gig Ethernet phy.
NOTE: Since the speed and mode parameters cannot be set for Gigabit Ethernet ports, these options do not appear on the Gigabit Link Menu.

Link menu options are described in Table 5-39 and appear on the fast and gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as speed, flow control, and negotiation mode for the port link.

Table 5-32 Port Link Configuration Menu Options (/cfg/port/fast|gig)
Command Syntax and Usage
speed 10|100|any
    Sets the link speed. Not all options are valid on all ports. The choices are: any for automatic detection (default), 10 Mbps, 100 Mbps. This option appears only if a Fast Ethernet port is selected.
mode full|half|any
    Sets the operating mode. This command is available only in the Fast Link Menu. The choices are: any for auto negotiation (default), full-duplex, half-duplex. This option appears only if a Fast Ethernet port is selected.
Single-Mode ports
10/100/1000Base-T Copper Ports
When you select a single-mode copper port (1, 2, 7, or 8), you see the menu below:
[Port 1 Menu]
fast - Fast Phy Menu
gig - Gig Phy Menu
pvid - Set default port VLAN id
alias - Set port alias
name - Set port name
cont - Set default port BW Contract
nonip - Set BW Contract for non-IP traffic
egbw - Set port egress bandwidth Limit
rmon - Enable/Disable RMON for port
tag - Enable/disable VLAN tagging for port
iponly - Enable/disable allow IP related frames at ingress
ena - Enable port
dis - Disable port
cur - Display current port configuration
Table 5-34 Single-Mode Copper Port Configuration Menu Options (/cfg/port <1, 2, 7, or 8>)
Command Syntax and Usage
gig
    If a port is configured to support Gigabit Ethernet, this option displays the Copper Gigabit Ethernet Physical Link Menu. To view menu options, see page 297.
pvid <VLAN number (1-4090)>
    Sets the default VLAN number, which is used to forward frames that are not VLAN tagged. The default is 1.
alias <15 character string>
    Sets an alias for the port number. When implementing port aliases, consider the following: although up to 15 characters can be defined for a port alias, only 6 characters are displayed in informational outputs that show the alias; and no shortcuts are allowed for port aliases, so when using a port alias in a command, the entire alias must be used.
name <64 character string>|none
    Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is none.
cont <BWM Contract (1-1024)>
    Sets the default Bandwidth Management Contract for this port.
rmon disable|enable
    Disables or enables RMON for this port. It is disabled by default.
tag disable|enable
    Disables or enables VLAN tagging for this port. It is disabled by default.
iponly disable|enable
    Disables or enables allowing only IP-related frames. It is disabled by default.
ena
    Enables the port.
dis
    Disables the port. (To temporarily disable a port without changing its configuration attributes, refer to Temporarily Disabling a Port on page 304.)
cur
    Displays the current port parameters.
Use these menu options to set port parameters for the port link. Link menu options are described in Table 5-39 and appear on the gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as speed, flow control, and negotiation mode for the port link.

Table 5-35 Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu Options (/cfg/port <1, 2, 7, or 8>/gig)
Command Syntax and Usage
speed 10|100|1000|any
    Sets the link speed. Not all options are valid on all ports. The choices are: any for automatic detection (default), 10 Mbps, 100 Mbps, 1000 Mbps.
mode full|half|any
    Sets the operating mode. The choices are: any for auto negotiation (default), full-duplex, half-duplex.
fctl rx|tx|both|none
    Sets the flow control. This command is available only in the Fast Link Menu. The choices are: receive flow control, transmit flow control, both receive and transmit flow control (default), no flow control.
auto on|off
    Enables or disables autonegotiation for the port.
cur
    Displays the current Gigabit Ethernet copper link port parameters.
When you select a single-mode SFP fiber port (9-12), you see a slightly different menu, as below:
[Port 9 Menu]
gig - SFP Gig Phy Menu
pvid - Set default port VLAN id
name - Set port name
cont - Set default port BW Contract
egbw - Set port egress bandwidth Limit
rmon - Enable/Disable RMON for port
tag - Enable/disable VLAN tagging for port
iponly - Enable/disable allowing only IP related frames
ena - Enable port
dis - Disable port
cur - Display current port configuration
Table 5-36 Single-Mode SFP Gigabit Ethernet Port Configuration Menu Options (/cfg/port <9-12>)
Command Syntax and Usage
gig
    If a port is configured to support Gigabit Ethernet, this option displays the SFP Gigabit Ethernet Physical Link Menu. To view menu options, see page 300.
pvid <VLAN number (1-4090)>
    Sets the default VLAN number, which is used to forward frames that are not VLAN tagged. The default is 1.
name <64 character string>|none
    Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is none.
cont <BWM Contract (1-1024)>
    Sets the default Bandwidth Management Contract for this port.
rmon disable|enable
    Disables or enables RMON for this port. It is disabled by default.
tag disable|enable
    Disables or enables VLAN tagging for this port. It is disabled by default.
iponly disable|enable
    Disables or enables allowing only IP-related frames. It is disabled by default.
ena
    Enables the port.
dis
    Disables the port. (To temporarily disable a port without changing its configuration attributes, refer to Temporarily Disabling a Port on page 304.)
cur
    Displays the current port parameters.
Use these menu options to set port parameters for the port link. Link menu options are described in Table 5-39 and appear on the gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as flow control and negotiation mode for the port link.

Table 5-37 Single-Mode SFP Gigabit Ethernet Port Link Configuration Menu Options (/cfg/port <9-12>/gig)
Command Syntax and Usage
fctl rx|tx|both|none
    Sets the flow control. The choices are: receive flow control, transmit flow control, both receive and transmit flow control (default), no flow control.
auto on|off
    Enables or disables autonegotiation for the port.
cur
    Displays the current SFP Gigabit Ethernet link port parameters.
Dual-Mode Ports
300 Chapter 5: The Configuration Menu
320506-C Rev. 02, Feb 2007
When you select any one of the dual-mode ports (3-6), you see the menu below:
[Port 3 Menu]
cop - Copper Gig Phy Menu
sfp - SFP Gig Phy Menu
pref - Set preferred link
back - Set backup link
pvid - Set default port VLAN id
name - Set port name
cont - Set default port BW Contract
rmon - Enable/Disable RMON for port
tag - Enable/disable VLAN tagging for port
iponly - Enable/disable allowing only IP related frames
ena - Enable port
dis - Disable port
cur - Display current port configuration
Use these menu options to set port parameters for the port link. Link menu options are described in Table 5-39 and appear on the cop port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as speed, flow control, and negotiation mode for the port link.

Table 5-39 Dual-Mode Copper Port Link Configuration Menu Options (/cfg/port <3-6>/cop)
Command Syntax and Usage
speed 10|100|1000|any
    Sets the link speed. Not all options are valid on all ports. The choices are: any for automatic detection (default), 10 Mbps, 100 Mbps, 1000 Mbps.
mode full|half|any
    Sets the operating mode. The choices are: any for autonegotiation (default), full-duplex, half-duplex.
fctl rx|tx|both|none
    Sets the flow control. The choices are: receive flow control, transmit flow control, both receive and transmit flow control (default), no flow control.
auto on|off
    Enables or disables autonegotiation for the port.
cur
    Displays the current Gigabit Ethernet copper link port parameters.
Table 5-40 Dual-Mode SFP Gigabit Link Configuration Menu Options (/cfg/port <3-6>/sfp)
Command Syntax and Usage
fctl rx|tx|both|none
    Sets the flow control. The choices are: receive flow control, transmit flow control, both receive and transmit flow control (default), no flow control.
cur
    Displays the current SFP Gigabit link port configuration.
Because this configuration sets a temporary state for the port, you do not need to use apply or save. The port state will revert to its original configuration when the Nortel Application Switch is reset. See the Operations Menu on page 495 for other operations-level commands.
Port mirroring is disabled by default. The Port Mirroring Menu is used to configure, enable, and disable the monitored port. When enabled, network packets being sent and/or received on a target port are duplicated and sent to a monitor port. By attaching a network analyzer to the monitor port, you can collect detailed information about your network performance and usage.

Table 5-41 Port Mirroring menu options (/cfg/pmirr)
Command Syntax and Usage
mirror disable|enable
    Enables or disables port mirroring.
monport <monitoring port (port to mirror to)>
    Displays port-mirroring menu options that help configure the port. To view menu options, see page 305.
cur
    Displays the current settings of the mirrored and monitoring ports.
/cfg/pmirr/monport
Port-Mirroring Menu
>> Port Mirroring# monport
Enter port (1-28): <port_number>
------------------------------------------------------------
[Port 1 Menu]
add - Add "Mirrored" port and VLANs
rem - Rem "Mirrored" port and VLANs
cur - Display current Port-based Port Mirroring configuration
[Bandwidth Management Menu]
cont - Contract Menu
policy - Policy Menu
group - Group Menu
user - Set SMTP server user name
report - Set IP address of Reporting server
entries - Set number of entries in the BWM IP user table
frequen - Set the frequency of BWM statistics in minutes
email - Enable/disable sending BWM statistics via email
force - Enable/disable enforce policies
on - Globally turn Bandwidth Management processing ON
off - Globally turn Bandwidth Management processing OFF
cur - Display current Bandwidth Management configuration
NOTE: Up to 1024 bandwidth management contracts can be configured on the Nortel Application Switch Operating System.

Table 5-43 Bandwidth Management Menu Options (/cfg/bwm)
Command Syntax and Usage
cont <BW contract number (1-1024)>
    Displays the Bandwidth Management Contract Menu. To manage bandwidth on a Nortel Application Switch, you must create one or more bandwidth management contracts. The switch uses these contracts to limit individual traffic flows. For further details, see the Nortel Application Switch Operating System Application Guide. By default, this option is disabled. To view menu options, see page 309.
policy <BW policy number (1-512)>
    Displays the Bandwidth Management Policy Menu. Bandwidth policies are bandwidth limitations defined for any set of frames, specifying the guaranteed bandwidth rates. A bandwidth policy is often based on a rate structure whereby a Web host could charge a customer for bandwidth utilization. For further details, see the Nortel Application Switch Operating System Application Guide. To view menu options, see page 312.
group <BW Group number (1-32)>
    Displays the Bandwidth Management Group Menu. To view menu options, see page 313.
user <user name>
    Sets the SMTP user name to whom the history statistics will be mailed. The default is none.
report <IP4 address> | <IP6 address>
    Sets the IP address of the Reporting Server.
This feature enables the user to configure different policies based on the time of the day using the following menu and commands:
[BW Contract 1 Time Policy 1 Menu]
day - Set Time Policy day
from - Set Time Policy from hour
to - Set Time Policy to hour
policy - Set Time Policy
enable - Enable Time Policy
disable - Disable Time Policy
delete - Delete Time Policy
cur - Display current Time Policy configuration
Table 5-45 BWM Contract Time Policy Configuration Menu Options (/cfg/bwm/ timepol)
Command Syntax and Usage
day <mon|tue|wed|thu|fri|sat|sun|weekday|weekend|everyday>
    Defines the day(s) of the week: a single day, weekday (Monday to Friday), weekend (Saturday and Sunday) or everyday. The default is everyday.
from <1-12am/pm>
    Defines the hour at which the time policy starts. If am or pm is not specified, the switch defaults to am for numbers lower than 12 and to pm for numbers 13 or higher.
to <1-12am/pm>
    Defines the hour at which the time policy ends. If am or pm is not specified, the switch defaults to am for numbers lower than 12 and to pm for numbers 13 or higher.
policy <BW Policy number, 1-512>
    Defines the policy number for the contract.
enable
    Enables the Time Policy on the switch.
disable
    Disables the Time Policy on the switch.
delete
    Deletes the current Time Policy.
cur
    Displays the current Time Policy configuration on the switch. For example:
    Time Policy 1: Day everyday, From Hour 12am, To Hour 12am, Policy 512, disabled
311
312
/cfg/bwm/group
Bandwidth Management Group Configuration Menu
[BW Group 1 Menu] add - Add Contract to this group rem - Remove Contract from this group del - Delete BW Group cur - Display current BW Group configuration
313
/cfg/bwm/cur
Bandwidth Management Current Configuration
Current Bandwidth Management setting: ON
Policy Enforcement: enabled
SMTP server user name:

Contract  Name     Policy  Prec  Hist  TOS  State  Shaping
1         cont_1   1       1     E     E    E      E
2         cont_2   2       1     E     D    D      D
1024      Default  -0      E     D     E    D
*Default contract gets all the BW that is available on a port after the active contracts reserved BW is taken.

Policy  Hard  Soft  Resv  oTOS  uTOS  Buffer
1       25M   20M   500K  150   100   16320
2       10M   8M    500K  0     0     16320
3       2M    1M    500K  0     0     16320
4       2M    1M    500K  0     0     16320
5       2M    1M    500K  0     0     16320
6       2M    1M    500K  0     0     16320
7       2M    1M    500K  0     0     16320
8       2M    1M    500K  0     0     16320
9       2M    1M    500K  0     0     16320
10      2M    1M    500K  0     0     16320
11      2M    1M    500K  0     0     16320
12      2M    1M    500K  0     0     16320
13      2M    1M    500K  0     0     16320
14      2M    1M    500K  0     0     16320
15      2M    1M    500K  0     0     16320
16      2M    1M    500K  0     0     16320
17      2M    1M    500K  0     0     16320
18      2M    1M    500K  0     0     16320
19      2M    1M    500K  0     0     16320
20      2M    1M    500K  0     0     16320
21      2M    1M    500K  0     0     16320
22      2M    1M    500K  0     0     16320
23      2M    1M    500K  0     0     16320
24      2M    1M    500K  0     0     16320
25      2M    1M    500K  0     0     16320
26      2M    1M    500K  0     0     16320
27      2M    1M    500K  0     0     16320
28      2M    1M    500K  0     0     16320
29      2M    1M    500K  0     0     16320
30      2M    1M    500K  0     0     16320
314
315
/cfg/l2/mrst
Multiple Spanning Tree Menu
[Multiple Spanning Tree Menu] cist - Common and Internal Spanning Tree menu name - Set MST region name version - Set Version of this MST region maxhop - Set Maximum Hop Count for MST (4 - 60) mode - Spanning Tree Mode on - Globally turn Multiple Spanning Tree (MSTP/RSTP) ON off - Globally turn Multiple Spanning Tree (MSTP/RSTP) OFF cur - Display current MST parameters
316
/cfg/l2/mrst/cist
Multiple Spanning Tree Menu
[Common Internal Spanning Tree Menu] brg - CIST Bridge parameter menu port - CIST Port parameter menu default - Default Common Internal Spanning Tree and Member parms cur - Display current CIST parameters
317
/cfg/l2/mrst/cist/brg
CIST Bridge Menu
[CIST Bridge Menu] prior - Set CIST bridge Priority (0-65535) mxage - Set CIST bridge Max Age (6-40 secs) fwd - Set CIST bridge Forward Delay (4-30 secs) cur - Display current CIST bridge parameters
/cfg/l2/mrst/cist/brg cur
Current configuration for CIST Bridge
>> CIST Bridge# cur
-----------------------------------------------------------------
Current Common Internal Spanning Tree settings:
Bridge params: Priority  MaxAge  FwdDel
               32768     20      15
318
319
NOTE When VRRP is used for active/active redundancy, STP must be enabled. Table 5-53 Spanning Tree Configuration Menu (/cfg/l2/stp)
Command Syntax and Usage brg Displays the Bridge Spanning Tree Menu. To view menu options, see page 321. port <port number> Displays the Spanning Tree Port Menu. To view menu options, see page 322. add <VLAN numbers (1-4090)> Associates a VLAN with a spanning tree and requires an external VLAN ID as a parameter. remove <VLAN numbers, 1-4095 (802.1d & RSTP) / 2-4094 (MSTP)> Breaks the association between a VLAN and a spanning tree and requires an external VLAN ID as a parameter. clear Removes all VLANs from a spanning tree. on Globally enables Spanning Tree Protocol. off Globally disables Spanning Tree Protocol. default Resets STG and Group member parameters to factory default. cur Displays the current Spanning Tree Protocol parameters.
320
/cfg/l2/stg/brg
Bridge Spanning Tree Configuration
[Bridge Spanning Tree Menu] prior - Set bridge Priority [0-65535] hello - Set bridge Hello Time [1-10 secs] mxage - Set bridge Max Age (6-40 secs) fwd - Set bridge Forward Delay (4-30 secs) aging - Set bridge Aging Time (1-65535 secs, 0 to disable) cur - Display current bridge parameters
Spanning Tree bridge parameters affect the global STP operation of the switch. STP bridge parameters include bridge priority, bridge hello time, bridge maximum age, forwarding delay, and bridge aging time. Table 5-54 Bridge Spanning Tree Menu Options (/cfg/l2/stp/brg)
Command Syntax and Usage prior <new bridge priority (0-65535)> Configures the bridge priority. The bridge priority parameter controls which bridge on the network is the STP root bridge. To make this switch the root bridge, configure the bridge priority lower than all other switches and bridges on your network. The lower the value, the higher the bridge priority. The range is 0 to 65535, and the default is 32768. hello <new bridge hello time (1-10 secs)> Configures the bridge hello time. The hello time specifies how often the root bridge transmits a configuration bridge protocol data unit (BPDU). Any bridge that is not the root bridge uses the root bridge hello value. The range is 1 to 10 seconds, and the default is 2 seconds. mxage <new bridge max age (6-40 secs)> Configures the bridge maximum age. The maximum age parameter specifies the maximum time the bridge waits without receiving a configuration bridge protocol data unit before it reconfigures the STP network. The range is 6 to 40 seconds, and the default is 20 seconds. fwd <new bridge Forward Delay (4-30 secs)> Configures the bridge forward delay parameter. The forward delay parameter specifies the amount of time that a bridge port has to wait before it changes from the listening state to the learning state and from the learning state to the forwarding state. The range is 4 to 30 seconds, and the default is 15 seconds.
321
When configuring STP bridge parameters, the following relationships between the timers must hold: 2*(fwd-1) > mxage and 2*(hello+1) < mxage.
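The following is an added example, not code from the Nortel manual. It checks a proposed hello, mxage and fwd combination against the ranges in Table 5-54 and the two timer relationships stated above, returning every violation rather than just the first, so a planned change can be vetted before it is applied.

```python
from typing import List

# Ranges from the Bridge Spanning Tree Menu (hello, max age, forward delay).
RANGES = {"hello": (1, 10), "mxage": (6, 40), "fwd": (4, 30)}

DEFAULTS = {"hello": 2, "mxage": 20, "fwd": 15}


def check_stp_timers(hello: int, mxage: int, fwd: int) -> List[str]:
    """Return a list of violations; an empty list means the timers are consistent."""
    problems: List[str] = []
    for name, value in (("hello", hello), ("mxage", mxage), ("fwd", fwd)):
        lo, hi = RANGES[name]
        if not lo <= value <= hi:
            problems.append(f"{name}={value} is outside {lo}-{hi} secs")
    # The max age must be longer than roughly two hello intervals, or a
    # single lost BPDU would look like a dead root bridge.
    if not 2 * (hello + 1) < mxage:
        problems.append(f"2*(hello+1)={2 * (hello + 1)} is not < mxage={mxage}")
    # The forward delay must be long enough that stale topology information
    # has aged out before a port moves through listening and learning.
    if not 2 * (fwd - 1) > mxage:
        problems.append(f"2*(fwd-1)={2 * (fwd - 1)} is not > mxage={mxage}")
    return problems


def defaults_are_consistent() -> bool:
    """Sanity check: the factory defaults (2, 20, 15) must pass."""
    return check_stp_timers(**DEFAULTS) == []
```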
Spanning Tree port parameters are used to modify STP operation on an individual port basis. STP port parameters include port priority and port path cost. STP is turned on by default for the port.
322
323
Trunking from non-Nortel devices must comply with Cisco EtherChannel technology. By default, the trunk group is empty and disabled.
[Trunk group 1 Menu] cont - Set BW contract for this trunk group add - Add port to trunk group rem - Remove port from trunk group ena - Enable trunk group dis - Disable trunk group del - Delete trunk group cur - Display current Trunk Group configuration
324
325
Each LACP active or passive port needs an admin key, an operational key, and an aggregator for LACP to start negotiation on these ports. You need to assign the same admin key to a group of ports to make them aggregatable. The link can generate a Link Aggregation ID (LAG ID) based on the operational key. All the aggregatable ports must have the same LAG ID. You can form an active LACP trunk group with all the ports that have the same LAG ID. Please refer to your Nortel Application Switch Operating System Application Guide for detailed information on this protocol. NOTE All ports are in LACP off mode by default. Use the following commands to configure LACP on the Nortel Application Switch Operating System.
[LACP Menu] sysprio - Set LACP system priority timeout - Set LACP system timeout scale for timing out partner info port - LACP port Menu cur - Display current LACP configuration
326
Use the following commands to configure Link Aggregation Control Protocol (LACP) on a selected port. Table 5-58 Link Aggregation Control Protocol Port Configuration Menu Options (/cfg/l2/lacp/port #)
Command Syntax and Usage mode <off for no LACP or active or passive> off: Using this option, you can turn LACP off for this port. You can use this port to manually configure a static trunk. All ports are in off mode by default. active: Using this option, you can turn LACP on and set this port to active. Only active ports initiate negotiation with the partner system port by sending the LACPDU packets. passive: Using this option, you can turn LACP on and set this port to passive mode. Passive ports do not initiate negotiation, but only respond to the negotiation requests from active ports. prio <1-65535> Sets the priority value for the selected port. Lower numbers provide higher priority. The default value is 128. adminkey <1-65535> Sets the admin key for this port. Only ports with the same admin key and oper key (operational state generated internally) can form an LACP trunk group. cur Displays the current LACP configuration for this port.
327
Set VLAN name Assign VLAN to a Spanning Tree Group Set BW contract Add port to VLAN Remove port from VLAN Define VLAN as list of ports Enable/disable Jumbo Frame support Enable/disable smac learning Enable VLAN Disable VLAN Delete VLAN Display current VLAN configuration
328
NOTE All ports must belong to at least one VLAN. Any port which is removed from a VLAN and which is not a member of any other VLAN is automatically added to default VLAN #1. You cannot remove a port from VLAN #1 if the port has no membership in any other VLAN. Also, you cannot add a port to more than one VLAN unless the port has VLAN tagging turned on (see the tag command on page 297).
329
Table 5-60 outlines the commands in this menu. Table 5-60 Port Team Configuration Menu
Command Syntax and Usage addport <port number> Adds the specified port to the current team. remport <port number> Removes the specified port from the current team. addtrunk <trunk group number> Adds a trunk group to the current team. remtrunk <trunk group number> Removes a trunk group from the current team. ena Enables the port team. dis Disables the port team. del Deletes the port team. cur Displays the current port team configuration.
330
331
332
The Nortel Application Switch can be configured with up to 256 IP interfaces. Each IP interface represents the Nortel Application Switch on an IP subnet on your network. The Interface option is disabled by default. Table 5-62 IP Interface Menu Options (/cfg/l3/if)
Command Syntax and Usage ip6nd Opens the IPv6 Neighbor Discovery menu. This menu is used to enable or disable the sending of IPv6 Router Advertisement packets from this interface. For more information on this topic, refer to page 334. ipver <IP version (v4 or v6)> Sets the IP version. addr <IP address (such as 192.4.17.101 for IPv4 or 3001::abcd:5678 for IPv6)> Configures the IP address of the switch interface using dotted decimal notation for IPv4 and colon notation for IPv6. mask <IP subnet mask for IPv4 or prefix length for IPv6 (such as 255.255.255.0 for IPv4 or 64 for IPv6)> Configures the IP subnet address mask for the interface using dotted decimal notation for IPv4 or prefix length for IPv6. vlan <VLAN number (1-4090)> Configures the VLAN number for this interface. Each interface can belong to one VLAN, though any VLAN can have multiple IP interfaces in it. relay disable|enable Enables or disables the BOOTP relay on this interface. It is enabled by default.
333
/cfg/l3/if/ip6nd
IPv6 Neighbor Discovery Menu
[IP6 Neighbor Discovery Menu] rtradv - Enable/disable router advertisement
This menu is used to configure the sending of IPv6 Neighbor Discovery router advertisements from this interface. Table 5-63 IPv6 Neighbor Discovery Menu Options
Command Syntax and Usage rtradv disable | enable Enables or disables the sending of IPv6 Neighbor Discovery router advertisements from this interface.
334
NOTE The switch can be configured with up to 255 gateways. Gateways one to four are reserved for default gateway load balancing. Gateways five to 259 are used for load-balancing of VLAN-based gateways.
NOTE In instances where numerous IPv6 gateways have been configured (the maximum 259 gateways for example), some of the gateways may fail because they exceed the timeout value in ICMPv6 health checking. This option is disabled by default. Table 5-64 Default Gateway Options (/cfg/l3/gw)
Command Syntax and Usage ipver <IP version (v4 or v6)> Sets the IP version. addr <default gateway address (such as, 192.4.17.44 for IPv4 or 3001::abcd:1234 for IPv6)> Configures the IP address of the default IP gateway using dotted decimal notation for IPv4 and colon notation for IPv6. intr <0-60 seconds> The switch pings the default gateway to verify that it is up. The intr option sets the time between health checks. The range is from 1 to 120 seconds. The default is 2 seconds. retry <number of attempts (1-120)> Sets the number of failed health check attempts required before declaring this default gateway inoperative. The range is from 1 to 120 attempts. The default is 8 attempts.
335
NOTE By default, a learned default route has higher priority than the configured default gateway route.
arp disable|enable Enables or disables Address Resolution Protocol (ARP) health checks. This command is disabled by default. ena Enables the gateway for use. dis Disables the gateway. del Deletes the gateway from the configuration. cur Displays the current gateway settings.
336
/cfg/l3/route
IP Static Route Configuration
[IP Static Route Menu] ip4 - IP4 Static Route Menu ip6 - IP6 Static Route Menu
This menu provides access to the switch static route configuration functionality. Table 5-65 IP Static Route Configuration Menu Options (cfg/l3/route)
Command Syntax and Usage ip4 Provides access to the IPv4 static route configuration menu. To view the menu options, see page 338. ip6 Provides access to the IPv6 static route configuration menu. To view the menu options, see page 339.
337
/cfg/l3/route/ip4
IPv4 Static Route Configuration Menu
[IP4 Static Route Menu] add - Add IP4 static route rem - Remove IP4 static route cur - Display current IP4 static route configuration
This menu is used to configure IPv4 static routes. Table 5-66 IP Static Route Configuration Menu Options (cfg/l3/route)
Command Syntax and Usage add <destination> <mask> <gateway> [interface number] Adds a static route. To complete the entry, enter a destination IP address, destination subnet mask, and gateway address. Enter all addresses using dotted decimal notation. If the gateway address is 0.0.0.0, the route becomes a black hole route: packets routed to such a destination are dropped. rem <destination> <mask> Removes a static route. The destination address of the route to remove must be specified using dotted decimal notation. cur Displays the current IPv4 static routes.
338
/cfg/l3/route/ip6
IPv6 Static Route Configuration Menu
[IP6 Static Route Menu] add - Add IP6 static route rem - Remove IP6 static route cur - Display current IP6 static route configuration
This menu is used to configure IPv6 static routes. Table 5-67 IP Static Route Configuration Menu Options (cfg/l3/route)
Command Syntax and Usage add <destination> <prefix length> <next hop> [interface number] Adds a static route. To complete the entry, enter a destination IPv6 address, prefix length, and next hop address. Enter all information using the IPv6 addressing format. rem <destination> <prefix length> Removes a static route. The destination address of the route to remove must be specified using the IPv6 addressing format. cur Displays the current IPv6 static routes.
/cfg/l3/arp
ARP Configuration Menu
Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet layer. ARP resolves a physical address from an IP address. ARP queries machines on the local network for their physical addresses. ARP also maintains IP to physical address pairs in its cache memory. In any IP communication, the ARP cache is consulted to see if the IP address of the computer or the router is present in the ARP cache. Then the corresponding physical address is used to send a packet.
[ARP Menu] static - Static ARP Menu rearp - Set re-ARP period in minutes cur - Display current ARP configuration
339
/cfg/l3/arp/static
ARP Static Configuration Menu
Static ARP entries are permanent in the ARP cache and do not age out like ARP entries that are learned dynamically. Static ARP entries enable the switch to reach hosts without sending an ARP broadcast request to the network. Static ARPs are also useful for communicating with devices that do not respond to ARP requests. Static ARPs can also be configured on some gateways as a protection against malicious ARP cache corruption and possible DoS attacks. NOTE Nortel Application Switch Operating System 21.0 and above allows the static ARP configuration to be retained over reboots. Nortel Application Switch Operating System 20.x and below allow the user to configure the ARP information, but that information cannot be retained over a switch reboot.
[Static ARP Menu] add - Add a permanent ARP entry del - Delete an ARP entry cur - Display current static ARP configuration
340
/cfg/l3/frwd
IP Forwarding Configuration Menu
[IP Forwarding Menu] local - Local network definition for route caching menu dirbr - Enable or disable forwarding directed broadcasts on - Globally turn IP Forwarding ON off - Globally turn IP Forwarding OFF cur - Display current IP Forwarding configuration
/cfg/l3/frwd/local
Local Network Route Caching Definition
This menu is used for adding local networks by setting the local network address and netmask for the route cache, and to remove local networks.
[IP Local Networks Menu] add - Add local network definition add6 - Add local network v6 definition rem - Remove local network definition rem6 - Remove local network v6 definition cur - Display current local network definitions
341
342
NOTE All addresses that fall outside the defined range are forwarded to the default gateway. The default gateways must be within range.
/cfg/l3/nwf
Network Filter Configuration
[IP Network Filter 1 Menu] addr - IP Address mask - IP Subnet mask enable - Enable Network Filter disable - Disable Network Filter delete - Delete Network Filter cur - Display current Network Filter configuration
343
344
345
346
347
/cfg/l3/rip
Routing Information Protocol Configuration
The Routing Information Protocol (RIP) is an interior gateway protocol (IGP). RIP is one of a class of algorithms known as distance vector algorithms. The distance or hop count is used as the metric to determine the best path to a remote network or host, where the hop count does not exceed 15 hops assuming a cost of one for each network. RIP uses broadcast User Datagram Protocol (UDP) packets to exchange routing information. RIP sends routing information updates every 30 seconds. This update contains known networks and the distances (hop count) associated with each one. For RIP1, no mask information is exchanged; the natural mask is always applied by the router receiving the update. For RIP2, mask information is sent. There are two timers associated with each route: a timeout timer and a garbage-collection timer. Upon expiration of the timeout timer, the route is no longer valid, but it is retained in the routing table for a short time so that neighbors can be notified that the route has been dropped. Upon expiration of the garbage-collection timer, the route is finally removed from the routing table. By default the timeout timer is set to 180 seconds and the garbage-collection timer to 120 seconds. The menu below is used for configuring global Routing Information Protocol parameters. The Routing Information Protocol is turned off by default.
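The following is an added example, not Nortel's code. It models the two per-route timers described above with the default values: after 180 seconds without an update the route becomes invalid but is kept and advertised as unreachable (metric 16) so neighbors learn it has been dropped, and 120 seconds later it is removed. Times are seconds on any monotonic clock; updates carrying metric 16 (poisoned routes) are not modelled.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Optional

RIP_INFINITY = 16       # metric meaning "unreachable" (the hop count limit is 15)
TIMEOUT_SECS = 180      # default timeout timer
GARBAGE_SECS = 120      # default garbage-collection timer


@dataclass
class Route:
    metric: int
    last_update: float
    gc_start: Optional[float] = None   # set once the timeout timer has expired


@dataclass
class RipTable:
    routes: Dict[str, Route] = field(default_factory=dict)

    def update(self, prefix: str, metric: int, now: float) -> None:
        """Record an update from a neighbor. This restarts the timeout timer
        and cancels any garbage collection in progress for the prefix."""
        self.routes[prefix] = Route(metric=metric, last_update=now)

    def expire(self, now: float) -> None:
        """Run both timers up to `now`, computed from the last update so that
        a late call still produces the same result as a continuously running clock."""
        for prefix, r in list(self.routes.items()):
            if r.gc_start is None and now - r.last_update >= TIMEOUT_SECS:
                # Timeout expired: keep the route but mark it unreachable so
                # the next periodic update tells neighbors it was dropped.
                r.gc_start = r.last_update + TIMEOUT_SECS
                r.metric = RIP_INFINITY
            if r.gc_start is not None and now - r.gc_start >= GARBAGE_SECS:
                del self.routes[prefix]    # garbage-collection timer expired

    def state(self, prefix: str, now: float) -> str:
        """'valid', 'garbage-collecting' or 'absent' for the prefix at time `now`."""
        self.expire(now)
        r = self.routes.get(prefix)
        if r is None:
            return "absent"
        return "garbage-collecting" if r.gc_start is not None else "valid"

    def advertisement(self, now: float) -> Dict[str, int]:
        """What the periodic (30 s) update would carry at time `now`."""
        self.expire(now)
        return {p: r.metric for p, r in self.routes.items()}
```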
[Routing Information Protocol Menu] if - RIP Interface Menu update - Set update period in seconds vip - Enable/disable vip advertisement statc - Enable/disable static routes advertisement on - Globally turn RIP ON off - Globally turn RIP OFF current - Display current RIP configuration
348
349
/cfg/l3/rip/if
RIP Interface Menu
[RIP Interface 1 Menu] version - Set RIP version supply - Enable/disable supplying route updates listen - Enable/disable listening to route updates poison - Enable/disable poisoned reverse trigg - Enable/disable triggered updates mcast - Enable/disable multicast updates default - Set default route action metric - Set metric auth - Set authentication type key - Set authentication key enable - Enable interface disable - Disable interface current - Display current RIP interface configuration
350
351
/cfg/l3/ospf
Open Shortest Path First Configuration
Nortel Application Switch Operating System supports the Open Shortest Path First (OSPF) routing protocol. The Nortel Application Switch Operating System implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed. For more information on how to configure OSPF on the switch, refer to your Nortel Application Switch Operating System Application Guide.
[Open Shortest Path First Menu] aindex - OSPF Area (index) Menu range - OSPF Summary Range Menu if - OSPF Interface Menu virt - OSPF Virtual Links Menu md5key - OSPF MD5 Key Menu host - OSPF Host Entry Menu redist - OSPF Route Redistribute Menu lsdb - Set the LSDB limit for external LSA default - Export default route information on - Globally turn OSPF ON off - Globally turn OSPF OFF cur - Display current OSPF configuration
352
353
/cfg/l3/ospf/aindex
Area Index Configuration Menu
[OSPF Area (index) 1 Menu] areaid - Set area ID type - Set area type metric - Set stub area metric auth - Set authentication type spf - Set time interval between two SPF calculations enable - Enable area disable - Disable area delete - Delete area cur - Display current OSPF area configuration
354
/cfg/l3/ospf/range
OSPF Summary Range Configuration Menu
[OSPF Summary Range 1 Menu] addr - Set IP address mask - Set IP mask aindex - Set area index hide - Enable/disable hide range enable - Enable range disable - Disable range delete - Delete range cur - Display current OSPF summary range configuration
355
/cfg/l3/ospf/if
OSPF Interface Configuration Menu
[OSPF Interface 1 Menu] aindex - Set area index prio - Set interface router priority cost - Set interface cost hello - Set hello interval in seconds dead - Set dead interval in seconds trans - Set transit delay in seconds retra - Set retransmit interval in seconds key - Set authentication key mdkey - Set MD5 key ID enable - Enable interface disable - Disable interface delete - Delete interface cur - Display current OSPF interface configuration
356
357
/cfg/l3/ospf/virt
OSPF Virtual Link Configuration Menu
[OSPF Virtual Link 1 Menu] aindex - Set area index hello - Set hello interval in seconds dead - Set dead interval in seconds trans - Set transit delay in seconds retra - Set retransmit interval in seconds nbr - Set router ID of virtual neighbor key - Set authentication key mdkey - Set MD5 key ID enable - Enable interface disable - Disable interface delete - Delete interface cur - Display current OSPF interface configuration
358
/cfg/l3/ospf/md5key
OSPF MD5 Key Configuration Menu
[OSPF MD5 Key 1 Menu] key - Set authentication key delete - Delete key cur - Display current MD5 key configuration
359
/cfg/l3/ospf/host
OSPF Host Entry Configuration Menu
[OSPF Host Entry 1 Menu] addr - Set host entry IP address aindex - Set area index cost - Set cost of this host entry enable - Enable host entry disable - Disable host entry delete - Delete host entry cur - Display current OSPF host entry configuration
360
/cfg/l3/ospf/redist <fixed|static|rip|ebgp|ibgp>
OSPF Route Redistribution Configuration Menu
[OSPF Redistribute Fixed Menu] add - Add rmap into route redistribution list rem - Remove rmap from route redistribution list export - Export all routes of this protocol cur - Display current route-maps added
361
/cfg/l3/bgp
Border Gateway Protocol Configuration
Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to share routing information with each other and to advertise, to routers on external networks, information about the segments of the IP address space they can reach within their own network. BGP allows you to decide what the best route is for a packet to take from your network to a destination on another network, rather than simply setting a default route from your border router(s) to your upstream provider(s). You can configure BGP either within an autonomous system or between different autonomous systems. When run within an autonomous system, it is called internal BGP (iBGP). When run between different autonomous systems, it is called external BGP (eBGP). BGP is defined in RFC 1771. The BGP Menu enables you to configure the switch to receive routes and to advertise static routes, fixed routes and virtual server IP addresses to other internal and external routers. BGP is turned off by default.
[Border Gateway Protocol Menu] peer - Peer menu aggr - Aggregation menu as - Set Autonomous System (AS) number maxpath - Set Max AS Path Length pref - Set Local Preference on - Globally turn BGP ON off - Globally turn BGP OFF cur - Display current BGP configuration
NOTE Fixed routes are subnet routes. There is one fixed route per IP interface. Table 5-86 Border Gateway Protocol Menu (/cfg/l3/bgp)
Command Syntax and Usage peer <peer number (1-16)> Displays the menu used to configure each BGP peer. Each border router, within an autonomous system, exchanges routing information with routers on other external networks. To view menu options, see page 364. aggr <aggregate number (1-16)> Displays the Aggregation Menu. To view menu options, see page 368.
362
When multiple peers advertise the same route, use the route with the shortest AS path as the preferred route if you are using eBGP, or use the local preference if you are using iBGP.
on Globally turns BGP on. off Globally turns BGP off. cur Displays the current BGP configuration.
363
This menu is used to configure BGP peers, which are border routers that exchange routing information with routers on internal and external networks. The peer option is disabled by default. Table 5-87 BGP Peer Configuration Options (/cfg/l3/bgp/peer)
Command Syntax and Usage redist Displays the BGP Redistribution Menu. To view the menu options, see page 366. addr <IP address (such as, 192.4.17.101)> Defines the IP address for the specified peer (border router), using dotted decimal notation. The default address is 0.0.0.0. ras <AS number (0-65535)> Sets the remote autonomous system number for the specified peer. hold <hold time (0, 3-65535)> Sets the period of time, in seconds, that will elapse before the peer session is torn down because the switch hasn't received a keepalive message from the peer. It is set to 90 seconds by default. alive <keepalive time (0, 1-21845)> Sets the keepalive time for the specified peer in seconds. It is set to 0 by default.
364
365
/cfg/l3/bgp/peer/redist
BGP Redistribution Configuration Menu
[Redistribution Menu] metric - Set default-metric of advertised routes default - Set default route action rip - Enable/disable advertising RIP routes ospf - Enable/disable advertising OSPF routes fixed - Enable/disable advertising fixed routes static - Enable/disable advertising static routes vip - Enable/disable advertising VIP routes cur - Display current redistribution configuration
366
367
This menu allows you to configure aggregate routing to condense the number of routes between internal and external peer routers. Table 5-89 BGP Aggregate Menu Options (/cfg/l3/ip/bgp/aggr)
Command Syntax and Usage addr <IP address, such as 192.4.17.101> Adds the IP address to the selected aggregate. mask <IP subnet mask, such as 255.255.255.0> Sets the IP mask for the selected aggregate. enable Enables the selected aggregate. disable Disables the selected aggregate. delete Deletes the selected aggregate. current Displays the current aggregate configuration.
368
The Layer 3 Port Menu allows you to turn IP forwarding on or off on a port-by-port basis. By default, the port forwarding option is turned on. Table 5-90 IP Forwarding Port Configuration Menu Options (/cfg/l3/port)
Command Syntax and Usage on Enables IP forwarding for the current port. off Disables IP forwarding for the current port. cur Displays the current IP forwarding settings.
369
/cfg/l3/dns
Domain Name System Configuration Menu
[Domain Name System Menu] prima - Set IP address of primary DNS server secon - Set IP address of secondary DNS server dname - Set default domain name cur - Display current DNS configuration
The Domain Name System (DNS) Menu is used for defining the primary and secondary DNS servers on your local network, and for setting the default domain name served by the switch services. DNS parameters must be configured prior to using hostname parameters with the ping, traceroute, and tftp commands. Table 5-91 Domain Name System Menu Options (/cfg/l3/dns)
Command Syntax and Usage prima <IP address (such as, 192.4.17.101)> You will be prompted to set the IP address for your primary DNS server. Use dotted decimal notation. secon <IP address (such as, 192.4.17.101)> You will be prompted to set the IP address for your secondary DNS server. If the primary DNS server fails, the configured secondary will be used instead. Enter the IP address using dotted decimal notation. dname <dotted DNS notation>|none Sets the default domain name used by the switch. For example: mycompany.com cur Displays the current Domain Name System settings.
370
/cfg/l3/bootp
Bootstrap Protocol Relay Configuration Menu
[Bootstrap Protocol Relay Menu] addr - Set IP address of BOOTP server addr2 - Set IP address of second BOOTP server on - Globally turn BOOTP relay ON off - Globally turn BOOTP relay OFF cur - Display current BOOTP relay configuration
The Bootstrap Protocol (BOOTP) Relay Menu is used to allow hosts to obtain their configurations from a Dynamic Host Configuration Protocol (DHCP) server. The BOOTP configuration enables the switch to forward a client request for an IP address to two DHCP/BOOTP servers whose IP addresses have been configured on the Nortel Application Switch. BOOTP relay is turned off by default. Table 5-92 Bootstrap Protocol Relay Configuration Menu Options (/cfg/l3/bootp)
Command Syntax and Usage addr <IP address (such as, 192.4.17.101)> Sets the IP address of the BOOTP server. addr2 <IP address (such as, 192.4.17.101)> Sets the IP address of the second BOOTP server. on Globally turns on BOOTP relay. off Globally turns off BOOTP relay. cur Displays the current BOOTP relay configuration.
371
/cfg/l3/vrrp
VRRP Configuration Menu
[Virtual Router Redundancy Protocol Menu] vr - VRRP Virtual Router Menu vrgroup - VRRP Virtual Router Vrgroup Menu group - VRRP Virtual Router Group Menu if - VRRP Interface Menu track - VRRP Priority Tracking Menu hotstan - Enable/disable hot-standby processing on - Globally turn VRRP ON off - Globally turn VRRP OFF holdoff - Globally VRRP hold off time cur - Display current VRRP configuration
Virtual Router Redundancy Protocol (VRRP) support on the Nortel Application Switch provides redundancy between routers in a LAN. This is accomplished by configuring the same virtual router IP address and ID number on each participating VRRP-capable routing device. One of the virtual routers is then elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address. NOTE The IP address of a VRRP virtual interface router (VIR) and virtual server router (VSR) must be in the same IP subnet as the interface to which it is assigned. By default, VRRP is disabled. Nortel Application Switch Operating System has extended VRRP to include virtual servers as well, allowing for full active/active redundancy between its Layer 4 switches. For more information on VRRP, see the High Availability chapter in your Nortel Application Switch Operating System Application Guide. Table 5-93 Virtual Router Redundancy Protocol Options (/cfg/l3/vrrp)
Command Syntax and Usage vr <virtual router number (1-1024)> Displays the VRRP Virtual Router Menu. This menu is used for configuring up to 1024 virtual routers on this switch. To view menu options, see page 374. vrgroup <virtual router vrgroup number (1-16)> Displays VR Group Menu. To view menu options, see page 378.
This menu is used for configuring up to 256 virtual routers for this switch. A virtual router is defined by its virtual router ID and an IP address. On each VRRP-capable routing device participating in redundancy for this virtual router, a virtual router is configured to share the same virtual router ID and IP address. Virtual routers are disabled by default.

NOTE: The VRRP3 VRID for IPv6 VRRP configuration has a range of 1 to 255.

Table 5-94 VRRP Virtual Router Options (/cfg/l3/vrrp/vr)
Command Syntax and Usage
track
    Displays the VRRP Priority Tracking Menu for this virtual router. Tracking is Nortel's proprietary extension to VRRP, used for modifying the standard priority system used for electing the master router. Tracking is not needed if sharing (share) is enabled. To view menu options, see page 376.
ipver v4|v6
    Sets the version of the Internet Protocol supported by this virtual router. The default value is v4.
This menu is used for modifying the priority system used when electing the master router from a pool of virtual routers. Various tracking criteria can be used to bias the election results. Each time one of the tracking criteria is met, the priority level for the virtual router is increased by an amount defined through the VRRP Tracking Menu (see page 387).
Criteria are tracked dynamically, continuously updating virtual router priority levels when enabled. If the virtual router preemption option (see preem in Table 5-94 on page 374) is enabled, this virtual router can assume master routing authority when its priority level rises above that of the current master. Some tracking criteria (vrs, ifs, and ports below) apply to standard virtual routers, otherwise called virtual interface routers. Other tracking criteria (l4pts, reals, and hsrp) apply to virtual server routers, which perform Layer 4 Server Load Balancing functions. A virtual server router is defined as any virtual router whose IP address (addr) is the same as any configured virtual server IP address.
/cfg/l3/vrrp/vrgroup
Group Menu
This feature allows the failover of individual groups of VIRs and VSRs. When Web hosting is shared between two or more customers on a single VRRP switch, you can group VIRs and VSRs to serve the high availability of a specific customer. If failover occurs on a customer link, the group of VIRs and VSRs associated with that customer alone will fail over to the backup switch. The VIRs and VSRs configured for the other customers on the master switch are not affected. Up to 16 virtual router groups can be configured on the switch.
[VRRP Virtual Router Vrgroup 1 Menu]
track    - Priority Tracking Menu
name     - Set virtual router group name
add      - Add virtual router to group
rem      - Remove virtual router from group
prio     - Set priority for virtual router group
trackvr  - Set track virtual router for group
adver    - Set advertisement interval for group
preem    - Enable/disable preemption for group
share    - Enable/disable sharing for group
ena      - Enable virtual router group
dis      - Disable virtual router group
del      - Delete virtual router group
cur      - Display current VRRP virtual router group configuration
Table 5-97 Virtual Router Group Priority Tracking Menu Options (/cfg/l3/vrrp/vrgroup/track)

Command Syntax and Usage
ifs disable|enable
    When enabled, the priority is increased for each IP interface active on this virtual router group. An IP interface is considered active when there is at least one active port on the same VLAN. This helps elect the virtual router with the most available routes as the master. Disabled by default.
ports disable|enable
    When enabled, the priority is increased for each active port on the VLAN on this virtual router group. A port is considered active if it has a link and is forwarding traffic. This helps elect the virtual router with the most available ports as the master. Disabled by default.
l4pts disable|enable
    When enabled for virtual server routers, the priority is increased for each physical switch port that has active Layer 4 processing on this virtual router group. This helps elect the main Layer 4 switch as the master. Disabled by default.
reals disable|enable
    When enabled for virtual server routers, the priority is increased for each healthy real server behind the virtual server IP address that matches the virtual router's IP address on this virtual router group. This helps elect the switch with the largest server pool as the master, increasing Layer 4 efficiency. Disabled by default.
hsrp disable|enable
    Hot Standby Router Protocol (HSRP) is used with some types of routers for establishing router failover. In networks where HSRP is used, enable this option to increase the priority of this virtual router group for each Layer 4 client-only port that receives HSRP advertisements. This helps elect the switch closest to the master HSRP router as the master, optimizing routing efficiency. Disabled by default.
hsrv disable|enable
    Hot Standby Router on VLAN (HSRV) applies HSRP tracking in VLAN-tagged environments. When enabled, only the VRRP instance in this virtual router group that is on the same VLAN as the tagged HSRP master advertisement has its priority incremented. Disabled by default.
cur
    Displays the current priority tracking configuration for this virtual router group.
/cfg/l3/vrrp/group
Virtual Router Group Configuration
[VRRP Virtual Router Group Menu]
track  - Priority Tracking Menu
ipver  - Set IP version
vrid   - Set virtual router ID
if     - Set interface number
prio   - Set router priority
adver  - Set advertisement interval
preem  - Enable or disable preemption
share  - Enable or disable sharing
ena    - Enable virtual router
dis    - Disable virtual router
del    - Delete virtual router
cur    - Display current VRRP virtual router configuration
The Virtual Router Group menu is used for associating all virtual routers into a single logical virtual router, which forces all virtual routers on the Nortel Application Switch to either be master or backup as a group. A virtual router is defined by its virtual router ID and an IP address. On each VRRP-capable routing device participating in redundancy for this virtual router, a virtual router will be configured to share the same virtual router ID and IP address. NOTE This option is required to be configured only when using at least two Nortel Application Switches in a hot-standby failover configuration, where only one switch is active at any time. Table 5-98 VRRP Virtual Router Group Options (/cfg/l3/vrrp/group)
Command Syntax and Usage
track
    Displays the VRRP Priority Tracking Menu for the virtual router group. Tracking is Nortel's proprietary extension to VRRP, used for modifying the standard priority system used for electing the master router. Tracking is not needed if sharing (share) is enabled. To view menu options, see page 387.
ipver v4|v6
    Sets the version of the Internet Protocol supported by the virtual router group. The default value is v4.
vrid <virtual router ID (1-255)>
    Defines the virtual router ID for this group.
/cfg/l3/vrrp/group/track
Virtual Router Group Priority Tracking Configuration
[Virtual Router Group Priority Tracking Menu]
ifs    - Enable/disable tracking other interfaces
ports  - Enable/disable tracking VLAN switch ports
l4pts  - Enable/disable tracking L4 switch ports
reals  - Enable/disable tracking L4 real servers
hsrp   - Enable/disable tracking HSRP
hsrv   - Enable/disable tracking HSRP by VLAN
cur    - Display current VRRP Group Tracking configuration
NOTE If Virtual Router Group Tracking is enabled, then the tracking option will be available only under group option. The tracking setting for the other individual virtual routers will be ignored.
This menu is used for configuring VRRP authentication parameters for the IP interfaces used with the virtual routers. Table 5-100 VRRP Interface Menu Options (/cfg/l3/vrrp/if)
Command Syntax and Usage
auth none|password
    Defines the type of authentication used: none (no authentication) or password (simple text password authentication).
passw <password>
    Defines a plain text password up to eight characters long. When password authentication is selected (see auth above), this password is carried in clear text in every VRRP packet the interface transmits. Anyone who can capture traffic on the VLAN can read it, so it protects only against accidental misconfiguration (for example, two unrelated VRRP groups using the same VRID), not against a deliberate attacker on the segment.
del
    Clears the authentication configuration parameters for this IP interface. The IP interface itself is not deleted.
cur
    Displays the current authentication parameters for this IP interface.
/cfg/l3/vrrp/track
VRRP Tracking Configuration
[VRRP Tracking Menu]
vrs    - Set priority increment for virtual router tracking
ifs    - Set priority increment for IP interface tracking
ports  - Set priority increment for VLAN switch port tracking
l4pts  - Set priority increment for L4 switch port tracking
reals  - Set priority increment for L4 real server tracking
hsrp   - Set priority increment for HSRP tracking
hsrv   - Set priority increment for HSRP by VLAN tracking
cur    - Display current VRRP Priority Tracking configuration
This menu is used for setting weights for the various criteria used to modify priority levels during the master router election process. Each time one of the tracking criteria is met (see VRRP Virtual Router Priority Tracking Menu on page 376), the priority level for the virtual router is increased by an amount defined through this menu. Table 5-101 VRRP Tracking Options (/cfg/l3/vrrp/track)
Command Syntax and Usage
vrs <0-254>
    Defines the priority increment value (1 through 254) for virtual routers in master mode detected on this switch. The default value is 2.
ifs <0-254>
    Defines the priority increment value (1 through 254) for active IP interfaces detected on this switch. The default value is 2.
ports <0-254>
    Defines the priority increment value (1 through 254) for active ports on the virtual router's VLAN. The default value is 2.
l4pts <0-254>
    Defines the priority increment value (1 through 254) for physical switch ports with active Layer 4 processing. The default value is 2.
reals <0-254>
    Defines the priority increment value (1 through 254) for healthy real servers behind the virtual server router. The default value is 2.
hsrp <0-254>
    Defines the priority increment value (1 through 254) for switch ports with Layer 4 client-only processing that receive HSRP broadcasts. The default value is 10.
These priority tracking options only define increment values. These options do not affect the VRRP master router election process until options under the VRRP Virtual Router Priority Tracking Menu (see page 376) are enabled.
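The following is an added example, not code from the Nortel documentation or the switch firmware, showing how the increments above combine with the per-virtual-router tracking switches to decide which switch becomes master. Increment weights mirror /cfg/l3/vrrp/track and the enabled criteria mirror /cfg/l3/vrrp/vr <n>/track; the switch names, base priorities and observed counts are constructed, the hsrv default (2) is an assumption since the page lists none, and tie handling (the current master keeps the role) is an assumption because the page does not describe it.

```python
"""Added example (not Nortel code): how priority tracking biases VRRP master election.

Increment weights mirror /cfg/l3/vrrp/track; the set of enabled criteria mirrors
/cfg/l3/vrrp/vr <n>/track. Switch names, base priorities and observed counts are
constructed for illustration; tie handling (current master keeps the role) is an
assumption, since the page does not describe it.
"""
from dataclasses import dataclass

# Default increments from Table 5-101 (vrs, ifs, ports, l4pts, reals = 2; hsrp = 10).
# hsrv has no default listed on the page, so 2 is an assumption here.
DEFAULT_INCREMENTS = {"vrs": 2, "ifs": 2, "ports": 2, "l4pts": 2,
                      "reals": 2, "hsrp": 10, "hsrv": 2}

VRRP_MAX_PRIORITY = 254  # 255 is reserved by VRRP for the address owner


@dataclass
class Switch:
    name: str
    base_priority: int        # /cfg/l3/vrrp/vr <n>/prio
    tracking_enabled: set     # criteria enabled under /cfg/l3/vrrp/vr <n>/track
    counts: dict              # how many times each criterion is currently met (constructed)
    preempt: bool = True      # /cfg/l3/vrrp/vr <n>/preem


def effective_priority(sw, increments=DEFAULT_INCREMENTS):
    """Base priority plus (count * increment) for every enabled criterion, capped at 254."""
    prio = sw.base_priority
    for crit in sw.tracking_enabled:
        prio += sw.counts.get(crit, 0) * increments[crit]
    return min(prio, VRRP_MAX_PRIORITY)


def elect_master(switches, current_master=None, increments=DEFAULT_INCREMENTS):
    """Return the name of the switch that holds (or takes) the master role.

    With no current master the highest effective priority wins. Otherwise a backup
    takes over only if it has preemption enabled and its priority is strictly
    higher than the current master's, as described for the preem option.
    """
    best = max(switches, key=lambda s: effective_priority(s, increments))
    if current_master is None:
        return best.name
    master = next(s for s in switches if s.name == current_master)
    if (best.name != master.name and best.preempt
            and effective_priority(best, increments) > effective_priority(master, increments)):
        return best.name
    return master.name


if __name__ == "__main__":
    a = Switch("switch-a", 100, {"ifs", "ports", "reals"}, {"ifs": 2, "ports": 4, "reals": 5})
    b = Switch("switch-b", 100, {"ifs", "ports", "reals"}, {"ifs": 2, "ports": 4, "reals": 8})
    print(effective_priority(a), effective_priority(b), elect_master([a, b]))
    b.counts["reals"] = 3            # switch-b loses five healthy real servers
    print(elect_master([a, b], current_master="switch-b"))
```

Note that with reals tracking enabled, losing five healthy real servers on the master costs it 10 priority points, which is enough here for the backup to preempt; with preem disabled on the backup the master keeps the role even at lower priority.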
/cfg/slb
/cfg/slb displays the Server Load Balancing Configuration Menu. To view menu options, see Chapter 6, The SLB Configuration Menu.
symsig <signature id>
    Sets the action and bandwidth contracts for the specified signature.
symdel <signature id>
    Deletes the specified Symantec signature policy.
cur
    Displays the current security configuration.
/cfg/security/port
Port Security Menu
[Port <port_number> Menu]
bogon     - Enable/disable bogon IP ACL
ipacl     - Enable/disable IP ACL
udpblast  - Enable/disable UDP blast protection
dos       - Enable/disable protocol anomaly and DoS attack prevention
add       - Add protocol anomaly/DoS attack to prevention
aadd      - Add all protocol anomaly/DoS attacks to prevention
rem       - Remove protocol anomaly/DoS attack from prevention
arem      - Remove all protocol anomaly/DoS attacks from prevention
help      - Protocol anomaly and DoS attack prevention description
cur       - Display current port configuration
/cfg/security/ipacl
IP Address Access Control List Configuration Menu
Nortel Application Switch Operating System can be configured with IP access control lists (ACLs) composed of ranges of client IP addresses that are to be denied access to the switch. When traffic ingresses the switch, the client source or destination IP address is checked against this pool of addresses. If a match is found, then the client traffic is blocked.
[IP ACL Menu]
add     - Add configuration source IP Address/Mask
rem     - Remove configuration source IP Address/Mask
arem    - Remove all configuration source IP Address/Mask
dadd    - Add configuration destination IP Address/Mask
drem    - Remove configuration destination IP Address/Mask
darem   - Remove all configuration destination IP Address/Mask
cfg     - Display configuration IP Address/Mask
bogon   - Display bogon IP Address/Mask
oper    - Display operations IP Address/Mask
syslog  - Set IP ACL syslog setting
cur     - Display all IP Address/Mask
/cfg/security/udpblast
UDP Blast Protection Configuration Menu
Malicious attacks over UDP protocol ports are becoming a common way to bring down real servers. Nortel Application Switch Operating System can be configured to restrict the amount of traffic allowed on any UDP port, thus ensuring that backend servers are not flooded with data and disabled. You can specify a series of UDP port ranges and the allowed packet limit for that range. When the maximum number of packets/second is reached, UDP traffic is shut down on those ports. Nortel Application Switch Operating System supports up to 5000 UDP port numbers, using any integer from 1 to 65535. The maximum port range is 5000. If the first port number is 300, the last number that can be used is 5300. While you can configure multiple port ranges, the sum of ranges cannot exceed the maximum of 5000 ports.
[UDP Blast Protection Menu]
add      - Add UDP port/range for UDP blast protection
rem      - Remove UDP port/range for UDP blast protection
default  - Default packet rate for UDP blast protection
cur      - Display all UDP blast protection ports
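The following is an added example, not Nortel code, modelling the behaviour described above: each protected port range carries a packets/second limit, the protected ranges may cover at most 5000 ports in total, and once a one-second window reaches the limit, UDP traffic to that range is dropped. Two details the page leaves open are assumptions here: overlapping ranges are rejected, and blocking lasts only until the next one-second window. The port numbers, rates and timestamps are constructed.

```python
"""Added example (not Nortel code): a model of UDP blast protection (/cfg/security/udpblast).

Enforces the limits the page states (ports 1-65535, at most 5000 protected ports in
total) and the described behaviour: each range has a packets/second limit and, once a
one-second window reaches it, UDP traffic to that range is dropped for the rest of the
window. Assumptions: overlapping ranges are rejected; blocking ends with the window.
"""

MAX_PROTECTED_PORTS = 5000


class UdpBlastProtection:
    def __init__(self, default_pps=1000):
        self.default_pps = default_pps   # 'default' menu item: rate used when add gives none
        self.ranges = []                 # (lo, hi, pps_limit)
        self._window = {}                # (lo, hi) -> [window_start_second, packets_seen]

    def protected_ports(self):
        return sum(hi - lo + 1 for lo, hi, _ in self.ranges)

    def add(self, lo, hi=None, pps=None):
        """'add' menu item: protect a port or port range."""
        hi = lo if hi is None else hi
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("ports must satisfy 1 <= lo <= hi <= 65535")
        if any(lo <= b and a <= hi for a, b, _ in self.ranges):
            raise ValueError("range overlaps an existing range")          # assumption
        if self.protected_ports() + (hi - lo + 1) > MAX_PROTECTED_PORTS:
            raise ValueError("sum of ranges would exceed %d ports" % MAX_PROTECTED_PORTS)
        self.ranges.append((lo, hi, self.default_pps if pps is None else pps))

    def rem(self, lo, hi=None):
        """'rem' menu item: stop protecting a port or range."""
        hi = lo if hi is None else hi
        self.ranges = [r for r in self.ranges if (r[0], r[1]) != (lo, hi)]
        self._window.pop((lo, hi), None)

    def _lookup(self, port):
        for r in self.ranges:
            if r[0] <= port <= r[1]:
                return r
        return None

    def admit(self, dport, now):
        """Return True if a UDP packet to dport arriving at time `now` (seconds) is forwarded."""
        r = self._lookup(dport)
        if r is None:
            return True                    # port is not under UDP blast protection
        key, limit = (r[0], r[1]), r[2]
        win = self._window.setdefault(key, [int(now), 0])
        if win[0] != int(now):             # new one-second window: counter restarts
            win[0], win[1] = int(now), 0
        if win[1] >= limit:
            return False                   # limit reached: traffic to this range is shut down
        win[1] += 1
        return True


if __name__ == "__main__":
    p = UdpBlastProtection(default_pps=3)
    p.add(53)                        # constructed: protect DNS at 3 packets/second
    p.add(5060, 5070, pps=2)         # constructed: protect a SIP range at 2 packets/second
    print([p.admit(53, t) for t in (0.1, 0.2, 0.3, 0.4)], p.admit(53, 1.1))
```

Because the limit is enforced per range rather than per port, a flood spread across the whole SIP range above shares one budget; a practitioner sizing the limit should measure legitimate aggregate traffic for the range, not per port.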
/cfg/security/dos
Anomaly and Denial of Service Attack Prevention Menu
[Protocol Anomaly and DoS Attack Prevention Menu]
ipttl     - Set the smallest allowable IP TTL for ipttl
ipprot    - Set the highest allowable IP protocol for ipprot
fragdata  - Set the smallest allowable IP fragment payload for fragdata
fragoff   - Set the smallest allowable IP fragment offset for fragoff
syndata   - Set the largest allowable TCP SYN payload for syndata
icmpdata  - Set the largest allowable ICMP payload for icmpdata
icmpoff   - Set the largest allowable ICMP fragment offset for icmpoff
help      - Protocol anomaly and DoS attack prevention description
cur       - Display current protocol anomaly and DoS attack prevention
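The following is an added example, not Nortel code, that implements the seven threshold checks named in the menu against raw IPv4 packets so the meaning of each item is concrete. The threshold values are assumptions for the example, not the switch's defaults, and so is the interpretation where the page gives only the menu text: fragdata is applied to non-final fragments (MF set), fragoff to non-first fragments, icmpdata to the ICMP data after the 8-byte ICMP header on the first or only fragment, syndata to SYN segments without ACK. The sample packets are constructed with the helpers at the bottom; header checksums are left zero and are not verified.

```python
"""Added example (not Nortel code): protocol-anomaly thresholds from the
/cfg/security/dos menu, applied to raw IPv4 packets.

Threshold numbers and the interpretation of each menu item are assumptions for this
example. Sample packets are constructed; checksums are left zero and not verified.
"""
import socket
import struct

DEFAULT_THRESHOLDS = {
    "ipttl": 5,       # smallest allowable IP TTL
    "ipprot": 132,    # highest allowable IP protocol number
    "fragdata": 8,    # smallest allowable payload (bytes) of a non-final fragment
    "fragoff": 24,    # smallest allowable offset (bytes) of a non-first fragment
    "syndata": 0,     # largest allowable TCP SYN payload (bytes)
    "icmpdata": 576,  # largest allowable ICMP data (bytes)
    "icmpoff": 1024,  # largest allowable fragment offset (bytes) for ICMP
}


def parse_ipv4(pkt):
    """Return the header fields the checks need plus the IP payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, proto, _csum, _src, _dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or total_len < ihl:
        raise ValueError("bad IHL or total length")
    return {
        "ttl": ttl,
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),          # More Fragments flag
        "frag_off": (flags_frag & 0x1FFF) * 8,    # fragment offset in bytes
        "payload": pkt[ihl:total_len],
    }


def check_packet(pkt, thresholds=DEFAULT_THRESHOLDS):
    """Return the list of menu items (anomaly names) the packet violates."""
    h = parse_ipv4(pkt)
    payload, hits = h["payload"], []
    if h["ttl"] < thresholds["ipttl"]:
        hits.append("ipttl")
    if h["proto"] > thresholds["ipprot"]:
        hits.append("ipprot")
    if h["mf"] and len(payload) < thresholds["fragdata"]:
        hits.append("fragdata")                   # tiny non-final fragment
    if 0 < h["frag_off"] < thresholds["fragoff"]:
        hits.append("fragoff")                    # fragment landing inside the transport header
    first = h["frag_off"] == 0                    # transport header is only in the first fragment
    if first and h["proto"] == 6 and len(payload) >= 20:
        data_off = (payload[12] >> 4) * 4
        flags = payload[13]
        if flags & 0x02 and not flags & 0x10 and len(payload) - data_off > thresholds["syndata"]:
            hits.append("syndata")                # SYN carrying data
    if h["proto"] == 1:
        if first and len(payload) - 8 > thresholds["icmpdata"]:
            hits.append("icmpdata")               # oversized ICMP message
        if h["frag_off"] > thresholds["icmpoff"]:
            hits.append("icmpoff")                # ICMP fragment far beyond a normal message size
    return hits


# --- constructed sample traffic (not captured data) ---------------------------------

def build_ipv4(proto, payload, ttl=64, mf=False, frag_off=0, src="10.0.0.1", dst="10.0.0.2"):
    flags_frag = (0x2000 if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(flags, data=b"", sport=40000, dport=80):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 65535, 0, 0) + data


SAMPLES = {
    "benign_syn":    build_ipv4(6, build_tcp(0x02)),
    "syn_with_data": build_ipv4(6, build_tcp(0x02, b"GET / HTTP/1.0\r\n")),
    "low_ttl":       build_ipv4(6, build_tcp(0x02), ttl=1),
    "odd_protocol":  build_ipv4(200, b"\x00" * 8),
    "tiny_fragment": build_ipv4(6, b"\x00" * 4, mf=True),
    "small_offset":  build_ipv4(6, b"\x00" * 16, frag_off=8),
    "big_icmp":      build_ipv4(1, b"\x08\x00" + b"\x00" * 6 + b"A" * 600),
    "far_icmp_frag": build_ipv4(1, b"A" * 100, frag_off=1480),
}


def scan(samples=SAMPLES, thresholds=DEFAULT_THRESHOLDS):
    return {name: check_packet(pkt, thresholds) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, hits in scan().items():
        print("%-15s %s" % (name, ", ".join(hits) or "clean"))
```

The transport-layer checks (syndata, icmpdata) only fire on the first fragment because later fragments carry no transport header; the offset checks (fragoff, icmpoff) exist precisely to catch what the first-fragment checks cannot see.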
/cfg/sslproc
SSL Processor Menu
[SSL Processor Menu]
mip   - Set SSL processor management IP
port  - Set SSL processor Web server port
rts   - Enable/disable RTS processing
filt  - Enable/disable filtering
add   - Add filter
rem   - Remove filter
cur   - Display current SSL processor configuration
/cfg/dump
Dump
The dump program writes the current switch configuration to the terminal screen. To start the dump program, at the Configuration# prompt, enter:
Configuration# dump
The configuration is displayed with parameters that have been changed from the default values. The screen display can be captured, edited, and placed in a script file, which can be used to configure other switches through a Telnet connection. When using Telnet to configure a new switch, paste the configuration commands from the script file at the command line prompt of the switch. The active configuration can also be saved or loaded via TFTP, as described on page 401.
where server is the TFTP or FTP server IP address or hostname, and filename is the name of the target script configuration file.

NOTE: The output file is formatted with line breaks but no carriage returns; the file cannot be viewed with editors that require carriage returns (such as Microsoft Notepad).
NOTE If the TFTP server is running SunOS or the Solaris operating system, the specified ptcfg file must exist prior to executing the ptcfg command and must be writable (set with proper permission, and not locked by any application). The contents of the specified file will be replaced with the current configuration data.
where server is the TFTP or FTP server IP address or hostname, and filename is the name of the target script configuration file.
CHAPTER 6
320506-C Rev. 02, Feb 2007
This menu is used for configuring information about real servers that participate in a server pool for Server Load Balancing or Application Redirection. The required parameters are:
    Real server IP address
    Real server enabled (disabled by default)

Table 6-2 Real Server Configuration Menu Options (/cfg/slb/real)
Command Syntax and Usage
adv
    Displays the Real Server Advanced Menu. To view menu options, see page 413.
layer7
    Displays the Layer 7 Menu. To view menu options, see page 413.
ids
    Displays the Intrusion Detection Server/system menu. To view menu options, see page 414.
ipver v4|v6
    Sets the IP version of the real server.
rip <real server IP address>
    Sets the IP address of the real server. The format of the IP address depends on the IP version specified with the ipver command. When this command is used, the address entered is pinged to determine whether the server is up, and the administrator is warned if the server does not respond.
name <string, maximum 31 characters>|none
    Defines an alias (up to 31 characters) for the real server, so that the network administrator can quickly identify the server by a natural-language keyword.
weight <real server weight (1-48)>
    Sets the weighting value (1 to 48) that this real server is given in the load balancing algorithms. Higher weighting values cause the server to receive more connections than the other servers configured in the same real server group. By default, each real server is given a weight of 1. A setting of 10 assigns the server roughly 10 times the number of connections as a server with a weight of 1. Weights are not applied when using the minmisses metric (see Server Load Balancing Metrics on page 421).
avail <server weight (1-48)>
    Displays the currently available real server for Global Server Load Balancing and allows the user to change to another real server for Global Server Load Balancing.
/cfg/slb/real/adv
Real Server Advanced Menu
[Real Server 1 Advanced Menu]
avail    - Set Global SLB availability for real server
remote   - Enable/disable Global SLB remote site operation
proxy    - Enable/disable client proxy operation
buddyhc  - Buddy Server Menu
fasthc   - Enable/disable fast health check operation
submac   - Enable/disable source MAC address substitution
subdmac  - Enable/disable destination MAC address substitution
cur      - Display current real server advanced configuration
/cfg/slb/real/adv/buddyhc
Buddy Server Health Check Menu
[Real server 1 Buddy Menu]
addbd  - Add Buddy Server
delbd  - Delete Buddy Server
cur    - Display current buddy server configuration
This menu is used for entering commands and strings for Layer 7 processing. Table 6-5 Layer 7 Commands Menu Options (/cfg/slb/real/layer7)
Command Syntax and Usage
addlb <defined SLB string ID, 1-1024>
    Adds the predefined URL load balance string ID to the real server.
remlb <defined SLB string ID, 1-1024>
    Removes the predefined URL load balance string ID from the real server.
cookser disable|enable
    Enables or disables the real server to handle client requests that don't contain a cookie. Use this option to designate a specific server to assign cookies only. This server gets the client request, assigns the cookie, and embeds the IP address of the real server that will handle the subsequent requests from the client. By default, this option is disabled.
exclude disable|enable
    Enables or disables exclusionary string matching. By default, this option is disabled.
ldapwr disable|enable
    Enables or disables the LDAP write server. LDAP servers are of two types: read servers and write servers. Use read servers when you only want to browse the directory; use write servers when you want to modify the directory on the server. The write server can conduct both read and write operations.
cur
    Displays the current real server configuration.
/cfg/slb/group <real server group number> Real Server Group SLB Configuration
[Real Server Group 1 Menu]
ipver    - Set IP version
metric   - Set metric used to select next server in group
rmetric  - Set metric used to select next rport in server
content  - Set health check content
health   - Set health check type
backup   - Set backup real server or group
name     - Set real server group name
realthr  - Set real server failure threshold
idsrprt  - Set Intrusion Detection Port
advhlth  - Set an advanced group health check formula
mhash    - Set minmisses hash parameter
wlm      - Set Workload Manager number
viphlth  - Enable/disable VIP health checking in DSR mode
ids      - Enable/disable Intrusion Detection
idsfld   - Enable/disable Intrusion Detection Group Flood
oper     - Enable/disable the access to this group for operator
ena      - Enable real server in this group
dis      - Disable real server in this group
add      - Add real server
rem      - Remove real server
del      - Delete real server group
cur      - Display current group configuration
This menu is used for combining real servers into real server groups. Each real server group should consist of all the real servers which provide a specific service for load balancing. Each group must consist of at least one real server. Each real server can belong to more than one group. Real server groups are used both for Server Load Balancing and Application Redirection. Table 6-7 Real Server Group Configuration Menu Options (/cfg/slb/group)
Command Syntax and Usage
ipver v4|v6
    Sets the IP version of the real server group.
metric leastconns|roundrobin|minmisses|hash|response|bandwidth|phash
    Sets the load balancing metric used for determining which real server in the group will be the target of the next client request. The default setting is leastconns. See Server Load Balancing Metrics on page 421 for more information.
415
416
417
tcp sipoptions
418
419
420
421
The metrics are described in the following table: Table 6-9 Real Server Group Metrics (/cfg/slb/group/metric)
Option and Description
minmisses
    Minimum misses. This metric is optimized for Application Redirection. When minmisses is specified for a real server group performing Application Redirection, all requests for a specific IP destination address are sent to the same server. This is particularly useful in caching applications, helping to maximize successful cache hits. Best statistical load balancing is achieved when the IP address destinations of load balanced frames are spread across a broad range of IP subnets. Minmisses can also be used for Server Load Balancing. When specified for a real server group performing Server Load Balancing, all requests from a specific client are sent to the same server. This is useful for applications where client information must be retained on the server between sessions. Server load with this metric becomes most evenly balanced as the number of active clients increases.
hash
    Like minmisses, the hash metric uses IP address information in the client request to select a server. For Application Redirection, all requests for a specific IP destination address are sent to the same server. This is particularly useful for maximizing successful cache hits. For Server Load Balancing, all requests from a specific client are sent to the same server. This is useful for applications where client information must be retained between sessions. The hash metric should be used if the statistical load balancing achieved using minmisses is not as optimal as desired. Although the hash metric can provide more even load balancing at any given instant, it is not as effective as minmisses when servers leave and re-enter service. If the Load Balancing statistics indicate that one server is processing significantly more requests over time than other servers, consider using the hash metric. Note that the Nortel Application Switch Operating System contains a hidden grouping boundary of 32 when indexing real servers. Problems can occur with non-linear hashing when real server groups move outside this hidden boundary.
leastconns
    Least connections. With this option, the number of connections currently open on each real server is measured in real time. The server with the fewest current connections is considered the best choice for the next client connection request. This option is the most self-regulating, with the fastest servers typically getting the most connections over time, due to their ability to accept, process, and shut down connections faster than slower servers.
roundrobin
    Round robin. With this option, new connections are issued to each server in turn: the first real server in this group gets the first connection, the second real server gets the next connection, followed by the third real server, and so on. When all the real servers in this group have received at least one connection, the issuing process starts over with the first real server.
NOTE Under the leastconns, roundrobin, hash, and phash metrics, when real servers are configured with weights (see the weight option on page 407), a higher proportion of connections are given to servers with higher weights. This can improve load balancing among servers of different performance levels. Weights are not applied when using the minmisses metrics.
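The following is an added example, not Nortel code, that turns the metrics in Table 6-9 and the weight note above into small deterministic functions over one real server group. Server names, weights and client addresses are constructed. The page does not describe the switch's internal hashing, so minmisses is implemented with rendezvous (highest-random-weight) hashing, a stand-in chosen because it has the property the page attributes to minmisses: when a server leaves service only the clients that were on that server move. The hash metric uses plain modulo hashing so the difference is visible. Weighting leastconns by connections divided by weight is also an assumption; the page says only that heavier servers get a higher proportion of connections.

```python
"""Added example (not Nortel code): the server-selection metrics described in
Table 6-9 as deterministic functions over one real server group.

Server names, weights and client addresses are constructed. minmisses uses rendezvous
hashing as a stand-in for the switch's undisclosed algorithm; hash uses modulo hashing.
Weights (1-48) are honoured by roundrobin and leastconns and ignored by minmisses.
"""
import hashlib


def _h(*parts):
    """Stable 64-bit hash of the joined parts (hashlib, not the per-process builtin hash())."""
    return int.from_bytes(hashlib.sha256("|".join(parts).encode()).digest()[:8], "big")


class RealServerGroup:
    def __init__(self, servers):
        """servers: {real server name: weight}, weight 1-48 as in /cfg/slb/real <n>/weight."""
        for name, w in servers.items():
            if not 1 <= w <= 48:
                raise ValueError("weight for %s must be 1-48" % name)
        self.servers = dict(servers)          # insertion order = configured order
        self.healthy = set(servers)           # servers currently passing health checks
        self.conns = {s: 0 for s in servers}  # currently open connections per server
        self._rot, self._rot_key, self._idx = [], None, 0

    def _pool(self):
        return [s for s in self.servers if s in self.healthy]

    def open(self, server):
        self.conns[server] += 1

    def close(self, server):
        self.conns[server] -= 1

    def roundrobin(self):
        """Weighted round robin: a server of weight w takes w turns per rotation."""
        key = tuple(self._pool())
        if key != self._rot_key:             # pool changed: rebuild the rotation
            self._rot = [s for s in key for _ in range(self.servers[s])]
            self._rot_key, self._idx = key, 0
        choice = self._rot[self._idx % len(self._rot)]
        self._idx += 1
        return choice

    def leastconns(self):
        """Fewest open connections, scaled by weight so heavier servers accept more (assumption)."""
        return min(self._pool(), key=lambda s: (self.conns[s] / self.servers[s], s))

    def hash_metric(self, client_ip):
        """Same client -> same server, but a pool-size change remaps many clients."""
        pool = self._pool()
        return pool[_h(client_ip) % len(pool)]

    def minmisses(self, client_ip):
        """Same client -> same server; only clients of a departed server are remapped."""
        return max(self._pool(), key=lambda s: _h(client_ip, s))


if __name__ == "__main__":
    g = RealServerGroup({"web1": 3, "web2": 1})          # constructed group
    print([g.roundrobin() for _ in range(8)])
    g3 = RealServerGroup({"a": 1, "b": 1, "c": 1})
    clients = ["192.168.0.%d" % i for i in range(1, 31)]  # constructed client addresses
    before = {c: g3.minmisses(c) for c in clients}
    g3.healthy.discard("b")                              # server b fails its health check
    moved = [c for c in clients if g3.minmisses(c) != before[c]]
    print("clients remapped after losing b:", len(moved), "all were on b:",
          all(before[c] == "b" for c in moved))
```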
This menu is used for configuring the virtual servers which will be the target for client requests for Server Load Balancing. Configuring a virtual server requires the following parameters:
    Creating a virtual server IP address
    Adding a TCP/UDP port and real server group
    Enabling the virtual server (disabled by default)

Table 6-10 Virtual Server Configuration Menu Options (/cfg/slb/virt)
Command Syntax and Usage
service <virtual port or name>
    Displays the Virtual Services Menu. The virtual port name can be a well-known port name, such as http or ftp, the service number, and so on. The allowable port range is from 9 to 65534. To get more information about well-known ports, see the sport command on page 442. To view the services menu options, see page 427.
page 433.
http
    Enables or disables HTTP Redirection for Global Server Load Balancing on a per-VIP basis. Disabling HTTP Redirection causes GSLB to use the proxy IP address for HTTP. To view the menu options, see page 434.
sip
    Enables or disables Session Initiation Protocol (SIP) server load balancing on the Nortel Application Switch Operating System. When enabled, you can configure SIP service on service port 5060 for a virtual server. SIP is a UDP-based application-level control protocol for creating, modifying and terminating sessions with one or more participants (RFC 3261). SIP processing occurs at the application level in order to parse messages from both the client side and the server side. Using SIP on your switch, you can load balance Nortel's MCS (Multimedia Communication Server) proxy servers; Nortel Networks MCS is a SIP-enabled application server. When SIP is enabled, calls can be scanned and hashed to an MCS server based on the SIP Call-ID header. Direct Access Mode (DAM) must be turned on to perform SIP load balancing, and only minmisses can be used as the load balancing metric, since load balancing is performed on the Call-ID. To view the menu options, see page 435.
rtsp
    Displays the RTSP Load Balancing Menu. To view the menu options, see page 436.
group <real server group number (1-1024)>
    Sets a real server group for this service. The default is 1. You are prompted to enter the number (1 to 1024) of the real server group to add to this service.
rport <real server port (0-65534)>
    Defines the real server TCP or UDP port assigned to this service. By default, this is the same as the virtual port (service virtual port). If rport is configured to be different from the virtual port defined in /cfg/slb/virt <number>/service <virtual port>, the switch maps the virtual port to this real port.
    urlslb: Enable or disable URL SLB
    host: Enable or disable virtual hosting
    cookie: Enable or disable cookie-based SLB for cookie-based preferential load balancing. You are prompted for the cookie name, the starting point of the cookie value, the number of bytes to be extracted, and whether to check for the cookie in the URI.
    browser: Enable or disable SLB based on browser type
    urlhash: Enable or disable URL hashing based on the URI
    headerhash: Hashes on any HTTP header value
    others: Requires inputs for a particular header field
    You may choose to combine or select applications to load balance using the commands and and/or or. For example:
        httpslb <application>
        httpslb <application> and|or <application>
cont <BWM Contract (0-1024), 0 for VIP default>
    Sets a Bandwidth Management contract for this virtual service. The default number of contracts is 1024 for Nortel Application Switch Operating System. Note: If you enter 0 for the service contract, the service carries the value entered for the Virtual Server IP (vip) contract.
urlcont <URL path ID> <BW contract>
    Sets the Bandwidth Management contract of a string specific to this virtual service. Use this command only when a string is shared by multiple virtual services and each service requires separate bandwidth. The default is 1024.
/cfg/slb/virt/service/wts
WTS Load Balancing Menu
[WTS Load Balancing Menu]
userhash  - Enable userhash when there is no Session Directory Server
ena       - Enable WTS load balancing and persistence
dis       - Disable WTS load balancing and persistence
cur       - Display current WTS configuration
/cfg/slb/virt/service/http
HTTP Load Balancing Menu
[HTTP Load Balancing Menu]
httpslb   - Set HTTP SLB processing
urlcont   - Set BW contract of an SLB string specific to this service
rcount    - Set multi response count
http      - Enable/disable HTTP redirects for Global SLB
xforward  - Enable/disable X-Forwarded-For for proxy mode
pooling   - Enable/disable connection pooling for HTTP traffic
cur       - Display current HTTP configuration
/cfg/slb/virt/service/sip
SIP Load Balancing Menu
[SIP Load Balancing Menu]
sip     - Enable/disable SIP load balancing
sdpnat  - Enable/disable SIP SDP Media Portal NAT
cur     - Display current SIP configuration
/cfg/slb/virt/service/rtsp
RTSP Load Balancing Menu
[RTSP Load Balancing Menu]
group     - Set real server group number
hname     - Set hostname
rtspslb   - Set RTSP URL load balancing type
thash     - Set hash parameter
tmout     - Set minutes an inactive connection remains open
softgrid  - Enable/disable SoftGrid load balancing
nonat     - Enable/disable only substituting MAC addresses
nortsp    - Enable/disable only RTSP SLB
del       - Delete virtual service
cur       - Display current virtual service configuration
within the URL to select a server based on the string configured on the real server.
    l4hash: Configures Server Load Balancing based on the Layer 4 hash metric.
    none: RTSP uses Layer 4 metrics to select a server to load balance.
Cookie-Based Persistence
The cookie option is used to establish cookie-based persistence, and has the following command syntax and usage: pbind cookie <mode> <name> <offset> <length> <URI>
For more information on Cookie-Based Persistence, see the Nortel Application Switch Operating System 23.1 Application Guide.
The switch supports up to 2048 traffic filters. Each filter can be configured to allow, deny, redirect or perform Network Address Translation on traffic according to a variety of address and protocol specifications, and each physical switch port can be configured to use any combination of filters. This command is disabled by default.
There are several options available in the Filter Advanced Menu (/cfg/slb/filt/adv, page 445) that can be used to provide more information through syslog. The types of information include:
    IP protocol
    TCP/UDP ports
    TCP flags
    ICMP message type

The following parameters are required for filtering:
    Set the address, masks, and/or protocol that will be affected by the filter
    Set the filter action (allow, deny, redirect, nat)
    Enable the filter
    Add the filter to a switch port
    Enable filtering on the Nortel Application Switch port

Table 6-16 Filter Configuration Menu Options (/cfg/slb/filt)
Command Syntax and Usage
adv Displays the Filter Advanced Menu. To view menu options, see page 445.
name <31 character name>|none Allows the user to assign a name to a filter.
smac any|<MAC address (such as, 00:60:cf:40:56:00)> Sets the source MAC address. The default is any.
dmac any|<MAC address (such as, 00:60:cf:40:56:00)> Sets the destination MAC address. The default is any.
ipver v4|v6 Sets the IP version that the filter will use. Filtering using IPv6 is only supported in bridge mode.
sip any|<IP4 address (eg, 192.4.17.101)>|<IP6 address (eg, 3001:0:0:0:0:0:abcd:1234 or 3001::abcd:1234)> If defined, traffic with this source IP address will be affected by this filter. Specify an IP address in dotted decimal notation for IPv4 or colon notation for IPv6, or any. A range of IP addresses is produced when used with the smask below. The default is any if the source MAC address is any.
dport any|<name>|<port>|<port>-<port> If defined, traffic with the specified real server TCP or UDP destination port will be affected by this filter. Specify the port number, range, name, or any, just as with sport above. The default is set at any.
nat
goto
As another example, you could configure the switch with two filters so that each would handle traffic filtering for one half of the Internet. To do this, you could define the following parameters:
Table 6-17 Filtering IP Address Ranges
Filter #1 #2 Internet Address Range dip dmask 128.0.0.0
128.0.0.0 128.0.0.0
work traffic at the Layer 2 level in your switch. Using this command you can preserve 802.1p bits in all the frames that pass through the switch.
To view menu options, see page 448.
tcp Displays the TCP Flags advanced menu. To view menu options, see page 448.
ip Displays the IP advanced menu. To view menu options, see page 449.
layer7 Displays the Layer7 advanced menu. To view menu options, see page 452.
proxyadv Displays the Proxy Advanced Menu. To view menu options, see page 455.
icmp any|<number>|<type; "icmp list" for list> Sets the ICMP message type. The default is set at any. For a list of ICMP message types, see Table 6-22 on page 450. For a detailed description of filtering and ICMP, see the Nortel Application Switch Operating System 23.1 Application Guide.
cont <BWM Contract (1-1024)> Sets the Bandwidth Management Contract. By default, the contract number is set at 1024.
revcont <BW Contract (1-1024)> Sets the Bandwidth Management contract for the reverse traffic session. This command helps you assign a different Bandwidth Management contract from the one configured on the ingress filter.
tmout <even number of minutes (4-32768)> Sets the session timeout in an even number of minutes. The default is set at 4 minutes.
idsgrp <real server group number (1-1024)>|none Sets the IDS server group for intrusion detection server load balancing. When filtering is used for IDSLB, each filter added to an IDSLB-enabled port can be assigned a unique IDS real server group.
idshash sip|dip|both Sets the hash metric parameter for Intrusion Detection System Server Load Balancing: source IP (sip), destination IP (dip), or both.
These commands can be used to configure packet filtering for specific TCP flags. Table 6-20 Advanced Filter TCP Menu (/cfg/slb/filt/adv/tcp)
Command Syntax and Usage
urg disable|enable Enables or disables TCP URG (urgent) flag matching. By default, this option is disabled.
ack disable|enable Enables or disables TCP ACK (acknowledgement) flag matching. By default, this option is disabled.
psh disable|enable Enables or disables TCP PSH (push) flag matching. By default, this option is disabled.
rst disable|enable Enables or disables TCP RST (reset) flag matching. By default, this option is disabled.
syn disable|enable Enables or disables TCP SYN (synchronize) flag matching. By default, this option is disabled.
fin disable|enable Enables or disables TCP FIN (finish) flag matching. By default, this option is disabled.
ackrst disable|enable Enables or disables TCP acknowledgement or reset flag matching. By default, this option is disabled.
cur Displays the current Access Control List TCP filter configuration.
RADIUS snooping allows the Nortel Application Switch Operating System to examine RADIUS accounting packets for client information. This information is needed to add or delete static session entries in the switch's session table so that it can perform the required persistency for load balancing. For more details, please refer to your Application Guide.
rdswap enable|disable Enables or disables WAP RADIUS persistence on this filter. This feature allows for RADIUS and WAP persistence by binding both (RADIUS accounting and WAP) sessions to the same server. A WAP client is first authenticated by the RADIUS server on UDP port 1812. The server replies with a RADIUS Accept or Reject frame. The switch forwards this reply to the RAS. After the RAS receives the RADIUS Accept packet, it sends a RADIUS accounting start packet on UDP port 1813 to the bound server. The application switch snoops on the RADIUS accounting start packet for the framed IP address attribute. The framed IP address attribute is used to rebind the RADIUS accounting session to a new server. For more details, please refer to your Application Guide.
ftpa disable|enable Enables or disables active FTP Client Network Address Translation (NAT). When a client in active FTP mode sends a PORT command to a remote FTP server, the switch will look into the data part of the frame and replace the client's private IP address with a proxy IP (PIP) address. The real server port (RPORT) will be replaced with a proxy port (PPORT), that is PIP:PPORT. By default, this option is disabled.
l7lkup disable|enable Enables or disables layer 7 lookup on this filter. This command replaces the urlp and l7deny commands found in earlier releases of Nortel Application Switch Operating System. When enabled, the filter performs a lookup on layer 7 content such as HTTP strings or headers. When combined with a filter action (for example, deny, redir), this feature enables content-intelligent redirection or content-intelligent deny filtering.
parseall disable|enable Enables or disables parsing of all packets in a session where layer 7 lookup is being performed. This command is enabled by default, and normally all data packets in a session are examined by the filter. However, some sessions may contain only one packet containing the layer 7 content. Once this packet is found, subsequent packets can be ignored. When parseall is disabled, layer 7 lookup is turned off for the remaining packets in the session.
cur Displays the current advanced Layer 7 configuration of the filter including the RADIUS/WAP persistence settings.
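The following Python is an added example, not code from the Nortel manual or the switch, showing the RADIUS accounting snooping that rdswap relies on: an Accounting-Request on UDP port 1813 is decoded, the Acct-Status-Type (attribute 40) and Framed-IP-Address (attribute 8) are read, and a static session entry keyed by the framed IP address is added on Start or removed on Stop. The attribute numbers and the code value 4 for Accounting-Request are the standard RADIUS values; the sample packet is constructed with a zeroed authenticator, and the real server number is an assumption. The parser rejects any attribute length that does not fit the datagram, so a malformed packet cannot loop or read past the buffer.

```python
import struct
from typing import Dict, Optional, Tuple

# Standard RADIUS values (RFC 2865/2866).
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ACCT_START, ACCT_STOP = 1, 2
HEADER_LEN = 20          # code, id, length, 16-byte authenticator


def parse_radius(datagram: bytes) -> Tuple[int, Dict[int, bytes]]:
    """Decode the RADIUS header and attribute list. Raises ValueError on a
    length that does not fit the datagram, so a malformed packet can never
    push the parser into an endless loop or past the buffer."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("short RADIUS header")
    code, _ident, length = struct.unpack("!BBH", datagram[:4])
    if length < HEADER_LEN or length > len(datagram):
        raise ValueError("bad RADIUS length")
    attrs: Dict[int, bytes] = {}
    pos = HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = datagram[pos], datagram[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = datagram[pos + 2:pos + alen]
        pos += alen
    return code, attrs


def snoop_accounting(datagram: bytes) -> Optional[Tuple[str, str]]:
    """Return ("start"|"stop", framed_ip) for an Accounting-Request that
    carries both Acct-Status-Type and Framed-IP-Address, else None."""
    code, attrs = parse_radius(datagram)
    if code != ACCOUNTING_REQUEST:
        return None
    status = attrs.get(ATTR_ACCT_STATUS_TYPE)
    framed = attrs.get(ATTR_FRAMED_IP_ADDRESS)
    if status is None or len(status) != 4 or framed is None or len(framed) != 4:
        return None
    status_val = struct.unpack("!I", status)[0]
    if status_val not in (ACCT_START, ACCT_STOP):
        return None
    ip = ".".join(str(b) for b in framed)
    return ("start" if status_val == ACCT_START else "stop", ip)


class SessionTable:
    """Static session entries keyed by the client's framed IP address, as the
    text describes the switch using the snooped attribute."""

    def __init__(self) -> None:
        self.entries: Dict[str, int] = {}

    def apply(self, datagram: bytes, real_server: int) -> Optional[str]:
        """Add (Start) or delete (Stop) the entry; returns the framed IP
        acted on, or None if the packet was not a usable accounting record."""
        result = snoop_accounting(datagram)
        if result is None:
            return None
        event, ip = result
        if event == "start":
            self.entries[ip] = real_server
        else:
            self.entries.pop(ip, None)
        return ip


def build_accounting_request(ident: int, status: int,
                             framed_ip: str, user: str) -> bytes:
    """Constructed sample Accounting-Request (authenticator zeroed)."""
    def attr(t: int, v: bytes) -> bytes:
        return bytes([t, len(v) + 2]) + v
    body = (attr(ATTR_USER_NAME, user.encode())
            + attr(ATTR_FRAMED_IP_ADDRESS, bytes(int(x) for x in framed_ip.split(".")))
            + attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status)))
    return struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(body)) + bytes(16) + body
```

Only Accounting-Request packets (code 4) drive the table; an Access-Request on port 1812 carries no Acct-Status-Type and is ignored, which matches the text's description of snooping the accounting start packet rather than the authentication exchange.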
/cfg/slb/filt/adv/proxyadv
Proxy Advanced Menu
[Proxy Advanced Menu]
proxyip - Set client proxy IP address
epip - Enable/disable pip selection based egress port/vlan
proxy - Enable/disable client proxy
cur - Display current proxy configuration
Enables or disables matching of all configured patterns before the filter can perform the deny action.
parsechn enable|disable Enable/disable chained pgroup match criteria for l7 filtering.
parseall disable|enable Enables or disables pattern string lookup (parsing) of all packets in a session where pattern matching is being performed. This command is enabled by default, and normally all data packets in a session are examined by the filter. However, some sessions may contain only one packet containing the layer 7 content. Once this packet is found, subsequent packets can be ignored. When parseall is disabled, pattern matching is turned off for the remaining packets in the session.
cur Displays the current configuration.
Nortel Application Switch Operating System switch software allows you to enable or disable processing independently for each type of Layer 4 traffic (client and server) on a per port basis, expanding your topology options.
NOTE When changing the filters on a given port, it may take some time before the port session information is updated so that the filter changes take effect. To make port filter changes take effect immediately, clear the session binding table for the port (see the clear command in Table 7-3 on page 498).
Table 6-28 Port Configuration Menu Options (/cfg/slb/port)
Command Syntax and Usage
client disable|enable For Server Load Balancing, the port can be enabled or disabled to process client Layer 4 traffic. Ports configured to process client request traffic bind servers to clients and provide address translation from the virtual server IP address to the real server IP address, re-mapping virtual server IP addresses and port values to real server IP addresses and ports. Traffic not associated with virtual servers is switched normally. Maximizing the number of these ports on the Layer 4 switch will improve the switch's potential for effective Server Load Balancing. This option is disabled by default.
port <TCP port number> Sets the TCP port number for remote site updates for Global Server Load Balancing. The default TCP port is 80.
sinter <remote site updates interval in seconds, 10-7200> Sets the time interval in seconds for remote site updates. The range is between 10 and 7200 seconds.
Up to 64 remote sites can be configured.
Table 6-30 GSLB Remote Site Menu Options (/cfg/slb/gslb/site)
Command Syntax and Usage
prima <server IP address> Defines the IP interface IP address of the primary switch at the remote site used for Global Server Load Balancing. Use dotted decimal notation.
secon <server IP address> If the remote site is configured with a redundant switch, enter the IP address of the IP interface for the remote secondary switch here. If the remote site primary switch fails, the local switch will address the remote site secondary switch instead.
name <31 character name>|none Sets the name of the remote site. The default is set at none.
update disable|enable Enables or disables remote site updates. If enabled (default), this switch will send regular Distributed Site State Protocol (DSSP) updates to its remote peers using HTTP port 80. If disabled, the switch will not send state updates. If your local firewall does not permit this traffic, disable the updates.
Note: When update is enabled, Global Server Load Balancing uses service port 80 on the IP interface for DSSP updates. By default, the Nortel Application Switch Operating System Web-based interface also uses port 80. Both services cannot use the same port. If both are enabled, configure the Nortel Application Switch Operating System Browser-Based Interface (BBI) to use a different service port (see the /cfg/sys/access/wport option on page 276).
ena Enables this remote site for use with Global Server Load Balancing.
dis Disables this remote site. The switch will no longer use this remote site for Global Server Load Balancing.
del Removes this remote site from operation and deletes its configuration.
cur Displays the current remote site configuration.
/cfg/slb/gslb/rule
GSLB Rule Configuration Menu
Rules allow the GSLB selection to use different metric preferences based on time-of-day. You can configure one or more rules on each domain. Each rule has a metric preference list. The GSLB selection selects the first rule that matches the domain and starts with the first metric in the metric preference list of the rule.
[Rule 1 Menu]
metric - Metric Menu
start - Set start time for rule
end - Set end time for rule
ttl - Set Time To Live in seconds of DNS resource records
rr - Set DNS resource records in DNS response
dname - Set network preference domain name for rule
ena - Enable rule
dis - Disable rule
del - Delete rule
cur - Display current rule configuration
/cfg/slb/gslb/rule/metric
Global SLB Rule Metric Menu
[Rule 1 Metric 1 Menu]
gmetric - Set metric to use to select next server
addnet - Add network to gmetric=network
remnet - Remove network from gmetric=network
cur - Display current metric configuration
/cfg/slb/layer7
Layer 7 SLB Resource Definition Menu
[Layer 7 Resource Definition Menu]
redir - Web Cache Redirection Menu
slb - Server Load Balancing Menu
sdp - SIP SDP Menu
dbindtm - Set timeout for incomplete delayed binding connections
cur - Display current Layer 7 configuration
/cfg/slb/layer7/redir
Web Cache Redirection Configuration
[Web Cache Redirection Menu]
urlal - Enable/disable auto-ALLOW for non-GETs to origin servers
cookie - Enable/disable auto-ALLOW for Cookie to origin servers
nocache - Enable/disable no-cache control header to origin servers
hash - Enable/disable URL hashing based on URI
header - Enable/disable server loadbalance based on HTTP header
cur - Display current WCR configuration
/cfg/slb/layer7/slb
Server Load Balance Resource Configuration Menu
[Server Loadbalance Resource Menu]
message - Set HTTP error message
addstr - Add SLB string for load balance
remstr - Remove SLB string for load balance
rename - Rename SLB string for load balance
addmeth - Add HTTP method type
remmeth - Remove HTTP method type
case - Enable/disable case sensitive for string matching
cont - Set BW contract for the SLB string
cur - Display current configuration
/cfg/slb/layer7/sdp
SDP Mapping Menu
[SDP Mapping Menu]
add - Add SDP mapping
rem - Remove SDP mapping
cur - Display current SDP mapping configuration
To synchronize the configuration between two switches, a peer must be configured and enabled on each switch. Switches being synchronized must use the same administrator password. Peers are sent SLB, FILT, and VRRP configuration updates using /oper/slb/sync.
Table 6-39 Synchronization Menu Options (/cfg/slb/sync)
Command Syntax and Usage
peer <peer switch number (1-2)> Displays the Sync Peer Switch Menu. This option is enabled by default. To view menu options, see page 474.
filt disable|enable Enables or disables synchronizing filter configuration. This option is disabled by default.
ports disable|enable Enables or disables synchronizing Layer 4 port configuration. This option is enabled by default.
prios disable|enable Enables or disables syncing VRRP priorities. This option is enabled by default.
pips disable|enable Enables or disables synchronizing proxy IP addresses. This option is disabled by default.
peerpips disable|enable Enables or disables synchronizing the peer proxy IP addresses. Peer proxy IP addresses are used in VRRP Active/Active configuration. This option is disabled by default.
To synchronize the configuration between two switches, a peer must be configured and enabled on each switch. Switches being synchronized must use the same administrator password.
Table 6-40 Peer Switch Configuration Menu Options (/cfg/slb/sync/peer)
Command Syntax and Usage
addr <IP address> Sets the peer switch IP address. The default is 0.0.0.0.
ena Enables the peer for this switch. By default, this option is disabled.
dis Disables the peer for this switch.
/cfg/slb/adv/synatk
SYN Attack Detection Configuration Menu
[SYN Attack Detection Menu]
intrval - Set SYN attack detection interval
thrshld - Set SYN attack alarm threshold
cur - Display current SYN attack detection configuration
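The following Python is an added example, not code from the Nortel manual or the switch, illustrating how the two settings above interact: connection attempts are counted per detection interval (intrval) and an alarm is raised once the count in an interval reaches the threshold (thrshld), at most once per interval. What the switch counts is not stated on the page; this example counts TCP packets with SYN set and ACK clear, which is an assumption, and the packet trace is constructed.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple


@dataclass
class SynAttackDetector:
    """Counts new connection attempts per interval and alarms when the
    count reaches the threshold (models intrval and thrshld)."""
    interval: float                 # detection interval in seconds (intrval)
    threshold: int                  # alarm when SYNs in one interval reach this (thrshld)
    window_start: Optional[float] = None
    syn_count: int = 0
    alarms: List[float] = field(default_factory=list)

    def observe(self, ts: float, syn: bool, ack: bool) -> bool:
        """Feed one TCP packet; returns True if this packet raised an alarm."""
        if self.window_start is None or ts - self.window_start >= self.interval:
            # A new interval begins: reset the counter so that at most one
            # alarm is raised per interval.
            self.window_start = ts
            self.syn_count = 0
        if not (syn and not ack):
            return False            # only bare SYNs count (assumption)
        self.syn_count += 1
        if self.syn_count == self.threshold:
            self.alarms.append(ts)
            return True
        return False


def alarm_times(packets: Iterable[Tuple[float, bool, bool]],
                interval: float, threshold: int) -> List[float]:
    """Run the detector over (timestamp, syn, ack) tuples; return alarm times."""
    detector = SynAttackDetector(interval, threshold)
    for ts, syn, ack in packets:
        detector.observe(ts, syn, ack)
    return detector.alarms


# Constructed trace: six bare SYNs within half a second, one SYN/ACK, then
# a single new attempt five seconds later.
SAMPLE_TRACE = [
    (0.0, True, False), (0.1, True, False), (0.2, True, False),
    (0.3, True, False), (0.4, True, False), (0.5, True, False),
    (0.6, True, True), (5.0, True, False), (5.1, False, True),
]
```

With interval 2 and threshold 5 the burst trips the alarm on the fifth SYN and the later lone SYN, falling in a fresh interval, does not; lowering the threshold moves the alarm earlier in the burst, which is the trade-off the two options expose.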
/cfg/slb/adv/smtport
Advanced SMT Real Server Port Configuration Menu
[SMT Real Port Menu]
add - Add real port
remove - Remove real port
cur - Display real port configuration
Table 6-43 Advanced SMT Real Server Port Menu Options (/cfg/slb/adv/smtport)
Command Syntax and Usage
add <real server port (2-65534)> This command allows you to add a service port to the real server that is configured to process client traffic bypassing the server processor.
remove <real server port (2-65534)> This command allows you to remove a service port from the real server that is configured to process client traffic bypassing the server processor.
cur Displays real port configuration.
/cfg/slb/linklb
Inbound Link Load Balancing configuration Menu
[Inbound Linklb Menu]
drecord - Domain Record Menu
group - Set real server group
ttl - Set Time to Live of DNS resource records
ena - Enable Inbound Linklb
dis - Disable Inbound Linklb
cur - Display current Inbound Linklb configuration
Table 6-44 Inbound Link Load Balancing Configuration Menu Options (/cfg/slb/linklb)
Command Syntax and Usage
drecord <domain record number (1-64)> Displays domain record menu. To view menu options, see page 480.
group <real server group number (1-1023)> Sets the real server ISP group number.
ttl <time to live in seconds (0-65535)> Sets the time-to-live for DNS resource records.
ena Enables inbound link load balancing.
dis Disables inbound link load balancing.
cur Displays current inbound link load configuration.
/cfg/slb/linklb/drecord
Inbound Link Load Balancing Domain Record Menu
[Domain Record <domain_number> Menu]
entry - Virt Real Mapping Menu
domain - Set Domain Name
ena - Enable Domain Record
dis - Disable Domain Record
del - Delete Domain Record
cur - Display current Domain Record configuration
Table 6-45 Inbound Link Load Balancing Domain Record Menu Options (/cfg/slb/linklb/drecord)
Command Syntax and Usage
entry <linklb entry number (1-8)> Displays the link load balancer's mapping menu for the virtual and real servers. See page 447 to view menu options.
domain <64 character domain name>|none Allows you to configure the domain name. Default is none.
ena Enables the domain records.
dis Disables the domain records.
del Deletes the domain records.
cur Displays the current domain records.
/cfg/slb/linklb/drecord/entry
Inbound Link Load Balancing Mapping Menu
[Virt Real Mapping 1 Menu]
virt - Set Virtual Server Number
real - Set Real Server Number
ena - Enable Entry
dis - Disable Entry
del - Delete Entry
cur - Display current Entry configuration
Table 6-46
Command Syntax and Usage
virt <virtual server number, 1-1024> Defines the virtual server number for mapping.
real Defines the real server number for mapping.
ena Enables the entry for drecords.
dis Disables the entry for drecords.
del Deletes the entry for drecords.
cur Displays the current real and virtual server mappings for drecords entries.
/cfg/slb/advhc
Advanced Health Check Configuration Menu
[Layer 4 Advanced Health Check Menu]
script - Scriptable Health Check Menu
snmphc - SNMP Health Check Menu
waphc - WAP Health Check Menu
aphttp - Enable/disable Allow HTTP Health Check on any port
ldapver - LDAP version
secret - Set RADIUS secret
minter - Set interval of response and bandwidth metric updates
cur - Display current Layer 4 advanced health check configuration
/cfg/slb/advhc/snmphc
SNMP Health Check Configuration
[SNMP Health Check 1 Menu]
oid - OID to be sent in the SNMP request packet
comm - Community string used in the SNMP request packet
rcvcnt - Expected value in the SNMP response packet
invert - Enable/disable inversion of expected value
weight - Enable/disable readjusting of weights based on response
del - Delete SNMP health check
cur - Display current SNMP health check configuration
/cfg/slb/advhc/waphc
WAP Health Check Configuration
Wireless Session Protocol (WSP) is used within the Wireless Application Protocol (WAP) suite to manage sessions between wireless devices and WAP content servers or WAP gateways. The Nortel Application Switch Operating System provides a content-based health check mechanism where customized WSP packets are sent to the WAP gateways, and the switch verifies the expected response, in a manner similar to scriptable health checks. WSP content health checks can be configured in two modes: connectionless and connection-oriented. Connectionless WSP runs on the UDP/IP protocol, ports 9200 and 9202, and connection-oriented (WTP) traffic runs on ports 9201 and 9203. Application switches can be used to load balance the gateways in both modes of operation. The Nortel Application Switch Operating System allows you to configure three WAP gateway health check types for all four WAP services (WSP, WTP+WSP, WTLS+WSP, WTLS+WTP+WSP) deployed on WAP gateways/servers. For further details, refer to the Application Guide.
[WAP Health Check Menu]
wspcnt - WSP Health Check Content Menu
wtpcnt - WTP+WSP Health Check Content Menu
wspport - WSP port number to health check
wtpport - WTP port number to health check
wtlswsp - WTLS+WSP port number to health check
wtlsprt - WTLS port number to health check
couple - Enable/disable coupling with RADIUS Accounting Service
cur - Display current WAP health check configuration
/cfg/slb/advhc/waphc/wspcnt
WSP Content Health Check
[WSP Health Check Content Menu]
offset - Offset in received WSP packet
sndcnt - Content to be sent to the WAP gateway
rcvcnt - Content to be received from the WAP gateway
cur - Display current WSP health check content configuration
/cfg/slb/advhc/waphc/wtpcnt
WTP and WSP Content Health Check Menu
This menu is used for configuring the health check for connection-oriented unencrypted WAP traffic.
[WTP+WSP Health Check Content Menu]
offset - Offset in received WSP PDU
connect - CONNECT PDU to be sent to the
sndcnt - GET PDU to be sent to the WAP
rcvcnt - REPLY PDU to be received from
cur - Display current WTP+WSP health
Table 6-52 WTP and WSP Content Health Check Menu Options (/cfg/slb/advhc/waphc/wtpcnt)
Command Syntax and Usage
offset <offset in the received WSP PDU> Enter the offset value content of the received WSP packets. The offset value is the number of bytes from the beginning of the WSP PDU, at which the comparison begins to match with the expected receive content. An offset value of 0 (default) sets the switch to start comparisons from the beginning of the WSP PDU of the received packet.
connect <connect content as hexstring> Enter the content for the first switch-generated WSP session packet. This command allows you to customize the headers in the connect message.
sndcnt <send content as hexadecimal string> Enter a hexadecimal string that represents a WSP request to a WSP gateway. This string will be delivered to the WSP gateway.
rcvcnt <receive content as a hexadecimal string> Enter a hexadecimal string that represents the content that the switch expects to receive from the WSP gateway.
cur Displays current WTP+WSP health check content configuration.
/cfg/slb/pip
Proxy IP Address Configuration Menu
You need to enable proxy IP address processing on the port to use this command. You can configure multiple proxy IP addresses based on either port or VLAN. You can configure up to 1024 proxy IP addresses on a per switch basis.
[Proxy IP Address Menu]
type - Set base type of Proxy IP address
add - Add port or VLAN to Proxy IP address
add6 - Add port or VLAN to IPv6 Proxy IP address
rem - Remove port or VLAN from Proxy IP address
cur - Display current Proxy IP address configuration
/cfg/slb/peerpip
SLB Peer Proxy IP Address Menu
When this command is enabled, the switch is able to forward traffic from the other switch, using Layer 2, without performing server processing on the packets of the other switch. This happens because the peer switches are aware of each other's proxy IP addresses. This prevents a packet from being dropped or sent to the backup switch in the absence of the proxy IP address of the peer switch.
[Peer Proxy IP Address Menu]
add - Add peer Proxy IP address
rem - Rem peer Proxy IP address
cur - Display current peer Proxy IP address configuration
/cfg/slb/wlm
WorkLoad Management Menu
[Workload Manager 1 Menu]
addr - Set IP address for Workload Manager
port - Set port for Workload Manager
del - Delete Workload Manager
cur - Display current Workload Manager configuration
CHAPTER 7
The commands of the Operations Menu enable you to alter switch operational characteristics without affecting switch configuration. Port Mirroring menu options are accessible only to the Nortel Application Switch AD4 and Nortel Application Switch 184 Web Switches.
320506-C Rev. 02, Feb 2007
Operations-level port options are used for temporarily disabling or enabling a port, and for changing Remote Monitoring (RMON) status on a port.
Table 7-2 Operations-Level Port Menu Options (/oper/port)
Command Syntax and Usage
rmon disable|enable Temporarily enables/disables Remote Monitoring on the port. The port will be returned to its configured operation mode when the switch is reset.
ena Temporarily enables the port. The port will be returned to its configured operation mode when the switch is reset.
dis Temporarily disables the port. The port will be returned to its configured operation mode when the switch is reset.
cur Displays the current settings for the port.
When the optional Layer 4 software is enabled, the operations-level Server Load Balancing options are used for temporarily disabling or enabling real servers and synchronizing the configuration between the active/active switches.
Table 7-3 Server Load Balancing Operations Menu Options (/oper/slb)
Command Syntax and Usage
group <real server group number (1-1024)> Displays the Real Server Group Menu. To view menu options, see page 499.
gslb Displays Global SLB Operations Menu. To view menu options, see page 500.
sync Synchronizes the SLB, filter, VRRP, port, Bandwidth Management configuration, and VR priorities on a peer switch (a switch that owns the IP address). To take effect, peers must be configured on the Nortel Application Switch and the administrator password on the switch must be identical.
ena <real server number (1-1023)> Temporarily enables a real server. The real server will be returned to its configured operation mode when the switch is reset.
NOTE This command provides for orderly server shutdown to allow maintenance on a server. For more information, see Disabling and Enabling Real Servers in the Nortel Application Switch Operating System 23.1 Application Guide.
sessdel Deletes a session table entry.
clear Clears all session tables and allows port filter changes to take effect immediately.
NOTE This command disrupts current SLB and Application Redirection sessions.
cur Displays the current SLB operational state.
/oper/slb/group
Real Server Group Operations
[Real server group 1 Menu]
ena - Enable real server in this group
dis - Disable real server in this group
cur - Current server group operational state
/oper/slb/gslb
Global SLB Operations Menu
[Global SLB Operations Menu]
query - Query Global SLB selection
add - Add entry to Global SLB DNS persistence cache
arem - Remove all entries Global SLB DNS persistence cache
avpersis - Enable/Disable GSLB availability persistence for virtual server
/oper/bwm
Operations-Level Bandwidth Management Options
[Bandwidth Management Operations Menu]
sndhist - Send BW History to SMTP server
clear - Clear BWM IP user entry table
/oper/security
Security Menu
[Security Menu]
ipacl - IP ACL Operations Menu
/oper/security/ipacl
IP ACL Operations Menu
[IP ACL Operations Menu]
add - Add operations source IP Address/Mask
rem - Remove operations source IP Address/Mask
arem - Remove all operations source IP Address/Mask
dadd - Add operations destination IP Address/Mask
drem - Remove operations destination IP Address/Mask
darem - Remove all operations destination IP Address/Mask
cfg - Display configuration IP Address/Mask
bogon - Display bogon IP Address/Mask
oper - Display operations IP Address/Mask
cur - Display all IP Address/Mask
/oper/ip/bgp
Operations-Level BGP Options
[Border Gateway Protocol Operations Menu]
start - Start peer session
stop - Stop peer session
cur - Current BGP operational state
3.
4. When prompted, enter your 16-digit software key code. For example:
Enter Software Key: <16 hexadecimal-digit key to enable software feature (such as, 123456789ABCDEF)>
If the correct code is entered, you will see the following message:
Valid software key entered. Software feature enabled.
When prompted, enter the code for software to be removed. For example:
Enter Software Feature to be removed:[GSLB]|BWM|Security: GSLB
CHAPTER 8
/boot/sched
Scheduled Reboot Menu
[Boot Schedule Menu]
set - Set switch reset time
cancel - Cancel pending switch reset
cur - Display current switch reset schedule
The cur option displays the current scheduled reboot time. For example:
>> Boot Schedule# cur
Currently scheduled reboot time: none
2.
3.
4. The exact form of the name will vary by TFTP server. However, the file location is normally relative to the TFTP directory (usually /tftpboot).
5. The system prompts you to confirm your request. You should next select a software image to run, as described below.
2. Enter the name of the image you want the switch to use upon the next boot. The system informs you of which image is currently set to be loaded at the next reset, and prompts you to enter a new choice:
Currently set to use switch software "image1" on next reset.
Specify new image to use on next reset ["image1"/"image2"]:
2. The system prompts you for information. Enter the desired image:
Enter name of switch software image to be uploaded ["image1"|"image2"|"boot"]: <image> <hostname or server-IP-addr> <server-file-name>
3.
4. Enter the name of the file into which the image will be uploaded on the TFTP server:
Enter name of file on TFTP server: <filename>
5. The system then requests confirmation of what you have entered. To have the file uploaded, enter Y.
image2 currently contains Software Version 20.2.0.7
Upload will transfer image2 (1889411 bytes) to file "test" on TFTP server 192.1.1.1.
Confirm upload operation [y/n]: y
2. Enter the name of the configuration block you want the switch to use. The system informs you of which configuration block is currently set to be loaded at the next reset, and prompts you to enter a new choice:
Currently set to use active configuration block on next reset.
Specify new block to use ["active"/"backup"/"factory"]:
2. At the prompt, enter either ena to enable the functionality or dis to disable it.
Current state of Global Symantec feature is Disabled
Globally [ena|dis] Symantec feature (requires a switch reset): ena
3. The switch will now prompt for confirmation of the necessary switch reset. Typing n at either of the prompts will cause the process to abort.
Confirm Globally enable Symantec feature (requires a switch reset) [y/n]: y
Reset will use software "image1" and the active config block.
>> Note that this will RESTART the Spanning Tree,
>> which will likely cause an interruption in network service.
Confirm reset [y/n]: y
The switch will now reset and either enable or disable the functionality globally. Performing this procedure will also determine what memory profile the switch is running. For more information about memory profiles, refer to Chapter 21, Symantec Intelligent Network Protection, of the Nortel Application Switch Operating System 23.2 Application Guide (Part Number 320507-C).
CHAPTER 9
Dump information contains internal switch state data that is written to flash memory on the Nortel Application Switch after any one of the following occurs:
The switch administrator forces a switch panic. The panic option, found in the Maintenance Menu, causes the switch to dump state information to flash memory, and then causes the switch to reboot.
The switch administrator enters the switch reset key combination on a device that is attached to the console port. The switch reset key combination is <Shift><Ctrl><->.
The watchdog timer forces a switch reset. The purpose of the watchdog timer is to reboot the switch if the switch software freezes.
The switch detects a hardware or software problem that requires a reboot.
Table 9-1 Maintenance Menu Options (/maint)
Command Syntax and Usage
sys Displays the System Maintenance Menu. To view menu options, see page 518.
fdb Displays the Forwarding Database Manipulation Menu. To view menu options, see page 518.
arp Displays the ARP Cache Manipulation Menu. To view menu options, see page 519.
route Displays the IP Route Manipulation Menu. To view menu options, see page 521.
ip6 Displays the IPv6 Manipulation Menu. To view menu options, see page 522.
debug Displays the Debugging Menu. To view menu options, see page 523.
uudmp Displays dump information in uuencoded format. For details, see page 524.
ptdmp hostname filename [-mgmt|-data] Saves the system dump information using TFTP. For details, see page 525.
cldmp Clears dump information from flash memory. For details, see page 525.
lsdmp Displays the list of flash dumps. For details, see page 526.
panic Dumps MP information to FLASH and reboots. For details, see page 526.
tsdmp Dumps all Nortel Application Switch information, statistics, and configuration. You can log the tsdump output into a file, and send it to Nortel Networks Tech Support for debugging purposes. For details, see page 527.
The Forwarding Database Manipulation Menu can be used to view information and to delete a MAC address from the forwarding database or clear the entire forwarding database. This is helpful in identifying problems associated with MAC address learning and packet forwarding decisions.
NOTE To display all ARP entries currently held in the switch, or a portion according to one of the options listed on the menu above (find, port, vlan, refpt, dump), you can also refer to ARP Information on page 92.
NOTE To display all routes, you can also refer to IP Routing Information on page 88.
The Miscellaneous Debug Menu displays trace buffer information about events that can be helpful in understanding switch operation. You can view the following information using the debug menu:
- Events traced by the Management Processor (MP)
- Events traced by the Switch Processor (SP)
- Events traced to a buffer area when a reset occurs
If the switch resets for any reason, the MP trace buffer and SP trace buffers are saved into the snap trace buffer area. The output from these commands can be interpreted by the Nortel Networks Customer Support division.
Table 9-7 Miscellaneous Debug Menu Options (/maint/debug)
Command Syntax and Usage
tbuf  Displays the Management Processor trace buffer. Header information similar to the following is shown:
  MP trace buffer at 13:28:15 Fri May 25, 2001; mask: 0x2ffdf748
  The buffer information is displayed after the header.
sptb <port number (1-4)>  Displays the Switch Processor trace buffer for the given port. Header information similar to the following is shown:
  SP 1 trace buffer at 10:56:35 Tue Jul 30, 2002; mask: 0x00800008
  The buffer information is displayed after the header.
spall  Displays all SP trace buffers. A header in the same form as for sptb is shown before each buffer's information.
clrcfg  Deletes all flash configuration blocks.
The dump information is displayed on your screen and, if you have configured your communication software to do so, captured to a file. If there is a dump available, the system prompts as follows:
>> Maintenance# uu
Enter region to dump [main/bkp]: main
Dumping main region: Use 'ptdmp' to extract panic dumps.
Confirm proceed with large dump (15000 lines) [y/n]:
Where server is the TFTP or FTP server IP address or hostname, and filename is the target dump file.
The switch clears the dump region of flash memory and displays the following message:
FLASH dump region cleared.
If the flash dump region is already clear, the switch displays the following message:
FLASH dump region is already clear.
/maint/lsdmp
Use the /maint/lsdmp command to view dump statistics. For example:
>> Maintenance# lsdmp
The main dump was saved at 8:12:58 Fri Jun 3, 2005.
A backup dump was saved at 14:47:31 Mon Jun 20, 2005.
/maint/tsdmp
Use the /maint/tsdmp command to dump all dump information that can be used for technical support. For example:
>> Maintenance# tsdmp Confirm dumping all information, statistics, and configuration [y/n]:
/maint/pttsdmp
Use the /maint/pttsdmp command to upload a technical support dump using an FTP or TFTP connection. The dump was performed earlier using the /maint/tsdmp command. For example:
>> Maintenance# ? pttsdmp
Usage: pttsdmp <hostname> <filename> <-tftp|username password> [mgmt|-data]
>> Maintenance# pttsdmp
Enter hostname or IP address of FTP/TFTP server: 0.0.0.0
Enter name of file on FTP/TFTP server: dump.txt
Enter username for FTP server or hit return for TFTP server: username
Enter password for username on FTP server:
Connecting to 0.0.0.0...
.
.
/maint/sslrst
Use the /maint/sslrst command to reset the switch SSL card.
CHAPTER 10
NOTE Help information on specific commands uses the command help, and not the ? symbol used at other directory levels. The command must also be spelled out in full. For example, to request help on the diff command enter:
SSL >> Main# help diff
Show any pending configuration changes.
ipsec [<vpnid> [<prefix>]]  Show the number of IPSEC users logged in. For example:
  Number of active ipsec sessions for all VPNs: 0
ippool [<vpnid>]  Displays the IP pool allocations.
local  Displays the current software version, iSD hardware platform, up time (since last boot), IP address, and Ethernet MAC address for the particular iSD host to which you have connected. If you have connected to the MIP address, the information displayed relates to the iSD host in the cluster that currently is in control of the MIP. For example:
  SSL >> Information# local
  Alteon iSD SSL
  Hardware platform: 2424S
  Software version: 5.0.0.34
  Up time: 11 days 1 hour 52 minutes
  IP address: 10.10.10.71
  MAC address: 00:01:81:2e:bc:6f
ethernet  Displays statistics for the Ethernet network interface card (NIC) on the particular iSD host to which you have connected. If you have connected to the MIP address, the information displayed relates to the iSD host in the cluster that currently is in control of the MIP. If more than one network is configured in the cluster, Ethernet statistics for each network are displayed.
  RX packets: the total number of received packets
  TX packets: the total number of transmitted packets
  errors: packets lost due to error
  dropped: error due to lack of resources
  overruns: error due to lack of resources
  frame: error due to malformed packets
  carrier: error due to lack of carrier
  collisions: number of packet collisions
  Note: A non-zero collision value may indicate an incorrect configuration of the Ethernet autonegotiation.
  For example:
  I/f 1: RX packets:3438 errors:0 dropped:0 overruns:0 frame:0
  I/f 1: TX packets:2738 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
  I/f 1: RX bytes:220060 (214.9 Kb) TX bytes:205486 (200.6 Kb)
/ssl/info/events
SSL Performance Menu
[Events Menu]
alarms - List all pending alarms
download - Dump the event log file to a TFTP/FTP/SFTP server
/ssl/stats/sslstats
SSL Performance Menu
[SSL stats Menu]
vpn - Cluster SSL VPN statistics
server - Cluster SSL Server statistics
local - Local statistics for each isdhost
clear - Clear all statistics for all IPs
activesess - Number of currently active request sessions
totalsess - Total completed request sessions
sslaccept - Total completed SSL accept
sslconnect - Total completed SSL connect
tpshisto - Cluster-wide TPS histograms for all servers
clihisto - Cluster-wide client data histograms for all servers
srvhisto - Cluster-wide server data histograms for all servers
/ssl/stats/sslstats/local
SSL Performance SSL Local Statistics Menu
[Local SSL Statistics Menu]
isdhost - ISD local SSL server statistics menu
overview - Overview of isdhost local statistics
tpshisto - ISD local TPS histograms for all servers/ISDs
clihisto - ISD local client byte/s histos for all servers/ISDs
srvhisto - ISD local server data byte/s histos for all servers/ISDs
license - ISD local license statistics
dump - Dump all information
/ssl/stats/sslstats/local/isdhost
SSL Performance: Single ISD SSL Statistics Menu
[Single ISD SSL Stats 1 Menu]
server - ISD local SSL server stats
tpshisto - ISD local TPS histograms for all servers
clihisto - ISD local client byte/s histograms for all servers
srvhisto - ISD local server byte/s histograms for all servers
dump - Dump all information
Table 10-7 SSL Performance: Single ISD SSL Statistics Menu Options
Command Syntax and Usage
server  Displays statistics for the local ISD SSL server.
tpshisto  Displays ISD local TPS histograms for all servers.
clihisto  Displays ISD local client data histograms for all servers.
srvhisto  Displays ISD local server histograms for all servers.
dump  Displays all statistical information.
/ssl/stats/ipsec/local
SSL Performance: Local IPSEC Statistics Menu
[Local IPSEC Statistics Menu]
isdhost - ISD local IPSEC server statistics menu
sesshisto - ISD local ipsec session histograms for all VPNs/ISDs
enchisto - ISD local ipsec encrypt histograms for all VPNs/ISDs
dechisto - ISD local ipsec decrypt histograms for all VPNs/ISDs
dump - Dump all information
/ssl/stats/ipsec/local/isdhost
SSL Performance: Single IPSEC ISD Statistics Menu
[Single ISD IPSEC Stats 1 Menu]
vpn - ISD local IPSEC server stats
activesess - Locally active ipsec sessions all VPNs
totalsess - Locally total ipsec sessions all VPNs
failedsess - Locally failed ipsec sessions, all VPNs
enctot - Locally total ipsec encoded kBytes all VPNs
enc - Locally ipsec encoded kB/sec last minute all VPNs
dectot - Locally total ipsec decoded kBytes all VPNs
dec - Locally ipsec decoded kB/sec last minute all VPNs
sesshisto - ISD local ipsec sess histograms for all VPNs
enchisto - ISD local ipsec encrypt histograms for all VPNs
dechisto - ISD local ipsec decrypt histograms for all VPNs
dump - Dump all information
Table 10-10 SSL Performance: Single IPSEC ISD Statistics Menu Options
Command Syntax and Usage
vpn <VPN_number>  Display the ISD local IPSEC server statistics.
activesess  Display the locally active IPSEC sessions for all VPNs.
totalsess  Display the total of locally active IPSEC sessions for all VPNs.
failedsess  Display the failed IPSEC sessions for all VPNs.
enctot  Display the total kBytes encoded for all VPNs.
enc  Display the locally encoded kBytes for all VPNs.
dectot  Display the total kBytes decoded for all VPNs.
dec  Display the locally decoded kBytes for all VPNs.
sesshisto  Display the ISD local IPSEC session histograms for all VPNs.
enchisto  Display the ISD local IPSEC encrypted histograms for all VPNs.
Table 10-10 SSL Performance: Single IPSEC ISD Statistics Menu Options (Continued)
Command Syntax and Usage
dechisto  Display the ISD local ipsec decrypt histograms for all VPNs.
dump  Display all ISD statistics.
/ssl/stats/aaa
AAA Statistics Menu
[AAA Statistics Menu]
total - Cluster-wide authentication statistics (per VPN)
isdhost - ISD local authentication statistics (per VPN)
dump - Dump all information
/ssl/cfg
SSL Performance Configuration Menu
[Configuration Menu]
ssl - SSL offload menu
cert - Certificate menu
vpn - VPN menu
test - Create test vpn, portal and certificate
quick - Quick vpn setup wizard
sys - System-wide parameter menu
lang - Language support
ptcfg - Backup configuration to TFTP/FTP/SCP/SFTP server
gtcfg - Restore configuration from TFTP/FTP/SCP/SFTP server
dump - Dump configuration on screen for copy-and-paste
NOTE Note 1: If you have fully separated the Administrator user role from the Certificate Administrator user role, the export passphrase defined by the certificate administrator is used to protect the private keys in the configuration - transparently to the user. When a configuration backup is restored by using the gtcfg command, the certificate administrator must enter the correct passphrase.
NOTE Note 2: When using the ptcfg command on an iSD310-SSL FIPS, private keys are encrypted using the wrap key that was generated when the first HSM card in the cluster was initialized.
gtcfg Restores a configuration, including private keys and certificates, from a TFTP server. You need to provide the password phrase you specified when saving the configuration to the TFTP server.
NOTE Note: If you have fully separated the Administrator user role from the Certificate Administrator user role (by removing the admin user from the certadmin group), the certificate administrator must enter the passphrase that was defined by him or her using the /cfg/sys/user/caphrase command.
dump Display the configuration on-screen for a copy and paste operation.
/ssl/cfg/ssl
SSL Server Menu
[SSL Menu]
server - SSL server menu
test - Create test server and certificate
quick - Quick server setup wizard
/ssl/cfg/ssl/server
SSL Server-specific Menu
[Server 1 Menu]
name - Set server name
vips - Set IP addr(s) of server
standalone - Set standalone mode
port - Set listen port of server
rip - Set real server IP addr
rport - Set real server port
type - Set type (generic/http/socks)
proxy - Set transparent proxy mode (on/off)
trace - Traffic trace menu
ssl - SSL settings menu
tcp - TCP endpoint settings menu
adv - Advanced settings menu
del - Remove virtual server
ena - Enable virtual server
dis - Disable virtual server
/ssl/cfg/ssl/server/trace
SSL Server-specific Trace Menu
[Trace Menu]
ssldump - Create traffic dump
tcpdump - Create traffic dump
ping - Ping through backend interface
dnslookup - Lookup a name in DNS through backend interface
traceroute - traceroute through backend interface
/ssl/cfg/ssl/server/ssl
SSL Server-specific SSL Menu
[SSL Settings Menu]
cert - Set server certificate
cachesize - Set SSL cache size
cachettl - Set SSL cache timeout
cacerts - Set list of accepted signers of client certificates
cachain - Set list of CA chain certificates
protocol - Set protocol version
verify - Set certificate verification level
ciphers - Set cipher list
ena - Enable SSL
dis - Disable SSL
/ssl/cfg/ssl/server/tcp
SSL Server-specific TCP Menu
[TCP Settings Menu]
cwrite - Set client TCP write timeout
ckeep - Set client TCP keep alive timeout
swrite - Set server TCP write timeout
sconnect - Set server TCP connect timeout
csendbuf - Set client TCP send buffer size
crecbuf - Set client TCP receive buffer size
ssendbuf - Set server TCP send buffer size
srecbuf - Set server TCP receive buffer size
/ssl/cfg/ssl/server/adv
SSL Server-specific Advanced Menu
[Advanced Settings Menu]
string - String menu
blockstrin - Set strings to block
loadbalanc - Load balancing menu
sslconnect - SSL connect menu
/ssl/cfg/ssl/server/adv/string
SSL Server Advanced String Menu
[LB String 1 Menu]
match - Set string to match
location - Set locations to perform the match in
icase - Set ignore case in to match
negate - Set negate the result of the match
del - Remove string
/ssl/cfg/ssl/server/adv/loadbalanc
SSL Server Advanced Load Balancing Menu
[Load Balancing Settings Menu]
type - Set load balancing type
persistenc - Set persistence strategy
cookie - Cookie settings menu
metric - Set load balancing metric
health - Set health check type
script - Health check script menu
interval - Set health check interval (s)
remotessl - Remote SSL connect menu
backend - Backend servers menu
ena - Enable load balancing
dis - Disable load balancing
Table 10-20 SSL Configuration Server Advanced Load Balancing Menu Options
Command Syntax and Usage
type all|<string>  Set the load balancing type.
persistenc none|cookie|session  Set the persistence strategy.
cookie  Go to the Cookie settings menu. To view the menu options, see page 556. Note that this menu is accessible only when persistenc is set to cookie.
metric hash|roundrobin|leastconn  Set the load balancing metric.
health none|tcp|ssl|auto|script  Set the health check type.
script  Go to the health check script menu. To view the menu options, see page 558.
interval <integer>  Set the health check interval.
remotessl  Go to the Remote SSL connection menu. To view the menu options, see page 559.
backend  Go to the Backend Servers menu. To view the menu options, see page 561.
ena enable|disable  Enable load balancing.
Table 10-20 SSL Configuration Server Advanced Load Balancing Menu Options (Continued)
Command Syntax and Usage
dis enable|disable  Disable load balancing.
/ssl/cfg/ssl/server/adv/loadbalanc/cookie
SSL Server Advanced Load Balancing Cookie Menu
[Cookie Settings Menu]
mode - Set cookie mode
name - Set cookie name
domain - Set cookie domain
expires - Set cookie expires
expiresdel - Set cookie expires delta
localvips - Configure other local VIPs
offset - Set cookie value offset
length - Set cookie value length
Table 10-21 SSL Configuration Server Advanced Load Balancing Cookie Menu Options
Command Syntax and Usage
mode insert|passive|rewrite  Sets the cookie load balancing mode.
name <cookie_name>  Sets the cookie name.
domain <domain_name>  Sets the cookie domain name.
expires <date_time>  Sets the cookie expiration date and time.
expiresdel <0(session)-2147483647>  Sets the cookie expiration delta value.
localvips  Opens the Local VIPs menu. For more information on this menu refer to page 558.
offset <1-64>  Sets the cookie value offset.
Table 10-21 SSL Configuration Server Advanced Load Balancing Cookie Menu Options (Continued)
Command Syntax and Usage
length <0-64>  Sets the cookie length.
/ssl/cfg/ssl/server/adv/loadbalanc/cookie/localvips
Local VIP Menu
[Local VIPs Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
/ssl/cfg/ssl/server/adv/loadbalanc/script
SSL Server Advanced Load Balancing Health Script Menu
[Health Check Script Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 10-23 SSL Configuration Server Advanced Load Balancing Health Script Menu Options
Command Syntax and Usage
list  Display all values.
del <index>  Delete a specific value.
add <command> <timeout> <argument>  Add a new health script.
insert <position> <command> <timeout> <argument>  Insert a new value.
move <value> <value>  Exchange one value for another.
/ssl/cfg/ssl/server/adv/loadbalanc/remotessl
SSL Server Advanced Load Balancing Remote SSL Menu
[Remote SSL Connect Settings Menu]
protocol - Set protocol version
cert - Set client certificate
ciphers - Set accepted ciphers for ssl connect
verify - Verify server menu
Table 10-24 SSL Configuration Server Advanced Load Balancing Remote SSL Menu Options
Command Syntax and Usage
protocol ssl2|ssl3|ssl23|tls1  Set the protocol version.
cert <integer, 1 to 1500>  Set the certificate number.
Table 10-24 SSL Configuration Server Advanced Load Balancing Remote SSL Menu Options (Continued)
Command Syntax and Usage
ciphers <string>  Set the accepted ciphers for the SSL connection. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g. SHA1+DES represents all cipher suites containing both the SHA1 and the DES algorithms). Each cipher string can optionally be preceded by the characters !, - or +:
  !  permanently deletes the ciphers from the list (e.g. !RSA); later strings cannot add them back.
  -  deletes the ciphers from the list, but the ciphers can be added again by later options.
  +  moves the ciphers to the end of the list. This option does not add any new ciphers; it just moves matching existing ones.
  Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.
verify  Go to the Verify Server menu. To view the menu options, see page 560.
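The operator semantics above are easy to get wrong when reviewing a switch configuration (a "-" that a later string silently re-adds, a "+" that is expected to enable something but only reorders). The following added example, which is not Nortel code and not the switch's own cipher table, applies the documented rules to a small constructed suite catalogue whose keywords follow the OpenSSL naming style, and then lists the suites a reviewer would want to question (NULL, DES, RC4, export or sub-128-bit keys). The catalogue, the keyword set and the WEAK_KEYWORDS list are assumptions made for the illustration.

```python
"""Evaluator for the colon-separated cipher-string syntax used by the ciphers
command.  Added illustration, not Nortel code: it applies the documented
operators (':' separated strings, '+' inside a string as logical AND, leading
'!', '-' and '+', and '@STRENGTH') to a constructed suite catalogue and then
flags suites a defender would not want left enabled."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    tags: frozenset   # algorithm and protocol keywords the suite matches
    bits: int         # symmetric key length used for @STRENGTH ordering


# Constructed sample catalogue (assumption); keywords follow OpenSSL style,
# not the switch's own table, which the manual does not reproduce.
CATALOGUE = [
    Suite("AES256-SHA",   frozenset({"RSA", "AES", "SHA1", "SSLv3", "TLSv1", "HIGH"}), 256),
    Suite("AES128-SHA",   frozenset({"RSA", "AES", "SHA1", "SSLv3", "TLSv1", "HIGH"}), 128),
    Suite("DES-CBC3-SHA", frozenset({"RSA", "3DES", "SHA1", "SSLv3", "TLSv1", "HIGH"}), 168),
    Suite("RC4-SHA",      frozenset({"RSA", "RC4", "SHA1", "SSLv3", "TLSv1", "MEDIUM"}), 128),
    Suite("DES-CBC-SHA",  frozenset({"RSA", "DES", "SHA1", "SSLv3", "TLSv1", "LOW"}), 56),
    Suite("NULL-SHA",     frozenset({"RSA", "NULL", "SHA1", "SSLv3", "TLSv1", "eNULL"}), 0),
]


def matches(suite, spec):
    """'SHA1+DES' matches only suites carrying every keyword (logical AND)."""
    return all(keyword in suite.tags for keyword in spec.split("+"))


def evaluate(cipher_string, catalogue=CATALOGUE):
    """Return the ordered list of suite names selected by cipher_string."""
    ordered = []      # current cipher list, in order
    killed = set()    # names removed with '!': later strings cannot re-add them
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token:
            continue
        if token == "@STRENGTH":
            # Stable sort by key length, strongest first
            ordered.sort(key=lambda s: s.bits, reverse=True)
            continue
        op, spec = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [s for s in catalogue if matches(s, spec)]
        if op == "!":
            killed.update(s.name for s in hits)
            ordered = [s for s in ordered if s.name not in killed]
        elif op == "-":
            # Deleted now, but a later plain string may add them back
            ordered = [s for s in ordered if s not in hits]
        elif op == "+":
            # Move matching existing suites to the end; adds nothing new
            ordered = [s for s in ordered if s not in hits] + [s for s in ordered if s in hits]
        else:
            for s in hits:
                if s.name not in killed and s not in ordered:
                    ordered.append(s)
    return [s.name for s in ordered]


# Keywords a configuration review should question (assumption for the example)
WEAK_KEYWORDS = {"NULL", "eNULL", "DES", "RC4", "EXPORT", "MD5", "LOW"}


def weak_suites(names, catalogue=CATALOGUE, min_bits=128):
    """Names from a selected list that use a weak algorithm or a short key."""
    by_name = {s.name: s for s in catalogue}
    return [n for n in names
            if by_name[n].bits < min_bits or by_name[n].tags & WEAK_KEYWORDS]


if __name__ == "__main__":
    selected = evaluate("SSLv3:!eNULL:-DES:+AES:@STRENGTH")
    print("selected:", selected)
    print("review:  ", weak_suites(selected))
```

Running the sample string selects every SSLv3-capable suite, permanently removes the NULL cipher, drops single DES, moves the AES suites to the end and then re-sorts by key length; weak_suites then singles out RC4-SHA as the remaining entry worth removing. Comparing evaluate("!DES:SSLv3") with evaluate("-DES:SSLv3") shows the difference between the two deletion operators: only the second one lets the later SSLv3 string bring DES-CBC-SHA back.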
/ssl/cfg/ssl/server/adv/loadbalanc/remotessl/verify
SSL Server Remote SSL Verification Menu
[Remote SSL Connect Verify Settings Menu]
verify - Set certificate verification level
commonname - Set server common name
cacerts - Set list of accepted signers of server's certificate
Table 10-25 SSL Configuration Server Advanced Load Balancing Remote SSL Verification Menu Options
Command Syntax and Usage
verify none|require  Set the certificate verification level.
commonname <name>  Set the server common name. For example:
  SSL >> Remote SSL Connect Verify Settings# commonname
  Current value: [old_server_name]
  Give common name of server: <new_server_name>
cacerts <integer_list>  Enter the certificate numbers, separated by commas.
/ssl/cfg/ssl/server/adv/loadbalanc/backend
SSL Server Backend Server Menu
[Backend Server 1 Menu]
ip - Set IP addr of backend server
port - Set backend server port
sslconnect - Set perform SSL connect if enabled for server
remote - Set server is remote
rname - Set host name of remote server
remotessl - Set remote site is ssl
lbstrings - Set load balancing strings
lbop - Set string load balancing operation
del - Remove backend server
ena - Enable backend server
dis - Disable backend server
Table 10-26 SSL Configuration Server Advanced Load Balancing Backend Server Menu Options
Command Syntax and Usage
ip <IP_address>  Set the IP address of the backend server.
port <port_number>  Set the backend server port number.
sslconnect on|off  Set the SSL connection option.
remote true|false  Set the server as remote, as required.
rname <hostname>  Set the hostname of the remote server.
remotessl true|false  Set the remote site as SSL.
lbstrings <integers>  Set the load balancing strings, separated by commas.
lbop any|all|one|none  Set the string load balancing operation.
del  Remove the backend server.
Table 10-26 SSL Configuration Server Advanced Load Balancing Backend Server Menu Options (Continued)
Command Syntax and Usage
ena enable|disable  Enable the backend server.
dis enable|disable  Disable the backend server.
/ssl/cfg/cert
SSL Certificate Menu
[Certificate 1 Menu]
name - Set certificate name
cert - Set certificate
key - Set private key
revoke - Revocation menu
genkey - Generate private key
gensigned - Generate signed client/server certificate
request - Generate certificate request
sign - Sign a certificate request
test - Generate test certificate and key
import - Import key and certificate with TFTP/FTP/SCP/SFTP
export - Export certificate and key with TFTP/FTP/SCP/SFTP
display - Display certificate and key
show - Show certificate information
info - Show certificate short information
subject - Show certificate subject information
validate - Check if key and certificate match
keysize - Show key size
keyinfo - Show how key is stored
del - Remove certificate
/ssl/cfg/cert/revoke
SSL Revoke Certificate Menu
[Revocation Menu]
add - Add decimal serial number to revocation list
addx - Add hex serial number to revocation list
del - Cancel revocation for a serial number
list - List revoked certificates
rev - Enter revocation list
import - Import revocation list with TFTP/FTP/SCP/SFTP
automatic - Automatic CRL retrieval menu
/ssl/cfg/cert/revoke/automatic
SSL Revoke Certificate Automatic Menu
[Automatic CRL Menu]
url - Set URL to retrieve CRL from
authDN - Set LDAP DN used for bind/authentication
passwd - Set password to use when authenticating
interval - Set refresh interval
cacerts - Set list of accepted signers of CRLs
ena - Enable automatic retrieval
dis - Disable automatic retrieval
/ssl/cfg/vpn
SSL VPN Configuration Menu
[VPN 1 Menu]
ips - Set IP addr(s) of the VPN
standalone - Set standalone mode (no switch)
aaa - AAA menu
server - SSL server menu
ipsec - IPsec server menu
ippool - IP address pool menu
portal - Portal look and feel menu
linkset - Portal linkset menu
sslclient - SSL VPN client menu
adv - Advanced settings menu
del - Remove VPN
/ssl/cfg/vpn/aaa
SSL VPN AAA Menu
[AAA Menu]
quick - AAA setup wizard
tg - TunnelGuard menu
ttl - Set login session TTL
auth - Authentication menu
authorder - Set authentication server fallback order
network - Network access menu
service - Service access menu
appspec - Application specific menu
filter - Client filter menu
group - Group menu
defgroup - Set default group
ssodomains - Single-Sign on enabled domains menu
ssoheaders - Single-Sign on headers menu
radacct - RADIUS accounting menu
/ssl/cfg/vpn/aaa/tg
SSL VPN TunnelGuard Menu
[TG Menu]
ena - Enable TunnelGuard
dis - Disable TunnelGuard
quick - Quick TunnelGuard setup wizard
recheck - Set recheck interval
action - Set fail action
retry - Set UDP retry interval
list - List SRS rules
loglevel - Set TunnelGuard applet loglevel
/ssl/cfg/vpn/aaa/auth
SSL VPN Authentication Menu
To enter the /ssl/cfg/vpn/aaa/auth menu level, you are prompted to create an authentication if one does not already exist.
Creating Authentication 1
Select one of radius, ldap, ntlm, siteminder, cert, rsa or local: radius
Auth name: Authentication_1
Entering: RADIUS settings menu
Entering: RADIUS servers menu
IP Address to add: 0.0.0.0
Port (default is 1812): 1812
Enter shared secret: shared
Leaving: RADIUS servers menu
Enter vendor id [alteon]: alteon
Enter vendor type [1]: 1
Leaving: RADIUS settings menu
-----------------------------------------------------------
[Authentication 1 Menu]
type - Set authentication mechanism
name - Set auth name
display - Set auth display name
domain - Set windows domain for backend single sign-on
radius - RADIUS settings menu
adv - Advanced settings menu
del - Remove Authentication
/ssl/cfg/vpn/aaa/auth/radius
SSL VPN Authentication Radius Menu
To enter the /ssl/cfg/vpn/aaa/auth/radius menu level, the authentication type must be set to radius. For example: /ssl/cfg/vpn/aaa/auth/type radius.
[RADIUS Menu]
servers - RADIUS servers menu
vendorid - Set vendor id for group attribute
vendortype - Set vendor type for group attribute
timeout - Set RADIUS server timeout
sessiontim - Session Timeout menu
macro - User-defined Macro menu
Table 10-34 SSL VPN Configuration AAA Authentication Radius Menu Options
Command Syntax and Usage
servers  Go to the Radius servers menu. To view the menu options, see page 575.
vendorid <string>  Set the switch vendor ID.
vendortype <vendortype>  Set the vendor type.
timeout <integer, 1 to 1000 seconds>  Set the Radius server timeout.
sessiontim  Go to the Sessiontim menu. To view the menu options, see page 575.
macro  Go to the Macro menu. To view the menu options, see page 576.
/ssl/cfg/vpn/aaa/auth/radius/servers
SSL VPN Authentication Radius Servers Menu
[RADIUS Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 10-35 SSL VPN Configuration AAA Authentication Radius Menu Options
Command Syntax and Usage
list  List all values (servers).
del <index_number>  Delete a server value by number.
add <ip> <port, default=1812> <secret>  Add a new value (server).
insert <position> <ip> <port> <secret>  Insert a value into the list.
move <value> <value>  Move a value position in the list.
/ssl/cfg/vpn/aaa/auth/radius/sessiontim
SSL VPN Authentication Radius Session Timeout Menu
[SessionTimeout Menu]
vendorid - Set vendor id for session timeout attribute
vendortype - Set vendor type for session timeout attribute
ena - Enable Session-Timeout
dis - Disable Session-Timeout
Table 10-36 SSL VPN Configuration AAA Authentication Radius Session Timeout Menu Options
Command Syntax and Usage
vendorid <vendorid>  Set the vendor ID number.
vendortype <value>  Set the Vendor Type number.
ena enable|disable  Enable session timeout.
dis enable|disable  Disable session timeout.
/ssl/cfg/vpn/aaa/auth/radius/macro
SSL VPN Authentication Radius Macro Menu
[Macro Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 10-37 SSL VPN Configuration AAA Authentication Radius Macro Menu Options
Command Syntax and Usage
list  List all values.
del <value>  Delete a value using its number.
add <vendorid> <vendortype> <attribute_type (IP, <string>, <integer>)>  Add a value.
insert <index_position> <vendorid> <vendortype> <attribute_type_string>  Insert a value.
move <value> <value>  Move a value's position in the list.
/ssl/cfg/vpn/aaa/auth/adv
SSL VPN Authentication Advanced Menu
[Advanced Menu]
groupauth - Set Authentication server list of group information
secondauth - Set Secondary authentication server
Table 10-38 SSL VPN Configuration AAA Authentication Advanced Menu Options
Command Syntax and Usage
groupauth <hostnames>  Set the list of authentication servers. Separate values using a comma.
secondauth <hostname>  Set the secondary authentication server.
/ssl/cfg/vpn/aaa/network
SSL VPN Network Menu
To enter the /ssl/cfg/vpn/aaa/network menu level, you are prompted to create a network if one does not already exist.
SSL >> AAA# network
Enter network number or name: (1-1023) 1
Creating Network 1
Network name: Network_1
-----------------------------------------------------------
[Network 1 Menu]
name - Set network name
subnet - Subnet menu
comment - Set comment
del - Remove network
/ssl/cfg/vpn/aaa/network/subnet
SSL VPN Network Subnet Menu
To enter the /ssl/cfg/vpn/aaa/network/subnet menu level, you are prompted to create a subnet if one does not already exist.
SSL >> Network 1# sub
Enter subnet number: (1-1023) 1
Creating Network Subnet 1
Enter host name: Subnet_1
Enter network address: 0.0.0.0
Enter network netmask: netmask
-----------------------------------------------------------
[Network Subnet 1 Menu]
host - Set Host Name
net - Set network address
mask - Set network mask
del - Remove subnet
Table 10-40 SSL VPN Configuration AAA Network Subnet Menu Options
Command Syntax and Usage
host <hostname>  Set the hostname for the subnet.
net <IP_address>  Set the subnet address.
mask <IP_address>  Set the network mask.
del  Remove the subnet.
/ssl/cfg/vpn/aaa/service
SSL VPN Service Menu
To enter the /ssl/cfg/vpn/aaa/service menu level, you are prompted to create a service if one does not already exist.
SSL >> AAA# service
Enter service number or name: (1-1023) 1
Creating Service 1
Service name: Service_1
Enter service protocol (list of tcp,udp): tcp
Enter service ports: 1,2,3
-----------------------------------------------------------
[Service 1 Menu]
name - Set service name
protocol - Set allowed protocols
ports - Set allowed port
comment - Set comment
del - Remove Service
/ssl/cfg/vpn/aaa/appspec
SSL VPN Application specific Menu
To enter the /ssl/cfg/vpn/aaa/appspec menu level, you are prompted to create a network if one does not already exist.
SSL >> AAA# appspec
Enter appspec number or name: (1-1023) 1
Creating AppSpecific 1
AppSpec name: AppSpec_1
Entering: Paths menu
Path format:
The paths are formatted differently for different applications.
For smb you write the path as /<WORKGROUP>/<FILESHARE>/<FILE PATH>, for example /NORTEL/homes/public
This will give access to the public directory in the homes share in the NORTEL workgroup/domain.
For ftp you write the path as <ABSOLUTE FILE PATH>, for example /home/share/public/
This will give access to the /home/share/public. Note that all paths are absolute from the root.
For web servers you write the path <SERVER PATH>, for example /intranet
This will give access to the /intranet path on the web server.
Enter path: /path
Leaving: Paths menu.
---------------------------------------------
[AppSpecific 1 Menu]
name - Set appspec name
paths - Paths menu
comment - Set comment
del - Remove AppSpec
Table 10-42 SSL VPN Configuration AAA Application specific Menu Options
Command Syntax and Usage
name <appsec_name>  Create an application name.
paths  Go to the Paths menu. To view the menu options, see page 566.
Table 10-42 SSL VPN Configuration AAA Application specific Menu Options (Continued)
Command Syntax and Usage
comment <string>  Create a description (comment) about the application.
del  Delete the application.
/ssl/cfg/vpn/aaa/appspec/paths
SSL VPN Application specific Paths Menu
[Paths Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 10-43 SSL VPN Configuration AAA Application specific Paths Menu Options
Command Syntax and Usage
list  List all paths.
del <path_value>  Delete a path by its number.
add  Add a new path. For example:
  SSL >> Paths# list
  Old:
  Pending:
  1: /info
  SSL >> Paths# add
  Path format:
  The paths are formatted differently for different applications.
  For smb you write the path as /<WORKGROUP>/<FILESHARE>/<FILE PATH>, for example /NORTEL/homes/public
  This will give access to the public directory in the homes share in the NORTEL workgroup/domain.
  For ftp you write the path as <ABSOLUTE FILE PATH>, for example /home/share/public/
  This will give access to the /home/share/public. Note that all paths are absolute from the root.
  For web servers you write the path <SERVER PATH>, for example /intranet
  This will give access to the /intranet path on the web server.
  Enter path: /home/storage
insert <index>  Insert a path into the path list.
Table 10-43 SSL VPN Configuration AAA Application specific Paths Menu Options (Continued)
Command Syntax and Usage
del  Delete the path.
/ssl/cfg/vpn/aaa/filter
SSL VPN AAA Filter Menu
To enter the /ssl/cfg/vpn/aaa/filter menu level, you are prompted to create a client filter if one does not already exist.
SSL >> AAA# filter
Enter client filter number or name: (1-63) 1
Creating Client Filter 1
Filter name: Filter_1
-----------------------------------------------------------[Client Filter 1 Menu]
name - Set filter name
cert - Client certificate present
iewiper - IE cache wiper present
tg - TunnelGuard checks passed
methods - Set access methods
authserver - Set authentication servers
clientnet - Set client network reference
comment - Set comment
del - Remove client filter
/ssl/cfg/vpn/aaa/group
SSL VPN AAA Group Menu
To enter the /ssl/cfg/vpn/aaa/group menu level, you are prompted to create a group if one does not already exist.
SSL >> AAA# group
Enter group number or name: (1-1023) 1
Creating Group 1
Group name: Group_1
Enter number of sessions (0 is unlimited): 0
Enter user type (advanced/medium/novice): novice
-----------------------------------------------------------[Group 1 Menu]
name - Set group name
access - Access rule menu
print - Print access rules
restrict - Set number of login sessions
usertype - Set portal user type
linkset - Linkset menu
extend - Extended profiles menu
tgsrs - Set TunnelGuard SRS Rule
ipsec - IPsec menu
comment - Set comment
del - Remove group
restrict <integer> - Restrict the number of login sessions. The default is 0 (unlimited).
usertype advanced|medium|novice - Set the user level.
linkset - Go to the Linkset menu. To view the menu options, see page 587.
extend - Go to the Extended Profiles menu. To view the menu options, see page 588.
tgsrs <string> - Set the TunnelGuard SRS rule.
ipsec - Go to the IPsec menu. To view the menu options, see page 590.
comment - Create a description (comment) of the group.
del - Delete the group.
/ssl/cfg/vpn/aaa/group/access
SSL VPN AAA Group Access Menu
To enter the /ssl/cfg/vpn/aaa/group/access menu level, you are prompted to create an access rule if one does not already exist.
SSL >> Group 1# access
Enter access rule number: (1-1023) 1
Creating Access rule 1
Enter network name: Network_1
Enter service name: Service_1
Enter application specific name: Application_1
Enter action (accept/reject): accept
-----------------------------------------------------------[Access rule 1 Menu]
network - Set network reference
service - Set service reference
appspec - Set application specific reference
action - Set action
comment - Set access rule comment
del - Remove access rule
Table 10-46 SSL VPN Configuration AAA Group Access Menu Options
Command Syntax and Usage
network <network_name> - Set the network name reference.
service <service_name> - Set the service name reference.
appspec <application_name> - Set the application specific name reference.
action accept|reject - Set the action taken when a request matches this access rule: accept it or reject it.
comment - Create a description (comment) of this access rule.
del - Delete the access rule.
/ssl/cfg/vpn/aaa/group/linkset
SSL VPN AAA Group Linkset Menu
[Linksets Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 10-47 SSL VPN Configuration AAA Group Linkset Menu Options
Command Syntax and Usage
list - List all of the configured linksets.
del <index> - Delete a linkset by its number.
add <linkset_name> - Add a linkset name.
insert <position> <name> - Insert a linkset into the linkset list.
move <value> <value> - Move the linkset from one position to another in the linkset list.
/ssl/cfg/vpn/aaa/group/extend
SSL VPN AAA Group Extend Profiles Menu
To enter the /ssl/cfg/vpn/aaa/group/extend menu level, you are prompted to create an extended profile if one does not already exist.
SSL >> Group 1# extend
Enter profile number or name (1-63): 1
Creating Extended Profile 1
Enter client filter name: Filter_1
Enter user type (advanced/medium/novice): novice
-----------------------------------------------------------[Extended Profile 1 Menu]
filter - Set client filter reference
access - Access rule menu
print - Print access rules
usertype - Set portal user type
linkset - Linkset menu
del - Remove profile
Table 10-48 SSL VPN Configuration AAA Group Extend Profiles Menu Options
Command Syntax and Usage
filter <client_filter_name> - Set the client filter name reference.
access - Go to the Access Rule menu. To view the menu options, see page 589.
print - Print the access rules of the extended profile.
usertype advanced|medium|novice - Set the portal user level.
linkset - Go to the Linkset menu. To view the menu options, see page 590.
del - Delete the extended profile.
/ssl/cfg/vpn/aaa/group/extend/access
SSL VPN AAA Group Extend Profiles Access Menu
[Access rule 1 Menu]
network - Set network reference
service - Set service reference
appspec - Set application specific reference
action - Set action
comment - Set access rule comment
del - Remove access rule
Table 10-49 SSL VPN Configuration AAA Group Extend Profiles Access Menu Options
Command Syntax and Usage
network <network_name> - Set the network name reference.
service <service_name> - Set the service name reference.
appspec <application_name> - Set the application name reference.
action accept|reject - Set the action taken when a request matches this access rule: accept it or reject it.
comment - Create a description (comment) of the access rule.
del - Delete the extended profile access rule.
/ssl/cfg/vpn/aaa/group/extend/linkset
SSL VPN AAA Group Extend Profiles Linkset Menu
[Linksets Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 10-50 SSL VPN Configuration AAA Group Extend Profiles Linkset Menu Options
Command Syntax and Usage
list - List all of the configured extended profile linksets.
del <index> - Delete an extended profile linkset by its number.
add <extended_profile_linkset_name> - Add an extended profile linkset name.
insert <position> <name> - Insert an extended profile linkset into the linkset list.
move <value> <value> - Move the extended profile linkset from one position to another in the linkset list.
/ssl/cfg/vpn/aaa/group/ipsec
SSL VPN AAA Group IPsec Menu
[IPsec Menu]
secret - Set shared secret
utunnel - Set user tunnel profile
Table 10-51 SSL VPN Configuration AAA Group IPsec Menu Options
Command Syntax and Usage
secret <string> - Set the group's shared secret. It is a credential shared by every member of the group, so use a long, random value and change it if a client that holds it is compromised.
utunnel <string> - Set the user tunnel profile name.
/ssl/cfg/vpn/aaa/ssodomains
SSL VPN AAA Single-sign on Enabled Domains Menu
[SSO Domain Menu]
list - List all values
del - Delete a value by number
add - Add a new value
Table 10-52 SSL VPN Configuration AAA Single-sign on enabled Domains Menu Options
Command Syntax and Usage
list - List all of the SSO domains.
del <index> - Delete an SSO domain by its number.
add <domain_name> <mode: normal|add_domain> - Add an SSO domain. Only add domains whose servers should receive the portal user's single sign-on credentials.
/ssl/cfg/vpn/aaa/ssoheaders
SSL VPN AAA Single-sign on Headers Menu
[SSO Headers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 10-53 SSL VPN Configuration AAA Single-sign on Headers Menu Options
Command Syntax and Usage
list - List all of the configured SSO headers.
del <index> - Delete an SSO header by its number.
add <domain> <header_pattern> - Add an SSO header.
insert <position> <domain> <header_name> - Insert an SSO header into the headers list.
move <value> <value> - Move an SSO header from one position to another in the SSO headers list.
/ssl/cfg/vpn/aaa/radacct
SSL VPN AAA Radius Accounting Menu
[RADIUS Accounting Menu]
servers - RADIUS accounting servers menu
vpnattribu - VPN attribute menu
ena - Enable RADIUS accounting
dis - Disable RADIUS accounting
Table 10-54 SSL VPN Configuration AAA Radius Accounting Menu Options
Command Syntax and Usage
servers - Go to the RADIUS accounting servers menu. To view the menu options, see page 594.
vpnattribu - Go to the VPN attribute menu. To view the menu options, see page 595.
ena - Enable AAA RADIUS accounting.
dis - Disable AAA RADIUS accounting.
/ssl/cfg/vpn/aaa/radacct/servers
SSL VPN AAA Radius Accounting Servers Menu
[RADIUS Accounting Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 10-55 SSL VPN Configuration AAA RADIUS Accounting Servers Menu Options
Command Syntax and Usage
list - List all of the configured RADIUS accounting servers.
del <index> - Delete a RADIUS accounting server by its number.
add <ip_address> <port> <secret> - Add a RADIUS accounting server. The shared secret must match the one configured on that server; it keys the authenticator of every accounting packet, so use a long, random value and a different secret for each server.
Chapter 10: The SSL Processor Menu
320506-C Rev. 02, Feb 2007
insert <position> <ip_address> <port> <secret> - Insert a RADIUS accounting server into the server list.
move <value> <value> - Move a RADIUS accounting server from one position to another in the server list.
/ssl/cfg/vpn/aaa/radacct/vpnattribu
SSL VPN AAA Radius Accounting VPN attributes Menu
[VPN Attribute Menu]
vendorid - Set vendor id for the VPN attribute
vendortype - Set vendor type for the VPN attribute
Table 10-56 SSL VPN Configuration AAA Radius Accounting VPN attributes Menu Options
Command Syntax and Usage
vendorid <vendorID> - Set the vendor ID used for the VPN attribute (the Vendor-Id field of the RADIUS Vendor-Specific attribute).
vendortype <integer> - Set the vendor type used for the VPN attribute (the vendor-assigned attribute type carried inside the Vendor-Specific attribute).
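The following Python is an added example, not Nortel code. It builds the RADIUS Accounting-Request (RFC 2866) that the switch and an accounting server configured under servers (page 594) must agree on, and checks it the way the server does. It shows why the <secret> given to add and the vendorid/vendortype settings of this menu matter: the secret keys the Request Authenticator of every accounting packet, and the vendor id and vendor type are the Vendor-Id and vendor-type fields of the Vendor-Specific attribute (RFC 2865, section 5.26) that carries the VPN attribute. The shared secret, vendor id 1872, vendor type 1, the user name, session ID, NAS address and attribute value are assumed placeholders, constructed for the example.

```python
"""Added example (not Nortel code): build and verify a RADIUS Accounting-Request
(RFC 2866) carrying a Vendor-Specific VPN attribute (RFC 2865 section 5.26).
The shared secret, vendor id, vendor type and attribute values are assumed
placeholders for illustration."""
import hashlib
import hmac
import struct

ACCT_REQUEST = 4
# Standard attribute types used below (RFC 2865/2866)
USER_NAME, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 4, 26
ACCT_STATUS_TYPE, ACCT_SESSION_ID = 40, 44
ACCT_START = 1

# Assumed values standing in for the vendorid/vendortype settings of this menu
EXAMPLE_VENDOR_ID = 1872
EXAMPLE_VENDOR_TYPE = 1
EXAMPLE_SECRET = b"radius-secret"   # assumed; the real one is the <secret> given to add


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length (header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific attribute: 4-byte Vendor-Id, then vendor type/length/value."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return avp(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def accounting_request(identifier: int, secret: bytes, attrs: bytes) -> bytes:
    """Accounting-Request packet. The Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    header = struct.pack("!BBH", ACCT_REQUEST, identifier, 20 + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """The accounting server's check: recompute the authenticator with its own
    copy of the shared secret. A wrong secret or any modified byte fails."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attrs(packet: bytes) -> list:
    """Walk the attribute list. Vendor-Specific attributes are returned as
    (26, vendor_id, vendor_type, value); all others as (type, value)."""
    out, i = [], 20
    while i < len(packet):
        if i + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[i + 2:i + length]
        if attr_type == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("malformed Vendor-Specific attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vendor_type, vendor_len = value[4], value[5]
            out.append((attr_type, vendor_id, vendor_type, value[6:4 + vendor_len]))
        else:
            out.append((attr_type, value))
        i += length
    return out


def example_packet(secret: bytes = EXAMPLE_SECRET) -> bytes:
    """Constructed Accounting-Start for a VPN login (all values are sample data)."""
    attrs = (avp(USER_NAME, b"alice")
             + avp(NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))      # documentation address
             + avp(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
             + avp(ACCT_SESSION_ID, b"0000A1B2")
             + vsa(EXAMPLE_VENDOR_ID, EXAMPLE_VENDOR_TYPE, b"vpn1"))
    return accounting_request(7, secret, attrs)


if __name__ == "__main__":
    pkt = example_packet()
    print(pkt.hex())
    print("valid with the right secret:", verify_accounting_request(pkt, EXAMPLE_SECRET))
    print("valid with a wrong secret:  ", verify_accounting_request(pkt, b"wrong"))
    print(parse_attrs(pkt))
```

The check is only as strong as the secret: the authenticator is an MD5 hash over the packet and the secret, with no salt or key derivation, so a short or guessable secret can be brute-forced from a single captured packet. Restrict the accounting servers to accept packets only from the switch's address as well.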
/ssl/cfg/vpn/server
SSL VPN Configuration Server Menu
[Server Menu]
port - Set listen port of server
dnsname - Set DNS name of server
trace - Traffic trace menu
ssl - SSL settings menu
tcp - TCP endpoint settings menu
http - HTTP settings menu
proxymap - Intranet proxy configuration menu
portal - Portal settings menu
adv - Advanced settings menu
ena - Enable virtual server
dis - Disable virtual server
/ssl/cfg/vpn/server/trace
SSL VPN Server Traffic Trace Menu
[Trace Menu]
ssldump - Create traffic dump
tcpdump - Create traffic dump
ping - Ping through backend interface
dnslookup - Lookup a name in DNS through backend interface
traceroute - Traceroute through backend interface
Table 10-58 SSL VPN Configuration Server Traffic Trace Menu Options
Command Syntax and Usage
ssldump - Create an SSL traffic dump. See the tcpdump documentation for a description of the capture filter patterns that are allowed (http://www.tcpdump.org/tcpdump_man.html).
tcpdump - Create a TCP traffic dump. See the tcpdump documentation for a description of the capture filter patterns that are allowed (http://www.tcpdump.org/tcpdump_man.html).
ping <hostname> - Ping through the backend interface.
dnslookup <hostname> - Look up a name in DNS through the backend interface.
traceroute - Traceroute through the backend interface. Use this command to identify the route used for station-to-station connectivity across the network.
Note that the dumps capture live user traffic. Tracing with tcpdump and ssldump can be disabled system-wide with distrace in the /ssl/cfg/sys menu, which is advisable once troubleshooting is complete.
/ssl/cfg/vpn/server/ssl
SSL VPN Server SSL Settings Menu
[SSL Settings Menu]
cert - Set server certificate
cachesize - Set SSL cache size
cachettl - Set SSL cache timeout
cacerts - Set list of accepted signers of client certificates
cachain - Set list of CA chain certificates
protocol - Set protocol version
ciphers - Set cipher list
verify - Set certificate verification level
ena - Enable SSL
dis - Disable SSL
Table 10-59 SSL VPN Configuration Server SSL Settings Menu Options
Command Syntax and Usage
cert <certificate_number, 1 to 1500> - Set the server certificate, by certificate number.
cachesize <integer, 0 to 10000> - Set the SSL session cache size (kBytes).
cachettl <integer> - Set the SSL session cache timeout (in minutes).
cacerts <certificate_numbers> - Set the list of accepted signers of client certificates. If more than one, use a comma to separate the entries.
cachain <certificate_numbers> - Set the list of CA chain certificates. If more than one, use a comma to separate the entries.
protocol ssl2|ssl3|ssl23|tls1 - Set the protocol version. SSLv2 and SSLv3 have known weaknesses and are deprecated, and ssl23 accepts whichever version the client offers; use tls1 unless legacy clients leave no choice.
ciphers - Set the cipher list. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical AND operation (+); e.g. SHA1+DES represents all cipher suites containing both the SHA1 and the DES algorithms. Each cipher string can optionally be preceded by the characters !, - or +: ! permanently deletes the matching ciphers from the list (e.g. !RSA); - deletes the matching ciphers from the list, but later cipher strings can add them again; + moves the matching ciphers to the end of the list without adding any new ones. Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.
verify none|optional - Set the client certificate verification level. With none, no client certificate is requested. With optional, a client certificate is requested and checked against cacerts if the client presents one, but the connection is not refused if it does not; the cert setting of a client filter (page 583) can then require one for particular access rights.
ena - Enable SSL.
dis - Disable SSL.
/ssl/cfg/vpn/server/tcp
SSL VPN Server TCP endpoint Settings Menu
[TCP Settings Menu]
cwrite - Set client TCP write timeout
ckeep - Set client TCP keep alive timeout
skeep - Set socks client TCP keep alive heartbeat timeout
swrite - Set server TCP write timeout
sconnect - Set server TCP connect timeout
csendbuf - Set client TCP send buffer size
crecbuf - Set client TCP receive buffer size
ssendbuf - Set server TCP send buffer size
srecbuf - Set server TCP receive buffer size
Table 10-60 SSL VPN Configuration Server TCP endpoint settings Menu Options
Command Syntax and Usage
cwrite <integer, 1 to 2147483647> - Set the client TCP write timeout, in seconds.
ckeep <integer, 1 to 2147483647> - Set the client TCP keep alive timeout, in seconds.
skeep <integer, 1 to 2147483647> - Set the SOCKS client TCP keep alive heartbeat timeout, in seconds.
swrite <integer, 1 to 2147483647> - Set the server TCP write timeout, in seconds.
sconnect <integer, 1 to 2147483647> - Set the server TCP connect timeout, in seconds.
csendbuf auto|<integer, 2000 to 100000> - Set the client TCP send buffer size (bytes).
crecbuf auto|<integer, 2000 to 100000> - Set the client TCP receive buffer size (bytes).
ssendbuf auto|<integer, 2000 to 100000> - Set the server TCP send buffer size (bytes).
srecbuf auto|<integer, 2000 to 100000> - Set the server TCP receive buffer size (bytes).
/ssl/cfg/vpn/server/http
SSL VPN Server HTTP Settings Menu
[HTTP Settings Menu]
downstatus - Set server down reply status
rewrite - SSL triggered rewrite menu
securecook - Set add secure option to session cookie
sslheader - Add SSL header
sslxheader - Add SSL header with serial in hex
sslsidhead - Add SSL SID header
addxfor - Add X-Forwarded-For header
addvia - Add Via header
addxisd - Add HTTP-X-ISD debug header
addclicert - Add Client-Cert as a HTTP header
addnostore - Add no-cache/no-store HTTP header
allowimage - Allow image caching
allowdoc - Allow document caching
allowscrip - Set allow script caching
allowica - Allow ICA file caching
cmsie - Set MSIE session termination bug workaround
maxrcount - Set max number of persistent client requests
maxline - Set max line length
Table 10-61 SSL VPN Configuration Server HTTP settings Menu Options
Command Syntax and Usage
downstatus unavailable|redirect|reset - Set the server down reply status.
rewrite - Go to the SSL triggered rewrite menu. To view the menu options, see page 601.
securecook on|off - Set the secure attribute on the session cookie, so that browsers send it only over HTTPS. Leave this on.
sslheader on|off - Add an SSL header.
sslxheader on|off - Add an SSL header with the serial number in hexadecimal.
sslsidhead on|off - Add an SSL session ID (SID) header.
addxfor on|off|anonymous|remove - Add an X-Forwarded-For header.
addvia on|off|anonymous|remove - Add a Via header.
addxisd on|off - Add an HTTP-X-ISD debug header.
addclicert on|off - Pass the client certificate to the backend as a Client-Cert HTTP header. Backend servers should accept this header only from the switch, since any other client could supply one itself.
addnostore on|off - Add a no-cache/no-store HTTP header.
allowimage on|off - Allow image caching.
allowdoc on|off - Allow document caching.
allowscrip on|off - Allow script caching.
allowica on|off - Allow ICA file caching.
cmsie on|off - Set the MSIE session termination bug workaround.
maxrcount <integer> - Set the maximum number of persistent client requests.
maxline <integer> - Set the maximum line length.
/ssl/cfg/vpn/server/http/rewrite
SSL VPN Server SSL triggered rewrite Menu
[Rewrite Menu]
rewrite - Set SSL triggered rewrite
ciphers - Set accepted ciphers
response - Set source of response
URI - Set URI with the weak cipher alert
Table 10-62 SSL VPN Configuration Server SSL triggered rewrite Menu Options
Command Syntax and Usage
rewrite on|off - Set SSL triggered rewrite.
ciphers <string> - Set the accepted ciphers. For step-up certificates we recommend ALL:-RC2:SHA1:@STRENGTH. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical AND operation (+); e.g. SHA1+DES represents all cipher suites containing both the SHA1 and the DES algorithms. Each cipher string can optionally be preceded by the characters !, - or +: ! permanently deletes the matching ciphers from the list (e.g. !RSA); - deletes the matching ciphers from the list, but later cipher strings can add them again; + moves the matching ciphers to the end of the list without adding any new ones, it just moves matching existing ones. Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length. Check the list a string actually produces before relying on it: an alias such as SHA1 adds every suite it matches that an earlier - exclusion did not cover, and only ! removes a suite for good.
response iSD|WebServer - Set the source of the weak cipher response: the iSD itself or the web server.
URI <WebServer response only> - Set the URI with the weak cipher alert. For example, /cgi-bin/weakcipher.
/ssl/cfg/vpn/server/proxymap
SSL VPN Server Intranet Proxy settings Menu
The proxymap menu is not available for servers of type portal or socks.
[Proxy Mapping Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number
Table 10-63 SSL VPN Configuration Server Intranet Proxy settings Menu Options
Command Syntax and Usage
list - List all of the server intranet proxy settings.
del <index> - Delete an intranet proxy server by its number.
add <ip_address> <port> - Add an intranet proxy server.
insert <position> <ip_address> <port> - Insert an intranet proxy server into the proxy server list.
move <value> <value> - Move an intranet proxy server from one position to another in the server list.
/ssl/cfg/vpn/server/portal
SSL VPN Server Portal settings Menu
[Portal Settings Menu]
resetcooki - Set Re-Set session cookie in each request
domain - Set cookie domain
persistent - Set use persistent session cookies
Table 10-64 SSL VPN Configuration Server Portal settings Menu Options
Command Syntax and Usage
resetcooki on|off - Set whether the session cookie is re-set in each request.
domain <domain_name> - Set the cookie domain name for the portal. Keep it as narrow as possible: every host under the cookie domain receives the session cookie.
persistent on|off - Set the use of persistent session cookies. Persistent cookies survive a browser restart and remain on shared machines, so leave this off unless the deployment requires it.
/ssl/cfg/vpn/server/adv
SSL VPN Configuration Server Advanced Menu
[Advanced Settings Menu]
traflog - UDP syslog Traffic Log menu
sslconnect - SSL connect menu
/ssl/cfg/vpn/server/adv/traflog
SSL VPN Server UDP Syslog Traffic Log Menu
[Traffic Log Settings Menu]
sysloghost - Set syslog host IP
udpport - Set syslog portnumber
priority - Set syslog priority
facility - Set syslog facility
ena - Enable traffic UDP syslog logging
dis - Disable traffic UDP syslog logging
Table 10-66 SSL VPN Configuration Server UDP Syslog Traffic Log Menu Options
Command Syntax and Usage
sysloghost <IP_address> - Set the IP address of the syslog host that receives the traffic log.
udpport <UDP_port_number> - Set the UDP port of the syslog host.
priority <syslog_name> - Set the syslog priority.
facility <string> - Set the syslog facility.
ena - Enable traffic UDP syslog messaging.
dis - Disable traffic UDP syslog messaging.
Note that UDP syslog is neither authenticated nor encrypted, and lost datagrams are not retransmitted, so send the traffic log only across a trusted management network.
/ssl/cfg/vpn/server/adv/sslconnect
SSL VPN Server SSL Connect Menu
[SSL Connect Settings Menu]
protocol - Set protocol version
cert - Set client certificate
ciphers - Set accepted ciphers for ssl connect
verify - Verify server menu
Table 10-67 SSL VPN Configuration Server SSL Connect Menu Options
Command Syntax and Usage
protocol ssl2|ssl3|ssl23|tls1 - Set the protocol version used when connecting to backend servers. As on the server side, prefer tls1; SSLv2 and SSLv3 are deprecated.
cert <certificate_number, 1 to 1500> - Set the client certificate the switch presents to backend servers.
ciphers - Set the accepted ciphers for the SSL connection. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical AND operation (+); e.g. SHA1+DES represents all cipher suites containing both the SHA1 and the DES algorithms. Each cipher string can optionally be preceded by the characters !, - or +: ! permanently deletes the matching ciphers from the list (e.g. !RSA); - deletes the matching ciphers from the list, but later cipher strings can add them again; + moves the matching ciphers to the end of the list without adding any new ones. Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.
verify - Go to the Verify server menu. To view the menu options, see page 605.
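The cipher string syntax described in this table, in the server SSL settings table (Table 10-59) and in the SSL triggered rewrite table (Table 10-62) is easy to get wrong, because an alias adds every suite it matches while only ! removes a suite permanently. The following Python is an added example, not Nortel code: it evaluates a cipher string under exactly the rules the manual states (colon-separated strings, + as AND, the !, - and + prefixes, and @STRENGTH) over a small constructed suite table. The suite names and key lengths follow familiar OpenSSL suites, but the tags are assumed for illustration, and ALL is taken to exclude NULL-encryption suites as OpenSSL does. Run on the string recommended for step-up certificates, ALL:-RC2:SHA1:@STRENGTH, it shows the SHA1 alias pulling NULL-SHA into the list, because ALL never contained it and -RC2 only removed RC2. OpenSSL's real SHA1 alias likewise matches its NULL-SHA suite, so confirm the effective list on the OpenSSL build in use with openssl ciphers -v '<string>'; the second string in the block keeps NULL suites out with !eNULL.

```python
"""Toy evaluator for the colon-separated cipher-string syntax described in the
manual.  Added example, not Nortel code.  The suite table is constructed for
illustration; the rules (!, -, +, '+' as AND, @STRENGTH) follow the manual's
description, and ALL excludes NULL-encryption suites as in OpenSSL."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    bits: int            # symmetric key length, used by @STRENGTH
    tags: frozenset      # algorithm/protocol aliases the suite matches


def _s(name, bits, *tags):
    return Suite(name, bits, frozenset(tags))


# Constructed table (assumed tags).  List order is the order ALL produces.
SUITES = [
    _s("AES256-SHA",         256, "AES", "SHA1", "RSA", "SSLv3", "HIGH"),
    _s("DHE-RSA-AES256-SHA", 256, "AES", "SHA1", "DH", "RSA", "SSLv3", "HIGH"),
    _s("AES128-SHA",         128, "AES", "SHA1", "RSA", "SSLv3", "HIGH"),
    _s("DES-CBC3-SHA",       168, "3DES", "SHA1", "RSA", "SSLv3", "HIGH"),
    _s("RC4-MD5",            128, "RC4", "MD5", "RSA", "SSLv3", "MEDIUM"),
    _s("RC2-CBC-MD5",        128, "RC2", "MD5", "RSA", "SSLv2"),
    _s("EXP-RC2-CBC-MD5",     40, "RC2", "MD5", "RSA", "SSLv3", "EXPORT"),
    _s("DES-CBC-SHA",         56, "DES", "SHA1", "RSA", "SSLv3", "LOW"),
    _s("NULL-SHA",             0, "eNULL", "SHA1", "RSA", "SSLv3"),
]


def _matches(word):
    """Suites matching one cipher string; '+' inside the word means AND."""
    need = word.split("+")
    if need == ["ALL"]:                       # ALL never includes NULL encryption
        return [s for s in SUITES if "eNULL" not in s.tags]
    return [s for s in SUITES if all(t in s.tags or t == s.name for t in need)]


def evaluate(cipher_list):
    """Return the suite names, in order, that the cipher list selects."""
    active = []       # the ordered list that would be offered
    killed = set()    # suites removed with '!' can never be re-added
    for word in cipher_list.split(":"):
        if not word:
            continue
        if word == "@STRENGTH":
            active.sort(key=lambda s: s.bits, reverse=True)   # stable sort
            continue
        op = word[0] if word[0] in "!-+" else ""
        hits = _matches(word[len(op):])
        if op == "!":                          # permanent removal
            killed.update(hits)
            active = [s for s in active if s not in hits]
        elif op == "-":                        # removal, may be re-added later
            active = [s for s in active if s not in hits]
        elif op == "+":                        # move matches to the end, add nothing
            moved = [s for s in active if s in hits]
            active = [s for s in active if s not in hits] + moved
        else:                                  # append new matches
            for s in hits:
                if s not in active and s not in killed:
                    active.append(s)
    return [s.name for s in active]


if __name__ == "__main__":
    for cl in ("ALL:-RC2:SHA1:@STRENGTH",
               "ALL:!eNULL:!RC2:!MD5:!DES:SHA1:@STRENGTH"):
        print(cl)
        print("   ->", evaluate(cl))
```

The first string yields NULL-SHA at the end of the list; the second, which kills the weak families with ! before the SHA1 alias runs, does not. The same ordering logic applies to the ciphers settings of all three menus.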
/ssl/cfg/vpn/server/adv/sslconnect/verify
SSL VPN Server SSL Connect verify Server Menu
[SSL Connect Verify Settings Menu]
verify - Set certificate verification level
commonname - Set server common name
cacerts - Set list of accepted signers of server's certificate
Table 10-68 SSL VPN Configuration Server SSL Connect Verify Server Menu Options
Command Syntax and Usage
verify none|verify - Set the certificate verification level. With none the backend server's certificate is not checked at all, which leaves the connection open to impersonation of the backend; set verify, together with cacerts and commonname, so that the backend is actually authenticated.
commonname <string> - Set the common name expected in the backend server's certificate.
cacerts <certificate_numbers> - Set the list of accepted signers of the backend server's certificate. If more than one, use a comma to separate the entries.
/ssl/cfg/vpn/ipsec
SSL VPN Configuration IPsec Server Menu
[IPsec Menu]
ena - Enable IPsec
dis - Disable IPsec
quick - Quick IPsec setup wizard
ikeprof - IKE profile
utunprof - User tunnel profile
cacerts - Set list of accepted signers of clients certificate
cert - Set server certificate
/ssl/cfg/vpn/ipsec/ikeprof
SSL VPN IPsec Server IKE Profile Menu
[IKE Profile 1 Menu]
name - Set IKE profile name
del - Remove IKE Profile
enc - Encryption mask menu
dh - Diffie-Hellman group mask menu
pfs - Enable Perfect Forward Secrecy
initcontac - Accept ISAKMP initial contact payload
rekeytime - Set rekey time limit
rekeytraf - Set rekey traffic limit
retransmit - Set ISAKMP retransmit interval
maxretrans - Set ISAKMP max attempts retransmits
replaywins - Set replay window size
nat - NAT menu
deadpeer - Dead peer menu
Table 10-70 SSL VPN Configuration IPSEC Server IKE Profile Menu Options
Command Syntax and Usage
name <string> - Set the IKE profile name.
del - Remove the IKE profile.
enc - Go to the Encryption mask menu. To view the menu options, see page 609.
dh - Go to the Diffie-Hellman group mask menu. To view the menu options, see page 610.
pfs on|off - Enable Perfect Forward Secrecy. With PFS, each rekey performs a fresh Diffie-Hellman exchange, so compromise of one set of keys does not expose traffic protected by earlier or later keys. Leave it on.
initcontac on|off - Accept the ISAKMP initial contact payload.
rekeytime <integer> - Set the rekey time limit, in seconds.
rekeytraf <integer> - Set the rekey traffic limit, in KBytes.
retransmit <integer> - Set the ISAKMP retransmit interval, in seconds.
maxretrans <integer> - Set the maximum number of ISAKMP retransmit attempts.
replaywins <integer> - Set the replay window size.
nat - Go to the NAT menu. To view the menu options, see page 610.
deadpeer - Go to the Dead Peer menu. To view the menu options, see page 611.
/ssl/cfg/vpn/ipsec/ikeprof/enc
SSL VPN IPsec Server IKE Profile Encryption Menu
[Encryption Menu]
hmac_md5 - Set HMAC with MD5
hmac_sha - Set HMAC with SHA
null_md5 - Set NULL with MD5
null_sha - Set NULL with SHA
des_md5 - Set DES with MD5
des_sha - Set DES with SHA
3des_md5 - Set 3DES with MD5
3des_sha - Set 3DES with SHA
aes_128_sh - Set 128 bits AES with SHA
Table 10-71 SSL VPN Configuration IPSEC Server IKE Profile Encryption Menu Options
Command Syntax and Usage
hmac_md5 on|off - Set HMAC with MD5.
hmac_sha on|off - Set HMAC with SHA.
null_md5 on|off - Set NULL with MD5.
null_sha on|off - Set NULL with SHA.
des_md5 on|off - Set DES with MD5.
des_sha on|off - Set DES with SHA.
3des_md5 on|off - Set 3DES with MD5.
3des_sha on|off - Set 3DES with SHA.
aes_128_sh on|off - Set 128-bit AES with SHA.
The null_* settings provide integrity only, with no confidentiality, and single DES (56-bit key) is no longer considered secure. Enable only 3des_sha or aes_128_sh unless a specific client requires otherwise.
/ssl/cfg/vpn/ipsec/ikeprof/dh
SSL VPN IPsec Server Diffie-Hellman Group Mask Menu
[Diffie-Hellman Group Menu]
dh1 - Set Diffie-Hellman group 1
dh2 - Set Diffie-Hellman group 2
dh5 - Set Diffie-Hellman group 5
Table 10-72 SSL VPN Configuration IPSEC Server IKE Profile Diffie-Hellman Group Mask Menu Options
Command Syntax and Usage
dh1 on|off - Set Diffie-Hellman group 1.
dh2 on|off - Set Diffie-Hellman group 2.
dh5 on|off - Set Diffie-Hellman group 5.
Groups 1, 2 and 5 are the 768-, 1024- and 1536-bit MODP groups respectively. Group 1 is too weak for current use and should be left off; prefer group 5.
/ssl/cfg/vpn/ipsec/ikeprof/nat
SSL VPN IPsec Server IKE Profile NAT Menu
[NAT Menu]
natdetect - Set ESP UDP NAT detect
timeout - Set detect timeout
keepalive - Set keepalive timeout
Table 10-73 SSL VPN Configuration IPSEC Server IKE Profile NAT Menu Options
Command Syntax and Usage
natdetect disabled|auto|ipsec_capable|use_udp_encap - Set ESP UDP NAT detection.
timeout <integer> - Set the detection timeout, in seconds.
keepalive <integer> - Set the keepalive timeout, in seconds.
/ssl/cfg/vpn/ipsec/ikeprof/deadpeer
SSL VPN IPsec Server IKE Profile Dead Peer Menu
[Dead Peer Menu]
ena - Enable dead peer detection
dis - Disable dead peer detection
interval - Set detect interval
retransmit - Set max retransmissions
Table 10-74 SSL VPN Configuration IPSEC Server IKE Profile Dead Peer Menu Options
Command Syntax and Usage
ena - Enable dead peer detection.
dis - Disable dead peer detection.
interval <integer> - Set the detection interval, in seconds.
retransmit <integer> - Set the maximum number of retransmissions.
/ssl/cfg/vpn/ippool
SSL VPN IP Pool Menu
[Pool Menu]
ena - Enable pool
dis - Disable pool
lowerip - Set lower IP in pool range
upperip - Set upper IP in pool range
proxyarp - Set proxy arp on clean side interfaces
info - Print alloc info for this VPN
/ssl/cfg/vpn/portal
SSL VPN Portal Menu
[Portal Menu]
import - Import banner image gif
restore - Restores default Nortel banner
banner - Show installed banner file
redirect - Set redirect URL
logintext - Set static text on login page
iconmode - Set Home tab icon mode
linktext - Set static text on link page
linkurl - Set url input field on link page
linkcols - Set number of columns on home tab
linkwidth - Set width of link columns on home tab
companynam - Set company name used on portal pages
colors - Portal colors menu
faccess - Full Access menu
lang - Portal language menu
wiper - Set use ActiveX component for clearing cache
ieclear - Set use IE ClearAuthCache
whitelist - White-list settings menu
citrix - Set Citrix support
/ssl/cfg/vpn/portal/colors
SSL VPN Portal Colors Menu
[Portal Colors Menu]
color1 - Set portal color 1
color2 - Set portal color 2
color3 - Set portal color 3
color4 - Set portal color 4
theme - Color theme
/ssl/cfg/vpn/portal/faccess
SSL VPN Portal Full Access Menu
[Full Access Menu]
ena - Enable 'Full Access' tab
dis - Disable 'Full Access' tab
ipsecmode - Set IPsec Mode
contip - Set Contivity IP address
contid - Set Contivity group ID
contpass - Set Contivity group password
portalmsg - Set text in 'Full Access' portal tab
appletmsg - Set text in 'Full Access' Applet window
Table 10-78 SSL VPN Configuration Portal Full Access Menu Options
Command Syntax and Usage
ena - Enable the 'Full Access' tab.
dis - Disable the 'Full Access' tab.
ipsecmode contivity|native - Set the IPsec mode.
contip <IP_address> - Set the Contivity IP address.
contid <string> - Set the Contivity group ID.
contpass <string> - Set the Contivity group password.
portalmsg - Set the text in the 'Full Access' portal tab. Write or paste the text to show up in the Full Access portal window, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
appletmsg - Set the text in the 'Full Access' Applet window. Write or paste the text to show up in the Full Access Applet window, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. If you *only* enter "...", a default text is generated.
/ssl/cfg/vpn/portal/lang
SSL VPN Portal Language Menu
[Portal Language Menu]
setlang - Set the language to be used in the portal
charset - Print charset in use
list - List supported languages
/ssl/cfg/vpn/portal/whitelist
SSL VPN Portal Whitelist settings Menu
[White-list Settings Menu]
domains - Configure white-list domains
ena - Enable URL rewrite white-list
dis - Disable URL rewrite white-list
Table 10-80 SSL VPN Configuration Portal Whitelist settings Menu Options
Command Syntax and Usage
domains - Go to the Domains menu. To view the menu options, see page 617.
ena - Enable the URL rewrite white-list.
dis - Disable the URL rewrite white-list.
/ssl/cfg/vpn/portal/whitelist/domains
SSL VPN Portal Whitelist settings Domains Menu
[White-list Menu]
list - List all values
del - Delete a value by number
add - Add a new value
Table 10-81 SSL VPN Configuration Portal Whitelist settings Domains Menu Options
Command Syntax and Usage
list - List the white-list domains.
del <index> - Delete a domain by its number.
add <domain_name> - Add a domain.
/ssl/cfg/vpn/linkset
SSL VPN Linkset Menu
To enter the /ssl/cfg/vpn/linkset menu level, you are prompted to create a linkset if one does not already exist.
SSL >> VPN 1# linkset
Enter Linkset number or name (1-1023): 1
Creating Linkset 1
Linkset name: Linkset_1
Linkset text (HTML syntax, eg <b>A heading</b>): html
Autorun Linkset (true/false) [false]: false
-----------------------------------------------------------[Linkset 1 Menu]
name - Set linkset name
text - Set linkset text
autorun - Set autorun support
link - Link menu
del - Remove linkset
/ssl/cfg/vpn/linkset/link
SSL VPN Linkset Link Menu
To enter the /ssl/cfg/vpn/linkset/link menu level, you are prompted to create a link if one does not already exist.
SSL >> Linkset 1# link
Enter Link number or name (1-1023): 1
Creating Link 1
Enter link text: Link_1
Enter type of link (hit TAB to see possible values) [internal]: <tab>
smb ftp proxy custom mail telnet netdrive wts outlook netdirect terminal external internal eauto iauto
Enter type of link (hit TAB to see possible values) [internal]: internal
Entering: Internal settings menu
Enter method (http/https): http
Enter host (eg inside.company.com): NoTel.ca
Enter path (eg /): /info
Leaving: Internal settings menu
-----------------------------------------------------------[Link 1 Menu]
move - Move link
text - Set link text
type - Set link type
internal - Internal settings menu
del - Remove link
/ssl/cfg/vpn/linkset/link/internal
SSL VPN Linkset Link Internal Setting Menu
[Internal Menu]
quick - Quick internal link wizard
Table 10-84 SSL VPN Configuration Linkset Link Internal Settings Menu Options
Command Syntax and Usage
quick - Configure the link using the internal link wizard. For example:
SSL >> Internal menu# quick
Enter method (http/https): http
Enter host (eg inside.company.com): NoTel.ca
Enter path (eg /): /
/ssl/cfg/vpn/sslclient
SSL VPN SSL Client Menu
[SSL VPN Client Menu]
netdirect - Allow Netdirect client
xmlconfig - Set XML client configuration
/ssl/cfg/vpn/adv
SSL VPN Configuration Advanced Menu
[Advanced Menu]
interface - Set backend interface used by VPN
dns - DNS settings menu
log - Set log settings
/ssl/cfg/vpn/adv/dns
SSL VPN Advanced DNS settings Menu
[DNS Settings Menu]
search - Set DNS search list
/ssl/cfg/sys
SSL Configuration System Menu
[System Menu]
mip - Set management IP (MIP) address
host - iSD host menu
routes - Routes menu
time - Date and time menu
dns - DNS settings
rsa - RSA Servers
syslog - Syslog servers menu
accesslist - Access list menu
adm - Administrative applications menu
user - User Access Control menu
distrace - Disable tracing with tcpdump/ssldump
/ssl/cfg/sys/host
SSL System Host Menu
[iSD Host 1 Menu]
type - Set type of the iSD
ip - Set IP address
license - Set License
gateway - Set default gateway address
routes - Routes menu
interface - iSD host interface menu
port - iSD port configuration menu
ports - Display physical ports
hwplatform - Display hardware platform
halt - Halt the iSD
reboot - Reboot the iSD
delete - Remove iSD Host
/ssl/cfg/sys/host/routes
SSL System Host Routes Menu
[Host Routes Menu] list - List all values del - Delete a value by number add - Add a new value
/ssl/cfg/sys/host/interface
SSL System Host Interface Menu
[Host Interface 1 Menu]
ip      - Set IP address
netmask - Set network mask
gateway - Set default gateway address
routes  - Routes menu
vlanid  - Set VLAN tag id
mode    - Set mode
ports   - Interface ports menu
primary - Set primary port
delete  - Remove Host Interface
/ssl/cfg/sys/host/interface/routes
SSL System Host Interface Routes Menu
[Host Interface Routes Menu] list - List all values del - Delete a value by number add - Add a new value
/ssl/cfg/sys/host/port
SSL System Host Port Menu
[Host Port 1 Menu] autoneg - Set autonegotiation speed - Set Speed mode - Set full or half duplex mode
/ssl/cfg/sys/routes
SSL System Routes Menu
[Routes Menu]
list - List all values
del  - Delete a value by number
add  - Add a new value
/ssl/cfg/sys/time
SSL System Time Menu
[Date and Time Menu] date - Set system date time - Set system time tzone - Set Timezone ntp - Configure NTP servers
/ssl/cfg/sys/time/ntp
SSL System Time NTP servers Menu
[NTP Servers Menu] list - List all values del - Delete a value by number add - Add a new value
Table 10-96 SSL Configuration System Time NTP Servers Menu Options
Command Syntax and Usage
list
    List the configured NTP servers.
del [<NTP_server>]
    Delete the NTP server. Removes the specified NTP server from the system configuration. Use the list command to display the index numbers of all added NTP servers.
add [<IP_address>]
    Add an NTP server. Adds an NTP server to the system configuration. The NTP server you add is used by the NTP client on the iSD to synchronize its clock. The NTP client should have access to a number of servers (at least three) so that it can detect and compensate for a server whose time is wrong; accurate time also matters for certificate validity checks and for correlating the syslog and audit records this system produces.
/ssl/cfg/sys/dns
SSL Configuration System DNS settings Menu
[DNS Settings Menu]
servers    - DNS servers menu
cachesize  - Set Local DNS cache size
retransmit - Set DNS Retransmit interval timer
count      - Set DNS Retransmit counter
ttl        - Set Max TTL
health     - Set Health check interval
hdown      - Set Health check down counter
hup        - Set Health check up counter
/ssl/cfg/sys/dns/servers
SSL System DNS Servers settings Menu
[DNS Servers Menu] list - List all values del - Delete a value by number add - Add a new value insert - Insert a new value move - Move a value by number
/ssl/cfg/sys/rsa
SSL System RSA servers Menu
To enter the /ssl/cfg/sys/rsa menu level, you are prompted to create an RSA server if one does not already exist.
SSL >> System# rsa
Enter RSA Server number or name: (1-255) 1
Creating RSA Servers 1
RSA server symbolic name: RSA_1
-----------------------------------------------------------
[RSA Servers 1 Menu]
rsaname    - Set RSA server symbolic name
import     - Import sdconf.rec file
rmnodesecr - Remove Node Secret
del        - Remove RSA server
/ssl/cfg/sys/syslog
SSL System SysLog Servers Menu
[Syslog Servers Menu] list - List all values del - Delete a value by number add - Add a new value insert - Insert a new value move - Move a value by number
/ssl/cfg/sys/accesslist
SSL System Access List Menu
[Access List Menu] list - List all values del - Delete a value by number add - Add a new value
/ssl/cfg/sys/adm
SSL System Administrative applications Menu
[Administrative Applications Menu]
snmp       - SNMP menu
clitimeout - Set CLI idle timeout
audit      - Audit Settings Menu
auth       - Authentication menu
telnet     - Set telnet CLI access
ssh        - Set SSH CLI access
http       - HTTP access menu
https      - HTTPS access menu
sshkeys    - SSH host keys menu

Telnet and HTTP carry administrator credentials and session contents in cleartext. Keep both disabled and manage the cluster over SSH and HTTPS only; set clitimeout so that an unattended administrative session does not stay open indefinitely.
/ssl/cfg/sys/adm/snmp
SSL System Administrative applications SNMP Menu
[SNMP Menu]
ena        - Enable SNMP
dis        - Disable SNMP
versions   - Set SNMP versions supported
snmpv2-mib - SNMPv2-MIB menu
community  - SNMP community menu
users      - SNMP USM Users Menu
target     - Notification target menu
Table 10-103 SSL Configuration System Administrative applications SNMP Menu Options
Command Syntax and Usage
ena [true|false]
    Enable SNMP.
dis [true|false]
    Disable SNMP.
versions [<SNMP_version_number>]
    Set the SNMP versions supported, such as v1.
snmpv2-mib
    Go to the SNMPv2-MIB menu. To view menu options, see page 634.
community
    Go to the SNMP community menu. To view menu options, see page 634.
users
    Go to the SNMP USM Users menu. To view menu options, see page 635.
target
    Go to the Notification target menu. To view menu options, see page 636.
/ssl/cfg/sys/adm/snmp/snmpv2-mib
SSL System Administrative SNMPv2 MIB SNMP Menu
[SNMPv2-MIB Menu]
sysContact - Set sysContact
sysName    - Set sysName
sysLocatio - Set sysLocation
snmpEnable - Set snmpEnableAuthenTraps
Table 10-104 SSL Configuration System Administrative applications SNMPv2MIB Menu Options
Command Syntax and Usage
sysContact [<name_of_a_person>]
    Set a system contact name. Designates a contact person for the managed iSD cluster, together with information on how to contact this person.
sysName [<string, iSD_cluster_name>]
    Assign a name to the managed iSD cluster.
sysLocatio [<string>]
    Set the system location.
snmpEnable [<SNMP_trap_value>]
    Set the snmpEnableAuthenTraps value. This standard MIB-II object controls whether the agent sends an authenticationFailure trap when it receives a request with a wrong community string or SNMPv3 credentials; enable it so that SNMP credential guessing is reported to the notification targets.
/ssl/cfg/sys/adm/snmp/community
SSL System Administrative SNMP Community Menu
[SNMP Community Menu]
read  - Set Read Community String
write - Set Write Community String
trap  - Set Trap Community String
Table 10-105 SSL Configuration System Administrative applications SNMP Community Menu Options
Command Syntax and Usage
read [<string>]
    Set the Read Community String. Specifies the monitor community name that grants read access to the Management Information Base (MIB). If no monitor community name is specified, read access is not granted. The default monitor community name is public.
write [<string>]
    Set the Write Community String. Specifies the control community name that grants read and write access to the MIB. If no control community name is specified, neither write nor read access is granted through this community.
trap [<string>]
    Set the Trap Community String. Specifies the trap community name that accompanies trap messages sent to the SNMP manager. If no trap community name is specified, the sending of trap messages is disabled. The default trap community name is trap.

Community strings are the only credential SNMPv1 and SNMPv2c carry, and they cross the network in cleartext. Replace the defaults (public and trap) before enabling SNMP, leave the write community unset unless write access is actually required, and prefer SNMPv3 users with the priv security level (/ssl/cfg/sys/adm/snmp/users) where the manager supports them.
/ssl/cfg/sys/adm/snmp/users
SSL System Administrative SNMP Users Menu
To enter the /ssl/cfg/sys/adm/snmp/users menu level, you are prompted to create a userID if one does not already exist.
Enter user number or name: (1-1023) 1
Creating SNMP User 1
User name: Maint_Chief
Enter security level (none/auth/priv) [priv]: priv
Enter permission (list of get,set,trap): get
Enter auth password: <password>
Enter priv password: <password>
-----------------------------------------------------------
[SNMP User 1 Menu]
name       - Set user name
seclevel   - Set Security level
permission - Set Permission
authpasswd - Set Authentication Password
privpasswd - Set Encryption Password
del        - Remove SNMP User
Table 10-106 SSL Configuration System Administrative applications SNMP Users Menu Options
Command Syntax and Usage
name [<string>]
    Set the user name.
seclevel [none|auth|priv]
    Set the user Security level. With none, requests are neither authenticated nor encrypted; with auth, they are authenticated (MD5 or SHA, see Appendix B) but sent in the clear; with priv, they are authenticated and encrypted. Use priv.
permission [get|set|trap]
    Set user Permission. Grant set only to users that must change configuration.
authpasswd [<string>]
    Set the Authentication Password.
privpasswd [<string>]
    Set the Encryption Password.
del [<SNMP_user_ID>]
    Remove the SNMP User.
/ssl/cfg/sys/adm/snmp/target
SSL System Administrative SNMP Target Menu
To enter the /ssl/cfg/sys/adm/snmp/target menu level, you are prompted to create a target if one does not already exist.
SSL >> SNMP# target
Enter Notification Target number: (1-) 1
Creating Notification Target 1
Enter target ip: 0.0.0.0
Enter snmp version (v1/v2c/v3): v1
-----------------------------------------------------------
[Notification Target 1 Menu]
ip      - Set target IP address
port    - Set target port
version - Set SNMP version
del     - Remove Notification Target
Table 10-107 SSL Configuration System Administrative applications SNMP Target Menu Options
Command Syntax and Usage
ip [<IP_address>]
    Set the target IP address.
port [<port_number>]
    Set the UDP port on which the target receives notifications.
version [v1|v2c|v3]
    Set the SNMP version used for notifications sent to this target.
del
    Delete the SNMP target.
/ssl/cfg/sys/adm/audit
SSL System Administrative Audit Menu
[Audit Menu]
servers    - RADIUS Servers Menu
vendorid   - Set vendor id for audit attribute
vendortype - Set vendor type for audit attribute
ena        - Enable Audit
dis        - Disable Audit
Table 10-108 SSL Configuration System Administrative applications Audit Menu Options
Command Syntax and Usage
servers
    Go to the Servers menu. To view menu options, see page 638.
vendorid [<string>]
    Set the vendor ID.
vendortype [<integer>]
    Set the vendor type.
ena [<true|false>]
    Enable Audit.
dis [<true|false>]
    Disable Audit.
/ssl/cfg/sys/adm/audit/servers
SSL System Administrative Audit Servers Menu
[RADIUS Audit Servers Menu] list - List all values del - Delete a value by number add - Add a new value insert - Insert a new value move - Move a value by number
Table 10-109 SSL Configuration System Administrative applications Audit Servers Menu Options
Command Syntax and Usage
list
    List all of the Audit server settings.
del <Audit_server_name>
    Delete the Audit server.
add [<IP_address> <port> <secret>]
    Add an Audit server. The secret is the RADIUS shared secret; it is the only thing authenticating the accounting records to the server, so choose it as you would a password.
insert [<position> <IP_address> <port> <secret>]
    Insert an Audit server into the Audit server list at the given position.
move <from_position> <to_position>
    Move the Audit server from one position to another in the server list.
/ssl/cfg/sys/adm/http
SSL System Administrative HTTP Menu
[HTTP Menu]
port - Set HTTP Server port
ena  - Enable server
dis  - Disable server
Table 10-110 SSL Configuration System Administrative applications HTTP Menu Options
Command Syntax and Usage
port [<integer>]
    Set the HTTP server port.
ena [true|false]
    Enable the HTTP server.
dis [true|false]
    Disable the HTTP server.
/ssl/cfg/sys/adm/https
SSL System Administrative HTTPS Menu
[HTTPS Menu]
port - Set HTTPS Server port
ena  - Enable server
dis  - Disable server
Table 10-111 SSL Configuration System Administrative applications HTTPS Menu Options
Command Syntax and Usage port [<integer>] Set the HTTPS server port. ena [true|false] Enable the HTTPS server. dis [true|false] Disable the HTTPS server.
/ssl/cfg/sys/adm/sshkeys
SSL System Administrative SSH Host keys Menu
[SSH Host Keys Menu]
generate   - Generate new SSH host keys for the cluster
show       - Show current SSH host keys for the cluster
knownhosts - SSH known host keys menu
Table 10-112 SSL Configuration System Administrative applications SSH Host keys Menu Options
Command Syntax and Usage
generate [yes|no]
    Generate new SSH host keys for the server cluster. SSH clients that have cached the previous host key will refuse or warn on their next connection, so record the new fingerprint with show and distribute it to administrators before they reconnect.
show
    Show the SSH host keys for the server cluster.
knownhosts
    Go to the Known Host Keys menu. To view menu options, see page 640.
/ssl/cfg/sys/adm/sshkeys/knownhosts
SSL System Administrative SSH Known Host Menu
[SSH Known Host Keys Menu] list - List known SSH keys of remote hosts del - Delete known SSH host key by index add - Add a new SSH host key import - Retrieve SSH key from remote host
Table 10-113 SSL Configuration System Administrative applications Known SSH Host keys Menu Options
Command Syntax and Usage
list [yes|no]
    Display the known SSH keys of remote hosts.
del [<hostkey_name>]
    Delete a host key.
add
    Add a new SSH host key. Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
import [<hostname_or_IP_address>]
    Retrieve an SSH key from a remote host. The key is fetched over the network from whatever answers at that address, so compare its fingerprint with one obtained out of band (from the remote host's console or its administrator) before relying on it. A known-host entry imported from a spoofed host would let that host impersonate the real one to the iSD's outbound SSH-based transfers (SCP/SFTP).
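The out-of-band comparison that add and import call for needs the fingerprint of the key you are about to trust. The following Python script is an added example, not part of the Nortel documentation and not the iSD's own code. It assumes the pasted or retrieved key is an OpenSSH public key line ("<type> <base64 blob> [comment]"), checks that the declared key type matches the type embedded in the blob, and computes the SHA256 and MD5 fingerprints in the forms ssh-keygen prints, so they can be compared with the value the remote administrator provides. The sample key is constructed with a toy modulus and is not a usable RSA key.

```python
import base64
import hashlib
import struct
from typing import Tuple


def _read_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string (4-byte big-endian length, then bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_public_key(line: str) -> dict:
    """Parse an OpenSSH public key line '<type> <base64 blob> [comment]'.

    The key type declared in the first field must equal the type string embedded
    at the start of the blob; a mismatch means the line was edited or corrupted.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, encoded = parts[0], parts[1]
    try:
        blob = base64.b64decode(encoded, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    embedded, _ = _read_string(blob, 0)
    if embedded != declared.encode("ascii", "replace"):
        raise ValueError(f"declared type {declared!r} does not match embedded type {embedded!r}")
    return {"type": declared, "blob": blob, "comment": " ".join(parts[2:])}


def fingerprints(line: str) -> dict:
    """Return the key's fingerprints in the two forms OpenSSH prints them.

    SHA256: unpadded base64 of SHA-256 over the raw blob (ssh-keygen -l -E sha256).
    MD5:    colon-separated hex of MD5 over the raw blob (ssh-keygen -l -E md5).
    """
    key = parse_public_key(line)
    sha = base64.b64encode(hashlib.sha256(key["blob"]).digest()).decode("ascii").rstrip("=")
    md5 = hashlib.md5(key["blob"]).hexdigest()
    return {
        "type": key["type"],
        "sha256": "SHA256:" + sha,
        "md5": "MD5:" + ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),
    }


def matches_expected(line: str, expected: str) -> bool:
    """True if the key's SHA256 or MD5 fingerprint equals the value obtained out of band."""
    fps = fingerprints(line)
    return expected in (fps["sha256"], fps["md5"])


def build_sample_key(modulus: bytes = b"\x00\xc1\x8c\x0f\x23\x5a") -> str:
    """Constructed sample only: an ssh-rsa blob (string 'ssh-rsa', mpint e, mpint n)
    with a toy modulus so the example runs offline. It is not a usable RSA key."""
    def ssh_string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " isd-sample"


if __name__ == "__main__":
    line = build_sample_key()
    fp = fingerprints(line)
    print(fp["type"], fp["sha256"])
    print(fp["type"], fp["md5"])
    # Compare against the fingerprint the remote host's administrator gave you out of band.
    print("match:", matches_expected(line, fp["sha256"]))
```

Paste the key that import retrieved (or that you are about to add) into the script, and accept it into the known-host list only when matches_expected returns True for the fingerprint you received through a channel the network path cannot influence.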
/ssl/cfg/sys/user
SSL System User Access Control Menu
[User Menu]
passwd   - Change own password
expire   - Set password expire time interval
list     - List all users
del      - Delete a user
add      - Add a new user
edit     - Edit a user menu
caphrase - Certadmin export passphrase
/ssl/cfg/sys/user/edit
SSL System User Edit Menu
[User User_1 Menu] groups - Groups menu cur - Display current setting
/ssl/cfg/sys/user/edit/groups
SSL System User Edit Groups Menu
[Groups Menu]
list - List all values
del  - Delete a value by number
add  - Add a new value
Table 10-116 SSL Configuration System User Edit Groups Menu Options
Command Syntax and Usage list List all of the user groups information. del [<user_group_name>] Delete a user group. add [<string, user_group_name>] Add a user group.
/ssl/cfg/lang
SSL Language Support Menu
[Language Support Menu] import - Import language definition file export - Export language definition template list - List the loaded languages vlist - List ISO 639 language codes del - Delete (custom) language definition
/ssl/boot
SSL Boot Menu
[Boot Menu]
software - Software management menu
halt     - Halt the iSD
reboot   - Reboot the iSD
delete   - Delete the iSD
NOTE Note: If you receive a warning that the iSD you are trying to delete has no contact with any (other) master iSD in the cluster, connect to the MIP address by Telnet or SSH and delete the iSD from the cluster by using the delete command in the iSD Host menu (/cfg/sys/cluster/host #).
The /boot/delete command is primarily intended for situations when you want to delete an iSD host that has either become isolated from the cluster, or has been physically removed from the cluster without first performing the delete command from the iSD Host menu. Under these circumstances, you must use the /boot/delete command to present the Setup menu, from which you can perform the new and join commands.
/ssl/boot/software
SSL Boot Software Management Menu
[Software Management Menu] cur - Display current software status activate - Select software version to run download - Download new software pkg. via TFTP/FTP/SCP/SFTP del - Remove unpacked/old releases
/ssl/maint
SSL Maintenance Menu
[Maintenance Menu] hsm - HSM menu dumplogs - Tech suppt dump log files to TFTP/FTP/SFTP server dumpstat - Tech suppt dump curr. status to TFTP/FTP/SFTP server chkcfg - Check applied configuration starttrace - Start Trace stoptrace - Stop Trace
/ssl/maint/hsm
SSL Maintenance HSM Menu
The /ssl/maint/hsm menu is only available to HSM enabled iSDs.
[HSM Menu] login - Login to HSM cards on local iSD splitkey - Split a wrap key onto CODE iKeys changepass - Change iKey password
APPENDIX A
Syslog Messages
The following syntax is used when outputting syslog messages:

<Time stamp><Log Label>Web OS<Thread ID>:<Message>

where

<Time stamp>  The time of the message event is displayed in month day hour:minute:second format. For example: Aug 19 14:20:30
<Log Label>   The following types of log messages are recorded: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG
<Thread ID>   This is the software thread that reports the log message. The following thread IDs are recorded: stp, ip, slb, console, telnet, vrrp, system, web server, ssh, and bgp
<Message>     The log message

Following is a list of potential syslog messages. To keep this list as short as possible, only <Thread ID> and <Message> are shown. The messages are sorted by <Log Label>. Where the <Thread ID> is listed as mgmt, one of the following may be shown: console, telnet, web server, or ssh.
LOG_WARNING
FILTER: filter <filter number> fired on port <port number>, <source IP address> -> <destination IP address>, [<ICMP type>], [<IP protocol>], [<layer-4 ports>], [<TCP flags>]
ntp: cannot contact primary NTP server <ip_address>
ntp: cannot contact secondary NTP server <ip_address>
320506-C Rev. 02, Feb 2007
LOG_ALERT
stp:     own BPDU received from port <port_id>
IP:      cannot contact default gateway <ip_address>
vrrp:    received errored advertisement from <ip_address>
vrrp:    received incorrect password from <ip_address>
vrrp:    received incorrect addresses from <ip_address>
vrrp:    received incorrect advertisement interval <seconds> from <ip_address>
slb:     cannot contact real server <ip_address>
slb:     real server <ip_address> has reached maximum connections
gslb:    received update from <ip_address> for unknown remote server <ip_address>
gslb:    received update from <ip_address> for unknown virtual service
gslb:    received update for unknown remote server <ip_address> from <ip_address>
gslb:    received update for unknown service <ip_address:service>
slb:     cannot contact real service <ip_address:real_port>
slb:     real server failure threshold (<threshold>) has been reach for group <group_id>
slb:     real server <ip_address> disabled through configuration
slb:     Virtual Service Pool full. gSvcPool=MAX_SERVICES
bgp:     notification (<reason>) received from <BGP peer ip_address>
bgp:     session with <BGP peer ip_address> failed (<reason>)
vrrp:    Synchronization from non-configured peer <ip_address>
vrrp:    Synchronization from non-configured peer <ip_address> was blocked
dps:     hold down triggered: <ip_address> for <min> minutes
dps:     manual hold down: <ip_address>
syn_atk: SYN attack detected: <count> new half-open sessions per second
tcplim:  hold down triggered: <ip_address> for <min> minutes
LOG_CRIT
SYSTEM: temperature at sensor <sensor_id> exceeded threshold
SYSTEM: internal power supply failed
SYSTEM: redundant power supply failed
SYSTEM: fan failure detected
SSH:    can't allocate memory in load_MP_INT
LOG_ERR
mgmt: PANIC at <file>:<line> in thread <thread id>
mgmt: VERIFY at <file>:<line> in thread <thread id>
mgmt: ASSERT at <file>:<line> in thread <thread id>
ntp:  unable to listen to NTP port
isd:  unable to listen to BOOTP_SERVER_PORT port
stp:  Error: Error writing STG config to FLASH
stp:  Error: Error writing config to FLASH
mgmt: Apply not done
mgmt: Save not done
mgmt: <apply|save> is issued by another user. Try later
cli:  Error: Error writing %s config to FLASH
cli:  New Path Cost for Port <port_id> is invalid
cli:  PVID <vlan_id> for port <port_id> is not created
cli:  RADIUS secret must be 1-32 characters long
cli:  Please configure primary RADIUS server address
cli:  STP changes can't be applied since STP is OFF
cli:  Switch reset is required to turn STP on/off
cli:  Trunk group <trunk_id> contains ports with different PVIDs
cli:  Trunk group <trunk_id> has more than <max_trunk_ports> ports
cli:  Trunk group <trunk_id> contains no ports but is enabled
cli:  Not all ports in trunk group <trunk_id> are in VLAN <vlan_id>
cli:  Trunk groups <trunk_id> and <trunk_id> can not share the same port
port_mirr: Port Mirroring changes are not applied
cli:  Broadcast address for IP interface <interface_id> is invalid
cli:  IP Interfaces <interface_id> and <interface_id> are on the same subnet
cli:  Multiple static routes have same destination
cli:  Virtual router <vr_id> must have sharing disabled when hotstandby is enabled
cli:  Virtual router group must be enabled when hotstandby is enabled
cli:  At least one virtual router must be enabled when group is enabled
cli:  Virtual router group must have sharing disabled when hotstandby is enabled
cli:  Virtual router group must have preemption enabled when hotstandby is enabled
cli:  Virtual router <vr_id> must have an IP address
cli:  Virtual router <vr_id> cannot have same VRID and VLAN as <vlan_id>
cli:  Virtual router <vr_id> cannot have same IP address as <ip_address>
cli:  Virtual router <vr_id> corresponding virtual server <server_id> is not enabled
cli:  Hot-standby must be enabled when a virtual router has a PIP address
cli:  Virtual router <vr_id> IP interface should be <interface_id>
cli:  Enabled real server <server_id> has no IP address
cli:  Real server <server_id> has same IP address as IP interface <interface_id>
cli:  Real server <server_id> has same IP address as switch
cli:  Real server <server_id> (Backup for <server_id>) is not enabled
cli:  Real server <server_id> has same IP address as virtual server <server_id>
cli:  Real server <server_id> has same IP address as real server <server_id>
cli:  Real server group <group_id> cannot backup itself
cli:  Real server <server_id> cannot be added to same group
cli:  Enabled virtual server <server_id> has no IP address
cli:  Virtual server <server_id> has same IP address as IP interface <interface_id>
cli:  Virtual server <server_id> has same IP address as switch
cli:  Virtual servers <server_id> and <server_id> with same IP address must support same layr3 configuration
cli:  Real server <server_id> cannot be backup server for both real server <server_id> and group <group_id>
cli:  Virtual server <server_id> has same IP address and vport as virtual server <server_id>
cli:  RS <server_id> can't exist for VS <server_id> vport <virtual_port>
cli:  Switch port <port_id> has same proxy IP address as port <port_id>
cli:  Switch port <port_id> has same IP address as IP interface <interface_id>
cli:  A hot-standby port cannot also be an inter-switch port
cli:  There must be at least one inter-switch port if any hot-standby port exist
cli:  With VMA, ports 1-8 must all have a PIP if any one does
cli:  Client bindings are not supported with proxy IP addresses
cli:  DAM must be turned on or a PIP must be enabled for port <port_id> in order for virtual server to support FTP parsing
cli:  Real server <server_id> and group %u cannot both have backups configured
cli:  Virtual server <server_id> : port mapping but layer3 bindings
cli:  Extracting length has to set to 8 or 16 for cookie rewrite mode
cli:  DAM must be turned on or a PIP must be enabled for port <port_id> in order for virtural server <server_id> to support URL parsing
cli:  Port filtering must be disabled on port <port_id> in order to support cookie based persistence for virtual server <server_id>
cli:  Virtual server <server_id>: port mapping but Direct Access Mode
cli:  Virtual server %lu: support nonat IP but not layer 3 bindings
cli:  Virtual servers: all that support IP must use same group
cli:  Virtual servers <server_id> and <server_id> that include the same real server <server_id> cannot map the same real port or balance UDP
cli:  Virtual server <server_id>: UDP service <virtual_port> with out-of-range port number
cli:  Switch cannot support more than <MAX_VIRT_SERVICES> virtual services
cli:  Switch cannot support more than <MAX_SMT> real services
cli:  Trunk group (<trunk_id>) ports must have same L4 config
cli:  Trunk group (<trunk_id>) ports must all have a PIP
cli:  DAM must be turned on or a PIP must be enabled for ports <port_id> in order to do URL based redirection
cli:  Two services have same hostname, <host_name>.<domain_name>
cli:  Direct access mode is not supported with default gateway load balancing
cli:  SLB Radius secret must be 16 characters long
cli:  Dynamic NAT filter <filter_id> must be cached
cli:  NAT filter <filter_id> must have same smask and dmask
cli:  NAT filter <filter_id> cannot have port ranges
cli:  NAT filter <filter_id> must be cached
cli:  NAT filter <filter_id> dest range includes VIP <server_id>
cli:  NAT filter <filter_id> dest range includes RIP <server_id>
cli:  Redirection filter <filter_id> must be cached
cli:  Filter with L4 ports configured <port_id> must have IP protocol configured
cli:  For Global SLB, Web server must be moved from TCP port 80
cli:  Remote site <site_id> does not have a primary IP address
cli:  Primary and secondary remote site <site_id> switches must differ
cli:  Remote sites <site_id> and <site_id> must use different addresses
cli:  Remote site <site_id> and real server <server_id> must use different addresses
cli:  Remote site <site_id> and virtual server <server_id> must use different addresses
cli:  Only <MAX_SLB_SITES> remote servers are allowed per group
cli:  Only <MAX_SLB_SERVICES> remote services are supported
cli:  Enabled external lookup IP address has no IP address
cli:  domain name must be configured
cli:  Network <static_network_id> has no VIP address
cli:  duplicate default entry
cli:  BGP peer <bgp_peer_id> must have an IP address
cli:  BGP peers <bgp_peer_id> and <bgp_peer_id> have same address
cli:  BGP peer <bgp_peer_id> have same address as IP interface <ip_interface_id>
cli:  BGP peer <bgp_peer_id> IP interface <ip_interface_id> is not enabled
cli:  Filter with ICMP types configured (<icmp_type>) must have IP protocol configure to ICMP
cli:  Two services have same hostname, <host_name>.<domain_name>
cli:  Loadbalance string must be added to real server <server_id> in order to enable exclusionary string matching
cli:  intrval input value must be in the range [0-24]
mgmt: unapplied changes reverted
mgmt: unsaved changes reverted
mgmt: Attempting to redirect a previously redirected output
vrrp: Attempting to redirect a previously redirected output
vrrp: cfg_sync_tx_putsn: ABORTED
vrrp: Synchronization TX Error
vrrp: Synchronization TX connection RESET
vrrp: Synchronization TX connection TIMEOUT
vrrp: Synchronization TX connection UNREACEABLE
vrrp: Synchronization TX connection UNKNOWN CLOSE
vrrp: Synchronization RX connection RESET
vrrp: Synchronization RX connection TIMEOUT
vrrp: Synchronization RX connection UNREACEABLE
vrrp: Synchronization RX connection UNKNOWN CLOSE
vrrp: Synchronization connection RCLOSE by peer
vrrp: Synchronization connection RCLOSE before RX
vrrp: Synchronization connection early RCLOSE in RX
vrrp: Synchronization connection Wait-For-Close Timeout
vrrp: Synchronization connection Transmit Timeout
vrrp: Synchronization Receive Timeout
vrrp: Synchronization Receive UNKNOWN Timeout
vrrp: Sync transmit in progress cannot start Sync
vrrp: Sync receive in progress cannot start Sync
vrrp: Sync already in progress cannot start Sync
vrrp: Config Sync route find error
vrrp: Config Sync tcp_open error
vrrp: Config Synchronization Timeout - Resuming Console thread
vrrp: <"apply"|"save"> is issued by another user. Try later
vrrp: new configuration did not validate (rc = )
vrrp: new configuration did not apply (rc = )
vrrp: new configuration did not save (rc = )
vrrp: Sync config apply error
vrrp: Restoring Current Config
vrrp: Sync rx tcp open error
vrrp: Sync Version/Password Failed-No Version/Password Line
vrrp: Sync Version Failed - peer:%s config:%s
vrrp: Sync Password Failed-Bad Password
vrrp: Sync receive already in progress cannot start Sync receive
vrrp: Sync transmit in progress cannot start Sync receive
LOG_NOTICE
system: internal power supply ok
system: redundant power supply present and ok
system: temperature ok
system: fan ok
system: rebooted <last_reset_information>
system: rebooted <last_reset_information>
mgmt:   administrator logged in
mgmt:   boot config block changed
mgmt:   boot image changed
mgmt:   switch reset from CLI
mgmt:   syslog host changed to <ip_address>
mgmt:   syslog host changed to this host
mgmt:   second syslog host changed to <ip_address>
mgmt:   second syslog host changed to this host
mgmt:   Next boot will use active config block
mgmt:   user password changed
mgmt:   SLB operator password changed
mgmt:   L4 operator password changed
mgmt:   operator password changed
mgmt:   SLB administrator password changed
mgmt:   L4 administrator password changed
mgmt:   administrator password changed
ssh:    scp <login_level> login
ssh:    scp <login_level> <"connection closed"|"idle timeout"|"logout">
mgmt:   RADIUS server timeouts
mgmt:   Failed login attempt via TELNET from host %s
mgmt:   PASSWORD FIX-UP MODE IN USE
mgmt:   <login_level> login on Console
mgmt:      <login_level> <"idle timeout"|"logout"> from Console
mgmt:      PANIC command from CLI
port_mirr: port mirroring is <"enabled"|"disabled">
vlan:      Default VLAN can not be deleted
mgmt:      <login_level> login from host <ip_address>
mgmt:      <login_level> <"connection closed"|"idle timeout"|"logout"> from
IP:        default gateway <ip_address> <"enabled"|"disabled">
IP:        default gateway <ip_address> operational
vrrp:      virtual router <ip_address> is now master
vrrp:      virtual router <ip_address> is now backup
slb:       backup server <ip_address> <"enabled"|"disabled"> for real server <server_id>
slb:       backup server <ip_address> <"enabled"|"disabled"> for real server group <group_id>
slb:       backup group server <ip_address> <"enabled"|"disabled"> for real server group <group_id>
slb:       overflow server <ip_address> <"enabled"|"disabled"> for real server <server_id>
slb:       overflow server <ip_address> <"enabled"|"disabled"> for real server group <group_id>
slb:       overflow group server <ip_address> <"enabled"|"disabled"> for real server group <group_id>
slb:       real server <ip_address> operational
slb:       real service <ip_address:real_port> operational
slb:       No services are available for Virtual Server <virtual_server>
slb:       Services are available for Virtual Server <virtual_server>
bgp:       session established with <BGP_peer_ip_address>
LOG_INFO
SYSTEM: bootp response from <ip_address>
mgmt:   new configuration applied
mgmt:   new configuration saved
mgmt:   unsaved changes reverted
mgmt:   Could not revert unsaved changes
mgmt:   <image1|image2> downloaded from host <ip_address>, file <file_name> <software_version>
mgmt:   serial EEPROM downloaded from host <ip_address> file <file_name>
ssh:    scp <login_level> login
ssh:    scp <login_level> <"connection closed"|"idle timeout"|"logout">
mgmt:   <login_level> login on Console
mgmt:   <login_level> <"idle timeout"|"logout"> from Console
mgmt:   <login_level> login from host <ip_address>
mgmt:   <login_level> <"connection closed"|"idle timeout"|"logout"> from Telnet/SSH.
ssh:    server key autogen starts
ssh:    server key autogen completes
ssh:    server key autogen timer timeouts
vrrp:   new synch configuration applied
vrrp:   new synch configuration saved
vrrp:   Synchronizing from <host_name>
vrrp:   Synchronizing to <host_name>
vrrp:   Config Synchronization Transmit Successful
vrrp:   Config Synchronization Receive Successful
vrrp:   new configuration VALIDATED
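The catalogue above is mostly useful as detection input: a handful of these messages (VRRP authentication failures, synchronization attempts from unconfigured peers, SYN-attack and hold-down events, failed Telnet logins, password changes, and changes to the syslog destination) are the ones a security operator wants alerted on rather than merely stored. The following Python script is an added example, not part of the Nortel documentation and not the switch's own code. It parses lines in the <Time stamp><Log Label>Web OS<Thread ID>:<Message> syntax described at the start of this appendix, applies rules built from the message texts listed here, and returns a finding per matching line. Single-space separators between the four fields and the sample log lines are this example's own assumptions; the appendix gives the field order but not the separators.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Syntax given in Appendix A: <Time stamp><Log Label>Web OS<Thread ID>:<Message>.
# Single-space field separators are an assumption of this example; the appendix
# does not show them. A thread ID may contain a space ("web server").
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<label>LOG_[A-Z]+) Web OS (?P<thread>[A-Za-z_ ]+?):\s*(?P<msg>.*)$"
)


@dataclass
class Event:
    ts: str
    label: str
    thread: str
    msg: str


@dataclass
class Finding:
    category: str
    thread: str
    detail: str
    ts: str


# (thread ID or None for any thread, message pattern, category).
# Message texts are the ones listed in this appendix; the category names are
# this example's own. Messages listed under "mgmt" arrive with the thread shown
# as console, telnet, web server or ssh, so those rules accept any thread.
RULES = [
    ("vrrp", r"^received incorrect password from (?P<ip>\S+)", "vrrp_auth_failure"),
    ("vrrp", r"^received errored advertisement from (?P<ip>\S+)", "vrrp_bad_advertisement"),
    ("vrrp", r"^Synchronization from non-configured peer (?P<ip>\S+)", "sync_from_unknown_peer"),
    ("syn_atk", r"^SYN attack detected: (?P<rate>\d+) new half-open sessions per second", "syn_flood"),
    ("tcplim", r"^hold down triggered: (?P<ip>\S+) for (?P<min>\d+) minutes", "tcp_rate_hold_down"),
    ("dps", r"^hold down triggered: (?P<ip>\S+) for (?P<min>\d+) minutes", "dps_hold_down"),
    (None, r"^Failed login attempt via TELNET from host (?P<host>\S+)", "failed_login"),
    (None, r"^PASSWORD FIX-UP MODE IN USE", "password_recovery_mode"),
    (None, r"password changed$", "password_changed"),
    (None, r"^(?:second )?syslog host changed to", "log_destination_changed"),
    (None, r"^boot image changed", "boot_image_changed"),
    (None, r"^(?P<level>\S+) login from host (?P<ip>\S+)", "remote_login"),
]
COMPILED = [(thread, re.compile(pattern), category) for thread, pattern, category in RULES]


def parse_line(line: str) -> Optional[Event]:
    """Split one syslog line into the four documented fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Event(m["ts"], m["label"], m["thread"], m["msg"])


def classify(ev: Event) -> Optional[Finding]:
    """Return a Finding for the first rule the event matches, else None."""
    for thread, pattern, category in COMPILED:
        if thread is not None and ev.thread != thread:
            continue
        m = pattern.search(ev.msg)
        if m is None:
            continue
        fields = ", ".join(f"{k}={v}" for k, v in m.groupdict().items() if v is not None)
        return Finding(category, ev.thread, fields or ev.msg, ev.ts)
    return None


def scan(lines) -> List[Finding]:
    """Run the rules over an iterable of raw lines; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        f = classify(ev)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample input (not captured from a device); addresses are from documentation ranges.
SAMPLE_LOG = [
    "Aug 19 14:20:30 LOG_ALERT Web OS vrrp: received incorrect password from 10.1.1.7",
    "Aug 19 14:20:31 LOG_NOTICE Web OS slb: real server 10.1.2.10 operational",
    "Aug 19 14:21:02 LOG_ALERT Web OS syn_atk: SYN attack detected: 1500 new half-open sessions per second",
    "Aug 19 14:21:05 LOG_ALERT Web OS tcplim: hold down triggered: 203.0.113.9 for 5 minutes",
    "Aug 19 14:22:10 LOG_NOTICE Web OS telnet: Failed login attempt via TELNET from host 203.0.113.9",
    "Aug 19 14:22:40 LOG_NOTICE Web OS ssh: administrator login from host 192.0.2.5",
    "Aug 19 14:23:00 LOG_NOTICE Web OS ssh: administrator password changed",
    "Aug 19 14:23:15 LOG_NOTICE Web OS console: syslog host changed to 192.0.2.200",
    "Aug 19 14:23:30 LOG_INFO Web OS vrrp: Config Synchronization Receive Successful",
    "this line is not in the documented format and is skipped",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts}  {f.category:<24} {f.thread:<8} {f.detail}")
```

The rules are keyed on thread ID as well as message text where the appendix ties a message to a specific thread (for example "hold down triggered" is reported by both dps and tcplim and means different things), and a "syslog host changed" event is flagged because an attacker who has reached the CLI can silence this very log stream by redirecting it.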
APPENDIX B
SNMP Agent
The Nortel Application Switch Operating System SNMP agent supports SNMP Version 1, Version 2, and Version 3. Version 3 supports two authentication protocols: MD5 and SHA; prefer SHA where the manager supports it. Nortel MIBs are registered as Vendor 1872.

Detailed SNMP MIBs and trap definitions of the Nortel Application Switch Operating System SNMP agent can be found in the following enterprise MIB documents:
altroot.mib
aosSwitch.mib
aosPhysical.mib
aosNetwork.mib
aosLayer4.mib
aosLayer7.mib
aosBwm.mib
aosTrap.mib

In addition, the following SynOptics MIBs are also supported:
synro193.mib -- SynOptics Root MIB
s5roo117.mib -- SynOptics Registration MIB
s5tcs112.mib -- Textual Convention MIB
s5emt104.mib -- Ethernet Multi segment Autotopology MIB

SNMPv1|v2|v3 traps can be sent to the hosts configured in the targetAddr table. Up to 16 IP addresses can be configured in the targetAddr table.

The Nortel Application Switch Operating System SNMP agent supports the following standard MIBs:
RFC 1213 - MIB II (System, Interface, Address Translation, IP, ICMP, TCP, UDP, SNMP Groups)
RFC 1573 - MIB II Extension (IFX table)
RFC 1643 - EtherLike MIB
RFC 1493 - Bridge MIB
RFC 1757 - RMON MIB (Statistics, History, Alarm, Event Groups) RFC 1850 for OSPF RFC 1657 for BGP IEEE 802.3ad MIB for LACP The following SNMPv3 MIBs are supported: RFC 2571 - SNMP Frame work RFC 2572 - MPD MIB RFC 2573 - Target MIB RFC 2574 - USM MIB RFC 2575 - VACM MIB RFC 2576 - Community MIB Nortel Application Switch Operating System SNMP agent supports the following generic traps as defined in RFC 1215: ColdStart WarmStart LinkDown LinkUp AuthenticationFailure The SNMP agent also supports two Spanning Tree traps as defined in RFC 1493: NewRoot TopologyChange The following are the enterprise SNMP traps supported in Nortel Application Switch Operating System: Table 10-122 Nortel Application Switch Operating System-Supported Enterprise SNMP Traps
Trap Name -- Description
[trap name missing] -- Signifies that the default gateway is alive.
[trap name missing] -- Signifies that the default gateway is down.
[trap name missing] -- Signifies that the default gateway is up and in service.
[trap name missing] -- Signifies that the default gateway is alive but not in service.
altSwSlbRealServerUp -- Signifies that the real server is up and operational.
altSwSlbRealServerDown -- Signifies that the real server is down and out of service.
altSwSlbRealServerMaxConnReached -- Signifies that the real server has reached its maximum number of connections.
altSwSlbBkupRealServerAct -- Signifies that the backup real server is activated due to availability of the primary real server.
altSwSlbBkupRealServerDeact -- Signifies that the backup real server is deactivated because the primary real server is available.
altSwSlbBkupRealServerActOverflow -- Signifies that the backup real server is deactivated because the primary real server has overflowed.
altSwSlbBkupRealServerDeactOverflow -- Signifies that the backup real server is deactivated because the primary real server is out of the overflow situation.
altSwfltFilterFired -- Signifies that a packet received on a switch port matches the filter rule.
altSwSlbRealServerServiceUp -- Signifies that the service port of the real server is up and operational.
altSwSlbRealServerServiceDown -- Signifies that the service port of the real server is down and out of service.
altSwVrrpNewMaster -- The newMaster trap indicates that the sending agent has transitioned to 'Master' state.
altSwVrrpNewBackup -- The newBackup trap indicates that the sending agent has transitioned to 'Backup' state.
altSwVrrpAuthFailure -- A vrrpAuthFailure trap signifies that a packet has been received from a router whose authentication key or authentication type conflicts with this router's authentication key or authentication type. Implementation of this trap is optional.
altSwLoginFailure -- An altSwLoginFailure trap signifies that someone failed to enter a valid username/password combination.
altSwSlbSynAttack -- [description missing]
altSwTcpHoldDown -- An altSwTcpHoldDown trap signifies that new TCP connection requests from a particular client will be blocked for a predetermined amount of time, because the rate of new TCP connections from that client has reached a predetermined threshold.
altSwTempExceedThreshold -- An altSwTempExceedThreshold trap signifies that the switch temperature has exceeded maximum safety limits.
altSwSlbSessAttack -- An altSwSlbSessAttack trap signifies that an SLB attack has been detected.
altSwFanFailure -- An altSwFanFailure trap signifies that a fan failure has occurred.
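The traps in the table are what a management station actually receives from the switch. The script below is an added example, not Nortel documentation or code: it shows how a trap receiver could sort these traps into the categories the table implies (security, hardware, availability) and flag repeated altSwLoginFailure traps from one agent within a short window, the event in that table a defender most wants to notice. The line format it parses, "<ISO time> agent=<ip> trap=<name>", is constructed for this example (an assumption; a real trap daemon such as snmptrapd writes its own format, so adapt parse_line to it), and the threshold and window are illustrative.

```python
"""Triage of the enterprise traps in Table 10-122 as a trap receiver sees them.

Added example, not Nortel code. The receiver line format is constructed
(assumption); the sample lines are not real captures."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SECURITY_TRAPS = {"altSwLoginFailure", "altSwVrrpAuthFailure", "altSwSlbSynAttack",
                  "altSwSlbSessAttack", "altSwTcpHoldDown", "altSwfltFilterFired"}
HARDWARE_TRAPS = {"altSwTempExceedThreshold", "altSwFanFailure"}
AVAILABILITY_TRAPS = {"altSwSlbRealServerUp", "altSwSlbRealServerDown",
                      "altSwSlbRealServerMaxConnReached", "altSwSlbBkupRealServerAct",
                      "altSwSlbBkupRealServerDeact", "altSwSlbBkupRealServerActOverflow",
                      "altSwSlbBkupRealServerDeactOverflow", "altSwSlbRealServerServiceUp",
                      "altSwSlbRealServerServiceDown", "altSwVrrpNewMaster",
                      "altSwVrrpNewBackup"}


def classify(trap: str) -> str:
    """Map a trap name from Table 10-122 to a triage category."""
    if trap in SECURITY_TRAPS:
        return "security"
    if trap in HARDWARE_TRAPS:
        return "hardware"
    if trap in AVAILABILITY_TRAPS:
        return "availability"
    return "other"


def parse_line(line: str):
    """Split a constructed receiver line into (timestamp, agent IP, trap name)."""
    ts, agent, trap = line.split()
    return datetime.fromisoformat(ts), agent.split("=", 1)[1], trap.split("=", 1)[1]


class LoginFailureDetector:
    """Sliding-window count of altSwLoginFailure traps per sending agent."""

    def __init__(self, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)   # agent IP -> timestamps in window

    def observe(self, ts: datetime, agent: str, trap: str):
        """Return an alert string once the threshold is reached, else None."""
        if trap != "altSwLoginFailure":
            return None
        q = self.events[agent]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop events older than the window
            q.popleft()
        if len(q) >= self.threshold:
            return f"{agent}: {len(q)} login failures within {self.window}"
        return None


# Constructed sample receiver lines (not real captures).
SAMPLE_LOG = """
2007-02-01T10:00:00 agent=10.0.0.5 trap=altSwSlbRealServerDown
2007-02-01T10:00:30 agent=10.0.0.5 trap=altSwLoginFailure
2007-02-01T10:01:00 agent=10.0.0.5 trap=altSwLoginFailure
2007-02-01T10:01:10 agent=10.0.0.5 trap=altSwLoginFailure
2007-02-01T10:02:00 agent=10.0.0.6 trap=altSwLoginFailure
2007-02-01T10:03:00 agent=10.0.0.5 trap=altSwFanFailure
2007-02-01T10:20:00 agent=10.0.0.5 trap=altSwLoginFailure
""".strip().splitlines()


def triage(lines, threshold: int = 3, window: timedelta = timedelta(minutes=5)):
    """Return ({category: count}, [alerts]) for a batch of receiver lines."""
    detector = LoginFailureDetector(threshold, window)
    counts = defaultdict(int)
    alerts = []
    for line in lines:
        ts, agent, trap = parse_line(line)
        counts[classify(trap)] += 1
        alert = detector.observe(ts, agent, trap)
        if alert:
            alerts.append(alert)
    return dict(counts), alerts


if __name__ == "__main__":
    summary, alerts = triage(SAMPLE_LOG)
    print(summary)
    for a in alerts:
        print("ALERT", a)
```

In the sample the fourth line from agent 10.0.0.5 triggers the alert; the failure at 10:20 does not, because the earlier three have aged out of the five-minute window. altSwTcpHoldDown, altSwSlbSynAttack and altSwSlbSessAttack are already rate-based decisions made by the switch, so they are reported as-is rather than re-thresholded.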
APPENDIX C
3. Power on the switch.

4. Hold the <Shift> key down and hit D repeatedly until the following message appears:

Nortel Application Switch - PPCBoot 2.2. To download a serial image use 1K Xmodem at 115200

5. Reconfigure your terminal emulation software with the following parameters (only after you see the message displayed in step 4):

Parameter -- Value
Baud Rate -- 115200
Data Bits -- 8
Parity -- None
Stop Bits -- 1
Flow Control -- None

NOTE: You can perform serial downloads at 57600 baud by pressing Shift f, or at 115200 baud by pressing Shift d.

6. Press <Enter> on the keyboard of the PC that is connected to the console port of the switch. When the console port is successfully communicating with the PC, you will see: CCCC... Make sure that the new binary firmware file is available on the computer. This file can be downloaded from the CD that is shipped with the switch.

7. Select <Transfer-Send File> and choose the following:
file: For example, "21.0.0.0_Serial.img" (or the file previously downloaded to the computer)
protocol: 1K XMODEM
It will take about 15 minutes for the transfer to complete.

NOTE: Although slower, XMODEM will work too if you choose not to use 1K XMODEM.

8. Power off the switch, wait for a few seconds, and power the switch on.

CAUTION: Do not power off the switch until you see the message "Change your baud rate to 9600 bps and power cycle switch"; otherwise, the switch will be inoperable.

9. The switch will boot with the new software load. You should see the following sample log on your screen:

Nortel Application Switch - PPCBoot 2.2. To download a serial image use 1K Xmodem at 115200
CCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Total bytes transferred: 0x4ff400
Extracting images...
Do *NOT* power cycle the switch
Updating flash...
#################################################################
Change your baudrate to 9600 bps and power cycle the switch
Glossary
DIP (Destination IP Address): The destination IP address of a frame.

Dport (Destination Port)

NAT (Network Address Translation): Any time an IP address is changed from one source IP or destination IP address to another address, network address translation can be said to have taken place. In general, half NAT is when either the destination IP or the source IP address is changed from one address to another. Full NAT is when both addresses are changed from one address to another. No NAT is when neither the source nor the destination IP address is translated. Virtual server-based load balancing uses half NAT by design, because it translates the destination IP address from the Virtual Server IP address to that of one of the real servers.

Preemption: In VRRP, preemption causes a Virtual Router that has a lower priority to go into backup should a peer Virtual Router start advertising with a higher priority.

Priority: In VRRP, the value given to a Virtual Router to determine its ranking among its peer(s). The minimum value is 1 and the maximum value is 254. The default is 100. A higher number wins the master designation.

Proto (Protocol): The protocol of a frame. Can be any value represented by the 8-bit protocol field in the IP header according to the IP specification (for example, TCP, UDP, OSPF, ICMP, and so on).

Real Server Group: A group of real servers that are associated with a Virtual Server IP address or a filter.
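The half NAT, full NAT and no NAT cases in the NAT entry can be made concrete on an actual packet. The Python below is an added example, not Nortel code: it builds an IPv4/TCP request from a client to a VIP, rewrites only the destination (half NAT, what virtual server-based load balancing does) or both addresses (full NAT), and recomputes the IP header checksum and the TCP checksum, whose pseudo header also covers the addresses. The VIP, RIP, switch and client addresses are constructed values.

```python
"""Half NAT versus full NAT on an IPv4/TCP frame, as described in the
glossary entries for NAT and virtual server-based load balancing.

Added example, not Nortel code. All addresses below are constructed
(assumption); checksum handling follows RFC 791 and RFC 793."""
import ipaddress
import struct

VIP = "192.0.2.10"        # constructed: Virtual Server IP the switch owns
RIP = "10.0.0.21"         # constructed: a real server in the VIP's group
SWITCH_IP = "10.0.0.1"    # constructed: source address used for full NAT
CLIENT = "198.51.100.7"   # constructed: client sending the request


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _packed(ip: str) -> bytes:
    return ipaddress.ip_address(ip).packed


def build_packet(sip: str, dip: str, sport: int, dport: int,
                 payload: bytes = b"GET / HTTP/1.0\r\n\r\n") -> bytes:
    """Minimal IPv4 header + TCP segment with valid IP and TCP checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    pseudo = struct.pack("!4s4sBBH", _packed(sip), _packed(dip), 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     64, 6, 0, _packed(sip), _packed(dip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def addresses(pkt: bytes) -> tuple:
    """(source IP, destination IP) of an IPv4 packet."""
    return (str(ipaddress.ip_address(pkt[12:16])),
            str(ipaddress.ip_address(pkt[16:20])))


def checksums_valid(pkt: bytes) -> bool:
    """A header that includes its own checksum field sums to zero when correct."""
    ihl = (pkt[0] & 0x0F) * 4
    if checksum(pkt[:ihl]) != 0:
        return False
    tcp = pkt[ihl:]
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, 6, len(tcp))
    return checksum(pseudo + tcp) == 0


def translate(pkt: bytes, new_sip: str = None, new_dip: str = None) -> bytes:
    """Rewrite SIP and/or DIP and recompute the IP and TCP checksums.

    DIP only is half NAT, both addresses is full NAT, neither is no NAT."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    if new_sip:
        ip[12:16] = _packed(new_sip)
    if new_dip:
        ip[16:20] = _packed(new_dip)
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(bytes(ip)))
    # The TCP checksum covers a pseudo header with both IPs, so it must be
    # recomputed even though the TCP header and payload are untouched.
    tcp[16:18] = b"\x00\x00"
    pseudo = struct.pack("!4s4sBBH", bytes(ip[12:16]), bytes(ip[16:20]),
                         0, 6, len(tcp))
    tcp[16:18] = struct.pack("!H", checksum(pseudo + bytes(tcp)))
    return bytes(ip + tcp)


def half_nat(pkt: bytes, rip: str = RIP) -> bytes:
    return translate(pkt, new_dip=rip)


def full_nat(pkt: bytes, sip: str = SWITCH_IP, rip: str = RIP) -> bytes:
    return translate(pkt, new_sip=sip, new_dip=rip)


def server_accepts(pkt: bytes, server_ip: str) -> bool:
    """The glossary's drop case: a host discards an IP packet whose DIP is
    not one of its own addresses, even if the frame carried its MAC address."""
    return addresses(pkt)[1] == server_ip


if __name__ == "__main__":
    req = build_packet(CLIENT, VIP, 40000, 80)
    print("no NAT  :", addresses(req), "accepted by RIP:", server_accepts(req, RIP))
    print("half NAT:", addresses(half_nat(req)), "accepted by RIP:", server_accepts(half_nat(req), RIP))
    print("full NAT:", addresses(full_nat(req)))
```

The server_accepts check is the point the Virtual Server-Based Load Balancing entry makes: without the half NAT rewrite the real server would see a packet addressed to the VIP and drop it at Layer 3.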
Redirection-Based Load Balancing: A type of load balancing that operates differently from virtual server-based load balancing. With this type of load balancing, requests are transparently intercepted and redirected to a server group. Transparently means that requests are not specifically destined for a Virtual Server IP address that the switch owns. Instead, a filter is configured in the switch. This filter intercepts traffic based on certain IP header criteria and load balances it. Filters can be configured to filter on the SIP/Range (via netmask), DIP/Range (via netmask), Protocol, SPort/Range or DPort/Range. The action on a filter can be Allow, Deny, Redirect to a Server Group, or NAT (translation of either the source IP or destination IP address). In redirection-based load balancing, the destination IP address is not translated to that of one of the real servers. Therefore, redirection-based load balancing is designed to load balance devices that normally operate transparently in your network, such as a firewall, spam filter, or transparent Web cache.

RIP (Real Server IP Address): An IP address that the switch load balances to when requests are made to a Virtual Server IP address (VIP).

SIP (Source IP Address): The source IP address of a frame.

SPort (Source Port): The source port (application socket: for example, HTTP-80/HTTPS-443/DNS-53).

Tracking: In VRRP, a method to increase the priority of a virtual router and thus its chance of master designation (with preemption enabled). Tracking can be very valuable in an active/active configuration. You can track the following:
vrs: Virtual Routers in Master mode (increments priority by 2 for each)
ifs: Active IP interfaces on the Nortel Application Switch (increments priority by 2 for each)
ports: Active ports on the same VLAN (increments priority by 2 for each)
l4pts: Active Layer 4 ports, client or server designation (increments priority by 2 for each)
reals: Healthy real servers (increments priority by 2 for each healthy real server)
hsrp: HSRP announcements heard on a client-designated port (increments priority by 10 for each)

VIP (Virtual Server IP Address): An IP address that the switch owns and uses to load balance particular service requests (like HTTP) to other servers.

[term missing]: A VRRP address that is an IP interface address shared between two or more virtual routers.
Virtual Router: A shared address between two devices utilizing VRRP, as defined in RFC 2338. One virtual router is associated with an IP interface, which is one of the IP interfaces that the switch is assigned. All IP interfaces on the Nortel Application Switch must be in a VLAN. If there is more than one VLAN defined on the Nortel Application Switch, then the VRRP broadcasts will only be sent out on the VLAN of which the associated IP interface is a member.

Virtual Server-Based Load Balancing: Classic load balancing. Requests destined for a Virtual Server IP address (VIP), which is owned by the switch, are load balanced to a real server contained in the group associated with the VIP. Network address translation is done back and forth by the switch as requests come and go. Frames come to the switch destined for the VIP. The switch then replaces the VIP with one of the real server IP addresses (RIPs), updates the relevant checksums, and forwards the frame to the server for which it is now destined. This process of replacing the destination IP (VIP) with one of the real server addresses is called half NAT. If the frames were not half NAT'ed to the address of one of the RIPs, a server would receive the frame that was destined for its MAC address, forcing the packet up to Layer 3. The server would then drop the frame, since the packet would have the DIP of the VIP and not that of the server (RIP).

VRID: In VRRP, a value between 1 and 255 that is used by each virtual router to create its MAC address and to identify the peer with which it is sharing this VRRP address. The VRRP MAC address as defined in the RFC is 00-00-5E-00-01-{VRID}. If you have a VRRP address that two switches are sharing, then the VRID number needs to be identical on both switches so each virtual router on each switch knows whom to share with.

VRRP: A protocol that acts very similarly to Cisco's proprietary HSRP address-sharing protocol. The reason for both of these protocols is so that devices have a next hop or default gateway that is always available. Two or more devices sharing an IP interface are either advertising or listening for advertisements. These advertisements are sent via a broadcast message to an address such as 224.0.0.18. With VRRP, one switch is considered the master and the other the backup. The master is always advertising via the broadcasts. The backup switch is always listening for the broadcasts. Should the master stop advertising, the backup will take over ownership of the VRRP IP and MAC addresses as defined by the specification. The switch announces this change in ownership to the devices around it by way of a Gratuitous ARP and advertisements. If the backup switch didn't send the Gratuitous ARP, the Layer 2 devices attached to the switch would not know that the MAC address had moved in the network. For a more detailed description, refer to RFC 2338.

VSR: A VRRP address that is a shared Virtual Server IP address. VSR is a Nortel proprietary extension to the VRRP specification. The switches must be able to share Virtual Server IP addresses as well as IP interfaces. If they didn't, the two switches would fight for ownership of the Virtual Server IP address, and the ARP tables in the devices around them would have two ARP entries with the same IP address but different MAC addresses.
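The Priority, Preemption, Tracking and VRID entries fit together in a small model of master election. The Python below is an added example, not Nortel code: it derives the 00-00-5E-00-01-{VRID} MAC address, applies the per-item increments listed under Tracking to a configured priority, and decides master designation with and without preemption. The tracked counts are constructed; the tie-break on the higher primary IP address comes from RFC 2338 rather than from this glossary, and capping the tracked priority at 254 is an assumption.

```python
"""VRRP virtual MAC address and tracking-adjusted priority, following the
glossary entries for Priority, Preemption, Tracking and VRID.

Added example, not Nortel code. Tracked counts are constructed; the RFC 2338
tie-break and the cap at 254 are assumptions noted in the comments."""
import ipaddress
from dataclasses import dataclass, field

VRRP_MAC_PREFIX = "00-00-5E-00-01"   # RFC-defined prefix; the last octet is the VRID

# Priority increments per tracked item, as listed under "Tracking".
TRACK_INCREMENT = {"vrs": 2, "ifs": 2, "ports": 2, "l4pts": 2, "reals": 2, "hsrp": 10}


def vrrp_mac(vrid: int) -> str:
    """00-00-5E-00-01-{VRID}; the VRID is 1..255 and must match on both peers."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be between 1 and 255")
    return f"{VRRP_MAC_PREFIX}-{vrid:02X}"


@dataclass
class VirtualRouter:
    name: str
    vrid: int
    ip: str                      # primary IP interface address of this peer
    priority: int = 100          # configured value, 1..254, default 100
    tracked: dict = field(default_factory=dict)   # e.g. {"ifs": 2, "reals": 3}

    def __post_init__(self):
        if not 1 <= self.priority <= 254:
            raise ValueError("priority must be between 1 and 254")
        unknown = set(self.tracked) - set(TRACK_INCREMENT)
        if unknown:
            raise ValueError(f"unknown tracking keys: {unknown}")

    def effective_priority(self) -> int:
        """Configured priority plus the increments for every tracked object."""
        bonus = sum(TRACK_INCREMENT[k] * n for k, n in self.tracked.items())
        return min(self.priority + bonus, 254)   # assumption: never reach the owner value 255

    def mac(self) -> str:
        return vrrp_mac(self.vrid)


def elect_master(peers):
    """Highest effective priority wins; equal priorities fall back to the
    higher primary IP address (RFC 2338 rule, not stated in the glossary)."""
    if len({p.vrid for p in peers}) != 1:
        raise ValueError("peers sharing a VRRP address must use the same VRID")
    return max(peers, key=lambda p: (p.effective_priority(), ipaddress.ip_address(p.ip)))


def after_advertisement(master, backup, preemption: bool):
    """Who is master after the backup hears the current master's advertisement.

    With preemption on, a backup whose effective priority is now higher takes
    over; with preemption off, the current master keeps the role."""
    if preemption and backup.effective_priority() > master.effective_priority():
        return backup
    return master


if __name__ == "__main__":
    a = VirtualRouter("switch-a", 1, "10.0.0.2", tracked={"ifs": 2, "reals": 3})
    b = VirtualRouter("switch-b", 1, "10.0.0.3", tracked={"ifs": 2, "reals": 2, "hsrp": 1})
    print(a.name, a.effective_priority(), a.mac())
    print(b.name, b.effective_priority(), b.mac())
    print("master:", elect_master([a, b]).name)
    print("preemption off:", after_advertisement(a, b, False).name,
          "| preemption on:", after_advertisement(a, b, True).name)
```

In the sample both switches start at the default priority of 100; switch-b wins because one heard HSRP announcement adds 10, outweighing switch-a's extra healthy real server. If switch-a were already master and preemption were disabled, it would keep the role until it stopped advertising.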
Index
Symbols
(MD5) ... 482
(SLB real server group option) content ... 416
/ command ... 34
[ ] ... 21
administrator account ... 28
admpw (system option) ... 281
advertisement of virtual IP addresses ... 349
aging
    STP bridge option ... 322
    STP information ... 79
application redirection ... 407, 443
    filter states ... 113
    filters ... 406
    within real server groups ... 415
apply (global command) ... 247
applying configuration changes ... 247
ASCII terminal ... 24
auto-negotiation
    enable/disable on port ... 294, 298, 300, 303
autonomous system filter action ... 347
autonomous system filter path
    action ... 347
    as ... 347
    aspath ... 347
Numerics
1K XModem ... 665
3000 series ... 295
A
abbreviating commands (CLI) ... 38
access control
    system ... 276
action (SLB filtering option) ... 443
activating optional software ... 505
active configuration block ... 248, 511
active FTP SLB parsing statistics ... 206
active IP interface ... 384
active Layer 4 processing ... 384
active port
    VLAN ... 384
active switch configuration
    gtcfg ... 401
    ptcfg ... 401
    restoring ... 401
active switch, saving and loading configuration ... 401
add
    SLB port option ... 459
addr
    ARP entries ... 520
    IP route tag ... 89
Address Resolution Protocol (ARP)
    address list ... 520
B
backup
    SLB real server group option ... 416
backup configuration block ... 248, 511
backup server activations (SLB statistics) ... 189, 214
bandwidth management
    configuration ... 306
    contracts ... 307
bandwidth management contract
    precedence value ... 309
bandwidth management contract configuration ... 253, 309
Nortel Application Switch Operating System 23.2 Command Reference

bandwidth management policy configuration ... 312
    buffer limit ... 312
    hard bandwidth limit ... 312
    over the limit TOS ... 312
    reserve limit ... 312
    soft bandwidth limit ... 312
    underlimit TOS ... 312
bandwidth management statistics ... 219
banner (system option) ... 250
baud rate
    console connection ... 24
    serial download ... 665, 666
BBI ... 23
BGP
    configuration ... 362
    eBGP ... 362
    iBGP ... 362
    in route ... 365
    IP address, border router ... 364
    IP route tag ... 89
    keep-alive time ... 364
    peer ... 362
    peer configuration ... 364
    redistribution configuration ... 366
    remote autonomous system ... 364
    router hops ... 365
binary ... 665
binary firmware image ... 666
binding failure ... 188, 213
binding table ... 430
BLOCKING (port state) ... 79
boot options menu ... 507
BOOTP ... 25
    system option ... 251
bootstrap protocol ... 371
Border Gateway Protocol ... 89
    configuration ... 362
Border Gateway Protocol (BGP)
    operations-level options ... 504
BPDU. See Bridge Protocol Data Unit.
bridge parameter menu, for STP ... 320
bridge priority ... 79
Bridge Protocol Data Unit (BPDU) ... 79
    STP transmission frequency ... 321
Bridge Spanning-Tree parameters ... 321
broadcast
    IP route tag ... 89
    IP route type ... 89
broadcast domains ... 328
Browser-Based Interface ... 23
BWM
    contract rate statistics ... 222
    contract statistics ... 221
    history statistics ... 224
    port ... 220
    switch processor contract statistics ... 220
    switch processor rate contract statistics ... 220
C
capture dump information to a file ... 524
Cisco Ether Channel ... 324
clear
    ARP entries ... 520
    dump information ... 525
    FDB entry ... 519
    routing table ... 521
clearing SLB statistics ... 217, 218
client traffic processing ... 458
command (help) ... 34
Command-Line Interface (CLI) ... 23 to 29, 31
commands
    abbreviations ... 38
    conventions used in this manual ... 21
    global commands ... 34
    shortcuts ... 38
    stacking ... 38
    tab completion ... 38
configuration
    administrator password ... 281
    apply changes ... 247
    default gateway interval, for health checks ... 335
    default gateway IP address ... 335
    dump command ... 400
    effect on Spanning-Tree Protocol ... 247
    Fast Ethernet ... 291
    flow control ... 294, 298, 300, 303
    Gigabit Ethernet ... 291, 296, 299
    IP static route ... 337
    Layer 4 administrator password ... 280
    operating mode ... 293, 298, 303
    port link speed ... 293, 298, 303
    port mirroring ... 305
    port trunking ... 323
    route cache ... 341
    save changes ... 248
    setup command ... 396
    switch IP address ... 333
    TACACS+ ... 258
    user password ... 280
    view changes ... 247
    VLAN default (PVID) ... 291, 296, 299, 301
    VLAN IP interface ... 333
    VLAN tagging ... 292, 297, 299, 302
    VRRP ... 372
configuration block
    active ... 511
    backup ... 511
    factory ... 511
    selection ... 511
configuration menu ... 245
configuring routing information protocol ... 348
connecting
    via console ... 24
    via Telnet ... 25
connection timeout (Real Server Menu option) ... 430
console port
    communication settings ... 24
    connecting ... 24
    serial download settings ... 665, 666
content
    SLB real server group option ... 416
contracts, bandwidth management ... 307
copper ports ... 296
cost
    STP information ... 79
    STP port option ... 323
counters, No Server Available (dropped frames) ... 188, 214
CPU statistics ... 239, 241
CPU utilization ... 239, 241
cur (system option) ... 257, 260
current bindings ... 188, 213
D
date system option ... 250
debugging ... 515
default gateway
    information ... 87
    interval, for health checks ... 335
    metrics ... 388
    round robin, load balancing for ... 388
default password ... 28
delete
    FDB entry ... 519
deny (filtering) ... 214
designated port ... 94
diff (global) command, viewing changes ... 247
dip (destination IP address for filtering) ... 444
direct (IP route type) ... 89
directed broadcasts ... 341
DISABLED (port state) ... 79
disconnect idle timeout ... 29
Distributed Site State Protocol (DSSP)
    setting update interval ... 461
dmask
    destination mask for filtering ... 444
DNS statistics ... 175
Domain Name System (DNS)
    health checks ... 419
downloading software ... 509
dropped frames (No Server Available) counter ... 188, 214
dump
    configuration command ... 400
    maintenance ... 515
    state information ... 526
duplex mode
    link status ... 42, 58, 128
dynamic routes ... 521
E
emulation software ... 665
EtherChannel
    as used with port trunking ... 324
H
hash metric ... 422
health check types, SLB ... 418
health checks ... 409
    default gateway interval, retries ... 335
    IDSLB ... 418
    layer information ... 112
    parameters for most protocols ... 419
    redirection (rport) ... 443
    retry, number of failed health checks ... 335
    script ... 483
    SNMP ... 420, 485
    WAP ... 487
hello
    STP information ... 79
help ... 34
host routes ... 349
Hot Standby Router on VLAN (HSRV)
    use with VLAN-tagged environment ... 378
    VRRP priority increment value ... 388
Hot Standby Router Protocol (HSRP)
    priority increment value for L4 client ports ... 387
    use with VRRP ... 378, 385
    VRRP priority increment value ... 387
Hot Standby Router VLAN (HSRV)
    use with VRRP ... 385
hot-standby failover ... 382
HP-OpenView ... 23
hprompt
    system option ... 250
HSRP. See Hot Standby Router Protocol.
HSRV. See Hot Standby Router Protocol.
HTTP
    application health checks ... 419
    redirects (Global SLB option) ... 462
    system option ... 276
http ... 276
HTTP health checks
    on any port (aphttp) ... 482
F
factory configuration block ... 511
Fast Ethernet Physical Link ... 291
Fast Ethernet, configuring ports for ... 291
fastage ... 477
FDB statistics ... 153
fiber optic ports ... 298
File Transfer Protocol ... 205
filter statistics ... 198
filtered (denied) frames ... 189, 214
filters
    IP address ranges ... 444
fixed
    IP route tag ... 89
flag field ... 94
flow control ... 42, 128
    configuring ... 294, 298, 300, 303
forwarding configuration
    IP forwarding configuration ... 341
forwarding database (FDB) ... 515
    delete entry ... 519
Forwarding Database Information Menu ... 70
Forwarding Database Menu ... 518, 531
forwarding state (FWD) ... 72, 79, 82
FTP server health checks ... 419
FTP SLB maintenance statistics ... 207
FTP SLB statistics dump ... 207
fwd (STP bridge option) ... 321
FwdDel (forward delay), bridge port ... 79
G
gig (Port Menu option) ... 291, 296, 299
Gigabit Ethernet
    configuration ... 291, 296, 299
Gigabit Ethernet Physical Link ... 291, 296, 299
global commands ... 34
global SLB maintenance statistics ... 194
global SLB statistics ... 190
grace
    graceful real server failure ... 477
Greenwich ... 260
Greenwich Mean Time (GMT) ... 260
group ... 197
gtcfg (TFTP load command) ... 401
I
ICMP statistics ... 176
idle timeout
    overview ... 29
IDSLB health checks ... 418
IEEE standards
    802.1d Spanning-Tree Protocol ... 78, 319
image
    downloading ... 509
    software, selecting ... 510
IMAP server health checks ... 419
imask (IP address mask) ... 476
incorrect VIPs (statistic) ... 188, 213
incorrect Vports (dropped frames counter) ... 188, 213
indirect (IP route type) ... 89
Information
    Trunk Group Information ... 82
Information Menu ... 41
Interface change stats ... 162
interface statistics ... 178
IP address
    ARP information ... 92
    BOOTP ... 25
    configuring default gateway ... 335
    filter ranges ... 444
    local route cache ranges ... 342
    Telnet ... 25
IP address mask for SLB ... 476
IP forwarding ... 369
    directed broadcasts ... 341
    local networks for route caching ... 341
IP forwarding information ... 87
IP Information Menu ... 87, 106
IP interface ... 333
    active ... 384
    configuring address ... 333
    configuring VLANs ... 333
IP interfaces ... 89
    information ... 87
    IP route tag ... 89
    priority increment value (ifs) for VRRP ... 387
IP network filter configuration ... 343
IP port configuration ... 369
IP Route Manipulation Menu ... 521
IP routing
    tag parameters ... 89
IP Static Route Menu ... 337
IP statistics ... 163
IP subnets
    VLANs ... 328
Layer 4 processing
    active ... 384
layer 7 SLB maintenance statistics ... 201
layer 7 SLB string statistics ... 200
layer7 redirection statistics ... 199, 203
LDAP version ... 482
LEARNING (port state) ... 79
least connections (SLB Real Server metric) ... 418, 422
licence certificate ... 505
license password ... 505
link speed, configuring ... 293, 298, 303
link status ... 42
    command ... 129
    duplex mode ... 42, 58, 128
    port speed ... 42, 58, 128
Link Status Information ... 128
linkt (SNMP option) ... 263
LISTENING (port state) ... 79
lmask (routing option) ... 87
lnet (routing option) ... 87
local (IP route type) ... 89
local network for route caching ... 341
local route cache
    IP address ranges for ... 342
log
    syslog messages ... 252
logical segment. See IP subnets.
M
MAC (media access control) address 43, 70, 92, 505, switch location .............................................. 25 Main Menu ......................................................... 31 summary ...................................................... 32 Maintenance Menu ............................................ 515 Management Processor (MP) .............................. 523 display MAC address..................................... 43 manual style conventions ...................................... 21 martian IP route tag (filtered) ..................................... 89 IP route type (filtered out) .............................. 89 mask IP interface subnet address ........................... 333 MaxAge (STP information) .................................. 79 mcon (maximum connections) .... 188, 189, 214, 416 MD5 authentication key ..................................... 353 MD5 cryptographic authentication ...................... 354
518
L
l4apw (L4 administrator system option) ............... 280 Layer 4 administrator account .................................... 28
Index
675
Nortel Application Switch Operating System 23.2 Command Reference MD5 key ...........................................................357 media access control. See MAC address. metric SLB real server group option.........................415 metrics, SLB ......................................................421 minimum misses (SLB real server metric) ....418, 422 Miscellaneous Debug Menu ........................523, 541 mmask IP address mask for SLB ..............................476 mnet management traffic IP address for SLB ..........476 monitor port.......................................................305 mp packet ........................................................236 MP. See Management Processor. multicast IP route type .................................................89 multi-links between switches using port trunking.................................82, 323 mxage (STP bridge option) .................................321 ospf area index .......................................... 352, 354 authentication key ....................................... 357 configuration .............................................. 352 cost of the selected path ............................... 357 cost value of the host ................................... 360 dead, declaring a silent router to be down ....... 357 dead, health parameter of a hello packet ......... 358 export ........................................................ 361 fixed routes ................................................ 362 general ...................................................... 159 global ........................................................ 159 hello, authentication parameter of a hello packet ...
358
N
nbr change statistics............................................161 Network Address Translation (NAT) filter action .................................................443 network management ............................................23 non TCP/IP frames .....................................188, 213 notice ................................................................250 NTP synchronization ..........................................260 NTP time zone ...................................................260
O
octet counters.....................................................196 online help...........................................................34 operating mode, configuring ................293, 298, 303 operations menu .................................................495 operations-level BGP options ..............................504 operations-level BWM options ............................501 operations-level IP options ..................................504 Operations-Level Port Options ............................497 operations-level SLB options...............................498 operations-level VRRP options ............................501 optional software..........................................42, 131 activating ....................................................505 removing ....................................................506 OSPF area types .............................................99, 352
host entry configuration ............................... 360 host routes.................................................. 353 interface..................................................... 352 interface configuration ................................. 356 link state database ....................................... 353 MD5 authentication key ............................... 353 Not-So-Stubby Area .................................... 354 priority value of the switch interface .............. 357 range number ............................................. 352 redistribution menu ..................................... 353 route redistribution configuration .................. 361 spf, shortest path first................................... 355 stub area .................................................... 354 summary range configuration ....................... 355 transit area ................................................. 354 transit delay................................................ 357 type ........................................................... 354 virtual link ................................................. 352 virtual link configuration.............................. 358 virtual neighbor, router ID............................ 358 OSPF Database Information ............................... 102 OSPF general .................................................... 100 OSPF General Information ................................. 101 OSPF Information ............................................... 99 OSPF Information Route Codes .......................... 104 OSPF statistics .......................................... 158, 166 overflow server activations ......................... 189, 214 overflow servers ................................................ 408
P
panic command ................................................... 526 switch (and Maintenance Menu option) ......... 515
676
Index
320506-C Rev. 02, Feb 2007
Nortel Application Switch Operating System 23.2 Command Reference parameters tag .............................................................. 89 type............................................................. 89 Passive FTP SLB Parsing Statistics ..................... 206 Password user access control ...................................... 280 password administrator account .................................... 28 default ......................................................... 28 L4 administrator account ............................... 28 user account ................................................. 28 VRRP authentication ................................... 386 passwords ........................................................... 27 persistent bindings real server .................................................. 430 ping ........................................................... 35, 407 PIP ................................................................... 491 POP3 server health checks .................................... 419 port bandwidth management switch processor statistics switch port contract statistics menu ............... 219 port configuration .............................................. 289 Port Menu configuration options................................... 296 configuring Fast Ethernet ............................. 291 configuring Gigabit Ethernet (gig) 291, 296, 299 port mirroring configuration .............................................. 305 Port number ...................................................... 128 port speed ............................................. 42, 58, 128 port states UNK (unknown) ........................................... 72 port trunking description ................................................. 323 port trunking configuration ................................. 323 ports disabling (temporarily) ................................ 304 information ................................................ 
130 IP status ....................................................... 87 membership of the VLAN........................ 70, 83 priority ........................................................ 79 RJ-45 ........................................................ 290 SLB state information ................................. 113 STP port priority ......................................... 323 VLAN ID ............................................ 42, 130 preemption assuming VRRP master routing authority ....... 377 virtual router ....................................... 376, 383 priority virtual router ............................................... 383 priority (STP port option) ................................... 323 prisrv primary radius server ................................... 257 proxies IP address translation ................................... 409 proxy IP address (PIP)........................................ 113 proxy IP address (PIP) configuration ................... 491 ptcfg (TFTP save command) ............................... 401 PVID (port VLAN ID) ................................. 42, 130 pwd .................................................................... 35
Q
quiet (screen display option) ................................. 35
220
R
RADIUS server authentication .................................... 420 read community string (SNMP option) ................ 263 real server statistics ..................................................... 196 real server global SLB statistics .......................... 191 real server group options add ............................................................ 417 real server group SLB configuration .................... 415 real server group statistics................................... 197 real server groups combining servers into ................................. 415 statistics ..................................................... 197 real server SLB configuration ............................. 406 real servers backup ....................................................... 416 priority increment value (reals) for VRRP ...... 387 SLB state information .................................. 112 reboot ....................................................... 515, 526 receive flow control ........... 294, 298, 300, 303, 304 redir (SLB filtering option) ................................. 443 reference ports ..................................................... 72 referenced port .................................................... 94 remote monitoring on the port (rmon) .................. 497 remote site servers ............................................. 409 removing optional software ................................ 506 reset key combination ........................................ 516
Index
677
Nortel Application Switch Operating System 23.2 Command Reference retries radius server ...............................................257 retry health checks for default gateway ..................335 rip IP route tag ...................................................89 RIP. See Routing Information Protocol. rmkey ...............................................................506 round robin as used in gateway load balancing..................388 roundrobin SLB Real Server metric ........................418, 422 route cache configuration ......................................341 route statistics ....................................................171 router hops ........................................................365 routing information protocol configuration...............................................348 Routing Information Protocol (RIP) .......................89 options .......................................................350 rport SLB virtual server option ..............................428 RTSP SLB statistics ...........................................208 Rx/Tx statistics ..................................................160 server load balancing client traffic processing ................................ 458 health check ............................................... 418 health check types ....................................... 418 metrics ...................................................... 421 port options ................................................ 459 server traffic processing ............................... 459 server load balancing configuration options ......... 404 Server Load Balancing Maintenance Statistics Menu .. server port mapping ........................................... 113 server traffic processing ..................................... 459 Session Binding Table ....................................... 408 session identifier................................................ 
426 setup command, configuration ............................ 396 SFD statistics mp specific................................................. 239 SFP GBIC ports ................................................ 298 shortcuts (CLI) .................................................... 38 single-mode ports .............................................. 296 SIP (source IP address for filtering) ..................... 444 SLB filtering option action ........................................................ 443 SLB Information ............................................... 112 SLB layer7 statistics .......................................... 199 SLB real server group health checks arp ............................................................ 418 dns ............................................................ 419 ftp ............................................................. 419 http ........................................................... 419 icmp .......................................................... 418 imap .......................................................... 419 ldap ........................................................... 420 radius ........................................................ 420 script ......................................................... 420 smtp .......................................................... 419 SNMP ....................................................... 420 sslh ........................................................... 419 tcp............................................................. 418 udpdns ....................................................... 420 wsp ........................................................... 420 wtls ........................................................... 420 SLB real server group option application health checking .......................... 416 health checking ........................................... 416 metric ........................................................ 415
S
save (global command) .......................................248 noback option .............................................248 save command ...................................................511 script health checks ..............................................483 scriptable health checks configuration ..................483 secret radius server ...............................................257 secsrv secondary radius server ................................257 security VLANs ......................................................328 segmentation. See IP subnets. segments. See IP subnets. serial cable ..........................................................24 serial download ..................................................665 Server Load Balancing IDS ............................................................414 operations-level options ................................498 real server weights .......................................407
678
Index
320506-C Rev. 02, Feb 2007
Nortel Application Switch Operating System 23.2 Command Reference SLB real server option backup....................................................... 408 intr (interval) .............................................. 409 maxcon (maximum connections) .................. 408 name, alias for each real server ..................... 407 restr (restore) SLB real server UDP option ..... 409 retry .......................................................... 409 RIP, real server IP address ........................... 407 submac ...................................................... 409 tmout (time out) .......................................... 408 weights ...................................................... 407 slowage ............................................................ 477 smask source mask for filtering .............................. 444 smtp ................................................................. 250 SMTP server health checks ................................ 419 snap traces buffer ........................................................ 523 SNMP ........................................................ 23, 134 health checks .............................................. 485 HP-OpenView .............................................. 23 menu options .............................................. 262 set and get access ........................................ 263 SNMP Agent .................................................... 661 SNMP health check configuration ....................... 485 SNMP health checks .......................................... 420 software image file and version ................................... 43 license ....................................................... 505 software image .................................................. 508 SP specific statistics........................................... 240 spanning tree configuration .............................................. 
319 Spanning-Tree Protocol ............................... 82, 247 bridge aging option ..................................... 322 bridge parameters ....................................... 321 bridge priority .............................................. 79 port cost option ........................................... 323 port priority option ...................................... 323 root bridge ........................................... 79, 321 switch reset effect ....................................... 512 SSL .................................................................. 430 secure socket layer statistics ......................... 204 stacking commands (CLI) .................................... 38 state (STP information) ........................................ 79 state information, client system ........................... 430 static IP route tag .................................................. 89 static route rem.................................................... 338, 339 statis route add .................................................... 338, 339 statistics group ......................................................... 197 management processor ................................. 235 Statistics Menu .................................................. 133 subnet address maskconfiguration IP subnet address ........................................ 333 subnets IP interface ................................................. 333 switch resetting ..................................................... 512 Switch Processor (SP) ........................................ 523 display trace buffer ...................................... 523 swkey ............................................................... 505 SYN attack detection configuration ..................... 478 sync .................................................................. 498 synchronization VRRP switch ...................................... 
473, 498 syslog system host log configuration ....................... 251 system contact (SNMP option) ................................ 262 date and time .......................................... 41, 43 location (SNMP option) ............................... 262 system access control configuration ..................... 276 System Maintenance Menu ................................. 518 system options admpw (administrator password)................... 281 BOOTP ..................................................... 251 cur (current system parameters)............. 257, 260 date ........................................................... 250 hprompt ..................................................... 250 HTTP access .............................................. 276 l4apw (Layer 4 administrator password) ......... 280 login banner ............................................... 250 time ........................................................... 250 tnet ............................................................ 276 tnport......................................................... 277 usrpw (user password) ................................. 280 system parameters, current.......................... 257, 260
T
tab completion (CLI) ............................................ 38 tacacs ............................................................... 258 TACACS+ ........................................................ 258
Index
679
Nortel Application Switch Operating System 23.2 Command Reference TCP fragments ...................................................426 health checking using ...................................409 health checks ..............................................419 source and destination ports ..........................442 TCP statistics .............................................180, 238 Telnet .................................................................25 BOOTP ........................................................25 configuring switches using ............................400 telnet radius server ...............................................257 terminal emulation ...............................................24 text conventions ...................................................21 TFTP ................................................................509 PUT and GET commands .............................401 TFTP server.......................................................401 time system option ..............................................250 timeout radius server ...............................................257 timeouts idle connection ..............................................29 timers kickoff ....................................................162 time-to-live, DNS response (global SLB menu option) UDP datagrams .......................................... 188, 213 server status using ....................................... 409 source and destination ports.......................... 442 UDP statistics.................................................... 182 unknown (UNK) port state ................................... 72 Unscheduled System Dump ................................ 527 upgrade, switch software .................................... 508 URL for health checks ....................................... 113 user account ........................................................ 28 usrpw (system option) ........................................ 
280 Uuencode Flash Dump ....................................... 524
V
verbose ............................................................... 35 vip advertisement of virtual IP addresses as Host Routes ................................................ 349 IP route tag .................................................. 89 virtual IP address (VIP) ...................................... 113 virtual port state, SLB information about ............. 113 virtual router description ................................................. 374 priority ...................................................... 383 tracking criteria........................................... 377 virtual router group VRRP priority tracking ................................ 382 virtual router group configuration........................ 382 virtual router group priority tracking ................... 384 Virtual Router Redundancy Protocol (VRRP) authentication parameters for IP interfaces ..... 386 group options (prio)..................................... 383 operations-level options ............................... 501 password, authentication .............................. 386 priority election for the virtual router ............. 375 priority tracking options ....................... 364, 377 Virtual Router Redundancy Protocol configuration 372 virtual router sharing .......................................... 383 virtual routers HSRP failover .................................... 378, 385 HSRP priority increment value ..................... 387 HSRV ....................................................... 385 HSRV priority increment value..................... 388 increasing priority level of.................... 376, 380 incrementing VRRP instance ........................ 378 master preemption (preem)........................... 383 master preemption (prio) .............................. 376 priority increment values (vrs) for VRRP ....... 387
466
tnet system option ..............................................276 tnport system option ..............................................277 TPCP (Transparent Proxy Cache Protocol) ...........477 trace buffer ........................................................523 Switch Processor .........................................523 traceroute ............................................................35 Tracking VRRP ................................................374, 379 transmit flow control ..........294, 298, 300, 303, 304 transparent proxies, when used for NAT ...............443 Trunk Group Information ......................................82 ttl (time to live, global SLB menu option) .............461 type of area ospf ...........................................................354 type parameters ....................................................89 typographic conventions, manual ...........................21 tzone .................................................................260
U
UCB statistics ....................................................238
680
Index
320506-C Rev. 02, Feb 2007
Nortel Application Switch Operating System 23.2 Command Reference virtual server global SLB statistics ...................... 192 virtual server SLB statistics ................................ 198 virtual servers ................................................... 418 SLB state information ................................. 113 statistics ..................................................... 198 VLAN active port .................................................. 384 configuration .............................................. 328 VLAN tagging port configuration ............... 292, 297, 299, 302 port restrictions........................................... 329 VLANs ARP entry information .................................. 92 broadcast domains ...................................... 328 information .................................................. 83 multiple spanning trees ................................ 319 name ..................................................... 70, 83 port membership ..................................... 70, 83 security...................................................... 328 setting default number (PVID)..... 291, 296, 299, Spanning-Tree Protocol ............................... 319 tagging ........................................ 42, 130, 329 VLAN Number ............................................ 83 VRID (virtual router ID) ............................ 375, 382 VRRP interface configuration ................................. 386 master advertisements ................................. 375 tracking ............................................. 374, 379 tracking configuration ................................. 387 virtual router sharing ................................... 376 VRRP Information ............................................ 107 VRRP master advertisements time interval ............................................... 383 VRRP statistics ................................................. 
173 weights for SLB real servers ..................................... 423 setting virtual router priority values ............... 387 write community string (SNMP option) ............... 263 wspport WAP health check............................... 485, 487 wtlsprt WAP health check............................... 485, 488
X
XModem .......................................................... 665
301
W
WAP health checks .............................................. 487 WAP health check wspport ............................................. 485, 487 wtlsprt ............................................... 485, 488 WAP health check configuration......................... 487 WAP SLB statistics ........................................... 210 watchdog timer ................................................. 516 web-based management interface .......................... 23
Index
681
682
Index
320506-C Rev. 02, Feb 2007