24.0.0 Command Reference

Nortel Application Switch Operating System Command Reference NN47220-105 (320506-D)


Document status: Standard
Document version: 01.01
Document date: 28 January 2008

Copyright © 2008, Nortel Networks. All Rights Reserved.

Sourced in Canada, India and the United States of America

Part Number: NN47220-105 (320506-D)

This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Nortel Networks, Inc. Documentation is provided "as is" without warranty of any kind, either express or implied, including any kind of implied or express warranty of non-infringement or the implied warranties of merchantability or fitness for a particular purpose.

U.S. Government End Users: This document is provided with a "commercial item" as defined by FAR 2.101 (Oct 1995) and contains "commercial technical data" and "commercial software documentation" as those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR 12.211-12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995).

Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of Nortel Networks, Inc.

Nortel Application Switch Operating System, Nortel Application Switch 2424, Nortel Application Switch 2424-SSL, Nortel Application Switch 2224, 2216, 2208, 3408, Nortel Application Switch 180, Nortel Application Switch 180e, Nortel Application Switch 184, Nortel Application Switch AD3, Nortel Application Switch AD4, and ACEswitch are trademarks of Nortel Networks, Inc. in the United States and certain other countries. Cisco® and EtherChannel® are registered trademarks of Cisco Systems, Inc. in the United States and certain other countries. Check Point® and FireWall-1® are trademarks or registered trademarks of Check Point Software Technologies Ltd. Any other trademarks appearing in this manual are owned by their respective companies.


Contents

Preface
Who should use this book
How this book is organized
Related documentation
Typographic conventions
How to get help

The Command Line Interface
Connecting to the Switch
Establishing a Console Connection
Establishing a Telnet Connection
Establishing an SSH Connection
Accessing the Switch
CLI Menu
Command Line History and Editing
Idle Timeout

Menu Basics
The Main Menu
Menu Summary
Global Commands
Command Line History and Editing
Command Line Interface Shortcuts
Command Stacking
Command Abbreviation
Tab Completion
Configuration Ranges

The Information Menu
/info - Information Menu
/info/sys - System Information Menu
/info/sys/snmpv3 - SNMPv3 System Information Menu
General System Information


/info/sys/time - Show System Time
/info/sys/log - Show Last 64 Syslog Messages
/info/sys/slog - Last 64 Saved Syslog Messages
/info/sys/mgmt - Management Port Information
/info/sys/sonmp - SONMP Information
/info/sys/capacity - System Capacity Information
/info/sys/fan - Show switch fan status
/info/sys/temp - Show switch temperature sensor status
/info/sys/encrypt - Show encryption licenses
/info/sys/user - Show current user status
/info/sys/dump - System Information Dump
/info/l2 - Layer 2 Information Menu
/info/l2/fdb - Layer 2 FDB Information
Clearing Entries from the Forwarding Database
/info/l2/lacp - Link Aggregation Control Protocol Information Menu
/info/l2/lacp/aggr - LACP Aggregator Information
/info/l2/lacp/port - LACP Port Information
/info/l2/lacp/dump - LACP Dump Information
/info/l2/stg - Layer 2 Spanning Tree Group Information
/info/l2/cist - Show common internal spanning tree (CIST) information
/info/l2/trunk - Trunk Group Information
/info/l2/vlan - VLAN Information
/info/l2/vlan - VLAN Information
/info/l2/team - Status of port teams


/info/l2/dump - Layer2 Dump Information
/info/l3 - Layer3 Information Menu
/info/l3/route - IP Routing Information
/info/l3/route6 - IPv6 Routing Information Menu
/info/l3/arp - ARP Information Menu
/info/l3/bgp - BGP Information Menu
/info/l3/ospf - OSPF Information Menu
/info/ospf/dump - OSPF Dump Information
/info/l3/ip - IP Information
/info/l3/vrrp - VRRP Information
/info/l3/dump - Layer3 Dump Information
/info/slb - Layer 4 Information Menu
/info/slb/sess - Session Table Information
Session dump information
/info/slb/gslb - Global SLB Information Menu
/info/slb/dump - Show All Layer 4 Information
/info/bwm - Bandwidth Management Information
/info/bwm/ipuser - BWM IP User Information Menu
/info/bwm/cont - BWM Contract Information
/info/security - Security Information
/info/link - Link Status Information
/info/port - Port Information
/info/swkey - Software Enabled Keys
/info/dump - Information Dump


The Statistics Menu
/stats - Statistics Menu
/stats/sys - System statistics menu
/stats/port <port number> - Port Statistics Menu
/stats/port <port number>/brg - Bridging Statistics
/stats/port <port number> /ether - Ethernet Statistics
/stats/port <port number> /if - Interface Statistics
/stats/port <port number> /ip - Interface Protocol Statistics
/stats/port <port number> /link - Link Statistics
/stats/port <port number> /rmon - RMON Statistics
/stats/pmirr - Port mirroring statistics menu
/stats/l2 - Layer 2 Statistics Menu
/stats/l2/fdb - FDB Statistics
/stats/l3 - Layer 3 Statistics Menu
/stats/l3/ospf - OSPF Statistics Menu
/stats/l3/ip - IP Statistics
/stats/l3/ip6 - IP6 Statistics Menu
/stats/l3/route - Route Statistics
/stats/l3/arp - ARP statistics
/stats/l3/vrrp - VRRP Statistics
/stats/l3/vrrp6 - IPv6 VRRP statistics
/stats/l3/dns - DNS Statistics
/stats/l3/icmp - ICMP Statistics


/stats/l3/if <interface number> - Interface Statistics
/stats/l3/tcp - TCP Statistics
/stats/l3/udp - UDP Statistics
/stats/slb - Server Load Balancing Statistics Menu
/stats/slb/sp - Server Load Balancing SP statistics Menu
/stats/slb/gslb - Global SLB Statistics Menu
/stats/slb/real <real server number> - Real Server SLB Statistics
/stats/slb/Group <real server groups number> - Real Server Group Statistics
/stats/slb/virt <virtual server number> - Virtual Server SLB Statistics
/stats/slb/filt <filter number> - Filter SLB Statistics
/stats/slb/layer7 - SLB Layer7 Statistics Menu
/stats/slb/ssl - SLB Secure Socket Layer Statistics
/stats/slb/ftp - File Transfer Protocol SLB and Filter Statistics Menu
/stats/slb/rtsp - RTSP SLB Statistics
/stats/slb/dns - DNS SLB Statistics
/stats/slb/wap - WAP SLB Statistics
/stats/slb/maint - SLB Maintenance Statistics
/stats/slb/sip - SIP SLB Statistics
/stats/slb/wlm <wlm number> - Display Workload Manager SASP statistics
/stats/slb/wlm <wlm number> /clear - Clear Workload Manager SASP Statistics
/stats/slb/mirror - Display Workload Manager SASP statistics
/stats/bwm - BWM Statistics Menu
/stats/bwm/port <port number> - BWM Switch Processor Statistics


/stats/bwm/cont <contract number> - BWM Contract Statistics
/stats/bwm/rcont - BWM Contract Rate Statistics
/stats/bwm/hist - BWM History Statistics
/stats/bwm/maint - BWM Maintenance Statistics
/stats/bwm/ipusers - BWM IP Users Statistics
/stats/security - Security Statistics
/stats/security/dos - DOS Attack Statistics Menu
Types of DOS Attacks
/stats/security/ipacl - IP Access Control List Statistics
/stats/security/udpblast - UDP Blast Statistics
/stats/security/udpblast/dump - UDP Blast Dump Statistics
/stats/security/pgroup - UDP Pattern Match Statistics
/stats/security/ratelim - Rate Limiting Statistics
/stats/security/dump - Dump Statistics for Security
/stats/mp - Management Processor Statistics
/stats/mp/pkt - MP Packet Statistics
/stats/mp/tcb - TCP Statistics
/stats/mp/ucb - UCB Statistics
/stats/mp/sfd - MP-Specific SFD Statistics
/stats/mp/cpu - CPU Statistics
/stats/sp <SP Number> - SP Specific Statistics
/stats/sp <SP number> /maint - SP-Specific Maintenance Statistics
/stats/sp/cpu - CPU Statistics
/stats/pmirr - Port Mirroring Statistics Menu


/stats/mgmt - Management Port Statistics
/stats/dump - Dump Statistics

The Configuration Menu
/cfg - Configuration Menu
Viewing, Applying, and Saving Changes
Viewing Pending Changes
Applying Pending Changes
Saving the Configuration
/cfg/sys - System Configuration
/cfg/sys/syslog - System Host Log Configuration
/cfg/sys/mmgmt - Management Port Configuration Menu
/cfg/sys/mmgmt/port - Management Port Link Menu
/cfg/sys/radius - RADIUS Server Configuration
/cfg/sys/tacacs - TACACS+ Server Configuration Menu
/cfg/sys/ntp - NTP Server Configuration
/cfg/sys/sonmp - SynOptics Network Management Protocol Configuration
/cfg/sys/ssnmp - System SNMP Configuration
/cfg/sys/ssnmp/snmpv3 - SNMPv3 Configuration Menu
/cfg/sys/health - System Health Check Configuration Menu
/cfg/sys/access - System Access Control Configuration
/cfg/sys/access/port - Port Management Access Menu
/cfg/sys/access/sshd - SSH Server Menu
/cfg/sys/access/xml - XML Configuration Access Menu
/cfg/sys/timezone - Configure the Timezone
/cfg/port <port number> - Port Configuration
Nortel Application Switch Operating System 2000 Series


/cfg/port <port number> fast|gig - Port Link Configuration
Nortel Application Switch 3000 Series
Port Configuration on Nortel Application Switch 3408
Temporarily Disabling a Port
/cfg/pmirr - Port Mirroring Menu
/cfg/pmirr monport - Port-Mirroring Menu
/cfg/bwm - Bandwidth Management Configuration
/cfg/bwm/cont <contract number> - Bandwidth Management Contract Configuration
/cfg/bwm/policy <policy number> - Bandwidth Management Policy Configuration
/cfg/bwm/group - Bandwidth Management Group Configuration Menu
/cfg/bwm/cur - Bandwidth Management Current Configuration
/cfg/l2 - Layer 2 Configuration Menu
/cfg/l2/mrst - Multiple Spanning Tree Menu
/cfg/l2/mrst/cist - Multiple Spanning Tree Menu
/cfg/l2/mrst/cist/brg - CIST Bridge Menu
/cfg/l2/stg - Spanning Tree Group Configuration
/cfg/l2/stg/brg - Bridge Spanning Tree Configuration
/cfg/l2/trunk <trunk group number> - Trunk Configuration
/cfg/l2/lacp - Link Aggregation Control Protocol Menu
/cfg/l2/lacp/port <port number> - LACP Port Configuration Menu
/cfg/l2/vlan <VLAN number> - VLAN Configuration
/cfg/l2/team <team number> - Port Team Configuration
/cfg/l3 - Layer 3 Configuration Menu
/cfg/l3/if <interface number> - IP Interface Configuration


/cfg/l3/if/ip6nd - IPv6 Neighbor Discovery Menu
/cfg/l3/gw <gateway number> - Default IP Gateway Configuration
/cfg/l3/arp - ARP Configuration Menu
/cfg/l3/frwd - IP Forwarding Configuration Menu
Defining IP Address Ranges for the Local Route Cache
/cfg/l3/nwf - Network Filter Configuration
/cfg/l3/rmap <route map number> - Route Map Configuration Menu
/cfg/l3/rip - Routing Information Protocol Configuration
/cfg/l3/rip/if - RIP Interface Menu
/cfg/l3/ospf - Open Shortest Path First Configuration
/cfg/l3/bgp - Border Gateway Protocol Configuration
/cfg/l3/port <port number> - IP Forwarding Port Configuration Menu
/cfg/l3/dns - Domain Name System Configuration Menu
/cfg/l3/bootp - Bootstrap Protocol Relay Configuration Menu
/cfg/l3/vrrp - VRRP Configuration Menu
/cfg/l3/vrrp/vr <router number> - Virtual Router Configuration Menu
/cfg/l3/vrrp/group - Virtual Router Group Configuration
/cfg/l3/vrrp/if <interface number> - VRRP Interface Configuration
/cfg/l3/vrrp/track - VRRP Tracking Configuration
/cfg/l3/metrc <metric name> - Default Gateway Metrics
/cfg/security - Security Configuration Menu
/cfg/security/port - Port Security Menu
/cfg/security/ipacl - IP Address Access Control List Configuration Menu
/cfg/security/udpblast - UDP Blast Protection Configuration Menu


/cfg/security/dos - Anomaly and Denial of Service Attack Prevention Menu
/cfg/security/pgroup <pattern group number> - Pattern Matching Menu
/cfg/sslproc - SSL Processor Menu
/cfg/dump - Dump
/cfg/ptcfg - Saving the Active Switch Configuration
/cfg/gtcfg - Restoring the Active Switch Configuration

The SLB Configuration Menu
/cfg/slb - SLB Configuration
Filtering and Layer 4 (Server Load Balancing)
/cfg/slb/real <server number> - Real Server SLB Configuration
/cfg/slb/real/adv - Real Server Advanced Menu
/cfg/slb/real/adv/buddyhc - Buddy Server Health Check Menu
/cfg/slb/real <server number> /layer7 - Real Server Layer 7 Configuration
/cfg/slb/real <real server number> /ids - Real server IDS Configuration Menu
/cfg/slb/group <real server group number> - Real Server Group SLB Configuration
SLB Health Check Types
Server Load Balancing Metrics
/cfg/slb/virt <virtual server number> - Virtual Server SLB Configuration
/cfg/slb/virt <server number> /service <virtual port or name> - Virtual Server Service Configuration
/cfg/slb/virt/service/wts - WTS Load Balancing Menu
/cfg/slb/virt/service/http - HTTP Load Balancing Menu
/cfg/slb/virt/service/sip - SIP Load Balancing Menu
/cfg/slb/virt/service/rtsp - RTSP Load Balancing Menu
Cookie-Based Persistence
/cfg/slb/filt <filter number> - SLB Filter Configuration


Defining IP Address Ranges for Filters
/cfg/slb/filt <filter number> /adv - Advanced Filter Configuration
/cfg/slb/filt/adv/proxyadv - Proxy Advanced Menu
/cfg/slb/port <port number> - Port SLB Configuration
/cfg/slb/gslb - Global SLB Configuration
/cfg/slb/gslb/site <site number> - GSLB Remote Site Configuration
/cfg/slb/gslb/network <network number> - GSLB Network Preference Configuration Menu
/cfg/slb/gslb/rule - GSLB Rule Configuration Menu
/cfg/slb/layer7 - Layer 7 SLB Resource Definition Menu
/cfg/slb/layer7/redir - Web Cache Redirection Configuration
/cfg/slb/layer7/slb - Server Load Balance Resource Configuration Menu
/cfg/slb/layer7/sdp - SDP Mapping Menu
/cfg/slb/wap - WAP Configuration
/cfg/slb/sync - Synchronize Peer Switch Configuration
/cfg/slb/sync/peer <peer switch number> - Peer Switch Configuration
/cfg/slb/adv - Advanced Layer 4 Configuration
/cfg/slb/adv/synatk - SYN Attack Detection Configuration Menu
/cfg/slb/linklb - Inbound Link Load Balancing configuration Menu
/cfg/slb/linklb/drecord - Inbound Link Load Balancing Domain Record Menu
/cfg/slb/advhc/script <health script number> - Scriptable Health Checks Configuration
/cfg/slb/advhc/snmphc - SNMP Health Check Configuration
/cfg/slb/advhc/waphc - WAP Health Check Configuration
/cfg/slb/pip - Proxy IP Address Configuration Menu
/cfg/slb/wlm - WorkLoad Management Menu


The Operations Menu
/oper - Operations Menu
/oper/port <port number> - Operations-Level Port Options
/oper/slb - Operations-Level SLB Options
/oper/slb/group - Real Server Group Operations
/oper/slb/gslb - Global SLB Operations Menu
/oper/vrrp - Operations-Level VRRP Options
/oper/bwm - Operations-Level Bandwidth Management Options
/oper/security - Security Menu
/oper/security/ipacl - IP ACL Operations Menu
/oper/ip - Operations-Level IP Options
/oper/ip/bgp - Operations-Level BGP Options
/oper/swkey - Activating Optional Software
/oper/rmkey - Removing Optional Software

The Boot Options Menu
/boot - Boot Menu
Scheduled Reboot of the Switch
/boot/sched - Scheduled Reboot Menu
Updating the Switch Software Image
Downloading New Software to Your Switch
Selecting a Software Image to Run
Uploading a Software Image from Your Switch
Selecting a Configuration Block
Resetting the Switch
Enabling Symantec Intelligent Network Protection

The Maintenance Menu
/maint - Maintenance Menu


/maint/sys - System Maintenance Options
/maint/fdb - Forwarding Database Options
/maint/arp - ARP Cache Options
/maint/route - IP Route Manipulation
/maint/ip6 - IPv6 Manipulation Menu
/maint/debug - Debugging Options
/maint/uudmp - Uuencode Flash Dump
/maint/ptdmp <server filename> - System Dump Put
/maint/cldmp - Clearing Dump Information
/maint/panic - Panic Command
Unscheduled System Dumps

The SSL Processor Menu
/ssl - SSL Processor Menu
/ssl/info - SSL Performance information menu
/ssl/info/events - SSL Performance Menu
/ssl/stats - SSL Performance Statistics menu
/ssl/stats/sslstats - SSL Performance Menu
/ssl/stats/sslstats/local - SSL Performance SSL Local Statistics Menu
/ssl/stats/sslstats/local/isdhost - SSL Performance: Single ISD SSL Statistics Menu
/ssl/stats/ipsec - IPSEC Statistics menu
/ssl/stats/ipsec/local - SSL Performance: Local IPSEC Statistics Menu
/ssl/stats/ipsec/local/isdhost - SSL Performance: Single IPSEC ISD Statistics Menu
/ssl/stats/aaa - AAA Statistics Menu
/ssl/cfg - SSL Performance Configuration Menu


/ssl/cfg/ssl - SSL Configuration Server Menu
/ssl/cfg/ssl/server - SSL Configuration Server-specific Menu
/ssl/cfg/ssl/server/trace - SSL Configuration Server-specific Trace Menu
/ssl/cfg/ssl/server/ssl - SSL Configuration Server-specific SSL Menu
/ssl/cfg/ssl/server/tcp - SSL Configuration Server-specific TCP Menu
/ssl/cfg/ssl/server/adv - SSL Configuration Server-specific Advanced Menu
/ssl/cfg/ssl/server/adv/string - SSL Configuration Server Advanced String Menu
/ssl/cfg/ssl/server/adv/loadbalanc - SSL Configuration Server Advanced Load Balancing Menu
/ssl/cfg/ssl/server/adv/loadbalanc/cookie - SSL Configuration Server Advanced Load Balancing Cookie Menu
/ssl/cfg/ssl/server/adv/loadbalanc/cookie/localvips - Local VIP Configuration Menu
/ssl/cfg/ssl/server/adv/loadbalanc/script - SSL Configuration Server Advanced Load Balancing Health Script Menu
/ssl/cfg/ssl/server/adv/loadbalanc/remotessl - SSL Configuration Server Advanced Load Balancing Remote SSL Menu
/ssl/cfg/ssl/server/adv/loadbalanc/remotessl/verify - SSL Configuration Server Advanced Load Balancing Remote SSL Verification Menu
/ssl/cfg/ssl/server/adv/loadbalanc/backend - SSL Configuration Server Advanced Load Balancing Backend Server Menu
/ssl/cfg/cert - SSL Configuration Certificate Menu
/ssl/cfg/cert/revoke - SSL Configuration Revoke Certificate Menu
/ssl/cfg/cert/revoke/automatic - SSL Configuration Revoke Certificate Automatic Menu
/ssl/cfg/vpn - SSL VPN Configuration Menu
/ssl/cfg/vpn/aaa - SSL VPN Configuration Menu
/ssl/cfg/vpn/aaa/tg - SSL VPN Configuration TunnelGuard Menu
/ssl/cfg/vpn/aaa/auth - SSL VPN Configuration Authentication Menu


/ssl/cfg/vpn/aaa/auth/radius - SSL VPN Configuration Authentication Radius Menu
/ssl/cfg/vpn/aaa/auth/radius/servers - SSL VPN Configuration Authentication Radius Servers Menu
/ssl/cfg/vpn/aaa/auth/radius/sessiontm - SSL VPN Configuration Authentication Radius Session Timeout Menu
/ssl/cfg/vpn/aaa/auth/radius/macro - SSL VPN Configuration Authentication Radius Macro Menu
/ssl/cfg/vpn/aaa/auth/adv - SSL VPN Configuration Authentication Advanced Menu
/ssl/cfg/vpn/aaa/network - SSL VPN Configuration Network Menu
/ssl/cfg/vpn/aaa/network/subnet - SSL VPN Configuration Network Subnet Menu
/ssl/cfg/vpn/aaa/service - SSL VPN Configuration Service Menu
/ssl/cfg/vpn/aaa/appspec - SSL VPN Configuration Application specific Menu
/ssl/cfg/vpn/aaa/appspec/paths - SSL VPN Configuration Application specific Paths Menu
/ssl/cfg/vpn/aaa/filter - SSL VPN Configuration AAA Filter Menu
/ssl/cfg/vpn/aaa/group - SSL VPN Configuration AAA Group Menu
/ssl/cfg/vpn/aaa/group/access - SSL VPN Configuration AAA Group Access Menu
/ssl/cfg/vpn/aaa/group/linkset - SSL VPN Configuration AAA Group Linkset Menu
/ssl/cfg/vpn/aaa/group/extend - SSL VPN Configuration AAA Group Extend Profiles Menu
/ssl/cfg/vpn/aaa/group/extend/access - SSL VPN Configuration AAA Group Extend Profiles Access Menu
/ssl/cfg/vpn/aaa/group/extend/linkset - SSL VPN Configuration AAA Group Extend Profiles Linkset Menu
/ssl/cfg/vpn/aaa/group/ipsec - SSL VPN Configuration AAA Group IPsec Menu
/ssl/cfg/vpn/aaa/ssodomains - SSL VPN Configuration AAA Single-sign on Enabled Domains Menu
/ssl/cfg/vpn/aaa/ssoheaders - SSL VPN Configuration AAA Single-sign on Headers Menu
/ssl/cfg/vpn/aaa/radacct - SSL VPN Configuration AAA Radius Accounting Menu
ssl/cfg/vpn/aaa/radacct/servers - SSL VPN Configuration AAA Radius Accounting Servers Menu
ssl/cfg/vpn/aaa/radacct/vpnattribu - SSL VPN Configuration AAA Radius Accounting VPN attributes Menu


/ssl/cfg/vpn/server - SSL VPN Configuration Server Menu
/ssl/cfg/vpn/server/trace - SSL VPN Configuration Server Traffic Trace Menu
/ssl/cfg/vpn/server/ssl - SSL VPN Configuration Server SSL Settings Menu
/ssl/cfg/vpn/server/tcp - SSL VPN Configuration Server TCP endpoint Settings Menu
/ssl/cfg/vpn/server/http - SSL VPN Configuration Server HTTP Settings Menu
/ssl/cfg/vpn/server/http/rewrite - SSL VPN Configuration Server SSL triggered rewrite Menu
/ssl/cfg/vpn/server/proxymap - SSL VPN Configuration Server Intranet Proxy settings Menu
ssl/cfg/vpn/server/portal - SSL VPN Configuration Server Portal settings Menu
ssl/cfg/vpn/server/adv - SSL VPN Configuration Server Advanced Menu
ssl/cfg/vpn/server/adv/traflog - SSL VPN Configuration Server UDP Syslog Traffic Log Menu
ssl/cfg/vpn/server/adv/sslconnect - SSL VPN Configuration Server SSL Connect Menu
ssl/cfg/vpn/server/adv/sslconnect/verify - SSL VPN Configuration Server SSL Connect verify Server Menu
/ssl/cfg/vpn/ipsec - SSL VPN Configuration IPsec Server Menu
/ssl/cfg/vpn/ipsec/ikeprof - SSL VPN Configuration IPsec Server IKE Profile Menu
/ssl/cfg/vpn/ipsec/ikeprof/enc - SSL VPN Configuration IPsec Server IKE Profile Encryption Menu
/ssl/cfg/vpn/ipsec/ikeprof/dh - SSL VPN Configuration IPsec Server IKE Profile Diffie-Hellman Group Mask Menu
/ssl/cfg/vpn/ipsec/ikeprof/NAT - SSL VPN Configuration IPsec Server IKE Profile NAT Menu
/ssl/cfg/vpn/ipsec/ikeprof/deadpeer - SSL VPN Configuration IPsec Server IKE Profile Dead Peer Menu
/ssl/cfg/vpn/ippool - SSL VPN Configuration IP Pool Menu
/ssl/cfg/vpn/portal - SSL VPN Configuration Portal Menu
/ssl/cfg/vpn/portal/colors - SSL VPN Configuration Portal Colors Menu
/ssl/cfg/vpn/portal/faccess - SSL VPN Configuration Portal Full Access Menu
/ssl/cfg/vpn/portal/lang - SSL VPN Configuration Portal Language Menu


/ssl/cfg/vpn/portal/whitelist - SSL VPN Configuration Portal Whitelist settings Menu
/ssl/cfg/vpn/portal/whitelist/domains - SSL VPN Configuration Portal Whitelist settings Domains Menu
/ssl/cfg/vpn/linkset - SSL VPN Configuration Linkset Menu
/ssl/cfg/vpn/linkset/link - SSL VPN Configuration Linkset Link Menu
/ssl/cfg/vpn/linkset/link/internal - SSL VPN Configuration Linkset Link Internal Setting Menu
/ssl/cfg/vpn/sslclient - SSL VPN Configuration SSL Client Menu
/ssl/cfg/vpn/adv - SSL VPN Configuration Advanced Menu
/ssl/cfg/vpn/adv/dns - SSL VPN Configuration Advanced DNS settings Menu
/ssl/cfg/sys - SSL Configuration System Menu
/ssl/cfg/sys/host - SSL Configuration System Host Menu
/ssl/cfg/sys/host/routes - SSL Configuration System Host Routes Menu
/ssl/cfg/sys/host/interface - SSL Configuration System Host Menu
/ssl/cfg/sys/host/interface/routes - SSL Configuration System Host Interface Routes Menu
/ssl/cfg/sys/host/port - SSL Configuration System Host Port Menu
/ssl/cfg/sys/routes - SSL Configuration System Menu
/ssl/cfg/sys/time - SSL Configuration System Time Menu
/ssl/cfg/sys/time/ntp - SSL Configuration System Time NTP servers Menu
/ssl/cfg/sys/dns - SSL Configuration System DNS settings Menu
sl/cfg/sys/dns/servers - SSL Configuration System DNS Servers settings Menu
/ssl/cfg/sys/rsa - SSL Configuration System RSA servers Menu
/ssl/cfg/sys/syslog - SSL Configuration System SysLog Servers Menu
/ssl/cfg/sys/accesslist - SSL Configuration System Access List Menu
/ssl/cfg/sys/adm - SSL Configuration System Administrative applications Menu


/ssl/cfg/sys/adm/snmp - SSL Configuration System Administrative applications SNMP Menu
/ssl/cfg/sys/adm/snmp/snmpv2-mib - SSL Configuration System Administrative applications SNMPv2 MIB SNMP Menu
/ssl/cfg/sys/adm/snmp/community - SSL Configuration System Administrative applications SNMP Community Menu
/ssl/cfg/sys/adm/snmp/users - SSL Configuration System Administrative applications SNMP Users Menu
/ssl/cfg/sys/adm/snmp/target - SSL Configuration System Administrative applications SNMP Target Menu
/ssl/cfg/sys/adm/audit - SSL Configuration System Administrative applications Audit Menu
/ssl/cfg/sys/adm/audit/servers - SSL Configuration System Administrative applications Audit Servers Menu
/ssl/cfg/sys/adm/http - SSL Configuration System Administrative applications HTTP Menu
/ssl/cfg/sys/adm/https - SSL Configuration System Administrative applications HTTPS Menu
/ssl/cfg/sys/adm/sshkeys - SSL Configuration System Administrative applications SSH Host keys Menu
/ssl/cfg/sys/adm/sshkeys/knownhosts - SSL Configuration System Administrative applications SSH Known Host keys Menu
/ssl/cfg/sys/user - SSL Configuration System Menu
/ssl/cfg/sys/user/edit - SSL Configuration System User Edit Menu
/ssl/cfg/sys/user/edit/groups - SSL Configuration System User Edit Menu
/ssl/cfg/lang - SSL Configuration Language Support Menu
/ssl/boot - SSL Boot Menu
/ssl/boot/software - SSL Performance Menu
/ssl/maint - SSL Performance Maintenance Menu
/ssl/maint/hsm - SSL Performance HSM Menu


Glossary

Index


Preface

The Nortel Application Switch Operating System 24.0 Command Referencedescribes how to configure and use the Nortel Application Switch OperatingSystem software with your Nortel Application Switch.

For documentation on installing the switches physically, see the HardwareInstallation Guide for your particular switch model.

Who should use this bookThis Command Reference is intended for network installers and systemadministrators engaged in configuring and maintaining a network. Theadministrator should be familiar with Ethernet concepts, IP addressing, theIEEE 802.1d Spanning Tree Protocol, and SNMP configuration parameters.

How this book is organized"The Command Line Interface" (page 27) describes how to connect to theswitch and access the information and configuration menus.

"Menu Basics" (page 35) provides an overview of the menu system,including a menu map, global commands, and menu shortcuts.

"The Information Menu" (page 43) describes how to view switchconfiguration parameters.

"The Statistics Menu" (page 117) describes how to view switch performancestatistics.

"The Configuration Menu" (page 217) describes how to configure switchsystem parameters, ports, VLANs, Spanning Tree Protocol, SNMP, PortMirroring, IP Routing, Port Trunking, and more.

"The SLB Configuration Menu" (page 355)describes how to configureServer Load Balancing, Filtering, Global Server Load Balancing, and more.


Page 24: 24.0.0 Command Reference

"The Operations Menu" (page 443) describes how to use commands which affect switch performance immediately, but do not alter permanent switch configurations (such as temporarily disabling ports). The menu describes how to activate or deactivate optional software features.

"The Boot Options Menu" (page 455) describes the use of the primary and alternate switch images, how to load a new software image, and how to reset the software to factory defaults.

"The Maintenance Menu" (page 463) describes how to generate and access a dump of critical switch state information, how to clear it, and how to clear part or all of the forwarding database.

"Nortel Application Switch Operating System Syslog Messages" (page 587) presents a listing of syslog messages.

"Nortel Application Switch Operating System SNMP Agent" (page 597) lists the Management Interface Bases (MIBs) supported in the switch software.

"Performing a Serial Download" (page 603) shows how to directly load a binary software image into the switch for upgrade or maintenance.

"Glossary" (page 607) defines the terminology used throughout the book.

Index includes pointers to the description of the key words used throughout the book.

Related documentation

• Nortel Application Switch Operating System 24.0 Application Guide (NN47220-104)

Provides application explanations and configuration examples for the Switch.

• Nortel Application Switch Operating System 24.0 Browser-Based Interface (BBI) Quick Guide (NN47220-103)

Provides a description of the Switch BBI and how to configure and access it on the Switch.

• Nortel Application Switch Hardware Installation Guide (Part Number 315396-F)

Provides a description of the Nortel Application Switch hardware, the physical features, how to install it, and how to troubleshoot it.

• Nortel Application Switch Operating System 24.0 Release Notes (NN47220-401)

Page 25: 24.0.0 Command Reference

This document provides a description of new features and caveats and limitations, if any, in the software.

Typographic conventions

The following table describes the typographic styles used in this book.

Typographic conventions

Typeface or Symbol: AaBbCc123
Meaning: This type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts.
Example: View the readme.txt file.
Example: Main#

Typeface or Symbol: AaBbCc123
Meaning: This bold type appears in command examples. It shows text that must be typed in exactly as shown.
Example: Main# sys

Typeface or Symbol: AaBbCc123
Meaning: This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows book titles, special terms, or words to be emphasized.
Example: To establish a Telnet session, enter: host# telnet <IP address>
Example: Read your User’s Guide thoroughly.

Typeface or Symbol: [ ]
Meaning: Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
Example: host# ls [-a]

How to get help

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

If you purchased a Nortel service program, contact one of the following Nortel Technical Solutions Centers:

Technical Solutions Center Telephone

Europe, Middle East, and Africa 00800 8008 9009 or +44 (0) 870 907 9009

North America (800) 4NORTEL or (800) 466-7835

Page 26: 24.0.0 Command Reference

Asia Pacific (61) (2) 8870-8800

China (800) 810-5000

Additional information about the Nortel Technical Solutions Centers is available at the following URL:

http://www.nortelnetworks.com/help/contact/global

An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate an ERC for your product or service, refer to the following URL:

http://www.nortelnetworks.com/help/contact/erc/index.html

Page 27: 24.0.0 Command Reference

The Command Line Interface

Your Nortel Application Switch is ready to perform basic switching functions right out of the box. Some of the more advanced features, however, require some administrative configuration before they can be used effectively.

The extensive Nortel Application Switch Operating System switching software included in your switch provides a variety of options for accessing and configuring the switch:

• A built-in, text-based command line interface and menu system for access via local terminal or remote Telnet session

• A GUI-based Application Switch Element Manager (ASEM) for interactive network access

• SNMP support for access through network management software such as HP OpenView

• Nortel Application Switch Operating System Browser-Based Interface (BBI)

The command line interface is the most direct method for collecting switch information and performing switch configuration. Using a basic terminal, you are presented with a hierarchy of menus that enable you to view information and statistics about the switch, and to perform any necessary configuration.

This chapter explains how to access the Command Line Interface (CLI) of the switch.

Connecting to the Switch

You can access the command line interface in any one of the following ways:

• Using a console connection via the console port

• Using a Telnet connection over the network

• Using an SSH connection to securely log into another computer over a network

Page 28: 24.0.0 Command Reference

Establishing a Console Connection

Requirements

To establish a console connection with the switch, you will need the following:

• An ASCII terminal or a computer running terminal emulation software set to the parameters shown in the table below:

Console Configuration Parameters

Parameter Value

Baud Rate 9600

Data Bits 8

Parity None

Stop Bits 1

Flow Control None

• A standard serial cable with a male DB9 connector (see your switch hardware installation guide for specifics).

Procedure

1. Connect the terminal to the Console port using the serial cable.

2. Power on the terminal.

3. To establish the connection, press Enter a few times on your terminal.

Enter a password for access to the switch.

Establishing a Telnet Connection

A Telnet connection offers the convenience of accessing the switch from any workstation connected to the network. Telnet access provides the same options for user access and administrator access as those available through the console port.

To configure the switch for Telnet access, you need to have a device with Telnet software located on the same network as the switch. The switch must have an IP address. The switch can get its IP address in one of two ways:

• Dynamically, from a BOOTP server on your network.

• Manually, when you configure the switch IP address.

Note: You need to enable Telnet and SSH, using a serial connection, before you can use these methods of accessing the switch. Refer to "Establishing a Console Connection" (page 28).

Page 29: 24.0.0 Command Reference

Using a BOOTP Server

By default, the Nortel Application Switch Operating System software is set up to request its IP address from a BOOTP server. If you have a BOOTP server on your network, add the MAC address of the switch to the BOOTP configuration file located on the BOOTP server. The MAC address can be found on a small white label on the back panel of the switch. The MAC address can also be found in the System Information menu (see "/info/sys System Information Menu" (page 45)).

Note: If connecting to the management port, BOOTP is not supported. The port must be manually configured with the proper IP address.

Running Telnet

Once the IP parameters on the Nortel Application Switch are configured, you can access the CLI using a Telnet connection. To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the Telnet command, followed by the switch IP address:

telnet <IP address>

Then, enter a password as explained in "Establishing an SSH Connection" (page 29).

Establishing an SSH Connection

Although a remote network administrator can manage the configuration of a Nortel Application Switch through Telnet, this method does not provide a secure connection. The SSH (Secure Shell) protocol enables you to securely log into another computer over a network to execute commands remotely. As a secure alternative to using Telnet to manage switch configuration, SSH ensures that all data sent over the network is encrypted and secure.

The switch can do only one session of key/cipher generation at a time. Thus, an SSH/SCP client is not able to log in if the switch is doing key generation at that time or if another client has just logged in before this client. Similarly, the system fails to do the key generation if an SSH/SCP client is logging in at that time.

The supported SSH encryption and authentication methods are listed below.

• Server Host Authentication: Client RSA-authenticates the switch at the beginning of every connection.

• Key Exchange: RSA

• Encryption: 3DES-CBC, DES

• User Authentication: Local password authentication, Radius

Page 30: 24.0.0 Command Reference

The following SSH clients have been tested:

• SSH 1.2.23 and SSH 1.2.27 for Linux (freeware)

• SecureCRT 3.0.2 and SecureCRT 3.0.3 (Van Dyke Technologies, Inc.)

• F-Secure SSH 1.1 for Windows (Data Fellows)

Note: The Nortel Application Switch Operating System implementation of SSH is based on SSH version 1.5 and supports SSH-1.5-1.X.XX. SSH clients of other versions (especially Version 2) are not supported.
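Because the switch speaks SSH version 1.5 only and Telnet is unencrypted, a management-plane inventory can flag both from the services and identification strings it records. The following Python example is added here and is not part of the Nortel reference; the record fields, addresses and banner values are constructed sample data, and the finding names are assumptions.

```python
import re

# Identification string sent at connect time: SSH-<protocol version>-<software version>
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")

# Constructed observations of management services (documentation addresses).
OBSERVED = [
    {"host": "192.0.2.10", "service": "telnet", "banner": ""},
    {"host": "192.0.2.10", "service": "ssh", "banner": "SSH-1.5-1.2.27"},
    {"host": "192.0.2.20", "service": "ssh", "banner": "SSH-1.99-OpenSSH_3.9p1"},
    {"host": "192.0.2.30", "service": "ssh", "banner": "SSH-2.0-OpenSSH_9.6"},
    {"host": "192.0.2.40", "service": "ssh", "banner": "garbage"},
]

# Finding code -> (severity, explanation). Names and severities are assumptions.
FINDINGS = {
    "telnet-enabled": ("high", "Telnet is enabled; the session is not encrypted"),
    "ssh1-only": ("high", "SSH offers protocol 1 only, as this reference describes"),
    "ssh1-and-ssh2": ("medium", "SSH still accepts protocol 1 next to protocol 2"),
    "ssh-unparsed": ("info", "SSH identification string could not be parsed"),
}
SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}


def classify_ssh(banner):
    """Classify a server identification string by the protocol versions it offers."""
    match = BANNER_RE.match(banner.strip())
    if not match:
        return "unparsed"
    version = (int(match.group(1)), int(match.group(2)))
    if version == (1, 99):
        # 1.99 is how a protocol 2 server announces that it also accepts protocol 1.
        return "ssh1-and-ssh2"
    if version[0] == 1:
        return "ssh1-only"
    if version[0] == 2:
        return "ssh2-only"
    return "unparsed"


def audit(records):
    """Return (host, severity, code, explanation) tuples, most severe first."""
    found = []
    for rec in records:
        if rec["service"] == "telnet":
            code = "telnet-enabled"
        else:
            kind = classify_ssh(rec["banner"])
            if kind == "ssh2-only":
                continue  # nothing to report
            code = "ssh-unparsed" if kind == "unparsed" else kind
        severity, text = FINDINGS[code]
        found.append((rec["host"], severity, code, text))
    return sorted(found, key=lambda f: (SEVERITY_RANK[f[1]], f[0], f[2]))


if __name__ == "__main__":
    for host, severity, code, text in audit(OBSERVED):
        print(f"{severity:6} {host:12} {code:15} {text}")
```
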

Running SSH

Once the IP parameters are configured and the SSH service is turned on the Nortel Application Switch, you can access the command line interface using an SSH connection.

To establish an SSH connection with the switch, run the SSH program on your workstation by issuing the SSH command, followed by the switch IP address:

>> # ssh <switch IP address>

or, if SecurID authentication is required, use the following command:

>> # ssh -1 ace <switch IP address>

You are then prompted to enter your user name and password.

Accessing the Switch

To enable better switch management and user accountability, seven levels or classes of user access have been implemented on the Nortel Application Switch. Levels of access to CLI, Web management functions, and screens increase as needed to perform various switch management tasks. Conceptually, access classes are defined as follows:

• User interaction with the switch is completely passive: nothing can be changed on the Nortel Application Switch. Users may display information that has no security or privacy implications, such as switch statistics and current operational state information.

• Operators can only effect temporary changes on the Nortel Application Switch. These changes are lost when the switch is rebooted/reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reset of the switch, operators cannot severely impact switch operation.

Page 31: 24.0.0 Command Reference

• Administrators are the only ones that may make permanent changes to the switch configuration, that is, changes that are persistent across a reboot/reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the Nortel Application Switch. Because administrators can also make temporary (operator-level) changes, they must be aware of the interactions between temporary and permanent changes.

Access to switch functions is controlled through the use of unique usernames and passwords. Once you are connected to the switch via local console, Telnet, or SSH, you are prompted to enter a password. The default user names and passwords for each access level are listed in the following table.

Note: It is recommended that you change default switch passwords after initial configuration and as regularly as required under your network security policies.

User Access Levels

User Account: User
Description and Tasks Performed: The User has no direct responsibility for switch management. He or she can view all switch status information and statistics, but cannot make any configuration changes to the switch.
Password: user

User Account: SLB Operator
Description and Tasks Performed: The SLB Operator manages Web servers and other Internet services and their loads. In addition to being able to view all switch information and statistics, the SLB Operator can enable/disable servers using the Server Load Balancing operation menu.
Password: slboper

User Account: Layer 4 Operator
Description and Tasks Performed: The Layer 4 Operator manages traffic on the lines leading to the shared Internet services. This user currently has the same access level as the SLB Operator, and the access level is reserved for future use, to provide access to operational commands for operators managing traffic on the line leading to the shared Internet services.
Password: l4oper

User Account: Operator
Description and Tasks Performed: The Operator manages all functions of the switch. In addition to SLB Operator functions, the Operator can reset ports or the entire switch.
Password: oper

User Account: SLB Administrator
Description and Tasks Performed: The SLB Administrator configures and manages Web servers and other Internet services and their loads. In addition to SLB Operator functions, the SLB Administrator can configure parameters on the Server Load Balancing menus, with the exception of not being able to configure filters or bandwidth management.
Password: slbadmin

Page 32: 24.0.0 Command Reference

User Account: Layer 4 Administrator
Description and Tasks Performed: The Layer 4 Administrator configures and manages traffic on the lines leading to the shared Internet services. In addition to SLB Administrator functions, the Layer 4 Administrator can configure all parameters on the Server Load Balancing menus, including filters and bandwidth management.
Password: l4admin

User Account: Administrator
Description and Tasks Performed: The superuser Administrator has complete access to all menus, information, and configuration commands on the Nortel Application Switch, including the ability to change both the user and administrator passwords.
Password: admin

Note: With the exception of the "admin" user, access to each user level can be disabled by setting the password to an empty value. All user levels below "admin" will by default be initially disabled (empty password) until they are enabled by the "admin" user. This prevents inadvertently leaving the switch open to unauthorized users.

CLI Menu

Once the administrator password is verified, you are given complete access to the switch.

The following table shows the Main Menu with administrator privileges.

Note: If you are accessing a user account or Layer 4 administrator account, some menu options are not available.

Command Line History and Editing

For a description of global commands, shortcuts, and command line editing functions, see "Menu Basics" (page 35).

Page 33: 24.0.0 Command Reference

Idle Timeout

By default, the switch will disconnect your console or Telnet session after five minutes of inactivity. This function is controlled by the idle timeout parameter, which can be set from 1 to 10080 minutes. For information on changing this parameter, see "/cfg/sys System Configuration" (page 220).

Page 34: 24.0.0 Command Reference

Page 35: 24.0.0 Command Reference

Menu Basics

The Nortel Application Switch’s Command Line Interface (CLI) is used for viewing switch information and statistics. In addition, the administrator can use the CLI for performing all levels of switch configuration.

To make the CLI easy to use, the various commands have been logically grouped into a series of menus and sub-menus. Each menu displays a list of commands and/or sub-menus that are available, along with a summary of what each command does. Below each menu is a prompt where you can enter any command appropriate to the current menu.

This chapter describes the Main Menu commands, and provides a list of commands and shortcuts that are commonly available from all the menus within the CLI.

The Main Menu

The Main Menu appears after a successful connection and login. The following table shows the Main Menu for the administrator login. Some features are not available under the user login.

Note: The ssl option is only visible on the Nortel Application Switch Operating System 2000-SSL Series.

Page 36: 24.0.0 Command Reference

Menu Summary

• Information Menu

Provides sub-menus for displaying information about the current status of the switch: from basic system settings to VLANs, Layer 4 settings, and more.

• Statistics Menu

Provides sub-menus for displaying switch performance statistics. Included are port, IF, IP, ICMP, TCP, UDP, SNMP, routing, ARP, DNS, VRRP, and Layer 4 statistics.

• Configuration Menu

This menu is available only from an administrator login. It includes sub-menus for configuring every aspect of the switch. Changes to configuration are not active until explicitly applied. Changes can be saved to non-volatile memory.

• Operations Command Menu

Operations-level commands are used for making immediate and temporary changes to switch configuration. This menu is used for bringing ports temporarily in and out of service, performing port mirroring, and enabling or disabling Server Load Balancing functions. It is also used for activating or deactivating optional software packages.

• Boot Options Menu

This menu is used for upgrading switch software, selecting configuration blocks, and for resetting the switch when necessary.

• Maintenance Menu

This menu is used for debugging purposes, enabling you to generate a dump of the critical state information in the switch, and to clear entries in the forwarding database and the ARP and routing tables.

• SSL Accelerator Menu

This menu is used to connect to the SSL Accelerator in 2424-SSL model switches. Once connected, SSL configuration and maintenance can take place.

Global Commands

Some basic commands are recognized throughout the menu hierarchy. These commands are useful for obtaining online help, navigating through menus, and for applying and saving configuration changes.

For help on a specific command, type help. The following screen appears:

Page 37: 24.0.0 Command Reference

Description of Global Commands

Command Action

? command or help

Provides more information about a specific command on the current menu. When used without the command parameter, a summary of the global commands is displayed.

. or print

Display the current menu.

.. or up

Go up one level in the menu structure.

/

If placed at the beginning of a command, go to the Main Menu. Otherwise, this is used to separate multiple commands placed on the same line.

lines

Set the number of lines (n) that display on the screen at one time. The default is 24 lines. When used without a value, the current setting is displayed.

diff

Show any pending configuration changes.

apply

Apply pending configuration changes.

save

Write configuration changes to non-volatile flash memory.

revert

Remove pending configuration changes between "apply" commands. Use this command to restore configuration parameters set since last "apply" command.

exit or quit

Exit from the command line interface and log out.

ping

Use this command to verify station-to-station connectivity across the network. The format is as follows:

ping <host name> | <IP address> [tries<(1-32)> [msec delay]] [-m|-mgmt|-d|-data]

Where IP address is the hostname or IP address of the device, tries (optional) is the number of attempts (1-32), msec delay (optional) is the number of milliseconds between attempts. By default, the -d or -data option for network ports is in effect. If the management port is used, specify

Page 38: 24.0.0 Command Reference

the -m or -mgmt option. The DNS parameters must be configured if specifying hostnames (see "/cfg/l3/dns Domain Name System Configuration Menu" (page 327)).

ping6

Use this command to verify an IP address and interface connectivity across the network. The format is as follows:

ping6 <IP6 address> <Interface number>

For example:

ping6 3001::1234 - for ping6 global unicast address

ping6 fe80::201:2ff:feb1:10e2 20 - for ping6 link-local address

traceroute

Use this command to identify the route used for station-to-station connectivity across the network. The format is as follows:

traceroute <host name> | <IP address> [ <max-hops (1-32)> [msec delay]] [-m|-mgmt|-d|-data]

Where IP address is the hostname or IP address of the target station, max-hops (optional) is the maximum distance to trace (1-16 devices), and delay (optional) is the number of milliseconds to wait for the response. By default, the -d or -data option for network ports is in effect. If the management port is used, specify the -m or -mgmt option. As with ping, the DNS parameters must be configured if specifying hostnames.

pwd

Display the command path used to reach the current menu.

verbose n

Sets the level of information displayed on the screen:

0 = Quiet: Nothing appears except errors, not even prompts.

1 = Normal: Prompts and requested output are shown, but no menus.

2 = Verbose: Everything is shown.

When used without a value, the current setting is displayed.

Page 39: 24.0.0 Command Reference

telnet

This command is used to telnet out of the switch. The format is as follows: <hostname> | <IP address> [port] [-m|-mgmt|-d|-data]. Where IP address is the hostname or IP address of the device. By default, the -d or -data option for network ports is in effect. If the management port is used, specify the -m or -mgmt option.

history

This command brings up the history of the last 10 commands.

pushd

This command stores the current location of the menu tree. Optionally, a new path to change to can be specified. The format is as follows:

pushd [ <new_path> ]

popd

This command takes the user one level back to the menu location stored by the last pushd command.

who

This command displays the currently logged user’s session information.

Command Line History and Editing

Using the command line interface, you can retrieve and modify previously entered commands with just a few keystrokes. The following options are available globally at the command line:

Command Line History and Editing Options

Option Description

history

Display a numbered list of the last 10 previously entered commands.

!!

Repeat the last entered command.

!n

Repeat the nth command shown on the history list.

Ctrl-p

(Also the up arrow key.) Recall the previous command from the history list. This can be used multiple times to work backward through the last 10 commands. The recalled command can be entered as is, or edited using the options below.

Ctrl-n

(Also the down arrow key.) Recall the next command from the history list. This can be used multiple times to work forward through the last 10 commands. The recalled command can be entered as is, or edited using the options below.

Ctrl-a

Move the cursor to the beginning of the command line.

Ctrl-e

Move the cursor to the end of the command line.

Ctrl-b

(Also the left arrow key.) Move the cursor back one position to the left.

Page 40: 24.0.0 Command Reference

Ctrl-f

(Also the right arrow key.) Move the cursor forward one position to the right.

Backspace

(Also the Delete key.) Erase one character to the left of the cursor position.

Ctrl-d

Delete one character at the cursor position.

Ctrl-k

Kill (erase) all characters from the cursor position to the end of the command line.

Ctrl-l

Redraw the screen.

Ctrl-u

Clear the entire line.

Other keys

Insert new characters at the cursor position.

Command Line Interface Shortcuts

Command Stacking

As a shortcut, you can type multiple commands on a single line, separated by forward slashes (/). You can connect as many commands as required to access the menu option that you want. For example, the keyboard shortcut to access the Spanning Tree Port Configuration Menu from the Main# prompt is as follows:

Main# cfg/l2/stg/port

Command Abbreviation

Most commands can be abbreviated by entering the first characters which distinguish the command from the others in the same menu or sub-menu. For example, the command shown above could also be entered as follows:

Main# c/l2/st/p

Tab Completion

By entering the first letter of a command at any menu prompt and hitting Tab, the CLI displays all commands or options in that menu that begin with that letter. Entering additional letters further refines the list of commands or options displayed. If only one command fits the input text when Tab is pressed, that command will be supplied on the command line, waiting to be entered. If the Tab key is pressed without any input on the command line, the currently active menu is displayed.
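Stacked and abbreviated input such as c/l2/st/p has to be expanded to its full menu path before recorded operator commands can be compared or searched. The following Python example is added here and is not Nortel code: it resolves such input against a partial menu tree built only from command paths that appear on this page, and it assumes that an exact command name wins over longer names sharing the same prefix.

```python
"""Expand abbreviated, stacked CLI input such as "c/l2/st/p" to full menu paths."""

# Partial menu tree, built only from command paths that appear on this page.
PAGE_PATHS = [
    "info/sys/general", "info/sys/log", "info/sys/slog", "info/sys/snmpv3",
    "info/sys/sonmp", "info/l2", "info/l3", "info/slb", "info/security",
    "info/swkey", "cfg/l2/stg/port", "cfg/l2/trunk", "cfg/l2/vlan",
    "cfg/l2/team", "cfg/l3/vrrp/vr", "cfg/l3/vrrp/vrgroup", "cfg/slb/real",
    "cfg/slb/group", "cfg/slb/virt", "cfg/slb/filt", "oper/slb/group",
]


class UnknownCommand(ValueError):
    """No command in the current menu starts with the token."""


class AmbiguousCommand(ValueError):
    """More than one command in the current menu starts with the token."""

    def __init__(self, token, candidates):
        super().__init__(f"ambiguous '{token}': {', '.join(candidates)}")
        self.candidates = candidates


def build_tree(paths):
    """Turn slash-separated paths into nested dicts (menu -> sub-menu)."""
    root = {}
    for path in paths:
        node = root
        for name in path.split("/"):
            node = node.setdefault(name, {})
    return root


TREE = build_tree(PAGE_PATHS)


def expand_token(token, menu):
    """Return the single command in `menu` that `token` names or abbreviates."""
    if token in menu:  # assumption: an exact name wins over longer names
        return token
    matches = sorted(name for name in menu if name.startswith(token))
    if not matches:
        raise UnknownCommand(f"unknown '{token}'")
    if len(matches) > 1:
        raise AmbiguousCommand(token, matches)
    return matches[0]


def resolve(line, cwd=(), tree=TREE):
    """Resolve one input line, typed in menu `cwd`, to a tuple of full names.

    A leading "/" starts at the Main Menu, "/" separates stacked commands,
    and ".." or "up" goes up one level.
    """
    line = line.strip()
    path = [] if line.startswith("/") else list(cwd)
    for token in (t.strip() for t in line.split("/")):
        if not token:
            continue
        if token in ("..", "up"):
            if path:
                path.pop()
            continue
        menu = tree
        for name in path:
            menu = menu[name]
        path.append(expand_token(token, menu))
    return tuple(path)


def describe(line, cwd=()):
    """Full path as a string, or the reason the input cannot be resolved."""
    try:
        return "/".join(resolve(line, cwd))
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    for typed in ("c/l2/st/p", "/i/sy/sl", "/i/s", "/cfg/l3/vrrp/vr"):
        print(f"{typed:18} -> {describe(typed)}")
```
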

Configuration Ranges

Most commands now support the use of configuration ranges. Configuration ranges allow the user to set common parameters on a range of similar items on the switch, such as ports or VLANs. For example, the command shown below would set the PVID of ports 1 through 10 to 5.

Page 41: 24.0.0 Command Reference

Main# /cfg/real 1-10/enable

The following command menu items support range and enable:

Main# /cfg/bwm/cont

Main# cfg/bwm/policy

Main# /cfg/bwm/group

Main# /cfg/l2/stg

Main# /cfg/l2/trunk

Main# /cfg/l2/vlan

Main# cfg/l2/team

Main# /cfg/l3/if

Main# /cfg/l3/gw

Main# /cfg/l3/nwf

Main# /cfg/l3/rmap

Main# /cfg/l3/vrrp/vr

Main# /cfg/l3/vrrp/vrgroup

Main# /cfg/sec/pgroup

Main# /cfg/slb/real

Main# /cfg/slb/group

Main# /cfg/slb/virt

Main# /cfg/slb/filt

Main# /oper/slb/group

Main# /stat/s

Page 42: 24.0.0 Command Reference

Page 43: 24.0.0 Command Reference

The Information Menu

You can view configuration information for the switch in both the user and administrator command modes. This chapter discusses how to use the command line interface to display switch information.

/info Information Menu

The information provided by each menu option is briefly described in "Information Menu Options (/info)" (page 43), with pointers to where detailed information can be found.

Information Menu Options (/info)

Command Syntax and Usage

sys

Displays system menu information. To view menu options, see "/info/sys System Information Menu" (page 45).

l2

Displays the Layer 2 Information Menu. For details, see "/info/l2 Layer 2 Information Menu" (page 68).

l3

Displays the Layer 3 information menu. For details, see "/info/l3 Layer 3 Information Menu" (page 80).

Page 44: 24.0.0 Command Reference

slb

Displays the Layer 4 Information Menu. To view menu options, see "/info/slb Layer 4 Information Menu" (page 100).

bwm

Displays Bandwidth Management information. For details, see "/info/bwm Bandwidth Management Information" (page 110).

security

Displays current UDP blast settings and the security status of the port. To view a sample, see "/info/security Security Information" (page 113).

link

Displays configuration information about each port, including:

• Port number

• Port speed (10, 100, 10/100, or 1000)

• Duplex mode (half, full, or auto)

• Flow control for transmit and receive (no, yes, or auto)

• Link status (up or down)

For details, see "/info/link Link Status Information" (page 113).

port

Displays port status information, including:

• Port number

• Whether the port uses VLAN Tagging or not

• Port VLAN ID (PVID)

• Port name

• VLAN membership

For details, see "/info/port Port Information" (page 114).

swkey

Displays a list of all the optional software packages which have been activated or installed on your switch. For details see "/info/swkey Software Enabled Keys" (page 115).

Page 45: 24.0.0 Command Reference

dump

Dumps all switch information available from the Information Menu (10K or more, depending on your configuration).

If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump commands. For details, see "/info/dump Information Dump" (page 116).

/info/sys System Information Menu

Information System Menu Options (/info/sys)

Command Syntax and Usage

snmpv3

Displays SNMPv3 Information Menu. To view the menu options, see "SNMPv3 information Menu Options (/info/sys/snmpv3)" (page 47).

general

Displays general system information including:

• System information like time, day, and date.

• Switch model name and number

• How long the switch has been up

• Time of last boot

• MAC address of the switch management processor

• Internal SSL Processor MAC Address if the switch is 2424-SSL

• IP address of IP interface #1


• Hardware order number and part numbers of the Mainboard Hardware, Management Processor Board Hardware, and Fast Ethernet Board Hardware

• Software image file and version number

• Configuration name

• Log-in banner, if one is configured

See "/info/sys/general" (page 54) for a sample output.

time

Displays the current time.

log

Displays last 64 syslog messages. See "/info/sys/log" (page 55) for a sample output and detailed information.

slog

Displays the last 64 syslog messages that are saved in flash. See "/info/sys/slog" (page 56) for a sample output.

mgmt

Displays Management port information. See "/info/sys/mgmt" (page 57) for detailed information.

sonmp

Displays SONMP topology table information. See "/info/sys/sonmp" (page 58) for detailed information.

capacity gen|bwm|l2|l3|slb|port

Displays the switch capacity information. This output displays the maximum switch capacity for the various applications and services that the switch supports. The output contains capacity information about Layer 2, Layer 3, RIP, OSPF, BGP, Route Maps, Network Filters, VRRP, Layer 4-7, which includes Server Load Balancing, Filters, GSLB, Health Checks, Bandwidth Management, General switch information, and SNMPv3.

See "/info/sys/capacity" (page 59) for a sample output.

fan

Displays the fan status of the switch.

temp

Displays the temperature status of the switch sensors.

encrypt

Displays the current encryption licenses.


user

Displays the current user names.

dump

Displays all system information. See "/info/sys/dump" (page 63) for a sample output.

/info/sys/snmpv3 SNMPv3 System Information Menu

SNMP version 3 (SNMPv3) is an extensible SNMP Framework that supplements the SNMPv2 Framework by supporting the following:

• a new SNMP message format

• security for messages

• access control

• remote configuration of SNMP parameters

For more details on the SNMPv3 architecture, refer to RFC 2271 through RFC 2276.

SNMPv3 information Menu Options (/info/sys/snmpv3)

Command Syntax and Usage

usm

Displays User Security Model (USM) table information. To view the table, see "/info/sys/snmpv3/usm" (page 48).

view

Displays information about view, subtrees, mask and type of view. To view a sample, see "/info/sys/snmpv3/view" (page 49).

access

Displays View-based Access Control information. To view a sample, see "/info/sys/snmpv3/access" (page 49).

group


Displays information about the group that includes the security model, user name, and group name. To view a sample, see "/info/sys/snmpv3/group" (page 50).

comm

Displays the community table information. To view a sample, see "/info/sys/snmpv3/comm" (page 51).

taddr

Displays the Target Address table information. To view a sample, see "/info/sys/snmpv3/taddr" (page 51).

tparam

Displays the Target parameters table information. To view a sample, see "/info/sys/snmpv3/tparam" (page 52).

notify

Displays the Notify table information. To view a sample, see "/info/sys/snmpv3/notify" (page 52).

dump

Displays all the SNMPv3 information. To view a sample, see "/info/sys/snmpv3/dump" (page 53).

/info/sys/snmpv3/usm SNMPv3 USM User Table Information

The User-based Security Model (USM) in SNMPv3 provides security services such as authentication and privacy of messages. This security model makes use of a defined set of user identities displayed in the USM user table. The USM user table contains information like:

• the user name

• a security name in the form of a string whose format is independent of the Security Model

• an authentication protocol, which is an indication that the messages sent on behalf of the user can be authenticated

• the privacy protocol.


USM User Table Information Parameters (/info/sys/usm)

Field        Description
User Name    This is a string that represents the name of the user that you can use to access the switch.
Protocol     This indicates whether messages sent on behalf of this user are protected from disclosure using a privacy protocol. The Nortel Application Switch Operating System supports the DES algorithm for privacy. The software also supports two authentication algorithms: MD5 and HMAC-SHA.

/info/sys/snmpv3/view SNMPv3 View Table Information

The user can control and restrict the access allowed to a group to only a subset of the management information in the management domain that the group can access within each context by specifying the group’s rights in terms of a particular MIB view for security reasons.

View Name      Subtree            Mask       Type
-------------- ------------------ ---------- ---------
org            1.3                           included
v1v2only       1.3                           included
v1v2only       1.3.6.1.6.3.15                excluded
v1v2only       1.3.6.1.6.3.16                excluded
v1v2only       1.3.6.1.6.3.18                excluded

SNMPv3 View Table Information Parameters (/info/sys/snmpv3/view)

Field        Description
View Name    Displays the name of the view.
Subtree      Displays the MIB subtree as an OID string. A view subtree is the set of all MIB object instances which have a common Object Identifier prefix to their names.
Mask         Displays the bit mask.
Type         Displays whether a family of view subtrees is included or excluded from the MIB view.
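How the included and excluded rows of the sample view table combine for a given OID, worked through with the family-matching rule of the View-based Access Control Model (RFC 2275, within the RFC range this page cites). This is an added example, not Nortel code; the function names and the "-" placeholder for an empty Mask column are this example's own, and it assumes the switch applies the standard rule.

```python
# Added example: evaluates SNMPv3 MIB views with the RFC 2275 family-matching rule.

# Rows copied from the sample view table on this page. "-" is this example's
# placeholder for the empty Mask column; a non-empty mask is given as hex ("ffa0").
VIEW_TABLE = """
org       1.3             -  included
v1v2only  1.3             -  included
v1v2only  1.3.6.1.6.3.15  -  excluded
v1v2only  1.3.6.1.6.3.16  -  excluded
v1v2only  1.3.6.1.6.3.18  -  excluded
"""


def parse_oid(text):
    """'1.3.6.1' -> (1, 3, 6, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


def parse_views(text):
    """Parse 'name subtree mask type' rows into (name, subtree, mask, included)."""
    families = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, subtree, mask, kind = line.split()
        mask_bytes = b"" if mask == "-" else bytes.fromhex(mask)
        families.append((name, parse_oid(subtree), mask_bytes, kind == "included"))
    return families


def mask_bit(mask, index):
    """Mask bit for sub-identifier `index` (0-based); a short mask is padded with 1s."""
    byte, bit = divmod(index, 8)
    if byte >= len(mask):
        return 1
    return (mask[byte] >> (7 - bit)) & 1


def family_matches(oid, subtree, mask):
    """True if `oid` is in the family: 1-bits must match exactly, 0-bits are wildcards."""
    if len(oid) < len(subtree):
        return False
    return all(mask_bit(mask, i) == 0 or oid[i] == sub
               for i, sub in enumerate(subtree))


def in_view(families, view_name, oid_text):
    """Decide whether an OID is in the named view.

    Among the matching families of that view, the one with the most
    sub-identifiers wins (ties go to the lexicographically greater subtree);
    its included/excluded type is the answer. No matching family: not in view.
    """
    oid = parse_oid(oid_text)
    best_key, best_included = None, False
    for name, subtree, mask, included in families:
        if name != view_name or not family_matches(oid, subtree, mask):
            continue
        key = (len(subtree), subtree)
        if best_key is None or key > best_key:
            best_key, best_included = key, included
    return best_included


FAMILIES = parse_views(VIEW_TABLE)

if __name__ == "__main__":
    # sysDescr, a USM user-table column, and a community-table column
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.15.1.2.2.1.3", "1.3.6.1.6.3.18.1.1.1.2"):
        print(oid, "org:", in_view(FAMILIES, "org", oid),
              "v1v2only:", in_view(FAMILIES, "v1v2only", oid))
```

The three excluded subtrees are the USM (1.3.6.1.6.3.15), VACM (1.3.6.1.6.3.16) and community (1.3.6.1.6.3.18) MIB modules, so the v1v2only view keeps the SNMP security configuration itself out of reach of the community-based user while the org view still exposes it.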

/info/sys/snmpv3/access SNMPv3 Access Table Information

The access control subsystem provides authorization services.

The vacmAccessTable maps a group name, security information, a context, and a message type (a read or write operation, or a notification) into a MIB view.


The View-based Access Control Model defines a set of services that an application can use for checking access rights of a group. This group’s access rights are determined by a read-view, a write-view and a notify-view. The read-view represents the set of object instances authorized for the group while reading the objects. The write-view represents the set of object instances authorized for the group when writing objects. The notify-view represents the set of object instances authorized for the group when sending a notification.

SNMPv3 Access Table Information (/info/sys/snmpv3/access)

Field         Description
Group Name    Displays the name of the group.
Prefix        Displays the prefix that is configured to match the values.
Model         Displays the security model used, for example, SNMPv1, SNMPv2, or USM.
Level         Displays the minimum level of security required to gain rights of access. For example, noAuthNoPriv, authNoPriv, or authPriv.
Match         Displays the match for the contextName. The options are: exact and prefix.
ReadV         Displays the MIB view to which this entry authorizes the read access.
WriteV        Displays the MIB view to which this entry authorizes the write access.
NotifyV       Displays the Notify view to which this entry authorizes the notify access.

/info/sys/snmpv3/group SNMPv3 Group Table Information

A group is a combination of security model and security name that defines the access rights assigned to all the security names belonging to that group. The group is identified by a group name.


SNMPv3 Group Table Information Parameters (/info/sys/snmpv3/group)

Field         Description
Sec Model     Displays the security model used, which is any one of: USM, SNMPv1, SNMPv2, and SNMPv3.
User Name     Displays the name for the group.
Group Name    Displays the access name of the group.

/info/sys/snmpv3/comm SNMPv3 Community Table Information

This command displays the community table information stored in the SNMP engine.

Index      Name       User Name            Tag
---------- ---------- -------------------- ----------
trap1      public     v1v2only             v1v2trap

SNMPv3 Community Table Parameters (/info/sys/snmpv3/comm)

Field        Description
Index        Displays the unique index value of a row in this table.
Name         Displays the community string, which represents the configuration.
User Name    Displays the User Security Model (USM) user name.
Tag          Displays the community tag. This tag specifies a set of transport endpoints from which a command responder application accepts management requests and to which a command responder application sends an SNMP trap.

/info/sys/snmpv3/taddr SNMPv3 Target Address Table Information

This command displays the SNMPv3 target address table information, which is stored in the SNMP engine.

Name       Transport Addr  Port Taglist    Params
---------- --------------- ---- ---------- ---------------
trap1      47.81.25.66     162  v1v2trap   v1v2param

SNMPv3 Target Address Table Information Parameters (/info/sys/snmpv3/taddr)

Field             Description
Name              Displays the locally arbitrary, but unique identifier associated with this snmpTargetAddrEntry.
Transport Addr    Displays the transport addresses.


Port              Displays the SNMP UDP port number.
Taglist           This column contains a list of tag values which are used to select target addresses for a particular SNMP message.
Params            The value of this object identifies an entry in the snmpTargetParamsTable. The identified entry contains SNMP parameters to be used when generating messages to be sent to this transport address.

/info/sys/snmpv3/tparam SNMPv3 Target Parameters Table Information

Name         MP Model User Name    Sec Model Sec Level
------------ -------- ------------ --------- ---------
v1v2param    snmpv2c  v1v2only     snmpv1    noAuthNoPriv

SNMPv3 Target Parameters Table Information (/info/sys/snmpv3/tparam)

Field        Description
Name         Displays the locally arbitrary, but unique identifier associated with this snmpTargetParamsEntry.
MP Model     Displays the Message Processing Model used when generating SNMP messages using this entry.
User Name    Displays the securityName, which identifies the entry on whose behalf SNMP messages are generated using this entry.
Sec Model    Displays the security model used when generating SNMP messages using this entry. The system may choose to return an inconsistentValue error if an attempt is made to set this variable to a value for a security model which the system does not support.
Sec Level    Displays the level of security used when generating SNMP messages using this entry.

/info/sys/snmpv3/notify SNMPv3 Notify Table Information

Name                 Tag
-------------------- --------------------
v1v2trap             v1v2trap


SNMPv3 Notify Table Information (/info/sys/snmpv3/notify)

Field    Description
Name     The locally arbitrary, but unique identifier associated with this snmpNotifyEntry.
Tag      This represents a single tag value which is used to select entries in the snmpTargetAddrTable. Any entry in the snmpTargetAddrTable that contains a tag value equal to the value of this entry, is selected. If this entry contains a value of zero length, no entries are selected.
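The notify, target address and target parameters tables chain together: a notify tag selects target addresses by Taglist, and each address names the Params entry that sets the security level of what is sent. The added example below (not Nortel code) follows that chain for the sample rows on this page and reports the security level per destination; the function names, the tuple layout and the 192.0.2.10 test address are this example's own constructions.

```python
from collections import namedtuple

# Rows copied from the sample notify, target address and target parameters
# tables on this page. Holding Taglist as a Python list is this example's choice.
NOTIFY_ROWS = [("v1v2trap", "v1v2trap")]                                  # Name, Tag
TADDR_ROWS = [("trap1", "47.81.25.66", 162, ["v1v2trap"], "v1v2param")]   # Name, Addr, Port, Taglist, Params
TPARAM_ROWS = [("v1v2param", "snmpv2c", "v1v2only", "snmpv1", "noAuthNoPriv")]

TrapPath = namedtuple(
    "TrapPath", "notify target addr port mp_model user sec_level finding")

# What each SNMPv3 security level means for the notification on the wire.
FINDINGS = {
    "noAuthNoPriv": "not authenticated, not encrypted",
    "authNoPriv": "authenticated, not encrypted",
    "authPriv": "authenticated and encrypted",
}


def resolve_trap_paths(notify_rows, taddr_rows, tparam_rows):
    """Join notify tag -> target address (by Taglist) -> target parameters."""
    params_by_name = {row[0]: row for row in tparam_rows}
    paths = []
    for notify_name, tag in notify_rows:
        if not tag:
            # A zero-length tag selects no target addresses.
            continue
        for target, addr, port, taglist, params_name in taddr_rows:
            if tag not in taglist:
                continue
            params = params_by_name.get(params_name)
            if params is None:
                # The address points at a Params entry that does not exist.
                paths.append(TrapPath(notify_name, target, addr, port,
                                      None, None, None,
                                      "Params entry %r not found" % params_name))
                continue
            _name, mp_model, user, _sec_model, level = params
            paths.append(TrapPath(notify_name, target, addr, port,
                                  mp_model, user, level,
                                  FINDINGS.get(level, "unknown security level")))
    return paths


def weak_paths(paths):
    """Destinations whose notifications are not both authenticated and encrypted."""
    return [p for p in paths if p.sec_level != "authPriv"]


if __name__ == "__main__":
    for path in resolve_trap_paths(NOTIFY_ROWS, TADDR_ROWS, TPARAM_ROWS):
        print("%s -> %s:%s via %s as %s: %s" % (
            path.notify, path.addr, path.port, path.mp_model, path.user, path.finding))
```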

/info/sys/snmpv3/dump SNMPv3 Dump Information


General System Information

On a Nortel Application Switch 2424:

System Information at 6:56:53 Thu Sep 15, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia (GMT offset -4:00)

Alteon Application Switch 2424

Switch is up 3 days, 11 hours, 28 minutes and 34 seconds.
Last boot: 18:28:09 Sun Sep 11, 2005 (reset from Telnet)
Last apply: unknown
Last save: 5

MAC Address: 00:01:81:2e:bc:50 IP (If 1) Address: 0.0.0.0
Hardware Order No: EB1412006 Serial No: ABCDE600MJ Rev: 09
Mainboard Hardware: Part No: P314090-A Rev: 00
Management Processor Board Hardware: Part No: P314080-A Rev: 00
Fast Ethernet Board Hardware: Part No: P314091-A Rev: 00

Note - When the measured temperature inside the switch
EXCEEDs the high threshold at 62 degree Celsius a
syslog message will be generated.

Software Version 23.0.1 (FLASH image2), active configuration.

On a Nortel Application Switch 2424-SSL:


Note: The display of temperature comes up only if the temperature of any of the sensors exceeds 60°C. The software sends a warning message if any of the sensors exceeds this temperature threshold. The switch will shut down if the power supply overheats and the temperature gets to 100°C. Information about fan failures is also displayed if one or more fans are not functioning.

/info/sys/time Show System Time

/info/sys/log Show Last 64 Syslog Messages

Each syslog message has a criticality level associated with it, included in text form as a prefix to the log message. One of eight different prefixes is used, depending on the condition that the administrator is being notified of, as shown below.

• EMERG: indicates the system is unusable

• ALERT: indicates action should be taken immediately

• CRIT: indicates critical conditions

• ERR: indicates error conditions or error operations

• WARNING: indicates warning conditions

• NOTICE: indicates a normal but significant condition

• INFO: indicates an information message

• DEBUG: indicates a debug-level message

/info/sys/slog Last 64 Saved Syslog Messages

/info/sys/mgmt Management Port Information

Use this command to display Management port information on a Nortel Application Switch, including:

• Port speed (10/100)

• Duplex mode (half, full, any, or auto)

• Link (Up or down)

• MAC Address of the system


• IP address of the Interface

• IP address of the gateway.

/info/sys/sonmp SONMP Information

This command displays the SynOptics Network Management Protocol (SONMP) topology table. SONMP protocol is enabled on Nortel Application Switches using the /cfg/sys/sonmp on command, and is necessary so that a Nortel Application Switch can be discovered by the Nortel Enterprise Switch Manager. When SONMP is enabled, devices on the network exchange multicast packets, namely flatnet hellos and segment hellos. The IP address of the device is written into the hello packets. As the network devices exchange information, a topology table is built like the one shown below.

SONMP Information Parameters Description

Parameter       Description
Slot Port       Specifies the slot and port on which the topology message was received.
IP Address      This is the IP address of the sender of the topology message.
Seg ID          The "segment identifier" of the segment from which the remote agent sent the topology message. Different devices may use different methods for representing the segment identifier.
Mac Address     The MAC address of the sender of the topology message.
Chassis Type    The chassis type of the device that sent the topology message.


Local Seg       Indicates if the sender of the topology message is on the same Ethernet segment (i.e. not across a bridge) as the reporting agent.
State           The current state of the sender of the topology message. The values are:

• topChanged—topology information has recently changed

• heartbeat—topology information unchanged.

• new—sending agent is in new state.

/info/sys/capacity System Capacity Information

The following sample output from a Nortel Application Switch 2424 displays the maximum and currently enabled switch capacity for various services and applications from Layer 2-7.


/info/sys/fan Show switch fan status

/info/sys/temp Show switch temperature sensor status

/info/sys/encrypt Show encryption licenses

/info/sys/user Show current user status

/info/sys/dump System Information Dump


/info/l2 Layer 2 Information Menu

[Layer 2 Menu]
     fdb   - Forwarding Database Information Menu
     lacp  - Link Aggregation Control Protocol Menu
     stg   - Show STG information
     cist  - Show CIST information
     trunk - Show Trunk Group information
     vlan  - Show VLAN information
     team  - Show port team information
     dump  - Dump all layer 2 information

Layer 2 Information Menu Options

Command Syntax and Usage

fdb

Displays the Forwarding Database Information Menu. For details, see "/info/l2/fdb" (page 70).

lacp

Displays Link Aggregation Control Protocol Information Menu. For details, see "/info/l2/lacp" (page 72).

stg <STG index to display or carriage return for all STGs>

In addition to seeing if Spanning Tree Protocol is enabled or disabled, you can view the following STP bridge information:

• Priority

• Hello interval

• Maximum age value

• Forwarding delay

• Aging time

You can also see the following port-specific STP information:

• Port number and priority

• Cost

• State

cist

Displays the CIST information.

trunk


When trunk groups are configured, you can view the state of each port in the various trunk groups. For details, see "/info/l2/trunk" (page 78).

vlan <VLAN number to display or carriage return to display all VLANs>

Displays VLAN configuration information, including:

• VLAN Number

• VLAN Name

• Status

• Port membership of the VLAN

For details, see "/info/l2/vlan" (page 78).

team

Show port team information.

dump

Displays all Layer 2 information.

/info/l2/fdb Layer 2 FDB Information

The forwarding database (FDB) contains information that maps the media access control (MAC) address of each known device to the switch port where the device address was learned. The FDB also shows which other ports have seen frames destined for a particular MAC address.

[Forwarding Database Menu]
     find  - Show a single FDB entry by MAC address
     port  - Show FDB entries on a single port
     trunk - Show FDB entries on a single trunk
     vlan  - Show FDB entries on a single VLAN
     refpt - Show FDB entries referenced by a single SP
     dump  - Show all FDB entries

Note: The master forwarding database supports up to 16K MAC address entries on the MP per switch. Each SP supports up to 8K entries.

Layer 2 FDB Information Menu Options (/info/l2/fdb)

Command Syntax and Usage

find <MAC address> [ <VLAN> ]


Displays a single database entry by its MAC address. You are prompted to enter the MAC address of the device. Enter the MAC address using the format, xx:xx:xx:xx:xx:xx. For example, 08:00:20:12:34:56.

You can also enter the MAC address using the format, xxxxxxxxxxxx. For example, 080020123456.

port <port number, 0 for "unknown">

Displays all FDB entries for a particular port.

trunk <trunk group number>

Displays all FDB entries on a single trunk.

vlan <VLAN number (1-4090)>

Displays all FDB entries on a single VLAN.

refpt <SP number (1-4)>

Displays the FDB entries referenced by a single port.

dump

Displays all entries in the Forwarding Database. For more information, see "/info/l2/fdb/dump" (page 71).

/info/l2/fdb/dump Show All FDB Information


An address that is in the forwarding (FWD) state means that it has been learned by the switch. When in the trunking (TRK) state, the port field represents the trunk group number. If the state for the port is listed as unknown (UNK), the MAC address has not yet been learned by the switch, but has only been seen as a destination address. When an address is in the unknown state, no outbound port is indicated, although ports which reference the address as a destination are listed under "Reference ports."

If the state for the port is listed as an interface (IF), the MAC address is for a standard VRRP virtual router. If the state is listed as a virtual server (VIP), the MAC address is for a virtual server router—a virtual router with the same IP address as a virtual server.

Clearing Entries from the Forwarding Database

To delete a MAC address from the forwarding database (FDB) or to clear the entire FDB, refer to "/maint/fdb Forwarding Database Options" (page 465).

/info/l2/lacp Link Aggregation Control Protocol Information Menu

The following menu options display the Link Aggregation Control Protocol (LACP) information on the Nortel Application Switch Operating System.

[LACP Menu]

aggr - Show LACP aggregator information for the port

port - Show LACP port information

dump - Show all LACP ports information

Link Aggregation Control Protocol Information Menu Options (/info/l2/lacp)

Command Syntax and Usage

aggr <aggregator index 1 to max num ports>

Displays information about an LACP aggregator.

port <port index 1 to max num ports>

Displays information about an LACP port.

dump

Displays LACP information of all the ports. Use this command to verify the state of ports in an LACP trunk group. To view a sample output, see .

/info/l2/lacp/aggr LACP Aggregator Information

Aggregator Id 1
----------------------------------------------
MAC address - 00:01:81:2e:a1:d1
Actor System Priority - 32768
Actor System ID - 00:01:81:2e:a1:b0
Individual - FALSE
Actor Admin Key - 300
Actor Oper Key - 300
Partner System Priority - 32768
Partner System ID - 00:0d:29:e3:4a:00
Partner Oper Key - 1
ready - TRUE
Number of Ports in aggr - 10
index 0 port 1
index 1 port 2
index 2 port 3
index 3 port 4
index 4 port 5
index 5 port 6
index 6 port 7
index 7 port 8
index 8 port 9
index 9 port 10

/info/l2/lacp/port LACP Port Information


/info/l2/lacp/dump LACP Dump Information


/info/l2/stg Layer 2 Spanning Tree Group Information

When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the network so that a switch uses only the most efficient path.

Note: The Nortel Application Switch Operating System supports up to 16 multiple Spanning Trees or Spanning Tree Groups.

The switch software uses the IEEE 802.1d Spanning Tree Protocol (STP). In addition to seeing if STP is enabled or disabled, you can view the following STP bridge information:

• Priority

• Hello interval

• Maximum age value

• Forwarding delay

• Aging time


You can also see the following port-specific STP information:

• Port number and priority

• Cost

• State

• Designated Bridge

• Designated Port

The following table describes the STP parameters.

Spanning Tree Parameter Descriptions

Parameter            Description
Priority (bridge)    The bridge priority parameter controls which bridge on the network will become the STP root bridge.
Hello                The hello time parameter specifies, in seconds, how often the root bridge transmits a configuration bridge protocol data unit (BPDU). Any bridge that is not the root bridge uses the root bridge hello value.
MaxAge               The maximum age parameter specifies, in seconds, the maximum time the bridge waits without receiving a configuration bridge protocol data unit before it reconfigures the STP network.
FwdDel               The forward delay parameter specifies, in seconds, the amount of time that a bridge port has to wait before it changes from learning state to forwarding state.
Aging                The aging time parameter specifies, in seconds, the amount of time the bridge waits without receiving a packet from a station before removing the station from the Forwarding Database.
priority (port)      The port priority parameter helps determine which bridge port becomes the designated port. In a network topology that has multiple bridge ports connected to a single segment, the port with the lowest port priority becomes the designated port for the segment.
Cost                 The port path cost parameter is used to help determine the designated port for a segment. Generally speaking, the faster the port, the lower the path cost. A setting of 0 indicates that the cost is set to the appropriate default after the link speed has been auto negotiated.
State                The state field shows the current state of the port. The state field can be either BLOCKING, LISTENING, LEARNING, FORWARDING, or DISABLED.


Designated Bridge    The designated bridge resides closest to the root bridge and is responsible for forwarding packets from LAN towards the root bridge. This bridge is displayed as a character string starting with the bridge priority (1-65535) followed by a hyphen and the six-byte MAC address of that switch.
Designated port      The designated port identifies a physical port. This is a number that is the numerical sum of bridge priority and the actual physical port number. For example, a physical port number four with bridge priority 32768 is displayed as 32768+4=32772.

/info/l2/cist Show common internal spanning tree (CIST) information

Note: The Nortel Application Switch Operating System supports up to 16 multiple Spanning Trees or Spanning Tree Groups.

----------------------------------------------------------
Common Internal Spanning Tree:

VLANs: 1 4-4094

Current Root:            Path-Cost  Port  MaxAge  FwdDel
 8000 00:01:81:2e:bc:50          0     0      20      15

Cist Regional Root:      Path-Cost
 8000 00:01:81:2e:bc:50          0

Parameters:  Priority  MaxAge  FwdDel  Hops
                32768      20      15    20

Port Prio Cost State Role Designated Bridge Des Port Hello Type
---- ---- ------- ---- ---- ------------------- -------- ----- ----
1    128  20000   DSB
2    128  20000   DSB
3    128  20000   DSB
4    128  20000   DSB
5    128  20000   DSB
6    128  20000   DSB
7    128  20000   DSB
...
18   128  20000   DSB
19   128  20000   DSB
20   128  20000   DSB
21   128  20000   DSB
22   128  20000   DSB
23   128  20000   DSB
24   128  20000   DSB
25   128  20000   DSB
26   128  20000   DSB
27   128  20000   DSB
28   128  20000   DSB
sslpro 128 20000 DISC DESG 8000-00:01:81:2e:bc:50 801d 2 Shared

/info/l2/trunk Trunk Group Information

Trunk groups can provide super-bandwidth, multi-link connections between Nortel Application Switches or other trunk-capable devices. A trunk group is a group of ports that act together, combining their bandwidth to create a single, larger virtual link. When trunk groups are configured, you can view the state of each port in the various trunk groups.

Trunk group 1, bw contract 1024, port state:
1: STG 1 forwarding
2: STG 1 forwarding

Note: If Spanning Tree Protocol on any port in the trunk group is set to forwarding, the remaining ports in the trunk group are also set to forwarding.

/info/l2/vlan VLAN Information

This information display includes all configured VLANs and all member ports that have an active link state. Port membership is represented in slot/port format.

VLAN information includes:

• VLAN Number

• VLAN Name

• Status

• Jumbo Frames

• Bandwidth Contract if BWM is enabled

Page 79: 24.0.0 Command Reference

• Source MAC Address Learning

• Port membership of the VLAN


/info/l2/team Status of port teams

>> Layer 2# team
All port teams are disabled.

/info/l2/dump

Page 80: 24.0.0 Command Reference

Layer2 Dump Information

/info/l3 Layer3 Information Menu

Layer 3 Information Menu Options

Command Syntax and Usage

route

Page 81: 24.0.0 Command Reference

Displays the IP Routing Menu. Using the options of this menu, the system displays the following for each configured or learned route:

• Route destination IP address, subnet mask, and gateway address

• Type of route

• Tag indicating origin of route

• Metric for RIP tagged routes, specifying the number of hops to the destination (1-15 hops, or 16 for infinite hops)

• The IP interface that the route uses

For details, see "/info/l3/route" (page 82).

route6

IP6 Routing Information Menu. To view menu options, see "/info/l3/route6" (page 84).

arp

Displays the Address Resolution Protocol (ARP) Information Menu. For details, see "/info/l3/arp" (page 85).

nbrcache

IP6 Neighbor Cache Menu. To view menu options, see "/info/l3/nbrcache" (page 88).

bgp

Displays BGP Information Menu. To view menu options, see "/info/l3/bgp" (page 90).

ospf

Displays OSPF routing information menu. For details, see "/info/l3/ospf" (page 92).

ip

Displays IP Information. For details, see "/info/l3/route" (page 82).

IP information includes:

• IP interface information: Interface number, IP address, subnet mask, broadcast address, VLAN number, and operational status.

• Default gateway information: Metric for selecting which configured gateway to use, gateway number, IP address, and health status

• IP forwarding information: Enable status, lnet and lmask

Page 82: 24.0.0 Command Reference

• Port status

vrrp

Displays the VRRP Information Menu. For details, see "/info/l3/vrrp" (page 98).

dump

Displays all Layer 3 information.

/info/l3/route IP Routing Information

Using the commands listed below, you can display all or a portion of the IP routes currently held in the switch.

Route Information Menu Options (/info/l3/route)

Command Syntax and Usage

find <IP address (such as, 192.4.17.101)>

Displays a single route by destination IP address.

gw <default gateway address (such as, 192.4.17.44)>

Displays routes to a single gateway.

type indirect|direct|local|broadcast|martian|multicast

Displays routes of a single type. For a description of IP routing types, see "IP Routing Type Parameters (/info/l3/route/dump/type)" (page 83).

tag fixed|static|addr|rip|ospf|bgp|broadcast|martian|vip

Displays routes of a single tag. For a description of IP routing types, see "IP Routing Tag Parameters (info/l3/route/tag)" (page 83).

if <interface number (1-256)>

Displays routes on a single interface.

Note: The total number of interfaces on a Nortel Application Switch 2424-SSL is 1-255.

Page 83: 24.0.0 Command Reference

dump

Displays all routes configured in the switch. For more information, see "/info/l3/route/dump" (page 83).

/info/l3/route/dump Show All IP Route Information

Type Parameters

The following table describes the Type parameters.

IP Routing Type Parameters (/info/l3/route/dump/type)

Parameter Description

indirect The next hop to the host or subnet destination is forwarded through a router at the Gateway address.

direct Packets are delivered to a destination host or subnet attached to the switch.

local Indicates a route to one of the switch’s IP interfaces.

broadcast Indicates a broadcast route.

martian The destination belongs to a host or subnet which is filtered out. Packets to this destination are discarded.

multicast Indicates a multicast route.

Tag Parameters

The following table describes the Tag parameters.

IP Routing Tag Parameters (info/l3/route/tag)

Parameter Description

fixed The address belongs to a host or subnet attached to the switch.

static The address is a static route which has been configured on the Nortel Application Switch.

Page 84: 24.0.0 Command Reference

addr The address belongs to one of the switch’s IP interfaces.

rip The address was learned by the Routing Information Protocol (RIP).

ospf The address was learned by Open Shortest Path First (OSPF).

bgp The address was learned via Border Gateway Protocol (BGP).

broadcast Indicates a broadcast address.

martian The address belongs to a filtered group.

multicast Indicates a multicast address.

vip Indicates a route destination that is a virtual server IP address. VIP routes are needed to advertise virtual server IP addresses via BGP.

/info/l3/route6 IPv6 Routing Information Menu

This menu provides a mechanism for viewing IPv6 routing information. The IPv6 routing table stores routes it learns from network traffic and pre-configured, static routes.

Note: Presently there is no mechanism for clearing this IPv6 routing table.

[IP6 Routing Menu]
  dump - Show all routes

"IPv6 Routing Information Menu Options (/info/l3/route6)" (page 84) provides a description of this menu.

IPv6 Routing Information Menu Options (/info/l3/route6)

Command Syntax and Usage

dump

The /info/l3/route6/dump command shows all the IPv6 routes maintained. Since each link-local interface is shown with an entry prefix of /128, the link-local network, such as FE80::/10, is not shown for each interface to avoid too many network entries in the table.

Page 85: 24.0.0 Command Reference

The following is an example of output from the /info/l3/route6/dump command.

>> Main# /info/l3/route6/dump

IPv6 Forwarding Table:

Destination: 0:0:0:0:0:0:0:0/0 If:1
  NextHop: 2005:0:0:0:0:0:0:16 Proto: STATIC

Destination: 2005:0:0:0:0:0:0:0/64 If:1
  NextHop: 0:0:0:0:0:0:0:0 Proto: LOCAL

Destination: 2005:0:0:0:0:0:0:1/128 If:1
  NextHop: 0:0:0:0:0:0:0:0 Proto: LOCAL

Destination: 2005:0:0:0:0:0:0:16/128 If:1
  NextHop: 0:0:0:0:0:0:0:0 Proto: STATIC

Destination: fe80:0:0:0:201:81ff:fe2e:a100/128 If:1
  NextHop: 0:0:0:0:0:0:0:0 Proto: LOCAL

Destination: ff02:0:0:0:0:0:0:1/128 If:1
  NextHop: 0:0:0:0:0:0:0:0 Proto: STATIC

Destination: ff02:0:0:0:0:0:0:2/128 If:1
  NextHop: 0:0:0:0:0:0:0:0 Proto: STATIC

Destination: ff02:0:0:0:0:1:ff00:0/128 If:1
  NextHop: 0:0:0:0:0:0:0:0 Proto: STATIC

Destination: ff02:0:0:0:0:1:ff00:1/128 If:1
  NextHop: 0:0:0:0:0:0:0:0 Proto: STATIC

Destination: ff02:0:0:0:0:1:ff2e:a100/128 If:1
  NextHop: 0:0:0:0:0:0:0:0 Proto: STATIC

Total number of route6 entries: 10
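
Because the IPv6 forwarding table cannot be cleared, a captured dump is a practical record to audit against an approved route list. The following is an added example, not part of the Nortel documentation: it parses output in the format shown above, checks the entry count against the trailer line, and reports STATIC unicast routes that are not on an approved list. The function names, the approved list and the sample capture are assumptions made for illustration.

```python
import ipaddress
import re
from typing import NamedTuple

# One forwarding-table entry. \s* between "If:<n>" and "NextHop:" lets the
# pattern match both the two-line layout and a capture whose lines were joined.
ENTRY_RE = re.compile(
    r"Destination:\s*(?P<dest>\S+)\s+If:\s*(?P<ifnum>\d+)\s*"
    r"NextHop:\s*(?P<nexthop>\S+)\s+Proto:\s*(?P<proto>\w+)"
)
TOTAL_RE = re.compile(r"Total number of route6 entries:\s*(\d+)")


class Route6(NamedTuple):
    dest: ipaddress.IPv6Network
    ifnum: int
    nexthop: ipaddress.IPv6Address
    proto: str


def parse_route6_dump(text):
    """Parse captured /info/l3/route6/dump output into Route6 records.

    Raises ValueError when the trailer line is missing or disagrees with the
    number of parsed entries, which indicates a truncated or damaged capture.
    """
    routes = [
        Route6(
            ipaddress.IPv6Network(m["dest"], strict=False),
            int(m["ifnum"]),
            ipaddress.IPv6Address(m["nexthop"]),
            m["proto"],
        )
        for m in ENTRY_RE.finditer(text)
    ]
    total = TOTAL_RE.search(text)
    if total is None:
        raise ValueError("no 'Total number of route6 entries' trailer in capture")
    if int(total.group(1)) != len(routes):
        raise ValueError(
            f"trailer reports {total.group(1)} entries, parsed {len(routes)}"
        )
    return routes


def unapproved_static_routes(routes, approved):
    """Return STATIC unicast routes whose (destination, next hop) is not approved.

    `approved` is an iterable of (prefix, next-hop) strings in any valid IPv6
    notation. Multicast destinations are skipped (assumption: the ff02::
    entries shown with Proto STATIC are created by the system, not configured).
    """
    allowed = {
        (ipaddress.IPv6Network(p, strict=False), ipaddress.IPv6Address(n))
        for p, n in approved
    }
    return [
        r for r in routes
        if r.proto == "STATIC"
        and not r.dest.is_multicast
        and (r.dest, r.nexthop) not in allowed
    ]


# Constructed capture in the page's output format; the 2005::99:0/112 entry is
# invented here to stand for a route that is not on the approved list.
SAMPLE_DUMP = """\
IPv6 Forwarding Table:
Destination: 0:0:0:0:0:0:0:0/0 If:1
  NextHop: 2005:0:0:0:0:0:0:16 Proto: STATIC
Destination: 2005:0:0:0:0:0:0:0/64 If:1
  NextHop: 0:0:0:0:0:0:0:0 Proto: LOCAL
Destination: 2005:0:0:0:0:0:0:16/128 If:1NextHop: 0:0:0:0:0:0:0:0 Proto: STATIC
Destination: 2005:0:0:0:0:0:99:0/112 If:1
  NextHop: 2005:0:0:0:0:0:0:66 Proto: STATIC
Destination: ff02:0:0:0:0:0:0:1/128 If:1
  NextHop: 0:0:0:0:0:0:0:0 Proto: STATIC
Total number of route6 entries: 5
"""
APPROVED = [("::/0", "2005::16"), ("2005::16/128", "::")]  # hypothetical baseline

if __name__ == "__main__":
    for r in unapproved_static_routes(parse_route6_dump(SAMPLE_DUMP), APPROVED):
        print(f"unapproved static route: {r.dest} via {r.nexthop} (if {r.ifnum})")
```
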

/info/l3/arp ARP Information Menu

Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet layer. ARP resolves a physical address from an IP address. ARP queries machines on the local network for their physical addresses. ARP also maintains IP to physical address pairs in its cache memory. In any IP communication, the ARP cache is consulted to see if the IP address of the router is present in the ARP cache. Then the corresponding physical address is used to send a packet.

Page 86: 24.0.0 Command Reference

[Address Resolution Protocol Menu]
  find - Show a single ARP entry by IP address
  port - Show ARP entries on a single port
  vlan - Show ARP entries on a single VLAN
  refpt - Show ARP entries referenced by a single SP
  dump - Show all ARP entries
  help - Show help on the fields of ARP entries
  addr - Show ARP address list

The ARP information includes IP address and MAC address of each entry, address status flags (see "ARP Dump Flag Parameters" (page 88)), VLAN and port for the address, and port referencing information.

ARP Information Menu Options (/info/l3/arp)

Command Syntax and Usage

find <IP address (such as, 192.4.17.101)>

Displays a single ARP entry by IP address.

port <port number>

Displays the ARP entries on a single port.

vlan <VLAN number (1-4090)>

Displays the ARP entries on a single VLAN.

refpt <SP number (1-4)>

Displays the ARP entries referenced by a single SP. For details, see "/info/l3/arp/refpt" (page 87).

dump

Displays all ARP entries, including:

• IP address and MAC address of each entry

• Address status flag (see below)

• The VLAN and port to which the address belongs

• The ports which have referenced the address (empty if no port has routed traffic to the IP address shown)

For more information, see "/info/l3/arp/dump" (page 87).

help

Displays help on the ARP field entries. For example:

IP address: IP address of ARP entry

Flags: J - ARP entry belongs to a Jumbo capable VLAN

Page 87: 24.0.0 Command Reference

P - Permanent ARP entry (not obtained via ARP request), e.g. IP interface, VIP, etc.

R - Indirect ARP (cache) entry for IP address reachable via indirect routes (static/dynamic)

4 - Layer 4 IP address (VIP)

u - Unresolved ARP entry. The MAC address has not been learned.

MAC address: MAC address of ARP entry

VLAN: VLAN of this ARP entry

Port: Physical port where this IP address owner is connected

Referenced SPs: SPs on which this ARP entry is present

addr

Displays the ARP address list: IP address, IP mask, MAC address, and VLAN flags.

/info/l3/arp/refpt Show ARP Entries on Referenced SP

/info/l3/arp/dump Show All ARP Entry Information

Page 88: 24.0.0 Command Reference

Referenced ports are the ports that request the ARP entry. So the traffic coming into the referenced ports has the destination IP address. From the ARP entry (the referenced ports), this traffic needs to be forwarded to the egress port (port 6 in the above example).

Note: If you have VMA turned on, the referenced port is the designated port. If you have VMA turned off, the designated port is the normal ingress port.

The Flag field is interpreted as follows:

ARP Dump Flag Parameters

Flag Description

P Permanent entry created for switch IP interface.

P 4 Permanent entry created for Layer 4 proxy IP address or virtual server IP address.

R Indirect route entry.

U Unresolved ARP entry. The MAC address has not been learned.

J ARP entry belongs to a Jumbo capable VLAN

/info/l3/arp/addr ARP Address List Information

/info/l3/nbrcache IPv6 Neighbor Cache Information

This menu provides a mechanism for viewing IPv6 Neighbor Cache information.

IPv6 uses the Neighbor Discovery (ND) protocol to discover its neighbors' link-layer addresses and neighbor reachability. ND can also auto-configure addresses and detect duplicate addresses. ND enables routers to advertise their presence and address prefixes and to inform hosts of a better next-hop address to forward packets.

The information collected from ND is stored in the Neighbor Cache. The Neighbor Cache maintains information about each neighbor such as:

• MAC Address

• Reachability State

Page 89: 24.0.0 Command Reference

• Neighbor Type

• VLAN

• Ingress Port

Neighbor Cache entries are added in a number of situations:

1. Entries are added when an IPv6 Interface or Virtual IP is operational.

2. Reception of ND messages from neighbor.

3. A switch sends ND packets to resolve a link-layer address that it wishes to send packets to.

There are 5 reachability states:

• INCOMPLETE

The link-layer address of the neighbor has not yet been determined.

• REACHABLE

The neighbor is known to have been reachable recently.

• STALE

The neighbor is no longer known to be reachable but until traffic is sent to the neighbor, no attempt should be made to verify its reachability.

• DELAY

The neighbor is no longer known to be reachable and traffic has recently been sent to the neighbor.

• PROBE

The neighbor is no longer known to be reachable, and ND messages are sent to the neighbor to verify reachability.

The neighbor types are LOCAL and DYNAMIC. The LOCAL neighbor type is for switch pre-configured addresses and DYNAMIC is for neighbor addresses learnt from ND.

Note: Once the Neighbor Cache table reaches 2000 entries, table entries are replaced by adding the new entry and dropping the 2000th entry off the list. Table entries are kept until the entry is replaced by a new one. During this 2000 full entries period, no new entries are used to sort for display.

[IP6 Neighbor Discovery Protocol Menu]
  dump - Show all IP6 neighbor cache entries

Page 90: 24.0.0 Command Reference

"IPv6 Neighbor Cache Information Menu (/info/l3/nbrcache)" (page 90) provides a description of this menu.

IPv6 Neighbor Cache Information Menu (/info/l3/nbrcache)

Command Syntax and Usage

dump

Displays all IPv6 neighbor cache entries.

The following is an example of output from the /info/l3/nbrcache/dump command.

/info/l3/bgp BGP Information Menu

Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to share routing information with each other and advertise information about the segments of the IP address space they can access within their network with routers on external networks. For more information, refer to the BGP section in chapter "The Configuration Menu" (page 217) and the Application Guide.

[BGP Menu]
  peer - Show all BGP peers
  summary - Show all BGP peers in summary
  dump - Show BGP routing table

BGP Peer Information Menu Options (/info/l3/bgp)

Command Syntax and Usage

peer

Displays BGP peer information. See "/info/l3/bgp/peer" (page 91) for a sample output.

summary

Displays peer summary information such as AS, message received, message sent, up/down, state. See "/info/l3/bgp/summary" (page 91) for a sample output.

dump

Displays the BGP routing table. See "/info/l3/bgp/dump" (page 91) for a sample output.

Page 91: 24.0.0 Command Reference

/info/l3/bgp/peer BGP Peer information

Following is an example of the information that /info/l3/bgp/peer provides.

BGP Peer Information:

  3: 2.1.1.1 , version 0, TTL 1
     Remote AS: 0, Local AS: 0, Link type: IBGP
     Remote router ID: 0.0.0.0, Local router ID: 1.1.201.5
     BGP status: idle, Old status: idle
     Total received packets: 0, Total sent packets: 0
     Received updates: 0, Sent updates: 0
     Keepalive: 0, Holdtime: 0, MinAdvTime: 60
     LastErrorCode: unknown(0), LastErrorSubcode: unspecified(0)
     Established state transitions: 0

  4: 2.1.1.4 , version 0, TTL 1
     Remote AS: 0, Local AS: 0, Link type: IBGP
     Remote router ID: 0.0.0.0, Local router ID: 1.1.201.5
     BGP status: idle, Old status: idle
     Total received packets: 0, Total sent packets: 0
     Received updates: 0, Sent updates: 0
     Keepalive: 0, Holdtime: 0, MinAdvTime: 60
     LastErrorCode: unknown(0), LastErrorSubcode: unspecified(0)
     Established state transitions: 0

/info/l3/bgp/summary BGP Summary information

Following is an example of the information that /info/l3/bgp/summary provides.

/info/l3/bgp/dump Dump BGP Information

Following is an example of the information that /info/l3/bgp/dump provides.

Page 92: 24.0.0 Command Reference

/info/l3/ospf OSPF Information Menu

Nortel Application Switch Operating System supports the Open Shortest Path First (OSPF) routing protocol. The Nortel Application Switch Operating System implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed. For more information on how to configure OSPF on the switch, refer to the OSPF section in chapter "The Configuration Menu" (page 217) and your Nortel Application Switch Operating System Application Guide.

[OSPF Information Menu]
  general - Show general information
  aindex - Show area(s) information
  if - Show interface(s) information
  virtual - Show details of virtual links
  nbr - Show neighbor(s) information
  dbase - Database Menu
  sumaddr - Show summary address list
  nsumadd - Show NSSA summary address list
  routes - Show OSPF routes
  dump - Show OSPF information

OSPF Information Menu (/info/l3/ospf)

Command Syntax and Usage

general

Displays general OSPF information. See "/info/l3/ospf/general" (page 93) for a sample output.

aindex <area index [0-2]>

Page 93: 24.0.0 Command Reference

Displays area information for a particular area index. If no parameter is supplied, it displays area information for all the areas.

if <interface number [1-256]>

Displays interface information for a particular interface. If no parameter is supplied, it displays information for all the interfaces. See "/info/l3/ospf/if" (page 94) for a sample output.

virtual

Displays information about all the configured virtual links.

nbr <nbr router-id (A.B.C.D)>

Displays the status of a neighbor with a particular router ID. If no router ID is supplied, it displays the information about all the current neighbors.

dbase

Displays OSPF database menu. To view menu options, see "/info/l3/ospf/dbase" (page 94).

sumaddr <area index (0-2)>

Displays the list of summary ranges belonging to non-NSSA areas.

nsumadd <area index (0-2)>

Displays the list of summary ranges belonging to NSSA areas.

routes

Displays OSPF routing table. See "/info/l3/ospf/routes" (page 96) for a sample output.

dump

Displays all the OSPF information. See for a sample output.

/info/l3/ospf/general OSPF General Information

OSPF Version 2
Router ID: 47.80.23.247
Started at 95 and the process uptime is 352315
Area Border Router: yes, AS Boundary Router: no
LS types supported are 6
External LSA count 0
External LSA checksum sum 0x0
Number of interfaces in this router is 2
Number of virtual links in this router is 1
16 new lsa received and 34 lsa originated from this router
Total number of entries in the LSDB 10
Database checksum sum 0x0
Total neighbors are 1, of which

Page 94: 24.0.0 Command Reference

  2 are >=INIT state,
  2 are >=EXCH state,
  2 are =FULL state
Number of areas is 2, of which 3-transit 0-nssa
  Area Id : 0.0.0.0
  Authentication : none
  Import ASExtern : yes
  Number of times SPF ran : 8
  Area Border Router count : 2
  AS Boundary Router count : 0
  LSA count : 5
  LSA Checksum sum : 0x2237B
  Summary : noSummary

/info/l3/ospf/if OSPF Interface Information

Ip Address 10.10.12.1, Area 0.0.0.1, Admin Status UP
  Router ID 10.10.10.1, State DR, Priority 1
  Designated Router (ID) 10.10.10.1, Ip Address 10.10.12.1
  Backup Designated Router (ID) 10.10.14.1, Ip Address 10.10.12.2
  Timer intervals, Hello 10, Dead 40, Wait 1663, Retransmit 5,
  Poll interval 0, Transit delay 1
  Neighbor count is 1 If Events 4, Authentication type none

/info/l3/ospf/dbase OSPF Database Information

[OSPF Database Menu]
  advrtr - LS Database info for an Advertising Router
  asbrsum - ASBR Summary LS Database info
  dbsumm - LS Database summary
  ext - External LS Database info
  nw - Network LS Database info
  nssa - NSSA External LS Database info
  rtr - Router LS Database info
  self - Self Originated LS Database info
  summ - Network-Summary LS Database info
  all - All

OSPF Database Information Menu (/info/l3/ospf/dbase)

Command Syntax and Usage

advrtr <router-id (A.B.C.D)>

Page 95: 24.0.0 Command Reference

Takes advertising router as a parameter. Displays all the Link State Advertisements (LSAs) in the LS database that have the advertising router with the specified router ID, for example: 20.1.1.1.

asbrsum <adv-rtr (A.B.C.D)> | <link_state_id (A.B.C.D)> | self

Displays ASBR summary LSAs. The usage of this command is as follows:

a) asbrsum adv-rtr 20.1.1.1 displays ASBR summary LSAs having the advertising router 20.1.1.1.

b) asbrsum link_state_id 10.1.1.1 displays ASBR summary LSAs having the link state ID 10.1.1.1.

c) asbrsum self displays the self advertised ASBR summary LSAs.

d) asbrsum with no parameters displays all the ASBR summary LSAs.

dbsumm

Displays the following information about the LS database in a table format:

a) the number of LSAs of each type in each area.

b) the total number of LSAs for each area.

c) the total number of LSAs for each LSA type for all areas combined.

d) the total number of LSAs for all LSA types for all areas combined.

No parameters are required.

ext <adv-rtr (A.B.C.D)> | <link_state_id (A.B.C.D)> | self

Displays the AS-external (type 5) LSAs with detailed information of each field of the LSAs. The usage of this command is the same as the usage of the command asbrsum.

nw <adv-rtr (A.B.C.D)> | <link_state_id (A.B.C.D)> | self

Displays the network (type 2) LSAs with detailed information of each field of the LSAs. The usage of this command is the same as the usage of the command asbrsum.

nssa <adv-rtr (A.B.C.D)> | <link_state_id (A.B.C.D)> | self

Page 96: 24.0.0 Command Reference

Displays the NSSA (type 7) LSAs with detailed information of each field of the LSAs. The usage of this command is the same as the usage of the command asbrsum.

rtr <adv-rtr (A.B.C.D)> | <link_state_id (A.B.C.D)> | self

Displays the router (type 1) LSAs with detailed information of each field of the LSAs. The usage of this command is the same as the usage of the command asbrsum.

self

Displays all the self-advertised LSAs. No parameters are required.

summ <adv-rtr (A.B.C.D)> | <link_state_id (A.B.C.D)> | self

Displays the network summary (type 3) LSAs with detailed information of each field of the LSAs. The usage of this command is the same as the usage of the command asbrsum.

all

Displays all the LSAs.

/info/l3/ospf/routes OSPF Information Route Codes

Codes: IA - OSPF inter area,
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2

IA 10.10.0.0/16 via 200.1.1.2
IA 40.1.1.0/28 via 20.1.1.2
IA 80.1.1.0/24 via 200.1.1.2
IA 100.1.1.0/24 via 20.1.1.2
IA 140.1.1.0/27 via 20.1.1.2
IA 150.1.1.0/28 via 200.1.1.2
E2 172.18.1.1/32 via 30.1.1.2
E2 172.18.1.2/32 via 30.1.1.2
E2 172.18.1.3/32 via 30.1.1.2
E2 172.18.1.4/32 via 30.1.1.2
E2 172.18.1.5/32 via 30.1.1.2
E2 172.18.1.6/32 via 30.1.1.2
E2 172.18.1.7/32 via 30.1.1.2
E2 172.18.1.8/32 via 30.1.1.2

/info/ospf/dump

Page 97: 24.0.0 Command Reference

OSPF Dump Information

OSPF Version 2
Router ID: 1.1.1.1
Started at 42 and the process uptime is 1197051
Area Border Router: no, AS Boundary Router: no
External LSA count 0
Number of interfaces in this router is 0
Number of virtual links in this router is 0
0 new lsa received and 0 lsa originated from this router
Total number of entries in the LSDB 0
Total neighbors are 0, of which
  0 are >=INIT state,
  0 are >=EXCH state,
  0 are =FULL state
Number of areas is 0, of which 0-transit 0-nssa

OSPF Neighbors:
Intf NeighborID Prio State Address
---- ---------- ---- ----- -------

OSPF LS Database:
OSPF LSDB breakdown for router with ID (1.1.1.1)

No areas enabled.

/info/l3/ip IP Information

Interface information:
  1: 47.80.23.81 255.255.254.0 47.80.23.255, vlan 1, up
  2: 172.31.4.1 255.255.255.0 172.31.4.255, vlan 1, up
  3: 172.31.3.1 255.255.255.0 172.31.3.255, vlan 1, up

Default gateway information: metric strict
  2: 47.80.22.1, vlan any, up

Current IP forwarding settings: ON, dirbr disabled

Current local networks:

Current IP port settings:
  All other ports have forwarding ON

Page 98: 24.0.0 Command Reference

Current network filter settings:
  none

Current route map settings:
Current OSPF settings: ON
  Default route none
  Router ID: 1.1.1.1
  lsdb limit 0

/info/l3/vrrp VRRP Information

Virtual Router Redundancy Protocol (VRRP) support on Nortel Application Switch provides redundancy between routers in a LAN. This is accomplished by configuring the same virtual router IP address and ID number on each participating VRRP-capable routing device. One of the virtual routers is then elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address. Refer to the Nortel Application Switch Operating System Application Guide for more information on VRRP.

VRRP information:
  9: vrid 9, 2005:0:0:0:0:0:10:9
     if 9, renter, prio 101, master
  10: vrid 10, 10.10.10.50, if 1, renter, prio 101, master
  20: vrid 20, 2005:0:0:0:0:0:20:20
     if 20, renter, prio 105, master, server

When virtual routers are configured, you can view the status of each virtual router using this command. VRRP information includes:

• Virtual router number

• Virtual router ID and IP address

• Interface number

• Ownership status

— owner identifies the preferred master virtual router. A virtual router is the owner when the IP address of the virtual router and its IP interface are the same.

— renter identifies virtual routers which are not owned by this device.

Page 99: 24.0.0 Command Reference

• Priority value. During the election process, the virtual router with the highest priority becomes master.

• Activity status

— master identifies the elected master virtual router.

— backup identifies that the virtual router is in backup mode.

• Server status. The server state identifies virtual routers that support Layer 4 services. These are known as virtual server routers: any virtual router whose IP address is the same as any configured virtual server IP address.

• Proxy status. The proxy state identifies virtual proxy routers, where the virtual router shares the same IP address as a proxy IP address. The use of virtual proxy routers enables redundant switches to share the same IP address, minimizing the number of unique IP addresses that must be configured.

/info/l3/dump Layer3 Dump Information

This command dumps all the information about Layer 3 parameters. This dump is a collection of all the individual commands described in the sections above.

Page 100: 24.0.0 Command Reference

/info/slb Layer 4 Information Menu

Server Load Balancing (SLB) allows you to configure the Nortel Application Switch to balance user session traffic among a pool of available servers that provide shared services. In an average network that employs multiple servers without server load balancing, each server usually specializes in providing one or two unique services. If one of these servers provides access to applications or data that is in high demand, it can become overutilized. Placing this kind of strain on a server can decrease the

Page 101: 24.0.0 Command Reference

performance of the entire network as user requests are rejected by the server and then resubmitted by the user stations. With this software feature, the switch is aware of the services provided by each server and can direct user session traffic to an appropriate server, based on a variety of load-balancing algorithms.

Refer to your Nortel Application Switch Operating System Application Guide for detailed information on this feature.

Layer 4 Information Menu Options (/info/slb)

Command Syntax and Usage

sess

Displays the Session Table Information Menu. To view menu options, see "/info/slb/sess" (page 102).

gslb

Displays the Global SLB Information Menu. To view menu options, see "/info/slb/gslb" (page 108).

real <real server number (1-1023)>

Displays Real server number, real IP address, MAC address, VLAN, physical switch port, layer where health check is performed, and health check result.

group <real server group number, 1-1024>

Real server group information

virt <virtual server number (1-1024)>

• Displays Virtual Server State: Virtual server number, IP address, virtual MAC address

• Virtual Port State: Virtual service or port, server port mapping, real server group, group backup server.

Page 102: 24.0.0 Command Reference

filt <filter ID (1-2048)> |list|allow|deny|redir|nat

Displays the filter number, destination port, real server port, real server group, health check layer, group backup server, URL for health checks, and real server group, IP address, backup server, and status.

port <port number>

Displays the physical port number, proxy IP address, filter status, a list of applied filters, and client and/or server Layer 4 activity.

wlm <work_load_manager_number, 1 to 16>

Show workload manager information.

idshash <IP address 1 IP address 2>

Displays the Intrusion Detection System server selected by hash or minmisses metric.

bind <IP address mask group number>

Displays the real server selected by hash, phash, or minmisses metric.

bind6 <IPv6 address prefix length IPv6 group number>

Displays the IPv6 real server selected by hash, phash, or minmisses metric.

cookie <16 or 20 bytes cookie value in HEX as 0xXXXXXXXXXXXXXXXX>

Decodes the hexadecimal value to get the virtual server IP address, real server IP address, and real server port.

synatk

Displays SYN attack detection information. To identify whether or not the server is under SYN attack, the number of new half open sessions is examined within a set period of time, for example, every two seconds. This feature requires dbind to be enabled.

dump

Displays all Layer 4 information for the switch. For details, see "/info/slb/dump" (page 109).

Page 103: 24.0.0 Command Reference

/info/slb/sess Session Table Information

Session Information Menu Options (/info/slb/sess)

Command Syntax and Usage

cip <IP address>

Displays all session entries with client’s source IP address.

cip6 <IP6_address>

Display session entries with the specified IP6 address.

cport <real port>

Displays all session entries with source (client) port.

dip <Destination IP address>

Displays all session entries with the destination IP address.

dip6 <IP6_address>

Display session entries with the specified IP6 address.

dport <Destination real port>

Displays all session entries with destination port.

pip <Proxy IP address>

Displays all session entries with proxy IP address.

pport <proxy port>

Displays all session entries with proxy port.

filter <filter ID (1-2048)>

Displays all session entries with matching filter.

flag <E|L|N|P|S|Rt|Ru|Ri|Vi|Vr|Vs|Vm|Vd|U|W>

Displays all session entries with matching flag. See "Session dump information" (page 105) for a description of these options.

Page 104: 24.0.0 Command Reference

port <port number>

Displays all session entries on the ingress port.

real <IP address>

Displays all session entries with real server IP address.

sp <port number (1-4)>

Displays all session entries on switch processor.

dump v4 | v6

Displays all session entries. Specify v4 to dump IPv4 information, v6 to dump IPv6 information or no parameter to display all information. Information similar to the following may appear in a session entry dump:

3, 01: 1.1.1.1 4586, 2.2.2.1 http -> 1.1.1.2 3567 3.3.3.1 http age 6 f:10EUSPT c
(1) (2) (3) (4) (5) (6) (7a) (7) (8) (9) (10) (11) (12) (13)

Note: The fields, 1 to 13 associated with a session as identified in the above example, are described in "Session dump information" (page 105).

help

Displays the description of the session entry.

Session Dump Samples

L4 HTTP

3,01: 172.21.12.19 1040, 39.2.2.1 http -> 47.81.24.79 http age 4

L4-L7 WCR HTTP

2,16: 172.21.8.200 44687, 172.21.8.51 http -> 192.168.1.11 wcr age 4 f:12 E
3,01: 172.21.12.19 1040, 39.2.2.1 http -> 47.81.24.79 urlwcr age 6 f:123 E

RTSP

L4-L7 RTSP

3,01: 172.21.12.19 4586, 39.2.2.1 rtsp -> 47.81.144.13 rtsp age 10 EU
3,01: 172.21.12.19 6970, 39.2.2.1 21220 -> 47.81.144.13 21220 age 10 P

The first session is RTSP TCP control connection. The second session is RTSP UDP data connection.

3,01: 172.21.12.19 6970, 39.2.2.1 rtsp -> 47.81.144.13 0 age 10 P

During client-server port negotiation, the destination port shows "rtsp" and server port shows "0".

Page 105: 24.0.0 Command Reference

L7 WCR RTSP

3,01: 172.21.12.19 4586, 39.2.2.1 rtsp -> 47.81.144.13 urlwcr age 10 f:100 EU
3,01: 172.21.12.19 6970, 39.2.2.1 21220 -> 47.81.144.13 21220 age 10 P

Filtering LinkLB

2,07: 10.0.1.26 1706, 205.178.14.84 http -> 192.168.4.10 linklb age 8 f:10 E

FTP

1,00: 172.31.4.215 80, 172.31.4.200 0 172.31.3.11 age 8 EP c:1
1,09: 172.31.4.215 4098, 172.31.4.200 ftp ->172.31.3.20 ftp age 10 EU
1,09: 172.31.4.215 4102, 172.31.4.200 ftp-data ->172.31.3.20 ftp-data age 10 E

NAT

2,05: 172.21.8.16 2559, 10.0.1.26 http NAT age 2 f:24 E

Persistent session

3,00: 237.162.52.123 160.10.20.30 age 4 EPS C:3

The destination port, real server IP and server port are not shown for persistent session.

Session dump information

Field Description

(1) SP number

This field indicates the Switch Processor number that created the session.

(2) Ingress port

This field shows the physical port through which the client traffic enters the switch.

(3) Source IP address

This field contains the source IP address from the client’s IP packet in IPv4 or IPv6.

(4) Source port

This field identifies the source port from the client’s TCP/UDP packet.

(5) Destination IP address

This field identifies the destination IP address from the client’s TCP/UDP packet.

(6) Destination port

This field identifies the destination port from client’s TCP/UDP packet.

Page 106: 24.0.0 Command Reference

(7a) Proxy IP address

This field contains the Proxy IP address substituted by the switch. This field contains the real server IP address of the corresponding server that the switch selects to forward the client packet to, for load balancing. If the switch does not find a live server, this field contains the same information as the destination IP address mentioned in field (5).

This field also shows the real server IP address for filtering. No address is shown if the filter action is Allow, Deny or NAT. It will show "ALLOW", "DENY" or "NAT" instead.

(7) Proxy Port

This field identifies the TCP/UDP source port substituted by the switch.

(8) Real Server IP Address

For load balancing, this field contains the IP address of the real server that the switch selects to forward the client packet to. If the switch does not find a live server, this field is the same as destination IP address (as in row 5). For example:

3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10
3,01: 1.1.1.1 6970, 2.2.2.1 rtsp -> 2.2.2.1 21220 age 10 P

For filtering, this field also shows the real server IP address. No address is shown if the filter action is Allow, Deny or NAT. It will show ALLOW, DENY or NAT instead. For example:

3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10 f:11
2,07: 1.1.1.1 1706, 2.2.2.1 http-> 192.168.4.10 linklb age 8 f:10 E

(9) Server port

This field is the same as the destination port (field 6) for load balancing except for the RTSP UDP session. For RTSP UDP session, this server port is obtained from the client-server negotiation. This field is the filtering application port for filtering. It is for internal use only. This field can be urlwcr, wcr, idslb, linkslb or nonat.

Page 107: 24.0.0 Command Reference

(10) Age

This is the session timeout value. If no packet is received within the value specified, the session is freed. For example, if:

age 10 - The session is aged out in 10 minutes.

age 160 - The session is aged out in 160 minutes.

This indicates that slowage is used. The user can configure slowage by using the command: /cfg/slb/adv/slowage.

(11) Filter number

This field indicates the session created by filtering code as a result of the IP header keys matching the filtering criteria.

(12) VLAN number

This field is the ingress port’s VLAN.

(13) Flag

"Ac": Indicates the session is application capping per-contract entry.
"Au": Indicates the session is application capping per-user entry.
"E": Indicates the session is established and will be aged out if no traffic is received within session timeout value.
"L": Indicates the session is a link load balance session.
"N": Indicates no NAT, which means the session only translates the destination MAC when forwarding client traffic to the real server.
"P": Indicates the session is a persistent session and is not to be aged out. Fields (6), (7) and (8) cannot have persistent session.
"S": Indicates the session is a persistent session and the application is SSL session ID, or Cookie Pbind.
"Rt": Indicates the session is TCP rate limiting for every client entry.
"Ru": Indicates UDP rate limiting for every client entry.
"Ri": Indicates the session is ICMP rate limiting per-client entry.
"Vr": Indicates the session is a SIP REGISTER session.
"Vs": Indicates the session is a SIP SUBSCRIBE session.
"Vi": Indicates the session is a SIP INVITE session.
"Vm": Indicates the session is a SIP MESSAGE session.
"Vd": Indicates the session is a SIP NAT data session.
"Sc": Indicates the session is an opened server session used in connection pooling.

Page 108: 24.0.0 Command Reference

"U": Indicates the session is Layer 7 delayed binding and the switch is trying to open TCP connection to the real server.
"W": Indicates the session only translates the destination MAC when forwarding Layer 7 WCR traffic to the real server.
"Dcy": Indicates the session is a Symantec client session and Snoop ON
"Dcn": Indicates the session is a Symantec client session and Snoop OFF
"Dci": Indicates the session is a Symantec client session and Snoop INIT
"Dsy": Indicates the session is a Symantec server session and Snoop ON
"Dsn": Indicates the session is a Symantec server session and Snoop OFF
"Dsi": Indicates the session is a Symantec server session and Snoop INIT

(14) Persistent session user count

This counter indicates the number of client sessions created to associate with this persistent session.
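The following Python parser for session dump entries is an added example, not part of the Nortel reference; it turns a captured /info/slb/sess dump into per-client and per-flag counts that can be compared between captures. It assumes entries look like the sample lines above (the VLAN field (12) appears in none of those samples and is not parsed), and the names parse_session, split_flags and summarize are hypothetical.

```python
import re
from collections import Counter

# Flag meanings, shortened from field (13) of "Session dump information".
FLAGS = {
    "Ac": "application capping per-contract entry",
    "Au": "application capping per-user entry",
    "E": "established; aged out when idle past the session timeout",
    "L": "link load balance session", "Ri": "ICMP rate limiting",
    "N": "no NAT; only the destination MAC is translated",
    "P": "persistent session; not aged out",
    "S": "persistent session (SSL session ID or Cookie Pbind)",
    "Rt": "TCP rate limiting", "Ru": "UDP rate limiting", "Vd": "SIP NAT data",
    "Vr": "SIP REGISTER", "Vs": "SIP SUBSCRIBE", "Vi": "SIP INVITE",
    "Vm": "SIP MESSAGE",
    "Sc": "opened server session used in connection pooling",
    "U": "Layer 7 delayed binding; opening TCP connection to real server",
    "W": "Layer 7 WCR; only the destination MAC is translated",
    "Dcy": "Symantec client, Snoop ON", "Dcn": "Symantec client, Snoop OFF",
    "Dci": "Symantec client, Snoop INIT", "Dsy": "Symantec server, Snoop ON",
    "Dsn": "Symantec server, Snoop OFF", "Dsi": "Symantec server, Snoop INIT",
}
FILTER_ACTIONS = {"ALLOW", "DENY", "NAT"}  # shown instead of a real server IP
HEAD = re.compile(r"^\s*(\d+),\s*(\d+):\s*(.+)$")  # fields (1) and (2)

def split_flags(run):
    """Split a flag run such as 'EPS' into ['E', 'P', 'S']; reject unknowns."""
    flags = re.findall(r"[A-Z][a-z]*", run)
    if not flags or "".join(flags) != run or any(f not in FLAGS for f in flags):
        raise ValueError(f"unrecognised flag run: {run!r}")
    return flags

def parse_session(line):
    """Parse one session entry into a dict; raise ValueError if it does not fit."""
    m = HEAD.match(line)
    if not m:
        raise ValueError("missing 'SP,port:' prefix")
    left, sep, right = m.group(3).partition(" age ")
    tail = right.split()
    if not sep or not tail:
        raise ValueError("missing age field")
    s = {"sp": int(m.group(1)), "ingress_port": int(m.group(2)),
         "age": int(tail[0]), "filter": None, "user_count": None, "flags": []}
    for tok in tail[1:]:  # optional f:<filter>, flag runs, c:<user count>
        if tok.startswith("f:"):
            s["filter"] = int(tok[2:])
        elif tok[:2].lower() == "c:":
            s["user_count"] = int(tok[2:])
        else:
            s["flags"] += split_flags(tok)
    toks = left.replace("->", " -> ").replace(",", " ").split()
    if "->" in toks:
        if toks.index("->") != 4:
            raise ValueError("unexpected '->' position")
        toks.remove("->")
    if len(toks) == 2:  # persistent entry: client and destination IP only
        s["src_ip"], s["dst_ip"] = toks
        return s
    if len(toks) not in (5, 6, 8):
        raise ValueError("unexpected number of address fields")
    s.update(zip(("src_ip", "src_port", "dst_ip", "dst_port"), toks[:4]))
    rest = toks[4:]
    if len(rest) == 4:  # proxy IP and proxy port precede the real server
        s["proxy_ip"], s["proxy_port"] = rest[:2]
        rest = rest[2:]
    if rest[0] in FILTER_ACTIONS:
        s["action"] = rest[0]
    else:
        s["real_ip"] = rest[0]
    if len(rest) == 2:
        s["server_port"] = rest[1]
    return s

def summarize(lines):
    """Return (sessions per client IP, flag counts, lines that did not parse)."""
    clients, flags, rejected = Counter(), Counter(), []
    for line in lines:
        try:
            s = parse_session(line)
        except ValueError:
            rejected.append(line)
            continue
        clients[s["src_ip"]] += 1
        flags.update(s["flags"])
    return clients, flags, rejected

# First five entries are the page's samples; the last two are constructed here.
SAMPLE = [
    "3,01: 172.21.12.19 1040, 39.2.2.1 http -> 47.81.24.79 http age 4",
    "2,16: 172.21.8.200 44687, 172.21.8.51 http -> 192.168.1.11 wcr age 4 f:12 E",
    "3,01: 172.21.12.19 4586, 39.2.2.1 rtsp -> 47.81.144.13 rtsp age 10 EU",
    "2,05: 172.21.8.16 2559, 10.0.1.26 http NAT age 2 f:24 E",
    "3,00: 237.162.52.123 160.10.20.30 age 4 EPS C:3",
    "3,01: 1.1.1.1 4586, 2.2.2.1 http -> 1.1.1.2 3567 3.3.3.1 http age 6 f:10 E",
    "3,01: 172.21.12.19 1040, 39.2.2.1 http -> 47.81.24.79",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Lines that do not match a known layout are returned in the rejected list rather than guessed at, so a truncated capture is visible in the result.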

/info/slb/gslb Global SLB Information Menu

A Nortel Application Switch Operating System running Global SLB selects the most appropriate site to direct the client traffic for a given domain during the initial client connection. The menu for this feature displays the following information:

Global SLB Information Menu Options (/info/slb/gslb)

Command Syntax and Usage

virt <virtual server number (1-1024)>

Displays the Global SLB virtual server information such as the domain name of the virtual server, the number of the local and remote virtual servers, the number of virtual services on those virtual servers, and the group of real servers associated with the local and remote virtual servers.

site

Displays the Global SLB remote site information.

Page 109: 24.0.0 Command Reference

geo

Displays the Global SLB geographical preference information.

pers <IP_Address>

Display the Global SLB DNS persistence cache information.

dump

Displays all Global SLB information.

/info/slb/dump Show All Layer 4 Information

Real server state:
1: 210.1.2.200, 00:01:02:c1:4b:48, vlan 1, port 1, health 3, up
2: 210.1.2.1, 00:01:02:70:4d:4a, vlan 1, port 8, health 3, up
26: 20.20.20.102, 00:03:47:07:a4:9e, vlan 1, port 6, health 3, up
27: 20.20.20.101, 00:01:02:71:9c:a6, vlan 1, port 7, health 3, up

Virtual server state:
1: 20.20.20.200, 00:60:cf:47:5c:1e
virtual ports:
http: rport http, group 88, backup none, dbind
HTTP Application: urlslb
real servers:
26: 20.20.20.102, backup none, 2 ms, up
exclusionary string matching: disabled
1: any
2: urlone
27: 20.20.20.101, backup none, 1 ms, up
exclusionary string matching: disabled
3: urltwo
4: urlthree

Redirect filter state:
Action redir
dport http, rport 3128, vlan any
200: group 1, health 3, backup none
proxy enabled, radius snoop disabled
real servers:
1: 210.1.2.200, backup none, 3 ms, up
2: 210.1.2.1, backup none, 2 ms, up

Page 110: 24.0.0 Command Reference

Port state:
1: filt disabled, filters: 80
2: idslb filt enabled, filters: 200
3: idslb filt enabled, filters: 200
4: filt disabled, filters: 50 200

/info/bwm Bandwidth Management Information

Bandwidth Management (BWM) enables Web site managers to allocate a portion of the available bandwidth for specific users or applications. It allows companies to guarantee that critical business traffic, such as e-commerce transactions, receives higher priority than non-critical traffic. Traffic classification can be based on user or application information. BWM policies can be configured to set lower and upper bounds on the bandwidth allocation.

You can see the following information on your switch when you execute this command:

[Bandwidth Management Information Menu]

ipuser - BWM IP User Entries Information Menu

cont - Show Bandwidth Management Contract information

Bandwidth Management Information

Command Syntax and Usage

ipuser

Displays the IP user entries with their IP addresses. See /info/bwm/ipuser BWM IP User Information Menu for sample output.

cont

Displays the BWM contract information configured on this switch.

/info/bwm/ipuser BWM IP User Information Menu

[BWM IP User Entries Information Menu]
ip - Show all IP user entries with IP address
cont - Show all IP user entries for a contract
sp - Show all IP user entries on sp
dump - Show all IP user entries

Page 111: 24.0.0 Command Reference

BWM IP User Information Menu (/info/bwm/ipuser)

Command Syntax and Usage

ip <IP address>

Displays the IP user entries for a specific IP address.

cont <BW Contract number, 1-1024>

Displays the IP user entries for a specific BWM contract.

sp <SP number (1-4)>

Displays the IP user entries on the Switch Processor. The same fields as described in cont above are displayed, but only for the specified sp number.

dump

Displays all the IP user entries.

The format of the output of the above commands:

SP Contract IP Address       Age     Octets   Discards Allowed Offered
                                                       Rate    Rate
-- -------- ---------------- --- ---------- ---------------
 2       11 11.0.1.100        86   21500000  301001440    1953   29297
 2       10 11.0.1.100        86    1076600          0      97      97
 2       10 11.0.1.107        16     199940          0      97      97
 2       10 11.0.1.105        16     198402          0      96      96
 2       10 11.0.1.106        16     199940          0      97      97
 2       10 11.0.1.103        16     196864          0      96      96
 2       10 11.0.1.104        16     204554          0      99      99
 2       10 11.0.1.101        16     201478          0      98      98
 2       10 11.0.1.102        16     198402          0      96      96
 2       10 11.0.1.108        16     199940          0      97      97
 2       10 11.0.1.109        16     203016          0      99      99

• SP Rate: the switch processor number (1-4) of the ipuser entry.

• Contract Rate: the BWM contract number of the ipuser entry.

• IP address: the IP address of the ipuser entry.

• Age: the age of the entry in seconds.

• Octets: the number of octets processed on this ipuser entry

• Discards: the number of octets discarded on this ipuser entry

• Allowed Rate: the rate of traffic allowed for this IP address

• Offered Rate: the rate including the discards for this IP address

Page 112: 24.0.0 Command Reference

/info/bwm/cont BWM Contract Information

Current Bandwidth Management setting: ON
Policy Enforcement:enabled
BWM history will be mailed in a minute to ’abcd’ at host ’100.81.138.26’
BWM IP user table entries 64k

Contract Policy Per User Traffic
Num Name Prec Hard Soft Resv Limit Key State Shaping
1 123456789012345 2 1 50M 1M 500K - - E D
2 vlan 4 1 60M 2M 500K - - E D
3 filter 7 20 2M 1M 500K - - E D
4 5 1 2M 1M 500K - - D D
5 512 1 2M 1M 500K - - E D
10 10 1 1M 0K 0K 500K sip E D
11 11 1 100M 80M 500K 2M sip E D
12 12 1 2M 1M 500K - - E D
13 13 1 3M 1M 500K - - E D
14 14 1 4M 400K 100K - - E D
15 15 1 2M 1M 500K - - E D

This command displays information about any configured contracts and the BWM policies applied to the contracts.

BWM Contract Information

Field Description

Contract

Displays the BWM contract number.

Policy

Displays specific information about a policy applied to a contract. Includes the following:

• The policy number applied to the contract

• Prec: the precedence applied to the policy

• Hard: the hard limit applied to the policy

• Soft: the soft limit applied to the policy

• Resv: the reserve limit applied to the policy

Per User

These two columns display information for an ipuser limit, if applied to the contract. Includes the following:

• Limit: the user rate limit applied to the ipuser.

• Key: If an ipuser rate limit is enforced, this field displays whether the user limit is enforced on a source IP address (sip) or a destination IP address (dip).

Page 113: 24.0.0 Command Reference

State

Displays whether the BWM contract is enabled (E) or disabled (D).

Traffic Shaping

Displays whether Traffic Shaping is enabled (E) or disabled (D) for this contract.

/info/security Security Information

The information provided by each menu option is described in "Security Information Menu (/info/security)" (page 113).

Security Information Menu (/info/security)

Command Syntax and Usage

port

This menu displays the current port security settings.

ipacl

This menu displays the current IP ACL settings.

udpblast

This menu displays UDP blast protection settings.

dos

This menu displays DoS protection settings.

symantec

This menu displays Symantec IPS processing information.

dump

This menu displays all security settings.

Page 114: 24.0.0 Command Reference

/info/link Link Status Information

Alias  Port Speed  Duplex   Flow Ctrl     Link
------ ---- ----- -------- --TX-----RX-- ------
1      1    10/100 any      yes    yes    down
2      2    10/100 any      yes    yes    down
3      3    10/100 any      yes    yes    down
4      4    10/100 any      yes    yes    down
5      5    10/100 any      yes    yes    down
6      6    10/100 any      yes    yes    down
7      7    10/100 any      yes    yes    down
8      8    10/100 any      yes    yes    down
9      9    10/100 any      yes    yes    down
10     10   10/100 any      yes    yes    down
11     11   10/100 any      yes    yes    down
12     12   10/100 any      yes    yes    down
13     13   10/100 any      yes    yes    down
14     14   10/100 any      yes    yes    down
15     15   10/100 any      yes    yes    down
16     16   10/100 any      yes    yes    down
17     17   10/100 any      yes    yes    down
18     18   10/100 any      yes    yes    down
19     19   10/100 any      yes    yes    down
20     20   10/100 any      yes    yes    down
21     21   10/100 any      yes    yes    down
22     22   10/100 any      yes    yes    down
23     23   10/100 any      yes    yes    down
24     24   10/100 any      yes    yes    down
25     25   1000   full     yes    yes    down
26     26   1000   full     yes    yes    down
27     27   1000   full     yes    yes    down
28     28   1000   full     yes    yes    down

Use this command to display link status information about each port on a Nortel Application Switch slot, including:

• Port Alias

• Port number

• Port speed (10, 100, 10/100, or 1000)

• Duplex mode (half, full, any, or auto)

• Flow control for transmit and receive (no, yes, or auto)

• Link status (up or down)

Page 115: 24.0.0 Command Reference

/info/port Port Information

Port information includes:

• Port alias

• Port number

• Whether the port uses VLAN tagging or not (y or n)

• Whether Remote Monitor is enabled or disabled

• Port VLAN ID (PVID)

• Port name

• VLAN membership

• Whether RMON is enabled or disabled on the port

/info/swkey Software Enabled Keys

For optional Layer 4 switching software, the information would be displayed as follows:

Page 116: 24.0.0 Command Reference

Enabled License(s):
Layer 4: GSLB
Inbound Linklb
ITM
Symantec subscription
* 61 days remaining

Expired License(s):
none

Non-Reusable Demo License(s):
none

Software key information includes a list of all the optional software packages which have been activated or installed on your switch. For information on ordering optional software license keys, see "How to Get Help" (page 25).

/info/dump Information Dump

Use the dump command to dump all switch information available from the Information Menu (10K or more, depending on your configuration). This data is useful for tuning and debugging switch performance.

If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump commands.

Page 117: 24.0.0 Command Reference

The Statistics Menu

You can view switch performance statistics in both the user and administrator command modes. This chapter discusses how to use the command line interface to display switch statistics.

/stats Statistics Menu

Statistics Menu Options (/stats)

Command Syntax and Usage

sys

System statistics menu

port <port number>

Displays the Port Statistics Menu for the specified port. Use this command to display traffic statistics on a port-by-port basis. Traffic statistics are included in SNMP Management Information Base (MIB) objects. To view menu options, see "/stats/sys System statistics menu" (page 119).

l2

Displays Layer 2 Statistics Menu. To view menu options, see "/stats/l2 Layer 2 Statistics Menu" (page 134).

Page 118: 24.0.0 Command Reference

l3

Displays Layer 3 Statistics Menu. To view menu options, see "/stats/l3 Layer 3 Statistics Menu" (page 137).

slb

Displays the Server Load Balancing (SLB) Menu. To view menu options, see "/stats/slb Server Load Balancing Statistics Menu" (page 161).

bwm

Displays the Bandwidth Management Menu. To view menu options, see "/stats/bwm/hist BWM History Statistics" (page 198).

mp

Displays the Management Processor Statistics Menu. Use this command to view information on how switch management processes and resources are currently being allocated. To view menu options, see "/stats/mp Management Processor Statistics" (page 208).

sp <SP number (1-4)>

Displays Switch Processor-Specific Menu. To view menu options, see "/stats/sp SP Number SP Specific Statistics" (page 212).

security

Displays Security Statistics Menu. To view menu options, see "/stats/security Security Statistics" (page 201).

snmp

Displays SNMP Statistics.

ntp clear

Displays Network Time Protocol (NTP) Statistics.

You can execute the clear command option to delete all statistics.

pm

Displays Port Mirroring Statistics Menu. To view menu options, see "/stats/pmirr Port Mirroring Statistics Menu" (page 213).

mgmt

Displays interface statistics for the Management Port. See "/stats/mgmt Management Port Statistics" (page 214) for sample output.

dump

Dumps all switch statistics. Use this command to gather data for tuning and debugging switch performance. If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump command. For details, see "/stats/dump Dump Statistics" (page 215).

Page 119: 24.0.0 Command Reference

/stats/sys System statistics menu

This menu displays traffic statistics on a system basis.

[System Statistics Menu]
access - System Access Menu
mgmt - Show management port stats
ntp - Show NTP server stats
snmp - Show SNMP stats
dump - Dump system stats

System Statistics Menu Options (/stats/sys)

Command Syntax and Usage

access

Go to the System Access menu.

mgmt

Management port interface statistics.

ntp

Show NTP server statistics.

snmp

Show SNMP statistics.

dump

Dump system statistics.

/stats/port <port number> Port Statistics Menu

This menu displays traffic statistics on a port-by-port basis. Traffic statistics include SNMP Management Information Base (MIB) objects.

[Port Statistics Menu]
brg - Show bridging ("dot1") stats
ether - Show Ethernet ("dot3") stats
if - Show interface ("if") stats
ip - Show Internet Protocol ("IP") stats
link - Show link stats
rmon - Show RMON stats
dump - Dump port stats
clear - Clear all port stats

Port Statistics Menu Options (/stats/port)

Command Syntax and Usage

Page 120: 24.0.0 Command Reference

brg

Displays bridging ("dot1") statistics for the port. See "/stats/port port number /brg Bridging Statistics" (page 120) for a sample output and the description of statistics.

ether

Displays Ethernet ("dot3") statistics for the port. See "/stats/port port number /ether Ethernet Statistics" (page 121) for a sample output and the description of statistics.

if

Displays interface statistics for the port. See "/stats/port port number /if Interface Statistics" (page 125) for a sample output and the description of statistics.

ip

Displays IP statistics for the port. See "/stats/port port number /ip Interface Protocol Statistics" (page 127) for a sample output and the description of statistics.

link

Displays link statistics for the port. See "/stats/port port number /link Link Statistics" (page 128) for a sample output and the description of statistics.

rmon

Displays Remote Monitor (RMON) statistics for the port. See "/stats/port port number /rmon RMON Statistics" (page 129) for a sample output and the description of statistics.

dump

Displays all the port statistics.

clear

This command clears all the statistics on this port.

/stats/port <port number>/brg Bridging Statistics

This menu option enables you to display the bridging statistics of the selected port.

Bridging statistics for port 1:
dot1PortInFrames: 63242584
dot1PortOutFrames: 63277826
dot1PortInDiscards: 0
dot1TpLearnedEntryDiscards: 0
dot1BasePortDelayExceededDiscards: NA
dot1BasePortMtuExceededDiscards: NA
dot1StpPortForwardTransitions: 0

Page 121: 24.0.0 Command Reference

Bridging Statistics of a Port (/stats/port/brg)

Statistics Description

dot1PortInFrames

The number of frames that have been received by this port from its segment. A frame received on the interface corresponding to this port is only counted by this object if and only if it is for a protocol being processed by the local bridging function, including bridge management frames.

dot1PortOutFrames

The number of frames that have been transmitted by this port to its segment. Note that a frame transmitted on the interface corresponding to this port is only counted by this object if and only if it is for a protocol being processed by the local bridging function, including bridge management frames.

dot1PortInDiscards

Count of valid frames received which were discarded (that is, filtered) by the Forwarding Process.

dot1TpLearnedEntryDiscards

The total number of Forwarding Database entries, which have been or would have been learnt, but have been discarded due to a lack of space to store them in the Forwarding Database. If this counter is increasing, it indicates that the Forwarding Database is regularly becoming full (a condition which has unpleasant performance effects on the subnetwork). If this counter has a significant value but is not presently increasing, it indicates that the problem has been occurring but is not persistent.

dot1BasePortDelayExceededDiscards

The number of frames discarded by this port due to excessive transit delay through the bridge. It is incremented by both transparent and source route bridges.

dot1BasePortMtuExceededDiscards

The number of frames discarded by this port due to an excessive size. It is incremented by both transparent and source route bridges.

dot1StpPortForwardTransitions

The number of times this port has transitioned from the Learning state to the Forwarding state.

/stats/port <port number> /ether Ethernet Statistics

This menu option enables you to display the Ethernet statistics of the selected port.

Page 122: 24.0.0 Command Reference

Ethernet statistics for port 1:
dot3StatsAlignmentErrors: 0
dot3StatsFCSErrors: 0
dot3StatsSingleCollisionFrames: 0
dot3StatsMultipleCollisionFrames: 0
dot3StatsSQETestErrors: NA
dot3StatsDeferredTransmissions: 0
dot3StatsLateCollisions: 0
dot3StatsExcessiveCollisions: 0
dot3StatsInternalMacTransmitErrors: NA
dot3StatsCarrierSenseErrors: 0
dot3StatsFrameTooLongs: 0
dot3StatsInternalMacReceiveErrors: 0
dot3CollFrequencies [1-15]: NA

Ethernet Statistics for Port (/stats/port/ether)

Statistics Description

dot3StatsAlignmentErrors

A count of frames received on a particular interface that are not an integral number of octets in length and do not pass the Frame Check Sequence (FCS) check.

The count represented by an instance of this object is incremented when the alignmentError status is returned by the MAC service to the Logical Link Control (LLC) (or other MAC user). Received frames for which multiple error conditions are obtained are, according to the conventions of IEEE 802.3 Layer Management, counted exclusively according to the error status presented to the LLC.

dot3StatsFCSErrors

A count of frames received on a particular interface that are an integral number of octets in length but do not pass the Frame Check Sequence (FCS) check. This count does not include frames received with frame-too-long or frame-too-short errors.

The count represented by an instance of this object is incremented when the frameCheckError status is returned by the MAC service to the LLC (or other MAC user). Received frames for which multiple error conditions are obtained are, according to the conventions of IEEE 802.3 Layer Management, counted exclusively according to the error status presented to the LLC.

Note: Coding errors detected by the physical layer for speeds above 10 Mb/s will cause the frame to fail FCS check.


dot3StatsSingleCollisionFrames

A count of successfully transmitted frames on a particular interface for which transmission is inhibited by exactly one collision.

A frame that is counted by an instance of this object is also counted by the corresponding instance of either the ifOutUcastPkts, ifOutMulticastPkts, or ifOutBroadcastPkts, and is not counted by the corresponding instance of the dot3StatsMultipleCollisionFrames object.

This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsMultipleCollisionFrames

A count of successfully transmitted frames on a particular interface for which transmission is inhibited by more than one collision.

A frame that is counted by an instance of this object is also counted by the corresponding instance of either the ifOutUcastPkts, ifOutMulticastPkts, or ifOutBroadcastPkts, and is not counted by the corresponding instance of the dot3StatsSingleCollisionFrames object.

This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsSQETestErrors

A count of times that the SQE TEST ERROR message is generated by the PLS sub layer for a particular interface. The SQE TEST ERROR is set in accordance with the rules for the verification of the SQE detection mechanism in the PLS Carrier Sense Function as described in IEEE Std. 802.3-1998 Edition, section 7.2.4.6.

This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsDeferredTransmissions

A count of frames for which the first transmission attempt on a particular interface is delayed because the medium is busy.

The count represented by an instance of this object does not include frames involved in collisions.

This counter does not increment when the interface is operating in full-duplex mode.


dot3StatsLateCollisions

The number of times that a collision is detected on a particular interface later than one slotTime into the transmission of a packet.

Five hundred and twelve bit-times corresponds to 51.2 microseconds on a 10 Mbit/s system. A (late) collision included in a count represented by an instance of this object is also considered as a (generic) collision for purposes of other collision-related statistics.

This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsExcessiveCollisions

A count of frames for which transmission on a particular interface fails due to excessive collisions.

This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsInternalMacTransmitErrors

A count of frames for which transmission on a particular interface fails due to an internal MAC sub layer transmit error. A frame is only counted by an instance of this object if it is not counted by the corresponding instance of either the dot3StatsLateCollisions object, the dot3StatsExcessiveCollisions object, or the dot3StatsCarrierSenseErrors object.

The precise meaning of the count represented by an instance of this object is implementation-specific. In particular, an instance of this object may represent a count of transmission errors on a particular interface that are not otherwise counted.

dot3StatsCarrierSenseErrors

The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame on a particular interface.

The count represented by an instance of this object is incremented at most once per transmission attempt, even if the carrier sense condition fluctuates during a transmission attempt.

This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsFrameTooLongs

A count of frames received on a particular interface that exceed the maximum permitted frame size.

The count represented by an instance of this object is incremented when the frameTooLong status is returned by the MAC service to the LLC (or other MAC user). Received frames for which multiple error conditions are obtained are, according to the conventions of IEEE 802.3 Layer Management, counted exclusively according to the error status presented to the LLC.


dot3StatsInternalMacReceiveErrors

A count of frames for which reception on a particular interface fails due to an internal MAC sub layer receive error. A frame is only counted by an instance of this object if it is not counted by the corresponding instance of either the dot3StatsFrameTooLongs object, the dot3StatsAlignmentErrors object, or the dot3StatsFCSErrors object.

The precise meaning of the count represented by an instance of this object is implementation-specific. In particular, an instance of this object may represent a count of received errors on a particular interface that are not otherwise counted.

dot3CollFrequencies

A count of individual MAC frames for which the transmission (successful or otherwise) on a particular interface occurs after the frame has experienced exactly the number of collisions specified by the index. For example, a frame which is transmitted after experiencing exactly 4 collisions would be indicated by incrementing only dot3CollFrequencies [4]. No other instance of dot3CollFrequencies would be incremented in this example.

This counter does not increment when the interface is operating in full-duplex mode.

/stats/port <port number> /if Interface Statistics

This menu option enables you to display the interface statistics of the selected port.

Interface statistics for port 1:
                     ifHCIn Counters       ifHCOut Counters
Octets:                  51697080313            51721056808
UcastPkts:                  65356399               65385714
BroadcastPkts:                     0                   6516
MulticastPkts:                     0                      0
Discards:                          0                      0
Errors:                            0                      0

Interface Statistics for Port (/stats/port/if)

Statistics Description

ifHCInOctets

The number of octets in valid MAC frames received on the interface, including the MAC header and FCS. This does include the number of octets in valid MAC Control frames received on this interface.


ifHCInUcastPkts

The number of packets, delivered by this sub-layer to a higher sub-layer, which were not addressed to a multicast or broadcast address at this sub-layer.

ifHCInBroadcastPkts

The number of packets, delivered by this sub-layer to a higher sub-layer, which were addressed to a broadcast address at this sub-layer.

ifHCInMulticastPkts

The number of packets delivered by this sub-layer to a higher (sub) layer, which were addressed to a multicast address at this sub-layer. For a MAC layer protocol, this includes both Group and Functional addresses.

ifHCInDiscards

The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being delivered to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.

ifHCInErrors

The sum for this interface of dot3StatsAlignmentErrors, dot3StatsFCSErrors, dot3StatsFrameTooLongs, dot3StatsInternalMacReceiveErrors and dot3StatsSymbolErrors.

ifHCOutOctets

The number of octets transmitted in valid MAC frames on this interface, including the MAC header and FCS. This does not include the number of octets in valid MAC Control frames transmitted on this interface.

ifHCOutUcastPkts

The total number of packets that higher-level protocols requested to be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent.

ifHCOutBroadcastPkts

The total number of packets that higher-level protocols requested to be transmitted, and which were addressed to a broadcast address at this sub-layer, including those that were discarded or not sent.


ifHCOutMulticastPkts

The total number of packets that higher-level protocols requested to be transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent. For a MAC layer protocol, this includes both Group and Functional addresses.

ifHCOutDiscards

The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.

ifHCOutErrors

The sum for this interface of: dot3StatsSQETestErrors, dot3StatsLateCollisions, dot3StatsExcessiveCollisions, dot3StatsInternalMacTransmitErrors and dot3StatsCarrierSenseErrors.

/stats/port <port number> /ip Interface Protocol Statistics

This menu option enables you to display the interface statistics of the selected port.

IP statistics for port 1:
ipInReceives: 0
ipInAddrErrors: 0 ipForwDatagrams: 0
ipInUnknownProtos: 0 ipInDiscards: 0
ipInDelivers: 0
ipTtlExceeds: 0
ipLANDattacks: 0

Interface Protocol Statistics (/stats/port/ip)

Statistics Description

ipInReceives

The total number of input datagrams received from interfaces, including those received in error.


ipInAddrErrors

The number of input datagrams discarded because the IP address in their IP header’s destination field was not a valid address to be received at this entity (the switch). This count includes invalid addresses (for example, 0.0.0.0) and addresses of unsupported Classes (for example, Class E). For entities which are not IP Gateways and therefore do not forward datagrams, this counter includes datagrams discarded because the destination address was not a local address.

ipForwDatagrams

The number of input datagrams for which this entity (the switch) was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. In entities which do not act as IP Gateways, this counter will include only those packets which were Source-Routed via this entity (the switch), and the Source-Route option processing was successful.

ipInUnknownProtos

The number of locally-addressed datagrams received successfully but discarded because of an unknown or unsupported protocol.

ipInDiscards

The number of input IP datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (for example, for lack of buffer space). Note that this counter does not include any datagrams discarded while awaiting re-assembly.

ipInDelivers

The total number of input datagrams successfully delivered to IP user-protocols (including ICMP).

ipTtlExceeds

The number of IP datagrams for which an ICMP TTL exceeded message was sent.

ipLANDattacks

The number of packets that have the same source and destination IP address.

/stats/port <port number> /link Link Statistics

This menu enables you to display the link statistics of the selected port.

Link statistics for port 1:
linkStateChange: 4

Link Statistics (/stats/port/link)

Statistics Description

linkStateChange

The total number of link state changes.


/stats/port <port number> /rmon RMON Statistics

This menu option enables you to display the remote monitor statistics of the selected port.

RMON statistics for port 1:
etherStatsDropEvents: 0
etherStatsOctets: 129677
etherStatsPkts: 1485
etherStatsBroadcastPkts: 734
etherStatsMulticastPkts: 712
etherStatsCRCAlignErrors: 0
etherStatsUndersizePkts: 0
etherStatsOversizePkts: 0
etherStatsFragments: 0
etherStatsJabbers: 0
etherStatsCollisions: 0
etherStatsPkts64Octets: 954
etherStatsPkts65to127Octets: 578
etherStatsPkts128to255Octets: 35
etherStatsPkts256to511Octets: 26
etherStatsPkts512to1023Octets: 16
etherStatsPkts1024to1518Octets: 8

Remote Monitor Statistics (/stats/port/rmon)

Statistics Description

etherStatsDropEvents

The total number of events in which packets were dropped by the probe due to lack of resources. Note that this number is not necessarily the number of packets dropped; it is just the number of times this condition has been detected.

etherStatsOctets

The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including FCS octets).

This object can be used as a reasonable estimate of utilization (which is the percent utilization of the Ethernet segment). If greater precision is desired, the etherStatsPkts and etherStatsOctets objects should be sampled before and after a common interval. The differences in the sampled values are Pkts and Octets, respectively, and the number of seconds in the interval is Interval. These values are used to calculate the utilization as follows:


The result of this equation is the percent value of utilization.

etherStatsPkts

The total number of packets (including bad packets, broadcast packets, and multicast packets) received.

etherStatsBroadcastPkts

The total number of good packets received that were directed to the broadcast address. Note that this does not include multicast packets.

etherStatsMulticastPkts

The total number of good packets received that were directed to a multicast address. Note that this number does not include packets directed to the broadcast address.

etherStatsCRCAlignErrors

The total number of packets received that had a length (excluding framing bits, but including Frame Check Sequence (FCS) octets) of between 64 and 1518 octets, inclusive, but had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).

etherStatsUndersizePkts

The total number of packets received that were less than 64 octets long (excluding framing bits, but including FCS octets) and were otherwise well formed.

etherStatsOversizePkts

The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed.

etherStatsFragments

The total number of packets received that were less than 64 octets in length (excluding framing bits but including FCS octets) and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).

Note that it is entirely normal for etherStatsFragments to increment. This is because it counts both runts (which are normal occurrences due to collisions) and noise hits. (A runt is a packet that is less than 64 bytes.)


etherStatsJabbers

The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).

Note that this definition of jabber is different than the definition in IEEE-802.3 section 8.2.1.5 (10Base-5) and section 10.3.1.4 (10Base-2). These documents define jabber as the condition where any packet exceeds 20 ms. The allowed range to detect jabber is between 20 milliseconds and 150 milliseconds.

etherStatsCollisions

The best estimate of the total number of collisions on this Ethernet segment.

The value returned will depend on the location of the RMON probe. Section 8.2.1.3 (10Base-5) and section 10.3.1.3 (10Base-2) of IEEE standard 802.3 states that a station must detect a collision, in the receive mode, if three or more stations are transmitting simultaneously. A repeater port must detect a collision when two or more stations are transmitting simultaneously. Thus a probe placed on a repeater port could record more collisions than a probe connected to a station on the same segment would.

Probe location plays a much smaller role when considering 10Base-T. 14.2.1.4 (10Base-T) of IEEE standard 802.3 defines a collision as the simultaneous presence of signals on the DO and RD circuits (transmitting and receiving at the same time). A 10Base-T station can only detect collisions when it is transmitting. Thus probes placed on a station and a repeater should report the same number of collisions.

Note also that an RMON probe inside a repeater should ideally report collisions between the repeater and one or more other hosts (transmit collisions as defined by IEEE 802.3k) plus receiver collisions observed on any coax segments to which the repeater is connected.

etherStatsPkts64Octets

The total number of packets (including bad packets) received that were 64 octets in length (excluding framing bits but including Frame Check Sequence (FCS) octets).


etherStatsPkts65to127Octets

The total number of packets (including bad packets) received that were between 65 and 127 octets in length (excluding framing bits but including FCS octets).

etherStatsPkts128to255Octets

The total number of packets (including bad packets) received that were between 128 and 255 octets in length (excluding framing bits but including Frame Check Sequence (FCS) octets).

etherStatsPkts256to511Octets

The total number of packets (including bad packets) received that were between 256 and 511 octets in length (excluding framing bits but including FCS octets).

etherStatsPkts512to1023Octets

The total number of packets (including bad packets) received that were between 512 and 1023 octets in length (excluding framing bits but including FCS octets).

etherStatsPkts1024to1518Octets

The total number of packets (including bad packets) received that were between 1024 and 1518 octets in length (excluding framing bits but including FCS octets).

/stats/port <port number> /dump Port Dump Statistics

Bridging statistics for port 1:
dot1PortInFrames: 1284
dot1PortOutFrames: 142
dot1PortInDiscards: 130
dot1TpLearnedEntryDiscards: 0
dot1BasePortDelayExceededDiscards: NA
dot1BasePortMtuExceededDiscards: NA
dot1StpPortForwardTransitions: 2
---------------------------------------------------------
Ethernet statistics for port 1:
dot3StatsAlignmentErrors: 0
dot3StatsFCSErrors: 0
dot3StatsSingleCollisionFrames: 0
dot3StatsMultipleCollisionFrames: 0
dot3StatsSQETestErrors: NA
dot3StatsDeferredTransmissions: 0
dot3StatsLateCollisions: 0
dot3StatsExcessiveCollisions: 0
dot3StatsInternalMacTransmitErrors: NA
dot3StatsCarrierSenseErrors: 1
dot3StatsFrameTooLongs: 0
dot3StatsInternalMacReceiveErrors: 0
dot3CollFrequencies [1-15]: NA
---------------------------------------------------------
Interface statistics for port 1:
                     ifHCIn Counters       ifHCOut Counters
Octets:                       124166                  19560
UcastPkts:                        39                     27
BroadcastPkts:                   631                     14
MulticastPkts:                   614                    101
Discards:                        130                      0
Errors:                            1                      0
---------------------------------------------------------
IP statistics for port 1:
ipInReceives: 0
ipInAddrErrors: 0 ipForwDatagrams: 0
ipInUnknownProtos: 0 ipInDiscards: 0
IpInDelivers: 0
ipTtlExceeds: 0
ipLANDattacks: 0
---------------------------------------------------------
Link statistics for port 1:
linkStateChange: 3
---------------------------------------------------------
RMON statistics for port 1:
etherStatsDropEvents: 0
etherStatsOctets: 123840
etherStatsPkts: 1406
etherStatsBroadcastPkts: 698
etherStatsMulticastPkts: 669
etherStatsCRCAlignErrors: 0
etherStatsUndersizePkts: 0
etherStatsOversizePkts: 0
etherStatsFragments: 0
etherStatsJabbers: 0
etherStatsCollisions: 0
etherStatsPkts64Octets: 906
etherStatsPkts65to127Octets: 548
etherStatsPkts128to255Octets: 35
etherStatsPkts256to511Octets: 25
etherStatsPkts512to1023Octets: 16
etherStatsPkts1024to1518Octets: 8
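The port dump is easier to monitor as deltas between polls than as absolute values. The following is an added example, not part of the Nortel reference: it parses a captured dump in the layout shown above and reports growth in a few of the counters this section describes. The function names, the watch list, and both sample polls are constructed for illustration.

```python
import re

# Counters described in this section whose growth is worth a look.
# The selection is an assumption made for this example, not a vendor list.
WATCH = {
    ("IP", "ipLANDattacks"): "packets with identical source and destination IP",
    ("IP", "ipInAddrErrors"): "datagrams with an invalid destination address",
    ("Link", "linkStateChange"): "link state changes on the port",
    ("Interface", "ifHCInDiscards"): "inbound packets discarded without error",
}

SECTION = re.compile(r"^(\w+) statistics for port (\d+):$", re.IGNORECASE)
TWO_COL = re.compile(r"^(\w+):\s+(\d+)\s+(\d+)$")      # "Octets: <in> <out>"
PAIR = re.compile(r"(\S[^:]*?):\s*(\d+|NA)(?=\s|$)")    # "name: value" pairs


def parse_port_dump(text):
    """Return {section: {counter: int or None}}; an 'NA' value becomes None."""
    stats, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:
            continue  # blank line or dashed separator between sections
        header = SECTION.match(line)
        if header:
            section = header.group(1)
            stats[section] = {}
            continue
        if section is None:
            continue
        cols = TWO_COL.match(line) if section == "Interface" else None
        if cols:  # the interface section prints ifHCIn and ifHCOut side by side
            name, rx, tx = cols.groups()
            stats[section]["ifHCIn" + name] = int(rx)
            stats[section]["ifHCOut" + name] = int(tx)
            continue
        # Some rows carry two counters ("ipInAddrErrors: 0 ipForwDatagrams: 0").
        for name, value in PAIR.findall(line):
            stats[section][name] = None if value == "NA" else int(value)
    return stats


def counter_delta(prev, cur):
    """Increase since the previous poll; None if either sample is NA or missing."""
    if prev is None or cur is None:
        return None
    # A smaller value means the counter was cleared (or wrapped) between polls,
    # so everything now on the counter accrued since that reset.
    return cur if cur < prev else cur - prev


def watch_alerts(prev_stats, cur_stats):
    """List (counter, increase, meaning) for watched counters that grew."""
    alerts = []
    for (section, name), meaning in WATCH.items():
        delta = counter_delta(prev_stats.get(section, {}).get(name),
                              cur_stats.get(section, {}).get(name))
        if delta:
            alerts.append((name, delta, meaning))
    return alerts


# Constructed sample in the dump layout; the values are not from a real switch.
TEMPLATE = """\
Ethernet statistics for port 1:
dot3StatsAlignmentErrors:            0
dot3StatsSQETestErrors:             NA
dot3CollFrequencies [1-15]:         NA
---------------------------------------------------------
Interface statistics for port 1:
                   ifHCIn Counters      ifHCOut Counters
Octets:                     124166                 19560
Discards:                      130                     0
---------------------------------------------------------
IP statistics for port 1:
ipInReceives:          0
ipInAddrErrors:        {addr}   ipForwDatagrams:     0
ipLANDattacks:         {land}
---------------------------------------------------------
Link statistics for port 1:
linkStateChange:       {link}
"""
FIRST_POLL = parse_port_dump(TEMPLATE.format(addr=0, land=0, link=3))
SECOND_POLL = parse_port_dump(TEMPLATE.format(addr=7, land=42, link=1))

if __name__ == "__main__":
    for name, delta, meaning in watch_alerts(FIRST_POLL, SECOND_POLL):
        print(f"{name} +{delta}: {meaning}")
```

In the second constructed poll linkStateChange is lower than in the first, which the code treats as a cleared counter rather than a negative change.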

/stats/pmirr Port mirroring statistics menu

This menu displays port mirroring statistics on an all ports basis.

[Port Mirroring Statistics Menu]
dump - Show port mirroring stats
clear - Clear all port mirroring stats


PMIRR Statistics Menu Options (/stats/pmirr)

Command Syntax and Usage

dump

Displays all mirrored port statistics.

clear

Clears the port statistics.

/stats/l2 Layer 2 Statistics Menu

[Layer 2 Statistics Menu]
fdb - Show FDB stats
lacp - Show LACP stats
stg - Show STG stats
dump - Dump layer 2 stats

Layer 2 Statistics Menu Options (/stats/l2)

Command Syntax and Usage

fdb

Displays Forwarding Database statistics. To view statistics and their description, see "/stats/l2/fdb FDB Statistics" (page 134).

lacp <port number (1 to max num ports)>

Displays Link Aggregation Control Protocol statistics. To view statistics and their description, see "/stats/l2/lacp LACP Statistics" (page 135).

stg

Displays Spanning Tree Group statistics. To view statistics and their description, see "/stats/l2/stg Spanning Tree Group Statistics" (page 136).

dump

Dump the Layer 2 statistics.

/stats/l2/fdb FDB Statistics

FDB statistics:
creates: 9611 deletes: 9553
current: 58 hiwat: 65
lookups: 850254 lookup fails: 151373
finds: 5832 find fails: 0
find_or_c’s: 11874 overflows: 0
max: 16384


This menu option enables you to display statistics regarding the use of the forwarding database, including the number of new entries, finds, and unsuccessful searches.

FDB statistics are described in the following table:

Forwarding Database Statistics (/stats/l2/fdb)

Statistic Description

creates

Number of entries created in the Forwarding Database.

current

Current number of entries in the Forwarding Database.

lookups

Number of entry lookups in the Forwarding Database.

finds

Number of successful searches in the Forwarding Database.

find_or_c’s

Number of entries found or created in the Forwarding Database.

deletes

Number of entries deleted from the Forwarding Database.

hiwat

Highest number of entries recorded at any given time in the Forwarding Database.

lookup fails

Number of unsuccessful searches made in the Forwarding Database.

find fails

Number of search failures in the Forwarding Database.

overflows

Number of entries overflowing the Forwarding Database.

max

Number of maximum Forwarding Database entries supported by the switch.

/stats/l2/lacp LACP Statistics

>> Layer 2 Statistics# lacp 1
port 1
Valid LACPDUs received - 9394
Valid Marker PDUs received - 0
Valid Marker Rsp PDUs received - 0
Unknown version/TLV type - 0
Illegal subtype received - 0
LACPDUs transmitted - 8516
Marker PDUs transmitted - 0
Marker Rsp PDUs transmitted - 0

LACP Statistics Parameters (/stats/l2/lacp)

Field Description

Valid LACPDUs received

The number of LACPDUs that the switch received on this port.

Valid Marker PDUs received

The number of valid Marker PDUs that the switch received on this port.

Valid Marker Rsp PDUs received

The number of valid Marker Responses that the switch received on this port.

Unknown version/TLV type

The number of unknown version or TLV types that the switch received on this port.

Illegal subtype received

The number of illegal LACP subtypes received on this port.

LACPDUs transmitted

The number of LACPDUs transmitted out of this port.

Marker PDUs transmitted

The number of Marker PDUs transmitted out of this port.

Marker Rsp PDUs transmitted

The number of Marker Responses transmitted out of this port.

/stats/l2/stg Spanning Tree Group Statistics

Spanning Tree Group 1:
Port     Rcv Cfg    Rcv TCN    Xmt Cfg    Xmt TCN
----- ---------- ---------- ---------- ----------
    1          0          0          0          0
    2          0          0          0          0
    3          0          0          0          0
    4          0          0          0          0
    5          0          0          0          0
    6          0          0          0          0
    7          0          0          0          0
    8          0          0          0          0
    9     139046        176         27         15
   10          0          0          0          0
   11          0          0          0          0
   12          0          0          0          0
   13          0          0          0          0
   14          0          0          0          0
   15          0          0          0          0
   16          0          0          0          0
   17          0          0          0          0
   18          0          0          0          0
   19          0          0          0          0
   20          0          0          0          0
   21          0          0          0          0
   22          0          0          0          0
   23          0          0          0          0
   24          0          0          0          0
   25          0          0          0          0
   26          0          0          0          0
   27          0          0          0          0
   28          0          0          0          0

Spanning Tree Group Statistics Parameters (/stats/l2/stg)

Field Description

Port

Displays the port number.

Rcv Cfg

Displays the number of configuration BPDUs received.

Rcv TCN

Displays the number of TCN (Topology Change Notification) messages received.

Xmt Cfg

Displays the number of configuration BPDUs transmitted.

Xmt TCN

Displays the number of TCN (Topology Change Notification) messages transmitted.

/stats/l3 Layer 3 Statistics Menu

[Layer 3 Statistics Menu]
ospf - OSPF Statistics Menu
ip - Show IP stats
ip6 - Show IP6 stats
route - Show route stats
arp - Show ARP stats
vrrp - Show VRRP stats
vrrp6 - Show VRRP6 stats
dns - Show DNS stats
cmp - Show ICMP stats
if - Show IP interface ("if") stats
tcp - Show TCP stats
udp - Show UDP stats
ifclear - Clear IP interface ("if") stats
ipclear - Clear IP stats
dump - Dump layer 3 stats


Layer 3 Statistics Menu (/stats/l3)

Command Syntax and Usage

ospf

Displays OSPF statistics Menu. See "/stats/l3/ospf OSPF Statistics Menu" (page 139) for sample output.

ip

Displays IP statistics. See "/stats/l3/ip IP Statistics" (page 143) for sample output.

ip6

Displays IP6 statistics. See "/stats/l3/ip6 IP6 Statistics Menu" (page 146) for sample output.

route

Displays route statistics. See "/stats/l3/route Route Statistics" (page 150) for sample output.

arp

Displays Address Resolution Protocol (ARP) statistics. See "/stats/l3/arp ARP statistics" (page 152) for sample output.

vrrp

When virtual routers are configured, you can display the following protocol statistics for VRRP:

• Advertisements received (vrrpInAdvers)

• Advertisements transmitted (vrrpOutAdvers)

• Advertisements received, but ignored (vrrpBadAdvers)

See "/stats/l3/vrrp VRRP Statistics" (page 153) for sample output.

vrrp6

Displays statistical information about IPv6 VRRP support. See ???? for sample output.

dns

Displays Domain Name Server/System (DNS) statistics. See "/stats/l3/dns DNS Statistics" (page 155) for sample output.

icmp

Displays ICMP statistics. See "/stats/l3/icmp ICMP Statistics" (page 155) for sample output.

if <interface number (1-256)>


Displays IP interface statistics for the management processors. See "/stats/l3/if interface number Interface Statistics" (page 157) for sample output.

tcp

Displays TCP statistics. See "/stats/l3/tcp TCP Statistics" (page 159) for sample output.

udp

Displays UDP statistics. See "/stats/l3/udp UDP Statistics" (page 161) for sample output.

ifclear

Clears IP interface statistics. Use this command with caution as it will delete all the IP interface statistics.

ipclear

Clears IP statistics. Use this command with caution as it will delete all the IP statistics.

dump

Dumps all Layer 3 switch statistics. Use this command to gather data for tuning and debugging Layer 3 switch performance. If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump command.

/stats/l3/ospf OSPF Statistics Menu

[OSPF stats Menu]
general - Show global stats
aindex - Show area(s) stats
if - Show interface(s) stats

OSPF Statistics Menu (/stats/l3/ospf)

Command Syntax and Usage

general

Displays global statistics. See "/stats/l3/ospf/general OSPF Global Statistics" (page 140) for sample output and details.

aindex <area index (0-2)>

Displays area index statistics.

if <interface number (1-256)>

Displays interface statistics.


/stats/l3/ospf/general OSPF Global Statistics

The OSPF General Statistics contain the sum total of all OSPF packets received on all OSPF areas and interfaces.

OSPF stats
----------
Rx/Tx Stats:              Rx         Tx
                    --------   --------
Pkts                       0          0
hello                     23        518
database                   4         12
ls requests                3          1
ls acks                    7          7
ls updates                 9          7

Nbr change stats:             Intf change Stats:
hello                  2      hello              4
start                  0      down               2
n2way                  2      loop               0
adjoint ok             2      unloop             0
negotiation done       2      wait timer         2
exchange done          2      backup             0
bad requests           0      nbr change         5
bad sequence           0
loading done           2
n1way                  0
rst_ad                 0
down                   1

Timers kickoff
hello                514
retransmit          1028
lsa lock               0
lsa ack                0
dbage                  0
summary                0
ase export             0

OSPF General Statistics (stats/l3/ospf/general)

Statistics Description

Rx/Tx Stats:

Rx Pkts

The sum total of all OSPF packets received on all OSPF areas and interfaces.

Tx Pkts

The sum total of all OSPF packets transmitted on all OSPF areas and interfaces.


Rx Hello

The sum total of all Hello packets received on all OSPF areas and interfaces.

Tx Hello

The sum total of all Hello packets transmitted on all OSPF areas and interfaces.

Rx Database

The sum total of all Database Description packets received on all OSPF areas and interfaces.

Tx Database

The sum total of all Database Description packets transmitted on all OSPF areas and interfaces.

Rx ls Requests

The sum total of all Link State Request packets received on all OSPF areas and interfaces.

Tx ls Requests

The sum total of all Link State Request packets transmitted on all OSPF areas and interfaces.

Rx ls Acks

The sum total of all Link State Acknowledgement packets received on all OSPF areas and interfaces.

Tx ls Acks

The sum total of all Link State Acknowledgement packets transmitted on all OSPF areas and interfaces.

Rx ls Updates

The sum total of all Link State Update packets received on all OSPF areas and interfaces.

Tx ls Updates

The sum total of all Link State Update packets transmitted on all OSPF areas and interfaces.

Nbr Change Stats:

hello

The sum total of all Hello packets received from neighbors on all OSPF areas and interfaces.

Start

The sum total number of neighbors in this state (that is, an indication that Hello packets should now be sent to the neighbor at intervals of HelloInterval seconds) across all OSPF areas and interfaces.

n2way

The sum total number of bidirectional communication establishment between this router and other neighboring routers.

adjoint ok

The sum total number of decisions to be made (again) as to whether an adjacency should be established/maintained with the neighbor across all OSPF areas and interfaces.

negotiation done

The sum total number of neighbors in this state wherein the Master/slave relationship has been negotiated, and sequence numbers have been exchanged, across all OSPF areas and interfaces.


exchange done The sum total number of neighbors in this state (that is, in an adjacency’s final state) having transmitted a full sequence of Database Description packets, across all OSPF areas and interfaces.

bad requests The sum total number of Link State Requests which have been received for a link state advertisement not contained in the database across all interfaces and OSPF areas.

bad sequence The sum total number of Database Description packets which have been received that either:

1. Have an unexpected DD sequence number

2. Unexpectedly have the init bit set

3. Have an options field differing from the last Options field received in a Database Description packet.

Any of these conditions indicates that some error has occurred during adjacency establishment for all OSPF areas and interfaces.

loading done The sum total number of link state updates received for all out-of-date portions of the database across all OSPF areas and interfaces.

n1way The sum total number of Hello packets received from neighbors, in which this router is not mentioned, across all OSPF interfaces and areas.

rst_ad The sum total number of times the Neighbor adjacency has been reset across all OSPF areas and interfaces.

down The total number of Neighboring routers down (that is, in the initial state of a neighbor conversation) across all OSPF areas and interfaces.

Intf Change Stats:

hello The sum total number of Hello packets sent on all interfaces and areas.

down The sum total number of interfaces down in all OSPF areas.

loop The sum total of interfaces no longer connected to the attached network across all OSPF areas and interfaces.

unloop The sum total number of interfaces connected to the attached network in all OSPF areas.


wait timer The sum total number of times the Wait Timer has been fired, indicating the end of the waiting period that is required before electing a (Backup) Designated Router across all OSPF areas and interfaces.

backup The sum total number of Backup Designated Routers on the attached network for all OSPF areas and interfaces.

nbr change The sum total number of changes in the set of bidirectional neighbors associated with any interface across all OSPF areas.

Timers Kickoff:

hello The sum total number of times the Hello timer has been fired (which triggers the send of a Hello packet) across all OSPF areas and interfaces.

retransmit The sum total number of times the Retransmit timer has been fired across all OSPF areas and interfaces.

lsa lock The sum total number of times the Link State Advertisement (LSA) lock timer has been fired across all OSPF areas and interfaces.

lsa ack The sum total number of times the LSA Ack timer has been fired across all OSPF areas and interfaces.

dbage The total number of times the data base age (Dbage) has been fired.

summary The total number of times the Summary timer has been fired.

ase export The total number of times the Autonomous System Export (ASE) timer has been fired.

/stats/l3/ip
IP Statistics

IP statistics:
ipInReceives:        3115873   ipInHdrErrors:             1
ipInAddrErrors:        35447   ipForwDatagrams:           0
ipInUnknownProtos:    500504   ipInDiscards:              0
ipInDelivers:        2334166   ipOutRequests:       1010542
ipOutDiscards:             4   ipOutNoRoutes:             4
ipReasmReqds:              0   ipReasmOKs:                0
ipReasmFails:              0   ipFragOKs:                 0
ipFragFails:               0   ipFragCreates:             0
ipRoutingDiscards:         0   ipDefaultTTL:            255
ipReasmTimeout:            5


IP Statistics (/stats/l3/ip)

Statistics Description

ipInReceives The total number of input datagrams received from interfaces, including those received in error.

ipInHdrErrors The number of input datagrams discarded due to errors in their IP headers, including bad checksums, version number mismatch, other format errors, time-to-live exceeded, errors discovered in processing their IP options, and so forth.

ipInAddrErrors The number of input datagrams discarded because the IP address in their IP header’s destination field was not a valid address to be received at this entity (the switch). This count includes invalid addresses (for example, 0.0.0.0) and addresses of unsupported Classes (for example, Class E). For entities which are not IP Gateways and therefore do not forward datagrams, this counter includes datagrams discarded because the destination address was not a local address.

ipForwDatagrams The number of input datagrams for which this entity (the switch) was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. In entities which do not act as IP Gateways, this counter will include only those packets which were Source-Routed via this entity (the switch), and the Source-Route option processing was successful.

ipInUnknownProtos The number of locally addressed datagrams received successfully but discarded because of an unknown or unsupported protocol.

ipInDiscards The number of input IP datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (for example, for lack of buffer space). Note that this counter does not include any datagrams discarded while awaiting re-assembly.

ipInDelivers The total number of input datagrams successfully delivered to IP user-protocols (including ICMP).

ipOutRequests The total number of IP datagrams which local IP user-protocols (including ICMP) supplied to IP in requests for transmission. Note that this counter does not include any datagrams counted in ipForwDatagrams.


ipOutDiscards The number of output IP datagrams for which no problem was encountered to prevent their transmission to their destination, but which were discarded (for example, for lack of buffer space). Note that this counter would include datagrams counted in ipForwDatagrams if any such packets met this (discretionary) discard criterion.

ipOutNoRoutes The number of IP datagrams discarded because no route could be found to transmit them to their destination. Note that this counter includes any packets counted in ipForwDatagrams which meet this no-route criterion. Note that this includes any datagrams which a host cannot route because all of its default gateways are down.

ipReasmReqds The number of IP fragments received which needed to be reassembled at this entity (the switch).

ipReasmOKs The number of IP datagrams successfully re-assembled.

ipReasmFails The number of failures detected by the IP re-assembly algorithm (for whatever reason: timed out, errors, and so forth). Note that this is not necessarily a count of discarded IP fragments since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received.

ipFragOKs The number of IP datagrams that have been successfully fragmented at this entity (the switch).

ipFragFails The number of IP datagrams that have been discarded because they needed to be fragmented at this entity (the switch) but could not be, for example, because their Don’t Fragment flag was set.

ipFragCreates The number of IP datagram fragments that have been generated as a result of fragmentation at this entity (the switch).

ipRoutingDiscards The number of routing entries which were chosen to be discarded even though they are valid. One possible reason for discarding such an entry could be to free up buffer space for other routing entries.


ipDefaultTTL The default value inserted into the Time-To-Live (TTL) field of the IP header of datagrams originated at this entity (the switch), whenever a TTL value is not supplied by the transport layer protocol.

ipReasmTimeout The maximum number of seconds which received fragments are held while they are awaiting reassembly at this entity (the switch).

/stats/l3/ip6
IP6 Statistics Menu

>> Layer 3 Statistics# /stat/l3/ip6
---------------------------------------------------------
IP6 statistics:
InReceives:         20519   InDiscards:              2
InDelivers:         24793   ForwDatagrams:           0
UnknownProtos:          0   InAddrErrors:            0
OutRequests:        34548   OutNoRoutes:             0
ReasmOKs:               0   ReasmFails:              0
IcmpInMsgs:         24793   IcmpInErrors:         4268
IcmpOutMsgs:        12829   IcmpOutErrors:        4271
InEchos:                0   OutEchos:             8538
InEchoReplies:       8536   OutEchoReplies:          0
InDestUnreachs:      4268   OutDestUnreachs:      4271
InPktTooBigs:           0   OutPktTooBigs:           0
InTimeExcds:            0   OutTimeExcds:            0
---------------------------------------------------------

ICMP6 statistics:

Interface: 1
InMsgs:               18929   InErrors:                       0
InEchos:                  0   InEchoReplies:               4268
InNeighborSolicits:    4513   InNeighborAdvertisements:    4271
InRouterSolicits:         0   InRouterAdvertisements:      5877
InDestUnreachs:           0   InTimeExcds:                    0
InPktTooBigs:             0   InParmProblems:                 0
InRedirects:              0
OutMsgs:               4280   OutErrors:                      0
OutEchos:              4269   OutEchoReplies:                 0
OutNeighborSolicits:      3   OutNeighborAdvertisements:   4516
OutRouterSolicits:        0   OutRouterAdvertisements:        1
OutRedirects:             0
---------------------------------------------------------


Interface: 7
InMsgs:                5864   InErrors:                    4268
InEchos:                  0   InEchoReplies:               4268
InNeighborSolicits:     122   InNeighborAdvertisements:       3
InRouterSolicits:         0   InRouterAdvertisements:      1471
InDestUnreachs:        4268   InTimeExcds:                    0
InPktTooBigs:             0   InParmProblems:                 0
InRedirects:              0
OutMsgs:               8549   OutErrors:                   4271
OutEchos:              4269   OutEchoReplies:                 0
OutNeighborSolicits:      2   OutNeighborAdvertisements:    124
OutRouterSolicits:        0   OutRouterAdvertisements:        1
OutRedirects:             0
---------------------------------------------------------

IP6 gateway health check statistics:
gateway 5 echo-req 4269 echo-resp 4268 fails 0
gateway 7 echo-req 4269 echo-resp 0 fails 4268

IPv6 Statistics (/stats/l3/ip6)

Statistics Description

IP6 Statistics Section

InReceives The total number of input datagrams received by the interface, including those received in error.

InDelivers The total number of datagrams successfully delivered to IPv6 user-protocols (including ICMP). This counter is incremented at the interface to which these datagrams were addressed, which might not necessarily be the input interface for some of the datagrams.

UnknownProtos The number of locally-addressed datagrams received successfully but discarded because of an unknown or unsupported protocol. This counter is incremented at the interface to which these datagrams were addressed, which might not necessarily be the input interface for some of the datagrams.

OutRequests The total number of IPv6 datagrams which local IPv6 user-protocols (including ICMP) supplied to IPv6 in requests for transmission. Note that this counter does not include any datagrams counted in ipv6IfStatsOutForwDatagrams.


ReasmOKs The number of IPv6 datagrams successfully reassembled. Note that this counter is incremented at the interface to which these datagrams were addressed, which might not necessarily be the input interface for some of the fragments.

InDiscards The number of input IPv6 datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (e.g., for lack of buffer space). Note that this counter does not include any datagrams discarded while awaiting re-assembly.

ForwDatagrams The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful. Note that for a successfully forwarded datagram the counter of the outgoing interface is incremented.

InAddrErrors The number of input datagrams discarded because the IPv6 address in their IPv6 header’s destination field was not a valid address to be received at this entity. This count includes invalid addresses (e.g., ::0) and unsupported addresses (e.g., addresses with unallocated prefixes). For entities which are not IPv6 routers and therefore do not forward datagrams, this counter includes datagrams discarded because the destination address was not a local address.

OutNoRoutes The number of locally generated IP datagrams discarded because no route could be found to transmit them to their destination.

ReasmFails The number of failures detected by the IPv6 re-assembly algorithm (for whatever reason: timed out, errors, etc.). Note that this is not necessarily a count of discarded IPv6 fragments since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received. This counter is incremented at the interface to which these fragments were addressed, which might not necessarily be the input interface for some of the fragments.


IcmpInMsgs The total number of ICMP messages received by the interface, which includes all those counted by ipv6IfIcmpInErrors. Note that this interface is the interface to which the ICMP messages were addressed, which may not necessarily be the input interface for the messages.

IcmpOutMsgs The total number of ICMP messages which this interface attempted to send. Note that this counter includes all those counted by icmpOutErrors.

IcmpInErrors The number of ICMP messages which the interface received but determined as having ICMP-specific errors (bad ICMP checksums, bad length, etc.).

IcmpOutErrors The number of ICMP messages which this interface did not send due to problems discovered within ICMP such as a lack of buffers. This value should not include errors discovered outside the ICMP layer such as the inability of IPv6 to route the resultant datagram. In some implementations there may be no types of error which contribute to this counter’s value.

IcmpInEchos The number of ICMP Echo (request) messages received by the interface.

ICMP6 Statistics Section

InMsgs The total number of ICMP messages received by the interface, which includes all those counted by ipv6IfIcmpInErrors. Note that this interface is the interface to which the ICMP messages were addressed, which may not necessarily be the input interface for the messages.

InNeighborSolicits The number of ICMP Neighbor Solicit messages received by the interface.

InRouterSolicits The number of ICMP Router Solicit messages received by the interface.

InDestUnreachs The number of ICMP Destination Unreachable messages received by the interface.

InPktTooBigs The number of ICMP Packet Too Big messages received by the interface.

InRedirects The number of Redirect messages received by the interface.

InErrors The number of ICMP messages which the interface received but determined as having ICMP-specific errors (bad ICMP checksums, bad length, etc.).

InEchoReplies The number of ICMP Echo Reply messages received by the interface.


InNeighborAdvertisements The number of ICMP Neighbor Advertisement messages received by the interface.

InRouterAdvertisements The number of ICMP Router Advertisement messages received by the interface.

InTimeExcds The number of ICMP Time Exceeded messages received by the interface.

InParmProblems The number of ICMP Parameter Problem messages received by the interface.

OutMsgs The total number of ICMP messages which this interface attempted to send.

OutEchos The number of ICMP Echo Request messages sent by the interface.

OutNeighborSolicits The number of ICMP Neighbor Solicitation messages sent by the interface.

OutRouterSolicits The number of ICMP Router Solicitation messages sent by the interface.

OutRedirects The number of Redirect messages sent. For a host, this object will always be zero, since hosts do not send redirects.

OutErrors The number of ICMP messages which this interface did not send due to problems discovered within ICMP such as a lack of buffers. This value should not include errors discovered outside the ICMP layer such as the inability of IPv6 to route the resultant datagram. In some implementations there may be no types of error which contribute to this counter’s value.

OutEchoReplies The number of ICMP Echo Reply messages sent by the interface.

OutNeighborAdvertisements The number of ICMP Neighbor Advertisement messages sent by the interface.

OutRouterAdvertisements The number of ICMP Router Advertisement messages sent by the interface.

/stats/l3/route


Route Statistics

Route statistics:
ipRoutesCur:          3   ipRoutesHighWater:    3
ipRoutesMax:       4096
---------------------------------------------------------

SP Route statistics:
SP   ipRoutesCur    ipRoutesHighWater    ipRoutesMax
---  -------------  -------------------  -------------
1    3              3                    4096
2    3              3                    4096
3    3              3                    4096
4    3              3                    4096

---------------------------------------------------------

RIP statistics:
ripInPkts:            0   ripOutPkts:           0
ripDiscardPkts:       0
ripRoutesAgedOut:     0

BGP statistics:
bgpInPkts:            0   bgpOutPkts:           0
bgpBadPkts:           0   bgpSessFailures:      0
bgpRoutesAdded:       0   bgpRoutesRemoved:     0
bgpRoutesCur:         0   bgpRoutesFailed:      0
bgpRoutesIgnored:     0   bgpRoutesFiltered:    0

Route Statistics (/stats/l3/route)

Statistics Description

Route Statistics & SP Route Statistics:

ipRoutesCur The total number of outstanding routes in the route table.

ipRoutesHighWater The highest number of routes ever recorded in the route table.

ipRoutesMax The maximum number of supported routes.

RIP statistics:

ripInPkts The total number of good RIP advertisement packets received.

ripOutPkts The total number of RIP advertisement packets sent.

ripDiscardPkts The total number of RIP advertisement packets received that were dropped.


ripRoutesAgedOut The total number of routes learned via RIP that have aged out.

BGP statistics:

bgpInPkts The total number of BGP packets received.

bgpOutPkts The total number of BGP packets sent.

bgpBadPkts The total number of BGP packets dropped.

bgpSessFailures The total number of failed sessions.

bgpRoutesAdded The total number of routes that were added to the routing table.

bgpRoutesRemoved The total number of routes that were removed from the routing table.

bgpRoutesCur The total number of current BGP routes.

bgpRoutesFailed The total number of BGP routes that failed to be added to the routing table.

bgpRoutesIgnored The total number of routes ignored because the peer was not connected locally or multihop was not configured.

bgpRoutesFiltered The total number of routes dropped by the filter.

/stats/l3/arp
ARP statistics

This menu option enables you to display Address Resolution Protocol statistics.

MP ARP statistics:
arpEntriesCur:          2
arpEntriesHighWater:    2
arpEntriesMax:       8192
---------------------------------------------------------

SP ARP statistics:
SP   arpEntriesCur    arpEntriesHighWater    arpEntriesMax
---  ---------------  ---------------------  ---------------
1    1                1                      8192
2    1                1                      8192
3    1                1                      8192
4    1                1                      8192


ARP Statistics (/stats/l3/arp)

Statistics Description

arpEntriesCur The total number of outstanding ARP entries in the ARP table.

arpEntriesHighWater The highest number of ARP entries ever recorded in the ARP table.

arpEntriesMax The maximum number of ARP entries that are supported.

/stats/l3/vrrp
VRRP Statistics

Virtual Router Redundancy Protocol (VRRP) support on the Nortel Application Switch provides redundancy between routers in a LAN. This is accomplished by configuring the same virtual router IP address and ID number on each participating VRRP-capable routing device. One of the virtual routers is then elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address.

When virtual routers are configured, you can display the following protocol statistics for VRRP:

• Advertisements received (vrrpInAdvers)

• Advertisements transmitted (vrrpOutAdvers)

• Advertisements received, but ignored (vrrpBadAdvers)

The statistics for the VRRP are displayed:

VRRP statistics:
vrrpInAdvers:         0   vrrpBadAdvers:        0
vrrpOutAdvers:        0
vrrpBadVersion:       0   vrrpBadVrid:          0
vrrpBadAddress:       0   vrrpBadData:          0
vrrpBadPassword:      0   vrrpBadInterval:      0

VRRP Statistics (/stats/l3/vrrp)

Statistics Description

vrrpInAdvers The total number of VRRP advertisements that have been received.

vrrpBadAdvers The total number of VRRP advertisements received that were dropped.

vrrpOutAdvers The total number of VRRP advertisements that have been sent.


vrrpBadVersion The total number of VRRP advertisements discarded because of an incorrect version value.

vrrpBadVrid The total number of VRRP advertisements discarded because of an incorrect VRID value.

vrrpBadAddress The total number of VRRP advertisements discarded because of an incorrect address value.

vrrpBadData The total number of VRRP advertisements discarded because of incorrect miscellaneous data.

vrrpBadPassword The total number of VRRP advertisements discarded because of an incorrect password.

vrrpBadInterval The total number of VRRP advertisements discarded because of an incorrect advertisement interval.

/stats/l3/vrrp6
IPv6 VRRP statistics

The Nortel Application Switch Operating System supports VRRP for IPv6. The statistics provided by this command are similar in nature to those presented by the /stats/l3/vrrp command but tailored to the IPv6 environment. The following is a sample output for this command.

VRRP6 statistics:
vrrp6InAdvers:          7
vrrp6BadAdvers:         0
vrrp6OutAdvers:     86801
vrrp6BadVersion:        0
vrrp6BadVrid:           0
vrrp6BadAddress:        0
vrrp6BadData:           0
vrrp6BadInterval:       0

IPv6 VRRP Statistics (/stats/l3/vrrp6)

Statistics Description

vrrp6InAdvers The total number of VRRP advertisements that have been received.

vrrp6BadAdvers The total number of VRRP advertisements received that were dropped.

vrrp6OutAdvers The total number of VRRP advertisements that have been sent.

vrrp6BadVersion The total number of VRRP advertisements discarded because of an incorrect version value.

vrrp6BadVrid The total number of VRRP advertisements discarded because of an incorrect VRID value.


vrrp6BadAddress The total number of VRRP advertisements discarded because of an incorrect address value.

vrrp6BadData The total number of VRRP advertisements discarded because of incorrect miscellaneous data.

vrrp6BadPassword The total number of VRRP advertisements discarded because of an incorrect password.

vrrp6BadInterval The total number of VRRP advertisements discarded because of an incorrect advertisement interval.
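
Added example, not part of the Nortel reference: the VRRP and VRRP6 counters above are running totals, so this Python code compares two captures of the /stats/l3/vrrp or /stats/l3/vrrp6 output and reports which discard reason grew in between. The two captures are constructed sample data, and treating a counter that went backwards as a reset is an assumption of the example.

```python
import re

# Matches "name: value" pairs such as "vrrpBadVrid: 0" in the statistics output.
COUNTER_RE = re.compile(r"([A-Za-z][A-Za-z0-9]*):\s*(\d+)")

# Discard reasons, worded after the counter descriptions in the tables above.
REASONS = {
    "BadVersion": "incorrect version value",
    "BadVrid": "incorrect VRID value",
    "BadAddress": "incorrect address value",
    "BadData": "incorrect miscellaneous data",
    "BadPassword": "incorrect password",
    "BadInterval": "incorrect advertisement interval",
}

# Constructed captures in the layout of the sample output (not real data).
BEFORE = """VRRP statistics:
vrrpInAdvers:       120   vrrpBadAdvers:        0
vrrpOutAdvers:        0
vrrpBadVersion:       0   vrrpBadVrid:          0
vrrpBadAddress:       0   vrrpBadData:          0
vrrpBadPassword:      0   vrrpBadInterval:      0
"""

AFTER = """VRRP statistics:
vrrpInAdvers:       180   vrrpBadAdvers:       14
vrrpOutAdvers:        0
vrrpBadVersion:       0   vrrpBadVrid:          2
vrrpBadAddress:       0   vrrpBadData:          0
vrrpBadPassword:     12   vrrpBadInterval:      0
"""


def parse_stats(text):
    """Return {counter name: value} for every counter in one output capture."""
    return {name: int(value) for name, value in COUNTER_RE.findall(text)}


def counter_deltas(previous, current):
    """Growth of each counter between two parsed captures.

    Assumption: a counter that went backwards was reset (statistics cleared
    or switch restarted), so its current value is taken as the growth.
    """
    deltas = {}
    for name, now in current.items():
        before = previous.get(name, 0)
        deltas[name] = now - before if now >= before else now
    return deltas


def discard_findings(previous_text, current_text):
    """List (counter, growth, reason) for each discard-reason counter that grew.

    Handles both the vrrp* and vrrp6* counter families.
    """
    deltas = counter_deltas(parse_stats(previous_text), parse_stats(current_text))
    findings = []
    for name in sorted(deltas):
        match = re.fullmatch(r"vrrp6?(Bad[A-Za-z]+)", name)
        if match and match.group(1) in REASONS and deltas[name] > 0:
            findings.append((name, deltas[name], REASONS[match.group(1)]))
    return findings


if __name__ == "__main__":
    for name, growth, reason in discard_findings(BEFORE, AFTER):
        print(f"{name} grew by {growth}: advertisements discarded ({reason})")
```

Growth in vrrpBadPassword or vrrpBadVrid means some device on the segment is sending advertisements that do not match this switch's VRRP configuration, so the next step is to compare the peers' settings and identify the sender.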

/stats/l3/dns
DNS Statistics

This menu option enables you to display Domain Name System statistics.

DNS statistics:
dnsInRequests:        0   dnsOutRequests:       0
dnsBadRequests:       0

DNS Statistics (/stats/l3/dns)

Statistics Description

dnsInRequests The total number of DNS request packets that have been received.

dnsOutRequests The total number of DNS response packets that have been transmitted.

dnsBadRequests The total number of DNS request packets received that were dropped.

/stats/l3/icmp
ICMP Statistics


ICMP Statistics (/stats/l3/icmp)

Statistics Description

icmpInMsgs The total number of ICMP messages which the entity (the switch) received. Note that this counter includes all those counted by icmpInErrors.

icmpInErrors The number of ICMP messages which the entity (the switch) received but determined as having ICMP-specific errors (bad ICMP checksums, bad length, and so forth).

icmpInDestUnreachs The number of ICMP Destination Unreachable messages received.

icmpInTimeExcds The number of ICMP Time Exceeded messages received.

icmpInParmProbs The number of ICMP Parameter Problem messages received.

icmpInSrcQuenchs The number of ICMP Source Quench (buffer almost full, stop sending data) messages received.

icmpInRedirects The number of ICMP Redirect messages received.

icmpInEchos The number of ICMP Echo (request) messages received.

icmpInEchoReps The number of ICMP Echo Reply messages received.

icmpInTimestamps The number of ICMP Timestamp (request) messages received.

icmpInTimestampReps The number of ICMP Timestamp Reply messages received.

icmpInAddrMasks The number of ICMP Address Mask Request messages received.

icmpInAddrMaskReps The number of ICMP Address Mask Reply messages received.

icmpOutMsgs The total number of ICMP messages which this entity (the switch) attempted to send. Note that this counter includes all those counted by icmpOutErrors.


icmpOutErrors The number of ICMP messages which this entity (the switch) did not send due to problems discovered within ICMP such as a lack of buffer. This value should not include errors discovered outside the ICMP layer such as the inability of IP to route the resultant datagram. In some implementations there may be no types of errors that contribute to this counter’s value.

icmpOutDestUnreachs The number of ICMP Destination Unreachable messages sent.

icmpOutTimeExcds The number of ICMP Time Exceeded messages sent.

icmpOutParmProbs The number of ICMP Parameter Problem messages sent.

icmpOutSrcQuenchs The number of ICMP Source Quench (buffer almost full, stop sending data) messages sent.

icmpOutRedirects The number of ICMP Redirect messages sent. For a host, this object will always be zero, since hosts do not send redirects.

icmpOutEchos The number of ICMP Echo (request) messages sent.

icmpOutEchoReps The number of ICMP Echo Reply messages sent.

icmpOutTimestamps The number of ICMP Timestamp (request) messages sent.

icmpOutTimestampReps The number of ICMP Timestamp Reply messages sent.

icmpOutAddrMasks The number of ICMP Address Mask Request messages sent.

icmpOutAddrMaskReps The number of ICMP Address Mask Reply messages sent.

/stats/l3/if <interface number>
Interface Statistics

IP interface 1 statistics:
ifInOctets:        48948386   ifInUcastPkts:         220553
ifInNUCastPkts:      167895   ifInDiscards:               0
ifInErrors:               0   ifInUnknownProtos:          0
ifOutOctets:       27100789   ifOutUcastPkts:        441938
ifOutNUcastPkts:     218652   ifOutDiscards:              0
ifOutErrors:              0   ifStateChanges              1


Interface Statistics (/stats/if)

Statistics Description

ifInOctets The total number of octets received on the interface, including framing characters.

ifInUcastPkts The number of packets, delivered by this sub-layer to a higher (sub-layer), which were not addressed to a multicast or broadcast address at this sub-layer.

ifInNUCastPkts The number of packets, delivered by this sub-layer to a higher (sub-layer), which were addressed to a multicast or broadcast address at this sub-layer. This object is deprecated in favor of ifInMulticastPkts and ifInBroadcastPkts.

ifInDiscards The number of inbound packets that were chosen to be discarded even though no errors had been detected to prevent their being delivered to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.

ifInErrors For packet-oriented interfaces, the number of inbound packets that contained errors preventing them from being delivered to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of inbound transmission units that contained errors preventing them from being deliverable to a higher-layer protocol.

ifInUnknownProtos For packet-oriented interfaces, the number of packets received via the interface which were discarded because of an unknown or unsupported protocol. For character-oriented or fixed-length interfaces which support protocol multiplexing, the number of transmission units received via the interface which were discarded because of an unknown or unsupported protocol. For any interface which does not support protocol multiplexing, this counter will always be 0.

ifOutOctets The total number of octets transmitted out of the interface, including framing characters.

ifOutUcastPkts The total number of packets that higher-level protocols requested to be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent.

Page 159: 24.0.0 Command Reference

ifOutNUcastPkts: The total number of packets that higher-level protocols requested to be transmitted, and which were addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent. This object is deprecated in favor of ifOutMulticastPkts and ifOutBroadcastPkts.

ifOutDiscards: The number of outbound packets, which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.

ifOutErrors: For packet-oriented interfaces, the number of outbound packets that could not be transmitted because of errors. For character-oriented or fixed-length interfaces, the number of outbound transmission units that could not be transmitted because of errors.

ifStateChanges: The number of times an interface has transitioned from either down to up or from up to down.

/stats/l3/tcp TCP Statistics

TCP statistics:
tcpRtoAlgorithm:   4         tcpRtoMin:         0
tcpRtoMax:         240000    tcpMaxConn:        1600
tcpActiveOpens:    0         tcpPassiveOpens:   0
tcpAttemptFails:   0         tcpEstabResets:    0
tcpInSegs:         0         tcpOutSegs:        0
tcpRetransSegs:    0         tcpInErrs:         0
tcpCurBuff:        0         tcpCurConn:        6
tcpCurInConn:      0         tcpCurOutConn:     0
tcpCurLstnConn:    3         tcpOutRsts:        0
tcpAllocTCBFails:  0

TCP Statistics (/stats/l3/tcp)

Statistics Description

tcpRtoAlgorithm: The algorithm used to determine the timeout value used for retransmitting unacknowledged octets.

Page 160: 24.0.0 Command Reference

tcpRtoMin: The minimum value permitted by a TCP implementation for the retransmission timeout, measured in milliseconds. More refined semantics for objects of this type depend upon the algorithm used to determine the retransmission timeout. In particular, when the timeout algorithm is rsre(3), an object of this type has the semantics of the LBOUND quantity described in RFC 793.

tcpRtoMax: The maximum value permitted by a TCP implementation for the retransmission timeout, measured in milliseconds. More refined semantics for objects of this type depend upon the algorithm used to determine the retransmission timeout. In particular, when the timeout algorithm is rsre(3), an object of this type has the semantics of the UBOUND quantity described in RFC 793.

tcpMaxConn: The limit on the total number of TCP connections the entity (the switch) can support. In entities where the maximum number of connections is dynamic, this object should contain the value -1.

tcpActiveOpens: The number of times TCP connections have made a direct transition to the SYN-SENT state from the CLOSED state.

tcpPassiveOpens: The number of times TCP connections have made a direct transition to the SYN-RCVD state from the LISTEN state.

tcpAttemptFails: The number of times TCP connections have made a direct transition to the CLOSED state from either the SYN-SENT state or the SYN-RCVD state, plus the number of times TCP connections have made a direct transition to the LISTEN state from the SYN-RCVD state.

tcpEstabResets: The number of times TCP connections have made a direct transition to the CLOSED state from either the ESTABLISHED state or the CLOSE-WAIT state.

tcpInSegs: The total number of segments received, including those received in error. This count includes segments received on currently established connections.

tcpOutSegs: The total number of segments sent, including those on current connections but excluding those containing only retransmitted octets.

tcpRetransSegs: The total number of segments retransmitted - that is, the number of TCP segments transmitted containing one or more previously transmitted octets.

Page 161: 24.0.0 Command Reference

tcpInErrs: The total number of segments received in error (for example, bad TCP checksums).

tcpCurBuff: The total number of outstanding memory allocations from heap by TCP protocol stack.

tcpCurConn: The total number of outstanding TCP sessions that are currently opened.

tcpCurInConn: The total number of remotely-initiated TCP connections.

tcpCurOutConn: The total number of switch-originated TCP connection requests.

tcpCurLstnConn: The total number of TCP ports on which the switch is listening.

tcpOutRsts: The number of TCP segments sent containing the RST flag.

tcpAllocTCBFails

/stats/l3/udp UDP Statistics

UDP statistics:
udpInDatagrams:  54    udpOutDatagrams:  43
udpInErrors:     0     udpNoPorts:       1578077

UDP Statistics (/stats/l3/udp)

Statistics Description

udpInDatagrams: The total number of UDP datagrams delivered to the switch.

udpOutDatagrams: The total number of UDP datagrams sent from this entity (the switch).

udpInErrors: The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.

udpNoPorts: The total number of received UDP datagrams for which there was no application at the destination port.

Page 162: 24.0.0 Command Reference

/stats/slb Server Load Balancing Statistics Menu

[Server Load Balancing Statistics Menu]
sp - SLB Switch SP Stats Menu
gslb - Global SLB Stats Menu
real - Show real server stats
group - Show real server group stats
virt - Show virtual server stats
filt - Show filter stats
layer7 - Show Layer 7 stats
ssl - Show SSL SLB stats
ftp - Show FTP SLB parsing and NAT stats
rtsp - Show RTSP SLB stats
dns - Show DNS SLB stats
wap - Show WAP SLB stats
maint - Show maintenance stats
sip - Show SIP SLB stats
wlm - Show Workload Manager SASP stats
mirror - Show Session mirroring stats
clear - Clear non-operational Server Load Balancing stats
aux - Show auxiliary session table stats
dump - Dump all SLB statistics

SLB Statistics Menu Options (/stats/slb)

Command Syntax and Usage

sp <SP number (1-4)>

Displays the server load balancing statistics menu. To view menu options, see "/stats/slb/sp Server Load Balancing SP statistics Menu" (page 165).

gslb

Displays the Global SLB Statistics menu. For more information, see "/stats/slb/gslb Global SLB Statistics Menu" (page 170).

real <real server number (1-1023)>

Displays the following real server statistics:

• Number of times the real server has failed its health checks

• Number of sessions currently open on the real server

• Total sessions the real server was assigned

• Highest number of simultaneous sessions recorded for each real server

• Real server transmit/receive octets

Page 163: 24.0.0 Command Reference

See "/stats/slb/real <real server number> Real Server SLB Statistics" (page 175) for sample output.

group <real server group number (1-1024)>

Displays the following real server group statistics:

• Current and total sessions for each real server in the real server group.

• Current and total sessions for all real servers associated with the real server group.

• Highest number of simultaneous sessions recorded for each real server.

• Real server transmit/receive octets. For per-service octet counters, see "Per Service Octet Counters" (page 175).

See "/stats/slb/Group <real server groups number> Real Server Group Statistics" (page 176) for sample output.

virt <virtual server number (1-1024)>

Displays the following virtual server statistics:

• Current and total sessions for each real server associated with the virtual server.

• Current and total sessions for all real servers associated with the virtual server.

• Highest number of simultaneous sessions recorded for each real server.

• Real server transmit/receive octets. For per-service octet counters, see "Per Service Octet Counters" (page 175).

See "/stats/slb/virt <virtual server number> Virtual Server SLB Statistics" (page 177) for sample output.

filt <filter ID (1-2048)>

Displays the total number of times any filter has been used. See "/stats/slb/filt <filter number> Filter SLB Statistics" (page 177) for sample output.

agslb

Page 164: 24.0.0 Command Reference

ftp

Displays FTP SLB parsing and NAT statistics. See "/stats/slb/ftp File Transfer Protocol SLB and Filter Statistics Menu" (page 183) for sample output.

rtsp

Displays RTSP SLB statistics. See "/stats/slb/rtsp RTSP SLB Statistics" (page 185) for sample output.

dns

Displays DNS SLB statistics. See "/stats/slb/dns DNS SLB Statistics" (page 186) for sample output.

wap

Displays WAP SLB statistics. See "/stats/slb/wap WAP SLB Statistics" (page 187) for sample output.

maint

Displays SLB maintenance statistics. See "/stats/bwm/maint BWM Maintenance Statistics" (page 201) for sample output.

sip

Displays SIP SLB statistics. See "/stats/slb/sip SIP SLB Statistics" (page 192) for sample output.

wlm Workload Manager number, 1-16 clear

Displays Workload Manager SASP statistics. See "/stats/slb/wlm wlm number Display Workload Manager SASP statistics" (page 193) for sample output.

mirror

Displays session mirroring statistics. See "/stats/slb/mirror Display Workload Manager SASP statistics" (page 193) for sample output.

clear [y|n]

Clears all non-operating SLB statistics on the Nortel Application Switch, resetting them to zero. This command does not reset the switch and does not affect the following counters:

• Counters required for Layer 4 and Layer 7 operation (such as current real server sessions).

• All related SNMP counters.

To view the statistics reset by this command, refer to "/stats/slb/wlm wlm number Display Workload Manager SASP statistics" (page 193).

aux

Displays auxiliary session table statistics.

Page 165: 24.0.0 Command Reference

dump

Dumps all switch SLB statistics. Use this command to gather data for tuning and debugging switch performance. To save dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump command.

/stats/slb/sp Server Load Balancing SP statistics Menu

[Server Load Balancing SP Statistics Menu]
real - Show real server stats
group - Show real server group stats
virt - Show virtual server stats
filt - Show filter stats
maint - Show maintenance stats
aux - Show auxiliary session table stats
clear - Clear SP stats

SP Statistics Menu options (/stats/slb/sp)

Command Syntax and Usage

real <real server number (1-1023)>

Displays real server statistics of the switch port. See "/stats/slb/sp/real <real server number> SP Real Server Statistics" (page 166) for a sample output.

group <real server group number (1-1024)>

Displays real server group statistics of the switch port. See "/stats/slb/sp <sp number> /group <real group server number> SP Real Group Server Statistics" (page 166) for a sample output.

virt <virtual server number (1-1024)>

Displays statistics of the virtual server. See "/stats/slb/sp <sp number> /virt <virtual server number> SP Virtual Server Statistics" (page 166) for a sample output.

filt <filter ID (1-2048)>

Displays statistics of the filter. See "/stats/slb/sp <sp number> /filt <filter number> SP Filter Statistics" (page 166) for a sample output.

maint

Displays the SP maintenance statistics. See "/stats/slb/sp <sp number> /maint SP Maintenance Statistics" (page 166) for a sample output.

aux

Displays the statistics of the auxiliary session table.

Page 166: 24.0.0 Command Reference

clear

Deletes all the SP statistics.

/stats/slb/sp/real <real server number> SP Real Server Statistics

Port 1 Real server 1 stats:
Current sessions: 3
Total sessions: 3
Octets: 24

/stats/slb/sp <sp number> /group <real group server number> SP Real Group Server Statistics

/stats/slb/sp <sp number> /virt <virtual server number> SP Virtual Server Statistics

/stats/slb/sp <sp number> /filt <filter number> SP Filter Statistics

SP 1 Filter 1 stats:
Total firings: 2

Page 167: 24.0.0 Command Reference

/stats/slb/sp <sp number> /maint SP Maintenance Statistics

SP 1 SLB Maintenance stats:
Maximum sessions: 524276
Current sessions: 0
4 second average: 0
64 second average: 0
Terminated sessions: 0
Allocation failures: 0
Non TCP/IP frames: 0
UDP datagrams: 0
Incorrect VIPs: 0
Incorrect Vports: 0
No available real server: 0
Filtered (denied) frames: 0
LAND attacks: 0
No TCP control bits: 0
Invalid reset packet drops: 0
Total IP fragment sessions: 0
IP fragment sessions: 0
IP fragment discards: 0
IP fragment table full: 0
IPF invalid lengths: 0
IPF Null Payloads: 0
Fragment Overlaps: 0
Duplicate fragments: 0

SYMANTEC MAINT STATISTICS:
Symantec Sessions: 0
Symantec Valid segments: 0
Symantec Fragment sessions: 0
Segment allocation fails: 0
Buffer allocation fails: 0
Connection allocation fails: 0
Invalid buffers: 0
Segment reallocation fails: 0

SYMANTEC INSPECTION STATISTICS
Packets in: 0
Packets with no data: 0
TCP packets: 0
UDP packets: 0
ICMP packets: 0
Other packets: 0
Match count: 0
Result Fetch errors: 0
Truncated payloads: 0
Packets in fastpath: 0

Page 168: 24.0.0 Command Reference

SP Maintenance Statistics (/stats/slb/sp/maint)

Statistic Description

Maximum sessions: The maximum number of simultaneous sessions supported.

Current Sessions: Number of session bindings currently in use (the last 4 and 64 seconds).

Terminated Sessions: Number of sessions removed from the session table because the server assigned to them failed and graceful server failure was not enabled.

Allocation Failures: Indicates instances where the Switch ran out of available sessions for a port.

UDP Datagrams: Indicates that the virtual server IP address and MAC are receiving UDP frames when UDP balancing is not turned on.

Non TCP/IP Frames: Indicates the number of non-IP based frames received by the virtual server.

Incorrect VIPs: Indicates the number of times the switch received a Layer 4 request for a virtual server which was not configured.

Incorrect Vports: This dropped frames counter indicates that the virtual server has received frames for TCP/UDP services that have not been configured. Normally this indicates a mis-configuration on the virtual server or the client, but it may be an indication of a potential security probing application like SATAN.

No Available Real Server: This dropped frames counter indicates that all real servers are either out of service or at their maxcon limit.

Backup Server Activations: This indicates the number of times a real server failure has occurred and caused a backup server to be brought online.

Overflow Server Activations: This indicates the number of times a real server has reached the maxcon limit and caused an overflow server to be brought online.

Page 169: 24.0.0 Command Reference

Filtered (Denied) Frames: This indicates the number of frames that were dropped because of one of the following reasons:

1. They matched an active filter with the deny action set.

2. There are no real servers (in the case of redirection filters.)

3. When there are no available session entries.

LAND attacks: This counter increases whenever a packet has the same source and destination IP addresses and ports.

No TCP Control Bits: The number of packets that were dropped because the packet had no control bits set in the TCP header.

Invalid reset packet drops: The number of packets that were dropped because the packet had an invalid reset flag set.

Total IP fragment sessions: This represents the total number of fragment sessions the switch has processed so far.

Current IP fragment sessions: This represents the current number of fragment sessions.

IP fragment discards: The number of fragmented packets that are discarded due to lack of resources.

IP fragment table full: This counter indicates how many times session table is full.

SYMANTEC MAINT STATISTICS

Symantec sessions: The number of sessions inspected by Symantec engine.

Symantec Valid segments: The number of packets inspected by Symantec engine.

Symantec Fragment sessions: The number of IP fragment sessions inspected by Symantec engine.

Segment allocation fails: The number of memory allocation failures for IP fragments.

Buffer allocation fails: Symantec stream buffer allocation failures.

Connection allocation fails: Symantec connection info allocation failures.

Invalid buffers: Invalid stream buffer errors.

Page 170: 24.0.0 Command Reference

Segment reallocation fails: Symantec stream buffer segment reallocation failures.

SYMANTEC INSPECTION STATISTICS

Packets in: Number of packets submitted for Symantec inspection.

Packets with no data: Number of packets with no data - no inspection needed.

TCP packets: Number of TCP packets submitted for Symantec inspection.

UDP packets: Number of UDP packets submitted for Symantec inspection.

ICMP packets: Number of ICMP packets submitted for Symantec inspection.

Other packets: Number of non TCP/UDP/ICMP packets for Symantec inspection.

Match count: Number of Symantec signature matches.

Result Fetch errors: Number of Symantec signature match info fetch errors.

Truncated payloads: Number of truncated Symantec match info reported to MP.

Packets in fastpath: Number of packets assigned with Symantec BWM contracts.
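The SP maintenance counters above are running totals, so one way to use them for monitoring is to compare two captures of the /stats/slb/sp <sp number> /maint output and report which security-relevant counters grew. The Python below is an added example, not part of the Nortel reference or the switch software; it assumes one "name: value" counter per line as in the sample output, the two captures are constructed, and a counter that went down is treated as having been cleared between captures.

```python
import re

# Counters from the SP maintenance table whose growth deserves a look; the
# reasons paraphrase the descriptions given in the table.
WATCHED = {
    "LAND attacks": "packets with the same source and destination IP address and port",
    "Incorrect Vports": "frames for TCP/UDP services not configured on the virtual server",
    "Incorrect VIPs": "Layer 4 requests for a virtual server that is not configured",
    "No TCP control bits": "packets dropped with no control bits set in the TCP header",
    "Invalid reset packet drops": "packets dropped for an invalid reset flag",
    "IP fragment discards": "fragmented packets discarded for lack of resources",
    "Allocation failures": "switch ran out of available sessions for a port",
}

HEADER = re.compile(r"^SP\s+(\d+)\s+SLB Maintenance stats:$", re.IGNORECASE)
COUNTER = re.compile(r"^(.+?):\s*(\d+)$")


def parse_sp_maint(capture):
    """Return {sp_number: {lowercased counter name: value}} from captured CLI text."""
    stats, current = {}, None
    for raw in capture.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = stats.setdefault(int(header.group(1)), {})
            continue
        counter = COUNTER.match(line)
        if counter and current is not None:
            current[counter.group(1).strip().lower()] = int(counter.group(2))
    return stats


def counter_delta(previous, current):
    """Growth between two readings. A lower current value means the statistics
    were cleared in between, so the current reading is the growth since then."""
    return current - previous if current >= previous else current


def flag_increases(before, after):
    """List (sp, counter, growth, reason) for every watched counter that grew."""
    findings = []
    for sp, counters in sorted(after.items()):
        baseline = before.get(sp, {})
        for name, reason in WATCHED.items():
            key = name.lower()
            if key not in counters:
                continue
            grew = counter_delta(baseline.get(key, 0), counters[key])
            if grew > 0:
                findings.append((sp, name, grew, reason))
    return findings


# Constructed captures (not real device output), shortened to a few counters.
BEFORE = """\
SP 1 SLB Maintenance stats:
Maximum sessions: 524276
Current sessions: 0
4 second average: 0
64 second average: 0
Allocation failures: 0
Incorrect VIPs: 2
Incorrect Vports: 10
LAND attacks: 0
No TCP control bits: 5
Invalid reset packet drops: 0
IP fragment discards: 0
SP 2 SLB Maintenance stats:
Maximum sessions: 524276
Incorrect Vports: 900
LAND attacks: 40
"""

AFTER = """\
SP 1 SLB Maintenance stats:
Maximum sessions: 524276
Current sessions: 12
4 second average: 3
64 second average: 1
Allocation failures: 0
Incorrect VIPs: 2
Incorrect Vports: 460
LAND attacks: 7
No TCP control bits: 5
Invalid reset packet drops: 0
IP fragment discards: 0
SP 2 SLB Maintenance stats:
Maximum sessions: 524276
Incorrect Vports: 15
LAND attacks: 0
"""

if __name__ == "__main__":
    for sp, name, grew, reason in flag_increases(parse_sp_maint(BEFORE), parse_sp_maint(AFTER)):
        print(f"SP {sp}: {name} +{grew} ({reason})")
```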

/stats/slb/gslb Global SLB Statistics Menu

Global SLB Statistics Menu Options (/stats/slb/gslb)

Command Syntax and Usage

real <real server number (1-1023)>

Page 171: 24.0.0 Command Reference

Where the real server number represents the real server ID on this switch, under which the remote server is configured.

To view an example and description of what is displayed on-screen, see "/stats/slb/real <real server number> Real Server SLB Statistics" (page 175).

virt <virtual server number (1-1024)>

To view an example and description of what is displayed on-screen, see "/stats/slb/gslb/virt <virtual server number> Virtual Server Global SLB Statistics" (page 172).

site <remote site, 1-64>

Displays Global SLB statistics for the remote site. To view an example, see "/stats/slb/gslb/site Global SLB Site Statistics" (page 173).

network <network, 1-64>

Displays Global SLB statistics for the network.

rule <rule, 1-64>

Displays Global SLB statistics for the rule.

pers

Displays Global SLB DNS persistence cache statistics.

geo

Displays Global SLB statistics for the geographical preference.

maint

To view an example and description of Global SLB maintenance statistics, see Undefined Resource.

clear

Deletes all Global SLB statistics.

dump

Displays all Global SLB statistics.

/stats/slb/gslb/real <real server number> Real Server Global SLB Statistics

Real server 1 global stats:
DNS directs: 3210
HTTP redirects: 12

For any remote real server configured for Global Server Load Balancing, the following statistics can be viewed:

• Number of DNS responses directed to the remote real server

Page 172: 24.0.0 Command Reference

• Number of HTTP redirects to the remote real server

/stats/slb/gslb/virt <virtual server number> Virtual Server Global SLB Statistics

---------------------------------------------------------
Global SLB virtual server 1 stats:
Global SLB virtual server 2 http service stats:
Domain: gslb.foocorp.com
Server IP address      Site DNS directs HTTP redirects preemptions
------ --------------- ---- ----------- -------------- -----------
v2     200.200.200.1        0           0              2
r4     200.200.200.21  2    0           0              -
r5     200.200.200.41  3    0           0              -
r6     200.200.200.61  4    0           0              -
------ --------------- ---- ----------- -------------- -----------
Totals                      0           0              2
------ --------------- ---- ----------- -------------- -----------

Virtual Server Global SLB Statistics (/stats/slb/gslb/virt)

Field Description

Server: Type of server configuration and server ID number.

• v# represents a local virtual server number

• r# represents a remote site. Since each remote site is configured on its peers as if it were a real server (with certain special properties), the number represents the real server ID on this switch, under which the remote server is configured.

IP Address: IP address of the server.

Site: The remote site number.

DNS directs: The number of DNS responses that return the IP address of the corresponding server.

HTTP redirects: The number of HTTP requests redirected to the corresponding server.

preemptions: The number of times this server has been preempted due to failover preemption. That is to say, the number of times this device has failed and was preempted from regaining the sessions it previously owned.

Page 173: 24.0.0 Command Reference

/stats/slb/gslb/site Global SLB Site Statistics

Global SLB remote site 1 stats:
Bad remote site packets received: 386
DSSPv1 remote site updates sent: 0
DSSPv1 remote site updates received: 0
DSSPv2 remote site updates sent: 768
DSSPv2 remote site updates received: 348

Global SLB Site Statistics Parameters (/stats/slb/gslb/site)

Field Description

Bad remote site packets received: The number of bad packets received from remote site.

DSSPv1 remote site updates sent: The number of remote site updates sent using DSSP version 1.

DSSPv1 remote site updates received: The number of remote site updates received using DSSP version 1.

DSSPv2 remote site updates sent: The number of remote site updates sent using DSSP version 2.

DSSPv2 remote site updates received: The number of remote site updates received using DSSP version 2.

/stats/slb/gslb/maint Global SLB Maintenance Statistics

Global SLB maintenance stats:
Bad remote site packets received: 0
DSSPv1 remote site updates sent: 0
DSSPv1 remote site updates received: 0
DSSPv2 remote site updates sent: 127746
DSSPv2 remote site updates received: 85164
DNS queries received: 0
Bad DNS queries received: 0
DNS responses sent: 0
HTTP requests received: 0
Bad HTTP requests received: 0
HTTP responses sent: 0
Hostname domain hits: 0
Network domain hits: 0
Basic domain hits: 0
No server selected for hostname domain: 0
No server selected for network domain: 0
No server selected for basic domain: 0
No matching domain: 0
Last no result domain:
Last source IP: 0.0.0.0

Page 174: 24.0.0 Command Reference

Global SLB Maintenance Statistics (/stats/slb/gslb/maint)

Field Description

Bad remote site packets received: The number of bad packets received from the remote site. Bad updates or dropped packets usually indicate that there is a configuration problem at local or remote GSLB switches. If bad updates or dropped packets occur, check your syslog for configuration error messages.

DSSPv1 remote site updates sent: The number of Distributed Site State Protocol (DSSP) version one updates/packets sent to the remote sites.

DSSPv1 remote site updates received: The number of Distributed Site State Protocol (DSSP) version one updates/packets received from the remote sites.

DSSPv2 remote site updates sent: The number of Distributed Site State Protocol (DSSP) version two updates/packets sent to the remote sites.

DSSPv2 remote site updates received: The number of Distributed Site State Protocol (DSSP) version two updates/packets received from the remote sites.

DNS queries received: The number of DNS queries received.

Bad DNS queries received: The number of bad DNS queries received.

DNS responses sent: The number of DNS responses sent by the switch that includes DNS directs and DNS error responses.

HTTP requests received: The number of HTTP requests received.

Bad HTTP requests received: The number of bad/dropped client HTTP requests. Client HTTP GET request packets that do not contain the entire URL are considered bad and are dropped.

HTTP responses sent: The number of HTTP responses sent by the switch that includes HTTP redirects.

Hostname domain hits: The number of times the DNS queries received matched for the hostname configured.

Network domain hits: The number of times the DNS queries received matched for the network domain name configured.

Basic domain hits: The number of times the DNS queries received matched for the basic domain name configured.

Page 175: 24.0.0 Command Reference

No server selected for hostname domain: The number of times no server was selected after matching the host name domain.

No server selected for network domain: The number of times no server was selected after matching the network domain name.

No server selected for basic domain: The number of times no server was selected after matching the basic domain name.

No matching domain: The number of times the DNS queries received did not match the host name, domain name, or the network domain configured.

Last no result domain: The domain in the last DNS query received that did not match the host name, domain name, or the network domain configured.

Last source IP: The source IP address of the last DNS query or HTTP request received.

/stats/slb/real <real server number> Real Server SLB Statistics

Real server 1 stats:
Current sessions: 129
Total sessions: 65478
Highest sessions: 4343
Octets 523824000

Note: Octets are provided per server, not per service, unless configured as described in "Per Service Octet Counters" (page 175).

Real Server SLB Statistics (/stats/slb/real)

Statistics Description

Current sessions: The total number of outstanding sessions that are established to the particular real server.

Total sessions: The total number of sessions that have been established to the particular real server.

Highest sessions: The highest number of sessions ever recorded for the particular real server.

Octets: The total number of octets sent by the particular real server.

Per Service Octet Counters

For each load-balanced real server, the octet counters represent the combined number of transmit and receive bytes (octets). These counters are then added to report the total octets for each virtual server.

Page 176: 24.0.0 Command Reference

The octet counters are provided per server, not per service. If you need octet counters on a per-service basis, you can accomplish this through the following configuration:

1. Configure a separate IP address for each service on each server being load balanced.

For instance, you can configure IP address 10.1.1.20 for HTTP services, and 10.1.1.21 for FTP services on the same physical server.

2. On the Nortel Application Switch, configure a real server with a real IP address for each service above.

Continuing the example above, two real servers would be configured for the physical server (representing each real service). If there were five physical servers providing the two services (HTTP and FTP), 10 real servers would have to be configured: five for the HTTP services on each physical server, and five for the FTP services on each physical server.

3. On the Nortel Application Switch, configure one real server group for each type of service, and group each appropriate real server IP address into the group that handles the specific service.

Thus, in keeping with our example, two groups would be configured: one for handling HTTP and one for handling FTP.

4. Configure a virtual server and add the appropriate services to that virtual server.

/stats/slb/Group <real server groups number> Real Server Group Statistics

Real server group statistics include the following:

• Current and total sessions for each real server in the real server group.

• Current and total sessions for all real servers associated with the real server group.

• Highest number of simultaneous sessions recorded for each real server.

• Real server transmit/receive octets. For per-service octet counters, see the procedure on "Per Service Octet Counters" (page 175).

Page 177: 24.0.0 Command Reference

/stats/slb/virt <virtual server number> Virtual Server SLB Statistics

Note: The virtual server IP address is shown on the last line, below the real server IP addresses.

Virtual server statistics include the following:

• Current and total sessions for each real server associated with the virtual server.

• Current and total sessions for all real servers associated with the virtual server.

• Highest number of simultaneous sessions recorded for each real server.

• Real server transmit/receive octets. For per-service octet counters, see "Per Service Octet Counters" (page 175).

/stats/slb/filt <filter number> Filter SLB Statistics

Filter 1 stats:
Total firings: 1011

You can obtain the total number of times any filter has been matched.

/stats/slb/layer7 SLB Layer7 Statistics Menu

[Layer 7 Statistics Menu]
redir - Show URL Redirection stats
str - Show SLB String stats
maint - Show Layer 7 Maintenance stats
pooling - Show connection pooling stats

SLB Layer 7 Statistics Menu Options (/stats/slb/layer7)

Command Syntax & Usage

redir


Displays URL Redirection statistics. See "/stats/slb/layer7/redir Layer 7 Redirection Statistics" (page 178) for a sample output.

str

Displays SLB string statistics. See "/stats/slb/layer7/str Layer 7 SLB String Statistics" (page 179) for a sample output.

maint

Displays Layer 7 maintenance statistics. See "/stats/slb/layer7/maint Layer 7 SLB Maintenance Statistics" (page 179) for a sample output.

pooling

Displays the connection pooling statistics. See "/stats/slb/layer7/maint Layer 7 SLB Maintenance Statistics" (page 179) for a sample output.

/stats/slb/layer7/redir Layer 7 Redirection Statistics

Total URL based web cache redirection stats:
Total cache server hits: 0
Total origin server hits: 0
Total straight to origin server hits: 0
Total none-GETs hits: 0
Total ’Cookie: ’ hits: 0
Total no-cache hits: 0
Total RTSP cache server hits: 0
Total RTSP origin server hits: 0
Total HTTP redirection hits: 0

Layer 7 Redirection Statistics (/stats/slb/layer7/redir)

Statistics Description

Total cache server hits

The total number of HTTP requests redirected to the cache server.

Total origin server hits

The total number of HTTP requests forwarded to the origin server.

Total straight to origin server hits

The total number of HTTP requests forwarded straight to the origin server.

Total none-GETs hits

The total number of non-GET requests forwarded to the origin server.

Total ’Cookie:’ hits

The total number of cookie requests forwarded to the origin server.

Total no-cache hits

The total number of requests containing a no-cache header forwarded to the origin server.


Total RTSP cache server hits

The total number of RTSP requests redirected to the cache server.

Total RTSP origin server hits

The total number of RTSP requests forwarded to the origin server.

Total HTTP redirection hits

The total number of HTTP requests that were redirected by a redirection filter.

/stats/slb/layer7/str Layer 7 SLB String Statistics

SLB String stats:
ID SLB String                 Hits
1  any                        1527115
2  www.[abcdefghijklm]*.com   0
3  www.[nopqrstuvwxyz]*.com   0
4  www.junk.com               0
5  www.abc.com                0
6  www.[abcdefjhijklm]*.org   0
7  www.[nopqrstuvwxyz]*.org   0

Layer 7 SLB String Statistics (/stats/slb/layer7/str)

Statistics Description

ID SLB String

The user-defined strings being used in URL matching.

Hits

The total number of instances that are load-balanced due to matching of the particular URL ID.

/stats/slb/layer7/maint


Layer 7 SLB Maintenance Statistics

SLB Layer 7 Maintenance Statistics (/stats/slb/layer7/maint)

Statistics Description

Clients reset by switch on client side

The number of reset frames sent to the client by the switch during server connection termination. This means that when the switch could not connect to the real server and the client’s retries exceeded the threshold due to delayed binding, the switch will send a reset frame to the client to terminate the connection.

Clients reset by switch on server side

The number of reset frames sent to the server by the switch during server connection termination due to delayed binding.

Connection Splicing to support HTTP/1.1

The total number of connection swaps between different real servers in supporting multiple HTTP/1.1 client requests.

Invalid HTTP methods

The total number of HTTP requests that contain invalid methods sent by the client.

Aged delayed binding sessions

The total number of aged delayed binding sessions caused by failed connection initialization between the switch and the server.


Half open connections

The total number of outstanding TCP connections that are half open. It is incremented when the switch responds to a TCP SYN packet and decremented upon receiving the TCP SYN ACK packet from the requester.

Switch retries

The total number of switch retries to connect to the real server.

Random early drops

The total number of SYN frames dropped when the buffer is low.

Requests exceeded 4500 bytes

The total number of GET requests that exceeded 4500 bytes.

Invalid 3-way handshakes

The total number of frames dropped because of invalid 3-way handshakes.

Exceeded max frame size

The total number of switch-generated frames that exceeded the maximum allowed frame size.

Out of order packet drops:

The total number of TCP packets dropped because they were received out of order.

Current SP memory units

The currently available SP memory units.

Current SEQ buffer entries

The number of outstanding sequence buffers used.

Highest SEQ buffer entries

The highest number of sequence buffers ever used.

Current Data buffer use

The number of outstanding data buffers used.

Highest Data buffer use

The highest number of data buffers ever used.

Total Nonzero SEQ Alloc

The total number of sequence buffers allocated.

Total SEQ Buffer Allocs

The total number of sequence buffer allocations.

Total SEQ Frees

The total number of sequence buffers freed.

Total Data Buffer Allocs

The total number of buffers allocated to store client requests.

Total Data Frees

The total number of buffers freed.

Alloc Fails - Seq buffers

The number of times sequence buffer allocation failed.

Alloc Fails - Ubufs

The number of times the URL data buffer allocation failed.


Max sessions per bucket

The maximum number of items (sessions) allowed in the session table hash bucket chain.

Max frames per session

The maximum number of frames to be buffered per session.

Max bytes buffered (sess)

The maximum number of bytes to be buffered per session.

/stats/slb/layer7/pooling Layer7 Pooling Statistics

/stats/slb/ssl SLB Secure Socket Layer Statistics

SSL SLB maintenance stats:
SessionId allocation fails: 0
Total number of SSL ID reassignments: 0

                          Current  Total      Highest
                          Sessions Sessions   Sessions
------------------------- -------- ---------- --------
Unique SessionIds                0          0        0
SSL connections                  0          0        0
Persistent Port Sessions         0          0        0

SLB Secure Socket Layer Statistics (/stats/slb/ssl)

Statistics Description

SSL SLB maintenance stats

Debug stats for SSL SessionId based persistence.

SessionId allocation fails

The number of times allocation of a session table entry failed when attempting to store a SessionId in the table.

Total number of SSL ID reassignments

The table shows the Current Sessions, the total sessions seen on the switch since last reset and the high water mark of current sessions for the following:


Unique SessionIds

Many SSL sessions can use the same SessionId; these should all bind to the same server. This number shows the number of unique SSL sessions seen on the switch.

SSL connections

The number of different TCP connections using SSL service.

Persistent Port Sessions

The number of SessionIds maintained to allow for persistence across different client ports.

/stats/slb/ftp File Transfer Protocol SLB and Filter Statistics Menu

[FTP SLB parsing and Filter Statistics Menu]
active - Show active FTP NAT filter stats
parsing - Show FTP SLB parsing server stats
maint - Show FTP maintenance stats
dump - Dump all FTP SLB/NAT stats

FTP SLB Parsing and Filter Statistics Menu Options (/stats/slb/ftp)

Command Syntax and Usage

active

Shows active FTP SLB parsing and filter statistics. See "/stats/slb/ftp/active Active FTP SLB Parsing and Filter Statistics" (page 183) for sample output.

parsing

Shows parsing statistics. See "/stats/slb/ftp/parsing Passive FTP SLB Parsing Statistics" (page 184) for sample output.

maint

Shows maintenance statistics. See "/stats/slb/ftp/maint FTP SLB Maintenance Statistics" (page 184) for sample output.

dump

Shows all FTP SLB/NAT statistics. See "/stats/slb/ftp/dump FTP SLB Statistics Dump" (page 184).

/stats/slb/ftp/active Active FTP SLB Parsing and Filter Statistics

Total Active FTP NAT stats(PORT):
Total FTP: 0
Total New Active FTP Index: 0
Active FTP NAT ACK/SEQ diff: 0


Active FTP SLB Parsing and Filter Statistics (/stats/slb/ftp/active)

Statistics Description

Total Active FTP NAT stats (PORT)

The number of times the switch receives the port command from the client.

Total FTP

The number of times the switch receives both active and passive FTP connections.

Total New Active FTP Index

The number of times the switch creates a new index due to port command from the client.

Active FTP NAT ACK/SEQ diff

The difference in the numbers of ACK and SEQ that the switch needs for packet adjustment.

/stats/slb/ftp/parsing Passive FTP SLB Parsing Statistics

Total FTP SLB Parsing Stats(PASV):
Total FTP: 0
Total New FTP SLB parsing Index: 0
FTP SLB parsing ACK/SEQ diff: 0

Passive FTP SLB Parsing Statistics (/stats/slb/ftp/parsing)

Statistics Description

Total FTP

The number of times the switch receives both active and passive FTP connections.

Total New FTP SLB parsing Index

The number of times the switch creates a new index in response to the pasv command from the client.

FTP SLB parsing ACK/SEQ diff

The difference in the numbers of ACK and SEQ that the switch needs for FTP SLB parsing.

/stats/slb/ftp/maint FTP SLB Maintenance Statistics

FTP mode switch error: 0

FTP SLB Maintenance Statistics (/stats/slb/ftp/maint)

Statistics Description

FTP mode switch error

The number of times the switch is not able to switch modes from active to passive and vice versa.

/stats/slb/ftp/dump


FTP SLB Statistics Dump

Total FTP : 0
Total FTP NAT Filtered: 0
Total new active FTP NAT Index: 0
Total new FTP SLB parsing Index: 0
FTP Active FTP NAT ACK/SEQ diff: 0
FTP SLB parsing ACK/SEQ diff: 0
FTP mode switch error: 0

FTP SLB Statistics Dump (/stats/slb/ftp/dump)

Statistics Description

Total FTP

The total number of FTP sessions that occurred.

Total FTP NAT Filtered

The total number of FTP NAT filter sessions that occurred.

Total new active FTP NAT Index

The total number of new data sessions created for FTP NAT filter in active mode.

Total new FTP SLB parsing Index

The number of times the switch creates a new index in response to the pasv command from the client.

FTP Active FTP NAT ACK/SEQ diff

The total number of times the adjustment between ACK and SEQ occurred on the filter.

FTP SLB parsing ACK/SEQ diff

The difference in the numbers of ACK and SEQ that the switch needs for FTP SLB parsing.

FTP mode switch error

The number of times the switch could not switch mode from active to passive and vice versa.

/stats/slb/rtsp RTSP SLB Statistics

RTSP SLB Statistics (/stats/slb/rtsp)

Statistics Description

ControlConnection

The total number of TCP connections for RTSP control connection.


UDP Streams

The total number of UDP connections for data channels. The number depends upon the type of media player being used.

Redirect

The total number of times the connection got redirected.

ConnectionDenied

The total number of times the connections got denied due to shortage of resources or the real server being down.

BufferAllocs

The total number of buffer allocations used.

AllocFailures

The total number of times the buffer allocation failed.

/stats/slb/dns DNS SLB Statistics

Total number of TCP DNS queries: 0
Total number of UDP DNS queries: 0
Total number of invalid DNS queries: 0
Total number of multiple DNS queries: 0
Total number of domain name parse errors: 0
Total number of failed real server name matches: 0
Total number of DNS parsing internal errors: 0

DNS SLB Statistics (/stats/slb/dns)

Statistics Description

Total number of TCP DNS queries

The total number of DNS queries that were received through TCP connections.

Total number of UDP DNS queries

The total number of DNS queries received through UDP requests.

Total number of invalid DNS queries

The total number of malformed DNS queries received.

Total number of multiple DNS queries

The total number of DNS queries that contain more than one domain name to be resolved. Currently only one domain name resolution per request is supported.

Total number of domain name parse errors

The total number of DNS queries that have short or invalid domain names to be resolved.


Total number of failed real server name matches

The total number of times the user failed to find a real server which has the same layer 7 strings that match the domain name to be resolved.

Total number of DNS parsing internal errors

The total number of out of memory and other unexpected errors the user gets while processing the DNS query.

/stats/slb/wap WAP SLB Statistics

This command displays all the RADIUS and WAP-related counters.

WAP SLB Statistics (/stats/slb/wap)

Statistics Description

WAP Maintenance stats:

current sessions

The number of session bindings currently in use.

allocation failures

Indicates instances where the switch ran out of available bindings for a port.

incorrect VIPs

Indicates the number of times the switch received a Layer 4 request for a virtual server which was not configured.

incorrect Vports

This dropped frames counter indicates that the virtual server has received frames for TCP/UDP services that have not been configured. Normally this indicates a mis-configuration on the virtual server or the client.


no available real server

This dropped frames counter indicates that all real servers are either out of service or at their maxcon limit.

requests to wrong SP

The number of session add/delete requests sent to the wrong SP.

TPCP External Notification stats:

add session reqs

The number of WAP session add requests via TPCP.

req fails- SP dead

The number of add-request failures due to dead target SP.

RADIUS Snooping stats:

acct reqs

The number of RADIUS Accounting frames received.

acct wrap reqs

The number of wrapped RADIUS Accounting frames received.

acct start reqs

The number of RADIUS Accounting Start frames received.

acct update reqs

The number of RADIUS Accounting Update frames.

acct stop reqs

The number of RADIUS Accounting Stop frames received.

acct bad reqs

The number of bad RADIUS Accounting frames received.

add session reqs

The number of WAP session add requests via RADIUS snooping.

del session reqs

The number of WAP session delete requests via RADIUS snooping.

req fails- SP dead

The number of add/delete request failures due to dead target SP.

req fails- DMA

The number of add/delete requests failed due to DMA write failure.

/stats/slb/maint


SLB Maintenance Statistics

SLB Maintenance stats:
Maximum sessions: 2097104
Current sessions: 0
4 second average: 0
64 second average: 0
Terminated sessions: 0
Allocation failures: 0
UDP datagrams: 0
Non TCP/IP frames: 0
Incorrect VIPs: 0
Incorrect Vports: 0
No available real server: 0
Backup server activations: 0
Overflow server activations: 0
Filtered (denied) frames: 0
LAND attacks: 0
No TCP control bits: 0
Invalid reset packet drops: 0
Total IP fragment sessions: 0
Current IP fragment sessions 0
IP fragment discards: 0
IP fragment table full: 0
Current IPF buffer sessions: 0
Highest IPF buffer sessions: 0
IPF buffer alloc fails: 0
IPF SP buffer alloc fails: 0
SP buffer too low: 0
Exceeded 16 OOO packets: 0
Free Service pool entries: 8192
Current IP6 sessions: 0
Incorrect IP6 VIPs: 0
Incorrect IP6 Vports: 0
IP6 packets drops: 0

SYMANTEC MAINT STATISTICS:
Symantec sessions: 0
Symantec segments: 0
Symantec Fragment sessions: 0
Segment allocation fails: 0
Buffer allocation fails: 0
Connection allocation fails: 0
Invalid buffers: 0
Segment reallocation fails: 0
SYMANTEC INSPECTION STATISTICS
Packets in: 0
Packets with no data: 0
TCP packets: 0
UDP packets: 0
ICMP packets: 0


packets not TCP, UDP or ICMP: 0
Symantec Match count: 0
Fetch errors: 0
Truncated payload to MP: 0
Packets in fast path: 0

SLB Maintenance statistics are described in the following table.

Server Load Balancing Maintenance Statistics (/stats/slb/maint)

Statistic Description

Maximum sessions

The maximum number of simultaneous sessions supported.

Current Sessions

Number of session bindings currently in use (the last 4 and 64 seconds).

Terminated Sessions

Number of sessions removed from the session table because the server assigned to them failed and graceful server failure was not enabled.

Allocation Failures

Indicates instances where the Switch ran out of available sessions for a port.

UDP Datagrams

Indicates that the virtual server IP address and MAC are receiving UDP frames when UDP balancing is not turned on.

Non TCP/IP Frames

Indicates the number of non-IP based frames received by the virtual server.

Incorrect VIPs

Indicates the number of times the switch received a Layer 4 request for a virtual server which was not configured.

Incorrect Vports

This dropped frames counter indicates that the virtual server has received frames for TCP/UDP services that have not been configured. Normally this indicates a mis-configuration on the virtual server or the client, but it may be an indication of a potential security probing application like SATAN.

No Available Real Server

This dropped frames counter indicates that all real servers are either out of service or at their maxcon limit.

Backup Server Activations

This indicates the number of times a real server failure has occurred and caused a backup server to be brought online.

Overflow Server Activations

This indicates the number of times a real server has reached the maxcon limit and caused an overflow server to be brought online.


Filtered (Denied) Frames

This indicates the number of frames that were dropped because they matched an active filter with the deny action set.

LAND attacks

This counter increases whenever a packet has the same source and destination IP addresses and ports.

No TCP Control Bits

The number of packets that were dropped because the packet had no control bits set in the TCP header.

Invalid reset packet drops

The number of packets that were dropped because the packet had an invalid reset flag set.

Total IP fragment sessions

This represents the total number of fragment sessions the switch has processed so far.

Current IP fragment sessions

This represents the current number of fragment sessions.

IP fragment discards

The number of fragmented packets that are discarded due to lack of resources.

IP fragment table full

This counter indicates how many times the session table is full.

Free service pool entries

This counter indicates the number of free service pool entries.

SYMANTEC MAINT STATISTICS

Symantec sessions

The number of sessions inspected by the Symantec engine.

Symantec segments

The number of packets inspected by the Symantec engine.

Symantec Fragment sessions

The number of IP fragment sessions inspected by the Symantec engine.

Segment allocation fails

The number of memory allocation failures for IP fragments.

Buffer allocation fails

Symantec stream buffer allocation failures.

Connection allocation fails

Symantec connection info allocation failures.

Invalid buffers

Invalid stream buffer errors.

Segment reallocation fails

Symantec stream buffer segment reallocation failures.

SYMANTEC INSPECTION STATISTICS

Packets in

Number of packets submitted for Symantec inspection.


Packets with no data

Number of packets with no data - no inspection needed.

TCP packets

Number of TCP packets submitted for Symantec inspection.

UDP packets

Number of UDP packets submitted for Symantec inspection.

ICMP packets

Number of ICMP packets submitted for Symantec inspection.

packets not TCP, UDP or ICMP

Number of non TCP/UDP/ICMP packets for Symantec inspection.

Symantec Match count

Number of Symantec signature matches.

Fetch errors

Number of Symantec signature match info fetch errors.

Truncated payload to MP

Number of truncated Symantec match info reported to MP.

Packets in fast path

Number of packets assigned with Symantec BWM contracts.
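
The counters in the /stats/slb/maint table accumulate, so monitoring them means comparing successive polls. The following is an added example, not part of the Nortel documentation: it parses saved /stats/slb/maint output and reports growth in a hand-picked set of drop and attack counters. The function names, the watchlist and the two sample snapshots are constructed for illustration, and it assumes counters only fall when statistics are cleared or the switch restarts.

```python
import re

# Counters from the /stats/slb/maint table whose growth the reference ties to
# dropped, malformed or unexpected traffic, or to exhausted resources.
# Which counters to watch is this example's choice; notes paraphrase the table.
WATCHLIST = {
    "land attacks": "same source and destination IP address and port",
    "incorrect vports": "frames for unconfigured TCP/UDP services "
                        "(misconfiguration or probing)",
    "incorrect vips": "Layer 4 requests for an unconfigured virtual server",
    "no tcp control bits": "dropped, no control bits set in the TCP header",
    "invalid reset packet drops": "dropped, invalid reset flag",
    "ip fragment discards": "fragments discarded for lack of resources",
    "allocation failures": "no sessions left for a port",
    "no available real server": "all real servers down or at maxcon",
    "filtered (denied) frames": "matched a filter with the deny action",
}

# Matches "Name: 123" and also "Name 123": the reference's own sample prints
# "Current IP fragment sessions 0" without a colon.
COUNTER_RE = re.compile(r"^\s*(?P<name>.+?)\s*:?\s+(?P<value>\d+)\s*$")


def parse_maint(text):
    """Return {lower-cased counter name: int} from /stats/slb/maint output."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:  # headings, rules and blank lines do not match and are skipped
            counters[m.group("name").lower()] = int(m.group("value"))
    return counters


def flag_deltas(previous, current):
    """Compare two snapshots; return [(name, increase, note)] for the watchlist.

    Only growth between polls is reported. A value lower than the previous
    one is assumed to mean the statistics were cleared or the switch
    restarted; the current value is then taken as the increase.
    """
    findings = []
    for name, note in WATCHLIST.items():
        if name not in current:
            continue
        before = previous.get(name, 0)
        now = current[name]
        increase = now - before if now >= before else now
        if increase > 0:
            findings.append((name, increase, note))
    return sorted(findings, key=lambda f: f[1], reverse=True)


# Constructed sample snapshots in the layout of the reference's sample output.
SNAPSHOT_T0 = """\
SLB Maintenance stats:
Maximum sessions:            2097104
Current sessions:            120
 4 second average:           118
64 second average:           110
Allocation failures:         0
Incorrect VIPs:              2
Incorrect Vports:            15
Filtered (denied) frames:    900
LAND attacks:                0
No TCP control bits:         0
Invalid reset packet drops:  1
Current IP fragment sessions 0
IP fragment discards:        0
"""

SNAPSHOT_T1 = """\
SLB Maintenance stats:
Maximum sessions:            2097104
Current sessions:            4310
 4 second average:           4200
64 second average:           2950
Allocation failures:         0
Incorrect VIPs:              2
Incorrect Vports:            355
Filtered (denied) frames:    940
LAND attacks:                12
No TCP control bits:         5
Invalid reset packet drops:  1
Current IP fragment sessions 3
IP fragment discards:        0
"""

if __name__ == "__main__":
    t0, t1 = parse_maint(SNAPSHOT_T0), parse_maint(SNAPSHOT_T1)
    for name, increase, note in flag_deltas(t0, t1):
        print(f"{name}: +{increase} ({note})")
```
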

/stats/slb/sip SIP SLB Statistics

SIP SLB Statistics (/stats/slb/sip)

Statistics Description

Total number of SIP Client Parse Errors

The total number of errors encountered during client processing when parsing an incoming SIP packet.

Total number of SIP Server Parse Errors

The total number of errors encountered during server processing when parsing an incoming SIP packet.

Total number of SIP Unknown Method packets

Total number of packets received with methods not known to the SIP parser on the switch.

Total number of SIP Incomplete Messages

Total number of packets received which do not have the complete SIP message in a single packet.


Total number of SIP Filter Parse Errors

Total number of errors encountered during filter processing when parsing an incoming SIP packet.

Total number of packets with SIP SDP NAT

Total number of packets received that have SIP SDP NAT information.

/stats/slb/wlm <wlm number> Display Workload Manager SASP statistics

SLB WorkLoad Manager SASP (/stats/slb/wlm)

Server Load Balancing Statistics# /st/sl/wlm 1
-----------------------------------------------------------
Workload Manager 1 Statistics:
Registration Requests: 1
Registration Replies: 1
Registration Reply Errors: 0

Deregisteration Requests: 1
Deregisteration Replies: 1
Deregisteration Reply Errors: 0

Set LB State Requests: 1
Set LB State Replies: 1
Set LB State Reply Errors: 0

Set Member State Requests: 0
Set Member State Replies: 0
Set Member State Reply Errors: 0

Send Weights Messages received: 47
Send Weights Message Parse Errors: 0
Total Messages with Invalid LB Name: 0
Total Messages with Invalid Group Name: 0
Total Messages with Invalid Real Server Name: 0
Messages with Invalid SASP Header: 0
Messages with parse errors: 0
Messages with Unsuppored Message Type: 0

/stats/slb/wlm <wlm number> /clear Clear Workload Manager SASP Statistics

This command clears statistics for the specified Workload Manager.

/stats/slb/mirror


Display Workload Manager SASP statistics

SLB Session Mirroring statistics (/stats/slb/mirror)

>> Server Load Balancing Statistics# mirror
--------------------------------------------------------
Session Mirroring Stats:

                                      Rx  Tx
Total Create Session Messages          0   0
Total Update Session Messages          0   0
Total Delete Session Messages          0   0
Total Create Data Session Messages     0   0
Total Update Data Session Messages     0   0
Total Delete Data Session Messages     0   0
Total Sessions Created                 0
Total Sessions Updated                 0
Total Sessions Deleted                 0
Total Data Sessions Created            0
Total Data Sessions Updated            0
Total Data Sessions Deleted            0
Session table full                     0
Unvailable pport                       0
Session already present                0
Session not found                      0
Control session not found              0

/stats/bwm BWM Statistics Menu

[Bandwidth Management Statistics Menu]
port - Switch Port Contract Stats Menu
cont - BW Contract stats
rcont - BW Contract rate stats
hist - BW History stats
maint - Show BWM maint statistics
ipusers - Show BWM IP user stats for iplimit contracts
dump - Dump all BWM statistics
clear - Clear BWM statistics

Bandwidth Management Statistics Menu Options (/stats/bwm)

Command Syntax and Usage Need information on all following statistics

port <port number>

Displays Switch Port Contract Statistics Menu. To view menu options, see "/stats/bwm/port port number BWM Switch Processor Statistics" (page 195).


cont <BW Contract number (1-1024)>

Displays bandwidth management contract statistics. See "/stats/bwm/cont contract number BWM Contract Statistics" (page 196) for details.

rcont <BW Contract number (1-1024)>

Displays bandwidth management contract rate statistics. See "/stats/bwm/rcont BWM Contract Rate Statistics" (page 197) for details.

hist

Displays bandwidth management history statistics. See "/stats/bwm/hist BWM History Statistics" (page 198) for sample output.

maint

Displays bandwidth management maintenance statistics. See "/stats/bwm/maint BWM Maintenance Statistics" (page 201) for sample output.

ipusers

Displays Bandwidth Management IP user stats for iplimit contracts. Each IP address is limited to the user limit configured in /cfg/bwm/contract on "/cfg/bwm/cont contract number Bandwidth Management Contract Configuration" (page 273).

See "/stats/bwm/ipusers BWM IP Users Statistics" (page 201) for sample output.

dump

Displays all bandwidth management statistics.

clear

Clears all bandwidth management statistics.

/stats/bwm/port <port number> BWM Switch Processor Statistics

[Bandwidth Management Port Statistics Menu]
cont - BW Contract stats
rcont - BW Contract rate stats

Management Port Statistics Menu Options (/stats/bwm/sp)

Command Syntax and Usage

cont <BW Contract number (1-1024)>

Displays bandwidth management contract statistics. See "/stats/bwm/port port number /cont BWM Switch Processor Contract Statistics Menu" (page 196) for a sample output.


rcont <BW Contract number (1-1024)>

Displays bandwidth management contract rate statistics.

/stats/bwm/port <port number> /cont BWM Switch Processor Contract Statistics Menu

>> Bandwidth Management Port Statistics# cont
-----------------------------------------------------------
BW Contract statistics
Contract Name    Octets  Discards   Total Pkts BufUsed BufMax
-------- ------- ------- ---------- ---------- ------- ---
    1024 Default       0          0          0       0 16320

/stats/bwm/port <port number> /rcont BWM Switch Processor Rate Contract Statistics

This command repeats its output when the printed lines are less than the configured CLI lines per screen. If the CLI lines are configured at zero per screen, the command will continue to repeat its output until you type a key on the console or telnet session.

You can configure the number of CLI lines per screen using the global (hidden) command: lines <number of lines>. For example:

>> AAS_2424 - Bandwidth Management Statistics# lines
Current lines-per-screen: 24
>> AAS_2424 - Bandwidth Management Statistics# lines ?
lines sets lines-per-screen 0-300, zero for infinite

/stats/bwm/cont <contract number>


BWM Contract Statistics

The following description of statistics applies on a specific switch port for all enabled contracts.

Note: This command displays enabled contracts only.

Bandwidth Management Contract Statistics (/stats/bwm/cont)

Statistics Description

Contract

The contract number.

Name

The contract name.

Octets

The number of octets transmitted through a particular contract since the switch was booted.

Discards

The number of octets discarded because more traffic was seen than the bandwidth contract limit permits.

Total Pkts

The total number of packets classified for that contract.

BufUsed

The current amount of buffer space used to store the packets that are waiting to be transmitted.

BufMax

Maximum buffer space that can be used to store the packets before they can be transmitted. The switch starts dropping the packets of a particular contract after the maximum buffer space allocated for that contract is occupied.

/stats/bwm/rcont BWM Contract Rate Statistics

Use this command to show the rate statistics of all the enabled contracts.

Note: This command displays enabled contracts only.

This command repeats its output when the printed lines are less than the configured CLI lines per screen. If the CLI lines are configured at zero per screen, the command will continue to repeat its output until you type a key on the console or telnet session.


You can configure the number of CLI lines per screen using the global (hidden) command: lines <number of lines>. For example:

>> AAS_2424 - Bandwidth Management Statistics# lines
Current lines-per-screen: 24
>> AAS_2424 - Bandwidth Management Statistics# lines ?
lines sets lines-per-screen 0-300, zero for infinite

Bandwidth Management Contract Rate Statistics (/stats/bwm/rcont)

Statistics Description

Contract The contract number.

Name The contract name.

Rate (in Kbps) Rate at which the packets are going out of the switch on a particular contract.

Octets The number of octets transmitted through a particular contract since the switch was booted.

Discards The number of octets discarded because of seeing more traffic than the bandwidth contract limits.

BufUsed The current amount of buffer space used to store the packets that are waiting to be transmitted.

BufMax Maximum buffer space that can be used to store the packets before they can be transmitted. The switch starts dropping the packets of a particular contract after the maximum buffer space allocated for that contract is occupied.

/stats/bwm/hist BWM History Statistics

You can dump the stats kept in the SMTP history buffer that get dumped periodically when an e-mail is sent. This command is used to keep long-term history only for the contracts that are enabled and have the history command turned on.

Use this command to show the history of all the contracts for which the history command is enabled. The sampling is done at one-minute intervals.

Bandwidth Management History Statistics (/stats/bwm/hist)

Statistics Description

Contract The contract number for which history is enabled.

Octets The number of octets sent out on a particular contract.


Statistics Description

Contract The contract number for which history is enabled.

Discards The number of octets discarded because of seeing more traffic than the bandwidth contract limit permits.

TimeStamp Indicates the time the packets were received or discarded.

Note: These statistics can only be viewed when the e-mail option is enabled.

/stats/bwm/maint BWM Maintenance Statistics

/stats/bwm/ipusers BWM IP Users Statistics

This command displays the number of BWM IP user entries for each BWM contract for each SP.

BWM IP users statistics
Contract    SP1     SP2     SP3     SP4     Total
------   ------  ------  ------  -------  --------
10            0      10       0       0        10
11            0      10       0       0        10
         ------  ------  ------  -------  --------
              0      20       0       0        20

/stats/security Security Statistics

[Security Statistics Menu]
ipacl - IP Address ACL Statistics Menu
udpblast - UDP Blast Statistics Menu
dos - DoS Attack Statistics Menu
pgroup - Show pattern match group statistics
ratelim - Show rate limiting statistics
symhits - Show symantec hit statistics
symclear - Clear symantec hit statistics
dump - Dump all security statistics

Command Syntax and Usage

dos

Displays the DOS Attack statistics menu. To view a sample output and a description of the stats, see "/stats/security/dos DOS Attack Statistics Menu" (page 202).

ipacl

Displays the IP Address Access Control List statistics menu. To view a sample output and a description of the statistics, see "/stats/security/ipacl IP Access Control List Statistics" (page 205).

udpblast

Displays the UDP Blast statistics menu. To view a sample output and a description of the statistics, see "/stats/security/udpblast UDP Blast Statistics" (page 206).

pgroup

Displays the Pattern Match Group statistics menu. To view a sample output and a description of the statistics, see "/stats/security/pgroup UDP Pattern Match Statistics" (page 206).

ratelim

Displays the Rate Limiting statistics menu. To view a sample output and a description of the stats, see "/stats/security/ratelim Rate Limiting Statistics" (page 207).

symhits

Displays Symantec hit statistics.

symclear

Clears all Symantec hit statistics.

dump

Displays all security statistics.

/stats/security/dos DOS Attack Statistics Menu

DOS Attacks Statistics Menu Options (/stats/security/dos)

Command Syntax and Usage

port <port number>

Displays the number of times the packets were dropped for each of the following types of DOS attacks, on the selected port only.

dump

Displays the number of times the packets were dropped on the switch, for each of the following types of DOS attacks:

iplen, ipversion, broadcast, loopback, land, ipreserved, ipttl, ipprot, ipoptlen, fragmoredont, fragdata, fragboundary, fraglast, fragdontoff, fragopt, fragoff, fragoversize, tcplen, tcpportzero, blat, tcpreserved, nullscan, fullxmasscan, finscan, vecnascan, xmasscan, synfinscan, flagabnormal, syndata, synfrag, ftpport, dnsport, seqzero, ackzero, tcpoptlen, udplen, udpportzero, fraggle, pepsi, rc8, snmpnull, icmplen, smurf, icmpdata, icmpoff, icmptype, igmplen, igmpfrag, igmptype, arplen, arpnbcast, arpnucast, arpspoof, garp, ip6len, ip6version

For a description of these different types of DOS attacks, see "Types of DOS Attacks" (page 203).

clear

Deletes all DOS attack statistics.

help

Displays a description of each type of DOS attack by name and how it works.

Types of DOS Attacks

Nortel Application Switch Operating System can protect switch ports against a variety of Denial of Service (DOS) attacks including Port Smurf, LandAttack, Fraggle, Nullscan, Xmascan, PortZero, and ScanSynFin. Enable DOS protection on ports connected to any network that could be the source of an attack.

You can use the help command to obtain a brief explanation of each type of DOS attack detected by the switch.


Refer to your Nortel Application Switch Operating System Application Guide for a detailed description of DOS attacks.


/stats/security/ipacl IP Access Control List Statistics

The following IP Access Control List statistics can be viewed with this command:

[IP ACL Statistics Menu]
dump - IP address access control Stats
clear - Clear all access control Stats

IPACL Security Statistics Menu Options (/stats/security/ipacl)

Command Syntax and Usage

dump

Displays the accumulated blocked packets for each source or destination IP address and mask pair in the access control list.


clear

Deletes all the statistics of accumulated blocked packets.

/stats/security/udpblast UDP Blast Statistics

[UDP Blast Statistics Menu]
dump - UDP Blast Stats
clear - Clear all UDP Blast Stats

UDP Blast Statistics Menu Options (/stats/security/udpblast)

Command Syntax and Usage

dump

Displays all the accumulated blocked packets for each port, and the current packet rate per second. See "/stats/security/udpblast/dump UDP Blast Dump Statistics" (page 206) for a sample output and a description of the statistics.

clear

Deletes all the accumulated blocked packets.

/stats/security/udpblast/dump UDP Blast Dump Statistics

UDP Blast Dump Statistics Parameters (/stats/security/udpblast/dump)

Field Description

UDP Port UDP ports that experienced UDP blast attacks.

Blocked Packets The number of blocked packets.

Current Packet Rate/Second Displays the current rate of packets to the UDP port.

/stats/security/pgroup UDP Pattern Match Statistics

Pattern Match Group stats:
ID   Name   Hits
1           0

This menu displays how many times each configured pattern group has been matched and a subsequent filtering action performed. Pattern groups are configured in the "/cfg/security/pgroup <pattern group number> Pattern Matching Menu" (page 350).

/stats/security/ratelim Rate Limiting Statistics

Rate limiting stats:

TCP:
Total hold downs triggered: 0
Current per-client state entries: 0

UDP:
Total hold downs triggered: 0
Current per-client state entries: 0

ICMP:
Total hold downs triggered: 0
Current per-client state entries: 0

Rate Limiting Statistics (/stats/security/ratelim)

Field Description

Total hold downs triggered The total number of packets dropped after the hold-down period expired.

Current per-client state entries The total number of per-client state entries for TCP/UDP/ICMP rate limiting.
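For monitoring, the /stats/security/ratelim output shown above can be captured on a schedule and compared between runs. The following is an added example, not Nortel code: it parses two captures in that layout and reports which protocols triggered new hold downs. The sample captures are constructed, the function names are hypothetical, and it assumes the counters restart from zero after a switch reset.

```python
import re

PROTOCOLS = ("TCP", "UDP", "ICMP")

# Section headers and counter lines, as they appear in the sample output above.
SECTION_RE = re.compile(r"^(TCP|UDP|ICMP):\s*$", re.MULTILINE)
FIELD_RES = {
    "hold_downs": re.compile(r"Total hold downs triggered:\s*(\d+)"),
    "client_entries": re.compile(r"Current per-client state entries:\s*(\d+)"),
}

# Constructed captures (not taken from a real switch).
SAMPLE_BEFORE = """\
Rate limiting stats:

TCP:
Total hold downs triggered: 0
Current per-client state entries: 0

UDP:
Total hold downs triggered: 0
Current per-client state entries: 0

ICMP:
Total hold downs triggered: 0
Current per-client state entries: 0
"""

SAMPLE_AFTER = """\
Rate limiting stats:

TCP:
Total hold downs triggered: 3
Current per-client state entries: 12

UDP:
Total hold downs triggered: 0
Current per-client state entries: 0

ICMP:
Total hold downs triggered: 1
Current per-client state entries: 4
"""


def parse_ratelim(text):
    """Return {protocol: {"hold_downs": int, "client_entries": int}}."""
    sections = list(SECTION_RE.finditer(text))
    stats = {}
    for i, match in enumerate(sections):
        # A section body runs until the next protocol header or end of text.
        end = sections[i + 1].start() if i + 1 < len(sections) else len(text)
        body = text[match.end():end]
        entry = {}
        for name, pattern in FIELD_RES.items():
            hit = pattern.search(body)
            if hit is None:
                raise ValueError(f"{match.group(1)}: field {name!r} not found")
            entry[name] = int(hit.group(1))
        stats[match.group(1)] = entry
    missing = [p for p in PROTOCOLS if p not in stats]
    if missing:
        # A truncated capture must not be mistaken for "no activity".
        raise ValueError(f"capture has no section for: {', '.join(missing)}")
    return stats


def new_hold_downs(before, after):
    """Return {protocol: increase} for protocols whose hold-down count grew."""
    increases = {}
    for proto in PROTOCOLS:
        old = before[proto]["hold_downs"]
        new = after[proto]["hold_downs"]
        # Assumption: a lower value means the counter restarted from zero,
        # so everything counted since the restart is new.
        delta = new - old if new >= old else new
        if delta > 0:
            increases[proto] = delta
    return increases


if __name__ == "__main__":
    previous = parse_ratelim(SAMPLE_BEFORE)
    current = parse_ratelim(SAMPLE_AFTER)
    for proto, delta in new_hold_downs(previous, current).items():
        entries = current[proto]["client_entries"]
        print(f"{proto}: {delta} new hold downs, {entries} per-client entries")
```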

/stats/security/dump Dump Statistics for Security

/stats/mp Management Processor Statistics

[MP-specific Statistics Menu]
pkt - Show Packet and TCP stats
tcb - Show All TCP control blocks in use
ucb - Show All UDP control blocks in use
sfd - Show All Socket FD in use
cpu - Show CPU utilization
mem - Show memory stats

Management Processor Statistics Menu Options (/stats/mp)

Command Syntax and Usage

pkt

Displays packet statistics, to check for leads and load. To view a sample output and a description of the stats, see "/stats/mp/pkt MP Packet Statistics" (page 209).

tcb


Displays all TCP control blocks that are in use. To view a sample output and a description of the stats, see "/stats/mp/tcb TCP Statistics" (page 210).

ucb

Displays all UDP control blocks that are in use. To view a sample output, see "/stats/mp/ucb UCB Statistics" (page 211).

sfd

Displays all Socket File Descriptors that are in use. To view a sample output, see "/stats/mp/sfd MP-Specific SFD Statistics" (page 211).

cpu

Displays CPU utilization for periods of up to 1, 4, and 64 seconds. To view a sample output and a description of the stats, see "/stats/mp/cpu CPU Statistics" (page 212).

mem

Displays memory statistics.

/stats/mp/pkt MP Packet Statistics

Packet Statistics (/stats/mp/pkt)

Statistics Description

Packet counts:

allocs Total number of packet allocations from the packet buffer pool by the TCP/IP protocol stack.

frees Total number of times the packet buffers are freed (released) to the packet buffer pool by the TCP/IP protocol stack.

mediums Total number of packet allocations with size between 128 to 1536 bytes from the packet buffer pool by the TCP/IP protocol stack.


jumbos Total number of packet allocations with size between 1536 bytes to 9K bytes from the packet buffer pool by the TCP/IP protocol stack.

smalls Total number of packet allocations with size less than 128 bytes from the packet buffer pool by the TCP/IP protocol stack.

alloc fails Total number of packet allocation failures from the packet buffer pool by the TCP/IP protocol stack.

frees Total number of packets freed from the packet buffer pool by the TCP/IP protocol stack.

mediums hi-watermark The highest number of packet allocations with size between 128 to 1536 bytes from the packet buffer pool by the TCP/IP protocol stack.

jumbos hi-watermark The highest number of packet allocations with size between 1536 bytes to 9K bytes from the packet buffer pool by the TCP/IP protocol stack.

smalls hi-watermark The highest number of packet allocations with size less than 128 bytes from the packet buffer pool by the TCP/IP protocol stack.

packet discards The number of packets that are discarded by the MP. The packets are discarded because buffer resources are not available or the buffer threshold is reached and the low priority packets are discarded.

TCP counts:

allocs Total number of TCP packet allocations from MP memory by the TCP/IP protocol stack.

current Total number of TCP packet allocations from MP memory by the TCP/IP protocol stack.

alloc fails Total number of TCP packet allocation failures from MP memory by the TCP/IP protocol stack.

frees Total number of times the TCP packet buffers are freed (released) to MP memory by the TCP/IP protocol stack.

current hi-watermark The highest number of TCP packet allocations from MP memory by the TCP/IP protocol stack.

alloc discards The number of TCP packets that are discarded by the MP. The packets are discarded because MP memory resources are not available.

/stats/mp/tcb TCP Statistics

MP Specified TCP Statistics (/stats/mp/tcb)

Statistics Description

117f6d00/117f81a8 Memory

0.0.0.0/47.81.27.6 Destination IP address

0/1331 Destination port

0.0.0.0/47.80.16.59 Source IP

80/23 Source port

listen/established State

/stats/mp/ucb UCB Statistics

All UDP allocated control blocks:
161: listen
1985: listen
3122: listen

UCB Statistics on MP (/stats/mp/ucb)

Field Description

161/1985/3122 UDP port number

Listen State

/stats/mp/sfd MP-Specific SFD Statistics

/stats/mp/cpu CPU Statistics

This menu option enables you to display the CPU utilization statistics on MP.

CPU utilization:
cpuUtil1Second: 100%
cpuUtil4Seconds: 100%
cpuUtil64Seconds: 100%

CPU Statistics (stats/mp/cpu)

Statistics Description

cpuUtil1Second The percentage of CPU utilization as measured over the last one second interval.

cpuUtil4Seconds The percentage of CPU utilization as measured over the last four second interval.

cpuUtil64Seconds The percentage of CPU utilization as measured over the last 64 second interval.

/stats/sp <SP Number> SP Specific Statistics

[SP-specific Statistics Menu]
maint - Show maintenance stats
clear - Clear maintenance stats
cpu - Show CPU utilization

SP Specific Statistics (/stats/sp)

Statistics Description

maint Displays internal statistics, Layer 2 FDB maintenance statistics, and MP DOS shield statistics. See "/stats/sp <SP number>/maint SP-Specific Maintenance Statistics" (page 212) for a sample output.

clear Deletes all the maintenance statistics.

cpu Displays what percentage of the CPU has been utilized. To view a sample output and a description of the stats, see "/stats/sp/cpu CPU Statistics" (page 213).

/stats/sp <SP number>/maint SP-Specific Maintenance Statistics

Maintenance statistics for SP 1:
Receive Letter success from MP: 158648
Receive Letter success from SP 2: 0
Receive Letter success from SP 3: 0
Receive Letter success from SP 4: 0
Receive Letter errors from MP: 0
Receive Letter errors from SP 2: 0
Receive Letter errors from SP 3: 0
Receive Letter errors from SP 4: 0
Send Letter success to MP: 125516
Send Letter success to SP 2: 0
Send Letter success to SP 3: 6799
Send Letter success to SP 4: 6791
Send Letter failures to MP: 0
Send Letter failures to SP 2: 0
Send Letter failures to SP 3: 0
Send Letter failures to SP 4: 0
learnErrNoddw: 0 resolveErrNoddw: 0
ageMPNoddw: 0 deleteMiss: 0
pfdbFreeEmpty: 0
arpDiscards: 0 icmpDiscards: 0
tcpDiscards: 0 udpDiscards: 0

/stats/sp/cpu CPU Statistics

This menu option enables you to display the CPU utilization statistics on the Switch Processor (SP).

CPU utilization for SP 1:
cpuUtil1Second: 6%
cpuUtil4Seconds: 6%
cpuUtil64Seconds: 6%

CPU Statistics (stats/sp/cpu)

Statistics Description

cpuUtil1Second The percentage of CPU utilization as measured over the last one second interval.

cpuUtil4Seconds The percentage of CPU utilization as measured over the last four second interval.

cpuUtil64Seconds The percentage of CPU utilization as measured over the last 64 second interval.

/stats/pmirr Port Mirroring Statistics Menu

[Port Mirroring Statistics Menu]
dump - Port Mirroring Stats
clear - Clear all Port Mirroring Stats

Port Mirroring

Command Syntax and Usage

dump

Displays the port number, and the statistics of the traffic on the ingress and egress ports.

clear

Deletes all the port mirroring statistics.

CAUTION: Use this command carefully as it will delete all statistics permanently.

/stats/mgmt Management Port Statistics

Management port interface statistics:
RX bytes: 0 TX bytes: 0
RX packets: 0 TX packets: 0
RX errors: 0 TX errors: 0
RX dropped: 0 TX dropped: 0
RX overruns: 0 TX overruns: 0
RX frame errors: 0 TX carrier errors: 0
RX multicast: 0 TX collisions: 0

Management Port Statistics (/stats/mgmt)

Statistics Description

RX bytes The total number of incoming bytes successfully transferred by the interface.

RX packets The total number of incoming packets successfully transferred by the interface.

RX errors The number of bad packets received.


RX dropped The number of incoming packets that were dropped due to lack of receive buffers.

RX overruns The number of received packets that were dropped because their size exceeded that of the receive queue.

RX frame errors The number of incoming packets dropped due to IP framing errors.

RX multicast The number of multicast packets received.

TX bytes The total number of outgoing bytes successfully transferred by the interface.

TX packets The total number of outgoing packets successfully transferred by the interface.

TX errors The number of packets dropped due to transmission problems.

TX dropped The number of packets dropped due to lack of transmit buffers.

TX overruns The number of packets dropped because size exceeded that of the transmit queue.

TX carrier errors Not applicable.

TX collisions The number of collisions due to congestion on the medium. Collisions occur when two or more stations are transmitting signals at the same time.

/stats/dump Dump Statistics

Use the dump command to dump all switch statistics available from the Statistics Menu (40K or more, depending on your configuration). This data can be used to tune or debug switch performance.

If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump commands.


The Configuration Menu

This chapter discusses how to use the Command Line Interface (CLI) for making, viewing, and saving switch configuration changes. Many of the commands, although not new, display more or different information than in the previous version. Important differences are called out in the text.

To make finding information easier, the menu options under the Server Load Balancing Menu (/cfg/slb).

/cfg Configuration Menu

Configuration Menu Options (/cfg)

Command Syntax and Usage

sys

Displays the System-wide parameter Configuration Menu. To view menu options, see "/cfg/sys System Configuration" (page 220).

port <port number>

Displays the Port Configuration Menu. To view menu options, see "/cfg/port <port number> Port Configuration" (page 255).

pmirr


Displays the Mirroring Configuration Menu. To view menu options, see "/cfg/pmirr Port Mirroring Menu" (page 269).

bwm

Displays the Bandwidth Management Configuration Menu. To view menu options, see "/cfg/bwm Bandwidth Management Configuration" (page 270).

l2

Displays Layer 2 Configuration Menu. To view menu options, see "/cfg/l2 Layer 2 Configuration Menu" (page 278).

l3

Displays Layer 3 Configuration Menu. To view menu options, see "/cfg/l3 Layer 3 Configuration Menu" (page 293).

slb

Displays the Server Load Balancing Configuration Menu. To view menu options, see "The SLB Configuration Menu" (page 355).

security

Displays the Security Menu. To view menu options, see "/cfg/security Security Configuration Menu" (page 344).

sslproc

Displays the SSL processor setup Menu. To view menu options, see "/cfg/security/dos Anomaly and Denial of Service Attack Prevention Menu" (page 349).

setup

Step-by-step configuration set-up of the switch. For details, see "/cfg/security/dos Anomaly and Denial of Service Attack Prevention Menu" (page 349).

dump

Dumps current configuration to a script file. For details, see "/cfg/dump Dump" (page 352).

ptcfg <host name or IP address of TFTP server filename on host>

Backs up current configuration to TFTP server. For details, see "/cfg/ptcfg Saving the Active Switch Configuration" (page 353).

gtcfg <host name or IP address of TFTP server filename on host>

Restores current configuration from TFTP server. For details, see "/cfg/gtcfg Restoring the Active Switch Configuration" (page 353).


Viewing, Applying, and Saving Changes

As you use the configuration menus to set switch parameters, the changes you make do not take effect immediately. All changes are considered "pending" until you explicitly apply them. Also, any changes are lost the next time the switch boots unless the changes are explicitly saved.

While configuration changes are in the pending state, you can do the following:

• View the pending changes

• Apply the pending changes

• Save the changes to flash memory

Viewing Pending Changes

You can view all pending configuration changes by entering diff at the menu prompt.

Note: The diff command is a global command. Therefore, you can enter diff at any prompt in the CLI.

Applying Pending Changes

To make your configuration changes active, you must apply them. To apply configuration changes, enter apply at any prompt in the CLI.

# apply

Note 1: The apply command is a global command. Therefore, you can enter apply at any prompt in the administrative interface.

Note 2: All configuration changes take effect immediately when applied, except for starting Spanning Tree Protocol. To turn STP on or off, you must apply the changes, save them (see below), and then reset the switch (see "Resetting the Switch" (page 460)).

Saving the Configuration

In addition to applying the configuration changes, you can save them to flash memory on the Nortel Application Switch.

Note: If you do not save the changes, they will be lost the next time the system is rebooted.

To save the new configuration, enter the following command at any CLI prompt:

# save


When you save configuration changes, the changes are saved to the active configuration block. The configuration being replaced by the save is first copied to the backup configuration block. If you do not want the previous configuration block copied to the backup configuration block, enter the following instead:

# save n

You can decide which configuration you want to run the next time you reset the switch. Your options include:

• The active configuration block

• The backup configuration block

• Factory default configuration

You can view all pending configuration changes that have been applied but not saved to flash memory using the diff flash command. It is a global command that can be executed from any menu.

For instructions on selecting the configuration to run at the next system reset, see "Selecting a Configuration Block" (page 459).

/cfg/sys System Configuration

This menu provides configuration of switch management parameters such as user and administrator privilege mode passwords, Web-based management settings, and management access list.


System Configuration Menu Options (/cfg/sys)

Command Syntax and Usage

syslog

Displays the Syslog Menu. To view menu options, see "/cfg/sys/syslog System Host Log Configuration" (page 222).

mmgmt

Displays Management Port Menu. To view menu options, see "/cfg/sys/mmgmt Management Port Configuration Menu" (page 224).

radius

Displays the RADIUS Authentication Menu. To view menu options, see "/cfg/sys/radius RADIUS Server Configuration" (page 227).

tacacs

Displays TACACS+ authentication Menu. To view menu options, see "/cfg/sys/tacacs TACACS+ Server Configuration Menu" (page 228).

ntp

Displays the Network Time Protocol (NTP) Server Menu. To view menu options, see "/cfg/sys/ntp NTP Server Configuration" (page 230).

sonmp

Displays the SynOptics Network Management Protocol (SONMP) menu. To view menu options, see "/cfg/sys/sonmp SynOptics Network Management Protocol Configuration" (page 231).

ssnmp

Displays the System SNMP Menu. To view menu options, see "/cfg/security/dos Anomaly and Denial of Service Attack Prevention Menu" (page 349).

health

Displays system health check menu. To view menu options, see "/cfg/sys/health System Health Check Configuration Menu" (page 244).

access

Displays System Access Menu. To view menu options, see "/cfg/sys/access System Access Control Configuration" (page 245).

date

Prompts the user for the system date.

time

Configures the system time using a 24-hour clock format.

timezone

Configures the system time zone. To view an example, see "/cfg/sys/timezone Configure the Timezone" (page 255).


idle <idle timeout in minutes; affects both console and Telnet>

Sets the idle timeout for CLI sessions, from 1 to 10080 minutes. The default is 5 minutes.

notice <max 1024 char multi-line login notice ’-’ to end>

Displays login notice immediately before the "Enter password:" prompt. This notice can contain up to 1024 characters and new lines.

bannr <string, maximum 80 characters>

Configures a login banner of up to 80 characters. When a user or administrator logs into the switch, the login banner is displayed. It is also displayed as part of the output from the /info/sys command.

smtp <SMTP host name or IP address>

Sets the Simple Mail Transfer Protocol (SMTP) host, which is used for sending bandwidth management history information.

hprompt disable|enable

Enables or disables displaying of the host name (system administrator’s name) in the Command Line Interface (CLI).

bootp disable|enable

Enables or disables the use of BOOTP. If you enable BOOTP, the switch will query its BOOTP server for all of the switch IP parameters. This command is disabled by default.

cur

Displays the current system parameters.

/cfg/sys/syslog System Host Log Configuration

Note: Nortel Application Switch Operating System 24.0 supports the RFC 3164 standard for Syslogs.

[Syslog Menu]
hst1 - Set IP address of first syslog host
hst2 - Set IP address of second syslog host
hst3 - Set IP address of third syslog host
hst4 - Set IP address of fourth syslog host
hst5 - Set IP address of fifth syslog host
console - Enable/disable console output of syslog messages
log - Enable/disable syslogging of features
cur - Display current syslog settings

System Configuration Menu Options (/cfg/sys/syslog)

Command Syntax and Usage

hst1 <new syslog host IP address severity facility (such as, 192.4.17.223 5 6)>

Sets the IP address of the first syslog host along with severity and facility for this syslog host.

hst2 <new syslog host IP address severity facility (such as, 192.4.17.223 5 6)>

Sets the IP address of the second syslog host along with severity and facility for this syslog host.

hst3 <new syslog host IP address severity facility (such as, 192.4.17.223 5 6)>

Sets the IP address of the third syslog host along with severity and facility for this syslog host.

hst4 <new syslog host IP address severity facility (such as, 192.4.17.223 5 6)>

Sets the IP address of the fourth syslog host along with severity and facility for this syslog host.

hst5 <new syslog host IP address severity facility (such as, 192.4.17.223 5 6)>

Sets the IP address of the fifth syslog host along with severity and facility for this syslog host.

console disable|enable

Enables or disables delivering syslog messages to the console. When necessary, disabling console ensures the switch is not affected by syslog messages. It is enabled by default.

log <feature|all enable|disable>

Displays a list of features for which syslog messages can be generated. You can choose to enable/disable specific features (such as vlans, gslb, filter), or enable/disable syslog on all available features.

cur

Displays the current syslog settings.

Seven Levels of SeverityFollowing is the description of the seven levels of severity:

0: Emergency. This means that the system is unusable.

Page 224: 24.0.0 Command Reference

1: Alert. This means that corrective action must be taken immediately.

2: Critical. This means the condition of the system is critical.

3: Error. This means that the system has errors that should be corrected.

4: Warning. This means that the system is giving a warning.

5: Notice. This means that the condition of the system is normal but with significant conditions that need attention.

6: Informational. This means that the system is working but giving out information about certain unfavorable conditions.

7: Debug. This means that the system is giving out debug-level messages.

/cfg/sys/mmgmt Management Port Configuration Menu

The Management port is a Fast Ethernet port that is used exclusively to manage the switch. While the switch can be managed from any network port, using the Management port avoids consuming a port that could otherwise be used for processing data and traffic. The switch is managed through this port using either telnet CLI, SNMP, or HTTP. This port is isolated from and does not participate in the networking protocols that run on the network ports.

The Management port must be configured with a static IP address, subnet mask, broadcast address, and default gateway, and must be enabled before it can be used. If this port is disabled, the network ports have to perform all switch management (other than the switch management using the console). If this port is enabled, the factory default settings for some of the management features remain with the network ports. You can change the defaults by configuring these features to permanently use the management port, or in some cases, by using the operational commands to set these options on a one-time basis.

Note: The Management port does not support BOOTP.

Page 225: 24.0.0 Command Reference

Management Port Configuration Menu Options (/cfg/sys/mmgmt)

Command Syntax and Usage

port

Displays the management port link menu. To view the menu options, see "/cfg/sys/mmgmt/port Management Port Link Menu" (page 226).

addr <IP address (such as, 192.4.17.101)>

Sets the IP address.

mask <subnet mask (such as, 255.255.255.0)>

Sets the subnet mask.

gw <gateway address (such as, 192.4.17.1)>

Sets the IP address for the default gateway.

intr <interval (0 - 60 seconds)>

Sets the interval between gateway ping attempts.

retry <number of attempts (1-120)>

Sets the number of failed ping attempts before a gateway is declared DOWN.

dns default port mgmt|data

Sets DNS over management or data port. Default is data port.

ntp default port mgmt|data

Sets NTP over management or data ports. The default is data port.

radius default port mgmt|data

Sets RADIUS over management or data ports. Default is data port.

tacacs mgmt|data

Page 226: 24.0.0 Command Reference

Sets TACACS+ over management or data ports. Default is data port.

smtp default port mgmt|data

Sets SMTP over management or data ports. Default is data port.

snmp default port mgmt|data

Sets SNMP trap host over management or data ports. Default is data port.

syslog default port mgmt|data

Sets syslog host access over management or data ports. Default is data port.

sonmp default port mgmt|data

Sets default IP address for SONMP hello packets.

When this option is set to mgmt, the Management Port IP address is used in the SONMP hello packets transmitted by the switch. If it is set to data, the IP address of the data port interface specified by the srcif (/cfg/sys/sonmp/srcif) command is used in the hello packets.

tftp default port mgmt|data

Sets TFTP over management or data port. Default is data port.

wlm ["mgmt"|"data"]

Set the default port for the workload manager.

report ["mgmt"|"data"]

Set the default port for the reporting server.

ena

Enables the Management port.

dis

Disables the Management port.

cur

Displays the current configuration.

/cfg/sys/mmgmt/port Management Port Link Menu

[Management Port Link Menu]

speed - Set link speed

mode - Set full or half duplex mode

auto - Set autonegotiation

cur - Display current link configuration

Page 227: 24.0.0 Command Reference

Management Port Link Menu Options (/cfg/sys/mmgmt/port)

Command Syntax and Usage

speed 10|100|any

Sets the speed of the link with the Management port. Default is any.

mode full|half|any

Sets half or full duplex mode. Default is any.

auto on|off

Sets auto negotiation for the port. By default this command is turned on.

cur

Displays the current link configuration.

/cfg/sys/radius RADIUS Server Configuration

RADIUS Server Configuration Menu Options (/cfg/sys/radius)

Command Syntax and Usage

prisrv <IP address>

Sets the primary RADIUS server address.

secsrv <IP address>

Sets the secondary RADIUS server address.

secret <1-128 character secret>

This is the shared secret password between the switch and the primary RADIUS server(s).

secret2 <1-128 character secret>

This is the shared secret password between the switch and the secondary RADIUS server(s).

port <RADIUS port to configure, default 1645>

Enter the number of the UDP port to be configured, between 1500 - 3000. The default is 1645.

Page 228: 24.0.0 Command Reference

retries <RADIUS server retries (1-3)>

Sets the number of failed authentication requests before switching to a different RADIUS server. The default is 3 requests.

timeout <RADIUS server timeout seconds (1-10)>

Sets the amount of time, in seconds, before a RADIUS server authentication attempt is considered to have failed. The default is 3 seconds.

telnet disable|enable

Enables or disables the RADIUS back door for telnet. Telnet also applies to SSH/SCP connections.

secbd disable|enable

Enables or disables the RADIUS secure back door for telnet/ssh/http connections.

on

Enables the RADIUS server.

off

Disables the RADIUS server.

cur

Displays the current RADIUS server parameters.

/cfg/sys/tacacs TACACS+ Server Configuration Menu

TACACS (Terminal Access Controller Access Control System) is an authentication protocol that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system. TACACS is an encryption protocol and therefore less secure than TACACS+ and Remote Authentication Dial-In User Service (RADIUS) protocols. (Both TACACS and TACACS+ are described in RFC 1492.)

TACACS+ protocol is seen as more reliable than RADIUS as TACACS+ uses the Transmission Control Protocol (TCP) whereas RADIUS uses the User Datagram Protocol (UDP). Also, RADIUS combines authentication and authorization in a user profile, whereas TACACS+ separates the two operations.

TACACS+ protocol has been implemented on Nortel Application Switch Operating System to support the customers that have Cisco's TACACS+ protocol as their network security feature. Apart from that, TACACS+ offers the following advantages over RADIUS as the authentication device:

• TACACS+ is TCP-based so it facilitates connection-oriented traffic.

Page 229: 24.0.0 Command Reference

• It supports full-packet encryption as against password-only in authentication requests.

• Supports decoupled authentication, authorization, and accounting.

TACACS+ Server Menu Options (/cfg/sys/tacacs)

Command Syntax and Usage

prisrv <IP address>

Defines the primary TACACS+ server address.

secsrv <IP address>

Defines the secondary TACACS+ server address.

secret <1-128 character secret>

This is the shared secret between the switch and the primary TACACS+ server(s).

secret2 <1-128 character secret>

This is the shared secret between the switch and the secondary TACACS+ server(s).

port <TACACS+ port configure, default 49>

Enter the number of the TCP port to be configured, between 1 - 65000. The default is 49.

retries <TACACS+ server retries, 1-3>

Sets the number of failed authentication requests before switching to a different TACACS+ server. The default is 3 requests.

timeout <TACACS+ server timeout seconds, 1-15>

Sets the amount of time, in seconds, before a TACACS+ server authentication attempt is considered to have failed. The default is 4 seconds.

telnet disable|enable

Page 230: 24.0.0 Command Reference

Enables or disables the TACACS+ back door for telnet. Telnet also applies to SSH/SCP connections.

secbd disable|enable

Enables or disables TACACS+ secure backdoor access. When enabled, it provides access in the absence of TACACS+ servers.

cmap disable|enable

Enables or disables TACACS+ new privilege level mapping. When enabled, the privilege level range increases from the default 0-6 to 0-15.

cauth disable|enable

Enables or disables TACACS+ command authorization.

clog disable|enable

Enables or disables TACACS+ command logging. When enabled, NAS sends command log messages to the TACACS+ server when configured by the user.

on

Enables the TACACS+ server.

off

Disables the TACACS+ server.

cur

Displays current TACACS+ configuration parameters.

/cfg/sys/ntp NTP Server Configuration

This menu enables you to synchronize the switch clock to a Network Time Protocol (NTP) server. By default, this option is disabled.

[NTP Server Menu]

prisrv - Set primary NTP server address

secsrv - Set secondary NTP server address

intrval - Set NTP server resync interval

tzone - Set NTP timezone offset from GMT

on - Turn NTP service ON

off - Turn NTP service OFF

cur - Display current NTP configuration

NTP Server Configuration Menu Options (/cfg/sys/ntp)

Command Syntax and Usage

prisrv <primary NTP server IP address>

Page 231: 24.0.0 Command Reference

Prompts for the IP address of the primary NTP server to which you want to synchronize the switch clock.

secsrv <secondary NTP server IP address>

Prompts for the IP address of the secondary NTP server to which you want to synchronize the switch clock.

intrval <resync interval in minutes>

Specifies how often the switch will re-synchronize the switch clock with the NTP server. This interval of time will be specified in minutes (1-44640). The default value is 1440 minutes.

tzone <offset from GMT, in HH:MM>

Prompts for the NTP time zone offset, in hours and minutes, of the switch you are synchronizing from Greenwich Mean Time (GMT).

on

Enables the NTP synchronization service.

off

Disables the NTP synchronization service.

cur

Displays the current NTP service settings.

/cfg/sys/sonmp SynOptics Network Management Protocol Configuration

[SONMP Menu]

srcif - Set source interface to be used in hello packets

on - Turn Ethernet Autotopology ON

off - Turn Ethernet Autotopology OFF

cur - Display current SONMP configuration

SynOptics Network Management Protocol (SONMP) is a proprietary network management protocol that is used by Nortel Networks Optivity Switch Manager (OSM) to discover Nortel Application Switches on the network. The following commands add support for the Ethernet Autotopology algorithm and the Bay Topology MIB. The topology algorithm is executed by each Nortel Application Switch on which SONMP is enabled.

System Configuration Menu Options (/cfg/sys/sonmp)

Command Syntax and Usage

srcif <interface number (1-256)>

Page 232: 24.0.0 Command Reference

This command specifies the IP address to be used in the hello packets. If the interface specified by this command is not up, then the first interface which is up and running is used in the hello packets.

on

This command enables the SONMP protocol, and turns Ethernet Autotopology on.

off

This command disables the SONMP protocol, and turns Ethernet Autotopology off.

cur

This command displays the current SONMP configuration.

/cfg/sys/ssnmp System SNMP Configuration

Nortel Application Switch Operating System supports SNMP-based network management. In the SNMP model of network management, a management station (client/manager) accesses a set of variables known as MIBs (Management Information Base) provided by the managed device (agent). If you are running an SNMP network management station on your network, you can manage the switch using the following standard SNMP MIBs:

• MIB II (RFC 1213)

• Ethernet MIB (RFC 1643)

• Bridge MIB (RFC 1493)

An SNMP agent is a software process on the managed device that listens on UDP port 161 for SNMP messages. Each SNMP message sent to the agent contains a list of management objects to retrieve or to modify.

SNMP parameters that can be modified include:

• System name

• System location

• System contact

• Use of the SNMP system authentication trap function

• Read community string

• Write community string

• Trap community strings

Page 233: 24.0.0 Command Reference

[System SNMP Menu]

snmpv3 - SNMPv3 Menu

name - Set SNMP "sysName"

locn - Set SNMP "sysLocation"

cont - Set SNMP "sysContact"

rcomm - Set SNMP read community string

wcomm - Set SNMP write community string

trsrc - Set SNMP trap source interface

timeout - Set timeout for the SNMP state machine

auth - Enable/disable SNMP "sysAuthenTrap"

linkt - Enable/disable SNMP link up/down trap

cur - Display current system SNMP configuration

SNMP Configuration Menu Options (/cfg/sys/ssnmp)

Command Syntax and Usage

snmpv3

Displays SNMPv3 menu. To view menu options, see "/cfg/sys/ssnmp/snmpv3 SNMPv3 Configuration Menu" (page 234).

name <new string (maximum 64 characters)>

Configures the name for the system. The name can have a maximum of 64 characters.

locn <new string (maximum 64 characters)>

Configures the name of the system location. The location can have a maximum of 64 characters.

cont <new string (maximum 64 characters)>

Configures the name of the system contact. The contact can have a maximum of 64 characters.

rcomm <new SNMP read community string (maximum 32 characters)>

Configures the SNMP read community string. The read community string controls SNMP "get" access to the switch. It can have a maximum of 32 characters. The default read community string is public.

wcomm <new SNMP write community string (maximum 32 characters)>

Configures the SNMP write community string. The write community string controls SNMP "set" and "get" access to the switch. It can have a maximum of 32 characters. The default write community string is private.

trsrc <interface number (1-256)>

Page 234: 24.0.0 Command Reference

Defines the interface number for SNMP trap source interface. This command enables the user to select one of the configured interfaces as the source interface using the interface number.

Note: This command is applicable only to SNMPv1 and SNMPv2 traps because only the SNMPv1 and SNMPv2 trap packets contain the source IP address that can be set with this command. The SNMPv3 packets do not contain this field.

timeout <SNMP state machine timeout minutes, 1-30>

Defines the timeout period for SNMP state machine. When you use diff and apply, memory is allocated to store the output of the command. The timeout period determines when the resources/memory allocated for the output will be freed.

auth disable|enable

Enables or disables the use of the system authentication trap facility. The default setting is disabled.

linkt <port disable|enable>

Enables or disables the sending of SNMP link up and link down traps. The default setting is enabled.

cur

Displays the current STP port parameters.

/cfg/sys/ssnmp/snmpv3 SNMPv3 Configuration Menu

SNMP version 3 (SNMPv3) is an extensible SNMP Framework that supplements the SNMPv2 Framework by supporting the following:

• a new SNMP message format

• security for messages

• access control

• remote configuration of SNMP parameters

For more details on the SNMPv3 architecture, refer to RFC 2271 through RFC 2276.

Page 235: 24.0.0 Command Reference

[SNMPv3 Menu]

usm - usmUser Table menu

view - vacmViewTreeFamily Table menu

access - vacmAccess Table menu

group - vacmSecurityToGroup Table menu

comm - community Table menu

taddr - targetAddr Table menu

tparam - targetParams Table menu

notify - notify Table menu

v1v2 - Enable/disable V1/V2 access

cur - Display current SNMPv3 configuration

SNMPv3 Configuration Menu Options (/cfg/sys/ssnmp/snmpv3)

Command Syntax and Usage

usm <usmUser number [1-16]>

This command allows you to create a user security model (USM) entry for an authorized user. You can also configure this entry through SNMP. To view menu options, see "/cfg/sys/ssnmp/snmpv3/usm User Security Model Configuration Menu" (page 236).

view <vacmViewTreeFamily number [1-128]>

This command allows you to create different MIB views. To view menu options, see "cfg/sys/ssnmp/snmpv3/view SNMPv3 View Configuration Menu" (page 237).

access <vacmAccess number [1-32]>

This command allows you to specify access rights. The View-based Access Control Model defines a set of services that an application can use for checking access rights of the user. You need access control when you have to process retrieval or modification request from an SNMP entity. To view menu options, see "/cfg/sys/ssnmp/snmpv3/access View-based Access Control Model Configuration Menu" (page 238).

group <vacmSecurityToGroup number [1-16]>

A group maps the user name to the access group names and their access rights needed to access SNMP management objects. A group defines the access rights assigned to all names that belong to a particular group. To view menu options, see "/cfg/sys/ssnmp/snmpv3/group SNMPv3 Group Configuration Menu" (page 240).

comm <snmpCommunity number [1-16]>

The community table contains objects for mapping community strings and version-independent SNMP message parameters. To view menu options, see "/cfg/sys/ssnmp/snmpv3/comm SNMPv3 Community Table Configuration Menu" (page 240).

taddr <snmpTargetAddr number [1-16]>

Page 236: 24.0.0 Command Reference

This command allows you to configure destination information, consisting of a transport domain and a transport address. This is also termed as transport endpoint. The SNMP MIB provides a mechanism for performing source address validation on incoming requests, and for selecting community strings based on target addresses for outgoing notifications. To view menu options, see "/cfg/sys/ssnmp/snmpv3/taddr SNMPv3 Target Address Table Configuration Menu" (page 241).

tparam <target params index [1-16]>

This command allows you to configure SNMP parameters, consisting of message processing model, security model, security level, and security name information. There may be multiple transport endpoints associated with a particular set of SNMP parameters, or a particular transport endpoint may be associated with several sets of SNMP parameters. To view menu options, see "/cfg/sys/ssnmp/snmpv3/tparam SNMPv3 Target Parameters Table Configuration Menu" (page 242).

notify <notify index [1-16]>

A notification application typically monitors a system for particular events or conditions, and generates Notification-Class messages based on these events or conditions. To view menu options, see "/cfg/sys/ssnmp/snmpv3/notify SNMPv3 Notify Table Configuration Menu" (page 244).

v1v2 disable|enable

This command allows you to enable or disable the access to SNMP version 1 and version 2. This command is enabled by default.

cur

Displays the current SNMPv3 configuration.

/cfg/sys/ssnmp/snmpv3/usm User Security Model Configuration Menu

You can make use of a defined set of user identities using this Security Model. An SNMP engine must have the knowledge of applicable attributes of a user.

This menu helps you create a user security model entry for an authorized user. You need to provide a security name to create the USM entry.

[SNMPv3 usmUser 1 Menu]

name - Set USM user name

auth - Set authentication protocol

authpw - Set authentication password

priv - Set privacy protocol

privpw - Set privacy password

del - Delete usmUser entry

cur - Display current usmUser configuration

Page 237: 24.0.0 Command Reference

User Security Model Configuration Menu Options (/cfg/sys/ssnmp/snmpv3/usm)

Command Syntax and Usage

name <32 character name>

This command allows you to configure a string up to 32 characters long that represents the name of the user. This is the login name that you need in order to access the switch.

auth md5|sha|none

This command allows you to select the authentication protocol, either HMAC-MD5-96 or HMAC-SHA-96. The default algorithm is none.

authpw

If you selected an authentication algorithm using the above command, you need to provide a password, otherwise you will get an error message during validation. This command allows you to create or change your password for authentication.

priv des|none

This command allows you to configure the type of privacy protocol on your switch. The privacy protocol protects messages from disclosure. The options are des (CBC-DES Symmetric Encryption Protocol) or none. If you specify des as the privacy protocol, then make sure that you have selected one of the authentication protocols (MD5 or HMAC-SHA-96). If you select none as the authentication protocol, you will get an error message.

privpw

This command allows you to create or change the privacy password.

del

Deletes the USM user entries.

cur

Displays the USM user entries.
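A hardening check over the settings documented in the RADIUS, TACACS+, SNMP and USM menus above, given as an added example (it is not Nortel code). It reads a configuration listing and flags values to review, applying the defaults this reference states when a setting is absent. The listing layout (a menu path line followed by `command value` lines) and all sample values are assumptions constructed for illustration.

```python
# Added example: audit a configuration listing against settings this reference
# documents. The listing layout is an assumption, not the switch's dump format.

# (menu, command, default stated in this reference or None, flagged values, reason)
RULES = [
    ("/cfg/sys/ssnmp", "rcomm", "public", {"public"}, "default read community string"),
    ("/cfg/sys/ssnmp", "wcomm", "private", {"private"}, "default write community string"),
    ("/cfg/sys/ssnmp/snmpv3", "v1v2", "enable", {"enable"}, "SNMPv1/v2 access enabled"),
    ("/cfg/sys/radius", "telnet", None, {"enable"}, "RADIUS back door for telnet enabled"),
    ("/cfg/sys/radius", "secbd", None, {"enable"}, "RADIUS secure back door enabled"),
    ("/cfg/sys/tacacs", "telnet", None, {"enable"}, "TACACS+ back door for telnet enabled"),
    ("/cfg/sys/tacacs", "secbd", None, {"enable"}, "TACACS+ secure back door enabled"),
]
USM_MENU = "/cfg/sys/ssnmp/snmpv3/usm "   # followed by the usmUser number
USM_RULES = [
    ("auth", "none", {"none"}, "USM user has no authentication protocol"),
    ("priv", None, {"none"}, "USM user has no privacy protocol"),
]


def parse_listing(text):
    """Return {menu path: {command: value}} from the assumed listing layout."""
    menus, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/cfg/"):
            current = menus.setdefault(line, {})
        elif current is not None:
            cmd, _, value = line.partition(" ")
            current[cmd] = value.strip().strip('"')
    return menus


def audit(text):
    """Return a list of (menu, command, value, reason) findings."""
    menus = parse_listing(text)
    findings = []

    def check(menu, cmd, default, flagged, reason):
        explicit = menus.get(menu, {}).get(cmd)
        value = explicit if explicit is not None else default
        if value in flagged:
            origin = "set" if explicit is not None else "default in effect"
            findings.append((menu, cmd, value, f"{reason} ({origin})"))

    for rule in RULES:
        check(*rule)
    for menu in sorted(menus):
        if menu.startswith(USM_MENU):
            for cmd, default, flagged, reason in USM_RULES:
                check(menu, cmd, default, flagged, reason)
    return findings


# Constructed sample listing (addresses are documentation-range placeholders).
SAMPLE = """
/cfg/sys/radius
prisrv 192.0.2.10
telnet enable
on
/cfg/sys/ssnmp
rcomm "netops-ro"
/cfg/sys/ssnmp/snmpv3
v1v2 disable
/cfg/sys/ssnmp/snmpv3/usm 1
name ops
/cfg/sys/ssnmp/snmpv3/usm 2
name backup
auth sha
priv none
"""

if __name__ == "__main__":
    for menu, cmd, value, reason in audit(SAMPLE):
        print(f"{menu}: {cmd} {value} -> {reason}")
```

The write community string is reported even though the sample never sets it, because the documented default (private) is then in effect.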

cfg/sys/ssnmp/snmpv3/view SNMPv3 View Configuration Menu

Page 238: 24.0.0 Command Reference

SNMPv3 View Menu Options (/cfg/sys/ssnmp/snmpv3/view)

Command Syntax and Usage

name <32 character name>

This command defines the name for a family of view subtrees up to a maximum of 32 characters.

tree <object identifier, such as .1.3.6.1.2.1.1.1.0, max 32 characters>

This command defines MIB tree, a string of maximum 32 characters, which when combined with the corresponding mask defines a family of view subtrees.

mask <bitmask, max size 32 characters>

This command defines the bit mask, which in combination with the corresponding tree defines a family of view subtrees.

type included|excluded

This command indicates whether the corresponding instances of vacmViewTreeFamilySubtree and vacmViewTreeFamilyMask define a family of view subtrees, which is included in or excluded from the MIB view.

del

Deletes the vacmViewTreeFamily group entry.

cur

Displays the current vacmViewTreeFamily configuration.

/cfg/sys/ssnmp/snmpv3/access View-based Access Control Model Configuration Menu

The view-based Access Control Model defines a set of services that an application can use for checking access rights of the user. Access control is needed when the user has to process SNMP retrieval or modification request from an SNMP entity.

[SNMPv3 vacmAccess 1 Menu]

name - Set group name

prefix - Set content prefix

model - Set security model

level - Set minimum level of security

match - Set prefix only or exact match

rview - Set read view index

wview - Set write view index

nview - Set notify view index

del - Delete vacmAccess entry

cur - Display current vacmAccess configuration

Page 239: 24.0.0 Command Reference

View-based Access Control Model Menu Options (/cfg/sys/ssnmp/snmpv3/access)

Command Syntax and Usage

name <32 character name>

Defines the name of the group.

prefix <32 character name>

Defines the name of the context. An SNMP context is a collection of management information that an SNMP entity can access. An SNMP entity has access to many contexts. For more information on naming the management information, see RFC 2571, the SNMP Architecture document. The view-based Access Control Model defines a table that lists the locally available contexts by contextName.

model usm|snmpv1|snmpv2

Allows you to select the security model to be used.

level noAuthNoPriv|authNoPriv|authPriv

Defines the minimum level of security required to gain access rights. The level noAuthNoPriv means that the SNMP message will be sent without authentication and without using a privacy protocol. The level authNoPriv means that the SNMP message will be sent with authentication but without using a privacy protocol. The level authPriv means that the SNMP message will be sent both with authentication and using a privacy protocol.

match exact|prefix

If the value is set to exact, then all the rows whose contextName exactly matches the prefix are selected. If the value is set to prefix, then all the rows where the starting octets of the contextName exactly match the prefix are selected.

rview <32 character view name>

This is a 32 character long read view name that allows you read access to a particular MIB view. If the value is empty or if there is no active MIB view having this value then no access is granted.

wview <32 character view name>

This is a 32 character long write view name that allows you write access to the MIB view. If the value is empty or if there is no active MIB view having this value then no access is granted.

nview <32 character view name>

This is a 32 character long notify view name that allows you notify access to the MIB view.

del

Deletes the View-based Access Control entry.

Page 240: 24.0.0 Command Reference

cur

Displays the View-based Access Control configuration.

/cfg/sys/ssnmp/snmpv3/group SNMPv3 Group Configuration Menu

[SNMPv3 vacmSecurityToGroup 1 Menu]

model - Set security model

uname - Set USM user name

gname - Set group gname

del - Delete vacmSecurityToGroup entry

cur - Display current vacmSecurityToGroup configuration

SNMPv3 Group Menu Options (/cfg/sys/ssnmp/snmpv3/group)

Command Syntax and Usage

model usm|snmpv1|snmpv2

Defines the security model.

uname <32 character name>

Sets the user name as defined in /cfg/sys/ssnmp/snmpv3/usm/name on "/cfg/sys/ssnmp/snmpv3/usm User Security Model Configuration Menu" (page 236).

gname <32 character name>

The name for the access group as defined in /cfg/sys/ssnmp/snmpv3/access/name on "/cfg/sys/ssnmp/snmpv3/access View-based Access Control Model Configuration Menu" (page 238).

del

Deletes the vacmSecurityToGroup entry.

cur

Displays the current vacmSecurityToGroup configuration.
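How the view, access and group tables described above combine into one access decision, as an added example that follows the View-based Access Control Model of RFC 3415 (it is not the switch's implementation). It generalizes the menu text to the full decision: group lookup, access-entry selection by level and context match, then the tree/mask family test. All table rows are constructed, and the mask is taken as a hex string, which is an assumption about input syntax.

```python
# Added example: VACM access decision (RFC 3415) over the tables that the
# group, access and view menus populate. All table rows are constructed.

LEVELS = {"noAuthNoPriv": 1, "authNoPriv": 2, "authPriv": 3}
VIEW_FIELD = {"read": "rview", "write": "wview", "notify": "nview"}


def parse_oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))


def mask_bits(mask_hex, length):
    """One bit per sub-identifier, most significant bit first. A mask that is
    too short is extended with 1s. Hex input is an assumption of this example."""
    bits = []
    for byte in bytes.fromhex(mask_hex):
        bits.extend((byte >> shift) & 1 for shift in range(7, -1, -1))
    bits.extend([1] * (length - len(bits)))
    return bits[:length]


def in_family(oid, tree, mask_hex):
    """True when oid is in the family: each sub-identifier of tree whose mask
    bit is 1 must match exactly; a 0 bit is a wildcard."""
    if len(oid) < len(tree):
        return False
    bits = mask_bits(mask_hex, len(tree))
    return all(bit == 0 or a == b for bit, a, b in zip(bits, oid, tree))


def view_allows(views, view_name, oid):
    """Among matching families the longest tree wins (ties: greater tree);
    its type decides. No matching family means the object is not in the view."""
    best = None
    for row in views:
        if row["name"] != view_name:
            continue
        tree = parse_oid(row["tree"])
        if in_family(oid, tree, row["mask"]):
            key = (len(tree), tree)
            if best is None or key > best[0]:
                best = (key, row["type"])
    return best is not None and best[1] == "included"


def select_access(access, gname, model, level, context):
    """Pick the access row: exact context beats prefix, then the longest
    prefix, then the highest minimum level. Rows above `level` never match."""
    candidates = []
    for row in access:
        if row["name"] != gname or row["model"] != model:
            continue
        if LEVELS[level] < LEVELS[row["level"]]:
            continue
        if row["match"] == "exact":
            matched = row["prefix"] == context
        else:
            matched = context.startswith(row["prefix"])
        if matched:
            key = (row["prefix"] == context, len(row["prefix"]), LEVELS[row["level"]])
            candidates.append((key, row))
    return max(candidates, key=lambda c: c[0])[1] if candidates else None


def is_access_allowed(tables, model, uname, level, view_type, context, oid_text):
    group = next((g["gname"] for g in tables["group"]
                  if g["model"] == model and g["uname"] == uname), None)
    if group is None:
        return "noGroupName"
    entry = select_access(tables["access"], group, model, level, context)
    if entry is None:
        return "noAccessEntry"
    view_name = entry[VIEW_FIELD[view_type]]
    if not view_name:
        return "noSuchView"
    if not view_allows(tables["view"], view_name, parse_oid(oid_text)):
        return "notInView"
    return "accessAllowed"


TABLES = {  # constructed rows, named after the menu commands
    "group": [{"model": "usm", "uname": "ops", "gname": "monitors"}],
    "access": [{"name": "monitors", "prefix": "", "model": "usm",
                "level": "authNoPriv", "match": "exact",
                "rview": "sysonly", "wview": "", "nview": ""}],
    "view": [
        {"name": "sysonly", "tree": "1.3.6.1.2.1.1", "mask": "", "type": "included"},
        # Carve sysContact (1.3.6.1.2.1.1.4) back out of the system group.
        {"name": "sysonly", "tree": "1.3.6.1.2.1.1.4", "mask": "", "type": "excluded"},
        # Mask ffa0 wildcards the column: every ifEntry column, ifIndex 3 only.
        {"name": "sysonly", "tree": "1.3.6.1.2.1.2.2.1.0.3", "mask": "ffa0",
         "type": "included"},
    ],
}

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.4.0", "1.3.6.1.2.1.2.2.1.2.4"):
        print(oid, is_access_allowed(TABLES, "usm", "ops", "authNoPriv", "read", "", oid))
```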

/cfg/sys/ssnmp/snmpv3/comm SNMPv3 Community Table Configuration Menu

This command is used for configuring the community table entry. The configured entry is stored in the community table list in the SNMP engine. This table is used to configure community strings in the Local Configuration Datastore (LCD) of SNMP engine.

Page 241: 24.0.0 Command Reference

[SNMPv3 snmpCommunityTable 1 Menu]

index - Set community index

name - Set community string

uname - Set USM user name

tag - Set community tag

del - Delete communityTable entry

cur - Display current communityTable configuration

SNMPv3 Community Table Configuration Menu Options (/cfg/sys/ssnmp/snmpv3/comm)

Command Syntax and Usage

index <32 character name>

Allows you to configure the unique index value of a row in this table consisting of 32 characters maximum.

name <32 character name>

Defines the user name as defined in /cfg/sys/ssnmp/snmpv3/usm/name on "/cfg/sys/ssnmp/snmpv3/usm User Security Model Configuration Menu" (page 236).

uname <32 character name>

Defines a readable 32 character long string that represents the corresponding value of an SNMP community name in a security model.

tag <list of tag string, max 255 characters>

Allows you to configure a tag of up to 255 characters maximum. This tag specifies a set of transport endpoints to which a command responder application sends an SNMP trap.

del

Deletes the community table entry.

cur

Displays the community table configuration.

/cfg/sys/ssnmp/snmpv3/taddr SNMPv3 Target Address Table Configuration Menu

This command is used to configure the target transport entry. The configured entry is stored in the target address table list in the SNMP engine. This table of transport addresses is used in the generation of SNMP messages.

[SNMPv3 snmpTargetAddrTable 1 Menu]

name - Set target address name

addr - Set target transport address IP

port - Set target transport address port

Page 242: 24.0.0 Command Reference

taglist - Set tag list

pname - Set targetParams name

feature - Enable/disable traps for selected features

del - Delete targetAddrTable entry

cur - Display current targetAddrTable configuration

Target Address Table Menu Options (/cfg/sys/ssnmp/snmpv3/taddr)

Command Syntax and Usage

name <32 character name>

Allows you to configure the locally arbitrary, but unique identifier, target address name associated with this entry.

addr <transport address ip>

Allows you to configure a transport address IP that can be used in the generation of SNMP traps.

port <transport address port>

Allows you to configure a transport address port that can be used in the generation of SNMP traps.

taglist <list of tag string, max 255 characters>

Allows you to configure a list of tags that are used to select target addresses for a particular operation.

pname <32 character name>

Defines the name as defined in /cfg/sys/ssnmp/snmpv3/tparam/name on "/cfg/sys/ssnmp/snmpv3/tparam SNMPv3 Target Parameters Table Configuration Menu" (page 242).

feature <feature|all> <enable|disable>

Configures the list of features for which trap messages should be generated. You can choose to enable/disable specific features (such as vlans, gslb, slb, filter, and so on), or enable/disable traps on all available features for this specific target. By default, all features are enabled.

del

Deletes the Target Address Table entry.

cur

Displays the current Target Address Table configuration.

/cfg/sys/ssnmp/snmpv3/tparam

Page 243: 24.0.0 Command Reference

SNMPv3 Target Parameters Table Configuration Menu

You can configure the target parameters entry and store it in the target parameters table in the SNMP engine. This table contains parameters that are used to generate a message. The parameters include the message processing model (for example: SNMPv3, SNMPv2c, SNMPv1), the security model (for example: USM), the security name, and the security level (noAuthNoPriv, authNoPriv, or authPriv).

[SNMPv3 snmpTargetParamsTable 1 Menu]

name - Set target params name

mpmodel - Set message processing model

model - Set security model

uname - Set USM user name

level - Set minimum level of security

del - Delete targetParamsTable entry

cur - Display current targetParamsTable configuration

Target Parameters Table Configuration Menu Options (/cfg/sys/ssnmp/snmpv3/tparam)

Command Syntax and Usage

name <32 character name>

Allows you to configure the locally arbitrary but unique identifier that is associated with this entry.

mpmodel snmpv3|snmpv1|snmpv2c

Allows you to configure the message processing model that is used to generate SNMP messages.

model usm|snmpv1|snmpv2

Allows you to select the security model to be used when generating the SNMP messages.

uname <32 character name>

Defines the name that identifies the user in the USM table ("/cfg/sys/ssnmp/snmpv3/usm User Security Model Configuration Menu" (page 236)) on whose behalf the SNMP messages are generated using this entry.

level noAuthNoPriv|authNoPriv|authPriv

Allows you to select the level of security to be used when generating the SNMP messages using this entry. The level noAuthNoPriv means that the SNMP message will be sent without authentication and without using a privacy protocol. The level authNoPriv means that the SNMP message will be sent with authentication but without using a privacy protocol. The level authPriv means that the SNMP message will be sent both with authentication and using a privacy protocol.

del

Page 244: 24.0.0 Command Reference

Deletes the targetParamsTable entry.

cur

Displays the current targetParamsTable configuration.

/cfg/sys/ssnmp/snmpv3/notify

SNMPv3 Notify Table Configuration Menu

SNMPv3 uses Notification Originator to send out traps. A notification typically monitors a system for particular events or conditions, and generates Notification-Class messages based on these events or conditions.

[SNMPv3 snmpNotifyTable 1 Menu]

name - Set notify name

tag - Set notify tag

del - Delete notifyTable entry

cur - Display current notifyTable configuration

Notify Table Menu Options (/cfg/sys/ssnmp/snmpv3/notify)

Command Syntax and Usage

name <32 character name>

Defines a locally arbitrary but unique identifier associated with this SNMP notify entry.

tag <list of tag string, max 255 characters>

Allows you to configure a tag of up to 255 characters that is used to select entries in the Target Address Table. Any entry in the snmpTargetAddrTable that matches the value of this tag is selected.

del

Deletes the notify table entry.

cur

Displays the current notify table configuration.
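The notify, taddr and tparam tables above are linked only by name: a notify tag selects taddr entries through their taglist, and each taddr entry points at a tparam entry through pname. The following is an added example, not part of the Nortel manual, that models the three tables in Python to list where traps would go and to flag destinations that would receive them below authPriv. The entry names, addresses and the whitespace-separated taglist format are assumptions made for the sample.

```python
from dataclasses import dataclass

# Security levels from the tparam "level" command, weakest first.
LEVEL_RANK = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


@dataclass(frozen=True)
class Notify:            # one /cfg/sys/ssnmp/snmpv3/notify entry
    name: str
    tag: str


@dataclass(frozen=True)
class TargetAddr:        # one /cfg/sys/ssnmp/snmpv3/taddr entry
    name: str
    addr: str
    port: int
    taglist: str         # assumption: tags are separated by whitespace
    pname: str


@dataclass(frozen=True)
class TargetParams:      # one /cfg/sys/ssnmp/snmpv3/tparam entry
    name: str
    mpmodel: str         # snmpv3 | snmpv1 | snmpv2c
    model: str           # usm | snmpv1 | snmpv2
    uname: str
    level: str           # noAuthNoPriv | authNoPriv | authPriv


def resolve_trap_targets(notifies, taddrs, tparams):
    """Follow notify tag -> taddr taglist -> tparam name for every notify entry.

    Returns (resolved, problems). resolved holds
    (notify name, addr, port, mpmodel, uname, level) tuples; problems lists
    broken links that leave a trap without a usable destination.
    """
    params_by_name = {p.name: p for p in tparams}
    resolved, problems = [], []
    for n in notifies:
        matched = [t for t in taddrs if n.tag in t.taglist.split()]
        if not matched:
            problems.append(f"notify {n.name}: tag '{n.tag}' selects no taddr entry")
        for t in matched:
            p = params_by_name.get(t.pname)
            if p is None:
                problems.append(f"taddr {t.name}: pname '{t.pname}' has no tparam entry")
                continue
            resolved.append((n.name, t.addr, t.port, p.mpmodel, p.uname, p.level))
    return resolved, problems


def weak_targets(resolved, minimum="authPriv"):
    """Return destinations whose traps are sent below the required level.

    SNMPv1 and SNMPv2c message processing offers neither authentication nor
    privacy, so any non-snmpv3 target is reported regardless of its level.
    """
    floor = LEVEL_RANK[minimum]
    return [r for r in resolved
            if r[3] != "snmpv3" or LEVEL_RANK[r[5]] < floor]


# Constructed sample configuration (documentation addresses, made-up names).
NOTIFIES = [Notify("all-traps", "traps"), Notify("dr-site", "dr")]
TADDRS = [
    TargetAddr("nms-a", "192.0.2.10", 162, "traps", "v3-priv"),
    TargetAddr("nms-b", "192.0.2.20", 162, "traps legacy", "v2c-legacy"),
    TargetAddr("nms-c", "192.0.2.30", 162, "traps", "v3-typo"),
]
TPARAMS = [
    TargetParams("v3-priv", "snmpv3", "usm", "trapuser", "authPriv"),
    TargetParams("v2c-legacy", "snmpv2c", "snmpv2", "trapv2", "noAuthNoPriv"),
]

if __name__ == "__main__":
    resolved, problems = resolve_trap_targets(NOTIFIES, TADDRS, TPARAMS)
    for row in resolved:
        print("trap ->", row)
    for row in weak_targets(resolved):
        print("WEAK  ", row)
    for msg in problems:
        print("BROKEN", msg)
```
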

/cfg/sys/health

System Health Check Configuration Menu

[System TCP Health Menu]

add - Add TCP services to listen for health check

rem - Remove TCP services from listening

on - Turn system TCP health services ON

off - Turn system TCP health services OFF

cur - Display current TCP health services configuration

Page 245: 24.0.0 Command Reference

System Health Check Configuration Menu Options (/cfg/sys/health)

Command Syntax and Usage

add <TCP port (2-65534)>

Adds TCP services to listen to the health checks. Specify a TCP service port number, such as 80 for HTTP.

rem <TCP port (2-65534)>

Removes TCP services that were added for listening to health checks. Specify a TCP service port number, such as 80 for HTTP.

on

Turns on the TCP health check services.

off

Turns off the TCP health check services.

cur

Displays the current TCP health check services configuration.

/cfg/sys/access

System Access Control Configuration

[System Access Menu]

mgmt - Management Network Access Menu

port - Port Management Access Menu

user - User Access Control Menu (passwords)

https - HTTPS (Web) Server Access Menu

sshd - SSH Server Menu

xml - XML Configuration Access Menu

http - Enable/disable HTTP (Web) server access

wport - Set HTTP (Web) server port number

snmp - Set SNMP access control

tnport - Set Telnet server port number

rlimit - Set max rate of ARP, BPDU, ICMP, TCP, or UDP packets to MP

cur - Display current system access configuration

System Access Configuration Menu Options (/cfg/sys/access)

Command Syntax and Usage

mgmt

Displays the Management Configuration Menu. To view menu options, see "/cfg/sys/access/mgmt Management Networks Menu" (page 246).

port

Displays the Port Management Access Menu. To view menu options, see "/cfg/sys/access/port Port Management Access Menu" (page 247).

Page 246: 24.0.0 Command Reference

user

Displays the User Access Control Menu. To view menu options, see "/cfg/sys/access/port Port Management Access Menu" (page 247).

https

Displays HTTPS Server Access Menu. To view menu options, see "/cfg/sys/access/https HTTPS Access Configuration Menu" (page 251).

http disable|enable

Enables or disables HTTP (Web) access to the browser-based interface. It is disabled by default.

wport <TCP port number (1-65535)>

Sets the switch port used for serving switch Web content. The default is HTTP port 80. If Global Server Load Balancing is to be used, set this to a different port (such as 8080).

snmp disable|read-only|read-write

Sets the SNMP user access level to either disabled, read-only, or read-write.

tnet

Enables or disables Telnet access to the switch. This command is disabled by default. You will see this command only if you are connected to the switch through the console port.

tnport <TCP port number>

Sets the TCP port number on which the Telnet server listens for Telnet sessions. This is an optional Telnet server port number for cases where the server listens for Telnet sessions on a non-standard port.

rlimit <arp|bpdu|icmp|tcp|udp max rate, 0-65535 (pkts/sec)>

Sets switch-wide rate limiting on traffic entering the switch over ARP, BPDU, ICMP, TCP, or UDP protocols. Specify which protocol you wish to limit. Then specify the maximum rate, which is the maximum number of packets per second that is allowed to enter the switch.

Note: It is highly recommended that the rate is left with the factory default value of 20 BPDU packets for each port and for every second.

cur

Displays the current configuration.

/cfg/sys/access/mgmt

Page 247: 24.0.0 Command Reference

Management Networks Menu

This menu is used to define IP address ranges which are allowed to access the switch for management purposes. Nortel Application Switch Operating System 24.0 supports up to 128 management networks.

Note: The add and rem commands below replace the /cfg/sys/mnet and /cfg/sys/mmask commands found in earlier releases of Nortel Application Switch Operating System.

[Management Networks Menu]

add - Add management network

rem - Remove management network

arem - Remove all management networks

cur - Display current management networks

Management Network Menu Options (/cfg/sys/access/mgmt)

Command Syntax and Usage

add mgmt_network_address mgmt_network_mask management_access_protocol

Adds a defined network from which switch access is allowed through Telnet, SNMP, SSH, HTTP, or HTTPS. You can select all or any of these protocols. To add all of these protocol types to the specified network, select the option "all".

rem mgmt_network_address mgmt_network_mask management_access_protocol

Removes the specified Management network address, Management network mask and Management access protocol.

arem

Removes all the configured management networks at once.

cur

Displays the current configuration.
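Because each add entry pairs a network and mask with a protocol, a planned list can be reviewed offline before it is entered on the switch. The following is an added example, not part of the Nortel manual, that parses add lines, answers whether a source address would be admitted for a protocol, and flags broad networks and entries that admit unencrypted Telnet or HTTP. The lowercase protocol keywords, the address-and-mask matching rule and the sample networks are assumptions, and the check only models a list with at least one entry.

```python
import ipaddress

# Protocol keywords are assumed spellings of the protocols the page lists.
PROTOCOLS = {"telnet", "snmp", "ssh", "http", "https"}
UNENCRYPTED = {"telnet", "http"}
MAX_NETWORKS = 128       # limit stated for release 24.0


def parse_mgmt_networks(lines):
    """Parse 'add <address> <mask> <protocol|all>' lines into (network, protocols)."""
    entries = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or fields[0] != "add":
            raise ValueError(f"not an add line: {line!r}")
        _, address, mask, protocol = fields
        # ip_network rejects non-contiguous masks; strict=False tolerates
        # host bits set in the address.
        network = ipaddress.ip_network(f"{address}/{mask}", strict=False)
        protocol = protocol.lower()
        if protocol == "all":
            protocols = frozenset(PROTOCOLS)
        elif protocol in PROTOCOLS:
            protocols = frozenset({protocol})
        else:
            raise ValueError(f"unknown protocol in {line!r}")
        entries.append((network, protocols))
    if len(entries) > MAX_NETWORKS:
        raise ValueError(f"{len(entries)} entries exceed the {MAX_NETWORKS} supported")
    return entries


def is_allowed(entries, source_ip, protocol):
    """True if any entry covers source_ip and lists the protocol."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in network and protocol in protocols
               for network, protocols in entries)


def audit(entries, max_addresses=256):
    """Flag entries wider than max_addresses or admitting unencrypted protocols."""
    findings = []
    for network, protocols in entries:
        if network.num_addresses > max_addresses:
            findings.append((str(network), "broad"))
        exposed = sorted(protocols & UNENCRYPTED)
        if exposed:
            findings.append((str(network), "unencrypted:" + ",".join(exposed)))
    return findings


# Constructed sample list (private address space, made up for the example).
SAMPLE = [
    "add 10.20.30.0 255.255.255.0 ssh",
    "add 10.20.30.0 255.255.255.0 https",
    "add 10.0.0.0 255.0.0.0 snmp",
    "add 172.16.0.0 255.240.0.0 all",
]

if __name__ == "__main__":
    entries = parse_mgmt_networks(SAMPLE)
    print(is_allowed(entries, "10.20.30.7", "ssh"))
    for finding in audit(entries):
        print(finding)
```
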

/cfg/sys/access/port

Port Management Access Menu

[Port Management Access Menu]

add - Add port with management access

aadd - Add all ports with management access

rem - Remove port from management access

arem - Remove all ports from management access

cur - Display current ports with management access

Page 248: 24.0.0 Command Reference

Port Management Access Menu Options

Command Syntax and Usage

add <port_number>

Add a port with management access.

aadd

Add all ports with management access.

rem <port_number>

Remove a port from management access.

arem

Remove all ports from management access.

cur

Displays the port numbers that currently have management access.

/cfg/sys/access/user

User Access Control Menu

uid - User ID Menu

usrpw - Set user password (user)

sopw - Set SLB operator password (slboper)

l4opw - Set L4 operator password (l4oper)

opw - Set operator password (oper)

sapw - Set Slb administrator password (slbadmin)

l4apw - Set L4 administrator password (l4admin)

admpw - Set administrator password (admin)

cur - Display current user status

Note: Passwords can be a maximum of 15 characters.

User Access Control Menu Options (/cfg/sys/access/user)

Command Syntax and Usage

uid <User ID, 1-10>

Displays the User ID Menu. To view menu options, see "/cfg/sys/access/user/uid System User ID Configuration Menu" (page 250).

usrpw

Sets the user (user) password. The user has no direct responsibility for switch management. He or she can view switch status information and statistics, but cannot make any configuration changes.

sopw

Page 249: 24.0.0 Command Reference

Sets the SLB operator (slboper) password. The SLB operator manages Web servers and other Internet services and their loads. He or she can view all switch information and statistics and can enable/disable servers using the Server Load Balancing configuration menus.

Access includes "user" functions.

l4opw

Sets the Layer 4 operator (l4oper) password. The Layer 4 operator manages traffic on the lines leading to the shared Internet services. He or she can view all switch information and statistics.

Access includes "slboper" functions.

opw

Sets the operator (oper) password. The operator password can have a maximum of 15 characters. The operator manages all functions of the switch. He or she can view all switch information and statistics and can reset ports or the entire switch.

Access includes "l4oper" functions.

sapw

Sets the SLB administrator (slbadmin) password. The SLB administrator configures and manages Web servers and other Internet services and their loads. He or she can view all switch information and statistics, but can configure changes only on the Server Load Balancing menus. Note that the Filter Menu options are not accessible to the SLB administrator.

Access includes "l4oper" functions.

l4apw

Sets the Layer 4 administrator (l4admin) password. The Layer 4 administrator configures and manages traffic on the lines leading to the shared Internet services. He or she can view all switch information and statistics and can configure parameters on the Server Load Balancing menus, with the exception of not being able to configure filters.

Access includes "slbadmin" functions.

admpw

Page 250: 24.0.0 Command Reference

Sets the administrator (admin) password. The super user administrator has complete access to all menus, information, and configuration commands on the Nortel Application Switch, including the ability to change both the user and administrator passwords.

Access includes "oper" and "l4admin" functions.

cur

Displays the current user status.

/cfg/sys/access/user/uid

System User ID Configuration Menu

This feature allows the users to operate the real servers assigned to them. Using this command you can list the current status of the real server including the real server number, the real server name, the operational state of the real server, and the number of current sessions. You can enable or disable the real servers and change the password for accessing these real servers.

[User ID 1 Menu]

cos - Set class of service

name - Set user name

pswd - Set user password

add - Add real server

rem - Remove real server

ena - Enable user ID

dis - Disable user ID

del - Delete user ID

cur - Display current user configuration

User ID Configuration Menu Options (/cfg/sys/access/user/uid)

Command Syntax and Usage

cos <user|slboper|l4oper|oper|slbadmin|l4admin|admin>

Sets the Class-of-Service to define the user’s authority level. Nortel Application Switch Operating System defines these levels as: User, SLB Operator, Layer 4 Operator, Operator, SLB Administrator, and Administrator, with User being the most restricted level.

name <8 char max>

Defines the user name, up to eight characters.

pswd <15 char max>

Sets the user password, up to 15 characters.

add <real server number, 1-1023>

Page 251: 24.0.0 Command Reference

Assigns a real server access to this user.

rem <real server number, 1-1023>

Removes a real server access from this user.

ena

Enables the user ID.

dis

Disables the user ID.

del

Deletes the user ID.

cur

Displays the current user ID configuration.

/cfg/sys/access/https

HTTPS Access Configuration Menu

[https Menu]

https - Enable/Disable HTTPS Web access

port - HTTPS WebServer port number

generate - Generate self-signed HTTPS server certificate

certSave - Save HTTPS certificate

cur - Display current SSL Web Access configuration

HTTPS Access Configuration Menu Options (/cfg/sys/access/https)

Command Syntax and Usage

https

Enables or disables BBI access (Web access) using HTTPS.

port <TCP port number>

Defines the HTTPS Web server port number.

generate

Page 252: 24.0.0 Command Reference

Allows you to generate a certificate to connect to the SSL to be used during the key exchange. A default certificate is created when HTTPS is enabled for the first time. The user can create a new certificate defining the information that they want to be used in the various fields. For example:

• Country Name (2 letter code) [ ]: CA

• State or Province Name (full name) []: Ontario

• Locality Name (for example, city) []: Ottawa

• Organization Name (for example, company) []: Nortel Networks

• Organizational Unit Name (for example, section) []: Alteon

• Common Name (for example, user’s name) []: Mr Smith

• Email (for example, email address) []: [email protected]

You will be asked to confirm if you want to generate the certificate. It will take approximately 30 seconds to generate the certificate. Then the switch will restart the SSL agent.

certSave

Allows the client, or the Web browser, to accept the certificate and save the certificate to Flash to be used when the switch is rebooted.

cur

Displays the current SSL Web Access configuration.

/cfg/sys/access/sshd

SSH Server Menu

[SSH Server Menu]

sshport - Set SSH server port number

sshv1 - Enable ssh v1 support

ena - Enable SCP apply and save

on - Turn SSH server ON (SSHv1/SSHv2)

cur - Display current SSH server configuration

SSH Server Menu Options

Command Syntax and Usage

sshport <TCP_port_number>

Set the server port number.

sshv1 enable | disable

Page 253: 24.0.0 Command Reference

Enables or disables SSH version 1 support.

ena

Sets the SCP apply and save.

on

Set the SSH server to on.

cur

Display the current SSH server configuration.

Console Port-only commands

The /cfg/sys/access/sshd menu contains four commands that are only accessible if connected to the switch through the console port. These commands are as follows:

SSH Server Menu Console Port-only commands

Command Syntax and Usage

hkeygen

Generates an RSA host key.

skeygen

Generates an RSA server key.

interval <0 - 24>

Sets the interval in hours at which the RSA server key is regenerated.

scpadmin

Enables the usage of the SCP administrator password.

/cfg/sys/access/xml

XML Configuration Access Menu

[XML Config Access Menu]

xml - Enable/disable XML config access

port - Set XML server port number

gtcert - Import XML client certificate

delcert - Delete XML client certificate

dispcert - Display XML client certificate

debug - Debug XML operations

cur - Display current XML config access configuration

Page 254: 24.0.0 Command Reference

XML Configuration Menu Options

Command Syntax and Usage

xml

Enable or disable XML access. For an example, see "/cfg/sys/access/xml/xml Example of enabling or disabling XML access" (page 254).

port <TCP_port_number>

Set the XML server port number.

gtcert

Import an XML client certificate.

Enter hostname or IP address of FTP/TFTP server:
Enter name of file on FTP/TFTP server:
Enter username for FTP server or hit return for TFTP server:

delcert

Delete XML client certificate.

Current XML client certificate has been deleted from FLASH

dispcert

Display the current XML certificate.

debug

Toggle Debug mode on or off. Enabling XML debugging causes all commands in the XML file to be echoed to the Console and prefaces each one with running XML cmd: or Invalid XML cmd:. All responses to the commands will also be output to the Console.

Current XML debug: enabled
Enter new XML debug [d/e]:

cur

Display current XML configuration.

XML config access currently disabled on TCP port 443
XML debug is enabled

Note: there are pending config changes; use "diff" to see them.

/cfg/sys/access/xml/xml

Page 255: 24.0.0 Command Reference

Example of enabling or disabling XML access

Current XML access: disabled
Pending new XML access: enabled
Enter new XML access [d/e]:

/cfg/sys/timezone

Configure the Timezone

/cfg/port <port number>

Port Configuration

The Port Menu enables you to configure settings for individual switch ports. This command is enabled by default.

Port configuration is different on Nortel Application Switch Operating System 2000 series and 3000 series.

Nortel Application Switch Operating System 2000 Series

The following table displays the number of Fast Ethernet ports and SFP GBIC ports with the numbering of the ports on Nortel Application Switch Operating System 2000 series:

Page 256: 24.0.0 Command Reference

Port Configuration and Numbering on Nortel Application Switch Operating System 2000 Series

Model | 10/100 Mbps Fast Ethernet Port Numbers | 1000 Mbps SFP GBIC Port Numbers
Nortel Application Switch 2208 (1U) | 1–8 | 9–10
Nortel Application Switch 2216 (1U) | 1–16 | 17–18
Nortel Application Switch 2224 (1U) | 1–24 | 25–26
Nortel Application Switch 2424 (1U) | 1–24 | 25–28

Fast Ethernet Ports

The RJ-45 jack is used for connecting 10/100 Mbps Ethernet segments to the port. The ports are auto-sensing, auto-negotiating, and support half or full-duplex operation.

SFP GBIC Ports

The LC jack is used for connecting Gigabit Ethernet fiber optic segments. The SFP modules are not shipped with the product. You may order the SFP modules from Nortel Networks.

For more information on connectors, refer to the Hardware Installation Guide for Nortel Application Switch Operating System.

The commands on Nortel Application Switch Operating System 2000 series and their descriptions are as follows:

[Port port_number Menu]

fast - Fast Phy Menu

gig - Gig Phy Menu

pvid - Set default port VLAN id

alias - Set port alias

name - Set port name

cont - Set default port BW Contract

nonip - Set BW Contract for non-IP traffic

egbw - Set port egress bandwidth Limit

rmon - Enable/Disable RMON for port

tag - Enable/disable VLAN tagging for port

iponly - Enable/disable allowing only IP related frames at ingress

ena - Enable port

dis - Disable port

cur - Display current port configuration

Page 257: 24.0.0 Command Reference

Port Configuration Menu Options (/cfg/port)

Command Syntax and Usage

fast

If a port is configured to support Fast Ethernet, this option displays the Fast Ethernet Physical Link Menu. To view menu options, see "/cfg/port port number (3–6) cop Dual-Mode Copper Port Link Configuration" (page 266).

gig

If a port is configured to support Gigabit Ethernet, this option displays the Gigabit Ethernet Physical Link Menu. To view menu options, see "/cfg/port port number (3–6) cop Dual-Mode Copper Port Link Configuration" (page 266).

pvid <VLAN number, 1-4090>

Sets the default VLAN number which will be used to forward frames which are not VLAN tagged. The default number is 1.

alias <15 characters string>

Set an alias for the port number.

name <64 character string>|none

Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to none.

cont <BWM Contract (1-1024)>

Sets the default Bandwidth Management Contract for this port.

nonip <BW Contract number, 1-1024>

Sets the Bandwidth Management contract for non-IP traffic for this port.

egbw <0k-5000k|1m-100m>

Sets the egress bandwidth limit for the port to avoid overloading the receiving router or switch. Using this command, you can configure the egress bandwidth limit of the port to match with the bandwidth link of the receiving router or the switch. This means that the port’s speed will be taken as the egress bandwidth. For example, the egress bandwidth for an FE port will be 100m. The default is 0.

Note: You need Bandwidth Management license to use this command.

rmon disable|enable

Disables or enables RMON for this port. It is disabled by default.

tag disable|enable

Disables or enables VLAN tagging for this port. It is disabled by default.

iponly disable|enable

Page 258: 24.0.0 Command Reference

Disables or enables allowing only IP-related frames. It is disabled by default.

ena

Enables the port.

dis

Disables the port. (To temporarily disable a port without changing its configuration attributes, refer to "Temporarily Disabling a Port" (page 268).)

cur

Displays the current port parameters.

/cfg/port <port number> fast|gig

Port Link Configuration

[Fast Link Menu]

speed - Set link speed

mode - Set full or half duplex mode

fctl - Set flow control

auto - Set auto negotiation

cur - Display current fast link configuration

Use these menu options to set port parameters for the port link.

Note 1: If the port does not have a Gig Ethernet physical link, the following message is displayed:

>> Port 1# gig
Current Port 1 does not have Gig Ethernet phy.

Note 2: Since the speed and mode parameters cannot be set for Gigabit Ethernet ports, these options do not appear on the Gigabit Link Menu.

Link menu options are described in "Dual-Mode Copper Port Link Configuration Menu Options (/cfg/port 3–6 /cop)" (page 267) and appear on the fast and gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as speed, flow control, and negotiation mode for the port link.

Port Link Configuration Menu Options (/cfg/port/fast|gig)

Command Syntax and Usage

speed 10|100|any

Page 259: 24.0.0 Command Reference

Sets the link speed. Not all options are valid on all ports. The choices include:

• Any for automatic detection (default)

• 10 Mbps

• 100 Mbps

This menu appears only if a Fast Ethernet port is selected.

mode full|half|any

Sets the operating mode. This command is available only in the Fast Link Menu. The choices include:

• Any for auto negotiation (default)

• Full-duplex

• Half-duplex

This menu appears only if a Fast Ethernet port is selected.

fctl rx|tx|both|none

Sets the flow control. This command is available only in the Fast Link Menu. The choices include:

• Receive flow control

• Transmit flow control

• Both receive and transmit flow control (default)

• No flow control

auto on|off

Enables or disables auto negotiation for the port.

cur

Displays the current port parameters.

Nortel Application Switch 3000 Series

The following table displays the port configuration and numbering on Nortel Application Switch 3408:

Page 260: 24.0.0 Command Reference

Port configuration on Nortel Application Switch 3408

Model | 10/100/1000Base-T Copper Port Numbers | Dual-Mode Port Numbers | 1000 Mbps SFP GBIC Port Numbers
Nortel Application Switch 3408 (1U) | 1, 2, 7, 8 | 3–6 | 9–12

Port Configuration on Nortel Application Switch 3408

The Nortel Application Switch 3408 contains 12 ports. Their description is as follows:

• Four 1000BaseT ports (1, 2, 7, and 8) with RJ-45 connectors. The ports are autonegotiating and support half or full duplex operation.

• Four dual-mode ports (3, 4, 5, and 6). These ports have two interfaces each: 1000 Mbps SFP GBIC and 10/100/1000Base-T Copper. When the 1000 Mbps SFP GBIC port is selected as the preferred link, it is fixed at 1000 Mbps, full-duplex with autonegotiation turned on. When the 10/100/1000Base-T copper port is selected as the preferred link, it can be configured at any speed. However, if 1000 Mbps is selected, autonegotiation must be turned on. You can set either interface as the preferred or backup link. See "Dual-Mode Ports" (page 265) for more details.

• Four Small Form Pluggable (SFP) GBIC Fiber ports (9–12). These ports are designed to operate at 1000 Mbps and full duplex mode only.

Note: For more information on connectors, refer to the Nortel Application Switch Operating System Hardware Installation Guide, Part Number 315393-F.

Single-Mode ports

10/100/1000Base-T Copper Ports

When you select a single-mode copper port (1, 2, 7, or 8), you see the menu below:

[Port 1 Menu]

fast - Fast Phy Menu

gig - Gig Phy Menu

pvid - Set default port VLAN id

alias - Set port alias

name - Set port name

cont - Set default port BW Contract

nonip - Set BW Contract for non-IP traffic

egbw - Set port egress bandwidth Limit

rmon - Enable/Disable RMON for port

tag - Enable/disable VLAN tagging for port

Page 261: 24.0.0 Command Reference

iponly - Enable/disable allow IP related frames at ingress

ena - Enable port

dis - Disable port

cur - Display current port configuration

Single-Mode Copper Port Configuration Menu Options (/cfg/port <1, 2, 7, or 8>)

Command Syntax and Usage

gig

If a port is configured to support Gigabit Ethernet, this option displays the Copper Gigabit Ethernet Physical Link Menu. To view menu options, see "/cfg/port port number gig Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu" (page 261).

pvid <VLAN number (1-4090)>

Sets the default VLAN number which will be used to forward frames which are not VLAN tagged. The default number is 1.

name <64 character string>|none

Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to None.

cont <BWM Contract (1-1024)>

Sets the default Bandwidth Management Contract for this port.

rmon disable|enable

Disables or enables RMON for this port. It is disabled by default.

tag disable|enable

Disables or enables VLAN tagging for this port. It is disabled by default.

iponly disable|enable

Disables or enables allowing only IP-related frames. It is disabled by default.

ena

Enables the port.

dis

Disables the port. (To temporarily disable a port without changing its configuration attributes, refer to "Temporarily Disabling a Port" (page 268).)

cur

Displays the current port parameters.

/cfg/port <port number> gig

Page 262: 24.0.0 Command Reference

Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu

[GE Copper Link Menu]

speed - Set link speed

mode - Set duplex mode

fctl - Set flow control

auto - Set auto negotiate

cur - Display current ge copper link configuration

Use these menu options to set port parameters for the port link. Link menu options are described in "Dual-Mode Copper Port Link Configuration Menu Options (/cfg/port 3–6 /cop)" (page 267) and appear on the gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as speed, flow control, and negotiation mode for the port link.

Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu Options (/cfg/port <1, 2, 7, or 8>/gig)

Command Syntax and Usage

speed 10|100|1000|any

Sets the link speed. Not all options are valid on all ports. The choices include:

• Any for automatic detection (default)

• 10 Mbps

• 100 Mbps

• 1000 Mbps

mode full|half|any

Sets the operating mode. The choices include:

• Any for auto negotiation (default)

• Full-duplex

• Half-duplex

fctl rx|tx|both|none

Sets the flow control. This command is available only in the Fast Link Menu. The choices include:

• Receive flow control

• Transmit flow control

• Both receive and transmit flow control (default)

• No flow control

auto on|off

Enables or disables autonegotiation for the port.

cur

Displays the current Gigabit Ethernet copper link port parameters.

1000 Mbps SFP GBIC Fiber SFP Ports

When you select a single-mode SFP fiber port (9–12), you see a slightly different menu, as shown below:

[Port 9 Menu]
    gig    - SFP Gig Phy Menu
    pvid   - Set default port VLAN id
    name   - Set port name
    cont   - Set default port BW Contract
    egbw   - Set port egress bandwidth Limit
    rmon   - Enable/Disable RMON for port
    tag    - Enable/disable VLAN tagging for port
    iponly - Enable/disable allowing only IP related frames
    ena    - Enable port
    dis    - Disable port
    cur    - Display current port configuration

Single-Mode SFP Gigabit Ethernet Port Configuration Menu Options (/cfg/port <9–12>)

Command Syntax and Usage

gig

If a port is configured to support Gigabit Ethernet, this option displays the SFP Gigabit Ethernet Physical Link Menu. To view menu options, see "/cfg/port port number gig Single-Mode SFP Gigabit Ethernet Port Link Configuration Menu" (page 264).

pvid <VLAN number (1-4090)>

Sets the default VLAN number which will be used to forward frames which are not VLAN tagged. The default number is 1.

name <64 character string>|none

Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to None.

cont <BWM Contract (1-1024)>

Sets the default Bandwidth Management Contract for this port.

rmon disable|enable

Disables or enables RMON for this port. It is disabled by default.

tag disable|enable

Disables or enables VLAN tagging for this port. It is disabled by default.

iponly disable|enable

Disables or enables allowing only IP-related frames. It is disabled by default.

ena

Enables the port.

dis

Disables the port. (To temporarily disable a port without changing its configuration attributes, refer to "Temporarily Disabling a Port" (page 268).)

cur

Displays the current port parameters.

/cfg/port <port number> gig

Single-Mode SFP Gigabit Ethernet Port Link Configuration Menu

[GE SFP Link Menu]
    fctl - Set flow control
    auto - Set auto negotiate
    cur  - Display current SFP gig link configuration

Use these menu options to set port parameters for the port link. Link menu options are described in "Dual-Mode Copper Port Link Configuration Menu Options (/cfg/port 3–6 /cop)" (page 267) and appear on the gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as flow control and negotiation mode for the port link.

Single-Mode SFP Gigabit Ethernet Port Link Configuration Menu Options (/cfg/port <9-12>/gig)

Command Syntax and Usage

fctl rx|tx|both|none

Sets the flow control. The choices include:

• Receive flow control

• Transmit flow control

• Both receive and transmit flow control (default)

• No flow control

auto on|off

Enables or disables autonegotiation for the port.

cur

Displays the current SFP Gigabit Ethernet link port parameters.

Dual-Mode Ports

When you select any one of the dual-mode ports (3–6), you see the menu below:

[Port 3 Menu]
    cop    - Copper Gig Phy Menu
    sfp    - SFP Gig Phy Menu
    pref   - Set preferred link
    back   - Set backup link
    pvid   - Set default port VLAN id
    name   - Set port name
    cont   - Set default port BW Contract
    rmon   - Enable/Disable RMON for port
    tag    - Enable/disable VLAN tagging for port
    iponly - Enable/disable allowing only IP related frames
    ena    - Enable port
    dis    - Disable port
    cur    - Display current port configuration

Dual-Mode Port Configuration Menu Options (/cfg/port <3–6>)

Command Syntax and Usage

cop

Displays Copper Gigabit Physical Link Menu. To view menu options, see "/cfg/port port number (3–6) cop Dual-Mode Copper Port Link Configuration" (page 266).

sfp

Displays SFP Gigabit Physical Link Menu. To view menu options, see "/cfg/port port number (3–6) sfp Dual-Mode SFP Gigabit Link Configuration Menu" (page 268).

pref copper|sfp

Sets the port preference between copper or SFP mode. The selected port will be used as the preferred port if both the ports are available.

back copper|sfp|none

Sets the preference for the backup link if the preferred port is not available. You cannot set the preferred port as the backup port. If you choose none, the port will not switch automatically to the backup port if the preferred port goes down.

pvid <VLAN number (1-4090)>

Sets the default VLAN number which will be used to forward frames which are not VLAN tagged. The default number is 1.

name <64 character string>|none

Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to None.

cont <BWM Contract (1-1024)>

Sets the default Bandwidth Management Contract for this port.

rmon disable|enable

Disables or enables RMON for this port. It is disabled by default.

tag disable|enable

Disables or enables VLAN tagging for this port. It is disabled by default.

iponly disable|enable

Disables or enables allowing only IP-related frames. It is disabled by default.

ena

Enables the port.

dis

Disables the port. (To temporarily disable a port without changing its configuration attributes, refer to "Temporarily Disabling a Port" (page 268).)

cur

Displays the current port parameters.

/cfg/port <port number (3–6)> cop

Dual-Mode Copper Port Link Configuration

[GE Copper Link Menu]
    speed - Set link speed
    mode  - Set duplex mode
    fctl  - Set flow control
    auto  - Set auto negotiate
    cur   - Display current ge copper link configuration

Use these menu options to set port parameters for the port link.

Link menu options are described in "Dual-Mode Copper Port Link Configuration Menu Options (/cfg/port 3–6 /cop)" (page 267) and appear on the cop port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as speed, flow control, and negotiation mode for the port link.

Dual-Mode Copper Port Link Configuration Menu Options (/cfg/port <3–6>/cop)

Command Syntax and Usage

speed 10|100|1000|any

Sets the link speed. Not all options are valid on all ports. The choices include:

• Any for automatic detection (default)

• 10 Mbps

• 100 Mbps

• 1000 Mbps

mode full|half|any

Sets the operating mode. The choices include:

• Any for autonegotiation (default)

• Full-duplex

• Half-duplex

fctl rx|tx|both|none

Sets the flow control. The choices include:

• Auto negotiation (default)

• Receive flow control

• Transmit flow control

• Both receive and transmit flow control (default)

• No flow control

auto on|off

Enables or disables auto negotiation for the port.

cur

Displays the current Gigabit Ethernet copper link port parameters.

/cfg/port <port number (3–6)> sfp

Dual-Mode SFP Gigabit Link Configuration Menu

[GE SFP Link Menu]
    fctl - Set flow control
    cur  - Display current SFP gig link configuration

Dual-Mode SFP Gigabit Link Configuration Menu Options (/cfg/port/sfp)

Command Syntax and Usage

fctl rx|tx|both|none

Sets the flow control. The choices include:

• Receive flow control

• Transmit flow control

• Both receive and transmit flow control (default)

• No flow control

cur

Displays the current SFP Gigabit link port configuration.

Temporarily Disabling a Port

To temporarily disable a port without changing its stored configuration attributes, enter the following command at any prompt:

Main# /oper/port <port number> /dis

Because this configuration sets a temporary state for the port, you do not need to use apply or save. The port state will revert to its original configuration when the Nortel Application Switch is reset. See "The Operations Menu" (page 443) for other operations-level commands.

/cfg/pmirr

Port Mirroring Menu

[Port Mirroring Menu]
    mirror  - Enable/Disable Mirroring
    monport - Configure Monitor Port
    cur     - Display All Mirrored and Monitored Ports and VLANs

Port mirroring is disabled by default.

The Port Mirroring Menu is used to configure, enable, and disable the monitored port. When enabled, network packets being sent and/or received on a target port are duplicated and sent to a monitor port. By attaching a network analyzer to the monitor port, you can collect detailed information about your network performance and usage.

Port Mirroring menu options (/cfg/pmirr)

Command Syntax and Usage

mirror disable|enable

Enables or disables port mirroring.

monport <monitoring port (port to mirror to)>

Displays port-mirroring menu options that help configure the port. To view menu options, see "/cfg/pmirr monport Port-Mirroring Menu" (page 269).

cur

Displays the current settings of the mirrored and monitoring ports.

/cfg/pmirr monport

Port-Mirroring Menu

>> Port Mirroring# monport
Enter port (1-28): port_number
------------------------------------------------------------
[Port 1 Menu]
    add - Add "Mirrored" port and VLANs
    rem - Rem "Mirrored" port and VLANs
    cur - Display current Port-based Port Mirroring configuration

Port-Based Port-Mirroring Menu Options (/cfg/pmirr/monport)

Command Syntax and Usage

add <mirrored port (port to mirror from) direction (in, out, or both) vlan index or Carriage Return for all vlans>

Adds the port to be mirrored. This command also allows you to enter the direction of the traffic. It is necessary to specify the direction because:

If the source port of the frame matches the mirrored port and the mirrored direction is ingress or both (ingress and egress), the frame is sent to the monitoring port.

If the destination port of the frame matches the mirrored port and the mirrored direction is egress or both, the frame is sent to the monitoring port.

VLAN-based port mirroring allows the user to monitor traffic based on VLANs associated with a port. You can add specific VLAN(s) to be monitored even if there are multiple VLANs associated with that port. If you do not specify a VLAN, all traffic on that port will be mirrored.

rem <mirrored port (port to mirror from) vlan index or Carriage Return for all vlans>

Removes the mirrored port.

cur

Displays the current settings of the monitoring port. For example:

>> Port 1# cur
Monitoring port    (Mirrored port,direction,vlans)
1                  none
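The direction and VLAN rules described for the add command, as an added Python example (not from the Nortel manual): it models which monitoring ports receive a copy of a frame, so that a mirroring configuration can be reviewed for the traffic it exposes. The MirrorEntry and Frame classes, the approved-port list and the sample entries are assumptions constructed for illustration.

```python
"""Audit model of the /cfg/pmirr/monport mirroring rules (illustrative only)."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional, Set

VALID_DIRECTIONS = ("in", "out", "both")


@dataclass(frozen=True)
class MirrorEntry:
    """One 'add' under a monitoring port: mirrored port, direction, VLANs."""
    monitor_port: int                       # port the copies are sent to
    mirrored_port: int                      # port the traffic is copied from
    direction: str                          # "in", "out" or "both"
    vlans: Optional[FrozenSet[int]] = None  # None = all VLANs (Carriage Return)

    def __post_init__(self):
        if self.direction not in VALID_DIRECTIONS:
            raise ValueError(f"direction must be one of {VALID_DIRECTIONS}")


@dataclass(frozen=True)
class Frame:
    src_port: int  # switch port the frame arrived on
    dst_port: int  # switch port the frame leaves on
    vlan: int


def monitor_ports_for(frame: Frame, entries: Iterable[MirrorEntry],
                      mirroring_enabled: bool = True) -> Set[int]:
    """Return the monitoring ports that receive a copy of `frame`."""
    if not mirroring_enabled:  # port mirroring is disabled by default
        return set()
    copies: Set[int] = set()
    for e in entries:
        # A VLAN list restricts the entry; no list means all traffic on the port.
        if e.vlans is not None and frame.vlan not in e.vlans:
            continue
        ingress = frame.src_port == e.mirrored_port and e.direction in ("in", "both")
        egress = frame.dst_port == e.mirrored_port and e.direction in ("out", "both")
        if ingress or egress:
            copies.add(e.monitor_port)
    return copies


def unapproved_monitors(entries: Iterable[MirrorEntry],
                        approved_monitor_ports: Iterable[int]) -> Set[int]:
    """Monitoring ports present in the configuration but not on the approved list."""
    return {e.monitor_port for e in entries} - set(approved_monitor_ports)


# Constructed sample configuration (not taken from the manual).
SAMPLE_ENTRIES = [
    MirrorEntry(monitor_port=1, mirrored_port=5, direction="in"),
    MirrorEntry(monitor_port=1, mirrored_port=6, direction="both",
                vlans=frozenset({10})),
    MirrorEntry(monitor_port=2, mirrored_port=5, direction="out"),
]

if __name__ == "__main__":
    for f in (Frame(5, 7, 20), Frame(7, 5, 20), Frame(6, 7, 10), Frame(6, 7, 20)):
        print(f, "->", sorted(monitor_ports_for(f, SAMPLE_ENTRIES)))
    print("unapproved:", sorted(unapproved_monitors(SAMPLE_ENTRIES, {1})))
```

Comparing the configured monitoring ports against an approved list is a quick way to spot a mirror that nobody requested.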

/cfg/bwm

Bandwidth Management Configuration

Bandwidth Management (BWM) enables Web site managers to allocate a portion of the available bandwidth for specific users or applications. It allows companies to guarantee that critical business traffic, such as e-commerce transactions, receive higher priority versus non-critical traffic. Traffic classification can be based on user or application information. BWM policies can be configured to set lower and upper bounds on the bandwidth allocation.

Note: BWM is a software key-enabled feature that requires users to purchase a license and a key. In order to enable BWM, users need to enter the Bandwidth Management key using the /oper/swkey command.

By default, BWM is turned off.

Refer to your Application Guide for more information.

Note: Up to 1024 bandwidth management contracts can be configured on the Nortel Application Switch Operating System.

Bandwidth Management Menu Options (/cfg/bwm)

Command Syntax and Usage

cont <BW contract number (1-1024)>

Displays the Bandwidth Management Contract Menu. To manage bandwidth on a Nortel Application Switch, you must create one or more bandwidth management contracts. The switch uses these contracts to limit individual traffic flows. For further details, see the Nortel Application Switch Operating System Application Guide.

By default, this option is disabled. To view menu options, see "/cfg/bwm/cont contract number Bandwidth Management Contract Configuration" (page 273).

policy <BW policy number (1-512)>

Displays the Bandwidth Management Policy Menu. Bandwidth policies are bandwidth limitations defined for any set of frames, specifying the guaranteed bandwidth rates. A bandwidth policy is often based on a rate structure whereby a Web host could charge a customer for bandwidth utilization. For further details, see the Nortel Application Switch Operating System Application Guide.

To view menu options, see "/cfg/bwm/policy policy number Bandwidth Management Policy Configuration" (page 276).

group <BW Group number (1-32)>

Displays the Bandwidth Management Group Menu. To view menu options, see "/cfg/bwm/group Bandwidth Management Group Configuration Menu" (page 277).

user <user name>

Sets the SMTP user name to whom the history statistics will be mailed. The default is set to None.

report <IP4 address> | <IP6 address>

Set the IP address of the Reporting Server.

entries <64k|128k|256k|512k>

Sets the number of entries in the Bandwidth Management IP user table.

frequen <1-1440 minutes, 0 for default behavior>

Sets the frequency of Bandwidth Management email in minutes. The default is set to 0.

email disable|enable

Enable/disable sending BWM statistics using email. When this option is disabled, these statistics are sent using a socket mechanism.

force disable|enable

Enables or disables the enforcement of bandwidth policy on the traffic. When disabled, the reordering of the packets does not occur. The packets will exit in the order they came in. This means that no bandwidth limit is applied on the queues. By default, this option is enabled.

on

Globally enables Bandwidth Management on this switch.

off

Globally disables Bandwidth Management on this switch.

cur

Displays the current Bandwidth Management configuration.

/cfg/bwm/cont <contract number>

Bandwidth Management Contract Configuration

Bandwidth Management Policy Menu Options (/cfg/bwm/cont)

Command Syntax and Usage

timepol <BW Contract time policy number (1-2)>

Displays Time Policy Menu. To view menu options, see "/cfg/bwm/cont contract number /timepol Contract time policy number BWM Contract Time Policy Config" (page 275).

name <31 character name>

Sets the name for this Bandwidth Management contract.

>> BW Contract 1# name
Current BW Contract name:
Enter new BW Contract name:

policy <Bandwidth policy number (1-512)>

Sets the policy number for this Bandwidth Management contract. The default policy number is 64.

prec <Bandwidth precedence value (1-255)>

Sets the precedence value for this Bandwidth Management contract. The default value is 1.

iptype <sip|dip>

Defines the IP type for this contract, whether the user (IP address) limiting is enforced by the source IP address (SIP) or the destination IP address (DIP).

pmirr <port | none>

Defines a port to mirror contract packets to. Enter a valid port to enable this feature or none to disable it. This command is available in maintenance mode only.

iplimit disable|enable

Enables or disables user (IP address) limiting for this contract. If enabled, each IP address is limited to the user limit configured in /cfg/bwm/policy on "/cfg/bwm/policy policy number Bandwidth Management Policy Configuration" (page 276).

maxsess <maximum sessions (0-65534)>

Sets the maximum number of sessions per user or contract. The default value is 0.

history disable|enable

Disables or enables saving statistics for this contract on the server. By default, it is enabled.

wtos disable|enable

Disables or enables overwriting the IP Type of Service (TOS) for this contract. By default, it is disabled.

mononly disable|enable

Enables or disables monitor-only mode for this Contract. This command is used for design and auditing purposes only. The statistics are generated but no shaping or limiting will apply to this contract.

shaping disable|enable

Disables or enables shaping of the traffic for this contract. In this context, shaping means buffering a packet and keeping it ready to be sent.

wtcpwin disable|enable

Enables or disables overwriting TCP Window for this Contract. By overwriting the default window size, the user can modify the TCP window size to a lower value so that when the packet arrives carrying the bytes within that window size, the receiver of that packet does not have to wait for acknowledgement. This may help reduce the traffic congestion.

Do not set the value to lower than 1500 bytes. For details, refer to the Application Guide.

ena

Enables this Bandwidth Management contract.

dis

Disables this Bandwidth Management contract.

del

Removes this contract from the switch.

cur

Displays the current Bandwidth Management contract configuration.

/cfg/bwm/cont <contract number> /timepol <Contract time policy number>

BWM Contract Time Policy Configuration Menu

This feature enables the user to configure different policies based on the time of the day using the following menu and commands:

[BW Contract 1 Time Policy 1 Menu]
    day     - Set Time Policy day
    from    - Set Time Policy from hour
    to      - Set Time Policy to hour
    policy  - Set Time Policy
    enable  - Enable Time Policy
    disable - Disable Time Policy
    delete  - Delete Time Policy
    cur     - Display current Time Policy configuration

BWM Contract Time Policy Configuration Menu Options (/cfg/bwm/timepol)

Command Syntax and Usage

day <mon|tue|wed|thu|fri|sat|sun|weekday|weekend|everyday>

Defines the day(s) of the week, weekdays (Monday to Friday), weekend (Saturday and Sunday) or everyday. The default is everyday.

from <1-12am/pm>

Defines the start time, in hours. If am or pm is not specified, the switch will default to am for numbers lower than 12 and will default to pm for numbers 13 or higher.

to <1-12am/pm>

Sets the end limit of time in hours. If am or pm is not specified, the switch will default to am for numbers lower than 12 and will default to pm for numbers 13 or higher.

policy <BW Policy number, 1-512>

Defines the policy number for the contract.

enable

Enables the Time Policy command on the switch.

disable

Disables the Time Policy command on the switch.

delete

Deletes the current Time Policy.

cur

Displays the current Time Policy configuration on the switch. For example:

Time Policy 1:
Day everyday, From Hour 12am, To Hour 12am, Policy 512, disabled

/cfg/bwm/policy <policy number>

Bandwidth Management Policy Configuration

[Policy 1 Menu]
    hard    - Set hard Limit
    soft    - Set soft Limit
    resv    - Set Reservation Limit
    userlim - Set per user (IP address) Limit
    utos    - Set underlimit (soft limit) TOS
    otos    - Set overlimit (soft limit) TOS
    buffer  - Set Buffer Limit
    del     - Delete BW Policy
    cur     - Display current Policy configuration

Bandwidth Management Policy Menu Options (/cfg/bwm/pol)

Command Syntax and Usage

hard <0k-5000k|1m-1000m>

Sets the hard bandwidth limit for this policy. This is the highest amount of bandwidth available to this policy. The default value is 2000 kbps.

soft <0k-5000k|1m-1000m>

Sets the soft bandwidth limit for this policy. The default value is 1000 kbps.

resv <0k-5000k|1m-1000m>

Sets the reserve limit for this policy. This is the amount of bandwidth always available to this policy. The default value is 500Kbytes.

userlim <0k-5000k|1m-1000m>

Sets the bandwidth limit for each IP address in the contract traffic.

utos <BW Policy TOS (0-255)>

Sets the new utos (underlimit TOS) value to overwrite the original TOS value if the traffic for this contract is under the soft limit. With this option set to the default value of "0," the switch will not overwrite the TOS value.

otos <BW Policy TOS (0-255)>

Sets the new otos (over the limit TOS) value to overwrite the original TOS value if the traffic for this contract is over the soft limit. With this option set to the default value of "0," the switch will not overwrite the TOS value.

buffer <Maximum buffer space (bytes) (8192-128000)>

Sets the buffer limit for this policy. The default value is 8192 bytes.

del

Deletes the bandwidth management policy.

cur

Displays the current value of the bandwidth policy configuration.

/cfg/bwm/group

Bandwidth Management Group Configuration Menu

[BW Group 1 Menu]
    add - Add Contract to this group
    rem - Remove Contract from this group
    del - Delete BW Group
    cur - Display current BW Group configuration

Bandwidth Management Group Menu Options (/cfg/bwm/group)

Command Syntax and Usage

add <BW Contract number, 1-1023 excluding default>

Adds a contract to this group.

rem <BW Contract number, 1-1023 excluding default>

Removes a contract from this group.

del

Deletes this Bandwidth Management group.

cur

Displays all current Bandwidth Management Group configurations.

/cfg/bwm/cur

Bandwidth Management Current Configuration

Current Bandwidth Management setting: ON
Policy Enforcement: enabled
SMTP server user name:

Contract  Name     Policy  Prec  Hist  TOS  State  Shaping
1         cont_1   1       1     E     E    E      E
2         cont_2   2       1     E     D    D      D
1024      Default  --      0     E     D    E      D
*Default contract gets all the BW that is available on a port after the active contracts reserved BW is taken.

Policy  Hard  Soft  Resv  oTOS  uTOS  Buffer
1       25M   20M   500K  150   100   16320
2       10M   8M    500K  0     0     16320
3       2M    1M    500K  0     0     16320
4       2M    1M    500K  0     0     16320
5       2M    1M    500K  0     0     16320
6       2M    1M    500K  0     0     16320
7       2M    1M    500K  0     0     16320
8       2M    1M    500K  0     0     16320
9       2M    1M    500K  0     0     16320
10      2M    1M    500K  0     0     16320
11      2M    1M    500K  0     0     16320
12      2M    1M    500K  0     0     16320
13      2M    1M    500K  0     0     16320
14      2M    1M    500K  0     0     16320
15      2M    1M    500K  0     0     16320
16      2M    1M    500K  0     0     16320
17      2M    1M    500K  0     0     16320
18      2M    1M    500K  0     0     16320
19      2M    1M    500K  0     0     16320
20      2M    1M    500K  0     0     16320
21      2M    1M    500K  0     0     16320
22      2M    1M    500K  0     0     16320
23      2M    1M    500K  0     0     16320
24      2M    1M    500K  0     0     16320
25      2M    1M    500K  0     0     16320
26      2M    1M    500K  0     0     16320
27      2M    1M    500K  0     0     16320
28      2M    1M    500K  0     0     16320
29      2M    1M    500K  0     0     16320
30      2M    1M    500K  0     0     16320

/cfg/l2

Layer 2 Configuration Menu

Layer 2 Configuration Menu Options (/cfg/l2)

Command Syntax and Usage

mrst

Go to the Multiple/Rapid Spanning Tree menu. See "/cfg/l2/mrst Multiple Spanning Tree Menu" (page 280).

stg <group number [1-16]>

Displays Spanning Tree Group Menu. To view menu options, see "/cfg/l2/stg Spanning Tree Group Configuration" (page 282).

trunk <trunk group number>

Displays Trunk Group Menu. To view menu options, see "/cfg/l2/trunk trunk group number Trunk Configuration" (page 286).

lacp

Displays Link Aggregation Control Protocol (LACP) Menu. To view menu options, see "/cfg/l2/lacp Link Aggregation Control Protocol Menu" (page 287).

vlan <VLAN number (1-4090)>

Displays VLAN Menu. To view menu options, see "/cfg/l2/vlan VLAN number VLAN Configuration" (page 290).

team

Go to the port teaming menu. See "/cfg/l2/team team number Port Team Configuration" (page 292).

ntmstg disable|enable

Enables or disables Nortel Multiple Spanning Tree Group mode. When Nortel multiple STG mode is enabled, the Nortel implementation of multiple STGs will be followed. When Nortel multiple STG mode is disabled, the Cisco implementation of multiple STGs will be followed. The ntmstg enabled device will not work with the device configured for Cisco implementation of Spanning Tree BPDUs. The factory default value of this command is Nortel multiple STG mode disabled.

You need to reset the switch with the command /boot/reset for the Spanning Tree Group configuration to change to ntmstg enabled.

cur

Displays the current Layer 2 parameters.

/cfg/l2/mrst

Multiple Spanning Tree Menu

Multiple Spanning Tree Menu Options

Command Syntax and Usage

cist

Go to the Common and Internal Spanning Tree menu. See "/cfg/l2/mrst/cist Multiple Spanning Tree Menu" (page 280).

name <1-32 character region name>

Set the MST region name.

version <version number 1-65535>

Set the MST region version.

maxhop <max hops 4-60>

Set the maximum MST hop count.

mode mstp|rstp

Set the spanning tree mode.

on

Set the spanning tree on (Bridge MSTP/RSTP runs normally).

off

Set the spanning tree off (Bridge MSTP/RSTP does not run).

cur

Display the current MST parameters.

/cfg/l2/mrst/cist

Multiple Spanning Tree Menu

Multiple Spanning Tree CIST Bridge Menu Options

Command Syntax and Usage

brg

Go to the CIST Bridge parameter menu. See "/cfg/l2/mrst/cist/brg CIST Bridge Menu" (page 281).

port <port_number>

Set the port number.

default

Resets STG and Group member parameters to factory default.

cur

Displays current values of all objects settable from this menu.

/cfg/l2/mrst/cist/brg

CIST Bridge Menu

[CIST Bridge Menu]
    prior - Set CIST bridge Priority (0-65535)
    mxage - Set CIST bridge Max Age (6-40 secs)
    fwd   - Set CIST bridge Forward Delay (4-30 secs)
    cur   - Display current CIST bridge parameters

Multiple Spanning Tree CIST Bridge Menu Options

Command Syntax and Usage

prior <new bridge Priority, 0-65535>

Set the bridge priority.

mxage <new bridge Max Age, 6-40 secs>

Set the CIST bridge maximum age.

fwd <new bridge Forward Delay, 4-30 secs>

Set the CIST bridge forward delay.

cur

Displays current values of all objects settable from the CIST bridge menu.

/cfg/l2/mrst/cist/brg cur

Current configuration for CIST Bridge

>> CIST Bridge# cur
-----------------------------------------------------------
Current Common Internal Spanning Tree settings:
Bridge params:  Priority  MaxAge  FwdDel
                32768     20      15

CIST bridge configuration

Statistics   Description
Priority     The current CIST Bridge priority setting. Priority is a value between 0 and 65535.
MaxAge       The current CIST Bridge maximum aging setting. MaxAge is a value in seconds between 6 and 40.
FwdDel       The current CIST Bridge forwarding delay setting. FwdDel is a value in seconds between 4 and 30.

/cfg/l2/stg

Spanning Tree Group Configuration

When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the network so that a switch uses only the most efficient path. Spanning Tree Protocol (STP) detects and eliminates logical loops in a bridged or switched network. STP forces redundant data paths into a standby (blocked) state. When multiple paths exist, Spanning Tree configures the network so that a switch uses only the most efficient path. If that path fails, Spanning Tree automatically sets up another active path on the network to sustain network operations. Thus, STP is used to prevent loops in the network topology.

Nortel Application Switch Operating System supports the IEEE 802.1p Spanning Tree Protocol (STP). Nortel Application Switch Operating System supports up to 16 instances of Spanning Trees or Spanning Tree groups. Each VLAN can be placed in only one Spanning Tree group per switch except for the default Spanning Tree group (STG 1). The default Spanning Tree group (1) can have more than one VLAN. All other Spanning Tree groups (2-16) can have only one VLAN associated with it. Spanning Tree can be enabled or disabled for each port. Multiple Spanning Trees can be enabled on tagged or untagged ports. See your Application Guide for a detailed description of this feature and how to configure Spanning Tree Groups on the switch.

This command is turned on by default.

[Spanning Tree Group 1 Menu]
brg - Bridge parameter menu
port - Port parameter menu
add - Add VLAN(s) to Spanning Tree Group
remove - Remove VLAN(s) from Spanning Tree Group
clear - Remove all VLANs from Spanning Tree Group
on - Globally turn Spanning Tree ON
off - Globally turn Spanning Tree OFF
default - Default Spanning Tree and Member parameters
cur - Display current bridge parameters

Note: When VRRP is used for active/active redundancy, STP must be enabled.

Spanning Tree Configuration Menu (/cfg/l2/stp)

Command Syntax and Usage

brg

Displays the Bridge Spanning Tree Menu. To view menu options, see "/cfg/l2/stg/brg Bridge Spanning Tree Configuration" (page 284).

port <port number>

Displays the Spanning Tree Port Menu. To view menu options, see "/cfg/l2/stg STG Group Index /port port # Spanning Tree Port Configuration" (page 285).

add <VLAN numbers (1-4090)>

Associates a VLAN with a spanning tree and requires an external VLAN ID as a parameter.

remove <VLAN numbers, 1-4095 (802.1d & RSTP) / 2-4094 (MSTP)>

Breaks the association between a VLAN and a spanning tree and requires an external VLAN ID as a parameter.

clear

Removes all VLANs from a spanning tree.

on

Globally enables Spanning Tree Protocol.

off

Globally disables Spanning Tree Protocol.

default

Resets STG and Group member parameters to factory default.

cur

Displays the current Spanning Tree Protocol parameters.


/cfg/l2/stg/brg Bridge Spanning Tree Configuration

[Bridge Spanning Tree Menu]
prior - Set bridge Priority [0-65535]
hello - Set bridge Hello Time [1-10 secs]
mxage - Set bridge Max Age (6-40 secs)
fwd - Set bridge Forward Delay (4-30 secs)
aging - Set bridge Aging Time (1-65535 secs, 0 to disable)
cur - Display current bridge parameters

Spanning Tree bridge parameters affect the global STP operation of the switch. STP bridge parameters include:

• Bridge priority

• Bridge hello time

• Bridge maximum age

• Forwarding delay

• Bridge aging time

Bridge Spanning Tree Menu Options (/cfg/l2/stp/brg)

Command Syntax and Usage

prior <new bridge priority (0-65535)>

Configures the bridge priority. The bridge priority parameter controls which bridge on the network is the STP root bridge. To make this switch the root bridge, configure the bridge priority lower than all other switches and bridges on your network. The lower the value, the higher the bridge priority. The range is 0 to 65535, and the default is 32768.

hello <new bridge hello time (1-10 secs)>

Configures the bridge hello time. The hello time specifies how often the root bridge transmits a configuration bridge protocol data unit (BPDU). Any bridge that is not the root bridge uses the root bridge hello value. The range is 1 to 10 seconds, and the default is 2 seconds.

mxage <new bridge max age (6-40 secs)>

Configures the bridge maximum age. The maximum age parameter specifies the maximum time the bridge waits without receiving a configuration bridge protocol data unit before it reconfigures the STP network. The range is 6 to 40 seconds, and the default is 20 seconds.

fwd <new bridge Forward Delay (4-30 secs)>


Configures the bridge forward delay parameter. The forward delay parameter specifies the amount of time that a bridge port has to wait before it changes from the listening state to the learning state and from the learning state to the forwarding state. The range is 4 to 30 seconds, and the default is 15 seconds.

aging <new bridge Aging Time (1-65535 secs, 0 to disable)>

Configures the forwarding database aging time. The aging time specifies the amount of time the bridge waits without receiving a packet from a station before removing the station from the forwarding database. The range is 1 to 65535 seconds, and the default is 300 seconds. To disable aging, set this parameter to 0.

cur

Displays the current bridge STP parameters.

When configuring STP bridge parameters, the following formulas must be used:

• 2*(fwd-1) ≥ mxage

• 2*(hello+1) ≤ mxage
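The ranges and the two formulas above interact: a value can be inside its own range and still break a formula. The following added example (not part of the Nortel documentation) checks a proposed set of bridge parameters before it is applied; the function and variable names are illustrative, and the ranges and defaults are the ones listed in this section.

```python
# Added example: pre-change check for /cfg/l2/stg/brg values.
# Ranges, defaults and formulas come from this section; names are illustrative.
RANGES = {
    "prior": (0, 65535),
    "hello": (1, 10),
    "mxage": (6, 40),
    "fwd": (4, 30),
    "aging": (1, 65535),  # 0 is also accepted and disables aging
}
DEFAULTS = {"prior": 32768, "hello": 2, "mxage": 20, "fwd": 15, "aging": 300}


def check_bridge_params(params):
    """Return a list of violations; an empty list means the set is valid.

    Keys missing from params fall back to the documented defaults, so a
    partial change is checked against the values that stay in effect.
    """
    problems = [f"unknown parameter {name!r}" for name in params if name not in RANGES]
    merged = {**DEFAULTS, **{k: v for k, v in params.items() if k in RANGES}}

    # Type check first: the formulas below need integers.
    for name, value in merged.items():
        if isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{name}: {value!r} is not an integer")
    if problems:
        return problems

    for name, (low, high) in RANGES.items():
        value = merged[name]
        if name == "aging" and value == 0:
            continue  # documented way to disable forwarding-database aging
        if not low <= value <= high:
            problems.append(f"{name}={value} is outside {low}-{high}")

    hello, mxage, fwd = merged["hello"], merged["mxage"], merged["fwd"]
    if not 2 * (fwd - 1) >= mxage:
        problems.append(f"2*(fwd-1) >= mxage fails: {2 * (fwd - 1)} < {mxage}")
    if not 2 * (hello + 1) <= mxage:
        problems.append(f"2*(hello+1) <= mxage fails: {2 * (hello + 1)} > {mxage}")
    return problems


def max_age_window(hello, fwd):
    """Return the (low, high) mxage values allowed for hello and fwd, or None."""
    low = max(RANGES["mxage"][0], 2 * (hello + 1))
    high = min(RANGES["mxage"][1], 2 * (fwd - 1))
    return (low, high) if low <= high else None


if __name__ == "__main__":
    # Constructed inputs: each value is in range, but two sets break a formula.
    for proposed in ({}, {"fwd": 4}, {"hello": 10}, {"mxage": 41}):
        print(proposed, check_bridge_params(proposed) or "ok")
    print("mxage window for defaults:", max_age_window(2, 15))
```

With the default hello and forward delay, max_age_window shows that mxage must stay between 6 and 28 seconds even though the command accepts up to 40.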

/cfg/l2/stg <STG Group Index> /port <port #> Spanning Tree Port Configuration

[Spanning Tree Port 1 Menu]
prior - Set port Priority (0-255)
cost - Set port Path Cost
link - Set port link type (auto,p2p,or shared; default: auto)
edge - Enable/disable edge port
on - Turn port’s Spanning Tree ON
off - Turn port’s Spanning Tree OFF
cur - Display current port Spanning Tree parameters

Spanning Tree port parameters are used to modify STP operation on an individual port basis. STP port parameters include:

• Port priority

• Port path cost

STP is turned on by default for the port.

Spanning Tree Port Menu (/cfg/l2/stp/port)

Command Syntax and Usage

prior <new port Priority (0-255)>


Configures the port priority. The port priority helps determine which bridge port becomes the designated port. In a network topology that has multiple bridge ports connected to a single segment, the port with the lowest port priority becomes the designated port for the segment. The range is 0 to 255, and the default is 128.

cost <new port Path Cost (1-65535, 0 for default)>

Configures the port path cost. The port path cost is used to help determine the designated port for a segment. Generally speaking, the faster the port, the lower the path cost. The range is 1 to 65535. The default is 10 for 100Mbps ports, and 1 for Gigabit ports. A value of 0 indicates that the default cost will be computed for an auto-negotiated link speed.

link auto|p2p|shared

Set port link type (auto, p2p, or shared; default: auto)

edge disable|enable

Enable/disable edge port

on

Enables STP on the port.

off

Disables STP on the port.

cur

Displays the current STP port parameters.

/cfg/l2/trunk <trunk group number> Trunk Configuration

Trunk groups can provide super-bandwidth and multi-link connections between Nortel Application Switches or other trunk capable devices. A trunk group is a group of ports that act together, combining their bandwidth to create a single, larger virtual link. When trunk groups are configured, you can view the state of each port in the various trunk groups. Up to 12 trunk groups can be configured on the Nortel Application Switch, with the following restrictions:

• Any physical switch port can belong to no more than one trunk group.

• Up to eight ports/trunks can belong to the same trunk group.

• Best performance is achieved when all ports in a trunk are configured for the same speed.

• Trunking from non-Nortel devices must comply with Cisco EtherChannel technology.


By default, the trunk group is empty and disabled.

[Trunk group 1 Menu]
cont - Set BW contract for this trunk group
add - Add port to trunk group
rem - Remove port from trunk group
ena - Enable trunk group
dis - Disable trunk group
del - Delete trunk group
cur - Display current Trunk Group configuration

Trunk Configuration Menu Options (/cfg/l2/trunk)

Command Syntax and Usage

cont <BWM Contract (1-1024)>

Sets the default Bandwidth Management Contract for this trunk group. By default, the contract number is 1024 for Nortel Application Switch.

add <port number>

Adds a physical port to the current trunk group.

rem <port number>

Removes a physical port from the current trunk group.

ena

Enables the current trunk group.

dis

Turns the current trunk group off.

del

Removes the current trunk group configuration.

cur

Displays the current trunk group parameters.

/cfg/l2/lacp Link Aggregation Control Protocol Menu

The Nortel Application Switch Operating System supports the IEEE 802.3ad standard. At the core of the 802.3ad standard is Link Aggregation Control Protocol (LACP). This protocol allows the user to group several physical ports into one logical port (LACP trunk group) with any switch that supports the IEEE 802.3ad standard (LACP). You can configure trunk groups manually (static trunks), or configure dynamic trunk groups using the IEEE 802.3ad standard (LACP trunks). The maximum number of configurable trunk groups is 40: 12 user-configurable trunks and 28 LACP trunks, depending upon the maximum number of ports in the switch. The maximum number of active physical ports in any trunk group is eight and the number of standby ports is also eight.

The 802.3ad standard allows two or more standard Ethernet links to form a single Layer 2 link using the Link Aggregation Control Protocol (LACP). Link aggregation is a method of grouping physical link segments of the same media type and speed in full duplex, and treating them as if they were part of a single, logical link segment. If a link in an LACP trunk group fails, traffic is reassigned dynamically to the remaining links of the LACP trunk group or is assigned to the standby LACP links.

Note: Refer to IEEE 802.3ad-2000 for detailed information about the standard.

LACP automatically determines which member links can be aggregated and then aggregates them. It provides for the controlled addition and removal of physical links for the link aggregation.

Each external port in the Nortel Application Switch Operating System can have one of the following LACP modes.

• off (default)

The user can configure this port to a regular static trunk group. When the system initializes, all ports are in off mode by default.

• active

The port is capable of forming an LACP trunk. This port initiates negotiation with the partner system port by sending LACPDU (Link Aggregation Control Protocol Data Unit) packets.

• passive

The port is capable of forming an LACP trunk. This port only responds to the negotiation requests sent from an LACP active port.

Each LACP active or passive port needs an admin key, an operational key, and an aggregator for LACP to start negotiation on these ports. You need to assign the same admin key to a group of ports to make them aggregatable. The link can generate a Link Aggregation ID (LAG ID) based on the operational key. All the aggregatable ports must have the same LAG ID. You can form an active LACP trunk group with all the ports that have the same LAG ID.

Refer to the Nortel Application Switch Operating System Application Guide for detailed information on this protocol.

Note: All ports are in LACP off mode by default.


Use the following commands to configure LACP on the Nortel Application Switch Operating System.

[LACP Menu]
sysprio - Set LACP system priority
timeout - Set LACP system timeout scale for timing out partner info
port - LACP port Menu
cur - Display current LACP configuration

Link Aggregation Control Protocol Menu Options (/cfg/l2/lacp)

Command Syntax and Usage

sysprio <1-65535>

Defines the priority value (1 through 65535) for the Nortel Application Switch Operating System. Lower numbers provide higher priority.

System priority is used when there are more than eight ports configured with the same adminkey. The system priority, in conjunction with port priority, decides which eight ports should be combined to form a trunk group between two switches. The rest of the ports stay in standby mode to substitute for any failed ports.

The default value is 32768.

timeout <short|long>

Defines the timeout period before invalidating LACP data from a remote partner. You can choose between short (3 seconds) or long (90 seconds) timeout periods. The default value is long.

port <port number>

Displays the LACP Port menu. To view menu options, see "/cfg/l2/lacp/port port number LACP Port Configuration Menu" (page 289).

cur

Displays the current LACP configuration.

/cfg/l2/lacp/port <port number> LACP Port Configuration Menu

[LACP Port 1 Menu]
mode - Set LACP mode
prio - Set LACP port priority
adminkey - Set LACP port admin key
cur - Display current LACP port configuration


Use the following commands to configure Link Aggregation Control Protocol (LACP) on a selected port.

Link Aggregation Control Protocol Port Configuration Menu Options (/cfg/l2/lacp/port)

Command Syntax and Usage

mode <off for no LACP or active or passive>

• off: Using this option, you can turn LACP off for this port. You can use this port to manually configure a static trunk. All ports are in off mode by default.

• active: Using this option, you can turn LACP on and set this port to active. Only active ports initiate negotiation with the partner system port by sending the LACPDU packets.

• passive: Using this option, you can turn LACP on and set this port to passive mode. Passive ports do not initiate negotiation, but only respond to the negotiation requests from active ports.

prio <1-65535>

Sets the priority value for the selected port. Lower numbers provide higher priority. The default value is 128.

adminkey <1-65535>

Sets the admin key for this port. Only ports with the same admin key and oper key (operational state generated internally) can form an LACP trunk group.

cur

Displays the current LACP configuration for this port.
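The mode, adminkey and priority rules described for /cfg/l2/lacp and /cfg/l2/lacp/port can be checked against a planned port layout before it is configured. The following is an added example, not Nortel code: it models which ports would end up active, standby, or excluded. It assumes, as in IEEE 802.3ad, that the system with the numerically lower system priority ranks the links with its own port priorities, and it breaks equal priorities by port number; both points and all names are assumptions not stated in this reference.

```python
# Added example: model of LACP trunk membership from the rules in this section.
from collections import defaultdict

MAX_ACTIVE = 8   # active physical ports per trunk group (from this section)
MAX_STANDBY = 8  # standby ports per trunk group (from this section)


def can_negotiate(local_mode, partner_mode):
    """Negotiation starts only if no end is off and at least one end is active."""
    modes = {local_mode, partner_mode}
    return "off" not in modes and "active" in modes


def plan_trunks(ports, local_sysprio=32768, partner_sysprio=32768):
    """Split ports into active, standby and excluded lists per admin key.

    ports: list of dicts with keys port, adminkey, mode, partner_mode,
    prio and partner_prio. Lower priority numbers mean higher priority.
    """
    # Assumption (802.3ad behaviour): the system with the lower system
    # priority value decides. A tie goes to the local switch here; the
    # standard compares MAC addresses instead.
    rank_key = "prio" if local_sysprio <= partner_sysprio else "partner_prio"

    plan = defaultdict(lambda: {"active": [], "standby": [], "excluded": []})
    eligible = defaultdict(list)
    for p in ports:
        if can_negotiate(p["mode"], p["partner_mode"]):
            eligible[p["adminkey"]].append(p)
        else:
            # Mode off, or passive on both ends: no LACPDU is ever initiated.
            plan[p["adminkey"]]["excluded"].append(p["port"])

    for key, members in eligible.items():
        # Port number as the tie-break is an assumption of this example.
        ordered = sorted(members, key=lambda p: (p[rank_key], p["port"]))
        numbers = [p["port"] for p in ordered]
        plan[key]["active"] = numbers[:MAX_ACTIVE]
        plan[key]["standby"] = numbers[MAX_ACTIVE:MAX_ACTIVE + MAX_STANDBY]
        plan[key]["excluded"] += numbers[MAX_ACTIVE + MAX_STANDBY:]
    return dict(plan)


def _port(port, adminkey, prio=128, mode="active",
          partner_mode="passive", partner_prio=128):
    """Build one constructed port record (128 is the documented default prio)."""
    return {"port": port, "adminkey": adminkey, "prio": prio, "mode": mode,
            "partner_mode": partner_mode, "partner_prio": partner_prio}


# Constructed sample: ten ports share admin key 100, two of them with a
# raised priority; admin key 200 has one passive/passive link and one port
# left in off mode.
SAMPLE_PORTS = (
    [_port(n, 100) for n in range(1, 9)]
    + [_port(9, 100, prio=10), _port(10, 100, prio=10)]
    + [_port(11, 200, mode="passive", partner_mode="passive"),
       _port(12, 200, mode="off", partner_mode="active")]
)

if __name__ == "__main__":
    for key, groups in plan_trunks(SAMPLE_PORTS).items():
        print(key, groups)
```

In the sample, ports 9 and 10 displace ports 7 and 8 into standby because of their lower priority value, and neither port under admin key 200 joins a trunk.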

/cfg/l2/vlan <VLAN number> VLAN Configuration

VLANs are commonly used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enforce security policies among logical segments. The commands in this menu configure VLAN attributes, change the status of the VLAN, delete the VLAN, and change the port membership of the VLAN.

By default, the VLAN menu option is disabled except for VLAN 1, which is enabled all the time.


[VLAN 1 Menu]
name - Set VLAN name
stg - Assign VLAN to a Spanning Tree Group
cont - Set BW contract
add - Add port to VLAN
rem - Remove port from VLAN
def - Define VLAN as list of ports
jumbo - Enable/disable Jumbo Frame support
learn - Enable/disable smac learning
ena - Enable VLAN
dis - Disable VLAN
del - Delete VLAN
cur - Display current VLAN configuration

VLAN Configuration Menu Options (/cfg/l2/vlan)

Command Syntax and Usage

name

Assigns a name to the VLAN or changes the existing name. The default VLAN name is the first one.

stg <Spanning Tree Group index (1-16)>

Assigns a VLAN to a Spanning Tree Group.

cont <BW Contract number, (1-1024)>

Sets the Bandwidth Management contract for this VLAN. The default contract number is 1024 on Nortel Application Switch.

add <port number>

Adds port(s) or trunk group(s) to the VLAN membership.

rem <port number>

Removes port(s) or trunk group(s) from this VLAN.

def <list of port numbers>

Defines which ports are members of this VLAN. Every port must be a member of at least one VLAN. By default, it defines ports between 1-28 for VLAN 1.

jumbo disable|enable

Enables or disables jumbo frame support on this VLAN. You need to reset the switch using the /boot/reset command to enable jumbo frames on the switch.

learn disable|enable

Enables or disables source MAC address learning on this VLAN.

ena

Enables this VLAN.

dis


Disables this VLAN without removing it from the configuration.

del

Deletes this VLAN.

cur

Displays the current VLAN configuration.

Note: All ports must belong to at least one VLAN. Any port which is removed from a VLAN and which is not a member of any other VLAN is automatically added to default VLAN #1. You cannot remove a port from VLAN #1 if the port has no membership in any other VLAN. Also, you cannot add a port to more than one VLAN unless the port has VLAN tagging turned on (see the tag command on tag disable|enable).

/cfg/l2/team <team number> Port Team Configuration

Port teams are used to operationally link ports and interfaces together.

[Port team 1 Menu]
addport - Add port to team
remport - Remove port from team
addtrunk - Add trunk group to team
remtrunk - Remove trunk group from team
ena - Enable port team
dis - Disable port team
del - Delete port team
cur - Display current port team configuration

"Port Team Configuration Menu" (page 292) outlines the commands in this menu.

Port Team Configuration Menu

Command Syntax and Usage

addport <port number>

Adds the specified port to the current team.

remport <port number>

Removes the specified port from the current team.

addtrunk <trunk group number>

Adds a trunk group to the current team.

remtrunk <trunk group number>

Removes a trunk group from the current team.


ena

Enables the port team.

dis

Disables the port team.

del

Deletes the port team.

cur

Displays the current port team configuration.

/cfg/l3 Layer 3 Configuration Menu

[Layer 3 Menu]
if - Interface Menu
gw - Default Gateway Menu
route - Static Route Menu
arp - ARP Menu
frwd - Forwarding Menu
nwf - Network Filters Menu
rmap - Route Map Menu
rip - Routing Information Protocol Menu
ospf - Open Shortest Path First (OSPF) Menu
bgp - Border Gateway Protocol Menu
port - IP Port Menu
dns - Domain Name System Menu
bootp - Bootstrap Protocol Relay Menu
vrrp - Virtual Router Redundancy Protocol Menu
rtrid - Set router ID
metrc - Set default gateway metric
cur - Display current IP configuration

Layer 3 Configuration Menu Options (/cfg/l3)

Command Syntax and Usage

if <interface number (1-256)>

Displays the IP Interface Menu. To view menu options, see "/cfg/l3/if interface number IP Interface Configuration" (page 295).

gw <default gateway number (1-259)>

Displays the IP Default Gateway Menu. To view menu options, see "/cfg/l3/gw gateway number Default IP Gateway Configuration" (page 297).

route


Displays the IP Static Route Menu. To view menu options, see "/cfg/l3/route IP Static Route Configuration" (page 298).

arp

Displays the Address Resolution Protocol menu. To view menu options, see "/cfg/l3/arp ARP Configuration Menu" (page 300).

frwd

Displays the IP Forwarding Menu. To view menu options, see "/cfg/l3/frwd IP Forwarding Configuration Menu" (page 301).

nwf <Network filter number (1-256)>

Displays the Network Filter Configuration Menu. To view menu options, see "/cfg/l3/nwf Network Filter Configuration" (page 304).

rmap <route map number (1-32)>

Displays the Route Map Menu. To view menu options, see "/cfg/l3/rmap route map number Route Map Configuration Menu" (page 304).

rip

Displays the Routing Information Protocol Menu. To view menu options, see "/cfg/l3/rip Routing Information Protocol Configuration" (page 308).

ospf

Displays the OSPF Menu. To view menu options, see "/cfg/l3/ospf Open Shortest Path First Configuration" (page 312).

bgp

Displays the Border Gateway Protocol Menu. To view menu options, see "/cfg/l3/bgp Border Gateway Protocol Configuration" (page 321).

port <port number>

Displays the IP Port Menu. To view menu options, see "/cfg/l3/port port number IP Forwarding Port Configuration Menu" (page 327).

dns

Displays the IP Domain Name System Menu. To view menu options, see "/cfg/l3/dns Domain Name System Configuration Menu" (page 327).

bootp

Displays the Bootstrap Protocol Menu. To view menu options, see "/cfg/l3/bootp Bootstrap Protocol Relay Configuration Menu" (page 328).

dscp

Displays Diffserv Bandwidth Menu. To view menu options, see "cfg/sys/ssnmp/snmpv3/view SNMPv3 View Configuration Menu" (page 237).

dscp


Displays the Diffserv Bandwidth Management Contract Menu. To view menu options, see "/cfg/bwm/group Bandwidth Management Group Configuration Menu" (page 277).

vrrp

Displays Virtual Router Redundancy Protocol Menu. To view menu options, see "/cfg/l3/vrrp VRRP Configuration Menu" (page 329).

rtrid <IP address (such as, 192.4.17.101)>

Defines the router ID.

metrc strict|roundrobin

Sets the default gateway metric for strict or roundrobin. The default gateway metric is strict. For more information on gateway metrics, see "/cfg/l3/metrc metric name Default Gateway Metrics" (page 344).

cur

Displays the current IP configuration.

/cfg/l3/if <interface number> IP Interface Configuration

[IP Interface 1 Menu]
ip6nd - IP6 Neighbor Discovery Menu
ipver - Set IP version
addr - Set IP address
mask - Set subnet mask/prefix len
vlan - Set VLAN number
relay - Enable/disable BOOTP relay
ena - Enable IP interface
dis - Disable IP interface
del - Delete IP interface
cur - Display current interface configuration

The Nortel Application Switch can be configured with up to 256 IP interfaces. Each IP interface represents the Nortel Application Switch on an IP subnet on your network. The Interface option is disabled by default.

IP Interface Menu Options (/cfg/l3/if)

Command Syntax and Usage

ip6nd

Opens the IPv6 Neighbor Discovery menu. This menu is used to enable or disable the sending of IPv6 Router Advertisement packets from this interface. For more information on this topic, refer to "/cfg/l3/if/ip6nd IPv6 Neighbor Discovery Menu" (page 296).


ipver <IP version (v4 or v6)>

Set the IP version.

addr <IP address (such as 192.4.17.101 for IPv4 or 3001::abcd:5678 for IPv6)>

Configures the IP address of the switch interface using dotted decimal notation for IPv4 and colon notation for IPv6.

mask <IP subnet mask for IPv4 or prefix length for IPv6 (such as 255.255.255.0 for IPv4 or 64 for IPv6)>

Configures the IP subnet address mask for the interface using dotted decimal notation for IPv4 or prefix length for IPv6.

vlan <VLAN number (1-4090)>

Configures the VLAN number for this interface. Each interface can belong to one VLAN, though any VLAN can have multiple IP interfaces in it.

relay disable|enable

Enables or disables the BOOTP relay on this interface. It is enabled by default.

ena

Enables this IP interface.

dis

Disables this IP interface.

del

Removes this IP interface.

cur

Displays the current interface settings.

/cfg/l3/if/ip6nd IPv6 Neighbor Discovery Menu

[IP6 Neighbor Discovery Menu]
rtradv - Enable/disable router advertisement

This menu is used to configure the sending of IPv6 Neighbor Discovery router advertisements from this interface.


IPv6 Neighbor Discovery Menu Options

Command Syntax and Usage

rtradv disable | enable

Enables or disables the sending of IPv6 Neighbor Discovery router advertisements from this interface.

/cfg/l3/gw <gateway number> Default IP Gateway Configuration

[Default gateway 1 Menu]
ipver - Set IP version
addr - Set IP address
intr - Set interval between ping attempts
retry - Set number of failed attempts to declare gateway DOWN
vlan - Set VLAN number
prio - Set priority of default gateway route
arp - Enable/disable ARP only health checks
ena - Enable default gateway
dis - Disable default gateway
del - Delete default gateway
cur - Display current default gateway configuration

Note: The switch can be configured with up to 255 gateways. Gateways one to four are reserved for default gateway load balancing. Gateways five to 259 are used for load-balancing of VLAN-based gateways.

This option is disabled by default.

Default Gateway Options (/cfg/l3/gw)

Command Syntax and Usage

ipver <IP version (v4 or v6)>

Set the IP version.

addr <default gateway address (such as, 192.4.17.44 for IPv4 or 3001::abcd:1234 for IPv6)>

Configures the IP address of the default IP gateway using dotted decimal notation for IPv4 and colon notation for IPv6.

intr <0-60 seconds>

The switch pings the default gateway to verify that it’s up. The intr option sets the time between health checks. The range is from 1 to 120 seconds. The default is 2 seconds.

retry <number of attempts (1-120)>


Sets the number of failed health check attempts required before declaring this default gateway inoperative. The range is from 1 to 120 attempts. The default is 8 attempts.

vlan <VLAN number (1-4090)>

Sets the VLAN to be assigned to this default IP gateway.

prio <high|low>

Allows you to change the priority of the default gateway route to either high or low, relative to learned default routes. If you set the priority to high, then the default gateway route will always be preferred over learned default routes (such as from OSPF, BGP, or RIP protocols). If you set the priority to low, then learned default routes will always be preferred over the default gateway route.

Note: By default, a learned default route has higher priority than the configured default gateway route.

arp disable|enable

Enables or disables Address Resolution Protocol (ARP) health checks. This command is disabled by default.

ena

Enables the gateway for use.

dis

Disables the gateway.

del

Deletes the gateway from the configuration.

cur

Displays the current gateway settings.

Default Gateway Metrics

For information about configuring which gateway is selected when multiple default gateways are enabled, see "/cfg/l3/metrc metric name Default Gateway Metrics" (page 344).

/cfg/l3/route IP Static Route Configuration

[IP Static Route Menu]
ip4 - IP4 Static Route Menu
ip6 - IP6 Static Route Menu


This menu provides access to the switch static route configuration functionality.

IP Static Route Configuration Menu Options (cfg/l3/route)

Command Syntax and Usage

ip4

Provides access to the IPv4 static route configuration menu. To view the menu options, see "/cfg/l3/route/ip4 IPv4 Static Route Configuration Menu" (page 299).

ip6

Provides access to the IPv6 static route configuration menu. To view the menu options, see "/cfg/l3/route/ip6 IPv6 Static Route Configuration Menu" (page 299).

/cfg/l3/route/ip4 IPv4 Static Route Configuration Menu

[IP4 Static Route Menu]
add - Add IP4 static route
rem - Remove IP4 static route
cur - Display current IP4 static route configuration

This menu is used to configure IPv4 static routes.

IP Static Route Configuration Menu Options (cfg/l3/route)

Command Syntax and Usage

add <destination mask gateway> [interface number]

Adds a static route. To complete the entry, enter a destination IP address, destination subnet mask, and gateway address. Enter all addresses using dotted decimal notation. If a gateway address is 0.0.0.0, the route becomes a black hole route. Packets routed to such a destination will be dropped.

rem <destination mask>

Removes a static route. The destination address of the route to remove must be specified using dotted decimal notation.

cur

Displays the current IPv4 static routes.

/cfg/l3/route/ip6 IPv6 Static Route Configuration Menu

[IP6 Static Route Menu]
add - Add IP6 static route
rem - Remove IP6 static route
cur - Display current IP6 static route configuration

This menu is used to configure IPv6 static routes.

IP Static Route Configuration Menu Options (cfg/l3/route)

Command Syntax and Usage

add <destination prefix length next hop> [interface number]

Adds a static route. To complete the entry, enter a destination IPv6 address, prefix length, and next hop address. Enter all information using the IPv6 addressing format.

rem <destination prefix length>

Removes a static route. The destination address of the route to remove must be specified using the IPv6 addressing format.

cur

Displays the current IPv6 static routes.

/cfg/l3/arp ARP Configuration Menu

Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet layer. ARP resolves a physical address from an IP address. ARP queries machines on the local network for their physical addresses. ARP also maintains IP to physical address pairs in its cache memory. In any IP communication, the ARP cache is consulted to see if the IP address of the computer or the router is present in the ARP cache. Then the corresponding physical address is used to send a packet.

[ARP Menu]
static - Static ARP Menu
rearp - Set re-ARP period in minutes
cur - Display current ARP configuration

ARP Configuration Menu Options (/cfg/l3/arp)

Command Syntax and Usage

static

Displays Static ARP menu. To view options, see "/cfg/l3/arp/static ARP Static Configuration Menu" (page 301).

rearp <2-120 minutes>


Defines re-ARP period in minutes. You can set this duration between two and 120 minutes.

cur

Displays the current ARP configurations.

/cfg/l3/arp/static ARP Static Configuration Menu

Static ARP entries are permanent in the ARP cache and do not age out like the ARP entries that are learned dynamically. Static ARP entries enable the switch to reach the hosts without sending an ARP broadcast request to the network. Static ARPs are also useful to communicate with devices that do not respond to ARP requests. Static ARPs can also be configured on some gateways as a protection against malicious ARP cache corruption and possible DoS attacks.

Note: Nortel Application Switch Operating System 21.0 and above allows the static ARP configuration to be retained over reboots. Nortel Application Switch Operating System 20.x and below allow the user to configure the ARP information but that information cannot be retained over a switch reboot.

[Static ARP Menu]
add - Add a permanent ARP entry
del - Delete an ARP entry
cur - Display current static ARP configuration

ARP Static Configuration Menu Options (/cfg/l3/arp/static)

Command Syntax and Usage

add <IP address MAC address VLAN number port number>

Adds a permanent ARP entry.

del <IP address (such as, 192.4.17.101)>

Deletes a permanent ARP entry.

cur

Displays current static ARP configuration.

/cfg/l3/frwd

IP Forwarding Configuration Menu

IP Forwarding Configuration Menu Options (/cfg/l3/frwd)

Command Syntax and Usage

local

Displays the menu used to define local network for route caching. Up to 15 local networks (lnets) can be configured. To view menu options, see "/cfg/l3/frwd/local Local Network Route Caching Definition" (page 302).

dirbr disable|enable

Enables or disables forwarding directed broadcasts. This command is disabled by default.

on

Enables IP forwarding (routing) on the Nortel Application Switch.

off

Disables IP forwarding (routing) on the Nortel Application Switch. Forwarding is turned on by default.

cur

Displays the current IP forwarding settings.

/cfg/l3/frwd/local
Local Network Route Caching Definition

This menu is used for adding local networks by setting the local network address and netmask for the route cache, and to remove local networks.

[IP Local Networks Menu]
    add - Add local network definition
    add6 - Add local network v6 definition
    rem - Remove local network definition
    rem6 - Remove local network v6 definition
    cur - Display current local network definitions

IP Local Networks Menu Options (/cfg/l3/frwd/local)

Command Syntax and Usage

add <local network address local network mask>

Adds a definition for a local network. For details, see "Defining IP Address Ranges for the Local Route Cache" (page 303).

add6 <local network IPv6 address prefix length>

Adds a definition for an IPv6 local route.

rem <local network address local network mask>

Removes a definition for a local network.

rem6 <local network IPv6 address prefix length>

Removes a definition for an IPv6 local route.

cur

Displays the current local network definitions.

Defining IP Address Ranges for the Local Route Cache

The Local Route Cache lets you use switch resources more efficiently, by reducing the size of the ARP table on the Nortel Application Switch. The /cfg/l3/frwd/local/add parameters define a range of addresses that will be cached on the Nortel Application Switch. The local network address is used to define the base IP address in the range which will be cached, and the local network mask is the mask which is applied to produce the range. To determine if a route should be added to the memory cache, the destination address is masked (bitwise AND) with the local network mask and checked against the local network address.

By default, the local network address and mask are both set to 0.0.0.0. This produces a range that includes all Internet addresses for route caching: 0.0.0.0 through 255.255.255.255.

Addresses to be cached are subnets that are directly connected and for which there is an interface configured on the Nortel Application Switch. To limit the route cache to your local hosts, you could configure the parameters as shown in the examples in the following table.

Local Routing Cache Address Ranges

Local Host Address Range       Address       Mask
0.0.0.0 - 127.255.255.255      0.0.0.0       128.0.0.0
128.0.0.0 - 255.255.255.255    128.0.0.0     128.0.0.0
205.32.0.0 - 205.32.255.255    205.32.0.0    255.255.0.0

Note: All addresses that fall outside the defined range are forwarded to the default gateway. The default gateways must be within range.
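The masking rule above, worked through in Python as an added example (not code from Nortel or from this reference): lnet_range reproduces the table rows, and audit_lnets flags default gateways that fall outside every configured range. The function names, sample networks and gateway addresses are assumptions constructed for illustration; the "unmatchable" check follows from the rule as written and says nothing about whether the switch normalises the address it is given.

```python
import ipaddress


def ip_int(value):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(value))


def lnet_matches(dst, addr, mask):
    """Rule from the text: mask the destination (bitwise AND) with the
    local network mask and compare it with the local network address."""
    return (ip_int(dst) & ip_int(mask)) == ip_int(addr)


def lnet_is_matchable(addr, mask):
    """Under that rule, an address with bits set outside its mask can never
    equal a masked destination, so such a definition selects nothing."""
    return (ip_int(addr) & ip_int(mask)) == ip_int(addr)


def lnet_range(addr, mask):
    """First and last address selected by addr/mask (contiguous masks only)."""
    a, m = ip_int(addr), ip_int(mask)
    host_bits = ~m & 0xFFFFFFFF
    if host_bits & (host_bits + 1):          # host part must be 2**k - 1
        raise ValueError(f"mask {mask} is not contiguous")
    if not lnet_is_matchable(addr, mask):
        raise ValueError(f"{addr} has bits set outside mask {mask}")
    return (str(ipaddress.IPv4Address(a)),
            str(ipaddress.IPv4Address(a | host_bits)))


def is_cached(dst, lnets):
    """True if any local network definition selects the destination."""
    return any(lnet_matches(dst, a, m) for a, m in lnets)


def audit_lnets(lnets, gateways):
    """Return (finding, detail) pairs for definitions that select nothing
    and for default gateways that no definition covers."""
    findings = []
    for addr, mask in lnets:
        if not lnet_is_matchable(addr, mask):
            findings.append(("unmatchable-lnet", f"{addr} {mask}"))
    for gw in gateways:
        if not is_cached(gw, lnets):
            findings.append(("gateway-out-of-range", gw))
    return findings


# Constructed sample values (assumptions, not taken from a real switch).
SAMPLE_LNETS = [("205.32.0.0", "255.255.0.0"),
                ("10.1.1.7", "255.255.255.0")]   # host bits set in address
SAMPLE_GATEWAYS = ["205.32.4.1", "192.0.2.1"]

if __name__ == "__main__":
    for addr, mask in [("0.0.0.0", "128.0.0.0"),
                       ("128.0.0.0", "128.0.0.0"),
                       ("205.32.0.0", "255.255.0.0")]:
        first, last = lnet_range(addr, mask)
        print(f"{first} - {last}  {addr}  {mask}")
    for finding, detail in audit_lnets(SAMPLE_LNETS, SAMPLE_GATEWAYS):
        print(finding, detail)
```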

/cfg/l3/nwf
Network Filter Configuration

[IP Network Filter 1 Menu]
    addr - IP Address
    mask - IP Subnet mask
    enable - Enable Network Filter
    disable - Disable Network Filter
    delete - Delete Network Filter
    cur - Display current Network Filter configuration

IP Network Filter Menu Options (/cfg/l3/nwf)

Command Syntax and Usage

addr <IP address (such as, 192.4.17.44)>

Sets the starting IP address for this filter. The default address is 0.0.0.0.

mask <IP4 subnet mask (such as, 255.255.255.0) | IP6 mask prefix len (eg, 64)>

Sets the IP subnet mask that is used with /cfg/l3/nwf/addr to define the range of IP addresses that will be accepted by the peer when the filter is enabled. The default value is 0.0.0.0.

For Border Gateway Protocol (BGP), assign the network filter to a route map, then assign the route map to the peer.

enable

Enables the Network Filter configuration.

disable

Disables the Network Filter configuration.

delete

Deletes the Network Filter configuration.

cur

Displays the current Network Filter configuration. For example:

Current Network Filter 1:
    addr 0.0.0.0, mask 0.0.0.0, disabled

/cfg/l3/rmap <route map number>
Route Map Configuration Menu

Route maps control and modify routing information.

Note: The map number (1-32) represents the routing map you wish to configure.

[IP Route Map 1 Menu]
    alist - Access List number
    aspath - AS Filter Menu
    ap - Set as-path prepend of the matched route
    lp - Set local-preference of the matched route
    metric - Set metric of the matched route
    type - Set OSPF metric-type of the matched route
    prec - Set the precedence of this route map
    weight - Set weight of the matched route
    enable - Enable route map
    disable - Disable route map
    delete - Delete route map
    cur - Display current route map configuration

Routing Map Menu Options (/cfg/l3/rmap)

Command Syntax and Usage

alist <number (1-8)>

Displays the Access List menu. For more information, see "/cfg/l3/rmap route map number /alist access list number IP Access List Configuration Menu" (page 306).

aspath <number (1-8)>

Displays the Autonomous System (AS) Filter menu. For more information, see "/cfg/l3/rmap route map number aspath autonomous system path Autonomous System Filter Path" (page 307).

ap <AS number> [ AS number ] [ <AS number> ]|none

Sets the AS path preference of the matched route. One to three path preferences can be configured.

lp <(value 0-4294967294)> |none

Sets the local preference of the matched route, which affects both inbound and outbound directions. The path with the higher preference is preferred.

metric <(value 0-4294967294)> |none

Sets the metric of the matched route.

type <value (1|2)> |none

Assigns the type of OSPF metric. The default is type 1.

• Type 1: External routes are calculated using both internal and external metrics.

• Type 2: External routes are calculated using only the external metrics. Type 1 routes have more cost than Type 2.

• none: Removes the OSPF metric.

prec <value (1-255)>

Sets the precedence of the route map. The smaller the value, the higher the precedence. Default value is 10.

weight <value (0-65534)> |none

Sets the weight of the route map.

enable

Enables the route map.

disable

Disables the route map.

delete

Deletes the route map.

cur

Displays the current route configuration.

/cfg/l3/rmap <route map number> /alist <access list number>
IP Access List Configuration Menu

Note: The route map number (1-32) and the access list number (1-8) represent the IP access list you wish to configure.

[IP Access List 1 Menu]
    nwf - Network Filter number
    metric - Metric
    action - Set Network Filter action
    enable - Enable Access List
    disable - Disable Access List
    delete - Delete Access List
    cur - Display current Access List configuration

IP Access List Menu Options (/cfg/l3/rmap/alist)

Command Syntax and Usage

nwf <network filter number (1-256)>

Sets the network filter number. See "/cfg/l3/nwf Network Filter Configuration" (page 304) for details.

metric <(1-4294967294)> |none

Sets the metric value in the AS-External (ASE) LSA.

action permit|deny or p|d

Permits or denies action for the access list.

enable

Enables the access list.

disable

Disables the access list.

delete

Deletes the access list.

cur

Displays the current Access List configuration.

/cfg/l3/rmap <route map number> aspath <autonomous system path>
Autonomous System Filter Path

Note: The rmap number (1-32) and the path number (1-8) represent the AS path you wish to configure.

[AS Filter 1 Menu]
    as - AS number
    action - Set AS Filter action
    enable - Enable AS Filter
    disable - Disable AS Filter
    delete - Delete AS Filter
    cur - Display current AS Filter configuration

AS Filter Menu Options (/cfg/l3/rmap/aspath)

Command Syntax and Usage

as <AS number (1-65535)>

Sets the Autonomous System filter’s path number.

action permit|deny or p|d

Permits or denies Autonomous System filter action.

enable

Enables the Autonomous System filter.

disable

Disables the Autonomous System filter.

delete

Deletes the Autonomous System filter.

cur

Displays the current Autonomous System filter configuration.

/cfg/l3/rip
Routing Information Protocol Configuration

The Routing Information Protocol (RIP) is an interior gateway protocol (IGP). RIP is one of a class of algorithms known as distance vector algorithms. The distance or hop count is used as the metric to determine the best path to a remote network or host where the hop count does not exceed 15 hops assuming a cost of one for each network. RIP uses broadcast User Datagram Protocol (UDP) data packets to exchange routing information.

RIP sends routing information updates every 30 seconds. This update contains known networks and the distances (hop count) associated with each one. For RIP1, no mask information is exchanged; the natural mask is always applied by the router receiving the update. For RIP2, mask information is sent. There are two timers associated with each route: a timeout and garbage-collection timer. Upon expiration of the timeout timer, the route is no longer valid but it is retained in the routing table for a short time so that neighbors can be notified that the route has been dropped. Upon expiration of the garbage-collection timer, the route is finally removed from the routing table. The timeout timer is set for 180 seconds and the garbage-collection timer is set for 120 seconds by default.

The menu below is used for configuring Routing Information Protocol parameters globally. The Routing Information Protocol is turned off by default.

[Routing Information Protocol Menu]
    if - RIP Interface Menu
    update - Set update period in seconds
    vip - Enable/disable vip advertisement
    statc - Enable/disable static routes advertisement
    on - Globally turn RIP ON
    off - Globally turn RIP OFF
    current - Display current RIP configuration

Routing Information Protocol Menu (/cfg/l3/rip)

Command Syntax and Usage

if <Interface Number (1-256)>

Go to the RIP Interface menu. See "/cfg/l3/rip/if RIP Interface Menu" (page 309).

update <update period (1-120 seconds)>

Sets the RIP update period in seconds. It is set at 30 seconds by default.

vip disable|enable

Enables or disables the advertisement of virtual IP addresses as Host Routes. If a VIP route exists in a routing table, it will always be advertised except when it is included in another network route that is already being advertised.

Note: If all real servers behind a VIP go down, the route gets removed from the routing table, and will not be advertised. If all the real servers are disabled using an operation command, the VIP route does not get eliminated from the routing table, and the switch will continue to advertise the route.

statc disable|enable

Enables or disables the advertisement of static routes.

on

Globally turns RIP ON.

off

Globally turns RIP OFF.

cur

Displays the current RIP configuration.

/cfg/l3/rip/if
RIP Interface Menu

[RIP Interface 1 Menu]
    version - Set RIP version
    supply - Enable/disable supplying route updates
    listen - Enable/disable listening to route updates
    poison - Enable/disable poisoned reverse
    trigg - Enable/disable triggered updates
    mcast - Enable/disable multicast updates
    default - Set default route action
    metric - Set metric
    auth - Set authentication type
    key - Set authentication key
    enable - Enable interface
    disable - Disable interface
    current - Display current RIP interface configuration

RIP Menu Options

Command Syntax and Usage

version 1|2|both

Set the RIP version. The default value is 2.

supply disable|enable

Enables or disables supplying route updates. When enabled, the switch supplies routes to other routers. This is enabled by default.

listen disable|enable

When enabled, the switch stores routing information from other routers. The default is enabled.

poison disable|enable

When enabled, the switch uses split horizon with poisoned reverse. The default is disabled. When disabled, the switch uses split horizon only.

mcast disable|enable

Enable or disable triggered updates. The default is enabled.

default none|listen|supply|both

Set the default route action. The default action is none.

metric <value [1-15]>

Set metric value for this RIP interface. The default value is 1.

auth none|password

Set the type of authentication. The default value is none.

key <key|none (to remove existing key value)>

Set the authentication key. The default value is none.

enable

Enable the interface.

disable

Disable the interface.

current

Displays current values of all objects settable from this menu.

/cfg/l3/rip/if
RIP Interface Configuration Menu

[RIP Interface 1 Menu]
    version - Set RIP version
    supply - Enable/disable supplying route updates
    listen - Enable/disable listening to route updates
    default - Set default route action
    poison - Enable/disable poisoned reverse
    trigg - Enable/disable triggered updates
    mcast - Enable/disable multicast updates
    metric - Set metric
    auth - Set authentication type
    key - Set authentication key
    enable - Enable interface
    disable - Disable interface
    current - Display current RIP interface configuration

RIP Interface Configuration Menu Options (/cfg/l3/rip/if)

Command Syntax and Usage

version 1|2

Defines the version of Routing Information Protocol between RIP1 and RIP2.

supply disable|enable

This command is disabled by default. When enabled, the switch supplies routes to other routers.

listen disable|enable

This command is disabled by default. When enabled, the switch learns routes from other routers.

default disable|enable

This command is disabled by default. When enabled, the switch accepts RIP default routes from other routers, but gives them lower priority than configured gateways. When disabled, the switch rejects RIP default routes.

poison disable|enable

This command is disabled by default. When enabled, the switch uses split horizon with poisoned reverse. When disabled, the switch uses only split horizon.

trigg disable|enable

This command is disabled by default. When enabled, this command allows sending out the routing updates immediately without waiting for the update interval period to lapse. This happens typically when the metric changes for a route.

mcast disable|enable

This command is disabled by default. When enabled, this command allows the routing update to be sent to a Multicast address.

metric <value [1-15]>

This command is disabled by default. When enabled, this command allows you to define the interface metric cost, which is a number (1-15) added to the received routes before they are installed in the routing table.

auth none|password

This command allows the user to enable or disable authentication for RIP messages. Authentication is disabled by default. You can specify none for no authentication or password for simple text password authentication.

key <key>

This command allows the user to define RIP authentication password for authenticating incoming RIP updates. This password can also be added for outgoing RIP messages.

enable

Enables RIP protocol for individual interfaces. When enabled, listen and supply of RIP routes is enabled for the interface.

disable

Disables RIP protocol for individual interfaces. RIP protocol is disabled for each configured interface by default.

current

Displays the current RIP configuration.

/cfg/l3/ospf
Open Shortest Path First Configuration

Nortel Application Switch Operating System supports the Open Shortest Path First (OSPF) routing protocol. The Nortel Application Switch Operating System implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583.

OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed. For more information on how to configure OSPF on the switch, refer to the Nortel Application Switch Operating System Application Guide.

[Open Shortest Path First Menu]
    aindex - OSPF Area (index) Menu
    range - OSPF Summary Range Menu
    if - OSPF Interface Menu
    virt - OSPF Virtual Links Menu
    md5key - OSPF MD5 Key Menu
    host - OSPF Host Entry Menu
    redist - OSPF Route Redistribute Menu
    lsdb - Set the LSDB limit for external LSA
    default - Export default route information
    on - Globally turn OSPF ON
    off - Globally turn OSPF OFF
    cur - Display current OSPF configuration

OSPF Configuration Menu Options (/cfg/l3/ospf)

Command Syntax and Usage

aindex <area index (0-2)>

Displays the area index menu. This area index does not represent the actual OSPF area number. See "/cfg/l3/ospf/aindex Area Index Configuration Menu" (page 314) to view menu options.

range <range number (1-16)>

Displays summary routes menu for up to 16 IP addresses. See "/cfg/l3/ospf/range OSPF Summary Range Configuration Menu" (page 315) to view menu options.

if <interface number (1-255)>

Displays the OSPF interface configuration menu. See "/cfg/l3/ospf/if OSPF Interface Configuration Menu" (page 316) to view menu options.

virt <virtual link (1-3)>

Displays the Virtual Links menu used to configure OSPF for a Virtual Link. See "/cfg/l3/ospf/virt OSPF Virtual Link Configuration Menu" (page 317) to view menu options.

md5key <key ID (1-255)>

Assigns a string to MD5 authentication key. See

host <host entry number (1-128)>

Displays the menu for configuring OSPF for the host routes. Up to 128 host routes can be configured. Host routes are used for advertising network device IP addresses to external networks to perform server load balancing within OSPF. It also makes Area Border Route (ABR) load sharing and ABR failover possible. See "/cfg/l3/ospf/host OSPF Host Entry Configuration Menu" (page 319) to view menu options.

redist <fixed|static|rip|ebgp|ibgp>

Displays Route Distribution Menu. See "/cfg/l3/ospf/redist fixed|static|rip|ebgp|ibgp OSPF Route Redistribution Configuration Menu." (page 320) to view menu options.

lsdb <LSDB limit (0-2000, 0 for no limit)>

Sets the link state database limit.

default <metric (1-16777215) metric-type 1|2> |none

Sets one default route among multiple choices in an area. Use none for no default.

on

Enables OSPF on the Nortel Application Switch.

off

Disables OSPF on the Nortel Application Switch.

cur

Displays the current OSPF configuration settings.

/cfg/l3/ospf/aindex
Area Index Configuration Menu

[OSPF Area (index) 1 Menu]
    areaid - Set area ID
    type - Set area type
    metric - Set stub area metric
    auth - Set authentication type
    spf - Set time interval between two SPF calculations
    enable - Enable area
    disable - Disable area
    delete - Delete area
    cur - Display current OSPF area configuration

Area Index Configuration Menu Options (/cfg/l3/ospf/aindex)

Command Syntax and Usage

areaid <IP address (such as, 192.4.17.101)>

Defines the IP address of the OSPF area number.

type transit|stub|nssa

Defines the type of area. For example, when a virtual link has to be established with the backbone, the area type must be defined as transit.

Transit area: allows area summary information to be exchanged between routing devices. Any area that is not a stub area or NSSA is considered to be transit area.

Stub area: is an area where external routing information is not distributed. Typically, a stub area is connected to only one other area.

NSSA: Not-So-Stubby Area (NSSA) is similar to stub area with additional capabilities. For example, routes originating from within the NSSA can be propagated to adjacent transit and backbone areas. External routes from outside the Autonomous System (AS) can be advertised within the NSSA but are not distributed into other areas.

metric <metric value (1-65535)>

Configures a stub area to send a numeric metric value. All routes received via that stub area carry the configured metric to potentially influence routing decisions.

Metric value assigns the priority for choosing the switch for default route. Metric type determines the method for influencing routing decisions for external routes.

auth none|password|md5

None: No authentication required.

Password: Authenticates simple passwords so that only trusted routing devices can participate.

MD5: This parameter is used when MD5 cryptographic authentication is required.

spf <interval (0-255)>

Sets time interval between two successive SPF (shortest path first) calculations of the shortest path tree using Dijkstra's algorithm.

enable

Enables the OSPF area.

disable

Disables the OSPF area.

delete

Deletes the OSPF area.

cur

Displays the current OSPF configuration.

/cfg/l3/ospf/range
OSPF Summary Range Configuration Menu

[OSPF Summary Range 1 Menu]
    addr - Set IP address
    mask - Set IP mask
    aindex - Set area index
    hide - Enable/disable hide range
    enable - Enable range
    disable - Disable range
    delete - Delete range
    cur - Display current OSPF summary range configuration

OSPF Summary Range Configuration Menu Options (/cfg/l3/ospf/range)

Command Syntax and Usage

addr <IP Address (such as, 192.4.17.101)>

Displays the base IP address for the range.

mask <IP address (such as, 192.4.17.101)>

Displays the IP address mask for the range.

aindex <area index [0-2]>

Displays the area index used by the Nortel Application Switch.

hide disable|enable

Hides the OSPF summary range.

enable

Enables the OSPF summary range.

disable

Disables the OSPF summary range.

delete

Deletes the OSPF summary range.

cur

Displays the current OSPF summary range.

/cfg/l3/ospf/if
OSPF Interface Configuration Menu

[OSPF Interface 1 Menu]
    aindex - Set area index
    prio - Set interface router priority
    cost - Set interface cost
    hello - Set hello interval in seconds
    dead - Set dead interval in seconds
    trans - Set transit delay in seconds
    retra - Set retransmit interval in seconds
    key - Set authentication key
    mdkey - Set MD5 key ID
    enable - Enable interface
    disable - Disable interface
    delete - Delete interface
    cur - Display current OSPF interface configuration

OSPF Interface Configuration Menu Options (/cfg/l3/ospf/if)

Command Syntax and Usage

aindex <area index (0-2)>

Displays the OSPF area index.

prio <priority value (0-255)>

Displays the assigned priority value to the Nortel Application Switch's OSPF interfaces.

(A priority value of 127 is the highest and 1 is the lowest. A priority value of 0 specifies that the interface cannot be used as Designated Router (DR) or Backup Designated Router (BDR).)

cost <cost value (1-65535)>

Displays cost set for the selected path (preferred or backup). Usually the cost is inversely proportional to the bandwidth of the interface. Low cost indicates high bandwidth.

hello <value (1-65535)>

Displays the interval in seconds between the hello packets for the interfaces.

dead <value (1-65535)>

Displays the health parameters of a hello packet, which is set for an interval of seconds before declaring a silent router to be down.

trans <value (0-3600)>

Displays the transit delay in seconds.

retra <value (0-3600)>

Displays the retransmit interval in seconds.

key <key |none>

Sets the authentication key to clear the password.

mdkey <key ID (1-255)> |none

Assigns an MD5 key to the interface.

enable

Enables OSPF interface.

disable

Disables OSPF interface.

delete

Deletes OSPF interface.

cur

Displays the current settings for OSPF interface.

/cfg/l3/ospf/virt

OSPF Virtual Link Configuration Menu

[OSPF Virtual Link 1 Menu]
    aindex - Set area index
    hello - Set hello interval in seconds
    dead - Set dead interval in seconds
    trans - Set transit delay in seconds
    retra - Set retransmit interval in seconds
    nbr - Set router ID of virtual neighbor
    key - Set authentication key
    mdkey - Set MD5 key ID
    enable - Enable interface
    disable - Disable interface
    delete - Delete interface
    cur - Display current OSPF interface configuration

OSPF Virtual Link Configuration Menu Options (/cfg/l3/ospf/virt)

Command Syntax and Usage

aindex <area index (0-2)>

Displays the OSPF area index.

hello <value (1-65535)>

Displays the authentication parameters of a hello packet, which is set to be in an interval of seconds.

dead <value (1-65535)>

Displays the health parameters of a hello packet, which is set to be in an interval of seconds. Default is 40 seconds.

trans <value (1-3600)>

Displays the delay in transit in seconds. Default is one second.

retra <value (1-3600)>

Displays the retransmit interval in seconds. Default is five seconds.

nbr <nbr router ID (IP address)>

Displays the router ID of the virtual neighbor. Default is 0.0.0.0.

key <key> |none

Displays the password (up to eight characters) for each virtual link. Default is none.

mdkey <key ID (1-255)> |none

Sets MD5 key ID for each virtual link. Default is none.

enable

Enables OSPF virtual link.

disable

Disables OSPF virtual link.

delete

Deletes OSPF virtual link.

cur

Displays the current OSPF virtual link settings.

/cfg/l3/ospf/md5key
OSPF MD5 Key Configuration Menu

[OSPF MD5 Key 1 Menu]
    key - Set authentication key
    delete - Delete key
    cur - Display current MD5 key configuration

OSPF MD5 Key Configuration Menu Options (/cfg/l3/ospf/md5key)

Command Syntax and Usage

key <key, up to 16 chars>

Sets the authentication key up to 16 characters for this OSPF packet.

delete

Deletes the authentication key for this OSPF packet.

cur

Displays the current MD5 key configuration.
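An added example (not Nortel's code) that audits the authentication choices described in the RIP interface, OSPF area, OSPF interface and MD5 key menus above: enabled RIP interfaces or OSPF areas left at none or password, and OSPF interfaces in an md5 area without a usable key. The listing layout, key values and finding names are constructed for illustration, and the script assumes an interface in an area set to md5 needs an mdkey that points at a defined md5key entry.

```python
# SAMPLE is a constructed listing, not captured from a switch. Menu paths and
# command names come from this reference; the text layout is an assumption.
SAMPLE = """\
/cfg/l3/rip/if 1
    enable
    auth none
/cfg/l3/rip/if 2
    enable
    auth password
    key EXAMPLE-KEY
/cfg/l3/rip/if 3
    auth none
    disable
/cfg/l3/ospf/aindex 0
    enable
    auth md5
/cfg/l3/ospf/aindex 1
    enable
    auth password
/cfg/l3/ospf/if 1
    aindex 0
    mdkey 1
    enable
/cfg/l3/ospf/if 2
    aindex 0
    enable
/cfg/l3/ospf/if 3
    aindex 0
    mdkey 7
    enable
/cfg/l3/ospf/md5key 1
    key EXAMPLE-KEY
"""


def parse(text):
    """Return {(menu_path, index): {command: argument}} from the listing."""
    menus, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/cfg/"):
            path, _, index = line.partition(" ")
            current = menus.setdefault((path, index.strip()), {})
        elif current is not None:
            cmd, _, arg = line.partition(" ")
            if cmd in ("enable", "disable"):
                current["state"] = cmd          # the last one seen wins
            else:
                current[cmd] = arg.strip()
    return menus


def audit_routing_auth(menus):
    """Return sorted (menu, finding) pairs for menus the listing enables."""
    defined_keys = {idx for (path, idx), s in menus.items()
                    if path == "/cfg/l3/ospf/md5key"
                    and s.get("key", "none") != "none"}
    area_auth = {idx: s.get("auth") for (path, idx), s in menus.items()
                 if path == "/cfg/l3/ospf/aindex"}
    findings = []
    for (path, idx), s in sorted(menus.items()):
        if s.get("state") != "enable":
            continue                            # only audit what is switched on
        where = f"{path} {idx}"
        if path == "/cfg/l3/rip/if":
            auth = s.get("auth", "none")        # reference: default is none
            if auth == "none":
                findings.append((where, "no-auth"))
            elif auth == "password":            # simple text password
                findings.append((where, "cleartext-password"))
        elif path == "/cfg/l3/ospf/aindex":
            auth = s.get("auth")                # no default stated on the page
            if auth is None:
                findings.append((where, "auth-not-set"))
            elif auth == "none":
                findings.append((where, "no-auth"))
            elif auth == "password":
                findings.append((where, "cleartext-password"))
        elif path == "/cfg/l3/ospf/if":
            if area_auth.get(s.get("aindex")) == "md5":
                mdkey = s.get("mdkey", "none")
                if mdkey == "none":
                    findings.append((where, "md5-area-without-mdkey"))
                elif mdkey not in defined_keys:
                    findings.append((where, "mdkey-not-defined"))
    return findings


if __name__ == "__main__":
    for where, finding in audit_routing_auth(parse(SAMPLE)):
        print(f"{where}: {finding}")
```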

/cfg/l3/ospf/host
OSPF Host Entry Configuration Menu

[OSPF Host Entry 1 Menu]
    addr - Set host entry IP address
    aindex - Set area index
    cost - Set cost of this host entry
    enable - Enable host entry
    disable - Disable host entry
    delete - Delete host entry
    cur - Display current OSPF host entry configuration

OSPF Host Entry Configuration Menu Options (/cfg/l3/ospf/host)

Command Syntax and Usage

addr <IP address (such as, 192.4.17.101)>

Displays the base IP address for the host entry.

aindex <area index [0-2]>

Displays the area index of the host.

cost <cost value [1-65535]>

Displays the cost value of the host.

enable

Enables OSPF host entry.

disable

Disables OSPF host entry.

delete

Deletes OSPF host entry.

cur

Displays the current OSPF host entries.

/cfg/l3/ospf/redist <fixed|static|rip|ebgp|ibgp>
OSPF Route Redistribution Configuration Menu.

[OSPF Redistribute Fixed Menu]
    add - Add rmap into route redistribution list
    rem - Remove rmap from route redistribution list
    export - Export all routes of this protocol
    cur - Display current route-maps added

OSPF Route Redistribution Menu Options (/cfg/l3/ospf/redist)

Command Syntax and Usage

add <(route map (1-32) route map (1-32))> |all

Adds selected routing maps to the rmap list. To add all the 32 route maps, enter all. To add specific route maps, enter routing map numbers one per line, NULL at the end.

This option adds a route map to the route redistribution list. The routes of the redistribution protocol matched by the route maps in the route redistribution list will be redistributed.

rem <(route map (1-32) route map (1-32))> ... |all

Removes the route map from the route redistribution list.

Removes routing maps from the rmap list. To remove all 32 route maps, enter all. To remove specific route maps, enter routing map numbers one per line, NULL at end.

export <metric (1-16777215) metric type (1|2)> |none

Exports the routes of this protocol as external OSPF AS-external LSAs in which the metric and metric type are specified. To remove a previous configuration and stop exporting the routes of the protocol, enter none.

cur

Displays the current route map settings.

/cfg/l3/bgp
Border Gateway Protocol Configuration

Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to share routing information with each other and advertise information about the segments of the IP address space they can access within their network with routers on external networks. BGP allows you to decide what is the "best" route for a packet to take from your network to a destination on another network, rather than simply setting a default route from your border router(s) to your upstream provider(s). You can configure BGP either within an autonomous system or between different autonomous systems. When run within an autonomous system, it is called internal BGP (iBGP). When run between different autonomous systems, it is called external BGP (eBGP). BGP is defined in RFC 1771.

The BGP Menu enables you to configure the switch to receive routes and to advertise static routes, fixed routes and virtual server IP addresses with other internal and external routers.

BGP is turned off by default.

[Border Gateway Protocol Menu]
    peer    - Peer menu
    aggr    - Aggregation menu
    as      - Set Autonomous System (AS) number
    maxpath - Set Max AS Path Length
    pref    - Set Local Preference
    on      - Globally turn BGP ON
    off     - Globally turn BGP OFF
    cur     - Display current BGP configuration

Note: Fixed routes are subnet routes. There is one fixed route per IP interface.

Border Gateway Protocol Menu (/cfg/l3/bgp)

Command Syntax and Usage

peer <peer number (1-16)>

Displays the menu used to configure each BGP peer. Each border router, within an autonomous system, exchanges routing information with routers on other external networks. To view menu options, see "/cfg/l3/bgp/peer peer number BGP Peer Configuration Menu" (page 322).

aggr <aggregate number (1-16)>

Displays the Aggregation Menu. To view menu options, see "/cfg/l3/bgp/aggr aggregate number BGP Aggregate Routing Configuration Menu" (page 326).

as <autonomous system number (1-65535)>

Sets Autonomous System Number for this autonomous system.

An autonomous system (AS) is the unit of router policy, either a single network or a group of networks that is controlled by a common network administrator on behalf of an administrative entity (such as a university, a business enterprise, or a business division). An autonomous system is assigned a globally unique number called an Autonomous System Number (ASN). An autonomous system shares routing information with other autonomous systems using the Border Gateway Protocol (BGP).

maxpath <max AS path length (1-127)>

This command limits the maximum length of an accepted AS Path. The default value is 50. Paths greater than this value will be ignored. The command is designed to protect the MP CPU, memory resources and routing table from BGP-based attacks, BGP errors and probes designed to locate BGP speaking devices that do not limit the maximum AS Path.

pref <preference (0-4294967294)>

Sets the local preference. The path with the higher value is preferred.

When multiple peers advertise the same route, use the route with the shortest AS path as the preferred route if you are using eBGP, or use the local preference if you are using iBGP.

on

Globally turns BGP on.

off

Globally turns BGP off.

cur

Displays the current BGP configuration.
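The check that maxpath describes, as an added Python sketch; it is not Nortel code. It decodes an AS_PATH attribute value in the RFC 1771 format (2-octet AS numbers) and ignores paths longer than the limit. Counting an AS_SET segment as a single hop is an assumption, since this reference does not say how the switch counts sets, and the sample paths use constructed documentation AS numbers.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2        # path segment types defined in RFC 1771
DEFAULT_MAXPATH = 50              # default stated for maxpath
MAXPATH_RANGE = range(1, 128)     # configurable range 1-127


class MalformedAsPath(ValueError):
    """The attribute value cannot be decoded as a list of path segments."""


def parse_as_path(value: bytes):
    """Decode an AS_PATH value into [(segment_type, [asn, ...]), ...]."""
    segments, offset = [], 0
    while offset < len(value):
        if len(value) - offset < 2:
            raise MalformedAsPath("truncated segment header")
        seg_type, count = value[offset], value[offset + 1]
        offset += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise MalformedAsPath(f"unknown segment type {seg_type}")
        if count == 0:
            raise MalformedAsPath("empty segment")
        end = offset + 2 * count          # each AS number is 2 octets
        if end > len(value):
            raise MalformedAsPath("segment overruns the attribute")
        segments.append((seg_type, list(struct.unpack(f"!{count}H", value[offset:end]))))
        offset = end
    return segments


def path_length(segments) -> int:
    """Every AS in a sequence counts; a set counts once (assumption)."""
    return sum(len(asns) if seg_type == AS_SEQUENCE else 1
               for seg_type, asns in segments)


def accept_path(value: bytes, maxpath: int = DEFAULT_MAXPATH) -> bool:
    """True if the path is kept, False if it is ignored."""
    if maxpath not in MAXPATH_RANGE:
        raise ValueError("maxpath must be between 1 and 127")
    try:
        return path_length(parse_as_path(value)) <= maxpath
    except MalformedAsPath:
        return False                      # undecodable paths are never installed


def build_segment(seg_type: int, asns) -> bytes:
    """Helper that encodes one segment for the constructed samples below."""
    return bytes([seg_type, len(asns)]) + struct.pack(f"!{len(asns)}H", *asns)


# Constructed samples (documentation AS numbers 64496-64511).
NORMAL = build_segment(AS_SEQUENCE, [64496, 64497, 64498])
PREPENDED = build_segment(AS_SEQUENCE, [64500] * 60)      # 60 hops, above the default
MIXED = (build_segment(AS_SEQUENCE, [64496, 64497])
         + build_segment(AS_SET, [64501, 64502, 64503]))  # 2 hops plus 1 for the set

if __name__ == "__main__":
    for name, path in (("normal", NORMAL), ("prepended", PREPENDED), ("mixed", MIXED)):
        verdict = "accept" if accept_path(path) else "ignore"
        print(f"{name}: length {path_length(parse_as_path(path))} -> {verdict}")
```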

/cfg/l3/bgp/peer <peer number>
BGP Peer Configuration Menu

[BGP Peer 1 Menu]
    redist  - Redistribution menu
    addr    - Set remote IP address
    ras     - Set remote autonomous system number
    hold    - Set hold time
    alive   - Set keep alive time
    advert  - Set min time between advertisements
    retry   - Set connect retry interval
    orig    - Set min time between route originations
    ttl     - Set time-to-live of IP datagrams
    addi    - Add rmap into in-rmap list
    addo    - Add rmap into out-rmap list
    remi    - Remove rmap from in-rmap list
    remo    - Remove rmap from out-rmap list
    enable  - Enable peer
    disable - Disable peer
    delete  - Delete peer
    cur     - Display current peer configuration

This menu is used to configure BGP peers, which are border routers that exchange routing information with routers on internal and external networks. The peer option is disabled by default.

BGP Peer Configuration Options (/cfg/l3/bgp/peer)

Command Syntax and Usage

redist

Displays BGP Redistribution Menu. To view the menu options, see "/cfg/l3/bgp/peer/redist BGP Redistribution Configuration Menu" (page 324).

addr <IP address (such as, 192.4.17.101)>

Defines the IP address for the specified peer (border router), using dotted decimal notation. The default address is 0.0.0.0.

ras <AS number (0-65535)>

Sets the remote autonomous system number for the specified peer.

hold <hold time (0, 3-65535)>

Sets the period of time, in seconds, that will elapse before the peer session is torn down because the switch hasn’t received a "keep alive" message from the peer. It is set at 90 seconds by default.

alive <keepalive time (0, 1-21845)>

Sets the keep-alive time for the specified peer in seconds. It is set at 0 by default.

advert <min adv time (1-65535)>

Sets time in seconds between advertisements.

retry <connect retry interval (1-65535)>

Sets connection retry interval in seconds.

orig <min orig time (1-65535)>

Sets the minimum time between route originations in seconds.

ttl <number of router hops (1-255)>

Time-to-live (TTL) is a value in an IP packet that tells a network router whether or not the packet has been in the network too long and should be discarded. TTL specifies a certain time span in seconds that, when exhausted, would cause the packet to be discarded. The TTL is determined by the number of router hops the packet is allowed before it must be discarded.

This command specifies the number of router hops that the IP packet can make. This value is used to restrict the number of "hops" the advertisement makes. It is also used to support multi-hops, which allow BGP peers to talk across a routed network. The default number is set at 1.

addi <route map ID (1-32)>

Adds route map into in-route map list.

addo <route map ID (1-32)>

Adds route map into out-route map list.

remi <route map ID (1-32)>

Removes route map from in-route map list.

remo <route map ID (1-32)>

Removes route map from out-route map list.

ena

Enables this peer configuration.

dis

Disables this peer configuration.

del

Deletes this peer configuration.

cur

Displays the current BGP peer configuration.

/cfg/l3/bgp/peer/redist
BGP Redistribution Configuration Menu

[Redistribution Menu]
    metric  - Set default-metric of advertised routes
    default - Set default route action
    rip     - Enable/disable advertising RIP routes
    ospf    - Enable/disable advertising OSPF routes
    fixed   - Enable/disable advertising fixed routes
    static  - Enable/disable advertising static routes
    vip     - Enable/disable advertising VIP routes
    cur     - Display current redistribution configuration

BGP Redistribution Configuration Menu Options (/cfg/l3/bgp/peer/redist)

Command Syntax and Usage

metric <metric (1-4294967294)> |none

Sets default metric of advertised routes.

default none|import|originate|redistribute

Sets default route action.

Default routes can be configured as import, originate, redistribute, or none.

None: No routes are configured.

Import: Import these routes.

Originate: The switch sends a default route to peers even though it does not have any default routes in its routing table.

Redistribute: Default routes are either configured through default gateway or learned through other protocols and redistributed to peer. If the routes are learned from default gateway configuration, you have to enable static routes since the routes from default gateway are static routes. Similarly, if the routes are learned from a certain routing protocol, you have to enable that protocol in this redistribute submenu.

rip disable|enable

Enables or disables advertising RIP routes.

ospf disable|enable

Enables or disables advertising OSPF routes.

fixed disable|enable

Enables or disables advertising fixed routes.

static disable|enable

Enables or disables advertising static routes.

vip disable|enable

Enables or disables advertising VIP routes.

cur

Displays the current redistribution configuration.

/cfg/l3/bgp/aggr <aggregate number>
BGP Aggregate Routing Configuration Menu

Note: The aggregate number (1-16) represents the aggregation route you wish to configure.

[BGP Aggr 1 Menu]
    addr    - Set aggregation IP address
    mask    - Set aggregation network mask
    enable  - Enable aggregation
    disable - Disable aggregation
    delete  - Delete aggregation
    current - Display current aggregation configuration

This menu allows you to configure aggregate routing to condense the number of routes between internal and external peer routers.

BGP Aggregate Menu Options (/cfg/l3/ip/bgp/aggr)

Command Syntax and Usage

addr <IP address, such as 192.4.17.101>

Adds the IP address to the selected aggregate.

mask <IP subnet mask, such as 255.255.255.0>

Sets the IP mask for the selected aggregate.

enable

Enables the selected aggregate.

disable

Disables the selected aggregate.

delete

Deletes the selected aggregate.

current

Displays the current aggregate configuration.

/cfg/l3/port <port number>
IP Forwarding Port Configuration Menu

[IP Forwarding Port 1 Menu]
    on      - Turn Forwarding ON
    off     - Turn Forwarding OFF
    cur     - Display current port configuration

The Layer 3 Port Menu allows you to turn IP forwarding on or off on a port-by-port basis. By default, the port forwarding option is turned on.

IP Forwarding Port Configuration Menu Options (/cfg/l3/port)

Command Syntax and Usage

on

Enables IP forwarding for the current port.

off

Disables IP forwarding for the current port.

cur

Displays the current IP forwarding settings.

/cfg/l3/dns
Domain Name System Configuration Menu

[Domain Name System Menu]
    prima   - Set IP address of primary DNS server
    secon   - Set IP address of secondary DNS server
    dname   - Set default domain name
    cur     - Display current DNS configuration

The Domain Name System (DNS) Menu is used for defining the primary and secondary DNS servers on your local network, and for setting the default domain name served by the switch services. DNS parameters must be configured prior to using hostname parameters with the ping, traceroute, and tftp commands.

Domain Name System Menu Options (/cfg/l3/dns)

Command Syntax and Usage

prima <IP address (such as, 192.4.17.101)>

You will be prompted to set the IP address for your primary DNS server. Use dotted decimal notation.

secon <IP address (such as, 192.4.17.101)>

You will be prompted to set the IP address for your secondary DNS server. If the primary DNS server fails, the configured secondary will be used instead. Enter the IP address using dotted decimal notation.

dname <dotted DNS notation> |none

Sets the default domain name used by the switch.

For example: mycompany.com

cur

Displays the current Domain Name System settings.

/cfg/l3/bootp
Bootstrap Protocol Relay Configuration Menu

[Bootstrap Protocol Relay Menu]
    addr    - Set IP address of BOOTP server
    addr2   - Set IP address of second BOOTP server
    on      - Globally turn BOOTP relay ON
    off     - Globally turn BOOTP relay OFF
    cur     - Display current BOOTP relay configuration

The Bootstrap Protocol (BOOTP) Relay Menu is used to allow hosts to obtain their configurations from a Dynamic Host Configuration Protocol (DHCP) server. The BOOTP configuration enables the switch to forward a client request for an IP address to two DHCP/BOOTP servers with IP addresses that have been configured on the Nortel Application Switch.

BOOTP relay menu is turned off by default.

Bootstrap Protocol Relay Configuration Menu Options (/cfg/l3/bootp)

Command Syntax and Usage

addr <IP address (such as, 192.4.17.101)>

Sets the IP address of the BOOTP server.

addr2 <IP address (such as, 192.4.17.101)>

Sets the IP address of the second BOOTP server.

on

Globally turns on BOOTP relay.

off

Globally turns off BOOTP relay.

cur

Displays the current BOOTP relay configuration.

/cfg/l3/vrrp
VRRP Configuration Menu

[Virtual Router Redundancy Protocol Menu]
    vr      - VRRP Virtual Router Menu
    vrgroup - VRRP Virtual Router Vrgroup Menu
    group   - VRRP Virtual Router Group Menu
    if      - VRRP Interface Menu
    track   - VRRP Priority Tracking Menu
    hotstan - Enable/disable hot-standby processing
    on      - Globally turn VRRP ON
    off     - Globally turn VRRP OFF
    holdoff - Globally VRRP hold off time
    cur     - Display current VRRP configuration

Virtual Router Redundancy Protocol (VRRP) support on Nortel Application Switch provides redundancy between routers in a LAN. This is accomplished by configuring the same virtual router IP address and ID number on each participating VRRP-capable routing device. One of the virtual routers is then elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address.

Note: The IP address of a VRRP virtual interface router (VIR) and virtual server router (VSR) must be in the same IP subnet as the interface to which it is assigned.

By default, VRRP is disabled. Nortel Application Switch Operating System has extended VRRP to include virtual servers as well, allowing for full active/active redundancy between its Layer 4 switches. For more information on VRRP, see the "High Availability" chapter in your Nortel Application Switch Operating System Application Guide.

Virtual Router Redundancy Protocol Options (/cfg/l3/vrrp)

Command Syntax and Usage

vr <virtual router number (1-1024)>

Displays the VRRP Virtual Router Menu. This menu is used for configuring up to 1024 virtual routers on this switch. To view menu options, see "/cfg/l3/vrrp/vr router number Virtual Router Configuration Menu" (page 330).

vrgroup <virtual router vrgroup number (1-16)>

Displays VR Group Menu. To view menu options, see "/cfg/l3/vrrp/vrgroup Virtual Router Group Menu" (page 335).

group

Displays the VRRP virtual router group menu, used to combine all virtual routers together as one logical entity. Group options must be configured when using two or more Nortel Application Switches in a hot-standby failover configuration where only one switch is active at any given time. To view menu options, see "/cfg/l3/vrrp/group Virtual Router Group Configuration" (page 338).

if <interface number (1-255)>

Displays the VRRP Virtual Router Interface Menu. To view menu options, see "/cfg/l3/vrrp/if interface number VRRP Interface Configuration" (page 342).

track

Displays the VRRP Tracking Menu. This menu is used for weighting the criteria used when modifying priority levels in the master router election process. To view menu options, see "/cfg/l3/vrrp/track VRRP Tracking Configuration" (page 342).

hotstan disable|enable

Enables or disables hot standby processing, in which two or more switches provide redundancy for each other. By default, this option is disabled.

on

Globally enables VRRP on this switch.

off

Globally disables VRRP on this switch.

holdoff <0-255 seconds>

Globally suspends VRRP operation for the specified interval.

cur

Displays the current VRRP parameters.

/cfg/l3/vrrp/vr <router number>
Virtual Router Configuration Menu

[VRRP Virtual Router 1 Menu]
    track   - Priority Tracking Menu
    ipver   - Set IP version
    vrid    - Set virtual router ID
    addr    - Set IP address
    if      - Set interface number
    prio    - Set renter priority
    adver   - Set advertisement interval
    preem   - Enable or disable preemption
    share   - Enable or disable sharing
    ena     - Enable virtual router
    dis     - Disable virtual router
    del     - Delete virtual router
    cur     - Display current VRRP virtual router configuration

This menu is used for configuring up to 256 virtual routers for this switch. A virtual router is defined by its virtual router ID and an IP address. On each VRRP-capable routing device participating in redundancy for this virtual router, a virtual router will be configured to share the same virtual router ID and IP address.

Virtual routers are disabled by default.

Note: The VRRP3 VRID for IPv6 VRRP configuration has a range of 1 to 255.

VRRP Virtual Router Options (/cfg/l3/vrrp/vr)

Command Syntax and Usage

track

Displays the VRRP Priority Tracking Menu for this virtual router. Tracking is Nortel’s proprietary extension to VRRP, used for modifying the standard priority system used for electing the master router. Tracking is not needed if sharing (share) is enabled. To view menu options, see "/cfg/l3/vrrp/vr router number /track Virtual Router Priority Tracking Configuration" (page 333).

ipver v4|v6

Sets the version of the Internet Protocol supported by this virtual router. The default value is v4.

vrid <virtual router ID (1-1024)>

Defines the virtual router ID. This is used in conjunction with addr (below) to define a virtual router on this switch. To create a pool of VRRP-enabled routing devices which can provide redundancy to each other, each participating VRRP device must be configured with the same virtual router: one that shares the same vrid and addr combination.

The vrid for standard virtual routers (where the virtual router IP address is not the same as any virtual server) can be any integer between 1 and 255. The default value is 1.

The vrid of virtual server routers where the virtual router IP address is the same as the virtual server can be between 1 and 1024.

All vrid values must be unique within the VLAN to which the virtual router’s IP interface belongs.

addr <IP address>

Defines the IP address for this virtual router using the notation appropriate to the IP version supported by this virtual router. IPv4 addresses use a dotted decimal notation (such as 192.168.0.1) and IPv6 addresses use a hexadecimal format (such as 2006:0:0:0:0:0:20:64). This is used in conjunction with the vrid (above) to configure the same virtual router on each participating VRRP device. The default address is 0.0.0.0.

if <interface number (1-256)>

Selects a switch IP interface (between 1 and 256). If the IP interface has the same IP address as the addr option above, this switch is considered the "owner" of the defined virtual router. An owner has a special priority of 255 (highest) and will always assume the role of master router, even if it must preempt another virtual router which has assumed master routing authority. This preemption occurs even if the preem option below is disabled. The default value is 1.

prio <priority (1-254)>

Defines the election priority bias for this virtual server. This can be any integer between 1 and 254. The default value is 100.

During the master router election process, the routing device with the highest virtual router priority number wins. If there is a tie, the device with the highest IP interface address wins. If this virtual router’s IP address (addr) is the same as the one used by the IP interface, the priority for this virtual router will automatically be set to 255 (highest).

When priority tracking is used (/cfg/l3/vrrp/track or /cfg/l3/vrrp/vr #/track), this base priority value can be modified according to a number of performance and operational criteria.

adver <seconds (1-255)>

Defines the time interval between VRRP master advertisements. This can be any integer between 1 and 255 seconds. The default value is 1.

preem disable|enable

Enables or disables master preemption. When enabled, if this virtual router is in backup mode but has a higher priority than the current master, this virtual router will preempt the lower priority master and assume control. Note that even when preem is disabled, this virtual router will always preempt any other master if this switch is the owner (the IP interface address and virtual router addr are the same). By default, this option is enabled.

share disable|enable

Enables or disables virtual router sharing, a Nortel proprietary extension to VRRP. When enabled, this switch will process any traffic addressed to this virtual router, even when in backup mode. By default, this option is enabled.

ena

Enables this virtual router.

dis

Disables this virtual router.

del

Deletes this virtual router from the switch configuration.

cur

Displays the current configuration information for this virtual router.
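The election rules given for the if, prio and preem options above, as an added Python model; it is not Nortel code. The switch labels and the 192.0.2.0/24 addresses are constructed, and priority tracking adjustments are left out.

```python
from dataclasses import dataclass
from ipaddress import ip_address

OWNER_PRIORITY = 255  # automatic priority of the address owner


@dataclass(frozen=True)
class VirtualRouter:
    switch: str          # constructed device label
    if_addr: str         # address of the IP interface selected with "if"
    addr: str            # virtual router address set with "addr"
    prio: int = 100      # configured base priority, 1-254 (default 100)
    preem: bool = True   # preemption, enabled by default

    def __post_init__(self):
        if not 1 <= self.prio <= 254:
            raise ValueError("prio must be between 1 and 254")

    @property
    def is_owner(self) -> bool:
        # The owner is the switch whose interface address equals addr.
        return ip_address(self.if_addr) == ip_address(self.addr)

    @property
    def priority(self) -> int:
        return OWNER_PRIORITY if self.is_owner else self.prio

    def rank(self):
        # Highest priority wins; a tie goes to the highest interface address.
        return (self.priority, int(ip_address(self.if_addr)))


def elect(candidates):
    """Initial election among virtual routers that are all up."""
    return max(candidates, key=VirtualRouter.rank)


def master_after(current, candidates):
    """Master once every router in candidates is up and current held the role."""
    if current is None or current not in candidates:
        return elect(candidates)      # the master failed: the backups elect anew
    challengers = [
        c for c in candidates
        # A backup takes over only with a strictly higher priority, and only
        # if preem is enabled on it or it is the owner.
        if c.priority > current.priority and (c.preem or c.is_owner)
    ]
    return elect(challengers) if challengers else current


# Constructed scenario: three switches sharing one virtual router address.
VIP = "192.0.2.1"
SW_A = VirtualRouter("sw-a", "192.0.2.2", VIP)
SW_B = VirtualRouter("sw-b", "192.0.2.3", VIP)
SW_B_HIGH = VirtualRouter("sw-b", "192.0.2.3", VIP, prio=110)
SW_B_HIGH_NOPREEM = VirtualRouter("sw-b", "192.0.2.3", VIP, prio=110, preem=False)
SW_OWNER = VirtualRouter("sw-c", "192.0.2.1", VIP, prio=1, preem=False)

if __name__ == "__main__":
    print("tie on priority:", elect([SW_A, SW_B]).switch)
    print("higher prio, preem off:", master_after(SW_A, [SW_A, SW_B_HIGH_NOPREEM]).switch)
    print("higher prio, preem on:", master_after(SW_A, [SW_A, SW_B_HIGH]).switch)
    print("owner joins:", master_after(SW_B_HIGH, [SW_A, SW_B_HIGH, SW_OWNER]).switch)
```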

/cfg/l3/vrrp/vr <router number> /track
Virtual Router Priority Tracking Configuration

[VRRP Virtual Router 1 Priority Tracking Menu]
    vrs     - Enable/disable tracking master virtual routers
    ifs     - Enable/disable tracking other interfaces
    ports   - Enable/disable tracking VLAN switch ports
    l4pts   - Enable/disable tracking L4 switch ports
    reals   - Enable/disable tracking L4 real servers
    hsrp    - Enable/disable tracking HSRP
    hsrv    - Enable/disable tracking HSRP by VLAN
    cur     - Display current VRRP virtual router configuration

This menu is used for modifying the priority system used when electing the master router from a pool of virtual routers. Various tracking criteria can be used to bias the election results. Each time one of the tracking criteria is met, the priority level for the virtual router is increased by an amount defined through the VRRP Tracking Menu (see "/cfg/l3/vrrp/track VRRP Tracking Configuration" (page 342)).

Criteria are tracked dynamically, continuously updating virtual router priority levels when enabled. If the virtual router preemption option (see preem in "VRRP Virtual Router Options (/cfg/l3/vrrp/vr)" (page 331)) is enabled, this virtual router can assume master routing authority when its priority level rises above that of the current master.

Some tracking criteria (vrs, ifs, and ports below) apply to standard virtual routers, otherwise called "virtual interface routers." Other tracking criteria (l4pts, reals, and hsrp) apply to "virtual server routers," which perform Layer 4 Server Load Balancing functions. A virtual server router is defined as any virtual router whose IP address (addr) is the same as any configured virtual server IP address.

VRRP Priority Tracking Menu Options (/cfg/l3/vrrp/vr/track)

Command Syntax and Usage

vrs disable|enable

When enabled, the priority for this virtual router will be increased for each virtual router in master mode on this switch. This is useful for making sure that traffic for any particular client/server pairing is handled by the same switch, increasing routing and load balancing efficiency. This command is disabled by default.

ifs disable|enable

When enabled, the priority for this virtual router will be increased for each IP interface active on this switch. An IP interface is considered active when there is at least one active port on the same VLAN. This helps elect the virtual routers with the most available routes as the master. This command is disabled by default.

ports disable|enable

When enabled, the priority for this virtual router will be increased for each active port on the same VLAN. A port is considered "active" if it has a link and is forwarding traffic. This helps elect the virtual routers with the most available ports as the master. This command is disabled by default.

l4pts disable|enable

When enabled for virtual server routers, the priority for this virtual router will be increased for each physical switch port which has active Layer 4 processing on this switch. This helps elect the main Layer 4 switch as the master. This command is disabled by default.

reals disable|enable

When enabled for virtual server routers, the priority for this virtual router will be increased for each healthy real server behind the virtual server IP address of the same IP address as the virtual router on this switch. This helps elect the switch with the largest server pool as the master, increasing Layer 4 efficiency. This command is disabled by default.

hsrp disable|enable

Hot Standby Router Protocol (HSRP) is used with some types of routers for establishing router failover. In networks where HSRP is used, enable this switch option to increase the priority of this virtual router for each Layer 4 client-only port that receives HSRP advertisements. Enabling HSRP helps elect the switch closest to the master HSRP router as the master, optimizing routing efficiency. This command is disabled by default.

hsrv disable|enable

Hot Standby Router on VLAN (HSRV) is used to work in VLAN-tagged environments. Enable this switch option to increment only that VRRP instance that is on the same VLAN as the tagged HSRP master flagged packet. This command is disabled by default.

cur

Displays the current configuration for priority tracking for this virtual router.

/cfg/l3/vrrp/vrgroup
Virtual Router Group Menu

This feature allows the failover of individual groups of VIRs and VSRs. When Web hosting is shared between two or more customers on a single VRRP switch, you can group VIRs and VSRs to serve the high availability of a specific customer. If failover occurs on a customer link, the group of VIRs and VSRs associated with that customer alone will fail over to the backup switch. The VIRs and VSRs configured for the other customers on the master switch are not affected.

Up to 16 virtual router groups can be configured on the switch.

[VRRP Virtual Router Vrgroup 1 Menu]
    track   - Priority Tracking Menu
    name    - Set virtual router group name
    add     - Add virtual router to group
    rem     - Remove virtual router from group
    prio    - Set priority for virtual router group
    trackvr - Set track virtual router for group
    adver   - Set advertisement interval for group
    preem   - Enable/disable preemption for group
    share   - Enable/disable sharing for group
    ena     - Enable virtual router group
    dis     - Disable virtual router group
    del     - Delete virtual router group
    cur     - Display current VRRP virtual router group configuration

Virtual Router Group Menu Options (/cfg/l3/vrrp/vrgroup)

Command Syntax and Usage

track

Displays VRRP priority tracking menu for this virtual router group. Tracking is Nortel’s proprietary extension to VRRP, used for modifying the standard priority system used for electing the master router. To view menu options, see "/cfg/l3/vrrp/vrgroup vrgroup number /track Virtual Router Group Priority Tracking Configuration Me" (page 337).

name

Defines virtual router group name up to eight characters.

add <virtual router number (1-1024)>

Adds a virtual router to the group. Each virtual router group can have up to 64 virtual routers.

rem <virtual router number (1-1024)>

Removes a virtual router from the group.

prio <1-254>

Defines the election priority bias for this virtual router group. This can be any integer between 1 and 254. The default value is 100.

During the master router election process, the routing device with the highest virtual router priority number wins. If there is a tie, the device with the highest IP interface address wins. If this virtual router’s IP address (addr) is the same as the one used by the IP interface, the priority for this virtual router will automatically be set to 255 (highest).

When priority tracking is used (/cfg/l3/vrrp/vrgroup #/track), this base priority value can be modified according to a number of performance and operational criteria.

trackvr <virtual router number (0-1024)>

Set track virtual router for group.

adver <1-255 seconds>

Set advertisement interval for group.

preem disable|enable

Enable/disable preemption for group.

share disable|enable

Enable/disable sharing for group.

ena

Enables the virtual router group.

dis

Disables the virtual router group.

del

Deletes the virtual router group.

cur

Displays the current VRRP virtual router group configuration.

/cfg/l3/vrrp/vrgroup <vrgroup number> /track

Virtual Router Group Priority Tracking Configuration Menu

This menu is used for modifying the priority system used when electing the master router from a pool of virtual routers. Various tracking criteria can be used to bias the election results. Each time one of the tracking criteria is met, the priority level for the virtual router is increased by an amount defined through the VRRP Tracking Menu (see "/cfg/l3/vrrp/track VRRP Tracking Configuration" (page 342)). Criteria are tracked dynamically, continuously updating virtual router priority levels when enabled.

[VRRP Vrgroup 1 Priority Tracking Menu]
     ifs    - Enable/disable tracking interfaces
     ports  - Enable/disable tracking VLAN switch ports
     l4pts  - Enable/disable tracking L4 switch ports
     reals  - Enable/disable tracking L4 real servers
     hsrp   - Enable/disable tracking HSRP
     hsrv   - Enable/disable tracking HSRP by VLAN
     cur    - Display current VRRP vrgroup tracking configuration

Virtual Router Group Priority Tracking Menu Options (/cfg/l3/vrrp/vrgroup/track)

Command Syntax and Usage

ifs disable|enable

When enabled, the priority will be increased for each IP interface active on this virtual router group. An IP interface is considered active when there is at least one active port on the same VLAN. This helps elect the virtual routers with the most available routes as the master. This command is disabled by default.

ports disable|enable

When enabled, the priority will be increased for each active port on the VLAN on this virtual router group. A port is considered "active" if it has a link and is forwarding traffic. This helps elect the virtual routers with the most available ports as the master. This command is disabled by default.

Page 338: 24.0.0 Command Reference

l4pts disable|enable

When enabled for virtual server routers, the priority will be increased for each physical switch port which has active Layer 4 processing on this virtual router group. This helps elect the main Layer 4 switch as the master. This command is disabled by default.

reals disable|enable

When enabled for virtual server routers, the priority will be increased for each healthy real server behind the virtual server IP address of the same IP address as the virtual router on this virtual router group. This helps elect the switch with the largest server pool as the master, increasing Layer 4 efficiency. This command is disabled by default.

hsrp disable|enable

Hot Standby Router Protocol (HSRP) is used with some types of routers for establishing router failover. In networks where HSRP is used, enable this switch option to increase the priority of this virtual router group for each Layer 4 client-only port that receives HSRP advertisements. Enabling HSRP helps elect the switch closest to the master HSRP router as the master, optimizing routing efficiency. This command is disabled by default.

hsrv disable|enable

Hot Standby Router on VLAN (HSRV) is used to work in VLAN-tagged environments. Enable this switch option to increment only that VRRP instance on the virtual router group that is on the same VLAN as the tagged HSRP master flagged packet. This command is disabled by default.

cur

Displays the current configuration for priority tracking for this virtual router group.

/cfg/l3/vrrp/group

Virtual Router Group Configuration

[VRRP Virtual Router Group Menu]
     track  - Priority Tracking Menu
     ipver  - Set IP version
     vrid   - Set virtual router ID
     if     - Set interface number
     prio   - Set renter priority
     adver  - Set advertisement interval
     preem  - Enable or disable preemption
     share  - Enable or disable sharing
     ena    - Enable virtual router
     dis    - Disable virtual router
     del    - Delete virtual router
     cur    - Display current VRRP virtual router configuration

Page 339: 24.0.0 Command Reference

The Virtual Router Group menu is used for associating all virtual routers into a single logical virtual router, which forces all virtual routers on the Nortel Application Switch to either be master or backup as a group. A virtual router is defined by its virtual router ID and an IP address. On each VRRP-capable routing device participating in redundancy for this virtual router, a virtual router will be configured to share the same virtual router ID and IP address.

Note: This option is required to be configured only when using at least two Nortel Application Switches in a hot-standby failover configuration, where only one switch is active at any time.

VRRP Virtual Router Group Options (/cfg/l3/vrrp/group)

Command Syntax and Usage

track

Displays the VRRP Priority Tracking Menu for the virtual router group. Tracking is Nortel’s proprietary extension to VRRP, used for modifying the standard priority system used for electing the master router. Tracking is not needed if sharing (share) is enabled. To view menu options, see "/cfg/l3/vrrp/track VRRP Tracking Configuration" (page 342).

ipver v4|v6

Sets the version of the Internet Protocol supported by the virtual router group. The default value is v4.

vrid <virtual router ID (1-255)>

Defines the virtual router ID for this group.

if <interface number (1-256)>

Selects a switch IP interface (between 1 and 256). The default switch IP interface number is 1.

prio <priority (1-254)>

Defines the election priority bias for this virtual router group. This can be any integer between 1 and 254. The default value is 100.

During the master router election process, the routing device with the highest virtual router priority number wins. If there is a tie, the device with the highest IP interface address wins. If this virtual router’s IP address (addr) is the same as the one used by the IP interface, the priority for this virtual router will automatically be set to 255 (highest).

When priority tracking is used (/cfg/l3/vrrp/track or /cfg/l3/vrrp/vr #/track), this base priority value can be modified according to a number of performance and operational criteria.

Page 340: 24.0.0 Command Reference

adver <1-255>

Defines the time interval between VRRP master advertisements. This can be any integer between 1 and 255. For IPv4 interfaces, this value is in seconds. For IPv6 interfaces, this value is in centiseconds. The default is 1 for IPv4 interfaces and 100 for IPv6 interfaces.

Note: It is recommended that the default value of 100 or above is used for IPv6 interfaces to avoid a high load on the switch management CPU.

preem disable|enable

Enables or disables master preemption. When enabled, if the virtual router group is in backup mode but has a higher priority than the current master, this virtual router will preempt the lower priority master and assume control. Note that even when preem is disabled, this virtual router will always preempt any other master if this switch is the owner (the IP interface address and virtual router addr are the same). By default, this option is enabled.

share disable|enable

Enables or disables virtual router sharing, Nortel’s proprietary extension to VRRP. When enabled, this switch will process any traffic addressed to this virtual router, even when in backup mode. By default, this option is enabled.

ena

Enables the virtual router group.

dis

Disables the virtual router group.

del

Deletes the virtual router group from the switch configuration.

cur

Displays the current configuration information for the virtual router group.

/cfg/l3/vrrp/group/track

Virtual Router Group Priority Tracking Configuration

[Virtual Router Group Priority Tracking Menu]
     ifs    - Enable/disable tracking other interfaces
     ports  - Enable/disable tracking VLAN switch ports
     l4pts  - Enable/disable tracking L4 switch ports
     reals  - Enable/disable tracking L4 real servers
     hsrp   - Enable/disable tracking HSRP
     hsrv   - Enable/disable tracking HSRP by VLAN
     cur    - Display current VRRP Group Tracking configuration

Page 341: 24.0.0 Command Reference

Note: If Virtual Router Group Tracking is enabled, then the tracking option will be available only under group option. The tracking setting for the other individual virtual routers will be ignored.

Virtual Router Group Priority Tracking Options (/cfg/l3/vr/group/track)

Command Syntax and Usage

ifs disable|enable

When enabled, the priority for this virtual router will be increased for each other IP interface active on this switch. An IP interface is considered active when there is at least one active port on the same VLAN. This helps elect the virtual routers with the most available routes as the master. This command is disabled by default.

ports disable|enable

When enabled, the priority for this virtual router will be increased for each active port on the same VLAN. A port is considered "active" if it has a link and is forwarding traffic. This helps elect the virtual routers with the most available ports as the master. This command is disabled by default.

l4pts disable|enable

When enabled for virtual server routers, the priority for this virtual router will be increased for each physical switch port which has active Layer 4 processing on this switch. This helps elect the main Layer 4 switch as the master. This command is disabled by default.

reals disable|enable

When enabled for virtual server routers, the priority for this virtual router will be increased for each healthy real server. This helps elect the switch with the largest server pool as the master, increasing Layer 4 efficiency. This command is disabled by default.

hsrp disable|enable

Enables Hot Standby Router Protocol (HSRP) for this virtual router group. HSRP is used with some types of routers for establishing router failover. In networks where HSRP is used, enable this switch option to increase the priority of this virtual router for each Layer 4 client-only port that receives HSRP advertisements. This helps elect the switch closest to the master HSRP router as the master, optimizing routing efficiency. This command is disabled by default.

hsrv disable|enable

Hot Standby Router on VLAN (HSRV) is used to work in VLAN-tagged environments. Enable this switch option to increment only that VRRP instance that is on the same VLAN as the tagged HSRP master flagged packet. This command is disabled by default.

cur

Displays the current configuration for priority tracking for this virtual router.

Page 342: 24.0.0 Command Reference

/cfg/l3/vrrp/if <interface number>

VRRP Interface Configuration

Note: The interface-number (1 to 256) represents the IP interface on which authentication parameters must be configured.

[VRRP Interface 1 Menu]
     auth   - Set authentication types
     passw  - Set plain-text password
     del    - Delete interface
     cur    - Display current VRRP interface configuration

This menu is used for configuring VRRP authentication parameters for the IP interfaces used with the virtual routers.

VRRP Interface Menu Options (/cfg/l3/vrrp/if)

Command Syntax and Usage

auth none|password

Defines the type of authentication that will be used: none (no authentication), or password (password authentication).

passw <password>

Defines a plain text password up to eight characters long. This password will be added to each VRRP packet transmitted by this interface when password authentication is chosen (see auth above).

del

Clears the authentication configuration parameters for this IP interface. The IP interface itself is not deleted.

cur

Displays the current configuration for this IP interface’s authentication parameters.
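What auth password puts on the wire, as an added example (not Nortel code): it builds and parses a constructed advertisement using the VRRPv2 layout of RFC 2338, which is an assumption about this switch's packet format, and the function names are hypothetical. The password travels unencrypted in the 8-byte authentication field, so the setting guards against misconfigured neighbours rather than against anyone who can see the segment.

```python
import struct
from ipaddress import IPv4Address

# RFC 2338 authentication types 0 and 1, named as in the auth command.
AUTH_NAMES = {0: "none", 1: "password"}


def inet_checksum(data: bytes) -> int:
    """16-bit ones' complement checksum carried in the VRRP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, prio, addrs, auth_type=0, password="", adver=1):
    """Construct a VRRPv2 advertisement (sample data for the parser below)."""
    if len(password) > 8:
        raise ValueError("password is limited to eight characters")
    head = struct.pack("!BBBBBBH", 0x21, vrid, prio, len(addrs),
                       auth_type, adver, 0)
    body = b"".join(IPv4Address(a).packed for a in addrs)
    auth = password.encode("ascii").ljust(8, b"\x00")  # NUL-padded field
    msg = head + body + auth
    return msg[:6] + struct.pack("!H", inet_checksum(msg)) + msg[8:]


def parse_advert(msg: bytes) -> dict:
    """Decode the fields an auditor needs from a captured advertisement."""
    if len(msg) < 16:
        raise ValueError("too short for a VRRPv2 advertisement")
    vt, vrid, prio, count, auth_type, adver, _ = struct.unpack(
        "!BBBBBBH", msg[:8])
    if vt != 0x21:                      # version 2, type 1 (advertisement)
        raise ValueError("not a VRRPv2 advertisement")
    end = 8 + 4 * count
    if len(msg) < end + 8:
        raise ValueError("truncated address list or authentication data")
    auth_data = msg[end:end + 8]
    return {
        "vrid": vrid,
        "priority": prio,
        "adver": adver,
        "addresses": [str(IPv4Address(msg[i:i + 4]))
                      for i in range(8, end, 4)],
        "auth": AUTH_NAMES.get(auth_type, "unknown(%d)" % auth_type),
        # The field is plain bytes: no hashing, no encryption.
        "auth_data": auth_data.rstrip(b"\x00").decode("ascii", "replace"),
        # A message with a valid checksum sums to zero.
        "checksum_ok": inet_checksum(msg[:end + 8]) == 0,
    }


def audit(info: dict) -> list:
    """Findings for one parsed advertisement."""
    findings = []
    if not info["checksum_ok"]:
        findings.append("bad-checksum")
    if info["auth"] == "none":
        findings.append("auth-none")
    elif info["auth"] == "password":
        findings.append("auth-cleartext")
    else:
        findings.append("auth-unknown")
    return findings


if __name__ == "__main__":
    # Constructed sample: VRID 1, default priority, made-up lab password.
    sample = build_advert(1, 100, ["192.0.2.1"], auth_type=1,
                          password="labpass1")
    parsed = parse_advert(sample)
    print(parsed, audit(parsed))
```
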

/cfg/l3/vrrp/track

VRRP Tracking Configuration

Page 343: 24.0.0 Command Reference

This menu is used for setting weights for the various criteria used to modify priority levels during the master router election process. Each time one of the tracking criteria is met (see "VRRP Virtual Router Priority Tracking Menu" on "/cfg/l3/vrrp/vr router number /track Virtual Router Priority Tracking Configuration" (page 333)), the priority level for the virtual router is increased by an amount defined through this menu.

VRRP Tracking Options (/cfg/l3/vrrp/track)

Command Syntax and Usage

vrs <0-254>

Defines the priority increment value (1 through 254) for virtual routers in master mode detected on this switch. The default value is 2.

ifs <0-254>

Defines the priority increment value (1 through 254) for active IP interfaces detected on this switch. The default value is 2.

ports <0-254>

Defines the priority increment value (1 through 254) for active ports on the virtual router’s VLAN. The default value is 2.

l4pts <0-254>

Defines the priority increment value (1 through 254) for physical switch ports with active Layer 4 processing. The default value is 2.

reals <0-254>

Defines the priority increment value (1 through 254) for healthy real servers behind the virtual server router. The default value is 2.

hsrp <0-254>

Defines the priority increment value (1 through 254) for switch ports with Layer 4 client-only processing that receive HSRP broadcasts. The default value is 10.

hsrv <0-254>

Defines the priority increment value (1 through 254) for VRRP instances that are on the same VLAN. The default value is 10.

cur

Displays the current configuration of priority tracking increment values.

These priority tracking options only define increment values. These options do not affect the VRRP master router election process until options under the VRRP Virtual Router Priority Tracking Menu (see "/cfg/l3/vrrp/vr router number /track Virtual Router Priority Tracking Configuration" (page 333)) are enabled.
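How the increments defined here combine with the per-router tracking switches, the prio tie-break and the preem rule, as an added example (not Nortel code). The default weights, the owner value of 255 and the tie-break come from the text; the ceiling of 254 on a tracked priority, the class and function names, and the sample switches are assumptions of this sketch.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# Default increments listed under /cfg/l3/vrrp/track.
DEFAULT_WEIGHTS = {"vrs": 2, "ifs": 2, "ports": 2, "l4pts": 2,
                   "reals": 2, "hsrp": 10, "hsrv": 10}
OWNER_PRIORITY = 255     # set automatically when addr equals the interface IP
TRACKED_CEILING = 254    # assumption: tracking cannot reach the owner value


@dataclass
class VirtualRouter:
    switch: str
    if_addr: str                  # IP interface address on this switch
    vr_addr: str                  # virtual router address (addr)
    prio: int = 100               # base priority, default 100
    preem: bool = True            # preemption is enabled by default
    track: dict = field(default_factory=dict)  # criterion -> "enable"/"disable"
    met: dict = field(default_factory=dict)    # criterion -> how many times met


def effective_priority(vr, weights=DEFAULT_WEIGHTS):
    """Base priority plus one increment per met criterion that is enabled."""
    if IPv4Address(vr.if_addr) == IPv4Address(vr.vr_addr):
        return OWNER_PRIORITY
    if not 1 <= vr.prio <= 254:
        raise ValueError("prio must be between 1 and 254")
    bonus = sum(weights[name] * vr.met.get(name, 0)
                for name, state in vr.track.items() if state == "enable")
    return min(vr.prio + bonus, TRACKED_CEILING)


def elect_master(routers, weights=DEFAULT_WEIGHTS):
    """Highest priority wins; a tie goes to the highest IP interface address."""
    return max(routers, key=lambda vr: (effective_priority(vr, weights),
                                        IPv4Address(vr.if_addr)))


def preempts(backup, master, weights=DEFAULT_WEIGHTS):
    """True if a backup takes over from the current master."""
    mine = effective_priority(backup, weights)
    if mine == OWNER_PRIORITY:
        return True               # the owner preempts even with preem disabled
    return backup.preem and mine > effective_priority(master, weights)


def sample_pair(tracking="enable"):
    """Constructed pair of switches backing the same virtual router."""
    a = VirtualRouter("sw-a", "192.0.2.2", "192.0.2.1",
                      track={"ports": tracking, "reals": tracking},
                      met={"ports": 4, "reals": 6})
    b = VirtualRouter("sw-b", "192.0.2.3", "192.0.2.1",
                      track={"ports": tracking, "reals": "disable"},
                      met={"ports": 4, "reals": 8})
    return a, b


if __name__ == "__main__":
    for state in ("enable", "disable"):
        a, b = sample_pair(state)
        print(state, effective_priority(a), effective_priority(b),
              elect_master([a, b]).switch)
```

With every tracking option disabled the increments have no effect, both switches stay at the base priority, and the election falls back to the interface address.
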

Page 344: 24.0.0 Command Reference

/cfg/l3/metrc <metric name>

Default Gateway Metrics

If multiple default gateways are configured and enabled, a metric can be set to determine which primary gateway is selected. There are two metrics, which are described in the table "Default Gateway Metrics (/cfg/l3/metrc)" (page 344).

Default Gateway Metrics (/cfg/l3/metrc)

Option        Description

strict        The gateway number determines its level of preference. Gateway #1 acts as the preferred default IP gateway until it fails or is disabled, at which point the next in line will take over as the default IP gateway.

roundrobin    This provides basic gateway load balancing. The switch sends each new gateway request to the next healthy, enabled gateway in line. All gateway requests to the same destination IP address are resolved to the same gateway.

/cfg/slb

/cfg/slb displays the Server Load Balancing Configuration Menu. To view menu options, see "The SLB Configuration Menu" (page 355).

/cfg/security

Security Configuration Menu

Security Configuration Menu Options (/cfg/security)

Command Syntax and Usage

port <port number>

Displays Port Security Menu. To view menu options, see "/cfg/security/port Port Security Menu" (page 345).

Page 345: 24.0.0 Command Reference

ipacl

Displays IP address Access Control Menu. To view options, see "/cfg/security/ipacl IP Address Access Control List Configuration Menu" (page 347).

udpblast

Displays UDP Blast Menu. To view menu options, see "/cfg/security/udpblast UDP Blast Protection Configuration Menu" (page 348).

dos

Go to the Protocol Anomaly and DoS Attack Prevention Menu. To view menu options, see "/cfg/security/dos Anomaly and Denial of Service Attack Prevention Menu" (page 349).

pgroup <pattern group ID (1-128)>

Displays Pattern Match Group Menu. To view menu options, see "/cfg/security/pgroup pattern group number Pattern Matching Menu" (page 350).

seclog <rate threshold packets/sec, 0-1048576 (0, no rate threshold)>

Defines the rate threshold for security logging by the number of packets per second. Any packets above the current threshold will be logged.

pdepth <# of packets, 1-255|none>

Defines the search window for pattern matching beginning from the start of the packet stream. The window is in units of packets.

symsig <signature id>

Sets the action and bandwidth contracts for the specified signature.

symdel <signature id>

Deletes the specified Symantec signature policy.

cur

Displays the current security configuration.

/cfg/security/port

Port Security Menu

Page 346: 24.0.0 Command Reference

Port Security Menu Options

Command Syntax and Usage

bogon <enable|disable>

Enable or disable bogon IP ACL.

ipacl <enable|disable>

Enable or disable IP ACL.

udpblast <enable|disable>

Enable or disable UDP blast protection.

dos <enable|disable>

Enable or disable protocol anomaly and DoS attack prevention.

add <iplen | ipversion | broadcast | loopback | land | ipreerved | ipttl | ipprot | ipoptlen | fragmoredont | fragdata | fragboundary | fraglast | fragdontoff | fragopt | fragoff | frag oversize | tcplen | tcportzero | blat | tcpreserved | nullscan | fullxmasscan | finscan | vecnascan | xmasscan | synfinscan | flagabnormal | syndata | synfrag | ftpport | dnsport | seqzero | ackzero | tcpoptlen | udplen | udpportzero | fraggle | pepsi | rc8 | snmpnull | icmplen | smurf | icmpdata | icmpoff | icmp-type | igmplen | igmpfrag | igmptype | arplen | arpnbcast | arpncast | arpspoof | garp | ip6len | ip6version>

Add protocol anomaly/DoS attack to prevention.

aadd

Add all protocol anomaly/DoS attack to prevention for the port.

Page 347: 24.0.0 Command Reference

rem <iplen | ipversion | broadcast | loopback | land | ipreerved | ipttl | ipprot | ipoptlen | fragmoredont | fragdata | fragboundary | fraglast | fragdontoff | fragopt | fragoff | frag oversize | tcplen | tcportzero | blat | tcpreserved | nullscan | fullxmasscan | finscan | vecnascan | xmasscan | synfinscan | flagabnormal | syndata | synfrag | ftpport | dnsport | seqzero | ackzero | tcpoptlen | udplen | udpportzero | fraggle | pepsi | rc8 | snmpnull | icmplen | smurf | icmpdata | icmpoff | icmp-type | igmplen | igmpfrag | igmptype | arplen | arpnbcast | arpncast | arpspoof | garp | ip6len | ip6version>

Remove protocol anomaly/DoS attack from prevention.

arem

Remove all protocol anomaly/DoS attack from prevention for the port.

help

Description of Protocol anomaly and DoS attack prevention.

cur

Display current port configuration. For example:

Current port 1:<bogon disabled, ipacl disabled, udpblast disabled, dos disabled>

/cfg/security/ipacl

IP Address Access Control List Configuration Menu

Nortel Application Switch Operating System can be configured with IP access control lists (ACLs) composed of ranges of client IP addresses that are to be denied access to the switch. When traffic ingresses the switch, the client source or destination IP address is checked against this pool of addresses. If a match is found, then the client traffic is blocked.

Page 348: 24.0.0 Command Reference

IP Address ACL Menu Options (/cfg/sec/ipacl)

Command Syntax and Usage

add <IP address IP mask>

Adds range of source IP addresses to be denied, defined by the IP address/mask pair.

rem <IP address/mask pair index>

Removes range of source IP addresses to be denied, defined by the IP address/mask pair index.

arem

Remove all configuration source IP Address/Mask.

dadd <IP address IP subnet mask>

Add configuration destination IP Address/Mask.

drem <IP address IP subnet mask>

Remove configuration destination IP Address/Mask.

darem

Remove all configuration destination IP Address/Mask.

cfg

Display configuration IP Address/Mask.

bogon

Display bogon IP Address/Mask.

oper

Display operations IP Address/Mask.

syslog <threshold | time | none>

Sets method for sending IP ACL syslog, defined by threshold/time/none parameter.

cur

Displays current IP address ranges in Access Control List.

/cfg/security/udpblast

UDP Blast Protection Configuration Menu

Malicious attacks over UDP protocol ports are becoming a common way to bring down real servers. Nortel Application Switch Operating System can be configured to restrict the amount of traffic allowed on any UDP port, thus ensuring that backend servers are not flooded with data and disabled.

You can specify a series of UDP port ranges and the allowed packet limit for that range. When the maximum number of packets/second is reached, UDP traffic is shut down on those ports.

Page 349: 24.0.0 Command Reference

Nortel Application Switch Operating System supports up to 5000 UDP port numbers, using any integer from 1 to 65535. The maximum port range is 5000. If the first port number is 300, the last number that can be used is 5300.

While you can configure multiple port ranges, the sum of ranges cannot exceed the maximum of 5000 ports.

UDP Blast Protection Menu Options (/cfg/sec/udpblast)

Command Syntax and Usage

add <UDP port number or range (first-last)> [packet rate]

Adds UDP port or range for UDP blast protection, as well as the maximum packet rate per second. If the number of packets on this port range exceeds the maximum packet rate per second, UDP traffic will be dropped.

rem <UDP port number or range (first-last)>

Removes UDP port or range for UDP blast protection.

default <packet rate>

Defines the default packet rate for UDP blast protection.

cur

Displays all UDP blast protection ports.

/cfg/security/dos

Anomaly and Denial of Service Attack Prevention Menu

Anomaly and DoS Menu Options

Command Syntax and Usage

Page 350: 24.0.0 Command Reference

ipttl <IPv4 TTL, 0-255>

Set the smallest allowable IP ttl for IPTTL.

ipprot <highest allowable IPv4 protocol [0-255]>

Set the highest allowable IP protocol for IP protection. For example:

Current highest allowable IPv4 protocol: 137
Enter new highest allowable IPv4 protocol [0-255]:

fragdata <IPv4 fragment payload size in bytes, 16-248>

Set the smallest allowable IP fragment payload.

fragoff <IPv4 fragment offset in multiples of 8 bytes, 1-255>

Set the smallest allowable IP fragment offset.

syndata <TCP packet payload size in bytes, 0-255>

Set the largest allowable IP SYN payload.

icmpdata <ICMP packet payload size in bytes, 1-9026>

Set the largest allowable ICMP payload.

icmpoff <ICMP fragment offset in multiples of 8 bytes, 1-8190>

Set the largest allowable ICMP fragment offset.

help

Description of the Anomaly and DoS attack prevention.

cur

Display current protocol anomaly and DoS attack prevention settings. For example:

Current protocol anomaly and DoS attack prevention settings:
ipttl 1, ipprot 137, fragdata 32, fragoff 4, syndata 0,
icmpdata 800, icmpoff 101
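What these seven thresholds mean for an individual IPv4 packet, as an added example (not Nortel code) that applies the values from the sample cur output above to constructed packets. The function names and the exact comparisons are assumptions read off the one-line descriptions, notably that fragdata applies to fragments with more-fragments set and fragoff to non-first fragments; malformed packets are reported under the iplen and ipversion names from the port add list.

```python
import struct

# Values from the sample "cur" output above.
THRESHOLDS = {"ipttl": 1, "ipprot": 137, "fragdata": 32, "fragoff": 4,
              "syndata": 0, "icmpdata": 800, "icmpoff": 101}

SRC, DST = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])  # documentation nets


def check_packet(pkt: bytes, t=THRESHOLDS) -> list:
    """Return the names of the threshold anomalies a raw IPv4 packet trips."""
    if len(pkt) < 20:
        return ["iplen"]
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4:
        return ["ipversion"]
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        return ["iplen"]
    payload = pkt[ihl:total_len]
    more = bool(flags_frag & 0x2000)      # more-fragments flag
    off = flags_frag & 0x1FFF             # offset in 8-byte units
    hits = []
    if ttl < t["ipttl"]:                  # smallest allowable TTL
        hits.append("ipttl")
    if proto > t["ipprot"]:               # highest allowable protocol number
        hits.append("ipprot")
    if more and len(payload) < t["fragdata"]:   # tiny non-final fragment
        hits.append("fragdata")
    if 0 < off < t["fragoff"]:            # non-first fragment starting too early
        hits.append("fragoff")
    if proto == 1:                        # ICMP
        data_len = len(payload) - 8 if off == 0 else len(payload)
        if data_len > t["icmpdata"]:
            hits.append("icmpdata")
        if off > t["icmpoff"]:
            hits.append("icmpoff")
    if proto == 6 and off == 0 and len(payload) >= 20:   # TCP, first fragment
        data_off = (payload[12] >> 4) * 4
        is_syn = bool(payload[13] & 0x02)
        if is_syn and data_off >= 20 and len(payload) - data_off > t["syndata"]:
            hits.append("syndata")
    return hits


def ipv4(proto, payload, ttl=64, flags_frag=0):
    """Constructed IPv4 packet; the header checksum is left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0,
                       flags_frag, ttl, proto, 0, SRC, DST) + payload


def tcp(flags, data=b""):
    """Constructed 20-byte TCP header followed by optional data."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags,
                       8192, 0, 0) + data


def icmp_echo(size):
    """Constructed ICMP echo request with `size` bytes of data."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1) + b"\x00" * size


if __name__ == "__main__":
    samples = {
        "plain SYN": ipv4(6, tcp(0x02)),
        "SYN with data": ipv4(6, tcp(0x02, b"data")),
        "1000-byte echo": ipv4(1, icmp_echo(1000)),
        "TTL 0": ipv4(17, b"\x00" * 16, ttl=0),
        "16-byte fragment": ipv4(17, b"\x00" * 16, flags_frag=0x2000),
    }
    for name, pkt in samples.items():
        print(name, check_packet(pkt))
```
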

/cfg/security/pgroup <pattern group number>

Pattern Matching Menu

When a virus or other attack contains multiple patterns or strings, it is useful to combine them into one group and give the group a name that is easy to remember. When a pattern group is applied to a deny filter, the switch will match any of the strings or patterns within that group before denying and dropping the packet. Up to five patterns can be combined into a single pattern group. Configure the binary or ASCII pattern strings, group them into a pattern group, name the pattern group, and then apply the group to a filter.

Page 351: 24.0.0 Command Reference

The filtering commands in Nortel Application Switch Operating System Advanced Denial of Service Pack allow the administrator to define groups of patterns. By applying the patterns and groups to a deny filter, the packet content can be detected and thus denied access to the network.

The Nortel Application Switch Operating System 24.0 supports up to 1024 pattern matching groups.

[Pattern Match Group 1 Menu]
     name   - Set pattern group name
     add    - Add SLB string to group
     rem    - Remove SLB string from group
     del    - Delete pattern group
     cur    - Display current configuration

Pattern Matching Group Menu Options (/cfg/sec/pgroup)

Command Syntax and Usage

name <31 character name> |none

Specifies a descriptive name for this pattern group.

add <string ID>

• Adds a pre-configured SLB string to this pattern group by the string ID number. To configure SLB strings, use the /cfg/slb/layer7/slb/add command described on "/cfg/slb/layer7/slb Server Load Balance Resource Configuration Menu" (page 421).

• To view existing strings and their ID numbers, use the /cfg/slb/layer7/slb/cur command, also on "/cfg/slb/layer7/slb Server Load Balance Resource Configuration Menu" (page 421).

Note: You can only add the binary or ASCII strings to a pattern matching group. Up to five patterns can be combined into a single pattern group.

rem <SLB string ID>

Removes an SLB string from this pattern group.

del

Deletes the pattern group.

cur

Displays the current configuration of this pattern group.

/cfg/sslproc

SSL Processor Menu

Page 352: 24.0.0 Command Reference

[SSL Processor Menu]
     mip    - Set SSL processor management IP
     port   - Set SSL processor Web server port
     rts    - Enable/disable RTS processing
     filt   - Enable/disable filtering
     add    - Add filter
     rem    - Remove filter
     cur    - Display current SSL processor configuration

SSL Processor Menu Options

Command Syntax and Usage

mip <SSL processor management IP>

Set SSL processor management IP.

port <SSL processor Web server port>

Set SSL processor Web server port.

rts enable|disable

Enable/disable RTS processing.

filt enable|disable

Enable/disable filtering.

add <filter ID, 1-2048>

Add a filter.

rem <filter ID, 1-2048>

Remove a filter.

cur

Display current SSL processor configuration.

/cfg/dump

Dump

The dump program writes the current switch configuration to the terminal screen. To start the dump program, at the Configuration# prompt, enter:

Configuration# dump

The configuration is displayed with parameters that have been changed from the default values. The screen display can be captured, edited, and placed in a script file, which can be used to configure other switches through a Telnet connection. When using Telnet to configure a new switch, paste the configuration commands from the script file at the command line prompt of the switch. The active configuration can also be saved or loaded via TFTP, as described on "/cfg/gtcfg Restoring the Active Switch Configuration" (page 353).

Page 353: 24.0.0 Command Reference

/cfg/ptcfg

Saving the Active Switch Configuration

When the ptcfg command is used, the switch’s active configuration commands (as displayed using /cfg/dump) will be uploaded to the specified script configuration file on the TFTP or FTP server. To start the switch configuration upload, at the Configuration# prompt, enter:

Configuration# ptcfg <TFTP/FTP server filename> {-tftp | ftp username ftp password} [-m | -mgmt | -d | -data]

where server is the TFTP or FTP server IP address or hostname, and filename is the name of the target script configuration file.

Note 1: The output file is formatted with line-breaks but no carriage returns—the file cannot be viewed with editors that require carriage returns (such as Microsoft Notepad).

Note 2: If the TFTP server is running SunOS or the Solaris operating system, the specified ptcfg file must exist prior to executing the ptcfg command and must be writable (set with proper permission, and not locked by any application). The contents of the specified file will be replaced with the current configuration data.

/cfg/gtcfg

Restoring the Active Switch Configuration

When the gtcfg command is used, the active configuration will be replaced with the commands found in the specified configuration file. The file can contain a full switch configuration or a partial switch configuration. The configuration loaded using gtcfg is not activated until the apply command is used. If the apply command is found in the configuration script file loaded using this command, the apply action will be performed automatically.

Page 354: 24.0.0 Command Reference

To start the switch configuration download, at the Configuration# prompt, enter:

Configuration# gtcfg <TFTP/FTP server filename> {-tftp | ftp username ftp password} [-m | -mgmt | -d | -data]

where server is the TFTP or FTP server IP address or hostname, and filename is the name of the target script configuration file.

Page 355: 24.0.0 Command Reference

The SLB Configuration Menu

Server Load Balancing (SLB) allows you to configure the Nortel Application Switch to balance user session traffic among a pool of available servers that provide shared services. In an average network that employs multiple servers without server load balancing, each server usually specializes in providing one or two unique services. If one of these servers provides access to applications or data that is in high demand, it can become overutilized. Placing this kind of strain on a server can decrease the performance of the entire network as user requests are rejected by the server and then resubmitted by the user stations. With this software feature, the switch is aware of the services provided by each server and can direct user session traffic to an appropriate server, based on a variety of load-balancing algorithms.

This chapter discusses how to use the Command Line Interface (CLI) for configuring Server Load Balancing (SLB) on the Nortel Application Switch. Refer to the Nortel Application Switch Operating System Application Guide for detailed information on this feature.

/cfg/slb SLB Configuration

[Layer 4 Menu]
     real    - Real Server Menu
     group   - Real Server Group Menu
     virt    - Virtual Server Menu
     filt    - Filtering Menu
     port    - Layer 4 Port Menu
     gslb    - Global SLB Menu
     layer7  - Layer 7 Resource Definition Menu
     wap     - WAP Menu
     sync    - Config Synch Menu
     adv     - Layer 4 Advanced Menu
     linklb  - Inbound Linklb Menu
     advhc   - Layer 4 Advanced Health Check Menu
     pip     - Proxy IP Address Menu
     peerpip - Peer Proxy IP Address Menu
     wlm     - Workload Manager Menu
     on      - Globally turn Layer 4 processing ON
     off     - Globally turn Layer 4 processing OFF
     cur     - Display current Layer 4 configuration

Server Load Balancing Configuration Menu Options (/cfg/slb)

Command Syntax and Usage

real <real server number (1-1023)>

Displays the menu for configuring real servers. To view menu options, see "/cfg/slb/real server number Real Server SLB Configuration" (page 358).

Displays iSD menu. To view menu options, see "/cfg/slb/real real server number /ids Real server IDS Configuration Menu" (page 365).

group <real server group number (1-1024)>

Displays the menu for placing real servers into real server groups. To view menu options, see "/cfg/slb/group real server group number Real Server Group SLB Configuration" (page 366).

virt <virtual server number (1-1024)>

Displays the menu for defining virtual servers. To view menu options, see "/cfg/slb/virt virtual server number Virtual Server SLB Configuration" (page 376).

filt <filter ID (1-2048)>

Displays the menu for Filtering and Application Redirection. To view menu options, see "/cfg/slb/filt filter number SLB Filter Configuration" (page 390).

port <port number>

Displays the menu for setting physical switch port states for Layer 4 activity. To view menu options, see "/cfg/slb/port port number Port SLB Configuration" (page 408).

gslb

Displays the menu for configuring Global Server Load Balancing. To view menu options, see "/cfg/slb/gslb Global SLB Configuration" (page 410).

Displays the Advanced SLB Global Menu.

layer7

Displays Layer 7 Resource Definition Menu. To view menu options, see "/cfg/slb/layer7 Layer 7 SLB Resource Definition Menu" (page 418).

wap

Displays WAP Menu. To view menu options, see "/cfg/slb/layer7/sdp SDP Mapping Menu" (page 422).

sync

Displays the Synch Peer Switch Menu. To view menu options, see "/cfg/slb/sync Synchronize Peer Switch Configuration" (page 423).

adv

Displays the Layer 4 Advanced Menu. To view menu options, see "/cfg/slb/adv Advanced Layer 4 Configuration" (page 425).

linklb

Displays Inbound Link Load Balancing Menu. To view menu options, see "/cfg/slb/linklb Inbound Link Load Balancing configuration Menu" (page 430).

advhc

Displays Layer 4 Advanced Health Check Menu. To view menu options, see "/cfg/slb/advhc Advanced Health Check Configuration Menu" (page 432).

pip

This menu is used to set the switch proxy IP address. When the pip is defined, client address information in Layer 4 requests is replaced with this proxy IP address. To view options, see "/cfg/slb/pip Proxy IP Address Configuration Menu" (page 439).

peerpip

Displays Peer Proxy IP address Menu. When this command is enabled, the switch is able to forward traffic from the other switch, using Layer 2, without performing server processing on the packets of the other switch. This happens because the peer switches are aware of each other’s proxy IP addresses. This prevents the dropping of a packet or being sent to the backup switch in the absence of the proxy IP address of the peer switch.

To view menu options, see "/cfg/slb/peerpip SLB Peer Proxy IP Address Menu" (page 440).

wlm

Displays the menu for workload management of servers. To view menu options, see "/cfg/slb/wlm WorkLoad Management Menu" (page 441).

on

Globally turns on Layer 4 software services for Server Load Balancing and Application Redirection. This option can be performed only after the optional Layer 4 software is enabled (see "/oper/swkey Activating Optional Software" (page 452)). Enabling Layer 4 services is not necessary for using filters only to allow, deny, or NAT traffic.

off

Globally disables Layer 4 services. All configuration information will remain in place (if applied or saved), but the software processes will no longer be active in the switch.

cur

Displays the current Server Load Balancing configuration.

Filtering and Layer 4 (Server Load Balancing)

Filters configured to allow, deny, or perform Network Address Translation (NAT) on traffic do not require Layer 4 software to be activated. These filters are not affected by the Server Load Balancing on and off commands in this menu.

Application Redirection filters, however, require Layer 4 software services. Layer 4 processing must be turned on before redirection filters will work.

/cfg/slb/real <server number> Real Server SLB Configuration

This menu is used for configuring information about real servers that participate in a server pool for Server Load Balancing or Application Redirection. The required parameters are:

• Real server IP address

• Real server enabled (disabled by default)

Real Server Configuration Menu Options (/cfg/slb/real)

Command Syntax and Usage

adv

Go to the Real Server Advanced menu. To view menu options, see "/cfg/slb/real server number /layer7 Real Server Layer 7 Configuration" (page 364).

layer7

Displays the Layer 7 Menu. To view menu options, see "/cfg/slb/real server number /layer7 Real Server Layer 7 Configuration" (page 364).

ids

Displays Intrusion Detection Server/system menu. To view menu options, see "/cfg/slb/real real server number /ids Real server IDS Configuration Menu" (page 365).

ipver <v4 | v6>

Sets the IP version of the real server.

rip <real server IP address>

Sets the IP address of the real server. The format of the IP address is dependent upon the IP version specified using the ipver command. When this command is used, the address entered is PINGed to determine if the server is up, and the administrator will be warned if the server does not respond.

name <string, maximum 31 characters> |none

Defines a 15-character alias for each real server. This will enable the network administrator to quickly identify the server by a natural language keyword value.

weight <real server weight (1-48)>

Sets the weighting value (1 to 48) that this real server will be given in the load balancing algorithms. Higher weighting values force the server to receive more connections than the other servers configured in the same real server group. By default, each real server is given a weight setting of 1. A setting of 10 would assign the server roughly 10 times the number of connections as a server with a weight of 1.

avail <server weight (1-48)>

Displays the currently available real server for Global server load balancing and allows the user to change to another real server for Global server load balancing.

maxcon <maximum connections (0-200000)>

Sets the maximum number of connections that this server should simultaneously support. By default, the number of maximum connections is set at 200,000. This option sets a threshold as an artificial barrier, such that new connections will not be issued to this server if the maxcon limit is reached. New connections will be issued again to this server once the number of current connections has decreased below the maxcon setting.

If all servers in a real server group for a virtual server reach their maxcon limit at the same time, client requests will be sent to the backup/overflow server or backup/overflow server group. If no backup servers/server group are configured, client requests will be dropped by the virtual server.

tmout <even number of minutes (2-32768)>

Sets the number of minutes an inactive session remains open (in even numbered increments).

Every client-to-server session being load balanced is recorded in the switch’s Session Table. When a client makes a request, the session is recorded in the table. The data is transferred until the client ends the session, and the session table entry is then removed.

In certain circumstances, such as when a client application is abnormally terminated by the client’s system, TCP/UDP connections will remain registered in the switch’s binding table. In order to prevent table overflow, these orphaned entries must be aged out of the binding table.

Using the tmout option, you can set the number of minutes to wait before removing orphan table entries. Settings must be specified in even numbered increments between 2 and 32768 minutes. The default setting is 10.

This option is also used with the Persistent option (see /cfg/slb/virt/pbind). When persistent is activated, this option sets how long an idle client is allowed to remain associated with a particular server.

backup <real server number (1-1023)> |none

Sets the real server used as the backup/overflow server for this real server.

To prevent loss of service if a particular real server fails, use this option to assign a backup real server number. Then, if the real server becomes inoperative, the switch will activate the backup real server until the original becomes operative again.

The backup server is also used in overflow situations. If the real server reaches its maxcon (maximum connections) limit, the backup comes online to provide additional processing power until the original server becomes desaturated.

The same backup/overflow server may be assigned to more than one real server at the same time.

inter <number of seconds between health checks (0-60)>

Sets the interval between real server health verification attempts.

Determining the health of each real server is a necessary function for Layer 4 switching. For TCP services, the switch verifies that real servers and their corresponding services are operational by opening a TCP connection to each service, using the defined service ports configured as part of each virtual service. For UDP services, the switch pings servers to determine their status.

The inter option lets you choose the time between health checks. The range is from 1 to 60 seconds. The default interval is 2 seconds. An interval of "0" disables health checking for the server.

retry <number of consecutive health checks (1-63)>

Sets the number of failed health check attempts required before declaring this real server inoperative. The range is from 1 to 63 attempts. The default is 4 attempts.

restr <number of consecutive health checks (1-63)>

Sets the number of successful health check attempts required before declaring a TCP and UDP service operational. The range is from 1 to 63 attempts. The default is 2 attempts.

overflo enable|disable

Enable or disable backup upon overflow.

addport <real server port (2–65534)>

Add multiple service ports to the server.

remport <real server port (2–65534)>

Remove multiple service ports from the server.

remote disable|enable

Enables or disables remote site operation for this server. This option should be enabled when the real IP address supplied above represents a remote server (real or virtual) that this switch will access as part of its Global Server Load Balancing network. By default, this option is disabled. For more information, refer to the Nortel Application Switch Operating System 24.0 Application Guide.

proxy disable|enable

Enables or disables proxy IP address translation. With this option enabled (default), a client request from any application can be proxied using a load-balancing Proxy IP address (PIP).

fasthc disable|enable

Enables or disables Fast Health Check operation. When enabled, the real server goes down operationally as soon as the physical port connected to the real server goes down. When disabled, the real server will go down only after the configured health check interval.

This command is enabled by default.

submac disable|enable

Enables or disables source MAC address substitution. By default, this option is disabled.

ena

You must perform this command to enable this real server for Layer 4 service. When enabled, the real server can process virtual server requests associated with its real server group. This option, when the apply and save commands are used, enables this real server for operation until explicitly disabled.

See /oper/slb/ena on "/cfg/slb SLB Configuration" (page 355) for an operations-level command.

dis

Disables this real server from Layer 4 service. A disabled server will no longer process virtual server requests as part of the real server group to which it is assigned. This option, when the apply and save commands are used, disables this real server until it is explicitly re-enabled.

Note: This option does not perform a graceful server shutdown.

See /oper/slb/dis on "/oper/slb Operations-Level SLB Options" (page 445) for an operations-level command that permits graceful server shutdown.

del

Deletes this real server from the Layer 4 switching software configuration. This removes the real server from operation within its real server groups. Use this command with caution, as it will delete any configuration options that have been set for this real server. This option does not perform a graceful server shutdown.

cur

Displays the current configuration information for this real server.
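The inter, retry and restr options described above together form a small state machine. The Python model below is an added example, not Nortel code; it assumes one probe every inter seconds with the first probe at t = inter, and the names HealthParams, detection_window and simulate are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class HealthParams:
    """Health-check settings with the defaults stated in this reference."""
    inter: int = 2   # seconds between checks; 0 disables health checking
    retry: int = 4   # consecutive failed checks before "inoperative"
    restr: int = 2   # consecutive successful checks before "operational"

    def __post_init__(self):
        # Ranges as documented for /cfg/slb/real inter, retry and restr.
        if not 0 <= self.inter <= 60:
            raise ValueError("inter must be 0-60 seconds")
        if not 1 <= self.retry <= 63:
            raise ValueError("retry must be 1-63")
        if not 1 <= self.restr <= 63:
            raise ValueError("restr must be 1-63")


def detection_window(p):
    """Seconds of back-to-back failed probes needed to mark a server down.

    Returns None when inter is 0, because a server with health checking
    disabled is never marked down by probes at all.
    """
    return None if p.inter == 0 else p.retry * p.inter


def simulate(probes, p=HealthParams(), start_up=True):
    """Replay probe results (True = check passed) and return transitions.

    Each transition is (seconds_since_start, "DOWN" | "UP").
    Assumption of this model: probe number k runs at k * inter seconds.
    """
    if p.inter == 0:
        return []
    up, fails, oks, transitions = start_up, 0, 0, []
    for k, passed in enumerate(probes, start=1):
        if passed:
            oks, fails = oks + 1, 0      # any success resets the failure run
        else:
            fails, oks = fails + 1, 0    # any failure resets the success run
        if up and fails >= p.retry:
            up = False
            transitions.append((k * p.inter, "DOWN"))
        elif not up and oks >= p.restr:
            up = True
            transitions.append((k * p.inter, "UP"))
    return transitions


# Constructed probe sequences (not captured from a switch).
OUTAGE = [True, False, False, False, False, True, True]
# A server that fails three checks out of every four never reaches
# retry=4 consecutive failures, so it stays in rotation.
FLAPPING = [False, False, False, True] * 5

if __name__ == "__main__":
    print("defaults, detection window:", detection_window(HealthParams()), "s")
    print("outage  :", simulate(OUTAGE))
    print("flapping:", simulate(FLAPPING))
    print("inter=0 :", simulate([False] * 10, HealthParams(inter=0)))
```

The flapping case is the one to watch when tuning retry: the counters only track consecutive results, so an intermittently failing server keeps receiving traffic.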

/cfg/slb/real/adv Real Server Advanced Menu

Real Server Advanced Menu Options

Command Syntax and Usage

avail <server weight, 1-48>

Set Global SLB availability for real server.

remote <enable|disable>

Enable/disable Global SLB remote site operation.

proxy <enable|disable>

Enable/disable client proxy operation.

buddyhc

Go to the Buddy Server Menu.

fasthc <enable|disable>

Enable/disable fast health check operation.

submac <enable|disable>

Enable/disable source MAC address substitution.

subdmac <enable|disable>

Enable/disable destination MAC address substitution.

cur <enable|disable>

Display current real server advanced configuration.

/cfg/slb/real/adv/buddyhc Buddy Server Health Check Menu

[Real server 1 Buddy Menu]
     addbd - Add Buddy Server
     delbd - Delete Buddy Server
     cur   - Display current buddy server configuration

Buddy Server Health Check Menu Options

Command Syntax and Usage

addbd <real server number 1-1023 real server group 1-1024 service 9-65534>

Adds a buddy server.

delbd <real server number 1-1023 real server group 1-1024 service 9-65534>

Deletes a previously added buddy server.

cur

Displays the current buddy server configuration.

/cfg/slb/real <server number> /layer7 Real Server Layer 7 Configuration

[Real Server 1 Layer 7 Commands Menu]
     addlb   - Add SLB string for content load balance
     remlb   - Remove SLB string for content load balance
     cookser - Enable/disable cookie assignment server
     exclude - Enable/disable exclusionary string matching
     ldapwr  - Enable/disable LDAP Write server
     cur     - Display current real server configuration

This menu is used for entering commands and strings for Layer 7 processing.

Layer 7 Commands Menu Options (/cfg/slb/real/layer7)

Command Syntax and Usage

addlb <defined SLB string ID, 1-1024>

Adds the predefined URL loadbalance string ID to the real server.

remlb <defined SLB string ID, 1-1024>

Removes the predefined URL loadbalance string ID from the real server.

cookser disable|enable

Enables or disables the real server to handle client requests that don’t contain a cookie. This option is used if you want to designate a specific server to assign cookies only. This server gets the client request, assigns the cookie, and embeds the IP address of the real server that will handle the subsequent requests from the client.

By default, this option is disabled.

exclude disable|enable

Enables or disables exclusionary string matching. By default, this option is disabled.

ldapwr disable|enable

Enables or disables LDAP write server. LDAP servers are of two types: read servers and write servers. You need to use read servers when you only want to browse the directory. You need to use the write servers when you want to modify the directory on the server. The write server can conduct both read and write operations.

cur

Displays the current real server configuration.

/cfg/slb/real <real server number> /ids Real server IDS Configuration Menu

Intrusion Detection System (IDS) is a type of security management system for computers and networks. An Intrusion Detection System gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). Refer to the Application Guide for more information.

[Real Server 1 IDS Menu]
     idsvlan - Set Vlan ID for ID Server
     idsport - Set Port for ID Server
     oid     - Override OID for SNMP HC
     comm    - Override community string for SNMP HC
     cur     - Display current real server configuration

IDS Configuration Menu options (/cfg/slb/real/ids)

Command Syntax and Usage

idsvlan <vlan number (1-4090)>

Defines VLAN ID for Intrusion Detection Server.

idsport <port number> | none

Defines port for Intrusion Detection Server.

Note: IDS can only be configured on real servers between one to maximum number of ports on the switch.

oid <SNMP health check object identifier to override group OID>

Specifies the object identifier (OID). This OID overrides the OID for SNMP health checks.

comm <SNMP health check community string to override group community string>

Overrides community string for SNMP health checks.

cur

Displays the current real server configuration.

/cfg/slb/group <real server group number>

Real Server Group SLB Configuration

This menu is used for combining real servers into real server groups. Each real server group should consist of all the real servers which provide a specific service for load balancing. Each group must consist of at least one real server. Each real server can belong to more than one group. Real server groups are used both for Server Load Balancing and Application Redirection.

Real Server Group Configuration Menu Options (/cfg/slb/group)

Command Syntax and Usage

ipver <v4 | v6>

Sets the IP version of the real server group.

metric leastconns|roundrobin|minmisses|hash|response|bandwidth|phash

Sets the load balancing metric used for determining which real server in the group will be the target of the next client request. The default setting is leastconns. See "Server Load Balancing Metrics" (page 373) for more information.

rmetric

Sets the load balancing metric used for determining which port in the real server will be the target of the next client request.

content <filename |/ host / filename> |none

This option defines the specific content which is examined during health checks. The content depends on the type of health check specified in the health option (see below).

health link|arp|icmp|tcp|http|httphead|dns|pop3|smtp|nntp|ftp|imap|sslh|radius-auth|radius-acc|radius-aa|script n |udp-dns|wsp|wtp|wtls|ldap|snmp n |tftp|rtsp|sip|sipoptions|wts|dhcp

http - use GET method, httphead - use HEAD method

Sets the type of health checking performed. The default is tcp. See "SLB Health Check Types" (page 370).

backup r<real server number (1-1023)> |g <group number (1-1024)> |none

Sets the real server or real server group used as the backup/overflow server/server group for this real server group.

To prevent loss of service if the entire real server group fails, use this option to assign a backup real server/real server group number. Then, if the real server group becomes inoperative, the switch will activate the backup real server/server group until one of the original real servers becomes operative again.

The backup server/server group is also used in overflow situations. If all the servers in the real server group reach their maxcon (maximum connections) limit, the backup server/server group comes online to provide additional processing power until one of the original servers becomes desaturated.

The same backup/overflow server/server group may be assigned to more than one real server group at the same time.

name <maximum 31 characters> |none

Defines a 15-character alias for each Real Server Group. This will enable the network administrator to quickly identify the server group by a natural language keyword value.

realthr <real servers (1-15, 0 for disabled)>

Specifies a minimum number of real servers available. If at any time the number reaches this minimum limit, a SYSLOG ALERT message is sent to the configured SYSLOG servers stating that the real server threshold has been reached for the concerned server load balancing group. The default threshold is 0, which also means the option is disabled.

idsrprt <real server port (2-65534)> |any

Sets real server port for the Intrusion Detection Server.

advhlth (1&2|3..), 128 |none

Defines an advanced health check formula expression for the real servers. This command allows you to create a boolean expression to health check the real server group based on the state of the virtual services. This command supports two boolean operators, AND or OR, that are used to manipulate TRUE or FALSE values. Using parentheses with the boolean operators, you can create a boolean expression to state the health of the server group. This command also supports a string expression which is up to 128 characters long, or you can also set the formula expression as none.

mhash 24|32 <number of sip bits used for minmisses hash>

Defines the minmisses hash parameter for this real server as either 24 or 32 bits. By default the minmiss algorithm uses the upper 24-bits of the source IP address to calculate the real server that the traffic should be sent to when the minmiss metric is selected. You can also select all 32-bits of the source IP address to hash to the real server.

wlm <1 - 16> | none

Set Workload Manager number.

viphlth disable|enable

Enables or disables VIP health checking in a service. This feature is enabled by default. However, it works only when the service has DSR (Direct Server Return) feature enabled. When viphlth is disabled, the switch uses RIP to perform all health checks, whether DSR is enabled or disabled.

ids disable|enable

Enables or disables Intrusion Detection Server (IDS) load balancing for the designated real server group. This feature can only be configured on real server groups between 1-63.

idsfld disable|enable

Enables or disables the Intrusion Detection flood. When Intrusion Detection flood is enabled, packets are copied to all IDS servers in the IDS group. When this is disabled, packets are only copied to the load balanced IDS server within the IDS group.

oper disable|enable

Enables or disables the real server group operation.

ena <real server number, 1-1023>

Enables a real server in this group gracefully or on a per group basis. For example, if a real server is a member of more than one group, you can configure this real server to accept requests from all the groups or any number of groups that this real server is member of.

dis <real server number, 1-1023>

Disables a real server in this group gracefully or on a per group basis.

add <real server number (1-1023)>

Adds a real server to this real server group. You will be prompted to enter the number of the real server to add to this group.

rem <real server number (1-1023)>

Remove a real server from this real server group. You will be prompted for the ID number for the real server to remove from this group.

del

Deletes this real server group from the Layer 4 software configuration. This removes the group from operation under all virtual servers it is assigned to. Use this command with caution: if you remove the only group that is assigned to a virtual server, the virtual server will become inoperative.

cur

Displays the current configuration parameters for this real server group.

SLB Health Check Types

Using the health command, you can specify the type of health check for the group of real servers. The health check options are described in the following table. Refer to the Application Guide for their detailed description.

>> Real Server Group 1# health
Current health check type: tcp
Pending new health check type: sipoptions
Enter health check type:

SLB Health Check Types (/cfg/slb/group/health)

Option and Description

link

Checks status of port for each server for IDSLB group only.

arp

Sends an ARP request for Layer 2 health checking.

icmp

For Layer 3 health checking, pings the server.

tcp

Opens and closes a TCP/IP connection to the server for TCP service.

http

For HTTP service, use HTTP 1.1 GETS when a HOST: header is required to check that the URL content is specified in content command. Otherwise, an HTTP/1.0 GET occurs.

Note: If the content is not specified, the health check will revert back to TCP on the port that is being load balanced. For examples, refer to the Nortel Application Switch Operating System 24.0 Application Guide.

httphead

Allows the switch to declare if the server is up or not just by locating the URL header and not wait until all the URL contents are received. You can use this command to test the validity and access to the hypertext links or to look for any recent modification to the URL.

dns

For Domain Name Service, check that the domain name specified in content can be resolved by the server.

pop3

For user mail service, check that the user:password account specified in content exists on the server.

smtp

For mail-server services, check that the user specified in content is accessible on the server.

nntp

For newsgroup services, check that the newsgroup name specified in content is accessible on the server.

ftp

For FTP services, check that the filename specified in content is accessible on the server through anonymous login.

imap

For user mail service, check that the user:password value specified in content exists on the server.

sslh

Enables the switch to query the health of the SSL servers by sending an SSL client "Hello" packet and then verify the contents of the server’s "Hello" response. During the handshake, the user and server exchange security certificates, negotiate an encryption and compression method, and establish a session ID for each session.

radius-auth, radius-acc, radius-aa

For RADIUS remote access server authentication, check that the user:password value specified in content exists on the Nortel Application Switch and the server. To perform application health checking to a RADIUS server, the network administrator must also configure the /cfg/slb/secrt parameter. The secrt value is a field of up to 32 alphanumeric characters that is used by the switch to encrypt a password during the RSA Message Digest Algorithm (MD5) and by the RADIUS server to decrypt the password during verification.

script n

Enables the use of script-based health checks in send/expect format to check for application and content availability. n denotes the health script number (1-64).

udpdns

Allows the user to perform health checking using UDP DNS queries.

wsp

Enables connectionless WSP content health checks for WAP gateways. The content under /cfg/slb/adv/waphc (see "/cfg/slb/advhc Advanced Health Check Configuration Menu" (page 432)) must also be configured.

wtp

Enables connection-oriented WTP + WSP content health checks for WAP gateways. The content under /cfg/slb/adv/waphc (see "/cfg/slb/advhc Advanced Health Check Configuration Menu" (page 432)) must also be configured.

wtls

Provides Wireless Transport Layer Security (WTLS) Hello-based health check for encrypted and connection-oriented WTLS traffic on port 9203.

ldap

Sets the health check type to LDAP. The LDAP health checks enable the switch to determine if the LDAP server is alive. This health check consists of three LDAP messages over one TCP connection: a bind request, a bind result, and an unbind request. The switch sends an anonymous bind request to the server. If the server is up, it will send the bind result message and the switch will mark the server as alive. The switch must send an unbind request so that the server does not hold resources indefinitely. The switch administrator can choose LDAP version 2 or 3 as both versions are compatible with Nortel Application Switch Operating System.

snmp n

Enables the use of SNMP-based health checks. n denotes the health script number (1-5).

tftp

Page 373: 24.0.0 Command Reference

Sets the health check type to TFTP. This protocol enables the user to request a file from the server. At regular intervals, the switch transmits TFTP read requests (RRQ) to all servers in the group. The health check is successful if the server responds to the RRQ. The health check fails if the switch receives an error packet from the real server.

rtsp

Sets the health check type to RTSP. The RTSP health check can operate with or without content. If there is no content configured the switch will issue an RTSP OPTIONS method. If content is supplied the switch will issue the RTSP DESCRIBE method. If the response to either method is RTSP/200 then the health check passes. If this is not the response, the health check will fail.

sip

Sets the health check type to sip. You can perform the SIP (Session Initiation Protocol) health check by using SIP PING request. You must enable UDP to perform SIP load balancing.

sipoptions

Sets the health check type to sipoptions.

wts

Sets the health check type to wts.

dhcp

Sets the health check type to dhcp. This health check type can operate with or without content. The following content types can be configured:

• request - use DHCP request instead of inform packet

• srequest - use DHCP request with a source port of 68

• strict - use DHCP inform but with a source port of 68

If no content is specified, this indicates the usage of a DHCP inform with the UDP offset source port.

Server Load Balancing Metrics

Using the metric command, you can set a number of metrics for selecting which real server in a group gets the next client request.

>> Real Server Group 1# metric
Current metric: leastconns
Enter metric:

The metrics are described in the following table:

Page 374: 24.0.0 Command Reference

Real Server Group Metrics (/cfg/slb/group/metric)

Option and Description

minmisses

Minimum misses. This metric is optimized for Application Redirection. When minmisses is specified for a real server group performing Application Redirection, all requests for a specific IP destination address will be sent to the same server. This is particularly useful in caching applications, helping to maximize successful cache hits. Best statistical load balancing is achieved when the IP address destinations of load balanced frames are spread across a broad range of IP subnets.

Minmisses can also be used for Server Load Balancing. When specified for a real server group performing Server Load Balancing, all requests from a specific client will be sent to the same server. This is useful for applications where client information must be retained on the server between sessions. Server load with this metric becomes most evenly balanced as the number of active clients increases.

hash

Like minmisses, the hash metric uses IP address information in the client request to select a server.

For Application Redirection, all requests for a specific IP destination address will be sent to the same server. This is particularly useful for maximizing successful cache hits.

For Server Load Balancing, all requests from a specific client will be sent to the same server. This is useful for applications where client information must be retained between sessions.

The hash metric should be used if the statistical load balancing achieved using minmisses is not as optimal as desired. Although the hash metric can provide more even load balancing at any given instance, it is not as effective as minmisses when servers leave and reenter service.

If the Load Balancing statistics indicate that one server is processing significantly more requests over time than other servers, consider using the hash metric.

leastconns

Page 375: 24.0.0 Command Reference

Least connections. With this option, the number of connections currently open on each real server is measured in real time. The server with the fewest current connections is considered to be the best choice for the next client connection request.

This option is the most self-regulating, with the fastest servers typically getting the most connections over time, due to their ability to accept, process, and shut down connections faster than slower servers.

roundrobin

Round robin. With this option, new connections are issued to each server in turn: the first real server in this group gets the first connection, the second real server gets the next connection, followed by the third real server, and so on. When all the real servers in this group have received at least one connection, the issuing process starts over with the first real server.

response

Real server response time. With this option, the switch monitors and records the amount of time that each real server takes to reply to a health check. The response time is used to adjust the real server weights. The weights are adjusted so they are inversely proportional to a moving average of response time.

bandwidth

Bandwidth Metric. With this option, the real server weights are adjusted so they are inversely proportional to the number of octets that the real server processes during a given interval. The higher the bandwidth used, the smaller is the weight assigned to that server.

phash

The phash metric utilizes the best features of the hash and minmiss metrics. With phash enabled, the switch supports an even load distribution (hash) and stable server assignment (minmiss) even when a server in the group goes down. With the phash metric, the first hash will always be the same even if a real server is down. If the first hash hits a dead server, it will rehash for that request based on the actual number of servers that are up. This results in a request always being sent to a server that is up.

whash

Page 376: 24.0.0 Command Reference

Note: Under the leastconns, roundrobin, hash, and phash metrics, when real servers are configured with weights (see the weight option on "Real Server Configuration Menu Options (/cfg/slb/real)" (page 359)), a higher proportion of connections are given to servers with higher weights. This can improve load balancing among servers of different performance levels. Weights are not applied when using the minmisses metrics.
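The phash entry in the metrics table above describes a two-step selection: a first hash over the whole configured group, then a rehash over the servers that are up only if the first choice is dead. The sketch below is an added example, not Nortel code, and it compares that behaviour with a plain hash taken over the live servers. The hash function, the modelling of the plain hash metric, the server names and the client addresses are all assumptions made for illustration.

```python
import hashlib


def hash_value(key: str) -> int:
    """Stand-in hash (assumption): the switch's own hash function is not documented here."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


def select_hash(client_ip, servers, up):
    """Plain hash, modelled (assumption) as a modulo over the servers currently up."""
    live = [s for s in servers if s in up]
    if not live:
        return None
    return live[hash_value(client_ip) % len(live)]


def select_phash(client_ip, servers, up):
    """phash as described: first hash over the full group, rehash only on a dead hit."""
    live = [s for s in servers if s in up]
    if not live:
        return None
    first = servers[hash_value(client_ip) % len(servers)]
    if first in up:
        return first  # the first hash is unchanged by other servers failing
    # First hash hit a dead server: rehash over the number of servers that are up.
    return live[hash_value(client_ip) % len(live)]


def sample_clients(n):
    """Constructed client addresses, for the comparison only."""
    return [f"10.0.{i // 256}.{i % 256}" for i in range(n)]


def moved_clients(selector, clients, servers, down):
    """Count clients that change server when `down` fails, excluding the clients
    that were on `down` itself (they have to move under any metric)."""
    all_up = set(servers)
    after = all_up - {down}
    moved = 0
    for client in clients:
        before = selector(client, servers, all_up)
        if before == down:
            continue
        if selector(client, servers, after) != before:
            moved += 1
    return moved


def demo():
    servers = ["real1", "real2", "real3", "real4"]  # hypothetical real servers
    clients = sample_clients(1000)
    return {
        "hash_moved": moved_clients(select_hash, clients, servers, "real2"),
        "phash_moved": moved_clients(select_phash, clients, servers, "real2"),
    }


if __name__ == "__main__":
    print(demo())
```

Under this model a single failure disturbs only the failed server's clients with phash, which matters wherever the real servers hold per-client state such as sessions or caches.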

/cfg/slb/virt <virtual server number>
Virtual Server SLB Configuration

This menu is used for configuring the virtual servers which will be the target for client requests for Server Load Balancing. Configuring a virtual server requires the following parameters:

• Creating a virtual server IP address

• Adding TCP/UDP port and real server group

• Enabling the virtual server (disabled by default)

Virtual Server Configuration Menu Options (/cfg/slb/virt)

Command Syntax and Usage

service <virtual port or name>

Displays the Virtual Services Menu. The virtual port name can be a well-known port name, such as http, ftp, the service number, and so on. The allowable port range is from 9 to 65534. To get more information about well-known ports, see the sport command on sportany|name|port|port|port. To view the services menu options, see "/cfg/slb/virt server number /service virtual port or name Virtual Server Service Configuration" (page 378).

ipver <IP version (v4 or v6)>

Set the IP version.

vip <virtual server IP address for IPv4 or IPv6>

Page 377: 24.0.0 Command Reference

Sets the IP address of the virtual server using dotted-decimal notation. The virtual server created within the switch will respond to ARPs and PINGs from network ports as if it was a normal server. Client requests directed to the virtual server’s IP address will be balanced among the real servers available to it through real server group assignments.

dname <64 character domain name> | none

Sets the domain name for this virtual server. The domain name typically includes the name of the company or organization, and the Internet group code (.com, .edu, .gov, .org, and so forth). An example would be foocorp.com. It does not include the hostname portion (www, www2, ftp, and so forth). The maximum number of characters that can be used in a domain name is 64. To define the hostname, see hname below. To clear the dname, specify the name as none.

vname <32 character virtual server name> | none

Set name of virtual server.

cont <BWM contract (1-1024)>

Enter a new Bandwidth Management Contract for this virtual service. By default, all services under this virtual server are assigned this BW contract. However, the BW contract can be changed for a selected virtual server with /cfg/slb/virt <number> /service <number> /cont.

All the frames that match this virtual server services are assigned this BW contract if the previously assigned contract for the frame has lower or equal precedence of the virtual server contract.

The default number of contracts is set at 1024 for Nortel Application Switch Operating System.

weight

Sets the Global server weight for the virtual server. The higher the weight value, the more connections that will be directed to the local site. The default is 1. The response time of this site is divided by this weight before the best site is assigned to a client. Remote site response times are divided by the real server weight before selection occurs.

avail

Sets the Global SLB availability for the virtual server.

addrule <rule, 1-64>

Adds Global SLB rule to domain. Rule allows the server selected for GSLB to use different metric preference based on time of the day. Each domain has one or more rules. Each rule has metric preference list. The server selected for GSLB selects the first rule that matches the domain and starts with the first metric in the preference list of the rule. The default is rule 1.

Page 378: 24.0.0 Command Reference

remrule <rule, 1-64>

Removes Global SLB rule from domain.

layr3 <enable|disable>

Normally, the client IP address is used with the client Layer 4 port number to produce a session identifier. When the layr3 option is enabled (disabled by default), the switch uses only the client IP address as the session identifier. It associates all the connections from the same client with the same real server while any connection exists between them.

This option is necessary for some server applications where state information about the client system is divided across different simultaneous connections, and also in applications where TCP fragments are generated.

If the real server to which the client is assigned becomes unavailable, the Layer 4 software will allow the client to connect to a different server.

creset enable|disable

Enable/disable client connection reset invalid VPORT.

preempt enable|disable

Enable/disable GSLB failover preemption.

ena

Enables this virtual server. This option activates the virtual server within the switch so that it can service client requests sent to its defined IP address.

dis

This option disables the virtual server so that it no longer services client requests.

del

This command removes this virtual server from operation within the switch and deletes it from the Layer 4 switching software configuration. Use this command with caution, as it will delete the options that have been set for this virtual server.

cur

Displays the current configuration of the specified virtual server.

/cfg/slb/virt <server number> /service <virtual port or name>
Virtual Server Service Configuration

This menu is used for configuring services assigned to a virtual server. The following example shows a menu for http (port 80) services.

Page 379: 24.0.0 Command Reference

Note: Select virtual service port 554 to configure RTSP traffic. See "Cookie-Based Persistence" (page 388) to view the menu options for configuring virtual services on port 554 for RTSP.

[Virtual Server 1 14 Service Menu]
wts - WTS Load Balancing Menu
http - HTTP Load Balancing Menu
sip - SIP Load Balancing Menu
rtsp - RTSP Load Balancing Menu
group - Set real server group number
rport - Set real port
hname - Set hostname
cont - Set BW contract for this virtual service
pbind - Set persistent binding type
thash - Set hash parameter
tmout - Set minutes inactive connection remains open
dbind - Enable/disable delayed binding
udp - Enable/disable UDP balancing
frag - Enable/disable remapping UDP server fragments
nonat - Enable/disable only substituting MAC addresses
dnsslb - Enable/disable DNS query load balancing
direct - Enable/disable direct access mode
mirror - Enable/disable session mirroring
epip - Enable/disable pip selection based egress port/vlan
del - Delete virtual service
cur - Display current virtual service configuration

Virtual Server Service Configuration Options (/cfg/slb/virt/service)

Command Syntax and Usage

wts

Go to the WTS Load Balancing Menu. To view the menu options, see "/cfg/slb/virt/service/wts WTS Load Balancing Menu" (page 385).

http

Enables or disables HTTP Redirection for Global server load balancing on a per VIP basis. Disabling HTTP Redirection causes GSLB to use proxy IP address for HTTP. To view the menu options, see "/cfg/slb/virt/service/http HTTP Load Balancing Menu" (page 385).

sip

Page 380: 24.0.0 Command Reference

Enables or disables Session Initiation Protocol (SIP) server load balancing on the Nortel Application Switch Operating System. When enabled, you can configure SIP service on the service port 5060 for a virtual server. SIP is an application-level control protocol for creating, modifying and terminating sessions with one or more participants (documented in RFC 3261). NAS supports both TCP and UDP based SIP Servers. Using SIP on your switch, you can load balance Nortel’s MCS (Multimedia Communication Server) proxy servers. Nortel Networks’ MCS is a UDP based SIP enabled application Server. Microsoft LCS server is supported in this version of NAS.

You need to turn Direct Access Mode (DAM) on to perform SIP load balancing.

You can use only minmiss as the load balancing metric since the load balancing is performed based on the Call-ID.

To view the menu options, see "/cfg/slb/virt/service/sip SIP Load Balancing Menu" (page 386).

rtsp

Go to the RTSP Load Balancing Menu. To view the menu options, see "/cfg/slb/virt/service/rtsp RTSP Load Balancing Menu" (page 387).

group <real server group number (1-1024)>

Sets a real server group for this service. The default is set at 1. You will be prompted to enter the number (1 to 1024) of the real server group to add to this service.

rport <real server port (0-65534)>

Defines the real server TCP or UDP port assigned to this service. By default, this is the same as the virtual port (service virtual port). If rport is configured to be different than the virtual port defined in /cfg/slb/virt <number> /service <virtual port>, the switch will map the virtual port to this real port.

hname <hostname> |none

Page 381: 24.0.0 Command Reference

Sets the hostname for a service added. This is used in conjunction with dname (above) to create a full host/domain name for individual services.

The format for this command is: # hname <hostname>

For example, to add a hostname for Web services, you could specify www as the hostname. If a dname of "foocorp.com" was defined (above), "www.foocorp.com" would be the full host/domain name for the service.

To clear the hostname for a service, use the command: # hname none

httpslb urlslb|host|cookie|browser|urlhash|headerhash|others

Load balances on the following applications:

• urlslb: Enable or disable URL SLB

• host: Enable or disable for virtual hosting

• cookie: Enable or disable cookie-based SLB for cookie-based preferential load balancing. You will be prompted for the following: Cookie name, starting point of the cookie value, number of bytes to be extracted, enable/disable checking for cookie in URI

• browser: Enable or disable SLB, based on browser type

• urlhash: Enable or disable URL hashing based on URI

• headerhash: Hashes on any HTTP header value.

• others: Requires inputs for a particular header field

You may choose to combine or select applications to load balance using the commands and and/or or. For example:

• httpslb <application>

• httpslb application and|or <application>

cont <BWM Contract (0-1024), 0 for VIP default>

Sets a Bandwidth Management contract for this virtual service. The default number of contracts is set at 1024 for Nortel Application Switch Operating System.

Note: If you enter 0 for the service contract, it will carry the value entered for the Virtual Server IP (vip) contract.

Page 382: 24.0.0 Command Reference

urlcont <URL path ID BW contract>

Sets the Bandwidth Management contract of a string specific to this virtual service. Only use this command when a string is shared by multiple virtual services and each service requires a separate bandwidth. The default is set at 1024.

pbind clientip|cookie <p|r|i> |sslid|disable

Enables or disables persistent bindings for a real server (disabled by default). This may be necessary for some server applications where state information about the client system is retained on the server over a series of sequential connections, such as with SSL (Secure Socket Layer, HTTPS), Web site search results, or multi-page Web forms.

• The clientip option uses the client IP address as an identifier, and associates all connections from the same client with the same real server until the client becomes inactive and the connection is aged out of the binding table. The connection timeout value (set in the Real Server Menu) is used to control how long these inactive but persistent connections remain associated with their real servers. When the client resumes activity after their connection has been aged out, they will be connected to the most appropriate real server based on the load balancing metric.

An alternative approach may be to use the real server group metrics minmisses or hash (see "Server Load Balancing Metrics" (page 373)).

In Nortel Application Switch Operating System 23.1, with clientip command enabled, HTTP and HTTPS traffic from the same client will map to the same server irrespective of the load balancing metric used, since the services are related. Whereas, different services from the same client may not map to the same server.

• The cookie option uses a cookie defined in the HTTP header or placed in the URI for hashing. For more information on cookie option, see "Cookie-Based Persistence" (page 388). For detailed information on Cookie-Based Persistence, see the Persistence chapter in the Nortel Application Switch Operating System Application Guide.

• The sslid option is for Secure Sockets Layer (SSL), which is a set of protocols built on top of TCP/IP that allow an application server and user to communicate over an encrypted HTTP session. SSL provides authentication, non-repudiation, and security. The session ID is a value comprising 32 random bytes chosen by the SSL server that gets stored in a session hash table. By enabling the sslid option, all subsequent SSL sessions which present the same session ID will be directed to the same real server.

Page 383: 24.0.0 Command Reference

• The disable option allows you to disable persistent binding, if it has previously been enabled for a particular application.

rcount <response count number (1-16)>

Sets the maximum response counter for cookie-based persistence. The Nortel Application Switch will examine each server response until the cookie is found, or until the maximum count is reached. The default number is 1.

thash sip|sip+sport

Defines hash parameter. Tunable hash feature allows the user to select different parameters for computing the hash value used by the hash, phash, and minmisses SLB metrics. For example, the source IP address, or both source IP address and source port. If the user does not select any, the switch will use default hash parameter, which is sip.

tmout

To check the time in minutes when an inactive connection remains open.

dbind disable|enable

Enables or disables Layer 4 Delayed Binding for TCP service and ports. Enabling this command protects the server from Denial of Service (DoS) attacks. This option is disabled by default.

udp disable|enable|stateless

Enables or disables UDP load balancing for a virtual port (disabled by default). You can configure this option if the service(s) to be load balanced include UDP and TCP. For example, DNS uses UDP and TCP. In those environments, you must activate UDP balancing for the particular virtual servers that clients will communicate with using UDP.

When stateless is enabled, no session table entry is created.

Since no session is created, you have to bind to a new server every time.

Note: If applying a filter to the same virtual server IP address on which UDP load balancing is enabled, disable caching on that filter for optimal performance. For more information, see the cache command in "Advanced Filter Menu (/cfg/slb/filt/adv)" (page 396).

frag disable|enable

Enables or disables remapping server fragments for virtual port. This option is enabled by default.

nonat disable|enable

Page 384: 24.0.0 Command Reference

Enables or disables substituting only the MAC address of the real server (disabled by default). This option does not substitute IP addresses. This option is used for Direct Server Return (DSR) in a one-armed load balancing setup, so that frames returning from server to the client do not have to pass through the switch.

dnsslb disable|enable

Enables or disables DNS-based Layer 7 content load balancing.

This command appears only when the virtual service is set to ftp or service port 21.

Enables or disables FTP SLB parsing for this virtual server (disabled by default). When this option is enabled, the switch modifies the appropriate FTP method/command to support FTP servers on a private network for both active and passive FTP modes.

To do this, the switch looks deeper into the packet and modifies the port command for active FTP or the "entering the passive mode" command for passive FTP.

direct disable|enable

Enables or disables Direct Access Mode (DAM) on the selected virtual service. This command takes precedence over the command to globally enable or disable Direct Access Mode on the switch.

mirror disable|enable

Enables or disables session mirroring on the selected virtual service.

xforward disable|enable

Enables or disables inserting the X-Forwarded-For header into the client HTTP request to preserve the client IP information. X-Forwarded-For is a special header that stores and identifies the client IP information. This feature is applicable only on HTTP protocol.

epip disable|enable

Enables or disables proxy IP selection based on egress port or VLAN. By default, the SP selects the proxy IP address based on ingress port or VLAN. Using the epip command, you can configure the SP to select proxy IP address based on the egress port or VLAN.

del

This command removes this virtual service from operation within the switch and deletes it from the Layer 4 switching software configuration. Use this command with caution, as it will delete the options that have been set for this virtual service.

Page 385: 24.0.0 Command Reference

cur

Displays the current configuration of services on the specified virtual server.

/cfg/slb/virt/service/wts
WTS Load Balancing Menu

[WTS Load Balancing Menu]
userhash - Enable userhash when there is no Session Dir. Server
ena - Enable WTS loadbalancing and persistence
dis - Disable WTS loadbalancing and persistence
cur - Display current WTS configuration

WTS Load Balancing Menu Options

Command Syntax and Usage

userhash

Enables the userhash if there is no session director server in the server platform.

ena [true|false]

Enable WTS load balancing.

dis [true|false]

Disable WTS load balancing.

cur

Display the current WTS configuration.

/cfg/slb/virt/service/http
HTTP Load Balancing Menu

HTTP Load Balancing Menu Options

Command Syntax and Usage

httpslb

Page 386: 24.0.0 Command Reference

Set HTTP SLB processing.

urlcont

Set BW cont of an SLB string specific to this service.

rcount

Set multi response count.

http

Enable/disable HTTP redirects for Global SLB.

xforward

Enable/disable X-Forwarded-For for proxy mode.

pooling

Enable/disable connection pooling for HTTP traffic.

cur

Display current HTTP configuration.

/cfg/slb/virt/service/sip
SIP Load Balancing Menu

[SIP Load Balancing Menu]
sip - Enable/disable SIP load balancing
sdpnat - Enable/disable SIP SDP Media Portal NAT
cur - Display current SIP configuration

These options are the L7 based SIP load balancing.

Note: L7 SIP load balancing is supported only in UDP and not in TCP. You must enable UDP for SIP service.

SIP Load Balancing Menu Options

Command Syntax and Usage

sip

Enable SIP load balancing. When this is enabled you can scan and hash calls based on a SIP Call-ID header to an MCS server. You need to turn Direct Access Mode (DAM) on to perform SIP load balancing. You can use only minmiss as the load balancing metric since the load balancing is performed based on the Call-ID. When this is disabled, the load balancing is based on L4 tuple values.

sdpnat

Enable SIP SDP Media Portal NAT.

Page 387: 24.0.0 Command Reference

cur

Display the current SIP configuration.

/cfg/slb/virt/service/rtsp
RTSP Load Balancing Menu

[RTSP Load Balancing Menu]
group - Set real server group number
hname - Set hostname
rtspslb - Set RTSP URL load balancing type
thash - Set hash parameter
tmout - Set minutes inactive connection remains open
softgrid - Enable/disable SoftGrid load balancing
nonat - Enable/disable only substituting MAC addresses
nortsp - Enable/disable only RTSP SLB
del - Delete virtual service
cur - Display current virtual service configuration

RTSP Load Balancing Menu Options

Command Syntax and Usage

group <real server group number (1-1024)>

Sets real server group number.

hname <hostname> |none

Sets the hostname for a service added. This is used in conjunction with dname (above) to create a full host/domain name for individual services.

The format for this command is: # hname <hostname>

For example, to add a hostname for Web services, you could specify www as the hostname. If a dname of "foocorp.com" was defined (above), "www.foocorp.com" would be the full host/domain name for the service.

To clear the hostname for a service, use the command: # hname none

rtspslb hash|patternMatch|l4hash|none

Page 388: 24.0.0 Command Reference

This Layer 7 load balancing option sets the type of rtspslb, either hash or patternMatch, thereby enabling the service. The default is hash.

hash: If you use hash, RTSP will parse the URL and will hash the URL to select a server to load balance.

patternMatch: If you select this option, the switch will match the string or pattern within the URL to select a server based on the string configured on the real server.

l4hash: The l4hash option configures Server Load Balancing to be based on the Layer 4 hash metric.

none: If set at none, RTSP will use Layer 4 metrics to select a server to load balance.

thash sip|sip+sport

Defines hash parameter. Tunable hash feature allows the user to select different parameters for computing the hash value used by the hash, phash, and minmisses SLB metrics. For example, the source IP address, the destination IP address, or both source IP address and source port. If the user does not select any, the switch will use default hash parameter, which is sip.

tmout <minutes (0 - 32768)>

Sets the number of minutes an inactive connection remains open. This is an even number of minutes between 0 and 32768.

softgrid <Enable|disable>

Enable or disable softgrid load balancing.

nonat <Enable|disable>

Enable or disable NAT for DSR configuration.

nortsp <Enable|disable>

Enable or disable RTSP SLB for DSR configuration.

del

Deletes this virtual service.

cur

Displays the current virtual service configuration.

Cookie-Based Persistence

The cookie option is used to establish cookie-based persistence, and has the following command syntax and usage:

Page 389: 24.0.0 Command Reference

pbind cookie <mode name offset length URI>

Each parameter is explained in the following table.

Option Description

mode Specify the mode for cookie-based persistence. The following three modes are available:

• p: Passive mode. In this mode, the network administrator configures the Web server to embed a cookie in the server response that the switch looks for in subsequent requests from the same client.

• r: Rewrite mode. In active cookie mode (or cookie rewrite mode), the switch, and not the network administrator, generates the cookie value on behalf of the server. The switch intercepts this persistence cookie and rewrites the value to include server-specific information before sending it to the client.

• i: Insert mode. When a client sends a request without a cookie, the server responds with the data, and the switch inserts a persistence cookie into the data packet. The switch uses this cookie to bind to the appropriate server.

Cookie-insert has some new options as explained below:

Domain name: Domain specifies the domain for which the cookie is valid. Enter [y] to enable this option.

path: Enter the subset of URLs on the origin server to which this cookie applies.

secure flag: The Secure boolean attribute, when True, directs the user agent to use secure connection to obtain content associated with the cookie. Enter [y] to enable this option.

Insert cookie mode expiration parameters are as follows:

Enter insert-cookie expiration as either:

• ... a date <MM/dd/yy[@hh:mm]> (e.g. 12/31/01@23:59)

• ... a duration <days[:hours[:minutes]]> (e.g. 45:30:90)

• ... or none <return>

Page 390: 24.0.0 Command Reference

name Enter the name of the cookie.

offset Enter the starting point of the cookie value (1-64).

length Enter number of bytes to extract (1-64). For cookie rewrite, the extracting length must be 8 or 16.

URI Look for cookie in the URI. If you want to look for cookie name or value in the URI, enter e to enable this option. To look for cookie in the HTTP header, enter d to disable this option.

For more information on Cookie-Based Persistence, see the Nortel Application Switch Operating System 24.0 Application Guide.

/cfg/slb/filt <filter number>

SLB Filter Configuration

[Filter 1 Menu]
adv - Filter Advanced Menu
name - Set filter name
smac - Set source MAC address
dmac - Set destination MAC address
ipver - Set Filter IP version
sip - Set source IP address
smask - Set source subnet mask/prefix len
dip - Set destination IP address
dmask - Set destination subnet mask/prefix len
proto - Set IP protocol
sport - Set source TCP/UDP port or range
dport - Set destination TCP/UDP port or range
action - Set action
group - Set real server group for redirection
rport - Set real server port for redirection
nat - Set which addresses are network address translated
vlan - Set vlan id
invert - Enable/disable filter inversion
ena - Enable filter
dis - Disable filter
del - Delete filter
cur - Display current filter configuration

The switch supports up to 2048 traffic filters. Each filter can be configured to allow, deny, redirect or perform Network Address Translation on traffic according to a variety of address and protocol specifications, and each physical switch port can be configured to use any combination of filters. This command is disabled by default.

Page 391: 24.0.0 Command Reference

There are several options available in the Filter Advanced Menu (/cfg/slb/filt/adv, "/cfg/slb/filt filter number /adv Advanced Filter Configuration" (page 395)) that can be used to provide more information through syslog. The types of information include:

• IP protocol

• TCP/UDP ports

• TCP flags

• ICMP message type

The following parameters are required for filtering:

• Set the address, masks, and/or protocol that will be affected by the filter

• Set the filter action (allow, deny, redirect, nat)

• Enable the filter

• Add the filter to a switch port

• Enable filtering on the Nortel Application Switch port

Filter Configuration Menu Options (/cfg/slb/filt)

Command Syntax and Usage

adv

Displays the Filter Advanced Menu. To view menu options, see "/cfg/slb/filt filter number /adv Advanced Filter Configuration" (page 395).

name <31 character name> |none

Allows the user to assign a name to a filter.

smac any| <MAC address (such as, 00:60:cf:40:56:00)>

Sets the source MAC address. The default is any.

dmac any| <MAC address (such as, 00:60:cf:40:56:00)>

Sets the destination MAC address. The default is any.

ipver v4 | v6

Sets the IP version that the filter will use. Filtering using IPv6 is only supported in bridge mode.

sip <sip IP4 address (eg, 192.4.17.101) | IP6 address (eg, 3001:0:0:0:0:0:abcd:1234 or 3001::abcd:1234)>

If defined, traffic with this source IP address will be affected by this filter. Specify an IP address in dotted decimal notation for IPv4 or colon notation for IPv6, or any. A range of IP addresses is produced when used with the smask below. The default is any if the source MAC address is any.

Page 392: 24.0.0 Command Reference

smask <IP4 subnet mask (such as, 255.255.255.0)> | <IP6 prefix length (eg, 64)>

This IP address mask is used with the sip to select traffic which this filter will affect. See details below for more information on producing address ranges. For more information, see "Defining IP Address Ranges for Filters" (page 395).

dip <IP4 address (eg, 192.4.17.101)> | <IP6 address (eg, 3001:0:0:0:0:0:abcd:1234 or 3001::abcd:1234)>

If defined, traffic with this destination IP address will be affected by this filter. Specify an IP address in dotted decimal notation for IPv4 or colon notation for IPv6, or any. A range of IP addresses is produced when used with the dmask below. The default is any if the destination MAC address is any. For more information, see "Defining IP Address Ranges for Filters" (page 395).

dmask <IP4 subnet mask (such as, 255.255.255.0)> | <IP6 prefix length (eg, 64)>

This IP address mask is used with the dip to select traffic which this filter will affect.

proto any| <number> | name

If defined, traffic from the specified protocol is affected by this filter. Specify the protocol number, name, or "any". The default is any. Listed below are some of the well-known protocols.

Number Name

1 icmp

2 igmp

6 tcp

17 udp

58 icmp6

89 ospf

112 vrrp

sport any| <name> | <port> | <port> - <port>

If defined, traffic with the specified TCP or UDP source port will be affected by this filter. Specify the port number, range, name, or "any". The default is any. Listed below are some of the well-known ports:

Number Name

20 ftp-data

21 ftp

22 ssh

23 telnet

Page 393: 24.0.0 Command Reference

25 smtp

37 time

42 name

43 whois

53 domain

69 tftp

70 gopher

79 finger

80 http

109 pop2

110 pop3

dport any| <name> | <port> | <port> - <port>

If defined, traffic with the specified real server TCP or UDP destination port will be affected by this filter. Specify the port number, range, name, or "any", just as with sport above. The default is set at any.

action allow|deny|redir|nat|goto

Specifies the action this filter takes:

Note: IPv6 filters support the allow, deny, and redirection actions.

allow Allow the frame to pass (by default).

deny Discard frames that fit this filter’s profile. This can be used for building basic security profiles.

redir Redirect frames that fit this filter’s profile, such as for web cache redirection. In addition, Layer 4 processing must be activated (see the /cfg/slb/on command on "/cfg/slb SLB Configuration" (page 355)).

nat Perform generic Network Address Translation (NAT). This can be used to map the source or destination IP address and port information of a private network scheme to/from the advertised network IP address and ports. This is used in conjunction with the nat option (mentioned in this table) and can also be combined with proxies.

Page 394: 24.0.0 Command Reference

goto Allows the user to specify a target filter ID that the filter search should jump to when a match occurs. The goto action causes filter processing to jump to a designated filter, effectively skipping over a block of filter IDs. Filter searching action will then continue from the designated filter ID.

To specify the new filter to goto, use the /cfg/slb/filt/adv/goto command.

group <real server group number (1-1024)>

This option applies only when redir is specified at the filter action. Define a real server group (1 to 16) to which redirected traffic will be sent. The default is group 1.

rport <real server port (0-65535)>

This option applies only when redir is specified at the filter action. This defines the real server TCP or UDP port to which redirected traffic will be sent. For valid Layer 4 health checks, this must be configured whenever TCP protocol traffic is redirected. Also, if transparent proxies are used for Network Address Translation (NAT) on the Nortel Application Switch (see the pip option in "Port Configuration Menu Options (/cfg/slb/port)" (page 408)), rport must be configured for all Application Redirection filters. The default is set at 0.

nat source|dest

When nat is set as the filter action (see above), this command specifies whether Network Address Translation (NAT) is performed on the source or the destination information. Destination (dest) is set as the default filter. If source is specified, the frame’s source IP address (sip) and port number (sport) are replaced with the dip and dport values. If dest is specified, the frame’s destination IP address (dip) and port number (dport) are replaced with the sip and sport values.

vlan any| <VLAN ID (1 - 4090)>

Sets the ID of the VLAN that is to be filtered. This option allows you to match the VLAN ID of the switch against the VLAN ID of the incoming packet. The default is any, which means the switch will match any VLAN ID of the incoming packet.

This command allows filters to be configured on a per VLAN basis, and applies a filter to a VLAN that already has been configured. A VLAN has a set of member ports. But by applying this filter to a VLAN, the filter does not get applied to all the member ports of this VLAN. You have to manually add the filter to the port.

invert disable|enable

Page 395: 24.0.0 Command Reference

Inverts the filter logic. If the conditions of the filter are met, don’t act. If the conditions for the filter are not met, perform the assigned action. This option is disabled by default.

When using filter inversion for IPv6, be aware the Neighbor Solicitations (NSol) are filtered out if no appropriate NSol filter was set up before inversion.

ena

Enables this filter.

dis

Disables this filter.

del

Deletes this filter.

cur

Displays the current configuration of the filter.

Defining IP Address Ranges for Filters

You can specify a range of IP addresses for filtering both the source and/or destination IP address for traffic. When a range of IP addresses is needed, the sip (source) or dip (destination) defines the base IP address in the desired range, and the smask (source) or dmask (destination) is the mask which is applied to produce the range.

For example, to determine if a client request’s destination IP address should be redirected to the cache servers attached to a particular switch, the destination IP address is masked (bitwise AND) with the dmask and then compared to the dip.

As another example, you could configure the switch with two filters so that each would handle traffic filtering for one half of the Internet. To do this, you could define the following parameters:

Filtering IP Address Ranges

Filter   Internet Address Range         dip          dmask
#1       0.0.0.0 - 127.255.255.255      0.0.0.0      128.0.0.0
#2       128.0.0.0 - 255.255.255.255    128.0.0.0    128.0.0.0
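The mask-and-compare rule above, carried through for both IPv4 masks and IPv6 prefix lengths, as an added example that is not Nortel code. The function names are hypothetical, and the comparison follows the wording of this section literally (the packet address is masked, the configured base is not), which is why a base with bits outside its mask is flagged as a filter that can never match.

```python
import ipaddress


def mask_to_int(mask, version):
    """smask/dmask as an integer: dotted mask for IPv4, prefix length for IPv6."""
    if version == 4:
        return int(ipaddress.IPv4Address(mask))
    bits = int(mask)
    if not 0 <= bits <= 128:
        raise ValueError("IPv6 prefix length must be 0-128")
    return ((1 << bits) - 1) << (128 - bits)


def matches(addr, base, mask):
    """Rule from the text: AND the packet address with the mask, compare to sip/dip."""
    a = ipaddress.ip_address(addr)
    b = ipaddress.ip_address(base)
    if a.version != b.version:
        return False
    return (int(a) & mask_to_int(mask, a.version)) == int(b)


def base_is_aligned(base, mask):
    """False when the base has bits set outside the mask.

    Under the literal rule above such a filter matches no address at all,
    so a deny filter written this way silently protects nothing.
    """
    b = ipaddress.ip_address(base)
    return (int(b) & ~mask_to_int(mask, b.version)) == 0


def address_range(base, mask):
    """First and last address selected by a base/mask pair (contiguous masks only)."""
    b = ipaddress.ip_address(base)
    full = (1 << b.max_prefixlen) - 1
    host_bits = ~mask_to_int(mask, b.version) & full
    if host_bits & (host_bits + 1):
        raise ValueError("non-contiguous mask does not describe a single range")
    if int(b) & host_bits:
        raise ValueError("base has bits outside the mask; nothing would match")
    return str(b), str(type(b)(int(b) | host_bits))


def filter_acts(addr, base, mask, invert=False):
    """With invert enabled the filter acts on traffic that does NOT meet the condition."""
    hit = matches(addr, base, mask)
    return (not hit) if invert else hit


# The two filters from the "Filtering IP Address Ranges" table.
TABLE = {1: ("0.0.0.0", "128.0.0.0"), 2: ("128.0.0.0", "128.0.0.0")}

if __name__ == "__main__":
    for number, (dip, dmask) in TABLE.items():
        print(number, address_range(dip, dmask))
    # Constructed destination addresses, not taken from any capture.
    for dst in ("10.1.2.3", "192.4.17.101"):
        hits = [n for n, (dip, dmask) in TABLE.items() if matches(dst, dip, dmask)]
        print(dst, "-> filter", hits)
    # A host address used as the base with a /24-style mask never matches.
    print(base_is_aligned("192.4.17.101", "255.255.255.0"))
```

Running `base_is_aligned` over every configured sip/smask and dip/dmask pair before deployment catches deny filters that would otherwise look correct in `cur` output while matching nothing.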

/cfg/slb/filt <filter number> /adv

Page 396: 24.0.0 Command Reference

Advanced Filter Configuration

[Filter 1 Advanced Menu]

8021p - 802.1p Advanced Menu

tcp - TCP Advanced Menu

ip - IP Advanced Menu

layer7 - Layer 7 Advanced Menu

proxyadv - Proxy Advanced Menu

redir - Redirection Advanced Menu

security - Security Menu

icmp - Set ICMP message type

cont - Set BW contract

revcont - Set BW contract for the reverse session

tmout - Set NAT or L7 lookup session timeout

idsgrp - Set IDS server group for intrusion detection SLB

idshash - Set hash parameter for intrusion detection SLB

thash - Set hash parameter for Filter

mcvlan - Set MCAST NAT egress VLAN Id

goto - Set GOTO filter ID

reverse - Enable/disable creating session reverse side traffic

cache - Enable/disable caching sessions that match filter

log - Enable/disable logging

mirror - Enable/disable session mirroring

nbind - Enable/disable subnet binding for redirection

cur - Display current advanced filter configuration

Advanced Filter Menu (/cfg/slb/filt/adv)

Command Syntax and Usage

8021p

Displays 8021p Advanced Menu. IEEE 802.1p is the specification for prioritizing the network traffic at the Layer 2 level in your switch. Using this command you can preserve 802.1p bits in all the frames that pass through the switch.

To view menu options, see "/cfg/slb/filt filter number /adv/8021p 802.1p Advanced Menu" (page 398).

Page 397: 24.0.0 Command Reference

tcp

Displays the TCP Flags advanced menu. To view menu options, see "/cfg/slb/filt filter number /adv/tcp Advanced Filter TCP Configuration" (page 399).

ip

Sets IP advanced menu. To view menu options, see "/cfg/slb/filt filter number /adv/ip IP Advanced Menu" (page 400).

layer7

Displays Layer7 advanced menu. To view menu options, see "/cfg/slb/filt filter number /adv/layer7 Layer 7 Advanced Filter Configuration Menu" (page 402).

proxyadv

Displays the Proxy Advanced Menu. To view menu options, see "/cfg/slb/filt/adv/proxyadv Proxy Advanced Menu" (page 404).

redir

Redirects to the advance menu. To view menu options, see

icmp any| <number> | <type; "icmp list" for list>

Sets the ICMP message type. The default is set at any. For a list of ICMP message types, see "ICMP Message Types" (page 401). For a detailed description of filtering and ICMP, see the Nortel Application Switch Operating System 23.1 Application Guide.

cont <BWM Contract (1-1024)>

Sets the Bandwidth Management Contract. By default, the contract number is set at 1024.

revcont <BW Contract (1-1024)>

Sets the Bandwidth Management contract for the reverse traffic session. This command helps you assign a different Bandwidth management contract from the one configured on the ingress filter.

tmout <even number of minutes (4-32768)>

Sets the session timeout in an even number of minutes. The default is set at 4 minutes.

Defines the client proxy IP address.

idsgrp <real server group number (1-1024)> |none

Sets the IDS server group for intrusion detection server load balancing. When filtering is used for IDSLB, each filter added to an IDSLB-enabled port can be assigned a unique IDS real server group.

idshash sip|dip|both

Sets the hash metric parameter for Intrusion Detection System Server Load Balancing: source IP (sip), destination IP (dip), or both.

Page 398: 24.0.0 Command Reference

thash auto|sip|dip|both|sip+sport|dip32

Allows you to choose hash parameter to use for filter redirection. The default is auto. The sip option allows you to perform tunable hash on source IP address for this filter. The option dip allows you to perform tunable hash on destination IP address for this filter. The option both allows you to perform tunable hash on both source IP address and the destination IP address at the same time. The option sip+sport allows you to perform tunable hash on both source IP address and source port at the same time. The option dip32 allows the user to perform tunable hash on 32 bit destination IP address for the filter.

goto <filter ID>

Allows the user to specify a target filter ID that the filter search should jump to when a match occurs. Filter searching will then continue from the designated filter ID. Use this command to specify the new filter to go to. In order to use this feature, the action on this filter must be set to goto.

reverse disable|enable

Enables or disables the creation of a session for traffic coming from the reverse side. This command allows for the creation of a session entry for reverse traffic to avoid inspecting traffic in both directions.

cache disable|enable

Enables or disables caching sessions that match the filter. Exercise caution while applying cache-enabled and cache-disabled filters to the same switch port. A cache-enabled filter creates a session entry in the switch, so that the switch can bypass checking for subsequent frames that match the same criteria. Cache is enabled by default.

Note: Cache should be disabled if applying a filter to virtual server IP address while performing UDP load balancing (see udp disable|enable|stateless).

log disable|enable

Enables or disables generating of syslog messages when a filter is hit. This option is disabled by default.

mirror disable|enable

Enables or disables session mirroring.

cur

Displays the current advanced filter configuration.

/cfg/slb/filt <filter number> /adv/8021p

Page 399: 24.0.0 Command Reference

802.1p Advanced Menu

This feature provides the Nortel Application Switch Operating System the capability to filter IP packets based on the 802.1p bits in the packet’s VLAN header. The 802.1p bits specify the priority that you should give to the packets while forwarding them. The packets with a higher (non-zero) priority bits are given forwarding preference over packets with numerically lower priority bits value.

[802.1p Advanced Menu]
value - Set 802.1p value
match - Enable/disable 802.1p value matching
cur - Display current 802.1p configuration

8021p Advanced Menu Options (/cfg/slb/filt/adv/8021p)

Command Syntax and Usage

value <0-7>

Defines 802.1p value. The value is the priority bits information in the packet structure.

match <disable|enable>

Enables or disables matching of 802.1p value. When the Management Processor needs to reuse the packet to send to the destination, the switch matches the original priority bits information with the priority bits information after the frame processing is complete.

cur

Displays current 802.1p configuration.

/cfg/slb/filt <filter number> /adv/tcp

Advanced Filter TCP Configuration

[TCP Advanced Menu]
urg - Enable/disable TCP URG matching
ack - Enable/disable TCP ACK matching
psh - Enable/disable TCP PSH matching
rst - Enable/disable TCP RST matching
syn - Enable/disable TCP SYN matching
fin - Enable/disable TCP FIN matching
ackrst - Enable/disable TCP ACK or RST matching
cur - Display current TCP configuration

These commands can be used to configure packet filtering for specific TCP flags.

Page 400: 24.0.0 Command Reference

Advanced Filter TCP Menu (/cfg/slb/filt/adv/tcp)

Command Syntax and Usage

urg disable|enable

Enables or disables TCP URG (urgent) flag matching. By default, this option is disabled.

ack disable|enable

Enables or disables TCP ACK (acknowledgement) flag matching. By default, this option is disabled.

psh disable|enable

Enables or disables TCP PSH (push) flag matching. By default, this option is disabled.

rst disable|enable

Enables or disables TCP RST (reset) flag matching. By default, this option is disabled.

syn disable|enable

Enables or disables TCP SYN (synchronize) flag matching. By default, this option is disabled.

fin disable|enable

Enables or disables TCP FIN (finish) flag matching. By default, this option is disabled.

ackrst disable|enable

Enables or disables TCP acknowledgement or reset flag matching. By default, this option is disabled.

cur

Displays the current Access Control List TCP filter configuration.

/cfg/slb/filt <filter number> /adv/ip

IP Advanced Menu

[IP Advanced Menu]
tos - Set IP Type of Service
tmask - Set IP TOS mask
newtos - Set new IP TOS
length - Set IP maximum packet length
option - Enable/disable IP option matching
cur - Display current IP configuration

IP Advanced Menu Options (/cfg/slb/filt/adv/ip)

Command Syntax and Usage

tos <0-255>

Page 401: 24.0.0 Command Reference

Sets IP type of service (ToS) and the value of the type of service. For more information on ToS, refer to RFC 1340 and 1349.

tmask <0-255>

Sets IP type of service mask.

newtos <0-255>

Sets new IP type of service.

length <IP packet length (in bytes), 64-65535> |any

Defines the limit of the IP packet’s length, including the IPv4 or IPv6 IP header. Any packet equal to or exceeding the specified length will not match the filter. This option supports both IPv4 and IPv6 packets.

option <disable|enable>

Enables or disables IP option matching.

cur

Displays the current advanced IP settings for the selected filter.

ICMP Message Types

The following ICMP message types are used with the /cfg/slb/filt/adv/icmp command. You can list all ICMP message types with the /cfg/slb/filt/adv/icmp list command.

ICMP Message Types

Type # Message Type Description

0 echorep ICMP echo reply

3 destun ICMP destination unreachable

4 quench ICMP source quench

5 redir ICMP redirect

8 echoreq ICMP echo request

9 rtradv ICMP router advertisement

10 rtrsol ICMP router solicitation

11 timex ICMP time exceeded

12 param ICMP parameter problem

13 timereq ICMP timestamp request

14 timerep ICMP timestamp reply

15 inforeq ICMP information request

16 inforep ICMP information reply

17 maskreq ICMP address mask request

18 maskrep ICMP address mask reply

Page 402: 24.0.0 Command Reference

/cfg/slb/filt <filter number> /adv/layer7

Layer 7 Advanced Filter Configuration Menu

[Layer 7 Advanced Menu]
sip - Layer 7 SIP Menu
urlcont - Set BW cont of an URL path specific to this filter
addrd - Add HTTP redirection mapping
remrd - Remove HTTP redirection mapping
addstr - Add string for layer 7 filtering
remstr - Remove string for layer 7 filtering
rdsnp - Enable/disable WAP RADIUS Snooping
rdswap - Enable/disable RADIUS/WAP Persistence
ftpa - Enable/disable active FTP NAT
l7lkup - Enable/disable layer 7 content lookup
parseall - Enable/disable layer 7 lookup (parsing) of all packets
cur - Display current layer 7 configuration

Layer 7 Advanced Filter Menu Options (/cfg/slb/filt/adv/layer7)

Command Syntax and Usage

sip

Go to the Layer 7 SIP menu. To view the menu options, see "/cfg/slb/filt num /adv/layer7/sip Layer 7 SIP Menu" (page 404).

urlcont <URL path ID BW contract>

Sets the URL path BW contract for this filter. Only use this command when a string is shared by multiple filters and each filter requires a separate bandwidth.

addrd [1>2]

Adds an HTTP redirection mapping. Strings are defined under: /cfg/slb/layer7/slb/add.

This command tells the filter that if it matches on the first string ID, then send an HTTP redirection message back to the client that contains information in the second string ID.

remrd <string id to redirect from (1-1024) string id to redirect to (2-1024)>

Removes an HTTP redirection mapping that was added using the addrd command described above.

addstr <string id (1-1024)>

Adds the string ID to this filter for L7 filtering. The string is defined under: /cfg/slb/layer7/slb/add.

remstr <string id (1-1024)>

Page 403: 24.0.0 Command Reference

Removes the string ID for Layer 7 filtering. The string is defined under: /cfg/slb/layer7/slb/add.

rdsnp <disable|enable>

Enables or disables WAP RADIUS snooping on this filter.

Radius snooping allows the Nortel Application Switch Operating System to examine RADIUS accounting packets for client information. This information is needed to add to or delete static session entries in the switch’s session table so that it can perform the required persistency for load balancing. For more details, refer to the Application Guide.

rdswap enable|disable

Enables or disables WAP RADIUS persistence on this filter. This feature allows for RADIUS and WAP persistence by binding both (RADIUS accounting and WAP) sessions to the same server.

A WAP client is first authenticated by the RADIUS server on UDP port 1812. The server replies with a Radius Accept or Reject frame. The switch forwards this reply to the RAS. After the RAS receives the Radius accept packet, it sends a RADIUS accounting start packet on UDP port 1813 to the bound server. The application switch snoops on the RADIUS accounting start packet for the "framed IP address" attribute. The "framed IP address" attribute is used to rebind the RADIUS accounting session to a new server. For more details, refer to the Application Guide.

ftpa disable|enable

Enables or disables active FTP Client Network Address Translation (NAT). When a client in active FTP mode sends a PORT command to a remote FTP server, the switch will look into the data part of the frame and replace the client’s private IP address with a proxy IP (PIP) address. The real server port (RPORT) will be replaced with a proxy port (PPORT), that is PIP:PPORT. By default, this option is disabled.

l7lkup disable|enable

Enables or disables layer 7 lookup on this filter. This command replaces the urlp and l7deny commands found in earlier releases of Nortel Application Switch Operating System. When enabled, the filter performs a lookup on layer 7 content such as HTTP strings or headers. When combined with a filter action (for example, deny, redir), this feature enables content-intelligent redirection or content-intelligent deny filtering.

parseall disable|enable

Page 404: 24.0.0 Command Reference

Enables or disables parsing of all packets in a session where layer 7 lookup is being performed. This command is enabled by default, and normally all data packets in a session are examined by the filter.

However, some sessions may contain only one packet containing the layer 7 content. Once this packet is found, subsequent packets can be ignored. When parseall is disabled, layer 7 lookup is turned off for the remaining packets in the session.

cur

Displays the current advanced Layer 7 configuration of the filter including the Radius/Wap persistence settings.

/cfg/slb/filt <num> /adv/layer7/sip

Layer 7 SIP Menu

[Layer 7 SIP Menu]
rtpcont - Set BW contract for the SIP RTP sessions
sipp - Enable/disable SIP parsing
cur - Display current SIP configuration

Layer 7 SIP Menu Options (/cfg/slb/filt/adv/layer7/sip)

Command Syntax and Usage

rtpcont <BW contract>

Set BW contract for the SIP RTP sessions.

sipp <enable|disable>

Enable or disable SIP parsing.

cur

Displays the current advanced SIP configuration.

/cfg/slb/filt/adv/proxyadv

Proxy Advanced Menu

[Proxy Advanced Menu]
proxyip - Set client proxy IP address
epip - Enable/disable pip selection based egress port/vlan
proxy - Enable/disable client proxy
cur - Display current proxy configuration

Page 405: 24.0.0 Command Reference

Proxy Advanced Menu Options

Command Syntax and Usage

proxyip <IP_address>

Set the client proxy IP_address.

epip <enable|disable>

Enable or disable PIP selection based on the outgoing port or VLAN.

proxy <enable|disable>

Enable or disable client proxy.

cur

Shows all Proxy statistics.


/cfg/slb/filt <filter number> /adv/redir

Redirection Advanced Menu

[Redirection Advance Menu]
fwlb - Enable/disable firewall redirect hash method
linklb - Enable/disable WAN link load balancing
vpnflood - Enable/disable two way VPN load balancing
dbind - Enable/disable delayed binding for redirection
pbind - Enable/disable persistent binding for redirection
cur - Display current redirection configuration

/cfg/slb/filt <filter number> /adv/security

Page 406: 24.0.0 Command Reference

SLB Filter Advanced Security Menu

Layer 7 Advanced Filter Menu Options (/cfg/slb/filt/adv/security)

Command Syntax and Usage

ratelim

Displays the Rate Limiting Menu. The protocol-based rate limiting limits the traffic coming from specific clients based on the IP address of the client. This feature enables the switch to detect and block UDP or ICMP-based DOS attacks that slow down or incapacitate the servers. Currently, the switch allows rate limiting to be enabled on TCP, UDP, and ICMP protocols. To view menu options see "/cfg/slb/filt filter number /adv/security/ratelim Advanced Security Rate Limiting Configuration Me" (page 407).

addgrp <pattern match group id>

Adds a pattern group to this filter. Pattern groups are added using the /cfg/security/pgroup/add command.

remgrp <pattern match group id>

Removes a pattern group from this filter.

pmatch <disable|enable>

Enables or disables pattern matching on this filter.

matchall <disable|enable>

Enables or disables matching of all configured patterns before the filtercan perform the deny action.

parsechn <enable|disable>

Enable/disable chained pgroup match criteria for l7 filtering.

parseall <disable|enable>

Enables or disables pattern string lookup (parsing) of all packets in asession where pattern matching is being performed. This commandis enabled by default, and normally all data packets in a session areexamined by the filter.

However, some sessions may contain only one packet containing thelayer 7 content. Once this packet is found, subsequent packets can beignored. When parseall is disabled, pattern matching is turned off forthe remaining packets in the session.

Page 407: 24.0.0 Command Reference

cur

Displays the current configuration.

/cfg/slb/filt <filter number>/adv/security/ratelim Advanced Security Rate Limiting Configuration Menu

[Rate Limiting Menu]
    maxconn - Set maximum connections for rate limiting
    timewin - Set time window for rate limiting
    holddur - Set hold down duration for rate limiting
    ena     - Enable TCP, UDP, or ICMP rate limiting
    dis     - Disable TCP, UDP, or ICMP rate limiting
    cur     - Display current rate limiting configuration

Rate Limiting Advanced Menu Options (/cfg/slb/filt/adv/security/ratelim)

Command Syntax and Usage

maxconn <# of connections in units of 10 (0-255)>

Defines maximum connections for rate limiting.

timewin <seconds, 1-65535>

Defines time window for rate limiting. A time window is a configured period of time (in seconds) during which packets are allowed to be received. The time window can be configured per filter and not globally on all the filters.

holddur <minutes, 2-65535>

Defines hold down duration for rate limiting. When the number of new connections or packets exceeds the configured limit, any new TCP connection requests or UDP/ICMP packets from the client are blocked. When blocking occurs, the client is said to be held down. The client is held down for a specified number of minutes, after which new TCP connection requests or packets from the client are allowed once again to pass through. The hold-down duration can be configured per filter and not globally on all the filters.

ena

Enables the protocol for rate limiting. Rate limiting is applied to the protocol configured on the filter. The supported protocols are: TCP, UDP, and ICMP.

dis

Disables TCP, UDP, or ICMP rate limiting.

cur

Displays the current rate limiting configuration.
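
The maxconn, timewin and holddur options interact, so it helps to replay traffic through a model before choosing values. The following Python model is an added example, not Nortel code: it assumes a per-client window that starts at the client's first packet and resets once timewin seconds have passed (the page does not specify the windowing), and all class, function and address names are hypothetical.

```python
# Added example: a simplified model of the maxconn / timewin / holddur
# behaviour described above. It is not the switch's implementation.
from dataclasses import dataclass, field


@dataclass
class RateLimitFilter:
    maxconn: int  # units of 10 connections or packets, 0-255 (range from the page)
    timewin: int  # time window in seconds, 1-65535
    holddur: int  # hold-down duration in minutes, 2-65535
    clients: dict = field(default_factory=dict, init=False, repr=False)

    def __post_init__(self):
        if not 0 <= self.maxconn <= 255:
            raise ValueError("maxconn must be 0-255 (units of 10)")
        if not 1 <= self.timewin <= 65535:
            raise ValueError("timewin must be 1-65535 seconds")
        if not 2 <= self.holddur <= 65535:
            raise ValueError("holddur must be 2-65535 minutes")

    @property
    def limit(self):
        # maxconn is entered in units of 10, so maxconn 2 means 20 per window.
        # The page does not say what maxconn 0 means; this model applies limit 0.
        return self.maxconn * 10

    def allow(self, client_ip, now):
        """Return True if a new connection or packet seen at `now` (seconds) passes."""
        st = self.clients.setdefault(
            client_ip, {"win_start": now, "count": 0, "held_until": None})
        if st["held_until"] is not None:
            if now < st["held_until"]:
                return False  # client is held down
            st.update(win_start=now, count=0, held_until=None)  # hold-down over
        if now - st["win_start"] >= self.timewin:
            # Assumption: the window opens at the first packet and resets here.
            st.update(win_start=now, count=0)
        st["count"] += 1
        if st["count"] > self.limit:
            st["held_until"] = now + self.holddur * 60  # minutes to seconds
            return False
        return True


def constructed_traffic():
    """Constructed sample: (time in seconds, client IP), documentation addresses."""
    events = []
    for t in range(10):
        events += [(t, "198.51.100.7")] * 5   # noisy client: 5 per second
        events.append((t, "192.0.2.10"))      # ordinary client: 1 per second
    events.append((60, "198.51.100.7"))       # still inside the 2-minute hold-down
    events.append((130, "198.51.100.7"))      # after the hold-down has expired
    return events


def replay(filt, events):
    """Feed events through the filter; return per-client allowed/blocked counts."""
    result = {}
    for now, ip in sorted(events):
        counts = result.setdefault(ip, {"allowed": 0, "blocked": 0})
        counts["allowed" if filt.allow(ip, now) else "blocked"] += 1
    return result


if __name__ == "__main__":
    filt = RateLimitFilter(maxconn=2, timewin=10, holddur=2)
    for ip, counts in replay(filt, constructed_traffic()).items():
        print(ip, counts)
```

In this model the noisy client is blocked from its 21st packet onward and stays blocked at t=60 even though the 10-second window has long passed, because the hold-down, not the window, decides when it is let through again.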

Page 408: 24.0.0 Command Reference

/cfg/slb/port <port number> Port SLB Configuration

[SLB port 1 Menu]
    client   - Enable/disable client processing
    server   - Enable/disable server processing
    rts      - Enable/disable RTS processing
    hotstan  - Enable/disable hot-standby processing
    intersw  - Enable/disable inter-switch processing
    proxy    - Enable/disable use of PIP for ingress traffic
    filt     - Enable/disable filtering
    add      - Add filter to port
    rem      - Remove filter from port
    idslb    - Enable/disable intrusion detection server load balancing
    symantec - Enable/disable symantec processing
    cur      - Display current port configuration

Nortel Application Switch Operating System switch software allows you to enable or disable processing independently for each type of Layer 4 traffic (client and server) on a per port basis, expanding your topology options.

Note: When changing the filters on a given port, it may take some time before the port session information is updated so that the filter changes take effect. To make port filter changes take effect immediately, clear the session binding table for the port (see the clear command in "Server Load Balancing Operations Menu Options (/oper/slb)" (page 446)).

Port Configuration Menu Options (/cfg/slb/port)

Command Syntax and Usage

client disable|enable

For Server Load Balancing, the port can be enabled or disabled to process client Layer 4 traffic. Ports configured to process client request traffic bind servers to clients and provide address translation from the virtual server IP address to the real server IP address, re-mapping virtual server IP addresses and port values to real server IP addresses and ports. Traffic not associated with virtual servers is switched normally. Maximizing the number of these ports on the Layer 4 switch will improve the switch’s potential for effective Server Load Balancing. This option is disabled by default.

server disable|enable

Page 409: 24.0.0 Command Reference

Ports configured to provide real server responses to client requests require real servers to be connected to the Layer 4 switch, directly or through a hub, router, or another switch. When server processing is enabled, the switch port re-maps real server IP addresses and Layer 4 port values to virtual server IP addresses and Layer 4 ports. Traffic not associated with virtual servers is switched normally. This option is disabled by default.

rts disable|enable

Enables or disables Return to Sender (RTS) load balancing on this port. This option is used for firewall load balancing or VPN load balancing applications. Enable rts on all client-side ports to ensure that traffic ingresses and egresses through the same port. This option is disabled by default.

For more information on using rts, see the "Firewall Load Balancing" and "VPN Load Balancing" chapters in the Nortel Application Switch Operating System 23.1 Application Guide.

hotstan disable|enable

Enables or disables hot-standby processing. Use this option and the intersw option in conjunction with VRRP hot-standby failover. This option is disabled by default.

intersw disable|enable

Enables or disables inter-switch processing. This option is enabled for ports connected to a peer switch and is disabled by default.

proxy disable|enable

Enables or disables a proxy for traffic that ingresses this port. When the PIP is defined, client address information in Layer 4 requests is replaced with this proxy IP address.

In Server Load Balancing applications, this forces response traffic to return through the switch, rather than around it, as is possible in complex routing environments.

Proxies are also useful for Application Redirection and Network Address Translation (NAT). When pip is used with Application Redirection filters, each filter’s rport parameter must also be defined (see rport on "Filter Configuration Menu Options (/cfg/slb/filt)" (page 391)). This option is disabled by default.

filt disable|enable

Page 410: 24.0.0 Command Reference

Enables or disables filtering on this port. Enabling the filter sets up the Real Server to look into the VPN session table. This option is disabled by default.

add <filter ID (1 to 2048)|block of IDs (first-last)>

Adds a filter or a block of filters for use on this port. Enter filter ID (1 to 2048) or a contiguous block of filter IDs. For example, 1-100.

rem <filter ID (1 to 2048)|block of IDs (first-last)>

Removes a filter or a block of filters from use on this port. Enter filter ID (1 to 2048) or a contiguous block of filter IDs. For example, 1-100.

idslb <disable|enable>

Enables or disables Intrusion Detection System Server Load Balancing on this port. In Nortel Application Switch Operating System 23.1, IDSLB is done at the end of filter processing or at the end of client processing where filtering is not enabled. In the case of client processing, IDSLB is enabled on a port and a real server group is designated for IDSLB. This option is disabled by default.

symantec <disable|enable>

Enables or disables Symantec processing for troubleshooting purposes.

cur

Displays the current system parameters.

/cfg/slb/gslb Global SLB Configuration

Global Server Load Balancing (GSLB) at any given site performs periodic SLB health checks to determine the health and response time of the remote real server corresponding to the virtual server at the remote site. GSLB uses the health and response time to select the server in the GSLB selection engine. In addition, GSLB sends the health and response time together with the local session and CPU utilization information that are collectively known as remote site updates. The switch performs this periodically on every remote site using Distributed Site State Protocol (DSSP). DSSP is a proprietary protocol that resides above TCP.

For more information, refer to the Application Guide.

Page 411: 24.0.0 Command Reference

Global SLB Menu Options (/cfg/slb/gslb)

Command Syntax and Usage

site <remote site (1-64)>

Displays the menu for a remote site. To view menu options, see "/cfg/slb/gslb/site site number GSLB Remote Site Configuration" (page 413).

network <network (1-128)>

Displays Network Preference Menu. To view menu options, see "/cfg/slb/gslb/network network number GSLB Network Preference Configuration Menu" (page 415).

rule <rule (1-128)>

Displays the Rule Menu. To view menu options, see "/cfg/slb/gslb/rule GSLB Rule Configuration Menu" (page 416).

version <DSSP version 1, 2, or 3>

Defines the version of Distributed Site State Protocol (DSSP) that is used to send out the remote site updates.

port <TCP port number>

Sets the TCP port number for remote site updates for Global server load balancing. The default TCP port is 80.

sinter <remote site updates interval in seconds, 10-7200>

Sets the time interval in seconds for remote site updates. The range is between 10 and 7200 seconds.

sesscap <Session utilization capacity threshold (1-100)>

Sets the threshold for session utilization capacity. The default configuration is 90%.

cpucap <CPU utilization capacity threshold (1-100)>

Page 412: 24.0.0 Command Reference

Sets the threshold for the CPU utilization capacity. The default configuration is 90%.

Sets the source IP netmask for DNS persistence cache. The default configuration is 255.255.255.0.

Enables or disables switch responses to DNS queries with local virtual server IP addresses. This option is disabled by default. When enabled, the switch will always respond to DNS queries by providing a local virtual server IP address, as long as the virtual server IP address has healthy real servers with an aggregate number of available connections equal to the total from each server’s configured maxcons value, minus the server’s current number of connections. When the real servers for the local virtual server IP addresses are unavailable or saturated, the switch will respond to DNS requests using normal GSLB rules. The default is 60 minutes.

smask set IP4 subnet mask (eg, 255.255.255.0) OR

smask set IP6 prefix len (eg, 64)

Set source IP subnet mask for DNS persistence cache.

timeout <timeout in minutes, 1-1440>

Set timeout in minutes for DNS persistence cache.

mincon <available sessions threshold, 0-65535>

Defines the capacity threshold for the sessions available on the real server for GSLB.

dns <disable|enable>

Enables or disables DNS direct-based GSLB. This option is enabled by default.

hostlk <disable|enable>

Enables or disables lookups based on host or domain name in a GSLB configuration. When enabled, the hostname specified in the Virtual Service configuration, in addition to the domain name, will be used to resolve the IP address for the domain. When disabled, only the domain name will be used to match.

http <disable|enable>

Enables or disables HTTP redirects to peer sites by this switch. When enabled (default), this switch will redirect client requests to peer sites if its own real servers fail or have reached their maximum connection limits. If disabled, the switch will not perform HTTP Redirects, but will instead drop requests for new connections and cause the client’s browser to eventually issue a new DNS request.

usern <disable|enable>

Page 413: 24.0.0 Command Reference

Enables or disables an HTTP redirect to a real server name. When a site redirects a client to another site using an HTTP redirect, the client is redirected to the new site’s IP address. This option is disabled by default. If usern is enabled, the client will be redirected to the domain name specified by the remote real server name plus virtual server domain name: <remote real server name virtual server domain name>

norem

This command enables or disables no-remote real server load balancing. If enabled, the switch will not do remote real server load balancing for non-http protocols. For HTTP protocols, if you want to do no-remote-real-server load balancing, you need to disable the http parameter in the same menu.

encrypt

This command enables or disables encrypting of DSSP updates. If disabled, the switch will not encrypt the DSSP messages going out of the switch. This option allows the GSLB feature to work with older versions of Web OS that do not encrypt DSSP messages.

on

Activates Global Server Load Balancing (GSLB) for this switch. This option can be performed only once the optional GSLB software is activated (refer to "/oper/swkey Activating Optional Software" (page 452)).

off

Turns GSLB off for this switch. Any active remote sites will still perform GSLB services with each other, but will not hand off requests to this switch. By default, GSLB is turned off.

cur

Displays the current Global SLB configuration.

/cfg/slb/gslb/site <site number> GSLB Remote Site Configuration

The switch initiates a global server selection to direct client traffic to the best server for a given domain. Each domain has one or more sites. Each site has a virtual server for the domain. Each virtual server has a number of virtual services. Each virtual service has a group of real servers. Each virtual server has a domain name. Each virtual service has a host name. The combination of a virtual server and a virtual service is called a domain.

At a local site for a domain, there is a local virtual server but no remote virtual server. The local virtual server has a number of local virtual services. Each local virtual service has a group of local or remote real servers. The remote real servers are the virtual servers at the remote sites.

Page 414: 24.0.0 Command Reference

[Remote site 1 Menu]
    prima  - Set primary switch IP address of remote site
    secon  - Set secondary switch IP address of remote site
    name   - Set remote site name
    update - Enable/disable remote site updates
    ena    - Enable remote site
    dis    - Disable remote site
    del    - Delete remote site
    cur    - Display current remote site configuration

Up to 64 remote sites can be configured.

GSLB Remote Site Menu Options (/cfg/slb/gslb/site)

Command Syntax and Usage

prima <server IP address>

Defines the IP interface IP address of the primary switch at the remote site used for Global Server Load Balancing. Use dotted decimal notation.

secon <server IP address>

If the remote site is configured with a redundant switch, enter the IP address of the IP interface for the remote secondary switch here. If the remote site primary switch fails, the local switch will address the remote site secondary switch instead.

name <31 character name>|none

Sets the name of the remote site. The default is set at none.

update disable|enable

Enables or disables remote site updates. If enabled (default), this switch will send regular Distributed Site State Protocol (DSSP) updates to its remote peers using HTTP port 80. If disabled, the switch will not send state updates. If your local firewall does not permit this traffic, disable the updates.

Note: When update is enabled, Global Server Load Balancing uses service port 80 on the IP interface for DSSP updates. By default, the Nortel Application Switch Operating System Web-based interface also uses port 80. Both services cannot use the same port. If both are enabled, configure the Nortel Application Switch Operating System Browser-Based Interface (BBI) to use a different service port (see the /cfg/sys/access/wport option "/cfg/sys/access System Access Control Configuration" (page 245)).

Page 415: 24.0.0 Command Reference

Enables or disables remote site persistence cache. GSLB allows the user to add only up to two selected servers to the cache for each source IP address. GSLB can forward the same information to other remote sites to be added to the cache. GSLB deletes the cached entries when they time out. The cached entries are automatically deleted from the remote sites when they time out.

ena

Enables this remote site for use with Global Server Load Balancing.

dis

Disables this remote site. The switch will no longer use this remote site for Global Server Load Balancing.

del

Removes this remote site from operation and deletes its configuration.

cur

Displays the current remote site configuration.

/cfg/slb/gslb/network <network number> GSLB Network Preference Configuration Menu

Network preference selects a server based on the preferred network of the source IP address for a given domain. The preferred network contains a subset of the servers for the domain.

Up to 128 network preference numbers can be set.

[Network 1 Menu]
    sip     - Set source IP address
    mask    - Set source IP and network netmask
    addvirt - Add virtual server to network
    remvirt - Remove virtual server from network
    addreal - Add remote real server to network
    remreal - Remove remote real server from network
    ena     - Enable network
    dis     - Disable network
    del     - Delete network
    cur     - Display current network configuration

GSLB Network Menu Options (/cfg/slb/gslb/network)

Command Syntax and Usage

sip <IP address>

Defines the source (client) IP address. Specify an IP address in dotted decimal notation. A range of IP addresses is produced when used with the mask option.

Page 416: 24.0.0 Command Reference

mask <IP subnet mask (such as, 255.255.255.0)>

This IP address mask is used with the source IP (SIP) address to find a correct virtual server IP address to respond to a DNS request.

addvirt <virtual server number (1-1024)>

Adds a virtual server to the network. No virtual server is added by default.

remvirt <virtual server number (1-1024)>

Removes a virtual server from the network.

addreal <real server number (1-1023)>

Adds a real server to the network.

remreal <real server number (1-1023)>

Removes a real server from the network.

ena

Enables the network.

dis

Disables the network.

del

Deletes the network entry.

cur

Displays the current Internet network entry configuration.

/cfg/slb/gslb/rule GSLB Rule Configuration Menu

Rules allow the GSLB selection to use different metric preferences based on time-of-day. You can configure one or more rules on each domain. Each rule has a metric preference list. The GSLB selection selects the first rule that matches the domain and starts with the first metric in the metric preference list of the rule.

[Rule 1 Menu]
    metric - Metric Menu
    start  - Set start time for rule
    end    - Set end time for rule
    ttl    - Set Time To Live in seconds of DNS resource records
    rr     - Set DNS resource records in DNS response
    dname  - Set network preference domain name for rule
    ena    - Enable rule
    dis    - Disable rule
    del    - Delete rule
    cur    - Display current rule configuration

Page 417: 24.0.0 Command Reference

GSLB Rule Configuration Menu Options (/cfg/slb/gslb/rule)

Command Syntax and Usage

metric <metric (1-16)>

Displays Metric Preference Menu. To view menu options, see "/cfg/slb/gslb/rule/metric Global SLB Rule Metric Menu" (page 417).

start <hour (0-23) minutes (0-59)>

Defines the start time for the rule. The default is zero.

end <hour (0-23) minutes (0-59)>

Defines the end time for the rule. The default is zero.

ttl <time to live in seconds (0-65535)>

Specifies the duration (from 0 to 65535 seconds, with default at 60) that the DNS response from the switch (indicating site of best service) will remain in the cache of DNS servers. A lower value may increase the ability of the GSLB system to adjust to sudden changes in traffic load, but will generate more DNS traffic. Higher numbers may reduce the amount of DNS traffic, but may slow GSLB’s response to sudden traffic changes.

rr <rr (1-10)>

Sets how many DNS resource records will be returned in the DNS response. The default is 2 records.

dname <34 character (wildcard "*" allowed) domain name>|none

Defines the domain name for the rule for network preference. The maximum length for the domain name can be 34 characters. You can use wildcard "*" while creating the domain name. Default is none.

ena

Enables the rule.

dis

Disables the rule.

del

Deletes the rule.

cur

Displays the current rule configuration.

/cfg/slb/gslb/rule/metric

Page 418: 24.0.0 Command Reference

Global SLB Rule Metric Menu

[Rule 1 Metric 1 Menu]
    gmetric - Set metric to use to select next server
    addnet  - Add network to gmetric=network
    remnet  - Remove network from gmetric=network
    cur     - Display current metric configuration

Global SLB Rule Metric Menu Options (/cfg/slb/gslb/rule/metric)

Command Syntax and Usage

gmetric leastconns|roundrobin|response|geographical|network|random|availability|qos|minmisses|hash|local|always|remote|none

Defines the metric to select the next real server for GSLB. The default is none.

addnet

Allows you to add a network to the selected metric. This command applies only if you select network as the metric.

remnet <1-128>

Allows you to delete a network that was added to the selected metric.

cur

Displays the current configuration of the metric.

/cfg/slb/layer7 Layer 7 SLB Resource Definition Menu

[Layer 7 Resource Definition Menu]
    redir   - Web Cache Redirection Menu
    slb     - Server Load Balancing Menu
    sdp     - SIP SDP Menu
    dbindtm - Set timeout for incomplete delayed binding connections
    cur     - Display current Layer 7 configuration

Layer 7 Resource Definition Menu Options (/cfg/slb/layer7)

Command Syntax and Usage

redir

Displays the Web Cache Redirection Menu. To view menu options, see "/cfg/slb/layer7/redir Web Cache Redirection Configuration" (page 419).

slb

Page 419: 24.0.0 Command Reference

Displays the Server Load Balancing Menu. To view menu options, see "/cfg/slb/layer7/slb Server Load Balance Resource Configuration Menu" (page 421).

sdp

Displays the SIP SDP Menu. To view menu options, see "/cfg/slb/layer7/sdp SDP Mapping Menu" (page 422).

dbindtm <10-60 seconds>

Sets the timeout for incomplete delayed binding connections.

cur

Displays the current Layer 7 configuration.

/cfg/slb/layer7/redir Web Cache Redirection Configuration

Web Cache Redirection Menu Options (/cfg/slb/layer7/redir)

Command Syntax and Usage

urlal disable|enable

Enables or disables auto-ALLOW for non-GETs to origin servers.

• If this command is enabled, the switch will redirect all non-GET requests to the origin server.

• If this command is disabled, the switch will compare the URI against the expression table to determine whether all non-GET requests should be redirected to a cache server or origin server.

This option is enabled by default.

cookie disable|enable

Page 420: 24.0.0 Command Reference

Enables or disables auto-ALLOW for cookie to origin servers.

• If this command is enabled, the switch will redirect all requests that contain Cookie: in the HTTP header to the origin server.

• If this command is disabled, the switch will compare the URI against the expression table to determine whether it should redirect all requests that contain Cookie: in the HTTP header to a cache server or origin server.

This option is disabled by default.

nocache disable|enable

Enables or disables no-cache control header to origin servers.

• If this command is enabled, the switch will redirect all requests that contain Cache-Control: no-cache in HTTP/1.1 header, or Pragma: no-cache in HTTP/1.0 header to the origin server.

• If this command is disabled, the switch will compare the URI against the expression table to determine whether it should redirect requests that contain Cache-Control: no-cache in HTTP/1.1 header, or Pragma: no-cache in HTTP/1.0 header to a cache server or origin server.

This option is enabled by default.

hash disable|enable <number (1-255)>

Enables or disables URL hashing based on the URI.

• If hashing is enabled, you can set the length of URI that will be used to hash into the cache server by specifying a number from 1-255.

• If hashing is disabled, the switch will only use the host header field to calculate the hash key.

This option is disabled by default.

header disable|enable host|useragent|others

Enables or disables server load balancing based on HTTP header. This option is disabled by default.

cur

Displays the current URL expression table.
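
The urlal, cookie and nocache options each decide whether a request bypasses the cache, and their defaults differ, so it is worth checking which requests remain eligible for a cache server. The following Python model is an added example, not Nortel code: the check order, the names and the sample requests are assumptions, and it reads the no-cache rule literally (Cache-Control for HTTP/1.1, Pragma for HTTP/1.0).

```python
# Added example: a model of the origin-versus-expression-table decision that
# the urlal, cookie and nocache options describe. Not the switch's own code.
from dataclasses import dataclass


@dataclass
class RedirOptions:
    urlal: bool = True     # enabled by default (per the page)
    cookie: bool = False   # disabled by default
    nocache: bool = True   # enabled by default


def parse_request(raw):
    """Parse the request line and headers of a raw HTTP request (bytes)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, uri, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, uri, version, headers


def asks_no_cache(version, headers):
    """Literal reading of the page; Pragma on an HTTP/1.1 request is not covered."""
    if version == "HTTP/1.1":
        directives = [d.strip().lower()
                      for value in headers.get("cache-control", [])
                      for d in value.split(",")]
        return "no-cache" in directives
    if version == "HTTP/1.0":
        return any(v.lower() == "no-cache" for v in headers.get("pragma", []))
    return False


def decide(raw, opts):
    """Return (destination, reason); destination is 'origin' or 'expression-table'."""
    method, _uri, version, headers = parse_request(raw)
    # Assumed order; every match sends the request to the origin server.
    if opts.urlal and method != "GET":
        return "origin", "urlal: non-GET request"
    if opts.cookie and "cookie" in headers:
        return "origin", "cookie: request carries a Cookie header"
    if opts.nocache and asks_no_cache(version, headers):
        return "origin", "nocache: client asked for no-cache"
    return "expression-table", "URI is compared against the expression table"


# Constructed sample requests (hypothetical host and paths).
GET_WITH_COOKIE = (b"GET /account HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"Cookie: session=abc123\r\n\r\n")
POST_FORM = (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
             b"Content-Length: 0\r\n\r\n")
GET_NO_CACHE = (b"GET /news HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Cache-Control: max-age=0, no-cache\r\n\r\n")
GET_PRAGMA_10 = b"GET /news HTTP/1.0\r\nPragma: no-cache\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("cookie GET", GET_WITH_COOKIE), ("POST", POST_FORM),
                      ("no-cache GET", GET_NO_CACHE),
                      ("HTTP/1.0 Pragma", GET_PRAGMA_10)]:
        print(name, "defaults ->", decide(req, RedirOptions()))
    print("cookie GET, cookie enabled ->",
          decide(GET_WITH_COOKIE, RedirOptions(cookie=True)))
```

With the documented defaults, the GET that carries a Cookie header is still compared against the expression table; it is only forced to the origin server once cookie is enabled.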

Page 421: 24.0.0 Command Reference

/cfg/slb/layer7/slb Server Load Balance Resource Configuration Menu

[Server Loadbalance Resource Menu]
    message - Set HTTP error message
    addstr  - Add SLB string for load balance
    remstr  - Remove SLB string for load balance
    rename  - Rename SLB string for load balance
    addmeth - Add HTTP method type
    remmeth - Remove HTTP method type
    case    - Enable/disable case sensitive for string matching
    cont    - Set BW contract for the SLB string
    cur     - Display current configuration

Server Load Balance Resource Menu Options (/cfg/slb/layer7/slb)

Command Syntax and Usage

message <64 byte error message>

Sets the message that will be displayed when an error occurs. The default message is "No available server to handle this request."

addstr <l7lkup|pattern>

Allows the user to define a string that can be used for server load balancing or filtering by selecting either a Layer 7 look up string or a pattern match.

If you choose l7lkup string, you can define a string for server load balancing or a string for Layer 7 lookup.

If you choose pattern string, you will have the option to choose between ascii or binary strings on a specific offset of the IP frame. These strings will only be used for filtering string pattern matching.

remstr <SLB string ID>

Removes this SLB string from the real server.

rename <SLB string ID SLB string>

Renames the SLB string for load balancing.

addmeth <Method, 1-32>

Page 422: 24.0.0 Command Reference

Allows you to add HTTP request methods of maximum 32 characters to your switch software. HTTP allows an open-ended set of methods to be used to indicate the purpose of a request. Nortel Application Switch Operating System 24.0 supports 22 request methods by default. The methods GET and HEAD must be supported by all general-purpose servers. All other methods are optional.

You can see a list of supported default methods by using the command cur in this menu.

A method is case-sensitive.

The software supports both HTTP 1.0 and HTTP 1.1 to perform HTTP request methods.

remmeth <Method ID>

Allows you to remove HTTP methods from your switch software.

case disable|enable

Enables or disables case sensitivity for string matching. Using this command you can do either case sensitive or case insensitive string comparison. If you disable case sensitive, all load balancing strings and all the request strings arriving on the switch will have to be converted to lower case before doing any string comparison.

cont <SLB string ID [1-1024]> <BW contract number [1-1024]>

Sets the Bandwidth Management contract for a specified string for the SLB string ID.

cur

Displays the currently configured SLB strings and their associated string IDs (index numbers) and the supported HTTP request methods.

/cfg/slb/layer7/sdp SDP Mapping Menu

[SDP Mapping Menu]
    add - Add SDP mapping
    rem - Remove SDP mapping
    cur - Display current SDP mapping configuration

SDP Mapping Menu Options

Command Syntax and Usage

add private IP public IP

Add SDP mapping.

Page 423: 24.0.0 Command Reference

rem private IP

Remove SDP mapping.

cur

Display current SDP mapping configuration.

/cfg/slb/wap WAP Configuration

[WAP Options Menu]
    tpcp  - Enable/disable WAP TPCP external notification
    debug - WAP debug level
    cur   - Display current WAP configuration

WAP Configuration Menu Options (/cfg/slb/wap)

Command Syntax and Usage

tpcp disable|enable

Enables or disables the TPCP external notification for Add/Delete session requests. This option is disabled by default.

debug <wap debug level (0-10)>

Sets the debug level for tracing the WAP related messages. The default is set at 0.

cur

Displays the current WAP configuration.

/cfg/slb/sync Synchronize Peer Switch Configuration

[Config Synchronization Menu]
    peer     - Synch Peer Switch Menu
    filt     - Enable/disable syncing filter configuration
    ports    - Enable/disable syncing port configuration
    prios    - Enable/disable syncing VRRP priorities
    pips     - Enable/disable syncing proxy IP addresses
    peerpips - Enable/disable syncing peer proxy IP addresses
    bwm      - Enable/disable syncing BWM configuration
    state    - Enable/disable syncing persistent session state
    update   - Set stateful failover update period
    cur      - Display current Layer 4 sync configuration

To synchronize the configuration between two switches, a peer must be configured and enabled on each switch. Switches being synchronized must use the same administrator password. Peers are sent SLB, FILT, and VRRP configuration updates using /oper/slb/synch.

Note: Sessions created in 33-64 auxiliary table are not synced to backup.

Synchronization Menu Options (/cfg/slb/sync)

Command Syntax and Usage

peer <peer switch number (1-2)>

Displays the Sync Peer Switch Menu. This option is enabled by default. To view menu options, see "/cfg/slb/sync/peer <peer switch number> Peer Switch Configuration" (page 425).

filt disable|enable

Enables or disables synchronizing filter configuration. This option is disabled by default.

ports disable|enable

Enables or disables synchronizing Layer 4 port configuration. This option is enabled by default.

prios disable|enable

Enables or disables syncing VRRP priorities. This option is enabled by default.

pips disable|enable

Enables or disables synchronizing proxy IP addresses. This option is disabled by default.

peerpips disable|enable

Enables or disables synchronizing the peer proxy IP addresses. Peer proxy IP addresses are used in VRRP Active/Active configuration. This option is disabled by default.

bwm disable|enable

Enables or disables synchronizing Bandwidth Management configuration between Master and backup switches. This option is enabled by default.

state disable|enable

Enables or disables stateful failover for synchronizing the persistent session state. This option is disabled by default.

update <seconds, 1–60>

Sets the stateful failover update interval. The active switch sends update packets of new persistent binding entries, if any, to the backup switch at the specified update interval. The default value is 30 seconds.

cur

Displays the current Layer 4 synchronization configuration.

/cfg/slb/sync/peer <peer switch number> Peer Switch Configuration

[Peer Switch 1 Menu]
addr - Set peer switch IP address
ena - Enable peer switch
dis - Disable peer switch
del - Delete peer switch
cur - Display current peer switch configuration

To synchronize the configuration between two switches, a peer must be configured and enabled on each switch. Switches being synchronized must use the same administrator password.

Peer Switch Configuration Menu Options (/cfg/slb/sync/peer)

Command Syntax and Usage

addr <IP address>

Sets the peer switch IP address. The default is 0.0.0.0.

ena

Enables the peer for this switch. By default, this option is disabled.

dis

Disables the peer for this switch.

del

Deletes the peer for this switch.

cur

Displays the current peer switch configuration.

/cfg/slb/adv Advanced Layer 4 Configuration

[Layer 4 Advanced Menu]
synatk - SYN Attack Detection Menu
smtport - Service Mapping Table Real Port Menu
imask - Set virtual and real IP address mask
mnet - Set management network
mmask - Set management subnet mask
pmask - Set persistent mask
intrval - Set SLB session attack inspection interval
allowlim - Set SLB session attack alert allowable limit
submac - Enable/disable Source MAC address substitution
direct - Enable/disable Direct Access Mode
grace - Enable/disable graceful real server failure
matrix - Enable/disable Virtual Matrix Architecture
vmasport - Enable/disable VMA with source port
vmadip - Enable/disable VMA with destination IP
tpcp - Enable/disable Transparent Proxy Cache Protocol
vstat - Enable/disable Virtual Service Statistics
rtsvlan - Enable/disable using VLAN info for real server lookup
pvlantag - Enable/disable preserving vlan tag during packet forwarding
portbind - Enable/disable Ingress Port For Session Table Binding
rstchk - Enable/disable TCP RST Secure Sequence Number Check
valcksum - Enable/disable Layer 7 IP/TCP Checksum Validation
riphash - Enable/disable Include RIP in AUX table hashing
fastage - Session table fast-age (1 sec) period bit shift
slowage - Session table slow-age (2 min) period bit shift
cur - Display current Layer 4 advanced configuration

Layer 4 Advanced Menu Options (/cfg/slb/adv)

Command Syntax and Usage

synatk

Displays SYN Attack Detection Menu. To view menu options, see "/cfg/slb/adv/synatk SYN Attack Detection Configuration Menu" (page 429).

smtport

Displays Service Mapping Table (SMT) Real Server Port Menu. Using this command you can add or remove a number of real server service port(s) that will process client traffic by-passing the server. In other words, this service port’s client request will not be processed by the server processor. To view menu options, see "/cfg/slb/adv/smtport Advanced SMT Real Server Port Configuration Menu" (page 430).

imask <IP subnet mask (such as 255.255.255.0)>

Configures the real and virtual server IP address mask using dotted decimal notation. The default is 255.255.255.255.

mnet <IP address>

If defined, management traffic with this source IP address will be allowed direct (non-Layer 4) access to the real servers. Specify an IP address in dotted decimal notation. A range of IP addresses is produced when used with the mmask option.

mmask <IP subnet mask (such as 255.255.255.0)>

This IP address mask is used with the mnet to select management traffic which is allowed direct access to real servers. The default is 255.255.255.255.

pmask <IP subnet mask (such as 255.255.255.0)>

Sets persistent mask. The default is 255.255.255.255.

intrval <time window for collecting sessions (0-3600)>

This command allows you to configure the time interval (from one second to one hour) to specify how frequently you want to check the SLB sessions (attacks) the switch received. At the configured interval of time the switch will check if the number of sessions is within the configured limits. You can set this limit by using the next command in this menu: allowlim.

allowlim <allowable limit (1-2097104)>

This command allows you to specify the maximum number of sessions the switch can receive at any given period of time. If the number of sessions exceeds this limit, the switch will generate a syslog and an SNMP trap to alert the administrator that the switch is under SLB attack.

submac disable|enable

Enables or disables Source MAC address substitution. Typically, the source MAC is not modified for the packets going to the servers in an SLB environment. But if you enable this command, the switch will substitute the source MAC address (for the packets going to the server) with the MAC address of the switch.

direct disable|enable

Enables or disables Direct Access Mode to real servers/services. This option also allows any virtual server to load balance any real server. By default, this option is disabled.

grace disable|enable

Enables or disables graceful real server failure. Allows existing sessions to remain bound to a server after the server has been placed in the service failed state (for more information, see "Service Failure" in the Nortel Application Switch Operating System 24.0 Application Guide). By default, this option is disabled.

matrix disable|enable

Enables or disables the use of Virtual Matrix Architecture on the Nortel Application Switch. By default, this option is enabled.

vmasport enable|disable

Enables or disables VMA with source port.

vmadip enable|disable

Enables or disables the VMA with destination IP.

tpcp disable|enable

Enables or disables the TPCP (Transparent Proxy Cache Protocol). This command is used for security reasons: the UDP port can be closed. By default, this option is disabled.

vstat disable|enable

Enables or disables reporting of virtual service statistics.

rtsvlan disable|enable

Enables or disables the use of VLAN for Return to Sender information on the real server.

pvlantag

Enables or disables preserving the VLAN tag during packet forwarding.

portbind disable|enable

Enables or disables the inclusion of the ingress port number in the session table lookup.

rstchk disable|enable

Enables or disables the TCP RST Secure Sequence Number Check.

valcksum disable|enable

Enables or disables Layer 7 IP/TCP Checksum Validation.

riphash disable|enable

Enables or disables the inclusion of RIP in AUX table hashing.

fastage <shift the fast-age (1sec) period 0-7 bits>

Controls how frequently a fastage scan is performed. The default interval is two seconds. Each incremental increase of the value doubles the length of the interval.

The fastage scan is used to remove TCP sessions that have been closed with a FIN and sessions that have been identified by the slowage scan as idle for the maximum allowed period. If a large value of fastage is used, a session can remain in the session table for a few minutes. The default is 0.

slowage <shift the slow-age (2min) period 0-14 bits>

Controls how frequently a slowage scan is performed. The default interval is two minutes. Each incremental increase of the value doubles the length of the interval. (Value is set in bits rather than seconds, which causes the time to double per increment).

The slowage scan is used to remove idle or non-TCP sessions from the session table at the specified intervals. If a large value of slowage is used, a session can remain in the session table for months. The default is 0.

cur

Displays the current Layer 4 advanced configuration.

/cfg/slb/adv/synatk SYN Attack Detection Configuration Menu

[SYN Attack Detection Menu]
intrval - Set SYN attack detection interval
thrshld - Set SYN attack alarm threshold
cur - Display current SYN attack detection configuration

SYN Attack Detection Menu Options (/cfg/slb/adv/synatk)

Command Syntax and Usage

intrval <SYN attack check interval in seconds (2-3600)>

Sets the interval of SYN attack inspection.

thrshld <SYN attack alarm threshold (new half-open sessions/second) (1-100000)>

Sets the threshold of SYN attack alarm.

cur

Displays the current SYN attack detection configuration.

/cfg/slb/adv/smtport Advanced SMT Real Server Port Configuration Menu

[SMT Real Port Menu]
add - Add real port
remove - Remove real port
cur - Display real port configuration

Advanced SMT Real Server Port Menu Options (/cfg/slb/adv/smtport)

Command Syntax and Usage

add <real server port (2-65534)>

This command allows you to add a service port to the real server that is configured to process client traffic by-passing the server processor.

remove <real server port (2-65534)>

This command allows you to remove a service port from the real server that is configured to process client traffic by-passing the server processor.

cur

Displays real port configuration.

/cfg/slb/linklb Inbound Link Load Balancing Configuration Menu

[Inbound Linklb Menu]
drecord - Domain Record Menu
group - Set real server group
ttl - Set Time to Live of DNS resource records
ena - Enable Inbound Linklb
dis - Disable Inbound Linklb
cur - Display current Inbound Linklb configuration

Inbound Link Load Balancing Configuration Menu Options (/cfg/slb/linklb)

Command Syntax and Usage

drecord <domain record number (1-64)>

Displays domain record menu. To view menu options, see "/cfg/slb/linklb/drecord Inbound Link Load Balancing Domain Record Menu" (page 431).

group <real server group number (1-1023)>

Sets the real server ISP group number.

ttl <time to live in seconds (0-65535)>

Sets the time-to-live for DNS resource records.

ena

Enables inbound link load balancing.

dis

Disables inbound link load balancing.

cur

Displays current inbound link load configuration.

/cfg/slb/linklb/drecord Inbound Link Load Balancing Domain Record Menu

[Domain Record domain_number Menu]
entry - Virt Real Mapping Menu
domain - Set Domain Name
ena - Enable Domain Record
dis - Disable Domain Record
del - Delete Domain Record
cur - Display current Domain Record configuration

Inbound Link Load Balancing Domain Record Menu Options (/cfg/slb/linklb/drecord)

Command Syntax and Usage

entry <linklb entry number (1-8)>

Displays the link load balancer’s mapping menu for the virtual and real servers. See cache disable|enable to view menu options.

domain <64 character domain name>|none

Allows you to configure the domain name. Default is none.

ena

Enables the domain records.

dis

Disables the domain records.

del

Deletes the domain records.

cur

Displays the current domain records.

/cfg/slb/linklb/drecord/entry Inbound Link Load Balancing Mapping Menu

[Virt Real Mapping 1 Menu]
virt - Set Virtual Server Number
real - Set Real Server Number
ena - Enable Entry
dis - Disable Entry
del - Delete Entry
cur - Display current Entry configuration

Command Syntax and Usage

virt <virtual server number, 1-1024>

Defines the virtual server number for mapping.

real

Defines the real server number for mapping.

ena

Enables the entry for drecords.

dis

Disables the entry for drecords.

del

Deletes the entry for drecords.

cur

Displays the current real and virtual server mappings for drecords entries.

/cfg/slb/advhc Advanced Health Check Configuration Menu

Advanced Health Check Menu Options (/cfg/slb/advhc)

Command Syntax and Usage

script <health script number (1-64)>

Displays the Scriptable Health Check Menu. To view menu options, see "/cfg/slb/advhc/script <health script number> Scriptable Health Checks Configuration" (page 433).

snmphc <SNMP health check number (1-5)>

Displays the SNMP Health Check Menu. To view menu options, see "/cfg/slb/advhc/snmphc SNMP Health Check Configuration" (page 435).

waphc

Displays the WAP Health Check Menu. To view menu options, see "/cfg/slb/advhc/waphc WAP Health Check Configuration" (page 436).

aphttp disable|enable

Enables or disables HTTP health checks on any port. By default, this option is disabled. When disabled, you can use HTTP health checks only for HTTP service. Enabling it will allow you to use it on any port, like HTTPS.

ldapver <LDAP version>

Sets the LDAP version to 2 or 3. The default is 2.

secret <1-32 character secret>

To perform application health checking to a RADIUS server, the network administrator must configure two parameters in the switch: the /cfg/slb/secret value and the cntnt parameter with a username:password value. The secret value is a field of up to 32 alphanumeric characters that is used by the switch to encrypt a password during the RSA Message Digest Algorithm (MD5) and by the RADIUS server to decrypt the password during verification. The default is none.
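The following Python sketch is an added example, not Nortel code. It shows how a shared secret and MD5 hide and recover a RADIUS password, assuming the switch follows the standard RADIUS User-Password scheme (RFC 2865, section 5.2); the function names, the secret, the cntnt value and the Request Authenticator are constructed for illustration.

```python
import hashlib

BLOCK = 16  # MD5 digest length; User-Password is processed in 16-byte blocks


def check_secret(secret: str) -> bytes:
    """Apply the limit this page gives for the secret: 1-32 alphanumeric characters."""
    if not (1 <= len(secret) <= 32 and secret.isascii() and secret.isalnum()):
        raise ValueError("secret must be 1-32 alphanumeric characters")
    return secret.encode("ascii")


def split_cntnt(cntnt: str):
    """Split a username:password value; the password may itself contain ':'."""
    user, sep, password = cntnt.partition(":")
    if not sep or not user or not password:
        raise ValueError("cntnt must look like username:password")
    return user, password


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: XOR each 16-byte block with MD5(secret + previous block)."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1-128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden = b""
    prev = authenticator  # the first mask is keyed by the Request Authenticator
    for i in range(0, len(padded), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], mask))
        hidden += block
        prev = block  # later masks are chained to the previous hidden block
    return hidden


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: rebuild the same masks from the secret and undo the XOR."""
    if not hidden or len(hidden) % BLOCK or len(authenticator) != BLOCK:
        raise ValueError("hidden value and authenticator must be 16-byte aligned")
    plain = b""
    prev = authenticator
    for i in range(0, len(hidden), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + BLOCK]
        plain += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return plain.rstrip(b"\x00")  # drop the zero padding


def demo():
    secret = check_secret("Sample0Secret")              # constructed value
    user, password = split_cntnt("hcuser:hc-pass:01")   # constructed value
    authenticator = bytes(range(16))  # constructed; random per request in practice
    hidden = hide_password(password.encode(), secret, authenticator)
    return user, hidden, recover_password(hidden, secret, authenticator)


if __name__ == "__main__":
    user, hidden, recovered = demo()
    print(user, hidden.hex(), recovered)
```

The only keyed input is the shared secret, so the health-check password is protected on the wire no better than the secret is chosen and stored on both the switch and the RADIUS server.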

minter <number of seconds between updates (1-256)>

This command sets the interval of response and bandwidth metric updates. The default is set at 10.

cur

Displays the current Layer 4 advanced health check configuration.

/cfg/slb/advhc/script <health script number> Scriptable Health Checks Configuration

Scriptable health checks provide a robust and extensible way to health check a group of real servers. With these health checks, the users can define their own health checks of varied complexity. The ASCII and binary-based scripts control how a group of real servers are health-checked. So both TCP and UDP services can be health-checked.

The Health Script menu provides commands that can be used to define the health "script." The total number of characters cannot exceed 6144 bytes. Up to 64 scripts can be configured.

Scriptable Health Check Menu Options (/cfg/slb/adv/script)

Command Syntax and Usage

open <real port or name (such as: http)> tcp|udp

Opens a TCP connection or specifies a UDP port for the health check. You need to specify the protocol (TCP or UDP), and the port number.

send <text string (TCP), hex string (UDP)>

Sends an ASCII request string through an open TCP or UDP port to the server.

bsend <hex string>

Sends a binary request string in hexadecimal format for the request packet through an open TCP or UDP port to the server.

nsend <additional hex string (UDP)>

Allows you to append additional content to the packet generated by the bsend command. The Nortel Application Switch Operating System 24.0 allows a maximum of 256 bytes to be entered. Using one or more nsend commands allows you to generate a binary content of more than 256 bytes in length.

expect <text string (TCP), hex string (UDP)>

Allows you to configure an ASCII request string that you can search in each server response packet for successful health check on an open TCP port. If you do not see this string in any response packet before the health check interval or the configured wait window expires, the server does not pass the expect step and the health check fails.

bexpect <hex string>

Allows you to configure binary content request string (in hexadecimal format) that you can search in each server response packet for successful health check on an open TCP port.

nexpect <additional hex string (UDP)>

Allows you to append additional content to the original content of the response packet specified by the bexpect command.

offset <offset, 1-1464>

Allows you to specify the offset from the beginning of the UDP data area to start matching the content specified in the expect command. If you need to specify offset, you must do it after executing the bexpect command.

depth <depth, 1-1464>

Allows you to specify the depth (the window) in bytes beginning from the start of the UDP data area, or beginning from offset if offset was specified, to search for the bexpect content.

wait <wait window in milliseconds (1-65535)>

Allows the user to configure a wait window for the expected response. The wait window starts when the request is sent from the switch. If the expected response is received within the wait window, the health check passes, otherwise the health check fails. The wait command should follow the offset and depth commands in the script. The wait window is set in units of milliseconds.

close

Closes TCP connection.

rem

Removes the last entered line from the script.

del

Deletes the current script.

cur

Lists the current script configuration.
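How the bsend/nsend, bexpect/nexpect, offset and depth steps combine when a UDP response is checked, as an added Python sketch (not Nortel code). It assumes that offset and depth count bytes from the start of the UDP data area, that the expected bytes may appear anywhere inside the resulting window, and that the 256-byte limit applies to each command; the function names and both response payloads are constructed for illustration, and the wait window is not modelled.

```python
from typing import Optional

MAX_CMD_BYTES = 256  # per-command content limit quoted on this page
MAX_WINDOW = 1464    # upper bound of the offset and depth ranges on this page


def parse_hex(arg: str) -> bytes:
    """Decode one hex-string argument (bsend, nsend, bexpect or nexpect)."""
    cleaned = "".join(arg.split())
    if not cleaned or len(cleaned) % 2:
        raise ValueError("hex string must encode whole bytes")
    data = bytes.fromhex(cleaned)  # raises ValueError on non-hex characters
    if len(data) > MAX_CMD_BYTES:
        raise ValueError("over 256 bytes; continue with nsend/nexpect")
    return data


def build_content(first: str, *continuations: str) -> bytes:
    """Concatenate bsend + nsend... (request) or bexpect + nexpect... (match)."""
    return b"".join(parse_hex(part) for part in (first, *continuations))


def expect_matches(udp_data: bytes, expected: bytes,
                   offset: int = 0, depth: Optional[int] = None) -> bool:
    """Search for the expected bytes inside the offset/depth window only.

    offset=0 and depth=None stand for a script with no offset or depth step.
    """
    if not expected:
        raise ValueError("nothing to match")
    if not 0 <= offset <= MAX_WINDOW:
        raise ValueError("offset out of range")
    if depth is not None and not 1 <= depth <= MAX_WINDOW:
        raise ValueError("depth out of range")
    end = len(udp_data) if depth is None else offset + depth
    return expected in udp_data[offset:end]


# Constructed DNS-style responses: bytes 2-3 are the flags field.
HEALTHY = bytes.fromhex("1234 8180 0001 0001 0000 0000")
# Flags 8182 signal a server failure, but 8180 happens to occur later on.
FAILING = bytes.fromhex("1234 8182 0001 0000 0000 0000 c00c 8180")


def demo():
    expected = build_content("81", "80")  # bexpect 81, then nexpect 80
    return {
        "healthy, no window": expect_matches(HEALTHY, expected),
        "failing, no window": expect_matches(FAILING, expected),
        "healthy, offset 2 depth 2": expect_matches(HEALTHY, expected, 2, 2),
        "failing, offset 2 depth 2": expect_matches(FAILING, expected, 2, 2),
        "healthy, offset 2 depth 1": expect_matches(HEALTHY, expected, 2, 1),
    }


if __name__ == "__main__":
    for case, passed in demo().items():
        print(f"{case}: {'pass' if passed else 'fail'}")
```

Without a window the failing server is reported healthy because the expected bytes occur elsewhere in its reply; pinning the match with offset and depth removes that false pass, and a depth shorter than the pattern can never match.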

/cfg/slb/advhc/snmphc SNMP Health Check Configuration

SNMP Health Check Menu Options (/cfg/slb/adv/snmphc)

Command Syntax and Usage

oid <object identifier, such as, 1.3.6.1.2.1.1.1.0 max 30 sub-identifiers>

Specify the Object Identifier (OID) to be sent in the SNMP GET request packet. The format of the OID depends on the MIB file, for example, an OID is of the form 1.3.6.1.4.1.1872.2.5.7.11.

comm <community string, maximum 32 characters>

Enter the community string used in the SNMP get request packet. The default community string is public.

rcvcnt <expected content an integer value or a string>

Enter the content the switch expects to receive from the SNMP agent on the real server.

invert disable|enable

Enables or disables the inversion of the expected value. When the invert option is enabled, the health check fails if the response packet contains the value specified in the receive content (rcvcnt) field.

weight disable|enable

When enabled, the real server weights are dynamically adjusted based on SNMP health check response.

del

Deletes the current SNMP health check.

cur

Displays the current SNMP Health Check configuration.

/cfg/slb/advhc/waphc WAP Health Check Configuration

Wireless Session Protocol (WSP) is used within the Wireless Application Protocol (WAP) suite to manage sessions between wireless devices and WAP content servers or WAP gateways. The Nortel Application Switch Operating System provides a content-based health check mechanism where customized WSP packets are sent to the WAP gateways, and the switch verifies the expected response, in a manner similar to scriptable health checks.

WSP content health checks can be configured in two modes: connectionless and connection-oriented. Connectionless WSP runs on UDP/IP protocol, ports 9200 and 9202 and connection-oriented (WTP) traffic runs on ports 9201 and 9203. Application switches can be used to load balance the gateways in both modes of operation.

The Nortel Application Switch Operating System allows you to configure three WAP gateway health check types for all four WAP services (WSP, WTP+WSP, WTLS+WSP, WTLS+WTP+WSP), deployed on WAP gateways/servers. For further details, refer to the Application Guide.

[WAP Health Check Menu]
wspcnt - WSP Health Check Content Menu
wtpcnt - WTP+WSP Health Check Content Menu
wspport - WSP port number to health check
wtpport - WTP port number to health check
wtlswsp - WTLS+WSP port number to health check
wtlsprt - WTLS port number to health check
couple - Enable/disable coupling with RADIUS Accounting Service
cur - Display current WAP health check configuration

WAP Health Check Menu Options (/cfg/slb/adv/waphc)

Command Syntax and Usage

wspcnt

Displays WSP Health Check Content Menu. To view menu options, see "/cfg/slb/advhc/waphc/wspcnt WSP Content Health Check" (page 438).

wtpcnt

Displays WTP and WSP Health Check Content Menu. To view menu options, see "/cfg/slb/advhc/waphc/wtpcnt WTP and WSP Content Health Check Menu" (page 438).

wspport <wsp port number to health check (0-65534)>

Enter the port number on which WSP health checks will be performed. The default port number is 9200.

wtpport <wtp port number to health check (0-65534)>

Defines the WTP port number to health check. The default port number is 9201.

wtlswsp <wtls+wsp port number to health check (0-65534)>

Defines the WTLS (Wireless Transport Layer Security) and WSP port number to health check. The connectionless encrypted WTLS traffic uses default port 9202.

wtlsprt <port number (0-65534)>

Enter the port number on which WTLS health checks will be performed. The connection-oriented WTLS traffic uses default port 9203.

couple disable|enable

Enables or disables coupling together of all the four WAP services (WSP, WTP+WSP, WTLS+WSP, WTLS+WTP+WSP) with RADIUS Accounting Service. If the health check to any one of the four WAP services or RADIUS Accounting Service fails, then all of the four WAP services and RADIUS Accounting Service are disabled.

cur

Displays the current WAP Health Check configuration.

/cfg/slb/advhc/waphc/wspcnt WSP Content Health Check

[WSP Health Check Content Menu]
offset - Offset in received WSP packet
sndcnt - Content to be sent to the WAP gateway
rcvcnt - Content to be received from the WAP gateway
cur - Display current WSP health check content configuration

WSP Content Health Check Options (/cfg/slb/advhc/waphc/wspcnt)

Command Syntax and Usage

offset <Offset in the received WSP packet (0-512)>

Enter the offset value content of the received WSP packets. An offset value of 0 (default) sets the switch to start comparisons from the beginning of the content of the received packet.

sndcnt <send content as hexadecimal string>

Enter a hexadecimal string that represents a connectionless WSP request to a WSP gateway. This string will be delivered to the WSP gateway.

rcvcnt <receive content as hexadecimal string>

Enter a hexadecimal string that represents the content that the switch expects to receive from the WSP gateway.

cur

Displays the current WAP Health Check configuration.

/cfg/slb/advhc/waphc/wtpcnt WTP and WSP Content Health Check Menu

This menu is used for configuring the health check for connection-oriented unencrypted WAP traffic.

[WTP+WSP Health Check Content Menu]
offset - Offset in received WSP PDU
connect - CONNECT PDU to be sent to the WAP gateway
sndcnt - GET PDU to be sent to the WAP gateway
rcvcnt - REPLY PDU to be received from the WAP gateway
cur - Display current WTP+WSP health check content configuration

WTP and WSP Content Health Check Menu Options (/cfg/slb/advhc/waphc/wtpcnt)

Command Syntax and Usage

offset <offset in the received WSP PDU>

Enter the offset value content of the received WSP packets. The offset value is the number of bytes from the beginning of the WSP PDU, at which the comparison begins to match with the expected receive content. An offset value of 0 (default) sets the switch to start comparisons from the beginning of WSP PDU of the received packet.

connect <connect content as hexstring>

Enter the content for the first switch-generated WSP session packet. This command allows you to customize the headers in the connect message.

sndcnt <send content as hexadecimal string>

Enter a hexadecimal string that represents a WSP request to a WSP gateway. This string will be delivered to the WSP gateway.

rcvcnt <receive content as a hexadecimal string>

Enter a hexadecimal string that represents the content that the switch expects to receive from the WSP gateway.

cur

Displays current WTP+WSP health check content configuration.

/cfg/slb/pip Proxy IP Address Configuration Menu

You need to enable proxy IP address processing on the port to use this command. You can configure multiple proxy IP addresses based on either port or VLAN.

You can configure up to 1024 proxy IP addresses on a per switch basis.

[Proxy IP Address Menu]
type - Set base type of Proxy IP address
add - Add port or VLAN to Proxy IP address
add6 - Add port or VLAN to IPv6 Proxy IP address
rem - Remove port or VLAN from Proxy IP address
cur - Display current Proxy IP address configuration

Proxy IP Address Configuration Menu Options (/cfg/slb/pip)

Command Syntax and Usage

type port|vlan

Defines the base type of the proxy IP address, whether it is port-based or VLAN-based.

add <IP address port number>|<vlan number> | port number-port number|vlan number-vlan number

Allows you to add either a port or a VLAN to a proxy IP address.

add6 IPv6 address port number|vlan number | port number-port number|vlan number-vlan number

Adds a port or VLAN to a proxy IPv6 address.

rem <PIP ID port#|vlan#> | <port#-port#|vlan#-vlan#>

Allows you to remove a port or a VLAN from a proxy IP address. This command also allows you to remove all ports or VLANs assigned to any proxy IP address.

cur

Displays the current Proxy IP address configuration.

/cfg/slb/peerpip SLB Peer Proxy IP Address Menu

When this command is enabled, the switch is able to forward traffic from the other switch, using Layer 2, without performing server processing on the packets of the other switch. This happens because the peer switches are aware of each other’s proxy IP addresses. This prevents the dropping of a packet or being sent to the backup switch in the absence of the proxy IP address of the peer switch.

[Peer Proxy IP Address Menu]
add - Add peer Proxy IP address
rem - Rem peer Proxy IP address
cur - Display current peer Proxy IP address configuration

Peer Proxy IP Address Menu Options (/cfg/slb/peerpip)

Command Syntax and Usage

add <IP address>

Allows you to add a proxy IP address to the server load balancing peer.

rem <IP address>

Allows you to remove a proxy IP address from the server load balancing peer.

cur

Displays the current proxy address configuration of the peer.

/cfg/slb/wlm WorkLoad Management Menu

[Workload Manager 1 Menu]
addr - Set IP address for Workload Manager
port - Set port for Workload Manager
del - Delete Workload Manager
cur - Display current Workload Manager configuration

Workload Manager Menu Options

Command Syntax and Usage

addr <IP_address>

Set the IP address for the Workload Manager.

port <TCP_port>

Set the port number for the Workload Manager.

del

Delete the Workload Manager.

cur

Shows all Workload Manager statistics. For example:

Current Workload Manager 1:
IP address Port
0.0.0.0 0

The Operations Menu

The Operations Menu is generally used for commands that affect switch performance immediately, but do not alter permanent switch configurations. For example, you can use the Operations Menu to immediately disable a port (without the need to apply or save the change), with the understanding that when the switch is reset, the port returns to its normally configured operation.

/oper Operations Menu

[Operations Menu]
port - Operational Port Menu
slb - Operational Server Load Balancing Menu
vrrp - Operational Virtual Router Redundancy Menu
bwm - Operational Bandwidth Management Menu
security - Operational Security Menu
ip - Operational IP Menu
swkey - Enter key to enable software feature
rmkey - Enter software feature to be removed
passwd - Change current user password
clrlog - Clear syslog messages
displog - Turn on/off display syslog msgs to telnet/ssh sessions
defalias - Set default port alias
ntpreq - Send NTP request

The commands of the Operations Menu enable you to alter switch operational characteristics without affecting switch configuration.

Port Mirroring menu options are accessible only to the Nortel Application Switch AD4 and Nortel Application Switch 184 Web Switches.

Operations Menu Options (/oper)

Command Syntax and Usage

port <port number>


Displays the Operational Port Menu. To view menu options, see "/oper/port <port number> Operations-Level Port Options" (page 445).

slb

Displays the Operational Layer 4 Menu. To view menu options, see "/oper/slb Operations-Level SLB Options" (page 445).

vrrp

Displays the Operational Virtual Router Redundancy Menu. To view menu options, see "/oper/vrrp Operations-Level VRRP Options" (page 448).

bwm

Operational Bandwidth Management Menu. To view menu options, see "/oper/bwm Operations-Level Bandwidth Management Options" (page 449).

security

Go to the Operational Security menu. To view menu options, see "/oper/security Security Menu" (page 449).

ip

Displays the IP Operations Menu, which has one sub-menu/option, the Operational Border Gateway Protocol Menu. To view menu options, see "/oper/vrrp Operations-Level VRRP Options" (page 448).

swkey <16-hexadecimal digit key to enable software feature>

Sets key to enable software feature. For details, see "/oper/swkey Activating Optional Software" (page 452).

rmkey <software feature to be removed (GSL|BWM|Security)>

Defines software feature to be removed. For details, see "/oper/rmkey Removing Optional Software" (page 453).

passwd <15 char max>

Allows the user to change the password. You need to enter the current password in use for validation.

clrlog

Clears all syslog messages.

displog on|off

Turn on/off display syslog msgs to telnet/ssh sessions

defalias

Set the default port alias.

ntpreq

Allows the user to send requests to the NTP server.


/oper/port <port number>
Operations-Level Port Options

[Operations Port 1 Menu]
rmon - Enable/Disable RMON for port
ena - Enable port
dis - Disable port
cur - Current port state

Operations-level port options are used for temporarily disabling or enabling a port, and for changing Remote Monitoring (RMON) status on a port.

Operations-Level Port Menu Options (/oper/port)

Command Syntax and Usage

rmon disable|enable

Temporarily enables/disables Remote Monitoring on the port. The port will be returned to its configured operation mode when the switch is reset.

ena

Temporarily enables the port. The port will be returned to its configured operation mode when the switch is reset.

dis

Temporarily disables the port. The port will be returned to its configured operation mode when the switch is reset.

cur

Displays the current settings for the port.

/oper/slb
Operations-Level SLB Options

When the optional Layer 4 software is enabled, the operations-level Server Load Balancing options are used for temporarily disabling or enabling real servers and synchronizing the configuration between the active/active switches.


Server Load Balancing Operations Menu Options (/oper/slb)

Command Syntax and Usage

group <real server group number (1-1024)>

Displays the Real Server Group Menu. To view menu options, see "/oper/slb/group Real Server Group Operations" (page 447).

gslb

Displays Global SLB Operations Menu. To view menu options, see "/oper/slb/gslb Global SLB Operations Menu" (page 447).

sync

Synchronizes the SLB, filter, VRRP, port, Bandwidth Management configuration, and VR priorities on a peer switch (a switch that owns the IP address). To take effect, peers must be configured on the Nortel Application Switch and the administrator password on the switch must be identical.

ena <real server number (1-1023)>

Temporarily enables a real server. The real server will be returned to its configured operation mode when the switch is reset.

dis <real server number, 1-1023> [P - allow persistent http1.0 sessions] p|n

The disable command is used to temporarily disable real servers as follows:

• Using the p (persistent) option: immediately suspends assignment of connections to the specified real server (except for persistent http 1.0 sessions) by removing the real server from operation within its real server group and virtual server

• Using the n (none) option: immediately suspends assignment of connections to the specified real server by removing the real server from operation within its real server group and virtual server

The real server will be returned to its configured state after a switch reset.

Note: This command provides for orderly server shutdown to allow maintenance on a server. For more information, see "Disabling and Enabling Real Servers" in the Nortel Application Switch Operating System 24.0 Application Guide.

sessdel

Delete session table entry.

smirror


Sends a request for an update from the VRRP backup switch to the VRRP Master. The request is sent to avoid a situation where the sessions on the backup switch can be updated only by a VRRP failover or a switch reset.

Note: VRRP must be enabled and the switch must be a VRRP backup, otherwise the command returns an error message.

clear

Clears all session tables and allows port filter changes to take effect immediately.

Note: This command disrupts current SLB and Application Redirection sessions.

cur

Displays the current SLB operational state.

/oper/slb/group
Real Server Group Operations

[Real server group 1 Menu]
ena - Enable real server in this group
dis - Disable real server in this group
cur - Current server group operational state

Real Server Group Operations Options (/oper/slb/group)

Command Syntax and Usage

ena <real server number (1-1023)>

Enables real server in this group.

dis <real server number (1-1023)>

Disables real server in this group.

cur

Displays current operational state of the server group.

/oper/slb/gslb
Global SLB Operations Menu

[Global SLB Operations Menu]

query - Query Global SLB selection

add - Add entry to Global SLB DNS persistence cache


arem - Remove all entries Global SLB DNS persistence cache

avpersis - Enable/Disable GSLB availability persistence for virtual server

Global SLB Operations Menu Options (/oper/slb/gslb)

Command Syntax and Usage

query

Allows you to query the Global site selection.

add

Add an entry to the Global SLB DNS persistence cache.

arem

Remove all entries from the Global SLB DNS persistence cache.

avpersis <virtual server number (1-1024)> enable|disable

When enabled, this will cause a virtual server with a lower availability to start advertising an availability of 48 if the remote virtual server with a higher availability becomes unavailable. The GSLB DSSP version must be set to 3 for this command to be issued. This command will only affect GSLB if the GSLB rules are configured to use the availability metric (preferably as rule 1, metric 1).

If a virtual server is advertising an availability of 48 to its remote virtual servers, disabling avpersis will cause availabilities to return to their configured values.

/oper/vrrp
Operations-Level VRRP Options

[VRRP Operations Menu]
back - Set virtual router to backup

Virtual Router Redundancy Operations Menu Options (/oper/vrrp)

Command Syntax and Usage

back <virtual router number (1-1024)>

Forces the specified master virtual router on this switch into backup mode. This is generally used for passing master control back to a preferred switch once the preferred switch has been returned to service after a failure. When this command is executed, the current master gives up control and initiates a new election by temporarily advertising its own priority level as 0 (lowest). After the new election, the virtual router forced into backup mode by this command will resume master control in the following cases:


• This switch owns the virtual router (the IP addresses of the virtual router and its IP interface are the same)

• This switch’s virtual router has a higher priority and preemption is enabled.

• There are no other virtual routers available to take master control.
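The three cases listed for the back command determine whether a forced hand-over actually sticks. The following is an added example, not code from Nortel or from this manual: a simplified Python model of those cases, in which the VirtualRouter class, its field names and the switch names are assumptions made for illustration, and tie-breaking between equal priorities is not modelled.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class VirtualRouter:
    """One switch's view of a virtual router (hypothetical model, not switch code)."""
    switch: str            # constructed switch name
    priority: int          # configured VRRP priority
    preempt: bool = True   # preemption enabled on this switch
    owner: bool = False    # VR address equals the switch's IP interface address
    up: bool = True        # virtual router is available to take part in elections


def master_after_back(forced: VirtualRouter, peers: List[VirtualRouter]) -> str:
    """Return the switch expected to hold master once the election that
    /oper/vrrp back triggers has settled, following the manual's three cases."""
    candidates = [p for p in peers if p.up]

    # Case: no other virtual routers are available to take master control.
    if not candidates:
        return forced.switch

    # The forced router advertises priority 0, so the best remaining peer
    # wins the election that follows.
    interim = max(candidates, key=lambda p: p.priority)

    # Case: this switch owns the virtual router.
    if forced.owner:
        return forced.switch

    # Case: this switch has a higher priority and preemption is enabled.
    if forced.preempt and forced.priority > interim.priority:
        return forced.switch

    return interim.switch


def back_sticks(forced: VirtualRouter, peers: List[VirtualRouter]) -> bool:
    """True when master control stays with a peer after the back command."""
    return master_after_back(forced, peers) != forced.switch


if __name__ == "__main__":
    # Constructed scenario: switch-A took over during a failure of switch-B,
    # and switch-B (the preferred switch) is back in service.
    a = VirtualRouter("switch-A", priority=100)
    b = VirtualRouter("switch-B", priority=101)
    print("master after back:", master_after_back(a, [b]))
```

If back_sticks returns False for the planned hand-over, the priority or preemption settings need attention before the command is used in a maintenance window.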

/oper/bwm
Operations-Level Bandwidth Management Options

[Bandwidth Management Operations Menu]
sndhist - Send BW History to SMTP server
clear - Clear BWM IP user entry table

Bandwidth Operations Menu Options (/oper/bwm/sndhist)

Command Syntax and Usage

sndhist

Sends the bandwidth history to a system administrator specified under /cfg/bwm/user (see "/cfg/bwm Bandwidth Management Configuration" (page 270)).

clear

Clear the BWM IP user entry table.

/oper/security
Security Menu

[Security Menu]
ipacl - IP ACL Operations Menu

Security Menu Options

Command Syntax and Usage

ipacl

Go to the IP ACL Operation menu. To view menu options, see "/oper/security/ipacl IP ACL Operations Menu" (page 449).

/oper/security/ipacl


IP ACL Operations Menu

[IP ACL Operations Menu]

add - Add operations source IP Address/Mask

rem - Remove operations source IP Address/Mask

arem - Remove all operations source IP Address/Mask

dadd - Add operations destination IP Address/Mask

drem - Remove operations destination IP Address/Mask

darem - Remove all operations destination IP Address/Mask

cfg - Display configuration IP Address/Mask

bogon - Display bogon IP Address/Mask

oper - Display operations IP Address/Mask

cur - Display all IP Address/Mask

IP ACL Operations Menu Options

Command Syntax and Usage

add <IP address IP subnet mask timeout in minutes, 1-10080>

Add an operations source IP address and Mask.

rem <IP address IP subnet mask>

Remove an operations source IP address and Mask.

arem

Remove all operations source IP addresses and Masks.

dadd <IP address IP subnet mask timeout in minutes, 1-10080>

Add an operations destination IP address and Mask.

drem <IP address IP subnet mask>

Remove an operations destination IP address and Mask.

darem

Remove all of the operations destination IP addresses and Masks.

cfg

Display all configuration IP addresses and Masks. For example:

Current configuration IP ACL settings:
0 configuration source IP ACL.
0 configuration destination IP ACL.

bogon


Display bogon IP address and Mask. For example:

>> IP ACL Operations# bogon
Current bogon IP ACL settings:
0 bogon source IP ACL.

oper

Display operations IP addresses and Masks. For example:

Current operations IP ACL settings:
0 operations source IP ACL.
0 operations destination IP ACL.

cur

Display all IP addresses and Masks. For example:

Current total IP ACL settings:
0 total source IP ACL.
0 total destination IP ACL.

Current configuration IP ACL settings:
0 configuration source IP ACL.
0 configuration destination IP ACL.

Current bogon IP ACL settings:
0 bogon source IP ACL.
Use "bogon" command to display.

Current operations IP ACL settings:
0 operations source IP ACL.
0 operations destination IP ACL.

/oper/ip
Operations-Level IP Options

[IP Operations Menu]
bgp - Operational Border Gateway Protocol Menu
garp - Send gratuitous arp

IP Operations Menu Options (/oper/ip)

Command Syntax and Usage

bgp

Displays the Border Gateway Protocol Operations Menu. To view the menu options see "/oper/ip/bgp Operations-Level BGP Options" (page 452).


garp <IP address Vlan number>

Send gratuitous arp.

/oper/ip/bgp
Operations-Level BGP Options

[Border Gateway Protocol Operations Menu]
start - Start peer session
stop - Stop peer session
cur - Current BGP operational state

IP Operations Menu Options (/oper/ip)

Command Syntax and Usage

start <peer number (1-16)>

Starts the peer session.

stop <peer number (1-16)>

Stops the peer session.

cur

Displays the current BGP operational state.

/oper/swkey
Activating Optional Software

The swkey option is used for activating any optional software you have purchased for your switch.

Before you can activate optional software, you must obtain a software license from your Nortel Networks representative or authorized reseller. One software license is needed for each switch where the optional software is to be used. You will receive a Licence Certificate for each software license purchased.

Currently the following software packages are available for purchase and installation:

• Security Pack

• Bandwidth Management

• Global Server Load Balancing

• Intelligent Traffic Management

• Nortel Symantec Intelligent Network Protection

• Link Load Balancing


To obtain a software key, you must register each License Certificate with Nortel Networks and provide the MAC address of the Nortel Application Switch Operating System switch that will run the optional software. Nortel Networks will then provide a License Password.

Note: Each License Password will work only on the specific switch which has the MAC address you provided when registering your Licence Certificate.

Once you have your License Password, perform the following actions:

Step Action

1 Connect to the switch’s command line interface and log in as the administrator (see "The Command Line Interface" (page 27)).

2 At the Main# prompt, enter:

Main# oper

3 At the Operations# prompt, enter:

Operations# swkey

4 When prompted, enter your 16-digit software key code. For example:

Enter Software Key: <16 hexadecimal-digit key to enable software feature (such as, 123456789ABCDEF)>

If the correct code is entered, you will see the following message:

Valid software key entered.
Software feature enabled.

—End—

/oper/rmkey
Removing Optional Software

The rmkey option is used for deactivating any optional software. Deactivated software is still present in switch memory and can be reactivated at any later time.


To review the deactivation options, enter the following at the Operations Menu:

>> Operations# ? rmk
Usage: rmkey software feature to be removed (GSLB||BWM|Security|Linklb|ITM)

To deactivate optional software, enter the following at the Operations Menu:

Operations# rmkey

When prompted, enter the code for software to be removed. For example:

Enter Software Feature to be removed: [GSLB]|BWM|Security:GSLB


The Boot Options Menu

To use the Boot Options Menu, you must be logged in to the switch as the administrator. The Boot Options Menu provides options for:

• Selecting a switch software image to be used when the switch is next reset

• Selecting a configuration block to be used when the switch is next reset

• Downloading or uploading a new software image to the switch via TFTP

/boot
Boot Menu

[Boot Options Menu]

sched - Scheduled Switch Reset Menu

image - Select software image to use on next boot

conf - Select config block to use on next boot

gtimg - Download new software image via FTP/TFTP

ptimg - Upload selected software image via FTP/TFTP

symantec - Globally Enable/Disable Symantec feature (requires a switch reset)

reset - Reset switch [WARNING: Restarts Spanning Tree]

cur - Display current boot options

Each of these options is discussed in greater detail in the following sections.

Scheduled Reboot of the Switch

This feature allows the switch administrator to schedule a reboot to occur at a particular time in future. This feature is particularly helpful if the user needs to perform switch upgrades during off-peak hours. You can set the reboot time, cancel a previously scheduled reboot, and check the time of the currently set reboot schedule with the help of the following sub-menu:

/boot/sched


Scheduled Reboot Menu

[Boot Schedule Menu]
set - Set switch reset time
cancel - Cancel pending switch reset
cur - Display current switch reset schedule

The cur option displays the current scheduled reboot time. For example:

>> Boot Schedule# cur
Currently scheduled reboot time: none

Updating the Switch Software Image

The switch software image is the executable code running on the Nortel Application Switch. A version of the image ships with the switch, and comes pre-installed on the device. As new versions of the image are released, you can upgrade the software running on your switch.

Upgrading the software image on your switch requires the following:

• Loading the new image onto a TFTP server on your network

• Downloading the new image from the TFTP server to your switch

• Selecting the new software image to be loaded into switch memory the next time the switch is reset

Downloading New Software to Your Switch

The switch can store up to two different software images, called image1 and image2, as well as boot software, called boot. When you download new software, you must specify where it should be placed: either into image1, image2, or boot.

For example, if your active image is currently loaded into image1, you would probably load the new image software into image2. This lets you test the new software and reload the original active image (stored in image1), if needed.

To download new software to your switch, you will need the following:

• The image or boot software loaded on a TFTP server on your network

• The hostname or IP address of the TFTP server

• The name of the new software image or boot file

• Set up the TFTP option (/cfg/sys/mgmt/tftp) for the TFTP connection. This sets the default option for the gtimg and ptimg commands. However, note that you can override this setting with the option provided to these operational commands.


Note: The DNS parameters must be configured if specifying hostnames. See "/cfg/l3/dns Domain Name System Configuration Menu" (page 327).

When the above requirements are met, use the following procedure to download the new software to your switch.

Step Action

1 At the Boot Options# prompt, enter:

Boot Options# gtimg

2 Enter the name of the switch software to be replaced:

Enter name of switch software image to be replaced ["image1"/"image2"/"boot"]: <image>

3 Enter the hostname or IP address of the TFTP server.

Enter hostname or IP address of TFTP server: <server name or IP address>

4 Enter the name of the new software file on the server.

Enter name of file on TFTP server: <filename>

The exact form of the name will vary by TFTP server. However, the file location is normally relative to the TFTP directory (usually /tftpboot).

5 The system prompts you to confirm your request.

You should next select a software image to run, as described below.

—End—

Selecting a Software Image to Run

You can select which software image (image1 or image2) you want to run in switch memory for the next reboot.

Step Action

1 At the Boot Options# prompt, enter:

Boot Options# image


2 Enter the name of the image you want the switch to use upon the next boot.

The system informs you of which image is currently set to be loaded at the next reset, and prompts you to enter a new choice:

Currently set to use switch software "image1" on next reset.
Specify new image to use on next reset ["image1"/"image2"]:

—End—

Uploading a Software Image from Your Switch

You can upload a software image from the switch to a TFTP server.

Step Action

1 At the Boot Options# prompt, enter:

Boot Options# ptimg

2 The system prompts you for information. Enter the desired image:

Enter name of switch software image to be uploaded ["image1"|"image2"|"boot"]: <image hostname or server-IP-addr server-filename>

3 Enter the name or the IP address of the TFTP server:

Enter hostname or IP address of TFTP server: <server name or IP address>

4 Enter the name of the file into which the image will be uploaded on the TFTP server:

Enter name of file on TFTP server: <filename>

5 The system then requests confirmation of what you have entered. To have the file uploaded, enter Y.


image2 currently contains Software Version 20.2.0.7
Upload will transfer image2 (1889411 bytes) to file "test"
on TFTP server 192.1.1.1.

Confirm upload operation [y/n]: y

—End—

Selecting a Configuration Block

When you make configuration changes to the Nortel Application Switch, you must save the changes so that they are retained beyond the next time the switch is reset. When you perform the save command, your new configuration changes are placed in the active configuration block. The previous configuration is copied into the backup configuration block.

There is also a factory configuration block. This holds the default configuration set by the factory when your Nortel Application Switch was manufactured. Under certain circumstances, it may be desirable to reset the switch configuration to the default. This can be useful when a custom-configured Nortel Application Switch is moved to a network environment where it will be reconfigured for a different purpose.

Use the following procedure to set which configuration block you want the switch to load the next time it is reset:

Step Action

1 At the Boot Options# prompt, enter:

Boot Options# conf

2 Enter the name of the configuration block you want the switch to use:

The system informs you of which configuration block is currently set to be loaded at the next reset, and prompts you to enter a new choice:

Currently set to use active configuration block on next reset.
Specify new block to use ["active"/"backup"/"factory"]:

—End—


Resetting the Switch

You can reset the switch to make your software image file and configuration block changes occur.

Note: Resetting the switch causes the Spanning Tree Protocol to restart. This process can be lengthy, depending on the topology of your network.

To reset the switch, at the Boot Options# prompt, enter:

>> Boot Options# reset

You are prompted to confirm your request.

Enabling Symantec Intelligent Network Protection

The /boot/symantec command is used to enable and disable the Symantec Intelligent Network Protection on the switch. As this functionality is only active on switches for which a license has been built, the absence of this command indicates that a switch does not currently have an active license.

To set the status of this functionality, use the following procedure:

Step Action

1 Enter the /boot/symantec command.

>> Main# /boot/symantec

2 At the prompt, enter either ena to enable the functionality or dis to disable it.

Current state of Global Symantec feature is Disabled
Globally [ena|dis] Symantec feature (requires a switch reset): ena

3 The switch will now prompt for confirmation of the necessary switch reset. Typing n at either of the prompts will cause the process to abort.


Confirm Globally enable Symantec feature (requires a switch reset) [y/n]: y

Reset will use software "image1" and the active config block.
>> Note that this will RESTART the Spanning Tree,
>> which will likely cause an interruption in network service.
Confirm reset [y/n]: y

The switch will now reset and either enable or disable the functionality globally. Performing this procedure will also determine what memory profile the switch is running. For more information about memory profiles, refer to "Symantec Intelligent Network Protection" in the Nortel Application Switch Operating System 24.0 Application Guide (NN47220-104).

—End—


The Maintenance Menu

The Maintenance Menu is used to manage dump information and forward database information. It also includes a debugging menu to help with troubleshooting.

/maint
Maintenance Menu

Note: To use the Maintenance Menu, you must be logged in to the switch as the administrator.

[Maintenance Menu]
sys - System Maintenance Menu
fdb - Forwarding Database Manipulation Menu
arp - ARP Cache Manipulation Menu
route - IP Route Manipulation Menu
ip6 - IP6 Manipulation Menu
debug - Debugging Menu
uudmp - Uuencode FLASH dump
ptdmp - Upload FLASH dump via FTP/TFTP
cldmp - Clear FLASH dump
lsdmp - List FLASH dump
panic - Dump state information to FLASH and reboot
tsdmp - Tech support dump
pttsdmp - Upload tech support dump via FTP/TFTP
sslrst - Reset SSL card

Dump information contains internal switch state data that is written to flash memory on the Nortel Application Switch after any one of the following occurs:

• The switch administrator forces a switch panic. The panic option, found in the Maintenance Menu, causes the switch to dump state information to flash memory, and then causes the switch to reboot.

• The switch administrator enters the switch reset key combination on a device that is attached to the console port. The switch reset key combination is Shift Ctrl - .


• The watchdog timer forces a switch reset. The purpose of the watchdog timer is to reboot the switch if the switch software freezes.

• The switch detects a hardware or software problem that requires a reboot.

Maintenance Menu Options (/maint)

Command Syntax and Usage

sys

Displays the System Maintenance Menu. To view menu options, see "/maint/sys System Maintenance Options" (page 465).

fdb

Displays the Forwarding Database Manipulation Menu. To view menu options, see "/maint/fdb Forwarding Database Options" (page 465).

arp

Displays the ARP Cache Manipulation Menu. To view menu options, see "/maint/arp ARP Cache Options" (page 467).

route

Displays the IP Route Manipulation Menu. To view menu options, see "/maint/route IP Route Manipulation" (page 468).

ip6

Displays the IPv6 Manipulation Menu. To view menu options, see "/maint/ip6 IPv6 Manipulation Menu" (page 469).

debug

Displays the Debugging Menu. To view menu options, see "/maint/debug Debugging Options" (page 469).

uudmp

Displays dump information in uuencoded format. For details, see "/maint/uudmp Uuencode Flash Dump" (page 470).

ptdmp hostname filename [-mgmt| -data]

Saves the system dump information using TFTP. For details, see "/maint/ptdmp server filename System Dump Put" (page 471).

cldmp

Clears dump information from flash memory. For details, see "/maint/cldmp Clearing Dump Information" (page 471).

lsdmp

Displays list flash dump. For details, see "/maint/lsdmp" (page 472).

panic

Dumps MP information to FLASH and reboots. For details, see "/maint/panic Panic Command" (page 472).


tsdmp

Dumps all Nortel Application Switch information, statistics, and configuration. You can log the tsdump output into a file, and send it to Nortel Networks Tech Support for debugging purposes. For details, see "/maint/tsdmp" (page 473).

pttsdmp <hostname filename -tftp|username password> [-mgmt|-data]

Upload tech support dump using FTP/TFTP. For details, see "/maint/pttsdmp" (page 473).

sslrst

Reset the SSL card. For details, see "/maint/sslrst" (page 473).

/maint/sys
System Maintenance Options

This menu is reserved for use by Nortel Networks Customer Support group. The options are used to perform system debugging.

[System Maintenance Menu]
flags - Set NVRAM flag word
sfpinfo - Show SFP information

System Maintenance Menu Options (/maint/sys)

Command Syntax and Usage

flags <new NVRAM flags word as 0xXXXXXXXX>

This command sets the flags that are used for debugging purposes by Tech support group.

sfpinfo <port_number>

Show the SFP information. For example:

>> System Maintenance# sfpinfo 1
Probing SFP on port 1 - please wait
Invalid: Port 1 does not support SFP’s

/maint/fdb Forwarding Database Options

Page 466: 24.0.0 Command Reference

[FDB Manipulation Menu]
    find - Show a single FDB entry by MAC address
    port - Show FDB entries for a single port
    trunk - Show FDB entries on a single trunk
    vlan - Show FDB entries for a single VLAN
    refpt - Show FDB entries referenced by a single port
    dump - Show all FDB entries
    del - Delete an FDB entry
    clear - Clear entire FDB

The Forwarding Database Manipulation Menu can be used to view information and to delete a MAC address from the forwarding database or clear the entire forwarding database. This is helpful in identifying problems associated with MAC address learning and packet forwarding decisions.

FDB Manipulation Menu Options (/maint/fdb)

Command Syntax and Usage

find <MAC address> [ <VLAN> ]

Displays a single database entry by its MAC address. You are prompted to enter the MAC address of the device. Enter the MAC address using the xx:xx:xx:xx:xx:xx format (such as 08:00:20:12:34:56) or xxxxxxxxxxxx format (such as 080020123456).

port <port number, 0 for unknown>

Displays all FDB entries for a particular port. Use "0" for unknown port number.

trunk <trunk number (1-12)>

Displays all FDB entries for the specified trunk group.

vlan <VLAN number (1-4090)>

Displays all FDB entries on a single VLAN.

refpt <SP number (1-4)>

Displays all FDB entries referenced by a single port.

dump

Displays all entries in the Forwarding Database. For details, see "/info/l2" (page 68).

del <MAC address> [ <VLAN number> ]

Removes a single FDB entry.

clear

Clears the entire Forwarding Database from switch memory.

Page 467: 24.0.0 Command Reference

/maint/arp ARP Cache Options

[Address Resolution Protocol Menu]
    find - Show a single ARP entry by IP address
    port - Show ARP entries on a single port
    vlan - Show ARP entries on a single VLAN
    refpt - Show ARP entries referenced by a single SP
    dump - Show all ARP entries
    clear - Clear ARP cache
    addr - Show ARP address list

Address Resolution Protocol Menu Options (/maint/arp)

Command Syntax and Usage

find <IP address (such as, 192.4.17.101)>

Shows a single ARP entry by IP address.

port <port number>

Displays ARP entries on a single port. See "/maint/arp/port <port number> ARP Entries on a Single Port" (page 467) for a sample output.

vlan <VLAN number (1-4090)>

Shows ARP entries on a single VLAN.

refpt <SP number (1-4)>

Shows all ARP entries referenced by a single port.

dump

Shows all ARP entries.

clear

Clears the entire ARP list from switch memory.

addr

Shows the list of IP addresses which the switch will respond to for ARP requests.

/maint/arp/port <port number> ARP Entries on a Single Port

Page 468: 24.0.0 Command Reference

Note: To display all ARP entries currently held in the switch, or a portion according to one of the options listed on the menu above (find, port, vlan, refpt, dump), you can also refer to "ARP Information" on "/info/l3/arp" (page 85).

/maint/route IP Route Manipulation

[IP Routing Menu]
    find - Show a single route by destination IP address
    gw - Show routes to a single gateway
    type - Show routes of a single type
    tag - Show routes of a single tag
    if - Show routes on a single interface
    dump - Show all routes
    clear - Clear route table

IP Route Manipulation Menu Options (/maint/route)

Command Syntax and Usage

find <IP4 address (eg, 192.4.17.101)> | <IP6 address (eg, 3001:0:0:0:0:0:abcd:1234)>

Shows a single route by destination IP address.

gw <default gateway IP4 address (eg, 192.4.17.44)> <default gateway IP6 address (eg, 3001:0:0:0:0:0:abcd:1234)>

Shows routes to a default gateway.

type indirect|direct|local|broadcast|martian|multicast

Shows routes of a single type. For a description of IP routing types, see "IP Routing Type Parameters (/info/l3/route/dump/type)" (page 83).

tag fixed|static|addr|rip|ospf|bgp|broadcast|martian|vip

Shows routes of a single tag. For a description of IP routing tags, see "IP Routing Tag Parameters (info/l3/route/tag)" (page 83).

if <interface number (1-255)>

Shows routes on a single interface.

dump

Shows all routes.

clear

Clears the route table from switch memory.

Page 469: 24.0.0 Command Reference

Note: To display all routes, you can also refer to "IP Routing Information" on "/info/l3/route/dump" (page 83).

/maint/ip6 IPv6 Manipulation Menu

[IP6 Menu]
    nbrcache - Neighbor Cache Manipulation Menu

IPv6 Manipulation Menu Options

Command Syntax and Usage

nbrcache

Opens the Neighbor Cache menu whose only option is the clear command. This command is used to clear the IPv6 Neighbor Cache table.

/maint/debug Debugging Options

[Miscellaneous Debug Menu]
    tbuf - Show MP trace buffer
    sptb - Show SP trace buffer
    spall - Show All SPs trace buffers
    clrcfg - Clear all flash configs
    portmap - Show port-SP-MAC mapping
    vmasp - Show designated SP for source IP address
    vmasp6 - Show designated SP for IP6 address

The Miscellaneous Debug Menu displays trace buffer information about events that can be helpful in understanding switch operation. You can view the following information using the debug menu:

• Events traced by the Management Processor (MP)

• Events traced by the Switch Processor (SP)

• Events traced to a buffer area when a reset occurs

If the switch resets for any reason, the MP trace buffer and SP trace buffers are saved into the snap trace buffer area. The output from these commands can be interpreted by the Nortel Networks Customer Support division.

Miscellaneous Debug Menu Options (/maint/debug)

Command Syntax and Usage

tbuf

Page 470: 24.0.0 Command Reference

Displays the Management Processor trace buffer. Header information similar to the following is shown:

    MP trace buffer at 13:28:15 Fri May 25, 2001; mask: 0x2ffdf748

The buffer information is displayed after the header.

sptb <port number (1-4)>

Displays the Switch Processor trace buffer. Header information similar to the following is shown:

    SP 1 trace buffer at 10:56:35 Tue Jul 30, 2002; mask: 0x00800008

The buffer information is displayed after the header.

spall

Displays the Switch Processor trace buffer. Header information similar to the following is shown:

    SP 1 trace buffer at 10:56:35 Tue Jul 30, 2002; mask: 0x00800008

The buffer information is displayed after the header. Displays all SP trace buffers.

clrcfg

Deletes all flash configuration blocks.

portmap

Show port to SP to MAC mapping.

vmasp <source IP address> [<destination IP address> if VMA with destination IP address is enabled]

Displays the assigned SP (Switch Processor) for a source IP addressand a destination IP address when VMA with destination IP is enabled.

vmasp6 <IP_address>

Show designated SP for IP6 address.

/maint/uudmp Uuencode Flash Dump

Using this command, dump information is presented in uuencoded format. This format makes it easy to capture the dump information as a file or a string of characters. You can then contact Nortel Networks Customer Support for help analyzing the information.

If you want to capture dump information to a file, set your communication software on your workstation to capture session data prior to issuing the uudmp command. This will ensure that you do not lose any information. Once entered, the uudmp command will cause approximately 23,300 lines of data to be displayed on your screen and copied into the file.

Using the uudmp command, dump information can be read multiple times. The command does not cause the information to be updated or cleared from flash memory.

Page 471: 24.0.0 Command Reference

Note: Dump information is not cleared automatically. In order for any subsequent dump information to be written to flash memory, you must manually clear the dump region. For more information on clearing the dump region, see "/maint/cldmp Clearing Dump Information" (page 471).

To access dump information, at the Maintenance# prompt, enter:

Maintenance# uudmp

The dump information is displayed on your screen and, if you have configured your communication software to do so, captured to a file. If there is a dump available, the system prompts as follows:

    Maintenance# uu
    Enter region to dump [main/bkp]: main
    Dumping main region:
    Use ’ptdmp’ to extract panic dumps.
    Confirm proceed with large dump (15000 lines) [y/n]:

If the dump region is empty, the following message appears:

No FLASH dump available.
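The capture-then-analyze workflow above, as an added example that is not part of the Nortel manual or its tooling: a Python helper that pulls the uuencoded block out of a captured terminal session, decodes it, and returns a SHA-256 digest so the dump can be checked for truncation or corruption before it is handed on. It assumes standard uuencode `begin`/`end` framing, which the manual does not show; the file name `flashdump.bin` and the capture text are constructed.

```python
import binascii
import hashlib
import re

# Assumption: the dump body uses classic uuencode framing ("begin <mode> <name>"
# ... "end"). The manual does not show the body, so this framing is not from the page.
BEGIN_RE = re.compile(r"^begin\s+[0-7]{3,4}\s+(\S+)\s*$")


class DumpCaptureError(ValueError):
    """The session capture does not hold one complete, intact uuencoded dump."""


def extract_uudump(capture_text):
    """Return (name, payload, sha256_hex) for the first uuencoded block.

    Prompts and banners before 'begin' and after 'end' are ignored.
    Raises DumpCaptureError for a missing, corrupt or truncated block.
    """
    name = None
    payload = bytearray()
    for lineno, line in enumerate(capture_text.splitlines(), 1):
        if name is None:
            match = BEGIN_RE.match(line)
            if match:
                name = match.group(1)
            continue
        if line.strip() == "end":
            return name, bytes(payload), hashlib.sha256(payload).hexdigest()
        if not line.strip():
            continue  # blank lines added by the terminal carry no data
        try:
            payload += binascii.a2b_uu(line.encode("ascii"))
        except (binascii.Error, UnicodeEncodeError) as exc:
            raise DumpCaptureError(
                f"line {lineno}: corrupt uuencoded data ({exc})") from exc
    if name is None:
        raise DumpCaptureError("no 'begin' line found in capture")
    raise DumpCaptureError("capture ends before 'end' line; session log truncated")


def build_constructed_capture(payload, truncated=False):
    """Build a CONSTRUCTED session log: the page's prompts around a uuencoded body."""
    body = [binascii.b2a_uu(payload[i:i + 45]).decode("ascii").rstrip("\n")
            for i in range(0, len(payload), 45)]
    lines = ["Maintenance# uudmp",
             "Enter region to dump [main/bkp]: main",
             "Dumping main region:",
             "Confirm proceed with large dump (15000 lines) [y/n]: y",
             "begin 644 flashdump.bin",  # hypothetical file name
             *body,
             "`"]                        # zero-length line that precedes 'end'
    if not truncated:
        lines += ["end", "Maintenance# "]
    return "\r\n".join(lines) + "\r\n"   # terminal captures usually use CRLF


if __name__ == "__main__":
    sample = bytes(range(256)) * 4       # constructed stand-in for dump contents
    name, data, digest = extract_uudump(build_constructed_capture(sample))
    print(f"{name}: {len(data)} bytes, sha256={digest}")
```

Record the digest alongside the saved capture; a session log that was cut off before the `end` line is rejected rather than silently decoded as a short dump.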

/maint/ptdmp <server filename> System Dump Put

Use this command to put (save) the system dump to a TFTP or FTP server.

Note: If the TFTP or FTP server is running SunOS or the Solaris operating system, the specified ptdmp file must exist prior to executing the ptdmp command, and must be writable (set with proper permission, and not locked by any application). The contents of the specified file will be replaced with the current dump data.

To save dump information via TFTP or FTP, at the Maintenance# prompt, enter:

    Maintenance# ptdmp hostname filename -tftp|username password [-mgmt|-data]

Where server is the TFTP or FTP server IP address or hostname, and filename is the target dump file.

/maint/cldmp Clearing Dump Information

Page 472: 24.0.0 Command Reference

To clear dump information from flash memory, at the Maintenance# prompt, enter:

Maintenance# cldmp

The switch clears the dump region of flash memory and displays the following message:

FLASH dump region cleared.

If the flash dump region is already clear, the switch displays the following message:

FLASH dump region is already clear.

/maint/lsdmp

Use the /maint/lsdmp command to view dump statistics. For example:

    >> Maintenance# lsdmp
    The main dump was saved at 8:12:58 Fri Jun 3, 2005.
    A backup dump was saved at 14:47:31 Mon Jun 20, 2005.

/maint/panic Panic Command

The panic command causes the switch to immediately dump state information to flash memory and automatically reboot.

To select panic, at the Maintenance# prompt, enter:

    >> Maintenance# panic
    A FLASH dump already exists.
    Confirm replacing existing dump and reboot [y/n]:

Enter y to confirm the command:

Confirm dump and reboot [y/n]: y

The following messages are displayed:

Page 473: 24.0.0 Command Reference

    Loading Image:..........
    Alteon Application Switch 2424
    Rebooted because of Software PANIC.
    Booting complete 19:15:23 Thu Jan 9, 2003:
    Version 20.2.7 from FLASH image1, active config block.
    Jan 9 19:15:32 NOTICE system: link up on port 25
    Enter password:

/maint/tsdmp

Use the /maint/tsdmp command to dump all dump information that can be used for technical support. For example:

    >> Maintenance# tsdmp
    Confirm dumping all information, statistics, and configuration [y/n]:

/maint/pttsdmp

Use the /maint/pttsdmp command to upload a technical support dump using an FTP or TFTP connection. The dump was performed earlier using the /maint/tsdmp command. For example:

    >> Maintenance# ? pttsdmp
    Usage: pttsdmp hostname filename -tftp|username password [-mgmt|-data]
    >> Maintenance# pttsdmp
    Enter hostname or IP address of FTP/TFTP server: 0.0.0.0
    Enter name of file on FTP/TFTP server: dump.txt
    Enter username for FTP server or hit return for TFTP server: username
    Enter password for username on FTP server:
    Connecting to 0.0.0.0.....

/maint/sslrst

Use the /maint/sslrst command to reset the switch SSL card.

Unscheduled System Dumps

If there is an unscheduled system dump to flash memory, the following message is displayed when you log on to the switch:

Page 474: 24.0.0 Command Reference

Note: A system dump exists in FLASH. The dump was saved at 19:15:23 Thu Jan 9, 2003. Use /maint/uudmp to extract the dump for analysis and /maint/cldmp to clear the FLASH region. The region must be cleared before another dump can be saved.

Page 475: 24.0.0 Command Reference

The SSL Processor Menu

The SSL Menu is used to connect to the SSL processor.

Note: To use the SSL Processor Menu, you must be logged in to the processor as the administrator.

Login to the SSL processor

Log into the SSL Processor as described in the following paragraphs.

Go to the main menu and enter the SSL processor level.

Enter the appropriate account information to log on to the processor.

Page 476: 24.0.0 Command Reference

Note: Help information on specific commands uses the command "help", and not the "?" symbol used at other directory levels. The command must also be spelled out in full. For example, to request help on the "apply" command enter:

    SSL >> Main# help diff
    Show any pending configuration changes.

/ssl SSL Processor Menu

[Main Menu]

info - Information menu

stats - Statistics menu

cfg - Configuration menu

boot - Boot menu

maint - Maintenance menu

diff - Show pending config changes [global command]

apply - Apply pending config changes [global command]

revert - Revert pending config changes [global command]

paste - Restore saved config with key [global command]

help - Show command help [global command]

exit - Exit [global command, always available]

Page 477: 24.0.0 Command Reference

FDB Manipulation Menu Options (/maint/fdb)

Command Syntax and Usage

info

Go to the Information level of the SSL Processor menu. For details, see "/ssl/info SSL Performance information menu" (page 477).

stats

Go to the Statistics level of the SSL Processor menu. For details, see "/ssl/info/events SSL Performance Menu" (page 482).

cfg

Go to the Configuration level of the SSL Processor menu. For details, see "/ssl/stats/ipsec IPSEC Statistics menu" (page 486).

boot

Go to the Boot level of the SSL Processor menu. For details, see "/ssl/boot SSL Boot Menu" (page 582).

maint

Go to the Maintenance level of the SSL Processor menu. For details, see "/ssl/maint SSL Performance Maintenance Menu" (page 584).

diff

Shows any pending configuration changes. For example:

    SSL >> Main# diff
    Configuration/Certificate menu: new child "1" created

apply

Applies pending configuration changes.

revert

Remove pending configuration changes. Use this command to undo configuration parameters set since last apply command. For example:

paste

Lets you restore a saved configuration that includes private keys. Before pasting the configuration, you need to provide the password phrase you specified when selecting to include the private keys in the configuration dump.

help

Displays a summary of the global commands.

exit

Leave the SSL Processor menu.

/ssl/info SSL Performance information menu

Page 478: 24.0.0 Command Reference

[Information Menu]
    servers - Show configured SSL servers
    certs - Show configured certificates
    hsm - Show local HSM information
    sslvpn - Show configured VPNs
    users - Show logged in SSL VPN portal users
    ipsec - Show logged in IPSEC users
    ippool - Show ip pool allocations
    ip - Find information about an IP address
    sys - Show system configuration
    licenses - Show SSL VPN portal license usage
    access - Print the access rules of an SSL VPN portal user
    kick - Kick an SSL VPN portal user
    isdlist - Show all iSDs and their operational status
    local - Show local iSD information
    ethernet - Show local ethernet status information
    ports - Show local port(s) information
    events - Inspect Events menu

Address Resolution Protocol Menu Options (/maint/arp)

Command Syntax and Usage

servers

Displays the current SSL server settings, including SSL specific settings for each configured virtual SSL server.

certs

Displays the certificate name, serial number, expiration date, and key size for each installed certificate. Information related to the subject of the certificate is also displayed. For example:

    Certificate 1:
    Certificate name =
    No certificate information.
    Validate: key or certificate not defined.
    No key has been defined.
    No key has been defined.

    Revocation:
    Automatic CRL:
    URL to retrieve CRL from =
    LDAP DN used for bind/authentication =
    Password to use when to authenticate =
    Refresh interval = 1d
    List of accepted signers of CRLs =
    Enable automatic retrieval = disabled

Page 479: 24.0.0 Command Reference

hsm

Displays information related to the HSM card(s) on the iSD310-SSL FIPS device to which you are currently connected. Information about the current security mode (Extended Security mode or FIPS mode) in the iSD310-SSL FIPS cluster is displayed, as well as user login information (SO or USER) for each HSM card on the iSD310-SSL FIPS device.

HSM information is only displayed when you are using the iSD310-SSL FIPS model.

sslvpn

Show the configured VPNs.

users

Shows all logged in VPN portal users. For example:

Number of currently logged in users: 0

    VPN Id User Login Source IP AccessGroup:Profile...Variables...
    ------ ---- ----- --------- ----------------------

ipsec [ vpnid [ prefix ]]

Show number of IPSEC users logged-in. For example:

Number of active ipsec sessions for all VPNs: 0

ippool [ vpnid ]

Displays the IP pool allocations.

ip <IP_address>

Display information about a specific IP address. For example:

    SSL >> Information# ip
    Enter IP to search for: 0.0.0.0
    IP 0.0.0.0 not allocated from IP pool

sys

Shows the system configuration. For example (in part):

Page 480: 24.0.0 Command Reference

    System:
    Management IP (MIP) address = 10.10.10.72

    iSD Host 1:
    Type of the iSD = master
    IP address = 10.10.10.71
    License =
    IPSEC user sessions: 10
    TPS: 300
    SSL user sessions: 10
    Default gateway address = 10.10.10.69
    Ports = 1
    Hardware platform = 2424S

    Host Routes:
    No items configured

    Host Interface 1:
    IP address = 10.10.10.71
    Network mask = 255.255.255.0
    Default gateway address = 0.0.0.0
    VLAN tag id = 0
    Mode = failover

    Host Interface Routes:
    No items configured

    Interface Ports:
    1
    .
    .
    .

licenses [ vpn_ID ]

Show the SSL VPN port licenses. For example:

    Global License Pools VPN Used Size
    ------------------------------------------------------
    SSL - 0 10
    IPSEC - 0 10

access <vpnid username>

Display the access rules for an SSL Portal user.

kick <vpnid username>

Kick an SSL VPN user.

isdlist

Page 481: 24.0.0 Command Reference

Displays the IP addresses, master/slave assignments, CPU usage, memory usage, and operational status for all the iSDs in the cluster. An asterisk (*) in the MIP column indicates which iSD in the cluster is currently in control of the Management IP. An asterisk (*) in the Local column indicates the particular iSD to which you have connected. For example:

    SSL >> Information# isdlist
    IP addr type MIP Local cpu(%) mem(%) op
    10.10.10.71 master * * 2 52 up

local

Displays the current software version, iSD hardware platform, up time (since last boot), IP address, and Ethernet MAC address for the particular iSD host to which you have connected. If you have connected to the MIP address, the information displayed relates to the iSD host in the cluster that currently is in control of the MIP. For example:

    SSL >> Information# local
    Alteon iSD SSL
    Hardware platform: 2424S
    Software version: 5.0.0.34
    Up time: 11 days 1 hour 52 minutes
    IP address: 10.10.10.71
    MAC address: 00:01:81:2e:bc:6f

ethernet

Displays statistics for the Ethernet network interface card (NIC) on the particular iSD host to which you have connected. If you have connected to the MIP address, the information displayed relates to the iSD host in the cluster that currently is in control of the MIP. If more than one network is configured in the cluster, ethernet statistics for the respective network are displayed.

• RX packets: the total number of received packets

• TX packets: the total number of transmitted packets

• errors: packets lost due to error

• dropped: error due to lack of resources

• overruns: error due to lack of resources

• frame: error due to malformed packets

• carrier: error due to lack of carrier

• collisions: number of packet collisions

Note: A non-zero collision value may indicate an incorrect configuration of the Ethernet autonegotiation.

Page 482: 24.0.0 Command Reference

For example:

    I/f 1: RX packets:3438 errors:0 dropped:0 overruns:0 frame:0
    I/f 1: TX packets:2738 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
    I/f 1: RX bytes:220060 (214.9 Kb) TX bytes:205486 (200.6 Kb)

ports

Displays the status of the local Ethernet interface (NIC) ports on the particular iSD host to which you have connected. If you have connected to the MIP address, the information displayed relates to the iSD host in the cluster that currently is in control of the MIP.

For each port, link status (up/down) and Ethernet autonegotiation setting (on/off) are shown. If the link is up, current values for speed (10/100/1000) and duplex mode (half/full) are also shown. If the link is down and autonegotiation is set to off, the configured values for speed and duplex mode are shown instead.

For example:

    SSL >> Information# ports
    Port 1: link = up, autoneg = on, speed = 1000, mode = full

events

Go to the Inspect events menu. For details, see "/ssl/info/events SSL Performance Menu" (page 482).

/ssl/info/events SSL Performance Menu

[Events Menu]

alarms - List all pending alarms

download - Dump the event log file to a TFTP/FTP/SFTP server

SSL Performance Menu Options

Command Syntax and Usage

alarms

Page 483: 24.0.0 Command Reference

Displays all alarms in the active alarm list by their main attributes: severity level, alarm ID number, date and time when triggered, alarm name, sender, and cause.

download <protocol IP_address> | <hostname filename>

Transmits the event log file from the iSD cluster to a file on a TFTP server. Specify the IP address or host name of the TFTP server, as well as a file name.

/ssl/stats SSL Performance Statistics menu

[Statistics Menu]
    sslstats - SSL stats
    ipsec - IPSEC stats
    aaa - AAA specific statistics
    dump - Dump all information

IP Route Manipulation Menu Options (/maint/route)

Command Syntax and Usage

sslstats

Go to the SSL statistics menu. To view menu options, see "/ssl/stats/sslstats SSL Performance Menu" (page 483).

ipsec

Go to the IPSEC statistics menu. To view menu options, see "/ssl/stats/ipsec IPSEC Statistics menu" (page 486).

aaa

Go to the AAA specific statistics. To view menu options, see "/ssl/stats/aaa AAA Statistics Menu" (page 490).

dump

Displays cluster-wide SSL statistics for each virtual SSL server in the cluster, as well as the number of active request sessions, and the total number of completed request sessions. The total number of initiated SSL client connections, and the total number of established SSL client connections as accumulated values for all virtual SSL servers in the cluster are also displayed. Histograms, however, are not included in the output.

/ssl/stats/sslstats SSL Performance Menu

Page 484: 24.0.0 Command Reference

[SSL stats Menu]

vpn - Cluster SSL VPN statistics

server - Cluster SSL Server statistics

local - Local statistics for each isdhost

clear - Clear all statistics for all IPs

activesess - Number of currently active request sessions

totalsess - Total completed request sessions

sslaccept - Total completed SSL accept

sslconnect - Total completed SSL connect

tpshisto - Cluster-wide TPS histograms for all servers

clihisto - Cluster wide client data histograms for all servers

srvhisto - Cluster wide server data histograms for all servers

SSL Performance Menu Options

Command Syntax and Usage

vpn <VPN_number>

Displays the cluster-wide statistics for SSL VPN.

server <server_number>

Displays the cluster-wide statistics for SSL servers.

local

Go to the Local SSL Statistics Menu. To view menu options, see "/ssl/stats/sslstats/local SSL Performance SSL Local Statistics Menu" (page 485).

clear

Erase all statistics for all IPs.

activesess

Display the number of currently active requests. For example:

active_sessions : 0

totalsess

Display the total number of completed request sessions.

sslaccept

Display the total number of completed SSL request sessions.

sslconnect

Page 485: 24.0.0 Command Reference

Display the total number of successful SSL connections.

tpshisto

Display the total number of cluster-wide TPS histograms for all servers.

clihisto

Display the total number of cluster-wide client data histograms for all servers.

srvhisto

Display the total number of cluster-wide server data histograms for all servers.

/ssl/stats/sslstats/local SSL Performance SSL Local Statistics Menu

SSL Performance: SSL Local Statistics Menu Options

Command Syntax and Usage

isdhost <host_number>

Go to the ISD local SSL Statistics Menu. To view menu options, see "/ssl/stats/sslstats/local/isdhost SSL Performance: Single ISD SSL Statistics Menu" (page 486).

overview

Display an overview of the isdhost local statistics.

tpshisto

Display ISD local TPS histograms for all servers/ISDs.

clihisto

Display ISD local client data histograms for all servers and ISDs.

srvhisto

Display ISD local server data histograms for all servers and ISDs.

license

Page 486: 24.0.0 Command Reference

Display local ISD license statistics. For example:

    **** License stats at ISD number ’1’ ****
    License Limit reached times
    tps {ok,0}

dump

Display all local statistical information.

/ssl/stats/sslstats/local/isdhost SSL Performance: Single ISD SSL Statistics Menu

[Single ISD SSL Stats 1 Menu]

server - ISD local SSL server stats

tpshisto - ISD local TPS histograms for all servers

clihisto - ISD local client byte/s histograms for all servers

srvhisto - ISD local server byte/s histograms for all servers

dump - Dump all information

SSL Performance: Single ISD SSL Statistics Menu Options

Command Syntax and Usage

server

Displays statistics for the local ISD SSL server.

tpshisto

Displays ISD local TPS histograms for all servers.

clihisto

Displays ISD local client data histograms for all servers.

srvhisto

Displays ISD local server histograms for all servers.

dump

Displays all statistical information.

/ssl/stats/ipsec IPSEC Statistics menu

Page 487: 24.0.0 Command Reference

[IPSEC stats Menu]

vpn - Cluster IPSEC Server statistics

local - Local statistics for each isdhost

clear - Clear all ipsec statistics for all IPs

activesess - Number of currently active ipsec sessions

totalsess - Total completed ipsec sessions

failedsess - Total failed ipsec sessions

enctot - Total encoded kBytes

enc - Encoded kB/sec last minute

dectot - Total decoded kBytes

dec - Decoded kB/sec last minute

sesshisto - Cluster-wide ipsec session histograms for all servers

enchisto - Cluster-wide ipsec encrypt histograms for all servers

dechisto - Cluster-wide ipsec decrypt histograms for all servers

IPSEC Statistics Menu Options

Command Syntax and Usage

vpn <VPN_number>

Displays cluster IPSEC server statistics.

local

Go to the local statistics menu. To view menu options, see "/ssl/stats/ipsec/local SSL Performance: Local IPSEC Statistics Menu" (page 488).

clear

Clear all IPSEC statistics.

activesess

Display the number of currently active IPSEC sessions.

totalsess

Display the number of completed IPSEC sessions.

failedsess

Display the number of failed IPSEC sessions.

enctot

Display the total number of encoded kBytes.

Page 488: 24.0.0 Command Reference

enc

Display the total number of encoded kBytes in the last 60 seconds.

dectot

Display the total number of decoded kBytes.

dec

Display the total number of decoded kBytes in the last 60 seconds.

sesshisto

Display the Cluster-wide ipsec session histograms for all servers.

enchisto

Display the Cluster-wide ipsec encrypt histograms for all servers.

dechisto

Display the Cluster-wide ipsec decrypt histograms for all servers.

/ssl/stats/ipsec/local SSL Performance: Local IPSEC Statistics Menu

[Local IPSEC Statistics Menu]

isdhost - ISD local IPSEC server statistics menu

sesshisto - ISD local ipsec session histograms for all VPNs/ISDs

enchisto - ISD local ipsec encrypt histograms for all VPNs/ISDs

dechisto - ISD local ipsec decrypt histograms for all VPNs/ISDs

dump - Dump all information

SSL Performance: Local IPSEC Statistics Menu Options

Command Syntax and Usage

isdhost

Go to the ISD Local IPSEC server statistics menu. To view menuoptions, see "/ssl/stats/ipsec/local/isdhostSSL Performance: SingleIPSEC ISD Statistics Menu" (page 489).

sesshisto

Displays the local IPSEC session histograms for all VPNs and ISDs.

enchisto

Displays the local IPSEC encryption histograms for all VPNs and ISDs.

dechisto

Displays the local IPSEC decryption histograms for all VPNs and ISDs.

dump

Display all IPSEC statistical information.

/ssl/stats/ipsec/local/isdhost SSL Performance: Single IPSEC ISD Statistics Menu

SSL Performance: Single IPSEC ISD Statistics Menu Options

Command Syntax and Usage

vpn <VPN_number>

Display the ISD local IPSEC server statistics.

activesess

Display the locally active IPSEC sessions for all VPNs.

totalsess

Display the total of locally active IPSEC sessions for all VPNs.

failedsess

Display the failed IPSEC sessions for all VPNs.

enctot

Display the total kBytes encoded for all VPNs.

enc

Display the locally encoded kBytes for all VPNs.

dectot

Display the total kBytes decoded for all VPNs.

dec

Display the locally decoded kBytes for all VPNs.

sesshisto

Display the ISD local IPSEC session histograms for all VPNs.

enchisto

Display the ISD local IPSEC encrypted histograms for all VPNs.

dechisto

Display the ISD local ipsec decrypt histograms for all VPNs.

dump

Display all ISD statistics.

/ssl/stats/aaa AAA Statistics Menu

[AAA Statistics Menu]

total - Cluster-wide authentication statistics (per VPN)

isdhost - ISD local authentication statistics (per VPN)

dump - Dump all information

AAA Statistics Menu Options

Command Syntax and Usage

total <VPN_ID>

Display the Cluster-wide authentication statistics for each VPN.

isdhost </cfg/sys/host number>

Display the ISD local authentication statistics for each VPN.

dump

Display all AAA statistics.

/ssl/cfg SSL Performance Configuration Menu

[Configuration Menu]
ssl - SSL offload menu
cert - Certificate menu
vpn - VPN menu
test - Create test vpn, portal and certificate
quick - Quick vpn setup wizard
sys - System-wide parameter menu
lang - Language support
ptcfg - Backup configuration to TFTP/FTP/SCP/SFTP server
gtcfg - Restore configuration from TFTP/FTP/SCP/SFTP server
dump - Dump configuration on screen for copy-and-paste

SSL Performance Configuration Menu Options

Command Syntax and Usage

ssl

Go to the SSL offload menu. To view menu options, see "/ssl/cfg/ssl SSL Configuration Server Menu" (page 492).

cert

Go to the Certificate menu. To view menu options, see "/ssl/cfg/ssl/server/trace SSL Configuration Server-specific Trace Menu" (page 495).

vpn

Go to the VPN menu. To view menu options, see "/ssl/cfg/vpn SSL VPN Configuration Menu" (page 512).

test

Create a test VPN, portal and certificate. For example:

SSL >> Configuration# test
Enter virtual IP address of test portal: 0.0.0.0
VPN user name: Test_vpn
VPN password: smith
Do you want to configure IPsec? (yes/no) [no]: n
Do you want to configure Netdirect? (yes/no) [no]: n
Creating VPN 1
Creating Linkset 1
Name: base-links
Creating Authentication 1
Calling /cfg/vpn 1/aaa/auth 1/local/add Test_vpn smith test
Creating Group 1
Name: test
Creating Access rule 1
Added base-links to linkset
Created /cfg/cert 2
Use ’apply’ to activate.

quick

Create a VPN configuration using command prompts.

sys

Go to the System-wide parameter menu. To view menu options, see "/ssl/cfg/lang SSL Configuration Language Support Menu" (page 582).

lang

Go to the Language Support menu. To view menu options, see "/ssl/boot SSL Boot Menu" (page 582).

ptcfg

Saves the current configuration, including private keys and certificates, to a TFTP server. The configuration can later be restored by using the gtcfg command. You are required to specify a password phrase before the information is sent to the TFTP server.

If you restore the configuration by using the gtcfg command, you will be prompted for the password phrase you have specified. The password phrase is used to protect the private keys in the configuration.

Note 1: If you have fully separated the Administrator user role from the Certificate Administrator user role, the export passphrase defined by the certificate administrator is used to protect the private keys in the configuration - transparently to the user. When a configuration backup is restored by using the gtcfg command, the certificate administrator must enter the correct passphrase.

Note 2: When using the ptcfg command on an iSD310-SSL FIPS, private keys are encrypted using the wrap key that was generated when the first HSM card in the cluster was initialized.

gtcfg

Restores a configuration, including private keys and certificates, from a TFTP server. You need to provide the password phrase you specified when saving the configuration to the TFTP server.

Note: If you have fully separated the Administrator user role from the Certificate Administrator user role (by removing the admin user from the certadmin group), the certificate administrator must enter the passphrase that was defined by him or her using the /cfg/sys/user/caphrase command.

dump

Display the configuration on-screen for a copy and paste operation.

/ssl/cfg/ssl SSL Configuration Server Menu

[SSL Menu]
server - SSL server menu
test - Create test server and certificate
quick - Quick server setup wizard

SSL Configuration Server Menu Options

Command Syntax and Usage

server

Go to the SSL Server menu. To view menu options, see "/ssl/cfg/ssl/server SSL Configuration Server-specific Menu" (page 493).

test

Create a test VPN, portal and certificate. For example:

SSL >> Configuration# test
Enter virtual IP address of test portal: 0.0.0.0
VPN user name: Test_vpn
VPN password: smith
Do you want to configure IPsec? (yes/no) [no]: n
Do you want to configure Netdirect? (yes/no) [no]: n
Creating VPN 1
Creating Linkset 1
Name: base-links
Creating Authentication 1
Calling /cfg/vpn 1/aaa/auth 1/local/add Test_vpn smith test
Creating Group 1
Name: test
Creating Access rule 1
Added base-links to linkset
Created /cfg/cert 2
Use ’apply’ to activate.

quick

Create a VPN configuration using command prompts.

/ssl/cfg/ssl/server SSL Configuration Server-specific Menu

[Server 1 Menu]
name - Set server name
vips - Set IP addr(s) of server
standalone - Set standalone mode
port - Set listen port of server
rip - Set real server IP addr
rport - Set real server port
type - Set type (generic/http/socks)
proxy - Set transparent proxy mode (on/off)
trace - Traffic trace menu
ssl - SSL settings menu
tcp - TCP endpoint settings menu
adv - Advanced settings menu
del - Remove virtual server
ena - Enable virtual server
dis - Disable virtual server

SSL Configuration Server-specific Menu Options

Command Syntax and Usage

name <string>

Enter the name of the server.

vips <IP_address>

Enter the virtual IP address for the server.

standalone on|off

Set the standalone mode.

port <integer>

Set the listen port for the server.

rip <IP_address>

Set the actual server IP address.

rport <integer>

Set the actual server port number.

type <generic/http/socks>

Set the port type.

proxy on|off

Set the proxy mode.

trace

Go to the Trace menu. To view menu options, see "/ssl/cfg/ssl/server/trace SSL Configuration Server-specific Trace Menu" (page 495).

ssl

Go to the SSL Settings menu. To view menu options, see "/ssl/cfg/ssl/server/ssl SSL Configuration Server-specific SSL Menu" (page 495).

tcp

Go to the TCP endpoints menu. To view menu options, see "/ssl/cfg/ssl/server/tcp SSL Configuration Server-specific TCP Menu" (page 497).

adv

Go to the Advanced settings menu. To view menu options, see "/ssl/cfg/ssl/server/adv SSL Configuration Server-specific Advanced Menu" (page 498).

del

Remove the virtual server.

ena enabled|disabled

Enable the virtual server.

dis enabled|disabled

Disable the virtual server.

/ssl/cfg/ssl/server/trace SSL Configuration Server-specific Trace Menu

[Trace Menu]
ssldump - Create traffic dump
tcpdump - Create traffic dump
ping - Ping through backend interface
dnslookup - Lookup a name in DNS through backend interface
traceroute - traceroute through backend interface

SSL Configuration Server-specific Trace Menu Options

Command Syntax and Usage

ssldump

Create a traffic dump. Information on creating dump patterns can be found at http://www.tcpdump.org/tcpdump_man.html.

tcpdump

Create a traffic dump. Information on creating dump patterns can be found at http://www.tcpdump.org/tcpdump_man.html.

ping <hostname>

Use this command to verify station-to-station connectivity across the network.

dnslookup <hostname>

Lookup a hostname in DNS.

traceroute <hostname>

Use this command to identify the route used for station-to-station connectivity across the network.

/ssl/cfg/ssl/server/ssl

SSL Configuration Server-specific SSL Menu

SSL Configuration Server-specific SSL Menu Options

Command Syntax and Usage

cert unset|set

Create a server certificate.

cachesize <integer>

Set the SSL cache size.

cachettl <integer>

Set the SSL cache timeout (in seconds).

cacerts <integerlist>

Set the list of authorized signers of client certificates. Separate thesigner list using commas.

cachain <integerlist>

Set the list of CA chain certificates. Separate the list using commas.

protocol <issl2/ssl3/ssl23/tls1>

Set the protocol version.

verify <none|optional|require>

Set the verification level of the certificate.

ciphers

Set the cipher list. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms).

Each cipher string can be optionally preceded by the characters !, - or +. ! permanently deletes the ciphers from the list (e.g. !RSA). - deletes the ciphers from the list, but the ciphers can be added again by later options. + moves the ciphers to the end of the list. This option doesn’t add any new ciphers; it just moves matching existing ones.

Additionally the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.

ena <yes|no>

Enable SSL.

dis <yes|no>

Disable SSL.

/ssl/cfg/ssl/server/tcp SSL Configuration Server-specific TCP Menu

[TCP Settings Menu]
cwrite - Set client TCP write timeout
ckeep - Set client TCP keep alive timeout
swrite - Set server TCP write timeout
sconnect - Set server TCP connect timeout
csendbuf - Set client TCP send buffer size
crecbuf - Set client TCP receive buffer size
ssendbuf - Set server TCP send buffer size
srecbuf - Set server TCP receive buffer size

SSL Configuration Server-specific TCP Menu Options

Command Syntax and Usage

cwrite <integer>

Set the client TCP write timeout (in seconds, 1-2147483647).

ckeep <integer>

Set the client TCP keep alive timeout (in seconds, 1-2147483647).

swrite <integer>

Set the server TCP write timeout (in seconds, 1-2147483647).

sconnect <integer>

Set the server TCP connect timeout (in seconds, 1-2147483647).

csendbuf auto| <2000 to 100000>

Set the client TCP send buffer size (in bytes).

crecbuf auto| <2000 to 100000>

Set the client TCP receive buffer size (in bytes).

ssendbuf <generic/http/socks>

Set the server TCP send buffer size (in bytes).

srecbuf on|off

Set the server TCP receive buffer size (in bytes).

/ssl/cfg/ssl/server/adv SSL Configuration Server-specific Advanced Menu

[Advanced Settings Menu]
string - String menu
blockstrin - Set strings to block
loadbalanc - Load balancing menu
sslconnect - SSL connect menu

SSL Configuration Server-specific Menu Options

Command Syntax and Usage

string

Go to the String menu. To view the menu options, see "/ssl/cfg/ssl/server/adv/string SSL Configuration Server Advanced String Menu" (page 498).

blockstrin <string>

Set the strings to block, separated by commas.

loadbalanc

Go to the Load Balancing menu. To view the menu options, see "/ssl/cfg/ssl/server/adv/loadbalanc SSL Configuration Server Advanced Load Balancing Menu" (page 500).

sslconnect

Go to the SSL Connect menu. To view the menu options, see "/ssl/cfg/ssl/server/adv/loadbalanc/cookie SSL Configuration Server Advanced Load Balancing Cookie Men" (page 501).

/ssl/cfg/ssl/server/adv/string SSL Configuration Server Advanced String Menu

[LB String 1 Menu]
match - Set string to match
location - Set locations to perform the match in
icase - Set ignore case in to match
negate - Set negate the result of the match
del - Remove string

SSL Configuration Server-specific Menu Options

Command Syntax and Usage

match <string> |*

Enter the string to match. For example:

SSL >> LB String 1# match
Current value: not set
Enter match string (may contain *):

location <locationlist>

Set the match string locations, separated by commas.

Possible values are:

Macros

url, unknown, other, header

Methods

options, get, head, post, put, delete, trace, connect

Special

query, params, cookie-override

Headers

accept, accept-charset, accept-encoding, accept-language, accept-ranges, age, allow, authorization, cache-control, connection, content-base, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, cookie2, date, etag, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, keep-alive, last-modified, location, max-forwards, pragma, proxy-authenticate, proxy-authorization, proxy-connection, public, range, referer, retry-after, server, set-cookie, transfer-encoding, upgrade, user-agent, vary, via, warning, www-authenticate, x-forwarded-for, x-ssl

icase on|off

Set the string match as case respective yes (on) or no (off).

negate on|off

Set a negative match scheme. The current strings are excluded (on)or included (off).

del string <string_number>

Delete the string.

/ssl/cfg/ssl/server/adv/loadbalanc SSL Configuration Server Advanced Load Balancing Menu

[Load Balancing Settings Menu]
type - Set load balancing type
persistenc - Set persistence strategy
cookie - Cookie settings menu
metric - Set load balancing metric
health - Set health check type
script - Health check script menu
interval - Set health check interval (s)
remotessl - Remote SSL connect menu
backend - Backend servers menu
ena - Enable load balancing
dis - Disable load balancing

SSL Configuration Server Advanced Load Balancing Menu Options

Command Syntax and Usage

type all| <string>

Set the load balancing type.

persistenc none|cookie|session

Set the persistence strategy.

cookie

Go to the Cookie settings menu. To view the menu options, see "/ssl/cfg/ssl/server/adv/loadbalanc/cookie SSL Configuration Server Advanced Load Balancing Cookie Men" (page 501). Note that this menu is accessible only when persistenc is set to "cookie".

metric hash|roundrobin|leastconn

Set the load balancing metric.

health none|tcp|ssl|auto|script

Set the health check type.

script

Go to the health check script menu. To view the menu options, see "/ssl/cfg/ssl/server/adv/loadbalanc/script SSL Configuration Server Advanced Load Balancing Health Scr" (page 502).

interval <integer>

Set the health check interval.

remotessl

Go to the Remote SSL connection menu. To view the menu options, see "/ssl/cfg/ssl/server/adv/loadbalanc/remotessl SSL Configuration Server Advanced Load Balancing Remote " (page 503).

backend

Go to the Backend Servers menu. To view the menu options, see "/ssl/cfg/ssl/server/adv/loadbalanc/backend SSL Configuration Server Advanced Load Balancing Backend S" (page 505).

ena enable|disable

Enable load balancing.

dis enable|disable

Disable load balancing.

/ssl/cfg/ssl/server/adv/loadbalanc/cookie SSL Configuration Server Advanced Load Balancing Cookie Menu

[Cookie Settings Menu]
mode - Set cookie mode
name - Set cookie name
domain - Set cookie domain
expires - Set cookie expires
expiresdel - Set cookie expires delta
localvips - Configure other local VIPs
offset - Set cookie value offset
length - Set cookie value length

SSL Configuration Server Advanced Load Balancing Cookie Menu Options

Command Syntax and Usage

mode insert | passive | rewrite

Sets the cookie load balancing mode.

name <cookie_name>

Sets the cookie name.

domain <domain_name>

Sets the cookie domain name.

expires <date_time>

Sets the cookie expiration date and time.

expiresdel <0(session)-2147483647>

Sets the cookie expiration delta value.

localvips

Opens the Local VIPs menu. For more information on this menu, refer to "/ssl/cfg/ssl/server/adv/loadbalanc/cookie/localvips Local VIP Configuration Menu" (page 502).

offset <1-64>

Sets the cookie value offset.

length <0-64>

Sets the cookie length.

/ssl/cfg/ssl/server/adv/loadbalanc/cookie/localvips Local VIP Configuration Menu

[Local VIPs Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

Local VIP Configuration Menu

Command Syntax and Usage

list

Lists all configured values.

del <entry_index>

Deletes the entry indicated by the index value.

add <ip_address>

Adds an entry by IP address.

insert entry_index, ip_address

Adds an entry at a specific point by index and IP address.

move <source_index, destination_index>

Moves an entry from the source index to the destination index.

/ssl/cfg/ssl/server/adv/loadbalanc/script SSL Configuration Server Advanced Load Balancing Health Script Menu

[Health Check Script Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

SSL Configuration Server Advanced Load Balancing Health Script Menu Options

Command Syntax and Usage

list

Display all values.

del <index>

Delete a specific value.

add <command timeout argument>

Add a new health script.

insert <position command timeout argument>

Insert a new value.

move <value> <value>

Exchange one value for another.

/ssl/cfg/ssl/server/adv/loadbalanc/remotessl SSL Configuration Server Advanced Load Balancing Remote SSL Menu

[Remote SSL Connect Settings Menu]

protocol - Set protocol version

cert - Set client certificate

ciphers - Set accepted ciphers for ssl connect

verify - Verify server menu

SSL Configuration Server Advanced Load Balancing Remote SSL Menu Options

Command Syntax and Usage

protocol aissl2|ssl3|ssl23|tls1

Set the protocol version.

cert <integer, 1 to 1500>

Set the certificate number.

ciphers <string>

Set the accepted ciphers for SSL connection. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms).

Each cipher string can be optionally preceded by the characters !, - or +. ! permanently deletes the ciphers from the list (e.g. !RSA). - deletes the ciphers from the list, but the ciphers can be added again by later options. + moves the ciphers to the end of the list.

This option doesn’t add any new ciphers; it just moves matching existing ones. Additionally the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.

verify

Go to the Verify Server menu. To view the menu options, see "/ssl/cfg/ssl/server/adv/loadbalanc/remotessl/verify SSL Configuration Server Advanced Load Balancing " (page 504).
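The operator rules given for the ciphers option, both here and under /ssl/cfg/ssl/server/ssl, can be checked offline before a list is applied. The following Python model is an added example, not code from Nortel or the switch; the suite table, its tags and the function names are constructed for illustration, and the real candidate list comes from the device's SSL library.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    tags: frozenset   # keywords a cipher string can select on
    bits: int         # encryption key length, used by @STRENGTH


def _s(name, tags, bits):
    return Suite(name, frozenset(tags.split()), bits)


# Constructed candidate table (assumption): names follow common OpenSSL-style
# naming, tags are simplified. Deliberately not sorted by strength.
SUITES = [
    _s("RC4-MD5",         "SSLv3 TLSv1 RSA RC4 MD5", 128),
    _s("EXP-RC4-MD5",     "SSLv3 TLSv1 RSA RC4 MD5 EXPORT", 40),
    _s("AES256-SHA",      "SSLv3 TLSv1 RSA AES SHA1", 256),
    _s("DES-CBC-SHA",     "SSLv3 TLSv1 RSA DES SHA1", 56),
    _s("DES-CBC3-SHA",    "SSLv3 TLSv1 RSA 3DES SHA1", 168),
    _s("AES128-SHA",      "SSLv3 TLSv1 RSA AES SHA1", 128),
    _s("ADH-DES-CBC-SHA", "SSLv3 TLSv1 DH DES SHA1", 56),
    _s("RC4-SHA",         "SSLv3 TLSv1 RSA RC4 SHA1", 128),
]


def _matching(expr):
    """Suites carrying every keyword of an expression such as 'SHA1+DES'."""
    wanted = set(expr.split("+"))
    return [s for s in SUITES if wanted <= s.tags]


def expand(cipher_string):
    """Evaluate a colon-separated cipher list left to right; return suite names."""
    active, killed = [], set()
    for item in cipher_string.split(":"):
        item = item.strip()
        if not item:
            continue
        if item == "@STRENGTH":
            # Stable sort: strongest first, ties keep their current order.
            active.sort(key=lambda s: -s.bits)
            continue
        op = item[0] if item[0] in "!-+" else ""
        hits = _matching(item[len(op):])
        if op == "!":
            # Permanent delete: later items can never bring these back.
            killed.update(hits)
            active = [s for s in active if s not in hits]
        elif op == "-":
            # Delete, but a later item may add the suites again.
            active = [s for s in active if s not in hits]
        elif op == "+":
            # Move suites already in the list to the end; adds nothing new.
            moved = [s for s in active if s in hits]
            active = [s for s in active if s not in hits] + moved
        else:
            active += [s for s in hits if s not in active and s not in killed]
    return [s.name for s in active]


def below_strength(cipher_string, min_bits=128):
    """Names left enabled by cipher_string whose key length is under min_bits."""
    by_name = {s.name: s for s in SUITES}
    return [n for n in expand(cipher_string) if by_name[n].bits < min_bits]


if __name__ == "__main__":
    for cs in ("SHA1+DES", "SSLv3:!RSA:RSA", "SSLv3:-RSA:RSA",
               "SSLv3:+RC4", "SSLv3:!EXPORT:!DES:@STRENGTH"):
        print(f"{cs:32} -> {expand(cs)}")
    print("weak under SSLv3:!EXPORT:!MD5 ->", below_strength("SSLv3:!EXPORT:!MD5"))
```

Running below_strength against a proposed list shows which short-key suites survive it; in the last call above, excluding EXPORT and MD5 still leaves the two 56-bit DES suites enabled.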

/ssl/cfg/ssl/server/adv/loadbalanc/remotessl/verify SSL Configuration Server Advanced Load Balancing Remote SSL Verification Menu

[Remote SSL Connect Verify Settings Menu]
verify - Set certificate verification level
commonname - Set server common name
cacerts - Set list of accepted signers of server’s certificate

SSL Configuration Server Advanced Load Balancing Remote SSL Verification Menu Options

Command Syntax and Usage

verify none|require

Set the certificate verification level.

commonname <name>

Set the server common name. For example:

SSL >> Remote SSL Connect Verify Settings# commonname
Current value: [old_server_name]
Give common name of server: new_server_name

cacerts <integer_list>

Enter the certificate numbers, separated by commas.

/ssl/cfg/ssl/server/adv/loadbalanc/backend SSL Configuration Server Advanced Load Balancing Backend Server Menu

[Backend Server 1 Menu]
ip - Set IP addr of backend server
port - Set backend server port
sslconnect - Set perform SSL connect if enabled for server
remote - Set server is remote
rname - Set host name of remote server
remotessl - Set remote site is ssl
lbstrings - Set load balancing strings
lbop - Set string load balancing operation
del - Remove backend server
ena - Enable backend server
dis - Disable backend server

SSL Configuration Server Advanced Load Balancing Backend Server Menu Options

Command Syntax and Usage

ip <IP_address>

Set the IP address of the backend server.

port <port_number>

Set the backend server port number.

sslconnect <on|off>

Set the SSL connection option.

remote <true|false>

Set the server as remote, as required.

rname <hostname>

Set hostname of the remote server.

remotessl true|false

Set the remote site as SSL.

lbstrings <integers>

Set the load balance strings, separated by a comma.

lbop <any|all|one|none>

Set the string load balancing operation.

del

Remove the backend server.

ena enable|disable

Enable the backend server.

dis enable|disable

Disable the backend server.

/ssl/cfg/cert SSL Configuration Certificate Menu

[Certificate 1 Menu]
name - Set certificate name
cert - Set certificate
key - Set private key
revoke - Revocation menu
genkey - Generate private key
gensigned - Generate signed client/server certificate
request - Generate certificate request
sign - Sign a certificate request
test - Generate test certificate and key
import - Import key and certificate with TFTP/FTP/SCP/SFTP
export - Export certificate and key with TFTP/FTP/SCP/SFTP
display - Display certificate and key
show - Show certificate information
info - Show certificate short information
subject - Show certificate subject information
validate - Check if key and certificate match
keysize - Show key size
keyinfo - Show how key is stored
del - Remove certificate

SSL Configuration Certificate Menu Options

Command Syntax and Usage

name <string>

Enter the name of the certificate.

cert <pasted_certificate_content>

Paste the content of a copied certificate. For example:

Paste the certificate, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

key <pasted_key_content>

Paste the copied key. For example:

Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

revoke

Go to the Revoke menu. To view the menu options, see "/ssl/cfg/cert/revoke SSL Configuration Revoke Certificate Menu" (page 511).

genkey 512|1024|2048|4096

Generate a private key.

gensigned <key certificate_number>

Generate a certificate.

request

Generate a certificate request.

SSL >> Certificate 1# request
The combined length of the following parameters may not exceed 225 bytes.
Country Name (2 letter code): CA
State or Province Name (full name): Ontario
Locality Name (eg, city): Ottawa
Organization Name (eg, company): NoTel
Organizational Unit Name (eg, section): Maint
Common Name (eg, your name or your server’s hostname): NoTel-12
Email Address: [email protected]
Key size (512/1024/2048/4096) [1024]: 1024
Request a CA certificate (y/n) [n]: y
Specify challenge password (y/n) [n]: n
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

Use ’apply’ to store the private key in the iSD until the signed certificate is entered.
The private key will be lost unless you ’apply’ or save it elsewhere using ’export’.

sign <key certificate_number>

Sign a certificate.

test

Create a test certificate and key. For example:

SSL >> Certificate 1# test
The combined length of the following parameters may not exceed 225 bytes.
Country Name (2 letter code): CA
State or Province Name (full name): Ontario
Locality Name (eg, city): Ottawa
Organization Name (eg, company): NoTel
Organizational Unit Name (eg, section): Maint
Common Name (eg, your name or your server’s hostname): NoTel-12
Email Address: [email protected]
Valid for days [365]: 200
Valid for days [365]: 200
Key size (512/1024/2048/4096) [1024]: 1024
Test key and certificate added.
Use ’apply’ to activate.

import <proto server certfile>

Import a remote certificate and key. For example:

SSL >> Certificate 1# import
Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp
Enter hostname or IP address of server: NoTel-10
Enter filename on server: key_certificate2389
Retrieving key_certificate2389 from NoTel-10
Error: Host not found, FTP server not found, or connection rejected.

export <proto server certfile>

Export a key and certificate to a remote host. For example:

SSL >> Certificate 1# export
Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp
Enter hostname or IP address of server: NoTel-10
Enter export format (pem/der/net/pkcs12): pem
Enter export pass phrase: hidden_text
Reconfirm export pass phrase: hidden_text
Enter name of combined key and certificate file on remote host: key_cert_from_NoTel-12
Error: Host not found, FTP server not found, or connection rejected.

display

Display a certificate and key. For example:

-----BEGIN CERTIFICATE-----MIID3jCCA0egAwIBAgIBADANBgkqhkiG9w0BAQQFADCBgjELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTEOMAwGA1UEChMFTm9U..

show

Show certificate information.

info

Show short-form certificate information. For example:SSL >> Certificate 1# displayEncrypt private key (yes/no) [yes]: yesEnter export pass phrase: hidden_textReconfirm export pass phrase: hidden_textProc-Type: 4,ENCRYPTEDDEK-Info: DES-EDE3-CBC,8E1E1EB54398437B

1NngBGmeIGxhndoR3+F4DNmYNCtH6tbVMZmmTCAu0ee9Ss9vjy6N3jXgMUy8RnfV1dRLixDPlpAB5CwsSUBLROtvq6rhyZnwKbofz4UBon1tE33eX86uNrXGjdvPkfzDx8TrCXdcewY0W1xuPA6mnb0mHCn768fqoNd5YlXPMRbPrK/nTfvCHlfvVmHkzpw3BrvNfqVpdijQkdv+X53gn7DbYBsFYKSLsjyZ1Dst1JFDS5W594by1P7WseRYi4LqXPcmgZA7BtC5JV9d6Fwmd66Cois3WUxBtTeLJDFet6fr/9e3nXfa+pPyIgGGWAYE..

Nortel Application Switch Operating SystemCommand Reference

NN47220-105 (320506-D) 01.01 Standard24.0 28 January 2008

Copyright © 2008, Nortel Networks

.

Page 510: 24.0.0 Command Reference

510 The SSL Processor Menu

Command Syntax and Usage

.A9xlBRMYzppbzQVjjFK0maFRtuhIiEbexLJwTCEwfyVMk8juHvBWIQ==-----END RSA PRIVATE KEY-----

SSL >> Certificate 1# info
Serial number: 0 (0x0)
Expire: Jan 19 14:49:18 2006 GMT
Certificate subject:
C=CA
ST=Ontario
L=Ottawa
O=NoTel
OU=Maint
CN=NoTel-12/[email protected]

subject

Show certificate subject information. For example:

SSL >> Certificate 1# subject
Certificate subject:
C/countryName (2.5.4.6) = CA
ST/stateOrProvinceName (2.5.4.8) = Ontario
L/localityName (2.5.4.7) = Ottawa
O/organizationName (2.5.4.10) = NoTel
OU/organizationalUnitName (2.5.4.11) = Maint
CN/commonName (2.5.4.3) = NoTel-12
emailAddress/emailAddress (1.2.840.113549.1.9.1) = [email protected]

validate <matched_key> <matched_certificate>

Check if certificate and key are matched.

keysize

Display key size (in bytes).

keyinfo

Displays how the key is stored.

Page 511: 24.0.0 Command Reference

del

Delete the certificate and key. For example:

SSL >> Certificate 1# del
Certificate 1 will be deleted when changes are applied.

/ssl/cfg/cert/revoke
SSL Configuration Revoke Certificate Menu

[Revocation Menu]
add - Add decimal serial number to revocation list
addx - Add hex serial number to revocation list
del - Cancel revocation for a serial number
list - List revoked certificates
rev - Enter revocation list
import - Import revocation list with TFTP/FTP/SCP/SFTP
automatic - Automatic CRL retrieval menu

SSL Configuration Revoke Certificate Menu Options

Command Syntax and Usage

add <integer>

Add a decimal serial number to the revocation list.

addx <hexidecimal_number>

Add a hexadecimal number to the revocation list.

del <serial_number>

Cancel the revocation of a serial number.

list

List the revoked certificates.

rev

Paste a revocation list into another revocation list.

import <proto server file>

Import a remote revocation list.

automatic

Go to the automatic retrieval menu.

/ssl/cfg/cert/revoke/automatic

Page 512: 24.0.0 Command Reference

SSL Configuration Revoke Certificate Automatic Menu

[Automatic CRL Menu]
url - Set URL to retrieve CRL from
authDN - Set LDAP DN used for bind/authentication
passwd - Set password to use when to authenticate
interval - Set refresh interval
cacerts - Set list of accepted signers of CRLs
ena - Enable automatic retrieval
dis - Disable automatic retrieval

SSL Configuration Revoke Certificate Automatic Menu Options

Command Syntax and Usage

url <URL>

Set the URL value to retrieve the CRL.

authDN <LDAP-Distinguished-Name>

Set the LDAP DN to be used for bind and authentication.

passwd <string>

Set the authentication password.

interval <time>

Set the refresh interval.

cacerts <certificate_numbers>

Create a list of accepted signers of CRLs. Separate the list elements by commas.

ena <enabled|disabled>

Enable automatic retrieval.

dis <enabled|disabled>

Disable automatic retrieval.

/ssl/cfg/vpn

Page 513: 24.0.0 Command Reference

SSL VPN Configuration Menu

[VPN 1 Menu]
ips - Set IP addr(s) of the VPN
standalone - Set standalone mode (no switch)
aaa - AAA menu
server - SSL server menu
ipsec - IPsec server menu
ippool - IP address pool menu
portal - Portal look and feel menu
linkset - Portal linkset menu
sslclient - SSL VPN client menu
adv - Advanced settings menu
del - Remove VPN

SSL VPN Configuration Menu Options

Command Syntax and Usage

ips <IP_address>

Set the IP address of the VPN.

standalone on|off

Set the standalone mode.

aaa

Go to the AAA menu. To view the menu options, see "/ssl/cfg/vpn SSL VPN Configuration Menu" (page 512).

server

Go to the SSL server menu. To view the menu options, see "/ssl/cfg/vpn/aaa/auth SSL VPN Configuration Authentication Menu" (page 517).

ipsec

Go to the IPsec server menu. To view the menu options, see "/ssl/cfg/vpn/server/trace SSL VPN Configuration Server Traffic Trace Menu" (page 537).

ippool

Go to the IP POOL menu. To view the menu options, see "/ssl/cfg/vpn/ipsec/ikeprof/enc SSL VPN Configuration IPsec Server IKE Profile Encryption Menu" (page 549).

portal

Go to the Portal look and feel menu. To view the menu options, see "/ssl/cfg/vpn/portal SSL VPN Configuration Portal Menu" (page 553).

linkset

Page 514: 24.0.0 Command Reference

Go to the Portal linkset menu. To view the menu options, see "/ssl/cfg/vpn/portal/colors SSL VPN Configuration Portal Colors Menu" (page 555).

sslclient

Go to the SSL VPN client menu. To view the menu options, see "/ssl/cfg/vpn/linkset/link SSL VPN Configuration Linkset Link Menu" (page 559).

adv

Go to the Advanced Settings menu. To view the menu options, see "/ssl/cfg/vpn/adv SSL VPN Configuration Advanced Menu" (page 561).

del

Remove the VPN.

/ssl/cfg/vpn/aaa
SSL VPN Configuration Menu

[AAA Menu]
quick - AAA setup wizard
tg - TunnelGuard menu
ttl - Set login session TTL
auth - Authentication menu
authorder - Set authentication server fallback order
network - Network access menu
service - Service access menu
appspec - Application specific menu
filter - Client filter menu
group - Group menu
defgroup - Set default group
ssodomains - Single-Sign on enabled domains menu
ssoheaders - Single-Sign on headers menu
radacct - RADIUS accounting menu

SSL VPN Configuration AAA Menu Options

Command Syntax and Usage

quick <IP_address>

AAA setup wizard.

tg

Go to the TunnelGuard menu. To view the menu options, see "/ssl/cfg/vpn/aaa/tg SSL VPN Configuration TunnelGuard Menu" (page 516).

ttl <TTL for idle sessions (max 31d, min 2m)>

Page 515: 24.0.0 Command Reference

Set the login session TTL.

auth

Go to the Authentication menu. To view the menu options, see "/ssl/cfg/vpn/aaa/auth SSL VPN Configuration Authentication Menu" (page 517).

authorder <list_of_servers>

Set the authentication server fallback order. Use a comma to separate entries.

network

Go to the Network Access menu. To view the menu options, see "/ssl/cfg/vpn/aaa/network SSL VPN Configuration Network Menu" (page 521).

service

Go to the Service Access menu. To view the menu options, see "/ssl/cfg/vpn/aaa/service SSL VPN Configuration Service Menu" (page 523).

appspec

Go to the Application Specific menu. To view the menu options, see "/ssl/cfg/vpn/aaa/appspec SSL VPN Configuration Application specific Menu" (page 524).

filter

Go to the Client Filter menu. To view the menu options, see "/ssl/cfg/vpn/aaa/filter SSL VPN Configuration AAA Filter Menu" (page 526).

group

Go to the Group menu. To view the menu options, see "/ssl/cfg/vpn/aaa/group SSL VPN Configuration AAA Group Menu" (page 528).

defgroup <name_of_group>

Set the default group.

ssodomains

Go to the Single sign-on enabled domains menu. To view the menu options, see "/ssl/cfg/vpn/aaa/ssodomains SSL VPN Configuration AAA Single-sign on Enabled Domains Menu" (page 533).

ssoheaders

Go to the Single Sign-on Headers menu. To view the menu options, see "/ssl/cfg/vpn/aaa/ssoheaders SSL VPN Configuration AAA Single-sign on Headers Menu" (page 534).

Page 516: 24.0.0 Command Reference

radacct

Go to the Radius Accounting menu. To view the menu options, see "/ssl/cfg/vpn/aaa/radacct SSL VPN Configuration AAA Radius Accounting Menu" (page 535).

/ssl/cfg/vpn/aaa/tg
SSL VPN Configuration TunnelGuard Menu

[TG Menu]
ena - Enable TunnelGuard
dis - Disable TunnelGuard
quick - Quick TunnelGuard setup wizard
recheck - Set recheck interval
action - Set fail action
retry - Set UDP retry interval
list - List SRS rules
loglevel - Set TunnelGuard applet loglevel

SSL VPN Configuration AAA TunnelGuard Menu Options

Command Syntax and Usage

ena enable|disable

Enable TunnelGuard.

dis enable|disable

Disable TunnelGuard.

quick <TTL for idle sessions (max 31d, min 2m)>

Use the Quick TunnelGuard setup wizard. For example:

SSL >> TG# quick
In the event that the TunnelGuard checks fails on a client, the session can be teardown, or left in restricted mode with limited access.
Which action do you want to use for TunnelGuard failure? (teardown/restricted) [restricted]: restricted
Do you want to create a tunnelguard test user? (yes/no) [yes]: yes
Enabling TunnelGuard
Creating Linkset 1
Name: tg_passed
This Linkset just prints the TG result
Creating Linkset 2
Name: tg_failed

Page 517: 24.0.0 Command Reference

This Linkset just prints the TG result
Adding test SRS rule srs-rule-test
This rule check for the presence of the file C:\tunnelguard\tg.txt
Creating Group 1
Name: tunnelguard
Creating Extended Profile 1
Giving full access when tg passed
Creating Access rule 1
Creating Extended Profile 2
Giving no access when tg failed
Using SRS rule: srs-rule-test
Creating Authentication 1
Adding user 'tg' with password 'tg'
Use 'diff' to view pending changes, and 'apply' to commit

recheck <seconds>

Set the recheck interval.

action teardown|restricted

Set the Fail action.

retry <seconds, 1-65535>

Set the UDP retry interval.

list

List the SRS rules.

loglevel <string>

Set the TunnelGuard applet log level.

/ssl/cfg/vpn/aaa/auth
SSL VPN Configuration Authentication Menu

To enter the /ssl/cfg/vpn/aaa/auth menu level, you are prompted to create an authentication if one does not already exist.

Creating Authentication 1
Select one of radius, ldap, ntlm, siteminder, cert, rsa or local: radius
Auth name: Authentication_1
Entering: RADIUS settings menu
Entering: RADIUS servers menu
IP Address to add: 0.0.0.0
Port (default is 1812): 1812
Enter shared secret: shared
Leaving: RADIUS servers menu
Enter vendor id [alteon]: alteon

Page 518: 24.0.0 Command Reference

Enter vendor type [1]: 1
Leaving: RADIUS settings menu
------------------------------------------------------------
[Authentication 1 Menu]
type - Set authentication mechanism
name - Set auth name
display - Set auth display name
domain - Set windows domain for backend single sign-on
radius - RADIUS settings menu
adv - Advanced settings menu
del - Remove Authentication

SSL VPN Configuration AAA Authentication Menu Options

Command Syntax and Usage

type radius|ldap|ntlm|siteminder|cert|rsa|local

Set the authentication scheme.

name <string>

Set the authentication name. The default is local.

display <string>

Set the authentication display name.

domain <string>

Set the current windows domain for backend single sign-on.

radius <list_of_servers>

Go to the Radius menu. The menu is available only if the type is Radius (# type radius). To view the menu options, see "/ssl/cfg/vpn/aaa/auth/radius SSL VPN Configuration Authentication Radius Menu" (page 518).

adv

Go to the Advanced menu. To view the menu options, see "/ssl/cfg/vpn/aaa/auth/adv SSL VPN Configuration Authentication Advanced Menu" (page 521).

del

Remove the authentication.

/ssl/cfg/vpn/aaa/auth/radius
SSL VPN Configuration Authentication Radius Menu

To enter the /ssl/cfg/vpn/aaa/auth/radius menu level, the authentication type must be set to radius. For example, /ssl/vpn/aaa/auth/type radius.

Page 519: 24.0.0 Command Reference

[RADIUS Menu]
servers - RADIUS servers menu
vendorid - Set vendor id for group attribute
vendortype - Set vendor type for group attribute
timeout - Set RADIUS server timeout
sessiontim - Session Timeout menu
macro - User-defined Macro menu

SSL VPN Configuration AAA Authentication Radius Menu Options

Command Syntax and Usage

servers

Go to the Radius servers menu. To view the menu options, see "/ssl/cfg/vpn/aaa/auth/radius/servers SSL VPN Configuration Authentication Radius Servers Menu" (page 519).

vendorid <string>

Set the switch vendor ID.

vendortype vendortype

Set the vendor type.

timeout <integer, 1 to 1000 seconds>

Set the Radius server timeout.

sessiontim

Go to the Sessiontim menu. To view the menu options, see "/ssl/cfg/vpn/aaa/auth/radius/sessiontm SSL VPN Configuration Authentication Radius Session Timeout Me" (page 520).

macro

Go to the Macro menu. To view the menu options, see "/ssl/cfg/vpn/aaa/auth/radius/macro SSL VPN Configuration Authentication Radius Macro Menu" (page 520).

/ssl/cfg/vpn/aaa/auth/radius/servers
SSL VPN Configuration Authentication Radius Servers Menu

[RADIUS Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

SSL VPN Configuration AAA Authentication Radius Menu Options

Command Syntax and Usage

list

Page 520: 24.0.0 Command Reference

List all values (servers).

del <index_number>

Delete a server value by name.

add <ip port, default=1812> <secret>

Add a new value (server).

insert <position ip> <port> <secret>

Insert a value into the list.

move <value> <value>

Move a value position in the list.

/ssl/cfg/vpn/aaa/auth/radius/sessiontm
SSL VPN Configuration Authentication Radius Session Timeout Menu

[SessionTimeout Menu]
vendorid - Set vendor id for session timeout attribute
vendortype - Set vendor type for session timeout attribute
ena - Enable Session-Timeout
dis - Disable Session-Timeout

SSL VPN Configuration AAA Authentication Radius Session Timeout Menu Options

Command Syntax and Usage

vendorid <vendorid>

Set the vendor ID number.

vendortype <value>

Set the Vendor Type number.

ena <enable|disable>

Enable session timeout.

dis <enable|disable>

Disable session timeout.

/ssl/cfg/vpn/aaa/auth/radius/macro

Page 521: 24.0.0 Command Reference

SSL VPN Configuration Authentication Radius Macro Menu

[Macro Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

SSL VPN Configuration AAA Authentication Radius Macro Menu Options

Command Syntax and Usage

list

List all values.

del <value>

Delete a value using its number.

add <vendorid> <vendortype> <attribute_type (IP, stringinteger )>

Add a value.

insert <index_position> <vendorid> <vendortype> <attribute_type_string>

Insert a value.

move <value> <value>

Move a value’s position in the list.

/ssl/cfg/vpn/aaa/auth/adv
SSL VPN Configuration Authentication Advanced Menu

[Advanced Menu]
groupauth - Set Authentication server list of group information
secondauth - Set Secondary authentication server

SSL VPN Configuration AAA Authentication Advanced Menu Options

Command Syntax and Usage

groupauth <hostnames>

Set the list of authentication servers. Separate values using a comma.

secondauth <hostname>

Set the secondary authentication server.

/ssl/cfg/vpn/aaa/network

Page 522: 24.0.0 Command Reference

SSL VPN Configuration Network Menu

To enter the /ssl/cfg/vpn/aaa/network menu level, you are prompted to create a network if one does not already exist.

SSL >> AAA# network
Enter network number or name: (1-1023) 1
Creating Network 1
Network name: Network_1
------------------------------------------------------------
[Network 1 Menu]
name - Set network name
subnet - Subnet menu
comment - Set comment
del - Remove network

SSL VPN Configuration AAA Network Menu Options

Command Syntax and Usage

name <string>

Set the network name.

subnet

Go to the Subnet menu. To view the menu options, see "/ssl/cfg/vpn/aaa/network/subnet SSL VPN Configuration Network Subnet Menu" (page 522).

comment <text_string>

Create a text description (comment) about the network.

del

Remove the network. The network will be removed when the global/apply command is entered.

/ssl/cfg/vpn/aaa/network/subnet
SSL VPN Configuration Network Subnet Menu

To enter the /ssl/cfg/vpn/aaa/network/subnet menu level, you are prompted to create a subnet if one does not already exist.

Page 523: 24.0.0 Command Reference

SSL >> Network 1# sub
Enter subnet number: (1-1023) 1
Creating Network Subnet 1
Enter host name: Subnet_1
Enter network address: 0.0.0.0
Enter network netmask: netmask
------------------------------------------------------------
[Network Subnet 1 Menu]
host - Set Host Name
net - Set network address
mask - Set network mask
del - Remove subnet

SSL VPN Configuration AAA Network Subnet Menu Options

Command Syntax and Usage

host <hostname>

Set the hostname for the subnet.

net <IP_address>

Set the subnet address.

mask <IP_address>

Set the Network mask.

del

Remove the Subnet.

/ssl/cfg/vpn/aaa/service
SSL VPN Configuration Service Menu

To enter the /ssl/cfg/vpn/aaa/service menu level, you are prompted to create a service if one does not already exist.

SSL >> AAA# service
Enter service number or name: (1-1023) 1
Creating Service 1
Service name: Service_1
Enter service protocol (list of tcp,udp): tcp
Enter service ports: 1,2,3
------------------------------------------------------------
[Service 1 Menu]
name - Set service name
protocol - Set allowed protocols
ports - Set allowed port
comment - Set comment

Page 524: 24.0.0 Command Reference

del - Remove Service

SSL VPN Configuration AAA Service Menu Options

Command Syntax and Usage

name <service_name>

Set the service name.

protocol <tcp|udp>

Set the protocols that are allowed.

ports <integers>

Set the allowed ports. If more than one, use commas to separate.

comment <string>

Create a description (comment) about the service.

del

Delete the service.

/ssl/cfg/vpn/aaa/appspec
SSL VPN Configuration Application specific Menu

To enter the /ssl/cfg/vpn/aaa/appspec menu level, you are prompted to create a network if one does not already exist.

SSL >> AAA# appspec
Enter appspec number or name: (1-1023) 1
Creating AppSpecific 1
AppSpec name: AppSpec_1
Entering: Paths menu
Path format:
The paths are formated differently for different applications.
For smb you write the path as /WORKGROUP/FILESHARE/FILE PATH, for example
/NORTEL/homes/public
This will give access to the public directory in the homes share in the NORTEL workgroup/domain.
For ftp you write the path as ABSOLUTE FILEPATH, for example
/home/share/public/
This will give access to the /home/share/public. Note that all paths are absolute from the root.

Page 525: 24.0.0 Command Reference

For web servers you write the path SERVERPATH, for example
/intranet
This will give access to the /intranet path on the web server.
Enter path: /path
Leaving: Paths menu.
----------------------------------------------
[AppSpecific 1 Menu]
name - Set appspec name
paths - Paths menu
comment - Set comment
del - Remove AppSpec

SSL VPN Configuration AAA Application specific Menu Options

Command Syntax and Usage

name <appsec_name>

Create an application name.

paths

Go to the Paths menu. To view the menu options, see "/ssl/cfg/cert/revoke SSL Configuration Revoke Certificate Menu" (page 511).

comment <string>

Create a description (comment) about the Application.

del

Delete the application.

/ssl/cfg/vpn/aaa/appspec/paths
SSL VPN Configuration Application specific Paths Menu

[Paths Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

SSL VPN Configuration AAA Application specific Paths Menu Options

Command Syntax and Usage

list

List all paths.

Page 526: 24.0.0 Command Reference

del <path_value>

Delete a path by its number.

add

Add a new path. For example:

SSL >> Paths# list
Old:
Pending:
1: /info
SSL >> Paths# add
Path format:
The paths are formated differently for different applications.
For smb you write the path as /WORKGROUP/FILESHARE/FILE PATH, for example
/NORTEL/homes/public
This will give access to the public directory in the homes share in the NORTEL workgroup/domain.
For ftp you write the path as ABSOLUTE FILEPATH, for example
/home/share/public/
This will give access to the /home/share/public. Note that all paths are absolute from the root.
For web servers you write the path SERVERPATH, for example
/intranet
This will give access to the /intranet path on the web server.
Enter path: /home/storage

insert <index>

Insert a path into the path list.

del

Delete the path.

/ssl/cfg/vpn/aaa/filter

Page 527: 24.0.0 Command Reference

SSL VPN Configuration AAA Filter Menu

To enter the /ssl/cfg/vpn/aaa/filter menu level, you are prompted to create a service if one does not already exist.

SSL >> AAA# filter
Enter client filter number or name: (1-63) 1
Creating Client Filter 1
Filter name: Filter_1
------------------------------------------------------------
[Client Filter 1 Menu]
name - Set filter name
cert - Client certificate present
iewiper - IE cache wiper present
tg - TunnelGuard checks passed
methods - Set access methods
authserver - Set authentication servers
clientnet - Set client network reference
comment - Set comment
del - Remove client filter

SSL VPN Configuration AAA Filter Menu Options

Command Syntax and Usage

name <filter_name>

Set the filter name.

cert <true|false|ignore>

Enter the applicability of a certificate.

iewiper <true|false|ignore>

Set the presence of the IE cache wiper.

tg <true|false|ignore>

Set the state of the TunnelGuard checks passed.

methods <ssl|ipsec|netdirect>

Set the access methods.

authserver <hostnames>

Set authentication server names. If more than one, separate the names using a comma.

clientnet <clientnet_hostname>

Set client network reference.

comment

Create a description (comment) of the filter.

Page 528: 24.0.0 Command Reference

del

Remove the client filter.

/ssl/cfg/vpn/aaa/group
SSL VPN Configuration AAA Group Menu

To enter the /ssl/cfg/vpn/aaa/group menu level, you are prompted to create a service if one does not already exist.

SSL >> AAA# group
Enter group number or name: (1-1023) 1
Creating Group 1
Group name: Group_1
Enter number of sessions (0 is unlimited): 0
Enter user type (advanced/medium/novice): novice
------------------------------------------------------------
[Group 1 Menu]
name - Set group name
access - Access rule menu
print - Print access rules
restrict - Set number of login sessions
usertype - Set portal user type
linkset - Linkset menu
extend - Extended profiles menu
tgsrs - Set TunnelGuard SRS Rule
ipsec - IPsec menu
comment - Set comment
del - Remove group

SSL VPN Configuration AAA Group Menu Options

Command Syntax and Usage

name <string>

Set the group name.

access

Go to the Access rule menu. To view the menu options, see "/ssl/cfg/vpn/aaa/group/access SSL VPN Configuration AAA Group Access Menu" (page 529).

print

Display the Access rules. For example:

Page 529: 24.0.0 Command Reference

SSL >> Group 1# print
Network Ports Proto Path Action
------- ----- --------- ------

restrict <integer>

Restrict the number of login sessions. The default is 0 (unlimited).

usertype <advanced|medium|novice>

Set the user level.

linkset

Go to the Linkset menu. To view the menu options, see "/ssl/cfg/vpn/aaa/group/linkset SSL VPN Configuration AAA Group Linkset Menu" (page 530).

extend

Go to the Extended Profiles menu. To view the menu options, see "/ssl/cfg/vpn/aaa/group/extend SSL VPN Configuration AAA Group Extend Profiles Menu" (page 531).

tgsrs <string>

Set the TunnelGuard SRS rule.

ipsec

Go to the IPSEC menu. To view the menu options, see "/ssl/cfg/vpn/aaa/group/ipsec SSL VPN Configuration AAA Group IPsec Menu" (page 533).

comment

Create a description (comment) of the Group.

del

Delete the group.

/ssl/cfg/vpn/aaa/group/access
SSL VPN Configuration AAA Group Access Menu

To enter the /ssl/cfg/vpn/aaa/group/access menu level, you are prompted to create a service if one does not already exist.

Page 530: 24.0.0 Command Reference

SSL >> Group 1# access
Enter access rule number: (1-1023) 1
Creating Access rule 1
Enter network name: Network_1
Enter service name: Service_1
Enter application specific name: Application_1
Enter action (accept/reject): accept
------------------------------------------------------------
[Access rule 1 Menu]
network - Set network reference
service - Set service reference
appspec - Set application specific reference
action - Set action
comment - Set access rule comment
del - Remove access rule

SSL VPN Configuration AAA Group Access Menu Options

Command Syntax and Usage

network <network_name>

Enter the network name reference.

service <service_name>

Set the Service name reference.

appspec <application_name>

Set the application specific name reference.

action <accept|reject>

Accept or reject the creation of this Access rule.

comment

Create a description (comment) of this Access rule.

del

Delete the Access rule.
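
An access rule refers to a network, a service and an application-specific entry by name, so a planned rule set can be reviewed before it is typed into the CLI. The following Python code is an added example, not part of the Nortel manual or software: it checks a plan for undefined references, subnets that match any address, out-of-range ports and non-absolute paths. The dictionary layout and the function names are hypothetical, and the sample values are constructed from the names used in the prompts of this section.

```python
import ipaddress

# Constructed sample plan. Object names follow the prompts shown in this
# section; the dictionary layout itself is hypothetical, not a switch format.
PLAN = {
    "networks": {
        "Network_1": [{"net": "0.0.0.0", "mask": "0.0.0.0"}],
        "Intranet": [{"net": "10.1.2.0", "mask": "255.255.255.0"}],
    },
    "services": {
        "Service_1": {"protocol": ["tcp"], "ports": [1, 2, 3]},
        "Web": {"protocol": ["tcp"], "ports": [443, 70000]},
    },
    "appspecs": {"AppSpec_1": ["/intranet", "home/share/public/"]},
    "access_rules": [
        {"id": 1, "network": "Network_1", "service": "Service_1",
         "appspec": "Application_1", "action": "accept"},
        {"id": 2, "network": "Intranet", "service": "Web",
         "appspec": "AppSpec_1", "action": "accept"},
    ],
}


def check_network(name, subnets):
    """Return (findings, matches_any) for one named network."""
    findings, matches_any = [], False
    for s in subnets:
        try:
            # strict=True rejects an address with host bits set for its mask.
            net = ipaddress.ip_network(f"{s['net']}/{s['mask']}", strict=True)
        except ValueError as exc:
            findings.append(f"network {name}: invalid subnet ({exc})")
            continue
        if net.prefixlen == 0:
            matches_any = True
            findings.append(f"network {name}: subnet {net} matches any address")
    return findings, matches_any


def check_service(name, svc):
    """Flag protocols other than tcp/udp and ports outside 1-65535."""
    findings = []
    for proto in svc["protocol"]:
        if proto not in ("tcp", "udp"):
            findings.append(f"service {name}: unknown protocol {proto!r}")
    for port in svc["ports"]:
        if not 1 <= port <= 65535:
            findings.append(f"service {name}: port {port} is out of range")
    return findings


def check_appspec(name, paths):
    """The CLI help text states that all paths are absolute from the root."""
    return [f"appspec {name}: path {p!r} is not absolute"
            for p in paths if not p.startswith("/")]


def review(plan):
    """Return a list of findings for the whole planned configuration."""
    findings, open_networks = [], set()
    for name, subnets in plan["networks"].items():
        found, matches_any = check_network(name, subnets)
        findings += found
        if matches_any:
            open_networks.add(name)
    for name, svc in plan["services"].items():
        findings += check_service(name, svc)
    for name, paths in plan["appspecs"].items():
        findings += check_appspec(name, paths)
    for rule in plan["access_rules"]:
        refs = (("network", "networks"), ("service", "services"),
                ("appspec", "appspecs"))
        for field, table in refs:
            if rule[field] not in plan[table]:
                findings.append(
                    f"rule {rule['id']}: {field} {rule[field]!r} is not defined")
        if rule["action"] == "accept" and rule["network"] in open_networks:
            findings.append(
                f"rule {rule['id']}: accept rule uses network "
                f"{rule['network']!r}, which matches any address")
    return findings


if __name__ == "__main__":
    for line in review(PLAN):
        print(line)
```
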

/ssl/cfg/vpn/aaa/group/linkset
SSL VPN Configuration AAA Group Linkset Menu

[Linksets Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

Page 531: 24.0.0 Command Reference

SSL VPN Configuration AAA Group Linkset Menu Options

Command Syntax and Usage

list

List all of the configured linksets.

add <linkset_name>

Add a linkset name.

insert <position name>

Insert a linkset into the linkset list.

move <value> <value>

Move the linkset from one position to another in the linkset list.

/ssl/cfg/vpn/aaa/group/extend
SSL VPN Configuration AAA Group Extend Profiles Menu

To enter the /ssl/cfg/vpn/aaa/group/extend menu level, you are prompted to create an extended service profile if one does not already exist.

SSL >> Group 1# extend
Enter profile number or name (1-63): 1
Creating Extended Profile 1
Enter client filter name: Filter_1
Enter user type (advanced/medium/novice): novice
------------------------------------------------------------
[Extended Profile 1 Menu]
filter - Set client filter reference
access - Access rule menu
print - Print access rules
usertype - Set portal user type
linkset - Linkset menu
del - Remove profile

SSL VPN Configuration AAA Group Extend Profiles Menu Options

Command Syntax and Usage

filter <client_filter_name>

Set the client filter name reference.

access

Go to the Access Rule menu. To view the menu options, see "/ssl/cfg/vpn/aaa/group/extend/access SSL VPN Configuration AAA Group Extend Profiles Access Menu" (page 532).

print

Display the extended profile information.

Page 532: 24.0.0 Command Reference

usertype <advanced|medium|novice>

Set the portal user level.

linkset

Go to the Linkset menu. To view the menu options, see "/ssl/cfg/vpn/aaa/group/extend/linkset SSL VPN Configuration AAA Group Extend Profiles Linkset Menu" (page 532).

del

Delete the Extended Profile.

/ssl/cfg/vpn/aaa/group/extend/access
SSL VPN Configuration AAA Group Extend Profiles Access Menu

[Access rule 1 Menu]
network - Set network reference
service - Set service reference
appspec - Set application specific reference
action - Set action
comment - Set access rule comment
del - Remove access rule

SSL VPN Configuration AAA Group Extend Profiles Access Menu Options

Command Syntax and Usage

network <network_name>

Set the network name reference.

service <service_name>

Set the Service name reference.

appspec <application_name>

Set the Application name reference.

action <accept|reject>

Accept or reject the Access rule change.

comment

Create a description (comment) of the Access rule.

del

Delete the Extended Profile Access rule.

/ssl/cfg/vpn/aaa/group/extend/linkset

Page 533: 24.0.0 Command Reference

SSL VPN Configuration AAA Group Extend Profiles Linkset Menu

[Linksets Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

SSL VPN Configuration AAA Group Extend Profiles Linkset Menu Options

Command Syntax and Usage

list

List all of the configured Extended Profile linksets.

del <extended_profile_linkset_name>

Delete the Extended Profile Linkset.

add <extended_profile_linkset_name>

Add an Extended Profile linkset name.

insert <position name>

Insert an Extended Profile linkset into the linkset list.

move <value> <value>

Move the Extended Profile linkset from one position to another in thelinkset list.

/ssl/cfg/vpn/aaa/group/ipsec

SSL VPN Configuration AAA Group IPsec Menu

[IPsec Menu]
secret - Set shared secret
utunnel - Set user tunnel profile

SSL VPN Configuration AAA Group IPsec Menu Options

Command Syntax and Usage

secret <string>

Set the group Secret value.

utunnel <string>

Set the user tunnel profile name.

/ssl/cfg/vpn/aaa/ssodomains


SSL VPN Configuration AAA Single-sign on Enabled Domains Menu

[SSO Domain menu Menu]
list - List all values
del - Delete a value by number
add - Add a new value

SSL VPN Configuration AAA Single-sign on enabled Domains Menu Options

Command Syntax and Usage

list

List all of the SSO domains.

del <index>

Delete an SSO domain.

add <domain_name mode> <normal|add_domain>

Add an SSO domain.

/ssl/cfg/vpn/aaa/ssoheaders

SSL VPN Configuration AAA Single-sign on Headers Menu

[SSO headers menu Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

SSL VPN Configuration AAA Single-sign on Headers Menu Options

Command Syntax and Usage

list

List all of the configured SSO Headers.

del <SSO Headers_name>

Delete the SSO Header.

add <domain header_pattern>

Add an SSO Header.

insert <position domain> <header_name>

Insert an SSO Header into the headers list.

move <value> <value>

Move the SSO Headers from one position to another in the SSO Headers list.


/ssl/cfg/vpn/aaa/radacct

SSL VPN Configuration AAA Radius Accounting Menu

[RADIUS Accounting Menu]
servers - RADIUS accounting servers menu
vpnattribu - VPN attribute menu
ena - Enable RADIUS accounting
dis - Disable RADIUS accounting

SSL VPN Configuration AAA Radius Accounting Menu Options

Command Syntax and Usage

servers

Go to the Radius servers menu. To view the menu options, see "ssl/cfg/vpn/aaa/radacct/servers SSL VPN Configuration AAA Radius Accounting Servers Menu" (page 535).

vpnattribu

Go to the VPN attribute menu. To view the menu options, see "ssl/cfg/vpn/aaa/radacct/vpnattribu SSL VPN Configuration AAA Radius Accounting VPN attributes Menu" (page 536).

ena enable|disable

Enable AAA radius accounting.

dis enable|disable

Disable AAA radius accounting.

ssl/cfg/vpn/aaa/radacct/servers

SSL VPN Configuration AAA Radius Accounting Servers Menu

[RADIUS Accounting Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

SSL VPN Configuration AAA Radius Accounting Menu Options

Command Syntax and Usage

list

List all of the configured Radius Accounting servers.

del <Radius_Accounting_server_name>

Delete the SSO Header.

add <ip_address port> <secret>


Add a Radius Account.

insert <position ip_address> <port> <secret>

Insert a Radius account into the account list.

move <value> <value>

Move the Radius account from one position to another in the account list.

ssl/cfg/vpn/aaa/radacct/vpnattribu

SSL VPN Configuration AAA Radius Accounting VPN attributes Menu

[VPN Attribute Menu]
vendorid - Set vendor id for the VPN attribute
vendortype - Set vendor type for the VPN attribute

SSL VPN Configuration AAA Radius Accounting VPN attributes Menu Options

Command Syntax and Usage

vendorid <vendorID>

Set the vendor name.

vendortype <integer>

Set the vendor type.

/ssl/cfg/vpn/server

SSL VPN Configuration Server Menu

[Server Menu]
port - Set listen port of server
dnsname - Set DNS name of server
trace - Traffic trace menu
ssl - SSL settings menu
tcp - TCP endpoint settings menu
http - HTTP settings menu
proxymap - Intranet proxy configuration menu
portal - Portal settings menu
adv - Advanced settings menu
ena - Enable virtual server
dis - Disable virtual server

SSL VPN Configuration Server Menu Options

Command Syntax and Usage

port <integer, 1-65534>

Set the listen port of the server.


dnsname <fully_qualified_DNS_name>

Set the DNS name of the server.

trace

Go to the Trace menu. To view the menu options, see "/ssl/cfg/vpn/server/trace SSL VPN Configuration Server Traffic Trace Menu" (page 537).

ssl

Go to the SSL settings menu. To view the menu options, see "/ssl/cfg/vpn/server/ssl SSL VPN Configuration Server SSL Settings Menu" (page 538).

tcp

Go to the TCP endpoint settings menu. To view the menu options, see "/ssl/cfg/vpn/server/tcp SSL VPN Configuration Server TCP endpoint Settings Menu" (page 540).

http

Go to the HTTP settings menu. To view the menu options, see "/ssl/cfg/vpn/server/http SSL VPN Configuration Server HTTP Settings Menu" (page 541).

proxymap

Go to the Intranet Proxy configuration menu. To view the menu options, see "/ssl/cfg/vpn/server/proxymap SSL VPN Configuration Server Intranet Proxy settings Menu" (page 543).

portal

Go to the Portal menu. To view the menu options, see "ssl/cfg/vpn/server/portal SSL VPN Configuration Server Portal settings Menu" (page 544).

adv

Go to the Advanced settings menu. To view the menu options, see "ssl/cfg/vpn/server/adv SSL VPN Configuration Server Advanced Menu" (page 544).

ena enable|disable

Enable the VPN server.

dis enable|disable

Disable the VPN server.

/ssl/cfg/vpn/server/trace


SSL VPN Configuration Server Traffic Trace Menu

[Trace Menu]
ssldump - Create traffic dump
tcpdump - Create traffic dump
ping - Ping through backend interface
dnslookup - Lookup a name in DNS through backend interface
traceroute - traceroute through backend interface

SSL VPN Configuration Server Traffic Trace Menu Options

Command Syntax and Usage

ssldump

Create an SSL traffic dump. See the tcpdump documentation for a description of the patterns that are allowed (http://www.tcpdump.org/tcpdump_man.html).

standalone on|off

Create a TCP traffic dump. See the tcpdump documentation for a description of the patterns that are allowed (http://www.tcpdump.org/tcpdump_man.html).

ping <hostname>

Ping through the backend interface.

dnslookup <hostname>

Lookup a name in DNS through the backend interface.

traceroute

Traceroute through backend interface. Use this command to identify the route used for station-to-station connectivity across the network.

/ssl/cfg/vpn/server/ssl

SSL VPN Configuration Server SSL Settings Menu

[SSL Settings Menu]
cert - Set server certificate
cachesize - Set SSL cache size
cachettl - Set SSL cache timeout
cacerts - Set list of accepted signers of client certificates
cachain - Set list of CA chain certificates
protocol - Set protocol version
ciphers - Set cipher list
verify - Set certificate verification level
ena - Enable SSL
dis - Disable SSL

SSL VPN Configuration Server SSL Settings Menu Options

Command Syntax and Usage

cert <certificate_number, 1 to 1500>

Set the IP address of the VPN.

cachesize <integer, 0 to 10000>

Set the SSL cache size (kBytes).

cachettl <integer>

Set the SSL cache timeout (in minutes).

cacerts <certificate_numbers>

Set the list of accepted signers of client certificates. If more than one, use a comma to separate the entries.

cachain <certificate_numbers>

Set the list of CA chain certificates. If more than one, use a comma to separate the entries.

protocol ssl2|ssl3|ssl23|tls1

Set the protocol version.

ciphers

Set the cipher list. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms).

Each cipher string can be optionally preceded by the characters !, - or +:

• ! permanently deletes the ciphers from the list (e.g. !RSA).

• - deletes the ciphers from the list, but the ciphers can be added again by later options.

• + moves the ciphers to the end of the list. This option does not add any new ciphers.

Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.

verify none|optional

Set the certificate verification level.

ena enable|disable


Enable SSL.

dis enable|disable

Disable SSL.

/ssl/cfg/vpn/server/tcp

SSL VPN Configuration Server TCP endpoint Settings Menu

[TCP Settings Menu]
cwrite - Set client TCP write timeout
ckeep - Set client TCP keep alive timeout
skeep - Set socks client TCP keep alive heartbeat timeout
swrite - Set server TCP write timeout
sconnect - Set server TCP connect timeout
csendbuf - Set client TCP send buffer size
crecbuf - Set client TCP receive buffer size
ssendbuf - Set server TCP send buffer size
srecbuf - Set server TCP receive buffer size

SSL VPN Configuration Server TCP endpoint settings Menu Options

Command Syntax and Usage

ips <integer, 1 to 2147483647s>

Set client TCP write timeout, in seconds.

ckeep <integer, 1 to 2147483647s>

Set client TCP keep alive timeout.

skeep <integer, 1 to 2147483647s>

Set the SOCKS client TCP keep alive heartbeat timeout.

swrite <integer, 1 to 2147483647s>

Set the server TCP write timeout.

sconnect <integer, 1 to 2147483647s>

Set the server TCP connect timeout.

csendbuf auto| <integer, 2000 to 100000>

Set the client TCP send buffer size (Bytes).


crecbuf auto| <integer, 2000 to 100000>

Set the client TCP receive buffer size (Bytes).

ssendbuf auto| <integer, 2000 to 100000>

Set the server TCP send buffer size (Bytes).

srecbuf auto| <integer, 2000 to 100000>

Set server TCP receive buffer size (Bytes).

/ssl/cfg/vpn/server/http

SSL VPN Configuration Server HTTP Settings Menu

[HTTP Settings Menu]
downstatus - Set server down reply status
rewrite - SSL triggered rewrite menu
securecook - Set add secure option to session cookie
sslheader - Add SSL header
sslxheader - Add SSL header with serial in hex
sslsidhead - Add SSL SID header
addxfor - Add X-Forwarded-For header
addvia - Add Via header
addxisd - Add HTTP-X-ISD debug header
addclicert - Add Client-Cert as a HTTP header
addnostore - Add no-cache/no-store HTTP header
allowimage - Allow image caching
allowdoc - Allow document caching
allowscrip - Set allow script caching
allowica - Allow ICA file caching
cmsie - Set MSIE session termination bug workaround
maxrcount - Set max number of persistant client requests
maxline - Set max line length

SSL VPN Configuration Server HTTP settings Menu Options

Command Syntax and Usage

downstatus unavailable|redirect|reset

Set the server down reply status.

rewrite on|off

Go to the SSL triggered Rewrite menu. To view the menu options, see "/ssl/cfg/vpn/server/http/rewrite SSL VPN Configuration Server SSL triggered rewrite Menu" (page 542).

securecook on|off


Set the "add secure" option for the session cookie.

sslheader on|off

Add an SSL session ID header.

sslxheader on|off

Add an SSL header with serial number in hexadecimal.

sslsidhead on|off

Add an SSL SID header.

addxfor on|off|anonymous|remove

Add X-Forwarded-For header.

addvia on|off|anonymous|remove

Set VIA header.

addxisd on|off

Set HTTP-X-ISD debug header.

addclicert on|off

Set Client-Cert as a HTTP header.

addnostore on|off

Set no-cache/no-store HTTP header.

allowimage on|off

Set image caching.

allowdoc on|off

Set document caching.

allowscrip on|off

Set allow script caching.

allowica on|off

Set ICA file caching.

cmsie on|off

Set MSIE session termination bug workaround.

maxrcount <integer>

Set max number of persistent client requests.

maxline <integer>

Set the maximum line length.

/ssl/cfg/vpn/server/http/rewrite


SSL VPN Configuration Server SSL triggered rewrite Menu

[Rewrite Menu]
rewrite - Set SSL triggered rewrite
ciphers - Set accepted ciphers
response - Set source of response
URI - Set URI with the weak cipher alert

SSL VPN Configuration Server SSL triggered rewrite Menu Options

Command Syntax and Usage

rewrite on|off

Set SSL triggered rewrite. For step-up certificates we recommend ALL:-RC2:-SHA1:@STRENGTH

ciphers <string>

Set the accepted ciphers. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms).

Each cipher string can be optionally preceded by the characters !, - or +:

• ! permanently deletes the ciphers from the list (e.g. !RSA).

• - deletes the ciphers from the list, but the ciphers can be added again by later options.

• + moves the ciphers to the end of the list. This option doesn’t add any new ciphers; it just moves matching existing ones.

Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.

response iSD|WebServer

Set the source of response.

URI <WebServer response only>

Set the URI with the weak cipher alert. For example, /cgi-bin/weakcipher.

/ssl/cfg/vpn/server/proxymap

SSL VPN Configuration Server Intranet Proxy settings Menu

The PROXY menu is not available for type portal and socks servers.


[Proxy Mapping Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

SSL VPN Configuration Server Intranet Proxy settings Menu Options

Command Syntax and Usage

list

List all of the server Intranet Proxy settings.

del <Proxy_server_name>

Delete the Intranet Proxy server.

add <ip_address port>

Add an Intranet Proxy server.

insert <position ip_address> <port>

Insert an Intranet Proxy server into the Proxy server list.

move <value> <value>

Move the Intranet Proxy server from one position to another in the server list.

ssl/cfg/vpn/server/portal

SSL VPN Configuration Server Portal settings Menu

[Portal Settings Menu]
resetcooki - Set Re-Set session cookie in each request
domain - Set cookie domain
persistent - Set use persistent session cookies

SSL VPN Configuration Server Portal settings Menu Options

Command Syntax and Usage

resetcooki <on|off>

Set the Reset session cookie in each request.

domain <domain_name>

Set the cookie domain name for the portal.

persistent <on|off>

Set the use of persistent session cookies.

ssl/cfg/vpn/server/adv


SSL VPN Configuration Server Advanced Menu

[Advanced Settings Menu]
traflog - UDP syslog Traffic Log menu
sslconnect - SSL connect menu

SSL VPN Configuration Server Advanced Menu Options

Command Syntax and Usage

traflog <IP_address>

Go to the UDP syslog Traffic Log menu. To view the menu options, see "ssl/cfg/vpn/server/adv/traflog SSL VPN Configuration Server UDP Syslog Traffic Log Menu" (page 545).

sslconnect on|off

Go to the SSL Connect menu. To view the menu options, see "ssl/cfg/vpn/server/adv/sslconnect SSL VPN Configuration Server SSL Connect Menu" (page 546).

ssl/cfg/vpn/server/adv/traflog

SSL VPN Configuration Server UDP Syslog Traffic Log Menu

[Traffic Log Settings Menu]
sysloghost - Set syslog host IP
udpport - Set syslog portnumber
priority - Set syslog priority
facility - Set syslog facility
ena - Enable traffic UDP syslog logging
dis - Disable traffic UDP syslog logging

SSL VPN Configuration Server UDP Syslog Traffic Log Menu Options

Command Syntax and Usage

sysloghost <IP_address>

Set the IP address of the VPN.

udpport <UDP_port_number>

Set the standalone mode.

priority <syslog_name>

Set the syslog priority.

facility <string>

Set the syslog facility.

ena <enable|disable>

Enable traffic UDP syslog messaging.


dis

Disable traffic UDP syslog messaging.

ssl/cfg/vpn/server/adv/sslconnect

SSL VPN Configuration Server SSL Connect Menu

[SSL Connect Settings Menu]
protocol - Set protocol version
cert - Set client certificate
ciphers - Set accepted ciphers for ssl connect
verify - Verify server menu

SSL VPN Configuration Server UDP Syslog Traffic Log Menu Options

Command Syntax and Usage

protocol ssl2|ssl3|ssl23|tls1

Set the Protocol version.

cert <certificate_number, 1 to 1500>

Set the client certificate.

ciphers

Set the accepted ciphers for SSL connection. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms).

Each cipher string can be optionally preceded by the characters !, - or +.

• ! permanently deletes the ciphers from the list (e.g. !RSA).

• - deletes the ciphers from the list, but the ciphers can be added again by later options.

• + moves the ciphers to the end of the list.

Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.

verify

Go to the Verify server menu. To view the menu options, see "ssl/cfg/vpn/server/adv/sslconnect/verify SSL VPN Configuration Server SSL Connect verify Server Menu" (page 547).
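The prefix rules given for the ciphers commands (SSL Settings, SSL triggered rewrite and SSL Connect menus) can be checked offline before a list is applied. The following Python model is an added example, not Nortel or OpenSSL code; the suite table, its simplified tags and the function names expand and weak_enabled are assumptions made for illustration.

```python
"""Simplified model of the cipher-list operators !, -, + and @STRENGTH."""
from typing import NamedTuple


class Suite(NamedTuple):
    name: str
    bits: int          # encryption key length, used by @STRENGTH
    tags: frozenset    # simplified protocol / key exchange / cipher / MAC labels


def _suite(name, bits, *tags):
    return Suite(name, bits, frozenset(tags))


# Constructed suite table for illustration only. A real device offers more
# suites and richer aliases than these simplified tags.
SUITES = [
    _suite("EXP-RC2-CBC-MD5", 40, "SSLv3", "RSA", "RC2", "MD5"),
    _suite("DES-CBC-SHA", 56, "SSLv3", "RSA", "DES", "SHA1"),
    _suite("RC4-MD5", 128, "SSLv3", "RSA", "RC4", "MD5"),
    _suite("DES-CBC3-SHA", 168, "SSLv3", "RSA", "3DES", "SHA1"),
    _suite("EDH-DSS-DES-CBC3-SHA", 168, "SSLv3", "DH", "DSS", "3DES", "SHA1"),
    _suite("AES128-SHA", 128, "TLSv1", "RSA", "AES", "SHA1"),
]


def _matches(suite, selector):
    """A selector such as SHA1+DES matches suites carrying every named tag."""
    return all(t == "ALL" or t == suite.name or t in suite.tags
               for t in selector.split("+"))


def expand(cipher_list, suites=SUITES):
    """Return the ordered suite names left enabled by a cipher list."""
    by_name = {s.name: s for s in suites}
    active = []      # ordered names currently enabled
    killed = set()   # names removed with '!'; these can never come back
    for item in cipher_list.split(":"):
        item = item.strip()
        if not item:
            continue
        if item == "@STRENGTH":
            # Longest key first; Python's sort is stable, so suites with
            # equal key length keep their current relative order.
            active.sort(key=lambda n: -by_name[n].bits)
            continue
        op = item[0] if item[0] in "!-+" else ""
        selector = item[len(op):]
        matches = [s.name for s in suites if _matches(s, selector)]
        if op == "!":
            killed.update(matches)
            active = [n for n in active if n not in matches]
        elif op == "-":
            active = [n for n in active if n not in matches]
        elif op == "+":
            # Move only suites that are already enabled; add nothing new.
            moved = [n for n in active if n in matches]
            active = [n for n in active if n not in matches] + moved
        else:
            active += [n for n in matches
                       if n not in active and n not in killed]
    return active


def weak_enabled(cipher_list, min_bits=128, suites=SUITES):
    """List suites the cipher list still enables below min_bits of key."""
    by_name = {s.name: s for s in suites}
    return [n for n in expand(cipher_list, suites)
            if by_name[n].bits < min_bits]


if __name__ == "__main__":
    for spec in ("SHA1+DES", "ALL:!RSA:RSA", "ALL:-RSA:RSA",
                 "ALL:-RC2:-SHA1:@STRENGTH"):
        print(f"{spec:28} -> {expand(spec)}")
    print("weak suites left by ALL:!RC2 ->", weak_enabled("ALL:!RC2"))
```

Running weak_enabled over a proposed list before applying it shows which short-key suites remain reachable after all deletions and re-additions have been processed.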


ssl/cfg/vpn/server/adv/sslconnect/verify

SSL VPN Configuration Server SSL Connect verify Server Menu

[SSL Connect Verify Settings Menu]
verify - Set certificate verification level
commonname - Set server common name
cacerts - Set list of accepted signers server’s certificate

SSL VPN Configuration Server SSL Connect Verify Server Menu Options

Command Syntax and Usage

verify none|verify

Set the Certificate Verification level.

commonname <string>

Set the server common name.

cacerts <certificate_numbers>

Set the list of accepted signers for each server certificate. If more than one, use a comma to separate each entry.

/ssl/cfg/vpn/ipsec

SSL VPN Configuration IPsec Server Menu

[IPsec Menu]
ena - Enable IPsec
dis - Disable IPsec
quick - Quick IPsec setup wizard
ikeprof - IKE profile
utunprof - User tunnel profile
cacerts - Set list of accepted signers of clients certificate
cert - Set server certificate

SSL VPN Configuration IPSEC Server Menu Options

Command Syntax and Usage

ena [enable|disable]

Enable IPsec.

dis [enable|disable]

Disable IPsec.

quick


Use the Quick IPsec setup wizard. For example:
SSL >> IPsec# quick
Do you want to use IPsec Group login?(yes/no) [no]: n
Lower IP address in pool range: 0.0.0.0
Upper IP address in pool range: 1.1.1.1
Enabled IPsec
Creating IKE Profile 1
Name: vpn_1_1
Creating User Tunnel Profile 1
Name: vpn_1_1
You should create a AAA group for the user tunnel profile
Enabled Pool
Use apply to activate the changes

ikeprof

Go to the IKE profile menu.

utunprof

Set the User tunnel profile.

cacerts

Set the list of accepted signers of clients certificate.

cert

Set the server certificate.

/ssl/cfg/vpn/ipsec/ikeprof

SSL VPN Configuration IPsec Server IKE Profile Menu

[IKE Profile 1 Menu]
name - Set IKE profile name
del - Remove IKE Profile
enc - Encryption mask menu
dh - Diffie-Hellman group mask menu
pfs - Enable Perfect Forward Secrecy
initcontac - Accept ISAKMP initial contact payload
rekeytime - Set rekey time limit
rekeytraf - Set rekey traffic limit
retransmit - Set ISAKMP retransmit interval
maxretrans - Set ISAKMP max attempts retransmits
replaywins - Set replay window size
nat - NAT menu
deadpeer - Dead peer menu


SSL VPN Configuration IPSEC Server IKE Profile Menu Options

Command Syntax and Usage

name <string>

Set the IKE profile name.

del <IKE_profile_name>

Disable IPsec.

enc

Go to the Encryption mask menu. To view the menu options, see "/ssl/cfg/vpn/ipsec/ikeprof/enc SSL VPN Configuration IPsec Server IKE Profile Encryption Menu" (page 549).

dh

Go to the Diffie_Hellman group mask menu. To view the menu options, see "/ssl/cfg/vpn/ipsec/ikeprof/dh SSL VPN Configuration IPsec Server IKE Profile Diffie-Hellman Group Mas" (page 550).

pfs on|off

Enable Perfect Forward Secrecy.

initcontac on|off

Accept ISAKMP initial contact payload.

rekeytime <integer>

Set the rekey time limit, in seconds.

rekeytraf <integer>

Set rekey traffic limit, in KBytes.

retransmit <integer>

Set ISAKMP retransmit limit, in seconds.

maxretrans <integer>

Set the maximum ISAKMP attempts to retransmit.

replaywins <integer>

Set replay window size.

nat

Go to the NAT menu. To view the menu options, see "/ssl/cfg/vpn/ipsec/ikeprof/NAT SSL VPN Configuration IPsec Server IKE Profile NAT Menu" (page 551).

deadpeer

Go to the Dead Peer menu. To view the menu options, see "/ssl/cfg/vpn/ipsec/ikeprof/deadpeer SSL VPN Configuration IPsec Server IKE Profile Dead Peer Menu" (page 551).

/ssl/cfg/vpn/ipsec/ikeprof/enc


SSL VPN Configuration IPsec Server IKE Profile Encryption Menu

[Encryption Menu]
hmac_md5 - Set HMAC with MD5
hmac_sha - Set HMAC with SHA
null_md5 - Set NULL with MD5
null_sha - Set NULL with SHA
des_md5 - Set DES with MD5
des_sha - Set DES with SHA
3des_md5 - Set 3DES with MD5
3des_sha - Set 3DES with SHA
aes_128_sh - Set 128 bits AES with SHA

SSL VPN Configuration IPSEC Server IKE Profile Encryption Menu Options

Command Syntax and Usage

hmac_md5 on|off

Set HMAC with MD5.

hmac_sha on|off

Set HMAC with SHA.

null_md5 on|off

Set NULL with MD5.

null_sha on|off

Set NULL with SHA.

des_md5 on|off

Set DES with MD5.

des_sha on|off

Set DES with SHA.

3des_md5 on|off

Set 3DES with MD5.

3des_sha on|off

Set 3DES with SHA.

aes_128_sh on|off

Set 128 bits AES with SHA.

/ssl/cfg/vpn/ipsec/ikeprof/dh


SSL VPN Configuration IPsec Server IKE Profile Diffie-Hellman Group Mask Menu

[Diffie-Hellman Group Menu]
dh1 - Set Diffie-Hellman group 1
dh2 - Set Diffie-Hellman group 2
dh5 - Set Diffie-Hellman group 5

SSL VPN Configuration IPSEC Server IKE Profile Diffie-Hellman Group Mask Menu Options

Command Syntax and Usage

dh1 on|off

Set Diffie_Hellman group 1.

dh2 on|off

Set Diffie_Hellman group 2.

dh5 on|off

Set Diffie_Hellman group 5.

/ssl/cfg/vpn/ipsec/ikeprof/NAT

SSL VPN Configuration IPsec Server IKE Profile NAT Menu

[NAT Menu]
natdetect - Set ESP UDP NAT detect
timeout - Set detect timeout
keepalive - Set keepalive timeout

SSL VPN Configuration IPSEC Server IKE Profile NAT Menu Options

Command Syntax and Usage

natdetect disabled|auto|ipsec_capable|use_udp_encap

Set ESP UDP detection.

timeout <integer>

Set the detection timeout, in seconds.

keepalive <integer>

Set the keepalive timeout, in seconds.

/ssl/cfg/vpn/ipsec/ikeprof/deadpeer


SSL VPN Configuration IPsec Server IKE Profile Dead Peer Menu

[Dead Peer Menu]
ena - Enable dead peer detection
dis - Disable dead peer detection
interval - Set detect interval
retransmit - Set max retransmissions

SSL VPN Configuration IPSEC Server IKE Profile Dead Peer Menu Options

Command Syntax and Usage

ena [enable|disable]

Enable dead peer detection.

dis [enable|disable]

Disable dead peer detection.

interval <integer>

Set the detection interval, in seconds.

retransmit <integer>

Set the maximum number of retransmissions.

/ssl/cfg/vpn/ippool

SSL VPN Configuration IP Pool Menu

[Pool Menu]
ena - Enable pool
dis - Disable pool
lowerip - Set lower IP in pool range
upperip - Set upper IP in pool range
proxyarp - Set proxy arp on clean side interfaces
info - Print alloc info for this VPN

SSL VPN Configuration IP Pool Menu Options

Command Syntax and Usage

ena enable|disable

Enable the IP Pool.

dis enable|disable

Disable the IP Pool.

lowerip <lower_IP_address>

Set the lower IP address in the pool range.

upperip <upper_IP_address>

Set the upper IP address in the pool range.


proxyarp <on|off|all>

Set proxy ARP on clean side interfaces.

info

Display all of the IP Pool configuration information.

/ssl/cfg/vpn/portal

SSL VPN Configuration Portal Menu

[Portal Menu]
import - Import banner image gif
restore - Restores default Nortel banner
banner - Show installed banner file
redirect - Set redirect URL
logintext - Set static text on login page
iconmode - Set Home tab icon mode
linktext - Set static text on link page
linkurl - Set url input field on link page
linkcols - Set number of columns on home tab
linkwidth - Set width of link columns on home tab
companynam - Set company name used on portal pages
colors - Portal colors menu
faccess - Full Access menu
lang - Portal language menu
wiper - Set use ActiveX component for clearing cache
ieclear - Set use IE ClearAuthCache
whitelist - White-list settings menu
citrix - Set Citrix support

SSL VPN Configuration Portal Menu Options

Command Syntax and Usage

import [ <protocol hostname> <bannerfilename> ]

Import banner image gif. For example:
SSL >> Portal# import
Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp
Enter hostname or IP address of server: 0.0.0.0
Enter filename on server: nortel_banner.gif

restore

Restores default Nortel banner.

banner

Show installed banner file.

redirect <URL>


Set redirect URL.

logintext

Set static text on login page. Write or paste the text to show up in the Login window, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

iconmode <clean|fancy>

Set Home tab icon mode.

linktext [ <string> ]

Set static text on link page. Write or paste the text, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

linkurl <on|off>

Set URL input field on link page.

linkcols [ <integer> ]

Set number of columns on home tab. Four can be considered a practical maximum.

linkwidth [auto|0 to 100%]

Set width of link columns on home tab.

companynam [ <string> ]

Set company name used on portal pages.

colors

Go to the Portal Colors menu. To view the menu options, see "/ssl/cfg/vpn/portal/colors SSL VPN Configuration Portal Colors Menu" (page 555).

faccess

Go to the Full Access menu. To view the menu options, see "/ssl/cfg/vpn/portal/faccess SSL VPN Configuration Portal Full Access Menu" (page 555).

lang

Go to the Portal language menu. To view the menu options, see "/ssl/cfg/vpn/portal/lang SSL VPN Configuration Portal Language Menu" (page 556).

wiper [on|off]

Set use ActiveX component for clearing cache.

ieclear [on|off]

Set use IE ClearAuthCache.

whitelist


Go to the White-list settings menu. To view the menu options, see "/ssl/cfg/vpn/portal/whitelist SSL VPN Configuration Portal Whitelist settings Menu" (page 557).

citrix [on|off]

Set Citrix support.

/ssl/cfg/vpn/portal/colors

SSL VPN Configuration Portal Colors Menu

[Portal Colors Menu]
color1 - Set portal color 1
color2 - Set portal color 2
color3 - Set portal color 3
color4 - Set portal color 4
theme - Color theme

SSL VPN Configuration Portal Colors Menu Options

Command Syntax and Usage

color1 [ <HTML_color_syntax> ]

Set Portal color 1. For example, #003399 for blue.

color2 [ <HTML_color_syntax> ]

Set Portal color 2.

color3 [ <HTML_color_syntax> ]

Set Portal color 3.

color4 [ <HTML_color_syntax> ]

Set Portal color 4.

theme [default|aqua|apple|jeans|cinnamon|candy]

Set the color theme.

/ssl/cfg/vpn/portal/faccess


SSL VPN Configuration Portal Full Access Menu

[Full Access Menu]
ena - Enable ’Full Access’ tab
dis - Disable ’Full Access’ tab
ipsecmode - Set IPSEC Mode
contip - Set Contivity IP address
contid - Set Contivity group ID
contpass - Set Contivity group password
portalmsg - Set text in ’Full Access’ portal tab
appletmsg - Set text in ’Full Access’ Applet window

SSL VPN Configuration Portal Full Access Menu Options

Command Syntax and Usage

ena [enable|disable]

Enable ’Full Access’ tab.

dis [enable|disable]

Disable ’Full Access’ tab.

ipsecmode [contivity|native]

Set the IPSEC Mode.

contip [ <IP_address> ]

Set Contivity IP address.

contid [ <string> ]

Set the Contivity group ID.

contpass [ <string> ]

Set a Contivity group password.

portalmsg

Set text in ’Full Access’ portal tab. Write or paste the text to show up in the Full Access Portal window, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

appletmsg

Set text in ’Full Access’ Applet window. Write or paste text to show up in the Full Access Applet window, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. If you *only* enter "...", a default text will be generated.

/ssl/cfg/vpn/portal/lang SSL VPN Configuration Portal Language Menu

Page 557: 24.0.0 Command Reference

[Portal Language Menu]
setlang - Set the language to be used in the portal
charset - Print charset in use
list - List supported languages

SSL VPN Configuration Portal Language Menu Options

Command Syntax and Usage

ips [ <ISO 639 Language Code> ]

Set the language to be used in the portal. For English, enter en.

charset <on|off>

Display the current character set. For example:

Charset = iso-8859-1

list

Display all of the pre-defined languages.

/ssl/cfg/vpn/portal/whitelist SSL VPN Configuration Portal Whitelist settings Menu

[White-list Settings Menu]
domains - Configure white-list domains
ena - Enable URL rewrite white-list
dis - Disable URL rewrite white-list

SSL VPN Configuration Portal Whitelist settings Menu Options

Command Syntax and Usage

domains

Go to the Domains menu. To view the menu options, see "/ssl/cfg/vpn/portal/whitelist/domains SSL VPN Configuration Portal Whitelist settings Domains Menu" (page 557).

ena [enable|disable]

Enable URL re-write whitelist.

dis [enable|disable]

Disable URL re-write whitelist.

/ssl/cfg/vpn/portal/whitelist/domains SSL VPN Configuration Portal Whitelist settings Domains Menu

Page 558: 24.0.0 Command Reference

[White-list menu Menu]
list - List all values
del - Delete a value by number
add - Add a new value

SSL VPN Configuration Portal Whitelist settings Domains Menu Options

Command Syntax and Usage

list

Go to the Domains menu. To view the menu options, see "/ssl/cfg/vpn/portal/faccess SSL VPN Configuration Portal Full Access Menu" (page 555).

del [ <index> ]

Delete a value.

add [ <domain_name> ]

Add a domain.

/ssl/cfg/vpn/linkset SSL VPN Configuration Linkset Menu

To enter the /ssl/cfg/vpn/linkset menu level, you are prompted to create a linkset if one does not already exist.

SSL >> VPN 1# linkset
Enter Linkset number or name (1-1023): 1
Creating Linkset 1
Linkset name: Linkset_1
Linkset text (HTML syntax, eg b A heading /b ): html
Autorun Linkset (true/false) [false]: false

------------------------------------------------------------
[Linkset 1 Menu]
name - Set linkset name
text - Set linkset text
autorun - Set autorun support
link - Link menu
del - Remove tunnel

SSL VPN Configuration Linkset Menu Options

Command Syntax and Usage

name <string>

Set the linkset name.

Page 559: 24.0.0 Command Reference

text [ <text_type> ]

Set the text type. In the current release, only HTML is available (default).

autorun [true|false]

Set the autorun linkset option.

link

Go to the Link menu. To view the menu options, see "/ssl/cfg/vpn/linkset/link SSL VPN Configuration Linkset Link Menu" (page 559).

del [ <linkset_number> ]

Remove the linkset.

/ssl/cfg/vpn/linkset/link SSL VPN Configuration Linkset Link Menu

To enter the /ssl/cfg/vpn/linkset/link menu level, you are prompted to create a link if one does not already exist.

SSL >> Linkset 1# link
Enter Link number or name (1-1023): 1
Creating Link 1
Enter link text: Link_1
Enter type of link (hit TAB to see possible values)[internal]: tab

smb ftp proxy custom
mail telnet netdrive wts
outlook netdirect terminal external
internal eauto iauto
Enter type of link (hit TAB to see possible values)[internal]: internal
Entering: Internal settings menu
Enter method (http/https): http
Enter host (eg inside.company.com): NoTel.ca
Enter path (eg /): /info
Leaving: Internal settings menu

------------------------------------------------------------
[Link 1 Menu]
move - Move link
text - Set link text
type - Set link type
internal - Internal settings menu
del - Remove link

Page 560: 24.0.0 Command Reference

SSL VPN Configuration Linkset Link Menu Options

Command Syntax and Usage

move [ <link_number> ]

Move the link.

text [ <link_name> ]

Set the name of the link.

type [ <link_type> ]

Set the link type. See the list of link types on "/ssl/cfg/vpn/linkset/link SSL VPN Configuration Linkset Link Menu" (page 559).

internal

Go to the Internal link menu. To view the menu options, see "/ssl/cfg/vpn/linkset/link/internal SSL VPN Configuration Linkset Link Internal Setting Menu" (page 560).

del [ <link_number> ]

Remove the link.

/ssl/cfg/vpn/linkset/link/internal SSL VPN Configuration Linkset Link Internal Setting Menu

[Internal menu Menu]
quick - Quick internal link wizard

SSL VPN Configuration Linkset Link Internal Settings Menu Options

Command Syntax and Usage

quick

Configure the link using the internal link wizard. For example:

SSL >> Internal menu# quick
Enter method (http/https): http
Enter host (eg inside.company.com): NoTel.ca
Enter path (eg /): /

/ssl/cfg/vpn/sslclient SSL VPN Configuration SSL Client Menu

[SSL VPN Client Menu]
netdirect - Allow Netdirect client
xmlconfig - Set XML client configuration

Page 561: 24.0.0 Command Reference

SSL VPN Configuration SSL Client Menu Options

Command Syntax and Usage

netdirect [on|off]

Allow a Netdirect VPN client.

xmlconfig

Set the XML client configuration. Write or paste the text, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

/ssl/cfg/vpn/adv SSL VPN Configuration Advanced Menu

[Advanced Menu]
interface - Set backend interface used by VPN
dns - DNS settings menu
log - Set log settings

SSL VPN Configuration Advanced Menu Options

Command Syntax and Usage

interface [ <backend_interface_number> ]

Set the backend interface.

dns

Go to the DNS settings menu. To view the menu options, see "/ssl/cfg/vpn/adv/dns SSL VPN Configuration Advanced DNS settings Menu" (page 561).

log [all|login|http|portal|reject|socks]

Set the log option.

/ssl/cfg/vpn/adv/dns SSL VPN Configuration Advanced DNS settings Menu

[DNS Settings Menu]
search - Set DNS search list

SSL VPN Configuration Advanced DNS settings Menu Options

Command Syntax and Usage

search <domain_names>

Set the domain search list. If there is more than one domain, use a comma to separate each entry.

Page 562: 24.0.0 Command Reference

/ssl/cfg/sys SSL Configuration System Menu

[System Menu]
mip - Set management IP (MIP) address
host - iSD host menu
routes - Routes menu
time - Date and time menu
dns - DNS settings
rsa - RSA Servers
syslog - Syslog servers menu
accesslist - Access list menu
adm - Administrative applications menu
user - User Access Control menu
distrace - Disable tracing with tcpdump/ssldump

SSL Configuration System Menu Options

Command Syntax and Usage

mip <IP_address>

Set the management IP (MIP) address.

host

Go to the Host menu. To view menu options, see "/ssl/cfg/sys/host SSL Configuration System Host Menu" (page 563).

routes

Go to the Routes menu. To view menu options, see "/ssl/cfg/sys/host/routes SSL Configuration System Host Routes Menu" (page 564).

time

Go to the Time menu. To view menu options, see "/ssl/cfg/sys/time/ntp SSL Configuration System Time NTP servers Menu" (page 568).

dns

Go to the Time menu. To view menu options, see "/ssl/cfg/sys/dns SSL Configuration System DNS settings Menu" (page 568).

rsa

Go to the RSA server menu. To view menu options, see "/ssl/cfg/sys/rsa SSL Configuration System RSA servers Menu" (page 570).

syslog

Go to the RSA server menu. To view menu options, see "/ssl/cfg/sys/syslog SSL Configuration System SysLog Servers Menu" (page 570).

accesslist

Page 563: 24.0.0 Command Reference

Go to the Access List menu. To view menu options, see "/ssl/cfg/sys/accesslist SSL Configuration System Access List Menu" (page 571).

adm

Go to the Administrative Applications menu. To view menu options, see "/ssl/cfg/sys/adm SSL Configuration System Administrative applications Menu" (page 571).

user

Go to the Administrative Applications menu. To view menu options, see "/ssl/cfg/sys/user SSL Configuration System Menu" (page 580).

distrace [yes|no]

Deactivate trace. Trace cannot be reactivated during the session.

/ssl/cfg/sys/host SSL Configuration System Host Menu

[iSD Host 1 Menu]
type - Set type of the iSD
ip - Set IP address
license - Set License
gateway - Set default gateway address
routes - Routes menu
interface - iSD host interface menu
port - iSD port configuration menu
ports - Display physical ports
hwplatform - Display hardware platform
halt - Halt the iSD
reboot - Reboot the iSD
delete - Remove iSD Host

SSL Configuration System Host Menu Options

Command Syntax and Usage

type [master|slave]

Set the iSD type.

ip [ <IP_address> ]

Set the IP address of the host.

license [ <string> ]

Enter or paste the host license information. Paste the license, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

gateway [ <IP_address> ]

Page 564: 24.0.0 Command Reference

Set default gateway address.

routes

Go to the Routes menu. To view menu options, see "/ssl/cfg/sys/routes SSL Configuration System Menu" (page 567).

interface

Go to the iSD host interface menu. To view menu options, see "/ssl/cfg/sys/host/interface SSL Configuration System Host Menu" (page 565).

port

Go to the iSD port configuration menu. To view menu options, see "/ssl/cfg/sys/host/interface/routes SSL Configuration System Host Interface Routes Menu" (page 566).

ports

Display the number of physical ports.

hwplatform

Display hardware platform.

halt [yes|no]

Halt the iSD platform.

reboot [yes|no]

Reboot the iSD.

delete [<hostname>]

Remove iSD Host.

/ssl/cfg/sys/host/routes SSL Configuration System Host Routes Menu

[Host Routes Menu]
list - List all values
del - Delete a value by number
add - Add a new value

SSL Configuration System Host Routes Menu Options

Command Syntax and Usage

list

List all host routes.

del [ <route_number> ]

Delete a route by its number.

Page 565: 24.0.0 Command Reference

add [ <destination netmask> <gateway> ]

Add a route.

/ssl/cfg/sys/host/interface SSL Configuration System Host Menu

[Host Interface 1 Menu]
ip - Set IP address
netmask - Set network mask
gateway - Set default gateway address
routes - Routes menu
vlanid - Set VLAN tag id
mode - Set mode
ports - Interface ports menu
primary - Set primary port
delete - Remove Host Interface

SSL Configuration System Host Interface Menu Options

Command Syntax and Usage

ip [ <IP_address> ]

Set the host interface IP address.

netmask [ <IP_address> ]

Set the interface netmask.

gateway [ <IP_address> ]

Set the Gateway IP address.

routes

Go to the Routes menu. To view menu options, see "/ssl/cfg/sys/host/interface/routes SSL Configuration System Host Interface Routes Menu" (page 566).

vlanid [ <integer> ]

Set the VLAN tag ID.

mode [failover|trunking]

Set the interface mode.

ports

Go to the Ports menu. To view menu options, see "/ssl/cfg/sys/routes SSL Configuration System Menu" (page 567).

primary [ <port_number> ]

Set the Primary port.

Page 566: 24.0.0 Command Reference

delete [ <interface_hostname> ]

Delete the interface.

/ssl/cfg/sys/host/interface/routes SSL Configuration System Host Interface Routes Menu

[Host Interface Routes Menu]
list - List all values
del - Delete a value by number
add - Add a new value

SSL Configuration System Host Interface Menu Options

Command Syntax and Usage

list

List all of the configured interface routes.

del [ <route_number> ]

Delete an interface route.

add [ <destination netmask> <gateway> ]

Add an interface route.

/ssl/cfg/sys/host/port SSL Configuration System Host Port Menu

[Host Port 1 Menu]
autoneg - Set autonegotiation
speed - Set Speed
mode - Set full or half duplex mode

SSL Configuration System Host Port Menu Options

Command Syntax and Usage

autoneg <on | off>

Enables or disables autonegotiation on the port. The default is on.

speed <10 | 100 | 1000>

Sets the port speed in Mbits per second when autonegotiation is not in use.

mode <full | half>

Sets the duplex mode of the port when autonegotiation is not in use. When autonegotiation is not in use, the default mode is full.

Page 567: 24.0.0 Command Reference

/ssl/cfg/sys/routes SSL Configuration System Menu

[Routes Menu]
list - List all values
del - Delete a value by number
add - Add a new value

SSL Configuration System Menu Options

Command Syntax and Usage

list

List all of the configured routes.

del [ <route_number> ]

Delete a route. This command removes the specified static route from the system configuration. Use the list command to display the index numbers of all added static routes.

add [ <destination netmask> <gateway> ]

Add a static route.

/ssl/cfg/sys/time SSL Configuration System Time Menu

[Date and Time Menu]
date - Set system date
time - Set system time
tzone - Set Timezone
ntp - Configure NTP servers

SSL Configuration System Time Menu Options

Command Syntax and Usage

date [YYYY-MM-DD]

Enter the date.

time [HH:MM:SS]

Set the time, using a 24-hour clock scheme.

tzone [ <continent_number> <country_number> <region_number>]

Set the time zone.

ntp

Configure NTP servers. To view menu options, see "/ssl/cfg/sys/time/ntp SSL Configuration System Time NTP servers Menu" (page 568).

Page 568: 24.0.0 Command Reference

/ssl/cfg/sys/time/ntp SSL Configuration System Time NTP servers Menu

[NTP Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value

SSL Configuration System Time NTP Servers Menu Options

Command Syntax and Usage

list

List the configured NTP servers.

del [ <NTP_server> ]

Delete the NTP server. Removes the specified NTP server from the system configuration. Use the list command to display the index numbers of all added NTP servers.

add [ <IP_address> ]

Add an NTP server. Adds an NTP server to the system configuration. The NTP server you add is used by the NTP client on the iSD to synchronize its clock. NTP should have access to a number of servers (at least three) in order to compensate for any discrepancies in the servers.

/ssl/cfg/sys/dns SSL Configuration System DNS settings Menu

[DNS Settings Menu]
servers - DNS servers menu
cachesize - Set Local DNS cache size
retransmit - Set DNS Retransmit interval timer
count - Set DNS Retransmit counter
ttl - Set Max TTL
health - Set Health check interval
hdown - Set Health check down counter
hup - Set Health check up counter

SSL Configuration System DNS Settings Menu Options

Command Syntax and Usage

servers

Go to the DNS Servers menu. To view menu options, see "/ssl/cfg/sys/dns/servers SSL Configuration System DNS Servers settings Menu" (page 569).

cachesize [ <integer> ]

Page 569: 24.0.0 Command Reference

Set the DNS cache size in kBytes.

retransmit [ <integer> ]

Set the DNS retransmit interval timer value, in seconds.

count [ <integer> ]

Set the DNS Retransmit counter value.

ttl [ <integer> ]

Set the maximum TTL, in seconds.

health [ <integer> ]

Set Health check interval.

hdown [ <integer> ]

Set Health check down counter.

hup [ <integer> ]

Set Health check up counter.

/ssl/cfg/sys/dns/servers SSL Configuration System DNS Servers settings Menu

[DNS Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

SSL Configuration System DNS Servers Menu Options

Command Syntax and Usage

list

List all of the DNS server settings.

del <DNS_server_name>

Delete the DNS server.

add <ip_address>

Add a DNS server.

insert <position ip_address>

Insert a DNS server into the DNS server list.

move <value> <value>

Move the DNS server from one position to another in the server list.

Page 570: 24.0.0 Command Reference

/ssl/cfg/sys/rsa SSL Configuration System RSA servers Menu

To enter the /ssl/cfg/sys/rsa menu level, you are prompted to create an RSA server if one does not already exist.

SSL >> System# rsa
Enter RSA Server number or name: (1-255) 1
Creating RSA Servers 1
RSA server symbolic name: RSA_1

------------------------------------------------------------
[RSA Servers 1 Menu]
rsaname - Set RSA server symbolic name
import - Import sdconf.rec file
rmnodesecr - Remove Node Secret
del - Remove RSA server

SSL Configuration System RSA servers Menu Options

Command Syntax and Usage

rsaname [ <string> ]

Set the RSA server symbolic name.

import [ <protocol host file> ]

Import a sdconf.rec file.

rmnodesecr [ <node_secret_name> ]

Remove a Node Secret.

del

Remove an RSA server.

/ssl/cfg/sys/syslog SSL Configuration System SysLog Servers Menu

[Syslog Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

SSL Configuration System SysLog Servers Menu Options

Command Syntax and Usage

list

List all of the Syslog server settings.

Page 571: 24.0.0 Command Reference

del <Syslog_server_name>

Delete the Syslog server.

add <ip_address>

Add a Syslog server.

insert [ <position ip_address> <local_facility> ]

Insert a Syslog server into the Syslog server list.

move <value> <value>

Move the Syslog server from one position to another in the server list. Moves a syslog server up or down in the list of configured servers. The index numbers you specify must be in use. To view all syslog servers currently added to the system configuration, use the list command.

/ssl/cfg/sys/accesslist SSL Configuration System Access List Menu

[Access List Menu]
list - List all values
del - Delete a value by number
add - Add a new value

SSL Configuration System Menu Options

Command Syntax and Usage

list

List the accesslist values.

del [ <access_list_number> ]

Delete an accesslist.

add

Add a new value to the accesslist. Adds a single machine, or a range of machines on a specific network, to the access list. Only those machines listed will be allowed to access the iSD host via a Telnet or SSH connection (assuming that Telnet or SSH connections, or both, are enabled).

/ssl/cfg/sys/adm SSL Configuration System Administrative applications Menu

Page 572: 24.0.0 Command Reference

[Administrative Applications Menu]
snmp - SNMP menu
clitimeout - Set CLI idle timeout
audit - Audit Settings Menu
auth - Authentication menu
telnet - Set telnet CLI access
ssh - Set SSH CLI access
http - HTTP access menu
https - HTTPS access menu
sshkeys - SSH host keys menu

SSL Configuration System Administrative applications Menu Options

Command Syntax and Usage

snmp

Go to the SNMP menu. To view menu options, see "/ssl/cfg/sys/adm/snmp SSL Configuration System Administrative applications SNMP Menu" (page 573).

clitimeout [ <integer> ]

Set the CLI idle timeout value, in seconds.

audit

Go to the Audit menu. To view menu options, see "/ssl/cfg/sys/adm/audit SSL Configuration System Administrative applications Audit Menu" (page 577).

telnet

Set the telnet CLI access. Enables or disables Telnet access.

• When set to on and not having added machine(s) to the access list, all Telnet connections are allowed.

• When set to on and having added machine(s) to the access list, only the specified machine(s) are allowed Telnet access.

• When set to off, all Telnet connections are rejected, including connections from machine(s) added to the access list.

The default Telnet setting is off.

ssh

Page 573: 24.0.0 Command Reference

Set the SSH CLI access. Enables or disables SSH access.

• When set to on and not having added machine(s) to the access list, all SSH connections are allowed.

• When set to on and having added machine(s) to the access list, only the specified machine(s) are allowed SSH access.

• When set to off, all SSH connections are rejected, including connections from machine(s) added to the access list.

The default SSH setting is off.

http

Go to the HTTP access menu. To view menu options, see "/ssl/cfg/sys/adm/http SSL Configuration System Administrative applications HTTP Menu" (page 578).

https

Go to the HTTP access menu. To view menu options, see "/ssl/cfg/sys/adm/https SSL Configuration System Administrative applications HTTPS Menu" (page 579).

sshkeys

Go to the HTTP access menu. To view menu options, see "/ssl/cfg/sys/adm/sshkeys SSL Configuration System Administrative applications SSH Host keys Menu" (page 579).

/ssl/cfg/sys/adm/snmp SSL Configuration System Administrative applications SNMP Menu

[SNMP Menu]
ena - Enable SNMP
dis - Disable SNMP
versions - Set SNMP versions supported
snmpv2-mib - SNMPv2-MIB menu
community - SNMP community menu
users - SNMP USM Users Menu
target - Notification target menu

SSL Configuration System Administrative applications SNMP Menu Options

Command Syntax and Usage

ena [true|false]

Enable SNMP.

dis [true|false]

Page 574: 24.0.0 Command Reference

Disable SNMP.

versions [ <SNMP_version_number> ]

Set the SNMP version, such as v1.

snmpv2-mib

Go to the SNMPv2-MIB menu. To view menu options, see "/ssl/cfg/sys/adm/snmp/snmpv2-mib SSL Configuration System Administrative applications SNMPv2 MIB SNMP" (page 574).

community

Go to the SNMP community menu. To view menu options, see "/ssl/cfg/sys/adm/snmp/community SSL Configuration System Administrative applications SNMP Community M" (page 575).

users

Go to the SNMP USM Users community menu. To view menu options, see "/ssl/cfg/sys/adm/snmp/users SSL Configuration System Administrative applications SNMP Users Menu" (page 575).

target

Go to the Notification target menu. To view menu options, see "/ssl/cfg/sys/adm/snmp/target SSL Configuration System Administrative applications SNMP Target Menu" (page 576).

/ssl/cfg/sys/adm/snmp/snmpv2-mib SSL Configuration System Administrative applications SNMPv2 MIB SNMP Menu

[SNMPv2-MIB Menu]
sysContact - Set sysContact
sysName - Set sysName
sysLocatio - Set sysLocation
snmpEnable - Set snmpEnableAuthenTraps

SSL Configuration System Administrative applications SNMPv2-MIB Menu Options

Command Syntax and Usage

sysContact [ <name_of_a_person> ]

Set a system contact name. Designates a contact person for the managed iSD cluster, together with information on how to contact this person.

sysName [ <string, iSD_cluster_name> ]

Assign a name to the managed iSD cluster.

sysLocatio [ <string> ]

Page 575: 24.0.0 Command Reference

Set the system location.

snmpEnable [ <SNMP_trap_value> ]

Set the snmpEnableAuthenTraps value.

/ssl/cfg/sys/adm/snmp/community SSL Configuration System Administrative applications SNMP Community Menu

[SNMP Community Menu]
read - Set Read Community String
write - Set Write Community String
trap - Set Trap Community String

SSL Configuration System Administrative applications SNMP Community Menu Options

Command Syntax and Usage

read [ <string> ]

Set the Read Community String. Specifies the monitor community name that grants read access to the Management Information Base (MIB). If no monitor community name is specified, read access is not granted. The default monitor community name is public.

write [ <string> ]

Set the Write Community String. Specifies the control community name that grants read and write access to the Management Information Base (MIB). If no control community name is specified, neither write nor read access is granted.

trap [ <string> ]

Set the Trap Community String. Specifies the trap community name that accompanies trap messages sent to the SNMP manager. If no trap community name is specified, the sending of trap messages is disabled.

The default trap community name is trap.
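An added example, not part of the Nortel manual: the Telnet/SSH access-list rule from the /ssl/cfg/sys/adm menu and the SNMP community defaults above, applied as an audit over one settings dictionary. The dictionary layout, the (network, netmask) form of access-list entries, the finding codes, and the sample values are assumptions constructed for illustration.

```python
import ipaddress

# Defaults the reference gives for the read and trap community names.
DEFAULT_COMMUNITIES = {"read": "public", "trap": "trap"}


def cli_source_allowed(enabled, access_list, source_ip):
    """Telnet/SSH rule from the reference: off rejects every connection,
    on with an empty access list allows all, on with entries allows only
    listed machines. Entries are assumed to be (network, netmask) pairs."""
    if not enabled:
        return False
    if not access_list:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(
        addr in ipaddress.ip_network(f"{net}/{mask}", strict=False)
        for net, mask in access_list
    )


def audit(cfg):
    """Return (code, message) findings for one settings dictionary."""
    findings = []
    acl = cfg.get("accesslist", [])
    for proto in ("telnet", "ssh"):
        if cfg.get(proto, False) and not acl:
            findings.append((f"{proto.upper()}_OPEN_TO_ALL",
                             f"{proto} is on and the access list is empty"))
    if cfg.get("telnet", False):
        # Telnet carries credentials unencrypted on the wire.
        findings.append(("TELNET_ENABLED", "telnet CLI access is on"))

    snmp = cfg.get("snmp", {})
    if snmp.get("enabled", False):
        for kind, default in DEFAULT_COMMUNITIES.items():
            if snmp.get(kind) == default:
                findings.append((f"SNMP_DEFAULT_{kind.upper()}",
                                 f"{kind} community is the default '{default}'"))
        # SNMPv1 and v2c send community strings unencrypted, and the write
        # community grants both read and write access to the MIB.
        if snmp.get("write") and {"v1", "v2"} & set(snmp.get("versions", [])):
            findings.append(("SNMP_WRITE_CLEARTEXT",
                             "write community set while v1/v2 is enabled"))
        for user in snmp.get("users", []):
            if user.get("seclevel") != "priv":
                findings.append(("SNMP_USER_NO_PRIV",
                                 f"user {user.get('name')} lacks seclevel priv"))
    return findings


# Constructed sample settings (not output from a real switch).
WEAK = {
    "telnet": True, "ssh": True, "accesslist": [],
    "snmp": {"enabled": True, "versions": ["v1", "v3"],
             "read": "public", "write": "ops-rw", "trap": "trap",
             "users": [{"name": "Maint_Chief", "seclevel": "priv"},
                       {"name": "monitor", "seclevel": "auth"}]},
}
HARDENED = {
    "telnet": False, "ssh": True,
    "accesslist": [("192.0.2.0", "255.255.255.0")],
    "snmp": {"enabled": True, "versions": ["v3"],
             "read": None, "write": None, "trap": None,
             "users": [{"name": "Maint_Chief", "seclevel": "priv"}]},
}

if __name__ == "__main__":
    for code, msg in audit(WEAK):
        print(f"{code}: {msg}")
```
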

/ssl/cfg/sys/adm/snmp/users SSL Configuration System Administrative applications SNMP Users Menu

To enter the /ssl/cfg/sys/adm/snmp/users menu level, you are prompted to create a userID if one does not already exist.

Page 576: 24.0.0 Command Reference

Enter user number or name: (1-1023) 1
Creating SNMP User 1
User name: Maint_Chief
Enter security level (none/auth/priv) [priv]: priv
Enter permission (list of get,set,trap): get
Enter auth password: password>
Enter priv password: password>

------------------------------------------------------------
[SNMP User 1 Menu]
name - Set user name
seclevel - Set Security level
permission - Set Permission
authpasswd - Set Authentication Password
privpasswd - Set Encryption Password
del - Remove SNMP User

SSL Configuration System Administrative applications SNMP Users Menu Options

Command Syntax and Usage

name [ <string> ]

Set the user name.

seclevel [none|auth|priv]

Set the user Security level.

permission [get|set|trap]

Set user Permission.

authpasswd [ <string> ]

Set the Authentication Password.

privpasswd [ <string> ]

Set the Encryption Password.

del [ <SNMP_user_ID> ]

Remove the SNMP User.

/ssl/cfg/sys/adm/snmp/target SSL Configuration System Administrative applications SNMP Target Menu

To enter the /ssl/cfg/sys/adm/snmp/target menu level, you are prompted to create a target if one does not already exist.

Page 577: 24.0.0 Command Reference

SSL Configuration System Administrative applications SNMP Target Menu Options

Command Syntax and Usage

ip [ IP_address]

Set the target IP address.

port [ port_number]

Disable SNMP.

version [v1|v2|v3]

Set the SNMP version.

del

Delete the SNMP target.

/ssl/cfg/sys/adm/audit SSL Configuration System Administrative applications Audit Menu

[Audit Menu]
servers - RADIUS Servers Menu
vendorid - Set vendor id for audit attribute
vendortype - Set vendor type for audit attribute
ena - Enable Audit
dis - Disable Audit

SSL Configuration System Administrative applications Audit Menu Options

Command Syntax and Usage

servers

Go to the Servers menu. To view menu options, see "/ssl/cfg/sys/adm/audit/servers SSL Configuration System Administrative applications Audit Servers Men" (page 577).

vendorid [ <string> ]

Set the vendor ID.

vendortype [ <integer> ]

Set the vendor type.

ena [ true|false ]

Enable Audit.

dis [ true|false ]

Disable audit.

/ssl/cfg/sys/adm/audit/servers SSL Configuration System Administrative applications Audit Servers Menu

Page 578: 24.0.0 Command Reference

[RADIUS Audit Servers Menu]
list - List all values
del - Delete a value by number
add - Add a new value
insert - Insert a new value
move - Move a value by number

SSL Configuration System Administrative applications Audit Servers Menu Options

Command Syntax and Usage

list

List all of the Audit server settings.

del <Audit_server_name>

Delete the Audit server.

add [ <IP_address> <port> <secret> ]

Add an Audit server.

insert [ <position> <IP_address> <port> <secret> ]

Insert an Audit server into the Audit server list.

move <value> <value>

Move the Audit server from one position to another in the server list.

/ssl/cfg/sys/adm/http SSL Configuration System Administrative applications HTTP Menu

[HTTP Menu]
port - Set HTTP Server port
ena - Enable server
dis - Disable server

SSL Configuration System Administrative applications HTTP Menu Options

Command Syntax and Usage

port [ <integer> ]

Set the HTTP server port.

ena [true|false]

Enable the HTTP server.

dis [true|false]

Disable the HTTP server.

Page 579: 24.0.0 Command Reference

/ssl/cfg/sys/adm/https

SSL Configuration System Administrative applications HTTPS Menu

[HTTPS Menu]
port - Set HTTPS Server port
ena - Enable server
dis - Disable server

SSL Configuration System Administrative applications HTTPS Menu Options

Command Syntax and Usage

port [ <integer> ]

Set the HTTPS server port.

ena [true|false]

Enable the HTTPS server.

dis [true|false]

Disable the HTTPS server.

/ssl/cfg/sys/adm/sshkeys

SSL Configuration System Administrative applications SSH Host keys Menu

[SSH Host Keys Menu]
generate - Generate new SSH host keys for the cluster
show - Show current SSH host keys for the cluster
knownhosts - SSH known host keys menu

SSL Configuration System Administrative applications SSH Host keys Menu Options

Command Syntax and Usage

generate [yes|no]

Generate new SSH host keys for the server cluster.

show

Show the SSH host keys for the server cluster.

knownhosts

Go to the Known Host Keys menu. To view menu options, see "/ssl/cfg/sys/adm/audit/servers SSL Configuration System Administrative applications Audit Servers Menu" (page 577).

/ssl/cfg/sys/adm/sshkeys/knownhosts

Page 580: 24.0.0 Command Reference

SSL Configuration System Administrative applications SSH Known Host keys Menu

[SSH Known Host Keys Menu]
list - List known SSH keys of remote hosts
del - Delete known SSH host key by index
add - Add a new SSH host key
import - Retrieve SSH key from remote host

SSL Configuration System Administrative applications Known SSH Host keys Menu Options

Command Syntax and Usage

list [yes|no]

Display the known SSH keys of remote hosts.

del [ <hostkey_name> ]

Delete a host key.

add

Add a new SSH host key. Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

import [ <hostname_or_IP_address> ]

Retrieve an SSH key from a remote host.

/ssl/cfg/sys/user

SSL Configuration System Menu

[User Menu]
passwd - Change own password
expire - Set password expire time interval
list - List all users
del - Delete a user
add - Add a new user
edit - Edit a user menu
caphrase - Certadmin export passphrase

SSL Configuration System Menu Options

Command Syntax and Usage

passwd

Change your current login password. The password can contain spaces and is case sensitive.

expire [DDdHHhMMmSS]

Set the password expiry time and date.

Page 581: 24.0.0 Command Reference

list

List all user accounts.

del

Delete a user ID. Removes the specified user account from the system. Of the three built-in users (admin, oper, and root) only the oper user can be deleted. Only users with Administrator rights can delete user accounts.

add [ <string> ]

Add a new user ID. After a user account is added, you must also assign the user account to a group. Only users with Administrator rights can add user accounts.

edit

Go to the Edit a user menu. To view menu options, see "/ssl/cfg/sys/user/edit SSL Configuration System User Edit Menu" (page 581).

caphrase [ <string> ]

Set the Certadmin export passphrase.

/ssl/cfg/sys/user/edit

SSL Configuration System User Edit Menu

[User User_1 Menu]
groups - Groups menu
cur - Display current setting

SSL Configuration System User Edit Menu Options

Command Syntax and Usage

groups

Go to the Groups menu. To view menu options, see "/ssl/cfg/ssl SSL Configuration Server Menu" (page 492).

cur

Display the user configurations.

/ssl/cfg/sys/user/edit/groups

SSL Configuration System User Edit Menu

[Groups Menu]
list - List all values
del - Delete a value by number
add - Add a new value

Page 582: 24.0.0 Command Reference

SSL Configuration System User Edit Groups Menu Options

Command Syntax and Usage

list

List all of the user groups information.

del [ <user_group_name> ]

Delete a user group.

add [ <string>, <user_group_name> ]

Add a user group.

/ssl/cfg/lang

SSL Configuration Language Support Menu

[Language Support Menu]
import - Import language definition file
export - Export language definition template
list - List the loaded languages
vlist - List ISO 639 language codes
del - Delete (custom) language definition

SSL Configuration System Language Support Menu Options

Command Syntax and Usage

import [ <protocol> <host> <filename> <ISO_language_code> ]

Import a language definition file from another host.

export [ <protocol> <host> <filename> ]

Export a language definition file.

list [ <language_number> ]

List the pre-defined languages that have been loaded.

vlist [ <language_shortform> ]

List the ISO 639 language codes. If a language_shortform argument is used (e.g., en for English), all of the codes that contain the argument characters are listed.

del [ <language_definition_filename> ]

Delete a language definition.

/ssl/boot

Page 583: 24.0.0 Command Reference

SSL Boot Menu

[Boot Menu]
software - Software management menu
halt - Halt the iSD
reboot - Reboot the iSD
delete - Delete the iSD

SSL Configuration Boot Menu Options

Command Syntax and Usage

software

Go to Software Management menu. To view menu options, see "/ssl/boot/software SSL Performance Menu" (page 584).

halt

Halt the iSD. The command stops the particular iSD host to which you have connected by Telnet, SSH, or a console connection. Always use this command before turning off the device.

If you are connected by Telnet or SSH to the Management IP address (MIP), use the halt command in the iSD Host menu (/cfg/sys/cluster/host#) instead.

reboot

Reboot the iSD. The command reboots the particular iSD host to which you have connected by Telnet, SSH or a console connection. If you are connected by Telnet or SSH to the Management IP address (MIP), use the reboot command in the iSD Host menu (/cfg/sys/cluster/host#) instead.

delete

Delete an iSD host. Resets the particular iSD host to which you have connected via Telnet, SSH, or a console connection, to its factory default configuration (all IP configuration is lost). The software itself will remain intact.

After having performed a delete, you can only access the device via a console connection. Log in as the admin user with the admin password to enter the Setup menu.

Note: If you receive a warning that the iSD you are trying to delete has no contact with any (other) master iSD in the cluster, connect to the MIP address by Telnet or SSH and delete the iSD from the cluster by using the delete command in the iSD Host menu (/cfg/sys/cluster/host #).

Page 584: 24.0.0 Command Reference

The /boot/delete command is primarily intended for situations when you want to delete an iSD host that has either become isolated from the cluster, or has been physically removed from the cluster without first performing the delete command from the iSD Host menu. Under these circumstances, you must use the /boot/delete command to present the Setup menu, from which you can perform the new and join commands.

/ssl/boot/software

SSL Performance Menu

[Software Management Menu]
cur - Display current software status
activate - Select software version to run
download - Download new software pkg. via TFTP/FTP/SCP/SFTP
del - Remove unpacked/old releases

SSL Performance Software Menu Options

Command Syntax and Usage

cur

Display the current software status. For example:

SSL >> Software Management# cur
Version   Name  Status
-------   ----  ------
4.1.1.11  SSL   old
5.0.0.34  SSL   permanent

activate [ <software_version> ]

Select the software version to run.

download [ <protocol> <host> <filename> ]

Download a new software package.

del [ <software_version> ]

Remove old software releases. Removes a software upgrade package that has been downloaded by using the tftp or ftp command, in case you do not want to activate the unpacked software upgrade package.

Only software versions whose status is indicated as unpacked (using the cur command) can be removed.

/ssl/maint

Page 585: 24.0.0 Command Reference

SSL Performance Maintenance Menu

[Maintenance Menu]
hsm - HSM menu
dumplogs - Tech suppt dump log files to TFTP/FTP/SFTP server
dumpstat - Tech suppt dump curr. status to TFTP/FTP/SFTP server
chkcfg - Check applied configuration
starttrace - Start Trace
stoptrace - Stop Trace

SSL Performance Maintenance Menu Options

Command Syntax and Usage

hsm

Go to the HSM menu. To view menu options, see "/ssl/maint/hsm SSL Performance HSM Menu" (page 585).

dumplogs

Dump the log files. System log file information is collected from the iSD host you are connected to (or optionally, all iSD hosts in the cluster) and sent to a file in the gzip compressed tar format on the TFTP server you have specified. The information can then be used for technical support purposes.

The file sent to the TFTP server does not contain any sensitive information related to the system configuration, such as certificates, private keys, and so on.

dumpstat

Dump the current status. The current system internal status is collected from the iSD host you are connected to (or optionally, all iSD hosts in the cluster) and sent to a file in the gzip compressed tar format on the TFTP server you have specified. The information can then be used for technical support purposes.

chkcfg [all-isds | one-isd] [item...]

Check the applied configuration.

starttrace [ <tags> ] [ <VPN> ]

Start trace. Valid tags are all, aaa, dns, ike, ipsec, ippool, ssl, tg, pptp, upref, netdirect, net and direct_packet.

stoptrace

Stop the Trace.

/ssl/maint/hsm

Page 586: 24.0.0 Command Reference

SSL Performance HSM Menu

The /ssl/maint/hsm menu is only available to HSM enabled iSDs.

[HSM Menu]
login - Login to HSM cards on local iSD
splitkey - Split a wrap key onto CODE iKeys
changepass - Change iKey password

SSL Performance Maintenance HSM Menu Options

Command Syntax and Usage

login <HSM-USER password for the currently inserted HSM-USER iKey>

Lets you log in to an HSM card, using the HSM-USER iKey and the correct password.

splitkey

Splits the wrap key used by the hardware security module onto the two black CODE iKeys.

changepass <card number [0 | 1] iKey [HSM-SO | HSM-USER] current password for the selected iKey new password for the selected iKey>

Sets the password for an HSM-SO or an HSM-USER iKey.

Page 587: 24.0.0 Command Reference

Appendix: Nortel Application Switch Operating System Syslog Messages

The following syntax is used when outputting syslog messages:

<Timestamp> <Log Label> Web OS <Thread ID>: <Message>

where:

• <Timestamp>

The time of the message event is displayed in month day hour:minute:second format. For example: Aug 19 14:20:30

• <Log Label>

The following types of log messages are recorded: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG

• <Thread ID>

This is the software thread that reports the log message. The following thread IDs are recorded: stp, ip, slb, console, telnet, vrrp, system, web server, ssh, and bgp

• <Message>: The log message

Following is a list of potential syslog messages. To keep this list as short as possible, only <Thread ID> and Message are shown. The messages are sorted by <Log Label>.

Where the <Thread ID> is listed as mgmt, one of the following may be shown: console, telnet, web server, or ssh.

LOG_WARNING

FILTER "filter <filter number> fired on port <port number>, <source IP address> - <destination IP address>, [ <ICMP type> ], [ <IP protocol> ], [ <layer-4 ports> ], [ <TCP flags> ]"

Page 588: 24.0.0 Command Reference

ntp: cannot contact primary NTP server ip_address

ntp: cannot contact secondary NTP server ip_address

LOG_ALERT

stp: own BPDU received from port port_id

IP cannot contact default gateway ip_address

vrrp: received errored advertisement from ip_address

vrrp: received incorrect password from ip_address

vrrp: received incorrect addresses from ip_address

vrrp: received incorrect advertisement interval seconds from ip_address

slb: cannot contact real server ip_address

slb: real server ip_address has reached maximum connections

gslb: received update from ip_address for unknown remote server ip_address

gslb: received update from ip_address for unknown virtual service

gslb: received update for unknown remote server ip_address from ip_address

gslb: received update for unknown service ip_address:service

slb: cannot contact real service ip_address:real_port

slb: real server failure threshold ( threshold ) has been reach for group group_id

slb: real server ip_address disabled through configuration

slb: Virtual Service Pool full. gSvcPool=MAX_SERVICES

bgp: notification ( reason ) received from BGP peer ip_address

bgp: session with BGP peer ip_address failed ( reason )

vrrp: Synchronization from non-configured peer ip_address

vrrp: Synchronization from non-configured peer ip_address was blocked

dps: hold down triggered: ip_address for min minutes

dps: manual hold down: ip_address

syn_atk SYN attack detected: count new half-open sessions per second

tcplim hold down triggered: ip_address for min minutes

slb: real group number is down with advanced health check formula.

Page 589: 24.0.0 Command Reference

LOG_CRIT

SYSTEM: temperature at sensor sensor_id exceeded threshold

SYSTEM: internal power supply failed

SYSTEM: redundant power supply failed

SYSTEM: fan failure detected

SSH can’t allocate memory in load_MP_INT

LOG_ERR

mgmt: PANIC at file : line in thread thread id

mgmt: VERIFY at file : line in thread thread id

mgmt: ASSERT at file : line in thread thread id

ntp: unable to listen to NTP port

isd: unable to listen to BOOTP_SERVER_PORT port

stp: Error: Error writing STG config to FLASH

stp: Error: Error writing config to FLASH

mgmt: Apply not done

mgmt: Save not done

mgmt: "apply"|"save" is issued by another user. Try later

cli: Error: Error writing %s config to FLASH

cli: New Path Cost for Port port_id is invalid

cli: PVID vlan_id for port port_id is not created

cli: RADIUS secret must be 1-32 characters long

cli: Please configure primary RADIUS server address

cli: STP changes can’t be applied since STP is OFF

cli: Switch reset is required to turn STP on/off

cli: Trunk group trunk_id contains ports with different PVIDs

cli: Trunk group trunk_id has more than max_trunk_ports ports

cli: Trunk group trunk_id contains no ports but is enabled

cli: Not all ports in trunk group trunk_id are in VLAN vlan_id

cli: Trunk groups trunk_id and trunk_id can not share the same port

port_mirr: Port Mirroring changes are not applied

cli: Broadcast address for IP interface interface_id is invalid

cli: IP Interfaces interface_id and interface_id are on the same subnet

cli: Multiple static routes have same destination

Page 590: 24.0.0 Command Reference

cli: Virtual router vr_id must have sharing disabled when hotstandby is enabled

cli: Virtual router group must be enabled when hotstandby is enabled

cli: At least one virtual router must be enabled when group is enabled

cli: Virtual router group must have sharing disabled when hotstandby is enabled

cli: Virtual router group must have preemption enabled when hotstandby is enabled

cli: Virtual router vr_id must have an IP address

cli: Virtual router vr_id cannot have same VRID and VLAN as vlan_id

cli: Virtual router vr_id cannot have same IP address as ip_address

cli: Virtual router vr_id corresponding virtual server server_id is not enabled

cli: Hot-standby must be enabled when a virtual router has a PIP address

cli: Virtual router vr_id IP interface should be interface_id

cli: Enabled real server server_id has no IP address

cli: Real server server_id has same IP address as IP interface interface_id

cli: Real server server_id has same IP address as switch

cli: Real server server_id (Backup for server_id ) is not enabled

cli: Real server server_id has same IP address as virtual server server_id

cli: Real server server_id has same IP address as real server server_id

cli: Real server group group_id cannot backup itself

cli: Real server server_id cannot be added to same group

cli: Enabled virtual server server_id has no IP address

cli: Virtual server server_id has same IP address as IP interface interface_id

cli: Virtual server server_id has same IP address as switch

cli: Virtual servers server_id and server_id with same IP address must support same layr3 configuration

cli: Real server server_id cannot be backup server for both real server server_id and group group_id

cli: Virtual server server_id has same IP address and vport as virtual server server_id

cli: RS server_id can’t exist for VS server_id vport virtual_port

cli: Switch port port_id has same proxy IP address as port port_id

cli: Switch port port_id has same IP address as IP interface interface_id

Page 591: 24.0.0 Command Reference

cli: A hot-standby port cannot also be an inter-switch port

cli: There must be at least one inter-switch port if any hot-standby port exist

cli: With VMA, ports 1-8 must all have a PIP if any one does

cli: Client bindings are not supported with proxy IP addresses

cli: DAM must be turned on or a PIP must be enabled for port port_id in order for virtual server to support FTP parsing

cli: Real server server_id and group %u cannot both have backups configured

cli: Virtual server server_id : port mapping but layer3 bindings

cli: Extracting length has to set to 8 or 16 for cookie rewrite mode

cli: DAM must be turned on or a PIP must be enabled for port port_id in order for virtural server server_id to support URL parsing

cli: Port filtering must be disabled on port port_id in order to support cookie based persistence for virtual server server_id

cli: Virtual server server_id : port mapping but Direct Access Mode

cli: Virtual server %lu: support nonat IP but not layer 3 bindings

cli: Virtual servers: all that support IP must use same group

cli: Virtual servers server_id and server_id that include the same real server server_id cannot map the same real port or balance UDP

cli: Virtual server server_id : UDP service virtual_port with out-of-range port number

cli: Switch cannot support more than MAX_VIRT_SERVICES virtual services

cli: Switch cannot support more than MAX_SMT real services

cli: Trunk group ( trunk_id ) ports must have same L4 config

cli: Trunk group ( trunk_id ) ports must all have a PIP

cli: DAM must be turned on or a PIP must be enabled for ports port_id in order to do URL based redirection

cli: Two services have same hostname, host_name.domain_name

cli: Direct access mode is not supported with default gateway load balancing

cli: SLB Radius secret must be 16 characters long

cli: Dynamic NAT filter filter_id must be cached

cli: NAT filter filter_id must have same smask and dmask

cli: NAT filter filter_id cannot have port ranges

cli: NAT filter filter_id must be cached

cli: NAT filter filter_id dest range includes VIP server_id

Page 592: 24.0.0 Command Reference

cli: NAT filter filter_id dest range includes RIP server_id

cli: Redirection filter filter_id must be cached

cli: Filter with L4 ports configured port_id must have IP protocol configured

cli: For Global SLB, Web server must be moved from TCP port 80

cli: Remote site site_id does not have a primary IP address

cli: Primary and secondary remote site site_id switches must differ

cli: Remote sites site_id and site_id must use different addresses

cli: Remote site site_id and real server server_id must use different addresses

cli: Remote site site_id and virtual server server_id must use different addresses

cli: Only MAX_SLB_SITES remote servers are allowed per group

cli: Only MAX_SLB_SERVICES remote services are supported

cli: Enabled external lookup IP address has no IP address

cli: domain name must be configured

cli: Network static_network_id has no VIP address

cli: duplicate default entry

cli: BGP peer bgp_peer_id must have an IP address

cli: BGP peers bgp_peer_id and bgp_peer_id have same address

cli: BGP peer bgp_peer_id have same address as IP interface ip_interface_id

cli: BGP peer bgp_peer_id IP interface ip_interface_id is not enabled

cli: Filter with ICMP types configured ( icmp_type ) must have IP protocol configure to ICMP

cli: Two services have same hostname, host_name.domain_name

cli: Loadbalance string must be added to real server server_id in order to enable exclusionary string matching

cli: intrval input value must be in the range [0-24]

mgmt: unapplied changes reverted

mgmt: unsaved changes reverted

mgmt: Attempting to redirect a previously redirected output

vrrp: Attempting to redirect a previously redirected output

vrrp: cfg_sync_tx_putsn: ABORTED

vrrp: Synchronization TX Error

vrrp: Synchronization TX connection RESET

vrrp: Synchronization TX connection TIMEOUT

Page 593: 24.0.0 Command Reference

vrrp: Synchronization TX connection UNREACEABLE

vrrp: Synchronization TX connection UNKNOWN CLOSE

vrrp: Synchronization RX connection RESET

vrrp: Synchronization RX connection TIMEOUT

vrrp: Synchronization RX connection UNREACEABLE

vrrp: Synchronization RX connection UNKNOWN CLOSE

vrrp: Synchronization connection RCLOSE by peer

vrrp: Synchronization connection RCLOSE before RX

vrrp: Synchronization connection early RCLOSE in RX

vrrp: Synchronization connection Wait-For-Close Timeout

vrrp: Synchronization connection Transmit Timeout

vrrp: Synchronization Receive Timeout

vrrp: Synchronization Receive UNKNOWN Timeout

vrrp: Sync transmit in progress ... cannot start Sync

vrrp: Sync receive in progress ... cannot start Sync

vrrp: Sync already in progress ... cannot start Sync

vrrp: Config Sync route find error

vrrp: Config Sync tcp_open error

vrrp: Config Synchronization Timeout - Resuming Console thread

vrrp: "apply"|"save" is issued by another user. Try later

vrrp: new configuration did not validate (rc = )

vrrp: new configuration did not apply (rc = )

vrrp: new configuration did not save (rc = )

vrrp: Sync config apply error

vrrp: Restoring Current Config

vrrp: Sync rx tcp open error

vrrp: Sync Version/Password Failed-No Version/Password Line

vrrp: Sync Version Failed - peer:%s config:%s

vrrp: Sync Password Failed-Bad Password

vrrp: Sync receive already in progress ... cannot start Sync receive

vrrp: Sync transmit in progress ... cannot start Sync receive

Page 594: 24.0.0 Command Reference

LOG_NOTICE

system: internal power supply ok

system: redundant power supply present and ok

system: temperature ok

system: fan ok

system: rebooted last_reset_information

system: rebooted last_reset_information administrator logged in

mgmt: boot config block changed

mgmt: boot image changed

mgmt: switch reset from CLI

mgmt: syslog host changed to ip_address

mgmt: syslog host changed to this host

mgmt: second syslog host changed to ip_address

mgmt: second syslog host changed to this host

mgmt: Next boot will use active config block

mgmt: user password changed

mgmt: SLB operator password changed

mgmt: L4 operator password changed

mgmt: operator password changed

mgmt: SLB administrator password changed

mgmt: L4 administrator password changed

mgmt: administrator password changed

ssh: scp login_level login

ssh: scp login_level "connection closed"|"idle timeout"|"logout"

mgmt: RADIUS server timeouts

mgmt: Failed login attempt via TELNET from host %s

mgmt: PASSWORD FIX-UP MODE IN USE

mgmt: login_level login on Console

mgmt: login_level "idle timeout"|"logout" from Console

mgmt: PANIC command from CLI

port_mirr: port mirroring is "enabled"|"disabled"

vlan: Default VLAN can not be deleted

mgmt: login_level login from host ip_address

mgmt: login_level "connection closed"|"idle timeout"|"logout" from

Page 595: 24.0.0 Command Reference

IP default gateway ip_address "enabled"|"disabled"

IP default gateway ip_address operational

vrrp: virtual router ip_address is now master

vrrp: virtual router ip_address is now backup

slb: backup server ip_address "enabled"|"diabled" for real server server_id

slb: backup server ip_address "enabled"|"disabled" for real server group group_id

slb: backup group server ip_address "enabled"|"disabled" for real server group group_id

slb: overflow server ip_address "enabled"|"disabled" for real server server_id

slb: overflow server ip_address "enabled"|"disabled" for real server group group_id

slb: overflow group server ip_address "enabled"|"disabled" for real server group group_id

slb: real server ip_address operational

slb: real service ip_address:real_port operational

slb: No services are available for Virtual Server virtual_server

slb: Services are available for Virtual Server virtual_server

bgp: session established with BGP_peer_ip_address

slb: real group number is up with advanced health check formula

LOG_INFO

SYSTEM: bootp response from ip_address

mgmt: new configuration applied

mgmt: new configuration saved

mgmt: unsaved changes reverted

mgmt: Could not revert unsaved changes

mgmt: image1|image2 downloaded from host ip_address, file file_name software_version

mgmt: serial EEPROM downloaded from host ip_address file file_name

ssh: scp login_level login

ssh: scp login_level "connection closed"|"idle timeout"|"logout"

mgmt: login_level login on Console

mgmt: login_level "idle timeout"|"logout" from Console

Page 596: 24.0.0 Command Reference

mgmt: login_level login from host ip_address

mgmt: login_level "connection closed"|"idle timeout"|"logout" from Telnet/SSH.

ssh: server key autogen starts

ssh: server key autogen completes

ssh: server key autogen timer timeouts

vrrp: new synch configuration applied

vrrp: new synch configuration saved

vrrp: Synchronizing from host_name

vrrp: Synchronizing to host_name

vrrp: Config Synchronization Transmit Successful

vrrp: Config Synchronization Receive Successful

vrrp: new configuration VALIDATED
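The following is an added example, not part of the Nortel reference: a Python triage pass that parses lines in the syslog layout given at the start of this appendix and flags the security-relevant messages from the list (failed logins, VRRP password mismatches, SYN attack alerts, syslog host, boot and password changes). The exact spacing of a line, the optional `LOG_` prefix and `Web OS` token, the rule names, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed line layout; the reference gives the field order only:
#   <Timestamp> <Log Label> [Web OS] <Thread ID>: <Message>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?:LOG_)?(?P<label>EMERG|ALERT|CRIT|ERR|WARNING|NOTICE|INFO|DEBUG)\s+"
    r"(?:Web OS\s+)?(?P<text>.+)$"
)
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"

# Rule names are hypothetical; the message templates are the ones listed in
# this appendix. Rules match on thread ID plus message together, because some
# entries are printed without a colon after the thread ID.
RULES = [
    ("mgmt_login_failure",
     re.compile(r"mgmt: Failed login attempt via TELNET from host " + IP)),
    ("vrrp_bad_password",
     re.compile(r"vrrp: received incorrect password from " + IP)),
    ("vrrp_sync_bad_password",
     re.compile(r"vrrp: Sync Password Failed-Bad Password")),
    ("vrrp_sync_unknown_peer",
     re.compile(r"vrrp: Synchronization from non-configured peer " + IP)),
    ("syn_attack", re.compile(r"SYN attack detected")),
    ("syslog_host_changed",
     re.compile(r"mgmt: (?:second )?syslog host changed to (?:" + IP + r"|this host)")),
    ("password_changed",
     re.compile(r"mgmt: (?P<account>[\w ]+?) password changed")),
    ("boot_changed", re.compile(r"mgmt: boot (?:image|config block) changed")),
]


def parse_line(line):
    """Split one syslog line into timestamp, label and text; None if malformed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": m.group("ts"), "label": m.group("label"), "text": m.group("text")}


def classify(event):
    """Return (rule_name, extracted_fields) for the first matching rule."""
    for name, rx in RULES:
        m = rx.search(event["text"])
        if m:
            return name, {k: v for k, v in m.groupdict().items() if v}
    return None, {}


def triage(lines, login_threshold=3):
    """Collect flagged events and the hosts with repeated login failures."""
    findings, failures, skipped = [], Counter(), 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            skipped += 1  # keep count so malformed input is visible
            continue
        name, fields = classify(event)
        if name is None:
            continue
        findings.append((event["ts"], name, fields))
        if name == "mgmt_login_failure":
            failures[fields["ip"]] += 1
    noisy = sorted(ip for ip, n in failures.items() if n >= login_threshold)
    return findings, noisy, skipped


# Constructed sample lines (documentation address ranges), not captured output.
SAMPLE = [
    "Aug 19 14:20:30 NOTICE mgmt: Failed login attempt via TELNET from host 192.0.2.10",
    "Aug 19 14:20:34 NOTICE mgmt: Failed login attempt via TELNET from host 192.0.2.10",
    "Aug 19 14:20:39 NOTICE mgmt: Failed login attempt via TELNET from host 192.0.2.10",
    "Aug 19 14:21:02 NOTICE mgmt: Failed login attempt via TELNET from host 198.51.100.7",
    "Aug 19 14:22:10 ALERT vrrp: received incorrect password from 192.0.2.44",
    "Aug 19 14:25:00 NOTICE mgmt: syslog host changed to 198.51.100.99",
    "Aug 19 14:25:41 NOTICE mgmt: administrator password changed",
    "Aug 19 14:26:03 INFO mgmt: new configuration applied",
    "Aug 19 14:27:15 ALERT syn_atk SYN attack detected: 1200 new half-open sessions per second",
    "garbled line without a timestamp",
]

if __name__ == "__main__":
    found, noisy_hosts, bad = triage(SAMPLE)
    for ts, rule, fields in found:
        print(ts, rule, fields)
    print("hosts over login-failure threshold:", noisy_hosts, "| unparsed lines:", bad)
```

A syslog host change that follows a burst of login failures from the same address is worth correlating by timestamp, since it redirects where later messages are sent.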

Page 597: 24.0.0 Command Reference

Appendix: Nortel Application Switch Operating System SNMP Agent

The Nortel Application Switch Operating System SNMP agent supports SNMP Version 1, Version 2, and Version 3. Version 3 supports two authentication protocols: MD5 and SHA. Nortel MIBs are registered as Vendor 1872. Detailed SNMP MIBs and trap definitions of the Nortel Application Switch Operating System SNMP agent can be found in the following enterprise MIB documents:

• altroot.mib -

• aosSwitch.mib

• aosPhysical.mib

• aosNetwork.mib

• aosLayer4.mib

• aosLayer7.mib

• aosBwm.mib

• aosTrap.mib

In addition, the following SynOptics MIBs are also supported:

• synro193.mib -- SynOptics Root MIB

• s5roo117.mib -- SynOptics Registration MIB

• s5tcs112.mib -- Textual Convention MIB

• s5emt104.mib -- Ethernet Multi segment Autotopology MIB

SNMPv1|v2|v3 traps can be sent to the hosts configured in targetAddr table. Up to 16 IP addresses can be configured in targetAddr table.

Nortel Application Switch Operating System SNMP agent supports the following standard MIBs:

• RFC 1213 - MIB II (System, Interface, Address Translation, IP, ICMP, TCP, UDP, SNMP Groups)

Page 598: 24.0.0 Command Reference

• RFC 1573 - MIB II Extension (IFX table)

• RFC 1643 - EtherLike MIB

• RFC 1493 - Bridge MIB

• RFC 1757 - RMON MIB (Statistics, History, Alarm, Event Groups)

• RFC 1850 for OSPF

• RFC 1657 for BGP

• IEEE 802.3ad MIB for LACP

The following SNMPv3 MIBs are supported:

• RFC 2571 - SNMP Framework

• RFC 2572 - MPD MIB

• RFC 2573 - Target MIB

• RFC 2574 - USM MIB

• RFC 2575 - VACM MIB

• RFC 2576 - Community MIB

Nortel Application Switch Operating System SNMP agent supports the following generic traps as defined in RFC 1215:

• ColdStart

• WarmStart

• LinkDown

• LinkUp

• AuthenticationFailure

The SNMP agent also supports two Spanning Tree traps as defined in RFC 1493:

• NewRoot

• TopologyChange

The following are the enterprise SNMP traps supported in Nortel Application Switch Operating System:

Nortel Application Switch Operating System-Supported Enterprise SNMP Traps

Trap Name Description

altSwDefGwUp Signifies that the default gateway is alive.

Page 599: 24.0.0 Command Reference

altSwDefGwDown Signifies that the default gateway is down.

altSwDefGwInService Signifies that the default gateway is up and inservice

altSwDefGwNotInService Signifies that the default gateway is alive butnot in service

altSwSlbRealServerUp Signifies that the real server is up andoperational

altSwSlbRealServerDown Signifies that the real server is down and outof service

altSwSlbRealServerMaxConnReached

Signifies that the real server has reachedmaximum connections

altSwSlbBkupRealServerAct Signifies that the backup real server is activateddue to availablity of the primary real server

altSwSlbBkupRealServerDeact

Signifies that the backup real server isdeactivated due to the primary real server isavailable

altSwSlbBkupRealServerActOverflow

Signifies that the backup real server isdeactivated due to the primary real server isoverflowed

altSwSlbBkupRealServerDeactOverflow

Signifies that the backup real server isdeactivated due to the primary real server is outfrom overflow situation

altSwfltFilterFired Signifies that the packet received on a switchport matches the filter rule

altSwSlbRealServerServiceUp Signifies that the service port of the real serveris up and operational

altSwSlbRealServerServiceDown

Signifies that the service port of the real serveris down and out of service

altSwVrrpNewMaster The newMaster trap indicates that the sendingagent has transitioned to ’Master’ state.

altSwVrrpNewBackup The newBackup trap indicates that the sendingagent has transitioned to ’Backup’ state.

altSwVrrpAuthFailure A vrrpAuthFailure trap signifies that apacket has been received from a router whoseauthentication key or authentication typeconflicts with this router’s authentication key orauthentication type. Implementation of this trapis optional.

altSwLoginFailure An altSwLoginFailure trap signifiesthat someone failed to enter a validusername/password combination.

Nortel Application Switch Operating SystemCommand Reference

NN47220-105 (320506-D) 01.01 Standard24.0 28 January 2008

Copyright © 2008, Nortel Networks

.

Page 600: 24.0.0 Command Reference

600 Appendix Nortel Application Switch Operating System SNMP Agent

Trap Name Description

altSwSlbSynAttack An altSwSlbSynAttack trap signifies that aSYN attack has been detected.

altSwTcpHoldDown An altSwTcpHoldDown trap signifies that newTCP connection requests from a particular clientwill be blocked for a pre-determined amount oftime since the rate of new TCP connectionsfrom that client has reached a pre-determinedthreshold.

altSwTempExceedThreshold An altSwTempExceedThreshold trapsignifies that the switch temperature hasexceeded maximum safety limits.

altSwSlbSessAttack An altSwSlbSessAttack trap signifies thatan SLB attack has been detected.

altSwFanFailure An altSwFanFailure trap signifies that a fanfailure has occured.

altSwSlbVirtServerServicesUp An altSwSlbVirtServerServicesUp trapsignifies that the service ports of the virtualserver is up and operational.

altSwSlbVirtServerServicesDown

An altSwSlbVirtServerServicesDowntrap signifies that the service ports of the Virtualserver is down and out of service.

altSwSlbRealGroupAdvhlUp An altSwSlbRealGroupAdvhlUp trapsignifies that the real group is up with advancedhealth check formula.

altSwSlbRealGroupAdvhlDown

An altSwSlbRealGroupAdvhlDown trapsignifies that the real group is down withadvanced health check formula.

altSwSlbBkupGroupAct An altSwSlbBkupGroupAct trap signifiesthat the backup group is enabled while primarygroup is going down with advanced healthcheck formula.

altSwSlbBkupGroupDeact An altSwSlbBkupGroupDeact trap signifiesthat the backup group is disabled while primarygroup is getting up with advanced health checkformula.

altSwSlbRemoteRealServerUp An altSwSlbRemoteRealServerUp trapsignifies that the remote real server is up.

altSwSlbRemoteRealServerDown

An altSwSlbRemoteRealServerDown trapsignifies that the remote real server has gonedown and is out of service.

altSwSlbRealServerOperDis An altSwSlbRealServerOperDis trapsignifies that the real server is disabledoperationally.

Nortel Application Switch Operating SystemCommand Reference

NN47220-105 (320506-D) 01.01 Standard24.0 28 January 2008

Copyright © 2008, Nortel Networks

.

Page 601: 24.0.0 Command Reference

Appendix Nortel Application Switch Operating System SNMP Agent 601

Trap Name Description

altSwSlbRealServerOperEna An altSwSlbRealServerOperEna trapsignifies that the real server is enabledoperationally.

altSwIfcVlanDown An altSwIfcVlanDown trap signifies that allthe interfaces in that vlan either disabled ormoved to different vlan.

altSwPortVlanDown An altSwPortVlanDown trap signifies that allthe ports either down or moved to different vlanand interfaces are down in that vlan.

altSwIfcVlanUp An altSwIfcVlanUp trap signifies thatinterfaces are available for this vlan.

altSwPortVlanUp An altSwPortVlanUp trap signifies thatphysical ports and interfaces are available forthis vlan.
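A triage sketch for a trap receiver's log, added here as an example and not part of the Nortel documentation: it separates the security-relevant traps listed above from operational ones and raises an alert on a burst of altSwLoginFailure traps from one switch. The log line layout, the 60-second window and the threshold of 3 are assumptions; only the trap names come from this appendix.

```python
"""Triage of Nortel Application Switch traps (added example).

Assumed log layout, one trap per line: "<ISO timestamp> <agent IP> <trap name>".
This layout is an assumption about the trap receiver, not a switch format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Traps from this appendix that a security team would normally alert on.
SECURITY_TRAPS = {
    "altSwLoginFailure": "auth",
    "altSwVrrpAuthFailure": "auth",
    "AuthenticationFailure": "auth",   # generic RFC 1215 trap
    "altSwSlbSynAttack": "dos",
    "altSwSlbSessAttack": "dos",
    "altSwTcpHoldDown": "dos",
    "altSwfltFilterFired": "policy",
}


def parse_line(line):
    """Return (timestamp, agent, trap) or None when the line is malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return ts, parts[1], parts[2]


def triage(lines, window=timedelta(seconds=60), threshold=3):
    """Count traps per category and collect alerts.

    A login-failure alert needs `threshold` failures from the same agent
    inside `window`; the counter restarts after each alert. Every DoS-class
    trap produces an alert of its own.
    """
    counts = defaultdict(int)
    recent = defaultdict(deque)      # agent -> timestamps of login failures
    alerts = []
    for line in lines:
        record = parse_line(line)
        if record is None:
            counts["malformed"] += 1
            continue
        ts, agent, trap = record
        category = SECURITY_TRAPS.get(trap, "operational")
        counts[category] += 1
        if trap == "altSwLoginFailure":
            failures = recent[agent]
            failures.append(ts)
            while ts - failures[0] > window:   # drop failures outside the window
                failures.popleft()
            if len(failures) >= threshold:
                alerts.append((agent, "login-failure burst", failures[0], ts))
                failures.clear()
        elif category == "dos":
            alerts.append((agent, trap, ts, ts))
    return dict(counts), alerts


# Constructed sample log; 192.0.2.0/24 is a documentation address range.
SAMPLE = [
    "2008-01-28T10:00:00 192.0.2.10 altSwSlbRealServerDown",
    "2008-01-28T10:00:05 192.0.2.10 altSwLoginFailure",
    "2008-01-28T10:00:20 192.0.2.10 altSwLoginFailure",
    "2008-01-28T10:00:41 192.0.2.10 altSwLoginFailure",
    "2008-01-28T10:03:00 192.0.2.11 altSwLoginFailure",
    "2008-01-28T10:04:00 192.0.2.10 altSwSlbSynAttack",
    "garbled line",
    "2008-01-28T10:05:00 192.0.2.11 altSwVrrpNewMaster",
]

if __name__ == "__main__":
    totals, found = triage(SAMPLE)
    print(totals)
    for alert in found:
        print(alert)
```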


Appendix Performing a Serial Download

You can perform a serial download of the new Nortel Application Switch software if you are upgrading Nortel Application Switch Operating System directly from any image.

This procedure requires the following:

• A computer running terminal emulation software

• A standard serial cable with a male DB9 connector (see your switch hardware installation guide for specifics)

• A binary switch firmware image (not the tftp file used for TFTP download)

Use the following procedure to perform a serial upgrade.

Step Action

1 Using the serial cable, connect the Console port of a Nortel Application Switch to the serial port of your PC that supports XModem/1K XModem.

2 Start HyperTerminal (part of Microsoft Windows) and set the following parameters:

| Parameter | Value |
|---|---|
| Baud Rate | 9600 |
| Data Bits | 8 |
| Parity | None |
| Stop Bits | 1 |
| Flow Control | None |

3 Power on the switch.


4 Hold the Shift key down and hit D repeatedly until the following message appears:

    Nortel Application Switch - PPCBoot 2.2.
    To download a serial image use 1K Xmodem at 115200

5 Reconfigure your terminal emulation software with the following parameters (only after you see the message displayed in step 4):

| Parameter | Value |
|---|---|
| Baud Rate | 115200 |
| Data Bits | 8 |
| Parity | None |
| Stop Bits | 1 |
| Flow Control | None |

Note: You can perform serial downloads at 57600 baud rate by pressing Shift f or at 115200 baud rate by pressing Shift d.

6 Press Enter on the keyboard of the PC that is connected to the console port of the switch. When the Console Port is successfully communicating with the PC, you will see: CCCC...

7 Make sure that the new binary firmware file is available on the computer. This file can be downloaded from the CD that is shipped with the switch. Select Transfer-Send File and choose the following:

file: For example, "21.0.0.0_Serial.img" (or the file previously downloaded to the computer)
protocol: 1K XMODEM

It will take about 15 minutes for the transfer to complete.

Note: Although slower, XMODEM will work too if you choose not to use 1K XMODEM.

8 Power off the switch, wait for a few seconds and power the switch on.

CAUTION
Do not power off the switch until you see the message: "Change your baud rate to 9600 bps and power cycle switch", otherwise, the switch will be inoperable.


9 The switch will boot with the new software load. You should see the following sample log on your screen:

    Nortel Application Switch - PPCBoot 2.2.
    To download a serial image use 1K Xmodem at 115200
    CCCCCCCCCCCCCCCCCCCCCCCCCCCCC
    Total bytes transferred: 0x4ff400
    Extracting images... Do *NOT* power cycle the switch
    Updating flash...#################################################################
    Change your baudrate to 9600 bps and power cycle the switch

—End—
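What the terminal program does during step 7, as an added example that is not part of the Nortel documentation: each "C" the boot loader prints asks the sender to use CRC-16 mode, and the sender answers with numbered 1024-byte XMODEM-1K blocks (or 128-byte blocks in plain XMODEM). The function names and the sample image are constructed for illustration; the block layout is the standard XMODEM one.

```python
"""XMODEM / 1K XMODEM block framing as used by the serial download (added example)."""

SOH, STX = 0x01, 0x02        # header byte of a 128-byte / 1024-byte block
CRC_REQUEST = ord("C")       # the "CCCC..." prompt: receiver asks for CRC-16 mode
PAD = 0x1A                   # SUB, fills up the final short block


def crc16_xmodem(data):
    """CRC-16 with polynomial 0x1021 and initial value 0 (the XMODEM CRC)."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def block_count(size, block_size=1024):
    """Number of blocks needed for an image of `size` bytes."""
    return -(-size // block_size)


def build_frames(image, block_size=1024):
    """Split an image into frames: header, number, ~number, payload, CRC-16."""
    if block_size not in (128, 1024):
        raise ValueError("block size must be 128 (XMODEM) or 1024 (1K XMODEM)")
    header = STX if block_size == 1024 else SOH
    frames = []
    for offset in range(0, len(image), block_size):
        number = (offset // block_size + 1) & 0xFF      # starts at 1, wraps at 256
        payload = image[offset:offset + block_size].ljust(block_size, bytes([PAD]))
        crc = crc16_xmodem(payload)
        frames.append(bytes([header, number, 0xFF - number]) + payload
                      + crc.to_bytes(2, "big"))
    return frames


def check_frame(frame, expected_number):
    """Receiver-side validation; returns the payload or raises ValueError."""
    size = {SOH: 128, STX: 1024}.get(frame[0]) if frame else None
    if size is None or len(frame) != size + 5:
        raise ValueError("bad header byte or frame length")
    number, complement = frame[1], frame[2]
    if number != (expected_number & 0xFF) or number + complement != 0xFF:
        raise ValueError("block number mismatch")
    payload = frame[3:-2]
    if crc16_xmodem(payload) != int.from_bytes(frame[-2:], "big"):
        raise ValueError("CRC mismatch")
    return payload


# Constructed stand-in for a firmware image (2308 bytes, so the last block is padded).
SAMPLE_IMAGE = bytes(range(256)) * 9 + b"tail"

if __name__ == "__main__":
    frames = build_frames(SAMPLE_IMAGE)
    print(len(frames), "frames of", len(frames[0]), "bytes")
    # The sample log in step 9 reports 0x4ff400 bytes transferred.
    print(block_count(0x4FF400), "1K blocks for the image in the sample log")
```

The CRC-16 only catches corruption on the serial line; it says nothing about where the image came from, so the file should be checked against a trusted source before it is sent.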


Glossary

DIP (Destination IP Address)
The destination IP address of a frame.

Dport (Destination Port)
The destination port (application socket: for example, http-80/https-443/DNS-53).

NAT (Network Address Translation)
Any time an IP address is changed from one source IP or destination IP address to another address, network address translation can be said to have taken place. In general, half NAT is when the destination IP or source IP address is changed from one address to another. Full NAT is when both addresses are changed from one address to another. No NAT is when neither source nor destination IP addresses are translated. Virtual server-based load balancing uses half NAT by design, because it translates the destination IP address from the Virtual Server IP address to that of one of the real servers.

Preemption
In VRRP, preemption will cause a Virtual Router that has a lower priority to go into backup should a peer Virtual Router start advertising with a higher priority.

Priority
In VRRP, the value given to a Virtual Router to determine its ranking with its peer(s). Minimum value is 1 and maximum value is 254. Default is 100. A higher number will win out for master designation.

Proto (Protocol)
The protocol of a frame. Can be any value represented by an 8-bit value in the IP header adherent to the IP specification (for example, TCP, UDP, OSPF, ICMP, and so on).


Real Server Group
A group of real servers that are associated with a Virtual Server IP address, or a filter.

Redirection or Filter-Based Load Balancing
A type of load balancing that operates differently from virtual server-based load balancing. With this type of load balancing, requests are transparently intercepted and "redirected" to a server group. "Transparently" means that requests are not specifically destined for a Virtual Server IP address that the switch owns. Instead, a filter is configured in the switch. This filter intercepts traffic based on certain IP header criteria and load balances it.

Filters can be configured to filter on the SIP/Range (via netmask), DIP/Range (via netmask), Protocol, SPort/Range or DPort/Range. The action on a filter can be Allow, Deny, Redirect to a Server Group, or NAT (translation of either the source IP or destination IP address). In redirection-based load balancing, the destination IP address is not translated to that of one of the real servers. Therefore, redirection-based load balancing is designed to load balance devices that normally operate transparently in your network, such as a firewall, spam filter, or transparent Web cache.

RIP (Real Server)
Real Server IP Address. An IP address that the switch load balances to when requests are made to a Virtual Server IP address (VIP).

SIP (Source IP Address)
The source IP address of a frame.

SPort (Source Port)
The source port (application socket: for example, HTTP-80/HTTPS-443/DNS-53).

Tracking
In VRRP, a method to increase the priority of a virtual router and thus master designation (with preemption enabled). Tracking can be very valuable in an active/active configuration.

You can track the following:

• Vrs: Virtual Routers in Master Mode (increments priority by 2 for each)

• Ifs: Active IP interfaces on the Nortel Application Switch (increments priority by 2 for each)

• Ports: Active ports on the same VLAN (increments priority by 2 for each)

• l4pts: Active Layer 4 Ports, client or server designation (increments priority by 2 for each)


• reals: healthy real servers (increments by 2 for each healthy real server)

• hsrp: HSRP announcements heard on a client designated port (increments by 10 for each)

VIP (Virtual Server IP Address)
An IP address that the switch owns and uses to load balance particular service requests (like HTTP) to other servers.

VIR (Virtual Interface Router)
A VRRP address that is an IP interface address shared between two or more virtual routers.

Virtual Router
A shared address between two devices utilizing VRRP, as defined in RFC 2338. One virtual router is associated with an IP interface. This is one of the IP interfaces that the switch is assigned. All IP interfaces on the Nortel Application Switch must be in a VLAN. If there is more than one VLAN defined on the Nortel Application Switch, then the VRRP broadcasts will only be sent out on the VLAN of which the associated IP interface is a member.

Virtual Server Load Balancing
Classic load balancing. Requests destined for a Virtual Server IP address (VIP), which is owned by the switch, are load balanced to a real server contained in the group associated with the VIP. Network address translation is done back and forth, by the switch, as requests come and go.

Frames come to the switch destined for the VIP. The switch then replaces the VIP with one of the real server IP addresses (RIPs), updates the relevant checksums, and forwards the frame to the server for which it is now destined. This process of replacing the destination IP (VIP) with one of the real server addresses is called half NAT. If the frames were not half NAT'ed to the address of one of the RIPs, a server would receive the frame that was destined for its MAC address, forcing the packet up to Layer 3. The server would then drop the frame, since the packet would have the DIP of the VIP and not that of the server (RIP).

VRID (Virtual Router Identifier)
In VRRP, a value between 1 and 255 that is used by each virtual router to create its MAC address and identify its peer for which it is sharing this VRRP address. The VRRP MAC address as defined in the RFC is 00-00-5E-00-01-{VRID}. If you have a VRRP address that two switches are sharing, then the VRID number needs to be identical on both switches so each virtual router on each switch knows whom to share with.


VRRP (Virtual Router Redundancy Protocol)
A protocol that acts very similarly to Cisco's proprietary HSRP address sharing protocol. The reason for both of these protocols is so devices have a next hop or default gateway that is always available. Two or more devices sharing an IP interface are either advertising or listening for advertisements. These advertisements are sent via a broadcast message to an address such as 224.0.0.18.

With VRRP, one switch is considered the master and the other the backup. The master is always advertising via the broadcasts. The backup switch is always listening for the broadcasts. Should the master stop advertising, the backup will take over ownership of the VRRP IP and MAC addresses as defined by the specification. The switch announces this change in ownership to the devices around it by way of a Gratuitous ARP, and advertisements. If the backup switch didn't do the Gratuitous ARP, the Layer 2 devices attached to the switch would not know that the MAC address had moved in the network. For a more detailed description, refer to RFC 2338.

VSR (Virtual Server Router)
A VRRP address that is a shared Virtual Server IP address. VSR is a Nortel proprietary extension to the VRRP specification. The switches must be able to share Virtual Server IP addresses, as well as IP interfaces. If they didn't, the two switches would fight for ownership of the Virtual Server IP address, and the ARP tables in the devices around them would have two ARP entries with the same IP address but different MAC addresses.
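The Priority, Preemption, Tracking and VRID entries above, combined in one added example that is not Nortel code: it computes a virtual router's priority from its tracked objects, derives the shared MAC address from the VRID, and decides which peer is master. Assumptions: the switch names and addresses are constructed, the sum is clamped to the stated maximum of 254, both peers use the same preemption setting, and ties go to the higher interface address as in RFC 2338.

```python
"""VRRP priority, tracking and master election per the glossary (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address

PRIORITY_MIN, PRIORITY_MAX, PRIORITY_DEFAULT = 1, 254, 100
# Priority added per tracked object, from the Tracking entry.
TRACK_INCREMENT = {"vrs": 2, "ifs": 2, "ports": 2, "l4pts": 2, "reals": 2, "hsrp": 10}


def vrrp_mac(vrid):
    """MAC address of a virtual router: 00-00-5E-00-01-{VRID}."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be between 1 and 255")
    return "00-00-5E-00-01-%02X" % vrid


def effective_priority(base=PRIORITY_DEFAULT, tracked=None):
    """Base priority plus tracking increments.

    Clamping the sum to 254 is an assumption drawn from the stated maximum.
    """
    if not PRIORITY_MIN <= base <= PRIORITY_MAX:
        raise ValueError("base priority must be between 1 and 254")
    total = base
    for kind, count in (tracked or {}).items():
        if kind not in TRACK_INCREMENT or count < 0:
            raise ValueError("bad tracking parameter: %r=%r" % (kind, count))
        total += TRACK_INCREMENT[kind] * count
    return min(total, PRIORITY_MAX)


@dataclass
class VirtualRouter:
    switch: str                      # hypothetical switch name
    vrid: int
    address: str                     # the shared VRRP address
    interface_ip: str                # this switch's own interface address
    base_priority: int = PRIORITY_DEFAULT
    tracked: dict = field(default_factory=dict)

    @property
    def priority(self):
        return effective_priority(self.base_priority, self.tracked)


def elect(routers, current_master=None, preempt=True):
    """Return (switch name, virtual MAC) of the master among live peers.

    Peers that do not agree on VRID and address cannot share the virtual
    router, so that is rejected. Without preemption a live master keeps its
    role even when a peer advertises a higher priority.
    """
    if len({(r.vrid, r.address) for r in routers}) != 1:
        raise ValueError("peers must share one VRID and one VRRP address")
    best = max(routers, key=lambda r: (r.priority, ip_address(r.interface_ip)))
    holder = next((r for r in routers if r.switch == current_master), None)
    if holder is not None and holder is not best:
        if not (preempt and best.priority > holder.priority):
            best = holder
    return best.switch, vrrp_mac(best.vrid)


# Constructed peers sharing VRID 10; addresses are from a documentation range.
SW1 = VirtualRouter("sw1", 10, "192.0.2.1", "192.0.2.2", 100, {"ports": 4, "reals": 3})
SW2 = VirtualRouter("sw2", 10, "192.0.2.1", "192.0.2.3", 101, {"hsrp": 1, "ifs": 2})

if __name__ == "__main__":
    print(SW1.priority, SW2.priority)
    print(elect([SW1, SW2], current_master="sw1", preempt=True))
    print(elect([SW1, SW2], current_master="sw1", preempt=False))
```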

Nortel Application Switch Operating SystemCommand Reference

NN47220-105 (320506-D) 01.01 Standard24.0 28 January 2008

Copyright © 2008, Nortel Networks

.

Page 611: 24.0.0 Command Reference

611

Index

Symbols/Numerics(MD5) 433(SLB real server group option)

content 367/ command 371K XModem 6033000 series 259

Aabbreviating commands (CLI) 40access control

system 245action (SLB filtering option) 393activating optional software 452active configuration block 220, 459active FTP SLB parsing statistics 183active IP interface 341active Layer 4 processing 341active port

VLAN 341active switch configuration

gtcfg 353ptcfg 353restoring 353

active switch, saving and loadingconfiguration 353

addSLB port option 410

addrARP entries 467IP route tag 84

Address Resolution Protocol (ARP)address list 467

administrator account 32admpw (system option) 249advertisement of virtual IP addresses 308aging

STP bridge option 285STP information 76

application redirection 358, 393filter states 102filters 358within real server groups 367

apply (global command) 219applying configuration changes 219ASCII terminal 28auto-negotiation

configuring flow control 268enable/disable on port 259, 263, 265,

268autonomous system filter action 307autonomous system filter path

action 307as 307aspath 307

Bbackup

SLB real server group option 368backup configuration block 220, 459backup server activations (SLB

statistics) 168, 190bandwidth management

configuration 270contracts 271

bandwidth management contractprecedence value 273

Nortel Application Switch Operating SystemCommand Reference

NN47220-105 (320506-D) 01.01 Standard24.0 28 January 2008

Copyright © 2008, Nortel Networks

.

Page 612: 24.0.0 Command Reference

612 Index

bandwidth management contractconfiguration 224, 273

Bandwidth Management optionsoperations-level options 449

bandwidth management policyconfiguration 276

buffer limit 277hard bandwidth limit 276over the limit TOS 277reserve limit 276soft bandwidth limit 276underlimit TOS 276

bandwidth management statistics 194banner (system option) 222baud rate

console connection 28serial download 603, 604

BBI 27BGP

configuration 321eBGP 321iBGP 321in route 324IP address, border router 323IP route tag 84keep-alive time 323peer 321peer configuration 322redistribution configuration 324remote autonomous system 323router hops 324

binary 603binary firmware image 604binding failure 168, 190binding table 383BLOCKING (port state) 76boot options menu 455BOOTP 29

system option 222bootstrap protocol 328Border Gateway Protocol 84

configuration 321Border Gateway Protocol (BGP)

operations-level options 452BPDU. See Bridge Protocol Data Unit. 284bridge parameter menu, for STP 283bridge priority 76

Bridge Protocol Data Unit (BPDU) 76STP transmission frequency 284

Bridge Spanning-Tree parameters 284broadcast

IP route tag 84IP route type 83

broadcast domains 290Browser-Based Interface 27BWM

contract rate statistics 197contract statistics 196history statistics 198port 195switch processor contract statistics 196switch processor rate contract

statistics 196

Ccapture dump information to a file 470Cisco Ether Channel 286clear

ARP entries 467dump information 471FDB entry 466routing table 468

clearing SLB statistics 193, 193client traffic processing 408command (help) 37Command-Line Interface (CLI) 27, 33, 35commands

abbreviations 40conventions used in this manual 25global commands 36shortcuts 40stacking 40tab completion 40

configurationadministrator password 249apply changes 219default gateway interval, for health

checks 297default gateway IP address 297dump command 352effect on Spanning-Tree Protocol 219Fast Ethernet 257flow control 259, 262, 265, 267

Nortel Application Switch Operating SystemCommand Reference

NN47220-105 (320506-D) 01.01 Standard24.0 28 January 2008

Copyright © 2008, Nortel Networks

.

Page 613: 24.0.0 Command Reference

Index 613

Gigabit Ethernet 257, 261, 263IP static route 298Layer 4 administrator password 249operating mode 259, 262, 267port link speed 258, 262, 267port mirroring 269port trunking 286route cache 302save changes 219setup command 349switch IP address 296TACACS+ 228user password 248view changes 219VLAN default (PVID) 257, 261, 263, 266VLAN IP interface 296VLAN tagging 257, 261, 264, 266VRRP 329

configuration blockactive 459backup 459factory 459selection 459

configuration menu 217configuring routing information protocol 308connecting

via console 28via Telnet 28

connection timeout (Real Server Menuoption) 383

console portcommunication settings 28connecting 28serial download settings 603, 604

contentSLB real server group option 367

contracts, bandwidth management 271cost

STP information 76STP port option 286

counters, No Server Available (droppedframes) 168, 190

CPU statistics 212, 213CPU utilization 212, 213cur (system option) 228, 231current bindings 168, 190

Ddate

system option 221debugging 463default gateway

information 82interval, for health checks 297metrics 344round robin, load balancing for 344

default password 32delete

FDB entry 466deny (filtering) 191designated port. 88diff (global) command, viewing changes 219dip (destination IP address for filtering) 395direct (IP route type) 83directed broadcasts 302DISABLED (port state) 76disconnect idle timeout 33Distributed Site State Protocol (DSSP)

setting update interval 411dmask

destination mask for filtering 395DNS statistics 155Domain Name System (DNS)

health checks 371downloading software 456dropped frames (No Server Available)

counter 168, 190dump

configuration command 352maintenance 463state information 472

duplex modelink status 44, 57, 114

dynamic routes 468

Eemulation software 603EtherChannel

as used with port trunking 286

Ffactory configuration block 459

Nortel Application Switch Operating SystemCommand Reference

NN47220-105 (320506-D) 01.01 Standard24.0 28 January 2008

Copyright © 2008, Nortel Networks

.

Page 614: 24.0.0 Command Reference

614 Index

Fast Ethernet Physical Link 257Fast Ethernet, configuring ports for 257fastage 429FDB statistics 134fiber optic ports 263File Transfer Protocol 183filter statistics 177filtered (denied) frames 169, 191filters

IP address ranges 395fixed

IP route tag 83flag field 88flow control 44, 114

configuring 259, 262, 265, 267forwarding configuration

IP forwarding configuration 301forwarding database (FDB) 463

delete entry 466Forwarding Database Information Menu 70Forwarding Database Menu 465, 476forwarding state (FWD) 72, 76, 78FTP server health checks 371FTP SLB maintenance statistics 184FTP SLB statistics dump 184fwd (STP bridge option) 284FwdDel (forward delay), bridge port 76

Ggig (Port Menu option) 257, 261, 263Gigabit Ethernet

configuration 257, 261, 263Gigabit Ethernet Physical Link 257, 261,

263global commands 36global SLB maintenance statistics 173global SLB statistics 170grace

graceful real server failure 428Greenwich Mean Time (GMT) 231, 231,

231group 176gtcfg (TFTP load command) 353

Hhash metric 374

health check types, SLB 370, 370health checks 361

default gateway interval, retries 297IDSLB 370layer information 101parameters for most protocols 371redirection (rport) 394retry, number of failed health checks 297script 433SNMP 372, 435WAP 436

helloSTP information 76

help 37host routes 308Hot Standby Router on VLAN (HSRV)

use with VLAN-tagged environment 335VRRP priority increment value 343

Hot Standby Router Protocol (HSRP)priority increment value for L4 client

ports 343use with VRRP 334, 341VRRP priority increment value 343

Hot Standby Router VLAN (HSRV)use with VRRP 341

hot-standby failover 339HP-OpenView 27hprompt

system option 222HSRP. See Hot Standby Router

Protocol. 343HSRV. See Hot Standby Router

Protocol. 343HTTP

application health checks 371redirects (Global SLB option) 412system option 246

http 246HTTP health checks

on any port (aphttp) 433

IICMP statistics 155idle timeout

overview 33IDSLB health checks 370

Nortel Application Switch Operating SystemCommand Reference

NN47220-105 (320506-D) 01.01 Standard24.0 28 January 2008

Copyright © 2008, Nortel Networks

.

Page 615: 24.0.0 Command Reference

Index 615

IEEE standards802.1d Spanning-Tree Protocol 75, 282

imagedownloading 456software, selecting 457

IMAP server health checks 371imask (IP address mask) 427incorrect VIPs (statistic) 168, 190incorrect Vports (dropped frames

counter) 168, 190indirect (IP route type) 83Information

Trunk Group Information 78, 78Information Menu 43Interface change stats 142interface statistics 157IP address

ARP information 86BOOTP 29configuring default gateway 297filter ranges 395local route cache ranges 303Telnet 28

IP address mask for SLB 427IP forwarding 327

directed broadcasts 302local networks for route caching 302

IP forwarding information 82IP Information Menu 82, 98IP interface 296

active 341configuring address 296configuring VLANs 296

IP interfaces 83information 82IP route tag 84priority increment value (ifs) for VRRP 343

IP network filter configuration 304IP port configuration 327IP Route Manipulation Menu 468IP routing

tag parameters 83IP Static Route Menu 298IP statistics 143IP subnets

VLANs 290

Ll4apw (L4 administrator system option) 249Layer 4

administrator account 31, 32Layer 4 processing

active 341layer 7 SLB maintenance statistics 179layer 7 SLB string statistics 179layer7 redirection statistics 178, , 182LDAP version 433LEARNING (port state) 76, 76least connections (SLB Real Server

metric) 370, 374licence certificate 452license password 453link

speed, configuring 258, 262, 267link status 44

command 114duplex mode 44, 57, 114port speed 44, 57, 114

Link Status Information 113linkt (SNMP option) 234LISTENING (port state) 76lmask (routing option) 82lnet (routing option) 82local (IP route type) 83local network for route caching 302local route cache

IP address ranges for 303log

syslog messages 223logical segment. See IP subnets. 290

MMAC (media access control) address 46,

70, 86, 453, 466switch location 29

Main Menu 35summary 36

Maintenance Menu 463Management Processor (MP) 469

display MAC address 46manual style conventions 25martian

IP route tag (filtered) 84

Nortel Application Switch Operating SystemCommand Reference

NN47220-105 (320506-D) 01.01 Standard24.0 28 January 2008

Copyright © 2008, Nortel Networks

.

Page 616: 24.0.0 Command Reference

616 Index

IP route type (filtered out) 83mask

IP interface subnet address 296MaxAge (STP information) 76mcon (maximum connections) 168, 168,

190, 190, 368MD5 authentication key 313MD5 cryptographic authentication 315MD5 key 317media access control. See MAC

address. 70metric

SLB real server group option 367metrics, SLB 373minimum misses (SLB real server

metric) 370, 374Miscellaneous Debug Menu 469, 486mmask

IP address mask for SLB 427mnet

management traffic IP address forSLB 427

monitor port 269mp

packet 209MP. See Management Processor. 469multi-links between switches

using port trunking 78, 286multicast

IP route tag 84IP route type 83

mxage (STP bridge option) 284

Nnbr change statistics 141Network Address Translation (NAT)

filter action 393network management 27non TCP/IP frames 168, 190notice 222NTP synchronization 231NTP time zone 231

Ooctet counters 175online help 36, 37

operating mode, configuring 259, 262, 267operations menu 443operations-level BGP options 452operations-level BWM options 449operations-level IP options 451Operations-Level Port Options 445operations-level SLB options 445operations-level VRRP options 448optional software 44, 116

activating 452removing 453

OSPFarea types 92, 312

ospfarea index 313, 314authentication key 317configuration 312cost of the selected path 317cost value of the host 320dead, declaring a silent router to be

down 317dead, health parameter of a hello

packet 318export 321fixed routes 321general 140global 140hello, authentication parameter of a hello

packet 318host entry configuration 319host routes 313interface 313interface configuration 316link state database 313MD5 authentication key 313Not-So-Stubby Area 314priority value of the switch interface 317range number 313redistribution menu 313route redistribution configuration 320spf, shortest path first 315stub area 314summary range configuration 315transit area 314transit delay 317type 314virtual link 313

Nortel Application Switch Operating SystemCommand Reference

NN47220-105 (320506-D) 01.01 Standard24.0 28 January 2008

Copyright © 2008, Nortel Networks

.

Page 617: 24.0.0 Command Reference

Index 617

virtual link configuration 317virtual neighbor, router ID 318

OSPF Database Information 94OSPF general 92OSPF General Information 93OSPF Information 92OSPF Information Route Codes 96OSPF statistics 139, 146overflow server activations 168, 190overflow servers 361

Ppanic

command 472switch (and Maintenance Menu

option) 463parameters

tag 83type 83

Passive FTP SLB Parsing Statistics 184password

administrator account 32default 32L4 administrator account 31, 32user account 31VRRP authentication 342

Passworduser access control 248

passwords 31persistent bindings

real server 383ping 38, 359PIP 439POP3

server health checks 371port

bandwidth management switch processorstatistics 195

switch port contract statistics menu 194port configuration 255Port Menu

configuration options 261configuring Fast Ethernet 257configuring Gigabit Ethernet (gig) 257,

261, 263port mirroring

configuration 269Port number 114port speed 44, 57, 114port states

UNK (unknown) 72port trunking

description 286port trunking configuration 286ports

disabling (temporarily) 268information 115IP status 82membership of the VLAN 70, 79priority 76RJ-45 256SLB state information 102STP port priority 285VLAN ID 44, 115

preemptionassuming VRRP master routing

authority 333virtual router 332, 340

priorityvirtual router 339

priority (STP port option) 285prisrv

primary radius server 227proxies

IP address translation 362proxy IP address (PIP) 102proxy IP address (PIP) configuration 439ptcfg (TFTP save command) 353PVID (port VLAN ID) 44, 115pwd 38

Qquiet (screen display option) 38

RRADIUS

server authentication 372read community string (SNMP option) 233real server

statistics 175real server global SLB statistics 171real server group options

Nortel Application Switch Operating SystemCommand Reference

NN47220-105 (320506-D) 01.01 Standard24.0 28 January 2008

Copyright © 2008, Nortel Networks

.

Page 618: 24.0.0 Command Reference

618 Index

  add 370
real server group SLB configuration 366
real server group statistics 176
real server groups
  combining servers into 367
  statistics 176
real server SLB configuration 358
real servers
  backup 368
  priority increment value (reals) for VRRP 343
  SLB state information 101
reboot 463, 472
receive flow control 259, 263, 265, 268, 268
redir (SLB filtering option) 393
reference ports 72
referenced port 88
remote monitoring on the port (rmon) 445
remote site servers 362
removing optional software 453
reset key combination 463
retries
  radius server 228
retry
  health checks for default gateway 297
rip
  IP route tag 84
RIP. See Routing Information Protocol. 309
rmkey 453
round robin
  as used in gateway load balancing 344
roundrobin
  SLB Real Server metric 370, 375
route
  cache configuration 302
route statistics 150
router hops 324
routing information protocol
  configuration 308
Routing Information Protocol (RIP) 84
  options 309
  split horizon 311
rport
  SLB virtual server option 380
RTSP SLB statistics 185
Rx/Tx statistics 140

S
save (global command) 219
  noback option 220
save command 459
script
  health checks 433
scriptable health checks configuration 433
secret
  radius server 227
secsrv
  secondary radius server 227
security
  VLANs 290
segmentation. See IP subnets. 290
segments. See IP subnets. 290
serial cable 28
serial download 603
Server Load Balancing
  IDS 365
  operations-level options 445
  real server weights 359
server load balancing
  client traffic processing 408
  health check 370
  health check types 370
  metrics 373, 373
  port options 410
  server traffic processing 408
server load balancing configuration
  options 355
Server Load Balancing Maintenance Statistics Menu 182, 183, 188
server port mapping 101
server traffic processing 408
Session Binding Table 360
session identifier 378
setup command, configuration 349
SFD statistics
  mp specific 211
SFP GBIC ports 263
shortcuts (CLI) 40
single-mode ports copper ports Port Menu
  configuration options 260
SIP (source IP address for filtering) 395
SLB filtering option
  action 393

Page 619: 24.0.0 Command Reference

SLB Information 100
SLB layer7 statistics 177
SLB real server group health checks
  arp 370
  dns 371
  ftp 371
  http 370
  icmp 370
  imap 371
  ldap 372
  radius 371
  script 372
  smtp 371
  SNMP 372
  sslh 371
  tcp 370
  udpdns 372
  wsp 372
  wtls 372
SLB real server group option
  application health checking 368
  health checking 368
  metric 367
SLB real server option
  backup 360
  intr (interval) 361
  maxcon (maximum connections) 359
  name, alias for each real server 359
  restr (restore) SLB real server UDP option 361
  retry 361
  RIP, real server IP address 359
  submac 362
  tmout (time out) 360
  weights 359
slowage 429
smask
  source mask for filtering 395
smtp 222
SMTP server health checks 371
snap traces
  buffer 469
SNMP 27, 118
  health checks 435
  HP-OpenView 27
  menu options
    set and get access 233
SNMP Agent 597
SNMP health check configuration 435
SNMP health checks 372
software
  image file and version 46
  license 452
software image 456
SP specific statistics 212
spanning tree
  configuration 282
Spanning-Tree Protocol 78, 219
  bridge aging option 285
  bridge parameters 284
  bridge priority 76
  port cost option 286
  port priority option 285
  root bridge 76, 284
  switch reset effect 460
split horizon 311
SSL 383
  secure socket layer statistics 182
stacking commands (CLI) 40
state (STP information) 76
state information, client system 383
static
  IP route tag 83
static route
  rem 299, 300
statis route
  add 299, 300
statistics
  group 176
  management processor 208
Statistics Menu 117
subnet address mask
  configuration
    IP subnet address 296
subnets
  IP interface 295
switch
  resetting 460
Switch Processor (SP) 469
  display trace buffer 470
swkey 452
SYN attack detection configuration 429
sync 446
synchronization
  VRRP switch 424, 445

Page 620: 24.0.0 Command Reference

syslog
  system host log configuration 222
system
  contact (SNMP option) 233
  date and time 43, 46
  location (SNMP option) 233
system access control configuration 245
System Maintenance Menu 465
system options
  admpw (administrator password) 249
  BOOTP 222
  cur (current system parameters) 228, 231
  date 221
  hprompt 222
  HTTP access 246
  l4apw (Layer 4 administrator password) 249
  login banner 222
  time 221
  tnet 246
  tnport 246
  usrpw (user password) 248
system parameters, current 228, 231

T
tab completion (CLI) 40
TACACS+ 228
TCP
  fragments 378
  health checking using 361
  health checks 371
  source and destination ports 392
TCP statistics 159, 210
Telnet 28
  BOOTP 29
  configuring switches using 352
telnet
  radius server 228
terminal emulation 28
text conventions 25
TFTP 456
  PUT and GET commands 353
TFTP server 353
time
  system option 221
time-to-live, DNS response (global SLB menu option) 417
timeout
  radius server 228
timeouts
  idle connection 33
timers kickoff 143
tnet
  system option 246
tnport
  system option 246
TPCP (Transparent Proxy Cache Protocol) 428
trace buffer 469
  Switch Processor 470
traceroute 38
Tracking
  VRRP 331, 336
transmit flow control 259, 263, 265, 268, 268
transparent proxies, when used for NAT 394
Trunk Group Information 78, 78
ttl (time to live, global SLB menu option) 411
type of area
  ospf 314
type parameters 83
typographic conventions, manual 25
tzone 231, 231

U
UCB statistics 211
UDP
  datagrams 168, 190
  server status using 361
  source and destination ports 392
UDP statistics 161
unknown (UNK) port state 72
Unscheduled System Dump 473
upgrade, switch software 456
URL for health checks 102
user account 31
usrpw (system option) 248
Uuencode Flash Dump 470

V
verbose 38

Page 621: 24.0.0 Command Reference

vip
  advertisement of virtual IP addresses as Host Routes 308
  IP route tag 84
virtual IP address (VIP) 101
virtual port state, SLB information about 101
virtual router
  description 331
  priority 339
  tracking criteria 334
virtual router group
  VRRP priority tracking 339
virtual router group configuration 338
virtual router group priority tracking 340
Virtual Router Redundancy Protocol (VRRP)
  authentication parameters for IP interfaces 342
  group options (prio) 339
  operations-level options 448
  password, authentication 342
  priority election for the virtual router 332
  priority tracking options ,
Virtual Router Redundancy Protocol
  configuration 329
virtual router sharing 340
virtual routers
  HSRP failover 334, 341
  HSRP priority increment value 343
  HSRV 341
  HSRV priority increment value 343
  increasing priority level of 333, 337
  incrementing VRRP instance 335
  master preemption (preem) 340
  master preemption (prio) 332
  priority increment values (vrs) for VRRP 343
virtual server global SLB statistics 172
virtual server SLB statistics 177
virtual servers 370
  SLB state information 101
  statistics 177
VLAN
  active port 341
  configuration 290
VLAN tagging
  port configuration 257, 261, 264, 266
  port restrictions 292
VLANs
  ARP entry information 86
  broadcast domains 290
  information 78
  multiple spanning trees 282
  name 70, 78
  port membership 70, 79
  security 290
  setting default number (PVID) 257, 261, 263, 266
  Spanning-Tree Protocol 282
  tagging 44, 115, 292
  VLAN Number 78
VRID (virtual router ID) 331, 339
VRRP
  interface configuration 342
  master advertisements 332
  tracking 331, 336
  tracking configuration 342
  virtual router sharing 333
VRRP Information 98
VRRP master advertisements
  time interval 340
VRRP statistics 153

W
WAP
  health checks 436
WAP health check
  wspport 436, 437
  wtlsprt 436, 437
WAP health check configuration 436
WAP SLB statistics 187
watchdog timer 464
web-based management interface 27
weights
  for SLB real servers 375
  setting virtual router priority values 343
write community string (SNMP option) 233
wspport
  WAP health check 436, 437
wtlsprt
  WAP health check 436, 437

X
XModem 603

Page 622: 24.0.0 Command Reference

Page 623: 24.0.0 Command Reference
Page 624: 24.0.0 Command Reference

Nortel Application Switch Operating System

Command Reference

Copyright © 2008, Nortel Networks
All Rights Reserved.

Publication: NN47220-105 (320506-D)
Document status: Standard
Document version: 01.01
Document date: 28 January 2008

To provide feedback or report a problem in this document, go to www.nortel.com/documentfeedback

Sourced in Canada, India and the United States of America

The information in this document is subject to change without notice. Nortel Networks reserves the right to make changes in design or components as progress in engineering and manufacturing warrant.

*Nortel, Nortel Networks, the Nortel logo and the Globemark are trademarks of Nortel Networks.
Trademarks are acknowledged with an asterisk (*) at their first appearance in the document.
All other trademarks are the property of their respective owners.