Nortel Application Switch Operating System

Command Reference

NN47220-105 (320506-D)

Document status: Standard
Document version: 01.01
Document date: 28 January 2008

Copyright 2008, Nortel Networks All Rights Reserved. Sourced in Canada, India and the United States of America. Part Number: NN47220-105 (320506-D)

This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Nortel Networks, Inc. Documentation is provided "as is" without warranty of any kind, either express or implied, including any kind of implied or express warranty of non-infringement or the implied warranties of merchantability or fitness for a particular purpose.

U.S. Government End Users: This document is provided with a "commercial item" as defined by FAR 2.101 (Oct 1995) and contains "commercial technical data" and "commercial software documentation" as those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR 12.211-12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995).

Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of Nortel Networks, Inc.

Nortel Application Switch Operating System, Nortel Application Switch 2424, Nortel Application Switch 2424-SSL, Nortel Application Switch 2224, 2216, 2208, 3408, Nortel Application Switch 180, Nortel Application Switch 180e, Nortel Application Switch 184, Nortel Application Switch AD3, Nortel Application Switch AD4, and ACEswitch are trademarks of Nortel Networks, Inc. in the United States and certain other countries. Cisco and EtherChannel are registered trademarks of Cisco Systems, Inc. in the United States and certain other countries. Check Point and FireWall-1 are trademarks or registered trademarks of Check Point Software Technologies Ltd. Any other trademarks appearing in this manual are owned by their respective companies.

Contents
Preface
  Who should use this book
  How this book is organized
  Related documentation
  Typographic conventions
  How to get help

The Command Line Interface
  Connecting to the Switch
  Establishing a Console Connection
  Establishing a Telnet Connection
  Establishing an SSH Connection
  Accessing the Switch
  CLI Menu
  Command Line History and Editing
  Idle Timeout

Menu Basics
  The Main Menu
  Menu Summary
  Global Commands
  Command Line History and Editing
  Command Line Interface Shortcuts
  Command Stacking
  Command Abbreviation
  Tab Completion
  Configuration Ranges

The Information Menu
  /info Information Menu
  /info/sys System Information Menu
  /info/sys/snmpv3 SNMPv3 System Information Menu
  General System Information

Nortel Application Switch Operating System Command Reference NN47220-105 (320506-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks

  /info/sys/time Show System Time
  /info/sys/log Show Last 64 Syslog Messages
  /info/sys/slog Last 64 Saved Syslog Messages
  /info/sys/mgmt Management Port Information
  /info/sys/sonmp SONMP Information
  /info/sys/capacity System Capacity Information
  /info/sys/fan Show switch fan status
  /info/sys/temp Show switch temperature sensor status
  /info/sys/encrypt Show encryption licenses
  /info/sys/user Show current user status
  /info/sys/dump System Information Dump
  /info/l2 Layer 2 Information Menu
  /info/l2/fdb Layer 2 FDB Information
  Clearing Entries from the Forwarding Database
  /info/l2/lacp Link Aggregation Control Protocol Information Menu
  /info/l2/lacp/aggr LACP Aggregator Information
  /info/l2/lacp/port LACP Port Information
  /info/l2/lacp/dump LACP Dump Information
  /info/l2/stg Layer 2 Spanning Tree Group Information
  /info/l2/cist Show common internal spanning tree (CIST) information
  /info/l2/trunk Trunk Group Information
  /info/l2/vlan VLAN Information
  /info/l2/vlan VLAN Information
  /info/l2/team Status of port teams

  /info/l2/dump Layer2 Dump Information
  /info/l3 Layer3 Information Menu
  /info/l3/route IP Routing Information
  /info/l3/route6 IPv6 Routing Information Menu
  /info/l3/arp ARP Information Menu
  /info/l3/bgp BGP Information Menu
  /info/l3/ospf OSPF Information Menu
  /info/ospf/dump OSPF Dump Information
  /info/l3/ip IP Information
  /info/l3/vrrp VRRP Information
  /info/l3/dump Layer3 Dump Information
  /info/slb Layer 4 Information Menu
  /info/slb/sess Session Table Information
  Session dump information
  /info/slb/gslb Global SLB Information Menu
  /info/slb/dump Show All Layer 4 Information
  /info/bwm Bandwidth Management Information
  /info/bwm/ipuser BWM IP User Information Menu
  /info/bwm/cont BWM Contract Information
  /info/security Security Information
  /info/link Link Status Information
  /info/port Port Information
  /info/swkey Software Enabled Keys
  /info/dump Information Dump

The Statistics Menu
  /stats Statistics Menu
  /stats/sys System statistics menu
  /stats/port <port number> Port Statistics Menu
  /stats/port <port number>/brg Bridging Statistics
  /stats/port <port number>/ether Ethernet Statistics
  /stats/port <port number>/if Interface Statistics
  /stats/port <port number>/ip Interface Protocol Statistics
  /stats/port <port number>/link Link Statistics
  /stats/port <port number>/rmon RMON Statistics
  /stats/pmirr Port mirroring statistics menu
  /stats/l2 Layer 2 Statistics Menu
  /stats/l2/fdb FDB Statistics
  /stats/l3 Layer 3 Statistics Menu
  /stats/l3/ospf OSPF Statistics Menu
  /stats/l3/ip IP Statistics
  /stats/l3/ip6 IP6 Statistics Menu
  /stats/l3/route Route Statistics
  /stats/l3/arp ARP statistics
  /stats/l3/vrrp VRRP Statistics
  /stats/l3/vrrp6 IPv6 VRRP statistics
  /stats/l3/dns DNS Statistics
  /stats/l3/icmp ICMP Statistics

  /stats/l3/if <interface number> Interface Statistics
  /stats/l3/tcp TCP Statistics
  /stats/l3/udp UDP Statistics
  /stats/slb Server Load Balancing Statistics Menu
  /stats/slb/sp Server Load Balancing SP statistics Menu
  /stats/slb/gslb Global SLB Statistics Menu
  /stats/slb/real <real server number> Real Server SLB Statistics
  /stats/slb/Group <real server groups number> Real Server Group Statistics
  /stats/slb/virt <virtual server number> Virtual Server SLB Statistics
  /stats/slb/filt <filter number> Filter SLB Statistics
  /stats/slb/layer7 SLB Layer7 Statistics Menu
  /stats/slb/ssl SLB Secure Socket Layer Statistics
  /stats/slb/ftp File Transfer Protocol SLB and Filter Statistics Menu
  /stats/slb/rtsp RTSP SLB Statistics
  /stats/slb/dns DNS SLB Statistics
  /stats/slb/wap WAP SLB Statistics
  /stats/slb/maint SLB Maintenance Statistics
  /stats/slb/sip SIP SLB Statistics
  /stats/slb/wlm <wlm number> Display Workload Manager SASP statistics
  /stats/slb/wlm <wlm number>/clear Clear Workload Manager SASP Statistics
  /stats/slb/mirror Display Workload Manager SASP statistics
  /stats/bwm BWM Statistics Menu
  /stats/bwm/port <port number> BWM Switch Processor Statistics

  /stats/bwm/cont <contract number> BWM Contract Statistics
  /stats/bwm/rcont BWM Contract Rate Statistics
  /stats/bwm/hist BWM History Statistics
  /stats/bwm/maint BWM Maintenance Statistics
  /stats/bwm/ipusers BWM IP Users Statistics
  /stats/security Security Statistics
  /stats/security/dos DOS Attack Statistics Menu
  Types of DOS Attacks
  /stats/security/ipacl IP Access Control List Statistics
  /stats/security/udpblast UDP Blast Statistics
  /stats/security/udpblast/dump UDP Blast Dump Statistics
  /stats/security/pgroup UDP Pattern Match Statistics
  /stats/security/ratelim Rate Limiting Statistics
  /stats/security/dump Dump Statistics for Security
  /stats/mp Management Processor Statistics
  /stats/mp/pkt MP Packet Statistics
  /stats/mp/tcb TCP Statistics
  /stats/mp/ucb UCB Statistics
  /stats/mp/sfd MP-Specific SFD Statistics
  /stats/mp/cpu CPU Statistics
  /stats/sp <SP Number> SP Specific Statistics
  /stats/sp <SP number>/maint SP-Specific Maintenance Statistics
  /stats/sp/cpu CPU Statistics
  /stats/pmirr Port Mirroring Statistics Menu

  /stats/mgmt Management Port Statistics
  /stats/dump Dump Statistics

The Configuration Menu
  /cfg Configuration Menu
  Viewing, Applying, and Saving Changes
  Viewing Pending Changes
  Applying Pending Changes
  Saving the Configuration
  /cfg/sys System Configuration
  /cfg/sys/syslog System Host Log Configuration
  /cfg/sys/mmgmt Management Port Configuration Menu
  /cfg/sys/mmgmt/port Management Port Link Menu
  /cfg/sys/radius RADIUS Server Configuration
  /cfg/sys/tacacs TACACS+ Server Configuration Menu
  /cfg/sys/ntp NTP Server Configuration
  /cfg/sys/sonmp SynOptics Network Management Protocol Configuration
  /cfg/sys/ssnmp System SNMP Configuration
  /cfg/sys/ssnmp/snmpv3 SNMPv3 Configuration Menu
  /cfg/sys/health System Health Check Configuration Menu
  /cfg/sys/access System Access Control Configuration
  /cfg/sys/access/port Port Management Access Menu
  /cfg/sys/access/sshd SSH Server Menu
  /cfg/sys/access/xml XML Configuration Access Menu
  /cfg/sys/timezone Configure the Timezone
  /cfg/port <port number> Port Configuration
  Nortel Application Switch Operating System 2000 Series
  /cfg/port <port number> fast|gig Port Link Configuration
  Nortel Application Switch 3000 Series
  Port Configuration on Nortel Application Switch 3408
  Temporarily Disabling a Port
  /cfg/pmirr Port Mirroring Menu
  /cfg/pmirr monport Port-Mirroring Menu
  /cfg/bwm Bandwidth Management Configuration
  /cfg/bwm/cont <contract number> Bandwidth Management Contract Configuration
  /cfg/bwm/policy <policy number> Bandwidth Management Policy Configuration
  /cfg/bwm/group Bandwidth Management Group Configuration Menu
  /cfg/bwm/cur Bandwidth Management Current Configuration
  /cfg/l2 Layer 2 Configuration Menu
  /cfg/l2/mrst Multiple Spanning Tree Menu
  /cfg/l2/mrst/cist Multiple Spanning Tree Menu
  /cfg/l2/mrst/cist/brg CIST Bridge Menu
  /cfg/l2/stg Spanning Tree Group Configuration
  /cfg/l2/stg/brg Bridge Spanning Tree Configuration
  /cfg/l2/trunk <trunk group number> Trunk Configuration
  /cfg/l2/lacp Link Aggregation Control Protocol Menu
  /cfg/l2/lacp/port <port number> LACP Port Configuration Menu
  /cfg/l2/vlan <VLAN number> VLAN Configuration
  /cfg/l2/team <team number> Port Team Configuration
  /cfg/l3 Layer 3 Configuration Menu
  /cfg/l3/if <interface number> IP Interface Configuration

  /cfg/l3/if/ip6nd IPv6 Neighbor Discovery Menu
  /cfg/l3/gw <gateway number> Default IP Gateway Configuration
  /cfg/l3/arp ARP Configuration Menu
  /cfg/l3/frwd IP Forwarding Configuration Menu
  Defining IP Address Ranges for the Local Route Cache
  /cfg/l3/nwf Network Filter Configuration
  /cfg/l3/rmap <route map number> Route Map Configuration Menu
  /cfg/l3/rip Routing Information Protocol Configuration
  /cfg/l3/rip/if RIP Interface Menu
  /cfg/l3/ospf Open Shortest Path First Configuration
  /cfg/l3/bgp Border Gateway Protocol Configuration
  /cfg/l3/port <port number> IP Forwarding Port Configuration Menu
  /cfg/l3/dns Domain Name System Configuration Menu
  /cfg/l3/bootp Bootstrap Protocol Relay Configuration Menu
  /cfg/l3/vrrp VRRP Configuration Menu
  /cfg/l3/vrrp/vr <router number> Virtual Router Configuration Menu
  /cfg/l3/vrrp/group Virtual Router Group Configuration
  /cfg/l3/vrrp/if <interface number> VRRP Interface Configuration
  /cfg/l3/vrrp/track VRRP Tracking Configuration
  /cfg/l3/metrc <metric name> Default Gateway Metrics
  /cfg/security Security Configuration Menu
  /cfg/security/port Port Security Menu
  /cfg/security/ipacl IP Address Access Control List Configuration Menu
  /cfg/security/udpblast UDP Blast Protection Configuration Menu

  /cfg/security/dos Anomaly and Denial of Service Attack Prevention Menu
  /cfg/security/pgroup <pattern group number> Pattern Matching Menu
  /cfg/sslproc SSL Processor Menu
  /cfg/dump Dump
  /cfg/ptcfg Saving the Active Switch Configuration
  /cfg/gtcfg Restoring the Active Switch Configuration

The SLB Configuration Menu
  /cfg/slb SLB Configuration
  Filtering and Layer 4 (Server Load Balancing)
  /cfg/slb/real <server number> Real Server SLB Configuration
  /cfg/slb/real/adv Real Server Advanced Menu
  /cfg/slb/real/adv/buddyhc Buddy Server Health Check Menu
  /cfg/slb/real <server number>/layer7 Real Server Layer 7 Configuration
  /cfg/slb/real <real server number>/ids Real server IDS Configuration Menu
  /cfg/slb/group <real server group number> Real Server Group SLB Configuration
  SLB Health Check Types
  Server Load Balancing Metrics
  /cfg/slb/virt <virtual server number> Virtual Server SLB Configuration
  /cfg/slb/virt <server number>/service <virtual port or name> Virtual Server Service Configuration
  /cfg/slb/virt/service/wts WTS Load Balancing Menu
  /cfg/slb/virt/service/http HTTP Load Balancing Menu
  /cfg/slb/virt/service/sip SIP Load Balancing Menu
  /cfg/slb/virt/service/rtsp RTSP Load Balancing Menu
  Cookie-Based Persistence
  /cfg/slb/filt <filter number> SLB Filter Configuration

  Defining IP Address Ranges for Filters
  /cfg/slb/filt <filter number>/adv Advanced Filter Configuration
  /cfg/slb/filt/adv/proxyadv Proxy Advanced Menu
  /cfg/slb/port <port number> Port SLB Configuration
  /cfg/slb/gslb Global SLB Configuration
  /cfg/slb/gslb/site <site number> GSLB Remote Site Configuration
  /cfg/slb/gslb/network <network number> GSLB Network Preference Configuration Menu
  /cfg/slb/gslb/rule GSLB Rule Configuration Menu
  /cfg/slb/layer7 Layer 7 SLB Resource Definition Menu
  /cfg/slb/layer7/redir Web Cache Redirection Configuration
  /cfg/slb/layer7/slb Server Load Balance Resource Configuration Menu
  /cfg/slb/layer7/sdp SDP Mapping Menu
  /cfg/slb/wap WAP Configuration
  /cfg/slb/sync Synchronize Peer Switch Configuration
  /cfg/slb/sync/peer <peer switch number> Peer Switch Configuration
  /cfg/slb/adv Advanced Layer 4 Configuration
  /cfg/slb/adv/synatk SYN Attack Detection Configuration Menu
  /cfg/slb/linklb Inbound Link Load Balancing configuration Menu
  /cfg/slb/linklb/drecord Inbound Link Load Balancing Domain Record Menu
  /cfg/slb/advhc/script <health script number> Scriptable Health Checks Configuration
  /cfg/slb/advhc/snmphc SNMP Health Check Configuration
  /cfg/slb/advhc/waphc WAP Health Check Configuration
  /cfg/slb/pip Proxy IP Address Configuration Menu
  /cfg/slb/wlm WorkLoad Management Menu

The Operations Menu
  /oper Operations Menu
  /oper/port <port number> Operations-Level Port Options
  /oper/slb Operations-Level SLB Options
  /oper/slb/group Real Server Group Operations
  /oper/slb/gslb Global SLB Operations Menu
  /oper/vrrp Operations-Level VRRP Options
  /oper/bwm Operations-Level Bandwidth Management Options
  /oper/security Security Menu
  /oper/security/ipacl IP ACL Operations Menu
  /oper/ip Operations-Level IP Options
  /oper/ip/bgp Operations-Level BGP Options
  /oper/swkey Activating Optional Software
  /oper/rmkey Removing Optional Software

The Boot Options Menu
  /boot Boot Menu
  Scheduled Reboot of the Switch
  /boot/sched Scheduled Reboot Menu
  Updating the Switch Software Image
  Downloading New Software to Your Switch
  Selecting a Software Image to Run
  Uploading a Software Image from Your Switch
  Selecting a Configuration Block
  Resetting the Switch
  Enabling Symantec Intelligent Network Protection

The Maintenance Menu
  /maint Maintenance Menu

  /maint/sys System Maintenance Options
  /maint/fdb Forwarding Database Options
  /maint/arp ARP Cache Options
  /maint/route IP Route Manipulation
  /maint/ip6 IPv6 Manipulation Menu
  /maint/debug Debugging Options
  /maint/uudmp Uuencode Flash Dump
  /maint/ptdmp <server filename> System Dump Put
  /maint/cldmp Clearing Dump Information
  /maint/panic Panic Command
  Unscheduled System Dumps

The SSL Processor Menu
  /ssl SSL Processor Menu
  /ssl/info SSL Performance information menu
  /ssl/info/events SSL Performance Menu
  /ssl/stats SSL Performance Statistics menu
  /ssl/stats/sslstats SSL Performance Menu
  /ssl/stats/sslstats/local SSL Performance SSL Local Statistics Menu
  /ssl/stats/sslstats/local/isdhost SSL Performance: Single ISD SSL Statistics Menu
  /ssl/stats/ipsec IPSEC Statistics menu
  /ssl/stats/ipsec/local SSL Performance: Local IPSEC Statistics Menu
  /ssl/stats/ipsec/local/isdhost SSL Performance: Single IPSEC ISD Statistics Menu
  /ssl/stats/aaa AAA Statistics Menu
  /ssl/cfg SSL Performance Configuration Menu

  /ssl/cfg/ssl SSL Configuration Server Menu
  /ssl/cfg/ssl/server SSL Configuration Server-specific Menu
  /ssl/cfg/ssl/server/trace SSL Configuration Server-specific Trace Menu
  /ssl/cfg/ssl/server/ssl SSL Configuration Server-specific SSL Menu
  /ssl/cfg/ssl/server/tcp SSL Configuration Server-specific TCP Menu
  /ssl/cfg/ssl/server/adv SSL Configuration Server-specific Advanced Menu
  /ssl/cfg/ssl/server/adv/string SSL Configuration Server Advanced String Menu
  /ssl/cfg/ssl/server/adv/loadbalanc SSL Configuration Server Advanced Load Balancing Menu
  /ssl/cfg/ssl/server/adv/loadbalanc/cookie SSL Configuration Server Advanced Load Balancing Cookie Menu
  /ssl/cfg/ssl/server/adv/loadbalanc/cookie/localvips Local VIP Configuration Menu
  /ssl/cfg/ssl/server/adv/loadbalanc/script SSL Configuration Server Advanced Load Balancing Health Script Menu
  /ssl/cfg/ssl/server/adv/loadbalanc/remotessl SSL Configuration Server Advanced Load Balancing Remote SSL Menu
  /ssl/cfg/ssl/server/adv/loadbalanc/remotessl/verify SSL Configuration Server Advanced Load Balancing Remote SSL Verification Menu
  /ssl/cfg/ssl/server/adv/loadbalanc/backend SSL Configuration Server Advanced Load Balancing Backend Server Menu
  /ssl/cfg/cert SSL Configuration Certificate Menu
  /ssl/cfg/cert/revoke SSL Configuration Revoke Certificate Menu
  /ssl/cfg/cert/revoke/automatic SSL Configuration Revoke Certificate Automatic Menu
  /ssl/cfg/vpn SSL VPN Configuration Menu
  /ssl/cfg/vpn/aaa SSL VPN Configuration Menu
  /ssl/cfg/vpn/aaa/tg SSL VPN Configuration TunnelGuard Menu
  /ssl/cfg/vpn/aaa/auth SSL VPN Configuration Authentication Menu

  /ssl/cfg/vpn/aaa/auth/radius SSL VPN Configuration Authentication Radius Menu
  /ssl/cfg/vpn/aaa/auth/radius/servers SSL VPN Configuration Authentication Radius Servers Menu
  /ssl/cfg/vpn/aaa/auth/radius/sessiontm SSL VPN Configuration Authentication Radius Session Timeout Menu
  /ssl/cfg/vpn/aaa/auth/radius/macro SSL VPN Configuration Authentication Radius Macro Menu
  /ssl/cfg/vpn/aaa/auth/adv SSL VPN Configuration Authentication Advanced Menu
  /ssl/cfg/vpn/aaa/network SSL VPN Configuration Network Menu
  /ssl/cfg/vpn/aaa/network/subnet SSL VPN Configuration Network Subnet Menu
  /ssl/cfg/vpn/aaa/service SSL VPN Configuration Service Menu
  /ssl/cfg/vpn/aaa/appspec SSL VPN Configuration Application specific Menu
  /ssl/cfg/vpn/aaa/appspec/paths SSL VPN Configuration Application specific Paths Menu
  /ssl/cfg/vpn/aaa/filter SSL VPN Configuration AAA Filter Menu
  /ssl/cfg/vpn/aaa/group SSL VPN Configuration AAA Group Menu
  /ssl/cfg/vpn/aaa/group/access SSL VPN Configuration AAA Group Access Menu
  /ssl/cfg/vpn/aaa/group/linkset SSL VPN Configuration AAA Group Linkset Menu
  /ssl/cfg/vpn/aaa/group/extend SSL VPN Configuration AAA Group Extend Profiles Menu
  /ssl/cfg/vpn/aaa/group/extend/access SSL VPN Configuration AAA Group Extend Profiles Access Menu
  /ssl/cfg/vpn/aaa/group/extend/linkset SSL VPN Configuration AAA Group Extend Profiles Linkset Menu
  /ssl/cfg/vpn/aaa/group/ipsec SSL VPN Configuration AAA Group IPsec Menu
  /ssl/cfg/vpn/aaa/ssodomains SSL VPN Configuration AAA Single-sign on Enabled Domains Menu
  /ssl/cfg/vpn/aaa/ssoheaders SSL VPN Configuration AAA Single-sign on Headers Menu
  /ssl/cfg/vpn/aaa/radacct SSL VPN Configuration AAA Radius Accounting Menu
  /ssl/cfg/vpn/aaa/radacct/servers SSL VPN Configuration AAA Radius Accounting Servers Menu
  /ssl/cfg/vpn/aaa/radacct/vpnattribu SSL VPN Configuration AAA Radius Accounting VPN attributes Menu

  /ssl/cfg/vpn/server SSL VPN Configuration Server Menu
  /ssl/cfg/vpn/server/trace SSL VPN Configuration Server Traffic Trace Menu
  /ssl/cfg/vpn/server/ssl SSL VPN Configuration Server SSL Settings Menu
  /ssl/cfg/vpn/server/tcp SSL VPN Configuration Server TCP endpoint Settings Menu
  /ssl/cfg/vpn/server/http SSL VPN Configuration Server HTTP Settings Menu
  /ssl/cfg/vpn/server/http/rewrite SSL VPN Configuration Server SSL triggered rewrite Menu
  /ssl/cfg/vpn/server/proxymap SSL VPN Configuration Server Intranet Proxy settings Menu
  /ssl/cfg/vpn/server/portal SSL VPN Configuration Server Portal settings Menu
  /ssl/cfg/vpn/server/adv SSL VPN Configuration Server Advanced Menu
  /ssl/cfg/vpn/server/adv/traflog SSL VPN Configuration Server UDP Syslog Traffic Log Menu
  /ssl/cfg/vpn/server/adv/sslconnect SSL VPN Configuration Server SSL Connect Menu
  /ssl/cfg/vpn/server/adv/sslconnect/verify SSL VPN Configuration Server SSL Connect verify Server Menu
  /ssl/cfg/vpn/ipsec SSL VPN Configuration IPsec Server Menu
  /ssl/cfg/vpn/ipsec/ikeprof SSL VPN Configuration IPsec Server IKE Profile Menu
  /ssl/cfg/vpn/ipsec/ikeprof/enc SSL VPN Configuration IPsec Server IKE Profile Encryption Menu
  /ssl/cfg/vpn/ipsec/ikeprof/dh SSL VPN Configuration IPsec Server IKE Profile Diffie-Hellman Group Mask Menu
  /ssl/cfg/vpn/ipsec/ikeprof/NAT SSL VPN Configuration IPsec Server IKE Profile NAT Menu
  /ssl/cfg/vpn/ipsec/ikeprof/deadpeer SSL VPN Configuration IPsec Server IKE Profile Dead Peer Menu
  /ssl/cfg/vpn/ippool SSL VPN Configuration IP Pool Menu
  /ssl/cfg/vpn/portal SSL VPN Configuration Portal Menu
  /ssl/cfg/vpn/portal/colors SSL VPN Configuration Portal Colors Menu
  /ssl/cfg/vpn/portal/faccess SSL VPN Configuration Portal Full Access Menu
  /ssl/cfg/vpn/portal/lang SSL VPN Configuration Portal Language Menu

  /ssl/cfg/vpn/portal/whitelist SSL VPN Configuration Portal Whitelist settings Menu
  /ssl/cfg/vpn/portal/whitelist/domains SSL VPN Configuration Portal Whitelist settings Domains Menu
  /ssl/cfg/vpn/linkset SSL VPN Configuration Linkset Menu
  /ssl/cfg/vpn/linkset/link SSL VPN Configuration Linkset Link Menu
  /ssl/cfg/vpn/linkset/link/internal SSL VPN Configuration Linkset Link Internal Setting Menu
  /ssl/cfg/vpn/sslclient SSL VPN Configuration SSL Client Menu
  /ssl/cfg/vpn/adv SSL VPN Configuration Advanced Menu
  /ssl/cfg/vpn/adv/dns SSL VPN Configuration Advanced DNS settings Menu
  /ssl/cfg/sys SSL Configuration System Menu
  /ssl/cfg/sys/host SSL Configuration System Host Menu
  /ssl/cfg/sys/host/routes SSL Configuration System Host Routes Menu
  /ssl/cfg/sys/host/interface SSL Configuration System Host Menu
  /ssl/cfg/sys/host/interface/routes SSL Configuration System Host Interface Routes Menu
  /ssl/cfg/sys/host/port SSL Configuration System Host Port Menu
  /ssl/cfg/sys/routes SSL Configuration System Menu
  /ssl/cfg/sys/time SSL Configuration System Time Menu
  /ssl/cfg/sys/time/ntp SSL Configuration System Time NTP servers Menu
  /ssl/cfg/sys/dns SSL Configuration System DNS settings Menu
  /ssl/cfg/sys/dns/servers SSL Configuration System DNS Servers settings Menu
  /ssl/cfg/sys/rsa SSL Configuration System RSA servers Menu
  /ssl/cfg/sys/syslog SSL Configuration System SysLog Servers Menu
  /ssl/cfg/sys/accesslist SSL Configuration System Access List Menu
  /ssl/cfg/sys/adm SSL Configuration System Administrative applications Menu

  /ssl/cfg/sys/adm/snmp SSL Configuration System Administrative applications SNMP Menu
  /ssl/cfg/sys/adm/snmp/snmpv2-mib SSL Configuration System Administrative applications SNMPv2 MIB SNMP Menu
  /ssl/cfg/sys/adm/snmp/community SSL Configuration System Administrative applications SNMP Community Menu
  /ssl/cfg/sys/adm/snmp/users SSL Configuration System Administrative applications SNMP Users Menu
  /ssl/cfg/sys/adm/snmp/target SSL Configuration System Administrative applications SNMP Target Menu
  /ssl/cfg/sys/adm/audit SSL Configuration System Administrative applications Audit Menu
  /ssl/cfg/sys/adm/audit/servers SSL Configuration System Administrative applications Audit Servers Menu
  /ssl/cfg/sys/adm/http SSL Configuration System Administrative applications HTTP Menu
  /ssl/cfg/sys/adm/https SSL Configuration System Administrative applications HTTPS Menu
  /ssl/cfg/sys/adm/sshkeys SSL Configuration System Administrative applications SSH Host keys Menu
  /ssl/cfg/sys/adm/sshkeys/knownhosts SSL Configuration System Administrative applications SSH Known Host keys Menu
  /ssl/cfg/sys/user SSL Configuration System Menu
  /ssl/cfg/sys/user/edit SSL Configuration System User Edit Menu
  /ssl/cfg/sys/user/edit/groups SSL Configuration System User Edit Menu
  /ssl/cfg/lang SSL Configuration Language Support Menu
  /ssl/boot SSL Boot Menu
  /ssl/boot/software SSL Performance Menu
  /ssl/maint SSL Performance Maintenance Menu
  /ssl/maint/hsm SSL Performance HSM Menu


Glossary
Index


Preface
The Nortel Application Switch Operating System 24.0 Command Reference describes how to configure and use the Nortel Application Switch Operating System software with your Nortel Application Switch. For documentation on installing the switches physically, see the Hardware Installation Guide for your particular switch model.

Who should use this book


This Command Reference is intended for network installers and system administrators engaged in configuring and maintaining a network. The administrator should be familiar with Ethernet concepts, IP addressing, the IEEE 802.1d Spanning Tree Protocol, and SNMP configuration parameters.

How this book is organized


"The Command Line Interface" (page 27) describes how to connect to the switch and access the information and configuration menus.
"Menu Basics" (page 35) provides an overview of the menu system, including a menu map, global commands, and menu shortcuts.
"The Information Menu" (page 43) describes how to view switch configuration parameters.
"The Statistics Menu" (page 117) describes how to view switch performance statistics.
"The Configuration Menu" (page 217) describes how to configure switch system parameters, ports, VLANs, Spanning Tree Protocol, SNMP, Port Mirroring, IP Routing, Port Trunking, and more.
"The SLB Configuration Menu" (page 355) describes how to configure Server Load Balancing, Filtering, Global Server Load Balancing, and more.


"The Operations Menu" (page 443) describes how to use commands which affect switch performance immediately, but do not alter permanent switch configurations (such as temporarily disabling ports). The menu describes how to activate or deactivate optional software features.
"The Boot Options Menu" (page 455) describes the use of the primary and alternate switch images, how to load a new software image, and how to reset the software to factory defaults.
"The Maintenance Menu" (page 463) describes how to generate and access a dump of critical switch state information, how to clear it, and how to clear part or all of the forwarding database.
"Nortel Application Switch Operating System Syslog Messages" (page 587) presents a listing of syslog messages.
"Nortel Application Switch Operating System SNMP Agent" (page 597) lists the Management Information Bases (MIBs) supported in the switch software.
"Performing a Serial Download" (page 603) shows how to directly load a binary software image into the switch for upgrade or maintenance.
"Glossary" (page 607) defines the terminology used throughout the book.
Index includes pointers to the description of the key words used throughout the book.

Related documentation
Nortel Application Switch Operating System 24.0 Application Guide (NN47220-104)
  Provides application explanations and configuration examples for the Switch.
Nortel Application Switch Operating System 24.0 Browser-Based Interface (BBI) Quick Guide (NN47220-103)
  Provides a description of the Switch BBI and how to configure and access it on the Switch.
Nortel Application Switch Hardware Installation Guide (Part Number 315396-F)
  Provides a description of the Nortel Application Switch hardware, the physical features, how to install it, and how to troubleshoot it.
Nortel Application Switch Operating System 24.0 Release Notes (NN47220-401)
  This document provides a description of new features and caveats and limitations, if any, in the software.

Typographic conventions
The following table describes the typographic styles used in this book.
Typographic conventions

Typeface or Symbol: AaBbCc123
Meaning: This type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts.
Example: View the readme.txt file.
Example: Main#

Typeface or Symbol: AaBbCc123 (bold)
Meaning: This bold type appears in command examples. It shows text that must be typed in exactly as shown.
Example: Main# sys

Typeface or Symbol: AaBbCc123 (italic)
Meaning: This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows book titles, special terms, or words to be emphasized.
Example: To establish a Telnet session, enter: host# telnet <IP address>
Example: Read your User's Guide thoroughly.

Typeface or Symbol: [ ]
Meaning: Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
Example: host# ls [-a]

How to get help


If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased a Nortel service program, contact one of the following Nortel Technical Solutions Centers:
Technical Solutions Center: Telephone
Europe, Middle East, and Africa: 00800 8008 9009 or +44 (0) 870 907 9009
North America: (800) 4NORTEL or (800) 466-7835
Asia Pacific: (61) (2) 8870-8800
China: (800) 810-5000

Additional information about the Nortel Technical Solutions Centers is available at the following URL: http://www.nortelnetworks.com/help/contact/global

An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate an ERC for your product or service, refer to the following URL: http://www.nortelnetworks.com/help/contact/erc/index.html


The Command Line Interface


Your Nortel Application Switch is ready to perform basic switching functions right out of the box. Some of the more advanced features, however, require some administrative configuration before they can be used effectively. The extensive Nortel Application Switch Operating System switching software included in your switch provides a variety of options for accessing and configuring the switch:
- A built-in, text-based command line interface and menu system for access via local terminal or remote Telnet session
- A GUI-based Application Switch Element Manager (ASEM) for interactive network access
- SNMP support for access through network management software such as HP OpenView
- Nortel Application Switch Operating System Browser-Based Interface (BBI)

The command line interface is the most direct method for collecting switch information and performing switch configuration. Using a basic terminal, you are presented with a hierarchy of menus that enable you to view information and statistics about the switch, and to perform any necessary configuration. This chapter explains how to access the Command Line Interface (CLI) of the switch.

Connecting to the Switch


You can access the command line interface in any one of the following ways:
- Using a console connection via the console port
- Using a Telnet connection over the network
- Using an SSH connection to securely log into another computer over a network


Establishing a Console Connection

Requirements
To establish a console connection with the switch, you will need the following:
- An ASCII terminal or a computer running terminal emulation software set to the parameters shown in the table below:

  Console Configuration Parameters
  Parameter      Value
  Baud Rate      9600
  Data Bits      8
  Parity         None
  Stop Bits      1
  Flow Control   None

- A standard serial cable with a male DB9 connector (see your switch hardware installation guide for specifics).

Procedure
1. Connect the terminal to the Console port using the serial cable.
2. Power on the terminal.
3. To establish the connection, press Enter a few times on your terminal. Enter a password for access to the switch.

Establishing a Telnet Connection


A Telnet connection offers the convenience of accessing the switch from any workstation connected to the network. Telnet access provides the same options for user access and administrator access as those available through the console port.

To configure the switch for Telnet access, you need to have a device with Telnet software located on the same network as the switch. The switch must have an IP address. The switch can get its IP address in one of two ways:
- Dynamically, from a BOOTP server on your network.
- Manually, when you configure the switch IP address.

Note: You need to enable Telnet and SSH, using a serial connection, before you can use these methods of accessing the switch. Refer to "Establishing a Console Connection" (page 28).


Using a BOOTP Server


By default, the Nortel Application Switch Operating System software is set up to request its IP address from a BOOTP server. If you have a BOOTP server on your network, add the MAC address of the switch to the BOOTP configuration file located on the BOOTP server. The MAC address can be found on a small white label on the back panel of the switch. The MAC address can also be found in the System Information menu (see "/info/sys System Information Menu" (page 45)).

Note: If connecting to the management port, BOOTP is not supported. The port must be manually configured with the proper IP address.

Running Telnet
Once the IP parameters on the Nortel Application Switch are configured, you can access the CLI using a Telnet connection. To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the Telnet command, followed by the switch IP address:
telnet <IP address>

Then, enter a password as explained in "Establishing an SSH Connection" (page 29).

Establishing an SSH Connection


Although a remote network administrator can manage the configuration of a Nortel Application Switch through Telnet, this method does not provide a secure connection. The SSH (Secure Shell) protocol enables you to securely log into another computer over a network to execute commands remotely. As a secure alternative to using Telnet to manage switch configuration, SSH ensures that all data sent over the network is encrypted and secure.

The switch can do only one session of key/cipher generation at a time. Thus, an SSH/SCP client is not able to log in if the switch is doing key generation at that time or if another client has just logged in before this client. Similarly, the system fails to do the key generation if an SSH/SCP client is logging in at that time.

The supported SSH encryption and authentication methods are listed below.
- Server Host Authentication: Client RSA-authenticates the switch in the beginning of every connection.
- Key Exchange: RSA
- Encryption: 3DES-CBC, DES
- User Authentication: Local password authentication, RADIUS


The following SSH clients have been tested:
- SSH 1.2.23 and SSH 1.2.27 for Linux (freeware)
- SecureCRT 3.0.2 and SecureCRT 3.0.3 (Van Dyke Technologies, Inc.)
- F-Secure SSH 1.1 for Windows (Data Fellows)

Note: The Nortel Application Switch Operating System implementation of SSH is based on SSH version 1.5 and supports SSH-1.5-1.X.XX. SSH clients of other versions (especially Version 2) are not supported.
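Because the switch speaks only SSH version 1.5, it announces itself with an SSH-1.5 identification string, so an inventory check can pick out such management endpoints from the connection greeting alone. The following is an added example, not part of the Nortel documentation; the function names and the sample greetings (including `SSH-1.5-1.2.27`, built to fit the SSH-1.5-1.X.XX pattern above) are constructed for illustration.

```python
import re
from typing import Dict, List, NamedTuple

# Identification string (RFC 4253, section 4.2):
#   SSH-<protoversion>-<softwareversion>[ <comments>]
_IDENT = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: (.*))?$")


class Verdict(NamedTuple):
    protoversion: str   # e.g. "1.5"
    software: str       # e.g. "1.2.27"
    offers_ssh1: bool
    offers_ssh2: bool
    finding: str        # "ssh1-only", "ssh1-fallback" or "ssh2-only"


def identification_line(greeting: bytes) -> str:
    """Return the first line of the greeting that starts with 'SSH-'.

    An SSH-2 server may send other text lines before its identification
    string, so anything ahead of the first 'SSH-' line is skipped.
    """
    for raw in greeting.split(b"\n"):
        line = raw.rstrip(b"\r").decode("ascii", errors="replace")
        if line.startswith("SSH-"):
            return line
    raise ValueError("no SSH identification string in greeting")


def classify(greeting: bytes) -> Verdict:
    """Classify a server greeting by the protocol versions it offers."""
    line = identification_line(greeting)
    match = _IDENT.match(line)
    if match is None:
        raise ValueError(f"malformed identification string: {line!r}")
    major, minor, software = int(match.group(1)), int(match.group(2)), match.group(3)
    proto = f"{major}.{minor}"
    if (major, minor) == (1, 99):
        # 1.99 is the compatibility value: SSH-2 server that also accepts SSH-1.
        return Verdict(proto, software, True, True, "ssh1-fallback")
    if major == 1:
        # Includes 1.5, the version this switch implements.
        return Verdict(proto, software, True, False, "ssh1-only")
    if major == 2:
        return Verdict(proto, software, False, True, "ssh2-only")
    raise ValueError(f"unknown protocol version {proto}")


def audit(greetings: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Group hosts by finding; greetings that do not parse go under 'not-ssh'."""
    report: Dict[str, List[str]] = {}
    for host, greeting in sorted(greetings.items()):
        try:
            finding = classify(greeting).finding
        except ValueError:
            finding = "not-ssh"
        report.setdefault(finding, []).append(host)
    return report


# Constructed sample greetings keyed by documentation-range addresses.
SAMPLE = {
    "192.0.2.10": b"SSH-1.5-1.2.27\n",
    "192.0.2.11": b"SSH-2.0-OpenSSH_9.6\r\n",
    "192.0.2.12": b"SSH-1.99-OpenSSH_3.9p1\n",
    "192.0.2.13": b"Authorized use only\r\nSSH-2.0-OpenSSH_9.6\r\n",
    "192.0.2.14": b"HTTP/1.1 400 Bad Request\r\n\r\n",
}

if __name__ == "__main__":
    for finding, hosts in audit(SAMPLE).items():
        print(f"{finding:14} {', '.join(hosts)}")
```

Hosts reported as `ssh1-only` are the ones whose management sessions are limited to the 3DES-CBC and DES ciphers listed above.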

Running SSH
Once the IP parameters are configured and the SSH service is turned on at the Nortel Application Switch, you can access the command line interface using an SSH connection. To establish an SSH connection with the switch, run the SSH program on your workstation by issuing the SSH command, followed by the switch IP address:
>> # ssh <switch IP address>

or, if SecurID authentication is required, use the following command:


>> # ssh -1 ace <switch IP address>

You are then prompted to enter your user name and password.

Accessing the Switch


To enable better switch management and user accountability, seven levels or classes of user access have been implemented on the Nortel Application Switch. Levels of access to CLI, Web management functions, and screens increase as needed to perform various switch management tasks. Conceptually, access classes are defined as follows:

- User interaction with the switch is completely passive; nothing can be changed on the Nortel Application Switch. Users may display information that has no security or privacy implications, such as switch statistics and current operational state information.
- Operators can only effect temporary changes on the Nortel Application Switch. These changes are lost when the switch is rebooted/reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reset of the switch, operators cannot severely impact switch operation.
- Administrators are the only ones that may make permanent changes to the switch configuration, that is, changes that are persistent across a reboot/reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the Nortel Application Switch. Because administrators can also make temporary (operator-level) changes, they must be aware of the interactions between temporary and permanent changes.

Access to switch functions is controlled through the use of unique user names and passwords. Once you are connected to the switch via local console, Telnet, or SSH, you are prompted to enter a password. The default user names/password for each access level are listed in the following table.

Note: It is recommended that you change default switch passwords after initial configuration and as regularly as required under your network security policies.
User Access Levels

User Account: User
Password: user
Description and Tasks Performed: The User has no direct responsibility for switch management. He or she can view all switch status information and statistics, but cannot make any configuration changes to the switch.

User Account: SLB Operator
Password: slboper
Description and Tasks Performed: The SLB Operator manages Web servers and other Internet services and their loads. In addition to being able to view all switch information and statistics, the SLB Operator can enable/disable servers using the Server Load Balancing operation menu.

User Account: Layer 4 Operator
Password: l4oper
Description and Tasks Performed: The Layer 4 Operator manages traffic on the lines leading to the shared Internet services. This user currently has the same access level as the SLB operator, and the access level is reserved for future use, to provide access to operational commands for operators managing traffic on the line leading to the shared Internet services.

User Account: Operator
Password: oper
Description and Tasks Performed: The Operator manages all functions of the switch. In addition to SLB Operator functions, the Operator can reset ports or the entire switch.

User Account: SLB Administrator
Password: slbadmin
Description and Tasks Performed: The SLB Administrator configures and manages Web servers and other Internet services and their loads. In addition to SLB Operator functions, the SLB Administrator can configure parameters on the Server Load Balancing menus, with the exception of not being able to configure filters or bandwidth management.

User Account: Layer 4 Administrator
Password: l4admin
Description and Tasks Performed: The Layer 4 Administrator configures and manages traffic on the lines leading to the shared Internet services. In addition to SLB Administrator functions, the Layer 4 Administrator can configure all parameters on the Server Load Balancing menus, including filters and bandwidth management.

User Account: Administrator
Password: admin
Description and Tasks Performed: The superuser Administrator has complete access to all menus, information, and configuration commands on the Nortel Application Switch, including the ability to change both the user and administrator passwords.

Note: With the exception of the "admin" user, access to each user level can be disabled by setting the password to an empty value. All user levels below "admin" will by default be initially disabled (empty password) until they are enabled by the "admin" user. This prevents inadvertently leaving the switch open to unauthorized users.

CLI Menu
Once the administrator password is verified, you are given complete access to the switch. The following table shows the Main Menu with administrator privileges.

Note: If you are accessing a user account or Layer 4 administrator account, some menu options are not available.

Command Line History and Editing


For a description of global commands, shortcuts, and command line editing functions, see "Menu Basics" (page 35).


Idle Timeout
By default, the switch will disconnect your console or Telnet session after five minutes of inactivity. This function is controlled by the idle timeout parameter, which can be set from 1 to 10080 minutes. For information on changing this parameter, see "/cfg/sys System Configuration" (page 220).


Menu Basics
The Nortel Application Switch's Command Line Interface (CLI) is used for viewing switch information and statistics. In addition, the administrator can use the CLI for performing all levels of switch configuration.

To make the CLI easy to use, the various commands have been logically grouped into a series of menus and sub-menus. Each menu displays a list of commands and/or sub-menus that are available, along with a summary of what each command does. Below each menu is a prompt where you can enter any command appropriate to the current menu.

This chapter describes the Main Menu commands, and provides a list of commands and shortcuts that are commonly available from all the menus within the CLI.

The Main Menu


The Main Menu appears after a successful connection and login. The following table shows the Main Menu for the administrator login. Some features are not available under the user login. Note: The ssl option is only visible on the Nortel Application Switch Operating System 2000-SSL Series.


Menu Summary
Information Menu
    Provides sub-menus for displaying information about the current status of the switch: from basic system settings to VLANs, Layer 4 settings, and more.

Statistics Menu
    Provides sub-menus for displaying switch performance statistics. Included are port, IF, IP, ICMP, TCP, UDP, SNMP, routing, ARP, DNS, VRRP, and Layer 4 statistics.

Configuration Menu
    This menu is available only from an administrator login. It includes sub-menus for configuring every aspect of the switch. Changes to configuration are not active until explicitly applied. Changes can be saved to non-volatile memory.

Operations Command Menu
    Operations-level commands are used for making immediate and temporary changes to switch configuration. This menu is used for bringing ports temporarily in and out of service, performing port mirroring, and enabling or disabling Server Load Balancing functions. It is also used for activating or deactivating optional software packages.

Boot Options Menu
    This menu is used for upgrading switch software, selecting configuration blocks, and for resetting the switch when necessary.

Maintenance Menu
    This menu is used for debugging purposes, enabling you to generate a dump of the critical state information in the switch, and to clear entries in the forwarding database and the ARP and routing tables.

SSL Accelerator Menu
    This menu is used to connect to the SSL Accelerator in 2424-SSL model switches. Once connected, SSL configuration and maintenance can take place.

Global Commands
Some basic commands are recognized throughout the menu hierarchy. These commands are useful for obtaining online help, navigating through menus, and for applying and saving configuration changes. For help on a specific command, type help. The following screen appears:


Description of Global Commands

Command and Action

? command or help
    Provides more information about a specific command on the current menu. When used without the command parameter, a summary of the global commands is displayed.

. or print
    Display the current menu.

.. or up
    Go up one level in the menu structure.

/
    If placed at the beginning of a command, go to the Main Menu. Otherwise, this is used to separate multiple commands placed on the same line.

lines
    Set the number of lines (n) that display on the screen at one time. The default is 24 lines. When used without a value, the current setting is displayed.

diff
    Show any pending configuration changes.

apply
    Apply pending configuration changes.

save
    Write configuration changes to non-volatile flash memory.

revert
    Remove pending configuration changes between "apply" commands. Use this command to restore configuration parameters set since last "apply" command.

exit or quit
    Exit from the command line interface and log out.

ping
    Use this command to verify station-to-station connectivity across the network. The format is as follows:
        ping <host name> | <IP address> [tries <(1-32)> [msec delay]] [-m|-mgmt|-d|-data]
    Where IP address is the hostname or IP address of the device, tries (optional) is the number of attempts (1-32), msec delay (optional) is the number of milliseconds between attempts. By default, the -d or -data option for network ports is in effect. If the management port is used, specify the -m or -mgmt option. The DNS parameters must be configured if specifying hostnames (see "/cfg/l3/dns Domain Name System Configuration Menu" (page 327)).

ping6
    Use this command to verify an IP address and interface connectivity across the network. The format is as follows:
        ping6 <IP6 address> <Interface number>
    For example:
        ping6 3001::1234 - for ping6 global unicast address
        ping6 fe80::201:2ff:feb1:10e2 20 - for ping6 link-local address

traceroute
    Use this command to identify the route used for station-to-station connectivity across the network. The format is as follows:
        traceroute <host name> | <IP address> [ <max-hops (1-32)> [msec delay]] [-m|-mgmt|-d|-data]
    Where IP address is the hostname or IP address of the target station, max-hops (optional) is the maximum distance to trace (1-16 devices), and delay (optional) is the number of milliseconds to wait for the response. By default, the -d or -data option for network ports is in effect. If the management port is used, specify the -m or -mgmt option. As with ping, the DNS parameters must be configured if specifying hostnames.

pwd
    Display the command path used to reach the current menu.

verbose n
    Sets the level of information displayed on the screen:
        0 = Quiet: Nothing appears except errors, not even prompts.
        1 = Normal: Prompts and requested output are shown, but no menus.
        2 = Verbose: Everything is shown.
    When used without a value, the current setting is displayed.

telnet
    This command is used to telnet out of the switch. The format is as follows:
        <hostname> | <IP address> [port] [-m|-mgmt|-d|-data]
    Where IP address is the hostname or IP address of the device. By default, the -d or -data option for network ports is in effect. If the management port is used, specify the -m or -mgmt option.

history
    This command brings up the history of the last 10 commands.

pushd
    This command stores the current location of the menu tree. Optionally, a new path to change to can be specified. The format is as follows:
        pushd [ <new_path> ]

popd
    This command takes the user one level back to the menu location stored by the last pushd command.

who
    This command displays the currently logged-in users' session information.

Command Line History and Editing


Using the command line interface, you can retrieve and modify previously entered commands with just a few keystrokes. The following options are available globally at the command line:
Command Line History and Editing Options

Option and Description

history
    Display a numbered list of the last 10 previously entered commands.

!!
    Repeat the last entered command.

!n
    Repeat the nth command shown on the history list.

Ctrl-p
    (Also the up arrow key.) Recall the previous command from the history list. This can be used multiple times to work backward through the last 10 commands. The recalled command can be entered as is, or edited using the options below.

Ctrl-n
    (Also the down arrow key.) Recall the next command from the history list. This can be used multiple times to work forward through the last 10 commands. The recalled command can be entered as is, or edited using the options below.

Ctrl-a
    Move the cursor to the beginning of command line.

Ctrl-e
    Move cursor to the end of the command line.

Ctrl-b
    (Also the left arrow key.) Move the cursor back one position to the left.

Ctrl-f
    (Also the right arrow key.) Move the cursor forward one position to the right.

Backspace
    (Also the Delete key.) Erase one character to the left of the cursor position.

Ctrl-d
    Delete one character at the cursor position.

Ctrl-k
    Kill (erase) all characters from the cursor position to the end of the command line.

Ctrl-l
    Redraw the screen.

Ctrl-u
    Clear the entire line.

Other keys
    Insert new characters at the cursor position.

Command Line Interface Shortcuts


Command Stacking
As a shortcut, you can type multiple commands on a single line, separated by forward slashes (/). You can connect as many commands as required to access the menu option that you want. For example, the keyboard shortcut to access the Spanning Tree Port Configuration Menu from the Main# prompt is as follows:
Main# cfg/l2/stg/port

Command Abbreviation
Most commands can be abbreviated by entering the first characters which distinguish the command from the others in the same menu or sub-menu. For example, the command shown above could also be entered as follows:
Main# c/l2/st/p

Tab Completion
By entering the first letter of a command at any menu prompt and hitting Tab, the CLI displays all commands or options in that menu that begin with that letter. Entering additional letters further refines the list of commands or options displayed. If only one command fits the input text when Tab is pressed, that command will be supplied on the command line, waiting to be entered. If the Tab key is pressed without any input on the command line, the currently active menu is displayed.
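Command stacking, abbreviation and Tab completion all come down to prefix matching against the current menu, which the added example below models; it is not Nortel code. The menu tree holds only paths quoted in this document, so it is partial, and letting an exact name such as vr win over vrgroup is an assumption of this example.

```python
class MenuError(ValueError):
    """Raised when a token matches no command, or more than one."""


def _menu(items="", **submenus):
    """Build one menu level: plain commands from a string, sub-menus by keyword."""
    node = {name: {} for name in items.split()}
    node.update(submenus)
    return node


# Partial menu tree assembled only from paths that appear in this document.
MENU = _menu(
    info=_menu(
        "l2 l3 slb bwm security link port swkey dump",
        sys=_menu(
            "general time log slog mgmt sonmp capacity fan temp encrypt user dump",
            snmpv3=_menu("usm view access group comm taddr tparam notify dump"),
        ),
    ),
    cfg=_menu(
        "sys",
        l2=_menu("trunk vlan team", stg=_menu("port")),
        l3=_menu("if gw nwf rmap dns", vrrp=_menu("vr vrgroup")),
        bwm=_menu("cont policy group"),
        sec=_menu("pgroup"),
        slb=_menu("real group virt filt"),
    ),
    oper=_menu(slb=_menu("group")),
)


def _node(path):
    """Return the menu dictionary reached by following full command names."""
    node = MENU
    for name in path:
        node = node[name]
    return node


def completions(prefix, cwd=()):
    """Tab completion: every command in the menu at cwd that starts with prefix."""
    return sorted(name for name in _node(cwd) if name.startswith(prefix))


def _match(token, path):
    """Expand one abbreviated token inside the menu at path."""
    node = _node(path)
    if token in node:          # assumption: an exact name beats longer names
        return token
    hits = sorted(name for name in node if name.startswith(token))
    where = "/" + "/".join(path)
    if not hits:
        raise MenuError(f"no command '{token}' in {where}")
    if len(hits) > 1:
        raise MenuError(f"'{token}' is ambiguous in {where}: {', '.join(hits)}")
    return hits[0]


def resolve(line, cwd=()):
    """Expand a stacked, abbreviated command line into a full menu path.

    A leading '/' restarts from the Main Menu; '..' or 'up' climbs one level.
    """
    line = line.strip()
    path = [] if line.startswith("/") else list(cwd)
    for token in line.split("/"):
        if not token:
            continue
        if token in ("..", "up"):
            if path:
                path.pop()
            continue
        path.append(_match(token, path))
    return "/" + "/".join(path)


if __name__ == "__main__":
    print(resolve("c/l2/st/p"))                 # abbreviation from the text
    print(completions("t", ("cfg", "l2")))      # what Tab would list
    try:
        resolve("c/s")
    except MenuError as err:
        print(err)
```

In this partial tree `s` under `/cfg` is rejected as ambiguous, which is why the text's abbreviation uses `st` rather than a single letter where several commands share a prefix.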

Configuration Ranges
Most commands now support the use of configuration ranges. Configuration ranges allow the user to set common parameters on a range of similar items on the switch like ports or VLANs. For example, the command shown below would set the PVID of ports 1 through 10 to 5.

Main# /cfg/real 1-10/enable

The following command menu items support range and enable:

Main# /cfg/bwm/cont
Main# cfg/bwm/policy
Main# /cfg/bwm/group
Main# /cfg/l2/stg
Main# /cfg/l2/trunk
Main# /cfg/l2/vlan
Main# cfg/l2/team
Main# /cfg/l3/if
Main# /cfg/l3/gw
Main# /cfg/l3/nwf
Main# /cfg/l3/rmap
Main# /cfg/l3/vrrp/vr
Main# /cfg/l3/vrrp/vrgroup
Main# /cfg/sec/pgroup
Main# /cfg/slb/real
Main# /cfg/slb/group
Main# /cfg/slb/virt
Main# /cfg/slb/filt
Main# /oper/slb/group
Main# /stat/s


The Information Menu


You can view configuration information for the switch in both the user and administrator command modes. This chapter discusses how to use the command line interface to display switch information.

/info Information Menu

The information provided by each menu option is briefly described in "Information Menu Options (/info)" (page 43), with pointers to where detailed information can be found.

Information Menu Options (/info)

Command Syntax and Usage

sys
    Displays system menu information. To view menu options, see "/info/sys System Information Menu" (page 45).

l2
    Displays the Layer 2 Information Menu. For details, see "/info/l2 Layer 2 Information Menu" (page 68).

l3
    Displays the Layer 3 information menu. For details, see "/info/l3 Layer3 Information Menu" (page 80).

slb
    Displays the Layer 4 Information Menu. To view menu options, see "/info/slb Layer 4 Information Menu" (page 100).

bwm
    Displays Bandwidth Management information. For details, see "/info/bwm Bandwidth Management Information" (page 110).

security
    Displays current UDP blast settings and the security status of the port. To view a sample, see "/info/security Security Information" (page 113).

link
    Displays configuration information about each port, including:
    - Port number
    - Port speed (10, 100, 10/100, or 1000)
    - Duplex mode (half, full, or auto)
    - Flow control for transmit and receive (no, yes, or auto)
    - Link status (up or down)
    For details, see "/info/link Link Status Information" (page 113).

port
    Displays port status information, including:
    - Port number
    - Whether the port uses VLAN Tagging or not
    - Port VLAN ID (PVID)
    - Port name
    - VLAN membership
    For details, see "/info/port Port Information" (page 114).

swkey
    Displays a list of all the optional software packages which have been activated or installed on your switch. For details see "/info/swkey Software Enabled Keys" (page 115).

dump
    Dumps all switch information available from the Information Menu (10K or more, depending on your configuration). If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump commands. For details, see "/info/dump Information Dump" (page 116).

/info/sys System Information Menu

Information System Menu Options (/info/sys)

Command Syntax and Usage

snmpv3
    Displays SNMPv3 Information Menu. To view the menu options, see "SNMPv3 information Menu Options (/info/sys/snmpv3)" (page 47).

general
    Displays general system information including:
    - System information like time, day, and date.
    - Switch model name and number
    - How long the switch has been up
    - Time of last boot
    - MAC address of the switch management processor
    - Internal SSL Processor MAC Address if the switch is 2424-SSL
    - IP address of IP interface #1
    - Hardware order number and part numbers of the Mainboard Hardware, Management Processor Board Hardware, and Fast Ethernet Board Hardware
    - Software image file and version number
    - Configuration name
    - Log-in banner, if one is configured
    See "/info/sys/general" (page 54) for a sample output.

time
    Displays the current time.

log
    Displays last 64 syslog messages. See "/info/sys/log" (page 55) for a sample output and detailed information.

slog
    Displays the last 64 syslog messages that are saved in flash. See "/info/sys/slog" (page 56) for a sample output.

mgmt
    Displays Management port information. See "/info/sys/mgmt" (page 57) for detailed information.

sonmp
    Displays SONMP topology table information. See "/info/sys/sonmp" (page 58) for detailed information.

capacity gen|bwm|l2|l3|slb|port
    Displays the switch capacity information. This output displays the maximum switch capacity for the various applications and services that the switch supports. The output contains capacity information about Layer 2, Layer 3, RIP, OSPF, BGP, Route Maps, Network Filters, VRRP, Layer 4-7, which includes Server Load Balancing, Filters, GSLB, Health Checks, Bandwidth Management, General switch information, and SNMPv3. See "/info/sys/capacity" (page 59) for a sample output.

fan
    Displays the fan status of the switch.

temp
    Displays the temperature status of the switch sensors.

encrypt
    Displays the current encryption licenses.

user
    Displays the current user names.

dump
    Displays all system information. See "/info/sys/dump" (page 63) for a sample output.

/info/sys/snmpv3 SNMPv3 System Information Menu


SNMP version 3 (SNMPv3) is an extensible SNMP Framework that supplements the SNMPv2 Framework by supporting the following:
- a new SNMP message format
- security for messages
- access control
- remote configuration of SNMP parameters

For more details on the SNMPv3 architecture, refer to RFC2271 to RFC2276.

SNMPv3 information Menu Options (/info/sys/snmpv3)

Command Syntax and Usage

usm
    Displays User Security Model (USM) table information. To view the table, see "/info/sys/snmpv3/usm" (page 48).

view
    Displays information about view, subtrees, mask and type of view. To view a sample, see "/info/sys/snmpv3/view" (page 49).

access
    Displays View-based Access Control information. To view a sample, see "/info/sys/snmpv3/access" (page 49).

group
    Displays information about the group that includes the security model, user name, and group name. To view a sample, see "/info/sys/snmpv3/group" (page 50).

comm
    Displays the community table information. To view a sample, see "/info/sys/snmpv3/comm" (page 51).

taddr
    Displays the Target Address table information. To view a sample, see "/info/sys/snmpv3/taddr" (page 51).

tparam
    Displays the Target parameters table information. To view a sample, see "/info/sys/snmpv3/tparam" (page 52).

notify
    Displays the Notify table information. To view a sample, see "/info/sys/snmpv3/notify" (page 52).

dump
    Displays all the SNMPv3 information. To view a sample, see "/info/sys/snmpv3/dump" (page 53).

/info/sys/snmpv3/usm SNMPv3 USM User Table Information


The User-based Security Model (USM) in SNMPv3 provides security services such as authentication and privacy of messages. This security model makes use of a defined set of user identities displayed in the USM user table. The USM user table contains information like:
- the user name
- a security name in the form of a string whose format is independent of the Security Model
- an authentication protocol, which is an indication that the messages sent on behalf of the user can be authenticated
- the privacy protocol.

USM User Table Information Parameters (/info/sys/usm)

Field: Description
User Name
  This is a string that represents the name of the user that you can use to access the switch.
Protocol
  This indicates whether messages sent on behalf of this user are protected from disclosure using a privacy protocol. The Nortel Application Switch Operating System supports the DES algorithm for privacy. The software also supports two authentication algorithms: MD5 and HMAC-SHA.

/info/sys/snmpv3/view SNMPv3 View Table Information


For security reasons, the user can restrict the access allowed to a group to a subset of the management information in the management domain that the group can access within each context. This is done by specifying the group's rights in terms of a particular MIB view.
View Name      Subtree             Mask        Type
-------------- ------------------  ----------  ---------
org            1.3                             included
v1v2only       1.3                             included
v1v2only       1.3.6.1.6.3.15                  excluded
v1v2only       1.3.6.1.6.3.16                  excluded
v1v2only       1.3.6.1.6.3.18                  excluded

SNMPv3 View Table Information Parameters (/info/sys/snmpv3/view)

Field: Description
View Name
  Displays the name of the view.
Subtree
  Displays the MIB subtree as an OID string. A view subtree is the set of all MIB object instances which have a common Object Identifier prefix to their names.
Mask
  Displays the bit mask.
Type
  Displays whether a family of view subtrees is included or excluded from the MIB view.
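The following added example (not part of the Nortel reference) evaluates the sample view table above using the view-matching rules of RFC 3415, so an administrator can check which OIDs a view such as v1v2only actually exposes. The bit-string mask notation, the treatment of an empty Mask column as "match every sub-identifier", and the function names are assumptions of this example.

```python
"""Check whether an OID is visible in a VACM MIB view (RFC 3415 rules)."""

# Rows constructed from the sample /info/sys/snmpv3/view output on this page.
# Assumption: an empty Mask column means every sub-identifier must match,
# and a mask is written here as a string of '1'/'0' bits, one per
# sub-identifier of the subtree (0 = wildcard).
VIEW_TABLE = [
    # (view name, subtree, mask, type)
    ("org",      "1.3",            "", "included"),
    ("v1v2only", "1.3",            "", "included"),
    ("v1v2only", "1.3.6.1.6.3.15", "", "excluded"),  # SNMP-USER-BASED-SM-MIB
    ("v1v2only", "1.3.6.1.6.3.16", "", "excluded"),  # SNMP-VIEW-BASED-ACM-MIB
    ("v1v2only", "1.3.6.1.6.3.18", "", "excluded"),  # SNMP-COMMUNITY-MIB
]


def parse_oid(text):
    """Turn '1.3.6.1' (optionally with a leading dot) into a tuple of ints."""
    return tuple(int(part) for part in text.strip(".").split("."))


def family_matches(oid, subtree, mask):
    """True when oid belongs to the subtree family under the bit mask."""
    if len(oid) < len(subtree):
        return False
    for i, sub_id in enumerate(subtree):
        # Mask bits beyond the end of the mask are taken as 1 (must match).
        must_match = mask[i] == "1" if i < len(mask) else True
        if must_match and oid[i] != sub_id:
            return False
    return True


def in_view(view_name, oid_text, table=VIEW_TABLE):
    """Return True if the OID is included in the named view.

    Among the matching families the one with the most sub-identifiers wins;
    ties go to the lexicographically greatest subtree. An OID that matches
    no family is not in the view.
    """
    oid = parse_oid(oid_text)
    best_key, best_type = None, None
    for name, subtree_text, mask, view_type in table:
        if name != view_name:
            continue
        subtree = parse_oid(subtree_text)
        if not family_matches(oid, subtree, mask):
            continue
        key = (len(subtree), subtree)
        if best_key is None or key > best_key:
            best_key, best_type = key, view_type
    return best_type == "included"


def visible_oids(view_name, oids, table=VIEW_TABLE):
    """Audit helper: the subset of oids that the view exposes."""
    return [oid for oid in oids if in_view(view_name, oid, table)]


if __name__ == "__main__":
    # Tables that hold user, access-control and community configuration.
    checks = {
        "usmUserTable": "1.3.6.1.6.3.15.1.2.2",
        "vacmAccessTable": "1.3.6.1.6.3.16.1.4",
        "snmpCommunityTable": "1.3.6.1.6.3.18.1.1",
        "sysDescr.0": "1.3.6.1.2.1.1.1.0",
    }
    for view in ("org", "v1v2only"):
        for label, oid in checks.items():
            state = "visible" if in_view(view, oid) else "hidden"
            print(f"{view:9} {label:20} {state}")
```

With the sample table, the org view exposes the USM, VACM and community tables, while v1v2only hides all three and still allows ordinary objects such as sysDescr.0.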

/info/sys/snmpv3/access SNMPv3 Access Table Information


The access control subsystem provides authorization services. The vacmAccessTable maps a group name, security information, a context, and a message type (a read operation, a write operation, or a notification) into a MIB view.


The View-based Access Control Model defines a set of services that an application can use for checking access rights of a group. The group's access rights are determined by a read-view, a write-view and a notify-view. The read-view represents the set of object instances authorized for the group while reading the objects. The write-view represents the set of object instances authorized for the group when writing objects. The notify-view represents the set of object instances authorized for the group when sending a notification.

SNMPv3 Access Table Information (/info/sys/snmpv3/access)

Field: Description
Group Name
  Displays the name of group.
Prefix
  Displays the prefix that is configured to match the values.
Model
  Displays the security model used, for example, SNMPv1, or SNMPv2 or USM.
Level
  Displays the minimum level of security required to gain rights of access. For example, noAuthNoPriv, authNoPriv, or authPriv.
Match
  Displays the match for the contextName. The options are: exact and prefix.
ReadV
  Displays the MIB view to which this entry authorizes the read access.
WriteV
  Displays the MIB view to which this entry authorizes the write access.
NotifyV
  Displays the Notify view to which this entry authorizes the notify access.

/info/sys/snmpv3/group SNMPv3 Group Table Information


A group is a combination of security model and security name that defines the access rights assigned to all the security names belonging to that group. The group is identified by a group name.

SNMPv3 Group Table Information Parameters (/info/sys/snmpv3/group)

Field: Description
Sec Model
  Displays the security model used, which is any one of: USM, SNMPv1, SNMPv2, and SNMPv3.
User Name
  Displays the name for the group.
Group Name
  Displays the access name of the group.

/info/sys/snmpv3/comm SNMPv3 Community Table Information


This command displays the community table information stored in the SNMP engine.
Index      Name       User Name            Tag
---------- ---------- -------------------- ----------
trap1      public     v1v2only             v1v2trap

SNMPv3 Community Table Parameters (/info/sys/snmpv3/comm)

Field: Description
Index
  Displays the unique index value of a row in this table.
Name
  Displays the community string, which represents the configuration.
User Name
  Displays the User Security Model (USM) user name.
Tag
  Displays the community tag. This tag specifies a set of transport endpoints from which a command responder application accepts management requests and to which a command responder application sends an SNMP trap.

/info/sys/snmpv3/taddr SNMPv3 Target Address Table Information


This command displays the SNMPv3 target address table information, which is stored in the SNMP engine.
Name       Transport Addr  Port Taglist    Params
---------- --------------- ---- ---------- ---------------
trap1      47.81.25.66     162  v1v2trap   v1v2param

SNMPv3 Target Address Table Information Parameters (/info/sys/snmpv3/taddr)

Field: Description
Name
  Displays the locally arbitrary, but unique identifier associated with this snmpTargetAddrEntry.
Transport Addr
  Displays the transport addresses.
Port
  Displays the SNMP UDP port number.
Taglist
  This column contains a list of tag values which are used to select target addresses for a particular SNMP message.
Params
  The value of this object identifies an entry in the snmpTargetParamsTable. The identified entry contains SNMP parameters to be used when generating messages to be sent to this transport address.

/info/sys/snmpv3/tparam SNMPv3 Target Parameters Table Information


Name         MP Model User Name    Sec Model Sec Level
------------ -------- ------------ --------- ------------
v1v2param    snmpv2c  v1v2only     snmpv1    noAuthNoPriv

SNMPv3 Target Parameters Table Information (/info/sys/snmpv3/tparam)

Field: Description
Name
  Displays the locally arbitrary, but unique identifier associated with this snmpTargetParamsEntry.
MP Model
  Displays the Message Processing Model used when generating SNMP messages using this entry.
User Name
  Displays the securityName, which identifies the entry on whose behalf SNMP messages are generated using this entry.
Sec Model
  Displays the security model used when generating SNMP messages using this entry. The system may choose to return an inconsistentValue error if an attempt is made to set this variable to a value for a security model which the system does not support.
Sec Level
  Displays the level of security used when generating SNMP messages using this entry.

/info/sys/snmpv3/notify SNMPv3 Notify Table Information


Name                 Tag
-------------------- --------------------
v1v2trap             v1v2trap

SNMPv3 Notify Table Information (/info/sys/snmpv3/notify)

Field: Description
Name
  The locally arbitrary, but unique identifier associated with this snmpNotifyEntry.
Tag
  This represents a single tag value which is used to select entries in the snmpTargetAddrTable. Any entry in the snmpTargetAddrTable that contains a tag value equal to the value of this entry is selected. If this entry contains a value of zero length, no entries are selected.
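The notify, taddr and tparam tables chain together: a notify tag selects target addresses, and each target address names the parameters used to send to it. The added example below (not part of the Nortel reference) follows that chain for the sample rows shown on this page and reports the security level each trap destination ends up with. The dictionary layout, the function names and the "hardened" row used in the test are assumptions of this example.

```python
"""Resolve where SNMP notifications are sent and at what security level."""

# Rows constructed from the sample notify, taddr and tparam output on this page.
NOTIFY = [{"name": "v1v2trap", "tag": "v1v2trap"}]
TADDR = [{"name": "trap1", "addr": "47.81.25.66", "port": 162,
          "taglist": "v1v2trap", "params": "v1v2param"}]
TPARAM = [{"name": "v1v2param", "mp_model": "snmpv2c", "user": "v1v2only",
           "sec_model": "snmpv1", "sec_level": "noAuthNoPriv"}]

# Community-based models carry no per-user authentication or privacy.
COMMUNITY_MODELS = {"snmpv1", "snmpv2c"}


def assess(params):
    """Return a list of findings for one target parameters row (or None)."""
    if params is None:
        return ["Params names no entry in the target parameters table"]
    findings = []
    level = params["sec_level"]
    if level == "noAuthNoPriv":
        findings.append("notifications are neither authenticated nor encrypted")
    elif level == "authNoPriv":
        findings.append("notifications are authenticated but not encrypted")
    elif level != "authPriv":
        findings.append(f"unrecognised security level {level!r}")
    models = {params["sec_model"].lower(), params["mp_model"].lower()}
    if models & COMMUNITY_MODELS:
        findings.append("community-based SNMPv1/v2c is used for this target")
    return findings


def resolve_targets(notify, taddr, tparam):
    """Follow notify tag -> target address -> target parameters."""
    params_by_name = {row["name"]: row for row in tparam}
    routes = []
    for entry in notify:
        if not entry["tag"]:
            continue  # a zero-length tag selects no target addresses
        for target in taddr:
            # Taglist is a whitespace-separated list of tag values.
            if entry["tag"] not in target["taglist"].split():
                continue
            params = params_by_name.get(target["params"])
            routes.append({
                "notify": entry["name"],
                "target": target["name"],
                "dest": f'{target["addr"]}:{target["port"]}',
                "user": params["user"] if params else None,
                "sec_level": params["sec_level"] if params else None,
                "findings": assess(params),
            })
    return routes


if __name__ == "__main__":
    for route in resolve_targets(NOTIFY, TADDR, TPARAM):
        print(route["notify"], "->", route["target"], route["dest"],
              route["sec_level"])
        for finding in route["findings"]:
            print("   finding:", finding)
```

For the sample configuration, the single notify entry resolves to 47.81.25.66:162 at noAuthNoPriv, so both findings are reported for that destination.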

/info/sys/snmpv3/dump SNMPv3 Dump Information


General System Information


On a Nortel Application Switch 2424:
System Information at 6:56:53 Thu Sep 15, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia (GMT offset -4:00)

Alteon Application Switch 2424

Switch is up 3 days, 11 hours, 28 minutes and 34 seconds.
Last boot: 18:28:09 Sun Sep 11, 2005 (reset from Telnet)
Last apply: unknown
Last save: 5

MAC Address: 00:01:81:2e:bc:50    IP (If 1) Address: 0.0.0.0
Hardware Order No: EB1412006    Serial No: ABCDE600MJ    Rev: 09
Mainboard Hardware: Part No: P314090-A    Rev: 00
Management Processor Board Hardware: Part No: P314080-A    Rev: 00
Fast Ethernet Board Hardware: Part No: P314091-A    Rev: 00

Note - When the measured temperature inside the switch EXCEEDs the high threshold at 62 degree Celsius a syslog message will be generated.

Software Version 23.0.1 (FLASH image2), active configuration.

On a Nortel Application Switch 2424-SSL:


Note: The display of temperature comes up only if the temperature of any of the sensors exceeds 60°C. The software sends a warning message if any of the sensors exceeds this temperature threshold. The switch will shut down if the power supply overheats and the temperature gets to 100°C. Information about fan failures is also displayed if one or more fans are not functioning.

/info/sys/time Show System Time

/info/sys/log Show Last 64 Syslog Messages

Each syslog message has a criticality level associated with it, included in text form as a prefix to the log message. One of eight different prefixes is used, depending on the condition that the administrator is being notified of, as shown below.
- EMERG: indicates the system is unusable
- ALERT: indicates action should be taken immediately
- CRIT: indicates critical conditions
- ERR: indicates error conditions or error operations
- WARNING: indicates warning conditions
- NOTICE: indicates a normal but significant condition
- INFO: indicates an information message
- DEBUG: indicates a debug-level message

/info/sys/slog Last 64 Saved Syslog Messages

/info/sys/mgmt Management Port Information

Use this command to display Management port information on a Nortel Application Switch, including:
- Port speed (10/100)
- Duplex mode (half, full, any, or auto)
- Link (Up or down)
- MAC Address of the system
- IP address of the Interface
- IP address of the gateway

/info/sys/sonmp SONMP Information


This command displays the SynOptics Network Management Protocol (SONMP) topology table. SONMP is enabled on Nortel Application Switches using the /cfg/sys/sonmp on command, and is necessary so that a Nortel Application Switch can be discovered by the Nortel Enterprise Switch Manager. When SONMP is enabled, devices on the network exchange multicast packets, namely flatnet hellos and segment hellos. The IP address of the device is written into the hello packets. As the network devices exchange information, a topology table is built like the one shown below.

SONMP Information Parameters Description

Parameter: Description
Slot Port
  Specifies the slot and port on which the topology message was received.
IP Address
  This is the IP address of the sender of the topology message.
Seg ID
  The "segment identifier" of the segment from which the remote agent sent the topology message. Different devices may use different methods for representing the segment identifier.
Mac Address
  The MAC address of the sender of the topology message.
Chassis Type
  The chassis type of the device that sent the topology message.
Local Seg
  Indicates if the sender of the topology message is on the same Ethernet segment (i.e. not across a bridge) as the reporting agent.
State
  The current state of the sender of the topology message. The values are:
  - topChanged: topology information has recently changed.
  - heartbeat: topology information unchanged.
  - new: sending agent is in new state.

/info/sys/capacity System Capacity Information


The following sample output from a Nortel Application Switch 2424 displays the maximum and currently enabled switch capacity for various services and applications from Layer 2-7.


/info/sys/fan Show switch fan status

/info/sys/temp Show switch temperature sensor status

/info/sys/encrypt Show encryption licenses

/info/sys/user Show current user status

/info/sys/dump System Information Dump


/info/l2 Layer 2 Information Menu


[Layer 2 Menu]
     fdb     - Forwarding Database Information Menu
     lacp    - Link Aggregation Control Protocol Menu
     stg     - Show STG information
     cist    - Show CIST information
     trunk   - Show Trunk Group information
     vlan    - Show VLAN information
     team    - Show port team information
     dump    - Dump all layer 2 information

Layer 2 Information Menu Options

Command Syntax and Usage
fdb
  Displays the Forwarding Database Information Menu. For details, see "/info/l2/fdb" (page 70).
lacp
  Displays Link Aggregation Control Protocol Information Menu. For details, see "/info/l2/lacp" (page 72).
stg <STG index to display or carriage return for all STGs>
  In addition to seeing if Spanning Tree Protocol is enabled or disabled, you can view the following STP bridge information:
  - Priority
  - Hello interval
  - Maximum age value
  - Forwarding delay
  - Aging time
  You can also see the following port-specific STP information:
  - Port number and priority
  - Cost
  - State
cist
  Display the CIST information.
trunk
  When trunk groups are configured, you can view the state of each port in the various trunk groups. For details, see "/info/l2/trunk" (page 78).
vlan <VLAN number to display or carriage return to display all VLANs>
  Displays VLAN configuration information, including:
  - VLAN Number
  - VLAN Name
  - Status
  - Port membership of the VLAN
  For details, see "/info/l2/vlan" (page 78).
team
  Show port team information.
dump
  Displays all Layer 2 information.

/info/l2/fdb Layer 2 FDB Information


The forwarding database (FDB) contains information that maps the media access control (MAC) address of each known device to the switch port where the device address was learned. The FDB also shows which other ports have seen frames destined for a particular MAC address.
[Forwarding Database Menu]
     find    - Show a single FDB entry by MAC address
     port    - Show FDB entries on a single port
     trunk   - Show FDB entries on a single trunk
     vlan    - Show FDB entries on a single VLAN
     refpt   - Show FDB entries referenced by a single SP
     dump    - Show all FDB entries

Note: The master forwarding database supports up to 16K MAC address entries on the MP per switch. Each SP supports up to 8K entries.
Layer 2 FDB Information Menu Options (/info/l2/fdb)

Command Syntax and Usage
find <MAC address> [ <VLAN> ]
  Displays a single database entry by its MAC address. You are prompted to enter the MAC address of the device. Enter the MAC address using the format, xx:xx:xx:xx:xx:xx. For example, 08:00:20:12:34:56. You can also enter the MAC address using the format, xxxxxxxxxxxx. For example, 080020123456.
port <port number, 0 for "unknown">
  Displays all FDB entries for a particular port.
trunk <trunk group number>
  Displays all FDB entries on a single trunk.
vlan <VLAN number (1-4090)>
  Displays all FDB entries on a single VLAN.
refpt <SP number (1-4)>
  Displays the FDB entries referenced by a single port.
dump
  Displays all entries in the Forwarding Database. For more information, see "/info/l2/fdb/dump" (page 71).

/info/l2/fdb/dump Show All FDB Information


An address that is in the forwarding (FWD) state has been learned by the switch. When in the trunking (TRK) state, the port field represents the trunk group number. If the state for the port is listed as unknown (UNK), the MAC address has not yet been learned by the switch, but has only been seen as a destination address. When an address is in the unknown state, no outbound port is indicated, although ports which reference the address as a destination are listed under "Reference ports." If the state for the port is listed as an interface (IF), the MAC address is for a standard VRRP virtual router. If the state is listed as a virtual server (VIP), the MAC address is for a virtual server router, that is, a virtual router with the same IP address as a virtual server.

Clearing Entries from the Forwarding Database


To delete a MAC address from the forwarding database (FDB) or to clear the entire FDB, refer to "/maint/fdb Forwarding Database Options" (page 465).

/info/l2/lacp Link Aggregation Control Protocol Information Menu


The following menu options display the Link Aggregation Control Protocol (LACP) information on the Nortel Application Switch Operating System.
[LACP Menu]
     aggr    - Show LACP aggregator information for the port
     port    - Show LACP port information
     dump    - Show all LACP ports information

Link Aggregation Control Protocol Information Menu Options (/info/l2/lacp)

Command Syntax and Usage
aggr <aggregator index 1 to max num ports>
  Displays information about an LACP aggregator.
port <port index 1 to max num ports>
  Displays information of an LACP port.
dump
  Displays LACP information of all the ports. Use this command to verify the state of ports in an LACP trunk group. To view a sample output, see .

/info/l2/lacp/aggr LACP Aggregator Information


Aggregator Id 1
----------------------------------------------
MAC address             - 00:01:81:2e:a1:d1
Actor System Priority   - 32768
Actor System ID         - 00:01:81:2e:a1:b0
Individual              - FALSE
Actor Admin Key         - 300
Actor Oper Key          - 300
Partner System Priority - 32768
Partner System ID       - 00:0d:29:e3:4a:00
Partner Oper Key        - 1
ready                   - TRUE
Number of Ports in aggr - 10
index 0 port 1
index 1 port 2
index 2 port 3
index 3 port 4
index 4 port 5
index 5 port 6
index 6 port 7
index 7 port 8
index 8 port 9
index 9 port 10

/info/l2/lacp/port LACP Port Information


/info/l2/lacp/dump LACP Dump Information


/info/l2/stg Layer 2 Spanning Tree Group Information


When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the network so that a switch uses only the most efficient path.

Note: The Nortel Application Switch Operating System supports up to 16 multiple Spanning Trees or Spanning Tree Groups.

The switch software uses the IEEE 802.1d Spanning Tree Protocol (STP). In addition to seeing if STP is enabled or disabled, you can view the following STP bridge information:
- Priority
- Hello interval
- Maximum age value
- Forwarding delay
- Aging time

You can also see the following port-specific STP information:
- Port number and priority
- Cost
- State
- Designated Bridge
- Designated Port

The following table describes the STP parameters.


Spanning Tree Parameter Descriptions

Parameter: Description
Priority (bridge)
  The bridge priority parameter controls which bridge on the network will become the STP root bridge.
Hello
  The hello time parameter specifies, in seconds, how often the root bridge transmits a configuration bridge protocol data unit (BPDU). Any bridge that is not the root bridge uses the root bridge hello value.
MaxAge
  The maximum age parameter specifies, in seconds, the maximum time the bridge waits without receiving a configuration bridge protocol data unit before it reconfigures the STP network.
FwdDel
  The forward delay parameter specifies, in seconds, the amount of time that a bridge port has to wait before it changes from learning state to forwarding state.
Aging
  The aging time parameter specifies, in seconds, the amount of time the bridge waits without receiving a packet from a station before removing the station from the Forwarding Database.
priority (port)
  The port priority parameter helps determine which bridge port becomes the designated port. In a network topology that has multiple bridge ports connected to a single segment, the port with the lowest port priority becomes the designated port for the segment.
Cost
  The port path cost parameter is used to help determine the designated port for a segment. Generally speaking, the faster the port, the lower the path cost. A setting of 0 indicates that the cost is set to the appropriate default after the link speed has been auto negotiated.
State
  The state field shows the current state of the port. The state field can be either BLOCKING, LISTENING, LEARNING, FORWARDING, or DISABLED.
Designated Bridge
  The designated bridge resides closest to the root bridge and is responsible for forwarding packets from LAN towards the root bridge. This bridge is displayed as a character string starting with the bridge priority (1-65535) followed by a hyphen and the six-byte MAC address of that switch.
Designated port
  The designated port identifies a physical port. This is a number that is the numerical sum of bridge priority and the actual physical port number. For example, a physical port number four with bridge priority 32768 is displayed as 32768+4=32772.

/info/l2/cist Show common internal spanning tree (CIST) information


Note: The Nortel Application Switch Operating System supports up to 16 multiple Spanning Trees or Spanning Tree Groups.
----------------------------------------------------------
Common Internal Spanning Tree:
VLANs: 1 4-4094

Current Root:            Path-Cost  Port  MaxAge  FwdDel
 8000 00:01:81:2e:bc:50      0        0     20      15

Cist Regional Root:      Path-Cost
 8000 00:01:81:2e:bc:50      0

Parameters:  Priority  MaxAge  FwdDel  Hops
              32768      20      15     20

Port   Prio Cost    State Role Designated Bridge      Des Port Hello Type
------ ---- ------- ----- ---- ---------------------- -------- ----- ------
1      128  20000   DSB
2      128  20000   DSB
3      128  20000   DSB
4      128  20000   DSB
5      128  20000   DSB
6      128  20000   DSB
7      128  20000   DSB
. . .
18     128  20000   DSB
19     128  20000   DSB
20     128  20000   DSB
21     128  20000   DSB
22     128  20000   DSB
23     128  20000   DSB
24     128  20000   DSB
25     128  20000   DSB
26     128  20000   DSB
27     128  20000   DSB
28     128  20000   DSB
sslpro 128  20000   DISC  DESG 8000-00:01:81:2e:bc:50 801d     2     Shared

/info/l2/trunk Trunk Group Information


Trunk groups can provide super-bandwidth, multi-link connections between Nortel Application Switches or other trunk-capable devices. A trunk group is a group of ports that act together, combining their bandwidth to create a single, larger virtual link. When trunk groups are configured, you can view the state of each port in the various trunk groups.

Trunk group 1, bw contract 1024, port state:
  1: STG 1 forwarding
  2: STG 1 forwarding

Note: If Spanning Tree Protocol on any port in the trunk group is set to forwarding, the remaining ports in the trunk group are also set to forwarding.

/info/l2/vlan VLAN Information

This information display includes all configured VLANs and all member ports that have an active link state. Port membership is represented in slot/port format. VLAN information includes:
- VLAN Number
- VLAN Name
- Status
- Jumbo Frames
- Bandwidth Contract if BWM is enabled
- Source MAC Address Learning
- Port membership of the VLAN

/info/l2/team Status of port teams


>> Layer 2# team
All port teams are disabled.

/info/l2/dump Layer2 Dump Information

/info/l3 Layer3 Information Menu

Layer 3 Information Menu Options

Command Syntax and Usage
route
  Displays the IP Routing Menu. Using the options of this menu, the system displays the following for each configured or learned route:
  - Route destination IP address, subnet mask, and gateway address
  - Type of route
  - Tag indicating origin of route
  - Metric for RIP tagged routes, specifying the number of hops to the destination (1-15 hops, or 16 for infinite hops)
  - The IP interface that the route uses
  For details, see "/info/l3/route" (page 82).
route6
  IP6 Routing Information Menu. To view menu options, see "/info/l3/route6" (page 84).
arp
  Displays the Address Resolution Protocol (ARP) Information Menu. For details, see "/info/l3/arp" (page 85).
nbrcache
  IP6 Neighbor Cache Menu. To view menu options, see "/info/l3/nbrcache" (page 88).
bgp
  Displays BGP Information Menu. To view menu options, see "/info/l3/bgp" (page 90).
ospf
  Displays OSPF routing information menu. For details, see "/info/l3/ospf" (page 92).
ip
  Displays IP Information. For details, see "/info/l3/route" (page 82). IP information includes:
  - IP interface information: Interface number, IP address, subnet mask, broadcast address, VLAN number, and operational status.
  - Default gateway information: Metric for selecting which configured gateway to use, gateway number, IP address, and health status
  - IP forwarding information: Enable status, lnet and lmask
  - Port status
vrrp
  Displays the VRRP Information Menu. For details, see "/info/l3/vrrp" (page 98).
dump
  Displays all Layer 3 information.

/info/l3/route IP Routing Information

Using the commands listed below, you can display all or a portion of the IP routes currently held in the switch.
Route Information Menu Options (/info/l3/route) Command Syntax and Usage find <IP address (such as, 192.4.17.101)> Displays a single route by destination IP address. gw <default gateway address (such as, 192.4.17.44)> Displays routes to a single gateway. type indirect|direct|local|broadcast|martian|multicast Displays routes of a single type. For a description of IP routing types, see "IP Routing Type Parameters (/info/l3/route/dump/type)" (page 83). tag fixed|static|addr|rip|ospf|bgp|broadcast|martian|vip Displays routes of a single tag. For a description of IP routing types, see "IP Routing Tag Parameters (info/l3/route/tag)" (page 83). if <interface number (1-256)> Displays routes on a single interface.

Note: The total number of interfaces on a Nortel Application Switch 2424-SSL is 1-255.

dump
  Displays all routes configured in the switch. For more information, see "/info/l3/route/dump" (page 83).

/info/l3/route/dump Show All IP Route Information

Type Parameters
The following table describes the Type parameters.
IP Routing Type Parameters (/info/l3/route/dump/type)
Parameter   Description
indirect
  The next hop to the host or subnet destination is forwarded through a router at the Gateway address.
direct
  Packets are delivered to a destination host or subnet attached to the switch.
local
  Indicates a route to one of the switch's IP interfaces.
broadcast
  Indicates a broadcast route.
martian
  The destination belongs to a host or subnet which is filtered out. Packets to this destination are discarded.
multicast
  Indicates a multicast route.

Tag Parameters
The following table describes the Tag parameters.
IP Routing Tag Parameters (info/l3/route/tag)
Parameter   Description
fixed
  The address belongs to a host or subnet attached to the switch.
static
  The address is a static route which has been configured on the Nortel Application Switch.
addr
  The address belongs to one of the switch's IP interfaces.
rip
  The address was learned by the Routing Information Protocol (RIP).
ospf
  The address was learned by Open Shortest Path First (OSPF).
bgp
  The address was learned via Border Gateway Protocol (BGP)
broadcast
  Indicates a broadcast address.
martian
  The address belongs to a filtered group.
multicast
  Indicates a multicast address.
vip
  Indicates a route destination that is a virtual server IP address. VIP routes are needed to advertise virtual server IP addresses via BGP.

/info/l3/route6 IPv6 Routing Information Menu


This menu provides a mechanism for viewing IPv6 routing information. The IPv6 routing table stores routes it learns from network traffic and pre-configured, static routes.
Note: Presently there is no mechanism for clearing this IPv6 routing table.

[IP6 Routing Menu]
dump - Show all routes

"IPv6 Routing Information Menu Options (/info/l3/route6)" (page 84) provides a description of this menu.
IPv6 Routing Information Menu Options (/info/l3/route6)
Command Syntax and Usage
dump
  The /info/l3/route6/dump command shows all the IPv6 routes maintained. Since each link-local interface is shown with an entry prefix of /128, the link-local network, such as FE80::/10, is not shown for each interface to avoid too many network entries in the table.


The following is an example of output from the /info/l3/route6/dump command.

>> Main# /info/l3/route6/dump
IPv6 Forwarding Table:
Destination: 0:0:0:0:0:0:0:0/0
NextHop: 2005:0:0:0:0:0:0:16    If:1  Proto: STATIC
Destination: 2005:0:0:0:0:0:0:0/64
NextHop: 0:0:0:0:0:0:0:0    If:1  Proto: LOCAL
Destination: 2005:0:0:0:0:0:0:1/128
NextHop: 0:0:0:0:0:0:0:0    If:1  Proto: LOCAL
Destination: 2005:0:0:0:0:0:0:16/128
NextHop: 0:0:0:0:0:0:0:0    If:1  Proto: STATIC
Destination: fe80:0:0:0:201:81ff:fe2e:a100/128
NextHop: 0:0:0:0:0:0:0:0    If:1  Proto: LOCAL
Destination: ff02:0:0:0:0:0:0:1/128
NextHop: 0:0:0:0:0:0:0:0    If:1  Proto: STATIC
Destination: ff02:0:0:0:0:0:0:2/128
NextHop: 0:0:0:0:0:0:0:0    If:1  Proto: STATIC
Destination: ff02:0:0:0:0:1:ff00:0/128
NextHop: 0:0:0:0:0:0:0:0    If:1  Proto: STATIC
Destination: ff02:0:0:0:0:1:ff00:1/128
NextHop: 0:0:0:0:0:0:0:0    If:1  Proto: STATIC
Destination: ff02:0:0:0:0:1:ff2e:a100/128
NextHop: 0:0:0:0:0:0:0:0    If:1  Proto: STATIC
Total number of route6 entries: 10

/info/l3/arp ARP Information Menu


Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet layer. ARP resolves a physical address from an IP address. ARP queries machines on the local network for their physical addresses. ARP also maintains IP to physical address pairs in its cache memory. In any IP communication, the ARP cache is consulted to see if the IP address of the router is present in the ARP cache. Then the corresponding physical address is used to send a packet.


[Address Resolution Protocol Menu]
find - Show a single ARP entry by IP address
port - Show ARP entries on a single port
vlan - Show ARP entries on a single VLAN
refpt - Show ARP entries referenced by a single SP
dump - Show all ARP entries
help - Show help on the fields of ARP entries
addr - Show ARP address list

The ARP information includes IP address and MAC address of each entry, address status flags (see "ARP Dump Flag Parameters" (page 88)), VLAN and port for the address, and port referencing information.
ARP Information Menu Options (/info/l3/arp)
Command Syntax and Usage
find <IP address (such as, 192.4.17.101)>
  Displays a single ARP entry by IP address.
port <port number>
  Displays the ARP entries on a single port.
vlan <VLAN number (1-4090)>
  Displays the ARP entries on a single VLAN.
refpt <SP number (1-4)>
  Displays the ARP entries referenced by a single SP. For details, see "/info/l3/arp/refpt" (page 87).
dump
  Displays all ARP entries, including:
  IP address and MAC address of each entry
  Address status flag (see below)
  The VLAN and port to which the address belongs
  The ports which have referenced the address (empty if no port has routed traffic to the IP address shown)
  For more information, see "/info/l3/arp/dump" (page 87).
help
  Displays help on the ARP field entries. For example:
  IP address: IP address of ARP entry
  Flags:
    J - ARP entry belongs to a Jumbo capable VLAN
    P - Permanent ARP entry (not obtained via ARP request), e.g. IP interface, VIP, etc.
    R - Indirect ARP (cache) entry for IP address reachable via indirect routes (static/dynamic)
    4 - Layer 4 IP address (VIP)
    u - Unresolved ARP entry. The MAC address has not been learned.
  MAC address: MAC address of ARP entry
  VLAN: VLAN of this ARP entry
  Port: Physical port where this IP address owner is connected
  Referenced SPs: SPs on which this ARP entry is present
addr
  Displays the ARP address list: IP address, IP mask, MAC address, and VLAN flags.

/info/l3/arp/refpt Show ARP Entries on Referenced SP

/info/l3/arp/dump Show All ARP Entry Information


Referenced ports are the ports that request the ARP entry. So the traffic coming into the referenced ports has the destination IP address. From the ARP entry (the referenced ports), this traffic needs to be forwarded to the egress port (port 6 in the above example).
Note: If you have VMA turned on, the referenced port is the designated port. If you have VMA turned off, the designated port is the normal ingress port.
The Flag field is interpreted as follows:

ARP Dump Flag Parameters
Flag   Description
P
  Permanent entry created for switch IP interface.
P 4
  Permanent entry created for Layer 4 proxy IP address or virtual server IP address.
R
  Indirect route entry.
U
  Unresolved ARP entry. The MAC address has not been learned.
J
  ARP entry belongs to a Jumbo capable VLAN

/info/l3/arp/addr ARP Address List Information

/info/l3/nbrcache IPv6 Neighbor Cache Information


This menu provides a mechanism for viewing IPv6 Neighbor Cache information. IPv6 uses the Neighbor Discovery (ND) protocol to discover its neighbors' link-layer addresses and neighbor reachability. ND can also auto-configure addresses and detect duplicate addresses. ND enables routers to advertise their presence and address prefixes and to inform hosts of a better next-hop address to forward packets. The information collected from ND is stored in the Neighbor Cache. The Neighbor Cache maintains information about each neighbor such as:
MAC Address
Reachability State
Neighbor Type
VLAN
Ingress Port

Neighbor Cache entries are added in a number of situations:
1. Entries are added when an IPv6 Interface or Virtual IP is operational.
2. Reception of ND messages from neighbor.
3. A switch sends ND packets to resolve a link-layer address that it wishes to send packets to.

There are 5 reachability states:
INCOMPLETE
  The link-layer address of the neighbor has not yet been determined.
REACHABLE
  The neighbor is known to have been reachable recently.
STALE
  The neighbor is no longer known to be reachable but until traffic is sent to the neighbor, no attempt should be made to verify its reachability.
DELAY
  The neighbor is no longer known to be reachable and traffic has recently been sent to the neighbor.
PROBE
  The neighbor is no longer known to be reachable, and ND messages are sent to the neighbor to verify reachability.

The neighbor types are LOCAL and DYNAMIC. The LOCAL neighbor type is for switch pre-configured addresses and DYNAMIC is for neighbor addresses learnt from ND.
Note: Once the Neighbor Cache table reaches 2000 entries, table entries are replaced by adding the new entry and dropping the 2000th entry off the list. Table entries are kept until the entry is replaced by a new one. During this 2000 full entries period, no new entries are used to sort for display.

[IP6 Neighbor Discovery Protocol Menu]
dump - Show all IP6 neighbor cache entries


"IPv6 Neighbor Cache Information Menu (/info/l3/nbrcache)" (page 90) provides a description of this menu.
IPv6 Neighbor Cache Information Menu (/info/l3/nbrcache)
Command Syntax and Usage
dump
  Displays all IPv6 neighbor cache entries.

The following is an example of output from the /info/l3/nbrcache/dump command.

/info/l3/bgp BGP Information Menu


Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to share routing information with each other and advertise information about the segments of the IP address space they can access within their network with routers on external networks. For more information, refer to the BGP section in the chapter "The Configuration Menu" (page 217) and the Application Guide.

[BGP Menu]
peer - Show all BGP peers
summary - Show all BGP peers in summary
dump - Show BGP routing table

BGP Peer Information Menu Options (/info/l3/bgp)
Command Syntax and Usage
peer
  Displays BGP peer information. See "/info/l3/bgp/peer" (page 91) for a sample output.
summary
  Displays peer summary information such as AS, message received, message sent, up/down, state. See "/info/l3/bgp/summary" (page 91) for a sample output.
dump
  Displays the BGP routing table. See "/info/l3/bgp/dump" (page 91) for a sample output.


/info/l3/bgp/peer BGP Peer information


Following is an example of the information that /info/l3/bgp/peer provides.
BGP Peer Information:
  3: 2.1.1.1 , version 0, TTL 1
    Remote AS: 0, Local AS: 0, Link type: IBGP
    Remote router ID: 0.0.0.0, Local router ID: 1.1.201.5
    BGP status: idle, Old status: idle
    Total received packets: 0, Total sent packets: 0
    Received updates: 0, Sent updates: 0
    Keepalive: 0, Holdtime: 0, MinAdvTime: 60
    LastErrorCode: unknown(0), LastErrorSubcode: unspecified(0)
    Established state transitions: 0
  4: 2.1.1.4 , version 0, TTL 1
    Remote AS: 0, Local AS: 0, Link type: IBGP
    Remote router ID: 0.0.0.0, Local router ID: 1.1.201.5
    BGP status: idle, Old status: idle
    Total received packets: 0, Total sent packets: 0
    Received updates: 0, Sent updates: 0
    Keepalive: 0, Holdtime: 0, MinAdvTime: 60
    LastErrorCode: unknown(0), LastErrorSubcode: unspecified(0)
    Established state transitions: 0

/info/l3/bgp/summary BGP Summary information


Following is an example of the information that /info/l3/bgp/summary provides.

/info/l3/bgp/dump Dump BGP Information


Following is an example of the information that /info/l3/bgp/dump provides.


/info/l3/ospf OSPF Information Menu


Nortel Application Switch Operating System supports the Open Shortest Path First (OSPF) routing protocol. The Nortel Application Switch Operating System implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed. For more information on how to configure OSPF on the switch, refer to the OSPF section in the chapter "The Configuration Menu" (page 217) and your Nortel Application Switch Operating System Application Guide.

[OSPF Information Menu]
general - Show general information
aindex - Show area(s) information
if - Show interface(s) information
virtual - Show details of virtual links
nbr - Show neighbor(s) information
dbase - Database Menu
sumaddr - Show summary address list
nsumadd - Show NSSA summary address list
routes - Show OSPF routes
dump - Show OSPF information

OSPF Information Menu (/info/l3/ospf)
Command Syntax and Usage
general
  Displays general OSPF information. See "/info/l3/ospf/general" (page 93) for a sample output.
aindex <area index [0-2]>
  Displays area information for a particular area index. If no parameter is supplied, it displays area information for all the areas.
if <interface number [1-256]>
  Displays interface information for a particular interface. If no parameter is supplied, it displays information for all the interfaces. See "/info/l3/ospf/if" (page 94) for a sample output.
virtual
  Displays information about all the configured virtual links.
nbr <nbr router-id (A.B.C.D)>
  Displays the status of a neighbor with a particular router ID. If no router ID is supplied, it displays the information about all the current neighbors.
dbase
  Displays OSPF database menu. To view menu options, see "/info/l3/ospf/dbase" (page 94).
sumaddr <area index (0-2)>
  Displays the list of summary ranges belonging to non-NSSA areas.
nsumadd <area index (0-2)>
  Displays the list of summary ranges belonging to NSSA areas.
routes
  Displays OSPF routing table. See "/info/l3/ospf/routes" (page 96) for a sample output.
dump
  Displays all the OSPF information. See for a sample output.

/info/l3/ospf/general OSPF General Information


OSPF Version 2
Router ID: 47.80.23.247
Started at 95 and the process uptime is 352315
Area Border Router: yes, AS Boundary Router: no
LS types supported are 6
External LSA count 0
External LSA checksum sum 0x0
Number of interfaces in this router is 2
Number of virtual links in this router is 1
16 new lsa received and 34 lsa originated from this router
Total number of entries in the LSDB 10
Database checksum sum 0x0
Total neighbors are 1, of which
  2 are >=INIT state,
  2 are >=EXCH state,
  2 are =FULL state
Number of areas is 2, of which 3-transit 0-nssa
  Area Id : 0.0.0.0
  Authentication : none
  Import ASExtern : yes
  Number of times SPF ran : 8
  Area Border Router count : 2
  AS Boundary Router count : 0
  LSA count : 5
  LSA Checksum sum : 0x2237B
  Summary : noSummary

/info/l3/ospf/if OSPF Interface Information


Ip Address 10.10.12.1, Area 0.0.0.1, Admin Status UP
Router ID 10.10.10.1, State DR, Priority 1
Designated Router (ID) 10.10.10.1, Ip Address 10.10.12.1
Backup Designated Router (ID) 10.10.14.1, Ip Address 10.10.12.2
Timer intervals, Hello 10, Dead 40, Wait 1663, Retransmit 5, Poll interval 0, Transit delay 1
Neighbor count is 1 If Events 4, Authentication type none

/info/l3/ospf/dbase OSPF Database Information


[OSPF Database Menu]
advrtr - LS Database info for an Advertising Router
asbrsum - ASBR Summary LS Database info
dbsumm - LS Database summary
ext - External LS Database info
nw - Network LS Database info
nssa - NSSA External LS Database info
rtr - Router LS Database info
self - Self Originated LS Database info
summ - Network-Summary LS Database info
all - All

OSPF Database Information Menu (/info/l3/ospf/dbase)
Command Syntax and Usage
advrtr <router-id (A.B.C.D)>
  Takes advertising router as a parameter. Displays all the Link State Advertisements (LSAs) in the LS database that have the advertising router with the specified router ID, for example: 20.1.1.1.
asbrsum <adv-rtr (A.B.C.D)> | <link_state_id (A.B.C.D)> | self
  Displays ASBR summary LSAs. The usage of this command is as follows:
  a) asbrsum adv-rtr 20.1.1.1 displays ASBR summary LSAs having the advertising router 20.1.1.1.
  b) asbrsum link_state_id 10.1.1.1 displays ASBR summary LSAs having the link state ID 10.1.1.1.
  c) asbrsum self displays the self advertised ASBR summary LSAs.
  d) asbrsum with no parameters displays all the ASBR summary LSAs.
dbsumm
  Displays the following information about the LS database in a table format:
  a) the number of LSAs of each type in each area.
  b) the total number of LSAs for each area.
  c) the total number of LSAs for each LSA type for all areas combined.
  d) the total number of LSAs for all LSA types for all areas combined.
  No parameters are required.
ext <adv-rtr (A.B.C.D)> | <link_state_id (A.B.C.D)> | self
  Displays the AS-external (type 5) LSAs with detailed information of each field of the LSAs. The usage of this command is the same as the usage of the command asbrsum.
nw <adv-rtr (A.B.C.D)> | <link_state_id (A.B.C.D)> | self
  Displays the network (type 2) LSAs with detailed information of each field of the LSA.network LS database. The usage of this command is the same as the usage of the command asbrsum.
nssa <adv-rtr (A.B.C.D)> | <link_state_id (A.B.C.D)> | self
  Displays the NSSA (type 7) LSAs with detailed information of each field of the LSAs. The usage of this command is the same as the usage of the command asbrsum.
rtr <adv-rtr (A.B.C.D)> | <link_state_id (A.B.C.D)> | self
  Displays the router (type 1) LSAs with detailed information of each field of the LSAs. The usage of this command is the same as the usage of the command asbrsum.
self
  Displays all the self-advertised LSAs. No parameters are required.
summ <adv-rtr (A.B.C.D)> | <link_state_id (A.B.C.D)> | self
  Displays the network summary (type 3) LSAs with detailed information of each field of the LSAs. The usage of this command is the same as the usage of the command asbrsum.
all
  Displays all the LSAs.

/info/l3/ospf/routes OSPF Information Route Codes


Codes: IA - OSPF inter area,
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
IA 10.10.0.0/16 via 200.1.1.2
IA 40.1.1.0/28 via 20.1.1.2
IA 80.1.1.0/24 via 200.1.1.2
IA 100.1.1.0/24 via 20.1.1.2
IA 140.1.1.0/27 via 20.1.1.2
IA 150.1.1.0/28 via 200.1.1.2
E2 172.18.1.1/32 via 30.1.1.2
E2 172.18.1.2/32 via 30.1.1.2
E2 172.18.1.3/32 via 30.1.1.2
E2 172.18.1.4/32 via 30.1.1.2
E2 172.18.1.5/32 via 30.1.1.2
E2 172.18.1.6/32 via 30.1.1.2
E2 172.18.1.7/32 via 30.1.1.2
E2 172.18.1.8/32 via 30.1.1.2

/info/ospf/dump OSPF Dump Information


OSPF Version 2
Router ID: 1.1.1.1
Started at 42 and the process uptime is 1197051
Area Border Router: no, AS Boundary Router: no
External LSA count 0
Number of interfaces in this router is 0
Number of virtual links in this router is 0
0 new lsa received and 0 lsa originated from this router
Total number of entries in the LSDB 0
Total neighbors are 0, of which
  0 are >=INIT state,
  0 are >=EXCH state,
  0 are =FULL state
Number of areas is 0, of which 0-transit 0-nssa

OSPF Neighbors:
Intf  NeighborID  Prio  State  Address
----  ----------  ----  -----  -------

OSPF LS Database:
OSPF LSDB breakdown for router with ID (1.1.1.1)
No areas enabled.

/info/l3/ip IP Information
Interface information:
  1: 47.80.23.81     255.255.254.0   47.80.23.255,   vlan 1, up
  2: 172.31.4.1      255.255.255.0   172.31.4.255,   vlan 1, up
  3: 172.31.3.1      255.255.255.0   172.31.3.255,   vlan 1, up

Default gateway information: metric strict
  2: 47.80.22.1, vlan any, up
Current IP forwarding settings: ON, dirbr disabled
Current local networks:
Current IP port settings:
  All other ports have forwarding ON
Current network filter settings: none
Current route map settings:
Current OSPF settings: ON
  Default route none
  Router ID: 1.1.1.1
  lsdb limit 0

/info/l3/vrrp VRRP Information


Virtual Router Redundancy Protocol (VRRP) support on Nortel Application Switch provides redundancy between routers in a LAN. This is accomplished by configuring the same virtual router IP address and ID number on each participating VRRP-capable routing device. One of the virtual routers is then elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address. Refer to the Nortel Application Switch Operating System Application Guide for more information on VRRP.

VRRP information:
  9: vrid 9, 2005:0:0:0:0:0:10:9 if 9, renter, prio 101, master
  10: vrid 10, 10.10.10.50, if 1, renter, prio 101, master
  20: vrid 20, 2005:0:0:0:0:0:20:20 if 20, renter, prio 105, master, server

When virtual routers are configured, you can view the status of each virtual router using this command. VRRP information includes:
Virtual router number
Virtual router ID and IP address
Interface number
Ownership status
  owner identifies the preferred master virtual router. A virtual router is the owner when the IP address of the virtual router and its IP interface are the same.
  renter identifies virtual routers which are not owned by this device.
Priority value. During the election process, the virtual router with the highest priority becomes master.
Activity status
  master identifies the elected master virtual router.
  backup identifies that the virtual router is in backup mode.
Server status. The server state identifies virtual routers that support Layer 4 services. These are known as virtual server routers: any virtual router whose IP address is the same as any configured virtual server IP address.
Proxy status. The proxy state identifies virtual proxy routers, where the virtual router shares the same IP address as a proxy IP address. The use of virtual proxy routers enables redundant switches to share the same IP address, minimizing the number of unique IP addresses that must be configured.

/info/l3/dump Layer3 Dump Information


This command dumps all the information about Layer 3 parameters. This dump is a collection of all the individual commands described in the sections above.


/info/slb Layer 4 Information Menu


Server Load Balancing (SLB) allows you to configure the Nortel Application Switch to balance user session traffic among a pool of available servers that provide shared services. In an average network that employs multiple servers without server load balancing, each server usually specializes in providing one or two unique services. If one of these servers provides access to applications or data that is in high demand, it can become overutilized. Placing this kind of strain on a server can decrease the performance of the entire network as user requests are rejected by the server and then resubmitted by the user stations.

With this software feature, the switch is aware of the services provided by each server and can direct user session traffic to an appropriate server, based on a variety of load-balancing algorithms. Refer to your Nortel Application Switch Operating System Application Guide for detailed information on this feature.

Layer 4 Information Menu Options (/info/slb)
Command Syntax and Usage
sess
  Displays the Session Table Information Menu. To view menu options, see "/info/slb/sess" (page 102).
gslb
  Displays the Global SLB Information Menu. To view menu options, see "/info/slb/gslb" (page 108).
real <real server number (1-1023)>
  Displays Real server number, real IP address, MAC address, VLAN, physical switch port, layer where health check is performed, and health check result.
group <real server group number, 1-1024>
  Real server group information
virt <virtual server number (1-1024)>
  Displays
  Virtual Server State: Virtual server number, IP address, virtual MAC address
  Virtual Port State: Virtual service or port, server port mapping, real server group, group backup server.
filt <filter ID (1-2048)> |list|allow|deny|redir|nat
  Displays the filter number, destination port, real server port, real server group, health check layer, group backup server, URL for health checks, and real server group, IP address, backup server, and status.
port <port number>
  Displays the physical port number, proxy IP address, filter status, a list of applied filters, and client and/or server Layer 4 activity.
wlm <work_load_manager_number, 1 to 16>
  Show workload manager information.
idshash <IP address 1 IP address 2>
  Displays the Intrusion Detection System server selected by hash or minmisses metric.
bind <IP address mask group number>
  Displays the real server selected by hash, phash, or minmisses metric.
bind6 <IPv6 address prefix length IPv6 group number>
  Displays the IPv6 real server selected by hash, phash, or minmisses metric.
cookie <16 or 20 bytes cookie value in HEX as 0xXXXXXXXXXXXXXXXX>
  Decodes the hexadecimal value to get the virtual server IP address, real server IP address, and real server port.
synatk
  Displays SYN attack detection information. To identify whether or not the server is under SYN attack, the number of new half open sessions is examined within a set period of time, for example, every two seconds. This feature requires dbind to be enabled.
dump
  Displays all Layer 4 information for the switch. For details, see "/info/slb/dump" (page 109).

/info/slb/sess Session Table Information

Session Information Menu Options (/info/slb/sess)
Command Syntax and Usage
cip <IP address>
  Displays all session entries with client's source IP address.
cip6 <IP6_address>
  Displays session entries with the specified IP6 address.
cport <real port>
  Displays all session entries with source (client) port.
dip <Destination IP address>
  Displays all session entries with the destination IP address.
dip6 <IP6_address>
  Displays session entries with the specified IP6 address.
dport <Destination real port>
  Displays all session entries with destination port.
pip <Proxy IP address>
  Displays all session entries with proxy IP address.
pport <proxy port>
  Displays all session entries with proxy port.
filter <filter ID (1-2048)>
  Displays all session entries with matching filter.
flag <E|L|N|P|S|Rt|Ru|Ri|Vi|Vr|Vs|Vm|Vd|U|W>
  Displays all session entries with matching flag. See "Session dump information" (page 105) for a description of these options.
port <port number>
  Displays all session entries on the ingress port.
real <IP address>
  Displays all session entries with real server IP address.
sp <port number (1-4)>
  Displays all session entries on switch processor.
dump v4 | v6
  Displays all session entries. Specify v4 to dump IPv4 information, v6 to dump IPv6 information or no parameter to display all information. Information similar to the following may appear in a session entry dump:
  3, 01: 1.1.1.1 4586, 2.2.2.1 http -> 1.1.1.2 3567 3.3.3.1 http age 6 f:10 EUSPT c
  (1)(2) (3)     (4)   (5)     (6)     (7a)    (7)  (8)     (9)  (10)  (11) (12)  (13)
  Note: The fields 1 to 13 associated with a session, as identified in the above example, are described in "Session dump information" (page 105).
help
  Displays the description of the session entry.

Session Dump Samples


L4 HTTP
3,01: 172.21.12.19 1040, 39.2.2.1 http -> 47.81.24.79 http age 4

L4-L7 WCR HTTP
2,16: 172.21.8.200 44687, 172.21.8.51 http -> 192.168.1.11 wcr age 4 f:12 E
3,01: 172.21.12.19 1040, 39.2.2.1 http -> 47.81.24.79 urlwcr age 6 f:123 E

RTSP
L4-L7 RTSP
3,01: 172.21.12.19 4586, 39.2.2.1 rtsp -> 47.81.144.13 rtsp age 10 EU
3,01: 172.21.12.19 6970, 39.2.2.1 21220 -> 47.81.144.13 21220 age 10 P
The first session is RTSP TCP control connection. The second session is RTSP UDP data connection.
3,01: 172.21.12.19 6970, 39.2.2.1 rtsp -> 47.81.144.13 0 age 10 P
During client-server port negotiation, the destination port shows "rtsp" and server port shows "0"

L7 WCR RTSP
3,01: 172.21.12.19 4586, 39.2.2.1 rtsp -> 47.81.144.13 urlwcr age 10 f:100 EU
3,01: 172.21.12.19 6970, 39.2.2.1 21220 -> 47.81.144.13 21220 age 10 P

Filtering
LinkLB
2,07: 10.0.1.26 1706, 205.178.14.84 http -> 192.168.4.10 linklb age 8 f:10 E

FTP
1,00: 172.31.4.215 80, 172.31.4.200 0 172.31.3.11 age 8 EP c:1
1,09: 172.31.4.215 4098, 172.31.4.200 ftp ->172.31.3.20 ftp age 10 EU
1,09: 172.31.4.215 4102, 172.31.4.200 ftp-data ->172.31.3.20 ftp-data age 10 E

NAT
2,05: 172.21.8.16 2559, 10.0.1.26 http NAT age 2 f:24 E

Persistent session
3,00: 237.162.52.123 160.10.20.30 age 4 EPS C:3
The destination port, real server IP and server port are not shown for persistent session.
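An added example, not part of the Nortel reference: a Python parser for saved session dump entries in the layouts shown in the samples above, grouping sessions by the filter they matched so a dump can be reviewed offline. Reading `f:N` as the filter number and keeping the last token as an uninterpreted field 13 are assumptions; entry shapes the parser does not recognize (for example persistent sessions) are returned as skipped lines.

```python
import re
from collections import defaultdict

# Constructed input: session entries copied from the samples on this page.
SAMPLE_DUMP = """\
3,01: 172.21.12.19 1040, 39.2.2.1 http -> 47.81.24.79 http age 4
2,16: 172.21.8.200 44687, 172.21.8.51 http -> 192.168.1.11 wcr age 4 f:12 E
3, 01: 1.1.1.1 4586, 2.2.2.1 http -> 1.1.1.2 3567 3.3.3.1 http age 6 f:10 EUSPT c
2,07: 10.0.1.26 1706, 205.178.14.84 http -> 192.168.4.10 linklb age 8 f:10 E
1,09: 172.31.4.215 4098, 172.31.4.200 ftp ->172.31.3.20 ftp age 10 EU
2,05: 172.21.8.16 2559, 10.0.1.26 http NAT age 2 f:24 E
3,00: 237.162.52.123 160.10.20.30 age 4 EPS C:3
"""

HEAD_RE = re.compile(r"^\s*(\d+),\s*(\d+):\s*(.*)$")  # fields (1) and (2)
AGE_RE = re.compile(r"\bage\s+(\d+)\b(.*)$")           # "age N" plus trailing fields
FILTER_ACTIONS = {"ALLOW", "DENY", "NAT"}              # shown in place of a server address


def parse_session(line):
    """Return a dict for one session entry, or None if the shape is not recognized."""
    head = HEAD_RE.match(line)
    if not head:
        return None
    sp, ingress, body = head.groups()
    tail = AGE_RE.search(body)
    if not tail:
        return None
    # Everything before "age": addresses and ports, with "->" as its own token.
    front = body[:tail.start()].replace("->", " -> ").replace(",", " ").split()
    entry = {
        "sp": int(sp), "ingress_port": int(ingress), "age": int(tail.group(1)),
        "proxy_ip": None, "proxy_port": None, "real_ip": None, "server_port": None,
        "action": None, "filter": None, "flags": [], "field13": None,
    }
    if len(front) in (7, 9) and front[4] == "->":
        if len(front) == 9:  # proxy IP (7a) and proxy port (7) are present
            entry["proxy_ip"], entry["proxy_port"] = front[5], front[6]
        entry["real_ip"], entry["server_port"] = front[-2], front[-1]
    elif len(front) == 5 and front[4] in FILTER_ACTIONS:
        entry["action"] = front[4]  # filter action, no real server address
    else:
        return None
    entry["src_ip"], entry["src_port"], entry["dst_ip"], entry["dst_port"] = front[:4]
    for tok in tail.group(2).split():
        filt = re.fullmatch(r"f:(\d+)", tok)
        if filt:
            entry["filter"] = int(filt.group(1))   # assumption: f:N is the filter number
        elif tok.lower() == "c" or tok.lower().startswith("c:"):
            entry["field13"] = tok                 # kept raw, not interpreted
        else:
            entry["flags"] = re.findall(r"[A-Z][a-z]?", tok)  # e.g. E, U, Rt, Vs
    return entry


def sessions_by_filter(dump_text):
    """Group parsed sessions by filter number; also return the lines that were skipped."""
    by_filter, skipped = defaultdict(list), []
    for line in dump_text.splitlines():
        if not line.strip():
            continue
        entry = parse_session(line)
        if entry is None:
            skipped.append(line)
            continue
        if entry["filter"] is not None:
            target = entry["action"] or entry["real_ip"]
            by_filter[entry["filter"]].append((entry["src_ip"], entry["dst_ip"], target))
    return dict(by_filter), skipped


if __name__ == "__main__":
    grouped, skipped = sessions_by_filter(SAMPLE_DUMP)
    for filt, sessions in sorted(grouped.items()):
        print(f"filter {filt}: {sessions}")
    print(f"skipped {len(skipped)} unrecognized line(s)")
```
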

Session dump information


Field / Description

(1) SP number
    This field indicates the Switch Processor number that created the session.

(2) Ingress port
    This field shows the physical port through which the client traffic enters the switch.

(3) Source IP address
    This field contains the source IP address from the client's IP packet in IPv4 or IPv6.

(4) Source port
    This field identifies the source port from the client's TCP/UDP packet.

(5) Destination IP address
    This field identifies the destination IP address from the client's TCP/UDP packet.

(6) Destination port
    This field identifies the destination port from the client's TCP/UDP packet.


(7a) Proxy IP address
    This field contains the Proxy IP address substituted by the switch.

(7) Proxy Port
    This field identifies the TCP/UDP source port substituted by the switch.

(8) Real Server IP Address
    For load balancing, this field contains the IP address of the real server that the switch selects to forward the client packet to. If the switch does not find a live server, this field is the same as the destination IP address (as in row 5). For example:

    3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10
    3,01: 1.1.1.1 6970, 2.2.2.1 rtsp -> 2.2.2.1 21220 age 10 P

    For filtering, this field also shows the real server IP address. No address is shown if the filter action is Allow, Deny or NAT. It will show ALLOW, DENY or NAT instead. For example:

    3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10 f:11
    2,07: 1.1.1.1 1706, 2.2.2.1 http-> 192.168.4.10 linklb age 8 f:10 E

(9) Server port
    This field is the same as the destination port (field 6) for load balancing except for the RTSP UDP session. For RTSP UDP session, this server port is obtained from the client-server negotiation.

    This field is the filtering application port for filtering. It is for internal use only. This field can be urlwcr, wcr, idslb, linkslb or nonat.


(10) Age
    This is the session timeout value. If no packet is received within the value specified, the session is freed. For example, if:
    age 10 - The session is aged out in 10 minutes.
    age 160 - The session is aged out in 160 minutes. This indicates that slowage is used. The user can configure slowage by using the command: /cfg/slb/adv/slowage.

(11) Filter number
    This field indicates the session created by filtering code as a result of the IP header keys matching the filtering criteria.

(12) VLAN number
    This field is the ingress port's VLAN.

(13) Flag
    "Ac": Indicates the session is application capping per-contract entry.
    "Au": Indicates the session is application capping per-user entry.
    "E": Indicates the session is established and will be aged out if no traffic is received within session timeout value.
    "L": Indicates the session is a link load balance session.
    "N": Indicates no NAT, which means the session only translates the destination MAC when forwarding client traffic to the real server.
    "P": Indicates the session is a persistent session and is not to be aged out. Fields (6), (7) and (8) cannot have persistent session.
    "S": Indicates the session is a persistent session and the application is SSL session ID, or Cookie Pbind.
    "Rt": Indicates the session is TCP rate limiting for every client entry.
    "Ru": Indicates UDP rate limiting for every client entry.
    "Ri": Indicates the session is ICMP rate limiting per-client entry.
    "Vr": Indicates the session is a SIP REGISTER session.
    "Vs": Indicates the session is a SIP SUBSCRIBE session.
    "Vi": Indicates the session is a SIP INVITE session.
    "Vm": Indicates the session is a SIP MESSAGE session.
    "Vd": Indicates the session is a SIP NAT data session.
    "Sc": Indicates the session is an opened server session used in connection pooling.


    "U": Indicates the session is Layer 7 delayed binding and the switch is trying to open TCP connection to the real server.
    "W": Indicates the session only translates the destination MAC when forwarding Layer 7 WCR traffic to the real server.
    "Dcy": Indicates the session is a Symantec client session and Snoop ON
    "Dcn": Indicates the session is a Symantec client session and Snoop OFF
    "Dci": Indicates the session is a Symantec client session and Snoop INIT
    "Dsy": Indicates the session is a Symantec server session and Snoop ON
    "Dsn": Indicates the session is a Symantec server session and Snoop OFF
    "Dsi": Indicates the session is a Symantec server session and Snoop INIT

(14) Persistent session user count
    This counter indicates the number of client sessions created to associate with this persistent session.
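The session entry layout described above can be read mechanically. The following Python parser is an added example, not part of the Nortel manual and not vendor code; its function and field names are hypothetical. It assumes that flags are printed concatenated (as in "EPS"), and it does not extract the VLAN number, because the page's samples do not show that field separately.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Field (13) flags listed in "Session dump information".
KNOWN_FLAGS = set("Ac Au E L N P S Rt Ru Ri Vr Vs Vi Vm Vd Sc U W "
                  "Dcy Dcn Dci Dsy Dsn Dsi".split())
ACTIONS = {"ALLOW", "DENY", "NAT"}  # shown in place of a real server address
# <SP>,<port>: <addresses and ports> age <n> [f:<filter>] [flags] [c:<count>]
HEAD = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(.*?)\s+age\s+(\d+)\s*(.*)$")
TAIL = re.compile(r"^(?:f:(\d+)\s*)?(.*?)\s*(?:[cC]:(\d+))?$")

@dataclass
class Session:
    sp: int
    ingress_port: int
    age: int
    src_ip: str
    dst_ip: str
    src_port: Optional[str] = None
    dst_port: Optional[str] = None
    proxy_ip: Optional[str] = None
    proxy_port: Optional[str] = None
    real_ip: Optional[str] = None
    server_port: Optional[str] = None
    action: Optional[str] = None
    filter_no: Optional[int] = None
    flags: List[str] = field(default_factory=list)
    user_count: Optional[int] = None

def _is_ip(tok: str) -> bool:
    try:
        return bool(ipaddress.ip_address(tok))  # accepts IPv4 and IPv6 text
    except ValueError:
        return False

def parse_session(line: str) -> Session:
    m = HEAD.match(line)
    if not m:
        raise ValueError(f"not a session entry: {line!r}")
    sp, port, body, age, tail = m.groups()
    # Drop the arrow and commas; the order of IP and non-IP tokens is enough.
    toks = body.replace("->", " ").replace(",", " ").split()
    def take_ip(what: str) -> str:
        if not toks or not _is_ip(toks[0]):
            raise ValueError(f"missing {what}: {line!r}")
        return toks.pop(0)
    def take_port() -> Optional[str]:
        if toks and not _is_ip(toks[0]) and toks[0] not in ACTIONS:
            return toks.pop(0)
        return None
    src_ip, src_port = take_ip("source IP"), take_port()
    dst_ip, dst_port = take_ip("destination IP"), take_port()
    s = Session(int(sp), int(port), int(age), src_ip, dst_ip, src_port, dst_port)
    if toks and toks[0] in ACTIONS:
        s.action = toks.pop(0)
    if len(toks) >= 3:  # proxy IP and port (7a, 7) precede the real server
        s.proxy_ip, s.proxy_port = take_ip("proxy IP"), take_port()
    if toks:
        s.real_ip, s.server_port = take_ip("real server IP"), take_port()
    if toks:
        raise ValueError(f"unexpected tokens {toks}: {line!r}")
    filt, flagtext, count = TAIL.match(tail).groups()
    s.filter_no = int(filt) if filt else None
    # Assumption: flags are concatenated ("EPS"), each starting with a capital.
    s.flags = re.findall(r"[A-Z][a-z]*", flagtext)
    s.user_count = int(count) if count else None
    return s

def parse_dump(text: str) -> Tuple[List[Session], List[str]]:
    sessions, rejected = [], []  # rejected: lines that are not session entries
    for line in filter(str.strip, text.splitlines()):
        try:
            sessions.append(parse_session(line))
        except ValueError:
            rejected.append(line)
    return sessions, rejected

def no_live_server(s: Session) -> bool:
    """Field (8) equals field (5): the page says no live real server was found."""
    return s.real_ip is not None and s.real_ip == s.dst_ip

def unknown_flags(s: Session) -> List[str]:
    return [f for f in s.flags if f not in KNOWN_FLAGS]

# Sample lines copied from the page's own examples.
SAMPLES = """\
3,01: 172.21.12.19 1040, 39.2.2.1 http -> 47.81.24.79 http age 4
2,16: 172.21.8.200 44687, 172.21.8.51 http -> 192.168.1.11 wcr age 4 f:12 E
3, 01: 1.1.1.1 4586, 2.2.2.1 http -> 1.1.1.2 3567 3.3.3.1 http age 6 f:10 EUSPT c
3,01: 1.1.1.1 6970, 2.2.2.1 rtsp -> 2.2.2.1 21220 age 10 P
2,05: 172.21.8.16 2559, 10.0.1.26 http NAT age 2 f:24 E
3,00: 237.162.52.123 160.10.20.30 age 4 EPS C:3
"""
if __name__ == "__main__":
    for s in parse_dump(SAMPLES)[0]:
        print(s.sp, s.src_ip, s.real_ip or s.action, s.flags, no_live_server(s))
```

Lines that do not match the entry layout are returned in the second list rather than dropped, so banner or menu text in a captured dump is visible to the caller.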

/info/slb/gslb Global SLB Information Menu


A Nortel Application Switch Operating System running Global SLB selects the most appropriate site to direct the client traffic for a given domain during the initial client connection. The menu for this feature displays the following information:

Global SLB Information Menu Options (/info/slb/gslb)

Command Syntax and Usage

virt virtual server number (1-1024)
    Displays the Global SLB virtual server information such as the domain name of the virtual server, the number of the local and remote virtual servers, the number of virtual services on those virtual servers, and the group of real servers associated with the local and remote virtual servers.

site
    Displays the Global SLB remote site information.


geo
    Displays the Global SLB geographical preference information.

pers <IP_Address>
    Displays the Global SLB DNS persistence cache information.

dump
    Displays all Global SLB information.

/info/slb/dump Show All Layer 4 Information


Real server state:
  1: 210.1.2.200, 00:01:02:c1:4b:48, vlan 1, port 1, health 3, up
  2: 210.1.2.1, 00:01:02:70:4d:4a, vlan 1, port 8, health 3, up
  26: 20.20.20.102, 00:03:47:07:a4:9e, vlan 1, port 6, health 3, up
  27: 20.20.20.101, 00:01:02:71:9c:a6, vlan 1, port 7, health 3, up
Virtual server state:
  1: 20.20.20.200, 00:60:cf:47:5c:1e
    virtual ports:
    http: rport http, group 88, backup none, dbind
      HTTP Application: urlslb
      real servers:
        26: 20.20.20.102, backup none, 2 ms, up
          exclusionary string matching: disabled
          1: any
          2: urlone
        27: 20.20.20.101, backup none, 1 ms, up
          exclusionary string matching: disabled
          3: urltwo
          4: urlthree
Redirect filter state:
Action redir dport http, rport 3128, vlan any
  200: group 1, health 3, backup none
       proxy enabled, radius snoop disabled
       real servers:
         1: 210.1.2.200, backup none, 3 ms, up
         2: 210.1.2.1, backup none, 2 ms, up


Port state:
  1: filt disabled, filters: 80
  2: idslb filt enabled, filters: 200
  3: idslb filt enabled, filters: 200
  4: filt disabled, filters: 50 200

/info/bwm Bandwidth Management Information


Bandwidth Management (BWM) enables Web site managers to allocate a portion of the available bandwidth for specific users or applications. It allows companies to guarantee that critical business traffic, such as e-commerce transactions, receives higher priority versus non-critical traffic. Traffic classification can be based on user or application information. BWM policies can be configured to set lower and upper bounds on the bandwidth allocation. You can see the following information on your switch when you execute this command:
[Bandwidth Management Information Menu]
     ipuser  - BWM IP User Entries Information Menu
     cont    - Show Bandwidth Management Contract information

Bandwidth Management Information

Command Syntax and Usage

ipuser
    Displays the IP user entries with their IP addresses. See "/info/bwm/ipuser BWM IP User Information Menu" for sample output.

cont
    Displays the BWM contract information configured on this switch.

/info/bwm/ipuser BWM IP User Information Menu


[BWM IP User Entries Information Menu]
     ip      - Show all IP user entries with IP address
     cont    - Show all IP user entries for a contract
     sp      - Show all IP user entries on sp
     dump    - Show all IP user entries


BWM IP User Information Menu (/info/bwm/ipuser)

Command Syntax and Usage

ip <IP address>
    Displays the IP user entries for a specific IP address.

cont <BW Contract number, 1-1024>
    Displays the IP user entries for a specific BWM contract.

sp <SP number (1-4)>
    Displays the IP user entries on the Switch Processor. The same fields as described in cont above are displayed, but only for the specified sp number.

dump
    Displays all the IP user entries.

The format of the output of the above commands:


SP Contract IP Address       Age Octets     Discards   Allowed Offered
                                                       Rate    Rate
-- -------- ---------------- --- ---------- ---------- ------- -------
2  11       11.0.1.100       86  21500000   301001440  1953    29297
2  10       11.0.1.100       86  1076600    0          97      97
2  10       11.0.1.107       16  199940     0          97      97
2  10       11.0.1.105       16  198402     0          96      96
2  10       11.0.1.106       16  199940     0          97      97
2  10       11.0.1.103       16  196864     0          96      96
2  10       11.0.1.104       16  204554     0          99      99
2  10       11.0.1.101       16  201478     0          98      98
2  10       11.0.1.102       16  198402     0          96      96
2  10       11.0.1.108       16  199940     0          97      97
2  10       11.0.1.109       16  203016     0          99      99

SP Rate: the switch processor number (1-4) of the ipuser entry.
Contract Rate: the BWM contract number of the ipuser entry.
IP address: the IP address of the ipuser entry.
Age: the age of the entry in seconds.
Octets: the number of octets processed on this ipuser entry.
Discards: the number of octets discarded on this ipuser entry.
Allowed Rate: the rate of traffic allowed for this IP address.
Offered Rate: the rate including the discards for this IP address.

/info/bwm/cont BWM Contract Information


Current Bandwidth Management setting: ON
Policy Enforcement:enabled
BWM history will be mailed in a minute to abcd at host 100.81.138.26
BWM IP user table entries 64k

Contract             Policy                      Per User         Traffic
Num Name                    Prec Hard Soft Resv  Limit Key  State Shaping
1   123456789012345  2      1    50M  1M   500K  -          E     D
2   vlan             4      1    60M  2M   500K  -          E     D
3   filter           7      20   2M   1M   500K  -          E     D
4                    5      1    2M   1M   500K  -          D     D
5                    512    1    2M   1M   500K  -          E     D
10                   10     1    1M   0K   0K    500K  sip  E     D
11                   11     1    100M 80M  500K  2M    sip  E     D
12                   12     1    2M   1M   500K  -          E     D
13                   13     1    3M   1M   500K  -          E     D
14                   14     1    4M   400K 100K  -          E     D
15                   15     1    2M   1M   500K  -          E     D

This command displays information about any configured contracts and the BWM policies applied to the contracts.

BWM Contract Information

Field / Description

Contract
    Displays the BWM contract number.

Policy
    Displays specific information about a policy applied to a contract. Includes the following:
    The policy number applied to the contract
    Prec: the precedence applied to the policy
    Hard: the hard limit applied to the policy
    Soft: the soft limit applied to the policy
    Resv: the reserve limit applied to the policy

Per User
    These two columns display information for an ipuser limit, if applied to the contract. Includes the following:
    Limit: the user rate limit applied to the ipuser.
    Key: If an ipuser rate limit is enforced, this field displays whether the user limit is enforced on a source IP address (sip) or a destination IP address (dip).


State
    Displays whether the BWM contract is enabled (E) or disabled (D).

Traffic Shaping
    Displays whether Traffic Shaping is enabled (E) or disabled (D) for this contract.

/info/security Security Information

The information provided by each menu option is described in "Security Information Menu (/info/security)" (page 113).
Security Information Menu (/info/security)

Command Syntax and Usage

port
    This menu displays the current port security settings.

ipacl
    This menu displays the current IP ACL settings.

udpblast
    This menu displays UDP blast protection settings.

dos
    This menu displays DoS protection settings.

symantec
    This menu displays Symantec IPS processing information.

dump
    This menu displays all security settings.

/info/link Link Status Information


Alias  Port  Speed   Duplex    Flow Ctrl      Link
------ ----  -----   --------  --TX-----RX--  ------
1      1     10/100  any         yes    yes   down
2      2     10/100  any         yes    yes   down
3      3     10/100  any         yes    yes   down
4      4     10/100  any         yes    yes   down
5      5     10/100  any         yes    yes   down
6      6     10/100  any         yes    yes   down
7      7     10/100  any         yes    yes   down
8      8     10/100  any         yes    yes   down
9      9     10/100  any         yes    yes   down
10     10    10/100  any         yes    yes   down
11     11    10/100  any         yes    yes   down
12     12    10/100  any         yes    yes   down
13     13    10/100  any         yes    yes   down
14     14    10/100  any         yes    yes   down
15     15    10/100  any         yes    yes   down
16     16    10/100  any         yes    yes   down
17     17    10/100  any         yes    yes   down
18     18    10/100  any         yes    yes   down
19     19    10/100  any         yes    yes   down
20     20    10/100  any         yes    yes   down
21     21    10/100  any         yes    yes   down
22     22    10/100  any         yes    yes   down
23     23    10/100  any         yes    yes   down
24     24    10/100  any         yes    yes   down
25     25    1000    full        yes    yes   down
26     26    1000    full        yes    yes   down
27     27    1000    full        yes    yes   down
28     28    1000    full        yes    yes   down

Use this command to display link status information about each port on a Nortel Application Switch slot, including:
    Port Alias
    Port number
    Port speed (10, 100, 10/100, or 1000)
    Duplex mode (half, full, any, or auto)
    Flow control for transmit and receive (no, yes, or auto)
    Link status (up or down)

/info/port Port Information

Port information includes:
    Port alias
    Port number
    Whether the port uses VLAN tagging or not (y or n)
    Whether Remote Monitor is enabled or disabled
    Port VLAN ID (PVID)
    Port name
    VLAN membership
    Whether RMON is enabled or disabled on the port

/info/swkey Software Enabled Keys


For optional Layer 4 switching software, the information would be displayed as follows:


Enabled License(s):
    Layer 4: GSLB Inbound Linklb ITM Symantec subscription * 61 days remaining
Expired License(s): none
Non-Reusable Demo License(s): none

Software key information includes a list of all the optional software packages which have been activated or installed on your switch. For information on ordering optional software license keys, see "How to Get Help" (page 25).

/info/dump Information Dump


Use the dump command to dump all switch information available from the Information Menu (10K or more, depending on your configuration). This data is useful for tuning and debugging switch performance. If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump commands.


The Statistics Menu


You can view switch performance statistics in both the user and administrator command modes. This chapter discusses how to use the command line interface to display switch statistics.

/stats Statistics Menu

Statistics Menu Options (/stats)

Command Syntax and Usage

sys
    System statistics menu

port <port number>
    Displays the Port Statistics Menu for the specified port. Use this command to display traffic statistics on a port-by-port basis. Traffic statistics are included in SNMP Management Information Base (MIB) objects. To view menu options, see "/stats/sys System statistics menu" (page 119).

l2
    Displays Layer 2 Statistics Menu. To view menu options, see "/stats/l2 Layer 2 Statistics Menu" (page 134).

l3
    Displays Layer3 Statistics Menu. To view menu options, see "/stats/l3 Layer 3 Statistics Menu" (page 137).

slb
    Displays the Server Load Balancing (SLB) Menu. To view menu options, see "/stats/slb Server Load Balancing Statistics Menu" (page 161).

bwm
    Displays the Bandwidth Management Menu. To view menu options, see "/stats/bwm/hist BWM History Statistics" (page 198).

mp
    Displays the Management Processor Statistics Menu. Use this command to view information on how switch management processes and resources are currently being allocated. To view menu options, see "/stats/mp Management Processor Statistics" (page 208).

sp <SP number (1-4)>
    Displays Switch Processor-Specific Menu. To view menu options, see "/stats/sp SP Number SP Specific Statistics" (page 212).

security
    Displays Security Statistics Menu. To view menu options, see "/stats/security Security Statistics" (page 201).

snmp
    Displays SNMP Statistics.

ntp clear
    Displays Network Time Protocol (NTP) Statistics. You can execute the clear command option to delete all statistics.

pm
    Displays Port Mirroring Statistics Menu. To view menu options, see "/stats/pmirr Port Mirroring Statistics Menu" (page 213).

mgmt
    Displays interface statistics for the Management Port. See "/stats/mgmt Management Port Statistics" (page 214) for sample output.

dump
    Dumps all switch statistics. Use this command to gather data for tuning and debugging switch performance. If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump command. For details, see "/stats/dump Dump Statistics" (page 215).


/stats/sys System statistics menu


This menu displays traffic statistics on a system basis.

[System Statistics Menu]
     access  - System Access Menu
     mgmt    - Show management port stats
     ntp     - Show NTP server stats
     snmp    - Show SNMP stats
     dump    - Dump system stats

System Statistics Menu Options (/stats/sys)

Command Syntax and Usage

access
    Go to the System Access menu.

mgmt
    Management port interface statistics.

ntp
    Show NTP server statistics.

snmp
    Show SNMP statistics.

dump
    Dump system statistics.

/stats/port <port number> Port Statistics Menu


This menu displays traffic statistics on a port-by-port basis. Traffic statistics include SNMP Management Information Base (MIB) objects.

[Port Statistics Menu]
     brg     - Show bridging ("dot1") stats
     ether   - Show Ethernet ("dot3") stats
     if      - Show interface ("if") stats
     ip      - Show Internet Protocol ("IP") stats
     link    - Show link stats
     rmon    - Show RMON stats
     dump    - Dump port stats
     clear   - Clear all port stats

Port Statistics Menu Options (/stats/port)

Command Syntax and Usage

brg
    Displays bridging ("dot1") statistics for the port. See "/stats/port <port number>/brg Bridging Statistics" (page 120) for a sample output and the description of statistics.

ether
    Displays Ethernet ("dot3") statistics for the port. See "/stats/port <port number> /ether Ethernet Statistics" (page 121) for a sample output and the description of statistics.

if
    Displays interface statistics for the port. See "/stats/port <port number> /if Interface Statistics" (page 125) for a sample output and the description of statistics.

ip
    Displays IP statistics for the port. See "/stats/port port number /ip Interface Protocol Statistics" (page 127) for a sample output and the description of statistics.

link
    Displays link statistics for the port. See "/stats/port port number /link Link Statistics" (page 128) for a sample output and the description of statistics.

rmon
    Displays Remote Monitor (RMON) statistics for the port. See "/stats/port port number /rmon RMON Statistics" (page 129) for a sample output and the description of statistics.

dump
    Displays all the port statistics.

clear
    This command clears all the statistics on this port.

/stats/port <port number>/brg Bridging Statistics


This menu option enables you to display the bridging statistics of the selected port.
Bridging statistics for port 1:
dot1PortInFrames:                        63242584
dot1PortOutFrames:                       63277826
dot1PortInDiscards:                      0
dot1TpLearnedEntryDiscards:              0
dot1BasePortDelayExceededDiscards:       NA
dot1BasePortMtuExceededDiscards:         NA
dot1StpPortForwardTransitions:           0


Bridging Statistics of a Port (/stats/port/brg)

Statistics / Description

dot1PortInFrames
    The number of frames that have been received by this port from its segment. A frame received on the interface corresponding to this port is only counted by this object if and only if it is for a protocol being processed by the local bridging function, including bridge management frames.

dot1PortOutFrames
    The number of frames that have been transmitted by this port to its segment. Note that a frame transmitted on the interface corresponding to this port is only counted by this object if and only if it is for a protocol being processed by the local bridging function, including bridge management frames.

dot1PortInDiscards
    Count of valid frames received which were discarded (that is, filtered) by the Forwarding Process.

dot1TpLearnedEntryDiscards
    The total number of Forwarding Database entries, which have been or would have been learnt, but have been discarded due to a lack of space to store them in the Forwarding Database. If this counter is increasing, it indicates that the Forwarding Database is regularly becoming full (a condition which has unpleasant performance effects on the subnetwork). If this counter has a significant value but is not presently increasing, it indicates that the problem has been occurring but is not persistent.

dot1BasePortDelayExceededDiscards
    The number of frames discarded by this port due to excessive transit delay through the bridge. It is incremented by both transparent and source route bridges.

dot1BasePortMtuExceededDiscards
    The number of frames discarded by this port due to an excessive size. It is incremented by both transparent and source route bridges.

dot1StpPortForwardTransitions
    The number of times this port has transitioned from the Learning state to the Forwarding state.

/stats/port <port number> /ether Ethernet Statistics


This menu option enables you to display the Ethernet statistics of the selected port.


Ethernet statistics for port 1:
dot3StatsAlignmentErrors:                0
dot3StatsFCSErrors:                      0
dot3StatsSingleCollisionFrames:          0
dot3StatsMultipleCollisionFrames:        0
dot3StatsSQETestErrors:                  NA
dot3StatsDeferredTransmissions:          0
dot3StatsLateCollisions:                 0
dot3StatsExcessiveCollisions:            0
dot3StatsInternalMacTransmitErrors:      NA
dot3StatsCarrierSenseErrors:             0
dot3StatsFrameTooLongs:                  0
dot3StatsInternalMacReceiveErrors:       0
dot3CollFrequencies [1-15]:              NA

Ethernet Statistics for Port (/stats/port/ether)

Statistics / Description

dot3StatsAlignmentErrors
    A count of frames received on a particular interface that are not an integral number of octets in length and do not pass the Frame Check Sequence (FCS) check. The count represented by an instance of this object is incremented when the alignmentError status is returned by the MAC service to the Logical Link Control (LLC) (or other MAC user). Received frames for which multiple error conditions are obtained are, according to the conventions of IEEE 802.3 Layer Management, counted exclusively according to the error status presented to the LLC.

dot3StatsFCSErrors
    A count of frames received on a particular interface that are an integral number of octets in length but do not pass the Frame Check Sequence (FCS) check. This count does not include frames received with frame-too-long or frame-too-short errors. The count represented by an instance of this object is incremented when the frameCheckError status is returned by the MAC service to the LLC (or other MAC user). Received frames for which multiple error conditions are obtained are, according to the conventions of IEEE 802.3 Layer Management, counted exclusively according to the error status presented to the LLC.
    Note: Coding errors detected by the physical layer for speeds above 10 Mb/s will cause the frame to fail FCS check.


dot3StatsSingleCollisionFrames
    A count of successfully transmitted frames on a particular interface for which transmission is inhibited by exactly one collision. A frame that is counted by an instance of this object is also counted by the corresponding instance of either the ifOutUcastPkts, ifOutMulticastPkts, or ifOutBroadcastPkts, and is not counted by the corresponding instance of the dot3StatsMultipleCollisionFrames object. This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsMultipleCollisionFrames
    A count of successfully transmitted frames on a particular interface for which transmission is inhibited by more than one collision. A frame that is counted by an instance of this object is also counted by the corresponding instance of either the ifOutUcastPkts, ifOutMulticastPkts, or ifOutBroadcastPkts, and is not counted by the corresponding instance of the dot3StatsSingleCollisionFrames object. This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsSQETestErrors
    A count of times that the SQE TEST ERROR message is generated by the PLS sub layer for a particular interface. The SQE TEST ERROR is set in accordance with the rules for the verification of the SQE detection mechanism in the PLS Carrier Sense Function as described in IEEE Std. 802.3-1998 Edition, section 7.2.4.6. This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsDeferredTransmissions
    A count of frames for which the first transmission attempt on a particular interface is delayed because the medium is busy. The count represented by an instance of this object does not include frames involved in collisions. This counter does not increment when the interface is operating in full-duplex mode.


dot3StatsLateCollisions
    The number of times that a collision is detected on a particular interface later than one slotTime into the transmission of a packet. Five hundred and twelve bit-times corresponds to 51.2 microseconds on a 10 Mbit/s system. A (late) collision included in a count represented by an instance of this object is also considered as a (generic) collision for purposes of other collision-related statistics. This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsExcessiveCollisions
    A count of frames for which transmission on a particular interface fails due to excessive collisions. This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsInternalMacTransmitErrors
    A count of frames for which transmission on a particular interface fails due to an internal MAC sub layer transmit error. A frame is only counted by an instance of this object if it is not counted by the corresponding instance of either the dot3StatsLateCollisions object, the dot3StatsExcessiveCollisions object, or the dot3StatsCarrierSenseErrors object. The precise meaning of the count represented by an instance of this object is implementation-specific. In particular, an instance of this object may represent a count of transmission errors on a particular interface that are not otherwise counted.

dot3StatsCarrierSenseErrors
    The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame on a particular interface. The count represented by an instance of this object is incremented at most once per transmission attempt, even if the carrier sense condition fluctuates during a transmission attempt. This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsFrameTooLongs
    A count of frames received on a particular interface that exceed the maximum permitted frame size. The count represented by an instance of this object is incremented when the frameTooLong status is returned by the MAC service to the LLC (or other MAC user). Received frames for which multiple error conditions are obtained are, according to the conventions of IEEE 802.3 Layer Management, counted exclusively according to the error status presented to the LLC.


dot3StatsInternalMacReceiveErrors
    A count of frames for which reception on a particular interface fails due to an internal MAC sub layer receive error. A frame is only counted by an instance of this object if it is not counted by the corresponding instance of either the dot3StatsFrameTooLongs object, the dot3StatsAlignmentErrors object, or the dot3StatsFCSErrors object. The precise meaning of the count represented by an instance of this object is implementation-specific. In particular, an instance of this object may represent a count of received errors on a particular interface that are not otherwise counted.

dot3CollFrequencies
    A count of individual MAC frames for which the transmission (successful or otherwise) on a particular interface occurs after the frame has experienced exactly the number of collisions specified by the index. For example, a frame which is transmitted after experiencing exactly 4 collisions would be indicated by incrementing only dot3CollFrequencies [4]. No other instance of dot3CollFrequencies would be incremented in this example. This counter does not increment when the interface is operating in full-duplex mode.

/stats/port <port number>/if Interface Statistics

This menu option enables you to display the interface statistics of the selected port.

Interface statistics for port 1:
                   ifHCIn Counters    ifHCOut Counters
Octets:                51697080313         51721056808
UcastPkts:                65356399            65385714
BroadcastPkts:                   0                6516
MulticastPkts:                   0                   0
Discards:                        0                   0
Errors:                          0                   0

Interface Statistics for Port (/stats/port/if)
Statistics: Description

ifHCInOctets: The number of octets in valid MAC frames received on the interface, including the MAC header and FCS. This does include the number of octets in valid MAC Control frames received on this interface.


ifHCInUcastPkts: The number of packets, delivered by this sub-layer to a higher sub-layer, which were not addressed to a multicast or broadcast address at this sub-layer.

ifHCInBroadcastPkts: The number of packets, delivered by this sub-layer to a higher sub-layer, which were addressed to a broadcast address at this sub-layer.

ifHCInMulticastPkts: The number of packets delivered by this sub-layer to a higher (sub) layer, which were addressed to a multicast address at this sub-layer. For a MAC layer protocol, this includes both Group and Functional addresses.

ifHCInDiscards: The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being delivered to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.

ifHCInErrors: The sum for this interface of dot3StatsAlignmentErrors, dot3StatsFCSErrors, dot3StatsFrameTooLongs, dot3StatsInternalMacReceiveErrors and dot3StatsSymbolErrors.

ifHCOutOctets: The number of octets transmitted in valid MAC frames on this interface, including the MAC header and FCS. This does not include the number of octets in valid MAC Control frames transmitted on this interface.

ifHCOutUcastPkts: The total number of packets that higher-level protocols requested to be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent.

ifHCOutBroadcastPkts: The total number of packets that higher-level protocols requested to be transmitted, and which were addressed to a broadcast address at this sub-layer, including those that were discarded or not sent.


ifHCOutMulticastPkts: The total number of packets that higher-level protocols requested to be transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent. For a MAC layer protocol, this includes both Group and Functional addresses.

ifHCOutDiscards: The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.

ifHCOutErrors: The sum for this interface of: dot3StatsSQETestErrors, dot3StatsLateCollisions, dot3StatsExcessiveCollisions, dot3StatsInternalMacTransmitErrors and dot3StatsCarrierSenseErrors.

/stats/port <port number>/ip Interface Protocol Statistics

This menu option enables you to display the interface statistics of the selected port.

IP statistics for port 1:
ipInReceives:          0
ipInAddrErrors:        0
ipForwDatagrams:       0
ipInUnknownProtos:     0
ipInDiscards:          0
ipInDelivers:          0
ipTtlExceeds:          0
ipLANDattacks:         0

Interface Protocol Statistics (/stats/port/ip)
Statistics: Description

ipInReceives: The total number of input datagrams received from interfaces, including those received in error.


ipInAddrErrors: The number of input datagrams discarded because the IP address in their IP header's destination field was not a valid address to be received at this entity (the switch). This count includes invalid addresses (for example, 0.0.0.0) and addresses of unsupported Classes (for example, Class E). For entities which are not IP Gateways and therefore do not forward datagrams, this counter includes datagrams discarded because the destination address was not a local address.

ipForwDatagrams: The number of input datagrams for which this entity (the switch) was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. In entities which do not act as IP Gateways, this counter will include only those packets which were Source-Routed via this entity (the switch), and the Source-Route option processing was successful.

ipInUnknownProtos: The number of locally-addressed datagrams received successfully but discarded because of an unknown or unsupported protocol.

ipInDiscards: The number of input IP datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (for example, for lack of buffer space). Note that this counter does not include any datagrams discarded while awaiting re-assembly.

ipInDelivers: The total number of input datagrams successfully delivered to IP user-protocols (including ICMP).

ipTtlExceeds: The number of IP datagrams for which an ICMP TTL exceeded message was sent.

ipLANDattacks: The number of packets that have the same source and destination IP address.

/stats/port <port number>/link Link Statistics

This menu enables you to display the link statistics of the selected port.

Link statistics for port 1:
linkStateChange:

Link Statistics (/stats/port/link)
Statistics: Description

linkStateChange: The total number of link state changes.


/stats/port <port number>/rmon RMON Statistics

This menu option enables you to display the remote monitor statistics of the selected port.

RMON statistics for port 1:
etherStatsDropEvents:              0
etherStatsOctets:                  129677
etherStatsPkts:                    1485
etherStatsBroadcastPkts:           734
etherStatsMulticastPkts:           712
etherStatsCRCAlignErrors:          0
etherStatsUndersizePkts:           0
etherStatsOversizePkts:            0
etherStatsFragments:               0
etherStatsJabbers:                 0
etherStatsCollisions:              0
etherStatsPkts64Octets:            954
etherStatsPkts65to127Octets:       578
etherStatsPkts128to255Octets:      35
etherStatsPkts256to511Octets:      26
etherStatsPkts512to1023Octets:     16
etherStatsPkts1024to1518Octets:    8

Remote Monitor Statistics (/stats/port/rmon)
Statistics: Description

etherStatsDropEvents: The total number of events in which packets were dropped by the probe due to lack of resources. Note that this number is not necessarily the number of packets dropped; it is just the number of times this condition has been detected.

etherStatsOctets: The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including FCS octets). This object can be used as a reasonable estimate of utilization (which is the percent utilization of the ethernet segment). If greater precision is desired, the etherStatsPkts and etherStatsOctets objects should be sampled before and after a common interval. The differences in the sampled values are Pkts and Octets, respectively, and the number of seconds in the interval is Interval. These values are used to calculate the utilization as follows:


The result of this equation is the percent value of utilization.

etherStatsPkts: The total number of packets (including bad packets, broadcast packets, and multicast packets) received.

etherStatsBroadcastPkts: The total number of good packets received that were directed to the broadcast address. Note that this does not include multicast packets.

etherStatsMulticastPkts: The total number of good packets received that were directed to a multicast address. Note that this number does not include packets directed to the broadcast address.

etherStatsCRCAlignErrors: The total number of packets received that had a length (excluding framing bits, but including Frame Check Sequence (FCS) octets) of between 64 and 1518 octets, inclusive, but had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).

etherStatsUndersizePkts: The total number of packets received that were less than 64 octets long (excluding framing bits, but including FCS octets) and were otherwise well formed.

etherStatsOversizePkts: The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed.

etherStatsFragments: The total number of packets received that were less than 64 octets in length (excluding framing bits but including FCS octets) and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error). Note that it is entirely normal for etherStatsFragments to increment. This is because it counts both runts (which are normal occurrences due to collisions) and noise hits. (A runt is a packet that is less than 64 bytes.)


etherStatsJabbers: The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error). Note that this definition of jabber is different than the definition in IEEE-802.3 section 8.2.1.5 (10Base-5) and section 10.3.1.4 (10Base-2). These documents define jabber as the condition where any packet exceeds 20 ms. The allowed range to detect jabber is between 20 milliseconds and 150 milliseconds.

etherStatsCollisions: The best estimate of the total number of collisions on this Ethernet segment. The value returned will depend on the location of the RMON probe. Section 8.2.1.3 (10Base-5) and section 10.3.1.3 (10Base-2) of IEEE standard 802.3 states that a station must detect a collision, in the receive mode, if three or more stations are transmitting simultaneously. A repeater port must detect a collision when two or more stations are transmitting simultaneously. Thus a probe placed on a repeater port could record more collisions than a probe connected to a station on the same segment would. Probe location plays a much smaller role when considering 10Base-T. Section 14.2.1.4 (10Base-T) of IEEE standard 802.3 defines a collision as the simultaneous presence of signals on the DO and RD circuits (transmitting and receiving at the same time). A 10Base-T station can only detect collisions when it is transmitting. Thus probes placed on a station and a repeater should report the same number of collisions. Note also that an RMON probe inside a repeater should ideally report collisions between the repeater and one or more other hosts (transmit collisions as defined by IEEE 802.3k) plus receiver collisions observed on any coax segments to which the repeater is connected.

etherStatsPkts64Octets: The total number of packets (including bad packets) received that were 64 octets in length (excluding framing bits but including Frame Check Sequence (FCS) octets).


etherStatsPkts65to127Octets: The total number of packets (including bad packets) received that were between 65 and 127 octets in length (excluding framing bits but including FCS octets).

etherStatsPkts128to255Octets: The total number of packets (including bad packets) received that were between 128 and 255 octets in length (excluding framing bits but including Frame Check Sequence (FCS) octets).

etherStatsPkts256to511Octets: The total number of packets (including bad packets) received that were between 256 and 511 octets in length (excluding framing bits but including FCS octets).

etherStatsPkts512to1023Octets: The total number of packets (including bad packets) received that were between 512 and 1023 octets in length (excluding framing bits but including FCS octets).

etherStatsPkts1024to1518Octets: The total number of packets (including bad packets) received that were between 1024 and 1518 octets in length (excluding framing bits but including FCS octets).

/stats/port <port number>/dump Port Dump Statistics

Bridging statistics for port 1:
dot1PortInFrames:                      1284
dot1PortOutFrames:                     142
dot1PortInDiscards:                    130
dot1TpLearnedEntryDiscards:            0
dot1BasePortDelayExceededDiscards:     NA
dot1BasePortMtuExceededDiscards:       NA
dot1StpPortForwardTransitions:         2
--------------------------------------------------------
Ethernet statistics for port 1:
dot3StatsAlignmentErrors:              0
dot3StatsFCSErrors:                    0
dot3StatsSingleCollisionFrames:        0
dot3StatsMultipleCollisionFrames:      0
dot3StatsSQETestErrors:                NA
dot3StatsDeferredTransmissions:        0
dot3StatsLateCollisions:               0
dot3StatsExcessiveCollisions:          0
dot3StatsInternalMacTransmitErrors:    NA
dot3StatsCarrierSenseErrors:           1
dot3StatsFrameTooLongs:                0
dot3StatsInternalMacReceiveErrors:     0
dot3CollFrequencies [1-15]:            NA
--------------------------------------------------------
Interface statistics for port 1:
                   ifHCIn Counters    ifHCOut Counters
Octets:                     124166               19560
UcastPkts:                      39                  27
BroadcastPkts:                 631                  14
MulticastPkts:                 614                 101
Discards:                      130                   0
Errors:                          1                   0
--------------------------------------------------------
IP statistics for port 1:
ipInReceives:          0
ipInAddrErrors:        0
ipForwDatagrams:       0
ipInUnknownProtos:     0
ipInDiscards:          0
IpInDelivers:          0
ipTtlExceeds:          0
ipLANDattacks:         0
--------------------------------------------------------
Link statistics for port 1:
linkStateChange:       3
--------------------------------------------------------
RMON statistics for port 1:
etherStatsDropEvents:              0
etherStatsOctets:                  123840
etherStatsPkts:                    1406
etherStatsBroadcastPkts:           698
etherStatsMulticastPkts:           669
etherStatsCRCAlignErrors:          0
etherStatsUndersizePkts:           0
etherStatsOversizePkts:            0
etherStatsFragments:               0
etherStatsJabbers:                 0
etherStatsCollisions:              0
etherStatsPkts64Octets:            906
etherStatsPkts65to127Octets:       548
etherStatsPkts128to255Octets:      35
etherStatsPkts256to511Octets:      25
etherStatsPkts512to1023Octets:     16
etherStatsPkts1024to1518Octets:    8
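The port dump above and the utilization estimate described under etherStatsOctets can be combined into one monitoring check; the following is an added example, not code from the Nortel manual. It parses two constructed dump snapshots, computes percent utilization with the formula the RMON MIB (RFC 2819) gives for etherStatsOctets, generalized here to any link speed, and reports growth in ipLANDattacks and other watched counters. The snapshot text, the function names, the WATCH thresholds and the 32-bit counter width are assumptions.

```python
import re

# Constructed snapshots modelled on the /stats/port <port number>/dump layout.
# The values, the line breaks and the 60-second gap between them are made up.
SNAPSHOT_T0 = """\
Ethernet statistics for port 1:
dot3StatsFCSErrors:              0
dot3StatsSQETestErrors:          NA
dot3CollFrequencies [1-15]:      NA
--------------------------------------------------------
Interface statistics for port 1:
                ifHCIn Counters   ifHCOut Counters
Octets:                  124166              19560
Discards:                   130                  0
--------------------------------------------------------
IP statistics for port 1:
ipInReceives:      1200    ipInAddrErrors:     3
ipTtlExceeds:         0    ipLANDattacks:      0
--------------------------------------------------------
Link statistics for port 1:
linkStateChange:      3
--------------------------------------------------------
RMON statistics for port 1:
etherStatsOctets:     4294000000
etherStatsPkts:       1406
"""
SNAPSHOT_T1 = """\
IP statistics for port 1:
ipInReceives:      1900    ipInAddrErrors:     3
ipTtlExceeds:         0    ipLANDattacks:     42
--------------------------------------------------------
Link statistics for port 1:
linkStateChange:      5
--------------------------------------------------------
RMON statistics for port 1:
etherStatsOctets:     5032704
etherStatsPkts:       51406
"""

SECTION_RE = re.compile(r"(\w+) statistics for port (\d+):")
COUNTER_RE = re.compile(
    r"([A-Za-z]\w*)(?:[ \t]*\[[^\]]*\])?:[ \t]*(NA|\d+)\b(?:[ \t]+(\d+)\b)?")
COUNTER32 = 2 ** 32  # assumption: RMON etherStats counters are shown as 32-bit values


def parse_dump(text):
    """Return {port: {counter: int, or None for NA}} from dump text."""
    ports = {}
    headers = list(SECTION_RE.finditer(text))
    for i, hdr in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        counters = ports.setdefault(int(hdr.group(2)), {})
        two_column = hdr.group(1) == "Interface"  # ifHCIn / ifHCOut value pairs
        for name, first, second in COUNTER_RE.findall(text[hdr.end():end]):
            value = None if first == "NA" else int(first)
            if two_column and second:
                counters["ifHCIn" + name] = value
                counters["ifHCOut" + name] = int(second)
            else:
                counters[name] = value
    return ports


def delta(prev, now, wrap=None):
    """Growth of one counter between two samples."""
    if now >= prev:
        return now - prev
    # The value went down. With `wrap` set, treat it as a counter rollover;
    # otherwise assume the statistics were cleared and count from zero.
    return now + wrap - prev if wrap else now


def utilization_percent(before, after, port, seconds, link_bps=10_000_000):
    """Percent utilization from etherStatsPkts/etherStatsOctets deltas."""
    b, a = before[port], after[port]
    pkts = delta(b["etherStatsPkts"], a["etherStatsPkts"], COUNTER32)
    octets = delta(b["etherStatsOctets"], a["etherStatsOctets"], COUNTER32)
    # Per packet: 64 bits of preamble plus a 96 bit-time inter-frame gap.
    # At 10 Mbit/s this is (Pkts * (9.6 + 6.4) + Octets * 0.8) / (Interval * 10000).
    return 100.0 * (pkts * (96 + 64) + octets * 8) / (seconds * link_bps)


# Counters to watch and the growth that raises an alert (thresholds are assumptions).
WATCH = {"ipLANDattacks": 1, "ipInAddrErrors": 1, "linkStateChange": 2}


def alerts(before, after, watch=WATCH):
    """Sorted (port, counter, growth) for watched counters at or over threshold."""
    found = []
    for port, now in after.items():
        then = before.get(port, {})
        for name, limit in watch.items():
            if now.get(name) is None or then.get(name) is None:
                continue  # NA, or missing from one of the snapshots
            growth = delta(then[name], now[name])
            if growth >= limit:
                found.append((port, name, growth))
    return sorted(found)
```

At 10 Mbit/s a 32-bit octet counter rolls over in under an hour at line rate, which is why the utilization path treats a decrease as a wrap while the alert path treats it as a `clear`.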

/stats/pmirr Port mirroring statistics menu


This menu displays port mirroring statistics for all ports.

[Port Mirroring Statistics Menu]
dump - Show port mirroring stats
clear - Clear all port mirroring stats


PMIRR Statistics Menu Options (/stats/pmirr)
Command Syntax and Usage

dump
Displays all mirrored port statistics.

clear
Clears the port statistics.

/stats/l2 Layer 2 Statistics Menu


[Layer 2 Statistics Menu]
fdb - Show FDB stats
lacp - Show LACP stats
stg - Show STG stats
dump - Dump layer 2 stats

Layer 2 Statistics Menu Options (/stats/l2)
Command Syntax and Usage

fdb
Displays Forwarding Database statistics. To view statistics and their description, see "/stats/l2/fdb FDB Statistics" (page 134).

lacp <port number (1 to max num ports)>
Displays Link Aggregation Control Protocol statistics. To view statistics and their description, see "/stats/l2/lacp LACP Statistics" (page 135).

stg
Displays Spanning Tree Group statistics. To view statistics and their description, see "/stats/l2/stg Spanning Tree Group Statistics" (page 136).

dump
Dump the Layer 2 statistics.

/stats/l2/fdb FDB Statistics


FDB statistics:
creates:         9611    deletes:          9553
current:           58    hiwat:              65
lookups:       850254    lookup fails:   151373
finds:           5832    find fails:          0
find_or_cs:     11874    overflows:           0
max:            16384


This menu option enables you to display statistics regarding the use of the forwarding database, including the number of new entries, finds, and unsuccessful searches. FDB statistics are described in the following table:

Forwarding Database Statistics (/stats/l2/fdb)
Statistic: Description

creates: Number of entries created in the Forwarding Database.

current: Current number of entries in the Forwarding Database.

lookups: Number of entry lookups in the Forwarding Database.

finds: Number of successful searches in the Forwarding Database.

find_or_cs: Number of entries found or created in the Forwarding Database.

deletes: Number of entries deleted from the Forwarding Database.

hiwat: Highest number of entries recorded at any given time in the Forwarding Database.

lookup fails: Number of unsuccessful searches made in the Forwarding Database.

find fails: Number of search failures in the Forwarding Database.

overflows: Number of entries overflowing the Forwarding Database.

max: Number of maximum Forwarding Database entries supported by the switch.

/stats/l2/lacp LACP Statistics

>> Layer 2 Statistics# lacp 1
port 1
Valid LACPDUs received           - 9394
Valid Marker PDUs received       - 0
Valid Marker Rsp PDUs received   - 0
Unknown version/TLV type         - 0
Illegal subtype received         - 0
LACPDUs transmitted              - 8516
Marker PDUs transmitted          - 0
Marker Rsp PDUs transmitted      - 0

LACP Statistics Parameters (/stats/l2/lacp)
Field: Description

Valid LACPDUs received: The number of LACPDUs that the switch received on this port.

Valid Marker PDUs received: The number of valid Marker PDUs that the switch received on this port.

Valid Marker Rsp PDUs received: The number of valid Marker Responses that the switch received on this port.

Unknown version/TLV type: The number of unknown version or TLV type that the switch received on this port.

Illegal subtype received: The number of illegal LACP subtype received on this port.

LACPDUs transmitted: The number of LACPDUs transmitted out of this port.

Marker PDUs transmitted: The number of Marker PDUs transmitted out of this port.

Marker Rsp PDUs transmitted: The number of Marker Responses transmitted out of this port.

/stats/l2/stg Spanning Tree Group Statistics


Spanning Tree Group 1:
Port     Rcv Cfg    Rcv TCN    Xmt Cfg    Xmt TCN
-----  ---------- ---------- ---------- ----------
1              0          0          0          0
2              0          0          0          0
3              0          0          0          0
4              0          0          0          0
5              0          0          0          0
6              0          0          0          0
7              0          0          0          0
8              0          0          0          0
9         139046        176         27         15
10             0          0          0          0
11             0          0          0          0
12             0          0          0          0
13             0          0          0          0
14             0          0          0          0
15             0          0          0          0
16             0          0          0          0
17             0          0          0          0
18             0          0          0          0
19             0          0          0          0
20             0          0          0          0
21             0          0          0          0
22             0          0          0          0
23             0          0          0          0
24             0          0          0          0
25             0          0          0          0
26             0          0          0          0
27             0          0          0          0
28             0          0          0          0

Spanning Tree Group Statistics Parameters (/stats/l2/stg)
Field: Description

Port: Displays the port number.

Rcv Cfg: Displays the number of configuration BPDUs received.

Rcv TCN: Displays the number of TCN (Topology Change Notification) messages received.

Xmt Cfg: Displays the number of configuration BPDUs transmitted.

Xmt TCN: Displays the number of TCN (Topology Change Notification) messages transmitted.

/stats/l3 Layer 3 Statistics Menu


[Layer 3 Statistics Menu]
ospf - OSPF Statistics Menu
ip - Show IP stats
ip6 - Show IP6 stats
route - Show route stats
arp - Show ARP stats
vrrp - Show VRRP stats
vrrp6 - Show VRRP6 stats
dns - Show DNS stats
icmp - Show ICMP stats
if - Show IP interface ("if") stats
tcp - Show TCP stats
udp - Show UDP stats
ifclear - Clear IP interface ("if") stats
ipclear - Clear IP stats
dump - Dump layer 3 stats


Layer 3 Statistics Menu (/stats/l3)
Command Syntax and Usage

ospf
Displays the OSPF Statistics Menu. See "/stats/l3/ospf OSPF Statistics Menu" (page 139) for sample output.

ip
Displays IP statistics. See "/stats/l3/ip IP Statistics" (page 143) for sample output.

ip6
Displays IP6 statistics. See "/stats/l3/ip6 IP6 Statistics Menu" (page 146) for sample output.

route
Displays route statistics. See "/stats/l3/route Route Statistics" (page 150) for sample output.

arp
Displays Address Resolution Protocol (ARP) statistics. See "/stats/l3/arp ARP statistics" (page 152) for sample output.

vrrp
When virtual routers are configured, you can display the following protocol statistics for VRRP:
- Advertisements received (vrrpInAdvers)
- Advertisements transmitted (vrrpOutAdvers)
- Advertisements received, but ignored (vrrpBadAdvers)
See "/stats/l3/vrrp VRRP Statistics" (page 153) for sample output.

vrrp6
Displays statistical information about IPv6 VRRP support. See ???? for sample output.

dns
Displays Domain Name Server/System (DNS) statistics. See "/stats/l3/dns DNS Statistics" (page 155) for sample output.

icmp
Displays ICMP statistics. See "/stats/l3/icmp ICMP Statistics" (page 155) for sample output.

if <interface number (1-256)>
Displays IP interface statistics for the management processors. See "/stats/l3/if interface number Interface Statistics" (page 157) for sample output.

tcp
Displays TCP statistics. See "/stats/l3/tcp TCP Statistics" (page 159) for sample output.

udp
Displays UDP statistics. See "/stats/l3/udp UDP Statistics" (page 161) for sample output.

ifclear
Clears IP interface statistics. Use this command with caution as it will delete all the IP interface statistics.

ipclear
Clears IP statistics. Use this command with caution as it will delete all the IP statistics.

dump
Dumps all Layer 3 switch statistics. Use this command to gather data for tuning and debugging Layer 3 switch performance. If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump command.

/stats/l3/ospf OSPF Statistics Menu


[OSPF stats Menu]
general - Show global stats
aindex - Show area(s) stats
if - Show interface(s) stats

OSPF Statistics Menu (/stats/l3/ospf)
Command Syntax and Usage

general
Displays global statistics. See "/stats/l3/ospf/general OSPF Global Statistics" (page 140) for sample output and details.

aindex <area index (0-2)>
Displays area index statistics.

if <interface number (1-256)>
Displays interface statistics.


/stats/l3/ospf/general OSPF Global Statistics


The OSPF General Statistics contain the sum total of all OSPF packets received on all OSPF areas and interfaces.
OSPF stats
----------
Rx/Tx Stats:             Rx          Tx
                      --------    --------
  Pkts                       0           0
  hello                     23         518
  database                   4          12
  ls requests                3           1
  ls acks                    7           7
  ls updates                 9           7

Nbr change stats:                 Intf change Stats:
  hello                      2      hello                 4
  start                      0      down                  2
  n2way                      2      loop                  0
  adjoint ok                 2      unloop                0
  negotiation done           2      wait timer            2
  exchange done              2      backup                0
  bad requests               0      nbr change            5
  bad sequence               0
  loading done               2
  n1way                      0
  rst_ad                     0
  down                       1

Timers kickoff
  hello                    514
  retransmit              1028
  lsa lock                   0
  lsa ack                    0
  dbage                      0
  summary                    0
  ase export                 0

OSPF General Statistics (/stats/l3/ospf/general)
Statistics: Description

Rx/Tx Stats:

Rx Pkts: The sum total of all OSPF packets received on all OSPF areas and interfaces.

Tx Pkts: The sum total of all OSPF packets transmitted on all OSPF areas and interfaces.


Rx Hello: The sum total of all Hello packets received on all OSPF areas and interfaces.

Tx Hello: The sum total of all Hello packets transmitted on all OSPF areas and interfaces.

Rx Database: The sum total of all Database Description packets received on all OSPF areas and interfaces.

Tx Database: The sum total of all Database Description packets transmitted on all OSPF areas and interfaces.

Rx ls Requests: The sum total of all Link State Request packets received on all OSPF areas and interfaces.

Tx ls Requests: The sum total of all Link State Request packets transmitted on all OSPF areas and interfaces.

Rx ls Acks: The sum total of all Link State Acknowledgement packets received on all OSPF areas and interfaces.

Tx ls Acks: The sum total of all Link State Acknowledgement packets transmitted on all OSPF areas and interfaces.

Rx ls Updates: The sum total of all Link State Update packets received on all OSPF areas and interfaces.

Tx ls Updates: The sum total of all Link State Update packets transmitted on all OSPF areas and interfaces.

Nbr Change Stats:

hello: The sum total of all Hello packets received from neighbors on all OSPF areas and interfaces.

start: The sum total number of neighbors in this state (that is, an indication that Hello packets should now be sent to the neighbor at intervals of HelloInterval seconds) across all OSPF areas and interfaces.

n2way: The sum total number of bidirectional communication establishment between this router and other neighboring routers.

adjoint ok: The sum total number of decisions to be made (again) as to whether an adjacency should be established/maintained with the neighbor across all OSPF areas and interfaces.

negotiation done: The sum total number of neighbors in this state wherein the Master/slave relationship has been negotiated, and sequence numbers have been exchanged, across all OSPF areas and interfaces.


exchange done: The sum total number of neighbors in this state (that is, in an adjacency's final state) having transmitted a full sequence of Database Description packets, across all OSPF areas and interfaces.

bad requests: The sum total number of Link State Requests which have been received for a link state advertisement not contained in the database across all interfaces and OSPF areas.

bad sequence: The sum total number of Database Description packets which have been received that either:
1. Has an unexpected DD sequence number
2. Unexpectedly has the init bit set
3. Has an options field differing from the last Options field received in a Database Description packet.
Any of these conditions indicate that some error has occurred during adjacency establishment for all OSPF areas and interfaces.

loading done: The sum total number of link state updates received for all out-of-date portions of the database across all OSPF areas and interfaces.

n1way: The sum total number of Hello packets received from neighbors, in which this router is not mentioned across all OSPF interfaces and areas.

rst_ad: The sum total number of times the Neighbor adjacency has been reset across all OSPF areas and interfaces.

down: The total number of Neighboring routers down (that is, in the initial state of a neighbor conversation) across all OSPF areas and interfaces.

Intf Change Stats:

hello: The sum total number of Hello packets sent on all interfaces and areas.

down: The sum total number of interfaces down in all OSPF areas.

loop: The sum total of interfaces no longer connected to the attached network across all OSPF areas and interfaces.

unloop: The sum total number of interfaces, connected to the attached network in all OSPF areas.


wait timer: The sum total number of times the Wait Timer has been fired, indicating the end of the waiting period that is required before electing a (Backup) Designated Router across all OSPF areas and interfaces.

backup: The sum total number of Backup Designated Routers on the attached network for all OSPF areas and interfaces.

nbr change: The sum total number of changes in the set of bidirectional neighbors associated with any interface across all OSPF areas.

Timers Kickoff:

hello: The sum total number of times the Hello timer has been fired (which triggers the send of a Hello packet) across all OSPF areas and interfaces.

retransmit: The sum total number of times the Retransmit timer has been fired across all OSPF areas and interfaces.

lsa lock: The sum total number of times the Link State Advertisement (LSA) lock timer has been fired across all OSPF areas and interfaces.

lsa ack: The sum total number of times the LSA Ack timer has been fired across all OSPF areas and interfaces.

dbage: The total number of times the data base age (Dbage) has been fired.

summary: The total number of times the Summary timer has been fired.

ase export: The total number of times the Autonomous System Export (ASE) timer has been fired.

/stats/l3/ip IP Statistics

IP statistics:
ipInReceives:         3115873    ipInHdrErrors:            1
ipInAddrErrors:         35447    ipForwDatagrams:          0
ipInUnknownProtos:     500504    ipInDiscards:             0
ipInDelivers:         2334166    ipOutRequests:      1010542
ipOutDiscards:              4    ipOutNoRoutes:            4
ipReasmReqds:               0    ipReasmOKs:               0
ipReasmFails:               0    ipFragOKs:                0
ipFragFails:                0    ipFragCreates:            0
ipRoutingDiscards:          0    ipDefaultTTL:           255
ipReasmTimeout:             5


IP Statistics (/stats/l3/ip)
Statistics: Description

ipInReceives: The total number of input datagrams received from interfaces, including those received in error.

ipInHdrErrors: The number of input datagrams discarded due to errors in their IP headers, including bad checksums, version number mismatch, other format errors, time-to-live exceeded, errors discovered in processing their IP options, and so forth.

ipInAddrErrors: The number of input datagrams discarded because the IP address in their IP header's destination field was not a valid address to be received at this entity (the switch). This count includes invalid addresses (for example, 0.0.0.0) and addresses of unsupported Classes (for example, Class E). For entities which are not IP Gateways and therefore do not forward datagrams, this counter includes datagrams discarded because the destination address was not a local address.

ipForwDatagrams: The number of input datagrams for which this entity (the switch) was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. In entities which do not act as IP Gateways, this counter will include only those packets which were Source-Routed via this entity (the switch), and the Source-Route option processing was successful.

ipInUnknownProtos: The number of locally addressed datagrams received successfully but discarded because of an unknown or unsupported protocol.

ipInDiscards: The number of input IP datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (for example, for lack of buffer space). Note that this counter does not include any datagrams discarded while awaiting re-assembly.

ipInDelivers: The total number of input datagrams successfully delivered to IP user-protocols (including ICMP).

ipOutRequests: The total number of IP datagrams which local IP user-protocols (including ICMP) supplied to IP in requests for transmission. Note that this counter does not include any datagrams counted in ipForwDatagrams.


ipOutDiscards
    The number of output IP datagrams for which no problem was encountered to prevent their transmission to their destination, but which were discarded (for example, for lack of buffer space). Note that this counter would include datagrams counted in ipForwDatagrams if any such packets met this (discretionary) discard criterion.
ipOutNoRoutes
    The number of IP datagrams discarded because no route could be found to transmit them to their destination. Note that this counter includes any packets counted in ipForwDatagrams which meet this no-route criterion. Note that this includes any datagrams which a host cannot route because all of its default gateways are down.
ipReasmReqds
    The number of IP fragments received which needed to be reassembled at this entity (the switch).
ipReasmOKs
    The number of IP datagrams successfully reassembled.
ipReasmFails
    The number of failures detected by the IP reassembly algorithm (for whatever reason: timed out, errors, and so forth). Note that this is not necessarily a count of discarded IP fragments since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received.
ipFragOKs
    The number of IP datagrams that have been successfully fragmented at this entity (the switch).
ipFragFails
    The number of IP datagrams that have been discarded because they needed to be fragmented at this entity (the switch) but could not be, for example, because their Don't Fragment flag was set.
ipFragCreates
    The number of IP datagram fragments that have been generated as a result of fragmentation at this entity (the switch).
ipRoutingDiscards
    The number of routing entries which were chosen to be discarded even though they are valid. One possible reason for discarding such an entry could be to free up buffer space for other routing entries.


ipDefaultTTL
    The default value inserted into the Time-To-Live (TTL) field of the IP header of datagrams originated at this entity (the switch), whenever a TTL value is not supplied by the transport layer protocol.
ipReasmTimeout
    The maximum number of seconds that received fragments are held while they are awaiting reassembly at this entity (the switch).

/stats/l3/ip6 IP6 Statistics Menu


>> Layer 3 Statistics# /stat/l3/ip6
--------------------------------------------------------
IP6 statistics:
InReceives:          20519    InDiscards:              2
InDelivers:          24793    ForwDatagrams:           0
UnknownProtos:           0    InAddrErrors:            0
OutRequests:         34548    OutNoRoutes:             0
ReasmOKs:                0    ReasmFails:              0
IcmpInMsgs:          24793    IcmpInErrors:         4268
IcmpOutMsgs:         12829    IcmpOutErrors:        4271
InEchos:                 0    OutEchos:             8538
InEchoReplies:        8536    OutEchoReplies:          0
InDestUnreachs:       4268    OutDestUnreachs:      4271
InPktTooBigs:            0    OutPktTooBigs:           0
InTimeExcds:             0    OutTimeExcds:            0
--------------------------------------------------------
ICMP6 statistics:
Interface: 1
InMsgs: 18929                 InErrors: 0
InEchos: 0                    InEchoReplies: 4268
InNeighborSolicits: 4513      InNeighborAdvertisements:4271
InRouterSolicits: 0           InRouterAdvertisements: 5877
InDestUnreachs: 0             InTimeExcds: 0
InPktTooBigs: 0               InParmProblems: 0
InRedirects: 0
OutMsgs: 4280                 OutErrors: 0
OutEchos: 4269                OutEchoReplies: 0
OutNeighborSolicits: 3        OutNeighborAdvertisements:4516
OutRouterSolicits: 0          OutRouterAdvertisements: 1
OutRedirects: 0
--------------------------------------------------------
Interface: 7
InMsgs: 5864                  InErrors: 4268
InEchos: 0                    InEchoReplies: 4268
InNeighborSolicits: 122       InNeighborAdvertisements: 3
InRouterSolicits: 0           InRouterAdvertisements: 1471
InDestUnreachs: 4268          InTimeExcds: 0
InPktTooBigs: 0               InParmProblems: 0
InRedirects: 0
OutMsgs: 8549                 OutErrors: 4271
OutEchos: 4269                OutEchoReplies: 0
OutNeighborSolicits: 2        OutNeighborAdvertisements:124
OutRouterSolicits: 0          OutRouterAdvertisements: 1
OutRedirects: 0
--------------------------------------------------------
IP6 gateway health check statistics:
gateway 5    echo-req 4269    echo-resp 4268    fails 0
gateway 7    echo-req 4269    echo-resp 0       fails 4268

IPv6 Statistics (/stats/l3/ip6)

Statistics    Description

IP6 Statistics Section

InReceives
    The total number of input datagrams received by the interface, including those received in error.
InDelivers
    The total number of datagrams successfully delivered to IPv6 user-protocols (including ICMP). This counter is incremented at the interface to which these datagrams were addressed which might not be necessarily the input interface for some of the datagrams.
UnknownProtos
    The number of locally-addressed datagrams received successfully but discarded because of an unknown or unsupported protocol. This counter is incremented at the interface to which these datagrams were addressed which might not be necessarily the input interface for some of the datagrams.
OutRequests
    The total number of IPv6 datagrams which local IPv6 user-protocols (including ICMP) supplied to IPv6 in requests for transmission. Note that this counter does not include any datagrams counted in ipv6IfStatsOutForwDatagrams.


ReasmOKs
    The number of IPv6 datagrams successfully reassembled. Note that this counter is incremented at the interface to which these datagrams were addressed which might not be necessarily the input interface for some of the fragments.
InDiscards
    The number of input IPv6 datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (e.g., for lack of buffer space). Note that this counter does not include any datagrams discarded while awaiting re-assembly.
ForwDatagrams
    The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful. Note that for a successfully forwarded datagram the counter of the outgoing interface is incremented.
InAddrErrors
    The number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity. This count includes invalid addresses (e.g., ::0) and unsupported addresses (e.g., addresses with unallocated prefixes). For entities which are not IPv6 routers and therefore do not forward datagrams, this counter includes datagrams discarded because the destination address was not a local address.
OutNoRoutes
    The number of locally generated IP datagrams discarded because no route could be found to transmit them to their destination.
ReasmFails
    The number of failures detected by the IPv6 re-assembly algorithm (for whatever reason: timed out, errors, etc.). Note that this is not necessarily a count of discarded IPv6 fragments since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received. This counter is incremented at the interface to which these fragments were addressed which might not be necessarily the input interface for some of the fragments.


IcmpInMsgs
    The total number of ICMP messages received by the interface which includes all those counted by ipv6IfIcmpInErrors. Note that this interface is the interface to which the ICMP messages were addressed which may not be necessarily the input interface for the messages.
IcmpOutMsgs
    The total number of ICMP messages which this interface attempted to send. Note that this counter includes all those counted by icmpOutErrors.
IcmpInErrors
    The number of ICMP messages which the interface received but determined as having ICMP-specific errors (bad ICMP checksums, bad length, etc.).
IcmpOutErrors
    The number of ICMP messages which this interface did not send due to problems discovered within ICMP such as a lack of buffers. This value should not include errors discovered outside the ICMP layer such as the inability of IPv6 to route the resultant datagram. In some implementations there may be no types of error which contribute to this counter's value.
IcmpInEchos
    The number of ICMP Echo (request) messages received by the interface.

ICMP6 Statistics Section

InMsgs
    The total number of ICMP messages received by the interface which includes all those counted by ipv6IfIcmpInErrors. Note that this interface is the interface to which the ICMP messages were addressed which may not be necessarily the input interface for the messages.
InNeighborSolicits
    The number of ICMP Neighbor Solicit messages received by the interface.
InRouterSolicits
    The number of ICMP Router Solicit messages received by the interface.
InDestUnreachs
    The number of ICMP Destination Unreachable messages received by the interface.
InPktTooBigs
    The number of ICMP Packet Too Big messages received by the interface.
InRedirects
    The number of Redirect messages received by the interface.
InErrors
    The number of ICMP messages which the interface received but determined as having ICMP-specific errors (bad ICMP checksums, bad length, etc.).
InEchoReplies
    The number of ICMP Echo Reply messages received by the interface.


InNeighborAdvertisements
    The number of ICMP Neighbor Advertisement messages received by the interface.
InRouterAdvertisements
    The number of ICMP Router Advertisement messages received by the interface.
InTimeExcds
    The number of ICMP Time Exceeded messages received by the interface.
InParmProblems
    The number of ICMP Parameter Problem messages received by the interface.
OutMsgs
    The total number of ICMP messages which this interface attempted to send.
OutEchos
    The number of ICMP Echo Request messages sent by the interface.
OutNeighborSolicits
    The number of ICMP Neighbor Solicitation messages sent by the interface.
OutRouterSolicits
    The number of ICMP Router Solicitation messages sent by the interface.
OutRedirects
    The number of Redirect messages sent. For a host, this object will always be zero, since hosts do not send redirects.
OutErrors
    The number of ICMP messages which this interface did not send due to problems discovered within ICMP such as a lack of buffers. This value should not include errors discovered outside the ICMP layer such as the inability of IPv6 to route the resultant datagram. In some implementations there may be no types of error which contribute to this counter's value.
OutEchoReplies
    The number of ICMP Echo Reply messages sent by the interface.
OutNeighborAdvertisements
    The number of ICMP Neighbor Advertisement messages sent by the interface.
OutRouterAdvertisements
    The number of ICMP Router Advertisement messages sent by the interface.

/stats/l3/route Route Statistics
Route statistics:
ipRoutesCur:               3    ipRoutesHighWater:        3
ipRoutesMax:            4096
--------------------------------------------------------
SP Route statistics:
SP   ipRoutesCur    ipRoutesHighWater    ipRoutesMax
---  -------------  -------------------  -------------
1    3              3                    4096
2    3              3                    4096
3    3              3                    4096
4    3              3                    4096
--------------------------------------------------------
RIP statistics:
ripInPkts:                 0    ripOutPkts:               0
ripDiscardPkts:            0
ripRoutesAgedOut:
BGP statistics:
bgpInPkts:                 0    bgpOutPkts:               0
bgpBadPkts:                0    bgpSessFailures:          0
bgpRoutesAdded:            0    bgpRoutesRemoved:         0
bgpRoutesCur:              0    bgpRoutesFailed:          0
bgpRoutesIgnored:          0    bgpRoutesFiltered:        0

Route Statistics (/stats/l3/route)

Statistics    Description

Route Statistics & SP Route Statistics:

ipRoutesCur
    The total number of outstanding routes in the route table.
ipRoutesHighWater
    The highest number of routes ever recorded in the route table.
ipRoutesMax
    The maximum number of supported routes.

RIP statistics:

ripInPkts
    The total number of good RIP advertisement packets received.
ripOutPkts
    The total number of RIP advertisement packets sent.
ripDiscardPkts
    The total number of RIP advertisement packets received that were dropped.


ripRoutesAgedOut
    The total number of routes learned via RIP that have aged out.

BGP statistics:

bgpInPkts
    The total number of BGP packets received.
bgpOutPkts
    The total number of BGP packets sent.
bgpBadPkts
    The total number of BGP packets dropped.
bgpSessFailures
    The total number of failed sessions.
bgpRoutesAdded
    The total number of routes that were added to the routing table.
bgpRoutesRemoved
    The total number of routes that were removed from the routing table.
bgpRoutesCur
    The total number of current BGP routes.
bgpRoutesFailed
    The total number of BGP routes that failed to add in the routing table.
bgpRoutesIgnored
    The total number of routes ignored because the peer was not connected locally or multihop was not configured.
bgpRoutesFiltered
    The total number of routes dropped by the filter.

/stats/l3/arp ARP statistics


This menu option enables you to display Address Resolution Protocol statistics.

MP ARP statistics:
arpEntriesCur:             2    arpEntriesHighWater:      2
arpEntriesMax:          8192
--------------------------------------------------------
SP ARP statistics:
SP   arpEntriesCur    arpEntriesHighWater    arpEntriesMax
---  ---------------  ---------------------  ---------------
1    1                1                      8192
2    1                1                      8192
3    1                1                      8192
4    1                1                      8192


ARP Statistics (/stats/l3/arp)

Statistics    Description

arpEntriesCur
    The total number of outstanding ARP entries in the ARP table.
arpEntriesHighWater
    The highest number of ARP entries ever recorded in the ARP table.
arpEntriesMax
    The maximum number of ARP entries that are supported.

/stats/l3/vrrp VRRP Statistics


Virtual Router Redundancy Protocol (VRRP) support on the Nortel Application Switch provides redundancy between routers in a LAN. This is accomplished by configuring the same virtual router IP address and ID number on each participating VRRP-capable routing device. One of the virtual routers is then elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address.

When virtual routers are configured, you can display the following protocol statistics for VRRP:

- Advertisements received (vrrpInAdvers)
- Advertisements transmitted (vrrpOutAdvers)
- Advertisements received, but ignored (vrrpBadAdvers)

The statistics for the VRRP are displayed:


VRRP statistics:
vrrpInAdvers:              0    vrrpBadAdvers:            0
vrrpOutAdvers:             0
vrrpBadVersion:            0    vrrpBadVrid:              0
vrrpBadAddress:            0    vrrpBadData:              0
vrrpBadPassword:           0    vrrpBadInterval:          0

VRRP Statistics (/stats/l3/vrrp)

Statistics    Description

vrrpInAdvers
    The total number of VRRP advertisements that have been received.
vrrpBadAdvers
    The total number of VRRP advertisements received that were dropped.
vrrpOutAdvers
    The total number of VRRP advertisements that have been sent.


vrrpBadVersion
    The total number of VRRP advertisements discarded because of an incorrect version value.
vrrpBadVrid
    The total number of VRRP advertisements discarded because of an incorrect VRID value.
vrrpBadAddress
    The total number of VRRP advertisements discarded because of an incorrect address value.
vrrpBadData
    The total number of VRRP advertisements discarded because of incorrect miscellaneous data.
vrrpBadPassword
    The total number of VRRP advertisements discarded because of an incorrect password.
vrrpBadInterval
    The total number of VRRP advertisements discarded because of an incorrect advertisement interval.

/stats/l3/vrrp6 IPv6 VRRP statistics


The Nortel Application Switch Operating System supports VRRP for IPv6. The statistics provided by this command are similar in nature to those presented by the /stats/l3/vrrp command but tailored to the IPv6 environment. The following is a sample output for this command.

VRRP6 statistics:
vrrp6InAdvers:             7
vrrp6BadAdvers:            0
vrrp6OutAdvers:        86801
vrrp6BadVersion:           0
vrrp6BadVrid:              0
vrrp6BadAddress:           0
vrrp6BadData:              0
vrrp6BadInterval:          0

IPv6 VRRP Statistics (/stats/l3/vrrp6)

Statistics    Description

vrrp6InAdvers
    The total number of VRRP advertisements that have been received.
vrrp6BadAdvers
    The total number of VRRP advertisements received that were dropped.
vrrp6OutAdvers
    The total number of VRRP advertisements that have been sent.
vrrp6BadVersion
    The total number of VRRP advertisements discarded because of an incorrect version value.
vrrp6BadVrid
    The total number of VRRP advertisements discarded because of an incorrect VRID value.


vrrp6BadAddress
    The total number of VRRP advertisements discarded because of an incorrect address value.
vrrp6BadData
    The total number of VRRP advertisements discarded because of incorrect miscellaneous data.
vrrp6BadPassword
    The total number of VRRP advertisements discarded because of an incorrect password.
vrrp6BadInterval
    The total number of VRRP advertisements discarded because of an incorrect advertisement interval.
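
The VRRP and VRRP6 discard counters described above are cumulative, so they are most useful as the difference between two captures of the command output. The following added example (not part of the Nortel reference and not Nortel code) parses two captures and reports which discard reasons grew. The capture text is constructed, and the function names and the rule that a decreasing counter means the statistics were reset are assumptions of this example.

```python
import re

# Discard-reason counters from the VRRP and VRRP6 tables, keyed without the
# "vrrp"/"vrrp6" prefix, with the reason each table gives.
DISCARD_REASONS = {
    "BadVersion": "incorrect version value",
    "BadVrid": "incorrect VRID value",
    "BadAddress": "incorrect address value",
    "BadData": "incorrect miscellaneous data",
    "BadPassword": "incorrect password",
    "BadInterval": "incorrect advertisement interval",
}

# Matches "vrrpBadVrid: 5" and "vrrp6BadVrid: 5" in one- or two-column output.
_COUNTER = re.compile(r"\b(vrrp6?)([A-Za-z]+):\s*(\d+)")


def parse_snapshot(text):
    """Return {family: {counter: value}} where family is 'vrrp' or 'vrrp6'."""
    snap = {}
    for family, name, value in _COUNTER.findall(text):
        snap.setdefault(family, {})[name] = int(value)
    return snap


def counter_deltas(old, new):
    """Return (deltas, reset) for the counters of one family.

    Assumption of this example: a counter that went down means the statistics
    were cleared or the switch restarted, so the new values are the increase.
    """
    reset = any(value < old.get(name, 0) for name, value in new.items())
    base = {} if reset else old
    return {name: value - base.get(name, 0) for name, value in new.items()}, reset


def assess(old_text, new_text):
    """Compare two captures and summarise discarded advertisements per family."""
    old, new = parse_snapshot(old_text), parse_snapshot(new_text)
    report = {}
    for family, counters in new.items():
        deltas, reset = counter_deltas(old.get(family, {}), counters)
        reasons = {n: d for n, d in deltas.items() if n in DISCARD_REASONS and d > 0}
        report[family] = {
            "reset": reset,
            "received": deltas.get("InAdvers", 0),
            "dropped": deltas.get("BadAdvers", 0),
            "reasons": reasons,
        }
    return report


# Constructed captures in the two-column layout of the /stats/l3/vrrp output.
SNAP_T0 = """\
VRRP statistics:
vrrpInAdvers:           1200    vrrpBadAdvers:            0
vrrpOutAdvers:             0
vrrpBadVersion:            0    vrrpBadVrid:              0
vrrpBadAddress:            0    vrrpBadData:              0
vrrpBadPassword:           0    vrrpBadInterval:          0
"""
SNAP_T1 = """\
VRRP statistics:
vrrpInAdvers:           1260    vrrpBadAdvers:           45
vrrpOutAdvers:             0
vrrpBadVersion:            0    vrrpBadVrid:              5
vrrpBadAddress:            0    vrrpBadData:              0
vrrpBadPassword:          40    vrrpBadInterval:          0
"""
# Constructed capture taken after the statistics were cleared.
SNAP_T2 = """\
VRRP statistics:
vrrpInAdvers:             10    vrrpBadAdvers:            2
vrrpOutAdvers:             0
vrrpBadVersion:            0    vrrpBadVrid:              0
vrrpBadAddress:            0    vrrpBadData:              0
vrrpBadPassword:           0    vrrpBadInterval:          2
"""

if __name__ == "__main__":
    pairs = {"T0->T1": (SNAP_T0, SNAP_T1), "T1->T2": (SNAP_T1, SNAP_T2)}
    for label, (before, after) in pairs.items():
        for family, r in assess(before, after).items():
            note = " (counters reset)" if r["reset"] else ""
            print(f"{label} {family}: received={r['received']} dropped={r['dropped']}{note}")
            for name, count in sorted(r["reasons"].items()):
                print(f"  {family}{name} +{count}: {DISCARD_REASONS[name]}")
```

A growing BadPassword or BadVrid count means advertisements are arriving from a device whose VRRP settings do not match this switch, which is worth tracing to its source.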

/stats/l3/dns DNS Statistics


This menu option enables you to display Domain Name System statistics.

DNS statistics:
dnsInRequests:             0    dnsOutRequests:
dnsBadRequests:            0

DNS Statistics (/stats/l3/dns)

Statistics    Description

dnsInRequests
    The total number of DNS request packets that have been received.
dnsOutRequests
    The total number of DNS response packets that have been transmitted.
dnsBadRequests
    The total number of DNS request packets received that were dropped.

/stats/l3/icmp ICMP Statistics


ICMP Statistics (/stats/l3/icmp)

Statistics    Description

icmpInMsgs
    The total number of ICMP messages which the entity (the switch) received. Note that this counter includes all those counted by icmpInErrors.
icmpInErrors
    The number of ICMP messages which the entity (the switch) received but determined as having ICMP-specific errors (bad ICMP checksums, bad length, and so forth).
icmpInDestUnreachs
    The number of ICMP Destination Unreachable messages received.
icmpInTimeExcds
    The number of ICMP Time Exceeded messages received.
icmpInParmProbs
    The number of ICMP Parameter Problem messages received.
icmpInSrcQuenchs
    The number of ICMP Source Quench (buffer almost full, stop sending data) messages received.
icmpInRedirects
    The number of ICMP Redirect messages received.
icmpInEchos
    The number of ICMP Echo (request) messages received.
icmpInEchoReps
    The number of ICMP Echo Reply messages received.
icmpInTimestamps
    The number of ICMP Timestamp (request) messages received.
icmpInTimestampReps
    The number of ICMP Timestamp Reply messages received.
icmpInAddrMasks
    The number of ICMP Address Mask Request messages received.
icmpInAddrMaskReps
    The number of ICMP Address Mask Reply messages received.
icmpOutMsgs
    The total number of ICMP messages which this entity (the switch) attempted to send. Note that this counter includes all those counted by icmpOutErrors.


icmpOutErrors
    The number of ICMP messages which this entity (the switch) did not send due to problems discovered within ICMP such as a lack of buffer. This value should not include errors discovered outside the ICMP layer such as the inability of IP to route the resultant datagram. In some implementations there may be no types of errors that contribute to this counter's value.
icmpOutDestUnreachs
    The number of ICMP Destination Unreachable messages sent.
icmpOutTimeExcds
    The number of ICMP Time Exceeded messages sent.
icmpOutParmProbs
    The number of ICMP Parameter Problem messages sent.
icmpOutSrcQuenchs
    The number of ICMP Source Quench (buffer almost full, stop sending data) messages sent.
icmpOutRedirects
    The number of ICMP Redirect messages sent. For a host, this object will always be zero, since hosts do not send redirects.
icmpOutEchos
    The number of ICMP Echo (request) messages sent.
icmpOutEchoReps
    The number of ICMP Echo Reply messages sent.
icmpOutTimestamps
    The number of ICMP Timestamp (request) messages sent.
icmpOutTimestampReps
    The number of ICMP Timestamp Reply messages sent.
icmpOutAddrMasks
    The number of ICMP Address Mask Request messages sent.
icmpOutAddrMaskReps
    The number of ICMP Address Mask Reply messages sent.

/stats/l3/if <interface number> Interface Statistics


IP interface 1 statistics:
ifInOctets:         48948386    ifInUcastPkts:       220553
ifInNUCastPkts:       167895    ifInDiscards:             0
ifInErrors:                0    ifInUnknownProtos:        0
ifOutOctets:        27100789    ifOutUcastPkts:      441938
ifOutNUcastPkts:      218652    ifOutDiscards:            0
ifOutErrors:               0    ifStateChanges            1


Interface Statistics (/stats/if)

Statistics    Description

ifInOctets
    The total number of octets received on the interface, including framing characters.
ifInUcastPkts
    The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were not addressed to a multicast or broadcast address at this sub-layer.
ifInNUCastPkts
    The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a multicast or broadcast address at this sub-layer. This object is deprecated in favor of ifInMulticastPkts and ifInBroadcastPkts.
ifInDiscards
    The number of inbound packets that were chosen to be discarded even though no errors had been detected to prevent their being delivered to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.
ifInErrors
    For packet-oriented interfaces, the number of inbound packets that contained errors preventing them from being delivered to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of inbound transmission units that contained errors preventing them from being deliverable to a higher-layer protocol.
ifInUnknownProtos
    For packet-oriented interfaces, the number of packets received via the interface which were discarded because of an unknown or unsupported protocol. For character-oriented or fixed-length interfaces which support protocol multiplexing the number of transmission units received via the interface which were discarded because of an unknown or unsupported protocol. For any interface which does not support protocol multiplexing, this counter will always be 0.
ifOutOctets
    The total number of octets transmitted out of the interface, including framing characters.
ifOutUcastPkts
    The total number of packets that higher-level protocols requested to be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent.


ifOutNUcastPkts
    The total number of packets that higher-level protocols requested to be transmitted, and which were addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent. This object is deprecated in favor of ifOutMulticastPkts and ifOutBroadcastPkts.
ifOutDiscards
    The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
ifOutErrors
    For packet-oriented interfaces, the number of outbound packets that could not be transmitted because of errors. For character-oriented or fixed-length interfaces, the number of outbound transmission units that could not be transmitted because of errors.
ifStateChanges
    The number of times an interface has transitioned from either down to up or from up to down.

/stats/l3/tcp TCP Statistics


TCP statistics:
tcpRtoAlgorithm:           4    tcpRtoMin:                0
tcpRtoMax:            240000    tcpMaxConn:            1600
tcpActiveOpens:            0    tcpPassiveOpens:          0
tcpAttemptFails:           0    tcpEstabResets:           0
tcpInSegs:                 0    tcpOutSegs:               0
tcpRetransSegs:            0    tcpInErrs:                0
tcpCurBuff:                0    tcpCurConn:               6
tcpCurInConn:              0    tcpCurOutConn:            0
tcpCurLstnConn:            3    tcpOutRsts:               0
tcpAllocTCBFails:          0

TCP Statistics (/stats/l3/tcp)

Statistics    Description

tcpRtoAlgorithm
    The algorithm used to determine the timeout value used for retransmitting unacknowledged octets.


tcpRtoMin
    The minimum value permitted by a TCP implementation for the retransmission timeout, measured in milliseconds. More refined semantics for objects of this type depend upon the algorithm used to determine the retransmission timeout. In particular, when the timeout algorithm is rsre(3), an object of this type has the semantics of the LBOUND quantity described in RFC 793.
tcpRtoMax
    The maximum value permitted by a TCP implementation for the retransmission timeout, measured in milliseconds. More refined semantics for objects of this type depend upon the algorithm used to determine the retransmission timeout. In particular, when the timeout algorithm is rsre(3), an object of this type has the semantics of the UBOUND quantity described in RFC 793.
tcpMaxConn
    The limit on the total number of TCP connections the entity (the switch) can support. In entities where the maximum number of connections is dynamic, this object should contain the value -1.
tcpActiveOpens
    The number of times TCP connections have made a direct transition to the SYN-SENT state from the CLOSED state.
tcpPassiveOpens
    The number of times TCP connections have made a direct transition to the SYN-RCVD state from the LISTEN state.
tcpAttemptFails
    The number of times TCP connections have made a direct transition to the CLOSED state from either the SYN-SENT state or the SYN-RCVD state, plus the number of times TCP connections have made a direct transition to the LISTEN state from the SYN-RCVD state.
tcpEstabResets
    The number of times TCP connections have made a direct transition to the CLOSED state from either the ESTABLISHED state or the CLOSE-WAIT state.
tcpInSegs
    The total number of segments received, including those received in error. This count includes segments received on currently established connections.
tcpOutSegs
    The total number of segments sent, including those on current connections but excluding those containing only retransmitted octets.
tcpRetransSegs
    The total number of segments retransmitted - that is, the number of TCP segments transmitted containing one or more previously transmitted octets.


tcpInErrs
    The total number of segments received in error (for example, bad TCP checksums).
tcpCurBuff
    The total number of outstanding memory allocations from heap by TCP protocol stack.
tcpCurConn
    The total number of outstanding TCP sessions that are currently opened.
tcpCurInConn
    The total number of remotely-initiated TCP connections.
tcpCurOutConn
    The total number of switch-originated TCP connection requests.
tcpCurLstnConn
    The total number of TCP ports on which the switch is listening.
tcpOutRsts
    The number of TCP segments sent containing the RST flag.
tcpAllocTCBFails

/stats/l3/udp UDP Statistics


UDP statistics:
udpInDatagrams:           54    udpOutDatagrams:         43
udpInErrors:               0    udpNoPorts:         1578077

UDP Statistics (/stats/l3/udp)

Statistics    Description

udpInDatagrams
    The total number of UDP datagrams delivered to the switch.
udpOutDatagrams
    The total number of UDP datagrams sent from this entity (the switch).
udpInErrors
    The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.
udpNoPorts
    The total number of received UDP datagrams for which there was no application at the destination port.

/stats/slb Server Load Balancing Statistics Menu


[Server Load Balancing Statistics Menu]
     sp      - SLB Switch SP Stats Menu
     gslb    - Global SLB Stats Menu
     real    - Show real server stats
     group   - Show real server group stats
     virt    - Show virtual server stats
     filt    - Show filter stats
     layer7  - Show Layer 7 stats
     ssl     - Show SSL SLB stats
     ftp     - Show FTP SLB parsing and NAT stats
     rtsp    - Show RTSP SLB stats
     dns     - Show DNS SLB stats
     wap     - Show WAP SLB stats
     maint   - Show maintenance stats
     sip     - Show SIP SLB stats
     wlm     - Show Workload Manager SASP stats
     mirror  - Show Session mirroring stats
     clear   - Clear non-operational Server Load Balancing stats
     aux     - Show auxiliary session table stats
     dump    - Dump all SLB statistics

SLB Statistics Menu Options (/stats/slb)

Command Syntax and Usage

sp <SP number (1-4)>
    Displays the server load balancing statistics menu. To view menu options, see "/stats/slb/sp Server Load Balancing SP statistics Menu" (page 165).
gslb
    Displays the Global SLB Statistics menu. For more information, see "/stats/slb/gslb Global SLB Statistics Menu" (page 170).
real <real server number (1-1023)>
    Displays the following real server statistics:
    - Number of times the real server has failed its health checks
    - Number of sessions currently open on the real server
    - Total sessions the real server was assigned
    - Highest number of simultaneous sessions recorded for each real server
    - Real server transmit/receive octets


/stats/slb Server Load Balancing Statistics Menu 163 Command Syntax and Usage See "/stats/slb/real real server number Real Server SLB Statistics" (page 175) for sample output. group <real server group number (1-1024)> Displays the following real server group statistics:

Current and total sessions for each real server in the real server group. Current and total sessions for all real servers associated with the real server group. Highest number of simultaneous sessions recorded for each real server. Real server transmit/receive octets. For per-service octet counters, see "Per ServiceOctet Counters" (page 175).

See "/stats/slb/Group real server groups number Real Server Group Statistics" (page 176) for sample output. virt <virtual server number (1-1024)> Displays the following virtual server statistics:

Current and total sessions for each real server associated with the virtual server. Current and total sessions for all real servers associated with the virtual server. Highest number of simultaneous sessions recorded for each real server. Real server transmit/receive octets. For per-service octet counters, see "Per ServiceOctet Counters" (page 175).

See "/stats/slb/virt virtual server number Virtual Server SLB Statistics" (page 177) for sample output. filt <filter ID (1-2048)> Displays the total number of times any filter has been used. See "/stats/slb/filt filter number Filter SLB Statistics" (page 177) for sample output. agslb ftp

    Displays FTP SLB parsing and NAT statistics. See "/stats/slb/ftp File Transfer Protocol SLB and Filter Statistics Menu" (page 183) for sample output.

rtsp
    Displays RTSP SLB statistics. See "/stats/slb/rtsp RTSP SLB Statistics" (page 185) for sample output.

dns
    Displays DNS SLB statistics. See "/stats/slb/dns DNS SLB Statistics" (page 186) for sample output.

wap
    Displays WAP SLB statistics. See "/stats/slb/wap WAP SLB Statistics" (page 187) for sample output.

maint
    Displays SLB maintenance statistics. See "/stats/bwm/maint BWM Maintenance Statistics" (page 201) for sample output.

sip
    Displays SIP SLB statistics. See "/stats/slb/sip SIP SLB Statistics" (page 192) for sample output.

wlm Workload Manager number, 1-16 clear
    Display Workload Manager SASP statistics. See "/stats/slb/wlm wlm number Display Workload Manager SASP statistics" (page 193) for sample output.

mirror
    Display session mirroring statistics. See "/stats/slb/mirror Display Workload Manager SASP statistics" (page 193) for sample output.

clear [y|n]
    Clears all non-operating SLB statistics on the Nortel Application Switch, resetting them to zero. This command does not reset the switch and does not affect the following counters:
    - Counters required for Layer 4 and Layer 7 operation (such as current real server sessions).
    - All related SNMP counters.
    To view the statistics reset by this command, refer to "/stats/slb/wlm wlm number Display Workload Manager SASP statistics" (page 193).

aux
    Displays auxiliary session table statistics.

dump
    Dumps all switch SLB statistics. Use this command to gather data for tuning and debugging switch performance. To save dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump command.

/stats/slb/sp Server Load Balancing SP statistics Menu


[Server Load Balancing SP Statistics Menu]
     real    - Show real server stats
     group   - Show real server group stats
     virt    - Show virtual server stats
     filt    - Show filter stats
     maint   - Show maintenance stats
     aux     - Show auxiliary session table stats
     clear   - Clear SP stats

SP Statistics Menu options (/stats/slb/sp)

Command Syntax and Usage

real <real server number (1-1023)>
    Displays real server statistics of the switch port. See "/stats/slb/sp/real <real server number> SP Real Server Statistics" (page 166) for a sample output.

group <real server group number (1-1024)>
    Displays real server group statistics of the switch port. See "/stats/slb/sp <sp number> /group <real group server number> SP Real Group Server Statistics" (page 166) for a sample output.

virt <virtual server number (1-1024)>
    Displays statistics of the virtual server. See "/stats/slb/sp <sp number> /virt <virtual server number> SP Virtual Server Statistics" (page 166) for a sample output.

filt <filter ID (1-2048)>
    Displays statistics of the filter. See "/stats/slb/sp <sp number> /filt <filter number> SP Filter Statistics" (page 166) for a sample output.

maint
    Displays the SP maintenance statistics. See "/stats/slb/sp <sp number> /maint SP Maintenance Statistics" (page 166) for a sample output.

aux
    Displays the statistics of the auxiliary session table.

clear
    Deletes all the SP statistics.

/stats/slb/sp/real <real server number> SP Real Server Statistics


Port 1 Real server 1 stats:
Current sessions:    3
Total sessions:      3
Octets:              24

/stats/slb/sp <sp number> /group <real group server number> SP Real Group Server Statistics

/stats/slb/sp <sp number> /virt <virtual server number> SP Virtual Server Statistics

/stats/slb/sp <sp number> /filt <filter number> SP Filter Statistics


SP 1 Filter 1 stats:
Total firings:    2

/stats/slb/sp <sp number> /maint SP Maintenance Statistics

SP 1 SLB Maintenance stats:
Maximum sessions:               524276
Current sessions:               0
4 second average:               0
64 second average:              0
Terminated sessions:            0
Allocation failures:            0
Non TCP/IP frames:              0
UDP datagrams:                  0
Incorrect VIPs:                 0
Incorrect Vports:               0
No available real server:       0
Filtered (denied) frames:       0
LAND attacks:                   0
No TCP control bits:            0
Invalid reset packet drops:     0
Total IP fragment sessions:     0
IP fragment sessions:           0
IP fragment discards:           0
IP fragment table full:         0
IPF invalid lengths:            0
IPF Null Payloads:              0
Fragment Overlaps:              0
Duplicate fragments:            0

SYMANTEC MAINT STATISTICS:
Symantec Sessions:              0
Symantec Valid segments:        0
Symantec Fragment sessions:     0
Segment allocation fails:       0
Buffer allocation fails:        0
Connection allocation fails:    0
Invalid buffers:                0
Segment reallocation fails:     0

SYMANTEC INSPECTION STATISTICS
Packets in:                     0
Packets with no data:           0
TCP packets:                    0
UDP packets:                    0
ICMP packets:                   0
Other packets:                  0
Match count:                    0
Result Fetch errors:            0
Truncated payloads:             0
Packets in fastpath:            0

SP Maintenance Statistics (/stats/slb/sp/maint)

Statistic
    Description

Maximum sessions
    The maximum number of simultaneous sessions supported.

Current Sessions
    Number of session bindings currently in use (the last 4 and 64 seconds).

Terminated Sessions
    Number of sessions removed from the session table because the server assigned to them failed and graceful server failure was not enabled.

Allocation Failures
    Indicates instances where the Switch ran out of available sessions for a port.

UDP Datagrams
    Indicates that the virtual server IP address and MAC are receiving UDP frames when UDP balancing is not turned on.

Non TCP/IP Frames
    Indicates the number of non-IP based frames received by the virtual server.

Incorrect VIPs
    Indicates the number of times the switch received a Layer 4 request for a virtual server which was not configured.

Incorrect Vports
    This dropped frames counter indicates that the virtual server has received frames for TCP/UDP services that have not been configured. Normally this indicates a mis-configuration on the virtual server or the client, but it may be an indication of a potential security probing application like SATAN.

No Available Real Server
    This dropped frames counter indicates that all real servers are either out of service or at their maxcon limit.

Backup Server Activations
    This indicates the number of times a real server failure has occurred and caused a backup server to be brought online.

Overflow Server Activations
    This indicates the number of times a real server has reached the maxcon limit and caused an overflow server to be brought online.

Filtered (Denied) Frames
    This indicates the number of frames that were dropped because of one of the following reasons:
    1. They matched an active filter with the deny action set.
    2. There are no real servers (in the case of redirection filters.)
    3. When there are no available session entries.

LAND attacks
    This counter increases whenever a packet has the same source and destination IP addresses and ports.

No TCP Control Bits
    The number of packets that were dropped because the packet had no control bits set in the TCP header.

Invalid reset packet drops
    The number of packets that were dropped because the packet had an invalid reset flag set.

Total IP fragment sessions
    This represents the total number of fragment sessions the switch has processed so far.

Current IP fragment sessions
    This represents the current number of fragment sessions.

IP fragment discards
    The number of fragmented packets that are discarded due to lack of resources.

IP fragment table full
    This counter indicates how many times session table is full.

SYMANTEC MAINT STATISTICS

Symantec sessions
    The number of sessions inspected by Symantec engine.

Symantec Valid segments
    The number of packets inspected by Symantec engine.

Symantec Fragment sessions
    The number of IP fragment sessions inspected by Symantec engine.

Segment allocation fails
    The number of memory allocation failures for IP fragments.

Buffer allocation fails
    Symantec stream buffer allocation failures.

Connection allocation fails
    Symantec connection info allocation failures.

Invalid buffers
    Invalid stream buffer errors.

Segment reallocation fails
    Symantec stream buffer segment reallocation failures.

SYMANTEC INSPECTION STATISTICS

Packets in
    Number of packets submitted for Symantec inspection.

Packets with no data
    Number of packets with no data - no inspection needed.

TCP packets
    Number of TCP packets submitted for Symantec inspection.

UDP packets
    Number of UDP packets submitted for Symantec inspection.

ICMP packets
    Number of ICMP packets submitted for Symantec inspection.

Other packets
    Number of non TCP/UDP/ICMP packets for Symantec inspection.

Match count
    Number of Symantec signature matches.

Result Fetch errors
    Number of Symantec signature match info fetch errors.

Truncated payloads
    Number of truncated Symantec match info reported to MP.

Packets in fastpath
    Number of packets assigned with Symantec BWM contracts.
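Several counters in the SP maintenance table above (Incorrect Vports, LAND attacks, No TCP control bits and others) are most useful when compared between two captures of the maint output. The following Python is an added example, not part of the Nortel reference: it assumes the output was captured to text with one "label: value" pair per line, the choice of watched counters is the example's own, and both captures are constructed sample data.

```python
import re

# Counters the SP maintenance table describes as traffic anomalies or resource
# exhaustion. The reasons paraphrase that table; the selection is this example's.
WATCHED = {
    "incorrect vports": "frames for TCP/UDP services that are not configured",
    "incorrect vips": "Layer 4 requests for a virtual server that is not configured",
    "land attacks": "packets with identical source and destination address and port",
    "no tcp control bits": "TCP packets dropped with no control bits set",
    "invalid reset packet drops": "packets dropped for an invalid reset flag",
    "ip fragment discards": "fragments discarded for lack of resources",
    "ip fragment table full": "fragment session table was full",
    "allocation failures": "no sessions available for a port",
}

# Assumed capture format: one "label: integer" pair per line. Heading lines
# such as "SP 1 SLB Maintenance stats:" carry no integer and are skipped.
PAIR = re.compile(r"^\s*([^:]+?)\s*:\s*(\d+)\s*$")

# Constructed sample captures (not taken from a real switch).
BEFORE = """\
SP 1 SLB Maintenance stats:
Maximum sessions:              524276
Current sessions:                  12
Allocation failures:                0
Incorrect VIPs:                     4
Incorrect Vports:                 100
LAND attacks:                       0
No TCP control bits:                7
IP fragment table full:             0
"""

AFTER = """\
SP 1 SLB Maintenance stats:
Maximum sessions:              524276
Current sessions:                   9
Allocation failures:                0
Incorrect VIPs:                     4
Incorrect Vports:                2350
LAND attacks:                       3
No TCP control bits:                7
IP fragment table full:             0
"""


def parse_maint(text):
    """Return {lower-cased label: int} for every 'label: value' line."""
    counters = {}
    for line in text.splitlines():
        m = PAIR.match(line)
        if m:
            counters[m.group(1).lower()] = int(m.group(2))
    return counters


def deltas(prev, cur):
    """Per-counter increase between two captures.

    A value lower than before is taken to mean the statistics were cleared
    between the captures, so the current value is the whole increase.
    """
    out = {}
    for name, value in cur.items():
        before = prev.get(name, 0)
        out[name] = value - before if value >= before else value
    return out


def findings(prev_text, cur_text):
    """List (counter, increase, reason) for watched counters that grew."""
    change = deltas(parse_maint(prev_text), parse_maint(cur_text))
    return [(name, change[name], why)
            for name, why in WATCHED.items()
            if change.get(name, 0) > 0]


if __name__ == "__main__":
    for name, increase, why in findings(BEFORE, AFTER):
        print(f"{name}: +{increase} ({why})")
```

Gauges such as Current sessions are parsed but deliberately not watched, since a falling value there is normal.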

/stats/slb/gslb Global SLB Statistics Menu

Global SLB Statistics Menu Options (/stats/slb/gslb)

Command Syntax and Usage

real <real server number (1-1023)>
    Where the real server number represents the real server ID on this switch, under which the remote server is configured. To view an example and description of what is displayed on-screen, see "/stats/slb/real <real server number> Real Server SLB Statistics" (page 175).

virt <virtual server number (1-1024)>
    To view an example and description of what is displayed on-screen, see "/stats/slb/gslb/virt <virtual server number> Virtual Server Global SLB Statistics" (page 172).

site <remote site, 1-64>
    Displays Global SLB statistics for the remote site. To view an example, see "/stats/slb/gslb/site Global SLB Site Statistics" (page 173).

network <network, 1-64>
    Displays Global SLB statistics for the network.

rule <rule,1-64>
    Displays Global SLB statistics for the rule.

pers
    Displays Global SLB DNS persistence cache statistics.

geo
    Displays Global SLB statistics for the geographical preference.

maint
    To view an example and description of Global SLB maintenance statistics, see Undefined Resource.

clear
    Deletes all Global SLB statistics.

dump
    Displays all Global SLB statistics.

/stats/slb/gslb/real <real server number> Real Server Global SLB Statistics


Real server 1 global stats:
DNS directs:       3210
HTTP redirects:    12

For any remote real server configured for Global Server Load Balancing, the following statistics can be viewed:
- Number of DNS responses directed to the remote real server
- Number of HTTP redirects to the remote real server

/stats/slb/gslb/virt <virtual server number> Virtual Server Global SLB Statistics


--------------------------------------------------------
Global SLB virtual server 1 stats:
Global SLB virtual server 2 http service stats:
Domain: gslb.foocorp.com
Server IP address      Site DNS directs HTTP redirects preemptions
------ --------------- ---- ----------- -------------- -----------
v2     200.200.200.1                  0              0           2
r4     200.200.200.21     2           0              0
r5     200.200.200.41     3           0              0
r6     200.200.200.61     4           0              0
------ --------------- ---- ----------- -------------- -----------
Totals                                0              0           2
------ --------------- ---- ----------- -------------- -----------

Virtual Server Global SLB Statistics (/stats/slb/gslb/virt)

Field
    Description

Server
    Type of server configuration and server ID number.
    - v# represents a local virtual server number
    - r# represents a remote site. Since each remote site is configured on its peers as if it were a real server (with certain special properties), the number represents the real server ID on this switch, under which the remote server is configured.

IP Address
    IP address of the server.

Site
    The remote site number.

DNS directs
    The number of DNS responses that return the IP address of the corresponding server.

HTTP redirects
    The number of HTTP requests redirected to the corresponding server.

preemptions
    The number of times this server has been preempted due to failover preemption. That is to say, the number of times this device has failed and was preempted from regaining the sessions it previously owned.


/stats/slb/gslb/site Global SLB Site Statistics


Global SLB remote site 1 stats:
Bad remote site packets received:       386
DSSPv1 remote site updates sent:        0
DSSPv1 remote site updates received:    0
DSSPv2 remote site updates sent:        768
DSSPv2 remote site updates received:    348

Global SLB Site Statistics Parameters (/stats/slb/gslb/site)

Field
    Description

Bad remote site packets received
    The number of bad packets received from remote site.

DSSPv1 remote site updates sent
    The number of remote site updates sent using DSSP version 1.

DSSPv1 remote site updates received
    The number of remote site updates received using DSSP version 1.

DSSPv2 remote site updates sent
    The number of remote site updates sent using DSSP version 2.

DSSPv2 remote site updates received
    The number of remote site updates received using DSSP version 2.

/stats/slb/gslb/maint Global SLB Maintenance Statistics


Global SLB maintenance stats:
Bad remote site packets received:          0
DSSPv1 remote site updates sent:           0
DSSPv1 remote site updates received:       0
DSSPv2 remote site updates sent:           127746
DSSPv2 remote site updates received:       85164
DNS queries received:                      0
Bad DNS queries received:                  0
DNS responses sent:                        0
HTTP requests received:                    0
Bad HTTP requests received:                0
HTTP responses sent:                       0
Hostname domain hits:                      0
Network domain hits:                       0
Basic domain hits:                         0
No server selected for hostname domain:    0
No server selected for network domain:     0
No server selected for basic domain:       0
No matching domain:                        0
Last no result domain:
Last source IP:                            0.0.0.0

Global SLB Maintenance Statistics (/stats/slb/gslb/maint)

Field
    Description

Bad remote site packets received
    The number of bad packets received from the remote site. Bad updates or dropped packets usually indicate that there is a configuration problem at local or remote GSLB switches. If bad updates or dropped packets occur, check your syslog for configuration error messages.

DSSPv1 remote site updates sent
    The number of Distributed Site State Protocol (DSSP) version one updates/packets sent to the remote sites.

DSSPv1 remote site updates received
    The number of Distributed Site State Protocol (DSSP) version one updates/packets received from the remote sites.

DSSPv2 remote site updates sent
    The number of Distributed Site State Protocol (DSSP) version two updates/packets sent to the remote sites.

DSSPv2 remote site updates received
    The number of Distributed Site State Protocol (DSSP) version two updates/packets received from the remote sites.

DNS queries received
    The number of DNS queries received.

Bad DNS queries received
    The number of bad DNS queries received.

DNS responses sent
    The number of DNS responses sent by the switch that includes DNS directs and DNS error responses.

HTTP requests received
    The number of HTTP requests received.

Bad HTTP requests received
    The number of bad/dropped client HTTP requests. Client HTTP GET request packets that do not contain the entire URL are considered bad and are dropped.

HTTP responses sent
    The number of HTTP responses sent by the switch that includes HTTP redirects.

Hostname domain hits
    The number of times the DNS queries received matched for the hostname configured.

Network domain hits
    The number of times the DNS queries received matched for the network domain name configured.

Basic domain hits
    The number of times the DNS queries received matched for the basic domain name configured.

No server selected for hostname domain
    The number of times no server was selected after matching the host name domain.

No server selected for network domain
    The number of times no server was selected after matching the network domain name.

No server selected for basic domain
    The number of times no server was selected after matching the basic domain name.

No matching domain
    The number of times the DNS queries received did not match the host name, domain name, or the network domain configured.

Last no result domain
    The domain in the last DNS query received that did not match the host name, domain name, or the network domain configured.

Last source IP
    The source IP address of the last DNS query or HTTP request received.

/stats/slb/real <real server number> Real Server SLB Statistics


Real server 1 stats:
Current sessions:    129
Total sessions:      65478
Highest sessions:    4343
Octets:              523824000

Note: Octets are provided per server, not per service, unless configured as described in "Per Service Octet Counters" (page 175).

Real Server SLB Statistics (/stats/slb/real)

Statistics
    Description

Current sessions
    The total number of outstanding sessions that are established to the particular real server.

Total sessions
    The total number of sessions that have been established to the particular real server.

Highest sessions
    The highest number of sessions ever recorded for the particular real server.

Octets
    The total number of octets sent by the particular real server.

Per Service Octet Counters


For each load-balanced real server, the octet counters represent the combined number of transmit and receive bytes (octets). These counters are then added to report the total octets for each virtual server.

The octet counters are provided per server, not per service. If you need octet counters on a per-service basis, you can accomplish this through the following configuration:

1. Configure a separate IP address for each service on each server being load balanced. For instance, you can configure IP address 10.1.1.20 for HTTP services, and 10.1.1.21 for FTP services on the same physical server.
2. On the Nortel Application Switch, configure a real server with a real IP address for each service above. Continuing the example above, two real servers would be configured for the physical server (representing each real service). If there were five physical servers providing the two services (HTTP and FTP), 10 real servers would have to be configured: five for the HTTP services on each physical server, and five for the FTP services on each physical server.
3. On the Nortel Application Switch, configure one real server group for each type of service, and group each appropriate real server IP address into the group that handles the specific service. Thus, in keeping with our example, two groups would be configured: one for handling HTTP and one for handling FTP.
4. Configure a virtual server and add the appropriate services to that virtual server.

/stats/slb/Group <real server groups number> Real Server Group Statistics

Real server group statistics include the following:
- Current and total sessions for each real server in the real server group.
- Current and total sessions for all real servers associated with the real server group.
- Highest number of simultaneous sessions recorded for each real server.
- Real server transmit/receive octets. For per-service octet counters, see the procedure on "Per Service Octet Counters" (page 175).


/stats/slb/virt <virtual server number> Virtual Server SLB Statistics

Note: The virtual server IP address is shown on the last line, below the real server IP addresses.

Virtual server statistics include the following:
- Current and total sessions for each real server associated with the virtual server.
- Current and total sessions for all real servers associated with the virtual server.
- Highest number of simultaneous sessions recorded for each real server.
- Real server transmit/receive octets. For per-service octet counters, see "Per Service Octet Counters" (page 175).

/stats/slb/filt <filter number> Filter SLB Statistics


Filter 1 stats:
Total firings:    1011

You can obtain the total number of times any filter has been matched.

/stats/slb/layer7 SLB Layer7 Statistics Menu


[Layer 7 Statistics Menu]
     redir   - Show URL Redirection stats
     str     - Show SLB String stats
     maint   - Show Layer 7 Maintenance stats
     pooling - Show connection pooling stats

SLB Layer 7 Statistics Menu Options (/stats/slb/layer7)

Command Syntax & Usage

redir
    Displays URL Redirection statistics. See "/stats/slb/layer7/redir Layer 7 Redirection Statistics" (page 178) for a sample output.

str
    Displays SLB string statistics. See "/stats/slb/layer7/str Layer 7 SLB String Statistics" (page 179) for a sample output.

maint
    Displays Layer 7 maintenance statistics. See "/stats/slb/layer7/maint Layer 7 SLB Maintenance Statistics" (page 179) for a sample output.

pooling
    Display the connection pooling statistics. See "/stats/slb/layer7/maint Layer 7 SLB Maintenance Statistics" (page 179) for a sample output.

/stats/slb/layer7/redir Layer 7 Redirection Statistics


Total URL based web cache redirection stats:
Total cache server hits:                 0
Total origin server hits:                0
Total straight to origin server hits:    0
Total none-GETs hits:                    0
Total Cookie: hits:                      0
Total no-cache hits:                     0
Total RTSP cache server hits:            0
Total RTSP origin server hits:           0
Total HTTP redirection hits:             0

Layer 7 Redirection Statistics (/stats/slb/layer7/redir)

Statistics
    Description

Total cache server hits
    The total number of HTTP requests redirected to the cache server.

Total origin server hits
    The total number of HTTP requests forwarded to the origin server.

Total straight to origin server hits
    The total number of HTTP requests forwarded from straight to the origin server.

Total none-GETs hits
    The total number of none GET requests forwarded to the origin server.

Total Cookie: hits
    The total number of cookie requests forwarded to the origin server.

Total no-cache hits
    The total number of requests containing no-cache header forwarded to the origin server.

Total RTSP cache server hits
    The total number of RTSP requests redirected to the cache server.

Total RTSP origin server hits
    The total number of RTSP requests forwarded to the origin server.

Total HTTP redirection hits
    The total number of HTTP requests that were redirected by redirection filter.

/stats/slb/layer7/str Layer 7 SLB String Statistics


SLB String stats:
ID  SLB String                  Hits
1   any                         1527115
2   www.[abcdefghijklm]*.com    0
3   www.[nopqrstuvwxyz]*.com    0
4   www.junk.com                0
5   www.abc.com                 0
6   www.[abcdefjhijklm]*.org    0
7   www.[nopqrstuvwxyz]*.org    0

Layer 7 SLB String Statistics (/stats/slb/layer7/str)

Statistics
    Description

ID SLB String
    The user-defined strings being used in URL matching.

Hits
    The total number of instances that are load-balanced due to matching of the particular URL ID.

/stats/slb/layer7/maint Layer 7 SLB Maintenance Statistics

SLB Layer 7 Maintenance Statistics (/stats/slb/layer7/maint)

Statistics
    Description

Clients reset by switch on client side
    The number of reset frames sent to the client by the switch during server connection termination. This means that when the switch could not connect to the real server and the client's retries exceeded the threshold due to delayed binding, the switch will send a reset frame to the client to terminate the connection.

Clients reset by switch on server side
    The number of reset frames sent to the server by the switch during server connection termination due to delayed binding.

Connection Splicing to support HTTP/1.1
    The total number of connection swapping between different real servers in supporting multiple HTTP/1.1 client requests.

Invalid HTTP methods
    The total number of HTTP requests that contain invalid methods sent by the client.

Aged delayed binding sessions
    The total number of aged delayed binding sessions caused by failed connection initialization between the switch and the server.

Half open connections
    The total number of outstanding TCP connections that are half opened. It is incremented when the switch responds to TCP SYN packet and decremented upon receiving TCP SYN ACK packet from the requester.

Switch retries
    The total number of switch retries to connect to the real server.

Random early drops
    The total number of SYN frames dropped when the buffer is low.

Requests exceeded 4500 bytes
    The total number of GET requests that exceeded 4500 bytes.

Invalid 3-way handshakes
    The total number of dropped frames because of invalid 3-way handshakes.

Exceeded max frame size
    The total number of switch-generated frames that exceeded the maximum allowed frame size.

Out of order packet drops
    The total number of TCP packets dropped because they were received out of order.

Current SP memory units
    The currently available SP memory units.

Current SEQ buffer entries
    The number of outstanding sequence buffers used.

Highest SEQ buffer entries
    The highest number of sequence buffers ever used.

Current Data buffer use
    The number of outstanding data buffers used.

Highest Data buffer use
    The highest number of data buffers ever used.

Total Nonzero SEQ Alloc
    The total number of sequence buffers allocated.

Total SEQ Buffer Allocs
    The total number of sequence buffer allocations.

Total SEQ Frees
    The total number of sequence buffers freed.

Total Data Buffer Allocs
    The total number of buffers allocated to store client request.

Total Data Frees
    The total number of buffers freed.

Alloc Fails - Seq buffers
    The number of times sequence buffer allocation failed.

Alloc Fails - Ubufs
    The number of times the URL data buffer allocation failed.

Max sessions per bucket
    The maximum number of items (sessions) allowed in the session table hash bucket chain.

Max frames per session
    The maximum number of frames to be buffered per session.

Max bytes buffered (sess)
    The maximum number of bytes to be buffered per session.

/stats/slb/layer7/pooling Layer7 Pooling Statistics

/stats/slb/ssl SLB Secure Socket Layer Statistics


SSL SLB maintenance stats:
SessionId allocation fails:              0
Total number of SSL ID reassignments:    0

                          Current  Total      Highest
                          Sessions Sessions   Sessions
------------------------- -------- ---------- --------
Unique SessionIds                0          0        0
SSL connections                  0          0        0
Persistent Port Sessions         0          0        0

SLB Secure Socket Layer Statistics (/stats/slb/ssl)

Statistics
    Description

SSL SLB maintenance stats
    Debug stats for SSL SessionId based persistence.

SessionId allocation fails
    The number of times allocation of a session table entry failed when attempting to store a SessionId in the table.

Total number of SSL ID reassignments

The table shows the Current Sessions, the total sessions seen on the switch since last reset and the high water mark of current sessions for the following:

Unique SessionIds
    Many SSL sessions can use the same SessionId, these should all bind to the same server. This number shows the number of unique SSL sessions seen on the switch.

SSL connections
    The number of different TCP connections using SSL service.

Persistent Port Sessions
    The number of SessionIds maintained to allow for persistence across different client ports.

/stats/slb/ftp File Transfer Protocol SLB and Filter Statistics Menu


[FTP SLB parsing and Filter Statistics Menu]
     active  - Show active FTP NAT filter stats
     parsing - Show FTP SLB parsing server stats
     maint   - Show FTP maintenance stats
     dump    - Dump all FTP SLB/NAT stats

FTP SLB Parsing and Filter Statistics Menu Options (/stats/slb/ftp)

Command Syntax and Usage

active
    Shows active FTP SLB parsing and filter statistics. See "/stats/slb/ftp/active Active FTP SLB Parsing and Filter Statistics" (page 183) for sample output.

parsing
    Shows parsing statistics. See "/stats/slb/ftp/parsing Passive FTP SLB Parsing Statistics" (page 184) for sample output.

maint
    Shows maintenance statistics. See "/stats/slb/ftp/maint FTP SLB Maintenance Statistics" (page 184) for sample output.

dump
    Shows all FTP SLB/NAT statistics. See "/stats/slb/ftp/dump FTP SLB Statistics Dump" (page 184).

/stats/slb/ftp/active Active FTP SLB Parsing and Filter Statistics


Total Active FTP NAT stats(PORT):
Total FTP:                       0
Total New Active FTP Index:      0
Active FTP NAT ACK/SEQ diff:     0

Active FTP SLB Parsing and Filter Statistics (/stats/slb/ftp/active)

Statistics | Description
Total Active FTP NAT stats (PORT) | The number of times the switch receives the port command from the client.
Total FTP | The number of times the switch receives both active and passive FTP connections.
Total New Active FTP Index | The number of times the switch creates a new index due to port command from the client.
Active FTP NAT ACK/SEQ diff | The difference in the numbers of ACK and SEQ that the switch needs for packet adjustment.

/stats/slb/ftp/parsing Passive FTP SLB Parsing Statistics


Total FTP SLB Parsing Stats(PASV):
Total FTP:                         0
Total New FTP SLB parsing Index:   0
FTP SLB parsing ACK/SEQ diff:      0

Passive FTP SLB Parsing Statistics (/stats/slb/ftp/parsing)

Statistics | Description
Total FTP | The number of times the switch receives both active and passive FTP connections.
Total New FTP SLB parsing Index | The number of times the switch creates a new index in response to the pasv command from the client.
FTP SLB parsing ACK/SEQ diff | The difference in the numbers of ACK and SEQ that the switch needs for FTP SLB parsing.

/stats/slb/ftp/maint FTP SLB Maintenance Statistics


FTP mode switch error:     0

FTP SLB Maintenance Statistics (/stats/slb/ftp/maint)

Statistics | Description
FTP mode switch error | The number of times the switch is not able to switch modes from active to passive and vice versa.

/stats/slb/ftp/dump FTP SLB Statistics Dump


Total FTP :                         0
Total FTP NAT Filtered:             0
Total new active FTP NAT Index:     0
Total new FTP SLB parsing Index:    0
FTP Active FTP NAT ACK/SEQ diff:    0
FTP SLB parsing ACK/SEQ diff:       0
FTP mode switch error:              0

FTP SLB Statistics Dump (/stats/slb/ftp/dump)

Statistics | Description
Total FTP | The total number of FTP sessions that occurred.
Total FTP NAT Filtered | The total number of FTP NAT filter sessions that occurred.
Total new active FTP NAT Index | The total number of new data sessions created for FTP NAT filter in active mode.
Total new FTP SLB parsing Index | The number of times the switch creates a new index in response to the pasv command from the client.
FTP Active FTP NAT ACK/SEQ diff | The total number of times the adjustment between ACK and SEQ occurred on the filter.
FTP SLB parsing ACK/SEQ diff | The difference in the numbers of ACK and SEQ that the switch needs for FTP SLB parsing.
FTP mode switch error | The number of times the switch could not switch mode from active to passive and vice versa.

/stats/slb/rtsp RTSP SLB Statistics

RTSP SLB Statistics (/stats/slb/rtsp)

Statistics | Description
ControlConnection | The total number of TCP connections for RTSP control connection.
UDP Streams | The total number of UDP connections for data channels. The number depends upon the type of media player being used.
Redirect | The total number of times the connection got redirected.
ConnectionDenied | The total number of times the connections got denied due to shortage of resources or the real server being down.
BufferAllocs | The total number of buffer allocations used.
AllocFailures | The total number of times the buffer allocation failed.

/stats/slb/dns DNS SLB Statistics


Total number of TCP DNS queries:                   0
Total number of UDP DNS queries:                   0
Total number of invalid DNS queries:               0
Total number of multiple DNS queries:              0
Total number of domain name parse errors:          0
Total number of failed real server name matches:   0
Total number of DNS parsing internal errors:       0

DNS SLB Statistics (/stats/slb/dns)

Statistics | Description
Total number of TCP DNS queries | The total number of DNS queries received through TCP connections.
Total number of UDP DNS queries | The total number of DNS queries received through UDP requests.
Total number of invalid DNS queries | The total number of malformed DNS queries received.
Total number of multiple DNS queries | The total number of DNS queries that contain more than one domain name to be resolved. Currently only one domain name resolution per request is supported.
Total number of domain name parse errors | The total number of DNS queries that have short or invalid domain names to be resolved.
Total number of failed real server name matches | The total number of times the user failed to find a real server which has the same layer 7 strings that match the domain name to be resolved.
Total number of DNS parsing internal errors | The total number of out of memory and other unexpected errors the user gets while processing the DNS query.

/stats/slb/wap WAP SLB Statistics


This command displays all the Radius and WAP related counters.

WAP SLB Statistics (/stats/slb/wap)

Statistics | Description

WAP Maintenance stats:
current sessions | The number of session bindings currently in use.
allocation failures | Indicates instances where the switch ran out of available bindings for a port.
incorrect VIPs | Indicates the number of times the switch received a Layer 4 request for a virtual server which was not configured.
incorrect Vports | This dropped frames counter indicates that the virtual server has received frames for TCP/UDP services that have not been configured. Normally this indicates a mis-configuration on the virtual server or the client.
no available real server | This dropped frames counter indicates that all real servers are either out of service or at their maxcon limit.
requests to wrong SP | The number of session add/delete requests sent to the wrong SP.

TPCP External Notification stats:
add session reqs | The number of WAP session add requests via TPCP.
req fails- SP dead | The number of add-request failures due to dead target SP.

RADIUS Snooping stats:
acct reqs | The number of RADIUS Accounting frames received.
acct wrap reqs | The number of wrapped RADIUS Accounting frames received.
acct start reqs | The number of RADIUS Accounting Start frames received.
acct update reqs | The number of RADIUS Accounting Update frames.
acct stop reqs | The number of RADIUS Accounting Stop frames received.
acct bad reqs | The number of bad RADIUS Accounting frames received.
add session reqs | The number of WAP session add requests via RADIUS snooping.
del session reqs | The number of WAP session delete requests via RADIUS snooping.
req fails- SP dead | The number of add/delete request failures due to dead target SP.
req fails- DMA | The number of add/delete requests failed due to DMA write failure.

/stats/slb/maint SLB Maintenance Statistics

SLB Maintenance stats:
Maximum sessions:               2097104
Current sessions:                     0
4 second average:                     0
64 second average:                    0
Terminated sessions:                  0
Allocation failures:                  0
UDP datagrams:                        0
Non TCP/IP frames:                    0
Incorrect VIPs:                       0
Incorrect Vports:                     0
No available real server:             0
Backup server activations:            0
Overflow server activations:          0
Filtered (denied) frames:             0
LAND attacks:                         0
No TCP control bits:                  0
Invalid reset packet drops:           0
Total IP fragment sessions:           0
Current IP fragment sessions          0
IP fragment discards:                 0
IP fragment table full:               0
Current IPF buffer sessions:          0
Highest IPF buffer sessions:          0
IPF buffer alloc fails:               0
IPF SP buffer alloc fails:            0
SP buffer too low:                    0
Exceeded 16 OOO packets:              0
Free Service pool entries:         8192
Current IP6 sessions:                 0
Incorrect IP6 VIPs:                   0
Incorrect IP6 Vports:                 0
IP6 packets drops:                    0
SYMANTEC MAINT STATISTICS:
Symantec sessions:                    0
Symantec segments:                    0
Symantec Fragment sessions:           0
Segment allocation fails:             0
Buffer allocation fails:              0
Connection allocation fails:          0
Invalid buffers:                      0
Segment reallocation fails:           0
SYMANTEC INSPECTION STATISTICS
Packets in:                           0
Packets with no data:                 0
TCP packets:                          0
UDP packets:                          0
ICMP packets:                         0
packets not TCP, UDP or ICMP:         0
Symantec Match count:                 0
Fetch errors:                         0
Truncated payload to MP:              0
Packets in fast path:                 0

SLB Maintenance statistics are described in the following table.


Server Load Balancing Maintenance Statistics (/stats/slb/maint)

Statistic | Description
Maximum sessions | The maximum number of simultaneous sessions supported.
Current Sessions | Number of session bindings currently in use (the last 4 and 64 seconds).
Terminated Sessions | Number of sessions removed from the session table because the server assigned to them failed and graceful server failure was not enabled.
Allocation Failures | Indicates instances where the switch ran out of available sessions for a port.
UDP Datagrams | Indicates that the virtual server IP address and MAC are receiving UDP frames when UDP balancing is not turned on.
Non TCP/IP Frames | Indicates the number of non-IP based frames received by the virtual server.
Incorrect VIPs | Indicates the number of times the switch received a Layer 4 request for a virtual server which was not configured.
Incorrect Vports | This dropped frames counter indicates that the virtual server has received frames for TCP/UDP services that have not been configured. Normally this indicates a mis-configuration on the virtual server or the client, but it may be an indication of a potential security probing application like SATAN.
No Available Real Server | This dropped frames counter indicates that all real servers are either out of service or at their maxcon limit.
Backup Server Activations | This indicates the number of times a real server failure has occurred and caused a backup server to be brought online.
Overflow Server Activations | This indicates the number of times a real server has reached the maxcon limit and caused an overflow server to be brought online.
Filtered (Denied) Frames | This indicates the number of frames that were dropped because they matched an active filter with the deny action set.
LAND attacks | This counter increases whenever a packet has the same source and destination IP addresses and ports.
No TCP Control Bits | The number of packets that were dropped because the packet had no control bits set in the TCP header.
Invalid reset packet drops | The number of packets that were dropped because the packet had an invalid reset flag set.
Total IP fragment sessions | This represents the total number of fragment sessions the switch has processed so far.
Current IP fragment sessions | This represents the current number of fragment sessions.
IP fragment discards | The number of fragmented packets that are discarded due to lack of resources.
IP fragment table full | This counter indicates how many times the session table is full.
Free service pool entries | This counter indicates the number of free service pool entries.

SYMANTEC MAINT STATISTICS
Symantec sessions | The number of sessions inspected by the Symantec engine.
Symantec segments | The number of packets inspected by the Symantec engine.
Symantec Fragment sessions | The number of IP fragment sessions inspected by the Symantec engine.
Segment allocation fails | The number of memory allocation failures for IP fragments.
Buffer allocation fails | Symantec stream buffer allocation failures.
Connection allocation fails | Symantec connection info allocation failures.
Invalid buffers | Invalid stream buffer errors.
Segment reallocation fails | Symantec stream buffer segment reallocation failures.

SYMANTEC INSPECTION STATISTICS
Packets in | Number of packets submitted for Symantec inspection.
Packets with no data | Number of packets with no data - no inspection needed.
TCP packets | Number of TCP packets submitted for Symantec inspection.
UDP packets | Number of UDP packets submitted for Symantec inspection.
ICMP packets | Number of ICMP packets submitted for Symantec inspection.
packets not TCP, UDP or ICMP | Number of non TCP/UDP/ICMP packets for Symantec inspection.
Symantec Match count | Number of Symantec signature matches.
Fetch errors | Number of Symantec signature match info fetch errors.
Truncated payload to MP | Number of truncated Symantec match info reported to MP.
Packets in fast path | Number of packets assigned with Symantec BWM contracts.
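An added example, not taken from the Nortel manual: one way to turn the /stats/slb/maint counters into a detection signal is to capture the output twice and report which security-relevant counters grew in between. The function names (parse_maint, diff_counters) are hypothetical, the captures are constructed, and the code assumes one "label: value" pair per line and that these counters are cumulative until cleared.

```python
"""Diff two captures of /stats/slb/maint and flag security-relevant counter growth."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "label delta reason reset")

# Counter label -> why growth matters (wording follows the statistic descriptions).
WATCHED = {
    "Allocation failures": "switch ran out of available sessions for a port",
    "Incorrect VIPs": "Layer 4 requests for a virtual server that is not configured",
    "Incorrect Vports": "frames for unconfigured TCP/UDP services (misconfiguration or probing)",
    "No available real server": "all real servers out of service or at maxcon",
    "Filtered (denied) frames": "frames dropped by a filter with the deny action",
    "LAND attacks": "packets with identical source and destination address and port",
    "No TCP control bits": "TCP packets dropped with no control bits set",
    "Invalid reset packet drops": "packets dropped for an invalid reset flag",
    "IP fragment discards": "fragments discarded for lack of resources",
    "IP fragment table full": "fragment session table exhaustion",
}

# Label, optional colon, whitespace, integer. The colon is optional because
# "Current IP fragment sessions" is printed without one in the sample output.
LINE_RE = re.compile(r"^\s*(?P<label>.+?)\s*:?\s+(?P<value>\d+)\s*$")


def parse_maint(text):
    """Return {casefolded label: int} for every counter line; headers are skipped."""
    counters = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            counters[match.group("label").casefold()] = int(match.group("value"))
    return counters


def diff_counters(before, after, min_delta=1):
    """List watched counters that grew by at least min_delta between captures.

    A counter that went backwards means the statistics were cleared or the
    switch restarted; the new value is then everything counted since that
    point, so it is reported as the delta with reset=True.
    """
    findings = []
    for label, reason in WATCHED.items():
        key = label.casefold()
        if key not in before or key not in after:
            continue  # counter missing from one capture: nothing to compare
        delta = after[key] - before[key]
        reset = delta < 0
        if reset:
            delta = after[key]
        if delta >= min_delta:
            findings.append(Finding(label, delta, reason, reset))
    return findings


# Constructed captures (not real switch output), trimmed to a few counters.
SAMPLE_BEFORE = """\
SLB Maintenance stats:
Maximum sessions:               2097104
Current sessions:                    12
Allocation failures:                  0
Incorrect VIPs:                       3
Incorrect Vports:                    40
Filtered (denied) frames:           100
LAND attacks:                         0
No TCP control bits:                  5
Current IP fragment sessions          0
IP fragment discards:                 7
"""

SAMPLE_AFTER = """\
SLB Maintenance stats:
Maximum sessions:               2097104
Current sessions:                    15
Allocation failures:                  0
Incorrect VIPs:                       3
Incorrect Vports:                   940
Filtered (denied) frames:           100
LAND attacks:                        25
No TCP control bits:                  5
Current IP fragment sessions          0
IP fragment discards:                 7
"""

if __name__ == "__main__":
    for f in diff_counters(parse_maint(SAMPLE_BEFORE), parse_maint(SAMPLE_AFTER)):
        note = " (since counter reset)" if f.reset else ""
        print(f"{f.label}: +{f.delta}{note} | {f.reason}")
```

Gauges such as Current sessions are deliberately left out of WATCHED, since only monotonically increasing counters can be compared this way.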

/stats/slb/sip SIP SLB Statistics

SIP SLB Statistics (/stats/slb/sip)

Statistics | Description
Total number of SIP Client Parse Errors | The total number of errors encountered during client processing when parsing an incoming SIP packet.
Total number of SIP Server Parse Errors | The total number of errors encountered during server processing when parsing an incoming SIP packet.
Total number of SIP Unknown Method packets | Total number of packets received with methods not known to the SIP parser on the switch.
Total number of SIP Incomplete Messages | Total number of packets received which do not have the complete SIP message in a single packet.
Total number of SIP Filter Parse Errors | Total number of errors encountered during filter processing when parsing an incoming SIP packet.
Total number of packets with SIP SDP NAT | Total number of packets received that have SIP SDP NAT information.

/stats/slb/wlm <wlm number> Display Workload Manager SASP statistics


SLB WorkLoad Manager SASP (/stats/slb/wlm)

>> Server Load Balancing Statistics# /st/sl/wlm 1
----------------------------------------------------------
Workload Manager 1 Statistics:
Registration Requests:                             1
Registration Replies:                              1
Registration Reply Errors:                         0
Deregisteration Requests:                          1
Deregisteration Replies:                           1
Deregisteration Reply Errors:                      0
Set LB State Requests:                             1
Set LB State Replies:                              1
Set LB State Reply Errors:                         0
Set Member State Requests:                         0
Set Member State Replies:                          0
Set Member State Reply Errors:                     0
Send Weights Messages received:                   47
Send Weights Message Parse Errors:                 0
Total Messages with Invalid LB Name:               0
Total Messages with Invalid Group Name:            0
Total Messages with Invalid Real Server Name:      0
Messages with Invalid SASP Header:                 0
Messages with parse errors:                        0
Messages with Unsuppored Message Type:             0

/stats/slb/wlm <wlm number> /clear Clear Workload Manager SASP Statistics


This command clears statistics for the specified Workload Manager.

/stats/slb/mirror Display Workload Manager SASP statistics

SLB Session Mirroring statistics (/stats/slb/mirror)

>> Server Load Balancing Statistics# mirror
--------------------------------------------------------
Session Mirroring Stats:
                                          Rx    Tx
Total Create Session Messages              0     0
Total Update Session Messages              0     0
Total Delete Session Messages              0     0
Total Create Data Session Messages         0     0
Total Update Data Session Messages         0     0
Total Delete Data Session Messages         0     0
Total Sessions Created                     0
Total Sessions Updated                     0
Total Sessions Deleted                     0
Total Data Sessions Created                0
Total Data Sessions Updated                0
Total Data Sessions Deleted                0
Session table full                         0
Unvailable pport                           0
Session already present                    0
Session not found                          0
Control session not found                  0

/stats/bwm BWM Statistics Menu


[Bandwidth Management Statistics Menu]
     port    - Switch Port Contract Stats Menu
     cont    - BW Contract stats
     rcont   - BW Contract rate stats
     hist    - BW History stats
     maint   - Show BWM maint statistics
     ipusers - Show BWM IP user stats for iplimit contracts
     dump    - Dump all BWM statistics
     clear   - Clear BWM statistics

Bandwidth Management Statistics Menu Options (/stats/bwm)

Command Syntax and Usage
Need information on all following statistics

port <port number>
    Displays Switch Port Contract Statistics Menu. To view menu options, see "/stats/bwm/port <port number> BWM Switch Processor Statistics" (page 195).
cont <BW Contract number (1-1024)>
    Displays bandwidth management contract statistics. See "/stats/bwm/cont <contract number> BWM Contract Statistics" (page 196) for details.
rcont <BW Contract number (1-1024)>
    Displays bandwidth management contract rate statistics. See "/stats/bwm/rcont BWM Contract Rate Statistics" (page 197) for details.
hist
    Displays bandwidth management history statistics. See "/stats/bwm/hist BWM History Statistics" (page 198) for sample output.
maint
    Displays bandwidth management maintenance statistics. See "/stats/bwm/maint BWM Maintenance Statistics" (page 201) for sample output.
ipusers
    Displays Bandwidth Management IP user stats for iplimit contracts. Each IP address is limited to the user limit configured in /cfg/bwm/contract (see "/cfg/bwm/cont contract number Bandwidth Management Contract Configuration" (page 273)). See "/stats/bwm/ipusers BWM IP Users Statistics" (page 201) for sample output.
dump
    Displays all bandwidth management statistics.
clear
    Clears all bandwidth management statistics.

/stats/bwm/port <port number> BWM Switch Processor Statistics


[Bandwidth Management Port Statistics Menu]
     cont  - BW Contract stats
     rcont - BW Contract rate stats

Management Port Statistics Menu Options (/stats/bwm/sp)

Command Syntax and Usage

cont <BW Contract number (1-1024)>
    Displays bandwidth management contract statistics. See "/stats/bwm/port <port number> /cont BWM Switch Processor Contract Statistics Menu" (page 196) for a sample output.
rcont <BW Contract number (1-1024)>
    Displays bandwidth management contract rate statistics.

/stats/bwm/port <port number> /cont BWM Switch Processor Contract Statistics Menu

>> Bandwidth Management Port Statistics# cont
-----------------------------------------------------------
BW Contract statistics
Contract Name    Octets  Discards   Total Pkts BufUsed BufMax
-------- ------- ------- ---------- ---------- ------- ------
1024     Default       0          0          0       0  16320

/stats/bwm/port <port number> /rcont BWM Switch Processor Rate Contract Statistics

This command repeats its output when the printed lines are less than the configured CLI lines per screen. If the CLI lines are configured at zero per screen, the command will continue to repeat its output until you type a key on the console or telnet session. You can configure the number of CLI lines per screen using the global (hidden) command: lines <number of lines>. For example:

>> AAS_2424 - Bandwidth Management Statistics# lines
Current lines-per-screen: 24
>> AAS_2424 - Bandwidth Management Statistics# lines ?
lines sets lines-per-screen 0-300, zero for infinite

/stats/bwm/cont <contract number> BWM Contract Statistics

The following description of statistics applies on a specific switch port for all enabled contracts.

Note: This command displays enabled contracts only.

Bandwidth Management Contract Statistics (/stats/bwm/cont)

Statistics | Description
Contract | The contract number.
Name | The contract name.
Octets | The number of octets that have been transmitted through a particular contract since the switch was booted.
Discards | The number of octets that are being discarded because of seeing more traffic than the bandwidth contract limit permits.
Total Pkts | The total number of packets classified for that contract.
BufUsed | The current amount of buffer space used to store the packets that are waiting to be transmitted.
BufMax | Maximum buffer space that can be used to store the packets before they can be transmitted. The switch starts dropping the packets of a particular contract after the maximum buffer space allocated for that contract is occupied.

/stats/bwm/rcont BWM Contract Rate Statistics


Use this command to show the rate statistics of all the enabled contracts.

Note: This command displays enabled contracts only.

This command repeats its output when the printed lines are less than the configured CLI lines per screen. If the CLI lines are configured at zero per screen, the command will continue to repeat its output until you type a key on the console or telnet session.

You can configure the number of CLI lines per screen using the global (hidden) command: lines <number of lines>. For example:

>> AAS_2424 - Bandwidth Management Statistics# lines
Current lines-per-screen: 24
>> AAS_2424 - Bandwidth Management Statistics# lines ?
lines sets lines-per-screen 0-300, zero for infinite

Bandwidth Management Contract Rate Statistics (/stats/bwm/rcont)

Statistics | Description
Contract | The contract number.
Name | The contract name.
Rate (in Kbps) | Rate at which the packets are going out of the switch on a particular contract.
Octets | The number of octets that have been transmitted through a particular contract since the switch was booted.
Discards | The number of octets that are being discarded because of seeing more traffic than the bandwidth contract limits.
BufUsed | The current amount of buffer space used to store the packets that are waiting to be transmitted.
BufMax | Maximum buffer space that can be used to store the packets before they can be transmitted. The switch starts dropping the packets of a particular contract after the maximum buffer space allocated for that contract is occupied.

/stats/bwm/hist BWM History Statistics


You can dump the stats kept in the SMTP history buffer that get dumped periodically when an E-mail is sent. This command is used to keep long term history only for the contracts that are enabled and have history command turned on. Use this command to show the history of all the contracts for which history command is enabled. The sampling is done at one-minute intervals.

Bandwidth Management History Statistics (/stats/bwm/hist)

Statistics | Description
Contract | The contract number for which history is enabled.
Octets | The number of octets sent out on a particular contract.
Contract | The contract number for which history is enabled.
Discards | The number of octets discarded because of seeing more traffic than the bandwidth contract limit permits.
TimeStamp | Indicates the time the packets were received or discarded.

Note: These statistics can only be viewed when the e-mail option is enabled.

/stats/bwm/maint BWM Maintenance Statistics

/stats/bwm/ipusers BWM IP Users Statistics


This command displays the number of BWM IP user entries for each BWM contract for each SP.

BWM IP users statistics
Contract    SP1    SP2    SP3     SP4    Total
  ------ ------ ------ ------ ------- --------
      10      0     10      0       0       10
      11      0     10      0       0       10
          ----- ------ ------ ------- --------
              0     20      0       0       20

/stats/security Security Statistics

[Security Statistics Menu]
     ipacl    - IP Address ACL Statistics Menu
     udpblast - UDP Blast Statistics Menu
     dos      - DoS Attack Statistics Menu
     pgroup   - Show pattern match group statistics
     ratelim  - Show rate limiting statistics
     symhits  - Show symantec hit statistics
     symclear - Clear symantec hit statistics
     dump     - Dump all security statistics

Command Syntax and Usage

dos
    Displays the DOS Attack statistics menu. To view a sample output and a description of the stats, see "/stats/security/dos DOS Attack Statistics Menu" (page 202).
ipacl
    Displays the IP Address Access Control List statistics menu. To view a sample output and a description of the statistics, see "/stats/security/ipacl IP Access Control List Statistics" (page 205).
udpblast
    Displays the UDP Blast statistics menu. To view a sample output and a description of the statistics, see "/stats/security/udpblast UDP Blast Statistics" (page 206).
pgroup
    Displays the Pattern Match Group statistics menu. To view a sample output and a description of the statistics, see "/stats/security/pgroup UDP Pattern Match Statistics" (page 206).
ratelim
    Displays the Rate Limiting statistics menu. To view a sample output and a description of the stats, see "/stats/security/ratelim Rate Limiting Statistics" (page 207).
symhits
    Displays Symantec hit statistics.
symclear
    Clears all Symantec hit statistics.
dump
    Displays all security statistics.

/stats/security/dos DOS Attack Statistics Menu

DOS Attacks Statistics Menu Options (/stats/security/dos)

Command Syntax and Usage

port <port number>
    Displays the number of times the packets were dropped for each of the following types of DOS attacks, on the selected port only.
dump
    Displays the number of times the packets were dropped on the switch, for each of the following types of DOS attacks: iplen, ipversion, broadcast, loopback, land, ipreserved, ipttl, ipprot, ipoptlen, fragmoredont, fragdata, fragboundary, fraglast, fragdontoff, fragopt, fragoff, fragoversize, tcplen, tcpportzero, blat, tcpreserved, nullscan, fullxmasscan, finscan, vecnascan, xmasscan, synfinscan, flagabnormal, syndata, synfrag, ftpport, dnsport, seqzero, ackzero, tcpoptlen, udplen, udpportzero, fraggle, pepsi, rc8, snmpnull, icmplen, smurf, icmpdata, icmpoff, icmptype, igmplen, igmpfrag, igmptype, arplen, arpnbcast, arpnucast, arpspoof, garp, ip6len, ip6version. For a description of these different types of DOS attacks, see "Types of DOS Attacks" (page 203).
clear
    Deletes all DOS attack statistics.
help
    Displays a description of each type of DOS attack by name and how it works.

Types of DOS Attacks


Nortel Application Switch Operating System can protect switch ports against a variety of Denial of Service (DOS) attacks including Port Smurf, LandAttack, Fraggle, Nullscan, Xmascan, PortZero, and ScanSynFin. Enable DOS protection on ports connected to any network that could be the source of an attack. You can use the help command to obtain a brief explanation of each type of DOS attack detected by the switch.


Refer to your Nortel Application Switch Operating System Application Guide for a detailed description of DOS attacks.


/stats/security/ipacl IP Access Control List Statistics


The following IP Access Control List statistics can be viewed with this command:

[IP ACL Statistics Menu]
     dump  - IP address access control Stats
     clear - Clear all access control Stats

IPACL Security Statistics Menu Options (/stats/security/ipacl)

Command Syntax and Usage

dump
    Displays the accumulated blocked packets for each source or destination IP address and mask pair in the access control list.
clear
    Deletes all the statistics of accumulated blocked packets.

/stats/security/udpblast UDP Blast Statistics


[UDP Blast Statistics Menu]
     dump  - UDP Blast Stats
     clear - Clear all UDP Blast Stats

UDP Blast Statistics Menu Options (/stats/security/udpblast)

Command Syntax and Usage

dump
    Displays all the accumulated blocked packets for each port, and the current packet rate per second. See "/stats/security/udpblast/dump UDP Blast Dump Statistics" (page 206) for a sample output and a description of the statistics.
clear
    Deletes all the accumulated blocked packets.

/stats/security/udpblast/dump UDP Blast Dump Statistics

UDP Blast Dump Statistics Parameters (/stats/security/udpblast/dump)

Field | Description
UDP Port | UDP ports that experienced UDP blast attacks.
Blocked Packets | The number of blocked packets.
Current Packet Rate/Second | Displays the current rate of packets to the UDP port.

/stats/security/pgroup UDP Pattern Match Statistics


Pattern Match Group stats:
ID   Name   Hits
1           0

This menu displays how many times each configured pattern group has been matched and a subsequent filtering action performed. Pattern groups are configured in the "/cfg/security/pgroup pattern group number Pattern Matching Menu" (page 350).

/stats/security/ratelim Rate Limiting Statistics


Rate limiting stats:
TCP:
  Total hold downs triggered:         0
  Current per-client state entries:   0
UDP:
  Total hold downs triggered:         0
  Current per-client state entries:   0
ICMP:
  Total hold downs triggered:         0
  Current per-client state entries:   0

Rate Limiting Statistics (/stats/security/ratelim)

Field | Description
Total holds down triggered | The total number of packets dropped after the hold-down period expired.
Current per-client state entries | The total number of per-client state entries for TCP/UDP/ICMP rate limiting.

/stats/security/dump Dump Statistics for Security

/stats/mp Management Processor Statistics


[MP-specific Statistics Menu]
    pkt - Show Packet and TCP stats
    tcb - Show All TCP control blocks in use
    ucb - Show All UDP control blocks in use
    sfd - Show All Socket FD in use
    cpu - Show CPU utilization
    mem - Show memory stats

Management Processor Statistics Menu Options (/stats/mp)

Command Syntax and Usage

pkt
    Displays packet statistics, to check for leads and load. To view a sample output and a description of the stats, see "/stats/mp/pkt MP Packet Statistics" (page 209).

tcb
    Displays all TCP control blocks that are in use. To view a sample output and a description of the stats, see "/stats/mp/tcb TCP Statistics" (page 210).

ucb
    Displays all UDP control blocks that are in use. To view a sample output, see "/stats/mp/ucb UCB Statistics" (page 211).

sfd
    Displays all Socket File Descriptors that are in use. To view a sample output, see "/stats/mp/sfd MP-Specific SFD Statistics" (page 211).

cpu
    Displays CPU utilization for periods of up to 1, 4, and 64 seconds. To view a sample output and a description of the stats, see "/stats/mp/cpu CPU Statistics" (page 212).

mem
    Displays memory statistics.

/stats/mp/pkt MP Packet Statistics

Packet Statistics (/stats/mp/pkt)

Statistics / Description

Packet counts:

allocs
    Total number of packet allocations from the packet buffer pool by the TCP/IP protocol stack.

frees
    Total number of times the packet buffers are freed (released) to the packet buffer pool by the TCP/IP protocol stack.

mediums
    Total number of packet allocations with size between 128 to 1536 bytes from the packet buffer pool by the TCP/IP protocol stack.

jumbos
    Total number of packet allocations with size between 1536 bytes to 9K bytes from the packet buffer pool by the TCP/IP protocol stack.

smalls
    Total number of packet allocations with size less than 128 bytes from the packet buffer pool by the TCP/IP protocol stack.

alloc fails
    Total number of packet allocation failures from the packet buffer pool by the TCP/IP protocol stack.

frees
    Total number of packets freed from the packet buffer pool by the TCP/IP protocol stack.

mediums hi-watermark
    The highest number of packet allocations with size between 128 to 1536 bytes from the packet buffer pool by the TCP/IP protocol stack.

jumbos hi-watermark
    The highest number of packet allocations with size between 1536 bytes to 9K bytes from the packet buffer pool by the TCP/IP protocol stack.

smalls hi-watermark
    The highest number of packet allocations with size less than 128 bytes from the packet buffer pool by the TCP/IP protocol stack.

packet discards
    The number of packets that are discarded by the MP. The packets are discarded because buffer resources are not available or the buffer threshold is reached and the low priority packets are discarded.

TCP counts:

allocs
    Total number of TCP packet allocations from MP memory by the TCP/IP protocol stack.

current
    Total number of TCP packet allocations from MP memory by the TCP/IP protocol stack.

alloc fails
    Total number of TCP packet allocation failures from MP memory by the TCP/IP protocol stack.

frees
    Total number of times the TCP packet buffers are freed (released) to MP memory by the TCP/IP protocol stack.

current hi-watermark
    The highest number of TCP packet allocations from MP memory by the TCP/IP protocol stack.

alloc discards
    The number of TCP packets that are discarded by the MP. The packets are discarded because MP memory resources are not available.

/stats/mp/tcb TCP Statistics

MP Specified TCP Statistics (/stats/mp/tcb)

Statistics / Description

117f6d00/117f81a8
    Memory

0.0.0.0/47.81.27.6
    Destination IP address

0/1331
    Destination port

0.0.0.0/47.80.16.59
    Source IP

80/23
    Source port

listen/established
    State

/stats/mp/ucb UCB Statistics


All UDP allocated control blocks:
161: listen
1985: listen
3122: listen

UCB Statistics on MP (/stats/mp/ucb)

Field / Description

161/1985/3122
    UDP port number

Listen
    State

/stats/mp/sfd MP-Specific SFD Statistics

/stats/mp/cpu CPU Statistics


This menu option enables you to display the CPU utilization statistics on MP.

CPU utilization:
cpuUtil1Second:     100%
cpuUtil4Seconds:    100%
cpuUtil64Seconds:   100%

CPU Statistics (stats/mp/cpu)

Statistics / Description

cpuUtil1Second
    The percentage of CPU utilization as measured over the last one second interval.

cpuUtil4Seconds
    The percentage of CPU utilization as measured over the last four second interval.

cpuUtil64Seconds
    The percentage of CPU utilization as measured over the last 64 second interval.

/stats/sp <SP Number> SP Specific Statistics


[SP-specific Statistics Menu]
    maint - Show maintenance stats
    clear - Clear maintenance stats
    cpu   - Show CPU utilization

SP Specific Statistics (/stats/sp)

Statistics / Description

maint
    Displays internal statistics, Layer 2 FDB maintenance statistics, and MP DOS shield statistics. See "/stats/sp <SP number> /maint SP-Specific Maintenance Statistics" (page 212) for a sample output.

clear
    Deletes all the maintenance statistics.

cpu
    Displays what percentage of the CPU has been utilized. To view a sample output and a description of the stats, see "/stats/sp/cpu CPU Statistics" (page 213).

/stats/sp <SP number> /maint SP-Specific Maintenance Statistics


Maintenance statistics for SP 1:
Receive Letter success from MP:     158648
Receive Letter success from SP 2:   0
Receive Letter success from SP 3:   0
Receive Letter success from SP 4:   0
Receive Letter errors from MP:      0
Receive Letter errors from SP 2:    0
Receive Letter errors from SP 3:    0
Receive Letter errors from SP 4:    0
Send Letter success to MP:          125516
Send Letter success to SP 2:        0
Send Letter success to SP 3:        6799
Send Letter success to SP 4:        6791
Send Letter failures to MP:         0
Send Letter failures to SP 2:       0
Send Letter failures to SP 3:       0
Send Letter failures to SP 4:       0
learnErrNoddw:      0
resolveErrNoddw:    0
ageMPNoddw:         0
deleteMiss:         0
pfdbFreeEmpty:      0
arpDiscards:        0
icmpDiscards:       0
tcpDiscards:        0
udpDiscards:        0

/stats/sp/cpu CPU Statistics


This menu option enables you to display the CPU utilization statistics on the Switch Processor (SP).

CPU utilization for SP 1:
cpuUtil1Second:     6%
cpuUtil4Seconds:    6%
cpuUtil64Seconds:   6%

CPU Statistics (stats/sp/cpu)

Statistics / Description

cpuUtil1Second
    The percentage of CPU utilization as measured over the last one second interval.

cpuUtil4Seconds
    The percentage of CPU utilization as measured over the last four second interval.

cpuUtil64Seconds
    The percentage of CPU utilization as measured over the last 64 second interval.

/stats/pmirr Port Mirroring Statistics Menu


[Port Mirroring Statistics Menu]
    dump  - Port Mirroring Stats
    clear - Clear all Port Mirroring Stats

Port Mirroring

Command Syntax and Usage

dump
    Displays the port number, and the statistics of the traffic on the ingress and egress ports.

clear
    Deletes all the port mirroring statistics.

CAUTION
Use this command carefully as it will delete all statistics permanently.

/stats/mgmt Management Port Statistics


Management port interface statistics:
RX bytes:          0    TX bytes:            0
RX packets:        0    TX packets:          0
RX errors:         0    TX errors:           0
RX dropped:        0    TX dropped:          0
RX overruns:       0    TX overruns:         0
RX frame errors:   0    TX carrier errors:   0
RX multicast:      0    TX collisions:       0

Management Port Statistics (/stats/mgmt)

Statistics / Description

RX bytes
    The total number of incoming bytes successfully transferred by the interface.

RX packets
    The total number of incoming packets successfully transferred by the interface.

RX errors
    The number of bad packets received.

RX dropped
    The number of incoming packets that were dropped due to lack of receive buffers.

RX overruns
    The number of received packets that were dropped because their size exceeded that of the receive queue.

RX frame errors
    The number of incoming packets dropped due to IP framing errors.

RX multicast
    The number of multicast packets received.

TX bytes
    The total number of outgoing bytes successfully transferred by the interface.

TX packets
    The total number of outgoing packets successfully transferred by the interface.

TX errors
    The number of packets dropped due to transmission problems.

TX dropped
    The number of packets dropped due to lack of transmit buffers.

TX overruns
    The number of packets dropped because size exceeded that of the transmit queue.

TX carrier errors
    Not applicable.

TX collisions
    The number of collisions due to congestion on the medium. Collisions occur when two or more stations are transmitting signals at the same time.

/stats/dump Dump Statistics


Use the dump command to dump all switch statistics available from the Statistics Menu (40K or more, depending on your configuration). This data can be used to tune or debug switch performance. If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump commands.


The Configuration Menu


This chapter discusses how to use the Command Line Interface (CLI) for making, viewing, and saving switch configuration changes. Many of the commands, although not new, display more or different information than in the previous version. Important differences are called out in the text. To make finding information easier, the menu options under the Server Load Balancing Menu (/cfg/slb).

/cfg Configuration Menu

Configuration Menu Options (/cfg)

Command Syntax and Usage

sys
    Displays the System-wide parameter Configuration Menu. To view menu options, see "/cfg/sys System Configuration" (page 220).

port <port number>
    Displays the Port Configuration Menu. To view menu options, see "/cfg/port <port number> Port Configuration" (page 255).

pmirr
    Displays the Mirroring Configuration Menu. To view menu options, see "/cfg/pmirr Port Mirroring Menu" (page 269).

bwm
    Displays the Bandwidth Management Configuration Menu. To view menu options, see "/cfg/bwm Bandwidth Management Configuration" (page 270).

l2
    Displays Layer 2 Configuration Menu. To view menu options, see "/cfg/l2 Layer 2 Configuration Menu" (page 278).

l3
    Displays Layer 3 Configuration Menu. To view menu options, see "/cfg/l3 Layer 3 Configuration Menu" (page 293).

slb
    Displays the Server Load Balancing Configuration Menu. To view menu options, see "The SLB Configuration Menu" (page 355).

security
    Displays the Security Menu. To view menu options, see "/cfg/security Security Configuration Menu" (page 344).

sslproc
    Displays the SSL processor setup Menu. To view menu options, see "/cfg/security/dos Anomaly and Denial of Service Attack Prevention Menu" (page 349).

setup
    Step-by-step configuration set-up of the switch. For details, see "/cfg/security/dos Anomaly and Denial of Service Attack Prevention Menu" (page 349).

dump
    Dumps current configuration to a script file. For details, see "/cfg/dump Dump" (page 352).

ptcfg <host name or IP address of TFTP server filename on host>
    Backs up current configuration to TFTP server. For details, see "/cfg/ptcfg Saving the Active Switch Configuration" (page 353).

gtcfg <host name or IP address of TFTP server filename on host>
    Restores current configuration from TFTP server. For details, see "/cfg/gtcfg Restoring the Active Switch Configuration" (page 353).


Viewing, Applying, and Saving Changes


As you use the configuration menus to set switch parameters, the changes you make do not take effect immediately. All changes are considered "pending" until you explicitly apply them. Also, any changes are lost the next time the switch boots unless the changes are explicitly saved.

While configuration changes are in the pending state, you can do the following:
- View the pending changes
- Apply the pending changes
- Save the changes to flash memory

Viewing Pending Changes


You can view all pending configuration changes by entering diff at the menu prompt.

Note: The diff command is a global command. Therefore, you can enter diff at any prompt in the CLI.

Applying Pending Changes


To make your configuration changes active, you must apply them. To apply configuration changes, enter apply at any prompt in the CLI.
# apply

Note 1: The apply command is a global command. Therefore, you can enter apply at any prompt in the administrative interface.

Note 2: All configuration changes take effect immediately when applied, except for starting Spanning Tree Protocol. To turn STP on or off, you must apply the changes, save them (see below), and then reset the switch (see "Resetting the Switch" (page 460)).

Saving the Configuration


In addition to applying the configuration changes, you can save them to flash memory on the Nortel Application Switch.

Note: If you do not save the changes, they will be lost the next time the system is rebooted.

To save the new configuration, enter the following command at any CLI prompt:
# save


When you save configuration changes, the changes are saved to the active configuration block. The configuration being replaced by the save is first copied to the backup configuration block. If you do not want the previous configuration block copied to the backup configuration block, enter the following instead:
# save n

You can decide which configuration you want to run the next time you reset the switch. Your options include:
- The active configuration block
- The backup configuration block
- Factory default configuration

You can view all pending configuration changes that have been applied but not saved to flash memory using the diff flash command. It is a global command that can be executed from any menu. For instructions on selecting the configuration to run at the next system reset, see "Selecting a Configuration Block" (page 459).

/cfg/sys System Configuration

This menu provides configuration of switch management parameters such as user and administrator privilege mode passwords, Web-based management settings, and management access list.

System Configuration Menu Options (/cfg/sys)

Command Syntax and Usage

syslog
    Displays the Syslog Menu. To view menu options, see "/cfg/sys/syslog System Host Log Configuration" (page 222).

mmgmt
    Displays Management Port Menu. To view menu options, see "/cfg/sys/mmgmt Management Port Configuration Menu" (page 224).

radius
    Displays the RADIUS Authentication Menu. To view menu options, see "/cfg/sys/radius RADIUS Server Configuration" (page 227).

tacacs
    Displays TACACS+ authentication Menu. To view menu options, see "/cfg/sys/tacacs TACACS+ Server Configuration Menu" (page 228).

ntp
    Displays the Network Time Protocol (NTP) Server Menu. To view menu options, see "/cfg/sys/ntp NTP Server Configuration" (page 230).

sonmp
    Displays the SynOptics Network Management Protocol (SONMP) menu. To view menu options, see "/cfg/sys/sonmp SynOptics Network Management Protocol Configuration" (page 231).

ssnmp
    Displays the System SNMP Menu. To view menu options, see "/cfg/security/dos Anomaly and Denial of Service Attack Prevention Menu" (page 349).

health
    Displays system health check menu. To view menu options, see "/cfg/sys/health System Health Check Configuration Menu" (page 244).

access
    Displays System Access Menu. To view menu options, see "/cfg/sys/access System Access Control Configuration" (page 245).

date
    Prompts the user for the system date.

time
    Configures the system time using a 24-hour clock format.

timezone
    Configures the system time zone. To view an example, see "/cfg/sys/timezone Configure the Timezone" (page 255).

idle <idle timeout in minutes; affects both console and Telnet>
    Sets the idle timeout for CLI sessions, from 1 to 10080 minutes. The default is 5 minutes.

notice <max 1024 char multi-line login notice - to end>
    Displays login notice immediately before the "Enter password:" prompt. This notice can contain up to 1024 characters and new lines.

bannr <string, maximum 80 characters>
    Configures a login banner of up to 80 characters. When a user or administrator logs into the switch, the login banner is displayed. It is also displayed as part of the output from the /info/sys command.

smtp <SMTP host name or IP address>
    Sets the Simple Mail Transfer Protocol (SMTP) host, which is used for sending bandwidth management history information.

hprompt disable|enable
    Enables or disables displaying of the host name (system administrator's name) in the Command Line Interface (CLI).

bootp disable|enable
    Enables or disables the use of BOOTP. If you enable BOOTP, the switch will query its BOOTP server for all of the switch IP parameters. This command is disabled by default.

cur
    Displays the current system parameters.

/cfg/sys/syslog System Host Log Configuration


Note: Nortel Application Switch Operating System 24.0 supports the RFC 3164 standard for Syslogs.
[Syslog Menu]
    hst1    - Set IP address of first syslog host
    hst2    - Set IP address of second syslog host
    hst3    - Set IP address of third syslog host
    hst4    - Set IP address of fourth syslog host
    hst5    - Set IP address of fifth syslog host
    console - Enable/disable console output of syslog messages
    log     - Enable/disable syslogging of features
    cur     - Display current syslog settings

System Configuration Menu Options (/cfg/sys/syslog)

Command Syntax and Usage

hst1 <new syslog host IP address severity facility (such as, 192.4.17.223 5 6)>
    Sets the IP address of the first syslog host along with severity and facility for this syslog host.

hst2 <new syslog host IP address severity facility (such as, 192.4.17.223 5 6)>
    Sets the IP address of the second syslog host along with severity and facility for this syslog host.

hst3 <new syslog host IP address severity facility (such as, 192.4.17.223 5 6)>
    Sets the IP address of the third syslog host along with severity and facility for this syslog host.

hst4 <new syslog host IP address severity facility (such as, 192.4.17.223 5 6)>
    Sets the IP address of the fourth syslog host along with severity and facility for this syslog host.

hst5 <new syslog host IP address severity facility (such as, 192.4.17.223 5 6)>
    Sets the IP address of the fifth syslog host along with severity and facility for this syslog host.

console disable|enable
    Enables or disables delivering syslog messages to the console. When necessary, disabling console ensures the switch is not affected by syslog messages. It is enabled by default.

log <feature|all enable|disable>
    Displays a list of features for which syslog messages can be generated. You can choose to enable/disable specific features (such as vlans, gslb, filter), or enable/disable syslog on all available features.

cur
    Displays the current syslog settings.

Seven Levels of Severity


Following is the description of the seven levels of severity:

0: Emergency. This means that the system is unusable.
1: Alert. This means that corrective action must be taken immediately.
2: Critical. This means the condition of the system is critical.
3: Error. This means that the system has errors that should be corrected.
4: Warning. This means that the system is giving a warning.
5: Notice. This means that the condition of the system is normal but with significant conditions that need attention.
6: Informational. This means that the system is working but giving out information about certain unfavorable conditions.
7: Debug. This means that the system is giving out debug-level messages.
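On the receiving syslog host, the severity codes listed above arrive packed into the RFC 3164 priority value at the start of each message. The following Python sketch is an added example, not taken from the Nortel documentation: it decodes that value and separates urgent messages from ones whose priority cannot be trusted. The function names are illustrative and the sample messages are constructed; they do not reproduce switch output.

```python
import re

# Severity names exactly as listed in the section above (codes 0-7).
SEVERITIES = ("Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug")

MAX_PRI = 23 * 8 + 7   # highest facility (23) with lowest severity (7) = 191
DEFAULT_PRI = 13       # RFC 3164 section 4.3.3: used when PRI is absent or unusable

PRI_RE = re.compile(r"^<(0|[1-9]\d{0,2})>")
# RFC 3164 header: "Mmm dd hh:mm:ss" timestamp, then hostname or IP address.
HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) ")


def parse_rfc3164(line):
    """Decode one received syslog message into its RFC 3164 parts."""
    pri, rest, pri_valid = DEFAULT_PRI, line, False
    m = PRI_RE.match(line)
    if m and int(m.group(1)) <= MAX_PRI:
        pri, rest, pri_valid = int(m.group(1)), line[m.end():], True

    timestamp = host = None
    h = HEADER_RE.match(rest)
    if h:
        timestamp, host = h.group(1), h.group(2)
        rest = rest[h.end():]

    facility, severity = divmod(pri, 8)   # PRI = facility * 8 + severity
    return {
        "facility": facility,
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "timestamp": timestamp,
        "host": host,
        "message": rest,
        "pri_valid": pri_valid,
    }


def triage(lines, threshold):
    """Return (urgent, malformed).

    urgent: messages at least as severe as `threshold` (a lower code is
    more severe). malformed: messages whose PRI was missing or out of
    range, kept apart because their default severity says nothing about
    the sender's intent.
    """
    urgent, malformed = [], []
    for line in lines:
        rec = parse_rfc3164(line)
        if not rec["pri_valid"]:
            malformed.append(rec)
        elif rec["severity"] <= threshold:
            urgent.append(rec)
    return urgent, malformed


# Constructed sample messages (not switch output). Facility 22 is local6.
SAMPLE = [
    "<177>Jan 28 10:15:02 192.0.2.10 mgmt: constructed alert text",
    "<179>Jan 28 10:15:09 192.0.2.10 mgmt: constructed error text",
    "<182>Jan 28 10:16:40 192.0.2.10 mgmt: constructed informational text",
    "<999>Jan 28 10:17:00 192.0.2.10 mgmt: PRI out of range",
    "mgmt: no PRI at all",
]

if __name__ == "__main__":
    urgent, malformed = triage(SAMPLE, threshold=4)   # Warning or worse
    for rec in urgent:
        print(rec["severity_name"], rec["host"], rec["message"])
    print(len(malformed), "message(s) with missing or invalid PRI")
```

Keeping the malformed bucket separate matters on a collector: a message that falls back to the default priority would otherwise be filed as an ordinary Notice.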

/cfg/sys/mmgmt Management Port Configuration Menu


The Management port is a Fast Ethernet port that is used exclusively to manage the switch. While the switch can be managed from any network port, the Management port saves consuming a port that could otherwise be used for processing data and traffic. This port manages the switch using either telnet CLI, SNMP, or HTTP. This port is isolated from and does not participate in the networking protocols that run on the network ports.

The Management port must be configured with a static IP address, subnet mask, broadcast address, and default gateway, and must be enabled before it can be used. If this port is disabled, the network ports have to perform all switch management (other than the switch management using the console). If this port is enabled, the factory default settings for some of the management features remain with the network ports. You can change the defaults by configuring these features to permanently use the management port, or in some cases, by using the operational commands to set these options on a one-time basis.

Note: The Management port does not support BOOTP.


Management Port Configuration Menu Options (/cfg/sys/mmgmt)

Command Syntax and Usage

port
    Displays the management port link menu. To view the menu options, see "/cfg/sys/mmgmt/port Management Port Link Menu" (page 226).

addr <IP address (such as, 192.4.17.101)>
    Sets the IP address.

mask <subnet mask (such as, 255.255.255.0)>
    Sets the subnet mask.

gw <gateway address (such as, 192.4.17.1)>
    Sets the IP address for the default gateway.

intr <interval (0 - 60 seconds)>
    Sets the interval between gateway ping attempts.

retry <number of attempts (1-120)>
    Sets the number of failed ping attempts before a gateway is declared DOWN.

dns default port mgmt|data
    Sets DNS over management or data port. Default is data port.

ntp default port mgmt|data
    Sets NTP over management or data ports. The default is data port.

radius default port mgmt|data
    Sets RADIUS over management or data ports. Default is data port.

tacacs mgmt|data
    Sets TACACS+ over management or data ports. Default is data port.

smtp default port mgmt|data
    Sets SMTP over management or data ports. Default is data port.

snmp default port mgmt|data
    Sets SNMP trap host over management or data ports. Default is data port.

syslog default port mgmt|data
    Sets syslog host access over management or data ports. Default is data port.

sonmp default port mgmt|data
    Sets default IP address for SONMP hello packets. When this option is set to mgmt, the Management Port IP address is used in the SONMP hello packets transmitted by the switch. If it is set to data, the IP address of the data port interface specified by the srcif (/cfg/sys/sonmp/srcif) command is used in the hello packets.

tftp default port mgmt|data
    Sets TFTP over management or data port. Default is data port.

wlm ["mgmt"|"data"]
    Set the default port for the workload manager.

report ["mgmt"|"data"]
    Set the default port for the reporting server.

ena
    Enables the Management port.

dis
    Disables the Management port.

cur
    Displays the current configuration.

/cfg/sys/mmgmt/port Management Port Link Menu


[Management Port Link Menu]
    speed - Set link speed
    mode  - Set full or half duplex mode
    auto  - Set autonegotiation
    cur   - Display current link configuration

Management Port Link Menu Options (/cfg/sys/mgmt/port)

Command Syntax and Usage

speed 10|100|any
    Sets the speed of the link with the Management port. Default is any.

mode full|half|any
    Sets half or full duplex mode. Default is any.

auto on|off
    Sets auto negotiation for the port. By default this command is turned on.

cur
    Displays the current link configuration.

/cfg/sys/radius RADIUS Server Configuration

RADIUS Server Configuration Menu Options (/cfg/sys/radius)

Command Syntax and Usage

prisrv <IP address>
    Sets the primary RADIUS server address.

secsrv <IP address>
    Sets the secondary RADIUS server address.

secret <1-128 character secret>
    This is the shared secret password between the switch and the primary RADIUS server(s).

secret2 <1-128 character secret>
    This is the shared secret password between the switch and the secondary RADIUS server(s).

port <RADIUS port to configure, default 1645>
    Enter the number of the UDP port to be configured, between 1500 - 3000. The default is 1645.

retries <RADIUS server retries (1-3)>
    Sets the number of failed authentication requests before switching to a different RADIUS server. The default is 3 requests.

timeout <RADIUS server timeout seconds (1-10)>
    Sets the amount of time, in seconds, before a RADIUS server authentication attempt is considered to have failed. The default is 3 seconds.

telnet disable|enable
    Enables or disables the RADIUS back door for telnet. Telnet also applies to SSH/SCP connections.

secbd disable|enable
    Enables or disables the RADIUS secure back door for telnet/ssh/http connections.

on
    Enables the RADIUS server.

off
    Disables the RADIUS server.

cur
    Displays the current RADIUS server parameters.

/cfg/sys/tacacs TACACS+ Server Configuration Menu


TACACS (Terminal Access Controller Access Control System) is an authentication protocol that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system. TACACS is an encryption protocol and therefore less secure than TACACS+ and Remote Authentication Dial-In User Service (RADIUS) protocols. (Both TACACS and TACACS+ are described in RFC 1492.)

TACACS+ protocol is seen as more reliable than RADIUS as TACACS+ uses the Transmission Control Protocol (TCP) whereas RADIUS uses the User Datagram Protocol (UDP). Also, RADIUS combines authentication and authorization in a user profile, whereas TACACS+ separates the two operations.

TACACS+ protocol has been implemented on Nortel Application Switch Operating System to support the customers that have Cisco's TACACS+ protocol as their network security feature. Apart from that, TACACS+ offers the following advantages over RADIUS as the authentication device:
- TACACS+ is TCP-based so it facilitates connection-oriented traffic.
- It supports full-packet encryption as against password-only in authentication requests.
- Supports decoupled authentication, authorization, and accounting.

TACACS+ Server Menu Options (/cfg/sys/tacacs)

Command Syntax and Usage

prisrv <IP address>
    Defines the primary TACACS+ server address.

secsrv <IP address>
    Defines the secondary TACACS+ server address.

secret <1-128 character secret>
    This is the shared secret between the switch and the primary TACACS+ server(s).

secret2 <1-128 character secret>
    This is the shared secret between the switch and the secondary TACACS+ server(s).

port <TACACS+ port configure, default 49>
    Enter the number of the TCP port to be configured, between 1 - 65000. The default is 49.

retries <TACACS+ server retries, 1-3>
    Sets the number of failed authentication requests before switching to a different TACACS+ server. The default is 3 requests.

timeout <TACACS+ server timeout seconds, 1-15>
    Sets the amount of time, in seconds, before a TACACS+ server authentication attempt is considered to have failed. The default is 4 seconds.

telnet disable|enable
    Enables or disables the TACACS+ back door for telnet. Telnet also applies to SSH/SCP connections.

secbd disable|enable
    Enables or disables TACACS+ secure backdoor access. This when enabled indicates the access in the absence of TACACS+ servers.

cmap disable|enable
    Enable/disable TACACS+ new privilege level mapping. This when enabled increases privilege level from default 0-6 to 0-15.

cauth disable|enable
    Enable/disable TACACS+ command authorization.

clog disable|enable
    Enable/disable TACACS+ command logging. This when enabled, NAS sends command log messages to TACACS+ server when configured by user.

on
    Enables the TACACS+ server.

off
    Disables the TACACS+ server.

cur
    Displays current TACACS+ configuration parameters.

/cfg/sys/ntp NTP Server Configuration


This menu enables you to synchronize the switch clock to a Network Time Protocol (NTP) server. By default, this option is disabled.
[NTP Server Menu]
    prisrv  - Set primary NTP server address
    secsrv  - Set secondary NTP server address
    intrval - Set NTP server resync interval
    tzone   - Set NTP timezone offset from GMT
    on      - Turn NTP service ON
    off     - Turn NTP service OFF
    cur     - Display current NTP configuration

NTP Server Configuration Menu Options (/cfg/sys/ntp)

Command Syntax and Usage

prisrv <primary NTP server IP address>
    Prompts for the IP address of the primary NTP server to which you want to synchronize the switch clock.

secsrv <secondary NTP server IP address>
    Prompts for the IP address of the secondary NTP server to which you want to synchronize the switch clock.

intrval <resync interval in minutes>
    Specifies how often the switch will re-synchronize the switch clock with the NTP server. This interval of time will be specified in minutes (1-44640). The default value is 1440 minutes.

tzone <offset from GMT, in HH:MM>
    Prompts for the NTP time zone offset, in hours and minutes, of the switch you are synchronizing from Greenwich Mean Time (GMT).

on
    Enables the NTP synchronization service.

off
    Disables the NTP synchronization service.

cur
    Displays the current NTP service settings.

/cfg/sys/sonmp SynOptics Network Management Protocol Configuration

[SONMP Menu]
    srcif - Set source interface to be used in hello packets
    on    - Turn Ethernet Autotopology ON
    off   - Turn Ethernet Autotopology OFF
    cur   - Display current SONMP configuration

SynOptics Network Management Protocol (SONMP) is a proprietary network management protocol that is used by Nortel Networks Optivity Switch Manager (OSM) to discover Nortel Application Switches on the network. The following commands add support for the Ethernet Autotopology algorithm and the Bay Topology MIB. The topology algorithm is executed by each Nortel Application Switch on which SONMP is enabled.

System Configuration Menu Options (/cfg/sys/sonmp)

Command Syntax and Usage
srcif <interface number (1-256)>
    This command specifies the IP address to be used in the hello packets. If the interface specified by this command is not up, then the first interface which is up and running is used in the hello packets.
on
    This command enables the SONMP protocol, and turns Ethernet Autotopology on.
off
    This command disables the SONMP protocol, and turns Ethernet Autotopology off.
cur
    This command displays the current SONMP configuration.

/cfg/sys/ssnmp System SNMP Configuration

Nortel Application Switch Operating System supports SNMP-based network management. In the SNMP model of network management, a management station (client/manager) accesses a set of variables known as MIBs (Management Information Base) provided by the managed device (agent). If you are running an SNMP network management station on your network, you can manage the switch using the following standard SNMP MIBs:
- MIB II (RFC 1213)
- Ethernet MIB (RFC 1643)
- Bridge MIB (RFC 1493)

An SNMP agent is a software process on the managed device that listens on UDP port 161 for SNMP messages. Each SNMP message sent to the agent contains a list of management objects to retrieve or to modify. SNMP parameters that can be modified include:
- System name
- System location
- System contact
- Use of the SNMP system authentication trap function
- Read community string
- Write community string
- Trap community strings

[System SNMP Menu]
    snmpv3  - SNMPv3 Menu
    name    - Set SNMP "sysName"
    locn    - Set SNMP "sysLocation"
    cont    - Set SNMP "sysContact"
    rcomm   - Set SNMP read community string
    wcomm   - Set SNMP write community string
    trsrc   - Set SNMP trap source interface
    timeout - Set timeout for the SNMP state machine
    auth    - Enable/disable SNMP "sysAuthenTrap"
    linkt   - Enable/disable SNMP link up/down trap
    cur     - Display current system SNMP configuration

SNMP Configuration Menu Options (/cfg/sys/ssnmp)

Command Syntax and Usage
snmpv3
    Displays SNMPv3 menu. To view menu options, see "/cfg/sys/ssnmp/snmpv3 SNMPv3 Configuration Menu" (page 234).
name <new string (maximum 64 characters)>
    Configures the name for the system. The name can have a maximum of 64 characters.
locn <new string (maximum 64 characters)>
    Configures the name of the system location. The location can have a maximum of 64 characters.
cont <new string (maximum 64 characters)>
    Configures the name of the system contact. The contact can have a maximum of 64 characters.
rcomm <new SNMP read community string (maximum 32 characters)>
    Configures the SNMP read community string. The read community string controls SNMP "get" access to the switch. It can have a maximum of 32 characters. The default read community string is public.
wcomm <new SNMP write community string (maximum 32 characters)>
    Configures the SNMP write community string. The write community string controls SNMP "set" and "get" access to the switch. It can have a maximum of 32 characters. The default write community string is private.
trsrc <interface number (1-256)>
    Defines the interface number for SNMP trap source interface. This command enables the user to select one of the configured interfaces as the source interface using the interface number.
    Note: This command is applicable only to SNMPv1 and SNMPv2 traps because only the SNMPv1 and SNMPv2 trap packets contain the source IP address that can be set with this command. The SNMPv3 packets do not contain this field.
timeout <SNMP state machine timeout minutes, 1-30>
    Defines the timeout period for SNMP state machine. When you use diff and apply, memory is allocated to store the output of the command. The timeout period determines when the resources/memory allocated for the output will be freed.
auth disable|enable
    Enables or disables the use of the system authentication trap facility. The default setting is disabled.
linkt <port disable|enable>
    Enables or disables the sending of SNMP link up and link down traps. The default setting is enabled.
cur
    Displays the current STP port parameters.

/cfg/sys/ssnmp/snmpv3 SNMPv3 Configuration Menu

SNMP version 3 (SNMPv3) is an extensible SNMP Framework that supplements the SNMPv2 Framework by supporting the following:
- a new SNMP message format
- security for messages
- access control
- remote configuration of SNMP parameters

For more details on the SNMPv3 architecture, refer to RFC2271 to RFC2276.

[SNMPv3 Menu]
    usm    - usmUser Table menu
    view   - vacmViewTreeFamily Table menu
    access - vacmAccess Table menu
    group  - vacmSecurityToGroup Table menu
    comm   - community Table menu
    taddr  - targetAddr Table menu
    tparam - targetParams Table menu
    notify - notify Table menu
    v1v2   - Enable/disable V1/V2 access
    cur    - Display current SNMPv3 configuration

SNMPv3 Configuration Menu Options (/cfg/sys/ssnmp/snmpv3)

Command Syntax and Usage
usm <usmUser number [1-16]>
    This command allows you to create a user security model (USM) entry for an authorized user. You can also configure this entry through SNMP. To view menu options, see "/cfg/sys/ssnmp/snmpv3/usm User Security Model Configuration Menu" (page 236).
view <vacmViewTreeFamily number [1-128]>
    This command allows you to create different MIB views. To view menu options, see "/cfg/sys/ssnmp/snmpv3/view SNMPv3 View Configuration Menu" (page 237).
access <vacmAccess number [1-32]>
    This command allows you to specify access rights. The View-based Access Control Model defines a set of services that an application can use for checking access rights of the user. You need access control when you have to process a retrieval or modification request from an SNMP entity. To view menu options, see "/cfg/sys/ssnmp/snmpv3/access View-based Access Control Model Configuration Menu" (page 238).
group <vacmSecurityToGroup number [1-16]>
    A group maps the user name to the access group names and their access rights needed to access SNMP management objects. A group defines the access rights assigned to all names that belong to a particular group. To view menu options, see "/cfg/sys/ssnmp/snmpv3/group SNMPv3 Group Configuration Menu" (page 240).
comm <snmpCommunity number [1-16]>
    The community table contains objects for mapping community strings and version-independent SNMP message parameters. To view menu options, see "/cfg/sys/ssnmp/snmpv3/comm SNMPv3 Community Table Configuration Menu" (page 240).
taddr <snmpTargetAddr number [1-16]>
    This command allows you to configure destination information, consisting of a transport domain and a transport address. This is also termed a transport endpoint. The SNMP MIB provides a mechanism for performing source address validation on incoming requests, and for selecting community strings based on target addresses for outgoing notifications. To view menu options, see "/cfg/sys/ssnmp/snmpv3/taddr SNMPv3 Target Address Table Configuration Menu" (page 241).
tparam <target params index [1-16]>
    This command allows you to configure SNMP parameters, consisting of message processing model, security model, security level, and security name information. There may be multiple transport endpoints associated with a particular set of SNMP parameters, or a particular transport endpoint may be associated with several sets of SNMP parameters. To view menu options, see "/cfg/sys/ssnmp/snmpv3/tparam SNMPv3 Target Parameters Table Configuration Menu" (page 242).
notify <notify index [1-16]>
    A notification application typically monitors a system for particular events or conditions, and generates Notification-Class messages based on these events or conditions. To view menu options, see "/cfg/sys/ssnmp/snmpv3/notify SNMPv3 Notify Table Configuration Menu" (page 244).
v1v2 disable|enable
    This command allows you to enable or disable the access to SNMP version 1 and version 2. This command is enabled by default.
cur
    Displays the current SNMPv3 configuration.

/cfg/sys/ssnmp/snmpv3/usm User Security Model Configuration Menu

You can make use of a defined set of user identities using this Security Model. An SNMP engine must have the knowledge of applicable attributes of a user. This menu helps you create a user security model entry for an authorized user. You need to provide a security name to create the USM entry.

[SNMPv3 usmUser 1 Menu]
    name   - Set USM user name
    auth   - Set authentication protocol
    authpw - Set authentication password
    priv   - Set privacy protocol
    privpw - Set privacy password
    del    - Delete usmUser entry
    cur    - Display current usmUser configuration

User Security Model Configuration Menu Options (/cfg/sys/ssnmp/snmpv3/usm)

Command Syntax and Usage
name <32 character name>
    This command allows you to configure a string up to 32 characters long that represents the name of the user. This is the login name that you need in order to access the switch.
auth md5|sha|none
    This command allows you to configure the authentication protocol between HMAC-MD5-96 or HMAC-SHA-96. The default algorithm is none.
authpw
    If you selected an authentication algorithm using the above command, you need to provide a password, otherwise you will get an error message during validation. This command allows you to create or change your password for authentication.
priv des|none
    This command allows you to configure the type of privacy protocol on your switch. The privacy protocol protects messages from disclosure. The options are des (CBC-DES Symmetric Encryption Protocol) or none. If you specify des as the privacy protocol, then make sure that you have selected one of the authentication protocols (MD5 or HMAC-SHA-96). If you select none as the authentication protocol, you will get an error message.
privpw
    This command allows you to create or change the privacy password.
del
    Deletes the USM user entries.
cur
    Displays the USM user entries.

/cfg/sys/ssnmp/snmpv3/view SNMPv3 View Configuration Menu

SNMPv3 View Menu Options (/cfg/sys/ssnmp/snmpv3/view)

Command Syntax and Usage
name <32 character name>
    This command defines the name for a family of view subtrees up to a maximum of 32 characters.
tree <object identifier, such as, 1.3.6.1.2.1.1.1.0, max. 32 characters>
    This command defines MIB tree, a string of maximum 32 characters, which when combined with the corresponding mask defines a family of view subtrees.
mask <bitmask, max size 32 characters>
    This command defines the bit mask, which in combination with the corresponding tree defines a family of view subtrees.
type included|excluded
    This command indicates whether the corresponding instances of vacmViewTreeFamilySubtree and vacmViewTreeFamilyMask define a family of view subtrees, which is included in or excluded from the MIB view.
del
    Deletes the vacmViewTreeFamily group entry.
cur
    Displays the current vacmViewTreeFamily configuration.
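How a tree, a mask and a type combine into a MIB view under the View-based Access Control Model (RFC 2275, later RFC 3415), as an added example that is not code from the Nortel documentation. The hex-octet mask notation and both sample views are assumptions constructed for illustration; the page does not state how the switch CLI encodes the mask string.

```python
"""Decide whether an OID falls inside an SNMPv3 MIB view built from tree/mask/type entries."""

MAX_CHARS = 32  # limit the reference gives for the tree and mask strings


def parse_oid(text):
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1); a leading dot is tolerated."""
    return tuple(int(part) for part in text.strip(".").split("."))


def parse_mask(hex_text):
    """Hex octets ('ff:a0', an assumed notation) -> list of bits, most significant first.

    Bit n covers the n-th sub-identifier of the tree: 1 = must match, 0 = wildcard.
    """
    cleaned = hex_text.replace(":", "").replace(" ", "")
    bits = []
    for octet in bytes.fromhex(cleaned):
        bits.extend((octet >> shift) & 1 for shift in range(7, -1, -1))
    return bits


def family_matches(oid, tree, mask_bits):
    """True when oid lies in the subtree family defined by tree and mask."""
    if len(oid) < len(tree):
        return False
    for position, sub_id in enumerate(tree):
        # A mask shorter than the tree is implicitly padded with 1 bits.
        must_match = mask_bits[position] if position < len(mask_bits) else 1
        if must_match and oid[position] != sub_id:
            return False
    return True


def in_view(oid_text, families):
    """Apply the VACM rule: the matching entry with the most sub-identifiers wins."""
    oid = parse_oid(oid_text)
    best_key, best_type = None, None
    for family in families:
        mask_text = family.get("mask", "")
        if len(family["tree"]) > MAX_CHARS or len(mask_text) > MAX_CHARS:
            raise ValueError("tree/mask longer than 32 characters")
        tree = parse_oid(family["tree"])
        if family_matches(oid, tree, parse_mask(mask_text)):
            key = (len(tree), tree)  # ties go to the lexicographically greater tree
            if best_key is None or key > best_key:
                best_key, best_type = key, family["type"]
    return best_type == "included"  # no matching entry means not in the view


# Constructed sample views (not taken from the reference).
# Read view exposing everything under 1.3.6.1 except the tables that hold
# SNMP users, access rules and community strings.
NO_SECRETS_VIEW = [
    {"tree": "1.3.6.1", "type": "included"},
    {"tree": "1.3.6.1.6.3.15", "type": "excluded"},  # snmpUsmMIB
    {"tree": "1.3.6.1.6.3.16", "type": "excluded"},  # snmpVacmMIB
    {"tree": "1.3.6.1.6.3.18", "type": "excluded"},  # snmpCommunityMIB
]

# One ifTable row across every column: mask ff:a0 wildcards the tenth
# sub-identifier (the column number) and pins the eleventh (ifIndex 2).
IF_INDEX_2_VIEW = [
    {"tree": "1.3.6.1.2.1.2.2.1.0.2", "mask": "ff:a0", "type": "included"},
]

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.18.1.1.1.2"):
        print(oid, in_view(oid, NO_SECRETS_VIEW))
    for oid in ("1.3.6.1.2.1.2.2.1.10.2", "1.3.6.1.2.1.2.2.1.10.3"):
        print(oid, in_view(oid, IF_INDEX_2_VIEW))
```

A view with no matching entry grants nothing, which is why an empty or misspelled rview/wview name in the access table results in no access.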

/cfg/sys/ssnmp/snmpv3/access View-based Access Control Model Configuration Menu

The view-based Access Control Model defines a set of services that an application can use for checking access rights of the user. Access control is needed when the user has to process an SNMP retrieval or modification request from an SNMP entity.

[SNMPv3 vacmAccess 1 Menu]
    name   - Set group name
    prefix - Set content prefix
    model  - Set security model
    level  - Set minimum level of security
    match  - Set prefix only or exact match
    rview  - Set read view index
    wview  - Set write view index
    nview  - Set notify view index
    del    - Delete vacmAccess entry
    cur    - Display current vacmAccess configuration

View-based Access Control Model Menu Options (/cfg/sys/ssnmp/snmpv3/access)

Command Syntax and Usage
name <32 character name>
    Defines the name of the group.
prefix <32 character name>
    Defines the name of the context. An SNMP context is a collection of management information that an SNMP entity can access. An SNMP entity has access to many contexts. For more information on naming the management information, see RFC2571, the SNMP Architecture document. The view-based Access Control Model defines a table that lists the locally available contexts by contextName.
model usm|snmpv1|snmpv2
    Allows you to select the security model to be used.
level noAuthNoPriv|authNoPriv|authPriv
    Defines the minimum level of security required to gain access rights. The level noAuthNoPriv means that the SNMP message will be sent without authentication and without using a privacy protocol. The level authNoPriv means that the SNMP message will be sent with authentication but without using a privacy protocol. The level authPriv means that the SNMP message will be sent both with authentication and using a privacy protocol.
match exact|prefix
    If the value is set to exact, then all the rows whose contextName exactly matches the prefix are selected. If the value is set to prefix, then all the rows where the starting octets of the contextName exactly match the prefix are selected.
rview <32 character view name>
    This is a 32 character long read view name that allows you read access to a particular MIB view. If the value is empty or if there is no active MIB view having this value then no access is granted.
wview <32 character view name>
    This is a 32 character long write view name that allows you write access to the MIB view. If the value is empty or if there is no active MIB view having this value then no access is granted.
nview <32 character view name>
    This is a 32 character long notify view name that allows you notify access to the MIB view.
del
    Deletes the View-based Access Control entry.
cur
    Displays the View-based Access Control configuration.

/cfg/sys/ssnmp/snmpv3/group SNMPv3 Group Configuration Menu

[SNMPv3 vacmSecurityToGroup 1 Menu]
    model - Set security model
    uname - Set USM user name
    gname - Set group gname
    del   - Delete vacmSecurityToGroup entry
    cur   - Display current vacmSecurityToGroup configuration

SNMPv3 Group Menu Options (/cfg/sys/ssnmp/snmpv3/group)

Command Syntax and Usage
model usm|snmpv1|snmpv2
    Defines the security model.
uname <32 character name>
    Sets the user name as defined in /cfg/sys/ssnmp/snmpv3/usm/name on "/cfg/sys/ssnmp/snmpv3/usm User Security Model Configuration Menu" (page 236).
gname <32 character name>
    The name for the access group as defined in /cfg/sys/ssnmp/snmpv3/access/name on "/cfg/sys/ssnmp/snmpv3/access View-based Access Control Model Configuration Menu" (page 238).
del
    Deletes the vacmSecurityToGroup entry.
cur
    Displays the current vacmSecurityToGroup configuration.

/cfg/sys/ssnmp/snmpv3/comm SNMPv3 Community Table Configuration Menu

This command is used for configuring the community table entry. The configured entry is stored in the community table list in the SNMP engine. This table is used to configure community strings in the Local Configuration Datastore (LCD) of SNMP engine.

[SNMPv3 snmpCommunityTable 1 Menu]
    index - Set community index
    name  - Set community string
    uname - Set USM user name
    tag   - Set community tag
    del   - Delete communityTable entry
    cur   - Display current communityTable configuration

SNMPv3 Community Table Configuration Menu Options (/cfg/sys/ssnmp/snmpv3/comm)

Command Syntax and Usage
index <32 character name>
    Allows you to configure the unique index value of a row in this table consisting of 32 characters maximum.
name <32 character name>
    Defines the user name as defined in /cfg/sys/ssnmp/snmpv3/usm/name on "/cfg/sys/ssnmp/snmpv3/usm User Security Model Configuration Menu" (page 236).
uname <32 character name>
    Defines a readable 32 character long string that represents the corresponding value of an SNMP community name in a security model.
tag <list of tag string, max 255 characters>
    Allows you to configure a tag of up to 255 characters maximum. This tag specifies a set of transport endpoints to which a command responder application sends an SNMP trap.
del
    Deletes the community table entry.
cur
    Displays the community table configuration.

/cfg/sys/ssnmp/snmpv3/taddr SNMPv3 Target Address Table Configuration Menu

This command is used to configure the target transport entry. The configured entry is stored in the target address table list in the SNMP engine. This table of transport addresses is used in the generation of SNMP messages.

[SNMPv3 snmpTargetAddrTable 1 Menu]
    name    - Set target address name
    addr    - Set target transport address IP
    port    - Set target transport address port
    taglist - Set tag list
    pname   - Set targetParams name
    feature - Enable/disable traps for selected features
    del     - Delete targetAddrTable entry
    cur     - Display current targetAddrTable configuration

Target Address Table Menu Options (/cfg/sys/ssnmp/snmpv3/taddr)

Command Syntax and Usage
name <32 character name>
    Allows you to configure the locally arbitrary, but unique identifier, target address name associated with this entry.
addr <transport address ip>
    Allows you to configure a transport address IP that can be used in the generation of SNMP traps.
port <transport address port>
    Allows you to configure a transport address port that can be used in the generation of SNMP traps.
taglist <list of tag string, max 255 characters>
    Allows you to configure a list of tags that are used to select target addresses for a particular operation.
pname <32 character name>
    Defines the name as defined in /cfg/sys/ssnmp/snmpv3/tparam/name on "/cfg/sys/ssnmp/snmpv3/tparam SNMPv3 Target Parameters Table Configuration Menu" (page 242).
feature <feature|all> <enable|disable>
    Configures the list of features for which trap messages should be generated. The user can choose to enable/disable specific features (such as vlans, gslb, slb, filter, and so on), or enable/disable traps on all available features for this specific target. By default, all features are enabled.
del
    Deletes the Target Address Table entry.
cur
    Displays the current Target Address Table configuration.

/cfg/sys/ssnmp/snmpv3/tparam SNMPv3 Target Parameters Table Configuration Menu

You can configure the target parameters entry and store it in the target parameters table in the SNMP engine. This table contains parameters that are used to generate a message. The parameters include the message processing model (for example: SNMPv3, SNMPv2c, SNMPv1), the security model (for example: USM), the security name, and the security level (noAuthNoPriv, authNoPriv, or authPriv).

[SNMPv3 snmpTargetParamsTable 1 Menu]
    name    - Set target params name
    mpmodel - Set message processing model
    model   - Set security model
    uname   - Set USM user name
    level   - Set minimum level of security
    del     - Delete targetParamsTable entry
    cur     - Display current targetParamsTable configuration

Target Parameters Table Configuration Menu Options (/cfg/sys/ssnmp/snmpv3/tparam)

Command Syntax and Usage
name <32 character name>
    Allows you to configure the locally arbitrary, but unique identifier that is associated with this entry.
mpmodel snmpv3|snmpv1|snmpv2c
    Allows you to configure the message processing model that is used to generate SNMP messages.
model usm|snmpv1|snmpv2
    Allows you to select the security model to be used when generating the SNMP messages.
uname <32 character name>
    Defines the name that identifies the user in the USM table ("/cfg/sys/ssnmp/snmpv3/usm User Security Model Configuration Menu" (page 236)) on whose behalf the SNMP messages are generated using this entry.
level noAuthNoPriv|authNoPriv|authPriv
    Allows you to select the level of security to be used when generating the SNMP messages using this entry. The level noAuthNoPriv means that the SNMP message will be sent without authentication and without using a privacy protocol. The level authNoPriv means that the SNMP message will be sent with authentication but without using a privacy protocol. The level authPriv means that the SNMP message will be sent both with authentication and using a privacy protocol.
del
    Deletes the targetParamsTable entry.
cur
    Displays the current targetParamsTable configuration.

/cfg/sys/ssnmp/snmpv3/notify SNMPv3 Notify Table Configuration Menu

SNMPv3 uses Notification Originator to send out traps. A notification typically monitors a system for particular events or conditions, and generates Notification-Class messages based on these events or conditions.

[SNMPv3 snmpNotifyTable 1 Menu]
    name - Set notify name
    tag  - Set notify tag
    del  - Delete notifyTable entry
    cur  - Display current notifyTable configuration

Notify Table Menu Options (/cfg/sys/ssnmp/snmpv3/notify)

Command Syntax and Usage
name <32 character name>
    Defines a locally arbitrary but unique identifier associated with this SNMP notify entry.
tag <list of tag string, max 255 characters>
    Allows you to configure a tag of 255 characters maximum that contains a tag value which is used to select entries in the Target Address Table. Any entry in the snmpTargetAddrTable that matches the value of this tag is selected.
del
    Deletes the notify table entry.
cur
    Displays the current notify table configuration.

/cfg/sys/health System Health Check Configuration Menu

[System TCP Health Menu]
    add - Add TCP services to listen for health check
    rem - Remove TCP services from listening
    on  - Turn system TCP health services ON
    off - Turn system TCP health services OFF
    cur - Display current TCP health services configuration

System Health Check Configuration Menu Options (/cfg/sys/health)

Command Syntax and Usage
add <TCP port (2-65534)>
    Adds TCP services to listen to the health checks. Specify a TCP service port number, such as 80 for HTTP.
rem <TCP port (2-65534)>
    Removes TCP services that were added for listening to health checks. Specify a TCP service port number, such as 80 for HTTP.
on
    Turns on the TCP health check services.
off
    Turns off the TCP health check services.
cur
    Displays the current TCP health check services configuration.

/cfg/sys/access System Access Control Configuration

[System Access Menu]
    mgmt   - Management Network Access Menu
    port   - Port Management Access Menu
    user   - User Access Control Menu (passwords)
    https  - HTTPS (Web) Server Access Menu
    sshd   - SSH Server Menu
    xml    - XML Configuration Access Menu
    http   - Enable/disable HTTP (Web) server access
    wport  - Set HTTP (Web) server port number
    snmp   - Set SNMP access control
    tnport - Set Telnet server port number
    rlimit - Set max rate of ARP, BPDU, ICMP, TCP, or UDP packets to MP
    cur    - Display current system access configuration

System Access Configuration Menu Options (/cfg/sys/access)

Command Syntax and Usage
mgmt
    Displays the Management Configuration Menu. To view menu options, see "/cfg/sys/access/mgmt Management Networks Menu" (page 246).
port
    Displays the port management access menu. To view menu options, see "/cfg/sys/access/port Port Management Access Menu" (page 247).
user
    Displays the User Access Control Menu. To view menu options, see "/cfg/sys/access/port Port Management Access Menu" (page 247).
https
    Displays HTTPS Server Access Menu. To view menu options, see "/cfg/sys/access/https HTTPS Access Configuration Menu" (page 251).
http disable|enable
    Enables or disables HTTP (Web) access to the browser-based interface. It is disabled by default.
wport <TCP port number (1-65535)>
    Sets the switch port used for serving switch Web content. The default is HTTP port 80. If Global Server Load Balancing is to be used, set this to a different port (such as 8080).
snmp disable|read-only|read-write
    Sets the snmp user access level to either disabled, read-only, or read-write.
tnet
    Enables or disables Telnet access to the switch. This command is disabled by default. You will see this command only if you are connected to the switch through the console port.
tnport <TCP port number>
    The TCP port number that the telnet server listens for telnet sessions. Sets an optional telnet server port number for cases where the server listens for telnet sessions on a non-standard port.
rlimit <arp|bpdu|icmp|tcp|udp max rate, 0-65535 (pkts/sec)>
    Sets switch-wide rate limiting on traffic entering the switch over ARP, BPDU, ICMP, TCP, or UDP protocols. Specify which protocol you wish to limit. Then specify the maximum rate, which is the maximum number of packets per second that is allowed to enter the switch.
    Note: It is highly recommended that the rate is left with the factory default value of 20 BPDU packets for each port and for every second.
cur
    Displays the current configuration.

/cfg/sys/access/mgmt Management Networks Menu

This menu is used to define IP address ranges which are allowed to access the switch for management purposes. Nortel Application Switch Operating System 24.0 supports up to 128 management networks.

Note: The add and rem commands below replace the /cfg/sys/mnet and /cfg/sys/mmask commands found in earlier releases of Nortel Application Switch Operating System.

[Management Networks Menu]
    add  - Add management network
    rem  - Remove management network
    arem - Remove all management networks
    cur  - Display current management networks

Management Network Menu Options (/cfg/sys/access/mgmt)

Command Syntax and Usage
add mgmt_network_address mgmt_network_mask management_access_protocol
    Adds a defined network through which switch access is allowed through Telnet, SNMP, SSH, HTTP, HTTPS. The user has the option of selecting all or any of these protocols. In case the user wants to add all these protocol types to the specified network, the user can do it by selecting the option "all".
rem mgmt_network_address mgmt_network_mask management_access_protocol
    Removes the specified Management network address, Management network mask and Management access protocol.
arem
    Removes all the configured management networks at once.
cur
    Displays the current configuration.
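A defender's check over the settings documented in the TACACS+, SNMP and access menus above, flagging the defaults and back doors the reference itself describes. This is an added example, not Nortel code; the listing format (a menu path line followed by indented command/value lines), the rule names and both sample listings are assumptions constructed for illustration and are not the switch's own dump format.

```python
"""Check management-plane settings against the options described in this reference."""

# Defaults the reference states explicitly; applied when a setting is not listed.
DOCUMENTED_DEFAULTS = {
    ("/cfg/sys/ssnmp", "rcomm"): "public",
    ("/cfg/sys/ssnmp", "wcomm"): "private",
    ("/cfg/sys/ssnmp/snmpv3", "v1v2"): "enable",
    ("/cfg/sys/access", "http"): "disable",
    ("/cfg/sys/access", "tnet"): "disable",
}

def parse_settings(text):
    """Parse the assumed listing: a menu path line, then indented 'command value' lines."""
    menus, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/cfg/"):
            current = line
            menus.setdefault(current, [])
        elif current is not None:
            command, *args = line.split()
            menus[current].append((command, args))
    return menus

def setting(menus, path, command):
    """Last value given for a command, else its documented default, else None."""
    for name, args in reversed(menus.get(path, [])):
        if name == command:
            return args[0] if args else ""
    return DOCUMENTED_DEFAULTS.get((path, command))

def audit(text):
    """Return a list of (rule, detail) findings for one settings listing."""
    menus = parse_settings(text)
    findings = []
    snmp_access = setting(menus, "/cfg/sys/access", "snmp")
    if snmp_access != "disable" and setting(menus, "/cfg/sys/ssnmp/snmpv3", "v1v2") == "enable":
        findings.append(("SNMP-V1V2-ENABLED", "community-based SNMPv1/v2 access is on"))
        if setting(menus, "/cfg/sys/ssnmp", "rcomm") == "public":
            findings.append(("SNMP-DEFAULT-RCOMM", "read community is the default"))
        if setting(menus, "/cfg/sys/ssnmp", "wcomm") == "private":
            findings.append(("SNMP-DEFAULT-WCOMM", "write community is the default"))
    if snmp_access == "read-write":
        findings.append(("SNMP-READ-WRITE", "SNMP set access is allowed"))
    for path in menus:
        if path.startswith("/cfg/sys/ssnmp/snmpv3/usm "):
            user = setting(menus, path, "name") or path
            auth = setting(menus, path, "auth") or "none"  # documented default is none
            priv = setting(menus, path, "priv") or "none"  # assumption: unset means none
            if auth == "none":
                findings.append(("USM-NO-AUTH", user))
            elif priv != "des":
                findings.append(("USM-NO-PRIV", user))
    tacacs_state = [name for name, _ in menus.get("/cfg/sys/tacacs", []) if name in ("on", "off")]
    if tacacs_state[-1:] == ["on"] and setting(menus, "/cfg/sys/tacacs", "telnet") == "enable":
        findings.append(("TACACS-TELNET-BACKDOOR", "back door for Telnet/SSH/SCP is enabled"))
    for rule, command in (("HTTP-ENABLED", "http"), ("TELNET-ENABLED", "tnet")):
        if setting(menus, "/cfg/sys/access", command) == "enable":
            findings.append((rule, command + " management access is enabled"))
    # Only add lines are counted; rem/arem bookkeeping is out of scope here.
    if not any(name == "add" for name, _ in menus.get("/cfg/sys/access/mgmt", [])):
        findings.append(("NO-MGMT-NETWORKS", "no management network is defined"))
    return findings

# Constructed sample listings (assumed format, not captured from a switch).
WEAK_SAMPLE = """
/cfg/sys/ssnmp
    rcomm public
/cfg/sys/ssnmp/snmpv3/usm 1
    name monitor
    auth md5
    priv none
/cfg/sys/ssnmp/snmpv3/usm 2
    name legacy
/cfg/sys/tacacs
    on
    telnet enable
/cfg/sys/access
    http enable
    snmp read-write
"""

HARDENED_SAMPLE = """
/cfg/sys/ssnmp/snmpv3
    v1v2 disable
/cfg/sys/ssnmp/snmpv3/usm 1
    name nms-poller
    auth sha
    priv des
/cfg/sys/tacacs
    on
    telnet disable
/cfg/sys/access
    snmp read-only
/cfg/sys/access/mgmt
    add 192.0.2.0 255.255.255.0 ssh
"""
```

In the weak listing the write community is never set, so the documented default of private still applies and is reported alongside the explicit public read community.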

/cfg/sys/access/port Port Management Access Menu

[Port Management Access Menu]
    add  - Add port with management access
    aadd - Add all ports with management access
    rem  - Remove port from management access
    arem - Remove all ports from management access
    cur  - Display current ports with management access

Port Management Access Menu Options

Command Syntax and Usage
add <port_number>
    Add a port with management access.
aadd
    Add all ports with management access.
rem <port_number>
    Remove a port from management access.
arem
    Remove all ports from management access.
cur
    Displays the port numbers that currently have management access.

/cfg/sys/access/user User Access Control Menu

    uid   - User ID Menu
    usrpw - Set user password (user)
    sopw  - Set SLB operator password (slboper)
    l4opw - Set L4 operator password (l4oper)
    opw   - Set operator password (oper)
    sapw  - Set Slb administrator password (slbadmin)
    l4apw - Set L4 administrator password (l4admin)
    admpw - Set administrator password (admin)
    cur   - Display current user status

Note: Passwords can be a maximum of 15 characters.

User Access Control Menu Options (/cfg/sys/access/user)

Command Syntax and Usage
uid <User ID, 1-10>
    Displays the User ID Menu. To view menu options, see "/cfg/sys/access/user/uid System User ID Configuration Menu" (page 250).
usrpw
    Sets the user (user) password. The user has no direct responsibility for switch management. He or she can view switch status information and statistics, but cannot make any configuration changes.
sopw
    Sets the SLB operator (slboper) password. The SLB operator manages Web servers and other Internet services and their loads. He or she can view all switch information and statistics and can enable/disable servers using the Server Load Balancing configuration menus. Access includes "user" functions.
l4opw
    Sets the Layer 4 operator (l4oper) password. The Layer 4 operator manages traffic on the lines leading to the shared Internet services. He or she can view all switch information and statistics. Access includes "slboper" functions.
opw
    Sets the operator (oper) password. The operator password can have a maximum of 15 characters. The operator manages all functions of the switch. He or she can view all switch information and statistics and can reset ports or the entire switch. Access includes "l4oper" functions.
sapw
    Sets the SLB administrator (slbadmin) password. The SLB administrator configures and manages Web servers and other Internet services and their loads. He or she can view all switch information and statistics, but can configure changes only on the Server Load Balancing menus. Note that the Filter Menu options are not accessible to the SLB administrator. Access includes "l4oper" functions.
l4apw
    Sets the Layer 4 administrator (l4admin) password. The Layer 4 administrator configures and manages traffic on the lines leading to the shared Internet services. He or she can view all switch information and statistics and can configure parameters on the Server Load Balancing menus, with the exception of not being able to configure filters. Access includes "slbadmin" functions.
admpw
    Sets the administrator (admin) password. The super user administrator has complete access to all menus, information, and configuration commands on the Nortel Application Switch, including the ability to change both the user and administrator passwords. Access includes "oper" and "l4admin" functions.
cur
    Displays the current user status.

/cfg/sys/access/user/uid System User ID Configuration Menu

This feature allows the users to operate the real servers assigned to them. Using this command you can list the current status of the real server including the real server number, the real server name, the operational state of the real server, and the number of current sessions. You can enable or disable the real servers and change the password for accessing these real servers.

[User ID 1 Menu]
    cos  - Set class of service
    name - Set user name
    pswd - Set user password
    add  - Add real server
    rem  - Remove real server
    ena  - Enable user ID
    dis  - Disable user ID
    del  - Delete user ID
    cur  - Display current user configuration

User ID Configuration Menu Options (/cfg/sys/access/user/uid)

Command Syntax and Usage

cos <user|slboper|l4oper|oper|slbadmin|l4admin|admin>
    Sets the Class-of-Service to define the user's authority level. Nortel Application Switch Operating System defines these levels as: User, SLB Operator, Layer 4 Operator, Operator, SLB Administrator, and Administrator, with User being the most restricted level.

name <8 char max>
    Defines the user name, up to eight characters.

pswd <15 char max>
    Sets the user password, up to 15 characters.

add <real server number, 1-1023>
    Gives this user access to a real server.

rem <real server number, 1-1023>
    Removes this user's access to a real server.

ena
    Enables the user ID.

dis
    Disables the user ID.

del
    Deletes the user ID.

cur
    Displays the current user ID configuration.
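The access classes and user ID limits described above can be checked mechanically when reviewing who holds which class of service. The following is an added example, not Nortel code: it resolves the "Access includes" statements transitively and flags user IDs that break a documented limit or hold more access than they need. The record layout, the `needs` field, and the sample records are assumptions constructed for illustration.

```python
# Added example (not Nortel code): least-privilege audit of local user IDs.
# The record layout, the "needs" field and SAMPLE_RECORDS are constructed.

# "Access includes ..." statements from the password option descriptions.
INCLUDES = {
    "user": [],
    "slboper": ["user"],
    "l4oper": ["slboper"],
    "oper": ["l4oper"],
    "slbadmin": ["l4oper"],
    "l4admin": ["slbadmin"],
    "admin": ["oper", "l4admin"],
}


def effective_classes(cos):
    """Return cos plus every class it includes, directly or transitively."""
    if cos not in INCLUDES:
        raise ValueError(f"unknown class of service: {cos!r}")
    seen, stack = set(), [cos]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(INCLUDES[current])
    return seen


def least_privileged(needed):
    """Classes that cover all of `needed` and include no other covering class."""
    covering = [c for c in INCLUDES if set(needed) <= effective_classes(c)]
    return sorted(
        c for c in covering
        if not any(o != c and o in effective_classes(c) for o in covering)
    )


def validate_user_id(rec):
    """Check one record against the ranges documented for the uid menu."""
    problems = []
    if not 1 <= rec["uid"] <= 10:
        problems.append("uid outside 1-10")
    if rec["cos"] not in INCLUDES:
        problems.append("unknown cos")
    if len(rec["name"]) > 8:
        problems.append("name longer than 8 characters")
    if len(rec["pswd"]) > 15:
        problems.append("pswd longer than 15 characters")
    bad = [n for n in rec["real_servers"] if not 1 <= n <= 1023]
    if bad:
        problems.append(f"real server number out of range: {bad}")
    return problems


def audit(records):
    """Map uid -> findings for records that break a limit or exceed their needs."""
    findings = {}
    for rec in records:
        notes = validate_user_id(rec)
        if rec["cos"] in INCLUDES:
            minimal = least_privileged(rec["needs"])
            if not set(rec["needs"]) <= effective_classes(rec["cos"]):
                notes.append(f"cos {rec['cos']} does not cover {rec['needs']}")
            elif rec["cos"] not in minimal:
                notes.append(f"cos {rec['cos']} exceeds least-privileged {minimal}")
        if notes:
            findings[rec["uid"]] = notes
    return findings


# Constructed sample records; "needs" lists the functions each person requires.
SAMPLE_RECORDS = [
    {"uid": 1, "cos": "slboper", "name": "webops", "pswd": "x" * 12,
     "real_servers": [1, 2], "needs": ["slboper"]},
    {"uid": 2, "cos": "admin", "name": "contract", "pswd": "x" * 15,
     "real_servers": [7], "needs": ["l4oper"]},
    {"uid": 11, "cos": "oper", "name": "nightshift", "pswd": "x" * 16,
     "real_servers": [0, 5], "needs": ["oper"]},
]

if __name__ == "__main__":
    for uid, notes in audit(SAMPLE_RECORDS).items():
        print(uid, notes)
```

Because the classes do not form a single chain (slbadmin includes l4oper but not oper), a person who needs both operator and SLB administrator functions can only be served by admin.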

/cfg/sys/access/https HTTPS Access Configuration Menu

[https Menu]
    https    - Enable/Disable HTTPS Web access
    port     - HTTPS WebServer port number
    generate - Generate self-signed HTTPS server certificate
    certSave - Save HTTPS certificate
    cur      - Display current SSL Web Access configuration

HTTPS Access Configuration Menu Options (/cfg/sys/access/https)

Command Syntax and Usage

https
    Enables or disables BBI access (Web access) using HTTPS.

port <TCP port number>
    Defines the HTTPS Web server port number.

generate
    Generates a certificate for the SSL connection, to be used during the key exchange. A default certificate is created when HTTPS is enabled for the first time. The user can create a new certificate defining the information that they want to be used in the various fields. For example:

    Country Name (2 letter code) [ ]: CA
    State or Province Name (full name) []: Ontario
    Locality Name (for example, city) []: Ottawa
    Organization Name (for example, company) []: Nortel Networks
    Organizational Unit Name (for example, section) []: Alteon
    Common Name (for example, users name) []: Mr Smith
    Email (for example, email address) []: info@nortelnetworks.com

    You will be asked to confirm if you want to generate the certificate. It will take approximately 30 seconds to generate the certificate. The switch then restarts the SSL agent.

certSave
    Allows the client, or the Web browser, to accept the certificate and save the certificate to Flash to be used when the switch is rebooted.

cur
    Displays the current SSL Web Access configuration.

/cfg/sys/access/sshd SSH Server Menu

[SSH Server Menu]
    sshport - Set SSH server port number
    sshv1   - Enable ssh v1 support
    ena     - Enable SCP apply and save
    on      - Turn SSH server ON (SSHv1/SSHv2)
    cur     - Display current SSH server configuration

SSH Server Menu Options

Command Syntax and Usage

sshport <TCP_port_number>
    Set the server port number.

sshv1 enable | disable
    Enables or disables SSH version 1 support.

ena
    Enables SCP apply and save.

on
    Set the SSH server to on.

cur
    Display the current SSH server configuration.

Console Port-only commands


The /cfg/sys/access/sshd menu contains four commands that are only accessible if connected to the switch through the console port. These commands are as follows:
SSH Server Menu Console Port-only commands

Command Syntax and Usage

hkeygen
    Generates an RSA host key.

skeygen
    Generates an RSA server key.

interval <0 - 24>
    Sets the interval in hours at which the RSA server key is regenerated.

scpadmin
    Enables the usage of the SCP administrator password.

/cfg/sys/access/xml XML Configuration Access Menu

[XML Config Access Menu]
    xml      - Enable/disable XML config access
    port     - Set XML server port number
    gtcert   - Import XML client certificate
    delcert  - Delete XML client certificate
    dispcert - Display XML client certificate
    debug    - Debug XML operations
    cur      - Display current XML config access configuration


XML Configuration Menu Options

Command Syntax and Usage

xml
    Enable or disable XML access. For an example, see "/cfg/sys/access/xml/xml Example of enabling or disabling XML access" (page 254).

port <TCP_port_number>
    Set the XML server port number.

gtcert
    Import an XML client certificate.

    Enter hostname or IP address of FTP/TFTP server:
    Enter name of file on FTP/TFTP server:
    Enter username for FTP server or hit return for TFTP server:

delcert
    Delete XML client certificate.

    Current XML client certificate has been deleted from FLASH

dispcert
    Display the current XML certificate.

debug
    Toggle Debug mode on or off. Enabling XML debugging causes all commands in the XML file to be echoed to the Console and prefaces each one with "running XML cmd:" or "Invalid XML cmd:". All responses to the commands will also be output to the Console.

    Current XML debug: enabled
    Enter new XML debug [d/e]:

cur
    Display current XML configuration.

    XML config access currently disabled on TCP port 443
    XML debug is enabled

    Note: there are pending config changes; use "diff" to see them.

/cfg/sys/access/xml/xml Example of enabling or disabling XML access

Current XML access: disabled
Pending new XML access: enabled
Enter new XML access [d/e]:

/cfg/sys/timezone Configure the Timezone

/cfg/port <port number> Port Configuration

The Port Menu enables you to configure settings for individual switch ports. This command is enabled by default. Port configuration is different on Nortel Application Switch Operating System 2000 series and 3000 series.

Nortel Application Switch Operating System 2000 Series


The following table displays the number of Fast Ethernet ports and SFP GBIC ports with the numbering of the ports on Nortel Application Switch Operating System 2000 series:


Port Configuration and Numbering on Nortel Application Switch Operating System 2000 Series

Model                                  10/100 Mbps Fast Ethernet    1000 Mbps SFP GBIC
                                       Port Numbers                 Port Numbers
Nortel Application Switch 2208 (1U)    1-8                          9-10
Nortel Application Switch 2216 (1U)    1-16                         17-18
Nortel Application Switch 2224 (1U)    1-24                         25-26
Nortel Application Switch 2424 (1U)    1-24                         25-28

Fast Ethernet Ports


The RJ-45 jack is used for connecting 10/100 Mbps Ethernet segments to the port. The ports are auto-sensing, auto-negotiating, and support half or full-duplex operation.

SFP GBIC Ports


The LC jack is used for connecting Gigabit Ethernet fiber optic segments. The SFP modules are not shipped with the product. You may order the SFP modules from Nortel Networks. For more information on connectors, refer to the Hardware Installation Guide for Nortel Application Switch Operating System.

The commands on Nortel Application Switch Operating System 2000 series and their description are as follows:

[Port port_number Menu]
    fast   - Fast Phy Menu
    gig    - Gig Phy Menu
    pvid   - Set default port VLAN id
    alias  - Set port alias
    name   - Set port name
    cont   - Set default port BW Contract
    nonip  - Set BW Contract for non-IP traffic
    egbw   - Set port egress bandwidth Limit
    rmon   - Enable/Disable RMON for port
    tag    - Enable/disable VLAN tagging for port
    iponly - Enable/disable allowing only IP related frames at ingress
    ena    - Enable port
    dis    - Disable port
    cur    - Display current port configuration


Port Configuration Menu Options (/cfg/port)

Command Syntax and Usage

fast
    If a port is configured to support Fast Ethernet, this option displays the Fast Ethernet Physical Link Menu. To view menu options, see "/cfg/port port number (3-6) cop Dual-Mode Copper Port Link Configuration" (page 266).

gig
    If a port is configured to support Gigabit Ethernet, this option displays the Gigabit Ethernet Physical Link Menu. To view menu options, see "/cfg/port port number (3-6) cop Dual-Mode Copper Port Link Configuration" (page 266).

pvid <VLAN number, 1-4090>
    Sets the default VLAN number which will be used to forward frames which are not VLAN tagged. The default number is 1.

alias <15 characters string>
    Set an alias for the port number.

name <64 character string>|none
    Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to none.

cont <BWM Contract (1-1024)>
    Sets the default Bandwidth Management Contract for this port.

nonip <BW Contract number, 1-1024>
    Sets the Bandwidth Management contract for non-IP traffic for this port.

egbw <0k-5000k|1m-100m>
    Sets the egress bandwidth limit for the port to avoid overloading the receiving router or switch. Using this command, you can configure the egress bandwidth limit of the port to match with the bandwidth link of the receiving router or the switch. This means that the port's speed will be taken as the egress bandwidth. For example, the egress bandwidth for an FE port will be 100m. The default is 0.

    Note: You need a Bandwidth Management license to use this command.

rmon disable|enable
    Disables or enables RMON for this port. It is disabled by default.

tag disable|enable
    Disables or enables VLAN tagging for this port. It is disabled by default.

iponly disable|enable
    Disables or enables allowing only IP-related frames. It is disabled by default.

ena
    Enables the port.

dis
    Disables the port. (To temporarily disable a port without changing its configuration attributes, refer to "Temporarily Disabling a Port" (page 268).)

cur
    Displays the current port parameters.

/cfg/port <port number> fast|gig Port Link Configuration

[Fast Link Menu]
    speed - Set link speed
    mode  - Set full or half duplex mode
    fctl  - Set flow control
    auto  - Set auto negotiation
    cur   - Display current fast link configuration

Use these menu options to set port parameters for the port link.

Note 1: If the port does not have a Gig Ethernet physical link, the following message is displayed:

>> Port 1# gig
Current Port 1 does not have Gig Ethernet phy.

Note 2: Since the speed and mode parameters cannot be set for Gigabit Ethernet ports, these options do not appear on the Gigabit Link Menu.

Link menu options are described in "Dual-Mode Copper Port Link Configuration Menu Options (/cfg/port 3-6 /cop)" (page 267) and appear on the fast and gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as speed, flow control, and negotiation mode for the port link.
Port Link Configuration Menu Options (/cfg/port/fast|gig)

Command Syntax and Usage

speed 10|100|any
    Sets the link speed. Not all options are valid on all ports. The choices include:
    - Any for automatic detection (default)
    - 10 Mbps
    - 100 Mbps
    This menu appears only if a Fast Ethernet port is selected.

mode full|half|any
    Sets the operating mode. This command is available only in the Fast Link Menu. The choices include:
    - Any for auto negotiation (default)
    - Full-duplex
    - Half-duplex
    This menu appears only if a Fast Ethernet port is selected.

fctl rx|tx|both|none
    Sets the flow control. This command is available only in the Fast Link Menu. The choices include:
    - Receive flow control
    - Transmit flow control
    - Both receive and transmit flow control (default)
    - No flow control

auto on|off
    Enables or disables auto negotiation for the port.

cur
    Displays the current port parameters.

Nortel Application Switch 3000 Series


The following table displays the port configuration and numbering on Nortel Application Switch 3408:


Port configuration on Nortel Application Switch 3408

Model                                  10/100/1000Base-T Copper    Dual-Mode       1000 Mbps SFP GBIC
                                       Port Numbers                Port Numbers    Port Numbers
Nortel Application Switch 3408 (1U)    1, 2, 7, 8                  3-6             9-12

Port Configuration on Nortel Application Switch 3408

The Nortel Application Switch 3408 contains 12 ports. Their description is as follows:

- Four 1000BaseT ports (1, 2, 7, and 8) with RJ-45 connectors. The ports are autonegotiating and support half or full duplex operation.
- Four dual-mode ports (3, 4, 5, and 6). These ports have two interfaces each: 1000 Mbps SFP GBIC and 10/100/1000Base-T Copper. When the 1000 Mbps SFP GBIC port is selected as the preferred link, it is fixed at 1000 Mbps, full-duplex with autonegotiation turned on. When the 10/100/1000Base-T copper port is selected as the preferred link, it can be configured at any speed. However, if 1000 Mbps is selected, autonegotiation must be turned on. You can set either interface as the preferred or backup link. See "Dual-Mode Ports" (page 265) for more details.
- Four Small Form Pluggable (SFP) GBIC Fiber ports (9-12). These ports are designed to operate at 1000 Mbps and full duplex mode only.

Note: For more information on connectors, refer to the Nortel Application Switch Operating System Hardware Installation Guide, Part Number 315393-F.

Single-Mode ports
10/100/1000Base-T Copper Ports

When you select a single-mode copper port (1, 2, 7, or 8), you see the menu below:

[Port 1 Menu]
    fast   - Fast Phy Menu
    gig    - Gig Phy Menu
    pvid   - Set default port VLAN id
    alias  - Set port alias
    name   - Set port name
    cont   - Set default port BW Contract
    nonip  - Set BW Contract for non-IP traffic
    egbw   - Set port egress bandwidth Limit
    rmon   - Enable/Disable RMON for port
    tag    - Enable/disable VLAN tagging for port
    iponly - Enable/disable allow IP related frames at ingress
    ena    - Enable port
    dis    - Disable port
    cur    - Display current port configuration

Single-Mode Copper Port Configuration Menu Options (/cfg/port <1, 2, 7, or 8>)

Command Syntax and Usage

gig
    If a port is configured to support Gigabit Ethernet, this option displays the Copper Gigabit Ethernet Physical Link Menu. To view menu options, see "/cfg/port port number gig Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu" (page 261).

pvid <VLAN number (1-4090)>
    Sets the default VLAN number which will be used to forward frames which are not VLAN tagged. The default number is 1.

name <64 character string>|none
    Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to None.

cont <BWM Contract (1-1024)>
    Sets the default Bandwidth Management Contract for this port.

rmon disable|enable
    Disables or enables RMON for this port. It is disabled by default.

tag disable|enable
    Disables or enables VLAN tagging for this port. It is disabled by default.

iponly disable|enable
    Disables or enables allowing only IP-related frames. It is disabled by default.

ena
    Enables the port.

dis
    Disables the port. (To temporarily disable a port without changing its configuration attributes, refer to "Temporarily Disabling a Port" (page 268).)

cur
    Displays the current port parameters.

/cfg/port <port number> gig Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu

[GE Copper Link Menu]
    speed - Set link speed
    mode  - Set duplex mode
    fctl  - Set flow control
    auto  - Set auto negotiate
    cur   - Display current ge copper link configuration

Use these menu options to set port parameters for the port link. Link menu options are described in "Dual-Mode Copper Port Link Configuration Menu Options (/cfg/port 3-6 /cop)" (page 267) and appear on the gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as speed, flow control, and negotiation mode for the port link.

Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu Options (/cfg/port <1, 2, 7, or 8>/gig)

Command Syntax and Usage

speed 10|100|1000|any
    Sets the link speed. Not all options are valid on all ports. The choices include:
    - Any for automatic detection (default)
    - 10 Mbps
    - 100 Mbps
    - 1000 Mbps

mode full|half|any
    Sets the operating mode. The choices include:
    - Any for auto negotiation (default)
    - Full-duplex
    - Half-duplex

fctl rx|tx|both|none
    Sets the flow control. This command is available only in the Fast Link Menu. The choices include:
    - Receive flow control
    - Transmit flow control
    - Both receive and transmit flow control (default)
    - No flow control

auto on|off
    Enables or disables autonegotiation for the port.

cur
    Displays the current Gigabit Ethernet copper link port parameters.

1000 Mbps SFP GBIC Fiber SFP Ports

When you select a single-mode SFP fiber port (9-12), you see a slightly different menu, as shown below:

[Port 9 Menu]
    gig    - SFP Gig Phy Menu
    pvid   - Set default port VLAN id
    name   - Set port name
    cont   - Set default port BW Contract
    egbw   - Set port egress bandwidth Limit
    rmon   - Enable/Disable RMON for port
    tag    - Enable/disable VLAN tagging for port
    iponly - Enable/disable allowing only IP related frames
    ena    - Enable port
    dis    - Disable port
    cur    - Display current port configuration

Single-Mode SFP Gigabit Ethernet Port Configuration Menu Options (/cfg/port <9-12>)

Command Syntax and Usage

gig
    If a port is configured to support Gigabit Ethernet, this option displays the SFP Gigabit Ethernet Physical Link Menu. To view menu options, see "/cfg/port port number gig Single-Mode SFP Gigabit Ethernet Port Link Configuration Menu" (page 264).

pvid <VLAN number (1-4090)>
    Sets the default VLAN number which will be used to forward frames which are not VLAN tagged. The default number is 1.

name <64 character string>|none
    Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to None.

cont <BWM Contract (1-1024)>
    Sets the default Bandwidth Management Contract for this port.

rmon disable|enable
    Disables or enables RMON for this port. It is disabled by default.

tag disable|enable
    Disables or enables VLAN tagging for this port. It is disabled by default.

iponly disable|enable
    Disables or enables allowing only IP-related frames. It is disabled by default.

ena
    Enables the port.

dis
    Disables the port. (To temporarily disable a port without changing its configuration attributes, refer to "Temporarily Disabling a Port" (page 268).)

cur
    Displays the current port parameters.

/cfg/port <port number> gig Single-Mode SFP Gigabit Ethernet Port Link Configuration Menu

[GE SFP Link Menu]
    fctl - Set flow control
    auto - Set auto negotiate
    cur  - Display current SFP gig link configuration

Use these menu options to set port parameters for the port link. Link menu options are described in "Dual-Mode Copper Port Link Configuration Menu Options (/cfg/port 3-6 /cop)" (page 267) and appear on the gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as flow control and negotiation mode for the port link.


Single-Mode SFP Gigabit Ethernet Port Link Configuration Menu Options (/cfg/port <9-12>/gig)

Command Syntax and Usage

fctl rx|tx|both|none
    Sets the flow control. The choices include:
    - Receive flow control
    - Transmit flow control
    - Both receive and transmit flow control (default)
    - No flow control

auto on|off
    Enables or disables autonegotiation for the port.

cur
    Displays the current SFP Gigabit Ethernet link port parameters.

Dual-Mode Ports
When you select any one of the dual-mode ports (3-6), you see the menu below:

[Port 3 Menu]
    cop    - Copper Gig Phy Menu
    sfp    - SFP Gig Phy Menu
    pref   - Set preferred link
    back   - Set backup link
    pvid   - Set default port VLAN id
    name   - Set port name
    cont   - Set default port BW Contract
    rmon   - Enable/Disable RMON for port
    tag    - Enable/disable VLAN tagging for port
    iponly - Enable/disable allowing only IP related frames
    ena    - Enable port
    dis    - Disable port
    cur    - Display current port configuration

Dual-Mode Port Configuration Menu Options (/cfg/port <3-6>)

Command Syntax and Usage

cop
    Displays Copper Gigabit Physical Link Menu. To view menu options, see "/cfg/port port number (3-6) cop Dual-Mode Copper Port Link Configuration" (page 266).

sfp
    Displays SFP Gigabit Physical Link Menu. To view menu options, see "/cfg/port port number (3-6) sfp Dual-Mode SFP Gigabit Link Configuration Menu" (page 268).

pref copper|sfp
    Sets the port preference between copper or SFP mode. The selected port will be used as the preferred port if both the ports are available.

back copper|sfp|none
    Sets the preference for the backup link if the preferred port is not available. You cannot set the preferred port as the backup port. If you choose none, the port will not switch automatically to the backup port if the preferred port goes down.

pvid <VLAN number (1-4090)>
    Sets the default VLAN number which will be used to forward frames which are not VLAN tagged. The default number is 1.

name <64 character string>|none
    Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to None.

cont <BWM Contract (1-1024)>
    Sets the default Bandwidth Management Contract for this port.

rmon disable|enable
    Disables or enables RMON for this port. It is disabled by default.

tag disable|enable
    Disables or enables VLAN tagging for this port. It is disabled by default.

iponly disable|enable
    Disables or enables allowing only IP-related frames. It is disabled by default.

ena
    Enables the port.

dis
    Disables the port. (To temporarily disable a port without changing its configuration attributes, refer to "Temporarily Disabling a Port" (page 268).)

cur
    Displays the current port parameters.

/cfg/port <port number (3-6)> cop Dual-Mode Copper Port Link Configuration

[GE Copper Link Menu]
    speed - Set link speed
    mode  - Set duplex mode
    fctl  - Set flow control
    auto  - Set auto negotiate
    cur   - Display current ge copper link configuration

Use these menu options to set port parameters for the port link. Link menu options are described in "Dual-Mode Copper Port Link Configuration Menu Options (/cfg/port 3-6 /cop)" (page 267) and appear on the cop port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as speed, flow control, and negotiation mode for the port link.

Dual-Mode Copper Port Link Configuration Menu Options (/cfg/port <3-6>/cop)

Command Syntax and Usage

speed 10|100|1000|any
    Sets the link speed. Not all options are valid on all ports. The choices include:
    - Any for automatic detection (default)
    - 10 Mbps
    - 100 Mbps
    - 1000 Mbps

mode full|half|any
    Sets the operating mode. The choices include:
    - Any for autonegotiation (default)
    - Full-duplex
    - Half-duplex

fctl rx|tx|both|none
    Sets the flow control. The choices include:
    - Auto negotiation (default)
    - Receive flow control
    - Transmit flow control
    - Both receive and transmit flow control (default)
    - No flow control

auto on|off
    Enables or disables auto negotiation for the port.

cur
    Displays the current Gigabit Ethernet copper link port parameters.

/cfg/port <port number (3-6)> sfp Dual-Mode SFP Gigabit Link Configuration Menu

[GE SFP Link Menu]
    fctl - Set flow control
    cur  - Display current SFP gig link configuration

Dual-Mode SFP Gigabit Link Configuration Menu Options (/cfg/port/sfp)

Command Syntax and Usage

fctl rx|tx|both|none
    Sets the flow control. The choices include:
    - Receive flow control
    - Transmit flow control
    - Both receive and transmit flow control (default)
    - No flow control

cur
    Displays the current SFP Gigabit link port configuration.

Temporarily Disabling a Port


To temporarily disable a port without changing its stored configuration attributes, enter the following command at any prompt:

Main# /oper/port <port number> /dis

Because this configuration sets a temporary state for the port, you do not need to use apply or save. The port state will revert to its original configuration when the Nortel Application Switch is reset. See "The Operations Menu" (page 443) for other operations-level commands.

/cfg/pmirr Port Mirroring Menu


[Port Mirroring Menu]
    mirror  - Enable/Disable Mirroring
    monport - Configure Monitor Port
    cur     - Display All Mirrored and Monitored Ports and VLANs

Port mirroring is disabled by default. The Port Mirroring Menu is used to configure, enable, and disable the monitored port. When enabled, network packets being sent and/or received on a target port are duplicated and sent to a monitor port. By attaching a network analyzer to the monitor port, you can collect detailed information about your network performance and usage.

Port Mirroring menu options (/cfg/pmirr)

Command Syntax and Usage

mirror disable|enable
    Enables or disables port mirroring.

monport <monitoring port (port to mirror to)>
    Displays port-mirroring menu options that help configure the port. To view menu options, see "/cfg/pmirr monport Port-Mirroring Menu" (page 269).

cur
    Displays the current settings of the mirrored and monitoring ports.

/cfg/pmirr monport Port-Mirroring Menu

>> Port Mirroring# monport
Enter port (1-28): port_number
------------------------------------------------------------
[Port 1 Menu]
    add - Add "Mirrored" port and VLANs
    rem - Rem "Mirrored" port and VLANs
    cur - Display current Port-based Port Mirroring configuration

Port-Based Port-Mirroring Menu Options (/cfg/pmirr/monport)

Command Syntax and Usage

add <mirrored port (port to mirror from) direction (in, out, or both) vlan index or Carriage Return for all vlans>
    Adds the port to be mirrored. This command also allows you to enter the direction of the traffic. It is necessary to specify the direction because:
    - If the source port of the frame matches the mirrored port and the mirrored direction is ingress or both (ingress and egress), the frame is sent to the mirrored port.
    - If the destination port of the frame matches the mirrored port and the mirrored direction is egress or both, the frame is sent to the monitoring port.
    VLAN-based port mirroring allows the user to monitor traffic based on VLANs associated with a port. You can add specific VLAN(s) to be monitored even if there are multiple VLANs associated with that port. If you do not specify a VLAN, all traffic on that port will be mirrored.

rem <mirrored port (port to mirror from) vlan index or Carriage Return for all vlans>
    Removes the mirrored port.

cur
    Displays the current settings of the monitoring port. For example:

    >> Port 1# cur
    Monitoring port (Mirrored port,direction,vlans)
    1               none
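How the direction and VLAN choices on add decide what a network analyzer on the monitor port actually sees, as an added example (not Nortel code). It assumes, following the menu description above, that copies in both the ingress and the egress case are delivered to the monitoring port; the tuple layout, monitor port 28, and the sample frames are constructed for illustration.

```python
# Added example (not Nortel code): which frames reach a monitor port under the
# direction and VLAN rules described above. The data layout is hypothetical.

DIRECTIONS = ("in", "out", "both")


def make_entry(mirrored_port, direction, vlans=None):
    """One `add` entry; vlans=None stands for all VLANs (Carriage Return)."""
    if direction not in DIRECTIONS:
        raise ValueError(f"direction must be one of {DIRECTIONS}")
    return (mirrored_port, direction, None if vlans is None else frozenset(vlans))


def is_copied(frame, entry):
    """True if the entry selects this (src_port, dst_port, vlan) frame."""
    src, dst, vlan = frame
    port, direction, vlans = entry
    if vlans is not None and vlan not in vlans:
        return False  # VLAN-based mirroring: only the listed VLANs are copied
    ingress = src == port and direction in ("in", "both")
    egress = dst == port and direction in ("out", "both")
    return ingress or egress


def monitor_ports_for(frame, config):
    """Monitor ports (keys of config) that receive a copy of the frame."""
    return sorted(
        mon for mon, entries in config.items()
        if any(is_copied(frame, entry) for entry in entries)
    )


def blind_spots(frames, config):
    """Frames that no monitor port receives, i.e. traffic the analyzer misses."""
    return [frame for frame in frames if not monitor_ports_for(frame, config)]


# Constructed configuration: monitor port 28 mirrors port 1 ingress on all
# VLANs, and port 2 in both directions on VLAN 10 only.
SAMPLE_CONFIG = {28: [make_entry(1, "in"), make_entry(2, "both", [10])]}

# Constructed frames as (source port, destination port, VLAN).
SAMPLE_FRAMES = [(1, 5, 1), (5, 1, 1), (5, 2, 10), (2, 5, 20)]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(frame, "->", monitor_ports_for(frame, SAMPLE_CONFIG) or "not mirrored")
```

With this configuration the replies toward port 1 and the VLAN 20 traffic on port 2 never reach the analyzer, which matters when the monitor port feeds an intrusion detection sensor.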

/cfg/bwm Bandwidth Management Configuration

Bandwidth Management (BWM) enables Web site managers to allocate a portion of the available bandwidth for specific users or applications. It allows companies to guarantee that critical business traffic, such as e-commerce transactions, receives higher priority than non-critical traffic. Traffic classification can be based on user or application information. BWM policies can be configured to set lower and upper bounds on the bandwidth allocation.

Note: BWM is a software key-enabled feature that requires users to purchase a license and a key. In order to enable BWM, users need to enter the Bandwidth Management key using the /oper/swkey command. By default, BWM is turned off. Refer to your Application Guide for more information.

Note: Up to 1024 bandwidth management contracts can be configured on the Nortel Application Switch Operating System.

Bandwidth Management Menu Options (/cfg/bwm)

Command Syntax and Usage

cont <BW contract number (1-1024)>
    Displays the Bandwidth Management Contract Menu. To manage bandwidth on a Nortel Application Switch, you must create one or more bandwidth management contracts. The switch uses these contracts to limit individual traffic flows. For further details, see the Nortel Application Switch Operating System Application Guide. By default, this option is disabled. To view menu options, see "/cfg/bwm/cont contract number Bandwidth Management Contract Configuration" (page 273).

Nortel Application Switch Operating System Command Reference NN47220-105 (320506-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.

272 The Conguration Menu

Command Syntax and Usage policy <BW policy number (1-512)> Displays the Bandwidth Management Policy Menu. Bandwidth policies are bandwidth limitations defined for any set of frames, specifying the guaranteed bandwidth rates. A bandwidth policy is often based on a rate structure whereby a Web host could charge a customer for bandwidth utilization. For further details, see the Nortel Application Switch Operating System Application Guide. To view menu options, see "/cfg/bwm/policy policy number Bandwidth Management Policy Configuration" (page 276). group <BW Group number (1-32)> Displays the Bandwidth Management Group Menu. To view menu options, see "/cfg/bwm/groupBandwidth Management Group Configuration Menu" (page 277). user <user name> Sets the SMTP user name to whom the history statistics will be mailed. The default is set to None. report <IP4 address> | <IP6 address> Set the IP address of the Reporting Server. entries <64k|128k|256k|512k> Sets the number of entries in the Bandwidth Management IP user table. frequen <1-1440 minutes, 0 for default behavior> Sets the frequency of Bandwidth Management email in minutes. The default is set to 0. email disable|enable Enable/disable sending BWM statistics using email. When this option is disabled, these statistics are sent using a socket mechanism. force disable|enable Enables or disables the enforcement of bandwidth policy on the traffic. When disabled, the reordering of the packets does not occur. The packets will exit in the order they came in. This means that no bandwidth limit is applied on the queues. By default, this option is enabled. on Globally enables Bandwidth Management on this switch. off Globally disables Bandwidth Management on this switch. cur Displays the current Bandwidth Management configuration.


/cfg/bwm/cont <contract number> Bandwidth Management Contract Configuration

Bandwidth Management Policy Menu Options (/cfg/bwm/cont)

Command Syntax and Usage

timepol <BW Contract time policy number (1-2)>
Displays Time Policy Menu. To view menu options, see "/cfg/bwm/cont contract number /timepol Contract time policy number BWM Contract Time Policy Config" (page 275).

name <31 character name>
Sets the name for this Bandwidth Management contract.
>> BW Contract 1# name
Current BW Contract name:
Enter new BW Contract name:

policy <Bandwidth policy number (1-512)>
Sets the policy number for this Bandwidth Management contract. The default policy number is 64.

prec <Bandwidth precedence value (1-255)>
Sets the precedence value for this Bandwidth Management contract. The default value is 1.

iptype <sip|dip>
Defines the IP type for this contract, whether the user (IP address) limiting is enforced by the source IP address (SIP) or the destination IP address (DIP).

pmirr <port | none>
Defines a port to mirror contract packets to. Enter a valid port to enable this feature or none to disable it. This command is available in maintenance mode only.

iplimit disable|enable
Enables or disables user (IP address) limiting for this contract. If enabled, each IP address is limited to the user limit configured in /cfg/bwm/policy; see "/cfg/bwm/policy policy number Bandwidth Management Policy Configuration" (page 276).

maxsess <maximum sessions (0-65534)>
Sets the maximum number of sessions per user or contract. The default value is 0.

history disable|enable
Disables or enables saving statistics for this contract on the server. By default, it is enabled.

wtos disable|enable
Disables or enables overwriting the IP Type of Service (TOS) for this contract. By default, it is disabled.

mononly disable|enable
Enables or disables monitor-only mode for this contract. This command is used for design and auditing purposes only. The statistics are generated but no shaping or limiting will apply to this contract.

shaping disable|enable
Disables or enables shaping of the traffic for this contract. In this context, shaping means buffering a packet and keeping it ready to be sent.

wtcpwin disable|enable
Enables or disables overwriting TCP Window for this contract. By overwriting the default window size, the user can modify the TCP window size to a lower value so that when the packet arrives carrying the bytes within that window size, the receiver of that packet does not have to wait for acknowledgement. This may help reduce the traffic congestion. Do not set the value to lower than 1500 bytes. For details, refer to the Application Guide.

ena
Enables this Bandwidth Management contract.

dis
Disables this Bandwidth Management contract.

del
Removes this contract from the switch.

cur
Displays the current Bandwidth Management contract configuration.

/cfg/bwm/cont <contract number> /timepol <Contract time policy number> BWM Contract Time Policy Configuration Menu

This feature enables the user to configure different policies based on the time of the day using the following menu and commands:

[BW Contract 1 Time Policy 1 Menu]
day - Set Time Policy day
from - Set Time Policy from hour
to - Set Time Policy to hour
policy - Set Time Policy
enable - Enable Time Policy
disable - Disable Time Policy
delete - Delete Time Policy
cur - Display current Time Policy configuration

BWM Contract Time Policy Configuration Menu Options (/cfg/bwm/timepol)

Command Syntax and Usage

day <mon|tue|wed|thu|fri|sat|sun|weekday|weekend|everyday>
Defines the day(s) of the week, weekdays (Monday to Friday), weekend (Saturday and Sunday) or everyday. The default is everyday.

from <1-12am/pm>
Sets the start of the time range in hours. If am or pm is not specified, the switch will default to am for numbers lower than 12 and will default to pm for numbers 13 or higher.

to <1-12am/pm>
Sets the end limit of time in hours. If am or pm is not specified, the switch will default to am for numbers lower than 12 and will default to pm for numbers 13 or higher.

policy <BW Policy number, 1-512>
Defines the policy number for the contract.

enable
Enables the Time Policy command on the switch.

disable
Disables the Time Policy command on the switch.

delete
Deletes the current Time Policy.

cur
Displays the current Time Policy configuration on the switch. For example:
Time Policy 1: Day everyday, From Hour 12am, To Hour 12am, Policy 512, disabled

/cfg/bwm/policy <policy number> Bandwidth Management Policy Configuration

[Policy 1 Menu]
hard - Set hard Limit
soft - Set soft Limit
resv - Set Reservation Limit
userlim - Set per user (IP address) Limit
utos - Set underlimit (soft limit) TOS
otos - Set overlimit (soft limit) TOS
buffer - Set Buffer Limit
del - Delete BW Policy
cur - Display current Policy configuration

Bandwidth Management Policy Menu Options (/cfg/bwm/pol)

Command Syntax and Usage

hard <0k-5000k|1m-1000m>
Sets the hard bandwidth limit for this policy. This is the highest amount of bandwidth available to this policy. The default value is 2000 kbps.

soft <0k-5000k|1m-1000m>
Sets the soft bandwidth limit for this policy. The default value is 1000 kbps.

resv <0k-5000k|1m-1000m>
Sets the reserve limit for this policy. This is the amount of bandwidth always available to this policy. The default value is 500Kbytes.

userlim <0k-5000k|1m-1000m>
Sets the bandwidth limit for each IP address in the contract traffic.

utos <BW Policy TOS (0-255)>
Sets the new utos (underlimit TOS) value to overwrite the original TOS value if the traffic for this contract is under the soft limit. With this option set to the default value of "0," the switch will not overwrite the TOS value.

otos <BW Policy TOS (0-255)>
Sets the new otos (over the limit TOS) value to overwrite the original TOS value if the traffic for this contract is over the soft limit. With this option set to the default value of "0," the switch will not overwrite the TOS value.

buffer <Maximum buffer space (bytes) (8192-128000)>
Sets the buffer limit for this policy. The default value is 8192 bytes.

del
Deletes the bandwidth management policy.

cur
Displays the current value of the bandwidth policy configuration.

/cfg/bwm/group Bandwidth Management Group Configuration Menu

[BW Group 1 Menu]
add - Add Contract to this group
rem - Remove Contract from this group
del - Delete BW Group
cur - Display current BW Group configuration

Bandwidth Management Group Menu Options (/cfg/bwm/group)

Command Syntax and Usage

add <BW Contract number, 1-1023 excluding default>
Adds a contract to this group.

rem <BW Contract number, 1-1023 excluding default>
Removes a contract from this group.

del
Deletes this Bandwidth Management group.

cur
Displays all current Bandwidth Management Group configurations.

/cfg/bwm/cur Bandwidth Management Current Configuration

Current Bandwidth Management setting: ON
Policy Enforcement: enabled
SMTP server user name:

Contract Name Policy Prec Hist TOS State Shaping
1 cont_1 1 1 E E E E
2 cont_2 2 1 E D D D
1024 Default -0 E D E D
*Default contract gets all the BW that is available on a port after the active contracts reserved BW is taken.

Policy  Hard  Soft  Resv  oTOS  uTOS  Buffer
1       25M   20M   500K  150   100   16320
2       10M   8M    500K  0     0     16320
3       2M    1M    500K  0     0     16320
4       2M    1M    500K  0     0     16320
5       2M    1M    500K  0     0     16320
6       2M    1M    500K  0     0     16320
7       2M    1M    500K  0     0     16320
8       2M    1M    500K  0     0     16320
9       2M    1M    500K  0     0     16320
10      2M    1M    500K  0     0     16320
11      2M    1M    500K  0     0     16320
12      2M    1M    500K  0     0     16320
13      2M    1M    500K  0     0     16320
14      2M    1M    500K  0     0     16320
15      2M    1M    500K  0     0     16320
16      2M    1M    500K  0     0     16320
17      2M    1M    500K  0     0     16320
18      2M    1M    500K  0     0     16320
19      2M    1M    500K  0     0     16320
20      2M    1M    500K  0     0     16320
21      2M    1M    500K  0     0     16320
22      2M    1M    500K  0     0     16320
23      2M    1M    500K  0     0     16320
24      2M    1M    500K  0     0     16320
25      2M    1M    500K  0     0     16320
26      2M    1M    500K  0     0     16320
27      2M    1M    500K  0     0     16320
28      2M    1M    500K  0     0     16320
29      2M    1M    500K  0     0     16320
30      2M    1M    500K  0     0     16320

/cfg/l2 Layer 2 Configuration Menu

Layer 2 Configuration Menu Options (/cfg/l2)

Command Syntax and Usage

mrst
Go to the Multiple/Rapid Spanning Tree menu. See "/cfg/l2/mrst Multiple Spanning Tree Menu" (page 280).

stg <group number [1-16]>
Displays Spanning Tree Group Menu. To view menu options, see "/cfg/l2/stg Spanning Tree Group Configuration" (page 282).

trunk <trunk group number>
Displays Trunk Group Menu. To view menu options, see "/cfg/l2/trunk trunk group number Trunk Configuration" (page 286).

lacp
Displays Link Aggregation Control Protocol (LACP) Menu. To view menu options, see "/cfg/l2/lacp Link Aggregation Control Protocol Menu" (page 287).

vlan <VLAN number (1-4090)>
Displays VLAN Menu. To view menu options, see "/cfg/l2/vlan VLAN number VLAN Configuration" (page 290).

team
Go to the port teaming menu. See "/cfg/l2/team team number Port Team Configuration" (page 292).

ntmstg disable|enable
Enables or disables Nortel Multiple Spanning Tree Group mode. When Nortel multiple STG mode is enabled, the Nortel implementation of multiple STGs will be followed. When Nortel multiple STG mode is disabled, the Cisco implementation of multiple STGs will be followed. The ntmstg enabled device will not work with the device configured for Cisco implementation of Spanning Tree BPDUs. The factory default value of this command is Nortel multiple STG mode disabled. You need to reset the switch with the command /boot/reset for the Spanning Tree Group configuration to change to ntmstg enabled.

cur
Displays the current Layer 2 parameters.

/cfg/l2/mrst Multiple Spanning Tree Menu

Multiple Spanning Tree Menu Options

Command Syntax and Usage

cist
Go to the Common and Internal Spanning Tree menu. See "/cfg/l2/mrst/cist Multiple Spanning Tree Menu" (page 280).

name <1-32 character region name>
Set the MST region name.

version <version number 1-65535>
Set the MST region version.

maxhop <max hops 4-60>
Set the maximum MST hop count.

mode mstp|rstp
Set the spanning tree mode.

on
Set the spanning tree on (Bridge MSTP/RSTP runs normally).

off
Set the spanning tree off (Bridge MSTP/RSTP does not run).

cur
Display the current MST parameters.

/cfg/l2/mrst/cist Multiple Spanning Tree Menu

Multiple Spanning Tree CIST Bridge Menu Options

Command Syntax and Usage

brg
Go to the CIST Bridge parameter menu. See "/cfg/l2/mrst/cist/brg CIST Bridge Menu" (page 281).

port <port_number>
Set the port number.

default
Resets STG and Group member parameters to factory default.

cur
Displays current values of all objects settable from this menu.

/cfg/l2/mrst/cist/brg CIST Bridge Menu


[CIST Bridge Menu]
prior - Set CIST bridge Priority (0-65535)
mxage - Set CIST bridge Max Age (6-40 secs)
fwd - Set CIST bridge Forward Delay (4-30 secs)
cur - Display current CIST bridge parameters

Multiple Spanning Tree CIST Bridge Menu Options

Command Syntax and Usage

prior <new bridge Priority, 0-65535>
Set the bridge priority.

mxage <new bridge Max Age, 6-40 secs>
Set the CIST bridge maximum age.

fwd <new bridge Forward Delay, 4-30 secs>
Set the CIST bridge forward delay.

cur
Displays current values of all objects settable from the CIST bridge menu.

/cfg/l2/mrst/cist/brg cur Current configuration for CIST Bridge

>> CIST Bridge# cur
-----------------------------------------------------------
Current Common Internal Spanning Tree settings:
Bridge params:
Priority MaxAge FwdDel
32768 20 15

CIST bridge configuration

Statistics and Description

Priority
The current CIST Bridge priority setting. Priority is a value between 0 and 65535.

MaxAge
The current CIST Bridge maximum aging setting. MaxAge is a value in seconds between 6 and 40.

FwdDel
The current CIST Bridge forwarding delay setting. FwdDel is a value in seconds between 4 and 30.

/cfg/l2/stg Spanning Tree Group Configuration

When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the network so that a switch uses only the most efficient path. STP detects and eliminates logical loops in a bridged or switched network and forces redundant data paths into a standby (blocked) state. If the active path fails, Spanning Tree automatically sets up another active path on the network to sustain network operations. Thus, STP is used to prevent loops in the network topology.

Nortel Application Switch Operating System supports the IEEE 802.1p Spanning Tree Protocol (STP). It supports up to 16 instances of Spanning Trees or Spanning Tree groups. Each VLAN can be placed in only one Spanning Tree group per switch except for the default Spanning Tree group (STG 1). The default Spanning Tree group (1) can have more than one VLAN. All other Spanning Tree groups (2-16) can have only one VLAN associated with them. Spanning Tree can be enabled or disabled for each port. Multiple Spanning Trees can be enabled on tagged or untagged ports. See your Application Guide for a detailed description of this feature and how to configure Spanning Tree Groups on the switch. This command is turned on by default.

[Spanning Tree Group 1 Menu]
brg - Bridge parameter menu
port - Port parameter menu
add - Add VLAN(s) to Spanning Tree Group
remove - Remove VLAN(s) from Spanning Tree Group
clear - Remove all VLANs from Spanning Tree Group
on - Globally turn Spanning Tree ON
off - Globally turn Spanning Tree OFF
default - Default Spanning Tree and Member parameters
cur - Display current bridge parameters

Note: When VRRP is used for active/active redundancy, STP must be enabled.

Spanning Tree Configuration Menu (/cfg/l2/stp)

Command Syntax and Usage

brg
Displays the Bridge Spanning Tree Menu. To view menu options, see "/cfg/l2/stg/brg Bridge Spanning Tree Configuration" (page 284).

port <port number>
Displays the Spanning Tree Port Menu. To view menu options, see "/cfg/l2/stg STG Group Index /port port # Spanning Tree Port Configuration" (page 285).

add <VLAN numbers (1-4090)>
Associates a VLAN with a spanning tree and requires an external VLAN ID as a parameter.

remove <VLAN numbers, 1-4095 (802.1d & RSTP) / 2-4094 (MSTP)>
Breaks the association between a VLAN and a spanning tree and requires an external VLAN ID as a parameter.

clear
Removes all VLANs from a spanning tree.

on
Globally enables Spanning Tree Protocol.

off
Globally disables Spanning Tree Protocol.

default
Resets STG and Group member parameters to factory default.

cur
Displays the current Spanning Tree Protocol parameters.


/cfg/l2/stg/brg Bridge Spanning Tree Configuration

[Bridge Spanning Tree Menu]
prior - Set bridge Priority [0-65535]
hello - Set bridge Hello Time [1-10 secs]
mxage - Set bridge Max Age (6-40 secs)
fwd - Set bridge Forward Delay (4-30 secs)
aging - Set bridge Aging Time (1-65535 secs, 0 to disable)
cur - Display current bridge parameters

Spanning Tree bridge parameters affect the global STP operation of the switch. STP bridge parameters include:
- Bridge priority
- Bridge hello time
- Bridge maximum age
- Forwarding delay
- Bridge aging time

Bridge Spanning Tree Menu Options (/cfg/l2/stp/brg)

Command Syntax and Usage

prior <new bridge priority (0-65535)>
Configures the bridge priority. The bridge priority parameter controls which bridge on the network is the STP root bridge. To make this switch the root bridge, configure the bridge priority lower than all other switches and bridges on your network. The lower the value, the higher the bridge priority. The range is 0 to 65535, and the default is 32768.

hello <new bridge hello time (1-10 secs)>
Configures the bridge hello time. The hello time specifies how often the root bridge transmits a configuration bridge protocol data unit (BPDU). Any bridge that is not the root bridge uses the root bridge hello value. The range is 1 to 10 seconds, and the default is 2 seconds.

mxage <new bridge max age (6-40 secs)>
Configures the bridge maximum age. The maximum age parameter specifies the maximum time the bridge waits without receiving a configuration bridge protocol data unit before it reconfigures the STP network. The range is 6 to 40 seconds, and the default is 20 seconds.

fwd <new bridge Forward Delay (4-30 secs)>
Configures the bridge forward delay parameter. The forward delay parameter specifies the amount of time that a bridge port has to wait before it changes from the listening state to the learning state and from the learning state to the forwarding state. The range is 4 to 30 seconds, and the default is 15 seconds.

aging <new bridge Aging Time (1-65535 secs, 0 to disable)>
Configures the forwarding database aging time. The aging time specifies the amount of time the bridge waits without receiving a packet from a station before removing the station from the forwarding database. The range is 1 to 65535 seconds, and the default is 300 seconds. To disable aging, set this parameter to 0.

cur
Displays the current bridge STP parameters.

When configuring STP bridge parameters, the following formulas must be used:
2*(fwd-1) ≥ mxage
2*(hello+1) ≤ mxage
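The ranges and the two relations can be checked before a bridge timer change is typed into the switch. The following is an added example, not code from the Nortel manual: the function names and the dictionary layout are assumptions, and the relations are taken as 2*(fwd-1) ≥ mxage and 2*(hello+1) ≤ mxage, which is how IEEE 802.1D states them.

```python
# Added example: pre-change validation of /cfg/l2/stg/brg parameters.
# Function names and data layout are assumptions, not part of the switch software.

# Ranges and defaults as listed in the Bridge Spanning Tree Menu Options.
RANGES = {
    "prior": (0, 65535),
    "hello": (1, 10),
    "mxage": (6, 40),
    "fwd": (4, 30),
    "aging": (0, 65535),  # 0 disables forwarding database aging
}
DEFAULTS = {"prior": 32768, "hello": 2, "mxage": 20, "fwd": 15, "aging": 300}


def validate_bridge(changes):
    """Return a list of problems for DEFAULTS overlaid with `changes`.

    `changes` maps menu command names (prior, hello, mxage, fwd, aging) to the
    integer values an operator intends to set. An empty list means the
    resulting parameter set is acceptable.
    """
    unknown = sorted(set(changes) - set(RANGES))
    if unknown:
        return [f"unknown parameter: {name}" for name in unknown]

    cfg = {**DEFAULTS, **changes}
    problems = []
    for name, (low, high) in RANGES.items():
        value = cfg[name]
        if isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{name}={value!r} is not an integer")
        elif not low <= value <= high:
            problems.append(f"{name}={value} outside {low}-{high}")
    if problems:
        return problems  # the relations below only make sense for in-range values

    # Relations assumed to be those of IEEE 802.1D.
    if 2 * (cfg["fwd"] - 1) < cfg["mxage"]:
        problems.append(
            f"2*(fwd-1)={2 * (cfg['fwd'] - 1)} is below mxage={cfg['mxage']}"
        )
    if 2 * (cfg["hello"] + 1) > cfg["mxage"]:
        problems.append(
            f"2*(hello+1)={2 * (cfg['hello'] + 1)} is above mxage={cfg['mxage']}"
        )
    return problems


def mxage_window(fwd, hello):
    """Return (low, high) bounds of mxage valid for `fwd` and `hello`, or None.

    None means no max age in 6-40 satisfies both relations, so fwd or hello
    has to change first.
    """
    low = max(RANGES["mxage"][0], 2 * (hello + 1))
    high = min(RANGES["mxage"][1], 2 * (fwd - 1))
    return (low, high) if low <= high else None


if __name__ == "__main__":
    # Constructed change sets, not taken from a real switch.
    for change in ({}, {"fwd": 4}, {"hello": 10}, {"hello": 10, "mxage": 22, "fwd": 12}):
        print(change, "->", validate_bridge(change) or "ok")
    print("mxage window for fwd=15, hello=2:", mxage_window(15, 2))
    print("mxage window for fwd=4, hello=10:", mxage_window(4, 10))
```

Lowering fwd or raising hello on its own can break a relation even though each value is inside its range, which is the case the range check alone does not catch.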

/cfg/l2/stg <STG Group Index> /port <port #> Spanning Tree Port Configuration

[Spanning Tree Port 1 Menu]
prior - Set port Priority (0-255)
cost - Set port Path Cost
link - Set port link type (auto,p2p,or shared; default: auto)
edge - Enable/disable edge port
on - Turn ports Spanning Tree ON
off - Turn ports Spanning Tree OFF
cur - Display current port Spanning Tree parameters

Spanning Tree port parameters are used to modify STP operation on an individual port basis. STP port parameters include:
- Port priority
- Port path cost

STP is turned on by default for the port.

Spanning Tree Port Menu (/cfg/l2/stp/port)

Command Syntax and Usage

prior <new port Priority (0-255)>
Configures the port priority. The port priority helps determine which bridge port becomes the designated port. In a network topology that has multiple bridge ports connected to a single segment, the port with the lowest port priority becomes the designated port for the segment. The range is 0 to 255, and the default is 128.

cost <new port Path Cost (1-65535, 0 for default)>
Configures the port path cost. The port path cost is used to help determine the designated port for a segment. Generally speaking, the faster the port, the lower the path cost. The range is 1 to 65535. The default is 10 for 100Mbps ports, and 1 for Gigabit ports. A value of 0 indicates that the default cost will be computed for an auto negotiated link speed.

link auto|p2p|shared
Set port link type (auto, p2p, or shared; default: auto)

edge disable|enable
Enable/disable edge port

on
Enables STP on the port.

off
Disables STP on the port.

cur
Displays the current STP port parameters.

/cfg/l2/trunk <trunk group number> Trunk Configuration

Trunk groups can provide super-bandwidth and multi-link connections between Nortel Application Switches or other trunk capable devices. A trunk group is a group of ports that act together, combining their bandwidth to create a single, larger virtual link. When trunk groups are configured, you can view the state of each port in the various trunk groups. Up to 12 trunk groups can be configured on the Nortel Application Switch, with the following restrictions:
- Any physical switch port can belong to no more than one trunk group.
- Up to eight ports/trunks can belong to the same trunk group.
- Best performance is achieved when all ports in a trunk are configured for the same speed.
- Trunking from non-Nortel devices must comply with Cisco EtherChannel technology.

By default, the trunk group is empty and disabled.

[Trunk group 1 Menu]
cont - Set BW contract for this trunk group
add - Add port to trunk group
rem - Remove port from trunk group
ena - Enable trunk group
dis - Disable trunk group
del - Delete trunk group
cur - Display current Trunk Group configuration

Trunk Configuration Menu Options (/cfg/l2/trunk)

Command Syntax and Usage

cont <BWM Contract (1-1024)>
Sets the default Bandwidth Management Contract for this trunk group. By default, the contract number is 1024 for Nortel Application Switch.

add <port number>
Adds a physical port to the current trunk group.

rem <port number>
Removes a physical port from the current trunk group.

ena
Enables the current trunk group.

dis
Turns the current trunk group off.

del
Removes the current trunk group configuration.

cur
Displays the current trunk group parameters.

/cfg/l2/lacp Link Aggregation Control Protocol Menu

The Nortel Application Switch Operating System supports the IEEE 802.3ad standard. At the core of the 802.3ad standard is Link Aggregation Control Protocol (LACP). This protocol allows the user to group several physical ports into one logical port (LACP trunk group) with any switch that supports the IEEE 802.3ad standard (LACP). You can configure trunk groups manually (static trunks), or configure dynamic trunk groups using the IEEE 802.3ad standard (LACP trunks). The maximum number of configurable trunk groups is 40: 12 user configurable trunks and 28 LACP trunks, depending upon the maximum number of ports in the switch. The maximum number of active physical ports in any trunk group is eight and the number of standby ports is also eight.

The 802.3ad standard allows two or more standard Ethernet links to form a single Layer 2 link using the Link Aggregation Control Protocol (LACP). Link aggregation is a method of grouping physical link segments of the same media type and speed in full duplex, and treating them as if they were part of a single, logical link segment. If a link in a LACP trunk group fails, traffic is reassigned dynamically to the remaining links of the LACP trunk group or is assigned to the standby LACP links.

Note: Refer to IEEE 802.3ad-2000 for detailed information about the standard.

LACP automatically determines which member links can be aggregated and then aggregates them. It provides for the controlled addition and removal of physical links for the link aggregation. Each external port in the Nortel Application Switch Operating System can have one of the following LACP modes.

off (default)
The user can configure this port to a regular static trunk group. When the system initializes, all ports are in off mode by default.

active
The port is capable of forming an LACP trunk. This port initiates negotiation with the partner system port by sending LACPDU (Link Aggregation Control Protocol Data Unit) packets.

passive
The port is capable of forming an LACP trunk. This port only responds to the negotiation requests sent from an LACP active port.

Each LACP active or passive port needs an admin key, an operational key, and an aggregator for LACP to start negotiation on these ports. You need to assign the same admin key to a group of ports to make them aggregatable. The link can generate a Link Aggregation ID (LAG ID) based on the operational key. All the aggregatable ports must have the same LAG ID. You can form an active LACP trunk group with all the ports that have the same LAG ID.

Refer to the Nortel Application Switch Operating System Application Guide for detailed information on this protocol.

Note: All ports are in LACP off mode by default.


Use the following commands to configure LACP on the Nortel Application Switch Operating System.

[LACP Menu]
sysprio - Set LACP system priority
timeout - Set LACP system timeout scale for timing out partner info
port - LACP port Menu
cur - Display current LACP configuration

Link Aggregation Control Protocol Menu Options (/cfg/l2/lacp)

Command Syntax and Usage

sysprio <1-65535>
Defines the priority value (1 through 65535) for the Nortel Application Switch Operating System. Lower numbers provide higher priority. System priority is used when there are more than eight ports configured with the same adminkey. The system priority, in conjunction with port priority, decides which eight ports should be combined to form a trunk group between two switches. The rest of the ports stay in standby mode to substitute for any failed ports. The default value is 32768.

timeout <short|long>
Defines the timeout period before invalidating LACP data from a remote partner. You can choose between short (3 seconds) or long (90 seconds) timeout periods. The default value is long.

port <port number>
Displays the LACP Port menu. To view menu options, see "/cfg/l2/lacp/port port number LACP Port Configuration Menu" (page 289).

cur
Displays the current LACP configuration.

/cfg/l2/lacp/port <port number> LACP Port Configuration Menu

[LACP Port 1 Menu]
mode - Set LACP mode
prio - Set LACP port priority
adminkey - Set LACP port admin key
cur - Display current LACP port configuration

Use the following commands to configure Link Aggregation Control Protocol (LACP) on a selected port.

Link Aggregation Control Protocol Port Configuration Menu Options (/cfg/l2/lacp/port)

Command Syntax and Usage

mode <off for no LACP or active or passive>
- off: Using this option, you can turn LACP off for this port. You can use this port to manually configure a static trunk. All ports are in off mode by default.
- active: Using this option, you can turn LACP on and set this port to active. Only active ports initiate negotiation with the partner system port by sending the LACPDU packets.
- passive: Using this option, you can turn LACP on and set this port to passive mode. Passive ports do not initiate negotiation, but only respond to the negotiation requests from active ports.

prio <1-65535>
Sets the priority value for the selected port. Lower numbers provide higher priority. The default value is 128.

adminkey <1-65535>
Sets the admin key for this port. Only ports with the same admin key and oper key (operational state generated internally) can form an LACP trunk group.

cur
Displays the current LACP configuration for this port.
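The mode, prio and adminkey settings together decide which links aggregate and which wait in standby. The following is an added example, not code from the Nortel manual, that works this through for a constructed port list. It assumes that equal priorities are tie-broken by port number and it ignores the internally generated oper key and the system priority of the two switches; the function and field names are hypothetical.

```python
# Added example: which LACP ports end up active, standby or idle.
# Names and the tie-break rule are assumptions, not the switch's own logic.
from collections import defaultdict

MAX_ACTIVE = 8   # active physical ports per trunk group (from the manual)
MAX_STANDBY = 8  # standby ports per trunk group (from the manual)
MODES = {"off", "active", "passive"}


def negotiates(local_mode, partner_mode):
    """LACP starts only if neither end is off and at least one end is active.

    Passive ports only answer negotiation requests, so a passive/passive
    link never forms a trunk.
    """
    pair = (local_mode, partner_mode)
    for mode in pair:
        if mode not in MODES:
            raise ValueError(f"unknown LACP mode: {mode!r}")
    return "off" not in pair and "active" in pair


def plan_trunks(ports):
    """Group negotiating ports by admin key and split them active/standby.

    Each port is a dict with keys port, mode, partner_mode, prio, adminkey.
    Lower prio wins; ties go to the lower port number (assumption).
    Returns (plan, idle) where plan maps admin key -> port lists and idle
    lists ports on which LACP never starts.
    """
    groups = defaultdict(list)
    idle = []
    for p in ports:
        for field in ("prio", "adminkey"):
            if not 1 <= p[field] <= 65535:
                raise ValueError(f"port {p['port']}: {field} outside 1-65535")
        if negotiates(p["mode"], p["partner_mode"]):
            groups[p["adminkey"]].append(p)
        else:
            idle.append(p["port"])

    plan = {}
    for key, members in groups.items():
        ranked = sorted(members, key=lambda p: (p["prio"], p["port"]))
        order = [p["port"] for p in ranked]
        plan[key] = {
            "active": order[:MAX_ACTIVE],
            "standby": order[MAX_ACTIVE:MAX_ACTIVE + MAX_STANDBY],
            "excluded": order[MAX_ACTIVE + MAX_STANDBY:],
        }
    return plan, sorted(idle)


# Constructed sample: ten ports share admin key 100, port 10 has the best
# priority, port 11 is passive on both ends, port 12 is left in off mode.
SAMPLE_PORTS = [
    {"port": n, "mode": "active", "partner_mode": "passive",
     "prio": 1 if n == 10 else 128, "adminkey": 100}
    for n in range(1, 11)
] + [
    {"port": 11, "mode": "passive", "partner_mode": "passive", "prio": 128, "adminkey": 100},
    {"port": 12, "mode": "off", "partner_mode": "active", "prio": 128, "adminkey": 200},
    {"port": 13, "mode": "passive", "partner_mode": "active", "prio": 128, "adminkey": 200},
    {"port": 14, "mode": "passive", "partner_mode": "active", "prio": 128, "adminkey": 200},
]

if __name__ == "__main__":
    trunks, idle_ports = plan_trunks(SAMPLE_PORTS)
    for key, split in sorted(trunks.items()):
        print(f"admin key {key}: {split}")
    print("no LACP negotiation on ports:", idle_ports)
```

Ports reported as idle carry no aggregated traffic at all, so a passive/passive pairing shows up here rather than as a missing trunk during a link failure.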

/cfg/l2/vlan <VLAN number> VLAN Configuration

VLANs are commonly used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enforce security policies among logical segments. The commands in this menu configure VLAN attributes, change the status of the VLAN, delete the VLAN, and change the port membership of the VLAN. By default, the VLAN menu option is disabled except VLAN 1, which is enabled all the time.

[VLAN 1 Menu]
name - Set VLAN name
stg - Assign VLAN to a Spanning Tree Group
cont - Set BW contract
add - Add port to VLAN
rem - Remove port from VLAN
def - Define VLAN as list of ports
jumbo - Enable/disable Jumbo Frame support
learn - Enable/disable smac learning
ena - Enable VLAN
dis - Disable VLAN
del - Delete VLAN
cur - Display current VLAN configuration

VLAN Configuration Menu Options (/cfg/l2/vlan)

Command Syntax and Usage

name
Assigns a name to the VLAN or changes the existing name. The default VLAN name is the first one.

stg <Spanning Tree Group index (1-16)>
Assigns a VLAN to a Spanning Tree Group.

cont <BW Contract number, (1-1024)>
Sets the Bandwidth Management contract for this VLAN. The default contract number is 1024 on Nortel Application Switch.

add <port number>
Adds port(s) or trunk group(s) to the VLAN membership.

rem <port number>
Removes port(s) or trunk group(s) from this VLAN.

def <list of port numbers>
Defines which ports are members of this VLAN. Every port must be a member of at least one VLAN. By default, it defines ports between 1-28 for VLAN 1.

jumbo disable|enable
Enables or disables jumbo frame support on this VLAN. You need to reset the switch using /boot/reset command to enable jumbo frames on the switch.

learn disable|enable
Enables or disables source MAC address learning on this VLAN.

ena
Enables this VLAN.

dis
Disables this VLAN without removing it from the configuration.

del
Deletes this VLAN.

cur
Displays the current VLAN configuration.

Note: All ports must belong to at least one VLAN. Any port which is removed from a VLAN and which is not a member of any other VLAN is automatically added to default VLAN #1. You cannot remove a port from VLAN #1 if the port has no membership in any other VLAN. Also, you cannot add a port to more than one VLAN unless the port has VLAN tagging turned on (see the tag command on tag disable|enable).

/cfg/l2/team <team number> Port Team Configuration

Port teams are used to operationally link ports and interfaces together.

[Port team 1 Menu]
     addport   - Add port to team
     remport   - Remove port from team
     addtrunk  - Add trunk group to team
     remtrunk  - Remove trunk group from team
     ena       - Enable port team
     dis       - Disable port team
     del       - Delete port team
     cur       - Display current port team configuration

"Port Team Configuration Menu" (page 292) outlines the commands in this menu.

Port Team Configuration Menu

Command Syntax and Usage

addport <port number>
    Adds the specified port to the current team.

remport <port number>
    Removes the specified port from the current team.

addtrunk <trunk group number>
    Adds a trunk group to the current team.

remtrunk <trunk group number>
    Removes a trunk group from the current team.

ena
    Enables the port team.

dis
    Disables the port team.

del
    Deletes the port team.

cur
    Displays the current port team configuration.

/cfg/l3 Layer 3 Configuration Menu

[Layer 3 Menu]
     if    - Interface Menu
     gw    - Default Gateway Menu
     route - Static Route Menu
     arp   - ARP Menu
     frwd  - Forwarding Menu
     nwf   - Network Filters Menu
     rmap  - Route Map Menu
     rip   - Routing Information Protocol Menu
     ospf  - Open Shortest Path First (OSPF) Menu
     bgp   - Border Gateway Protocol Menu
     port  - IP Port Menu
     dns   - Domain Name System Menu
     bootp - Bootstrap Protocol Relay Menu
     vrrp  - Virtual Router Redundancy Protocol Menu
     rtrid - Set router ID
     metrc - Set default gateway metric
     cur   - Display current IP configuration

Layer 3 Configuration Menu Options (/cfg/l3)

Command Syntax and Usage

if <interface number (1-256)>
    Displays the IP Interface Menu. To view menu options, see "/cfg/l3/if interface number IP Interface Configuration" (page 295).

gw <default gateway number (1-259)>
    Displays the IP Default Gateway Menu. To view menu options, see "/cfg/l3/gw gateway number Default IP Gateway Configuration" (page 297).

route
    Displays the IP Static Route Menu. To view menu options, see "/cfg/l3/route IP Static Route Configuration" (page 298).

arp
    Displays Address Resolution Protocol menu. To view menu options, see "/cfg/l3/arp ARP Configuration Menu" (page 300).

frwd
    Displays the IP Forwarding Menu. To view menu options, see "/cfg/l3/frwd IP Forwarding Configuration Menu" (page 301).

nwf <Network filter number (1-256)>
    Displays the Network Filter Configuration Menu. To view menu options see "/cfg/l3/nwf Network Filter Configuration" (page 304).

rmap <route map number (1-32)>
    Displays the Route Map Menu. To view menu options see "/cfg/l3/rmap route map number Route Map Configuration Menu" (page 304).

rip
    Displays the Routing Interface Protocol Menu. To view menu options, see "/cfg/l3/rip Routing Information Protocol Configuration" (page 308).

ospf
    Displays the OSPF Menu. To view menu options, see "/cfg/l3/ospf Open Shortest Path First Configuration" (page 312).

bgp
    Displays the Border Gateway Protocol Menu. To view menu options, see "/cfg/l3/bgp Border Gateway Protocol Configuration" (page 321).

port <port number>
    Displays the IP Port Menu. To view menu options, see "/cfg/l3/port port number IP Forwarding Port Configuration Menu" (page 327).

dns
    Displays the IP Domain Name System Menu. To view menu options, see "/cfg/l3/dns Domain Name System Configuration Menu" (page 327).

bootp
    Displays the Bootstrap Protocol Menu. To view menu options, see "/cfg/l3/bootp Bootstrap Protocol Relay Configuration Menu" (page 328).

dscp
    Displays Diffserv Bandwidth Menu. To view menu options, see "cfg/sys/ssnmp/snmpv3/view SNMPv3 View Configuration Menu" (page 237).

dscp
    Displays the Diffserv Bandwidth Management Contract Menu. To view menu options, see "/cfg/bwm/group Bandwidth Management Group Configuration Menu" (page 277).

vrrp
    Displays Virtual Router Redundancy Protocol Menu. To view menu options, see "/cfg/l3/vrrp VRRP Configuration Menu" (page 329).

rtrid <IP address (such as, 192.4.17.101)>
    Defines the router ID.

metrc strict|roundrobin
    Sets the default gateway metric for strict or roundrobin. The default gateway metric is strict. For more information on gateway metrics, see "/cfg/l3/metrc metric name Default Gateway Metrics" (page 344).

cur
    Displays the current IP configuration.

/cfg/l3/if <interface number> IP Interface Configuration

[IP Interface 1 Menu]
     ip6nd - IP6 Neighbor Discovery Menu
     ipver - Set IP version
     addr  - Set IP address
     mask  - Set subnet mask/prefix len
     vlan  - Set VLAN number
     relay - Enable/disable BOOTP relay
     ena   - Enable IP interface
     dis   - Disable IP interface
     del   - Delete IP interface
     cur   - Display current interface configuration

The Nortel Application Switch can be configured with up to 256 IP interfaces. Each IP interface represents the Nortel Application Switch on an IP subnet on your network. The Interface option is disabled by default.

IP Interface Menu Options (/cfg/l3/if)

Command Syntax and Usage

ip6nd
    Opens the IPv6 Neighbor Discovery menu. This menu is used to enable or disable the sending of IPv6 Router Advertisement packets from this interface. For more information on this topic, refer to "/cfg/l3/if/ip6nd IPv6 Neighbor Discovery Menu" (page 296).

ipver <IP version (v4 or v6)>
    Set the IP version.

addr <IP address (such as 192.4.17.101 for IPv4 or 3001::abcd:5678 for IPv6)>
    Configures the IP address of the switch interface using dotted decimal notation for IPv4 and colon notation for IPv6.

mask <IP subnet mask for IPv4 or prefix length for IPv6 (such as 255.255.255.0 for IPv4 or 64 for IPv6)>
    Configures the IP subnet address mask for the interface using dotted decimal notation for IPv4 or prefix length for IPv6.

vlan <VLAN number (1-4090)>
    Configures the VLAN number for this interface. Each interface can belong to one VLAN, though any VLAN can have multiple IP interfaces in it.

relay disable|enable
    Enables or disables the BOOTP relay on this interface. It is enabled by default.

ena
    Enables this IP interface.

dis
    Disables this IP interface.

del
    Removes this IP interface.

cur
    Displays the current interface settings.

/cfg/l3/if/ip6nd IPv6 Neighbor Discovery Menu

[IP6 Neighbor Discovery Menu]
     rtradv - Enable/disable router advertisement

This menu is used to configure the sending of IPv6 Neighbor Discovery router advertisements from this interface.

IPv6 Neighbor Discovery Menu Options

Command Syntax and Usage

rtradv disable | enable
    Enables or disables the sending of IPv6 Neighbor Discovery router advertisements from this interface.

/cfg/l3/gw <gateway number> Default IP Gateway Configuration

[Default gateway 1 Menu]
     ipver - Set IP version
     addr  - Set IP address
     intr  - Set interval between ping attempts
     retry - Set number of failed attempts to declare gateway DOWN
     vlan  - Set VLAN number
     prio  - Set priority of default gateway route
     arp   - Enable/disable ARP only health checks
     ena   - Enable default gateway
     dis   - Disable default gateway
     del   - Delete default gateway
     cur   - Display current default gateway configuration

Note: The switch can be configured with up to 255 gateways. Gateways one to four are reserved for default gateway load balancing. Gateways five to 259 are used for load-balancing of VLAN-based gateways. This option is disabled by default.

Default Gateway Options (/cfg/l3/gw)

Command Syntax and Usage

ipver <IP version (v4 or v6)>
    Set the IP version.

addr <default gateway address (such as, 192.4.17.44 for IPv4 or 3001::abcd:1234 for IPv6)>
    Configures the IP address of the default IP gateway using dotted decimal notation for IPv4 and colon notation for IPv6.

intr <0-60 seconds>
    The switch pings the default gateway to verify that it's up. The intr option sets the time between health checks. The range is from 1 to 120 seconds. The default is 2 seconds.

retry <number of attempts (1-120)>
    Sets the number of failed health check attempts required before declaring this default gateway inoperative. The range is from 1 to 120 attempts. The default is 8 attempts.

vlan <VLAN number (1-4090)>
    Sets the VLAN to be assigned to this default IP gateway.

prio <high|low>
    Allows you to change the priority of the default gateway route to either high or low, relative to learned default routes. If you set the priority to high, then the default gateway route will always be preferred over learned default routes (such as from OSPF, BGP, or RIP protocols). If you set the priority to low, then learned default routes will always be preferred over the default gateway route.

    Note: By default learned default route has higher priority than the configured default gateway route.

arp disable|enable
    Enables or disables Address Resolution Protocol (ARP) health checks. This command is disabled by default.

ena
    Enables the gateway for use.

dis
    Disables the gateway.

del
    Deletes the gateway from the configuration.

cur
    Displays the current gateway settings.

Default Gateway Metrics


For information about configuring which gateway is selected when multiple default gateways are enabled, see "/cfg/l3/metrc metric name Default Gateway Metrics" (page 344).

/cfg/l3/route IP Static Route Configuration

[IP Static Route Menu]
     ip4 - IP4 Static Route Menu
     ip6 - IP6 Static Route Menu

This menu provides access to the switch static route configuration functionality.

IP Static Route Configuration Menu Options (cfg/l3/route)

Command Syntax and Usage

ip4
    Provides access to the IPv4 static route configuration menu. To view the menu options, see "/cfg/l3/route/ip4 IPv4 Static Route Configuration Menu" (page 299).

ip6
    Provides access to the IPv6 static route configuration menu. To view the menu options, see "/cfg/l3/route/ip6 IPv6 Static Route Configuration Menu" (page 299).

/cfg/l3/route/ip4 IPv4 Static Route Configuration Menu

[IP4 Static Route Menu]
     add - Add IP4 static route
     rem - Remove IP4 static route
     cur - Display current IP4 static route configuration

This menu is used to configure IPv4 static routes.

IP Static Route Configuration Menu Options (cfg/l3/route)

Command Syntax and Usage

add <destination mask gateway> [interface number]
    Adds a static route. To complete the entry, enter a destination IP address, destination subnet mask, and gateway address. Enter all addresses using dotted decimal notation. If a gateway address is 0.0.0.0, the route becomes a black hole route. Packets routed to such a destination will be dropped.

rem <destination mask>
    Removes a static route. The destination address of the route to remove must be specified using dotted decimal notation.

cur
    Displays the current IPv4 static routes.

/cfg/l3/route/ip6 IPv6 Static Route Configuration Menu

[IP6 Static Route Menu]
     add - Add IP6 static route
     rem - Remove IP6 static route
     cur - Display current IP6 static route configuration

This menu is used to configure IPv6 static routes.

IP Static Route Configuration Menu Options (cfg/l3/route)

Command Syntax and Usage

add <destination prefix length next hop> [interface number]
    Adds a static route. To complete the entry, enter a destination IPv6 address, prefix length, and next hop address. Enter all information using the IPv6 addressing format.

rem <destination prefix length>
    Removes a static route. The destination address of the route to remove must be specified using the IPv6 addressing format.

cur
    Displays the current IPv6 static routes.

/cfg/l3/arp ARP Configuration Menu

Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet layer. ARP resolves a physical address from an IP address. ARP queries machines on the local network for their physical addresses. ARP also maintains IP to physical address pairs in its cache memory. In any IP communication, the ARP cache is consulted to see if the IP address of the computer or the router is present in the ARP cache. Then the corresponding physical address is used to send a packet.

[ARP Menu]
     static - Static ARP Menu
     rearp  - Set re-ARP period in minutes
     cur    - Display current ARP configuration

ARP Configuration Menu Options (/cfg/l3/arp)

Command Syntax and Usage

static
    Displays Static ARP menu. To view options, see "/cfg/l3/arp/static ARP Static Configuration Menu" (page 301).

rearp <2-120 minutes>
    Defines re-ARP period in minutes. You can set this duration between two and 120 minutes.

cur
    Displays the current ARP configurations.

/cfg/l3/arp/static ARP Static Configuration Menu

Static ARP entries are permanent in the ARP cache and do not age out like the ARP entries that are learnt dynamically. Static ARP entries enable the switch to reach the hosts without sending an ARP broadcast request to the network. Static ARPs are also useful to communicate with devices that do not respond to ARP requests. Static ARPs can also be configured on some gateways as a protection against malicious ARP Cache corruption and possible DoS attacks.

Note: Nortel Application Switch Operating System 21.0 and above allows the static ARP configuration to be retained over reboots. Nortel Application Switch Operating System 20.x and below allow the user to configure the ARP information but that information cannot be retained over a switch reboot.

[Static ARP Menu]
     add - Add a permanent ARP entry
     del - Delete an ARP entry
     cur - Display current static ARP configuration

ARP Static Configuration Menu Options (/cfg/l3/arp/static)

Command Syntax and Usage

add <IP address MAC address VLAN number port number>
    Adds a permanent ARP entry.

del <IP address (such as, 192.4.17.101)>
    Deletes a permanent ARP entry.

cur
    Displays current static ARP configuration.

/cfg/l3/frwd IP Forwarding Configuration Menu

IP Forwarding Configuration Menu Options (/cfg/l3/frwd)

Command Syntax and Usage

local
    Displays the menu used to define local network for route caching. Up to 15 local networks (lnets) can be configured. To view menu options, see "/cfg/l3/frwd/local Local Network Route Caching Definition" (page 302).

dirbr disable|enable
    Enables or disables forwarding directed broadcasts. This command is disabled by default.

on
    Enables IP forwarding (routing) on the Nortel Application Switch.

off
    Disables IP forwarding (routing) on the Nortel Application Switch. Forwarding is turned on by default.

cur
    Displays the current IP forwarding settings.

/cfg/l3/frwd/local Local Network Route Caching Definition

This menu is used for adding local networks by setting the local network address and netmask for the route cache, and to remove local networks.

[IP Local Networks Menu]
     add  - Add local network definition
     add6 - Add local network v6 definition
     rem  - Remove local network definition
     rem6 - Remove local network v6 definition
     cur  - Display current local network definitions

IP Local Networks Menu Options (/cfg/l3/frwd/local)

Command Syntax and Usage

add <local network address local network mask>
    Adds a definition for a local network. For details, see "Defining IP Address Ranges for the Local Route Cache" (page 303).

add6 <local network IPv6 address prefix length>
    Adds a definition for an IPv6 local route.

rem <local network address local network mask>
    Removes a definition for a local network.

rem6 <local network IPv6 address prefix length>
    Removes a definition for an IPv6 local route.

cur
    Displays the current local network definitions.

Defining IP Address Ranges for the Local Route Cache

The Local Route Cache lets you use switch resources more efficiently, by reducing the size of the ARP table on the Nortel Application Switch. The /cfg/l3/frwd/local/add parameters define a range of addresses that will be cached on the Nortel Application Switch. The local network address is used to define the base IP address in the range which will be cached, and the local network mask is the mask which is applied to produce the range. To determine if a route should be added to the memory cache, the destination address is masked (bitwise and) with the local network mask and checked against the local network address.

By default, the local network address and mask are both set to 0.0.0.0. This produces a range that includes all Internet addresses for route caching: 0.0.0.0 through 255.255.255.255. Addresses to be cached are subnets that are directly connected and for which there is an interface configured on the Nortel Application Switch. To limit the route cache to your local hosts, you could configure the parameters as shown in the examples in the following table.

Local Routing Cache Address Ranges

Local Host Address Range        Address       Mask
0.0.0.0 - 127.255.255.255       0.0.0.0       128.0.0.0
128.0.0.0 - 255.255.255.255     128.0.0.0     128.0.0.0
205.32.0.0 - 205.32.255.255     205.32.0.0    255.255.0.0

Note: All addresses that fall outside the defined range are forwarded to the default gateway. The default gateways must be within range.
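The masking rule and the table above can be checked before a change is applied. The following Python sketch is an added example, not Nortel code: it applies the "destination AND mask equals local network address" test, derives the cached range for a contiguous mask, and lists configured default gateways that fall outside the range. The function names and the gateway addresses in the demo are constructed for illustration.

```python
import ipaddress


def _to_int(dotted):
    """Convert a dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def is_cached(dest, lnet_addr, lnet_mask):
    """The rule from the text: (destination AND mask) == local network address."""
    return (_to_int(dest) & _to_int(lnet_mask)) == _to_int(lnet_addr)


def mask_is_contiguous(lnet_mask):
    """True when the mask is a run of 1 bits followed only by 0 bits."""
    inverted = ~_to_int(lnet_mask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def cached_range(lnet_addr, lnet_mask):
    """Return (first, last) address of the range a definition produces.

    Raises ValueError for definitions that cannot describe one range.
    """
    addr, mask = _to_int(lnet_addr), _to_int(lnet_mask)
    if addr & mask != addr:
        # The address has bits set where the mask is 0, so no
        # destination can ever satisfy the comparison.
        raise ValueError("address has bits outside the mask; nothing matches")
    if not mask_is_contiguous(lnet_mask):
        raise ValueError("non-contiguous mask does not describe a single range")
    last = addr | (~mask & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address(addr)), str(ipaddress.IPv4Address(last))


def gateways_outside_range(gateways, lnet_addr, lnet_mask):
    """Default gateways that violate the note 'must be within range'."""
    return [g for g in gateways if not is_cached(g, lnet_addr, lnet_mask)]


if __name__ == "__main__":
    # The three rows of the table above, plus the default definition.
    for addr, mask in [("0.0.0.0", "128.0.0.0"),
                       ("128.0.0.0", "128.0.0.0"),
                       ("205.32.0.0", "255.255.0.0"),
                       ("0.0.0.0", "0.0.0.0")]:
        print(addr, mask, "->", cached_range(addr, mask))

    # Constructed gateway addresses for the audit check.
    print(gateways_outside_range(["205.32.0.1", "10.0.0.1"],
                                 "205.32.0.0", "255.255.0.0"))
```
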


/cfg/l3/nwf Network Filter Configuration

[IP Network Filter 1 Menu]
     addr    - IP Address
     mask    - IP Subnet mask
     enable  - Enable Network Filter
     disable - Disable Network Filter
     delete  - Delete Network Filter
     cur     - Display current Network Filter configuration

IP Network Filter Menu Options (/cfg/l3/nwf)

Command Syntax and Usage

addr <IP address (such as, 192.4.17.44)>
    Sets the starting IP address for this filter. The default address is 0.0.0.0.

mask <IP4 subnet mask (such as, 255.255.255.0) | IP6 mask prefix len (eg, 64)>
    Sets the IP subnet mask that is used with /cfg/l3/nwf/addr to define the range of IP addresses that will be accepted by the peer when the filter is enabled. The default value is 0.0.0.0. For Border Gateway Protocol (BGP), assign the network filter to a route map, then assign the route map to the peer.

enable
    Enables the Network Filter configuration.

disable
    Disables the Network Filter configuration.

delete
    Deletes the Network Filter configuration.

cur
    Displays the current Network Filter configuration. For example:

    Current Network Filter 1: addr 0.0.0.0, mask 0.0.0.0, disabled

/cfg/l3/rmap <route map number> Route Map Configuration Menu

Route maps control and modify routing information.

Note: The map number (1-32) represents the routing map you wish to configure.

[IP Route Map 1 Menu]
     alist   - Access List number
     aspath  - AS Filter Menu
     ap      - Set as-path prepend of the matched route
     lp      - Set local-preference of the matched route
     metric  - Set metric of the matched route
     type    - Set OSPF metric-type of the matched route
     prec    - Set the precedence of this route map
     weight  - Set weight of the matched route
     enable  - Enable route map
     disable - Disable route map
     delete  - Delete route map
     cur     - Display current route map configuration

Routing Map Menu Options (/cfg/l3/rmap)

Command Syntax and Usage

alist <number (1-8)>
    Displays the Access List menu. For more information, see "/cfg/l3/rmap route map number /alist access list number IP Access List Configuration Menu" (page 306).

aspath <number (1-8)>
    Displays the Autonomous System (AS) Filter menu. For more information, see "/cfg/l3/rmap route map number aspath autonomous system path Autonomous System Filter Path" (page 307).

ap <AS number> [ AS number ] [ <AS number> ]|none
    Sets the AS path preference of the matched route. One to three path preferences can be configured.

lp <(value 0-4294967294)> |none
    Sets the local preference of the matched route, which affects both inbound and outbound directions. The path with the higher preference is preferred.

metric <(value 0-4294967294)> |none
    Sets the metric of the matched route.

type <value (1|2)> |none
    Assigns the type of OSPF metric. The default is type 1.
    Type 1: External routes are calculated using both internal and external metrics.
    Type 2: External routes are calculated using only the external metrics. Type 2 routes have more cost than Type 2.
    none: Removes the OSPF metric.

prec <value (1-255)>
    Sets the precedence of the route map. The smaller the value, the higher the precedence. Default value is 10.

weight <value (0-65534)> |none
    Sets the weight of the route map.

enable
    Enables the route map.

disable
    Disables the route map.

delete
    Deletes the route map.

cur
    Displays the current route configuration.

/cfg/l3/rmap <route map number> /alist <access list number> IP Access List Configuration Menu

Note: The route map number (1-32) and the access list number (1-8) represent the IP access list you wish to configure.

[IP Access List 1 Menu]
     nwf     - Network Filter number
     metric  - Metric
     action  - Set Network Filter action
     enable  - Enable Access List
     disable - Disable Access List
     delete  - Delete Access List
     cur     - Display current Access List configuration

IP Access List Menu Options (/cfg/l3/rmap/alist)

Command Syntax and Usage

nwf <network filter number (1-256)>
    Sets the network filter number. See "/cfg/l3/nwf Network Filter Configuration" (page 304) for details.

metric <(1-4294967294)> |none
    Sets the metric value in the AS-External (ASE) LSA.

action permit|deny or p|d
    Permits or denies action for the access list.

enable
    Enables the access list.

disable
    Disables the access list.

delete
    Deletes the access list.

cur
    Displays the current Access List configuration.

/cfg/l3/rmap <route map number> aspath <autonomous system path> Autonomous System Filter Path

Note: The rmap number (1-32) and the path number (1-8) represent the AS path you wish to configure.

[AS Filter 1 Menu]
     as      - AS number
     action  - Set AS Filter action
     enable  - Enable AS Filter
     disable - Disable AS Filter
     delete  - Delete AS Filter
     cur     - Display current AS Filter configuration

AS Filter Menu Options (/cfg/l3/rmap/aspath)

Command Syntax and Usage

as <AS number (1-65535)>
    Sets the Autonomous System filter's path number.

action permit|deny or p|d
    Permits or denies Autonomous System filter action.

enable
    Enables the Autonomous System filter.

disable
    Disables the Autonomous System filter.

delete
    Deletes the Autonomous System filter.

cur
    Displays the current Autonomous System filter configuration.


/cfg/l3/rip Routing Information Protocol Configuration

The Routing Information Protocol (RIP) is an interior gateway protocol (IGP). RIP is one of a class of algorithms known as distance vector algorithms. The distance or hop count is used as the metric to determine the best path to a remote network or host where the hop count does not exceed 15 hops assuming a cost of one for each network. RIP uses broadcast User Datagram Protocol (UDP) data packets to exchange routing information.

RIP sends routing information updates every 30 seconds. This update contains known networks and the distances (hop count) associated with each one. For RIP1, no mask information is exchanged; the natural mask is always applied by the router receiving the update. For RIP2, mask information is sent.

There are two timers associated with each route: a timeout and garbage-collection timer. Upon expiration of the timeout timer, the route is no longer valid but it is retained in the routing table for a short time so that neighbors can be notified that the route has been dropped. Upon expiration of the garbage-collection timer, the route is finally removed from the routing table. The timeout timer is set for 180 seconds and the garbage-collection timer is set for 120 seconds by default.

The menu below is used for configuring globally Routing Information Protocol parameters. The Routing Information Protocol is turned off by default.
[Routing Information Protocol Menu]
     if      - RIP Interface Menu
     update  - Set update period in seconds
     vip     - Enable/disable vip advertisement
     statc   - Enable/disable static routes advertisement
     on      - Globally turn RIP ON
     off     - Globally turn RIP OFF
     current - Display current RIP configuration

Routing Information Protocol Menu (/cfg/l3/rip)

Command Syntax and Usage

if <Interface Number (1-256)>
    Go to the RIP Interface menu. See "/cfg/l3/rip/if RIP Interface Menu" (page 309).

update <update period (1-120 seconds)>
    Sets the RIP update period in seconds. It is set at 30 seconds by default.

vip disable|enable
    Enables or disables the advertisement of virtual IP addresses as Host Routes. If a VIP route exists in a routing table, it will always be advertised except when it is included in another network route that is already being advertised.

    Note: If all real servers behind a VIP go down, the route gets removed from the routing table, and will not be advertised. If we disable all the real servers using operation command, the VIP route does not get eliminated from the routing table, and the switch will continue to advertise the route.

statc disable|enable
    Enables or disables the advertisement of static routes.

on
    Globally turns RIP ON.

off
    Globally turns RIP OFF.

cur
    Displays the current RIP configuration.
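The route aging described at the start of this section (timeout timer, then garbage-collection timer) is easier to follow as a small model. The Python sketch below is an added example, not Nortel code: it tracks routes learned from a single neighbor, using the 180-second and 120-second defaults from the text. Two things are assumptions taken from the RIP specification rather than this page: an expired route is advertised with metric 16 (unreachable), and received metrics are capped at 16. The prefix is a constructed sample.

```python
INFINITY = 16  # RIP metric meaning "unreachable" (RIP specification, not this page)


class RipTable:
    """Routes learned from one RIP neighbor on one interface (simplified)."""

    def __init__(self, timeout=180, garbage=120, if_metric=1):
        self.timeout = timeout      # seconds without an update before expiry
        self.garbage = garbage      # seconds an expired route is retained
        self.if_metric = if_metric  # cost added to every received route
        self.routes = {}            # prefix -> {metric, updated, expired_at}

    def receive(self, prefix, metric, now):
        """Process one route entry from the neighbor's update at time `now`."""
        cost = min(metric + self.if_metric, INFINITY)
        current = self.routes.get(prefix)
        if cost == INFINITY:
            # Unreachable: never install it; if we hold the route, expire it
            # now so the garbage-collection timer starts.
            if current and current["expired_at"] is None:
                current.update(metric=INFINITY, expired_at=now)
            return
        # A usable update (re)installs the route and restarts the timeout.
        self.routes[prefix] = {"metric": cost, "updated": now, "expired_at": None}

    def tick(self, now):
        """Apply the timeout and garbage-collection timers at time `now`."""
        for prefix in list(self.routes):
            route = self.routes[prefix]
            if route["expired_at"] is None and now - route["updated"] >= self.timeout:
                # Timeout: route is invalid but kept so neighbors can be told.
                route["metric"] = INFINITY
                route["expired_at"] = route["updated"] + self.timeout
            if route["expired_at"] is not None and now - route["expired_at"] >= self.garbage:
                # Garbage collection: route finally leaves the table.
                del self.routes[prefix]

    def state(self, prefix, now):
        """Return 'valid', 'expired' or 'removed' for a prefix at time `now`."""
        self.tick(now)
        route = self.routes.get(prefix)
        if route is None:
            return "removed"
        return "expired" if route["expired_at"] is not None else "valid"

    def advertised(self, now):
        """Prefix -> metric as it would appear in our next update."""
        self.tick(now)
        return {prefix: route["metric"] for prefix, route in self.routes.items()}


if __name__ == "__main__":
    table = RipTable()
    table.receive("10.1.0.0/16", 3, now=0)   # constructed sample route
    for t in (0, 179, 180, 299, 300):
        print(t, table.state("10.1.0.0/16", t), table.advertised(t))
```
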

/cfg/l3/rip/if RIP Interface Menu


[RIP Interface 1 Menu]
     version - Set RIP version
     supply  - Enable/disable supplying route updates
     listen  - Enable/disable listening to route updates
     poison  - Enable/disable poisoned reverse
     trigg   - Enable/disable triggered updates
     mcast   - Enable/disable multicast updates
     default - Set default route action
     metric  - Set metric
     auth    - Set authentication type
     key     - Set authentication key
     enable  - Enable interface
     disable - Disable interface
     current - Display current RIP interface configuration

RIP Menu Options

Command Syntax and Usage

version 1|2|both
    Set the RIP version. The default value is 2.

supply disable|enable
    Enables or disables supplying route updates. When enabled, the switch supplies routes to other routers. This is enabled by default.

listen disable|enable
    When enabled, the switch stores routing information from other routers. The default is enabled.

poison disable|enable
    When enabled, the switch uses split horizon with poisoned reverse. The default is disabled. When disabled, the switch uses split horizon only.

mcast disable|enable
    Enable or disable triggered updates. The default is enabled.

default none|listen|supply|both
    Set the default route action. The default action is none.

metric <value [1-15]>
    Set metric value for this RIP interface. The default value is 1.

auth none|password
    Set the type of authentication. The default value is none.

key <key|none (to remove existing key value)>
    Set the authentication key. The default value is none.

enable
    Enable the interface.

disable
    Disable the interface.

current
    Displays current values of all objects settable from this menu.

/cfg/l3/rip/if RIP Interface Conguration Menu


[RIP Interface 1 Menu]
    version  - Set RIP version
    supply   - Enable/disable supplying route updates
    listen   - Enable/disable listening to route updates
    default  - Set default route action
    poison   - Enable/disable poisoned reverse
    trigg    - Enable/disable triggered updates
    mcast    - Enable/disable multicast updates
    metric   - Set metric
    auth     - Set authentication type
    key      - Set authentication key
    enable   - Enable interface
    disable  - Disable interface
    current  - Display current RIP interface configuration

RIP Interface Configuration Menu Options (/cfg/l3/rip/if)

Command Syntax and Usage

version 1|2
    Defines the version of Routing Information Protocol to use, RIP1 or RIP2.

supply disable|enable
    This command is disabled by default. When enabled, the switch supplies routes to other routers.

listen disable|enable
    This command is disabled by default. When enabled, the switch learns routes from other routers.

default disable|enable
    This command is disabled by default. When enabled, the switch accepts RIP default routes from other routers, but gives them lower priority than configured gateways. When disabled, the switch rejects RIP default routes.

poison disable|enable
    This command is disabled by default. When enabled, the switch uses split horizon with poisoned reverse. When disabled, the switch uses only split horizon.

trigg disable|enable
    This command is disabled by default. When enabled, this command allows sending out the routing updates immediately without waiting for the update interval period to lapse. This happens typically when the metric changes for a route.

mcast disable|enable
    This command is disabled by default. When enabled, this command allows the routing update to be sent to a Multicast address.

metric <value [1-15]>
    This command is disabled by default. When enabled, this command allows you to define the interface metric cost, which is a number (1-15) added to the received routes before they are installed in the routing table.

auth none|password
    This command allows the user to enable or disable authentication for RIP messages. Authentication is disabled by default. You can specify none for no authentication or password for simple text password authentication.

key <key>
    This command allows the user to define the RIP authentication password for authenticating incoming RIP updates. This password can also be added for outgoing RIP messages.

enable
    Enables RIP protocol for individual interfaces. When enabled, listen and supply of RIP routes is enabled for the interface.

disable
    Disables RIP protocol for individual interfaces. RIP protocol is disabled for each configured interface by default.

current
    Displays the current RIP configuration.

/cfg/l3/ospf Open Shortest Path First Configuration


Nortel Application Switch Operating System supports the Open Shortest Path First (OSPF) routing protocol. The Nortel Application Switch Operating System implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas.

In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed.

For more information on how to configure OSPF on the switch, refer to the Nortel Application Switch Operating System Application Guide.

[Open Shortest Path First Menu]
    aindex   - OSPF Area (index) Menu
    range    - OSPF Summary Range Menu
    if       - OSPF Interface Menu
    virt     - OSPF Virtual Links Menu
    md5key   - OSPF MD5 Key Menu
    host     - OSPF Host Entry Menu
    redist   - OSPF Route Redistribute Menu
    lsdb     - Set the LSDB limit for external LSA
    default  - Export default route information
    on       - Globally turn OSPF ON
    off      - Globally turn OSPF OFF
    cur      - Display current OSPF configuration

OSPF Configuration Menu Options (/cfg/l3/ospf)

Command Syntax and Usage

aindex <area index (0-2)>
    Displays the area index menu. This area index does not represent the actual OSPF area number. See "/cfg/l3/ospf/aindex Area Index Configuration Menu" (page 314) to view menu options.

range <range number (1-16)>
    Displays summary routes menu for up to 16 IP addresses. See "/cfg/l3/ospf/range OSPF Summary Range Configuration Menu" (page 315) to view menu options.

if <interface number (1-255)>
    Displays the OSPF interface configuration menu. See "/cfg/l3/ospf/if OSPF Interface Configuration Menu" (page 316) to view menu options.

virt <virtual link (1-3)>
    Displays the Virtual Links menu used to configure OSPF for a Virtual Link. See "/cfg/l3/ospf/virt OSPF Virtual Link Configuration Menu" (page 317) to view menu options.

md5key <key ID (1-255)>
    Assigns a string to MD5 authentication key. See

host <host entry number (1-128)>
    Displays the menu for configuring OSPF for the host routes. Up to 128 host routes can be configured. Host routes are used for advertising network device IP addresses to external networks to perform server load balancing within OSPF. It also makes Area Border Route (ABR) load sharing and ABR failover possible. See "/cfg/l3/ospf/host OSPF Host Entry Configuration Menu" (page 319) to view menu options.

redist <fixed|static|rip|ebgp|ibgp>
    Displays Route Distribution Menu. See "/cfg/l3/ospf/redist fixed|static|rip|ebgp|ibgp OSPF Route Redistribution Configuration Menu." (page 320) to view menu options.

lsdb <LSDB limit (0-2000, 0 for no limit)>
    Sets the link state database limit.

default <metric (1-16777215) metric-type 1|2> |none
    Sets one default route among multiple choices in an area. Use none for no default.

on
    Enables OSPF on the Nortel Application Switch.

off
    Disables OSPF on the Nortel Application Switch.

cur
    Displays the current OSPF configuration settings.

/cfg/l3/ospf/aindex Area Index Configuration Menu


[OSPF Area (index) 1 Menu]
    areaid   - Set area ID
    type     - Set area type
    metric   - Set stub area metric
    auth     - Set authentication type
    spf      - Set time interval between two SPF calculations
    enable   - Enable area
    disable  - Disable area
    delete   - Delete area
    cur      - Display current OSPF area configuration

Area Index Configuration Menu Options (/cfg/l3/ospf/aindex)

Command Syntax and Usage

areaid <IP address (such as, 192.4.17.101)>
    Defines the IP address of the OSPF area number.

type transit|stub|nssa
    Defines the type of area. For example, when a virtual link has to be established with the backbone, the area type must be defined as transit.
    Transit area: allows area summary information to be exchanged between routing devices. Any area that is not a stub area or NSSA is considered to be transit area.
    Stub area: is an area where external routing information is not distributed. Typically, a stub area is connected to only one other area.
    NSSA: Not-So-Stubby Area (NSSA) is similar to stub area with additional capabilities. For example, routes originating from within the NSSA can be propagated to adjacent transit and backbone areas. External routes from outside the Autonomous System (AS) can be advertised within the NSSA but are not distributed into other areas.

metric <metric value (1-65535)>

    Configures a stub area to send a numeric metric value. All routes received via that stub area carry the configured metric, potentially influencing routing decisions. Metric value assigns the priority for choosing the switch for default route. Metric type determines the method for influencing routing decisions for external routes.

auth none|password|md5
    None: No authentication required.
    Password: Authenticates simple passwords so that only trusted routing devices can participate.
    MD5: This parameter is used when MD5 cryptographic authentication is required.

spf <interval (0-255)>
    Sets time interval between two successive SPF (shortest path first) calculations of the shortest path tree using Dijkstra's algorithm.

enable
    Enables the OSPF area.

disable
    Disables the OSPF area.

delete
    Deletes the OSPF area.

cur
    Displays the current OSPF configuration.

/cfg/l3/ospf/range OSPF Summary Range Configuration Menu


[OSPF Summary Range 1 Menu]
    addr     - Set IP address
    mask     - Set IP mask
    aindex   - Set area index
    hide     - Enable/disable hide range
    enable   - Enable range
    disable  - Disable range
    delete   - Delete range
    cur      - Display current OSPF summary range configuration

OSPF Summary Range Configuration Menu Options (/cfg/l3/ospf/range)

Command Syntax and Usage

addr <IP Address (such as, 192.4.17.101)>
    Displays the base IP address for the range.

mask <IP address (such as, 192.4.17.101)>
    Displays the IP address mask for the range.

aindex <area index [0-2]>
    Displays the area index used by the Nortel Application Switch.

hide disable|enable
    Hides the OSPF summary range.

enable
    Enables the OSPF summary range.

disable
    Disables the OSPF summary range.

delete
    Deletes the OSPF summary range.

cur
    Displays the current OSPF summary range.

/cfg/l3/ospf/if OSPF Interface Configuration Menu


[OSPF Interface 1 Menu]
    aindex   - Set area index
    prio     - Set interface router priority
    cost     - Set interface cost
    hello    - Set hello interval in seconds
    dead     - Set dead interval in seconds
    trans    - Set transit delay in seconds
    retra    - Set retransmit interval in seconds
    key      - Set authentication key
    mdkey    - Set MD5 key ID
    enable   - Enable interface
    disable  - Disable interface
    delete   - Delete interface
    cur      - Display current OSPF interface configuration

OSPF Interface Configuration Menu Options (/cfg/l3/ospf/if)

Command Syntax and Usage

aindex <area index (0-2)>

    Displays the OSPF area index.

prio <priority value (0-255)>
    Displays the priority value assigned to the Nortel Application Switch's OSPF interfaces. (A priority value of 127 is the highest and 1 is the lowest. A priority value of 0 specifies that the interface cannot be used as Designated Router (DR) or Backup Designated Router (BDR).)

cost <cost value (1-65535)>
    Displays cost set for the selected path (preferred or backup). Usually the cost is inversely proportional to the bandwidth of the interface. Low cost indicates high bandwidth.

hello <value (1-65535)>
    Displays the interval in seconds between the hello packets for the interfaces.

dead <value (1-65535)>
    Displays the health parameters of a hello packet, which is set for an interval of seconds before declaring a silent router to be down.

trans <value (0-3600)>
    Displays the transit delay in seconds.

retra <value (0-3600)>
    Displays the retransmit interval in seconds.

key <key |none>
    Sets the authentication key to clear the password.

mdkey <key ID (1-255)> |none
    Assigns an MD5 key to the interface.

enable
    Enables OSPF interface.

disable
    Disables OSPF interface.

delete
    Deletes OSPF interface.

cur
    Displays the current settings for OSPF interface.

/cfg/l3/ospf/virt

OSPF Virtual Link Configuration Menu


[OSPF Virtual Link 1 Menu]
    aindex   - Set area index
    hello    - Set hello interval in seconds
    dead     - Set dead interval in seconds
    trans    - Set transit delay in seconds
    retra    - Set retransmit interval in seconds
    nbr      - Set router ID of virtual neighbor
    key      - Set authentication key
    mdkey    - Set MD5 key ID
    enable   - Enable interface
    disable  - Disable interface
    delete   - Delete interface
    cur      - Display current OSPF interface configuration

OSPF Virtual Link Configuration Menu Options (/cfg/l3/ospf/virt)

Command Syntax and Usage

aindex <area index (0-2)>
    Displays the OSPF area index.

hello <value (1-65535)>
    Displays the authentication parameters of a hello packet, which is set to be in an interval of seconds.

dead <value (1-65535)>
    Displays the health parameters of a hello packet, which is set to be in an interval of seconds. Default is 40 seconds.

trans <value (1-3600)>
    Displays the delay in transit in seconds. Default is one second.

retra <value (1-3600)>
    Displays the retransmit interval in seconds. Default is five seconds.

nbr <nbr router ID (IP address)>
    Displays the router ID of the virtual neighbor. Default is 0.0.0.0.

key <key> |none
    Displays the password (up to eight characters) for each virtual link. Default is none.

mdkey <key ID (1-255)> |none
    Sets MD5 key ID for each virtual link. Default is none.

enable
    Enables OSPF virtual link.

disable

    Disables OSPF virtual link.

delete
    Deletes OSPF virtual link.

cur
    Displays the current OSPF virtual link settings.

/cfg/l3/ospf/md5key OSPF MD5 Key Configuration Menu


[OSPF MD5 Key 1 Menu]
    key     - Set authentication key
    delete  - Delete key
    cur     - Display current MD5 key configuration

OSPF MD5 Key Configuration Menu Options (/cfg/l3/ospf/md5key)

Command Syntax and Usage

key <key, up to 16 chars>
    Sets the authentication key up to 16 characters for this OSPF packet.

delete
    Deletes the authentication key for this OSPF packet.

cur
    Displays the current MD5 key configuration.
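
An added example (not part of the Nortel reference): a small audit of the routing authentication settings described above, covering the RIP interface auth and key commands and the OSPF aindex auth, if key/mdkey and md5key menus. The flat one-setting-per-line input layout, the finding labels and the sample values are assumptions made for this example; the layout is not the switch's own configuration dump format.

```python
import re
from collections import defaultdict

# Constructed sample, one setting per line: "<menu path> <index> <command> [value]".
# The flat layout is an assumption of this example, not the switch's dump format;
# "<set>" stands in for a configured secret.
SAMPLE = """\
/cfg/l3/rip/if 1 auth none
/cfg/l3/rip/if 1 enable
/cfg/l3/rip/if 2 auth password
/cfg/l3/rip/if 2 key <set>
/cfg/l3/rip/if 2 enable
/cfg/l3/ospf/aindex 0 auth md5
/cfg/l3/ospf/aindex 0 enable
/cfg/l3/ospf/aindex 1 auth password
/cfg/l3/ospf/aindex 1 enable
/cfg/l3/ospf/md5key 1 key <set>
/cfg/l3/ospf/if 1 aindex 0
/cfg/l3/ospf/if 1 mdkey 1
/cfg/l3/ospf/if 1 enable
/cfg/l3/ospf/if 2 aindex 0
/cfg/l3/ospf/if 2 mdkey 7
/cfg/l3/ospf/if 2 enable
/cfg/l3/ospf/if 3 aindex 0
/cfg/l3/ospf/if 3 enable
/cfg/l3/ospf/if 4 aindex 1
/cfg/l3/ospf/if 4 key <set>
/cfg/l3/ospf/if 4 enable
"""

LINE = re.compile(
    r"^(/cfg/l3/(?:rip/if|ospf/(?:aindex|if|md5key)))\s+(\d+)\s+(\S+)(?:\s+(\S+))?$"
)


def parse(text):
    """Return {(menu, index): {command: value}}; bare commands map to True."""
    cfg = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            menu, idx, cmd, val = m.groups()
            cfg[(menu, int(idx))][cmd] = True if val is None else val
    return cfg


def is_set(value):
    """A key or key ID counts as configured unless absent or 'none'."""
    return value is not None and value != "none"


def audit(text):
    """Return (object, issue) findings for enabled RIP and OSPF entries."""
    cfg = parse(text)

    def enabled(menu):
        # Only entries with an explicit 'enable' are audited. The reference states
        # RIP interfaces are disabled by default; for OSPF this is an assumption.
        rows = [(i, s) for (m, i), s in cfg.items() if m == menu and s.get("enable")]
        return sorted(rows, key=lambda r: r[0])

    findings = []
    for idx, s in enabled("/cfg/l3/rip/if"):
        auth = s.get("auth", "none")  # documented default for RIP: none
        if auth == "none":
            findings.append((f"rip/if {idx}", "no-auth"))
        elif auth == "password":
            # Simple text password: the secret travels unencrypted in updates.
            findings.append((f"rip/if {idx}", "cleartext-password"))
            if not is_set(s.get("key")):
                findings.append((f"rip/if {idx}", "password-without-key"))

    # An unset OSPF area auth is treated as 'none' (assumption; no default is documented).
    areas = {i: s.get("auth", "none") for i, s in enabled("/cfg/l3/ospf/aindex")}
    md5keys = {i for (m, i), s in cfg.items()
               if m == "/cfg/l3/ospf/md5key" and is_set(s.get("key"))}
    for idx, auth in areas.items():
        if auth == "none":
            findings.append((f"ospf/aindex {idx}", "no-auth"))
        elif auth == "password":
            findings.append((f"ospf/aindex {idx}", "cleartext-password"))

    for idx, s in enabled("/cfg/l3/ospf/if"):
        area = s.get("aindex")
        if not str(area).isdigit() or int(area) not in areas:
            continue  # interface cannot be tied to an audited area
        auth = areas[int(area)]
        if auth == "password" and not is_set(s.get("key")):
            findings.append((f"ospf/if {idx}", "password-area-without-key"))
        elif auth == "md5":
            mdkey = s.get("mdkey")
            if not is_set(mdkey):
                findings.append((f"ospf/if {idx}", "md5-area-without-mdkey"))
            elif not str(mdkey).isdigit() or int(mdkey) not in md5keys:
                findings.append((f"ospf/if {idx}", "mdkey-not-defined"))
    return findings


if __name__ == "__main__":
    for obj, issue in audit(SAMPLE):
        print(f"{obj}: {issue}")
```

The cross-check between the area's auth type, the interface's mdkey and the md5key table is the part a line-by-line read of the settings tends to miss.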

/cfg/l3/ospf/host OSPF Host Entry Configuration Menu


[OSPF Host Entry 1 Menu]
    addr     - Set host entry IP address
    aindex   - Set area index
    cost     - Set cost of this host entry
    enable   - Enable host entry
    disable  - Disable host entry
    delete   - Delete host entry
    cur      - Display current OSPF host entry configuration

OSPF Host Entry Configuration Menu Options (/cfg/l3/ospf/host)

Command Syntax and Usage

addr <IP address (such as, 192.4.17.101)>
    Displays the base IP address for the host entry.

aindex <area index [0-2]>
    Displays the area index of the host.

cost <cost value [1-65535]>
    Displays the cost value of the host.

enable
    Enables OSPF host entry.

disable
    Disables OSPF host entry.

delete
    Deletes OSPF host entry.

cur
    Displays the current OSPF host entries.

/cfg/l3/ospf/redist <fixed|static|rip|ebgp|ibgp> OSPF Route Redistribution Configuration Menu


[OSPF Redistribute Fixed Menu]
    add     - Add rmap into route redistribution list
    rem     - Remove rmap from route redistribution list
    export  - Export all routes of this protocol
    cur     - Display current route-maps added

OSPF Route Redistribution Menu Options (/cfg/l3/ospf/redist)

Command Syntax and Usage

add <(route map (1-32) route map (1-32))> |all
    Adds selected routing maps to the rmap list. To add all the 32 route maps, enter all. To add specific route maps, enter routing map numbers one per line, NULL at the end. This option adds a route map to the route redistribution list. The routes of the redistribution protocol matched by the route maps in the route redistribution list will be redistributed.

rem <(route map (1-32) route map (1-32))> ... |all
    Removes the route map from the route redistribution list. Removes routing maps from the rmap list. To remove all 32 route maps, enter all. To remove specific route maps, enter routing map numbers one per line, NULL at end.

export <metric (1-16777215) metric type (1|2)> |none
    Exports the routes of this protocol as external OSPF AS-external LSAs in which the metric and metric type are specified. To remove a previous configuration and stop exporting the routes of the protocol, enter none.

cur
    Displays the current route map settings.

/cfg/l3/bgp Border Gateway Protocol Configuration


Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to share routing information with each other and advertise information about the segments of the IP address space they can access within their network with routers on external networks. BGP allows you to decide what is the "best" route for a packet to take from your network to a destination on another network, rather than simply setting a default route from your border router(s) to your upstream provider(s).

You can configure BGP either within an autonomous system or between different autonomous systems. When run within an autonomous system, it is called internal BGP (iBGP). When run between different autonomous systems, it is called external BGP (eBGP). BGP is defined in RFC 1771.

The BGP Menu enables you to configure the switch to receive routes and to advertise static routes, fixed routes and virtual server IP addresses with other internal and external routers. BGP is turned off by default.

[Border Gateway Protocol Menu]
    peer     - Peer menu
    aggr     - Aggregation menu
    as       - Set Autonomous System (AS) number
    maxpath  - Set Max AS Path Length
    pref     - Set Local Preference
    on       - Globally turn BGP ON
    off      - Globally turn BGP OFF
    cur      - Display current BGP configuration

Note: Fixed routes are subnet routes. There is one fixed route per IP interface.

Border Gateway Protocol Menu (/cfg/l3/bgp)

Command Syntax and Usage

peer <peer number (1-16)>

    Displays the menu used to configure each BGP peer. Each border router, within an autonomous system, exchanges routing information with routers on other external networks. To view menu options, see "/cfg/l3/bgp/peer peer number BGP Peer Configuration Menu" (page 322).

aggr <aggregate number (1-16)>
    Displays the Aggregation Menu. To view menu options, see "/cfg/l3/bgp/aggr aggregate number BGP Aggregate Routing Configuration Menu" (page 326).

as <autonomous system number (1-65535)>
    Sets Autonomous System Number for this autonomous system. An autonomous system (AS) is the unit of router policy, either a single network or a group of networks that is controlled by a common network administrator on behalf of an administrative entity (such as a university, a business enterprise, or a business division). An autonomous system is assigned a globally unique number called an Autonomous System Number (ASN). An autonomous system shares routing information with other autonomous systems using the Border Gateway Protocol (BGP).

maxpath <max AS path length (1-127)>
    This command limits the maximum length of an accepted AS Path. The default value is 50. Paths greater than this value will be ignored. The command is designed to protect the MP CPU, memory resources and routing table from BGP-based attacks, BGP errors and probes designed to locate BGP speaking devices that do not limit the maximum AS Path.

pref <preference (0-4294967294)>
    Sets the local preference. The path with the higher value is preferred. When multiple peers advertise the same route, use the route with the shortest AS path as the preferred route if you are using eBGP, or use the local preference if you are using iBGP.

on
    Globally turns BGP on.

off
    Globally turns BGP off.

cur
    Displays the current BGP configuration.

/cfg/l3/bgp/peer <peer number>

BGP Peer Configuration Menu


[BGP Peer 1 Menu]
    redist   - Redistribution menu
    addr     - Set remote IP address
    ras      - Set remote autonomous system number
    hold     - Set hold time
    alive    - Set keep alive time
    advert   - Set min time between advertisements
    retry    - Set connect retry interval
    orig     - Set min time between route originations
    ttl      - Set time-to-live of IP datagrams
    addi     - Add rmap into in-rmap list
    addo     - Add rmap into out-rmap list
    remi     - Remove rmap from in-rmap list
    remo     - Remove rmap from out-rmap list
    enable   - Enable peer
    disable  - Disable peer
    delete   - Delete peer
    cur      - Display current peer configuration

This menu is used to configure BGP peers, which are border routers that exchange routing information with routers on internal and external networks. The peer option is disabled by default.

BGP Peer Configuration Options (/cfg/l3/bgp/peer)

Command Syntax and Usage

redist
    Displays BGP Redistribution Menu. To view the menu options, see "/cfg/l3/bgp/peer/redist BGP Redistribution Configuration Menu" (page 324).

addr <IP address (such as, 192.4.17.101)>
    Defines the IP address for the specified peer (border router), using dotted decimal notation. The default address is 0.0.0.0.

ras <AS number (0-65535)>
    Sets the remote autonomous system number for the specified peer.

hold <hold time (0, 3-65535)>
    Sets the period of time, in seconds, that will elapse before the peer session is torn down because the switch hasn't received a "keep alive" message from the peer. It is set at 90 seconds by default.

alive <keepalive time (0, 1-21845)>
    Sets the keep-alive time for the specified peer in seconds. It is set at 0 by default.

advert <min adv time (1-65535)>

    Sets time in seconds between advertisements.

retry <connect retry interval (1-65535)>
    Sets connection retry interval in seconds.

orig <min orig time (1-65535)>
    Sets the minimum time between route originations in seconds.

ttl <number of router hops (1-255)>
    Time-to-live (TTL) is a value in an IP packet that tells a network router whether or not the packet has been in the network too long and should be discarded. TTL specifies a certain time span in seconds that, when exhausted, would cause the packet to be discarded. The TTL is determined by the number of router hops the packet is allowed before it must be discarded.
    This command specifies the number of router hops that the IP packet can make. This value is used to restrict the number of "hops" the advertisement makes. It is also used to support multi-hops, which allow BGP peers to talk across a routed network. The default number is set at 1.

addi <route map ID (1-32)>
    Adds route map into in-route map list.

addo <route map ID (1-32)>
    Adds route map into out-route map list.

remi <route map ID (1-32)>
    Removes route map from in-route map list.

remo <route map ID (1-32)>
    Removes route map from out-route map list.

ena
    Enables this peer configuration.

dis
    Disables this peer configuration.

del
    Deletes this peer configuration.

cur
    Displays the current BGP peer configuration.

/cfg/l3/bgp/peer/redist

BGP Redistribution Configuration Menu


[Redistribution Menu]
    metric   - Set default-metric of advertised routes
    default  - Set default route action
    rip      - Enable/disable advertising RIP routes
    ospf     - Enable/disable advertising OSPF routes
    fixed    - Enable/disable advertising fixed routes
    static   - Enable/disable advertising static routes
    vip      - Enable/disable advertising VIP routes
    cur      - Display current redistribution configuration

BGP Redistribution Configuration Menu Options (/cfg/l3/bgp/peer/redist)

Command Syntax and Usage

metric <metric (1-4294967294)> |none
    Sets default metric of advertised routes.

default none|import|originate|redistribute
    Sets default route action. Default routes can be configured as import, originate, redistribute, or none.
    None: No routes are configured.
    Import: Import these routes.
    Originate: The switch sends a default route to peers even though it does not have any default routes in its routing table.
    Redistribute: Default routes are either configured through default gateway or learned through other protocols and redistributed to peer. If the routes are learned from default gateway configuration, you have to enable static routes since the routes from default gateway are static routes. Similarly, if the routes are learned from a certain routing protocol, you have to enable that protocol in this redistribute submenu.

rip disable|enable
    Enables or disables advertising RIP routes.

ospf disable|enable
    Enables or disables advertising OSPF routes.

fixed disable|enable
    Enables or disables advertising fixed routes.

static disable|enable
    Enables or disables advertising static routes.

vip disable|enable
    Enables or disables advertising VIP routes.

cur
    Displays the current redistribution configuration.

/cfg/l3/bgp/aggr <aggregate number> BGP Aggregate Routing Configuration Menu


Note: The aggregate number (1-16) represents the aggregation route you wish to configure.

[BGP Aggr 1 Menu]
    addr     - Set aggregation IP address
    mask     - Set aggregation network mask
    enable   - Enable aggregation
    disable  - Disable aggregation
    delete   - Delete aggregation
    current  - Display current aggregation configuration

This menu allows you to configure aggregate routing to condense the number of routes between internal and external peer routers.

BGP Aggregate Menu Options (/cfg/l3/ip/bgp/aggr)

Command Syntax and Usage

addr <IP address, such as 192.4.17.101>
    Adds the IP address to the selected aggregate.

mask <IP subnet mask, such as 255.255.255.0>
    Sets the IP mask for the selected aggregate.

enable
    Enables the selected aggregate.

disable
    Disables the selected aggregate.

delete
    Deletes the selected aggregate.

current
    Displays the current aggregate configuration.

/cfg/l3/port <port number> IP Forwarding Port Configuration Menu


[IP Forwarding Port 1 Menu]
    on   - Turn Forwarding ON
    off  - Turn Forwarding OFF
    cur  - Display current port configuration

The Layer 3 Port Menu allows you to turn IP forwarding on or off on a port-by-port basis. By default, the port forwarding option is turned on.
IP Forwarding Port Configuration Menu Options (/cfg/l3/port)

Command Syntax and Usage

on
    Enables IP forwarding for the current port.

off
    Disables IP forwarding for the current port.

cur
    Displays the current IP forwarding settings.

/cfg/l3/dns Domain Name System Configuration Menu


[Domain Name System Menu]
    prima  - Set IP address of primary DNS server
    secon  - Set IP address of secondary DNS server
    dname  - Set default domain name
    cur    - Display current DNS configuration

The Domain Name System (DNS) Menu is used for defining the primary and secondary DNS servers on your local network, and for setting the default domain name served by the switch services. DNS parameters must be configured prior to using hostname parameters with the ping, traceroute, and tftp commands.

Domain Name System Menu Options (/cfg/l3/dns)

Command Syntax and Usage

prima <IP address (such as, 192.4.17.101)>
    You will be prompted to set the IP address for your primary DNS server. Use dotted decimal notation.

secon <IP address (such as, 192.4.17.101)>

    You will be prompted to set the IP address for your secondary DNS server. If the primary DNS server fails, the configured secondary will be used instead. Enter the IP address using dotted decimal notation.

dname <dotted DNS notation> |none
    Sets the default domain name used by the switch. For example: mycompany.com

cur
    Displays the current Domain Name System settings.

/cfg/l3/bootp Bootstrap Protocol Relay Configuration Menu


[Bootstrap Protocol Relay Menu]
    addr   - Set IP address of BOOTP server
    addr2  - Set IP address of second BOOTP server
    on     - Globally turn BOOTP relay ON
    off    - Globally turn BOOTP relay OFF
    cur    - Display current BOOTP relay configuration

The Bootstrap Protocol (BOOTP) Relay Menu is used to allow hosts to obtain their configurations from a Dynamic Host Configuration Protocol (DHCP) server. The BOOTP configuration enables the switch to forward a client request for an IP address to two DHCP/BOOTP servers with IP addresses that have been configured on the Nortel Application Switch. BOOTP relay menu is turned off by default.

Bootstrap Protocol Relay Configuration Menu Options (/cfg/l3/bootp)

Command Syntax and Usage

addr <IP address (such as, 192.4.17.101)>
    Sets the IP address of the BOOTP server.

addr2 <IP address (such as, 192.4.17.101)>
    Sets the IP address of the second BOOTP server.

on
    Globally turns on BOOTP relay.

off
    Globally turns off BOOTP relay.

cur
    Displays the current BOOTP relay configuration.

/cfg/l3/vrrp VRRP Configuration Menu


[Virtual Router Redundancy Protocol Menu]
    vr       - VRRP Virtual Router Menu
    vrgroup  - VRRP Virtual Router Vrgroup Menu
    group    - VRRP Virtual Router Group Menu
    if       - VRRP Interface Menu
    track    - VRRP Priority Tracking Menu
    hotstan  - Enable/disable hot-standby processing
    on       - Globally turn VRRP ON
    off      - Globally turn VRRP OFF
    holdoff  - Globally VRRP hold off time
    cur      - Display current VRRP configuration

Virtual Router Redundancy Protocol (VRRP) support on Nortel Application Switch provides redundancy between routers in a LAN. This is accomplished by configuring the same virtual router IP address and ID number on each participating VRRP-capable routing device. One of the virtual routers is then elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address.

Note: The IP address of a VRRP virtual interface router (VIR) and virtual server router (VSR) must be in the same IP subnet as the interface to which it is assigned.

By default, VRRP is disabled. Nortel Application Switch Operating System has extended VRRP to include virtual servers as well, allowing for full active/active redundancy between its Layer 4 switches. For more information on VRRP, see the "High Availability" chapter in your Nortel Application Switch Operating System Application Guide.

Virtual Router Redundancy Protocol Options (/cfg/l3/vrrp)

Command Syntax and Usage

vr <virtual router number (1-1024)>
    Displays the VRRP Virtual Router Menu. This menu is used for configuring up to 1024 virtual routers on this switch. To view menu options, see "/cfg/l3/vrrp/vr router number Virtual Router Configuration Menu" (page 330).

vrgroup <virtual router vrgroup number (1-16)>
    Displays VR Group Menu. To view menu options, see "/cfg/l3/vrrp/vrgroup Virtual Router Group Menu" (page 335).

group

    Displays the VRRP virtual router group menu, used to combine all virtual routers together as one logical entity. Group options must be configured when using two or more Nortel Application Switches in a hot-standby failover configuration where only one switch is active at any given time. To view menu options, see "/cfg/l3/vrrp/group Virtual Router Group Configuration" (page 338).

if <interface number (1-255)>
    Displays the VRRP Virtual Router Interface Menu. To view menu options, see "/cfg/l3/vrrp/if <interface number> VRRP Interface Configuration" (page 342).

track
    Displays the VRRP Tracking Menu. This menu is used for weighting the criteria used when modifying priority levels in the master router election process. To view menu options, see "/cfg/l3/vrrp/track VRRP Tracking Configuration" (page 342).

hotstan disable|enable
    Enables or disables hot standby processing, in which two or more switches provide redundancy for each other. By default, this option is disabled.

on
    Globally enables VRRP on this switch.

off
    Globally disables VRRP on this switch.

holdoff <0-255 seconds>
    Globally suspends VRRP operation for the specified interval.

cur
    Displays the current VRRP parameters.

/cfg/l3/vrrp/vr <router number> Virtual Router Configuration Menu


[VRRP Virtual Router 1 Menu]
     track - Priority Tracking Menu
     ipver - Set IP version
     vrid  - Set virtual router ID
     addr  - Set IP address
     if    - Set interface number
     prio  - Set renter priority
     adver - Set advertisement interval
     preem - Enable or disable preemption
     share - Enable or disable sharing
     ena   - Enable virtual router
     dis   - Disable virtual router
     del   - Delete virtual router
     cur   - Display current VRRP virtual router configuration

This menu is used for configuring up to 256 virtual routers for this switch. A virtual router is defined by its virtual router ID and an IP address. On each VRRP-capable routing device participating in redundancy for this virtual router, a virtual router will be configured to share the same virtual router ID and IP address. Virtual routers are disabled by default.

Note: The VRRP3 VRID for IPv6 VRRP configuration has a range of 1 to 255.

VRRP Virtual Router Options (/cfg/l3/vrrp/vr)

Command Syntax and Usage

track
    Displays the VRRP Priority Tracking Menu for this virtual router. Tracking is Nortel's proprietary extension to VRRP, used for modifying the standard priority system used for electing the master router. Tracking is not needed if sharing (share) is enabled. To view menu options, see "/cfg/l3/vrrp/vr <router number> /track Virtual Router Priority Tracking Configuration" (page 333).

ipver v4|v6
    Sets the version of the Internet Protocol supported by this virtual router. The default value is v4.

vrid <virtual router ID (1-1024)>
    Defines the virtual router ID. This is used in conjunction with addr (below) to define a virtual router on this switch. To create a pool of VRRP-enabled routing devices which can provide redundancy to each other, each participating VRRP device must be configured with the same virtual router: one that shares the same vrid and addr combination. The vrid for standard virtual routers (where the virtual router IP address is not the same as any virtual server) can be any integer between 1 and 255. The default value is 1. The vrid of virtual server routers where the virtual router IP address is the same as the virtual server can be between 1 and 1024. All vrid values must be unique within the VLAN to which the virtual router's IP interface belongs.

addr <IP address>
    Defines the IP address for this virtual router using the notation appropriate to the IP version supported by this virtual router. IPv4 addresses use a dotted decimal notation (such as 192.168.0.1) and IPv6 addresses use a hexadecimal format (such as 2006:0:0:0:0:0:20:64). This is used in conjunction with the vrid (above) to configure the same virtual router on each participating VRRP device. The default address is 0.0.0.0.

if <interface number (1-256)>
    Selects a switch IP interface (between 1 and 256). If the IP interface has the same IP address as the addr option above, this switch is considered the "owner" of the defined virtual router. An owner has a special priority of 255 (highest) and will always assume the role of master router, even if it must preempt another virtual router which has assumed master routing authority. This preemption occurs even if the preem option below is disabled. The default value is 1.

prio <priority (1-254)>
    Defines the election priority bias for this virtual server. This can be any integer between 1 and 254. The default value is 100. During the master router election process, the routing device with the highest virtual router priority number wins. If there is a tie, the device with the highest IP interface address wins. If this virtual router's IP address (addr) is the same as the one used by the IP interface, the priority for this virtual router will automatically be set to 255 (highest). When priority tracking is used (/cfg/l3/vrrp/track or /cfg/l3/vrrp/vr #/track), this base priority value can be modified according to a number of performance and operational criteria.

adver <seconds (1-255)>
    Defines the time interval between VRRP master advertisements. This can be any integer between 1 and 255 seconds. The default value is 1.

preem disable|enable
    Enables or disables master preemption. When enabled, if this virtual router is in backup mode but has a higher priority than the current master, this virtual router will preempt the lower priority master and assume control. Note that even when preem is disabled, this virtual router will always preempt any other master if this switch is the owner (the IP interface address and virtual router addr are the same). By default, this option is enabled.

share disable|enable
    Enables or disables virtual router sharing, a Nortel proprietary extension to VRRP. When enabled, this switch will process any traffic addressed to this virtual router, even when in backup mode. By default, this option is enabled.

ena
    Enables this virtual router.

dis
    Disables this virtual router.

del
    Deletes this virtual router from the switch configuration.

cur
    Displays the current configuration information for this virtual router.

/cfg/l3/vrrp/vr <router number> /track Virtual Router Priority Tracking Configuration


[VRRP Virtual Router 1 Priority Tracking Menu]
     vrs   - Enable/disable tracking master virtual routers
     ifs   - Enable/disable tracking other interfaces
     ports - Enable/disable tracking VLAN switch ports
     l4pts - Enable/disable tracking L4 switch ports
     reals - Enable/disable tracking L4 real servers
     hsrp  - Enable/disable tracking HSRP
     hsrv  - Enable/disable tracking HSRP by VLAN
     cur   - Display current VRRP virtual router configuration

This menu is used for modifying the priority system used when electing the master router from a pool of virtual routers. Various tracking criteria can be used to bias the election results. Each time one of the tracking criteria is met, the priority level for the virtual router is increased by an amount defined through the VRRP Tracking Menu (see "/cfg/l3/vrrp/track VRRP Tracking Configuration" (page 342)). Criteria are tracked dynamically, continuously updating virtual router priority levels when enabled. If the virtual router preemption option (see preem in "VRRP Virtual Router Options (/cfg/l3/vrrp/vr)" (page 331)) is enabled, this virtual router can assume master routing authority when its priority level rises above that of the current master.

Some tracking criteria (vrs, ifs, and ports below) apply to standard virtual routers, otherwise called "virtual interface routers." Other tracking criteria (l4pts, reals, and hsrp) apply to "virtual server routers," which perform Layer 4 Server Load Balancing functions. A virtual server router is defined as any virtual router whose IP address (addr) is the same as any configured virtual server IP address.

VRRP Priority Tracking Menu Options (/cfg/l3/vrrp/vr/track)

Command Syntax and Usage

vrs disable|enable
    When enabled, the priority for this virtual router will be increased for each virtual router in master mode on this switch. This is useful for making sure that traffic for any particular client/server pairing is handled by the same switch, increasing routing and load balancing efficiency. This command is disabled by default.

ifs disable|enable
    When enabled, the priority for this virtual router will be increased for each IP interface active on this switch. An IP interface is considered active when there is at least one active port on the same VLAN. This helps elect the virtual routers with the most available routes as the master. This command is disabled by default.

ports disable|enable
    When enabled, the priority for this virtual router will be increased for each active port on the same VLAN. A port is considered "active" if it has a link and is forwarding traffic. This helps elect the virtual routers with the most available ports as the master. This command is disabled by default.

l4pts disable|enable
    When enabled for virtual server routers, the priority for this virtual router will be increased for each physical switch port which has active Layer 4 processing on this switch. This helps elect the main Layer 4 switch as the master. This command is disabled by default.

reals disable|enable
    When enabled for virtual server routers, the priority for this virtual router will be increased for each healthy real server behind the virtual server IP address of the same IP address as the virtual router on this switch. This helps elect the switch with the largest server pool as the master, increasing Layer 4 efficiency. This command is disabled by default.

hsrp disable|enable
    Hot Standby Router Protocol (HSRP) is used with some types of routers for establishing router failover. In networks where HSRP is used, enable this switch option to increase the priority of this virtual router for each Layer 4 client-only port that receives HSRP advertisements. Enabling HSRP helps elect the switch closest to the master HSRP router as the master, optimizing routing efficiency. This command is disabled by default.

hsrv disable|enable
    Hot Standby Router on VLAN (HSRV) is used to work in VLAN-tagged environments. Enable this switch option to increment only that VRRP instance that is on the same VLAN as the tagged HSRP master flagged packet. This command is disabled by default.

cur
    Displays the current configuration for priority tracking for this virtual router.

/cfg/l3/vrrp/vrgroup Virtual Router Group Menu


This feature allows the failover of individual groups of VIRs and VSRs. When Web hosting is shared between two or more customers on a single VRRP switch, you can group VIRs and VSRs to serve the high availability of a specific customer. If failover occurs on a customer link, the group of VIRs and VSRs associated with that customer alone will fail over to the backup switch. The VIRs and VSRs configured for the other customers on the master switch are not affected. Up to 16 virtual router groups can be configured on the switch.

[VRRP Virtual Router Vrgroup 1 Menu]
     track   - Priority Tracking Menu
     name    - Set virtual router group name
     add     - Add virtual router to group
     rem     - Remove virtual router from group
     prio    - Set priority for virtual router group
     trackvr - Set track virtual router for group
     adver   - Set advertisement interval for group
     preem   - Enable/disable preemption for group
     share   - Enable/disable sharing for group
     ena     - Enable virtual router group
     dis     - Disable virtual router group
     del     - Delete virtual router group
     cur     - Display current VRRP virtual router group configuration

Virtual Router Group Menu Options (/cfg/l3/vrrp/vrgroup)

Command Syntax and Usage

track
    Displays VRRP priority tracking menu for this virtual router group. Tracking is Nortel's proprietary extension to VRRP, used for modifying the standard priority system used for electing the master router. To view menu options, see "/cfg/l3/vrrp/vrgroup <vrgroup number> /track Virtual Router Group Priority Tracking Configuration Me" (page 337).

name
    Defines virtual router group name up to eight characters.

add <virtual router number (1-1024)>
    Adds a virtual router to the group. Each virtual router group can have up to 64 virtual routers.

rem <virtual router number (1-1024)>
    Removes a virtual router from the group.

prio <1-254>
    Defines the election priority bias for this virtual router group. This can be any integer between 1 and 254. The default value is 100. During the master router election process, the routing device with the highest virtual router priority number wins. If there is a tie, the device with the highest IP interface address wins. If this virtual router's IP address (addr) is the same as the one used by the IP interface, the priority for this virtual router will automatically be set to 255 (highest). When priority tracking is used (/cfg/l3/vrrp/vrgroup #/track), this base priority value can be modified according to a number of performance and operational criteria.

trackvr <virtual router number (0-1024)>
    Set track virtual router for group.

adver <1-255 seconds>
    Set advertisement interval for group.

preem disable|enable
    Enable/disable preemption for group.

share disable|enable
    Enable/disable sharing for group.

ena
    Enables the virtual router group.

dis
    Disables the virtual router group.

del
    Deletes the virtual router group.

cur
    Displays the current VRRP virtual router group configuration.

/cfg/l3/vrrp/vrgroup <vrgroup number> /track Virtual Router Group Priority Tracking Configuration Menu

This menu is used for modifying the priority system used when electing the master router from a pool of virtual routers. Various tracking criteria can be used to bias the election results. Each time one of the tracking criteria is met, the priority level for the virtual router is increased by an amount defined through the VRRP Tracking Menu (see "/cfg/l3/vrrp/track VRRP Tracking Configuration" (page 342)). Criteria are tracked dynamically, continuously updating virtual router priority levels when enabled.

[VRRP Vrgroup 1 Priority Tracking Menu]
     ifs   - Enable/disable tracking interfaces
     ports - Enable/disable tracking VLAN switch ports
     l4pts - Enable/disable tracking L4 switch ports
     reals - Enable/disable tracking L4 real servers
     hsrp  - Enable/disable tracking HSRP
     hsrv  - Enable/disable tracking HSRP by VLAN
     cur   - Display current VRRP vrgroup tracking configuration

Virtual Router Group Priority Tracking Menu Options (/cfg/l3/vrrp/vrgroup/track)

Command Syntax and Usage

ifs disable|enable
    When enabled, the priority will be increased for each IP interface active on this virtual router group. An IP interface is considered active when there is at least one active port on the same VLAN. This helps elect the virtual routers with the most available routes as the master. This command is disabled by default.

ports disable|enable
    When enabled, the priority will be increased for each active port on the VLAN on this virtual router group. A port is considered "active" if it has a link and is forwarding traffic. This helps elect the virtual routers with the most available ports as the master. This command is disabled by default.

l4pts disable|enable
    When enabled for virtual server routers, the priority will be increased for each physical switch port which has active Layer 4 processing on this virtual router group. This helps elect the main Layer 4 switch as the master. This command is disabled by default.

reals disable|enable
    When enabled for virtual server routers, the priority will be increased for each healthy real server behind the virtual server IP address of the same IP address as the virtual router on this virtual router group. This helps elect the switch with the largest server pool as the master, increasing Layer 4 efficiency. This command is disabled by default.

hsrp disable|enable
    Hot Standby Router Protocol (HSRP) is used with some types of routers for establishing router failover. In networks where HSRP is used, enable this switch option to increase the priority of this virtual router group for each Layer 4 client-only port that receives HSRP advertisements. Enabling HSRP helps elect the switch closest to the master HSRP router as the master, optimizing routing efficiency. This command is disabled by default.

hsrv disable|enable
    Hot Standby Router on VLAN (HSRV) is used to work in VLAN-tagged environments. Enable this switch option to increment only that VRRP instance on the virtual router group that is on the same VLAN as the tagged HSRP master flagged packet. This command is disabled by default.

cur
    Displays the current configuration for priority tracking for this virtual router group.

/cfg/l3/vrrp/group Virtual Router Group Configuration


[VRRP Virtual Router Group Menu]
     track - Priority Tracking Menu
     ipver - Set IP version
     vrid  - Set virtual router ID
     if    - Set interface number
     prio  - Set renter priority
     adver - Set advertisement interval
     preem - Enable or disable preemption
     share - Enable or disable sharing
     ena   - Enable virtual router
     dis   - Disable virtual router
     del   - Delete virtual router
     cur   - Display current VRRP virtual router configuration

The Virtual Router Group menu is used for associating all virtual routers into a single logical virtual router, which forces all virtual routers on the Nortel Application Switch to either be master or backup as a group. A virtual router is defined by its virtual router ID and an IP address. On each VRRP-capable routing device participating in redundancy for this virtual router, a virtual router will be configured to share the same virtual router ID and IP address.

Note: This option is required to be configured only when using at least two Nortel Application Switches in a hot-standby failover configuration, where only one switch is active at any time.

VRRP Virtual Router Group Options (/cfg/l3/vrrp/group)

Command Syntax and Usage

track
    Displays the VRRP Priority Tracking Menu for the virtual router group. Tracking is Nortel's proprietary extension to VRRP, used for modifying the standard priority system used for electing the master router. Tracking is not needed if sharing (share) is enabled. To view menu options, see "/cfg/l3/vrrp/track VRRP Tracking Configuration" (page 342).

ipver v4|v6
    Sets the version of the Internet Protocol supported by the virtual router group. The default value is v4.

vrid <virtual router ID (1-255)>
    Defines the virtual router ID for this group.

if <interface number (1-256)>
    Selects a switch IP interface (between 1 and 256). The default switch IP interface number is 1.

prio <priority (1-254)>
    Defines the election priority bias for this virtual router group. This can be any integer between 1 and 254. The default value is 100. During the master router election process, the routing device with the highest virtual router priority number wins. If there is a tie, the device with the highest IP interface address wins. If this virtual router's IP address (addr) is the same as the one used by the IP interface, the priority for this virtual router will automatically be set to 255 (highest). When priority tracking is used (/cfg/l3/vrrp/track or /cfg/l3/vrrp/vr #/track), this base priority value can be modified according to a number of performance and operational criteria.

adver <1-255>
    Defines the time interval between VRRP master advertisements. This can be any integer between 1 and 255. For IPv4 interfaces, this value is in seconds. For IPv6 interfaces, this value is in centiseconds. The default is 1 for IPv4 interfaces and 100 for IPv6 interfaces.

    Note: It is recommended that the default value of 100 or above is used for IPv6 interfaces to avoid a high load on the switch management CPU.

preem disable|enable
    Enables or disables master preemption. When enabled, if the virtual router group is in backup mode but has a higher priority than the current master, this virtual router will preempt the lower priority master and assume control. Note that even when preem is disabled, this virtual router will always preempt any other master if this switch is the owner (the IP interface address and virtual router addr are the same). By default, this option is enabled.

share disable|enable
    Enables or disables virtual router sharing, Nortel's proprietary extension to VRRP. When enabled, this switch will process any traffic addressed to this virtual router, even when in backup mode. By default, this option is enabled.

ena
    Enables the virtual router group.

dis
    Disables the virtual router group.

del
    Deletes the virtual router group from the switch configuration.

cur
    Displays the current configuration information for the virtual router group.

/cfg/l3/vrrp/group/track Virtual Router Group Priority Tracking Configuration


[Virtual Router Group Priority Tracking Menu]
     ifs   - Enable/disable tracking other interfaces
     ports - Enable/disable tracking VLAN switch ports
     l4pts - Enable/disable tracking L4 switch ports
     reals - Enable/disable tracking L4 real servers
     hsrp  - Enable/disable tracking HSRP
     hsrv  - Enable/disable tracking HSRP by VLAN
     cur   - Display current VRRP Group Tracking configuration

Note: If Virtual Router Group Tracking is enabled, then the tracking option will be available only under group option. The tracking setting for the other individual virtual routers will be ignored.
Virtual Router Group Priority Tracking Options (/cfg/l3/vr/group/track)

Command Syntax and Usage

ifs disable|enable
    When enabled, the priority for this virtual router will be increased for each other IP interface active on this switch. An IP interface is considered active when there is at least one active port on the same VLAN. This helps elect the virtual routers with the most available routes as the master. This command is disabled by default.

ports disable|enable
    When enabled, the priority for this virtual router will be increased for each active port on the same VLAN. A port is considered "active" if it has a link and is forwarding traffic. This helps elect the virtual routers with the most available ports as the master. This command is disabled by default.

l4pts disable|enable
    When enabled for virtual server routers, the priority for this virtual router will be increased for each physical switch port which has active Layer 4 processing on this switch. This helps elect the main Layer 4 switch as the master. This command is disabled by default.

reals disable|enable
    When enabled for virtual server routers, the priority for this virtual router will be increased for each healthy real server. This helps elect the switch with the largest server pool as the master, increasing Layer 4 efficiency. This command is disabled by default.

hsrp disable|enable
    Enables Hot Standby Router Protocol (HSRP) for this virtual router group. HSRP is used with some types of routers for establishing router failover. In networks where HSRP is used, enable this switch option to increase the priority of this virtual router for each Layer 4 client-only port that receives HSRP advertisements. This helps elect the switch closest to the master HSRP router as the master, optimizing routing efficiency. This command is disabled by default.

hsrv disable|enable
    Hot Standby Router on VLAN (HSRV) is used to work in VLAN-tagged environments. Enable this switch option to increment only that VRRP instance that is on the same VLAN as the tagged HSRP master flagged packet. This command is disabled by default.

cur
    Displays the current configuration for priority tracking for this virtual router.

/cfg/l3/vrrp/if <interface number> VRRP Interface Configuration


Note: The interface-number (1 to 256) represents the IP interface on which authentication parameters must be configured.

[VRRP Interface 1 Menu]
     auth  - Set authentication types
     passw - Set plain-text password
     del   - Delete interface
     cur   - Display current VRRP interface configuration

This menu is used for configuring VRRP authentication parameters for the IP interfaces used with the virtual routers.

VRRP Interface Menu Options (/cfg/l3/vrrp/if)

Command Syntax and Usage

auth none|password
    Defines the type of authentication that will be used: none (no authentication), or password (password authentication).

passw <password>
    Defines a plain text password up to eight characters long. This password will be added to each VRRP packet transmitted by this interface when password authentication is chosen (see auth above).

del
    Clears the authentication configuration parameters for this IP interface. The IP interface itself is not deleted.

cur
    Displays the current configuration for this IP interface's authentication parameters.
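
The check below is an added example, not code from Nortel or from this reference. It decodes a VRRP advertisement and reports the authentication setting it carries, assuming the switch uses the standard VRRPv2 layout from RFC 2338 (this reference does not give the wire format); the sample packets, the password example1 and all function names are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# Auth Type values defined for VRRPv2 in RFC 2338 (assumed layout, see lead-in).
AUTH_TYPES = {0: "none", 1: "password", 2: "ip-auth-header"}


def inet_checksum(data: bytes) -> int:
    """Return the 16-bit one's complement of the one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, prio, addrs, adver=1, auth_type=0, password=""):
    """Build a constructed VRRPv2 advertisement to feed the parser."""
    secret = password.encode("ascii")
    if len(secret) > 8:
        raise ValueError("passw is limited to eight characters")
    body = b"".join(IPv4Address(a).packed for a in addrs) + secret.ljust(8, b"\x00")
    head = struct.pack("!BBBBBB", 0x21, vrid, prio, len(addrs), auth_type, adver)
    csum = inet_checksum(head + b"\x00\x00" + body)
    return head + struct.pack("!H", csum) + body


def parse_advert(payload: bytes) -> dict:
    """Decode the VRRP payload of an IP protocol 112 packet."""
    if len(payload) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, prio, count, auth, adver, csum = struct.unpack("!BBBBBBH", payload[:8])
    if (vt >> 4, vt & 0x0F) != (2, 1):
        raise ValueError("not a VRRPv2 advertisement")
    end = 8 + 4 * count + 8          # header + addresses + 8-byte auth data
    if len(payload) < end:
        raise ValueError("truncated VRRP body")
    zeroed = payload[:6] + b"\x00\x00" + payload[8:end]
    return {
        "vrid": vrid,
        "prio": prio,
        "adver": adver,
        "addrs": [str(IPv4Address(payload[i:i + 4])) for i in range(8, end - 8, 4)],
        "auth": AUTH_TYPES.get(auth, f"unknown({auth})"),
        "auth_data": payload[end - 8:end],
        "checksum_ok": inet_checksum(zeroed) == csum,
    }


def audit_advert(payload: bytes, expected_auth: str) -> list:
    """Compare one advertisement with the auth setting intended for the interface."""
    adv = parse_advert(payload)
    findings = []
    if not adv["checksum_ok"]:
        findings.append("bad-checksum")
    if adv["auth"] != expected_auth:
        findings.append(f"auth-mismatch: saw {adv['auth']}, expected {expected_auth}")
    if adv["auth"] == "none":
        findings.append("unauthenticated advertisement")
    elif adv["auth"] == "password":
        visible = len(adv["auth_data"].rstrip(b"\x00"))
        findings.append(f"password sent in clear ({visible} readable bytes)")
    return findings


# Constructed samples: VRID 1 on 192.168.0.1, one per auth setting.
SAMPLE_PASSWORD = build_advert(1, 100, ["192.168.0.1"], auth_type=1, password="example1")
SAMPLE_NONE = build_advert(1, 100, ["192.168.0.1"])

if __name__ == "__main__":
    for name, pkt in (("password", SAMPLE_PASSWORD), ("none", SAMPLE_NONE)):
        print(name, parse_advert(pkt)["prio"], audit_advert(pkt, "password"))
```

With auth password the eight-byte authentication field is readable by any host that can capture traffic on the VLAN, so the setting protects against misconfigured neighbours rather than providing confidentiality.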

/cfg/l3/vrrp/track VRRP Tracking Configuration

This menu is used for setting weights for the various criteria used to modify priority levels during the master router election process. Each time one of the tracking criteria is met (see "VRRP Virtual Router Priority Tracking Menu" on "/cfg/l3/vrrp/vr <router number> /track Virtual Router Priority Tracking Configuration" (page 333)), the priority level for the virtual router is increased by an amount defined through this menu.

VRRP Tracking Options (/cfg/l3/vrrp/track)

Command Syntax and Usage

vrs <0-254>
    Defines the priority increment value (1 through 254) for virtual routers in master mode detected on this switch. The default value is 2.

ifs <0-254>
    Defines the priority increment value (1 through 254) for active IP interfaces detected on this switch. The default value is 2.

ports <0-254>
    Defines the priority increment value (1 through 254) for active ports on the virtual router's VLAN. The default value is 2.

l4pts <0-254>
    Defines the priority increment value (1 through 254) for physical switch ports with active Layer 4 processing. The default value is 2.

reals <0-254>
    Defines the priority increment value (1 through 254) for healthy real servers behind the virtual server router. The default value is 2.

hsrp <0-254>
    Defines the priority increment value (1 through 254) for switch ports with Layer 4 client-only processing that receive HSRP broadcasts. The default value is 10.

hsrv <0-254>
    Defines the priority increment value (1 through 254) for VRRP instances that are on the same VLAN. The default value is 10.

cur
    Displays the current configuration of priority tracking increment values.

These priority tracking options only define increment values. These options do not affect the VRRP master router election process until options under the VRRP Virtual Router Priority Tracking Menu (see "/cfg/l3/vrrp/vr <router number> /track Virtual Router Priority Tracking Configuration" (page 333)) are enabled.
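
The election rules and tracking increments described in this section can be modelled as follows. This is an added example, not Nortel code: the class and function names, the two constructed switches A and B, and the 254 ceiling on tracked priority are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

# Default increments listed under /cfg/l3/vrrp/track in this reference.
DEFAULT_WEIGHTS = {"vrs": 2, "ifs": 2, "ports": 2, "l4pts": 2,
                   "reals": 2, "hsrp": 10, "hsrv": 10}
OWNER_PRIORITY = 255
TRACKED_CEILING = 254   # assumption: tracking cannot lift a non-owner to 255


@dataclass
class VirtualRouter:
    switch: str                                   # hypothetical switch label
    if_addr: str                                  # address of the IP interface (if)
    vr_addr: str                                  # virtual router address (addr)
    prio: int = 100                               # base priority (prio)
    preem: bool = True                            # preemption (preem)
    tracking: set = field(default_factory=set)    # criteria enabled under vr/track
    met: dict = field(default_factory=dict)       # criterion -> times currently met

    @property
    def is_owner(self) -> bool:
        return ip_address(self.if_addr) == ip_address(self.vr_addr)

    def priority(self, weights=DEFAULT_WEIGHTS) -> int:
        """Base priority plus one increment per tracked criterion that is met."""
        if self.is_owner:
            return OWNER_PRIORITY
        if not 1 <= self.prio <= 254:
            raise ValueError("prio must be between 1 and 254")
        bonus = sum(weights[name] * self.met.get(name, 0) for name in self.tracking)
        return min(self.prio + bonus, TRACKED_CEILING)


def _rank(vr, weights):
    # Highest priority wins; a tie goes to the highest IP interface address.
    return (vr.priority(weights), int(ip_address(vr.if_addr)))


def elect(routers, master=None, weights=DEFAULT_WEIGHTS):
    """Return the master after one election round.

    master is the current master, or None when there is none (start-up or failure).
    """
    if master is None:
        return max(routers, key=lambda vr: _rank(vr, weights))
    challengers = [
        vr for vr in routers
        if vr is not master and (
            vr.is_owner                      # the owner preempts even with preem off
            or (vr.preem and vr.priority(weights) > master.priority(weights))
        )
    ]
    if not challengers:
        return master
    return max(challengers, key=lambda vr: _rank(vr, weights))


def scenario():
    """Constructed pair sharing VRID 1 / 10.0.0.1, with ports tracking enabled."""
    a = VirtualRouter("A", "10.0.0.2", "10.0.0.1", tracking={"ports"}, met={"ports": 4})
    b = VirtualRouter("B", "10.0.0.3", "10.0.0.1", tracking={"ports"}, met={"ports": 2})
    first = elect([a, b])                  # A: 100 + 4*2 = 108, B: 100 + 2*2 = 104
    a.met["ports"] = 1                     # three of A's ports lose link, A drops to 102
    second = elect([a, b], master=first)   # B (104) preempts A (102)
    b.preem = False                        # same failure with preemption disabled on B
    third = elect([a, b], master=first)    # A keeps the master role
    return [first.switch, second.switch, third.switch]


if __name__ == "__main__":
    print(scenario())
```

Running the same model with the increments configured on a given pair shows, before a maintenance window or failover test, which switch is expected to hold the master role after each link or server failure.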

/cfg/l3/metrc <metric name> Default Gateway Metrics


If multiple default gateways are configured and enabled, a metric can be set to determine which primary gateway is selected. There are two metrics, which are described in the table "Default Gateway Metrics (/cfg/l3/metrc)" (page 344).

Default Gateway Metrics (/cfg/l3/metrc)

Option and Description

strict
    The gateway number determines its level of preference. Gateway #1 acts as the preferred default IP gateway until it fails or is disabled, at which point the next in line will take over as the default IP gateway.

roundrobin
    This provides basic gateway load balancing. The switch sends each new gateway request to the next healthy, enabled gateway in line. All gateway requests to the same destination IP address are resolved to the same gateway.

/cfg/slb
/cfg/slb displays the Server Load Balancing Configuration Menu. To view menu options, see "The SLB Configuration Menu" (page 355).

/cfg/security Security Configuration Menu

Security Configuration Menu Options (/cfg/security)

Command Syntax and Usage

port <port number>
    Displays Port Security Menu. To view menu options, see "/cfg/security/port Port Security Menu" (page 345).

ipacl
    Displays IP address Access Control Menu. To view options, see "/cfg/security/ipacl IP Address Access Control List Configuration Menu" (page 347).

udpblast
    Displays UDP Blast Menu. To view menu options, see "/cfg/security/udpblast UDP Blast Protection Configuration Menu" (page 348).

dos
    Go to the Protocol Anomaly and DoS Attack Prevention Menu. To view menu options, see "/cfg/security/dos Anomaly and Denial of Service Attack Prevention Menu" (page 349).

pgroup <pattern group ID (1-128)>
    Displays Pattern Match Group Menu. To view menu options, see "/cfg/security/pgroup <pattern group number> Pattern Matching Menu" (page 350).

seclog <rate threshold packets/sec, 0-1048576 (0, no rate threshold)>
    Defines the rate threshold for security logging by the number of packets per second. Any packets above the current threshold will be logged.

pdepth <# of packets, 1-255|none>
    Defines the search window for pattern matching beginning from the start of the packet stream. The window is in units of packets.

symsig <signature id>
    Sets the action and bandwidth contracts for the specified signature.

symdel <signature id>
    Deletes the specified Symantec signature policy.

cur
    Displays the current security configuration.

/cfg/security/port Port Security Menu

Port Security Menu Options Command Syntax and Usage bogon <enable|disable> Enable or disable bogon IP ACL. ipacl <enable|disable> Enable or disable IP ACL. udpblast <enable|disable> Enable or disable UDP blast protection. dos <enable|disable> Enable or disable protocol anomaly and DoS attack prevention. add <iplen | ipversion | broadcast | loopback | land | ipreerved |ipttl| ipprot | ipoptlen | fragmoredont | fragdata | fragboundary | fraglast | fragdontoff | fragopt | fragoff | frag oversize | tcplen | tcportzero| blat | tcpreserved | nullscan | fullxmasscan | finscan | vecnascan |xmasscan | synfinscan | flagabnormal | syndata | synfrag | ftpport |dnsport | seqzero |ackzero | tcpoptlen | udplen | udpportzero | fraggle | pepsi | rc8 | snmpnull | icmplen | smurf | icmpdata | icmpoff | icmp-type | igmplen | igmpfrag | igmptype | arplen | arpnbcast | arpncast | arpspoof | garp | ip6len | ip6version> Add protocol anomaly/DoS attack to prevention. aadd Add all protocol anomaly/DoS attack to prevention for the port.

Nortel Application Switch Operating System Command Reference NN47220-105 (320506-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.

/cfg/security Security Conguration Menu 347 Command Syntax and Usage rem <iplen | ipversion | broadcast | loopback | land | ipreerved |ipttl| ipprot | ipoptlen | fragmoredont | fragdata | fragboundary | fraglast| fragdontoff | fragopt | fragoff | frag oversize | tcplen | tcportzero| blat | tcpreserved | nullscan | fullxmasscan | finscan | vecnascan | xmasscan | synfinscan | flagabnormal | syndata | synfrag | ftpport | dnsport | seqzero |ackzero | tcpoptlen | udplen | udpportzero | fraggle | pepsi | rc8 | snmpnull | icmplen | smurf | icmpdata | icmpoff | icmp-type | igmplen | igmpfrag | igmptype | arplen | arpnbcast | arpncast | arpspoof | garp | ip6len | ip6version> Remove protocol anomaly/DoS attack from prevention. arem Remove all protocol anomaly/DoS attack from prevention for the port. help Description of Protocol anomaly and DoS attack prevention. cur Display current port configuration. For example: Current port 1: <bogon disabled, ipacl disabled, udpblast disabled, dos disabled>

/cfg/security/ipacl IP Address Access Control List Configuration Menu

Nortel Application Switch Operating System can be configured with IP access control lists (ACLs) composed of ranges of client IP addresses that are to be denied access to the switch. When traffic ingresses the switch, the client source or destination IP address is checked against this pool of addresses. If a match is found, then the client traffic is blocked.

IP Address ACL Menu Options (/cfg/sec/ipacl)
Command Syntax and Usage

add <IP address IP mask>
    Adds range of source IP addresses to be denied, defined by the IP address/mask pair.
rem <IP address/mask pair index>
    Removes range of source IP addresses to be denied, defined by the IP address/mask pair index.
arem
    Remove all configuration source IP Address/Mask.
dadd <IP address IP subnet mask>
    Add configuration destination IP Address/Mask.
drem <IP address IP subnet mask>
    Remove configuration destination IP Address/Mask.
darem
    Remove all configuration destination IP Address/Mask.
cfg
    Display configuration IP Address/Mask.
bogon
    Display bogon IP Address/Mask.
oper
    Display operations IP Address/Mask.
syslog <threshold | time | none>
    Sets method for sending IP ACL syslog, defined by threshold/time/none parameter.
cur
    Displays current IP addresses ranges in Access Control List.

/cfg/security/udpblast UDP Blast Protection Configuration Menu

Malicious attacks over UDP protocol ports are becoming a common way to bring down real servers. Nortel Application Switch Operating System can be configured to restrict the amount of traffic allowed on any UDP port, thus ensuring that backend servers are not flooded with data and disabled. You can specify a series of UDP port ranges and the allowed packet limit for that range. When the maximum number of packets/second is reached, UDP traffic is shut down on those ports.

Nortel Application Switch Operating System supports up to 5000 UDP port numbers, using any integer from 1 to 65535. The maximum port range is 5000. If the first port number is 300, the last number that can be used is 5300. While you can configure multiple port ranges, the sum of ranges cannot exceed the maximum of 5000 ports.

UDP Blast Protection Menu Options (/cfg/sec/udpblast)
Command Syntax and Usage

add <UDP port number or range (first-last)> [packet rate]
    Adds UDP port or range for UDP blast protection, as well as the maximum packet rate per second. If the number of packets on this port range exceeds the maximum packet rate per second, UDP traffic will be dropped.
rem <UDP port number or range (first-last)>
    Removes UDP port or range for UDP blast protection.
default <packet rate>
    Defines the default packet rate for UDP blast protection.
cur
    Displays all UDP blast protection ports.

/cfg/security/dos Anomaly and Denial of Service Attack Prevention Menu

Anomaly and DoS Menu Options
Command Syntax and Usage

ipttl <IPv4 TTL, 0-255>
    Set the smallest allowable IP ttl for IPTTL.
ipprot <highest allowable IPv4 protocol [0-255]>
    Set the highest allowable IP protocol for IP protection. For example:
    Current highest allowable IPv4 protocol: 137
    Enter new highest allowable IPv4 protocol [0-255]:
fragdata <IPv4 fragment payload size in bytes, 16-248>
    Set the smallest allowable IP fragment payload.
fragoff <IPv4 fragment offset in multiples of 8 bytes, 1-255>
    Set the smallest allowable IP fragment offset.
syndata <TCP packet payload size in bytes, 0-255>
    Set the largest allowable IP SYN payload.
icmpdata <ICMP packet payload size in bytes, 1-9026>
    Set the largest allowable ICMP payload.
icmpoff <ICMP fragment offset in multiples of 8 bytes, 1-8190>
    Set the largest allowable ICMP fragment offset.
help
    Description of the Anomaly and DoS attack prevention.
cur
    Display current protocol anomaly and DoS attack prevention settings. For example:
    Current protocol anomaly and DoS attack prevention settings: ipttl 1, ipprot 137, fragdata 32, fragoff 4, syndata 0, icmpdata 800, icmpoff 101
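The following added example (not part of the Nortel manual and not switch code) parses the settings string from the cur example above and shows which of the seven tunable anomaly checks a packet would trip. The Packet fields, the sample packets, and the choice to apply fragdata only to non-final fragments and fragoff only to non-first fragments are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

ICMP, TCP = 1, 6  # IANA protocol numbers

# Allowed value ranges, taken from the command syntax in the menu above.
RANGES = {
    "ipttl": (0, 255), "ipprot": (0, 255), "fragdata": (16, 248),
    "fragoff": (1, 255), "syndata": (0, 255),
    "icmpdata": (1, 9026), "icmpoff": (1, 8190),
}

# The settings shown in the manual's "cur" example.
CUR_EXAMPLE = ("ipttl 1, ipprot 137, fragdata 32, fragoff 4, "
               "syndata 0, icmpdata 800, icmpoff 101")


def parse_cur(text):
    """Parse 'name value' pairs from cur output and range-check each one."""
    settings = {}
    for name, value in re.findall(r"\b([a-z]+)\s+(\d+)\b", text):
        if name not in RANGES:
            continue  # not one of the seven thresholds
        low, high = RANGES[name]
        number = int(value)
        if not low <= number <= high:
            raise ValueError(f"{name} {number} outside {low}-{high}")
        settings[name] = number
    missing = sorted(set(RANGES) - set(settings))
    if missing:
        raise ValueError(f"missing settings: {missing}")
    return settings


@dataclass
class Packet:
    """Hypothetical packet summary; field names are not from the manual."""
    ttl: int = 64
    proto: int = TCP
    payload_len: int = 0        # bytes of payload
    frag_offset: int = 0        # units of 8 bytes, as in the IPv4 header
    more_fragments: bool = False
    syn: bool = False


def violations(pkt, s):
    """Return the names of the thresholds this packet breaks, in menu order."""
    hits = []
    if pkt.ttl < s["ipttl"]:                      # smallest allowable TTL
        hits.append("ipttl")
    if pkt.proto > s["ipprot"]:                   # highest allowable protocol
        hits.append("ipprot")
    # Assumption: a final fragment may be short, so only non-final ones count.
    if pkt.more_fragments and pkt.payload_len < s["fragdata"]:
        hits.append("fragdata")
    # Assumption: offset 0 is the first fragment and is always acceptable.
    if 0 < pkt.frag_offset < s["fragoff"]:
        hits.append("fragoff")
    if pkt.proto == TCP and pkt.syn and pkt.payload_len > s["syndata"]:
        hits.append("syndata")                    # largest allowable SYN payload
    if pkt.proto == ICMP:
        if pkt.payload_len > s["icmpdata"]:
            hits.append("icmpdata")
        if pkt.frag_offset > s["icmpoff"]:
            hits.append("icmpoff")
    return hits


if __name__ == "__main__":
    settings = parse_cur(CUR_EXAMPLE)
    constructed = {                               # constructed sample packets
        "plain SYN": Packet(syn=True),
        "SYN carrying data": Packet(syn=True, payload_len=20),
        "large ICMP echo": Packet(proto=ICMP, payload_len=1400),
        "tiny first fragment": Packet(proto=17, more_fragments=True, payload_len=8),
        "overlapping-style offset": Packet(proto=17, frag_offset=1, payload_len=512),
    }
    for label, pkt in constructed.items():
        print(f"{label}: {violations(pkt, settings) or 'clean'}")
```

With the example settings, syndata 0 means any SYN that carries payload is flagged, and ipprot 137 flags every IP protocol number above 137.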

/cfg/security/pgroup <pattern group number> Pattern Matching Menu

When a virus or other attack contains multiple patterns or strings, it is useful to combine them into one group and give the group a name that is easy to remember. When a pattern group is applied to a deny filter, the switch will match any of the strings or patterns within that group before denying and dropping the packet. Up to five patterns can be combined into a single pattern group. Configure the binary or ASCII pattern strings, group them into a pattern group, name the pattern group, and then apply the group to a filter.

The filtering commands in Nortel Application Switch Operating System Advanced Denial of Service Pack allow the administrator to define groups of patterns. By applying the patterns and groups to a deny filter, the packet content can be detected and thus denied access to the network. The Nortel Application Switch Operating System 24.0 supports up to 1024 pattern matching groups.

[Pattern Match Group 1 Menu]
    name - Set pattern group name
    add  - Add SLB string to group
    rem  - Remove SLB string from group
    del  - Delete pattern group
    cur  - Display current configuration

Pattern Matching Group Menu Options (/cfg/sec/pgroup)
Command Syntax and Usage

name <31 character name> | none
    Specifies a descriptive name for this pattern group.
add <string ID>
    Adds a pre-configured SLB string to this pattern group by the string ID number. To configure SLB strings, use the /cfg/slb/layer7/slb/add command described on "/cfg/slb/layer7/slb Server Load Balance Resource Configuration Menu" (page 421). To view existing strings and their ID numbers, use the /cfg/slb/layer7/slb/cur command, also on "/cfg/slb/layer7/slb Server Load Balance Resource Configuration Menu" (page 421).

    Note: You can only add the binary or ASCII strings to a pattern matching group. Up to five patterns can be combined into a single pattern group.
rem <SLB string ID>
    Removes an SLB string from this pattern group.
del
    Deletes the pattern group.
cur
    Displays the current configuration of this pattern group.

/cfg/sslproc SSL Processor Menu

[SSL Processor Menu]
    mip  - Set SSL processor management IP
    port - Set SSL processor Web server port
    rts  - Enable/disable RTS processing
    filt - Enable/disable filtering
    add  - Add filter
    rem  - Remove filter
    cur  - Display current SSL processor configuration

SSL Processor Menu Options
Command Syntax and Usage

mip <SSL processor management IP>
    Set SSL processor management IP.
port <SSL processor Web server port>
    Set SSL processor Web server port.
rts enable|disable
    Enable/disable RTS processing.
filt enable|disable
    Enable/disable filtering.
add <filter ID, 1-2048>
    Add a filter.
rem <filter ID, 1-2048>
    Remove a filter.
cur
    Display current SSL processor configuration.

/cfg/dump Dump

The dump program writes the current switch configuration to the terminal screen. To start the dump program, at the Configuration# prompt, enter:
Configuration# dump

The configuration is displayed with parameters that have been changed from the default values. The screen display can be captured, edited, and placed in a script file, which can be used to configure other switches through a Telnet connection. When using Telnet to configure a new switch, paste the configuration commands from the script file at the command line prompt of the switch. The active configuration can also be saved or loaded via TFTP, as described on "/cfg/gtcfg Restoring the Active Switch Configuration" (page 353).

/cfg/ptcfg Saving the Active Switch Configuration

When the ptcfg command is used, the switch's active configuration commands (as displayed using /cfg/dump) will be uploaded to the specified script configuration file on the TFTP or FTP server. To start the switch configuration upload, at the Configuration# prompt, enter:
Configuration# ptcfg <TFTP/FTP server filename> {-tftp | ftp user name ftp password} [-m | -mgmt | -d | -data]

where server is the TFTP or FTP server IP address or hostname, and filename is the name of the target script configuration file.

Note 1: The output file is formatted with line-breaks but no carriage returns; the file cannot be viewed with editors that require carriage returns (such as Microsoft Notepad).

Note 2: If the TFTP server is running SunOS or the Solaris operating system, the specified ptcfg file must exist prior to executing the ptcfg command and must be writable (set with proper permission, and not locked by any application). The contents of the specified file will be replaced with the current configuration data.

/cfg/gtcfg Restoring the Active Switch Configuration

When the gtcfg command is used, the active configuration will be replaced with the commands found in the specified configuration file. The file can contain a full switch configuration or a partial switch configuration. The configuration loaded using gtcfg is not activated until the apply command is used. If the apply command is found in the configuration script file loaded using this command, the apply action will be performed automatically. To start the switch configuration download, at the Configuration# prompt, enter:
Configuration# gtcfg <TFTP/FTP server filename> {-tftp | ftp user name ftp password} [-m | -mgmt | -d | -data]

where server is the TFTP or FTP server IP address or hostname, and filename is the name of the target script configuration file.

The SLB Configuration Menu

Server Load Balancing (SLB) allows you to configure the Nortel Application Switch to balance user session traffic among a pool of available servers that provide shared services. In an average network that employs multiple servers without server load balancing, each server usually specializes in providing one or two unique services. If one of these servers provides access to applications or data that is in high demand, it can become overutilized. Placing this kind of strain on a server can decrease the performance of the entire network as user requests are rejected by the server and then resubmitted by the user stations. With this software feature, the switch is aware of the services provided by each server and can direct user session traffic to an appropriate server, based on a variety of load-balancing algorithms.

This chapter discusses how to use the Command Line Interface (CLI) for configuring Server Load Balancing (SLB) on the Nortel Application Switch. Refer to the Nortel Application Switch Operating System Application Guide for detailed information on this feature.

/cfg/slb SLB Configuration

[Layer 4 Menu]
    real    - Real Server Menu
    group   - Real Server Group Menu
    virt    - Virtual Server Menu
    filt    - Filtering Menu
    port    - Layer 4 Port Menu
    gslb    - Global SLB Menu
    layer7  - Layer 7 Resource Definition Menu
    wap     - WAP Menu
    sync    - Config Synch Menu
    adv     - Layer 4 Advanced Menu
    linklb  - Inbound Linklb Menu
    advhc   - Layer 4 Advanced Health Check Menu
    pip     - Proxy IP Address Menu
    peerpip - Peer Proxy IP Address Menu
    wlm     - Workload Manager Menu
    on      - Globally turn Layer 4 processing ON
    off     - Globally turn Layer 4 processing OFF
    cur     - Display current Layer 4 configuration

Server Load Balancing Configuration Menu Options (/cfg/slb)
Command Syntax and Usage

real <real server number (1-1023)>
    Displays the menu for configuring real servers. To view menu options, see "/cfg/slb/real server number Real Server SLB Configuration" (page 358).
    Displays iSD menu. To view menu options, see "/cfg/slb/real real server number /ids Real server IDS Configuration Menu" (page 365).
group <real server group number (1-1024)>
    Displays the menu for placing real servers into real server groups. To view menu options, see "/cfg/slb/group real server group number Real Server Group SLB Configuration" (page 366).
virt <virtual server number (1-1024)>
    Displays the menu for defining virtual servers. To view menu options, see "/cfg/slb/virt virtual server number Virtual Server SLB Configuration" (page 376).
filt <filter ID (1-2048)>
    Displays the menu for Filtering and Application Redirection. To view menu options, see "/cfg/slb/filt filter number SLB Filter Configuration" (page 390).
port <port number>
    Displays the menu for setting physical switch port states for Layer 4 activity. To view menu options, see "/cfg/slb/port port number Port SLB Configuration" (page 408).
gslb
    Displays the menu for configuring Global Server Load Balancing. To view menu options, see "/cfg/slb/gslb Global SLB Configuration" (page 410).
    Displays the Advanced SLB Global Menu.
layer7
    Displays Layer 7 Resource Definition Menu. To view menu options, see "/cfg/slb/layer7 Layer 7 SLB Resource Definition Menu" (page 418).
wap
    Displays WAP Menu. To view menu options, see "/cfg/slb/layer7/sdp SDP Mapping Menu" (page 422).
sync
    Displays the Synch Peer Switch Menu. To view menu options, see "/cfg/slb/sync Synchronize Peer Switch Configuration" (page 423).
adv
    Displays the Layer 4 Advanced Menu. To view menu options, see "/cfg/slb/adv Advanced Layer 4 Configuration" (page 425).
linklb
    Displays Inbound Link Load Balancing Menu. To view menu options, see "/cfg/slb/linklb Inbound Link Load Balancing configuration Menu" (page 430).
advhc
    Displays Layer 4 Advanced Health Check Menu. To view menu options, see "/cfg/slb/advhc Advanced Health Check Configuration Menu" (page 432).
pip
    This menu is used to set the switch proxy IP address. When the pip is defined, client address information in Layer 4 requests is replaced with this proxy IP address. To view options, see "/cfg/slb/pip Proxy IP Address Configuration Menu" (page 439).
peerpip
    Displays Peer Proxy IP address Menu. When this command is enabled, the switch is able to forward traffic from the other switch, using Layer 2, without performing server processing on the packets of the other switch. This happens because the peer switches are aware of each other's proxy IP addresses. This prevents the dropping of a packet or being sent to the backup switch in the absence of the proxy IP address of the peer switch. To view menu options, see "/cfg/slb/peerpip SLB Peer Proxy IP Address Menu" (page 440).
wlm
    Displays the menu for workload management of servers. To view menu options, see "/cfg/slb/wlm WorkLoad Management Menu" (page 441).
on
    Globally turns on Layer 4 software services for Server Load Balancing and Application Redirection. This option can be performed only after the optional Layer 4 software is enabled (see "/oper/swkey Activating Optional Software" (page 452)). Enabling Layer 4 services is not necessary for using filters only to allow, deny, or NAT traffic.
off
    Globally disables Layer 4 services. All configuration information will remain in place (if applied or saved), but the software processes will no longer be active in the switch.
cur
    Displays the current Server Load Balancing configuration.

Filtering and Layer 4 (Server Load Balancing)


Filters configured to allow, deny, or perform Network Address Translation (NAT) on traffic do not require Layer 4 software to be activated. These filters are not affected by the Server Load Balancing on and off commands in this menu. Application Redirection filters, however, require Layer 4 software services. Layer 4 processing must be turned on before redirection filters will work.

/cfg/slb/real <server number> Real Server SLB Configuration

This menu is used for configuring information about real servers that participate in a server pool for Server Load Balancing or Application Redirection. The required parameters are:
    Real server IP address
    Real server enabled (disabled by default)

Real Server Configuration Menu Options (/cfg/slb/real)
Command Syntax and Usage

adv
    Go to the Real Server Advanced menu. To view menu options, see "/cfg/slb/real server number /layer7 Real Server Layer 7 Configuration" (page 364).
layer7
    Displays the Layer 7 Menu. To view menu options, see "/cfg/slb/real server number /layer7 Real Server Layer 7 Configuration" (page 364).
ids
    Displays Intrusion Detection Server/system menu. To view menu options, see "/cfg/slb/real real server number /ids Real server IDS Configuration Menu" (page 365).
ipver <v4 | v6>
    Sets the IP version of the real server.
rip <real server IP address>
    Sets the IP address of the real server. The format of the IP address is dependent upon the IP version specified using the ipver command. When this command is used, the address entered is pinged to determine if the server is up, and the administrator will be warned if the server does not respond.
name <string, maximum 31 characters> | none
    Defines a 15-character alias for each real server. This will enable the network administrator to quickly identify the server by a natural language keyword value.
weight <real server weight (1-48)>
    Sets the weighting value (1 to 48) that this real server will be given in the load balancing algorithms. Higher weighting values force the server to receive more connections than the other servers configured in the same real server group. By default, each real server is given a weight setting of 1. A setting of 10 would assign the server roughly 10 times the number of connections as a server with a weight of 1.
avail <server weight (1-48)>
    Displays the currently available real server for Global server load balancing and allows the user to change to another real server for Global server load balancing.
maxcon <maximum connections (0-200000)>
    Sets the maximum number of connections that this server should simultaneously support. By default, the number of maximum connections is set at 200,000. This option sets a threshold as an artificial barrier, such that new connections will not be issued to this server if the maxcon limit is reached. New connections will be issued again to this server once the number of current connections has decreased below the maxcon setting. If all servers in a real server group for a virtual server reach their maxcon limit at the same time, client requests will be sent to the backup/overflow server or backup/overflow server group. If no backup servers/server group are configured, client requests will be dropped by the virtual server.
tmout <even number of minutes (2-32768)>
    Sets the number of minutes an inactive session remains open (in even numbered increments). Every client-to-server session being load balanced is recorded in the switch's Session Table. When a client makes a request, the session is recorded in the table. The data is transferred until the client ends the session, and the session table entry is then removed. In certain circumstances, such as when a client application is abnormally terminated by the client's system, TCP/UDP connections will remain registered in the switch's binding table. In order to prevent table overflow, these orphaned entries must be aged out of the binding table. Using the tmout option, you can set the number of minutes to wait before removing orphan table entries. Settings must be specified in even numbered increments between 2 and 32768 minutes. The default setting is 10. This option is also used with the Persistent option (see /cfg/slb/virt/pbind). When persistent is activated, this option sets how long an idle client is allowed to remain associated with a particular server.
backup <real server number (1-1023)> | none
    Sets the real server used as the backup/overflow server for this real server. To prevent loss of service if a particular real server fails, use this option to assign a backup real server number. Then, if the real server becomes inoperative, the switch will activate the backup real server until the original becomes operative again. The backup server is also used in overflow situations. If the real server reaches its maxcon (maximum connections) limit, the backup comes online to provide additional processing power until the original server becomes desaturated. The same backup/overflow server may be assigned to more than one real server at the same time.
inter <number of seconds between health checks (0-60)>
    Sets the interval between real server health verification attempts. Determining the health of each real server is a necessary function for Layer 4 switching. For TCP services, the switch verifies that real servers and their corresponding services are operational by opening a TCP connection to each service, using the defined service ports configured as part of each virtual service. For UDP services, the switch pings servers to determine their status. The inter option lets you choose the time between health checks. The range is from 1 to 60 seconds. The default interval is 2 seconds. An interval of "0" disables health checking for the server.
retry <number of consecutive health checks (1-63)>
    Sets the number of failed health check attempts required before declaring this real server inoperative. The range is from 1 to 63 attempts. The default is 4 attempts.
restr <number of consecutive health checks (1-63)>
    Sets the number of successful health check attempts required before declaring a TCP and UDP service operational. The range is from 1 to 63 attempts. The default is 2 attempts.
overflo enable|disable
    Enable or disable backup upon overflow.
addport <real server port (2-65534)>
    Add multiple service ports to the server.
remport <real server port (2-65534)>
    Remove multiple service ports from the server.
remote disable|enable
    Enables or disables remote site operation for this server. This option should be enabled when the real IP address supplied above represents a remote server (real or virtual) that this switch will access as part of its Global Server Load Balancing network. By default, this option is disabled. For more information, refer to the Nortel Application Switch Operating System 24.0 Application Guide.
proxy disable|enable
    Enables or disables proxy IP address translation. With this option enabled (default), a client request from any application can be proxied using a load-balancing Proxy IP address (PIP).
fasthc disable|enable
    Enables or disables Fast Health Check operation. When enabled, the real server goes down operationally as soon as the physical port connected to the real server goes down. When disabled, the real server will go down only after the configured health check interval. This command is enabled by default.
submac disable|enable
    Enables or disables source MAC address substitution. By default, this option is disabled.
ena
    You must perform this command to enable this real server for Layer 4 service. When enabled, the real server can process virtual server requests associated with its real server group. This option, when the apply and save commands are used, enables this real server for operation until explicitly disabled. See /oper/slb/ena on "/cfg/slb SLB Configuration" (page 355) for an operations-level command.
dis
    Disables this real server from Layer 4 service. A disabled server will no longer process virtual server requests as part of the real server group to which it is assigned. This option, when the apply and save commands are used, disables this real server until it is explicitly re-enabled.

    Note: This option does not perform a graceful server shutdown.

    See /oper/slb/dis on "/oper/slb Operations-Level SLB Options" (page 445) for an operations-level command that permits graceful server shutdown.
del
    Deletes this real server from the Layer 4 switching software configuration. This removes the real server from operation within its real server groups. Use this command with caution, as it will delete any configuration options that have been set for this real server. This option does not perform a graceful server shutdown.
cur
    Displays the current configuration information for this real server.
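The inter, retry and restr options above together decide how quickly a failed real server is taken out of service and how readily a recovering one is put back. The following added example (not part of the Nortel manual and not switch code) simulates that counting logic over a constructed sequence of health check results; the class and function names are hypothetical, and the model assumes one check every inter seconds with no per-check timeout.

```python
from dataclasses import dataclass


@dataclass
class HealthConfig:
    inter: int = 2   # seconds between checks, 0 disables checking (default 2)
    retry: int = 4   # consecutive failed checks before "down" (default 4)
    restr: int = 2   # consecutive passed checks before "up" (default 2)

    def __post_init__(self):
        # Ranges from the command syntax in the menu above.
        if not 0 <= self.inter <= 60:
            raise ValueError("inter must be 0-60")
        if not 1 <= self.retry <= 63:
            raise ValueError("retry must be 1-63")
        if not 1 <= self.restr <= 63:
            raise ValueError("restr must be 1-63")


def simulate(results, cfg, initially_up=True):
    """Return the state changes [(time_s, "down" | "up"), ...].

    results is one boolean per health check (True = check passed).
    """
    if cfg.inter == 0:
        return []  # health checking disabled: state never changes
    up = initially_up
    fails = passes = 0
    changes = []
    for index, passed in enumerate(results):
        now = index * cfg.inter
        if passed:
            passes, fails = passes + 1, 0
            if not up and passes >= cfg.restr:
                up = True
                changes.append((now, "up"))
        else:
            fails, passes = fails + 1, 0
            if up and fails >= cfg.retry:
                up = False
                changes.append((now, "down"))
    return changes


def worst_case_detect_seconds(cfg):
    """Upper bound on the time a server that fails just after a passing
    check keeps receiving traffic, ignoring the duration of each check."""
    return cfg.inter * cfg.retry


# Constructed sample: a three-check blip, then a real outage and recovery.
OUTAGE = [True, False, False, False, True,
          False, False, False, False, True, True]
# Constructed sample: a service that alternates between pass and fail.
FLAPPING = [True, False, True, False, True]

if __name__ == "__main__":
    print(simulate(OUTAGE, HealthConfig()))
    print(simulate(FLAPPING, HealthConfig()))
    print(simulate(FLAPPING, HealthConfig(retry=1, restr=1)))
    print(worst_case_detect_seconds(HealthConfig()), "seconds")
```

With the default settings the three-check blip does not remove the server and the alternating sequence causes no state change, while retry 1 and restr 1 toggle the server on every check.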

/cfg/slb/real/adv Real Server Advanced Menu

Real Server Advanced Menu Options
Command Syntax and Usage

avail <server weight, 1-48>
    Set Global SLB availability for real server.
remote <enable|disable>
    Enable/disable Global SLB remote site operation.
proxy <enable|disable>
    Enable/disable client proxy operation.
buddyhc
    Go to the Buddy Server Menu.
fasthc <enable|disable>
    Enable/disable fast health check operation.
submac <enable|disable>
    Enable/disable source MAC address substitution.
subdmac <enable|disable>
    Enable/disable destination MAC address substitution.
cur <enable|disable>
    Display current real server advanced configuration.

/cfg/slb/real/adv/buddyhc Buddy Server Health Check Menu

[Real server 1 Buddy Menu]
    addbd - Add Buddy Server
    delbd - Delete Buddy Server
    cur   - Display current buddy server configuration

Buddy Server Health Check Menu Options
Command Syntax and Usage

addbd <real server number 1-1023 real server group 1-1024 service 9-65534>
    Adds a buddy server.
delbd <real server number 1-1023 real server group 1-1024 service 9-65534>
    Deletes a previously added buddy server.
cur
    Displays the current buddy server configuration.

/cfg/slb/real <server number> /layer7 Real Server Layer 7 Configuration

[Real Server 1 Layer 7 Commands Menu]
    addlb   - Add SLB string for content load balance
    remlb   - Remove SLB string for content load balance
    cookser - Enable/disable cookie assignment server
    exclude - Enable/disable exclusionary string matching
    ldapwr  - Enable/disable LDAP Write server
    cur     - Display current real server configuration

This menu is used for entering commands and strings for Layer 7 processing.

Layer 7 Commands Menu Options (/cfg/slb/real/layer7)
Command Syntax and Usage

addlb <defined SLB string ID, 1-1024>
    Adds the predefined URL loadbalance string ID to the real server.
remlb <defined SLB string ID, 1-1024>
    Removes the predefined URL loadbalance string ID from the real server.
cookser disable|enable
    Enables or disables the real server to handle client requests that don't contain a cookie. This option is used if you want to designate a specific server to assign cookies only. This server gets the client request, assigns the cookie, and embeds the IP address of the real server that will handle the subsequent requests from the client. By default, this option is disabled.
exclude disable|enable
    Enables or disables exclusionary string matching. By default, this option is disabled.
ldapwr disable|enable
    Enables or disables LDAP write server. LDAP servers are of two types: read servers and write servers. You need to use read servers when you only want to browse the directory. You need to use the write servers when you want to modify the directory on the server. The write server can conduct both read and write operations.
cur
    Displays the current real server configuration.

/cfg/slb/real <real server number> /ids Real Server IDS Configuration Menu
An Intrusion Detection System (IDS) is a type of security management system for computers and networks. An Intrusion Detection System gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). Refer to the Application Guide for more information.


[Real Server 1 IDS Menu]
     idsvlan - Set Vlan ID for ID Server
     idsport - Set Port for ID Server
     oid     - Override OID for SNMP HC
     comm    - Override community string for SNMP HC
     cur     - Display current real server configuration

IDS Configuration Menu options (/cfg/slb/real/ids)

Command Syntax and Usage

idsvlan <vlan number (1-4090)>
    Defines VLAN ID for Intrusion Detection Server.

idsport <port number> | none
    Defines port for Intrusion Detection Server.

    Note: IDS can only be configured on real servers between one and the maximum number of ports on the switch.

oid <SNMP health check object identifier to override group OID>
    Specifies the object identifier (OID). This OID overrides the OID for SNMP health checks.

comm <SNMP health check community string to override group community string>
    Overrides community string for SNMP health checks.

cur
    Displays the current real server configuration.

/cfg/slb/group <real server group number>


Real Server Group SLB Configuration

This menu is used for combining real servers into real server groups. Each real server group should consist of all the real servers which provide a specific service for load balancing. Each group must consist of at least one real server. Each real server can belong to more than one group. Real server groups are used both for Server Load Balancing and Application Redirection.

Real Server Group Configuration Menu Options (/cfg/slb/group)

Command Syntax and Usage

ipver <v4 | v6>
    Sets the IP version of the real server group.

metric leastconns|roundrobin|minmisses|hash|response|bandwidth|phash
    Sets the load balancing metric used for determining which real server in the group will be the target of the next client request. The default setting is leastconns. See "Server Load Balancing Metrics" (page 373) for more information.

rmetric
    Sets the load balancing metric used for determining which port in the real server will be the target of the next client request.

content <filename |/ host / filename> |none


    This option defines the specific content which is examined during health checks. The content depends on the type of health check specified in the health option (see below).

health link|arp|icmp|tcp|http|httphead|dns|pop3|smtp|nntp|ftp|imap|sslh|radius-auth|radius-acc|radius-aa|script n|udpdns|wsp|wtp|wtls|ldap|snmp n|tftp|rtsp|sip|sipoptions|wts|dhcp
    http - use GET method, httphead - use HEAD method
    Sets the type of health checking performed. The default is tcp. See "SLB Health Check Types" (page 370).

backup r<real server number (1-1023)> |g <group number (1-1024)> |none
    Sets the real server or real server group used as the backup/overflow server/server group for this real server group. To prevent loss of service if the entire real server group fails, use this option to assign a backup real server/real server group number. Then, if the real server group becomes inoperative, the switch will activate the backup real server/server group until one of the original real servers becomes operative again.
    The backup server/server group is also used in overflow situations. If all the servers in the real server group reach their maxcon (maximum connections) limit, the backup server/server group comes online to provide additional processing power until one of the original servers becomes desaturated. The same backup/overflow server/server group may be assigned to more than one real server group at the same time.

name <maximum 31 characters> |none
    Defines a 15-character alias for each Real Server Group. This will enable the network administrator to quickly identify the server group by a natural language keyword value.

realthr <real servers (1-15, 0 for disabled)>
    Specifies a minimum number of real servers available. If at any time the number reaches this minimum limit, a SYSLOG ALERT message is sent to the configured SYSLOG servers stating that the real server threshold has been reached for the concerned server load balancing group.
    The default threshold is 0, which also means the option is disabled.

idsrprt <real server port (2-65534)> |any
    Sets real server port for the Intrusion Detection Server.


advhlth (1&2|3..), 128 |none
    Defines an advanced health check formula expression for the real servers. This command allows you to create a boolean expression to health check the real server group based on the state of the virtual services. This command supports two boolean operators, AND and OR, that are used to manipulate TRUE or FALSE values. Using parentheses with the boolean operators, you can create a boolean expression to state the health of the server group. This command also supports a string expression which is up to 128 characters long, or you can also set the formula expression as none.

mhash 24|32 <number of sip bits used for minmisses hash>
    Defines the minmisses hash parameter for this real server as either 24 or 32 bits. By default the minmiss algorithm uses the upper 24 bits of the source IP address to calculate the real server that the traffic should be sent to when the minmiss metric is selected. You can also select all 32 bits of the source IP address to hash to the real server.

wlm <1 - 16> | none
    Sets the Workload Manager number.

viphlth disable|enable
    Enables or disables VIP health checking in a service. This feature is enabled by default. However, it works only when the service has the DSR (Direct Server Return) feature enabled. When viphlth is disabled, the switch uses RIP to perform all health checks, whether DSR is enabled or disabled.

ids disable|enable
    Enables or disables Intrusion Detection Server (IDS) load balancing for the designated real server group. This feature can only be configured on real server groups between 1-63.

idsfld disable|enable
    Enables or disables the Intrusion Detection flood. When Intrusion Detection flood is enabled, packets are copied to all IDS servers in the IDS group. When this is disabled, packets are only copied to the load balanced IDS server within the IDS group.

oper disable|enable
    Enables or disables the real server group operation.

ena <real server number, 1-1023>
    Enables a real server in this group gracefully or on a per group basis. For example, if a real server is a member of more than one group, you can configure this real server to accept requests from all the groups or any number of groups that this real server is a member of.

dis <real server number, 1-1023>


    Disables a real server in this group gracefully or on a per group basis.

add <real server number (1-1023)>
    Adds a real server to this real server group. You will be prompted to enter the number of the real server to add to this group.

rem <real server number (1-1023)>
    Removes a real server from this real server group. You will be prompted for the ID number for the real server to remove from this group.

del
    Deletes this real server group from the Layer 4 software configuration. This removes the group from operation under all virtual servers it is assigned to. Use this command with caution: if you remove the only group that is assigned to a virtual server, the virtual server will become inoperative.

cur
    Displays the current configuration parameters for this real server group.

SLB Health Check Types


Using the health command, you can specify the type of health check for the group of real servers. The health check options are described in the following table. Refer to the Application Guide for their detailed description.

>> Real Server Group 1# health
Current health check type: tcp
Pending new health check type: sipoptions
Enter health check type:

SLB Health Check Types (/cfg/slb/group/health)

Option and Description

link
    Checks status of port for each server for IDSLB group only.

arp
    Sends an ARP request for Layer 2 health checking.

icmp
    For Layer 3 health checking, pings the server.

tcp
    Opens and closes a TCP/IP connection to the server for TCP service.

http


    For HTTP service, use HTTP 1.1 GETs when a HOST: header is required to check that the URL content is specified in the content command. Otherwise, an HTTP/1.0 GET occurs.

    Note: If the content is not specified, the health check will revert back to TCP on the port that is being load balanced. For examples, refer to the Nortel Application Switch Operating System 24.0 Application Guide.

httphead
    Allows the switch to declare if the server is up or not just by locating the URL header and not wait until all the URL contents are received. You can use this command to test the validity and access to the hypertext links or to look for any recent modification to the URL.

dns
    For Domain Name Service, check that the domain name specified in content can be resolved by the server.

pop3
    For user mail service, check that the user:password account specified in content exists on the server.

smtp
    For mail-server services, check that the user specified in content is accessible on the server.

nntp
    For newsgroup services, check that the newsgroup name specified in content is accessible on the server.

ftp
    For FTP services, check that the filename specified in content is accessible on the server through anonymous login.

imap
    For user mail service, check that the user:password value specified in content exists on the server.

sslh
    Enables the switch to query the health of the SSL servers by sending an SSL client "Hello" packet and then verifying the contents of the server's "Hello" response. During the handshake, the user and server exchange security certificates, negotiate an encryption and compression method, and establish a session ID for each session.

radius-auth, radius-acc, radius-aa


    For RADIUS remote access server authentication, check that the user:password value specified in content exists on the Nortel Application Switch and the server. To perform application health checking to a RADIUS server, the network administrator must also configure the /cfg/slb/secrt parameter. The secrt value is a field of up to 32 alphanumeric characters that is used by the switch to encrypt a password during the RSA Message Digest Algorithm (MD5) and by the RADIUS server to decrypt the password during verification.

script n
    Enables the use of script-based health checks in send/expect format to check for application and content availability. n denotes the health script number (1-64).

udpdns
    Allows the user to perform health checking using UDP DNS queries.

wsp
    Enables connectionless WSP content health checks for WAP gateways. The content under /cfg/slb/adv/waphc (see "/cfg/slb/advhc Advanced Health Check Configuration Menu" (page 432)) must also be configured.

wtp
    Enables connection-oriented WTP + WSP content health checks for WAP gateways. The content under /cfg/slb/adv/waphc (see "/cfg/slb/advhc Advanced Health Check Configuration Menu" (page 432)) must also be configured.

wtls
    Provides Wireless Transport Layer Security (WTLS) Hello-based health check for encrypted and connection-oriented WTLS traffic on port 9203.

ldap
    Sets the health check type to LDAP. The LDAP health checks enable the switch to determine if the LDAP server is alive. This health check consists of three LDAP messages over one TCP connection: a bind request, a bind result, and an unbind request. The switch sends an anonymous bind request to the server. If the server is up, it will send the bind result message and the switch will mark the server as alive. The switch must send an unbind request so that the server does not hold resources indefinitely.
    The switch administrator can choose LDAP version 2 or 3 as both versions are compatible with Nortel Application Switch Operating System.

snmp n
    Enables the use of SNMP-based health checks. n denotes the health script number (1-5).

tftp


    Sets the health check type to TFTP. This protocol enables the user to request a file from the server. At regular intervals, the switch transmits TFTP read requests (RRQ) to all servers in the group. The health check is successful if the server responds to the RRQ. The health check fails if the switch receives an error packet from the real server.

rtsp
    Sets the health check type to RTSP. The RTSP health check can operate with or without content. If there is no content configured, the switch will issue an RTSP OPTIONS method. If content is supplied, the switch will issue the RTSP DESCRIBE method. If the response to either method is RTSP/200, then the health check passes. If this is not the response, the health check will fail.

sip
    Sets the health check type to sip. You can perform the SIP (Session Initiation Protocol) health check by using a SIP PING request. You must enable UDP to perform SIP load balancing.

sipoptions
    Sets the health check type to sipoptions.

wts
    Sets the health check type to wts.

dhcp
    Sets the health check type to dhcp. This health check type can operate with or without content. The following content types can be configured:

    request  - use DHCP request instead of inform packet
    srequest - use DHCP request with a source port of 68
    strict   - use DHCP inform but with a source port of 68

    If no content is specified, this indicates the usage of a DHCP inform with the UDP offset source port.
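
The three-message LDAP health check described in the table above (anonymous bind request, bind result, unbind request), as an added Python example that is not Nortel code: it builds the BER-encoded messages, parses the bind result, and runs against a constructed in-memory responder so the exchange can be recognised in packet captures or directory logs. Treating any well-formed bind result with a matching message ID as "alive" follows the wording above; the function names and the sample responder are assumptions of this example.

```python
"""Model of an LDAP health check: anonymous bind, bind result, unbind."""

SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE, UNBIND_REQUEST = 0x60, 0x61, 0x42  # [APPLICATION 0/1/2]
SIMPLE_AUTH = 0x80  # context tag [0]: simple (password) authentication


def tlv(tag, value=b""):
    """Encode one BER tag-length-value with a definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value


def ber_int(n):
    """Minimal two's-complement encoding of a non-negative integer."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")


def build_bind_request(msg_id=1, version=3):
    """Anonymous simple bind: empty DN and empty password."""
    op = tlv(INTEGER, ber_int(version)) + tlv(OCTET_STRING) + tlv(SIMPLE_AUTH)
    return tlv(SEQUENCE, tlv(INTEGER, ber_int(msg_id)) + tlv(BIND_REQUEST, op))


def build_unbind(msg_id):
    """Unbind request: lets the server release the connection's resources."""
    return tlv(SEQUENCE, tlv(INTEGER, ber_int(msg_id)) + tlv(UNBIND_REQUEST))


def read_tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, value, next_pos) or raise ValueError."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:end], end


def parse_bind_response(data):
    """Return (message_id, result_code) from a BindResponse message."""
    tag, body, _ = read_tlv(data)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(body)
    if tag != INTEGER:
        raise ValueError("missing message ID")
    tag, op, _ = read_tlv(body, pos)
    if tag != BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    tag, code, _ = read_tlv(op)
    if tag != ENUMERATED:
        raise ValueError("missing result code")
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big")


def ldap_health_check(exchange, msg_id=1, version=3):
    """exchange(bytes) -> bytes or None. Returns (alive, result_code)."""
    try:
        reply = exchange(build_bind_request(msg_id, version))
        if not reply:
            return False, None
        rid, code = parse_bind_response(reply)
        return rid == msg_id, code
    except (ValueError, OSError):
        return False, None
    finally:
        try:
            exchange(build_unbind(msg_id + 1))  # always release the session
        except OSError:
            pass


def fake_server(result_code):
    """Constructed responder: answers binds with result_code, ignores unbind."""
    def exchange(msg):
        _, body, _ = read_tlv(msg)
        _, mid, pos = read_tlv(body)
        op_tag, _, _ = read_tlv(body, pos)
        if op_tag == UNBIND_REQUEST:
            return None
        resp = tlv(ENUMERATED, bytes([result_code])) + tlv(OCTET_STRING) * 2
        return tlv(SEQUENCE, tlv(INTEGER, mid) + tlv(BIND_RESPONSE, resp))
    return exchange


if __name__ == "__main__":
    print(build_bind_request().hex())
    print(ldap_health_check(fake_server(0)))   # success
    print(ldap_health_check(fake_server(48)))  # inappropriateAuthentication
```

A directory that refuses anonymous binds still returns a bind result (for example result code 48), so the result code is returned separately from the alive flag.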

Server Load Balancing Metrics


Using the metric command, you can set a number of metrics for selecting which real server in a group gets the next client request.
>> Real Server Group 1# metric
Current metric: leastconns
Enter metric:

The metrics are described in the following table:



Real Server Group Metrics (/cfg/slb/group/metric)

Option and Description

minmisses
    Minimum misses. This metric is optimized for Application Redirection. When minmisses is specified for a real server group performing Application Redirection, all requests for a specific IP destination address will be sent to the same server. This is particularly useful in caching applications, helping to maximize successful cache hits. Best statistical load balancing is achieved when the IP address destinations of load balanced frames are spread across a broad range of IP subnets.
    Minmisses can also be used for Server Load Balancing. When specified for a real server group performing Server Load Balancing, all requests from a specific client will be sent to the same server. This is useful for applications where client information must be retained on the server between sessions. Server load with this metric becomes most evenly balanced as the number of active clients increases.

hash
    Like minmisses, the hash metric uses IP address information in the client request to select a server. For Application Redirection, all requests for a specific IP destination address will be sent to the same server. This is particularly useful for maximizing successful cache hits. For Server Load Balancing, all requests from a specific client will be sent to the same server. This is useful for applications where client information must be retained between sessions.
    The hash metric should be used if the statistical load balancing achieved using minmisses is not as optimal as desired. Although the hash metric can provide more even load balancing at any given instance, it is not as effective as minmisses when servers leave and reenter service. If the Load Balancing statistics indicate that one server is processing significantly more requests over time than other servers, consider using the hash metric.

leastconns


    Least connections. With this option, the number of connections currently open on each real server is measured in real time. The server with the fewest current connections is considered to be the best choice for the next client connection request. This option is the most self-regulating, with the fastest servers typically getting the most connections over time, due to their ability to accept, process, and shut down connections faster than slower servers.

roundrobin
    Round robin. With this option, new connections are issued to each server in turn: the first real server in this group gets the first connection, the second real server gets the next connection, followed by the third real server, and so on. When all the real servers in this group have received at least one connection, the issuing process starts over with the first real server.

response
    Real server response time. With this option, the switch monitors and records the amount of time that each real server takes to reply to a health check. The response time is used to adjust the real server weights. The weights are adjusted so they are inversely proportional to a moving average of response time.

bandwidth
    Bandwidth Metric. With this option, the real server weights are adjusted so they are inversely proportional to the number of octets that the real server processes during a given interval. The higher the bandwidth used, the smaller is the weight assigned to that server.

phash
    The phash metric utilizes the best features of the hash and minmiss metrics. With phash enabled, the switch supports an even load distribution (hash) and stable server assignment (minmiss) even when a server in the group goes down. With the phash metric, the first hash will always be the same even if a real server is down.
    If the first hash hits a dead server, it will rehash for that request based on the actual number of servers that are up. This results in a request always being sent to a server that is up.

whash

Note: Under the leastconns, roundrobin, hash, and phash metrics, when real servers are configured with weights (see the weight option on "Real Server Configuration Menu Options (/cfg/slb/real)" (page 359)), a higher proportion of connections are given to servers with higher weights. This can improve load balancing among servers of different performance levels. Weights are not applied when using the minmisses metrics.
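
A model of the phash behaviour described in the metrics table above, added here as an illustration and not taken from the switch's implementation: the first hash is computed over the full configured group, and a rehash over the live servers happens only when that first choice is down. The SHA-256 stand-in hash, the naive modulo-over-live-servers baseline, and the constructed 10.0.x.y client addresses are assumptions; the page does not give the switch's actual hash function.

```python
"""Compare client-to-server stability of a phash-style pick with a naive hash."""
import hashlib


def stable_hash(key, salt=b""):
    """Deterministic 32-bit hash (SHA-256 is a stand-in, an assumption)."""
    digest = hashlib.sha256(salt + key.encode()).digest()
    return int.from_bytes(digest[:4], "big")


def live_servers(servers, up):
    """Configured servers that are currently up, in configured order."""
    return [s for s in servers if s in up]


def naive_pick(client_ip, servers, up):
    """Constructed baseline: hash modulo the number of live servers."""
    live = live_servers(servers, up)
    if not live:
        return None
    return live[stable_hash(client_ip) % len(live)]


def phash_pick(client_ip, servers, up):
    """First hash over the whole group; rehash over live servers if it is down."""
    if not servers:
        return None
    first = servers[stable_hash(client_ip) % len(servers)]
    if first in up:
        return first  # unchanged no matter which other servers are down
    live = live_servers(servers, up)
    if not live:
        return None
    return live[stable_hash(client_ip, b"rehash") % len(live)]


def remap_counts(clients, servers, down):
    """Count clients whose server changes when one server goes down."""
    all_up = set(servers)
    now_up = all_up - {down}
    moved = {"naive": 0, "phash": 0}
    for client in clients:
        for name, pick in (("naive", naive_pick), ("phash", phash_pick)):
            if pick(client, servers, all_up) != pick(client, servers, now_up):
                moved[name] += 1
    return moved


def make_clients(n):
    """Constructed sample client addresses."""
    return [f"10.0.{i // 256}.{i % 256}" for i in range(n)]


if __name__ == "__main__":
    servers = [1, 2, 3, 4]
    clients = make_clients(1000)
    print(remap_counts(clients, servers, down=2))
```

Only the clients whose first hash landed on the failed server are moved under the phash model, which matters for persistence-sensitive services where a remap drops session state.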

/cfg/slb/virt <virtual server number> Virtual Server SLB Configuration

This menu is used for configuring the virtual servers which will be the target for client requests for Server Load Balancing. Configuring a virtual server requires the following parameters:

- Creating a virtual server IP address
- Adding TCP/UDP port and real server group
- Enabling the virtual server (disabled by default)

Virtual Server Configuration Menu Options (/cfg/slb/virt)

Command Syntax and Usage

service <virtual port or name>
    Displays the Virtual Services Menu. The virtual port name can be a well-known port name, such as http, ftp, the service number, and so on. The allowable port range is from 9 to 65534. To get more information about well-known ports, see the sport command on sport any|name|port|port|port. To view the services menu options, see "/cfg/slb/virt server number /service virtual port or name Virtual Server Service Configuration" (page 378).

ipver <IP version (v4 or v6)>
    Sets the IP version.

vip <virtual server IP address for IPv4 or IPv6>


    Sets the IP address of the virtual server using dotted-decimal notation. The virtual server created within the switch will respond to ARPs and PINGs from network ports as if it was a normal server. Client requests directed to the virtual server's IP address will be balanced among the real servers available to it through real server group assignments.

dname <64 character domain name> | none
    Sets the domain name for this virtual server. The domain name typically includes the name of the company or organization, and the Internet group code (.com, .edu, .gov, .org, and so forth). An example would be foocorp.com. It does not include the hostname portion (www, www2, ftp, and so forth). The maximum number of characters that can be used in a domain name is 64. To define the hostname, see hname below. To clear the dname, specify the name as none.

vname <32 character virtual server name> | none
    Sets the name of the virtual server.

cont <BWM contract (1-1024)>
    Enter a new Bandwidth Management Contract for this virtual service. By default, all services under this virtual server are assigned this BW contract. However, the BW contract can be changed for a selected virtual server with /cfg/slb/virt <number> /service <number> /cont. All the frames that match this virtual server's services are assigned this BW contract if the previously assigned contract for the frame has lower or equal precedence of the virtual server contract. The default number of contracts is set at 1024 for Nortel Application Switch Operating System.

weight
    Sets the Global server weight for the virtual server. The higher the weight value, the more connections that will be directed to the local site. The default is 1. The response time of this site is divided by this weight before the best site is assigned to a client. Remote site response times are divided by the real server weight before selection occurs.

avail
    Sets the Global SLB availability for the virtual server.

addrule <rule, 1-64>
    Adds a Global SLB rule to the domain. A rule allows the server selected for GSLB to use a different metric preference based on time of the day. Each domain has one or more rules. Each rule has a metric preference list. The server selected for GSLB selects the first rule that matches the domain and starts with the first metric in the preference list of the rule. The default is rule 1.


remrule <rule, 1-64>
    Removes a Global SLB rule from the domain.

layr3 <enable|disable>
    Normally, the client IP address is used with the client Layer 4 port number to produce a session identifier. When the layr3 option is enabled (disabled by default), the switch uses only the client IP address as the session identifier. It associates all the connections from the same client with the same real server while any connection exists between them. This option is necessary for some server applications where state information about the client system is divided across different simultaneous connections, and also in applications where TCP fragments are generated. If the real server to which the client is assigned becomes unavailable, the Layer 4 software will allow the client to connect to a different server.

creset enable|disable
    Enable/disable client connection reset invalid VPORT.

preempt enable|disable
    Enable/disable GSLB failover preemption.

ena
    Enables this virtual server. This option activates the virtual server within the switch so that it can service client requests sent to its defined IP address.

dis
    This option disables the virtual server so that it no longer services client requests.

del
    This command removes this virtual server from operation within the switch and deletes it from the Layer 4 switching software configuration. Use this command with caution, as it will delete the options that have been set for this virtual server.

cur
    Displays the current configuration of the specified virtual server.

/cfg/slb/virt <server number> /service <virtual port or name> Virtual Server Service Configuration
This menu is used for configuring services assigned to a virtual server. The following example shows a menu for http (port 80) services.

Note: Select virtual service port 554 to configure RTSP traffic. See "Cookie-Based Persistence" (page 388) to view the menu options for configuring virtual services on port 554 for RTSP.

[Virtual Server 1 14 Service Menu]
     wts    - WTS Load Balancing Menu
     http   - HTTP Load Balancing Menu
     sip    - SIP Load Balancing Menu
     rtsp   - RTSP Load Balancing Menu
     group  - Set real server group number
     rport  - Set real port
     hname  - Set hostname
     cont   - Set BW contract for this virtual service
     pbind  - Set persistent binding type
     thash  - Set hash parameter
     tmout  - Set minutes inactive connection remains open
     dbind  - Enable/disable delayed binding
     udp    - Enable/disable UDP balancing
     frag   - Enable/disable remapping UDP server fragments
     nonat  - Enable/disable only substituting MAC addresses
     dnsslb - Enable/disable DNS query load balancing
     direct - Enable/disable direct access mode
     mirror - Enable/disable session mirroring
     epip   - Enable/disable pip selection based egress port/vlan
     del    - Delete virtual service
     cur    - Display current virtual service configuration

Virtual Server Service Configuration Options (/cfg/slb/virt/service)

Command Syntax and Usage

wts
    Go to the WTS Load Balancing Menu. To view the menu options, see "/cfg/slb/virt/service/wts WTS Load Balancing Menu" (page 385).

http
    Enables or disables HTTP Redirection for Global server load balancing on a per VIP basis. Disabling HTTP Redirection causes GSLB to use proxy IP address for HTTP. To view the menu options, see "/cfg/slb/virt/service/http HTTP Load Balancing Menu" (page 385).

sip


    Enables or disables Session Initiation Protocol (SIP) server load balancing on the Nortel Application Switch Operating System. When enabled, you can configure SIP service on the service port 5060 for a virtual server. SIP is an application-level control protocol for creating, modifying and terminating sessions with one or more participants (documented in RFC3261). NAS supports both TCP and UDP based SIP Servers. Using SIP on your switch, you can load balance Nortel's MCS (Multimedia Communication Server) proxy servers. Nortel Networks MCS is a UDP based SIP enabled application Server. Microsoft LCS server is supported in this version of NAS. You need to turn Direct Access Mode (DAM) on to perform SIP load balancing. You can use only minmiss as the load balancing metric since the load balancing is performed based on the Call-ID. To view the menu options, see "/cfg/slb/virt/service/sip SIP Load Balancing Menu" (page 386).

rtsp
    Go to the RTSP Load Balancing Menu. To view the menu options, see "/cfg/slb/virt/service/rtsp RTSP Load Balancing Menu" (page 387).

group <real server group number (1-1024)>
    Sets a real server group for this service. The default is set at 1. You will be prompted to enter the number (1 to 1024) of the real server group to add to this service.

rport <real server port (0-65534)>
    Defines the real server TCP or UDP port assigned to this service. By default, this is the same as the virtual port (service virtual port). If rport is configured to be different than the virtual port defined in /cfg/slb/virt <number> /service <virtual port>, the switch will map the virtual port to this real port.

hname <hostname> |none


    Sets the hostname for a service added. This is used in conjunction with dname (above) to create a full host/domain name for individual services. The format for this command is:

    # hname <hostname>

    For example, to add a hostname for Web services, you could specify www as the hostname. If a dname of "foocorp.com" was defined (above), "www.foocorp.com" would be the full host/domain name for the service. To clear the hostname for a service, use the command:

    # hname none

httpslb urlslb|host|cookie|browser|urlhash|headerhash|others
    Load balances on the following applications:

    urlslb: Enable or disable URL SLB
    host: Enable or disable for virtual hosting
    cookie: Enable or disable cookie-based SLB for cookie-based preferential load balancing. You will be prompted for the following: Cookie name, starting point of the cookie value, number of bytes to be extracted, enable/disable checking for cookie in URI
    browser: Enable or disable SLB, based on browser type
    urlhash: Enable or disable URL hashing based on URI
    headerhash: Hashes on any HTTP header value.
    others: Requires inputs for a particular header field

    You may choose to combine or select applications to load balance using the commands and and/or or. For example:

    httpslb <application>
    httpslb <application> and|or <application>

cont <BWM Contract (0-1024), 0 for VIP default>
    Sets a Bandwidth Management contract for this virtual service. The default number of contracts is set at 1024 for Nortel Application Switch Operating System.

    Note: If you enter 0 for the service contract, it will carry the value entered for the Virtual Server IP (vip) contract.


Command Syntax and Usage urlcont <URL path ID BW contract> Sets the Bandwidth Management contract of a string specific to this virtual service. Only use this command when a string is shared by multiple virtual services and each service requires a separate bandwidth. The default is set at 1024. pbind clientip|cookie <p|r|i> |sslid|disable Enables or disables persistent bindings for a real server (disabled by default). This may be necessary for some server applications where state information about the client system is retained on the server over a series of sequential connections, such as with SSL (Secure Socket Layer, HTTPS), Web site search results, or multi-page Web forms.

The clientip option uses the client IP address as an identifier, and associates all connections from the same client with the same real server until the client becomes inactive and the connection is aged out of the binding table. The connection timeout value (set in the Real Server Menu) is used to control how long these inactive but persistent connections remain associated with their real servers. When the client resumes activity after their connection has been aged out, they will be connected to the most appropriate real server based on the load balancing metric. An alternative approach may be to use the real server group metrics minmisses or hash (see "Server Load Balancing Metrics" (page 373)). In Nortel Application Switch Operating System 23.1, with the clientip option enabled, HTTP and HTTPS traffic from the same client will map to the same server irrespective of the load balancing metric used, since the services are related. Different services from the same client, however, may not map to the same server.

The cookie option uses a cookie defined in the HTTP header or placed in the URI for hashing. For more information on the cookie option, see "Cookie-Based Persistence" (page 388). For detailed information on Cookie-Based Persistence, see the Persistence chapter in the Nortel Application Switch Operating System Application Guide.

The sslid option is for Secure Sockets Layer (SSL), which is a set of protocols built on top of TCP/IP that allow an application server and user to communicate over an encrypted HTTP session. SSL provides authentication, non-repudiation, and security. The session ID is a value comprising 32 random bytes chosen by the SSL server that gets stored in a session hash table. By enabling the sslid option, all subsequent SSL sessions which present the same session ID will be directed to the same real server.

The disable option allows you to disable persistent binding, if it has previously been enabled for a particular application.

rcount <response count number (1-16)>
Sets the maximum response counter for cookie-based persistence. The Nortel Application Switch will examine each server response until the cookie is found, or until the maximum count is reached. The default number is 1.

thash sip|sip+sport
Defines hash parameter. Tunable hash feature allows the user to select different parameters for computing the hash value used by the hash, phash, and minmisses SLB metrics. For example, the source IP address, or both source IP address and source port. If the user does not select any, the switch will use default hash parameter, which is sip.

tmout
To check the time in minutes when an inactive connection remains open.

dbind disable|enable
Enables or disables Layer 4 Delayed Binding for TCP service and ports. Enabling this command protects the server from Denial of Service (DoS) attacks. This option is disabled by default.

udp disable|enable|stateless
Enables or disables UDP load balancing for a virtual port (disabled by default). You can configure this option if the service(s) to be load balanced include UDP and TCP. For example, DNS uses UDP and TCP. In those environments, you must activate UDP balancing for the particular virtual servers that clients will communicate with using UDP. When stateless is enabled, no session table entry is created. Since no session is created, you have to bind to a new server every time.

Note: If applying a filter to the same virtual server IP address on which UDP load balancing is enabled, disable caching on that filter for optimal performance. For more information, see the cache command in "Advanced Filter Menu (/cfg/slb/filt/adv)" (page 396).

frag disable|enable
Enables or disables remapping server fragments for virtual port. This option is enabled by default.

nonat disable|enable
Enables or disables substituting only the MAC address of the real server (disabled by default). This option does not substitute IP addresses. This option is used for Direct Server Return (DSR) in a one-armed load balancing setup, so that frames returning from server to the client do not have to pass through the switch.

dnsslb disable|enable
Enables or disables DNS-based Layer 7 content load balancing.

This command appears only when the virtual service is set to ftp or service port 21. Enables or disables FTP SLB parsing for this virtual server (disabled by default). When this option is enabled, the switch modifies the appropriate FTP method/command to support FTP servers on a private network for both active and passive FTP modes. To do this, the switch looks deeper into the packet and modifies the port command for active FTP or the "entering the passive mode" command for passive FTP.

direct disable|enable
Enables or disables Direct Access Mode (DAM) on the selected virtual service. This command takes precedence over the command to globally enable or disable Direct Access Mode on the switch.

mirror disable|enable
Enables or disables session mirroring on the selected virtual service.

xforward disable|enable
Enables or disables inserting the X-Forwarded-For header into the client HTTP request to preserve the client IP information. X-Forwarded-For is a special header that stores and identifies the client IP information. This feature applies only to the HTTP protocol.

epip disable|enable
Enables or disables proxy IP selection based on egress port or VLAN. By default, the SP selects the proxy IP address based on ingress port or VLAN. Using the epip command, you can configure the SP to select proxy IP address based on the egress port or VLAN.

del
This command removes this virtual service from operation within the switch and deletes it from the Layer 4 switching software configuration.
Use this command with caution, as it will delete the options that have been set for this virtual service.

cur
Displays the current configuration of services on the specified virtual server.

/cfg/slb/virt/service/wts WTS Load Balancing Menu


[WTS Load Balancing Menu]
     userhash - Enable userhash when there is no Session Dir. Server
     ena      - Enable WTS loadbalancing and persistence
     dis      - Disable WTS loadbalancing and persistence
     cur      - Display current WTS configuration

WTS Load Balancing Menu Options
Command Syntax and Usage

userhash
Enables the userhash if there is no session director server in the server platform.

ena [true|false]
Enable WTS load balancing.

dis [true|false]
Disable WTS load balancing.

cur
Display the current WTS configuration.

/cfg/slb/virt/service/http HTTP Load Balancing Menu

HTTP Load Balancing Menu Options
Command Syntax and Usage

httpslb
Set HTTP SLB processing.

urlcont
Set BW cont of an SLB string specific to this service.

rcount
Set multi response count.

http
Enable/disable HTTP redirects for Global SLB.

xforward
Enable/disable X-Forwarded-For for proxy mode.

pooling
Enable/disable connection pooling for HTTP traffic.

cur
Display current HTTP configuration.

/cfg/slb/virt/service/sip SIP Load Balancing Menu


[SIP Load Balancing Menu]
     sip    - Enable/disable SIP load balancing
     sdpnat - Enable/disable SIP SDP Media Portal NAT
     cur    - Display current SIP configuration

These options configure L7-based SIP load balancing.
Note: L7 SIP load balancing is supported only over UDP, not over TCP. You must enable UDP for the SIP service.

SIP Load Balancing Menu Options
Command Syntax and Usage

sip
Enable SIP load balancing. When this is enabled you can scan and hash calls based on a SIP Call-ID header to an MCS server. You need to turn Direct Access Mode (DAM) on to perform SIP load balancing. You can use only minmiss as the load balancing metric since the load balancing is performed based on the Call-ID. When this is disabled, the load balancing is based on L4 tuple values.

sdpnat
Enable SIP SDP Media Portal NAT.

cur
Display the current SIP configuration.

/cfg/slb/virt/service/rtsp RTSP Load Balancing Menu


[RTSP Load Balancing Menu]
     group    - Set real server group number
     hname    - Set hostname
     rtspslb  - Set RTSP URL load balancing type
     thash    - Set hash parameter
     tmout    - Set minutes inactive connection remains open
     softgrid - Enable/disable SoftGrid load balancing
     nonat    - Enable/disable only substituting MAC addresses
     nortsp   - Enable/disable only RTSP SLB
     del      - Delete virtual service
     cur      - Display current virtual service configuration

RTSP Load Balancing Menu Options
Command Syntax and Usage

group <real server group number (1-1024)>
Sets real server group number.

hname <hostname> |none
Sets the hostname for a service added. This is used in conjunction with dname (above) to create a full host/domain name for individual services. The format for this command is:
# hname <hostname>
For example, to add a hostname for Web services, you could specify www as the hostname. If a dname of "foocorp.com" was defined (above), "www.foocorp.com" would be the full host/domain name for the service. To clear the hostname for a service, use the command:
# hname none

rtspslb hash|patternMatch|l4hash|none
This Layer 7 load balancing option sets the type of rtspslb, either hash or patternMatch, thereby enabling the service. The default is hash.
hash: If you use hash, RTSP will parse the URL and will hash the URL to select a server to load balance.
patternMatch: If you select this option, the switch will match the string or pattern within the URL to select a server based on the string configured on the real server.
l4hash: The l4hash option configures Server Load Balancing to be based on the Layer 4 hash metric.
none: If set at none, RTSP will use Layer 4 metrics to select a server to load balance.

thash sip|sip+sport
Defines hash parameter. Tunable hash feature allows the user to select different parameters for computing the hash value used by the hash, phash, and minmisses SLB metrics. For example, the source IP address, the destination IP address, or both source IP address and source port. If the user does not select any, the switch will use default hash parameter, which is sip.

tmout <minutes (0 - 32768)>
Sets the number of minutes an inactive connection remains open. This is an even number of minutes between 0 and 32768.

softgrid <Enable|disable>
Enable or disable softgrid load balancing.

nonat <Enable|disable>
Enable or disable NAT for DSR configuration.

nortsp <Enable|disable>
Enable or disable RTSP SLB for DSR configuration.

del
Deletes this virtual service.

cur
Displays the current virtual service configuration.

Cookie-Based Persistence
The cookie option is used to establish cookie-based persistence, and has the following command syntax and usage:


pbind cookie <mode name offset length URI>
Each parameter is explained in the following table.

Option    Description

mode
Specify the mode for cookie-based persistence. The following three modes are available:
p: Passive mode. In this mode, the network administrator configures the Web server to embed a cookie in the server response that the switch looks for in subsequent requests from the same client.
r: Rewrite mode. In active cookie mode (or cookie rewrite mode), the switch, and not the network administrator, generates the cookie value on behalf of the server. The switch intercepts this persistence cookie and rewrites the value to include server-specific information before sending it to the client.
i: Insert mode. When a client sends a request without a cookie, the server responds with the data, and the switch inserts a persistence cookie into the data packet. The switch uses this cookie to bind to the appropriate server.
Cookie-insert has some new options as explained below:
Domain name: Domain specifies the domain for which the cookie is valid. Enter [y] to enable this option.
path: Enter the subset of URLs on the origin server to which this cookie applies.
secure flag: The Secure boolean attribute, when True, directs the user agent to use secure connection to obtain content associated with the cookie. Enter [y] to enable this option.
Insert cookie mode expiration parameters are as follows:

Enter insert-cookie expiration as either:
... a date <MM/dd/yy[@hh:mm]> (e.g. 12/31/01@23:59)
... a duration <days[:hours[:minutes]]> (e.g. 45:30:90)
... or none <return>

name
Enter the name of the cookie.

offset
Enter the starting point of the cookie value (1-64)

length
Enter number of bytes to extract (1-64). For cookie rewrite, the extracting length must be 8 or 16.

URI
Look for cookie in the URI. If you want to look for cookie name or value in the URI, enter e to enable this option. To look for cookie in the HTTP header, enter d to disable this option.

For more information on Cookie-Based Persistence, see the Nortel Application Switch Operating System 24.0 Application Guide.
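
What the name, offset, length and URI parameters select from a request, shown as an added Python example (not the switch's implementation). Assumptions: offset 1 means the first byte of the cookie value, a cookie in the URI appears as name=value, and CRC32 stands in for the switch's hash, which this reference does not specify; the requests and server names are constructed.

```python
import re
import zlib
from typing import Dict, List, Optional


def validate_pbind_cookie(mode: str, offset: int, length: int) -> None:
    """Apply the parameter limits stated in the option table."""
    if mode not in ("p", "r", "i"):
        raise ValueError("mode must be p (passive), r (rewrite) or i (insert)")
    if not 1 <= offset <= 64:
        raise ValueError("offset must be 1-64")
    if not 1 <= length <= 64:
        raise ValueError("length must be 1-64")
    if mode == "r" and length not in (8, 16):
        raise ValueError("cookie rewrite requires an extracting length of 8 or 16")


def find_cookie(request: Dict[str, str], name: str, in_uri: bool) -> Optional[str]:
    """Return the cookie value from the URI (URI option e) or the Cookie header (d)."""
    if in_uri:
        # Assumption: name=value in the URI, delimited by ; & ? / or end of string.
        m = re.search(r"(?:^|[;&?/])" + re.escape(name) + r"=([^;&?/#]*)",
                      request.get("uri", ""))
        return m.group(1) if m else None
    for part in request.get("cookie", "").split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:          # exact name match, so "xsid" is not "sid"
            return value
    return None


def persistence_key(request: Dict[str, str], mode: str, name: str,
                    offset: int, length: int, in_uri: bool) -> Optional[str]:
    """Bytes of the cookie value used to pick a real server, or None."""
    validate_pbind_cookie(mode, offset, length)
    value = find_cookie(request, name, in_uri)
    if value is None:
        return None                      # no cookie: the SLB metric decides
    key = value[offset - 1: offset - 1 + length]   # assumption: offset is 1-based
    return key or None                   # cookie shorter than the offset


def select_server(key: Optional[str], servers: List[str]) -> Optional[str]:
    """Map a key to a server. CRC32 is a stand-in for the switch's hash."""
    if key is None:
        return None
    return servers[zlib.crc32(key.encode("ascii")) % len(servers)]


# Constructed sample requests and real server names.
REQ_HEADER = {"uri": "/cart", "cookie": "lang=en; sid=AB12CD34EF56GH78; theme=dark"}
REQ_URI = {"uri": "/cart;sid=AB12CD34EF56GH78?item=7", "cookie": ""}
SERVERS = ["real1", "real2", "real3"]

if __name__ == "__main__":
    for req, in_uri in ((REQ_HEADER, False), (REQ_URI, True)):
        key = persistence_key(req, "p", "sid", 1, 8, in_uri)
        print(key, "->", select_server(key, SERVERS))
```

With the URI option set to d, a client that carries the cookie only in the URI yields no key, so its requests fall back to the load balancing metric and persistence is lost.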

/cfg/slb/filt <filter number> SLB Filter Configuration

[Filter 1 Menu]
     adv    - Filter Advanced Menu
     name   - Set filter name
     smac   - Set source MAC address
     dmac   - Set destination MAC address
     ipver  - Set Filter IP version
     sip    - Set source IP address
     smask  - Set source subnet mask/prefix len
     dip    - Set destination IP address
     dmask  - Set destination subnet mask/prefix len
     proto  - Set IP protocol
     sport  - Set source TCP/UDP port or range
     dport  - Set destination TCP/UDP port or range
     action - Set action
     group  - Set real server group for redirection
     rport  - Set real server port for redirection
     nat    - Set which addresses are network address translated
     vlan   - Set vlan id
     invert - Enable/disable filter inversion
     ena    - Enable filter
     dis    - Disable filter
     del    - Delete filter
     cur    - Display current filter configuration

The switch supports up to 2048 traffic filters. Each filter can be configured to allow, deny, redirect or perform Network Address Translation on traffic according to a variety of address and protocol specifications, and each physical switch port can be configured to use any combination of filters. This command is disabled by default.

There are several options available in the Filter Advanced Menu (/cfg/slb/filt/adv, "/cfg/slb/filt filter number /adv Advanced Filter Configuration" (page 395)) that can be used to provide more information through syslog. The types of information include:
IP protocol
TCP/UDP ports
TCP flags
ICMP message type

The following parameters are required for filtering:
Set the address, masks, and/or protocol that will be affected by the filter
Set the filter action (allow, deny, redirect, nat)
Enable the filter
Add the filter to a switch port
Enable filtering on the Nortel Application Switch port

Filter Configuration Menu Options (/cfg/slb/filt)
Command Syntax and Usage

adv
Displays the Filter Advanced Menu. To view menu options, see "/cfg/slb/filt filter number /adv Advanced Filter Configuration" (page 395).

name <31 character name> |none
Allows the user to assign a name to a filter.

smac any| <MAC address (such as, 00:60:cf:40:56:00)>
Sets the source MAC address. The default is any.

dmac any| <MAC address (such as, 00:60:cf:40:56:00)>
Sets the destination MAC address. The default is any.

ipver v4 | v6
Sets the IP version that the filter will use. Filtering using IPv6 is only supported in bridge mode.

sip <sip IP4 address (eg, 192.4.17.101) | IP6 address (eg, 3001:0:0:0:0:0:abcd:1234 or 3001::abcd:1234)>
If defined, traffic with this source IP address will be affected by this filter. Specify an IP address in dotted decimal notation for IPv4 or colon notation for IPv6, or any. A range of IP addresses is produced when used with the smask below. The default is any if the source MAC address is any.


smask <IP4 subnet mask (such as, 255.255.255.0)> | <IP6 prefix length (eg, 64)>
This IP address mask is used with the sip to select traffic which this filter will affect. See details below for more information on producing address ranges. For more information, see "Defining IP Address Ranges for Filters" (page 395).

dip <IP4 address (eg, 192.4.17.101)> | <IP6 address (eg, 3001:0:0:0:0:0:abcd:1234 or 3001::abcd:1234)>
If defined, traffic with this destination IP address will be affected by this filter. Specify an IP address in dotted decimal notation for IPv4 or colon notation for IPv6, or any. A range of IP addresses is produced when used with the dmask below. The default is any if the destination MAC address is any. For more information, see "Defining IP Address Ranges for Filters" (page 395).

dmask <IP4 subnet mask (such as, 255.255.255.0)> | <IP6 prefix length (eg, 64)>
This IP address mask is used with the dip to select traffic which this filter will affect.

proto any| <number> | name
If defined, traffic from the specified protocol is affected by this filter. Specify the protocol number, name, or "any". The default is any. Listed below are some of the well-known protocols.
Number  Name
1       icmp
2       igmp
6       tcp
17      udp
58      icmp6
89      ospf
112     vrrp

sport any| <name> | <port> | <port> - <port>
If defined, traffic with the specified TCP or UDP source port will be affected by this filter. Specify the port number, range, name, or "any". The default is any. Listed below are some of the well-known ports:
Number  Name
20      ftp-data
21      ftp
22      ssh
23      telnet
25      smtp
37      time
42      name
43      whois
53      domain
69      tftp
70      gopher
79      finger
80      http
109     pop2
110     pop3

dport any| <name> | <port> | <port> - <port>
If defined, traffic with the specified real server TCP or UDP destination port will be affected by this filter. Specify the port number, range, name, or "any", just as with sport above. The default is set at any.

action allow|deny|redir|nat|goto
Specifies the action this filter takes:
Note: IPv6 filters support the allow, deny, and redirection actions.
allow: Allow the frame to pass (by default).
deny: Discard frames that fit this filter's profile. This can be used for building basic security profiles.
redir: Redirect frames that fit this filter's profile, such as for web cache redirection. In addition, Layer 4 processing must be activated (see the /cfg/slb/on command on "/cfg/slb SLB Configuration" (page 355)).
nat: Perform generic Network Address Translation (NAT). This can be used to map the source or destination IP address and port information of a private network scheme to/from the advertised network IP address and ports. This is used in conjunction with the nat option (mentioned in this table) and can also be combined with proxies.


goto: Allows the user to specify a target filter ID that the filter search should jump to when a match occurs. The goto action causes filter processing to jump to a designated filter, effectively skipping over a block of filter IDs. Filter searching action will then continue from the designated filter ID. To specify the new filter to goto, use the /cfg/slb/filt/adv/goto command.

group <real server group number (1-1024)>
This option applies only when redir is specified at the filter action. Define a real server group (1 to 16) to which redirected traffic will be sent. The default is group 1.

rport <real server port (0-65535)>
This option applies only when redir is specified at the filter action. This defines the real server TCP or UDP port to which redirected traffic will be sent. For valid Layer 4 health checks, this must be configured whenever TCP protocol traffic is redirected. Also, if transparent proxies are used for Network Address Translation (NAT) on the Nortel Application Switch (see the pip option in "Port Configuration Menu Options (/cfg/slb/port)" (page 408)), rport must be configured for all Application Redirection filters. The default is set at 0.

nat source|dest
When nat is set as the filter action (see above), this command specifies whether Network Address Translation (NAT) is performed on the source or the destination information. Destination (dest) is set as the default filter. If source is specified, the frame's source IP address (sip) and port number (sport) are replaced with the dip and dport values. If dest is specified, the frame's destination IP address (dip) and port number (dport) are replaced with the sip and sport values.

vlan any| <VLAN ID (1 - 4090)>
Sets the ID of the VLAN that is to be filtered. This option allows you to match the VLAN ID of the switch against the VLAN ID of the incoming packet.
The default is any, which means the switch will match any VLAN ID of the incoming packet. This command allows filters to be configured on a per-VLAN basis, and applies a filter to a VLAN that already has been configured. A VLAN has a set of member ports, but applying this filter to a VLAN does not apply it to all the member ports of this VLAN. You have to manually add the filter to the port.

invert disable|enable
Inverts the filter logic. If the conditions of the filter are met, don't act. If the conditions for the filter are not met, perform the assigned action. This option is disabled by default. When using filter inversion for IPv6, be aware that Neighbor Solicitations (NSol) are filtered out if no appropriate NSol filter was set up before inversion.

ena
Enables this filter.

dis
Disables this filter.

del
Deletes this filter.

cur
Displays the current configuration of the filter.

Defining IP Address Ranges for Filters

You can specify a range of IP addresses for filtering both the source and/or destination IP address for traffic. When a range of IP addresses is needed, the sip (source) or dip (destination) defines the base IP address in the desired range, and the smask (source) or dmask (destination) is the mask which is applied to produce the range. For example, to determine if a client request's destination IP address should be redirected to the cache servers attached to a particular switch, the destination IP address is masked (bitwise AND) with the dmask and then compared to the dip. As another example, you could configure the switch with two filters so that each would handle traffic filtering for one half of the Internet. To do this, you could define the following parameters:

Filtering IP Address Ranges
Filter  Internet Address Range         dip          dmask
#1      0.0.0.0 - 127.255.255.255      0.0.0.0      128.0.0.0
#2      128.0.0.0 - 255.255.255.255    128.0.0.0    128.0.0.0
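
The masking rule above, together with the invert and goto behaviour described for the filter menu, as a small Python model for reviewing a rule set offline. This is an added example, not Nortel code: the Filter class, the ascending-ID first-match search and the loop guard are assumptions of the model, and the sample rule sets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALL_ONES = 0xFFFFFFFF


def to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def address_range(base: str, mask: str) -> Tuple[str, str]:
    """First and last address selected by a base address and a contiguous mask."""
    b, m = to_int(base), to_int(mask)
    if b & ~m & ALL_ONES:
        # (addr AND mask) can never equal a base that has bits outside the mask.
        raise ValueError(f"{base} has bits outside mask {mask}: filter never matches")
    last = b | (~m & ALL_ONES)
    return str(ipaddress.IPv4Address(b)), str(ipaddress.IPv4Address(last))


def masked_match(addr: str, base: str, mask: str) -> bool:
    """Mask the packet address (bitwise AND), then compare with the base address."""
    return (to_int(addr) & to_int(mask)) == to_int(base)


@dataclass
class Filter:
    fid: int
    action: str                   # allow | deny | redir | nat | goto
    sip: str = "0.0.0.0"          # "any" is modelled as base 0.0.0.0, mask 0.0.0.0
    smask: str = "0.0.0.0"
    dip: str = "0.0.0.0"
    dmask: str = "0.0.0.0"
    invert: bool = False
    goto: Optional[int] = None    # target filter ID when action is goto

    def hits(self, src: str, dst: str) -> bool:
        met = (masked_match(src, self.sip, self.smask)
               and masked_match(dst, self.dip, self.dmask))
        # invert: act only when the conditions are NOT met.
        return met != self.invert


def evaluate(filters: List[Filter], src: str, dst: str
             ) -> Tuple[Optional[int], Optional[str]]:
    """Return (filter ID, action) of the first hit, or (None, None) if nothing hits."""
    ordered = sorted(filters, key=lambda f: f.fid)   # assumption: ascending ID order
    jumped_from = set()
    i = 0
    while i < len(ordered):
        f = ordered[i]
        if not f.hits(src, dst):
            i += 1
            continue
        if f.action != "goto":
            return f.fid, f.action
        if f.goto is None or f.fid in jumped_from:
            raise ValueError(f"filter {f.fid}: missing goto target or goto loop")
        jumped_from.add(f.fid)
        # Continue the search from the designated filter ID.
        i = next((k for k, g in enumerate(ordered) if g.fid >= f.goto), len(ordered))
    return None, None


# Constructed rule sets. HALVES is the two-filter table above.
HALVES = [Filter(1, "allow", dip="0.0.0.0", dmask="128.0.0.0"),
          Filter(2, "redir", dip="128.0.0.0", dmask="128.0.0.0")]
INVERTED = [Filter(10, "deny", sip="10.0.0.0", smask="255.0.0.0", invert=True)]
JUMP = [Filter(5, "goto", sip="10.0.0.0", smask="255.0.0.0", goto=20),
        Filter(10, "deny"),
        Filter(20, "allow")]

if __name__ == "__main__":
    print(address_range("128.0.0.0", "128.0.0.0"))
    print(evaluate(HALVES, "203.0.113.5", "192.0.2.10"))
    print(evaluate(INVERTED, "198.51.100.7", "192.0.2.10"))
    print(evaluate(JUMP, "10.1.1.1", "192.0.2.10"))
```

address_range rejects a base address with bits set outside the mask, a misconfiguration that leaves a deny filter silently matching nothing.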

/cfg/slb/filt <filter number> /adv Advanced Filter Configuration


[Filter 1 Advanced Menu]
     8021p    - 802.1p Advanced Menu
     tcp      - TCP Advanced Menu
     ip       - IP Advanced Menu
     layer7   - Layer 7 Advanced Menu
     proxyadv - Proxy Advanced Menu
     redir    - Redirection Advanced Menu
     security - Security Menu
     icmp     - Set ICMP message type
     cont     - Set BW contract
     revcont  - Set BW contract for the reverse session
     tmout    - Set NAT or L7 lookup session timeout
     idsgrp   - Set IDS server group for intrusion detection SLB
     idshash  - Set hash parameter for intrusion detection SLB
     thash    - Set hash parameter for Filter
     mcvlan   - Set MCAST NAT egress VLAN Id
     goto     - Set GOTO filter ID
     reverse  - Enable/disable creating session reverse side traffic
     cache    - Enable/disable caching sessions that match filter
     log      - Enable/disable logging
     mirror   - Enable/disable session mirroring
     nbind    - Enable/disable subnet binding for redirection
     cur      - Display current advanced filter configuration

Advanced Filter Menu (/cfg/slb/filt/adv)
Command Syntax and Usage

8021p
Displays 8021p Advanced Menu. IEEE 802.1p is the specification for prioritizing the network traffic at the Layer 2 level in your switch. Using this command you can preserve 802.1p bits in all the frames that pass through the switch. To view menu options, see "/cfg/slb/filt filter number /adv/8021p 802.1p Advanced Menu" (page 398).

tcp
Displays the TCP Flags advanced menu. To view menu options, see "/cfg/slb/filt filter number /adv/tcp Advanced Filter TCP Configuration" (page 399).

ip
Sets IP advanced menu. To view menu options, see "/cfg/slb/filt filter number /adv/ip IP Advanced Menu" (page 400).

layer7
Displays Layer7 advanced menu. To view menu options, see "/cfg/slb/filt filter number /adv/layer7 Layer 7 Advanced Filter Configuration Menu" (page 402).

proxyadv
Displays the Proxy Advanced Menu. To view menu options, see "/cfg/slb/filt/adv/proxyadv Proxy Advanced Menu" (page 404).

redir
Redirects to the advance menu. To view menu options, see

icmp any| <number> | <type; "icmp list" for list>
Sets the ICMP message type. The default is set at any. For a list of ICMP message types, see "ICMP Message Types" (page 401). For a detailed description of filtering and ICMP, see the Nortel Application Switch Operating System 23.1 Application Guide.

cont <BWM Contract (1-1024)>
Sets the Bandwidth Management Contract. By default, the contract number is set at 1024.

revcont <BW Contract (1-1024)>
Sets the Bandwidth Management contract for the reverse traffic session. This command helps you assign a different Bandwidth management contract from the one configured on the ingress filter.

tmout <even number of minutes (4-32768)>
Sets the session timeout in an even number of minutes. The default is set at 4 minutes.

Defines the client proxy IP address.

idsgrp <real server group number (1-1024)> |none
Sets the IDS server group for intrusion detection server load balancing. When filtering is used for IDSLB, each filter added to an IDSLB-enabled port can be assigned a unique IDS real server group.

idshash sip|dip|both
Sets the hash metric parameter for Intrusion Detection System Server Load Balancing: source IP (sip), destination IP (dip), or both.


thash auto|sip|dip|both|sip+sport|dip32
Allows you to choose hash parameter to use for filter redirection. The default is auto.
The sip option allows you to perform tunable hash on source IP address for this filter.
The option dip allows you to perform tunable hash on destination IP address for this filter.
The option both allows you to perform tunable hash on both source IP address and the destination IP address at the same time.
The option sip+sport allows you to perform tunable hash on both source IP address and source port at the same time.
The option dip32 allows the user to perform tunable hash on 32 bit destination IP address for the filter.

goto <filter ID>
Allows the user to specify a target filter ID that the filter search should jump to when a match occurs. Filter searching will then continue from the designated filter ID. Use this command to specify the new filter to go to. In order to use this feature, the action on this filter must be set to goto.

reverse disable|enable
Enables or disables the creation of a session for traffic coming from the reverse side. This command allows for the creation of a session entry for reverse traffic to avoid inspecting traffic in both directions.

cache disable|enable
Enables or disables caching sessions that match the filter. Exercise caution while applying cache-enabled and cache-disabled filters to the same switch port. A cache-enabled filter creates a session entry in the switch, so that the switch can bypass checking for subsequent frames that match the same criteria. Cache is enabled by default.

Note: Cache should be disabled if applying a filter to virtual server IP address while performing UDP load balancing (see udp disable|enable|stateless).

log disable|enable
Enables or disables generating of syslog messages when a filter is hit. This option is disabled by default.

mirror disable|enable
Enables or disables session mirroring.

cur
Displays the current advanced filter configuration.

/cfg/slb/filt <filter number> /adv/8021p 802.1p Advanced Menu

This feature provides the Nortel Application Switch Operating System the capability to filter IP packets based on the 802.1p bits in the packet's VLAN header. The 802.1p bits specify the priority that you should give to the packets while forwarding them. Packets with higher (non-zero) priority bits are given forwarding preference over packets with a numerically lower priority bits value.

[802.1p Advanced Menu]
     value - Set 802.1p value
     match - Enable/disable 802.1p value matching
     cur   - Display current 802.1p configuration

8021p Advanced Menu Options (/cfg/slb/filt/adv/8021p)
Command Syntax and Usage

value <0-7>
Defines 802.1p value. The value is the priority bits information in the packet structure.

match <disable|enable>
Enables or disables matching of 802.1p value. When the Management Processor needs to reuse the packet to send to the destination, the switch matches the original priority bits information with the priority bits information after the frame processing is complete.

cur
Displays current 802.1p configuration.

/cfg/slb/filt <filter number> /adv/tcp Advanced Filter TCP Configuration

[TCP Advanced Menu]
     urg    - Enable/disable TCP URG matching
     ack    - Enable/disable TCP ACK matching
     psh    - Enable/disable TCP PSH matching
     rst    - Enable/disable TCP RST matching
     syn    - Enable/disable TCP SYN matching
     fin    - Enable/disable TCP FIN matching
     ackrst - Enable/disable TCP ACK or RST matching
     cur    - Display current TCP configuration

These commands can be used to configure packet filtering for specific TCP flags.

Nortel Application Switch Operating System Command Reference NN47220-105 (320506-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.

400 The SLB Conguration Menu Advanced Filter TCP Menu (/cfg/slb/lt/adv/tcp) Command Syntax and Usage urg disable|enable Enables or disables TCP URG (urgent) flag matching. By default, this option is disabled. ack disable|enable Enables or disables TCP ACK (acknowledgement) flag matching. By default, this option is disabled. psh disable|enable Enables or disables TCP PSH (push) flag matching. By default, this option is disabled. rst disable|enable Enables or disables TCP RST (reset) flag matching. By default, this option is disabled. syn disable|enable Enables or disables TCP SYN (synchronize) flag matching. By default, this option is disabled. fin disable|enable Enables or disables TCP FIN (finish) flag matching. By default, this option is disabled. ackrst disable|enable Enables or disables TCP acknowledgement or reset flag matching. By default, this option is disabled. cur Displays the current Access Control List TCP filter configuration.

/cfg/slb/filt <filter number> /adv/ip IP Advanced Menu


[IP Advanced Menu]
     tos     - Set IP Type of Service
     tmask   - Set IP TOS mask
     newtos  - Set new IP TOS
     length  - Set IP maximum packet length
     option  - Enable/disable IP option matching
     cur     - Display current IP configuration

IP Advanced Menu Options (/cfg/slb/filt/adv/ip)

Command Syntax and Usage

tos <0-255>
  Sets IP type of service (ToS) and the value of the type of service. For more information on ToS, refer to RFC 1340 and 1349.

tmask <0-255>
  Sets IP type of service mask.

newtos <0-255>
  Sets new IP type of service.

length <IP packet length (in bytes), 64-65535> |any
  Defines the limit of the IP packet length, including the IPv4 or IPv6 IP header. Any packet equal to or exceeding the specified length will not match the filter. This option supports both IPv4 and IPv6 packets.

option <disable|enable>
  Enables or disables IP option matching.

cur
  Displays the current advanced IP settings for the selected filter.

ICMP Message Types


The following ICMP message types are used with the /cfg/slb/filt/adv/icmp command. You can list all ICMP message types with the /cfg/slb/filt/adv/icmp list command.
ICMP Message Types

Type #   Message Type   Description
0        echorep        ICMP echo reply
3        destun         ICMP destination unreachable
4        quench         ICMP source quench
5        redir          ICMP redirect
8        echoreq        ICMP echo request
9        rtradv         ICMP router advertisement
10       rtrsol         ICMP router solicitation
11       timex          ICMP time exceeded
12       param          ICMP parameter problem
13       timereq        ICMP timestamp request
14       timerep        ICMP timestamp reply
15       inforeq        ICMP information request
16       inforep        ICMP information reply
17       maskreq        ICMP address mask request
18       maskrep        ICMP address mask reply


/cfg/slb/filt <filter number> /adv/layer7 Layer 7 Advanced Filter Configuration Menu


[Layer 7 Advanced Menu]
     sip      - Layer 7 SIP Menu
     urlcont  - Set BW cont of an URL path specific to this filter
     addrd    - Add HTTP redirection mapping
     remrd    - Remove HTTP redirection mapping
     addstr   - Add string for layer 7 filtering
     remstr   - Remove string for layer 7 filtering
     rdsnp    - Enable/disable WAP RADIUS Snooping
     rdswap   - Enable/disable RADIUS/WAP Persistence
     ftpa     - Enable/disable active FTP NAT
     l7lkup   - Enable/disable layer 7 content lookup
     parseall - Enable/disable layer 7 lookup (parsing) of all packets
     cur      - Display current layer 7 configuration

Layer 7 Advanced Filter Menu Options (/cfg/slb/filt/adv/layer7)

Command Syntax and Usage

sip
  Go to the Layer 7 SIP menu. To view the menu options, see "/cfg/slb/filt num /adv/layer7/sip Layer 7 SIP Menu" (page 404).

urlcont <URL path ID BW contract>
  Sets the URL path BW contract for this filter. Only use this command when a string is shared by multiple filters and each filter requires a separate bandwidth.

addrd [1>2]
  Adds an HTTP redirection mapping. Strings are defined under: /cfg/slb/layer7/slb/add. This command tells the filter that if it matches on the first string ID, it sends an HTTP redirection message back to the client that contains the information in the second string ID.

remrd <string id to redirect from (1-1024) string id to redirect to (2-1024)>
  Removes an HTTP redirection mapping that was added using the addrd command described above.

addstr <string id (1-1024)>
  Adds the string ID to this filter for L7 filtering. The string is defined under: /cfg/slb/layer7/slb/add.

remstr <string id (1-1024)>
  Removes the string ID for Layer 7 filtering. The string is defined under: /cfg/slb/layer7/slb/add.

rdsnp <disable|enable>
  Enables or disables WAP RADIUS snooping on this filter. RADIUS snooping allows the Nortel Application Switch Operating System to examine RADIUS accounting packets for client information. This information is needed to add to or delete static session entries in the switch's session table so that it can perform the required persistency for load balancing. For more details, refer to the Application Guide.

rdswap enable|disable
  Enables or disables WAP RADIUS persistence on this filter. This feature allows for RADIUS and WAP persistence by binding both (RADIUS accounting and WAP) sessions to the same server. A WAP client is first authenticated by the RADIUS server on UDP port 1812. The server replies with a Radius Accept or Reject frame. The switch forwards this reply to the RAS. After the RAS receives the Radius accept packet, it sends a RADIUS accounting start packet on UDP port 1813 to the bound server. The application switch snoops on the RADIUS accounting start packet for the "framed IP address" attribute. The "framed IP address" attribute is used to rebind the RADIUS accounting session to a new server. For more details, refer to the Application Guide.

ftpa disable|enable
  Enables or disables active FTP Client Network Address Translation (NAT). When a client in active FTP mode sends a PORT command to a remote FTP server, the switch will look into the data part of the frame and replace the client's private IP address with a proxy IP (PIP) address. The real server port (RPORT) will be replaced with a proxy port (PPORT), that is PIP:PPORT. By default, this option is disabled.

l7lkup disable|enable
  Enables or disables layer 7 lookup on this filter. This command replaces the urlp and l7deny commands found in earlier releases of Nortel Application Switch Operating System.
  When enabled, the filter performs a lookup on layer 7 content such as HTTP strings or headers. When combined with a filter action (for example, deny, redir), this feature enables content-intelligent redirection or content-intelligent deny filtering.

parseall disable|enable
  Enables or disables parsing of all packets in a session where layer 7 lookup is being performed. This command is enabled by default, and normally all data packets in a session are examined by the filter. However, some sessions may contain only one packet containing the layer 7 content. Once this packet is found, subsequent packets can be ignored. When parseall is disabled, layer 7 lookup is turned off for the remaining packets in the session.

cur
  Displays the current advanced Layer 7 configuration of the filter including the Radius/Wap persistence settings.
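The rdsnp and rdswap descriptions above rely on reading the "framed IP address" attribute out of RADIUS accounting packets. The following is an added example, not Nortel code: a parser for that attribute using the standard RADIUS wire format (Accounting-Request code 4, Acct-Status-Type attribute 40, Framed-IP-Address attribute 8). The session table layout and the server name are assumptions, and the sample packets are constructed.

```python
"""Extract Framed-IP-Address from RADIUS Accounting-Requests (added example)."""
import socket
import struct

ACCOUNTING_REQUEST = 4   # RADIUS packet code (RFC 2866)
ATTR_FRAMED_IP = 8       # Framed-IP-Address (RFC 2865)
ATTR_ACCT_STATUS = 40    # Acct-Status-Type (RFC 2866)
ACCT_START, ACCT_STOP = 1, 2
HEADER_LEN = 20          # code(1) + id(1) + length(2) + authenticator(16)


def parse_attributes(payload):
    """Return [(type, value)] from RADIUS TLV attributes; reject bad lengths."""
    attrs, off = [], 0
    while off < len(payload):
        if len(payload) - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = payload[off], payload[off + 1]
        # alen covers the type and length octets too, so it is never below 2.
        if alen < 2 or off + alen > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((atype, payload[off + 2:off + alen]))
        off += alen
    return attrs


def snoop_accounting(datagram):
    """Return (status, framed_ip) for an Accounting-Request, else None.

    This sketch does not verify the Request Authenticator, which needs the
    RADIUS shared secret; it only reads the attributes.
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", datagram[:4])
    if length < HEADER_LEN or length > len(datagram):
        raise ValueError("bad RADIUS length")
    if code != ACCOUNTING_REQUEST:
        return None
    status = framed_ip = None
    # Octets beyond the declared length are padding and are ignored.
    for atype, value in parse_attributes(datagram[HEADER_LEN:length]):
        if atype == ATTR_ACCT_STATUS and len(value) == 4:
            status = struct.unpack("!I", value)[0]
        elif atype == ATTR_FRAMED_IP and len(value) == 4:
            framed_ip = socket.inet_ntoa(value)
    return status, framed_ip


def update_session_table(table, datagram, server):
    """Add an entry on Start and delete it on Stop.

    Assumption: the table maps framed IP -> bound server name.
    """
    result = snoop_accounting(datagram)
    if result is None or result[1] is None:
        return table
    status, framed_ip = result
    if status == ACCT_START:
        table[framed_ip] = server
    elif status == ACCT_STOP:
        table.pop(framed_ip, None)
    return table


def build_accounting(status, framed_ip, ident=1):
    """Build a constructed Accounting-Request (authenticator zeroed)."""
    attrs = struct.pack("!BBI", ATTR_ACCT_STATUS, 6, status)
    attrs += struct.pack("!BB", ATTR_FRAMED_IP, 6) + socket.inet_aton(framed_ip)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + bytes(16) + attrs


if __name__ == "__main__":
    sessions = {}
    start = build_accounting(ACCT_START, "10.1.2.3")
    print(snoop_accounting(start))
    print(update_session_table(sessions, start, "real-server-2"))  # hypothetical name
    stop = build_accounting(ACCT_STOP, "10.1.2.3")
    print(update_session_table(sessions, stop, "real-server-2"))
```
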

/cfg/slb/filt <num> /adv/layer7/sip Layer 7 SIP Menu


[Layer 7 SIP Menu]
     rtpcont - Set BW contract for the SIP RTP sessions
     sipp    - Enable/disable SIP parsing
     cur     - Display current SIP configuration

Layer 7 SIP Menu Options (/cfg/slb/filt/adv/layer7/sip)

Command Syntax and Usage

rtpcont <BW contract>
  Set BW contract for the SIP RTP sessions.

sipp <enable|disable>
  Enable or disable SIP parsing.

cur
  Displays the current advanced SIP configuration.

/cfg/slb/filt/adv/proxyadv Proxy Advanced Menu


[Proxy Advanced Menu]
     proxyip - Set client proxy IP address
     epip    - Enable/disable pip selection based egress port/vlan
     proxy   - Enable/disable client proxy
     cur     - Display current proxy configuration

Proxy Advanced Menu Options

Command Syntax and Usage

proxyip <IP_address>
  Set the client proxy IP_address.

epip <enable|disable>
  Enable or disable PIP selection based on the outgoing port or VLAN.

proxy <enable|disable>
  Enable or disable client proxy.

cur
  Shows all Proxy statistics.

/cfg/slb/filt/adv/proxyadv Redirection Advanced Menu


[Redirection Advance Menu]
     fwlb     - Enable/disable firewall redirect hash method
     linklb   - Enable/disable WAN link load balancing
     vpnflood - Enable/disable two way VPN load balancing
     dbind    - Enable/disable delayed binding for redirection
     pbind    - Enable/disable persistent binding for redirection
     cur      - Display current redirection configuration

/cfg/slb/filt <filter number> /adv/redir Redirection Advanced Menu


[Redirection Advance Menu]
     fwlb     - Enable/disable firewall redirect hash method
     linklb   - Enable/disable WAN link load balancing
     vpnflood - Enable/disable two way VPN load balancing
     dbind    - Enable/disable delayed binding for redirection
     pbind    - Enable/disable persistent binding for redirection
     cur      - Display current redirection configuration

/cfg/slb/filt <filter number> /adv/security SLB Filter Advanced Security Menu

Layer 7 Advanced Filter Menu Options (/cfg/slb/filt/adv/security)

Command Syntax and Usage

ratelim
  Displays the Rate Limiting Menu. The protocol-based rate limiting limits the traffic coming from specific clients based on the IP address of the client. This feature enables the switch to detect and block UDP or ICMP-based DOS attacks that slow down or decapitate the servers. Currently, the switch allows rate limiting to be enabled on TCP, UDP, and ICMP protocols. To view menu options see "/cfg/slb/filt filter number /adv/security/ratelim Advanced Security Rate Limiting Configuration Me" (page 407).

addgrp <pattern match group id>
  Adds a pattern group to this filter. Pattern groups are added using the /cfg/security/pgroup/add command.

remgrp <pattern match group id>
  Removes a pattern group from this filter.

pmatch <disable|enable>
  Enables or disables pattern matching on this filter.

matchall <disable|enable>
  Enables or disables matching of all configured patterns before the filter can perform the deny action.

parsechn <enable|disable>
  Enable/disable chained pgroup match criteria for l7 filtering.

parseall <disable|enable>
  Enables or disables pattern string lookup (parsing) of all packets in a session where pattern matching is being performed. This command is enabled by default, and normally all data packets in a session are examined by the filter. However, some sessions may contain only one packet containing the layer 7 content. Once this packet is found, subsequent packets can be ignored. When parseall is disabled, pattern matching is turned off for the remaining packets in the session.

cur
  Displays the current configuration.

/cfg/slb/filt <filter number> /adv/security/ratelim Advanced Security Rate Limiting Configuration Menu

[Rate Limiting Menu]
     maxconn - Set maximum connections for rate limiting
     timewin - Set time window for rate limiting
     holddur - Set hold down duration for rate limiting
     ena     - Enable TCP, UDP, or ICMP rate limiting
     dis     - Disable TCP, UDP, or ICMP rate limiting
     cur     - Display current rate limiting configuration

Rate Limiting Advanced Menu Options (/cfg/slb/filt/adv/security/ratelim)

Command Syntax and Usage

maxconn <# of connections in units of 10 (0-255)>
  Defines maximum connections for rate limiting.

timewin <seconds, 1-65535>
  Defines time window for rate limiting. A time window is a configured period of time (in seconds) during which packets are allowed to be received. The time window can be configured per filter and not globally on all the filters.

holddur <minutes, 2-65535>
  Defines hold down duration for rate limiting. When the number of new connections or packets exceeds the configured limit, any new TCP connection requests or UDP/ICMP packets from the client are blocked. When blocking occurs, the client is said to be held down. The client is held down for a specified number of minutes, after which new TCP connection requests or packets from the client are allowed once again to pass through. The hold-down duration can be configured per filter and not globally on all the filters.

ena
  Enables the protocol for rate limiting. Rate limiting is applied to the protocol configured on the filter. The supported protocols are: TCP, UDP, and ICMP.

dis
  Disables TCP, UDP, or ICMP rate limiting.

cur
  Displays the current rate limiting configuration.
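How maxconn, timewin and holddur interact is easiest to see by replaying traffic through a model. The following is an added example, not the switch's implementation: it assumes fixed, non-overlapping time windows and that the packet crossing the limit is itself blocked, neither of which this reference specifies. The sample traffic is constructed.

```python
"""Model of per-client rate limiting with a hold-down period (added example)."""
from dataclasses import dataclass, field


@dataclass
class RateLimiter:
    maxconn: int   # this reference: connections in units of 10 (0-255)
    timewin: int   # this reference: seconds, 1-65535
    holddur: int   # this reference: minutes, 2-65535
    windows: dict = field(default_factory=dict)     # client -> (window start, count)
    held_until: dict = field(default_factory=dict)  # client -> release time (s)

    def __post_init__(self):
        if not 0 <= self.maxconn <= 255:
            raise ValueError("maxconn must be 0-255 (units of 10)")
        if not 1 <= self.timewin <= 65535:
            raise ValueError("timewin must be 1-65535 seconds")
        if not 2 <= self.holddur <= 65535:
            raise ValueError("holddur must be 2-65535 minutes")

    @property
    def limit(self):
        """Connections (or packets) allowed per client per time window."""
        return self.maxconn * 10

    def allow(self, client_ip, now):
        """Return True if a new connection or packet passes at time now (seconds)."""
        release = self.held_until.get(client_ip)
        if release is not None:
            if now < release:
                return False                  # client is still held down
            del self.held_until[client_ip]    # hold-down has expired
            self.windows.pop(client_ip, None)
        start, count = self.windows.get(client_ip, (now, 0))
        if now - start >= self.timewin:       # assumption: fixed windows
            start, count = now, 0
        count += 1
        self.windows[client_ip] = (start, count)
        if count > self.limit:
            # Assumption: the packet that crosses the limit is blocked too.
            self.held_until[client_ip] = now + self.holddur * 60
            return False
        return True


def replay(limiter, events):
    """Replay (time, client_ip) events; return {client: [allowed, blocked]}."""
    totals = {}
    for now, client in sorted(events):
        bucket = totals.setdefault(client, [0, 0])
        bucket[0 if limiter.allow(client, now) else 1] += 1
    return totals


# Constructed sample traffic: one noisy client and one normal client.
SAMPLE_EVENTS = (
    [(0, "198.51.100.7")] * 25      # burst of 25 in the same second
    + [(119, "198.51.100.7")]       # retry just before the hold-down ends
    + [(120, "198.51.100.7")]       # retry once the hold-down has ended
    + [(t, "192.0.2.10") for t in (1, 30, 60)]
)

if __name__ == "__main__":
    # maxconn 2 means 20 connections per 10-second window; hold down 2 minutes.
    limiter = RateLimiter(maxconn=2, timewin=10, holddur=2)
    for client, (ok, blocked) in replay(limiter, SAMPLE_EVENTS).items():
        print(f"{client}: allowed={ok} blocked={blocked}")
```

Because the hold-down is measured in minutes while the window is measured in seconds, a single short burst keeps a client blocked long after the burst ends, which matters when many users share one source address.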


/cfg/slb/port <port number> Port SLB Configuration

[SLB port 1 Menu]
     client   - Enable/disable client processing
     server   - Enable/disable server processing
     rts      - Enable/disable RTS processing
     hotstan  - Enable/disable hot-standby processing
     intersw  - Enable/disable inter-switch processing
     proxy    - Enable/disable use of PIP for ingress traffic
     filt     - Enable/disable filtering
     add      - Add filter to port
     rem      - Remove filter from port
     idslb    - Enable/disable intrusion detection server load balancing
     symantec - Enable/disable symantec processing
     cur      - Display current port configuration

Nortel Application Switch Operating System switch software allows you to enable or disable processing independently for each type of Layer 4 traffic (client and server) on a per port basis, expanding your topology options.

Note: When changing the filters on a given port, it may take some time before the port session information is updated so that the filter changes take effect. To make port filter changes take effect immediately, clear the session binding table for the port (see the clear command in "Server Load Balancing Operations Menu Options (/oper/slb)" (page 446)).
Port Configuration Menu Options (/cfg/slb/port)

Command Syntax and Usage

client disable|enable
  For Server Load Balancing, the port can be enabled or disabled to process client Layer 4 traffic. Ports configured to process client request traffic bind servers to clients and provide address translation from the virtual server IP address to the real server IP address, re-mapping virtual server IP addresses and port values to real server IP addresses and ports. Traffic not associated with virtual servers is switched normally. Maximizing the number of these ports on the Layer 4 switch will improve the switch's potential for effective Server Load Balancing. This option is disabled by default.

server disable|enable
  Ports configured to provide real server responses to client requests require real servers to be connected to the Layer 4 switch, directly or through a hub, router, or another switch. When server processing is enabled, the switch port re-maps real server IP addresses and Layer 4 port values to virtual server IP addresses and Layer 4 ports. Traffic not associated with virtual servers is switched normally. This option is disabled by default.

rts disable|enable
  Enables or disables Return to Sender (RTS) load balancing on this port. This option is used for firewall load balancing or VPN load balancing applications. Enable rts on all client-side ports to ensure that traffic ingresses and egresses through the same port. This option is disabled by default. For more information on using rts, see the "Firewall Load Balancing" and "VPN Load Balancing" chapters in the Nortel Application Switch Operating System 23.1 Application Guide.

hotstan disable|enable
  Enables or disables hot-standby processing. Use this option and the intersw option in conjunction with VRRP hot-standby failover. This option is disabled by default.

intersw disable|enable
  Enables or disables inter-switch processing. This option is enabled for ports connected to a peer switch and is disabled by default.

proxy disable|enable
  Enables or disables a proxy for traffic that ingresses this port. When the PIP is defined, client address information in Layer 4 requests is replaced with this proxy IP address. In Server Load Balancing applications, this forces response traffic to return through the switch, rather than around it, as is possible in complex routing environments. Proxies are also useful for Application Redirection and Network Address Translation (NAT).
  When pip is used with Application Redirection filters, each filter's rport parameter must also be defined (see rport on "Filter Configuration Menu Options (/cfg/slb/filt)" (page 391)). This option is disabled by default.

filt disable|enable
  Enables or disables filtering on this port. Enabling the filter sets up the Real Server to look into the VPN session table. This option is disabled by default.

add <filter ID (1 to 2048)|block of IDs (first-last)>
  Adds a filter or a block of filters for use on this port. Enter filter ID (1 to 2048) or a contiguous block of filter IDs. For example, 1-100.

rem <filter ID (1 to 2048)|block of IDs (first-last)>
  Removes a filter or a block of filters from use on this port. Enter filter ID (1 to 2048) or a contiguous block of filter IDs. For example, 1-100.

idslb <disable|enable>
  Enables or disables Intrusion Detection System Server Load Balancing on this port. In Nortel Application Switch Operating System 23.1, IDSLB is done at the end of filter processing or at the end of client processing where filtering is not enabled. In the case of client processing, IDSLB is enabled on a port and a real server group is designated for IDSLB. This option is disabled by default.

symantec <disable|enable>
  Enables or disables Symantec processing for troubleshooting purposes.

cur
  Displays the current system parameters.

/cfg/slb/gslb Global SLB Configuration


Global Server Load Balancing (GSLB) at any given site performs periodic SLB health checks to determine the health and response time of the remote real server corresponding to the virtual server at the remote site. GSLB uses the health and response time to select the server in the GSLB selection engine. In addition, GSLB sends the health and response time together with the local session and CPU utilization information, which are collectively known as remote site updates. The switch performs this periodically on every remote site using Distributed Site State Protocol (DSSP). DSSP is a proprietary protocol that resides above TCP. For more information, refer to the Application Guide.


Global SLB Menu Options (/cfg/slb/gslb)

Command Syntax and Usage

site <remote site (1-64)>
  Displays the menu for a remote site. To view menu options, see "/cfg/slb/gslb/site site number GSLB Remote Site Configuration" (page 413).

network <network (1-128)>
  Displays Network Preference Menu. To view menu options, see "/cfg/slb/gslb/network network number GSLB Network Preference Configuration Menu" (page 415).

rule <rule (1-128)>
  Displays the Rule Menu. To view menu options, see "/cfg/slb/gslb/rule GSLB Rule Configuration Menu" (page 416).

version <DSSP version 1, 2, or 3>
  Defines the version of Distributed Site State Protocol (DSSP) that is used to send out the remote site updates.

port <TCP port number>
  Sets the TCP port number for remote site updates for Global server load balancing. The default TCP port is 80.

sinter <remote site updates interval in seconds, 10-7200>
  Sets the time interval in seconds for remote site updates. The range is between 10 and 7200 seconds.

sesscap <Session utilization capacity threshold (1-100)>
  Sets the threshold for session utilization capacity. The default configuration is 90%.

cpucap <CPU utilization capacity threshold (1-100)>
  Sets the threshold for the CPU utilization capacity. The default configuration is 90%.

  Sets the source IP netmask for DNS persistence cache. The default configuration is 255.255.255.0.

  Enables or disables switch responses to DNS queries with local virtual server IP addresses. This option is disabled by default. When enabled, the switch will always respond to DNS queries by providing a local virtual server IP address, as long as the virtual server IP address has healthy real servers with an aggregate number of available connections equal to the total from each server's configured maxcons value, minus the server's current number of connections. When the real servers for the local virtual server IP addresses are unavailable or saturated, the switch will respond to DNS requests using normal GSLB rules.

  The default is 60 minutes.

smask smask set IP4 subnet mask (eg, 255.255.255.0) set IP6 prefix len (eg, 64)
  Set source IP subnet mask for DNS persistence cache.

timeout <timeout in minutes, 1-1440>
  Set timeout in minutes for DNS persistence cache.

mincon <available sessions threshold, 0-65535>
  Defines the capacity threshold for the sessions available on the real server for GSLB.

dns <disable|enable>
  Enables or disables DNS direct-based GSLB. This option is enabled by default.

hostlk <disable|enable>
  Enables or disables lookups based on host or domain name in a GSLB configuration. When enabled, the hostname specified in the Virtual Service configuration, in addition to the domain name, will be used to resolve the IP address for the domain. When disabled, only the domain name will be used to match.

http <disable|enable>
  Enables or disables HTTP redirects to peer sites by this switch. When enabled (default), this switch will redirect client requests to peer sites if its own real servers fail or have reached their maximum connection limits.
  If disabled, the switch will not perform HTTP Redirects, but will instead drop requests for new connections and cause the client's browser to eventually issue a new DNS request.

usern <disable|enable> OR
  Enables or disables an HTTP redirect to a real server name. When a site redirects a client to another site using an HTTP redirect, the client is redirected to the new site's IP address. This option is disabled by default. If usern is enabled, the client will be redirected to the domain name specified by the remote real server name plus virtual server domain name: <remote real server name virtual server domain name>

norem
  This command enables or disables no-remote real server load balancing. If enabled, the switch will not do remote real server load balancing for non-http protocols. For HTTP protocols, if you want to do no-remote-real-server load balancing, you need to disable the http parameter in the same menu.

encrypt
  This command enables or disables encrypting of DSSP updates. If disabled, the switch will not encrypt the DSSP messages going out of the switch. This option allows the GSLB feature to work with older versions of Web OS that do not encrypt DSSP messages.

on
  Activates Global Server Load Balancing (GSLB) for this switch. This option can be performed only once the optional GSLB software is activated (refer to "/oper/swkey Activating Optional Software" (page 452)).

off
  Turns GSLB off for this switch. Any active remote sites will still perform GSLB services with each other, but will not hand off requests to this switch. By default, GSLB is turned off.

cur
  Displays the current Global SLB configuration.

/cfg/slb/gslb/site <site number> GSLB Remote Site Configuration


The switch initiates a global server selection to direct client traffic to the best server for a given domain. Each domain has one or more sites. Each site has a virtual server for the domain. Each virtual server has a number of virtual services. Each virtual service has a group of real servers. Each virtual server has a domain name. Each virtual service has a host name. The combination of a virtual server and a virtual service is called a domain. At a local site for a domain, there is a local virtual server but no remote virtual server. The local virtual server has a number of local virtual services. Each local virtual service has a group of local or remote real servers. The remote real servers are the virtual servers at the remote sites.


[Remote site 1 Menu]
     prima   - Set primary switch IP address of remote site
     secon   - Set secondary switch IP address of remote site
     name    - Set remote site name
     update  - Enable/disable remote site updates
     ena     - Enable remote site
     dis     - Disable remote site
     del     - Delete remote site
     cur     - Display current remote site configuration

Up to 64 remote sites can be configured.


GSLB Remote Site Menu Options (/cfg/slb/gslb/site)

Command Syntax and Usage

prima <server IP address>
  Defines the IP interface IP address of the primary switch at the remote site used for Global Server Load Balancing. Use dotted decimal notation.

secon <server IP address>
  If the remote site is configured with a redundant switch, enter the IP address of the IP interface for the remote secondary switch here. If the remote site primary switch fails, the local switch will address the remote site secondary switch instead.

name <31 character name> |none
  Sets the name of the remote site. The default is set at none.

update disable|enable
  Enables or disables remote site updates. If enabled (default), this switch will send regular Distributed Site State Protocol (DSSP) updates to its remote peers using HTTP port 80. If disabled, the switch will not send state updates. If your local firewall does not permit this traffic, disable the updates.

Note: When update is enabled, Global Server Load Balancing uses service port 80 on the IP interface for DSSP updates. By default, the Nortel Application Switch Operating System Web-based interface also uses port 80. Both services cannot use the same port. If both are enabled, configure the Nortel Application Switch Operating System Browser-Based Interface (BBI) to use a different service port (see the /cfg/sys/access/wport option "/cfg/sys/access System Access Control Configuration" (page 245)).

  Enables or disables remote site persistence cache. GSLB allows the user to add only up to two selected servers to the cache for each source IP address. GSLB can forward the same information to other remote sites to be added to the cache. GSLB deletes the cached entries when they time out. The cached entries are automatically deleted from the remote sites when they time out.

ena
  Enables this remote site for use with Global Server Load Balancing.

dis
  Disables this remote site. The switch will no longer use this remote site for Global Server Load Balancing.

del
  Removes this remote site from operation and deletes its configuration.

cur
  Displays the current remote site configuration.

/cfg/slb/gslb/network <network number> GSLB Network Preference Configuration Menu


Network preference selects a server based on the preferred network of the source IP address for a given domain. The preferred network contains a subset of the servers for the domain. Up to 128 network preference numbers can be set.
[Network 1 Menu]
     sip     - Set source IP address
     mask    - Set source IP and network netmask
     addvirt - Add virtual server to network
     remvirt - Remove virtual server from network
     addreal - Add remote real server to network
     remreal - Remove remote real server from network
     ena     - Enable network
     dis     - Disable network
     del     - Delete network
     cur     - Display current network configuration

GSLB Network Menu Options (/cfg/slb/gslb/network)

Command Syntax and Usage

sip <IP address>
  Defines the source (client) IP address. Specify an IP address in dotted decimal notation. A range of IP addresses is produced when used with the mask option.

mask <IP subnet mask (such as, 255.255.255.0)>
  This IP address mask is used with the source IP (SIP) address to find a correct virtual server IP address to respond to a DNS request.

addvirt <virtual server number (1-1024)>
  Adds a virtual server to the network. No virtual server is added by default.

remvirt <virtual server number (1-1024)>
  Removes a virtual server from the network.

addreal <real server number (1-1023)>
  Adds a real server to the network.

remreal <real server number (1-1023)>
  Removes a real server from the network.

ena
  Enables the network.

dis
  Disables the network.

del
  Deletes the network entry.

cur
  Displays the current Internet network entry configuration.

/cfg/slb/gslb/rule GSLB Rule Configuration Menu


Rules allow the GSLB selection to use different metric preferences based on time-of-day. You can configure one or more rules on each domain. Each rule has a metric preference list. The GSLB selection selects the first rule that matches the domain and starts with the first metric in the metric preference list of the rule.
[Rule 1 Menu]
     metric  - Metric Menu
     start   - Set start time for rule
     end     - Set end time for rule
     ttl     - Set Time To Live in seconds of DNS resource records
     rr      - Set DNS resource records in DNS response
     dname   - Set network preference domain name for rule
     ena     - Enable rule
     dis     - Disable rule
     del     - Delete rule
     cur     - Display current rule configuration

GSLB Rule Configuration Menu Options (/cfg/slb/gslb/rule)

Command Syntax and Usage

metric <metric (1-16)>
  Displays Metric Preference Menu. To view menu options, see "/cfg/slb/gslb/rule/metric Global SLB Rule Metric Menu" (page 417).

start <hour (0-23) minutes (0-59)>
  Defines the start time for the rule. The default is zero.

end <hour (0-23) minutes (0-59)>
  Defines the end time for the rule. The default is zero.

ttl <time to live in seconds (0-65535)>
  Specifies the duration (from 0 to 65535 seconds, with default at 60) that the DNS response from the switch (indicating site of best service) will remain in the cache of DNS servers. A lower value may increase the ability of the GSLB system to adjust to sudden changes in traffic load, but will generate more DNS traffic. Higher numbers may reduce the amount of DNS traffic, but may slow GSLB's response to sudden traffic changes.

rr <rr (1-10)>
  Sets how many DNS resource records are returned in the DNS response. The default is 2 records.

dname <34 character (wildcard "*" allowed) domain name> | none
  Defines the domain name for the rule for network preference. The maximum length for the domain name can be 34 characters. You can use wildcard "*" while creating the domain name. Default is none.

ena
  Enables the rule.

dis
  Disables the rule.

del
  Deletes the rule.

cur
  Displays the current rule configuration.

/cfg/slb/gslb/rule/metric Global SLB Rule Metric Menu


[Rule 1 Metric 1 Menu]
     gmetric - Set metric to use to select next server
     addnet  - Add network to gmetric=network
     remnet  - Remove network from gmetric=network
     cur     - Display current metric configuration

Global SLB Rule Metric Menu Options (/cfg/slb/gslb/rule/metric)

Command Syntax and Usage

gmetric leastconns|roundrobin|response|geographical|network|random|availability|qos|minmisses|hash|local|always|remote|none
    Defines the metric to select the next real server for GSLB. The default is none.
addnet
    Allows you to add a network to the selected metric. This command applies only if you select network as the metric.
remnet <1-128>
    Allows you to delete a network that was added to the selected metric.
cur
    Displays the current configuration of the metric.

/cfg/slb/layer7 Layer 7 SLB Resource Definition Menu

[Layer 7 Resource Definition Menu]
     redir   - Web Cache Redirection Menu
     slb     - Server Load Balancing Menu
     sdp     - SIP SDP Menu
     dbindtm - Set timeout for incomplete delayed binding connections
     cur     - Display current Layer 7 configuration

Layer 7 Resource Definition Menu Options (/cfg/slb/layer7)

Command Syntax and Usage

redir
    Displays the Web Cache Redirection Menu. To view menu options, see "/cfg/slb/layer7/redir Web Cache Redirection Configuration" (page 419).
slb
    Displays the Server Load Balancing Menu. To view menu options, see "/cfg/slb/layer7/slb Server Load Balance Resource Configuration Menu" (page 421).
sdp
    Displays the SIP SDP Menu. To view menu options, see "/cfg/slb/layer7/sdp SDP Mapping Menu" (page 422).
dbindtm <10-60 seconds>
    Sets the timeout for incomplete delayed binding connections.
cur
    Displays the current Layer 7 configuration.

/cfg/slb/layer7/redir Web Cache Redirection Configuration

Web Cache Redirection Menu Options (/cfg/slb/layer7/redir)

Command Syntax and Usage

urlal disable|enable
    Enables or disables auto-ALLOW for non-GETs to origin servers.
    If this command is enabled, the switch will redirect all non-GET requests to the origin server. If this command is disabled, the switch will compare the URI against the expression table to determine whether all non-GET requests should be redirected to a cache server or origin server.
    This option is enabled by default.
cookie disable|enable
    Enables or disables auto-ALLOW for cookie to origin servers.
    If this command is enabled, the switch will redirect all requests that contain Cookie: in the HTTP header to the origin server. If this command is disabled, the switch will compare the URI against the expression table to determine whether it should redirect all requests that contain Cookie: in the HTTP header to a cache server or origin server.
    This option is disabled by default.
nocache disable|enable
    Enables or disables no-cache control header to origin servers.
    If this command is enabled, the switch will redirect all requests that contain Cache-Control: no-cache in HTTP/1.1 header, or Pragma: no-cache in HTTP/1.0 header to the origin server. If this command is disabled, the switch will compare the URI against the expression table to determine whether it should redirect requests that contain Cache-Control: no-cache in HTTP/1.1 header, or Pragma: no-cache in HTTP/1.0 header to a cache server or origin server.
    This option is enabled by default.
hash disable|enable <number (1-255)>
    Enables or disables URL hashing based on the URI.
    If hashing is enabled, you can set the length of URI that will be used to hash into the cache server by specifying a number from 1-255. If hashing is disabled, the switch will only use the host header field to calculate the hash key.
    This option is disabled by default.
header disable|enable host|useragent|others
    Enables or disables server load balancing based on HTTP header. This option is disabled by default.
cur
    Displays the current URL expression table.


/cfg/slb/layer7/slb Server Load Balance Resource Configuration Menu

[Server Loadbalance Resource Menu]
     message - Set HTTP error message
     addstr  - Add SLB string for load balance
     remstr  - Remove SLB string for load balance
     rename  - Rename SLB string for load balance
     addmeth - Add HTTP method type
     remmeth - Remove HTTP method type
     case    - Enable/disable case sensitive for string matching
     cont    - Set BW contract for the SLB string
     cur     - Display current configuration

Server Load Balance Resource Menu Options (/cfg/slb/layer7/slb)

Command Syntax and Usage

message <64 byte error message>
    Sets the message that will be displayed when an error occurs. The default message is "No available server to handle this request."
addstr <l7lkup|pattern>
    Allows the user to define a string that can be used for server load balancing or filtering by selecting either a Layer 7 lookup string or a pattern match. If you choose l7lkup string, you can define a string for server load balancing or a string for Layer 7 lookup. If you choose pattern string, you will have the option to choose between ASCII or binary strings at a specific offset of the IP frame. These strings will only be used for filtering string pattern matching.
remstr <SLB string ID>
    Removes this SLB string from the real server.
rename <SLB string ID SLB string>
    Renames the SLB string for load balancing.
addmeth <Method, 1-32>
    Allows you to add HTTP request methods of maximum 32 characters to your switch software. HTTP allows an open-ended set of methods to be used to indicate the purpose of a request. Nortel Application Switch Operating System 24.0 supports 22 request methods by default. The methods GET and HEAD must be supported by all general-purpose servers. All other methods are optional. You can see a list of supported default methods by using the command cur in this menu. A method is case-sensitive. The software supports both HTTP 1.0 and HTTP 1.1 to perform HTTP request methods.
remmeth <Method ID>
    Allows you to remove HTTP methods from your switch software.
case disable|enable
    Enables or disables case sensitivity for string matching. Using this command you can do either case-sensitive or case-insensitive string comparison. If you disable case sensitivity, all load balancing strings and all the request strings arriving on the switch will have to be converted to lower case before doing any string comparison.
cont <SLB string ID [1-1024]> <BW contract number [1-1024]>
    Sets the Bandwidth Management contract for a specified string for the SLB string ID.
cur
    Displays the currently configured SLB strings and their associated string IDs (index numbers) and the supported HTTP request methods.

/cfg/slb/layer7/sdp SDP Mapping Menu


[SDP Mapping Menu]
     add - Add SDP mapping
     rem - Remove SDP mapping
     cur - Display current SDP mapping configuration

SDP Mapping Menu Options

Command Syntax and Usage

add private IP public IP
    Add SDP mapping.
rem private IP
    Remove SDP mapping.
cur
    Display current SDP mapping configuration.

/cfg/slb/wap WAP Configuration

[WAP Options Menu]
     tpcp  - Enable/disable WAP TPCP external notification
     debug - WAP debug level
     cur   - Display current WAP configuration

WAP Configuration Menu Options (/cfg/slb/wap)

Command Syntax and Usage

tpcp disable|enable
    Enables or disables the TPCP external notification for Add/Delete session requests. This option is disabled by default.
debug <wap debug level (0-10)>
    Sets the debug level for tracing the WAP related messages. The default is set at 0.
cur
    Displays the current WAP configuration.

/cfg/slb/sync Synchronize Peer Switch Configuration

[Config Synchronization Menu]
     peer     - Synch Peer Switch Menu
     filt     - Enable/disable syncing filter configuration
     ports    - Enable/disable syncing port configuration
     prios    - Enable/disable syncing VRRP priorities
     pips     - Enable/disable syncing proxy IP addresses
     peerpips - Enable/disable syncing peer proxy IP addresses
     bwm      - Enable/disable syncing BWM configuration
     state    - Enable/disable syncing persistent session state
     update   - Set stateful failover update period
     cur      - Display current Layer 4 sync configuration

To synchronize the configuration between two switches, a peer must be configured and enabled on each switch. Switches being synchronized must use the same administrator password. Peers are sent SLB, FILT, and VRRP configuration updates using /oper/slb/synch.

Note: Sessions created in 33-64 auxiliary table are not synced to backup.

Synchronization Menu Options (/cfg/slb/sync)

Command Syntax and Usage

peer <peer switch number (1-2)>
    Displays the Sync Peer Switch Menu. This option is enabled by default. To view menu options, see "/cfg/slb/sync/peer peer switch number Peer Switch Configuration" (page 425).
filt disable|enable
    Enables or disables synchronizing filter configuration. This option is disabled by default.
ports disable|enable
    Enables or disables synchronizing Layer 4 port configuration. This option is enabled by default.
prios disable|enable
    Enables or disables syncing VRRP priorities. This option is enabled by default.
pips disable|enable
    Enables or disables synchronizing proxy IP addresses. This option is disabled by default.
peerpips disable|enable
    Enables or disables synchronizing the peer proxy IP addresses. Peer proxy IP addresses are used in VRRP Active/Active configuration. This option is disabled by default.
bwm disable|enable
    Enables or disables synchronizing Bandwidth Management configuration between Master and backup switches. This option is enabled by default.
state disable|enable
    Enables or disables stateful failover for synchronizing the persistent session state. This option is disabled by default.
update <seconds, 160>
    Sets the stateful failover update interval. The active switch sends update packets of new persistent binding entries, if any, to the backup switch at the specified update interval. The default value is 30 seconds.
cur
    Displays the current Layer 4 synchronization configuration.

/cfg/slb/sync/peer <peer switch number> Peer Switch Configuration

[Peer Switch 1 Menu]
     addr - Set peer switch IP address
     ena  - Enable peer switch
     dis  - Disable peer switch
     del  - Delete peer switch
     cur  - Display current peer switch configuration

To synchronize the configuration between two switches, a peer must be configured and enabled on each switch. Switches being synchronized must use the same administrator password.

Peer Switch Configuration Menu Options (/cfg/slb/sync/peer)

Command Syntax and Usage

addr <IP address>
    Sets the peer switch IP address. The default is 0.0.0.0.
ena
    Enables the peer for this switch. By default, this option is disabled.
dis
    Disables the peer for this switch.
del
    Deletes the peer for this switch.
cur
    Displays the current peer switch configuration.

/cfg/slb/adv Advanced Layer 4 Configuration

[Layer 4 Advanced Menu]
     synatk   - SYN Attack Detection Menu
     smtport  - Service Mapping Table Real Port Menu
     imask    - Set virtual and real IP address mask
     mnet     - Set management network
     mmask    - Set management subnet mask
     pmask    - Set persistent mask
     intrval  - Set SLB session attack inspection interval
     allowlim - Set SLB session attack alert allowable limit
     submac   - Enable/disable Source MAC address substitution
     direct   - Enable/disable Direct Access Mode
     grace    - Enable/disable graceful real server failure
     matrix   - Enable/disable Virtual Matrix Architecture
     vmasport - Enable/disable VMA with source port
     vmadip   - Enable/disable VMA with destination IP
     tpcp     - Enable/disable Transparent Proxy Cache Protocol
     vstat    - Enable/disable Virtual Service Statistics
     rtsvlan  - Enable/disable using VLAN info for real server lookup
     pvlantag - Enable/disable preserving vlan tag during packet forwarding
     portbind - Enable/disable Ingress Port For Session Table Binding
     rstchk   - Enable/disable TCP RST Secure Sequence Number Check
     valcksum - Enable/disable Layer 7 IP/TCP Checksum Validation
     riphash  - Enable/disable Include RIP in AUX table hashing
     fastage  - Session table fast-age (1 sec) period bit shift
     slowage  - Session table slow-age (2 min) period bit shift
     cur      - Display current Layer 4 advanced configuration

Layer 4 Advanced Menu Options (/cfg/slb/adv)

Command Syntax and Usage

synatk
    Displays SYN Attack Detection Menu. To view menu options, see "/cfg/slb/adv/synatk SYN Attack Detection Configuration Menu" (page 429).
smtport
    Displays Service Mapping Table (SMT) Real Server Port Menu. Using this command you can add or remove a number of real server service port(s) that will process client traffic by-passing the server. In other words, this service port's client requests will not be processed by the server processor. To view menu options, see "/cfg/slb/adv/smtport Advanced SMT Real Server Port Configuration Menu" (page 430).
imask <IP subnet mask (such as 255.255.255.0)>
    Configures the real and virtual server IP address mask using dotted decimal notation. The default is 255.255.255.255.
mnet <IP address>
    If defined, management traffic with this source IP address will be allowed direct (non-Layer 4) access to the real servers. Specify an IP address in dotted decimal notation. A range of IP addresses is produced when used with the mmask option.
mmask <IP subnet mask (such as 255.255.255.0)>
    This IP address mask is used with the mnet to select management traffic which is allowed direct access to real servers. The default is 255.255.255.255.
pmask <IP subnet mask (such as 255.255.255.0)>
    Sets persistent mask. The default is 255.255.255.255.
intrval <time window for collecting sessions (0-3600)>
    This command allows you to configure the time interval (from one second to one hour) to specify how frequently you want to check the SLB sessions (attacks) the switch received. At the configured interval of time the switch will check if the number of sessions is within the configured limits. You can set this limit by using the next command in this menu: allowlim.
allowlim <allowable limit (1-2097104)>
    This command allows you to specify the maximum number of sessions the switch can receive at any given period of time. If the number of sessions exceeds this limit, the switch will generate a syslog and an SNMP trap to alert the administrator that the switch is under SLB attack.
submac disable|enable
    Enables or disables Source MAC address substitution. Typically, the source MAC is not modified for the packets going to the servers in an SLB environment. But if you enable this command, the switch will substitute the source MAC address (for the packets going to the server) with the MAC address of the switch.
direct disable|enable
    Enables or disables Direct Access Mode to real servers/services. This option also allows any virtual server to load balance any real server. By default, this option is disabled.
grace disable|enable
    Enables or disables graceful real server failure. Allows existing sessions to remain bound to a server after the server has been placed in the service failed state (for more information, see "Service Failure" in the Nortel Application Switch Operating System 24.0 Application Guide). By default, this option is disabled.
matrix disable|enable
    Enables or disables the use of Virtual Matrix Architecture on the Nortel Application Switch. By default, this option is enabled.
vmasport enable|disable
    Enables or disables VMA with source port.
vmadip enable|disable
    Enables or disables the VMA with destination IP.
tpcp disable|enable
    Enables or disables the TPCP (Transparent Proxy Cache Protocol). This command is used for security reasons; the UDP port can be closed. By default, this option is disabled.
vstat disable|enable
    Enables or disables reporting of virtual service statistics.
rtsvlan disable|enable
    Enables or disables the use of VLAN for Return to Sender information on the real server.
pvlantag
    Enables or disables preserving VLAN tag during packet forwarding.
portbind disable|enable
    Enables or disables the inclusion of the ingress port number in the session table lookup.
rstchk disable|enable
    Enables or disables the TCP RST Secure Sequence Number Check.
valcksum disable|enable
    Enables or disables Layer 7 IP/TCP Checksum Validation.
riphash disable|enable
    Enables or disables including RIP in AUX table hashing.
fastage <shift the fast-age (1sec) period 0-7 bits>
    Controls how frequently a fastage scan is performed. The default interval is two seconds. Each incremental increase of the value doubles the length of the interval. The fastage scan is used to remove TCP sessions that have been closed with a FIN and sessions that have been identified by the slowage scan as idle for the maximum allowed period. If a large value of fastage is used, a session can remain in the session table for a few minutes. The default is 0.
slowage <shift the slow-age (2min) period 0-14 bits>
    Controls how frequently a slowage scan is performed. The default interval is two minutes. Each incremental increase of the value doubles the length of the interval. (Value is set in bits rather than seconds, which causes the time to double per increment.) The slowage scan is used to remove idle or non-TCP sessions from the session table at the specified intervals. If a large value of slowage is used, a session can remain in the session table for months. The default is 0.
cur
    Displays the current Layer 4 advanced configuration.

/cfg/slb/adv/synatk SYN Attack Detection Configuration Menu

[SYN Attack Detection Menu]
     intrval - Set SYN attack detection interval
     thrshld - Set SYN attack alarm threshold
     cur     - Display current SYN attack detection configuration

SYN Attack Detection Menu Options (/cfg/slb/adv/synatk)

Command Syntax and Usage

intrval <SYN attack check interval in seconds (2-3600)>
    Sets the interval of SYN attack inspection.
thrshld <SYN attack alarm threshold (new half-open sessions/second) (1-100000)>
    Sets the threshold of SYN attack alarm.
cur
    Displays the current SYN attack detection configuration.

/cfg/slb/adv/smtport Advanced SMT Real Server Port Configuration Menu

[SMT Real Port Menu]
     add    - Add real port
     remove - Remove real port
     cur    - Display real port configuration

Advanced SMT Real Server Port Menu Options (/cfg/slb/adv/smtport)

Command Syntax and Usage

add <real server port (2-65534)>
    This command allows you to add a service port to the real server that is configured to process client traffic by-passing the server processor.
remove <real server port (2-65534)>
    This command allows you to remove a service port from the real server that is configured to process client traffic by-passing the server processor.
cur
    Displays real port configuration.

/cfg/slb/linklb Inbound Link Load Balancing Configuration Menu

[Inbound Linklb Menu]
     drecord - Domain Record Menu
     group   - Set real server group
     ttl     - Set Time to Live of DNS resource records
     ena     - Enable Inbound Linklb
     dis     - Disable Inbound Linklb
     cur     - Display current Inbound Linklb configuration

Inbound Link Load Balancing Configuration Menu Options (/cfg/slb/linklb)

Command Syntax and Usage

drecord <domain record number (1-64)>
    Displays domain record menu. To view menu options, see "/cfg/slb/linklb/drecord Inbound Link Load Balancing Domain Record Menu" (page 431).
group <real server group number (1-1023)>
    Sets the real server ISP group number.
ttl <time to live in seconds (0-65535)>
    Sets the time-to-live for DNS resource records.
ena
    Enables inbound link load balancing.
dis
    Disables inbound link load balancing.
cur
    Displays current inbound link load configuration.

/cfg/slb/linklb/drecord Inbound Link Load Balancing Domain Record Menu


[Domain Record domain_number Menu]
     entry  - Virt Real Mapping Menu
     domain - Set Domain Name
     ena    - Enable Domain Record
     dis    - Disable Domain Record
     del    - Delete Domain Record
     cur    - Display current Domain Record configuration

Inbound Link Load Balancing Domain Record Menu Options (/cfg/slb/linklb/drecord)

Command Syntax and Usage

entry <linklb entry number (1-8)>
    Displays the link load balancer's mapping menu for the virtual and real servers. See cache disable|enable to view menu options.
domain <64 character domain name> |none
    Allows you to configure the domain name. Default is none.
ena
    Enables the domain records.
dis
    Disables the domain records.
del
    Deletes the domain records.
cur
    Displays the current domain records.

/cfg/slb/linklb/drecord/entry Inbound Link Load Balancing Mapping Menu

[Virt Real Mapping 1 Menu]
     virt - Set Virtual Server Number
     real - Set Real Server Number
     ena  - Enable Entry
     dis  - Disable Entry
     del  - Delete Entry
     cur  - Display current Entry configuration

Command Syntax & Usage

virt <virtual server number, 1-1024>
    Defines the virtual server number for mapping.
real
    Defines the real server number for mapping.
ena
    Enables the entry for drecords.
dis
    Disables the entry for drecords.
del
    Deletes the entry for drecords.
cur
    Displays the current real and virtual server mappings for drecords entries.

/cfg/slb/advhc Advanced Health Check Configuration Menu

Advanced Health Check Menu Options (/cfg/slb/advhc)

Command Syntax and Usage

script <health script number (1-64)>
    Displays the Scriptable Health Check Menu. To view menu options, see "/cfg/slb/advhc/script health script number Scriptable Health Checks Configuration" (page 433).
snmphc <SNMP health check number (1-5)>
    Displays the SNMP Health Check Menu. To view menu options, see "/cfg/slb/advhc/snmphc SNMP Health Check Configuration" (page 435).
waphc
    Displays the WAP Health Check Menu. To view menu options, see "/cfg/slb/advhc/waphc WAP Health Check Configuration" (page 436).
aphttp disable|enable
    Enables or disables HTTP health checks on any port. By default, this option is disabled. When disabled, you can use HTTP health checks only for HTTP service. Enabling it allows you to use them on any port, such as HTTPS.
ldapver <LDAP version>
    Sets the LDAP version to 2 or 3. The default is 2.
secret <1-32 character secret>
    To perform application health checking to a RADIUS server, the network administrator must configure two parameters in the switch: the /cfg/slb/secret value and the cntnt parameter with a username:password value. The secret value is a field of up to 32 alphanumeric characters that is used by the switch to encrypt a password during the RSA Message Digest Algorithm (MD5) and by the RADIUS server to decrypt the password during verification. The default is none.
minter <number of seconds between updates (1-256)>
    This command sets the interval of response and bandwidth metric updates. The default is set at 10.
cur
    Displays the current Layer 4 advanced health check configuration.

/cfg/slb/advhc/script <health script number> Scriptable Health Checks Configuration

Scriptable health checks provide a robust and extensible way to health check a group of real servers. With these health checks, the users can define their own health checks of varied complexity. The ASCII and binary-based scripts control how a group of real servers are health-checked. So both TCP and UDP services can be health-checked. The Health Script menu provides commands that can be used to define the health "script." The total number of characters cannot exceed 6144 bytes. Up to 64 scripts can be configured.


Scriptable Health Check Menu Options (/cfg/slb/adv/script)

Command Syntax and Usage

open <real port or name (such as: http)> tcp|udp
    Opens a TCP connection or specifies a UDP port for the health check. You need to specify the protocol (TCP or UDP), and the port number.
send <text string (TCP), hex string (UDP)>
    Sends an ASCII request string through an open TCP or UDP port to the server.
bsend <hex string>
    Sends a binary request string in hexadecimal format for the request packet through an open TCP or UDP port to the server.
nsend <additional hex string (UDP)>
    Allows you to append additional content to the packet generated by the bsend command. The Nortel Application Switch Operating System 24.0 allows a maximum of 256 bytes to be entered. Using one or more nsend commands allows you to generate a binary content of more than 256 bytes in length.
expect <text string (TCP), hex string (UDP)>
    Allows you to configure an ASCII request string that you can search in each server response packet for successful health check on an open TCP port. If you do not see this string in any response packet before the health check interval or the configured wait window expires, the server does not pass the expect step and the health check fails.
bexpect <hex string>
    Allows you to configure binary content request string (in hexadecimal format) that you can search in each server response packet for successful health check on an open TCP port.
nexpect <additional hex string (UDP)>
    Allows you to append additional content to the original content of the response packet specified by the bexpect command.
offset <offset, 1-1464>
    Allows you to specify the offset from the beginning of the UDP data area to start matching the content specified in the expect command. If you need to specify offset, you must do it after executing the bexpect command.
depth <depth, 1-1464>
    Allows you to specify the depth (the window) in bytes beginning from the start of the UDP data area, or beginning from offset if offset was specified, to search for the bexpect content.
wait <wait window in milliseconds (1-65535)>
    Allows the user to configure a wait window for the expected response. The wait window starts when the request is sent from the switch. If the expected response is received within the wait window, the health check passes, otherwise the health check fails. The wait command should follow the offset and depth commands in the script. The wait window is set in units of milliseconds.
close
    Closes TCP connection.
rem
    Removes the last entered line from the script.
del
    Deletes the current script.
cur
    Lists the current script configuration.
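
A local model of the bexpect, nexpect, offset, depth and wait steps described above, added here as an example and not taken from the switch software; it lets a script's values be checked against a captured response before they are configured. It assumes that offset counts bytes skipped from the start of the UDP data area and that the whole expected content must lie inside the depth window; the DNS-style payloads are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

LIMIT = 1464          # upper bound the page gives for offset and depth
MAX_WAIT_MS = 65535   # upper bound the page gives for wait


@dataclass
class ExpectStep:
    bexpect: str                    # hex string typed after `bexpect`
    nexpect: Sequence[str] = ()     # hex strings appended with `nexpect`
    offset: Optional[int] = None
    depth: Optional[int] = None
    wait_ms: Optional[int] = None

    def pattern(self) -> bytes:
        """Expected content: the bexpect bytes followed by every nexpect chunk."""
        return bytes.fromhex(self.bexpect) + b"".join(
            bytes.fromhex(h) for h in self.nexpect)


def validate(step: ExpectStep) -> List[str]:
    """Check the values against the ranges listed in the menu options."""
    problems = []
    if step.offset is not None and not 1 <= step.offset <= LIMIT:
        problems.append("offset must be 1-1464")
    if step.depth is not None and not 1 <= step.depth <= LIMIT:
        problems.append("depth must be 1-1464")
    if step.wait_ms is not None and not 1 <= step.wait_ms <= MAX_WAIT_MS:
        problems.append("wait must be 1-65535 ms")
    if step.depth is not None and step.depth < len(step.pattern()):
        problems.append("depth window is shorter than the expected content")
    return problems


def passes(step: ExpectStep, payload: bytes, elapsed_ms: int) -> bool:
    """True if the response payload satisfies the expect step."""
    problems = validate(step)
    if problems:
        raise ValueError("; ".join(problems))
    # A response that arrives after the wait window fails the check.
    if step.wait_ms is not None and elapsed_ms > step.wait_ms:
        return False
    start = step.offset or 0        # assumption: offset = bytes skipped
    end = len(payload) if step.depth is None else start + step.depth
    return step.pattern() in payload[start:end]


# Constructed UDP payloads in DNS layout: 2-byte ID, 2-byte flags, counts.
# The request ID 0x8180 is echoed by the server in both responses.
HEALTHY = bytes.fromhex("8180 8180 0001 0001 0000 0000")   # flags: no error
SERVFAIL = bytes.fromhex("8180 8182 0001 0000 0000 0000")  # flags: server failure

if __name__ == "__main__":
    loose = ExpectStep("8180")
    anchored = ExpectStep("8180", offset=2, depth=2, wait_ms=100)
    for name, payload in (("healthy", HEALTHY), ("servfail", SERVFAIL)):
        print(name, "loose:", passes(loose, payload, 5),
              "anchored:", passes(anchored, payload, 5))
```

Without offset and depth, the expected bytes match the echoed ID of the failing response, so a broken server would still pass; anchoring the match to the flags field removes that false pass.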

/cfg/slb/advhc/snmphc SNMP Health Check Configuration

SNMP Health Check Menu Options (/cfg/slb/adv/snmphc)

Command Syntax and Usage

oid <object identifier, such as, 1.3.6.1.2.1.1.1.0 max 30 sub-identifiers>
    Specify the Object Identifier (OID) to be sent in the SNMP GET request packet. The format of the OID depends on the MIB file, for example, an OID is of the form 1.3.6.1.4.1.1872.2.5.7.11.
comm <community string, maximum 32 characters>
    Enter the community string used in the SNMP get request packet. The default community string is public.
rcvcnt <expected content an integer value or a string>
    Enter the content the switch expects to receive from the SNMP agent on the real server.
invert disable|enable
    Enables or disables the inversion of the expected value. When the invert option is enabled, the health check fails if the response packet contains the value specified in the receive content (rcvcnt) field.
weight disable|enable
    When enabled, the real server weights are dynamically adjusted based on SNMP health check response.
del
    Deletes the current SNMP health check.
cur
    Displays the current SNMP Health Check configuration.

/cfg/slb/advhc/waphc WAP Health Check Configuration

Wireless Session Protocol (WSP) is used within the Wireless Application Protocol (WAP) suite to manage sessions between wireless devices and WAP content servers or WAP gateways. The Nortel Application Switch Operating System provides a content-based health check mechanism where customized WSP packets are sent to the WAP gateways, and the switch verifies the expected response, in a manner similar to scriptable health checks. WSP content health checks can be configured in two modes: connectionless and connection-oriented. Connectionless WSP runs on UDP/IP protocol, ports 9200 and 9202, and connection-oriented (WTP) traffic runs on ports 9201 and 9203. Application switches can be used to load balance the gateways in both modes of operation.


The Nortel Application Switch Operating System allows you to congure three WAP gateway health check types for all four WAP services (WSP, WTP+WSP, WTLS+WSP, WTLS+WTP+WSP), deployed on WAP gateways/servers. For further details, refer Application Guide.
[WAP Health Check Menu]
     wspcnt  - WSP Health Check Content Menu
     wtpcnt  - WTP+WSP Health Check Content Menu
     wspport - WSP port number to health check
     wtpport - WTP port number to health check
     wtlswsp - WTLS+WSP port number to health check
     wtlsprt - WTLS port number to health check
     couple  - Enable/disable coupling with RADIUS Accounting Service
     cur     - Display current WAP health check configuration

WAP Health Check Menu Options (/cfg/slb/adv/waphc)

Command Syntax and Usage

wspcnt
    Displays WSP Health Check Content Menu. To view menu options, see "/cfg/slb/advhc/waphc/wspcnt WSP Content Health Check" (page 438).
wtpcnt
    Displays WTP and WSP Health Check Content Menu. To view menu options, see "/cfg/slb/advhc/waphc/wtpcnt WTP and WSP Content Health Check Menu" (page 438).
wspport <wsp port number to health check (0-65534)>
    Enter the port number on which WSP health checks will be performed. The default port number is 9200.
wtpport <wtp port number to health check (0-65534)>
    Defines the WTP port number to health check. The default port number is 9201.
wtlswsp <wtls+wsp port number to health check (0-65534)>
    Defines the WTLS (Wireless Transport Layer Security) and WSP port number to health check. The connectionless encrypted WTLS traffic uses default port 9202.
wtlsprt <port number (0-65534)>
    Enter the port number on which WTLS health checks will be performed. The connection-oriented WTLS traffic uses default port 9203.
couple disable|enable
    Enables or disables coupling together of all the four WAP services (WSP, WTP+WSP, WTLS+WSP, WTLS+WTP+WSP) with Radius Accounting Service. If the health check to any one of the four WAP services or Radius Accounting Service fails, then all of the four WAP services and Radius Accounting Service are disabled.
cur
    Displays the current WAP Health Check configuration.

/cfg/slb/advhc/waphc/wspcnt WSP Content Health Check


[WSP Health Check Content Menu]
     offset - Offset in received WSP packet
     sndcnt - Content to be sent to the WAP gateway
     rcvcnt - Content to be received from the WAP gateway
     cur    - Display current WSP health check content configuration

WSP Content Health Check Options (/cfg/slb/advhc/waphc/wspcnt)

Command Syntax and Usage

offset <Offset in the received WSP packet (0-512)>
    Enter the offset into the content of the received WSP packets. An offset value of 0 (default) sets the switch to start comparisons from the beginning of the content of the received packet.
sndcnt <send content as hexadecimal string>
    Enter a hexadecimal string that represents a connectionless WSP request to a WSP gateway. This string will be delivered to the WSP gateway.
rcvcnt <receive content as hexadecimal string>
    Enter a hexadecimal string that represents the content that the switch expects to receive from the WSP gateway.
cur
    Displays the current WAP Health Check configuration.

/cfg/slb/advhc/waphc/wtpcnt WTP and WSP Content Health Check Menu


This menu is used for configuring the health check for connection-oriented unencrypted WAP traffic.

[WTP+WSP Health Check Content Menu]
     offset  - Offset in received WSP PDU
     connect - CONNECT PDU to be sent to the WAP gateway
     sndcnt  - GET PDU to be sent to the WAP gateway
     rcvcnt  - REPLY PDU to be received from the WAP gateway
     cur     - Display current WTP+WSP health check content configuration

WTP and WSP Content Health Check Menu Options (/cfg/slb/advhc/waphc/wtpcnt)

Command Syntax and Usage

offset <offset in the received WSP PDU>
    Enter the offset into the content of the received WSP packets. The offset value is the number of bytes from the beginning of the WSP PDU at which the comparison with the expected receive content begins. An offset value of 0 (default) sets the switch to start comparisons from the beginning of the WSP PDU of the received packet.
connect <connect content as hexstring>
    Enter the content for the first switch-generated WSP session packet. This command allows you to customize the headers in the connect message.
sndcnt <send content as hexadecimal string>
    Enter a hexadecimal string that represents a WSP request to a WSP gateway. This string will be delivered to the WSP gateway.
rcvcnt <receive content as a hexadecimal string>
    Enter a hexadecimal string that represents the content that the switch expects to receive from the WSP gateway.
cur
    Displays current WTP+WSP health check content configuration.
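The offset and rcvcnt comparison described for the wspcnt and wtpcnt menus can be rehearsed offline against captured gateway replies before a check is configured. The following Python sketch is an added example, not Nortel code: it assumes the switch compares rcvcnt byte-for-byte starting at offset, and the function names, sample replies and the meanings given to their bytes are constructed for illustration.

```python
"""Rehearse a WAP content health check (offset + rcvcnt) against captured replies."""

MAX_OFFSET = 512  # upper bound the page gives for the wspcnt offset option


def parse_hexstring(value):
    """Turn a hexadecimal string, as typed for sndcnt/rcvcnt, into bytes."""
    cleaned = "".join(value.split())
    if not cleaned:
        raise ValueError("empty hexadecimal string")
    try:
        return bytes.fromhex(cleaned)  # rejects odd lengths and non-hex digits
    except ValueError as exc:
        raise ValueError("not a valid hexadecimal string: %r" % value) from exc


def content_matches(pdu, rcvcnt_hex, offset=0):
    """Assumed comparison: rcvcnt must equal the reply bytes starting at offset."""
    if not 0 <= offset <= MAX_OFFSET:
        raise ValueError("offset must be between 0 and %d" % MAX_OFFSET)
    expected = parse_hexstring(rcvcnt_hex)
    window = pdu[offset:offset + len(expected)]
    # A reply that ends before the window is complete cannot match.
    return window == expected


def audit_check(offset, rcvcnt_hex, healthy, unhealthy):
    """List the replies a candidate offset/rcvcnt pair would misjudge.

    healthy and unhealthy map a label to reply bytes. A usable check rejects
    no healthy reply and accepts no unhealthy one.
    """
    return {
        "healthy_rejected": [
            name for name, pdu in healthy.items()
            if not content_matches(pdu, rcvcnt_hex, offset)
        ],
        "unhealthy_accepted": [
            name for name, pdu in unhealthy.items()
            if content_matches(pdu, rcvcnt_hex, offset)
        ],
    }


# Constructed sample replies (not captured from a real gateway). Assumed layout:
# byte 0 transaction id, byte 1 PDU type (0x04 reply), byte 2 status code.
HEALTHY = {
    "reply_ok": bytes.fromhex("0104200194") + b"OK",
}
UNHEALTHY = {
    "error_status": bytes.fromhex("0104630194") + b"NO",  # status is not 0x20
    "truncated": bytes.fromhex("0104"),                   # reply cut short
}

if __name__ == "__main__":
    # Candidate A matches only the PDU type byte, so failing replies still pass.
    # Candidate B also pins the status byte and rejects both failing replies.
    for label, offset, rcvcnt in (("A", 1, "04"), ("B", 1, "0420")):
        result = audit_check(offset, rcvcnt, HEALTHY, UNHEALTHY)
        print("candidate %s offset=%d rcvcnt=%s -> %s" % (label, offset, rcvcnt, result))
```

A receive string that covers only bytes present in every reply marks a failing gateway as healthy, so the expected content should include a field that differs between good and bad replies.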

/cfg/slb/pip Proxy IP Address Configuration Menu


You need to enable proxy IP address processing on the port to use this command. You can configure multiple proxy IP addresses based on either port or VLAN. You can configure up to 1024 proxy IP addresses on a per switch basis.


[Proxy IP Address Menu]
     type - Set base type of Proxy IP address
     add  - Add port or VLAN to Proxy IP address
     add6 - Add port or VLAN to IPv6 Proxy IP address
     rem  - Remove port or VLAN from Proxy IP address
     cur  - Display current Proxy IP address configuration

Proxy IP Address Configuration Menu Options (/cfg/slb/pip)

Command Syntax and Usage

type port|vlan
    Defines the base type of the proxy IP address, whether it is port-based or VLAN-based.
add <IP address port number>|<vlan number> | port number-port number|vlan number-vlan number
    Allows you to add either a port or a VLAN to a proxy IP address.
add6 IPv6 address port number|vlan number | port number-port number|vlan number-vlan number
    Adds a port or VLAN to a proxy IPv6 address.
rem <PIP ID port#|vlan#> | <port#-port#|vlan#-vlan#>
    Allows you to remove a port or a VLAN from a proxy IP address. This command also allows you to remove all ports or VLANs assigned to any proxy IP address.
cur
    Displays the current Proxy IP address configuration.

/cfg/slb/peerpip SLB Peer Proxy IP Address Menu


When this command is enabled, the switch is able to forward traffic from the other switch, using Layer 2, without performing server processing on the packets of the other switch. This happens because the peer switches are aware of each other's proxy IP addresses. This prevents a packet from being dropped, or from being sent to the backup switch, as would happen in the absence of the proxy IP address of the peer switch.
[Peer Proxy IP Address Menu]
     add - Add peer Proxy IP address
     rem - Rem peer Proxy IP address
     cur - Display current peer Proxy IP address configuration

Peer Proxy IP Address Menu Options (/cfg/slb/peerpip)

Command Syntax and Usage

add <IP address>
    Allows you to add a proxy IP address to the server load balancing peer.
rem <IP address>
    Allows you to remove a proxy IP address from the server load balancing peer.
cur
    Displays the current proxy address configuration of the peer.

/cfg/slb/wlm WorkLoad Management Menu


[Workload Manager 1 Menu]
     addr - Set IP address for Workload Manager
     port - Set port for Workload Manager
     del  - Delete Workload Manager
     cur  - Display current Workload Manager configuration

Workload Manager Menu Options

Command Syntax and Usage

addr <IP_address>
    Set the IP address for the Workload Manager.
port <TCP_port>
    Set the port number for the Workload Manager.
del
    Delete the Workload Manager.
cur
    Shows all Workload Manager statistics. For example:

    Current Workload Manager 1:
         IP address      Port
         0.0.0.0         0


The Operations Menu


The Operations Menu is generally used for commands that affect switch performance immediately, but do not alter permanent switch configurations. For example, you can use the Operations Menu to immediately disable a port (without the need to apply or save the change), with the understanding that when the switch is reset, the port returns to its normally configured operation.

/oper Operations Menu


[Operations Menu]
     port     - Operational Port Menu
     slb      - Operational Server Load Balancing Menu
     vrrp     - Operational Virtual Router Redundancy Menu
     bwm      - Operational Bandwidth Management Menu
     security - Operational Security Menu
     ip       - Operational IP Menu
     swkey    - Enter key to enable software feature
     rmkey    - Enter software feature to be removed
     passwd   - Change current user password
     clrlog   - Clear syslog messages
     displog  - Turn on/off display syslog msgs to telnet/ssh sessions
     defalias - Set default port alias
     ntpreq   - Send NTP request

The commands of the Operations Menu enable you to alter switch operational characteristics without affecting switch configuration. Port Mirroring menu options are accessible only to the Nortel Application Switch AD4 and Nortel Application Switch 184 Web Switches.
Operations Menu Options (/oper)

Command Syntax and Usage

port <port number>
    Displays the Operational Port Menu. To view menu options, see "/oper/port <port number> Operations-Level Port Options" (page 445).
slb
    Displays the Operational Layer 4 Menu. To view menu options, see "/oper/slb Operations-Level SLB Options" (page 445).
vrrp
    Displays the Operational Virtual Router Redundancy Menu. To view menu options, see "/oper/vrrp Operations-Level VRRP Options" (page 448).
bwm
    Displays the Operational Bandwidth Management Menu. To view menu options, see "/oper/bwm Operations-Level Bandwidth Management Options" (page 449).
security
    Go to the Operational Security menu. To view menu options, see "/oper/security Security Menu" (page 449).
ip
    Displays the IP Operations Menu, which has one sub-menu/option, the Operational Border Gateway Protocol Menu. To view menu options, see "/oper/vrrp Operations-Level VRRP Options" (page 448).
swkey <16-hexadecimal digit key to enable software feature>
    Sets key to enable software feature. For details, see "/oper/swkey Activating Optional Software" (page 452).
rmkey <software feature to be removed (GSL|BWM|Security)>
    Defines software feature to be removed. For details, see "/oper/rmkey Removing Optional Software" (page 453).
passwd <15 char max>
    Allows the user to change the password. You need to enter the current password in use for validation.
clrlog
    Clears all syslog messages.
displog on|off
    Turns on or off the display of syslog messages to telnet/ssh sessions.
defalias
    Set the default port alias.
ntpreq
    Allows the user to send requests to the NTP server.


/oper/port <port number> Operations-Level Port Options


[Operations Port 1 Menu]
     rmon - Enable/Disable RMON for port
     ena  - Enable port
     dis  - Disable port
     cur  - Current port state

Operations-level port options are used for temporarily disabling or enabling a port, and for changing Remote Monitoring (RMON) status on a port.
Operations-Level Port Menu Options (/oper/port)

Command Syntax and Usage

rmon disable|enable
    Temporarily enables/disables Remote Monitoring on the port. The port will be returned to its configured operation mode when the switch is reset.
ena
    Temporarily enables the port. The port will be returned to its configured operation mode when the switch is reset.
dis
    Temporarily disables the port. The port will be returned to its configured operation mode when the switch is reset.
cur
    Displays the current settings for the port.

/oper/slb Operations-Level SLB Options

When the optional Layer 4 software is enabled, the operations-level Server Load Balancing options are used for temporarily disabling or enabling real servers and synchronizing the configuration between the active/active switches.

Server Load Balancing Operations Menu Options (/oper/slb)

Command Syntax and Usage

group <real server group number (1-1024)>
    Displays the Real Server Group Menu. To view menu options, see "/oper/slb/group Real Server Group Operations" (page 447).
gslb
    Displays Global SLB Operations Menu. To view menu options, see "/oper/slb/gslb Global SLB Operations Menu" (page 447).
sync
    Synchronizes the SLB, filter, VRRP, port, Bandwidth Management configuration, and VR priorities on a peer switch (a switch that owns the IP address). To take effect, peers must be configured on the Nortel Application Switch and the administrator password on the switch must be identical.
ena <real server number (1-1023)>
    Temporarily enables a real server. The real server will be returned to its configured operation mode when the switch is reset.
dis <real server number, 1-1023> [P - allow persistent http 1.0 sessions] p|n
    The disable command is used to temporarily disable real servers as follows:
    - Using the p (persistent) option: immediately suspends assignment of connections to the specified real server (except for persistent http 1.0 sessions) by removing the real server from operation within its real server group and virtual server.
    - Using the n (none) option: immediately suspends assignment of connections to the specified real server by removing the real server from operation within its real server group and virtual server.
    The real server will be returned to its configured state after a switch reset.
    Note: This command provides for orderly server shutdown to allow maintenance on a server. For more information, see "Disabling and Enabling Real Servers" in the Nortel Application Switch Operating System 24.0 Application Guide.
sessdel
    Delete session table entry.
smirror
    Sends request for an update from the VRRP backup switch to the VRRP Master. The request is sent to avoid a situation where the sessions on the backup switch can be updated only by a VRRP failover or a switch reset.
    Note: VRRP must be enabled and the switch must be a VRRP backup, otherwise the command returns an error message.
clear
    Clears all session tables and allows port filter changes to take effect immediately.
    Note: This command disrupts current SLB and Application Redirection sessions.
cur
    Displays the current SLB operational state.

/oper/slb/group Real Server Group Operations


[Real server group 1 Menu]
     ena - Enable real server in this group
     dis - Disable real server in this group
     cur - Current server group operational state

Real Server Group Operations Options (/oper/slb/group)

Command Syntax and Usage

ena <real server number (1-1023)>
    Enables real server in this group.
dis <real server number (1-1023)>
    Disables real server in this group.
cur
    Displays current operational state of the server group.

/oper/slb/gslb Global SLB Operations Menu


[Global SLB Operations Menu]
     query    - Query Global SLB selection
     add      - Add entry to Global SLB DNS persistence cache
     arem     - Remove all entries Global SLB DNS persistence cache
     avpersis - Enable/Disable GSLB availability persistence for virtual server

Global SLB Operations Menu Options (/oper/slb/gslb)

Command Syntax and Usage

query
    Allows you to query the Global site selection.
add
    Add an entry to the Global SLB DNS persistence cache.
arem
    Remove all entries Global SLB DNS persistence cache.
avpersis <virtual server number (1-1024)> enable|disable
    When enabled, this will cause a virtual server with a lower availability to start advertising an availability of 48 if the remote virtual server with a higher availability becomes unavailable. The GSLB DSSP version must be set to 3 for this command to be issued. This command will only affect GSLB if the GSLB rules are configured to use the availability metric (preferably as rule 1, metric 1). If a virtual server is advertising an availability of 48 to its remote virtual servers, disabling avpersis will cause availabilities to return to their configured values.

/oper/vrrp Operations-Level VRRP Options


[VRRP Operations Menu]
     back - Set virtual router to backup

Virtual Router Redundancy Operations Menu Options (/oper/vrrp)

Command Syntax and Usage

back <virtual router number (1-1024)>
    Forces the specified master virtual router on this switch into backup mode. This is generally used for passing master control back to a preferred switch once the preferred switch has been returned to service after a failure. When this command is executed, the current master gives up control and initiates a new election by temporarily advertising its own priority level as 0 (lowest). After the new election, the virtual router forced into backup mode by this command will resume master control in the following cases:
    - This switch owns the virtual router (the IP addresses of the virtual router and its IP interface are the same).
    - This switch's virtual router has a higher priority and preemption is enabled.
    - There are no other virtual routers available to take master control.

/oper/bwm Operations-Level Bandwidth Management Options


[Bandwidth Management Operations Menu]
     sndhist - Send BW History to SMTP server
     clear   - Clear BWM IP user entry table

Bandwidth Operations Menu Options (/oper/bwm/sndhist)

Command Syntax and Usage

sndhist
    Sends the bandwidth history to a system administrator specified under /cfg/bwm/user (see "/cfg/bwm Bandwidth Management Configuration" (page 270)).
clear
    Clear the BWM IP user entry table.

/oper/security Security Menu


[Security Menu]
     ipacl - IP ACL Operations Menu

Security Menu Options

Command Syntax and Usage

ipacl
    Go to the IP ACL Operation menu. To view menu options, see "/oper/security/ipacl IP ACL Operations Menu" (page 449).

/oper/security/ipacl IP ACL Operations Menu


[IP ACL Operations Menu]
     add   - Add operations source IP Address/Mask
     rem   - Remove operations source IP Address/Mask
     arem  - Remove all operations source IP Address/Mask
     dadd  - Add operations destination IP Address/Mask
     drem  - Remove operations destination IP Address/Mask
     darem - Remove all operations destination IP Address/Mask
     cfg   - Display configuration IP Address/Mask
     bogon - Display bogon IP Address/Mask
     oper  - Display operations IP Address/Mask
     cur   - Display all IP Address/Mask

IP ACL Operations Menu Options

Command Syntax and Usage

add <IP address IP subnet mask timeout in minutes, 1-10080>
    Add the operations source IP mask.
rem <IP address IP subnet mask>
    Remove the operations source IP mask.
arem
    Remove all operations source IP addresses and Masks.
dadd <IP address IP subnet mask timeout in minutes, 1-10080>
    Add an operations destination IP address and Mask.
drem <IP address IP subnet mask>
    Remove an operations destination IP address and Mask.
darem
    Remove all of the operations destination IP addresses and Masks.
cfg
    Display all configuration IP addresses and Masks. For example:

    Current configuration IP ACL settings:
    0 configuration source IP ACL.
    0 configuration destination IP ACL.
bogon
    Display bogon IP address and Mask. For example:

    >> IP ACL Operations# bogon
    Current bogon IP ACL settings:
    0 bogon source IP ACL.
oper
    Display operations IP addresses and Masks. For example:

    Current operations IP ACL settings:
    0 operations source IP ACL.
    0 operations destination IP ACL.
cur
    Display all IP addresses and Masks. For example:

    Current total IP ACL settings:
    0 total source IP ACL.
    0 total destination IP ACL.
    Current configuration IP ACL settings:
    0 configuration source IP ACL.
    0 configuration destination IP ACL.
    Current bogon IP ACL settings:
    0 bogon source IP ACL.
    Use "bogon" command to display.
    Current operations IP ACL settings:
    0 operations source IP ACL.
    0 operations destination IP ACL.

/oper/ip Operations-Level IP Options


[IP Operations Menu]
     bgp  - Operational Border Gateway Protocol Menu
     garp - Send gratuitous arp

IP Operations Menu Options (/oper/ip)

Command Syntax and Usage

bgp
    Displays the Border Gateway Protocol Operations Menu. To view the menu options, see "/oper/ip/bgp Operations-Level BGP Options" (page 452).
garp <IP address Vlan number>
    Send gratuitous arp.

/oper/ip/bgp Operations-Level BGP Options


[Border Gateway Protocol Operations Menu]
     start - Start peer session
     stop  - Stop peer session
     cur   - Current BGP operational state

IP Operations Menu Options (/oper/ip)

Command Syntax and Usage

start <peer number (1-16)>
    Starts the peer session.
stop <peer number (1-16)>
    Stops the peer session.
cur
    Displays the current BGP operational state.

/oper/swkey Activating Optional Software


The swkey option is used for activating any optional software you have purchased for your switch. Before you can activate optional software, you must obtain a software license from your Nortel Networks representative or authorized reseller. One software license is needed for each switch where the optional software is to be used. You will receive a License Certificate for each software license purchased. Currently the following software packages are available for purchase and installation:
- Security Pack
- Bandwidth Management
- Global Server Load Balancing
- Intelligent Traffic Management
- Nortel Symantec Intelligent Network Protection
- Link Load Balancing

To obtain a software key, you must register each License Certificate with Nortel Networks and provide the MAC address of the Nortel Application Switch Operating System switch that will run the optional software. Nortel Networks will then provide a License Password.

Note: Each License Password will work only on the specific switch which has the MAC address you provided when registering your License Certificate.

Once you have your License Password, perform the following actions:

Step  Action
1     Connect to the switch's command line interface and log in as the administrator (see "The Command Line Interface" (page 27)).
2     At the Main# prompt, enter:
          Main# oper
3     At the Operations# prompt, enter:
          Operations# swkey
4     When prompted, enter your 16-digit software key code. For example:
          Enter Software Key: <16 hexadecimal-digit key to enable software feature (such as, 123456789ABCDEF)>
      If the correct code is entered, you will see the following message:
          Valid software key entered. Software feature enabled.

End

/oper/rmkey Removing Optional Software


The rmkey option is used for deactivating any optional software. Deactivated software is still present in switch memory and can be reactivated at any later time.


To review the deactivation options, enter the following at the Operations Menu:
>> Operations# ? rmk
Usage: rmkey software feature to be removed (GSLB||BWM|Security|Linklb|ITM)

To deactivate optional software, enter the following at the Operations Menu:


Operations# rmkey

When prompted, enter the code for software to be removed. For example:
Enter Software Feature to be removed: GSLB [GSLB]|BWM|Security:


The Boot Options Menu


To use the Boot Options Menu, you must be logged in to the switch as the administrator. The Boot Options Menu provides options for:
- Selecting a switch software image to be used when the switch is next reset
- Selecting a configuration block to be used when the switch is next reset
- Downloading or uploading a new software image to the switch via TFTP

/boot Boot Menu


[Boot Options Menu]
     sched    - Scheduled Switch Reset Menu
     image    - Select software image to use on next boot
     conf     - Select config block to use on next boot
     gtimg    - Download new software image via FTP/TFTP
     ptimg    - Upload selected software image via FTP/TFTP
     symantec - Globally Enable/Disable Symantec feature (requires a switch reset)
     reset    - Reset switch [WARNING: Restarts Spanning Tree]
     cur      - Display current boot options

Each of these options is discussed in greater detail in the following sections.

Scheduled Reboot of the Switch


This feature allows the switch administrator to schedule a reboot to occur at a particular time in the future. This feature is particularly helpful if the user needs to perform switch upgrades during off-peak hours. You can set the reboot time, cancel a previously scheduled reboot, and check the time of the currently set reboot schedule with the help of the following sub-menu:

/boot/sched Scheduled Reboot Menu


[Boot Schedule Menu]
     set    - Set switch reset time
     cancel - Cancel pending switch reset
     cur    - Display current switch reset schedule

The cur option displays the current scheduled reboot time. For example:
>> Boot Schedule# cur
Currently scheduled reboot time: none

Updating the Switch Software Image


The switch software image is the executable code running on the Nortel Application Switch. A version of the image ships with the switch, and comes pre-installed on the device. As new versions of the image are released, you can upgrade the software running on your switch. Upgrading the software image on your switch requires the following:
- Loading the new image onto a TFTP server on your network
- Downloading the new image from the TFTP server to your switch
- Selecting the new software image to be loaded into switch memory the next time the switch is reset

Downloading New Software to Your Switch


The switch can store up to two different software images, called image1 and image2, as well as boot software, called boot. When you download new software, you must specify where it should be placed: either into image1, image2, or boot. For example, if your active image is currently loaded into image1, you would probably load the new image software into image2. This lets you test the new software and reload the original active image (stored in image1), if needed.

To download new software to your switch, you will need the following:
- The image or boot software loaded on a TFTP server on your network
- The hostname or IP address of the TFTP server
- The name of the new software image or boot file

Set up the TFTP option (/cfg/sys/mgmt/tftp) for the TFTP connection. This sets the default option for the gtimg and ptimg commands. However, note that you can override this setting with the option provided to these operational commands.

Note: The DNS parameters must be configured if specifying hostnames. See "/cfg/l3/dns Domain Name System Configuration Menu" (page 327).

When the above requirements are met, use the following procedure to download the new software to your switch.

Step  Action
1     At the Boot Options# prompt, enter:
          Boot Options# gtimg
2     Enter the name of the switch software to be replaced:
          Enter name of switch software image to be replaced ["image1"/"image2"/"boot"]: <image>
3     Enter the hostname or IP address of the TFTP server.
          Enter hostname or IP address of TFTP server: <server name or IP address>
4     Enter the name of the new software file on the server.
          Enter name of file on TFTP server: <filename>
      The exact form of the name will vary by TFTP server. However, the file location is normally relative to the TFTP directory (usually /tftpboot).
5     The system prompts you to confirm your request. You should next select a software image to run, as described below.

End

Selecting a Software Image to Run


You can select which software image (image1 or image2) you want to run in switch memory for the next reboot.

Step  Action
1     At the Boot Options# prompt, enter:
          Boot Options# image
2     Enter the name of the image you want the switch to use upon the next boot. The system informs you of which image is currently set to be loaded at the next reset, and prompts you to enter a new choice:
          Currently set to use switch software "image1" on next reset.
          Specify new image to use on next reset ["image1"/"image2"]:

End

Uploading a Software Image from Your Switch


You can upload a software image from the switch to a TFTP server.

Step  Action
1     At the Boot Options# prompt, enter:
          Boot Options# ptimg
2     The system prompts you for information. Enter the desired image:
          Enter name of switch software image to be uploaded ["image1"|"image2"|"boot"]: <image hostname or server-IP-addr server-filename>
3     Enter the name or the IP address of the TFTP server:
          Enter hostname or IP address of TFTP server: <server name or IP address>
4     Enter the name of the file into which the image will be uploaded on the TFTP server:
          Enter name of file on TFTP server: <filename>
5     The system then requests confirmation of what you have entered. To have the file uploaded, enter Y.
          image2 currently contains Software Version 20.2.0.7
          Upload will transfer image2 (1889411 bytes) to file "test" on TFTP server 192.1.1.1.
          Confirm upload operation [y/n]: y

End

Selecting a Configuration Block


When you make configuration changes to the Nortel Application Switch, you must save the changes so that they are retained beyond the next time the switch is reset. When you perform the save command, your new configuration changes are placed in the active configuration block. The previous configuration is copied into the backup configuration block.

There is also a factory configuration block. This holds the default configuration set by the factory when your Nortel Application Switch was manufactured. Under certain circumstances, it may be desirable to reset the switch configuration to the default. This can be useful when a custom-configured Nortel Application Switch is moved to a network environment where it will be reconfigured for a different purpose.

Use the following procedure to set which configuration block you want the switch to load the next time it is reset:

Step  Action
1     At the Boot Options# prompt, enter:
          Boot Options# conf
2     Enter the name of the configuration block you want the switch to use. The system informs you of which configuration block is currently set to be loaded at the next reset, and prompts you to enter a new choice:
          Currently set to use active configuration block on next reset.
          Specify new block to use ["active"/"backup"/"factory"]:

End


Resetting the Switch


You can reset the switch to make your software image file and configuration block changes occur.

Note: Resetting the switch causes the Spanning Tree Protocol to restart. This process can be lengthy, depending on the topology of your network.

To reset the switch, at the Boot Options# prompt, enter:
>> Boot Options# reset

You are prompted to confirm your request.

Enabling Symantec Intelligent Network Protection


The /boot/symantec command is used to enable and disable the Symantec Intelligent Network Protection on the switch. As this functionality is only active on switches for which a license has been built, the absence of this command indicates a switch does not currently have an active license.

To set the status of this functionality, use the following procedure:

1. Enter the /boot/symantec command.
>> Main# /boot/symantec

2. At the prompt, enter either ena to enable the functionality or dis to disable it.
Current state of Global Symantec feature is Disabled
Globally [ena|dis] Symantec feature (requires a switch reset): ena

3. The switch will now prompt for confirmation of the necessary switch reset. Typing n at either of the prompts will cause the process to abort.
Confirm Globally enable Symantec feature (requires a switch reset) [y/n]: y
Reset will use software "image1" and the active config block.
>> Note that this will RESTART the Spanning Tree,
>> which will likely cause an interruption in network service.
Confirm reset [y/n]: y

The switch will now reset and either enable or disable the functionality globally. Performing this procedure will also determine what memory profile the switch is running. For more information about memory profiles, refer to "Symantec Intelligent Network Protection" in the Nortel Application Switch Operating System 24.0 Application Guide (NN47220-104).

End


The Maintenance Menu


The Maintenance Menu is used to manage dump information and forward database information. It also includes a debugging menu to help with troubleshooting.

/maint Maintenance Menu


Note: To use the Maintenance Menu, you must be logged in to the switch as the administrator.
[Maintenance Menu]
     sys      - System Maintenance Menu
     fdb      - Forwarding Database Manipulation Menu
     arp      - ARP Cache Manipulation Menu
     route    - IP Route Manipulation Menu
     ip6      - IP6 Manipulation Menu
     debug    - Debugging Menu
     uudmp    - Uuencode FLASH dump
     ptdmp    - Upload FLASH dump via FTP/TFTP
     cldmp    - Clear FLASH dump
     lsdmp    - List FLASH dump
     panic    - Dump state information to FLASH and reboot
     tsdmp    - Tech support dump
     pttsdmp  - Upload tech support dump via FTP/TFTP
     sslrst   - Reset SSL card

Dump information contains internal switch state data that is written to flash memory on the Nortel Application Switch after any one of the following occurs:

- The switch administrator forces a switch panic. The panic option, found in the Maintenance Menu, causes the switch to dump state information to flash memory, and then causes the switch to reboot.
- The switch administrator enters the switch reset key combination on a device that is attached to the console port. The switch reset key combination is Shift Ctrl - .
- The watchdog timer forces a switch reset. The purpose of the watchdog timer is to reboot the switch if the switch software freezes.
- The switch detects a hardware or software problem that requires a reboot.

Maintenance Menu Options (/maint)

Command Syntax and Usage

sys
    Displays the System Maintenance Menu. To view menu options, see "/maint/sys System Maintenance Options" (page 465).

fdb
    Displays the Forwarding Database Manipulation Menu. To view menu options, see "/maint/fdb Forwarding Database Options" (page 465).

arp
    Displays the ARP Cache Manipulation Menu. To view menu options, see "/maint/arp ARP Cache Options" (page 467).

route
    Displays the IP Route Manipulation Menu. To view menu options, see "/maint/route IP Route Manipulation" (page 468).

ip6
    Displays the IPv6 Manipulation Menu. To view menu options, see "/maint/ip6 IPv6 Manipulation Menu" (page 469).

debug
    Displays the Debugging Menu. To view menu options, see "/maint/debug Debugging Options" (page 469).

uudmp
    Displays dump information in uuencoded format. For details, see "/maint/uudmp Uuencode Flash Dump" (page 470).

ptdmp hostname filename [-mgmt| -data]
    Saves the system dump information using TFTP. For details, see "/maint/ptdmp server filename System Dump Put" (page 471).

cldmp
    Clears dump information from flash memory. For details, see "/maint/cldmp Clearing Dump Information" (page 471).

lsdmp
    Lists the flash dump. For details, see "/maint/lsdmp" (page 472).

panic
    Dumps MP information to FLASH and reboots. For details, see "/maint/panic Panic Command" (page 472).

tsdmp
    Dumps all Nortel Application Switch information, statistics, and configuration. You can log the tsdump output into a file, and send it to Nortel Networks Tech Support for debugging purposes. For details, see "/maint/tsdmp" (page 473).

pttsdmp <hostname filename -tftp|username password> [-mgmt|-data]
    Uploads the tech support dump using FTP/TFTP. For details, see "/maint/pttsdmp" (page 473).

sslrst
    Resets the SSL card. For details, see "/maint/sslrst" (page 473).

/maint/sys System Maintenance Options


This menu is reserved for use by the Nortel Networks Customer Support group. The options are used to perform system debugging.

[System Maintenance Menu]
     flags    - Set NVRAM flag word
     sfpinfo  - Show SFP information

System Maintenance Menu Options (/maint/sys)

Command Syntax and Usage

flags <new NVRAM flags word as 0xXXXXXXXX>
    This command sets the flags that are used for debugging purposes by the Tech Support group.

sfpinfo <port_number>
    Shows the SFP information. For example:

    >> System Maintenance# sfpinfo 1
    Probing SFP on port 1 - please wait
    Invalid: Port 1 does not support SFPs

/maint/fdb Forwarding Database Options


[FDB Manipulation Menu]
     find     - Show a single FDB entry by MAC address
     port     - Show FDB entries for a single port
     trunk    - Show FDB entries on a single trunk
     vlan     - Show FDB entries for a single VLAN
     refpt    - Show FDB entries referenced by a single port
     dump     - Show all FDB entries
     del      - Delete an FDB entry
     clear    - Clear entire FDB

The Forwarding Database Manipulation Menu can be used to view information and to delete a MAC address from the forwarding database or clear the entire forwarding database. This is helpful in identifying problems associated with MAC address learning and packet forwarding decisions.
FDB Manipulation Menu Options (/maint/fdb)

Command Syntax and Usage

find <MAC address> [ <VLAN> ]
    Displays a single database entry by its MAC address. You are prompted to enter the MAC address of the device. Enter the MAC address using the xx:xx:xx:xx:xx:xx format (such as 08:00:20:12:34:56) or xxxxxxxxxxxx format (such as 080020123456).

port <port number, 0 for unknown>
    Displays all FDB entries for a particular port. Use "0" for unknown port number.

trunk <trunk number (1-12)>
    Displays all FDB entries for the specified trunk group.

vlan <VLAN number (1-4090)>
    Displays all FDB entries on a single VLAN.

refpt <SP number (1-4)>
    Displays all FDB entries referenced by a single port.

dump
    Displays all entries in the Forwarding Database. For details, see "/info/l2" (page 68).

del <MAC address> [ <VLAN number> ]
    Removes a single FDB entry.

clear
    Clears the entire Forwarding Database from switch memory.

/maint/arp ARP Cache Options


[Address Resolution Protocol Menu]
     find     - Show a single ARP entry by IP address
     port     - Show ARP entries on a single port
     vlan     - Show ARP entries on a single VLAN
     refpt    - Show ARP entries referenced by a single SP
     dump     - Show all ARP entries
     clear    - Clear ARP cache
     addr     - Show ARP address list

Address Resolution Protocol Menu Options (/maint/arp)

Command Syntax and Usage

find <IP address (such as, 192.4.17.101)>
    Shows a single ARP entry by IP address.

port <port number>
    Displays ARP entries on a single port. See "/maint/arp/port <port number> ARP Entries on a Single Port" (page 467) for a sample output.

vlan <VLAN number (1-4090)>
    Shows ARP entries on a single VLAN.

refpt <SP number (1-4)>
    Shows all ARP entries referenced by a single port.

dump
    Shows all ARP entries.

clear
    Clears the entire ARP list from switch memory.

addr
    Shows the list of IP addresses which the switch will respond to for ARP requests.

/maint/arp/port <port number> ARP Entries on a Single Port


Note: To display all ARP entries currently held in the switch, or a portion according to one of the options listed on the menu above (find, port, vlan, refpt, dump), you can also refer to "ARP Information" under "/info/l3/arp" (page 85).

/maint/route IP Route Manipulation


[IP Routing Menu]
     find     - Show a single route by destination IP address
     gw       - Show routes to a single gateway
     type     - Show routes of a single type
     tag      - Show routes of a single tag
     if       - Show routes on a single interface
     dump     - Show all routes
     clear    - Clear route table

IP Route Manipulation Menu Options (/maint/route)

Command Syntax and Usage

find <IP4 address (eg, 192.4.17.101)> | <IP6 address (eg, 3001:0:0:0:0:0:abcd:1234)>
    Shows a single route by destination IP address.

gw <default gateway IP4 address (eg, 192.4.17.44)> <default gateway IP6 address (eg, 3001:0:0:0:0:0:abcd:1234)>
    Shows routes to a default gateway.

type indirect|direct|local|broadcast|martian|multicast
    Shows routes of a single type. For a description of IP routing types, see "IP Routing Type Parameters (/info/l3/route/dump/type)" (page 83).

tag fixed|static|addr|rip|ospf|bgp|broadcast|martian|vip
    Shows routes of a single tag. For a description of IP routing tags, see "IP Routing Tag Parameters (info/l3/route/tag)" (page 83).

if <interface number (1-255)>
    Shows routes on a single interface.

dump
    Shows all routes.

clear
    Clears the route table from switch memory.


Note: To display all routes, you can also refer to "IP Routing Information" under "/info/l3/route/dump" (page 83).

/maint/ip6 IPv6 Manipulation Menu


[IP6 Menu]
     nbrcache - Neighbor Cache Manipulation Menu

IPv6 Manipulation Menu Options

Command Syntax and Usage

nbrcache
    Opens the Neighbor Cache menu whose only option is the clear command. This command is used to clear the IPv6 Neighbor Cache table.

/maint/debug Debugging Options


[Miscellaneous Debug Menu]
     tbuf     - Show MP trace buffer
     sptb     - Show SP trace buffer
     spall    - Show All SPs trace buffers
     clrcfg   - Clear all flash configs
     portmap  - Show port-SP-MAC mapping
     vmasp    - Show designated SP for source IP address
     vmasp6   - Show designated SP for IP6 address

The Miscellaneous Debug Menu displays trace buffer information about events that can be helpful in understanding switch operation. You can view the following information using the debug menu:

- Events traced by the Management Processor (MP)
- Events traced by the Switch Processor (SP)
- Events traced to a buffer area when a reset occurs

If the switch resets for any reason, the MP trace buffer and SP trace buffers are saved into the snap trace buffer area. The output from these commands can be interpreted by the Nortel Networks Customer Support division.
Miscellaneous Debug Menu Options (/maint/debug)

Command Syntax and Usage

tbuf
    Displays the Management Processor trace buffer. Header information similar to the following is shown:

    MP trace buffer at 13:28:15 Fri May 25, 2001; mask: 0x2ffdf748

    The buffer information is displayed after the header.

sptb <port number (1-4)>
    Displays the Switch Processor trace buffer. Header information similar to the following is shown:

    SP 1 trace buffer at 10:56:35 Tue Jul 30, 2002; mask: 0x00800008

    The buffer information is displayed after the header.

spall
    Displays the Switch Processor trace buffer. Header information similar to the following is shown:

    SP 1 trace buffer at 10:56:35 Tue Jul 30, 2002; mask: 0x00800008.

    The buffer information is displayed after the header. Displays all SP trace buffers.

clrcfg
    Deletes all flash configuration blocks.

portmap
    Shows the port to SP to MAC mapping.

vmasp <source IP address> [<destination IP address> If VMA with destination IP address is enabled]
    Displays the assigned SP (Switch Processor) for a source IP address and a destination IP address when VMA with destination IP is enabled.

vmasp6 <IP_address>
    Shows the designated SP for an IP6 address.

/maint/uudmp Uuencode Flash Dump


Using this command, dump information is presented in uuencoded format. This format makes it easy to capture the dump information as a file or a string of characters. You can then contact Nortel Networks Customer Support for help analyzing the information.

If you want to capture dump information to a file, set your communication software on your workstation to capture session data prior to issuing the uudmp command. This will ensure that you do not lose any information. Once entered, the uudmp command will cause approximately 23,300 lines of data to be displayed on your screen and copied into the file.

Using the uudmp command, dump information can be read multiple times. The command does not cause the information to be updated or cleared from flash memory.

Note: Dump information is not cleared automatically. In order for any subsequent dump information to be written to flash memory, you must manually clear the dump region. For more information on clearing the dump region, see "/maint/cldmp Clearing Dump Information" (page 471).

To access dump information, at the Maintenance# prompt, enter:
Maintenance# uudmp

The dump information is displayed on your screen and, if you have configured your communication software to do so, captured to a file. If there is a dump available, the system prompts as follows:
Maintenance# uu
Enter region to dump [main/bkp]: main
Dumping main region:
Use ptdmp to extract panic dumps.
Confirm proceed with large dump (15000 lines) [y/n]:

If the dump region is empty, the following message appears:


No FLASH dump available.
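
A session capture of uudmp mixes prompts with the uuencoded data, and a character dropped anywhere in the capture corrupts the dump without any visible error. The Python script below is an added example, not Nortel code: it assumes standard uuencode framing (begin and end lines, which this manual does not show), uses a constructed sample capture with a hypothetical dump name, and checks each line's declared length before decoding.

```python
"""Recover the binary dump from a captured /maint/uudmp session (added example)."""
import binascii
import hashlib


def decode_uudmp_capture(capture_text):
    """Return (payload, problems) for the first uuencoded block in a capture.

    Assumption: standard uuencode framing, "begin <mode> <name>" ... "end".
    """
    payload = bytearray()
    problems = []
    in_block = False
    saw_end = False
    for lineno, line in enumerate(capture_text.splitlines(), 1):
        if not in_block:
            # Prompts and banners ahead of the block are skipped.
            fields = line.split()
            if len(fields) == 3 and fields[0] == "begin" and fields[1].isdigit():
                in_block = True
            continue
        if line.strip() == "end":
            saw_end = True
            break
        if not line:
            continue  # blank lines added by the terminal carry no data
        declared = (ord(line[0]) - 32) & 0x3F      # bytes this line claims to hold
        needed = 1 + ((declared + 2) // 3) * 4     # length char + 4 chars per 3 bytes
        if len(line) < needed:
            # binascii would silently pad with zeros, so flag it here.
            problems.append(
                f"line {lineno}: {len(line)} chars, expected {needed} (capture lost data)")
        try:
            chunk = binascii.a2b_uu(line.encode("ascii"))
        except (binascii.Error, UnicodeEncodeError) as exc:
            problems.append(f"line {lineno}: not valid uuencode ({exc})")
            chunk = b"\x00" * declared             # keep later offsets aligned
        payload += chunk
    if not in_block:
        problems.append("no 'begin' line found")
    elif not saw_end:
        problems.append("no 'end' line: capture stopped before the dump finished")
    return bytes(payload), problems


def summarize(payload, problems):
    """Size, SHA-256 and completeness flag to record alongside the extracted dump."""
    return {
        "bytes": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "complete": not problems,
    }


def build_constructed_capture(dump_bytes):
    """Constructed sample: wrap bytes the way a terminal capture might look.

    The "flashdump" name and the framing are assumptions, not switch output.
    """
    body = [
        binascii.b2a_uu(dump_bytes[i:i + 45], backtick=True).decode("ascii").rstrip("\n")
        for i in range(0, len(dump_bytes), 45)
    ]
    lines = ["Maintenance# uudmp", "Dumping main region:",
             "begin 644 flashdump", *body, "`", "end", "Maintenance# "]
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    sample = build_constructed_capture(bytes(range(200)))
    data, issues = decode_uudmp_capture(sample)
    print(summarize(data, issues))
    for issue in issues:
        print("WARNING:", issue)
```

Record the reported SHA-256 with the extracted file so the copy sent for analysis can be matched against the one kept locally.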

/maint/ptdmp <server filename> System Dump Put


Use this command to put (save) the system dump to a TFTP or FTP server.

Note: If the TFTP or FTP server is running SunOS or the Solaris operating system, the specified ptdmp file must exist prior to executing the ptdmp command, and must be writable (set with proper permission, and not locked by any application). The contents of the specified file will be replaced with the current dump data.

To save dump information via TFTP or FTP, at the Maintenance# prompt, enter:
Maintenance# ptdmp hostname -tftp|username password [-mgmt|-data] filename

Where server is the TFTP or FTP server IP address or hostname, and filename is the target dump file.

/maint/cldmp Clearing Dump Information


To clear dump information from flash memory, at the Maintenance# prompt, enter:
Maintenance# cldmp

The switch clears the dump region of flash memory and displays the following message:
FLASH dump region cleared.

If the flash dump region is already clear, the switch displays the following message:
FLASH dump region is already clear.

/maint/lsdmp
Use the /maint/lsdmp command to view dump statistics. For example:
>> Maintenance# lsdmp
The main dump was saved at 8:12:58 Fri Jun 3, 2005.
A backup dump was saved at 14:47:31 Mon Jun 20, 2005.

/maint/panic Panic Command


The panic command causes the switch to immediately dump state information to flash memory and automatically reboot. To select panic, at the Maintenance# prompt, enter:
>> Maintenance# panic
A FLASH dump already exists.
Confirm replacing existing dump and reboot [y/n]:

Enter y to confirm the command:
Confirm dump and reboot [y/n]: y

The following messages are displayed:
Loading Image:..........
Alteon Application Switch 2424
Rebooted because of Software PANIC.
Booting complete 19:15:23 Thu Jan 9, 2003:
Version 20.2.7 from FLASH image1, active config block.
Jan 9 19:15:32 NOTICE system: link up on port 25
Enter password:

/maint/tsdmp
Use the /maint/tsdmp command to dump all dump information that can be used for technical support. For example:
>> Maintenance# tsdmp
Confirm dumping all information, statistics, and configuration [y/n]:

/maint/pttsdmp
Use the /maint/pttsdmp command to upload a technical support dump using an FTP or TFTP connection. The dump was performed earlier using the /maint/tsdmp command. For example:
>> Maintenance# ? pttsdmp
Usage: pttsdmp hostname filename -tftp|username password [mgmt|-data]
>> Maintenance# pttsdmp
Enter hostname or IP address of FTP/TFTP server: 0.0.0.0
Enter name of file on FTP/TFTP server: dump.txt
Enter username for FTP server or hit return for TFTP server: username
Enter password for username on FTP server:
Connecting to 0.0.0.0...
.
.

/maint/sslrst
Use the /maint/sslrst command to reset the switch SSL card.

Unscheduled System Dumps


If there is an unscheduled system dump to flash memory, the following message is displayed when you log on to the switch:

Note: A system dump exists in FLASH. The dump was saved at 19:15:23 Thu Jan 9, 2003. Use /maint/uudmp to extract the dump for analysis and /maint/cldmp to clear the FLASH region. The region must be cleared before another dump can be saved.


The SSL Processor Menu


The SSL Menu is used to connect to the SSL processor.

Note: To use the SSL Processor Menu, you must be logged in to the processor as the administrator.

Login to the SSL processor


Log in to the SSL Processor as described in the following paragraphs. Go to the main menu and enter the SSL processor level.

Enter the appropriate account information to log on to the processor.

Note: Help information on specific commands uses the command "help", and not the "?" symbol used at other directory levels. The command must also be spelled out in full. For example, to request help on the "apply" command enter:
SSL >> Main# help diff
Show any pending configuration changes.

/ssl SSL Processor Menu


[Main Menu]
     info     - Information menu
     stats    - Statistics menu
     cfg      - Configuration menu
     boot     - Boot menu
     maint    - Maintenance menu
     diff     - Show pending config changes [global command]
     apply    - Apply pending config changes [global command]
     revert   - Revert pending config changes [global command]
     paste    - Restore saved config with key [global command]
     help     - Show command help [global command]
     exit     - Exit [global command, always available]

FDB Manipulation Menu Options (/maint/fdb)

Command Syntax and Usage

info
    Go to the Information level of the SSL Processor menu. For details, see "/ssl/info SSL Performance information menu" (page 477).

stats
    Go to the Statistics level of the SSL Processor menu. For details, see "/ssl/info/events SSL Performance Menu" (page 482).

cfg
    Go to the Configuration level of the SSL Processor menu. For details, see "/ssl/stats/ipsec IPSEC Statistics menu" (page 486).

boot
    Go to the Boot level of the SSL Processor menu. For details, see "/ssl/boot SSL Boot Menu" (page 582).

maint
    Go to the Maintenance level of the SSL Processor menu. For details, see "/ssl/maint SSL Performance Maintenance Menu" (page 584).

diff
    Shows any pending configuration changes. For example:

    SSL >> Main# diff
    Configuration/ Certificate menu:

apply
    Applies pending configuration changes.

revert
    Remove pending configuration changes. Use this command to undo configuration parameters set since last apply command. For example:

paste
    Lets you restore a saved configuration that includes private keys. Before pasting the configuration, you need to provide the password phrase you specified when selecting to include the private keys in the configuration dump.

help
    Displays a summary of the global commands.

exit
    Leave the SSL Processor menu.

new child "1" created

/ssl/info SSL Performance information menu


[Information Menu]
     servers  - Show configured SSL servers
     certs    - Show configured certificates
     hsm      - Show local HSM information
     sslvpn   - Show configured VPNs
     users    - Show logged in SSL VPN portal users
     ipsec    - Show logged in IPSEC users
     ippool   - Show ip pool allocations
     ip       - Find information about an IP address
     sys      - Show system configuration
     licenses - Show SSL VPN portal license usage
     access   - Print the access rules of an SSL VPN portal user
     kick     - Kick an SSL VPN portal user
     isdlist  - Show all iSDs and their operational status
     local    - Show local iSD information
     ethernet - Show local ethernet status information
     ports    - Show local port(s) information
     events   - Inspect Events menu

Address Resolution Protocol Menu Options (/maint/arp)

Command Syntax and Usage

servers
    Displays the current SSL server settings, including SSL specific settings for each configured virtual SSL server.

certs
    Displays the certificate name, serial number, expiration date, and key size for each installed certificate. Information related to the subject of the certificate is also displayed. For example:

    Certificate 1:
    Certificate name =
    No certificate information.
    Validate:
    key or certificate not defined.
    No key has been defined.
    No key has been defined.
    Revocation:
    Automatic CRL:
    URL to retrieve CRL from =
    LDAP DN used for bind/authentication =
    Password to use when to authenticate =
    Refresh interval = 1d
    List of accepted signers of CRLs =
    Enable automatic retrieval = disabled

hsm
    Displays information related to the HSM card(s) on the iSD310-SSL FIPS device to which you are currently connected. Information about the current security mode (Extended Security mode or FIPS mode) in the iSD310-SSL FIPS cluster is displayed, as well as user login information (SO or USER) for each HSM card on the iSD310-SSL FIPS device. HSM information is only displayed when you are using the iSD310-SSL FIPS model.

sslvpn
    Shows the configured VPNs.

users
    Shows all logged in VPN portal users. For example:

    Number of currently logged in users: 0
    VPN Id User Login Source IP Access Group:Profile...Variables...
    ------ ---- --------------------------------

ipsec [ vpnid [ prefix ]]
    Shows the number of IPSEC users logged in. For example:

    Number of active ipsec sessions for all VPNs: 0

ippool [ vpnid ]
    Displays the IP pool allocations.

ip <IP_address>
    Displays information about a specific IP address. For example:

    SSL >> Information# ip
    Enter IP to search for: 0.0.0.0
    IP 0.0.0.0 not allocated from IP pool

sys
    Shows the system configuration. For example (in part):

    System:
    Management IP (MIP) address = 10.10.10.72
    iSD Host 1:
    Type of the iSD = master
    IP address = 10.10.10.71
    License =
    IPSEC user sessions: 10
    TPS: 300
    SSL user sessions: 10
    Default gateway address = 10.10.10.69
    Ports = 1
    Hardware platform = 2424S
    Host Routes:
    No items configured
    Host Interface 1:
    IP address = 10.10.10.71
    Network mask = 255.255.255.0
    Default gateway address = 0.0.0.0
    VLAN tag id = 0
    Mode = failover
    Host Interface Routes:
    No items configured
    Interface Ports:
    1
    .
    .
    .

licenses [ vpn_ID ]
    Shows the SSL VPN port licenses. For example:

    Global License Pools
    VPN      Used    Size
    ------------------------------------------------------
    SSL      0       10
    IPSEC    0       10

access <vpnid username>
    Displays the access rules for an SSL Portal user.

kick <vpnid username>
    Kicks an SSL VPN user.

isdlist
    Displays the IP addresses, master/slave assignments, CPU usage, memory usage, and operational status for all the iSDs in the cluster. An asterisk (*) in the MIP column indicates which iSD in the cluster is currently in control of the Management IP. An asterisk (*) in the Local column indicates the particular iSD to which you have connected. For example:

    SSL >> Information# isdlist
    IP addr       type    MIP  Local  cpu(%)  mem(%)  op
    10.10.10.71   master  *    *      2       52      up

local
    Displays the current software version, iSD hardware platform, up time (since last boot), IP address, and Ethernet MAC address for the particular iSD host to which you have connected. If you have connected to the MIP address, the information displayed relates to the iSD host in the cluster that currently is in control of the MIP. For example:

    SSL >> Information# local
    Alteon iSD SSL
    Hardware platform: 2424S
    Software version: 5.0.0.34
    Up time: 11 days 1 hour 52 minutes
    IP address: 10.10.10.71
    MAC address: 00:01:81:2e:bc:6f

ethernet
    Displays statistics for the Ethernet network interface card (NIC) on the particular iSD host to which you have connected. If you have connected to the MIP address, the information displayed relates to the iSD host in the cluster that currently is in control of the MIP. If more than one network is configured in the cluster, Ethernet statistics for the respective network are displayed.

    RX packets: the total number of received packets
    TX packets: the total number of transmitted packets
    errors: packets lost due to error
    dropped: error due to lack of resources
    overruns: error due to lack of resources
    frame: error due to malformed packets
    carrier: error due to lack of carrier
    collisions: number of packet collisions

    Note: A non-zero collision value may indicate an incorrect configuration of the Ethernet autonegotiation.

    For example:

    I/f 1: RX packets:3438 errors:0 dropped:0 overruns:0 frame:0
    I/f 1: TX packets:2738 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
    I/f 1: RX bytes:220060 (214.9 Kb) TX bytes:205486 (200.6 Kb)

ports
    Displays the status of the local Ethernet interface (NIC) ports on the particular iSD host to which you have connected. If you have connected to the MIP address, the information displayed relates to the iSD host in the cluster that currently is in control of the MIP. For each port, link status (up/down) and Ethernet autonegotiation setting (on/off) is shown. If the link is up, current values for speed (10/100/1000) and duplex mode (half/full) are also shown. If the link is down and autonegotiation is set to off, the configured values for speed and duplex mode are shown instead. For example:

    SSL >> Information# ports
    Port 1: link = up, autoneg = on, speed = 1000, mode = full

events
    Go to the Inspect events menu. For details, see "/ssl/info/events SSL Performance Menu" (page 482).

/ssl/info/events SSL Performance Menu


[Events Menu]
     alarms   - List all pending alarms
     download - Dump the event log file to a TFTP/FTP/SFTP server

SSL Performance Menu Options

Command Syntax and Usage

alarms
    Displays all alarms in the active alarm list by their main attributes: severity level, alarm ID number, date and time when triggered, alarm name, sender, and cause.

download <protocol IP_address> | <hostname filename>
    Transmits the event log file from the iSD cluster to a file on a TFTP server. Specify the IP address or host name of the TFTP server, as well as a file name.

/ssl/stats SSL Performance Statistics menu


[Statistics Menu]
     sslstats - SSL stats
     ipsec    - IPSEC stats
     aaa      - AAA specific statistics
     dump     - Dump all information

IP Route Manipulation Menu Options (/maint/route)

Command Syntax and Usage

sslstats
    Go to the SSL statistics menu. To view menu options, see "/ssl/stats/sslstats SSL Performance Menu" (page 483).

ipsec
    Go to the IPSEC statistics menu. To view menu options, see "/ssl/stats/ipsec IPSEC Statistics menu" (page 486).

aaa
    Go to the AAA specific statistics. To view menu options, see "/ssl/stats/aaa AAA Statistics Menu" (page 490).

dump
    Displays cluster-wide SSL statistics for each virtual SSL server in the cluster, as well as the number of active request sessions, and the total number of completed request sessions. The total number of initiated SSL client connections, and the total number of established SSL client connections as accumulated values for all virtual SSL servers in the cluster are also displayed. Histograms, however, are not included in the output.

/ssl/stats/sslstats SSL Performance Menu


[SSL stats Menu]
    vpn        - Cluster SSL VPN statistics
    server     - Cluster SSL Server statistics
    local      - Local statistics for each isdhost
    clear      - Clear all statistics for all IPs
    activesess - Number of currently active request sessions
    totalsess  - Total completed request sessions
    sslaccept  - Total completed SSL accept
    sslconnect - Total completed SSL connect
    tpshisto   - Cluster-wide TPS histograms for all servers
    clihisto   - Cluster wide client data histograms for all servers
    srvhisto   - Cluster wide server data histograms for all servers

SSL Performance Menu Options

Command Syntax and Usage

vpn <VPN_number>
Displays the cluster-wide statistics for SSL VPN.

server <server_number>
Displays the cluster-wide statistics for SSL servers.

local
Go to the Local SSL Statistics Menu. To view menu options, see "/ssl/stats/sslstats/local SSL Performance SSL Local Statistics Menu" (page 485).

clear
Erase all statistics for all IPs.

activesess
Display the number of currently active requests. For example:
    active_sessions : 0

totalsess
Display the total number of completed request sessions.

sslaccept
Display the total number of completed SSL request sessions.

sslconnect
Display the total number of successful SSL connections.

tpshisto
Display the total number of cluster-wide TPS histograms for all servers.

clihisto
Display the total number of cluster-wide client data histograms for all servers.

srvhisto
Display the total number of cluster-wide server data histograms for all servers.

/ssl/stats/sslstats/local SSL Performance SSL Local Statistics Menu

SSL Performance: SSL Local Statistics Menu Options

Command Syntax and Usage

isdhost <host_number>
Go to the ISD local SSL Statistics Menu. To view menu options, see "/ssl/stats/sslstats/local/isdhost SSL Performance: Single ISD SSL Statistics Menu" (page 486).

overview
Display an overview of the isdhost local statistics.

tpshisto
Display ISD local TPS histograms for all servers/ISDs.

clihisto
Display ISD local client data histograms for all servers and ISDs.

srvhisto
Display ISD local server data histograms for all servers and ISDs.

license
Display local ISD license statistics. For example:
    **** License stats at ISD number 1 ****
    License    Limit reached times
    tps        {ok,0}

dump
Display all local statistical information.

/ssl/stats/sslstats/local/isdhost SSL Performance: Single ISD SSL Statistics Menu


[Single ISD SSL Stats 1 Menu]
    server   - ISD local SSL server stats
    tpshisto - ISD local TPS histograms for all servers
    clihisto - ISD local client byte/s histograms for all servers
    srvhisto - ISD local server byte/s histograms for all servers
    dump     - Dump all information

SSL Performance: Single ISD SSL Statistics Menu Options

Command Syntax and Usage

server
Displays statistics for the local ISD SSL server.

tpshisto
Displays ISD local TPS histograms for all servers.

clihisto
Displays ISD local client data histograms for all servers.

srvhisto
Displays ISD local server histograms for all servers.

dump
Displays all statistical information.

/ssl/stats/ipsec IPSEC Statistics menu


[IPSEC stats Menu]
    vpn        - Cluster IPSEC Server statistics
    local      - Local statistics for each isdhost
    clear      - Clear all ipsec statistics for all IPs
    activesess - Number of currently active ipsec sessions
    totalsess  - Total completed ipsec sessions
    failedsess - Total failed ipsec sessions
    enctot     - Total encoded kBytes
    enc        - Encoded kB/sec last minute
    dectot     - Total decoded kBytes
    dec        - Decoded kB/sec last minute
    sesshisto  - Cluster-wide ipsec session histograms for all servers
    enchisto   - Cluster-wide ipsec encrypt histograms for all servers
    dechisto   - Cluster-wide ipsec decrypt histograms for all servers

IPSEC Statistics Menu Options

Command Syntax and Usage

vpn <VPN_number>
Displays cluster IPSEC server statistics.

local
Go to the local statistics menu. To view menu options, see "/ssl/stats/ipsec/local SSL Performance: Local IPSEC Statistics Menu" (page 488).

clear
Clear all IPSEC statistics.

activesess
Display the number of currently active IPSEC sessions.

totalsess
Display the number of completed IPSEC sessions.

failedsess
Display the number of failed IPSEC sessions.

enctot
Display the total number of encoded kBytes.

enc
Display the total number of encoded kBytes in the last 60 seconds.

dectot
Display the total number of decoded kBytes.

dec
Display the total number of decoded kBytes in the last 60 seconds.

sesshisto
Display the Cluster-wide ipsec session histograms for all servers.

enchisto
Display the Cluster-wide ipsec encrypt histograms for all servers.

dechisto
Display the Cluster-wide ipsec decrypt histograms for all servers.

/ssl/stats/ipsec/local SSL Performance: Local IPSEC Statistics Menu


[Local IPSEC Statistics Menu]
    isdhost   - ISD local IPSEC server statistics menu
    sesshisto - ISD local ipsec session histograms for all VPNs/ISDs
    enchisto  - ISD local ipsec encrypt histograms for all VPNs/ISDs
    dechisto  - ISD local ipsec decrypt histograms for all VPNs/ISDs
    dump      - Dump all information

SSL Performance: Local IPSEC Statistics Menu Options

Command Syntax and Usage

isdhost
Go to the ISD Local IPSEC server statistics menu. To view menu options, see "/ssl/stats/ipsec/local/isdhost SSL Performance: Single IPSEC ISD Statistics Menu" (page 489).

sesshisto
Displays the local IPSEC session histograms for all VPNs and ISDs.

enchisto
Displays the local IPSEC encryption histograms for all VPNs and ISDs.

dechisto
Displays the local IPSEC decryption histograms for all VPNs and ISDs.

dump
Display all IPSEC statistical information.

/ssl/stats/ipsec/local/isdhost SSL Performance: Single IPSEC ISD Statistics Menu

SSL Performance: Single IPSEC ISD Statistics Menu Options

Command Syntax and Usage

vpn <VPN_number>
Display the ISD local IPSEC server statistics.

activesess
Display the locally active IPSEC sessions for all VPNs.

totalsess
Display the total of locally active IPSEC sessions for all VPNs.

failedsess
Display the failed IPSEC sessions for all VPNs.

enctot
Display the total kBytes encoded for all VPNs.

enc
Display the locally encoded kBytes for all VPNs.

dectot
Display the total kBytes decoded for all VPNs.

dec
Display the locally decoded kBytes for all VPNs.

sesshisto
Display the ISD local IPSEC session histograms for all VPNs.

enchisto
Display the ISD local IPSEC encrypted histograms for all VPNs.

dechisto
Display the ISD local ipsec decrypt histograms for all VPNs.

dump
Display all ISD statistics.

/ssl/stats/aaa AAA Statistics Menu


[AAA Statistics Menu]
    total   - Cluster-wide authentication statistics (per VPN)
    isdhost - ISD local authentication statistics (per VPN)
    dump    - Dump all information

AAA Statistics Menu Options

Command Syntax and Usage

total <VPN_ID>
Display the Cluster-wide authentication statistics for each VPN.

isdhost </cfg/sys/host number>
Display the ISD local authentication statistics for each VPN.

dump
Display all AAA statistics.

/ssl/cfg SSL Performance Configuration Menu

[Configuration Menu]
    ssl   - SSL offload menu
    cert  - Certificate menu
    vpn   - VPN menu
    test  - Create test vpn, portal and certificate
    quick - Quick vpn setup wizard
    sys   - System-wide parameter menu
    lang  - Language support
    ptcfg - Backup configuration to TFTP/FTP/SCP/SFTP server
    gtcfg - Restore configuration from TFTP/FTP/SCP/SFTP server
    dump  - Dump configuration on screen for copy-and-paste

SSL Performance Configuration Menu Options

Command Syntax and Usage

ssl
Go to the SSL offload menu. To view menu options, see "/ssl/cfg/ssl SSL Configuration Server Menu" (page 492).

cert
Go to the Certificate menu. To view menu options, see "/ssl/cfg/ssl/server/trace SSL Configuration Server-specific Trace Menu" (page 495).

vpn
Go to the VPN menu. To view menu options, see "/ssl/cfg/vpn SSL VPN Configuration Menu" (page 512).

test
Create a test VPN, portal and certificate. For example:
    SSL >> Configuration# test
    Enter virtual IP address of test portal: 0.0.0.0
    VPN user name: Test_vpn
    VPN password: smith
    Do you want to configure IPsec? (yes/no) [no]: n
    Do you want to configure Netdirect? (yes/no) [no]: n
    Creating VPN 1
    Creating Linkset 1
    Name: base-links
    Creating Authentication 1
    Calling /cfg/vpn 1/aaa/auth 1/local/add Test_vpn smith test
    Creating Group 1
    Name: test
    Creating Access rule 1
    Added base-links to linkset
    Created /cfg/cert 2
    Use apply to activate.

quick
Create a VPN configuration using command prompts.

sys
Go to the System-wide parameter menu. To view menu options, see "/ssl/cfg/lang SSL Configuration Language Support Menu" (page 582).

lang
Go to the Language Support menu. To view menu options, see "/ssl/boot SSL Boot Menu" (page 582).

ptcfg
Saves the current configuration, including private keys and certificates, to a TFTP server. The configuration can later be restored by using the gtcfg command. You are required to specify a password phrase before the information is sent to the TFTP server. If you restore the configuration by using the gtcfg command, you will be prompted for the password phrase you have specified. The password phrase is used to protect the private keys in the configuration.

Note 1: If you have fully separated the Administrator user role from the Certificate Administrator user role, the export passphrase defined by the certificate administrator is used to protect the private keys in the configuration - transparently to the user. When a configuration backup is restored by using the gtcfg command, the certificate administrator must enter the correct passphrase.

Note 2: When using the ptcfg command on an iSD310-SSL FIPS, private keys are encrypted using the wrap key that was generated when the first HSM card in the cluster was initialized.

gtcfg
Restores a configuration, including private keys and certificates, from a TFTP server. You need to provide the password phrase you specified when saving the configuration to the TFTP server.

Note: If you have fully separated the Administrator user role from the Certificate Administrator user role (by removing the admin user from the certadmin group), the certificate administrator must enter the passphrase that was defined by him or her using the /cfg/sys/user/caphrase command.

dump
Display the configuration on-screen for a copy and paste operation.

/ssl/cfg/ssl SSL Configuration Server Menu

[SSL Menu]
    server - SSL server menu
    test   - Create test server and certificate
    quick  - Quick server setup wizard

SSL Configuration Server Menu Options

Command Syntax and Usage

server
Go to the SSL Server menu. To view menu options, see "/ssl/cfg/ssl/server SSL Configuration Server-specific Menu" (page 493).

test
Create a test VPN, portal and certificate. For example:
    SSL >> Configuration# test
    Enter virtual IP address of test portal: 0.0.0.0
    VPN user name: Test_vpn
    VPN password: smith
    Do you want to configure IPsec? (yes/no) [no]: n
    Do you want to configure Netdirect? (yes/no) [no]: n
    Creating VPN 1
    Creating Linkset 1
    Name: base-links
    Creating Authentication 1
    Calling /cfg/vpn 1/aaa/auth 1/local/add Test_vpn smith test
    Creating Group 1
    Name: test
    Creating Access rule 1
    Added base-links to linkset
    Created /cfg/cert 2
    Use apply to activate.

quick
Create a VPN configuration using command prompts.

/ssl/cfg/ssl/server SSL Configuration Server-specific Menu

[Server 1 Menu]
    name       - Set server name
    vips       - Set IP addr(s) of server
    standalone - Set standalone mode
    port       - Set listen port of server
    rip        - Set real server IP addr
    rport      - Set real server port
    type       - Set type (generic/http/socks)
    proxy      - Set transparent proxy mode (on/off)
    trace      - Traffic trace menu
    ssl        - SSL settings menu
    tcp        - TCP endpoint settings menu
    adv        - Advanced settings menu
    del        - Remove virtual server
    ena        - Enable virtual server
    dis        - Disable virtual server

SSL Configuration Server-specific Menu Options

Command Syntax and Usage

name <string>
Enter the name of the server.

vips <IP_address>
Enter the virtual IP address for the server.

standalone on|off
Set the standalone mode.

port <integer>
Set the listen port for the server.

rip <IP_address>
Set the actual server IP address.

rport <integer>
Set the actual server port number.

type <generic/http/socks>
Set the port type.

proxy on|off
Set the proxy mode.

trace
Go to the Trace menu. To view menu options, see "/ssl/cfg/ssl/server/trace SSL Configuration Server-specific Trace Menu" (page 495).

ssl
Go to the SSL Settings menu. To view menu options, see "/ssl/cfg/ssl/server/ssl SSL Configuration Server-specific SSL Menu" (page 495).

tcp
Go to the TCP endpoints menu. To view menu options, see "/ssl/cfg/ssl/server/tcp SSL Configuration Server-specific TCP Menu" (page 497).

adv
Go to the Advanced settings menu. To view menu options, see "/ssl/cfg/ssl/server/adv SSL Configuration Server-specific Advanced Menu" (page 498).

del
Remove the virtual server.

ena enabled|disabled
Enable the virtual server.

dis enabled|disabled
Disable the virtual server.

/ssl/cfg/ssl/server/trace SSL Configuration Server-specific Trace Menu

[Trace Menu]
    ssldump    - Create traffic dump
    tcpdump    - Create traffic dump
    ping       - Ping through backend interface
    dnslookup  - Lookup a name in DNS through backend interface
    traceroute - traceroute through backend interface

SSL Configuration Server-specific Trace Menu Options

Command Syntax and Usage

ssldump
Create a traffic dump. Information on creating dump patterns can be found at http://www.tcpdump.org/tcpdump_man.html.

tcpdump
Create a traffic dump. Information on creating dump patterns can be found at http://www.tcpdump.org/tcpdump_man.html.

ping <hostname>
Use this command to verify station-to-station connectivity across the network.

dnslookup <hostname>
Lookup a hostname in DNS.

traceroute <hostname>
Use this command to identify the route used for station-to-station connectivity across the network.

/ssl/cfg/ssl/server/ssl SSL Configuration Server-specific SSL Menu

SSL Configuration Server-specific SSL Menu Options

Command Syntax and Usage

cert unset|set
Create a server certificate.

cachesize <integer>
Set the SSL cache size.

cachettl <integer>
Set the SSL cache timeout (in seconds).

cacerts <integerlist>
Set the list of authorized signers of client certificates. Separate the signer list using commas.

cachain <integerlist>
Set the list of CA chain certificates. Separate the list using commas.

protocol <issl2/ssl3/ssl23/tls1>
Set the protocol version.

verify <none|optional|require>
Set the verification level of the certificate.

ciphers
Set the cipher list. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms). Each cipher string can be optionally preceded by the characters !, - or +. ! permanently deletes the ciphers from the list (e.g. !RSA). - deletes the ciphers from the list, but the ciphers can be added again by later options. + moves the ciphers to the end of the list. This option doesn't add any new ciphers; it just moves matching existing ones. Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.

ena <yes|no>
Enable SSL.

dis <yes|no>
Disable SSL.

/ssl/cfg/ssl/server/tcp SSL Configuration Server-specific TCP Menu

[TCP Settings Menu]
    cwrite   - Set client TCP write timeout
    ckeep    - Set client TCP keep alive timeout
    swrite   - Set server TCP write timeout
    sconnect - Set server TCP connect timeout
    csendbuf - Set client TCP send buffer size
    crecbuf  - Set client TCP receive buffer size
    ssendbuf - Set server TCP send buffer size
    srecbuf  - Set server TCP receive buffer size

SSL Configuration Server-specific TCP Menu Options

Command Syntax and Usage

cwrite <integer>
Set the client TCP write timeout (in seconds, 1-2147483647).

ckeep <integer>
Set the client TCP keep alive timeout (in seconds, 1-2147483647).

swrite <integer>
Set the server TCP write timeout (in seconds, 1-2147483647).

sconnect <integer>
Set the server TCP connect timeout (in seconds, 1-2147483647).

csendbuf auto| <2000 to 100000>
Set the client TCP send buffer size (in bytes).

crecbuf auto| <2000 to 100000>
Set the client TCP receive buffer size (in bytes).

ssendbuf <generic/http/socks>
Set the server TCP send buffer size (in bytes).

srecbuf on|off
Set the server TCP receive buffer size (in bytes).

/ssl/cfg/ssl/server/adv SSL Configuration Server-specific Advanced Menu

[Advanced Settings Menu]
    string     - String menu
    blockstrin - Set strings to block
    loadbalanc - Load balancing menu
    sslconnect - SSL connect menu

SSL Configuration Server-specific Menu Options

Command Syntax and Usage

string
Go to the String menu. To view the menu options, see "/ssl/cfg/ssl/server/adv/string SSL Configuration Server Advanced String Menu" (page 498).

blockstrin <string>
Set the strings to block, separated by commas.

loadbalanc
Go to the Load Balancing menu. To view the menu options, see "/ssl/cfg/ssl/server/adv/loadbalanc SSL Configuration Server Advanced Load Balancing Menu" (page 500).

sslconnect
Go to the SSL Connect menu. To view the menu options, see "/ssl/cfg/ssl/server/adv/loadbalanc/cookie SSL Configuration Server Advanced Load Balancing Cookie Men" (page 501).

/ssl/cfg/ssl/server/adv/string SSL Configuration Server Advanced String Menu

[LB String 1 Menu]
    match    - Set string to match
    location - Set locations to perform the match in
    icase    - Set ignore case in to match
    negate   - Set negate the result of the match
    del      - Remove string

SSL Configuration Server-specific Menu Options

Command Syntax and Usage

match <string> |*
Enter the string to match. For example:
    SSL >> LB String 1# match
    Current value: not set
    Enter match string (may contain *):

location <locationlist>
Set the match string locations, separated by commas. Possible values are:
Macros: url, unknown, other, header
Methods: options, get, head, post, put, delete, trace, connect
Special: query, params, cookie-override
Headers: accept, accept-charset, accept-encoding, accept-language, accept-ranges, age, allow, authorization, cache-control, connection, content-base, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, cookie2, date, etag, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, keep-alive, last-modified, location, max-forwards, pragma, proxy-authenticate, proxy-authorization, proxy-connection, public, range, referer, retry-after, server, set-cookie, transfer-encoding, upgrade, user-agent, vary, via, warning, www-authenticate, x-forwarded-for, x-ssl

icase on|off
Set the string match as case respective yes (on) or no (off).

negate on|off
Set a negative match scheme. The current strings are excluded (on) or included (off).

del string <string_number>
Delete the string.

/ssl/cfg/ssl/server/adv/loadbalanc SSL Configuration Server Advanced Load Balancing Menu


[Load Balancing Settings Menu]
    type       - Set load balancing type
    persistenc - Set persistence strategy
    cookie     - Cookie settings menu
    metric     - Set load balancing metric
    health     - Set health check type
    script     - Health check script menu
    interval   - Set health check interval (s)
    remotessl  - Remote SSL connect menu
    backend    - Backend servers menu
    ena        - Enable load balancing
    dis        - Disable load balancing

SSL Configuration Server Advanced Load Balancing Menu Options

Command Syntax and Usage

type all| <string>
Set the load balancing type.

persistenc none|cookie|session
Set the persistence strategy.

cookie
Go to the Cookie settings menu. To view the menu options, see "/ssl/cfg/ssl/server/adv/loadbalanc/cookie SSL Configuration Server Advanced Load Balancing Cookie Men" (page 501). Note that this menu is accessible only when persistenc is set to "cookie".

metric hash|roundrobin|leastconn
Set the load balancing metric.

health none|tcp|ssl|auto|script
Set the health check type.

script
Go to the health check script menu. To view the menu options, see "/ssl/cfg/ssl/server/adv/loadbalanc/script SSL Configuration Server Advanced Load Balancing Health Scr" (page 502).

interval <integer>
Set the health check interval.

remotessl
Go to the Remote SSL connection menu. To view the menu options, see "/ssl/cfg/ssl/server/adv/loadbalanc/remotessl SSL Configuration Server Advanced Load Balancing Remote " (page 503).

backend
Go to the Backend Servers menu. To view the menu options, see "/ssl/cfg/ssl/server/adv/loadbalanc/backend SSL Configuration Server Advanced Load Balancing Backend S" (page 505).

ena enable|disable
Enable load balancing.

dis enable|disable
Disable load balancing.

/ssl/cfg/ssl/server/adv/loadbalanc/cookie SSL Configuration Server Advanced Load Balancing Cookie Menu


[Cookie Settings Menu]
    mode       - Set cookie mode
    name       - Set cookie name
    domain     - Set cookie domain
    expires    - Set cookie expires
    expiresdel - Set cookie expires delta
    localvips  - Configure other local VIPs
    offset     - Set cookie value offset
    length     - Set cookie value length

SSL Configuration Server Advanced Load Balancing Cookie Menu Options

Command Syntax and Usage

mode insert | passive | rewrite
Sets the cookie load balancing mode.

name <cookie_name>
Sets the cookie name.

domain <domain_name>
Sets the cookie domain name.

expires <date_time>
Sets the cookie expiration date and time.

expiresdel <0(session)-2147483647>
Sets the cookie expiration delta value.

localvips
Opens the Local VIPs menu. For more information on this menu refer to "/ssl/cfg/ssl/server/adv/loadbalanc/cookie/localvips Local VIP Configuration Menu" (page 502).

offset <1-64>
Sets the cookie value offset.

length <0-64>
Sets the cookie length.

/ssl/cfg/ssl/server/adv/loadbalanc/cookie/localvips Local VIP Configuration Menu

[Local VIPs Menu]
    list   - List all values
    del    - Delete a value by number
    add    - Add a new value
    insert - Insert a new value
    move   - Move a value by number

Local VIP Configuration Menu

Command Syntax and Usage

list
Lists all configured values.

del <entry_index>
Deletes the entry indicated by the index value.

add <ip_address>
Adds an entry by IP address.

insert entry_index, ip_address
Adds an entry at a specific point by index and IP address.

move <source_index, destination_index>
Moves an entry from the source index to the destination index.

/ssl/cfg/ssl/server/adv/loadbalanc/script SSL Configuration Server Advanced Load Balancing Health Script Menu

[Health Check Script Menu]
    list   - List all values
    del    - Delete a value by number
    add    - Add a new value
    insert - Insert a new value
    move   - Move a value by number

SSL Configuration Server Advanced Load Balancing Health Script Menu Options

Command Syntax and Usage

list
Display all values.

del <index>
Delete a specific value.

add <command timeout argument>
Add a new health script.

insert <position command timeout argument>
Insert a new value.

move <value> <value>
Exchange one value for another.

/ssl/cfg/ssl/server/adv/loadbalanc/remotessl SSL Configuration Server Advanced Load Balancing Remote SSL Menu

[Remote SSL Connect Settings Menu]
    protocol - Set protocol version
    cert     - Set client certificate
    ciphers  - Set accepted ciphers for ssl connect
    verify   - Verify server menu

SSL Configuration Server Advanced Load Balancing Remote SSL Menu Options

Command Syntax and Usage

protocol aissl2|ssl3|ssl23|tls1
Set the protocol version.

cert <integer, 1 to 1500>
Set the certificate number.

ciphers <string>
Set the accepted ciphers for SSL connection. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms). Each cipher string can be optionally preceded by the characters !, - or +. ! permanently deletes the ciphers from the list (e.g. !RSA). - deletes the ciphers from the list, but the ciphers can be added again by later options. + moves the ciphers to the end of the list. This option doesn't add any new ciphers; it just moves matching existing ones. Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.

verify
Go to the Verify Server menu. To view the menu options, see "/ssl/cfg/ssl/server/adv/loadbalanc/remotessl/verify SSL Configuration Server Advanced Load Balancing " (page 504).
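The operator rules given for the ciphers command here and in /ssl/cfg/ssl/server/ssl can be modelled as follows. This is an added example, not Nortel code and not taken from this reference: the suite catalogue, its tags and its key lengths are constructed for illustration, and expand() and audit() are hypothetical helper names. audit() lists the suites a cipher list would still leave enabled below a chosen key length or without authentication.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    bits: int          # symmetric key length, used by @STRENGTH
    tags: frozenset    # keywords this suite answers to


def _suite(name, bits, *tags):
    return Suite(name, bits, frozenset(tags) | {"ALL"})


# Constructed catalogue (assumption): not the switch's real suite table.
CATALOGUE = [
    _suite("DHE-RSA-AES256-SHA", 256, "SSLv3", "DH", "RSA", "AES", "SHA1"),
    _suite("AES128-SHA", 128, "SSLv3", "RSA", "AES", "SHA1"),
    _suite("DES-CBC3-SHA", 168, "SSLv3", "RSA", "3DES", "SHA1"),
    _suite("RC4-MD5", 128, "SSLv3", "RSA", "RC4", "MD5"),
    _suite("DES-CBC-SHA", 56, "SSLv3", "RSA", "DES", "SHA1"),
    _suite("EXP-RC4-MD5", 40, "SSLv3", "RSA", "RC4", "MD5", "EXPORT"),
    _suite("ADH-AES128-SHA", 128, "SSLv3", "DH", "aNULL", "AES", "SHA1"),
]


def _resolve(cipher_list, catalogue=CATALOGUE):
    """Apply each colon-separated cipher string in order; return Suite objects."""
    active = []       # current preference order
    killed = set()    # names removed with "!", which can never come back
    for item in cipher_list.split(":"):
        item = item.strip()
        if not item:
            continue
        if item == "@STRENGTH":
            # Stable sort: suites with equal key length keep their order.
            active.sort(key=lambda s: -s.bits)
            continue
        op = item[0] if item[0] in "!-+" else ""
        body = item[len(op):]
        wanted = set(body.split("+"))      # "SHA1+DES" means SHA1 AND DES
        matches = {s.name for s in catalogue
                   if wanted <= s.tags or body == s.name}
        if op == "!":                      # permanent delete
            killed |= matches
            active = [s for s in active if s.name not in matches]
        elif op == "-":                    # delete, may be re-added later
            active = [s for s in active if s.name not in matches]
        elif op == "+":                    # move existing matches to the end
            moved = [s for s in active if s.name in matches]
            active = [s for s in active if s.name not in matches] + moved
        else:                              # plain string: append new matches
            present = {s.name for s in active}
            active += [s for s in catalogue
                       if s.name in matches
                       and s.name not in present
                       and s.name not in killed]
    return active


def expand(cipher_list, catalogue=CATALOGUE):
    """Suite names, in preference order, that a cipher list resolves to."""
    return [s.name for s in _resolve(cipher_list, catalogue)]


def audit(cipher_list, min_bits=128, catalogue=CATALOGUE):
    """Suites still enabled that are below min_bits or unauthenticated."""
    return [s.name for s in _resolve(cipher_list, catalogue)
            if s.bits < min_bits or "aNULL" in s.tags]


if __name__ == "__main__":
    for cl in ("SHA1+DES", "ALL:!RSA:RSA", "ALL:-RSA:RSA", "AES:+DH",
               "ALL:!aNULL:!EXPORT:@STRENGTH"):
        print(f"{cl:32} -> {expand(cl)}")
        print(f"{'':32}    weak: {audit(cl)}")
```
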

/ssl/cfg/ssl/server/adv/loadbalanc/remotessl/verify SSL Configuration Server Advanced Load Balancing Remote SSL Verification Menu

[Remote SSL Connect Verify Settings Menu]
    verify     - Set certificate verification level
    commonname - Set server common name
    cacerts    - Set list of accepted signers of server's certificate

SSL Configuration Server Advanced Load Balancing Remote SSL Verification Menu Options

Command Syntax and Usage

verify none|require
Set the certificate verification level.

commonname <name>
Set the server common name. For example:
    SSL >> Remote SSL Connect Verify Settings# commonname
    Current value: [old_server_name]
    Give common name of server: new_server_name

cacerts <integer_list>
Enter the certificate numbers, separated by commas.

/ssl/cfg/ssl/server/adv/loadbalanc/backend SSL Configuration Server Advanced Load Balancing Backend Server Menu

[Backend Server 1 Menu]
    ip         - Set IP addr of backend server
    port       - Set backend server port
    sslconnect - Set perform SSL connect if enabled for server
    remote     - Set server is remote
    rname      - Set host name of remote server
    remotessl  - Set remote site is ssl
    lbstrings  - Set load balancing strings
    lbop       - Set string load balancing operation
    del        - Remove backend server
    ena        - Enable backend server
    dis        - Disable backend server

SSL Configuration Server Advanced Load Balancing Backend Server Menu Options

Command Syntax and Usage

ip <IP_address>
Set the IP address of the backend server.

port <port_number>
Set the backend server port number.

sslconnect <on|off>
Set the SSL connection option.

remote <true|false>
Set the server as remote, as required.

rname <hostname>
Set hostname of the remote server.

remotessl true|false
Set the remote site as SSL.

lbstrings <integers>
Set the load balance strings, separated by a comma.

lbop <any|all|one|none>
Set the string load balancing operation.

del
Remove the backend server.

ena enable|disable
Enable the backend server.

dis enable|disable
Disable the backend server.

/ssl/cfg/cert SSL Configuration Certificate Menu


[Certificate 1 Menu] name - Set certificate name cert - Set certificate key - Set private key revoke - Revocation menu genkey - Generate private key gensigned - Generate signed client/server certificate request - Generate certificate request sign - Sign a certificate request test - Generate test certificate and key import - Import key and certificate with TFTP/FTP/SCP/SFTP export - Export certificate and key with TFTP/FTP/SCP/SFTP display - Display certificate and key show - Show certificate information info - Show certificate short information subject - Show certificate subject information validate - Check if key and certificate match keysize - Show key size keyinfo - Show how key is stored del - Remove certificate SSL Conguration Certicate Menu Options Command Syntax and Usage name <string> Enter the name of the certificate. cert <pasted_certificate_content> Paste the content of a copied certificate. For example: Paste the certificate, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. key <pasted_key_content>


    Paste the copied key. For example: Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

revoke
    Go to the Revoke menu. To view the menu options, see "/ssl/cfg/cert/revoke SSL Configuration Revoke Certificate Menu" (page 511).

genkey 512|1024|2048|4096
    Generate a private key.

gensigned <key certificate_number>
    Generate a certificate.

request
    Generate a certificate request.

        SSL >> Certificate 1# request
        The combined length of the following parameters may not exceed 225 bytes.
        Country Name (2 letter code): CA
        State or Province Name (full name): Ontario
        Locality Name (eg, city): Ottawa
        Organization Name (eg, company): NoTel
        Organizational Unit Name (eg, section): Maint
        Common Name (eg, your name or your servers hostname): NoTel-12
        Email Address: maint@notel.ca
        Key size (512/1024/2048/4096) [1024]: 1024
        Request a CA certificate (y/n) [n]: y
        Specify challenge password (y/n) [n]: n
        -----BEGIN CERTIFICATE REQUEST-----

        -----END CERTIFICATE REQUEST-----
        Use apply to store the private key in the iSD until the signed certificate is entered.
        The private key will be lost unless you apply or save it elsewhere using export.

sign <key certificate_number>
    Sign a certificate.

test
    Create a test certificate and key. For example:

        SSL >> Certificate 1# test
        The combined length of the following parameters may not exceed 225 bytes.
        Country Name (2 letter code): CA
        State or Province Name (full name): Ontario
        Locality Name (eg, city): Ottawa
        Organization Name (eg, company): NoTel
        Organizational Unit Name (eg, section): Maint
        Common Name (eg, your name or your servers hostname): NoTel-12
        Email Address: maint@notel.ca
        Valid for days [365]: 200
        Key size (512/1024/2048/4096) [1024]: 1024
        Test key and certificate added. Use apply to activate.

import <proto server certfile>
    Import a remote certificate and key. For example:

        SSL >> Certificate 1# import
        Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp
        Enter hostname or IP address of server: NoTel-10
        Enter filename on server: key_certificate2389
        Retrieving key_certificate2389 from NoTel-10
        Error: Host not found, FTP server not found, or connection rejected.

export <proto server certfile>


    Export a key and certificate to a remote host. For example:

        SSL >> Certificate 1# export
        Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp
        Enter hostname or IP address of server: NoTel-10
        Enter export format (pem/der/net/pkcs12): pem
        Enter export pass phrase: hidden_text
        Reconfirm export pass phrase: hidden_text
        Enter name of combined key and certificate file on remote host: key_cert_from_NoTel-12
        Error: Host not found, FTP server not found, or connection rejected.

display
    Display a certificate and key. For example:

        -----BEGIN CERTIFICATE-----
        MIID3jCCA0egAwIBAgIBADANBgkqhkiG9w0BAQQFADCBgjELMAkGA1UEBhMCQ0Ex
        EDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTEOMAwGA1UEChMFTm9U
        .
        .

show
    Show certificate information.

info
    Show short-form certificate information. For example:

        SSL >> Certificate 1# display
        Encrypt private key (yes/no) [yes]: yes
        Enter export pass phrase: hidden_text
        Reconfirm export pass phrase: hidden_text
        Proc-Type: 4,ENCRYPTED
        DEK-Info: DES-EDE3-CBC,8E1E1EB54398437B
        .
        .


        .
        -----END RSA PRIVATE KEY-----

        SSL >> Certificate 1# info
        Serial number: 0 (0x0)
        Expire: Jan 19 14:49:18 2006 GMT
        Certificate subject:
        C=CA ST=Ontario L=Ottawa O=NoTel OU=Maint CN=NoTel-12/emailAddress=maint@notel.ca

subject
    Show certificate subject information. For example:

        SSL >> Certificate 1# subject
        Certificate subject:
        C/countryName (2.5.4.6) = CA
        ST/stateOrProvinceName (2.5.4.8) = Ontario
        L/localityName (2.5.4.7) = Ottawa
        O/organizationName (2.5.4.10) = NoTel
        OU/organizationalUnitName (2.5.4.11) = Maint
        CN/commonName (2.5.4.3) = NoTel-12
        emailAddress/emailAddress (1.2.840.113549.1.9.1) = maint@notel.ca

validate <matched_key> <matched_certificate>
    Check if certificate and key are matched.

keysize
    Display key size (in bytes).

keyinfo
    Displays how the key is stored.


del
    Delete the certificate and key. For example:

        SSL >> Certificate 1# del
        Certificate 1 will be deleted when changes are applied.

/ssl/cfg/cert/revoke
SSL Configuration Revoke Certificate Menu


[Revocation Menu]
    add       - Add decimal serial number to revocation list
    addx      - Add hex serial number to revocation list
    del       - Cancel revocation for a serial number
    list      - List revoked certificates
    rev       - Enter revocation list
    import    - Import revocation list with TFTP/FTP/SCP/SFTP
    automatic - Automatic CRL retrieval menu

SSL Configuration Revoke Certificate Menu Options

Command Syntax and Usage

add <integer>
    Add a decimal serial number to the revocation list.

addx <hexadecimal_number>
    Add a hexadecimal number to the revocation list.

del <serial_number>
    Cancel the revocation of a serial number.

list
    List the revoked certificates.

rev
    Paste a revocation list into another revocation list.

import <proto server file>
    Import a remote revocation list.

automatic
    Go to the automatic retrieval menu.
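
The info output of the Certificate menu and the add/addx serial entries of the Revocation menu can be cross-checked offline. The following Python code is an added example, not part of the Nortel manual or the switch software: it parses a captured info output and reports whether the certificate is expired, close to expiry, or listed as revoked. The one-field-per-line layout of the capture, the function names, the acceptance of a 0x prefix for addx values, and the 30-day warning threshold are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed capture of the info command, using the values printed in the
# manual's example. One field per line is an assumption about the layout.
SAMPLE_INFO = """\
SSL >> Certificate 1# info
Serial number: 0 (0x0)
Expire: Jan 19 14:49:18 2006 GMT
Certificate subject:
C=CA ST=Ontario L=Ottawa O=NoTel OU=Maint CN=NoTel-12/emailAddress=maint@notel.ca
"""

SERIAL_RE = re.compile(r"^Serial number:\s*(\d+)\s*\(0x([0-9A-Fa-f]+)\)\s*$", re.M)
EXPIRE_RE = re.compile(r"^Expire:\s*(.+?)\s+GMT\s*$", re.M)
# One "KEY=value" pair; a value ends where the next "KEY=" starts or the text ends.
RDN_RE = re.compile(r"([A-Za-z]+)=(.*?)(?=[\s/]+[A-Za-z]+=|\s*\Z)", re.S)


def parse_info(text):
    """Return serial, expiry (UTC) and subject fields from an info capture."""
    serial = SERIAL_RE.search(text)
    expire = EXPIRE_RE.search(text)
    if not serial or not expire:
        raise ValueError("not an info capture: serial or expiry line missing")
    dec, hexa = int(serial.group(1)), int(serial.group(2), 16)
    if dec != hexa:
        # The switch prints the same serial twice; disagreement means the
        # capture was truncated or edited.
        raise ValueError(f"serial mismatch: {dec} vs 0x{hexa:x}")
    not_after = datetime.strptime(expire.group(1), "%b %d %H:%M:%S %Y")
    not_after = not_after.replace(tzinfo=timezone.utc)
    _, _, subject_text = text.partition("Certificate subject:")
    return {
        "serial": dec,
        "not_after": not_after,
        "subject": dict(RDN_RE.findall(subject_text)),
    }


def revoked_serials(entries):
    """Normalise (command, value) pairs: add takes decimal, addx takes hex."""
    bases = {"add": 10, "addx": 16}
    return {int(value, bases[command]) for command, value in entries}


def audit(info_text, revoked, now, warn_days=30):
    """Return the parsed certificate and a list of findings."""
    cert = parse_info(info_text)
    findings = []
    remaining = cert["not_after"] - now
    if remaining.total_seconds() <= 0:
        findings.append("expired")
    elif remaining.days < warn_days:
        findings.append("expiring")
    if cert["serial"] in revoked:
        findings.append("revoked")
    return cert, findings


if __name__ == "__main__":
    revoked = revoked_serials([("add", "12"), ("addx", "0")])
    cert, findings = audit(SAMPLE_INFO, revoked, datetime.now(timezone.utc))
    print(cert["subject"].get("CN"), hex(cert["serial"]), findings)
```
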

/ssl/cfg/cert/revoke/automatic


SSL Configuration Revoke Certificate Automatic Menu


[Automatic CRL Menu]
    url      - Set URL to retrieve CRL from
    authDN   - Set LDAP DN used for bind/authentication
    passwd   - Set password to use when to authenticate
    interval - Set refresh interval
    cacerts  - Set list of accepted signers of CRLs
    ena      - Enable automatic retrieval
    dis      - Disable automatic retrieval

SSL Configuration Revoke Certificate Automatic Menu Options

Command Syntax and Usage

url <URL>
    Set the URL value to retrieve the CRL.

authDN <LDAP-Distinguished-Name>
    Set the LDAP DN to be used for bind and authentication.

passwd <string>
    Set the authentication password.

interval <time>
    Set the refresh interval.

cacerts <certificate_numbers>
    Create a list of accepted signers of CRLs. Separate the list elements by commas.

ena <enabled|disabled>
    Enable automatic retrieval.

dis <enabled|disabled>
    Disable automatic retrieval.

/ssl/cfg/vpn


SSL VPN Configuration Menu


[VPN 1 Menu]
    ips        - Set IP addr(s) of the VPN
    standalone - Set standalone mode (no switch)
    aaa        - AAA menu
    server     - SSL server menu
    ipsec      - IPsec server menu
    ippool     - IP address pool menu
    portal     - Portal look and feel menu
    linkset    - Portal linkset menu
    sslclient  - SSL VPN client menu
    adv        - Advanced settings menu
    del        - Remove VPN

SSL VPN Configuration Menu Options

Command Syntax and Usage

ips <IP_address>
    Set the IP address of the VPN.

standalone on|off
    Set the standalone mode.

aaa
    Go to the AAA menu. To view the menu options, see "/ssl/cfg/vpn SSL VPN Configuration Menu" (page 512).

server
    Go to the SSL server menu. To view the menu options, see "/ssl/cfg/vpn/aaa/auth SSL VPN Configuration Authentication Menu" (page 517).

ipsec
    Go to the IPsec server menu. To view the menu options, see "/ssl/cfg/vpn/server/trace SSL VPN Configuration Server Traffic Trace Menu" (page 537).

ippool
    Go to the IP POOL menu. To view the menu options, see "/ssl/cfg/vpn/ipsec/ikeprof/enc SSL VPN Configuration IPsec Server IKE Profile Encryption Menu" (page 549).

portal
    Go to the Portal look and feel menu. To view the menu options, see "/ssl/cfg/vpn/portal SSL VPN Configuration Portal Menu" (page 553).

linkset
    Go to the Portal linkset menu. To view the menu options, see "/ssl/cfg/vpn/portal/colors SSL VPN Configuration Portal Colors Menu" (page 555).

sslclient
    Go to the SSL VPN client menu. To view the menu options, see "/ssl/cfg/vpn/linkset/link SSL VPN Configuration Linkset Link Menu" (page 559).

adv
    Go to the Advanced Settings menu. To view the menu options, see "/ssl/cfg/vpn/adv SSL VPN Configuration Advanced Menu" (page 561).

del
    Remove the VPN.

/ssl/cfg/vpn/aaa
SSL VPN Configuration Menu


[AAA Menu]
    quick      - AAA setup wizard
    tg         - TunnelGuard menu
    ttl        - Set login session TTL
    auth       - Authentication menu
    authorder  - Set authentication server fallback order
    network    - Network access menu
    service    - Service access menu
    appspec    - Application specific menu
    filter     - Client filter menu
    group      - Group menu
    defgroup   - Set default group
    ssodomains - Single-Sign on enabled domains menu
    ssoheaders - Single-Sign on headers menu
    radacct    - RADIUS accounting menu

SSL VPN Configuration AAA Menu Options

Command Syntax and Usage

quick <IP_address>
    AAA setup wizard.

tg
    Go to the TunnelGuard menu. To view the menu options, see "/ssl/cfg/vpn/aaa/tg SSL VPN Configuration TunnelGuard Menu" (page 516).

ttl <TTL for idle sessions (max 31d, min 2m)>
    Set the login session TTL.

auth
    Go to the Authentication menu. To view the menu options, see "/ssl/cfg/vpn/aaa/auth SSL VPN Configuration Authentication Menu" (page 517).

authorder <list_of_servers>
    Set the authentication server fallback order. Use a comma to separate entries.

network
    Go to the Network Access menu. To view the menu options, see "/ssl/cfg/vpn/aaa/network SSL VPN Configuration Network Menu" (page 521).

service
    Go to the Service Access menu. To view the menu options, see "/ssl/cfg/vpn/aaa/service SSL VPN Configuration Service Menu" (page 523).

appspec
    Go to the Application Specific menu. To view the menu options, see "/ssl/cfg/vpn/aaa/appspec SSL VPN Configuration Application specific Menu" (page 524).

filter
    Go to the Client Filter menu. To view the menu options, see "/ssl/cfg/vpn/aaa/filter SSL VPN Configuration AAA Filter Menu" (page 526).

group
    Go to the Group menu. To view the menu options, see "/ssl/cfg/vpn/aaa/group SSL VPN Configuration AAA Group Menu" (page 528).

defgroup <name_of_group>
    Set the default group.

ssodomains
    Go to the Single sign-on enabled domains menu. To view the menu options, see "/ssl/cfg/vpn/aaa/ssodomains SSL VPN Configuration AAA Single-sign on Enabled Domains Menu" (page 533).

ssoheaders
    Go to the Single Sign-on Headers menu. To view the menu options, see "/ssl/cfg/vpn/aaa/ssoheaders SSL VPN Configuration AAA Single-sign on Headers Menu" (page 534).


radacct
    Go to the Radius Accounting menu. To view the menu options, see "/ssl/cfg/vpn/aaa/radacct SSL VPN Configuration AAA Radius Accounting Menu" (page 535).

/ssl/cfg/vpn/aaa/tg
SSL VPN Configuration TunnelGuard Menu


[TG Menu]
    ena      - Enable TunnelGuard
    dis      - Disable TunnelGuard
    quick    - Quick TunnelGuard setup wizard
    recheck  - Set recheck interval
    action   - Set fail action
    retry    - Set UDP retry interval
    list     - List SRS rules
    loglevel - Set TunnelGuard applet loglevel

SSL VPN Configuration AAA TunnelGuard Menu Options

Command Syntax and Usage

ena enable|disable
    Enable TunnelGuard.

dis enable|disable
    Disable TunnelGuard.

quick <TTL for idle sessions (max 31d, min 2m)>
    Use the Quick TunnelGuard setup wizard. For example:

        SSL >> TG# quick
        In the event that the TunnelGuard checks fails on a client, the
        session can be teardown, or left in restricted mode with limited
        access.
        Which action do you want to use for TunnelGuard failure? (teardown/restricted) [restricted]: restricted
        Do you want to create a tunnelguard test user? (yes/no) [yes]: yes
        Enabling TunnelGuard
        Creating Linkset 1
        Name: tg_passed
        This Linkset just prints the TG result
        Creating Linkset 2
        Name: tg_failed
        This Linkset just prints the TG result
        Adding test SRS rule srs-rule-test
        This rule check for the presence of the file C:\tunnelguard\tg.txt
        Creating Group 1
        Name: tunnelguard
        Creating Extended Profile 1
        Giving full access when tg passed
        Creating Access rule 1
        Creating Extended Profile 2
        Giving no access when tg failed
        Using SRS rule: srs-rule-test
        Creating Authentication 1
        Adding user tg with password tg
        Use diff to view pending changes, and apply to commit

recheck <seconds>
    Set the recheck interval.

action teardown|restricted
    Set the Fail action.

retry <seconds, 1-65535>
    Set the UDP retry interval.

list
    List the SRS rules.

loglevel <string>
    Set the TunnelGuard applet log level.

/ssl/cfg/vpn/aaa/auth
SSL VPN Configuration Authentication Menu


To enter the /ssl/cfg/vpn/aaa/auth menu level, you are prompted to create an authentication if one does not already exist.
Creating Authentication 1
Select one of radius, ldap, ntlm, siteminder, cert, rsa or local: radius
Auth name: Authentication_1
Entering: RADIUS settings menu
Entering: RADIUS servers menu
IP Address to add: 0.0.0.0
Port (default is 1812): 1812
Enter shared secret: shared
Leaving: RADIUS servers menu
Enter vendor id [alteon]: alteon
Enter vendor type [1]: 1
Leaving: RADIUS settings menu
------------------------------------------------------------
[Authentication 1 Menu]
    type    - Set authentication mechanism
    name    - Set auth name
    display - Set auth display name
    domain  - Set windows domain for backend single sign-on
    radius  - RADIUS settings menu
    adv     - Advanced settings menu
    del     - Remove Authentication

SSL VPN Configuration AAA Authentication Menu Options

Command Syntax and Usage

type radius|ldap|ntlm|siteminder|cert|rsa|local
    Set the authentication scheme.

name <string>
    Set the authentication name. The default is local.

display <string>
    Set the authentication display name.

domain <string>
    Set the current windows domain for backend single sign-on.

radius <list_of_servers>
    Go to the Radius menu. The menu is available only if the type is Radius (# type radius). To view the menu options, see "/ssl/cfg/vpn/aaa/auth/radius SSL VPN Configuration Authentication Radius Menu" (page 518).

adv
    Go to the Advanced menu. To view the menu options, see "/ssl/cfg/vpn/aaa/auth/adv SSL VPN Configuration Authentication Advanced Menu" (page 521).

del
    Remove the authentication.

/ssl/cfg/vpn/aaa/auth/radius
SSL VPN Configuration Authentication Radius Menu


To enter the /ssl/cfg/vpn/aaa/auth/radius menu level, the authentication type must be set to radius. For example, /ssl/vpn/aaa/auth/type radius.


[RADIUS Menu]
    servers    - RADIUS servers menu
    vendorid   - Set vendor id for group attribute
    vendortype - Set vendor type for group attribute
    timeout    - Set RADIUS server timeout
    sessiontim - Session Timeout menu
    macro      - User-defined Macro menu

SSL VPN Configuration AAA Authentication Radius Menu Options

Command Syntax and Usage

servers
    Go to the Radius servers menu. To view the menu options, see "/ssl/cfg/vpn/aaa/auth/radius/servers SSL VPN Configuration Authentication Radius Servers Menu" (page 519).

vendorid <string>
    Set the switch vendor ID.

vendortype vendortype
    Set the vendor type.

timeout <integer, 1 to 1000 seconds>
    Set the Radius server timeout.

sessiontim
    Go to the Sessiontim menu. To view the menu options, see "/ssl/cfg/vpn/aaa/auth/radius/sessiontm SSL VPN Configuration Authentication Radius Session Timeout Me" (page 520).

macro
    Go to the Macro menu. To view the menu options, see "/ssl/cfg/vpn/aaa/auth/radius/macro SSL VPN Configuration Authentication Radius Macro Menu" (page 520).

/ssl/cfg/vpn/aaa/auth/radius/servers
SSL VPN Configuration Authentication Radius Servers Menu


[RADIUS Servers Menu]
    list   - List all values
    del    - Delete a value by number
    add    - Add a new value
    insert - Insert a new value
    move   - Move a value by number

SSL VPN Configuration AAA Authentication Radius Menu Options

Command Syntax and Usage

list
    List all values (servers).

del <index_number>
    Delete a server value by name.

add <ip port, default=1812> <secret>
    Add a new value (server).

insert <position ip> <port> <secret>
    Insert a value into the list.

move <value> <value>
    Move a value position in the list.

/ssl/cfg/vpn/aaa/auth/radius/sessiontm
SSL VPN Configuration Authentication Radius Session Timeout Menu


[SessionTimeout Menu]
    vendorid   - Set vendor id for session timeout attribute
    vendortype - Set vendor type for session timeout attribute
    ena        - Enable Session-Timeout
    dis        - Disable Session-Timeout

SSL VPN Configuration AAA Authentication Radius Session Timeout Menu Options

Command Syntax and Usage

vendorid <vendorid>
    Set the vendor ID number.

vendortype <value>
    Set the Vendor Type number.

ena <enable|disable>
    Enable session timeout.

dis <enable|disable>
    Disable session timeout.

/ssl/cfg/vpn/aaa/auth/radius/macro


SSL VPN Configuration Authentication Radius Macro Menu


[Macro Menu]
    list   - List all values
    del    - Delete a value by number
    add    - Add a new value
    insert - Insert a new value
    move   - Move a value by number

SSL VPN Configuration AAA Authentication Radius Macro Menu Options

Command Syntax and Usage

list
    List all values.

del <value>
    Delete a value using its number.

add <vendorid> <vendortype> <attribute_type (IP, string integer )>
    Add a value.

insert <index_position> <vendorid> <vendortype> <attribute_type_string>
    Insert a value.

move <value> <value>
    Move a value's position in the list.

/ssl/cfg/vpn/aaa/auth/adv
SSL VPN Configuration Authentication Advanced Menu


[Advanced Menu]
    groupauth  - Set Authentication server list of group information
    secondauth - Set Secondary authentication server

SSL VPN Configuration AAA Authentication Advanced Menu Options

Command Syntax and Usage

groupauth <hostnames>
    Set the list of authentication servers. Separate values using a comma.

secondauth <hostname>
    Set the secondary authentication server.

/ssl/cfg/vpn/aaa/network


SSL VPN Configuration Network Menu


To enter the /ssl/cfg/vpn/aaa/network menu level, you are prompted to create a network if one does not already exist.
SSL >> AAA# network
Enter network number or name: (1-1023) 1
Creating Network 1
Network name: Network_1
------------------------------------------------------------
[Network 1 Menu]
    name    - Set network name
    subnet  - Subnet menu
    comment - Set comment
    del     - Remove network

SSL VPN Configuration AAA Network Menu Options

Command Syntax and Usage

name <string>
    Set the network name.

subnet
    Go to the Subnet menu. To view the menu options, see "/ssl/cfg/vpn/aaa/network/subnet SSL VPN Configuration Network Subnet Menu" (page 522).

comment <text_string>
    Create a text description (comment) about the network.

del
    Remove the network. The network will be removed when the global /apply command is entered.

/ssl/cfg/vpn/aaa/network/subnet
SSL VPN Configuration Network Subnet Menu


To enter the /ssl/cfg/vpn/aaa/network/subnet menu level, you are prompted to create a subnet if one does not already exist.


SSL >> Network 1# sub
Enter subnet number: (1-1023) 1
Creating Network Subnet 1
Enter host name: Subnet_1
Enter network address: 0.0.0.0
Enter network netmask: netmask
------------------------------------------------------------
[Network Subnet 1 Menu]
    host - Set Host Name
    net  - Set network address
    mask - Set network mask
    del  - Remove subnet

SSL VPN Configuration AAA Network Subnet Menu Options

Command Syntax and Usage

host <hostname>
    Set the hostname for the subnet.

net <IP_address>
    Set the subnet address.

mask <IP_address>
    Set the Network mask.

del
    Remove the Subnet.

/ssl/cfg/vpn/aaa/service
SSL VPN Configuration Service Menu


To enter the /ssl/cfg/vpn/aaa/service menu level, you are prompted to create a service if one does not already exist.
SSL >> AAA# service
Enter service number or name: (1-1023) 1
Creating Service 1
Service name: Service_1
Enter service protocol (list of tcp,udp): tcp
Enter service ports: 1,2,3
------------------------------------------------------------
[Service 1 Menu]
    name     - Set service name
    protocol - Set allowed protocols
    ports    - Set allowed port
    comment  - Set comment
    del      - Remove Service

SSL VPN Configuration AAA Service Menu Options

Command Syntax and Usage

name <service_name>
    Set the service name.

protocol <tcp|udp>
    Set the protocols that are allowed.

ports <integers>
    Set the allowed ports. If more than one, use commas to separate.

comment <string>
    Create a description (comment) about the service.

del
    Delete the service.

/ssl/cfg/vpn/aaa/appspec
SSL VPN Configuration Application specific Menu


To enter the /ssl/cfg/vpn/aaa/appspec menu level, you are prompted to create a network if one does not already exist.
SSL >> AAA# appspec
Enter appspec number or name: (1-1023) 1
Creating AppSpecific 1
AppSpec name: AppSpec_1
Entering: Paths menu
Path format:
The paths are formated differently for different applications.
For smb you write the path as / WORKGROUP / FILESHARE / FILE PATH ,
for example /NORTEL/homes/public
This will give access to the public directory in the homes share
in the NORTEL workgroup/domain.
For ftp you write the path as ABSOLUTE FILE PATH ,
for example /home/share/public/
This will give access to the /home/share/public.
Note that all paths are absolute from the root.
For web servers you write the path SERVER PATH ,
for example /intranet
This will give access to the /intranet path on the web server.
Enter path: /path
Leaving: Paths menu.
----------------------------------------------
[AppSpecific 1 Menu]
    name    - Set appspec name
    paths   - Paths menu
    comment - Set comment
    del     - Remove AppSpec

SSL VPN Configuration AAA Application specific Menu Options

Command Syntax and Usage

name <appsec_name>
    Create an application name.

paths
    Go to the Paths menu. To view the menu options, see "/ssl/cfg/cert/revoke SSL Configuration Revoke Certificate Menu" (page 511).

comment <string>
    Create a description (comment) about the Application.

del
    Delete the application.

/ssl/cfg/vpn/aaa/appspec/paths
SSL VPN Configuration Application specific Paths Menu


[Paths Menu]
    list   - List all values
    del    - Delete a value by number
    add    - Add a new value
    insert - Insert a new value
    move   - Move a value by number

SSL VPN Configuration AAA Application specific Paths Menu Options

Command Syntax and Usage

list
    List all paths.


del <path_value>
    Delete a path by its number.

add
    Add a new path. For example:

        SSL >> Paths# list
        Old:
        Pending:
        1: /info
        SSL >> Paths# add
        Path format:
        The paths are formated differently for different applications.
        For smb you write the path as / WORKGROUP / FILESHARE / FILE PATH ,
        for example /NORTEL/homes/public
        This will give access to the public directory in the homes share
        in the NORTEL workgroup/domain.
        For ftp you write the path as ABSOLUTE FILE PATH ,
        for example /home/share/public/
        This will give access to the /home/share/public.
        Note that all paths are absolute from the root.
        For web servers you write the path SERVER PATH ,
        for example /intranet
        This will give access to the /intranet path on the web server.
        Enter path: /home/storage

insert <index>
    Insert a path into the path list.

del
    Delete the path.

/ssl/cfg/vpn/aaa/filter


SSL VPN Configuration AAA Filter Menu


To enter the /ssl/cfg/vpn/aaa/filter menu level, you are prompted to create a service if one does not already exist.
SSL >> AAA# filter
Enter client filter number or name: (1-63) 1
Creating Client Filter 1
Filter name: Filter_1
------------------------------------------------------------
[Client Filter 1 Menu]
    name       - Set filter name
    cert       - Client certificate present
    iewiper    - IE cache wiper present
    tg         - TunnelGuard checks passed
    methods    - Set access methods
    authserver - Set authentication servers
    clientnet  - Set client network reference
    comment    - Set comment
    del        - Remove client filter

SSL VPN Configuration AAA Filter Menu Options

Command Syntax and Usage

name <filter_name>
    Set the filter name.

cert <true|false|ignore>
    Enter the applicability of a certificate.

iewiper <true|false|ignore>
    Set the presence of the IE cache wiper.

tg <true|false|ignore>
    Set the state of the TunnelGuard checks passed.

methods <ssl|ipsec|netdirect>
    Set the access methods.

authserver <hostnames>
    Set authentication server names. If more than one, separate the names using a comma.

clientnet <clientnet_hostname>
    Set client network reference.

comment
    Create a description (comment) of the filter.


del
    Remove the client filter.

/ssl/cfg/vpn/aaa/group
SSL VPN Configuration AAA Group Menu


To enter the /ssl/cfg/vpn/aaa/group menu level, you are prompted to create a service if one does not already exist.
SSL >> AAA# group
Enter group number or name: (1-1023) 1
Creating Group 1
Group name: Group_1
Enter number of sessions (0 is unlimited): 0
Enter user type (advanced/medium/novice): novice
------------------------------------------------------------
[Group 1 Menu]
    name     - Set group name
    access   - Access rule menu
    print    - Print access rules
    restrict - Set number of login sessions
    usertype - Set portal user type
    linkset  - Linkset menu
    extend   - Extended profiles menu
    tgsrs    - Set TunnelGuard SRS Rule
    ipsec    - IPsec menu
    comment  - Set comment
    del      - Remove group

SSL VPN Configuration AAA Group Menu Options

Command Syntax and Usage

name <string>
    Set the group name.

access
    Go to the Access rule menu. To view the menu options, see "/ssl/cfg/vpn/aaa/group/access SSL VPN Configuration AAA Group Access Menu" (page 529).

print
    Display the Access rules. For example:

        SSL >> Group 1# print
        Network Proto Ports Path Action
        ------- ----- ----- ---- ------

restrict <integer>
    Restrict the number of login sessions. The default is 0 (unlimited).

usertype <advanced|medium|novice>
    Set the user level.

linkset
    Go to the Linkset menu. To view the menu options, see "/ssl/cfg/vpn/aaa/group/linkset SSL VPN Configuration AAA Group Linkset Menu" (page 530).

extend
    Go to the Extended Profiles menu. To view the menu options, see "/ssl/cfg/vpn/aaa/group/extend SSL VPN Configuration AAA Group Extend Profiles Menu" (page 531).

tgsrs <string>
    Set the TunnelGuard SRS rule.

ipsec
    Go to the IPSEC menu. To view the menu options, see "/ssl/cfg/vpn/aaa/group/ipsec SSL VPN Configuration AAA Group IPsec Menu" (page 533).

comment
    Create a description (comment) of the Group.

del
    Delete the group.

/ssl/cfg/vpn/aaa/group/access
SSL VPN Configuration AAA Group Access Menu


To enter the /ssl/cfg/vpn/aaa/group/access menu level, you are prompted to create a service if one does not already exist.


SSL >> Group 1# access
Enter access rule number: (1-1023) 1
Creating Access rule 1
Enter network name: Network_1
Enter service name: Service_1
Enter application specific name: Application_1
Enter action (accept/reject): accept
------------------------------------------------------------
[Access rule 1 Menu]
    network - Set network reference
    service - Set service reference
    appspec - Set application specific reference
    action  - Set action
    comment - Set access rule comment
    del     - Remove access rule

SSL VPN Configuration AAA Group Access Menu Options

Command Syntax and Usage

network <network_name>
    Enter the network name reference.

service <service_name>
    Set the Service name reference.

appspec <application_name>
    Set the application specific name reference.

action <accept|reject>
    Accept or reject the creation of this Access rule.

comment
    Create a description (comment) of this Access rule.

del
    Delete the Access rule.

/ssl/cfg/vpn/aaa/group/linkset
SSL VPN Configuration AAA Group Linkset Menu


[Linksets Menu]
    list   - List all values
    del    - Delete a value by number
    add    - Add a new value
    insert - Insert a new value
    move   - Move a value by number

Nortel Application Switch Operating System Command Reference NN47220-105 (320506-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.

/ssl/stats/ipsec IPSEC Statistics menu 531 SSL VPN Conguration AAA Group Linkset Menu Options Command Syntax and Usage list List all of the configured linksets. add <linkset_name> Add a linkset name. insert <position name> Insert a linkset into the linkset list. move <value> <value> Move the linkset from one position to another in the linkset list.

/ssl/cfg/vpn/aaa/group/extend SSL VPN Configuration AAA Group Extend Profiles Menu

To enter the /ssl/cfg/vpn/aaa/group/extend menu level, you are prompted to create an extended service profile if one does not already exist.

SSL >> Group 1# extend
Enter profile number or name (1-63): 1
Creating Extended Profile 1
Enter client filter name: Filter_1
Enter user type (advanced/medium/novice): novice
------------------------------------------------------------
[Extended Profile 1 Menu]
    filter    - Set client filter reference
    access    - Access rule menu
    print     - Print access rules
    usertype  - Set portal user type
    linkset   - Linkset menu
    del       - Remove profile

SSL VPN Configuration AAA Group Extend Profiles Menu Options

Command Syntax and Usage

filter <client_filter_name>
    Set the client filter name reference.
access
    Go to the Access Rule menu. To view the menu options, see "/ssl/cfg/vpn/aaa/group/extend/access SSL VPN Configuration AAA Group Extend Profiles Access Menu" (page 532).
print
    Display the extended profile information.
usertype <advanced|medium|novice>
    Set the portal user level.
linkset
    Go to the Linkset menu. To view the menu options, see "/ssl/cfg/vpn/aaa/group/extend/linkset SSL VPN Configuration AAA Group Extend Profiles Linkset Menu" (page 532).
del
    Delete the Extended Profile.

/ssl/cfg/vpn/aaa/group/extend/access SSL VPN Configuration AAA Group Extend Profiles Access Menu

[Access rule 1 Menu]
    network  - Set network reference
    service  - Set service reference
    appspec  - Set application specific reference
    action   - Set action
    comment  - Set access rule comment
    del      - Remove access rule

SSL VPN Configuration AAA Group Extend Profiles Access Menu Options

Command Syntax and Usage

network <network_name>
    Set the network name reference.
service <service_name>
    Set the Service name reference.
appspec <application_name>
    Set the Application name reference.
action <accept|reject>
    Accept or reject the Access rule change.
comment
    Create a description (comment) of the Access rule.
del
    Delete the Extended Profile Access rule.

/ssl/cfg/vpn/aaa/group/extend/linkset SSL VPN Configuration AAA Group Extend Profiles Linkset Menu

[Linksets Menu]
    list    - List all values
    del     - Delete a value by number
    add     - Add a new value
    insert  - Insert a new value
    move    - Move a value by number

SSL VPN Configuration AAA Group Extend Profiles Linkset Menu Options

Command Syntax and Usage

list
    List all of the configured Extended Profile linksets.
del <extended_profile_linkset_name>
    Delete the Extended Profile Linkset.
add <extended_profile_linkset_name>
    Add an Extended Profile linkset name.
insert <position name>
    Insert an Extended Profile linkset into the linkset list.
move <value> <value>
    Move the Extended Profile linkset from one position to another in the linkset list.

/ssl/cfg/vpn/aaa/group/ipsec SSL VPN Configuration AAA Group IPsec Menu

[IPsec Menu]
    secret   - Set shared secret
    utunnel  - Set user tunnel profile

SSL VPN Configuration AAA Group IPsec Menu Options

Command Syntax and Usage

secret <string>
    Set the group Secret value.
utunnel <string>
    Set the user tunnel profile name.

/ssl/cfg/vpn/aaa/ssodomains SSL VPN Configuration AAA Single-sign on Enabled Domains Menu

[SSO Domain menu Menu]
    list  - List all values
    del   - Delete a value by number
    add   - Add a new value

SSL VPN Configuration AAA Single-sign on enabled Domains Menu Options

Command Syntax and Usage

list
    List all of the SSO domains.
del <index>
    Delete an SSO domain.
add <domain_name mode> <normal|add_domain>
    Add an SSO domain.

/ssl/cfg/vpn/aaa/ssoheaders SSL VPN Configuration AAA Single-sign on Headers Menu

[SSO headers menu Menu]
    list    - List all values
    del     - Delete a value by number
    add     - Add a new value
    insert  - Insert a new value
    move    - Move a value by number

SSL VPN Configuration AAA Single-sign on Headers Menu Options

Command Syntax and Usage

list
    List all of the configured SSO Headers.
del <SSO Headers_name>
    Delete the SSO Header.
add <domain header_pattern>
    Add an SSO Header.
insert <position domain> <header_name>
    Insert an SSO Header into the headers list.
move <value> <value>
    Move the SSO Headers from one position to another in the SSO Headers list.


/ssl/cfg/vpn/aaa/radacct SSL VPN Configuration AAA Radius Accounting Menu

[RADIUS Accounting Menu]
    servers     - RADIUS accounting servers menu
    vpnattribu  - VPN attribute menu
    ena         - Enable RADIUS accounting
    dis         - Disable RADIUS accounting

SSL VPN Configuration AAA Radius Accounting Menu Options

Command Syntax and Usage

servers
    Go to the Radius servers menu. To view the menu options, see "ssl/cfg/vpn/aaa/radacct/servers SSL VPN Configuration AAA Radius Accounting Servers Menu" (page 535).
vpnattribu
    Go to the VPN attribute menu. To view the menu options, see "ssl/cfg/vpn/aaa/radacct/vpnattribu SSL VPN Configuration AAA Radius Accounting VPN attributes Menu" (page 536).
ena enable|disable
    Enable AAA radius accounting.
dis enable|disable
    Disable AAA radius accounting.

ssl/cfg/vpn/aaa/radacct/servers SSL VPN Configuration AAA Radius Accounting Servers Menu

[RADIUS Accounting Servers Menu]
    list    - List all values
    del     - Delete a value by number
    add     - Add a new value
    insert  - Insert a new value
    move    - Move a value by number

SSL VPN Configuration AAA Radius Accounting Menu Options

Command Syntax and Usage

list
    List all of the configured Radius Accounting servers.
del <Radius_Accounting_server_name>
    Delete the SSO Header.
add <ip_address port> <secret>
    Add a Radius Account.
insert <position ip_address> <port> <secret>
    Insert a Radius account into the account list.
move <value> <value>
    Move the Radius account from one position to another in the account list.

ssl/cfg/vpn/aaa/radacct/vpnattribu SSL VPN Configuration AAA Radius Accounting VPN attributes Menu

[VPN Attribute Menu]
    vendorid    - Set vendor id for the VPN attribute
    vendortype  - Set vendor type for the VPN attribute

SSL VPN Configuration AAA Radius Accounting VPN attributes Menu Options

Command Syntax and Usage

vendorid <vendorID>
    Set the vendor name.
vendortype <integer>
    Set the vendor type.

/ssl/cfg/vpn/server SSL VPN Configuration Server Menu

[Server Menu]
    port      - Set listen port of server
    dnsname   - Set DNS name of server
    trace     - Traffic trace menu
    ssl       - SSL settings menu
    tcp       - TCP endpoint settings menu
    http      - HTTP settings menu
    proxymap  - Intranet proxy configuration menu
    portal    - Portal settings menu
    adv       - Advanced settings menu
    ena       - Enable virtual server
    dis       - Disable virtual server

SSL VPN Configuration Server Menu Options

Command Syntax and Usage

port <integer, 1-65534>
    Set the listen port of the server.
dnsname <fully_qualified_DNS_name>
    Set the DNS name of the server.
trace
    Go to the Trace menu. To view the menu options, see "/ssl/cfg/vpn/server/trace SSL VPN Configuration Server Traffic Trace Menu" (page 537).
ssl
    Go to the SSL settings menu. To view the menu options, see "/ssl/cfg/vpn/server/ssl SSL VPN Configuration Server SSL Settings Menu" (page 538).
tcp
    Go to the TCP endpoint settings menu. To view the menu options, see "/ssl/cfg/vpn/server/tcp SSL VPN Configuration Server TCP endpoint Settings Menu" (page 540).
http
    Go to the HTTP settings menu. To view the menu options, see "/ssl/cfg/vpn/server/http SSL VPN Configuration Server HTTP Settings Menu" (page 541).
proxymap
    Go to the Intranet Proxy configuration menu. To view the menu options, see "/ssl/cfg/vpn/server/proxymap SSL VPN Configuration Server Intranet Proxy settings Menu" (page 543).
portal
    Go to the Portal menu. To view the menu options, see "ssl/cfg/vpn/server/portal SSL VPN Configuration Server Portal settings Menu" (page 544).
adv
    Go to the Advanced settings menu. To view the menu options, see "ssl/cfg/vpn/server/adv SSL VPN Configuration Server Advanced Menu" (page 544).
ena enable|disable
    Enable the VPN server.
dis enable|disable
    Disable the VPN server.

/ssl/cfg/vpn/server/trace SSL VPN Configuration Server Traffic Trace Menu

[Trace Menu]
    ssldump     - Create traffic dump
    tcpdump     - Create traffic dump
    ping        - Ping through backend interface
    dnslookup   - Lookup a name in DNS through backend interface
    traceroute  - traceroute through backend interface

SSL VPN Configuration Server Traffic Trace Menu Options

Command Syntax and Usage

ssldump
    Create an SSL traffic dump. See the tcpdump documentation for a description of the patterns that are allowed (http://www.tcpdump.org/tcpdump_man.html).
standalone on|off
    Create a TCP traffic dump. See the tcpdump documentation for a description of the patterns that are allowed (http://www.tcpdump.org/tcpdump_man.html).
ping <hostname>
    Ping through the backend interface.
dnslookup <hostname>
    Lookup a name in DNS through the backend interface.
traceroute
    Traceroute through backend interface. Use this command to identify the route used for station-to-station connectivity across the network.

/ssl/cfg/vpn/server/ssl SSL VPN Configuration Server SSL Settings Menu

[SSL Settings Menu]
    cert       - Set server certificate
    cachesize  - Set SSL cache size
    cachettl   - Set SSL cache timeout
    cacerts    - Set list of accepted signers of client certificates
    cachain    - Set list of CA chain certificates
    protocol   - Set protocol version
    ciphers    - Set cipher list
    verify     - Set certificate verification level
    ena        - Enable SSL
    dis        - Disable SSL

SSL VPN Configuration Server SSL Settings Menu Options

Command Syntax and Usage

cert <certificate_number, 1 to 1500>
    Set the IP address of the VPN.
cachesize <integer, 0 to 10000>
    Set the SSL cache size (kBytes).
cachettl <integer>
    Set the SSL cache timeout (in minutes).
cacerts <certificate_numbers>
    Set the list of accepted signers of client certificates. If more than one, use a comma to separate the entries.
cachain <certificate_numbers>
    Set the list of CA chain certificates. If more than one, use a comma to separate the entries.
protocol ssl2|ssl3|ssl23|tls1
    Set the protocol version.
ciphers
    Set the cipher list. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms). Each cipher string can be optionally preceded by the characters !, - or +:

    !  permanently deletes the ciphers from the list (e.g. !RSA).
    -  deletes the ciphers from the list, but the ciphers can be added again by later options.
    +  moves the ciphers to the end of the list. This option does not add any new ciphers.

    Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.
verify none|optional
    Set the certificate verification level.
ena enable|disable
    Enable SSL.
dis enable|disable
    Disable SSL.

/ssl/cfg/vpn/server/tcp SSL VPN Configuration Server TCP endpoint Settings Menu

[TCP Settings Menu]
    cwrite    - Set client TCP write timeout
    ckeep     - Set client TCP keep alive timeout
    skeep     - Set socks client TCP keep alive heartbeat timeout
    swrite    - Set server TCP write timeout
    sconnect  - Set server TCP connect timeout
    csendbuf  - Set client TCP send buffer size
    crecbuf   - Set client TCP receive buffer size
    ssendbuf  - Set server TCP send buffer size
    srecbuf   - Set server TCP receive buffer size

SSL VPN Configuration Server TCP endpoint settings Menu Options

Command Syntax and Usage

ips <integer, 1 to 2147483647s>
    Set client TCP write timeout, in seconds.
ckeep <integer, 1 to 2147483647s>
    Set client TCP keep alive timeout.
skeep <integer, 1 to 2147483647s>
    Set the SOCKS client TCP keep alive heartbeat timeout.
swrite <integer, 1 to 2147483647s>
    Set the server TCP write timeout.
sconnect <integer, 1 to 2147483647s>
    Set the server TCP connect timeout.
csendbuf auto| <integer, 2000 to 100000>
    Set the client TCP send buffer size (Bytes).
crecbuf auto| <integer, 2000 to 100000>
    Set the client TCP receive buffer size (Bytes).
ssendbuf auto| <integer, 2000 to 100000>
    Set the server TCP send buffer size (Bytes).
srecbuf auto| <integer, 2000 to 100000>
    Set server TCP receive buffer size (Bytes).

/ssl/cfg/vpn/server/http SSL VPN Configuration Server HTTP Settings Menu

[HTTP Settings Menu]
    downstatus  - Set server down reply status
    rewrite     - SSL triggered rewrite menu
    securecook  - Set add secure option to session cookie
    sslheader   - Add SSL header
    sslxheader  - Add SSL header with serial in hex
    sslsidhead  - Add SSL SID header
    addxfor     - Add X-Forwarded-For header
    addvia      - Add Via header
    addxisd     - Add HTTP-X-ISD debug header
    addclicert  - Add Client-Cert as a HTTP header
    addnostore  - Add no-cache/no-store HTTP header
    allowimage  - Allow image caching
    allowdoc    - Allow document caching
    allowscrip  - Set allow script caching
    allowica    - Allow ICA file caching
    cmsie       - Set MSIE session termination bug workaround
    maxrcount   - Set max number of persistant client requests
    maxline     - Set max line length

SSL VPN Configuration Server HTTP settings Menu Options

Command Syntax and Usage

downstatus unavailable|redirect|reset
    Set the server down reply status.
rewrite on|off
    Go to the SSL triggered Rewrite menu. To view the menu options, see "/ssl/cfg/vpn/server/http/rewrite SSL VPN Configuration Server SSL triggered rewrite Menu" (page 542).
securecook on|off
    Set the "add secure" option for the session cookie.
sslheader on|off
    Add an SSL session ID header.
sslxheader on|off
    Add an SSL header with serial number in hexadecimal.
sslsidhead on|off
    Add an SSL SID header.
addxfor on|off|anonymous|remove
    Add X-Forwarded-For header.
addvia on|off|anonymous|remove
    Set VIA header.
addxisd on|off
    Set HTTP-X-ISD debug header.
addclicert on|off
    Set Client-Cert as a HTTP header.
addnostore on|off
    Set no-cache/no-store HTTP header.
allowimage on|off
    Set image caching.
allowdoc on|off
    Set document caching.
allowscrip on|off
    Set allow script caching.
allowica on|off
    Set ICA file caching.
cmsie on|off
    Set MSIE session termination bug workaround.
maxrcount <integer>
    Set max number of persistent client requests.
maxline <integer>
    Set the maximum line length.

/ssl/cfg/vpn/server/http/rewrite SSL VPN Configuration Server SSL triggered rewrite Menu

[Rewrite Menu]
    rewrite   - Set SSL triggered rewrite
    ciphers   - Set accepted ciphers
    response  - Set source of response
    URI       - Set URI with the weak cipher alert

SSL VPN Configuration Server SSL triggered rewrite Menu Options

Command Syntax and Usage

rewrite on|off
    Set SSL triggered rewrite. For step-up certificates we recommend ALL:-RC2:-SHA1:@STRENGTH
ciphers <string>
    Set the accepted ciphers. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms). Each cipher string can be optionally preceded by the characters !, - or +:

    !  permanently deletes the ciphers from the list (e.g. !RSA).
    -  deletes the ciphers from the list, but the ciphers can be added again by later options.
    +  moves the ciphers to the end of the list. This option does not add any new ciphers; it just moves matching existing ones.

    Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.
response iSD|WebServer
    Set the source of response.
URI <WebServer response only>
    Set the URI with the weak cipher alert. For example, /cgi-bin/weakcipher.

/ssl/cfg/vpn/server/proxymap SSL VPN Configuration Server Intranet Proxy settings Menu


The PROXY menu is not available for type portal and socks servers.

[Proxy Mapping Menu]
    list    - List all values
    del     - Delete a value by number
    add     - Add a new value
    insert  - Insert a new value
    move    - Move a value by number

SSL VPN Configuration Server Intranet Proxy settings Menu Options

Command Syntax and Usage

list
    List all of the server Intranet Proxy settings.
del <Proxy_server_name>
    Delete the Intranet Proxy server.
add <ip_address port>
    Add an Intranet Proxy server.
insert <position ip_address> <port>
    Insert an Intranet Proxy server into the Proxy server list.
move <value> <value>
    Move the Intranet Proxy server from one position to another in the server list.

ssl/cfg/vpn/server/portal SSL VPN Configuration Server Portal settings Menu

[Portal Settings Menu]
    resetcooki  - Set Re-Set session cookie in each request
    domain      - Set cookie domain
    persistent  - Set use persistent session cookies

SSL VPN Configuration Server Portal settings Menu Options

Command Syntax and Usage

resetcooki <on|off>
    Set the Reset session cookie in each request.
domain <domain_name>
    Set the cookie domain name for the portal.
persistent <on|off>
    Set the use of persistent session cookies.

ssl/cfg/vpn/server/adv SSL VPN Configuration Server Advanced Menu

[Advanced Settings Menu]
    traflog     - UDP syslog Traffic Log menu
    sslconnect  - SSL connect menu

SSL VPN Configuration Server Advanced Menu Options

Command Syntax and Usage

traflog <IP_address>
    Go to the UDP syslog Traffic Log menu. To view the menu options, see "ssl/cfg/vpn/server/adv/traflog SSL VPN Configuration Server UDP Syslog Traffic Log Menu" (page 545).
sslconnect on|off
    Go to the SSL Connect menu. To view the menu options, see "ssl/cfg/vpn/server/adv/sslconnect SSL VPN Configuration Server SSL Connect Menu" (page 546).

ssl/cfg/vpn/server/adv/traflog SSL VPN Configuration Server UDP Syslog Traffic Log Menu

[Traffic Log Settings Menu]
    sysloghost  - Set syslog host IP
    udpport     - Set syslog portnumber
    priority    - Set syslog priority
    facility    - Set syslog facility
    ena         - Enable traffic UDP syslog logging
    dis         - Disable traffic UDP syslog logging

SSL VPN Configuration Server UDP Syslog Traffic Log Menu Options

Command Syntax and Usage

sysloghost <IP_address>
    Set the IP address of the VPN.
udpport <UDP_port_number>
    Set the standalone mode.
priority <syslog_name>
    Set the syslog priority.
facility <string>
    Set the syslog facility.
ena <enable|disable>
    Enable traffic UDP syslog messaging.
dis
    Disable traffic UDP syslog messaging.

ssl/cfg/vpn/server/adv/sslconnect SSL VPN Configuration Server SSL Connect Menu

[SSL Connect Settings Menu]
    protocol  - Set protocol version
    cert      - Set client certificate
    ciphers   - Set accepted ciphers for ssl connect
    verify    - Verify server menu

SSL VPN Configuration Server UDP Syslog Traffic Log Menu Options

Command Syntax and Usage

protocol ssl2|ssl3|ssl23|tls1
    Set the Protocol version.
cert <certificate_number, 1 to 1500>
    Set the client certificate.
ciphers
    Set the accepted ciphers for SSL connection. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms). Each cipher string can be optionally preceded by the characters !, - or +.

    !  permanently deletes the ciphers from the list (e.g. !RSA).
    -  deletes the ciphers from the list, but the ciphers can be added again by later options.
    +  moves the ciphers to the end of the list.

    Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.
verify
    Go to the Verify server menu. To view the menu options, see "ssl/cfg/vpn/server/adv/sslconnect/verify SSL VPN Configuration Server SSL Connect verify Server Menu" (page 547).
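
The cipher-list operators described under the ciphers commands of the SSL Settings, SSL triggered rewrite and SSL Connect menus, simulated so that a list can be expanded and checked before it is applied. This is an added example, not Nortel code: the suite table is constructed, evaluate() and below_min() are hypothetical helper names, and the longest-key-first direction of @STRENGTH is an assumption.

```python
"""Simulate the cipher-list operators (!, -, +, keyword+keyword, @STRENGTH).

Added illustration: the suite table is constructed and far smaller than a
real one, and evaluate()/below_min() are hypothetical helper names.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    tags: frozenset  # keywords this suite answers to
    bits: int        # encryption algorithm key length


def _suite(name, bits, *tags):
    # Every suite also matches "ALL" and its own name.
    return Suite(name, frozenset(tags) | {"ALL", name}, bits)


# Constructed sample table, in the order the endpoint would list it.
SUITES = [
    _suite("RC4-MD5", 128, "RSA", "RC4", "MD5"),
    _suite("EXP-RC2-CBC-MD5", 40, "RSA", "RC2", "MD5", "EXPORT"),
    _suite("DES-CBC-SHA", 56, "RSA", "DES", "SHA1"),
    _suite("DES-CBC3-SHA", 168, "RSA", "3DES", "SHA1"),
    _suite("AES128-SHA", 128, "RSA", "AES", "SHA1"),
    _suite("AES256-SHA", 256, "RSA", "AES", "SHA1"),
]


def evaluate(cipher_list, table=SUITES):
    """Return the ordered suite names that a cipher list selects."""
    active = []     # current preference list, in order
    banned = set()  # names removed with '!', never re-added
    for item in cipher_list.split(":"):
        item = item.strip()
        if not item:
            continue
        if item == "@STRENGTH":
            # Assumption: longest key first. sorted() is stable, so suites
            # with equal key length keep their current relative order.
            active = sorted(active, key=lambda s: -s.bits)
            continue
        op = item[0] if item[0] in "!-+" else ""
        keywords = set(item[len(op):].split("+"))  # A+B means A and B
        matches = [s for s in table if keywords <= s.tags]
        if op == "!":    # delete permanently
            banned.update(s.name for s in matches)
            active = [s for s in active if s not in matches]
        elif op == "-":  # delete, may be added again later
            active = [s for s in active if s not in matches]
        elif op == "+":  # move existing matches to the end, add nothing
            moved = [s for s in active if s in matches]
            active = [s for s in active if s not in matches] + moved
        else:            # plain string: append matches not yet present
            for s in matches:
                if s.name not in banned and s not in active:
                    active.append(s)
    return [s.name for s in active]


def below_min(cipher_list, min_bits=128, table=SUITES):
    """Names the list still permits whose key length is under min_bits."""
    bits = {s.name: s.bits for s in table}
    return [n for n in evaluate(cipher_list, table) if bits[n] < min_bits]


if __name__ == "__main__":
    for cl in ("SHA1+DES", "ALL:!DES:DES", "ALL:-DES:DES", "ALL:+RC4",
               "ALL:-RC2:-SHA1:@STRENGTH", "ALL:@STRENGTH"):
        print(f"{cl:26} -> {evaluate(cl)}")
    print("under 128 bits in ALL:", below_min("ALL"))
```

On this constructed table, the string ALL:-RC2:-SHA1:@STRENGTH from the rewrite menu leaves only RC4-MD5, and ALL on its own still permits the 40-bit and 56-bit suites.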


ssl/cfg/vpn/server/adv/sslconnect/verify SSL VPN Configuration Server SSL Connect verify Server Menu

[SSL Connect Verify Settings Menu]
    verify      - Set certificate verification level
    commonname  - Set server common name
    cacerts     - Set list of accepted signers servers certificate

SSL VPN Configuration Server SSL Connect Verify Server Menu Options

Command Syntax and Usage

verify none|verify
    Set the Certificate Verification level.
commonname <string>
    Set the server common name.
cacerts <certificate_numbers>
    Set the list of accepted signers for each server certificate. If more than one, use a comma to separate each entry.

/ssl/cfg/vpn/ipsec SSL VPN Configuration IPsec Server Menu

[IPsec Menu]
    ena       - Enable IPsec
    dis       - Disable IPsec
    quick     - Quick IPsec setup wizard
    ikeprof   - IKE profile
    utunprof  - User tunnel profile
    cacerts   - Set list of accepted signers of clients certificate
    cert      - Set server certificate

SSL VPN Configuration IPSEC Server Menu Options

Command Syntax and Usage

ena [enable|disable]
    Enable IPsec.
dis [enable|disable]
    Disable IPsec.
quick
    Use the Quick IPsec setup wizard. For example:

    SSL >> IPsec# quick
    Do you want to use IPsec Group login? (yes/no) [no]: n
    Lower IP address in pool range: 0.0.0.0
    Upper IP address in pool range: 1.1.1.1
    Enabled IPsec
    Creating IKE Profile 1
    Name: vpn_1_1
    Creating User Tunnel Profile 1
    Name: vpn_1_1
    You should create a AAA group for the user tunnel profile
    Enabled Pool
    Use apply to activate the changes

ikeprof
    Go to the IKE profile menu.
utunprof
    Set the User tunnel profile.
cacerts
    Set the list of accepted signers of clients certificate.
cert
    Set the server certificate.

/ssl/cfg/vpn/ipsec/ikeprof SSL VPN Configuration IPsec Server IKE Profile Menu

[IKE Profile 1 Menu]
    name        - Set IKE profile name
    del         - Remove IKE Profile
    enc         - Encryption mask menu
    dh          - Diffie-Hellman group mask menu
    pfs         - Enable Perfect Forward Secrecy
    initcontac  - Accept ISAKMP initial contact payload
    rekeytime   - Set rekey time limit
    rekeytraf   - Set rekey traffic limit
    retransmit  - Set ISAKMP retransmit interval
    maxretrans  - Set ISAKMP max attempts retransmits
    replaywins  - Set replay window size
    nat         - NAT menu
    deadpeer    - Dead peer menu

SSL VPN Configuration IPSEC Server IKE Profile Menu Options

Command Syntax and Usage

name <string>
    Set the IKE profile name.
del <IKE_profile_name>
    Disable IPsec.
enc
    Go to the Encryption mask menu. To view the menu options, see "/ssl/cfg/vpn/ipsec/ikeprof/enc SSL VPN Configuration IPsec Server IKE Profile Encryption Menu" (page 549).
dh
    Go to the Diffie-Hellman group mask menu. To view the menu options, see "/ssl/cfg/vpn/ipsec/ikeprof/dh SSL VPN Configuration IPsec Server IKE Profile Diffie-Hellman Group Mas" (page 550).
pfs on|off
    Enable Perfect Forward Secrecy.
initcontac on|off
    Accept ISAKMP initial contact payload.
rekeytime <integer>
    Set the rekey time limit, in seconds.
rekeytraf <integer>
    Set rekey traffic limit, in KBytes.
retransmit <integer>
    Set ISAKMP retransmit limit, in seconds.
maxretrans <integer>
    Set the maximum ISAKMP attempts to retransmit.
replaywins <integer>
    Set replay window size.
nat
    Go to the NAT menu. To view the menu options, see "/ssl/cfg/vpn/ipsec/ikeprof/NAT SSL VPN Configuration IPsec Server IKE Profile NAT Menu" (page 551).
deadpeer
    Go to the Dead Peer menu. To view the menu options, see "/ssl/cfg/vpn/ipsec/ikeprof/deadpeer SSL VPN Configuration IPsec Server IKE Profile Dead Peer Menu" (page 551).

/ssl/cfg/vpn/ipsec/ikeprof/enc SSL VPN Configuration IPsec Server IKE Profile Encryption Menu

[Encryption Menu]
    hmac_md5    - Set HMAC with MD5
    hmac_sha    - Set HMAC with SHA
    null_md5    - Set NULL with MD5
    null_sha    - Set NULL with SHA
    des_md5     - Set DES with MD5
    des_sha     - Set DES with SHA
    3des_md5    - Set 3DES with MD5
    3des_sha    - Set 3DES with SHA
    aes_128_sh  - Set 128 bits AES with SHA

SSL VPN Configuration IPSEC Server IKE Profile Encryption Menu Options

Command Syntax and Usage

hmac_md5 on|off
    Set HMAC with MD5.
hmac_sha on|off
    Set HMAC with SHA.
null_md5 on|off
    Set NULL with MD5.
null_sha on|off
    Set NULL with SHA.
des_md5 on|off
    Set DES with MD5.
des_sha on|off
    Set DES with SHA.
3des_md5 on|off
    Set 3DES with MD5.
3des_sha on|off
    Set 3DES with SHA.
aes_128_sh on|off
    Set 128 bits AES with SHA.

/ssl/cfg/vpn/ipsec/ikeprof/dh SSL VPN Configuration IPsec Server IKE Profile Diffie-Hellman Group Mask Menu

[Diffie-Hellman Group Menu]
    dh1  - Set Diffie-Hellman group 1
    dh2  - Set Diffie-Hellman group 2
    dh5  - Set Diffie-Hellman group 5

SSL VPN Configuration IPSEC Server IKE Profile Diffie-Hellman Group Mask Menu Options

Command Syntax and Usage

dh1 on|off
    Set Diffie-Hellman group 1.
dh2 on|off
    Set Diffie-Hellman group 2.
dh5 on|off
    Set Diffie-Hellman group 5.

/ssl/cfg/vpn/ipsec/ikeprof/NAT SSL VPN Configuration IPsec Server IKE Profile NAT Menu

[NAT Menu]
    natdetect  - Set ESP UDP NAT detect
    timeout    - Set detect timeout
    keepalive  - Set keepalive timeout

SSL VPN Configuration IPSEC Server IKE Profile NAT Menu Options

Command Syntax and Usage

natdetect disabled|auto|ipsec_capable|use_udp_encap
    Set ESP UDP detection.
timeout <integer>
    Set the detection timeout, in seconds.
keepalive <integer>
    Set the keepalive timeout, in seconds.

/ssl/cfg/vpn/ipsec/ikeprof/deadpeer SSL VPN Configuration IPsec Server IKE Profile Dead Peer Menu

[Dead Peer Menu]
    ena         - Enable dead peer detection
    dis         - Disable dead peer detection
    interval    - Set detect interval
    retransmit  - Set max retransmissions

SSL VPN Configuration IPSEC Server IKE Profile Dead Peer Menu Options

Command Syntax and Usage

ena [enable|disable]
    Enable dead peer detection.
dis [enable|disable]
    Disable dead peer detection.
interval <integer>
    Set the detection interval, in seconds.
retransmit <integer>
    Set the maximum number of retransmissions.

/ssl/cfg/vpn/ippool SSL VPN Configuration IP Pool Menu

[Pool Menu]
    ena       - Enable pool
    dis       - Disable pool
    lowerip   - Set lower IP in pool range
    upperip   - Set upper IP in pool range
    proxyarp  - Set proxy arp on clean side interfaces
    info      - Print alloc info for this VPN

SSL VPN Configuration IP Pool Menu Options

Command Syntax and Usage

ena enable|disable
    Enable the IP Pool.
dis enable|disable
    Disable the IP Pool.
lowerip <lower_IP_address>
    Set the lower IP address in the pool range.
upperip <upper_IP_address>
    Set the upper IP address in the pool range.
proxyarp <on|off|all>
    Set proxy ARP on clean side interfaces.
info
    Display all of the IP Pool configuration information.

/ssl/cfg/vpn/portal SSL VPN Configuration Portal Menu

[Portal Menu]
    import      - Import banner image gif
    restore     - Restores default Nortel banner
    banner      - Show installed banner file
    redirect    - Set redirect URL
    logintext   - Set static text on login page
    iconmode    - Set Home tab icon mode
    linktext    - Set static text on link page
    linkurl     - Set url input field on link page
    linkcols    - Set number of columns on home tab
    linkwidth   - Set width of link columns on home tab
    companynam  - Set company name used on portal pages
    colors      - Portal colors menu
    faccess     - Full Access menu
    lang        - Portal language menu
    wiper       - Set use ActiveX component for clearing cache
    ieclear     - Set use IE ClearAuthCache
    whitelist   - White-list settings menu
    citrix      - Set Citrix support

SSL VPN Configuration Portal Menu Options

Command Syntax and Usage

import [ <protocol hostname> <bannerfilename> ]
    Import banner image gif. For example:

    SSL >> Portal# import
    Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp
    Enter hostname or IP address of server: 0.0.0.0
    Enter filename on server: nortel_banner.gif

restore
    Restores default Nortel banner.
banner
    Show installed banner file.
redirect <URL>
    Set redirect URL.
logintext
    Set static text on login page. Write or paste the text to show up in the Login window, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
iconmode <clean|fancy>
    Set Home tab icon mode.
linktext [ <string> ]
    Set static text on link page. Write or paste the text, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
linkurl <on|off>
    Set URL input field on link page.
linkcols [ <integer> ]
    Set number of columns on home tab. Four can be considered a practical maximum.
linkwidth [auto|0 to 100%]
    Set width of link columns on home tab.
companynam [ <string> ]
    Set company name used on portal pages.
colors
    Go to the Portal Colors menu. To view the menu options, see "/ssl/cfg/vpn/portal/colors SSL VPN Configuration Portal Colors Menu" (page 555).
faccess
    Go to the Full Access menu. To view the menu options, see "/ssl/cfg/vpn/portal/faccess SSL VPN Configuration Portal Full Access Menu" (page 555).
lang
    Go to the Portal language menu. To view the menu options, see "/ssl/cfg/vpn/portal/lang SSL VPN Configuration Portal Language Menu" (page 556).
wiper [on|off]
    Set use ActiveX component for clearing cache.
ieclear [on|off]
    Set use IE ClearAuthCache.
whitelist
    Go to the White-list settings menu. To view the menu options, see "/ssl/cfg/vpn/portal/whitelist SSL VPN Configuration Portal Whitelist settings Menu" (page 557).
citrix [on|off]
    Set Citrix support.

/ssl/cfg/vpn/portal/colors SSL VPN Configuration Portal Colors Menu

[Portal Colors Menu]
     color1 - Set portal color 1
     color2 - Set portal color 2
     color3 - Set portal color 3
     color4 - Set portal color 4
     theme  - Color theme

SSL VPN Configuration Portal Colors Menu Options

Command Syntax and Usage

color1 [ <HTML_color_syntax> ]
    Set Portal color 1. For example, #003399 for blue.

color2 [ <HTML_color_syntax> ]
    Set Portal color 2.

color3 [ <HTML_color_syntax> ]
    Set Portal color 3.

color4 [ <HTML_color_syntax> ]
    Set Portal color 4.

theme [default|aqua|apple|jeans|cinnamon|candy]
    Set the color theme.

/ssl/cfg/vpn/portal/faccess SSL VPN Configuration Portal Full Access Menu

[Full Access Menu]
     ena       - Enable Full Access tab
     dis       - Disable Full Access tab
     ipsecmode - Set IPSEC Mode
     contip    - Set Contivity IP address
     contid    - Set Contivity group ID
     contpass  - Set Contivity group password
     portalmsg - Set text in Full Access portal tab
     appletmsg - Set text in Full Access Applet window

SSL VPN Configuration Portal Full Access Menu Options

Command Syntax and Usage

ena [enable|disable]
    Enable Full Access tab.

dis [enable|disable]
    Disable Full Access tab.

ipsecmode [contivity|native]
    Set the IPSEC Mode.

contip [ <IP_address> ]
    Set Contivity IP address.

contid [ <string> ]
    Set the Contivity group ID.

contpass [ <string> ]
    Set a Contivity group password.

portalmsg
    Set text in Full Access portal tab. Write or paste the text to show up in the Full Access Portal window, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

appletmsg
    Set text in Full Access Applet window. Write or paste text to show up in the Full Access Applet window, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. If you *only* enter "..." a default text will be generated.

/ssl/cfg/vpn/portal/lang SSL VPN Configuration Portal Language Menu

[Portal Language Menu]
     setlang - Set the language to be used in the portal
     charset - Print charset in use
     list    - List supported languages

SSL VPN Configuration Portal Language Menu Options

Command Syntax and Usage

ips [ <ISO 639 Language Code> ]
    Set the language to be used in the portal. For English, enter en.

charset <on|off>
    Display the current character set. For example:

    Charset = iso-8859-1

list
    Display all of the pre-defined languages.

/ssl/cfg/vpn/portal/whitelist SSL VPN Configuration Portal Whitelist settings Menu

[White-list Settings Menu]
     domains - Configure white-list domains
     ena     - Enable URL rewrite white-list
     dis     - Disable URL rewrite white-list

SSL VPN Configuration Portal Whitelist settings Menu Options

Command Syntax and Usage

domains
    Go to the Domains menu. To view the menu options, see "/ssl/cfg/vpn/portal/whitelist/domains SSL VPN Configuration Portal Whitelist settings Domains Menu" (page 557).

ena [enable|disable]
    Enable URL re-write whitelist.

dis [enable|disable]
    Disable URL re-write whitelist.

/ssl/cfg/vpn/portal/whitelist/domains SSL VPN Configuration Portal Whitelist settings Domains Menu

[White-list menu Menu]
     list - List all values
     del  - Delete a value by number
     add  - Add a new value

SSL VPN Configuration Portal Whitelist settings Domains Menu Options

Command Syntax and Usage

list
    Go to the Domains menu. To view the menu options, see "/ssl/cfg/vpn/portal/faccess SSL VPN Configuration Portal Full Access Menu" (page 555).

del [ <index> ]
    Delete a value.

add [ <domain_name> ]
    Add a domain.

/ssl/cfg/vpn/linkset SSL VPN Configuration Linkset Menu

To enter the /ssl/cfg/vpn/linkset menu level, you are prompted to create a linkset if one does not already exist.

SSL >> VPN 1# linkset
Enter Linkset number or name (1-1023): 1
Creating Linkset 1
Linkset name: Linkset_1
Linkset text (HTML syntax, eg b A heading /b ): html
Autorun Linkset (true/false) [false]: false
-----------------------------------------------------------
[Linkset 1 Menu]
     name    - Set linkset name
     text    - Set linkset text
     autorun - Set autorun support
     link    - Link menu
     del     - Remove tunnel

SSL VPN Configuration Linkset Menu Options

Command Syntax and Usage

name <string>
    Set the linkset name.

text [ <text_type> ]
    Set the text type. In the current release, only HTML is available (default).

autorun [true|false]
    Set the autorun linkset option.

link
    Go to the Link menu. To view the menu options, see "/ssl/cfg/vpn/linkset/link SSL VPN Configuration Linkset Link Menu" (page 559).

del [ <linkset_number> ]
    Remove the linkset.

/ssl/cfg/vpn/linkset/link SSL VPN Configuration Linkset Link Menu

To enter the /ssl/cfg/vpn/linkset/link menu level, you are prompted to create a link if one does not already exist.

SSL >> Linkset 1# link
Enter Link number or name (1-1023): 1
Creating Link 1
Enter link text: Link_1
Enter type of link (hit TAB to see possible values) [internal]: tab smb ftp proxy custom mail telnet netdrive wts outlook netdirect terminal external internal eauto iauto
Enter type of link (hit TAB to see possible values) [internal]: internal
Entering: Internal settings menu
Enter method (http/https): http
Enter host (eg inside.company.com): NoTel.ca
Enter path (eg /): /info
Leaving: Internal settings menu
-----------------------------------------------------------
[Link 1 Menu]
     move     - Move link
     text     - Set link text
     type     - Set link type
     internal - Internal settings menu
     del      - Remove link

SSL VPN Configuration Linkset Link Menu Options

Command Syntax and Usage

move [ <link_number> ]
    Move the link.

text [ <link_name> ]
    Set the name of the link.

type [link_type]
    Set the link type. See the list of link types on "/ssl/cfg/vpn/linkset/link SSL VPN Configuration Linkset Link Menu" (page 559).

internal
    Go to the Internal link menu. To view the menu options, see "/ssl/cfg/vpn/linkset/link/internal SSL VPN Configuration Linkset Link Internal Setting Menu" (page 560).

del [ <link_number> ]
    Remove the link.

/ssl/cfg/vpn/linkset/link/internal SSL VPN Configuration Linkset Link Internal Setting Menu

[Internal menu Menu]
     quick - Quick internal link wizard

SSL VPN Configuration Linkset Link Internal Settings Menu Options

Command Syntax and Usage

quick
    Configure the link using the internal link wizard. For example:

    SSL >> Internal menu# quick
    Enter method (http/https): http
    Enter host (eg inside.company.com): NoTel.ca
    Enter path (eg /): /

/ssl/cfg/vpn/sslclient SSL VPN Configuration SSL Client Menu

[SSL VPN Client Menu]
     netdirect - Allow Netdirect client
     xmlconfig - Set XML client configuration

SSL VPN Configuration SSL Client Menu Options

Command Syntax and Usage

netdirect [on|off]
    Allow a Netdirect VPN client.

xmlconfig
    Set the XML client configuration. Write or paste the text, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

/ssl/cfg/vpn/adv SSL VPN Configuration Advanced Menu

[Advanced Menu]
     interface - Set backend interface used by VPN
     dns       - DNS settings menu
     log       - Set log settings

SSL VPN Configuration Advanced Menu Options

Command Syntax and Usage

interface [ <backend_interface_number> ]
    Set the backend interface.

dns
    Go to the DNS settings menu. To view the menu options, see "/ssl/cfg/vpn/adv/dns SSL VPN Configuration Advanced DNS settings Menu" (page 561).

log [all|login|http|portal|reject|socks]
    Set the log option.

/ssl/cfg/vpn/adv/dns SSL VPN Configuration Advanced DNS settings Menu

[DNS Settings Menu]
     search - Set DNS search list

SSL VPN Configuration Advanced DNS settings Menu Options

Command Syntax and Usage

search <domain_names>
    Set the domain search list. If more than one domain, use a comma to separate each entry.

/ssl/cfg/sys SSL Configuration System Menu

[System Menu]
     mip        - Set management IP (MIP) address
     host       - iSD host menu
     routes     - Routes menu
     time       - Date and time menu
     dns        - DNS settings
     rsa        - RSA Servers
     syslog     - Syslog servers menu
     accesslist - Access list menu
     adm        - Administrative applications menu
     user       - User Access Control menu
     distrace   - Disable tracing with tcpdump/ssldump

SSL Configuration System Menu Options

Command Syntax and Usage

mip <IP_address>
    Set the management IP (MIP) address.

host
    Go to the Host menu. To view menu options, see "/ssl/cfg/sys/host SSL Configuration System Host Menu" (page 563).

routes
    Go to the Routes menu. To view menu options, see "/ssl/cfg/sys/host/routes SSL Configuration System Host Routes Menu" (page 564).

time
    Go to the Time menu. To view menu options, see "/ssl/cfg/sys/time/ntp SSL Configuration System Time NTP servers Menu" (page 568).

dns
    Go to the DNS settings menu. To view menu options, see "/ssl/cfg/sys/dns SSL Configuration System DNS settings Menu" (page 568).

rsa
    Go to the RSA server menu. To view menu options, see "/ssl/cfg/sys/rsa SSL Configuration System RSA servers Menu" (page 570).

syslog
    Go to the Syslog servers menu. To view menu options, see "/ssl/cfg/sys/syslog SSL Configuration System SysLog Servers Menu" (page 570).

accesslist
    Go to the Access List menu. To view menu options, see "/ssl/cfg/sys/accesslist SSL Configuration System Access List Menu" (page 571).

adm
    Go to the Administrative Applications menu. To view menu options, see "/ssl/cfg/sys/adm SSL Configuration System Administrative applications Menu" (page 571).

user
    Go to the User Access Control menu. To view menu options, see "/ssl/cfg/sys/user SSL Configuration System Menu" (page 580).

distrace [yes|no]
    Deactivate trace. Trace cannot be reactivated during the session.

/ssl/cfg/sys/host SSL Configuration System Host Menu

[iSD Host 1 Menu]
     type       - Set type of the iSD
     ip         - Set IP address
     license    - Set License
     gateway    - Set default gateway address
     routes     - Routes menu
     interface  - iSD host interface menu
     port       - iSD port configuration menu
     ports      - Display physical ports
     hwplatform - Display hardware platform
     halt       - Halt the iSD
     reboot     - Reboot the iSD
     delete     - Remove iSD Host

SSL Configuration System Host Menu Options

Command Syntax and Usage

type [master|slave]
    Set the iSD type.

ip [ <IP_address> ]
    Set the IP address of the host.

license [ <string> ]
    Enter or paste the host license information. Paste the license, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

gateway [ <IP_address> ]
    Set default gateway address.

routes
    Go to the Routes menu. To view menu options, see "/ssl/cfg/sys/routes SSL Configuration System Menu" (page 567).

interface
    Go to the iSD host interface menu. To view menu options, see "/ssl/cfg/sys/host/interface SSL Configuration System Host Menu" (page 565).

port
    Go to the iSD port configuration menu. To view menu options, see "/ssl/cfg/sys/host/interface/routes SSL Configuration System Host Interface Routes Menu" (page 566).

ports
    Display the number of physical ports.

hwplatform
    Display hardware platform.

halt [yes|no]
    Halt the iSD platform.

reboot [yes|no]
    Reboot the iSD.

delete [<hostname>]
    Remove iSD Host.

/ssl/cfg/sys/host/routes SSL Configuration System Host Routes Menu

[Host Routes Menu]
     list - List all values
     del  - Delete a value by number
     add  - Add a new value

SSL Configuration System Host Routes Menu Options

Command Syntax and Usage

list
    List all host routes.

del [ <route_number> ]
    Delete a route by its number.

add [ <destination netmask> <gateway> ]
    Add a route.

/ssl/cfg/sys/host/interface SSL Configuration System Host Menu

[Host Interface 1 Menu]
     ip      - Set IP address
     netmask - Set network mask
     gateway - Set default gateway address
     routes  - Routes menu
     vlanid  - Set VLAN tag id
     mode    - Set mode
     ports   - Interface ports menu
     primary - Set primary port
     delete  - Remove Host Interface

SSL Configuration System Host Interface Menu Options

Command Syntax and Usage

ip [ <IP_address> ]
    Set the host interface IP address.

netmask [ <IP_address> ]
    Set the interface netmask.

gateway [ <IP_address> ]
    Set the Gateway IP address.

routes
    Go to the Routes menu. To view menu options, see "/ssl/cfg/sys/host/interface/routes SSL Configuration System Host Interface Routes Menu" (page 566).

vlanid [ <integer> ]
    Set the VLAN tag ID.

mode [failover|trunking]
    Set the interface mode.

ports
    Go to the Ports menu. To view menu options, see "/ssl/cfg/sys/routes SSL Configuration System Menu" (page 567).

primary [ <port_number> ]
    Set the Primary port.

delete [ <interface_hostname> ]
    Delete the interface.

/ssl/cfg/sys/host/interface/routes SSL Configuration System Host Interface Routes Menu

[Host Interface Routes Menu]
     list - List all values
     del  - Delete a value by number
     add  - Add a new value

SSL Configuration System Host Interface Menu Options

Command Syntax and Usage

list
    List all of the configured interface routes.

del [ <route_number> ]
    Delete an interface route.

add [ <destination netmask> <gateway> ]
    Add an interface route.

/ssl/cfg/sys/host/port SSL Configuration System Host Port Menu

[Host Port 1 Menu]
     autoneg - Set autonegotiation
     speed   - Set Speed
     mode    - Set full or half duplex mode

SSL Configuration System Host Port Menu Options

Command Syntax and Usage

autoneg <on | off>
    Enables or disables autonegotiation on the port. The default is on.

speed <10 | 100 | 1000>
    Sets the port speed in Mbits per second when autonegotiation is not in use.

mode <full | half>
    Sets the duplex mode of the port when autonegotiation is not in use. When autonegotiation is not in use the default mode is full.

/ssl/cfg/sys/routes SSL Configuration System Menu

[Routes Menu]
     list - List all values
     del  - Delete a value by number
     add  - Add a new value

SSL Configuration System Menu Options

Command Syntax and Usage

list
    List all of the configured routes.

del [ <route_number> ]
    Delete a route. This command removes the specified static route from the system configuration. Use the list command to display the index numbers of all added static routes.

add [ <destination netmask> <gateway> ]
    Add a static route.

/ssl/cfg/sys/time SSL Configuration System Time Menu

[Date and Time Menu]
     date  - Set system date
     time  - Set system time
     tzone - Set Timezone
     ntp   - Configure NTP servers

SSL Configuration System Time Menu Options

Command Syntax and Usage

date [YYYY-MM-DD]
    Enter the date.

time [HH:MM:SS]
    Set the time, using a 24-hour clock scheme.

tzone [ <continent_number> <country_number> <region_number> ]
    Set the time zone.

ntp
    Configure NTP servers. To view menu options, see "/ssl/cfg/sys/time/ntp SSL Configuration System Time NTP servers Menu" (page 568).

/ssl/cfg/sys/time/ntp SSL Configuration System Time NTP servers Menu

[NTP Servers Menu]
     list - List all values
     del  - Delete a value by number
     add  - Add a new value

SSL Configuration System Time NTP Servers Menu Options

Command Syntax and Usage

list
    List the configured NTP servers.

del [ <NTP_server> ]
    Delete the NTP server. Removes the specified NTP server from the system configuration. Use the list command to display the index numbers of all added NTP servers.

add [ <IP_address> ]
    Add an NTP server. Adds an NTP server to the system configuration. The NTP server you add is used by the NTP client on the iSD to synchronize its clock. NTP should have access to a number of servers (at least three) in order to compensate for any discrepancies in the servers.

/ssl/cfg/sys/dns SSL Configuration System DNS settings Menu

[DNS Settings Menu]
     servers    - DNS servers menu
     cachesize  - Set Local DNS cache size
     retransmit - Set DNS Retransmit interval timer
     count      - Set DNS Retransmit counter
     ttl        - Set Max TTL
     health     - Set Health check interval
     hdown      - Set Health check down counter
     hup        - Set Health check up counter

SSL Configuration System DNS Settings Menu Options

Command Syntax and Usage

servers
    Go to the DNS Servers menu. To view menu options, see "/ssl/cfg/sys/dns/servers SSL Configuration System DNS Servers settings Menu" (page 569).

cachesize [ <integer> ]
    Set the DNS cache size in kBytes.

retransmit [ <integer> ]
    Set the DNS retransmit interval timer value, in seconds.

count [ <integer> ]
    Set the DNS Retransmit counter value.

ttl [ <integer> ]
    Set the maximum TTL, in seconds.

health [ <integer> ]
    Set Health check interval.

hdown [ <integer> ]
    Set Health check down counter.

hup [ <integer> ]
    Set Health check up counter.

/ssl/cfg/sys/dns/servers SSL Configuration System DNS Servers settings Menu

[DNS Servers Menu]
     list   - List all values
     del    - Delete a value by number
     add    - Add a new value
     insert - Insert a new value
     move   - Move a value by number

SSL Configuration System DNS Servers Menu Options

Command Syntax and Usage

list
    List all of the DNS server settings.

del <DNS_server_name>
    Delete the DNS server.

add <ip_address>
    Add a DNS server.

insert <position ip_address>
    Insert a DNS server into the DNS server list.

move <value> <value>
    Move the DNS server from one position to another in the server list.

/ssl/cfg/sys/rsa SSL Configuration System RSA servers Menu

To enter the /ssl/cfg/sys/rsa menu level, you are prompted to create an RSA server if one does not already exist.

SSL >> System# rsa
Enter RSA Server number or name: (1-255) 1
Creating RSA Servers 1
RSA server symbolic name: RSA_1
-----------------------------------------------------------
[RSA Servers 1 Menu]
     rsaname    - Set RSA server symbolic name
     import     - Import sdconf.rec file
     rmnodesecr - Remove Node Secret
     del        - Remove RSA server

SSL Configuration System RSA servers Menu Options

Command Syntax and Usage

rsaname [ <string> ]
    Set the RSA server symbolic name.

import [ <protocol host file> ]
    Import a sdconf.rec file.

rmnodesecr [ <node_secret_name> ]
    Remove a Node Secret.

del
    Remove an RSA server.

/ssl/cfg/sys/syslog SSL Configuration System SysLog Servers Menu

[Syslog Servers Menu]
     list   - List all values
     del    - Delete a value by number
     add    - Add a new value
     insert - Insert a new value
     move   - Move a value by number

SSL Configuration System SysLog Servers Menu Options

Command Syntax and Usage

list
    List all of the Syslog server settings.

del <Syslog_server_name>
    Delete the Syslog server.

add <ip_address>
    Add a Syslog server.

insert [ <position ip_address> <local_facility> ]
    Insert a Syslog server into the Syslog server list.

move <value> <value>
    Move the Syslog server from one position to another in the server list. Moves a syslog server up or down in the list of configured servers. The index numbers you specify must be in use. To view all syslog servers currently added to the system configuration, use the list command.

/ssl/cfg/sys/accesslist SSL Configuration System Access List Menu

[Access List Menu]
     list - List all values
     del  - Delete a value by number
     add  - Add a new value

SSL Configuration System Menu Options

Command Syntax and Usage

list
    List the accesslist values.

del [ <access_list_number> ]
    Delete an accesslist.

add
    Add a new value to the accesslist. Adds a single machine, or a range of machines on a specific network, to the access list. Only those machines listed will be allowed to access the iSD host via a Telnet or SSH connection (assuming that Telnet or SSH connections, or both, are enabled).

/ssl/cfg/sys/adm SSL Configuration System Administrative applications Menu

[Administrative Applications Menu]
     snmp       - SNMP menu
     clitimeout - Set CLI idle timeout
     audit      - Audit Settings Menu
     auth       - Authentication menu
     telnet     - Set telnet CLI access
     ssh        - Set SSH CLI access
     http       - HTTP access menu
     https      - HTTPS access menu
     sshkeys    - SSH host keys menu

SSL Configuration System Administrative applications Menu Options

Command Syntax and Usage

snmp
    Go to the SNMP menu. To view menu options, see "/ssl/cfg/sys/adm/snmp SSL Configuration System Administrative applications SNMP Menu" (page 573).

clitimeout [ <integer> ]
    Set the CLI idle timeout value, in seconds.

audit
    Go to the Audit menu. To view menu options, see "/ssl/cfg/sys/adm/audit SSL Configuration System Administrative applications Audit Menu" (page 577).

telnet
    Set the telnet CLI access. Enables or disables Telnet access.
    When set to on with no machines added to the access list, all Telnet connections are allowed.
    When set to on with one or more machines added to the access list, only the specified machines are allowed Telnet access.
    When set to off, all Telnet connections are rejected, including connections from machines added to the access list.
    The default Telnet setting is off.

ssh
    Set the SSH CLI access. Enables or disables SSH access.
    When set to on with no machines added to the access list, all SSH connections are allowed.
    When set to on with one or more machines added to the access list, only the specified machines are allowed SSH access.
    When set to off, all SSH connections are rejected, including connections from machines added to the access list.
    The default SSH setting is off.

http
    Go to the HTTP access menu. To view menu options, see "/ssl/cfg/sys/adm/http SSL Configuration System Administrative applications HTTP Menu" (page 578).

https
    Go to the HTTPS access menu. To view menu options, see "/ssl/cfg/sys/adm/https SSL Configuration System Administrative applications HTTPS Menu" (page 579).

sshkeys
    Go to the SSH host keys menu. To view menu options, see "/ssl/cfg/sys/adm/sshkeys SSL Configuration System Administrative applications SSH Host keys Menu" (page 579).
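
The Telnet and SSH settings described above depend on the access list, and the combination "on with an empty access list" admits every source address. The Python sketch below is an added example, not Nortel code and not device output; the dictionary layout, the CIDR notation for access list entries and the sample configurations are assumptions constructed for illustration.

```python
import ipaddress


def cli_access_allowed(service_on, access_list, client_ip):
    """Apply the Telnet/SSH rule from the reference to one client address.

    service_on  -- True when the telnet or ssh setting is "on"
    access_list -- list of hosts or networks (CIDR strings, an assumed notation)
    client_ip   -- source address of the connection attempt
    """
    if not service_on:
        # "off" rejects every connection, even from machines on the access list.
        return False
    if not access_list:
        # "on" with nothing in the access list: all connections are allowed.
        return True
    addr = ipaddress.ip_address(client_ip)
    # "on" with entries present: only the listed machines or ranges are allowed.
    return any(
        addr in ipaddress.ip_network(entry, strict=False) for entry in access_list
    )


def audit_admin_access(settings):
    """Return findings for settings that leave the CLI reachable from anywhere."""
    findings = []
    acl = settings.get("accesslist", [])
    for service in ("telnet", "ssh"):
        if not settings.get(service, False):
            continue  # service is off, nothing is exposed
        if not acl:
            findings.append(
                f"{service}: on with an empty access list, all sources allowed"
            )
        for entry in acl:
            # A zero-length prefix matches every address, so the list restricts nothing.
            if ipaddress.ip_network(entry, strict=False).prefixlen == 0:
                findings.append(
                    f"{service}: access list entry {entry} matches every address"
                )
    return findings


# Constructed sample configurations (not taken from a real device).
SAMPLE_CONFIGS = {
    "default": {"telnet": False, "ssh": False, "accesslist": []},
    "ssh_open": {"telnet": False, "ssh": True, "accesslist": []},
    "ssh_restricted": {
        "telnet": False,
        "ssh": True,
        "accesslist": ["192.0.2.0/24", "198.51.100.7"],
    },
    "catch_all": {"telnet": True, "ssh": True, "accesslist": ["0.0.0.0/0"]},
}


if __name__ == "__main__":
    for name, cfg in SAMPLE_CONFIGS.items():
        results = audit_admin_access(cfg)
        print(name, "->", results if results else "no findings")
```

Populating the access list before switching either service on avoids the window in which the empty-list rule applies.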

/ssl/cfg/sys/adm/snmp SSL Configuration System Administrative applications SNMP Menu

[SNMP Menu]
     ena        - Enable SNMP
     dis        - Disable SNMP
     versions   - Set SNMP versions supported
     snmpv2-mib - SNMPv2-MIB menu
     community  - SNMP community menu
     users      - SNMP USM Users Menu
     target     - Notification target menu

SSL Configuration System Administrative applications SNMP Menu Options

Command Syntax and Usage

ena [true|false]
    Enable SNMP.

dis [true|false]
    Disable SNMP.

versions [ <SNMP_version_number> ]
    Set the SNMP version, such as v1.

snmpv2-mib
    Go to the SNMPv2-MIB menu. To view menu options, see "/ssl/cfg/sys/adm/snmp/snmpv2-mib SSL Configuration System Administrative applications SNMPv2 MIB SNMP" (page 574).

community
    Go to the SNMP community menu. To view menu options, see "/ssl/cfg/sys/adm/snmp/community SSL Configuration System Administrative applications SNMP Community M" (page 575).

users
    Go to the SNMP USM Users community menu. To view menu options, see "/ssl/cfg/sys/adm/snmp/users SSL Configuration System Administrative applications SNMP Users Menu" (page 575).

target
    Go to the Notification target menu. To view menu options, see "/ssl/cfg/sys/adm/snmp/target SSL Configuration System Administrative applications SNMP Target Menu" (page 576).

/ssl/cfg/sys/adm/snmp/snmpv2-mib SSL Configuration System Administrative applications SNMPv2 MIB SNMP Menu

[SNMPv2-MIB Menu]
     sysContact - Set sysContact
     sysName    - Set sysName
     sysLocatio - Set sysLocation
     snmpEnable - Set snmpEnableAuthenTraps

SSL Configuration System Administrative applications SNMPv2-MIB Menu Options

Command Syntax and Usage

sysContact [ <name_of_a_person> ]
    Set a system contact name. Designates a contact person for the managed iSD cluster, together with information on how to contact this person.

sysName [ <string, iSD_cluster_name> ]
    Assign a name to the managed iSD cluster.

sysLocatio [ <string> ]
    Set the system location.

snmpEnable [ <SNMP_trap_value> ]
    Set the snmpEnableAuthenTraps value.

/ssl/cfg/sys/adm/snmp/community SSL Configuration System Administrative applications SNMP Community Menu

[SNMP Community Menu]
     read  - Set Read Community String
     write - Set Write Community String
     trap  - Set Trap Community String

SSL Configuration System Administrative applications SNMP Community Menu Options

Command Syntax and Usage

read [ <string> ]
    Set the Read Community String. Specifies the monitor community name that grants read access to the Management Information Base (MIB). If no monitor community name is specified, read access is not granted. The default monitor community name is public.

write [ <string> ]
    Set the Write Community String. Specifies the control community name that grants read and write access to the Management Information Base (MIB). If no control community name is specified, neither write nor read access is granted.

trap [ <string> ]
    Set the Trap Community String. Specifies the trap community name that accompanies trap messages sent to the SNMP manager. If no trap community name is specified, the sending of trap messages is disabled. The default trap community name is trap.

/ssl/cfg/sys/adm/snmp/users SSL Configuration System Administrative applications SNMP Users Menu

To enter the /ssl/cfg/sys/adm/snmp/users menu level, you are prompted to create a userID if one does not already exist.

Enter user number or name: (1-1023) 1
Creating SNMP User 1
User name: Maint_Chief
Enter security level (none/auth/priv) [priv]: priv
Enter permission (list of get,set,trap): get
Enter auth password: <password>
Enter priv password: <password>
-----------------------------------------------------------
[SNMP User 1 Menu]
     name       - Set user name
     seclevel   - Set Security level
     permission - Set Permission
     authpasswd - Set Authentication Password
     privpasswd - Set Encryption Password
     del        - Remove SNMP User

SSL Configuration System Administrative applications SNMP Users Menu Options

Command Syntax and Usage

name [ <string> ]
    Set the user name.

seclevel [none|auth|priv]
    Set the user Security level.

permission [get|set|trap]
    Set user Permission.

authpasswd [ <string> ]
    Set the Authentication Password.

privpasswd [ <string> ]
    Set the Encryption Password.

del [ <SNMP_user_ID> ]
    Remove the SNMP User.

/ssl/cfg/sys/adm/snmp/target SSL Configuration System Administrative applications SNMP Target Menu

To enter the /ssl/cfg/sys/adm/snmp/target menu level, you are prompted to create a target if one does not already exist.

SSL Configuration System Administrative applications SNMP Target Menu Options

Command Syntax and Usage

ip [ IP_address ]
    Set the target IP address.

port [ port_number ]
    Disable SNMP.

version [v1|v2|v3]
    Set the SNMP version.

del
    Delete the SNMP target.

/ssl/cfg/sys/adm/audit SSL Configuration System Administrative applications Audit Menu

[Audit Menu]
     servers    - RADIUS Servers Menu
     vendorid   - Set vendor id for audit attribute
     vendortype - Set vendor type for audit attribute
     ena        - Enable Audit
     dis        - Disable Audit

SSL Configuration System Administrative applications Audit Menu Options

Command Syntax and Usage

servers
    Go to the Servers menu. To view menu options, see "/ssl/cfg/sys/adm/audit/servers SSL Configuration System Administrative applications Audit Servers Men" (page 577).

vendorid [ <string> ]
    Set the vendor ID.

vendortype [ <integer> ]
    Set the vendor type.

ena [ true|false ]
    Enable Audit.

dis [ true|false ]
    Disable audit.

/ssl/cfg/sys/adm/audit/servers SSL Configuration System Administrative applications Audit Servers Menu

[RADIUS Audit Servers Menu]
     list   - List all values
     del    - Delete a value by number
     add    - Add a new value
     insert - Insert a new value
     move   - Move a value by number

SSL Configuration System Administrative applications Audit Servers Menu Options

Command Syntax and Usage

list
    List all of the Audit server settings.

del <Audit_server_name>
    Delete the Audit server.

add [ <IP_address> <port> <secret> ]
    Add an Audit server.

insert [ <position> <IP_address> <port> <secret> ]
    Insert an Audit server into the Audit server list.

move <value> <value>
    Move the Audit server from one position to another in the server list.

/ssl/cfg/sys/adm/http
SSL Configuration System Administrative applications HTTP Menu

[HTTP Menu]
port  - Set HTTP Server port
ena   - Enable server
dis   - Disable server

SSL Configuration System Administrative applications HTTP Menu Options

Command Syntax and Usage

port [ <integer> ]
    Set the HTTP server port.
ena [true|false]
    Enable the HTTP server.
dis [true|false]
    Disable the HTTP server.


/ssl/cfg/sys/adm/https
SSL Configuration System Administrative applications HTTPS Menu

[HTTPS Menu]
port  - Set HTTPS Server port
ena   - Enable server
dis   - Disable server

SSL Configuration System Administrative applications HTTPS Menu Options

Command Syntax and Usage

port [ <integer> ]
    Set the HTTPS server port.
ena [true|false]
    Enable the HTTPS server.
dis [true|false]
    Disable the HTTPS server.

/ssl/cfg/sys/adm/sshkeys
SSL Configuration System Administrative applications SSH Host keys Menu

[SSH Host Keys Menu]
generate    - Generate new SSH host keys for the cluster
show        - Show current SSH host keys for the cluster
knownhosts  - SSH known host keys menu

SSL Configuration System Administrative applications SSH Host keys Menu Options

Command Syntax and Usage

generate [yes|no]
    Generate new SSH host keys for the server cluster.
show
    Show the SSH host keys for the server cluster.
knownhosts
    Go to the Known Host Keys menu. To view menu options, see "/ssl/cfg/sys/adm/audit/servers SSL Configuration System Administrative applications Audit Servers Men" (page 577).

/ssl/cfg/sys/adm/sshkeys/knownhosts

SSL Configuration System Administrative applications SSH Known Host keys Menu

[SSH Known Host Keys Menu]
list    - List known SSH keys of remote hosts
del     - Delete known SSH host key by index
add     - Add a new SSH host key
import  - Retrieve SSH key from remote host

SSL Configuration System Administrative applications Known SSH Host keys Menu Options

Command Syntax and Usage

list [yes|no]
    Display the known SSH keys of remote hosts.
del [ <hostkey_name> ]
    Delete a host key.
add
    Add a new SSH host key. Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
import [ <hostname_or_IP_address> ]
    Retrieve an SSH key from a remote host.

/ssl/cfg/sys/user
SSL Configuration System Menu

[User Menu]
passwd    - Change own password
expire    - Set password expire time interval
list      - List all users
del       - Delete a user
add       - Add a new user
edit      - Edit a user menu
caphrase  - Certadmin export passphrase

SSL Configuration System Menu Options

Command Syntax and Usage

passwd
    Change your current login password. The password can contain spaces and is case sensitive.
expire [DDdHHhMMmSS]
    Set the password expiry time and date.


list
    List all user accounts.
del
    Delete a user ID. Removes the specified user account from the system. Of the three built-in users (admin, oper, and root) only the oper user can be deleted. Only users with Administrator rights can delete user accounts.
add [ <string> ]
    Add a new user ID. After a user account is added, you must also assign the user account to a group. Only users with Administrator rights can add user accounts.
edit
    Go to the Edit a user menu. To view menu options, see "/ssl/cfg/sys/user/edit SSL Configuration System User Edit Menu" (page 581).
caphrase [ <string> ]
    Set the Certadmin export passphrase.

/ssl/cfg/sys/user/edit
SSL Configuration System User Edit Menu

[User User_1 Menu]
groups  - Groups menu
cur     - Display current setting

SSL Configuration System User Edit Menu Options

Command Syntax and Usage

groups
    Go to the Groups menu. To view menu options, see "/ssl/cfg/ssl SSL Configuration Server Menu" (page 492).
cur
    Display the user configurations.

/ssl/cfg/sys/user/edit/groups
SSL Configuration System User Edit Menu

[Groups Menu]
list  - List all values
del   - Delete a value by number
add   - Add a new value


SSL Configuration System User Edit Groups Menu Options

Command Syntax and Usage

list
    List all of the user groups information.
del [ <user_group_name> ]
    Delete a user group.
add [ <string>, <user_group_name> ]
    Add a user group.

/ssl/cfg/lang
SSL Configuration Language Support Menu

[Language Support Menu]
import  - Import language definition file
export  - Export language definition template
list    - List the loaded languages
vlist   - List ISO 639 language codes
del     - Delete (custom) language definition

SSL Configuration System Language Support Menu Options

Command Syntax and Usage

import [ <protocol> <host> <filename> <ISO_language_code> ]
    Import a language definition file from another host.
export [ <protocol> <host> <filename> ]
    Export a language definition file.
list [ <language_number> ]
    List the pre-defined languages that have been loaded.
vlist [ <language_shortform> ]
    List the ISO 639 language codes. If a language_shortform argument is used (e.g., en for English), all of the codes that contain the argument characters are listed.
del [ <language_definition_filename> ]
    Delete a language definition.

/ssl/boot


SSL Boot Menu


[Boot Menu]
software  - Software management menu
halt      - Halt the iSD
reboot    - Reboot the iSD
delete    - Delete the iSD

SSL Configuration Boot Menu Options

Command Syntax and Usage

software
    Go to Software Management menu. To view menu options, see "/ssl/boot/software SSL Performance Menu" (page 584).
halt
    Halt the iSD. The command stops the particular iSD host to which you have connected by Telnet, SSH, or a console connection. Always use this command before turning off the device. If you are connected by Telnet or SSH to the Management IP address (MIP), use the halt command in the iSD Host menu (/cfg/sys/cluster/host #) instead.
reboot
    Reboot the iSD. The command reboots the particular iSD host to which you have connected by Telnet, SSH or a console connection. If you are connected by Telnet or SSH to the Management IP address (MIP), use the reboot command in the iSD Host menu (/cfg/sys/cluster/host #) instead.
delete
    Delete an iSD host. Resets the particular iSD host to which you have connected via Telnet, SSH, or a console connection, to its factory default configuration (all IP configuration is lost). The software itself will remain intact. After having performed a delete, you can only access the device via a console connection. Log in as the admin user with the admin password to enter the Setup menu.

    Note: If you receive a warning that the iSD you are trying to delete has no contact with any (other) master iSD in the cluster, connect to the MIP address by Telnet or SSH and delete the iSD from the cluster by using the delete command in the iSD Host menu (/cfg/sys/cluster/host #).


    The /boot/delete command is primarily intended for situations when you want to delete an iSD host that has either become isolated from the cluster, or has been physically removed from the cluster without first performing the delete command from the iSD Host menu. Under these circumstances, you must use the /boot/delete command to present the Setup menu, from which you can perform the new and join commands.

/ssl/boot/software
SSL Performance Menu

[Software Management Menu]
cur       - Display current software status
activate  - Select software version to run
download  - Download new software pkg. via TFTP/FTP/SCP/SFTP
del       - Remove unpacked/old releases

SSL Performance Software Menu Options

Command Syntax and Usage

cur
    Display the current software status. For example:

    SSL >> Software Management# cur
    Version    Name  Status
    --------------
    4.1.1.11   SSL   old
    5.0.0.34   SSL   permanent

activate [ <software_version> ]
    Select the software version to run.
download [ <protocol> <host> <filename> ]
    Download a new software package.
del [ <software_version> ]
    Remove old software releases. Removes a software upgrade package that has been downloaded by using the tftp or ftp command, in case you do not want to activate the unpacked software upgrade package. Only software versions whose status is indicated as unpacked (using the cur command) can be removed.

/ssl/maint


SSL Performance Maintenance Menu


[Maintenance Menu]
hsm         - HSM menu
dumplogs    - Tech suppt dump log files to TFTP/FTP/SFTP server
dumpstat    - Tech suppt dump curr. status to TFTP/FTP/SFTP server
chkcfg      - Check applied configuration
starttrace  - Start Trace
stoptrace   - Stop Trace

SSL Performance Maintenance Menu Options

Command Syntax and Usage

hsm
    Go to the HSM menu. To view menu options, see "/ssl/maint/hsm SSL Performance HSM Menu" (page 585).
dumplogs
    Dump the log files. System log file information is collected from the iSD host you are connected to (or optionally, all iSD hosts in the cluster) and sent to a file in the gzip compressed tar format on the TFTP server you have specified. The information can then be used for technical support purposes. The file sent to the TFTP server does not contain any sensitive information related to the system configuration, such as certificates, private keys, and so on.
dumpstat
    Dump the current status. The current system internal status is collected from the iSD host you are connected to (or optionally, all iSD hosts in the cluster) and sent to a file in the gzip compressed tar format on the TFTP server you have specified. The information can then be used for technical support purposes.
chkcfg [all-isds | one-isd] [item...]
    Check the applied configuration.
starttrace [ <tags> ] [ <VPN> ]
    Start trace. Valid tags are all, aaa, dns, ike, ipsec, ippool, ssl, tg, pptp, upref, netdirect, net and direct_packet.
stoptrace
    Stop the Trace.

/ssl/maint/hsm


SSL Performance HSM Menu


The /ssl/maint/hsm menu is only available to HSM-enabled iSDs.

[HSM Menu]
login       - Login to HSM cards on local iSD
splitkey    - Split a wrap key onto CODE iKeys
changepass  - Change iKey password

SSL Performance Maintenance HSM Menu Options

Command Syntax and Usage

login <HSM-USER password for the currently inserted HSM-USER iKey>
    Lets you log in to an HSM card, using the HSM-USER iKey and the correct password.
splitkey
    Splits the wrap key used by the hardware security module onto the two black CODE iKeys.
changepass <card number [0 | 1] iKey [HSM-SO | HSM-USER] current password for the selected iKey new password for the selected iKey>
    Sets the password for an HSM-SO or an HSM-USER iKey.


Appendix Nortel Application Switch Operating System Syslog Messages


The following syntax is used when outputting syslog messages:

<Timestamp> <Log Label> Web OS <Thread ID>: <Message>

where

<Timestamp>
    The time of the message event is displayed in month day hour:minute:second format. For example: Aug 19 14:20:30
<Log Label>
    The following types of log messages are recorded: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG
<Thread ID>
    This is the software thread that reports the log message. The following thread IDs are recorded: stp, ip, slb, console, telnet, vrrp, system, web server, ssh, and bgp
<Message>
    The log message

Following is a list of potential syslog messages. To keep this list as short as possible, only <Thread ID> and Message are shown. The messages are sorted by <Log Label>. Where the <Thread ID> is listed as mgmt, one of the following may be shown: console, telnet, web server, or ssh.

LOG_WARNING
FILTER filter <filter number> fired on port <port number>, <source IP address> - <destination IP address>, [ <ICMP type> ], [ <IP protocol> ], [ <layer-4 ports> ], [ <TCP flags> ]


ntp: cannot contact primary NTP server ip_address
ntp: cannot contact secondary NTP server ip_address

LOG_ALERT
stp: own BPDU received from port port_id
IP: cannot contact default gateway ip_address
vrrp: received errored advertisement from ip_address
vrrp: received incorrect password from ip_address
vrrp: received incorrect addresses from ip_address
vrrp: received incorrect advertisement interval seconds from ip_address
slb: cannot contact real server ip_address
slb: real server ip_address has reached maximum connections
gslb: received update from ip_address for unknown remote server ip_address
gslb: received update from ip_address for unknown virtual service
gslb: received update for unknown remote server ip_address from ip_address
gslb: received update for unknown service ip_address:service
slb: cannot contact real service ip_address:real_port
slb: real server failure threshold ( threshold ) has been reach for group group_id
slb: real server ip_address disabled through configuration
slb: Virtual Service Pool full. gSvcPool=MAX_SERVICES
bgp: notification ( reason ) received from BGP peer ip_address
bgp: session with BGP peer ip_address failed ( reason )
vrrp: Synchronization from non-configured peer ip_address
vrrp: Synchronization from non-configured peer ip_address was blocked
dps: hold down triggered: ip_address for min minutes
dps: manual hold down: ip_address
syn_atk: SYN attack detected: count new half-open sessions per second
tcplim: hold down triggered: ip_address for min minutes
slb: real group number is down with advanced health check formula.


LOG_CRIT
SYSTEM: temperature at sensor sensor_id exceeded threshold
SYSTEM: internal power supply failed
SYSTEM: redundant power supply failed
SYSTEM: fan failure detected
SSH: cant allocate memory in load_MP_INT

LOG_ERR
mgmt: PANIC at file : line in thread thread id
mgmt: VERIFY at file : line in thread thread id
mgmt: ASSERT at file : line in thread thread id
ntp: unable to listen to NTP port
isd: unable to listen to BOOTP_SERVER_PORT port
stp: Error: Error writing STG config to FLASH
stp: Error: Error writing config to FLASH
mgmt: Apply not done
mgmt: Save not done
mgmt: "apply"|"save" is issued by another user. Try later
cli: Error: Error writing %s config to FLASH
cli: New Path Cost for Port port_id is invalid
cli: PVID vlan_id for port port_id is not created
cli: RADIUS secret must be 1-32 characters long
cli: Please configure primary RADIUS server address
cli: STP changes cant be applied since STP is OFF
cli: Switch reset is required to turn STP on/off
cli: Trunk group trunk_id contains ports with different PVIDs
cli: Trunk group trunk_id has more than max_trunk_ports ports
cli: Trunk group trunk_id contains no ports but is enabled
cli: Not all ports in trunk group trunk_id are in VLAN vlan_id
cli: Trunk groups trunk_id and trunk_id can not share the same port
port_mirr: Port Mirroring changes are not applied
cli: Broadcast address for IP interface interface_id is invalid
cli: IP Interfaces interface_id and interface_id are on the same subnet
cli: Multiple static routes have same destination


cli: Virtual router vr_id must have sharing disabled when hotstandby is enabled
cli: Virtual router group must be enabled when hotstandby is enabled
cli: At least one virtual router must be enabled when group is enabled
cli: Virtual router group must have sharing disabled when hotstandby is enabled
cli: Virtual router group must have preemption enabled when hotstandby is enabled
cli: Virtual router vr_id must have an IP address
cli: Virtual router vr_id cannot have same VRID and VLAN as vlan_id
cli: Virtual router vr_id cannot have same IP address as ip_address
cli: Virtual router vr_id corresponding virtual server server_id is not enabled
cli: Hot-standby must be enabled when a virtual router has a PIP address
cli: Virtual router vr_id IP interface should be interface_id
cli: Enabled real server server_id has no IP address
cli: Real server server_id has same IP address as IP interface interface_id
cli: Real server server_id has same IP address as switch
cli: Real server server_id (Backup for server_id ) is not enabled
cli: Real server server_id has same IP address as virtual server server_id
cli: Real server server_id has same IP address as real server server_id
cli: Real server group group_id cannot backup itself
cli: Real server server_id cannot be added to same group
cli: Enabled virtual server server_id has no IP address
cli: Virtual server server_id has same IP address as IP interface interface_id
cli: Virtual server server_id has same IP address as switch
cli: Virtual servers server_id and server_id with same IP address must support same layr3 configuration
cli: Real server server_id cannot be backup server for both real server server_id and group group_id
cli: Virtual server server_id has same IP address and vport as virtual server server_id
cli: RS server_id cant exist for VS server_id vport virtual_port
cli: Switch port port_id has same proxy IP address as port port_id
cli: Switch port port_id has same IP address as IP interface interface_id


cli: A hot-standby port cannot also be an inter-switch port
cli: There must be at least one inter-switch port if any hot-standby port exist
cli: With VMA, ports 1-8 must all have a PIP if any one does
cli: Client bindings are not supported with proxy IP addresses
cli: DAM must be turned on or a PIP must be enabled for port port_id in order for virtual server to support FTP parsing
cli: Real server server_id and group %u cannot both have backups configured
cli: Virtual server server_id : port mapping but layer3 bindings
cli: Extracting length has to set to 8 or 16 for cookie rewrite mode
cli: DAM must be turned on or a PIP must be enabled for port port_id in order for virtural server server_id to support URL parsing
cli: Port filtering must be disabled on port port_id in order to support cookie based persistence for virtual server server_id
cli: Virtual server server_id : port mapping but Direct Access Mode
cli: Virtual server %lu: support nonat IP but not layer 3 bindings
cli: Virtual servers: all that support IP must use same group
cli: Virtual servers server_id and server_id that include the same real server server_id cannot map the same real port or balance UDP
cli: Virtual server server_id : UDP service virtual_port with out-of-range port number
cli: Switch cannot support more than MAX_VIRT_SERVICES virtual services
cli: Switch cannot support more than MAX_SMT real services
cli: Trunk group ( trunk_id ) ports must have same L4 config
cli: Trunk group ( trunk_id ) ports must all have a PIP
cli: DAM must be turned on or a PIP must be enabled for ports port_id in order to do URL based redirection
cli: Two services have same hostname, host_name . domain_name
cli: Direct access mode is not supported with default gateway load balancing
cli: SLB Radius secret must be 16 characters long
cli: Dynamic NAT filter filter_id must be cached
cli: NAT filter filter_id must have same smask and dmask
cli: NAT filter filter_id cannot have port ranges
cli: NAT filter filter_id must be cached
cli: NAT filter filter_id dest range includes VIP server_id


cli: NAT filter filter_id dest range includes RIP server_id
cli: Redirection filter filter_id must be cached
cli: Filter with L4 ports configured port_id must have IP protocol configured
cli: For Global SLB, Web server must be moved from TCP port 80
cli: Remote site site_id does not have a primary IP address
cli: Primary and secondary remote site site_id switches must differ
cli: Remote sites site_id and site_id must use different addresses
cli: Remote site site_id and real server server_id must use different addresses
cli: Remote site site_id and virtual server server_id must use different addresses
cli: Only MAX_SLB_SITES remote servers are allowed per group
cli: Only MAX_SLB_SERVICES remote services are supported
cli: Enabled external lookup IP address has no IP address
cli: domain name must be configured
cli: Network static_network_id has no VIP address
cli: duplicate default entry
cli: BGP peer bgp_peer_id must have an IP address
cli: BGP peers bgp_peer_id and bgp_peer_id have same address
cli: BGP peer bgp_peer_id have same address as IP interface ip_interface_id
cli: BGP peer bgp_peer_id IP interface ip_interface_id is not enabled
cli: Filter with ICMP types configured ( icmp_type ) must have IP protocol configure to ICMP
cli: Two services have same hostname, host_name . domain_name
cli: Loadbalance string must be added to real server server_id in order to enable exclusionary string matching
cli: intrval input value must be in the range [0-24]
mgmt: unapplied changes reverted
mgmt: unsaved changes reverted
mgmt: Attempting to redirect a previously redirected output
vrrp: Attempting to redirect a previously redirected output
vrrp: cfg_sync_tx_putsn: ABORTED
vrrp: Synchronization TX Error
vrrp: Synchronization TX connection RESET
vrrp: Synchronization TX connection TIMEOUT

vrrp: Synchronization TX connection UNREACEABLE
vrrp: Synchronization TX connection UNKNOWN CLOSE
vrrp: Synchronization RX connection RESET
vrrp: Synchronization RX connection TIMEOUT
vrrp: Synchronization RX connection UNREACEABLE
vrrp: Synchronization RX connection UNKNOWN CLOSE
vrrp: Synchronization connection RCLOSE by peer
vrrp: Synchronization connection RCLOSE before RX
vrrp: Synchronization connection early RCLOSE in RX
vrrp: Synchronization connection Wait-For-Close Timeout
vrrp: Synchronization connection Transmit Timeout
vrrp: Synchronization Receive Timeout
vrrp: Synchronization Receive UNKNOWN Timeout
vrrp: Sync transmit in progress ... cannot start Sync
vrrp: Sync receive in progress ... cannot start Sync
vrrp: Sync already in progress ... cannot start Sync
vrrp: Config Sync route find error
vrrp: Config Sync tcp_open error
vrrp: Config Synchronization Timeout - Resuming Console thread
vrrp: "apply"|"save" is issued by another user. Try later
vrrp: new configuration did not validate (rc = )
vrrp: new configuration did not apply (rc = )
vrrp: new configuration did not save (rc = )
vrrp: Sync config apply error
vrrp: Restoring Current Config
vrrp: Sync rx tcp open error
vrrp: Sync Version/Password Failed-No Version/Password Line
vrrp: Sync Version Failed - peer:%s config:%s
vrrp: Sync Password Failed-Bad Password
vrrp: Sync receive already in progress ... cannot start Sync receive
vrrp: Sync transmit in progress ... cannot start Sync receive


LOG_NOTICE
system: system: system: system: system: system: mgmt: mgmt: mgmt: mgmt: mgmt: mgmt: mgmt: mgmt: mgmt: mgmt: mgmt: mgmt: mgmt: mgmt: mgmt: ssh: ssh: mgmt: mgmt: mgmt: mgmt: mgmt: mgmt: port_mirr: vlan: mgmt: mgmt: internal power supply ok redundant power supply present and ok temperature ok fan ok rebooted last_reset_information rebooted last_reset_information administrator logged in boot config block changed boot image changed switch reset from CLI syslog host changed to ip_address syslog host changed to this host second syslog host changed to ip_address second syslog host changed to this host Next boot will use active config block user password changed SLB operator password changed L4 operator password changed operator password changed SLB administrator password changed L4 administrator password changed administrator password changed scp login_level login "scp login_level ""connection closed""|""idle timeout""|""logout"" " RADIUS server timeouts Failed login attempt via TELNET from host %s PASSWORD FIX-UP MODE IN USE login_level login on Console " login_level ""idle timeout""|""logout"" from Console" PANIC command from CLI "port mirroring is ""enabled""|""disabled"" " Default VLAN can not be deleted login_level login from host ip_address " login_level ""connection closed""|""idle timeout""|""logout"" from"


IP: default gateway ip_address "enabled"|"disabled"
IP: default gateway ip_address operational
vrrp: virtual router ip_address is now master
vrrp: virtual router ip_address is now backup
slb: backup server ip_address "enabled"|"diabled" for real server server_id
slb: backup server ip_address "enabled"|"disabled" for real server group group_id
slb: backup group server ip_address "enabled"|"disabled" for real server group group_id
slb: overflow server ip_address "enabled"|"disabled" for real server server_id
slb: overflow server ip_address "enabled"|"disabled" for real server group group_id
slb: overflow group server ip_address "enabled"|"disabled" for real server group group_id
slb: real server ip_address operational
slb: real service ip_address:real_port operational
slb: No services are available for Virtual Server virtual_server
slb: Services are available for Virtual Server virtual_server
bgp: session established with BGP_peer_ip_address
slb: real group number is up with advanced health check formula

LOG_INFO
SYSTEM: bootp response from ip_address
mgmt: new configuration applied
mgmt: new configuration saved
mgmt: unsaved changes reverted
mgmt: Could not revert unsaved changes
mgmt: image1|image2 downloaded from host ip_address , file file_name software_version
mgmt: serial EEPROM downloaded from host ip_address file file_name
ssh: scp login_level login
ssh: scp login_level "connection closed"|"idle timeout"|"logout"
mgmt: login_level login on Console
mgmt: login_level "idle timeout"|"logout" from Console


mgmt: login_level login from host ip_address
mgmt: login_level "connection closed"|"idle timeout"|"logout" from Telnet/SSH.
ssh: server key autogen starts
ssh: server key autogen completes
ssh: server key autogen timer timeouts
vrrp: new synch configuration applied
vrrp: new synch configuration saved
vrrp: Synchronizing from host_name
vrrp: Synchronizing to host_name
vrrp: Config Synchronization Transmit Successful
vrrp: Config Synchronization Receive Successful
vrrp: new configuration VALIDATED
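
The following is an added example, not part of the Nortel documentation: a parser for the syslog syntax given at the start of this appendix, with triage rules for the authentication, configuration-sync and SYN-attack messages listed above. It assumes the label may appear with or without the LOG_ prefix and that the literal "Web OS" token may be absent; the sample lines, rule names and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Syntax from the appendix: <Timestamp> <Log Label> Web OS <Thread ID>: <Message>
# Assumptions (not stated on the page): the LOG_ prefix and the literal
# "Web OS" token are treated as optional so both spellings parse.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) +"
    r"(?:LOG_)?(?P<label>EMERG|ALERT|CRIT|ERR|WARNING|NOTICE|INFO|DEBUG) +"
    r"(?:Web OS +)?"
    r"(?P<thread>[A-Za-z_]+(?: server)?) *: *"   # "web server" is a two-word thread ID
    r"(?P<msg>.*)$"
)

# Security-relevant messages taken from the lists in this appendix.
# Rule names are hypothetical labels chosen for this example.
RULES = [
    ("failed_login", re.compile(r"Failed login attempt via TELNET from host (?P<src>\S+)")),
    ("syn_attack", re.compile(r"SYN attack detected: (?P<count>\d+) new half-open sessions per second")),
    ("hold_down", re.compile(r"hold down triggered: (?P<src>\S+) for (?P<minutes>\d+) minutes")),
    ("sync_auth_failure", re.compile(r"Sync Password Failed-Bad Password")),
    ("sync_unknown_peer", re.compile(r"Synchronization from non-configured peer (?P<src>\S+)")),
    ("vrrp_bad_password", re.compile(r"received incorrect password from (?P<src>\S+)")),
    ("password_changed", re.compile(r"(?:(?:SLB|L4) )?(?:user|operator|administrator) password changed")),
    ("syslog_target_changed", re.compile(r"(?:second )?syslog host changed to ")),
]


def parse_line(line):
    """Split one syslog line into ts/label/thread/msg, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(msg):
    """Return (rule_name, extracted_fields) for the first matching rule, else None."""
    for name, rx in RULES:
        m = rx.match(msg)
        if m:
            return name, m.groupdict()
    return None


def triage(lines):
    """Parse every line and keep only the events that match a rule."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue  # not in the documented syntax; ignore
        hit = classify(event["msg"])
        if hit:
            name, fields = hit
            findings.append({"rule": name, "ts": event["ts"],
                             "label": event["label"], "thread": event["thread"], **fields})
    return findings


def repeated_failed_logins(findings, threshold=3):
    """Sources with at least `threshold` failed Telnet logins in the batch."""
    counts = Counter(f["src"] for f in findings if f["rule"] == "failed_login")
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample input (documentation-range addresses, not real traffic).
SAMPLE = """\
Aug 19 14:20:30 LOG_NOTICE Web OS mgmt: Failed login attempt via TELNET from host 192.0.2.10
Aug 19 14:20:33 LOG_NOTICE Web OS mgmt: Failed login attempt via TELNET from host 192.0.2.10
Aug 19 14:20:37 LOG_NOTICE Web OS telnet: Failed login attempt via TELNET from host 192.0.2.10
Aug 19 14:21:02 LOG_NOTICE Web OS web server: administrator password changed
Aug 19 14:21:05 LOG_NOTICE Web OS mgmt: syslog host changed to 198.51.100.7
Aug 19 14:25:11 LOG_ALERT Web OS syn_atk: SYN attack detected: 4200 new half-open sessions per second
Aug 19 14:25:12 LOG_ALERT Web OS vrrp: Synchronization from non-configured peer 203.0.113.5 was blocked
Aug 19 14:26:00 LOG_ERR Web OS vrrp: Sync Password Failed-Bad Password
Aug 19 14:27:00 LOG_INFO Web OS mgmt: new configuration applied
garbage line that does not follow the syntax
"""

if __name__ == "__main__":
    results = triage(SAMPLE.splitlines())
    for f in results:
        print(f)
    print("repeated failed logins:", repeated_failed_logins(results))
```

A password change or syslog-host change that follows a burst of failed logins from one source is the sequence worth alerting on, since the second event redirects the audit trail itself.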


Appendix Nortel Application Switch Operating System SNMP Agent


The Nortel Application Switch Operating System SNMP agent supports SNMP Version 1, Version 2, and Version 3. Version 3 supports two authentication protocols: MD5 and SHA. Nortel MIBs are registered as Vendor 1872. Detailed SNMP MIBs and trap definitions of the Nortel Application Switch Operating System SNMP agent can be found in the following enterprise MIB documents:

    altroot.mib
    aosSwitch.mib
    aosPhysical.mib
    aosNetwork.mib
    aosLayer4.mib
    aosLayer7.mib
    aosBwm.mib
    aosTrap.mib

In addition, the following SynOptics MIBs are also supported:

    synro193.mib -- SynOptics Root MIB
    s5roo117.mib -- SynOptics Registration MIB
    s5tcs112.mib -- Textual Convention MIB
    s5emt104.mib -- Ethernet Multi segment Autotopology MIB

SNMPv1|v2|v3 traps can be sent to the hosts configured in the targetAddr table. Up to 16 IP addresses can be configured in the targetAddr table. The Nortel Application Switch Operating System SNMP agent supports the following standard MIBs:

    RFC 1213 - MIB II (System, Interface, Address Translation, IP, ICMP, TCP, UDP, SNMP Groups)

    RFC 1573 - MIB II Extension (IFX table)
    RFC 1643 - EtherLike MIB
    RFC 1493 - Bridge MIB
    RFC 1757 - RMON MIB (Statistics, History, Alarm, Event Groups)
    RFC 1850 for OSPF
    RFC 1657 for BGP
    IEEE 802.3ad MIB for LACP

The following SNMPv3 MIBs are supported:

    RFC 2571 - SNMP Framework
    RFC 2572 - MPD MIB
    RFC 2573 - Target MIB
    RFC 2574 - USM MIB
    RFC 2575 - VACM MIB
    RFC 2576 - Community MIB

The Nortel Application Switch Operating System SNMP agent supports the following generic traps as defined in RFC 1215:

    ColdStart
    WarmStart
    LinkDown
    LinkUp
    AuthenticationFailure

The SNMP agent also supports two Spanning Tree traps as defined in RFC 1493:

    NewRoot
    TopologyChange

The following are the enterprise SNMP traps supported in Nortel Application Switch Operating System:

Nortel Application Switch Operating System-Supported Enterprise SNMP Traps

Trap Name
    Description

altSwDefGwUp
    Signifies that the default gateway is alive.


altSwDefGwDown
    Signifies that the default gateway is down.
altSwDefGwInService
    Signifies that the default gateway is up and in service
altSwDefGwNotInService
    Signifies that the default gateway is alive but not in service
altSwSlbRealServerUp
    Signifies that the real server is up and operational
altSwSlbRealServerDown
    Signifies that the real server is down and out of service
altSwSlbRealServerMaxConnReached
    Signifies that the real server has reached maximum connections
altSwSlbBkupRealServerAct
    Signifies that the backup real server is activated due to availability of the primary real server
altSwSlbBkupRealServerDeact
    Signifies that the backup real server is deactivated due to the primary real server is available
altSwSlbBkupRealServerActOverflow
    Signifies that the backup real server is deactivated due to the primary real server is overflowed
altSwSlbBkupRealServerDeactOverflow
    Signifies that the backup real server is deactivated due to the primary real server is out from overflow situation
altSwfltFilterFired
    Signifies that the packet received on a switch port matches the filter rule
altSwSlbRealServerServiceUp
    Signifies that the service port of the real server is up and operational
altSwSlbRealServerServiceDown
    Signifies that the service port of the real server is down and out of service
altSwVrrpNewMaster
    The newMaster trap indicates that the sending agent has transitioned to Master state.
altSwVrrpNewBackup
    The newBackup trap indicates that the sending agent has transitioned to Backup state.
altSwVrrpAuthFailure
    A vrrpAuthFailure trap signifies that a packet has been received from a router whose authentication key or authentication type conflicts with this router's authentication key or authentication type. Implementation of this trap is optional.
altSwLoginFailure
    An altSwLoginFailure trap signifies that someone failed to enter a valid username/password combination.

Nortel Application Switch Operating System Command Reference NN47220-105 (320506-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.

600 Appendix Nortel Application Switch Operating System SNMP Agent

Trap Name altSwSlbSynAttack altSwTcpHoldDown

Description An altSwSlbSynAttack trap signifies that a SYN attack has been detected. An altSwTcpHoldDown trap signifies that new TCP connection requests from a particular client will be blocked for a pre-determined amount of time since the rate of new TCP connections from that client has reached a pre-determined threshold. An altSwTempExceedThreshold trap signifies that the switch temperature has exceeded maximum safety limits. An altSwSlbSessAttack trap signifies that an SLB attack has been detected. An altSwFanFailure trap signifies that a fan failure has occured. An altSwSlbVirtServerServicesUp trap signifies that the service ports of the virtual server is up and operational. An altSwSlbVirtServerServicesDown trap signifies that the service ports of the Virtual server is down and out of service. An altSwSlbRealGroupAdvhlUp trap signifies that the real group is up with advanced health check formula. An altSwSlbRealGroupAdvhlDown trap signifies that the real group is down with advanced health check formula. An altSwSlbBkupGroupAct trap signifies that the backup group is enabled while primary group is going down with advanced health check formula. An altSwSlbBkupGroupDeact trap signifies that the backup group is disabled while primary group is getting up with advanced health check formula. An altSwSlbRemoteRealServerUp trap signifies that the remote real server is up. An altSwSlbRemoteRealServerDown trap signifies that the remote real server has gone down and is out of service. An altSwSlbRealServerOperDis trap signifies that the real server is disabled operationally.

altSwTempExceedThreshold

altSwSlbSessAttack altSwFanFailure altSwSlbVirtServerServicesUp

altSwSlbVirtServerServicesDo wn altSwSlbRealGroupAdvhlUp

altSwSlbRealGroupAdvhlDow n altSwSlbBkupGroupAct

altSwSlbBkupGroupDeact

altSwSlbRemoteRealServerUp altSwSlbRemoteRealServerDo wn altSwSlbRealServerOperDis

Nortel Application Switch Operating System Command Reference NN47220-105 (320506-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.

Appendix

Nortel Application Switch Operating System SNMP Agent

601

Trap Name altSwSlbRealServerOperEna

Description An altSwSlbRealServerOperEna trap signifies that the real server is enabled operationally. An altSwIfcVlanDown trap signifies that all the interfaces in that vlan either disabled or moved to different vlan. An altSwPortVlanDown trap signifies that all the ports either down or moved to different vlan and interfaces are down in that vlan. An altSwIfcVlanUp trap signifies that interfaces are available for this vlan. An altSwPortVlanUp trap signifies that physical ports and interfaces are available for this vlan.

altSwIfcVlanDown

altSwPortVlanDown

altSwIfcVlanUp altSwPortVlanUp


Appendix Performing a Serial Download


You can perform a serial download of the new Nortel Application Switch software if you are upgrading Nortel Application Switch Operating System directly from any image. This procedure requires the following:
- A computer running terminal emulation software
- A standard serial cable with a male DB9 connector (see your switch hardware installation guide for specifics)
- A binary switch firmware image (not the tftp file used for TFTP download)

Use the following procedure to perform a serial upgrade.

1. Using the serial cable, connect the Console port of a Nortel Application Switch to the serial port of your PC that supports XModem/1K XModem.
2. Start HyperTerminal (part of Microsoft Windows) and set the following parameters:

Parameter | Value
Baud Rate | 9600
Data Bits | 8
Parity | None
Stop Bits | 1
Flow Control | None

3. Power on the switch.


4. Hold the Shift key down and press D repeatedly until the following message appears:

Nortel Application Switch - PPCBoot 2.2. To download a serial image use 1K Xmodem at 115200

5. Reconfigure your terminal emulation software with the following parameters (only after you see the message displayed in step 4):

Parameter | Value
Baud Rate | 115200
Data Bits | 8
Parity | None
Stop Bits | 1
Flow Control | None

Note: You can perform serial downloads at 57600 baud rate by pressing Shift f or at 115200 baud rate by pressing Shift d.

6. Press Enter on the keyboard of the PC that is connected to the console port of the switch. When the Console Port is successfully communicating with the PC, you will see: CCCC...
7. Make sure that the new binary firmware file is available on the computer. This file can be downloaded from the CD that is shipped with the switch. Select Transfer-Send File and choose the following:
   file: For example, "21.0.0.0_Serial.img" (or the file previously downloaded to the computer)
   protocol: 1K XMODEM
   It will take about 15 minutes for the transfer to complete.
   Note: Although slower, XMODEM will work too if you choose not to use 1K XMODEM.
8. Power off the switch, wait for a few seconds and power the switch on.

CAUTION
Do not power off the switch until you see the message: "Change your baud rate to 9600 bps and power cycle switch", otherwise, the switch will be inoperable.


The switch will boot with the new software load. You should see the following sample log on your screen:

Nortel Application Switch - PPCBoot 2.2. To download a serial image use 1K Xmodem at 115200
CCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Total bytes transferred: 0x4ff400
Extracting images... Do *NOT* power cycle the switch
Updating flash...
###################################################
##############
Change your baudrate to 9600 bps and power cycle the switch

End


Glossary
DIP (Destination IP Address)
The destination IP address of a frame.

Dport (Destination Port)


The destination port (application socket: for example, http-80/https-443/DNS-53).

NAT (Network Address Translation)


Any time an IP address is changed from one source IP or destination IP address to another address, network address translation can be said to have taken place. In general, half NAT is when the destination IP or source IP address is changed from one address to another. Full NAT is when both addresses are changed from one address to another. No NAT is when neither source nor destination IP addresses are translated. Virtual server-based load balancing uses half NAT by design, because it translates the destination IP address from the Virtual Server IP address, to that of one of the real servers.

Preemption
In VRRP, preemption will cause a Virtual Router that has a lower priority to go into backup should a peer Virtual Router start advertising with a higher priority.

Priority
In VRRP, the value given to a Virtual Router to determine its ranking with its peer(s). Minimum value is 1 and maximum value is 254. Default is 100. A higher number will win out for master designation.

Proto (Protocol)
The protocol of a frame. Can be any value represented by an 8-bit value in the IP header adherent to the IP specification (for example, TCP, UDP, OSPF, ICMP, and so on).


Real Server Group


A group of real servers that are associated with a Virtual Server IP address, or a filter.

Redirection or Filter-Based Load Balancing


A type of load balancing that operates differently from virtual server-based load balancing. With this type of load balancing, requests are transparently intercepted and "redirected" to a server group. "Transparently" means that requests are not specifically destined for a Virtual Server IP address that the switch owns. Instead, a filter is configured in the switch. This filter intercepts traffic based on certain IP header criteria and load balances it. Filters can be configured to filter on the SIP/Range (via netmask), DIP/Range (via netmask), Protocol, SPort/Range or DPort/Range. The action on a filter can be Allow, Deny, Redirect to a Server Group, or NAT (translation of either the source IP or destination IP address). In redirection-based load balancing, the destination IP address is not translated to that of one of the real servers. Therefore, redirection-based load balancing is designed to load balance devices that normally operate transparently in your network, such as a firewall, spam filter, or transparent Web cache.

RIP (Real Server)


Real Server IP Address. An IP address that the switch load balances to when requests are made to a Virtual Server IP address (VIP).

SIP (Source IP Address)


The source IP address of a frame.

SPort (Source Port)


The source port (application socket: for example, HTTP-80/HTTPS-443/DNS-53).

Tracking
In VRRP, a method to increase the priority of a virtual router and thus master designation (with preemption enabled). Tracking can be very valuable in an active/active configuration. You can track the following:
- Vrs: Virtual Routers in Master Mode (increments priority by 2 for each)
- Ifs: Active IP interfaces on the Nortel Application Switch (increments priority by 2 for each)
- Ports: Active ports on the same VLAN (increments priority by 2 for each)
- l4pts: Active Layer 4 Ports, client or server designation (increments priority by 2 for each)
- reals: healthy real servers (increments by 2 for each healthy real server)
- hsrp: HSRP announcements heard on a client designated port (increments by 10 for each)

VIP (Virtual Server IP Address)


An IP address that the switch owns and uses to load balance particular service requests (like HTTP) to other servers.

VIR (Virtual Interface Router)


A VRRP address that is an IP interface address shared between two or more virtual routers.

Virtual Router
A shared address between two devices utilizing VRRP, as defined in RFC 2338. One virtual router is associated with an IP interface. This is one of the IP interfaces that the switch is assigned. All IP interfaces on the Nortel Application Switch must be in a VLAN. If there is more than one VLAN defined on the Nortel Application Switch, then the VRRP broadcasts will only be sent out on the VLAN of which the associated IP interface is a member.

Virtual Server Load Balancing


Classic load balancing. Requests destined for a Virtual Server IP address (VIP), which is owned by the switch, are load balanced to a real server contained in the group associated with the VIP. Network address translation is done back and forth, by the switch, as requests come and go. Frames come to the switch destined for the VIP. The switch then replaces the VIP with one of the real server IP addresses (RIPs), updates the relevant checksums, and forwards the frame to the server for which it is now destined. This process of replacing the destination IP (VIP) with one of the real server addresses is called half NAT. If the frames were not half NATed to the address of one of the RIPs, a server would receive the frame that was destined for its MAC address, forcing the packet up to Layer 3. The server would then drop the frame, since the packet would have the DIP of the VIP and not that of the server (RIP).

VRID (Virtual Router Identifier)

In VRRP, a value between 1 and 255 that is used by each virtual router to create its MAC address and identify its peer for which it is sharing this VRRP address. The VRRP MAC address as defined in the RFC is 00-00-5E-00-01-{VRID}. If you have a VRRP address that two switches are sharing, then the VRID number needs to be identical on both switches so each virtual router on each switch knows whom to share with.


VRRP (Virtual Router Redundancy Protocol)


A protocol that acts very similarly to Cisco's proprietary HSRP address sharing protocol. The reason for both of these protocols is so devices have a next hop or default gateway that is always available. Two or more devices sharing an IP interface are either advertising or listening for advertisements. These advertisements are sent via a broadcast message to an address such as 224.0.0.18. With VRRP, one switch is considered the master and the other the backup. The master is always advertising via the broadcasts. The backup switch is always listening for the broadcasts. Should the master stop advertising, the backup will take over ownership of the VRRP IP and MAC addresses as defined by the specification. The switch announces this change in ownership to the devices around it by way of a Gratuitous ARP, and advertisements. If the backup switch didn't do the Gratuitous ARP, the Layer 2 devices attached to the switch would not know that the MAC address had moved in the network. For a more detailed description, refer to RFC 2338.

VSR (Virtual Server Router)


A VRRP address that is a shared Virtual Server IP address. VSR is a Nortel proprietary extension to the VRRP specification. The switches must be able to share Virtual Server IP addresses, as well as IP interfaces. If they didn't, the two switches would fight for ownership of the Virtual Server IP address, and the ARP tables in the devices around them would have two ARP entries with the same IP address but different MAC addresses.
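
The VRRP and VRID glossary entries, together with the altSwVrrpAuthFailure trap in the SNMP appendix, describe advertisements that a listening router either accepts or rejects. The following is an added example, not code from Nortel or from this manual: it applies the receive checks of RFC 2338 to constructed advertisements and marks the rejections that correspond to the authentication conflict the trap describes. The function names and the `local` settings dictionary are hypothetical, and only the no-authentication and simple text password types are handled.

```python
import hmac
import ipaddress
import struct

VRRP_GROUP = ipaddress.IPv4Address("224.0.0.18")  # address named in the glossary
AUTH_NONE, AUTH_SIMPLE = 0, 1  # RFC 2338 Auth Type values handled here


def inet_checksum(data: bytes) -> int:
    """16-bit one's complement of the one's complement sum of data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def vrrp_mac(vrid: int) -> str:
    """Virtual router MAC address, 00-00-5E-00-01-{VRID}."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be between 1 and 255")
    return f"00-00-5E-00-01-{vrid:02X}"


def build_advert(vrid, priority, addrs, auth_type=AUTH_NONE, key=b"", interval=1):
    """Build a VRRPv2 advertisement (used only to construct the samples)."""
    head = struct.pack("!BBBBBB", (2 << 4) | 1, vrid, priority,
                       len(addrs), auth_type, interval)
    tail = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    tail += key.ljust(8, b"\x00")[:8]  # 8 bytes of authentication data
    csum = inet_checksum(head + b"\x00\x00" + tail)
    return head + struct.pack("!H", csum) + tail


def check_advert(payload: bytes, ip_dst: str, ip_ttl: int, local: dict) -> str:
    """Apply the RFC 2338 receive checks; return "ok" or the reason to drop."""
    if ipaddress.IPv4Address(ip_dst) != VRRP_GROUP:
        return "wrong-destination"
    if ip_ttl != 255:
        return "ttl-not-255"  # VRRP is link-local; forwarded packets have a lower TTL
    if len(payload) < 16:
        return "truncated"
    vt, vrid, _prio, count, auth_type, interval = struct.unpack("!BBBBBB", payload[:6])
    if vt != (2 << 4) | 1:  # version 2, type 1 (advertisement)
        return "not-vrrpv2-advertisement"
    if len(payload) != 8 + 4 * count + 8:
        return "bad-length"
    if inet_checksum(payload) != 0:  # a valid message sums to zero
        return "bad-checksum"
    if vrid != local["vrid"]:
        return "unknown-vrid"
    if auth_type != local["auth_type"]:
        return "auth-type-mismatch"
    if auth_type == AUTH_SIMPLE:
        expected = local["key"].ljust(8, b"\x00")[:8]
        if not hmac.compare_digest(payload[-8:], expected):
            return "auth-key-mismatch"
    if interval != local["interval"]:
        return "interval-mismatch"
    return "ok"


def is_auth_failure(verdict: str) -> bool:
    """True for the two conditions the altSwVrrpAuthFailure trap describes."""
    return verdict in ("auth-type-mismatch", "auth-key-mismatch")


if __name__ == "__main__":
    # Hypothetical local settings and constructed packets, not captures.
    local = {"vrid": 1, "auth_type": AUTH_SIMPLE, "key": b"s3cret", "interval": 1}
    samples = {
        "peer": (build_advert(1, 100, ["192.0.2.1"], AUTH_SIMPLE, b"s3cret"), 255),
        "wrong key": (build_advert(1, 120, ["192.0.2.1"], AUTH_SIMPLE, b"other"), 255),
        "no auth": (build_advert(1, 254, ["192.0.2.1"]), 255),
        "off-link": (build_advert(1, 254, ["192.0.2.1"], AUTH_SIMPLE, b"s3cret"), 254),
    }
    print("virtual MAC for VRID 1:", vrrp_mac(1))
    for name, (pkt, ttl) in samples.items():
        verdict = check_advert(pkt, "224.0.0.18", ttl, local)
        print(f"{name:10} {verdict:20} auth failure: {is_auth_failure(verdict)}")
```

The simple text password is carried in clear text in every advertisement, so the key comparison catches misconfigured peers rather than a sender on the same segment that can read the traffic; the TTL and destination checks are what keep off-link packets out of the election.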

Index
Symbols/Numerics
(MD5) 433 (SLB real server group option) content 367 / command 37 1K XModem 603 3000 series 259 administrator account 32 admpw (system option) 249 advertisement of virtual IP addresses 308 aging STP bridge option 285 STP information 76 application redirection 358, 393 lter states 102 lters 358 within real server groups 367 apply (global command) 219 applying conguration changes 219 ASCII terminal 28 auto-negotiation conguring ow control 268 enable/disable on port 259, 263, 265, 268 autonomous system lter action 307 autonomous system lter path action 307 as 307 aspath 307

A
abbreviating commands (CLI) 40 access control system 245 action (SLB ltering option) 393 activating optional software 452 active conguration block 220, 459 active FTP SLB parsing statistics 183 active IP interface 341 active Layer 4 processing 341 active port VLAN 341 active switch conguration gtcfg 353 ptcfg 353 restoring 353 active switch, saving and loading conguration 353 add SLB port option 410 addr ARP entries 467 IP route tag 84 Address Resolution Protocol (ARP) address list 467

B
backup SLB real server group option 368 backup conguration block 220, 459 backup server activations (SLB statistics) 168, 190 bandwidth management conguration 270 contracts 271 bandwidth management contract precedence value 273

Nortel Application Switch Operating System Command Reference NN47220-105 (320506-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.

612 Index

bandwidth management contract conguration 224, 273 Bandwidth Management options operations-level options 449 bandwidth management policy conguration 276 buffer limit 277 hard bandwidth limit 276 over the limit TOS 277 reserve limit 276 soft bandwidth limit 276 underlimit TOS 276 bandwidth management statistics 194 banner (system option) 222 baud rate console connection 28 serial download 603, 604 BBI 27 BGP conguration 321 eBGP 321 iBGP 321 in route 324 IP address, border router 323 IP route tag 84 keep-alive time 323 peer 321 peer conguration 322 redistribution conguration 324 remote autonomous system 323 router hops 324 binary 603 binary rmware image 604 binding failure 168, 190 binding table 383 BLOCKING (port state) 76 boot options menu 455 BOOTP 29 system option 222 bootstrap protocol 328 Border Gateway Protocol 84 conguration 321 Border Gateway Protocol (BGP) operations-level options 452 BPDU. See Bridge Protocol Data Unit. 284 bridge parameter menu, for STP 283 bridge priority 76

Bridge Protocol Data Unit (BPDU) 76 STP transmission frequency 284 Bridge Spanning-Tree parameters 284 broadcast IP route tag 84 IP route type 83 broadcast domains 290 Browser-Based Interface 27 BWM contract rate statistics 197 contract statistics 196 history statistics 198 port 195 switch processor contract statistics 196 switch processor rate contract statistics 196

C
capture dump information to a le 470 Cisco Ether Channel 286 clear ARP entries 467 dump information 471 FDB entry 466 routing table 468 clearing SLB statistics 193, 193 client trafc processing 408 command (help) 37 Command-Line Interface (CLI) 27, 33, 35 commands abbreviations 40 conventions used in this manual 25 global commands 36 shortcuts 40 stacking 40 tab completion 40 conguration administrator password 249 apply changes 219 default gateway interval, for health checks 297 default gateway IP address 297 dump command 352 effect on Spanning-Tree Protocol 219 Fast Ethernet 257 ow control 259, 262, 265, 267

Nortel Application Switch Operating System Command Reference NN47220-105 (320506-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.

Index 613

Gigabit Ethernet 257, 261, 263 IP static route 298 date Layer 4 administrator password 249 system option 221 operating mode 259, 262, 267 debugging 463 port link speed 258, 262, 267 default gateway port mirroring 269 information 82 port trunking 286 interval, for health checks 297 route cache 302 metrics 344 save changes 219 round robin, load balancing for 344 setup command 349 default password 32 switch IP address 296 delete TACACS+ 228 FDB entry 466 user password 248 deny (ltering) 191 view changes 219 designated port. 88 VLAN default (PVID) 257, 261, 263, 266 diff (global) command, viewing changes 219 VLAN IP interface 296 dip (destination IP address for ltering) 395 VLAN tagging 257, 261, 264, 266 direct (IP route type) 83 VRRP 329 directed broadcasts 302 conguration block DISABLED (port state) 76 active 459 disconnect idle timeout 33 backup 459 Distributed Site State Protocol (DSSP) factory 459 setting update interval 411 selection 459 dmask conguration menu 217 destination mask for ltering 395 conguring routing information protocol 308 DNS statistics 155 connecting Domain Name System (DNS) via console 28 health checks 371 via Telnet 28 downloading software 456 connection timeout (Real Server Menu dropped frames (No Server Available) option) 383 counter 168, 190 console port dump communication settings 28 conguration command 352 connecting 28 maintenance 463 serial download settings 603, 604 state information 472 content duplex mode SLB real server group option 367 link status 44, 57, 114 contracts, bandwidth management 271 dynamic routes 468 cost STP information 76 STP port option 286 emulation software 603 counters, No Server Available (dropped EtherChannel frames) 168, 190 as used with port trunking 286 CPU statistics 212, 213 CPU utilization 212, 213 cur (system option) 228, 231 current bindings 168, 190 factory conguration block 459

Nortel Application Switch Operating System Command Reference NN47220-105 (320506-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.

614 Index

health check types, SLB 370, 370 Fast Ethernet Physical Link 257 health checks 361 Fast Ethernet, conguring ports for 257 default gateway interval, retries 297 fastage 429 IDSLB 370 FDB statistics 134 layer information 101 ber optic ports 263 parameters for most protocols 371 File Transfer Protocol 183 redirection (rport) 394 lter statistics 177 retry, number of failed health checks 297 ltered (denied) frames 169, 191 script 433 lters SNMP 372, 435 IP address ranges 395 WAP 436 xed hello IP route tag 83 STP information 76 ag eld 88 help 37 ow control 44, 114 host routes 308 conguring 259, 262, 265, 267 Hot Standby Router on VLAN (HSRV) forwarding conguration use with VLAN-tagged environment 335 IP forwarding conguration 301 VRRP priority increment value 343 forwarding database (FDB) 463 Hot Standby Router Protocol (HSRP) delete entry 466 Forwarding Database Information Menu 70 priority increment value for L4 client ports 343 Forwarding Database Menu 465, 476 use with VRRP 334, 341 forwarding state (FWD) 72, 76, 78 VRRP priority increment value 343 FTP server health checks 371 Hot Standby Router VLAN (HSRV) FTP SLB maintenance statistics 184 use with VRRP 341 FTP SLB statistics dump 184 hot-standby failover 339 fwd (STP bridge option) 284 HP-OpenView 27 FwdDel (forward delay), bridge port 76 hprompt system option 222 HSRP. See Hot Standby Router gig (Port Menu option) 257, 261, 263 Protocol. 343 Gigabit Ethernet HSRV. See Hot Standby Router conguration 257, 261, 263 Protocol. 343 Gigabit Ethernet Physical Link 257, 261, HTTP 263 application health checks 371 global commands 36 redirects (Global SLB option) 412 global SLB maintenance statistics 173 system option 246 global SLB statistics 170 http 246 grace HTTP health checks graceful real server failure 428 on any port (aphttp) 433 Greenwich Mean Time (GMT) 231, 231, 231 group 176 ICMP statistics 155 gtcfg (TFTP load command) 353 idle timeout overview 33 IDSLB health checks 370 hash metric 374

Nortel Application Switch Operating System Command Reference NN47220-105 (320506-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.

Index 615

IEEE standards 802.1d Spanning-Tree Protocol 75, 282 l4apw (L4 administrator system option) 249 image Layer 4 downloading 456 administrator account 31, 32 software, selecting 457 Layer 4 processing IMAP server health checks 371 active 341 imask (IP address mask) 427 layer 7 SLB maintenance statistics 179 incorrect VIPs (statistic) 168, 190 layer 7 SLB string statistics 179 incorrect Vports (dropped frames layer7 redirection statistics 178, , 182 counter) 168, 190 LDAP version 433 indirect (IP route type) 83 LEARNING (port state) 76, 76 Information least connections (SLB Real Server Trunk Group Information 78, 78 metric) 370, 374 Information Menu 43 licence certicate 452 Interface change stats 142 license password 453 interface statistics 157 link IP address speed, conguring 258, 262, 267 ARP information 86 link status 44 BOOTP 29 command 114 conguring default gateway 297 duplex mode 44, 57, 114 lter ranges 395 port speed 44, 57, 114 local route cache ranges 303 Link Status Information 113 Telnet 28 linkt (SNMP option) 234 IP address mask for SLB 427 LISTENING (port state) 76 IP forwarding 327 lmask (routing option) 82 directed broadcasts 302 lnet (routing option) 82 local networks for route caching 302 local (IP route type) 83 IP forwarding information 82 local network for route caching 302 IP Information Menu 82, 98 local route cache IP interface 296 IP address ranges for 303 active 341 log conguring address 296 syslog messages 223 conguring VLANs 296 logical segment. See IP subnets. 
290 IP interfaces 83 information 82 IP route tag 84 priority increment value (ifs) for VRRP 343MAC (media access control) address 46, 70, 86, 453, 466 IP network lter conguration 304 switch location 29 IP port conguration 327 Main Menu 35 IP Route Manipulation Menu 468 summary 36 IP routing Maintenance Menu 463 tag parameters 83 Management Processor (MP) 469 IP Static Route Menu 298 display MAC address 46 IP statistics 143 manual style conventions 25 IP subnets martian VLANs 290 IP route tag (ltered) 84

Nortel Application Switch Operating System Command Reference NN47220-105 (320506-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.

616 Index

IP route type (ltered out) 83 mask IP interface subnet address 296 MaxAge (STP information) 76 mcon (maximum connections) 168, 168, 190, 190, 368 MD5 authentication key 313 MD5 cryptographic authentication 315 MD5 key 317 media access control. See MAC address. 70 metric SLB real server group option 367 metrics, SLB 373 minimum misses (SLB real server metric) 370, 374 Miscellaneous Debug Menu 469, 486 mmask IP address mask for SLB 427 mnet management trafc IP address for SLB 427 monitor port 269 mp packet 209 MP. See Management Processor. 469 multi-links between switches using port trunking 78, 286 multicast IP route tag 84 IP route type 83 mxage (STP bridge option) 284

N
nbr change statistics 141 Network Address Translation (NAT) lter action 393 network management 27 non TCP/IP frames 168, 190 notice 222 NTP synchronization 231 NTP time zone 231

O
octet counters 175 online help 36, 37

operating mode, conguring 259, 262, 267 operations menu 443 operations-level BGP options 452 operations-level BWM options 449 operations-level IP options 451 Operations-Level Port Options 445 operations-level SLB options 445 operations-level VRRP options 448 optional software 44, 116 activating 452 removing 453 OSPF area types 92, 312 ospf area index 313, 314 authentication key 317 conguration 312 cost of the selected path 317 cost value of the host 320 dead, declaring a silent router to be down 317 dead, health parameter of a hello packet 318 export 321 xed routes 321 general 140 global 140 hello, authentication parameter of a hello packet 318 host entry conguration 319 host routes 313 interface 313 interface conguration 316 link state database 313 MD5 authentication key 313 Not-So-Stubby Area 314 priority value of the switch interface 317 range number 313 redistribution menu 313 route redistribution conguration 320 spf, shortest path rst 315 stub area 314 summary range conguration 315 transit area 314 transit delay 317 type 314 virtual link 313

Nortel Application Switch Operating System Command Reference NN47220-105 (320506-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.

Index 617

virtual link conguration 317 virtual neighbor, router ID 318 OSPF Database Information 94 OSPF general 92 OSPF General Information 93 OSPF Information 92 OSPF Information Route Codes 96 OSPF statistics 139, 146 overow server activations 168, 190 overow servers 361

panic command 472 switch (and Maintenance Menu option) 463 parameters tag 83 type 83 Passive FTP SLB Parsing Statistics 184 password administrator account 32 default 32 L4 administrator account 31, 32 user account 31 VRRP authentication 342 Password user access control 248 passwords 31 persistent bindings real server 383 ping 38, 359 PIP 439 POP3 server health checks 371 port bandwidth management switch processorquiet (screen display option) 38 statistics 195 switch port contract statistics menu 194 port conguration 255 RADIUS Port Menu server authentication 372 conguration options 261 read community string (SNMP option) 233 conguring Fast Ethernet 257 conguring Gigabit Ethernet (gig) 257, real server statistics 175 261, 263 real server global SLB statistics 171 port mirroring real server group options

conguration 269 Port number 114 port speed 44, 57, 114 port states UNK (unknown) 72 port trunking description 286 port trunking conguration 286 ports disabling (temporarily) 268 information 115 IP status 82 membership of the VLAN 70, 79 priority 76 RJ-45 256 SLB state information 102 STP port priority 285 VLAN ID 44, 115 preemption assuming VRRP master routing authority 333 virtual router 332, 340 priority virtual router 339 priority (STP port option) 285 prisrv primary radius server 227 proxies IP address translation 362 proxy IP address (PIP) 102 proxy IP address (PIP) conguration 439 ptcfg (TFTP save command) 353 PVID (port VLAN ID) 44, 115 pwd 38

Q R

Nortel Application Switch Operating System Command Reference NN47220-105 (320506-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.

618 Index

add 370 real server group SLB conguration 366 save (global command) 219 real server group statistics 176 noback option 220 real server groups save command 459 combining servers into 367 script statistics 176 health checks 433 real server SLB conguration 358 scriptable health checks conguration 433 real servers secret backup 368 radius server 227 priority increment value (reals) for secsrv VRRP 343 secondary radius server 227 SLB state information 101 security reboot 463, 472 VLANs 290 receive ow control 259, 263, 265, 268, 268 segmentation. See IP subnets. 290 redir (SLB ltering option) 393 segments. See IP subnets. 290 reference ports 72 serial cable 28 referenced port 88 serial download 603 remote monitoring on the port (rmon) 445 Server Load Balancing remote site servers 362 IDS 365 removing optional software 453 operations-level options 445 reset key combination 463 real server weights 359 retries server load balancing radius server 228 client trafc processing 408 retry health check 370 health checks for default gateway 297 health check types 370 rip metrics 373, 373 IP route tag 84 port options 410 RIP. See Routing Information Protocol. 309 server trafc processing 408 rmkey 453 server load balancing conguration round robin options 355 as used in gateway load balancing 344 Server Load Balancing Maintenance roundrobin Statistics Menu 182, 183, 188 SLB Real Server metric 370, 375 server port mapping 101 route server trafc processing 408 cache conguration 302 Session Binding Table 360 route statistics 150 session identier 378 router hops 324 setup command, conguration 349 routing information protocol SFD statistics conguration 308 mp specic 211 Routing Information Protocol (RIP) 84 SFP GBIC ports 263 options 309 shortcuts (CLI) 40 split horizon 311 single-mode ports copper ports Port Menu rport conguration options 260 SLB virtual server option 380 SIP (source IP address for ltering) 395 RTSP SLB statistics 185 SLB ltering option Rx/Tx statistics 140 action 393
Nortel Application Switch Operating System Command Reference NN47220-105 (320506-D) 01.01 Standard 24.0 28 January 2008
Copyright 2008, Nortel Networks
.

Index 619

SLB Information 100 SLB layer7 statistics 177 SLB real server group health checks arp 370 dns 371 ftp 371 http 370 icmp 370 imap 371 ldap 372 radius 371 script 372 smtp 371 SNMP 372 sslh 371 tcp 370 udpdns 372 wsp 372 wtls 372 SLB real server group option application health checking 368 health checking 368 metric 367 SLB real server option backup 360 intr (interval) 361 maxcon (maximum connections) 359 name, alias for each real server 359 restr (restore) SLB real server UDP option 361 retry 361 RIP, real server IP address 359 submac 362 tmout (time out) 360 weights 359 slowage 429 smask source mask for ltering 395 smtp 222 SMTP server health checks 371 snap traces buffer 469 SNMP 27, 118 health checks 435 HP-OpenView 27 menu options set and get access 233

SNMP Agent 597 SNMP health check conguration 435 SNMP health checks 372 software image le and version 46 license 452 software image 456 SP specic statistics 212 spanning tree conguration 282 Spanning-Tree Protocol 78, 219 bridge aging option 285 bridge parameters 284 bridge priority 76 port cost option 286 port priority option 285 root bridge 76, 284 switch reset effect 460 split horizon 311 SSL 383 secure socket layer statistics 182 stacking commands (CLI) 40 state (STP information) 76 state information, client system 383 static IP route tag 83 static route rem 299, 300 statis route add 299, 300 statistics group 176 management processor 208 Statistics Menu 117 subnet address maskconguration IP subnet address 296 subnets IP interface 295 switch resetting 460 Switch Processor (SP) 469 display trace buffer 470 swkey 452 SYN attack detection conguration 429 sync 446 synchronization VRRP switch 424, 445

time-to-live, DNS response (global SLB syslog menu option) 417 system host log configuration 222 timeout system radius server 228 contact (SNMP option) 233 timeouts date and time 43, 46 idle connection 33 location (SNMP option) 233 system access control configuration 245 timers kickoff 143 tnet System Maintenance Menu 465 system option 246 system options tnport admpw (administrator password) 249 system option 246 BOOTP 222 cur (current system parameters) 228, 231 TPCP (Transparent Proxy Cache Protocol) 428 date 221 trace buffer 469 hprompt 222 Switch Processor 470 HTTP access 246 traceroute 38 l4apw (Layer 4 administrator Tracking password) 249 VRRP 331, 336 login banner 222 transmit flow control 259, 263, 265, 268, time 221 268 tnet 246 transparent proxies, when used for NAT 394 tnport 246 Trunk Group Information 78, 78 usrpw (user password) 248 ttl (time to live, global SLB menu option) 411 system parameters, current 228, 231 type of area ospf 314 type parameters 83 tab completion (CLI) 40 typographic conventions, manual 25 TACACS+ 228 tzone 231, 231 TCP

fragments 378 health checking using 361 health checks 371 source and destination ports 392 TCP statistics 159, 210 Telnet 28 BOOTP 29 configuring switches using 352 telnet radius server 228 terminal emulation 28 text conventions 25 TFTP 456 PUT and GET commands 353 TFTP server 353 time system option 221

U
UCB statistics 211 UDP datagrams 168, 190 server status using 361 source and destination ports 392 UDP statistics 161 unknown (UNK) port state 72 Unscheduled System Dump 473 upgrade, switch software 456 URL for health checks 102 user account 31 usrpw (system option) 248 Uuencode Flash Dump 470

V
verbose 38

VLANs vip ARP entry information 86 advertisement of virtual IP addresses as broadcast domains 290 Host Routes 308 information 78 IP route tag 84 multiple spanning trees 282 virtual IP address (VIP) 101 virtual port state, SLB information about 101 name 70, 78 port membership 70, 79 virtual router security 290 description 331 setting default number (PVID) 257, 261, priority 339 263, 266 tracking criteria 334 Spanning-Tree Protocol 282 virtual router group tagging 44, 115, 292 VRRP priority tracking 339 VLAN Number 78 virtual router group configuration 338 VRID (virtual router ID) 331, 339 virtual router group priority tracking 340 Virtual Router Redundancy Protocol (VRRP) VRRP interface configuration 342 authentication parameters for IP master advertisements 332 interfaces 342 tracking 331, 336 group options (prio) 339 tracking configuration 342 operations-level options 448 virtual router sharing 333 password, authentication 342 priority election for the virtual router 332 VRRP Information 98 priority tracking options , VRRP master advertisements Virtual Router Redundancy Protocol time interval 340 configuration 329 VRRP statistics 153 virtual router sharing 340 virtual routers HSRP failover 334, 341 WAP HSRP priority increment value 343 health checks 436 HSRV 341 WAP health check HSRV priority increment value 343 wspport 436, 437 increasing priority level of 333, 337 wtlsprt 436, 437 incrementing VRRP instance 335 WAP health check configuration 436 master preemption (preem) 340 WAP SLB statistics 187 master preemption (prio) 332 watchdog timer 464 priority increment values (vrs) for web-based management interface 27 VRRP 343 weights virtual server global SLB statistics 172 for SLB real servers 375 virtual server SLB statistics 177 setting virtual router priority values 343 virtual servers 370 write community string (SNMP option) 233 SLB state information 101 wspport statistics 177 WAP health check 436, 437 VLAN wtlsprt active port 341 WAP health check 436, 437 configuration 290
VLAN tagging port configuration 257, 261, 264, 266 XModem 603 port restrictions 292

Nortel Application Switch Operating System

Command Reference
Copyright 2008, Nortel Networks All Rights Reserved. Publication: NN47220-105 (320506-D) Document status: Standard Document version: 01.01 Document date: 28 January 2008 To provide feedback or report a problem in this document, go to www.nortel.com/documentfeedback Sourced in Canada, India and the United States of America The information in this document is subject to change without notice. Nortel Networks reserves the right to make changes in design or components as progress in engineering and manufacturing warrant. *Nortel, Nortel Networks, the Nortel logo and the Globemark are trademarks of Nortel Networks. Trademarks are acknowledged with an asterisk (*) at their first appearance in the document. All other trademarks are the property of their respective owners.
