
Performance by Design

AX Series Advanced Traffic Manager

Command Line Interface


Reference
Document No.: D-030-01-00-0003
Ver. 2.4.3 6/21/2010

Headquarters
A10 Networks, Inc.
2309 Bering Dr.
San Jose, CA 95131-1125 USA
Tel: +1-408-325-8668 (main)
Tel: +1-408-325-8676 (support)
Fax: +1-408-325-8666
www.a10networks.com

A10 Networks, Inc. 6/21/2010 - All Rights Reserved

Information in this document is subject to change without notice.


Trademarks:
A10 Networks, the A10 logo, ACOS, aFleX, aXAPI, IDaccess, IDsentrie, IP-to-ID,
SoftAX, Virtual Chassis, and VirtualN are trademarks or registered trademarks of
A10 Networks, Inc. All other trademarks are property of their respective owners.
Patents Protection:
A10 Networks products including all AX Series products are protected by one or
more of the following US patents and patents pending: 7716378, 7675854, 7647635,
7552126, 20090049537, 20080229418, 20080040789, 20070283429, 20070271598,
20070180101
A10 Networks Inc. software license and end users agreement
Software for all AX Series products contains trade secrets of A10 Networks and its
subsidiaries and Customer agrees to treat Software as confidential information.
Anyone who uses the Software does so only in compliance with the terms of this
Agreement. Customer shall not:
1) reverse engineer, reverse compile, reverse de-assemble or otherwise translate the
Software by any means
2) sublicense, rent or lease the Software.
Disclaimer
The information presented in this document describes the specific products noted
and does not imply nor grant a guarantee of any technical performance nor does it
provide cause for any eventual claims resulting from the use or misuse of the products described herein or errors and/or omissions. A10 Networks, Inc. reserves the
right to make technical and other changes to their products and documents at any
time and without prior notification.
No warranty is expressed or implied; including and not limited to warranties of noninfringement, regarding programs, circuitry, descriptions and illustrations herein.
Environmental Considerations
Some electronic components may possibly contain dangerous substances. For information on specific component types, please contact the manufacturer of that component. Always consult local authorities for regulations regarding proper disposal of
electronic components in your area.
Further Information
For additional information about A10 products, terms and conditions of delivery, and
pricing, contact your nearest A10 Networks, Inc. location which can be found by visiting www.a10networks.com.

AX Series - Command Line Interface - Reference


About This Document

Obtaining Technical Assistance


For all customers, partners, resellers, and distributors who hold valid A10
Networks Regular and Technical Support service contracts, the A10 Networks Technical Assistance Center provides support services online and
over the phone.

Corporate Headquarters
A10 Networks, Inc.
2309 Bering Dr.
San Jose, CA 95131-1125 USA
Tel: +1-408-325-8668 (main)
Tel: +1-888-822-7210 (support toll-free in USA)
Tel: +1-408-325-8676 (support direct dial)
Fax: +1-408-325-8666
www.a10networks.com

Collecting System Information


The AX device provides a simple method to collect configuration and status
information for Technical Support to use when diagnosing system issues.
To collect system information, use either of the following methods.

USING THE GUI (RECOMMENDED)


1. Log into the GUI.
2. Select Monitor > System > Logging.
3. On the menu bar, click Show Tech.
4. Click Export. The File Download dialog appears.
5. Click Save. The Save As dialog appears.
6. Navigate to the location where you want to save the file, and click Save.
7. Email the file as an attachment to support@A10Networks.com.


USING THE CLI


1. Log into the CLI.
2. Enable logging in your terminal emulation application, to capture output generated by the CLI.
3. Enter the enable command to access the Privileged EXEC mode of the
CLI. Enter your enable password at the Password prompt.
4. Enter the show techsupport command.
5. After the command output finishes, save the output in a file.
6. Email the file as an attachment to support@A10Networks.com.
Note: As an alternative to saving the output in a log file captured by your terminal emulation application, you can export the output from the CLI using the following command:
show techsupport export [use-mgmt-port] url
(For syntax information, see the AX Series CLI Reference.)


About This Document


This document describes the Command Line Interface (CLI) of the A10
Networks AX Series Advanced Traffic Manager. The CLI enables
administrators to configure and manage the device. Descriptions of all commands and their options are provided.
Additional information is available for AX Series systems in the following
documents. These documents are included on the documentation CD
shipped with your AX Series system, and also are available on the A10 Networks support site:
AX Series Installation Guide
AX Series Configuration Guide
AX Series GUI Reference guide
AX Series aFleX Reference Guide
AX Series MIB Reference
AX Series aXAPI Reference

System Description - The AX Series


FIGURE 1: The AX Series Advanced Traffic Manager

The AX Series is the industry's best performing application acceleration
switch that helps organizations scale and maximize application availability
through the world's most advanced application delivery platform. The
AX Series Advanced Core Operating System (ACOS) accelerates and
secures critical business applications, provides the highest performance and
reliability, and establishes a new industry-leading price/performance

Audience
This document is for network architects for determining applicability and
planning implementation, and for system administrators for provisioning
and maintenance of A10 Networks AX Series devices.

Contents

Obtaining Technical Assistance
  Collecting System Information

About This Document
  System Description - The AX Series
  Audience

Using the CLI
  System Access
  Session Access Levels
  High Availability Status in Command Prompt
  CLI Quick Reference
    Context-Sensitive Help
    The no Form of Commands
    Command History
    Editing Features and Shortcuts
    Searching and Filtering CLI Output
    Regular Expressions
    Special Character Support in Strings

EXEC Commands
  enable
  exit
  health-test
  help
  no
  ping
  show
  ssh
  telnet
  traceroute

Privileged EXEC Commands
  active-partition
  axdebug
  backup config
  backup log
  clear
  clock
  config
  debug
  diff
  disable
  exit
  export
  health-test
  import
  locale
  no
  ping
  reboot
  reload
  repeat
  show
  shutdown
  ssh
  telnet
  terminal
  traceroute
  write terminal

Config Commands: Global
  access-list (standard)
  access-list (extended)
  accounting
  admin
  admin lockout
  aflex
  arp
  arp timeout
  audit
  authentication
  authorization
  axdebug
  backup config
  backup log
  banner
  boot-block-fix
  bootimage
  bpdu-fwd-group
  bridge-vlan-group
  bw-list
  class-list (for IP limiting)
  class-list (for LSN)
  clock timezone
  convert-passwd
  copy

  delete startup-config
  disable
  disable-management
  do
  enable
  enable-core
  enable-management
  enable-password
  end
  erase
  exit
  floating-ip
  fwlb
  gslb
  ha
  health external
  health global
  health monitor
  health postfile
  hostname
  icmp-rate-limit
  interface
  ip
  ipv6
  key chain
  l3-vlan-fwd-disable
  lid
  link
  locale
  logging target severity-level
  logging buffered
  logging email buffer
  logging email filter
  logging email-address
  logging export
  logging facility
  logging flow-control
  logging host
  lsn-lid
  mac-address
  mac-age-time
  mirror-port
  monitor
  no
  ntp
  packet-handling
  partition
  ping
  radius-server
  raid
  restore
  route-map
  router
  router log file
  router log record-priority
  router log stdout
  router log syslog
  router log trap
  session-filter
  slb
  smtp
  snat-on-vip
  snmp-server community
  snmp-server contact
  snmp-server enable
  snmp-server group
  snmp-server host
  snmp-server location
  snmp-server user
  snmp-server view
  stats-data-disable
  stats-data-enable
  switch
  syn-cookie
  system
  system lid
  system pbslb bw-list
  system pbslb id
  system pbslb over-limit
  system pbslb timeout
  system resource-usage
  system-reset
  tacacs-server
  techreport
  terminal
  tftp blksize
  trunk
  tx-congestion-ctrl
  update
  upgrade
  vlan
  web-service
  write memory
  write terminal

Config Commands: Interface

183

access-list ............................................................................................................................................ 183


cpu-process ......................................................................................................................................... 184
disable ................................................................................................................................................. 184
duplexity ............................................................................................................................................... 185
enable .................................................................................................................................................. 185
flow-control ........................................................................................................................................... 186
icmp-rate-limit ...................................................................................................................................... 186
interface ............................................................................................................................................... 187
ip address ............................................................................................................................................ 188
ip allow-promiscuous-vip ...................................................................................................................... 189
ip cache-spoofing-port ......................................................................................................................... 189
ip control-apps-use-mgmt-port (management interface only) .............................................................. 190
ip default-gateway (management interface only) ................................................................................. 191
ip helper-address ................................................................................................................................. 192
ip nat .................................................................................................................................................... 193
ip ospf .................................................................................................................................................. 194
ip rip ..................................................................................................................................................... 197
ip tcp syn-cookie .................................................................................................................................. 198
ipv6 (on management interface) .......................................................................................................... 198
ipv6 access-list ..................................................................................................................................... 199
ipv6 address ........................................................................................................................................ 199
ipv6 enable .......................................................................................................................................... 200
ipv6 nat ................................................................................................................................................ 200
ipv6 ndisc router-advertisement ........................................................................................................... 201
l3-vlan-fwd-disable ............................................................................................................................... 205
load-interval ......................................................................................................................................... 206
monitor ................................................................................................................................................. 206
mtu ....................................................................................................................................................... 207
name .................................................................................................................................................... 208
speed ................................................................................................................................................... 208

Config Commands: VLAN

211

name .................................................................................................................................................... 212


router-interface ..................................................................................................................................... 213
tagged .................................................................................................................................................. 213
untagged .............................................................................................................................................. 214

Config Commands: IP

215

ip address ............................................................................................................................................ 215


ip anomaly-drop ................................................................................................................................... 216
ip default-gateway ................................................................................................................................ 218
ip dns ................................................................................................................................................... 219
ip frag timeout ...................................................................................................................................... 219
ip nat alg pptp ...................................................................................................................................... 220
ip nat allow-static-host ......................................................................................................................... 220
ip nat inside .......................................................................................................................................... 221
ip nat inside (for LSN) .......................................................................................................................... 222
ip nat lsn enable-full-cone-for-well-known ........................................................................................... 222
ip nat lsn ip-selection ........................................................................................................................... 222
ip nat lsn logging default-template ....................................................................................................... 223
ip nat lsn logging pool .......................................................................................................................... 224
ip nat lsn port-reservation .................................................................................................................... 225
ip nat lsn stun-timeout ......................................................................................................................... 226
ip nat lsn syn-timeout ........................................................................................................................... 226
ip nat pool ............................................................................................................................................ 226
ip nat pool-group .................................................................................................................................. 229
ip nat range-list .................................................................................................................................... 230
ip nat reset-idle-tcp-conn ..................................................................................................................... 231
ip nat template logging ........................................................................................................................ 231
ip nat translation .................................................................................................................................. 233
ip prefix-list .......................................................................................................................................... 234
ip prefix-list list-id description ............................................................................................................... 237
ip prefix-list sequence-number ............................................................................................................ 238
ip route ................................................................................................................................................. 238
ip tcp syn-cookie threshold .................................................................................................................. 239

Config Commands: IPv6

241

ipv6 access-list .................................................................................................................................... 241


ipv6 address ........................................................................................................................................ 244
ipv6 default-gateway ............................................................................................................................ 244
ipv6 nat pool ........................................................................................................................................ 245
ipv6 neighbor ....................................................................................................................................... 246
ipv6 ospf cost ....................................................................................................................................... 246
ipv6 ospf dead-interval ........................................................................................................................ 247
ipv6 ospf hello-interval ......................................................................................................................... 247
ipv6 ospf neighbor ............................................................................................................................... 248
ipv6 network ........................................................................................................................................ 248
ipv6 ospf priority .................................................................................................................................. 249
ipv6 ospf retransmit-interval ................................................................................................................ 249
ipv6 transmit-delay .............................................................................................................................. 250
ipv6 route ............................................................................................................................................. 250

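Config Commands: Router OSPF ......................................................................................................... 253

Configuration Commands Applicable to OSPFv2 or OSPFv3 ........................................................ 254
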
area area-id default-cost ...................................................................................................................... 254
area area-id range ............................................................................................................................... 254
area area-id stub ................................................................................................................................. 255
area area-id virtual-link ........................................................................................................................ 256
auto-cost reference bandwidth ............................................................................................................ 257
capability restart .................................................................................................................................. 258
default-metric ....................................................................................................................................... 258
ha-standby-extra-cost .......................................................................................................................... 258
max-concurrent-dd ............................................................................................................................... 259
maximum-area ..................................................................................................................................... 259
passive-interface .................................................................................................................................. 260
redistribute ........................................................................................................................................... 260
router-id ............................................................................................................................................... 265
timers spf exp ....................................................................................................................................... 265

Configuration Commands Applicable to OSPFv2 Only .................................................................. 266


area area-id authentication .................................................................................................................. 266
area area-id filter-list ............................................................................................................................ 267
area area-id multi-area-adjacency ....................................................................................................... 268
area area-id nssa ................................................................................................................................. 268
area area-id shortcut ............................................................................................................................ 269
capability opaque ................................................................................................................................. 270
compatible rfc1583 ............................................................................................................................... 270
default-information originate ................................................................................................................ 270
distance ............................................................................................................................................... 271
distribute-list ......................................................................................................................................... 272
host ipaddr area ................................................................................................................................... 273
neighbor ............................................................................................................................................... 274
network ................................................................................................................................................ 275
ospf abr-type ........................................................................................................................................ 276
overflow database ................................................................................................................................ 276
summary-address ................................................................................................................................ 277

Configuration Commands Applicable to OSPFv3 Only .................................................................. 277

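Config Commands: Router RIP ............................................................................................................ 279

network ................................................................................................................................................ 280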
passive-interface .................................................................................................................................. 280
redistribute ........................................................................................................................................... 280

Config Commands: Server Load Balancing .......................................................................................... 281

slb buff-thresh ...................................................................................................................................... 281
slb compress-block-size ....................................................................................................................... 282
slb conn-rate-limit ................................................................................................................................. 282
slb dns-cache-age ................................................................................................................................ 284
slb dns-cache-enable ........................................................................................................................... 284
slb dsr-health-check-enable ................................................................................................................. 285
slb enable-l7-req-acct .......................................................................................................................... 285
slb fast-path-disable ............................................................................................................................. 286
slb graceful-shutdown .......................................................................................................................... 286
slb hw-compression ............................................................................................................................. 287
slb l2l3-trunk-lb-disable ........................................................................................................................ 288
slb msl-time .......................................................................................................................................... 288
slb mss-table ........................................................................................................................................ 289
slb new-path-enable ............................................................................................................................. 290
slb rate-limit-logging ............................................................................................................................ 290
slb server ............................................................................................................................................. 291
slb service-group ................................................................................................................................. 292
slb snat-gwy-for-l3 ............................................................................................................................... 293
slb snat-on-vip ..................................................................................................................................... 293
slb ssl-create certificate ....................................................................................................................... 294
slb ssl-create csr .................................................................................................................................. 295
slb ssl-delete ........................................................................................................................................ 297
slb ssl-load ........................................................................................................................................... 298
slb template ......................................................................................................................................... 300
slb transparent-tcp-template ................................................................................................................ 301
slb virtual-server .................................................................................................................................. 302

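Config Commands: SLB Templates ...................................................................................................... 305

slb template cache ............................................................................................................................... 305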
slb template client-ssl .......................................................................................................................... 310
slb template connection-reuse ............................................................................................................. 313
slb template dns .................................................................................................................................. 316
slb template http .................................................................................................................................. 317
slb template persist cookie .................................................................................................................. 327
slb template persist destination-ip ....................................................................................................... 331
slb template persist source-ip .............................................................................................................. 334
slb template persist ssl-sid .................................................................................................................. 337
slb template policy ............................................................................................................................... 338
slb template port .................................................................................................................................. 344
slb template server .............................................................................................................................. 350
slb template server-ssl ......................................................................................................................... 355
slb template sip (SIP over UDP) .......................................................................................................... 356
slb template sip (SIP over TCP/TLS) ................................................................................................... 358
slb template smtp ................................................................................................................................ 361
slb template streaming-media ............................................................................................................. 364
slb template tcp ................................................................................................................................... 365
slb template tcp-proxy ......................................................................................................................... 368
slb template udp .................................................................................................................................. 371
slb template virtual-port ....................................................................................................................... 373
slb template virtual-server ................................................................................................................... 375

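Config Commands: SLB Servers .......................................................................................................... 379

conn-limit ............................................................................................................................................. 379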
conn-resume ........................................................................................................................................ 380
disable ................................................................................................................................................. 381
enable .................................................................................................................................................. 381
external-ip ............................................................................................................................................ 381
ha-priority-cost ..................................................................................................................................... 382
health-check ........................................................................................................................................ 382
ipv6 ...................................................................................................................................................... 383
port ....................................................................................................................................................... 383
slow-start .............................................................................................................................................. 387
spoofing-cache .................................................................................................................................... 387
stats-data-disable ................................................................................................................................. 388
stats-data-enable ................................................................................................................................. 388
template server .................................................................................................................................... 388
weight .................................................................................................................................................. 389

Config Commands: SLB Service Groups .............................................................................................. 391

health-check ........................................................................................................................................ 392
member ................................................................................................................................................ 393
method ................................................................................................................................................. 394
min-active-member .............................................................................................................................. 397
reset-on-server-selection-fail ............................................................................................................... 399
stats-data-disable ................................................................................................................................. 399
stats-data-enable ................................................................................................................................. 399

Config Commands: SLB Virtual Servers .............................................................................................. 401

arp-disable ........................................................................................................................................... 401
disable ................................................................................................................................................. 402
enable .................................................................................................................................................. 402
ha-dynamic .......................................................................................................................................... 403
ha-group .............................................................................................................................................. 403
port ....................................................................................................................................................... 404
redistribution-flagged ........................................................................................................................... 405
stats-data-disable ................................................................................................................................. 405
stats-data-enable ................................................................................................................................. 406
template policy ..................................................................................................................................... 406
template virtual-server ......................................................................................................................... 406

Config Commands: SLB Virtual Server Ports .......................................................................................... 409

access-list ............................................................................................................................................ 409
aflex ..................................................................................................................................................... 411
conn-limit .............................................................................................................................................. 412
def-selection-if-pref-failed .................................................................................................................... 413
disable ................................................................................................................................................. 414
enable .................................................................................................................................................. 414
gslb-enable .......................................................................................................................................... 414
ha-conn-mirror ..................................................................................................................................... 415
no-dest-nat ........................................................................................................................................... 416
pbslb .................................................................................................................................................... 416
reset-on-server-selection-fail ............................................................................................................... 418
service-group ....................................................................................................................................... 419
snat-on-vip ........................................................................................................................................... 419
source-nat ............................................................................................................................................ 420
stats-data-disable ................................................................................................................................. 421
stats-data-enable ................................................................................................................................. 421
syn-cookie ........................................................................................................................................... 421
template ............................................................................................................................................... 422
template virtual-port ............................................................................................................................. 424
use-default-if-no-server ....................................................................................................................... 424
use-rcv-hop-for-resp ............................................................................................................................ 425

Config Commands: Global Server Load Balancing ..................................................................................... 427

gslb active-rtt ....................................................................................................................................... 427
gslb dns action ..................................................................................................................................... 429
gslb dns logging ................................................................................................................................... 429
gslb geo-location ................................................................................................................................. 430
gslb geo-location delete ....................................................................................................................... 431
gslb geo-location load .......................................................................................................................... 431
gslb ip-list ............................................................................................................................................. 432
gslb ping .............................................................................................................................................. 433
gslb policy ............................................................................................................................................ 433
gslb protocol ........................................................................................................................................ 434
gslb protocol limit ................................................................................................................................. 436
gslb service-ip ...................................................................................................................................... 436
gslb site ............................................................................................................................................... 439
gslb system wait .................................................................................................................................. 443
gslb template csv ................................................................................................................................. 443
gslb template snmp ............................................................................................................................. 445
gslb zone ............................................................................................................................................. 447

Config Commands: GSLB Policy

455

active-rtt ............................................................................................................................................... 455


active-servers ...................................................................................................................................... 458
admin-preference ................................................................................................................................ 459
alias-admin-preference ........................................................................................................................ 459
bw-cost ................................................................................................................................................ 460
capacity ............................................................................................................................................... 461
connection-load ................................................................................................................................... 462
dns ....................................................................................................................................................... 464
geo-location ......................................................................................................................................... 471
geo-location full-domain-share ............................................................................................................ 472
geo-location match-first ....................................................................................................................... 472
geo-location overlap ............................................................................................................................ 473
geographic ........................................................................................................................................... 473
health-check ........................................................................................................................................ 474
ip-list .................................................................................................................................................... 474
least-response ..................................................................................................................................... 475
metric-fail-break ................................................................................................................................... 475
metric-force-check ............................................................................................................................... 475
metric-order ......................................................................................................................................... 476

num-session ......................................................................................................................................... 477
ordered-ip ............................................................................................................................................ 478
passive-rtt ............................................................................................................................................ 479
round-robin .......................................................................................................................................... 480
weighted-alias ...................................................................................................................................... 481
weighted-ip .......................................................................................................................................... 482
weighted-site ........................................................................................................................................ 482

Config Commands: Firewall Load Balancing ........................................................................................... 485

fwlb node ............................................................................................................................................. 485
fwlb service-group ................................................................................................................................ 486
fwlb virtual-firewall ................................................................................................................................ 488

Config Commands: SLB Health Monitors ................................................................................................ 493

disable-after-down ............................................................................................................................... 493
method ................................................................................................................................................. 494
override-ipv4 ........................................................................................................................................ 503
override-ipv6 ........................................................................................................................................ 503
override-port ......................................................................................................................................... 503
strictly-retry-on-server-error-response ................................................................................................. 504

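Config Commands: High Availability ..................................................................................................... 505

ha arp-retry .......................................................................................................................................... 505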
ha check gateway ................................................................................................................................ 506
ha check route ..................................................................................................................................... 507
ha check vlan ....................................................................................................................................... 509
ha conn-mirror ...................................................................................................................................... 510
ha force-self-standby ........................................................................................................................... 511
ha forward-l4-packet-on-standby ......................................................................................................... 511
ha group ............................................................................................................................................... 511
ha id ..................................................................................................................................................... 512
ha inline-mode ..................................................................................................................................... 513
ha interface .......................................................................................................................................... 514
ha l3-inline-mode ................................................................................................................................. 515
ha link-event-delay ............................................................................................................................... 516
ha ospf-inline vlan ................................................................................................................................ 517
ha preemption-enable .......................................................................................................................... 517
ha restart-port-list ................................................................................................................................. 518
ha restart-time ...................................................................................................................................... 519
ha sync ................................................................................................................................................ 519
ha time-interval .................................................................................................................................... 524
ha timeout-retry-count .......................................................................................................................... 524

AX Debug Commands

525

capture ................................................................................................................................................. 526


count .................................................................................................................................................... 529
delete ................................................................................................................................................... 529
filter ...................................................................................................................................................... 530
incoming | outgoing ............................................................................................................................. 532
length ................................................................................................................................................... 533
maxfile ................................................................................................................................................. 533
outgoing ............................................................................................................................................... 533
timeout ................................................................................................................................................. 534

Show Commands

535

show access-list .................................................................................................................................. 535


show active-partition ............................................................................................................................ 535
show admin ......................................................................................................................................... 536
show aflex ............................................................................................................................................ 539
show arp .............................................................................................................................................. 540
show audit ........................................................................................................................................... 541
show axdebug file ................................................................................................................................ 541
show bootimage .................................................................................................................................. 542
show bpdu-fwd-group .......................................................................................................................... 543
show bridge-vlan-group ....................................................................................................................... 543
show bw-list ......................................................................................................................................... 544
show class-list ..................................................................................................................................... 545
show clock ........................................................................................................................................... 546
show core ............................................................................................................................................ 547
show cpu ............................................................................................................................................. 548
show debug ......................................................................................................................................... 549
show disk ............................................................................................................................................. 549
show dns ............................................................................................................................................. 550
show dns-cache-stat ............................................................................................................................ 551
show dumpthread ................................................................................................................................ 552
show environment ............................................................................................................................... 552
show errors .......................................................................................................................................... 553
show fwlb node .................................................................................................................................... 558
show fwlb service-group ...................................................................................................................... 560
show fwlb virtual-firewall ...................................................................................................................... 562
show gslb cache .................................................................................................................................. 563
show gslb geo-location ........................................................................................................................ 565
show gslb policy .................................................................................................................................. 568
show gslb protocol ............................................................................................................................... 570
show gslb rtt ........................................................................................................................................ 571
show gslb samples conn ..................................................................................................................... 573
show gslb samples conn-load ............................................................................................................. 574
show gslb samples rtt .......................................................................................................................... 576
show gslb service ................................................................................................................................ 577
show gslb service-ip ............................................................................................................................ 578
show gslb service-port ......................................................................................................................... 579
show gslb session ............................................................................................................................... 579
show gslb site ...................................................................................................................................... 582

show gslb slb-device ............................................................................................................................ 584
show gslb state .................................................................................................................................... 585
show gslb statistics .............................................................................................................................. 585
show gslb zone .................................................................................................................................... 586
show ha ............................................................................................................................................... 588
show ha mac ........................................................................................................................................ 592
show health .......................................................................................................................................... 592
show history ......................................................................................................................................... 595
show icmp ............................................................................................................................................ 596
show interfaces .................................................................................................................................... 597
show ip dns .......................................................................................................................................... 598
show ip fib ............................................................................................................................................ 598
show ip helper-address ........................................................................................................................ 599
show ip interfaces ................................................................................................................................ 603
show ip nat ........................................................................................................................................... 604
show ip nat lsn ..................................................................................................................................... 608
show {ip | ipv6} ospf ............................................................................................................................. 610
show ip ospf border-routers ................................................................................................................. 611
show ip ospf database ......................................................................................................................... 611
show ipv6 ospf database ..................................................................................................................... 614
show {ip | ipv6} ospf interface .............................................................................................................. 616
show ip ospf multi-area-adjacencies .................................................................................................... 616
show {ip | ipv6} ospf neighbor .............................................................................................................. 617
show ip ospf redistributed .................................................................................................................... 618
show ip ospf route ................................................................................................................................ 619
show ipv6 ospf topology ....................................................................................................................... 620
show {ip | ipv6} ospf virtual-links .......................................................................................................... 620
show ip rip ............................................................................................................................................ 621
show ip route ....................................................................................................................................... 621
show ipv6 ............................................................................................................................................. 623
show key-chain .................................................................................................................................... 625
show lid ................................................................................................................................................ 626
show locale .......................................................................................................................................... 627
show log ............................................................................................................................................... 627
show mac-address-table ...................................................................................................................... 628
show management ............................................................................................................................... 629
show memory ....................................................................................................................................... 630
show mirror .......................................................................................................................................... 632
show monitor ........................................................................................................................................ 633
show ntp .............................................................................................................................................. 634
show partition ....................................................................................................................................... 635
show pbslb ........................................................................................................................................... 636
show process ....................................................................................................................................... 637
show reboot ......................................................................................................................................... 638
show router .......................................................................................................................................... 638
show router log file ............................................................................................................................... 639
show running-config ............................................................................................................................. 639
show session
show shutdown
show sip
show slb
show smtp
show startup-config
show statistics
show switch
show system resource-usage
show tacacs-server
show techsupport
show terminal
show tftp
show trunk
show version
show vlans
show web-service

SLB Show Commands

show slb cache
show slb connection-reuse
show slb conn-rate-limit
show slb fast-http-proxy
show slb ftp
show slb geo-location
show slb http-proxy
show slb hw-compression
show slb l4
show slb passthrough
show slb performance
show slb persist
show slb rate-limit-logging
show slb server
show slb service-group
show slb sip
show slb smtp
show slb ssl
show slb ssl-proxy
show slb switch
show slb syn-cookie
show slb tcp-proxy
show slb template
show slb virtual-server

show health stat Up / Down Causes

Up Causes
Down Causes


Using the CLI


This chapter describes how to use the Command Line Interface (CLI) for
the AX Series Advanced Traffic Manager from A10 Networks. The commands and their options are described in the other chapters.

System Access
You can access the CLI through a console connection, an SSH session, or a
Telnet session. Regardless of which connection method is used, access to the
AX CLI is generally referred to as an EXEC session or simply a CLI session.
Note:

By default, Telnet access is disabled on all interfaces, including the management interface. SSH, HTTP, HTTPS, and SNMP access are enabled by
default on the management interface only, and disabled by default on all
data interfaces.

Session Access Levels


As a security feature, the AX Series operating system separates EXEC sessions into two different access levels: User EXEC level and Privileged
EXEC level. User EXEC level allows you to access only a limited set of
basic monitoring commands. The Privileged EXEC level allows you to
access all AX Series commands (configuration mode, configuration submodes and management mode) and can be password protected so that only
authorized users can configure or maintain the system.
User EXEC Level: AX>
This is the first level entered when a CLI session begins. At this level, users
can view basic system information but cannot configure system or port
parameters.
For example, when an EXEC session is started, the AX Series will display
the AX> prompt. The right arrow (>) in the prompt indicates that the system
is at the User EXEC level. The User EXEC level does not contain any
commands that might control (for example, reload or configure) the operation of the AX device. To list the commands available at the User EXEC
level, type a question mark (?) then press Enter at the prompt; for example,
AX>?.

Privileged EXEC Level: AX#
This level is also called the enable level because the enable command
is used to gain access. Privileged EXEC level can be password secured. At this
level, the privileged user can perform tasks such as managing files in the flash module, saving the system configuration to flash, and clearing caches.
Critical commands (configuration and management) require that the user be
at the Privileged EXEC level. To change to the Privileged EXEC level,
type enable then press Enter at the AX> prompt. If an enable password is
configured, the AX Series will then prompt for that password. When the
correct enable password is entered, the AX Series prompt will change from
AX> to AX# indicating that the user is now at the Privileged EXEC
level. To switch back to the User EXEC level, type disable at the AX#
prompt. Typing a question mark (?) at the Privileged EXEC level will now
reveal many more command options than those available at the User EXEC
level.
Privileged EXEC Level - Config Mode: AX(config)#
The Privileged EXEC level's configuration mode is used to configure the
system IP address and to configure switching and routing features. To
access the configuration mode, you must first be logged into the Privileged
EXEC level.
From the opening CLI prompt, enter the following command to change to
the Privileged level of the EXEC mode:
AX>enable
To access the CONFIG level of the CLI, enter the config command:
AX#config
The prompt changes to include (config):
AX(config)#

High Availability Status in Command Prompt


If High Availability (HA) is configured on the AX device, the command
prompt shows the HA status:
AX-Active#

or
AX-Standby#

If HA is not configured, the prompt is simply the hostname (AX by
default).

Note:

Display of the HA status is configurable. (See terminal on page 170.)

CLI Quick Reference


Entering the help command (available at any command level) returns the
CLI Quick Reference, as follows:
AX>help
CLI Quick Reference
===============
1. Online Help
Enter "?" at any point in a command to display available commands or command
options.
Two types of help are provided:
1) When you are ready to enter a command token, type "?" (e.g. 'show ?') will
display each possible command or command option and also the comment.
2) When you have entered part of a token, type "?" (e.g. 'show us?') will display each command or command option that matches the input.
2. Word Completion
The CLI supports command completion, so you do not need to enter the entire
name of a command or option. As long as you enter enough characters of the command or option name to avoid ambiguity with other commands or options, the CLI
understands what you are typing.
When you have entered enough characters of the command keyword without ambiguity with other keywords, you can type "tab" to auto complete the keyword.
AX>

Context-Sensitive Help
Enter a question mark (?) at the system prompt to display a list of available
commands for each command mode. The context-sensitive help feature provides a list of the arguments and keywords available for any command.
To view help specific to a command name, a command mode, a keyword, or
an argument, enter any of the following commands:


Prompt: AX> or AX# or (config)#

Command                             Purpose
help                                Displays the CLI Quick Reference
abbreviated-command-help?           Lists all commands beginning with abbreviation before
                                    the (?). If the abbreviation is not found, the AX Series
                                    returns:
                                    % Ambiguous command
abbreviated-command-complete<Tab>   Completes a partial command name if unambiguous.
?                                   Lists all valid commands available at the current level
command ?                           Lists the available syntax options (arguments and
                                    keywords) for the entered command.
command keyword ?                   Lists the next available syntax option for the command.

A space (or lack of a space) before the question mark (?) is significant when
using context-sensitive help. To determine which commands begin with a
specific character sequence, type in those characters followed directly by
the question mark; e.g. AX>te?. Do not include a space. This help form is
called word help, because it completes the word for you.
To list arguments or keywords, enter a question mark (?) in place of the
argument or the keyword. Include a space before the (?); e.g.
AX> terminal ?. This form of help is called command syntax help,
because it shows you which keywords or arguments are available based on
the command, keywords, and arguments that you already entered.
Users can abbreviate commands and keywords to the minimum number of
characters that constitute a unique abbreviation. For example, you can
abbreviate the config terminal command to conf t. If the abbreviated form of the command is unique, then the AX Series accepts the abbreviated form and executes the command.

Context Sensitive Help Examples
The following example illustrates how the context-sensitive help feature
enables you to create an access list from configuration mode.
Enter the letters co at the system prompt followed by a question mark (?).
Do not leave a space between the last letter and the question mark. The system provides the commands that begin with co.
AX#co?
config          Entering config mode

Enter the config command followed by a space and a question mark to
list the keywords for the command and a brief explanation:
AX#config ?
terminal        Config from the terminal
<cr>

The <cr> symbol (cr stands for carriage return) appears in the list to indicate that one of your options is to press the Return or Enter key to execute
the command, without adding any additional keywords.
In this example, the output indicates that your only option for the config
command is config terminal (configure manually from the terminal
connection).

The no Form of Commands


Most configuration commands have a no form. Typically, you use the no
form to disable a feature or function. The command without the no keyword is used to re-enable a disabled feature or to enable a feature that is disabled by default. For example, if terminal auto-size has been enabled
previously, use the no terminal auto-size form of the terminal auto-size
command to disable it. To re-enable it, use
the terminal auto-size form. This document describes the function
of the no form of the command whenever a no form is available.


Command History
The CLI provides a history or record of commands that you have entered.
This feature is particularly useful for recalling long or complex commands
or entries, including access lists. To use the command history feature, perform any of the tasks described in the following sections:
Setting the command history buffer size
Recalling commands
Disabling the command history feature

Setting the Command History Buffer Size


The AX Series records ten command lines in its history buffer, by default.
To change the number of command lines that the system will record during
the current terminal session, use the following command in EXEC mode:

Command                               Description
AX# terminal history                  Enables the command history feature for the current
[size number-of-lines]                terminal session.
AX# no terminal history size          Resets the number of commands saved in the history
                                      buffer to the default of 256 commands.
AX(config)# terminal history          Enables the command history feature for all the
[size number-of-lines]                configuration sessions.

Recalling Commands
To recall commands from the history buffer, use one of the following commands or key combinations:

Command or Key Combination      Description
Ctrl+P or Up Arrow key [1]      Recalls commands in the history buffer, beginning with the
                                most recent command. Repeat the key sequence to recall
                                successively older commands.
Ctrl+N or Down Arrow key [1]    Returns to more recent commands in the history buffer after
                                recalling commands with Ctrl+P or the Up Arrow key.
                                Repeat the key sequence to recall successively more recent
                                commands.
AX> show history                While in EXEC mode, lists the most recent commands
                                entered.

[1] The arrow keys function only on ANSI-compatible terminals.


Editing Features and Shortcuts


A variety of shortcuts and editing features are enabled for the AX Series
CLI. The following subsections describe these features:
Moving the cursor on the command line
Completing a partial command name
Recalling deleted entries
Editing command lines that wrap
Deleting entries
Continuing output at the --MORE-- prompt
Re-displaying the current command line

Positioning the Cursor on the Command Line


The table below lists key combinations used to position the cursor on the
command line for making corrections or changes. The Control key (ctrl)
must be pressed simultaneously with the associated letter key. The Escape
key (esc) must be pressed first, followed by its associated letter key. The letters are not case sensitive. Many letters used for CLI navigation and editing
were chosen to simplify remembering their functions. In the following
table, characters bolded in the Function Summary column indicate the relation between the letter used and the function.

Keystrokes               Function Summary    Function Details
Left Arrow or ctrl+B     Back character      Moves the cursor left one character. When entering a
                                             command that extends beyond a single line, press the
                                             Left Arrow or Ctrl+B keys repeatedly to move back
                                             toward the system prompt to verify the beginning of
                                             the command entry, or you can also press Ctrl+A.
Right Arrow or ctrl+F    Forward character   Moves the cursor right one character.
ctrl+A                   Beginning of line   Moves the cursor to the very beginning of the
                                             command line.
ctrl+E                   End of line         Moves the cursor to the very end of the line.


Completing a Partial Command Name


If you do not remember a full command name, or just to reduce the amount
of typing you have to do, enter the first few letters of a command, then press
tab. The CLI parser then completes the command if the string entered is
unique to the command mode. If the keyboard has no tab key, you can also
press ctrl+I.
The CLI will recognize a command once you enter enough text to make the
command unique. For example, if you enter conf while in the privileged
EXEC mode, the CLI will associate your entry with the config command,
because only the config command begins with conf.
In the next example, the CLI recognizes the unique string conf for privileged EXEC mode of config after pressing the tab key:
AX# conf<tab>
AX# config
When using the command completion feature, the CLI displays the full
command name. Commands are not executed until the Enter key is pressed.
This way you can modify the command if the derived command is not what
you expected from the abbreviation. Entering a string of characters that
indicate more than one possible command (for example, te) results in the
following response from the CLI:
AX>te
% Ambiguous command
AX>
If the CLI cannot complete the command, enter a question mark (?) to
obtain a list of commands that begin with the character set entered. Do not
leave a space between the last letter you enter and the question mark (?).
In the example above, te is ambiguous. It is the beginning of both the telnet
and terminal commands, as shown in the following example:
AX>te?
telnet          Open a tunnel connection
terminal        Set terminal line parameters
AX>te

The letters entered before the question mark (te) are reprinted to the screen
to allow continuation of command entry from where you left off.


Deleting Command Entries


If you make a mistake or change your mind, you can use the following keys
or key combinations to delete command entries:

Keystrokes          Purpose
backspace           The character immediately left of the cursor is deleted.
delete or ctrl+D    The character that the cursor is currently on is deleted.
ctrl+K              All characters from the cursor to the end of the command line
                    are deleted.
ctrl+U or ctrl+X    All characters from the cursor to the beginning of the
                    command line are deleted.
ctrl+W              The word to the left of the cursor is deleted.

Editing Command Lines that Wrap


The CLI provides a wrap-around feature for commands extending beyond a
single line on the display.
When the cursor reaches the right margin, the command line shifts ten
spaces to the left. You cannot see the first ten characters of the line, but you
can scroll back and check the syntax at the beginning of the command. To
scroll back, press ctrl+B or the left arrow key repeatedly until you scroll
back to the command entry, or press ctrl+A to return directly to the beginning of the line.
The AX Series software assumes you have a terminal screen that is 80 columns wide. If you have a different screen-width, use the terminal
width EXEC command to set the width of the terminal.
Use line wrapping in conjunction with the command history feature to recall
and modify previous complex command entries. See the Recalling
Commands section in this chapter for information about recalling previous
command entries.

Continuing Output at the --MORE-- Prompt


When working with the CLI, output often extends beyond the visible screen
length. For cases where output continues beyond the bottom of the screen,
such as with the output of many ?, show, or more commands, the output is
paused and a --MORE-- prompt is displayed at the bottom of the screen.
To proceed, press the Enter key to scroll down one line, or press the spacebar to display the next full screen of output.

Redisplay the Current Command Line


If you are entering a command and the system suddenly sends a message to
your screen, you can easily recall your current command line entry. To
redisplay the current command line (refresh the screen), use either of the
following key combinations:

Keystrokes          Purpose
ctrl+L or ctrl+R    Re-displays the current command line

Searching and Filtering CLI Output


The CLI permits searching through large amounts of command output by
filtering the output to exclude information that you do not need. The show
command supports the following output filtering options:
begin string - Begins the output with the line containing the specified string
include string - Displays only the output lines that contain the specified string
exclude string - Displays only the output lines that do not contain the specified string
section string - Displays only the lines for the specified section
(for example, slb server, virtual-server, or logging). To display all
server-related configuration lines, you can enter server.
Use | as a delimiter between the show command and the display filter.
You can use regular expressions in the filter string, as shown in this example:
AX(config)#show arp | include 192.168.1.3*
192.168.1.3     001d.4608.1e40  Dynamic  ethernet4
192.168.1.33    0019.d165.c2ab  Dynamic  ethernet4

The output filter in this example displays only the ARP entries that contain
IP addresses that match 192.168.1.3 and any value following 3. The
asterisk ( * ) matches on any pattern following the 3. (See Regular
Expressions on page 35.)

The following example displays the startup-config lines for logging:
AX(config)#show startup-config | section logging
logging console error
logging buffered debugging
logging monitor debugging
logging buffered 30000
logging facility local0

Regular Expressions
Regular expressions are patterns (e.g. a phrase, number, or more complex
pattern) used by the CLI string search feature to match against show or
more command output. Regular expressions are case sensitive and allow
for complex matching requirements. A simple regular expression can be an
entry like Serial, misses, or 138. Complex regular expressions can be an
entry like 00210... , ( is ), or [Oo]utput.
A regular expression can be a single-character pattern or a multiple-character pattern. This means that a regular expression can be a single character
that matches the same single character in the command output or multiple
characters that match the same multiple characters in the command output.
The pattern in the command output is referred to as a string. This section
describes creating single-character patterns.

Single-Character Patterns
The simplest regular expression is a single character that matches the same
single character in the command output. You can use any letter (A-Z, a-z)
or digit (0-9) as a single-character pattern. You can also use other keyboard
characters (such as ! or ~) as single-character patterns, but certain keyboard
characters have special meaning when used in regular expressions. The following table lists the keyboard characters that have special meaning.

Character         Meaning
.                 Matches any single character, including white space
*                 Matches 0 or more sequences of the pattern
+                 Matches 1 or more sequences of the pattern
?                 Matches 0 or 1 occurrences of the pattern
^                 Matches the beginning of the string
$                 Matches the end of the string
_ (underscore)    Matches a comma (,), left brace ({), right brace (}), left
                  parenthesis ( ( ), right parenthesis ( ) ), the beginning of
                  the string, the end of the string, or a space.
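The include filter and the special characters described in this section, as an added illustration that is not from the A10 documentation: Python's re module stands in for the CLI's matcher (an assumption; the device's engine may differ in details), and the ARP lines are constructed. With . matching any character and * allowing zero repetitions, 192.168.1.3* also selects lines such as 192.168.1.7, so the hypothetical address_filter helper builds a bracketed, anchored pattern for use when reviewing saved show output.

```python
import re

# Constructed `show arp`-style lines for illustration (not captured from a device).
SAMPLE_ARP = [
    "192.168.1.3     001d.4608.1e40  Dynamic  ethernet4",
    "192.168.1.33    0019.d165.c2ab  Dynamic  ethernet4",
    "192.168.1.7     0019.d165.0a11  Dynamic  ethernet2",
    "192.168.103.9   0019.d165.0b22  Dynamic  ethernet2",
    "10.0.0.1        001d.4608.0c33  Dynamic  ethernet1",
]


def include(lines, pattern):
    """Keep only the lines in which the pattern is found anywhere."""
    rx = re.compile(pattern)
    return [ln for ln in lines if rx.search(ln)]


def exclude(lines, pattern):
    """Keep only the lines in which the pattern is not found."""
    rx = re.compile(pattern)
    return [ln for ln in lines if not rx.search(ln)]


def begin(lines, pattern):
    """Return the output starting at the first line that contains the pattern."""
    rx = re.compile(pattern)
    for index, ln in enumerate(lines):
        if rx.search(ln):
            return lines[index:]
    return []


def address_filter(addr_prefix):
    """Build a pattern for addresses that start the line with addr_prefix.

    Each dot is wrapped in brackets so it matches only a literal dot, the
    pattern is anchored with ^, and the address must end at a space.
    Hypothetical helper for offline review, not a device command.
    """
    if not re.fullmatch(r"[0-9.]+", addr_prefix):
        raise ValueError("address prefix may contain only digits and dots")
    return "^" + addr_prefix.replace(".", "[.]") + "[0-9]* "


def addresses(lines):
    """First column (the IP address) of each line."""
    return [ln.split()[0] for ln in lines]


if __name__ == "__main__":
    print("loose :", addresses(include(SAMPLE_ARP, "192.168.1.3*")))
    print("strict:", addresses(include(SAMPLE_ARP, address_filter("192.168.1.3"))))
    print("not e4:", addresses(exclude(SAMPLE_ARP, "ethernet4")))
    print("begin :", addresses(begin(SAMPLE_ARP, "^10[.]")))
```
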


Special Character Support in Strings


Special characters are supported in password strings and various other
strings. To use special characters in a string, enclose the entire string in double quotation marks.
Admin and enable passwords can contain any ASCII characters in the range
0x20-0x7e (inclusive).
You can use an opening single- or double-quotation mark without an ending
one. In this case, '" becomes ", and "' becomes '.
Escape sequences are required for a few of the special characters:
" - To use a double-quotation mark in a string, enter the following: \"
? - To use a question mark in a string, enter the following sequence: \077
\ - To use a back slash in a string, enter another back slash in front of it: \\

For example, to use the string a"b?c\d, enter the following:
"a\"b\077c\\d"

The \ character will be interpreted as the start of an escape sequence only if
it is enclosed in double quotation marks. (The ending double quotation mark
can be omitted.) If the following characters do not qualify as an escape
sequence, they are taken verbatim; for example, \ is taken as \, "\x41" is
taken as A (hexadecimal escape), "\101" is taken as A (octal escape), and
"\10" is taken as \10.


Note:

To use a double-quotation mark as the entire string, enter "\"". If you enter
\", the result is \. (Using a single character as a password is not recommended.)

Note:

It is recommended not to use i18n characters. The character encoding
used on the terminal during password change might differ from the character encoding on the terminal used during login.
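The escape rules above matter when a provisioning script sends a password through the CLI, because a raw ?, " or \ is not taken literally. The following is an added example (not from the A10 documentation): a helper that quotes a password using the three documented escapes, and a model decoder used to confirm that the quoted form reads back as the intended value. The function names are hypothetical, and the decoder assumes that an octal escape takes exactly three digits and a hexadecimal escape exactly two, as in the examples above.

```python
import re

# Admin and enable passwords may contain ASCII 0x20-0x7e (inclusive).
_ALLOWED = re.compile(r"[\x20-\x7e]+")

# Escape sequences recognised inside double quotes, per the rules above:
# \" and \\ (group 1), three-digit octal (group 2), two-digit hex (group 3).
_ESCAPE = re.compile(r'\\(?:(["\\])|([0-7]{3})|x([0-9A-Fa-f]{2}))')


def quote_for_cli(value):
    """Return value as a double-quoted CLI string using the documented escapes."""
    if not _ALLOWED.fullmatch(value):
        raise ValueError("value must be non-empty ASCII in the range 0x20-0x7e")
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")      # back slash -> \\
        elif ch == '"':
            out.append('\\"')       # double-quotation mark -> \"
        elif ch == "?":
            out.append("\\077")     # question mark -> \077
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def unquote_model(quoted):
    """Model of how a double-quoted string is read back under the rules above.

    This is a model for checking quote_for_cli, not the device's parser.
    Anything after a back slash that is not a recognised escape is kept verbatim.
    """
    if len(quoted) < 2 or quoted[0] != '"' or quoted[-1] != '"':
        raise ValueError("expected a string enclosed in double quotation marks")

    def decode(match):
        if match.group(1):
            return match.group(1)
        if match.group(2):
            return chr(int(match.group(2), 8))
        return chr(int(match.group(3), 16))

    return _ESCAPE.sub(decode, quoted[1:-1])


def round_trips(value):
    """True if the quoted form decodes back to exactly the original value."""
    return unquote_model(quote_for_cli(value)) == value


if __name__ == "__main__":
    # Constructed sample values, including the string used in the text above.
    for sample in ['a"b?c\\d', "p@ss?word", "back\\slash\\077", "x\\x41"]:
        print(sample, "->", quote_for_cli(sample), "ok" if round_trips(sample) else "MISMATCH")
```
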


EXEC Commands
The EXEC commands (sometimes referred to as the User EXEC commands) are available at the CLI level that is presented when you log into the
CLI.
The EXEC level command prompt ends with >, as in the following example:
AX>

enable
Description

Enter privileged EXEC mode, or any other security level set by a system
administrator.

Syntax

enable

Mode

EXEC

Usage

Entering privileged EXEC mode enables the use of privileged commands.


Because many of the privileged commands set operating parameters, privileged access should be password-protected to prevent unauthorized use. If
the system administrator has set a password with the enable password global configuration command, you are prompted to enter it before being
allowed access to privileged EXEC mode. The password is case sensitive.
The user will enter the default mode of privileged EXEC.

Example

In the following example, the user enters privileged EXEC mode using the
enable command. The system prompts the user for a password before
allowing access to the privileged EXEC mode. The password is not printed
to the screen. The user then exits back to user EXEC mode using the disable
command. Note that the prompt for user EXEC mode is >, and the prompt
for privileged EXEC mode is #.
AX>enable
Password: <letmein>

AX# disable
AX>


exit
Description

Close an active terminal session by logging off the system.

Syntax

exit

Mode

EXEC and Privileged EXEC

Usage

Use the exit command in EXEC mode to exit the active session (log off
the device).

Example

In the following example, the exit (global) command is used to move


from global configuration mode to privileged EXEC mode, the disable
command is used to move from privileged EXEC mode to user EXEC
mode, and the exit (EXEC) command is used to log off (exit the active
session):
AX(config)#exit
AX#disable
AX>exit

health-test
Description

Test the status of a device using a configured health monitor.

Syntax

health-test {ipaddr | ipv6 ipv6addr} [count num]
[monitorname monitor-name] [port portnum]

Parameter                   Description
ipaddr | ipv6 ipv6addr      Specifies the IPv4 or IPv6 address of the device
                            to test.
count num                   Specifies the number of health checks to send to
                            the device. You can specify 1-65535.
monitorname monitor-name    Specifies the health monitor to use. The health
                            monitor must already be configured.
port portnum                Specifies the protocol port to test, 1-65535.

Default

Only the IP address is required. The other parameters have the following
defaults:
count - 1
monitorname - ICMP ping, the default Layer 3 health check
port - Override port number set in the health monitor configuration, if
one is set. Otherwise, this option is not set by default.


Mode

EXEC, Privileged EXEC, and global config

Usage

If an override IP address and protocol port are set in the health monitor configuration, the AX device will use the override address and port, even if you
specify an address and port with the health-test command.

Example

The following command tests port 80 on server 192.168.1.66, using configured health monitor hm80:

AX#health-test 192.168.1.66 monitorname hm80


node status UP.

help
Description

Display a description of the interactive help system of the AX Series.

Syntax

help

Example

(See CLI Quick Reference on page 27.)

no
Description

See no on page 61. This command is not used at this level.

ping
Description
Syntax

Send an ICMP echo packet to test network connectivity.


ping [ipv6] {hostname | ipaddr}
[data HEX-word]
[flood]
[interface {ethernet port-num | ve ve-num |
management}]
[repeat count]
[size num]
[timeout secs]
[ttl num]
[source {ipaddr | ethernet port-num | ve ve-num}]
Parameter

Description

[ipv6] hostname | ipaddr

Target of the ping.

data HEX-word

Hexadecimal data pattern to send in the ping. The pattern can be 1-8 hexadecimal characters long.

flood

Sends a continuous stream of ping packets, by sending a new packet as soon as a reply to the previous packet is received.

interface {ethernet port-num | ve ve-num | management}

Uses the specified interface as the source address of the ping.

repeat count

Number of times to send the ping, 1-10000000 (ten million).

size num

Size of the datagram, 1-10000.

timeout secs

Number of seconds the AX device waits for a reply to a sent ping packet, 1-2100 seconds.

ttl num

Maximum number of hops the ping is allowed to traverse, 1-255.

source ipaddr | ethernet port-num | ve ve-num

Forces the AX device to give the specified IP address, or the IP address configured on the specified interface, as the source address of the ping.

Default

This command has the following defaults:
data - not set
flood - disabled
interface - not set. The AX device looks up the route to the ping target in the main route table and uses the interface associated with the route. (The management interface is not used unless you specify the management IP address as the source interface.)
repeat - 5
size - datagram size is 84 bytes
timeout - 10 seconds
ttl - 1
source - not set. The AX device looks up the route to the ping target and uses the interface associated with the route.


Mode

EXEC and Privileged EXEC

Usage

The ping command sends an echo request packet to a remote address, and
then awaits a reply. Unless you use the flood option, the interval between
sending of each ping packet is 1 second.
To terminate a ping session, type ctrl+c.

Example

The following command sends a ping to IP address 192.168.3.116:

AX>ping 192.168.3.116
PING 192.168.3.116 (192.168.3.116) 56(84) bytes of data
64 bytes from 192.168.3.116: icmp_seq=1 ttl=128 time=0.206 ms
64 bytes from 192.168.3.116: icmp_seq=2 ttl=128 time=0.260 ms
64 bytes from 192.168.3.116: icmp_seq=3 ttl=128 time=0.263 ms
64 bytes from 192.168.3.116: icmp_seq=4 ttl=128 time=0.264 ms
64 bytes from 192.168.3.116: icmp_seq=5 ttl=128 time=0.216 ms
--- 192.168.3.116 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3996ms
rtt min/avg/max/mdev = 0.206/0.241/0.264/0.032 ms

Example

The following command sends a ping to IP address 10.10.1.20, from AX Ethernet port 1. The ping has data pattern ffff, is 1024 bytes long, and is sent 100 times.

AX#ping data ffff repeat 100 size 1024 source ethernet 1 10.10.1.20

show
Description

Show system or configuration information.

Syntax

show options

Default

N/A

Mode

EXEC and Privileged EXEC

Usage

For information about the show commands, see Show Commands on page 535 and SLB Show Commands on page 659.

ssh
Description

Establish a Secure Shell (SSH) connection from the AX Series to another device.

Syntax

ssh [use-mgmt-port] {host-name | ipaddr} login-name [protocol-port]

Parameter

Description

use-mgmt-port

Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface.

host-name

Host name of a remote system.

ipaddr

The IP address of a remote system.

login-name

User name to log into the remote system.

protocol-port

TCP port number on which the remote system listens for SSH client traffic.

Default

By default, the AX device will use a data interface as the source interface. The management interface is not used unless you specify the use-mgmt-port option. The default protocol-port is 22.

Mode

EXEC and Privileged EXEC

telnet
Description

Open a Telnet tunnel connection from the AX Series to another device.

Syntax

telnet [use-mgmt-port] {host-name | ipaddr} [protocol-port]

Parameter

Description

use-mgmt-port

Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface.

host-name

Host name of a remote system.

ipaddr

The IP address of a remote system.

protocol-port

TCP port number on which the remote system listens for Telnet traffic.

Default

By default, the AX device will use a data interface as the source interface. The management interface is not used unless you specify the use-mgmt-port option. The default protocol-port is 23.

Mode

EXEC and Privileged EXEC

Example

The following command opens a Telnet session from the AX to another AX at IP address 10.10.4.55:

AX>telnet 10.10.4.55
Trying 10.10.4.55...
Connected to 10.10.4.55.
Escape character is '^]'.
Welcome to AX3200
AX login:

traceroute
Description

Display the router hops through which a packet sent from the AX Series
device can reach a remote device.

Syntax

traceroute [ipv6] [use-mgmt-port] {host-name | ipaddr}

Parameter

Description

ipv6

Indicates that the target address is an IPv6 address.

use-mgmt-port

Uses the management interface as the source interface. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface.

{host-name | ipaddr}

Device at the remote end of the route to be traced.

Default

N/A

Mode

EXEC and Privileged EXEC

Usage

If a hop does not respond within 5 seconds, asterisks ( * ) are shown in the
row for that hop.

Example

The following command traces a route to 192.168.10.99:

AX#traceroute 192.168.10.99
traceroute to 192.168.10.99 (192.168.10.99), 30 hops max, 40 byte packets
1 10.10.20.1 (10.10.20.1) 1.215 ms 1.151 ms 1.243 ms
2 10.10.13.1 (10.10.13.1) 0.499 ms 0.392 ms 0.493 ms
...


Privileged EXEC Commands


The Privileged EXEC commands are available at the CLI level that is presented when you enter the enable command and a valid enable password
from the EXEC level of the CLI.
The Privileged EXEC level command prompt ends with #, as in the following example:
AX#

active-partition
Description

Change the partition on an AX device configured for Role-Based Administration (RBA).

Syntax

active-partition {partition-name | shared}


Parameter

Description

partition-name

Name of a private partition.

shared

The shared partition.

Default

See Usage below.

Mode

Privileged EXEC

Usage

Admins with Root, Read-write, or Read-only privileges can select the partition to view. When an admin with one of these privilege levels logs in, the
view is set to the shared partition by default, which means all resources are
visible.

Example

The following command changes the view to private partition companyA:


AX#active-partition companyA
Currently active partition: companyA

axdebug
Description

Enters the AX debug subsystem. (See AX Debug Commands on page 525.)

backup config
Description

Back up the system.

Syntax

backup config [use-mgmt-port] url


Parameter

Description

config

Backs up the startup-config file, aFleX policy files, and SSL certificates and keys into a tar file.

use-mgmt-port

Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. Without this option, the AX device attempts to use the data route table to reach the remote device through a data interface.

url

File transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
tftp://host/file
ftp://[user@]host[:port]/file
scp://[user@]host/file
rcp://[user@]host/file

Default

N/A

Mode

Privileged EXEC or global configuration

Example

The following command backs up the system:

AX(config)#backup tftp://1.1.1.1/back_file


backup log
Description

Configure log backup options and save a backup of the system log.

Syntax

[no] backup log period {all | day | month | week}
[no] backup log expedite
backup log [use-mgmt-port] url
backup log stats-data [use-mgmt-port] url

Parameter

Description

expedite

Allocates additional CPU to the backup process. This option allows up to 80% CPU utilization to be devoted to the log backup process.

period {all | day | month | week}

Specifies the period to back up:
all - Backs up all log messages contained in the log buffer.
day - Backs up the log messages generated during the most recent 24 hours.
month - Backs up the log messages generated during the most recent 30 days.
week - Backs up the log messages generated during the most recent 7 days.

[use-mgmt-port] url

Saves a backup of the log to a remote server.
The use-mgmt-port option uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. Without this option, the AX device attempts to use the data route table to reach the remote device through a data interface.
The url specifies the file transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
tftp://host/file
ftp://[user@]host[:port]/file
scp://[user@]host/file
rcp://[user@]host/file

stats-data [use-mgmt-port] url

Backs up statistical data from the GUI. The use-mgmt-port and url options are the same as described above.

Default

The configurable backup options have the following default values:
expedite - The AX device allows up to 50% CPU utilization for log backup.
period - month

Mode

Privileged EXEC or global configuration

Usage

The expedite option controls the percentage of CPU utilization allowed exclusively to the log backup process. The actual CPU utilization during log backup may be higher, if other management processes also are running at the same time.

Example

The following commands change the backup period to all, allow up to 80%
CPU utilization for the backup process, and back up the log:

AX(config)#backup log period all
AX(config)#backup log expedite
AX(config)#backup log scp://192.168.20.161:/log.tgz
...

Example

The following command backs up statistical data from the GUI:

AX(config)#backup log stats-data scp://192.168.20.161:/log.tgz

Note:

The log period and expedite settings also apply to backups of the GUI statistical data.


clear
Description

Clear statistics or reset functions. Sub-command parameters are required for specific sub-commands.

Syntax

clear sub-command parameter

Sub-Command

Description

access-list {acl-num | all}

Clears ACL statistics.

admin session {session-id | all}

Clears admin sessions.

aflex [aflex-name]

Clears aFleX statistics.

arp {options}

Clears ARP entries.

core

Clears system core dump files.

debug

Clears GSLB debug messages.

dns

Clears DNS statistics.

fwlb {options}

Clears Firewall Load Balancing (FWLB) statistics.

gslb {options}

Clears Global Server Load Balancing (GSLB) information or statistics.

ha

Clears High-Availability (HA) statistics.

health

Clears health monitor statistics.

icmp

Clears ICMP statistics.

ip nat {options}

Clears IPv4 NAT statistics.

ip nat lsn {options}

Clears Large-Scale NAT (LSN) information and statistics.

ip ospf [process-id | tag] process

Terminates OSPF processing. The process-id | tag option specifies the OSPFv2 process or OSPFv3 instance (tag). If you omit this option, processing is terminated for all running OSPFv2 processes and OSPFv3 instances.

ipv6 nat pool statistics

Clears IPv6 NAT statistics.

ipv6 neighbor

Clears the IPv6 neighbor cache.

ipv6 traffic

Clears the IPv6 traffic statistics.

logging

Clears the system log buffer.

mac-address {options}

Clears the MAC address table.

pbslb {options}

Clears Policy-Based Server Load Balancing (SLB) client entries or statistics.

router log file [type]

Clears router log files. The type can be one of the following:
nsm [file-num] - Clears the specified Network Services Module (NSM) log file, or all NSM log files.
ospf6d [file-num] - Clears the specified IPv6 OSPFv3 log file, or all OSPFv3 log files.
ospfd [file-num] - Clears the specified IPv4 OSPFv2 log file, or all OSPFv2 log files.
If you do not specify a type, router logs of all types above are cleared.

sessions {options}

Clears Layer 4 sessions.

sip

Clears SIP statistics.

slb {options}

Clears SLB statistics.

statistics {options}

Clears physical Ethernet interface statistics.

Default

N/A

Mode

Privileged EXEC and Config

Usage

To list the options available for a clear command, enter ? after the command name. For example, to display the clear gslb options, enter the following command: clear gslb ?

Example

The following command clears the counters on Ethernet interface 3:


AX#clear statistics interface ethernet 3


clock
Description

Set the system time and date.

Syntax

clock set time day month year

Parameter

Description

time

Format hh:mm:ss (24 hr.)

day

Format 1-31 day of month

month

Format January, February, and so on.

year

Format 2007, 2008, and so on.

Note:

The default time zone is GMT.

Mode

Privileged EXEC

Usage

Use this command to manually set the system time and date.
If you use the GUI or CLI to change the AX timezone or system time, the
statistical database is cleared. This database contains general system statistics (performance, and CPU, memory, and disk utilization) and SLB statistics. For example, in the GUI, the graphs displayed on the Monitor >
Overview page are cleared.
If the system clock is adjusted while OSPF or RIP is enabled, the routing
protocols may stop working properly. To work around this issue, disable
OSPF and RIP before adjusting the system clock.

Example

Set the system clock to 5:51 p.m. and the date to February 22nd, 2007.
AX#clock set 17:51:00 22 February 2007

config
Description

Enter the configuration mode from the Privileged Exec mode.

Syntax

config [terminal]

Mode

Privileged EXEC

Example

Enter configuration mode.

AX#config
AX(config)#


debug
Description

Enable debugging functions.

Note:

Generally, it is recommended to use the AXdebug subsystem instead of the debug packet commands. AXdebug is useful for collecting packet traces, and provides more flexible filtering options. Additionally, the output is streamlined to show end-to-end session information. However, AXdebug does not have options to debug specific processes (TCP-proxy, HTTP-proxy, and so on). The debug packet commands are an older debugging implementation, and provide options to debug specific processes. See AX Debug Commands on page 525.

Syntax

debug sub-command

Sub-command

Description

cache

Enables debugging of RAM caching.

conn-reuse

Enables debugging of the SLB connection-reuse feature.

dumpthread

Enables debugging of the SLB process.

gslb

Enables debugging of Global SLB.

http-proxy

Enables debugging of the HTTP-proxy process.

hw-compression

Enables debugging of the process for hardware-based HTTP compression.

ip

Enables debugging of the IP process.

monitor [filename [cpu-id]]

Begins output of debugging information.
filename - Specifies the name of a file to which to write the output. If you do not specify a filename, the output is written to the terminal instead. To export the file, use the export debug_monitor filename url command. (See export on page 58.) The data in the file is text. To read the file, open it with a text editor.
cpu-id - Specifies an individual CPU to monitor, 0-n. The control CPU is 0. The other CPUs are data CPUs. If you do not specify a CPU ID, all CPUs are monitored.

packet

Enables debugging of packet-handling processes. (Enter debug packet ? for the list of available suboptions.)

sip

Enables debugging of the SIP process.

ssl

Enables debugging of the SSL process.

tcp-proxy

Enables debugging of the TCP-proxy process.

Default

N/A

Mode

Privileged EXEC

Usage

Some debug sub-commands have additional options. Use the CLI help ( ? ) to display the additional options.
The no form of the command turns off debugging.

Enabling Debugging

To enable debugging, use the debug packet command first. Next, enter additional debug commands for each of the processes you need to debug. Finally, use the debug monitor command to begin output to the terminal or into a file.

The following commands enable Layer 3, TCP-proxy, and HTTP-proxy packet debugging for VIP 20.20.1.134, then begin output to the terminal. The AX device is acting as an HTTP proxy for the VIP.

AX#debug packet l3 ip 20.20.1.134
AX#debug tcp-proxy
AX#debug http-proxy
AX#debug monitor
Wait for debug output, enter <ctrl c> to exit

To display SLB debug information, enter the show dumpthread command.
To display output for other debugging options, enable the option, then enter debug monitor to begin output of the debug information to the terminal. To stop the output, press ctrl+c.

Deleting a Debug Monitor File

The AX device does not provide a direct method to delete a file generated by the debug monitor filename command. As a workaround, you can enter the debug monitor filename command again, using the same filename, to overwrite the debug file by creating a new one with the same name. The new file will have 0 length.

Count Parameter

The count parameter specifies the maximum number of packets that will be captured. It is possible for the number of packets displayed in the output to differ from the count. Generally, this occurs for the following reasons:

Fewer packets displayed - The AX device begins capturing packets as soon as you enter the debug packet command, but does not begin displaying them until you enter the debug monitor command. Any packets that are captured after you enter debug packet but before you enter debug monitor are included in the count but are not displayed.

More packets displayed - The count is per CPU thread, not per system. Since ACOS uses multiple CPUs, it is possible that more than one CPU will be used for the traffic you are monitoring.

Note:

This behavior also applies to AXdebug, which uses the same count parameter.

By default, the maximum number of packets that will be captured by the debug packet command is 3000. To change the default maximum, use the AX debug count command. (See count on page 529.)

Filtering

If you are monitoring SLB traffic, packets for both sides of a session (the client side and the server side) will be captured, even if only one side of the session matches the debug filter.

For example, if you configure the filter to capture packets only for Ethernet interface 4, and an SLB client sends a request that is received on interface 4, the request packet that the AX device sends to the server on behalf of the client is also captured, even if the server is connected to a different interface.

Note:

If a packet capture is running and you change the filter, there will be a 5-second delay while the AX device clears the older filter. The delay does not occur if a packet capture is not already running.

Note:

The debug packet filter is internally numbered filter 0. In AXdebug, you can create multiple filters, which are uniquely identified by filter ID. If you create filter 0 in AXdebug, this filter will overwrite the debug packet filter. Likewise, if you configure filter 0 in AXdebug, then configure the debug packet filter, the debug packet filter will overwrite AXdebug filter 0.

Example

The following commands enable debugging of Layer 4 TCP packets for all protocol ports, enable display of the debugging information on the terminal, then stop display of the debugging information and turn packet debugging back off:

AX#debug packet l4-protocol tcp all
AX#debug monitor
Wait for debug output, enter <ctrl c> to exit
(0,1738448) i( 2, 0, d821)> ip 50.50.50.10 > 192.168.217.11 tcp 3807 > 22 S b85767f9:0(0) <mss 1460>
(0,1738448) o( 1, 0, d821)> ip 192.168.217.2 > 192.168.217.11 tcp 2049 > 22 S b85767f9:0(0) <mss 1460>
(0,1738448) i( 1, 0, c00b)> ip 192.168.217.11 > 192.168.217.2 tcp 22 > 2049 SA 7fa2a81e:b85767fa(0) <mss 1460>
(0,1738448) o( 2, 0, c00b)> ip 192.168.217.11 > 50.50.50.10 tcp 22 > 3807 SA 7fa2a81e:b85767fa(0) <mss 1460>
(0,1738448) i( 2, 0, d822)> ip 50.50.50.10 > 192.168.217.11 tcp 3807 > 22 A b85767fa:7fa2a81f(0)
(0,1738452) o( 1, 0, d822)> ip 192.168.217.2 > 192.168.217.11 tcp 2049 > 22 A b85767fa:7fa2a81f(0)
(0,1738452) i( 1, 0, c00c)> ip 192.168.217.11 > 192.168.217.2 tcp 22 > 2049 PA 7fa2a81f:b85767fa(20)
(0,1738452) o( 2, 0, c00c)> ip 192.168.217.11 > 50.50.50.10 tcp 22 > 3807 PA 7fa2a81f:b85767fa(20)
(0,1738452) i( 2, 0, d823)> ip 50.50.50.10 > 192.168.217.11 tcp 3807 > 22 A b85767fa:7fa2a833(0)
(0,1738452) o( 1, 0, d823)> ip 192.168.217.2 > 192.168.217.11 tcp 2049 > 22 A b85767fa:7fa2a833(0)
...
ctrl+c
AX#no debug packet

These lines of debug output show the following:

0 - CPU ID. Indicates the CPU that processed the packet. CPU 0 is the control CPU.

1738448 - Time delay between packets. This is a jiffies value that increments in 4-millisecond (4-ms) intervals.

i - Traffic direction: i (input) or o (output).

(2, 0, d821) - Ethernet interface, VLAN tag, and packet buffer index. If the VLAN tag is 0, then the port is untagged. In this example, the first packet is received on Ethernet port 2, and the VLAN is not yet known. The packet is assigned to buffer index d821.

Note:

Generally, the VLAN tag for ingress packets is 0. It is normal for the ingress VLAN tag to be 0 even when the egress VLAN tag is not 0.

ip 50.50.50.10 > 192.168.217.11 - Ethertype (ip, ipv6, or arp), source IP address and destination IP address.

tcp 3807 > 22 - Layer 4 protocol, source Layer 4 port, and destination Layer 4 port.

S - For TCP, shows the packet type:
S Syn
SA Syn Ack
A Ack
F Fin
PA Push Ack

b85767f9:0(0) - The number in parentheses is the number of bytes in the packet payload. The other numbers are used by A10 Networks for troubleshooting.
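A parser for the debug packet output format described above, as an added example (not A10 code; all function names are hypothetical). It re-joins wrapped records, extracts the documented fields, counts packets per CPU (the count limit is per CPU thread), and pairs each input record with the output record carrying the same buffer index to show how the AX device rewrote the addresses. Treating a shared buffer index as the same packet before and after forwarding is an assumption drawn from the sample output.

```python
import re
from collections import Counter

JIFFY_MS = 4  # the timestamp is a jiffies value that increments every 4 ms

# Records copied from the example output above, wrapped across physical
# lines (as a narrow terminal shows them) to exercise the re-joining step.
SAMPLE = """\
Wait for debug output, enter <ctrl c> to exit
(0,1738448) i( 2,
0, d821)> ip 50.50.50.10 > 192.168.217.11 tcp 3807 > 22 S
b85767f9:0(0) <mss 1460>
(0,1738448) o( 1,
0, d821)> ip 192.168.217.2 > 192.168.217.11 tcp 2049 > 22 S
b85767f9:0(0) <mss 1460>
(0,1738448) i( 1,
0, c00b)> ip 192.168.217.11 > 192.168.217.2 tcp 22 > 2049 SA
7fa2a81e:b85767fa(0) <mss 1460>
(0,1738448) o( 2,
0, c00b)> ip 192.168.217.11 > 50.50.50.10 tcp 22 > 3807 SA
7fa2a81e:b85767fa(0) <mss 1460>
(0,1738452) i( 1,
0, c00c)> ip 192.168.217.11 > 192.168.217.2 tcp 22 > 2049 PA
7fa2a81f:b85767fa(20)
(0,1738452) o( 2,
0, c00c)> ip 192.168.217.11 > 50.50.50.10 tcp 22 > 3807 PA
7fa2a81f:b85767fa(20)
"""

RECORD_START = re.compile(r"^\(\s*\d+\s*,\s*\d+\s*\)")
RECORD_RE = re.compile(r"""
    \(\s*(?P<cpu>\d+)\s*,\s*(?P<jiffies>\d+)\s*\)\s*           # (CPU ID, jiffies)
    (?P<dir>[io])\(\s*(?P<iface>\d+)\s*,\s*(?P<vlan>\d+)\s*,    # direction, port, VLAN
    \s*(?P<buf>[0-9a-f]+)\s*\)>\s*                              # packet buffer index
    (?P<ethertype>ip|ipv6|arp)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+)\s+
    (?P<l4>\w+)\s+(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+
    (?P<flags>[A-Z]+)\s+
    \S+\((?P<payload>\d+)\)                                     # opaque numbers, payload bytes
""", re.VERBOSE)


def join_records(text):
    """Re-join records that the terminal wrapped onto several lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if RECORD_START.match(line):
            records.append(line)
        elif records and line:
            records[-1] += " " + line
    return records


def parse_record(record):
    """Return the documented fields of one record, or None if it does not match."""
    m = RECORD_RE.match(record)
    if m is None:
        return None
    pkt = m.groupdict()
    for key in ("cpu", "jiffies", "iface", "vlan", "sport", "dport", "payload"):
        pkt[key] = int(pkt[key])
    return pkt


def parse_capture(text):
    return [p for p in map(parse_record, join_records(text)) if p is not None]


def per_cpu_counts(packets):
    """Packets seen per CPU ID; the capture count limit applies per CPU thread."""
    return dict(Counter(p["cpu"] for p in packets))


def elapsed_ms(packets):
    """Time spanned by the capture, from the jiffies column."""
    return (packets[-1]["jiffies"] - packets[0]["jiffies"]) * JIFFY_MS


def pair_forwarded(packets):
    """Pair each input record with the output record sharing its buffer index."""
    pending, pairs = {}, []
    for p in packets:
        if p["dir"] == "i":
            pending[p["buf"]] = p
        elif p["buf"] in pending:
            pairs.append((pending.pop(p["buf"]), p))
    return pairs


def rewrites(inp, out):
    """Which endpoint (src or dst address:port) changed between input and output."""
    changed = {}
    for side, port in (("src", "sport"), ("dst", "dport")):
        before, after = f"{inp[side]}:{inp[port]}", f"{out[side]}:{out[port]}"
        if before != after:
            changed[side] = (before, after)
    return changed


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE)
    print("packets per CPU:", per_cpu_counts(pkts))
    print("capture spans", elapsed_ms(pkts), "ms")
    for inp, out in pair_forwarded(pkts):
        print(inp["buf"], inp["flags"],
              f"eth{inp['iface']}->eth{out['iface']}", rewrites(inp, out))
```
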

diff
Description

Display a side-by-side comparison of the commands in a pair of locally stored configurations.

Syntax

diff {startup-config | profile-name}
{running-config | profile-name}

Default

N/A

Mode

Privileged EXEC

Usage

The diff startup-config running-config command compares the configuration profile that is currently linked to startup-config with the running-config. Similarly, the diff startup-config profile-name command compares the
configuration profile that is currently linked to startup-config with the
specified configuration profile.
To compare a configuration profile other than the startup-config to the running-config, enter the configuration profile name instead of startup-config.
To compare any two configuration profiles, enter their profile names instead
of startup-config or running-config.
In the CLI output, the commands in the first profile name you specify are
listed on the left side of the terminal screen. The commands in the other profile that differ from the commands in the first profile are listed on the right
side of the screen, across from the commands they differ from. The following flags indicate how the two profiles differ:

| This command has different settings in the two profiles.
> This command is in the second profile but not in the first one.
< This command is in the first profile but not in the second one.

Example

The following command compares the configuration profile currently linked to startup-config with configuration profile testcfg1. This example is abbreviated for clarity. The differences between the profiles are shown in this example in bold type.

AX#diff startup-config testcfg1
!Current configuration: 13378 bytes                            (
!Configuration last updated at 19:18:57 PST Wed Jan 23 2008    (
!Configuration last saved at 19:19:37 PST Wed Jan 23 2008      (
!version 1.2.1                                                 (
!                                                              (
hostname AX                                                    (
!                                                              (
clock timezone America/Tijuana                                 (
!                                                              (
ntp server 10.1.11.100 1440                                    (
!                                                              (
...
!                                                              (
interface ve 30                                                (
ip address 30.30.31.1 255.255.255.0                            | ip address 10.10.20.1 255.255.255.0
ipv6 address 2001:144:121:3::5/64                              | ipv6 address fc00:300::5/64
!                                                              (
!                                                              (
                                                               > ip nat range-list v6-1 fc00:300::300/64 2001:144:121:1::900/6
!                                                              (
ipv6 nat pool p1 2001:144:121:3::996 2001:144:121:3::999 netm  <
!                                                              <
slb server ss100 2001:144:121:1::100                           <
port 22 tcp                                                    <
--MORE--

disable
Description

Exit the Privileged EXEC mode and enter the EXEC mode.

Syntax

disable

Mode

Privileged EXEC

Example

The following command exits Privileged EXEC mode.


AX#disable
AX>

Note:

The prompt changes from # to >, indicating change to EXEC mode.

exit
Description

Exit the Privileged EXEC mode and enter the EXEC Mode.

Syntax

exit

Mode

Privileged EXEC

Example

In the following example, the exit command is used to exit the Privileged
EXEC level and return to the User EXEC level of the CLI:
AX#exit
AX>
Note:

The prompt changes from # to >, indicating change to EXEC mode.

export
Description

Put a file to a remote site using the specified transport method.

Syntax

export {aflex | class-list | ssl-cert | ssl-key |
ssl-crl | axdebug | debug_monitor}
file-name
[use-mgmt-port]
url

Parameter

Description

aflex

Exports an aFleX file.

class-list

Exports an IP class list.

ssl-cert

Exports a certificate.

ssl-key

Exports a certificate key.

ssl-crl

Exports a Certificate Revocation List (CRL).

axdebug

Exports an AX debug capture file.

debug_monitor

Exports a debug monitor file.

file-name

Name of the file to export.


use-mgmt-port

Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface.

url

File transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
tftp://host/file
ftp://[user@]host[:port]/file
scp://[user@]host/file
rcp://[user@]host/file

Mode

Privileged EXEC, Config

Example

The following command exports an aFleX policy from the AX Series device to an FTP server, to a directory named backups.

AX#export aflex aflex-01 ftp://192.168.1.101/backups/aflex-01

health-test
Description

See health-test on page 38.

import
Description

Get a file from a remote site.

Syntax

import
{aflex | bw-list | class-list | geo-location |
ssl-cert | ssl-key | ssl-crl}
file-name url

Parameter

Description

aflex

Imports an aFleX file.

bw-list

Imports a black/white list.

class-list

Imports an IP class list.

geo-location

Imports a geo-location data file for Global Server Load Balancing (GSLB).

ssl-cert

Imports a certificate.

ssl-key

Imports a certificate key.

ssl-crl

Imports a Certificate Revocation List (CRL).

file-name

Specifies the filename to use on the target server.

url

Specifies the file transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
tftp://host/file
ftp://[user@]host[:port]/file
scp://[user@]host/file
rcp://[user@]host/file

Mode

Privileged EXEC, Config

Usage

For SSL certificates and keys, this command is equivalent to the slb ssl-load command. You can use either one to import SSL certificates and keys.

Note:

The AX device only supports certificates that are in Privacy-Enhanced Mail (PEM) format. The maximum supported certificate size is 16KB. To convert a certificate from Windows format to PEM format, see the Importing SSL Certificates chapter in the AX Series Configuration Guide.

Example

The following command imports an aFleX policy onto the AX Series device from a TFTP server, from its directory named backups:

AX#import aflex aflex-01 tftp://192.168.1.101/backups/aflex-01


locale
Description

Set the locale for the current terminal session.

Syntax

locale parameter
Parameter

Description

test

To test current terminal encodings for specific locale

en_US.UTF-8

English locale for the USA, encoding with UTF-8 (default)

zh_CN.UTF-8

Chinese locale for PRC, encoding with UTF-8

zh_CN.GB18030

Chinese locale for PRC, encoding with GB18030

zh_CN.GBK

Chinese locale for PRC, encoding with GBK

zh_CN.GB2312

Chinese locale for PRC, encoding with GB2312

zh_TW.UTF-8

Chinese locale for Taiwan, encoding with UTF-8

zh_TW.BIG5

Chinese locale for Taiwan, encoding with BIG5

zh_TW.EUCTW

Chinese locale for Taiwan, encoding with EUC-TW

ja_JP.UTF-8

Japanese locale for Japan, encoding with UTF-8

ja_JP.EUC-JP

Japanese locale for Japan, encoding with EUC-JP

Default

en_US.UTF-8

Mode

Privileged EXEC, Config

no
Description

Negate a command or set it to its default setting.

Syntax

no command

Mode

All

Example

The following command disables the terminal command history feature:

AX#no terminal history


AX#


ping
Test network connectivity. For syntax information, see ping on page 40.

reboot
Reboot the AX Series device.
Syntax

reboot
[text |
in [hh:]mm [text] |
at hh:mm [month day | day month] [text] |
cancel]
Parameter

Description

text

Reason for the reboot, 1-255 characters long.

in [hh:]mm

Schedule a reboot to take effect in the specified minutes or hours and minutes. The reboot must take place within approximately 24 hours.

at hh:mm

Schedule a reboot to take place at the specified time (using a 24-hour clock). If you specify the month and day, the reboot is scheduled to take place at the specified time and date. If you do not specify the month and day, the reboot takes place at the specified time on the current day (if the specified time is later than the current time), or on the next day (if the specified time is earlier than the current time). Specifying 00:00 schedules the reboot for midnight.

month

Name of the month, any number of characters in a unique string.

day

Number of the day, 1-31.

cancel

Cancel a scheduled reboot.

Mode

Privileged EXEC

Usage

The reboot command halts the system. If the system is set to restart on error, it reboots itself. Use the reboot command after configuration information is entered into a file and saved to the startup configuration.
You cannot reboot from a virtual terminal if the system is not set up for automatic booting. This prevents the system from dropping to the ROM monitor and thereby taking the system out of the remote user's control.
If you modify your configuration file, the system will prompt you to save the configuration.
The at keyword can be used only if the system clock has been set on the AX Series (either through NTP, the hardware calendar, or manually). The time is relative to the configured time zone on the AX Series. To schedule reboots across several AX Series to occur simultaneously, the time on each AX Series must be synchronized with NTP. To display information about a scheduled reboot, use the show reboot command.

Example

The following example immediately reboots the AX Series device:

AX(config)# reboot
System configuration has been modified. Save? [yes/no]:yes
Rebooting System Now !!!
Proceed with reboot? [yes/no]:yes

The following example reboots the AX Series device in 10 minutes:

AX(config)# reboot in 10
AX(config)# Reboot scheduled for 11:57:08 PDT Fri Apr 21 1996 (in 10 minutes)
Proceed with reboot? [yes/no]yes
AX(config)#

The following example reboots the AX Series device at 1:00 p.m. today:

AX(config)# reboot at 13:00
AX(config)# Reboot scheduled for 13:00:00 PDT Fri Apr 21 1996 (in 1 hour and 2
minutes)
Proceed with reboot? [yes/no]yes
AX(config)#

The following example reboots the AX Series device on Apr 20 at 4:20 p.m.:
AX(config)# reboot at 16:20 apr 20
AX(config)# Reboot scheduled for 16:20:00 PDT Sun Apr 20 2008 (in 38 hours and
9 minutes)
Proceed with reboot? [yes/no]yes
AX(config)#

The following example cancels a pending reboot:

AX(config)# reboot cancel
%Reboot cancelled.
***
*** --- REBOOT ABORTED ---
***


reload
Description

Restart AX system processes and reload the startup-config, without rebooting.

Syntax

reload

Mode

Privileged EXEC

Usage

The reload command restarts AX system processes and reloads the startup-config, without reloading the system image. To also reload the system image, use the reboot command instead. (See reboot on page 62.)
The AX device closes all sessions as part of the reload.

Example

The following command reloads an AX device:

AX(config)#reload
Reload AX ....Done.
AX(config)#

repeat
Description

Periodically re-enter a show command.

Syntax

repeat seconds show command-options

Parameter

Description

seconds

Interval at which to re-enter the command. You can specify 1-300 seconds.

command-options

Options of the show command. See Show Commands on page 535 and SLB Show Commands on page 659.

Mode

Privileged EXEC

Usage

The repeat command is especially useful when monitoring or troubleshooting the system.
The elapsed time indicates how much time has passed since you entered the
repeat command. To stop the command, press Ctrl+C.

Example

The following command displays SLB TCP-proxy statistics every 30 seconds:

AX#repeat 30 show slb tcp-proxy
                            Total
-----------------------------------------------------------------
Currently EST conns         29
Active open conns           6968
Passive open conns          7938
Connect attempt failures    0
Total in TCP packets        678804
Total out TCP packets       712974
Retransmitted packets       359
Resets rcvd on EST conn     5369
Reset Sent                  4303
Refreshing command every 30 seconds. (press ^C to quit) Elapsed Time: 00:00:00
                            Total
-----------------------------------------------------------------
Currently EST conns         30
Active open conns           6992
Passive open conns          7939
Connect attempt failures    0
Total in TCP packets        679433
Total out TCP packets       712986
Retransmitted packets       367
Resets rcvd on EST conn     5781
Reset Sent                  4305
Refreshing command every 30 seconds. (press ^C to quit) Elapsed Time: 00:00:30

show
Description

Display system or configuration information. See Show Commands on page 535 and SLB Show Commands on page 659.

shutdown
Schedule a system shutdown at a specified time or after a specified interval,
or cancel a scheduled system shutdown.
Syntax

shutdown {at hh:mm | in hh:mm | cancel [text]}


Parameter

Description

at

Shutdown at a specific time/date (hh:mm)

in

Shutdown after time interval (mm or hh:mm)

cancel

Cancel pending shutdown

text

Reason for shutdown

Mode

Privileged EXEC

Example

The following command schedules a system shutdown to occur at 11:59 p.m.:

AX#shutdown at 23:59
System configuration has been modified. Save? [yes/no]:yes
Building configuration...
[OK]
Shutdown scheduled for 23:59:00 UTC Fri Sep 30 2005 (in 5 hours and 39 minutes)
by admin on 192.168.1.102
Proceed with shutdown? [confirm]
AX#

Example

The following command cancels a scheduled system shutdown:

AX#shutdown cancel
***
*** --- SHUTDOWN ABORTED ---
***

ssh
Description

Establish a Secure Shell (SSH) connection from the AX device to another device. (See ssh on page 42.)

telnet
Description

Establish a Telnet connection from the AX device to another device. (See telnet on page 43.)

terminal
Description

Set terminal display parameters.

Syntax

terminal option value

Parameter

Description

auto-size

Enables the terminal length and width to automatically change to match the terminal window size.

editing

Enables command-line editing.

history [size]

Enables and controls the command history function. The size option specifies the number of command lines that will be held in the history buffer. You can specify 0-1000.

length num

Sets the number of lines on a screen. You can specify 0-512. Specifying 0 disables pausing.

monitor

Copies debug output to the current terminal.

width num

Sets the width of the display terminal. You can specify 0-512. The setting 0 means infinite.

Default

The terminal settings have the following defaults:

auto-size enabled
editing enabled
history enabled; default size is 256
length 24
monitor disabled
width 80

Mode

Privileged EXEC, Config

Example

The following command changes the terminal length to 40:


AX#terminal length 40

traceroute
Description

Trace a route. See traceroute on page 43.

write terminal
Description

Display the running-config on the terminal.

Syntax

write terminal
[all-partitions |
partition {shared | private-partition-name}]
Parameter

Description

all-partitions

Displays configuration information for all system partitions.

partition {shared | private-partition-name}

Displays configuration information only for the specified partition.

Usage

The optional parameters are applicable to AX devices on which Role-Based Administration (RBA) is configured.

Config Commands: Global


This chapter describes the commands for configuring global AX parameters.
To access this configuration level, enter the configure [terminal] command
at the Privileged EXEC level.
To display global settings, use show commands. (See Show Commands on page 535.)
This CLI level also has the following commands, which are available at all configuration levels:
clear - See clear on page 49.
debug - See debug on page 52.
diff - See diff on page 56.
export - See export on page 58.
health-test - See health-test on page 38.
help - See CLI Quick Reference on page 27.
import - See import on page 59.
repeat - See repeat on page 64.
show - See Show Commands on page 535.
write - See write terminal on page 67.

access-list (standard)
Description

Configure a standard Access Control List (ACL) to permit or deny source IP addresses.

Syntax

[no] access-list acl-num [seq-num]
{permit | deny | l3-vlan-fwd-disable |
remark string}
source-ipaddr {filter-mask | /mask-length}
[log [transparent-session-only]]

Parameter

Description

acl-num

Standard ACL number. You can specify 1-99.

seq-num

Sequence number of this rule in the ACL. You can use this option to resequence the rules in the ACL.

deny | permit

Action to take for traffic that matches the ACL.
deny - For ACLs applied to interfaces or used for management access, drops the traffic.
permit - For ACLs applied to interfaces or used for management access, allows the traffic. For ACLs used for IP source NAT, specifies the inside host addresses to be translated into external addresses.

Note:

If you are configuring an ACL for source NAT, use the permit action. For ACLs used with source NAT, the deny action does not drop traffic, it simply does not use the denied addresses for NAT translations.

l3-vlan-fwd-disable

Disables Layer 3 forwarding between VLANs for IP addresses that match the ACL rule.

remark string

Adds a remark to the ACL. The remark appears at the top of the ACL when you display it in the CLI.
To use blank spaces in the remark, enclose the entire remark string in double quotes. The ACL must already exist before you can configure a remark for it.

source-ipaddr {filter-mask | /mask-length}

Denies or permits traffic received from the specified host or subnet. The filter-mask specifies the portion of the address to filter:
Use 0 to match.
Use 255 to ignore.
For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.255
Alternatively, you can use mask-length to specify the portion of the address to filter. For example, you can specify /24 instead of 0.0.0.255 to filter on a 24-bit subnet.

log [transparent-session-only]

Configures the AX device to generate log messages when traffic matches the ACL.
The transparent-session-only option limits logging for an ACL rule to creation and deletion of transparent sessions for traffic that matches the ACL rule.

Default

No ACLs are configured by default. When you configure one, the log
option is disabled by default.

Mode

Global Config

Usage

An ACL can contain multiple rules. Each access-list command configures one rule. Rules are added to the ACL in the order you configure them. The first rule you add appears at the top of the ACL.
Rules are applied to the traffic in the order they appear in the ACL (from the top, which is the first rule, downward). The first rule that matches traffic is used to permit or deny that traffic. After the first rule match, no additional rules are compared against the traffic.
To move a rule within the sequence, delete the rule, then re-add it with a new sequence number.
Access lists do not take effect until you apply them.
To use an ACL to filter traffic on an interface, see access-list on page 183.
To use an ACL to filter traffic on a virtual server port, see access-list on page 409.
To use an ACL to control management access, see disable-management on page 101 and enable-management on page 105.
To use an ACL with source NAT, see ip nat inside on page 221.

The syntax shown in this section configures a standard ACL, which filters
based on source IP address. To filter on additional values such as destination
address, IP protocol, or TCP/UDP ports, configure an extended ACL. (See
access-list (extended) on page 72.)
Example

The following commands configure a standard ACL and use it to deny traffic sent from subnet 10.10.10.x, and apply the ACL to inbound traffic
received on Ethernet interface 4:

AX(config)#access-list 1 deny 10.10.10.0 0.0.0.255
AX(config)#interface ethernet 4
AX(config-if:ethernet4)#access-list 1 in
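
An added example, not part of the AX documentation or A10 code: a small Python checker that applies the first-match rule order and filter-mask semantics described above to standard ACL lines, and reports rules that can never match because an earlier rule already covers them. The sample rules after the first one, the parsing regex, and the bit-by-bit treatment of filter-mask octets other than 0 and 255 are assumptions; seq-num and l3-vlan-fwd-disable rules are skipped.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

FULL = 0xFFFFFFFF

# Constructed sample: the first rule is the page's example, the others are
# hypothetical additions used to show first-match behaviour.
SAMPLE_ACL = """\
access-list 1 deny 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.0.0 /16
access-list 1 deny 10.10.20.5 0.0.0.0 log
access-list 1 remark "lab hosts"
"""

# Assumed line shape for permit/deny rules without a seq-num.
RULE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)\s+(\S+)"
    r"(?:\s+log(?:\s+transparent-session-only)?)?$"
)


class Rule(NamedTuple):
    position: int  # 1-based order within the ACL
    action: str    # "permit" or "deny"
    addr: int      # rule address as a 32-bit integer
    care: int      # bits of the source address that must equal addr
    text: str      # original command line


def care_bits(mask: str) -> int:
    """Convert a filter-mask or /mask-length into the bits that must match."""
    if mask.startswith("/"):
        length = int(mask[1:])
        if not 0 <= length <= 32:
            raise ValueError(f"bad mask length: {mask}")
        return (FULL << (32 - length)) & FULL
    # filter-mask: 0 means match and 255 means ignore, so invert it.
    # Assumption: octets other than 0 and 255 are applied bit by bit.
    return ~int(ipaddress.IPv4Address(mask)) & FULL


def parse_acl(text: str, acl_num: int) -> List[Rule]:
    """Collect the permit/deny rules of one ACL in configured order."""
    rules: List[Rule] = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m is None or int(m.group(1)) != acl_num:
            continue  # remarks, other ACLs, unsupported rule forms
        rules.append(Rule(len(rules) + 1, m.group(2),
                          int(ipaddress.IPv4Address(m.group(3))),
                          care_bits(m.group(4)), line.strip()))
    return rules


def evaluate(rules: List[Rule], src: str) -> Optional[Rule]:
    """Return the first rule that matches src, or None if no rule matches."""
    ip = int(ipaddress.IPv4Address(src))
    for rule in rules:
        if (ip & rule.care) == (rule.addr & rule.care):
            return rule
    return None


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """List (later, earlier) positions where the earlier rule matches every
    address the later rule matches, so the later rule is never reached."""
    findings = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            subset = (earlier.care & later.care) == earlier.care
            same_net = (later.addr & earlier.care) == (earlier.addr & earlier.care)
            if subset and same_net:
                findings.append((later.position, earlier.position))
                break
    return findings


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL, 1)
    for src in ("10.10.10.5", "10.10.20.5", "192.168.1.1"):
        hit = evaluate(acl, src)
        print(src, "->", hit.text if hit else "no rule matched")
    for later, earlier in shadowed(acl):
        print(f"rule {later} can never match: covered by rule {earlier}")
```

A source that matches no rule returns None here; the section above does not state what the device does in that case.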

access-list (extended)
Description

Configure an extended Access Control List (ACL) to permit or deny traffic based on source and destination IP addresses, IP protocol, and TCP/UDP ports.

Syntax

[no] access-list acl-num [seq-num]
{permit | deny | l3-vlan-fwd-disable |
remark string} ip
{any | host host-src-ipaddr |
net-src-ipaddr {filter-mask | /mask-length}}
{any | host host-dst-ipaddr |
net-dst-ipaddr {filter-mask | /mask-length}}
[log [transparent-session-only]]

or

[no] access-list acl-num [seq-num]
{permit | deny | l3-vlan-fwd-disable |
remark string} icmp
[type icmp-type [code icmp-code]]
{any | host host-src-ipaddr |
net-src-ipaddr {filter-mask | /mask-length}}
{any | host host-dst-ipaddr |
net-dst-ipaddr {filter-mask | /mask-length}}
[log [transparent-session-only]]

or

[no] access-list acl-num [seq-num]
{permit | deny | l3-vlan-fwd-disable |
remark string} {tcp | udp}
{any | host host-src-ipaddr |
net-src-ipaddr {filter-mask | /mask-length}}
[eq src-port | gt src-port | lt src-port |
range start-src-port end-src-port]
{any | host host-dst-ipaddr |
net-dst-ipaddr {filter-mask | /mask-length}}
[eq dst-port | gt dst-port | lt dst-port |
range start-dst-port end-dst-port]
[log [transparent-session-only]]

Parameter

Description

acl-num

Extended ACL number. You can specify 100-199.

seq-num

Sequence number of this rule in the ACL. You can use this option to resequence the rules in the ACL.

deny | permit

Action to take for traffic that matches the ACL.
deny - Drops the traffic.
permit - Allows the traffic.

l3-vlan-fwd-disable

Disables Layer 3 forwarding between VLANs for IP addresses that match the ACL rule.

remark string

Adds a remark to the ACL. The remark appears at the top of the ACL when you display it in the CLI.
To use blank spaces in the remark, enclose the entire remark string in double quotes. The ACL must already exist before you can configure a remark for it.

ip

Filters on IP packets.

icmp

Filters on ICMP packets.

tcp | udp

Filters on TCP or UDP packets. The tcp and udp options enable you to filter on protocol port numbers.

type type-option

This option is applicable if the protocol type is icmp. Matches based on the specified ICMP type. You can specify one of the following. Enter the type name or the type number (for example, dest-unreachable or 3).
any-type - Matches on any ICMP type.
dest-unreachable | 3 - Type 3, destination unreachable
echo-reply | 0 - Type 0, echo reply
echo-request | 8 - Type 8, echo request
info-reply | 16 - Type 16, information reply
info-request | 15 - Type 15, information request
mask-reply | 18 - Type 18, address mask reply
mask-request | 17 - Type 17, address mask request
parameter-problem | 12 - Type 12, parameter problem
redirect | 5 - Type 5, redirect message
source-quench | 4 - Type 4, source quench
time-exceeded | 11 - Type 11, time exceeded
timestamp | 13 - Type 13, timestamp
timestamp-reply | 14 - Type 14, timestamp reply
type-num - ICMP type number, 0-254

code code-num

This option is applicable if the protocol type is icmp. Matches based on the specified ICMP code.
any-code - Matches on any ICMP code.
code-num - ICMP code number, 0-254

any | host host-src-ipaddr | net-src-ipaddr {filter-mask | /mask-length}

Source IP address(es) to filter.
any - The ACL matches on all source IP addresses.
host host-src-ipaddr - The ACL matches only on the specified host IP address.
net-src-ipaddr {filter-mask | /mask-length} - The ACL matches on any host in the specified subnet. The filter-mask specifies the portion of the address to filter:
Use 0 to match.
Use 255 to ignore.
For example, the following filter-mask filters on a 24-bit subnet: 0.0.0.255
Alternatively, you can use mask-length to specify the portion of the address to filter. For example, you can specify /24 instead of 0.0.0.255 to filter on a 24-bit subnet.

eq src-port | gt src-port | lt src-port | range start-src-port end-src-port

For tcp or udp, the source protocol ports to filter.
eq src-port - The ACL matches on traffic from the specified source port.
gt src-port - The ACL matches on traffic from any source port with a higher number than the specified port.
lt src-port - The ACL matches on traffic from any source port with a lower number than the specified port.
range start-src-port end-src-port - The ACL matches on traffic from any source port within the specified range.

any | host host-dst-ipaddr | net-dst-ipaddr {filter-mask | /mask-length}

Destination IP address(es) to filter.

eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port

For tcp or udp, the destination protocol ports to filter.

log [transparent-session-only]

Configures the AX device to generate log messages when traffic matches the ACL.
The transparent-session-only option limits logging for an ACL rule to creation and deletion of transparent sessions for traffic that matches the ACL rule.

Default

No ACLs are configured by default. When you configure one, the log
option is disabled by default.

Mode

Global Config

Usage

An ACL can contain multiple rules. Each access-list command configures one rule. Rules are added to the ACL in the order you configure them. The first rule you add appears at the top of the ACL.
Rules are applied to the traffic in the order they appear in the ACL (from the top, which is the first rule, downward). The first rule that matches traffic is used to permit or deny that traffic. After the first rule match, no additional rules are compared against the traffic.
To move a rule within the sequence, delete the rule, then re-add it with a new sequence number.
Access lists do not take effect until you apply them:
To use an ACL to filter traffic on an interface, see access-list on page 183.
To use an ACL to filter traffic on a virtual server port, see access-list on page 409.
To use an ACL with source NAT, see ip nat inside on page 221.
To use an ACL to control management access, configure a standard ACL instead. (See access-list (standard) on page 69.)

accounting
Description

Configure TACACS+ as the accounting method for recording information about user activities. The AX Series device supports the following types of accounting:
EXEC accounting provides information about EXEC terminal sessions (user shells) on the AX device.
Command accounting provides information about the EXEC shell commands executed under a specified privilege level. This command also allows you to specify the debug level.

Syntax

[no] accounting exec {start-stop | stop-only}
{radius | tacplus}
[no] accounting commands cmd-level stop-only
tacplus
[no] accounting debug debug-level

Parameter

Description

start-stop

Sends an Accounting START packet to TACACS+ servers when a user establishes a CLI session, and an Accounting STOP packet when the user logs out or the session times out.

stop-only

Only sends an Accounting STOP packet when the user logs out or the session times out.

radius | tacplus

Specifies the type of accounting server to use.

cmd-level

Specifies which level of commands will be accounted. The commands are divided into the following levels:
15 (admin) - Commands available for admin (all commands)
14 (config) - Commands available in config mode (does not include the admin command and the commands under the admin mode)
1 (priv EXEC) - Commands available in privileged EXEC mode
0 (user EXEC) - Commands available in user EXEC mode
Command levels 2-13 are the same as command level 1.

debug-level

Specifies the debug level for accounting. The debug level is set as flag bits for different types of debug messages. The AX device has the following types of debug messages:
0x1 - Common information such as trying to connect with TACACS+ servers, getting response from TACACS+ servers; they are recorded in syslog.
0x2 - Packet fields sent out and received by AX, not including the length fields; they are printed out on the terminal.
0x4 - Length fields of the TACACS+ packets will also be printed on the terminal.
0x8 - Information about the TACACS+ MD5 encryption is recorded in syslog.

Default

N/A

Mode

Global configuration.

Usage

The accounting server also must be configured. See radius-server on page 137 or tacacs-server on page 168.

Example

The following command configures the AX device to send an Accounting START packet to the previously defined TACACS+ servers when a user establishes a CLI session on the device. The AX device also will send an Accounting STOP packet when a user logs out or their session times out.

AX(config)#accounting exec start-stop tacplus

The following command configures the AX device to send an Accounting STOP packet when a user logs out or a session times out.

AX(config)#accounting exec stop-only tacplus

The following command configures the AX device to send an Accounting STOP packet to TACACS+ servers before a CLI command of level 14 is executed.

AX(config)#accounting commands 14 stop-only tacplus

The following command specifies debug level 15 for accounting.

AX(config)#accounting debug 15

admin
Configure an admin account for management access to the AX Series device.

Note:

This command is available only to admins who have Root privileges.

Syntax

[no] admin admin-username

admin-username

Admin username, 1-31 characters.

This command changes the CLI to the configuration level for the specified
admin account, where the following admin-related commands are available:
Command

Description

admin

Enters the configuration level for another admin account. If you are configuring multiple admin accounts, this command simplifies navigation of the CLI because you do not need to return to the global Config level to begin configuration of the next account.

disable

Disables the admin account.

enable

Enables the admin account.

password string

Sets the password, 1-63 characters. Passwords are case sensitive and can contain special characters. (For more information, see Special Character Support in Strings on page 36.)

privilege priv-level [partition-name]

Sets the privilege level for the account.
read - The admin can access the User EXEC and Privileged EXEC levels of the CLI only.
write - The admin can access all levels of the CLI.
partition-read - The admin has read-only privileges within the private partition to which the admin is assigned, and read-only privileges for the shared partition.
partition-write - The admin has read-write privileges within the private partition to which the admin is assigned. The admin has read-only privileges for the shared partition.
partition-enable-disable - The admin has read-only privileges for real servers, with permission to view service port statistics and to disable or re-enable the servers and their service ports. No other read-only or read-write privileges are granted.
partition-name - The name of the private partition to which the admin is assigned. This option applies only to admins that have privilege level partition-read, partition-write, or partition-enable-disable.

Note:

Private partitions are used in Role-Based Administration (RBA). For information, see the Role-Based Administration chapter of the AX Series Configuration Guide.

trusted-host ipaddr {subnet-mask | /mask-length}

Specifies the host or subnet address from which the admin is allowed to log onto the AX device.

unlock

Unlocks the account. Use this option if the admin has been locked out due to too many login attempts with an incorrect password. (To configure lockout parameters, see admin lockout on page 81.)

Default

The system has a default admin account, with username admin and password a10. The default admin account has write privilege and can log on from any host or subnet address.
Other admin accounts have the following defaults:
enable / disable - Admin accounts are enabled by default as soon as you add them.
password - a10. This is the default for the admin account and for any admin account you configure if you do not configure the password for the account.
privilege - read
trusted-host - 0.0.0.0 /0, which allows access from any host or subnet.
unlock - N/A. Admin accounts are unlocked by default. They can become locked based on admin lockout settings.



Mode

Global Config

Example

The following commands add admin adminuser1 with password 1234:

AX(config)#admin adminuser1
AX(config-admin:adminuser1)#password 1234

Example

The following commands add admin adminuser2 with password 12345678 and write privilege:

AX(config)#admin adminuser2
AX(config-admin:adminuser2)#password 12345678
AX(config-admin:adminuser2)#privilege write

Example

The following commands add admin adminuser3 with password abcdefgh and write privilege, and restrict login access to the 10.10.10.x subnet only:

AX(config)#admin adminuser3
AX(config-admin:adminuser3)#password abcdefgh
AX(config-admin:adminuser3)#privilege write
AX(config-admin:adminuser3)#trusted-host 10.10.10.0 /24

Example

The following commands configure an admin account for a private partition:

AX(config)#admin compAadmin password compApwd
AX(config-admin:compAadmin)#privilege partition-write companyA
Modify Admin User successful !

admin lockout
Description

Set lockout parameters for admin sessions.

Syntax

[no] admin lockout
{duration minutes | enable | reset-time minutes |
threshold number}

Parameter

Description

duration minutes

Number of minutes a lockout remains in effect. After the lockout times out, the admin can try again to log in. You can specify 0-1440 minutes. To keep accounts locked until you or another authorized administrator unlocks them, specify 0.

enable

Enables the lockout feature.

reset-time minutes

Number of minutes the AX device remembers failed login attempts. You can specify 1-1440 minutes.

threshold number

Number of consecutive failed login attempts allowed before an administrator is locked out. You can specify 1-10.

Default

The lockout feature is disabled by default. This command has the following
defaults:
duration 10 minutes
reset-time 10 minutes
threshold 5

Example

The following command enables admin lockout:

AX(config)#admin lockout enable
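
An added example, not part of the AX documentation or A10 code: a Python check that reads admin-related commands in the form shown in the examples above and flags accounts left on the documented defaults (password a10, login allowed from any host or subnet) and a disabled lockout feature. It assumes the input is the complete admin configuration, entered as CLI commands with or without the AX prompt; the sample session, the account name opsuser, and the finding labels are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Optional CLI prompt such as "AX(config)#" or "AX(config-admin:user1)#".
PROMPT_RE = re.compile(r"^AX(\([^)]*\))?#\s*")

DEFAULT_PASSWORD = "a10"    # documented default for every admin account
ANY_HOST = ("0.0.0.0", "/0")  # documented default trusted-host

# Constructed sample, modelled on the examples in the admin section.
SAMPLE_SESSION = """\
AX(config)#admin adminuser1
AX(config-admin:adminuser1)#password 1234
AX(config)#admin adminuser3
AX(config-admin:adminuser3)#password abcdefgh
AX(config-admin:adminuser3)#trusted-host 10.10.10.0 /24
AX(config)#admin opsuser
"""


def audit_admin_config(session_text: str) -> List[Tuple[str, str]]:
    """Return (subject, finding) pairs for admin settings left at defaults."""
    # The built-in admin account always exists, at defaults unless changed.
    admins: Dict[str, Dict[str, object]] = {
        "admin": {"password": None, "trusted": None}
    }
    lockout_enabled = False
    current: Optional[Dict[str, object]] = None

    for raw in session_text.splitlines():
        line = raw.strip()
        prompt = PROMPT_RE.match(line)
        if prompt:
            if prompt.group(1) == "(config)":
                current = None  # back at the global Config level
            line = line[prompt.end():]
        words = line.split()
        if not words:
            continue

        if words[:2] == ["admin", "lockout"]:
            if words[2:3] == ["enable"]:
                lockout_enabled = True
            current = None
        elif words[:3] == ["no", "admin", "lockout"]:
            if words[3:4] == ["enable"]:
                lockout_enabled = False
            current = None
        elif words[0] == "admin" and len(words) >= 2:
            current = admins.setdefault(
                words[1], {"password": None, "trusted": None})
            # Inline form used in the private-partition example.
            if words[2:3] == ["password"] and len(words) >= 4:
                current["password"] = words[3]
        elif current is not None and words[0] == "password" and len(words) >= 2:
            current["password"] = words[1]
        elif current is not None and words[0] == "trusted-host" and len(words) >= 3:
            current["trusted"] = (words[1], words[2])

    findings: List[Tuple[str, str]] = []
    for name, account in admins.items():
        if account["password"] in (None, DEFAULT_PASSWORD):
            findings.append((name, "default-password"))
        if account["trusted"] in (None, ANY_HOST):
            findings.append((name, "login-from-any-host"))
    if not lockout_enabled:
        findings.append(("global", "lockout-disabled"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_admin_config(SAMPLE_SESSION):
        print(f"{subject}: {finding}")
```
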

aflex
Description

Configure an aFleX policy. For complete information about aFleX policies, see the aFleX Scripting Language Reference Guide.

arp
Description

Create a static ARP entry or change the timeout for dynamic entries.

Syntax

[no] arp ipaddr mac-address
[interface ethernet number
[vlan vlan-id]]
[no] arp timeout seconds

Parameter

Description

ipaddr

IP address of the static entry.

mac-address

MAC address of the static entry.

interface

Specifies the Ethernet data interface.

timeout seconds

Number of seconds a dynamic entry can remain unused before it is removed from the ARP cache. You can specify 60-86400 seconds.

vlan vlan-id

If the AX device is deployed in transparent mode, and the interface is a tagged member of multiple VLANs, use this option to specify the VLAN for which to add the ARP entry.

Default

The default timeout for learned entries is 300 seconds. Static entries do not
time out.

Mode

Global Config

arp timeout
Description

Change the aging timer for dynamic ARP entries.

Syntax

[no] arp timeout seconds

Parameter

Description

seconds

Number of seconds a dynamic entry can remain unused before being removed from the ARP table. You can specify 60-86400 seconds.

Default

300 seconds (5 minutes)

Mode

Global Config

audit
Description

Configure command auditing.

Syntax

[no] audit enable [privilege]
[no] audit size num-entries

Parameter

Description

enable
[privilege]

Enables command auditing.


The privilege option enables logging of Privileged EXEC commands also. Without this
option, only configuration commands are logged.

size numentries

Specifies the number of entries the audit log file


can hold. You can specify 1000-30000 entries.
When the log is full, the oldest entries are
removed to make room for new entries.

Default

Command auditing is disabled by default. When the feature is enabled, the
audit log can hold 20,000 entries by default.

Mode

Global Config

Usage

Command auditing logs the following types of system management events:

Admin logins and logouts for CLI, GUI, and aXAPI sessions
Unsuccessful admin login attempts
Configuration changes made by CLI commands. All attempts to change the configuration are logged, even if they are unsuccessful.
CLI commands at the Privileged EXEC level (if audit logging is enabled for this level)
HA configuration synchronization

The audit log is maintained in a separate file, apart from the system log. The
audit log is RBA-aware. The audit log messages that are displayed for an
admin depend upon the admin's role (privilege level). Admins with Root,
Read Write, or Read Only privileges who view the audit log can view all the
messages, for all system partitions.
Admins who have privileges only within a specific partition can view only
the audit log messages related to management of that partition. Partition
Real Server Operator admins cannot view any audit log entries.

Note:

Backups of the system log include the audit log.

Example

The following command enables command auditing:

AX(config)#audit enable

authentication
Description

Set the authentication method used to authenticate administrative access to
the AX.

Syntax

[no] authentication type
{
local [radius | tacplus] |
[radius | tacplus] local
}
Parameter

Description

local

Uses the AX configuration for authentication. If
the administrative username and password match
an entry in the configuration, the administrator is
granted access.

radius

Uses an external RADIUS server for authentication.

tacplus

Uses an external TACACS+ server for authentication.

Default

By default, only local authentication is used.

Mode

Global Config

Usage

The local database (local option) must be included as one of the authentication sources, regardless of the order in which the sources are used. Authentication using only a remote server is not supported.
If the same username is configured in the local database and on the remote
server but the passwords do not match, the order in which the authentication
sources are used determines whether the admin is granted access. (For more
information, see the Configuring AAA for Admin Access section in the
Management Security Features chapter of the AX Series Configuration
Guide.)

Usage

The authentication server(s) also must be configured. See radius-server
on page 137 or tacacs-server on page 168.

Example

The following commands configure a pair of RADIUS servers and configure the AX device to use them first, before using the local database. Since
10.10.10.12 is added first, this server will be used as the primary server.
Server 10.10.10.13 will be used only if the primary server is unavailable.

AX(config)#radius-server host 10.10.10.12 secret radp1
AX(config)#radius-server host 10.10.10.13 secret radp2
AX(config)#authentication type radius local

authorization
Description

Configure authorization for controlling access to functions in the CLI. The
AX device can use TACACS+ for authorizing commands executed under a
specified privilege level. This command also allows the user to specify the
level for authorization debugging.

Syntax

[no] authorization commands cmd-level method
{tacplus [none] | none}
[no] authorization debug debug-level

Parameter

Description

cmd-level

Specifies the level of commands that will be
authorized. The commands are divided into the
following levels:
15 (admin): This is the most extensive level
of authorization. Commands at all CLI levels, including those used to configure admin
accounts, are sent to TACACS+ for authorization.
14 (config): Commands at all CLI levels
except those used to configure admin
accounts are sent to TACACS+ for authorization. Commands for configuring admin
accounts are automatically allowed.
1 (priv EXEC): Commands at the Privileged
EXEC and User EXEC levels are sent to
TACACS+ for authorization. Commands at
other levels are automatically allowed.
0 (user EXEC): Commands at the User
EXEC level are sent to TACACS+ for authorization. Commands at other levels are automatically allowed.
Command levels 2-13 are equivalent to command level 1.

tacplus

Specifies TACACS+ as the authorization
method. (If you omit this option, you must specify none as the method, in which case no authorization will be performed.)

tacplus none

If all the TACACS+ servers fail to respond, then
no further authorization will be performed and
the command is allowed to execute.

none

No authorization will be performed.

debug-level

Specifies the debug level for authorization. The
debug level is set as flag bits for different types
of debug messages. The AX Series has the following types of debug messages:
0x1: Common system events such as trying to connect with TACACS+ servers and
getting response from TACACS+ servers.
These events are recorded in the syslog.
0x2: Packet fields sent out and received by
the AX Series device, not including the
length fields. These events are written to the
terminal.
0x4: Length fields of the TACACS+ packets will also be displayed on the terminal.
0x8: Information about TACACS+ MD5
encryption will be sent to the syslog.

Default

Not set

Mode

Global configuration.

Usage

The authorization server also must be configured. See radius-server on
page 137 or tacacs-server on page 168.

Example

The following command specifies the authorization method for commands
executed at level 14: try TACACS+ first but if it fails to respond, then allow
the command to execute without authorization.

AX(config)#authorization commands 14 method tacplus none

The following command specifies debug level 15 for authorization:

AX(config)#authorization debug 15
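
The scoping rules for cmd-level, the fail-open behavior of tacplus none, and the debug flag bits can be checked with a small model. This is an added example, not A10 code: the class names, decide() and its server_reply values are hypothetical, and blocking a command when no server answers and no none fallback is configured is an assumption the text above does not state.

```python
"""Model of 'authorization commands cmd-level method ...' (added illustration)."""

# Command classes named in the cmd-level descriptions above.
ADMIN = "admin-account config"
CONFIG = "config"
PRIV_EXEC = "priv EXEC"
USER_EXEC = "user EXEC"
CLASSES = (ADMIN, CONFIG, PRIV_EXEC, USER_EXEC)

METHODS = ("tacplus", "tacplus none", "none")

# Flag bits of 'authorization debug debug-level' and where each is written.
DEBUG_FLAGS = {
    0x1: ("common system events (connect, server response)", "syslog"),
    0x2: ("packet fields sent and received, without length fields", "terminal"),
    0x4: ("length fields of the TACACS+ packets", "terminal"),
    0x8: ("TACACS+ MD5 encryption information", "syslog"),
}


def classes_sent_to_tacacs(cmd_level):
    """Return the command classes that cmd_level submits for authorization."""
    if not 0 <= cmd_level <= 15:
        raise ValueError("cmd-level must be 0-15")
    if cmd_level == 15:
        return {ADMIN, CONFIG, PRIV_EXEC, USER_EXEC}
    if cmd_level == 14:
        return {CONFIG, PRIV_EXEC, USER_EXEC}
    if cmd_level >= 1:  # levels 2-13 are equivalent to level 1
        return {PRIV_EXEC, USER_EXEC}
    return {USER_EXEC}


def decide(cmd_level, method, command_class, server_reply):
    """Return (allowed, reason) for one command.

    server_reply is "permit", "deny", or None when no TACACS+ server responds.
    """
    if method not in METHODS:
        raise ValueError("unknown method: %r" % (method,))
    if command_class not in CLASSES:
        raise ValueError("unknown command class: %r" % (command_class,))
    if method == "none":
        return True, "no authorization performed"
    if command_class not in classes_sent_to_tacacs(cmd_level):
        return True, "automatically allowed at this cmd-level"
    if server_reply == "permit":
        return True, "permitted by TACACS+"
    if server_reply == "deny":
        return False, "denied by TACACS+"
    if method == "tacplus none":
        return True, "fail-open: no server responded, 'none' fallback"
    # Assumption, not stated in the reference text: without the 'none'
    # fallback an unanswered request leaves the command unauthorized.
    return False, "no server responded and no fallback (assumed blocked)"


def decode_debug_level(level):
    """Split a debug-level value into (bit, description, destination) tuples."""
    return [(bit, what, dest)
            for bit, (what, dest) in sorted(DEBUG_FLAGS.items())
            if level & bit]


if __name__ == "__main__":
    # Constructed scenario: TACACS+ servers unreachable, level 14 configured.
    for cls in CLASSES:
        print(cls, "->", decide(14, "tacplus none", cls, None))
    for bit, what, dest in decode_debug_level(15):
        print(hex(bit), what, "->", dest)
```

With cmd-level 14, admin-account commands never reach TACACS+, and with tacplus none every in-scope command runs unauthorized while the servers are unreachable, so both settings deserve a line in a configuration review.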

axdebug
Description

Access the AX debug subsystem. See AX Debug Commands on
page 525.

backup config
Description

Back up the system. See backup config on page 46.

backup log
Description

Configure log backup options and save a backup of the system log. See
backup log on page 47.

banner
Description

Set the banners to be displayed when an admin logs onto the CLI or
accesses the Privileged EXEC mode.

Syntax

[no] banner {exec | login} [multi-line end-marker]
line

Parameter

Description

exec

Configures the EXEC mode banner.

login

Configures the login banner.

multi-line
end-marker

Hexadecimal number to indicate the end of a
multi-line message. The end marker is a simple
string up to 2 characters long, each of which
must be an ASCII character from the following
range: 0x21-0x7e.
The multi-line banner text starts from the first
line and ends at the marker. If the end marker is
on a new line by itself, the last line of the banner
text will be empty. If you do not want the last line
to be empty, put the end marker at the end of the
last non-empty line.

line

Specifies the banner text.

Default

The default login banner is as follows: Welcome to AX
The default EXEC banner is as follows: [type ? for help]

Mode

Global Config

Example

The following examples set the login banner to welcome to login mode
and set the EXEC banner to a multi-line greeting:

AX(config)#banner exec welcome to exec mode
AX(config)#banner login multi-line bb
Enter text message, end with string 'bb'.
Here is a multi-line
Greeting.
bb
AX(config)#

boot-block-fix
Description

Repair the master boot record (MBR) on the hard drive or compact flash.

Syntax

boot-block-fix {cf | hd}

Parameter

Description

cf | hd

Medium to be repaired:
cf - compact flash
hd - hard disk

Default

N/A

Mode

Global Config

Usage

The MBR is the boot sector located at the very beginning of a boot drive.
Under advisement from A10 Networks, you can use the command if your
compact flash or hard drive cannot boot. If this occurs, boot from the other
drive, then use this command.

bootimage
Description

Specify the boot image location from which to load the system image the
next time the AX Series is rebooted.

Syntax

bootimage {both | cf | hd} {pri | sec}

Parameter

Description

cf | hd

Boot medium. The AX Series device always tries
to boot using the hard disk (hd) first. The compact flash (cf) is used only if the hard disk is unavailable.

pri | sec

Boot image location, primary or secondary.

Default

The default location is primary, for both the hard disk and the compact
flash.

Mode

Global Config

Example

The following command configures the AX Series to boot from the secondary image area on the hard disk the next time the device is rebooted:

AX(config)#bootimage hd sec

bpdu-fwd-group
Description

Configure a group of tagged Ethernet interfaces for forwarding Bridge Protocol Data Units (BPDUs). BPDU forwarding groups enable you to use the
AX device in a network that runs Spanning Tree Protocol (STP).
A BPDU forwarding group is a set of tagged Ethernet interfaces that will
accept and broadcast STP BPDUs among themselves. When an interface in
a BPDU forwarding group receives an STP BPDU (a packet addressed to
MAC address 01-80-C2-00-00-00), the interface broadcasts the BPDU to all
the other interfaces in the group.

Syntax

[no] bpdu-fwd-group number

Parameter

Description

number

BPDU forwarding group number, 1-8.

This command changes the CLI to the configuration level for the BPDU
forwarding group, where the following command is available.

Command

Description

[no] ethernet
portnum
[to portnum]
[ethernet
portnum] ...

Ethernet interfaces to add to the BPDU forwarding group.

Default

None

Mode

Global config

Usage

This command is specifically for configuring VLAN-tagged interfaces to
accept and forward BPDUs.
Rules for trunk interfaces:
BPDUs are broadcast only to the lead interface in the trunk.
If a BPDU is received on an Ethernet interface that belongs to a trunk, the BPDU is not broadcast to any other members of the same trunk.

Example

The following commands create BPDU forwarding group 1 containing
Ethernet ports 1-3, and verify the configuration:

AX(config)#bpdu-fwd-group 1
AX(config-bpdu-fwd-group:1)#ethernet 1 to 3
AX(config-bpdu-fwd-group:1)#show bpdu-fwd-group
BPDU forward Group 1 members: ethernet 1 to 3

bridge-vlan-group
Description

Configure a bridge VLAN group for VLAN-to-VLAN bridging.

Syntax

[no] bridge-vlan-group group-num

This command changes the CLI to the configuration level for the specified
bridge VLAN group, where the following configuration commands are
available:

Command

Description

forward-all-traffic |
forward-ip-traffic

Specifies the types of traffic the bridge VLAN
group is allowed to forward:
forward-all-traffic: This option forwards all
types of traffic.
forward-ip-traffic: This option includes typical
traffic between end hosts, such as ARP requests
and responses.

[no] name
string

Specifies a name for the group. The string can be
1-63 characters long. If the string contains blank
spaces, use double quotation marks around the
entire string.

[no] router-interface ve
num

Adds a Virtual Ethernet (VE) interface to the
group. This command is applicable only on AX
devices deployed in gateway mode.

[no]
vlan vlan-id
[vlan vlan-id
... | to vlan
vlan-id]

Adds VLANs to the group.

Default

By default, the configuration does not contain any bridge VLAN groups.
When you create a bridge VLAN group, it has the following default settings:
forward-all-traffic | forward-ip-traffic: forward-ip-traffic
name: Not set
router-interface: Not set
vlan: Not set

Mode

Global Config

Usage

VLAN-to-VLAN bridging is useful in cases where reconfiguring the hosts
on the network either into the same VLAN, or into different IP subnets, is
not desired or is impractical.

Example

For more information, including configuration notes and examples, see the
VLAN-to-VLAN Bridging chapter in the AX Series Configuration Guide.

bw-list
Description

Import a black/white list for Policy-based SLB (PBSLB).

Syntax

[no] bw-list name [use-mgmt-port] url
[period seconds] [load]

Parameter

Description

name

Black/white list name, 1-63 characters.

use-mgmt-port

Uses the management interface as the source
interface for the connection to the remote device.
The management route table is used to reach the
device. By default, the AX device attempts to use
the data route table to reach the remote device
through a data interface.

url

File transfer protocol, username (if required),
directory path, and filename. The following URL
format is supported:
tftp://host/file

period seconds

Specifies how often the AX Series device re-imports the list to ensure that changes to the list
are automatically replicated on the AX device.
You can specify 60-86400 seconds.

load

Immediately re-imports the list to get the latest
changes. Use this option if you change the list
and want to immediately replicate the changes on
the AX device, without waiting for the update
period.

Note:

If you use the load option, the CLI cannot accept any new commands
until the load is completely finished. For large black/white lists, loading
can take a while. Do not abort the load process; doing so can also interrupt
periodic black/white-list updates. If you do accidentally abort the load
process, repeat the command with the load option and allow the load to
complete.

Default

The default period is 300 seconds.

Mode

Global Config

Usage

A TFTP server is required on the PC and the TFTP server must be running
when you enter the bw-list command.

Example

The following command imports black/white list sample-bwlist.txt onto
the AX device:

AX(config)#bw-list sample-bwlist tftp://myhost/TFTP-Root/AX_bwlists/sample-bwlist.txt

class-list (for IP limiting)


Description

Configure an IP class list for use with the IP limiting feature.

Note:

To configure an IP class list for Large-Scale NAT (LSN), see class-list
(for LSN) on page 95 instead.

Syntax

[no] class-list {list-name | filename file}

Parameter

Description

list-name

Adds the list to the running-config.

filename file

Saves the list to a standalone file on the AX
device.

Note:

A class list can be exported only if you use the file option.

This command changes the CLI to the configuration level for the specified
class list, where the following command is available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)

Command

Description

[no] ipaddr
/network-mask
[glid num |
lid num]

Adds an entry to the class list.
ipaddr /network-mask: Specifies the host or
subnet address of the client. The network-mask
specifies the network mask.
To configure a wildcard IP address, specify
0.0.0.0 /0. The wildcard address matches on all
addresses that do not match any entry in the class
list.
glid num | lid num: Specifies the ID of the IP
limiting rule to use for matching clients. You can
use a system-wide (global) IP limiting rule or an
IP limiting rule configured in a PBSLB policy
template.
To use an IP limiting rule configured at the
global configuration level, use the glid num
option.
To use an IP limiting rule configured at the
same level (in the same PBSLB policy template)
as the class list, use the lid num option.
To exclude a host or subnet from being limited,
do not specify an IP limiting rule.

Default

None

Mode

Global Config

Usage

Configure the LIDs before configuring the class list entries. To configure a
LID for IP limiting, see lid on page 117.
As an alternative to configuring class entries on the AX device, you can
configure the class list using a text editor on another device, then import the
class list onto the AX device. To import a class list, see import on
page 59.
For more information about IP limiting, see the IP Limiting chapter in the
AX Series Configuration Guide.

Example

The following commands configure class list global, which matches on
all clients, and uses IP limiting rule 1:

AX(config)#class-list global
AX(config-class list)#0.0.0.0/0 glid 1

class-list (for LSN)


Description

Configure an IP class list for use with Large-Scale NAT (LSN).

Note:

To configure an IP class list for IP limiting, see class-list (for IP limiting) on page 93 instead.

Syntax

[no] class-list {list-name | filename file}

Parameter

Description

list-name

Adds the list to the running-config.

filename file

Saves the list to a file.

This command changes the CLI to the configuration level for the specified
class list, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)

Command

Description

[no] priv-addr
{subnet-mask |
/mask-length}
lsn-lid num

Specifies the internal clients. The priv-addr
option specifies the internal host or subnet
address. Use the subnet-mask or /mask-length
option to specify the subnet mask or mask length.
The lsn-lid num option specifies the LSN LID
number.

Default

None

Mode

Global Config

Usage

Configure the LSN LIDs before configuring the class list entries. To configure an LSN LID for IP limiting, see lsn-lid on page 130.
As an alternative to configuring class entries on the AX device, you can
configure the class list using a text editor on another device, then import the
class list onto the AX device. To import a class list, see import on
page 59.
For more information about LSN, see the Large-Scale NAT chapter in the
AX Series Configuration Guide.

Example

The following commands configure a class list to bind internal subnet
5.5.5.x/24 to LSN LID 5:

AX(config)#class-list list1
AX(config-class list)#5.5.5.0 /24 lsn-lid 5

clock timezone
Description

Set the clock timezone.

Syntax

clock timezone timezone [nodst]

Parameter

Description

timezone

Timezone to use. To view the available timezones, enter the following command:
clock timezone ?

nodst

Disables Daylight Savings Time.

Default

Europe/Dublin (GMT)

Mode

Global Config

Usage

If you use the GUI or CLI to change the AX timezone or system time, the
statistical database is cleared. This database contains general system statistics (performance, and CPU, memory, and disk utilization) and SLB statistics. For example, in the GUI, the graphs displayed on the Monitor >
Overview page are cleared.

Example

The following commands list the available timezones, then set the timezone
to America/Los_Angeles:

AX(config)#clock timezone ?
Pacific/Midway (GMT-11:00)Midway Island, Samoa
Pacific/Honolulu (GMT-10:00)Hawaii
America/Anchorage (GMT-09:00)Alaska
...
AX(config)#clock timezone America/Los_Angeles

convert-passwd
Description

Convert admin accounts and enable passwords into pre-1.2.7 format before
downgrade to AX Release 1.2.6 or earlier.

Syntax

convert-passwd {pri | sec}

Parameter

Description

pri | sec

Specifies the image area to which you want to
save the admin accounts and passwords. Specify
the image area from which you plan to boot
using the 1.2.6 or earlier image.

Default

N/A

Mode

Global Config

Usage

Use this command only if you are planning to downgrade to AX Release
1.2.6 or earlier. Use the command before you downgrade.
In AX Release 1.2.7 and later, the AX device maintains all admin accounts
and enable passwords in a single file, which applies to both the primary and
secondary image areas. In software releases prior to 1.2.7, the AX device
maintained separate files for the primary and secondary image areas. During
runtime, the AX device used the admin accounts and enable passwords that
were in the file corresponding to the image area from which the device was
booted.
To keep the new admin accounts and enable passwords, perform the following steps before you downgrade:
1. Log onto the CLI, with an admin account that has Root or global ReadWrite (Super User) privileges. Partition admin accounts cannot be used.
2. Save the configuration (write memory), to save any new or changed
admin accounts or passwords. (If you perform step 2 without first saving
the configuration, any unsaved admin account or password changes will
be lost.)
3. Use the following command at the global configuration level of the CLI:
convert-passwd {pri | sec}
The pri | sec option specifies the image area to which you want to save
the admin accounts and passwords. Specify the image area from which
you plan to boot using the 1.x image.

copy
Description

Copy a running-config or startup-config.

Syntax

copy {running-config | startup-config |
from-profile-name}
[use-mgmt-port]
{url | to-profile-name [cf]}

Parameter

Description

running-config

Copies the commands in the running-config to
the specified URL or local profile name.

startup-config

Copies the configuration profile that is currently
linked to startup-config and saves the copy
under the specified URL or local profile name.

use-mgmt-port

Uses the management interface as the source
interface for the connection to the remote device.
The management route table is used to reach the
device. By default, the AX device attempts to use
the data route table to reach the remote device
through a data interface.

url

Copies the running-config or configuration profile to a remote device. The URL specifies the
file transfer protocol, username, and directory
path.
You can enter the entire URL on the command
line or press Enter to display a prompt for each
part of the URL. If you enter the entire URL and
a password is required, you will still be prompted
for the password. To enter the entire URL:
tftp://host/file
ftp://[user@]host[:port]/file
scp://[user@]host/file
rcp://[user@]host/file

from-profile-name

Configuration profile you are copying from.

to-profile-name
[cf]

Configuration profile you are copying to. The cf
option copies the profile to the compact flash
instead of the hard disk.

Note:

Copying a profile from the compact flash to the hard disk is not supported.

Note:

You cannot use the profile name default. This name is reserved and
always refers to the configuration profile that is stored in the image area
from which the AX device most recently rebooted.

Default

None

Mode

Global Config

Usage

If you are planning to configure a new AX device by loading the configuration from another AX device:
1. On the configured AX device, use the copy startup-config url command to save the startup-config to a remote server.
2. On the new AX device, use the copy url startup-config command to
copy the configured AX device's startup-config from the remote server
onto the new AX device.
3. Use the reboot command (at the Privileged EXEC level) to reboot the
new AX device.
4. Modify parameters as needed (such as IP addresses).
If you attempt to copy the configuration by copying-and-pasting it from a
CLI session on the configured AX device, some essential parameters such
as interface states will not be copied.

Example

The following command copies the configuration profile currently linked to
startup-config to a profile named slbconfig3 and stores the profile
locally on the AX device:

AX(config)#copy startup-config slbconfig3

delete startup-config
Description

Delete a locally stored configuration profile.

Syntax

delete startup-config profile-name [cf]

Parameter

Description

profile-name

Configuration profile name.

cf

Deletes the specified profile from compact flash
instead of the hard disk. If you omit this option,
the profile is deleted from the hard disk.

Default

N/A

Mode

Global Config

Usage

Although the command uses the startup-config option, the command only
deletes the configuration profile linked to startup-config if you enter that
profile's name. The command deletes only the profile you specify.
If the configuration profile you specify is linked to startup-config,
startup-config is automatically relinked to the default. (The default is the
configuration profile stored in the image area from which the AX device
most recently rebooted).

Example

The following command deletes configuration profile slbconfig2:

AX(config)#delete startup-config slbconfig2

disable
Description

Disable real or virtual servers.

Syntax

disable slb server [server-name] [port port-num]
disable slb virtual-server [server-name] [port
port-num]

Parameter

Description

server-name

Disables the specified real or virtual server.

port port-num

Disables only the specified service port. If you
omit the server-name option, the port is disabled
on all real or virtual servers. Otherwise, the port
is disabled only on the server you specify.

Default

Enabled

Mode

Global Config

Example

The following command disables all virtual servers:

AX(config)#disable slb virtual-server

Example

The following command disables port 80 on all real servers:

AX(config)#disable slb server port 80

Example

The following command disables port 8080 on real server rs1:

AX(config)#disable slb server rs1 port 8080

disable-management
Description

Disable management access to the AX Series device.

Syntax

[no] disable-management service
{all | ssh | telnet | http | https | snmp | ping}
{management | ethernet port-num [to port-num] |
ve ve-num [to ve-num]}

or

Syntax

[no] disable-management service acl acl-num
{management | ethernet port-num [to port-num] |
ve ve-num [to ve-num]}

Parameter

Description

all

Disables access to all the management services
listed in Table 1.

ssh

Disables SSH access to the CLI.

telnet

Disables Telnet access to the CLI.

http

Disables HTTP access to the management GUI.

https

Disables HTTPS access to the management GUI.

snmp

Disables SNMP access to the AX device's
SNMP agent.

ping

Disables ping replies from AX interfaces. This
option does not affect the AX device's ability to
ping other devices.

acl acl-num

Permits or denies management access based on
permit or deny rules in the ACL.

management |
ethernet
port-num
[to port-num] |
ve ve-num
[to ve-num]

Specifies the interfaces for which you are configuring access control.

Note:

Disabling ping replies from being sent by the device does not affect the
device's ability to ping other devices.

Default

Table 1 lists the default settings for each management service.

TABLE 1 Default Management Access

Management Service    Ethernet Management Interface    Ethernet and VE Data Interfaces
SSH                   Enabled                          Disabled
Telnet                Disabled                         Disabled
HTTP                  Enabled                          Disabled
HTTPS                 Enabled                          Disabled
SNMP                  Enabled                          Disabled
Ping                  Enabled                          Enabled

Mode

Global Config

Usage

If you disable the type of access you are using on the interface you are using
at the time you enter this command, your management session will end. If
you accidentally lock yourself out of the device altogether (for example, if
you use the all option for all interfaces), you can still access the CLI by connecting a PC to the AX device's serial port.
To enable management access, see enable-management on page 105.
You can enable or disable management access, for individual access types
and interfaces. You also can use an Access Control List (ACL) to permit or
deny management access through the interface by specific hosts or subnets.

Notes Regarding Use of ACLs

If you use an ACL to secure management access, the action in the ACL rule
that matches the management traffic's source address is used to permit or
deny access, regardless of other management access settings.
For example, if you disable Telnet access to a data interface, but you also
enable access to the interface using an ACL with permit rules, the ACL permits Telnet (and all other) access to the interface, for traffic that matches the
permit rules in the ACL.
If you want certain types of management access to be disabled on an interface, do not use a permit ACL to control management access to the interface.
Each ACL has an implicit deny any any rule at the end. If the management
traffic's source address does not match a permit rule in the ACL, the
implicit deny any any rule is used to deny access.
On data interfaces, you can disable or enable access to specific services and
also use an ACL to control access. However, on the management interface,
you can disable or enable access to specific services or control access using
an ACL, but you cannot do both.

Example

The following command disables HTTP access to the out-of-band management interface:

AX(config)#disable-management service http management


You may lose connection by disabling the http service.
Continue? [yes/no]:yes
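The ACL precedence rules in the Usage notes above can be checked offline with a small model. This is an added example, not A10 code: the Interface class, the rule tuples and the sample addresses are assumptions, and only the precedence rules and the Table 2 defaults come from this reference.

```python
import ipaddress

# Default management access per Table 2 of this reference.
DEFAULTS = {
    "management": {"ssh": True, "telnet": False, "http": True,
                   "https": True, "snmp": True, "ping": True},
    "data": {"ssh": False, "telnet": False, "http": False,
             "https": False, "snmp": False, "ping": True},
}


class Interface:
    """Hypothetical model of one interface's management-access state."""

    def __init__(self, name, kind):
        self.name = name
        self.kind = kind                      # "management" or "data"
        self.services = dict(DEFAULTS[kind])  # enable/disable-management settings
        self.acl = None                       # ordered [(action, network)] or None

    def set_service(self, service, enabled):
        if service not in self.services:
            raise ValueError(f"unknown service: {service}")
        self.services[service] = enabled

    def bind_acl(self, rules):
        for action, _ in rules:
            if action not in ("permit", "deny"):
                raise ValueError(f"unknown ACL action: {action}")
        self.acl = [(a, ipaddress.ip_network(c)) for a, c in rules]


def access_decision(iface, service, source):
    """Return (allowed, reason) for management traffic from a source address."""
    src = ipaddress.ip_address(source)
    if iface.acl is not None:
        # The matching rule's action applies regardless of service settings.
        for action, net in iface.acl:
            if src in net:
                return action == "permit", f"acl {action} {net}"
        return False, "acl implicit deny any any"
    return iface.services[service], "service setting"


def unshadowed_permits(acl):
    """Permit networks not wholly covered by one earlier rule (first match wins)."""
    found = []
    for i, (action, net) in enumerate(acl):
        covered = any(prev.version == net.version and net.subnet_of(prev)
                      for _, prev in acl[:i])
        if action == "permit" and not covered:
            found.append(net)
    return found


def audit(iface):
    """List (service, network) pairs where a disabled service is still reachable."""
    if iface.acl is None:
        return []
    disabled = sorted(s for s, on in iface.services.items() if not on)
    return [(s, str(n)) for n in unshadowed_permits(iface.acl) for s in disabled]


if __name__ == "__main__":
    # Constructed sample: data interface with Telnet disabled and a permit ACL bound.
    eth6 = Interface("ethernet 6", "data")
    eth6.bind_acl([("deny", "10.1.1.128/25"), ("permit", "10.1.1.0/24")])
    for finding in audit(eth6):
        print("disabled service reachable through ACL:", finding)
```

Any pair that audit() returns marks a service you disabled but that the bound ACL still admits for that source range.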

do
Description

Run a Privileged EXEC level command from a configuration level prompt,
without leaving the configuration level.

Syntax

do command

Default

N/A

Mode

Global Config

Usage

For information about the Privileged EXEC commands, see Privileged
EXEC Commands on page 45.

Example

The following command runs the traceroute command from the global
CONFIG level:

AX(config)#do traceroute 10.10.10.9

enable
Description

Enable real or virtual servers.

Syntax

enable slb server [server-name] [port port-num]
enable slb virtual-server [server-name]
[port port-num]

Parameter

Description

server-name

Enables the specified real or virtual server.

port port-num

Enables only the specified service port. If you
omit the server-name option, the port is enabled
on all real or virtual servers. Otherwise, the port
is enabled only on the server you specify.

Default

Enabled

Mode

Global Config

Example

The following command enables all virtual servers:

AX(config)#enable slb virtual-server

Example

The following command enables port 80 on all real servers:

AX(config)#enable slb server port 80

Example

The following command enables port 8080 on real server rs1:

AX(config)#enable slb server rs1 port 8080

enable-core
Description

Change the file size of core dumps.

Syntax

[no] enable-core [a10]

Parameter

Description

a10

Enables A10 core dump files. Without this
option, system core dump files are used instead.
System core dump files are larger than A10 core
dump files.

Default

If HA is configured, system core dump files are enabled by default. If HA is
not configured, A10 core dump files are enabled by default.

Mode

Global config

enable-management
Description

Enable management access to the AX Series device.

Syntax

[no] enable-management service
{all | ssh | telnet | http | https | snmp | ping}
{management | ethernet port-num [to port-num] |
ve ve-num [to ve-num]}

or

Syntax

[no] enable-management service acl acl-num
{management | ethernet port-num [to port-num] |
ve ve-num [to ve-num]}

Parameter

Description

all

Enables access to all the management services
listed in Table 1.

ssh

Enables SSH access to the CLI.

telnet

Enables Telnet access to the CLI.

http

Enables HTTP access to the management GUI.

https

Enables HTTPS access to the management GUI.

snmp

Enables SNMP access to the AX device's SNMP
agent.

ping

Enables ping replies from AX interfaces. This
option does not affect the AX device's ability to
ping other devices.

acl acl-num

Permits or denies management access based on
permit or deny rules in the ACL.

management |
ethernet port-num [to port-num] |
ve ve-num [to ve-num]

Specifies the interfaces for which you are configuring access control.

Default

Table 2 lists the default settings for each management service.

TABLE 2 Default Management Access

Management Service    Management Interface    Data Interfaces
SSH                   Enabled                 Disabled
Telnet                Disabled                Disabled
HTTP                  Enabled                 Disabled
HTTPS                 Enabled                 Disabled
SNMP                  Enabled                 Disabled
Ping                  Enabled                 Enabled

Mode

Global Config

Usage

See the Usage section in disable-management on page 101.

Example

The following command enables Telnet access to Ethernet data interface 6:

AX(config)#enable-management service telnet ethernet 6

enable-password
Description

Set the enable password, which secures access to the Privileged EXEC level
of the CLI.

Syntax

[no] enable-password password-string

Parameter

Description

password-string

Password string, 1-63 characters. Passwords are
case sensitive and can contain special characters.
(For more information, see Special Character
Support in Strings on page 36.)

Default

By default, the password is blank. (Just press Enter.)

Mode

Global Config

Example

The following command sets the Privileged EXEC password to execadmin:

AX(config)#enable-password execadmin

end
Description

Return to the Privileged EXEC level of the CLI.

Syntax

end

Default

N/A

Mode

Config

Usage

The end command is valid at all configuration levels of the CLI. From any
configuration level, the command returns directly to the Privileged EXEC
level.

Example

The following command returns from the global Config level to the Privileged EXEC level:

AX(config)#end
AX#

erase
Description

Erase the startup-config file.

Syntax

erase

Default

N/A

Mode

Global Config

Usage

The no form of this command is not valid.


To recover the configuration, you can save the running-config or reload the
configuration from another copy of the startup-config file.

Example

The following command erases the startup-config file.

AX(config)#erase

exit
Description

Return to the Privileged EXEC level of the CLI.

Syntax

exit

Default

N/A

Mode

Config

Usage

The exit command is valid at all CLI levels. At each level, the command
returns to the previous CLI level. For example, from the server port level,
the command returns to the server level. From the global Config level, the
command returns to the Privileged EXEC level. From the user EXEC level,
the command terminates the CLI session.
From the global configuration level, you also can use the end command to
return to the Privileged EXEC level.

Example

The following command returns from the global Config level to the Privileged EXEC level:

AX(config)#exit
AX#

floating-ip
Description

Set a virtual IP address in a High-Availability configuration.

Syntax

[no] floating-ip ipaddr ha-group group-id

Parameter

Description

ipaddr

Virtual IP address of the HA group.

group-id

HA group ID.

Default

None

Mode

Global Config

Usage

Use this command to specify the IP address of a next-hop upstream or
downstream router used by real servers. (Also see Config Commands:
High Availability on page 505.)

fwlb
Description

Configure Firewall Load Balancing (FWLB) parameters. See Config Commands: Firewall Load Balancing on page 485.

gslb
Description

Configure Global Server Load Balancing (GSLB) parameters. See Config
Commands: Global Server Load Balancing on page 427.

ha
Description

Configure High-Availability (HA) parameters. See Config Commands:
High Availability on page 505.

health external
Description

Use an external program for health monitoring.

Syntax

health external
{delete program-name |
import [use-mgmt-port] [description] url |
export [use-mgmt-port] program-name url}

Parameter

Description

program-name

Program file name, 1-31 characters.

use-mgmt-port

Uses the management interface as the source
interface for the connection to the remote device.
The management route table is used to reach the
device. By default, the AX device attempts to use
the data route table to reach the remote device
through a data interface.

description

Description of the program file, 1-63 characters.

url

File transfer protocol, username (if required), and
directory path.
You can enter the entire URL on the command
line or press Enter to display a prompt for each
part of the URL. If you enter the entire URL and
a password is required, you will still be prompted
for the password. To enter the entire URL:
tftp://host/program-name
ftp://[user@]host[:port]/program-name
scp://[user@]host/program-name
rcp://[user@]host/program-name

Default

N/A

Mode

Global Config

Usage

There is no "no" form of this command. To use an imported program for
health monitoring, you also must configure a health method and apply the
method to the server ports you want to monitor. See the description of the
external option for method on page 494 and see health-check on
page 382.

Example

The following example imports external program mail.tcl from FTP
server 192.168.0.1:

AX(config)#health external import "checking mail server" ftp://192.168.0.1/mail.tcl

health global
Description

Globally change health monitor parameters.

Syntax

[no] health global
{
interval seconds |
retry number |
timeout seconds |
up-retry number
}

Parameter

Description

monitor-name

Name of the health monitor, 1-31 characters.

interval seconds

Number of seconds between health check
attempts, 1-180 seconds. A health check attempt
consists of the AX device sending a packet to the
server. The packet type and payload depend on
the health monitor type. For example, an HTTP
health monitor might send an HTTP GET request
packet. Default is 5 seconds.

retry number

Maximum number of times the AX Series will
send the same health check to an unresponsive
server before determining that the server is
down. You can specify 1-5. Default is 3.

timeout seconds

Number of seconds the AX Series waits for a
reply to a health check, 1-12 seconds. Default is
5 seconds.

up-retry number

Number of consecutive times the device must
pass the same periodic health check, in order to
be marked Up. You can specify 1-10. The default
is 1.

Note:

The timeout parameter is not applicable to external health monitors.

You can change one or more parameters on the same command line.

Default

See above.

Mode

Global Config

Usage

Globally changing a health monitor parameter changes the default for that
parameter. For example, if you globally change the interval from 5 seconds
to 10 seconds, the default interval becomes 10 seconds.
If a parameter is explicitly set on a health monitor, globally changing the
parameter does not affect the health monitor. For example, if the interval on
health monitor hm1 is explicitly set to 20 seconds, the interval remains 20
seconds on hm1 regardless of the global setting.

Note:

Global health monitor parameter changes automatically apply to all new
health monitors configured after the change. To apply a global health
monitor parameter change to health monitors that were configured before
the change, you must reboot the AX device.

Example

The following command globally changes the default number of retries to 5:

AX(config)#health global retry 5

Example

The following command globally changes the timeout to 10 seconds and
default number of retries to 4:

AX(config)#health global timeout 10 retry 4

health monitor
Description

Configure a health monitor.

Syntax

[no] health monitor monitor-name
[interval seconds]
[retry number]
[timeout seconds]
[up-retry number]

Parameter

Description

monitor-name

Name of the health monitor, 1-31 characters.

interval seconds

Number of seconds between health check
attempts, 1-180 seconds. A health check attempt
consists of the AX device sending a packet to the
server. The packet type and payload depend on
the health monitor type. For example, an HTTP
health monitor might send an HTTP GET request
packet. Default is 5 seconds.

retry number

Maximum number of times the AX Series will
send the same health check to an unresponsive
server before determining that the server is
down. You can specify 1-5. Default is 3.

timeout seconds

Number of seconds the AX Series waits for a
reply to a health check, 1-12 seconds. Default is
5 seconds.

up-retry number

Number of consecutive times the device must
pass the same periodic health check, in order to
be marked Up. You can specify 1-10. The default
is 1.

Note:

The timeout parameter is not applicable to external health monitors.

Default

See above.

Mode

Global Config

Usage

For information about the commands available at the health-monitor configuration level, see Config Commands: SLB Health Monitors on page 493.
For more usage information about health monitors, see the Health Monitoring chapter of the AX Series Configuration Guide.

Example

The following command creates a health monitor named hm1 and
accesses the configuration level for it:

AX(config)#health monitor hm1
AX(config-health:monitor)#

health postfile
Description

Import or delete a POST data file for an HTTP or HTTPS health check.

Syntax

health postfile {import | delete} filename

Parameter

Description

import | delete

Specifies whether you are importing a POST data
file or deleting one.

filename

Specifies the filename.

Default

N/A

Mode

Global Config

Usage

The maximum length of POST data you can specify in the CLI or GUI is
255 bytes. For longer data (up to 2 Kbytes), you must import the data in a
file and refer to the file in the HTTP or HTTPS health check.
To use a POST data payload file in an HTTP/HTTPS health monitor, use the
postfile filename option in the method http or method https command, at
the configuration level for the health monitor.

Example

The following commands import a file containing a large HTTP POST data
payload (up to 2 Kbytes), and add the payload to an HTTP health monitor:

AX(config)#health postfile import long-post
AX(config)#health monitor http1
AX2000(config-health:monitor)#method http url post / postfile long-post expect def

In this example, health checks that use this health monitor will send a POST
request containing the data in postfile, and expect the string def in
response.

hostname
Description

Set the AX Series device's hostname.

Syntax

[no] hostname string

Default

AX

Mode

Global Config

Usage

The CLI command prompt also is changed to show the new hostname.

Example

The following example sets the hostname to SLBswitch2:

AX(config)#hostname SLBswitch2

icmp-rate-limit
Description

Configure ICMP rate limiting, to protect against denial-of-service (DoS)
attacks.

Syntax

[no] icmp-rate-limit normal-rate lockup max-rate
lockup-time

Parameter

Description

normal-rate

Maximum number of ICMP packets allowed per
second. If the AX device receives more than the
normal rate of ICMP packets, the excess packets
are dropped until the next one-second interval
begins. The normal rate can be 1-65535 packets
per second.

lockup max-rate

Maximum number of ICMP packets allowed per
second before the AX device locks up ICMP traffic. When ICMP traffic is locked up, all ICMP
packets are dropped until the lockup expires. The
maximum rate can be 1-65535 packets per second. The maximum rate must be larger than the
normal rate.

lockup-time

Number of seconds for which the AX device
drops all ICMP traffic, after the maximum rate is
exceeded. The lockup time can be 1-16383 seconds.

Default

None

Mode

Global Config

Usage

This command configures ICMP rate limiting globally for all traffic to or
through the AX device. To configure ICMP rate limiting on individual
Ethernet interfaces, see icmp-rate-limit on page 186. To configure it in a
virtual server template, see slb template virtual-server on page 375. If you
configure ICMP rate limiting filters at more than one of these levels, all filters are applicable.

Specifying a maximum rate (lockup rate) and lockup time is optional. If you
do not specify them, lockup does not occur.
Example

The following command globally configures ICMP rate limiting to allow up
to 2048 ICMP packets per second, and to lock up all ICMP traffic for 10
seconds if the rate exceeds 3000 ICMP packets per second:

AX(config)#icmp-rate-limit 2048 lockup 3000 10
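To see what the normal rate, lockup rate and lockup time do to a burst of ICMP traffic, the following added example (a model written for this page, not A10 code) replays per-second packet counts through the rules described above. It assumes one-second granularity, that the lockup starts with the interval after the one that exceeded the maximum rate, and that traffic received during a lockup does not extend it; the class name and the sample traffic are constructed.

```python
class IcmpRateLimiter:
    """Per-second model of: icmp-rate-limit normal-rate lockup max-rate lockup-time."""

    def __init__(self, normal_rate, max_rate=None, lockup_time=None):
        # Ranges and the max > normal rule are the ones stated in the parameter list.
        if not 1 <= normal_rate <= 65535:
            raise ValueError("normal-rate must be 1-65535 packets per second")
        if (max_rate is None) != (lockup_time is None):
            raise ValueError("lockup needs both max-rate and lockup-time")
        if max_rate is not None:
            if not 1 <= max_rate <= 65535:
                raise ValueError("max-rate must be 1-65535 packets per second")
            if max_rate <= normal_rate:
                raise ValueError("max-rate must be larger than normal-rate")
            if not 1 <= lockup_time <= 16383:
                raise ValueError("lockup-time must be 1-16383 seconds")
        self.normal_rate = normal_rate
        self.max_rate = max_rate
        self.lockup_time = lockup_time
        self.lockup_left = 0          # seconds of lockup still to serve

    def tick(self, received):
        """Process one one-second interval; return (forwarded, dropped, state)."""
        if self.lockup_left > 0:
            # During lockup all ICMP packets are dropped.
            self.lockup_left -= 1
            return 0, received, "lockup"
        forwarded = min(received, self.normal_rate)
        dropped = received - forwarded
        if self.max_rate is not None and received > self.max_rate:
            # Assumption: the lockup covers the next lockup_time intervals.
            self.lockup_left = self.lockup_time
            return forwarded, dropped, "lockup-triggered"
        return forwarded, dropped, "limited" if dropped else "normal"


def simulate(limiter, per_second_counts):
    """Replay a list of per-second ICMP packet counts through the limiter."""
    return [limiter.tick(n) for n in per_second_counts]


def totals(results):
    """Sum forwarded and dropped packets over a simulation run."""
    return sum(r[0] for r in results), sum(r[1] for r in results)


# Constructed traffic: a ramp, one burst above 3000 pps, then light traffic.
SAMPLE_TRAFFIC = [1000, 2500, 3500] + [100] * 10 + [100]

if __name__ == "__main__":
    # Same values as the example command: icmp-rate-limit 2048 lockup 3000 10
    limiter = IcmpRateLimiter(2048, 3000, 10)
    for second, row in enumerate(simulate(limiter, SAMPLE_TRAFFIC)):
        print(second, row)
```

With the example values, the single burst above 3000 packets per second causes the 100 packets per second that follow to be dropped for the next 10 seconds, which is the availability cost to weigh when choosing a lockup time.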

interface
Description

Access the CLI configuration level for an interface.

Syntax

interface {ethernet port-num | ve ve-num |
loopback number | management}

Default

N/A

Mode

Global Config

Usage

For information about the commands available at the interface configuration level, see Config Commands: Interface on page 183.

Example

The following command changes the CLI to the configuration level for
Ethernet interface 3:

AX(config)#interface ethernet 3
AX(config-if:ethernet3)#

ip
Description

Configure global IP settings. For information, see Config Commands: IP
on page 215.

ipv6
Description

Configure global IPv6 settings. For information, see Config Commands:
IPv6 on page 241.

key chain
Description

Configure a key chain for use by RIP.

Syntax

[no] key chain name

Parameter

Description

name

Name of the key chain, 1-31 characters.

This command changes the CLI to the configuration level for the specified
key chain, where the following key-chain related command is available:

Command

Description

[no] key num

Adds a key and enters configuration mode for the
key. The key number can be 1-255. This command changes the CLI to the configuration level
for the specified key, where the following key-related command is available:
[no] key-string string: Configures the authentication string of the key, 1-16 characters.

Default

By default, no key chains are configured.

Mode

Global Config

Usage

Although you can configure multiple key chains, A10 Networks recommends using one key chain per interface, per routing protocol.

Example

The following commands configure a key chain named example_chain.

AX(config)#key chain example_chain
AX(config-keychain)#key 1
AX(config-keychain-key)#key-string thisiskey1
AX(config-keychain-key)#exit
AX(config-keychain)#key 2
AX(config-keychain-key)#key-string thisiskey2
AX(config-keychain-key)#exit
AX(config-keychain)#key 3
AX(config-keychain-key)#key-string thisiskey3

l3-vlan-fwd-disable
Description

Globally disable Layer 3 forwarding between VLANs.

Syntax

[no] l3-vlan-fwd-disable

Default

By default, the AX device can forward Layer 3 traffic between VLANs.

Mode

Global Config

Usage

This option is applicable only on AX devices deployed in gateway (route)
mode. If the option to disable Layer 3 forwarding between VLANs is configured at any level, the AX device cannot be changed from gateway mode
to transparent mode, until the option is removed.
Depending on the granularity of control required for your deployment, you
can disable Layer 3 forwarding between VLANs at any of the following
configuration levels:
Global: Layer 3 forwarding between VLANs is disabled globally, for
all VLANs. (Use this command at the global configuration level.)
Individual interfaces: Layer 3 forwarding between VLANs is disabled
for incoming traffic on specific interfaces. (See l3-vlan-fwd-disable on
page 205.)
Access Control Lists (ACLs): Layer 3 forwarding between VLANs is
disabled for all traffic that matches ACL rules that use the l3-vlan-fwd-disable action. (See access-list (standard) on page 69 or access-list
(extended) on page 72.)
To display statistics for this option, see show slb switch on page 699.

lid
Description

Configure a global set of IP limiting rules for system-wide IP limiting.

Note:

This command configures a limit ID (LID) for use with the IP limiting
feature. To configure a LID for use with Large-Scale NAT (LSN) instead,
see lsn-lid on page 130.

Syntax

[no] lid num

Parameter

Description

num

Limit ID, 1-31.

This command changes the CLI to the configuration level for the specified
LID, where the following command is available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)

Command

Description

[no] conn-limit num

Specifies the maximum number of concurrent
connections allowed for a client. You can specify
1-1048575.

[no] conn-rate-limit num per num-of-100ms

Specifies the maximum number of new connections allowed for a client within the specified
limit period. You can specify 1-4294967295 connections. The limit period can be 100-6553500
milliseconds (ms), specified in increments of 100
ms.

[no] request-limit num

Specifies the maximum number of concurrent
Layer 7 requests allowed for a client. You can
specify 1-1048575.

[no] request-rate-limit num per num-of-100ms

Specifies the maximum number of Layer 7
requests allowed for the client within the specified limit period. You can specify 1-4294967295
connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms.

[no] over-limit-action [forward | reset] [lockout minutes] [log minutes]

Specifies the action to take when a client exceeds
one or more of the limits. The command also
configures lockout and enables logging. The
action can be one of the following:
drop: The AX device drops that traffic. If logging is enabled, the AX device also generates a
log message. (There is no drop keyword. This is
the default action.)
forward: The AX device forwards the traffic.
If logging is enabled, the AX device also generates a log message.
reset: For TCP, the AX device sends a TCP
RST to the client. If logging is enabled, the AX
device also generates a log message.
The lockout option specifies the number of minutes during which to apply the over-limit action
after the client exceeds a limit. The lockout
period is activated when a client exceeds any
limit. The lockout period can be 1-1023 minutes.
The logging option generates log messages when
clients exceed a limit. When you enable logging,
a separate message is generated for each over-limit occurrence, by default. You can specify a
logging period, in which case the AX device
holds onto the repeated messages for the specified period, then sends one message at the end of
the period for all instances that occurred within
the period. The logging period can be 0-255 minutes. The default is 0 (no wait period).

Default

The LID options have the following default values:
conn-limit: Not set
conn-rate-limit: Not set
request-limit: Not set
request-rate-limit: Not set
over-limit-action: Drop. There is no default lockout period. Logging is
disabled by default. The default logging period is 0 (no wait period).


Mode

Global Config

Usage

This command uses a single class list for IP limiting. To use multiple class
lists for system-wide IP limiting, use a PBSLB policy template instead. See
slb template policy on page 338.
A PBSLB policy template is also required if you plan to apply IP limiting
rules to individual virtual servers or virtual ports.

Example

The following commands configure a global IP limiting rule to be applied to
all IP clients (the clients that match class list global):

AX(config)#lid 1
AX(config-global lid)#conn-rate-limit 10000 per 1
AX(config-global lid)#conn-limit 2000000
AX(config-global lid)#over-limit forward logging
AX(config-global lid)#exit
AX(config)#system lid 1
AX(config)#class-list global
AX(config-class list)#0.0.0.0/0 glid 1

link
Description

Link the startup-config token to the specified configuration profile. By
default, startup-config is linked to default, which means the configuration profile stored in the image area from which the AX device most
recently rebooted.

Syntax

link startup-config {default | profile-name}
[primary | secondary] [cf]

Parameter

Description

default

Links startup-config to the configuration profile stored in the image area from which the AX
device was most recently rebooted.

profile-name

Links startup-config to the specified configuration profile.

primary | secondary

Specifies the image area. If you omit this option,
the image area last used to boot is selected.

cf

Links the profile to the specified image area in
compact flash instead of the hard disk.

Default

The startup-config token is linked to the configuration profile stored in
the image area from which the AX device was most recently rebooted.

Mode

Global Config

Usage

This command enables you to easily test new configurations without replacing the configuration stored in the image area.
The profile you link to must be stored on the boot device you select. For
example, if you use the default boot device (hard disk) selection, the profile
you link to must be stored on the hard disk. If you specify cf, the profile
must be stored on the compact flash. (To display the profiles stored on the
boot devices, use the show startup-config all and show startup-config all
cf commands. See show startup-config on page 648.)
After you link startup-config to a different configuration profile, configuration management commands that affect startup-config affect the linked
profile instead of affecting the configuration stored in the image area. For
example, if you enter the write memory command without specifying a
profile name, the command saves the running-config to the linked profile
instead of saving it to the configuration stored in the image area.
Likewise, the next time the AX device is rebooted, the linked configuration
profile is loaded instead of the configuration that is in the image area.
To relink startup-config to the configuration profile stored in the image
area, use the default option (link startup-config default).
Example

The following command links configuration profile slbconfig3 with
startup-config:

AX(config)#link startup-config slbconfig3

Example

The following command relinks startup-config to the configuration profile stored in the image area from which the AX device was most recently
rebooted:

AX(config)#link startup-config default

locale
Description

Set the CLI locale.

Syntax

[no] locale {test | locale}

Default

en_US.UTF-8

Mode

Global Config

Usage

Use this command to configure the locale or to test the supported locales.

Example

The following commands test the Chinese locales and set the locale to
zh_CN.GB2312:

AX(config)#locale test zh_CN
AX(config)#locale zh_CN.GB2312

logging target severity-level


Description

Specify the severity levels of event messages to send to message targets
other than the AX log buffer.

Syntax

[no] logging target severity-level

Parameter

Description

target

Specifies where event messages are sent:
console: serial console
email: email
monitor: Telnet and SSH sessions
syslog: external Syslog host
trap: external SNMP trap host

Note:

For information about the email option, see logging email buffer on
page 124 and logging email filter on page 124.

severity-level

Specifies the severity levels to log. You can enter
the name or the number of the severity level.
{0 | emergency}
{1 | alert}
{2 | critical}
{3 | error}
{4 | warning}
{5 | notification}
{6 | information}
{7 | debugging}

Default

The default severity level depends on the target:
console: 3 (error)
email: not set (no logging)
monitor: 7 (debugging)
syslog: not set (no logging)
trap: not set (no logging)

Mode

Global Config

Usage

To send log messages to an external host, you must configure the external
host using the logging host command.

Example

The following command sets the severity level for event messages sent to
the console to 2 (critical):

AX(config)#logging console 2

logging buffered
Description

Configure the event log on the AX Series device.

Syntax

[no] logging buffered
{maximum-messages | severity-level}

Parameter

Description

maximum-messages

Specifies the maximum number of messages the
event log buffer will hold.

severity-level

Specifies the severity levels to log. You can enter
the name or the number of the severity level.
{0 | emergency}
{1 | alert}
{2 | critical}
{3 | error}
{4 | warning}
{5 | notification}
{6 | information}
{7 | debugging}

Default

The default buffer size (maximum messages) is 30000. The default severity
level is 7 (debugging).

Mode

Global Config

Example

The following command sets the severity level for log messages to 7
(debugging):

AX(config)#logging buffered 7

logging email buffer


Description

Configure log email settings.

Syntax

[no] logging email buffer [number num]
[time minutes]

Parameter

Description

number num

Specifies the maximum number of messages to
buffer. You can specify 16-256.

time minutes

Specifies how long to wait before sending all
buffered messages, if the buffer contains fewer
than the maximum allowed number of messages.
You can specify 10-1440 minutes.

Default

By default, emailing of log messages is disabled. When you enable the feature, the buffer options have the following default values:
number: 50
time: 10

Mode

Global Config

Usage

To configure the AX device to send log messages by email, you also must
configure an email filter and specify the email address to which to email the
log messages. See logging email filter on page 124 and logging email-address on page 127.

Example

The following command configures the AX device to buffer log messages
to be emailed. Messages will be emailed only when the buffer reaches 32
messages, or 30 minutes pass since the previous log message email,
whichever happens first.

AX(config)#logging email buffer number 32 time 30

logging email filter


Description

Configure a filter for emailing log messages.

Syntax

[no] logging email filter filter-num conditions operators [trigger]

Parameter

Description

filter-num

Specifies the filter number, 1-8.

conditions

Message attributes on which to match. The conditions list can contain one or more of the following:
level severity-levels - Specifies the severity levels of messages to send in email. You can specify the severity levels by number (0-7) or by name: emergency, alert, critical, error, warning, notification, information, or debugging.
mod software-module-name - Specifies the software modules for which to email messages. Messages are emailed only if they come from one of the specified software modules. For a list of module names, enter ? instead of a module name, and press Enter.
pattern regex - Specifies the string requirements. Standard regular expression syntax is supported. Only messages that meet the criteria of the regular expression will be emailed. The regular expression can be a simple text string or a more complex expression using standard regular expression logic.

operators

Set of Boolean operators (AND, OR, NOT) that specify how the conditions should be compared. The CLI Boolean expression syntax is based on Reverse Polish Notation (also called Postfix Notation), a notation method that places an operator (AND, OR, NOT) after all of its operands (in this case, the conditions list).
After listing all the conditions, specify the Boolean operator(s). The following operators are supported:
AND - All conditions must match in order for a log message to be emailed.
OR - Any one or more of the conditions must match in order for a log message to be emailed.
NOT - A log message is emailed only if it does not match the conditions.
(For more information about Reverse Polish Notation, see the following link: http://en.wikipedia.org/wiki/Reverse_Polish_notation.)

trigger

Immediately sends the matching messages in an email instead of buffering them. If you omit this option, the messages are buffered based on the logging email buffer settings.
Default

Not set. Emailing of log messages is disabled by default.

Mode

Global Config

Usage

To configure the AX device to send log messages by email, you also must
specify the email address to which to email the log messages. See logging
email-address on page 127.
Considerations

You can configure up to 8 filters. The filters are used in numerical order, starting with filter 1. When a message matches a filter, the message will be emailed based on the buffer settings. No additional filters are used to examine the message.

A maximum of 8 conditions are supported in a filter.

The total number of conditions plus the number of Boolean operators supported in a filter is 16.

For backward compatibility, the following syntax from previous releases is still supported:

logging email severity-level

The severity-level can be one or more of the following: 0, 1, 2, 5, emergency, alert, critical, notification.
The command is treated as a special filter. This filter is placed into effect only if the command syntax shown above is in the configuration. The filter has an implicit trigger option for emergency, alert, and critical messages, to emulate the behavior in previous releases.

Example

The following command configures a filter that matches on log messages if they are information-level messages and contain the string abc. The trigger option is not used, so the messages will be buffered rather than emailed immediately.

AX(config)#logging email filter 1 level information pattern "abc" and

Example

The following command reconfigures the filter to immediately email matching messages.

AX(config)#logging email filter 1 level information pattern "abc" and trigger
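
The postfix evaluation and first-match filter order described above, modelled in Python as an added example (not A10 code and not part of the original manual). It assumes AND and OR are binary and NOT is unary, represents each condition as a (kind, argument) tuple instead of parsing CLI text, and uses constructed module names (MODA, MODX) and constructed log messages.

```python
import re

# Severity names in numeric order 0-7, as listed on the page.
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notification", "information", "debugging"]
MAX_CONDITIONS = 8   # page: at most 8 conditions per filter
MAX_TOKENS = 16      # page: conditions + Boolean operators <= 16


def level_name(level):
    """Accept a severity given by number (0-7) or by name; return the name."""
    if isinstance(level, int):
        if not 0 <= level <= 7:
            raise ValueError(f"severity out of range: {level}")
        return SEVERITY[level]
    if level not in SEVERITY:
        raise ValueError(f"unknown severity: {level!r}")
    return level


def eval_condition(cond, msg):
    """Evaluate one (kind, argument) condition against a message dict."""
    kind, arg = cond
    if kind == "level":
        return msg["level"] in {level_name(l) for l in arg}
    if kind == "mod":
        return msg["mod"] in arg
    if kind == "pattern":
        return re.search(arg, msg["text"]) is not None
    raise ValueError(f"unknown condition: {kind!r}")


def filter_matches(tokens, msg):
    """Evaluate a postfix filter: conditions push a value, operators pop."""
    conditions = [t for t in tokens if isinstance(t, tuple)]
    if len(conditions) > MAX_CONDITIONS or len(tokens) > MAX_TOKENS:
        raise ValueError("filter exceeds the 8-condition / 16-token limits")
    stack = []
    for tok in tokens:
        if isinstance(tok, tuple):
            stack.append(eval_condition(tok, msg))
        elif tok == "not" and stack:
            stack.append(not stack.pop())
        elif tok in ("and", "or") and len(stack) >= 2:
            right, left = stack.pop(), stack.pop()
            stack.append((left and right) if tok == "and" else (left or right))
        else:
            raise ValueError(f"bad operator or missing operand: {tok!r}")
    if len(stack) != 1:
        # This model rejects leftover operands; the page does not say
        # how the device treats such input.
        raise ValueError("expression leaves conditions without an operator")
    return stack[0]


def dispatch(filters, msg):
    """Apply filters in numerical order; the first match decides and no
    later filter is consulted. Returns (filter_num, action) or None."""
    for num in sorted(filters):
        tokens, trigger = filters[num]
        if filter_matches(tokens, msg):
            return num, ("send-now" if trigger else "buffer")
    return None


# Constructed filter set. Filter 1 is the page's first example (no trigger).
FILTERS = {
    1: ([("level", ["information"]), ("pattern", "abc"), "and"], False),
    2: ([("pattern", "login failed"),
         ("level", ["information", "warning"]), "and"], True),
    # Severity 0-2 from any module except MODX, emailed immediately.
    3: ([("level", [0, 1, 2]), ("mod", ["MODX"]), "not", "and"], True),
}

# Constructed log messages.
MESSAGES = [
    {"level": "information", "mod": "MODA", "text": "abc: login failed for admin"},
    {"level": "warning", "mod": "MODA", "text": "login failed for admin"},
    {"level": "critical", "mod": "MODX", "text": "fan failure"},
    {"level": "alert", "mod": "MODA", "text": "disk error"},
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(m["level"], repr(m["text"]), "->", dispatch(FILTERS, m))
```

The first message matches filter 1 and is only buffered, so the immediate-send filter 2 never sees it: a broad low-numbered filter can delay mail that a later trigger filter was meant to send at once.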


logging email-address
Description

Specify the email addresses to which to send event messages.

Syntax

[no] logging email-address address [...]


Parameter

Description

address

Specifies an email address. You can enter more than one address on the command line. Use a space between each address.

Default

None

Mode

Global Config

Usage

To configure the AX device to send log messages by email, you also must
configure an email filter. See logging email filter on page 124.

Example

The following command sets two email addresses to which to send log messages:

AX(config)#logging email-address admin1@example.com admin2@example.com

logging export
Description

Send the messages that are in the event buffer to an external file server.

Syntax

[no] logging export [all] url


Parameter

Description

all

Include system support messages.

url

File transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
tftp://host/file
ftp://[user@]host[:port]/file
scp://[user@]host/file
rcp://[user@]host/file

Default

N/A

Mode

Global Config

logging facility
Description

Enable logging facilities.

Syntax

[no] logging facility facility-name

Parameter

Description

facility-name

Name of a log facility:

local0
local1
local2
local3
local4
local5
local6
local7

Default

The default facility is local0.

Mode

Global Config

logging flow-control
Description

Control handling of log messages when the logging buffer is full.
When flow control is disabled, messages are dropped.
When flow control is enabled, messages are saved on an external data store.
Older messages replace newer ones. Depending on the state of logging flow control, the oldest messages are deleted or copied to an external data store to make room for new messages.

Syntax

[no] logging flow-control enable

Default

Disabled

Mode

Global Config

logging host
Description

Specify a Syslog server to which to send event messages.

Syntax

[no] logging host ipaddr [ipaddr...] [port protocol-port]

Parameter

Description

ipaddr

IP address of the Syslog server. You can enter multiple IP addresses. Up to 10 remote logging servers are supported.

port protocol-port

Protocol port number to which to send messages. You can specify only one protocol port with the command. All servers must use the same protocol port to listen for syslog messages.

Default

The default protocol port is 514.

Mode

Global Config

Usage

If you use the command to add some log servers, then need to add a new log
server later, you must enter all server IP addresses in the new command.
Each time you enter the logging host command, it replaces any set of servers and syslog port configured by the previous logging host command.

Example

The following command configures 4 external log servers. In this example, the servers use the default syslog protocol port, 514, to listen for log messages.

AX(config)#logging host 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4

Example

The following command reconfigures the set of external log servers, with a
different protocol port. All the log servers must use this port.

AX(config)#logging host 1.1.1.1 2.2.2.2 3.3.3.3 4.4.4.4 port 8899


lsn-lid
Description

Configure a limit ID (LID) for Large-Scale NAT (LSN).

Syntax

[no] lsn-lid num

Note:

This command configures a limit ID (LID) for use with LSN. To configure a LID for use with IP limiting instead, see lid on page 117.

Parameter

Description

num

LSN LID number, 1-31.

This command changes the CLI to the configuration level for the specified LSN LID, where the following commands are available.
(The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command

Description

[no] extended-user-quota {tcp | udp | icmp} service-port portnum sessions num

Configures a per-user extended quota for essential services. The port option specifies the Layer 4 protocol port of the service, and can be 1-65535. The sessions option specifies how many extended sessions are allowed for the protocol port, and can be 1-255.

[no] source-nat-pool pool-name

Binds an LSN NAT pool to the LID.

[no] user-quota {tcp | udp | icmp} quota-num [reserve reserve-num]

Configures the per-user mapping quota for each type of protocol supported for LSN (TCP, UDP, or ICMP). The quota-num option specifies the maximum number of sessions allowed per client and can be 1-64000.
The reserve option allows you to specify how many ports to reserve on a NAT IP for each user, 0-64000. If unspecified, the reserve value is the same as the user-quota value.

Default

The LSN LID options have the following default values:
extended-user-quota not set
source-nat-pool not set
user-quota Not set. By default, the reserve value is the same as the user-quota value.

Mode

Global Config

Example

The following commands configure an LSN LID. The LID is bound to pool
LSN_POOL1. Per-user quotas are configured for TCP, UDP, and ICMP.
For UDP, this class of users will reserve only 100 UDP ports instead of 300.
An extended quota of sessions per client is allocated for TCP port 25
(SMTP).

AX(config)#lsn-lid 5
AX(config-lsn lid)#source-nat-pool LSN_POOL1
AX(config-lsn lid)#user-quota tcp 100
AX(config-lsn lid)#user-quota udp 300 reserve 100
AX(config-lsn lid)#user-quota icmp 10
AX(config-lsn lid)#extended-user-quota tcp port 25 sessions 3

mac-address
Description

Configure a static MAC address.

Syntax

[no] mac-address mac-address port port-num vlan vlan-id [trap {source | dest | both}]

Parameter

Description

mac-address

Hardware address, in the following format: aabb.ccdd.eeff

port port-num

AX Ethernet port to which to assign the MAC address.

vlan vlan-id

Layer 2 broadcast domain in which to place the device.

trap

Send packets to the CPU for processing, instead of switching them in hardware.
source - Send packets that have this MAC as a source address to the CPU.
dest - Send packets that have this MAC as a destination address to the CPU.
both - Send packets that have this MAC as either a source or destination address to the CPU.

Note:

The trap option is supported only on models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200. On models AX 5100 and AX 5200, only trap dest is supported.

Default

No static MAC addresses are configured by default.

Mode

Global Config

Example

The following command configures static MAC address abab.cdcd.efef on port 5 in VLAN 3:

AX(config)#mac-address abab.cdcd.efef port 5 vlan 3

mac-age-time
Description

Set the aging time for dynamic (learned) MAC entries. An entry that remains unused for the duration of the aging time is removed from the MAC table.

Syntax

[no] mac-age-time seconds

Parameter

Description

seconds

Number of seconds a learned MAC entry can remain unused before it is removed from the MAC table. You can specify 10-600 seconds.

Default

300 seconds

Mode

Global Config

Usage

On models AX 1000, AX 2000, AX 2100, and AX 3000, the actual MAC aging time can be +/- 10 seconds from the configured value.
On models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200, the actual MAC aging time can be up to 2 times the configured value. For example, if the aging time is set to 50 seconds, the actual aging time will be between 50 and 100 seconds.

Example

The following command changes the MAC aging time to 600 seconds:

AX(config)#mac-age-time 600

mirror-port
Description

Specify a port to which to copy monitored traffic to or from another port.

Syntax

[no] mirror-port ethernet port-num


Parameter

Description

port-num

Ethernet port number out which the monitored traffic will be sent.

Default

No ports are mirrored.

Mode

Global Config

Usage

To specify the port to monitor, use the monitor command at the interface
configuration level. (See monitor on page 206.)

Example

The following commands configure Ethernet port 3 to mirror traffic, and enable port 5 to copy its inbound traffic to port 3:

AX(config)#mirror-port ethernet 3
AX(config)#interface ethernet 5
AX(config-if:ethernet5)#monitor input

monitor
Description

Specify event thresholds for utilization of resources.

Syntax

monitor {buffer-drop | buffer-usage | ctrl-cpu | data-cpu | disk | memory | warn-temp} threshold-value

Parameter

Description

buffer-drop

Packet drops (dropped IO buffers)

buffer-usage

Control buffer utilization

ctrl-cpu

Control CPU utilization

data-cpu

Data CPUs utilization

disk

Hard disk utilization

memory

Memory utilization

warn-temp

CPU temperature

threshold-value

The values you can specify depend on the event type:
buffer-drop - You can specify 1-32767 drops per 10-second interval.
buffer-usage - You can specify 60000-120000 buffers.
ctrl-cpu - You can specify 1-100 percent.
data-cpu - You can specify 1-100 percent.
disk - You can specify 1-100 percent.
memory - You can specify 1-100 percent.
warn-temp - You can specify 1-68 C (degrees Centigrade).

Default

The default threshold values are as follows:
buffer-drop 100 drops per 10-second interval
buffer-usage 90000 buffers
ctrl-cpu 90%
data-cpu 90%
disk 85%
memory 95%
warn-temp 68 C

Usage

If utilization of a system resource crosses the configured threshold, a log message is generated. If applicable, an SNMP trap is also generated.
To display the configured event thresholds, see show monitor on page 633.

Example

The following command sets the event threshold for data CPU utilization to
80%:

AX(config)#monitor data-cpu 80


no
Description

Remove a configuration command from the running configuration.

Syntax

no command-string

Default

N/A

Mode

Config

Usage

Use the no form of a command to disable a setting or remove a configured item. Configuration commands at all Config levels of the CLI have a
no form, unless otherwise noted.
The command is removed from the running-config. To permanently remove
the command from the configuration, use the write memory command to
save the configuration changes to the startup-config. (See write terminal
on page 67.)

Example

The following command removes server http99 from the running-config:

AX(config)#no slb server http99

ntp
Description

Configure Network Time Protocol (NTP) parameters.

Syntax

[no] ntp server {hostname | ipaddr} [minutes]
[no] ntp {disable | enable}

Parameter

Description

hostname | ipaddr

Hostname or IP address of the NTP server.

minutes

Synchronization interval, which specifies how often the AX polls the NTP server for updated time information. You can specify 1-518400 minutes.

disable

Disables synchronization with the NTP server.

enable

Enables synchronization with the NTP server.

Default

NTP synchronization is disabled by default. If you enable it, the default interval is 1440 minutes. DST is enabled by default, if applicable to the specified timezone.

Mode

Global Config

Usage

You can configure a maximum of 4 NTP servers.

If the system clock is adjusted while OSPF or RIP is enabled, the routing protocols may stop working properly. To work around this issue, disable OSPF and RIP before adjusting the system clock.

Example

The following commands configure an NTP server and enable NTP:

AX(config)#ntp server 10.1.4.20
AX(config)#ntp server enable

packet-handling
Description

Set handling of Layer 2 broadcast packets.

Syntax

[no] packet-handling broadcast {trap | flood}

Parameter

Description

trap

Sends broadcast packets to the CPU for processing, instead of forwarding them in hardware.

flood

Forwards broadcast packets in hardware.

Default

flood

Mode

Global Config

Usage

This command is supported only on models AX 2200, AX 3100, and AX 3200.

partition
Description

Configure a private partition for Role-Based Administration (RBA).

Syntax

partition partition-name [max-aflex-file num]
no partition [partition-name] [max-aflex-file num]

Parameter

Description

partition-name

Specifies the name of the private partition, 1-14 characters.

max-aflex-file num

Specifies the maximum number of aFleX policies the partition can have, 1-128.

Default

The AX device has a shared partition but no private partitions by default.
When you create a private partition, it can have a maximum of 32 aFleX policies by default.

Mode

Global Config

Usage

To use this command, you must be logged in with an admin account that has
Root or Read-write privileges. (See show admin on page 536 for descriptions of the admin privilege levels.)

Example

The following commands configure two private partitions, companyA and companyB:

AX(config)#partition companyA
AX(config)#partition companyB

Example

The following command removes all private partitions:

AX(config)#no partition
Remove all RBA partitions and configurations therein? (y/n) y

ping
Ping is used to diagnose basic network connectivity. For syntax information, see ping on page 40.

radius-server
Description

Set RADIUS parameters, for authenticating administrative access to the AX Series device.

Syntax

[no] radius-server host {hostname | ipaddr} secret secret-string [acct-port protocol-port] [auth-port protocol-port] [retransmit num] [timeout seconds]

Parameter

Description

hostname | ipaddr

Hostname or IP address of the RADIUS server.

secret secret-string

Password required by the RADIUS server for authentication requests.

acct-port protocol-port

Protocol port to which the AX Series device sends RADIUS accounting information.

auth-port protocol-port

Protocol port to which the AX Series device sends authentication requests.

retransmit num

Maximum number of times the AX device can resend an unanswered authentication request to the server. If the AX device does not receive a reply to the final request, the AX device tries the secondary server, if one is configured.
If no secondary server is available, or if the secondary server also fails to reply after the maximum number of retries, authentication fails and the admin is denied access.
You can specify 0-5 retries.

timeout seconds

Maximum number of seconds the AX device will wait for a reply to an authentication request before resending the request. You can specify 1-15 seconds.

Default

No RADIUS servers are configured by default. When you add a RADIUS server, it has the following default settings:
acct-port 1813
auth-port 1812
retransmit 3 retries
timeout 3 seconds

You can configure up to 2 RADIUS servers. The servers are used in the order in which you add them to the configuration. Thus, the first server you add is the primary server. The second server you add is the secondary (backup) server. Enter a separate command for each of the servers. The secondary server is used only if the primary server does not respond.

Mode

Global Config

Example

The following commands configure a pair of RADIUS servers and configure the AX device to use them first, before using the local database. Since
10.10.10.12 is added first, this server will be used as the primary server.
Server 10.10.10.13 will be used only if the primary server is unavailable.

AX(config)#radius-server host 10.10.10.12 secret radp1
AX(config)#radius-server host 10.10.10.13 secret radp2
AX(config)#authentication type radius local

raid
Description

Enter the configuration level for RAID.

Syntax

raid
CAUTION! RAID configuration should be performed only by or with
the assistance of A10 Networks. A10 strongly advises that you do not
experiment with these commands.

restore
Description

Restore the startup-config, aFleX policy files, and SSL certificates and keys
from a tar file previously created by the backup command. The restored
configuration takes effect following a reboot.

Syntax

[no] restore [use-mgmt-port] url


Parameter

Description

use-mgmt-port

Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface.

url

File transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
tftp://host/file
ftp://[user@]host[:port]/file
scp://[user@]host/file
rcp://[user@]host/file

Default

N/A

Mode

Global Config

Usage

Do not save the configuration (write memory) after restoring the startup-config. If you do, the startup-config will be replaced by the running-config and you will need to restore the startup-config again.
To place the restored configuration into effect, reboot the AX device.
The no form of this command is invalid.

route-map
Description

Configure a rule in a route map. You can use route maps to provide input to
the following OSPF commands:
redistribute on page 260
default-information originate on page 270

Syntax

[no] route-map map-name {deny | permit} sequence-num

Parameter

Description

map-name

Route map name.

deny | permit

Action to perform on data that matches the rule.

sequence-num

Sequence number of the rule within the route map, 1-65535. Rules are used in ascending sequence order.
The action in the first matching rule is used, and no further matching is performed.
You do not need to configure route map rules in numerical order. The CLI automatically places them in the configuration (running-config) in ascending numerical order.

This command changes the CLI to the configuration level for the specified route map rule, where the following match commands are available.

Note:

Some match options apply only to BGP, which is not supported in the current release.

Command

Description

match as-path acl-id

Matches on the BGP AS paths listed in the specified ACL.

match community acl-id [exact-match]

Matches on the BGP communities listed in the specified ACL.

match extcommunity acl-id [exact-match]

Matches on the BGP external communities listed in the specified ACL.

match interface {ethernet portnum | loopback num | management | ve ve-num}

Matches on the interface used as the first hop for a route.

match ip address {acl-id | prefix-list list-name}

Matches on the route IP addresses in the specified ACL or prefix list.

match ip next-hop {acl-id | prefix-list list-name}

Matches on the next-hop router IP addresses in the specified ACL or prefix list.

match ip peer acl-id

Matches on the peer router IP addresses in the specified ACL.

match ipv6 address {acl-id | prefix-list list-name}

Matches on the route IP addresses in the specified ACL or prefix list.

match ipv6 next-hop {acl-id | prefix-list list-name | ipv6-addr}

Matches on the next-hop router IP addresses in the specified ACL or prefix list, or the specified IPv6 address.

match ipv6 peer acl-id

Matches on the peer router IP addresses in the specified ACL.

match metric num

Matches on the specified metric value, 0-4294967295.

match origin {egp | igp | incomplete}

Matches on the specified BGP origin code.

match route-type external {type-1 | type-2}

Matches on the specified external route type.

match tag

Matches on the specified TAG value, 0-4294967295.

Default

Specifies the maximum number of concurrent connections allowed on the


server for this port, 0-1000000 (one million). The default is 1000000None

Mode

Global config

Usage

For options that use an ACL, the ACL must use a permit action. Otherwise,
the route map action is deny.


router
Description

Enter the configuration mode for a routing protocol, OSPF or RIP. The command also enables the specified routing protocol.

Syntax

[no] router (ospf {0 | 1} | rip)


Parameter

Description

ospf {0 | 1}

Enables OSPF. The AX device can run two independent instances of OSPF at the same time. To
specify the instance you want to configure, enter
0 or 1.

rip

Enables RIP.

Default

OSPF and RIP are disabled by default.

Mode

Global Config

Usage

This command is valid only when the AX is configured for gateway mode
(Layer 3).
See the following chapters for information about the routing commands:
Config Commands: Router OSPF on page 253
Config Commands: Router RIP on page 279

Example

The following command enters the configuration level for OSPF instance 0:

AX(config)#router ospf 0
AX(config-router-ospf:0)#

router log file


Description

Configure router logging to a local file.

Syntax

[no] router log file {name string | per-protocol | rotate num | size Mbytes}

Parameter

Description

name string

Name of the log file.

per-protocol

Uses separate log files for each protocol. Without this option, log messages for all protocols are written to the same file.

rotate num

Specifies the number of backups to allow for each log file. When a log file becomes full, the logs are saved to a backup file and the log file is cleared for new logs. You can specify 0-100 backups. If the maximum number of backups is reached, the oldest backups are purged to make way for new ones.

size Mbytes

Specifies the size of each log file. You can specify 0-1000000 Mbytes. If you specify 0, the file size is unlimited.

Default

This command has the following default values:
per-protocol disabled
rotate 0
size 0 (unlimited)

Mode

Global configuration

Usage

When you enable logging, the default minimum severity level that is logged
is debugging. To change the minimum severity level that is logged, see
router log trap on page 145.
The per-protocol option is recommended. Without this option, messages
from all routing protocols will be written to the same file, which may make
troubleshooting more difficult.

router log record-priority


Description

Include the message priority within each router log message.

Syntax

[no] router log record-priority

Default

Disabled

Mode

Global configuration


router log stdout


Description

Enable router logging to the terminal.

Syntax

[no] router log stdout

Default

Disabled

Mode

Global configuration

Usage

When you enable logging, the default minimum severity level that is logged
is debugging. To change the minimum severity level that is logged, see
router log trap on page 145.

router log syslog


Description

Enable router logging to the local log buffer.

Syntax

[no] router log syslog

Default

Disabled

Mode

Global configuration

Usage

When you enable logging, the default minimum severity level that is logged
is debugging. To change the minimum severity level that is logged, see
router log trap on page 145.
To display the log messages in the local log buffer, use the show log command.

router log trap


Description

Specify the minimum severity level to log for router logs.

Syntax

[no] router log trap severity-level


Parameter

Description

severity-level

Minimum severity level to log. You can specify one of the following:
emergencies
alerts
critical
errors
warnings
notifications
informational
debugging

Default

debugging

Mode

Global configuration

session-filter
Description

Configure a session filter.


Syntax

session-filter filter-name {ipv4addr-suboptions | ipv6 | sip | filter filter-name}

Parameter

Description

ipv4addr-suboptions

Matches on sessions that have a source or destination IPv4 address. The following address suboptions are supported:
source-addr ipaddr [{subnet-mask | /mask-length}] - Matches on IPv4 sessions that have the specified source IP address.
source-port port-num - Matches on IPv4 sessions that have the specified source protocol port number, 1-65535.
dest-addr ipaddr [{subnet-mask | /mask-length}] - Matches on IPv4 sessions that have the specified destination IP address.
dest-port port-num - Matches on IPv4 sessions that have the specified destination protocol port number, 1-65535.
You can use one or more of the suboptions, in the order listed above. For example, if the first suboption you enter is dest-addr, the only additional suboption you can specify is dest-port.

ipv6

Matches on all sessions that have a source or destination IPv6 address.

sip

Matches on all SIP sessions.

Default

No session filters are configured by default.

Mode

Global Config

Usage

Session filters allow you to save session display options for use with the clear session and show session commands. Configuring a session filter allows you to specify a given set of options one time rather than re-entering the options each time you use the clear session or show session command.

Example

The following commands configure a session filter and use it to filter show
session output:

AX(config)#session-filter f1 source-addr 1.0.4.147
AX(config)#show session filter f1
Prot Forward Source      Forward Dest     Reverse Source   Reverse Dest       Age Hash
---------------------------------------------------------------------------------------------------------
Tcp  1.0.4.147:51613     1.0.100.1:21     1.0.3.148:21     1.0.4.147:51613    120 1

slb
Description

Configure Server Load Balancing (SLB) parameters. For information about
the slb commands, see Config Commands: Server Load Balancing on
page 281.

smtp
Description

Configure a Simple Mail Transfer Protocol (SMTP) server to use for sending emails from the AX device.

Syntax

[no] smtp {hostname | ipaddr}
[mailfrom email-src-addr]
[needauthentication]
[port protocol-port]
[username string password string]

Parameter

Description

hostname | ipaddr

Specifies an SMTP server.

mailfrom email-src-addr

Specifies the email address to use as the sender (From) address.

needauthentication

Specifies that authentication is required.

port protocol-port

Specifies the protocol port on which the server listens for SMTP traffic.

username string password string

Specifies the username and password required for access.

Default

No SMTP servers are configured by default. When you configure one, it has
the following default settings:
port 25
needauthentication disabled
mailfrom not set

Mode

Global Config

Example

The following command configures the AX Series device to use SMTP
server ourmailsrvr:

AX(config)#smtp ourmailsrvr

snat-on-vip
Description

Globally enable IP NAT support for VIPs.

Syntax

[no] snat-on-vip

Default

Disabled

Mode

Global Config

Usage

Source IP NAT can be configured on a virtual port in the following ways:

1. ACL-based source NAT (access-list command at virtual port level)
2. VIP source NAT (slb snat-on-vip command at global configuration level)
3. aFleX policy (aflex command at virtual port level)
4. Non-ACL source NAT (source-nat command at virtual port level)

These methods are used in the order shown above. For example, if IP source
NAT is configured using an ACL on the virtual port, and the slb snat-on-vip
command is also used, then a pool assigned by the ACL is used for traffic
that is permitted by the ACL. For traffic that is not permitted by the
ACL, VIP source NAT can be used instead.

snmp-server community
Description

Configure an SNMP community string.

Syntax

[no] snmp-server community read ro-community-string
[oid oid-value]
[remote {hostname | ipaddr mask-length | ipv6-addr/prefix-length}]

Parameter

Description

ro-community-string

The read-only community string.

oid oid-value

Object ID. This option restricts the objects that the AX Series device
returns in response to GET requests. Values are returned only for the
objects within or under the specified OID.

remote {hostname | ipaddr mask-length | ipv6-addr/prefix-length}

Restricts SNMP access to a specific host or subnet. When you use this
option, only the specified host or subnet can receive SNMP data from the
AX Series device by sending a GET request to this community.

Default

The configuration does not have any default SNMP communities. When
you configure one, all OIDs are allowed by default and all remote hosts are
allowed by default.

Mode

Global Config

Usage

All SNMP communities are read-only. Read-write communities are not supported. The OID for A10 Networks AX Series objects is 1.3.6.1.4.1.22610.
The no form removes the read-only community string.

Example

The following commands enable SNMP, define community string
A10_AX, and restrict access to hosts in subnet 10.10.20.x/24 and to AX
MIB objects only:

AX(config)#snmp-server enable
AX(config)#snmp-server community read A10_AX oid AxMgmt remote 10.10.20.0 24

Example

The following commands enable SNMP, define community string
A10_AX2, and restrict access to hosts in IPv6 network a101::1111:

AX(config)#snmp-server enable
AX(config)#snmp-server community read A10_AX2 remote a101::1111

snmp-server contact
Description

Configure SNMP contact information.

Syntax

[no] snmp-server contact contact-name

Parameter

Description

contact-name

The contact person's name.

Default

Empty string

Mode

Global Config

Usage

The no form removes the contact information.

Example

The following command defines the contact person as snmp-admin:

AX(config)#snmp-server contact snmp-admin


snmp-server enable
Description

Enable the AX Series device to accept SNMP MIB data queries and to send
SNMP v1/v2c traps.
To use SNMP on the device, you must enter this command. Enter this command first, then enter the other snmp-server commands to further configure
the feature.

Syntax

[no] snmp-server enable
[
traps [
snmp [trap-name]
system [trap-name]
ha [trap-name]
network [trap-name]
slb [trap-name]
]
]

Parameter

Description

traps

Specifies the traps to enable. You can enable all traps, all traps of a specific type, or individual traps.
To enable all traps, specify traps, without any additional options.
To enable all traps of a specific type, specify one of the following:
traps snmp - Enables the following traps:
linkdown - Indicates that an Ethernet interface has gone down.
linkup - Indicates that an Ethernet interface has come up.
traps system - Enables the following traps:
control-cpu-high - Indicates that the control CPU utilization is higher than the configured threshold. (See monitor on page 133.)
data-cpu-high - Indicates that data CPU utilization is higher than the configured threshold. (See monitor on page 133.)

fan - Indicates that a system fan has failed. Contact A10 Networks.
high-disk-use - Indicates that hard disk usage on the AX device is higher than the configured threshold. (See monitor on page 133.)
high-memory-use - Indicates that the memory usage on the AX device is higher than the configured threshold. (See monitor on page 133.)
high-temp - Indicates that the temperature inside the AX chassis is higher than the configured threshold. (See monitor on page 133.)
packet-drop - Indicates that the number of dropped packets during the previous 10-second interval exceeded the configured threshold. (See monitor on page 133.)
power - Indicates that a power supply has failed. Contact A10 Networks.
pri-disk - Indicates that the primary Hard Disk has failed or the RAID system has failed. In dual-disk models, the primary Hard Disk is the one on the left, as you are facing the front of the AX chassis.
restart - Indicates that the AX device is going to reboot or reload.
sec-disk - Indicates that the secondary Hard Disk has failed or the RAID system has failed. The secondary Hard Disk is the one on the right, as you are facing the front of the AX chassis.
Note: This trap does not apply to the following models: AX 2500, AX 2600, AX 3000, AX 5100, or AX 5200.
shutdown - Indicates that the AX device has shut down.
start - Indicates that the AX device has started.
traps network - Enables the following trap:
trunk-port-threshold - Indicates that the trunk ports threshold feature has disabled trunk members because the number of up ports in the trunk has fallen below the configured threshold. (To configure the threshold, see trunk on page 173.)
traps ha - Enables the following traps:
active - Indicates that the AX device is going from HA Standby mode to Active mode.
standby - Indicates that the AX device is going from HA Active mode to Standby mode.
active-active - Indicates that an Active-Active HA configuration has been enabled.
traps slb - Enables the following traps:
application-buffer-limit - Indicates that the configured SLB application buffer threshold has been exceeded. (See monitor on page 133.)
server-conn-limit - Indicates that an SLB server has reached its configured connection limit.
server-conn-resume - Indicates that an SLB server has reached its configured connection-resume value.
server-down - Indicates that an SLB server has gone down.
server-up - Indicates that an SLB server has come up.
service-conn-limit - Indicates that an SLB service has reached its configured connection limit.
service-conn-resume - Indicates that an SLB service has reached its configured connection-resume value.
service-down - Indicates that an SLB service has gone down.
service-up - Indicates that an SLB service has come up.

vip-connlimit - Indicates that the connection limit configured on a virtual server has been exceeded.
vip-connratelimit - Indicates that the connection rate limit configured on a virtual server has been exceeded.
vip-port-connlimit - Indicates that the connection limit configured on a virtual port has been exceeded.
vip-port-connratelimit - Indicates that the connection rate limit configured on a virtual port has been exceeded.
vip-port-down - Indicates that an SLB virtual service port has gone down.
vip-port-up - Indicates that an SLB virtual service port has come up. An SLB virtual server's service port is up when at least one member (real server and real port) in the service group bound to the virtual port is up.

Note:

If you enter the snmp-server enable command without a trap option, the
SNMP service is enabled but no traps are enabled.

Default

The SNMP service is disabled by default and all traps are disabled by
default.

Mode

Global Config

Usage

The no form disables traps.

Example

The following command enables all traps:

AX(config)#snmp-server enable traps

Example

The following command enables all SLB traps:

AX(config)#snmp-server enable traps slb

Example

The following commands enable SLB traps server-conn-limit and server-conn-resume:

AX(config)#snmp-server enable traps slb server-conn-limit
AX(config)#snmp-server enable traps slb server-conn-resume


snmp-server group
Description

Configure an SNMP group.

Syntax

[no] snmp-server group group-name {v1 | v2c | v3
{auth | noauth | priv}} read view-name

Parameter

Description

group-name

Specifies the name of the SNMP group.

v1

Uses the least secure of the security models.

v2c

Uses the second-least secure of the security models.

v3

Uses the most secure of the security models.

auth

Uses packet authentication but does not encrypt the packets. (This is the
authNoPriv security level.)

noauth

Does not use any authentication of packets. (This is the noAuthNoPriv
security level.)

priv

Uses packet authentication and encryption. (This is the authPriv security
level.)

view-name

Specifies the name of a read-only view for accessing the MIB object values.

Default

The configuration does not have any default SNMP groups.

Mode

Global config

Example

The following commands add SNMP v3 group group1 with authPriv
security and read-only view view1:

AX(config)#snmp-server group group1 v3 priv read view1

snmp-server host
Description

Configure an SNMP v1/v2c trap receiver.

Syntax

[no] snmp-server host trap-receiver
[version {v1 | v2c}]
community-string
[udp-port port-num]

Parameter

Description

trap-receiver

Hostname or IP address of the remote device to which traps will be sent.

version {v1 | v2c}

SNMP version. If you omit this option, the trap receiver can use SNMP v1
or v2c.

community-string

Community string for the traps.

port-num

UDP port to which the AX Series device will send the traps.

Default

No SNMP hosts are defined. When you configure one, the default SNMP
version is v2c and the default UDP port is 162.

Mode

Global Config

Usage

You can configure up to 2 trap receivers.
The no form removes the trap receiver.

Example

The following command configures SNMP trap receiver 100.10.10.12 to
use community string public and UDP port 166 for SNMP v2c traps.

AX(config)#snmp-server host 100.10.10.12 public udp-port 166

snmp-server location
Description

Configure SNMP location information.

Syntax

[no] snmp-server location location

Parameter

Description

location

The location of this AX device.

Default

Empty string

Mode

Global Config

Usage

The no form removes the location information.

Example

The following command configures the location as A10-HQ:

AX(config)#snmp-server location A10-HQ


snmp-server user
Description

Configure SNMP user-based groups.

Syntax

[no] snmp-server user username group groupname
{v1 | v2 | v3 [auth {md5 | sha} password [encrypted]]}

Parameter

Description

username

Specifies the SNMP user name.

groupname

Specifies the group to which the SNMP user belongs.

v1 | v2c

Specifies SNMP version 1 or v2c.

v3 [auth {md5 | sha} password [encrypted]]

Specifies SNMP version 3 and the authentication to use.
md5 | sha - HMAC MD5 (md5) or HMAC SHA (sha).
password [encrypted] - Password for SNMP messages. To encrypt the password, use the encrypted option.

Default

No SNMP users are configured by default. When you configure one, all
remote hosts are allowed by default. For v3, there is no authentication by
default.

Mode

Global config

Example

The following command adds an SNMP user belonging to group group1.
The SNMP version is 3 and the authentication method is HMAC MD5. The
password is 12345678. The password is not encrypted.

AX(config)#snmp-server user user1 group group1 v3 auth md5 12345678

snmp-server view
Description

Configure an SNMP view.

Syntax

[no] snmp-server view view-name oid [oid-mask]
{included | excluded}

Parameter

Description

view-name

SNMP view's name.

oid

MIB view family name or OID.

oid-mask

OID mask. Use hex octets, separated by ".".

included

MIB family is included in the view.

excluded

MIB family is excluded from the view.

Default

N/A

Mode

Global config

Usage

The OID for A10 Networks AX Series objects is 1.3.6.1.4.1.22610.

Example

The following command adds SNMP view view1 and includes all objects
in the 1.3.6 tree:

AX(config)#snmp-server view view1 1.3.6 included
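
The community, group, user and host commands above leave several weak settings possible by default (any remote host, all OIDs, no v3 authentication). The following Python script is an added example, not A10 code: it reads configuration lines written in the syntax documented above and reports those settings. The finding codes, function names and sample configuration are constructed for illustration, and the list of guessable community strings is an assumption.

```python
"""Audit AX-style snmp-server configuration lines for weak settings."""
import re

GUESSABLE = {"public", "private"}  # assumption: community strings commonly guessed first

# Constructed sample input that reuses the syntax documented above.
SAMPLE_CONFIG = """\
AX(config)#snmp-server enable
AX(config)#snmp-server community read public
AX(config)#snmp-server community read A10_AX oid AxMgmt remote 10.10.20.0 24
AX(config)#snmp-server group group1 v3 priv read view1
AX(config)#snmp-server group legacy v2c read view1
AX(config)#snmp-server group open3 v3 noauth read view1
AX(config)#snmp-server user user1 group group1 v3 auth md5 12345678
AX(config)#snmp-server user user2 group open3 v3
AX(config)#snmp-server host 100.10.10.12 public udp-port 166
"""


def tokens(line):
    """Drop an optional CLI prompt such as 'AX(config)#' and split on whitespace."""
    return re.sub(r"^\S+#\s*", "", line.strip()).split()


def audit_community(args):
    # args: read <string> [oid <oid-value>] [remote <host-or-subnet>]
    if len(args) < 2 or args[0] != "read":
        return ["COMMUNITY_MALFORMED"]
    out = []
    if args[1].lower() in GUESSABLE:
        out.append("COMMUNITY_GUESSABLE")
    if "remote" not in args[2:]:
        out.append("COMMUNITY_ANY_HOST")   # documented default: all remote hosts allowed
    if "oid" not in args[2:]:
        out.append("COMMUNITY_ALL_OIDS")   # documented default: all OIDs allowed
    return out


def audit_group(args):
    # args: <group-name> {v1 | v2c | v3 {auth | noauth | priv}} read <view-name>
    model = args[1] if len(args) > 1 else ""
    level = args[2] if len(args) > 2 else ""
    if model in ("v1", "v2c"):
        return ["GROUP_COMMUNITY_BASED"]   # the two least secure models
    if model == "v3" and level in ("noauth", "auth", "priv"):
        return {"noauth": ["GROUP_V3_NOAUTH"],          # noAuthNoPriv
                "auth": ["GROUP_V3_NO_ENCRYPTION"],     # authNoPriv
                "priv": []}[level]                      # authPriv
    return ["GROUP_MALFORMED"]


def audit_user(args):
    # args: <username> group <groupname> {v1 | v2 | v3 [auth {md5 | sha} <password> [encrypted]]}
    if len(args) < 4 or args[1] != "group":
        return ["USER_MALFORMED"]
    version, rest = args[3], args[4:]
    if version != "v3":
        return ["USER_COMMUNITY_BASED"]
    if rest[:1] != ["auth"] or len(rest) < 3:
        return ["USER_V3_NO_AUTH"]         # documented default for v3: no authentication
    out = []
    if rest[1] == "md5":
        out.append("USER_HMAC_MD5")        # HMAC SHA is the stronger of the two options
    if "encrypted" not in rest[3:]:
        out.append("USER_PASSWORD_NOT_ENCRYPTED")
    return out


def audit_host(args):
    # args: <trap-receiver> [version {v1 | v2c}] <community-string> [udp-port <port-num>]
    rest = args[1:]
    if rest[:1] == ["version"]:
        rest = rest[2:]
    if not rest:
        return ["HOST_MALFORMED"]
    return ["TRAP_COMMUNITY_GUESSABLE"] if rest[0].lower() in GUESSABLE else []


CHECKS = {"community": audit_community, "group": audit_group,
          "user": audit_user, "host": audit_host}


def audit_snmp(config_text):
    """Return (line_number, finding_code) pairs for weak snmp-server lines."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        tok = tokens(line)
        # Lines starting with 'no' and commands without a check are skipped.
        if len(tok) < 3 or tok[0] != "snmp-server" or tok[1] not in CHECKS:
            continue
        findings.extend((lineno, code) for code in CHECKS[tok[1]](tok[2:]))
    return findings


if __name__ == "__main__":
    for lineno, code in audit_snmp(SAMPLE_CONFIG):
        print(f"line {lineno}: {code}")
```
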

stats-data-disable
Description

Globally disable collection of statistical data.

Syntax

stats-data-disable

Default

Statistical data collection is enabled by default.

Mode

Global Config

Usage

This command disables statistical data collection for system resources,
including the following:
CPU
Memory
Disk
Interfaces

This command also disables statistical data collection for any of the following types of load-balancing resources, if collection is enabled on those
resources:
SLB resources:
Real server
Real server port

Service group
Virtual server
Virtual server port
FWLB resources:
Firewall node
Firewall group
Virtual firewall

stats-data-enable
Description

Globally re-enable collection of statistical data.

Syntax

stats-data-enable

Default

Statistical data collection is enabled by default.

Mode

Global Config

Usage

This command re-enables statistical data collection for system resources,
including the following:
CPU
Memory
Disk
Interfaces

The command also re-enables statistical data collection for any individual
load-balancing resources on which collection had been enabled before it
was globally disabled.

switch
Description

Configure hardware settings on Ethernet ports.


CAUTION! Do not use this command unless advised to do so by A10
Networks. The command is used for troubleshooting and can affect
performance of the AX Series.

Syntax

switch phy-10g-reg port port-num register hex-number value hex-number
switch phy-10g-reg-ext device number port port-num register hex-number value hex-number
switch phy-reg port port-num register hex-number value hex-number
switch register {bitmask number-hex value number-hex | field-offset number field-length number value number-hex | value number-hex}

Mode

Global Config

Usage

There is no "no" form of this command.

syn-cookie
Description

Enable hardware-based SYN cookies, which protect against TCP SYN
flood attacks.

Syntax

[no] syn-cookie
[on-threshold num off-threshold num]
Parameter

Description

on-threshold num

Maximum number of concurrent half-open TCP connections allowed on the AX
device, before SYN cookies are enabled. If the number of half-open TCP
connections exceeds the on-threshold, the AX device enables SYN cookies.
You can specify 0-2147483647 half-open connections.

off-threshold num

Minimum number of concurrent half-open TCP connections for which to keep
SYN cookies enabled. If the number of half-open TCP connections falls
below this level, SYN cookies are disabled. You can specify 0-2147483647
half-open connections.

Note:

It may take up to 10 milliseconds for the AX device to detect and respond
to crossover of either threshold.

Default

Hardware-based SYN cookies are disabled by default. When the feature is
enabled, there are no default settings for the on and off thresholds.

Mode

Global Config

Usage

Hardware-based SYN cookies are available only on the AX 2200,
AX 3100, AX 3200, AX 5100, and AX 5200.

If both hardware-based and software-based SYN cookies are enabled, only
hardware-based SYN cookies are used. You can leave software-based SYN
cookies enabled but they are not used. (Software-based SYN cookies are
enabled at the virtual port level using the syn-cookie enable command.)

If you omit the on-threshold and off-threshold options, SYN cookies are
enabled and are always on regardless of the number of half-open TCP
connections present on the AX device.

This command globally enables SYN cookie support for SLB and also
enables SYN cookie support for Layer 2/3 traffic. No additional
configuration is required for SLB SYN cookie support. However, to use Layer 2/3
SYN cookie support, you also must enable it at the configuration level for
individual interfaces. See ip tcp syn-cookie on page 198.

Example

The following command enables hardware-based SYN cookies:

AX(config)#syn-cookie

Example

The command in the following example configures dynamic SYN cookies
when the number of concurrent half-open TCP connections exceeds 50000,
and disables SYN cookies when the number falls below 30000:

AX(config)#syn-cookie on-threshold 50000 off-threshold 30000
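
The two thresholds form a hysteresis band: the same half-open connection count can leave SYN cookies on or off, depending on which threshold was crossed last. The following Python model is an added example, not A10 code; it parses the command as documented above and replays a constructed series of half-open connection counts. The function names are hypothetical, and the model ignores the detection delay of up to 10 milliseconds.

```python
"""Model the on-threshold/off-threshold behaviour of the syn-cookie command."""
import re

# Accepts an optional CLI prompt, then the documented syntax:
#   syn-cookie [on-threshold num off-threshold num]
SYNTAX = re.compile(
    r"^(?:\S+#\s*)?syn-cookie(?:\s+on-threshold\s+(\d+)\s+off-threshold\s+(\d+))?\s*$"
)
MAX_THRESHOLD = 2147483647  # documented range is 0-2147483647


def parse_syn_cookie(line):
    """Return (on_threshold, off_threshold), or (None, None) if none are given."""
    match = SYNTAX.match(line.strip())
    if not match:
        raise ValueError(f"not a syn-cookie command: {line!r}")
    if match.group(1) is None:
        return (None, None)
    on, off = int(match.group(1)), int(match.group(2))
    if on > MAX_THRESHOLD or off > MAX_THRESHOLD:
        raise ValueError("threshold outside 0-2147483647")
    return (on, off)


def cookie_states(line, half_open_samples):
    """Return, for each sample, whether SYN cookies are active after it."""
    on, off = parse_syn_cookie(line)
    if on is None:
        # No thresholds configured: SYN cookies are always on.
        return [True] * len(half_open_samples)
    active, states = False, []
    for half_open in half_open_samples:
        if not active and half_open > on:      # "exceeds the on-threshold"
            active = True
        elif active and half_open < off:       # "falls below this level"
            active = False
        states.append(active)
    return states


if __name__ == "__main__":
    command = "AX(config)#syn-cookie on-threshold 50000 off-threshold 30000"
    # Constructed series of concurrent half-open TCP connection counts.
    samples = [40000, 50000, 50001, 40000, 30000, 29999, 40000]
    for count, state in zip(samples, cookie_states(command, samples)):
        print(f"{count:>6} half-open -> SYN cookies {'on' if state else 'off'}")
```

In the sample series the value 40000 appears three times: cookies are off the first time, on the second time (after 50001 crossed the on-threshold), and off again after 29999 crossed the off-threshold.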

system
Description

Set traffic limits for VLANs. You can set a global limit for all VLANs or per
VLAN.

Syntax

[no] system {all-vlan-limit | per-vlan-limit}
{bcast | ipmcast | mcast | unknown_ucast} num

Parameter

Description

all-vlan-limit | per-vlan-limit

Specifies whether the limit is system-wide for all VLANs or for each individual VLAN.
all-vlan-limit - Limit applies system-wide to all VLANs. Collectively, all the AX Series device's VLANs together cannot exceed the specified limit.
per-vlan-limit - Limit applies to each VLAN. No individual VLAN can exceed the specified limit.

bcast | ipmcast | mcast | unknown_ucast

Specifies the type of traffic to limit:
bcast - Broadcast traffic
ipmcast - IP multicast traffic
mcast - All multicast packets except IP multicast packets.
unknown_ucast - Unknown unicast traffic

num

Specifies the maximum number of packets per second that are allowed of the
specified traffic type.

Default

Not set

Mode

Global Config

Example

The following command limits each VLAN to 1000 multicast packets per
second:

AX(config)#system per-vlan-limit mcast 1000


system lid
Description

Apply a combined set of IP limiting rules to the whole system.

Syntax

[no] system lid num

Parameter

Description

num

Specifies the LID to use.

Default

None

Mode

Global Config

Usage

This command uses a single LID. To configure the LID, see lid on
page 117.
For more information about IP limiting, see the IP Limiting chapter in the
AX Series Configuration Guide.

Example

The following commands configure a standalone IP limiting rule to be
applied globally to all IP clients (the clients that match class list global):

AX(config)#lid 1
AX(config-global lid)#conn-rate-limit 10000 per 1
AX(config-global lid)#conn-limit 2000000
AX(config-global lid)#over-limit forward logging
AX(config-global lid)#exit
AX(config)#system lid 1

system pbslb bw-list


Description

Specify the name of a black/white list to use for system-wide Policy-Based
SLB (PBSLB).

Syntax

[no] system pbslb bw-list name

Default

None

Mode

Global Config


system pbslb id
Description

Specify the action to take for clients in a black/white list used for
system-wide PBSLB.

Syntax

[no] system pbslb id id {drop | reset}
[logging minutes]

Parameter

Description

id

Group ID within the black/white list.

drop | reset

Specifies the action to take for clients in the specified group:
drop - Drops the connections.
reset - Resets the connections.

logging minutes

Enables logging. The minutes option specifies how often messages can be
generated.

Default

Not set

Mode

Global Config

system pbslb over-limit


Description

Specify the action to take for system-wide PBSLB clients who either exceed
the connection limit specified in the black/white list, or exceed the threshold
of any IP anomaly filter used for system-wide PBSLB.

Syntax

[no] system pbslb over-limit
[reset]
[lockup minutes]
[logging minutes]

Parameter

Description

reset

Resets all new connection attempts from the client. If you omit this
option, new connection attempts are dropped instead.

lockup minutes

Continues to apply the over-limit action to all new connection attempts
from the client, for the specified number of minutes.

logging minutes

Enables logging. The minutes option specifies how often messages can be
generated.

Default

Not set

Mode

Global Config

Usage

The IP anomaly filters used by system-wide PBSLB are bad-content,
out-of-sequence, and zero-window. These filters are enabled automatically
when you configure system-wide PBSLB. To modify the filters, see ip
anomaly-drop on page 216.

system pbslb timeout


Description

Set the timeout for dynamic black/white-list entries, used by system-wide
PBSLB.

Syntax

[no] system pbslb timeout minutes

Parameter

Description

minutes

Specifies the timeout, 1-127 minutes.

Default

5 minutes

Mode

Global Config

Usage

If the lockup option is used with the system pbslb over-limit command,
aging of the dynamic entry for a locked up client begins only after the
lockup expires.

system resource-usage
Description

Change the capacity of a system resource.

Syntax

[no] system resource-usage resource-type maximum

Parameter

Description

resource-type

Specifies the system resource you are resizing:
client-ssl-template-count - Total configurable client SSL templates
conn-reuse-template-count - Total configurable connection reuse templates
fast-tcp-template-count - Total configurable Fast TCP templates
fast-udp-template-count - Total configurable Fast UDP templates
http-template-count - Total configurable HTTP templates
l4-session-count - Total Layer 4 sessions
nat-pool-addr-count - Total IP source NAT pools
persist-cookie-template-count - Total configurable persistent cookie templates
persist-srcip-template-count - Total configurable source IP persistence templates
proxy-template-count - Total configurable proxy templates
real-port-count - Total real server ports
real-server-count - Total real servers
server-ssl-template-count - Total configurable server SSL templates
service-group-count - Total service groups
stream-template-count - Total configurable streaming-media templates
virtual-port-count - Total virtual server ports
virtual-server-count - Total virtual servers

maximum

The maximum number of the specified resource you want to allow on the
AX Series.

Default

The default maximum number for each type of system resource depends on
the AX Series model. To display the defaults and current values for your
AX Series, enter the following command: show system resource-usage on
page 652.

Mode

Global Config

Usage

The maximum number you can configure depends on the resource type and
the AX Series model. To display the range of values that are valid for a
resource, enter a question mark instead of a quantity.

The maximum number of real servers allowed in a service group is half
the total number of real servers allowed on the device.

The maximum number of real ports allowed on a real server is half the
total number of real ports allowed on the device.

For all the following types of SLB templates, the total number allowed
is 256 each, and is not configurable in the current release:
RAM caching
SIP
SMTP
Policy (PBSLB)

The total number of health monitors allowed is 1024 and is not configurable.

For every type of system resource that has a default, the AX device
reserves one instance of the resource.
For example, the device allows a total of 256 RAM caching templates.
However, the device reserves one RAM caching template for the default
template, which leaves a maximum of 255 additional RAM caching
templates that can be configured.

The software must be reloaded to place a resource change into effect.

Example

The following commands display the current usage and settings for maximum URI count, then display the range of values to which the default maximum can be set, then reset the default maximum to 512.

AX(config)#show system resource-usage
Resource              Current     Default     Minimum     Maximum
-------------------------------------------------------------------------
l4-session-count      8388608     8388608     524288      33554432
...
stream-uri-count      256         256         32          1024
...
AX(config)#system resource-usage stream-uri-count ?
<32-1024> Total configurable URI strings in the System
AX(config)#system resource-usage stream-uri-count 512
Changes will take effect next time the software is reloaded.


system-reset
Description

Restore the AX device to its factory default configuration.

Syntax

system-reset

Default

N/A

Mode

Global Config

Usage

This command is helpful when you need to redeploy an AX device in a new
environment or at a new customer site, or you need to start over the
configuration at the same site.

The command erases any saved configuration profiles, as well as system
files such as SSL certificates and keys, aFleX policies, black/white lists, and
system logs. The management IP address and admin-configured admin and
enable passwords are also removed.

However, the command does not remove the running-config and does not
automatically reboot or power down the device. The device continues to
operate using the running-config and any other system files in memory,
until you reboot or power down the device.

Reboot the AX device to erase the running-config and place the system
reset into effect.

Example

The following commands reset an AX device to its factory default configuration, then reboot the device to erase the running-config:

AX(config)#system-reset
AX(config)#end
AX#reboot

tacacs-server
Description

Configure TACACS+ for authorization and accounting. If authorization or
accounting is specified, the AX device will attempt to use the TACACS+
servers in the order they are configured. If one server fails to respond, the
next server will be used.

Syntax

[no] tacacs-server host {hostname | ipaddr}
secret secret-string [port protocol-portnum]
[timeout seconds]

Parameter

Description

hostname | ipaddr

Hostname or IP address of the TACACS+ server. If a hostname is to be used,
make sure a DNS server has been configured.

secret-string

The shared secret.

protocol-portnum

The port used for setting up a connection with a TACACS+ server.

seconds

The maximum number of seconds allowed for setting up a connection with a
TACACS+ server. You can specify 1-12 seconds.

Default

The default port number is 49. The default timeout is 12 seconds.

Mode

Global configuration.

Usage

You can configure up to 2 TACACS+ servers. The servers are used in the
order in which you add them to the configuration. Thus, the first server you
add is the primary server. The second server you add is the secondary
(backup) server. Enter a separate command for each of the servers. The
secondary server is used only if the primary server does not respond.

Example

The following command adds a TACACS+ server "192.168.3.45" and sets
its shared secret as "SharedSecret":

AX(config)#tacacs-server host 192.168.3.45 secret SharedSecret

The following command adds a TACACS+ server "192.168.3.72", sets the
shared secret as "NewSecret", sets the port number as 1980, and sets the
connection timeout value as 6 seconds:

AX(config)#tacacs-server host 192.168.3.72 secret NewSecret port 1980 timeout 6

The following command deletes TACACS+ server 192.168.3.45:

AX(config)#no tacacs-server host 192.168.3.45

The following command deletes all TACACS+ servers:

AX(config)#no tacacs-server

techreport
Description

Configure automated collection of system information. If you need to contact Technical Support, they may ask you for the techreports to help diagnose system issues.

Syntax
[no] techreport {interval minutes | disable}

Parameter            Description

interval minutes     Specifies how often to collect new information.
                     You can specify 15-120 minutes.

disable              Disables automated collection of system information.

Default

Automated collection of system information is enabled by default. The
default interval is 15 minutes.

Mode

Global Config

Usage

The AX device saves all techreport information for a given day in a single
file. Timestamps identify when each set of information is gathered. The AX
device saves techreport files for the most recent 31 days. Each day's reports
are saved in a separate file.
The techreports are a light version of the output generated by the show
techsupport command. To export the information, use the show techsupport
command. (See show techsupport on page 653.)

terminal
Description

Set the terminal configuration.

Syntax

[no] terminal {auto-size | editing | history
[size number] | idle-timeout minutes |
length number | width lines}

Parameter              Description

auto-size              Automatically adjusts the length and width of the
                       terminal display.

editing                Enables command editing.

history                Enables the command history and specifies the
[size number]          number of commands it can contain, 0-1000.

idle-timeout           Specifies the number of minutes a CLI session
minutes                can be idle before it times out and is terminated,
                       0-60 minutes. To disable timeout, enter 0.

length number          Specifies the number of lines to display per page,
                       0-512. To disable paging, enter 0.

no-ha-prompt           Disables display of the HA status in the CLI
                       prompt. (For more information, see High
                       Availability Status in Command Prompt on page 26.)

width lines            Specifies the number of columns to display, 0-512.
                       To use an unlimited number of columns, enter 0.

Default

This command has the following defaults:

auto-size - enabled
editing - enabled
history - enabled, for up to 256 commands
idle-timeout - 10 minutes
length - 24 lines
no-ha-prompt - Disabled. (Display of the HA status is enabled.)
width - 80 columns

Mode

Global Config

Example

The following example sets the idle-timeout to 30 minutes:

AX(config)#terminal idle-timeout 30

tftp blksize
Description

Change the TFTP block size.

Syntax

[no] tftp blksize bytes


Parameter            Description

bytes                Maximum packet length the AX TFTP client can
                     use when sending or receiving files to or from a
                     TFTP server. You can specify from 512-32768
                     bytes.

Default

512 bytes

Mode

Global Config

Usage

Increasing the TFTP block size can provide the following benefits:
- TFTP file transfers can occur more quickly, since fewer blocks are
  required to send a file.
- File transfer errors due to the server reaching its maximum block size
  before a file is transferred can be eliminated.

To determine the maximum file size a block size will allow, use the following formula:
1K-blocksize = 64MB-filesize
Here are some examples.

Block Size           Maximum File Size

1024                 64 MB
8192                 512 MB
32768                2048 MB

Increasing the TFTP block size of the AX device only increases the maximum block size supported by the AX device. The TFTP server also must
support larger block sizes. If the block size is larger than the TFTP server
supports, the file transfer will fail and a communication error will be displayed on the CLI terminal.
If the TFTP block size is larger than the IP Maximum Transmission Unit
(MTU) on any device involved in the file transfer, the TFTP packets will be
fragmented to fit within the MTU. The fragmentation will not increase the
number of blocks; however, it can re-add some overhead to the overall file
transmission speed.
Example

The following commands display the current TFTP block size, increase it,
then verify the change:

AX(config)#show tftp
TFTP client block size is set to 512
AX(config)#tftp blksize 4096
AX(config)#show tftp
TFTP client block size is set to 4096


trunk
Description

Configure a trunk group, which is a single logical link consisting of multiple
Ethernet ports.

Syntax

[no] trunk num


This command changes the CLI to the configuration level for the specified
trunk, where the following trunk-related commands are available:
Command                   Description

disable ethernet          Disables ports in the trunk.
portnum
[to portnum]
[ethernet portnum] ...

enable ethernet           Enables ports in the trunk.
portnum
[to portnum]
[ethernet portnum] ...

[no] ethernet             Adds ports to the trunk.
portnum
[to portnum]
[ethernet portnum] ...

[no]                      Specifies the minimum number of ports that must
ports-threshold           be up in order for the trunk to remain up. You can
num                       specify 2-8.
                          If the number of up ports falls below the
                          configured threshold, the AX automatically
                          disables the trunk's member ports. The ports are
                          disabled in the running-config. The AX device
                          also generates a log message and an SNMP trap,
                          if these services are enabled.

[no]                      Specifies how many seconds to wait after a port
ports-threshold-timer     goes down before marking the trunk down, if the
seconds                   threshold is exceeded. You can set the
                          ports-threshold timer to 1-300 seconds. The
                          default is 10 seconds.

Default

N/A

Mode

Global Config

Usage

A maximum of 8 trunk groups are supported. Each group can have a maximum of 8 ports. Trunk group port numbers do not need to be consecutive.
Operations such as setting an IP interface or VLAN are performed on the
lead member of the trunk, which is the lowest-numbered interface. For
example, to configure an IP interface on a trunk containing ports 1-4, add
the interface to port 1.
Ports-Threshold
By default, a trunk's status remains UP so long as at least one of its member
ports is up. You can change the ports threshold of a trunk to 2-8 ports.
If the number of up ports falls below the configured threshold, the AX
automatically disables the trunk's member ports. The ports are disabled in the
running-config. The AX device also generates a log message and an SNMP
trap, if these services are enabled.
Note:

After the feature has disabled the members of the trunk group, the ports
are not automatically re-enabled. The ports must be re-enabled manually
after the issue that caused the ports to go down has been resolved.

In some situations, a timer is used to delay the ports-threshold action. The
configured port threshold is not enforced until the timer expires. The
ports-threshold timer for a trunk is used in the following situations:
- When a member of the trunk links up.
- A port is added to or removed from the trunk.
- The port threshold for the trunk is configured during runtime. (If the
  threshold is set in the startup-config, the timer is not used.)


Example

The following commands configure trunk 1 and add ports 6-8 and 14 to it:

AX(config)#trunk 1
AX(config-trunk:1)#ethernet 6 to 8 ethernet 14

Example

The following commands configure an 8-port trunk, set the port threshold
to 6, and display the trunk's configuration:

AX(config)#trunk 1
AX(config-trunk:1)#ethernet 1 to 8
AX(config-trunk:1)#ports-threshold 6
AX(config-trunk:1)#show trunk
Trunk ID        : 1                  Member Count: 8
Trunk Status    : Up
Members         : 1   2   3   4   5   6   7   8
Cfg Status      : Enb Enb Enb Enb Enb Enb Enb Enb
Oper Status     : Up  Up  Up  Up  Up  Up  Up  Up
Ports-Threshold : 6                  Timer: 10 sec(s) Running: No
Working Lead    : 1

tx-congestion-ctrl
Description

Configure looping on the polling driver, on applicable AX models.

Note:

This command can impact system performance. It is recommended not to
use this command unless advised by A10 Networks technical support.

Syntax

tx-congestion-ctrl retries

Default

Mode

Global Config

update
Description

Copy the currently running system image from the hard disk to the compact
flash (cf).

Syntax Description

update cf {pri | sec}


Parameter            Description

pri | sec            Image to replace:
                     pri - primary image
                     sec - secondary image

Default

N/A

Mode

Global Config

Usage

This command does not save the configuration or reboot. To verify the
update, enter the show version command.

Example

The following command copies the currently running system image from
the hard disk to the secondary image area on the compact flash.

AX(config)#update cf sec

upgrade
Upgrade the system.
Syntax Description

upgrade {cf | hd} {pri | sec} [use-mgmt-port] url


Parameter            Description

cf | hd              System location to which to write the upgrade
                     image:
                     cf - compact flash
                     hd - hard drive

pri | sec            Image to replace:
                     pri - primary image
                     sec - secondary image

use-mgmt-port        Uses the management interface as the source
                     interface for the connection to the remote device.
                     The management route table is used to reach the
                     device. By default, the AX device attempts to use
                     the data route table to reach the remote device
                     through a data interface.

url                  File transfer protocol, username (if required), and
                     directory path.
                     You can enter the entire URL on the command
                     line or press Enter to display a prompt for each
                     part of the URL. If you enter the entire URL and
                     a password is required, you will still be prompted
                     for the password. To enter the entire URL:
                     tftp://host/file
                     ftp://[user@]host[:port]/file
                     scp://[user@]host/file
                     rcp://[user@]host/file

Default

N/A

Mode

Global Config

Usage

For complete upgrade instructions, see the release notes for the AX release
to which you plan to upgrade.
There is no "no" form of this command.

Example

The following example uses TFTP to upgrade the system image in the secondary image area of the hard disk:

AX(config)#upgrade hd sec tftp://192.168.1.144/ax2k_upg_1_2_0_107.tgz


Do you want to reboot the system after the upgrade?[yes/no]:yes

vlan
Description

Configure a virtual LAN (VLAN). This command changes the CLI to the
configuration level for the VLAN.

Syntax

[no] vlan vlan-id


Parameter            Description

vlan-id              VLAN ID, from 1 to 4094.

Default

VLAN 1 is configured by default. All Ethernet data ports are members of
VLAN 1 by default.

Mode

Global Config

Usage

You can add or remove ports in VLAN 1 but you cannot delete VLAN 1
itself.
For information about the commands available at the VLAN configuration
level, see Config Commands: VLAN on page 211.

Example

The following command adds VLAN 69 and enters the configuration level
for it:

AX(config)#vlan 69
AX(config-vlan:69)#


web-service
Description

Configure access parameters for the Graphical User Interface (GUI).

Syntax

[no] web-service
{
auto-redir |
axapi-timeout-policy idle minutes |
port protocol-port |
secure-port protocol-port |
server |
secure-server |
timeout-policy idle minutes
}

Parameter              Description

auto-redir             Enables requests for the unsecured port (HTTP)
                       to be automatically redirected to the secure port
                       (HTTPS).

axapi-timeout-policy   Specifies the number of minutes an aXAPI session
idle minutes           can remain idle before being terminated. Once the
                       aXAPI session is terminated, the session ID
                       generated by the AX device for the session is no
                       longer valid. You can specify 0-60 minutes. If you
                       specify 0, sessions never time out.

port protocol-port     Specifies the protocol port number for the
                       unsecured (HTTP) port.

secure-port            Specifies the protocol port number for the secure
protocol-port          (HTTPS) port.

server                 Enables the HTTP server.

secure-server          Enables the HTTPS server.

timeout-policy         Specifies the number of minutes a Web management
idle minutes           session can remain idle before it times out and is
                       terminated by the AX device. You can specify 0-60
                       minutes. To disable the timeout, enter 0.

Default

This command has the following defaults:


auto-redir enabled
axapi-timeout-policy idle 5 minutes
port 80
secure-port 443
server enabled
secure-server enabled
timeout-policy 10 minutes

Mode

Global Config

Usage

If you disable HTTP or HTTPS access, any sessions on the management
GUI are immediately terminated.

Example

The following command disables management access on HTTP:

AX(config)#no web-service server
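
The session-timeout and web-service settings documented above can be checked in a saved configuration with a short script. The following is an added example, not A10 code: it assumes the saved configuration contains one command per line in the syntax shown in this reference, and the function name and sample configuration are constructed for illustration.

```python
import re

# Idle timeouts (minutes) with the defaults documented in this reference.
TIMEOUT_DEFAULTS = {
    "terminal idle-timeout": 10,
    "web-service timeout-policy idle": 10,
    "web-service axapi-timeout-policy idle": 5,
}

# Constructed sample; assumes config lines mirror the documented command syntax.
SAMPLE_CONFIG = """\
terminal idle-timeout 0
web-service axapi-timeout-policy idle 60
no web-service auto-redir
tacacs-server host 192.168.3.45 secret SharedSecret
"""


def audit_management_access(config_text):
    """Return a list of findings about management-plane access settings."""
    timeouts = dict(TIMEOUT_DEFAULTS)
    # Documented defaults: HTTP server, HTTPS server and auto-redir all enabled.
    http_on = https_on = redirect_on = True
    tacacs_hosts = []

    for raw in config_text.splitlines():
        line = " ".join(raw.split())          # normalise whitespace
        for key in TIMEOUT_DEFAULTS:
            m = re.fullmatch(re.escape(key) + r" (\d+)", line)
            if m:
                timeouts[key] = int(m.group(1))
        if line == "no web-service server":
            http_on = False
        elif line == "no web-service secure-server":
            https_on = False
        elif line == "no web-service auto-redir":
            redirect_on = False
        m = re.match(r"tacacs-server host (\S+) secret ", line)
        if m:
            tacacs_hosts.append(m.group(1))

    findings = []
    # A value of 0 disables the timeout for all three session types.
    for key, minutes in timeouts.items():
        if minutes == 0:
            findings.append(f"{key} 0: idle sessions are never terminated")
    # HTTP is only a redirect when auto-redir and the HTTPS server are both on.
    if http_on and not (redirect_on and https_on):
        findings.append("web-service server: GUI is served over unencrypted HTTP")
    # Up to 2 TACACS+ servers are supported; one server leaves no backup.
    if len(tacacs_hosts) == 1:
        findings.append("tacacs-server: no secondary (backup) server configured")
    return findings


if __name__ == "__main__":
    for finding in audit_management_access(SAMPLE_CONFIG):
        print(finding)
```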

write memory
Description

Write the running-config to a configuration profile.

Syntax

write {memory | force}
[primary | secondary | profile-name]
[cf]
[all-partitions |
partition {shared | private-partition-name}]

Parameter              Description

memory                 Writes (saves) the running-config to a
                       configuration profile.

force                  Forces the AX device to save the configuration
                       regardless of whether the system is ready.

primary                Replaces the configuration profile stored in the
                       primary image area with the running-config.

secondary              Replaces the configuration profile stored in the
                       secondary image area with the running-config.

profile-name           Replaces the commands in the specified
                       configuration profile with the running-config.

cf                     Replaces the configuration profile in the
                       specified image area (primary or secondary) on the
                       compact flash rather than the hard disk. If you
                       omit this option, the configuration profile in the
                       specified area on the hard disk is replaced.

all-partitions         Saves changes for all resources in all partitions.

partition              Saves changes only for the resources in the
{shared |              specified partition.
private-partition-name}

Default

If you enter write memory without additional options, the command
replaces the configuration profile that is currently linked to by
startup-config with the commands in the running-config. If startup-config is
set to its default (linked to the configuration profile stored in the image
area that was used for the last reboot), then write memory replaces the
configuration profile in the image area with the running-config.
The all-partitions and partition partition-name options are applicable on
AX devices that are configured for Role-Based Administration (RBA). If
you omit both options, only the resources in the shared partition are saved.
(If RBA is not configured, all resources are in the shared partition, so you
can omit both options.)
The all-partitions option is applicable only to admins with Root,
Read-write, or Read-only privileges. (See show admin on page 536 for
descriptions of the admin privilege levels.)

Mode

Global Config

Usage

CAUTION! Using the write force command can result in an incomplete or
empty configuration! A10 Networks recommends that you use this command
only with the advice of A10 Networks Technical Support.
Unless you use the force option, the command checks for system readiness
and saves the configuration only if the system is ready.
For more information about configuration profiles, see the AX Series
Configuration Guide.

Example

The following command saves the running-config to the configuration profile stored in the primary image area of the hard disk:

AX(config)#write memory primary

Example

The following command saves the running-config to a configuration profile
named "slbconfig2":

AX(config)#write memory slbconfig2

Example

The following command attempts to save the running-config but the system
is not ready:

AX(config)#write memory
AX system is not ready. Cannot save the configuration.

Example

The following commands attempt to save the running-config on a system
that is not ready, then force the save operation to take place anyway:

AX(config)#write memory
AX system is not ready. Cannot save the configuration.
AX(config)#write force

write terminal
Description

Display the running-config on the terminal. (See write terminal on
page 67.)

Config Commands: Interface


This chapter describes the commands for configuring AX interface parameters.
To access this configuration level, enter the following command at the
Global Config level:
interface
{ethernet port-num | ve number | loopback number | management}
This CLI level also has the following commands, which are available at all
configuration levels:
clear See clear on page 49.
do See do on page 103.
end See end on page 107.
exit See exit on page 107.
no See no on page 135.
show See Show Commands on page 535.
write See write terminal on page 67.

access-list
Description

Apply an Access Control List (ACL) to an interface.

Syntax

[no] access-list acl-num in


Parameter            Description

acl-num              Number of a configured ACL.

in                   Applies the ACL to inbound traffic received on
                     the interface.

Default

N/A

Mode

Interface

Usage

The ACL must be configured before you can apply it to an interface. To
configure an ACL, see access-list (standard) on page 69 and access-list
(extended) on page 72.
You can apply ACLs to Ethernet data interfaces, Virtual Ethernet (VE)
interfaces, the management interface, and virtual server ports. Applying
ACLs to the out-of-band management interface is not supported.
You can apply ACLs only to the inbound traffic direction. This restriction
ensures that ACLs are used most efficiently by filtering traffic as it attempts
to enter the AX Series device, before being further processed by the device.

Example

The following commands configure a standard ACL to deny traffic from
subnet 10.10.10.x, and apply the ACL to the inbound traffic direction on
Ethernet interface 4:

AX(config)#access-list 1 deny 10.10.10.0 0.0.0.255
AX(config)#interface ethernet 4
AX(config-if:ethernet4)#access-list 1 in

cpu-process
Description

Enable software-based switching or routing of Layer 2/Layer 3 traffic.

Note:

This command is applicable only to models AX 2200, AX 3100,
AX 3200, AX 5100, and AX 5200. The command does not appear in the
CLI on other models.

Syntax

[no] cpu-process

Default

Disabled. Traffic is switched or routed in hardware.

Mode

Interface

disable
Description

Disable an interface.

Syntax

disable

Default

The management interface is enabled by default. Data interfaces are disabled by default.

Mode

Interface

Usage

This command applies to all interface types: Ethernet data interfaces,
out-of-band Ethernet management interface, Virtual Ethernet (VE) interfaces,
and loopback interfaces.

Example

The following command disables Ethernet interface 3:

AX(config-if:ethernet3)#disable

duplexity
Description

Set the duplex mode for an Ethernet interface.

Syntax

[no] duplexity {Full | Half | auto}


Parameter            Description

Full                 Full-duplex mode.

Half                 Half-duplex mode.

auto                 The mode is negotiated based on the mode of the
                     other end of the link.

Default

auto

Mode

Interface

Usage

This command applies only to physical interfaces (Ethernet ports or the
management port).

Example

The following command changes the mode on Ethernet interface 6 to
half-duplex:

AX(config-if:ethernet6)#duplexity Half

enable
Description

Enable an interface.

Syntax

enable

Default

The management interface is enabled by default. Data interfaces are disabled by default.

Mode

Interface

Usage

This command applies to all interface types: Ethernet data interfaces,
out-of-band Ethernet management interface, Virtual Ethernet (VE) interfaces,
and loopback interfaces.

Example

The following command enables Ethernet interface 3:

AX(config-if:ethernet3)#enable

flow-control
Description

Enable 802.3x flow control on a full-duplex Ethernet interface.

Syntax

[no] flow-control

Default

Disabled. The AX Ethernet interface auto-negotiates flow control settings
with the other end of the link.

Mode

Interface

icmp-rate-limit
Description

Configure ICMP rate limiting, to protect against denial-of-service (DoS)
attacks.

Syntax

[no] icmp-rate-limit normal-rate lockup max-rate
lockup-time

Parameter            Description

normal-rate          Maximum number of ICMP packets allowed per
                     second on the interface. If the AX interface
                     receives more than the normal rate of ICMP
                     packets, the excess packets are dropped until the
                     next one-second interval begins. The normal rate
                     can be 1-65535 packets per second.

lockup max-rate      Maximum number of ICMP packets allowed per
                     second before the AX device locks up ICMP traffic
                     on the interface. When ICMP traffic is locked
                     up, all ICMP packets on the interface are
                     dropped until the lockup expires. The maximum
                     rate can be 1-65535 packets per second. The
                     maximum rate must be larger than the normal
                     rate.

lockup-time          Number of seconds for which the AX device
                     drops all ICMP traffic on the interface, after the
                     maximum rate is exceeded. The lockup time can
                     be 1-16383 seconds.

Default

None

Mode

Global Config

Usage

This command configures ICMP rate limiting on a physical, virtual Ethernet, or loopback interface. To configure ICMP rate limiting globally, see
icmp-rate-limit on page 114. To configure it in a virtual server template,
see slb template virtual-server on page 375. If you configure ICMP rate
limiting filters at more than one of these levels, all filters are applicable.
Specifying a maximum rate (lockup rate) and lockup time is optional. If you
do not specify them, lockup does not occur.

Example

The following command configures ICMP rate limiting on Ethernet interface 3:

AX(config-if:ethernet3)#icmp-rate-limit 1024 lockup 1200 10
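
To see how the normal rate, lockup rate and lockup time interact, the following added example (not A10 code) validates an icmp-rate-limit command against the ranges given above and models the documented behavior over a constructed series of per-second ICMP packet counts. It assumes one-second accounting intervals and that a lockup starts with the interval after the one that exceeded the maximum rate; the function and class names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IcmpRateLimit:
    normal_rate: int
    max_rate: Optional[int] = None      # lockup rate; optional per the Usage text
    lockup_time: Optional[int] = None   # seconds


def parse_icmp_rate_limit(command: str) -> IcmpRateLimit:
    """Parse 'icmp-rate-limit normal-rate [lockup max-rate lockup-time]'."""
    tokens = command.split("#", 1)[-1].split()   # tolerate a leading CLI prompt
    if not tokens or tokens[0] != "icmp-rate-limit":
        raise ValueError("not an icmp-rate-limit command")
    args = tokens[1:]
    if len(args) == 1:
        normal, max_rate, lockup = int(args[0]), None, None
    elif len(args) == 4 and args[1] == "lockup":
        normal, max_rate, lockup = int(args[0]), int(args[2]), int(args[3])
    else:
        raise ValueError("expected: normal-rate [lockup max-rate lockup-time]")
    if not 1 <= normal <= 65535:
        raise ValueError("normal rate must be 1-65535 packets per second")
    if max_rate is not None:
        if not 1 <= max_rate <= 65535:
            raise ValueError("maximum rate must be 1-65535 packets per second")
        if max_rate <= normal:
            raise ValueError("maximum rate must be larger than the normal rate")
        if not 1 <= lockup <= 16383:
            raise ValueError("lockup time must be 1-16383 seconds")
    return IcmpRateLimit(normal, max_rate, lockup)


def simulate(limit: IcmpRateLimit, packets_per_second: List[int]) -> List[Tuple[int, int]]:
    """Return (passed, dropped) for each one-second interval."""
    results = []
    locked_for = 0
    for count in packets_per_second:
        if locked_for > 0:
            # During lockup every ICMP packet on the interface is dropped.
            results.append((0, count))
            locked_for -= 1
            continue
        passed = min(count, limit.normal_rate)   # excess over normal rate is dropped
        results.append((passed, count - passed))
        if limit.max_rate is not None and count > limit.max_rate:
            locked_for = limit.lockup_time       # assumption: lockup starts next second
    return results


if __name__ == "__main__":
    limit = parse_icmp_rate_limit(
        "AX(config-if:ethernet3)#icmp-rate-limit 1024 lockup 1200 10")
    # Constructed traffic: normal load, a mild burst, then a flood-sized burst.
    traffic = [500, 1100, 1500] + [300] * 11
    for second, (passed, dropped) in enumerate(simulate(limit, traffic)):
        print(second, passed, dropped)
```

Note that during a lockup, ICMP traffic at otherwise acceptable rates is also dropped, which matters when choosing the lockup time for interfaces that are monitored with ping.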

interface
Description

Access the interface configuration level for another interface.

Syntax

interface {ethernet port-num | ve number |
loopback number | management}

Default

N/A

Mode

Interface

Usage

This command allows you to go directly to the configuration level for
another interface, without the need to return to the global Config level first.

Example

The following command changes the CLI from the configuration level for
Ethernet interface 3 to the configuration level for Ethernet interface 4:

AX(config-if:ethernet3)#interface ethernet 4
AX(config-if:ethernet4)#


ip address
Description

Assign an IP address to an interface.

Syntax

[no] ip address ipaddr
{subnet-mask | /mask-length}

Default

There are no IP addresses configured by default.

Mode

Interface

Usage

This command applies only when the AX Series is used in gateway mode.
You can configure multiple IP addresses on Ethernet and Virtual Ethernet
(VE) data interfaces and on loopback interfaces, on AX devices deployed in
gateway (route) mode.
Each IP address must be unique on the AX device. Addresses within a given
subnet can be configured on only one interface on the device. (The AX
device can have only one data interface in a given subnet.)
IP addresses are added to an interface in the order you configure them. The
addresses appear in show command output and in the configuration in the
same order.
The first IP address you add to an interface becomes the primary IP address
for the interface. If you remove the primary address, the next address in the
list (the second address to be added to the interface) becomes the primary
address.
In most cases, it does not matter which address is the primary address. However, this does matter if you plan to run RIP on the interface. In the current
release, RIP is supported only for the primary IP address. This limitation
does not apply to OSPF. OSPF can run on all subnets configured on a data
interface.
The AX device automatically generates a directly connected route to each
IP address. If you enable redistribution of directly connected routes by RIP
or OSPF, those protocols can advertise the routes to the IP addresses.

Example

The following command assigns IP address 10.2.4.69 to Ethernet
interface 9:

AX(config-if:ethernet9)#ip address 10.2.4.69 /24

Example

The following commands configure multiple IP addresses on an Ethernet
data interface, display the addresses, then delete the primary IP address and
display the results.

AX(config)#interface ethernet 1
AX(config-if:ethernet1)#ip address 10.10.10.1 /24
AX(config-if:ethernet1)#ip address 10.10.20.2 /24
AX(config-if:ethernet1)#ip address 20.20.20.1 /24
AX(config-if:ethernet1)#show ip interfaces ethernet 1
Ethernet 1 ip addresses:
10.10.10.1 /24 (Primary)
10.10.20.2 /24
20.20.20.1 /24
AX(config-if:ethernet1)#no ip address 10.10.20.2 /24
AX(config-if:ethernet1)#show ip interfaces ethernet 1
Ethernet 1 ip addresses:
10.10.10.1 /24 (Primary)
20.20.20.1 /24

ip allow-promiscuous-vip
Description

Enable client traffic received on this interface and addressed to TCP port 80
to be load balanced for any VIP address.

Syntax

[no] ip allow-promiscuous-vip

Default

Disabled

Mode

Interface

Usage

This feature also requires configuration of a virtual server that has IP
address 0.0.0.0. For more information, see the Wildcard VIPs chapter in
the AX Series Configuration Guide.

ip cache-spoofing-port
Description

Configure the interface to support a spoofing cache server. A spoofing
cache server uses the client's IP address instead of its own as the source
address when obtaining content requested by the client.

Syntax

[no] ip cache-spoofing-port

Default

Disabled

Mode

Interface

Usage

This command applies to the Transparent Cache Switching (TCS) feature.
Enter the command on the interface that is attached to the spoofing cache.
For more information about TCS, including additional configuration
requirements and examples, see the Transparent Cache Switching chapter
in the AX Series Configuration Guide.

Example

The following command configures interface 9 to support a spoofing cache
server that is attached to the interface.

AX(config-if:ethernet9)#ip cache-spoofing-port

ip control-apps-use-mgmt-port (management interface only)
Description

Enable use of the management interface as the source interface for
automated management traffic.

Syntax

[no] ip control-apps-use-mgmt-port

Default

By default, use of the management interface as the source interface for automated management traffic is disabled.

Mode

Interface

Usage

The AX device uses separate route tables for management traffic and data
traffic.
- Management route table - Contains all static routes whose next hops are
  connected to the management interface. The management route table
  also contains the route to the device configured as the management
  default gateway.
- Main route table - Contains all routes whose next hop is connected to a
  data interface. Also contains copies of all static routes in the
  management route table, excluding the management default gateway route.

Only the data routes are used for load-balanced traffic.
By default, the AX device attempts to use a route from the main route table
for management connections originated on the AX device. The ip
control-apps-use-mgmt-port command enables the AX device to use the
management route table for these connections instead.
The AX device will use the management route table for reply traffic on
connections initiated by a remote host that reaches the AX device on the
management port. For example, this occurs for SSH or HTTP connections from
remote hosts to the AX device.

Example

The following command enables use of the management interface as the
source interface for automated management traffic:

AX(config-if:management)#ip control-apps-use-mgmt-port

ip default-gateway (management interface only)


Description

Specify the default gateway for the out-of-band management interface.

Syntax

[no] ip default-gateway ipaddr

Default

None

Mode

Interface

Configuring a default gateway for the management interface provides the
following benefits:
- Ensures that reply management traffic sent by the AX Series travels
  through the correct gateway
- Keeps reply management traffic off the data interfaces

The default gateway configured on the management interface applies only
to traffic sent from this interface. For traffic sent through data interfaces,
either the globally configured default gateway is used instead (if the AX is
deployed in transparent mode) or an IP route is used (if the AX is deployed
in route mode).
To configure the default gateway for data interfaces on an AX Series device
deployed in transparent mode, use the ip default-gateway command at the
global Config level. (See ip default-gateway on page 218.)
Note:

Normally, if the AX device is deployed in transparent mode, outbound
traffic through the management interface is limited to the same subnet.
However, outbound traffic through data interfaces is not restricted to the
same subnet. To perform operations that require exchanging files with a
host (upgrade, import, export, and so on) that is in a different subnet from
the management interface:
- For automated management traffic such as syslog messages and
  SNMP traps, see ip control-apps-use-mgmt-port (management
  interface only) on page 190.
- For management traffic that you initiate using a command, use the
  use-mgmt-port option with the command.

Example

The following commands configure an IP address and default gateway for
the management interface:

AX(config)#interface management
AX(config-if:management)#ip address 10.10.20.1 /24
AX(config-if:management)#ip default-gateway 10.10.20.1

ip helper-address
Description

Configure a helper address for Dynamic Host Configuration Protocol
(DHCP).

Syntax

[no] ip helper-address ipaddr

Parameter           Description

ipaddr              IP address of the DHCP server.

Default

None

Mode

Interface

Usage

In the current release, the helper-address feature provides service for DHCP
packets only.
The AX interface on which the helper address is configured must have an IP
address.
The helper address can not be the same as the IP address on any AX interface or an IP address used for SLB.
The current release supports DHCP relay service for IPv4 only.

Example

The following commands configure two helper addresses. The helper
address for DHCP server 100.100.100.1 is configured on AX Ethernet interface 1 and on Virtual Ethernet (VE) interfaces 5 and 7. The helper address
for DHCP server 20.20.20.102 is configured on VE 9.

AX(config)#interface ethernet 1
AX(config-if:ethernet1)#ip helper-address 100.100.100.1
AX(config-if:ethernet1)#interface ve 5
AX(config-if:ve5)#ip helper-address 100.100.100.1
AX(config-if:ve5)#interface ve 7
AX(config-if:ve7)#ip helper-address 100.100.100.1
AX(config-if:ve7)#interface ve 9
AX(config-if:ve9)#ip helper-address 20.20.20.102


ip nat
Description

Enable source Network Address Translation (NAT) on an interface.

Syntax

[no] ip nat {inside | outside}

Parameter           Description

inside              Specifies that this AX interface is connected to
                    the internal hosts on the private network that
                    need to be translated into external addresses for
                    routing.

outside             Specifies that this AX interface is connected to
                    the external network or Internet. Before sending
                    traffic from an inside host out on this interface,
                    the AX device translates the host's private
                    address into a public, routable address.

Default

None

Mode

Interface

Usage

On an AX device deployed in transparent mode, this command is valid only
on Ethernet data ports. On an AX device deployed in route mode, this command is valid on Ethernet data ports and on Virtual Ethernet (VE) interfaces.
To use source NAT, you also must configure global NAT parameters. See
the ip nat commands in Config Commands: IP on page 215.
In addition, on some AX models, if Layer 2 IP NAT is required, you also
must enable CPU processing on the interface. (See cpu-process on
page 184.) This applies to models AX 2200, AX 3100, AX 3200, AX 5100,
and AX 5200.

Example

The following commands configure IP source NAT for internal addresses in
the 10.1.1.x/24 subnet connected to interface 14. The addresses are translated into addresses in the range 10.153.60.120-150 before traffic from the
internal hosts is sent onto the Internet on interface 15. Likewise, return traffic is translated back from public addresses into the private host addresses.

AX(config)#access-list 3 permit 10.1.1.0 0.0.0.255
AX(config)#ip nat pool 1 10.153.60.120 10.153.60.150 netmask /24
AX(config)#ip nat inside source list 3 pool 1
AX(config)#interface ethernet 14
AX(config-if:ethernet14)#ip address 10.1.1.1 255.255.255.0
AX(config-if:ethernet14)#ip nat inside
AX(config-if:ethernet14)#interface ethernet 15
AX(config-if:ethernet15)#ip address 10.153.60.100 255.255.255.0
AX(config-if:ethernet15)#ip nat outside

ip ospf
Description

Configure OSPFv2 parameters on a data interface.

Syntax

[no] ip ospf [ipaddr] parameter

Parameter           Description

ipaddr              Configures the parameter only for the specified
                    IP address. Without this option, the parameter is
                    configured for all IP addresses on the interface.

authentication [message-digest | null]
                    Type of authentication used to validate OSPF
                    route updates sent or received on this interface:
                    message-digest - Message Digest 5 (MD5)
                    null - No authentication is used.
                    If you enter the authentication command without
                    either of the options above, a simple key is used
                    for authentication.

authentication-key key-string
                    Password used by the interface to authenticate
                    link-state messages exchanged with neighbor
                    OSPF routers. Applies to simple authentication
                    only. Can be a string up to 8 characters long, with
                    no blanks.

cost number         Numeric cost for using the interface, 1-65535.

database-filter all out
                    Blocks flooding of LSAs to the OSPF interface.

dead-interval seconds
                    Number of seconds that neighbor OSPF routers
                    will wait for a new OSPF Hello packet from the
                    AX Series before declaring this OSPF router (the
                    AX Series) to be down, 1-65535 seconds.

disable all         Disables all OSPF packet processing on the interface.

hello-interval seconds
                    Number of seconds between transmission of
                    OSPF Hello packets on this interface, 1-65535
                    seconds.

message-digest-key key-id md5 key-string
                    Set of MD5 passwords used by the interface to
                    authenticate link-state messages exchanged with
                    neighbor OSPF routers. You can enter up to four
                    key strings. Applies only to MD5 authentication.
                    Key strings can be up to 16 bytes long, with no
                    blanks.

mtu                 Specifies the Maximum Transmission Unit
                    (MTU) for OSPF packets transmitted on the
                    interface. You can specify 576-65535 bytes.

mtu-ignore          Disables MTU size checking during Database Description (DD) exchange.

network network-type
                    OSPF network type from the default for the
                    media. You can specify one of the following:
                    broadcast - Broadcast network.
                    non-broadcast - Non-broadcast multiaccess
                    (NBMA) network.
                    point-to-multipoint - Point-to-multipoint network.
                    point-to-point - Point-to-point network.

priority number     Eligibility of this OSPF router to be elected as
                    the designated router (DR) or backup designated
                    router (BDR) for the routing domain, 0-255. 1 is
                    the lowest priority and 255 is the highest priority.

resync-timeout seconds
                    Time to wait before resetting the adjacency with
                    a neighbor, after receiving a restart signal from
                    the neighbor. The resync-timeout is applicable if
                    out-of-band resynchronization does not occur
                    following the restart signal. You can specify
                    1-65535 seconds.

retransmit-interval seconds
                    Number of seconds between retransmissions of
                    link-state advertisements (LSAs) to adjacent
                    routers for this interface, 3-65535 seconds.

transmit-delay seconds
                    Number of seconds it takes to transmit Link State
                    Update packets (route updates) on this interface,
                    1-65535 seconds. This amount is added to the
                    ages of LSAs sent in the updates.

Default

The OSPF interface options have the following defaults:
- authentication - Not set
- authentication-key - Not set
- cost - By default, an interface's cost is calculated based on the
  interface's bandwidth. If the auto-cost reference bandwidth is set to its
  default value (100 Mbps), the default interface cost is 10.
- database-filter all out - Disabled. LSA flooding is permitted.
- dead-interval - 40 seconds
- hello-interval - 10 seconds
- message-digest-key - Not set
- mtu - The IP MTU set on the interface is used.
- mtu-ignore - MTU size checking is enabled. If the MTU size in DD
  packets from a neighbor does not match the interface MTU, adjacency is
  not established.
- network - depends on the media type
- priority - 1
- resync-timeout - 40 seconds
- retransmit-interval - 5 seconds
- transmit-delay - 1 second

Mode

Interface

Usage

The OSPF router with the highest priority is elected as the DR and the
router with the second highest priority is elected as the BDR. If more than
one router has the highest priority, the router with the highest OSPF router
ID is selected. Priority applies only to multi-access networks, not to point-to-point networks. If you set the priority to 0, the AX Series does not participate in DR and BDR election.
For the message-digest-key key-id md5 key-string option, the CLI lists the
encrypted keyword. This keyword encrypts display of the string in the
startup-config and running-config. Do not enter this keyword. The AX
device automatically applies the keyword. Entering the keyword manually
is not valid.

Example

The following command sets the OSPF priority on Ethernet interface 10 to
100:

AX(config-if:ethernet10)#ip ospf priority 100

ip rip
Description

Configure RIP parameters on a data interface.

Syntax

[no] ip rip parameter


Parameter           Description

authentication option
                    Type of authentication used to validate RIP route
                    updates sent or received on this interface:
                    mode md5 - Message Digest 5 (MD5)
                    string text - Simple text password, up
                    to 8 characters with no blanks
                    key-chain chain-name - Set of passwords

poisoned-reverse    When disabled, enables split-horizon.

Default

The RIP interface options have the following defaults:
- authentication - simple text password (string text)
- poisoned-reverse - Disabled. The default loop prevention algorithm is
  split horizon.

Mode

Interface

Usage

For the authentication string text option, the CLI lists the encrypted keyword. This keyword encrypts display of the string in the startup-config and
running-config. Do not enter this keyword. The AX device automatically
applies the keyword. Entering the keyword manually is not valid.

Example

The following command sets RIP authentication on Ethernet interface 11 to
use password rippass4:

AX(config-if:ethernet11)#ip rip authentication string rippass4
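
One way to review interface commands against the OSPF and RIP authentication options documented above, as an added example that is not A10 code. It flags interfaces whose route updates are unauthenticated or protected only by a simple (cleartext) password; the function names, the sample input and its key strings are constructed for illustration, and the sample mixes the prompt form used in this reference with bare command lines.

```python
import re
from collections import defaultdict

# Prompt form used in this reference, e.g. "AX(config-if:ethernet11)#ip rip ..."
PROMPT_RE = re.compile(r"^\S+?\((?P<mode>config[^)]*)\)#\s*(?P<cmd>.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_interface_commands(text):
    """Group 'ip ospf' and 'ip rip' commands by the interface they apply to.

    Prompt-prefixed lines take the interface from the prompt; bare lines take
    it from the preceding 'interface <type> <num>' line. 'no' forms are ignored.
    """
    per_if = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROMPT_RE.match(line)
        if m:
            mode, line = m.group("mode"), m.group("cmd")
            current = None
            if mode.startswith("config-if:"):
                current = mode.split(":", 1)[1].replace(" ", "")
        words = line.split()
        if words[:1] == ["interface"] and len(words) > 1:
            current = "".join(words[1:])        # "ethernet 10" -> "ethernet10"
        elif current and words[:2] in (["ip", "ospf"], ["ip", "rip"]):
            per_if[current].append(words[1:])
    return per_if


def audit_routing_auth(text):
    """Return {interface: [finding, ...]} for weak or missing OSPF/RIP authentication."""
    findings = {}
    for ifname, cmds in parse_interface_commands(text).items():
        ospf_seen = rip_seen = False
        ospf_auth = None       # None = not set, else "simple" | "message-digest" | "null"
        ospf_md5_key = False
        rip_auth = None        # None = default, else "string" | "md5" | "key-chain"
        for proto, *args in cmds:
            if proto == "ospf":
                ospf_seen = True
                if args and IPV4_RE.match(args[0]):
                    args = args[1:]   # per-address form "ip ospf ipaddr ..." (treated as interface-wide)
                if args[:1] == ["authentication"]:
                    # bare "authentication" selects a simple key
                    ospf_auth = args[1] if len(args) > 1 else "simple"
                elif args[:1] == ["message-digest-key"]:
                    ospf_md5_key = True
            else:
                rip_seen = True
                if args[:1] == ["authentication"] and len(args) > 1:
                    rip_auth = "md5" if args[1:3] == ["mode", "md5"] else args[1]
        issues = []
        if ospf_seen:
            if ospf_auth is None:
                issues.append("ospf: authentication not set")
            elif ospf_auth == "null":
                issues.append("ospf: null authentication")
            elif ospf_auth == "simple":
                issues.append("ospf: simple key authentication")
            elif ospf_auth == "message-digest" and not ospf_md5_key:
                issues.append("ospf: message-digest selected but no message-digest-key")
        # The documented RIP default is a simple text password, so an
        # interface with RIP commands and no authentication line is flagged too.
        if rip_seen and rip_auth in (None, "string"):
            issues.append("rip: simple text password")
        if issues:
            findings[ifname] = issues   # key strings are never copied into findings
    return findings


# Constructed sample: the first two lines are examples from this reference,
# the rest (including the key strings) are made up for the demonstration.
SAMPLE = """\
AX(config-if:ethernet10)#ip ospf priority 100
AX(config-if:ethernet11)#ip rip authentication string rippass4
interface ve 5
ip ospf authentication message-digest
ip ospf message-digest-key 1 md5 examplekey1
interface ve 7
ip ospf 10.1.1.1 authentication null
interface ethernet 12
ip ospf authentication message-digest
interface ethernet 13
ip rip authentication mode md5
interface ethernet 14
ip ospf authentication
ip ospf authentication-key example1
"""

if __name__ == "__main__":
    for name, issues in audit_routing_auth(SAMPLE).items():
        for issue in issues:
            print(f"{name}: {issue}")
```

Interfaces ve5 and ethernet13 produce no finding because they use the MD5 options, the strongest choice these two commands offer.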


ip tcp syn-cookie
Description

Enable Layer 2/3 SYN cookies on the interface.

Syntax

[no] ip tcp syn-cookie

Default

Disabled

Mode

Interface

Usage

To globally enable SYN cookie support, see syn-cookie on page 160. To
configure the SYN cookie expire threshold, see ip tcp syn-cookie threshold on page 239.

Example

The following commands globally enable SYN cookie support, then enable
Layer 2/3 SYN cookies on Ethernet interfaces 4 and 5:

AX(config)#syn-cookie on-threshold 50000 off-threshold 30000
AX(config)#interface ethernet 4
AX(config-if: ethernet4)#ip tcp syn-cookie
AX(config-if: ethernet4)#interface ethernet 5
AX(config-if: ethernet5)#ip tcp syn-cookie

ipv6 (on management interface)


Description

Configure an IP version 6 address and default gateway on the management
interface.

Syntax

[no] ipv6 address ipaddr/mask-length

Syntax

[no] ipv6 default-gateway gateway-ipaddr

Default

None.

Mode

Interface

Usage

The ipv6 default-gateway command applies only to the management interface. To configure IPv6 on a data interface, see ipv6 address on page 199.

Example

The following commands configure an IPv6 address and default gateway on
the management port:

AX(config-if:management)#ipv6 address 2001:db8:11:2/32
AX(config-if:management)#ipv6 default-gateway 2001:db8:11:1/32


ipv6 access-list
Description

Apply an IPv6 Access Control List (ACL) to an interface.

Syntax

[no] ipv6 access-list acl-id in

Parameter           Description

acl-id              Name of a configured IPv6 ACL.

in                  Applies the ACL to inbound IPv6 traffic received
                    on the interface.

Default

N/A

Mode

Interface

ipv6 address
Description

Configure an IPv6 address on the interface.

Syntax

[no] ipv6 address ipaddr/prefix-length
[link-local]

Parameter           Description

ipv6-addr           Valid unicast IPv6 address.

prefix-length       Prefix length, up to 128.

link-local          Explicitly configures the specified address as the
                    link-local IPv6 address for the interface, instead
                    of a global address. Without this option, the
                    address is a global address.

Default

None.

Mode

Interface

Usage

Use this command to configure the link-local and global IP addresses for
the interface.
- The ipv6 address command, used without the link-local option, configures
  a global address. If you use the link-local option, the address is
  instead configured as the link-local address.
- To enable automatic configuration of the link-local IPv6 address instead,
  use the ipv6 enable command.

To configure IPv6 on the management interface, see ipv6 (on management
interface) on page 198.
Example

The following command configures a global IPv6 address on Ethernet
interface 8:

AX(config-if:ethernet8)#ipv6 address e101::1112/64

Example

The following command overrides any auto-generated link-local address on
interface 6 and explicitly configures a new link-local address:

AX(config-if:ethernet6)#ipv6 address fe80::1/64 link-local

ipv6 enable
Description

Enable automatic configuration of a link-local IPv6 address on the interface.

Syntax

[no] ipv6 enable

Default

Disabled

Mode

Interface

Usage

Use this command to enable automatic configuration of the link-local IPv6
address.
To manually configure the address instead, see ipv6 address on page 199.

Example

The following command enables an automatically generated link-local IPv6
address on Ethernet interface 6:

AX(config-if:ethernet6)#ipv6 enable

ipv6 nat
Description

Enable Network Address Translation - Protocol Translation (NAT-PT) on an
IPv6 interface.

Syntax

[no] ipv6 nat [prefix ipv6-addr/prefix-length]

Parameter           Description

prefix ipv6-addr/prefix-length
                    Specifies the prefix.

Default

None

Mode

Interface

ipv6 ndisc router-advertisement


Description

Configure IPv6 router discovery (RFC 4861).

Syntax

[no] ipv6 ndisc router-advertisement
{
default-lifetime seconds |
disable |
enable |
ha-group-id group-id
[use-floating-ip ipv6-addr/prefix-length] |
hop-limit num |
max-interval seconds |
min-interval seconds |
mtu {disable | bytes} |
prefix ipv6-addr/prefix-length
[not-autonomous | not-on-link |
preferred-lifetime seconds |
valid-lifetime seconds] |
rate-limit num |
reachable-time ms |
retransmit-timer seconds
}
Parameter           Description

default-lifetime seconds
                    Specifies the number of seconds for which router
                    advertisements sent on this interface are valid.
                    You can specify 0 or 4-9000 seconds. The value
                    can not be less than the maximum advertisement
                    interval. If you specify 0, the host will not use
                    this interface (IPv6 router) as a default route.

disable             Disables IPv6 router discovery.

enable              Enables IPv6 router discovery.

ha-group-id group-id [use-floating-ip ipv6-addr/prefix-length]
                    Specifies an HA group for which to send router
                    advertisements.
                    The use-floating-ip option specifies a floating
                    IPv6 address to use as the source address for
                    router advertisements for the HA group. The
                    address must be a link-local address on this interface. The HA virtual MAC address will be used
                    as the source address.

hop-limit num       Specifies the default hop count value that should
                    be used by hosts. For a given packet, the hop
                    count is decremented at each router hop. If the
                    hop count reaches 0, the packet becomes invalid.
                    You can specify 0-255. If you specify 0, the
                    value is unspecified by this IPv6 router.

max-interval seconds
                    Specifies the maximum number of seconds
                    between transmission of unsolicited router advertisement messages on this interface. You can
                    specify 4-1800 seconds.

min-interval seconds
                    Specifies the minimum number of seconds
                    between transmission of unsolicited router advertisement messages on this interface. You can
                    specify 3-1350 seconds.

mtu {disable | bytes}
                    Specifies the MTU value to include in the MTU
                    options field. You can specify 1200-1500 bytes
                    (on 1-Gbps interfaces) or disabled.

                    Note: If the option is disabled, no MTU value is included.

prefix ipv6-addr/prefix-length [options]
                    Specifies the IPv6 prefixes to advertise on this
                    interface. A maximum of 32 prefixes can be
                    advertised on an interface.
                    The following options are supported:
                    not-autonomous - Disables support for autoconfiguration of IPv6 addresses by clients.
                    not-on-link - Disables the On-Link flag. When
                    enabled, the On-Link flag indicates that the prefix is assigned to this interface. If you enable this
                    option, the valid-lifetime is 2592000 seconds
                    (30 days).
                    preferred-lifetime seconds - Specifies the
                    number of seconds for which auto-generated
                    addresses remain preferred. You can specify
                    0-4294967295 seconds. The default is 604800.
                    valid-lifetime seconds - Specifies the number of
                    seconds for which advertisement of the prefix is
                    valid. You can specify 1-4294967295 seconds.
                    The default is 2592000.

rate-limit num      Specifies the maximum number of router solicitation requests per second that will be processed
                    on the interface. You can specify 1-100000 messages per second.

reachable-time ms   Specifies the number of milliseconds (ms) for
                    which the host should assume a neighbor is
                    reachable, after receiving a reachability confirmation from the neighbor. You can specify
                    0-3600000 ms. If you specify 0, the value is
                    unspecified by this IPv6 router.

retransmit-timer seconds
                    Specifies the number of seconds a host should
                    wait between sending neighbor solicitation messages. You can specify 0-4294967295 seconds. If
                    you specify 0, the value is unspecified by this
                    IPv6 router.

Default

IPv6 router discovery is disabled by default. The command options have the
following default values:
- default-lifetime - 1800 seconds
- disable - Disabled
- enable - Disabled
- ha-group-id - Not set. Advertisements are sent regardless of HA group.
- hop-limit - 255
- max-interval - 600 seconds

- min-interval - 200 seconds
- mtu - disabled
- prefix - All prefixes for IPv6 addresses that are configured on this
  interface are advertised. The prefix options have the following defaults:
  - not-autonomous - disabled (Auto-configuration of IPv6 addresses
    by clients is enabled.)
  - not-on-link - enabled (On-Link is disabled.)
  - preferred-lifetime - 604800 seconds
  - valid-lifetime - 2592000 seconds
- rate-limit - 100000 messages per second
- reachable-time - 0 (The value is unspecified by this IPv6 router.)
- retransmit-timer - 0 (The value is unspecified by this IPv6 router.)

Mode

Interface

Usage

When router discovery is enabled, the AX device:
- Sends IPv6 router advertisements out the IPv6 interfaces on which
  router discovery is enabled. IPv6 hosts that receive the router advertisements will use the AX device as their default gateway.
- Replies to IPv6 router solicitations received by IPv6 interfaces on which
  router discovery is enabled.


IPv6 router discovery is not supported in transparent mode. The AX device
must be deployed in gateway mode.
When IPv6 router discovery is enabled on an interface, any new IPv6
addresses that you add to the interface are automatically added to the set of
prefixes to advertise.
Router advertisements are sent to the all-nodes multicast address at an interval that is uniformly distributed between the minimum and maximum
advertisement intervals. If a host sends a router solicitation message, the
AX device sends a router advertisement as a unicast to that host instead.
The source address of router advertisements is always a link-local IPv6
address.
For the reachable-time, hop-limit, and retransmit-timer options, the AX
device recommends the configured value to hosts but does not itself use the
value.

Example

The following commands configure an IPv6 address on Ethernet interface 1,
enable IPv6 router discovery, change the minimum and maximum advertisement intervals, and add two prefixes to the prefix advertisement list.

AX(config)#interface ethernet 1
AX(config-if:ethernet1)#ipv6 address 2001::1/64
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement enable
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement max-interval 300
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement min-interval 150
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement prefix 2001::/64 on-link
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement prefix 2001:a::/96 on-link

l3-vlan-fwd-disable
Description

Disable Layer 3 forwarding between VLANs on this interface.

Syntax

[no] l3-vlan-fwd-disable

Default

By default, the AX device can forward Layer 3 traffic between VLANs.

Mode

Interface

Usage

This command is applicable only on AX devices deployed in gateway
(route) mode. If the option to disable Layer 3 forwarding between VLANs
is configured at any level, the AX device can not be changed from gateway
mode to transparent mode, until the option is removed.
The command is applicable to inbound traffic on the interface.
The command is valid on physical Ethernet interfaces, Virtual Ethernet
(VE) interfaces, and on the lead interface in trunks.
However, if the command is configured on a physical Ethernet interface,
that interface can not be added to a trunk or VE.
If the command is used on a trunk or VE and that trunk or VE is removed
from the configuration, the command is also removed from all physical
Ethernet interfaces that were members of the trunk or VE. Likewise, if a
VLAN is removed, the command is removed from any physical Ethernet
interfaces that were members of the VLAN.
To display statistics for this option, see show slb switch on page 699.


load-interval
Description

Change the interval for utilization statistics for the interface.

Syntax

[no] load-interval seconds

Parameter           Description

seconds             You can specify 5-300 seconds.
                    You must specify the amount in 5-second intervals. For example, 290 and 295 are valid interval
                    values. However, 291, 292, 293, and 294 are not
                    valid interval values.

Default

300 seconds

Mode

Interface

Usage

This command applies only to data interfaces.
To display interface utilization statistics, see show interfaces on
page 597 and show statistics on page 650.

Example

The following command changes the utilization statistics interval for Ethernet interface 1 to 200 seconds:
AX(config-if:ethernet1)#load-interval 200

monitor
Description

Configure an Ethernet interface to send a copy of its traffic to another Ethernet interface.

Syntax

[no] monitor [both | input | output]

Parameter           Description

both | input | output
                    Traffic direction to mirror. If you do not specify a
                    direction, traffic in both directions is copied.

Default

By default, no traffic is mirrored. When you enable a port to be monitored,
both traffic directions are mirrored by default.

Mode

Interface

Usage

This command is valid only on Ethernet data interfaces. To specify the port
to which to mirror the traffic, use the mirror-port command at the global
Config level. (See mirror-port on page 133.)

Note:

On models AX 1000, AX 2000, AX 2100, AX 2500, AX 2600, and
AX 3000, you can monitor only one port. On AX models AX 2200,
AX 3100, AX 3200, AX 5100, and AX 5200, you can monitor multiple
ports. On all models, only one mirror port is supported. All mirrored traffic for the directions you specify goes to that port.

Example

The following commands configure Ethernet port 3 to mirror traffic, and
enable port 5 to copy its inbound traffic to port 3:

AX(config)#mirror-port ethernet 3
AX(config)#interface ethernet 5
AX(config-if:ethernet5)#monitor input

mtu
Description

Change the Maximum Transmission Unit (MTU) for an Ethernet interface.

Syntax

[no] mtu bytes

Parameter           Description

bytes               Largest packet size that can be forwarded out the
                    interface. You can specify 1200-1500 bytes.

Default

1500 bytes

Mode

Interface

Usage

This command applies to the management interface and Ethernet data interfaces.
If the AX device needs to forward a packet that is larger than the MTU of
the AX egress interface to the next hop, but the Do Not Fragment bit is set
in the packet, the AX device drops the packet and sends an ICMP Destination Unreachable code 4 (Fragmentation required, and DF set) message to
the sender.
If the Do Not Fragment bit is not set, the AX device silently drops the
packet.
To display a counter of how many outbound packets have been dropped
because they were longer than the outbound interface's MTU, use the following command:

show slb switch [detail | ethernet port-num [detail]]
The counter is labeled MTU exceeded Drops. The counter includes packets that had the Do Not Fragment bit set and packets that did not have the bit
set.

name
Description

Assign a name to the interface.

Syntax

[no] name string

Parameter           Description

string              Name for the interface, 1-63 characters.

Default

None

Mode

Interface

Usage

This command applies to physical and virtual Ethernet data interfaces. This
command does not apply to the management interface.

Example

The following commands assign the name "WLAN-interface" to an interface and show the result:

AX(config)#interface ve 1
AX(config-if:ve1)#name WLAN-interface
AX(config-if:ve1)#show ip interfaces
Port  IP              Netmask        PrimaryIP  Name
---------------------------------------------------------------------------
mgm   192.168.20.136  255.255.255.0  Yes
ve1   192.168.217.1   255.255.255.0  Yes        WLAN-interface
ve2   50.50.50.1      255.255.255.0  Yes

speed
Description

Set the maximum speed on an Ethernet interface.

Syntax

[no] speed {10 | 100 | 1000 | 10000 | auto}

Parameter           Description

10                  10 Megabits per second (Mbs/sec)

100                 100 Megabits per second (Mbs/sec)

1000                1 Gigabit per second (Gb/sec)

10000               10 Gigabits per second (Gbs/sec)

auto                The interface speed is negotiated based on the
                    speed of the other end of the link.

Default

auto

Mode

Interface

Usage

This command applies to the management interface and Ethernet data interfaces.

Example

The following command changes the speed of Ethernet interface 6 to 10
Mbs/sec:
AX(config-if:ethernet6)#speed 10


Config Commands: VLAN


The commands in this chapter configure parameters on individual VLANs.
To access this CLI level, enter the vlan vlan-id command from the global
Config level.
This CLI level also has the following commands, which are available at all
configuration levels:
- clear - See clear on page 49.
- debug - See debug on page 52.
- do - See do on page 103.
- end - See end on page 107.
- exit - See exit on page 107.
- no - See no on page 135.
- show - See Show Commands on page 535.
- write - See write terminal on page 67.


name
Description

Assign a name to the VLAN.

Syntax

[no] name string

Parameter           Description

string              Name for the VLAN, 1-63 characters.

Default

The default name for VLAN 1 is DEFAULT VLAN. For other VLANs, if
a name is not configured, None appears in place of the name.

Mode

VLAN

Example

The following commands assign the name Test100 to VLAN 100 and
show the result:

AX(config)#vlan 100
AX(config-vlan:100)#name Test100
AX(config-vlan:100)#show vlan
Total VLANs: 3
VLAN 1, Name [DEFAULT VLAN]:
Untagged Ports: 3 4 5 6 10
Tagged Ports: None
VLAN 100, Name [Test100]:
Untagged Ports: 1
Tagged Ports: None
Router Interface: ve 1
VLAN 200, Name [None]:
Untagged Ports: 2
Tagged Ports: None
Router Interface: ve 2


router-interface
Description

Add a virtual Ethernet (VE) router interface to the VLAN. A VE is required
in order to configure an IP address on a VLAN.

Syntax

[no] router-interface ve ve-num

Parameter           Description

ve-num              VE number, 1-128.

Default

By default, a VLAN does not have a VE.

Mode

VLAN

Usage

This command is valid only on AX devices deployed in route mode.

Example

The following command configures VE 4 on VLAN 4:


AX(config-vlan:4)#router-interface ve 4

tagged
Description

Add tagged ports to a VLAN. A tagged port can be a member of more than
one VLAN. An untagged port can be a member of only a single VLAN.

Syntax

[no] tagged ethernet port-num
[ethernet port-num ... | to port-num]

Default

A VLAN has no ports by default.

Mode

VLAN

Usage

A port can be a tagged member of a maximum of 128 VLANs.

Example

The following command adds ports 4 and 5 to VLAN 4 as tagged ports:


AX(config-vlan:4)#tagged ethernet 4 to 5


untagged
Description

Add untagged ports to a VLAN. Untagged ports can belong to only one
VLAN.

Syntax

[no] untagged ethernet port-num
[ethernet port-num ... | to port-num]

Default

VLAN 1 contains all ports by default. New VLANs do not contain any ports
by default.

Mode

VLAN

Example

The following command adds port 6 to VLAN 4 as an untagged port:


AX(config-vlan:4)#untagged ethernet 6


Config Commands: IP
The IP commands configure global IPv4 parameters.
This CLI level also has the following commands, which are available at all
configuration levels:
- clear - See clear on page 49.
- debug - See debug on page 52.
- do - See do on page 103.
- end - See end on page 107.
- exit - See exit on page 107.
- no - See no on page 135.
- show - See Show Commands on page 535.
- write - See write terminal on page 67.

Note:

To configure global IPv6 parameters, see Config Commands: IPv6 on
page 241.

ip address
Description

Configure the global IP address of the AX Series device, when the device is
deployed in transparent mode (Layer 2 mode).

Syntax

[no] ip address ipaddr
{subnet-mask | /mask-length}

Default

None.

Mode

Global Config

Usage

This command applies only when the AX Series device is deployed in transparent mode. To assign IP addresses to individual interfaces instead (gateway mode), use the ip address command at the interface configuration
level. (See ip address on page 188.)

Loopback Interface Support for OSPF

If an IP address is configured on a loopback interface, and the address is in a
subnet that is also configured as an OSPF network subnet, the loopback
interface is automatically included in the OSPF subnet.

The AX device's table of OSPF interfaces will include the loopback interface. Likewise, the AX device will include the loopback interface in link-state advertisements sent to neighbor OSPF routers.

Multiple OSPF Networks on the Same Interface Not Supported

The AX device does not support multiple OSPF networks on a data interface. One OSPF network configuration can enable at most one network per
interface.

For example, assume a data port has 3 IP addresses configured that belong
to 3 separate subnets, S1, S2, and S3. If you configure network S4 with area
A.B.C.D, and S4 contains S1, S2, and S3, then only S1 will be running
OSPF. S2 and S3 will not be known to other OSPF routers.

To work around this limitation, enable OSPF redistribution of directly connected routes so that OSPF will redistribute S2 and S3 via the network running on S1.

Example

The following command configures global IP address 10.10.10.4/24:

AX(config)#ip address 10.10.10.4 /24

ip anomaly-drop
Description

Enable protection against distributed denial-of-service (DDoS) attacks.

Syntax

[no] ip anomaly-drop anomaly-type

Parameter           Description
anomaly-type        Specifies the type of IP anomaly to protect against:

    bad-content [threshold] - Checks for invalid HTTP or SSL payloads in new HTTP or HTTPS connection requests from clients. (For more information, see "IP Anomaly Filters Used for System-Wide Policy-Based SLB" in the Usage section below.)

    drop-all - Enables all the DDoS protection options listed below.

    frag - Drops all IP fragments, which can be used to attack hosts running IP stacks that have known vulnerabilities in their fragment reassembly code.

    ip-option - Drops all packets that contain any IP options.

    land-attack - Drops spoofed SYN packets containing the same IP address as the source and destination, which can be used to launch an IP land attack.

    out-of-sequence [threshold] - Checks for out-of-sequence packets in new HTTP or HTTPS connection requests from clients. (For more information, see "IP Anomaly Filters Used for System-Wide Policy-Based SLB" in the Usage section below.)

    ping-of-death - Drops all jumbo IP packets longer than the maximum valid IP packet size (65535 bytes), known as "ping of death" packets.

    Note: On models AX 1000, AX 2000, AX 2100, AX 2500, AX 2600, and AX 3000, the ping-of-death option drops all IP packets longer than 32000 bytes. On models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200, the option drops IP packets longer than 65535 bytes.

    tcp-no-flag - Drops all TCP packets that do not have any TCP flags set.

    tcp-syn-fin - Drops all TCP packets in which both the SYN and FIN flags are set.

    tcp-syn-frag - Drops incomplete (fragmented) TCP Syn packets, which can be used to launch TCP Syn flood attacks.

    zero-window [threshold] - Checks for a zero-length TCP window in new HTTP or HTTPS connection requests from clients. (For more information, see "IP Anomaly Filters Used for System-Wide Policy-Based SLB" in the Usage section below.)

Default

All IP anomaly drop options are disabled by default.

Mode

Global Config

Usage

All filters are supported for IPv4. All filters except ip-option are supported
for IPv6.

On models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200, DDoS
protection is hardware-based. On other models, DDoS protection is software-based.

DDoS protection applies only to Layer 3, Layer 4, and Layer 7 traffic.
Layer 2 traffic is not affected by the feature.

IP Anomaly Filters Used for System-Wide Policy-Based SLB

The bad-content, out-of-sequence, and zero-window filters apply only to
system-wide Policy-Based SLB (PBSLB).

Filtering for these anomalies is disabled by default. However, if you configure a system-wide PBSLB policy, the filters are automatically enabled. You
also can configure the filters on an individual basis.

Each of these filters has a configurable threshold. The threshold specifies
the number of times the anomaly is allowed to occur in a client's connection
requests. If a client exceeds the threshold, the AX device applies the system-wide PBSLB policy's over-limit action to the client.

For each of the new IP anomaly filters, the threshold can be set to 1-127
occurrences of the anomaly. The default is 10.

Note: The thresholds are not tracked by PBSLB policies bound to individual
virtual ports.

The AX device tracks each of these types of anomaly for each client in each
black/white list. For dynamic black/white-list clients, the statistics counters
for these anomalies are reset to 0 when the client's dynamic entry ages out.

Example

The following command enables DDoS protection against ping-of-death attacks:

AX(config)#ip anomaly-drop ping-of-death
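
To see which packets each header-level filter is aimed at, the following Python example (added here; it is not A10 code and does not describe how the AX data path is implemented) applies the filter definitions above to constructed IPv4/TCP packets. The function names, sample addresses and exact bit tests are assumptions, and the threshold-based PBSLB filters (bad-content, out-of-sequence, zero-window) are not modeled.

```python
import struct
from ipaddress import IPv4Address

FIN, SYN, ACK = 0x01, 0x02, 0x10   # TCP flag bits
MF = 0x2000                        # IPv4 "more fragments" bit
OFFSET_MASK = 0x1FFF               # IPv4 fragment offset, in 8-byte units


def build_ipv4_tcp(src, dst, tcp_flags, *, options=b"", more_frags=False,
                   frag_offset=0, payload=b""):
    """Build a constructed IPv4+TCP packet for the samples (checksums left at 0)."""
    if len(options) % 4:
        raise ValueError("IPv4 options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, tcp_flags, 8192, 0, 0)
    total_len = ihl * 4 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 1,
                     (MF if more_frags else 0) | frag_offset, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + options + tcp + payload


def classify(packet, max_ip_len=65535):
    """Return the anomaly-type names from this page that the packet matches.

    max_ip_len is 65535, or 32000 for the models the page lists with that limit.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ver_ihl, _, total_len, _, flags_frag, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    hdr_len = (ver_ihl & 0x0F) * 4
    if hdr_len < 20 or len(packet) < hdr_len:
        raise ValueError("bad IPv4 header length")
    more_frags = bool(flags_frag & MF)
    frag_offset = flags_frag & OFFSET_MASK

    hits = set()
    if hdr_len > 20:                       # any bytes beyond the fixed header are options
        hits.add("ip-option")
    if more_frags or frag_offset:
        hits.add("frag")
    # Assumption: "longer than the maximum" is judged by where this fragment
    # ends inside the reassembled datagram (offset in bytes + this packet's length).
    if frag_offset * 8 + total_len > max_ip_len:
        hits.add("ping-of-death")
    # The TCP header is only present in an unfragmented packet or a first fragment.
    if proto == 6 and frag_offset == 0 and len(packet) >= hdr_len + 14:
        flags = packet[hdr_len + 13] & 0x3F   # assumption: the six classic flag bits
        if flags == 0:
            hits.add("tcp-no-flag")
        if flags & SYN and flags & FIN:
            hits.add("tcp-syn-fin")
        if flags & SYN and src == dst:
            hits.add("land-attack")
        if flags & SYN and more_frags:
            hits.add("tcp-syn-frag")
    return hits


def would_drop(packet, enabled, max_ip_len=65535):
    """Names of enabled filters that match; an empty set means nothing drops the packet."""
    return classify(packet, max_ip_len) & set(enabled)


# Constructed sample packets (documentation address ranges, not captured traffic).
CLIENT, VIP = "198.51.100.7", "203.0.113.10"
SAMPLES = {
    "normal SYN": build_ipv4_tcp(CLIENT, VIP, SYN),
    "same source and destination": build_ipv4_tcp(VIP, VIP, SYN),
    "SYN+FIN": build_ipv4_tcp(CLIENT, VIP, SYN | FIN),
    "no flags": build_ipv4_tcp(CLIENT, VIP, 0),
    "IP options present": build_ipv4_tcp(CLIENT, VIP, ACK, options=b"\x01\x01\x01\x00"),
    "fragmented SYN": build_ipv4_tcp(CLIENT, VIP, SYN, more_frags=True),
    "fragment ending past 65535": build_ipv4_tcp(CLIENT, VIP, ACK, frag_offset=8189,
                                                 payload=b"\x00" * 100),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:30} -> {sorted(classify(pkt)) or 'no filter matches'}")
```

Because all options are disabled by default, would_drop() with an empty enabled list returns an empty set for every sample.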

ip default-gateway
Description

Specify the default gateway to use to reach other subnets, when the
AX Series device is deployed in transparent mode (Layer 2 mode).

Syntax

[no] ip default-gateway ipaddr

Default

None.

Mode

Global Config

Usage

This command applies only when the AX Series device is used in transparent mode. If you instead want to use the device in gateway mode (Layer 3
mode), configure routing.
To configure the default gateway for the out-of-band management interface,
use the interface management command to go to the configuration level
for the interface, then enter the ip default-gateway command. (See ip
default-gateway (management interface only) on page 191.)

Example

The following command configures an AX Series device deployed in transparent mode to use router 10.10.10.1 as the default gateway for data traffic:

AX(config)#ip default-gateway 10.10.10.1

ip dns
Description

Configure DNS servers and the default domain name (DNS suffix) for hostnames on the AX device.

Syntax

[no] ip dns {primary | secondary} ipaddr
[no] ip dns suffix string

Default

None

Mode

Global Config

Usage

This command applies to transparent mode and gateway mode.

Example

The following command sets primary DNS server 20.20.20.5:

AX(config)#ip dns primary 20.20.20.5

ip frag timeout
Description

Configure the timeout for IP packet fragments.

Syntax

[no] ip frag timeout ms

Parameter           Description
ms                  Specifies the number of milliseconds (ms) the AX device buffers fragments for fragmented IP packets. If all the fragments of an IP packet do not arrive within the specified time, the fragments are discarded and the packet is not reassembled. You can specify 4-1600 ms (16 seconds), in 10-ms increments.

Default

1000 ms (1 second)

Mode

Global Config

ip nat alg pptp


Description

Disable or re-enable NAT Application-Layer Gateway (ALG) support for
the Point-to-Point Tunneling Protocol (PPTP). This feature enables clients
and servers to exchange Point-to-Point Protocol (PPP) traffic through the AX device
over a Generic Routing Encapsulation (GRE) tunnel. PPTP is used to connect Microsoft Virtual Private Network (VPN) clients and VPN hosts.

Syntax

ip nat alg pptp {enable | disable}

Default

Enabled

Mode

Global Config

Usage

NAT ALG for PPTP has additional configuration requirements. For information, see the NAT ALG Support for PPTP section in the Network
Address Translation chapter of the AX Series Configuration Guide.

ip nat allow-static-host
Description

Enable static Network Address Translation (NAT).

Syntax

[no] ip nat allow-static-host

Default

Disabled

Mode

Global Config

Usage

This command is required only if you configure individual static source
mappings, using the ip nat inside source static command. If you configure
a static range list instead, you do not need the ip nat allow-static-host command.

Example

The following command enables static NAT support:

AX(config)#ip nat allow-static-host

ip nat inside
Description

Configure inside Network Address Translation (NAT).

Syntax

[no] ip nat inside source
{
list acl-name pool pool-or-group-name |
static inside-ipaddr nat-ipaddr
[ha-group-id group-id]
}

Parameter           Description
list acl-name       Specifies an Access Control List (ACL) that matches on the inside addresses to be translated. (To configure the ACL, see "access-list (standard)" on page 69 or "access-list (extended)" on page 72.)
pool pool-or-group-name
                    Dynamically assigns addresses from a range defined in a pool or pool group.
static inside-ipaddr nat-ipaddr
                    Statically maps the specified inside address to a specific NAT address.
ha-group-id group-id
                    HA group ID, 1-31.

Default

None

Mode

Global Config

Usage

For static NAT mappings, the following limitations apply:
• Application Layer Gateway (ALG) services other than FTP are not supported when the server is on the inside.
• HA session synchronization is not supported. However, sessions will not be interrupted by HA failovers.
• Syn-cookies are not supported.

Example

The following command configures static inside NAT translation of
10.10.10.55 to 192.168.20.44:

AX(config)#ip nat inside source static 10.10.10.55 192.168.20.44

ip nat inside (for LSN)


Description

Bind an IP class list for use with LSN.

Syntax

[no] ip nat inside source class-list list-name

Parameter           Description
class-list list-name
                    Specifies the name of the class list.

Default

None

Mode

Global Config

Usage

The class list must already be configured. You can import the class list or
configure it on the AX device. For more information, see the Large-Scale
NAT chapter in the AX Series Configuration Guide.

ip nat lsn enable-full-cone-for-well-known


Description

Enable LSN to provide full-cone support for user sessions initiated from an
internal IP address to a well-known TCP or UDP port (0-1023) on an external address.

Syntax

[no] ip nat lsn enable-full-cone-for-well-known

Default

Disabled

Mode

Global Config

ip nat lsn ip-selection


Description

Specify the method for LSN to use to select IP addresses within a pool.

Syntax

[no] ip nat lsn ip-selection method

Parameter           Description
method              Specifies the method, which can be one of the following:

    random - Selects addresses randomly, instead of using any of the other methods.
    round-robin - Selects addresses sequentially.
    least-used-strict - Selects the address with the fewest NAT ports of any type (ICMP, TCP, or UDP) used.
    least-udp-used-strict - Selects the address with the fewest UDP NAT ports used.
    least-tcp-used-strict - Selects the address with the fewest TCP NAT ports used.
    least-reserved-strict - Selects the address with the fewest NAT ports of any type (ICMP, TCP, or UDP) reserved.
    least-reserved-udp-strict - Selects the address with the fewest UDP NAT ports reserved.
    least-reserved-tcp-strict - Selects the address with the fewest TCP NAT ports reserved.
    least-users - Selects the address with the fewest users.

Default

random

Mode

Global Config

Usage

The IP address selection method applies only to the IP addresses within
individual pools. The method does not apply to selection of pools within a
pool group. LSN randomly selects a pool from within a pool group, then
uses the configured IP address selection method to select an address from
within the pool.

ip nat lsn logging default-template


Description

Set a configured LSN traffic logging template as the default template for all
LSN pools.

Syntax

[no] ip nat lsn logging default-template template-name

Parameter           Description
template-name       Specifies the name of the LSN traffic logging template to use as the default for all LSN pools.

Default

Not set

Mode

Global Config

Usage

The NAT logging template you plan to use as the default must already be
configured. To configure a NAT logging template, see ip nat template logging on page 231.
You also can assign a NAT logging template to an individual pool. In this
case, the NAT logging template assigned to the pool is used instead of the
default NAT logging template. See ip nat lsn logging pool on page 224.

Example

The following commands configure a NAT logging template, then set it as
the default logging template for LSN:

AX5200(config)#slb server syslog1 192.168.1.100
AX5200(config-real server)#port 514 udp
AX5200(config-real server)#exit
AX5200(config)#slb service-group syslog udp
AX5200(config-slb svc group)#member syslog1:514
AX5200(config-slb svc group)#exit
AX5200(config)#ip nat template logging lsn_logging
AX5200(config-nat logging)#log port-mappings
AX5200(config-nat logging)#service-group syslog
AX5200(config-nat logging)#exit
AX5200(config)#ip nat lsn logging default-template lsn_logging

ip nat lsn logging pool


Description

Assign a NAT logging template to an LSN pool.

Syntax

[no] ip nat lsn logging pool pool-name template template-name

Parameter           Description
pool-name           Specifies the LSN pool.
template-name       Specifies the NAT logging template.

Default

Not set. If a NAT logging template has been set as the default NAT logging
template, that template is used.

Mode

Global Config

Usage

The NAT logging template you plan to use must already be configured. To
configure a NAT logging template, see ip nat template logging on
page 231.

ip nat lsn port-reservation


Description

Configure static LSN mappings for a range of protocol ports for an internal
address.

Syntax

[no] ip nat lsn port-reservation inside
priv-ipaddr start-priv-portnum end-priv-portnum
nat public-ipaddr start-public-portnum
end-public-portnum

Parameter           Description
priv-ipaddr         Specifies the internal IP address.
start-priv-portnum  Specifies the beginning (lowest-numbered) protocol port number in the range of internal protocol port numbers.
end-priv-portnum    Specifies the ending (highest-numbered) protocol port number in the range of internal protocol port numbers.
public-ipaddr       Specifies the public IP address to map to the internal IP address.
start-public-portnum
                    Specifies the beginning public protocol port number in the range to map to the internal protocol port numbers.
end-public-portnum  Specifies the ending public protocol port number in the range to map to the internal protocol port numbers.

Default

None. If LSN is configured, LSN mappings are created and deleted dynamically.

Mode

Global Config

ip nat lsn stun-timeout


Description

Configure the LSN STUN timeout. The LSN STUN timeout specifies how
long a NAT mapping for a full-cone session is maintained after the data session ends.

Syntax

[no] ip nat lsn stun-timeout minutes

Parameter           Description
minutes             Specifies the timeout, 0-60 minutes.

Default

Mode

Global Config

ip nat lsn syn-timeout


Description

Configure the SYN timeout for LSN.

Syntax

[no] ip nat lsn syn-timeout seconds

Parameter           Description
seconds             Specifies the timeout, 2-7 seconds.

Default

Mode

Global Config

Usage

The LSN SYN timeout is separate from the IP NAT translation timeout. If
you need to configure the IP NAT translation timeout instead, see "ip nat
translation" on page 233.

ip nat pool
Description

Configure a named set of IP addresses for use by NAT.

Syntax

[no] ip nat pool pool-name
start-ipaddr end-ipaddr
netmask {subnet-mask | /mask-length}
[lsn [max-users-per-ip num]]
[gateway ipaddr]
[ha-group-id group-id [ha-use-all-ports]]

Parameter           Description
pool-name           Name of the address pool.
start-ipaddr        Beginning (lowest) IP address in the range.
end-ipaddr          Ending (highest) IP address in the range.
netmask {subnet-mask | /mask-length}
                    Network mask for the IP addresses in the pool.
lsn [max-users-per-ip num]
                    Enables the pool to be used for Large-Scale NAT (LSN). The max-users-per-ip option specifies the maximum number of internal addresses that can be mapped to a single public address at the same time. You can specify 1-65535. By default, there is no limit.

                    Note: The lsn option applies only to the LSN feature. Pools that use the lsn option can not be used with any type of NAT except LSN.
gateway ipaddr      Default gateway to use for NATted traffic.
ha-group-id group-id [ha-use-all-ports]
                    HA group ID, 1-31. The ha-use-all-ports option disables division of the pool's ports between AX devices. Without this option, the AX device automatically allocates half of each pool address's ports to one of the AX devices and allocates the other half of the ports to the other AX device. (See Usage below.)

                    Note: It is recommended to use the ha-use-all-ports option only for DNS virtual ports. Using this option with other virtual port types is not valid.

Default

None.

Mode

Global Config

Usage

The pool can be used by other ip nat commands. The IP addresses must be
IPv4 addresses. To configure a pool of IPv6 addresses, see ipv6 nat pool
on page 245.

To enable inside or outside NAT on interfaces, see "ip nat" on page 193.

When you use the gateway option, the gateway you specify is used as follows:
• For forward traffic (traffic from a client to a server), the NAT gateway is used if the source NAT address (the address from the pool) and the server address are not in the same IP subnet.
• On reverse traffic (reply traffic from a server to a client), the NAT gateway is used if all the following conditions are true:
    - The session is using translated addresses (is source NATted).
    - The source protocol port is in the source NAT subnet.
    - The destination is not in the source NAT subnet.

For conditions under which the NAT gateway is needed, if no NAT gateway
is configured, the AX device uses the default gateway configured for the
AX device's other traffic instead.

Port Allocation Between AX Devices in High Availability Deployments (ha-use-all-ports option)

By default, when you assign an IP NAT pool to an HA group, the AX device
automatically allocates half of each pool address's ports to one of the AX
devices and allocates the other half of the ports to the other AX device.

This automatic allocation is used to prevent simultaneous use of the same
port number by both AX devices. For example, without this protection, it
would be possible for the same IP address and protocol port number to be in
use on both AX devices in an Active-Active configuration.

However, this protection also requires the pool to be configured with more
addresses than will actually be needed.

In some cases, there is no benefit to dividing the pool's ports between the
AX devices. In particular, there is no benefit for DNS virtual ports. DNS
sessions are very short-lived and are never synchronized between the AX
devices. For this reason, there is no risk that the same NAT port will be in
use on more than one session at the same time. You can use the ha-use-all-ports option to disable division of the ports between AX devices.

Note: It is recommended to use the ha-use-all-ports option only for DNS virtual ports. Using this option with other virtual port types is not valid.

Example

The following command configures an IP address pool named pool1 that
contains addresses from 30.30.30.1 to 30.30.30.254:

AX(config)#ip nat pool pool1 30.30.30.1 30.30.30.254 netmask /24

ip nat pool-group
Description

Configure a set of IP pools for use by NAT. Pool groups enable you to use
non-contiguous IP address ranges, by combining multiple IP address pools.

Syntax

[no] ip nat pool-group pool-group-name

Parameter           Description
pool-group-name     Name of the pool group.

This command changes the CLI to the configuration level for the specified
pool group, where the following command is available.
(The other commands are common to all CLI configuration levels. See
"Config Commands: Global" on page 69.)

Parameter           Description
member pool-name    Name of a configured IP address pool.

Default

None.

Mode

Global Config

Usage

To use a non-contiguous range of addresses, configure a separate pool for
each contiguous portion of the range, then configure a pool group that contains the pools.

The addresses within an individual pool still must be contiguous, but you
can have gaps between the ending address in one pool and the starting
address in another pool. You also can use pools that are in different subnets.

For Large-Scale NAT (LSN), a pool group can contain up to 25 pools. For
other types of NAT, a pool group can contain up to 5 pools. Pool group
members must belong to the same protocol family (IPv4 or IPv6) and must
use the same HA ID. A pool can be a member of multiple pool groups.

If a pool group contains pools in different subnets, the AX device selects the
pool that matches the outbound subnet. For example, if there are two routes
to a given destination, in different subnets, and the pool group has a pool for
one of those subnets, the AX selects the pool that is in the subnet for the
outbound route.

The AX device selects the pool whose addresses are in the same subnet as
the next-hop interface used by the data route table to reach the server.

Example

The following commands create a pool group for LSN and add 25 pools to
the group:

AX(config)#ip nat pool-group group1
AX(config-pool-group)#member pool1
AX(config-pool-group)#member pool2
AX(config-pool-group)#member pool3
...
AX(config-pool-group)#member pool25

ip nat range-list
Description

Configure a range of IP addresses to use with static NAT.

Syntax

[no] ip nat range-list list-name
local-ipaddr /mask-length
global-ipaddr /mask-length
count number [ha-group-id group-id]

Parameter           Description
list-name           Name of the static NAT address range.
local-ipaddr /mask-length
                    Beginning (lowest) IP address in the range of local addresses.
global-ipaddr /mask-length
                    Beginning (lowest) IP address in the range of global addresses.
count number        Number of addresses to be translated, 1-200000. The range contains a contiguous block of the number of addresses you specify. The block of local addresses starts with the address you specify for local-ipaddr. Likewise, the block of global addresses begins with the address you specify for global-ipaddr.
ha-group-id group-id
                    HA group ID, 1-31. Specifying the HA group ID allows a newly Active AX device to properly continue management of NATted IP resources following a failover.

Default

None.

Mode

Global Config

Usage

You can configure up to 1000 ranges. You can specify IPv4 or IPv6
addresses within a range.

Example

The following command configures an IP address range named nat-list-1
that maps up to 100 local addresses starting from 10.10.10.97 to Internet
addresses starting from 192.168.22.50:

AX(config)#ip nat range-list nat-list-1 10.10.10.97 /16 192.168.22.50 /16 count 100

ip nat reset-idle-tcp-conn
Description

Enable client and server TCP Resets for NATted TCP sessions that become
idle.

Syntax

[no] ip nat reset-idle-tcp-conn

Default

Disabled.

Mode

Global Config

ip nat template logging


Description

Configure a template for external logging of LSN traffic events.

Syntax

[no] ip nat template logging template-name

This command changes the CLI to the configuration level for the specified
NAT logging template, where the following command is available.
(The other commands are common to all CLI configuration levels. See
"Config Commands: Global" on page 69.)

Parameter           Description
[no] facility facility-name
                    Specifies the logging facility to use. For a list of available facilities, enter the following command: facility ?
[no] include-destination
                    Includes the destination IP addresses and protocol ports in NAT port mapping logs.
[no] log port-mappings
                    Enables logging of LSN port mapping events.
[no] log sessions   Enables logging of LSN data session events.
[no] service-group group-name
                    Specifies the service group for the external log servers.
[no] severity severity-level
                    Specifies the severity level to assign to LSN traffic logs generated using this template. You can enter the name or the number of a severity level.
                    0 | emergency
                    1 | alert
                    2 | critical
                    3 | error
                    4 | warning
                    5 | notification
                    6 | information
                    7 | debugging
[no] source-port port-num
                    Specifies the UDP port number from which the AX device will send the log messages.

Default

There is no NAT logging template by default. When you configure one, the
template options have the following default values:
• facility - local0
• include-destination - disabled
• log port-mappings - enabled
• log sessions - disabled
• log service-group - not set
• log severity - 7 (debugging)
• log source-port - 514

Mode

Global Config

Usage

The template does not take effect until you set it as the default LSN logging
template or assign it to individual LSN pools.

• To set the template as the default LSN logging template, see "ip nat lsn logging default-template" on page 223.
• To assign the template to an LSN pool, see "ip nat lsn logging pool" on page 224.

Example

The following commands configure external logging for LSN traffic events,
using the same template for all LSN pools:

AX5200(config)#slb server syslog1 192.168.1.100
AX5200(config-real server)#port 514 udp
AX5200(config-real server)#exit
AX5200(config)#slb service-group syslog udp
AX5200(config-slb svc group)#member syslog1:514
AX5200(config-slb svc group)#exit
AX5200(config)#ip nat template logging lsn_logging
AX5200(config-nat logging)#log port-mappings
AX5200(config-nat logging)#service-group syslog
AX5200(config-nat logging)#exit
AX5200(config)#ip nat lsn logging default-template lsn_logging

ip nat translation
Description

Configure NAT timers.

Syntax

[no] ip nat translation
{
icmp-timeout {seconds | fast} |
service-timeout {seconds | fast} |
syn-timeout seconds |
tcp-timeout seconds |
udp-timeout seconds
}

Parameter           Description
icmp-timeout seconds | fast
                    Specifies how long NATted ICMP sessions can remain idle before being terminated. You can specify 60-15000 seconds, or fast. The fast option terminates the session as soon as a response is received.
service-timeout seconds | fast
                    Specifies how long NATted sessions on a specific protocol port can remain idle before being terminated. The timeout set for an individual protocol port overrides the global TCP or UDP timeout for NATted sessions. You can specify 60-15000 seconds, or fast. The fast option terminates the session as soon as a response is received.
syn-timeout seconds
                    Timeout after a SYN. You can specify 60-300 seconds, in intervals of 60 seconds.
tcp-timeout seconds
                    Timeout for TCP sessions that are not ended normally by a FIN or RST. You can specify 60-15000 seconds, in intervals of 60 seconds.
udp-timeout seconds
                    Timeout for UDP sessions. You can specify 60-300 seconds, in intervals of 60 seconds.

Default

The NAT timers have the following defaults:
• icmp-timeout - SLB maximum session life (MSL), which is 2 seconds by default. (See "slb msl-time" on page 288.)
• service-timeout - Not set. For all service ports except UDP 53, the tcp-timeout or udp-timeout setting is used. For UDP port 53, the SLB MSL time is used.
• syn-timeout - 60 seconds
• tcp-timeout - 300 seconds
• udp-timeout - 300 seconds

Mode

Global Config

Example

The following command changes the SYN timeout to 120 seconds:

AX(config)#ip nat translation syn-timeout 120

ip prefix-list
Description

Configure an IP prefix list.

Syntax

[no] ip prefix-list {name | sequence-num}
[seq sequence-num]
{deny | permit}
{any | ipaddr/mask-length}
[ge prefix-length] [le prefix-length]

Parameter           Description
name | sequence-num
                    Name or sequence number of the IP prefix-list rule. The name can not contain blanks. The sequence number can be 1-4294967295.
seq sequence-num    Changes the sequence number of the IP prefix-list rule. The sequence number can be 1-4294967295.
deny | permit       Action to take for IP addresses that match the prefix list.
any | ipaddr/mask-length
                    IP address and number of mask bits, from left to right, on which to match. If you omit the ge and le options (described below), the mask-length is also the subnet mask on which to match.
ge prefix-length    Specifies a range of prefix lengths on which to match. Any prefix length equal to or greater than the one specified will match. For example, ge 25 will match on any of the following mask lengths: /25, /26, /27, /28, /29, /30, /31, or /32.
le prefix-length    Specifies a range of prefix lengths on which to match. Any prefix length less than or equal to the one specified will match. The lowest prefix length in the range is the prefix specified with the IP address. For example, 192.168.1.0/24 le 28 will match on any of the following mask lengths: /24, /25, /26, /27, or /28.

Default

N/A

Mode

Global configuration

Usage

You can use IP prefix lists to provide input to the OSPFv2 command area
area-id filter-list on page 267.
How Matching Occurs

Matching begins with the lowest numbered IP prefix-list rule and continues until the first match is found. The action in the first matching rule is applied to the IP address. For example, if the IP prefix list contains the following two rules, rule 5 is used for IP address 192.168.1.9, even though the address also matches rule 10.

ip prefix-list 5 permit any
ip prefix-list 10 deny 192.168.1.0/24

The ge prefix-length and le prefix-length options enable you to specify a range of mask lengths on which to match. If you do not use either option, the mask-length in the address (/24 in the example above) specifies both the following:

- Number of bits to match, from left to right
- Mask length on which to match

If you use one or both of the ge or le options, the mask-length specifies only the number of bits to match. The ge or le option specifies the mask length(s) on which to match.

The following rule matches on any address whose first octet is 10 and whose mask-length is 8:

ip prefix-list match_on_8bit_mask_only permit 10.0.0.0/8

IP address 10.10.10.10/8 would match this rule but 10.10.10.10/24 would not.

The following rule uses the le option to extend the range of mask lengths that match:

ip prefix-list match_on_24bit_mask_or_less permit 10.0.0.0/8 le 24

This rule matches on any address that has 10 in the first octet, and whose mask length is 24 bits or less. IP addresses 10.10.10.10/8 and 10.10.10.10/24 would both match this rule.

The following rule permits any address from any network that has a mask 16-24 bits long.

ip prefix-list match_any_on_16-24bit_mask permit 0.0.0.0/0 ge 16 le 24

Implied Deny any Rule

The IP prefix list has an implied deny any rule at the end. This rule is not visible and can not be changed or deleted. If an IP address does not match any of the rules in the IP prefix list, the AX device uses the implied deny any rule to deny the address.

Sequence Numbering

As described above, the sequence of rules in the IP prefix list can affect whether a given address matches a permit rule or a deny rule.

When you configure the first IP prefix-list rule, the AX device assigns sequence number 5 to the rule by default. After that, the sequence number for each new rule is incremented by 5. If you explicitly set the sequence number of a rule, subsequent rules are still sequenced in increasing increments of 5. For example, if you set the sequence number of the first rule to 7, the next rule is 12 by default.

You can explicitly set the sequence number of a rule when you configure the rule. You also can change the sequence number of a rule that is already configured.
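
The matching behaviour described above (first match in sequence order, ge/le mask ranges, the implied deny any rule, default numbering in steps of 5), as an added Python example that is not part of the A10 reference or AX software. The parser, the shadowed() check and the constructed list named edge are assumptions for illustration; candidates are written as address/mask-length, as in the 10.10.10.10/8 example.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                      # "permit" or "deny"
    network: ipaddress.IPv4Network   # leading bits that must match
    lo: int                          # shortest mask length that matches
    hi: int                          # longest mask length that matches

    def matches(self, candidate: str) -> bool:
        iface = ipaddress.ip_interface(candidate)
        return (iface.ip in self.network
                and self.lo <= iface.network.prefixlen <= self.hi)

    def covers(self, other: "Rule") -> bool:
        """True if every prefix `other` matches is also matched by self."""
        return (other.network.subnet_of(self.network)
                and self.lo <= other.lo and other.hi <= self.hi)


def parse(config: str) -> dict:
    """Parse 'ip prefix-list ...' lines into {list name: rules sorted by seq}."""
    lists = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "prefix-list"] or len(tok) < 5:
            continue                          # not a rule line
        name, rest, seq = tok[2], tok[3:], None
        if rest[0] == "description":
            continue
        if name.isdigit():                    # "ip prefix-list 5 permit any" form
            # Assumption: a numeric identifier is a sequence number in one unnamed list.
            name, seq = "", int(name)
        if rest[0] == "seq":
            seq, rest = int(rest[1]), rest[2:]
        if len(rest) < 2 or rest[0] not in ("permit", "deny"):
            raise ValueError(f"cannot parse rule: {line!r}")
        rules = lists.setdefault(name, [])
        if seq is None:
            # Default numbering: 5 for the first rule, then +5.
            # Assumption: counted from the highest number already in the list.
            seq = max((r.seq for r in rules), default=0) + 5
        action, target, opts = rest[0], rest[1], rest[2:]
        if target == "any":
            net, lo, hi = ANY, 0, 32
        else:
            net = ipaddress.ip_network(target, strict=False)
            bounds = dict(zip(opts[::2], (int(v) for v in opts[1::2])))
            if bounds:                        # mask-length = bits to match only
                lo = bounds.get("ge", net.prefixlen)
                hi = bounds.get("le", 32)
            else:                             # mask-length is also the exact mask
                lo = hi = net.prefixlen
        rules.append(Rule(seq, action, net, lo, hi))
        rules.sort(key=lambda r: r.seq)
    return lists


def evaluate(rules, candidate: str):
    """Return (action, seq) of the first matching rule; seq None = implied deny."""
    for rule in rules:
        if rule.matches(candidate):
            return rule.action, rule.seq
    return "deny", None


def shadowed(rules):
    """Return (seq, earlier_seq) pairs for rules that can never be reached."""
    pairs = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                pairs.append((later.seq, earlier.seq))
                break
    return pairs


# The two rules from "How Matching Occurs": rule 5 hides the deny in rule 10.
PAGE_RULES = """
ip prefix-list 5 permit any
ip prefix-list 10 deny 192.168.1.0/24
"""

# Constructed sample: the deny placed first, a bounded permit after it.
RESEQUENCED = """
ip prefix-list edge seq 10 permit 10.0.0.0/8 le 24
ip prefix-list edge seq 5 deny 192.168.1.0/24
"""

if __name__ == "__main__":
    page = parse(PAGE_RULES)[""]
    print(evaluate(page, "192.168.1.9/24"), shadowed(page))
    edge = parse(RESEQUENCED)["edge"]
    for cand in ("192.168.1.9/24", "10.10.10.10/24", "10.10.10.10/28"):
        print(cand, evaluate(edge, cand))
```

Running shadowed() over a list before it is applied to a route filter flags deny rules that an earlier, broader permit makes unreachable.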

ip prefix-list list-id description

Description

Add a description to an IP prefix list.

Syntax

[no] prefix-list {name | sequence-num}
description string

Parameter    Description

name | sequence-num
  Name or sequence number of the IP prefix-list rule.

description string
  Description of the IP prefix list. The string can be up to 80 characters, and can contain blanks. Quotation marks are not required.

Default

None

Mode

Global configuration

Usage

The description is placed above the rule it describes. (See the CLI example.)

Example

The following commands add descriptions to some IP prefix-list rules and display the results:

AX(config)#ip prefix-list aaa description Here is a string to describe the rule.
AX(config)#ip prefix-list ccc description And here is a string to describe this rule.
AX(config)#show running-config | section ip prefix-list
ip prefix-list aaa description Here is a string to describe the rule.
ip prefix-list aaa seq 5 permit any
ip prefix-list bbb seq 10 permit 192.168.1.0/24
ip prefix-list ccc description And here is a string to describe this rule.
ip prefix-list ccc seq 15 deny 10.10.10.0/8 le 24

ip prefix-list sequence-number

Description

Enable or disable display of the sequence numbers of IP prefix-list rules.

Syntax

[no] prefix-list sequence-number

Default

Enabled

Mode

Global configuration

Usage

When this option is enabled, the sequence numbers are displayed in the running-config. After you save the configuration, the sequence numbers also are displayed in the startup-config.

Example

The following commands configure some IP prefix-list rules, then display them in the running-config. Display of sequence numbers is enabled.

AX(config)#ip prefix-list aaa deny 10.10.10.0/8 le 24
AX(config)#ip prefix-list bbb permit 192.168.1.0/24
AX(config)#ip prefix-list ccc permit any
AX(config)#show running-config | section ip prefix-list
ip prefix-list aaa seq 5 permit any
ip prefix-list bbb seq 10 permit 192.168.1.0/24
ip prefix-list ccc seq 15 deny 10.10.10.0/8 le 24

Example

The following commands disable display of sequence numbers, then re-display the IP prefix-list rules:

AX(config)#no ip prefix-list sequence-number
AX(config)#show running-config | section ip prefix-list
ip prefix-list aaa deny 10.10.10.0/8 le 24
ip prefix-list bbb permit 192.168.1.0/24
ip prefix-list ccc permit any

ip route

Description

Configure a static IP route.

Syntax

[no] ip route destination-ipaddr
{subnet-mask | /mask-length}
next-hop-ipaddr [cpu-process]

Parameter    Description

destination-ipaddr {subnet-mask | /mask-length}
  Specifies the destination of the route. To configure a default route, specify 0.0.0.0/0.

next-hop-ipaddr
  Specifies the next-hop router to use to reach the route destination. The address must be in the same subnet as the AX Series device.

cpu-process
  Sends traffic that uses this route to the CPU for processing. This option is applicable only to models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200. The option does not appear in the CLI on other models.

Default

There are no static routes configured by default.

Mode

Global Config

Usage

If a destination can be reached by an explicit route (a route that is not a default route), then the explicit route is used. If an explicit route is not available to reach a given destination, the default route is used (if a default route is configured).

Example

The following command configures a default route using gateway 10.10.10.1 and the default metric:

AX(config)#ip route 0.0.0.0/0 10.10.10.1

ip tcp syn-cookie threshold

Description

Modify the threshold for TCP handshake completion. The TCP handshake threshold is applicable when SYN cookies are active.

Syntax

[no] ip tcp syn-cookie threshold seconds

Parameter    Description

seconds
  Specifies the number of seconds allowed for a TCP handshake to be completed. If the handshake is not completed within the allowed time, the AX device drops the session. You can specify 1-100 seconds.

Default

4 seconds

Mode

Global Config

Usage

The TCP handshake threshold is applicable only when hardware-based SYN cookies are active. To enable support for hardware-based SYN cookies, see syn-cookie on page 160.

Example

The following command changes the TCP handshake threshold to 15 seconds:

AX(config)#ip tcp syn-cookie threshold 15


Config Commands: IPv6


The IPv6 commands configure global IPv6 parameters.
This CLI level also has the following commands, which are available at all
configuration levels:
clear See clear on page 49.
debug See debug on page 52.
do See do on page 103.
end See end on page 107.
exit See exit on page 107.
no See no on page 135.
show See Show Commands on page 535.
write See write terminal on page 67.

Note: To configure global IPv4 parameters, see Config Commands: IP on page 215.

ipv6 access-list

Description

Configure an extended IPv6 ACL.

Syntax

[no] ipv6 access-list acl-id

This command changes the CLI to the configuration level for the ACL, where the following ACL-related commands are available.

Syntax

[no] [seq-num] {permit | deny} {ipv6 | icmp}
{any | host host-src-ipv6addr |
net-src-ipv6addr /mask-length}
{any | host host-dst-ipv6addr |
net-dst-ipv6addr /mask-length}
[log [transparent-session-only]]

or

Syntax

[no] {permit | deny} {tcp | udp}
{any | host host-src-ipv6addr |
net-src-ipv6addr /mask-length}
[eq src-port | gt src-port | lt src-port |
range start-src-port end-src-port]
{any | host host-dst-ipv6addr |
net-dst-ipv6addr /mask-length}
[eq dst-port | gt dst-port | lt dst-port |
range start-dst-port end-dst-port]
[log [transparent-session-only]]

Parameter    Description

seq-num
  Sequence number of this rule in the ACL. You can use this option to resequence the rules in the ACL.

deny | permit
  Action to take for traffic that matches the ACL.
  - deny: Drops the traffic.
  - permit: Allows the traffic.

ipv6 | icmp
  Filters on IPv6 or ICMP packets.

tcp | udp
  Filters on TCP or UDP packets. The tcp and udp options enable you to filter on protocol port numbers.

any | host host-src-ipv6addr | net-src-ipv6addr /mask-length
  Source IP address(es) to filter.
  - any: The ACL matches on all source IP addresses.
  - host host-src-ipv6addr: The ACL matches only on the specified host IPv6 address.
  - net-src-ipv6addr /mask-length: The ACL matches on any host in the specified subnet. The mask-length specifies the portion of the address to filter.

eq src-port | gt src-port | lt src-port | range start-src-port end-src-port
  For tcp or udp, the source protocol ports to filter.
  - eq src-port: The ACL matches on traffic from the specified source port.
  - gt src-port: The ACL matches on traffic from any source port with a higher number than the specified port.
  - lt src-port: The ACL matches on traffic from any source port with a lower number than the specified port.
  - range start-src-port end-src-port: The ACL matches on traffic from any source port within the specified range.

any | host host-dst-ipv6addr | net-dst-ipv6addr /mask-length
  Destination IP address(es) to filter.

eq dst-port | gt dst-port | lt dst-port | range start-dst-port end-dst-port
  For tcp or udp, the destination protocol ports to filter.

log [transparent-session-only]
  Configures the AX device to generate log messages when traffic matches the ACL. The transparent-session-only option limits logging for an ACL rule to creation and deletion of transparent sessions for traffic that matches the ACL rule.

Syntax

[no] remark string

The remark command adds a remark to the ACL. The remark appears at the top of the ACL when you display it in the CLI. The string can be 1-63 characters. To use blank spaces in the remark, enclose the entire remark string in double quotes.

Default

None

Mode

Global Config

ipv6 address

Description

Configure the global IPv6 address of the AX Series device, when the device is deployed in transparent mode (Layer 2 mode).

Syntax

[no] ipv6 address ipv6-addr/prefix-length

Parameter    Description

ipv6-addr
  Valid unicast IPv6 address.

prefix-length
  Prefix length, up to 128.

Default

N/A

Mode

Global Config

Usage

This command applies only when the AX Series device is deployed in transparent mode. To assign IPv6 addresses to individual interfaces instead (gateway mode), use the ipv6 address command at the interface configuration level. (See ipv6 address on page 199.)

Example

The following command configures global IPv6 address 2001:db8::1521:31ab/32:

AX(config)#ipv6 address 2001:db8::1521:31ab/32

ipv6 default-gateway

Description

Specify the default gateway to use to reach other IPv6 networks, when the AX Series device is used in transparent mode (Layer 2 mode).

Syntax

[no] ipv6 default-gateway ipv6-addr

Parameter    Description

ipv6-addr
  IPv6 address of the next-hop gateway.

Default

N/A

Mode

Global Config

Usage

This command applies only when the AX Series device is used in transparent mode. If you instead want to use the device in gateway mode (Layer 3 mode), configure routing.

Example

The following command configures default IPv6 gateway 2001:db8::1521:31ac:

AX(config)#ipv6 default-gateway 2001:db8::1521:31ac

ipv6 nat pool

Description

Configure a named set of IPv6 addresses for use by Network Address Translation (NAT).

Syntax

[no] ipv6 nat pool pool-name
start-ipv6-addr end-ipv6-addr
netmask mask-length
[gateway ipaddr] [ha-group-id group-id]

Parameter    Description

pool-name
  Name of the address pool.

start-ipaddr
  Beginning (lowest) IP address in the range.

end-ipaddr
  Ending (highest) IP address in the range.

netmask mask-length
  Network mask for the IP addresses in the pool, 96-128.

gateway ipv6-addr
  Next-hop gateway address.

group-id
  HA group ID, 1-31.

Default

None.

Mode

Global Config

Example

The following command configures an IPv6 address pool named ipv6pool2:

AX(config)#ipv6 nat pool ipv6pool2 abc1::1 abc1::10 netmask 96

ipv6 neighbor

Description

Configure a static IPv6 neighbor.

Syntax

[no] ipv6 neighbor ipv6-addr macaddr
ethernet port-num [vlan vlan-id]

Parameter    Description

ipv6-addr
  IPv6 unicast address of the neighbor.

macaddr
  MAC address of the IPv6 neighbor.

port-num
  Ethernet interface connected to the neighbor.

vlan-id
  VLAN for which to add the IPv6 neighbor entry. If you do not specify the VLAN, the entry is added for all VLANs.

Default

N/A

Mode

Global Config

Usage

The neighbor must be directly connected to the AX Series device's Ethernet port you specify, or connected through a Layer 2 switch.

Example

The following command configures IPv6 neighbor 2001:db8::1111:2222 with MAC address abab.cdcd.efef, connected to the AX Series device's Ethernet port 5:

AX(config)#ipv6 neighbor 2001:db8::1111:2222 abab.cdcd.efef ethernet 5

ipv6 ospf cost

Description

Explicitly set the link-state metric (cost) for this OSPF interface.

Syntax

[no] ipv6 ospf cost num

Parameter    Description

num
  Specifies the cost, 1-65535.

Default

By default, an interface's cost is calculated based on the interface's bandwidth. If the auto-cost reference bandwidth is set to its default value (100 Mbps), the default interface cost is 10.

Mode

Interface

ipv6 ospf dead-interval

Description

Specify the maximum time to wait for a reply to a hello message, before declaring the neighbor to be offline.

Syntax

[no] ipv6 ospf dead-interval seconds

Parameter    Description

seconds
  Number of seconds this OSPF router will wait for a reply to a hello message sent out this interface to an OSPF neighbor, before declaring the neighbor to be offline. You can specify 1-65535 seconds.

Default

40

Mode

Interface

ipv6 ospf hello-interval

Description

Specify the time to wait between sending hello packets to OSPF neighbors.

Syntax

[no] ipv6 ospf hello-interval seconds

Parameter    Description

seconds
  Number of seconds this OSPF router will wait between transmission of hello packets out this interface to OSPF neighbors. You can specify 1-65535 seconds.

Default

10

Mode

Interface

ipv6 ospf neighbor

Description

Configure an OSPFv3 neighbor that is located on a non-broadcast network reachable through this interface.

Syntax

[no] ipv6 ospf neighbor ipv6-addr
[
cost num [instance-id num] |
instance-id num |
poll-interval seconds [priority num]
[instance-id num] |
priority num [poll-interval seconds]
[instance-id num]
]

Parameter    Description

ipv6-addr
  IPv6 address of the OSPF neighbor.

cost num
  Specifies the link-state metric to the neighbor, 1-65535.

poll-interval seconds
  Number of seconds this OSPFv3 interface will wait for a reply to a hello message sent to the neighbor, before declaring the neighbor to be offline. You can specify 1-65535 seconds.

priority num
  Router priority of the neighbor, 1-255.

Default

No neighbors on non-broadcast networks are configured by default. When you configure one, the other parameters have the following default settings:

- cost: not set
- poll-interval: 120 seconds
- priority: 0

ipv6 network

Description

Change the OSPF network type to a type different from the default for the media.

Syntax

[no] ipv6 ospf network network-type

Parameter    Description

network-type
  Type of network. You can specify one of the following:
  - broadcast: Broadcast network.
  - non-broadcast: Non-broadcast multiaccess (NBMA) network.
  - point-to-multipoint: Point-to-multipoint network.
  - point-to-point: Point-to-point network.

Default

Broadcast

Mode

Interface

ipv6 ospf priority

Description

Priority of this OSPF router (and process) on this interface for becoming the designated router for the OSPF domain.

Syntax

[no] ipv6 ospf priority num

Parameter    Description

num
  Priority of this OSPF process on this interface, 0-255. The lowest priority is 0 and the highest priority is 255.

Default

Mode

Interface

Usage

If more than one OSPF router has the highest priority, the router with the
highest router ID is selected as the designated router.

ipv6 ospf retransmit-interval

Description

Specify the time to wait before resending an unacknowledged packet out this interface to an OSPF neighbor.

Syntax

[no] ipv6 ospf retransmit-interval seconds

Parameter    Description

seconds
  Number of seconds this OSPF router waits before resending an unacknowledged packet out this interface to a neighbor. You can specify 1-65535 seconds.

Default

Mode

Interface

ipv6 transmit-delay

Description

Specify the time to wait between sending packets out this interface to an OSPF neighbor.

Syntax

[no] ipv6 ospf transmit-delay seconds

Parameter    Description

seconds
  Number of seconds this OSPF router waits between transmission of packets out this interface to OSPF neighbors. You can specify 1-65535 seconds.

Default

Mode

Interface

ipv6 route

Description

Configure a static IPv6 route.

Syntax

[no] ipv6 route ipv6-addr/prefix-length
gateway-addr
[ethernet port-num | trunk num | ve ve-num]

Parameter    Description

ipv6-addr
  IPv6 unicast address of the route destination.

prefix-length
  Prefix length, 1-128.

gateway-addr
  IPv6 unicast address of the next-hop gateway to the destination.

ethernet port-num | trunk num | ve ve-num
  Uses the link-local address on the specified interface as the next hop.

Default

N/A

Mode

Config

Usage

The ethernet, trunk, and ve options are available only if the gateway-addr is a link-local address. Otherwise, the options are not displayed in the online help and are not supported.

- If you use an individual Ethernet port, the port can not be a member of a trunk or a VE. If you use a trunk, the trunk can not be a member of a VE.
- After you configure the static route, you can not change the interface's membership in trunks or VEs. For example, if you configure a static route that uses Ethernet port 6's link-local address as the next hop, it is not supported to later add the interface to a trunk or VE. The static route must be removed first.

Example

The following command configures a static IPv6 route to destination 2001:db8::3333:3333/32, through gateway 2001:db8::3333:4444:

AX(config)#ipv6 route 2001:db8::3333:3333/32 2001:db8::3333:4444

Example

The following command configures a default IPv6 route:

AX(config)#ipv6 route ::/0 abc1::1111

The following command configures an IPv6 static route that uses Ethernet port 6's link-local address as the next hop:

AX(config)#ipv6 route abaa:3::0/64 fe80::2 ethernet 6


Config Commands: Router OSPF


This chapter describes the commands for configuring global OSPFv2 and OSPFv3 parameters.

Note: This CLI level also has the following commands, which are available at all configuration levels:

clear See clear on page 49.
debug See debug on page 52.
do See do on page 103.
end See end on page 107.
exit See exit on page 107.
no See no on page 135.
show See Show Commands on page 535.
write See write terminal on page 67.

Enabling OSPF

To enable OSPF, use one of the following commands at the global configuration level of the CLI. Each command changes the CLI to the configuration level for the specified OSPFv2 process ID or OSPFv3 instance tag.

OSPFv2

router ospf [process-id]

The process-id specifies the IPv4 OSPFv2 instance to run on the AX device, and can be 1-65535.

OSPFv3

router ipv6 ospf [tag]

The tag specifies the IPv6 OSPFv3 instance to run on the IPv6 link, and can be 1-65535.

Interface-level OSPF Commands

In addition to global parameters, OSPF has parameters on the individual interface level. To configure OSPF on an interface, use the interface command to access the configuration for the interface, then use the ip ospf command. (See ip ospf on page 194.)

Show Commands

To display OSPF settings, use show ip ospf commands. (See Show Commands on page 535.)

Configuration Commands Applicable to OSPFv2 or OSPFv3

The following configuration commands are applicable to OSPFv2 and OSPFv3.
The commands in this section apply throughout the OSPFv2 process or OSPFv3 instance in which the commands are entered.

area area-id default-cost

Description

Specify the cost of a default summary route sent into a stub area.

Syntax

[no] area area-id default-cost num

Parameter    Description

area-id
  Area ID, either an IP address or a number.

num
  Cost of the default summary route, 0-16777214.

Default

The default is 1.

Mode

OSPFv2 or OSPFv3

Example

The following command assigns a cost of 4400 to default summary routes injected into stub areas:

AX(config-router)#area 5.5.5.5 default-cost 4400

area area-id range

Description

Summarize routes at an area boundary.

Syntax

[no] area area-id range ipaddr/mask-length
[advertise | not-advertise]

Parameter    Description

area-id
  Beginning area ID.

range area-id
  Ending area ID.

ipaddr
  Subnet address for the range.

/mask-length
  Network mask length for the range.

advertise
  Generates Type 3 summary LSAs for the areas in the range.

not-advertise
  Does not generate Type 3 summary LSAs. The networks are hidden from other networks.

Default

There is no default range configuration. When you configure a range, the default advertisement string is advertise.

Mode

OSPFv2 or OSPFv3

Example

The following command configures a range and disables advertisement of routes into the areas:

AX(config-router)#area 8.8.8.8 range 10.10.10.10/16 not-advertise

area area-id stub

Description

Configure a stub area.

Syntax

[no] area area-id stub [no-summary]

Parameter    Description

area-id
  Area ID.

no-summary
  ABRs do not send summary LSAs into the stub area.

Default

None

Mode

OSPFv2 or OSPFv3

Example

The following command configures a stub area with area ID 10.2.4.5:

AX(config-router)#area 10.2.4.5 stub

area area-id virtual-link

Description

Configure a link between two backbone areas that are separated by nonbackbone areas.

Syntax

[no] area area-id virtual-link ipaddr
[authentication]
[authentication-key string [string ...]]
[dead-interval seconds]
[hello-interval seconds]
[message-digest-key num md5 string [string ...]]
[retransmit-interval seconds]
[transmit-delay seconds]

Parameter    Description

area-id
  Area ID, either an IP address or a number.

ipaddr
  IP address of the OSPF neighbor at the other end of the link.

authentication
  Enables authentication on the link.

authentication-key string [string ...]
  Specifies a simple text password for authenticating OSPF traffic between this router and the neighbor at the other end of the virtual link. The string is an 8-character authentication password.

dead-interval seconds
  Number of seconds this OSPF router will wait for a reply to a hello message sent to the neighbor on the other end of the virtual link, before declaring the neighbor to be offline. You can specify 1-65535 seconds.

hello-interval seconds
  Number of seconds this OSPF router waits between sending hello messages to the neighbor on the other end of the virtual link. You can specify 1-65535 seconds.

message-digest-key num md5 string [string ...]
  Specifies an MD5 key, 1-255. The string is a 16-character authentication password.

retransmit-interval seconds
  Number of seconds this OSPF router waits before resending an unacknowledged packet to the neighbor on the other end of the virtual link. You can specify 1-65535 seconds.

transmit-delay seconds
  Number of seconds this OSPF router waits between sending packets to the neighbor on the other end of the virtual link. You can specify 1-65535 seconds.

Default

None. When you configure a virtual link, it has the following default settings:

- authentication: disabled
- authentication-key: not set
- dead-interval: 40
- hello-interval: 10
- message-digest-key: not set
- retransmit-interval: 5
- transmit-delay: 1

Mode

OSPFv2 or OSPFv3

auto-cost reference bandwidth

Description

Change the reference bandwidth used by OSPF to calculate default metrics.

Syntax

[no] auto-cost reference-bandwidth mbps

Parameter    Description

mbps
  Specifies the reference bandwidth, in Mbps. You can specify 1-4294967.

Default

100 Mbps

Mode

OSPFv2 or OSPFv3

Usage

By default, OSPF calculates the OSPF metric for an interface by dividing the reference bandwidth by the interface bandwidth. This command differentiates high-bandwidth links from lower-bandwidth links. If multiple links have high bandwidth, specify a larger reference bandwidth so that the cost of those links is differentiated from the cost of lower-bandwidth links.

capability restart

Description

Enable graceful restart of the OSPF process or OSPF signalling.

Syntax

[no] capability restart {graceful | signaling}

Parameter    Description

graceful
  Enables graceful restart of OSPF.

signaling
  Enables restart of OSPF signalling.

Default

Graceful restart and signalling are both enabled by default.

Mode

OSPFv2 or OSPFv3

default-metric

Description

Set the numeric cost that is assigned to OSPF routes by default. The metric (cost) is added to routes when they are redistributed.

Syntax

[no] default-metric num

Parameter    Description

num
  Default cost, 0-16777214.

Default

20

Mode

OSPFv2 or OSPFv3

Example

The following command configures a default metric of 6666:

AX(config-router)#default-metric 6666

ha-standby-extra-cost

Description

Enable OSPF awareness of High Availability (HA).

Syntax

[no] ha-standby-extra-cost num

Parameter    Description

num
  Specifies the extra cost to add to the AX device's OSPF interfaces, if the HA status of one or more of the device's HA groups is Standby. You can specify 1-65535. If the resulting cost value is more than 65535, the cost is set to 65535.

Default

Not set. The OSPF protocol on the AX device is not aware of the HA state (Active or Standby) of the AX device.

Mode

OSPFv2 or OSPFv3

Usage

Enter the command on each of the AX devices in the HA pair.

max-concurrent-dd

Description

Set the maximum number of OSPF neighbors that can be processed concurrently during database exchange between this OSPF router and its OSPF neighbors.

Syntax

[no] max-concurrent-dd num

Parameter    Description

num
  Specifies the maximum number of neighbors that can be processed at the same time during database exchange. You can specify 1-65535.

Default

Not set (no limit)

Mode

OSPFv2 or OSPFv3

Usage

This command is useful in cases where router performance is being adversely affected by processing of neighbor adjacencies.

maximum-area

Description

Set the maximum number of OSPF areas supported for this OSPF process.

Syntax

[no] maximum-area num

Parameter    Description

num
  Specifies the maximum number of areas allowed for this OSPF process. You can specify 1-4294967294.

Default

4294967294

Mode

OSPFv2 or OSPFv3

passive-interface

Description

Disable Link-State Advertisements (LSAs) from being sent on an interface.

Syntax

[no] passive-interface
{ethernet portnum | loopback num | management |
ve ve-num}

Default

LSAs are enabled. (No interfaces are passive.)

Mode

OSPFv2 or OSPFv3

Example

The following command configures a passive interface on the Virtual Ethernet (VE) interface on VLAN 3:

AX(config-router)#passive-interface ve 3

redistribute
Description

Enable distribution of routes from other sources into OSPF.

Syntax

[no] redistribute
{
connected [options] |
floating-ip [options] |
ip-nat [ipaddr/mask-length
floating-IP-forward-address ipaddr] [options] |
ip-nat-list [options] |
ospf [process-id] [options] |
rip [options] |
static [options] |
vip [ipaddr floating-IP-forward-address ipaddr |
{only-flagged | only-not-flagged}] [options]
}

Parameter

Description

connected [options]

Redistributes routes into OSPF for reaching directly connected networks. For options, see the end of this parameter list.

floating-ip [options]

Redistributes routes into OSPF for reaching HA floating IP addresses. For options, see the end of this parameter list.

ip-nat [ipaddr/mask-length floating-IP-forward-address ipaddr] [options]

Redistributes routes into OSPF for reaching translated NAT addresses allocated from a pool.
By default, the forward address for all redistributed NAT pool addresses is 0.0.0.0. To set a floating IP address as the forward address, use the ipaddr/mask-length option to specify the NAT pool address. The floating-IP-forward-address ipaddr option specifies the forward address to use when redistributing the route to the NAT pool address.
For options, see the end of this parameter list.

ip-nat-list [options]

Redistributes routes into OSPF for reaching translated NAT addresses allocated from a range list. For options, see the end of this parameter list.

ospf [process-id] [options]

Redistributes routes into this OSPFv2 process for reaching networks in another OSPFv2 process. For options, see the end of this parameter list.

rip [options]

Redistributes routes into OSPF for reaching networks advertised by RIP. For options, see the end of this parameter list.

static [options]

Redistributes routes into OSPF for reaching networks through static routes. For options, see the end of this parameter list.

vip [ipaddr floating-IP-forward-address ipaddr | {only-flagged | only-not-flagged}] [options]

Redistributes routes into OSPF for reaching virtual server IP addresses.
By default, the forward address for all redistributed VIPs is 0.0.0.0. To set a floating IP address as the forward address, use the ipaddr option to specify the VIP address. Use the floating-IP-forward-address ipaddr option to specify the forward address to use when redistributing the route to the VIP.
By default, all VIPs are redistributed when you use the vip option. To restrict redistribution to a subset of VIPs, use one of the following options:
only-flagged: Redistributes only the VIPs on which the redistribution-flagged command is used.
only-not-flagged: Redistributes all VIPs except those on which the redistribution-flagged command is used.
For more information, see Usage.
For options, see below.
options

Optional parameters supported for all the options listed above:
metric-type {1 | 2}: External link type associated with the route advertised into the OSPF routing domain:
  1: Type 1 external route
  2: Type 2 external route
metric num: Metric for the default route, 0-16777214. The default is 20.
route-map map-name: Name of a route map. (To configure a route map, see route-map on page 255.)
tag num: Includes the specified tag value in external Link-State Advertisements (LSAs). Inter-domain routers running Border Gateway Protocol (BGP) can be configured to make routing decisions based on the tag value. The tag value can be 0-4294967295. The default is 0.

Note: The bgp, isis, and kernel options are not applicable to the current release and are not supported.
Default

Disabled. By default, OSPF routes are not redistributed. For other defaults,
see above.

Mode

OSPFv2 or OSPFv3

Usage

When you enable redistribution, routes to all addresses of the specified type
are redistributed. For example, if you use the vip option, routes to all VIPs
are redistributed into OSPF.
By default, the AX device uses 0.0.0.0 as the forward address in routes that are redistributed in OSPF type-5 link-state advertisements (LSAs). In this case, other OSPF routers find a route to reach the AX device (which is acting as OSPF ASBR), then use the corresponding next-hop address as the next hop for the destination network. You can specify a floating IP address to use as the forward address, for individual NAT pools or VIPs. (See the syntax above.)
VIP Redistribution
VIP redistribution is not supported for VIPs on which destination NAT has
been disabled. For example, VIP redistribution is not supported for VIPs
that are configured for Direct Server Return (DSR).
You can exclude redistribution of individual VIPs using one or the other of the following methods. They are mutually exclusive.
- If more VIPs will be excluded than will be allowed to be redistributed:
  - At the configuration level for each of the VIPs to allow to be redistributed, enter the following command: redistribution-flagged
  - At the configuration level for the OSPFv2 process or OSPFv3 instance, enter the following command: redistribute vip only-flagged
- If fewer VIPs will be excluded than will be allowed to be redistributed:
  - At the configuration level for each of the VIPs to exclude from redistribution, enter the following command: redistribution-flagged
  - At the configuration level for the OSPFv2 process or OSPFv3 instance, enter either of the following commands: redistribute vip only-not-flagged or redistribute vip

Note: In the configuration, the redistribute vip only-not-flagged command is automatically converted into the redistribute vip command. When you display the configuration, it will contain the redistribute vip command, not the redistribute vip only-not-flagged command. This command conversion makes the behavior in the current release backwards compatible with the behavior in previous releases.
VIP Redistribution Usage Examples:
- If you have 10 VIPs and all of them need to be redistributed by OSPF, use the redistribute vip command at the configuration level for the OSPF process.
- If you have 10 VIPs but only 2 of them need to be redistributed, use the redistribution-flagged command at the configuration level for each of the 2 VIPs, then use the redistribute vip only-flagged command at the configuration level for the OSPFv2 process or OSPFv3 instance.
- If you have 10 VIPs and need to redistribute 8 of them, use the redistribution-flagged command at the configuration level for the 2 VIPs that should not be redistributed. Enter the redistribute vip only-not-flagged command at the configuration level for the OSPFv2 process or OSPFv3 instance. (In this case, alternatively, you could enter redistribute vip instead of redistribute vip only-not-flagged.)

Example

The following command enables redistribution of OSPF routes into RIP:

AX(config-router)#redistribute rip

Example

The following commands redistribute floating IP addresses and VIP addresses into OSPF:

AX(config-router)#redistribute floating-ip
AX(config-router)#redistribute vip

Example

The following commands flag a VIP, then configure OSPF to redistribute only that flagged VIP. The other (unflagged) VIPs will not be redistributed.

AX(config)#slb virtual-server vip1
AX(config-slb virtual server)#redistribution-flagged
AX(config-slb virtual server)#exit
AX(config)#router ospf
AX(config-router)#redistribute vip only-flagged

Example

The following command enables redistribution of VIPs, and sets tag value
555 to be included in external LSAs that advertise the route to the VIP:

AX(config-router)#redistribute vip metric-type 1 metric 1 tag 555

router-id
Description

Set the value used by this OSPF router to identify itself when exchanging
route information with other OSPF routers.

Syntax

[no] router-id ipaddr

Default

For OSPFv2, the default router ID is the highest-numbered IP address configured on any of the AX device's loopback interfaces. If no loopback interfaces are configured, the highest-numbered IP address configured on any of the AX device's other Ethernet data interfaces is used.
For OSPFv3, the router ID must be set.

Note: Setting the router ID is required for OSPFv3 and is strongly recommended for OSPFv2.

Mode

OSPFv2 or OSPFv3

Usage

The AX device has only one router ID. The address does not need to match
an address configured on the AX device. However, the address must be an
IPv4 address and must be unique within the routing domain.
New or changed router IDs require a restart of the OSPF process. To restart
the OSPF process, use the clear ip ospf process command.

Example

The following commands set the router ID to 2.2.2.2 and reload OSPF to
place the new router ID into effect:

AX(config-router)#router-id 2.2.2.2
AX(config-router)#clear ip ospf process

timers spf exp


Description

Change Shortest Path First (SPF) timers used for route recalculation following a topology change.

Syntax

[no] timers spf
{exp min-delay max-delay | delay hold-time}

Parameter

Description

exp min-delay max-delay

Enables exponential back-off delays for route recalculation.
The min-delay specifies the minimum number of milliseconds (ms) the OSPF process waits after receiving a topology change, before recalculating its OSPF routes. You can specify 0-2147483647.
The max-delay specifies the maximum number of milliseconds (ms) the OSPF process waits after receiving a topology change, before recalculating its OSPF routes. You can specify 0-2147483647.

delay hold-time

Specifies the delay time between the receipt of a topology change and the calculation of the SPF. This option also configures the hold time between two consecutive SPF calculations.
The delay specifies the number of milliseconds (ms) the OSPF process waits after receiving a topology change, before recalculating its OSPF routes. You can specify 0-2147483647 ms.
The hold-time specifies the minimum number of seconds the OSPF process must wait between consecutive route recalculations. You can specify 0-2147483647 ms.

Default

For the exp option, the default min-delay is 50 ms and the default max-delay
is also 50 ms. For delay hold-time option, the default delay is 50 ms. The
default hold-time is 100 ms.

Mode

OSPFv2 or OSPFv3

Usage

After you enter this command, any pending route recalculations are
rescheduled based on the new timer values.

Configuration Commands Applicable to OSPFv2 Only


The following configuration commands are applicable to OSPFv2 only.
The commands in this section apply throughout the OSPFv2 process in
which the commands are entered.

area area-id authentication


Description

Enable authentication for an OSPF area.

Syntax

[no] area area-id authentication [message-digest]

Parameter
message-digest

Description
Enables MD5 authentication. If you omit this
option, simple text authentication is used.

Default

Disabled. No authentication is used.

Mode

OSPFv2

Usage

To configure a simple text password or MD5 key, see ip ospf on page 194.

area area-id filter-list


Description

Filter the summary routes advertised by this OSPF router, if it is acting as an Area Border Router (ABR).

Syntax

[no] area area-id filter-list
{
access acl-id {in | out} |
prefix list-name {in | out}
}

Parameter

Description

area-id

Area ID, either an IP address or a number.

access acl-id {in | out}

ID of an Access Control List (ACL). The only routes that are advertised are routes to the subnets permitted by the ACL.

prefix list-name {in | out}

ID of an IP prefix list. The only routes that are advertised are routes to the subnets that match the list.

Default

Not set.

Mode

OSPFv2

Usage

You can specify an ACL or an IP prefix list. To configure an ACL, see the
AX Series CLI Reference. To configure a prefix list, see Prefix List Command Reference on page 259.

area area-id multi-area-adjacency


Description

Enables support for multiple OSPF area adjacencies on the specified interface.

Syntax

[no] area area-id multi-area-adjacency
{ethernet portnum | loopback num | management |
ve ve-num}
neighbor ipaddr

Default

Disabled. By default, only one OSPF adjacency is allowed on an interface for a given OSPF process.

Mode

OSPFv2

Usage

This command is applicable only if this OSPF router is an ABR.

area area-id nssa


Description

Configure a not-so-stubby area (NSSA).

Syntax

[no] area area-id nssa
[
default-information-originate
[metric num] [metric-type {1 | 2}] |
no-redistribution |
no-summary |
translator-role {always | candidate | never}
]

Parameter

Description

area-id

Area ID.

default-information-originate [metric num] [metric-type {1 | 2}]

Generates a Type 7 LSA into the NSSA area. (This option takes effect only on Area Border Routers (ABRs)).
metric num: Metric for the default route, 0-16777214. The default is 20.
metric-type {1 | 2}: External link type associated with the route advertised into the OSPF routing domain:
  1: Type 1 external route
  2: Type 2 external route

no-redistribution

Disables redistribution of routes into the area.

no-summary

Disables sending summary LSAs into the NSSA.

translator-role {always | candidate | never}

Specifies the types of LSA translation performed by this OSPF router for the NSSA:
always: If this OSPF router is an NSSA border router, the router will always translate Type 7 LSAs into Type 5 LSAs, regardless of the translator state of other NSSA border routers.
candidate: If this OSPF router is an NSSA border router, the router is eligible to be elected the Type 7 NSSA translator.
never: This OSPF router is ineligible to be elected the Type 7 NSSA translator.

Default

None

Mode

OSPFv2

Example

The following command configures an NSSA with area ID 6.6.6.6:

AX(config-router)#area 6.6.6.6 nssa

area area-id shortcut


Description

Configure short-cutting through an area.

Syntax

[no] area area-id shortcut
{default | disable | enable}

Parameter

Description

area-id

Area ID.

default

Enables the default shortcut behavior. (See below.)

disable

Disables shortcutting through the area.

enable

Forces shortcutting through the area.

Default

None

Mode

OSPFv2

Usage

A shortcut enables traffic to go through a non-backbone area with a lower metric, regardless of whether the ABR router is attached to the backbone area.

capability opaque
Description

Disable or re-enable opaque LSA capability.

Syntax

[no] capability opaque

Default

Enabled.

Mode

OSPFv2

Usage

Opaque-LSAs deliver information used by external applications. Type 9, 10 and 11 LSAs can be opaque LSAs.

compatible rfc1583
Description

Enable calculation of summary route costs per RFC 1583.

Syntax

[no] compatible rfc1583

Default

Disabled. Summary route costs are calculated based on RFC 2328.

Mode

OSPFv2

default-information originate
Description

Create a default route into the OSPF domain.

Syntax

[no] default-information originate
[always]
[metric num]
[metric-type {1 | 2}]
[route-map name]

Parameter

Description

always

Configures the AX device to automatically declare itself a default gateway for other OSPF routers, even if the AX device does not have a default route to 0.0.0.0/0.

metric num

Metric for the default route, 0-16777214.

metric-type {1 | 2}

External link type associated with the default route advertised into the OSPF routing domain:
1: Type 1 external route
2: Type 2 external route

route-map map-name

Name of a route map. (To configure a route map, see route-map on page 255.)

Default

This option is disabled by default. If you enable it, the default metric is 10.
The default metric type is 2.

Mode

OSPF

Example

The following command creates a default route into the OSPF domain with
a metric of 20:

AX(config-router)#default-information originate metric 20

distance
Description

Set the administrative distance for OSPF routes, based on route type.

Syntax

[no] distance
{
num |
ospf {external | inter-area | intra-area} num
}
Parameter

Description

num

Sets the administrative distance for all route types. You can specify 1-255.

ospf {external | inter-area | intra-area} num

Sets the administrative distance for specific route types:
external: Routes that OSPF learns from other routing domains by redistribution.
intra-area: Routes within the same OSPF area.
inter-area: Routes between OSPF areas.
You can use the ospf option with one or more of its suboptions. For each route type, you can specify 1-255.

Default

For all route types, the default administrative distance is 110.

Mode

OSPFv2

Usage

The administrative distance specifies the trustworthiness of routes. A low administrative distance value indicates a high level of trust. Likewise, a high administrative distance value indicates a low level of trust. For example, setting the administrative distance value for external routes to 255 means those routes are very untrustworthy and should not be used.

distribute-list
Description

Filter the networks received or sent in route updates.

Syntax

[no] distribute-list acl-id
{
in |
out {connected | floating-ip | ip-nat |
ip-nat-list | ospf | rip | static | vip}
}

Parameter

Description

acl-id

ID of an ACL. Only the networks permitted by the ACL will be allowed.

in

Uses the specified ACL to filter routes received by OSPF from other sources. The filter applies to routes from all sources.

out route-type

Uses the specified ACL to filter routes advertised by OSPF to other routing domains. The route-type can be one of the following:
connected: Filters advertisement of directly connected networks.
floating-ip: Filters advertisement of networks for HA floating IP addresses.
ip-nat: Filters advertisement of networks that are translated NAT addresses allocated from a pool.
ip-nat-list: Filters advertisement of networks that are translated NAT addresses allocated from a range list.
ospf [process-id]: Filters advertisement of networks to another OSPF process.
rip: Filters advertisement of networks to RIP.
static [only-flagged | only-not-flagged]: Filters advertisement of networks reached by static routes.
vip [only-flagged | only-not-flagged]: Filters advertisement of networks to reach VIPs.
By default, the option applies to all VIPs. To restrict the option to a subset of VIPs, use one of the following options:
only-flagged: Redistributes only the VIPs on which the redistribution-flagged command is used.
only-not-flagged: Redistributes all VIPs except those on which the redistribution-flagged command is used.

Note: The bgp, isis, and kernel options are not applicable to the current release and are not supported.

Default

None

Mode

OSPFv2

host ipaddr area


Description

Configure a stub host entry for an area.

Syntax

[no] host ipaddr area area-id [cost num]

Parameter

Description

ipaddr

IP address of the host.

area area-id

OSPF area where the host is located.

cost num

Cost of the stub host entry, 0-65535.

Default

None

Mode

OSPFv2

Usage

Routes to the host are listed in router LSAs as stub links.

neighbor
Description

Configure an OSPF neighbor that is located on a non-broadcast network.

Syntax

[no] neighbor ipaddr
[
cost num |
poll-interval seconds [priority num] |
priority num [poll-interval seconds]
]

Parameter

Description

ipaddr

IP address of the OSPF neighbor.

cost num

Specifies the link-state metric to the neighbor, 1-65535.

poll-interval seconds

Number of seconds this OSPF router will wait for a reply to a hello message sent to the neighbor, before declaring the neighbor to be offline. You can specify 1-65535 seconds.

priority num

Router priority of the neighbor, 1-255.

Default

No neighbors on non-broadcast networks are configured by default. When you configure one, the other parameters have the following default settings:
cost: not set
poll-interval: 120 seconds
priority: 0

Mode

OSPFv2

Usage

This command is required only for neighbors on non-broadcast networks. Adjacencies to neighbors on other types of networks are automatically established by the OSPF protocol.
It is recommended to set the poll-interval to a much higher value than the hello interval.

network
Description

Enable OSPF routing for an area, on interfaces that have IP addresses in the
specified area subnet.

Syntax

[no] network
ipaddr {/mask-length | wildcard-mask}
area area-id
[instance-id num]

Parameter

Description

ipaddr {/mask-length | wildcard-mask}

Subnet of the area. You can specify the subnet in CIDR format (ipaddr/mask-length) or as ipaddr wildcard-mask. In a wildcard-mask, 0s represent the network portion and 1s represent the host portion. For example, for a subnet that has 254 hosts and a 24-bit network mask, the wildcard-mask is 0.0.0.255.

area area-id

Area ID.

instance-id num

Range of OSPF instances for which to enable OSPF routing for the area, 0-255. If you omit this option, OSPF routing is enabled for all OSPF instances that are running on interfaces that have IP addresses in the specified area subnet.

Default

None

Mode

OSPFv2

Example

The following command configures an OSPF network:

AX(config-router)#network 10.10.20.20/24 area 10.10.20.30
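
Because a network statement enables OSPF on every interface whose address falls in the subnet, it is worth checking a statement against the interface inventory before applying it. The following added example (not part of the A10 reference) parses both address forms described above and lists the matching interfaces; the function names are hypothetical and the interface inventory is constructed sample data.

```python
import ipaddress

# Constructed sample inventory: interface name -> IPv4 address (not from the page).
SAMPLE_INTERFACES = {
    "ethernet 1": "10.10.20.1",
    "ve 3": "10.10.21.5",
    "management": "192.168.1.10",
}


def parse_network_statement(stmt):
    """Parse 'network ipaddr {/mask-length | wildcard-mask} area area-id'.

    Returns (IPv4Network, area_id). Host bits in ipaddr are ignored, as in the
    page's own example 'network 10.10.20.20/24 area 10.10.20.30'.
    """
    tokens = stmt.split()
    if len(tokens) < 4 or tokens[0] != "network" or "area" not in tokens:
        raise ValueError("expected: network ipaddr {/mask-length | wildcard-mask} area area-id")
    area_idx = tokens.index("area")
    if area_idx + 1 >= len(tokens):
        raise ValueError("missing area-id")
    addr_part = tokens[1:area_idx]
    area_id = tokens[area_idx + 1]

    # Tolerate a space before the mask length ('ipaddr /24').
    if len(addr_part) == 2 and addr_part[1].startswith("/"):
        addr_part = [addr_part[0] + addr_part[1]]

    if len(addr_part) == 1 and "/" in addr_part[0]:
        network = ipaddress.IPv4Network(addr_part[0], strict=False)
    elif len(addr_part) == 2:
        addr, wildcard = addr_part
        wc = int(ipaddress.IPv4Address(wildcard))
        # In a wildcard-mask the 1s (host portion) must be contiguous low bits,
        # so wc + 1 is a power of two and shares no bits with wc.
        if wc & (wc + 1):
            raise ValueError(f"non-contiguous wildcard-mask: {wildcard}")
        prefix_len = 32 - wc.bit_length()
        network = ipaddress.IPv4Network(f"{addr}/{prefix_len}", strict=False)
    else:
        raise ValueError("unrecognised address form")
    return network, area_id


def ospf_enabled_interfaces(stmt, interfaces):
    """Names of interfaces whose address lies in the statement's subnet."""
    network, _area = parse_network_statement(stmt)
    return sorted(
        name for name, ip in interfaces.items()
        if ipaddress.IPv4Address(ip) in network
    )


def unintended_interfaces(stmt, interfaces, intended):
    """Interfaces the statement would enable OSPF on that are not in 'intended'.

    A non-empty result means the subnet is broader than planned: narrow the
    statement, or make those interfaces passive with passive-interface.
    """
    return [n for n in ospf_enabled_interfaces(stmt, interfaces) if n not in intended]


if __name__ == "__main__":
    for stmt in ("network 10.10.20.20/24 area 10.10.20.30",
                 "network 10.10.20.0 0.0.1.255 area 0"):
        print(stmt, "->", ospf_enabled_interfaces(stmt, SAMPLE_INTERFACES))
```
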

ospf abr-type
Description

Specify the Area Border Router (ABR) type.

Syntax

[no] ospf abr-type
{cisco | ibm | shortcut | standard}

Parameter

Description

cisco

Alternative ABR using Cisco implementation (RFC 3509).

ibm

Alternative ABR using IBM implementation (RFC 3509).

shortcut

Shortcut ABR (draft-ietf-ospf-shortcut-abr-02.txt).

standard

Standard ABR behavior (RFC 2328)

Default

cisco

Mode

OSPFv2

overflow database
Description

Specify the maximum number of LSAs or the maximum size of the external database.

Syntax

[no] overflow database
{
max-lsa [hard | soft] |
external max-lsa recover-time
}

Parameter

Description

max-lsa [hard | soft]

Specifies the maximum number of LSAs per OSPF instance, 0-4294967294. The hard | soft option specifies the action to take if the LSA limit is exceeded:
hard: Shut down the OSPF process for the instance.
soft: Issue a warning message without shutting down the OSPF process for the instance.

external max-lsa recover-time

Specifies the maximum number of AS-external-LSAs the OSPF router can receive, 0-2147483647. The recover-time option specifies the number of seconds OSPF waits before attempting to recover after max-lsa is exceeded. You can specify 0-65535 seconds. To disable recovery, specify 0.

Default

The default max-lsa is 2147483647.

Mode

OSPFv2

summary-address
Description

Summarize or disable advertisement of external routes for a specific IP address range. A summary-address helps reduce the size of the OSPF link-state database.

Syntax

[no] summary-address ipaddr/mask
{not-advertise | tag num}

Parameter

Description

ipaddr/mask

Specifies the address range.

not-advertise

Disables advertisement of routes for the specified range.

tag num

Includes the specified tag value in external LSAs for IP addresses within the specified range. The tag value can be 0-4294967295. The default tag value is 0.

Default

None

Mode

OSPFv2

Configuration Commands Applicable to OSPFv3 Only


All the global OSPF commands that are applicable to OSPFv3 are also
applicable to OSPFv2. (See Configuration Commands Applicable to
OSPFv2 or OSPFv3 on page 254.)

Config Commands: Router RIP


This chapter describes the commands for configuring global RIP parameters.
To access this configuration level, enter the router rip command at the
global Config level.
In addition to global parameters, RIP has parameters on the individual interface level. To configure RIP on an interface, use the interface command to
access the configuration for the interface, then use the ip rip command.
(See ip rip on page 197.)
To display RIP settings, use show ip rip commands. (See show ip rip on
page 621.)
clear See clear on page 49.
debug See debug on page 52.
do See do on page 103.
end See end on page 107.
exit See exit on page 107.
no See no on page 135.
show See Show Commands on page 535.
write See write terminal on page 67.

Note: If the system clock is adjusted while OSPF or RIP is enabled, the routing protocols may stop working properly. To work around this issue, disable OSPF and RIP before adjusting the system clock.

network
Description

Configure a RIP network.

Syntax

[no] network ipaddr {subnet-mask | /mask-length}

Default

None

Mode

RIP

Example

The following command configures RIP network 10.10.10.0 /8:

AX(config-router-rip)#network 10.10.10.10 /8

passive-interface
Description

Disable route advertisements from being sent on an interface.

Syntax

[no] passive-interface
{ethernet port-num | ve vlan-id}

Default

Route advertisements are enabled. (No interfaces are passive.)

Mode

RIP

Example

The following command disables RIP route advertisements from being sent
out VE 4:

AX(config-router-rip)#passive-interface ve 4

redistribute
Description

Enable distribution of RIP routes into other route types.

Syntax

[no] redistribute {connected | ospf | static}

Default

Disabled. By default, RIP routes are not redistributed.

Mode

RIP

Example

The following command enables redistribution of RIP routes into OSPF:

AX(config-router-rip)#redistribute ospf

Config Commands: Server Load Balancing


The commands in this chapter configure SLB parameters. In some cases,
the commands create an SLB configuration item and change the CLI to the
configuration level for that item.
This CLI level also has the following commands, which are available at all
configuration levels:
clear See clear on page 49.
debug See debug on page 52.
do See do on page 103.
end See end on page 107.
exit See exit on page 107.
no See no on page 135.
show See Show Commands on page 535.
write See write terminal on page 67.

slb buff-thresh
Description

Fine-tune thresholds for SLB buffer queues.

Caution: Do not use this command except under advisement by A10 Networks.

Syntax

[no] slb buff-thresh hw-buff num
relieve-thresh num sys-buff-low num
sys-buff-high num

Parameter

Description

hw-buff num

IO buffer threshold. For each CPU, if the number of queued entries in the IO buffer reaches this threshold, fast aging is enabled and no more IO buffer entries are allowed to be queued on the CPU's IO buffer.

relieve-thresh num

Threshold at which fast aging is disabled, to allow IO buffer entries to be queued again.

sys-buff-low num

Threshold of queued system buffer entries at which the AX begins refusing new incoming connections.

sys-buff-high num

Threshold of queued system buffer entries at which the AX device drops a connection whenever a packet is received for that connection.

Mode

Global Config

slb compress-block-size
Description

Change the default compression block size used for SLB.

Syntax

[no] compress-block-size bytes

Parameter
bytes

Description
Default compression block size, 6000-32000
bytes.

Default

16000

Mode

Global config

slb conn-rate-limit
Description

Configure source-IP based connection rate limiting.

Syntax

[no] slb conn-rate-limit src-ip {tcp | udp}
conn-limit per {100 | 1000}
[shared]
[exceed-action [log] [lock-out lockout-period]]

Parameter

Description

tcp | udp

Specifies the Layer 4 protocol for which the filter applies.

conn-limit

Specifies the connection limit. The connection limit is the maximum number of connection requests allowed from a client, within the limit period. You can specify 1-1000000.

per {100 | 1000}

Specifies the limit period. The limit period is the interval to which the connection limit is applied. A client is conforming to the rate limit if the number of new connection requests within the limit period does not exceed the connection limit. You can specify 100 milliseconds or 1000 milliseconds.

shared

Specifies that the connection limit applies in aggregate to all virtual ports. If you omit this option, the limit applies separately to each virtual port.

exceed-action [log] [lock-out lockout-period]

Enables optional exceed actions:
log: Enables logging. Logging generates a log message when a client exceeds the connection limit.
lock-out lockout-period: Locks out the client for a specified number of seconds. During the lockout period, all connection requests from the client are dropped. The lockout period can be 1-3600 seconds (1 hour). There is no default.

Note: All connection requests in excess of the connection limit that are received from a client within the limit period are dropped. This action is enabled by default when you enable the feature, and cannot be disabled.

Default

Not set

Mode

Global Config

Usage

For more information, including deployment considerations, see the


Source-IP Based Connection Rate Limiting section in the Traffic Security Features chapter of the AX Series Configuration Guide.

Example

The following command allows up to 1000 connection requests per one-second interval from any individual client. If a client sends more than 1000
requests within a given limit period, the client is locked out for 3 seconds.
The limit applies separately to each individual virtual port. Logging is not
enabled.

AX(config)#slb conn-rate-limit src-ip 1000 per 1000 exceed-action lock-out 3

Example

The following command allows up to 2000 connection requests per 100-millisecond interval. The limit applies to all virtual ports together. Logging
is enabled but lockout is not enabled.

AX(config)#slb conn-rate-limit src-ip 2000 per 100 shared exceed-action log

Example

The following command allows up to 2000 connection requests per 100-millisecond interval. The limit applies to all virtual ports together. Logging
is enabled and lockout is enabled. If a client sends a total of more than 2000
requests within a given limit period, to one or more virtual ports, the client
is locked out for 3 seconds.

AX(config)#slb conn-rate-limit src-ip 2000 per 100 shared exceed-action log lock-out 3
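
The following Python model is an added example, not A10 code or part of the original reference. It replays a constructed trace through the conn-limit, limit period, shared, log and lock-out behavior described above, so you can see how the shared option changes which requests are dropped. Assumptions: limit periods are fixed windows aligned to multiples of the period, and a lock-out applies to the client on all virtual ports; the class, function and trace names are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class ConnRateLimiter:
    """Model of the source-IP connection rate limit described in this section."""
    conn_limit: int            # conn-limit: requests allowed per limit period
    period_ms: int             # per {100 | 1000}
    shared: bool = False       # shared: one counter per client for all virtual ports
    log: bool = False          # exceed-action log
    lockout_s: int = 0         # exceed-action lock-out seconds; 0 = not configured
    log_messages: list = field(default_factory=list)
    _counters: dict = field(default_factory=dict)       # key -> (window, count)
    _locked_until: dict = field(default_factory=dict)   # client -> time in ms

    def __post_init__(self):
        # Ranges taken from the parameter descriptions above.
        if not 1 <= self.conn_limit <= 1_000_000:
            raise ValueError("conn-limit must be 1-1000000")
        if self.period_ms not in (100, 1000):
            raise ValueError("limit period must be 100 or 1000 milliseconds")
        if self.lockout_s and not 1 <= self.lockout_s <= 3600:
            raise ValueError("lockout-period must be 1-3600 seconds")

    def request(self, now_ms, client, vport):
        """Classify one new connection request."""
        # During a lock-out, every request from the client is dropped.
        if now_ms < self._locked_until.get(client, 0):
            return "drop-lockout"
        # shared: count per client; otherwise count per client and virtual port.
        key = client if self.shared else (client, vport)
        window = now_ms // self.period_ms   # assumption: fixed, aligned windows
        prev_window, count = self._counters.get(key, (window, 0))
        if prev_window != window:
            count = 0                       # a new limit period has started
        count += 1
        self._counters[key] = (window, count)
        if count <= self.conn_limit:
            return "accept"
        if count == self.conn_limit + 1:    # first excess request in this period
            if self.log:
                self.log_messages.append((now_ms, client))
            if self.lockout_s:
                self._locked_until[client] = now_ms + self.lockout_s * 1000
        return "drop-rate"                  # excess requests are always dropped


# Constructed trace (time in ms, client IP, virtual port); not captured traffic.
TRACE = [
    (0, "192.0.2.10", 80), (10, "192.0.2.10", 443),
    (20, "192.0.2.10", 80), (30, "192.0.2.10", 443),
    (40, "198.51.100.7", 80),
    (500, "192.0.2.10", 80),
    (3030, "192.0.2.10", 80),
]


def replay(limiter, trace):
    """Return the verdict for every request in the trace, in order."""
    return [limiter.request(t, client, vport) for t, client, vport in trace]


if __name__ == "__main__":
    for shared in (False, True):
        limiter = ConnRateLimiter(conn_limit=3, period_ms=100, shared=shared,
                                  log=True, lockout_s=3)
        print("shared" if shared else "per-port", replay(limiter, TRACE),
              limiter.log_messages)
```

With a limit of 3 per 100 milliseconds, the client that spreads four requests over two virtual ports stays under the per-port limit but exceeds the shared limit, and is then locked out for 3 seconds.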

slb dns-cache-age
Description

Configure the amount of time the AX device locally caches DNS replies.

Syntax

[no] slb dns-cache-age seconds

Parameter    Description

seconds
    Number of seconds the AX device caches DNS replies. You can specify 1-1000000 seconds.

Default

300

Mode

Global Config

Usage

A DNS reply begins aging as soon as it is cached and continues aging even
if the cached reply is used after aging starts. Use of a cached reply does not
reset the age of that reply.
DNS cache aging is applicable only when DNS caching is enabled. (See
slb dns-cache-enable on page 284.)

slb dns-cache-enable
Description

Enable local caching of replies to DNS queries.

Syntax

[no] slb dns-cache-enable

Default

Disabled

Mode

Global Config

Usage

When DNS caching is enabled, the AX device sends the first request for a
given name (hostname, fully-qualified domain name, URL, and so on) to
the DNS server. The AX device caches the reply from the DNS server, and
sends the cached reply in response to the next request for the same name.
The AX device continues to use the cached DNS reply until the reply times
out. After the reply times out, the AX device sends the next request for the
URL to the DNS server, and caches the reply, and so on.
DNS caching applies only to DNS requests sent to a UDP virtual port in a
DNS SLB configuration. DNS caching is not supported for DNS requests
sent over TCP.

slb dsr-health-check-enable
Description

Enable health checking of the virtual server IP addresses instead of the real
server IP addresses in Direct Server Return (DSR) configurations.

Syntax

[no] slb dsr-health-check-enable

Default

Disabled

Mode

Global Config

Usage

This feature also requires configuration of a Layer 3 health method (ICMP),
with the transparent option enabled, and with the alias address set to the
virtual IP address. (See method on page 494.) The health monitor must be
applied to the real server ports.

Example

The following commands configure a Layer 3 health monitor for DSR
health checking, apply it to the real server ports, and enable DSR health
checking:

AX(config)#health monitor dsr-hm
AX(config-health:monitor)#method icmp transparent 10.10.10.99
AX(config-health:monitor)#exit
AX(config)#slb dsr-health-check-enable

slb enable-l7-req-acct
Description

Globally enable Layer 7 request accounting.

Syntax

[no] slb enable-l7-req-acct

Default

Disabled

Mode

Global Config

Usage

If you use the least-request load-balancing method in a service group, Layer 7 request accounting is automatically enabled for the service group's members, and for the virtual service ports that are bound to the service group's members.
To display Layer 7 request statistics, use the show slb service-group group-name command. See show slb server on page 682, show slb service-group on page 688, and show slb virtual-server on page 707.

slb fast-path-disable
Description

Enable fast-path packet inspection.

Syntax

[no] slb fast-path-disable

Default

Fast processing of packets is enabled by default. (Deep inspection of every packet field is enabled.)

Mode

Global Config

Usage

Fast processing of packets maximizes performance by using all the underlying hardware assist facilities. Typically, the feature should remain enabled.
The option to disable it is provided only for troubleshooting, in case it is
suspected that the fast processing logic is causing an issue. If you disable
fast-path processing, ACOS does not perform a deep inspection of every
field within a packet.

slb graceful-shutdown
Description

Allow currently active sessions time to terminate normally before shutting down a service when you delete or disable the real or virtual server or port providing the service.

Syntax

[no] slb graceful-shutdown grace-period
[server | virtual-server] [after-disable]

Parameter    Description

grace-period
    Number of seconds existing connections on a disabled or deleted server or port are allowed to remain up before being terminated. You can specify 1-65535 seconds.

server
    Limits the graceful shutdown to real servers only.

virtual-server
    Limits the graceful shutdown to virtual servers only.

after-disable
    Applies graceful shutdown to disabled servers and service ports, as well as deleted servers. Without this option, graceful shutdown applies only to deleted servers.

Default

Disabled. When you delete a real or virtual service port, the AX device
places all the port's sessions in the delete queue, and stops accepting new
sessions on the port.

Mode

Global Config

Usage

When graceful shutdown is enabled, the AX device stops accepting new
sessions on a disabled or deleted port, but waits for the specified grace
period before moving active sessions to the delete queue.

Example

The following command enables graceful shutdown and sets the grace
period to one hour:

AX(config)#slb graceful-shutdown 3600

slb hw-compression
Description

Enable hardware-based compression.

Syntax

[no] slb hw-compression

Default

Disabled.

Mode

Global Config

Usage

Hardware-based compression is available using an optional hardware module in the following models: AX 2100, AX 2200, AX 3100, AX 3200, and
AX 5200. If this command does not appear on your AX device, the device
does not contain a compression module.
Installation of the compression module into AX devices in the field is not
supported. Contact A10 Networks for information on obtaining an AX
device that includes the module.

Note: When you enable hardware-based compression, all compression settings configured in HTTP templates, except the compression level, are used. Hardware-based compression always uses the same compression level, regardless of the compression level configured in an HTTP template.

Example

The following command enables hardware-based compression:

AX(config)#slb hw-compression

slb l2l3-trunk-lb-disable
Description

Disable or re-enable trunk load balancing.

Syntax

[no] slb l2l3-trunk-lb-disable

Default

Enabled.

Mode

Global Config

Usage

When trunk load balancing is enabled, the AX device load balances outbound Layer 2/3 traffic among all the ports in a trunk. The round-robin
method is used to load balance the traffic. For example, in a trunk containing ports 1-4, the first Layer 2/3 packet is sent on port 1. The second packet
is sent on port 2. The third packet is sent on port 3, and so on.
If you disable trunk load balancing, the lead port is always used for outbound traffic. The other ports are standby ports in case the lead port goes down.
Trunk load balancing applies only to Layer 2/3 traffic, and is enabled by default. However, the CLI provides a command to disable trunk load balancing, in case there is a need to do so. Disabling trunk load balancing causes the AX device to use only the lead port for outbound traffic.

Note: Trunk load balancing does not apply to Layer 4-7 traffic.

slb msl-time
Description

Configure the maximum session life for client sessions. The maximum session life controls how long the AX device maintains a session table entry for a client-server session after the session ends.

Syntax

[slb] msl-time seconds

Parameter    Description

seconds
    Number of seconds a client session can remain in the session table following completion of the session. You can specify 1-40 seconds.
Default

2 seconds

Mode

Global Config

Usage

The maximum session life allows time for retransmissions from clients or
servers, which can occur if there is an error in a transmission. If a retransmission occurs while the AX device still has a session entry for the session,
the AX device is able to forward the retransmission. However, if the session
table entry has already aged out, the AX device drops the retransmission
instead.
The maximum session life begins aging out a session table entry when the
session ends:

TCP - The session ends when the AX device receives a TCP FIN from the client or server.
UDP - The session ends after the AX device receives a server response to the client's request. If the reply is fragmented, the maximum session life begins only after the last fragment is received.

Note: For UDP sessions, the maximum session life is used only if UDP aging is set to short, instead of immediate. UDP aging is set in the UDP template bound to the UDP virtual port. The default setting is short.

slb mss-table
Description

Configure the TCP Maximum Segment Size (MSS) allowed for client traffic.

Syntax

[no] slb mss-table num

Parameter    Description

num
    Minimum MSS allowed in traffic from clients. You can specify 128-750.

Default

538

Mode

Global Config

Usage

Clients who can only transmit TCP segments that are smaller than the MSS
are unable to reach servers.
This command globally changes the MSS. You also can change the MSS in
individual TCP-proxy templates. (See slb template tcp-proxy on
page 368.)

slb new-path-enable
Description

Enable new-path processing for Large-Scale NAT (LSN).

Caution: In the current release, new-path processing is required for LSN and applies only to LSN. The option does not apply to any other features.

Syntax

[no] slb new-path-enable

Default

Disabled

Mode

Global Config

slb rate-limit-logging
Description

Configure rate limiting settings for system logging.

Syntax

slb rate-limit-logging
[max-local-rate msgs-per-second]
[max-remote-rate msgs-per-second]
[exclude-destination {local | remote}]

Parameter    Description

max-local-rate msgs-per-second
    Specifies the maximum number of messages per second that can be sent to the local log buffer. You can specify 1-100.

max-remote-rate msgs-per-second
    Specifies the maximum number of messages per second that can be sent to remote log servers. You can specify 1-100000.

exclude-destination {local | remote}
    Excludes logging to the specified destination, local or remote.

Default

Log rate limiting is enabled by default and can not be disabled. The configurable settings have the following default values:

max-local-rate - 32 messages per second
max-remote-rate - 15000 messages per second
exclude-destination - Logging to both destinations is enabled.

Mode

Global Config

Usage

The log rate limiting mechanism works as follows:

If the number of new messages within a one-second interval exceeds the internal maximum (32 by default), then during the next one-second interval, the AX sends log messages only to the external log servers.
If the number of new messages generated within the new one-second interval is the internal maximum or less, then during the following one-second interval, the AX will again send messages to the local logging buffer as well as the external log server.
In any case, all messages (up to the external maximum) are sent to the external log servers.


Example

The following command increases the maximum number of external messages per second:

AX(config)#slb rate-limit-logging max-remote-rate 30000
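
The following Python model is an added example, not A10 code or part of the original reference. It applies the mechanism described under Usage to a constructed series of per-second message counts and reports which one-second intervals leave gaps in the local log buffer, which matters when the local buffer is used as evidence after a burst of events. Assumption: in an interval where local logging is active, the local buffer receives at most max-local-rate messages; the function names are hypothetical.

```python
def simulate_log_rate_limit(generated, max_local=32, max_remote=15000, exclude=None):
    """Return (local, remote) delivered message counts for each one-second interval.

    generated: messages produced in each consecutive one-second interval.
    Defaults are the default values listed in this section.
    """
    if not 1 <= max_local <= 100:
        raise ValueError("max-local-rate must be 1-100")
    if not 1 <= max_remote <= 100000:
        raise ValueError("max-remote-rate must be 1-100000")
    if exclude not in (None, "local", "remote"):
        raise ValueError("exclude-destination must be local or remote")

    delivered = []
    local_paused = False   # set when the previous interval exceeded max_local
    for count in generated:
        # All messages, up to the external maximum, go to the remote servers.
        remote = 0 if exclude == "remote" else min(count, max_remote)
        if exclude == "local" or local_paused:
            local = 0
        else:
            local = min(count, max_local)   # assumption: capped at max-local-rate
        delivered.append((local, remote))
        # The decision for the NEXT interval depends on this interval's volume.
        local_paused = count > max_local
    return delivered


def local_gap_intervals(generated, **settings):
    """Indexes of intervals where some generated messages never reach the local buffer."""
    delivered = simulate_log_rate_limit(generated, **settings)
    return [i for i, (count, (local, _)) in enumerate(zip(generated, delivered))
            if local < count]


# Constructed per-second message counts: a small burst, then a large one.
GENERATED = [10, 50, 20, 5, 40000, 3]

if __name__ == "__main__":
    print(simulate_log_rate_limit(GENERATED))
    print(local_gap_intervals(GENERATED))
    print(simulate_log_rate_limit(GENERATED, max_remote=30000))
```

Note that the interval after a burst is logged only remotely even if it is quiet, so the remote log server is the more complete record.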

slb server
Description

Configure a real server. Use the first command shown below to create or
delete a server. Use the second command to edit a server.

Syntax

[no] slb server server-name {ipaddr | hostname}

Parameter    Description

server-name
    Server name, 1-31 characters.

hostname
    Fully-qualified hostname, for dynamic real server creation.

ipaddr
    IP address of the server in either IPv4 or IPv6 format. The address is required only if you are creating a new server.

Default

N/A

Mode

Global Config

Usage

The normal form of this command creates a new or edits an existing real
server. The CLI changes to the configuration level for the server. See Config Commands: SLB Servers on page 379.
The IP address of the server can be in either IPv4 or IPv6 format. The
AX Series supports both address formats.
The no form of this command removes an existing real server.
The maximum number of real servers is configurable. See system
resource-usage on page 165.

Example

The following example creates a new real server with an IPv4 address:

AX(config)#slb server rs1 10.10.10.99
AX(config-real server)#

Example

The following example creates a new real server with an IPv6 address:

AX(config)#slb server rs2 2020:3e8::3
AX(config-real server)#

Example

The following commands configure a hostname server for dynamic server creation using DNS, add a port to it, and bind the server template to it:

AX(config)#slb server s-test1 s1.test.com
AX(config-real server)#template server temp-server
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#exit
AX(config-real server)#exit

slb service-group
Description

Configure an SLB service group.

Syntax

[no] slb service-group group-name {tcp | udp}

Parameter    Description

group-name
    Name of the group, 1-31 characters.

tcp | udp
    Application type of the group.

Default

There are no service groups configured by default.

Mode

Global Config

Usage

The normal form of this command creates a new or edits an existing service
group. The CLI changes to the configuration level for the service group. See
Config Commands: SLB Service Groups on page 391.

Example

The following example adds TCP service group my-service-group:

AX(config)#slb service-group my-service-group tcp
AX(config-slb service group)#

slb snat-gwy-for-l3
Description

Use an IP pool's default gateway to forward traffic from a real server.

Syntax

[no] slb snat-gwy-for-l3

Default

Disabled

Mode

Global Config

Usage

When this feature is enabled, ACOS checks the server IP subnet against the
IP NAT pool subnet. If they are on the same subnet, then ACOS uses the
gateway as defined in the IP NAT pool for Layer 2 / Layer 3 forwarding.
This feature is useful if the server does not have its own upstream router and
ACOS can leverage the same upstream router for Layer 2 / Layer 3.

slb snat-on-vip
Description

Globally enable IP NAT support for VIPs.

Syntax

[no] slb snat-on-vip

Default

Disabled

Mode

Global Config

Usage

Source IP NAT can be configured on a virtual port in the following ways:

1. ACL-SNAT Binding at the virtual port level
2. VIP source NAT at the global configuration level
3. aFleX policy bound to the virtual port
4. Source NAT Pool at the virtual port level

These methods are used in the order shown above. For example, if IP source NAT is configured using an ACL on the virtual port, and VIP source NAT is also enabled globally, then a pool assigned by the ACL is used for traffic that is permitted by the ACL. For traffic that is not permitted by the ACL, the globally configured VIP source NAT can be used instead.

Note: The current release does not support source IP NAT on FTP or RTSP virtual ports.

slb ssl-create certificate
Description

Create a self-signed certificate for use with SLB.

Syntax

slb ssl-create certificate certificate-name

Parameter    Description

certificate-name
    Name of the certificate, 1-31 characters.

This command displays a series of prompts for the following information:

Key length, which can be 512, 1024, or 2048 bits
Common name, 1-64 characters
Division, 0-31 characters
Organization, 0-63 characters
Locality, 0-31 characters
State or Province, 0-31 characters
Country, 2 characters
Email address, 0-64 characters
Number of days the certificate is valid, 30-3650 days

The key length, common name, and number of days the certificate is valid are required. The other information is optional.
The certificate is created when you press enter after answering the last prompt.

Default

The default key length is 1024 bits. The default number of days the certificate is valid is 730.

Mode

Global Config

Usage

To use the certificate, add it to a client-SSL or server-SSL template. (See slb template client-ssl on page 310 or slb template server-ssl on page 355.)
If you need to create a wildcard certificate, use an asterisk as the first part of the common name. For example, to create a wildcard certificate for domain example.com and its sub-domains, enter the following common name:
*.example.com

Example

The following commands create a self-signed certificate named "slbcert1" and verify the configuration:

AX(config)#slb ssl-create certificate slbcert1
input key bits(512,1024,2048) default 1024:<Enter>
input Common Name, 1~64:slbcert1
input Division, 0~31:Div1
input Organization, 0~63:Org2
input Locality, 0~31:WestCoast
input State or Province, 0~31:CA
input Country, 2 characters:US
input email address, 0~64:axadmin@example.com
input valid days, 30~3650, default 730:<Enter>
AX(config)#show slb ssl cert
name: slbcert1
type: certificate/key
Common Name: slbcert1
Organization: Org2
Expiration: Apr 10 00:34:34 2010 GMT
Issuer: Self
key size: 1024
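
The following Python script is an added example, not A10 code or part of the original reference. It parses show slb ssl cert output in the format shown above and flags certificates that are self-signed, use a wildcard common name, have a key below a chosen size, or are close to expiry. Assumptions: when several certificates are listed, each record starts with a name: line; the 2048-bit minimum and 30-day warning window are local policy choices, not device settings; the second sample record and all function names are constructed for illustration.

```python
from datetime import datetime

MIN_KEY_BITS = 2048     # assumption: local policy; the device accepts 512, 1024, 2048
EXPIRY_WARN_DAYS = 30   # assumption: local policy

# First record is the output shown above; the second record is constructed.
SAMPLE_OUTPUT = """\
AX(config)#show slb ssl cert
name: slbcert1
type: certificate/key
Common Name: slbcert1
Organization: Org2
Expiration: Apr 10 00:34:34 2010 GMT
Issuer: Self
key size: 1024
name: constructed-cert2
type: certificate/key
Common Name: *.example.com
Organization: Org2
Expiration: Jun 01 12:00:00 2012 GMT
Issuer: Example CA
key size: 2048
"""


def parse_show_ssl_cert(text):
    """Split the output into one dict per certificate, keyed by lower-case field name."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split at the first colon only
        if not sep:
            continue                            # prompt lines and blank lines
        key, value = key.strip().lower(), value.strip()
        if key == "name":                       # assumption: starts a new record
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def audit(records, now, min_bits=MIN_KEY_BITS, warn_days=EXPIRY_WARN_DAYS):
    """Return (certificate name, finding) tuples for every policy violation."""
    findings = []
    for rec in records:
        name = rec.get("name", "?")
        if int(rec.get("key size", "0")) < min_bits:
            findings.append((name, "weak-key"))
        if rec.get("issuer", "").lower() == "self":
            findings.append((name, "self-signed"))
        if rec.get("common name", "").startswith("*."):
            findings.append((name, "wildcard"))
        expiry = rec.get("expiration")
        if expiry:
            not_after = datetime.strptime(expiry, "%b %d %H:%M:%S %Y GMT")
            if not_after < now:
                findings.append((name, "expired"))
            elif (not_after - now).days < warn_days:
                findings.append((name, "expiring"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_show_ssl_cert(SAMPLE_OUTPUT), datetime(2010, 3, 20)):
        print(f"{name}: {finding}")
```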

slb ssl-create csr
Description

Create a Certificate Signing Request (CSR), to use for requesting a signed certificate from an external Certificate Authority (CA).

Syntax

slb ssl-create csr csr-name url

Parameter    Description

csr-name
    Name of the CSR, 1-31 characters.

url
    File transfer protocol, username (if required), and directory path, for exporting the CSR request. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
    tftp://host/file
    ftp://[user@]host[:port]/file
    scp://[user@]host/file
    rcp://[user@]host/file

This command displays a series of prompts for the following information:

IP address of the server to which to export the CSR
Username for write access to the server
Password for write access to the server
Path and filename
Key length, which can be 512, 1024, or 2048 bits
Common name, 1-64 characters
Division, 0-31 characters
Organization, 0-63 characters
Locality, 0-31 characters
State or Province, 0-31 characters
Country, 2 characters
Email address, 0-64 characters
Passphrase to use for the key, 0-31 characters

The CSR is created when you press enter after answering the last prompt. The key for the certificate is also created.

Default

The default key length is 1024 bits. The default number of days the certificate will be valid is 730.

Mode

Global Config

Usage

After the CSR is generated and exported by this command, send the CSR to
the CA. After you receive the signed certificate from the CA, use the import
command to import the CA onto the AX device. (See import on page 59.)
The key does not need to be imported. The key is generated along with the
CSR.

If you need to create a request for a wildcard certificate, use an asterisk as the first part of the common name. For example, to request a wildcard certificate for domain example.com and its sub-domains, enter the following common name: *.example.com

Example

The following commands generate and export a CSR, then import the
signed certificate.

AX(config)#slb ssl-create csr slbcsr1 ftp:
Address or name of remote host []?192.168.1.10
User name []?axadmin
Password []?********
File name [/]?slbcsr1
input key bits(512,1024,2048) default 1024:<Enter>
input Common Name, 1~64:slbcsr1
input Division, 0~31:div1
input Organization, 0~63:org2
input Locality, 0~31:westcoast
input State or Province, 0~31:ca
input Country, 2 characters:us
input email address, 0~64:axadmin@example.com
input Pass Phrase, 0~31:csrpword
Confirm Pass Phrase:csrpword
AX(config)#import ca-signedcert1 ftp:
Address or name of remote host []?192.168.1.10
User name []?axadmin
Password []?********
File name [/]?ca-signedcert1

slb ssl-delete
Description

Delete an SSL certificate or private key from the AX Series device.

Syntax

[no] slb ssl-delete
{certificate cert-name | private-key key-string}

Default

None.

Mode

Global Config

Usage

This command does not affect the server certificate of the Web management
interface. The command applies only to certificates that have been imported
for use with SSL offload.

Example

The following commands delete SSL certificate testcert.crt and its key:

AX(config)#slb ssl-delete certificate testcert.crt
AX(config)#slb ssl-delete private-key testcertkey.pem


slb ssl-load
Description

Load an SSL certificate, private key, or Certificate Revocation List (CRL) for use with SSL offload.

Note: The AX device only supports certificates that are in Privacy-Enhanced Mail (PEM) format. The maximum supported certificate size is 16KB. To convert a certificate from Windows format to PEM format, see the Importing SSL Certificates chapter in the AX Series Configuration Guide.

Syntax

[no] slb ssl-load
{certificate file-name [type {der | pem | pfx}] |
private-key file-name |
crl file-name}
[use-mgmt-port]
url

Parameter    Description

file-name
    File name of the certificate, key, or CRL. If you are importing a certificate, use the type option to specify the format of the certificate. The AX device supports PEM format only. If you specify the certificate format, the AX device can convert the certificate into PEM format.

use-mgmt-port
    Uses the management interface as the source interface for the connection to the remote device. The management route table is used to reach the device. By default, the AX device attempts to use the data route table to reach the remote device through a data interface.

url
    File transfer protocol, username (if required), and directory path. You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
    tftp://host/file
    ftp://[user@]host[:port]/file
    scp://[user@]host/file
    rcp://[user@]host/file
    http://[user@]host/file
    https://[user@]host/file

Default

None.

Mode

Global Config

Usage

This command is equivalent to the import ssl-cert and import ssl-key commands. You can use those commands or slb ssl-load to import SSL certificates and keys.

Example

The following commands load SSL certificate testcert.crt and its key:

AX(config)#slb ssl-load certificate testcert.pem scp:
Address or name of remote host []?1.1.1.2
User name []?axadmin
Password []?*********
File name [/]?testcert.pem
AX(config)#slb ssl-load certificate testcertkey.pem scp:
Address or name of remote host []?1.1.1.2
User name []?axadmin
Password []?*********
File name [/]?testcertkey.pem

Example

The following commands import a CA certificate and its key, and a CRL
file:

AX(config)#slb ssl-load certificate ca-cert.pem scp:
Address or name of remote host []?192.168.1.1
User name []?admin
Password []?*********
File name [/]?ca-cert.pem
AX(config)#slb ssl-load private-key ca-certkey.pem scp:
Address or name of remote host []?192.168.1.1
User name []?admin
Password []?*********
File name [/]?ca-certkey.pem
AX(config)#slb ssl-load certificate ca-crl.pem scp:
Address or name of remote host []?192.168.1.1
User name []?admin
Password []?*********
File name [/]?ca-crl.pem


slb template
Description

Configure an SLB template.

Syntax

[no] slb template template-type template-name

Parameter    Description

template-type
    Type of template:
    cache - Configures RAM caching of HTTP Web content.
    client-ssl - Configures offload of SSL validation of clients from real servers
    connection-reuse - Configures re-use of established connections
    http - Configures HTTP modifications to server replies to clients and configures load balancing based on HTTP information
    persist cookie - Configures session persistence by inserting persistence cookies into server replies to clients
    persist destination-ip - Configures the granularity of load balancing persistence (selection of the same server resources) for clients, based on destination IP address
    persist source-ip - Configures the granularity of load balancing persistence for clients, based on source IP address
    persist ssl-sid - Directs clients based on SSL session ID
    policy - Configures Policy-Based SLB (PBSLB) settings
    port - Configures settings for real server ports
    server - Configures settings for real servers
    server-ssl - Configures the AX device to validate real servers based on their certificates
    sip - Configures separate load balancing of Session Initiation Protocol (SIP) registration traffic and non-registration traffic
    smtp - Configures STARTTLS support for Simple Mail Transfer Protocol (SMTP) clients
    streaming-media - Configures load balancing of multimedia content
    tcp - Configures TCP connection settings
    tcp-proxy - Configures TCP/IP stack parameters
    udp - Configures UDP connection settings
    virtual-port - Configures settings for virtual server ports
    virtual-server - Configures settings for virtual servers

template-name
    Name of the template.

Default

The templates have default settings, and some template types are automatically added to a virtual port depending on its service type. For information,
see the AX Series Configuration Guide.

Mode

Global Config

Usage

The normal form of this command creates a new or edits an existing template. The CLI changes to the configuration level for the template. See
Config Commands: SLB Templates on page 305.
The no form of this command removes an existing template.
The maximum number of templates is configurable. See system resource-usage on page 165.

Example

The following command creates a TCP-proxy template named proxy1:

AX(config)#slb template tcp-proxy proxy1
AX(config-TCP proxy template)#

slb transparent-tcp-template
Description

Set the idle timeout for pass-through TCP sessions. A pass-through TCP
session is one that is not terminated by the AX device (for example, a session for which the AX device is not serving as a proxy for SLB).

Syntax

[no] slb transparent-tcp-template template-name

Parameter    Description

template-name
    Specifies the name of a TCP template. The idle timeout specified in the TCP template is used for pass-through TCP sessions.

Note: To use the default TCP template, specify the name default.

Default

The default idle timeout for pass-through TCP sessions is 30 minutes. The
default idle timeout in TCP templates is 120 seconds.

Mode

Global Config

Usage

Only the idle timeout setting in the specified TCP template is applicable to
pass-through TCP sessions. None of the other options in TCP templates
affect pass-through TCP sessions.

Example

The following command changes the idle timeout for pass-through TCP
sessions to the idle timeout set in the default TCP template:

AX(config)#slb transparent-tcp-template default

slb virtual-server
Description

Configure a virtual server.

Syntax

[no] slb virtual-server name [ipaddr]
or
[no] slb virtual-server server-name starting-ip
{subnet-mask | /mask-length}

Parameter    Description

name
    Virtual server name, 1-31 characters.

ipaddr
    IP address of the virtual server in either IPv4 or
    IPv6 format. The address is required only if you
    are creating a new virtual server.
    If you are configuring a wildcard VIP, enter one
    of the following for the IP address:
    0.0.0.0 - IPv4 wildcard VIP
    :: - IPv6 wildcard VIP
    You can use the acl acl-id option to specify the
    IP addresses to be handled as wildcard VIPs.

    (For more information, see the "Wildcard VIPs"
    chapter in the AX Series Configuration Guide.)

starting-ip {subnet-mask | /mask-length}
    Configures a contiguous set of IPv4 or IPv6
    VIPs, beginning with the starting-ip.

Default

N/A

Mode

Global Config

Usage

The normal form of this command creates a new or edits an existing virtual
server. The CLI changes to the configuration level for the virtual server. See
"Config Commands: SLB Virtual Servers" on page 401.
The no form of this command removes an existing virtual server.
The maximum number of virtual servers is configurable. See "system
resource-usage" on page 165.

Notes on VIP Ranges
- The IP addresses in the specified subnet range can not belong to an IP
  interface, real server, or other virtual server configured on the AX
  device.
- The largest supported IPv4 subnet length is /20.
- Statistics are aggregated for all VIPs in the subnet virtual server.
- The current release supports this feature only for DNS ports on the
  default DNS port number (TCP port 53 or UDP port 53).


Example

The following command configures a new virtual server named vs1:

AX(config)#slb virtual vs1 10.10.2.1


AX(config-slb virtual server)#

Example

The following command configures a set of VIPs for IP addresses 1.1.1.5-1.1.1.255:

AX(config)#slb virtual-server vs1 1.1.1.5 /24


Config Commands: SLB Templates


This chapter describes the commands and subcommands for configuring
SLB configuration templates.
To access this configuration level, enter the slb template template-type template-name command at the global Config level.
To display configured templates, use the show template command.
To apply a template to a virtual port, use the template template-type template-name command at the configuration level for the virtual port.
For more information about how to use templates, including configuration
examples, see the "Templates" chapter in the AX Series Configuration
Guide.
This CLI level also has the following commands, which are available at all
configuration levels:
clear - See "clear" on page 49.
debug - See "debug" on page 52.
do - See "do" on page 103.
end - See "end" on page 107.
exit - See "exit" on page 107.
no - See "no" on page 135.
show - See "Show Commands" on page 535.
write - See "write terminal" on page 67.

slb template cache


Description

Configure the AX device to perform transparent Web caching.

Syntax

[no] slb template cache template-name


Parameter    Description

template-name
    Name of the template, up to 31 characters long.

This command changes the CLI to the configuration level for the specified
RAM caching template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
"Config Commands: Global" on page 69.)

Command    Description

[no] accept-reload-req
    Enables support for the following Cache-Control
    headers:
    Cache-Control: no-cache
    Cache-Control: max-age=0
    When support for these headers is enabled, either
    header causes the AX device to reload the cached
    object from the origin server.

[no] age seconds
    Specifies how long a cached object can remain in
    the AX RAM cache without being requested.
    You can specify 1-999999 seconds (about 11-1/2
    days).

[no] default-policy-nocache
    Changes the default cache policy in the template
    from cache to nocache. This option gives you
    tighter control over content caching. When you
    use the default no-cache policy, the only content
    that is cached is cacheable content whose URI
    matches an explicit cache policy.

[no] disable-insert-age
    Disables insertion of Age headers into cached
    responses. Insertion of Age headers is enabled by
    default.

[no] disable-insert-via
    Disables insertion of Via headers into cached
    responses. Insertion of Via headers is enabled by
    default.

[no] max-cache-size MB
    Specifies the size of the AX RAM cache.
    On models AX 1000, AX 2000, AX 2100,
    AX 2200, AX 3100, and AX 3200, you can
    specify 1-512 MB.
    On model AX 2500, you can specify
    1-1024 MB.

    On models AX 2600 and AX 3000, you can
    specify 1-2048 MB.
    On models AX 5100 and AX 5200, you can
    specify 1-4096 MB.

[no] max-content-size bytes
    Specifies the maximum object size that can be
    cached. The AX device will not cache objects
    larger than this size. You can specify 0-4194303
    bytes (4 MB). If you specify 0, no objects can be
    cached.

[no] min-content-size bytes
    Specifies the minimum object size that can be
    cached. The AX device will not cache objects
    smaller than this size. You can specify
    0-4194303 bytes (4 MB). If you specify 0, all
    objects smaller than or equal to the maximum
    content size can be cached.

[no] policy uri pattern {cache [seconds] | nocache | invalidate inv-pattern}
    Configures a policy for dynamic caching.
    pattern - Specifies the portion of the URL
    string to match on. The options below specify the
    action to take for URLs that match the pattern:
    cache [seconds] - Caches the content. By
    default, the content is cached for the number of
    seconds configured in the template (set by the
    age command). To override the aging period set
    in the template, specify the number of seconds
    with the cache command.
    nocache - Does not cache the content.
    invalidate inv-pattern - Invalidates the
    content that has been cached for inv-pattern.

[no] remove-cookies
    Removes cookies from server replies so the
    replies can be cached. RAM caching does not
    cache server replies that contain cookies. (Image
    files are an exception. RAM caching can cache
    images that have cookies.)

[no] replacement-policy LFU
    Specifies the policy used to make room for new
    objects when the RAM cache is full.
    The policy supported in the current release is
    Least Frequently Used (LFU). When the RAM
    cache becomes more than 90% full, the AX
    device discards the least-frequently used objects
    to ensure there is sufficient room for new objects.

[no] verify-host
    Enables the AX device to cache the host name in
    addition to the URI for cached content. Use this
    command if a real server that contains cacheable
    content will host more than one host name (for
    example, www.abc.com and www.xyz.com).

Default

The default RAM caching template has the following defaults:


accept-reload-req - Disabled
age - 3600 seconds (1 hour)
disable-insert-age - Insertion of Age headers is enabled by default.
disable-insert-via - Insertion of Via headers is enabled by default.
max-cache-size - 80 MB
max-content-size - 81920 bytes (80 KB)
min-content-size - 512 bytes
remove-cookies - disabled
replacement-policy - Least Frequently Used (LFU)
verify-host - Disabled. Host names are not cached along with URIs for
cached content.

Mode

Configure

Usage

The normal form of this command creates a RAM caching configuration
template. The no form of this command removes the template.
You can bind only one RAM caching template to a virtual port. However,
you can bind the same RAM caching template to multiple ports.

If a URI matches the pattern in more than one policy command, the policy
command with the most specific match is used. For example, if a template
has the following commands, content for page122 is cached whereas content for page123 is not cached:

policy uri /page12 cache 300
policy uri /page123 nocache

Wildcard characters (for example: ? and *) are not supported in RAM Caching policies. For example, if the string pattern contains *, it is interpreted
literally, as the "*" character.
In the current release, matching is performed based on containment. All
URIs that contain the pattern string match the rule. For example, the following policy matches all URIs that contain the string ".jpg" and sets the cache
timeout for the matching objects to 7200 seconds:

policy uri .jpg cache 7200

Example

The following commands configure a RAM caching template. In this example, all the default RAM cache settings are used.

AX(config)#slb template cache ramcache


AX(config-RAM caching template)#

Example

The following commands configure some dynamic caching policies. The
policy that matches on /list caches content for 5 minutes. The policy that
matches on /private does not cache content.

AX(config)#slb template cache ram-cache


AX(config-RAM caching template)#policy uri /list cache 300
AX(config-RAM caching template)#policy uri /private nocache

Example

The following commands configure a RAM caching template that will only
cache content from www.xyz.com/news-clips.

AX(config)#slb template cache ramcache


AX(config-RAM caching template)#default-policy-nocache
AX(config-RAM caching template)#policy uri www.xyz.com/news-clips cache
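
The matching rules from the Usage text above (containment matching, literal wildcard characters, most specific match wins), modelled in Python as an added example for reviewing a policy set; this is not A10 code. It assumes "most specific" means the longest matching pattern, which agrees with the /page12 and /page123 case; where two matching patterns are unrelated the page does not say which one wins, so the model reports the overlap instead of settling it. All function names and sample values are constructed.

```python
"""Model of the RAM-cache policy matching rules described in this section.
Added example, not A10 code; assumptions are marked ASSUMPTION."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    pattern: str                   # literal substring; '*' and '?' are not wildcards
    action: str                    # "cache" or "nocache"
    seconds: Optional[int] = None  # per-policy override of the template age


def parse_policy(line: str) -> Policy:
    """Parse 'policy uri <pattern> cache [seconds]' or 'policy uri <pattern> nocache'."""
    parts = line.split()
    if len(parts) < 4 or parts[:2] != ["policy", "uri"]:
        raise ValueError(f"not a policy uri line: {line!r}")
    pattern, action = parts[2], parts[3]
    if action == "cache":
        return Policy(pattern, action, int(parts[4]) if len(parts) > 4 else None)
    if action == "nocache":
        return Policy(pattern, action)
    raise ValueError(f"action not modelled here: {action!r}")


Decision = Tuple[str, Optional[int], List[Policy]]


def decide(policies: List[Policy], uri: str, default_nocache: bool = False,
           template_age: int = 3600) -> Decision:
    """Return (action, seconds, unordered_conflicts) for one request URI."""
    # Containment matching: a policy applies if its pattern occurs anywhere in the URI.
    hits = [p for p in policies if p.pattern in uri]
    if not hits:
        # No explicit policy: the template default applies (cache, unless
        # default-policy-nocache is configured).
        action = "nocache" if default_nocache else "cache"
        return action, (template_age if action == "cache" else None), []
    # ASSUMPTION: "most specific" is taken to mean the longest matching pattern.
    best = max(hits, key=lambda p: len(p.pattern))
    # The page only orders nested patterns (/page12 inside /page123). A matching
    # policy with a different action whose pattern is not part of the winning
    # pattern is an overlap the page does not resolve, so it is reported.
    conflicts = [p for p in hits
                 if p.action != best.action and p.pattern not in best.pattern]
    seconds = None
    if best.action == "cache":
        seconds = best.seconds if best.seconds is not None else template_age
    return best.action, seconds, conflicts


def review(policies: List[Policy], uris: List[str],
           default_nocache: bool = False) -> Dict[str, Decision]:
    """Evaluate a list of representative URIs against a policy set."""
    return {u: decide(policies, u, default_nocache) for u in uris}


# Constructed sample: the policies quoted on this page plus one wildcard attempt.
SAMPLE_POLICIES = [parse_policy(line) for line in (
    "policy uri /page12 cache 300",
    "policy uri /page123 nocache",
    "policy uri /list cache 300",
    "policy uri /private nocache",
    "policy uri .jpg cache 7200",
    "policy uri /img/*.png cache 60",   # '*' is literal, so this never matches logo.png
)]
SAMPLE_URIS = [
    "/page122",             # only /page12 matches
    "/page123",             # both match, nested patterns, /page123 wins
    "/admin/list-users",    # contains "/list" although it is a different resource
    "/private/report.jpg",  # matches both a nocache and a cache policy
    "/img/logo.png",        # falls through to the template default
]

if __name__ == "__main__":
    for uri, (action, seconds, conflicts) in review(SAMPLE_POLICIES, SAMPLE_URIS).items():
        note = ""
        if conflicts:
            note = "  REVIEW: also matches " + ", ".join(
                f"{p.pattern} ({p.action})" for p in conflicts)
        print(f"{uri:22} -> {action} {seconds if seconds is not None else ''}{note}")
```

Running the model over the URIs an application actually serves shows where a short pattern such as /list also covers unrelated paths, and where a cache and a nocache policy both match the same URI.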


slb template client-ssl


Description

Configure offload of SSL validation of clients from real servers.

Syntax

[no] slb template client-ssl template-name

Parameter    Description

template-name
    Name of the template, up to 31 characters long.

This command changes the CLI to the configuration level for the specified
client-SSL template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
"Config Commands: Global" on page 69.)

Command    Description

[no] ca-cert cert-name
    Specifies the name of the Certificate Authority
    (CA) certificate to use for validating client certificates. The CA certificate must be installed on
    the AX device. (You can use the import or slb
    ssl-load command. They are equivalent. See
    "import" on page 59 or "slb ssl-load" on
    page 298.)

[no] cert cert-name
    Specifies the name of the certificate to use for
    terminating or initiating an SSL connection. The
    certificate must be installed on the AX.

[no] chain-cert chain-cert-name
    Specifies a certificate-key chain.

[no] cipher cipher
    Specifies the cipher suite to support for certificates from clients:
    SSL3_RSA_DES_192_CBC3_SHA
    SSL3_RSA_DES_40_CBC_SHA
    SSL3_RSA_DES_64_CBC_SHA
    SSL3_RSA_RC4_128_MD5
    SSL3_RSA_RC4_128_SHA
    SSL3_RSA_RC4_40_MD5
    TLS1_RSA_AES_128_SHA

    TLS1_RSA_AES_256_SHA
    TLS1_RSA_EXPORT1024_RC4_56_MD5
    TLS1_RSA_EXPORT1024_RC4_56_SHA

[no] client-certificate {ignore | request | require}
    Specifies the action that the AX device takes in
    response to a client's connection request:
    ignore - The AX device does not request the
    client to send its certificate.
    request - The AX device requests the client
    to send its certificate. With this action, the SSL
    handshake proceeds even if either of the following occurs:
      - The client sends a NULL certificate (one
        with zero length).
      - The certificate is invalid, causing client
        verification to fail.
    Use this option if you want the request to trigger
    an aFleX policy for further processing.
    require - The AX device requires the client
    certificate. This action requests the client to send
    its certificate. However, the SSL handshake does
    not proceed (it fails) if the client sends a NULL
    certificate or the certificate is invalid.

[no] close-notify
    Enables closure alerts for SSL sessions. When
    this option is enabled, the AX device sends a
    close_notify message when an SSL transaction
    ends, before sending a FIN. This behavior is
    required by certain types of client applications,
    including PHP cgi. For this type of client, if the
    AX device does not send a close_notify, an error
    or warning appears on the client.

[no] crl filename
    Specifies the Certificate Revocation List (CRL)
    to use for verifying that client certificates have
    not been revoked. The CRL must be installed on
    the AX device first. (You can use the slb ssl-load
    command. See "slb ssl-load" on page 298.)

    When you add a CRL to a client SSL template,
    the AX device checks the CRL to ensure that the
    certificates presented by clients have not been
    revoked by the issuing CA.

Note: If you plan to use a CRL, you must set the client-certificate mode to
require.

[no] key key-name [passphrase passphrase-string]
    Specifies the key for the certificate, and the passphrase used to encrypt the key.

[no] session-cache-size number
    Maximum number of cached sessions for SSL
    session ID reuse, 0-131072. The value 0 disables
    session ID reuse.

Default

The configuration does not have a default client-side SSL template. If you
create one, the template has the following defaults:
cipher - All options are enabled. (This is equivalent to entering the
cipher command multiple times, once with each of the options listed in
the Syntax section.)
client-certificate - ignore
close-notify - disabled
session-cache-size - 0 (Session ID reuse is disabled.)

Mode

Configure

Usage

The normal form of this command creates a client-SSL configuration template. The no form of this command removes the template.
The certificate must be imported onto the AX Series. To import a certificate,
see "import" on page 59 or "slb ssl-load" on page 298.
You can bind only one client-SSL template to a virtual port. However, you
can bind the same client-SSL template to multiple ports.

Example

The following commands configure a client-SSL template named client-ssl1 that uses imported CA certificates and requires clients to present their
certificates when requesting connections to servers:

AX(config)#slb template client-ssl client-ssl1
AX(config-client SSL template)#ca-cert ca-bundle.crt
AX(config-client SSL template)#client-certificate require

Example

The following commands configure a client SSL template to use an
imported CA certificate and key, and an imported Certificate Revocation
List (CRL) from the CA:

AX(config)#slb template client-ssl client-ssl1
AX(config-client SSL template)#ca-cert ca-cert.pem
AX(config-client SSL template)#crl ca-crl.pem
AX(config-client SSL template)#client-certificate require
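
A configuration check built from the options and defaults documented in this section, as an added example (not A10 code): it reads client-SSL template blocks from configuration text and reports the settings that the text above singles out. The configuration layout (an "slb template client-ssl" line followed by indented option lines), the function names and the sample are assumptions constructed for illustration; treating the 40-bit, 64-bit DES, RC4, MD5 and EXPORT suites as weak is an editorial classification, not a statement from the manual.

```python
"""Audit client-SSL template settings against the options documented above.
Added example, not A10 code. ASSUMPTION: the configuration text lists each
template as an 'slb template client-ssl NAME' line followed by indented
option lines, mirroring the CLI commands on this page."""
import re
from typing import Dict, List

# The ten cipher options listed for the cipher command on this page.
ALL_CIPHERS = [
    "SSL3_RSA_DES_192_CBC3_SHA", "SSL3_RSA_DES_40_CBC_SHA",
    "SSL3_RSA_DES_64_CBC_SHA", "SSL3_RSA_RC4_128_MD5",
    "SSL3_RSA_RC4_128_SHA", "SSL3_RSA_RC4_40_MD5",
    "TLS1_RSA_AES_128_SHA", "TLS1_RSA_AES_256_SHA",
    "TLS1_RSA_EXPORT1024_RC4_56_MD5", "TLS1_RSA_EXPORT1024_RC4_56_SHA",
]
# Editorial classification (not from the manual): export-grade keys,
# single DES, RC4 and MD5-based suites.
WEAK_MARKERS = ("_40_", "DES_64", "EXPORT", "RC4", "MD5")

Options = Dict[str, List[str]]


def is_weak(cipher: str) -> bool:
    return any(marker in cipher for marker in WEAK_MARKERS)


def parse_templates(config_text: str) -> Dict[str, Options]:
    """Collect option lines under each 'slb template client-ssl NAME' header."""
    templates: Dict[str, Options] = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"slb template client-ssl (\S+)$", line)
        if header:
            current = templates.setdefault(header.group(1), {})
        elif not raw[:1].isspace():
            current = None            # any other top-level line ends the block
        elif current is not None:
            key, _, value = line.partition(" ")
            current.setdefault(key, []).append(value)
    return templates


def audit_template(opts: Options) -> List[str]:
    findings = []
    # Documented default: with no cipher command, all options are enabled.
    ciphers = opts.get("cipher") or ALL_CIPHERS
    if "cipher" not in opts:
        findings.append("no cipher lines: the template default enables every suite")
    weak = sorted(c for c in ciphers if is_weak(c))
    if weak:
        findings.append("weak suites enabled: " + ", ".join(weak))
    # Documented default for client-certificate is ignore.
    mode = (opts.get("client-certificate") or ["ignore"])[-1]
    if "crl" in opts and mode != "require":
        findings.append(f"crl set but client-certificate is {mode}; "
                        "the CRL note calls for require")
    if mode == "request":
        findings.append("client-certificate request: the handshake proceeds "
                        "with a NULL or invalid certificate")
    if "ca-cert" in opts and mode == "ignore":
        findings.append("ca-cert set but client-certificate is ignore: "
                        "clients are not asked for a certificate")
    return findings


def audit(config_text: str) -> Dict[str, List[str]]:
    return {name: audit_template(opts)
            for name, opts in parse_templates(config_text).items()}


# Constructed sample configuration (template and file names are made up).
SAMPLE_CONFIG = """\
slb template client-ssl legacy
   ca-cert ca-bundle.crt
   crl ca-crl.pem
   client-certificate request
slb template client-ssl strict
   ca-cert ca-cert.pem
   crl ca-crl.pem
   client-certificate require
   cipher TLS1_RSA_AES_128_SHA
   cipher TLS1_RSA_AES_256_SHA
slb virtual-server vs1 10.10.2.1
"""

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
```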

slb template connection-reuse


Description

Configure re-use of established connections.

Syntax

[no] slb template connection-reuse template-name


Parameter    Description

template-name
    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified
connection-reuse template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
"Config Commands: Global" on page 69.)

Command    Description

[no] keep-alive-conn number
    Specifies the number of new reusable connections to open before beginning to reuse existing
    connections. You can specify 1-1024 connections.

Note: This option is applicable only for SIP-over-TCP sessions. The option is
not applicable to other types of sessions, such as HTTP sessions.

[no] limit-per-server number [smart-flow-control queue-depth]
    Maximum number of reusable connections per
    server port. You can specify 0-65535. 0 means
    unlimited.

    The smart-flow-control option queues HTTP
    packets from clients when a server port reaches a
    configured connection limit, instead of dropping
    them. The AX device then monitors the port, and
    begins forwarding the queued packets when connections become available again. To prevent
    flooding of the port, the AX device forwards the
    queued packets at a steady rate. The queue-depth
    option specifies the maximum number of packets
    the AX device will queue for the port. You can
    specify 1-32000. The default is 1000. If this queue
    becomes full, the AX device will drop additional
    packets.

[no] timeout seconds
    Maximum number of seconds a connection can
    remain idle before it times out. You can specify
    1-3600 seconds.

Default

The default connection reuse template has the following defaults:


keep-alive-conn - 100
limit-per-server - 1000
timeout - 2400 seconds (40 minutes)

To display the default template settings, use the show slb template connection-reuse default command.

Mode

Configure

Usage

The normal form of this command creates a connection reuse template. The
no form of this command removes the template.
You can bind only one connection-reuse template to a virtual port. However,
you can bind the same connection-reuse template to multiple ports.
The keep-alive-conn option is applicable only for SIP-over-TCP sessions.
The option is not applicable to other types of sessions, such as HTTP sessions.
Due to the way the connection-reuse feature operates, backend sessions
with servers will not be reused in either of the following cases:
- The limit-per-server option is set to a very low value, lower than the
  number of data CPUs on the AX device.
- The keep-alive-conn option is set to a lower value than the limit-per-server option.

Smart Flow Control
- In the current release, this feature applies only to traffic sent to HTTP
  virtual ports.
- This feature is configured using a new connection-reuse option. The feature can be activated if a real port either reaches the smart-flow-control
  limit configured in the connection-reuse template, or the connection
  limit specified on the port or in the port template used by the port.
- If the real-port connection limit is set and the limit-per-server is set in
  the connection-reuse template, the smaller of the two limits is used for
  smart flow control.
- The connection limit is applied across the data CPUs. It is possible for
  an individual CPU to reach its maximum while other CPUs have not
  reached their maximums.
- The actual connection limit is calculated as follows:
  (rport-conn-limit/data-cpu-num - n) * data-cpu-num
  where n is the largest possible value among 2, 1 or 0.
  Here are some examples:
  Case 1: rport-conn-limit = 10; data-cpu-num = 7; n must be 0
  (otherwise the result will be negative). The result will be
  (10/7 - 0)*7=7.
  Case 2: rport-conn-limit = 30; data-cpu-num = 7; n should be 2.
  The result will be (30/7 - 2)*7=14.
- If you remove the smart flow control configuration from a connection-reuse
  template, any packets that are queued due to the feature are
  released for transmission.

Example

The following commands configure a connection reuse template named
conn-reuse1 and set the limit per server to 2000 re-used connections:

AX(config)#slb template connection-reuse conn-reuse1


AX(config-connection reuse template)#limit-per-server 2000

slb template dns


Description

Configure DNS security.

Syntax

[no] slb template dns template-name


Parameter    Description

template-name
    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified
DNS template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
"Config Commands: Global" on page 69.)

Command    Description

[no] malformed-query {drop | forward service-group-name}
    Specifies the action to take for malformed DNS
    queries:
    drop - Drops malformed queries.
    forward - Sends the queries to the specified
    service group. With either option, the malformed
    queries are not sent to the DNS virtual port.

Default

The configuration does not have a default DNS template. If you configure
one, the default action is to drop malformed DNS queries.

Mode

Configure

Usage

The normal form of this command creates a DNS template. The no form
of this command removes the template.
You can bind only one DNS template to a virtual port. However, you can
bind the same DNS template to multiple ports.

Example

The following commands configure a DNS template for DNS security and
bind the template to the DNS virtual port on a virtual server:

AX(config)#slb template dns dns-sec


AX(config-dns-policy)#malformed-query drop
AX(config-dns-policy)#exit
AX(config)#slb virtual-server dnsvip1 192.168.1.53
AX(config-slb vserver)#port 53 udp
AX(config-slb vserver-vport)#template dns dns-sec

Since the drop action is specified, malformed DNS queries sent to the virtual DNS server are dropped by the AX device.


slb template http


Description

Configure HTTP modifications to server replies to clients and configure
load balancing based on HTTP information.

Syntax

[no] slb template http template-name


Parameter    Description

template-name
    Name of the template

This command changes the CLI to the configuration level for the specified
HTTP template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
"Config Commands: Global" on page 69.)

Command    Description

[no] compression option
    Offloads Web servers from CPU-intensive HTTP
    compression operations.
    Options:
    content-type content-string
        Specifies the type of content to compress,
        based on a string in the content-type header
        of the HTTP response. The content-string
        can be 1-64 characters long.
    enable
        Enables compression.
    exclude-content-type content-string
        Excludes the specified content type from
        being compressed. The content-string can be
        1-64 characters long.
        For a list of media type strings, see the Internet
        Assigned Numbers Authority Web site:
        http://www.iana.org/assignments/media-types
    exclude-uri uri-string
        Excludes an individual URI from being compressed. The URI string can be 1-31 characters. An HTTP template can exclude up to 10
        URI strings.
        The order in which content-type, exclude-content-type, and exclude-uri filters appear in the
        configuration does not matter.
    keep-accept-encoding enable
        Configures the AX device to leave the
        Accept-Encoding header in HTTP requests
        from clients instead of removing the header.
        When keep-accept-encoding is enabled,
        compression is performed by the real server
        instead of the AX device, if the server is configured to perform the compression. The AX
        device compresses the content that the real
        server does not compress. This option is disabled by default, which means the AX
        device performs all the compression.
    level number
        Specifies the compression level. You can use
        compression level 1-9. Each level provides a
        higher compression ratio, beginning with
        level 1, which provides the lowest compression ratio. A higher compression ratio results
        in a smaller file size after compression.
        However, higher compression levels also
        require more CPU processing than lower
        compression levels, so performance can be
        affected.
    minimum-content-length bytes
        Specifies the minimum length (in bytes) a
        server response can be in order to be compressed. The length applies to the content
        (payload) only and does not include the
        headers. You can specify 0-2147483647
        bytes.

Note: Compression is supported only for HTTP and HTTPS virtual ports. Compression is not supported for fast-HTTP virtual ports.

[no] failover-url url-string
    Specifies the fallback URL to send in an HTTP
    302 response when all real servers are down.

[no] header-erase header-name
    Erases the specified HTTP header from the
    HTTP request. Header names can be up to 256
    characters long.

[no] header-insert header-name
    Inserts the specified HTTP header into the HTTP
    request. Header names can be up to 256 characters long.

[no] host-switching {starts-with | contains | ends-with} host-string service-group service-group-name
    Selects a service group based on the value in the
    Host field of the HTTP header. The selection
    overrides the service group configured on the virtual port.
    For host-string, you can specify an IP address or
    a hostname. If the host-string does not match, the
    service group configured on the virtual port is
    used.
    starts-with host-string - matches only
    if the hostname or IP address starts with host-string.
    contains host-string - matches if the
    host-string appears anywhere within the hostname or host IP address.
    ends-with host-string - matches only if
    the hostname or IP address ends with host-string.

[no] insert-client-ip [http-header-name] [replace]
    Inserts the client's source IP address into HTTP
    headers. If you specify an HTTP header name,
    the source address is inserted only into headers
    with that name.
    The replace option replaces any client addresses
    that are already in the header. Without this
    option, the client IP address is appended to the
    lists of client IP addresses already in the header.
    For example, if the header already contains
    X-Forwarded-For:1.1.1.1 and the current client's IP address is 2.2.2.2, the replace option
    changes the field:value pair to
    X-Forwarded-For:2.2.2.2. Without the replace
    option, the field:value pair becomes
    X-Forwarded-For:1.1.1.1, 2.2.2.2.

[no] log-retry
    Logs HTTP retries. An HTTP retry occurs when
    the AX device resends a client's HTTP request to
    a server because the server did not reply to the
    first request. (HTTP retries are enabled using the
    retry-on-5xx or retry-on-5xx-per-req command
    in the HTTP template.)

[no] redirect-rewrite match url-string rewrite-to url-string
    Modifies redirects sent by servers by rewriting
    the matching URL string to the specified value
    before sending the redirects to clients.

[no] redirect-rewrite secure {port tcp-portnum}
    Changes HTTP redirects sent by servers into
    HTTPS redirects before sending the redirects to
    clients.
    To redirect clients to the default HTTPS port
    (443), enter the following command:
    redirect-rewrite secure
    To redirect clients to an HTTPS port other than
    the default, enter the following command
    instead: redirect-rewrite secure port port-num

[no] request-header-erase field
    Erases the specified header (field) from HTTP
    requests.

[no] request-header-insert field:value [insert-always | insert-if-not-exist]
    Inserts the specified header into HTTP requests.
    The field:value pair indicates the header field
    name and the value to insert.
    If you use the insert-always option, the command always inserts the field:value pair. If the
    request already contains a header with the same
    field name, the new field:value pair is added after
    the existing field:value pair. Existing headers are
    not replaced.
    If you use the insert-if-not-exist option, the
    command inserts the header only if the request
    does not already contain a header with the same
    field name.
    Without either option, if a request already contains one or more headers with the specified field
    name, the command replaces the first header.

[no] response-header-erase field
    Erases the specified header (field) from HTTP
    responses.

[no] response-header-insert field:value [insert-always | insert-if-not-exist]
    Inserts the specified header into HTTP
    responses. The field:value pair indicates the
    header field name and the value to insert.
    If you use the insert-always option, the command always inserts the field:value pair. If the
    response already contains a header with the same
    field name, the new field:value pair is added after
    the existing field:value pair. Existing headers are
    not replaced.
    If you use the insert-if-not-exist option, the
    command inserts the header only if the response
    does not already contain a header with the same
    field name.
    Without either option, if a response already contains one or more headers with the specified field
    name, the command replaces the first header.

[no] retry-on-5xx num
    Configures the AX device to retry sending a client's request to a service port that replies with an
    HTTP 5xx status code, and reassign the request
    to another server if the first server replies with a
    5xx status code. The retry number specifies the
    number of times the AX device is allowed to
    reassign the request.
    For example, assume that a service group has
    three members (s1, s2, and s3), and the retry is
    set to 1. In this case, if s1 replies with a 5xx status code, the AX device reassigns the request to
    s2. If s2 also responds with a 5xx status code, the
    AX device will not reassign the request to s3,
    because the maximum number of retries has
    already been used.
    If you use this command, the AX device stops
    sending client requests to a service port for 30
    seconds following reassignment. If you want the
    service port to remain eligible for client requests,
    use the following command instead. An HTTP
    template can contain one or the other of these
    commands, but not both.

Note: The 5xx options are supported only for virtual port types HTTP and
HTTPS. They are not supported for fast-HTTP or any other virtual port
type.

[no] retry-on-5xx-per-req num
    This command provides the same function as the
    retry-on-5xx command (described above). However, the retry-on-5xx-per-req command does
    not briefly stop using a service port following
    reassignment. An HTTP template can contain
    one or the other of these commands, but not both.

[no] stricttransactionswitch

322 of 718

Forces the AX device to perform the server


selection process anew for every HTTP request.
Without this option, the AX device reselects the
same server for subsequent requests (assuming
the same server group is used), unless overridden
by other template options.
P e r f o r m a n c e

b y

D e s i g n

Document No.: D-030-01-00-0003 - Ver. 2.4.3 6/21/2010

AX Series - Command Line Interface - Reference


slb template http
[no] term-11client-hdr-conn-close
Enables the AX device to terminate HTTP 1.1
client connections when the Connection: close
header exists in the HTTP request. This option is
applicable to connection-reuse deployments that
have HTTP 1.1 clients that are not compliant
with the HTTP 1.1 standard. Without this option,
sessions for non-compliant HTTP 1.1 clients are
not terminated.

[no] url-hash-persist
{first | last}
bytes
[use-server-status]
Enables server stickiness based on hash values. If
this feature is configured, for each URL request,
the AX device calculates a hash value based on
part of the URL string. The AX device then
selects a real server based on the hash value. A
given hash value always results in selection of
the same real server. Thus, requests for a given
URL always go to the same real server.
The first | last option specifies which end of the
URL string to use to calculate the hash value.
The bytes option specifies how many bytes to use
to calculate the hash value.
Optionally, you can use URL hashing with either
URL switching or host switching. Without URL
switching or host switching configured, URL
hash switching uses the hash value to choose a
server within the default service group (the one
bound to the virtual port). If URL switching or
host switching is configured, for each HTTP
request, the AX device first selects a service
group based on the URL or host switching values, then calculates the hash value and uses it to
choose a server within the selected service group.
The use-server-status option enables server load
awareness, which allows servers to act as backups to other servers, based on server load.

Note:
This feature requires some custom configuration on the server. For information, see the URL Hash Switching section in the HTTP Options for
SLB chapter of the AX Series Configuration Guide.

[no] url-switching
{starts-with |
contains |
ends-with}
url-string
service-group
service-group-name
Selects a service group based on the URL string
requested by the client. The selection overrides
the service group configured on the virtual port.
starts-with /url-string matches only
if the URL starts with url-string.
contains url-string matches if the url-string appears anywhere within the URL.
ends-with url-string matches only if
the URL ends with url-string.

Note:
You can configure a maximum of 16 url-switching commands in a template. If you need to use more, use aFleX policies.

Default
The configuration has a default HTTP template. In the template, most
options are disabled or not set.
Compression is disabled by default. When you enable it, it has the following
default settings:
content-type text and application included by default
exclude-content-type not set (nothing excluded)
exclude-uri not set (no URIs excluded)
keep-accept-encoding disabled
level 1
minimum-content-length 120 bytes

To display the default HTTP template settings, use the show slb template
http default command.
Mode

Configure

Usage

The normal form of this command creates an HTTP configuration template.


The no form of this command removes the template.

You can bind only one HTTP template to a virtual port. However, you can
bind the same HTTP template to multiple ports.
Header insertion is not supported on fast-HTTP virtual ports.
Starts-with, Contains, and Ends-with Rule Matching
The starts-with, contains, and ends-with options are always applied in the
following order, regardless of the order in which the commands appear in
the configuration. The service group for the first match is used.
starts-with
contains
ends-with

If a template has more than one command with the same option (starts-with, contains, or ends-with) and a host name or URL matches on more
than one of them, the most-specific match is always used. For example, if a
template has the following commands, host "ddeeff" will always be directed
to service group http-sgf:
slb template http http-host
host-switching starts-with d service-group http-sgd
host-switching starts-with dd service-group http-sge
host-switching starts-with dde service-group http-sgf

If a contains rule and an ends-with rule match on exactly the same string,
the ends-with rule is used, because it has the more specific match.
If you use the starts-with option with URL switching, use a slash in front of
the URL string. For example:
url-switching starts-with /urlexample service-group http-sg1

Redirect-Rewrite Rule Matching


If a URL matches on more than one redirect-rewrite rule within the same HTTP
template, the AX device selects the rule that has the most specific match to
the URL. For example, if a server sends redirect URL 66.1.1.222/000.html,
and the HTTP template has the redirect-rewrite rules shown below, the AX
device will use the last rule because it is the most specific match to the
URL:
slb template http 1
redirect-rewrite match /00 rewrite-to http://66.1.1.202/a
redirect-rewrite match /000.html rewrite-to /001.gif
redirect-rewrite match 66.1.1.222/000.html rewrite-to 66.1.1.202/003.bmp
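
The rule-matching order described above for url-switching and host-switching, and the most-specific selection for redirect-rewrite rules, modelled as an added Python example (not A10 code and not part of the original reference). It assumes that "most specific" means the longest matching string and that a redirect-rewrite match string is compared as a substring of the redirect URL; the class and function names are illustrative.

```python
from dataclasses import dataclass

# Evaluation order stated in the reference; configuration order is ignored.
ORDER = ("starts-with", "contains", "ends-with")
# Limit documented for url-switching commands; applied to any rule list here.
MAX_URL_SWITCHING_RULES = 16


@dataclass(frozen=True)
class SwitchRule:            # illustrative: one url-switching/host-switching command
    option: str              # one of ORDER
    pattern: str             # url-string or host string
    service_group: str


@dataclass(frozen=True)
class RewriteRule:           # illustrative: one redirect-rewrite command
    match: str
    rewrite_to: str


def _hit(rule, value):
    if rule.option == "starts-with":
        return value.startswith(rule.pattern)
    if rule.option == "ends-with":
        return value.endswith(rule.pattern)
    if rule.option == "contains":
        return rule.pattern in value
    raise ValueError(f"unknown option: {rule.option}")


def rank_matches(rules, value):
    """Return every matching rule, winner first, pre-empted rules after it."""
    hits = [r for r in rules if _hit(r, value)]
    contains_hits = {r.pattern for r in hits if r.option == "contains"}

    def precedence(rule):
        tier = ORDER.index(rule.option)
        # Documented tie-break: an ends-with rule beats a contains rule
        # when both matched on exactly the same string.
        promoted = rule.option == "ends-with" and rule.pattern in contains_hits
        if promoted:
            tier = ORDER.index("contains")
        # Assumption: "most specific" = longest pattern within a tier.
        return (tier, -len(rule.pattern), 0 if promoted else 1)

    return sorted(hits, key=precedence)


def select_service_group(rules, value, default_group):
    """Service group for a URL or Host value.

    default_group stands for the group bound to the virtual port, which is
    used when no switching rule matches.
    """
    if len(rules) > MAX_URL_SWITCHING_RULES:
        raise ValueError("more than 16 switching rules in one template")
    ranked = rank_matches(rules, value)
    return ranked[0].service_group if ranked else default_group


def select_redirect_rewrite(rules, redirect_url):
    """Return the redirect-rewrite rule with the longest match, or None."""
    hits = [r for r in rules if r.match in redirect_url]
    return max(hits, key=lambda r: len(r.match), default=None)


# Rules copied from the two configuration examples in the reference text.
HOST_RULES = [
    SwitchRule("starts-with", "d", "http-sgd"),
    SwitchRule("starts-with", "dd", "http-sge"),
    SwitchRule("starts-with", "dde", "http-sgf"),
]
REWRITE_RULES = [
    RewriteRule("/00", "http://66.1.1.202/a"),
    RewriteRule("/000.html", "/001.gif"),
    RewriteRule("66.1.1.222/000.html", "66.1.1.202/003.bmp"),
]

if __name__ == "__main__":
    # Shows the winning rule and the rules it pre-empts for host "ddeeff".
    for rule in rank_matches(HOST_RULES, "ddeeff"):
        print(rule)
    print(select_redirect_rewrite(REWRITE_RULES, "66.1.1.222/000.html"))
```

Running rank_matches over a template's rules with representative URLs shows which rules are pre-empted by a higher-precedence match, which is useful when a rule is meant to steer a sensitive path to a dedicated service group.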

Example

The following commands configure an HTTP template called http-compression that enables compression. The minimum length a packet must be
for it to be compressed is set at 120 bytes.

AX(config)#slb template http http-compression


AX(config-HTTP template)#compression enable
AX(config-HTTP template)#compression minimum-content-length 120

Example

The following commands configure an HTTP template called http-header
that inserts the client IP address and a Cookie field into HTTP headers in
requests from clients before sending the requests to servers:

AX(config)#slb template http http-header
AX(config-HTTP template)#insert-client-ip
AX(config-HTTP template)#header-insert Cookie:a = b

Example

The following commands configure an HTTP template called http-host
that selects a service group based on the contents of the Host field in the
HTTP headers of client requests. Requests for hostnames that start with
Gossip are directed to service group http-sg1. Requests for hostnames
that contain NewsDeskA are directed to service group http-sg2.
Requests for hostnames that end with weather.com are directed to service
group http-sg3.

AX(config)#slb template http http-host
AX(config-HTTP template)#host-switching starts-with Gossip service-group http-sg1
AX(config-HTTP template)#host-switching contains NewsDeskA service-group http-sg2
AX(config-HTTP template)#host-switching ends-with weather.com service-group http-sg3

Example

The following commands configure an HTTP template to use URL hashing.


Hash values will be calculated based on the last 8 bytes of the URL. In this
example, URL switching is also configured in the template. As a result, the
AX device uses URL switching to select a service group first, then uses
URL hashing to select a server within that service group. If the template did
not also contain URL switching commands, this template would always
select a server from service group sg3.

AX(config)#slb template http hash


AX(config-HTTP template)#url-hash-switching last 8
AX(config-HTTP template)#url-switching starts-with /news service-group sg1
AX(config-HTTP template)#url-switching starts-with /sports service-group sg2
AX(config-HTTP template)#exit
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#service-group sg3
AX(config-slb virtual server-slb virtua...)#template http hash

Example

The following commands configure an HTTP template called http-compress, that uses compression level 5 to compress files with media type
application or image. Files with media type application/zip are
explicitly excluded from compression.

AX(config)#slb template http http-compress
AX(config-HTTP template)#compression enable
AX(config-HTTP template)#compression level 5
AX(config-HTTP template)#compression content-type image
AX(config-HTTP template)#compression exclude-content-type application/zip

Example

The following commands configure an HTTP template that replaces the client IP addresses in the X-Forwarded-For field with the current client IP
address:

AX(config)#slb template http clientip-replace


AX(config-HTTP template)#insert-client-ip X-Forwarded-For replace

slb template persist cookie


Description
Configure session persistence by inserting persistence cookies into server
replies to clients.

Syntax
[no] slb template persist cookie template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified
persistence template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command    Description

[no] domain domain-name
Adds the specified domain name to the cookie.

[no] dont-honor-conn-rules
Ignores connection limit settings configured on
real servers and real ports. This option is useful
for applications in which multiple sessions (connections) are likely to be used for the same persistent cookie.

[no] expire expire-seconds
Specifies the number of seconds a cookie persists
on a client's PC before being deleted by the client's browser. You can specify from 0 to
31,536,000 seconds (one year). (Do not enter the
commas.) If you specify 0, cookies persist only
for the current session.

[no] insert-always
Specifies whether to insert a new persistence
cookie in every reply, even if the request already
had a persistence cookie previously inserted by
the AX device.

[no] match-type
{server
[service-group]
| service-group}
[scan-all-members]
Changes the granularity of cookie persistence.
server The cookie inserted into the HTTP
header of the server reply to a client ensures that
subsequent requests from the client for the same
VIP are sent to the same real server. (This
assumes that all virtual ports of the VIP use the
same cookie persistence template with match-type set to server.)
Without this option, the default behavior is used:
subsequent requests from the client will be sent
to the same real port on the same real server.
server service-group Sets the granularity to the same as server, and also enables cookie
persistence to be used along with URL switching
or host switching. Without the service-group
option, URL switching or host switching can be
used only for the initial request from the client.
After the initial request, subsequent requests are
always sent to the same service group.
service-group This option enables support for URL switching and host switching,
along with the default cookie persistence behavior.
scan-all-members This option scans all
members bound to the template. This option is
useful in configurations where match-type

server is used, and where some members have
different priorities or are disabled. (For more
information about this option, see the Scan-All-Members Option in Persistence Templates
chapter in the AX Series Configuration Guide.)

Note:
To use URL switching or host switching, you also must configure an
HTTP template with the host-switching or url-switching command.

[no] name cookie-name
Specifies the name of the persistence cookie,
1-63 characters.

[no] path path-name
Adds path information to the cookie, 1-31 characters.

Default

The configuration does not have a default cookie-persistence template. If
you create one, it has the following defaults:
domain Not set
dont-honor-conn-rules Disabled; by default, the connection limit set
on real servers and real ports is used.
expire about 10 years
Note:
Although the default is 10 years (essentially, unlimited), the maximum configurable expiration is one year.
insert-always Disabled. The AX device inserts a persistence cookie
only if the client request does not already contain a persistence cookie
inserted by the AX device, or if the server referenced by the cookie is
unavailable.
match-type The default match type is port. (There is no port keyword.
See Usage for more information.)
name sto-id
path /

Mode

Configure

Usage

The normal form of this command creates a cookie-persistence template.


The no form of this command removes the template.
You can bind only one cookie-persistence template to a virtual port.
However, you can bind the same cookie-persistence template to multiple
ports.

When cookie persistence is configured, the AX device adds a persistence
cookie to the server reply before sending the reply to the client. The client's
browser re-inserts the cookie into each request.

Note:
For security, address information in the cookie is encrypted.

The format of the cookie depends on the match-type setting:

match-type (port) This is the default setting. Subsequent requests
from the client will be sent to the same real port on the same real server.
URL switching or host switching can be used only for the first request.
The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename-vport=rserverIP_rport
The vport is the virtual port number. The rserverIP is the real server IP
address and the rport is the real server port number.

Note:
The port option is shown in parentheses because the CLI does not have a
port keyword. If you do not set the match type to server (see below),
the match type is automatically port.

match-type server Subsequent requests from the client for the same
VIP will be sent to the same real server, provided that all virtual ports of
the VIP use the same cookie persistence template with match-type set to
server. URL switching or host switching can be used only for the first
request.
The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename=rserverIP

match-type (port) service-group Subsequent requests from the client
will be sent to the same real port on the same real server, within the service group selected by URL switching or host switching. URL switching or host switching, if configured, is still used for every request.
The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename-vport-servicegroupname=rserverIP_rport

match-type server service-group Subsequent requests from the client
for the same VIP will be sent to the same real server, within the service group selected by URL switching or host switching. URL
switching or host switching, if configured, is still used for every request.
The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename-servicegroupname=rserverIP

Example

The following commands configure a cookie persistence template named
persist-cookie. The template inserts a cookie named MyCookie, containing the real server's IP address and protocol port in encrypted form, into
server responses before sending the responses to clients. The template also
sets the cookie to persist on client PCs for only 10 minutes (600 seconds).

AX(config)#slb template persist cookie persist-cookie
AX(config-cookie persistence template)#name MyCookie
AX(config-cookie persistence template)#expire 600

slb template persist destination-ip


Description
Configure the granularity of load balancing persistence (selection of the
same server resources) for clients, based on destination IP address.

Syntax
[no] slb template persist destination-ip template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified
persistence template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command    Description

[no] dont-honor-conn-rules
Ignores connection limit settings configured on
real servers and real ports. This option is useful
for applications in which multiple sessions (connections) are likely to be used for the same persistent destination IP address.

[no] match-type
{server |
service-group}
[scan-all-members]
Specifies the granularity of persistence:
server Traffic to a given destination IP
address is always sent to the same real server, for
any service port.
By default (without the server option), traffic to
the same destination IP address and virtual port is
always sent to the same real port. This is the most
granular setting.
service-group This option is applicable if
you also plan to use URL switching or host
switching. If you use the service-group option,
URL or host switching is used for every request
to select a service group. The first time URL or
host switching selects a given service group, the
load-balancing method is used to select a real
port within the service group. The next time URL
or host switching selects the same service group,
the same real port is used. Thus, service group
selection is performed for every request, but once
a service group is selected for a request, the
request goes to the same real port that was
selected the first time that service group was
selected.
scan-all-members This option scans all
members bound to the template. This option is
useful in configurations where match-type
server is used, and where some members have
different priorities or are disabled. (For more
information about this option, see the Scan-All-Members Option in Persistence Templates
chapter in the AX Series Configuration Guide.)

Note:
To use URL switching or host switching, you also must configure an
HTTP template with the host-switching or url-switching command.

[no] netmask ipaddr
Specifies the granularity of IP address hashing
for initial server port selection.
You can specify an IPv4 network mask in dotted
decimal notation.
To configure initial server port selection to
occur once per destination VIP subnet, configure
the network mask to indicate the subnet length.
For example, to select a server port once for all
requested VIPs within a subnet such as
10.10.10.x, 192.168.1.x, and so on (class C
subnets), use mask 255.255.255.0. SLB selects a
server port for the first request to the given VIP
subnet, then sends all other requests for the same
VIP subnet to the same port.

To configure initial server port selection to
occur independently for each requested VIP, use
mask 255.255.255.255. (This is the default.)
[no] timeout timeout-minutes
Specifies how many minutes the mapping
remains persistent after the last time it is used.
You can specify 1-2000 minutes.

Default
The configuration does not have a default destination-IP persistence template. If you configure one, it has the following defaults:
dont-honor-conn-rules Disabled; by default, the connection limit set
on real servers and real ports is used.
match-type For SLB, by default, traffic to a given destination IP
address and port is always sent to the same real port. This is the most
granular setting. (There is no port keyword.)
netmask 255.255.255.255
timeout 5 minutes

Mode

Configure

Usage

The normal form of this command creates a destination-IP persistence template. The no form of this command removes the template.
You can bind only one destination-IP persistence template to a virtual port.
However, you can bind the same destination-IP persistence template to
multiple ports.

Example

The following command creates a destination-IP persistence template
named persist-dest:

AX(config)#slb template persist destination-ip persist-dest

slb template persist source-ip


Description
Configure the granularity of load balancing persistence (selection of the
same server resources) for clients, based on source IP address.

Syntax
[no] slb template persist source-ip template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified
persistence template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command    Description

[no] dont-honor-conn-rules
Ignores connection limit settings configured on
real servers and real ports. This option is useful
for applications in which multiple sessions (connections) are likely to be used for the same persistent client source IP address.

[no] match-type
{server |
service-group}
[scan-all-members]
Specifies the granularity of persistence:
server Traffic from a given client to the
same VIP is always sent to the same real server,
for any service port requested by the client.
By default (without the server option), traffic
from a given client to the same virtual port is
always sent to the same real port. This is the most
granular setting.
service-group This option is applicable if
you also plan to use URL switching or host
switching. If you use the service-group option,
URL or host switching is used for every request
to select a service group. The first time URL or
host switching selects a given service group, the
load-balancing method is used to select a real
port within the service group. The next time URL
or host switching selects the same service group,
the same real port is used. Thus, service group
selection is performed for every request, but once
a service group is selected for a request, the
request goes to the same real port that was
selected the first time that service group was
selected.
scan-all-members This option scans all
members bound to the template. This option is
useful in configurations where match-type

server is used, and where some members have
different priorities or are disabled. (For more
information about this option, see the Scan-All-Members Option in Persistence Templates
chapter in the AX Series Configuration Guide.)

Note:
To use URL switching or host switching, you also must configure an
HTTP template with the host-switching or url-switching command.

Note:
The match type for FWLB is always server, which sets the granularity of
source-IP persistence to individual firewalls, not firewall groups or individual service ports.

[no] netmask ipaddr
Specifies the granularity of IP address hashing
for server port selection.
You can specify an IPv4 network mask in dotted
decimal notation.
To configure server port selection to occur on a
per subnet basis, configure the network mask to
indicate the subnet length. For example, to send
all clients within a subnet such as 10.10.10.x,
192.168.1.x, and so on (class C subnets) to the
same server port, use mask 255.255.255.0. SLB
selects a server port for the first client in a given
subnet, then sends all other clients in the same
subnet to the same port.
To configure server port selection to occur on a
per client basis, use mask 255.255.255.255. SLB
selects a server port for the first request from a
given client, then sends all other requests from the
same client to the same port. (This is the default.)

[no] timeout timeout-minutes
Specifies how many minutes the mapping
remains persistent after the last time traffic from
the client is sent to the server. You can specify
1-2000 minutes (about 33 hours).

Note:
The timeout for a source-IP persistent session will not be reset if the timeout in the source-IP persistence template is set to 1 minute. If the timeout
is set to 1 minute, sessions will always age out after 1 minute, even if they
are active.

Default
The configuration does not have a default source-IP persistence template. If
you configure one, it has the following defaults:
dont-honor-conn-rules Disabled; by default, the connection limit set
on real servers and real ports is used.
match-type For SLB, by default, traffic from a given client to the
same virtual port is always sent to the same real port. This is the most
granular setting. (There is no port keyword.)
For FWLB, the default is server and none of the other match-type
options are applicable.
netmask 255.255.255.255
timeout 5 minutes

Mode

Configure

Usage

The normal form of this command creates a source-IP persistence template.


The no form of this command removes the template.
You can bind only one source-IP persistence template to a virtual port.
However, you can bind the same source-IP persistence template to multiple
ports.
The timeout for a source-IP persistent session will not be reset if the timeout
in the source-IP persistence template is set to 1 minute. If the timeout is set
to 1 minute, sessions will always age out after 1 minute, even if they are
active.

Example

The following commands configure a source-IP persistence template named
persist-source and set the granularity to service-group:

AX(config)#slb template persist source-ip persist-source


AX(config-source ip persistence template)#match-type service-group
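
The netmask and timeout behaviour described for destination-IP and source-IP persistence, modelled as an added Python example (not A10 code and not part of the original reference). Round-robin stands in for the configured load-balancing method, time is passed in as seconds, and the class, function and sample addresses are constructed for illustration.

```python
import ipaddress


class MaskedIpPersistence:
    """Toy persistence table keyed by an IPv4 address ANDed with the netmask.

    For source-IP persistence the address is the client's; for destination-IP
    persistence it is the requested VIP.
    """

    def __init__(self, netmask="255.255.255.255", timeout_minutes=5):
        # Defaults and range are the documented ones: mask /32, 5 minutes, 1-2000.
        if not 1 <= timeout_minutes <= 2000:
            raise ValueError("timeout must be 1-2000 minutes")
        self.mask = int(ipaddress.IPv4Address(netmask))
        self.timeout = timeout_minutes * 60
        # Documented for source-IP persistence: with a 1-minute timeout the
        # timer is not reset, so sessions age out even while active.
        self.refresh_on_use = timeout_minutes != 1
        self.table = {}      # masked address -> {"port": ..., "expires": ...}
        self._rr = 0         # round-robin cursor (assumed LB method)

    def key_for(self, ip):
        """Masked address that all hosts of one subnet share."""
        masked = int(ipaddress.IPv4Address(ip)) & self.mask
        return str(ipaddress.IPv4Address(masked))

    def select(self, ip, now, real_ports):
        """Return the real port for this address at time `now` (seconds)."""
        key = self.key_for(ip)
        entry = self.table.get(key)
        if entry is not None and now < entry["expires"]:
            if self.refresh_on_use:
                entry["expires"] = now + self.timeout
            return entry["port"]
        # No live mapping: pick a port once, then pin the whole key to it.
        port = real_ports[self._rr % len(real_ports)]
        self._rr += 1
        self.table[key] = {"port": port, "expires": now + self.timeout}
        return port


def clients_per_port(table, clients, real_ports, now=0):
    """Count how many of the given addresses land on each real port."""
    counts = {port: 0 for port in real_ports}
    for ip in clients:
        counts[table.select(ip, now, real_ports)] += 1
    return counts


# Constructed sample data.
PORTS = ["s1:80", "s2:80", "s3:80"]
CLIENTS = ["10.10.10.5", "10.10.10.77", "10.10.10.200", "192.168.1.9"]

if __name__ == "__main__":
    # A /24 mask pins every client of 10.10.10.x to one real port.
    print(clients_per_port(MaskedIpPersistence("255.255.255.0"), CLIENTS, PORTS))
    # The default /32 mask selects a port per client.
    print(clients_per_port(MaskedIpPersistence(), CLIENTS, PORTS))
```

With a subnet mask, all clients that share a subnet (or sit behind one NAT address) count as a single persistence entry, so load concentrates on one real port until the mapping ages out.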

slb template persist ssl-sid


Description

Direct clients based on SSL session ID.


SSL session-ID persistence directs all client requests for a given virtual
port, and that have a given SSL session ID, to the same real server and real
port. For example, with SSL session-ID persistence configured, all client
requests for virtual port 443 on virtual server 1.2.3.4 that have the same SSL
session ID will be directed to the same real server and port.
The persistence is based on the SSL session ID, not on the client IP address.

Syntax
[no] slb template persist ssl-sid template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified
persistence template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command    Description

[no] dont-honor-conn-rules
Ignores connection limit settings configured on
real servers and real ports. This option is useful
for applications in which multiple sessions (connections) are likely to be used for the same persistent SSL session ID.

[no] timeout timeout-minutes
Specifies how many minutes the mapping
remains persistent after the last time traffic with
the SSL session ID is sent to the server. You can
specify 1-250 minutes.

Default
The configuration does not have a default SSL session-ID persistence template. If you configure one, it has the following defaults:
dont-honor-conn-rules Disabled; by default, the connection limit set
on real servers and real ports is used.
timeout 5 minutes

Mode

Configure

Usage

The normal form of this command creates an SSL session-ID persistence


template. The no form of this command removes the template.
You can bind only one SSL session-ID persistence template to a virtual port.
However, you can bind the same SSL session-ID persistence template to
multiple ports.
To display statistics for SSL session-ID persistence, use the following command: show slb l4

Example

The following commands configure an SSL session-ID persistence template
named ssl-persist1 and apply it to virtual port 443 on virtual server
vip1:

AX(config)#slb template persist ssl-sid ssl-persist1
AX(config-SSL session ID persistence te...)#exit
AX(config)#slb virtual-server vip1 1.2.3.4
AX(config-slb virtual server)#port 443 tcp
AX(config-slb virtual server-slb virtua...)#service-group https-sg1
AX(config-slb virtual server-slb virtua...)#template ssl-sid ssl-persist1

slb template policy


Description
Configure a template of Policy-Based SLB (PBSLB) settings.

Syntax
[no] slb template policy template-name
This command changes the CLI to the configuration level for the specified
PBSLB template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command    Description

[no] bw-list
id id
service
{service-group-name |
drop | reset}
[logging
[minutes]
[fail]]
Specifies the action to take for clients in the
black/white list:
id Group ID in the black/white list.
service-group-name Sends clients to the
SLB service group associated with this group ID
on the AX device.
drop Drops connections for IP addresses that
are in the specified group.
reset Resets connections for IP addresses
that are in the specified group.
logging [minutes] [fail] Enables
logging. The minutes option specifies how often
messages can be generated. This option reduces
overhead caused by frequent recurring messages.

For example, if the logging interval is set to 5
minutes, and the PBSLB rule is used 100 times
within a five-minute period, the AX device generates only a single message. The message indicates the number of times the rule was applied
since the last message. You can specify a logging
interval from 0 to 60 minutes. To send a separate
message for each event, set the interval to 0.
PBSLB rules that use the service service-group-name option also have a fail option for logging.
The fail option configures the AX device to generate log messages only when there is a failed
attempt to reach a service group. Messages are
not generated for successful connections to the
service group. The fail option is disabled by
default. The option is available only for PBSLB
rules that use the service service-group-name
option, not for rules with the drop or reset
option, since any time a drop or reset rule affects
traffic, this indicates a failure condition.
Logging is disabled by default. If you enable it,
the default for minutes is 3.
[no] bw-list name file-name
Binds a black/white list to the virtual ports that use this template.
[no] bw-list over-limit {lockup min | logging min | reset}
Specifies the action to take for traffic that is over the limit. The default is drop.
lockup min - Continues to apply the over-limit action to all new connection attempts from the client, for the specified number of minutes (1-127).
logging min - Generates a log message when traffic goes over the limit. The min option specifies the log interval and can be 1-255 minutes.
reset - Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit.
[no] bw-list timeout minutes
Specifies the number of minutes dynamic black/white-list client entries can remain idle before aging out. You can specify 1-127 minutes.
[no] bw-list use-destination-ip
Matches black/white list entries based on the client's destination IP address, instead of matching by client source address. By default, matching is based on the client's source IP address. Generally, this option is applicable when wildcard VIPs are used.
[no] class-list client-ip {l3-dest | l7-header [header-name]}
Specifies the IP address to use for matching entries in an IP class list.
l3-dest - Matches based on the destination IP address in packets from clients.
l7-header [header-name] - Matches based on the IP address in the specified header in packets from clients. The header-name specifies the name of the header to use. If you do not specify a header name, the X-Forwarded-For header is used.

[no] class-list name name
Applies an IP class list to the template.
[no] class-list lid num
Configures an IP limiting rule for the IP limiting feature. This command changes the CLI to the configuration level for the rule, where the following commands are available:
[no] conn-limit num - Specifies the maximum number of concurrent connections allowed for a client. You can specify 1-1048575.
[no] conn-rate-limit num per num-of-100ms - Specifies the maximum number of new connections allowed for a client within the specified limit period. You can specify 1-4294967295 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms.
[no] request-limit num - Specifies the maximum number of concurrent Layer 7 requests allowed for a client. You can specify 1-1048575.
[no] request-rate-limit num per num-of-100ms - Specifies the maximum number of Layer 7 requests allowed for the client within the specified limit period. You can specify 1-4294967295 connections. The limit period can be 100-6553500 milliseconds (ms), specified in increments of 100 ms.
[no] over-limit-action [forward | reset] [lockout minutes] [log minutes] - Specifies the action to take when a client exceeds one or more of the limits. The command also configures lockout and enables logging. The action can be one of the following:
drop - The AX device drops that traffic. If logging is enabled, the AX device also generates a log message. (There is no drop keyword. This is the default action.)
forward - The AX device forwards the traffic. If logging is enabled, the AX device also generates a log message.
reset - For TCP, the AX device sends a TCP RST to the client. If logging is enabled, the AX device also generates a log message.
The lockout option specifies the number of minutes during which to apply the over-limit action after the client exceeds a limit. The lockout period is activated when a client exceeds any limit. The lockout period can be 1-1023 minutes.
The logging option generates log messages when clients exceed a limit. When you enable logging, a separate message is generated for each over-limit occurrence, by default. You can specify a logging period, in which case the AX device holds onto the repeated messages for the specified period, then sends one message at the end of the period for all instances that occurred within the period. The logging period can be 0-255 minutes. The default is 0 (no wait period).
[no] geo-location share
Enables sharing of PBSLB statistics counters for all virtual servers and virtual ports that use the template. This option causes the following counters to be shared:
Permit
Deny
Connection number
Connection limit

Note:

It is recommended to enable or disable this option before enabling GSLB. Changing the state of this option while GSLB is running can cause the related statistics counters to be incorrect.
[no] overlap
Enables overlap matching mode. If there are overlapping addresses in the black/white-list, use this option to enable the AX device to find the most precise match.

Default

The AX device does not have a default PBSLB template. When you configure one, the template has the following default settings:
bw-list id - None. Logging is disabled by default. If you enable it, the default for minutes is 3.
bw-list name - None
bw-list over-limit - drop
bw-list timeout - 5
bw-list use-destination-ip - Disabled. By default, the AX device matches by client source IP address.
class-list client-ip - Client's IP address is used.
class-list name - not set
class-list lid - Not set. When you create one, the limiting rule has the following default values:
conn-limit - Not set
conn-rate-limit - Not set
request-limit - Not set
request-rate-limit - Not set
over-limit-action - Drop. There is no default lockout period. Logging is disabled by default. The default logging period is 0 (no wait period).
geo-location share - disabled
overlap - disabled

Mode

Configure

Usage

The normal form of this command creates a PBSLB template. The no form of this command removes the template.
You can bind only one PBSLB template to a virtual port. However, you can bind the same PBSLB template to multiple ports.
PBSLB configuration on a virtual port can be set either using a template or by configuring the individual settings on the port. Individual PBSLB settings and a PBSLB template cannot be configured on the same virtual port.
The following commands configure a PBSLB template and bind it to a virtual port:

AX(config)#slb template policy bw1
AX(config-policy)#bw-list name bw1
AX(config-policy)#bw-list id 2 service srvcgroup2
AX(config-policy)#bw-list id 4 drop
AX(config-policy)#exit
AX(config)#slb virtual-server PBSLB_VS1 10.10.10.69
AX(config-slb virtual server)#port 80 http
AX(config-slb virtual server-slb virtua...)#template policy bw1

slb template port


Description

Configure a template of SLB settings for service ports on real servers.

Syntax

[no] slb template port template-name


Parameter

Description

template-name

Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified
real port template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command

Description

[no] conn-limit max-connections [resume connections] [no-logging]
Specifies the maximum number of connections allowed on ports that use this template.
The max-connections option specifies the maximum number of concurrent connections, 0-1048575.
The resume connections option specifies the maximum number of connections the port can have before the AX device resumes use of the port. You can specify 1-1048575 connections.
The no-logging option disables logging for the feature.
[no] conn-rate-limit connections [per {100ms | 1sec}] [no-logging]
Limits the rate of new connections the AX device is allowed to send to ports that use this template. When a real port reaches its connection limit, the AX device stops selecting the port to serve client requests.
connections - Maximum of new connections allowed on the port. You can specify 1-1048575 connections.
per {100ms | 1sec} - Specifies whether the connection rate limit applies to one-second intervals or 100-ms intervals. The default is one-second intervals (1sec).
The no-logging option disables logging for the feature.
[no] dest-nat
Enables destination Network Address Translation (NAT) on ports that use this template. Destination NAT is enabled by default, but is automatically disabled in Direct Server Return (DSR) configurations. You can re-enable destination NAT on individual ports for deployment of mixed DSR configurations, which use backup servers across Layer 3 (in different subnets).
[no] dscp number
Sets the differentiated services code point (DSCP) value in the IP header of a client request before sending the request to ports that use this template. The number specifies the DSCP value and can be 1-63. By default, DSCP is not set by the AX device.

[no] dynamic-member-priority num decrement delta
Configure service-group priority settings for ports on dynamically created servers. The num option sets the initial TTL for dynamically created service-group members, and can be 1-16. The delta option specifies how much to decrement the TTL if the IP address is not included in the DNS reply, and can be 0-7. When configuring the service group, add the port template to the member.
[no] health-check [monitor-name]
Enables health monitoring of ports that use this template. The monitor-name specifies the name of a configured health monitor.

[no] inband-health-check [retry maximum-retries] [reassign maximum-reassigns]
Supplements the standard Layer 4 health checks by using client-server traffic to check the health of service ports.
retry maximum-retries - Each client-server session has its own retry counter. The AX device increments a session's retry counter each time a SYN ACK is late. If the retry counter exceeds the configured maximum number of retries allowed, the AX device sends the next SYN for the session to a different server. The AX device also resets the retry counter to 0. You can set the retry counter to 0-7 retries.
reassign maximum-reassigns - Each real port has its own reassign counter. Each time the retry counter for any session is exceeded, the AX device increments the reassign counter for the server port. If the reassign counter exceeds the configured maximum number of reassignments allowed, the AX device marks the port down.
In this case, the port remains down until the next time the port successfully passes a standard health check. Once the port passes a standard health check, the AX device starts using the port again and resets the reassign counter to 0. You can set the reassign counter to 0-255 reassignments. The default is 25 reassignments.

Note:

A10 Networks recommends that you continue to use standard Layer 4 health monitoring even if you enable in-band health monitoring. Without standard health monitoring, a server port marked down by an in-band health check remains down.
[no] slow-start [from starting-conn-limit] [times scale-factor | add conn-incr] [every interval] [till ending-conn-limit]
Provides time for real ports that use the template to ramp-up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the ports.
from starting-conn-limit - Maximum number of concurrent connections to allow on the service port after it first comes up. You can specify from 1-4095 concurrent connections. The default is 128.
times scale-factor | add conn-incr - Amount by which to increase the maximum number of concurrent connections allowed. You can use one of the following methods to specify the increment:
times scale-factor - The scale factor is the number by which to multiply the starting connection limit. For example, if the scale factor is 2 and the starting connection limit is 128, the AX device increases the connection limit to 256 after the first ramp-up interval. The scale factor can be 2-10. The default is 2.
add conn-incr - As an alternative to specifying a scale factor, you can instead specify how many more concurrent connections to allow. You can specify 1-4095 new connections.
every interval - Number of seconds between each increase of the number of concurrent connections allowed. For example, if the ramp-up interval is 10 seconds, the number of concurrent connections to allow is increased every 10 seconds. The ramp-up interval can be 1-60 seconds. The default is 10 seconds.
till ending-conn-limit - Maximum number of concurrent connections to allow during the final ramp-up interval. After the final ramp-up interval, the slow start is over and does not limit further connections to the server. You can specify from 1-65535 connections. The default is 4096.

Note:

If a normal runtime connection limit is also configured (for example, by the conn-limit command), and the normal connection limit is smaller than the slow-start ending connection limit, the AX device limits slow-start connections to the maximum allowed by the normal connection limit.
source-nat pool-name
Specifies the IP NAT pool to use for assigning source IP addresses to client traffic sent to ports that use this template. When the AX device performs NAT for a port that is bound to the template, the device selects an IP address from the pool.
[no] weight number
Specifies the load-balancing preference for ports that use this template. You can specify 1-100. A higher weight gives more favor to the server and port relative to the other servers and ports. Default is 1.
This option applies only to the weighted-least-connection, service-weighted-least-connection, and weighted-rr (weighted round robin) load-balancing methods.
Default

The AX device has a default real port template, called default. The default port template has the same default settings as the individual parameters you can configure in the template. Here are the defaults:
conn-limit - 8000000 (8 million)
conn-rate-limit - Not set; when enabled, the default sampling rate is per 1-sec.
dest-nat - Not set
dscp - Not set
dynamic-member-priority - priority 16 and delta 0
health-check - If you omit this command or you enter it without the monitor-name option, the default TCP or UDP health monitor is used:
TCP - Every 30 seconds, the AX device sends a connection request (TCP SYN) to the specified TCP port on the server. The port passes the health check if the server replies to the AX device by sending a TCP SYN ACK.
UDP - Every 30 seconds, the AX device sends a packet with a valid UDP header and a garbage payload to the UDP port. The port passes the health check if the server either does not reply, or replies with any type of packet except an ICMP Error message.
inband-health-check - Disabled. When enabled, the feature has the following defaults: maximum-retries 2; maximum-reassigns 25.
slow-start - Not set
source-nat - Not set
weight - 1

Mode

Configure

Usage

The normal form of this command creates a real port template. The no
form of this command removes the template.
You can bind only one real port template to a real port. However, you can
bind the real port template to multiple real ports.

Some of the parameters that can be set using a template can also be set or
changed on the individual port.
If a parameter is set (or changed from its default) in both a template and on the individual port, the setting on the individual port takes precedence.
If a parameter is set (or changed from its default) in a template but is not set or changed from its default on the individual port, the setting in the template takes precedence.
If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection
counter for the virtual port or server in show command output and in the
GUI may become incorrect. To avoid this, do not change the connection
limiting configuration until the virtual server or port does not have any
active connections.
Example

The following commands configure a real port template named common-rpsettings, enable slow-start in the template, and bind the template to a real port:

AX(config)#slb template port common-rpsettings
AX(config-rport)#slow-start from 256
AX(config-rport)#exit
AX(config)#slb server rs1 10.1.1.2
AX(config-real server)#port 80 tcp
AX(config-real server-node port)#template port common-rpsettings
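
The retry and reassign counters that the inband-health-check description walks through can be traced with the following added Python model. It is not A10 code: the class and function names are hypothetical, and it assumes "exceeds" means strictly greater than the configured maximum.

```python
from dataclasses import dataclass, field


@dataclass
class RealPort:
    """Added model of one real port's in-band health-check state (not A10 code)."""
    name: str
    max_retries: int = 2       # default stated on this page; valid range 0-7
    max_reassigns: int = 25    # default stated on this page; valid range 0-255
    reassign_count: int = 0    # one reassign counter per real port
    up: bool = True
    retries: dict = field(default_factory=dict, repr=False)  # session id -> retry counter

    def __post_init__(self):
        if not 0 <= self.max_retries <= 7:
            raise ValueError("retry must be 0-7")
        if not 0 <= self.max_reassigns <= 255:
            raise ValueError("reassign must be 0-255")

    def late_syn_ack(self, session_id):
        """Record one late SYN ACK for a session on this port.

        Returns "retry" (the session stays on this port), "reassign" (the next
        SYN for the session goes to a different server) or "down" (the port is
        marked down).
        """
        if not self.up:
            return "down"
        count = self.retries.get(session_id, 0) + 1
        if count <= self.max_retries:
            self.retries[session_id] = count
            return "retry"
        # Retry counter exceeded: reset it and charge the port one reassign.
        self.retries[session_id] = 0
        self.reassign_count += 1
        if self.reassign_count > self.max_reassigns:
            self.up = False
            return "down"
        return "reassign"

    def standard_health_check(self, passed):
        """Only a passed standard health check brings a down port back up."""
        if passed and not self.up:
            self.up = True
            self.reassign_count = 0
        return self.up


def late_syn_acks_until_down(port):
    """Feed late SYN ACKs, one session at a time, until the port is marked down."""
    events, session = 0, 0
    while port.up:
        outcome = port.late_syn_ack(session)
        events += 1
        if outcome != "retry":
            session += 1  # that session has moved to a different server
    return events


if __name__ == "__main__":
    port = RealPort("rs1:80")
    print(late_syn_acks_until_down(port), "late SYN ACKs mark the port down")
    print("up after a failed standard check:", port.standard_health_check(False))
    print("up after a passed standard check:", port.standard_health_check(True))
```

With the default counters the port goes down after 26 reassignments of 3 late SYN ACKs each, and it stays down until a standard health check passes, which is why the Note recommends keeping standard Layer 4 monitoring enabled.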

slb template server


Syntax

[no] slb template server template-name


Parameter

Description

template-name

Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified
real server template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command

Description

[no] conn-limit max-connections [resume connections] [no-logging]
Specifies the maximum number of connections allowed on real servers that use this template.
The max-connections option specifies the maximum number of concurrent connections, 0-1048575.
The resume connections option specifies the maximum number of connections the server can have before the AX device resumes use of the server. You can specify 1-1048575 connections.
The no-logging option disables logging for the feature.
[no] conn-rate-limit connections [per {100ms | 1sec}] [no-logging]
Limits the rate of new connections the AX device is allowed to send to servers that use this template. When a real server reaches its connection limit, the AX device stops selecting the server for client requests.
connections - Maximum of new connections allowed on a server. You can specify 1-1048575 connections.
per {100ms | 1sec} - Specifies whether the connection rate limit applies to one-second intervals or 100-ms intervals.
The no-logging option disables logging for the feature.
[no] dns-query-interval minutes
Specifies how often the AX device sends DNS queries for the IP addresses of dynamic real servers. You can specify 1-1440 minutes (one day).
[no] dynamic-server-prefix string
Specifies the prefix added to the front of dynamically created servers. You can specify a string of 1-3 characters.
[no] health-check [monitor-name]
Enables health monitoring of ports that use this template. The monitor-name specifies the name of a configured health monitor.
If you omit this command or you enter it without the monitor-name option, the default ICMP health monitor is used: an ICMP ping (echo request) is sent every 30 seconds. If the ping fails 2 times consecutively, the AX device sets the server state to DOWN.
[no] max-dynamic-server num
Specifies the maximum number of dynamic real servers that can be created for a given hostname. You can specify 1-1023.
[no] min-ttl-ratio num
Specifies the minimum initial value for the TTL of dynamic real servers. The AX device multiplies this value by the TTL in the DNS reply to calculate the minimum TTL value to assign to the dynamically created server. The min-ttl-ratio can be 2-15.

[no] slow-start [from starting-conn-limit] [times scale-factor | add conn-incr] [every interval] [till ending-conn-limit]
Provides time for real ports that use the template to ramp-up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the ports.
from starting-conn-limit - Maximum number of concurrent connections to allow on the server after it first comes up. You can specify from 1-4095 concurrent connections. The default is 128.
times scale-factor | add conn-incr - Amount by which to increase the maximum number of concurrent connections allowed. You can use one of the following methods to specify the increment:
times scale-factor - The scale factor is the number by which to multiply the starting connection limit. For example, if the scale factor is 2 and the starting connection limit is 128, the AX device increases the connection limit to 256 after the first ramp-up interval. The scale factor can be 2-10. The default is 2.
add conn-incr - As an alternative to specifying a scale factor, you can instead specify how many more concurrent connections to allow. You can specify 1-4095 new connections.
every interval - Number of seconds between each increase of the number of concurrent connections allowed. For example, if the ramp-up interval is 10 seconds, the number of concurrent connections to allow is increased every 10 seconds. The ramp-up interval can be 1-60 seconds. The default is 10 seconds.
till ending-conn-limit - Maximum number of concurrent connections to allow during the final ramp-up interval. After the final ramp-up interval, the slow start is over and does not limit further connections to the server. You can specify from 1-65535 connections. The default is 4096.

Note:

If a normal runtime connection limit is also configured on the server (for example, by the conn-limit command), and the normal connection limit is smaller than the slow-start ending connection limit, the AX device limits slow-start connections to the maximum allowed by the normal connection limit.

Default

The AX device has a default real server template, called default. The default server template has the same default settings as the individual parameters you can configure in the template. Here are the defaults:
conn-limit - 8000000 (8 million)
conn-rate-limit - Not set; when enabled, the default sampling rate is per 1-sec.
dns-query-interval - 10 minutes
dynamic-server-prefix - DRS (for Dynamic Real Servers)
health-check - If you omit this command or you enter it without the monitor-name option, the default ICMP health monitor is used. An ICMP ping (echo request), sent every 30 seconds. If the ping fails 2 times consecutively, the AX device sets the server state to DOWN.
max-dynamic-server - 255
min-ttl-ratio - 2
slow-start - Not set

Mode

Configure

Usage

The normal form of this command creates a real server template. The no
form of this command removes the template.
You can bind only one real server template to a real server. However, you
can bind the real server template to multiple real servers.
Some of the parameters that can be set using a template can also be set or
changed on the individual server.
If a parameter is set (or changed from its default) in both a template and on the individual server, the setting on the individual server takes precedence.
If a parameter is set (or changed from its default) in a template but is not set or changed from its default on the individual server, the setting in the template takes precedence.
If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection
counter for the virtual port or server in show command output and in the
GUI may become incorrect. To avoid this, do not change the connection
limiting configuration until the virtual server or port does not have any
active connections.

Example

The following commands configure a real server template called rs-tmplt1 and bind the template to two real servers:

AX(config)#slb template server rs-tmplt1
AX(config-rserver)#health-check ping2
AX(config-rserver)#conn-limit 500000
AX(config-rserver)#exit
AX(config)#slb server rs1 10.1.1.99
AX(config-real server)#template server rs-tmplt1
AX(config-real server)#exit
AX(config)#slb server rs2 10.1.1.100
AX(config-real server)#template server rs-tmplt1

Example

The following commands configure hostname server parameters in a server port template and a server template:

AX(config)#slb template port temp-port
AX(config-rport)#dynamic-member-priority 12
AX(config-rport)#exit
AX(config)#slb template server temp-server
AX(config-rserver)#dns-query-interval 5
AX(config-rserver)#min-ttl-ratio 3
AX(config-rserver)#max-dynamic-server 16
AX(config-rserver)#exit
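
The slow-start options described for both the real port template and the real server template combine into a ramp-up schedule, which the following added Python example computes (not A10 code; function names are hypothetical). It assumes that each interval multiplies or adds to the current limit, since the text shows only the first step (128 to 256), and that a step which overshoots the ending limit is capped at it.

```python
def slow_start_schedule(start=128, times=None, add=None, every=10,
                        till=4096, conn_limit=None):
    """Return [(seconds_since_service_up, max_concurrent_connections), ...].

    Defaults and ranges are the ones documented for slow-start on this page.
    conn_limit models a normal runtime limit set with conn-limit; the Note
    says the smaller of the two limits wins.
    """
    if times is not None and add is not None:
        raise ValueError("times and add are alternatives; give only one")
    if times is None and add is None:
        times = 2  # documented default scale factor
    if not 1 <= start <= 4095:
        raise ValueError("from must be 1-4095")
    if times is not None and not 2 <= times <= 10:
        raise ValueError("times must be 2-10")
    if add is not None and not 1 <= add <= 4095:
        raise ValueError("add must be 1-4095")
    if not 1 <= every <= 60:
        raise ValueError("every must be 1-60 seconds")
    if not 1 <= till <= 65535:
        raise ValueError("till must be 1-65535")
    # conn-limit also accepts 0, but the page does not say what 0 means,
    # so this example only models 1-1048575.
    if conn_limit is not None and not 1 <= conn_limit <= 1048575:
        raise ValueError("conn_limit must be 1-1048575 in this example")

    ceiling = till if conn_limit is None else min(till, conn_limit)
    schedule = []
    elapsed, limit = 0, min(start, ceiling)
    while True:
        schedule.append((elapsed, limit))
        if limit >= ceiling:
            return schedule
        grown = limit * times if times is not None else limit + add
        limit = min(grown, ceiling)  # assumption: overshoot is capped
        elapsed += every


def slow_start_ends_at(schedule, every=10):
    """Seconds after which slow start no longer limits connections."""
    return schedule[-1][0] + every


if __name__ == "__main__":
    for label, sched in [
        ("defaults", slow_start_schedule()),
        ("slow-start from 256", slow_start_schedule(start=256)),
        ("defaults with conn-limit 1000", slow_start_schedule(conn_limit=1000)),
    ]:
        print(label, sched)
```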

slb template server-ssl


Description

Configure the AX device to validate real servers based on their certificates.

Syntax

[no] slb template server-ssl template-name
Parameter

Description

template-name

Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified
server-SSL template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)

Command

Description

[no] ca-cert certificate-name
Name of the CA certificate.
[no] cipher
Specifies the cipher suite to support for certificates from servers:
SSL3_RSA_DES_192_CBC3_SHA
SSL3_RSA_DES_40_CBC_SHA
SSL3_RSA_DES_64_CBC_SHA
SSL3_RSA_RC4_128_MD5
SSL3_RSA_RC4_128_SHA
SSL3_RSA_RC4_40_MD5
TLS1_RSA_AES_128_SHA
TLS1_RSA_AES_256_SHA
TLS1_RSA_EXPORT1024_RC4_56_MD5
TLS1_RSA_EXPORT1024_RC4_56_SHA

Default

The configuration does not have a default server-side SSL template. If you
create one, all the cipher suite options listed in the Syntax section are
enabled by default.

Mode

Configure

Usage

The normal form of this command creates a server-SSL configuration template. The no form of this command removes the template.
The certificate must be imported onto the AX Series. To import a certificate,
use the import or slb ssl-load command. They are equivalent. (See
import on page 59 or slb ssl-load on page 298.)
You can bind only one server-SSL template to a virtual port. However, you
can bind the same server-SSL template to multiple ports.
If you add, remove, or replace a certificate in a server-SSL template that is
already bound to a VIP, the AX device does not use the changes. To change
the certificates in a server-SSL template, unbind the template from the VIP
and delete the template. Configure a new template with the changed certificates and bind the new template to the VIP.
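
Because a new server-SSL template enables every suite in the cipher list by default, it helps to see which of those ten names rely on short keys, RC4, 3DES or MD5. The following Python audit is an added example, not A10 code; the function names are hypothetical, and the suite names are parsed exactly as they are written in the list above.

```python
import re

# The ten suite names this page lists for the cipher command.
PAGE_SUITES = [
    "SSL3_RSA_DES_192_CBC3_SHA",
    "SSL3_RSA_DES_40_CBC_SHA",
    "SSL3_RSA_DES_64_CBC_SHA",
    "SSL3_RSA_RC4_128_MD5",
    "SSL3_RSA_RC4_128_SHA",
    "SSL3_RSA_RC4_40_MD5",
    "TLS1_RSA_AES_128_SHA",
    "TLS1_RSA_AES_256_SHA",
    "TLS1_RSA_EXPORT1024_RC4_56_MD5",
    "TLS1_RSA_EXPORT1024_RC4_56_SHA",
]

# <protocol>_RSA_[EXPORT1024_]<cipher>_<bits>[_CBC|_CBC3]_<mac>
SUITE_NAME = re.compile(
    r"^(?:SSL3|TLS1)_RSA_(?P<export>EXPORT1024_)?"
    r"(?P<cipher>DES|RC4|AES)_(?P<bits>\d+)(?P<mode>_CBC3?)?_(?P<mac>MD5|SHA)$"
)


def weaknesses(name):
    """Return the reasons a suite name is considered weak (empty list if none)."""
    m = SUITE_NAME.match(name)
    if m is None:
        return ["name not in the documented format"]
    reasons = []
    bits = int(m["bits"])  # key size as written in the suite name
    if m["export"]:
        reasons.append("export-grade suite")
    if bits <= 64:
        reasons.append(f"{bits}-bit key")
    if m["cipher"] == "RC4":
        reasons.append("RC4 (prohibited in TLS by RFC 7465)")
    if m["cipher"] == "DES" and m["mode"] == "_CBC3":
        reasons.append("3DES, 64-bit block size")
    if m["mac"] == "MD5":
        reasons.append("MD5-based MAC")
    return reasons


def audit(enabled=None):
    """Map each enabled suite to its weaknesses.

    enabled=None models a freshly created template, where the page says all
    listed suites are enabled.
    """
    suites = PAGE_SUITES if enabled is None else enabled
    return {name: weaknesses(name) for name in suites}


def suites_to_keep(enabled=None):
    """Suites with no finding, in their original order."""
    return [name for name, reasons in audit(enabled).items() if not reasons]


if __name__ == "__main__":
    for name, reasons in audit().items():
        print(f"{name:34} {'; '.join(reasons) or 'no finding'}")
    print("keep:", suites_to_keep())
```

Run against the default set, the audit leaves only the two AES suites without a finding.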

slb template sip (SIP over UDP)


Description

Configure separate load balancing of Session Initiation Protocol (SIP) registration traffic and non-registration traffic for SIP clients.

Note:

Except for the timeout command, none of the commands in this section are applicable to SIP over TCP/TLS. To configure a template for SIP over TCP/TLS, see slb template sip (SIP over TCP/TLS) on page 358.

Syntax

[no] slb template sip template-name

Parameter

Description

template-name

Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified
SIP template, where the following commands are available:
Command

Description

[no] header-erase string
Erases the specified SIP header from the SIP request before sending it to a SIP Registrar. Header names can be 1-255 characters long.
[no] header-insert string
Inserts the specified SIP header into the SIP request before sending it to a SIP Registrar. Header names can be 1-255 characters long.
[no] header-replace string new-string
Replaces the specified SIP header in the SIP request before sending it to a SIP Registrar. Header names can be 1-255 characters long.
[no] pass-real-server-ip-for-acl acl-id
Disables reverse NAT based on the IP addresses in an extended ACL. This command is useful in cases where a SIP server needs to reach another server, and the traffic must pass through the AX device.
[no] registrar service-group group-name
Specifies the name of a service group of SIP Registrar servers.
[no] timeout minutes
Specifies the number of minutes a call can remain idle before the AX Series terminates it. You can specify 1-250 minutes.

Default

The configuration does not have a default SIP over UDP template. If you
create one, the default timeout is 30 minutes. The other parameters are unset
by default.

Mode

Configure

Usage

The normal form of this command creates a SIP configuration template. The
no form of this command removes the template.
You can bind only one SIP template to a virtual port. However, you can bind
the same SIP template to multiple ports.

Example

The following commands configure a SIP template named Registrar_template:

AX(config)#slb template sip Registrar_template
AX(config-SIP LB template)#registrar service-group Registrar_gp
AX(config-SIP LB template)#header-insert Max-Forwards:22
AX(config-SIP LB template)#header-replace Max-Forwards 15
AX(config-SIP LB template)#header-erase Contact

slb template sip (SIP over TCP/TLS)


Description

Configure separate load balancing of Session Initiation Protocol (SIP) registration traffic and non-registration traffic for SIP over TCP/TLS.

Note:

Except for the timeout command, none of the commands in this section are applicable to SIP over UDP. To configure a template for SIP over UDP, see slb template sip (SIP over UDP) on page 356.

Syntax

[no] slb template sip template-name

Parameter

Description

template-name

Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified
SIP template, where the following commands are available:

Command    Description

[no] client-keep-alive
Enables the AX device to respond to SIP pings from clients on behalf of
SIP servers. When this option is enabled, the AX device responds to a
SIP ping from a client with a pong. This option is disabled by default.

Note:

If connection reuse is configured, even if client keepalive is disabled, the
AX device will respond to a client SIP ping with a pong.

[no] exclude-translation {body | header string | start-line}
Disables translation of the virtual IP address and virtual port in specific
portions of SIP messages:
body - Does not translate virtual IP addresses and virtual ports in the body
of the message.
header string - Does not translate virtual IP addresses and virtual ports in
the specified header.
start-line - Does not translate virtual IP addresses and virtual ports in the
SIP request line or status line.

Note:

Regardless of the settings for this option, the AX device never translates
addresses in Call-ID or X-Forwarded-For headers.

[no] insert-client-ip
Inserts an X-Forwarded-For: IP-address:port header into SIP packets from the
client to the SIP server. The header contains the client IP address and source
protocol port number. The AX device uses the header to identify the client
when forwarding a server reply. This option is disabled by default.

[no] select-client-fail {string | drop}
Specifies the AX response when selection of a SIP client fails. You can
specify one of the following:
string - Message string to send to the server; for example: 480 Temporarily
Unavailable. If the message string contains a blank, use double quotation
marks around the string.
drop - Drops the traffic.

[no] server-keep-alive seconds
For configurations that use a connection-reuse template, this option specifies
how often the AX device sends a SIP ping on each persistent connection. The AX
device silently drops the server's reply.
If the server does not reply to a SIP ping within the connection-reuse
timeout, the AX device closes the persistent connection. (The connection-reuse
timeout is configured by the timeout command at the configuration level for
the connection-reuse template. See slb template connection-reuse on page 313.)
You can specify 5-300 seconds.

Note:

This option is applicable only if the configuration includes a
connection-reuse template.

[no] select-server-fail {string | drop}
Specifies the AX response when selection of a SIP server fails. You can
specify one of the following:
string - Message string to send to the client; for example: 504 Server
Time-out. If the message string contains a blank, use double quotation marks
around the string.
drop - Drops the traffic.

[no] timeout minutes
Specifies the number of minutes a SIP session can remain idle before the AX
device terminates it. You can specify 1-250 minutes.

Default

The configuration does not have a default SIP over TCP/TLS template. If
you create one, the template has the following default settings, for the
parameters that are applicable to SIP over TCP/TLS:
client-keep-alive - Disabled
exclude-translation - Not set. The AX device does not translate addresses in
any header except the top Via header.
insert-client-ip - Disabled
select-client-fail - Not set. The AX device resets the connection.
server-keep-alive - 30
select-server-fail - Not set. The AX device resets the connection.
timeout - 30

Mode

Configure

Usage

The normal form of this command creates a SIP configuration template. The
no form of this command removes the template.
You can bind only one SIP template to a virtual port. However, you can bind
the same SIP template to multiple ports.

Example

The following commands configure a SIP over TCP/TLS template:

AX(config)#slb template sip siptls-tmplt
AX(config-SIP LB template)#insert-client-ip
AX(config-SIP LB template)#client-keep-alive
AX(config-SIP LB template)#select-client-fail "480 Temporarily Unavailable"
AX(config-SIP LB template)#select-server-fail "504 Server Time-out"
AX(config-SIP LB template)#exclude-translation header Authentication

slb template smtp


Description

Configure STARTTLS support for Simple Mail Transfer Protocol (SMTP) clients.

Syntax

[no] slb template smtp template-name

Parameter        Description
template-name    Name of the template, 1-31 characters long.

This command changes the CLI to the configuration level for the specified
SMTP template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)

Command    Description

[no] client-domain-switching {starts-with | contains | ends-with} string
service-group group-name
Selects a service group based on the domain of the client. You can specify all
or part of the client domain name. This command is applicable when you have
multiple SMTP service groups.
starts-with string - matches only if the client's domain name starts with
string.
contains string - matches if the string appears anywhere within the domain
name of the client.
ends-with string - matches only if the client's domain name ends with string.

[no] command-disable [vrfy] [expn] [turn]
Disables support of the specified SMTP commands. If a client tries to issue a
disabled SMTP command, the AX sends the following message to the client:
502 - Command not implemented
If you enter this command without specifying a command name, all the listed
SMTP commands (VRFY, EXPN, and TURN) are disabled.

[no] server-domain name
Specifies the email server domain. This is the domain for which the AX Series
device provides SMTP load balancing.

[no] service-ready-message string
Specifies the text of the SMTP service-ready message sent to clients. The
complete message sent to the client is constructed as follows:
200 - smtp-domain service-ready-string

starttls {disable | optional | enforced}
Specifies whether use of STARTTLS by clients is required:
disable - Clients cannot use STARTTLS. Use this option if you need to disable
STARTTLS support but you do not want to remove the configuration.
optional - Clients can use STARTTLS but are not required to do so.
enforced - Before any mail transactions are allowed, the client must issue the
STARTTLS command to establish a secured session. If the client does not issue
the STARTTLS command, the AX sends the following message to the client:
"530 - Must issue a STARTTLS command first"

Default

The configuration has a default SMTP template, with the following settings:
client-domain-switching - Not set. All client domains match, and any service
group can be used.
command-disable - VRFY, EXPN, and TURN are enabled.
server-domain - mail-server-domain
service-ready-message - "ESMTP mail service ready"
starttls - disabled

To display the default SMTP template settings, use the show slb template
smtp default command.

Usage

The normal form of this command creates an SMTP template. The no form of this
command removes the template.
You can bind only one SMTP template to a virtual port. However, you can
bind the same SMTP template to multiple ports.
The starts-with, contains, and ends-with options are always applied in the
following order, regardless of the order in which the commands appear in
the configuration. The service group for the first match is used.
starts-with
contains
ends-with

If a template has more than one command with the same option (starts-with,
contains, or ends-with) and a client domain matches on more than one of them,
the most-specific match is always used.
If a contains rule and an ends-with rule match on exactly the same string,
the ends-with rule is used, because it has the more specific match. Here is
an example of a set of client-domain-switching rules in an SMTP template.
The numbers to the right indicate the precedence of the rules when matching
on client domain name localhost. In this case, the last rule is the best
match and will be used.

client-domain-switching contains localhost service-group sg-a       (4)
client-domain-switching contains local service-group sg-b           (5)
client-domain-switching ends-with host service-group sg-c           (6)
client-domain-switching ends-with localhost service-group sg-d      (3)
client-domain-switching starts-with local service-group sg-e        (2)
client-domain-switching starts-with localhost service-group sg-f    (1)
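
The precedence rules above, modelled in Python as an added example (not A10 code; the device's own matching logic is not shown in this reference). It assumes case-sensitive comparison and returns None when no rule matches; both are assumptions, and the test domains other than localhost are constructed.

```python
from typing import List, NamedTuple, Optional

# Order in which the three options are applied, per the Usage text.
OPTION_ORDER = {"starts-with": 0, "contains": 1, "ends-with": 2}

# The six rules listed on the page (precedence annotations removed).
PAGE_RULES = """\
client-domain-switching contains localhost service-group sg-a
client-domain-switching contains local service-group sg-b
client-domain-switching ends-with host service-group sg-c
client-domain-switching ends-with localhost service-group sg-d
client-domain-switching starts-with local service-group sg-e
client-domain-switching starts-with localhost service-group sg-f
"""

# Rules from the page's smtp-domain example template.
SMTP_DOMAIN_RULES = """\
client-domain-switching starts-with smb service-group smtp-sg1
client-domain-switching contains company1 service-group smtp-sg2
client-domain-switching ends-with .com service-group smtp-sg3
"""


class Rule(NamedTuple):
    option: str          # starts-with | contains | ends-with
    string: str
    service_group: str


def parse_rules(config_text: str) -> List[Rule]:
    """Parse 'client-domain-switching <option> <string> service-group <name>'."""
    rules = []
    for line in config_text.splitlines():
        words = line.split()
        if (len(words) == 5 and words[0] == "client-domain-switching"
                and words[1] in OPTION_ORDER and words[3] == "service-group"):
            rules.append(Rule(words[1], words[2], words[4]))
    return rules


def matches(rule: Rule, domain: str) -> bool:
    if rule.option == "starts-with":
        return domain.startswith(rule.string)
    if rule.option == "ends-with":
        return domain.endswith(rule.string)
    return rule.string in domain


def rank(rules: List[Rule], domain: str) -> List[Rule]:
    """Return every matching rule, best match first."""
    hits = [r for r in rules if matches(r, domain)]
    # Option order first, then the longest (most specific) string.
    hits.sort(key=lambda r: (OPTION_ORDER[r.option], -len(r.string)))
    ranked: List[Rule] = []
    for rule in hits:
        if rule in ranked:
            continue
        if rule.option == "contains":
            # Tie-break from the text: an ends-with rule on exactly the same
            # string outranks the contains rule.
            for other in hits:
                if (other.option == "ends-with" and other.string == rule.string
                        and other not in ranked):
                    ranked.append(other)
        ranked.append(rule)
    return ranked


def select_service_group(rules: List[Rule], domain: str) -> Optional[str]:
    ranked = rank(rules, domain)
    return ranked[0].service_group if ranked else None


if __name__ == "__main__":
    for position, rule in enumerate(rank(parse_rules(PAGE_RULES), "localhost"), 1):
        print(position, rule.option, rule.string, rule.service_group)
```

Running it against a planned rule set before committing the template shows which service group a given client domain will reach, which matters when a broad contains rule could shadow a narrower ends-with rule.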

Example

The following commands configure an SMTP template named secure-mail. The
template enforces use of STARTTLS by mail clients, disables client use of
certain SMTP commands, and directs clients to a service group based on client
domain.

AX(config)#slb template smtp secure-mail
AX(config-SMTP template)#starttls enforced
AX(config-SMTP template)#command-disable expn turn vrfy
AX(config-SMTP template)#client-domain-switching contains hq service-group smtp-sg1
AX(config-SMTP template)#client-domain-switching contains northdakota service-group smtp-sg2

Example

The following commands configure an SMTP template called smtp-domain. The
template uses client domain switching to select a service group based on the
email client's domain. Clients from any domain that starts with smb are sent
to service group smtp-sg1. Clients whose domain name does not start with smb
and whose domain name contains company1 are sent to service group smtp-sg2.
Clients whose domain name does not match on the starts-with or contains
strings and ends with .com are sent to service group smtp-sg3.

AX(config)#slb template smtp smtp-domain
AX(config-SMTP template)#client-domain-switching starts-with smb service-group smtp-sg1
AX(config-SMTP template)#client-domain-switching contains company1 service-group smtp-sg2
AX(config-SMTP template)#client-domain-switching ends-with .com service-group smtp-sg3
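
An added audit sketch in Python (not part of the A10 reference) that reads CLI sessions in the prompt format of the examples above and reports SMTP templates that keep the documented defaults of STARTTLS not enforced and VRFY, EXPN and TURN enabled. The legacy-mail template is constructed sample input, and treating the no form of command-disable as re-enabling the listed commands is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Prompt format used in the page's examples: AX(config)# or AX(config-<mode>)#
PROMPT = re.compile(r"^AX\(config(?:-([^)]*))?\)#\s*(.*)$")
SMTP_VERBS = ("vrfy", "expn", "turn")

# secure-mail and smtp-domain follow the page's examples (abridged);
# legacy-mail is constructed for this example.
SESSION = """\
AX(config)#slb template smtp secure-mail
AX(config-SMTP template)#starttls enforced
AX(config-SMTP template)#command-disable expn turn vrfy
AX(config-SMTP template)#client-domain-switching contains hq service-group smtp-sg1
AX(config)#slb template smtp smtp-domain
AX(config-SMTP template)#client-domain-switching starts-with smb service-group smtp-sg1
AX(config)#slb template smtp legacy-mail
AX(config-SMTP template)#starttls optional
AX(config-SMTP template)#command-disable vrfy
"""


def new_template() -> dict:
    # Defaults from the Default section: starttls disabled, all verbs enabled.
    return {"starttls": "disable", "disabled": set()}


def apply_command(template: dict, words: List[str]) -> None:
    negate = words[0] == "no"
    if negate:
        words = words[1:]
    if not words:
        return
    if words[0] == "starttls" and len(words) == 2 and not negate:
        template["starttls"] = words[1]
    elif words[0] == "command-disable":
        # With no verb named, all three listed commands are affected.
        verbs = {w.lower() for w in words[1:]} or set(SMTP_VERBS)
        if negate:
            template["disabled"] -= verbs   # assumption: "no" re-enables them
        else:
            template["disabled"] |= verbs


def parse_session(text: str) -> Dict[str, dict]:
    templates: Dict[str, dict] = {}
    current = None
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        mode, words = m.group(1), m.group(2).split()
        if not words:
            continue
        if mode is None:
            # Global configuration level: only this command opens an SMTP template.
            if words[:3] == ["slb", "template", "smtp"] and len(words) == 4:
                current = templates.setdefault(words[3], new_template())
            else:
                current = None
        elif mode == "SMTP template" and current is not None:
            apply_command(current, words)
    return templates


def audit(templates: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Return (template, setting, detail) for each setting left weaker than
    the secure-mail example: STARTTLS not enforced, verbs still enabled."""
    findings = []
    for name in sorted(templates):
        t = templates[name]
        if t["starttls"] != "enforced":
            findings.append((name, "starttls", t["starttls"]))
        enabled = [v.upper() for v in SMTP_VERBS if v not in t["disabled"]]
        if enabled:
            findings.append((name, "command-disable", ",".join(enabled)))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_session(SESSION)):
        print(*finding)
```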


slb template streaming-media


Description

Configure load balancing of multimedia content.

Syntax

[no] slb template streaming-media template-name


Parameter        Description
template-name    Name of the template, 1-31 characters long.

This command changes the CLI to the configuration level for the specified
streaming-media template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command    Description

[no] uri-switching stream uri-string service-group group-name
Specifies the service group to which to send requests for the URI.

Note:

This option is supported only for Windows Media Server.

Default

The configuration does not have a default streaming-media template.
If the URI string in a request does not match any uri-switching stream
commands in the template, by default the request is sent to the service group
that is bound to the virtual port.

Mode

Configure

Usage

The normal form of this command creates a streaming-media template. The no
form of this command removes the template.
You can bind only one streaming-media template to a virtual port. However,
you can bind the same streaming-media template to multiple ports.

Example

The following command creates a streaming-media template named media1:

AX(config)#slb template streaming-media media1
AX(config-Streaming-media-template)#


slb template tcp


Description

Configure TCP connection settings.

Syntax

[no] slb template tcp template-name


Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified
TCP template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command    Description

[no] half-close-idle-timeout seconds
Enables aging of half-closed TCP sessions. A half-closed TCP session is a
session in which the server sends a FIN but the client does not reply with an
ACK. You can set the timeout to 60-15000 seconds.

[no] idle-timeout seconds
Specifies the number of seconds a connection can remain idle before the AX
Series device terminates it. You can specify 60-120000 seconds (about 33
hours).
Enter a value that is a multiple of 60 (60, 120, 1200, and so on). If you
enter a value that is not a multiple of 60, the AX device rounds to the
nearest multiple of 60. For example, if you enter 70, the actual timeout is
60 seconds.

[no] initial-window-size bytes
Sets the initial TCP window size in SYN ACK packets to clients. The TCP window
size in a SYN ACK or ACK packet specifies the amount of data that a client can
send before it needs to receive an ACK. You can set the initial TCP window
size to 1-65535 bytes.
The initial TCP window size applies only to the SYN ACKs sent to the client.
After the SYN ACK, the AX device does not modify the TCP window size for any
other packets in the session.

[no] reset-fwd
Sends a TCP RST to the real server after a session times out.

[no] reset-rev
Sends a TCP RST to the client after a session times out.

Note:

If the server is Down, the reset-rev option immediately sends the RST to
the client and does not wait for the session to time out.

Default

The configuration has a default TCP template, with the following default
settings:
half-close-idle-timeout - Not set. The AX device keeps half-closed sessions
open indefinitely.
idle-timeout - 120 seconds
initial-window-size - By default, the AX device uses the TCP window size set
by the client or server.
  - If the virtual port is one of the service types that is proxied by the
    AX device, initial TCP window size applies to SYN ACKs generated by the
    AX device and sent to clients. By default, the AX device uses the TCP
    window size in the client's SYN. The following service types are proxied
    by the AX device: http, https, fast-http, ssl-proxy, and smtp
  - If the virtual port is not one of the service types that is proxied by
    the AX device (for example, the tcp service type), initial TCP window
    size applies to SYN ACKs generated by servers and forwarded by the AX
    device to clients. By default, the AX device uses the TCP window size in
    the server's SYN ACK.

Note:

If SYN cookies are enabled, either globally or on the virtual service port,
the AX device acts as a TCP proxy even though the service type is not
normally proxied. In this case, the behavior is the same as for any of the
other service types TCP proxied by the AX device.

reset-fwd - Disabled
reset-rev - Disabled

Mode

Configure

Usage

The normal form of this command creates a TCP configuration template. The no
form of this command removes the template.
You can bind only one TCP template to a virtual port. However, you can
bind the same TCP template to multiple ports.

In AX releases prior to 2.2.2, the reset-rev option sent a RST to a client if a
server selection failure occurred. In AX Release 2.2.2 and later, the reset-rev
option does not send an RST if a server selection failure occurs. Instead,
use the reset-on-server-selection-fail option at the configuration level for
the service group or virtual port.

Example

The following commands change the idle timeout in TCP template tcp-tmpl2 to
120 seconds:

AX(config)#slb template tcp tcp-tmpl2
AX(config-L4 TCP LB template)#idle-timeout 120

Example

The following commands configure a TCP template named test that sets
the TCP window size to 1460 bytes, and bind the template to virtual service
port 22 on virtual server vs1:

AX(config)#slb template tcp test
AX(config-L4 TCP LB template)#initial-window-size 1460
AX(config-L4 TCP LB template)#exit
AX(config)#slb virtual-server vs1 1.1.1.1
AX(config-slb virtual server)#port 22 tcp
AX(config-slb virtual server-slb virtua...)#template tcp test

slb template tcp-proxy


Description

Configure TCP/IP stack parameters.

Syntax

[no] slb template tcp-proxy template-name


Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified
TCP-proxy template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command    Description

[no] fin-timeout seconds
Specifies the number of seconds that a connection can be in the FIN-WAIT or
CLOSING state before the AX Series terminates the connection. You can specify
1-60 seconds.

[no] half-close-idle-timeout seconds
Enables aging of half-closed TCP sessions. A half-closed TCP session is a
session in which the server sends a FIN but the client does not reply with an
ACK. You can set the timeout to 60-15000 seconds.

[no] idle-timeout seconds
Specifies the number of minutes that a connection can be idle before the AX
Series terminates the connection. You can specify 60-120000 seconds (about 33
hours).
Enter a value that is a multiple of 60 (60, 120, 1200, and so on). If you
enter a value that is not a multiple of 60, the AX device rounds to the
nearest multiple of 60. For example, if you enter 70, the actual timeout is
60 seconds.

[no] initial-window-size bytes
Sets the initial TCP window size in SYN ACK packets to clients. The TCP window
size in a SYN ACK or ACK packet specifies the amount of data that a client can
send before it needs to receive an ACK. You can set the initial TCP window
size to 1-65535 bytes.
The initial TCP window size applies only to the SYN ACKs sent to the client.
After the SYN ACK, the AX device does not modify the TCP window size for any
other packets in the session.

[no] mss
Minimum TCP Maximum Segment Size (MSS) for transmissions from clients. You can
specify 128-4312.

[no] nagle
Enables Nagle congestion compression (described in RFC 896).

[no] receive-buffer number
Maximum number of bytes addressed to the port that the AX Series will buffer.
You can specify 1-2147483647 bytes.

[no] retransmit-retries number
Maximum number of times the AX Series can retransmit a data segment for which
the AX Series does not receive an ACK. You can specify 1-20.

[no] syn-retries number
Maximum number of times the AX Series can retransmit a SYN for which the AX
Series does not receive an ACK. You can specify 1-20.

[no] timewait number
Specifies the number of seconds that a connection can be in the TIME-WAIT
state before the AX Series transitions it to the CLOSED state. You can specify
1-60 seconds.

[no] transmit-buffer number
Maximum number of bytes sent by the port that the AX Series will buffer. You
can specify 1-2147483647 bytes.

Default

The configuration has a default TCP template, with the following default
settings:
fin-timeout - 5 seconds
half-close-idle-timeout - Not set. The AX device keeps half-closed sessions
open indefinitely.
idle-timeout - 600 seconds
initial-window-size - By default, the AX device uses the TCP window size set
by the client or server.
  - If the virtual port is one of the service types that is proxied by the
    AX device, initial TCP window size applies to SYN ACKs generated by the
    AX device and sent to clients. By default, the AX device uses the TCP
    window size in the client's SYN. The following service types are proxied
    by the AX device: http, https, fast-http, ssl-proxy, and smtp
  - If the virtual port is not one of the service types that is proxied by
    the AX device (for example, the tcp service type), initial TCP window
    size applies to SYN ACKs generated by servers and forwarded by the AX
    device to clients. By default, the AX device uses the TCP window size in
    the server's SYN ACK.

Note:

If SYN cookies are enabled, either globally or on the virtual service port,
the AX device acts as a TCP proxy even though the service type is not
normally proxied. In this case, the behavior is the same as for any of the
other service types TCP proxied by the AX device.

mss - 538
nagle - disabled
receive-buffer - 87380 bytes
retransmit-retries - 3
syn-retries - 5
timewait - 5 seconds
transmit-buffer - 16384 bytes

Mode

Configure

Usage

The normal form of this command creates a TCP-proxy configuration template. The no form of this command removes the template.
You can bind only one TCP-proxy template to a virtual port. However, you
can bind the same TCP-proxy template to multiple ports.

Example

The following commands create a TCP-proxy template named ftp-proxy and set the
idle timeout to 240 minutes:

AX(config)#slb template tcp-proxy ftp-proxy
AX(config-TCP proxy template)#idle-timeout 240

slb template udp


Description

Configure UDP connection settings.

Syntax

[no] slb template udp template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified
UDP template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command    Description

aging {immediate | short [seconds]}
Specifies how quickly sessions are terminated when the request is received.
immediate
short
(See Usage below.)

Note:

It is recommended to explicitly set the aging in UDP templates used for
DNS virtual ports.

[no] idle-timeout seconds
Specifies the number of seconds a connection can remain idle before the AX
Series terminates it. You can specify 60-120000 seconds (about 33 hours).
Enter a value that is a multiple of 60 (60, 120, 1200, and so on). If you
enter a value that is not a multiple of 60, the AX device rounds to the
nearest multiple of 60. For example, if you enter 70, the actual timeout is
60 seconds.

[no] re-select-if-server-down
Configures the AX device to select another real server if the server that is
bound to an active connection goes down. Without this option, another server
is not selected.

Default

The configuration has a default UDP template. The template has the following
defaults:
aging - Not set. The idle-timeout value in the template is used instead.
idle-timeout - 120 seconds
re-select-if-server-down - disabled

Mode

Configure

Usage

The normal form of this command creates a UDP configuration template. The no
form of this command removes the template.
You can bind only one UDP template to a virtual port. However, you can
bind the same UDP template to multiple ports.
UDP Session Aging
Table 3 describes UDP session aging in the current release and previous
releases.

Note:

You can configure aging short or aging immediate, or leave aging unset.
Aging short and aging immediate can not both be enabled.

TABLE 3  UDP Session Aging (Current Release)

Aging Configuration   Response Received                        No Response
Aging Short           Session is terminated within 1 second.   Session is terminated after configured short aging period.
Aging Immediate       Session is terminated within 1 second.   Idle timeout value in UDP template is used.
Not Set (Default)     Session is terminated within 1 second.   Idle timeout value in UDP template is used.

If you enable short aging, you can set the aging interval to 1-6 seconds. The
default short aging period is 3 seconds.

Example

The following commands create a UDP template named udp-quickterm and set
session termination to occur immediately after a response is received:

AX(config)#slb template udp udp-quickterm
AX(config-L4 UDP LB template)#aging immediate

slb template virtual-port


Description

Configure a template of SLB settings for virtual service ports.

Syntax

[no] slb template virtual-port template-name

Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified
virtual port template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command    Description

[no] conn-limit max-connections [reset] [no-logging]
Specifies the maximum number of connections allowed on virtual ports that use
this template.
The max-connections option specifies the maximum number of concurrent
connections, 0-1048575.
The reset option specifies the action to take for connections after the
connection limit is reached on the virtual server port. By default, excess
connections are dropped. If you change the action to reset, the connections
are reset instead. Excess connections are dropped by default. The no-logging
option disables logging for the feature.

[no] conn-rate-limit connections [per {100ms | 1sec}] [reset] [no-logging]
Limits the rate of new connections the AX device is allowed to send to virtual
service ports that use this template. When a virtual service port reaches its
connection limit, the AX device stops selecting the port to serve client
requests.
connections - Maximum number of new connections allowed on the virtual
service port. You can specify 1-1048575 connections.
per {100ms | 1sec} - Specifies whether the connection rate limit applies to
one-second intervals or 100-ms intervals. The default is one-second intervals
(1sec).
reset - Send a reset (RST) to a client after the connection rate has been
exceeded. By default (without this option), the AX device silently drops the
request.
If you configure a limit for a virtual server and also for an individual
virtual service port, the AX device uses the lower limit.
The no-logging option disables logging for the feature.

[no] reset-unknown-conn
Enables sending of a TCP Reset (RST) in response to a session mismatch. A
session mismatch occurs when the AX device receives a TCP packet for a TCP
session that is not in the active session table on the AX device. (For more
information, see the TCP Reset Option for Session Mismatch section in the
Server and Port Templates chapter of the AX Series Configuration Guide.)

Default

The AX device has a default virtual port template, called default. The
default virtual port template has the same default settings as the individual
parameters you can configure in the template. Here are the defaults:
conn-limit - 8000000 (8 million)
conn-rate-limit - Not set; when enabled, the default sampling rate is per
1-sec.

Mode

Configure

Usage

The normal form of this command creates a virtual service port template.
The no form of this command removes the template.
You can bind only one virtual service port template to a virtual service port.
However, you can bind the virtual service port template to multiple virtual
service ports.
Some of the parameters that can be set using a template can also be set or
changed on the individual virtual port.
- If a parameter is set (or changed from its default) in both a template and
  on the individual virtual port, the setting on the individual virtual port
  takes precedence.
- If a parameter is set (or changed from its default) in a template but is not
  set or changed from its default on the individual virtual port, the setting
  in the template takes precedence.
If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection
counter for the virtual port or server in show command output and in the
GUI may become incorrect. To avoid this, do not change the connection
limiting configuration until the virtual server or port does not have any
active connections.

Example

The following commands configure a virtual service port template named
common-vpsettings, set the connection limit, and bind the template to a
virtual port:

AX(config)#slb template virtual-port common-vpsettings
AX(config-Virtual port template)#conn-limit 500000
AX(config-Virtual port template)#exit
AX(config)#slb virtual-server vip1 10.10.10.99
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#template virtual-port common-vpsettings

slb template virtual-server


Syntax

[no] slb template virtual-server template-name


Parameter        Description
template-name    Name of the template, 1-31 characters.

This command changes the CLI to the configuration level for the specified
virtual server template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command    Description

[no] conn-limit max-connections [reset] [no-logging]
Specifies the maximum number of connections allowed on virtual servers that
use this template.
The max-connections option specifies the maximum number of concurrent
connections, 0-1048575.
The reset option specifies the action to take for connections after the
connection limit is reached on the virtual server. By default, excess
connections are dropped. If you change the action to reset, the connections
are reset instead. Excess connections are dropped by default.
The no-logging option disables logging for the feature.

[no] conn-rate-limit connections [per {100ms | 1sec}] [reset] [no-logging]
    Limits the rate of new connections the AX device is allowed to send
    to servers that use this template. When a real server reaches its
    connection limit, the AX device stops selecting the server for
    client requests.
    connections - Maximum number of new connections allowed on a server.
    You can specify 1-1048575 connections.
    per {100ms | 1sec} - Specifies whether the connection rate limit
    applies to one-second intervals or 100-ms intervals. The default is
    one-second intervals (1sec).
    reset - Send a reset (RST) to a client after the connection rate has
    been exceeded. By default (without this option), the AX device
    silently drops the request.
    If you configure a limit for a server and also for an individual
    port, the AX device uses the lower limit.
    The no-logging option disables logging for the feature.
[no] icmp-rate-limit normal-rate lockup max-rate lockup-time
    Configures ICMP rate limiting for the virtual server, to protect
    against denial-of-service (DoS) attacks.
    normal-rate - Maximum number of ICMP packets allowed per second. If
    the virtual server receives more than the normal rate of ICMP
    packets, the excess packets are dropped until the next one-second
    interval begins. The normal rate can be 1-65535 packets per second.
    lockup max-rate - Maximum number of ICMP packets allowed per second
    before the AX device locks up ICMP traffic to the virtual server. When
    ICMP traffic is locked up, all ICMP packets are dropped until the
    lockup expires. The maximum rate can be 1-65535 packets per second.
    The maximum rate must be larger than the normal rate.
    lockup-time - Number of seconds for which the AX device drops all
    ICMP traffic to the virtual server, after the maximum rate is
    exceeded. The lockup time can be 1-16383 seconds.
[no] subnet-gratuitous-arp
    Enable gratuitous ARPs for all VIPs in subnet VIPs. A subnet VIP is a
    range of VIPs created from a range of IP addresses within a subnet.

Note: This option applies only to VIPs that are created using a range of
subnet IP addresses. The option has no effect on VIPs created with a
single IP address.

Default

The AX device has a default virtual server template, called "default". The
default virtual server template has the same default settings as the individual
parameters you can configure in the template. Here are the defaults:
conn-limit - 8000000 (8 million)
conn-rate-limit - Not set; when enabled, the default sampling rate is
per 1-sec.
icmp-rate-limit - Not set. If you enable it, specifying a maximum rate
(lockup rate) and lockup time is optional. If you do not specify them,
lockup does not occur.
subnet-gratuitous-arp - Disabled. The AX device sends gratuitous
ARPs for only the first IP address in a subnet VIP.


Mode

Configure

Usage

The normal form of this command creates a virtual server template. The
no form of this command removes the template.
You can bind only one virtual server template to a virtual server. However,
you can bind the virtual server template to multiple virtual servers.
Some of the parameters that can be set using a template can also be set or
changed on the individual virtual server.
If a parameter is set (or changed from its default) in both a template and
on the individual virtual server, the setting on the individual virtual
server takes precedence.
If a parameter is set (or changed from its default) in a template but is not
set or changed from its default on the individual virtual server, the
setting in the template takes precedence.
If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection
counter for the virtual port or server in show command output and in the
GUI may become incorrect. To avoid this, do not change the connection
limiting configuration until the virtual server or port does not have any
active connections.
Example

The following commands configure a virtual server template called
vs-tmplt1 that sets ICMP rate limiting, and bind the template to a virtual
server:

AX(config)#slb template virtual-server vs-tmplt1
AX(config-vserver)#icmp-rate-limit 25000 lock 30000 60
AX(config-vserver)#exit
AX(config)#slb virtual-server vip1 10.10.10.2
AX(config-slb virtual server)#template virtual-server vs-tmplt1
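
The icmp-rate-limit behaviour described in this section, modelled as an added Python example (not A10 code and not part of the original reference), using the 25000 / 30000 / 60 values from the example above. Assumptions: counting is per one-second window, the packets up to normal-rate in the triggering second are still accepted, and the lockup starts with the next second; IcmpRateLimit, simulate and the arrival counts are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IcmpRateLimit:
    """icmp-rate-limit parameters, with the ranges given in this section."""
    normal_rate: int                     # ICMP packets/second that are accepted
    max_rate: Optional[int] = None       # "lockup" threshold, packets/second
    lockup_time: Optional[int] = None    # seconds for which all ICMP is dropped

    def validate(self) -> List[str]:
        """Return the documented range/consistency violations (empty if none)."""
        errs = []
        if not 1 <= self.normal_rate <= 65535:
            errs.append("normal-rate must be 1-65535")
        # The syntax line gives max-rate and lockup-time together or not at all.
        if (self.max_rate is None) != (self.lockup_time is None):
            errs.append("lockup needs both max-rate and lockup-time")
        if self.max_rate is not None:
            if not 1 <= self.max_rate <= 65535:
                errs.append("max-rate must be 1-65535")
            elif self.max_rate <= self.normal_rate:
                errs.append("max-rate must be larger than normal-rate")
        if self.lockup_time is not None and not 1 <= self.lockup_time <= 16383:
            errs.append("lockup-time must be 1-16383")
        return errs


def simulate(cfg: IcmpRateLimit,
             arrivals: List[int]) -> List[Tuple[int, int, int, str]]:
    """arrivals[i] is the number of ICMP packets received during second i.

    Returns one (second, accepted, dropped, state) tuple per second.
    """
    trace = []
    locked_until = 0  # first second in which ICMP is accepted again
    lockup_on = cfg.max_rate is not None and cfg.lockup_time is not None
    for sec, received in enumerate(arrivals):
        if sec < locked_until:
            # Lockup: every ICMP packet is dropped until the lockup expires.
            trace.append((sec, 0, received, "lockup"))
            continue
        # Excess over normal-rate is dropped until the next interval begins.
        accepted = min(received, cfg.normal_rate)
        if lockup_on and received > cfg.max_rate:
            # Assumption: lockup covers the next lockup_time whole seconds.
            locked_until = sec + 1 + cfg.lockup_time
            state = "lockup-triggered"
        elif received > cfg.normal_rate:
            state = "rate-limited"
        else:
            state = "normal"
        trace.append((sec, accepted, received - accepted, state))
    return trace


# Values from the page's example: icmp-rate-limit 25000 lock 30000 60
PAGE_EXAMPLE = IcmpRateLimit(normal_rate=25000, max_rate=30000, lockup_time=60)

# Constructed per-second arrival counts: quiet, over normal-rate, over
# max-rate, 60 seconds of sustained flood, then quiet again.
SAMPLE_ARRIVALS = [1000, 26000, 31000] + [40000] * 60 + [500]

if __name__ == "__main__":
    print(PAGE_EXAMPLE.validate() or "configuration is within documented ranges")
    for row in simulate(PAGE_EXAMPLE, SAMPLE_ARRIVALS):
        if row[0] < 4 or row[0] > 61:
            print(row)
```

The trace shows why the two thresholds matter operationally: between normal-rate and max-rate the virtual server still answers some pings, while one second above max-rate makes it silent to all ICMP, including health probes and monitoring, for the full lockup time.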


Config Commands: SLB Servers


This chapter describes the commands for configuring SLB servers.
To access this configuration level, enter the slb server server-name command at the global Config level.
To display configured servers, use the show slb server command.
Note: The commands in this chapter apply to real servers, not to virtual
servers. To configure virtual servers, see "Config Commands: SLB Virtual
Servers" on page 401.

This CLI level also has the following commands, which are available at all
configuration levels:
clear - See "clear" on page 49.
debug - See "debug" on page 52.
do - See "do" on page 103.
end - See "end" on page 107.
exit - See "exit" on page 107.
no - See "no" on page 135.
show - See "Show Commands" on page 535.
write - See "write terminal" on page 67.

conn-limit

Description

Specify the maximum number of concurrent connections allowed on a real
server.

Syntax

[no] conn-limit max-connections

Parameter          Description
max-connections    Maximum number of concurrent connections allowed on
                   the server. You can specify 1-1000000 (one million).

Default

1000000 (one million).

Mode

Real server

Usage

If you set a connection limit, A10 Networks recommends that you also set
the conn-resume interval. (See conn-resume on page 380.)
You also can set the connection limit on individual protocol ports. In this
case, the limit specified for the port overrides the limit set at the server
level.

Example

The following command sets the connection limit to 10,000:

AX(config-real server)#conn-limit 10000

conn-resume

Description

Specify the maximum number of connections the server can have before the
AX device resumes use of the server. Use does not resume until the number
of connections reaches the configured maximum or less.

Syntax

[no] conn-resume connections

Parameter      Description
connections    Maximum number of connections the server can have before
               the AX device resumes use of the server. You can specify
               1-1000000 (1 million) connections.

Default

By default, this option is not set. The AX device is allowed to start sending
new connection requests to the server as soon as the number of connections
on the server falls back below the connection limit threshold set by the
conn-limit command.

Mode

Real server

Usage

You also can set the conn-resume value on individual protocol ports. In this
case, the value specified for the port overrides the value set at the server
level.

Example

The following command sets the conn-resume option to 500,000 connections:

AX(config-real server)#conn-resume 500000
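
How conn-limit and conn-resume interact, as an added Python model (not A10 code and not part of the original reference). It covers both the server-level and port-level settings described above; ConnSettings, effective, lint, eligibility, the resume value of 8000 and the sampled connection counts are constructed for illustration, and the lint warning is an inference from the documented semantics rather than a documented rule.

```python
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_CONN_LIMIT = 1000000  # documented default for conn-limit


@dataclass
class ConnSettings:
    conn_limit: Optional[int] = None    # conn-limit; None = not set at this level
    conn_resume: Optional[int] = None   # conn-resume; None = not set at this level


def effective(server: ConnSettings, port: ConnSettings) -> ConnSettings:
    """A value set on the protocol port overrides the server-level value."""
    return ConnSettings(
        conn_limit=port.conn_limit if port.conn_limit is not None
        else server.conn_limit,
        conn_resume=port.conn_resume if port.conn_resume is not None
        else server.conn_resume,
    )


def lint(cfg: ConnSettings) -> List[str]:
    """Flag settings that are out of range or that cancel the hysteresis."""
    notes = []
    limit = cfg.conn_limit if cfg.conn_limit is not None else DEFAULT_CONN_LIMIT
    if cfg.conn_resume is not None:
        if not 1 <= cfg.conn_resume <= 1000000:
            notes.append("conn-resume must be 1-1000000")
        elif cfg.conn_resume >= limit:
            # Inference: every count below the limit is already <= conn-resume,
            # so use resumes as soon as the count drops below the limit.
            notes.append("conn-resume is not below conn-limit; no hysteresis")
    return notes


def eligibility(cfg: ConnSettings, samples: List[int]) -> List[bool]:
    """For each sampled connection count, report whether the AX device may
    still select the server (or port) for new connections."""
    limit = cfg.conn_limit if cfg.conn_limit is not None else DEFAULT_CONN_LIMIT
    suspended = False
    result = []
    for conns in samples:
        if conns >= limit:
            suspended = True            # limit reached: stop selecting
        elif suspended:
            if cfg.conn_resume is None:
                suspended = False       # default: resume once below the limit
            elif conns <= cfg.conn_resume:
                suspended = False       # resume only at conn-resume or less
        result.append(not suspended)
    return result


# conn-limit 10000 is the page's example value; the rest is constructed.
SAMPLES = [9000, 10000, 9999, 8500, 8000, 9500, 10000, 9000]

if __name__ == "__main__":
    print("with conn-resume 8000:", eligibility(ConnSettings(10000, 8000), SAMPLES))
    print("without conn-resume:  ", eligibility(ConnSettings(10000), SAMPLES))
    merged = effective(ConnSettings(10000, 8000), ConnSettings(conn_limit=5000))
    print(merged, lint(merged))
```

Without conn-resume the server is selected again at 9999 connections and is back at its limit almost immediately; with conn-resume it stays out of rotation until the count has drained to 8000.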


disable
Description

Disable a real server.

Syntax

[no] disable

Default

Enabled

Mode

Real server

Example

The following commands disable a server named rs123:

AX(config)#slb server rs123
AX(config-real server)#disable

enable
Description

Re-enable a real server.

Syntax

[no] enable

Default

Enabled

Mode

Real server

Example

The following commands re-enable a disabled server named rs123:

AX(config)#slb server rs123
AX(config-real server)#enable

external-ip
Description

Assign an external Network Address Translation (NAT) IP address to the
server. The external IP address allows a server that has an internal IP
address to be reached from outside the internal network.

Syntax

[no] external-ip ipaddr

Default

None

Mode

Real server

Example

The following commands configure external IP address 192.168.10.11 on
real server rs123:

AX(config)#slb server rs123
AX(config-real server)#external-ip 192.168.10.11

ha-priority-cost

Description

Enable HA priority changes based on the health status of the server.

Syntax

[no] ha-priority-cost weight [ha-group group-id]

Parameter            Description
weight               Specifies the amount to subtract from the HA
                     group's priority value, if this server or port's
                     health status changes to Down. You can specify
                     1-255.
ha-group group-id    Specifies the HA group from which to subtract
                     the weight. If you do not specify an HA group
                     ID, the weight is subtracted from all HA groups.

Default

None

Mode

Real server

Usage

If the server or port's status changes back to Up, the weight value is added
back to the HA group's priority value.
If the HA priority of a group falls below the priority of the same group on
the other AX device, HA failover can be triggered.
The lowest HA priority value a server or port can have is 1.
If HA weights for an HA group are assigned to both the server and an
individual port, and both health checks are unsuccessful, only the server
weight is subtracted from the HA group's priority.
For failover to occur due to HA priority changes, the HA pre-emption
option must be enabled.
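
The priority arithmetic described in this Usage section, as an added Python model (not A10 code and not part of the original reference). Cost, group_priorities, failover_groups, the server names and all priority values are constructed for illustration; the floor of 1 on the resulting group priority is this example's reading of the "lowest HA priority value" sentence, and the 1-31 group range is taken from the port-level description of ha-priority-cost.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# (server name, port number); port None means the server itself.
Target = Tuple[str, Optional[int]]


@dataclass(frozen=True)
class Cost:
    """One ha-priority-cost statement on a real server or real port."""
    server: str
    port: Optional[int]            # None = configured at the server level
    weight: int                    # 1-255
    group: Optional[int] = None    # HA group ID; None = all HA groups

    def __post_init__(self):
        if not 1 <= self.weight <= 255:
            raise ValueError("weight must be 1-255")
        if self.group is not None and not 1 <= self.group <= 31:
            raise ValueError("HA group ID must be 1-31")


def group_priorities(base: Dict[int, int], costs: List[Cost],
                     down: Set[Target]) -> Dict[int, int]:
    """Return each HA group's priority after subtracting the weights of all
    servers and ports whose health status is Down."""
    result = {}
    for gid, prio in base.items():
        # Statements that target this group and whose server/port is Down.
        hit = [c for c in costs
               if c.group in (None, gid) and (c.server, c.port) in down]
        # If a server-level weight applies, port weights of that server do not.
        charged_servers = {c.server for c in hit if c.port is None}
        total = sum(c.weight for c in hit
                    if c.port is None or c.server not in charged_servers)
        result[gid] = max(1, prio - total)   # assumption: floor of 1
    return result


def failover_groups(local: Dict[int, int], peer: Dict[int, int],
                    preempt: bool) -> List[int]:
    """HA groups whose local priority fell below the peer's priority.
    Without HA pre-emption, priority changes do not cause failover."""
    if not preempt:
        return []
    return sorted(g for g, p in local.items() if g in peer and p < peer[g])


# Constructed configuration for two HA groups.
BASE = {1: 200, 2: 100}          # configured priorities on this AX device
PEER = {1: 180, 2: 100}          # priorities on the other AX device
COSTS = [
    Cost("rs1", None, 30, group=1),   # server-level weight, HA group 1 only
    Cost("rs1", 80, 10),              # port-level weight, all HA groups
    Cost("rs2", 443, 25, group=2),    # port-level weight, HA group 2 only
]

if __name__ == "__main__":
    for down in (set(), {("rs1", 80)}, {("rs1", None), ("rs1", 80)}):
        local = group_priorities(BASE, COSTS, down)
        print(sorted(down, key=str), local, failover_groups(local, PEER, True))
```

Running the three cases shows that a single failed port with an all-groups weight can move HA group 2 to the peer while group 1 stays local, which is worth checking before assigning weights without an ha-group ID.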

health-check

Description

Enable health monitoring for a server.

Syntax

[no] health-check [monitor-name]

Parameter       Description
monitor-name    Name of a configured health monitor.
                If you omit this command or you enter it without
                the monitor-name option, the default ICMP
                health monitor is used. (See below.)

Default

ICMP ping (echo request), sent every 5 seconds. If the ping fails 4 times
consecutively (the first attempt followed by 3 retries), the AX device sets
the server state to DOWN.

Mode

Real server

Usage

Entering the command at this level enables Layer 3 health checking. The
monitor you specify must use the ICMP method.

Example

The following command sets a server to use the RUthere health monitor:

AX(config-real server)#health-check RUthere

ipv6
Description

Assign an IPv6 address to the real server for GSLB.

Syntax

[no] ipv6 ipv6-addr

Default

None

Mode

Real server

port
Description

Configure a TCP or UDP port on a server.

Syntax

[no] port port-num {tcp | udp}


Parameter     Description
port-num      Protocol port number, 0-65534.
              Note: Port number 0 is a wildcard port used for
              IP protocol load balancing. (For more information, see
              the "IP Protocol Load Balancing" chapter of the AX
              Series Configuration Guide.)
tcp | udp     Protocol type.

This command changes the CLI to the configuration level for the specified
port, where the following port-related commands are available:
Command          Description

[no] conn-limit number
    Specifies the maximum number of concurrent connections allowed on
    the server for this port, 0-1000000 (one million). The default is
    1000000.

[no] conn-resume minutes
    Specifies the maximum number of connections the service port can
    have before the AX device resumes use of the port. Use does not
    resume until the number of connections reaches the configured
    maximum or less. You can specify 1-1000000 (1 million) connections.
    By default, this option is not set. The AX device is allowed to
    start sending new connection requests to the service port as soon
    as the number of connections on the port falls back below the
    connection limit threshold set by the conn-limit command.

[no] disable
    Disables the port.

[no] enable
    Re-enables the port.

[no] ha-priority-cost weight [ha-group group-id]
    Enable HA priority changes based on the health status of the port.
    The weight option specifies the amount to subtract from the HA
    group's priority value, if this server or port's health status
    changes to Down. You can specify 1-255. The HA group ID can be
    1-31. If you do not specify an HA group ID, the weight applies to
    all HA groups. By default, this option is not set. (For more
    information, see "Usage" under "ha-priority-cost" on page 382.)

[no] health-check [monitor-name] [follow-port port-num]
    Enables health monitoring of the port. The monitor-name specifies
    the name of a configured health monitor.
    If you omit this command or you enter it without the monitor-name
    option, the default TCP or UDP health monitor is used:
    TCP - Every 5 seconds, the AX device sends a connection request
    (TCP SYN) to the specified TCP port on the server. The port passes
    the health check if the server replies to the AX device by sending
    a TCP SYN ACK.
    UDP - Every 5 seconds, the AX device sends a packet with a valid
    UDP header and a garbage payload to the UDP port. The port passes
    the health check if the server either does not reply, or replies
    with any type of packet except an ICMP Error message.
    The follow-port port-num option specifies another real port upon
    which to base this port's health status. Both the real port and the
    port to use for the real port's health status must be the same
    type, TCP or UDP. By default, this option is not set.

[no] no-ssl
    Disables SSL for server-side connections. This command is useful if
    a server-SSL template is bound to the virtual port that uses this
    real port, and you want to disable encryption on this real port.
    Encryption is disabled by default, but it is enabled for
    server-side connections when the real port is used by a virtual
    port that is bound to a server-SSL template.
    Using the double-negative form of the command (no no-ssl) enables
    SSL for server-side connections.

stats-data-disable | stats-data-enable
    Disable or enable statistical data collection for the port.

[no] template port template-name
    Binds a port template to the port. The parameter settings in the
    template are applied to the port.
    The real port template named "default" is bound to real ports by
    default. The parameter settings in the default real port template
    are automatically applied to the port, unless you bind a different
    real port template to the port.
    If a parameter is set individually on this port and also is set in
    a port template bound to this port, the individual setting on this
    port is used instead of the setting in the template.
    To configure a port template, see "slb template port" on page 344.

[no] weight number
    Specifies the load-balancing preference for this port, 1-100. A
    higher weight gives more favor to this server for this port
    relative to the other servers. Default is 1.
    This option applies only to the service-weighted-least-connection
    load-balancing method.

Default

No ports are configured by default. The defaults for the command options
are described with the options, above. Statistical data collection of load-balancing resources is enabled by default.

Mode

Real server
The no form of this command resets the port's connection limit, health
monitoring, or weight to its default value. To collect statistical data for a
load-balancing resource, statistical data collection also must be enabled
globally. (See "stats-data-enable" on page 159.)

Example

The following commands configure server "terap" and add TCP port 69 to
the server. The health-check command is not entered, so by default the AX
device will check the service port's health by sending a connection request
to 69 on "terap" every 30 seconds.

AX(config)#slb server terap 10.2.4.69
AX(config-real server)#port 69 tcp
AX(config-real server-node port)#

slow-start
Description

Enable slow-start for a server. Slow start allows time for a server to ramp up
after the server is enabled or comes online, by temporarily limiting the
number of new connections on the server.

Syntax

[no] slow-start

Default

Disabled

Mode

Real server

Usage

Slow-start allows a maximum of 128 new connections during the first 10
seconds. During each subsequent 10-second interval, the total number of
concurrent connections allowed to the server is doubled. Thus, during the
first 20 seconds, the server is allowed to have a total of 256 concurrent
connections. After 59 seconds, slow-start ends the ramp-up and no longer
limits the number of concurrent connections.
After the ramp-up period ends, the number of new connections is controlled
by the conn-limit setting. (See "conn-limit" on page 379 and the description
of conn-limit in "port" on page 383.)
Slow-start is also configurable in server and port templates. (See "slb
template server" on page 350 and "slb template port" on page 344.)

Example

The following command enables slow-start:

AX(config-real server)#slow-start

spoofing-cache
Description

Enable support for a spoofing cache server. A spoofing cache server uses
the client's IP address instead of its own as the source address when
obtaining content requested by the client.

Syntax

[no] spoofing-cache

Default

Disabled

Mode

Real server

Usage

This command applies to the Transparent Cache Switching (TCS) feature.
For more information about TCS, including additional configuration
requirements and examples, see the "Transparent Cache Switching" chapter
in the AX Series Configuration Guide.

Example

The following commands configure a real server for a spoofing cache
server:

AX(config)#slb server cache-rs 110.110.110.10
AX(config-real server)#spoofing-cache
AX(config-real server)#port 80 tcp

stats-data-disable

Description

Disable collection of statistical data for the server.

Syntax

stats-data-disable

Default

Statistical data collection for load-balancing resources is enabled by default.

Mode

Real server

stats-data-enable

Description

Enable collection of statistical data for the server.

Syntax

stats-data-enable

Default

Statistical data collection for load-balancing resources is enabled by default.

Mode

Real server

Usage

To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See stats-data-enable on
page 159.)

template server

Description

Bind a real server template to the server.

Syntax

[no] template server template-name

Default

The real server template named default is bound to servers by default. The
parameter settings in the default real server template are automatically
applied to the new server, unless you bind a different real server template to
the server.

Mode

Real server

Usage

If a parameter is set individually on this server and also is set in a server
template bound to this server, the individual setting on this server is used
instead of the setting in the template.
To configure a real server template, see "slb template server" on page 350.

Example

The following commands configure a real server template called
rs-tmplt1 and bind the template to two real servers:

AX(config)#slb template server rs-tmplt1
AX(config-rserver)#health-check ping2
AX(config-rserver)#conn-limit 500000
AX(config-rserver)#exit
AX(config)#slb server rs1 10.1.1.99
AX(config-real server)#template server rs-tmplt1
AX(config-real server)#exit
AX(config)#slb server rs2 10.1.1.100
AX(config-real server)#template server rs-tmplt1

weight

Description

Assign an administrative weight to the server, for weighted load balancing.

Syntax

[no] weight num

Parameter    Description
num          Administrative weight assigned to the server.
             You can specify 1-100.

Default

Mode

Real server

Usage

This parameter applies only to the weighted-least-connection and
weighted-rr (weighted round robin) load-balancing methods.

Example

The following command assigns a weight of 20 to a server:

AX(config-real server)#weight 20

Config Commands: SLB Service Groups


This chapter describes the commands for configuring SLB service groups.
To access this configuration level, enter the slb service-group group-name
{tcp | udp} command at the global Config level.
To display configured service groups, use the show slb service-group command.
This CLI level also has the following commands, which are available at all
configuration levels:
clear - See "clear" on page 49.
debug - See "debug" on page 52.
do - See "do" on page 103.
end - See "end" on page 107.
exit - See "exit" on page 107.
no - See "no" on page 135.
show - See "Show Commands" on page 535.
write - See "write terminal" on page 67.


health-check

Description

Use a health monitor to check the health of all members of the service
group.

Syntax

[no] health-check monitor-name

Parameter       Description
monitor-name    Specifies the health monitor to use.

Default

None

Mode

Service group

Usage

The health monitor is used to test the health of all members of the service
group, including any members that are added in the future.
Service group health status applies only within the context of the service
group. For example, a health check of the same port from another service
group can result in a different health status, depending on the resource
requested by the health check.
Health checks can be applied to the same resource (real server or port) at the
following levels:
- In a service group that contains the server and port as a member
- In a server or server port configuration template that is bound to the
  server or port
- Directly on the individual server or port

In cases where health checks are applied at multiple levels, they have the
following priority:
1. Health check on real server
2. Health check on real server's port
3. Health check on service group
If a health check at the real server level (1) fails, the corresponding real
server, real server port, and service group members are marked Down.
However, if a health check on the service group level (3) fails, only that
service group member in that service group is marked Down.

Example

The following commands configure a health monitor and apply it to a service group:

AX(config)#health monitor qrs
AX(config-health:monitor)#method http url GET /media-qrs/index.html
AX(config)#slb service-group qrs tcp
AX(config-slb svc group)#member media-rs:80
AX(config-slb svc group)#health-check qrs

member

Description

Add a server to a service group.

Syntax

[no] member server-name:portnum
[disable | enable]
[priority num]
[template template-name]
[stats-data-disable | stats-data-enable]

Parameter        Description

server-name:portnum
    Real server name, and protocol port number on the server.

disable | enable
    Disables or re-enables the server and port, for this service group
    only.

priority num
    Sets the preference for this server and port, 1-16.

template template-name
    Binds a real port template to this member port.

stats-data-disable | stats-data-enable
    Disable or enable statistical data collection for the service-group
    member.

Default

There are no servers in a service group by default. When you add a server
and port to the service group, the default state is enabled and the default
priority is 1. Statistical data collection of load-balancing resources is
enabled by default.
To configure a real port template, see "slb template port" on page 344.

Mode

Service group

Usage

The normal form of this command adds a configured server to the service
group. The no form of this command removes the server from the group.

If you disable or re-enable a port, the state change applies only to this
service group. The state of the port is unchanged in other service groups.
To collect statistical data for a load-balancing resource, statistical data
collection also must be enabled globally. (See "stats-data-enable" on
page 159.)

Example

The following commands add servers "slaughterhouse5" and "catscradle"
to service group "vonnegut":

AX(config)#slb service-group vonnegut
AX(config-slb service group)#member slaughterhouse5:80
AX(config-slb service group)#member catscradle:80

Example

The following command adds a member server and port to a service group
and binds a real port template to the port:

AX(config-slb service group)#member rs1:80 template port rptmp1

method

Description

Set the load-balancing method for a service group.

Syntax

[no] method lb-method

Parameter    Description
lb-method    Load-balancing method:

    fastest-response - Selects the server with the fastest SYN-ACK
    response time.

    least-connection - Selects the server that currently has the fewest
    connections.

    service-least-connection - Selects the server port that currently
    has the fewest connections. If there is a tie, the port (among
    those tied) that has the lowest number of request bytes plus
    response bytes is selected. If there is still a tie, a port is
    randomly selected from among the ones that are still tied.

    weighted-least-connection - Selects a server based on a combination
    of the server's administratively assigned weight and the number of
    connections on the server. (To assign a weight to a server, see
    "weight" on page 389.)

    service-weighted-least-connection - Same as
    weighted-least-connection, but per service. (To assign a weight to
    a service, see "port" on page 383. Use the weight option.)

    least-request - Selects the real server port for which the AX
    device is currently processing the fewest HTTP requests. This
    method is applicable to HTTP load balancing.

    weighted-rr - Selects servers in rotation, biased by the servers'
    administratively assigned weights.
    To use this method, you also need to assign weights to the servers.
    (See "weight" on page 389.) If the weight value is the same on each
    server, this load-balancing method simply selects the servers in
    rotation.

    round-robin-strict - Provides a more exact round-robin method. The
    standard, default round robin method is optimized for high
    performance. Over time, this optimization can result in a slight
    imbalance in server selection. Server selection is still basically
    round robin, but over time some servers may be selected slightly
    more often than others.

    Note: The following methods apply only to stateless SLB. (See
    "Usage" for more information.)

    stateless-src-ip-hash - Balances server load based on a hash value
    calculated using the source IP address and source TCP or UDP port.

    stateless-src-dst-ip-hash - Balances server load based on a hash
    value calculated using both the source and destination IP addresses
    and TCP or UDP ports.

    stateless-dst-ip-hash - Balances server load based on a hash value
    calculated using the destination IP address and destination TCP or
    UDP port.

    stateless-per-pkt-round-robin - Balances server load by sending
    each packet to a different server, in rotation. This method is
    applicable only for UDP DNS traffic.

    stateless-src-ip-only-hash - Calculates a hash value based only on
    the source IP address of the request, and selects a server based on
    the hash value. Subsequently, all requests from the same client
    address are sent to the same server.

Default

Round Robin. This method selects servers in rotation but does not take
server weight into account.

Note: Round Robin is not one of the methods you can specify. If you do not
specify a method, you get Round Robin. To reset a service group to use
Round Robin, enter the no method command.

Mode

Service group

Usage

The fastest-response method takes effect only if the traffic rate on the
servers is at least 5 connections per second (per server). If the traffic rate
is lower, the first server in the service group usually is selected.

To set a server's weight, see "weight" on page 389.

Stateless SLB
Stateless SLB conserves system resources by operating without session
table entries on the AX device. The stateless SLB methods are valid for the
following types of traffic:
- Traffic with very short-lived sessions, such as DNS
- Layer 2 Direct Server Return (DSR) traffic
- Other types of traffic that do not require features that use session-table
  entries. (See list of limitations below.)

You can enable stateless SLB on an individual service-group basis, by
selecting a stateless SLB load-balancing method for the group.

Limitations
Stateless SLB is not valid for the following features or traffic types:
- Rate limiting
- ACLs
- IP source NAT
- HA session synchronization
- Application Layer Gateway (ALG)
- Layer 3 DSR
- SLB-PT
- IPv6

A given real server can be used in only one stateless SLB service group. A
real server that is in a stateless SLB service group can not be used in any
other service groups.
Graceful transitions between stateful and stateless SLB in a service group
are not supported.
Mega-proxies may interfere with equal balancing of traffic load among the
multiple data CPUs. In this case, for DNS traffic only, try using the
stateless-per-pkt-round-robin method.

Note: The stateless-per-pkt-round-robin method is valid only for DNS traffic.

Example

The following example sets the load-balancing method for a service group
to least-connection:

AX(config-slb service group)#method least-connection

Example

The following commands configure a stateless SLB service group for UDP
traffic:

AX(config)#slb service-group dns-stateless udp
AX(config-slb svc group)#member dns1:53
AX(config-slb svc group)#member dns2:53
AX(config-slb svc group)#method stateless-src-dst-ip-hash

min-active-member
Description

Use backup servers even if some primary servers are still up.

Syntax

[no] min-active-member num [skip-pri-set]


Parameter    Description

num
    Minimum number of primary servers that can still be active (available), before the backup servers are used. You can specify 1-63. There is no default.

skip-pri-set
    Specifies whether the remaining primary servers continue to be used. If you use this option, the AX device uses only the backup servers and stops using any of the primary servers.

Default

By default, the servers with the highest priority value are the primary servers. All other servers are backups only, and are used only if all the primary
servers are unavailable.
When you use this command, the skip-pri-set option is disabled by default,
for all load-balancing methods except round-robin. For round-robin (the
default), skip-pri-set is always enabled and can not be disabled.

Mode

Service group

Usage

Primary and backup servers are designated based on member priority (set
with the member command). For example, if a service group contains real
servers with the following priority settings, real servers s1, s2, and s3 are the
primary servers. Real servers s4 and s5 are backup servers.
s1 priority 16
s2 priority 16
s3 priority 16
s4 priority 8
s5 priority 8

When the minimum number of active members (primary servers) comes back up, the AX device immediately returns to using only the primary servers.
Example

The following commands add members with different priorities to a service group, and configure promiscuous VIP to begin using backup servers if any of the primary servers becomes unavailable:

AX(config)#slb service-group sg-prom
AX(config-slb service group)#method least-connection
AX(config-slb service group)#member s1:80 priority 16
AX(config-slb service group)#member s2:80 priority 16
AX(config-slb service group)#member s3:80 priority 16
AX(config-slb service group)#member s4:80 priority 8
AX(config-slb service group)#member s5:80 priority 8
AX(config-slb service group)#member s6:80 priority 4
AX(config-slb service group)#min-active-member 1

reset-on-server-selection-fail
Description

Send a TCP reset (RST) to the client if server selection fails.

Syntax

[no] reset-on-server-selection-fail

Default

Disabled

Mode

Service group

Usage

The TCP template reset-rev option also can be used to send a RST to clients. In AX releases prior to 2.2.2, the reset-rev option would send a RST in
response to a server selection failure. In AX Release 2.2.2 and later, this is
no longer true. The reset-on-server-selection-fail option must be used
instead.

stats-data-disable
Description

Disable collection of statistical data for the service group.

Syntax

stats-data-disable

Default

Statistical data collection for load-balancing resources is enabled by default.

Mode

Service group

stats-data-enable
Description

Enable collection of statistical data for the service group.

Syntax

stats-data-enable

Default

Statistical data collection for load-balancing resources is enabled by default.

Mode

Service group

Usage

To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See stats-data-enable on
page 159.)

Config Commands: SLB Virtual Servers


This chapter describes the commands for configuring SLB virtual servers.
To access this configuration level, enter the slb virtual-server vipaddr vipname command at the global Config level.
To display configured virtual servers, use the show slb virtual-server command.
Note: The commands in this chapter apply to virtual servers (also called VIPs), not to real servers. To configure real servers, see Config Commands: SLB Servers on page 379.

This CLI level also has the following commands, which are available at all configuration levels:
clear - See clear on page 49.
debug - See debug on page 52.
do - See do on page 103.
end - See end on page 107.
exit - See exit on page 107.
no - See no on page 135.
show - See Show Commands on page 535.
write - See write terminal on page 67.

arp-disable
Description

Disable ARP replies from a virtual server.

Syntax

[no] arp-disable

Default

ARP replies are enabled by default.

Mode

Virtual server

Usage

Use this command if you do not want the AX Series device to reply to ARP requests to the virtual server's IP address. For example, you can use this command to put a VIP out of service on one AX device and use that device as a switch or router for another AX device providing SLB for the VIP.
When you disable ARP replies for a VIP, redistribution of routes to the VIP
is automatically disabled.
Example

The following command disables ARP replies:

AX(config-slb virtual server)#arp-disable

disable
Description

Disable a virtual server.

Syntax

[no] disable [when-all-ports-down]

Parameter    Description

when-all-ports-down
    Automatically disables the virtual server if all its service ports are down. If OSPF redistribution of the VIP is enabled, the AX device also withdraws the route to the VIP in addition to disabling the virtual server.

Default

Virtual servers are enabled by default. The when-all-ports-down option is disabled by default.

Mode

Virtual server

Example

The following commands disable virtual server vs1:

AX(config)#slb virtual-server vs1
AX(config-slb virtual server)#disable

enable
Description

Enable a virtual server.

Syntax

[no] enable

Default

Enabled

Mode

Virtual server

Example

The following commands re-enable virtual server vs1:

AX(config)#slb virtual-server vs1
AX(config-slb virtual server)#enable

ha-dynamic
Description

Enable VIP-based failover.

Syntax

[no] ha-dynamic server-weight

Parameter    Description

server-weight
    Amount to subtract from the HA group's priority value for each real server that becomes unavailable. The weight can be 1-255.

Default

Not set

Mode

Virtual server

Example

The following commands assign virtual server VIP2 to HA group 6 and enable VIP-based failover for the virtual server.

AX(config)#slb virtual VIP2 192.168.10.22
AX(config-slb virtual server)#ha-group 6
AX(config-slb virtual server)#ha-dynamic 10

ha-group
Description

Add a virtual server to a High-Availability (HA) group.

Syntax

[no] ha-group group-id

Default

None.

Mode

Virtual server

Example

The following commands assign virtual server vs1 to HA group 1:

AX(config)#slb virtual-server vs1
AX(config-slb virtual server)#ha-group 1

port
Description

Configure a virtual port on a virtual server.

Syntax

[no] port port-number service-type

Parameter    Description

port
    Port number, 0-65534.

service-type
    Service type of the port:
    fast-http - Streamlined Hypertext Transfer Protocol (HTTP) service
    ftp - File Transfer Protocol
    http - HTTP
    https - Secure HTTP (SSL)
    mms - Microsoft Media Server
    rtsp - Real Time Streaming Protocol
    sip - Session Initiation Protocol (SIP) over UDP
    sip-tcp - SIP over TCP
    sips - SIP over TCP / TLS
    smtp - Simple Mail Transfer Protocol
    ssl-proxy - SSL proxy service
    tcp - Transmission Control Protocol
    udp - User Datagram Protocol
    others - Wildcard port used for IP protocol load balancing. (For more information, see the IP Protocol Load Balancing chapter of the AX Series Configuration Guide.)

Default

N/A

Mode

Virtual server

Usage

The normal form of this command creates a new or edits an existing virtual
port. The CLI changes to the configuration level for the virtual port. (See
Config Commands: SLB Virtual Server Ports on page 409.)
The no form of this command removes the specified virtual port from the
current virtual server.

The maximum number of virtual service ports allowed and the maximum
number per virtual server depend on the AX model.
The AX device allocates processing resources to HTTPS virtual ports when
you bind them to an SSL template. This results in increased CPU utilization,
regardless of whether traffic is active on the virtual port.
Example

The following example creates a new (or edits an existing) virtual port:

AX(config-slb virtual server)#port 443 https
AX(config-slb virtual server-slb virtua...)#

redistribution-flagged
Description

Flag this VIP to selectively enable or disable redistribution of it by OSPF.

Syntax

[no] redistribution-flagged

Default

Not set. The VIP is automatically redistributed if VIP redistribution is enabled in OSPF.

Mode

Virtual server

Usage

Use this option if you want to redistribute only some of the VIPs rather than
all of them.
Selective VIP redistribution also requires configuration in OSPF. See the
description of the vip option in redistribute on page 260.

stats-data-disable
Description

Disable collection of statistical data for the virtual server.

Syntax

stats-data-disable

Default

Statistical data collection for load-balancing resources is enabled by default.

Mode

Virtual server

stats-data-enable
Description

Enable collection of statistical data for the virtual server.

Syntax

stats-data-enable

Default

Statistical data collection for load-balancing resources is enabled by default.

Mode

Virtual server

Usage

To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See stats-data-enable on
page 159.)

template policy
Description

Bind a PBSLB policy template to the virtual server.

Syntax

[no] template policy template-name

Default

None

Mode

Virtual server

Usage

This command is applicable only for PBSLB policy templates configured for IP limiting. (See the IP Limiting chapter in the AX Series Configuration Guide.)

template virtual-server
Description

Bind a virtual server template to the virtual server.

Syntax

[no] template virtual-server template-name

Default

The virtual server template named default is bound to virtual servers by default. The parameter settings in the default virtual server template are automatically applied to the new virtual server, unless you bind a different virtual server template to the virtual server.

Mode

Virtual server

Usage

If a parameter is set individually on this virtual server and also is set in a virtual server template bound to this virtual server, the individual setting on
this virtual server is used instead of the setting in the template.

To configure a virtual server template, see slb template virtual-server on
page 375.
Example

The following commands configure a virtual server template called vs-tmplt1 that sets ICMP rate limiting, and bind the template to a virtual server:

AX(config)#slb template virtual-server vs-tmplt1
AX(config-vserver)#icmp-rate-limit 25000 lock 30000 60
AX(config-vserver)#exit
AX(config)#slb virtual-server vip1 10.10.10.2
AX(config-slb virtual server)#template virtual-server vs-tmplt1

Config Commands: SLB Virtual Server Ports


This chapter describes the commands for configuring virtual ports.
To access this configuration level, enter the port port-num port-type command at the configuration level for a virtual server.
This CLI level also has the following commands, which are available at all
configuration levels:
clear - See clear on page 49.
debug - See debug on page 52.
do - See do on page 103.
end - See end on page 107.
exit - See exit on page 107.
no - See no on page 135.
show - See Show Commands on page 535.
write - See write terminal on page 67.

access-list
Description

Apply an Access Control List (ACL) to a virtual server port.

Syntax

[no] access-list {acl-num | name acl-name}
[source-nat-pool {pool-name | pool-group-name} [sequence-number num]]

Parameter    Description

acl-num | name acl-name
    Number of a configured IPv4 ACL (acl-num), or the name of a configured IPv6 ACL (name acl-name).

source-nat-pool pool-name | pool-group-name [sequence-number num]
    Name of a configured IP source NAT pool or pool group. Use this option if you are configuring policy-based source NAT. Source NAT is required if the real servers are in a different subnet than the VIP.

    The sequence-number num option specifies the position of this ACL in the sequence of ACLs that are associated with IP source NAT pools and which are assigned to this virtual port. The sequence number is important because the AX device will use the IP addresses in the pool associated with the first ACL that matches the traffic. By default, the ACL sequence is based on the order in which you apply them to the virtual port. The first ACL has sequence number 1, the second ACL has sequence number 2, and so on. You can specify 1-32 as the sequence number. To view the sequence, use the show running-config command to view the configuration for this virtual port.

Default

N/A

Mode

Virtual port

Usage

The ACL must be configured before you can apply it to an interface. To configure an ACL, see access-list (standard) on page 69 and access-list (extended) on page 72.
To permit or deny traffic on the virtual port, specify an ACL but do not
specify a NAT pool.
To configure policy-based source NAT, specify an ACL and a NAT pool.
Use an extended ACL. The source IP address must match on the client
address. The destination IP address must match on the real server address.
The action must be permit. The NAT pool is used only for traffic that
matches the ACL. This configuration allows the virtual port to have multiple pools, and to select a pool based on the traffic.

Example

The following commands configure a standard ACL to deny traffic from subnet 10.10.10.x, and apply the ACL to the inbound traffic direction on virtual port 8080 on virtual server slb1:

AX(config)#access-list 99 deny 10.10.10.0 0.0.0.255
AX(config)#slb virtual-server slb1
AX(config-slb virtual server)#port 8080 http
AX(config-slb virtual server-slb virtua...)#access-list 99

Example

The following commands configure policy-based source NAT, by binding ACLs to NAT pools on the virtual port.

AX(config)#slb virtual-server vs1 10.10.10.100
AX(config-slb virtual server)#port 80 tcp
AX(config-slb virtual server-slb virtua...)#access-list 30 source-nat-pool pool1
AX(config-slb virtual server-slb virtua...)#access-list 50 source-nat-pool pool2
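
The first-match behaviour described for sequence-number can be modelled offline to check a planned ACL order before it is applied. The following Python sketch is an added example, not A10 code: the ACL contents, the 10.20.20.0 real-server subnet and the function names are assumptions made for illustration; only ACL numbers 30 and 50 and pools pool1 and pool2 come from the example above.

```python
import ipaddress
from dataclasses import dataclass


def acl_net(addr, wildcard):
    """Convert an ACL address + wildcard mask (e.g. 10.10.10.0 0.0.0.255) to a network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # only contiguous low-order wildcard bits are modelled here
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


@dataclass(frozen=True)
class NatBinding:
    """One 'access-list N source-nat-pool POOL' line on a virtual port."""
    sequence: int                      # position in the ACL sequence, 1-32
    acl: int                           # ACL number
    clients: ipaddress.IPv4Network     # extended ACL source: client addresses
    servers: ipaddress.IPv4Network     # extended ACL destination: real servers
    pool: str                          # NAT pool bound to this ACL

    def __post_init__(self):
        if not 1 <= self.sequence <= 32:
            raise ValueError("sequence number must be 1-32")


def select_pool(bindings, client_ip, server_ip):
    """Return the pool of the first binding, in sequence order, whose ACL matches."""
    client = ipaddress.ip_address(client_ip)
    server = ipaddress.ip_address(server_ip)
    for b in sorted(bindings, key=lambda b: b.sequence):
        if client in b.clients and server in b.servers:
            return b.pool
    return None  # no ACL matched, so policy-based source NAT assigns no pool


def shadowed(bindings):
    """List (acl, shadowing_acl) pairs where an earlier ACL covers a later one entirely,
    so the later binding's pool can never be selected."""
    ordered = sorted(bindings, key=lambda b: b.sequence)
    hits = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (later.clients.subnet_of(earlier.clients)
                    and later.servers.subnet_of(earlier.servers)):
                hits.append((later.acl, earlier.acl))
                break
    return hits


# Constructed ACL contents (permit entries only): ACL 30 is narrow, ACL 50 is broad.
ACL_30 = (acl_net("10.10.10.0", "0.0.0.255"), acl_net("10.20.20.0", "0.0.0.255"))
ACL_50 = (acl_net("10.10.0.0", "0.0.255.255"), acl_net("10.20.20.0", "0.0.0.255"))

# Order from the example above (ACL 30 applied first), and the reverse order.
AS_APPLIED = [NatBinding(1, 30, *ACL_30, "pool1"), NatBinding(2, 50, *ACL_50, "pool2")]
REVERSED = [NatBinding(1, 50, *ACL_50, "pool2"), NatBinding(2, 30, *ACL_30, "pool1")]

if __name__ == "__main__":
    for name, cfg in (("as applied", AS_APPLIED), ("reversed", REVERSED)):
        print(name, select_pool(cfg, "10.10.10.5", "10.20.20.7"), shadowed(cfg))
```

With the broad ACL in first position, the narrower ACL's pool is never used; that ordering mistake is what the shadowed() check reports.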

aflex
Description

Apply an aFleX policy to a virtual port.

Syntax

[no] aflex policy-name

Parameter    Description

policy-name
    Name of a configured aFleX policy.

Default

N/A

Mode

Virtual port

Usage

The normal form of this command applies the specified aFleX policy to the
port.
The no form of this command removes the aFleX policy from the port.
For more information about aFleX policies, see the AX Series aFleX
Scripting Language Reference Guide.

Example

The following command applies aFleX policy aflex1 to a virtual port:

AX(config-slb virtual server-slb virtua...)#aflex aflex1

conn-limit
Description

Set the connection limit for a virtual port.

Syntax

[no] conn-limit number [reset]

Parameter    Description

number
    Connection limit, 0-8000000 (8 million); 0 means no limit.

reset
    Sends a connection reset to the client, if the connection limit has been reached. If you omit this option, the connection is silently dropped and no reset is sent to the client.

Default

Not set. If you set a limit, the default action for any new connection request
after the limit has been reached is to silently drop the connection, without
sending a reset to the client.

Mode

Virtual port

Usage

The normal form of this command changes the current port's connection
limit.
The no form of this command resets the port's connection limit to its
default value.
The connection limit puts a hard limit on the number of concurrent
connections supported by the port. No more connections will be put on the
port if its number of current connections is already equal to or bigger than
the limit.
If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection
counter for the virtual port or server in show command output and in the
GUI may become incorrect. To avoid this, do not change the connection
limiting configuration until the virtual server or port does not have any
active connections.

Example

The following command changes a virtual port's connection limit to 10000:

AX(config-slb virtual server-slb virtua...)#conn-limit 10000

def-selection-if-pref-failed
Description

Configure SLB to continue checking for an available server in other service groups if all of the servers are down in the first service group selected by SLB.

Syntax

[no] def-selection-if-pref-failed

Default

Enabled

Mode

Virtual port

Usage

During SLB selection of the preferred server to use for a client request, SLB
checks the following configuration areas, in the order listed:
1. Layer 3-4 configuration items:
a. aFleX policies triggered by Layer 4 events
b. Policy-based SLB (black/white lists). PBSLB is a Layer 3 configuration item because it matches on IP addresses in black/white lists.
2. Layer 7 configuration items:
a. Cookie switching
b. aFleX policies triggered by Layer 7 events
c. URL switching
d. Host switching
3. Default service group. If none of the items above results in selection of a
server, the default service group is used.
If the configuration uses only one service group, this is the default service group.
If the configuration uses multiple service groups, the default service
group is the one that is used if none of the templates used by the
configuration selects another service group instead.
For example, if the CLIENT_ACCEPTED event triggers the aFleX policy,
the policy is consulted first. Similarly, if the HTTP_REQUEST event triggers the aFleX policy, the policy is consulted only if none of the Layer 4
configuration items results in selection of a server.
The first configuration area that matches the client or VIP (as applicable) is
used, and the client request is sent to a server in the service group that is
applicable to that configuration area. For example, if the client's IP address
is in a black/white list, the service group specified by the list is used for the
client request.
When the def-selection-if-pref-failed option is enabled, SLB continues to
check for an available server in other service groups if all servers are down
in the first service group selected by SLB.
If Policy-Based SLB (PBSLB) is also configured on the same virtual port,
PBSLB server-selection failures are not logged. This limitation does not
affect failures that occur because a client is over their PBSLB connection
limit. These failures are still logged.
Example

The following command enables this option:

AX(config-slb virtual server-slb virtua...)#def-selection-if-pref-failed

disable
Description

Disable a virtual port.

Syntax

[no] disable

Default

Enabled

Mode

Virtual port

Example

The following command disables a virtual port:


AX(config-slb virtual server-slb virtua...)#disable

enable
Description

Enable a virtual port.

Syntax

[no] enable

Default

Enabled

Mode

Virtual port

Example

The following command re-enables a virtual port:

AX(config-slb virtual server-slb virtua...)#enable

gslb-enable
Description

Enable a DNS port to function as a proxy for Global Server Load Balancing (GSLB) for this virtual port.

Note: This command applies only to UDP ports and only for a virtual server that will be used as a DNS proxy on the GSLB AX Series device.

Syntax

[no] gslb-enable

Default

Disabled

Mode

Virtual port

Usage

Additional configuration is required for GSLB. See the Global Server Load Balancing chapter in the AX Series Configuration Guide.

Example

The following commands enable virtual server "DNS_SrvA" to be a DNS proxy:

AX(config)#slb virtual-server DNS_SrvA 10.10.10.100
AX(config-slb virtual-server)#port 53 udp
AX(config-slb virtual server-slb virtua...)#gslb-enable

ha-conn-mirror
Description

Enable connection mirroring (session synchronization) for the virtual port.

Syntax

[no] ha-conn-mirror

Default

Disabled.

Mode

Virtual port

Usage

Connection mirroring applies to HA configurations. When connection mirroring is enabled, the Active AX Series device sends information about
active client connections to the Standby AX Series device. If a failover
occurs, the newly Active AX device continues service for the session. The
client perceives very brief or no interruption.
When connection mirroring is disabled, client session information is lost.
Clients must establish new connections.
In HA deployments, HA session synchronization is required for persistent
sessions (source-IP persistence, and so on), and is therefore automatically
enabled for these sessions by the AX device. Persistent sessions are synchronized even if session synchronization is disabled in the configuration.

Example

The following command enables connection mirroring:

AX(config-slb virtual server-slb virtua...)#ha-conn-mirror

no-dest-nat
Description

Disable destination NAT.

Syntax

[no] no-dest-nat

Default

Destination NAT is enabled by default.

Mode

Virtual port

Usage

Disabling destination NAT enables Direct Server Return (DSR).


In the current release, for IPv4 VIPs, DSR is supported on virtual port types
(service types) TCP, UDP, FTP, and RTSP. For IPv6 VIPs, DSR is supported
on virtual port types TCP, UDP, and RTSP.
VIP redistribution is not supported for VIPs on which destination NAT has
been disabled. For example, VIP redistribution is not supported for VIPs
that are configured for Direct Server Return (DSR).

Example

The following command enables DSR:

AX(config-slb virtual server-slb virtua...)#no-dest-nat

pbslb
Description

Configure settings for Policy-based SLB (PBSLB).

Syntax

[no] pbslb bw-list name

Syntax

[no] pbslb id id {service service-group-name | drop | reset} [logging [minutes] [fail]]

Syntax

[no] pbslb over-limit {drop | reset}


Parameter    Description

bw-list name
    Binds a black/white list to the virtual port.

id id {service service-group-name | drop | reset}
    Specifies the action to take for clients in the black/white list:
    id - Group ID in the black/white list.
    service-group-name - Name of an SLB service group on the AX Series device.
    drop - Drops new connections until the number of concurrent connections on the virtual port falls below the port's connection limit. (The connection limit is set in the black/white list.)
    reset - Resets new connections until the number of concurrent connections on the virtual port falls below the connection limit.

logging [minutes] [fail]
    Enables logging. The minutes option specifies how often messages can be generated. This option reduces overhead caused by frequent recurring messages.

    For example, if the logging interval is set to 5 minutes, and the PBSLB rule is used 100 times within a five-minute period, the AX device generates only a single message. The message indicates the number of times the rule was applied since the last message. You can specify a logging interval from 0 to 60 minutes. To send a separate message for each event, set the interval to 0.

    PBSLB rules that use the service service-group-name option also have a fail option for logging. The fail option configures the AX device to generate log messages only when there is a failed attempt to reach a service group. Messages are not generated for successful connections to the service group. The fail option is disabled by default. The option is available only for PBSLB rules that use the service service-group-name option, not for rules with the drop or reset option, since any time a drop or reset rule affects traffic, this indicates a failure condition.

Note: If the def-selection-if-pref-failed option is enabled on the virtual port, log messages will never be generated for server-selection failures. To ensure that messages are generated to log server-selection failures, disable the def-selection-if-pref-failed option on the virtual port. This limitation does not affect failures that occur because a client is over their PBSLB connection limit. These failures are still logged.

Default

bw-list - N/A
id - N/A
logging - Disabled. When logging is enabled, the default for minutes is 3.
over-limit - drop

Mode

Virtual port

Usage

The black/white list specified by bw-list name must already be imported onto the AX Series device. To import a black/white list file, see bw-list on page 92.
If you use the logging option, the AX device uses a log rate limiting mechanism and load balances logging among multiple log servers, if more than
one is configured. For more information, see the Log Rate Limiting section in the Traffic Security Features chapter of the AX Series Configuration Guide.

Example

The following commands bind black/white list sample-bwlist to the virtual port, assign clients in group 2 to service group srvcgroup2, and drop
clients in group 4:

AX(config-slb virtual server-slb virtua...)#pbslb bw-list sample-bwlist
AX(config-slb virtual server-slb virtua...)#pbslb id 2 service srvcgroup2
AX(config-slb virtual server-slb virtua...)#pbslb id 4 drop
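
The logging note in the parameter description can be checked mechanically: def-selection-if-pref-failed is enabled by default, so a PBSLB rule that uses the fail logging option produces no server-selection failure messages unless that option is negated on the same virtual port. The following Python audit is an added example, not A10 tooling; it assumes the configuration is available as command lines in the syntax shown on this page (with or without the AX prompt), and the sample configuration is constructed.

```python
import re

PROMPT_RE = re.compile(r"^AX\(.*?\)#")                  # strip a pasted CLI prompt
VS_RE = re.compile(r"^slb virtual-server\s+(\S+)")
PORT_RE = re.compile(r"^port\s+(\d+)\s+(\S+)$")
# pbslb id <id> service <group> logging [minutes] fail
FAIL_RULE_RE = re.compile(
    r"^pbslb id\s+(\d+)\s+service\s+(\S+)\s+logging(?:\s+\d+)?\s+fail$")


def audit(config_text):
    """Return (virtual-server, port, group-id, service-group) for every PBSLB rule
    whose 'fail' logging is silenced by def-selection-if-pref-failed."""
    ports = []
    vs = None
    port = None
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw.strip()).strip()
        if m := VS_RE.match(line):
            vs, port = m.group(1), None          # new virtual server: leave port level
        elif m := PORT_RE.match(line):
            # def-selection-if-pref-failed defaults to enabled on every virtual port
            port = {"vs": vs, "port": int(m.group(1)),
                    "def_selection": True, "fail_rules": []}
            ports.append(port)
        elif port is None:
            continue                             # not inside a virtual port
        elif line in ("def-selection-if-pref-failed",
                      "no def-selection-if-pref-failed"):
            port["def_selection"] = not line.startswith("no ")
        elif m := FAIL_RULE_RE.match(line):
            port["fail_rules"].append((int(m.group(1)), m.group(2)))
    # Evaluate at the end so command order inside a port does not matter.
    return [(p["vs"], p["port"], gid, group)
            for p in ports if p["def_selection"]
            for gid, group in p["fail_rules"]]


# Constructed configuration: port 80 keeps the default, port 8080 negates it.
SAMPLE = """
slb virtual-server vs1 10.10.10.100
 port 80 tcp
  pbslb bw-list sample-bwlist
  pbslb id 2 service srvcgroup2 logging 5 fail
  pbslb id 4 drop logging
 port 8080 tcp
  pbslb bw-list sample-bwlist
  pbslb id 2 service srvcgroup2 logging fail
  no def-selection-if-pref-failed
"""

if __name__ == "__main__":
    for vs, port, gid, group in audit(SAMPLE):
        print(f"{vs} port {port}: pbslb id {gid} -> {group} logs no "
              f"server-selection failures (def-selection-if-pref-failed enabled)")
```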

reset-on-server-selection-fail
Description

Send a TCP reset (RST) to the client if server selection fails.

Syntax

[no] reset-on-server-selection-fail

Default

Disabled

Mode

Service group

Usage

The TCP template reset-rev option also can be used to send a RST to clients. In AX releases prior to 2.2.2, the reset-rev option would send a RST in
response to a server selection failure. In AX Release 2.2.2 and later, this is
no longer true. The reset-on-server-selection-fail option must be used
instead.

service-group
Description

Bind a virtual port to a service group.

Syntax

[no] service-group group-name

Parameter    Description

group-name
    Service-group name.

Default

N/A

Mode

Virtual port

Usage

The normal form of this command binds the virtual port to the specified
service group. The no form of this command removes the binding.
One virtual port can be associated with one service group only, while one
service group can be associated with multiple virtual ports.
The type of service group and type of virtual port should match. For
example, a UDP service group can not be bound to an HTTP virtual port.

Example

The following examples bind a service group to a virtual port, then remove
the binding, respectively.

AX(config-slb virtual server-slb virtua...)#service-group tcp-grp
AX(config-slb virtual server-slb virtua...)#no service-group tcp-grp

snat-on-vip
Description

Enable IP NAT support for the virtual port.

Syntax

[no] snat-on-vip

Default

Disabled

Mode

Virtual port

Usage

Source IP NAT can be configured on a virtual port in the following ways:
1. ACL-based source NAT (access-list command at virtual port level)
2. VIP source NAT (slb snat-on-vip command at global configuration level)
3. aFleX policy (aflex command at virtual port level)
4. Non-ACL source NAT (source-nat command at virtual port level)
These methods are used in the order shown above. For example, if IP source NAT is configured using an ACL on the virtual port, and the slb snat-on-vip command is also used, then a pool assigned by the ACL is used for traffic that is permitted by the ACL. For traffic that is not permitted by the ACL, VIP source NAT can be used instead.

Note: The current release does not support source IP NAT on FTP or RTSP virtual ports.

source-nat
Description

Enable source NAT. Source NAT is required if the real servers are in a different subnet than the VIP.

Note: This command is not applicable to the mms or rtsp service types.

Syntax

[no] source-nat pool {pool-name | pool-group-name}

Sub-Command    Description

pool-name
    Specifies the name of an IP pool of addresses to use as source addresses.

pool-group-name
    Specifies the name of a group of IP address pools to use as source addresses.

Default

Disabled.

Mode

Virtual port

Usage

By default, source NAT is disabled.
This command enables source NAT.
This command enables source NAT using a single NAT pool or pool group,
for all source addresses. If you want the AX device to select from among
multiple pools based on source IP address, configure policy-based source
NAT instead. See access-list on page 409.

Example

The following example enables source NAT for the virtual port:

AX(config-slb virtual server-slb virtua...)#source-nat pool pool2


stats-data-disable
Description

Disable collection of statistical data for the virtual port.

Syntax

stats-data-disable

Default

Statistical data collection for load-balancing resources is enabled by default.

Mode

Virtual port

stats-data-enable
Description

Enable collection of statistical data for the virtual port.

Syntax

stats-data-enable

Default

Statistical data collection for load-balancing resources is enabled by default.

Mode

Virtual port

Usage

To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See stats-data-enable on
page 159.)

syn-cookie
Description

Enable software-based SYN cookies for a virtual port. SYN cookies provide
protection against TCP SYN flood attacks.

Syntax

[no] syn-cookie [sack]


Sub-Command    Description

sack
    Enables clients to acknowledge receipt of individual TCP/IP packets. Using this information, a server does not need to resend an entire segment of packets and can instead resend only the missing packets.

Note: This option applies only to the following service types: TCP, FTP, MMS, RTSP, and fast-HTTP.

Default

Disabled.

Mode

Virtual port

Usage

If hardware-based SYN cookies are enabled, software-based SYN cookies are not needed and are not used. (Hardware-based SYN cookies are enabled at the global configuration level. See syn-cookie on page 160.)

Without the sack option, the efficiency of packet acknowledgement and retransmission typically is constrained by the timeout period between transmission of a packet from the server and acknowledgement from the client. The timeout generally is calculated based on the round-trip time between sending a packet and receiving an acknowledgement. If an acknowledgement is not received, the server might resend an entire segment of packets, without knowledge of exactly which packets are missing.

If you use the sack option, the AX does the following for client traffic containing the SACK option:

- Includes the SACK option in the SYN-ACK.
- Sends the SACK option to the server, following success of the SYN cookie check.

SACK support is available for the following virtual port service types: TCP, FTP, MMS, RTSP, and fast-HTTP.

Example

The following command enables SYN cookies, with SACK support, for a virtual port:

AX(config-slb virtual server-slb virtua...)#syn-cookie sack

template
Description

Applies an SLB configuration template to a virtual port.

Syntax

[no] template template-type template-name

Parameter    Description

template-type
    Type of template:
        cache
        client-ssl
        connection-reuse
        dns
        http
        persist cookie
        persist destination-ip
        persist source-ip
        persist ssl-id
        policy
        server-ssl
        sip
        smtp
        streaming-media
        tcp
        tcp-proxy
        udp
        virtual-port

template-name
    Name of the template.

Default

If the AX device has a default template that is applicable to the service type,
the default template is automatically applied. The AX device has a default
virtual-port template, which is applied to a virtual port when you create it.

Mode

Virtual port

Usage

The normal form of this command applies the specified template to the virtual port. The no form of this command removes the template from the
virtual port but does not delete the template itself.
A virtual port can be associated with only one template of a given type.
However, the same template can be associated with more than one virtual
port.
To bind a virtual-port template to the port, see template virtual-port on
page 424.

Example

The following example applies connection reuse template reuse-template to a virtual port:

AX(config-slb virtual server-slb virtua...)#template connection-reuse reuse-template


template virtual-port
Description

Bind a virtual service port template to the virtual port.

Syntax

[no] template virtual-port template-name

Default

The virtual port template named default is bound to virtual ports by default. The parameter settings in the default virtual port template are automatically applied to the new virtual port, unless you bind a different virtual port template to the virtual port.

Mode

Virtual port

Usage

If a parameter is set individually on this virtual port and also is set in a virtual port template bound to this virtual port, the individual setting on this
port is used instead of the setting in the template.
To configure a virtual port template, see slb template virtual-port on
page 373.

Example

The following commands configure a virtual service port template named common-vpsettings, set the connection limit, and bind the template to a virtual port:

AX(config)#slb template virtual-port common-vpsettings
AX(config-Virtual port template)#conn-limit 500000
AX(config-Virtual port template)#exit
AX(config)#slb virtual-server vip1 10.10.10.99
AX(config-slb vserver)#port 80 http
AX(config-slb vserver-vport)#template virtual-port common-vpsettings

use-default-if-no-server
Description

Contact A10 Networks for information.

Syntax

[no] use-default-if-no-server

Default

Disabled.

Mode

Virtual port


use-rcv-hop-for-resp
Description

Force the AX Series device to send replies to clients back through the last
hop on which the request for the virtual port's service was received.

Syntax

[no] use-rcv-hop-for-resp

Default

Disabled.

Mode

Virtual port

Usage

Last hop information is not included in the information sent to the Standby
AX device during HA session synchronization. If an HA failover occurs,
the last hop might not be used for the reply.

Example

The following command enables this option:

AX(config-slb virtual server-slb virtua...)#use-rcv-hop-for-resp


Config Commands: Global Server Load Balancing


The commands in this chapter configure Global Server Load Balancing
(GSLB) parameters. In some cases, the commands create a GSLB configuration item and change the CLI to the configuration level for that item.
This CLI level also has the following commands, which are available at all configuration levels:

clear - See clear on page 49.
debug - See debug on page 52.
do - See do on page 103.
end - See end on page 107.
exit - See exit on page 107.
no - See no on page 135.
show - See Show Commands on page 535.
write - See write terminal on page 67.

gslb active-rtt
Description

Configure global active-RTT settings.

Syntax

[no] gslb active-rtt
{
domain domain-name |
interval seconds |
retry num |
sleep seconds |
timeout ms |
track seconds
}

Parameter    Description

domain domain-name
    Specifies the query domain. To measure the active round-trip time (RTT) for a client, the site AX device sends queries for the domain name to a client's local DNS. An RTT sample consists of the time between when the site AX device sends a query and when it receives the response.
    Only one active-RTT domain can be configured. It is recommended to use a domain name that is likely to be in the cache of each client's local DNS.
    The AX device averages multiple active-RTT samples together to calculate the active-RTT measurement for a client. (See the description of track below.)

interval seconds
    Specifies the number of seconds between queries. You can specify 1-120 seconds.

retry num
    Specifies the number of times GSLB will resend a query if there is no response. You can specify 0-16.

sleep seconds
    Specifies the number of seconds GSLB stops tracking active-RTT data for a client after a query fails. You can specify 1-300 seconds.

timeout ms
    Specifies the number of milliseconds GSLB will wait for a reply before resending a query. You can specify 1-1023 ms.

track seconds
    Specifies the number of seconds during which the AX device collects samples for a client. The samples collected during the track time are averaged together, and the averaged value is used as the active RTT measurement for the client. You can specify 15-3600 seconds.
    The averaged RTT measurement is used until it ages out. The aging time for averaged RTT measurements is 10 minutes by default and is configurable on individual sites, using the active-rtt aging-time command.

Default

This command has the following default settings:

domain - google.com
interval - 1 second
retry - 3
sleep - 3 seconds
timeout - 1000 ms
track - 60 seconds

Mode

Global Config

gslb dns action


Description

Globally drop or reject DNS queries from the local DNS server.

Syntax

[no] gslb dns action {drop | reject}

Parameter    Description

drop
    Drops DNS queries that do not match any zone service.

reject
    Rejects DNS queries that do not match any zone service, and returns the Refused message in replies.

Default

Not set

Mode

Global Config

gslb dns logging


Description

Globally set DNS logging parameters. When this option is enabled, the
GSLB DNS log messages appear in the AX log.

Syntax

[no] gslb dns logging {both | query | response}

Parameter    Description

both | query | response
    Specifies the types of messages to log.

Default

Disabled

Mode

Global Config

gslb geo-location
Description

Configure a global geographic location, by assigning a location name to a client IP address range. GSLB forwards client requests from addresses within the specified IP address range to the GSLB site that serves the location.

Syntax

[no] gslb geo-location location-name
start-ip-addr [mask ip-mask] [end-ip-addr]

Parameter    Description

location-name
    Name of the location, up to 127 alphanumeric characters.

start-ip-addr
    Beginning IP address for the range.

mask ip-mask
    Network mask.

end-ip-addr
    Ending IP address for the range.

Default

N/A

Mode

Global Config

Usage

Geographic location also can be configured in a GSLB policy. In this case, the policy specifies whether to use the globally configured geographic location or the location configured in the policy. (See geo-location on page 471 and geo-location match-first on page 472.)

You can use manually configured geo-location mappings or load a database of mappings. To load a geo-location database, see gslb geo-location load on page 431.

- If you manually map a geo-location to a GSLB site, GSLB uses the mapping.
- If no geo-location is configured for a GSLB site, GSLB automatically maps the service-ip to a geo-location in the loaded geo-location database.
- If a service-ip cannot be mapped to a geo-location, GSLB maps the site AX device to a geo-location.

Example

The following example configures geographic location US.CA.SanJose for IP address range 100.1.1.1 through 100.1.1.125:

AX(config)#gslb geo-location US.CA.SanJose 100.1.1.1 100.1.1.125


gslb geo-location delete


Description

Delete or replace a custom geo-location database from the AX device.

Syntax

gslb geo-location delete file-name

Default

N/A

Usage

This command is available only if you have already imported a geo-location database file. This command can replace a loaded geo-location database file but does not unload one without replacing it. To unload a geo-location database file without replacing it, see gslb geo-location load on page 431.

Mode

Global Config

gslb geo-location load


Description

Load a geo-location database into GSLB. Loading a pre-configured geo-location database provides a convenient alternative to manually configuring each geo-location separately.

Syntax

[no] gslb geo-location load
{iana | file-name csv-template-name}

Parameter    Description

iana
    Loads the Internet Assigned Numbers Authority (IANA) database. The IANA database contains the geographic locations of the IP address ranges and subnets assigned by the IANA. The IANA database is included in the AX system software. However, it is unloaded (not used) by default.

file-name csv-template-name
    Loads a custom database. You can load a custom geo-location database from a file in comma-separated-values (CSV) format. This option requires configuration of a CSV template on the AX device. When you load the CSV file, the data is formatted based on the template. (To configure a CSV template, see gslb template csv on page 443.)

Note: The file-name option is available only if you have already imported a geo-location database file.

Default

The IANA database is loaded by default.

Mode

Global Config

Usage

You can load more than one geo-location database. When you load a new
database, if the same IP address or IP address range already exists in a previously loaded database, the address or range is overwritten by the new
database.

Example

The following command loads the IANA database:

AX(config)#gslb geo-location load iana

Example

The following command loads geo-location data from a CSV file:

AX(config)#gslb geo-location load test1.csv test1-tmplte

gslb ip-list
Description

Configure a list of IP addresses and group IDs to use as input to other GSLB commands.

Syntax

[no] gslb ip-list list-name

The command changes the CLI to the configuration level for the list, where the following IP-list-related commands are available:
(The other commands are common to all CLI configuration levels. See Config Commands: Global on page 69.)

Command    Description

[no] ip ipaddr {subnet-mask | /mask-length} id group-id
    Creates an IP entry in the list. Based on the subnet mask or mask length, the entry can be a host address or a subnet address. The id option adds the entry to a group. The group-id can be 0-31.

[no] load bwlist-name
    Loads the entries from a black/white list into the IP list. For information on configuring a black/white list, see the Policy-Based SLB (PBSLB) section in the Traffic Security Features chapter of the AX Series Configuration Guide.

Default

None

Mode

Global Config

Usage

You can configure an IP list in either of the following ways:

- Use a text editor on a PC or use the AX GUI to configure a black/white list, then load the entries from the black/white list into an IP list.
- Use this command to configure individual IP list entries.

Example

The following commands configure a GSLB IP list and use the list to
exclude IP addresses from active-RTT data collection:

AX(config)#gslb ip-list iplist1
AX(config-gslb ip-list)#ip 192.168.1.0 /24 id 3
AX(config-gslb ip-list)#ip 10.10.10.10 /32 id 3
AX(config-gslb ip-list)#ip 10.10.10.20 /32 id 3
AX(config-gslb ip-list)#ip 10.10.10.30 /32 id 3
AX(config-gslb ip-list)#exit
AX(config)#gslb policy pol1
AX(config-gslb policy)#ip-list iplist1
AX(config-gslb policy)#active-rtt ignore-id 3
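
A review aid for an IP list like the one above, as an added example (not A10 code): it parses ip entries in the syntax documented here, enforces the 0-31 group-id range, and reports whether a client address would fall in a group named by active-rtt ignore-id. Assumptions: when entries overlap, the most specific prefix decides the group (the page does not state the device's matching rule), and an entry with host bits set under its mask is treated as an error; the function names and the extra sample entries are constructed.

```python
import ipaddress
import re

# Matches "ip ipaddr {subnet-mask | /mask-length} id group-id", with or
# without a leading CLI prompt such as "AX(config-gslb ip-list)#".
ENTRY_RE = re.compile(
    r"(?:^|#)\s*ip\s+(?P<addr>\S+)\s+(?P<mask>/\d{1,2}|\d+\.\d+\.\d+\.\d+)"
    r"\s+id\s+(?P<gid>\d+)\s*$"
)


def parse_ip_list(lines):
    """Return [(network, group_id)] for every ip entry found in lines."""
    entries = []
    for lineno, line in enumerate(lines, 1):
        m = ENTRY_RE.search(line)
        if not m:
            continue  # not an ip entry (for example "exit" or "gslb ip-list ...")
        gid = int(m.group("gid"))
        if not 0 <= gid <= 31:
            raise ValueError(f"line {lineno}: group-id {gid} outside 0-31")
        mask = m.group("mask").lstrip("/")
        try:
            # strict=True rejects entries whose host bits are set under the
            # mask (assumption: such an entry is a typo worth flagging).
            net = ipaddress.ip_network(f"{m.group('addr')}/{mask}", strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
        entries.append((net, gid))
    return entries


def group_for(client, entries):
    """Group id of the most specific entry containing client, or None."""
    addr = ipaddress.ip_address(client)
    best = None
    for net, gid in entries:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gid)
    return None if best is None else best[1]


def rtt_ignored(client, entries, ignore_ids):
    """True if client falls in a group listed by 'active-rtt ignore-id'."""
    return group_for(client, entries) in ignore_ids


# Constructed sample: the first two entries come from the example above; the
# subnet-mask form and the overlapping host entry are added for illustration.
CONFIG = """\
AX(config)#gslb ip-list iplist1
AX(config-gslb ip-list)#ip 192.168.1.0 /24 id 3
AX(config-gslb ip-list)#ip 10.10.10.10 /32 id 3
AX(config-gslb ip-list)#ip 10.10.10.20 255.255.255.255 id 3
AX(config-gslb ip-list)#ip 192.168.1.77 /32 id 5
AX(config-gslb ip-list)#exit
""".splitlines()

if __name__ == "__main__":
    entries = parse_ip_list(CONFIG)
    for client in ("192.168.1.9", "192.168.1.77", "10.10.10.20", "10.10.10.11"):
        print(client, "ignored" if rtt_ignored(client, entries, {3}) else "measured")
```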

gslb ping
Description

Test GSLB connectivity from the GSLB AX device to a site AX device.

Syntax

ping {site-name | ipaddr}

site-name | ipaddr
    GSLB site name or the IP address of the site AX device.

Mode

Global Config

gslb policy
Description

Configure a GSLB policy.

Syntax

[no] gslb policy {default | policy-name}

Parameter    Description

default
    The default GSLB policy included in the software.

policy-name
    Name of the policy, up to 31 alphanumeric characters.

This command changes the CLI to the configuration level for the specified GSLB policy. For information about the commands available at the GSLB policy level, see Config Commands: GSLB Policy on page 455.

Default

N/A

Mode

Global Config

Example

The following example creates a GSLB policy called gslb-policy2:

AX(config)#gslb policy gslb-policy2
AX(config gslb-policy)#

gslb protocol
Description

Enable the GSLB protocol or set protocol options.

Syntax

[no] gslb protocol
{enable {controller | device [no-passive-rtt]} |
status-interval seconds}

Parameter    Description

enable {controller | device [no-passive-rtt]}
    Enables the GSLB protocol:
        controller - Use this option on the AX device on which GSLB is configured.
        device - Use this option on the AX devices that are SLB devices at the GSLB sites.
    The no-passive-rtt option disables collection of passive RTT data for the site AX device.

status-interval seconds
    Changes the number of seconds between GSLB status messages. You can specify 1-300 seconds.

Default

The GSLB protocol options have the following defaults:

- enable - Disabled. If you enable the GSLB protocol with the device option (instead of the controller option), collection of passive RTT data is enabled by default.
- status-interval - 30 seconds.

Mode

Global Config

Usage

The A10 Networks GSLB protocol uses port 4149. The protocol is registered on this port for both TCP and UDP.

AX devices use the GSLB protocol for GSLB management traffic. The protocol is required to be enabled on the GSLB controller. The protocol is recommended on site AX devices but is not required. However, some GSLB policy metrics require the protocol to be enabled on the site AX devices as well as the GSLB controller:

- session-capacity
- active-rtt
- passive-rtt
- connection-load
- num-session
- least-response

The GSLB protocol is required in order to collect the site information provided for these metrics.

The GSLB protocol is also required for the health-check metric, if the default health checks are used. If you modify the health checks, the GSLB protocol is not required.

Example

The following command enables the GSLB protocol on a GSLB AX Series device:

AX(config)#gslb protocol enable controller

Example

The following command enables the GSLB protocol on a site AX Series device:

AX(config)#gslb protocol enable device


gslb protocol limit


Description

Change RTT message limits.

Syntax

[no] gslb protocol limit
{
artt-query num-msgs |
artt-response num-msgs |
artt-session num-sessions |
prtt-response num-msgs |
conn-response num-msgs |
response num-msgs |
message num-msgs
}

Default

See the online help.

Mode

Global Config

gslb service-ip
Description

Configure a service IP, which can be a virtual server's or real server's IP address.

Syntax

[no] gslb service-ip service-name [ipaddr]

Parameter    Description

service-name
    Name of the service, up to 31 alphanumeric characters.

ipaddr
    IP address of the virtual server or real server. You can specify an IPv4 or IPv6 address.
    (If you are changing the configuration of a GSLB service that is already configured, this parameter is not required.)

This command changes the CLI to the configuration level for the specified service, where the following GSLB-related commands are available:

Command    Description

[no] admin-preference preference
    Assigns an administrative preference to the DNS CNAME record for the service. The preference can be 0-255. A higher value is preferred over a lower value. The default is 0 (not set).

disable
    Disables GSLB for the service IP address.

enable
    Enables GSLB for the service IP address.

[no] external-ip ipaddr
    Assigns an external IP address to the service IP. The external IP address allows a service IP that has an internal IP address to be reached from outside the internal network.

[no] health-check [option]
    Configures monitoring of the service IP address. If you enter the command without any options, the default Layer 3 health monitor (ICMP ping) is used.
        monitor-name - The service is checked using the specified Layer 3, 4 or 7 health monitor.
        follow-port portnum - The health of the service port is based on the health of another port. Specify the other port number.
        gateway - Enables health checking of the site gateway. A gateway health check is a Layer 3 health check (ping) sent to the gateway router for an SLB site. This option is enabled by default.
        port port-num port-num [...] - Configures multiple port health checking for the service. The service IP is marked Up if any of the ports passes the health check. It is not required for all ports to pass the health check. You can specify up to 64 ports.
        protocol - Enables or disables use of the GSLB protocol for health checking of the service. By default, the protocol option is enabled. If the GSLB protocol is enabled and can reach the service, health checking is performed over the GSLB protocol. Otherwise, health checking is performed using standard network traffic instead.

[no] ipv6 ipv6-addr
    Maps the specified IPv6 address to an IPv4 service IP. This option also requires IPv6 DNS AAAA support to be enabled in the GSLB policy. (See the ipv6-mapping option in dns on page 464.)

[no] port num {tcp | udp}
    Adds a service port to the service IP address. The command also changes the CLI to the configuration level for the specified service port, where the following service port-related commands are available:
        disable - Disables GSLB for the service port on this service IP address.
        enable - Enables GSLB for the service port on this service IP address.
        [no] health-check [monitor-name] - Enables or disables health monitoring for the service port. If you do not specify a health monitor, the default health monitor is used. (See Usage below.)

[no] weight num
    Assigns a weight to the DNS CNAME record for the service. Use this option if you plan to use the Weighted Alias metric.

Default

No services are configured by default. When you configure a service, the service is enabled by default. The default health monitor for a service is the default Layer 3 health monitor (ICMP ping). The default health monitor for a service port is the default TCP or UDP monitor, depending on the transport protocol. (For more on health checking, see Usage below.)

Mode

Global Config

Usage

If you leave the health monitor for a service at its default setting (the default ICMP ping health check), the health checks are performed within the GSLB protocol.

If you use a custom health monitor, or you explicitly apply the default Layer 3 health monitor to the service, the GSLB protocol is not used for any of the health checks.

If you use a custom health monitor for a service port, the port number specified in the service configuration is used instead of the port number specified in the health monitor configuration.

The following policy metric options are not supported for IPv6 service IPs:

- active-rtt
- ip-list
- passive-rtt
- dns external-ip
- dns ipv6 mapping
- geo-location

Example

The following example creates a GSLB service IP address named gslb-srvc2 with IP address 192.168.20.99:

AX(config)#gslb service-ip gslb-srvc2 192.168.20.99
AX(config-gslb service-ip)#

gslb site
Description

Configure a GSLB site.

Syntax

[no] gslb site site-name

Parameter    Description

site-name
    Name for the site, up to 31 alphanumeric characters.

This command changes the CLI to the configuration level for the specified site, where the following site-related commands are available:

Command    Description

[no] active-rtt option
    Configures options for the active RTT metric:
        aging-time minutes - Specifies the maximum amount of time a stored active-RTT result can be used. You can specify 1-60 minutes. The default is 10 minutes.
        bind-geoloc - Stores the active-RTT measurements on a per geo-location basis. Without this option, the measurements are stored on a per site-SLB device basis.
        ignore-count num - Specifies the ignore count if RTT is out of range. You can specify 1-15. The default is 5.
        limit num - Specifies the maximum RTT allowed for the site. If the RTT measurement for a site exceeds the configured limit, GSLB does not eliminate the site. Instead, GSLB moves to the next metric in the policy. You can specify 0-16383 milliseconds (ms). The default is 16383.
        mask {/mask-length | mask-ipaddr} - Specifies the IPv4 client subnet mask length. The default mask length is 32.
        overlap - Allows overlap for the Bind option, to ensure the most precise match. This option is disabled by default.
        range-factor num - Specifies the maximum percentage a new active-RTT measurement can differ from the previous measurement. If the new measurement differs from the previous measurement by more than the allowed percentage, the new measurement is discarded and the previous measurement is used again.
            For example, if the range-factor is set to 25 (the default), a new measurement that has a value from 75% to 125% of the previous value can be used. A measurement that is less than 75% or more than 125% of the previous measurement cannot be used.
            You can specify 1-1000. The default is 25.
        smooth-factor num - Blends the new measurement with the previous one, to smooth the measurements.
            For example, if the smooth-factor is set to 10 (the default), 10% of the new measurement is used, along with 90% of the previous measurement. Similarly, if the smooth-factor is set to 50, 50% of the new measurement is used, along with 50% of the previous measurement.
            You can specify 1-100. The default is 10.
    (For information about the active RTT metric, see active-rtt on page 455.)

[no] bw-cost options
    Configures options for the bw-cost metric:
        limit num - Specifies the maximum amount the SNMP object queried by the GSLB AX device can increment since the previous query, in order for the site to remain eligible for selection as the best site. You can specify 0-2147483647. There is no default.
            If a site becomes ineligible due to being over the limit, the percentage parameter is used. In order to become eligible for selection again, the site's limit value must not increment more than limit*threshold-percentage.
        threshold percentage - For a site to regain eligibility when bw-cost is being compared, the SNMP object's incremental value must be below the threshold-percentage of the limit value. You can specify 0-100. There is no default.
            For example, if the limit value is 80000 and the threshold is 90, the limit value must increment by 72000 or less, in order for the site to become eligible again based on bandwidth cost. Once a site again becomes eligible, the SNMP object's value is again allowed to increment by as much as the bandwidth limit value (80000, in this example).
    (For information about the bw-cost metric, see bw-cost on page 460.)

[no] geo-location location-name
    Associates this site with a specific geographic location. (To configure a location, use the gslb geo-location command.)

[no] ip-server service-ip
    Associates a real server with this site.
    Note: Generally, virtual servers rather than real servers are associated with a site. To associate a virtual server with a site, use the vip-server option of the slb-dev command.

[no] passive-rtt option
    Configures options for the passive RTT metric. The options are the same as those for active-rtt. (See above.)
    (For information about the passive RTT metric, see passive-rtt on page 479.)

[no] slb-dev device-name ip-addr
    Specifies the device that provides SLB for the site. The IP address must be reachable by the GSLB AX Series when the GSLB protocol is enabled.
    This command changes the CLI to the configuration level for the SLB device. At this CLI level, the following optional GSLB-related commands are available:
        [no] admin-preference num - Assigns a preference value to the SLB device. If the admin-preference metric is enabled in the policy and all metrics before this one result in a tie, the SLB device with the highest admin-preference value is preferred. You can specify from 0-255. The default is 100.
        [no] gateway ipaddr - Specifies the gateway that the SLB device will use to reach the GSLB local DNS for collecting active RTT measurements.
        [no] gateway health-check - Enables gateway health checking. A gateway health check is a Layer 3 health check (ping) sent to the gateway router for an SLB site. This option is enabled by default.
        [no] max-client num - Specifies the maximum number of clients for which the GSLB AX device (controller) saves data such as active and passive RTT measurements for each of the clients. You can specify 1-2147483647. The default is 32768.
        [no] passive-rtt-timer num - For passive RTT, specifies the number of seconds during which samples are collected during each sampling period. You can specify 1-255. The default is 3. To prevent samples from being taken for this device, use the no passive-rtt-timer command.
        [no] vip-server name - Maps this SLB site to a globally configured GSLB service IP address. The name must be the name of a configured service IP. (To configure the service IP, use the gslb service-ip command. See gslb service-ip on page 436.)

[no] template template-name
    Binds a template to the site. To use the bw-cost metric, use this option to bind a GSLB SNMP template to the site.

[no] weight num
    Assigns a weight to the site. If the weighted-site metric is enabled in the policy and all metrics before weighted-site result in a tie, the site with the highest weight is preferred. The weight can be from 1-100. The default is 1.

Default

See above.

Mode

Global Config

Example

The following example creates a site named NY-site and adds SLB
AX Series site-ax-1 with IP address 10.10.10.10 to the site:

AX(config)#gslb site NY-site
AX(config gslb-site)#slb-dev site-ax-1 10.10.10.10

gslb system wait


Description

Delay startup of GSLB following startup of the AX device.

Syntax

[no] gslb system wait seconds

Parameter

seconds
    Length of the delay, 0-16384 seconds.

Default

0 seconds (no delay)

Mode

Global Config

gslb template csv


Description

Configure a template for extracting geo-location data from an imported CSV
file.

Syntax

[no] gslb template csv template-name

Parameter

template-name
    Name of the template, 1-63 characters.

This command changes the CLI to the configuration level for the specified
template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
"Config Commands: Global" on page 69.)

Command

[no] delimiter {character | ASCII-code}
    Specifies the character used in the file to delimit fields. You can type
    the character or enter its decimal ASCII code (0-255).

[no] field num type-of-data
    The num option specifies the field position within the CSV file. You can
    specify from 1-64. The following options specify the type of geo-location
    data that is located in the field position:
    ip-from - Specifies the beginning IP address in the range or subnet.
    ip-to-mask - Specifies the ending IP address in the range, or the subnet
    mask.
    continent - Specifies the continent where the IP address range or subnet
    is located.
    country - Specifies the country where the IP address range or subnet is
    located.
    state - Specifies the state where the IP address range or subnet is
    located.
    city - Specifies the city where the IP address range or subnet is located.

Default

There is no default CSV template. When you configure one, the field locations are not set. The default delimiter character is a comma ( , ).

Mode

Global Config

Usage

To load a geo-location data file and use the CSV template to extract the
data, see "gslb geo-location load" on page 431.

Example

The following commands configure a CSV template called test1-tmplte:

AX(config)#gslb template csv test1-tmplte
AX(config-gslb template csv)#field 1 ip-from
AX(config-gslb template csv)#field 2 ip-to-mask
AX(config-gslb template csv)#field 5 continent
AX(config-gslb template csv)#field 3 country
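
How a CSV template's field positions and delimiter drive extraction, as an added Python sketch (not A10 code). The template lines are the test1-tmplte commands above; the sample rows are constructed, and both the all-digit delimiter rule and the netmask-versus-ending-address heuristic for ip-to-mask are assumptions made for this example.

```python
import csv
import io
import ipaddress

FIELD_TYPES = {"ip-from", "ip-to-mask", "continent", "country", "state", "city"}


def parse_template(lines):
    """Turn 'delimiter' / 'field' commands into (delimiter, {position: type})."""
    delimiter = ","                  # documented default delimiter
    fields = {}                      # field positions are not set by default
    for line in lines:
        words = line.split()
        if len(words) == 2 and words[0] == "delimiter":
            arg = words[1]
            if arg.isdigit():        # assumption: all digits means a decimal ASCII code
                if not 0 <= int(arg) <= 255:
                    raise ValueError(f"ASCII code out of range: {arg}")
                delimiter = chr(int(arg))
            elif len(arg) == 1:
                delimiter = arg
            else:
                raise ValueError(f"bad delimiter: {arg!r}")
        elif len(words) == 3 and words[0] == "field":
            position, kind = int(words[1]), words[2]
            if not 1 <= position <= 64:
                raise ValueError(f"field position out of range: {position}")
            if kind not in FIELD_TYPES:
                raise ValueError(f"unknown field type: {kind}")
            fields[position] = kind
        else:
            raise ValueError(f"unsupported template line: {line!r}")
    return delimiter, fields


def is_netmask(addr):
    """True when the 32-bit value is a run of 1 bits followed only by 0 bits."""
    inverted = int(addr) ^ 0xFFFFFFFF
    return int(addr) != 0 and (inverted & (inverted + 1)) == 0


def to_networks(start, second):
    """Read the ip-to-mask value as a subnet mask or as the end of a range."""
    if is_netmask(second):
        prefix = bin(int(second)).count("1")
        return [ipaddress.IPv4Network(f"{start}/{prefix}", strict=False)]
    # summarize_address_range raises ValueError if the end is below the start
    return list(ipaddress.summarize_address_range(start, second))


def extract(template_lines, data):
    """Apply the template to CSV text and return one record per data row."""
    delimiter, fields = parse_template(template_lines)
    if not {"ip-from", "ip-to-mask"} <= set(fields.values()):
        raise ValueError("template must map ip-from and ip-to-mask")
    records = []
    reader = csv.reader(io.StringIO(data), delimiter=delimiter)
    for number, row in enumerate(reader, 1):
        if not row:
            continue
        if max(fields) > len(row):
            raise ValueError(f"line {number}: fewer than {max(fields)} fields")
        record = {kind: row[pos - 1].strip() for pos, kind in fields.items()}
        start = ipaddress.IPv4Address(record.pop("ip-from"))
        second = ipaddress.IPv4Address(record.pop("ip-to-mask"))
        record["networks"] = to_networks(start, second)
        records.append(record)
    return records


# Template commands from the test1-tmplte example; field 4 is deliberately unmapped.
TEMPLATE = ["field 1 ip-from", "field 2 ip-to-mask", "field 5 continent", "field 3 country"]

# Constructed sample rows: one subnet-mask row, one ending-address row.
SAMPLE_CSV = (
    "10.0.0.0,255.255.255.0,US,unused,North America\n"
    "192.0.2.0,192.0.2.127,DE,unused,Europe\n"
)

if __name__ == "__main__":
    for rec in extract(TEMPLATE, SAMPLE_CSV):
        print(rec)
```

A row with fewer fields than the highest mapped position is rejected rather than silently loaded with empty location data.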


gslb template snmp


Description

Configure an SNMP template to query data for use by the bw-cost metric.

Syntax

[no] gslb template snmp template-name


Parameter

template-name
    Name of the template, 1-63 characters.

This command changes the CLI to the configuration level for the specified
template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
"Config Commands: Global" on page 69.)

Command

[no] auth-key string
    Specifies the authentication key. The key string can be 1-127 characters
    long. This command is applicable if the security level is auth-no-priv or
    auth-priv.

[no] auth-proto {sha | md5}
    Specifies the authentication protocol. This command is applicable if the
    security level is auth-no-priv or auth-priv.

[no] community community-string
    For SNMPv1 or v2c, specifies the community string required for
    authentication.

[no] context-engine-id id
    Specifies the ID of the SNMPv3 protocol engine running on the site AX
    device.

[no] context-name id
    Specifies an SNMPv3 collection of management information objects
    accessible by an SNMP entity.

[no] host ipaddr
    Specifies the IP address of the site AX device.

[no] interface id
    Specifies the SNMP interface ID.

[no] interval seconds
    Specifies the amount of time between each SNMP GET to the site AX
    devices. You can specify 1-999 seconds. The default is 3.

[no] oid oid-value
    Specifies the interface MIB object to query on the site AX device.

    Note: If the object is part of a table, make sure to append the table
    index to the end of the OID. Otherwise, the AX device will return an
    error.

[no] port portnum
    Specifies the protocol port on which the site AX devices listen for the
    SNMP requests from the GSLB AX device. You can specify 1-65535. The
    default is 161.

[no] priv-key string
    Specifies the encryption key. The key string can be 1-127 characters
    long. This command is applicable only if the security level is auth-priv.

[no] priv-proto {aes | des}
    Specifies the privacy protocol used for encryption. This command is
    applicable only if the security level is auth-priv.

[no] security-engine-id id
    Specifies the ID of the SNMPv3 security engine running on the site AX
    device. For each command, the ID is a string 1-127 characters long.

[no] security-level {no-auth | auth-no-priv | auth-priv}
    Specifies the SNMPv3 security level:
    no-auth - Authentication is not used and encryption (privacy) is not
    used. This is the default.
    auth-no-priv - Authentication is used but encryption is not used.
    auth-priv - Both authentication and encryption are used.

[no] username name
    Specifies the SNMPv3 username required for access to the SNMP agent on
    the site AX device.

[no] version {v1 | v2c | v3}
    Specifies the SNMP version running on the site AX device.

Default

See above.

Mode

Global config

Usage

The community command applies only to SNMPv1 or v2c. Most of the other
commands, with the exception of the version, interval, port, and interface
commands, apply to SNMPv3.

Example

The following commands configure a GSLB SNMP template for SNMPv2c:

AX(config)#gslb template snmp snmp-1
AX(config-gslb template snmp)#version v2c
AX(config-gslb template snmp)#host 192.168.214.124
AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12
AX(config-gslb template snmp)#community public
AX(config-gslb template snmp)#exit

Example

The following commands configure a GSLB SNMP template for SNMPv3. In this
example, authentication and encryption are both used.

AX(config)#gslb template snmp snmp-2
AX(config-gslb template snmp)#security-level auth-priv
AX(config-gslb template snmp)#host 192.168.214.124
AX(config-gslb template snmp)#username read
AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12
AX(config-gslb template snmp)#priv-proto des
AX(config-gslb template snmp)#auth-key 12345678
AX(config-gslb template snmp)#priv-key 12345678
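
A configuration review check for the two template examples above, as an added Python sketch (not A10 code): it reads CLI lines in the form printed in this manual and flags community-based SNMP, the no-auth default, md5 or des where sha or aes is available, and weak or reused keys. The snmp-3 template, the finding names and the 12-character key policy are assumptions made for this example.

```python
import re

PROMPT = re.compile(r"^AX\(config[^)]*\)#\s*")  # CLI prompt as printed in the manual
MIN_KEY_LEN = 12  # assumed local policy; the CLI itself accepts 1-127 characters

EXPLAIN = {
    "cleartext-community": "SNMPv1/v2c: community string and data are sent unencrypted",
    "default-community": "community is a widely known default value",
    "no-auth": "security-level no-auth (the default): no authentication, no encryption",
    "no-priv": "auth-no-priv: polled data is not encrypted",
    "auth-proto-unset": "auth-proto is not set explicitly",
    "auth-md5": "md5 selected although sha is available",
    "priv-proto-unset": "priv-proto is not set explicitly",
    "priv-des": "des selected although aes is available",
    "weak-auth-key": "auth-key is missing, all digits, or shorter than MIN_KEY_LEN",
    "weak-priv-key": "priv-key is missing, all digits, or shorter than MIN_KEY_LEN",
    "key-reuse": "auth-key and priv-key are identical",
}

# snmp-1 and snmp-2 are the manual's examples (an exit is added after snmp-2);
# snmp-3 is constructed from documented options with placeholder keys.
SESSION = """\
AX(config)#gslb template snmp snmp-1
AX(config-gslb template snmp)#version v2c
AX(config-gslb template snmp)#host 192.168.214.124
AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12
AX(config-gslb template snmp)#community public
AX(config-gslb template snmp)#exit
AX(config)#gslb template snmp snmp-2
AX(config-gslb template snmp)#security-level auth-priv
AX(config-gslb template snmp)#host 192.168.214.124
AX(config-gslb template snmp)#username read
AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12
AX(config-gslb template snmp)#priv-proto des
AX(config-gslb template snmp)#auth-key 12345678
AX(config-gslb template snmp)#priv-key 12345678
AX(config-gslb template snmp)#exit
AX(config)#gslb template snmp snmp-3
AX(config-gslb template snmp)#version v3
AX(config-gslb template snmp)#security-level auth-priv
AX(config-gslb template snmp)#host 192.168.214.124
AX(config-gslb template snmp)#username read
AX(config-gslb template snmp)#oid .1.3.6.1.2.1.2.2.1.16.12
AX(config-gslb template snmp)#auth-proto sha
AX(config-gslb template snmp)#priv-proto aes
AX(config-gslb template snmp)#auth-key EXAMPLE-auth-passphrase
AX(config-gslb template snmp)#priv-key EXAMPLE-priv-passphrase
"""


def parse_templates(session_text):
    """Collect {template-name: {command: first-argument}} from CLI lines."""
    templates, current = {}, None
    for raw in session_text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[:3] == ["gslb", "template", "snmp"] and len(words) == 4:
            current = templates.setdefault(words[3], {})
        elif words[0] == "exit":
            current = None
        elif current is not None and len(words) >= 2:
            current[words[0]] = words[1]
    return templates


def weak_key(key):
    return key is None or len(key) < MIN_KEY_LEN or key.isdigit()


def audit(template):
    """Return finding codes (keys of EXPLAIN) for one parsed template."""
    if template.get("version") in ("v1", "v2c") or "community" in template:
        findings = ["cleartext-community"]
        if template.get("community", "").lower() in ("public", "private"):
            findings.append("default-community")
        return findings
    level = template.get("security-level", "no-auth")  # documented default
    if level == "no-auth":
        return ["no-auth"]
    findings = []
    auth = template.get("auth-proto")
    if auth is None:
        findings.append("auth-proto-unset")
    elif auth == "md5":
        findings.append("auth-md5")
    if weak_key(template.get("auth-key")):
        findings.append("weak-auth-key")
    if level == "auth-no-priv":
        return findings + ["no-priv"]
    priv = template.get("priv-proto")
    if priv is None:
        findings.append("priv-proto-unset")
    elif priv == "des":
        findings.append("priv-des")
    if weak_key(template.get("priv-key")):
        findings.append("weak-priv-key")
    if template.get("auth-key") and template.get("auth-key") == template.get("priv-key"):
        findings.append("key-reuse")
    return findings


def audit_session(session_text):
    return {name: audit(t) for name, t in parse_templates(session_text).items()}


if __name__ == "__main__":
    for name, codes in audit_session(SESSION).items():
        print(name, [EXPLAIN[c] for c in codes] or "no findings")
```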

gslb zone
Description

Configure a GSLB zone, which identifies the top-level URL for the services
load balanced by GSLB.

Syntax

[no] gslb zone zone-url


Parameter

zone-url
    URL of the zone, up to 127 alphanumeric characters.
    You can use lower case characters and upper case characters. However,
    since Internet domain names are case-insensitive, the AX device
    internally converts all upper case characters in GSLB zone names to
    lower case.

This command changes the CLI to the configuration level for the specified
zone, where the following zone-related commands are available:

Command

[no] dns-mx-record name priority
    Configures a DNS Mail Exchange (MX) record for the zone. The name is the
    fully-qualified domain name of the mail server for the zone.
    If more than one MX record is configured for the same zone, the priority
    specifies the order in which the mail server should attempt to deliver
    mail to the MX hosts. The MX with the lowest priority value has the
    highest priority and is tried first. The priority can be 0-65535. There
    is no default.
    MX records configured on a zone are used only for services on which MX
    records are not configured.

    Note: If you want the GSLB AX device to return the IP address of the mail
    service in response to MX requests, you must configure Address records
    for the mail service.

[no] dns-ns-record domain-name
    Configures a DNS name server record for the specified domain.

[no] dns-soa-record dns-server-name mailbox-name [expire seconds]
[refresh seconds] [retry seconds] [serial num] [ttl seconds]
    Configures a DNS start of authority (SOA) record for the GSLB zone.
    The refresh option specifies the number of seconds other DNS servers wait
    before requesting updated information for the GSLB zone. The retry option
    specifies how many seconds other DNS servers wait before resending a
    refresh request, if GSLB does not respond to the previous request. The
    expire option specifies how many seconds GSLB can remain unresponsive to
    a refresh request before the other DNS server stops responding to queries
    for the zone.
    The serial option specifies the initial serial number of the SOA record.
    This number is automatically incremented each time a change occurs to any
    records for the GSLB zone. You can specify 0-2147483647. The default is
    based on the current system time on the GSLB AX device when you create
    the SOA record.
    The ttl option specifies the number of seconds GSLB will cache and reuse
    negative replies (NXDOMAIN messages). A negative reply is an error
    message indicating that a requested domain does not exist. You can
    specify 0-2147483647 seconds. The default is the value of the zone TTL
    when you create the SOA record.

    Note: The ttl option is equivalent to the minimum option in BIND 9.

[no] policy policy-name
    Applies the specified GSLB policy to the zone.

[no] service port [service-name]
    Adds a service to the zone. The port option specifies the service port
    and can be a well-known name recognized by the CLI or a port number from
    1 to 65535. The service-name can be 1-31 alphanumeric characters or *
    (wildcard character matching on all service names).
    For the same reason described for zone names, the AX device converts all
    upper case characters in GSLB service names to lower case.
    This command changes the CLI to the configuration level for the service,
    where the following GSLB-related commands are available:

    action action-type
        Specifies the action to perform for DNS traffic:
        drop - Drops DNS queries from the local DNS server.
        reject - Rejects DNS queries from the local DNS server and returns
        the Refused message in replies.
        forward {both | query | response} - Forwards requests or queries, as
        follows:
            forward both - Forwards queries to the Authoritative DNS server,
            and forwards responses to the local DNS server.
            forward query - Forwards queries to the Authoritative DNS server,
            but does not forward responses to the local DNS server.
            forward response - Forwards responses to the local DNS server,
            but does not forward queries to the Authoritative DNS server.

        Note: Use of the actions configured for services also must be enabled
        in the GSLB policy, using the dns action command at the configuration
        level for the policy. See "dns" on page 464.

    dns-a-record {service-name | service-ipaddr}
    {as-replace | no-resp | static | ttl num | weight num}
        Configures a DNS Address (A) record for the service, for use with the
        DNS replace-ip option in the GSLB policy. (See "dns" on page 464.)
        as-replace - This option is used with the ip-replace option in the
        policy. When both options are set (as-replace here and ip-replace in
        the policy), the client receives only the IP address set here by
        service-ip.
        no-resp - Prevents the IP address for this site from being included
        in DNS replies to clients.
        static - This option is used with the dns server option in the
        policy. When both options are set (static here and dns server in the
        policy), the GSLB AX device acts as the DNS server for the IP address
        set here by service-ip.
        ttl num - Assigns a TTL to the service, 0-2147483647. By default, the
        TTL of the zone is used. This option can be used with the dns server
        option in the policy, or with DNS proxy mode enabled in the policy.
        weight num - Assigns a weight to the service. If the weighted-ip
        metric is enabled in the policy and all metrics before weighted-ip
        result in a tie, the service on the site with the highest weight is
        selected. The weight can be 1-100. By default, the weight is not set.

        Note: The no-resp option is not valid with the static or as-replace
        option. If you use no-resp, you cannot use static or as-replace.

    dns-cname-record alias [as-backup] [alias ...]
        Configures DNS Canonical Name (CNAME) records for the service. The
        as-backup option specifies that the record is a backup record.

    dns-mx-record name priority
        Configures a DNS Mail Exchange (MX) record for the service. The name
        is the fully-qualified domain name of the mail server for the
        service.
        If more than one MX record is configured for the same service, the
        priority specifies the order in which the mail server should attempt
        to deliver mail to the MX hosts. The MX record with the lowest
        priority number has the highest priority and is tried first. The
        priority can be 0-65535. There is no default.

        Note: If you want the GSLB AX device to return the IP address of the
        mail service in response to MX requests, you must configure A records
        for the mail service.

    dns-ns-record domain-name [as-backup]
        Configures a DNS name server record. The as-backup option specifies
        that the record is a backup record. To use the as-backup option, you
        also must use the dns backup-alias command in the policy. (See "dns"
        on page 464.)

    dns-ptr-record domain-name
        Configures a DNS pointer record.

    dns-srv-record domain-name priority [port portnum] [weight num]
        Configures a DNS service (SRV) record.
        The priority can be 0-65535. There is no default.
        The port portnum specifies the protocol port to return to the client,
        and can be 0-65534. There is no default. If you do not specify the
        port, GSLB finds the port for the SRV record and sends it to the
        client. If you do specify the port, GSLB sends the specified port to
        the client.
        The weight num specifies the weight and can be 0-65535. The default
        is 10.

    geo-location location-name
    {action action | alias url | policy policy-name}
        Configures geo-location settings. The location must already be
        configured. (See "gslb geo-location" on page 430.)
        action action - Specifies the action to perform for DNS traffic. The
        action options are the same as those for the action command described
        above.
        alias url - Maps an alias configured with the alias option (see
        above) to the specified location for this service.
        policy policy-name - Applies the specified GSLB policy to clients
        from the geo-location.

    ip-order {service-name | service-ipaddr} [...]
        Specifies the order in which to list the service IP addresses in the
        DNS reply. The configured order is used by the ordered-ip metric
        during selection of the best IP addresses to send to a client in DNS
        replies.

    policy policy-name
        Applies the specified GSLB policy to the service.

[no] ttl seconds
    Changes the TTL of each DNS record contained in DNS replies received from
    the DNS for which the AX Series is a proxy, for this zone. You can
    specify from 0 to 1000000 (1,000,000) seconds. This TTL setting overrides
    the TTL setting in the GSLB policy.

Default

policy - The default GSLB policy is used, unless you configure another
policy and apply it to the zone. The GSLB policy applied to the zone is also
applied to the services in that zone. If no policy is applied to the zone,
the default GSLB policy is applied to the services.

ttl - 10

Note: The TTL of the DNS reply can be overridden in two different places in
the GSLB configuration:
1. If a GSLB policy is assigned to the individual service, the TTL set in
   that policy is used.
2. If no policy is assigned to the individual service, but the TTL is set in
   the zone, then the zone's TTL setting is used. (This is the level set by
   the ttl command shown in this section.)

None of the other parameters have a default setting.

Mode

Global Config

Example

The following example creates a zone named ax-gslb-zone:

AX(config)#gslb zone ax-gslb-zone
AX(config gslb-zone)#


Config Commands: GSLB Policy


The commands in this chapter configure Global Server Load Balancing
(GSLB) policies. The CLI changes to this level when you enter the
gslb policy policy-name command from the global Config level.

This CLI level also has the following commands, which are available at all
configuration levels:

clear - See "clear" on page 49.
debug - See "debug" on page 52.
do - See "do" on page 103.
end - See "end" on page 107.
exit - See "exit" on page 107.
no - See "no" on page 135.
show - See "Show Commands" on page 535.
write - See "write terminal" on page 67.

active-rtt
Description

Configure the active round-trip time (RTT) metric.

Active RTT measures the round-trip-time for a DNS query and reply
between a site AX device and the GSLB local DNS.

Syntax

[no] active-rtt
[difference num]
[fail-break]
[ignore-id group-id]
[keep-tracking]
[limit ms]
[samples num-samples]
[single-shot] [skip count] [timeout seconds]
[tolerance num-percentage]

Parameter

difference num
    Number from 0 to 1023 specifying the round-trip time difference.

fail-break
    Enables GSLB to stop if the configured RTT limit in a policy is reached.
    The fail-break action depends on whether the GSLB controller is running
    in proxy mode or server mode:
    Server mode: If a backup-alias is configured, the GSLB controller returns
    the backup-alias to the client; otherwise, the controller returns a
    SERVFAIL error to the client.
    Proxy mode: If a backup-alias is configured, the GSLB controller returns
    the backup-alias to the client; otherwise, the controller returns the
    response from the backend DNS server.

    Note: To configure the RTT limit, use the limit option (described below).
    To configure GSLB to return a CNAME record as a backup, enable the
    backup-alias option using the dns backup-alias command at the
    configuration level for the policy. To configure the backup alias for a
    service within a zone, use the following command at the configuration
    level for the service: dns-cname-record alias-name as-backup

ignore-id group-id
    Excludes the IP addresses in the specified IP list from active-RTT data
    collection. (To configure an IP list, see "gslb ip-list" on page 432.)

keep-tracking
    Continues tracking of active RTT for clients after the track time
    expires. By default, GSLB stops collecting active-RTT samples for a
    client (stops tracking the client) after the number of seconds specified
    by the global active-RTT track setting.

limit ms
    Specifies the RTT limit for the policy. This option is useful for
    applying site selection based on RTT limits and geo-location. This option
    is required if you plan to use the DNS geoloc-policy option. You can
    specify 0-16383 ms.
    To configure active-RTT limit by geo-location:
    1. Enable the active-rtt bind-geoloc option on each GSLB site.
    2. Enable the dns geoloc-policy option in the default GSLB policy, and
       enable the active-rtt option in the policies for geo-locations. If
       applicable, configure the active-RTT limit.
    3. On the service within the zone, enable the geo-location option and
       specify the GSLB policy to use for that location.

samples num-samples
    Number from 1 to 8 specifying the number of samples to collect.

single-shot
    Collects a single sample only. For single-shot, you can configure the
    following options:
    skip count - Number of site AX devices that can exceed their single-shot
    timeouts, without the active RTT metric itself being skipped by the GSLB
    AX device during site selection. You can skip from 1-31 sites. By
    default, there is no limit. Any number of the sites can time out, without
    invalidating the active RTT metric.
    timeout seconds - Number of seconds each site AX device should wait for
    the DNS reply. If the reply does not arrive within the specified timeout,
    the site becomes ineligible for selection, in cases where selection is
    based on the active RTT metric. You can specify 1-255 seconds.

tolerance num-percentage
    Specifies how much the active RTT values must differ in order for GSLB to
    prefer one geo-location or site over another based on active RTT.

Default

Disabled. When you enable the active RTT metric, it has the following
default settings:

difference - 0
fail-break - disabled
ignore-id - not set
keep-tracking - disabled
limit - 16383 ms
samples - 5
single-shot - Disabled. Multiple samples are taken at regular intervals.
skip - 3
timeout - 3 seconds
tolerance - 10 percent

Mode

GSLB Policy

Usage

This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.

Example

The following command enables the active RTT metric:

AX(config gslb-policy)#active-rtt

active-servers
Description

Configure the active-servers metric, which prefers the VIP with the highest
number of active servers.
Active-servers is a measure of the number of active real servers bound to a
Virtual IP address (VIP) residing on a GSLB site. The GSLB AX Series
uses the active-servers metric to select the best IP address for the client. The
VIP with the highest number of active servers is the IP address preferred by
this metric.

Syntax

[no] active-servers [fail-break]


Parameter

fail-break
    Enables GSLB to stop if the number of active servers for all services is
    0. The fail-break action depends on whether the GSLB controller is
    running in proxy mode or server mode:
    Server mode: If a backup-alias is configured, the GSLB controller returns
    the backup-alias to the client; otherwise, the controller returns a
    SERVFAIL error to the client.
    Proxy mode: If a backup-alias is configured, the GSLB controller returns
    the backup-alias to the client; otherwise, the controller returns the
    response from the backend DNS server.

Default

Disabled

Mode

GSLB Policy

Usage

Use this command to eliminate inactive real servers from being eligible for
selection by GSLB as the best IP address to send at the top of the IP address
list in DNS replies to clients.

Example

The following command enables the active-servers metric:

AX(config gslb-policy)#active-servers

admin-preference
Description

Enable or disable the admin-preference metric, which prefers the site whose
SLB device has the highest administratively set weight.

Syntax

[no] admin-preference

Default

Disabled

Mode

GSLB Policy

Usage

To set the GSLB admin-preference for a site, use the admin-preference
command at the configuration level for the SLB device within the site. (See
"gslb site" on page 439.)

Example

The following command enables the admin-preference metric:

AX(config gslb-policy)#admin-preference

alias-admin-preference
Description

Enable or disable the Alias Admin Preference metric, which selects the
DNS CNAME record with the highest administratively set preference. This
metric is similar to the Admin Preference metric, but applies only to DNS
CNAME records.

Syntax

[no] alias-admin-preference

Default

Disabled

Mode

GSLB Policy

Usage

Metric order does not apply to this metric. When enabled, this metric
always has high priority.

To configure the Alias Admin Preference metric:

1. At the configuration level for the GSLB service, use the
   admin-preference preference command to assign an administrative
   preference to the DNS CNAME record for the service. (See
   "gslb service-ip" on page 436.)
2. At the configuration level for the GSLB policy:
   - Use the alias-admin-preference command to enable the Alias Admin
     Preference metric.
   - Enable one or both of the following DNS options, as applicable to your
     deployment:
       DNS backup-alias
       DNS geoloc-alias
     (See "dns" on page 464.)
3. If using the backup-alias option, use the dns-cname-record as-backup
   option on the service. (See "gslb service-ip" on page 436.)

bw-cost
Description

Configure the bw-cost metric. This mechanism queries the bandwidth
utilization of each site, and selects the site(s) whose bandwidth utilization
has not exceeded a configured threshold during the most recent query
interval.

Syntax

[no] bw-cost [fail-break]

Parameter

fail-break
    Enables GSLB to stop if the current bw-cost value is over the limit. The
    fail-break action depends on whether the GSLB controller is running in
    proxy mode or server mode:
    Server mode: If a backup-alias is configured, the GSLB controller returns
    the backup-alias to the client; otherwise, the controller returns a
    SERVFAIL error to the client.
    Proxy mode: If a backup-alias is configured, the GSLB controller returns
    the backup-alias to the client; otherwise, the controller returns the
    response from the backend DNS server.

Default

Disabled

Mode

GSLB Policy

Example

The following command enables the bw-cost metric:

AX(config gslb-policy)#bw-cost

capacity
Description

Configure the TCP/UDP session-capacity metric. This mechanism provides a way
to shift load away from a site before the site becomes congested. A site AX
Series is eligible to be the best site only if its session utilization is
below the specified value.

Example:
Site A's maximum session capacity is 800,000 and Site B's maximum session
capacity is 500,000. If the session-capacity threshold is set to 90, then for
Site A the capacity threshold is 90% of 800,000, which is 720,000. Likewise,
the capacity threshold for Site B is 90% of 500,000, which is 450,000.

Syntax

[no] capacity [threshold num] [fail-break]


Parameter

threshold num
    Number from 0 to 100 specifying the maximum percentage of a site AX
    Series session table that can be used. If the session table utilization
    is greater than the specified percentage, the GSLB AX Series prefers
    other sites over this site.

fail-break
    Enables GSLB to stop if the session utilization on all site SLB devices
    is over the threshold. The fail-break action depends on whether the GSLB
    controller is running in proxy mode or server mode:
    Server mode: If a backup-alias is configured, the GSLB controller returns
    the backup-alias to the client; otherwise, the controller returns a
    SERVFAIL error to the client.
    Proxy mode: If a backup-alias is configured, the GSLB controller returns
    the backup-alias to the client; otherwise, the controller returns the
    response from the backend DNS server.

Default

Disabled. When you enable the capacity metric, the default threshold is 90
percent.

Mode

GSLB Policy

Usage

This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.

Example

The following command enables the capacity metric at the default value of
90% utilization of TCP/UDP session capacity:

AX(config gslb-policy)#capacity

connection-load
Description

Configure the connection-load metric, which prefers sites that have not
exceeded their thresholds for new connections.

Syntax

[no] connection-load
[limit number-of-connections] |
[samples number-of-samples interval seconds]
[fail-break]

Parameter

limit number-of-connections
    Number that specifies the maximum average number of new connections per
    second the site AX Series can have. You can specify from 1 to 999999999
    (999,999,999).

samples number-of-samples interval seconds
    Number of samples for the SLB device (the site AX Series) to collect, and
    the number of seconds between each sample. You can specify 1-8 samples
    and an interval of 1-60 seconds.

fail-break
    Enables GSLB to stop if the connection load for all sites is over the
    limit. The fail-break action depends on whether the GSLB controller is
    running in proxy mode or server mode:
    Server mode: If a backup-alias is configured, the GSLB controller returns
    the backup-alias to the client; otherwise, the controller returns a
    SERVFAIL error to the client.
    Proxy mode: If a backup-alias is configured, the GSLB controller returns
    the backup-alias to the client; otherwise, the controller returns the
    response from the backend DNS server.

Default

Disabled. When you enable the connection-load metric, the default limit is
not set (unlimited). The default number of samples is 5 and the default interval is 5 seconds.

Mode

GSLB Policy

Usage

This command applies only to GSLB selection of a site. The command does
not affect the number of connections the site AX Series itself allows.
This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.

Example

The following command sets the connection load limit to 1000 new connections:

AX(config gslb-policy)#connection-load limit 1000


dns
Description

Configure DNS parameters for the policy.

Syntax

[no] dns
{
action |
active-only |
addition-mx |
backup-alias |
best-only [max-answers] |
cache [aging-time {seconds | ttl}] |
cname-detect |
external-ip |
geoloc-action |
geoloc-alias |
geoloc-policy |
ip-replace |
ipv6 options |
logging {both | query | response}
[geo-location name | ip ipaddr] |
server [addition-mx] [authoritative [full-list]]
[mx] [ns [auto-ns]] [ptr [auto-ptr]] [srv] |
sticky [/prefix-length] [aging-time minutes]
[ipv6-mask mask-length] |
ttl num
}
Parameter

Description

action

Enable GSLB to perform the DNS actions specified in the service configurations.

Note:

To configure the DNS action for a service, use the action action-type command at the configuration level for the service. See gslb zone on page 447.

active-only

Removes IP addresses from DNS replies when those addresses fail health checks.
Note: If none of the IP addresses in the DNS reply pass the health check, the GSLB AX Series does not use this metric, since it would result in an empty IP address list.

addition-mx

Appends MX records in the Additional section in replies for A records, when the device is configured for DNS proxy or cache mode.

backup-alias

Returns the alias CNAME record configured for the service, if GSLB does not receive an answer to a query for the service and no active DNS server exists. This option is valid in server mode or proxy mode.
To configure the backup alias for a service within a zone, use the following command at the configuration level for the service: dns-cname-record alias-name as-backup

best-only [max-answers]

Removes all IP addresses from DNS replies except for the address selected as the best address by the GSLB policy metrics. It is possible for more than one address to be the best address. The max-answers option specifies the maximum number of best addresses allowed, 1-128. By default, max-answers is not set. There is no limit to the number of answers.

cache [aging-time seconds | ttl]

Enables the GSLB AX device to cache DNS replies. The AX device uses information in the cached DNS entries when replying to clients, instead of sending a new DNS request for every client query.
By default, the AX device caches a DNS reply for the duration of the TTL in the reply. You can override the entry TTL by setting the cache aging time. You can specify 1-1,000,000,000 seconds (nearly 32 years). Do not type commas when you enter the number.
If you change the aging time but later decide to restore it to its default value, use the ttl option instead of seconds.

cname-detect

Enables GSLB for CNAME records. For example, if the GSLB AX Series receives a DNS reply that contains the CNAME record
Alias = www1.a10networks.com,
Actual name = www.a10networks.com,
and the zone and application name "www.a10networks.com" have been configured on the GSLB-AX, the GSLB-AX will apply the GSLB policy to the CNAME record.

external-ip

Returns the external IP address configured for a service IP. If this option is disabled, the internal address is returned instead.
The external IP address must be configured on the service IP. (Use the external-ip command at the configuration level for the service IP.)

geoloc-action

Performs the DNS traffic handling action specified for the client's geo-location. The action is specified as part of service configuration in a zone.

Note:

To configure the DNS action for a service, use the geo-location location-name action-type command at the configuration level for the service. See gslb zone on page 447.

geoloc-alias

Returns the alias name configured for the client's geo-location. (This option does the same thing as the alias-geoloc option, which is deprecated in AX Release 2.0.)

geoloc-policy

Uses the GSLB policy assigned to the client's geo-location.

ip-replace

Replaces the IP addresses in the DNS reply with the service IP addresses configured for the service. (To configure the service IP addresses, use the service-ip command at the configuration level for the service. See gslb zone on page 447.)

ipv6 options

Enables support for IPv6 AAAA records. The following options are supported:
mapping {addition | answer | exclusive | replace} - Specifies the actions in response to an IPv6 DNS query. You can enable one or more of these options.
addition - Append AAAA records in the DNS Addition section of replies.
answer - Append AAAA records in the DNS Answer section of replies.
exclusive - Replace A records (IPv4 address records) with AAAA records.
replace - Reply with AAAA records only.

Note:

The current release has the following limitations:
Health checks and the GSLB protocol use IPv4 only.
IP address-related metrics such as RTT are always based on IPv4.
Virtual servers for GSLB service IPs are required to have both an IPv4 and an IPv6 address.

mix - Enables GSLB to return both AAAA and A records in the same answer.
smart - Enables IPv6 return by query type. For the ipv4-ipv6 mapping records, an A query (IPv4) will return an A record and an AAAA query (IPv6) will return an AAAA record.

logging options

Configures DNS logging. The both | query | response option specifies the types of messages to log. To restrict logging to a specific geo-location or IP address, use one of the following options:
geo-location name
ip ipaddr

server [options]

Enables the GSLB AX device to act as a DNS server, for specific service IPs in the GSLB zone. When you enable the server option, the GSLB AX directly responds to Address queries for specific service IP addresses in the GSLB zone. The AX device still forwards other types of queries to the DNS server.
If you use the server option, you do not need to use the cname-detect option. When a client requests a configured alias name, GSLB applies the policy to the CNAME records.
To place the server option into effect, you also must enable the static option on the individual service IP. (To configure the service IP addresses, use the service-ip command at the configuration level for the service. See gslb zone on page 447.)
addition-mx - Enables the GSLB AX device to provide the A record containing the mail server's IP address in the Additional section, when the device is configured for DNS server mode.

authoritative [full-list] - Makes the AX device the authoritative DNS server for the GSLB zone, for the service IPs in which you enable the static option. (See below.) If you omit the authoritative option, the AX device is a non-authoritative DNS server for the zone domain. The full-list option appends all A records in the Authoritative section of DNS replies.
mx - Provides the MX record in the Answer section, and the A record for the mail server in the Additional section, when the device is configured for DNS server mode.
ns [auto-ns] - Provides the name server record. The auto-ns option causes the policy to provide A records for NS records automatically.
ptr [auto-ptr] - Provides the pointer record. The auto-ptr option causes the policy to provide pointer records automatically.
srv - Provides the service record.

Note:

The server option is not valid with the ip-replace option. They are mutually exclusive.

sticky [/prefix-length] [aging-time minutes] [ipv6-mask mask-length]

Sends the same service IP address to a client for all requests from that client for the service address. Sticky DNS ensures that, during the aging-time, a client is always directed to the same site.
/prefix-length - Adjusts the granularity of the feature. The default prefix length is 32, which causes the AX device to maintain separate stickiness information for each local DNS server. For example, if two clients use DNS 10.10.10.25 as their local DNS server, and two other clients use DNS 10.20.20.99 as their local DNS server, the AX maintains separate stickiness information for each set of clients, by maintaining separate stickiness information for each of the local DNS servers.
aging-time minutes - Specifies how many minutes a DNS reply remains sticky. You can specify 1-65535 minutes.
ipv6-mask mask-length - Adjusts the granularity of the feature for IPv6. The default mask length is 128.

Note:

If you enable the sticky option, the sticky time must be as long or longer than the zone TTL. (Use the ttl command at the configuration level for the zone. See gslb zone on page 447.)

ttl num

Changes the TTL of each DNS record contained in DNS replies received from the DNS for which the AX Series is a proxy. You can specify 0-1000000 (1,000,000) seconds.

Default


This command has the following defaults:

action - disabled
active-only - disabled
addition-mx - disabled
backup-alias - disabled
best-only - disabled
cache - disabled; when you enable this option, the default aging time for a cached DNS reply is the TTL set by the DNS server in the reply
cname-detect - enabled
external-ip - enabled
geoloc-action - disabled
geoloc-alias - disabled
geoloc-policy - disabled
ip-replace - disabled
ipv6 - all options disabled
logging - disabled
server - disabled
sticky - disabled; when you enable this option, the default prefix is /32 and the default aging time is 5 minutes
ttl num - 10 seconds

Mode

GSLB Policy

Usage

If more than one of the following options are enabled, GSLB uses them in the order listed, beginning with sticky:
1. sticky
2. server
3. cache
4. proxy (The command does not have a separately configurable proxy option. The proxy option is automatically enabled when you configure the DNS proxy.)

The site address selected by the first option that is applicable to the client and requested service is used.

Example

The following command enables CNAME detection:

AX(config gslb-policy)#dns cname-detect

Example

The following configuration excerpt uses the ipv6 mix option to enable
mixing of IPv4 and IPv6 service-ip addresses in DNS answers. Both A and
AAAA records will be included in replies to either A or AAAA requests
from clients.
gslb service-ip ip1 20.20.20.100
port 80 tcp
gslb service-ip ip2 20.20.20.102
port 80 tcp
gslb service-ip ipv61 fe80::1
port 80 tcp
gslb service-ip ipv62 fe80::2
port 80 tcp
gslb service-ip ipv63 fe80::3
port 80 tcp
gslb policy p8
dns ipv6 mix
dns server
gslb zone a8.com
policy p8
service http www
dns-a-record ip2 static
dns-a-record ip1 static
dns-a-record ipv61 static
dns-a-record ipv62 static
dns-a-record ipv63 static

Example

The following configuration excerpt uses the ipv6 smart option. For IPv4-IPv6 mapping records, an A query will be answered by an A record and an AAAA query will be answered by an AAAA record. More specifically, if a client sends an A query, GSLB returns A records in the answer section, and AAAA records in the additional section. If a client sends an AAAA query, GSLB returns AAAA records in the answer section, and A records in the additional section.

gslb service-ip ip1 20.20.20.100
ipv6 ffff::1
port 80 tcp
gslb service-ip ip2 20.20.20.102
ipv6 ffff::2
port 80 tcp
gslb policy p8
dns ipv6 mapping addition
dns ipv6 smart
dns server
gslb zone a8.com
policy p8
service http www
dns-a-record ip2 static
dns-a-record ip1 static
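
Several constraints in the dns parameter descriptions above can be checked mechanically before a configuration is applied: server and ip-replace are mutually exclusive, server answers only for records marked static, and the sticky time must be at least the zone TTL. The following Python sketch is an added example, not A10 code; the flat line parser, the function names, the zone-level "ttl num" line being in seconds, and both sample excerpts are assumptions made for illustration.

```python
"""Lint an AX GSLB configuration excerpt against rules stated in the dns reference."""

DEFAULT_STICKY_MINUTES = 5  # default sticky aging time stated in the reference


def parse(config_text):
    """Parse a flat excerpt into {'policies': {...}, 'zones': {...}}."""
    policies, zones = {}, {}
    ctx, cur = None, None  # current top-level context and its record
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "gslb" and len(words) > 2:
            # Each top-level "gslb ..." command opens a new context.
            if words[1] == "policy":
                ctx, cur = "policy", policies.setdefault(words[2], {"dns": []})
            elif words[1] == "zone":
                ctx, cur = "zone", zones.setdefault(
                    words[2], {"policy": None, "ttl": None, "records": []})
            else:
                ctx, cur = "other", None  # e.g. gslb service-ip
        elif ctx == "policy" and words[0] == "dns" and len(words) > 1:
            cur["dns"].append(words[1:])
        elif ctx == "zone" and len(words) > 1:
            if words[0] == "policy":
                cur["policy"] = words[1]
            elif words[0] == "ttl":
                cur["ttl"] = int(words[1])  # assumed to be seconds
            elif words[0] == "dns-a-record":
                cur["records"].append((words[1], "static" in words[2:]))
    return {"policies": policies, "zones": zones}


def sticky_minutes(dns_options):
    """Return the sticky aging time in minutes, or None if sticky is not enabled."""
    for opt in dns_options:
        if opt[0] == "sticky":
            if "aging-time" in opt and opt.index("aging-time") + 1 < len(opt):
                return int(opt[opt.index("aging-time") + 1])
            return DEFAULT_STICKY_MINUTES
    return None


def lint(config_text):
    """Return a list of findings; an empty list means no rule was violated."""
    cfg = parse(config_text)
    findings = []
    for name, pol in cfg["policies"].items():
        enabled = {opt[0] for opt in pol["dns"]}
        if {"server", "ip-replace"} <= enabled:
            findings.append(f"policy {name}: dns server and dns ip-replace "
                            "are mutually exclusive")
    for zname, zone in cfg["zones"].items():
        pol = cfg["policies"].get(zone["policy"])
        if pol is None:
            continue  # zone uses a policy that is not in this excerpt
        if "server" in {opt[0] for opt in pol["dns"]}:
            for rec, static in zone["records"]:
                if not static:
                    findings.append(f"zone {zname}: dns-a-record {rec} is not "
                                    "static, so dns server does not answer for it")
        minutes = sticky_minutes(pol["dns"])
        if minutes is not None and zone["ttl"] is not None \
                and minutes * 60 < zone["ttl"]:
            findings.append(f"zone {zname}: sticky time {minutes} min is shorter "
                            f"than zone TTL {zone['ttl']} s")
    return findings


# Constructed sample, modelled on the ipv6 mix excerpt in the reference.
SAMPLE_OK = """
gslb service-ip ip1 20.20.20.100
port 80 tcp
gslb policy p8
dns ipv6 mix
dns server
gslb zone a8.com
policy p8
service http www
dns-a-record ip1 static
"""

# Constructed sample that breaks all three rules.
SAMPLE_BAD = """
gslb policy p9
dns server
dns ip-replace
dns sticky aging-time 1
gslb zone b9.example
policy p9
ttl 300
service http www
dns-a-record ip1 static
dns-a-record ip2
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_BAD):
        print(finding)
```
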

geo-location
Description

Configure a geographic location. GSLB forwards client requests from IP addresses within the location's range to the GSLB site that serves the location.

Syntax

[no] geo-location location-name start-ip-addr [mask ip-mask] [end-ip-addr]

Parameter

Description

location-name

Name of the location, up to 31 alphanumeric characters.

start-ip-addr

Beginning IP address for the range.

mask ip-mask

Network mask.

end-ip-addr

Ending IP address for the range.

Default

None.

Mode

GSLB Policy

Usage

To prefer the location configured with this command over a globally configured location, use the gslb policy geo-location match-first policy command. (See geo-location match-first on page 472.)

Example

The following example configures geographic location CN.BeiJing for IP address range 200.1.1.1 through 200.1.1.253:

AX(config gslb-policy)#geo-location CN.BeiJing 200.1.1.1 200.1.1.253

geo-location full-domain-share
Description

Enable full-domain checking for connection limits. When full-domain checking is enabled, the AX device checks the current connection count not only for the client's specific geo-location, but for all geo-locations higher up in the domain tree.

Syntax

[no] geo-location full-domain-tree

Default

Disabled. When a client requests a connection, the AX device checks the connection count only for the specific geo-location level of the client. If the connection limit for that specific geo-location level has not been reached, the client's connection is permitted.

Mode

GSLB Policy

Usage

When this option is enabled, the connection permit counter is incremented for all applicable levels of the domain tree, not just the domain level requested by the client.
It is recommended to enable or disable this option before enabling GSLB.
Changing the state of this option while GSLB is running can cause the
related statistics counters to be incorrect.

geo-location match-first
Description

Configure the policy to prefer either the globally configured geo-location or the one configured in this policy. If a client IP address matches the IP ranges in a globally configured location and in a location configured in this policy, the geo-location match-first command specifies which matching geo-location to use.

Syntax

[no] geo-location match-first {global | policy}

Parameter

Description

global

GSLB prefers globally configured locations over locations configured in this policy.

policy

GSLB prefers locations configured in this policy over globally configured locations.

Default

global

Mode

GSLB Policy

Example

The following command configures the GSLB AX Series to prefer locations configured in this policy:

AX(config gslb-policy)#geo-location match-first policy

geo-location overlap
Description

Enable overlap matching mode. If there are overlapping addresses in the geo-location database, use this option to enable the AX device to find the most precise match.

Syntax

[no] geo-location overlap

Default

Disabled

Mode

GSLB Policy
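
The interaction of geo-location ranges, match-first and overlap described in the three commands above can be modelled as follows. This Python sketch is an added example, not A10 code: "most precise match" is modelled as the smallest matching range, a lookup with overlap disabled returns the first configured match, an explicit end address takes precedence over a mask, and all location names other than CN.BeiJing are constructed. These are assumptions, since the reference does not spell them out.

```python
"""Model of geo-location lookup with match-first and overlap (assumptions noted)."""
import ipaddress


def parse_geo_location(line):
    """Parse 'geo-location name start-ip [mask ip-mask] [end-ip]' into a range tuple."""
    words = line.split()
    if len(words) < 3 or words[0] != "geo-location":
        raise ValueError(f"not a geo-location command: {line!r}")
    name, start, rest = words[1], words[2], words[3:]
    if len(name) > 31:
        raise ValueError("location name is limited to 31 characters")
    mask = None
    if len(rest) >= 2 and rest[0] == "mask":
        mask, rest = rest[1], rest[2:]
    end = rest[0] if rest else None
    if end is not None:  # assumption: explicit end address wins over mask
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    elif mask is not None:
        net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        first, last = net.network_address, net.broadcast_address
    else:
        first = last = ipaddress.ip_address(start)
    if first.version != last.version or int(last) < int(first):
        raise ValueError(f"invalid range in: {line!r}")
    return (name, first.version, int(first), int(last))


def lookup(client, ranges, overlap=False):
    """Return the location name matching client within one range list, or None."""
    addr = ipaddress.ip_address(client)
    hits = [r for r in ranges
            if r[1] == addr.version and r[2] <= int(addr) <= r[3]]
    if not hits:
        return None
    if overlap:
        # Most precise match, modelled as the smallest range containing the address.
        return min(hits, key=lambda r: r[3] - r[2])[0]
    return hits[0][0]  # assumption: first configured match when overlap is off


def select_location(client, global_ranges, policy_ranges,
                    match_first="global", overlap=False):
    """Pick the geo-location for a client IP; match-first decides only on a double match."""
    if match_first not in ("global", "policy"):
        raise ValueError("match-first must be 'global' or 'policy'")
    g = lookup(client, global_ranges, overlap)
    p = lookup(client, policy_ranges, overlap)
    if g is not None and p is not None:
        return p if match_first == "policy" else g
    return g if g is not None else p


# Constructed sample ranges; the CN.BeiJing line is the example from the reference.
GLOBAL_RANGES = [
    parse_geo_location("geo-location CN 200.1.0.0 mask 255.255.0.0"),
    parse_geo_location("geo-location CN.BeiJing 200.1.1.1 200.1.1.253"),
]
POLICY_RANGES = [
    parse_geo_location("geo-location Lab 200.1.1.0 mask 255.255.255.192"),
    parse_geo_location("geo-location Docs 192.0.2.0 mask 255.255.255.0"),
]

if __name__ == "__main__":
    for ip in ("200.1.1.10", "200.1.9.9", "192.0.2.7", "10.0.0.1"):
        print(ip, select_location(ip, GLOBAL_RANGES, POLICY_RANGES, overlap=True))
```
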

geographic
Description

Enable or disable the geographic metric. The geographic metric prefers sites
that are within the geographic location of the client.

Syntax

[no] geographic

Default

Enabled

Mode

GSLB Policy

Usage

You must configure the geographic location, by configuring a geo-location name, then assigning the geo-location to a GSLB site. To configure a geo-location, assign a client IP address range to a location name. (See gslb geo-location on page 430 and geo-location on page 471.) To assign the geo-location to a site, use the geo-location command at the site configuration level. (See gslb site on page 439.)

Example

The following command disables the geographic metric:

AX(config gslb-policy)#no geographic

health-check
Description

Enable or disable the health-check metric. The health-check metric prefers sites that pass their health checks.

Syntax

[no] health-check

Default

Enabled

Mode

GSLB Policy

Usage

This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices, if the default health checks are used on
the service IPs.

If you use a custom health monitor, or you explicitly apply the default
Layer 3 health monitor to the service, the GSLB protocol is not used for any
of the health checks. In this case, the GSLB protocol is not required to be
enabled on the site AX devices, although use of the protocol is still recommended.
Example

The following command disables the health-check metric:

AX(config gslb-policy)#no health-check

ip-list
Description

Use an IP list to exclude a set of IP addresses from active-RTT polling.

Syntax

[no] gslb ip-list list-name

Default

None

Usage

To configure an IP list, see gslb ip-list on page 432.

Example

The following commands configure a GSLB IP list and use the list to
exclude IP addresses from active-RTT data collection:

AX(config)#gslb ip-list iplist1
AX(config-gslb ip-list)#ip 192.168.1.0 /24 id 3
AX(config-gslb ip-list)#ip 10.10.10.10 /32 id 3
AX(config-gslb ip-list)#ip 10.10.10.20 /32 id 3
AX(config-gslb ip-list)#ip 10.10.10.30 /32 id 3
AX(config-gslb ip-list)#exit
AX(config)#gslb policy pol1
AX(config-gslb policy)#ip-list iplist1
AX(config-gslb policy)#active-rtt ignore-id 3

least-response
Description

Enable or disable the least-response metric, which prefers VIPs that have
the fewest hits.

Syntax

[no] least-response

Default

Disabled

Mode

GSLB Policy

Usage

This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.

Example

The following command enables the least-response metric:

AX(config gslb-policy)#least-response

metric-fail-break
Description

Enable GSLB to stop if there are no valid service IPs.

Syntax

[no] metric-fail-break

Default

Disabled

Mode

GSLB Policy

metric-force-check
Description

Force the GSLB controller to always check all metrics in the policy.

Syntax

[no] metric-force-check

Default

By default, the GSLB controller stops evaluating metrics for a site once a
metric comparison definitively selects or rejects a site.

Mode

GSLB Policy

metric-order
Description

Configure the order in which the GSLB metrics in this policy are used.

Syntax

[no] metric-order metric [metric ...]

Parameter

Description

metric [metric ...]

One or more of the following metrics:


active-rtt
active-servers
admin-preference
alias-admin-preference
bw-cost
capacity
connection-load
geographic
health-check
least-response
num-session
ordered-ip
passive-rtt
weighted-alias
weighted-ip
weighted-site

Default

By default, metrics are used in the following order:


5. weighted-ip
6. weighted-site
7. capacity
8. active-servers
9. passive-rtt
10. active-rtt
11. geographic
12. connection-load
13. num-session
14. admin-preference
15. bw-cost
16. least-response
17. ordered-ip
18. round-robin
The health-check, geographic and round-robin metrics are enabled by
default.
Metric order does not apply to the alias-admin-preference or weighted-alias
metrics.
Mode

GSLB Policy

Usage

The first metric you specify with this command becomes the primary metric. If you specify additional parameters, they are used in the priority you specify. All remaining metrics are prioritized to follow the metrics you specify.
For example, if you specify only the ordered-ip metric with the command, this metric becomes the first metric instead of the 13th metric. The health-check metric becomes the 2nd metric, weighted-ip becomes the 3rd metric, and so on.
The GSLB AX Series uses each metric, in the order specified, to compare the IP addresses returned in DNS replies to clients. If a metric is disabled, the metric order does not change. The GSLB AX Series skips the metric and continues to the next enabled metric.
The round-robin metric cannot be re-ordered.
To display the metric order used in a policy, see show gslb policy on page 568.

Example

The following command sets the ordered-ip metric as the highest-priority metric.

AX(config gslb-policy)#metric-order ordered-ip

num-session
Description

Configure the num-session metric, which evaluates a site based on available session capacity and tolerance threshold compared to another site. Sites that are at or below their thresholds of current available sessions are preferred over sites that are above their thresholds.
Example:
Site A has 800,000 sessions available and Site B has 600,000 sessions available. The difference between the two sites is 200,000 available sessions. If num-session is set to 10, then Site A is preferred because 200,000 is larger than 10% of 800,000, which is 80,000.

Syntax

[no] num-session [tolerance num]

Parameter

Description

num

Number from 1 to 100 specifying the percentage by which the number of available sessions on site SLB devices can differ without causing the num-session metric to select one site device over another. (See the Usage description.)

Default

Disabled. When you enable the num-session metric, the default tolerance is
10 percent.

Mode

GSLB Policy

Usage

The GSLB AX Series considers site SLB devices to be equal if the difference in the number of available sessions on each device does not exceed the
tolerance percentage. The tolerance percentage ensures that minor differences in available sessions do not cause frequent, unnecessary, changes in
site preference.
This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.

Example

The following command changes the available-session tolerance threshold to 70 percent:

AX(config gslb-policy)#num-session tolerance 70

ordered-ip
Description

Configure the ordered-ip metric, which re-orders the IP addresses in DNS replies.

Syntax

[no] ordered-ip [top-only]

Parameter

Description

top-only

Returns only the first (top) IP address in the IP list. By default, GSLB sends all IP addresses in the list that are allowed by all higher-priority metrics in the policy.

Default

Disabled

Mode

GSLB Policy

Usage

The prioritized list is sent to the next metric for further evaluation. If
ordered-ip is the last metric, the prioritized list is sent to the client.
To configure the ordered list of IP addresses for a service, use the ip-order command at the service configuration level for the GSLB zone. See gslb zone on page 447.

Example

The following command enables the ordered-ip metric:

AX(config gslb-policy)#ordered-ip

passive-rtt
Description

Configure the passive round-trip time (RTT) metric.
Passive RTT measures the round-trip-time between when the site AX device receives a client's TCP connection (SYN) and the time when the site AX device receives acknowledgement (ACK) back from the client for the connection.

Syntax

[no] passive-rtt
[difference num]
[samples num-samples]
[tolerance num-percentage]
[fail-break]
Parameter

Description

difference num

Number from 0 to 1023 specifying the round-trip time difference.

samples num-samples

Number of samples to collect, 1-8.

tolerance num-percentage

Specifies how much the RTT values of sites must differ in order for GSLB to prefer one site over the other based on passive RTT.

fail-break

Enables GSLB to stop if the configured RTT limit in a policy is reached. The fail-break action depends on whether the GSLB controller is running in proxy mode or server mode:
Server mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns a SERVFAIL error to the client.
Proxy mode: If a backup-alias is configured, the GSLB controller returns the backup-alias to the client; otherwise, the controller returns the response from the backend DNS server.

Default

Disabled. When you enable the passive RTT metric, it has the following
default settings:
samples 5
tolerance 10 percent

Mode

GSLB Policy

Usage

Sites with faster passive round-trip times (RTTs) between a client and the site are preferred over sites with slower times. The passive RTT is the time between when the site AX device receives a client's TCP connection (SYN) and the time when the site AX device receives acknowledgement (ACK) back from the client for the connection. RTT measurements are taken for client addresses in each /24 subnet range.
Example: Site A's RTT value is 0.3 seconds and Site B's RTT value is 0.32 seconds. If the RTT tolerance is 10% then the two sites are treated as having the same RTT preference.
This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.

Example

The following command enables the passive RTT metric:

AX(config gslb-policy)#passive-rtt
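
The metric-order Usage text, the num-session example and the passive-rtt tolerance example above describe one mechanism: metrics are walked in order, disabled ones are skipped, and sites within the tolerance of the best value count as tied. The following Python sketch is an added example, not A10 code. It models only num-session and passive-rtt, places health-check first in the default order because the Usage text implies it, and takes the tolerance as a percentage of the best value (as in the 10% of 800,000 example); these are assumptions, and the site values are the ones used in the reference.

```python
"""Model of GSLB metric ordering and tolerance ties, built from the reference text."""

# Default order as printed in the reference. health-check is placed first
# because the Usage text says it becomes the 2nd metric when a single metric
# is moved ahead of it (assumption drawn from that sentence).
DEFAULT_ORDER = [
    "health-check", "weighted-ip", "weighted-site", "capacity",
    "active-servers", "passive-rtt", "active-rtt", "geographic",
    "connection-load", "num-session", "admin-preference", "bw-cost",
    "least-response", "ordered-ip", "round-robin",
]
# Metrics the reference says metric order does not apply to.
NOT_ORDERED = {"alias-admin-preference", "weighted-alias"}
# Only these two metrics are modelled: name -> True if a higher value is better.
HIGHER_IS_BETTER = {"num-session": True, "passive-rtt": False}
DEFAULT_TOLERANCE_PCT = 10  # default tolerance for both modelled metrics


def effective_order(specified):
    """Return the full metric order after 'metric-order <specified...>'."""
    head = []
    for metric in specified:
        if metric in NOT_ORDERED:
            continue  # metric order does not apply to these metrics
        if metric == "round-robin" or metric not in DEFAULT_ORDER:
            raise ValueError(f"{metric} cannot be used with metric-order")
        if metric in head:
            raise ValueError(f"{metric} specified twice")
        head.append(metric)
    # All remaining metrics follow, keeping their default relative order.
    return head + [m for m in DEFAULT_ORDER if m not in head]


def tied_with_best(values, tolerance_pct, higher_is_better):
    """Return the sites whose value is within tolerance_pct of the best value."""
    best = max(values.values()) if higher_is_better else min(values.values())
    margin = best * tolerance_pct / 100.0
    return [site for site, v in values.items() if abs(best - v) <= margin]


def select_sites(sites, specified=(), enabled=(), tolerance=None):
    """Narrow the candidate sites metric by metric; stop once one site remains.

    More than one returned site means the modelled metrics tied; on the device
    the remaining metrics and finally round-robin would break the tie.
    """
    tolerance = tolerance or {}
    candidates = list(sites)
    for metric in effective_order(specified):
        if metric not in enabled or metric not in HIGHER_IS_BETTER:
            continue  # disabled (or unmodelled) metric: skipped, order unchanged
        if len(candidates) == 1:
            break  # a site has been selected definitively
        values = {s: sites[s][metric] for s in candidates}
        candidates = tied_with_best(
            values, tolerance.get(metric, DEFAULT_TOLERANCE_PCT),
            HIGHER_IS_BETTER[metric])
    return candidates


# Site values taken from the num-session and passive-rtt examples above.
SITES = {
    "A": {"num-session": 800000, "passive-rtt": 0.30},
    "B": {"num-session": 600000, "passive-rtt": 0.32},
}

if __name__ == "__main__":
    print(effective_order(["ordered-ip"])[:3])
    print(select_sites(SITES, enabled={"passive-rtt", "num-session"}))
```
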

round-robin
Description

Configure the round-robin metric, which selects sites in sequential order.

Syntax

[no] round-robin

Default

Enabled

Mode

GSLB Policy

Usage

If all the enabled metrics in the policy result in a tie (do not definitively select a single site as the best site), the AX device uses round-robin to select a site. This is true even if the round-robin metric is disabled in the GSLB policy.

Note:

If the last metric is ordered-ip, and round-robin is disabled, the prioritized list of IP addresses is sent to the client. Round-robin is not used.

Example

The following command disables the round-robin metric:

AX(config gslb-policy)#no round-robin

weighted-alias
Description

Enable the Weighted Alias metric, which prefers CNAME records with
higher weight values over CNAME records with lower weight values. This
metric is similar to Weighted-IP, but applies only to DNS CNAME records.

Syntax

[no] weighted-alias

Default

Disabled

Mode

GSLB Policy

Usage

Metric order does not apply to this metric.

To configure the Weighted Alias metric:
1. At the configuration level for the GSLB service, use the weight command to assign a weight to the DNS CNAME record for the service. (See gslb service-ip on page 436.)
2. At the configuration level for the GSLB policy:
   Enable the Weighted Alias metric.
   Enable one or both of the following DNS options, as applicable to your deployment:
      DNS backup-alias
      DNS geoloc-alias
   (See dns on page 464.)
3. If using the backup-alias option, use the dns-cname-record as-backup option on the service. (See gslb service-ip on page 436.)

weighted-ip
Description

Configure the weighted-ip metric, which uses service IP addresses with higher weight values more often than addresses with lower weight values.

Syntax

[no] weighted-ip [total-hits]

Parameter

Description

total-hits

First sends requests to the service IP addresses that have fewer hits. After all service IP addresses have the same number of hits, GSLB sends requests based on weight. This option is disabled by default.

Default

Disabled

Mode

GSLB Policy

Usage

As a simple example, assume that the weighted-ip metric is the only enabled metric, or at least always ends up being the tie breaker. The total-hits option is disabled. IP address 10.10.10.1 has weight 4 and IP address 10.10.10.2 has weight 2. During a given session aging period, the first 4 requests go to 10.10.10.1, the next 2 requests go to 10.10.10.2, and so on, (4 to 10.10.10.1, then 2 to 10.10.10.2).
Here is an example using the same two servers and weights, with the total-hits option enabled. IP address 10.10.10.1 has weight 4 and total hits 8, and IP address 10.10.10.2 has weight 2 and total hits 0. In this case, the first 4 requests go to 10.10.10.2, then the requests are distributed according to weight. Four requests go to 10.10.10.1, then two requests go to 10.10.10.2, and so on. To display the total hits for a service IP address, use the show gslb service-ip command. (See show gslb service-ip on page 578.)
To assign a weight to a service IP address, use the following command at the configuration level for the zone service:
dns-a-record name weight num

Example

The following command disables the weighted-ip metric:

AX(config gslb-policy)#no weighted-ip

weighted-site
Description

Configure the weighted-site metric, which uses sites with higher weight values more often than sites with lower weight values.

Syntax

[no] weighted-site [total-hits]

Parameter

Description

total-hits

First sends requests to the sites that have fewer hits. After all service sites have the same number of hits, GSLB sends requests based on weight. This option is disabled by default.

Default

Disabled. When you enable the weighted-site metric, the default weight of
each site is 1.

Mode

GSLB Policy

Usage

As a simple example, assume that the weighted-site metric is the only enabled metric, or at least always ends up being the tie breaker. Site A has
weight 4 and site B has weight 2. During a given session aging period, the
first 4 requests go to site A, the next 2 requests go to site B, and so on, (4 to
A, then 2 to B).
Here is an example using the same two sites and weights, with the total-hits
option enabled. Site A has weight 4 with total hits 8, and site B has weight 2
with total hits 0. In this case, the first 4 requests go to site B, then requests
are sent as described above. Four requests go to site A, then 2 requests go to
site B, and so on.
To assign a weight to a site, use the following command at the configuration
level for the site: weight num

Example

The following command disables the weighted-site metric:

AX(config gslb-policy)#no weighted-site

Config Commands: Firewall Load Balancing


The commands in this chapter configure Firewall Load Balancing (FWLB)
parameters. In some cases, the commands create an FWLB configuration
item and change the CLI to the configuration level for that item.

fwlb node
Description

Configure a firewall.

Syntax

[no] fwlb node fwall-name [ipaddr]

Parameter

Description

fwall-name

Firewall name, 1-63 characters.

ipaddr

IP address of the firewall, in either IPv4 or IPv6 format. The address is required only if you are creating a new firewall.

This command changes the CLI to the configuration level for the firewall,
where the following FWLB-related commands are available:
Command
[no] disable
[no] healthcheck monitorname

Description
Disables load balancing of traffic to the firewall.

Enables health checking of the firewall path. The


path through the firewall to the AX Series on the
other side of the firewall is checked.
monitor-name Name of a configured health
monitor. The monitor must use the ICMP method
and the transparent option. (See method on
page 494.)

stats-datadisable |
stats-dataenable

P e r f o r m a n c e

b y

Disable or enable statistical data collection for


the firewall node.

D e s i g n
Document No.: D-030-01-00-0003 - Ver. 2.4.3 6/21/2010

485 of 718

AX Series - Command Line Interface - Reference


fwlb service-group
Default

No firewalls are configured by default. When you create a firewall, it is


enabled by default. No health monitor is assigned by default. Statistical data
collection of load-balancing resources is enabled by default.

Mode

Global Config

Usage

The normal form of this command creates a new or edits an existing firewall.
The CLI changes to the configuration level for the firewall.

The IP address of the firewall can be in either IPv4 or IPv6 format. The
AX Series recognizes both address formats.

The no form of this command removes an existing firewall.

To collect statistical data for a load-balancing resource, statistical data
collection also must be enabled globally. (See "stats-data-enable" on
page 159.)

Example

The following command creates a new firewall named fw1 with an IPv4
address:

AX(config)#fwlb node fw1 10.10.20.44
AX(config-firewall node)#

Example

The following command creates a new firewall named fw2 with an IPv6
address:

AX(config)#fwlb node fw2 2001:db8::9
AX(config-firewall node)#

fwlb service-group
Description

Configure an FWLB service group.

Syntax

[no] fwlb service-group group-name

Parameter       Description

group-name      Name of the group, 1-63 characters.

This command changes the CLI to the configuration level for the firewall
group, where the following FWLB-related commands are available:

Command                   Description

[no] member fwall-name    Adds the specified firewall to the firewall service
[priority num]            group.
[stats-data-disable |     The priority num option specifies the priority of
stats-data-enable]        the firewall. This option enables you to establish
                          a set of primary firewalls (high priority) and
                          backup firewalls (low priority). When priorities
                          are assigned to firewall nodes, the AX device
                          always uses the firewalls with the highest priority
                          when available, and uses those with lower
                          priorities only if the firewalls with the highest
                          priority are unavailable. The priority can be 1-10.
                          The default is 1.
                          The stats-data-disable | stats-data-enable
                          option disables or enables statistical data
                          collection for the firewall service group.

[no] least-connection     Uses the least-connection load-balancing method
                          instead of the round robin method.
                          Round robin selects firewalls in rotation.
                          Least-connection selects the firewall that
                          currently has the fewest connections.

Default

There are no firewall service groups configured by default. When you create
one, it contains no members and the default load-balancing method is round
robin. Statistical data collection of load-balancing resources is enabled by
default.

Mode

Global Config

Usage

The normal form of this command creates a new or edits an existing firewall
group. The CLI changes to the configuration level for the group.

The firewall nodes must already be configured. To configure a firewall
node, see "fwlb node" on page 485.

To collect statistical data for a load-balancing resource, statistical data
collection also must be enabled globally. (See "stats-data-enable" on
page 159.)

Example

The following example configures firewall group fwsg and adds firewalls
fw1 and fw2 to it:

AX(config)#fwlb service-group fwsg
AX(config-fwlb service group)#member fw1
AX(config-fwlb service group)#member fw2
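
The selection behaviour described for the member priority option and the least-connection command, modeled in Python as an added example (not A10 code and not part of the original reference). It assumes that a numerically larger priority is the higher priority and that a member is unavailable when its health check fails or it is disabled; the class and field names are hypothetical.

```python
"""Model of FWLB service-group member selection (added example, not A10 code)."""
from dataclasses import dataclass


@dataclass
class Member:
    name: str
    priority: int = 1      # reference: 1-10, default 1
    up: bool = True        # outcome of the firewall-path health check
    enabled: bool = True   # False models "disable" on the firewall node
    connections: int = 0   # current connections, used by least-connection


class ServiceGroup:
    def __init__(self, members, least_connection=False):
        for m in members:
            if not 1 <= m.priority <= 10:
                raise ValueError(f"{m.name}: priority must be 1-10")
        self.members = list(members)
        self.least_connection = least_connection
        self._cursor = 0   # round-robin position

    def candidates(self):
        """Usable members of the highest priority tier that has any."""
        usable = [m for m in self.members if m.up and m.enabled]
        if not usable:
            return []
        # ASSUMPTION: a larger number means a higher priority.
        top = max(m.priority for m in usable)
        return [m for m in usable if m.priority == top]

    def select(self):
        """Pick the firewall for a new connection, or None if none is usable."""
        tier = self.candidates()
        if not tier:
            return None
        if self.least_connection:
            chosen = min(tier, key=lambda m: m.connections)
        else:
            chosen = tier[self._cursor % len(tier)]
            self._cursor += 1
        chosen.connections += 1
        return chosen.name


if __name__ == "__main__":
    # Constructed group: two primaries and one backup.
    fws = [Member("fw1", priority=10), Member("fw2", priority=10), Member("fw3")]
    group = ServiceGroup(fws)
    print([group.select() for _ in range(4)])   # primaries only, in rotation
    fws[0].up = fws[1].up = False               # both primaries fail their checks
    print(group.select())                       # backup takes over
```

Backup members carry no traffic while any primary is usable, so their health checks are the only signal that the failover path still works.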

fwlb virtual-firewall
Description

Configure a virtual firewall.

Syntax

[no] fwlb virtual-firewall default

Parameter       Description

default         The virtual firewall name. (In the current release,
                this is the only name that is supported.)

This command changes the CLI to the configuration level for the virtual
firewall, where the following FWLB-related commands are available:

Command                   Description

[no] disable              Disables the virtual firewall. This disables
                          FWLB.

[no] ha-conn-mirror       Enables session synchronization (connection
                          mirroring) for sessions through the virtual
                          firewall.

[no] ha-group {1 | 2}     Specifies the HA group ID.

[no] service-group        Binds the virtual firewall to the specified
group-name                firewall service group.

[no] port port-number     Specifies a service port that is being protected
{tcp | udp}               by the firewall. This is the virtual port
                          configured on the VIP in the SLB configuration.
                          (This command is optional. See "Usage" below.)
                          This command changes the CLI to the
                          configuration level for the virtual port, where
                          the following FWLB-related commands are
                          available:
                          [no] idle-timeout seconds - Sets the TCP/UDP
                          idle timeout on an individual virtual firewall
                          port, 60-15000 seconds (a little over 4 hours).
                          [no] service-group group-name - Binds the
                          virtual port to the specified FWLB service
                          group. If you specify a firewall group at this
                          level, the firewall group specified here takes
                          precedence over the firewall group specified at
                          the firewall level.
                          [no] template persist source-ip template-name -
                          Uses a configured source-IP persistence template
                          to send all traffic from a given source address
                          to the same firewall. If a source-IP persistence
                          template also is specified at the firewall level,
                          the template at the individual port level
                          overrides the other template, for this service
                          port.

stats-data-disable |      Disable or enable statistical data collection for
stats-data-enable         the virtual firewall.

[no] template persist     Uses a configured source-IP persistence template
source-ip template-name   to send all traffic from a given source address to
                          the same firewall.
                          You also can specify a source-IP persistence
                          template on individual service ports. If you
                          specify a template at each level, the template
                          specified for the individual service port takes
                          precedence.
                          Note: Setting the match-type option in source-IP
                          persistence templates is not applicable to FWLB.
                          The match type for FWLB is always server, which
                          sets the granularity of source-IP persistence to
                          individual firewalls, not firewall groups or
                          individual service ports.

[no] tcp-idle-timeout     Specifies how long a TCP session through the
seconds                   firewall can remain idle before timing out,
                          60-15000 seconds. (But see "Usage" below.)

[no] udp-idle-timeout     Specifies how long a UDP session through the
seconds                   firewall can remain idle before timing out,
                          60-15000 seconds. (But see "Usage" below.)

Default

No virtual firewalls are configured by default. When you create one, it is
enabled by default and has the following default settings:

- ha-conn-mirror - disabled
- ha-group - not set
- service-group - not set
- port - none configured; when you configure one, its default idle-timeout
  is 300 seconds
- stats-data-disable | stats-data-enable - enabled (stats-data-enable)
- tcp-idle-timeout - 300 seconds
- udp-idle-timeout - 300 seconds

Mode

Global Config

Usage

The normal form of this command creates a virtual firewall.

The no form of this command removes an existing virtual firewall.

The port command is optional. To apply FWLB to all traffic types, do not
configure any virtual ports on the virtual firewall. To apply FWLB only to
traffic for specific services, create a virtual port for each service.

Session Idle Timeout

By default, the AX device allows TCP or UDP connections through a firewall
to be idle for 300 seconds (5 minutes). The idle timeout for a TCP or
UDP session through a firewall is determined as follows:

- For service-type UDP (Layer 4), if the idle-timeout is set on the virtual
  firewall or the UDP virtual firewall port, that idle-timeout is used.
  Otherwise, if the UDP idle-timeout is not set in FWLB, the idle-timeout in
  the default SLB UDP template is used. Unless the default template has
  been changed, the idle-timeout is 120 seconds.
- For service-type TCP (Layer 4), the idle-timeout in the default SLB
  TCP template is used. Unless the default template has been changed, the
  idle-timeout is 120 seconds.
- For service-type HTTP (Layer 7), the idle-timeout in the default SLB
  TCP-proxy template is used. Unless the default template has been
  changed, the idle-timeout is 600 seconds.

Note: In the current release, the TCP idle-timeout settings in FWLB are never
used. The AX device allows you to configure them but they are not used.

Statistical Data Collection

To collect statistical data for a load-balancing resource, statistical data
collection also must be enabled globally. (See "stats-data-enable" on
page 159.)

Example

The following commands configure a virtual firewall:

AX(config)#fwlb virtual-firewall default
AX(config-slb virtual firewall default)#ha-group 1
AX(config-slb virtual firewall default)#port 80 tcp
AX(config-slb virtual firewall default...)#service-group fwsg
AX(config-slb virtual firewall default...)#ha-conn-mirror


Config Commands: SLB Health Monitors


The commands in this chapter configure SLB health monitors.

To access this configuration level, enter the health monitor monitor-name
command at the global config level.

For more information about health monitors, see the "Health Monitoring"
chapter of the AX Series Configuration Guide.

This CLI level also has the following commands, which are available at all
configuration levels:

clear     See "clear" on page 49.
debug     See "debug" on page 52.
do        See "do" on page 103.
end       See "end" on page 107.
exit      See "exit" on page 107.
no        See "no" on page 135.
show      See "Show Commands" on page 535.
write     See "write terminal" on page 67.

disable-after-down
Description

Disable the target of a health check if the target fails the health check.

Syntax

[no] disable-after-down

Default

Disabled

Mode

Health monitor configuration

Usage

This command applies to all servers, ports, or service groups that use the
health monitor. When a server, port, or service group is disabled based on
this command, the server, port, or service group's state is changed to
disable in the running-config. If you save the configuration while the server,
port, or service group is disabled, the state change is written to the
startup-config.

The server, port, or service group remains disabled until you explicitly
enable it.

method
Description

Configure a health method.

Syntax

[no] method method-name

method-name               Description

compound sub              Configures a compound health monitor. A compound
monitor-name              health monitor consists of a set of health
[sub monitor-name ...]    monitors joined in a Boolean expression
Boolean-operators         (AND / OR / NOT). For more information, see
                          the "Compound Health Monitors" section in the
                          "Health Monitoring" chapter of the AX Series
                          Configuration Guide.

dns                       Sends a lookup request to the specified port
{ipaddr |                 number for the specified domain name. By
domain domain-name}       default, expects reply with code 0. You can
[options]                 specify a domain name or a server IP address as
                          the target of the health check.
                          You also can configure the following options:
                          expect response-code code-list - Specifies a list
                          of response codes, in the range 0-15, that are
                          valid responses to a health check. The DNS
                          server can respond with any of the expected
                          response codes. By default, the expect list is
                          empty, in which case the AX device expects
                          status code 0 (No error condition).
                          port port-num - Specifies the protocol port
                          number on which the DNS server listens for DNS
                          queries. Use this option if the server is not
                          using the default DNS port, 53.
                          recurse {enabled | disabled} - Specifies
                          whether the tested DNS server is allowed to send
                          the health check's request to another DNS server
                          if the tested server cannot fulfill the request
                          using its own database. Recursion is enabled by
                          default.
                          type {A | CNAME | SOA | PTR | MX | TXT |
                          AAAA} - For health checks sent to a domain
                          name, specifies the record type the responding
                          server is expected to send in reply to health
                          checks.
                          You can specify one of the following record
                          types:
                            A - IPv4 address record
                            CNAME - Canonical name record for a DNS
                            alias
                            SOA - Start of authority record
                            PTR - Pointer record for a domain name
                            MX - Mail Exchanger record
                            TXT - Text string
                            AAAA - IPv6 address record
                          By default, the AX device expects the DNS
                          server to respond to the health check with an A
                          record.

external                  Runs an external program (for example, a Tcl
[port port-num]           script) and bases the health status on the outcome
program program-name      of the program. See "Usage" below for more
[arguments                information on health check using an external
argument-string]          program.

ftp                       Sends an FTP login request to the specified port.
[[username name           Expects OK message, or Password message
password string]          followed by OK message. Unless you use
port port-num]            anonymous login, the username and password must
                          be specified in the health check configuration.

http [options]            Sends an HTTP request to the specified TCP port
                          and URL. Expects OK message (200). You can
                          specify the following options:
                          expect {string | response-code code-list} -
                          Specifies a response code or string expected from
                          the server, in which case this value is also
                          expected. To specify a range of response codes,
                          use a dash ( - ) between the low and high
                          numbers of the range. Use commas to delimit
                          individual code numbers or separate ranges. By
                          default, the AX device expects response code
                          200 (OK).
                          maintenance-code code-list - Specifies a
                          response code that indicates the server needs to
                          be placed into maintenance mode. If the AX
                          device receives the specified status code in
                          response to a health check, the AX device
                          changes the server's health status to
                          Maintenance.
                          When a server's health status is Maintenance, the
                          server will accept new requests on existing
                          cookie-persistent or source-IP persistent
                          connections, but will not accept any other
                          requests.
                          To leave maintenance mode, the server must do
                          one of the following:
                          - Successfully reply to a health check by
                            sending the expected string or response code,
                            but without including the maintenance code. In
                            this case, the server's health status changes
                            to Up.
                          - Fail a health check. In this case, the
                            server's status changes to Down.
                          The Maintenance health status applies to server
                          ports and service-group members. When a port's
                          status changes to Maintenance, this change
                          applies to all service-group members that use the
                          port.
                          Note: The expect maintenance-code option applies
                          only to servers in cookie-persistence or
                          source-IP persistence configurations, and can be
                          used only for HTTP and HTTPS ports.
                          host {ipv4-addr | ipv6-addr | domain-name}
                          [:port-num] - Replaces the information in the
                          Host field of the request sent to the real server.
                          By default, the real server's IP address is placed
                          in the field.
                          port port-num - Specifies the protocol port on
                          which the server listens for HTTP traffic. Use
                          this option if the server does not use the default
                          HTTP port, 80.
                          url string - Specifies the request type and the
                          page (url-path) to which to send the request. By
                          default, GET requests are sent for "/", the
                          index.html page. You can specify one of the
                          following:
                            GET url-path
                            HEAD url-path
                            POST url-path postdata string
                            POST / postfile filename
                          Note: In a postdata string, use "=" between a
                          field name and the value you are posting to it.
                          If you post to multiple fields, use "&" between
                          the fields. For example:
                          postdata fieldname1=value&fieldname1=value.
                          The string can be up to 255 bytes long.
                          To use POST data longer than 255 bytes, you must
                          import a POST data file and use the POST /
                          postfile filename option. (See "health postfile"
                          on page 113.)
                          username name - Specifies the username
                          required for HTTP access to the server. Unless
                          anonymous login is used, the username must be
                          specified.

https [options]           Similar to an HTTP health check, except SSL is
                          used to secure the connection. The default port is
                          443.

icmp                      Sends an ICMP echo request to the server.
[transparent ipaddr]      Expects ICMP echo reply message.
                          The transparent ipaddr option applies only to
                          specific configurations, where the health check
                          must check the path through a device:
                          - In DSR, the ipaddr specifies the virtual IP
                            address.
                          - In FWLB, the ipaddr specifies the IP address
                            of the AX device on the other side of the
                            firewall, or the floating IP address of the HA
                            group on the other side of the firewall.

ldap                      Sends an LDAP Bind request. Expects reply
[port port-num]           containing result code 0. The binddn option
[binddn name              specifies the Distinguished Name and the password
password string]          option specifies the password for the
[overssl]                 Distinguished Name. The overssl option uses SSL
                          (TLS) for the health check.

ntp                       Sends an NTP client message to UDP port 123.
                          Expects a standard NTP 48-byte reply packet.

pop3                      Sends a POP3 user login request with the
port port-num             specified username and password. Expects reply
username name             with OK message.
password string

radius                    Sends a Password Authentication Protocol (PAP)
port port-num             request to the specified port to authenticate the
secret string             specified username. Expects Access Accepted
username name             message (reply code 2). The secret option
password string           specifies the shared secret required by the
                          RADIUS server.

rtsp                      Sends a request to the specified port for
port port-num             information about the file specified by rtspurl.
rtspurl string            Expects reply with information about the
                          specified file.

sip                       Sends a SIP request to the SIP port. Expects 200
[register                 OK in response. The request is an OPTION
[port port-num]]          request, unless you use the register option to
[tcp]                     send a REGISTER request instead.
                          The tcp option configures the health method for
                          SIP over TCP/TLS. Without this option, the
                          health method is for SIP over UDP.

smtp                      Sends an SMTP Hello message to the specified
port port-num             server in the specified domain. Expects reply
domain domain-name        with OK message (reply code 250).

snmp                      Sends an SNMP Get or Get Next request to the
[port port-num]           specified OID, from the specified community.
[community string]        Expects reply with the value of the OID. The
[oid oid-name]            OID can be sysDescr, sysUpTime, sysName, or
[operation {get |         another name in ASN.1 style.
getnext}]

tcp                       Sends a connection request (TCP SYN) to the
port port-num             specified TCP port on the server. Expects TCP
[halfopen]                SYN ACK in reply.
                          By default, the AX Series responds to the SYN
                          ACK by sending an ACK. To configure the AX
                          Series to send a RST (Reset) instead, use the
                          halfopen option.

udp                       Sends a packet with a valid UDP header and a
port port-num             garbage payload to the specified UDP port on the
                          server. Expects either of the following:
                          - server reply from the specified UDP port, with
                            any type of packet.
                          - server does not reply at all.
                          The server fails the health check only if the
                          server replies with an ICMP Error message.

Default

The configuration has a default ping health monitor that uses the icmp
method. The AX device applies the ping monitor by default. The AX device
also applies the TCP or UDP health monitor by default, depending on the
port type. These default monitors are used even if you also apply configured
monitors to a service port.

To use differently configured ping or TCP/UDP monitors, configure new
monitors with the ICMP, TCP, or UDP method and apply those monitors
instead.

When specifying a protocol port number, specify the port number on the
real server, not the port number of the virtual port. By default, the
well-known port number for the service type of the health monitor is used. For
example, for LDAP, the default port is 389 (or 636 if the overssl option is
used).

If you specify the protocol port number in the health monitor, the protocol
port number configured in the health monitor is used if you send an
on-demand health check to a server without specifying the protocol port. (See
"health-test" on page 38.) After you bind the health monitor to a real server
port, health checks using the monitor are addressed to the real server port
number instead of the port number specified in the health monitor's
configuration. In this case, you can override the IP address or port using the
override commands described later in this chapter.

Mode

Health monitor configuration

Usage

To use a health method, you must do the following:

1. Configure a health monitor, by assigning a name to it and by assigning
   one of the health methods listed above to it. Use the health monitor
   command at the global Config level to create and name the monitor.
   (See "health monitor" on page 111.) Use the method command at the
   monitor configuration level to assign a health method to the monitor.

   Note: To configure a health monitor that uses a script, use the health
   external command to create it, instead of using the health monitor
   command. (See "health external" on page 109 and the external health
   check example below.)

2. Apply the health monitor to a real server or real server port, using the
   health-check command at the configuration level for the server or the
   server port. Apply monitors that use the ICMP method to real servers.
   (See "health-check" on page 382.) Apply monitors that use any of the
   other types of methods to individual server ports. (See "port" on
   page 383.)

Example

The following commands apply health monitor ping to server rs0. The
ping monitor is included in the AX Series device's configuration by default,
so you do not need to configure it.

AX(config)#slb server rs0 10.2.3.4
AX(config-real server)#health-check ping

Example

The following commands configure health monitor hm1 to use the TCP
health method, and apply the monitor to a TCP port on real server rs1.
The TCP health checks are sent to TCP port 23 on the server.

AX(config)#health monitor hm1
AX(config-health:monitor)#method tcp port 23
AX(config-health:monitor)#exit
AX(config)#slb server rs1 1.1.1.1
AX(config-real server)#port 23 TCP
AX(config-real server-node port)#health-check hm1

Example

The following commands configure health monitor hm2 and set it to use
the HTTP method. The health monitor is applied to port 80 on real server
rs1.

AX(config)#health monitor hm2
AX(config-health:monitor)#method http
AX(config-health:monitor)#exit
AX(config)#slb server rs1 2.2.2.2
AX(config-real server)#port 80 http
AX(config-real server-node port)#health-check hm2

Example

External Health Check Example

Besides internal health checks, which use a predefined health check
method, you can use external health checks, which run a script. The
following types of scripts are supported:

- Perl
- Shell
- TCL

Utility commands such as ping, ping6, wget, dig, and so on are supported.

For Tcl scripts, the health check parameters are transmitted to the script
through the predefined TCL array ax_env. The array variable
ax_env(ServerHost) is the server IP address and ax_env(ServerPort) is the
server port number. Set ax_env(Result) to 0 to indicate pass; any other
value indicates fail. TCL script filenames must use the .tcl extension.

To use the external method, you must import the program onto the
AX Series device. The script execution result indicates the server status,
which must be stored in ax_env(Result).

The following commands import external program ext.tcl from FTP
server 192.168.0.1, and configure external health method hm3 to use the
imported program to check the health of port 80 on the real server:

AX(config)#health external import "checking HTTP server" ftp://192.168.0.1/ext.tcl
AX(config)#health monitor hm3
AX(config-health:monitor)#method external port 80 program ext.tcl

Here is the ext.tcl file:

# Init server status to "DOWN"
set ax_env(Result) 1
# Open a socket (array keys are case sensitive: ServerHost, ServerPort)
if {[catch {socket $ax_env(ServerHost) $ax_env(ServerPort)} sock]} {
    # Connection failed; Result stays 1 (DOWN)
    puts stderr "$ax_env(ServerHost): $sock"
} else {
    fconfigure $sock -buffering none -eofchar {}
    # Send the request
    puts $sock "GET /1.html HTTP/1.0\n"
    # Wait for the response from http server
    set line [read $sock]
    if { [ regexp "HTTP/1.. (\[0-9\]+) " $line match status] } {
        puts "server $ax_env(ServerHost) response : $status"
        # Check exit code
        if { $status == 200 } {
            # Set server to be "UP"
            set ax_env(Result) 0
        }
    }
    close $sock
}

For additional information and more examples, see the "External Health
Method Examples" section in the "Health Monitoring" chapter of the
AX Series Configuration Guide.
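
A model of the dns method's recurse, type and expect response-code options, added here as an illustration and not A10's implementation. It builds the query a monitor for a domain name would send and evaluates a reply; the function names, the constructed sample reply, and the rule that a code 0 reply must carry a record of the configured type are assumptions.

```python
"""DNS health-check model (added example, not A10 code)."""
import struct

QTYPES = {"A": 1, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}


def encode_name(domain):
    out = b""
    for label in domain.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label must be 1-63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(domain, rtype="A", recurse=True, txid=0x1234):
    """One-question query; 'recurse' maps to the RD (recursion desired) bit."""
    flags = 0x0100 if recurse else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!HH", QTYPES[rtype], 1)


def skip_name(msg, off):
    """Offset just past a name that may end in a compression pointer."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:   # 2-byte pointer terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(msg):
    """Return (txid, is_response, rcode, [answer record type numbers])."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated record")
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if off > len(msg):
            raise ValueError("truncated rdata")
        types.append(rtype)
    return txid, bool(flags & 0x8000), flags & 0x000F, types


def check(msg, txid, rtype="A", expect_codes=()):
    """True if the reply passes: expected response code and record type."""
    expected = set(expect_codes) or {0}        # empty list means code 0 only
    if any(not 0 <= c <= 15 for c in expected):
        raise ValueError("response codes are 0-15")
    try:
        rid, is_resp, rcode, types = parse_response(msg)
    except (ValueError, struct.error):
        return False
    if rid != txid or not is_resp or rcode not in expected:
        return False
    if rcode != 0:
        return True    # an expected error code has no answer to type-check
    return QTYPES[rtype] in types              # ASSUMPTION: type must be present


def constructed_response(query, rcode=0, answer_type=None):
    """CONSTRUCTED sample reply: echoes the question, optionally one answer."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = 0x8000 | (qflags & 0x0100) | 0x0080 | rcode   # QR, RD echoed, RA
    body = query[12:]
    if answer_type:
        rdata = bytes(16) if answer_type == "AAAA" else b"\xc0\x00\x02\x01"
        body += b"\xc0\x0c" + struct.pack(
            "!HHIH", QTYPES[answer_type], 1, 60, len(rdata)) + rdata
    count = 1 if answer_type else 0
    return struct.pack("!HHHHHH", txid, flags, 1, count, 0, 0) + body


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(check(constructed_response(q, 0, "A"), 0x1234))          # healthy
    print(check(constructed_response(q, 3), 0x1234))               # NXDOMAIN
    print(check(constructed_response(q, 3), 0x1234, "A", (0, 3)))  # 3 allowed
```

Adding error codes such as 3 to the expect list makes the monitor pass on a server that answers but no longer holds the record, so keep the list as narrow as the deployment allows.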


override-ipv4
Description

Send the health check to a specific IPv4 address, instead of sending the
health check to the IP address of the real server or GSLB service IP to
which the health monitor is bound. This command and the other override
commands are particularly useful for testing the health of remote links.

Syntax

[no] override-ipv4 ipaddr

Default

By default, a health check is addressed to the real server IP address of the
server to which the health monitor is bound.

Mode

Health monitor configuration

Example

The following commands configure a health monitor to check 192.168.1.1:

AX(config)#health monitor site1-hm
AX(config-health:monitor)#method icmp
AX(config-health:monitor)#override-ipv4 192.168.1.1

override-ipv6
Description

Send the health check to a specific IPv6 address, instead of sending the
health check to the IP address of the real server to which the health monitor
is bound.

Syntax

[no] override-ipv6 ipv6addr

Default

By default, a health check is addressed to the real server IP address of the
server to which the health monitor is bound.

Mode

Health monitor configuration

Example

The following commands configure a health monitor to check
2001:db8::1521:31ab:

AX(config)#health monitor site2-hm
AX(config-health:monitor)#method icmp
AX(config-health:monitor)#override-ipv6 2001:db8::1521:31ab

override-port
Description

Send the health check to a specific protocol port, instead of sending the
health check to the server port to which the health monitor is bound.

Syntax

[no] override-port portnum

Default

By default, a health check is addressed to the protocol port number to which
the health monitor is bound.

Mode

Health monitor configuration

Example

The following commands configure a health monitor to check port 8081 on
192.168.1.1:

AX(config)#health monitor site3-hm
AX(config-health:monitor)#method http
AX(config-health:monitor)#override-ipv4 192.168.1.1
AX(config-health:monitor)#override-port 8081

strictly-retry-on-server-error-response
Description

Force the AX device to wait until all retries are unsuccessful before marking
a server or port Down.

Syntax

[no] strictly-retry-on-server-error-response

Default

Disabled. For some health method types, the AX device marks the server or
port Down after the first failed health check attempt, even if the retries
option for the health monitor is set to higher than 0.

Mode

Health monitor configuration

Usage

This command is applicable only to some types of health monitors, such as
HTTP health monitors. For example, this command applies to HTTP health
monitors that expect a string in the server reply. By default, if the server's
HTTP port does not reply to the first health check attempt with the expected
string, the AX device immediately marks the port Down.

Example

The following commands configure an HTTP health monitor that checks for
the presence of testpage.html, and enable strict retries for the monitor.

AX(config)#health monitor http-exhaust
AX(config-health:monitor)#method http url GET /testpage.html
AX(config-health:monitor)#strictly-retry-on-server-error-response
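
How the http method's expect and maintenance-code lists combine with strictly-retry-on-server-error-response, as an added Python model (not A10 code). Class and function names are hypothetical, and treating a missing reply as retryable in both modes is an assumption the reference does not state.

```python
"""HTTP health-monitor decision model (added example, not A10 code)."""


def parse_code_list(text):
    """Parse a code-list such as '200-204,301' into a set of ints.

    Dashes join the low and high ends of a range; commas separate entries.
    """
    codes = set()
    for part in text.split(","):
        low, dash, high = part.strip().partition("-")
        first = int(low)                     # ValueError on empty or junk
        last = int(high) if dash else first
        if not 100 <= first <= last <= 599:
            raise ValueError(f"bad code or range: {part!r}")
        codes.update(range(first, last + 1))
    return codes


class HttpMonitor:
    def __init__(self, expect="200", maintenance="", retries=0, strict=False):
        self.expect = parse_code_list(expect)
        self.maintenance = parse_code_list(maintenance) if maintenance else set()
        self.retries = retries
        self.strict = strict   # strictly-retry-on-server-error-response

    def classify(self, status):
        """Verdict for one attempt; status None means no reply arrived."""
        if status is None:
            return "fail"
        if status in self.maintenance:   # maintenance code wins over expect
            return "Maintenance"
        return "Up" if status in self.expect else "fail"

    def run_check(self, replies):
        """Return (state, attempts_used) for one health check.

        replies: the status code (or None) the server gives on each attempt.
        """
        attempts = 0
        for status in list(replies)[: 1 + self.retries]:
            attempts += 1
            verdict = self.classify(status)
            if verdict != "fail":
                return verdict, attempts
            if status is not None and not self.strict:
                break   # default: an unexpected response is final
            # ASSUMPTION: a missing reply is retried in both modes.
        return "Down", attempts


def timeline(monitor, checks):
    """States reported over successive health checks."""
    return [monitor.run_check(replies)[0] for replies in checks]


if __name__ == "__main__":
    # Constructed reply sequences: a server that errors once, then recovers.
    flaky = [500, 200]
    print(HttpMonitor(retries=3).run_check(flaky))               # default
    print(HttpMonitor(retries=3, strict=True).run_check(flaky))  # strict
    print(timeline(HttpMonitor(maintenance="503"), [[503], [200], [500]]))
```

With the default setting, one transient 5xx reply takes the port out of rotation despite a non-zero retries value, which is the case the strict option addresses.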


Config Commands: High Availability


The commands in this chapter configure global High Availability (HA)
parameters.

(Also see "floating-ip" on page 108.)

Note: This chapter provides reference information for individual commands.
For information about how HA works and how to configure it, see the
AX Series Configuration Guide.

This CLI level also has the following commands, which are available at all
configuration levels:

clear     See "clear" on page 49.
debug     See "debug" on page 52.
do        See "do" on page 103.
end       See "end" on page 107.
exit      See "exit" on page 107.
no        See "no" on page 135.
show      See "Show Commands" on page 535.
write     See "write terminal" on page 67.

ha arp-retry
Description

Change the number of additional gratuitous ARPs, in addition to the first
one, an AX sends after transitioning from Standby to Active in an HA
configuration. These ARPs are sent at intervals of 500 milliseconds.

Syntax

[no] ha arp-retry num

Parameter       Description

num             Specifies the number of additional gratuitous
                ARPs to send, after sending the first one. You
                can specify 1-255.

Default

The AX device sends 4 additional gratuitous ARPs by default, for a total
of 5.

Mode

Global Config

Example

The following command increases the number of additional gratuitous
ARPs to 9, for a total of 10 ARPs:

AX(config)#ha arp-retry 9

ha check gateway
Description

Configure an AX device to detect the status of its gateway routers, and
change HA status based on gateway status changes.

Syntax

[no] ha check gateway ipaddr

Parameter        Description

ipaddr
    IP address of the gateway.

Default

Not set

Mode

Global Config

Usage

This feature uses health monitors to check the availability of the gateways.
If any of the active AX device's gateways fails a health check, the AX
device changes its HA status to Down. If the HA status of the other AX
device is higher than Down, a failover occurs.

Likewise, if the gateway becomes available again and all gateways pass
their health checks, the AX device recalculates its HA status according to
the HA interface counts. If the new HA status of the AX device is higher
than the other AX device's HA status, a failover occurs.

Configuration of gateway-based failover requires the following steps:
1. Configure a health monitor that uses the ICMP method. (See health
monitor on page 111.)
2. Configure the gateway as an SLB real server and apply the ICMP health
monitor to the server. (See method on page 494.)
3. Enable HA checking for the gateway, using the command described in
this section.

Example

The following commands configure gateway-based failover for gateway
10.10.10.1:

AX(config)#health monitor gatewayhm1
AX(config-health:monitor)#method icmp
AX(config-health:monitor)#exit
AX(config)#slb server gateway1 10.10.10.1
AX(config-real server)#health-check gatewayhm1
AX(config-real server)#exit
AX(config)#ha check gateway 10.10.10.1

ha check route
Description

Reduces the HA priority of all HA groups on the AX device, if the specified
route is missing from the IPv4 or IPv6 route table.

Syntax

For IPv4 routes:

[no] ha check route destination-ipaddr /mask-length
priority-cost weight
[gateway ipaddr]
[protocol {static | dynamic}]
[distance num]

For IPv6 routes:

[no] ha check route
destination-ipv6addr/mask-length
priority-cost weight
[gateway ipv6addr]
[protocol {static | dynamic}]
[distance num]

Parameter        Description

destination-ipaddr /mask-length
    Specifies the destination IPv4 subnet of the route.

destination-ipv6addr/mask-length
    Specifies the destination IPv6 address of the route.

priority-cost weight
    Specifies the value to subtract from the HA priority of each HA group,
    if the IP route table does not have a route to the destination subnet.

gateway ipaddr
    Specifies the next-hop gateway for the route.

protocol {static | dynamic}
    Specifies the source of the route:
    static: The route was added by an administrator.
    dynamic: The route was added by a routing protocol. (This includes
    redistributed routes.)

distance num
    Specifies the metric value (cost) of the route.

Default

None

Mode

Global Config

Usage

This feature applies only to routes in the data route table. The feature does
not apply to routes in the management route table.
For failover to occur due to HA priority changes, the HA pre-emption
option must be enabled.
You can configure this option for up to 100 IPv4 routes and up to 100 IPv6
routes. This option is valid for all types of IP routes supported in this release
(static, RIP, and OSPF).
If the priority of an HA group falls below the priority for the same group on
the other AX device in an HA pair, a failover can be triggered.
Omitting an optional parameter matches on all routes. For example, if you
do not specify the next-hop gateway, routes that match based on the other
parameters can have any next-hop gateway.

Example

The following command configures HA route awareness for a default IPv4
route. If this route is not in the IP route table, 255 is subtracted from the HA
priority of all HA groups.

AX(config)#ha check route 0.0.0.0 /0 priority-cost 255

Note:

The lowest possible HA priority value is 1. Subtracting 255 sets the HA priority value to 1, regardless of the original priority value.

Example

The following command configures HA route awareness for a dynamic
route to subnet 10.10.10.x with route cost 10. If the IP route table does not
have a dynamic route to this destination with the specified cost, 10 is subtracted from the HA priority value for each HA group.

AX(config)#ha check route 10.10.10.0 /24 priority-cost 10 protocol dynamic distance 10

Example

The following commands configure HA route awareness for an IPv6 route
to 3000::/64. Based on the combination of these commands, if the IPv6
route table does not contain any routes to the destination, 105 is subtracted
from the HA priority of each HA group.
If the IPv6 route table does contain a static route to the destination, but the
next-hop gateway is not 2001::1, the AX device subtracts only 5 from the
HA priority of each HA group.

AX(config)#ha check route 3000::/64 priority-cost 100
AX(config)#ha check route 3000::/64 priority-cost 5 protocol static gateway 2001::1
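
The priority arithmetic of the three ha check route examples above, modelled in Python. This is an added illustration, not A10 code and not part of the original reference. The names Route, RouteCheck, priority_penalty, effective_priority and failover_possible are hypothetical, the route tables are constructed samples, and the model assumes that the costs of several unmatched entries add up, as the figure of 105 in the IPv6 example implies.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional

HA_PRIORITY_FLOOR = 1  # the page: the lowest possible HA priority value is 1


@dataclass(frozen=True)
class Route:
    """One entry of the data route table (sample data, not device output)."""
    destination: str   # "10.10.10.0/24" or "3000::/64"
    gateway: str
    protocol: str      # "static" or "dynamic"
    distance: int


@dataclass(frozen=True)
class RouteCheck:
    """One `ha check route` statement; None means the option was omitted."""
    destination: str
    priority_cost: int
    gateway: Optional[str] = None
    protocol: Optional[str] = None
    distance: Optional[int] = None

    def matches(self, route: Route) -> bool:
        """An omitted option matches any value; a given option must be equal."""
        wanted = ip_network(self.destination, strict=False)
        if ip_network(route.destination, strict=False) != wanted:
            return False
        if self.gateway is not None and ip_address(route.gateway) != ip_address(self.gateway):
            return False
        if self.protocol is not None and route.protocol != self.protocol:
            return False
        return self.distance is None or route.distance == self.distance


def priority_penalty(checks: Iterable[RouteCheck], table: Iterable[Route]) -> int:
    """Sum the priority-cost of every check that no route in the table satisfies."""
    routes = list(table)
    return sum(c.priority_cost for c in checks
               if not any(c.matches(r) for r in routes))


def effective_priority(configured: int, checks, table) -> int:
    """HA group priority after the route checks, never below the floor of 1."""
    return max(HA_PRIORITY_FLOOR, configured - priority_penalty(checks, table))


def failover_possible(local: int, peer: int, preemption: bool) -> bool:
    """Priority changes can trigger failover only with pre-emption enabled."""
    return preemption and local < peer


# The page's own statements (the CLI writes IPv4 as "0.0.0.0 /0", with a space).
DEFAULT_ROUTE_CHECK = [RouteCheck("0.0.0.0/0", 255)]
IPV6_CHECKS = [
    RouteCheck("3000::/64", 100),
    RouteCheck("3000::/64", 5, gateway="2001::1", protocol="static"),
]
# Constructed route tables for the three cases of the IPv6 example.
NO_ROUTES = []
WRONG_GATEWAY = [Route("3000::/64", "2001::2", "static", 1)]
RIGHT_GATEWAY = [Route("3000::/64", "2001::1", "static", 1)]

if __name__ == "__main__":
    for name, table in [("no route", NO_ROUTES),
                        ("static route, other gateway", WRONG_GATEWAY),
                        ("static route via 2001::1", RIGHT_GATEWAY)]:
        print(name, effective_priority(200, IPV6_CHECKS, table))
```

A check with no optional parameters is satisfied by any route to the destination, which is why the first IPv6 entry stops costing 100 as soon as a route with the wrong gateway appears and only the second entry's 5 remains.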

ha check vlan
Description

Configure an AX device to detect the status of its VLANs, and change HA
status based on VLAN status changes.

Syntax

[no] ha check vlan vlan-id timeout seconds

Parameter        Description

vlan-id
    VLAN ID.

seconds
    Number of seconds a VLAN can be inactive before a failover is
    triggered. The timeout can be 2-600 seconds. You must specify the
    timeout. Although there is no default, A10 recommends trying
    30 seconds.

Default

Not set

Mode

Global Config

Usage

When HA checking is enabled for a VLAN, the active AX device in the HA
pair monitors traffic activity on the VLAN. If there is no traffic on the
VLAN for half the duration of a configurable timeout, the AX device
attempts to generate traffic by issuing ping requests to servers if configured,
or broadcast ARP requests through the VLAN.

If the AX device does not receive any traffic on the VLAN before the timeout expires, a failover occurs.

This HA checking method provides a passive means to detect network
health, whereas heartbeat messages are an active mechanism. You can use
either or both methods to check VLAN health. If you use both methods on a
VLAN, A10 recommends that you specify an HA checking interval (timeout) that is much longer than the heartbeat interval.

Example

The following command enables VLAN-based failover for VLAN 10 and
sets the timeout to 30 seconds:

AX(config)#ha check vlan 10 timeout 30

ha conn-mirror
Description

Set the peer IP address to use for session synchronization (also called connection mirroring) and config sync.

Syntax

[no] ha conn-mirror ip ipaddr

Parameter        Description

ipaddr
    Specifies the IP address of the other AX in the HA configuration.

Default

None

Mode

Global Config

Usage

This command sets the IP address to which to mirror sessions. However,
you also must use the ha-conn-mirror command on individual virtual ports
to enable connection mirroring on the virtual ports. (See ha-conn-mirror
on page 415.)

Connection mirroring is required for config sync. Config sync uses the connection mirroring link.

HA session synchronization applies primarily to Layer 4 sessions. HA session synchronization does not apply to DNS sessions. Since these sessions
are typically very short lived, there is no benefit to synchronizing them.

Likewise, session synchronization does not apply to static NAT sessions.
Synchronization of these sessions is not needed since the newly Active AX
device will create a new flow for the session following failover.

Example

The following command sets the session synchronization address to
10.10.10.66, the IP address of the other AX in this HA pair:

AX(config)#ha conn-mirror ip 10.10.10.66


ha force-self-standby
Description

Force HA groups to change from Active to Standby status.

Syntax

[no] ha force-self-standby [group-id]

Parameter        Description

group-id
    Specifies the group ID. Only the specified group is forced to change
    from Active to Standby. If you do not specify a group ID, all Active
    groups are forced to change to Standby status.

Default

N/A

Mode

Global Config

Usage

This command provides a simple method to force a failover, without the
need to change HA group priorities and enable pre-emption. The command
is not added to the configuration and does not persist across reboots.

Example

The following command forces HA group 1 to change from Active to
Standby status:

AX(config)#ha force-self-standby 1

ha forward-l4-packet-on-standby
Description

Enable Layer 2/3 forwarding of Layer 4 traffic on the Standby AX device.

Syntax

[no] ha forward-l4-packet-on-standby

Default

Disabled. Layer 4 traffic is dropped by the Standby AX device.

Mode

Global Config

ha group
Description

Configure an HA group and set its priority.

Syntax

[no] ha group group-id priority num

Parameter        Description

group-id
    HA group ID, 1-31.

num
    Number from 1 (low priority) to 255 (high priority).

Default

The configuration does not have a default HA group. HA groups do not
have a default priority. You must set the priority.

Mode

Global Config

Usage

In Active-Standby configurations, configure only one HA group. Use the
same group ID on each AX device.

In Layer 3 Active-Active configurations, to make one AX active for some
virtual servers and make the other AX active for the other virtual servers,
configure multiple HA groups and give them different priorities. Use the
same group IDs for the same virtual servers on each AX.

Example

The following command configures HA group 1 and sets its priority to 100:

AX(config)#ha group 1 priority 100

ha id
Description

Enable HA.

Syntax

[no] ha id {1 | 2} [set-id num]

Parameter        Description

1 | 2
    HA ID for the AX device.

set-id num
    HA set ID, 1-7.

Default

Neither parameter is set.

Mode

Global Config

Usage

Use HA ID 1 on one of the AX Series devices in the HA pair. Use HA ID 2
on the other AX Series device in the HA pair.

The set-id option allows you to use multiple HA pairs. The set ID must be
unique for each AX pair.

Example

The following command enables HA with ID 1:

AX(config)#ha id 1


ha inline-mode
Description

Enable blocking of Layer 2 loops in a transparent (Layer 2) hot-standby HA
configuration.

Syntax

[no] ha inline-mode [preferred-port port-num]

Parameter        Description

port-num
    Specifies the port to use for session synchronization and for
    management traffic between the AX Series devices in the HA pair. For
    example, if you use the CLI on one AX to ping the other AX device, the
    ping packets are sent only on the preferred HA port. Likewise, the other
    AX device sends the ping reply only on its preferred HA port.
    Management traffic between AX Series devices includes any of the
    following types of traffic: Telnet, SSH, or Ping.

Default

Disabled. If you enable inline mode but you do not specify the preferred
port, the preferred port is selected as follows:
1. The first HA interface that comes up on the AX is used as the preferred
HA port.
2. If the preferred HA port selected above goes down, the HA interface
with the lowest port number is used. If that port also goes down, the HA
interface with the next-lowest port number is used, and so on.

This selection mechanism is also used if the preferred port is configured but
goes down.

Note:

The preferred port must be added as an HA interface and heartbeat messages must be enabled on the interface.

Mode

Global Config

Usage

Inline support applies specifically to network topologies where inserting a
pair of AX Series devices would cause a Layer 2 loop. In this type of topology, inline mode enables you to deploy the AX Series devices in an HA pair
without the need to enable Spanning Tree Protocol (STP) on any of the
devices in the network.

Inline mode is designed for one HA group in Hot-Standby mode. Do not
configure more than one HA group on an AX running in inline mode.

Example

The following command enables HA inline mode and sets the preferred port
to Ethernet port 5:

AX(config)#ha inline-mode preferred-port 5

ha interface
Description

Configure an HA interface.

Syntax

[no] ha interface ethernet port-num
[router-interface | server-interface | both]
[no-heartbeat | vlan vlan-id]

Parameter        Description

port-num
    Specifies the HA interface.

router-interface | server-interface | both
    Identifies the type of device connected to the HA interface:
    router-interface: The HA interface is connected to an upstream router.
    server-interface: The HA interface is connected to a real server.
    both: The HA interface is connected to an upstream router and a real
    server.

no-heartbeat | vlan vlan-id
    Disables HA heartbeat messages on the HA interface, or enables them
    only on the specified VLAN.
    If the port is tagged and heartbeat messages are enabled, you must
    specify the VLAN.

Default

No HA interfaces are set by default. When you set an HA interface, the
device type is not set by default. Heartbeat messages are enabled on the
interface by default.

Mode

Global Config

Usage

At least one HA interface must be specified and at least one HA interface
must have heartbeat messages enabled. If the interface is tagged, a VLAN
ID must be specified if heartbeat messages are enabled on the interface.

The maximum number of HA interfaces you can configure is the same as
the number of Ethernet data ports on the AX device.

Note:

If the heartbeat messages from one AX device to the other will pass through
a Layer 2 switch, the switch must be able to pass UDP IP multicast packets.

Set each interface connected to the real servers or clients (for example, connected through upstream routers) as an HA interface. Also set the interface
that connects an AX Series device to its HA peer (the other AX device in
the HA pair) as an HA interface.

Setting the device type increases the granularity of the HA state.

If the device type is not set, the HA state of the AX device can be one of
the following:
- Up: All configured interfaces are up.
- Down: At least one of the HA interfaces is down.

If you set the device type, the HA status of the AX device is based on
the status of the AX link with the real server or upstream router:
- Up: All configured HA router and server interfaces are up.
- Partially Up: Some HA router or server interfaces are down but at
  least one server link and one router link are up.
- Down: All router interfaces, or all server interfaces, or both are
  down. The status also is Down if neither router interfaces nor server
  interfaces are configured and an HA interface goes down.

If both types of interfaces (router interfaces and server interfaces) are
configured, the HA interfaces for which a type has not been configured
are not included in the HA interface status determination.

Example

The following command configures Ethernet port 2 as an HA interface,
indicates that it is connected to a router, and disables heartbeat messages on
the interface:

AX(config)#ha interface ethernet 2 router-interface no-heartbeat

ha l3-inline-mode
Description

Enable blocking of traffic loops in a gateway (Layer 3) hot-standby HA
configuration.

Syntax

[no] ha l3-inline-mode

Default

Disabled.

Mode

Global Config

Usage

Layer 3 inline support applies specifically to network topologies where
inserting a pair of AX Series devices would cause a traffic loop. In this type
of topology, Layer 3 inline mode enables you to deploy the AX Series
devices in an HA pair without the need to change the network topology or
enable Spanning Tree Protocol (STP) on any of the devices in the network.

Inline mode is designed for one HA group in Hot-Standby mode. Do not
configure more than one HA group on an AX running in inline mode.

Example

The following command enables Layer 3 inline mode:

AX(config)#ha l3-inline-mode

ha link-event-delay
Description

Change the delay waited by the AX device before changing the HA state
(Up, Partially Up, or Down) in response to link-state changes on HA interfaces.

Syntax

[no] ha link-event-delay 100-ms-unit

Parameter        Description

100-ms-unit
    Specifies how many 100-ms units (one tenth of a second units) to use
    for the delay. You can set the delay to a value from 100 milliseconds
    (ms) to 10000 ms, in increments of 100 ms.

Default

3000 ms (3 seconds)

Mode

Global Config

Usage

This command applies only to inline mode (Layer 2 or Layer 3). The delay
is applicable in the following situations:
- The AX device is Active and a link goes down.
- The AX device is Standby and a link comes up. (There is an additional
  10-20 second delay in this case.)

The delay helps prevent HA flapping.

Example

The following command changes the HA state change delay to 5 seconds:

AX(config)#ha link-event-delay 50


ha ospf-inline vlan
Description

In HA Layer 3 inline mode, leave OSPF enabled on the Standby AX device,
on the specified VLAN.

Syntax

[no] ha ospf-inline vlan vlan-id

Default

Enabled for all VLANs.

Mode

Global Config

Usage

When this option is enabled, OSPF on the Standby AX device will always
participate in OSPF routing. There is no additional time gap when failover
happens.
To limit OSPF adjacency formation to a specific VLAN only, explicitly
configure adjacency formation for that VLAN. In this case, OSPF adjacency formation does not occur for any other VLANs.

ha preemption-enable
Description

Allow the high-priority HA group to take over from the currently active
one. This command enables you to force HA failovers based on HA configuration changes.

Syntax

[no] ha preemption-enable

Default

Pre-emption is disabled by default. By default, a failover occurs only in the
following cases:
- The Standby AX device stops receiving HA heartbeat messages from
  the other AX device in the HA pair.
- The HA interface state changes give the Standby AX device a better HA
  state than the Active AX device.

By default, failover does not occur due to HA configuration changes to the
HA priority.

Note:

To force failover without changing HA group priorities or enabling pre-emption, see ha force-self-standby on page 511.

Mode

Global Config

Example

The following command enables HA pre-emption mode:

AX(config)#ha preemption-enable

ha restart-port-list
Description

Configure HA interfaces on the previously Active AX device to toggle (shut
down and restart) following HA failover.

Syntax

[no] ha restart-port-list ethernet port-list

Parameter        Description

port-list
    Specifies the HA interfaces to restart.

Note:

You must omit at least one port connecting the AX devices from the
restart port-list, and heartbeat messages must be enabled on the port. This
is so that heartbeat messages between the AX devices are maintained;
otherwise, flapping might occur.

Note:

On model AX 2000 or AX 2100, A10 recommends that you do not
include Fiber ports in the restart port list.

Default

Disabled. HA interfaces are not restarted after a failover.

Mode

Global Config

Usage

Use this command in inline mode configurations to cause the router connected to the AX Series device to relearn MACs, including MACs for the
real servers. Without this command, the router might continue to try to
reach the real servers through the AX Series device that becomes the
Standby AX device after a failover.
HA port restart toggles a specified set of ports on the formerly Active AX
by disabling the ports, waiting for a specified number of milliseconds, then
re-enabling the ports. Toggling the ports causes the links to go down, which
in turn causes the devices on the other ends of the links to flush their learned
MAC entries on the links. The devices then can relearn MACs through links
with the newly Active AX.

Example

The following command enables restart of HA interfaces 1 and 2, to occur if
the AX Series device transitions to Standby:

AX(config)#ha restart-port-list ethernet 1 to 2


ha restart-time
Description

Configure the amount of time HA interfaces remain disabled following a
failover.

Syntax

[no] ha restart-time 100-msec-units

Parameter        Description

100-msec-units
    Amount of time to keep the HA interfaces disabled. You can specify
    1-100 units of 100 ms (from 0.1 seconds to 10 seconds).

Default

The default is 20 units of 100 milliseconds (ms) each, for a total of 2 seconds.

Mode

Global Config

Usage

This command applies only to HA interfaces in a restart port list configured
by the ha restart-port-list command. (See ha restart-port-list on
page 518.)

Example

The following command changes the restart interval to 4 seconds:

AX(config)#ha restart-time 40

ha sync
Description

Synchronize the Layer 4-7 configuration information of the standby
AX Series device with the active AX device in an HA pair.

Syntax

ha sync all
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]

Syntax

ha sync startup-config
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]

Syntax

ha sync running-config
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]

Syntax

ha sync data-files
[all-partitions | partition partition-name]

Parameter        Description

all
    Synchronizes data files and the running-config. (See Usage for a list
    of the types of data files that are synchronized.) You can synchronize
    the running-config to one of the following on the other AX Series
    device:
    startup-config: Replaces the startup-config on the other AX device
    with the running-config on this device. For information about the
    with-reload option, see Usage below.
    Note: If the HA status is Standby for all the HA groups on the other AX
    device, the AX device is reloaded anyway, even if the with-reload
    option is not used.
    running-config: Replaces the running-config on the other AX device
    with the running-config on this device.

data-files
    Synchronizes data files but not the running-config or startup-config.
    (See Usage for a list of the types of data files that are synchronized.)

running-config
    Synchronizes the running-config. You can synchronize it to one of the
    following on the other AX Series device:
    startup-config: Replaces the startup-config on the other AX device
    with the running-config on this device. For information about the
    with-reload option, see Usage below.
    running-config: Replaces the running-config on the other AX device
    with the running-config on this device.

startup-config
    Synchronizes the startup-config. See above for descriptions of the
    options. You can synchronize it to one of the following on the other
    AX Series device:
    startup-config: Replaces the startup-config on the other AX device
    with the startup-config on this device. For information about the
    with-reload option, see Usage below.
    running-config: Replaces the running-config on the other AX device
    with the startup-config on this device.

all-partitions
    Synchronizes the configuration for all partitions.

partition partition-name
    Synchronizes the configuration only for the specified partition.

Default

N/A

Mode

Global Config

Usage

Connection mirroring is required for config sync. Config sync uses the connection mirroring link. (See ha conn-mirror on page 510.)

SSH management access must be enabled on both ends of the link. (See
enable-management on page 105.)

The following configuration items are backed up during HA config sync:
- Admin accounts and settings
- Floating IP addresses
- IP NAT configuration
- Access control lists (ACLs)
- Health monitors
- Policy-based SLB (black/white lists)
- SLB
- FWLB
- GSLB
- Data Files:
  - aFleX files
  - External health check files
  - SSL certificate and private-key files
  - Black/white-list files

The following configuration items are not backed up during HA config
sync:
- Management access settings (the ones described in enable-management
  on page 105)
- AX Hostname
- MAC addresses
- Management IP addresses
- Trunks or VLANs
- Interface settings
- OSPF or RIP settings
- ARP entries or settings

This command does not have a no form.


Reload of the target AX device following synchronization
In certain cases, the target AX device is automatically reloaded, but in other
cases, reload is either optional or is not allowed.
Table 4 lists the cases in which reload is automatic, optional, or not allowed.
TABLE 4

Reload of Target AX Device After Config-Sync

Admin Role
Root or Super User
(Read-Write)

Status of Target AX
Standby
Active

Partition Write

Standby
Active

Target Config
startup-config
running-config
startup-config
running-config
startup-config
running-config
startup-config
running-config

Reload?
Automatic
Automatic
Optional1
Not reloaded by default
Automatic
Not Allowed
Not Allowed
Not Allowed
Not Allowed

1. If the target AX device is not reloaded, the GUI Save button on the Standby AX device does not blink to indicate
unsaved changes. It is recommended to save the configuration if required to keep the running-config before the next
reboot.

An admin who is logged on with Root or Read-Write (Super Admin) privileges can synchronize for all Role-Based Administration (RBA) partitions
or for a specific partition.

An admin who is logged on with Partition Write privileges can synchronize
only for the partition to which the admin is assigned, and can only synchronize to the startup-config on the other device. The with-reload and to-running-config options are not available to Partition Write admins.

Data that is synchronized from a Standby AX device to an Active AX
device is not available on the Active AX device until that device is rebooted
or the software is reloaded.

Synchronization on an AX Device configured for RBA

The all-partitions and partition partition-name options are applicable on
AX devices that are configured for Role-Based Administration (RBA). If
you omit both options, only the resources in the shared partition are synchronized. (If RBA is not configured, all resources are in the shared partition, so you can omit both options.)

The all-partitions option is applicable only to admins with Root, Read-write, or Read-only privileges. (See show admin on page 536 for descriptions of the admin privilege levels.)

Note:

If you plan to synchronize the Active AX device's running-config to the
Standby AX device's running-config, make sure to use one of the following synchronization options. Performing any one of these options ensures
that new private partitions appear correctly in the Standby AX device's
configuration.
- Synchronize all partitions
- Synchronize the shared partition to the startup-config first, then synchronize the private partition to the running-config.
- On the Active AX device, synchronize the shared partition to the running-config first. Log onto the Standby AX device and save the shared
  partition (write memory partition shared). Then, on the Active AX
  device, synchronize the private partition to the running-config.

Example

The following command synchronizes the running-config and data files by
copying them from this AX Series device to the other one in the HA pair.
The running-config is copied to the other AX device's startup-config, and
the other AX device is then reloaded:

AX(config)#ha sync all startup-config

Example

The following commands synchronize the Active AX device's running-config with the Standby AX device's running-config, for AX devices that are
configured for Role-Based Administration (RBA):

AX(config)#ha sync running-config to-running-config partition shared
AX(config)#ha sync running-config to-running-config all-partitions


ha time-interval
Description

Configure the interval between HA heartbeat messages.

Syntax

[no] ha time-interval 100-msec-units

Parameter        Description

100-msec-units
    Amount of time between sending each heartbeat message. You can
    specify 1-255 units of 100 ms each.

Default

200 milliseconds

Mode

Global Config

Example

The following command changes the HA time interval to 400 ms:

AX(config)#ha time-interval 4

ha timeout-retry-count
Description

Configure the number of HA heartbeat intervals the Standby AX Series
device will wait for a heartbeat message from the Active AX device before
failing over.

Syntax

[no] ha timeout-retry-count num

Parameter        Description

num
    Number of times the HA time interval can expire before the Standby
    AX device fails over to become the Active AX device. You can specify
    2-255.

Default

Mode

Global Config

Example

The following command changes the HA timeout retry count to 10:

AX(config)#ha timeout-retry-count 10
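
The value ranges and dependencies stated across this chapter can be checked mechanically before a configuration is applied. The following Python linter is an added example, not A10 tooling and not part of the original reference; lint_ha_config and both sample configurations are constructed for illustration, and the restart-port-list rule is approximated as "at least one heartbeat-enabled HA interface stays out of the list", because the configuration text alone does not say which port connects the two AX devices.

```python
"""Lint the `ha` statements of an AX configuration against the limits and
dependencies stated in this chapter. Added example, not A10 tooling."""
import re

# Value ranges copied from the parameter tables in this chapter.
RANGE_RULES = [
    (r"ha arp-retry (?P<num>\d+)$", {"num": (1, 255)}),
    (r"ha check vlan \d+ timeout (?P<seconds>\d+)$", {"seconds": (2, 600)}),
    (r"ha group (?P<group>\d+) priority (?P<priority>\d+)$",
     {"group": (1, 31), "priority": (1, 255)}),
    (r"ha id [12] set-id (?P<set_id>\d+)$", {"set_id": (1, 7)}),
    (r"ha link-event-delay (?P<units>\d+)$", {"units": (1, 100)}),
    (r"ha restart-time (?P<units>\d+)$", {"units": (1, 100)}),
    (r"ha time-interval (?P<units>\d+)$", {"units": (1, 255)}),
    (r"ha timeout-retry-count (?P<num>\d+)$", {"num": (2, 255)}),
]


def _ha_lines(config_text):
    """Yield whitespace-normalized `ha ...` statements without the CLI prompt."""
    for raw in config_text.splitlines():
        line = re.sub(r"^\S*\(config\)#", "", raw.strip())
        line = " ".join(line.split())
        if line.startswith("ha "):
            yield line


def _ports(spec):
    """Expand `N` or `N to M` (the forms shown on this page) into a port set."""
    m = re.fullmatch(r"(\d+)(?: to (\d+))?", spec)
    if not m:
        return set()
    first, last = int(m.group(1)), int(m.group(2) or m.group(1))
    return set(range(first, last + 1))


def lint_ha_config(config_text):
    """Return a list of findings; an empty list means no rule was violated."""
    findings = []
    heartbeat_ports, restart_ports, groups = set(), set(), set()
    ha_enabled = inline = route_check = preemption = False
    preferred = None
    for line in _ha_lines(config_text):
        for pattern, limits in RANGE_RULES:
            m = re.match(pattern, line)
            for name, (low, high) in (limits.items() if m else ()):
                if not low <= int(m.group(name)) <= high:
                    findings.append(f"range: '{line}': {name} must be {low}-{high}")
        if re.match(r"ha id [12]\b", line):
            ha_enabled = True
        elif m := re.match(r"ha group (\d+) ", line):
            groups.add(int(m.group(1)))
        elif m := re.match(r"ha interface ethernet (\d+)(.*)$", line):
            if "no-heartbeat" not in m.group(2):
                heartbeat_ports.add(int(m.group(1)))
        elif m := re.match(r"ha restart-port-list ethernet (.+)$", line):
            restart_ports |= _ports(m.group(1))
        elif m := re.match(r"ha (?:l3-)?inline-mode(?: preferred-port (\d+))?$", line):
            inline = True
            preferred = int(m.group(1)) if m.group(1) else preferred
        elif line.startswith("ha check route "):
            route_check = True
        elif line == "ha preemption-enable":
            preemption = True
    if ha_enabled and not heartbeat_ports:
        findings.append("dependency: no HA interface has heartbeat messages enabled")
    if restart_ports and not heartbeat_ports - restart_ports:
        findings.append("dependency: restart-port-list toggles every heartbeat-enabled HA interface")
    if inline and len(groups) > 1:
        findings.append("dependency: inline mode is designed for one HA group")
    if preferred is not None and preferred not in heartbeat_ports:
        findings.append(f"dependency: preferred-port {preferred} is not a heartbeat-enabled HA interface")
    if route_check and not preemption:
        findings.append("dependency: ha check route cannot cause failover without ha preemption-enable")
    return findings


# Constructed sample configurations (not taken from a device).
GOOD_CONFIG = """\
AX(config)#ha id 1
AX(config)#ha group 1 priority 100
AX(config)#ha interface ethernet 2 router-interface no-heartbeat
AX(config)#ha interface ethernet 5
AX(config)#ha inline-mode preferred-port 5
AX(config)#ha restart-port-list ethernet 2
AX(config)#ha check route 0.0.0.0 /0 priority-cost 255
AX(config)#ha preemption-enable
"""
BAD_CONFIG = """\
ha id 1 set-id 9
ha group 1 priority 300
ha group 2 priority 100
ha inline-mode preferred-port 5
ha interface ethernet 1 router-interface no-heartbeat
ha interface ethernet 2 server-interface
ha restart-port-list ethernet 1 to 2
ha check route 0.0.0.0 /0 priority-cost 255
"""
```

Running lint_ha_config(BAD_CONFIG) reports two range violations and four broken dependencies, while GOOD_CONFIG passes with no findings.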


AX Debug Commands
The AX debug subsystem enables you to trace packets on the AX device. To
access the AX debug subsystem, enter the following command at the Privileged EXEC level of the CLI:
axdebug
The CLI prompt changes as follows:
AX(axdebug)#
This chapter describes the debug-related commands in the AX debug subsystem.
To perform AX debugging using this subsystem:
1. Use the filter command to configure packet filters to match on the types
of packets to capture.
2. (Optional) Use the count command to change the maximum number of
packets to capture.
3. (Optional) Use the timeout command to change the maximum number
of minutes during which to capture packets.
4. (Optional) Use the incoming or outgoing command to limit the interfaces on which to capture traffic.
5. Use the capture command to start capturing packets. The AX device
begins capturing packets that match the filter, and saves the packets to a
file or displays them, depending on the capture options you specify.
6. To display capture files, use the show axdebug file command. (See
show axdebug file on page 541.)
7. To export capture files, use the export axdebug command at the Privileged EXEC or global configuration level of the CLI. (See export on
page 58.)
The AXdebug utility creates a separate debug file in packet capture (PCAP)
format for each CPU thread. The PCAP format can be read by third-party
diagnostic applications such as Wireshark, Ethereal (the older name for
Wireshark) and tcpdump. To simplify export of the PCAP files, the AX
device compresses them into a single zip file in tar format. To use the PCAP
files, you must untar them first.

capture
Description

Start capturing packets.

Syntax

[no] capture parameter

Parameter            Description

brief [save ...]     Captures basic information about packets. (For
                     save options, see save filename below.)

detail [save ...]    Captures packet content in addition to basic
                     information. (For save options, see save filename
                     below.)

non-display [save ...]
                     Does not display the captured packets on the
                     terminal screen. Use the save options to configure
                     a file in which to save the captured packets.

save filename [max-packets] [incoming [portnum ...]] [outgoing [portnum ...]]
                     Saves captured packets in a file.

                     filename - Specifies the name of the packet capture
                     file.

                     max-packets - Specifies the maximum number of
                     packets to capture in the file, 0-65535. To save an
                     unlimited number of packets in the file, specify 0.

                     incoming [portnum ...] - Captures inbound packets.
                     You can specify one or more physical Ethernet
                     interface numbers. Separate the interface numbers
                     with spaces. If you do not specify interface
                     numbers, inbound traffic on all physical Ethernet
                     interfaces is captured.

                     outgoing [portnum ...] - Captures outbound packets
                     on the specified physical Ethernet interfaces or on
                     all physical Ethernet interfaces. If you do not
                     specify interface numbers, outbound traffic on all
                     physical Ethernet interfaces is captured.

Default

By default, packets in both directions on all Ethernet data interfaces are
captured.

Note:

The traffic also must match the AX debug filters.

Mode

AX debug

Usage

To minimize the impact of packet capture on system performance, A10 Networks recommends that you configure an AX debug filter before beginning
the packet capture.
To display a list of AX debug capture files or to display the contents of a
capture file, see show axdebug file on page 541.

Example

The following command captures brief packet information for display on
the terminal screen. The output is not saved to a file.

AX(axdebug)#capture brief
Wait for debug output, enter <ctrl c> to exit
(0,1738448) i( 1, 0, cca8)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 SA 78f07ab8:dbffc02d(0)
(0,1738448) o( 3, 0, cca8)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 SA 78f07ab8:dbffc02d(0)
(0,1738448) i( 1, 0, cca9)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 A 78f07ab9:dbffc0c2(0)
(0,1738448) o( 3, 0, cca9)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 A 78f07ab9:dbffc0c2(0)
(1,1738450) i( 1, 0, ccaa)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 PA 78f07ab9:dbffc0c2(191)
(1,1738450) o( 3, 0, ccaa)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 PA 78f07ab9:dbffc0c2(191)
(1,1738450) i( 1, 0, ccab)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 FA 78f07b78:dbffc0c3(0)
(1,1738450) o( 3, 0, ccab)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 FA 78f07b78:dbffc0c3(0)
...

These lines of debug output show the following:

0 - CPU ID. Indicates the CPU that processed the packet. CPU 0 is the
control CPU.

1738448 - Time delay between packets. This is a jiffies value that
increments in 4-millisecond (4-ms) intervals.

i - Traffic direction: i (input) or o (output).

(1, 0, cca8) - Ethernet interface, VLAN tag, and packet buffer index. If
the VLAN tag is 0, then the port is untagged. In this example, the first
packet is received on Ethernet port 1, and the VLAN is not yet known.
The packet is assigned to buffer index cca8.

Note:

Generally, the VLAN tag for ingress packets is 0. It is normal for the
ingress VLAN tag to be 0 even when the egress VLAN tag is not 0.
The source and destination IP addresses are listed next, followed by the
source and destination protocol port numbers.
The TCP flag is shown next:
S - Syn
SA - Syn Ack
A - Ack
F - Fin
PA - Push Ack

The TCP sequence number and ACK sequence number are then shown.
Finally, the packet payload length is shown in parentheses. The header
size is excluded.
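The field layout described above can be parsed mechanically when reviewing a brief capture offline. The following Python is an added example, not A10 code: it parses capture brief lines, converts jiffies deltas to milliseconds, and lists ingress packets that have no matching egress line. The function names and the last sample line (buffer index ccac) are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

JIFFY_MS = 4  # per the page: the timestamp is a jiffies value, 4 ms per tick

# First nine lines are the page's example output; the ccac line is constructed.
SAMPLE = """\
Wait for debug output, enter <ctrl c> to exit
(0,1738448) i( 1, 0, cca8)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 SA 78f07ab8:dbffc02d(0)
(0,1738448) o( 3, 0, cca8)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 SA 78f07ab8:dbffc02d(0)
(0,1738448) i( 1, 0, cca9)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 A 78f07ab9:dbffc0c2(0)
(0,1738448) o( 3, 0, cca9)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 A 78f07ab9:dbffc0c2(0)
(1,1738450) i( 1, 0, ccaa)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 PA 78f07ab9:dbffc0c2(191)
(1,1738450) o( 3, 0, ccaa)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 PA 78f07ab9:dbffc0c2(191)
(1,1738450) i( 1, 0, ccab)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 FA 78f07b78:dbffc0c3(0)
(1,1738450) o( 3, 0, ccab)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13632 FA 78f07b78:dbffc0c3(0)
(1,1738451) i( 1, 0, ccac)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13633 SA 78f08000:dbffd000(0)
"""

# (cpu,jiffies) dir(port, vlan, buf)> ip src > dst proto sport > dport FLAGS seq:ack(len)
LINE_RE = re.compile(
    r"\((?P<cpu>\d+),(?P<jiffies>\d+)\)\s+"
    r"(?P<dir>[io])\(\s*(?P<port>\d+),\s*(?P<vlan>\d+),\s*(?P<buf>[0-9a-f]+)\)>\s+"
    r"ip\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\w+)\s+(?P<sport>\d+)\s+>\s+(?P<dport>\d+)\s+"
    r"(?P<flags>[A-Z]+)\s+(?P<seq>[0-9a-f]+):(?P<ack>[0-9a-f]+)\((?P<plen>\d+)\)"
)


@dataclass(frozen=True)
class BriefRecord:
    cpu: int           # CPU that processed the packet (0 is the control CPU)
    jiffies: int       # timestamp in 4-ms ticks
    direction: str     # "i" (input) or "o" (output)
    port: int          # Ethernet interface number
    vlan: int          # VLAN tag; 0 means untagged / not yet known
    buf: str           # packet buffer index (hex string)
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flags: str         # S, SA, A, F, PA, ... as printed
    seq: int
    ack: int
    payload_len: int   # payload bytes, header excluded


def parse_line(line: str) -> Optional[BriefRecord]:
    """Parse one capture brief line; return None for banners and '...'."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return BriefRecord(
        cpu=int(g["cpu"]), jiffies=int(g["jiffies"]), direction=g["dir"],
        port=int(g["port"]), vlan=int(g["vlan"]), buf=g["buf"],
        src=g["src"], dst=g["dst"], proto=g["proto"],
        sport=int(g["sport"]), dport=int(g["dport"]), flags=g["flags"],
        seq=int(g["seq"], 16), ack=int(g["ack"], 16),
        payload_len=int(g["plen"]),
    )


def parse_capture(text: str) -> List[BriefRecord]:
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def elapsed_ms(first: BriefRecord, later: BriefRecord) -> int:
    """Time between two records, from the jiffies delta."""
    return (later.jiffies - first.jiffies) * JIFFY_MS


def ingress_without_egress(records: List[BriefRecord]) -> List[str]:
    """Buffer indexes seen on input but never on output.

    Assumes buffer indexes are not reused within the capture window,
    which holds for short captures like the sample only.
    """
    egress = {r.buf for r in records if r.direction == "o"}
    return [r.buf for r in records if r.direction == "i" and r.buf not in egress]


if __name__ == "__main__":
    recs = parse_capture(SAMPLE)
    print(len(recs), "records;", elapsed_ms(recs[0], recs[-1]), "ms span")
    print("ingress only:", ingress_without_egress(recs))
```

An ingress-only buffer index is a starting point for investigation (filter scope, drop, or a capture cut short), not proof that the packet was dropped.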
Example

The following command captures packet information and packet contents
for display on the terminal screen. The output is not saved to a file.

AX(axdebug)#capture detail
Wait for debug output, enter <ctrl c> to exit
i( 1, 0, ccae)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 SA 7ab6ae46:ddb87996(0)
Dump buffer(0xa6657048), len(80 bytes)...
0xa6657048: 00900b0b 3e83001d 09f0dec2 08004500 : ....>.........E.
0xa6657058: 003c0000 40004006 e8580a0a 0b1e1e1e : .<..@.@..X......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...
0xa6657078: 16a02ea5 00000204 05b40402 080a5194 : ..............Q.
0xa6657088: 6c551f3c 1d3f0103 03072d59 f97f0000 : lU.<.?....-Y....
0xa6657098: 00000000 00000000 00000000 00000000 : ................
o( 3, 0, ccae)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 SA 7ab6ae46:ddb87996(0)
Dump buffer(0xa6657048), len(80 bytes)...
0xa6657048: 001d09f0 e01e0090 0b0b3e83 08004500 : ..........>...E.
0xa6657058: 003c0000 40003f06 e9580a0a 0b1e1e1e : .<..@.?..X......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...
0xa6657078: 16a02ea5 00000204 05b40402 080a5194 : ..............Q.
0xa6657088: 6c551f3c 1d3f0103 03072d59 f97f0000 : lU.<.?....-Y....
0xa6657098: 00000000 00000000 00000000 00000000 : ................
i( 1, 0, ccaf)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 A 7ab6ae47:ddb87a2b(0)
Dump buffer(0xa6657848), len(80 bytes)...
0xa6657848: 00900b0b 3e83001d 09f0dec2 08004500 : ....>.........E.
0xa6657858: 0034c211 40004006 264f0a0a 0b1e1e1e : .4..@.@.&O......
0xa6657868: 1f1e0050 35467ab6 ae47ddb8 7a2b8010 : ...P5Fz..G..z+..
0xa6657878: 00367344 00000101 080a5194 6c561f3c : .6sD......Q.lV.<
0xa6657888: 1d4041de e3380000 00000000 00000000 : .@A..8..........
0xa6657898: 00000000 00000000 00000000 00000000 : ................
...
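The hex dumps in the capture detail output are raw Ethernet frames, so they can be decoded and compared offline. The following Python is an added example, not part of the A10 documentation: it decodes the first ingress and egress dumps shown above and reports which header fields differ between them. Function names are illustrative, and only the first four rows of each dump are embedded because they cover the Ethernet, IPv4 and TCP headers.

```python
import struct

# First four rows of the first "i( 1, 0, ccae)" dump from the page.
INGRESS_DUMP = """\
0xa6657048: 00900b0b 3e83001d 09f0dec2 08004500 : ....>.........E.
0xa6657058: 003c0000 40004006 e8580a0a 0b1e1e1e : .<..@.@..X......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...
0xa6657078: 16a02ea5 00000204 05b40402 080a5194 : ..............Q.
"""

# First four rows of the matching "o( 3, 0, ccae)" dump from the page.
EGRESS_DUMP = """\
0xa6657048: 001d09f0 e01e0090 0b0b3e83 08004500 : ..........>...E.
0xa6657058: 003c0000 40003f06 e9580a0a 0b1e1e1e : .<..@.?..X......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...
0xa6657078: 16a02ea5 00000204 05b40402 080a5194 : ..............Q.
"""

TCP_FLAG_LETTERS = ((0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P"), (0x10, "A"))


def dump_to_bytes(dump: str) -> bytes:
    """Turn 'addr: hexwords : ascii' rows into the raw frame bytes."""
    raw = bytearray()
    for line in dump.splitlines():
        parts = line.split(":", 2)  # address, hex words, ASCII column
        if len(parts) < 2 or not parts[0].strip().startswith("0x"):
            continue
        raw += bytes.fromhex(parts[1].replace(" ", ""))
    return bytes(raw)


def mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def ip_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the IPv4 header must fold to 0xFFFF."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_frame(raw: bytes) -> dict:
    """Decode Ethernet II + IPv4 + TCP headers from a captured frame."""
    ethertype = struct.unpack("!H", raw[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an untagged IPv4 frame: 0x%04x" % ethertype)
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:
        raise ValueError("not TCP: protocol %d" % ip[9])
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
    flags = "".join(letter for bit, letter in TCP_FLAG_LETTERS if off_flags & bit)
    return {
        "dst_mac": mac(raw[0:6]),
        "src_mac": mac(raw[6:12]),
        "ttl": ip[8],
        "ip_checksum": struct.unpack("!H", ip[10:12])[0],
        "checksum_ok": ip_checksum_ok(ip[:ihl]),
        "src": ".".join(map(str, ip[12:16])),
        "dst": ".".join(map(str, ip[16:20])),
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "flags": flags,
    }


def changed_fields(before: dict, after: dict) -> list:
    """Names of decoded fields that differ between two frames."""
    return sorted(k for k in before if before[k] != after[k])


if __name__ == "__main__":
    ingress = decode_frame(dump_to_bytes(INGRESS_DUMP))
    egress = decode_frame(dump_to_bytes(EGRESS_DUMP))
    print(ingress)
    print("changed on egress:", changed_fields(ingress, egress))
```

For this packet only the MAC addresses, the TTL and the IP header checksum change between the ingress and egress copies; the addresses, ports, flags and sequence numbers match the summary line printed above each dump.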

Example

The following command saves captured packet information in file
file123. The captured traffic is not displayed on the terminal screen.

AX(axdebug)#capture save file123

count
Description

Specify the maximum number of packets to capture.

Syntax

[no] count num


Parameter            Description

num                  Maximum number of packets to capture, 0-65535. To
                     capture an unlimited number of packets, specify 0.

Default

3000

Mode

AX debug

Example

The following command sets the maximum number of packets to capture to
2048:

AX(axdebug)#count 2048

delete
Description

Delete an axdebug capture file.

Syntax

delete filename

Default

N/A

Mode

AX debug

Example

The following command deletes capture file file123:

AX(axdebug)#delete file123


filter
Description

Configure an AX debug filter, to specify the types of packets to capture.

Syntax

[no] filter filter-id

Parameter            Description

filter-id            ID of the filter, 1-255.

This command changes the CLI to the configuration level for the specified
AX debug filter, where the following AX debug filter-related commands are
available:

Command              Description

dst {ip ipaddr | mac macaddr | port portnum}
                     Matches on the specified destination IP address,
                     MAC address, or protocol port number.

l3-protocol {arp | ip | ipv6}
                     Matches on the specified Layer 3 protocol.

ip ipaddr {subnet-mask | /mask-length}
                     Matches on the specified IPv4 address.

mac macaddr          Matches on the specified MAC address.

offset position length bytes operator value
                     Matches on the specified length of bytes and
                     value of those bytes within the packet.

                     position - Starting position within the packet,
                     1-65535 bytes.

                     bytes - Number of consecutive bytes to filter
                     on, from 1-65535, beginning at the offset position.

                     operator - One of the following:
                       > (greater than)
                       >= (greater than or equal to)
                       <= (smaller than or equal to)
                       < (smaller than)
                       = (equal to)
                       range min-value max-value (select a range)

                     value - String to filter on.

port minportnum maxportnum
                     Matches on the specified range of protocol port
                     numbers.

proto {tcp | udp | portnum}
                     Matches on the specified Layer 4 transport
                     protocol or protocol port number.

src {ip ipaddr | mac macaddr | port port-num}
                     Matches on the specified source IP address,
                     MAC address, or protocol port number.

Default

No filters are configured by default. When you create one, all packets match
the filter by default.

Mode

AX debug

Usage

If a packet capture is running and you change the filter, there will be a 5-second delay while the AX device clears the older filter. The delay does not
occur if a packet capture is not already running.
The packet filter for the debug command is internally numbered filter 0. In
AXdebug, you can create multiple filters, which are uniquely identified by
filter ID. If you create filter 0 in AXdebug, this filter will overwrite the
debug packet filter. Likewise, if you configure filter 0 in AXdebug, then
configure the debug packet filter, the debug packet filter will overwrite
AXdebug filter 0.

Example

The following commands configure an AX debug filter to match on source
IP address 10.10.10.30, destination protocol port number 80, and source
MAC address aabb.ccdd.eeff. The show axdebug filter command displays
the filter.

AX(axdebug)#filter 1
AX(axdebug-filter:1)#src ip 10.10.10.30
AX(axdebug-filter:1)#dst port 80
AX(axdebug-filter:1)#src mac aabb.ccdd.eeff
AX(axdebug-filter:1)#exit
AX(axdebug)#show axdebug filter
axdebug filter 1
src ip 10.10.10.30
dst port 80
src mac aabb.ccdd.eeff

incoming | outgoing
Description

Specify the Ethernet interfaces and traffic direction for which to capture
packets.

Syntax

[no] incoming [portnum ...] [outgoing [portnum ...]]
outgoing [portnum ...]

Default

Incoming and outgoing traffic on all Ethernet data ports is captured.


Note:

The traffic also must match the AX debug filters.

Mode

AX debug

Example

The following command limits the packet capture to inbound packets on
Ethernet interface 3 and outbound packets on Ethernet interface 4:

AX(axdebug)#incoming 3 outgoing 4

Example

The following command limits the packet capture to outbound packets on
Ethernet interface 7. Inbound packets on all Ethernet interfaces are
captured, unless specified otherwise in AX debug filters.

AX(axdebug)#outgoing 7


length
Description

Specify the maximum length of packets to capture. Packets that are longer
are not captured.

Syntax

[no] length bytes


Parameter            Description

bytes                Maximum packet length, 64-1518 bytes.

Default

96

Mode

AX debug

Example

The following command changes the maximum packet length to capture to
128:

AX(axdebug)#length 128

maxfile
Description

Specify the maximum number of axdebug packet capture files to keep.

Syntax

[no] maxfile num


Parameter            Description

num                  Maximum number of files to keep, 1-65535.

Default

100

Mode

AX debug

Usage

Once the maximum is reached, the oldest axdebug files are purged to make
room for the newest ones.

Example

The following command changes the maximum number of AX debug capture files to keep to 125:

AX(axdebug)#maxfile 125

outgoing
Description

See incoming | outgoing on page 532.

timeout
Description

Specify the maximum number of minutes to capture packets.

Syntax

[no] timeout minutes


Parameter            Description

minutes              Maximum number of minutes to capture packets,
                     0-65535.

Default

Mode

AX debug

Example

The following command changes the capture timeout to 10 minutes:

AX(axdebug)#timeout 10


Show Commands
The show commands display configuration and system information.
In addition to the command options provided with some show commands,
you can use output modifiers to search and filter the output. See Searching
and Filtering CLI Output on page 34.
To automatically re-enter a show command at regular intervals, see repeat
on page 64.
Note:

The show slb commands are described in a separate chapter. See SLB
Show Commands on page 659.

show access-list
Description

Display the configured Access Control Lists (ACLs). The output lists the
configuration commands for the ACLs in the running-config.

Syntax

show access-list [ipv4 | ipv6] [acl-id]

Parameter            Description

ipv4 | ipv6          IP address type.

acl-id               ACL name or number.

Mode

Privileged EXEC and all Config levels

Example

The following command displays the configuration commands for ACL 1:

AX#show access-list ipv4 1


access-list 1 permit 198.162.11.0 0.0.0.255 Hits: 3
access-list 1 deny 198.162.12.0 0.0.0.255 Hits: 1

Note:

The ACL Hits counter is not applicable to ACLs applied to the management
port.

show active-partition
Description

Show the active partition, which is the system partition the CLI session is
currently managing.
Partitions are used by Role-Based Administration (RBA).

Syntax

show active-partition

Mode

Privileged EXEC and all Config levels

Example

The following command shows that the partition currently being managed
by the CLI session is the shared partition:

AX#show active-partition
Currently active partition: shared

show admin
Description

Display the administrator accounts.

Syntax

show admin [admin-name] [detail | session]

Parameter            Description

admin-name           Administrator name.

detail               Shows detailed information about the admin
                     account.

session              Shows the current management sessions.

Mode

Privileged EXEC and all Config levels

Example

The following command lists the admins configured on an AX device:

AX(config)#show admin
UserName        Status     Privilege    Partition
-------------------------------------------------------
admin           Enabled    Root
admin2          Enabled    Read/Write
compAadmin      Enabled    P.R/W        companyA
compBadmin      Enabled    P.R/W        companyB

Table 5 describes the fields in the command output.

TABLE 5 show admin fields

Field        Description

UserName     Name of the AX admin.

Status       Administrative status of the account.

Privilege    Access privilege level for the account:

             Root - Allows access to all levels of the system. This
             account is the admin account called admin and cannot
             be deleted. This is the only privilege level that can
             configure other admin accounts.

             Read/Write - Allows access to all levels of the system.
             This account is not the admin account and can be
             deleted.

             Read only - Allows monitoring access to the system but
             not configuration access. In the CLI, this account can
             only access the User EXEC and Privileged EXEC levels, not
             the configuration levels. In the GUI, this account cannot
             modify configuration information.

             P.R/W - The admin has read-write privileges within the
             private partition to which the admin has been assigned.
             The admin has read-only privileges for the shared
             partition.

             P.R - The admin has read-only privileges within the
             private partition to which the admin has been assigned,
             and read-only privileges for the shared partition.

             P.RS Op - The admin is assigned to a private partition but
             has permission only to view service port statistics for
             real servers in the partition, and to disable or re-enable
             the real servers or their service ports.

             Note: The P (partition) privilege levels apply to
             Role-Based Administration (RBA). See the Role-Based
             Administration chapter of the AX Series Configuration
             Guide.

Partition    Private partition to which the admin is assigned.

             Note: A partition name appears only for admins with P.R/W,
             P.R, or P.RS Op privileges. For other privilege levels,
             this field is blank.

Example

The following command lists details for the admin account:

AX#show admin admin detail
User Name             ...... admin
Status                ...... Enabled
Privilege             ...... Root
Partition             ......
Trusted Host(Netmask) ...... Any
Lock Status           ...... No
Lock Time             ......
Unlock Time           ......
Password Type         ...... Encrypted
Password              ...... $1$6334ba07$CKbWL/LuSNdY12kcE.KdS0

Table 6 describes the fields in the command output.

TABLE 6 show admin detail fields

Field          Description

User Name      Name of the AX admin.

Status         Administrative status of the account.

Privilege      Access privilege level for the account:

               Root - Allows access to all levels of the system. This
               account is the admin account called admin and cannot
               be deleted.

               Read/Write - Allows access to all levels of the system.
               This account is not the admin account and can be
               deleted.

               Read only - Allows monitoring access to the system but
               not configuration access. In the CLI, this account can
               only access the User EXEC and Privileged EXEC levels,
               not the configuration levels. In the GUI, this account
               cannot modify configuration information.

               Partition-write - The admin has read-write privileges
               within the private partition to which the admin has been
               assigned. The admin has read-only privileges for the
               shared partition.

               Partition-read - The admin has read-only privileges
               within the private partition to which the admin has been
               assigned, and read-only privileges for the shared
               partition.

               Partition-enable-disable - The admin is assigned to a
               private partition but has permission only to view
               service port statistics for real servers in the
               partition, and to disable or re-enable the real servers
               and their service ports.

Partition      Private partition to which the admin is assigned.

               Note: A partition name appears only for admins with
               Partition-write, Partition-read, or
               Partition-enable-disable privileges. For other privilege
               levels, this field is blank.

Trusted Host(Netmask)
               IP host or subnet address from which the admin must log
               in.

Lock Status    Indicates whether the admin account is currently locked.

Lock Time      If the account is locked, indicates how long the account
               has been locked.

Unlock Time    If the account is locked, indicates how long the account
               will continue to be locked.

Password Type  Indicates whether the password is encrypted when
               displayed in the CLI or GUI and in the startup-config
               and running-config.

Password       The admin's password.

Example

The following command lists all the currently active admin sessions:

AX#show admin session
Id   User Name   Start Time                     Source IP       Type  Partition  Cfg
---------------------------------------------------------------------------
1    admin       14:48:17 PST Wed Jan 16 2008   192.168.1.152   CLI   shared     Yes
*2   admin       15:34:15 PST Wed Jan 16 2008   192.168.1.144   CLI   shared     No
3    admin       15:32:33 PST Wed Jan 16 2008   192.168.1.144   WEB   shared     No

Table 7 describes the fields in the command output.

TABLE 7 show admin session fields

Field        Description

Id           Admin session ID assigned by the AX device. The ID applies
             only to the current session.

User Name    Admin name.

Start Time   System time when the admin logged onto the AX device to
             start the current management session.

Source IP    IP address from which the admin logged on.

Type         Management interface through which the admin logged on.

Partition    Role-Based Administration (RBA) partition that is currently
             active for the management session.

Cfg          Indicates whether the admin is at the configuration level.

show aflex
Description

Display the configured aFleX policies.

Syntax

show aflex [aflex-name] [all-partitions | partition name]

Mode

Privileged EXEC and all Config levels

Usage

To display the aFleX policies for a specific Role-Based Administration
(RBA) partition only, use the partition name option.

Example

The following command shows the aFleX policies on an AX Series device:

AX#show aflex
Total aFleX number: 6
Name                     Syntax   Virtual port
------------------------------------------------------------
aFleX_Remote             No       No
aFleX_check_agent        No       No
aFleX_relay_client       Check    No
bugzilla_proxy_fix       Check    Bind
http_to_https            Check    No
louis                    No       No

Table 8 describes the fields in the command output.

TABLE 8 show aflex fields

Field          Description

Total aFleX number
               Total number of aFleX policies on the AX Series.

Name           Name of the aFleX policy.

Syntax         Indicates whether the aFleX policy has passed the syntax
               check performed by the AX device:

               Check - The aFleX policy passed the syntax check.

               No - The aFleX policy did not pass the syntax check.

Virtual port   Indicates whether the aFleX policy is bound to a virtual
               port.

show arp
Description

Display ARP table entries.

Syntax

show arp [all | ipaddr]

Mode

Privileged EXEC and all Config levels

Example

The following command lists the ARP entry for host 192.168.1.144:

AX#show arp 192.168.1.144
Total arp entries: 1
Age time: 300 secs
IP Address       MAC Address      Type      Age   Interface    Vlan
---------------------------------------------------------------------------
192.168.1.144    0011.2F7C.1A75   Dynamic   293   Management   1

Table 9 describes the fields in the command output.

TABLE 9 show arp fields

Field              Description

Total arp entries  Total number of entries in the ARP table. This total
                   includes static and learned (dynamic) entries.

Age time           Number of seconds a dynamic ARP entry can remain in
                   the table before being removed.

IP Address         IP address of the device.

MAC Address        MAC address of the device.

Type               Indicates whether the entry is static or dynamic.

Age                For dynamic entries, the number of seconds since the
                   entry was last used.

Interface          AX interface through which the device that has the
                   displayed MAC address and IP address can be reached.

Vlan               VLAN through which the device that has the MAC
                   address can be reached.

show audit
Description

Show the command audit log.

Syntax

show audit [all-partitions | partition name]

Mode

Privileged EXEC and all Config levels

Usage

The audit log is maintained in a separate file, apart from the system log. The
audit log is RBA-aware. The audit log messages that are displayed for an
admin depend upon the admin's role (privilege level). Admins with Root,
Read Write, or Read Only privileges who view the audit log can view all the
messages, for all system partitions. To display the messages for a specific
Role-Based Administration (RBA) partition only, use the partition name
option.
Admins who have privileges only within a specific partition can view only
the audit log messages related to management of that partition. Partition
Real Server Operator admins cannot view any audit log entries.

show axdebug file


Description

Display AX debug capture files or their contents.

Syntax

show axdebug file [filename]

Mode

Privileged EXEC and all Config levels

Example

The following command displays the list of AX debug capture files on the
device:

AX(axdebug)#show axdebug file
------------------------------------+--------------+----------------------------
Filename                            |   Size(Byte) | Date
------------------------------------+--------------+----------------------------
file1                               |        58801 | Tue Sep 23 22:49:07 2008
file123                             |          192 | Fri Sep 26 17:06:51 2008
------------------------------------+--------------+----------------------------
Total: 2
Maximum file number is: 100

Example

The following command displays the packet capture data in file file123:

AX(axdebug)#show axdebug file file123


Parse file for cpu #1:

Parse file for cpu #2:


15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: S 2111796945:2111796945(0) ack
3775149588 win 5792 <mss 1460,sackOK,timestamp 1368738447 524090233,nop,wscale 7>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: S 2111796945:2111796945(0) ack
3775149588 win 5792 <mss 1460,sackOK,timestamp 1368738447 524090233,nop,wscale 7>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: . ack 150 win 54
<nop,nop,timestamp 1368738447 524090233>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: . ack 150 win 54
<nop,nop,timestamp 1368738447 524090233>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: P 1:192(191) ack 150 win 54
<nop,nop,timestamp 1368738447 524090233>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: P 1:192(191) ack 150 win 54
<nop,nop,timestamp 1368738447 524090233>
15:16:05.788530 IP 10.10.11.30.http > 30.30.31.30.13649: F 192:192(0) ack 151 win 54
<nop,nop,timestamp 1368738448 524090234>

show bootimage
Description

Display the software images stored on the AX Series device.

Syntax

show bootimage

Mode

Privileged EXEC and all Config levels

Example

The following command shows the software images on an AX Series
device:

AX#show bootimage
                          (* = Default)
                          Version
-----------------------------------------------
Hard disk primary         1.2.0.153 (*)
Hard disk secondary       1.2.1.24
Compact flash primary     1.1.1.68 (*)
Compact flash secondary   1.1.1.51

The asterisk ( * ) indicates the default image for each boot device (hard disk
and compact flash). The default image is the one that the AX Series device
will try to use first, if trying to boot from that boot device. (The order in
which the AX tries to use the image areas is controlled by the bootimage
command. See bootimage on page 89.)

show bpdu-fwd-group
Description

Display the configured BPDU forwarding groups.

Syntax

show bpdu-fwd-group [number]


Option               Description

number               Displays the configuration of the specified
                     BPDU forwarding group. If you omit this option,
                     all configured BPDU forwarding groups are
                     shown.

Mode

Privileged EXEC and all Config levels

Example

The following command shows all configured BPDU forwarding groups:

AX#show bpdu-fwd-group
BPDU forward Group 1 members: ethernet 1 to 3
BPDU forward Group 2 members: ethernet 9 to 12

show bridge-vlan-group
Description

Display information for a bridge VLAN group.

Syntax

show bridge-vlan-group [group-id]

Mode

Privileged EXEC and all Config levels

show bw-list
Description

Show black/white list information.

Syntax

show bw-list [name [detail | ipaddr]]


Parameter            Description

name                 Name of a black/white list.

detail               Displays the IP addresses contained in a
                     black/white list.

ipaddr               IP address within the black/white list.

Default

N/A

Mode

Config

Example

The following command shows all the black/white lists on an AX Series
device:

AX#show bw-list
Name   Url                            Size(Byte)   Date
----------------------------------------------------------------------------
bw1    tftp://192.168.1.143/bwl.txt   106          Jan/22 12:48:01
bw2    tftp://192.168.1.143/bw2.txt   211          Jan/23 10:02:44
bw3    tftp://192.168.1.143/bw3.txt   192          Feb/11 08:02:01
bw4    Local                          82           Dec/12 21:01:05
Total: 4

Example

The following command shows the IP addresses in black/white list test:

AX#show bw-list test detail
Name:           test
URL:            tftp://192.168.20.143/bwl_test.txt
Size:           226 bytes
Date:           May/11 12:04:00
Update period:  120 seconds
Update times:
Content
------------------------------------------------------------------------------
1.1.1.0 #13
1.1.1.1 #13
1.1.1.2 #13
1.1.1.3 #13
1.1.1.4 #13
9.9.99.9 9
1.2.3.4/32 31
4.3.2.1/24 4
10.1.2.1/32 1
10.1.2.2/32 2
10.1.2.3/32 3
10.1.2.4/32 4
10.3.2.1/32 3
10.3.2.2/32 4
10.5.2.1/32 5
10.5.2.2/32 6
128.0.0.0/1 11

show class-list
Description

Display information for IP class lists.

Syntax

show class-list [name [ipaddr]]


Parameter            Description

name [ipaddr]        Specifies the class list name or an IP address in
                     the class list. If you omit both options, the list
                     of configured class lists is displayed instead.

Mode

Privileged EXEC and all Config levels

Example

The following command displays the class-list files on the AX device:

AX#show class-list
Name

IP

Subnet

Location

test

file

user-limit

14

config

Total: 2

Table 7 describes the fields in the command output.


TABLE 10 show class-list fields

Field        Description

Name         Name of the class list.

IP           Number of host IP addresses in the class list.

Subnet       Number of subnets in the class list.

Location     Indicates whether the class list is in the startup-config
             or in a standalone file:

             config - Class list is located in the startup-config.

             file - Class list is located in a standalone file.

Total        Total number of class lists on the AX device.

The following command shows details for a class list:


AX#show class-list test
Name:

test

Total single IP:

Total IP subnet:

Content:
1.1.1.1 /32 glid 1
2.2.2.2 /32 glid 2
10.1.2.1 /32 lid 1
10.1.2.2 /32 lid 2
20.1.1.0 /24 lid 1
20.1.2.0 /24 lid 2
0.0.0.0 /0 lid 31

The following commands show the closest matching entries for specific IP
addresses in class list test:
AX#show class-list test 1.1.1.1
1.1.1.1 /32 glid 1
AX#show class-list test 1.1.1.2
0.0.0.0 /0 lid 31

The class list contains an entry for 1.1.1.1, so that entry is shown. However,
since the class list does not contain an entry for 1.1.1.2 but does contain a
wildcard entry (0.0.0.0), the wildcard entry is shown.
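
The closest-match lookup shown above can be reproduced offline to see which addresses are caught only by the wildcard entry. The following Python is an added example, not A10 code; it assumes "closest match" means longest-prefix match, uses the Content lines of show class-list test as constructed input, and all function names are hypothetical.

```python
import ipaddress

# Constructed input: the Content section of "show class-list test" on this page.
CLASS_LIST_TEST = """\
1.1.1.1 /32 glid 1
2.2.2.2 /32 glid 2
10.1.2.1 /32 lid 1
10.1.2.2 /32 lid 2
20.1.1.0 /24 lid 1
20.1.2.0 /24 lid 2
0.0.0.0 /0 lid 31
"""


def parse_class_list(text):
    """Parse 'ADDR /LEN (lid|glid) N' lines into (network, kind, id) tuples."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 4 or fields[2] not in ("lid", "glid"):
            raise ValueError(f"line {lineno}: unrecognised entry {line!r}")
        addr, plen, kind, ident = fields
        # strict=True rejects entries whose host bits are set (for example
        # 20.1.1.5 /24), which usually points to a typo in the list.
        net = ipaddress.ip_network(addr + plen, strict=True)
        entries.append((net, kind, int(ident)))
    return entries


def closest_match(entries, ip):
    """Return the most specific entry containing ip, or None if nothing matches.

    Assumption: the device's "closest match" is a longest-prefix match.
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for entry in entries:
        net = entry[0]
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = entry
    return best


def format_entry(entry):
    """Render an entry in the same layout as the AX output on this page."""
    net, kind, ident = entry
    return f"{net.network_address} /{net.prefixlen} {kind} {ident}"


def wildcard_only_hits(entries, ips):
    """List the addresses that match nothing more specific than a /0 entry."""
    hits = []
    for ip in ips:
        match = closest_match(entries, ip)
        if match is not None and match[0].prefixlen == 0:
            hits.append(ip)
    return hits


if __name__ == "__main__":
    parsed = parse_class_list(CLASS_LIST_TEST)
    for client in ("1.1.1.1", "1.1.1.2", "20.1.2.77"):
        print(client, "->", format_entry(closest_match(parsed, client)))
```

Running wildcard_only_hits over a sample of real client addresses shows how much traffic falls through to the catch-all entry (lid 31 in this list) rather than to a deliberately configured one.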

show clock
Description

Display the time, timezone, and date.

Syntax

show clock [detail]

Parameter   Description
detail      Shows the clock source, which can be one of the following:
            Time source is NTP
            Time source is user configuration

Mode

Privileged EXEC and all Config levels

Example

The following command shows clock information for an AX Series device:

AX#show clock detail


20:27:16 Europe/Dublin Sat Apr 28 2007
Time source is NTP

Example

If a dot appears in front of the time, the AX Series has been configured to
use NTP but NTP is not synchronized. The clock was in sync, but has since
lost contact with all configured NTP servers.

AX#show clock
.20:27:16 Europe/Dublin Sat Apr 28 2007

Example

If an asterisk appears in front of the time, the clock is not in sync or has
never been set.

AX#show clock
*20:27:16 Europe/Dublin Sat Apr 28 2007

show core
Description

Display core dump statistics.

Syntax

show core [process]


Parameter   Description
process     Shows core dump statistics for AX processes. Without this option,
            system core dump statistics are shown instead.

Mode

Privileged EXEC and all Config levels

Example

The following command shows system core dump statistics:

AX#show core
It has been rebooted 1 time.
It has been crashed 0 time.
The process is up 71048 sec.


show cpu
Description

Display CPU statistics.

Syntax

show cpu [interval seconds]

Parameter          Description
interval seconds   Automatically refreshes the output at the specified
                   interval. If you omit this option, the output is shown one
                   time. If you use this option, the output is repeatedly
                   refreshed at the specified interval until you press ctrl+c.

Mode

Privileged EXEC and all Config levels

Example

The following command shows CPU statistics on an AX 2000, in 10-second intervals:

AX#show cpu interval 10
Cpu Usage: (press ^C to quit)
          1Sec   5Sec   10Sec   30Sec   60Sec
--------------------------------------------------------
Time: 16:28:57 PST Wed Jan 16 2008
Control   2%     2%     2%      2%      2%
Data0     0%     0%     0%      0%      0%
Data1     0%     0%     0%      0%      0%
Time: 16:29:07 PST Wed Jan 16 2008
Control   2%     2%     2%      2%      2%
Data0     0%     0%     0%      0%      0%
Data1     0%     0%     0%      0%      0%
...
<ctrl+c>
AX#

Table 11 describes the fields in the command output.


TABLE 11 show cpu fields
Field        Description
Time         System time when the statistics were gathered.
Control      Control CPU.
Data0-7      Data CPU. The number of data CPUs depends on the AX model.
1Sec-60sec   Time intervals at which statistics are collected.


show debug
Description

Display the enabled debug options.

Syntax

show debug

Mode

Privileged EXEC and all Config levels

Example

The following commands enable IP debugging and verify that it is on:

AX#debug ip
AX#show debug
debug ip is on

show disk
Description

Display status information for the AX hard disks.

Syntax

show disk

Mode

Privileged EXEC and all Config levels

Example

The following command shows hard disk information for an AX Series device:

AX#show disk
Total(MB)  Used      Free      Usage
-----------------------------------------
154104     5895      148209    4.0%
Device     Primary Disk    Secondary Disk
----------------------------------------------
md0        Active          Active
md1        Active          Active

Table 12 describes the fields in the command output.


TABLE 12 show disk fields
Field            Description
Total(MB)        Total amount of data the hard disk can hold.
                 Note: The hard disk statistics apply to a single disk. This
                 is true even if your AX device contains two disks. In systems
                 with two disks, the second disk is a hot standby for the
                 primary disk and is not counted separately in the statistics.
Used             Number of MB used.
Free             Number of MB free.
Usage            Percentage of the disk that is in use.
Device           Virtual partition on the disk:
                 md0 - The boot partition
                 md1 - The A10 data partition
Primary Disk     Status of the left hard disk in the redundant pair:
                 Active - The disk is operating normally.
                 Inactive - The disk has failed and must be replaced. Contact
                 your A10 Networks representative.
                 Synchronizing - The disk has just been installed and is
                 synchronizing itself with the other disk.
Secondary Disk   Status of the right hard disk in the redundant pair.

show dns
Description

Show DNS statistics.

Syntax

show dns statistics

Mode

Privileged EXEC and all Config levels

Example

The following command displays DNS statistics:

AX#show dns statistics
DNS statistics for SLB:
-----------------------
No. of requests: 510
No. of responses: 508
No. of request retransmits: 0
No. of requests with no response: 2
No. of responses with no matching session: 0
No. of resource failures: 0
DNS statistics for IP NAT:
--------------------------
No. of requests: 0
No. of responses: 0
No. of request retransmits: 0
No. of requests with no response: 0
No. of responses with no matching session: 0
No. of resource failures: 0


show dns-cache-stat
Description

Display DNS caching statistics.

Syntax

show dns-cache-stat

Mode

Privileged EXEC and all Config levels

Example

The following command shows DNS caching statistics:

AX#show dns-cache-stat
Total query: 100
Total server response: 55
Total cache hit: 49
Query not passed: 0
Response not passed: 0
Query encoded: 0
Response encoded: 0
Query with multiple questions: 0
Response with multiple questions: 0
Total aged out: 0

Table 13 describes the fields in the command output.


TABLE 13 show dns-cache-stat fields
Field                 Description
Total Query           Total number of DNS queries received by the AX device.
Total Server          Total number of responses from DNS servers received by
Response              the AX device.
Total Cache Hit       Total number of times the AX device was able to use a
                      cached reply in response to a query.
Query Not Passed      Number of queries that did not pass a packet sanity
                      check.
Response Not Passed   Number of responses that did not pass a packet sanity
                      check. The AX device checks the DNS header and question
                      in the packet, but does not parse the entire packet.
Query Encoded         Number of queries that were not cached because the
                      domain name in the question was encoded in the DNS
                      query packet.
Response Encoded      Number of queries that were not cached because the
                      domain name in the question was encoded in the DNS
                      response packet.
Query With Multiple   Number of queries that were not cached because they
Questions             contained multiple questions.
Response With         Number of responses that were not cached because they
Multiple Questions    contained answers for multiple questions.
Total Aged Out        Total number of DNS cache entries that have aged out of
                      the cache.

show dumpthread
Description

Show status information about the SLB process.

Syntax

show dumpthread

Mode

Privileged EXEC and all Config levels

Example

The following command shows status information for the SLB process:

AX#show dumpthread
It has been rebooted 1 time.
It has been crashed 0 time.
The process is up 101102 sec.

show environment
Description

Display temperature, fan, and power supply status.

Syntax

show environment

Mode

Privileged EXEC and all Config levels

Example

The following command shows environment information for an AX Series device:

AX#show environment
Physical System temperature: 56C / 132F
Fan1 speed: 2576 RPM
Fan2 speed: 2576 RPM
Fan3 speed: 2576 RPM
Upper Power Unit State: On
Lower Power Unit State: On


show errors
Description

Show error information for the system. This command provides a simple
way to quickly view system status and error statistics.

Syntax

show errors
[
application [sub-options] |
critical [detail] |
detail |
informational [detail] |
system [sub-options]
]
Option                      Description
application [sub-options]   Displays error information for AX applications.
                            The following sub-options are available.
critical [detail]
detail
ha
[critical [detail]]
[detail]
[informational [detail]]
hw-compression
[critical [detail]]
[detail]
[informational [detail]]
informational [detail]
ipnat
[critical [detail]]
[detail]
[informational [detail]]
l2-l3-forward
[critical [detail]]
[detail]
[informational [detail]]

ram-cache
[critical [detail]]
[detail]
[informational [detail]]
slb
[critical [detail]]
[detail]
[health-monitor
[critical [detail]]
[detail]
[informational [detail]]
[informational [detail]]
[layer4
[critical [detail]]
[detail]
[informational [detail]]
[tcp
[critical [detail]]
[detail]
[informational [detail]]
[udp
[critical [detail]]
[detail]
[informational [detail]]
[layer7
[critical [detail]]
[detail]
[fast-http
[critical [detail]]
[detail]
[informational [detail]]
[http
[critical [detail]]
[detail]
[informational [detail]]
[informational [detail]]
[sip
[critical [detail]]
[detail]
[informational [detail]]
[smtp
[critical [detail]]
[detail]
[informational [detail]]

[ssl-slb
[critical [detail]]
[detail]
[informational [detail]]
[persist
[cookie
[critical [detail]]
[detail]
[informational [detail]]
[critical [detail]]
[dest-ip
[critical [detail]]
[detail]
[informational [detail]]
[detail]
[informational [detail]
[source-ip
[critical [detail]]
[detail]
[informational [detail]]
[ssl-sid
[critical [detail]]
[detail]
[informational [detail]]
[url-hash
[critical [detail]]
[detail]
[informational [detail]]
ssl
[critical [detail]]
[detail]
[informational [detail]]
critical [detail]        Displays information about critical errors only.
detail                   Displays detailed error information only.
informational [detail]   Displays informational output only.
system [sub-options]     Displays system-level errors. The following
                         sub-options are available.
critical [detail]
detail
hardware
[critical [detail]]
[detail]
[informational [detail]]
informational [detail]
software
[critical [detail]]
[detail]
[informational [detail]]

Mode

Privileged EXEC and all Config levels

Example

The following shows high-level error information for the system:

AX#show errors
Hardware components status
===========================
Physical System temperature: 36C / 96F
CPU Fan1 speed: 5818 RPM
CPU Fan2 speed: 5720 RPM
Upper Power Unit State: On
Lower Power Unit State: Off

Total(MB)  Used      Free      Usage
-----------------------------------------
157065     5777      151287    3.6%
Device     Primary Disk
------------------------------
md0        Active
md1        Active

System Memory Usage:
Total(KB)  Free  Shared  Buffers  Cached  Usage
---------------------------------------------------------------------------
2074308  316048  37324  256232  72.4%

Time: 21:22:12 IST Mon May 17 2010
          1Sec   5Sec   10Sec   30Sec   60Sec
--------------------------------------------------------
Control   31%    30%    25%     25%     26%
Data1     0%     0%     0%      0%      0%
Data2     0%     0%     0%      0%      0%
Data3     0%     0%     0%      0%      0%
Data4     0%     0%     0%      0%      0%
Data5     0%     0%     0%      0%      0%

System software Error Counters
==========================================
Error packets drops:               : 16

Hardware compression device is not installed.

L2-L3 Fwd (Switch) Error Counters
==========================================
Link Down Drop                     : 57
VLAN Flood                         : 175313

Health Monitor Error Counters
==========================================
Send packet failed:                : 1741315
Retries:                           : 28982
Timeouts:                          : 9

Example

The following command shows detailed system-software error statistics:

AX#show errors system software detail
System software Error Counters
==========================================
buff alloc failed:                 : 0
buff alloc from sys failed:        : 0
Error packets drops:               : 16
Packet drops:                      : 0

Example

The following command shows detailed error statistics for SLB health monitoring:

AX#show errors application slb health-monitor detail
Health Monitor Error Counters
==========================================
Open socket failed:                : 0
Send packet failed:                : 1742518
Receive packet failed:             : 0
Unexpected error:                  : 0
Retries:                           : 29002
Timeouts:                          : 9
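
The counters in show errors are cumulative, so they are most useful when two captures are compared. The following Python is an added example, not A10 tooling: it parses the Health Monitor counters from the two outputs on this page (constructed sample text, with the "label : value" line layout assumed from those outputs) and reports what grew, what went backwards, and what has no baseline. All function names are hypothetical.

```python
import re

# Constructed input: Health Monitor counters copied from the two outputs on this
# page ("show errors", then "show errors application slb health-monitor detail").
SNAPSHOT_1 = """\
Health Monitor Error Counters
==========================================
Send packet failed:                : 1741315
Retries:                           : 28982
Timeouts:                          : 9
"""

SNAPSHOT_2 = """\
Health Monitor Error Counters
==========================================
Open socket failed:                : 0
Send packet failed:                : 1742518
Receive packet failed:             : 0
Unexpected error:                  : 0
Retries:                           : 29002
Timeouts:                          : 9
"""

# Assumed layout "label[:]   : value"; the label may or may not end in a colon
# (compare "Retries:" with "Link Down Drop" in the outputs on this page).
COUNTER_RE = re.compile(r"^(?P<name>.+?):?\s*:\s*(?P<value>\d+)\s*$")


def parse_counters(text):
    """Return {(section, counter): value} for every counter under a ==== rule."""
    counters = {}
    section = None
    previous = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line and set(line) == {"="}:
            section = previous  # the section title is the line above the rule
        elif section is not None:
            match = COUNTER_RE.match(line)
            if match:
                key = (section, match.group("name").strip())
                counters[key] = int(match.group("value"))
        if line:
            previous = line
    return counters


def diff_counters(old, new):
    """Compare two parsed captures.

    Returns (increased, reset, unbaselined):
      increased   - {key: delta} for counters that grew
      reset       - keys whose value went down (counters restarted from zero,
                    for example after a reboot or process restart)
      unbaselined - keys that appear only in the newer capture
    """
    increased, reset, unbaselined = {}, [], []
    for key, value in new.items():
        if key not in old:
            unbaselined.append(key)
        elif value < old[key]:
            reset.append(key)
        elif value > old[key]:
            increased[key] = value - old[key]
    return increased, reset, unbaselined


if __name__ == "__main__":
    grew, went_back, no_base = diff_counters(
        parse_counters(SNAPSHOT_1), parse_counters(SNAPSHOT_2)
    )
    for (section, name), delta in grew.items():
        print(f"{section} / {name}: +{delta}")
    print("reset:", went_back)
    print("no baseline:", [name for _, name in no_base])
```

A counter that goes backwards should be read together with the reboot and crash counts from show core and show dumpthread before it is treated as a quiet period.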

show fwlb node


Description

Show statistics or configuration information for firewall nodes.

Syntax

show fwlb node [fwall-name] [config]

Option       Description
fwall-name   Specifies the firewall name.
config       Displays configuration information.

Mode

Privileged EXEC and all Config levels

Usage

To display configuration information for the firewall, use the config option.
To display statistics instead, do not use the config option.

Example

The following command shows configuration information for firewall fw1:

AX#show fwlb node fw1 config
Total Number of Services configured on server fw1: 0
H-check = Health check
Max conn = Max. Connection
Wgt = Weight
Service   Address    H-check   Status   Max conn   Wgt
-----------------------------------------------------------------------------
fw1       20.1.1.1   tsping    Enable   1000000    1

Table 14 describes the fields in the command output.
TABLE 14 show fwlb node config fields
Field             Description
Total Number of   Total number of individual service ports configured on the
Services          firewall.
configured on     If the number is 0, then FWLB applies to all services on the
server            firewall.
Service           Firewall or service name.
Address           IP address of the firewall.
H-check           Health check assigned to the firewall path or service.
Status            Status of the firewall service.
Max conn          Maximum number of connections allowed through the firewall
                  or service.
Wgt               Administrative weight assigned to the firewall or service.

Example

The following command shows statistics for firewall fw1:

AX#show fwlb node fw1
Total Number of Services configured on server fw1: 0
Current = Current Connections, Total = Total Connections
Req-pkt = Request packets, Resp-pkt = Response packets
Service   Current   Total   Req-pkt   Resp-pkt   State
-----------------------------------------------------------------------------
Firewall: fw1
Request packets: 635567690
Response packets: 400297636
Request bytes: 48917119727
Response bytes: 38054947415
Current connections: 0
Persistent connections: 0
Total connections: 228870394

Table 15 describes the fields in the command output.


TABLE 15 show fwlb node fields
Field             Description
Total Number of   Total number of individual service ports configured on the
Services          firewall.
configured on     If the number is 0, then FWLB applies to all services on the
server            firewall.
Service           Firewall or service name.
Current           Current number of connections through the firewall.
Total             Total number of connections through the firewall.
Req-pkt           Number of request packets sent through the firewall.
Resp-pkt          Number of server response packets received from the real
                  servers on the other side of the firewall.
State             State of the firewall or service.
Request packets   Number of request packets for the service.
Response          Number of response packets from the service.
packets
Request bytes     Number of request bytes for the service.
Response bytes    Number of response bytes for the service.
Current           Current number of connections through the firewall for the
connections       service.
Persistent        Number of persistent connections through the firewall.
connections
Total             Total number of connections to the service through the
connections       firewall.

show fwlb service-group


Description

Display statistics or configuration information for firewall service groups.

Syntax

show fwlb service-group [group-name] [config]

Option       Description
group-name   Specifies the firewall group name.
config       Displays configuration information.

Mode

Privileged EXEC and all Config levels

Usage

To display configuration information for the firewall group, use the config
option. To display statistics instead, do not use the config option.

Example

The following command shows configuration information for firewall group fwsg:

AX#show fwlb service-group fwsg config
Service group name: fwsg
Type: firewall
Distribution: Least Conn
Member Count:2
Member2: fw1   Priority: 1
Member1: fw2   Priority: 1

Table 16 describes the fields in the command output.
TABLE 16 show fwlb service-group config fields
Field           Description
Service group   Name of the service group.
name
Type            Type of service group. For FWLB, the type is firewall.
Distribution    Load-balancing method used to select firewalls in the group.
Member Count    Number of firewalls in the group.
Member1-n       Member number, assigned by the AX Series for use in this show
                command's output.
Priority        Priority value assigned to the firewall when it was added to
                the service group.

Example

The following command shows statistics for firewall group fwsg:

AX#show fwlb service-group fwsg
Service group name: fwsg
Service: fw1
Request packets: 635567690
Response packets: 400297636
Request bytes: 48917119727
Response bytes: 38054947415
Current connections: 0
Persistent connections: 0
Total connections: 228870394
Service: fw2
Request packets: 428798001
Response packets: 276924317
Request bytes: 32857592179
Response bytes: 26113303646
Current connections: 0
Persistent connections: 0
Total connections: 196184503

Table 17 describes the fields in the command output.


TABLE 17 show fwlb service-group fields
Field             Description
Service group     Name of the service group.
name
Service           Firewall or service name.
Request packets   Number of request packets for the service.
Response          Number of response packets from the service.
packets
Request bytes     Number of request bytes for the service.
Response bytes    Number of response bytes for the service.
Current           Current number of connections through the firewall for the
connections       service.
Persistent        Number of persistent connections through the firewall.
connections
Total             Total number of connections to the service through the
connections       firewall.

show fwlb virtual-firewall


Description

Display statistics or configuration information for a virtual firewall.

Syntax

show fwlb virtual-firewall [config]

Option   Description
config   Displays configuration information.

Mode

Privileged EXEC and all Config levels

Usage

To display configuration information for the virtual firewall, use the config
option. To display statistics instead, do not use the config option.

Example

The following command shows configuration information for a virtual firewall:

AX#show fwlb virtual-firewall config
Total Number of Virtual Services configured: 1
Virtual Firewall Name
------------------------------------------------
default
member0:fwsg   80/tcp   HA conn mirror enabled

Table 18 describes the fields in the command output.


TABLE 18 show fwlb virtual-firewall config fields
Field              Description
Total Number of    Total number of services configured on the virtual
Virtual Services   firewall. If no individual service ports were configured,
configured         the number is 1.
Virtual Firewall   Name of the virtual firewall.
Name
Member0-n          Service group and service port bound to the virtual
                   firewall.
HA conn mirror     State of connection mirroring for the virtual firewall or
                   individual service port.

Example

The following command shows statistics for a virtual firewall:

AX#show fwlb virtual-firewall
Total Number of Virtual Services configured: 1
Virtual Firewall Name       Current      Total        Request    Response
 Service-Group   Service    connection   connection   packets    packets
-----------------------------------------------------------------------------
default
 fwsg            80/tcp     0            425054897    10643656   6772219
Total received conn attempts on this port: 0

Table 19 describes the fields in the command output.


TABLE 19 show fwlb virtual-firewall fields
Field              Description
Total Number of    Total number of services configured on the virtual
Virtual Services   firewall. If no individual service ports were configured,
configured         the number is 1.
Virtual Firewall   Name of the virtual firewall.
Name
Service-Group      Firewall service group bound to the virtual firewall or
                   service.
Service            Service port number and transport protocol, TCP or UDP.
Current            Current number of connections through the firewall to the
connection         service.
Request packets    Number of request packets sent through the firewall to the
                   service.
Response           Number of response packets received through the firewall
packets            from the service.

show gslb cache


Description

Show the DNS messages cached on the GSLB AX device. The GSLB AX
device caches DNS replies if either of the following GSLB policy options
are enabled:
DNS caching
Active RTT metric (if the single-shot option is used)

Syntax

show gslb cache
[service-name ...]
[zone zone-name]

Option         Description
zone-name      Displays cached DNS messages for the specified zone.
service-name   Displays cached DNS messages for the specified service.

Mode

Privileged EXEC and all Config levels

Example

The following command displays cached DNS messages for service www.testme.com:http:

AX#show gslb cache www.testme.com:http
QD = Question Records, AN = Answer Records
NS = Authority Records, AR = Additional Records
Flag = DNS Flag, Len = Cache Length
A = Authoritative Answer, D = Recursion Desired
R = Recursion Available
Zone: testme.com
Service               Alias   Len   TTL    Flag   QD   AN   NS   AR
---------------------------------------------------------------------------
www.testme.com:http           96    3055   DR     1    4    0    0

Table 20 describes the fields in the command output.


TABLE 20 show gslb cache fields
Field     Description
Zone      GSLB zone name.
Service   GSLB service.
Alias     Alias, if configured, that maps to the DNS Canonical Name (CNAME)
          for the service.
Len       Length of the DNS message, in bytes.
TTL       Number of seconds for which the cached message is still valid.


show gslb geo-location


Description

Show the status of GSLB geo-location mappings.

Syntax

show gslb geo-location


{
[db [geo-location-name]
[[statistics] ip-range range-start range-end]
[[statistics] depth num]
[statistics]]
[file [file-name]]
[ip ipaddr]
[rtt
[passive [geo-location-name ...]
[site site-name] [depth num] |
[active [geo-location-name ...]
[site site-name] [depth num] |
[both [geo-location-name ...]
[site site-name] [depth num]]
Option             Description
db [options]       Displays the geo-location database. If you specify a
                   geo-location name, only the entries for that geo-location
                   are shown. Otherwise, entries for all geo-locations are
                   shown.
                   ip-range - Displays entries for the specified IP address
                   range.
                   depth num - Specifies how many nodes within the
                   geo-location data tree to display. For example, to display
                   only continent and country entries and hide individual
                   state and city entries, specify depth 2. By default, the
                   full tree (all nodes) is displayed.
                   statistics - Displays client statistics for the specified
                   geo-location.
file [file-name]   Displays the geo-location database files on the AX device,
                   and their load status. (Data from a geo-location database
                   file does not enter the geo-location database until you
                   load the file. See gslb geo-location load on page 431.)
ip ipaddr          Displays geo-location database entries for the specified
                   IP address.
rtt [options]      Displays RTT data for geo-locations. You can use the
                   following options:
                   passive - Displays data for passive RTT.
                   active - Displays data for active RTT.
                   both - Displays data for passive RTT and active RTT.
                   geo-location-name - Displays RTT data only for the
                   specified GSLB geo-location.
                   site site-name - Displays RTT data only for the specified
                   GSLB site.
                   depth num - Specifies how many nodes within the
                   geo-location data tree to display. For example, to display
                   only continent and country entries and hide individual
                   state and city entries, specify depth 2. By default, the
                   full tree (all nodes) is displayed.

Mode

Privileged EXEC and all Config levels

Usage

The matched client IP address and the hits counter indicate the working status of the geo-location configuration.

Example

The following command shows the status of a geo-location named pc:

AX#show gslb geo-location pc
Last = Last Matched Client, Hits = Count of Client matched
Sub = Count of Sub Geo-location
T = Type, G(global)/P(policy), P-Name = Policy name
Geo-location: pc
From      To          Last      Hits   Sub   T   P-Name
-----------------------------------------------------------------------------
1.2.2.0   1.2.2.255   (empty)   0      0     P   default

Table 21 describes the fields in the command output.


TABLE 21 show gslb geo-location fields
Field          Description
Geo-location   Name of the geo-location.
From           Beginning address in the address range assigned to the
               geo-location.
To             Ending address in the address range assigned to the
               geo-location.
Last           Client IP address that most recently matched the geo-location.
               If the value is empty, no client addresses have matched.
Hits           Total number of client IP addresses that have matched the
               geo-location.
Sub            Number of sublocations within the geo-location. For example,
               if you configure the following geo-locations, geo-location pc
               has two sublocations, pc.office and pc.lab.
               geo-location pc 10.1.0.0 mask /16
               geo-location pc.office 10.1.1.0 mask /24
               geo-location pc.lab 10.1.2.0 mask /24
T              Type of geo-location:
               G - The geo-location is configured at the global level in the
               AX Series configuration.
               P - The geo-location is configured within a GSLB policy.
P-Name         Name of the GSLB policy where the geo-location is configured.

Example

The following command shows the load status information for a geo-location database file:

AX(config)#show gslb geo-location file test1
T = T(Template)/B(Built-in), Per = Percentage of loading
Filename   T   Template   Per   Lines   Success   Error
-----------------------------------------------------------------------------
test1      T   t1         98%   11      10        0

Example

The following command displays entries in the geo-location database:

AX(config)#show gslb geo-location db
Last = Last Matched Client, Hits = Count of Client matched
T = Type, Sub = Count of Sub Geo-location
G(global)/P(policy), S(sub)/R(sub range)
M(manually config)
Global
Name   From          To              Last      Hits   Sub   T
-----------------------------------------------------------------------------
NA     (empty)       (empty)         (empty)   0      1     G
Geo-location: NA, Global
Name   From          To              Last      Hits   Sub   T
-----------------------------------------------------------------------------
US     (empty)       (empty)         (empty)   0      10    GS
Geo-location: NA.US, Global
Name   From          To              Last      Hits   Sub   T
-----------------------------------------------------------------------------
       69.26.125.0   69.26.125.255   (empty)   0      0     GR
       69.26.126.0   69.26.126.255   (empty)   0      0     GR
       69.26.127.0   69.26.127.255   (empty)   0      0     GR
...

show gslb policy


Description

Show GSLB metric settings for GSLB policies.

Syntax

show gslb policy [policy-name]

Mode

Privileged EXEC and all Config levels

Example

The following command shows the configuration of GSLB policy www:

AX#show gslb policy www


Policy name: www
MO = Metric Order, En-Value = Enabled or Value
Type            | MO| Option      | En-Value | Description
================================================================================
DNS             |   | action      | no       | Action
                |   | active-only | no       | Only return active service-IP(s)
                |   | best-only   | no       | Only return best service-IP(s)
                |   | cname-detect| yes      | Apply policy on CNAME records
                |   | external-ip | yes      | Return external IP
                |   | IPv6 Mapping| no       |
                |   | IPv6 Mix    | no       | Both IPv6 and IPv6 Server
                |   | IPv6 Smart  | no       | Return IPv6 Server by Qeury Type
                |   | ip-replace  | no       | Replace DNS server's service-IPs
                |   | GL-alias    | no       | Return CNAME Records by Geo-loc
                |   | GL-action   | no       | Action by Geo-location
                |   | GL-policy   | no       | Policy by Geo-location
                |   | Bak-alias   | no       | Return Alias when fail
                |   | cache       | no       | Cache DNS proxy response
                |   | addition-mx | no       | Addition MX Records
                |   | server      | no       | Run GSLB in DNS server mode
                |   | sticky      | no       | Stick to DNS Record
                |   | ttl         | 10       | TTL value, unit: sec
                |   | Log         | global   | DNS Logging
--------------------------------------------------------------------------------
Metric          |   | Force-Check | no       | Check Service-IP for all metrics
                |   | Fail-Break  | no       | Break if no valid service-IP

--------------------------------------------------------------------------------
health-check    | 1 |             | yes      | Service-IP's health
geographic      | 8 |             | yes      | Geographic
round-robin     | 15|             | yes      | Round robin selection
--------------------------------------------------------------------------------
weighted-ip     | 2 |             | no       | Service-IP's weight
                |   | total-hits  | no       | Weighed IP by total hits
weighted-site   | 3 |             | no       | Site's weight
                |   | total-hits  | no       | Weighed Site by total hits
capacity        | 4 |             | no       | Session capacity of SLB device
                |   | threshold   | 90       | Threshold of session capacity
                |   | fail-break  | no       | Break when exceed threshold
active-servers  | 5 |             | no       | Active servers of SLB device
                |   | fail-break  | no       | Break when no active server
passive-rtt     | 6 |             | no       | Passive Round trip time
                |   | tolerance   | 10       | RTT tolerance
                |   | difference  | 0        | RTT Difference
                |   | samples     | 5        | Count of RTT samples
                |   | limit       | 16383    | Limit of usable RTT
                |   | fail-break  | no       | Break when no valid RTT
active-rtt      | 7 |             | no       | Active Round trip time
                |   | tolerance   | 10       | RTT tolerance
                |   | difference  | 0        | RTT Difference
                |   | samples     | 5        | Count of RTT samples
                |   | limit       | 16383    | Limit of usable RTT
                |   | fail-break  | no       | Break when no valid RTT
                |   | single-shot | no       | Wait for A-RTT Samples
                |   | timeout     | 3        | Timeout of single-shot
                |   | skip        | 3        | Skip query if no samples
                |   | keep-track  | no       | Keep tracking clients
                |   | ignore-id   | no       | Ignore IP Address by group ID
connection-load | 9 |             | no       | Service-IP's connection load
                |   | limit       | unlimit  | Limit of connection load
                |   | fail-break  | no       | Break when exceed limit
                |   | number      | 5        | Number of conn-load samples
                |   | interval    | 5        | Interval between two samples
num-session     | 10|             | no       | Session number of SLB device
                |   | tolerance   | 10       | Tolerance of session number
admin-preference| 11|             | no       | Admin preference of SLB device
bw-cost         | 12|             | no       | Cost of Bandwidth
                |   | fail-break  | no       | Break when exceed limit
least-response  | 13|             | no       | Least response service-IP
ordered-ip      | 14|             | no       | Service-IPs' order
                |   | top-only    | no       | Highest priority server only
--------------------------------------------------------------------------------
alias-admin-pf  |   |             | no       | Admin preference of alias name
weighted-alias  |   |             | no       | Weight of alias name
--------------------------------------------------------------------------------
geo-location    |   | match-first | global   | Geo-location table to use first
                |   | overlap     | no       | Geo-location overlap matching

Table 22 describes the fields in the command output.

TABLE 22 show gslb policy fields

Field         Description
Policy name   Name of the GSLB policy.
Type          Name of the GSLB metric.
MO            For GSLB metrics, indicates the order in which the metrics
              are used.
Option        Metric or option name.
En-Value      For metrics, indicates whether they are enabled (yes or no).
              For options, indicates the value.
Description   Description of the metric or option.

show gslb protocol


Description

Show the status of the GSLB protocol on the GSLB AX Series and the SLB
devices (site AX Series).

Syntax

show gslb protocol

Mode

Privileged EXEC and all Config levels

Example

The following command shows GSLB protocol status information on an
AX device acting as a GSLB controller:

AX#show gslb protocol


Passive RTT is disabled, required by 0 controller(s).
GSLB site: aapg
slb-dev: ax (127.0.0.1) Established
Session ID:              26702
Connection succeeded:    1    |Connection failed:          0
Open packet sent:        1    |Open packet received:       1
Open session succeeded:  1    |Open session failed:        0
Sessions Dropped:        0    |Update packet received:     34411
Keepalive packet sent:   1408 |Keepalive packet received:  1407
Notify packet sent:      0    |Notify packet received:     0
Message Header Error:    0

GSLB site: abc
slb-dev: ax1 (127.0.0.2) Established
Session ID:              65410
Connection succeeded:    1    |Connection failed:          0
Open packet sent:        1    |Open packet received:       1
Open session succeeded:  1    |Open session failed:        0
Sessions Dropped:        0    |Update packet received:     34411
Keepalive packet sent:   1408 |Keepalive packet received:  1407
Notify packet sent:      0    |Notify packet received:
Message Header Error:    0
...

show gslb rtt


Description

Show RTT data.

Syntax

show gslb rtt
   [geo-location
   [passive [geo-location-name ...]
   [site site-name] [depth num] |
   [active [geo-location-name ...]
   [site site-name] [depth num] |
   [both [geo-location-name ...]
   [site site-name] [depth num]]
   [slb-device
   [passive [geo-location-name ...]
   [site site-name] [depth num] |
   [active [geo-location-name ...]
   [site site-name] [depth num] |
   [both [geo-location-name ...]
   [site site-name] [depth num]]
   [local-info]

Option           Description

geo-location     Displays RTT data based on geo-location.
slb-device       Displays RTT data based on SLB device.
local-info       Displays local RTT data on a site AX device.
passive          Displays data for passive RTT.
active           Displays data for active RTT.
both             Displays data for passive RTT and active RTT.
site site-name   Displays RTT data only for the specified GSLB site.
depth num        Specifies how many nodes within the geo-location data
                 tree to display. For example, to display only continent
                 and country entries and hide individual state and city
                 entries, specify depth 2. By default, the full tree (all
                 nodes) is displayed.

Mode

Privileged EXEC and all Config levels

Usage

All of the options except local-info are applicable when you enter the command on a GSLB AX device. To display local RTT data on a site AX
device, enter the command on the site AX device and use the local-info
option.

Example

Here is an example of the output for this command when entered on the
GSLB AX device:

AX#show gslb rtt


TTL = Time to live(Unit: min), T = Type, A(active)/P(passive)
Device: site1/remote
IP               TTL  T|
-----------------------------------------------------------------------------
10.10.10.2       10   A|
20.20.20.21      10   A|  41  40  29  46  38  42  34  30
192.168.217.1    10   A|  38  54  46  50  43  38
192.168.217.11   10   A|  41  40  29  46  38  42  34  30
Device: site2/local
IP               TTL  T|
-----------------------------------------------------------------------------
10.10.10.2       10   A|  35  52  35  40  54  56  44  48
20.20.20.21      10   A|  20  20  16  16  20  16  20  18
192.168.217.1    10   A|  16  44  20  16  20  18
192.168.217.11   10   A|  20  20  16  16  20  16  20  18

T = Type: A(active)/P(passive), TS = Time Stamp(unit: min)
Geo-location     Site     T RTT    TS
-----------------------------------------------------------------------------
cn.sh            site1    A 38     10
                 site2    A 18     10
cn.bj            site1    A 30     10
                 site2    A 18     10
jp               site1    A 30     10
                 site2    A 18     10
us               site1    A 0      10
                 site2    A 48     10

This example shows the default display (with no additional options). The
TTL results are organized by site AX device, then by geo-location.

Table 23 describes the fields in the command output.

TABLE 23 show gslb rtt fields

Field          Description
Device         Site AX device.
IP             IP address at the other end of the RTT exchange.
TTL            Time-to-live for the RTT entry.
T              RTT type:
               A - Active RTT, which measures the round-trip-time for a
               DNS query and reply between a site AX device and the
               GSLB local DNS.
               P - Passive RTT, which measures the round-trip-time
               between when the site AX device receives a client's TCP
               connection (SYN) and the time when the site AX device
               receives acknowledgement (ACK) back from the client for
               the connection.
1-8            Individual TTL measurements. RTTs are measured in seconds.
Geo-location   Geo-location name for which RTT measurements have been
               taken.
Site           GSLB site name within the geo-location.
T              RTT type. (See descriptions above.)
RTT            Individual TTL measurements. RTTs are measured in seconds.
TS             System time stamp of the RTT measurement.

show gslb samples conn


Description

Show the number of connections that are currently on a virtual port.

Syntax

show gslb samples conn
   {service-name | vipaddr} port-num
   [range-start]
   [range range-start range-end]

Option                          Description

service-name | vipaddr          Specifies the service name or service IP.
port-num                        Specifies the virtual port.
range-start                     Specifies the range start.
range range-start range-end     Collects samples only for the specified
                                range of service port numbers.

Mode

Privileged EXEC and all Config levels

Usage

The number of connections on the site is sampled based on the GSLB status
interval. (This is configurable using the gslb protocol command. See gslb
protocol on page 434.) Samples are listed row by row. The first 7 samples
appear on row 1, the second 7 samples appear on row 2, and so on.
If you disable the GSLB protocol, the data is cleared.

Example

The following example shows connection activity for virtual port 80 on virtual server china.

AX#show gslb samples conn china 80


0  | 1        2        3        4        5        6        7
---------------------------------------------------------------------------
1  | 15000    25000    35000    45000    55000    65000    75000
2  | 85000    95000    105000

show gslb samples conn-load


Description

Show the number of connections on each virtual server.

Syntax

show gslb samples conn-load num-samples interval
   [service-name | vipaddr]
   [port-num]

Option                   Description

num-samples              Number of connection-load samples to collect
                         and display.
interval                 Number of seconds to wait between collection of
                         each sample.
service-name | vipaddr   Collects samples only for the specified service
                         IP.
port-num                 Collects samples only for the specified service
                         port number.

Mode

Privileged EXEC and all Config levels

Example

The following command shows 5 connection-load samples, collected at 5-second intervals:

AX#show gslb samples conn-load 5 5


ip1:80, average is: 36
   | 1      2      3      4      5      6      7
---------------------------------------------------------------------------
1  | 0      0      11     1      168
ip2:80, average is: 38
   | 1      2      3      4      5      6      7
---------------------------------------------------------------------------
1  | 0      0      22     2      168
ip3:80, average is: 60
   | 1      2      3      4      5      6      7
---------------------------------------------------------------------------
1  | 120    0      0      0      180
ip4:80, average is: 86
   | 1      2      3      4      5      6      7
---------------------------------------------------------------------------
1  | 240    0      0      0      192

In this example, five samples, taken at 5-second intervals, are shown for
each of four services (ip1:80 to ip4:80). The services are listed by service IP
and service port.
In each section, the numbers across the top are column numbers. The numbers along the leftmost column are row numbers. The other numbers are the
actual connection load data. For example, for ip1:80 (service port 80 on service IP ip1), there were no connections during the first or second data
samples, and 11 connections during the third sample.


show gslb samples rtt


Description

Show the round-trip time (RTT) between the GSLB AX Series and a client.

Syntax

show gslb samples rtt
   [geo-location-name
   [passive [geo-location-name ...]
   [site site-name] [depth num] |
   [active [geo-location-name ...]
   [site site-name] [depth num] |
   [both [geo-location-name ...]
   [site site-name] [depth num]]
   [slb-device
   [passive [geo-location-name ...]
   [site site-name] [depth num] |
   [active [geo-location-name ...]
   [site site-name] [depth num] |
   [both [geo-location-name ...]
   [site site-name] [depth num]]
   [local-info]

Option              Description

geo-location-name   Displays RTT data only for the specified GSLB
                    geo-location.
slb-device          Displays RTT data only for the specified SLB device.
local-info          Displays local RTT data on a site AX device.
passive             Displays data for passive RTT.
active              Displays data for active RTT.
both                Displays data for passive RTT and active RTT.
site site-name      Displays RTT data only for the specified GSLB site.
depth num           Specifies how many nodes within the geo-location data
                    tree to display. For example, to display only
                    continent and country entries and hide individual
                    state and city entries, specify depth 2. By default,
                    the full tree (all nodes) is displayed.

Mode

Privileged EXEC and all Config levels


Usage

Eight RTT samples are displayed for each device. Times are shown in
10-millisecond (ms) increments. In the example below, the first RTT time
for Device1 is 50 ms.
If you disable the GSLB protocol, the data is cleared.

show gslb service


Description

Show the configuration information for services.

Syntax

show gslb service
   {cache | dns-a-record | dns-cname-record |
   dns-mx-record | session}
   [service-name ...] [zone zone-name]
   [ip ipaddr {subnet-mask | /mask-length}]

Option              Description

cache               Displays service information in the GSLB DNS cache.
dns-a-record        Displays Address records for GSLB services.
dns-cname-record    Displays CNAME records for GSLB services.
dns-mx-record       Displays MX records for GSLB services.
session             Displays current GSLB sessions for services.
service-name        Specifies a service name.
zone zone-name      Specifies a zone name.
ip ipaddr
{subnet-mask |
/mask-length}       Specifies a client host or subnet address. (This
                    option applies only to the session option.)

Mode

Privileged EXEC and all Config levels

Example

The following example shows CNAME information for zone a10.com:

AX#show gslb service dns-cname-record a10.com


Zone: a10.com
Alias = Alias Name, Geoloc = Geo-location
G-Geoloc = Matched Global Geo-location
P-Geoloc = Matched Policy Geo-location
Service       Alias           Geoloc    G-Geoloc    P-Geoloc
-----------------------------------------------------------------------------
http:www      http.a10.com    pc1       (empty)     (empty)
ftp:ftp       ftpp.a10.com    pc1       (empty)     pc1

show gslb service-ip


Description

Shows information for a GSLB service.

Syntax

show gslb service-ip {service-name | vipaddr |
   local-info}

Option                   Description

service-name | vipaddr   Specifies the service name or VIP address.
local-info               Shows local SLB virtual-server information.

Example

The following command shows information for the beijing service:

AX#show gslb service-ip beijing

V = Is Virtual server, E = Enabled
P-Cnt = Count of Service Ports
Service-IP           IP          V E State  P-Cnt Hits
-----------------------------------------------------------------------------
:Device1:beijing     2.1.1.10    Y Y UP     3     0

Table 24 describes the fields in the command output.

TABLE 24 show gslb service-ip fields

Field        Description
Service-IP   Device name and service IP name.
IP           IP address of the service.
V            Indicates whether the service IP is a virtual server IP address
             (Y) or a real server IP address (N).
E            Indicates whether the service IP is enabled.
State        Indicates the service IP state: UP or DOWN.
P-Cnt        Number of service ports on the service IP.
Hits         Number of times the service IP has been selected.


show gslb service-port


Description

Show information about the GSLB service ports configured on the sites.

Syntax

show gslb service-port [local-info]


Option       Description

local-info   Shows local SLB virtual-port information.

Mode

Privileged EXEC and all Config levels

Example

The following command shows information about all the configured GSLB
service ports.

AX#show gslb service-port


Attrs = Attributes, Act-Svrs = Active Real Servers
Curr-Conn = Current Connections
D = Disabled, P = GSLB Protocol, L = Local Protocol
Service-Port         Attrs  State  Act-Svrs  Curr-Conn
-----------------------------------------------------------------------------
10.77.27.222:80      L      DOWN   0         0
10.10.10.1:80               DOWN   0         0
67.67.6.84:80               UP     1         0
67.67.6.82:21               UP     1         0
192.168.100.6:80            DOWN   0         0

Table 25 describes the fields in the command output.

TABLE 25 show gslb service-port fields

Field          Description
Service-Port   Service IP address and service port number.
Attrs          Indicates whether the service port is reached using the GSLB
               protocol or the local (SLB) protocol.
State          Indicates the service state: UP or DOWN.
Act-Svrs       Number of active real servers for the service.
Curr-Conn      Current number of connections to the service.

show gslb session


Description

Show cached GSLB policy selections.


Selections are cached on a zone:service basis. While a cached GSLB policy
selection is valid (that is, before it ages out), the cached selection is used for
subsequent requests from the same client for the same zone and service.

Syntax

show gslb session
   [service-name ...] [zone zone-name]
   [ip ipaddr {subnet-mask | /mask-length}]

Option              Description

service-name        Specifies a service name.
zone zone-name      Specifies a zone name.
ip ipaddr
{subnet-mask |
/mask-length}       Specifies a client host or subnet address.

Mode

Privileged EXEC and all Config levels

Example

The following example shows GSLB sessions:

AX#show gslb session


Best = Best Service-IP for sticky
TTL = DNS TTL, Time until next query(unit: min)
Upd = Update Time(unit: sec), Init = Init Time(unit: sec)
Service: www.abc.com:http
Total Number of Sessions: 1
Client          Best          Mode    Hits  TTL         Upd   Init
-----------------------------------------------------------------------------
192.168.217.11  10.10.10.100  Server  2     71582784    1364  1364
Service: www.xyz.com:http
Total Number of Sessions: 1
Client          Best          Mode    Hits  TTL         Upd   Init
-----------------------------------------------------------------------------
192.168.217.11  10.10.10.100  Cache   2     57          1397  1396
Service: www.a10.com:http
Total Number of Sessions: 1
Client          Best          Mode    Hits  TTL         Upd   Init
-----------------------------------------------------------------------------
192.168.217.11  10.10.10.100  Proxy   2     59          1521  1521
Service: ftp.a10.com:ftp
Total Number of Sessions: 1
Client          Best          Mode    Hits  TTL         Upd   Init
-----------------------------------------------------------------------------
192.168.217.11  10.10.10.102  Proxy   2     WAIT_QUERY  1615  1614

In this example, there is 1 client session with the HTTP service on www.testme.com.

Table 26 describes the fields in the command output.

TABLE 26 show gslb session fields

Field    Description
Client   Client IP address.
Best     IP address selected by the GSLB policy as the best address.
Mode     DNS mode in use for the session and can contain one of the
         following values:
         Proxy - The GSLB AX device is configured to be a DNS
         proxy for the service. The GSLB AX device intercepts
         DNS queries for the zone and service, sends them to the
         DNS server, and modifies the replies to contain the best IP
         address based on the GSLB policy, before sending the
         replies to clients.
         Note: This is the default DNS mode, which takes effect
         after the DNS proxy is configured on the GSLB AX
         device.
         Cache - The GSLB AX device is configured to cache
         DNS replies. This mode is enabled by the DNS cache
         option in the GSLB policy.
         Server - The GSLB AX device is configured to directly
         reply to DNS queries for the GSLB zone, without sending
         the queries to an external DNS server. This mode is
         enabled by the DNS cache option in the GSLB policy.
Hits     Number of times the cache entry was used to direct the
         client's request for the zone and service to the address in the
         Best column.
TTL      Number of seconds for which the cached selection entry is
         still valid.
         In Proxy mode, this column displays the DNS TTL configured
         from the DNS server. If the TTL is less than 1 minute,
         WAIT_QUERY is displayed.
         In Server mode, the value can be quite large. This is normal.
Upd      Number of seconds between startup of the GSLB process
         (TS = 0) and the most recent use of the cache entry (the most
         recent Hit).
Init     Number of seconds between startup of the GSLB process
         (TS = 0) and initialization of this session.

show gslb site


Description

Show GSLB site information.

Syntax

show gslb site [site-name ...]
   [bw-cost] [statistics]

Option       Description

site-name    Displays information only for the specified site.
bw-cost      Displays bw-cost information.
statistics   Displays statistics.

Mode

Privileged EXEC and all Config levels

Example

The following command shows information for GSLB site Site1:

AX#show gslb site Site1


Site    Device/server      VIP        Vport  State  Hits
-------------------------------------------------------------------
Site1   Device1 (device)   2.1.1.10          Up     0
        1.2.2.2                       21     Up
                                      23     Up
                                      80     Up
                           2.1.1.11          Up     0
                                      21     Up
                                      80     Up
                           2.1.1.12          Up     0
                                      21     Up
                                      23     Up
                                      80     Up
        serverB (server)                     Up     0
        3.1.1.10                      80     Up

Table 27 describes the fields in the command output.

TABLE 27 show gslb site fields

Field           Description
Site            GSLB site name.
Device/server   Device name and device IP address or real server name and
                real server IP address.
VIP             Virtual IP address for the service.
Vport           Virtual port number.
State           Virtual port state.
Hits            Number of times the service IP was selected.

Table 28 describes the fields in the command output when the bw-cost
option is used.

TABLE 28 show gslb site bw-cost fields

Field      Description
Site       GSLB site name.
Template   SNMP template name.
Current    Current value of the SNMP object used for measurement.
Highest    Highest value of the SNMP object used for measurement.
Limit      Limit configured for the bw-cost metric.
U          Indicates whether the site is usable, based on the bw-cost
           measurement.
Type       Data type of the SNMP object.
Len        Data length of the SNMP object.
Value      Value of the SNMP object.
TI         Time interval between measurements.

Example

The following command shows GSLB site statistics:

AX#show gslb site statistics


Site      Hits    Last
-----------------------------------------------------------------------------
site1     14      2.1.1.10
site2     0       (empty)
site3     0       (empty)
site4     0       (empty)

Table 29 describes the fields in the command output when the statistics
option is used.

TABLE 29 show gslb site statistics fields

Field   Description
Site    GSLB site name.
Hits    Number of times the site was selected.
Last    Site that was most recently selected.


show gslb slb-device


Description

Show information about an SLB device used by GSLB.

Syntax

show gslb slb-device
   [
   device-name |
   local-info |
   rtt {passive [device-name ... | ip ipaddr ...] |
   active [device-name ... | ip ipaddr ...] |
   both [device-name ... | ip ipaddr ...]}
   ]

Option        Description

device-name   Displays information only for the specified SLB device.
local-info    Displays local SLB device information on a site SLB device.
rtt options   Displays RTT data. You can use the following options:
              passive - Displays data for passive RTT.
              active - Displays data for active RTT.
              both - Displays data for passive RTT and active RTT.
              device-name - Displays RTT data only for the specified
              SLB device.
              ip ipaddr - Displays RTT data only for the specified
              client IP address(es).

Mode

Privileged EXEC and all Config levels

Example

The following command shows information about SLB device Device1:

AX#show gslb slb-device Device1


APF = Administrative Preference, Sub-Cnt = Count of Service-IPs
Sesn-Uzn = Session Utilization
Sesn-Num = Number of Available Sessions
Device           IP         APF   Sesn-Uzn  Sesn-Num  Sub-Cnt
-----------------------------------------------------------------------------
site1:Device1    1.2.2.2    200   0%        0         3

Table 30 describes the fields in the command output.

TABLE 30 show gslb site fields

Field      Description
Device     Site name and device name.
IP         SLB device's IP address.
APF        Administrative preference for the device.
Sesn-Uzn   Current session utilization on the device.
Sesn-Num   Number of sessions available on the device.
Sub-Cnt    Number of service IPs on the device.

show gslb state


Description

Show GSLB state information collected by GSLB debugging.

Syntax

show gslb state

Mode

Privileged EXEC and all Config levels

Usage

To collect state information, enable GSLB debugging and use the state
option. (See the example below.)

Example

The following commands enable GSLB debugging with retention of state
information, and initiate display of the state information:
site-ax-1(config)#debug gslb state
site-ax-1(config)#show gslb state

show gslb statistics


Description

Show statistics for the GSLB protocol, for sites, or for zones.

Syntax

show gslb statistics {message | site | zone}

Mode

Privileged EXEC and all Config levels

Usage

The show gslb statistics message command shows the same output as the
show gslb protocol command. Similarly, the show gslb statistics site command shows the same output as the show gslb site statistics command, and
the show gslb statistics zone command shows the same output as the show
gslb zone statistics command.

Example

The following command shows statistics for the GSLB protocol:

AX#show gslb statistics message


GSLB site: site1
slb-dev: remote (20.20.20.2) Established
Session ID:              40576
Connection success:      4    |Connection failure:         0
Open packet sent:        4    |Open packet received:       1
Open session success:    1    |Open session failure:       3
Dropped sessions:        0    |Update packet received:     5101
Keepalive packet sent:   1219 |Keepalive packet received:  1218
Notify packet sent:      0    |Notify packet received:     0
Message Header Error:    0    |                            0

GSLB site: site2
slb-dev: local (192.168.217.2) Established
Session ID:              104
Connection success:      1    |Connection failure:         1
Open packet sent:        1    |Open packet received:       1
Open session success:    1    |Open session failure:       0
Dropped sessions:        0    |Update packet received:     22
Keepalive packet sent:   2    |Keepalive packet received:  1
Notify packet sent:      0    |Notify packet received:     0
Message Header Error:    0    |                            0

GSLB controller: 192.168.217.2 Established
Session ID:              104
Connection success:      0    |Connection failure:         0
Open packet sent:        1    |Open packet received:       1
Open Sent                1    |Open session failure:       0
Dropped sessions:        0    |Update packet sent:         22
Keepalive packet sent:   2    |Keepalive packet received:  1
Notify packet sent:      0    |Notify packet received:     0
Message Header Error:    0    |                            0
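
The counters in this output can be checked automatically when monitoring the GSLB protocol sessions between controller and site devices. The following Python code is an added example, not A10 code: it parses text in the "label: value |label: value" layout of the example above and flags peers that are not Established or that show failure counters. The sample text, the keepalive slack threshold, and the non-Established state string are assumptions made for illustration.

```python
import re

# Constructed sample in the "label: value |label: value" layout of the
# example output. Counter values and the non-Established state string are
# made up for illustration; both label spellings used on the page
# ("succeeded"/"success", "failed"/"failure") are included.
SAMPLE = """\
GSLB site: site1
slb-dev: remote (20.20.20.2) Established
Session ID:               40576
Connection success:       4    |Connection failure:         0
Open packet sent:         4    |Open packet received:       1
Open session success:     1    |Open session failure:       3
Dropped sessions:         0    |Update packet received:     5101
Keepalive packet sent:    1219 |Keepalive packet received:  1218
Notify packet sent:       0    |Notify packet received:     0
Message Header Error:     0    |
GSLB site: site2
slb-dev: local (192.168.217.2) Established
Session ID:               104
Connection succeeded:     1    |Connection failed:          0
Open packet sent:         1    |Open packet received:       1
Open session succeeded:   1    |Open session failed:        0
Sessions Dropped:         2    |Update packet received:     22
Keepalive packet sent:    900  |Keepalive packet received:  610
Notify packet sent:       0    |Notify packet received:     0
Message Header Error:     7
GSLB controller: 192.168.217.2 Idle-constructed
Session ID:               104
Keepalive packet sent:    2    |Keepalive packet received:  1
"""

PEER_RE = re.compile(r"^(slb-dev|GSLB controller):\s*(.*\S)\s+(\S+)\s*$")
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(\d+)\s*$")
# The two commands spell some labels differently; map them to one form.
SYNONYMS = (("succeeded", "success"), ("failed", "failure"),
            ("sessions dropped", "dropped sessions"))
# Counters that should stay at zero on a healthy session (assumption).
FAILURE_COUNTERS = ("connection failure", "open session failure",
                    "dropped sessions", "message header error")


def normalize(label):
    """Lower-case a counter label and collapse the known spelling variants."""
    label = " ".join(label.lower().split())
    for old, new in SYNONYMS:
        label = label.replace(old, new)
    return label


def parse_peers(text):
    """Return one dict per slb-dev / GSLB controller block in the output."""
    peers, site, current = [], None, None
    for line in text.splitlines():
        if line.startswith("GSLB site:"):
            site = line.split(":", 1)[1].strip()
            continue
        m = PEER_RE.match(line)
        if m:
            current = {"site": site if m.group(1) == "slb-dev" else None,
                       "peer": m.group(2), "state": m.group(3),
                       "counters": {}}
            peers.append(current)
            continue
        if current is None:
            continue
        # Each counter line holds up to two "label: value" cells split by "|".
        for cell in line.split("|"):
            c = COUNTER_RE.match(cell)
            if c:
                current["counters"][normalize(c.group(1))] = int(c.group(2))
    return peers


def audit(peers, keepalive_slack=2):
    """Return (peer, finding) tuples for sessions that need attention."""
    findings = []
    for p in peers:
        who = p["peer"] if p["site"] is None else f'{p["site"]}/{p["peer"]}'
        c = p["counters"]
        if p["state"] != "Established":
            findings.append((who, f'state is {p["state"]}'))
        for name in FAILURE_COUNTERS:
            if c.get(name, 0) > 0:
                findings.append((who, f"{name} = {c[name]}"))
        sent = c.get("keepalive packet sent")
        rcvd = c.get("keepalive packet received")
        if sent is not None and rcvd is not None:
            gap = abs(sent - rcvd)
            if gap > keepalive_slack:
                findings.append((who, f"keepalive sent/received differ by {gap}"))
    return findings


if __name__ == "__main__":
    for who, finding in audit(parse_peers(SAMPLE)):
        print(f"{who}: {finding}")
```
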

show gslb zone


Description

Show GSLB zone information.

Syntax

show gslb zone [zone-name]
   [dns-mx-record]
   [statistics]

Option          Description

zone-name       Displays information only for the specified zone.
dns-mx-record   Displays the MX records for the zone(s).
statistics      Displays statistics for the zone(s).

Mode

Privileged EXEC and all Config levels

Example

The following example shows information for zone a10.com:

AX#show gslb zone a10.com


Zone          Service       Policy    TTL
-----------------------------------------------------------------------------
a10.com                     www       20
              http:www      www       20
              ftp:ftp       ftp       30

Table 31 describes the fields in the command output.

TABLE 31 show gslb zone fields

Field     Description
Zone      Zone name.
Service   Service type and service name.
Policy    GSLB policy name.
TTL       DNS TTL value set by GSLB in DNS replies to queries for
          the zone address.

Example

The following command shows MX records for zones:

AX#show gslb zone dns-mx-record


Pri = Priority, Last = Last Server
Owner                MX-Record        Pri   Hits   Last
-----------------------------------------------------------------------------
mail.abc.com:smtp    mail1.abc.com    0     0
                     mail2.xyz.com    10

Table 32 describes the fields in the command output.

TABLE 32 show gslb zone dns-mx-record fields

Field       Description
Owner       Zone and service name to which the MX record belongs.
MX-Record   Name of the MX record.
Pri         Priority (preference) set for the MX record.
Hits        Number of times the record has been used.
Last        Most recent time the record was used.

Example

The following command shows GSLB zone statistics:

AX(config-gslb zone-gslb service)#show gslb zone example.com statistics


GSLB Zone example.com:
Total Number of Services configured: 1
Rcv-query = Received Query, Sent-resp = Sent Response
M-Proxy = Proxy Mode, M-Cache = Cache Mode
M-Svr = Server Mode, M-Sticky = Sticky Mode
Service     Rcv-query  Sent-resp  M-Proxy  M-Cache  M-Svr  M-Sticky
-----------------------------------------------------------------------------
http:www    16         15         3        0        0      12
Total       16         15         3        0        0      12

Table 33 describes the fields in the command output.

TABLE 33 show gslb zone statistics fields

Field                 Description
GSLB Zone             Zone name.
Total Number of
Services configured   Number of GSLB services configured for the zone.
Service               Service type and service name.
Rcv-query             Number of DNS queries received for the service.
Sent-resp             Number of DNS replies sent to clients for the service.
M-Proxy               Number of DNS replies sent to clients by the AX device
                      as a DNS proxy for the service.
M-Cache               Number of cached DNS replies sent to clients by the AX
                      device for the service. (This statistic applies only if
                      the DNS cache option is enabled in the policy.)
M-Svr                 Number of DNS replies sent to clients by the AX device
                      as a DNS server for the service. (This statistic applies
                      only if the DNS server option is enabled in the policy.)
M-Sticky              Number of DNS replies sent to clients by the AX device
                      to keep the clients on the same site. (This statistic
                      applies only if the DNS sticky option is enabled in the
                      policy.)

show ha
Description

Show the status of each HA group. The output shows information for the AX device on which you enter the command, and the device's HA peer.

Syntax

show ha [config | detail]

Parameter   Description
config      Shows the HA configuration commands in the running-config.
detail      Shows HA statistics.

Mode

Privileged EXEC and all Config levels

Example

The following command shows basic HA information:

AX#show ha
Local Unit: UP                     Peer Unit: UP
HA Group  Unit   State    Priority
1         Local  Active   200
          Peer   Standby  100
2         Local  Active   255
          Peer   Standby  100

Example

The following command shows basic HA information along with HA statistics:

AX#show ha detail
Local Unit: UP                     Peer Unit: UP
HA Group  Unit   State    Priority
1         Local  Active   200
          Peer   Standby  100

                  Active    Standby
Transitions       2         2
Pkts processed    559826    568

Connectivity:     Server Ports  2        Router Ports  2
HA packets:       Sent          806870   Received      397769
Conn Sync:        Sent          2039     Received      0

HA errors:
Dup HA ID         0         Invalid Group   0
Version Mismatch  0         SetId Mismatch  0
Missed Heartbeat  6         Timer Msgs      0

HA Port  Sent     Recvd    Missed Heartbeat
1        0        0        0
3        0        0        0
4        403435   0        0
5        0        0        0
6        0        0        0
9        403435   397769   6

Inline L2 HA Peer Port: 9

Misc Packet statistics:
Self packets
MAC:
Packets for AX
Broadcast:
Active mode stats:
IP
20092
Non-peer port 20821
Standby mode stats:
IP
3
Non-peer port 101

0
0

IP:
IP:
MAC:

0
235

Table 34 describes the fields in the command output.


TABLE 34 show ha detail fields
Field                    Description
Local Unit               Shows the HA operational status of this AX device.
Peer Unit                Shows the HA operational status of the other AX device.
                         Note: If the status is Incompatible Version, the AX devices are running different software versions and the HA feature is not compatible between the two versions. This message is normal during upgrade, after one of the AX devices has been upgraded and before the other device is upgraded. If the devices are not being upgraded, it is recommended to upgrade one of the devices so that they both are running the same software version.
HA Group                 Shows HA group information:
                         Unit - Indicates whether the information below is for this AX device (Local) or the other AX device (Peer).
                         State - Indicates whether the AX device is active or is a standby.
                         Priority - HA priorities configured for this group on this AX device and on its peer AX device.
Transitions              Number of times this AX device has transitioned to the active or standby state.
Pkts processed           (Inline mode only) Shows the number of packets processed by the HA inline handler when in active or standby mode.
Connectivity             Shows the number of HA interfaces designated as server or router interfaces that are currently up.
HA packets               Shows the number of HA hello (heartbeat) packets sent or received by this AX device.
Conn Sync                Shows the number of HA connection synchronization (session mirroring) packets sent or received by this AX device.
HA errors                Shows HA error statistics:
                         Dup HA ID - Number of incoming HA hello (heartbeat) packets that had the same HA ID as the HA ID of this AX device (the local AX device).
                         Invalid Group - Number of incoming HA hello packets that had an invalid group ID.
                         Version Mismatch - Number of incoming HA hello packets that had a packet version mismatch.
                         SetId Mismatch - Number of incoming HA hello packets that had an HA set ID mismatch.
                         Missed Heartbeat - Total number of heartbeat (hello) packets expected from the peer HA device that were not received.
                         Timer Msgs - Number of times HA internal timers detected a variance.
HA Port                  Shows statistics for each HA interface:
                         Sent - Number of hello (heartbeat) messages sent on the interface.
                         Recvd - Number of hello messages received on the interface.
                         Missed Heartbeat - Number of hello messages that were expected to be received on the interface but that did not arrive.
Inline L2 HA Peer Port   (Inline mode only) Shows the interface number used to communicate with the peer HA device.
Misc Packet statistics   These fields show internal statistics used by A10 Customer Support.
Active mode stats
Standby mode stats

Example

The following command shows the HA commands in the running-config:

AX#show ha config
ha id 1
ha group 1 priority 255
ha group 2 priority 255
ha time-interval 3
ha preemption-enable
ha conn-mirror ip 172.22.66.2


show ha mac
Description

Show the virtual MAC addresses associated with HA groups.

Syntax

show ha mac

Mode

Privileged EXEC and all Config levels

Usage

The following command shows the virtual MAC addresses for configured
HA groups 1 and 2:

AX#show ha mac
HA Group

MACs

021f.a000.0021

021f.a000.0022

show health
Description

Show status information for health monitors.

Syntax

show health
{monitor [name] | external [name] | stat}
[all-partitions | partition name]

Parameter         Description
monitor [name]    Shows configuration settings and status for the specified health monitor.
external [name]   Shows configuration settings for the specified external health monitoring program.
stat              Shows health monitoring statistics. The statistics apply to all health monitoring activity on the AX Series device.

Mode

Privileged EXEC and all Config levels

Usage

To display health monitor information for a specific Role-Based Administration (RBA) partition only, use the partition name option.

Example

The following command shows configuration settings and status for health
monitor ping:

AX#show health monitor ping
Monitor Name:   ping
Interval:       30
Max Retry:      3
Timeout:        5
Status:         In use
Method:         ICMP

The output shows the method used for the monitor, and the settings for each
of the parameters that are configurable for that method.
Example

The following command shows the configuration settings of external health monitoring program http.tcl:

AX#show health external http.tcl
External Program   Description
http.tcl           check http method
!!! Content Begin !!!
set ax_env(Result) 1
# Open a socket
if {[catch {socket $ax_env(ServerHost) $ax_env(ServerPort)} sock]} {
    puts stderr "$ax_env(ServerHost): $sock"
} else {
    fconfigure $sock -buffering none -eofchar {}
    # Send the request
    puts $sock "GET / HTTP/1.0\n"
    # Wait for the response from http server
    set line [read $sock]
    if { [ regexp "HTTP/1.. (\[0-9\]+) " $line match status] } {
        puts "server $ax_env(ServerHost) response : $status"
    }
    close $sock
    # Check exit code
    if { $status == 200 } {
        set ax_env(Result) 0
    }
}
!!! Content End !!!

Example

The following command shows health monitoring statistics:

AX#show health stat
Health monitor statistics
Total run time:              : 2 hours 1345 seconds
Number of burst:             : 0
Number of timer adjustment:  : 0
Timer offset:                : 0
Opened socket:               : 1140
Open socket failed:          : 0
Close socket:                : 1136
Send packet:                 : 0
Send packet failed:          : 259379
Receive packet:              : 0
Receive packet failed        : 0
Retry times:                 : 4270
Timeout:                     : 0
Unexpected error:            : 0

IP address     Port  Health monitor  Status  Cause(Up/Down/Retry)  PIN
--------------------------------------------------------------------------------
10.10.10.99          default         Down    0 /48 /854            2 /0
4.4.4.4              default         Down    0 /48 /854            2 /0
8.4.3.2              default         Down    0 /48 /854            2 /0
99.99.99.99          default         Down    0 /48 /854            2 /0
10.10.10.88          default         Down    0 /48 /854            2 /0
10.10.10.88    80    qrs             Down    0 /34 /0              2 /0
10.10.10.88    80    tuv             Down    0 /34 /0              2 /0
10.10.10.88    80    wxyz            Down    0 /34 /0              2 /0

Table 35 describes the fields in the command output.


TABLE 35 show health stat fields
Field                        Description
Total run time               Time elapsed since the health monitoring process started.
Number of burst              Number of times the system detected that a health check would leave the AX device as a traffic burst, and remedied the situation.
Number of timer adjustment   Number of times the system made internal time keeping adjustments to synchronize with the system clock.
Timer offset                 Offset of internal time keeping from the system clock, in microseconds.
Opened socket                Number of sockets opened.
Open socket failed           Number of failed attempts to open a socket.
Close socket                 Number of sockets closed.
Send packet                  Number of health check packets sent to the target of the health monitor.
Send packet failed           Number of sent health check packets that failed. (This is the number of times a target server or service failed its health check.)
Receive packet               Number of packets received from the target in reply to health checks.
Receive packet failed        Number of failed receive attempts.
Retry times                  Number of times a health check was resent because the target did not reply.
Timeout                      Number of times a response was not received before the health check timed out.
Unexpected error             Number of unexpected errors that occurred.
IP address                   IP address of the real server.
Port                         Protocol port on the server.
Health monitor               Name of the health monitor.
                             If the name is default, the default health monitor settings for the protocol port type are being used. (See health-check on page 382 for Layer 3 health checks or port on page 383 for Layer 4-7 health checks.)
Status                       Indicates whether the service passed the most recent health check.
Cause (Up/Down/Retry)        Up and Down show internal codes for the reasons the health check reported the server or service to be up or down. (See show health stat Up / Down Causes on page 713.)
                             For Retry, shows the number of retries.
PIN                          Indicates the following:
                             Current number of retries - Displayed to the left of the slash ( / ). The number of times the most recent health check was retried before a response was received or the maximum number of retries was used.
                             Current successful up-retries - Displayed to the right of the slash ( / ). Number of successful health check replies received for the current health check. This field is applicable if the up-retry option is configured for the health check. (See health monitor on page 111.)

show history
Description

Show the CLI command history for the current session.

Syntax

show history

Mode

Privileged EXEC and all Config levels

Usage

Commands are listed starting with the oldest command, which appears at
the top of the list.

Example

The following example shows commands entered by the tech writer while
drafting this chapter:

AX#show history
enable
show version
show access-list
show admin
show admin admin
show admin detail
show admin session
show admin admin detail
show arp
show arp 192.168.1.144
show aflex
show bootimage
show bw-list sample-bw-list 1.1.1.1
show bw-list
show clock
show clock detail
show core
show cpu interval 1
show cpu interval 10
show debug
show disk
show dumpthread
--MORE--

show icmp
Description

Show ICMP rate limiting configuration settings and statistics.

Syntax

show icmp

Mode

Privileged EXEC and all Config levels

Example

The following command shows ICMP rate limiting settings, and the number
of ICMP packets dropped because the threshold has been exceeded:

AX(config)#show icmp
Global rate limit:                 5
Global lockup rate limit:          10
Lockup period:                     20
Current global rate:               0
Global rate limit drops:           0
Interfaces rate limit drops:       0
Virtual server rate limit drops:   0
Total rate limit drops:            0

show interfaces
Description

Display interface configuration and status information.

Syntax

show interfaces [brief] | [ethernet [port-num]] |
[ve [vlan-id]] | [loopback num] | [management]

Mode

Privileged EXEC and all Config levels

Example

The following example shows brief interface information:

AX#show interfaces brief
Port  Link  Dupl  Speed  Trunk  Vlan  MAC             IP Address          Total IPs
------------------------------------------------------------------------------------
mgmt  Up    Full  100    N/A    N/A   0090.0b0a.a594  192.168.20.241/24   1
1     Up    Full  1000   None   1     0090.0b0a.a596  10.10.10.241/24     5
2     Up    Full  1000   None   1     0090.0b0a.a597  20.20.20.241/24     1
3     Down  None  None   None   1     0090.0b0a.a598  0.0.0.0/0           0
4     Down  None  None   None   1     0090.0b0a.a599  0.0.0.0/0           0
5     Disb  None  None   None   1     0090.0b0a.a59a  0.0.0.0/0           0
6     Disb  None  None   None   1     0090.0b0a.a59b  0.0.0.0/0           0
7     Up    Full  1000   None   1     0090.0b0a.a59c  70.70.70.241/24     4
8     Disb  None  None   None   1     0090.0b0a.a59d  0.0.0.0/0           0
...
ve4   Down  N/A   N/A    N/A    4     0090.0b0a.a597  60.60.60.241/24     2
ve6   Up    N/A   N/A    N/A    5     0090.0b0a.a597  99.99.99.241/24     1
lo2   Up    N/A   N/A    N/A    N/A   N/A             68.67.65.64/23      3

Example

The following example shows information for Ethernet port 1:

AX#show interfaces ethernet 1
Ethernet 1 is up, line protocol is up
Hardware is GigabitEthernet, Address is 0090.0b0a.a596
Internet address is 10.10.10.241, Subnet mask is 255.255.255.0
Internet address is 10.10.10.242, Subnet mask is 255.255.255.0
Internet address is 10.10.10.243, Subnet mask is 255.255.255.0
Internet address is 10.10.10.244, Subnet mask is 255.255.255.0
Internet address is 10.10.11.244, Subnet mask is 255.255.255.0
Configured Speed auto, Actual 1Gbit, Configured Duplex auto, Actual fdx
Member of L2 Vlan 1, Port is Untagged
Flow Control is enabled, IP MTU is 1500 bytes
Port as Mirror disabled, Monitoring this Port disabled
0 packets input, 0 bytes
Received 0 broadcasts, Received 0 multicasts, Received 0 unicasts
0 input errors, 0 CRC 0 frame
0 runts 0 giants
0 packets output 0 bytes
Transmitted 0 broadcasts 0 multicasts 0 unicasts
0 output errors 0 collisions
300 second input rate: 158073232 bits/sec, 154368 packets/sec, 15% utilization
300 second output rate: 35704 bits/sec, 5 packets/sec, 0% utilization

Example

The following example shows information for loopback interface 8:

AX#show interfaces loopback 8


Loopback 8 is up, line protocol is up
Hardware is Loopback
Internet address is 10.10.10.55, Subnet mask is 255.255.255.0

show ip dns
Description

Display the DNS configuration.

Syntax

show ip dns

Mode

Privileged EXEC and all Config levels

Example

The following command shows the DNS configuration on an AX Series device:

AX#show ip dns
DNS suffix: org
Primary server: 192.168.1.50
Secondary server: None

show ip fib
Description

Display Forwarding Information Base (FIB) entries.

Note:

This command is applicable only on AX Series devices that are configured in route mode. The command returns an error if you enter it on a device configured for transparent mode.

Syntax

show ip fib

Mode

Privileged EXEC and all Config levels

Example

The following command shows the FIB entries on an AX Series device configured in route mode:

AX#show ip fib
Prefix             Next Hop        Interface  Metric  Index
------------------------------------------------------------------------
0.0.0.0 /0         192.168.20.1    ve10       0       0
192.168.20.0 /24   0.0.0.0         ve10       0       0
Total routes = 2

show ip helper-address
Description

Display DHCP relay information.

Syntax

show ip helper-address [detail]

Mode

Privileged EXEC and all Config levels

Example

The following command shows summary DHCP relay information:

AX3200(config)#show ip helper-address
Interface Helper-Address RX           TX           No-Relay     Drops
--------- -------------- ------------ ------------ ------------ ------------
eth1      100.100.100.1  0            0            0            0
ve5       100.100.100.1  1669         1668         0            1
ve7                      1668         1668         0            0
ve8       100.100.100.1  0            0            0            0
ve9       20.20.20.102   0            0            0            0

Table 36 describes the fields in the command output.

TABLE 36 show ip helper-address fields
Field            Description
Interface        AX interface. Interfaces appear in the output in either of the following cases:
                 A helper address is configured on the interface.
                 DHCP packets are sent or received on the interface.
Helper-Address   Helper address configured on the interface.
RX               Number of DHCP packets received on the interface.
TX               Number of DHCP packets sent on the interface.
No-Relay         Number of packets that were examined for DHCP relay but were not relayed, and instead received regular Layer 2/3 processing.
                 Generally, this counter increments in the following cases:
                 DHCP packets are received on an interface that does not have a helper address and the packets are not destined to the relay.
                 DHCP packets are received on an interface that does have a helper address, but the packets are unicast directly from the client to the server and do not need relay intervention.
Drops            Number of packets that were ineligible for relay and were dropped.

Example

The following command shows detailed DHCP relay information:

AX#show ip helper-address detail
IP Interface: eth1
------------
Helper-Address: 100.100.100.1
Packets:
RX: 0
BootRequest Packets : 0
BootReply Packets   : 0
TX: 0
BootRequest Packets : 0
BootReply Packets   : 0
No-Relay: 0
Drops:
Invalid BOOTP Port  : 0
Invalid IP/UDP Len  : 0
Invalid DHCP Oper   : 0
Exceeded DHCP Hops  : 0
Invalid Dest IP     : 0
Exceeded TTL        : 0
No Route to Dest    : 0
Dest Processing Err : 0

IP Interface: ve5
------------
Helper-Address: 100.100.100.1
Packets:
RX: 16
BootRequest Packets : 16
BootReply Packets   : 0
TX: 14
BootRequest Packets : 0
BootReply Packets   : 14
No-Relay: 0
Drops:
Invalid BOOTP Port  : 0
Invalid IP/UDP Len  : 0
Invalid DHCP Oper   : 0
Exceeded DHCP Hops  : 0
Invalid Dest IP     : 0
Exceeded TTL        : 0
No Route to Dest    : 2
Dest Processing Err : 0

IP Interface: ve7
------------
Helper-Address: None
Packets:
RX: 14
BootRequest Packets : 0
BootReply Packets   : 14
TX: 14
BootRequest Packets : 14
BootReply Packets   : 0
No-Relay: 0
Drops:
Invalid BOOTP Port  : 0
Invalid IP/UDP Len  : 0
Invalid DHCP Oper   : 0
Exceeded DHCP Hops  : 0
Invalid Dest IP     : 0
Exceeded TTL        : 0
No Route to Dest    : 0
Dest Processing Err : 0

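The per-interface drop counters in this output are the ones worth watching from a monitoring job. The following Python parser is an added example, not part of the A10 manual or A10 software: it reads saved show ip helper-address detail text and lists interfaces with non-zero drop counters. The function names are hypothetical and the sample text is constructed from the ve5 and ve7 entries above.

```python
# Added example: parse saved "show ip helper-address detail" output and
# report which interfaces have non-zero DHCP relay drop counters.
# SAMPLE is constructed from the ve5 and ve7 entries in the manual's example.
SAMPLE = """\
IP Interface: ve5
------------
Helper-Address: 100.100.100.1
Packets:
RX: 16
BootRequest Packets : 16
BootReply Packets   : 0
TX: 14
BootRequest Packets : 0
BootReply Packets   : 14
No-Relay: 0
Drops:
Invalid BOOTP Port  : 0
Invalid IP/UDP Len  : 0
Invalid DHCP Oper   : 0
Exceeded DHCP Hops  : 0
Invalid Dest IP     : 0
Exceeded TTL        : 0
No Route to Dest    : 2
Dest Processing Err : 0

IP Interface: ve7
------------
Helper-Address: None
Packets:
RX: 14
BootRequest Packets : 0
BootReply Packets   : 14
TX: 14
BootRequest Packets : 14
BootReply Packets   : 0
No-Relay: 0
Drops:
Invalid BOOTP Port  : 0
Exceeded TTL        : 0
No Route to Dest    : 0
"""


def parse_helper_detail(text):
    """Return {interface: {"helper", "rx", "tx", "no_relay", "drops"}}."""
    result, rec, section = {}, None, None
    for raw in text.splitlines():
        # Separator rows are all dashes; some captures fuse them onto the
        # next field, so strip leading dashes before looking for "key: value".
        line = raw.strip().lstrip("-").strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "IP Interface":
            rec = {"helper": None, "rx": {}, "tx": {}, "no_relay": 0, "drops": {}}
            result[value] = rec
            section = None
        elif rec is None:
            continue                      # text before the first interface
        elif key == "Helper-Address":
            rec["helper"] = None if value == "None" else value
        elif key in ("RX", "TX"):
            section = rec[key.lower()]    # following counters belong here
            section["total"] = int(value)
        elif key == "No-Relay":
            rec["no_relay"] = int(value)
        elif key == "Drops":
            section = rec["drops"]
        elif value.isdigit() and section is not None:
            section[key] = int(value)
    return result


def nonzero_drops(parsed):
    """Return {interface: {counter: count}} for counters above zero."""
    return {
        iface: {name: n for name, n in rec["drops"].items() if n}
        for iface, rec in parsed.items()
        if any(rec["drops"].values())
    }


if __name__ == "__main__":
    for iface, counters in nonzero_drops(parse_helper_detail(SAMPLE)).items():
        print(iface, counters)
```
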
Table 37 describes the fields in the command output.

TABLE 37 show ip helper-address detail fields
Field            Description
IP Interface     AX interface.
Helper-Address   IP address configured on the AX interface as the DHCP helper address.
Packets          DHCP packet statistics:
                 RX - Total number of DHCP packets received on the interface.
                   BootRequest Packets - Number of DHCP boot request packets (Op = BOOTREQUEST) received on the interface.
                   BootReply Packets - Number of DHCP boot reply packets (Op = BOOTREPLY) received on the interface.
                 TX - Total number of DHCP packets sent on the interface.
                   BootRequest Packets - Number of DHCP boot request packets (Op = BOOTREQUEST) sent on the interface.
                   BootReply Packets - Number of DHCP boot reply packets (Op = BOOTREPLY) sent on the interface.
No-Relay         Number of packets that were examined for DHCP relay but were not relayed, and instead received regular Layer 2/3 processing.
                 Generally, this counter increments in the following cases:
                 DHCP packets are received on an interface that does not have a helper address and the packets are not destined to the relay.
                 DHCP packets are received on an interface that does have a helper address, but the packets are unicast directly from the client to the server and do not need relay intervention.
Drops            Lists the following counters for packets dropped on the interface:
                 Invalid BOOTP Port - Number of packets dropped because they had UDP destination port 68 (BOOTPC).
                 Invalid IP/UDP Len - Number of packets dropped because the IP or UDP length of the packet was shorter than the minimum required length for DHCP headers.
                 Invalid DHCP Oper - Number of packets dropped because the Op field in the packet header did not contain BOOTREQUEST or BOOTREPLY.
                 Exceeded DHCP Hops - Number of packets dropped because the number in the Hops field was higher than 16.
                 Invalid Dest IP - Number of packets dropped because the destination was invalid for relay.
                 Exceeded TTL - Number of packets dropped because the TTL value was too low (less than or equal to 1).
                 No Route to Dest - Number of packets dropped because the relay agent (AX device) did not have a valid forwarding entry towards the destination.
                 Dest Processing Err - Number of packets dropped because the relay agent experienced an error in sending the packet towards the destination.
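
The drop conditions in Table 37 that depend only on the packet itself can be written out as code. This Python block is an added example, not A10 code, and the manual does not show how the AX device implements these checks. The order of the checks and the 236-byte minimum BOOTP length are assumptions, the function names are hypothetical, and the packets are constructed samples.

```python
# Added example: classify a raw IPv4/UDP/BOOTP packet against the
# packet-level drop conditions listed in Table 37.
import struct
from collections import Counter

BOOTPC_PORT = 68              # Table 37: UDP destination port 68 is dropped
MAX_HOPS = 16                 # Table 37: Hops field higher than 16 is dropped
BOOTREQUEST, BOOTREPLY = 1, 2
UDP_HDR_LEN = 8
BOOTP_MIN_LEN = 236           # assumption: RFC 951 fixed header; the manual gives no figure


def build_packet(op=BOOTREQUEST, hops=0, ttl=64, dport=67, bootp_len=BOOTP_MIN_LEN):
    """Build a constructed test packet (addresses and checksums are dummies)."""
    bootp = (bytes([op, 1, 6, hops]) + bytes(bootp_len))[:bootp_len]
    udp = struct.pack("!HHHH", 68, dport, UDP_HDR_LEN + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                     bytes(4), b"\xff\xff\xff\xff")
    return ip + udp


def drop_reason(packet):
    """Return the Table 37 drop counter the packet would hit, or None.

    Invalid Dest IP, No Route to Dest and Dest Processing Err depend on the
    relay's own state and are not modelled here.
    """
    if len(packet) < 20:
        return "Invalid IP/UDP Len"
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if proto != 17:
        raise ValueError("not a UDP packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + UDP_HDR_LEN:
        return "Invalid IP/UDP Len"
    _sport, dport, udp_len, _csum = struct.unpack(
        "!HHHH", packet[ihl:ihl + UDP_HDR_LEN])
    if dport == BOOTPC_PORT:
        return "Invalid BOOTP Port"
    need = UDP_HDR_LEN + BOOTP_MIN_LEN
    # Check the declared lengths and the bytes actually present.
    if udp_len < need or total_len < ihl + need or len(packet) < ihl + need:
        return "Invalid IP/UDP Len"
    bootp_off = ihl + UDP_HDR_LEN
    op, hops = packet[bootp_off], packet[bootp_off + 3]
    if op not in (BOOTREQUEST, BOOTREPLY):
        return "Invalid DHCP Oper"
    if hops > MAX_HOPS:
        return "Exceeded DHCP Hops"
    if ttl <= 1:
        return "Exceeded TTL"
    return None


def tally(packets):
    """Count drop reasons over a batch, as the Drops section of the output does."""
    return Counter(r for r in map(drop_reason, packets) if r)


if __name__ == "__main__":
    batch = [build_packet(), build_packet(hops=17), build_packet(ttl=1),
             build_packet(op=3), build_packet(dport=68)]
    for name, count in sorted(tally(batch).items()):
        print(f"{name:20s}: {count}")
```
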

show ip interfaces
Description

Display IP interfaces.

Syntax

show ip interfaces
[ethernet port-num] |
[ve ve-num] |
[loopback lb-num] |
[management]

Mode

Privileged EXEC and all Config levels

Example

The following command shows the IP interfaces configured on Ethernet interface 1:

AX#show ip interfaces ethernet 1
IP addresses on ethernet 1:
ip 10.10.10.241 netmask 255.255.255.0 (Primary)
ip 10.10.10.242 netmask 255.255.255.0
ip 10.10.10.243 netmask 255.255.255.0
ip 10.10.10.244 netmask 255.255.255.0
ip 10.10.11.244 netmask 255.255.255.0
AX(config-if:ethernet1)#show ip interfaces ve
Port  IP              Netmask         PrimaryIP
-------------------------------------------------
ve4   60.60.60.241    255.255.255.0   Yes
      50.60.60.241    255.255.252.0   No
-------------------------------------------------
ve6   99.99.99.241    255.255.255.0   Yes

The PrimaryIP column indicates whether the address is the primary IP address for the interface. (For more information, see ip address on page 188.)

show ip nat
Description

Display NAT information.

Syntax

show ip nat option

Option                          Description
alg pptp statistics             Shows statistics for NAT Application Layer Gateway (ALG) for Point-to-Point Tunneling Protocol (PPTP).
interfaces                      Shows the NAT direction enabled on each interface.
pool [pool-name] [statistics]   Shows pool information.
pool-group [pool-group-name]    Shows pool group information.
range-list range-name           Shows configured static NAT ranges.
static-binding [ipaddr] | [statistics [ipaddr]]
                                Shows configuration information or statistics for static NAT bindings.
statistics                      Shows NAT statistics.
timeouts                        Shows the timer settings.
translations                    Shows currently active NAT translations.

Mode

Privileged EXEC and all Config levels

Example

The following command shows the NAT interface settings:

AX#show ip nat interfaces
Total IP NAT Interfaces configured: 2
Interface   NAT Direction
-----------------------------
ve10        outside
ve11        inside

Example

The following command shows the configured NAT pools:

AX#show ip nat pool
Total IP NAT Pools: 6
Pool Name   Start Address    End Address      Mask  Gateway   HA Group
----------------------------------------------------------------------------
172.pool1   192.168.66.201   192.168.66.201   /24   0.0.0.0   1
172.pool3   192.168.66.215   192.168.66.217   /24   0.0.0.0   1

Example

The following command shows NAT pool statistics:

AX#show ip nat pool statistics
Pool        Address          Port Usage   Total Used   Total Freed
---------------------------------------------------------------------------
172.pool1   192.168.66.201   0            0            0
Pool        Address          Port Usage   Total Used   Total Freed
---------------------------------------------------------------------------
172.pool3   192.168.66.215   0            0            0
            192.168.66.216   0            0            0
            192.168.66.217   0            0            0

In the show ip nat pool statistics output, the Address column lists the
source addresses that are bound to NAT addresses. The Port Usage column
indicates how many sessions are currently being NATted for each address.
Each session counted here uses a unique TCP or UDP protocol port. ICMP
traffic does not cause this counter to increment.
The Total Used column indicates the total number of sessions that have
been NATted for the source address. The Total Freed column indicates how
many NATted sessions have been terminated, thus freeing up a port for
another session.

Example

The following command displays statistics for static source NAT bindings:

AX#show ip nat static-binding statistics
Source Address   Port Usage   Total Used   Total Freed
-----------------------------------------------------------------------------
30.30.31.35      1727         329756       328029
30.30.31.36      1799         343950       342151
30.30.31.37      1793         346257       344464
30.30.31.38      1829         232605       230776
30.30.31.39      1738         241147       240937
30.30.31.40      1774         286022       284248

Example

The following command shows NAT statistics:

AX#show ip nat statistics
Outside interfaces: ethernet1
Inside interfaces:  ethernet3
Hits: 1    Misses: 0
Outbound TCP sessions created: 6
Outbound UDP sessions created: 7
Outbound ICMP sessions created: 8
Inbound TCP sessions created: 8
Inbound UDP sessions created: 2
Dynamic mappings:
-- Inside Source
access-list 1 pool p2
start 192.168.217.200 end 192.168.217.200
total addresses 1, allocated 0, misses 0

Example

The following command shows NAT timeout settings:

AX#show ip nat timeouts
NAT Timeout values in seconds:
SYN   TCP   UDP   ICMP
------------------------
60    300   300   fast
Service 53/udp has fast-aging configured

In this example, the output indicates that fast aging is used for IP NATted
ICMP sessions, and for IP NATted DNS sessions on port 53.
The message at the bottom of the display indicates that the fast aging setting
(SLB MSL timeout) will be used for IP NATted UDP sessions on port 53. If
the message is not shown in the output, then the timeout shown under
UDP will be used instead.

The following command displays PPTP NAT ALG statistics.
AX(config-if:ethernet2)#show ip nat alg pptp statistics
Statistics for PPTP NAT ALG:
-----------------------------
Calls In Progress:           10
Call Creation Failure:
Truncated PNS Message:
Truncated PAC Message:
Mismatched PNS Call ID:
Mismatched PAC Call ID:
Retransmitted PAC Message:
Truncated GRE Packets:
Unknown GRE Packets:
No Matching Session Drops:


Table 38 describes the fields in the command output.


TABLE 38 show ip nat alg pptp statistics fields
Field                       Description
Calls In Progress           Current call attempts, counted by inspecting the TCP control session. This counter will decrease once the first GRE packet arrives.
Call Creation Failure       Number of times a call could not be set up because the AX device ran out of memory or other system resources.
Truncated PNS Message       Number of runt TCP PPTP messages received from clients.
Truncated PAC Message       Number of runt TCP PPTP messages received from servers.
Mismatched PNS Call ID      Number of calls that were disconnected because the GRE session had the wrong Call ID.
Mismatched PAC Call ID      Number of calls that were disconnected because they had the wrong Call ID.
Retransmitted PAC Message   Number of TCP packets retransmitted from PAC servers.
Truncated GRE Packets       Number of runt GRE packets received by the AX device.
Unknown GRE Packets         Number of GRE packets that were not used for PPTP and were dropped.
No Matching Session Drops   Number of GRE PPTP packets sent with no current call.

show ip nat lsn
Description

Show information for Large-Scale NAT (LSN).

Syntax

show ip nat lsn
[
full-cone-sessions |
pool-statistics |
port-reservations |
statistics |
user-quota-sessions
]

Parameter             Description
full-cone-sessions    Shows currently active full-cone sessions.
pool-statistics       Shows statistics related to IP address pools used for LSN.
port-reservations     Shows configured LSN static port reservations.
statistics            Shows global statistics related to LSN.
user-quota-sessions   Shows currently active user quota sessions.

Mode

Privileged EXEC and all configuration levels

Example

The following commands display LSN information:

AX(config)#end
AX#show class-list list1
Name:              list1
Total single IP:   0
Total IP subnet:   2
Content:
192.168.1.0 /24 lsn-lid 2
192.168.0.0 /16 lsn-lid 1
AX#show ip nat lsn full-cone-sessions
LSN Full Cone Sessions:
Prot  Inside Address     NAT Address       Conns  Pool   CPU  Age
--------------------------------------------------------------------------------------------------
UDP   1.0.208.99:1105    6.6.0.158:1345    1      pool1  1    0
UDP   1.4.144.150:1093   6.6.0.140:31573   1      pool1  4    0
UDP   1.0.167.140:1117   6.6.0.145:12277   1      pool1  13   0
AX#show ip nat lsn user-quota-sessions
LSN User-Quota Sessions:
Inside Address  NAT Address  ICMP  UDP  TCP  Pool   LID
---------------------------------------------------------------------------------------
1.1.138.159     6.6.0.158    0     3    0    pool1  3
1.0.235.149     6.6.0.134    0     3    0    pool1  3
1.0.35.54       6.6.0.188    0     2    0    pool1  3
AX#show ip nat lsn port-reservations
LSN Port Reservations
Inside Address  Start  End   NAT Address  Start  End
--------------------------------------------------------------------------------------
10.0.0.1        80     1024  172.7.7.30   80     1024
AX#show ip nat lsn pool-statistics
LSN Address Pool Statistics:
----------------------------
pool0
Address     Users  ICMP  Freed  Total  UDP  Freed  Total  Rsvd  TCP  Freed  Total  Rsvd
--------------------------------------------------------------------------------------------------------
172.7.7.20  0      0     0      0      0    0      0      0     0    0      0      0
172.7.7.21  0      0     0      0      0    0      0      0     0    0      0      0
172.7.7.22  0      0     0      0      0    0      0      0     0    0      0      0
172.7.7.23  0      0     0      0      0    0      0      0     0    0      0      0
172.7.7.24  0      0     0      0      0    0      0      0     0    0      0      0
172.7.7.25  0      0     0      0      0    0      0      0     0    0      0      0
172.7.7.26  0      0     0      0      0    0      0      0     0    0      0      0
172.7.7.27  0      0     0      0      0    0      0      0     0    0      0      0
172.7.7.28  0      0     0      0      0    0      0      0     0    3      3      0
172.7.7.29  0      0     0      0      0    0      0      0     0    0      0      0


Table 39 describes the fields in the show ip nat lsn pool-statistics output.

TABLE 39 show ip nat lsn pool-statistics fields

Field         Description
Address       NAT (global) IP address.
Users         Number of inside IP addresses currently using the NAT IP address.
ICMP          Number of ICMP identifiers currently in use.
Freed (ICMP)  Total number of ICMP identifiers freed.
Total (ICMP)  Total number of ICMP identifiers allocated.
              ICMP column + Freed column = Total column.
UDP           Number of UDP ports currently in use.
Freed (UDP)   Total number of UDP ports freed.
Total (UDP)   Total number of UDP ports allocated.
              UDP column + Freed column = Total column.
Rsvd (UDP)    Total of all UDP reserve settings for each user that is currently using the NAT IP address.
              For example, if an LID has the setting user-quota udp 100 reserve 50, and there are 50 users
              using the LID on the NAT IP address, the Rsvd value is 50*50 = 2500.
TCP           Number of TCP ports currently in use.
Freed (TCP)   Total number of TCP ports freed.
Total (TCP)   Total number of TCP ports allocated.
              TCP column + Freed column = Total column.
Rsvd (TCP)    Total of all TCP reserve settings for each user that is currently using the NAT IP address.
              For example, if an LID has the setting user-quota tcp 100 reserve 60, and there are 10 users
              using the LID on the NAT IP address, the Rsvd value is 10*60 = 600.

show {ip | ipv6} ospf


Description

Display configuration information and statistics for OSPFv2 processes or OSPFv3 instances.

Syntax

show ip ospf [process-id]
show ipv6 ospf [tag]

Parameter

Description

process-id

Specifies the OSPFv2 process. If you omit this option, settings for all configured OSPFv2 processes are displayed.

tag

Specifies the OSPFv3 instance. If you omit this option, settings for all configured OSPFv3 instances are displayed.

Mode

Privileged EXEC and all configuration levels

Example

The following command shows information for OSPFv2 instance 0:

AX#show ip ospf 0
Routing Process "ospf 0" with ID 1.1.1.1
Process uptime is 3 hours 12 minutes
Process bound to VRF default
Conforms to RFC2328, and RFC1583 Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Graceful Restart
This router is an ASBR (injecting external routing information)
SPF schedule delay min 0.500 secs, SPF schedule delay max 50.0 secs
Refresh timer 10 secs
Number of incoming current DD exchange neighbors 0/5
Number of outgoing current DD exchange neighbors 0/5
Number of external LSA 0. Checksum 0x000000
Number of opaque AS LSA 0. Checksum 0x000000
Number of non-default external LSA 0
External LSA database is unlimited.
Number of LSA originated 2
Number of LSA received 79
Number of areas attached to this router: 1
Area 1 (NSSA)
Number of interfaces in this area is 2(2)
Number of fully adjacent neighbors in this area is 2
Number of fully adjacent virtual neighbors through this area is 0
Area has no authentication
SPF algorithm last executed 02:07:40.860 ago
SPF algorithm executed 16 times
Number of LSA 10. Checksum 0x06b2fa
NSSA Translator State is disabled
Shortcutting mode: Default, S-bit consensus: ok

show ip ospf border-routers


Description

Display route information for OSPFv2 ABRs and ASBRs.

Syntax

show ip ospf border-routers

Mode

Privileged EXEC and all configuration levels

Example

The following command shows route information for ABRs and ASBRs:

AX#show ip ospf border-routers


OSPF process 0 internal Routing Table
Codes: i - Intra-area route, I - Inter-area route
i 3.3.3.3 [1] via 10.0.0.1, ve 1, ABR, ASBR, Area 0.0.0.1

show ip ospf database


Description

Displays information about the OSPFv2 databases on the device.


Note:

The options are different for OSPFv3. See show ipv6 ospf database on page 614.

Syntax

show ip ospf database
[
adv-router ipaddr |
{asbr-summary | external | network |
nssa-external | opaque-area | opaque-as |
opaque-link | router | summary}
[[ipaddr [adv-router ipaddr]
[self-originate]] | [adv-router ipaddr] |
[self-originate]] |
max-age |
self-originate
]

Parameter

Description

adv-router ipaddr

Displays LSA information for the specified advertising router.

asbr-summary

Displays information about ASBR summary LSAs.

max-age

Displays information for the LSAs that have reached the maximum age allowed, which is 3600 seconds.

self-originate

Displays information for LSAs originated by this OSPF router.

external

Displays information about external LSAs.

network

Displays information about network LSAs.

nssa-external

Displays information about NSSA external LSAs.

opaque-area

Displays information about Type-10 Opaque LSAs. Type-10 Opaque LSAs are LSAs with local-area scope (link state type 10), and are not flooded outside the local area.

opaque-as

Displays information about Type-11 LSAs, which are flooded throughout the Autonomous System (AS).

opaque-link

Displays information about Type-9 LSAs. Type-9 LSAs have link-local scope, and are not flooded beyond the local network.

router

Displays information about router LSAs.

summary

Displays information about summary LSAs.

The following suboptions are available for the external, network, nssa-external, opaque-area, opaque-as, opaque-link, router, and summary options:

ipaddr

Displays LSA information for a specific link-state ID (expressed as an IP address).

adv-router ipaddr

Displays LSA information for the specified advertising router.

self-originate

Displays information for LSAs originated by this OSPF router.

Mode

Privileged EXEC and all configuration levels

Example

The following command shows the OSPFv2 database:

AX#show ip ospf database

Router Link States (Area 0.0.0.1 [NSSA])

Link ID    ADV Router  Age   Seq#        CkSum   Link count
1.1.1.1    1.1.1.1     1105  0x800000c9  0xcb72  2
2.2.2.2    2.2.2.2     638   0x80000008  0xdb92  2
3.3.3.3    3.3.3.3     1998  0x800000cb  0x47c1  2
4.4.4.4    4.4.4.4     1717  0x800000f6  0xe1d2  3

Net Link States (Area 0.0.0.1 [NSSA])

Link ID    ADV Router  Age   Seq#        CkSum
10.0.0.1   3.3.3.3     1998  0x80000006  0xec1b
11.0.0.1   3.3.3.3     203   0x80000005  0x14ef
13.0.0.2   4.4.4.4     1717  0x80000006  0xbf3c
14.0.0.1   4.4.4.4     1962  0x80000004  0xf207

Summary Link States (Area 0.0.0.1 [NSSA])

Link ID    ADV Router  Age   Seq#        CkSum   Route
0.0.0.0    3.3.3.3     1998  0x800000a3  0x99ed  0.0.0.0/0

NSSA-external Link States (Area 0.0.0.1 [NSSA])

Link ID    ADV Router  Age   Seq#        CkSum   Route            Tag
1.0.100.1  1.1.1.1     1105  0x8000008e  0x942a  E2 1.0.100.1/32  0

show ipv6 ospf database


Description

Displays information about the OSPFv3 databases on the device.

Syntax

show ipv6 ospf [instance-id] database
[
{external |
grace |
inter-prefix |
inter-router |
intra-prefix |
link |
network |
router}
[adv-router ipaddr]
]

Parameter

Description

external

Displays information about external LSAs.

grace

Displays information about grace LSAs, used during graceful restart.

inter-prefix

Displays information about Inter-Area-Prefix LSAs.

inter-router

Displays information about Inter-Area-Router LSAs.

intra-prefix

Displays information about Intra-Area-Prefix LSAs.

links

Displays information about link LSAs.

network

Displays information about network LSAs.

router

Displays information about router LSAs.

Each option above supports the following suboption:

adv-router ipaddr

Displays LSA information for the specified advertising router.

Mode

Privileged EXEC and all configuration levels

Example

The following command shows the OSPFv3 database:

AX#show ipv6 ospf database

OSPFv3 Router with ID (1.1.1.1) (Process *null*)

Link-LSA (Interface ve 1)

Link State ID  ADV Router  Age   Seq#        CkSum   Prefix
0.0.0.49       1.1.1.1     1121  0x8000008a  0xc927  1
0.0.0.8        3.3.3.3     1953  0x80000007  0x30cd  1

Link-LSA (Interface ve 2)

Link State ID  ADV Router  Age   Seq#        CkSum   Prefix
0.0.0.50       1.1.1.1     1121  0x80000096  0x08d8  1
0.0.0.8        4.4.4.4     1893  0x80000007  0xe638  1

Router-LSA (Area 0.0.0.0)

Link State ID  ADV Router  Age   Seq#        CkSum   Link
0.0.0.0        1.1.1.1     1114  0x800000b1  0xcafa  2
0.0.0.0        2.2.2.2     904   0x800000ab  0x61a6  2
0.0.0.0        3.3.3.3     1953  0x80000094  0xe52a  2
0.0.0.0        4.4.4.4     1893  0x800000a8  0x846b  2

Network-LSA (Area 0.0.0.0)

Link State ID  ADV Router  Age   Seq#        CkSum
0.0.0.8        3.3.3.3     1953  0x80000006  0xd40b
0.0.0.9        3.3.3.3     179   0x80000005  0xfedc
0.0.0.8        4.4.4.4     1893  0x80000006  0xd8fe
0.0.0.9        4.4.4.4     124   0x80000005  0x03d0

Intra-Area-Prefix-LSA (Area 0.0.0.0)

Link State ID  ADV Router  Age   Seq#        CkSum   Prefix  Reference
0.0.32.0       3.3.3.3     1953  0x80000006  0x9cb3  1       Network-LSA
0.0.36.0       3.3.3.3     179   0x80000005  0x90ba  1       Network-LSA
0.0.32.0       4.4.4.4     1893  0x80000006  0xec58  1       Network-LSA
0.0.36.0       4.4.4.4     124   0x80000005  0xe05f  1       Network-LSA

show {ip | ipv6} ospf interface


Description

Display OSPF information for an interface.

Syntax

show {ip | ipv6} ospf interface
{ethernet portnum | loopback num | management |
ve ve-num}

Mode

Privileged EXEC and all configuration levels

Example

The following command shows OSPFv2 information for interface VE 1:

AX#show ip ospf interface ve 1


ve 1 is up, line protocol is up
Internet Address 10.0.0.2/24, Area 0.0.0.1 [NSSA], MTU 1500
Process ID 0, Router ID 1.1.1.1, Network Type BROADCAST, Cost: 1
Transmit Delay is 1 sec, State Backup, Priority 1
Designated Router (ID) 3.3.3.3, Interface Address 10.0.0.1
Backup Designated Router (ID) 1.1.1.1, Interface Address 10.0.0.2
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:07
Neighbor Count is 1, Adjacent neighbor count is 1
Crypt Sequence Number is 1274173120
Hello received 1218 sent 1158, DD received 3 sent 4
LS-Req received 0 sent 1, LS-Upd received 52 sent 49
LS-Ack received 27 sent 35, Discarded 0

show ip ospf multi-area-adjacencies


Description

Display OSPFv2 multi-area adjacency information.

Syntax

show ip ospf multi-area-adjacencies

Mode

Privileged EXEC and all configuration levels

Example

The following command shows multi-area adjacency information:

AX#show ip ospf 1 multi-area-adjacencies


Multi-area-adjacency on interface eth1 to neighbor 20.20.20.10
Internet Address 20.20.20.11/24, Area 0.0.0.1, MTU 1500
Process ID 1, Router ID 10.10.10.10, Network Type POINTOPOINT, Cost: 10
Transmit Delay is 1 sec, State Point-To-Point
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:02
Neighbor Count is 0, Adjacent neighbor count is 0
Crypt Sequence Number is 1229928206
Hello received 0 sent 513, DD received 0 sent 0
LS-Req received 0 sent 0, LS-Upd received 0 sent 0
LS-Ack received 0 sent 0, Discarded 0


show {ip | ipv6} ospf neighbor


Description

Display information about OSPF neighbors.

Syntax

show ip ospf [process-id] neighbor
[ipaddr [detail]] |
[all] |
[detail [all]] |
[interface ipaddr]
show ipv6 ospf [tag] neighbor
[ipaddr [detail]] |
[detail [all]] |
[interface ipaddr]

Note:

The all option applies only to OSPFv2.

Parameter

Description

process-id

Specifies the OSPFv2 process. If you omit this option, information for all configured OSPFv2 processes is displayed.

tag

Specifies the OSPFv3 instance. If you omit this option, information for all configured OSPFv3 instances is displayed.

ipaddr [detail]

Displays information for the specified neighbor. For detailed information, use the detail option. For summary information, omit the detail option.

all

Includes neighbors whose status is Down. Without this option, down neighbors are not included in the output.

detail [all]

Displays detailed information for all neighbors. To include down neighbors in the output, use the all option.

interface ipaddr

Displays information for neighbors reachable through the specified IP interface.

Mode

Privileged EXEC and all configuration levels

Example

The following command shows information for OSPFv2 neighbors:

AX#show ip ospf neighbor

OSPF process 0:
Neighbor ID  Pri  State    Dead Time  Address   Interface  Instance ID
3.3.3.3      1    Full/DR  00:00:31   10.0.0.1  ve 1       0
4.4.4.4      1    Full/DR  00:00:30   13.0.0.2  ve 2       0

show ip ospf redistributed


Description

Display the routes that are being redistributed into OSPFv2.

Syntax

show ip ospf [process-id] redistributed
[
connected |
floating-ip |
ip-nat |
ip-nat-list |
ospf [process-id] |
rip |
selected-vip |
static |
vip
]

Note:

The bgp, isis, and kernel options are not applicable to the current release and are not supported.

Parameter

Description

process-id

Specifies the OSPFv2 process. If you omit this option, information for all configured OSPF instances is displayed.

connected

Displays redistributed routes to directly-connected networks.

floating-ip

Displays redistributed routes to floating IP addresses.

ip-nat

Displays redistributed routes to IP addresses assigned from an IP NAT pool.

ip-nat-list

Displays redistributed routes to IP addresses assigned from an IP NAT range list.

ospf [process-id]

Displays redistributed routes from other OSPFv2 processes.

rip

Displays redistributed routes from RIP.

selected-vip

Displays redistributed routes to SLB VIPs that are explicitly flagged for redistribution. This option is applicable if the only-flagged option was used with the redistribute vip command.

static

Displays redistributed static routes.

vip

Displays redistributed routes to SLB VIPs that are implicitly flagged for redistribution. This option is applicable if the only-not-flagged option was used with the redistribute vip command.

Mode

Privileged EXEC and all configuration levels

Usage

For more information on VIP redistribution, see Usage in redistribute on page 260.

show ip ospf route


Description

Display information for OSPFv2 routes.

Syntax

show ip ospf [process-id] route
show ipv6 ospf [tag] route

Parameter

Description

process-id

Specifies the OSPFv2 process. If you omit this option, information for all configured OSPFv2 processes is displayed.

tag

Specifies the OSPFv3 instance. If you omit this option, information for all configured OSPFv3 instances is displayed.

Mode

Privileged EXEC and all configuration levels

Example

The following command shows OSPFv2 routes:

AX#show ip ospf route


IA 0.0.0.0/0 [2] via 10.0.0.1, ve 1, Area 0.0.0.1
O 1.0.4.0/24 [2] via 13.0.0.2, ve 2, Area 0.0.0.1
C 10.0.0.0/24 [1] is directly connected, ve 1, Area 0.0.0.1
O 11.0.0.0/24 [2] via 10.0.0.1, ve 1, Area 0.0.0.1
C 13.0.0.0/24 [1] is directly connected, ve 2, Area 0.0.0.1
O 14.0.0.0/24 [2] via 13.0.0.2, ve 2, Area 0.0.0.1


show ipv6 ospf topology


Description

Display OSPFv3 topology information.

Syntax

show ipv6 ospf [tag] topology
[area area-id]

Parameter

Description

tag

Specifies the OSPFv3 instance. If you omit this option, information for all configured OSPFv3 instances is displayed.

area area-id

Displays OSPFv3 topology information for the specified area.

Mode

Privileged EXEC and all configuration levels

Example

The following command shows the OSPFv3 topology:

AX#show ipv6 ospf topology

OSPFv3 Process (*null*)
OSPFv3 paths to Area (0.0.0.0) routers
Router ID  Bits  Metric  Next-Hop  Interface
1.1.1.1    E     -
2.2.2.2          2       3.3.3.3   ve 1
                         4.4.4.4   ve 2
3.3.3.3    E     1       3.3.3.3   ve 1
4.4.4.4    E     1       4.4.4.4   ve 2

show {ip | ipv6} ospf virtual-links


Description

Display virtual link information.

Syntax

show ip ospf [process-id] virtual-links
show ipv6 ospf [tag] virtual-links

Parameter

Description

process-id

Specifies the OSPFv2 process. If you omit this option, information for all configured OSPFv2 processes is displayed.

tag

Specifies the OSPFv3 instance. If you omit this option, information for all configured OSPFv3 instances is displayed.

Mode

Privileged EXEC and all configuration levels

Example

The following command shows information for OSPFv2 virtual links:

AX(config)#show ip ospf virtual-link


Virtual Link VLINK1 to router 143.0.0.143 is up
Transit area 0.0.0.1 via interface ethernet 1
Local address 13.0.0.2/32
Remote address 13.0.0.1/32
Transmit Delay is 1 sec, State Point-To-Point,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:10
Adjacency state Full

show ip rip
Description

Show RIP route information.

Syntax

show ip rip

Mode

Privileged EXEC and all Config levels

Example

The following command shows RIP route information on an AX Series device that is running RIP:

AX#show ip rip
Codes: R - RIP, C - connected, S - Static, O - OSPF, B - BGP
Sub-codes:
(n) - normal, (s) - static, (d) - default, (r) - redistribute,
(i) - interface

    Network          Next Hop                  Metric From  Tag Time
R*  192.168.10.0/24  [120/2] via 192.168.10.1  00:12:42     ethernet4
R*  192.168.20.0/24  [120/2] via 192.168.10.1  00:12:42     ethernet4

The asterisk following R indicates that the route is the Forwarding Information Base (FIB) next hop.

show ip route
Description

Display the IP routing table.

Syntax

show ip route
[all | mgmt | ospf | rip | summary |
ipaddr [subnet-mask | /mask-length]]

Option

Description

all

Shows all types of routes.

mgmt

Shows management routes.

ospf

Shows OSPF routes.

rip

Shows RIP routes.

summary

Shows summary route information.

ipaddr [subnet-mask | /mask-length]

Shows static routes.

Mode

Privileged EXEC and all Config levels

Usage

The show ip route summary command displays summary information for all IP routes, including the total number of routes. The command output applies to both the data route table and the management route table, which are separate route tables.

The following commands display routes for only one of the route tables:

show ip route: Shows information for the data route table only.
show ip route mgmt: Shows information for the management route table only.

The total number of routes listed by the output differs depending on the command you use. For example, the total number of routes listed by the show ip route command includes only data routes, whereas the total number of routes listed by the show ip route summary command includes data routes and management routes.

Example

The following example shows the IP route table:

AX#show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF
S*  0.0.0.0/0 [1/0] via 192.168.20.1, ve 10
S*  192.168.1.0/24 [1/0] is directly connected, Management
C*  192.168.1.0/24 is directly connected, Management
C*  192.168.19.0/24 is directly connected, ve 10
Total number of routes : 4


show ipv6
Description

Display IPv6 route information.

Syntax

show ipv6
[
fib |
interfaces [ethernet portnum | ve ve-num |
loopback num | management] |
nat v6v4 [fragmentation] statistics |
ndisc router-advertisement
{ethernet portnum | ve ve-num | statistics} |
neighbor [ipaddr] |
route |
traffic
]

Option

Description

fib

Shows the IPv6 Forwarding Information Base (FIB).

interfaces [ethernet portnum | ve ve-num | loopback num | management]

Shows information about IPv6 interfaces.

nat v6v4 [fragmentation] statistics

Shows statistics for IPv6-IPv4 translation.

ndisc router-advertisement {ethernet portnum | ve ve-num | statistics}

Shows information about IPv6 router discovery.

neighbor [ipaddr]

Shows information about the AX Series device's IPv6 neighbors.

route

Shows IPv6 routes.

traffic

Shows IPv6 traffic statistics.

Mode

Privileged EXEC and all Config levels

Example

The following command shows IPv6 FIB entries:

AX(config)#show ipv6 fib

Prefix     Next Hop  Interface   Metric  Index
---------------------------------------------------------------------------
b101::/64  ::        Ethernet 6  256     0
Total routes = 1

Example

The following command shows IPv6 neighbors:

AX(config)#show ipv6 neighbor

Total IPv6 neighbor entries: 2
IPv6 Address              MAC Address     Type     Age  State      Interface   Vlan
--------------------------------------------------------------------------------------
b101::1112                0007.E90A.4402  Dynamic  30   Reachable  ethernet 6  1
fe80::207:e9ff:fe0a:4402  0007.E90A.4402  Dynamic  20   Reachable  ethernet 6  1

Example

The following command shows IPv6 traffic statistics:

Traffic Type   Received  Sent
--------------------------------------
Neigh Solicit  2         0
Neigh Adverts  2         2
Echo Request   0         0
Echo Replies   5         0
Errors         0         0

The following command displays configuration information for IPv6 router discovery on an Ethernet interface. In this example, the interface is VE 10.

AX#show ipv6 ndisc router-advertisement ve 10
Interface VE 10
Send Advertisements:                 Enabled
Max Advertisement Interval:          200
Min Advertisement Interval:          150
Advertise Link MTU:                  Disabled
Reachable Time:
Retransmit Timer:
Current Hop Limit:                   255
Default Lifetime:                    200
Max Router Solicitations Per Second: 100000
HA Group ID:                         None
Number of Advertised Prefixes:
Prefix 1:
Prefix:         2001:a::/96
On-Link:        True
Valid Lifetime: 4400
Prefix 2:
Prefix:         2001:32::/64
On-Link:        True
Valid Lifetime: 2592000

The following command displays router discovery statistics:

AX(config)#show ipv6 ndisc router-advertisement statistics
IPv6 Router Advertisement/Solicitation Statistics:
--------------------------------------------------
Good Router Solicitations (R.S.) Received:          1320
Periodic Router Advertisements (R.A.) Sent:         880
R.S. Rate Limited:
R.S. Bad Hop Limit:
R.S. Truncated:
R.S. Bad ICMPv6 Checksum:
R.S. Unknown ICMPv6 Code:
R.S. Bad ICMPv6 Option:
R.S. Src Link-Layer Option and Unspecified Address: 0
No Free Buffers to send R.A.:

The error counters apply to router solicitations (R.S.) that are dropped by the AX device.

The Src Link-Layer Option and Unspecified Address counter indicates the number of times the AX device received a router solicitation with source address :: (unspecified IPv6 address) and with the source link-layer (MAC address) option set.

Note:

In the current release, the AX device does not drop ICMPv6 packets that have bad (invalid) checksums.

show key-chain
Description

Show configuration information for an authentication key chain.

Syntax

show key-chain key name [key num]


Option

Description

name

Name of the key chain.

key num

Key number (1-255).

Mode

Privileged EXEC and all Config levels

Example

The following example shows the configuration commands for a key chain
named example_chain:

AX#show key-chain example_chain


key chain example_chain
key 1
key-string thisiskey1
key 2
key-string thisiskey2
key 3
key-string thisiskey3

show lid
Description

Show information for IP limiting rules.

Syntax

show lid [num]

Mode

Privileged EXEC and all Config levels

Example

The following command shows the configuration of each standalone IP limiting rule:

AX#show lid
lid 1
conn-limit 100
conn-rate-limit 100 per 10
request-limit 1
request-rate-limit 10 per 10
over-limit-action reset log 1
lid 2
conn-limit 20000
conn-rate-limit 2000 per 10
request-limit 200
request-rate-limit 200 per 1
over-limit-action reset log 3
lid 30
conn-limit 10000
conn-rate-limit 1000 per 1
over-limit-action forward log

Example

The following command shows the configuration of IP limiting rule 1:

AX#show lid 1
lid 1
conn-limit 100
conn-rate-limit 100 per 10
request-limit 1
request-rate-limit 10 per 10
over-limit-action reset log 1

show locale
Description

Display the configured CLI locale.

Syntax

show locale

Mode

Privileged EXEC and all Config levels

Example

The following command shows the locale configured on an AX Series device:

AX#show locale
en_US.UTF-8     English locale for the USA, encoding with UTF-8 (default)

show log
Description

Display entries in the syslog buffer or display current log settings (policy).
Log entries are listed starting with the most recent entry on top.

Syntax

show log [length num] [policy]


Option

Description

length num

Shows the most recent log entries, up to the number of entries you specify. You can specify 1-1000000 entries.

policy

Shows the log settings. To display log entries, omit this option.

Mode

Privileged EXEC and all Config levels

Example

The following command shows the log settings:

AX#show log policy

Syslog facility: local0
Flow-control: disable
Name     Level
----------------------------
Console  error
Buffer   debugging
Email    disable
Trap     disable
Syslog   debugging
Monitor  debugging

Example

The following command shows log entries.

AX#show log
Log Buffer: 30000
Jan 17 11:32:02  Warning  A10LB HTTP request has p-conn
Jan 17 11:31:01  Notice   The session [1] is closed
Jan 17 11:31:00  Info     Load libraries in 0.044 secs
Jan 17 11:26:19  Warning  A10LB HTTP request has p-conn
Jan 17 11:26:19  Warning  A10LB HTTP response not beginning of header: m counterType="1" hourlyCount="2396" dailyCount="16295" weeklyCount="16295" monthly
Jan 17 11:16:18  Warning  A10LB HTTP request has p-conn
Jan 17 11:16:01  Notice   The session [1] is closed
Jan 17 11:16:00  Info     Load libraries in 0.055 secs
Jan 17 11:15:22  Warning  A10LB HTTP request has p-conn
Jan 17 11:15:03  Notice   The session [1] is closed
Jan 17 11:14:33  Warning  A10LB HTTP request has p-conn
Jan 17 11:14:07  Warning  A10LB HTTP request has p-conn
Jan 17 11:13:23  Warning  A10LB HTTP request has p-conn
Jan 17 11:12:47  Info     Load libraries in 0.047 secs
Jan 17 11:12:47  Notice   The session for user admin from 192.168.1.166 is
                          opened. Session ID is [4]
Jan 17 11:09:28  Warning  A10LB HTTP request has p-conn
Jan 17 11:09:18  Warning  A10LB HTTP response not beginning of header: 5a8^M
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ^M Korn shell programming
la
Jan 17 11:01:04  Warning  A10LB HTTP request has p-conn
--MORE--
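
The log buffer shown above records each administrative session open together with its source address, which makes it a quick source for login review. The following is an added example, not part of the A10 manual: it parses show log entries, rejoins wrapped messages, and marks session-open events whose source lies outside the expected management networks. The one-entry-per-line layout, the 203.0.113.9 entry, and the function names parse_log and session_opens are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample. Message texts follow the manual's example output; the
# second login, its 203.0.113.9 source and the column spacing are invented.
SAMPLE_LOG = """\
AX#show log
Log Buffer: 30000
Jan 17 11:32:02  Warning  A10LB HTTP request has p-conn
Jan 17 11:31:01  Notice   The session [1] is closed
Jan 17 11:12:47  Notice   The session for user admin from 192.168.1.166 is
                          opened. Session ID is [4]
Jan 17 11:09:18  Warning  A10LB HTTP response not beginning of header: 5a8
Jan 17 10:58:40  Notice   The session for user admin from 203.0.113.9 is opened. Session ID is [3]
--MORE--
"""

# One buffer entry: "Mon DD HH:MM:SS  Level  message".
ENTRY = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) +"
    r"(?P<level>[A-Z][a-z]+) +(?P<msg>.*)$"
)
# The session-open message as it appears in the manual's sample.
LOGIN = re.compile(
    r"The session for user (?P<user>\S+) from (?P<src>\S+) is opened\. "
    r"Session ID is \[(?P<sid>\d+)\]"
)


def parse_log(text):
    """Split buffer text into entries; wrapped lines join the previous entry."""
    entries = []
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:
            entries.append(match.groupdict())
        elif entries and line.strip() and line.strip() != "--MORE--":
            entries[-1]["msg"] += " " + line.strip()
    return entries


def session_opens(entries, mgmt_nets):
    """Return session-open events, flagging sources outside mgmt_nets."""
    nets = [ipaddress.ip_network(net) for net in mgmt_nets]
    events = []
    for entry in entries:
        match = LOGIN.search(entry["msg"])
        if not match:
            continue
        try:
            src = ipaddress.ip_address(match["src"])
            expected = any(src in net for net in nets)
        except ValueError:
            expected = False  # not an IP literal: treat as unexpected
        events.append({
            "ts": entry["ts"],
            "user": match["user"],
            "src": match["src"],
            "session": int(match["sid"]),
            "expected_source": expected,
        })
    return events


if __name__ == "__main__":
    for event in session_opens(parse_log(SAMPLE_LOG), ["192.168.1.0/24"]):
        status = "ok" if event["expected_source"] else "REVIEW"
        print(event["ts"], event["user"], event["src"], status)
```

The buffer timestamps carry no year and the newest entry is listed first, so sort and correlate accordingly when merging with other log sources.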

show mac-address-table
Description

Display MAC table entries.

Syntax

show mac-address-table
[macaddr | port port-num | vlan vlan-id]

Option

Description

macaddr

Shows the MAC table entry for the specified MAC address. Enter the MAC address in the following format: aaaa.bbbb.cccc

port port-num

Shows the MAC table entries for the specified Ethernet port.

vlan vlan-id

Shows the MAC table entries for the specified VLAN.

Mode

Privileged EXEC and all Config levels

Example

The following command displays the MAC table entry for MAC address
0013.72E3.C773:

AX#show mac-address-table 0013.72E3.C773

Total active entries: 1
Age time: 300 secs
MAC-Address     Port  Type     Index  Vlan  Age
---------------------------------------------------------
0013.72E3.C773  1     Dynamic  16     10    90

Table 40 describes the fields in the command output.

TABLE 40 show mac-address-table fields

Field                 Description
Total active entries  Total number of active MAC entries in the table. An active entry is one that has not aged out.
Age time              Number of seconds a dynamic (learned) MAC entry can remain unused before it is removed from the table.
MAC-Address           MAC address of the entry.
Port                  Ethernet port through which the MAC address is reached.
Type                  Indicates whether the entry is dynamic or static.
Index                 The MAC entry's position in the MAC table.
Vlan                  VLAN the MAC address is on.
Age                   Number of seconds since the entry was last used.

show management
Description

Show the types of management access allowed on each of the AX Series device's Ethernet interfaces.

Syntax

show management

Mode

Privileged EXEC and all Config levels

Usage

To configure the management access settings, see enable-management on page 105 and disable-management on page 101.

Example

The following command shows the management access settings on an AX Series device.

AX#show management
      PING  SSH  Telnet  HTTP  HTTPS  SNMP  ACL
-------------------------------------------------------
mgmt  on    on   off     on    on     on
1     on    off  off     off   off    off
2     on    off  on      off   off    off
3     on    off  on      off   off    off
4     on    off  on      off   off    off
5     on    off  on      off   off    off
6     on    off  on      off   off    off
7     on    off  on      off   off    off
9     on    off  on      off   off    off
10    on    off  on      off   off    off   3
ve1   on    off  on      on    off    off
ve2   on    off  on      off   off    off   -
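
The show management table is a convenient input for a management-plane review: it shows, per interface, which access methods are reachable. The following is an added example, not part of the A10 manual: it parses the table and reports interfaces where Telnet or HTTP is enabled and interfaces that expose an administrative service with no ACL listed. It assumes the CLI prints one aligned row per interface and that the ACL column names the ACL filtering management traffic on that interface; the function names and the "-" placeholders in the sample are constructed.

```python
"""Audit 'show management' output for risky management-plane exposure."""

SERVICES = ("PING", "SSH", "Telnet", "HTTP", "HTTPS", "SNMP")
CLEARTEXT = ("Telnet", "HTTP")  # credentials cross the wire unencrypted
ADMIN = ("SSH", "Telnet", "HTTP", "HTTPS", "SNMP")  # everything but PING

# Constructed sample: on/off values follow rows of the manual's example; the
# aligned layout and the "-" ACL placeholders are assumptions.
SAMPLE = """\
AX#show management
      PING  SSH  Telnet  HTTP  HTTPS  SNMP  ACL
-------------------------------------------------------
mgmt  on    on   off     on    on     on
1     on    off  off     off   off    off   -
2     on    off  on      off   off    off   -
10    on    off  on      off   off    off   3
ve1   on    off  on      on    off    off   -
"""


def parse_show_management(text):
    """Return {interface: {"services": {name: bool}, "acl": str or None}}."""
    rows = {}
    for line in text.splitlines():
        tokens = line.split()
        # Data row: interface name, six on/off flags, optional ACL column.
        if len(tokens) not in (7, 8):
            continue
        flags = tokens[1:7]
        if any(flag not in ("on", "off") for flag in flags):
            continue  # header, prompt or separator line
        acl = tokens[7] if len(tokens) == 8 and tokens[7] != "-" else None
        rows[tokens[0]] = {
            "services": {name: flag == "on" for name, flag in zip(SERVICES, flags)},
            "acl": acl,
        }
    return rows


def audit(rows):
    """Return (interface, issue) tuples for settings worth reviewing."""
    findings = []
    for ifname, row in rows.items():
        enabled = row["services"]
        for proto in CLEARTEXT:
            if enabled[proto]:
                findings.append((ifname, f"{proto} enabled (cleartext protocol)"))
        exposed = [name for name in ADMIN if enabled[name]]
        if exposed and row["acl"] is None:
            findings.append((ifname, "no ACL limits " + "/".join(exposed)))
    return findings


if __name__ == "__main__":
    for ifname, issue in audit(parse_show_management(SAMPLE)):
        print(f"{ifname:5} {issue}")
```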

show memory
Description

Display memory usage information.

Syntax

show memory [cache | system]

Option

Description

cache

Shows cache statistics.

system

Shows summary statistics for memory usage.

Mode

Privileged EXEC and all Config levels

Example

The following command shows summary statistics for memory usage:

AX#show memory system

System Memory Usage:
Total(KB)  Free    Shared  Buffers  Cached  Usage
---------------------------------------------------------------------------
2070368    751580  0       269560   96756   59.0%

Example

The following command shows memory usage for individual system modules:

AX#show memory
          Total(KB)   Used      Free     Usage
----------------------------------------------------
Memory:   2070368     1222016   848352   59.0%

System memory:
Object size(byte)   Allocated(#)   Max(#)
----------------------------------------------------------------
16                  195            10240
48                  21             10240
112                 536            10240
240                 20             10240
496                 3              10240
1008                1              1280
2032                1              1280
4080                0              1280
aFleX memory:
Object size(byte)   Allocated(#)   Max(#)
----------------------------------------------------------------
16                  438            10240
48                  1204           163840
--MORE--
48                  1204           163840
112                 759            163840
240                 53             320
496                 25             160
1008                10             80
2032                1              40
4080                8              40

N2 memory:
Object size(byte)   Allocated(#)   Max(#)
----------------------------------------------------------------
96                  1              10240
224                 0              10240
480                 0              10240
992                 2000           10240
2016                1512           10240
SSL memory:
Object size(byte)   Allocated(#)   Max(#)
----------------------------------------------------------------
48                  2786           10240
112                 72             10240
240                 81             10240
--MORE--

Example

The following command shows memory cache information:

AX#show memory cache


System block 16:
Object size: 16, Total in pool: 10240, Allocated to control: 195
Allocated to 8 data threads: 0, 0, 0, 0, 0, 0, 0, 0,
System block 48:
Object size: 48, Total in pool: 10240, Allocated to control: -46510
Allocated to 8 data threads: -426, 29556, 17401, 0, 0, 0, 0, 0,
System block 112:
Object size: 112, Total in pool: 10240, Allocated to control: 24
Allocated to 8 data threads: 512, 0, 0, 0, 0, 0, 0, 0,
System block 240:
Object size: 240, Total in pool: 10240, Allocated to control: 20
Allocated to 8 data threads: 0, 0, 0, 0, 0, 0, 0, 0,
System block 496:
Object size: 496, Total in pool: 10240, Allocated to control: 0
Allocated to 8 data threads: 0, 2, 1, 0, 0, 0, 0, 0,
System block 1008:
Object size: 1008, Total in pool: 1280, Allocated to control: 1
--MORE--

show mirror
Description

Display port mirroring information.

Syntax

show mirror

Mode

Privileged EXEC and all Config levels

Example

The following example shows the port mirroring configuration on an AX Series device:

AX#show mirror
Mirror Port : 4
Port monitored at ingress : 2
Port monitored at egress : 2

Table 41 describes the fields in the command output.

TABLE 41 show mirror fields
Field                        Description
Mirror Port                  Port to which the traffic is copied. This is the port to which
                             the protocol analyzer should be attached.
Port monitored at ingress    Port(s) whose inbound traffic is copied to the monitor port.
Port monitored at egress     Port(s) whose outbound traffic is copied to the monitor port.

show monitor
Description

Display the event thresholds for system resources.

Syntax

show monitor

Mode

Privileged EXEC and all Config levels

Example

The following commands set the event threshold for data CPU utilization to
80% and verify the result:

AX(config)#monitor data-cpu 80
AX(config)#show monitor
Current system monitoring threshold:
Hard disk usage:     85
Memory usage:        95
Control CPU usage:   90
Data CPU usage:      80
IO Buffer usage:     60000
Buffer Drop:         100
Warning Temperature: 68


show ntp
Description

Show the Network Time Protocol (NTP) configuration and status.

Syntax

show ntp {servers | status}


Option       Description

servers      Shows the NTP configuration and shows whether the AX Series device is synchronized with the NTP server.

status       Shows whether the AX Series device is synchronized with the NTP server.

Mode

Privileged EXEC and all Config levels

Example

The following command shows the NTP configuration and the synchronization status:

AX#show ntp servers

( * = The NTP server is currently synchronized with AX system )
Ntp server       Sync Interval(minute)    Status
-----------------------------------------------------------
*10.1.4.20       1440                     enabled

Table 42 describes the fields in the command output.

TABLE 42 show ntp fields
Field            Description
NTP server       IP address of the NTP server.
                 The asterisk ( * ) in front of the address indicates that the
                 AX Series device is synchronized with the NTP server. If
                 there is no asterisk, the device is not synchronized with the
                 NTP server.
Sync Interval    Number of minutes between each synchronization with the
                 NTP server.
Status           Indicates whether NTP is enabled.

Example

The following command shows the NTP synchronization status:

AX#show ntp status

NTP sync status: success


show partition
Description

Show the private partitions, used by Role-Based Administration (RBA), that are configured on the AX device.

Syntax

show partition

Mode

Privileged EXEC and all Config levels

Usage

To use this command, you must be logged in with an admin account that has
Root, Read-write, or Read-only privileges. (See show admin on page 536
for descriptions of the admin privilege levels.)

Example

The following command displays the private partitions configured on an AX device:

AX(config)#show partition
Max Number allowed: 128
Total Number of partitions configured: 2
Partition Name     Max. aFleX File Allowed     # of Admins
------------------------------------------------------
companyA           32
companyB           32

Table 43 describes the fields in the command output.

TABLE 43 show partition fields
Field                                    Description
Max Number allowed                       Maximum number of partitions the AX device can have.
Total Number of partitions configured    Total number of partitions the AX device currently has.
Partition Name                           Name of the private partition.
Max. aFleX File Allowed                  Maximum number of aFleX policies that can belong to the
                                         partition.
# of Admins                              Number of admins configured for the partition.


show pbslb
Description

Show configuration information and statistics for Policy-based SLB (PBSLB).

Syntax

show pbslb [name]
show pbslb client [ipaddr]
show pbslb system
show pbslb virtual-server virtual-server-name
[port port-num service-type]

Option             Description

name               Shows information for virtual servers.

client [ipaddr]    Shows information for black/white list clients.

system             Shows statistics for system-wide PBSLB.

virtual-server virtual-server-name [port port-num service-type]
                   Shows statistics for IP limiting on the specified
                   virtual server.

Mode

Privileged EXEC and all Config levels

Example

The following command shows PBSLB information for an AX Series device:

AX#show pbslb
Total number of PBSLB configured: 1
Virtual server Port Blacklist/whitelist GID Connection # (Establish Reset Drop)
------------------------------------------------------------------------------
PBSLB_VS1      80   sample-bwlist       2                 0         0     0
                                        4                 0         0     0

Table 44 describes the fields in the command output.

TABLE 44 show pbslb fields
Field                               Description
Total number of PBSLB configured    Number of black/white lists imported onto the AX Series
                                    device.
Virtual server                      SLB virtual server to which the black/white list is bound.
Port                                Protocol port.
Blacklist/whitelist                 Name of the black/white list.
GID                                 Group ID.
Connection # Establish              Number of client connections established to the group and
                                    protocol port.
Connection # Reset                  Number of client connections to the group and protocol port
                                    that were reset.
Connection # Drop                   Number of client connections to the group and protocol port
                                    that were dropped.

Example

The following command shows PBSLB information for VIP vs-22-4:

AX#show pbslb vs-22-4

GID = Group ID, A = Action, OL = Over-limit
GID     Establish   Reset(A)    Drop(A)     Reset(OL)   Drop(OL)    Ser-sel-fail
-------+-----------+-----------+-----------+-----------|-----------+-----------
Virtual server: vs-22-4    Port: 80    B/W list: test
1       88          0           3           2           0           0
2       112         0           2           0           0           1
3       29          0           0           0           0           0
4       11          1           0           0           0           0

show process
Description

Display the status of system processes.

Syntax

show process system

Mode

Privileged EXEC and all Config levels

Usage

For descriptions of the system processes, see the AX Software Processes section in the System Overview chapter of the AX Series Configuration Guide.

Example

The following command shows the status of system processes on an AX Series device:

AX#show process system


a10mon is running
syslogd is running
a10logd is running
a10timer is running
a10Stat is running
a10hm is running
a10switch is running
a10rt is running
a10rip is running
a10ospf is running
a10snmpd is running
a10gmpd is running
a10wa is running
a10lb is running

show reboot
Description

Display scheduled system reboots.

Syntax

show reboot

Mode

Privileged EXEC and all Config levels

Example

The following command shows a scheduled reboot on an AX Series device:

AX#show reboot
Reboot scheduled for 04:20:00 PST Sun Apr 20 2008 (in 63 hours and 16 minutes) by admin on 192.168.1.144
Reboot reason: Outlook_upgrade

show router
Description

Show the OSPF or RIP configuration commands that are in the running-config.

Syntax

show router {ospf | rip}

Mode

Privileged EXEC and all Config levels

Example

The following command shows the OSPF configuration commands in the running-config of an AX Series device:

AX#show router ospf


router ospf
redistribute connected
redistribute static
network 53.19.12.0 255.255.255.0 area 0.0.0.0
network 53.19.15.0 255.255.255.0 area 0.0.0.0
network 53.19.16.0 255.255.255.0 area 0.0.0.0
network 53.53.53.0 255.255.255.0 area 0.0.0.0
network 99.16.1.0 255.255.255.0 area 0.0.0.0


show router log file


Description

Show router logs.

Syntax

show router log file
[
file-num |
nsm [file-num] |
ospf6d [file-num] |
ospfd [file-num]
]

Parameter            Description

file-num             Log file number.

nsm [file-num]       Displays the specified Network Services Module (NSM) log file, or all NSM log files.

ospf6d [file-num]    Displays the specified IPv6 OSPFv3 log file, or all OSPFv3 log files.

ospfd [file-num]     Displays the specified IPv4 OSPFv2 log file, or all OSPFv2 log files.

Mode

Any

show running-config
Description

Display the running-config.

Syntax

show running-config
[
ha |
health-monitor [name]
[all-partitions | partition partition-name] |
interfaces [ethernet [portnum] | ve [num] |
loopback [num] | management |
slb [server [name] | service-group [name] |
virtual-server [name]]
[all-partitions | partition partition-name] |
vlan [vlan-id] |
all-partitions |
partition partition-name
]

Option             Description

ha                 Shows High Availability configuration commands in the running-config.

health-monitor [name] [all-partitions | partition partition-name]
                   Shows health-monitor configuration commands
                   in the running-config.
                   To display the health monitors for a specific
                   RBA partition, use the partition partition-name
                   option.

slb [server [name] | service-group [name] | virtual-server [name]] [all-partitions | partition partition-name]
                   Shows SLB server, service-group, and virtual-server
                   configuration commands in the running-config.
                   To display the health monitors for a specific
                   RBA partition, use the partition partition-name
                   option.

vlan [vlan-id]     Shows VLAN configuration commands in the running-config.

all-partitions     Shows all resources in all partitions. In this case,
                   the resources in the shared partition are listed
                   first. Then the resources in each private partition
                   are listed, organized by partition.

partition partition-name
                   Shows only the resources in the specified partition.

Mode

Privileged EXEC and all Config levels

Usage

The all-partitions and partition partition-name options are applicable on AX devices that are configured for Role-Based Administration (RBA). If you omit both options, only the resources in the shared partition are shown. (If RBA is not configured, all resources are in the shared partition, so you can omit both options.)

The all-partitions option is applicable only to admins with Root, Read-write, or Read-only privileges. (See show admin on page 536 for descriptions of the admin privilege levels.)

Example

The following command shows the running-config on an AX Series device:

AX#show running-config
!Current configuration : 10577 bytes
!Configuration last updated at 18:01:01 PST Mon Jan 21 2008
!Configuration last saved at 15:09:41 PST Mon Jan 21 2008
!version 1.2.0
!
hostname AX2K-B
!
clock timezone America/Tijuana
!
!
!
vlan 10
untagged ethernet 1
router-interface ve 10
!
vlan 11
untagged ethernet 2
router-interface ve 11
!
vlan 20
tagged ethernet 4
router-interface ve 20
--MORE--

show session
Description

Display session information.

Syntax

show session
[
brief |
filter {filter-name | config} |
ipv4 [addr-suboptions] |
ipv4v6 [addr-suboptions] |
ipv6 [addr-suboptions] |
persist [persistence-type [addr-suboptions]] |
sip [addr-suboptions]
]

Parameter                  Description

brief                      Displays summary statistics for all session types.

filter filter-name | config
                           Displays information about configured session filters.
                           filter-name - Displays the specified session filter.
                           config - Displays all configured session filters.

ipv4 [addr-suboptions]     Displays information for IPv4 sessions. The following address suboptions are supported:
                           source-addr ipaddr [{subnet-mask | /mask-length}] - Displays IPv4 sessions that have the specified source IP address.
                           source-port port-num - Displays IPv4 sessions that have the specified source protocol port number, 1-65535.
                           dest-addr ipaddr [{subnet-mask | /mask-length}] - Displays IPv4 sessions that have the specified destination IP address.
                           dest-port port-num - Displays IPv4 sessions that have the specified destination protocol port number, 1-65535.
                           You can use one or more of the suboptions, in the order listed above. For example, if the first suboption you enter is dest-addr, the only additional suboption you can specify is dest-port.

ipv4v6 [addr-suboptions]   Displays information for IPv4-IPv6 or IPv6-IPv4 sessions. The following address suboptions are supported:
                           source-addr {ipaddr [{subnet-mask | /mask-length}] | ipv6addr/mask-length} - Displays sessions that have the specified IPv4 or IPv6 source IP address.
                           source-port port-num - Displays sessions that have the specified source protocol port number, 1-65535.

                           dest-addr {ipaddr [{subnet-mask | /mask-length}] | ipv6addr/mask-length} - Displays sessions that have the specified IPv4 or IPv6 destination IP address.
                           dest-port port-num - Displays sessions that have the specified destination protocol port number, 1-65535.
                           You can use one or more of the suboptions, in the order listed above. For example, if the first suboption you enter is dest-addr, the only additional suboption you can specify is dest-port.

ipv6 [addr-suboptions]     Displays information for IPv6 sessions. The following address suboptions are supported:
                           source-addr ipv6addr/mask-length - Displays sessions that have the specified IPv6 source IP address.
                           source-port port-num - Displays IPv6 sessions that have the specified source protocol port number, 1-65535.
                           dest-addr ipv6addr/mask-length - Displays sessions that have the specified IPv6 destination IP address.
                           dest-port port-num - Displays IPv6 sessions that have the specified destination protocol port number, 1-65535.
                           You can use one or more of the suboptions, in the order listed above. For example, if the first suboption you enter is dest-addr, the only additional suboption you can specify is dest-port.

persist [persistence-type [addr-suboptions]]
                           Displays information for persistent sessions. The following options are supported:
                           persistence-type - Displays sessions of the specified persistence type:
                           dst-ip - Displays destination-IP persistent sessions.
                           src-ip - Displays source-IP persistent sessions.

                           ssl-id - Displays SSL-session-ID persistent sessions.
                           The addr-suboptions are the same as those supported for show session ipv4. (See above.)

sip [addr-suboptions]      Displays information for Session Initiation Protocol (SIP) sessions.
                           The addr-suboptions are the same as those supported for show session ipv4v6. (See above.)

Mode

Privileged EXEC and all Config levels

Usage

For convenience, you can save session display options as a session filter.
(See session-filter on page 146.)

Example

The following command lists information for all IPv4 sessions:

AX(config)#show session ipv4

Traffic Type               Total
--------------------------------------------
TCP Established            2
TCP Half Open              0
UDP                        0
Non TCP/UDP IP sessions    0
Other                      0
Reverse NAT TCP            0
Reverse NAT UDP            0
Free Buff Count            0
Curr Free Conn             2007033
Conn Count                 10
Conn Freed                 8
TCP SYN Half Open          0
Conn SMP Alloc             13
Conn SMP Free              2
Conn SMP Aged              2
Prot Forward Source       Forward Dest      Reverse Source    Reverse Dest        Age  Hash
----------------------------------------------------------------------------------------------------------
Tcp  1.0.4.147:49107      1.0.100.1:21      1.0.3.148:21      1.0.4.147:49107     120  2
Tcp  1.0.16.2:58736       1.0.100.1:21      1.0.3.148:21      1.0.16.2:58736      60   2
Total Sessions: 2

Table 45 describes the fields in the command output.

TABLE 45 show session fields
Field                      Description
TCP Established            Number of established TCP sessions.
TCP Half Open              Number of half-open TCP sessions. A half-open session is
                           one for which the AX Series device has not yet received a
                           SYN ACK from the backend server.
UDP                        Number of UDP sessions.
Non TCP/UDP IP sessions    Number of IP sessions other than TCP or UDP sessions.
                           This counter applies specifically to IP protocol load balancing.
                           (See the IP Protocol Load Balancing chapter in the
                           AX Series Configuration Guide.)
Other                      Number of internally used sessions. As an example, internal
                           sessions are used to hold fragmentation information.
Reverse NAT TCP            Number of reverse-NAT TCP sessions.
Reverse NAT UDP            Number of reverse-NAT UDP sessions.
Free Buff Count            Number of IO buffers currently available.
Curr Free Conn             Number of Layer 4 sessions currently available.
Conn Count                 Number of connections.
Conn Freed                 Number of connections freed after use.
TCP SYN Half Open          Number of half-open TCP sessions. These are sessions that
                           are half-open from the client's perspective.
Conn SMP Alloc
Conn SMP Free
Conn SMP Aged              Statistics used by A10 Technical Support.
Prot                       Transport protocol.
Forward Source             Client IP address when connecting to a VIP.
                           Note: For DNS sessions, the client's DNS transaction ID is
                           shown instead of a protocol port number.
Forward Dest               VIP to which the client is connected.
Reverse Source             Real server's IP address.
                           Note: If the AX device is functioning as a cache server
                           (RAM caching), asterisks ( * ) in this field and the Reverse
                           Dest field indicate that the AX device directly served the
                           requested content to the client from the AX RAM cache. In
                           this case, the session is actually between the client and the
                           AX device rather than the real server.

TABLE 45 show session fields (Continued)
Field                      Description
Reverse Dest               IP address to which the real server responds.
                           If source NAT is used for the virtual port, this address is
                           the source NAT address used by AX device when connecting to the real server.
                           If source IP NAT is not used for the virtual port, this
                           address is the client IP address.
Age                        Number of seconds since the session started.

Example

The following command displays the IPv4 session for a specific source IP address:

AX(config)#show session ipv4 source-addr 1.0.4.147

Prot Forward Source       Forward Dest      Reverse Source    Reverse Dest        Age  Hash
----------------------------------------------------------------------------------------------------------
Tcp  1.0.4.147:49107      1.0.100.1:21      1.0.3.148:21      1.0.4.147:49107     120  2
Total Sessions: 1

Example

The following commands display source-IP persistent sessions, clear one of the sessions, then verify that the session has been cleared:

AX(config)#show session persist src-ip

Prot Forward Source    Forward Dest      Reverse Source    Age
------------------------------------------------------------------------
src  1.0.16.2          1.0.100.1:21      1.0.3.148         6000
src  1.0.4.147         1.0.100.1:21      1.0.3.148         6000
Total Sessions: 2
AX(config)#clear sessions persist src-ip source-addr 1.0.16.2
AX(config)#show session persist src-ip
Prot Forward Source    Forward Dest      Reverse Source    Age
------------------------------------------------------------------------
src  1.0.4.147         1.0.100.1:21      1.0.3.148         5880


show shutdown
Description

Display scheduled system shutdowns.

Syntax

show shutdown

Mode

Privileged EXEC and all Config levels

Example

The following command shows a scheduled shutdown on an AX Series device:

AX#show shutdown

Shutdown scheduled for 12:00:00 PST Sat Jan 19 2008 (in 358 hours and 23 minutes) by admin on 192.168.1.144
Shutdown reason: Scheduled shutdown

show sip
Description

Show SIP SLB statistics.

Syntax

show sip

Mode

Privileged EXEC and all Config levels

Example

The following command shows SIP SLB statistics on an AX Series device:

AX#show sip

Sip current session:                   8
Total sip session created:             12
Total sip session deleted:             4
Total sip packet from client:          99
Total sip packet from server:          12
Total sip packet between clients:      32
Total sip server selection failure:    0

show slb
Description

See SLB Show Commands on page 659.


show smtp
Description

Display SMTP information.

Syntax

show smtp

Mode

Privileged EXEC and all Config levels

Example

The following command shows the SMTP server address:

AX#show smtp
SMTP server address: 192.168.1.99

show startup-config
Description

Display a configuration profile or display a list of all the locally saved configuration profiles.

Syntax

show startup-config [all | profile-name] [cf]
[all-partitions | partition partition-name]

Option             Description

all                Displays a list of the locally stored configuration profiles.

profile-name       Displays the commands that are in the specified configuration profile.

cf                 Displays the configuration profile in the specified image area (primary or secondary) on the
                   compact flash rather than the hard disk. If you
                   omit this option, the configuration profile in the
                   specified area on the hard disk is displayed.
                   If the all option is also used, the cf option displays all the configuration profiles stored on the
                   compact flash.

all-partitions     Shows all resources in all partitions. In this case,
                   the resources in the shared partition are listed
                   first. Then the resources in each private partition
                   are listed, organized by partition.

partition partition-name
                   Shows only the resources in the specified partition.

Mode

Privileged EXEC and all Config levels

Usage

The all-partitions and partition partition-name options are applicable on AX devices that are configured for Role-Based Administration (RBA). If you omit both options, only the resources in the shared partition are shown. (If RBA is not configured, all resources are in the shared partition, so you can omit both options.)

The all-partitions option is applicable only to admins with Root, Read-write, or Read-only privileges. (See show admin on page 536 for descriptions of the admin privilege levels.)

When entered without the all or profile-name option, this command displays the contents of the configuration profile that is currently linked to startup-config. Unless you have relinked startup-config, the configuration profile that is displayed is the one that is stored in the image area from which the AX device most recently rebooted.

Example

The following command shows the configuration profile currently linked to startup-config on an AX Series device:

AX#show startup-config
Building configuration...
!Current configuration: 10580 bytes
!Configuration last updated at 15:01:01 PST Mon Jan 21 2008
!Configuration last saved at 15:09:41 PST Mon Jan 21 2008
!version 1.2.0
!
hostname AX2K-B
!
clock timezone America/Tijuana
!
!
!
vlan 10
untagged ethernet 1
router-interface ve 10
!
vlan 11
untagged ethernet 2
router-interface ve 11
!
vlan 20
--MORE--

Example

The following command shows a list of the configuration profiles locally saved on the AX device. The first line of output lists the configuration profile that is currently linked to startup-config. If the profile name is "default", then startup-config is linked to the configuration profile stored in the image area from which the AX device most recently rebooted.

AX#show startup-config all
Current Startup-config Profile: default
Profile-Name       Size     Time
------------------------------------------------------------
1210test           1957     Jan 28 18:39
lb-v6              13414    Jan 23 19:19

show statistics
Description

Display packet statistics for Ethernet interfaces.

Syntax

show statistics [interface ethernet port-num]

Mode

Privileged EXEC and all Config levels

Example

The following command shows brief statistics for all Ethernet interfaces on
an AX Series device:

AX#show statistics
Port   Good Rcv   Good Sent   Bcast Rcv   Bcast Sent   Errors
---------------------------------------------------------------------------
1      3026787    3013699     91573       154220       0
2      0          0           0           0            0
3      0          0           0           0            0
...
XAUI   3171070    3118342     275613      216063

Note: The XAUI port is an internal port, not a user-configured interface.

Example

The following command shows detailed statistics for Ethernet interface 1:

AX#show statistics interface ethernet 1

Port Link Dupl Speed IsTagged MAC Address
---------------------------------------------------
1    Up   Full 1000  Untagged 0090.0B0A.D860
Port 1 Counters:
InPkts             6926        OutPkts             427659
InOctets           477802      OutOctets           323788182
InBroadcastPkts    5573        OutBroadcastPkts    62389
InMulticastPkts    0           OutMulticastPkts    359729
InBadPkts          0           OutBadPkts          0
OutDiscards        0           Collisions          0
InLongOctet        477802      InAlignErr          0
InLengthErr        0           InOverErr           0

InFrameErr         0           InCrcErr            0
InNoBufErr         0           InMissErr           48
InLongLenErr       0           InShortLenErr       0
OutAbortErr        0           OutCarrierErr       0
OutFifoErr         0           OutLateCollisions   0
InFlowCtrlXon      0           OutFlowCtrlXon      0
InFlowCtrlXoff     0           OutFlowCtrlXoff     0
InBufAllocFailed   0
InUtilization      15          OutUtilization      0

show switch
Description

Display internal system information for troubleshooting.

Note: This command is applicable only to models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200. The command does not appear in the CLI on other models.

Syntax

show switch bridge-egress-filtering
show switch bridge-global
show switch cascading-header-insertion
show switch dump-all
show switch fdb-global
show switch ingress-drop-counter
show switch ingress-port-bridge port-num
show switch mac-table
show switch phy-10g-reg port port-num register number-hex
show switch phy-10g-reg-ext device number port port-num register number-hex
show switch phy-dump port port-num
show switch phy-reg port port-num register number-hex
show switch port-counter port-num

show switch port-vlan-register port-num
show switch register number-hex [bitmask number]
[field-offset number field-length number]
show switch route-table
show switch trunk-table
show switch unicast-routing-engine
show switch vlan-table
show switch xfp-temp
Mode

Privileged EXEC and all Config levels

Usage

Only the mac-table, vlan-table, and xfp-temp options are supported on models AX 5100 and AX 5200.

show system resource-usage


Description

Display the minimum and maximum numbers of each type of system resource that can be configured or used, the default maximum number allowed by the configuration, and the number currently in use.

For example, the l4-session-count row of the output shows the number of Layer 4 sessions that are currently in use, as well as the maximum number currently supported by the configuration (the default maximum), and the range of values that can be assigned to the default maximum.

Syntax

show system resource-usage

Mode

Privileged EXEC and all Config levels

Usage

To change system resource usage settings, see the system resource-usage command on page 165.

Example

The following command shows system resource usage:

AX#show system resource-usage

Resource                        Current    Default    Minimum    Maximum
--------------------------------------------------------------------------
l4-session-count                8388608    8388608    524288     33554432
nat-pool-addr-count             500        500        500        4000
real-server-count               1024       1024       512        2048

real-port-count                 2048       2048       512        4096
service-group-count             512        512        512        1024
virtual-port-count              512        512        256        1024
virtual-server-count            512        512        512        1024
http-template-count             256        256        32         1024
proxy-template-count            128        128        32         128
conn-reuse-template-count       256        256        32         1024
fast-tcp-template-count         256        256        32         1024
fast-udp-template-count         256        256        32         1024
client-ssl-template-count       256        256        32         1024
server-ssl-template-count       256        256        32         1024
stream-template-count           256        256        32         1024
persist-cookie-template-count   256        256        32         1024
persist-srcip-template-count    256        256        32         1024

show tacacs-server
Description

Display TACACS statistics.

Syntax

show tacacs-server [hostname | ipaddr]

Mode

Privileged EXEC and all Config levels

Example

The following command shows information for TACACS server 5.5.5.5:

AX#show tacacs-server 5.5.5.5
TACACS+ server            : 5.5.5.5:49
Socket opens:               0
Socket closes:              0
Socket aborts:              0
Socket errors:              0
Socket timeouts:            0
Failed connect attempts:    0
Total packets recv:         0
Total packets send:         0

show techsupport
Description

Display or export system information for use when troubleshooting.

Syntax

show techsupport
[export [use-mgmt-port] url]
[page]

Option                        Description
export [use-mgmt-port] url    Exports the output to a remote server. The url
                              specifies the file transfer protocol, username (if
                              required), and directory path.
                              You can enter the entire URL on the command
                              line or press Enter to display a prompt for each
                              part of the URL. If you enter the entire URL and
                              a password is required, you will still be prompted
                              for the password. To enter the entire URL:
                                tftp://host/file
                                ftp://[user@]host[:port]/file
                                scp://[user@]host/file
                                rcp://[user@]host/file
page                          Shows the information page by page. Without
                              this option, all the command's output is sent to
                              the terminal at once.

Mode

Privileged EXEC and all Config levels

show terminal
Description

Show the terminal settings.

Syntax

show terminal

Mode

Privileged EXEC and all Config levels

Example

The following command shows the terminal settings.

AX#show terminal
Idle-timeout is 00:10:00
Length: 24 lines, Width: 80 columns
Editing is enabled
History is enabled, history size is 256
Auto size is enabled
Terminal monitor is off

show tftp
Description

Display the currently configured TFTP block size.

Syntax

show tftp

Mode

All

Example

The following command shows the TFTP block size.


AX(config)#show tftp
TFTP client block size is set to 512

show trunk
Description

Show information about a trunk group.

Syntax

show trunk num


Option      Description
num         Trunk number

Mode

Privileged EXEC and all Config levels

Example

The following command shows information for trunk group 1:

AX#show trunk 1
Trunk ID           : 1      Member Count: 8
Trunk Status       : Up
Members            : 1   2   3   4   5   6   7   8
Cfg Status         : Enb Enb Enb Enb Enb Enb Enb Enb
Oper Status        : Up  Up  Up  Up  Up  Up  Up  Up
Ports-Threshold    : 6      Timer: 10 sec(s) Running: No
Working Lead       : 1

Table 46 describes the fields in the command output.


TABLE 46 show trunk fields
Field              Description
Trunk ID           ID assigned to the trunk by the admin who configured it.
Member Count       Number of ports in the trunk.
Trunk Status       Indicates whether the trunk is up.
Members            Port numbers in the trunk.
Cfg Status         Configuration status of the port.
Oper Status        Operational status of the port.
Ports-Threshold    Indicates the minimum number of ports that must be up in
                   order for the trunk to remain up.
                   If the number of up ports falls below the configured
                   threshold, the AX automatically disables the trunk's
                   member ports. The ports are disabled in the running-config.
                   The AX device also generates a log message and an SNMP
                   trap, if these services are enabled.
Timer              Indicates how many seconds the AX device waits after a port
                   goes down before marking the trunk down, if the ports
                   threshold is exceeded.
Running            Indicates whether the ports-threshold timer is currently
                   running. When the timer is running, a port has gone down but
                   the state change has not yet been applied to the trunk's
                   state.
Working Lead       Port number used for responding to ARP requests and for
                   Layer 2 processing.
                   Note: If the lead port number shown is 0, the trunk interface
                   is down.

show version
Description

Display software, hardware, and firmware version information.

Syntax

show version

Mode

Privileged EXEC and all Config levels

Example

The following command shows version information for an AX 2200:

AX#show version
AX Series Advanced Traffic Manager AX2600
Copyright 2007-2010 by A10 Networks, Inc. All A10 Networks products are
protected by one or more of the following US patents and patents pending:
7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789,
20070283429, 20070271598, 20070180101
Advanced Core OS (ACOS) version 2.4.3-P1, build 9 (Jun-17-2010,12:06)
Booted from NFS
Serial Number: AX22101107430012
Firmware version 7.11
aFleX version: 2.0.0
Last configuration saved at Jun-18-2010, 18:36
Hardware: 4 CPUs(Stepping 6), Dual 70G Hard disks
Memory 2074 Mbyte, Free Memory 937 Mbyte
Current time is Jun-21-2010, 19:30
The system has been up 3 days, 20 hours, 15 minutes

show vlans
Description

Display the configured VLANs.

Syntax

show vlans [vlan-id]

Mode

Privileged EXEC and all Config levels

Example

The following command lists all the VLANs configured on an AX Series
device:

AX#show vlans
Total VLANs: 2
VLAN 1:
  Untagged Ports:    2   3   4   5   6   7   8   9
                    10  11  12  13  14  15  17  18
                    19  20
  Tagged Ports:     None

VLAN 199:
  Untagged Ports:    1  16
  Tagged Ports:     None

show web-service
Description

Show settings for Web-management access.

Syntax

show web-service

Mode

Privileged EXEC and all Config levels

Example

The following command shows the settings for access to the management
GUI on an AX Series device:

AX#show web-service
AX Web server:
        Idle time:          10 minutes
        Http port:          80
        Https port:         443
        Auto redirect:      Enabled
        Https:              Enabled
        aXAPI Idle time:    5 minutes

Table 47 describes the fields in the command output.

TABLE 47 show web-service fields
Field              Description
Idle time          Number of minutes a web management session can remain
                   idle before the AX device terminates the session.
HTTP port          HTTP port number on which the AX device listens for
                   connections to the management GUI.
HTTPS port         HTTPS port number on which the AX device listens for
                   connections to the management GUI.
Auto redirect      Indicates whether requests for the HTTP port are
                   automatically redirected to the HTTPS port.
HTTPS              State of the HTTPS port on the AX device.
aXAPI Idle time    Number of minutes an aXAPI session can remain idle before
                   being terminated. Once the aXAPI session is terminated, the
                   session ID generated by the AX device for the session is no
                   longer valid.
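
The fields in Table 47 are the ones to review when checking how the management GUI and aXAPI are exposed. The following is an added example, not part of the A10 documentation: it parses captured show web-service output and flags settings that fall outside a local policy. The 15-minute idle limit, the function names, the finding codes, and the "Disabled" value in the second sample are assumptions made for illustration.

```python
import re

# Values from the example output on this page; column alignment reconstructed.
PAGE_SAMPLE = """\
AX#show web-service
AX Web server:
        Idle time:          10 minutes
        Http port:          80
        Https port:         443
        Auto redirect:      Enabled
        Https:              Enabled
        aXAPI Idle time:    5 minutes
"""

# Constructed sample of a weaker configuration. The value "Disabled" is an
# assumption; the page only shows "Enabled".
WEAK_SAMPLE = """\
AX#show web-service
AX Web server:
        Idle time:          60 minutes
        Http port:          80
        Https port:         443
        Auto redirect:      Disabled
        Https:              Disabled
        aXAPI Idle time:    30 minutes
"""

# A setting line is "name: value"; the prompt line and the bare
# "AX Web server:" heading have no value after a colon and are skipped.
_SETTING = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s+(?P<value>\S.*?)\s*$")


def parse_web_service(text):
    """Return the 'name: value' settings keyed by lower-cased field name."""
    settings = {}
    for line in text.splitlines():
        match = _SETTING.match(line)
        if match:
            settings[match.group("key").lower()] = match.group("value")
    return settings


def _minutes(value):
    """'10 minutes' -> 10; None when the value is missing or not numeric."""
    match = re.match(r"(\d+)\s+minutes?$", value or "")
    return int(match.group(1)) if match else None


def audit_web_service(settings, max_idle_minutes=15):
    """Return finding codes for settings outside the (assumed) local policy."""
    findings = []
    # Anything other than the documented "Enabled" state is reported.
    if settings.get("https") != "Enabled":
        findings.append("https-not-enabled")
    if settings.get("auto redirect") != "Enabled":
        findings.append("http-not-redirected-to-https")
    # Long idle timeouts keep GUI sessions and aXAPI session IDs valid longer.
    for key, code in (("idle time", "web-idle-timeout-too-long"),
                      ("axapi idle time", "axapi-idle-timeout-too-long")):
        minutes = _minutes(settings.get(key))
        if minutes is None or minutes > max_idle_minutes:
            findings.append(code)
    return findings


if __name__ == "__main__":
    for name, sample in (("page sample", PAGE_SAMPLE), ("weak sample", WEAK_SAMPLE)):
        print(name, audit_web_service(parse_web_service(sample)))
```

A missing field is reported as a finding rather than ignored, so a truncated capture does not pass the audit silently.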

SLB Show Commands


The show slb commands display information for Server Load Balancing
(SLB).

To automatically re-enter a show slb command at regular intervals, see
"repeat" on page 64.

In addition to the command options provided with some show commands,
you can use output modifiers to search and filter the output. See "Searching
and Filtering CLI Output" on page 34.

For information about other show commands, see "Show Commands" on
page 535.

Note:

show slb cache


Description

Display statistics and other information for RAM caching.

Syntax

show slb cache
[entries vip-name port-num |
memory-usage |
replacement vip-name port-num |
stats [vip-name port-num]]

Option                           Description
entries vip-name port-num        Shows a list of the cached objects.
memory-usage                     Shows memory usage for RAM caching.
replacement vip-name port-num    Shows replacement information for the specified
                                 virtual port on the specified virtual server.
stats [vip-name port-num]        Lists RAM caching statistics by VIP. If you
                                 specify a VIP or port number, statistics are
                                 displayed only for that VIP or port number.

Mode

Privileged EXEC and all Config levels

Usage

If you do not use any of the optional parameters, RAM caching statistics are
displayed. This is equivalent to entering the show slb cache stats command.

Example

The following command shows RAM caching statistics:

AX#show slb cache
Cache Hits                 0
Cache Misses               6
Memory Used                27648
Bytes Served               0
Entries Cached             6
Entries Replaced           0
Entries Aged Out           0
Entries Cleaned            0
Total Requests             0
Cacheable Requests         0
No-cache Requests          0
No-cache Responses         0
IMS Requests               0
304 Responses              0
Revalidation Successes     0
Revalidation Failures      0
Policy URI nocache         0
Policy URI cache           0
Policy URI invalidate      0
Content Too Big            0
Content Too Small          0
Srvr Resp - Cont Len       220
Srvr Resp - Chnk Enc       37
Srvr Resp - 304 Status     0
Srvr Resp - Other          0
Cache Resp - No Comp       383579
Cache Resp - Gzip
Cache Resp - Deflate
Cache Resp - Other         0
Entry create failures      0

Table 48 describes the fields in the command output.


TABLE 48 show slb cache fields
Field                     Description
Cache Hits                Number of times a requested page was found in the cache
                          and served from the cache.
Cache Misses              Number of times a requested page was not found in the
                          cache.
Memory Used               Amount of RAM currently used by cached content.
Bytes Served              Number of bytes served.
Entries Cached            Number of objects currently in the cache.
Entries Replaced          Number of cached items that were removed to make room
                          for newer entries, per the replacement policy.
Entries Aged Out          Number of entries that were removed because they are
                          older than their expiration time.
Entries Cleaned           Number of cached objects that have aged out and
                          therefore been removed from the cache.
Total Requests            Total number of requests received on all virtual server
                          ports on which caching is configured.
Cacheable Requests        Number of requests that are potentially cacheable.
No-cache Requests         Number of requests with no-cache header directives.
No-cache Responses        Number of responses with no-cache header directives.
IMS Requests              Number of requests that contained an If-Modified-Since
                          header.
304 Responses             Number of 304 Not Modified responses sent to clients.
Revalidation Successes    Number of entries that were successfully revalidated by
                          the server.
Revalidation Failures     Number of times revalidation failed.
Policy URI nocache        Number of times requested content was not cached due to
                          a URI policy.
Policy URI cache          Number of times a request was cached due to a URI
                          policy.
Policy URI invalidate     Number of times a request was invalidated due to a URI
                          policy.
Content Too Big           Number of cacheable items that were not cached because
                          the file size was larger than the configured maximum
                          content size.
Content Too Small         Number of cacheable items that were not cached because
                          the file size was smaller than the configured minimum
                          content size.
Srvr Resp - Cont Len      Number of responses that contained Content-Length
                          headers.
Srvr Resp - Chnk Enc      Number of responses that were chunk encoded.
Srvr Resp - 304 Status    Number of responses that had status code 304.
Srvr Resp - Other         Number of responses that were of other types.
Cache Resp - No Comp      Object is uncompressed.
Cache Resp - Gzip         Object was compressed using gzip. Gzip is an encoding
                          format produced by the file compression program gzip
                          (GNU zip) as described in RFC 1952 (Lempel-Ziv coding
                          [LZ77] with a 32 bit CRC).
Cache Resp - Deflate      Object was compressed using deflate. Deflate is the zlib
                          format defined in RFC 1950 in combination with the
                          deflate compression mechanism described in RFC 1951.
Cache Resp - Other        Object was compressed using compress. Compress is the
                          encoding format produced by the common UNIX file
                          compression program compress (adaptive
                          Lempel-Ziv-Welch coding [LZW]).
Entry create failures     Counter used by A10 technical support for
                          troubleshooting.

Example

The following command shows cached objects:

AX#show slb cache entries vs-cookie-cache 80
vs-cookie-cache:80
Host          Object URL              Bytes     Type    Status  Expires in
---------------------------------------------------------------------------------------
10.20.0.120   /static2/1000.txt       1365      CL,No   FR      3410 s
10.20.0.120   /static2/10000.txt      10366     CL,No   FR      3490 s
10.20.0.120   /static2/1000000.txt    636152    CE,Gz   FR      3594 s
10.20.0.120   /static2/1000000.txt    1000368   CL,No   FR      2719 s
10.20.0.120   /ewen/index.html        1479      CL,Mo   FR      -57 s

Table 49 describes the fields in the command output.


TABLE 49 show slb cache entries fields
Field         Description
cached-vip    Virtual port number on which RAM caching is enabled.
Host          IP address of the content server.
Object URL    URL from which the cached object was obtained by the AX
              device.
Bytes         Length of the cached object.
Type          Indicates whether the cached object has a Content-Length
              header, is compressed, or is chunk-encoded.
              The value after the comma indicates the type of compression
              used:
              No - Object is uncompressed.
              Gz - Object was compressed using gzip. Gzip is an encoding
                   format produced by the file compression program gzip
                   (GNU zip) as described in RFC 1952 (Lempel-Ziv coding
                   [LZ77] with a 32 bit CRC).
              Cm - Object was compressed using compress. Compress is the
                   encoding format produced by the common UNIX file
                   compression program compress (adaptive
                   Lempel-Ziv-Welch coding [LZW]).
              Df - Object was compressed using deflate. Deflate is the
                   zlib format defined in RFC 1950 in combination with
                   the deflate compression mechanism described in RFC
                   1951.
Status        Status of the entry:
              FR - Fresh
              ST - Stale
              IN - Incomplete
              FA - Failed
              UN - Unknown
              R - The entry must be revalidated.
Expires in    Number of seconds the object can remain unused before it
              ages out.

Example

The following command shows RAM caching memory usage:

AX#show slb cache memory-usage
VIP          Port    Memory Configured    Memory Used    Percent Used
---------------------------------------------------------------------------------------
vs120        80      10485760             8386560        79.98%
---------------------------------------------------------------------------------------
Total                10485760             8386560        79.98%

Example

The following command shows replacement statistics:

AX#show slb cache replacement cached-vip 80
Frequency      Total
---------------------------------------------------------------
1/256          6
1/128          0
1/64           0
1/32           0
1/16           0
1/8            0
1/4            0
1/2            0
1              0
2              0
4              0
8              0
16             0
32             0
64             0
128            2

The output shows the distribution of requests for the cached entries. Entries
listed for 1/256 (one in 256 requests) are the least requested, whereas entries
listed for 128 are the most requested.

show slb connection-reuse


Description

Show SLB connection-reuse statistics.

Syntax

show slb connection-reuse [detail]

Mode

Privileged EXEC and all Config levels

Example

The following command shows summary connection-reuse statistics:

AX#show slb connection-reuse
                        Total
------------------------------------------------------------------
Open persist            0
Active persist          0
Total established       1787
Total terminated        1787
Total bind              1277
Total unbind            2389
Delayed unbind          4
Long resp               0
Missed resp             0
Unbound data rcvd       0

Table 50 describes the fields in the command output.

TABLE 50 show slb connection-reuse fields
Field                Description
Open persist         Number of new client connections directed to the same
                     server as previous connections by the persistence feature.
Active persist       Number of currently active connections that were sent to the
                     same real server by the persistence feature.
Total established    Total number of established connections to the backend
                     server.
Total terminated     Total number of terminated connections to the backend
                     server.
Total bind           Total number of client persistent connections bound to the
                     backend server.
Total unbind         Total number of client persistent connections unbound from
                     the backend server.
Delayed unbind       Number of connections whose unbinding was delayed.
                     Note: In the current release, this counter is unused and is
                     always 0.
Long resp            Number of responses that took too long.
Missed resp          Number of missed responses to HTTP requests.
Unbound data rcvd

Example

The following command shows detailed connection-reuse statistics for each
data processor (DP):

AX#show slb connection-reuse detail
                        DP0     DP1     DP2     DP3     Total
------------------------------------------------------------------
Open persist            0       0       0       0       0
Active persist          0       0       0       0       0
Total established       0       537     597     653     1787
Total terminated        0       537     597     653     1787
Total bind              0       349     420     508     1277
Total unbind            0       676     797     916     2389
Delayed unbind          0       1       1       2       4
Long resp               0       0       0       0       0
Missed resp             0       0       0       0       0
Unbound data rcvd       0       0       0       0       0

show slb conn-rate-limit


Description

Show statistics for source-IP based connection rate limiting.

Syntax

show slb conn-rate-limit src-ip


{
[tcp | udp] locked-out-ips |
[tcp | udp] statistics |
tcp |
udp
}

Mode

Privileged EXEC and all Config levels

Example

The following command shows statistics for source-IP based connection
rate limiting:

AX(config)#show slb conn-rate-limit src-ip statistics
Sessions allocated 0
Sessions freed 0
Too many sessions consumed 0
Out of sessions 0
Threshold check count 1022000
Honor threshold count 20532
Threshold exceeded count 1001408
Lockout drops 60
Log messages sent 20532
DNS requests re-transmitted 1000
No DNS response for request 1021000

Table 51 describes the fields in the show command output.


TABLE 51 show slb conn-rate-limit src-ip statistics fields
Field                          Description
Sessions allocated             Number of sessions allocated.
Sessions freed                 Number of sessions freed.
Too many sessions consumed     Number of times too many sessions were consumed.
Out of sessions                Number of times the device ran out of sessions.
Threshold check count          Number of times the AX device has checked for
                               connection-limit violations.
Honor threshold count          Number of requests permitted because they were
                               within the connection limit.
Threshold exceeded count       Number of requests denied because they exceeded
                               the connection limit.
Lockout drops                  Number of requests dropped because a client was
                               locked out.
Log messages sent              Number of log messages generated by this feature.
DNS requests re-transmitted    Number of re-transmitted DNS requests detected.
                               These are DNS requests for which no response was
                               received by the AX device.
No DNS response for request    Number of DNS requests for which no response was
                               received.
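
A single reading of the Table 51 counters says little; what an operator watches is how they move between two captures. The following is an added example, not part of the A10 documentation: it parses two captures of the show slb conn-rate-limit src-ip statistics output and reports the change in each counter. It assumes the counters are cumulative; the second capture, the function names, the finding codes, and the 10 percent alert level are constructed for illustration.

```python
import re

# First capture: the counter values from the example output on this page.
SNAPSHOT_T0 = """\
Sessions allocated 0
Sessions freed 0
Too many sessions consumed 0
Out of sessions 0
Threshold check count 1022000
Honor threshold count 20532
Threshold exceeded count 1001408
Lockout drops 60
Log messages sent 20532
DNS requests re-transmitted 1000
No DNS response for request 1021000
"""

# Second capture: constructed values, as if taken some time later.
SNAPSHOT_T1 = """\
Sessions allocated 0
Sessions freed 0
Too many sessions consumed 0
Out of sessions 3
Threshold check count 1032000
Honor threshold count 28532
Threshold exceeded count 1003208
Lockout drops 260
Log messages sent 28532
DNS requests re-transmitted 1000
No DNS response for request 1021000
"""

# A counter line is a label followed by one integer; prompt lines do not match.
_COUNTER = re.compile(r"^\s*(?P<name>\S.*?)\s+(?P<value>\d+)\s*$")


def parse_counters(text):
    """Map each counter label in the command output to its integer value."""
    counters = {}
    for line in text.splitlines():
        match = _COUNTER.match(line)
        if match:
            counters[match.group("name")] = int(match.group("value"))
    return counters


def counter_deltas(before, after):
    """Increase of each counter between two captures.

    A counter that went down is treated as having been reset between the
    captures, so its new value is used as the increase.
    """
    deltas = {}
    for name, new in after.items():
        old = before.get(name, 0)
        deltas[name] = new - old if new >= old else new
    return deltas


def assess(before_text, after_text, denied_ratio_alert=0.10):
    """Summarise the interval between two captures of the command output."""
    deltas = counter_deltas(parse_counters(before_text), parse_counters(after_text))
    checks = deltas.get("Threshold check count", 0)
    denied = deltas.get("Threshold exceeded count", 0)
    ratio = round(denied / checks, 4) if checks else 0.0
    findings = []
    if ratio >= denied_ratio_alert:
        findings.append("denied-ratio")        # many requests over the limit
    if deltas.get("Lockout drops", 0) > 0:
        findings.append("lockout-drops")       # at least one client locked out
    if (deltas.get("Out of sessions", 0) > 0
            or deltas.get("Too many sessions consumed", 0) > 0):
        findings.append("session-exhaustion")  # the feature ran short of sessions
    return {"deltas": deltas, "denied_ratio": ratio, "findings": findings}


if __name__ == "__main__":
    report = assess(SNAPSHOT_T0, SNAPSHOT_T1)
    print(report["denied_ratio"], report["findings"])
```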

show slb fast-http-proxy


Description

Show statistics for SLB fast-HTTP proxy.

Syntax

show slb fast-http-proxy [detail]

Mode

Privileged EXEC and all Config levels

Example

The following command shows summary fast-HTTP-proxy statistics:

AX#show slb fast-http-proxy
                            Total
------------------------------------------------------------------
Curr Proxy Conns            0
Total Proxy Conns           0
HTTP requests               0
HTTP requests(succ)         0
No proxy error              0
Client RST                  0
Server RST                  0
No tuple error              0
Parse req fail              0
Server selection fail       0
Fwd req fail                0
Fwd req data fail           0
Req retransmit              0
Req pkt out-of-order        0
Server reselection          0
Server premature close      0
Server conn made            0
Source NAT failure          0
Tot data before compress    0
Tot data after compress     0

Table 52 describes the fields in the command output.


TABLE 52 show slb fast-http-proxy fields
Field                       Description
Curr Proxy Conns            Number of currently active connections using the
                            fast-HTTP proxy.
Total Proxy Conns           Total number of connections that have used the
                            fast-HTTP proxy.
HTTP requests               Number of HTTP requests received by the fast-HTTP
                            proxy.
HTTP requests(succ)         Number of HTTP requests successfully fulfilled (by
                            establishing a connection to a real server).
No proxy error              Number of proxy errors.
Client RST                  Number of times TCP connections with clients were
                            reset.
Server RST                  Number of times TCP connections with servers were
                            reset.
No tuple error              Number of tuple errors.
Parse req fail              Number of times the HTTP parser failed to parse a
                            received HTTP request.
Server selection fail       Number of times selection of a real server failed.
Fwd req fail                Number of forward request failures.
Fwd req data fail           Number of forward request data failures.
Req retransmit              Number of retransmitted requests.
Req pkt out-of-order        Number of request packets received from clients out
                            of sequence.
Server reselection          Number of times initial selection of a real server for
                            an HTTP request failed (for example, due to a TCP
                            Reset sent by the server).
Server premature close      Number of times the connection with a server closed
                            prematurely.
Server conn made            Number of connections made with servers.
Source NAT failure          Number of source NAT failures.
Tot data before compress    These counters show statistics for HTTP compression,
Tot data after compress     in bytes.

Example

The following command shows detailed fast-HTTP-proxy statistics for each
data processor (DP):

AX#show slb fast-http-proxy detail
                            DP0     DP1     DP2     DP3     Total
------------------------------------------------------------------
Curr Proxy Conns            0       0       0       0       0
Total Proxy Conns           0       0       0       0       0
HTTP requests               0       0       0       0       0
HTTP requests(succ)         0       0       0       0       0
No proxy error              0       0       0       0       0
Client RST                  0       0       0       0       0
Server RST                  0       0       0       0       0
No tuple error              0       0       0       0       0
Parse req fail              0       0       0       0       0
Server selection fail       0       0       0       0       0
Fwd req fail                0       0       0       0       0
Fwd req data fail           0       0       0       0       0
Req retransmit              0       0       0       0       0
Req pkt out-of-order        0       0       0       0       0
Server reselection          0       0       0       0       0
Server premature close      0       0       0       0       0
Server conn made            0       0       0       0       0
Source NAT failure          0       0       0       0       0
Tot data before compress    0       0       0       0       0
Tot data after compress     0       0       0       0       0

show slb ftp


Description

Show SLB FTP statistics.

Syntax

show slb ftp

Mode

Privileged EXEC and all Config levels

Example

The following command shows SLB FTP statistics.

AX#show slb ftp
Total Control Sessions      0
Total ALG packets           0
ALG packets rexmitted       0
Out of Connections          0
Total Data Sessions         0
Out of Connections          0

Table 53 describes the fields in the command output.

TABLE 53 show slb ftp fields
Field                     Description
Total Control Sessions    Total number of FTP control sessions load-balanced by
                          the AX Series device.
Total ALG packets         Total number of Application Layer Gateway (ALG)
                          packets.
ALG packets rexmitted     Number of ALG packets that have been retransmitted.
Out of Connections        Number of times an FTP control session could not be
                          established because none of the real servers had
                          available connections.
Total Data Sessions       Total number of FTP data sessions load-balanced by the
                          AX Series device.
Out of Connections        Number of times an FTP data session could not be
                          established because none of the real servers had
                          available connections.

show slb geo-location


Description

Display geo-location information.

Syntax

show gslb geo-location
[
virtual-server-name |
port-num |
bad-only |
depth num |
id group-id |
ip ipaddr |
location location-name |
statistics
]

Option                    Description
virtual-server-name       Displays geo-location information for only the
                          specified virtual server.
port-num                  Displays geo-location information for only the
                          specified virtual port.
bad-only                  Displays only the invalid entries.
depth num                 Specifies how many nodes within the geo-location
                          data tree to display. For example, to display
                          only continent and country entries and hide
                          individual state and city entries, specify depth 2.
                          By default, the full tree (all nodes) is displayed.
                          You can specify 1-5.
id group-id               Displays geo-location information for only the
                          specified black/white-list group ID.
ip ipaddr                 Displays geo-location database entries for only
                          the specified IP address.
location location-name    Displays geo-location database entries for only
                          the specified location.
statistics                Displays statistics for the specified geo-location.

Mode

Privileged EXEC and all Config levels

Usage

Some options can be combined on the same command line. See the CLI
help for information.

show slb http-proxy


Description

Show statistics for SLB HTTP proxy.

Syntax

show slb http-proxy [detail]

Mode

Privileged EXEC and all Config levels

Example

The following command shows summary HTTP-proxy statistics:

AX#show slb http-proxy
                            Total
------------------------------------------------------------------
Curr Proxy Conns            2
Total Proxy Conns           3266
HTTP requests               3860
HTTP requests(succ)         3605
No proxy error              0
Client RST                  351
Server RST                  1
No tuple error              0
Parse req fail              0
Server selection fail       0
Fwd req fail                10
Fwd req data fail           0
Req retransmit              0
Req pkt out-of-order        0
Server reselection          0
Server premature close      0
Server conn made            1791
Source NAT failure          0
Tot data before compress    1373117
Tot data after compress     404410

Table 54 describes the fields in the command output.


TABLE 54 show slb http-proxy fields
Field                       Description
Curr Proxy Conns            Number of currently active HTTP connections using
                            the AX Series device as an HTTP proxy.
Total Proxy Conns           Total number of HTTP connections that have used the
                            AX Series device as an HTTP proxy.
HTTP requests               Total number of HTTP requests received by the HTTP
                            proxy.
HTTP requests(succ)         Number of HTTP requests received by the HTTP proxy
                            that were successfully fulfilled (by connection to a
                            real server).
No proxy error              Number of proxy errors.
Client RST                  Number of times TCP connections with clients were
                            reset.
Server RST                  Number of times TCP connections with servers were
                            reset.
No tuple error              Number of tuple errors.
Parse req fail              Number of times parsing of an HTTP request failed.
Server selection fail       Number of times selection of a real server failed.
Fwd req fail                Number of forward request failures.
Fwd req data fail           Number of forward request data failures.
Req retransmit              Number of retransmitted requests.
Req pkt out-of-order        Number of request packets received from clients out
                            of sequence.
Server reselection          Number of times a request was forwarded to another
                            server because the current server was failing.
Server premature close      Number of times the connection with a server closed
                            prematurely.
Server conn made            Number of connections made with servers.
Source NAT failure          Number of source NAT failures.
Tot data before compress    These counters show statistics for HTTP compression,
Tot data after compress     in bytes.

Example

The following command shows detailed HTTP-proxy statistics for each
data processor (DP):

AX#show slb http-proxy detail
                            DP0     DP1     DP2     DP3     Total
------------------------------------------------------------------
Curr Proxy Conns            0       0       0       2       2
Total Proxy Conns           0       1026    1102    1138    3266
HTTP requests               0       1218    1282    1360    3860
HTTP requests(succ)         0       1064    1176    1365    3605
No proxy error              0       0       0       0       0
Client RST                  0       102     118     131     351
Server RST                  0       0       1       0       1
No tuple error              0       0       0       0       0
Parse req fail              0       0       0       0       0
Server selection fail       0       0       0       0       0
Fwd req fail                0       5       3       2       10
Fwd req data fail           0       0       0       0       0
Req retransmit              0       0       0       0       0
Req pkt out-of-order        0       0       0       0       0
Server reselection          0       0       0       0       0
Server premature close      0       0       0       0       0
Server conn made            0       537     598     656     1791
Source NAT failure          0       0       0       0       0

show slb hw-compression


Description

Show statistics for hardware-based compression.

Syntax

show slb hw-compression

Mode

Privileged EXEC and all Config levels

Usage

Hardware-based compression is available using an optional hardware module in the following models: AX 2100, AX 2200, AX 3100, and AX 3200.
If this command does not appear on your AX device, the device does not
contain a compression module.

Example

The following commands enable hardware-based compression and display
statistics for the feature:

AX(config)#show slb hw-compression
Hardware compression device is installed.
Hardware compression module is enabled.
                            Total
------------------------------------------------------------------
total request count         177157
total submit count          177157
total response count        177157
total failure count         0
last failure code           0
compression queue full      0
max queued request count    84
max queued submit count     68

show slb l4
Description

Show Layer-4 SLB statistics.

Syntax

show slb l4 [detail]

Mode

Privileged EXEC and all Config levels

Example

The following command shows summary statistics for Layer 4 SLB:

AX#show slb l4
                            Total
------------------------------------------------------------------
IP out noroute              0
TCP out RST                 0
TCP out RST no SYN          0
TCP out RST L4 proxy        0
TCP out RST ACK attack      0
TCP out RST aFleX           0
TCP out RST stale sess      2
TCP out RST TCP proxy       1906748
TCP SYN received            17556
TCP SYN cookie snt          3276
TCP SYN cookie snt fail     0
TCP received                2014764
UDP received                0
Server sel failure          0
Source NAT failure          0
TCP SYN cookie failed       18
No vport drops              0
No SYN pkt drops            0
No SYN pkt drops - FIN      0
No SYN pkt drops - RST      0
No SYN pkt drops - ACK      0
Conn Limit drops            0
Conn Limit resets           0
Conn rate limit drops       0
Conn rate limit resets      0
Proxy no sock drops         0
aFleX drops                 0
TCP Session aged out        0
UDP Session aged out        0
Other Session aged out      0
TCP no SLB                  0
UDP no SLB                  0
SYN Throttle                0
Inband HM retry             0
Inband HM reassign          0

Table 55 describes the fields in the command output.


TABLE 55 show slb l4 fields
Field                      Description
IP out noroute             Number of IP packets that could not be routed.
TCP out RST                Number of TCP Resets sent.
TCP out RST no SYN         Number of Resets sent for which there was no SYN.
TCP out RST L4 proxy       Number of TCP Reset packets the AX device has sent as
                           a Layer 4 proxy.
TCP out RST ACK attack     Number of TCP Resets sent in response to a TCP ACK
                           attack.
TCP out RST aFleX          Number of TCP Reset packets the AX device has sent
                           due to an aFleX policy.
TCP out RST stale sess     Number of TCP Reset packets the AX device has sent
                           due to stale TCP sessions.
TCP out RST TCP proxy      Number of TCP Reset packets the AX device has sent as
                           a TCP proxy.
TCP SYN received           Number of TCP SYN packets received.
TCP SYN cookie snt         Number of TCP SYN cookies sent.
TCP SYN cookie snt fail    Number of TCP SYN cookie send attempts that failed.
TCP received               Number of TCP packets received.
UDP received               Number of UDP packets received.
Server sel failure         Number of times selection of a real server failed.
Source NAT failure         Number of times a source NAT failure occurred.
TCP SYN cookie failed      Number of times a TCP SYN cookie failure occurred.
No vport drops             Number of times traffic was dropped because the
                           requested virtual port was not available.
No SYN pkt drops           Number of SYN packets dropped.
No SYN pkt drops - FIN     Number of SYN packets dropped due to a TCP FIN.
No SYN pkt drops - RST     Number of SYN packets dropped due to a TCP Reset.
TABLE 55 show slb l4 fields (Continued)
Field
No SYN pkt
drops - ACK
Conn Limit
drops
Conn Limit
resets
Conn rate limit
drops
Conn rate limit
resets
Proxy no sock
drops
aFleX drops
TCP Session
aged out
UDP Session
aged out
Other Session
aged out
TCP no SLB

Description
Number of SYN packets dropped due to an ACK.
Number of connections dropped because the server connection limit had been reached.
Number of connections reset because the server connection
limit had been reached.
Number of connections dropped by connection rate limiting.
Number of connections reset by connection rate limiting.
Number of packets dropped because the proxy did not have
an available socket.
Number of packets dropped due to an aFleX policy.
Number of TCP sessions that have aged out.
Number of UDP sessions that have aged out.

UDP no SLB
SYN Throttle
Inband HM retry

Inband HM
reassign

Example

Number of sessions of other types (not TCP or UDP) that


have aged out.
Number of non-SLB TCP packets received by the AX
device.
Number of non-SLB UDP packets received by the AX
device.
Number of SYN packets that have been throttled.
Number of times the AX device retried an inband health
check, because a SYN-ACK was not received for the previous SYN.
Number of times the AX device reassigned a clients traffic
to another server, because the initial server exceeded the
maximum number of retries allowed by the inband health
check.

The following command shows detailed Layer 4 SLB statistics for each data
processor (DP):

AX#show slb l4 detail
                          DP0       DP1       DP2       DP3       Total
------------------------------------------------------------------
IP out noroute            0         0         0         0         0
TCP out RST               0         0         0         0         0
TCP out RST no SYN        0         0         0         0         0
TCP out RST L4 proxy      0         0         0         0         0
TCP out RST ACK attack    0         0         0         0         0
TCP out RST aFleX         0         0         0         0         0
TCP out RST stale sess    0         0         1         1         2
TCP out RST TCP proxy     0         618892    617473    670383    1906748
TCP SYN received          0         5476      5963      6118      17557
TCP SYN cookie snt        0         1029      1105      1142      3276
TCP SYN cookie snt fail   0         0         0         0         0
TCP received              0         645686    651307    717772    2014765
UDP received              0         0         0         0         0
server sel failure        0         0         0         0         0
Source NAT failure        0         0         0         0         0
TCP SYN cookie failed     0         5         6         7         18
No vport drops            0         0         0         0         0
No SYN pkt drops          0         0         0         0         0
No SYN pkt drops - FIN    0         0         0         0         0
No SYN pkt drops - RST    0         0         0         0         0
No SYN pkt drops - ACK    0         0         0         0         0
Conn Limit drops          0         0         0         0         0
Conn Limit resets         0         0         0         0         0
Conn rate limit drops     0         0         0         0         0
Conn rate limit resets    0         0         0         0         0
Proxy no sock drops       0         0         0         0         0
aFleX drops               0         0         0         0         0
Session aged out          0         24        24        19        67
TCP no SLB                0         0         0         0         0
UDP no SLB                0         0         0         0         0
SYN Throttle              0         0         0         0         0
Inband HM retry           0         0         0         0         0
Inband HM reassign        0         0         0         0         0
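
The show slb l4 counters are cumulative, so they are most useful for monitoring as increases between two polls. The following Python is an added example, not part of the A10 reference: it parses summary show slb l4 output and reports which attack-related counters from Table 55 increased. The watched-counter list, the 0.5 SYN-cookie ratio threshold, and the second snapshot are assumptions of this example; the first snapshot reuses values from the summary example above.

```python
import re

# Counters from Table 55 that rise while the device is absorbing hostile or
# excess traffic. This selection is the example's assumption.
WATCHED = (
    "TCP out RST ACK attack",
    "TCP SYN cookie snt",
    "TCP SYN cookie failed",
    "No SYN pkt drops",
    "Conn Limit drops",
    "Conn rate limit drops",
    "SYN Throttle",
)

# A counter row is a label, whitespace, then an integer at end of line.
ROW = re.compile(r"^(?P<name>\S.*?)\s+(?P<value>\d+)\s*$")

# First poll: subset of the values shown in the summary example on this page.
SNAPSHOT_1 = """\
AX#show slb l4
                            Total
------------------------------------------------------------------
TCP out RST ACK attack      0
TCP SYN received            17556
TCP SYN cookie snt          3276
TCP SYN cookie failed       18
No SYN pkt drops - FIN      0
Conn rate limit drops       0
SYN Throttle                0
"""

# Second poll: constructed values for illustration only.
SNAPSHOT_2 = """\
AX#show slb l4
                            Total
------------------------------------------------------------------
TCP out RST ACK attack      5
TCP SYN received            27556
TCP SYN cookie snt          11276
TCP SYN cookie failed       30
No SYN pkt drops - FIN      0
Conn rate limit drops       0
SYN Throttle                0
"""


def parse_l4(text):
    """Parse summary 'show slb l4' output into {counter name: int}.

    The prompt line, the 'Total' header and the dashed rule do not end in a
    whitespace-separated integer, so they are skipped.
    """
    counters = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def delta(prev, curr):
    """Per-counter increase between two polls.

    A counter that went backwards is treated as reset (reload or cleared
    statistics), so its current value is taken as the increase.
    """
    out = {}
    for name, now in curr.items():
        before = prev.get(name, 0)
        out[name] = now - before if now >= before else now
    return out


def findings(prev_text, curr_text, cookie_ratio_alert=0.5):
    """Summarise security-relevant movement between two polls."""
    d = delta(parse_l4(prev_text), parse_l4(curr_text))
    increased = [(n, d[n]) for n in WATCHED if d.get(n, 0) > 0]
    syn = d.get("TCP SYN received", 0)
    # Share of new SYNs answered with a SYN cookie in this interval.
    ratio = d.get("TCP SYN cookie snt", 0) / syn if syn else 0.0
    ack_attack = d.get("TCP out RST ACK attack", 0) > 0
    return {
        "increased": increased,
        "syn_cookie_ratio": round(ratio, 3),
        "alert": ack_attack or ratio >= cookie_ratio_alert,
    }


if __name__ == "__main__":
    report = findings(SNAPSHOT_1, SNAPSHOT_2)
    for name, inc in report["increased"]:
        print(f"{name}: +{inc}")
    print("SYN cookie ratio:", report["syn_cookie_ratio"])
    print("alert:", report["alert"])
```
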

show slb passthrough


Description

Display statistics for pass-through TCP sessions. A pass-through TCP session is one that is not terminated by the AX device (for example, a session
for which the AX device is not serving as a proxy for SLB).

Syntax

show slb passthrough

Mode

Privileged EXEC and all Config levels

Example

The following command displays TCP pass-through session statistics:

AX#show slb passthrough
Request packets:       10741       Response packets:    38195
Request bytes:         570272      Response bytes:      56562872
Current connections:   0           Total connections:   4

show slb performance


Description

Show SLB performance statistics.

Syntax

show slb performance
[interval number [detail]]
[{l4cpi | l7cpi | l7tpi | natcpi | sslcpi}
[detail]]

Option              Description
interval number     Automatically refreshes the output at the specified
                    interval. The interval can be 1-32 seconds. If you omit
                    this option, the output is shown one time. If you use
                    this option, the output is repeatedly refreshed at the
                    specified interval until you press ctrl+c.
l4cpi               Shows only Layer 4 connections per interval.
l7cpi               Shows only Layer 7 connections per interval.
l7tpi               Shows only Layer 7 transactions per interval.
natcpi              Shows only Network Address Translation (NAT)
                    connections per interval.
sslcpi              Shows only SSL connections per interval.
detail              This option is not used in the current release.

Mode

Privileged EXEC and all Config levels

Example

The following command shows SLB performance statistics:

AX#show slb performance
Refreshing SLB performance every 1 seconds. (press ^C to quit)
Note: cpi conn/interval, tpi transactions/interval
CPU Usage   L4cpi     L7cpi     L7tpi     SSLcpi    Natcpi    Time
------------------------------------------------------------------------
8/9         0         0         0         0         0         11:46:10
4/4         4222      0         0         0         0         11:46:11
4/4         3         0         0         0         0         11:46:12

Table 56 describes the fields in the command output.

TABLE 56 show slb performance fields
Field                       Description
Refreshing SLB              Interval at which the statistics are refreshed.
performance every #
seconds
CPU Usage                   Utilization on each data CPU.
                            Each number is the utilization on one data CPU. In
                            the example shown above, the AX model has three
                            data CPUs, and the utilization on each one is 1%.
L4cpi                       Layer 4 connections per interval.
L7cpi                       Layer 7 connections per interval.
L7tpi                       Layer 7 transactions per interval.
SSLcpi                      SSL connections per interval.
Natcpi                      NAT connections per interval.
Time                        System time when the statistics were collected.

show slb persist


Description

Show persistence load-balancing statistics.

Syntax

show slb persist [detail]

Example

The following command shows summary persistence statistics:

AX#show slb persist
                            Total
------------------------------------------------------------------
URL hash persist(pri)       0
URL hash persist(sec)       0
URL hash persist fail       0
SRC IP persist ok           0
SRC IP persist fail         0
SRC IP hash persist(pri)    0
SRC IP hash persist(sec)    0
SRC IP hash persist fail    0
DST IP persist ok           0
DST IP persist fail         0
DST IP hash persist(pri)    0
DST IP hash persist(sec)    0
DST IP hash persist fail    0
SSL SID persist ok          0
SSL SID persist fail        0
Cookie persist ok           0
Cookie persist fail         0
Persist cookie not found    0

Table 57 describes the fields in the command output.


TABLE 57 show slb persist fields
Field                       Description
URL hash persist(pri)       Number of requests successfully sent to the primary
                            server selected by URL hashing. The primary server
                            is the one that was initially selected and then
                            re-used based on the hash value.
URL hash persist(sec)       Number of requests that were sent to another server
                            (a secondary server) because the primary server
                            selected by URL hashing was unavailable.
URL hash persist fail       Number of requests that could not be fulfilled
                            using URL hashing.
SRC IP persist ok           Number of requests successfully sent to the same
                            server as previous requests from the same client,
                            based on source-IP persistence.
SRC IP persist fail         Number of requests that could not be fulfilled by
                            the same server as previous requests from the same
                            client, based on source-IP persistence.
SRC IP hash persist(pri)    These fields are used by A10 Networks technical
SRC IP hash persist(sec)    support for troubleshooting.
SRC IP hash persist fail
DST IP persist ok           Number of requests that were sent to the same
                            resource, based on destination-IP persistence.
DST IP persist fail         Number of requests that were sent to the same
                            resource based on destination-IP persistence.
DST IP hash persist(pri)    These fields are used by A10 Networks technical
DST IP hash persist(sec)    support for troubleshooting.
DST IP hash persist fail
SSL SID persist ok          Number of requests successfully sent to the same
                            server as previous requests that had the same SSL
                            session ID, based on SSL session-ID persistence.
SSL SID persist fail        Number of requests that could not be fulfilled by
                            the same server as previous requests that had the
                            same SSL session ID, based on SSL session-ID
                            persistence.
Cookie persist ok           Number of requests successfully sent to the same
                            server as previous requests based on a persistence
                            cookie.
Cookie persist fail         Number of requests that could not be fulfilled by
                            the same server as previous requests based on a
                            persistence cookie.
Persist cookie not found    Number of requests in which a persistence cookie
                            was not found in the request header.

show slb rate-limit-logging


Description

Show log rate-limiting statistics.

Syntax

show slb rate-limit-logging [detail]

Mode

Privileged EXEC and all Config levels

Example

The following command shows log rate-limiting statistics:

AX#show slb rate-limit-logging
                            Total
------------------------------------------------------------------
Total log times             51
Total log messages          26
Local log messages          190
Remote log messages         1959
Local rate (per sec)        32
Remote rate (per sec)       453
Log message too big         0
No route                    0
Buffer alloc fail           0
Buffer send fail            0
Log-session alloc           15
Log-session free            15
Log-session alloc fail      0
No repeat message           4

Table 58 describes the fields in the command output.


TABLE 58 show slb rate-limit-logging fields
Field                       Description
Total log times             Total number of times log rate limiting has been
                            used.
Total log messages          Total number of log messages generated by the AX
                            device.
                            Note: The AX device combines repeated messages into
                            a single message. For this reason, the Total log
                            times count will differ from the Total log messages
                            count.
Local log messages          Total number of log messages in the AX device's log
                            buffer. These messages can be displayed using the
                            show log command.
Remote log messages         Total number of log messages the AX device has sent
                            to external log servers.
Local rate (per sec)        Number of messages sent to the AX device's log
                            buffer during the most recent one-second interval.
Remote rate (per sec)       Number of messages sent to external log servers
                            during the most recent one-second interval.
Log message too big         Number of log messages dropped by the AX device
                            because they were too long.
No route                    Number of log messages dropped by the AX device
                            because the device did not have a route to the log
                            server.
Buffer alloc fail           Number of times the AX device was unable to
                            allocate a buffer for sending a log message to an
                            external log server.
Buffer send fail            Number of times the AX device was unable to send a
                            log message that had been placed in the buffer for
                            sending to an external log server.
Log-session alloc           Number of times the AX device allocated a log
                            session for repeated log messages.
Log-session free            Number of times the AX device freed a log session
                            that was allocated for repeated log messages.
Log-session alloc fail      Number of times the AX device was unable to
                            allocate a log session for repeated log messages.
No repeat message           Number of times there was no repeated message for a
                            log session allocated for repeated messages.

show slb server


Description

Show information about real servers.

Syntax

show slb server
[[server-name [port-num] detail] config |
connection-reuse]
[all-partitions | partition name]

Option              Description
server-name         Shows information only for the specified server or
[[port-num]         port. If you omit this option, information is shown for
detail]             all real servers and ports.
                    The detail option shows statistics for the specified
                    server or port. This option also displays the name of
                    the server or port template bound to the server or port.
config              Shows the SLB configuration of the real servers.
connection-reuse    Shows connection-reuse state information and statistics
                    for the real servers.

Mode

Privileged EXEC and all Config levels

Usage

To display server information for a specific Role-Based Administration
(RBA) partition only, use the partition name option.

Example

The following command shows SLB statistics for real server mhs001:

AX#show slb server mhs001
Total Number of Services configured on Server mhs001: 3
Current = Current Connections, Total = Total Connections
Fwd-pkt = Forward packets, Rev-pkt = Reverse packets
Service          Current   Total     Fwd-pkt   Rev-pkt   State/Rsp Time
------------------------------------------------------------------------------
mhs001:25/tcp    0         481       0         0         Up /116 ms
mhs001:80/tcp    23        320543    1732383   1263164   Up /60 ms
mhs001:587/tcp   0         0         0         0         Up /92 ms
mhs001: Total    23        321024    1732383   1263164   Up

Table 59 describes the fields in the command output.


TABLE 59 show slb server fields
Field                       Description
Total Number of             Total number of services configured on the AX
Services configured         Series device (if a server name is not specified)
                            or on the specified server.
Service                     Real server name, service protocol port, and
                            transport protocol (TCP or UDP).
Current                     Current number of connections to the service.
Total                       Total number of connections to the service.
Fwd-pkt                     Number of request packets received for the service.
Rev-pkt                     Number of response packets sent on behalf of the
                            real server.
State                       Current state of the service:
                            Up
                            Down
                            Disabled
Rsp Time                    Response time of the server.

Example

The following command shows details for a real port on a server:

AX(config)#show slb server dang1 80 detail
Server name:              dang1
Port:                     1.1.1.1:80
State:                    Up
Port template:            default
Health check:             default
Current connection:       53
Current request:          42
Total connection:         10011
Total request:            20090
Total request success:    20089
Total forward bytes:      36378463
Total forward packets:    378463
Total reverse bytes:      463784638
Total reverse packets:    3784638

Table 60 describes the fields in the command output.


TABLE 60 show slb server <server-name> <portnum> detail fields
Field                       Description
Server name                 Name of the server.
Port                        Real port number.
State                       Current state of the service:
                            Up
                            Down
                            Disabled
Port template               Name of the real port template bound to the port.
Health check                Name of the health monitor used to check the health
                            of the real port.
Current connection          Current number of connections to the port.
Current request             Current number of HTTP requests being processed by
                            the port.
                            Note: In this field and the Total request and Total
                            request success fields, Layer 7 requests are
                            counted only if Layer 7 request accounting is
                            enabled. See slb enable-l7-req-acct on page 285.
Total connection            Total number of connections that have been made to
                            the port.
Total request               Total number of HTTP requests processed by the
                            port.
Total request success       Total number of HTTP requests that were successful.
Total forward bytes         Number of request bytes forwarded to the port.
Total forward packets       Number of request packets forwarded to the port.
Total reverse bytes         Number of request bytes received from the port.
Total reverse packets       Number of request packets received from the port.

The following command displays detailed information for the hostname
server. The configuration details are shown first, followed by details for the
dynamically created servers.

AX#show slb server s-test1 detail
Server name:               s-test1
Hostname:                  s1.test.com
Last DNS reply:            Tue Nov 17 03:41:59 2009
State:                     Up
Server template:           temp-server
DNS query interval:
Minimum TTL ratio:
Maximum dynamic server:    16
Health check:              none
Current connection:
Current request:
Total connection:          1919
Total request:             1919
Total request success:     1877
Total forwarded byte:      546650
Total forwarded packet:    5715
Total received byte:       919730
Total received packet:     5631
Dynamic server name:       DRS-10.4.2.5-s1.test.com
Last DNS reply:            Tue Nov 17 03:41:59 2009
TTL:                       4500
State:                     Up
Server template:           test
DNS query interval:
Minimum TTL ratio:         15
Maximum dynamic server:    1023
Health check:              none
Current connection:
Current request:
Total connection:          1919
Total request:             1919
Total request success:     1877
Total forward bytes:       546650
Total forward packets:     5715
Total reverse bytes:       919730
Total reverse packets:     5631

Example

The following command shows SLB configuration information for real
servers:

AX#show slb server config
Total Number of Services configured: 30
H-check = Health check
Max conn = Max. Connection
Wgt = Weight
Service                  Address           H-check   Status    Max conn   Wgt
------------------------------------------------------------------------------
1_yahoo_finance:80/tcp   69.147.86.163     None      Enable    1000000    1
1_yahoo_finance          69.147.86.163     None      Enable    1000000    1
1_cybozu:80/tcp          202.218.147.129   None      Enable    1000000    1
1_cybozu                 202.218.147.129   None      Enable    1000000    1
win20:25/tcp             172.22.66.20      Default   Enable    1000000    1
win20                    172.22.66.20      ping      Disable   1000000    1
win21:25/tcp             172.22.66.21      Default   Enable    1000000
--MORE--

Table 61 describes the fields in the command output.


TABLE 61 show slb server config fields
Field                       Description
Total Number of             Total number of SLB services configured on the AX
Services configured         Series device.
Service                     Real server name, service protocol port, and
                            transport protocol (TCP or UDP).
Address                     Real IP address of the server.
H-check                     Health check enabled for the service:
                            None - No health check has been applied to the
                            service.
                            Default - The default health monitor for the
                            service type was automatically applied to the
                            service by the AX Series device.
                            Name of a configured health monitor (for example,
                            ping) - The named health monitor was applied to
                            the service by an AX administrator.
Status                      Current administrative status of the service:
                            Enable
                            Disable
Max conn                    Maximum number of connections allowed to the
                            service.
Wgt                         Administrative weight assigned to the service.

Example

The following command shows connection-reuse state information and statistics for real servers:

AX#show slb server connection-reuse
Total Number of Services configured: 30
Service                  State   Persistent-Conn
----------------------------------------------------
1_yahoo_finance:80/tcp   Up      0
1_cybozu:80/tcp          Up
win20:25/tcp             Down
win21:25/tcp             Up      0
win21:110/tcp            Up      0
win21:80/tcp             Up      0
win21:443/tcp            Down    0
linux22:25/tcp           Disb    0
linux22:80/tcp           Up      0
linux22:53/udp           Disb    0
linux23:25/tcp           Down    0
linux23:80/tcp           Down    0
linux23:53/udp           Down    0

Table 62 describes the fields in the command output.

TABLE 62 show slb server connection-reuse fields
Field                       Description
Total Number of             Total number of SLB services configured on the AX
Services configured         Series device.
Service                     Real server name, service protocol port, and
                            transport protocol (TCP or UDP).
State                       Current state of the service:
                            Up
                            Down
                            Disabled
Persistent-Conn             Number of connections sent to the server by the
                            persistence feature.

show slb service-group


Description

Show SLB service-group information.

Syntax

show slb service-group [group-name] [config]
[all-partitions | partition name]

Option              Description
group-name          Shows information only for the specified service group.
                    If you omit this option, information is shown for all
                    service groups configured on the AX Series device.
config              Shows the SLB configuration of the service groups.

Mode

Privileged EXEC and all Config levels

Usage

To display service-group information for a specific Role-Based Administration (RBA) partition only, use the partition name option.

Example

The following command shows statistics for SLB service groups:

AX#show slb service-group
Total Number of Service Groups configured: 4
Current = Current Connections, Total = Total Connections
Fwd-p = Forward packets, Rev-p = Reverse packets
Service Group Name
Service             Current   Total     Fwd-p     Rev-p
-----------------------------------------------------------------------
*louis              State: Functional Up
1.168:80            0         0         0         0
20.29:80            1         1         1         4
1.167:80            0         0         0         0
*flu                State: All Up
20.29:80            0
*test               State: All Up
20.29:22            0

Table 63 describes the fields in the command output.


TABLE 63 show slb service-group fields
Field                       Description
Total Number of             Total number of SLB service groups configured on
Service Groups              the AX Series device.
configured
Service Group Name          Name of the service group.
State                       Indicates the state of the service group:
                            All Up - All service ports on all real servers in
                            the service group are up.
                            Functional Up - Each service port number is up on
                            at least one real server in the service group.
                            Partially Up - Some service ports are up but
                            others are down.
                            Down - Either all the service ports are down, or
                            some but not all of them are Disabled.
                            Disabled - All the service ports are disabled.
Current                     Current number of connections to the service.
Total                       Total number of connections to the service.
Req-p                       Total number of request packets received by the AX
                            Series device for the service.
Resp-p                      Total number of server response packets sent to
                            clients by the AX Series device on behalf of real
                            servers.

Example

The following command shows configuration information and statistics for
SLB service group louis:

AX#show slb service-group louis
Service group name: louis State: Disb
Service selection fail drop: 2
Service selection fail reset: 1
Service: s-4-2-1:80 DOWN
Request packets: 6 Response packets: 0
Request bytes: 360 Response bytes: 0
Current connections: 2 Persistent connections: 0
Current requests: 0 Total requests: 0
Total connections: 3 Response time: 0.00 msec
Total requests succ: 0
Service: s-2-2-1:80 DOWN
Forward packets: 12 Reverse packets: 9
Forward bytes: 951 Reverse bytes: 396
Current connections: 0 Persistent connections: 0
Current requests: 0 Total requests: 0
Total connections: 3 Response time: 0.00 msec
Total requests succ: 0

Table 64 describes the fields in the command output.


TABLE 64 show slb service-group <group-name> fields
Field                       Description
Service group name          Name of the service group.
State                       Indicates the state of the service group:
                            All Up - All service ports on all real servers in
                            the service group are up.
                            Functional Up - Each service port number is up on
                            at least one real server in the service group.
                            Partially Up - Some service ports are up but
                            others are down.
                            Down - Either all the service ports are down, or
                            some but not all of them are Disabled.
                            Disabled - All the service ports are disabled.
Service selection fail      Number of server selection failures for which the
drop                        AX device dropped the client request.
Service selection fail      Number of server selection failures for which the
reset                       AX device sent a RST to the client.
Service                     Service bound to the service group. Also indicates
                            the state of the service.
Forward packets             Total number of request packets received by the AX
                            Series device for the service.
Reverse packets             Total number of server response packets sent to
                            clients by the AX Series device on behalf of real
                            servers.
Forward bytes               Total number of request bytes received by the AX
                            Series device for the service.
Reverse bytes               Total number of server response bytes sent to
                            clients by the AX Series device on behalf of real
                            servers.
Current connections         Current number of connections to the service.
Persistent connections      Number of connections established on the server due
                            to an SLB persistence feature.
Current requests            Current number of HTTP requests being processed by
                            the server.
                            Note: In this field and the Total Requests and
                            Total requests success fields, Layer 7 requests are
                            counted only if Layer 7 request accounting is
                            enabled. See slb enable-l7-req-acct on page 285.
Total requests              Total number of HTTP requests processed by the
                            server.
Total connections           Total number of connections to the service.
Response time               Server response time.
Total requests succ         Total number of HTTP requests that were successful.

Example

The following command shows configuration information for SLB service
groups:

AX#show slb service-group config
Total Number of Service Groups configured: 21
Service group name: c172-80
Type: tcp
Distribution: Round Robin
Health Check: None
Member Count:3
Member3: c1721:80
Priority: 1
Member2: c1722:80
Priority: 1
Member1: c1723:80
Priority: 1
Service group name: linux80
Type: tcp
Distribution: Round Robin
Health Check: None
Member Count:2
Member2: linux22:80
Priority: 1
Member1: linux23:80
Priority: 1
Service group name: 1_sg_cybozu_80
Type: tcp
Distribution: Round Robin
Health Check: None
Member Count:1
Member1: 1_cybozu:80
Priority: 1
--MORE--

Table 65 describes the fields in the command output.


TABLE 65 show slb service-group config fields
Field                       Description
Total Number of             Total number of SLB service groups configured on
Service Groups              the AX Series device.
configured
Service group name          Name of the service group.
Type                        Transport protocol used to reach the service, TCP
                            or UDP.
Health Check                Name of the health monitor assigned to the service
                            group.
Distribution                Load-balancing method used by the service group to
                            select real servers.
Member Count                Number of real servers in the group.
Member n                    Member number, assigned by the AX Series for use in
                            this show command's output.
Priority                    Priority assigned to the member when it was added
                            to the group.

The following command displays service-group information. A separate
row of information appears for each dynamically created member.

AX#show slb service-group
Total Number of Service Groups configured: 40
Current = Current Connections, Total = Total Connections
Fwd-p = Forward packets, Rev-p = Reverse packets
Service Group Name
Service  Current  Total  Fwd-p  Rev-p
-----------------------------------------------------------------------
*sg-test  State: All Up
DRS-10.4.2.6-s2.test.com:80
DRS-10.4.2.5-s1.test.com:80  36  1919  5714  5631
s-test2:80  53  265  212

The following command displays detailed statistics for the dynamically created service-group members:
AX#show slb service-group sg-test
Service group name: sg-test

State: All Up

Service selection fail drop:

Service selection fail reset:

Service: DRS-10.4.2.6-s2.test.com:80
Forward packets:

UP

Reverse packets:

Forward bytes:

Reverse bytes:

Current connections:

Persistent connections:

Current requests:

Total requests:

Total connections:

Response time: 0.00

Total requests succ:

Service: DRS-10.4.2.5-s1.test.com:80
Forward packets:
Forward bytes:

5715

0
0
msec

UP

Reverse packets:

546650

5631

Reverse bytes:

919730

Current connections:

10

Persistent connections:

Current requests:

10

Total requests:

Total connections:

1919

Total requests succ:

1919

Response time: 0.00

msec

1877

Service: s-test1:80

UP

Forward packets:
Forward bytes:

450

Reverse packets:

31500

Reverse bytes:

360
44820

Current connections:

Persistent connections:

Current requests:

Total requests:

Total connections:

90

Response time: 0.00

Total requests succ:

1877

0
msec

show slb sip


Description

Display SIP SLB statistics.

Syntax

show slb sip [detail]

Mode

Privileged EXEC and all Config levels

Example

The following command shows SIP SLB statistics:

AX#show slb sip
                            Total
------------------------------------------------------------------
Curr Proxy Conns            0
Total Proxy Conns           115
Client message              125
Client message (fail)       0
Server message              12
Server message (fail)       0
Client request              119
Client request (succ)       12
Client RST                  0
Server RST                  113
Parse message fail          0
Server selection fail       0
Server conn made            115
Source NAT failure          0

Table 52 describes the fields in the command output.


TABLE 66 show slb sip fields
Field                       Description
Curr Proxy Conns            Current number of SIP connections between the AX device and SIP servers.
Total Proxy Conns           Total number of SIP connections between the AX device and SIP servers.
Client message              Total number of SIP messages received from clients.
Client message (fail)       Number of SIP messages received from clients that were not forwarded to servers.
Server message              Total number of SIP messages received from servers.
Server message (fail)       Number of SIP messages received from servers that were not forwarded to clients.
Client request              Total number of SIP requests received from clients.
Client request (succ)       Number of SIP requests received from clients that were successful.
Client RST                  Number of times TCP connections with clients were reset.
Server RST                  Number of times TCP connections with servers were reset.
Parse message fail          Number of times the SIP parser failed to parse a received SIP request.
Server selection fail       Number of times selection of a real server failed.
Server conn made            Number of connections made with servers.
Source NAT failure          Number of source NAT failures.

show slb smtp


Description

Shows SLB information for SMTP.

Syntax

show slb smtp [detail]

Mode

Privileged EXEC and all Config levels

Example

The following command shows summary SMTP SLB statistics:

AX#show slb smtp
                            Total
------------------------------------------------------------------
Current proxy conns         0
Total proxy conns           0
SMTP requests               0
SMTP requests (success)     0
No proxy error              0
Client reset                0
Server reset                0
No tuple error              0
Parse request failure       0
Server selection failure    0
Forward request failure     0
Forward REQ data failure    0
Request retransmit          0
Request pkt out-of-order    0
Server reselection          0
Server premature close      0
Server connection made      0
Source NAT failure          0

Table 67 describes the fields in the command output.


TABLE 67 show slb smtp fields
Field                       Description
Current proxy conns         Number of currently active SMTP connections using the AX Series device as an SMTP proxy.
Total proxy conns           Total number of SMTP connections that have used the AX Series device as an SMTP proxy.
SMTP requests               Total number of SMTP requests received by the SMTP proxy.
SMTP requests (success)     Number of SMTP requests received by the AX Series device that were successfully fulfilled (by connection to a real server).
No proxy error              Number of proxy errors.
Client reset                Number of times TCP connections with clients were reset.
Server reset                Number of times TCP connections with servers were reset.
No tuple error              Number of tuple errors.
Parse request failure       Number of times parsing of an SMTP request failed.
Server selection failure    Number of times selection of a real server failed.
Forward request failure     Number of forward request failures.
Forward REQ data failure    Number of forward request data failures.
Request retransmit          Number of retransmitted requests.
Request pkt out-of-order    Number of request packets received from clients out of sequence.
Server reselection          Number of times a request was forwarded to another server because the current server was failing.
Server premature close      Number of times the connection with a server closed prematurely.
Server connection made      Number of connections made with servers.
Source NAT failure          Number of source NAT failures.

Example

The following command shows detailed SMTP SLB statistics for each data
processor (DP):

AX#show slb smtp detail
                            DP0        DP1        DP2        Total
------------------------------------------------------------------
Current proxy conns         0          0          0          0
Total proxy conns           0          0          0          0
SMTP requests               0          0          0          0
SMTP requests (success)     0          0          0          0
No proxy error              0          0          0          0
Client reset                0          0          0          0
Server reset                0          0          0          0
No tuple error              0          0          0          0
Parse request failure       0          0          0          0
Server selection failure    0          0          0          0
Forward request failure     0          0          0          0
Forward REQ data failure    0          0          0          0
Request retransmit          0          0          0          0
Request pkt out-of-order    0          0          0          0
Server reselection          0          0          0          0
Server premature close      0          0          0          0
Server connection made      0          0          0          0
Source NAT failure          0          0          0          0

show slb ssl


Description

Show SLB information for SSL.

Syntax

show slb ssl {cert | crl | stats}
[all-partitions | partition name]

Option                      Description
cert                        Shows information about the certificates on the AX device.
crl                         Shows information about the Certificate Revocation Lists (CRLs) imported onto the AX device.
stats                       Shows SSL SLB statistics.

Mode

Privileged EXEC and all Config levels

Usage

To display SSL information for a specific Role-Based Administration (RBA) partition only, use the partition name option.

Example

The following command shows SSL certificate information:

AX#show slb ssl cert


name: dang
type: certificate/key
Common Name:Dan G
Organization:Techpubs
Expiration: Jul 28 03:23:17 2008 GMT
Issuer: Self
key size: 512
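
The Expiration, Issuer and key size fields in this output are the ones worth checking on every certificate the device holds. The following is an added example, not part of the A10 reference: a Python sketch that parses text in the layout shown above and reports expired, soon-to-expire, short-key and self-signed certificates. The 2048-bit floor, the 30-day warning window, the rule that a "name:" line starts a record, and the second sample record are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the "show slb ssl cert" output above.
# The first record repeats the page's example; the second is invented for contrast.
SAMPLE = """\
AX#show slb ssl cert
name: dang
type: certificate/key
Common Name:Dan G
Organization:Techpubs
Expiration: Jul 28 03:23:17 2008 GMT
Issuer: Self
key size: 512

name: example-web
type: certificate/key
Common Name:www.example.com
Organization:Example
Expiration: Jan 15 12:00:00 2031 GMT
Issuer: Example CA
key size: 2048
"""

MIN_KEY_BITS = 2048   # assumed policy floor, not an AX default
WARN_DAYS = 30        # assumed renewal warning window


def parse_certs(text):
    """Return one dict per certificate; a 'name:' line starts a new record."""
    certs, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue  # prompt line, blank line, or other non-field text
        key, _, value = line.partition(":")  # split on the FIRST colon only
        key, value = key.strip().lower(), value.strip()
        if key == "name":
            current = {}
            certs.append(current)
        if current is not None:
            current[key] = value
    return certs


def audit(certs, now):
    """Return (certificate name, finding) tuples for the given point in time."""
    findings = []
    for cert in certs:
        name = cert.get("name", "?")
        bits = cert.get("key size", "")
        if not bits.isdigit():
            findings.append((name, "key-size-unreadable"))
        elif int(bits) < MIN_KEY_BITS:
            findings.append((name, "weak-key"))
        try:
            expires = datetime.strptime(
                cert.get("expiration", ""), "%b %d %H:%M:%S %Y GMT"
            ).replace(tzinfo=timezone.utc)
        except ValueError:
            findings.append((name, "expiry-unreadable"))
        else:
            if expires <= now:
                findings.append((name, "expired"))
            elif expires - now <= timedelta(days=WARN_DAYS):
                findings.append((name, "expiring-soon"))
        if cert.get("issuer", "").lower() == "self":
            findings.append((name, "self-signed"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_certs(SAMPLE), datetime.now(timezone.utc)):
        print(f"{name}: {finding}")
```
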

Example

The following command shows SSL SLB statistics:

AX#show slb ssl stats


Number of SSL modules: 1
SSL module 1
number of enabled crypto engines: 12
number of available crypto engines: 12
Current SSL connections: 0
Total SSL connections: 0
Failed SSL handshakes: 0
Failed crypto operations: 0
SSL memory usage: 0 bytes
SSL fail CA verification 0
HW Context Memory alloc failed 0
HW ring full 0
Record too big 0

Table 68 describes the fields in the command output.
TABLE 68 show slb ssl stats fields
Field                              Description
Number of SSL modules              Total number of SSL processing modules on the device.
SSL module n                       ID number of the SSL module to which the following statistics apply.
number of enabled crypto engines   Number of SSL encryption/decryption processing engines that are enabled.
number of available crypto engines Number of SSL encryption/decryption processing engines that are available on the device.
Current SSL connections            Number of currently active SSL sessions.
Total SSL connections              Total number of SSL sessions since the last time statistics were cleared.
Failed SSL handshakes              Number of SSL sessions in which the SSL security handshake failed.
Failed crypto operations           Number of times an encryption/decryption failure occurred for an SSL record.
SSL memory usage                   Amount of memory in use by the SSL processing module.
SSL fail CA verification           Number of times an SSL session was terminated due to a certificate verification failure.
HW Context Memory alloc failed     Number of times the encryption processor was unable to allocate memory.
HW ring full                       Number of times the AX software was unable to enqueue an SSL record to the SSL processor for encryption/decryption. (Number of times the processor reached its performance limit.)
Record too big                     Number of times the AX device received an SSL record that spanned across more than 64 packets.

show slb ssl-proxy


Description

Show statistics for SSL-proxy SLB.

Syntax

show slb ssl-proxy

Mode

Privileged EXEC and all Config levels

Example

The following command shows SSL-Proxy statistics:

AX#show slb ssl-proxy
                            Current        Total
----------------------------------------------------------------------------
Proxy connections           0              0
Client error                0
Server error                0
Session not found           0
No route                    0
Server selection fail       0
Source NAT failure          0

Table 69 describes the fields in the command output.


TABLE 69 show slb ssl-proxy fields
Field                       Description
Proxy connections           Number of currently active connections using the AX device as an SSL proxy.
Client error                Number of client errors.
Server error                Number of server errors.
Session not found           Number of times a session was not found.
No route                    Number of times no route was available.
Server selection fail       Number of times selection of a real server failed.
Source NAT failure          Number of occurrences of source NAT failure.

show slb switch


Description

Show SLB switching statistics.

Syntax

show slb switch
[detail | ethernet port-num [detail]]

Option                      Description
detail                      Shows detailed statistics.
ethernet port-num           Shows statistics only for the specified Ethernet port.

Mode

Privileged EXEC and all Config levels

Example

The following command shows summary SLB switching statistics:

AX#show slb switch
                            Total
------------------------------------------------------------------
L2 Forward                  2793
L3 IP Forward               0
IPv4 No Route Drop          0
L3 IPv6 Forward             0
IPv6 No Route Drop          0
L4 Process                  709223
Incorrect Len Drop          0
Prot Down Drop              289
Unknown Prot Drop           32136
TTL Exceeded Drop           0
Link Down Drop              0
SRC Port Suppresion         0
VLAN Flood                  141022
IP Fragment Rcvd            0
ARP REQ Rcvd                80272
ARP RESP Rcvd               15939
Forward Kernel              91163
IP(TCP) Fragment Rcvd       0
IP Fragment Overlap         0
IP Frag Overload Drops      0
IP Fragment Reasm OKs       23
IP Fragment Reasm Fails     0
BPDUs Received              0
BPDUs Sent                  0
ACL Denys                   0
SYN rate exceeded Drop      0
Packet Error Drops          0
IPv6 Frag Reasm OKs         0
IPv6 Frag Reasm Fails       0
IPv6 Frag Invalid Pkts      0
Bad Pkt Drop                0
IP Frag Exceed Drop         0
IPv4 No L3 VLAN FWD Drop    0
IPv6 No L3 VLAN FWD Drop    0

Table 70 describes the fields in the command output.


TABLE 70 show slb switch fields
Field                       Description
L2 Forward                  Number of packets that have been Layer 2 switched.
L3 IP Forward               Number of packets that have been Layer 3 routed.
IPv4 No Route Drop          Number of IPv4 packets that were dropped due to routing failures.
L3 IPv6 Forward             Number of IPv6 packets that have been Layer 3 routed.
IPv6 No Route Drop          Number of IPv6 packets that were dropped due to routing failures.
L4 Process                  Number of packets that went to a VIP or NAT for processing.
Incorrect Len Drop          Number of packets dropped due to incorrect protocol length.
                            Note: A high value for this counter can indicate a packet length attack.
Prot Down Drop              Number of packets dropped because the corresponding protocol was disabled.
Unknown Prot Drop           Number of packets dropped because the protocol was unknown.
TTL Exceeded Drop           Number of packets dropped due to TTL expiration.
Link Down Drop              Number of packets dropped because the outgoing link was down.
SRC Port Suppression        Packet drops because of source port suppression.
VLAN Flood                  Number of packets that have been broadcast to a VLAN.
IP Fragment Rcvd            Number of IPv4 fragments that have been received.
ARP REQ Rcvd                Number of ARP requests that have been received.
ARP RESP Rcvd               Number of ARP responses that have been received.
Forward Kernel              Number of packets received by the kernel from data interfaces.
IP(TCP) Fragment Rcvd       Number of IP TCP fragments received.
IP Fragment Overlap         Number of overlapping fragments received.
IP Frag Overload Drops      Number of fragments dropped due to overload.
IP Fragment Reasm OKs       Number of successfully reassembled IP fragments.
IP Fragment Reasm Fails     Number of IP fragment reassembly failures.
Anomaly LAN Attack Drop     Number of SYN packets dropped because they were spoofed (used the destination IP address as the source IP address).
                            Note: This field and the other Anomaly fields appear only on models AX 1000, AX 2000, AX 2100, and AX 3000.
Anomaly IP OPT Drops        Number of packets dropped because they had IP options set.
Anomaly PingDeath Drop      Number of oversized (longer than 32 K) ICMP packets dropped.
                            An oversized ICMP packet can trigger Denial of Service (DoS), crashing, freezing, or rebooting.
Anomaly All Frag Drop       Number of IP fragments dropped.
Anomaly TCP noFlag Drop     Number of TCP packets dropped because they had no flags set.
                            TCP packets are normally sent with at least one bit in the flags field set.
Anomaly SYN Frag Drop       Number of TCP SYN fragments dropped that had the fragmentation bit set.
                            A SYN fragment attack floods the target host with SYN packet fragments. An unprotected host will store the fragments in order to reassemble them. By not completing the connection, and flooding the server or host with such fragmented SYN packets, the attacker can cause the host's memory buffer to fill up eventually.
Anomaly TCP SYNFIN Drop     Number of TCP packets dropped that had TCP SYN and FIN bits set.
                            An attacker can send a packet with both bits set to determine what kind of system reply is returned, and then use the system information for further attacks using known system vulnerabilities. Also, some older devices will let such packets through even though there is an established ACL defined and the state of the TCP connection is not considered to be established.
Anomaly Any Drops           Total number of packets dropped by IP anomaly filtering.
BPDUs Received              Number of Bridge Protocol Data Units (BPDUs) received.
BPDUs Sent                  Number of Bridge Protocol Data Units (BPDUs) sent.
ACL Denys                   Number of times traffic was not forwarded due to a deny rule in an Access Control List (ACL).
                            This counter also includes traffic dropped due to the l3-vlan-fwd-disable action in ACL rules.
SYN rate exceeded Drop      Number of packets dropped because the TCP SYN threshold had been exceeded.
Packet Error Drops          Number of packets dropped due to a packet error.
IPv6 Frag Reasm OKs         Number of successfully reassembled IPv6 fragments.
IPv6 Frag Reasm Fails       Number of IPv6 fragment reassembly failures.
IPv6 Frag Invalid Pkts      Number of IPv6 fragments that were invalid.
Bad Pkt Drop                Number of bad packets dropped.
IP Frag Exceed Drop         Number of fragmented IP packets that were dropped because they exceeded the allowed maximum.
IPv4 No L3 VLAN FWD Drop    Number of IP packets that were dropped by the l3-vlan-fwd-disable action in an IPv4 ACL.
IPv6 No L3 VLAN FWD Drop    Number of IP packets that were dropped by the l3-vlan-fwd-disable action in an IPv6 ACL.

Example

The following command shows detailed SLB switching statistics for Ethernet port 1:

AX#show slb switch ethernet 1 detail
                            DP0        DP1        DP2        Total
------------------------------------------------------------------
L2 Forward                  2115       227        453        2795
L3 IP Forward               0          0          0          0
IPv4 No Route Drop          0          0          0          0
L3 IPv6 Forward             0          0          0          0
IPv6 No Route Drop          0          0          0          0
L4 Process                  0          299123     412578     711701
Incorrect Len Drop          0          0          0          0
Prot Down Drop              0          174        115        289
Unknown Prot Drop           32156      0          0          32156
TTL Exceeded Drop           0          0          0          0
Link Down Drop              0          0          0          0
SRC Port Suppresion         0          0          0          0
VLAN Flood                  126819     13530      752        141101
IP Fragment Rcvd            0          0          0          0
ARP REQ Rcvd                80314      0          0          80314
ARP RESP Rcvd               15949      0          0          15949
Forward Kernel              32281      35501      23464      91246
...
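
The Anomaly rows of Table 70 each describe one header condition. The following is an added example, not A10 code and not the device's implementation: a Python classifier that applies those descriptions to raw IPv4 packets and tallies hits under the table's field names, which helps when validating what a capture should have incremented. Assumptions: "fragmentation bit" is read as the IPv4 More Fragments flag, "longer than 32 K" is tested against the IP Total Length field, only the six classic TCP flag bits are examined, and the helper names and sample packets are constructed.

```python
import socket
import struct
from collections import Counter

SYN, FIN = 0x02, 0x01


def classify(pkt):
    """Return the set of Table 70 anomaly field names that one IPv4 packet matches."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4                      # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    total_len, _ident, flags_frag = struct.unpack("!HHH", pkt[2:8])
    proto = pkt[9]
    src, dst = pkt[12:16], pkt[16:20]
    more_frags = bool(flags_frag & 0x2000)         # MF flag
    frag_off = flags_frag & 0x1FFF                 # offset in 8-byte units

    hits = set()
    if ihl > 20:
        hits.add("Anomaly IP OPT Drops")           # any IP option present
    if more_frags or frag_off:
        hits.add("Anomaly All Frag Drop")
    if proto == 1 and total_len > 32 * 1024:       # ICMP, assumed 32 K test
        hits.add("Anomaly PingDeath Drop")
    # TCP flags are only visible in the first fragment (offset 0).
    if proto == 6 and frag_off == 0 and len(pkt) >= ihl + 14:
        flags = pkt[ihl + 13] & 0x3F               # URG ACK PSH RST SYN FIN
        if flags == 0:
            hits.add("Anomaly TCP noFlag Drop")
        if flags & SYN and flags & FIN:
            hits.add("Anomaly TCP SYNFIN Drop")
        if flags & SYN and more_frags:
            hits.add("Anomaly SYN Frag Drop")
        if flags & SYN and src == dst:             # source spoofed as destination
            hits.add("Anomaly LAN Attack Drop")
    return hits


def tally(packets):
    """Count hits per field; 'Anomaly Any Drops' counts packets with any hit."""
    counts = Counter()
    for pkt in packets:
        hits = classify(pkt)
        counts.update(hits)
        if hits:
            counts["Anomaly Any Drops"] += 1
    return counts


# --- constructed test packets (checksums left at 0; they are not validated) ---
def ipv4(src, dst, proto, payload, flags_frag=0, options=b"", total_len=None):
    ihl_words = 5 + len(options) // 4
    if total_len is None:
        total_len = ihl_words * 4 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len, 0,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload


def tcp(flags, sport=40000, dport=80):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


A, B = "192.0.2.10", "198.51.100.20"               # documentation addresses
SAMPLES = {
    "normal SYN": ipv4(A, B, 6, tcp(SYN)),
    "same src/dst SYN": ipv4(B, B, 6, tcp(SYN)),
    "no flags": ipv4(A, B, 6, tcp(0)),
    "SYN+FIN": ipv4(A, B, 6, tcp(SYN | FIN)),
    "SYN with MF": ipv4(A, B, 6, tcp(SYN), flags_frag=0x2000),
    "IP options": ipv4(A, B, 6, tcp(0x10), options=b"\x01\x01\x01\x01"),
    "oversized ICMP": ipv4(A, B, 1, b"\x08\x00" + b"\x00" * 6, total_len=40000),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:18} {sorted(classify(pkt)) or 'clean'}")
```
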

show slb syn-cookie


Description

Show the state of dynamic SYN cookie support.

Syntax

show slb syn-cookie

Mode

Privileged EXEC and all Config levels

Example

The following command shows the state of the dynamic SYN cookie feature:

AX#show slb syn-cookie


syn-cookie ON

show slb tcp-proxy


Description

Show statistics for TCP-proxy SLB.

Syntax

show slb tcp-proxy [detail]

Mode

Privileged EXEC and all Config levels

Example

The following command shows summary TCP-proxy statistics:

AX#show slb tcp-proxy
                            Total
------------------------------------------------------------------
Currently EST conns         29
Active open conns           6968
Passive open conns          7938
Connect attemp failures     0
Total in TCP packets        678804
Total out TCP packets       712974
Retransmited packets        359
Resets rcvd on EST conn     5369
Reset Sent                  4303

Table 71 describes the fields in the command output.


TABLE 71 show slb tcp-proxy fields
Field                       Description
Currently EST conns         Current number of established TCP connections being handled by the proxy.
Active open conns           Number of active connections open.
Passive open conns          Number of passive connections open.
Connect attemp failures     Number of TCP connection attempts that failed.
Total in TCP packets        Total number of TCP packets received by the TCP proxy.
Total out TCP packets       Total number of TCP packets sent by the TCP proxy.
Retransmitted packets       Number of TCP packets retransmitted by the TCP proxy.
Resets rcvd on EST conn     Number of TCP Resets received for established connections.
Reset Sent                  Number of TCP Resets sent by the AX Series device.

Example

The following command shows detailed TCP-proxy statistics for each data
processor (DP):

AX#show slb tcp-proxy detail
                            DP0        DP1        DP2        Total
------------------------------------------------------------------
Currently EST conns         0          14         13         27
Active open conns           0          3479       3490       6969
Passive open conns          0          3955       3984       7939
Connect attemp failures     0          0          0          0
Total in TCP packets        0          269216     409613     678829
Total out TCP packets       0          272092     440907     712999
Retransmited packets        0          204        155        359
Resets rcvd on EST conn     0          2657       2712       5369
Reset Sent                  0          2138       2165       4303
Input errors                0          0          0          0
Sockets allocated           0          14         15         29
Orphan sockets              0          0          0          0
Memory alloc                0          0          0          0
Total rx buffer             0          0          8          8
Total tx buffer             0          0          0          0
TCP in SYN-SNT state        0          0          0          0
TCP in SYN-RCV state        0          0          0          0
TCP in FIN-W1 state         0          2          3          5
TCP FIN-W2 state            0          0          1          1
TCP TimeW state             0          0          0          0
TCP in Close state          0          3907       3929       7836
TCP in CloseW state         0          31         38         69
TCP in LastACK state        0          1          0          1
TCP in Listen state         0          0          0          0
TCP in Closing state        0          0          0          0

Table 72 describes the fields in the command output.


TABLE 72 show slb tcp-proxy detail fields
Field                       Description
Currently EST conns         Current number of established TCP connections being handled by the proxy.
Active open conns           Number of connections opened actively.
Passive open conns          Number of connections opened passively.
Connect attemp failures     Number of TCP connection attempts that failed.
Total in TCP packets        Total number of TCP packets received by the TCP proxy.
Total out TCP packets       Total number of TCP packets sent by the TCP proxy.
Retransmitted packets       Number of TCP packets retransmitted by the TCP proxy.
Resets rcvd on EST conn     Number of TCP Resets received for established connections.
Reset Sent                  Number of TCP Resets sent by the AX device.
Input errors                Number of invalid TCP packets received by the AX device.
Sockets allocated           Number of TCP sockets currently allocated.
Orphan sockets              Current number of orphan sockets.
Memory alloc                Total memory allocated for TCP.
Total rx buffer             Total RX buffers allocated for TCP.
Total tx buffer             Total TX buffers occupied by TCP.
TCP in SYN-SNT state        Current number of TCP connections in the SYN-SNT state.
TCP in SYN-RCV state        Current number of TCP connections in the SYN-RCV state.
TCP in FIN-W1 state         Current number of TCP connections in the Fin-Wait-1 state.
TCP FIN-W2 state            Current number of TCP connections in the Fin-Wait-2 state.
TCP TimeW state             Current number of TCP connections in the Time Wait state.
TCP in Close state          Current number of TCP connections in the Close state.
TCP in CloseW state         Current number of TCP connections in the Close-Wait state.
TCP in LastACK state        Current number of TCP connections in the Last-ACK state.
TCP in Listen state         Current number of TCP connections in the Listening state.
TCP in Closing state        Current number of TCP connections in the Closing state.

show slb template


Description

Show configuration information for SLB templates. The template configuration commands in the running-config are displayed.

Syntax

show slb template [template-type [template-name]]
[all-partitions | partition name]

Mode

Privileged EXEC and all Config levels

Usage

To display template information for a specific Role-Based Administration (RBA) partition only, use the partition name option.

Example

The following command shows the template configuration commands in the running-config on an AX Series device:

AX#show slb template


slb template udp udp-aging
aging immediate
slb template http X-Forwarded-For
insert-client-ip "X-Forwarded-For"
compression minimum-content-length 120
slb template http clientip-insert
insert-client-ip "x-Forwarded-For"
slb template http cookie-delete
header-erase "Cookie"
slb template http hostdelete
header-erase "Host"
slb template http hostinsert
header-insert "Host: www.example.com"
slb template http http100
header-insert "Expect: 100-continue"
slb template http httpinsert
header-erase "Host"
header-insert "Host: www.example.com"
slb template tcp-proxy tcp-timeout
idle-timeout 180
slb template connection-reuse creuse
timeout 60
--MORE--

show slb virtual-server


Description

Show information for SLB virtual servers.

Syntax

show slb virtual-server
[
virtual-server-name
[[virtual-port-num service-type
[service-group-name]]
detail]
[config]
[all-partitions | partition name]

Option                      Description
virtual-server-name         Shows information only for the specified virtual server.
                            The virtual-port-num service-type option shows information only for the specified virtual port on the virtual server.
                            The service-group-name option further restricts the output, to show information only for the specified service group.
                            The detail option displays connection and packet statistics.
config                      Displays virtual-server configuration information.

Mode

Privileged EXEC and all Config levels

Usage

To display virtual-server information for a specific Role-Based Administration (RBA) partition only, use the partition name option.

Example

The following command shows summary information for all virtual servers:

AX#show slb virtual-server
Total Number of Virtual Services configured: 2
Virtual Server Name      IP          Current    Total      Request  Response
Service-Group            Service     connection connection packets  packets
-------------------------------------------------------------------------------
*v-server                3.1.1.99
   port 80 http                      0          3          14       10
      abctcp             80/http     0          2          14       10
      Total received conn attempts on this port: 3
   port 53 udp                       0          0          0        0
      abcudp             53/udp      0          0          0        0
      Total received conn attempts on this port: 0
...

Table 73 describes the fields in the command output.


TABLE 73 show slb virtual-server fields
Field                       Description
Total Number of Virtual     Total number of virtual services (virtual server ports) configured on the AX Series device.
Services configured
Virtual Server Name         Name of the virtual server.
                            Underneath the virtual server name, each of the virtual ports on the server is listed, followed by the service groups in which the virtual server and the virtual port are members.
                            In the example above, virtual server v-server has two virtual ports, HTTP port 80 and UDP port 53. HTTP port 80 is a member of service group abctcp, and UDP port 53 is a member of service group abcudp.
IP                          Virtual IP address of the virtual server.
Current connection          Current number of connections to the virtual service port.
                            Note: Connection and packet counters are listed separately for virtual ports and for service groups.
Total connection            Total number of connections to the virtual service port.
Request packets             Number of request packets received for the virtual service.
Response packets            Number of server reply packets sent by the AX device for the virtual service.
Total received conn         Total number of connection requests received for this port.
attempts on this port
Service-Group               Service group bound to the virtual service.
Service                     Virtual service port number and service type.

Example

The following command shows status information for SLB virtual server
v-server:

AX1(config)#show slb virtual-server v-server


Virtual server: v-server
State: All Up
IP: 3.1.1.99
Port
Curr-conn Total-conn Rev-Pkt
Fwd-Pkt
-----------------------------------------------------------------------Virtual Port:80 / service:abctcp / state:All Up
port 80 http
0
3

10

14

10

14

Source NAT Pool: pootest


Virtual Port:53 / service:abcudp / state:All Up
port 53 udp
0
0
Source NAT Pool: pootest
Total Traffic
0
3
...

Table 74 describes the fields in the command output.
TABLE 74 show slb virtual-server <server-name> fields
Field                       Description
Virtual server              Name of the virtual server.
State                       State information is shown separately for virtual servers and for individual virtual ports.
                            Virtual server state:
                              All Up - All virtual ports on the virtual server are Running.
                              Functional Up - Some of the virtual ports are Running or Functional Running, but at least one of them is not Running.
                              Partial Up - At least one virtual port is Running or Functional Running, but at least one other virtual port is Down.
                              Down - All the virtual ports are Down.
                              Disb - The virtual server has been administratively disabled.
                            Virtual port state:
                              All Up - All members (real servers and ports) in all service groups bound to the virtual port are up.
                              Functional Up - At least one member in a service group bound to the virtual port is up, but not all members are up.
                              Down - All members in all service groups bound to the virtual port are down.
                              Disb - The virtual port has been administratively disabled.
IP                          Virtual IP address of the virtual server.
Port                        Virtual port number and service type.
Curr-conn                   Current number of connections to the virtual service port.
Total-conn                  Total number of connections to the virtual service port.
Rev-Pkt                     Number of server reply packets sent by the AX device for the virtual service.
Fwd-Pkt                     Number of request packets received for the virtual service.

Example

The following command shows configuration information for SLB virtual server louis2:

AX#show slb virtual-server config louis2


Total Number of Virtual Services configured: 1
Virtual server Name      Address
------------------------------------------------
louis2                   192.168.20.253
member0:louis            80/http
Source NAT Pool: p1
HTTP Template: clientip-insert
Reuse Template: cr
Persist Cookie:cookie-persist
aFleX: bugzilla_proxy_fix

Table 75 describes the fields in the command output.


TABLE 75 show slb virtual-server config fields
Field                       Description
Total Number of Virtual     Total number of virtual services (virtual server ports) configured on the AX Series device.
Services configured
Virtual server Name         Name of the virtual server.
Address                     Virtual IP address of the virtual server.
membern                     Real server bound to the virtual server. The number at the end is assigned by the AX Series for this show command output.
                            Under the member name, the NAT pools and SLB templates bound to the virtual server are listed.

Example

The following command shows details for a virtual port on a virtual server:

AX(config)#show slb virtual-server dangvip1 80 detail
Virtual port name:          dangvip1:80
Virtual port number:        4.4.4.4:80
Virtual port template:      default
Current connection:         0
Current request:            0
Total connection:           0
Total request:              0
Total request success:      0
Total forward bytes:        0
Total forward packets:      0
Total reverse bytes:        0
Total reverse packets:      0

Table 76 describes the fields in the command output.
TABLE 76 show slb virtual-server detail fields
Field                       Description
Virtual port name           Name of the virtual server and virtual port.
Virtual port number         IP address of the virtual server and protocol port number of the virtual port.
Virtual port template       Name of the virtual port template bound to the virtual port.
Current connection          Current number of connections to the virtual port.
Current request             Current number of HTTP requests being processed by the virtual port.
                            Note: In this field and the Total request and Total request success fields, Layer 7 requests are counted only if Layer 7 request accounting is enabled. See slb enable-l7-req-acct on page 285.
Total connection            Total number of connections that have been made to the virtual port.
Total request               Total number of HTTP requests processed by the virtual port.
Total request success       Total number of HTTP requests that were successful.
Total forward bytes         Number of request bytes forwarded to the virtual port.
Total forward packets       Number of request packets forwarded to the virtual port.
Total reverse bytes         Number of request bytes received from the virtual port.
Total reverse packets       Number of request packets received from the virtual port.

show health stat Up / Down Causes


This chapter lists the cause strings for the numeric cause codes that appear
in the Up and Down fields of the show health stat output. The Up / Down
cause codes are shown in the output under Cause(Up/Down/Retry).

Up Causes
Table 77 lists the Up causes.
TABLE 77 show health stat Up Causes
Cause Code   Cause String
0            HM_INVALID_UP_REASON
1            HM_DNS_PARSE_RESPONSE_OK
2            HM_EXT_REPORT_UP
3            HM_EXT_TCL_REPORT_UP
4            HM_FTP_ACK_USER_LOGIN
5            HM_FTP_ACK_PASS_LOGIN
6            HM_HTTP_RECV_URL_FIRST
7            HM_HTTP_RECV_URL_NEARBY_FIRST
8            HM_HTTP_RECV_URL_FOLLOWING
9            HM_HTTP_RECV_URL_NEARBY_FOLLOWING
10           HM_HTTP_STATUS_CODE
11           HM_ICMP_RECV_OK
12           HM_ICMP_RECV6_OK
13           HM_LDAP_RECV_ACK
14           HM_POP3_RECV_ACK_PASS_OK
15           HM_RADIUS_RECV_OK
16           HM_RTSP_RECV_STATUS_OK
17           HM_SIP_RECV_OK
18           HM_SMTP_RECV_OK
19           HM_SNMP_RECV_OK
20           HM_TCP_VERIFY_CONN_OK
21           HM_TCP_CONN_OK
22           HM_TCP_HALF_CONN_OK
23           HM_UDP_RECV_OK
24           HM_UDP_NO_RESPOND
25           HM_COMPOUND_UP

Down Causes
Table 78 lists the Down causes.
TABLE 78 show health stat Down Causes
Cause Code   Cause String
0            HM_INVALID_DOWN_REASON
1            HM_DNS_TIMEOUT
2            HM_EXT_TIMEOUT
3            HM_EXT_TCL_TIMEOUT
4            HM_FTP_TIMEOUT
5            HM_HTTP_TIMEOUT
6            HM_HTTPS_TIMEOUT
7            HM_ICMP_TIMEOUT
8            HM_LDAP_TIMEOUT
9            HM_POP3_TIMEOUT
10           HM_RADIUS_TIMEOUT
11           HM_RTSP_TIMEOUT
12           HM_SIP_TIMEOUT
13           HM_SMTP_TIMEOUT
14           HM_SNMP_TIMEOUT
15           HM_TCP_TIMEOUT
16           HM_TCP_HALF_TIMEOUT
17           HM_DNS_RECV_ERROR
18           HM_DNS_PARSE_RESPONSE_ERROR
19           HM_DNS_RECV_LEN_ZERO
20           HM_EXT_WAITPID_FAIL
21           HM_EXT_TERM_BY_SIG
22           HM_EXT_REPORT_DOWN
23           HM_EXT_TCL_REPORT_DOWN
24           HM_FTP_RECV_TIMEOUT
25           HM_FTP_SEND_TIMEOUT
26           HM_FTP_NO_SERVICE
27           HM_FTP_ACK_USER_WRONG_CODE
28           HM_FTP_ACK_PASS_WRONG_CODE
29           HM_COM_CONN_CLOSED_IN_WRITE
30           HM_COM_OTHER_ERR_IN_WRITE
31           HM_COM_CONN_CLOSED_IN_READ
32           HM_COM_OTHER_ERR_IN_READ
33           HM_COM_SEND_TIMEOUT
34           HM_COM_CONN_TIMEOUT
35           HM_COM_SSL_CONN_ERR
36           HM_HTTP_SEND_URL_ERR
37           HM_HTTP_RECV_URL_ERR
38           HM_HTTP_RECV_MSG_ERR
39           HM_HTTP_NO_LOCATION
40           HM_HTTP_WRONG_STATUS_CODE
41           HM_HTTP_WRONG_CHUNK
42           HM_HTTP_AUTH_ERR
43           HM_HTTPS_SSL_WRITE_ERR
44           HM_HTTPS_SSL_WRITE_OTHERS
45           HM_HTTPS_SSL_READ_ERR
46           HM_HTTPS_SSL_READ_OTHERS
47           HM_ICMP_RECV_ERR
48           HM_ICMP_SEND_ERR
49           HM_ICMP_RECV6_ERR
50           HM_LDAP_RECV_ACK_ERR
51           HM_LDAP_SSL_READ_ERR
52           HM_LDAP_SSL_READ_OTHERS
53           HM_LDAP_RECV_ACK_WRONG_PACKET
54           HM_LDAP_SSL_WRITE_ERR
55           HM_LDAP_SSL_WRITE_OTHERS
56           HM_LDAP_SEND_ERR
57           HM_POP3_RECV_TIMEOUT
58           HM_POP3_SEND_TIMEOUT
59           HM_POP3_NO_SERVICE
60           HM_POP3_RECV_ACK_USER_ERR
61           HM_POP3_RECV_ACK_PASS_ERR
62           HM_RADIUS_RECV_ERR
63           HM_RADIUS_RECV_ERR_PACKET
64           HM_RADIUS_RECV_NONE
65           HM_RTSP_RECV_STATUS_ERR
66           HM_RTSP_RECV_ERR
67           HM_RTSP_SEND_ERR
68           HM_SIP_RECV_ERR
69           HM_SIP_RECV_ERR_PACKET
70           HM_SIP_CONN_CLOSED
71           HM_SIP_NO_MEM
72           HM_SIP_STARTUP_ERR
73           HM_SMTP_RECV_ERR
74           HM_SMTP_NO_SERVICE
75           HM_SMTP_SEND_HELO_TIMEOUT
76           HM_SMTP_SEND_QUIT_TIMEOUT

TABLE 78 show health stat Down Causes (Continued)
Cause Code
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93

716 of 718

Cause String
HM_SMTP_WRONG_CODE
HM_SNMP_RECV_ERR
HM_SNMP_RECV_ERR_PACKET
HM_SNMP_RECV_ERR_OTHER
HM_TCP_PORT_CLOSED
HM_TCP_ERROR
HM_TCP_INVALID_TCP_FLAG
HM_TCP_HALF_NO_ROUTE
HM_TCP_HALF_NO_MEM
HM_TCP_HALF_SEND_ERR
HM_UDP_RECV_ERR
HM_UDP_RECV_ERR_OTHERS
HM_UDP_NO_SERVICE
HM_UDP_ERR
HM_COMPOUND_INVAL_RPN
HM_COMPOUND_DOWN
HM_COMPOUND_TIMEOUT


Corporate Headquarters
A10 Networks, Inc.
2309 Bering Dr.
San Jose, CA 95131-1125 USA
Tel: +1-408-325-8668 (main)
Tel: +1-408-325-8676 (support - worldwide)
Tel: +1-888-822-7210 (support - toll-free in USA)
Fax: +1-408-325-8666
www.a10networks.com
