Headquarters
A10 Networks, Inc.
2309 Bering Dr.
San Jose, CA 95131-1125 USA
Tel: +1-408-325-8668 (main)
Tel: +1-408-325-8676 (support)
Fax: +1-408-325-8666
www.a10networks.com
Corporate Headquarters
A10 Networks, Inc.
2309 Bering Dr.
San Jose, CA 95131-1125 USA
Tel: +1-408-325-8668 (main)
Tel: +1-888-822-7210 (support toll-free in USA)
Tel: +1-408-325-8676 (support direct dial)
Fax: +1-408-325-8666
www.a10networks.com
Document No.: D-030-01-00-0003 - Ver. 2.4.3 6/21/2010
As an alternative to saving the output in a log file captured by your terminal emulation application, you can export the output from the CLI using
the following command:
show techsupport export [use-mgmt-port] url
(For syntax information, see the AX Series CLI Reference.)
Audience
This document is for network architects for determining applicability and
planning implementation, and for system administrators for provisioning
and maintenance of A10 Networks AX Series devices.
About This Document
EXEC Commands
enable
exit
health-test
help
no
ping
show
ssh
telnet
traceroute

active-partition
axdebug
backup config
backup log
clear
clock
config
Config Commands: IP
AX Debug Commands
Show Commands
Up Causes
System Access
You can access the CLI through a console connection, an SSH session, or a
Telnet session. Regardless of which connection method is used, access to the
AX CLI is generally referred to as an EXEC session or simply a CLI session.
Note:
By default, Telnet access is disabled on all interfaces, including the management interface. SSH, HTTP, HTTPS, and SNMP access are enabled by
default on the management interface only, and disabled by default on all
data interfaces.
or
AX-Standby#
Note:
Context-Sensitive Help
Enter a question mark (?) at the system prompt to display a list of available
commands for each command mode. The context-sensitive help feature provides a list of the arguments and keywords available for any command.
To view help specific to a command name, a command mode, a keyword, or
an argument, enter any of the following commands:
Prompt
Command
Purpose
Help
abbreviated-command-help?
AX#
abbreviated-command-complete<Tab>
or
command ?
Lists the available syntax options (arguments and keywords) for the entered command.
command keyword ?
AX>
or
(config)#
A space (or lack of a space) before the question mark (?) is significant when
using context-sensitive help. To determine which commands begin with a
specific character sequence, type in those characters followed directly by
the question mark; e.g. AX>te?. Do not include a space. This help form is
called word help, because it completes the word for you.
To list arguments or keywords, enter a question mark (?) in place of the
argument or the keyword. Include a space before the (?); e.g.
AX> terminal ?. This form of help is called command syntax help,
because it shows you which keywords or arguments are available based on
the command, keywords, and arguments that you already entered.
Users can abbreviate commands and keywords to the minimum number of
characters that constitute a unique abbreviation. For example, you can
abbreviate the config terminal command to conf t. If the abbreviated form of the command is unique, then the AX Series accepts the abbreviated form and executes the command.
The <cr> symbol (cr stands for carriage return) appears in the list to indicate that one of your options is to press the Return or Enter key to execute
the command, without adding any additional keywords.
In this example, the output indicates that your only option for the config
command is config terminal (configure manually from the terminal
connection).
Command History
The CLI provides a history or record of commands that you have entered.
This feature is particularly useful for recalling long or complex commands
or entries, including access lists. To use the command history feature, perform any of the tasks described in the following sections:
Setting the command history buffer size
Recalling commands
Disabling the command history feature
Convention
Description
Enables the command history feature for the current terminal session.
Recalling Commands
To recall commands from the history buffer, use one of the following commands or key combinations:
Command or
Key Combination
Description
Recalls commands in the history buffer, beginning with the
most recent command. Repeat the key sequence to recall
successively older commands.
1.
Keystrokes               Function Summary
Left Arrow or ctrl+B     Back character
Right Arrow or ctrl+F    Forward character
ctrl+A                   Beginning of line
ctrl+E                   End of line
The letters entered before the question mark (te) are reprinted to the screen
to allow continuation of command entry from where you left off.
Keystrokes
Purpose
backspace
delete or
ctrl+D
ctrl+K
All characters from the cursor to the end of the command line are deleted.
ctrl+U or
ctrl+X
ctrl+W
Keystrokes          Purpose
ctrl+L or ctrl+R    Re-displays the current command line
fied string
include string  Displays only the output lines that contain the specified string
exclude string  Displays only the output lines that do not contain the specified string
section string  Displays only the lines for the specified section (for example, slb server, virtual-server, or logging). To display all server-related configuration lines, you can enter server.
Use | as a delimiter between the show command and the display filter.
You can use regular expressions in the filter string, as shown in this example:
AX(config)#show arp | include 192.168.1.3*
192.168.1.3     001d.4608.1e40  Dynamic  ethernet4
192.168.1.33    0019.d165.c2ab  Dynamic  ethernet4
The output filter in this example displays only the ARP entries that contain
IP addresses that match 192.168.1.3 and any value following 3. The
asterisk ( * ) matches on any pattern following the 3. (See Regular
Expressions on page 35.)
Regular Expressions
Regular expressions are patterns (e.g. a phrase, number, or more complex
pattern) used by the CLI string search feature to match against show or
more command output. Regular expressions are case sensitive and allow
for complex matching requirements. A simple regular expression can be an
entry like Serial, misses, or 138. Complex regular expressions can be an
entry like 00210... , ( is ), or [Oo]utput.
A regular expression can be a single-character pattern or a multiple-character pattern. This means that a regular expression can be a single character
that matches the same single character in the command output or multiple
characters that match the same multiple characters in the command output.
The pattern in the command output is referred to as a string. This section
describes creating single-character patterns.
Single-Character Patterns
The simplest regular expression is a single character that matches the same
single character in the command output. You can use any letter (A-Z, a-z)
or digit (0-9) as a single-character pattern. You can also use other keyboard
characters (such as ! or ~) as single-character patterns, but certain keyboard
characters have special meaning when used in regular expressions. The following table lists the keyboard characters that have special meaning.
Character        Meaning
.
_ (underscore)   Matches a comma (,), left brace ({), right brace (}), left parenthesis ( ( ), right parenthesis ( ) ), the beginning of the string, the end of the string, or a space.
\077
\ To use a back slash in a string, enter another back slash in front of it:
\\
For example, to use the string a"b?c\d, enter the following:
"a\"b\077c\\d"
Note:
Note:
EXEC Commands
The EXEC commands (sometimes referred to as the User EXEC commands) are available at the CLI level that is presented when you log into the
CLI.
The EXEC level command prompt ends with >, as in the following example:
AX>
enable
Description
Enter privileged EXEC mode, or any other security level set by a system
administrator.
Syntax
enable
Mode
EXEC
Usage
Example
In the following example, the user enters privileged EXEC mode using the
enable command. The system prompts the user for a password before
allowing access to the privileged EXEC mode. The password is not printed
to the screen. The user then exits back to user EXEC mode using the disable
command. Note that the prompt for user EXEC mode is >, and the prompt
for privileged EXEC mode is #.
AX>enable
Password: <letmein>
AX# disable
AX>
exit
Description
Syntax
Mode
Usage
Use the exit command in EXEC mode to exit the active session (log off
the device).
Example
health-test
Description
Syntax
Description
ipaddr |
ipv6 ipv6addr
count num
monitorname
monitor-name
port portnum
Only the IP address is required. The other parameters have the following
defaults:
count 1
monitorname ICMP ping, the default Layer 3 health check
port Override port number set in the health monitor configuration, if
Usage
If an override IP address and protocol port are set in the health monitor configuration, the AX device will use the override address and port, even if you
specify an address and port with the health-test command.
Example
The following command tests port 80 on server 192.168.1.66, using configured health monitor hm80:
help
Description
Syntax
Example
help
(See CLI Quick Reference on page 27.)
no
Description
ping
Description
Syntax
Description
[ipv6]
hostname |
ipaddr
data HEX-word
flood
interface
{ethernet portnum |
ve ve-num |
management}
Uses the specified interface as the source address
of the ping.
repeat count
size num
timeout secs
ttl num
in the main route table and uses the interface associated with the route.
(The management interface is not used unless you specify the management IP address as the source interface.)
repeat 5
size datagram size is 84 bytes
timeout 10 seconds
ttl 1
source not set. The AX device looks up the route to the ping target and
Usage
The ping command sends an echo request packet to a remote address, and
then awaits a reply. Unless you use the flood option, the interval between
sending of each ping packet is 1 second.
To terminate a ping session, type ctrl+c.
Example
AX>ping 192.168.3.116
PING 192.168.3.116 (192.168.3.116) 56(84) bytes of data
64 bytes from 192.168.3.116: icmp_seq=1 ttl=128 time=0.206 ms
64 bytes from 192.168.3.116: icmp_seq=2 ttl=128 time=0.260 ms
64 bytes from 192.168.3.116: icmp_seq=3 ttl=128 time=0.263 ms
64 bytes from 192.168.3.116: icmp_seq=4 ttl=128 time=0.264 ms
64 bytes from 192.168.3.116: icmp_seq=5 ttl=128 time=0.216 ms
--- 192.168.3.116 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3996ms
rtt min/avg/max/mdev = 0.206/0.241/0.264/0.032 ms
AX#ping data ffff repeat 100 size 1024 source ethernet 1 10.10.1.20
show
Description
Syntax
Default
N/A
Mode
Usage
ssh
Description
Syntax
Default
Description
use-mgmt-port
host-name
ipaddr
login-name
protocol-port
By default, the AX device will use a data interface as the source interface.
The management interface is not used unless you specify the use-mgmt-port option. The default protocol-port is 22.
telnet
Description
Syntax
Description
use-mgmt-port
host-name
ipaddr
protocol-port
Default
By default, the AX device will use a data interface as the source interface.
The management interface is not used unless you specify the use-mgmt-port option. The default protocol-port is 23.
Mode
Example
traceroute
Description
Display the router hops through which a packet sent from the AX Series
device can reach a remote device.
Syntax
Description
ipv6
use-mgmt-port
{hostname |
ipaddr}
Default
N/A
Mode
Usage
If a hop does not respond within 5 seconds, asterisks ( * ) are shown in the
row for that hop.
Example
AX#traceroute 192.168.10.99
traceroute to 192.168.10.99 (192.168.10.99), 30 hops max, 40 byte packets
1 10.10.20.1 (10.10.20.1) 1.215 ms 1.151 ms 1.243 ms
2 10.10.13.1 (10.10.13.1) 0.499 ms 0.392 ms 0.493 ms
...
active-partition
Description
Syntax
Description
partition-name
shared
Default
Mode
Privileged EXEC
Usage
Admins with Root, Read-write, or Read-only privileges can select the partition to view. When an admin with one of these privilege levels logs in, the
view is set to the shared partition by default, which means all resources are
visible.
Example
axdebug
Description
backup config
Back up the system.
Syntax Description
Description
config
use-mgmt-port
url
Default
N/A
Mode
Example
AX(config)#backup tftp://1.1.1.1/back_file
backup log
Description
Configure log backup options and save a backup of the system log.
Syntax
period
{all | day |
month | week}
Description
Allocates additional CPU to the backup process.
This option allows up to 80% CPU utilization to
be devoted to the log backup process.
[use-mgmt-port]
url
Saves a backup of the log to a remote server.
The use-mgmt-port option uses the management
interface as the source interface for the connection to the remote device. The management route
table is used to reach the device. Without this
option, the AX device attempts to use the data
route table to reach the remote device through a
data interface.
The url specifies the file transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command
line or press Enter to display a prompt for each
part of the URL. If you enter the entire URL and
backup.
period month
Mode
Usage
Example
The following commands change the backup period to all, allow up to 80%
CPU utilization for the backup process, and back up the log:
Example
Note:
The log period and expedite settings also apply to backups of the GUI statistical data.
clear
Description
Syntax
Description
access-list
{acl-num | all} Clears ACL statistics.
admin session
{session-id |
all}
aflex
[aflex-name]
arp {options}
core
debug
dns
fwlb {options}
gslb {options}
ha
health
icmp
ip nat
{options}
ip nat lsn
{options}
ip ospf
[process-id |
tag] process
ipv6 neighbor
ipv6 traffic
logging
mac-address
{options}
sessions
{options}
sip
slb {options}
statistics
{options}
Default
N/A
Mode
Usage
To list the options available for a clear command, enter ? after the command name. For example, to display the clear gslb options, enter the following command: clear gslb ?
Example
clock
Description
Syntax
Note:
Description
time
day
month
year
Mode
Privileged EXEC
Usage
Use this command to manually set the system time and date.
If you use the GUI or CLI to change the AX timezone or system time, the
statistical database is cleared. This database contains general system statistics (performance, and CPU, memory, and disk utilization) and SLB statistics. For example, in the GUI, the graphs displayed on the Monitor >
Overview page are cleared.
If the system clock is adjusted while OSPF or RIP is enabled, the routing
protocols may stop working properly. To work around this issue, disable
OSPF and RIP before adjusting the system clock.
Example
Set the system clock to 5:51 p.m. and the date to February 22nd, 2007.
AX#clock set 17:51:00 22 February 2007
config
Description
Syntax
config [terminal]
Mode
Privileged EXEC
Example
AX#config
AX(config)#
debug
Description
Syntax
Description
cache
conn-reuse
dumpthread
gslb
http-proxy
hw-compression
ip
monitor
[filename
[cpu-id]]
sip
ssl
tcp-proxy
Default
N/A
Mode
Privileged EXEC
Usage
Some debug sub-commands have additional options. Use the CLI help ( ? )
to display the additional options.
The no form of the command turns off debugging.
Enabling Debugging
To enable debugging, use the debug packet command first. Next, enter
additional debug commands for each of the processes you need to debug.
Finally, use the debug monitor command to begin output to the terminal or
into a file.
The following commands enable Layer 3, TCP-proxy, and HTTP-proxy
packet debugging for VIP 20.20.1.134, then begin output to the terminal.
The AX device is acting as an HTTP proxy for the VIP.
soon as you enter the debug packet command, but does not begin displaying them until you enter the debug monitor command. Any packets
that are captured after you enter debug packet but before you enter
debug monitor are included in the count but are not displayed.
More packets displayed - The count is per CPU thread, not per system.
Since ACOS uses multiple CPUs, it is possible that more than one CPU
will be used for the traffic you are monitoring.
Note:
This behavior also applies to AXdebug, which uses the same count
parameter.
By default, the maximum number of packets that will be captured by the
debug packet command is 3000. To change the default maximum, use the
AX debug count command. (See count on page 529.)
Filtering
If you are monitoring SLB traffic, packets for both sides of a session (the
client side and the server side) will be captured, even if only one side of the
session matches the debug filter.
For example, if you configure the filter to capture packets only for Ethernet
interface 4, and an SLB client sends a request that is received on interface 4,
the request packet that the AX device sends to the server on behalf of the
client is also captured, even if the server is connected to a different interface.
Example
Note:
If a packet capture is running and you change the filter, there will be a
5-second delay while the AX device clears the older filter. The delay does
not occur if a packet capture is not already running.
Note:
control CPU.
1738448 Time delay between packets. This is a jiffies value that incre-
the VLAN tag is 0, then the port is untagged. In this example, the first
packet is received on Ethernet port 2, and the VLAN is not yet known.
The packet is assigned to buffer index d821.
Generally, the VLAN tag for ingress packets is 0. It is normal for the
ingress VLAN tag to be 0 even when the egress VLAN tag is not 0.
Note:
Layer 4 port.
S For TCP, shows the packet type:
S Syn
SA Syn Ack
A Ack
F Fin
PA Push Ack
b85767f9:0(0) The number in parentheses is the number of bytes in
the packet payload. The other numbers are used by A10 Networks for
troubleshooting.
diff
Description
Syntax
Default
N/A
Mode
Privileged EXEC
Usage
The diff startup-config running-config command compares the configuration profile that is currently linked to startup-config with the running-config. Similarly, the diff startup-config profile-name command compares the
configuration profile that is currently linked to startup-config with the
specified configuration profile.
To compare a configuration profile other than the startup-config to the running-config, enter the configuration profile name instead of startup-config.
To compare any two configuration profiles, enter their profile names instead
of startup-config or running-config.
In the CLI output, the commands in the first profile name you specify are
listed on the left side of the terminal screen. The commands in the other profile that differ from the commands in the first profile are listed on the right
side of the screen, across from the commands they differ from. The following flags indicate how the two profiles differ:
Example
(
(
(
(
(
(
(
(
(
(
(
(
(
|
ip address
ipv6 address
(
(
> ip nat range-
disable
Description
Exit the Privileged EXEC mode and enter the EXEC mode.
Syntax
disable
Mode
Privileged EXEC
Note:
exit
Description
Exit the Privileged EXEC mode and enter the EXEC Mode.
Syntax
exit
Mode
Privileged EXEC
Example
In the following example, the exit command is used to exit the Privileged
EXEC level and return to the User EXEC level of the CLI:
AX#exit
AX>
Note:
export
Description
Syntax
Description
aflex
class-list
ssl-cert
Exports a certificate.
ssl-key
ssl-crl
axdebug
debug_monitor
file-name
url
Mode
Example
health-test
Description
import
Description
Syntax
import
{aflex | bw-list | class-list | geo-location |
ssl-cert | ssl-key | ssl-crl }
file-name url
Description
aflex
bw-list
class-list
geo-location
ssl-cert
Imports a certificate.
ssl-key
ssl-crl
file-name
url
Mode
Usage
For SSL certificates and keys, this command is equivalent to the slb ssl-load command. You can use either one to import SSL certificates and keys.
Note:
Example
locale
Description
Syntax
locale parameter
Parameter
Description
test
en_US.UTF-8
zh_CN.UTF-8
zh_CN.GB18030
zh_CN.GBK
zh_CN.GB2312
zh_TW.UTF-8
zh_TW.BIG5
zh_TW.EUCTW
ja_JP.UTF-8
ja_JP.EUC-JP
Default
en_US.UTF-8
Mode
no
Description
Syntax
no command
Mode
All
Example
ping
Test network connectivity. For syntax information, see ping on page 40.
reboot
Reboot the AX Series device.
Syntax
reboot
[text |
in [hh:]mm [text] |
at hh:mm [month day | day month] [text] |
cancel]
Parameter
Description
text
in [hh:]mm
at hh:mm
month
day
cancel
Mode
Privileged EXEC
Usage
The reboot command halts the system. If the system is set to restart on
error, it reboots itself. Use the reboot command after configuration information is entered into a file and saved to the startup configuration.
You cannot reboot from a virtual terminal if the system is not set up for automatic booting. This prevents the system from dropping to the ROM monitor
and thereby taking the system out of the remote user's control.
AX(config)# reboot
System configuration has been modified. Save? [yes/no]:yes
Rebooting System Now !!!
Proceed with reboot? [yes/no]:yes
The following example reboots the AX Series device in 10 minutes:
AX(config)# reboot in 10
AX(config)# Reboot scheduled for 11:57:08 PDT Fri Apr 21 1996 (in 10 minutes)
Proceed with reboot? [yes/no]yes
AX(config)#
The following example reboots the AX Series device at 1:00 p.m. today:
AX(config)# reboot at 13:00
AX(config)# Reboot scheduled for 13:00:00 PDT Fri Apr 21 1996 (in 1 hour and 2 minutes)
Proceed with reboot? [yes/no]yes
AX(config)#
The following example reboots the AX Series device on Apr 20 at 4:20 p.m.:
AX(config)# reboot at 16:20 apr 20
AX(config)# Reboot scheduled for 16:20:00 PDT Sun Apr 20 2008 (in 38 hours and
9 minutes)
Proceed with reboot? [yes/no]yes
AX(config)#
reload
Description
Syntax
Mode
Privileged EXEC
Usage
The reload command restarts AX system processes and reloads the startup-config, without reloading the system image. To also reload the system
image, use the reboot command instead. (See reboot on page 62.)
The AX device closes all sessions as part of the reload.
Example
AX(config)#reload
Reload AX ....Done.
AX(config)#
repeat
Description
Syntax
Description
Interval at which to re-enter the command. You
can specify 1-300 seconds.
seconds
command-options Options of the show command. See Show Commands on page 535 and SLB Show Commands on page 659.
Mode
Privileged EXEC
Usage
The repeat command is especially useful when monitoring or troubleshooting the system.
The elapsed time indicates how much time has passed since you entered the
repeat command. To stop the command, press Ctrl+C.
Example
show
Description
shutdown
Schedule a system shutdown at a specified time or after a specified interval,
or cancel a scheduled system shutdown.
Syntax
Description
at
in
cancel
text
Privileged EXEC
Example
AX#shutdown at 23:59
System configuration has been modified. Save? [yes/no]:yes
Building configuration...
[OK]
Shutdown scheduled for 23:59:00 UTC Fri Sep 30 2005 (in 5 hours and 39 minutes)
by admin on 192.168.1.102
Proceed with shutdown? [confirm]
AX#
Example
AX#shutdown cancel
***
*** --- SHUTDOWN ABORTED ---
***
ssh
Description
telnet
Description
terminal
Description
Syntax
Description
auto-size
Enables the terminal length and width to automatically change to match the terminal window
size.
editing
Default
history [size]
Enables and controls the command history function. The size option specifies the number of
command lines that will be held in the history
buffer. You can specify 0-1000.
length num
monitor
width num
Mode
Example
traceroute
Description
write terminal
Description
Syntax
write terminal
[all-partitions |
partition {shared | private-partition-name}]
Parameter
all-partitions
Description
Displays configuration information for all system
partitions.
access-list (standard)
Description
Syntax
Description
acl-num
seq-num
deny | permit
Note:
If you are configuring an ACL for source NAT, use the permit action. For
ACLs used with source NAT, the deny action does not drop traffic; it simply does not use the denied addresses for NAT translations.
l3-vlan-fwd-disable
remark string
source-ipaddr
{filter-mask |
/mask-length}
Denies or permits traffic received from the specified host or subnet. The filter-mask specifies the
portion of the address to filter:
Use 0 to match.
Use 255 to ignore.
For example, the following filter-mask filters on
a 24-bit subnet: 0.0.0.255
Alternatively, you can use mask-length to specify
the portion of the address to filter. For example,
you can specify /24 instead of 0.0.0.255 to filter on a 24-bit subnet.
Configures the AX device to generate log messages when traffic matches the ACL.
The transparent-session-only option limits logging for an ACL rule to creation and deletion of
transparent sessions for traffic that matches the
ACL rule.
Default
No ACLs are configured by default. When you configure one, the log
option is disabled by default.
Mode
Global Config
Usage
page 183.
To use an ACL to filter traffic on a virtual server port, see access-list
on page 409.
To use an ACL to control management access, see disable-manage-
The syntax shown in this section configures a standard ACL, which filters
based on source IP address. To filter on additional values such as destination
address, IP protocol, or TCP/UDP ports, configure an extended ACL. (See
access-list (extended) on page 72.)
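The filter-mask rule given for source-ipaddr above (0 matches, 255 ignores) and its /mask-length equivalent can be checked with the following added example, which is not part of the A10 documentation. It assumes the mask is applied bit by bit, as conventional wildcard masks are; the function names and sample addresses are constructed for illustration.

```python
import ipaddress


def _to_int(dotted):
    """Dotted-quad string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def source_matches(src, rule_addr, filter_mask):
    """True when src matches rule_addr under filter_mask.

    A 0 bit in the filter-mask means "this bit must match"; a 1 bit
    (255 for a whole octet) means "ignore this bit". Assumption: the mask
    is evaluated bitwise, the way conventional wildcard masks are.
    """
    care = ~_to_int(filter_mask) & 0xFFFFFFFF
    return (_to_int(src) & care) == (_to_int(rule_addr) & care)


def filter_mask_to_length(filter_mask):
    """Return the /mask-length equivalent of a filter-mask.

    Raises ValueError when the ignored bits are not one contiguous run at
    the low end of the address, because no mask-length can express that.
    """
    ignore = _to_int(filter_mask)
    # A contiguous low-end run of 1 bits makes ignore + 1 a power of two.
    if ignore & (ignore + 1):
        raise ValueError(f"{filter_mask} has no /mask-length equivalent")
    return 32 - ignore.bit_length()


def length_to_filter_mask(length):
    """Return the filter-mask equivalent of a /mask-length (0-32)."""
    if not 0 <= length <= 32:
        raise ValueError("mask-length must be 0-32")
    return str(ipaddress.IPv4Address((1 << (32 - length)) - 1))


if __name__ == "__main__":
    # Constructed sample sources tested against the 10.10.10.x rule that
    # the Example in this section describes.
    rule_addr, mask = "10.10.10.0", "0.0.0.255"
    print(f"{rule_addr} {mask} is /{filter_mask_to_length(mask)}")
    for src in ("10.10.10.1", "10.10.10.254", "10.10.11.1", "192.168.1.102"):
        verdict = "matches" if source_matches(src, rule_addr, mask) else "no match"
        print(f"{src:15} {verdict}")
    # Host bits in the rule address are ignored too, so a rule written as
    # 10.10.10.5 0.0.0.255 covers the whole subnet, not a single host.
    print(source_matches("10.10.10.77", "10.10.10.5", "0.0.0.255"))
```

When reviewing an ACL, a rule address with host bits set under an ignoring mask is worth a second look: the rule is wider than the address alone suggests.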
Example
The following commands configure a standard ACL and use it to deny traffic sent from subnet 10.10.10.x, and apply the ACL to inbound traffic
received on Ethernet interface 4:
access-list (extended)
Description
Syntax
Related Commands
Description
acl-num
seq-num
deny | permit
l3-vlan-fwd-disable
remark string
ip
Filters on IP packets.
icmp
type typeoption
code code-num
eq src-port |
gt src-port |
lt src-port |
range start-src-port
end-src-port
Configures the AX device to generate log messages when traffic matches the ACL.
The transparent-session-only option limits logging for an ACL rule to creation and deletion of
transparent sessions for traffic that matches the
ACL rule.
Default
No ACLs are configured by default. When you configure one, the log
option is disabled by default.
Mode
Global Config
Usage
page 183.
To use an ACL to filter traffic on a virtual server port, see access-list
on page 409.
accounting
Description
Description
start-stop
stop-only
radius |
tacplus
cmd-level
Default
N/A
Mode
Global configuration.
Usage
Example
admin
Configure an admin account for management access to the AX Series
device.
This command is available only to admins who have Root privileges.
Note:
Syntax
This command changes the CLI to the configuration level for the specified
admin account, where the following admin-related commands are available:
Command
Description
admin
disable
enable
Private partitions are used in Role-Based Administration (RBA). For information, see the Role-Based Administration chapter of the AX Series Configuration Guide.
trusted-host
ipaddr
{subnet-mask |
/mask-length}
unlock
Default
The system has a default admin account, with username admin and password a10. The default admin account has write privilege and can log on
from any host or subnet address.
Other admin accounts have the following defaults:
enable / disable Admin accounts are enabled by default as soon as
any admin account you configure if you do not configure the password
for the account.
privilege read
Global Config
Example
AX(config)#admin adminuser1
AX(config-admin:adminuser1)#password 1234
Example
AX(config)#admin adminuser2
AX(config-admin:adminuser2)#password 12345678
AX(config-admin:adminuser2)#write
Example
The following commands add admin adminuser3 with password abcdefgh and write privilege, and restrict login access to the 10.10.10.x subnet
only:
AX(config)#admin adminuser3
AX(config-admin:adminuser3)#password abcdefgh
AX(config-admin:adminuser3)#write
AX(config-admin:adminuser3)#trusted-host 10.10.10.0 /24
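The admin examples above differ in two ways that matter for management access: privilege and trusted-host. The following added example, which is not A10 code, audits a CLI transcript in the prompt format those examples use. The finding names, the 12-character policy value, the adminuser4 account and the treatment of an account with no trusted-host as reachable from any address are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed transcript in the prompt format of the examples above.
# adminuser4 and its password are made up to show the 0.0.0.0 /0 edge case.
TRANSCRIPT = """\
AX(config)#admin adminuser1
AX(config-admin:adminuser1)#password 1234
AX(config)#admin adminuser2
AX(config-admin:adminuser2)#password 12345678
AX(config-admin:adminuser2)#write
AX(config)#admin adminuser3
AX(config-admin:adminuser3)#password abcdefgh
AX(config-admin:adminuser3)#write
AX(config-admin:adminuser3)#trusted-host 10.10.10.0 /24
AX(config)#admin adminuser4
AX(config-admin:adminuser4)#password Xq7-constructed-passphrase
AX(config-admin:adminuser4)#write
AX(config-admin:adminuser4)#trusted-host 0.0.0.0 /0
"""

MIN_PASSWORD_LEN = 12        # assumed local policy value, not an AX limit
DEFAULT_PASSWORD = "a10"     # default admin password stated in this section

ADMIN_RE = re.compile(r"^\S+\(config\)#admin\s+(\S+)\s*$")
SUB_RE = re.compile(r"^\S+\(config-admin:([^)]+)\)#(\S+)\s*(.*)$")


def _new_account():
    # New accounts default to read privilege, per the defaults listed above.
    return {"password": None, "privilege": "read", "trusted": []}


def parse_admins(transcript):
    """Build {admin name: settings} from admin-level CLI transcript lines."""
    admins = {}
    for line in transcript.splitlines():
        line = line.strip()
        m = ADMIN_RE.match(line)
        if m:
            admins.setdefault(m.group(1), _new_account())
            continue
        m = SUB_RE.match(line)
        if not m:
            continue  # not an admin-level command
        name, cmd, args = m.groups()
        acct = admins.setdefault(name, _new_account())
        if cmd == "password":
            acct["password"] = args
        elif cmd == "write":
            acct["privilege"] = "write"
        elif cmd == "trusted-host":
            # Accepts both forms: "ipaddr subnet-mask" and "ipaddr /mask-length".
            addr, mask = args.split()
            net = ipaddress.ip_network(f"{addr}/{mask.lstrip('/')}", strict=False)
            acct["trusted"].append(net)
    return admins


def audit(admins):
    """Return a sorted list of (admin name, finding) tuples."""
    findings = []
    for name, acct in sorted(admins.items()):
        pw = acct["password"]
        if pw == DEFAULT_PASSWORD:
            findings.append((name, "default-password"))
        elif pw is not None and len(pw) < MIN_PASSWORD_LEN:
            findings.append((name, "short-password"))
        # No trusted-host, or one that covers every address, leaves the
        # account reachable from any source (assumption for the first case).
        wide_open = any(net.prefixlen == 0 for net in acct["trusted"])
        if not acct["trusted"] or wide_open:
            if acct["privilege"] == "write":
                findings.append((name, "unrestricted-source-write"))
            else:
                findings.append((name, "unrestricted-source"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(parse_admins(TRANSCRIPT)):
        print(f"{name}: {finding}")
```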
Example
admin lockout
Description
Syntax
Description
Number of minutes a lockout remains in effect.
After the lockout times out, the admin can try
again to log in. You can specify 0-1440 minutes.
enable
reset-time
minutes
threshold
number
Default
The lockout feature is disabled by default. This command has the following
defaults:
duration 10 minutes
reset-time 10 minutes
threshold 5
Example
aflex
Description
arp
Description
Syntax
Create a static ARP entry or change the timeout for dynamic entries.
[no] arp ipaddr mac-address
[interface ethernet number
[vlan vlan-id]]
[no] arp timeout seconds
Parameter
Description
ipaddr
mac-address
Default
The default timeout for learned entries is 300 seconds. Static entries do not
time out.
Mode
Global Config
arp timeout
Description
Syntax
Default
Mode
Global Config
Description
Number of seconds a dynamic entry can remain
unused before being removed from the ARP
table. You can specify 60-86400 seconds.
audit
Description
Syntax
Description
enable
[privilege]
size numentries
Default
Mode
Global Config
Usage
The audit log is maintained in a separate file, apart from the system log. The
audit log is RBA-aware. The audit log messages that are displayed for an
admin depend upon the admin's role (privilege level). Admins with Root,
Read Write, or Read Only privileges who view the audit log can view all the
messages, for all system partitions.
Admins who have privileges only within a specific partition can view only
the audit log messages related to management of that partition. Partition
Real Server Operator admins cannot view any audit log entries.
Note:
Example
AX(config)#show audit
authentication
Description
Syntax
Description
local
radius
tacplus
Default
Mode
Global Config
Usage
The local database (local option) must be included as one of the authentication sources, regardless of the order in which the sources are used. Authentication using only a remote server is not supported.
If the same username is configured in the local database and on the remote
server but the passwords do not match, the order in which the authentication
sources are used determines whether the admin is granted access. (For more
information, see the Configuring AAA for Admin Access section in the
Management Security Features chapter of the AX Series Configuration
Guide.)
Usage
Example
The following commands configure a pair of RADIUS servers and configure the AX device to use them first, before using the local database. Since
10.10.10.12 is added first, this server will be used as the primary server.
Server 10.10.10.13 will be used only if the primary server is unavailable.
authorization
Description
Syntax
Description
cmd-level
tacplus
none
debug-level
Default
Not set
Mode
Global configuration.
Usage
Example
axdebug
Description
backup config
Back up the system. See backup config on page 46.
backup log
Description
Configure log backup options and save a backup of the system log. See
backup log on page 47.
banner
Set the banners to be displayed when an admin logs onto the CLI or
accesses the Privileged EXEC mode.
Syntax Description
Description
exec
login
multi-line
end-marker
line
Default
Mode
Global Config
The following examples set the login banner to "welcome to login mode"
and set the EXEC banner to a multi-line greeting:
boot-block-fix
Description
Repair the master boot record (MBR) on the hard drive or compact flash.
Syntax
Description
Medium to be repaired:
cf compact flash
hd hard disk
Default
N/A
Mode
Global Config
Usage
The MBR is the boot sector located at the very beginning of a boot drive.
Under advisement from A10 Networks, you can use the command if your
compact flash or hard drive cannot boot. If this occurs, boot from the other
drive, then use this command.
bootimage
Description
Specify the boot image location from which to load the system image the
next time the AX Series is rebooted.
Syntax
Description
Boot medium. The AX Series device always tries
to boot using the hard disk (hd) first. The compact flash (cf) is used only if the hard disk is unavailable.
Default
The default location is primary, for both the hard disk and the compact
flash.
Mode
Global Config
Example
The following command configures the AX Series to boot from the secondary image area on the hard disk the next time the device is rebooted:
AX(config)#bootimage hd sec
bpdu-fwd-group
Description
Configure a group of tagged Ethernet interfaces for forwarding Bridge Protocol Data Units (BPDUs). BPDU forwarding groups enable you to use the
AX device in a network that runs Spanning Tree Protocol (STP).
A BPDU forwarding group is a set of tagged Ethernet interfaces that will
accept and broadcast STP BPDUs among themselves. When an interface in
a BPDU forwarding group receives an STP BPDU (a packet addressed to
MAC address 01-80-C2-00-00-00), the interface broadcasts the BPDU to all
the other interfaces in the group.
Syntax
Description
BPDU forwarding group number, 1-8.
number
This command changes the CLI to the configuration level for the BPDU
forwarding group, where the following command is available.
Command
Description
[no] ethernet
portnum
[to portnum]
[ethernet
portnum] ...
Default
None
Mode
Global config
the BPDU is not broadcast to any other members of the same trunk.
Example
AX(config)#bpdu-fwd-group 1
AX(config-bpdu-fwd-group:1)#ethernet 1 to 3
AX(config-bpdu-fwd-group:1)#show bpdu-fwd-group
BPDU forward Group 1 members: ethernet 1 to 3
bridge-vlan-group
Description
Syntax
Description
[no] name
string
[no]
vlan vlan-id
[vlan vlan-id
... | to vlan
vlan-id]
Default
By default, the configuration does not contain any bridge VLAN groups.
When you create a bridge VLAN group, it has the following default settings:
forward-all-traffic | forward-ip-traffic forward-ip-traffic
name Not set
router-interface Not set
vlan Not set
Mode
Global Config
Usage
Example
For more information, including configuration notes and examples, see the
VLAN-to-VLAN Bridging chapter in the AX Series Configuration Guide.
bw-list
Description
Syntax
Description
name
use-mgmt-port
period seconds
Specifies how often the AX Series device reimports the list to ensure that changes to the list
are automatically replicated on the AX device.
You can specify 60-86400 seconds.
load
If you use the load option, the CLI cannot accept any new commands
until the load is completely finished. For large black/white lists, loading
can take a while. Do not abort the load process; doing so can also interrupt
periodic black/white-list updates. If you do accidentally abort the load
process, repeat the command with the load option and allow the load to
complete.
Note:
Default
Mode
Global Config
Usage
A TFTP server is required on the PC and the TFTP server must be running
when you enter the bw-list command.
Example
Syntax
Note:
Description
list-name
filename file
A class list can be exported only if you use the file option.
This command changes the CLI to the configuration level for the specified
class list, where the following command is available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
Description
[no] ipaddr
/network-mask
[glid num |
lid num]
Default
None
Mode
Global Config
Configure the LIDs before configuring the class list entries. To configure a
LID for IP limiting, see lid on page 117.
As an alternative to configuring class entries on the AX device, you can
configure the class list using a text editor on another device, then import the
class list onto the AX device. To import a class list, see import on
page 59.
For more information about IP limiting, see the IP Limiting chapter in the
AX Series Configuration Guide.
Example
AX(config)#class-list global
AX(config-class list)#0.0.0.0/0 glid 1
Note:
Syntax
Description
list-name
filename file
This command changes the CLI to the configuration level for the specified
class list, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
[no] priv-addr
{subnet-mask |
/mask-length}
lsn-lid num
Description
None
Mode
Global Config
Usage
Configure the LSN LIDs before configuring the class list entries. To configure an LSN LID for IP limiting, see lsn-lid on page 130.
As an alternative to configuring class entries on the AX device, you can
configure the class list using a text editor on another device, then import the
class list onto the AX device. To import a class list, see import on
page 59.
For more information about LSN, see the Large-Scale NAT chapter in the
AX Series Configuration Guide.
Example
AX(config)#class-list list1
AX(config-class list)#5.5.5.0 /24 lsn-lid 5
clock timezone
Set the clock timezone.
Syntax Description
Description
timezone
Timezone to use. To view the available timezones, enter the following command:
clock timezone ?
nodst
Default
Europe/Dublin (GMT)
Mode
Global Config
Usage
If you use the GUI or CLI to change the AX timezone or system time, the
statistical database is cleared. This database contains general system statistics (performance, and CPU, memory, and disk utilization) and SLB statistics. For example, in the GUI, the graphs displayed on the Monitor >
Overview page are cleared.
The following commands list the available timezones, then set the timezone
to America/Los_Angeles:
AX(config)#clock timezone ?
Pacific/Midway
(GMT-11:00)Midway Island, Samoa
Pacific/Honolulu
(GMT-10:00)Hawaii
America/Anchorage
(GMT-09:00)Alaska
...
AX(config)#clock timezone America/Los_Angeles
convert-passwd
Description
Convert admin accounts and enable passwords into pre-1.2.7 format before
downgrading to AX Release 1.2.6 or earlier.
Syntax
Description
Specifies the image area to which you want to
save the admin accounts and passwords. Specify
the image area from which you plan to boot
using the 1.2.6 or earlier image.
Default
N/A
Mode
Global Config
Usage
copy
Copy a running-config or startup-config.
Syntax Description
Description
running-config
startup-config
use-mgmt-port
url
Copies the running-config or configuration profile to a remote device. The URL specifies the
file transfer protocol, username, and directory
path.
You can enter the entire URL on the command
line or press Enter to display a prompt for each
part of the URL. If you enter the entire URL and
a password is required, you will still be prompted
for the password. To enter the entire URL:
tftp://host/file
ftp://[user@]host[:port]/file
to-profile-name
[cf]
Configuration profile you are copying to. The cf
option copies the profile to the compact flash
instead of the hard disk.
Note:
Copying a profile from the compact flash to the hard disk is not supported.
Note:
You cannot use the profile name default. This name is reserved and
always refers to the configuration profile that is stored in the image area
from which the AX device most recently rebooted.
Default
None
Mode
Global Config
Usage
If you are planning to configure a new AX device by loading the configuration from another AX device:
1. On the configured AX device, use the copy startup-config url command to save the startup-config to a remote server.
2. On the new AX device, use the copy url startup-config command to
copy the configured AX device's startup-config from the remote server
onto the new AX device.
3. Use the reboot command (at the Privileged EXEC level) to reboot the
new AX device.
4. Modify parameters as needed (such as IP addresses).
If you attempt to copy the configuration by copying-and-pasting it from a
CLI session on the configured AX device, some essential parameters such
as interface states will not be copied.
Example
delete startup-config
Description
Syntax
Description
profile-name
cf
Default
N/A
Mode
Global Config
Usage
Although the command uses the startup-config option, the command only
deletes the configuration profile linked to startup-config if you enter that
profile's name. The command deletes only the profile you specify.
If the configuration profile you specify is linked to startup-config,
startup-config is automatically relinked to the default. (The default is the
configuration profile stored in the image area from which the AX device
most recently rebooted).
Example
disable
Description
Syntax
Description
server-name
port port-num
Enabled
Mode
Global Config
Example
Example
Example
disable-management
Description
Syntax
Syntax
Description
all
ssh
telnet
http
https
snmp
ping
Note:
Default
Specifies the interfaces for which you are configuring access control.
Disabling ping replies from being sent by the device does not affect the
device's ability to ping other devices.
Table 1 lists the default settings for each management service.
TABLE 1
Management Service   Ethernet Management Interface   Ethernet and VE Data Interfaces
SSH                  Enabled                         Disabled
Telnet               Disabled                        Disabled
HTTP                 Enabled                         Disabled
HTTPS                Enabled                         Disabled
SNMP                 Enabled                         Disabled
Ping                 Enabled                         Enabled
Mode
Global Config
Usage
If you disable the type of access you are using on the interface you are using
at the time you enter this command, your management session will end. If
you accidentally lock yourself out of the device altogether (for example, if
you use the all option for all interfaces), you can still access the CLI by connecting a PC to the AX device's serial port.
To enable management access, see enable-management on page 105.
You can enable or disable management access, for individual access types
and interfaces. You also can use an Access Control List (ACL) to permit or
deny management access through the interface by specific hosts or subnets.
Notes Regarding Use of ACLs
If you use an ACL to secure management access, the action in the ACL rule
that matches the management traffic's source address is used to permit or
deny access, regardless of other management access settings.
The following command disables HTTP access to the out-of-band management interface:
do
Description
Syntax
do command
Default
N/A
Mode
Global Config
Usage
Example
The following command runs the traceroute command from the global
CONFIG level:
enable
Description
Syntax
Description
server-name
port port-num
Default
Enabled
Mode
Global Config
Example
Example
Example
enable-core
Description
Syntax
Default
Description
Enables A10 core dump files. Without this
option, system core dump files are used instead.
System core dump files are larger than A10 core
dump files.
Global config
enable-management
Description
Syntax
Syntax
ssh
telnet
http
https
snmp
ping
acl acl-num
management |
ethernet portnum [to portnum] |
ve ve-num
[to ve-num]
Default
Description
Specifies the interfaces for which you are configuring access control.
Management Service   Management Interface   Data Interfaces
SSH                  Enabled                Disabled
Telnet               Disabled               Disabled
HTTP                 Enabled                Disabled
HTTPS                Enabled                Disabled
SNMP                 Enabled                Disabled
Ping                 Enabled                Enabled
Mode
Global Config
Usage
Example
enable-password
Description
Syntax
Set the enable password, which secures access to the Privileged EXEC level
of the CLI.
[no] enable-password password-string
Parameter
Description
Mode
Global Config
Example
AX(config)#enable-password execadmin
end
Description
Syntax
end
Default
N/A
Mode
Config
Usage
The end command is valid at all configuration levels of the CLI. From any
configuration level, the command returns directly to the Privileged EXEC
level.
Example
The following command returns from the global Config level to the Privileged EXEC level:
AX(config)#end
AX#
erase
Description
Syntax
erase
Default
N/A
Mode
Global Config
Usage
Example
AX(config)#erase
exit
Description
Syntax
Default
exit
N/A
Config
Usage
The exit command is valid at all CLI levels. At each level, the command
returns to the previous CLI level. For example, from the server port level,
the command returns to the server level. From the global Config level, the
command returns to the Privileged EXEC level. From the user EXEC level,
the command terminates the CLI session.
From the global configuration level, you also can use the end command to
return to the Privileged EXEC level.
Example
The following command returns from the global Config level to the Privileged EXEC level:
AX(config)#exit
AX#
floating-ip
Description
Syntax
Description
ipaddr
group-id
HA group ID.
Default
None
Mode
Global Config
Usage
fwlb
Description
Configure Firewall Load Balancing (FWLB) parameters. See Config Commands: Firewall Load Balancing on page 485.
gslb
Description
ha
Description
health external
Use an external program for health monitoring.
Syntax
health external
{delete program-name |
import [use-mgmt-port] [description] url |
export [use-mgmt-port] program-name url}
Parameter
Description
program-name
use-mgmt-port
description
url
N/A
Mode
Global Config
Usage
Example
health global
Description
Syntax
Description
monitor-name
interval
seconds
retry number
Note:
You can change one or more parameters on the same command line.
Default
See above.
Mode
Global Config
Usage
Globally changing a health monitor parameter changes the default for that
parameter. For example, if you globally change the interval from 5 seconds
to 10 seconds, the default interval becomes 10 seconds.
If a parameter is explicitly set on a health monitor, globally changing the
parameter does not affect the health monitor. For example, if the interval on
health monitor hm1 is explicitly set to 20 seconds, the interval remains 20
seconds on hm1 regardless of the global setting.
Global health monitor parameter changes automatically apply to all new
health monitors configured after the change. To apply a global health
monitor parameter change to health monitors that were configured before
the change, you must reboot the AX device.
Note:
Example
Example
health monitor
Description
Syntax
Description
monitor-name
interval
seconds
retry number
Default
See above.
Mode
Global Config
Usage
For information about the commands available at the health-monitor configuration level, see Config Commands: SLB Health Monitors on page 493.
For more usage information about health monitors, see the Health Monitoring chapter of the AX Series Configuration Guide.
Example
health postfile
Description
Import or delete a POST data file for an HTTP or HTTPS health check.
Syntax
Description
Default
N/A
Mode
Global Config
Usage
The maximum length of POST data you can specify in the CLI or GUI is
255 bytes. For longer data (up to 2 Kbytes), you must import the data in a
file and refer to the file in the HTTP or HTTPS health check.
To use a POST data payload file in an HTTP/HTTPS health monitor, use the
postfile filename option in the method http or method https command, at
the configuration level for the health monitor.
Example
The following commands import a file containing a large HTTP POST data
payload (up to 2 Kbytes), and add the payload to an HTTP health monitor:
In this example, health checks that use this health monitor will send a POST
request containing the data in postfile, and expect the string def in
response.
hostname
Set the AX Series device's hostname.
Syntax Description
Default
AX
Mode
Global Config
The CLI command prompt also is changed to show the new hostname.
Example
AX(config)#hostname SLBswitch2
icmp-rate-limit
Description
Syntax
Description
normal-rate
lockup max-rate
lockup-time
Default
None
Mode
Global Config
Usage
This command configures ICMP rate limiting globally for all traffic to or
through the AX device. To configure ICMP rate limiting on individual
Ethernet interfaces, see icmp-rate-limit on page 186. To configure it in a
virtual server template, see slb template virtual-server on page 375. If you
configure ICMP rate limiting filters at more than one of these levels, all filters are applicable.
interface
Description
Syntax
Default
N/A
Mode
Global Config
Usage
For information about the commands available at the interface configuration level, see Config Commands: Interface on page 183.
Example
The following command changes the CLI to the configuration level for
Ethernet interface 3:
AX(config)#interface ethernet 3
AX(config-if:ethernet3)#
ip
Description
ipv6
Description
key chain
Configure a key chain for use by RIP.
Syntax Description
Description
Name of the key chain, 1-31 characters.
name
This command changes the CLI to the configuration level for the specified
key chain, where the following key-chain related command is available:
Command
Description
Default
Mode
Global Config
Usage
Although you can configure multiple key chains, A10 Networks recommends using one key chain per interface, per routing protocol.
Example
l3-vlan-fwd-disable
Description
Syntax
[no] l3-vlan-fwd-disable
Default
Mode
Global Config
Usage
disabled for all traffic that matches ACL rules that use the l3-vlan-fwd-disable action. (See access-list (standard) on page 69 or access-list
(extended) on page 72.)
To display statistics for this option, see show slb switch on page 699.
lid
Description
Note:
Syntax
Description
Limit ID, 1-31.
Description
[no] conn-limit
num
[no] overlimit-action
[forward |
reset]
[lockout
minutes]
[log minutes]
Global Config
Usage
This command uses a single class list for IP limiting. To use multiple class
lists for system-wide IP limiting, use a PBSLB policy template instead. See
slb template policy on page 338.
A PBSLB policy template is also required if you plan to apply IP limiting
rules to individual virtual servers or virtual ports.
AX(config)#lid 1
AX(config-global lid)#conn-rate-limit 10000 per 1
AX(config-global lid)#conn-limit 2000000
AX(config-global lid)#over-limit forward logging
AX(config-global lid)#exit
AX(config)#system lid 1
AX(config)#class-list global
AX(config-class list)#0.0.0.0/0 glid 1
link
Description
Syntax
Description
default
Links startup-config to the configuration profile stored in the image area from which the AX
device was most recently rebooted.
profile-name
primary |
secondary
cf
Default
Mode
Global Config
Usage
This command enables you to easily test new configurations without replacing the configuration stored in the image area.
The profile you link to must be stored on the boot device you select. For
example, if you use the default boot device (hard disk) selection, the profile
Example
The following command relinks startup-config to the configuration profile stored in the image area from which the AX device was most recently
rebooted:
locale
Set the CLI locale.
Syntax Description
Default
en_US.UTF-8
Mode
Global Config
Usage
Use this command to configure the locale or to test the supported locales.
Example
The following commands test the Chinese locales and set the locale to
zh_CN.GB2312:
Syntax
Description
Specifies where event messages are sent:
target
For information about the email option, see logging email buffer on
page 124 and logging email filter on page 124.
severity-level
Default
Mode
Global Config
To send log messages to an external host, you must configure the external
host using the logging host command.
Example
The following command sets the severity level for event messages sent to
the console to 2 (critical):
AX(config)#logging console 2
logging buffered
Description
Syntax
Description
Specifies the maximum number of messages the
event log buffer will hold.
Specifies the severity levels to log. You can enter
the name or the number of the severity level.
{0 | emergency}
{1 | alert}
{2 | critical}
{3 | error}
{4 | warning}
{5 | notification}
{6 | information}
{7 | debugging}
Default
The default buffer size (maximum messages) is 30000. The default severity
level is 7 (debugging).
Mode
Global Config
Example
The following command sets the severity level for log messages to 7
(debugging):
AX(config)#logging buffered 7
Default
Description
number num
time minutes
By default, emailing of log messages is disabled. When you enable the feature, the buffer options have the following default values:
number 50
time 10
Mode
Global Config
Usage
To configure the AX device to send log messages by email, you also must
configure an email filter and specify the email address to which to email the
log messages. See logging email filter on page 124 and logging email-address on page 127.
Example
Description
filter-num
conditions
Message attributes on which to match. The conditions list can contain one or more of the following:
level severity-levels - Specifies the severity levels of messages to send in
email. You can specify the severity levels by number (0-7) or by name:
emergency, alert, critical, error, warning, notification, information, or debugging.
mod software-module-name - Specifies the software modules for which to email
messages. Messages are emailed only if they come from one of the specified
software modules. For a list of module names, enter ? instead of a module name,
and press Enter.
pattern regex - Specifies the string requirements. Standard regular expression
syntax is supported. Only messages that meet the criteria of the regular
expression will be emailed. The regular expression can be a simple text string
or a more complex expression using standard regular expression logic.
operators
trigger
Default
Mode
Global Config
Usage
To configure the AX device to send log messages by email, you also must
specify the email address to which to email the log messages. See logging
email-address on page 127.
Considerations
You can configure up to 8 filters. The filters are used in numerical order,
starting with filter 1. When a message matches a filter, the message will
be emailed based on the buffer settings. No additional filters are used to
examine the message.
A maximum of 8 conditions are supported in a filter.
The total number of conditions plus the number of Boolean operators
is still supported:
logging email severity-level
The severity-level can be one or more of the following: 0, 1, 2, 5, emergency, alert, critical, notification.
The command is treated as a special filter. This filter is placed into effect
only if the command syntax shown above is in the configuration. The
filter has an implicit trigger option for emergency, alert, and critical
messages, to emulate the behavior in previous releases.
Example
Example
logging email-address
Description
Syntax
Description
Specifies an email address. You can enter more
than one address on the command line. Use a
space between each address.
Default
None
Mode
Global Config
Usage
To configure the AX device to send log messages by email, you also must
configure an email filter. See logging email filter on page 124.
Example
The following command sets two email addresses to which to send log messages:
logging export
Description
Send the messages that are in the event buffer to an external file server.
Syntax
Description
all
url
N/A
Mode
Global Config
logging facility
Description
Syntax
Description
facility-name
Default
Mode
Global Config
logging flow-control
Description
store.
Older messages replace newer ones. Depending on the state of logging flow
control, the oldest messages are deleted or copied to an external data store to
make room for new messages.
Syntax
Default
Global Config
logging host
Description
Syntax
port protocolport
Description
IP address of the Syslog server. You can enter
multiple IP addresses. Up to 10 remote logging
servers are supported.
Protocol port number to which to send messages.
You can specify only one protocol port with the
command. All servers must use the same protocol port to listen for syslog messages.
Default
Mode
Global Config
Usage
If you use the command to add some log servers, then need to add a new log
server later, you must enter all server IP addresses in the new command.
Each time you enter the logging host command, it replaces any set of servers and syslog port configured by the previous logging host command.
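The replace-on-re-entry behavior described above can silently remove a log collector when an administrator means to add one. The following added example (not part of the AX documentation) replays a sequence of logging host commands and reports the effective server set. The session lines are constructed, and the argument layout `logging host ipaddr [ipaddr ...] [port protocol-port]` is assumed from the parameter descriptions above.

```python
import ipaddress
import re

MAX_SERVERS = 10  # page: "Up to 10 remote logging servers are supported."
PROMPT = re.compile(r"^\s*\S+\(config[^)]*\)#\s*")  # strips e.g. "AX(config)#"


def parse_logging_host(line):
    """Return (servers, port) for a 'logging host' command, else None.

    Assumed layout: logging host ipaddr [ipaddr ...] [port protocol-port]
    Only the positive form is modelled; every other command returns None.
    """
    tokens = PROMPT.sub("", line).split()
    if tokens[:2] != ["logging", "host"]:
        return None
    args, port = tokens[2:], None
    if "port" in args:
        idx = args.index("port")
        if idx != len(args) - 2:
            raise ValueError("'port' must be last and followed by one number")
        port = int(args[idx + 1])
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        args = args[:idx]
    servers = [str(ipaddress.ip_address(a)) for a in args]
    if not servers:
        raise ValueError("no server address given")
    if len(servers) > MAX_SERVERS:
        raise ValueError(f"{len(servers)} servers exceeds limit of {MAX_SERVERS}")
    return servers, port


def replay(lines):
    """Apply commands in order; each logging host command replaces the
    previous server set and port instead of extending it."""
    servers, port, dropped = [], None, []
    for lineno, line in enumerate(lines, start=1):
        parsed = parse_logging_host(line)
        if parsed is None:
            continue
        new_servers, new_port = parsed
        lost = [s for s in servers if s not in new_servers]
        if lost:
            dropped.append((lineno, lost))  # collectors that stop receiving logs
        servers, port = new_servers, new_port
    return {"servers": servers, "port": port, "dropped": dropped}


def additive_command(current, extra, port=None):
    """Build the single command that keeps the current servers and adds new ones."""
    merged = list(dict.fromkeys(current + extra))  # keep order, drop duplicates
    if len(merged) > MAX_SERVERS:
        raise ValueError(f"{len(merged)} servers exceeds limit of {MAX_SERVERS}")
    cmd = "logging host " + " ".join(merged)
    return cmd + (f" port {port}" if port is not None else "")


# Constructed session: the third line was meant to add a collector.
SESSION = [
    "AX(config)#logging host 10.10.10.1 10.10.10.2",
    "AX(config)#logging console 2",
    "AX(config)#logging host 10.10.10.3 port 1514",
]

if __name__ == "__main__":
    state = replay(SESSION)
    print("effective servers:", state["servers"], "port:", state["port"])
    for lineno, lost in state["dropped"]:
        print(f"line {lineno} removed: {', '.join(lost)}")
    print("use instead:",
          additive_command(["10.10.10.1", "10.10.10.2"], ["10.10.10.3"], 1514))
```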
Example
Example
The following command reconfigures the set of external log servers, with a
different protocol port. All the log servers must use this port.
lsn-lid
Description
Syntax
This command configures a limit ID (LID) for use with LSN. To configure a LID for use with IP limiting instead, see lid on page 117.
Parameter
Description
LSN LID number, 1-31.
num
This command changes the CLI to the configuration level for the specified
LSN LID, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
Description
[no] extended-user-quota {tcp | udp | icmp} service-port portnum sessions num
[no] source-nat-pool pool-name
[no] user-quota {tcp | udp | icmp} quota-num [reserve reserve-num]
Configures a per-user extended quota for essential services. The port option specifies the
Layer 4 protocol port of the service, and can be
1-65535. The sessions option specifies how
many extended sessions are allowed for the protocol port, and can be 1-255.
user-quota value.
Mode
Global Config
Example
The following commands configure an LSN LID. The LID is bound to pool
LSN_POOL1. Per-user quotas are configured for TCP, UDP, and ICMP.
For UDP, this class of users will reserve only 100 UDP ports instead of 300.
An extended quota of sessions per client is allocated for TCP port 25
(SMTP).
AX(config)#lsn-lid 5
AX(config-lsn lid)#source-nat-pool LSN_POOL1
AX(config-lsn lid)#user-quota tcp 100
AX(config-lsn lid)#user-quota udp 300 reserve 100
AX(config-lsn lid)#user-quota icmp 10
AX(config-lsn lid)#extended-user-quota tcp port 25 sessions 3
mac-address
Description
Syntax
Description
mac-address
port port-num
vlan vlan-id
Note:
Default
Mode
Global Config
Example
mac-age-time
Description
Syntax
Set the aging time for dynamic (learned) MAC entries. An entry that
remains unused for the duration of the aging time is removed from the MAC
table.
[no] mac-age-time seconds
Parameter
seconds
Description
Number of seconds a learned MAC entry can
remain unused before it is removed from the
MAC table. You can specify 10-600 seconds.
Default
300 seconds
Mode
Global Config
Usage
The following command changes the MAC aging time to 600 seconds:
AX(config)#mac-age-time 600
mirror-port
Description
Syntax
Description
Ethernet port number out which the monitored
traffic will be sent.
Default
Mode
Global Config
Usage
To specify the port to monitor, use the monitor command at the interface
configuration level. (See monitor on page 206.)
Example
AX(config)#mirror-port ethernet 3
AX(config)#interface ethernet 5
AX(config-if:ethernet5)#monitor input
monitor
Description
Syntax
Description
buffer-drop
buffer-usage
ctrl-cpu
disk
memory
Memory utilization
warn-temp
CPU temperature
Usage
Example
The following command sets the event threshold for data CPU utilization to
80%:
AX(config)#monitor data-cpu 80
no
Description
Syntax
no command-string
Default
N/A
Mode
Config
Usage
Use the no form of a command to disable a setting or remove a configured item. Configuration commands at all Config levels of the CLI have a
no form, unless otherwise noted.
The command is removed from the running-config. To permanently remove
the command from the configuration, use the write memory command to
save the configuration changes to the startup-config. (See write terminal
on page 67.)
Example
ntp
Description
Syntax
Default
Description
Hostname or IP address of the NTP server.
minutes
disable
enable
Global Config
Usage
Example
packet-handling
Description
Syntax
Description
trap
Sends broadcast packets to the CPU for processing, instead of forwarding them in hardware.
flood
Default
flood
Mode
Global Config
Usage
partition
Description
Syntax
Description
Specifies the name of the private partition, 1-14
characters.
Specifies the maximum number of aFleX policies the partition can have, 1-128.
Default
Mode
Global Config
Usage
To use this command, you must be logged in with an admin account that has
Root or Read-write privileges. (See show admin on page 536 for descriptions of the admin privilege levels.)
Example
AX(config)#partition companyA
AX(config)#partition companyB
Example
AX(config)#no partition
Remove all RBA partitions and configurations therein? (y/n) y
ping
Ping is used to diagnose basic network connectivity. For syntax information, see ping on page 40.
radius-server
Description
Syntax
Description
hostname |
ipaddr
secret
secret-string
acct-port
protocol-port
auth-port
protocol-port
retransmit num
You can configure up to 2 RADIUS servers. The servers are used in the
order in which you add them to the configuration. Thus, the first server you
add is the primary server. The second server you add is the secondary
(backup) server. Enter a separate command for each of the servers. The secondary server is used only if the primary server does not respond.
Mode
Global Config
The following commands configure a pair of RADIUS servers and configure the AX device to use them first, before using the local database. Since
10.10.10.12 is added first, this server will be used as the primary server.
Server 10.10.10.13 will be used only if the primary server is unavailable.
raid
Description
Syntax
raid
CAUTION! RAID configuration should be performed only by or with
the assistance of A10 Networks. A10 strongly advises that you do not
experiment with these commands.
restore
Description
Restore the startup-config, aFleX policy files, and SSL certificates and keys
from a tar file previously created by the backup command. The restored
configuration takes effect following a reboot.
Syntax
Description
use-mgmt-port
url
N/A
Mode
Global Config
Usage
Do not save the configuration (write memory) after restoring the startup-config. If you do, the startup-config will be replaced by the running-config
and you will need to restore the startup-config again.
To place the restored configuration into effect, reboot the AX device.
The no form of this command is invalid.
route-map
Description
Configure a rule in a route map. You can use route maps to provide input to
the following OSPF commands:
redistribute on page 260
default-information originate on page 270
Syntax
Description
map-name
deny | permit
sequence-num
Note:
Command
match as-path
acl-id
match community
acl-id
[exact-match]
match
extcommunity
acl-id
[exact-match]
match interface
{ethernet
portnum |
loopback num |
management |
ve ve-num}
match ip
address
{acl-id |
prefix-list
list-name}
match ip
next-hop
{acl-id |
prefix-list
list-name}
match ip peer
acl-id
Description
Matches on the BGP AS paths listed in the specified ACL.
specified
metric
value,
match origin
{egp | igp |
incomplete}
match
route-type
external
{type-1 |
type-2}
match tag
Matches on the specified TAG value, 0-4294967295.
Default
Mode
Global config
Usage
For options that use an ACL, the ACL must use a permit action. Otherwise,
the route map action is deny.
router
Description
Enter the configuration mode for a routing protocol, OSPF or RIP. The command also enables the specified routing protocol.
Syntax
Description
ospf {0 | 1}
Enables OSPF. The AX device can run two independent instances of OSPF at the same time. To
specify the instance you want to configure, enter
0 or 1.
rip
Enables RIP.
Default
Mode
Global Config
Usage
This command is valid only when the AX is configured for gateway mode
(Layer 3).
See the following chapters for information about the routing commands:
Config Commands: Router OSPF on page 253
Config Commands: Router RIP on page 279
Example
The following command enters the configuration level for OSPF instance 0:
AX(config)#router ospf 0
AX(config-router-ospf:0)#
Syntax
Default
Description
name string
per-protocol
rotate num
size Mbytes
Specifies the size of each log file. You can specify 0-1000000 Mbytes. If you specify 0, the file
size is unlimited.
Mode
Global configuration
Usage
When you enable logging, the default minimum severity level that is logged
is debugging. To change the minimum severity level that is logged, see
router log trap on page 145.
The per-protocol option is recommended. Without this option, messages
from all routing protocols will be written to the same file, which may make
troubleshooting more difficult.
Default
Disabled
Mode
Global configuration
Syntax
Default
Disabled
Mode
Global configuration
Usage
When you enable logging, the default minimum severity level that is logged
is debugging. To change the minimum severity level that is logged, see
router log trap on page 145.
Syntax
Default
Disabled
Mode
Global configuration
Usage
When you enable logging, the default minimum severity level that is logged
is debugging. To change the minimum severity level that is logged, see
router log trap on page 145.
To display the log messages in the local log buffer, use the show log command.
Syntax
Description
Minimum severity level to log. You can specify
one of the following:
emergencies
alerts
critical
debugging
Mode
Global configuration
session-filter
Description
Description
ipv4addrsuboptions
Matches on sessions that have a source or destination IPv4 address. The following address suboptions are supported:
source-addr ipaddr [{subnet-mask | /mask-length}] - Matches on IPv4 sessions
that have the specified source IP address.
source-port port-num - Matches on IPv4 sessions that have the specified source
protocol port number, 1-65535.
dest-addr ipaddr [{subnet-mask | /mask-length}] - Matches on IPv4 sessions
that have the specified destination IP address.
dest-port port-num - Matches on IPv4 sessions that have the specified
destination protocol port number, 1-65535.
sip
Default
Mode
Global Config
Usage
Session filters allow you to save session display options for use with the
clear session and show session commands. Configuring a session filter
allows you to specify a given set of options one time rather than re-entering
the options each time you use the clear session or show session command.
Example
The following commands configure a session filter and use it to filter show
session output:
slb
Description
smtp
Description
Configure a Simple Mail Transfer Protocol (SMTP) server to use for sending emails from the AX device.
Syntax
Description
hostname |
ipaddr
mailfrom
email-src-addr
needauthentication
Specifies that authentication is required.
port
protocol-port
username string
password string Specifies the username and password required
for access.
Default
No SMTP servers are configured by default. When you configure one, it has
the following default settings:
port 25
needauthentication disabled
mailfrom not set
Mode
Global Config
Example
snat-on-vip
Description
Syntax
Default
Disabled
Mode
Global Config
snmp-server community
Description
Syntax
remote
{hostname |
ipaddr masklength |
ipv6addr/prefixlength]}
Description
The read-only community string.
Object ID. This option restricts the objects that
the AX Series device returns in response to GET
requests. Values are returned only for the objects
within or under the specified OID.
Restricts SNMP access to a specific host or subnet. When you use this option, only the specified
host or subnet can receive SNMP data from the
AX Series device by sending a GET request to
this community.
The configuration does not have any default SNMP communities. When
you configure one, all OIDs are allowed by default and all remote hosts are
allowed by default.
Mode
Global Config
Usage
All SNMP communities are read-only. Read-write communities are not supported. The OID for A10 Networks AX Series objects is 1.3.6.1.4.1.22610.
The no form removes the read-only community string.
Example
AX(config)#snmp-server enable
AX(config)#snmp-server community read A10_AX oid AxMgmt remote 10.10.20.0 24
Example
AX(config)#snmp-server enable
AX(config)#snmp-server community read A10_AX2 remote a101::1111
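Because a new community allows all OIDs and all remote hosts by default, a configuration review should confirm that each community carries the oid and remote restrictions shown in the examples above. The following added example (not part of the AX documentation) parses snmp-server community lines and reports the ones that rely on those defaults. The first two community lines are the page's own examples, the other two are constructed, and the prefix-length thresholds are a policy assumption of this example rather than an AX limit.

```python
import ipaddress
import re

PROMPT = re.compile(r"^\s*\S+\(config[^)]*\)#\s*")  # strips e.g. "AX(config)#"
# Narrowest acceptable prefix per IP version: an assumption of this example.
MIN_PREFIX = {4: 24, 6: 64}


def parse_community(line):
    """Parse 'snmp-server community read <string> [oid X] [remote HOST [LEN]]'.

    Returns a dict, or None when the line is some other command.
    """
    tokens = PROMPT.sub("", line).split()
    if tokens[:3] != ["snmp-server", "community", "read"] or len(tokens) < 4:
        return None
    entry = {"community": tokens[3], "oid": None, "remote": None}
    args = tokens[4:]
    i = 0
    while i < len(args):
        if args[i] == "oid" and i + 1 < len(args):
            entry["oid"] = args[i + 1]
            i += 2
        elif args[i] == "remote" and i + 1 < len(args):
            remote = args[i + 1]
            i += 2
            # The IPv4 form carries the mask length as its own token: "10.10.20.0 24"
            if i < len(args) and args[i].isdigit():
                remote = f"{remote}/{args[i]}"
                i += 1
            entry["remote"] = remote
        else:
            raise ValueError(f"unexpected token {args[i]!r} in: {line}")
    return entry


def audit(lines):
    """Return (community, finding) pairs for settings left at permissive defaults."""
    findings = []
    for line in lines:
        entry = parse_community(line)
        if entry is None:
            continue
        name = entry["community"]
        if entry["remote"] is None:
            findings.append((name, "any-host-may-query"))
        else:
            try:
                net = ipaddress.ip_network(entry["remote"], strict=False)
            except ValueError:
                net = None  # a hostname: no prefix length to evaluate
            if net is not None and net.prefixlen < MIN_PREFIX[net.version]:
                findings.append((name, "broad-remote-subnet"))
        if entry["oid"] is None:
            findings.append((name, "all-oids-exposed"))
    return findings


CONFIG = [
    "AX(config)#snmp-server enable",
    # The next two lines are the examples shown on this page.
    "AX(config)#snmp-server community read A10_AX oid AxMgmt remote 10.10.20.0 24",
    "AX(config)#snmp-server community read A10_AX2 remote a101::1111",
    # Constructed lines for the example.
    "AX(config)#snmp-server community read netmon",
    "AX(config)#snmp-server community read ops oid AxMgmt remote 10.0.0.0 8",
]

if __name__ == "__main__":
    for community, finding in audit(CONFIG):
        print(f"{community}: {finding}")
```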
snmp-server contact
Description
Syntax
Description
contact-name
Default
Empty string
Mode
Global Config
Usage
Example
snmp-server enable
Description
Enable the AX Series device to accept SNMP MIB data queries and to send
SNMP v1/v2c traps.
To use SNMP on the device, you must enter this command. Enter this command first, then enter the other snmp-server commands to further configure
the feature.
Syntax
Description
Specifies the traps to enable. You can enable all
traps, all traps of a specific type, or individual
traps.
To enable all traps, specify traps, without any
additional options.
To enable all traps of a specific type, specify one
of the following:
traps snmp - Enables the following traps:
linkdown - Indicates that an Ethernet interface has gone down.
linkup - Indicates that an Ethernet interface has come up.
traps system - Enables the following traps:
control-cpu-high - Indicates that the control CPU utilization is higher than
the configured threshold. (See monitor on page 133.)
data-cpu-high - Indicates that data CPU utilization is higher than the
configured threshold. (See monitor on page 133.)
This trap does not apply to the following models: AX 2500, AX 2600,
AX 3000, AX 5100, or AX 5200.
shutdown - Indicates that the AX device has shut down.
start - Indicates that the AX device has started.
traps network - Enables the following trap:
trunk-port-threshold - Indicates that the trunk ports threshold feature has dis-
If you enter the snmp-server enable command without a trap option, the
SNMP service is enabled but no traps are enabled.
Default
The SNMP service is disabled by default and all traps are disabled by
default.
Mode
Global Config
Usage
Example
Example
Example
snmp-server group
Description
Syntax
Description
group-name
v1
v2c
v3
auth
noauth
priv
view-name
Default
Mode
Global config
Example
snmp-server host
Description
Syntax
Description
trap-receiver
version
{v1 | v2c}
communitystring
port-num
Default
No SNMP hosts are defined. When you configure one, the default SNMP
version is v2c and the default UDP port is 162.
Mode
Global Config
Usage
Example
snmp-server location
Description
Syntax
Description
The location of this AX device.
location
Default
Empty string
Mode
Global Config
Usage
Example
snmp-server user
Description
Syntax
Description
username
groupname
v1 | v2c
v3
[auth {md5 |
sha} password
[encrypted]]
Default
No SNMP users are configured by default. When you configure one, all
remote hosts are allowed by default. For v3, there is no authentication by
default.
Mode
Global config
Example
snmp-server view
Description
Syntax
Description
view-name
oid
oid-mask
included
excluded
Default
N/A
Mode
Global config
Usage
Example
The following command adds SNMP view view1 and includes all objects
in the 1.3.6 tree:
stats-data-disable
Description
Syntax
Default
Mode
Global Config
Usage
This command also disables statistical data collection for any of the following types of load-balancing resources, if collection is enabled on those
resources:
SLB resources:
Real server
Real server port
stats-data-enable
Description
Syntax
stats-data-enable
Default
Mode
Global Config
Usage
The command also re-enables statistical data collection for any individual
load-balancing resources on which collection had been enabled before it
was globally disabled.
switch
Description
Mode
Global Config
Usage
syn-cookie
Description
Syntax
[no] syn-cookie
[on-threshold num off-threshold num]
Parameter
Description
on-threshold
num
off-threshold
num
Note:
Mode
Global Config
Usage
Example
AX(config)#syn-cookie
Example
system
Description
Set traffic limits for VLANs. You can set a global limit for all VLANs or per
VLAN.
Syntax
Description
all-vlan-limit | per-vlan-limit
bcast |
ipmcast |
mcast |
unknown_ucast
num
Default
Not set
Mode
Global Config
Example
The following command limits each VLAN to 1000 multicast packets per
second:
system lid
Description
Syntax
Description
Specifies the LID to use.
Default
None
Mode
Global Config
Usage
This command uses a single LID. To configure the LID, see lid on
page 117.
For more information about IP limiting, see the IP Limiting chapter in the
AX Series Configuration Guide.
Example
AX(config)#lid 1
AX(config-global lid)#conn-rate-limit 10000 per 1
AX(config-global lid)#conn-limit 2000000
AX(config-global lid)#over-limit forward logging
AX(config-global lid)#exit
AX(config)#system lid 1
Syntax
Default
None
Mode
Global Config
system pbslb id
Description
Syntax
Specify the action to take for clients in a black/white list used for system-wide PBSLB.
[no] system pbslb id id {drop | reset}
[logging minutes]
Parameter
Description
id
drop | reset
Not set
Mode
Global Config
Syntax
Specify the action to take for system-wide PBSLB clients who either exceed
the connection limit specified in the black/white list, or exceed the threshold
of any IP anomaly filter used for system-wide PBSLB.
[no] system pbslb over-limit
[reset]
[lockup minutes]
[logging minutes]
Parameter
Description
reset
Resets all new connection attempts from the client. If you omit this option, new connection
attempts are dropped instead.
lockup minutes
Not set
Mode
Global Config
Usage
The IP anomaly filters used by system-wide PBSLB are bad-content, out-of-sequence, and zero-window. These filters are enabled automatically
when you configure system-wide PBSLB. To modify the filters, see ip
anomaly-drop on page 216.
Syntax
Description
Specifies the timeout, 1-127 minutes.
Default
5 minutes
Mode
Global Config
Usage
If the lockup option is used with the system pbslb over-limit command,
aging of the dynamic entry for a locked up client begins only after the
lockup expires.
system resource-usage
Description
Syntax
Description
Specifies the system resource you are resizing:
client-ssl-template-count - Total configurable client SSL templates
conn-reuse-template-count - Total configurable connection reuse templates
fast-tcp-template-count - Total configurable Fast TCP templates
Total
IP
persist-cookie-template-count - Total configurable persistent cookie templates
persist-srcip-template-count - Total configurable source IP persistence templates
proxy-template-count - Total configurable proxy templates
real-port-count - Total real server ports
real-server-count - Total real servers
server-ssl-template-count - Total configurable server SSL templates
service-group-count - Total service groups
stream-template-count - Total configurable streaming-media templates
virtual-port-count - Total virtual server ports
virtual-server-count - Total virtual servers
maximum
Default
The default maximum number for each type of system resource depends on
the AX Series model. To display the defaults and current values for your
AX Series, enter the following command: show system resource-usage on
page 652.
Mode
Global Config
The maximum number you can configure depends on the resource type and
the AX Series model. To display the range of values that are valid for a
resource, enter a question mark instead of a quantity.
The maximum number of real servers allowed in a service group is half
rable.
For every type of system resource that has a default, the AX device
The following commands display the current usage and settings for maximum URI count, then display the range of values to which the default maximum can be set, then reset the default maximum to 512.
system-reset
Description
Syntax
Default
N/A
Mode
Global Config
Usage
Example
The following commands reset an AX device to its factory default configuration, then reboot the device to erase the running-config:
AX(config)#system-reset
AX(config)#end
AX#reboot
tacacs-server
Description
Syntax
secret-string
protocolportnum
seconds
Description
Hostname or IP address of the TACACS+ server.
If a hostname is to be used, make sure a DNS
server has been configured.
The shared secret.
The port used for setting up a connection with a
TACACS+ server.
The maximum number of seconds allowed for
setting up a connection with a TACACS+ server.
You can specify 1-12 seconds.
Default
Mode
Global configuration.
You can configure up to 2 TACACS+ servers. The servers are used in the
order in which you add them to the configuration. Thus, the first server you
add is the primary server. The second server you add is the secondary
(backup) server. Enter a separate command for each of the servers. The secondary server is used only if the primary server does not respond.
Example
techreport
Description
Configure automated collection of system information. If you need to contact Technical Support, they may ask you for the techreports to help diagnose system issues.
Syntax
Description
interval
minutes
disable
Default
Mode
Global Config
Usage
The AX device saves all techreport information for a given day in a single
file. Timestamps identify when each set of information is gathered. The AX
device saves techreport files for the most recent 31 days. Each day's reports
are saved in a separate file.
The techreports are a light version of the output generated by the show
techsupport command. To export the information, use the show techsupport command. (See show techsupport on page 653.)
terminal
Description
Syntax
Description
auto-size
editing
history
[size number]
idle-timeout
minutes
length number
Default
no-ha-prompt
width lines
Specifies the number of columns to display, 0-512. To use an unlimited number of columns,
enter 0.
Mode
Global Config
Example
AX(config)#terminal idle-timeout 30
tftp blksize
Description
Syntax
Default
512 bytes
Mode
Global Config
Description
Maximum packet length the AX TFTP client can
use when sending or receiving files to or from a
TFTP server. You can specify from 512-32768
bytes.
Increasing the TFTP block size can provide the following benefits:
TFTP file transfers can occur more quickly, since fewer blocks are
1024     64 MB
8192     512 MB
32768    2048 MB
Increasing the TFTP block size of the AX device only increases the maximum block size supported by the AX device. The TFTP server also must
support larger block sizes. If the block size is larger than the TFTP server
supports, the file transfer will fail and a communication error will be displayed on the CLI terminal.
If the TFTP block size is larger than the IP Maximum Transmission Unit
(MTU) on any device involved in the file transfer, the TFTP packets will be
fragmented to fit within the MTU. The fragmentation will not increase the
number of blocks; however, it can re-add some overhead to the overall file
transmission speed.
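The trade-off described above can be worked through numerically. The following added example (not part of the AX documentation) computes, for a given file size and block size, how many TFTP data packets are needed, how many IP fragments each one becomes at a given MTU, and whether the transfer stays within the 65535 blocks that TFTP's 16-bit block number (RFC 1350) can address. The size figures listed above equal the block size multiplied by that block count. The 100 MB file size, the 1500-byte MTU, and an IPv4 header without options are assumptions of the example.

```python
IPV4_HEADER = 20       # bytes, assuming no IP options
UDP_HEADER = 8
TFTP_DATA_HEADER = 4   # 2-byte opcode + 2-byte block number (RFC 1350)
MAX_BLOCKS = 65535     # largest value of the 16-bit block number
BLKSIZE_RANGE = (512, 32768)  # range accepted by tftp blksize, per this page


def max_transfer_bytes(blksize):
    """Upper bound on file size before the block number would have to wrap."""
    return blksize * MAX_BLOCKS


def data_packets(file_size, blksize):
    """Number of DATA packets. A transfer ends with a block shorter than
    blksize, so an exact multiple needs one extra, empty block."""
    return file_size // blksize + 1


def ip_fragments(payload, mtu=1500):
    """IP packets needed to carry one DATA packet with `payload` data bytes."""
    datagram = UDP_HEADER + TFTP_DATA_HEADER + payload   # IP payload in bytes
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8          # fragment data is a multiple of 8
    return -(-datagram // per_fragment)                  # ceiling division


def plan_transfer(file_size, blksize, mtu=1500):
    low, high = BLKSIZE_RANGE
    if not low <= blksize <= high:
        raise ValueError(f"blksize must be {low}-{high}")
    packets = data_packets(file_size, blksize)
    full = ip_fragments(blksize, mtu)
    last = ip_fragments(file_size % blksize, mtu)
    return {
        "data_packets": packets,
        "fragments_per_packet": full,
        # Fragmentation leaves the block count alone but multiplies IP packets.
        "ip_packets_on_wire": (packets - 1) * full + last,
        "within_block_counter": packets <= MAX_BLOCKS,
        "largest_unfragmented_blksize":
            mtu - IPV4_HEADER - UDP_HEADER - TFTP_DATA_HEADER,
    }


if __name__ == "__main__":
    image = 100 * 2**20  # constructed: a 100 MB file
    for blksize in (512, 1024, 4096, 32768):
        print(blksize, plan_transfer(image, blksize))
```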
Example
The following commands display the current TFTP block size, increase it,
then verify the change:
AX(config)#show tftp
TFTP client block size is set to 512
AX(config)#tftp blksize 4096
AX(config)#show tftp
TFTP client block size is set to 4096
trunk
Description
Syntax
Description
disable
ethernet
portnum
[to portnum]
[ethernet
portnum] ...
enable ethernet
portnum
[to portnum]
[ethernet
portnum] ...
[no] ethernet
portnum
[to portnum]
[ethernet
portnum] ...
[no]
ports-threshold
num
Specifies the minimum number of ports that must
be up in order for the trunk to remain up. You can
specify 2-8.
If the number of up ports falls below the configured threshold, the AX automatically disables the
trunk's member ports. The ports are disabled in
the running-config. The AX device also generates a log message and an SNMP trap, if these
services are enabled.
[no] ports-threshold-timer
seconds
Specifies how many seconds to wait after a port
goes down before marking the trunk down, if the
threshold is exceeded. You can set the ports-
N/A
Mode
Global Config
Usage
A maximum of 8 trunk groups are supported. Each group can have a maximum of 8 ports. Trunk group port numbers do not need to be consecutive.
Operations such as setting an IP interface or VLAN are performed on the
lead member of the trunk, which is the lowest-numbered interface. For
example, to configure an IP interface on a trunk containing ports 1-4, add
the interface to port 1.
Ports-Threshold
By default, a trunk's status remains UP so long as at least one of its member
ports is up. You can change the ports threshold of a trunk to 2-8 ports.
If the number of up ports falls below the configured threshold, the AX automatically disables the trunk's member ports. The ports are disabled in the
running-config. The AX device also generates a log message and an SNMP
trap, if these services are enabled.
Note:
After the feature has disabled the members of the trunk group, the ports
are not automatically re-enabled. The ports must be re-enabled manually
after the issue that caused the ports to go down has been resolved.
In some situations, a timer is used to delay the ports-threshold action. The
configured port threshold is not enforced until the timer expires. The ports-threshold timer for a trunk is used in the following situations:
When a member of the trunk links up.
A port is added to or removed from the trunk.
The port threshold for the trunk is configured during runtime. (If the
The following commands configure trunk 1 and add ports 6-8 and 14 to it:
AX(config)#trunk 1
AX(config-trunk:1)#ethernet 6 to 8 ethernet 14
The following commands configure an 8-port trunk, set the port threshold
to 6, and display the trunk's configuration:
AX(config)#trunk 1
AX(config-trunk:1)#ethernet 1 to 8
AX(config-trunk:1)#ports-threshold 6
AX(config-trunk:1)#show trunk
Trunk ID : 1
Member Count: 8
Trunk Status : Up
Members : 1
Cfg Status
Oper Status : Up
Ports-Threshold : 6
Working Lead : 1
Up
Up
4
Up
5
Up
6
Up
7
Up
8
Up
tx-congestion-ctrl
Description
Note:
Syntax
tx-congestion-ctrl retries
Default
Mode
Global Config
update
Description
Copy the currently running system image from the hard disk to the compact
flash (cf).
Syntax Description
Description
Image to replace:
pri primary image
sec secondary image
Default
N/A
Global Config
Usage
This command does not save the configuration or reboot. To verify the
update, enter the show version command.
Example
The following command copies the currently running system image from
the hard disk to the secondary image area on the compact flash.
AX(config)#update cf sec
upgrade
Upgrade the system.
Syntax Description
Description
System location to which to write the upgrade
image:
cf | hd
cf compact flash
hd hard drive
pri | sec
Image to replace:
pri primary image
sec secondary image
use-mgmt-port
url
N/A
Mode
Global Config
Usage
For complete upgrade instructions, see the release notes for the AX release
to which you plan to upgrade.
There is no "no" form of this command.
Example
The following example uses TFTP to upgrade the system image in the secondary image area of the hard disk:
vlan
Description
Configure a virtual LAN (VLAN). This command changes the CLI to the
configuration level for the VLAN.
Syntax
Description
VLAN ID, from 1 to 4094.
Default
Mode
Global Config
Usage
You can add or remove ports in VLAN 1 but you cannot delete VLAN 1
itself.
For information about the commands available at the VLAN configuration
level, see Config Commands: VLAN on page 211.
Example
The following command adds VLAN 69 and enters the configuration level
for it:
AX(config)#vlan 69
AX(config-vlan:69)#
web-service
Description
Syntax
Description
auto-redir
axapi-timeout-policy idle minutes
port protocol-port
secure-port protocol-port
Specifies the number of minutes an aXAPI session can remain idle before being terminated.
Once the aXAPI session is terminated, the session ID generated by the AX device for the session is no longer valid. You can specify 0-60
minutes. If you specify 0, sessions never time
out.
Specifies the protocol port number for the unsecured (HTTP) port.
Specifies the protocol port number for the secure
(HTTPS) port.
server
secure-server
timeout-policy
idle minutes
Specifies the number of minutes a Web management session can remain idle before it times out
and is terminated by the AX device. You can
specify 0-60 minutes. To disable the timeout,
enter 0.
Mode
Global Config
Usage
Example
write memory
Description
Syntax
Description
memory
force
primary
secondary
profile-name
Replaces the commands in the specified configuration profile with the running-config.
Replaces the configuration profile in the specified image area (primary or secondary) on the
compact flash rather than the hard disk. If you
omit this option, the configuration profile in the
specified area on the hard disk is replaced.
all-partitions
partition {shared | private-partition-name}
Saves changes only for the resources in the specified partition.
Default
Mode
Global Config
Usage
Example
The following command saves the running-config to the configuration profile stored in the primary image area of the hard disk:
Example
The following command attempts to save the running-config but the system
is not ready:
AX(config)#write memory
AX system is not ready. Cannot save the configuration.
Example
AX(config)#write memory
AX system is not ready. Cannot save the configuration.
AX(config)#write force
write terminal
Description
access-list
Description
Syntax
in
Default
N/A
Mode
Interface
Description
Example
cpu-process
Description
Syntax
Default
Mode
Interface
disable
Description
Syntax
Disable an interface.
disable
Default
The management interface is enabled by default. Data interfaces are disabled by default.
Mode
Interface
This command applies to all interface types: Ethernet data interfaces, out-of-band Ethernet management interface, Virtual Ethernet (VE) interfaces,
and loopback interfaces.
Example
AX(config-if:ethernet3)#disable
duplexity
Description
Syntax
Description
Full
Full-duplex mode.
Half
Half-duplex mode.
auto
Default
auto
Mode
Interface
Usage
Example
AX(config-if:ethernet6)#duplexity Half
enable
Description
Enable an interface.
Syntax
enable
Default
The management interface is enabled by default. Data interfaces are disabled by default.
Mode
Interface
This command applies to all interface types: Ethernet data interfaces, out-of-band Ethernet management interface, Virtual Ethernet (VE) interfaces,
and loopback interfaces.
Example
AX(config-if:ethernet3)#enable
flow-control
Description
Syntax
Default
Mode
Interface
icmp-rate-limit
Description
Syntax
Description
normal-rate
lockup max-rate
Default
None
Mode
Global Config
Usage
This command configures ICMP rate limiting on a physical, virtual Ethernet, or loopback interface. To configure ICMP rate limiting globally, see
icmp-rate-limit on page 114. To configure it in a virtual server template,
see slb template virtual-server on page 375. If you configure ICMP rate
limiting filters at more than one of these levels, all filters are applicable.
Specifying a maximum rate (lockup rate) and lockup time is optional. If you
do not specify them, lockup does not occur.
Example
interface
Description
Syntax
Default
N/A
Mode
Interface
Usage
Example
The following command changes the CLI from the configuration level for
Ethernet interface 3 to the configuration level for Ethernet interface 4:
AX(config-if:ethernet3)#interface ethernet 4
AX(config-if:ethernet4)#
ip address
Description
Syntax
Default
Mode
Interface
Usage
This command applies only when the AX Series is used in gateway mode.
You can configure multiple IP addresses on Ethernet and Virtual Ethernet
(VE) data interfaces and on loopback interfaces, on AX devices deployed in
gateway (route) mode.
Each IP address must be unique on the AX device. Addresses within a given
subnet can be configured on only one interface on the device. (The AX
device can have only one data interface in a given subnet.)
IP addresses are added to an interface in the order you configure them. The
addresses appear in show command output and in the configuration in the
same order.
The first IP address you add to an interface becomes the primary IP address
for the interface. If you remove the primary address, the next address in the
list (the second address to be added to the interface) becomes the primary
address.
In most cases, it does not matter which address is the primary address. However, this does matter if you plan to run RIP on the interface. In the current
release, RIP is supported only for the primary IP address. This limitation
does not apply to OSPF. OSPF can run on all subnets configured on a data
interface.
The AX device automatically generates a directly connected route to each
IP address. If you enable redistribution of directly connected routes by RIP
or OSPF, those protocols can advertise the routes to the IP addresses.
Example
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#ip address 10.10.10.1 /24
AX(config-if:ethernet1)#ip address 10.10.20.2 /24
AX(config-if:ethernet1)#ip address 20.20.20.1 /24
AX(config-if:ethernet1)#show ip interfaces ethernet 1
Ethernet 1 ip addresses:
10.10.10.1 /24 (Primary)
10.10.20.2 /24
20.20.20.1 /24
AX(config-if:ethernet1)#no ip address 10.10.20.2 /24
AX(config-if:ethernet1)#show ip interfaces ethernet 1
Ethernet 1 ip addresses:
10.10.10.1 /24 (Primary)
20.20.20.1 /24
ip allow-promiscuous-vip
Description
Enable client traffic received on this interface and addressed to TCP port 80
to be load balanced for any VIP address.
Syntax
[no] ip allow-promiscuous-vip
Default
Disabled
Mode
Interface
Usage
ip cache-spoofing-port
Description
Syntax
[no] ip cache-spoofing-port
Default
Disabled
Mode
Interface
Example
AX(config-if:ethernet9)#ip cache-spoofing-port
Syntax
Enable use of the management interface as the source interface for automated management traffic.
[no] ip control-apps-use-mgmt-port
Default
By default, use of the management interface as the source interface for automated management traffic is disabled.
Mode
Interface
Usage
The AX device uses separate route tables for management traffic and data
traffic.
Management route table Contains all static routes whose next hops are
data interface. Also contains copies of all static routes in the management route table, excluding the management default gateway route.
Only the data routes are used for load-balanced traffic.
By default, the AX device attempts to use a route from the main route table
for management connections originated on the AX device. The ip control-apps-use-mgmt-port command enables the AX device to use the management route table for these connections instead.
The AX device will use the management route table for reply traffic on connections initiated by a remote host that reaches the AX device on the management port. For example, this occurs for SSH or HTTP connections from
remote hosts to the AX device.
AX(config-if:management)#ip control-apps-use-mgmt-port
Syntax
Default
None
Mode
Interface
Configuring a default gateway for the management interface provides the
following benefits:
Ensures that reply management traffic sent by the AX Series travels
AX(config)#interface management
AX(config-if:management)#ip address 10.10.20.1 /24
AX(config-if:management)#ip default-gateway 10.10.20.1
ip helper-address
Description
Syntax
Description
IP address of the DHCP server.
ipaddr
Default
None
Mode
Interface
Usage
In the current release, the helper-address feature provides service for DHCP
packets only.
The AX interface on which the helper address is configured must have an IP
address.
The helper address cannot be the same as the IP address on any AX interface or an IP address used for SLB.
The current release supports DHCP relay service for IPv4 only.
Example
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#ip helper-address 100.100.100.1
AX(config-if:ethernet1)#interface ve 5
AX(config-if:ve5)#ip helper-address 100.100.100.1
AX(config-if:ve5)#interface ve 7
AX(config-if:ve7)#ip helper-address 100.100.100.1
AX(config-if:ve7)#interface ve 9
AX(config-if:ve9)#ip helper-address 20.20.20.102
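The addressing rules in the Usage text of the interface-level ip address and ip helper-address commands can be checked before a change is applied. The following Python script is an added example, not part of the A10 manual: it parses CLI lines in the form used by the examples above (the sample input is constructed) and reports duplicate addresses, a subnet configured on two data interfaces, helper addresses on interfaces without an IP address, and helper addresses that collide with an interface address. The function names and rule labels are assumptions of this example, and SLB addresses are not checked because their syntax does not appear in this section.

```python
import ipaddress

# Constructed sample input, written in the CLI form of the examples above.
# Running-config style lines without a prompt are accepted as well.
SAMPLE = """\
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#ip address 10.10.10.1 /24
AX(config-if:ethernet1)#ip address 10.10.20.2 /24
AX(config-if:ethernet1)#ip helper-address 100.100.100.1
AX(config-if:ethernet1)#interface ethernet 2
AX(config-if:ethernet2)#ip address 10.10.20.9 /24
AX(config-if:ethernet2)#ip helper-address 10.10.10.1
AX(config-if:ethernet2)#interface ve 5
AX(config-if:ve5)#ip helper-address 100.100.100.1
AX(config-if:ve5)#interface ve 7
AX(config-if:ve7)#ip address 10.10.10.1 255.255.255.0
"""


def _iface(addr, mask):
    """Build an IPv4Interface from an address plus '/24' or '255.255.255.0'."""
    return ipaddress.IPv4Interface(addr + (mask if mask.startswith("/") else "/" + mask))


def parse(text):
    """Return {interface: {"addrs": [IPv4Interface], "helpers": [str]}}.

    Addresses keep configuration order, so addrs[0] is the primary address.
    """
    ifaces, cur = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[-1].split()  # drop an optional CLI prompt
        if words[:1] == ["interface"] and len(words) > 1:
            cur = ifaces.setdefault(" ".join(words[1:]), {"addrs": [], "helpers": []})
        elif cur is None:
            continue  # global-level line, not part of an interface
        elif words[:2] == ["ip", "address"] and len(words) >= 4:
            cur["addrs"].append(_iface(words[2], words[3]))
        elif words[:3] == ["no", "ip", "address"] and len(words) >= 5:
            gone = _iface(words[3], words[4])
            cur["addrs"] = [a for a in cur["addrs"] if a != gone]
        elif words[:2] == ["ip", "helper-address"] and len(words) >= 3:
            cur["helpers"].append(words[2])
    return ifaces


def primary(ifaces):
    """Primary address per interface: the first one configured, or None."""
    return {n: (str(d["addrs"][0]) if d["addrs"] else None) for n, d in ifaces.items()}


def check(ifaces):
    """Return a sorted list of (rule, interface, detail) findings."""
    findings = []
    owned = [(n, a) for n, d in ifaces.items() for a in d["addrs"]]
    for i, (n1, a1) in enumerate(owned):
        for n2, a2 in owned[i + 1:]:
            if a1.ip == a2.ip:
                # Each IP address must be unique on the device.
                findings.append(("duplicate-address", n2, f"{a2.ip} already on {n1}"))
            elif (n1 != n2 and "management" not in (n1, n2)
                  and a1.network.overlaps(a2.network)):
                # Only one data interface may sit in a given subnet.
                findings.append(("subnet-on-two-interfaces", n2,
                                 f"{a2.network} overlaps {n1}"))
    own_ips = {a.ip for _, a in owned}
    for name, d in ifaces.items():
        for h in d["helpers"]:
            try:
                helper = ipaddress.IPv4Address(h)
            except ValueError:
                # DHCP relay is IPv4 only.
                findings.append(("helper-not-ipv4", name, h))
                continue
            if not d["addrs"]:
                findings.append(("helper-on-unaddressed-interface", name, h))
            if helper in own_ips:
                findings.append(("helper-is-own-address", name, h))
    return sorted(findings)


if __name__ == "__main__":
    cfg = parse(SAMPLE)
    for name, addr in primary(cfg).items():
        print(f"{name}: primary {addr}")
    for rule, name, detail in check(cfg):
        print(f"{rule}: {name}: {detail}")
```

Because the parser honours no ip address lines, feeding it a planned change shows which address becomes primary afterwards, which matters when RIP runs on the interface.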
ip nat
Description
Syntax
Description
inside
outside
Default
None
Mode
Interface
Usage
Example
ip ospf
Description
Syntax
Description
Configures the parameter only for the specified
IP address. Without this option, the parameter is
configured for all IP addresses on the interface.
ipaddr
authentication [message-digest | null]
authentication-key key-string
Password used by the interface to authenticate
link-state messages exchanged with neighbor
OSPF routers. Applies to simple authentication
only. Can be a string up to 8 characters long, with
no blanks.
cost number
database-filter all out
Blocks flooding of LSAs to the OSPF interface.
dead-interval seconds
disable all
message-digest-key key-id md5 key-string
Set of MD passwords used by the interface to
authenticate link-state messages exchanged with
neighbor OSPF routers. You can enter up to four
key strings. Applies only to MD authentication.
Key strings can be up to 16 bytes long, with no
blanks.
mtu
mtu-ignore
network
network-type
retransmit-interval seconds
Default
packets from a neighbor does not match the interface MTU, adjacency is
not established.
network depends on the media type
priority 1
resync-timeout 40 seconds
retransmit-interval 5 seconds
transmit-delay 1 second
Mode
Interface
Usage
The OSPF router with the highest priority is elected as the DR and the
router with the second highest priority is elected as the BDR. If more than
one router has the highest priority, the router with the highest OSPF router
ID is selected. Priority applies only to multi-access networks, not to point-to-point networks. If you set the priority to 0, the AX Series does not participate in DR and BDR election.
For the message-digest-key key-id md5 key-string option, the CLI lists the
encrypted keyword. This keyword encrypts display of the string in the
startup-config and running-config. Do not enter this keyword. The AX
ip rip
Description
Syntax
Description
Type of authentication used to validate RIP route
updates sent or received on this interface:
mode md5 Message Digest 5 (MD5)
string text Simple text password, up
to 8 characters with no blanks
key-chain chain-name Set of passwords
poisonedreverse
Default
split horizon.
Mode
Interface
Usage
For the authentication string text option, the CLI lists the encrypted keyword. This keyword encrypts display of the string in the startup-config and
running-config. Do not enter this keyword. The AX device automatically
applies the keyword. Entering the keyword manually is not valid.
Example
ip tcp syn-cookie
Description
Syntax
Default
Disabled
Mode
Interface
Usage
Example
The following commands globally enable SYN cookie support, then enable
Layer 2/3 SYN cookies on Ethernet interfaces 4 and 5:
Syntax
Syntax
Default
None.
Mode
Interface
Usage
The ipv6 default-gateway command applies only to the management interface. To configure IPv6 on a data interface, see ipv6 address on page 199.
Example
ipv6 access-list
Description
Syntax
Description
acl-id
in
Default
N/A
Mode
Interface
ipv6 address
Description
Syntax
Description
ipv6-addr
prefix-length
link-local
Default
None.
Mode
Interface
Usage
Use this command to configure the link-local and global IP addresses for
the interface.
The ipv6 address command, used without the link-local option, configures
a global address. If you use the link-local option, the address is
instead configured as the link-local address.
To enable automatic configuration of the link-local IPv6 address instead,
Example
ipv6 enable
Description
Syntax
Default
Disabled
Mode
Interface
Usage
Example
AX(config-if:ethernet6)#ipv6 enable
ipv6 nat
Description
Syntax
Description
prefix
ipv6-addr/
prefix-length
Default
None
Interface
Syntax
Description
disable
enable
hop-limit num
max-interval
seconds
min-interval
seconds
mtu
{disable |
bytes}
Note:
reachable-time
ms
retransmit-timer seconds
Default
Specifies the maximum number of router solicitation requests per second that will be processed
on the interface. You can specify 1-100000 messages per second.
Specifies the number of milliseconds (ms) for
which the host should assume a neighbor is
reachable, after receiving a reachability confirmation from the neighbor. You can specify
0-3600000 ms. If you specify 0, the value is
unspecified by this IPv6 router.
Specifies the number of seconds a host should
wait between sending neighbor solicitation messages. You can specify 0-4294967295 seconds. If
you specify 0, the value is unspecified by this
IPv6 router.
IPv6 router discovery is disabled by default. The command options have the
following default values:
default-lifetime 1800 seconds
disable Disabled
enable Disabled
ha-group-id Not set. Advertisements are sent regardless of HA group.
hop-limit 255
max-interval 600 seconds
face are advertised. The prefix options have the following defaults:
not-autonomous disabled (Auto-configuration of IPv6 addresses
by clients is enabled.)
not-on-link enabled (On-Link is disabled.)
preferred-lifetime 604800 seconds
valid-lifetime 2592000 seconds
rate-limit 100000 messages per second
reachable-time 0 (The value is unspecified by this IPv6 router.)
retransmit-timer 0 (The value is unspecified by this IPv6 router.)
Mode
Interface
Usage
router discovery is enabled. IPv6 hosts that receive the router advertisements will use the AX device as their default gateway.
Replies to IPv6 router solicitations received by IPv6 interfaces on which
AX(config)#interface ethernet 1
AX(config-if:ethernet1)#ipv6 address 2001::1/64
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement enable
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement max-interval 300
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement min-interval 150
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement prefix 2001::/64 on-link
AX(config-if:ethernet1)#ipv6 ndisc router-advertisement prefix 2001:a::/96 on-link
l3-vlan-fwd-disable
Description
Syntax
[no] l3-vlan-fwd-disable
Default
Mode
Interface
Usage
load-interval
Description
Syntax
Description
You can specify 5-300 seconds.
seconds
You must specify the amount in 5-second intervals. For example, 290 and 295 are valid interval
values. However, 291, 292, 293, and 294 are not
valid interval values.
Default
300 seconds
Mode
Interface
Usage
Example
The following command changes the utilization statistics interval for Ethernet interface 1 to 200 seconds:
AX(config-if:ethernet1)#load-interval 200
monitor
Description
Syntax
Configure an Ethernet interface to send a copy of its traffic to another Ethernet interface.
[no] monitor [both | input | output]
Parameter
Description
both | input |
output
Default
Mode
Interface
This command is valid only on Ethernet data interfaces. To specify the port
to which to mirror the traffic, use the mirror-port command at the global
Config level. (See mirror-port on page 133.)
On models AX 1000, AX 2000, AX 2100, AX 2500, AX 2600, and
AX 3000, you can monitor only one port. On AX models AX 2200,
AX 3100, AX 3200, AX 5100, and AX 5200, you can monitor multiple
ports. On all models, only one mirror port is supported. All mirrored traffic for the directions you specify goes to that port.
Note:
Example
AX(config)#mirror-port ethernet 3
AX(config)#interface ethernet 5
AX(config-if:ethernet5)#monitor input
mtu
Description
Syntax
Description
Largest packet size that can be forwarded out the
interface. You can specify 1200-1500 bytes.
Default
1500 bytes
Mode
Interface
Usage
This command applies to the management interface and Ethernet data interfaces.
If the AX device needs to forward a packet that is larger than the MTU of
the AX egress interface to the next hop, but the Do Not Fragment bit is set
in the packet, the AX device drops the packet and sends an ICMP Destination Unreachable code 4 (Fragmentation required, and DF set) message to
the sender.
If the Do Not Fragment bit is not set, the AX device silently drops the
packet.
To display a counter of how many outbound packets have been dropped
because they were longer than the outbound interface's MTU, use the following command:
name
Description
Syntax
Description
Name for the interface, 1-63 characters.
Default
None
Mode
Interface
Usage
This command applies to physical and virtual Ethernet data interfaces. This
command does not apply to the management interface.
Example
The following commands assign the name "WLAN-interface" to an interface and show the result:
AX(config)#interface ve 1
AX(config-if:ve1)#name WLAN-interface
AX(config-if:ve1)#show ip interfaces
Port IP              Netmask         PrimaryIP  Name
----------------------------------------------------------------------------
mgm  192.168.20.136  255.255.255.0   Yes
ve1  192.168.217.1   255.255.255.0   Yes        WLAN-interface
ve2  50.50.50.1      255.255.255.0   Yes
speed
Description
Syntax
Description
10
100
10000
auto
Default
auto
Mode
Interface
Usage
This command applies to the management interface and Ethernet data interfaces.
Example
name
Description
Syntax
Description
Name for the VLAN, 1-63 characters.
string
Default
The default name for VLAN 1 is DEFAULT VLAN. For other VLANs, if
a name is not configured, None appears in place of the name.
Mode
VLAN
Example
The following commands assign the name Test100 to VLAN 100 and
show the result:
AX(config)#vlan 100
AX(config-vlan:100)#name Test100
AX(config-vlan:100)#show vlan
Total VLANs: 3
VLAN 1, Name [DEFAULT VLAN]:
Untagged Ports:
3
4
5
6
Tagged Ports:
None
10
router-interface
Description
Syntax
Description
VE number, 1-128.
Default
Mode
VLAN
Usage
Example
tagged
Description
Add tagged ports to a VLAN. A tagged port can be a member of more than
one VLAN. An untagged port can be a member of only a single VLAN.
Syntax
Default
Mode
VLAN
Usage
Example
untagged
Description
Syntax
Add untagged ports to a VLAN. Untagged ports can belong to only one
VLAN.
[no] untagged ethernet port-num
[ethernet port-num ... | to port-num]
Default
VLAN 1 contains all ports by default. New VLANs do not contain any ports
by default.
Mode
VLAN
Example
Config Commands: IP
The IP commands configure global IPv4 parameters.
This CLI level also has the following commands, which are available at all
configuration levels:
clear See clear on page 49.
debug See debug on page 52.
do See do on page 103.
end See end on page 107.
exit See exit on page 107.
no See no on page 135.
show See Show Commands on page 535.
write See write terminal on page 67.
Note:
ip address
Description
Configure the global IP address of the AX Series device, when the device is
deployed in transparent mode (Layer 2 mode).
Syntax
Default
None.
Mode
Global Config
Usage
This command applies only when the AX Series device is deployed in transparent mode. To assign IP addresses to individual interfaces instead (gateway mode), use the ip address command at the interface configuration
level. (See ip address on page 188.)
ip anomaly-drop
Description
Syntax
Description
anomaly-type
Note:
Mode
Global Config
All filters are supported for IPv4. All filters except ip-option are supported
for IPv6.
On models AX 2200, AX 3100, AX 3200, AX 5100, and AX 5200, DDoS
protection is hardware-based. On other models, DDoS protection is software-based.
DDoS protection applies only to Layer 3, Layer 4, and Layer 7 traffic.
Layer 2 traffic is not affected by the feature.
IP Anomaly Filters Used for System-Wide Policy-Based SLB
The bad-content, out-of-sequence, and zero-window filters apply only to
system-wide Policy-Based SLB (PBSLB).
Filtering for these anomalies is disabled by default. However, if you configure a system-wide PBSLB policy, the filters are automatically enabled. You
also can configure the filters on an individual basis.
Each of these filters has a configurable threshold. The threshold specifies
the number of times the anomaly is allowed to occur in a client's connection
requests. If a client exceeds the threshold, the AX device applies the system-wide PBSLB policy's over-limit action to the client.
For each of the new IP anomaly filters, the threshold can be set to 1-127
occurrences of the anomaly. The default is 10.
Note:
Example
ip default-gateway
Description
Syntax
Default
Specify the default gateway to use to reach other subnets, when the
AX Series device is deployed in transparent mode (Layer 2 mode).
[no] ip default-gateway ipaddr
None.
Global Config
Usage
This command applies only when the AX Series device is used in transparent mode. If you instead want to use the device in gateway mode (Layer 3
mode), configure routing.
To configure the default gateway for the out-of-band management interface,
use the interface management command to go to the configuration level
for the interface, then enter the ip default-gateway command. (See ip
default-gateway (management interface only) on page 191.)
Example
The following command configures an AX Series device deployed in transparent mode to use router 10.10.10.1 as the default gateway for data traffic:
ip dns
Description
Configure DNS servers and the default domain name (DNS suffix) for hostnames on the AX device.
Syntax
Default
None
Mode
Global Config
Usage
Example
ip frag timeout
Description
Syntax
Description
Specifies the number of milliseconds (ms) the
AX device buffers fragments for fragmented IP
packets. If all the fragments of an IP packet do
not arrive within the specified time, the frag-
1000 ms (1 second)
Mode
Global Config
Syntax
Default
Enabled
Mode
Global Config
Usage
NAT ALG for PPTP has additional configuration requirements. For information, see the NAT ALG Support for PPTP section in the Network
Address Translation chapter of the AX Series Configuration Guide.
ip nat allow-static-host
Description
Syntax
Default
Disabled
Mode
Global Config
Usage
Example
ip nat inside
Description
Syntax
pool pool-or-group-name
static
inside-ipaddr
nat-ipaddr
ha-group-id
group-id
Description
Specifies an Access Control List (ACL) that
matches on the inside addresses to be translated.
(To configure the ACL, see access-list (standard) on page 69 or access-list (extended) on
page 72.)
Dynamically assigns addresses from a range
defined in a pool or pool group.
Default
None
Mode
Global Config
Usage
Example
Description
class-list
list-name
Default
None
Mode
Global Config
Usage
The class list must already be configured. You can import the class list or
configure it on the AX device. For more information, see the Large-Scale
NAT chapter in the AX Series Configuration Guide.
Syntax
Enable LSN to provide full-cone support for user sessions initiated from an
internal IP address to a well-known TCP or UDP port (0-1023) on an external address.
[no] ip nat lsn enable-full-cone-for-well-known
Default
Disabled
Mode
Global Config
Specify the method for LSN to use to select IP addresses within a pool.
[no] ip nat lsn ip-selection method
Parameter
method
Description
Specifies the method, which can be one of the
following:
random Selects addresses randomly, instead of
using any of the other methods.
round-robin Selects addresses sequentially.
random
Mode
Global Config
Usage
Set a configured LSN traffic logging template as the default template for all
LSN pools.
Syntax
Default
Not set
Mode
Global Config
Description
Specifies the name of the LSN traffic logging
template to use as the default for all LSN pools.
The NAT logging template you plan to use as the default must already be
configured. To configure a NAT logging template, see ip nat template logging on page 231.
You also can assign a NAT logging template to an individual pool. In this
case, the NAT logging template assigned to the pool is used instead of the
default NAT logging template. See ip nat lsn logging pool on page 224.
Example
Description
pool-name
template-name
Default
Not set. If a NAT logging template has been set as the default NAT logging
template, that template is used.
Mode
Global Config
Usage
The NAT logging template you plan to use must already be configured. To
configure a NAT logging template, see ip nat template logging on
page 231.
Configure static LSN mappings for a range of protocol ports for an internal
address.
Syntax
end-privportnum
public-ipaddr
start-publicportnum
end-publicportnum
Description
Specifies the internal IP address.
Specifies the beginning (lowest-numbered) protocol port number in the range of internal protocol port numbers.
Specifies the ending (highest-numbered) protocol port number in the range of internal protocol
port numbers.
Specifies the public IP address to map to the
internal IP address.
Specifies the beginning public protocol port
number in the range to map to the internal protocol port numbers.
Specifies the ending public protocol port number
in the range to map to the internal protocol port
numbers.
Default
None. If LSN is configured, LSN mappings are created and deleted dynamically.
Mode
Global Config
Configure the LSN STUN timeout. The LSN STUN timeout specifies how
long a NAT mapping for a full-cone session is maintained after the data session ends.
Syntax
Default
Mode
Global Config
Description
Specifies the timeout, 0-60 minutes.
Default
Description
Specifies the timeout, 2-7 seconds.
Default
Mode
Global Config
Usage
The LSN SYN timeout is separate from the IP NAT translation timeout. If
you need to configure the IP NAT translation timeout instead, see ip nat
translation on page 233.
ip nat pool
Description
Syntax
Description
pool-name
start-ipaddr
end-ipaddr
netmask
{subnet-mask |
/mask-length}
lsn [max-users-per-ip num]
Enables the pool to be used for Large-Scale NAT
(LSN).
The max-user-per-ip option specifies the maximum number of internal addresses that can be
mapped to a single public address at the same
time. You can specify 1-65535. By default, there
is no limit.
The lsn option applies only to the LSN feature. Pools that use the lsn
option cannot be used with any type of NAT except LSN.
Note:
gateway ipaddr
ha-group-id group-id [ha-use-all-ports]
It is recommended to use the ha-use-all-ports option only for DNS virtual ports. Using this option with other virtual port types is not valid.
Note:
Default
None.
Mode
Global Config
Usage
The pool can be used by other ip nat commands. The IP addresses must be
IPv4 addresses. To configure a pool of IPv6 addresses, see ipv6 nat pool
on page 245.
used if the source NAT address (the address from the pool) and the
server address are not in the same IP subnet.
On reverse traffic (reply traffic from a server to a client), the NAT gate-
Example
It is recommended to use the ha-use-all-ports option only for DNS virtual ports. Using this option with other virtual port types is not valid.
The following command configures an IP address pool named pool1 that
contains addresses from 30.30.30.1 to 30.30.30.254:
ip nat pool-group
Description
Configure a set of IP pools for use by NAT. Pool groups enable you to use
non-contiguous IP address ranges, by combining multiple IP address pools.
Syntax
Description
Description
Name of a configured IP address pool.
Default
None.
Mode
Global Config
Usage
The following commands create a pool group for LSN and add 25 pools to
the group:
ip nat range-list
Description
Syntax
Description
list-name
local-ipaddr
/mask-length
global-ipaddr
/mask-length
count number
ha-group-id
group-id
Default
None.
Mode
Global Config
You can configure up to 1000 ranges. You can specify IPv4 or IPv6
addresses within a range.
Example
count 100
ip nat reset-idle-tcp-conn
Description
Enable client and server TCP Resets for NATted TCP sessions that become
idle.
Syntax
Default
Disabled.
Mode
Global Config
Syntax
[no] include-destination
[no] log port-mappings
Description
Specifies the logging facility to use. For a list of
available facilities, enter the following command: facility ?
Includes the destination IP addresses and protocol ports in NAT port mapping logs.
Enables logging of LSN port mapping events.
[no] service-group
group-name
[no] severity
severity-level
Specifies the severity level to assign to LSN traffic logs generated using this template. You can
enter the name or the number of a severity level.
0 | emergency
1 | alert
2 | critical
3 | error
4 | warning
5 | notification
6 | information
7 | debugging
Default
There is no NAT logging template by default. When you configure one, the
template options have the following default values:
facility local0
include-destination disabled
log port-mappings enabled
log sessions disabled
log service-group not set
log severity 7 (debugging)
log source-port 514
Mode
Global Config
Usage
The template does not take effect until you set it as the default LSN logging
template or assign it to individual LSN pools.
page 224.
Example
The following commands configure external logging for LSN traffic events,
using the same template for all LSN pools:
ip nat translation
Description
Syntax
Description
Specifies how long NATted ICMP sessions can
remain idle before being terminated. You can
specify 60-15000 seconds, or fast. The fast
option terminates the session as soon as a
response is received.
service-timeout
seconds | fast
Specifies how long NATted sessions on a specific protocol port can remain idle before being
udp-timeout
seconds
Default
timeout or udp-timeout setting is used. For UDP port 53, the SLB MSL
time is used.
syn-timeout 60 seconds
tcp-timeout 300 seconds
udp-timeout 300 seconds
Mode
Global Config
Example
ip prefix-list
Description
Syntax
seq sequencenum
deny | permit
any | ipaddr
/mask-length
ge prefixlength
le prefixlength
Description
Name or sequence number of the IP prefix-list
rule. The name can not contain blanks. The
sequence number can be 1-4294967295.
Changes the sequence number of the IP prefix-list rule. The sequence number can be
1-4294967295.
Action to take for IP addresses that match the
prefix list.
IP address and number of mask bits, from left to
right, on which to match. If you omit the ge and
le options (described below), the mask-length is
also the subnet mask on which to match.
Specifies a range of prefix lengths on which to
match. Any prefix length equal to or greater than
the one specified will match. For example, ge 25
will match on any of the following mask lengths:
/25, /26, /27, /28, /29, /30, /31, or /32.
Specifies a range of prefix lengths on which to
match. Any prefix length less than or equal to the
one specified will match. The lowest prefix
length in the range is the prefix specified with the
IP address. For example, 192.168.1.0/24 le 28
will match on any of the following mask lengths:
/24, /25, /26, /27, or /28.
Default
N/A
Mode
Global configuration
Usage
You can use IP prefix lists to provide input to the OSPFv2 command area
area-id filter-list on page 267.
How Matching Occurs
Matching begins with the lowest numbered IP prefix-list rule and continues
until the first match is found. The action in the first matching rule is applied
to the IP address. For example, if the IP prefix list contains the following
two rules, rule 5 is used for IP address 192.168.1.9, even though the address
also matches rule 10.
If you use one or both of the ge or le options, the mask-length specifies only
the number of bits to match. The ge or le option specifies the mask length(s)
on which to match.
The following rule matches on any address whose first octet is 10 and
whose mask-length is 8:
ip prefix-list match_on_8bit_mask_only permit 10.0.0.0/8
IP address 10.10.10.10/8 would match this rule but 10.10.10.10/24 would
not.
The following rule uses the le option to extend the range of mask lengths
that match:
ip prefix-list match_on_24bit_mask_or_less permit 10.0.0.0/8 le 24
This rule matches on any address that has 10 in the first octet, and whose
mask length is 24 bits or less. IP addresses 10.10.10.10/8 and
10.10.10.10/24 would both match this rule.
The following rule permits any address from any network that has a mask
16-24 bits long.
ip prefix-list match_any_on_16-24bit_mask permit 0.0.0.0/0 ge 16 le 24
Implied Deny any Rule
The IP prefix list has an implied deny any rule at the end. This rule is not
visible and can not be changed or deleted. If an IP address does not match
any of the rules in the IP prefix list, the AX device uses the implied deny
any rule to deny the address.
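The matching behavior described in this section (first match in sequence order, ge/le mask-length ranges, and the implied deny any rule) can be modeled offline to check a prefix list before it is used as a route filter. The following Python sketch is an added example, not A10 code; the Rule class, the evaluate function, the sequence numbers, and the two-rule ORDERED list are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One prefix-list rule (hypothetical model, not an ACOS data structure)."""
    seq: int
    action: str                  # "permit" or "deny"
    prefix: str                  # ipaddr/mask-length
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_range(self) -> Tuple[int, int]:
        """Return the (lowest, highest) mask length this rule accepts."""
        mask_len = ipaddress.ip_network(self.prefix, strict=False).prefixlen
        if self.ge is None and self.le is None:
            return mask_len, mask_len            # no ge/le: exact mask length
        low = mask_len if self.ge is None else self.ge
        high = 32 if self.le is None else self.le
        if not mask_len <= low <= high <= 32:    # sanity check assumed by this example
            raise ValueError(f"seq {self.seq}: invalid ge/le range")
        return low, high

    def matches(self, candidate: str) -> bool:
        """candidate is address/mask-length, for example 10.10.10.10/24."""
        rule_net = ipaddress.ip_network(self.prefix, strict=False)
        cand = ipaddress.ip_interface(candidate)
        low, high = self.length_range()
        # The rule's mask-length bits must match, and the candidate's own
        # mask length must fall inside the accepted range.
        return cand.ip in rule_net and low <= cand.network.prefixlen <= high


def evaluate(rules: List[Rule], candidate: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching seq). seq is None for the implied deny any."""
    for rule in sorted(rules, key=lambda r: r.seq):   # lowest sequence first
        if rule.matches(candidate):
            return rule.action, rule.seq              # first match wins
    return "deny", None                               # implied deny any


# The three rules shown in this section; sequence number 5 is constructed.
MATCH_ON_8BIT_MASK_ONLY = [Rule(5, "permit", "10.0.0.0/8")]
MATCH_ON_24BIT_MASK_OR_LESS = [Rule(5, "permit", "10.0.0.0/8", le=24)]
MATCH_ANY_ON_16_24BIT_MASK = [Rule(5, "permit", "0.0.0.0/0", ge=16, le=24)]

# Constructed two-rule list (not from the manual) showing that rule order
# decides the result when an address matches more than one rule.
ORDERED = [
    Rule(10, "permit", "192.168.0.0/16", le=32),
    Rule(5, "deny", "192.168.1.0/24", le=32),
]

if __name__ == "__main__":
    checks = [
        (MATCH_ON_8BIT_MASK_ONLY, "10.10.10.10/8"),
        (MATCH_ON_8BIT_MASK_ONLY, "10.10.10.10/24"),
        (MATCH_ON_24BIT_MASK_OR_LESS, "10.10.10.10/24"),
        (MATCH_ANY_ON_16_24BIT_MASK, "172.16.5.0/20"),
        (ORDERED, "192.168.1.9/32"),
        (ORDERED, "10.1.1.1/32"),
    ]
    for rules, candidate in checks:
        action, seq = evaluate(rules, candidate)
        via = f"seq {seq}" if seq is not None else "implied deny any"
        print(f"{candidate:18} -> {action} ({via})")
```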
Sequence Numbering
As described above, the sequence of rules in the IP prefix list can affect
whether a given address matches a permit rule or a deny rule.
Syntax
Description
Name or sequence number of the IP prefix-list
rule.
Description of the IP prefix list. The string can be
up to 80 characters, and can contain blanks. Quotation marks are not required.
Default
None
Mode
Global configuration
Usage
The description is placed above the rule it describes. (See the CLI example.)
Example
ip prefix-list sequence-number
Description
Syntax
Default
Enabled
Mode
Global configuration
Usage
When this option is enabled, the sequence numbers are displayed in the running-config. After you save the configuration, the sequence numbers also
are displayed in the startup-config.
Example
Example
The following commands disable display of sequence numbers, then re-display the IP prefix-list rules:
ip route
Description
Syntax
Description
Default
Mode
Global Config
Usage
Example
Modify the threshold for TCP handshake completion. The TCP handshake
threshold is applicable when SYN cookies are active.
Syntax
Default
Description
Specifies the number of seconds allowed for a
TCP handshake to be completed. If the handshake is not completed within the allowed time,
the AX device drops the session. You can specify
1-100 seconds.
4 seconds
Global Config
Usage
Example
Note:
ipv6 access-list
Description
Syntax
Syntax
Description
seq-num
deny | permit
ipv6 | icmp
tcp | udp
any |
host host-src-ipv6addr |
net-src-ipv6addr /mask-length
Source IP address(es) to filter.
any The ACL matches on all source IP
addresses.
host host-src-ipv6addr The ACL
matches only on the specified host IPv6 address.
net-src-ipv6addr /mask-length The
ACL matches on any host in the specified subnet.
The mask-length specifies the portion of the
address to filter.
any |
host host-dst-ipv6addr |
net-dst-ipv6addr /mask-length
Destination IP address(es) to filter.
eq dst-port |
gt dst-port |
lt dst-port |
range start-dst-port
end-dst-port
log
[transparent-session-only]
Configures the AX device to generate log messages when traffic matches the ACL.
The transparent-session-only option limits logging for an ACL rule to creation and deletion of
transparent sessions for traffic that matches the
ACL rule.
Syntax
None
Mode
Global Config
ipv6 address
Description
Syntax
Configure the global IPv6 address of the AX Series device, when the device
is deployed in transparent mode (Layer 2 mode).
[no] ipv6 address ipv6-addr/prefix-length
Parameter
Description
ipv6-addr
prefix-length
Default
N/A
Mode
Global Config
Usage
This command applies only when the AX Series device is deployed in transparent mode. To assign IPv6 addresses to individual interfaces instead
(gateway mode), use the ipv6 address command at the interface configuration level. (See ipv6 address on page 199.)
Example
ipv6 default-gateway
Description
Syntax
Specify the default gateway to use to reach other IPv6 networks, when the
AX Series device is used in transparent mode (Layer 2 mode).
[no] ipv6 default-gateway ipv6-addr
Parameter
Description
ipv6-addr
Default
N/A
Global Config
Usage
This command applies only when the AX Series device is used in transparent mode. If you instead want to use the device in gateway mode (Layer 3
mode), configure routing.
Example
Syntax
Description
pool-name
start-ipaddr
end-ipaddr
netmask masklength
gateway
ipv6-addr
group-id
Default
None.
Mode
Global Config
Example
ipv6 neighbor
Description
Syntax
Description
ipv6-addr
macaddr
port-num
vlan-id
Default
N/A
Mode
Global Config
Usage
Example
Explicitly set the link-state metric (cost) for this OSPF interface.
[no] ipv6 ospf cost num
Parameter
num
Description
Specifies the cost, 1-65535.
Default
By default, an interface's cost is calculated based on the interface's bandwidth. If the auto-cost reference bandwidth is set to its default value (100
Mbps), the default interface cost is 10.
Mode
Interface
Specify the maximum time to wait for a reply to a hello message, before
declaring the neighbor to be offline.
Syntax
Default
40
Mode
Interface
Description
Number of seconds this OSPF router will wait
for a reply to a hello message sent out this interface to an OSPF neighbor, before declaring the
neighbor to be offline. You can specify 1-65535
seconds.
Specify the time to wait between sending hello packets to OSPF neighbors.
Syntax
Default
10
Mode
Interface
Description
Number of seconds this OSPF router will wait
between transmission of hello packets out this
interface to OSPF neighbors. You can specify
1-65535 seconds.
Syntax
Description
ipv6-addr
cost num
poll-interval
seconds
priority num
Default
ipv6 network
Description
Syntax
Change the OSPF network type to a type different from the default for the
media.
[no] ipv6 ospf network network-type
Description
Type of network. You can specify one of the following:
broadcast Broadcast network.
non-broadcast Non-broadcast multiaccess
(NBMA) network.
point-to-multipoint Point-to-multipoint network.
point-to-point Point-to-point network.
Default
Broadcast
Mode
Interface
Priority of this OSPF router (and process) on this interface for becoming the
designated router for the OSPF domain.
Syntax
Description
Priority of this OSPF process on this interface, 0-255. The lowest priority is 0 and the highest priority is 255.
Default
Mode
Interface
Usage
If more than one OSPF router has the highest priority, the router with the
highest router ID is selected as the designated router.
Syntax
Description
Number of seconds this OSPF router waits
before resending an unacknowledged packet out
this interface to a neighbor. You can specify
1-65535 seconds.
seconds
Default
Mode
Interface
ipv6 transmit-delay
Description
Specify the time to wait between sending packets out this interface to an
OSPF neighbor.
Syntax
Description
Number of seconds this OSPF router waits
between transmission of packets out this interface to OSPF neighbors. You can specify
1-65535 seconds.
seconds
Default
Mode
Interface
ipv6 route
Description
Syntax
Description
ipv6-addr
prefix-length
gateway-addr
Uses the link-local address on the specified interface as the next hop.
Default
N/A
Mode
Config
Usage
The ethernet, trunk, and ve options are available only if the gateway-addr
is a link-local address. Otherwise, the options are not displayed in the online
help and are not supported.
If you use an individual Ethernet port, the port can not be a member of a
trunk or a VE. If you use a trunk, the trunk can not be a member of a VE.
After you configure the static route, you can not change the interfaces
Example
The following command configures an IPv6 static route that uses Ethernet
port 6's link-local address as the next hop:
AX(config)#ipv6 route abaa:3::0/64 fe80::2 ethernet 6
Note:
Enabling OSPF
To enable OSPF, use one of the following commands at the global configuration level of the CLI. Each command changes the CLI to the configuration
level for the specified OSPFv2 process ID or OSPFv3 instance tag.
OSPFv2
router ospf [process-id]
The process-id specifies the IPv4 OSPFv2 instance to run on the AX device,
and can be 1-65535.
OSPFv3
router ipv6 ospf [tag]
The tag specifies the IPv6 OSPFv3 instance to run on the IPv6 link, and can
be 1-65535.
Interface-level OSPF Commands
In addition to global parameters, OSPF has parameters on the individual
interface level. To configure OSPF on an interface, use the interface command to access the configuration for the interface, then use the ip ospf command. (See ip ospf on page 194.)
Specify the cost of a default summary route sent into a stub area.
[no] area area-id default-cost num
Parameter
Description
area-id
num
Default
The default is 1.
Mode
OSPFv2 or OSPFv3
Example
Description
area-id
range area-id
ipaddr
/mask-length
advertise
not-advertise
Default
Mode
OSPFv2 or OSPFv3
Example
Syntax
Description
area-id
Area ID.
no-summary
Default
None
Mode
OSPFv2 or OSPFv3
Example
Syntax
Configure a link between two backbone areas that are separated by non-backbone areas.
[no] area area-id virtual-link ipaddr
[authentication]
[authentication-key string [string ...]]
[dead-interval seconds]
[hello-interval seconds]
[message-digest-key num md5 string [string ...]]
[retransmit-interval seconds]
[transmit-delay seconds]
Parameter
Description
area-id
ipaddr
authentication
authentication-key string
[string ...]
Specifies a simple text password for authenticating OSPF traffic between this router and the
neighbor at the other end of the virtual link. The
string is an 8-character authentication password.
dead-interval
seconds
hello-interval
seconds
transmit-delay
seconds
Default
None. When you configure a virtual link, it has the following default settings:
authentication disabled
authentication-key not set
dead-interval 40
hello-interval 10
message-digest-key not set
retransmit-interval 5
transmit-delay 1
Mode
OSPFv2 or OSPFv3
Syntax
Description
Specifies the reference bandwidth, in Mbps. You
can specify 1-4294967.
Default
100 Mbps
Mode
OSPFv2 or OSPFv3
Usage
capability restart
Description
Syntax
Description
graceful
signaling
Default
Mode
OSPFv2 or OSPFv3
default-metric
Description
Syntax
Set the numeric cost that is assigned to OSPF routes by default. The metric
(cost) is added to routes when they are redistributed.
[no] default-metric num
Parameter
Description
Default cost, 0-16777214.
num
Default
20
Mode
OSPFv2 or OSPFv3
Example
AX(config-router)#default-metric 6666
ha-standby-extra-cost
Description
Syntax
Description
Specifies the extra cost to add to the AX device's
OSPF interfaces, if the HA status of one or more
of the device's HA groups is Standby. You can
specify 1-65535. If the resulting cost value is
more than 65535, the cost is set to 65535.
Default
Not set. The OSPF protocol on the AX device is not aware of the HA state
(Active or Standby) of the AX device.
Mode
OSPFv2 or OSPFv3
Usage
max-concurrent-dd
Description
Set the maximum number of OSPF neighbors that can be processed concurrently during database exchange between this OSPF router and its OSPF
neighbors.
Syntax
Description
Specifies the maximum number of neighbors that
can be processed at the same time during database exchange. You can specify 1-65535.
Default
Mode
OSPFv2 or OSPFv3
Usage
maximum-area
Description
Set the maximum number of OSPF areas supported for this OSPF process.
Syntax
Description
Specifies the maximum number of areas allowed
for this OSPF process. You can specify
1-4294967294.
4294967294
Mode
OSPFv2 or OSPFv3
passive-interface
Description
Syntax
Default
Mode
OSPFv2 or OSPFv3
Example
The following command configures a passive interface on the Virtual Ethernet (VE) interface on VLAN 3:
AX(config-router)#passive-interface ve 3
redistribute
Description
Description
connected
[options]
ip-nat
[ipaddr/mask-length
floating-IP-forward-address
ipaddr]
[options]
Redistributes routes into OSPF for reaching
translated NAT addresses allocated from a pool.
By default, the forward address for all redistributed NAT pool addresses is 0.0.0.0. To set a
floating IP address as the forward address, use
the ipaddr/mask-length option to specify the
NAT pool address. The floating-IP-forward-address ipaddr option specifies the forward
address to use when redistributing the route to
the NAT pool address.
For options, see the end of this parameter list.
ip-nat-list
[options]
ospf
[process-id]
[options]
rip [options]
static
[options]
Note:
Default
Disabled. By default, OSPF routes are not redistributed. For other defaults,
see above.
Mode
OSPFv2 or OSPFv3
Usage
When you enable redistribution, routes to all addresses of the specified type
are redistributed. For example, if you use the vip option, routes to all VIPs
are redistributed into OSPF.
By default, the AX device uses 0.0.0.0 as the forward address in routes that
are redistributed in OSPF type-5 link state advertisements (LSAs). In this
case, other OSPF routers find a route to reach the AX device (which is acting as OSPF ASBR), then use the corresponding next-hop address as the
next hop for the destination network. You can specify a floating IP address
to use as the forward address, for individual NAT pools or VIPs. (See the
syntax above.)
VIP Redistribution
VIP redistribution is not supported for VIPs on which destination NAT has
been disabled. For example, VIP redistribution is not supported for VIPs
that are configured for Direct Server Return (DSR).
You can exclude redistribution of individual VIPs using one or the other of
the following methods. They are mutually exclusive.
If more VIPs will be excluded than will be allowed to be redistributed:
At the configuration level for each of the VIPs to allow to be redis-
use the redistribute vip command at the configuration level for the
OSPF process.
If you have 10 VIPs but only 2 of them need to be redistributed, use the
AX(config-router)#redistribute rip
Example
AX(config-router)#redistribute floating-ip
AX(config-router)#redistribute vip
Example
Example
The following command enables redistribution of VIPs, and sets tag value
555 to be included in external LSAs that advertise the route to the VIP:
router-id
Description
Set the value used by this OSPF router to identify itself when exchanging
route information with other OSPF routers.
Syntax
Default
For OSPFv2, the default router ID is the highest-numbered IP address configured on any of the AX device's loopback interfaces. If no loopback interfaces are configured, the highest-numbered IP address configured on any of
the AX device's other Ethernet data interfaces is used.
For OSPFv3, the router ID must be set.
Setting the router ID is required for OSPFv3 and is strongly recommended for OSPFv2.
Note:
Mode
OSPFv2 or OSPFv3
Usage
The AX device has only one router ID. The address does not need to match
an address configured on the AX device. However, the address must be an
IPv4 address and must be unique within the routing domain.
New or changed router IDs require a restart of the OSPF process. To restart
the OSPF process, use the clear ip ospf process command.
Example
The following commands set the router ID to 2.2.2.2 and reload OSPF to
place the new router ID into effect:
AX(config-router)#router-id 2.2.2.2
AX(config-router)#clear ip ospf process
Change Shortest Path First (SPF) timers used for route recalculation following a topology change.
Syntax
Description
Enables exponential back-off delays for route
recalculation.
The min-delay specifies the minimum number of
milliseconds (ms) the OSPF process waits after
For the exp option, the default min-delay is 50 ms and the default max-delay
is also 50 ms. For the delay hold-time option, the default delay is 50 ms. The
default hold-time is 100 ms.
Mode
OSPFv2 or OSPFv3
Usage
After you enter this command, any pending route recalculations are
rescheduled based on the new timer values.
Description
Enables MD5 authentication. If you omit this
option, simple text authentication is used.
Default
Mode
OSPFv2
Usage
To configure a simple text password or MD5 key, see ip ospf on page 194.
Syntax
prefix
list-name
{in | out}
Description
Area ID, either an IP address or a number.
ID of an Access Control List (ACL). The only
routes that are advertised are routes to the subnets permitted by the ACL.
Default
Not set.
Mode
OSPFv2
Usage
You can specify an ACL or an IP prefix list. To configure an ACL, see the
AX Series CLI Reference. To configure a prefix list, see Prefix List Command Reference on page 259.
Syntax
Enables support for multiple OSPF area adjacencies on the specified interface.
[no] area area-id multi-area-adjacency
{ethernet portnum | loopback num | management |
ve ve-num}
neighbor ipaddr
Default
Mode
OSPFv2
Usage
Description
Area ID.
area-id
default-information-originate
[metric num]
[metric-type
{1 | 2}]
no-summary
translator-role
{always |
candidate |
never}
Specifies the types of LSA translation performed
by this OSPF router for the NSSA:
always If this OSPF router is an NSSA border
router, the router will always translate Type 7
LSAs into Type 5 LSAs, regardless of the translator state of other NSSA border routers.
candidate If this OSPF router is an NSSA border router, the router is eligible to be elected the
Type 7 NSSA translator.
never This OSPF router is ineligible to be
elected the Type 7 NSSA translator.
Default
None
Mode
OSPFv2
Example
Syntax
Description
area-id
Area ID.
default
enable
Default
None
Mode
OSPFv2
Usage
capability opaque
Description
Syntax
Default
Enabled.
Mode
OSPFv2
Usage
compatible rfc1583
Description
Syntax
Default
Mode
OSPFv2
default-information originate
Description
Syntax
Description
always
metric num
metric-type
{1 | 2}
route-map
map-name
Default
This option is disabled by default. If you enable it, the default metric is 10.
The default metric type is 2.
Mode
OSPF
Example
The following command creates a default route into the OSPF domain with
a metric of 20:
distance
Description
Set the administrative distance for OSPF routes, based on route type.
Syntax
[no] distance
{
num |
ospf {external | inter-area | intra-area} num
}
Parameter
num
Description
Sets the administrative distance for all route
types. You can specify 1-255.
Default
Mode
OSPFv2
Usage
distribute-list
Description
Syntax
Description
acl-id
in
out route-type
Note:
Default
None
Mode
OSPFv2
Syntax
Description
ipaddr
area area-id
cost num
Default
None
Mode
OSPFv2
Usage
neighbor
Description
Syntax
Description
ipaddr
cost num
poll-interval
seconds
priority num
Default
Mode
OSPFv2
network
Description
Enable OSPF routing for an area, on interfaces that have IP addresses in the
specified area subnet.
Syntax
[no] network
ipaddr {/mask-length | wildcard-mask}
area area-id
[instance-id num]
Parameter
ipaddr
{/mask-length |
wildcard-mask}
area area-id
Description
None
Mode
OSPFv2
Example
ospf abr-type
Description
Syntax
Description
cisco
ibm
shortcut
Shortcut ABR (draft-ietf-ospf-shortcut-abr-02.txt).
standard
Default
cisco
Mode
OSPFv2
overflow database
Description
Syntax
Specify the maximum number of LSAs or the maximum size of the external
database.
[no] overflow database
{
max-lsa [hard | soft] |
external max-lsa recover-time
}
Parameter
Description
max-lsa
[hard | soft]
Specifies the maximum number of AS-external-LSAs the OSPF router can receive,
0-2147483647. The recover-time option specifies
the number of seconds OSPF waits before
attempting to recover after max-lsa is exceeded.
You can specify 0-65535 seconds. To disable
recovery, specify 0.
Default
Mode
OSPFv2
summary-address
Description
Syntax
Description
ipaddr/mask
not-advertise
tag num
Default
None
Mode
OSPFv2
Note:
If the system clock is adjusted while OSPF or RIP is enabled, the routing
protocols may stop working properly. To work around this issue, disable
OSPF and RIP before adjusting the system clock.
network
Description
Syntax
Default
None
Mode
RIP
Example
AX(config-router-rip)#network 10.10.10.10 /8
passive-interface
Description
Syntax
Default
Mode
RIP
Example
The following command disables RIP route advertisements from being sent
out VE 4:
AX(config-router-rip)#passive-interface ve 4
redistribute
Description
Syntax
Default
Mode
RIP
Example
AX(config-router-rip)#redistribute ospf
slb buff-thresh
Description
Syntax
relieve-thresh
num
Description
IO buffer threshold. For each CPU, if the number
of queued entries in the IO buffer reaches this
threshold, fast aging is enabled and no more IO
buffer entries are allowed to be queued on the
CPU's IO buffer.
Threshold at which fast aging is disabled, to
allow IO buffer entries to be queued again.
sys-buff-high
num
Mode
Global Config
slb compress-block-size
Description
Syntax
Description
Default compression block size, 6000-32000
bytes.
bytes
Default
16000
Mode
Global config
slb conn-rate-limit
Description
Syntax
Description
tcp | udp
conn-limit
shared
exceed-action
[log]
[lock-out
lockout-period] Enables optional exceed actions:
log Enables logging. Logging generates a log
message when a client exceeds the connection
limit.
lock-out lockout-period Locks out the client
for a specified number of seconds. During the
lockout period, all connection requests from the
client are dropped. The lockout period can be 13600 seconds (1 hour). There is no default.
All connection requests in excess of the connection limit that are received
from a client within the limit period are dropped. This action is enabled by
default when you enable the feature, and can not be disabled.
Note:
Default
Not set
Mode
Global Config
Usage
Example
The following command allows up to 1000 connection requests per one-second interval from any individual client. If a client sends more than 1000
requests within a given limit period, the client is locked out for 3 seconds.
The limit applies separately to each individual virtual port. Logging is not
enabled.
The following command allows up to 2000 connection requests per 100-millisecond interval. The limit applies to all virtual ports together. Logging
is enabled but lockout is not enabled.
Example
The following command allows up to 2000 connection requests per 100-millisecond interval. The limit applies to all virtual ports together. Logging
is enabled and lockout is enabled. If a client sends a total of more than 2000
requests within a given limit period, to one or more virtual ports, the client
is locked out for 3 seconds.
slb dns-cache-age
Description
Syntax
Configure the amount of time the AX device locally caches DNS replies.
[no] slb dns-cache-age seconds
Parameter
seconds
Description
Number of seconds the AX device caches DNS
replies. You can specify 1-1000000 seconds.
Default
300
Mode
Global Config
Usage
A DNS reply begins aging as soon as it is cached and continues aging even
if the cached reply is used after aging starts. Use of a cached reply does not
reset the age of that reply.
DNS cache aging is applicable only when DNS caching is enabled. (See
slb dns-cache-enable on page 284.)
slb dns-cache-enable
Description
Syntax
Default
Disabled
Mode
Global Config
When DNS caching is enabled, the AX device sends the first request for a
given name (hostname, fully-qualified domain name, URL, and so on) to
the DNS server. The AX device caches the reply from the DNS server, and
sends the cached reply in response to the next request for the same name.
The AX device continues to use the cached DNS reply until the reply times
out. After the reply times out, the AX device sends the next request for the
URL to the DNS server, and caches the reply, and so on.
DNS caching applies only to DNS requests sent to a UDP virtual port in a
DNS SLB configuration. DNS caching is not supported for DNS requests
sent over TCP.
slb dsr-health-check-enable
Description
Enable health checking of the virtual server IP addresses instead of the real
server IP addresses in Direct Server Return (DSR) configurations.
Syntax
Default
Disabled
Mode
Global Config
Usage
Example
slb enable-l7-req-acct
Description
Syntax
Default
Global Config
Usage
slb fast-path-disable
Description
Syntax
Default
Mode
Global Config
Usage
Fast processing of packets maximizes performance by using all the underlying hardware assist facilities. Typically, the feature should remain enabled.
The option to disable it is provided only for troubleshooting, in case it is
suspected that the fast processing logic is causing an issue. If you disable
fast-path processing, ACOS does not perform a deep inspection of every
field within a packet.
slb graceful-shutdown
Description
Syntax
Description
grace-period
virtual-server
after-disable
Default
Disabled. When you delete a real or virtual service port, the AX device
places all the port's sessions in the delete queue, and stops accepting new
sessions on the port.
Mode
Global Config
Usage
Example
The following command enables graceful shutdown and sets the grace
period to one hour:
slb hw-compression
Description
Syntax
Default
Disabled.
Mode
Global Config
Usage
Hardware-based compression is available using an optional hardware module in the following models: AX 2100, AX 2200, AX 3100, AX 3200, and
AX 5200. If this command does not appear on your AX device, the device
does not contain a compression module.
Installation of the compression module into AX devices in the field is not
supported. Contact A10 Networks for information on obtaining an AX
device that includes the module.
Note:
AX(config)#slb hw-compression
slb l2l3-trunk-lb-disable
Description
Syntax
Default
Enabled.
Mode
Global Config
Usage
When trunk load balancing is enabled, the AX device load balances outbound Layer 2/3 traffic among all the ports in a trunk. The round-robin
method is used to load balance the traffic. For example, in a trunk containing ports 1-4, the first Layer 2/3 packet is sent on port 1. The second packet
is sent on port 2. The third packet is sent on port 3, and so on.
If you disable trunk load balancing, the lead port is always used for outbound
traffic. The other ports are standby ports in case the lead port goes
down.
Trunk load balancing applies only to Layer 2/3 traffic, and is enabled by
default. However, the CLI provides a command to disable trunk load balancing, in case there is a need to do so. Disabling trunk load balancing
causes the AX device to use only the lead port for outbound traffic.
Note:
slb msl-time
Description
Syntax
Configure the maximum session life for client sessions. The maximum session life controls how long the AX device maintains a session table entry for
a client-server session after the session ends.
[slb] msl-time seconds
Description
Number of seconds a client session can remain in
the session table following completion of the session. You can specify 1-40 seconds.
Default
2 seconds
Mode
Global Config
Usage
The maximum session life allows time for retransmissions from clients or
servers, which can occur if there is an error in a transmission. If a retransmission occurs while the AX device still has a session entry for the session,
the AX device is able to forward the retransmission. However, if the session
table entry has already aged out, the AX device drops the retransmission
instead.
The maximum session life begins aging out a session table entry when the
session ends:
TCP The session ends when the AX device receives a TCP FIN from
Note:
slb mss-table
Description
Configure the TCP Maximum Segment Size (MSS) allowed for client traffic.
Syntax
Default
538
Mode
Global Config
Description
Minimum MSS allowed in traffic from clients.
You can specify 128-750.
Clients who can only transmit TCP segments that are smaller than the MSS
are unable to reach servers.
This command globally changes the MSS. You also can change the MSS in
individual TCP-proxy templates. (See slb template tcp-proxy on
page 368.)
slb new-path-enable
Description
Syntax
Default
Disabled
Mode
Global Config
slb rate-limit-logging
Description
Syntax
Description
max-local-rate
msgs-per-second Specifies the maximum number of messages per
second that can be sent to the local log buffer.
You can specify 1-100.
max-remote-rate
msgs-per-second Specifies the maximum number of messages per
second that can be sent to remote log servers.
You can specify 1-100000.
exclude-destination
{local |
remote}
Log rate limiting is enabled by default and can not be disabled. The configurable settings have the following default values:
max-local-rate 32 messages per second
max-remote-rate 15000 messages per second
exclude-destination Logging to both destinations is enabled.
Mode
Global Config
Usage
interval is the internal maximum or less, then during the following
one-second interval, the AX will again send messages to the local logging
buffer as well as the external log server.
In any case, all messages (up to the external maximum) are sent to the
The following command increases the maximum number of external messages per second:
slb server
Description
Configure a real server. Use the first command shown below to create or
delete a server. Use the second command to edit a server.
Syntax
Default
Description
server-name
hostname
ipaddr
N/A
Global Config
Usage
The normal form of this command creates a new or edits an existing real
server. The CLI changes to the configuration level for the server. See Config Commands: SLB Servers on page 379.
The IP address of the server can be in either IPv4 or IPv6 format. The
AX Series supports both address formats.
The no form of this command removes an existing real server.
The maximum number of real servers is configurable. See system
resource-usage on page 165.
Example
The following example creates a new real server with an IPv4 address:
Example
The following example creates a new real server with an IPv6 address:
slb service-group
Description
Syntax
Description
group-name
tcp | udp
Default
Mode
Global Config
The normal form of this command creates a new or edits an existing service
group. The CLI changes to the configuration level for the service group. See
Config Commands: SLB Service Groups on page 391.
Example
slb snat-gwy-for-l3
Description
Syntax
Default
Disabled
Mode
Global Config
Usage
When this feature is enabled, ACOS checks the server IP subnet against the
IP NAT pool subnet. If they are on the same subnet, then ACOS uses the
gateway as defined in the IP NAT pool for Layer 2 / Layer 3 forwarding.
This feature is useful if the server does not have its own upstream router and
ACOS can leverage the same upstream router for Layer 2 / Layer 3.
slb snat-on-vip
Description
Syntax
Default
Disabled
Mode
Global Config
Usage
These methods are used in the order shown above. For example, if IP source
NAT is configured using an ACL on the virtual port, and VIP source NAT is
The current release does not support source IP NAT on FTP or RTSP virtual ports.
Description
certificatename
The key length, common name, and number of days the certificate is valid
are required. The other information is optional.
The certificate is created when you press enter after answering the last
prompt.
Default
The default key length is 1024 bits. The default number of days the certificate is valid is 730.
Mode
Global Config
Example
Syntax
Description
csr-name
url
The CSR is created when you press enter after answering the last prompt.
The key for the certificate is also created.
Default
The default key length is 1024 bits. The default number of days the certificate will be valid is 730.
Mode
Global Config
Usage
After the CSR is generated and exported by this command, send the CSR to
the CA. After you receive the signed certificate from the CA, use the import
command to import the CA onto the AX device. (See import on page 59.)
The key does not need to be imported. The key is generated along with the
CSR.
The following commands generate and export a CSR, then import the
signed certificate.
slb ssl-delete
Description
Syntax
Default
None.
Mode
Global Config
Usage
This command does not affect the server certificate of the Web management
interface. The command applies only to certificates that have been imported
for use with SSL offload.
Example
The following commands delete SSL certificate testcert.crt and its key:
slb ssl-load
Description
Syntax
Description
file-name
use-mgmt-port
url
None.
Mode
Global Config
Usage
Example
The following commands load SSL certificate testcert.crt and its key:
Example
The following commands import a CA certificate and its key, and a CRL
file:
slb template
Description
Syntax
Description
template-type
Type of template:
cache Configures RAM caching of HTTP
Web content.
client-ssl Configures offload of SSL
validation of clients from real servers
connection-reuse Configures re-use of
established connections
http Configures HTTP modifications to
server replies to clients and configures load balancing based on HTTP information
persist cookie Configures session persistence by inserting persistence cookies into
server replies to clients
persist destination-ip Configures
the granularity of load balancing persistence
(selection of the same server resources) for clients, based on destination IP address
persist source-ip Configures the
granularity of load balancing persistence for clients, based on source IP address
persist ssl-sid Directs clients based
on SSL session ID
policy Configures Policy-Based SLB
(PBSLB) settings
port Configures settings for real server ports
server Configures settings for real servers
server-ssl Configures the AX device to
validate real servers based on their certificates
sip Configures separate load balancing of
Session Initiation Protocol (SIP) registration traffic and non-registration traffic
smtp Configures STARTTLS support for
Simple Mail Transfer Protocol (SMTP) clients
Default
The templates have default settings, and some template types are automatically added to a virtual port depending on its service type. For information,
see the AX Series Configuration Guide.
Mode
Global Config
Usage
The normal form of this command creates a new or edits an existing template. The CLI changes to the configuration level for the template. See
Config Commands: SLB Templates on page 305.
The no form of this command removes an existing template.
The maximum number of templates is configurable. See system
resource-usage on page 165.
Example
slb transparent-tcp-template
Description
Set the idle timeout for pass-through TCP sessions. A pass-through TCP
session is one that is not terminated by the AX device (for example, a session for which the AX device is not serving as a proxy for SLB).
Syntax
Description
Specifies the name of a TCP template. The idle
timeout specified in the TCP template is used for
pass-through TCP sessions.
template-name
Note:
Default
The default idle timeout for pass-through TCP sessions is 30 minutes. The
default idle timeout in TCP templates is 120 seconds.
Mode
Global Config
Usage
Only the idle timeout setting in the specified TCP template is applicable to
pass-through TCP sessions. None of the other options in TCP templates
affect pass-through TCP sessions.
Example
The following command changes the idle timeout for pass-through TCP
sessions to the idle timeout set in the default TCP template:
slb virtual-server
Description
Syntax
Description
name
ipaddr
Default
N/A
Mode
Global Config
Usage
The normal form of this command creates a new or edits an existing virtual
server. The CLI changes to the configuration level for the virtual server. See
Config Commands: SLB Virtual Servers on page 401.
The no form of this command removes an existing virtual server.
The maximum number of virtual servers is configurable. See system
resource-usage on page 165.
Notes on VIP Ranges
The IP addresses in the specified subnet range can not belong to an IP
Example
Syntax
Description
Name of the template, up to 31 characters long.
Description
[no] accept-reload-req
[no] age
seconds
[no] default-policy-nocache
[no] disable-insert-age
[no] disable-insert-via
[no] max-cache-size MB
Specifies the size of the AX RAM cache.
On models AX 1000, AX 2000, AX 2100,
AX 2200, AX 3100, and AX 3200, you can
specify 1-512 MB.
On model AX 2500, you can specify
1-1024 MB.
[no] min-content-size
bytes
[no] remove-cookies
[no] verify-host
Default
cached content.
Mode
Configure
Usage
The following commands configure a RAM caching template. In this example, all the default RAM cache settings are used.
Example
Example
The following commands configure a RAM caching template that will only
cache content from www.xyz.com/news-clips.
Description
template-name
This command changes the CLI to the configuration level for the specified
client-SSL template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
Description
[no] ca-cert
cert-name
[no] cert
cert-name
[no] chain-cert
chain-cert-name Specifies a certificate-key chain.
[no] cipher
cipher
[no] close-notify
[no] crl
filename
If you plan to use a CRL, you must set the client-certificate mode to
require.
[no] key
key-name
[passphrase
passphrase-string]
[no] session-cache-size
number
Default
Specifies the key for the certificate, and the passphrase used to encrypt the key.
The configuration does not have a default client-side SSL template. If you
create one, the template has the following defaults:
cipher All options are enabled. (This is equivalent to entering the
cipher command multiple times, once with each of the options listed in
the Syntax section.)
client-certificate ignore
close-notify disabled
session-cache-size 0 (Session ID reuse is disabled.)
Mode
Configure
Usage
The normal form of this command creates a client-SSL configuration template. The no form of this command removes the template.
The certificate must be imported onto the AX Series. To import a certificate,
see import on page 59 or slb ssl-load on page 298.
You can bind only one client-SSL template to a virtual port. However, you
can bind the same client-SSL template to multiple ports.
Example
The following commands configure a client-SSL template named clientssl1 that uses imported CA certificates and requires clients to present their
certificates when requesting connections to servers:
Example
Syntax
Description
Name of the template, 1-31 characters.
This command changes the CLI to the configuration level for the specified
connection-reuse template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
[no] keep-alive-conn
number
Note:
Description
Specifies the number of new reusable connections to open before beginning to reuse existing
connections. You can specify 1-1024 connections.
Default
To display the default template settings, use the show slb template connection-reuse default command.
Mode
Configure
Usage
The normal form of this command creates a connection reuse template. The
no form of this command removes the template.
You can bind only one connection-reuse template to a virtual port. However,
you can bind the same connection-reuse template to multiple ports.
The keep-alive-conn option is applicable only for SIP-over-TCP sessions.
The option is not applicable to other types of sessions, such as HTTP sessions.
Due to the way the connection-reuse feature operates, backend sessions
with servers will not be reused in either of the following cases:
The limit-per-server option is set to a very low value, lower than the
server option.
virtual ports.
This feature is configured using a new connection-reuse option. The fea-
reuse template, any packets that are queued due to the feature are
released for transmission.
Example
Syntax
Description
Name of the template, 1-31 characters.
Description
[no] malformed-query
{drop | forward
service-group-name}
Specifies the action to take for malformed DNS
queries:
drop Drops malformed queries.
forward Sends the queries to the specified
service group. With either option, the malformed
queries are not sent to the DNS virtual port.
Default
The configuration does not have a default DNS template. If you configure
one, the default action is to drop malformed DNS queries.
Mode
Configure
Usage
The normal form of this command creates a DNS template. The no form
of this command removes the template.
You can bind only one DNS template to a virtual port. However, you can
bind the same DNS template to multiple ports.
Example
The following commands configure a DNS template for DNS security and
bind the template to the DNS virtual port on a virtual server:
Since the drop action is specified, malformed DNS queries sent to the virtual DNS server are dropped by the AX device.
Syntax
Description
Name of the template
This command changes the CLI to the configuration level for the specified
HTTP template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
[no]
compression
option
Description
Compression is supported only for HTTP and HTTPS virtual ports. Compression is not supported for fast-HTTP virtual ports.
[no] failover-url url-string
[no] header-insert
header-name
[no] host-switching
{starts-with
|contains |
ends-with}
host-string
service-group
service-group-name
[no] insert-client-ip
[http-header-name] [replace] Inserts the client's source IP address into HTTP
headers. If you specify an HTTP header name,
the source address is inserted only into headers
with that name.
The replace option replaces any client addresses
that are already in the header. Without this
[no] request-header-erase
field
[no] response-header-erase
field
[no] response-header-insert
field:value
[insert-always
| insert-if-not-exist]
Configures the AX device to retry sending a client's request to a service port that replies with an
HTTP 5xx status code, and reassign the request
to another server if the first server replies with a
5xx status code. The retry number specifies the
number of times the AX device is allowed to
reassign the request.
For example, assume that a service group has
three members (s1, s2, and s3), and the retry is
set to 1. In this case, if s1 replies with a 5xx status code, the AX device reassigns the request to
s2. If s2 also responds with a 5xx status code, the
AX device will not reassign the request to s3,
because the maximum number of retries has
already been used.
If you use this command, the AX device stops
sending client requests to a service port for 30
seconds following reassignment. If you want the
service port to remain eligible for client requests,
use the following command instead. An HTTP
template can contain one or the other of these
commands, but not both.
Note:
The 5xx options are supported only for virtual port types HTTP and
HTTPS. They are not supported for fast-HTTP or any other virtual port
type.
[no] retry-on-5xx-per-req num This command provides the same function as the
retry-on-5xx command (described above). However, the retry-on-5xx-per-req command does
not briefly stop using a service port following
reassignment. An HTTP template can contain
one or the other of these commands, but not both.
[no] strict-transaction-switch
[no] url-hash-persist
{first | last}
bytes
[use-server-status]
Note:
This feature requires some custom configuration on the server. For information, see the URL Hash Switching section in the HTTP Options for
SLB chapter of the AX Series Configuration Guide.
Note:
Default
You can configure a maximum of 16 url-switching commands in a template. If you need to use more, use aFleX policies.
The configuration has a default HTTP template. In the template, most
options are disabled or not set.
Compression is disabled by default. When you enable it, it has the following
default settings:
content-type text and application included by default
exclude-content-type not set (nothing excluded)
exclude-uri not set (no URIs excluded)
keep-accept-encoding disabled
level 1
minimum-content-length 120 bytes
To display the default HTTP template settings, use the show slb template
http default command.
Mode
Configure
Usage
If a template has more than one command with the same option (starts-with,
contains, or ends-with) and a host name or URL matches on more
than one of them, the most-specific match is always used. For example, if a
template has the following commands, host "ddeeff" will always be directed
to service group http-sgf:
slb template http http-host
host-switching starts-with d service-group http-sgd
host-switching starts-with dd service-group http-sge
host-switching starts-with dde service-group http-sgf
If a contains rule and an ends-with rule match on exactly the same string,
the ends-with rule is used, because it has the more specific match.
If you use the starts-with option with URL switching, use a slash in front of
the URL string. For example:
url-switching starts-with /urlexample service-group http-sg1
The following commands configure an HTTP template called http-compression that enables compression. The minimum length a packet must be
for it to be compressed is set at 120 bytes.
Example
Example
AX(config)#slb
AX(config-HTTP
sg1
AX(config-HTTP
sg2
AX(config-HTTP
http-sg3
Example
The following commands configure an HTTP template called http-compress, that uses compression level 5 to compress files with media type
application or image. Files with media type application/zip are
explicitly excluded from compression.
AX(config)#slb template http http-compress
AX(config-HTTP template)#compression enable
AX(config-HTTP template)#compression level 5
AX(config-HTTP template)#compression content-type image
AX(config-HTTP template)#compression exclude-content-type application/zip
Example
The following commands configure an HTTP template that replaces the client IP addresses in the X-Forwarded-For field with the current client IP
address:
Syntax
Description
Name of the template, 1-31 characters.
This command changes the CLI to the configuration level for the specified
persistence template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
[no] domain
domain-name
[no] dont-honor-conn-rules
Description
Adds the specified domain name to the cookie.
[no] insert-always
[no] match-type
{server
[service-group]
| service-group}
[scan-all-members]
Changes the granularity of cookie persistence.
server The cookie inserted into the HTTP
header of the server reply to a client ensures that
subsequent requests from the client for the same
VIP are sent to the same real server. (This
assumes that all virtual ports of the VIP use the
same cookie persistence template with match-type set to server.)
Without this option, the default behavior is used:
subsequent requests from the client will be sent
to the same real port on the same real server.
server service-group Sets the granularity to the same as server, and also enables cookie
persistence to be used along with URL switching
or host switching. Without the service-group
option, URL switching or host switching can be
used only for the initial request from the client.
After the initial request, subsequent requests are
always sent to the same service group.
service-group This option enables support for URL switching and host switching,
along with the default cookie persistence behavior.
scan-all-members This option scans all
members bound to the template. This option is
useful in configurations where match-type
Note:
[no] name
cookie-name
[no] path
path-name
Default
Note:
Although the default is 10 years (essentially, unlimited), the maximum configurable expiration is one year.
insert-always Disabled. The AX device inserts a persistence cookie
only if the client request does not already contain a persistence cookie
inserted by the AX device, or if the server referenced by the cookie is
unavailable.
match-type The default match type is port. (There is no port key-
Mode
Configure
Usage
from the client will be sent to the same real port on the same real server.
URL switching or host switching can be used only for the first request.
The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename-vport=rserverIP_rport
The vport is the virtual port number. The rserverIP is the real server IP
address and the rport is the real server port number.
Note:
The port option is shown in parentheses because the CLI does not have a
port keyword. If you do not set the match type to server (see below),
the match type is automatically port.
match-type server Subsequent requests from the client for the same
VIP will be sent to the same real server, provided that all virtual ports of
the VIP use the same cookie persistence template with match-type set to
server. URL switching or host switching can be used only for the first
request.
The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename=rserverIP
match-type (port) service-group Subsequent requests from the client
will be sent to the same real port on the same real server, within the service group selected by URL switching or host switching. URL switching or host switching, if configured, is still used for every request.
The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename-vport-servicegroupname=rserverIP_rport
match-type server service-group Subsequent requests from the client
for the same VIP will be sent to the same real server, within the service group selected by URL switching or host switching. URL
switching or host switching, if configured, is still used for every request.
The cookie that the AX device inserts into the server reply has the following format:
Set-Cookie: cookiename-servicegroupname=rserverIP
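Because all four cookie formats above carry the real server IP address (and, at port granularity, the real port) in clear text, a client that receives the cookie learns the backend addressing. The following Python parser is an added example, not A10 code: it decodes the four formats and lists the internal addresses a set of responses reveals. The function names, the cookie name axpersist, and the sample headers are constructed for illustration, and the configured cookie name is passed in because cookie and service-group names can themselves contain hyphens.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PersistCookie:
    match_type: str               # "port", "server", or either plus " service-group"
    vport: Optional[int]          # virtual port number (port granularity only)
    service_group: Optional[str]  # present only with the service-group option
    server_ip: str                # real server IP address carried in the value
    server_port: Optional[int]    # real server port (port granularity only)
    internal_address: bool        # True when the IP is in a private range


def parse_persist_cookie(header: str, cookie_name: str) -> Optional[PersistCookie]:
    """Decode one Set-Cookie header; return None if it is not a persistence cookie."""
    field, _, rest = header.partition(":")
    if field.strip().lower() != "set-cookie":
        return None
    # Only the first name=value pair matters; attributes such as path follow ";".
    name, eq, value = rest.split(";", 1)[0].strip().partition("=")
    if not eq:
        return None
    if name == cookie_name:
        suffix = ""
    elif name.startswith(cookie_name + "-"):
        suffix = name[len(cookie_name) + 1:]
    else:
        return None

    vport = server_port = None
    if "_" in value:
        # rserverIP_rport: the name suffix is "vport" or "vport-servicegroupname".
        ip_text, _, port_text = value.rpartition("_")
        vport_text, _, group = suffix.partition("-")
        if not (port_text.isdigit() and vport_text.isdigit()):
            return None
        vport, server_port = int(vport_text), int(port_text)
        match_type = "port"
    else:
        # rserverIP only: the name suffix is empty or "servicegroupname".
        ip_text, group = value, suffix
        match_type = "server"
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    if group:
        match_type += " service-group"
    return PersistCookie(match_type, vport, group or None, str(ip),
                         server_port, ip.is_private)


def leaked_backends(headers: List[str], cookie_name: str) -> List[str]:
    """Return the distinct internal server IPs exposed by the given headers."""
    found = set()
    for header in headers:
        cookie = parse_persist_cookie(header, cookie_name)
        if cookie and cookie.internal_address:
            found.add(cookie.server_ip)
    return sorted(found)


# Constructed sample headers, one per format described above plus an unrelated cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: axpersist-80=10.0.0.5_8080; path=/",
    "Set-Cookie: axpersist=10.0.0.5",
    "Set-Cookie: axpersist-80-http-sg1=10.0.0.6_8080",
    "Set-Cookie: axpersist-http-sg1=10.0.0.6",
    "Set-Cookie: JSESSIONID=abc123",
]

if __name__ == "__main__":
    for line in SAMPLE_HEADERS:
        print(parse_persist_cookie(line, "axpersist"))
    print("internal addresses exposed:", leaked_backends(SAMPLE_HEADERS, "axpersist"))
```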
Syntax
Description
Name of the template, 1-31 characters.
This command changes the CLI to the configuration level for the specified
persistence template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
[no] dont-honor-conn-rules
[no] match-type
{server |
service-group}
[scan-all-members]
Description
The configuration does not have a default destination-IP persistence template. If you configure one, it has the following defaults:
dont-honor-conn-rules Disabled; by default, the connection limit set
address and port is always sent to the same real port. This is the most
granular setting. (There is no port keyword.)
netmask 255.255.255.255
timeout 5 minutes
Mode
Configure
Usage
The normal form of this command creates a destination-IP persistence template. The no form of this command removes the template.
You can bind only one destination-IP persistence template to a virtual port.
However, you can bind the same destination-IP persistence template to
multiple ports.
Example
Syntax
Description
Name of the template, 1-31 characters.
Description
[no] dont-honor-conn-rules
[no] match-type
{server |
service-group}
[scan-all-members]
Note:
The match type for FWLB is always server, which sets the granularity of
source-IP persistence to individual firewalls, not firewall groups or individual service ports.
[no] netmask ipaddr
[no] timeout timeout-minutes
Specifies how many minutes the mapping remains persistent after the last time traffic from the client is sent to the server. You can specify 1-2000 minutes (about 33 hours).
Note:
The timeout for a source-IP persistent session will not be reset if the timeout in the source-IP persistence template is set to 1 minute. If the timeout is set to 1 minute, sessions will always age out after 1 minute, even if they are active.
Default
same virtual port is always sent to the same real port. This is the most
granular setting. (There is no port keyword.)
For FWLB, the default is server and none of the other match-type
options are applicable.
netmask 255.255.255.255
timeout 5 minutes
Mode
Configure
Usage
Example
Syntax
Description
Name of the template, 1-31 characters.
This command changes the CLI to the configuration level for the specified
persistence template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
[no] dont-honor-conn-rules
Description
[no] timeout timeout-minutes
Specifies how many minutes the mapping remains persistent after the last time traffic with the SSL session ID is sent to the server. You can specify 1-250 minutes.
Default
The configuration does not have a default SSL session-ID persistence template. If you configure one, it has the following defaults:
dont-honor-conn-rules Disabled; by default, the connection limit set
Mode
Configure
Usage
Example
Description
[no] bw-list id id service {service-group-name | drop | reset} [logging [minutes] [fail]]
Specifies the action to take for clients in the black/white list:
id - Group ID in the black/white list.
service-group-name - Sends clients to the SLB service group associated with this group ID on the AX device.
drop - Drops connections for IP addresses that are in the specified group.
reset - Resets connections for IP addresses that are in the specified group.
logging [minutes] [fail] - Enables logging. The minutes option specifies how often messages can be generated. This option reduces overhead caused by frequent recurring messages.
[no] class-list client-ip {l3-dest | l7-header [header-name]}
Matches black/white list entries based on the client's destination IP address, instead of matching by client source address. By default, matching is based on the client's source IP address. Generally, this option is applicable when wildcard VIPs are used.
[no] class-list name name
[no] class-list lid num
Note:
Default
The AX device does not have a default PBSLB template. When you configure one, the template has the following default settings:
bw-list id None. Logging is disabled by default. If you enable it, the
Mode
Configure
Usage
Syntax
Description
Name of the template, 1-31 characters.
This command changes the CLI to the configuration level for the specified
real port template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Description
[no] conn-limit max-connections [resume connections] [no-logging]
Specifies the maximum number of connections
allowed on ports that use this template.
The max-connections option specifies the maximum number of concurrent connections,
0-1048575.
The resume connections option specifies
the maximum number of connections the port
can have before the AX device resumes use of
the port. You can specify 1-1048575 connections.
The no-logging option disables logging for the
feature.
[no] conn-rate-limit connections [per {100ms | 1sec}] [no-logging]
Limits the rate of new connections the AX device is allowed to send to ports that use this template. When a real port reaches its connection limit, the AX device stops selecting the port to serve client requests.
connections - Maximum of new connections allowed on the port. You can specify 1-1048575 connections.
per {100ms | 1sec} - Specifies whether the connection rate limit applies to one-second intervals or 100-ms intervals. The default is one-second intervals (1sec).
The no-logging option disables logging for the feature.
[no] dest-nat
Enables destination Network Address Translation (NAT) on ports that use this template.
Destination NAT is enabled by default, but is
automatically disabled in Direct Server Return
(DSR) configurations. You can re-enable destination NAT on individual ports for deployment of
[no] dynamic-member-priority num decrement delta
Configure service-group priority settings for
ports on dynamically created servers. The num
option sets the initial TTL for dynamically created service-group members, and can be 1-16.
The delta option specifies how much to decrement the TTL if the IP address is not included in
the DNS reply, and can be 0-7. When configuring
the service group, add the port template to the
member.
[no] health-check [monitor-name]
[no] inband-health-check [retry maximum-retries] [reassign maximum-reassigns]
Supplements the standard Layer 4 health checks by using client-server traffic to check the health of service ports.
retry maximum-retries - Each client-server session has its own retry counter. The AX device increments a session's retry counter each time a SYN ACK is late. If the retry counter exceeds the configured maximum number of retries allowed, the AX device sends the next SYN for the session to a different server. The AX device also
[no] weight number
The AX device has a default real port template, called default. The default
port template has the same default settings as the individual parameters you
can configure in the template. Here are the defaults:
conn-limit 8000000 (8 million)
conn-rate-limit Not set; when enabled, the default sampling rate is
per 1-sec.
dest-nat Not set
dscp Not set
dynamic-member-priority priority 16 and delta 0
health-check If you omit this command or you enter it without the
Mode
Configure
Usage
The normal form of this command creates a real port template. The no
form of this command removes the template.
You can bind only one real port template to a real port. However, you can
bind the real port template to multiple real ports.
on the individual port, the setting on the individual port takes precedence.
If a parameter is set (or changed from its default) in a template but is not
set or changed from its default on the individual port, the setting in the
template takes precedence.
If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection
counter for the virtual port or server in show command output and in the
GUI may become incorrect. To avoid this, do not change the connection
limiting configuration until the virtual server or port does not have any
active connections.
Example
The following commands configure a real port template named commonrpsettings, enable slow-start in the template, and bind the template to a real
port:
Description
Name of the template, 1-31 characters.
This command changes the CLI to the configuration level for the specified
real server template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
Description
[no] conn-limit
max-connections
[resume
[no] conn-rate-limit connections [per {100ms | 1sec}] [no-logging]
Limits the rate of new connections the AX device
is allowed to send to servers that use this template. When a real server reaches its connection
limit, the AX device stops selecting the server for
client requests.
connections Maximum of new connections
allowed on a server. You can specify 1-1048575
connections.
per {100ms | 1sec} Specifies whether
the connection rate limit applies to one-second
intervals or 100-ms intervals.
The no-logging option disables logging for the
feature.
[no] dns-query-interval minutes
Specifies how often the AX device sends DNS
queries for the IP addresses of dynamic real servers. You can specify 1-1440 minutes (one day).
[no] dynamic-server-prefix string
Specifies the prefix added to the front of dynamically created servers. You can specify a string of 1-3 characters.
[no] max-dynamic-server num
[no] slow-start [from starting-conn-limit] [times scale-factor | add conn-incr] [every interval] [till ending-conn-limit]
Provides time for real ports that use the template to ramp up after TCP/UDP service is enabled, by temporarily limiting the number of new connections on the ports.
from starting-conn-limit - Maximum number of concurrent connections to allow on the server after it first comes up. You can specify from 1-4095 concurrent connections. The default is 128.
times scale-factor | add conn-incr Amount by
which to increase the maximum number of con-
Default
per 1-sec.
dns-query-interval 10 minutes
dynamic-server-prefix DRS (for Dynamic Real Servers)
Mode
Configure
Usage
The normal form of this command creates a real server template. The no
form of this command removes the template.
You can bind only one real server template to a real server. However, you
can bind the real server template to multiple real servers.
Some of the parameters that can be set using a template can also be set or
changed on the individual server.
If a parameter is set (or changed from its default) in both a template and
on the individual server, the setting on the individual server takes precedence.
If a parameter is set (or changed from its default) in a template but is not
set or changed from its default on the individual server, the setting in the
template takes precedence.
If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection
counter for the virtual port or server in show command output and in the
GUI may become incorrect. To avoid this, do not change the connection
limiting configuration until the virtual server or port does not have any
active connections.
The following commands configure a real server template called rstmplt1 and bind the template to two real servers:
Example
Description
template-name
This command changes the CLI to the configuration level for the specified
server-SSL template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Description
Default
The configuration does not have a default server-side SSL template. If you
create one, all the cipher suite options listed in the Syntax section are
enabled by default.
Mode
Configure
Usage
Configure separate load balancing of Session Initiation Protocol (SIP) registration traffic and non-registration traffic for SIP clients.
Note:
Except for the timeout command, none of the commands in this section are applicable to SIP over TCP/TLS. To configure a template for SIP over TCP/TLS, see slb template sip (SIP over TCP/TLS) on page 358.
Syntax
[no] slb template sip template-name
Parameter
Description
template-name
This command changes the CLI to the configuration level for the specified
SIP template, where the following commands are available:
Command
Description
Default
The configuration does not have a default SIP over UDP template. If you
create one, the default timeout is 30 minutes. The other parameters are unset
by default.
Mode
Configure
Usage
The normal form of this command creates a SIP configuration template. The
no form of this command removes the template.
You can bind only one SIP template to a virtual port. However, you can bind
the same SIP template to multiple ports.
Example
Configure separate load balancing of Session Initiation Protocol (SIP) registration traffic and non-registration traffic for SIP over TCP/TLS.
Note:
Except for the timeout command, none of the commands in this section are applicable to SIP over UDP. To configure a template for SIP over UDP, see slb template sip (SIP over UDP) on page 356.
Syntax
Description
Name of the template, 1-31 characters.
This command changes the CLI to the configuration level for the specified
SIP template, where the following commands are available:
Description
[no] client-keep-alive
Note:
Note:
Regardless of the settings for this option, the AX device never translates
addresses in Call-ID or X-Forwarded-For headers.
[no] insert-client-ip
[no] select-client-fail {string | drop}
Specifies the AX response when selection of a SIP client fails. You can specify one of the following:
string Message string to send to the server; for
example: 480 Temporarily Unavailable. If the
Note:
[no] select-server-fail {string | drop}
Specifies the AX response when selection of a SIP server fails. You can specify one of the following:
string - Message string to send to the client; for example: 504 Server Time-out. If the message string contains a blank, use double quotation marks around the string.
drop - Drops the traffic.
[no] timeout minutes
Default
The configuration does not have a default SIP over TCP/TLS template. If
you create one, the template has the following default settings, for the
parameters that are applicable to SIP over TCP/TLS:
client-keep-alive Disabled
exclude-translation Not set. The AX device does not translate
Mode
Configure
Usage
The normal form of this command creates a SIP configuration template. The
no form of this command removes the template.
You can bind only one SIP template to a virtual port. However, you can bind
the same SIP template to multiple ports.
Example
Syntax
Description
template-name
This command changes the CLI to the configuration level for the specified
SMTP template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Description
Disables support of the specified SMTP commands. If a client tries to issue a disabled SMTP
command, the AX sends the following message
to the client: 502 - Command not implemented
If you enter this command without specifying a
command name, all the listed SMTP commands
(VRFY, EXPN, and TURN) are disabled.
[no] service-ready-message string
Default
The configuration has a default SMTP template, with the following settings:
client-domain-switching Not set. All client domains match, and any
To display the default SMTP template settings, use the show slb template
smtp default command.
Usage
Example
The following commands configure an SMTP template named secure-mail. The template enforces use of STARTTLS by mail clients, disables client use of certain SMTP commands, and directs clients to a service group based on client domain.
AX(config)#slb template smtp secure-mail
AX(config-SMTP template)#starttls enforced
AX(config-SMTP template)#command-disable expn turn vrfy
AX(config-SMTP template)#client-domain-switching contains hq service-group smtp-sg1
AX(config-SMTP template)#client-domain-switching contains northdakota service-group smtp-sg2
Example
The following commands configure an SMTP template called smtp-domain. The template uses client domain switching to select a service group based on the email client's domain. Clients from any domain that starts with smb are sent to service group smtp-sg1. Clients whose domain name does not start with smb and whose domain name contains company1 are sent to service group smtp-sg2. Clients whose domain name does not match on the starts-with or contains strings and ends with .com are sent to service group smtp-sg3.
AX(config)#slb template smtp smtp-domain
AX(config-SMTP template)#client-domain-switching starts-with smb service-group smtp-sg1
AX(config-SMTP template)#client-domain-switching contains company1 service-group smtp-sg2
AX(config-SMTP template)#client-domain-switching ends-with .com service-group smtp-sg3
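The matching order described for the smtp-domain template can be checked offline before a change is committed. The following Python sketch is an added example, not code from the AX documentation or from A10 Networks: it parses the client-domain-switching lines and reports which service group each client domain would reach. Case-insensitive comparison, configuration order within one match type, and the None result for unmatched domains are assumptions of the sketch.

```python
import re

# Order in which the match types are applied, as the smtp-domain example
# describes it: starts-with, then contains, then ends-with.
PRECEDENCE = ("starts-with", "contains", "ends-with")

RULE_RE = re.compile(
    r"client-domain-switching\s+(starts-with|contains|ends-with)\s+(\S+)"
    r"\s+service-group\s+(\S+)"
)

# The smtp-domain template from the example above, as typed at the CLI.
SMTP_DOMAIN_TEMPLATE = """\
AX(config)#slb template smtp smtp-domain
AX(config-SMTP template)#client-domain-switching starts-with smb service-group smtp-sg1
AX(config-SMTP template)#client-domain-switching contains company1 service-group smtp-sg2
AX(config-SMTP template)#client-domain-switching ends-with .com service-group smtp-sg3
"""


def parse_rules(config_text):
    """Return (match_type, string, service_group) for each switching rule."""
    matches = map(RULE_RE.search, config_text.splitlines())
    return [m.groups() for m in matches if m]


def select_service_group(rules, client_domain):
    """Return (service_group, matching_rule) for a client domain.

    Assumptions of this sketch: comparison is case-insensitive, rules of the
    same match type are tried in configuration order, and a domain that
    matches nothing returns (None, None).
    """
    domain = client_domain.strip().lower()
    tests = {
        "starts-with": domain.startswith,
        "contains": lambda s: s in domain,
        "ends-with": domain.endswith,
    }
    for match_type in PRECEDENCE:
        for rule_type, string, group in rules:
            if rule_type == match_type and tests[match_type](string.lower()):
                return group, f"{rule_type} {string}"
    return None, None


def audit(rules, domains):
    """Map each domain to the service group and rule that would select it."""
    return {d: select_service_group(rules, d) for d in domains}


# Constructed sample domains, not taken from the guide.
SAMPLE_DOMAINS = [
    "smb.company1.com",   # starts-with wins although "contains" also matches
    "mail.company1.com",
    "example.com",
    "example.org",        # matches no rule
]

if __name__ == "__main__":
    results = audit(parse_rules(SMTP_DOMAIN_TEMPLATE), SAMPLE_DOMAINS)
    for domain, (group, rule) in results.items():
        print(f"{domain:20} -> {group} ({rule})")
```
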
Syntax
Description
template-name
This command changes the CLI to the configuration level for the specified
streaming-media template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
Description
[no] uri-switching stream uri-string service-group group-name
Note:
Default
Mode
Configure
Usage
Example
Syntax
Description
Name of the template, 1-31 characters.
This command changes the CLI to the configuration level for the specified
TCP template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
Description
Note:
Default
[no] reset-fwd
Sends a TCP RST to the real server after a session times out.
[no] reset-rev
If the server is Down, the reset-rev option immediately sends the RST to
the client and does not wait for the session to time out.
The configuration has a default TCP template, with the following default
settings:
half-close-idle-timeout Not set. The AX device keeps half-closed ses-
If SYN cookies are enabled, either globally or on the virtual service port,
the AX device acts as a TCP proxy even though the service type is not
normally proxied. In this case, the behavior is the same as for any of the
other service types TCP proxied by the AX device.
reset-fwd Disabled
reset-rev Disabled
Mode
Configure
Usage
The following commands change the idle timeout in TCP template tcptmpl2 to 120 seconds:
Example
The following commands configure a TCP template named test that sets
the TCP window size to 1460 bytes, and bind the template to virtual service
port 22 on virtual server vs1:
Syntax
Description
Name of the template, 1-31 characters.
This command changes the CLI to the configuration level for the specified
TCP-proxy template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
Description
[no] fin-timeout seconds
Specifies the number of seconds that a connection can be in the FIN-WAIT or CLOSING state before the AX Series terminates the connection. You can specify 1-60 seconds.
[no] mss
[no] nagle
Enables Nagle congestion compression (described in RFC 896).
[no] retransmit-retries number
[no] timewait
number
Default
The configuration has a default TCP template, with the following default
settings:
fin-timeout 5 seconds
half-close-idle-timeout Not set. The AX device keeps half-closed ses-
Note:
mss 538
nagle disabled
Mode
Configure
Usage
The normal form of this command creates a TCP-proxy configuration template. The no form of this command removes the template.
You can bind only one TCP-proxy template to a virtual port. However, you
can bind the same TCP-proxy template to multiple ports.
Example
Description
template-name
This command changes the CLI to the configuration level for the specified
UDP template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
Description
aging
{immediate |
Note:
The configuration has a default UDP template. The template has the following defaults:
aging Not set. The idle-timeout value in the template is used instead.
idle-timeout 120 seconds
re-select-if-server-down disabled
Mode
Configure
Usage
Note:
TABLE 3
Aging
Configuration
Current
Release
Aging Short
Response Received
Session is terminated
within 1 second.
Aging Immediate
Response Received
Session is terminated
within 1 second.
No Response Session is
terminated after configured short aging period.
If you enable short aging, you can set the aging interval to 1-6 seconds. The
default short aging period is 3 seconds.
Example
Description
template-name
This command changes the CLI to the configuration level for the specified
virtual port template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
Description
[no] conn-limit max-connections [reset] [no-logging]
Specifies the maximum number of connections
allowed on virtual ports that use this template.
The AX device has a default virtual port template, called default. The
default virtual port template has the same default settings as the individual
parameters you can configure in the template. Here are the defaults:
conn-limit 8000000 (8 million)
conn-rate-limit Not set; when enabled, the default sampling rate is
per 1-sec.
Mode
Configure
Usage
The normal form of this command creates a virtual service port template.
The no form of this command removes the template.
You can bind only one virtual service port template to a virtual service port.
However, you can bind the virtual service port template to multiple virtual
service ports.
Some of the parameters that can be set using a template can also be set or
changed on the individual virtual port.
If a parameter is set (or changed from its default) in both a template and
on the individual virtual port, the setting on the individual virtual port
takes precedence.
If a parameter is set (or changed from its default) in a template but is not
set or changed from its default on the individual virtual port, the setting
in the template takes precedence.
If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection
counter for the virtual port or server in show command output and in the
GUI may become incorrect. To avoid this, do not change the connection
limiting configuration until the virtual server or port does not have any
active connections.
Description
Name of the template, 1-31 characters.
This command changes the CLI to the configuration level for the specified
virtual server template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
Description
[no] conn-limit max-connections [reset] [no-logging]
Specifies the maximum number of connections allowed on virtual servers that use this template.
The max-connections option specifies the maximum number of concurrent connections, 0-1048575.
The reset option specifies the action to take for connections after the connection limit is reached on the virtual server. By default, excess connections are dropped. If you change the action to reset, the connections are reset instead.
The no-logging option disables logging for the feature.
Note:
This option applies only to VIPs that are created using a range of subnet IP addresses. The option has no effect on VIPs created with a single IP address.
Default
The AX device has a default virtual server template, called default. The
default virtual server template has the same default settings as the individual
parameters you can configure in the template. Here are the defaults:
conn-limit 8000000 (8 million)
conn-rate-limit Not set; when enabled, the default sampling rate is
per 1-sec.
icmp-rate-limit Not set. If you enable it, specifying a maximum rate
(lockup rate) and lockup time is optional. If you do not specify them,
lockup does not occur.
subnet-gratuitous-arp Disabled. The AX device sends gratuitous
Configure
Usage
The normal form of this command creates a virtual server template. The
no form of this command removes the template.
You can bind only one virtual server template to a virtual server. However,
you can bind the virtual server template to multiple virtual servers.
Some of the parameters that can be set using a template can also be set or
changed on the individual virtual server.
If a parameter is set (or changed from its default) in both a template and
set or changed from its default on the individual virtual server, the setting in the template takes precedence.
If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection
counter for the virtual port or server in show command output and in the
GUI may become incorrect. To avoid this, do not change the connection
limiting configuration until the virtual server or port does not have any
active connections.
Example
The following commands configure a virtual server template called vstmplt1 that sets ICMP rate limiting, and bind the template to a virtual
server:
Note:
This CLI level also has the following commands, which are available at all
configuration levels:
clear See clear on page 49.
debug See debug on page 52.
do See do on page 103.
end See end on page 107.
exit See exit on page 107.
no See no on page 135.
show See Show Commands on page 535.
write See write terminal on page 67.
conn-limit
Description
Syntax
Description
Real server
Usage
If you set a connection limit, A10 Networks recommends that you also set
the conn-resume interval. (See conn-resume on page 380.)
You also can set the connection limit on individual protocol ports. In this
case, the limit specified for the port overrides the limit set at the server
level.
Example
conn-resume
Description
Specify the maximum number of connections the server can have before the AX device resumes use of the server. Use does not resume until the number of connections reaches the configured maximum or less.
Syntax
[no] conn-resume connections
Parameter
Description
connections
Default
By default, this option is not set. The AX device is allowed to start sending
new connection requests to the server as soon as the number of connections
on the server falls back below the connection limit threshold set by the
conn-limit command.
Mode
Real server
Usage
You also can set the conn-resume value on individual protocol ports. In this
case, the value specified for the port overrides the value set at the server
level.
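The interaction between conn-limit and conn-resume described above is a hysteresis: with conn-resume unset, a server hovering at its limit is taken out of and put back into selection on every small change in load. The following Python model is an added example, not A10 code: it replays a constructed series of active-connection counts through both behaviors and counts the state changes. The class and function names are hypothetical, and the limit of 100 and resume value of 60 are constructed values.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class ConnGate:
    """Selection state of one real server (or port) under conn-limit."""
    conn_limit: int
    conn_resume: Optional[int] = None  # None models "option not set" (default)
    selectable: bool = True

    def observe(self, active: int) -> bool:
        """Update the state for the current number of active connections."""
        if self.selectable:
            # Reaching the connection limit stops selection of the server.
            if active >= self.conn_limit:
                self.selectable = False
        elif self.conn_resume is None:
            # Default: resume as soon as the count falls below conn-limit.
            self.selectable = active < self.conn_limit
        else:
            # conn-resume set: resume only at the configured value or less.
            self.selectable = active <= self.conn_resume
        return self.selectable


def effective(server_value: Optional[int], port_value: Optional[int]) -> Optional[int]:
    """A value set on the individual port overrides the server-level value."""
    return port_value if port_value is not None else server_value


def count_transitions(gate: ConnGate, samples: Iterable[int]) -> int:
    """Count how often the server enters or leaves selection."""
    flips = 0
    previous = gate.selectable
    for active in samples:
        current = gate.observe(active)
        if current != previous:
            flips += 1
        previous = current
    return flips


# Constructed load samples hovering around a connection limit of 100.
SAMPLES = [90, 100, 99, 100, 98, 100, 99, 100, 60, 50, 100]

if __name__ == "__main__":
    print("conn-resume unset:", count_transitions(ConnGate(100), SAMPLES))
    print("conn-resume 60:   ", count_transitions(ConnGate(100, 60), SAMPLES))
```
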
Example
disable
Description
Syntax
[no] disable
Default
Enabled
Mode
Real server
Example
enable
Description
Syntax
[no] enable
Default
Enabled
Mode
Real server
Example
external-ip
Description
Syntax
Default
None
Mode
Real server
Example
ha-priority-cost
Description
Syntax
Description
Specifies the amount to subtract from the HA group's priority value, if this server or port's health status changes to Down. You can specify 1-255.
ha-group group-id
Specifies the HA group from which to subtract the weight. If you do not specify an HA group ID, the weight is subtracted from all HA groups.
Default
None
Mode
Real server
Usage
If the server or port's status changes back to Up, the weight value is added back to the HA group's priority value.
If the HA priority of a group falls below the priority of the same group on the other AX device, HA failover can be triggered.
The lowest HA priority value a server or port can have is 1.
If HA weights for an HA group are assigned to both the server and an individual port, and both health checks are unsuccessful, only the server weight is subtracted from the HA group's priority.
For failover to occur due to HA priority changes, the HA pre-emption
health-check
Description
Syntax
Description
Name of a configured health monitor.
If you omit this command or you enter it without
the monitor-name option, the default ICMP
health monitor is used. (See below.)
Default
ICMP ping (echo request), sent every 5 seconds. If the ping fails 4 times
consecutively (the first attempt followed by 3 retries), the AX device sets
the server state to DOWN.
Mode
Real server
Usage
Entering the command at this level enables Layer 3 health checking. The
monitor you specify must use the ICMP method.
Example
The following command sets a server to use the RUthere health monitor:
ipv6
Description
Syntax
Default
None
Mode
Real server
port
Description
Syntax
Description
Protocol port number, 0-65534.
Note: Port number 0 is a wildcard port used for
IP protocol load balancing. (For more information, see the IP Protocol Load Balancing chapter of the AX Series Configuration Guide.)
tcp | udp
Protocol type.
Description
[no] conn-limit number
[no] disable
[no] enable
[no] ha-priority-cost weight [ha-group group-id]
Enables health monitoring of the port. The monitor-name specifies the name of a configured
health monitor.
If you omit this command or you enter it without
the monitor-name option, the default TCP or
UDP health monitor is used:
TCP: Every 5 seconds, the AX device sends a connection request (TCP SYN) to
the specified TCP port on the server. The port passes the health check if the
server replies to the AX device by sending a TCP SYN ACK.
UDP: Every 5 seconds, the AX device sends a packet with a valid UDP header
and a garbage payload to the UDP port. The port passes the health check if the
server either does not reply, or replies with any type of packet except an
ICMP Error message.
The follow-port port-num option specifies another real port upon which to
base this port's health status. Both the real port and the port to use for the
real port's health status must be the same type, TCP or UDP. By default, this
option is not set.
[no] no-ssl
[no] weight number
Default
No ports are configured by default. The defaults for the command options
are described with the options, above. Statistical data collection of load-balancing resources is enabled by default.
Mode
Real server
The no form of this command resets the port's connection limit, health
monitoring, or weight to its default value. To collect statistical data for a
load-balancing resource, statistical data collection also must be enabled
globally. (See stats-data-enable on page 159.)
Example
The following commands configure server terap and add TCP port 69 to
the server. The health-check command is not entered, so by default the AX
device will check the service port's health by sending a connection request
to 69 on terap every 30 seconds.
slow-start
Description
Enable slow-start for a server. Slow start allows time for a server to ramp up
after the server is enabled or comes online, by temporarily limiting the
number of new connections on the server.
Syntax
[no] slow-start
Default
Disabled
Mode
Real server
Usage
Example
AX(config-real server)#slow-start
spoofing-cache
Description
Enable support for a spoofing cache server. A spoofing cache server uses
the client's IP address instead of its own as the source address when obtaining content requested by the client.
Syntax
[no] spoofing-cache
Default
Disabled
Mode
Real server
Example
stats-data-disable
Description
Syntax
Default
Mode
Real server
stats-data-enable
Description
Syntax
Default
Mode
Real server
Usage
To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See stats-data-enable on
page 159.)
template server
Description
Syntax
The real server template named default is bound to servers by default. The
parameter settings in the default real server template are automatically
applied to the new server, unless you bind a different real server template to
the server.
Mode
Real server
Usage
Example
The following commands configure a real server template called rstmplt1 and bind the template to two real servers:
weight
Description
Syntax
Description
Administrative weight assigned to the server.
You can specify 1-100.
Default
Mode
Real server
Usage
Example
AX(config-real server)#weight 20
health-check
Description
Use a health monitor to check the health of all members of the service
group.
Syntax
[no] health-check monitor-name
Parameter
Description
monitor-name
Default
None
Mode
Service group
Usage
The health monitor is used to test the health of all members of the service
group, including any members that are added in the future.
Service group health status applies only within the context of the service
group. For example, a health check of the same port from another service
group can result in a different health status, depending on the resource
requested by the health check.
Health checks can be applied to the same resource (real server or port) at the
following levels:
In a service group that contains the server and port as a member
In a server or server port configuration template that is bound to the
server or port
Directly on the individual server or port
In cases where health checks are applied at multiple levels, they have the
following priority:
1. Health check on real server
2. Health check on real server's port
3. Health check on service group
If a health check at the real server level (1) fails, the corresponding real
server, real server port, and service group members are marked Down.
However, if a health check on the service group level (3) fails, only that service group member in that service group is marked Down.
Example
The following commands configure a health monitor and apply it to a service group:
member
Description
Syntax
priority num
template template-name
stats-data-disable |
stats-data-enable
Default
Description
There are no servers in a service group by default. When you add a server
and port to the service group, the default state is enabled and the default priority is 1. Statistical data collection of load-balancing resources is enabled
by default.
To configure a real port template, see slb template port on page 344.
Mode
Service group
Usage
The normal form of this command adds a configured server to the service
group. The no form of this command removes the server from the group.
Example
The following command adds a member server and port to a service group
and binds a real port template to the port:
method
Description
Syntax
Description
lb-method
Load-balancing method:
fastest-response: Selects the server with the fastest SYN-ACK response time.
least-connection: Selects the server that currently has the fewest
connections.
service-least-connection: Selects the server port that currently has the
fewest connections. If there is a tie, the port (among those tied) that has
the lowest number of request bytes plus response bytes is selected. If there
is still a tie, a port is randomly selected from among the ones that are still
tied.
weighted-least-connection: Selects a server based on a combination of the
server's administratively assigned weight and the number of connections on the
server. (To assign a weight to a server, see weight on page 389.)
The following methods apply only to stateless SLB. (See Usage for
more information.)
stateless-src-ip-hash: Balances server load based on a hash value calculated
using the source IP address and source TCP or UDP port.
stateless-src-dst-ip-hash: Balances server load based on a hash value
calculated using both the source and destination IP addresses and TCP or UDP
ports.
stateless-dst-ip-hash: Balances server load based on a hash value calculated
using the destination IP address and destination TCP or UDP port.
stateless-per-pkt-round-robin
Round Robin. This method selects servers in rotation but does not take
server weight into account.
Note:
Round Robin is not one of the methods you can specify. If you do not
specify a method, you get Round Robin. To reset a service group to use
Round Robin, enter the no method command.
Mode
Service group
Usage
The fastest-response method takes effect only if the traffic rate on the servers is at
least 5 connections per second (per server). If the traffic rate is lower, the first
server in the service group usually is selected.
A given real server can be used in only one stateless SLB service group. A
real server that is in a stateless SLB service group can not be used in any
other service groups.
Graceful transitions between stateful and stateless SLB in a service group
are not supported.
Mega-proxies may interfere with equal balancing of traffic load among the
multiple data CPUs. In this case, for DNS traffic only, try using the stateless-per-pkt-round-robin method.
Note:
The stateless-per-pkt-round-robin method is valid only for DNS traffic.
Example
The following example sets the load-balancing method for a service group
to least-connection:
Example
The following commands configure a stateless SLB service group for UDP
traffic:
min-active-member
Description
Use backup servers even if some primary servers are still up.
Syntax
Description
num
skip-pri-set
By default, the servers with the highest priority value are the primary servers. All other servers are backups only, and are used only if all the primary
servers are unavailable.
When you use this command, the skip-pri-set option is disabled by default,
for all load-balancing methods except round-robin. For round-robin (the
default), skip-pri-set is always enabled and can not be disabled.
Mode
Service group
Usage
Primary and backup servers are designated based on member priority (set
with the member command). For example, if a service group contains real
servers with the following priority settings, real servers s1, s2, and s3 are the
primary servers. Real servers s4 and s5 are backup servers.
s1 priority 16
s2 priority 16
s3 priority 16
s4 priority 8
s5 priority 8
reset-on-server-selection-fail
Description
Syntax
[no] reset-on-server-selection-fail
Default
Disabled
Mode
Service group
Usage
The TCP template reset-rev option also can be used to send a RST to clients. In AX releases prior to 2.2.2, the reset-rev option would send a RST in
response to a server selection failure. In AX Release 2.2.2 and later, this is
no longer true. The reset-on-server-selection-fail option must be used
instead.
stats-data-disable
Description
Syntax
stats-data-disable
Default
Mode
Service group
stats-data-enable
Description
Syntax
stats-data-enable
Default
Mode
Service group
Usage
To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See stats-data-enable on
page 159.)
Note:
This CLI level also has the following commands, which are available at all
configuration levels:
clear See clear on page 49.
debug See debug on page 52.
do See do on page 103.
end See end on page 107.
exit See exit on page 107.
no See no on page 135.
show See Show Commands on page 535.
write See write terminal on page 67.
arp-disable
Description
Syntax
[no] arp-disable
Default
Mode
Virtual server
Usage
Use this command if you do not want the AX Series device to reply to ARP
requests to the virtual server's IP address. For example, you can use this
disable
Description
Syntax
Description
when-all-ports-down
Automatically disables the virtual server if all its
service ports are down. If OSPF redistribution of
the VIP is enabled, the AX device also withdraws the route to the VIP in addition to disabling the virtual server.
Default
Mode
Virtual server
Example
enable
Description
Syntax
Default
Enabled
Mode
Virtual server
ha-dynamic
Description
Syntax
Description
Amount to subtract from the HA group's priority
value for each real server that becomes unavailable. The weight can be 1-255.
Default
Not set
Mode
Virtual server
Example
ha-group
Description
Syntax
Default
None.
Mode
Virtual server
Example
port
Description
Syntax
Description
port
service-type
Default
N/A
Mode
Virtual server
Usage
The normal form of this command creates a new or edits an existing virtual
port. The CLI changes to the configuration level for the virtual port. (See
Config Commands: SLB Virtual Server Ports on page 409.)
The no form of this command removes the specified virtual port from the
current virtual server.
The following example creates a new (or edits an existing) virtual port:
redistribution-flagged
Description
Syntax
[no] redistribution-flagged
Default
Not set. The VIP is automatically redistributed if VIP redistribution is enabled in
OSPF.
Mode
Virtual server
Usage
Use this option if you want to redistribute only some of the VIPs rather than
all of them.
Selective VIP redistribution also requires configuration in OSPF. See the
description of the vip option in redistribute on page 260.
stats-data-disable
Description
Syntax
stats-data-disable
Default
Mode
Virtual server
stats-data-enable
Description
Syntax
Default
Mode
Virtual server
Usage
To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See stats-data-enable on
page 159.)
template policy
Description
Syntax
Default
None
Mode
Virtual server
Usage
template virtual-server
Description
Syntax
Default
Mode
Virtual server
Usage
If a parameter is set individually on this virtual server and also is set in a virtual server template bound to this virtual server, the individual setting on
this virtual server is used instead of the setting in the template.
The following commands configure a virtual server template called vstmplt1 that sets ICMP rate limiting, and bind the template to a virtual
server:
access-list
Description
Syntax
Description
Number of a configured IPv4 ACL (acl-num), or
the name of a configured IPv6 ACL
(name acl-name).
N/A
Mode
Virtual port
Usage
Example
aflex
Description
Syntax
Description
Name of a configured aFleX policy.
Default
N/A
Mode
Virtual port
Usage
The normal form of this command applies the specified aFleX policy to the
port.
The no form of this command removes the aFleX policy from the port.
For more information about aFleX policies, see the AX Series aFleX
Scripting Language Reference Guide.
Example
conn-limit
Description
Syntax
Description
number
reset
Sends a connection reset to the client, if the connection limit has been reached. If you omit this
option, the connection is silently dropped and no
reset is sent to the client.
Default
Not set. If you set a limit, the default action for any new connection request
after the limit has been reached is to silently drop the connection, without
sending a reset to the client.
Mode
Virtual port
Usage
The normal form of this command changes the current port's connection
limit.
The no form of this command resets the port's connection limit to its
default value.
The connection limit puts a hard limit on the number of concurrent
connections supported by the port. No more connections will be put on the
port if its number of current connections is already equal to or greater than
the limit.
If you change the connection limiting configuration on a virtual port or virtual server that has active sessions, or in a virtual-port or virtual-server template bound to the virtual server or virtual port, the current connection
counter for the virtual port or server in show command output and in the
GUI may become incorrect. To avoid this, do not change the connection
limiting configuration until the virtual server or port does not have any
active connections.
Example
def-selection-if-pref-failed
Description
Syntax
[no] def-selection-if-pref-failed
Default
Enabled
Mode
Virtual port
Usage
During SLB selection of the preferred server to use for a client request, SLB
checks the following configuration areas, in the order listed:
1. Layer 3-4 configuration items:
a. aFleX policies triggered by Layer 4 events
b. Policy-based SLB (black/white lists). PBSLB is a Layer 3 configuration item because it matches on IP addresses in black/white lists.
2. Layer 7 configuration items:
a. Cookie switching
b. aFleX policies triggered by Layer 7 events
c. URL switching
d. Host switching
3. Default service group. If none of the items above results in selection of a
server, the default service group is used.
If the configuration uses only one service group, this is the default
service group.
If the configuration uses multiple service groups, the default service
group is the one that is used if none of the templates used by the
configuration selects another service group instead.
For example, if the CLIENT_ACCEPTED event triggers the aFleX policy,
the policy is consulted first. Similarly, if the HTTP_REQUEST event triggers the aFleX policy, the policy is consulted only if none of the Layer 4
configuration items results in selection of a server.
The first configuration area that matches the client or VIP (as applicable) is
used, and the client request is sent to a server in the service group that is
applicable to that configuration area. For example, if the client's IP address
is in a black/white list, the service group specified by the list is used for the
client request.
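The lookup order described above, as an added Python sketch for reviewing which configuration area decides a given request (not A10 code and not part of the original reference). All names and sample addresses are hypothetical; aFleX policies are stood in for by Python callables, and longest-prefix matching in the black/white list and prefix matching for URL switching are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class Request:
    src_ip: str
    host: str = ""
    url: str = "/"
    cookies: Dict[str, str] = field(default_factory=dict)


Policy = Callable[[Request], Optional[str]]  # returns a service group or None


@dataclass
class VirtualPort:
    default_group: str
    aflex_l4: Optional[Policy] = None       # e.g. fired on CLIENT_ACCEPTED
    bw_list: Dict[str, int] = field(default_factory=dict)   # CIDR -> group id
    pbslb: Dict[int, str] = field(default_factory=dict)     # id -> action
    cookie_name: str = ""
    cookie_switch: Dict[str, str] = field(default_factory=dict)
    aflex_l7: Optional[Policy] = None       # e.g. fired on HTTP_REQUEST
    url_switch: Dict[str, str] = field(default_factory=dict)
    host_switch: Dict[str, str] = field(default_factory=dict)


def _svc(group: Optional[str]) -> Optional[str]:
    return None if group is None else "service " + group


def _pbslb(vp: VirtualPort, req: Request) -> Optional[str]:
    """Match the client address against the black/white list (most specific wins)."""
    addr = ipaddress.ip_address(req.src_ip)
    best = None
    for cidr, group_id in vp.bw_list.items():
        net = ipaddress.ip_network(cidr)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, group_id)
    return vp.pbslb.get(best[1]) if best else None


def _url(vp: VirtualPort, req: Request) -> Optional[str]:
    for prefix, group in vp.url_switch.items():
        if req.url.startswith(prefix):
            return _svc(group)
    return None


def select(vp: VirtualPort, req: Request) -> Tuple[str, str]:
    """Return (configuration area that decided, decision) in the documented order."""
    areas = (
        # 1. Layer 3-4 items
        ("aflex-l4", lambda: _svc(vp.aflex_l4(req)) if vp.aflex_l4 else None),
        ("pbslb", lambda: _pbslb(vp, req)),
        # 2. Layer 7 items
        ("cookie", lambda: _svc(
            vp.cookie_switch.get(req.cookies.get(vp.cookie_name, "")))),
        ("aflex-l7", lambda: _svc(vp.aflex_l7(req)) if vp.aflex_l7 else None),
        ("url", lambda: _url(vp, req)),
        ("host", lambda: _svc(vp.host_switch.get(req.host))),
    )
    for area, check in areas:
        decision = check()
        if decision is not None:
            return area, decision
    # 3. Nothing matched: default service group
    return "default", _svc(vp.default_group)


def sample_vport() -> VirtualPort:
    # Constructed configuration: group 2 -> srvcgroup2, group 4 -> drop.
    return VirtualPort(
        default_group="sg-web",
        bw_list={"198.51.100.0/24": 2, "203.0.113.0/24": 4},
        pbslb={2: "service srvcgroup2", 4: "drop"},
        cookie_name="srv", cookie_switch={"b": "sg-b"},
        url_switch={"/admin": "sg-admin"},
        host_switch={"static.example.com": "sg-static"},
    )


if __name__ == "__main__":
    vp = sample_vport()
    for r in (Request("203.0.113.7", url="/admin"), Request("192.0.2.1")):
        print(r.src_ip, r.url, "->", select(vp, r))
```

Because Layer 4 aFleX policies come first in the list, a policy that selects a server on CLIENT_ACCEPTED decides the request before the black/white list is consulted; the sketch makes that visible when `aflex_l4` is set.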
disable
Description
Syntax
Default
Enabled
Mode
Virtual port
Example
enable
Description
Syntax
Default
Enabled
Mode
Virtual port
Example
gslb-enable
Description
Enable a DNS port to function as a proxy for Global Server Load Balancing
(GSLB) for this virtual port.
Note:
Syntax
[no] gslb-enable
Default
Disabled
Mode
Virtual port
Usage
Example
ha-conn-mirror
Description
Syntax
[no] ha-conn-mirror
Default
Disabled.
Mode
Virtual port
Usage
Connection mirroring applies to HA configurations. When connection mirroring is enabled, the Active AX Series device sends information about
active client connections to the Standby AX Series device. If a failover
occurs, the newly Active AX device continues service for the session. The
client perceives very brief or no interruption.
When connection mirroring is disabled, client session information is lost.
Clients must establish new connections.
In HA deployments, HA session synchronization is required for persistent
sessions (source-IP persistence, and so on), and is therefore automatically
enabled for these sessions by the AX device. Persistent sessions are synchronized even if session synchronization is disabled in the configuration.
Example
no-dest-nat
Description
Syntax
Default
Mode
Virtual port
Usage
Example
pbslb
Description
Syntax
Syntax
[no] pbslb id id
{service service-group-name | drop | reset}
[logging [minutes] [fail]]]
Syntax
Description
bw-list name
id id
{service
service-group-name | drop |
reset}
Note:
bw-list N/A
id N/A
logging Disabled. When logging is enabled, the default for minutes is 3.
over-limit drop
Mode
Virtual port
Usage
Example
The following commands bind black/white list sample-bwlist to the virtual port, assign clients in group 2 to service group srvcgroup2, and drop
clients in group 4:
reset-on-server-selection-fail
Description
Syntax
Default
Disabled
Mode
Service group
Usage
The TCP template reset-rev option also can be used to send a RST to clients. In AX releases prior to 2.2.2, the reset-rev option would send a RST in
response to a server selection failure. In AX Release 2.2.2 and later, this is
no longer true. The reset-on-server-selection-fail option must be used
instead.
service-group
Description
Syntax
Description
Service-group name.
Default
N/A
Mode
Virtual port
Usage
The normal form of this command binds the virtual port to the specified
service group. The no form of this command removes the binding.
One virtual port can be associated with one service group only, while one
service group can be associated with multiple virtual ports.
The type of service group and type of virtual port should match. For
example, a UDP service group can not be bound to an HTTP virtual port.
Example
The following examples bind a service group to a virtual port, then remove
the binding, respectively.
snat-on-vip
Description
Syntax
[no] snat-on-vip
Default
Disabled
Mode
Virtual port
Usage
The current release does not support source IP NAT on FTP or RTSP virtual ports.
source-nat
Description
Enable source NAT. Source NAT is required if the real servers are in a different subnet than the VIP.
Note:
Syntax
Description
Specifies the name of an IP pool of addresses to
use as source addresses.
Disabled.
Mode
Virtual port
Usage
Example
The following example enables source NAT for the virtual port:
stats-data-disable
Description
Syntax
stats-data-disable
Default
Mode
Virtual port
stats-data-enable
Description
Syntax
stats-data-enable
Default
Mode
Virtual port
Usage
To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See stats-data-enable on
page 159.)
syn-cookie
Description
Enable software-based SYN cookies for a virtual port. SYN cookies provide
protection against TCP SYN flood attacks.
Syntax
Enables clients to acknowledge receipt of individual TCP/IP packets. Using this information, a
server does not need to resend an entire segment
of packets and can instead resend only the missing packets.
This option applies only to the following service types: TCP, FTP, MMS,
RTSP, and fast-HTTP.
Note:
Default
Description
Disabled.
Virtual port
Usage
cookie check.
SACK support is available for the following virtual port service types: TCP,
FTP, MMS, RTSP, and fast-HTTP.
Example
template
Description
Syntax
Description
template-type
Type of template:
cache
client-ssl
connection-reuse
dns
http
persist cookie
Default
If the AX device has a default template that is applicable to the service type,
the default template is automatically applied. The AX device has a default
virtual-port template, which is applied to a virtual port when you create it.
Mode
Virtual port
Usage
The normal form of this command applies the specified template to the virtual port. The no form of this command removes the template from the
virtual port but does not delete the template itself.
A virtual port can be associated with only one template of a given type.
However, the same template can be associated with more than one virtual
port.
To bind a virtual-port template to the port, see template virtual-port on
page 424.
Example
reuse-template
template virtual-port
Description
Syntax
Default
Mode
Virtual port
Usage
If a parameter is set individually on this virtual port and also is set in a virtual port template bound to this virtual port, the individual setting on this
port is used instead of the setting in the template.
To configure a virtual port template, see slb template virtual-port on
page 373.
Example
use-default-if-no-server
Description
Syntax
Default
Disabled.
Mode
Virtual port
use-rcv-hop-for-resp
Description
Force the AX Series device to send replies to clients back through the last
hop on which the request for the virtual port's service was received.
Syntax
[no] use-rcv-hop-for-resp
Default
Disabled.
Mode
Virtual port
Usage
Last hop information is not included in the information sent to the Standby
AX device during HA session synchronization. If an HA failover occurs,
the last hop might not be used for the reply.
Example
gslb active-rtt
Description
Syntax
Description
Specifies the query domain. To measure the
active round-trip time (RTT) for a client, the site
AX device sends queries for the domain name to
a client's local DNS. An RTT sample consists of
Specifies the number of seconds between queries. You can specify 1-120 seconds.
retry num
sleep seconds
timeout ms
track seconds
Default
Mode
Global Config
Globally drop or reject DNS queries from the local DNS server.
Syntax
Description
drop
reject
Default
Not set
Mode
Global Config
Globally set DNS logging parameters. When this option is enabled, the
GSLB DNS log messages appear in the AX log.
Syntax
Default
Disabled
Mode
Global Config
Description
Specifies the types of messages to log.
gslb geo-location
Description
Syntax
Description
location-name
start-ip-addr
mask ip-mask
Network mask.
end-ip-addr
Default
N/A
Mode
Global Config
Usage
mapping.
If no geo-location is configured for a GSLB site, GSLB automatically
AX device to a geo-location.
Example
Syntax
Default
N/A
Usage
Mode
Global Config
Load a geo-location database into GSLB. Loading a pre-configured geo-location database provides a convenient alternative to manually configuring
each geo-location separately.
Syntax
file-name
csv-template-name
Note:
Description
Loads the Internet Assigned Numbers Authority
(IANA) database. The IANA database contains
the geographic locations of the IP address ranges
and subnets assigned by the IANA. The IANA
database is included in the AX system software.
However, it is unloaded (not used) by default.
The file-name option is available only if you have already imported a geo-location database file.
Mode
Global Config
Usage
You can load more than one geo-location database. When you load a new
database, if the same IP address or IP address range already exists in a previously loaded database, the address or range is overwritten by the new
database.
Example
Example
gslb ip-list
Description
Configure a list of IP addresses and group IDs to use as input to other GSLB
commands.
Syntax
[no] gslb ip-list list-name
The command changes the CLI to the configuration level for the list, where
the following IP-list-related commands are available:
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
Description
[no] ip ipaddr
{subnet-mask |
/mask-length}
id group-id
[no] load
bwlist-name
Default
Creates an IP entry in the list. Based on the subnet mask or mask length, the entry can be a host
address or a subnet address. The id option adds
the entry to a group. The group-id can be 0-31.
Loads the entries from a black/white list into the
IP list. For information on configuring a black/
white list, see the Policy-Based SLB (PBSLB)
section in the Traffic Security Features chapter
of the AX Series Configuration Guide.
None
Global Config
Usage
list, then load the entries from the black/white list into an IP list.
Use this command to configure individual IP list entries.
Example
The following commands configure a GSLB IP list and use the list to
exclude IP addresses from active-RTT data collection:
gslb ping
Description
Syntax
Mode
Global Config
gslb policy
Description
Syntax
Description
The default GSLB policy included in the software.
This command changes the CLI to the configuration level for the specified
GSLB policy. For information about the commands available at the GSLB
policy level, see Config Commands: GSLB Policy on page 455.
Default
N/A
Mode
Global Config
Example
gslb protocol
Description
Syntax
Description
enable
{controller |
device
[no-passive-rtt]}
status-interval
seconds
Changes the number of seconds between GSLB
status messages. You can specify 1-300 seconds.
Mode
Global Config
Usage
The A10 Networks GSLB protocol uses port 4149. The protocol is registered on this port for both TCP and UDP.
AX devices use the GSLB protocol for GSLB management traffic. The protocol is required to be enabled on the GSLB controller. The protocol is recommended on site AX devices but is not required. However, some GSLB
policy metrics require the protocol to be enabled on the site AX devices as
well as the GSLB controller:
session-capacity
active-rtt
passive-rtt
connection-load
num-session
least-response
The GSLB protocol is required in order to collect the site information provided for these metrics.
The GSLB protocol is also required for the health-check metric, if the
default health checks are used. If you modify the health checks, the GSLB
protocol is not required.
Example
Example
Default
Mode
Global Config
gslb service-ip
Description
Syntax
Description
service-name
ipaddr
This command changes the CLI to the configuration level for the specified
service, where the following GSLB-related commands are available:
Command
Description
[no] admin-preference
preference
enable
[no] external-ip
ipaddr
[no] ipv6
ipv6-addr
Maps the specified IPv6 address to an IPv4 service IP. This option also requires IPv6 DNS
AAAA support to be enabled in the GSLB policy. (See the ipv6-mapping option in dns on
page 464.)
{tcp | udp}
Default
Mode
Global Config
Usage
If you leave the health monitor for a service at its default setting (the
default ICMP ping health check), the health checks are performed within
the GSLB protocol.
If you use a custom health monitor, or you explicitly apply the default
Layer 3 health monitor to the service, the GSLB protocol is not used for any
of the health checks.
If you use a custom health monitor for a service port, the port number specified in the service configuration is used instead of the port number specified in the health monitor configuration.
The following policy metric options are not supported for IPv6 service IPs:
active-rtt
ip-list
passive-rtt
Example
The following example creates a GSLB service IP address named gslbsrvc2 with IP address 192.160.20.99:
gslb site
Description
Syntax
Description
Name for the site, up to 31 alphanumeric characters.
This command changes the CLI to the configuration level for the specified
site, where the following site-related commands are available:
Command
[no] active-rtt
option
Description
Configures options for the active RTT metric:
aging-time minutes Specifies the maximum amount of time a stored active-RTT result
can be used. You can specify 1-60 minutes. The
default is 10 minutes.
bind-geoloc Stores the active-RTT measurements on a per geo-location basis. Without
this option, the measurements are stored on a per
site-SLB device basis.
ignore-count num Specifies the ignore
count if RTT is out of range. You can specify 1-15. The default is 5.
limit num Specifies the maximum RTT
allowed for the site. If the RTT measurement for
a site exceeds the configured limit, GSLB does
not eliminate the site. Instead, GSLB moves to
[no] ip-server
service-ip
[no] passive-rtt
option
[no] slb-dev
device-name
ip-addr
Default
See above.
Mode
Global Config
Example
The following example creates a site named NY-site and adds SLB
AX Series site-ax-1 with IP address 10.10.10.10 to the site:
Syntax
Default
Mode
Global Config
Description
Length of the delay, 0-16384 seconds.
Syntax
Description
Name of the template, 1-63 characters.
This command changes the CLI to the configuration level for the specified
template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Description
[no] delimiter
{character |
ASCII-code}
Default
There is no default CSV template. When you configure one, the field locations are not set. The default delimiter character is a comma ( , ).
Mode
Global Config
Usage
To load a geo-location data file and use the CSV template to extract the
data, see gslb geo-location load on page 431.
Example
Configure an SNMP template to query data for use by the bw-cost metric.
Syntax
Description
Name of the template, 1-63 characters.
This command changes the CLI to the configuration level for the specified
template, where the following commands are available.
(The other commands are common to all CLI configuration levels. See
Config Commands: Global on page 69.)
Command
[no] auth-key
string
[no] auth-proto
{sha | md5}
[no] community
communitystring
[no] contextengine-id id
[no] contextname id
Description
Specifies the authentication key. The key string
can be 1-127 characters long. This command is
applicable if the security level is auth-no-priv or
auth-priv.
Specifies the authentication protocol. This command is applicable if the security level is auth-no-priv or auth-priv.
[no] host
ipaddr
[no] interface
id
[no] oid
oid-value
Note:
If the object is part of a table, make sure to append the table index to the
end of the OID. Otherwise, the AX device will return an error.
[no] port
portnum
[no] priv-key
string
[no] priv-proto
{aes | des}
[no] securityengine-id id
[no] securitylevel
{no-auth |
auth-no-priv |
auth-priv}
[no] username
name
Default
See above.
Mode
Global config
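The security-related sub-commands in the table above can be checked mechanically before a template is applied. The following audit is an added example, not A10 code; the sample templates are constructed, the function names are hypothetical, and treating `community` as an SNMPv1/v2c community string is an assumption.

```python
"""Audit a GSLB SNMP template's sub-commands for weak SNMP security settings.

Added example, not A10 code. Keywords come from the command table above;
the two sample templates are constructed.
"""

LEVELS = ("no-auth", "auth-no-priv", "auth-priv")


def parse_template(lines):
    """Return {keyword: value}; a 'no <keyword>' line removes the setting."""
    settings = {}
    for raw in lines:
        tokens = raw.split()
        negated = bool(tokens) and tokens[0] == "no"
        if negated:
            tokens = tokens[1:]
        if not tokens:
            continue
        # Keyword hyphenation is inconsistent in the extracted manual text
        # (securitylevel, auth-proto), so keywords are compared without hyphens.
        key = tokens[0].replace("-", "").lower()
        if negated:
            settings.pop(key, None)
        else:
            settings[key] = " ".join(tokens[1:])
    return settings


def audit_template(lines):
    """Return a list of (code, message) findings, empty when nothing is flagged."""
    s = parse_template(lines)
    level = s.get("securitylevel")
    findings = []

    def flag(code, message):
        findings.append((code, message))

    if "community" in s:
        # Assumption: 'community' selects SNMPv1/v2c-style access.
        flag("community", "community strings are sent in cleartext (SNMPv1/v2c)")
    if level is None:
        if "community" not in s:
            flag("level-unset", "securitylevel is not set explicitly")
    elif level not in LEVELS:
        flag("level-invalid", "unknown securitylevel %r" % level)
    elif level == "no-auth":
        flag("no-auth", "queries are neither authenticated nor encrypted")
    elif level == "auth-no-priv":
        flag("no-priv", "queries are authenticated but not encrypted")

    if level in LEVELS and "username" not in s:
        flag("no-username", "SNMPv3 security levels need a username")

    if level in ("auth-no-priv", "auth-priv"):
        # The manual gives 1-127 characters as the valid auth-key length.
        if not 1 <= len(s.get("authkey", "")) <= 127:
            flag("auth-key", "auth-key missing or not 1-127 characters")
        if s.get("authproto") == "md5":
            flag("weak-auth", "auth-proto md5; sha is the stronger option offered")
    elif "authkey" in s or "authproto" in s:
        flag("auth-unused", "auth-key/auth-proto apply only to auth-no-priv and auth-priv")

    if level == "auth-priv":
        if not s.get("privkey"):
            flag("priv-key", "priv-key missing")
        if s.get("privproto") == "des":
            flag("weak-priv", "priv-proto des; aes is the stronger option offered")
    elif "privkey" in s or "privproto" in s:
        # Assumption from SNMPv3 itself: privacy is used only at auth-priv.
        flag("priv-unused", "priv-key/priv-proto have no effect below auth-priv")
    return findings


# Constructed sample templates (sub-commands only, as entered at the template level).
WEAK_TEMPLATE = [
    "community public",
    "securitylevel auth-no-priv",
    "username gslbpoll",
    "auth-proto md5",
    "priv-proto des",
    "priv-key ExamplePrivKey-ChangeMe",
]
HARDENED_TEMPLATE = [
    "securitylevel auth-priv",
    "username gslbpoll",
    "auth-proto sha",
    "auth-key ExampleAuthKey-ChangeMe",
    "priv-proto aes",
    "priv-key ExamplePrivKey-ChangeMe",
]

if __name__ == "__main__":
    for name, tmpl in (("weak", WEAK_TEMPLATE), ("hardened", HARDENED_TEMPLATE)):
        print(name)
        for code, msg in audit_template(tmpl) or [("ok", "no findings")]:
            print("  %-12s %s" % (code, msg))
```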
Usage
Example
Example
gslb zone
Description
Configure a GSLB zone, which identifies the top-level URL for the services
load balanced by GSLB.
Syntax
Description
URL of the zone, up to 127 alphanumeric characters.
Description
Note:
If you want the GSLB AX device to return the IP address of the mail service in response to MX requests, you must configure Address records for
the mail service.
[no] dns-nsrecord
domain-name
[no] dns-soarecord dnsserver-name
mailbox-name
[expire
seconds]
[refresh
seconds]
[retry seconds]
[serial num]
[ttl seconds]
Adds a service to the zone. The port option specifies the service port and can be a well-known
name recognized by the CLI or a port number
from 1 to 65535. The service-name can be 1-31
alphanumeric characters or * (wildcard character
matching on all service names).
For the same reason described for zone names,
the AX device converts all upper case characters
in GSLB service names to lower case.
This command changes the CLI to the configuration level for the service, where the following
GSLB-related commands are available:
Use of the actions configured for services also must be enabled in the
GSLB policy, using the dns action command at the configuration level
for the policy. See dns on page 464.
dns-a-record
{service-name | service-ipaddr}
{as-replace | no-resp | static |
ttl num | weight num} Configures a
DNS Address (A) record for the service, for use
with the DNS replace-ip option in the GSLB policy. (See dns on page 464.)
as-replace This option is used with the
ip-replace option in the policy. When both
options are set (as-replace here and ip-replace in the policy), the client receives
only the IP address set here by service-ip.
no-resp Prevents the IP address for this
site from being included in DNS replies to
clients.
static This option is used with the dns
server option in the policy. When both
options are set (static here and dns server in
The no-resp option is not valid with the static or as-replace option. If
you use no-resp, you cannot use static or as-replace.
dns-cname-record alias [as-backup]
[alias ...] Configures DNS Canonical
Name (CNAME) records for the service. The
as-backup option specifies that the record is a
backup record.
dns-mx-record name priority Configures a DNS Mail Exchange (MX) record for
the service. The name is the fully-qualified
domain name of the mail server for the service.
If more than one MX record is configured for the
same service, the priority specifies the order in
which the mail server should attempt to deliver
mail to the MX hosts. The MX record with the
lowest priority number has the highest priority
and is tried first. The priority can be 0-65535.
There is no default.
Note:
If you want the GSLB AX device to return the IP address of the mail service in response to MX requests, you must configure A records for the
mail service.
dns-ns-record domain-name
[as-backup] Configures a DNS name
server record. The as-backup option specifies
that the record is a backup record. To use the as-backup option, you also must use the dns
backup-alias command in the policy. (See dns
on page 464.)
Default
policy The default GSLB policy is used, unless you configure another
policy and apply it to the zone. The GSLB policy applied to the zone is also
applied to the services in that zone. If no policy is applied to the zone, the
default GSLB policy is applied to the services.
ttl 10
The TTL of the DNS reply can be overridden in two different places in
the GSLB configuration:
Note:
Global Config
Example
active-rtt
Description
Syntax
[no] active-rtt
[difference num]
[fail-break]
[ignore-id group-id]
[keep-tracking]
[limit ms]
[samples num-samples]
[single-shot] [skip count] [timeout seconds]
[tolerance num-percentage]
Description
difference
num
fail-break
Note:
To configure the RTT limit, use the limit option (described below).
To configure GSLB to return a CNAME record as a backup, enable the
backup-alias option using the dns backup-alias command at the configuration level for the policy. To configure the backup alias for a service
within a zone, use the following command at the configuration level for
the service: dns-cname-record alias-name as-backup
ignore-id
group-id
keep-tracking
limit ms
tolerance
num-percentage
Default
Disabled. When you enable the active RTT metric, it has the following
default settings:
difference 0
fail-break disabled
ignore-id not set
keep-tracking disabled
limit 16383 ms
samples 5
Mode
GSLB Policy
Usage
This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.
Example
AX(config gslb-policy)#active-rtt
active-servers
Description
Configure the active-servers metric, which prefers the VIP with the highest
number of active servers.
Active-servers is a measure of the number of active real servers bound to a
Virtual IP address (VIP) residing on a GSLB site. The GSLB AX Series
uses the active-servers metric to select the best IP address for the client. The
VIP with the highest number of active servers is the IP address preferred by
this metric.
Syntax
Description
fail-break
Default
Disabled
Mode
GSLB Policy
Use this command to eliminate inactive real servers from being eligible for
selection by GSLB as the best IP address to send at the top of the IP address
list in DNS replies to clients.
Example
AX(config gslb-policy)#active-servers
admin-preference
Description
Enable or disable the admin-preference metric, which prefers the site whose
SLB device has the highest administratively set weight.
Syntax
[no] admin-preference
Default
Disabled
Mode
GSLB Policy
Usage
Example
AX(config gslb-policy)#admin-preference
alias-admin-preference
Description
Enable or disable the Alias Admin Preference metric, which selects the
DNS CNAME record with the highest administratively set preference. This
metric is similar to the Admin Preference metric, but applies only to DNS
CNAME records.
Syntax
[no] alias-admin-preference
Default
Disabled
Mode
GSLB Policy
Usage
Metric order does not apply to this metric. When enabled, this metric
always has high priority.
bw-cost
Description
Syntax
Configure the bw-cost metric. This mechanism queries the bandwidth utilization of each site, and selects the site(s) whose bandwidth utilization has
not exceeded a configured threshold during the most recent query interval.
[no] bw-cost [fail-break]
Parameter
Description
fail-break
Default
Disabled
Mode
GSLB Policy
AX(config gslb-policy)#bw-cost
capacity
Description
Syntax
Description
threshold num
fail-break
Default
Disabled. When you enable the capacity metric, the default threshold is 90
percent.
GSLB Policy
Usage
This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.
Example
The following command enables the capacity metric at the default value of
90% utilization of TCP/UDP session capacity:
AX(config gslb-policy)#capacity
connection-load
Description
Syntax
Configure the connection-load metric, which prefers sites that have not
exceeded their thresholds for new connections.
[no] connection-load
[limit number-of-connections] |
[samples number-of-samples interval seconds]
[fail-break]
Parameter
Description
limit numberof-connections
samples numberof-samples
interval
seconds
Number of samples for the SLB device (the site
AX Series) to collect, and the number of seconds
between each sample. You can specify 1-8 samples and an interval of 1-60 seconds.
fail-break
Disabled. When you enable the connection-load metric, the default limit is
not set (unlimited). The default number of samples is 5 and the default interval is 5 seconds.
Mode
GSLB Policy
Usage
This command applies only to GSLB selection of a site. The command does
not affect the number of connections the site AX Series itself allows.
This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.
Example
The following command sets the connection load limit to 1000 new connections:
dns
Description
Syntax
[no] dns
{
action |
active-only |
addition-mx |
backup-alias |
best-only [max-answers] |
cache [aging-time {seconds | ttl}] |
cname-detect |
external-ip |
geoloc-action |
geoloc-alias |
geoloc-policy |
ip-replace |
ipv6 options |
logging {both | query | response}
[geo-location name | ip ipaddr] |
server [addition-mx] [authoritative [full-list]]
[mx] [ns [auto-ns]] [ptr [auto-ptr]] [srv] |
sticky [/prefix-length] [aging-time minutes]
[ipv6-mask mask-length] |
ttl num
}
Parameter
Description
Enable GSLB to perform the DNS actions specified in the service configurations.
action
Note:
To configure the DNS action for a service, use the action action-type
command at the configuration level for the service. See gslb zone on
page 447.
active-only
addition-mx
best-only
[max-answers]
cache
[aging-time
seconds| ttl]
cname-detect
Enables GSLB for CNAME records. For example, if the GSLB AX Series receives a DNS reply
that contains the CNAME record
Alias = www1.a10networks.com,
Actual name = www.a10networks.com,
and the zone and application name
"www.a10networks.com" have been configured
on the GSLB-AX, the GSLB-AX will apply the
GSLB policy to the CNAME record.
geoloc-action
Note:
Performs the DNS traffic handling action specified for the client's geo-location. The action is
specified as part of service configuration in a
zone.
To configure the DNS action for a service, use the geo-location location-name action-type command at the configuration level for the service. See
gslb zone on page 447.
geoloc-alias
geoloc-policy
ip-replace
ipv6 options
Note:
The server option is not valid with the ip-replace option. They are mutually exclusive.
sticky
[/prefixlength]
[aging-time
minutes]
[ipv6-mask
mask-length]
Note:
ttl num
Default
GSLB Policy
Usage
If more than one of the following options are enabled, GSLB uses them in
the order listed, beginning with sticky:
1. sticky
2. server
3. cache
4. proxy (The command does not have a separately configurable proxy
option. The proxy option is automatically enabled when you configure
the DNS proxy.)
The site address selected by the first option that is applicable to the client
and requested service is used.
Example
Example
The following configuration excerpt uses the ipv6 mix option to enable
mixing of IPv4 and IPv6 service-ip addresses in DNS answers. Both A and
AAAA records will be included in replies to either A or AAAA requests
from clients.
gslb service-ip ip1 20.20.20.100
port 80 tcp
gslb service-ip ip2 20.20.20.102
port 80 tcp
gslb service-ip ipv61 fe80::1
port 80 tcp
gslb service-ip ipv62 fe80::2
port 80 tcp
gslb service-ip ipv63 fe80::3
port 80 tcp
gslb policy p8
dns ipv6 mix
dns server
gslb zone a8.com
policy p8
service http www
dns-a-record ip2 static
dns-a-record ip1 static
dns-a-record ipv61 static
dns-a-record ipv62 static
dns-a-record ipv63 static
Example
The following configuration excerpt uses the ipv6 smart option. For IPv4-IPv6 mapping records, an A query will be answered by an A record and an
AAAA query will be answered by an AAAA record. More specifically, if a
client sends an A query, GSLB returns A records in the answer section, and
geo-location
Description
Syntax
Description
location-name
start-ip-addr
mask ip-mask
Network mask.
end-ip-addr
Default
None.
Mode
GSLB Policy
Usage
To prefer the location configured with this command over a globally configured location, use the gslb policy geo-location match-first policy command. (See geo-location match-first on page 472.)
geo-location full-domain-share
Description
Syntax
Default
Mode
GSLB Policy
Usage
geo-location match-first
Description
Syntax
Description
global
policy
global
Mode
GSLB Policy
Example
geo-location overlap
Description
Syntax
Default
Disabled
Mode
GSLB Policy
geographic
Description
Enable or disable the geographic metric. The geographic metric prefers sites
that are within the geographic location of the client.
Syntax
[no] geographic
Default
Enabled
Mode
GSLB Policy
Usage
Example
health-check
Description
Syntax
Default
Enabled
Mode
GSLB Policy
Usage
This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices, if the default health checks are used on
the service IPs.
If you use a custom health monitor, or you explicitly apply the default
Layer 3 health monitor to the service, the GSLB protocol is not used for any
of the health checks. In this case, the GSLB protocol is not required to be
enabled on the site AX devices, although use of the protocol is still recommended.
Example
ip-list
Description
Syntax
Default
None
Usage
Example
The following commands configure a GSLB IP list and use the list to
exclude IP addresses from active-RTT data collection:
least-response
Description
Enable or disable the least-response metric, which prefers VIPs that have
the fewest hits.
Syntax
[no] least-response
Default
Disabled
Mode
GSLB Policy
Usage
This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.
Example
AX(config gslb-policy)#least-response
metric-fail-break
Description
Syntax
[no] metric-fail-break
Default
Disabled
Mode
GSLB Policy
metric-force-check
Description
Force the GSLB controller to always check all metrics in the policy.
Syntax
[no] metric-force-check
Default
By default, the GSLB controller stops evaluating metrics for a site once a
metric comparison definitively selects or rejects a site.
Mode
GSLB Policy
metric-order
Description
Syntax
Configure the order in which the GSLB metrics in this policy are used.
[no] metric-order metric [metric ...]
Parameter
Description
metric
[metric ...]
Default
GSLB Policy
Usage
The first metric you specify with this command becomes the primary metric. If you specify additional parameters, they are used in the priority you
specify. All remaining metrics are prioritized to follow the metrics you
specify.
For example, if you specify only the ordered-ip metric with the command,
this metric becomes the first metric instead of the 13th metric. The health-check metric becomes the 2nd metric, weighted-ip becomes the 3rd metric,
and so on.
The GSLB AX Series uses each metric, in the order specified, to compare
the IP addresses returned in DNS replies to clients. If a metric is disabled,
the metric order does not change. The GSLB AX Series skips the metric and
continues to the next enabled metric.
The round-robin metric cannot be re-ordered.
To display the metric order used in a policy, see show gslb policy on
page 568.
Example
num-session
Description
Description
Number from 1 to 100 specifying the percentage
by which the number of available sessions on site
SLB devices can differ without causing the num-session metric to select one site device over
another. (See the Usage description.)
Default
Disabled. When you enable the num-session metric, the default tolerance is
10 percent.
Mode
GSLB Policy
Usage
The GSLB AX Series considers site SLB devices to be equal if the difference in the number of available sessions on each device does not exceed the
tolerance percentage. The tolerance percentage ensures that minor differences in available sessions do not cause frequent, unnecessary, changes in
site preference.
This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.
Example
ordered-ip
Description
Syntax
Description
Returns only the first (top) IP address in the IP
list. By default, GSLB sends all IP addresses in
Disabled
Mode
GSLB Policy
Usage
The prioritized list is sent to the next metric for further evaluation. If
ordered-ip is the last metric, the prioritized list is sent to the client.
To configure the ordered list of IP addresses for a service, use the ip-order
command at the service configuration level for the GSLB zone. See
gslb zone on page 447.
Example
AX(config gslb-policy)#ordered-ip
passive-rtt
Description
Syntax
[no] passive-rtt
[difference num]
[samples num-samples]
[tolerance num-percentage]
[fail-break]
Parameter
difference
num
samples
num-samples
tolerance
num-percentage
fail-break
Description
Number from 0 to 1023 specifying the round-trip
time difference.
Number of samples to collect, 1-8.
Specifies how much the RTT values of sites must
differ in order for GSLB to prefer one site over
the other based on passive RTT.
Enables GSLB to stop if the configured RTT
limit in a policy is reached. The fail-break action
Disabled. When you enable the passive RTT metric, it has the following
default settings:
samples 5
tolerance 10 percent
Mode
GSLB Policy
Usage
Sites with faster passive round-trip times (RTTs) between a client and the
site are preferred over sites with slower times. The passive RTT is the time
between when the site AX device receives a client's TCP connection (SYN)
and the time when the site AX device receives acknowledgement (ACK)
back from the client for the connection. RTT measurements are taken for
client addresses in each /24 subnet range.
Example: Site A's RTT value is 0.3 seconds and Site B's RTT value is 0.32
seconds. If the RTT tolerance is 10% then the two sites are treated as having
the same RTT preference.
This metric requires the GSLB protocol to be enabled both on the GSLB
controller and on the site AX devices.
Example
AX(config gslb-policy)#passive-rtt
round-robin
Description
Syntax
Default
GSLB Policy
Usage
If all the enabled metrics in the policy result in a tie (do not definitively
select a single site as the best site), the AX device uses round-robin to select
a site. This is true even if the round-robin metric is disabled in the GSLB
policy.
If the last metric is ordered-ip, and round-robin is disabled, the prioritized
list of IP addresses is sent to the client. Round-robin is not used.
Note:
Example
weighted-alias
Description
Enable the Weighted Alias metric, which prefers CNAME records with
higher weight values over CNAME records with lower weight values. This
metric is similar to Weighted-IP, but applies only to DNS CNAME records.
Syntax
[no] weighted-alias
Default
Disabled
Mode
GSLB Policy
Usage
your deployment:
DNS backup-alias
DNS geoloc-alias
(See dns on page 464.)
3. If using the backup-alias option, use the dns-cname-record as-backup
option on the service. (See gslb service-ip on page 436.)
weighted-ip
Description
Syntax
Description
total-hits
Default
Disabled
Mode
GSLB Policy
Usage
As a simple example, assume that the weighted-ip metric is the only enabled
metric, or at least always ends up being the tie breaker. The total-hits option
is disabled. IP address 10.10.10.1 has weight 4 and IP address 10.10.10.2
has weight 2. During a given session aging period, the first 4 requests go to
10.10.10.1, the next 2 requests go to 10.10.10.2, and so on, (4 to 10.10.10.1,
then 2 to 10.10.10.2).
Here is an example using the same two servers and weights, with the total-hits option enabled. IP address 10.10.10.1 has weight 4 and total hits 8, and
IP address 10.10.10.2 has weight 2 and total hits 0. In this case, the first 4
requests go to 10.10.10.2, then the requests are distributed according to
weight. Four requests go to 10.10.10.1, then two requests go to 10.10.10.2,
and so on. To display the total hits for a service IP address, use the show
gslb service-ip command. (See show gslb service-ip on page 578.)
To assign a weight to a service IP address, use the following command at
the configuration level for the zone service:
dns-a-record name weight num
Example
weighted-site
Description
Configure the weighted-site metric, which uses sites with higher weight values more often than sites with lower weight values.
Description
First sends requests to the sites that have fewer
hits. After all service sites have the same number
of hits, GSLB sends requests based on weight.
This option is disabled by default.
Default
Disabled. When you enable the weighted-site metric, the default weight of
each site is 1.
Mode
GSLB Policy
Usage
As a simple example, assume that the weighted-site metric is the only enabled metric, or at least always ends up being the tie breaker. Site A has
weight 4 and site B has weight 2. During a given session aging period, the
first 4 requests go to site A, the next 2 requests go to site B, and so on, (4 to
A, then 2 to B).
Here is an example using the same two sites and weights, with the total-hits
option enabled. Site A has weight 4 with total hits 8, and site B has weight 2
with total hits 0. In this case, the first 4 requests go to site B, then requests
are sent as described above. Four requests go to site A, then 2 requests go to
site B, and so on.
To assign a weight to a site, use the following command at the configuration
level for the site: weight num
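The request sequences in the weighted-ip and weighted-site Usage examples can be reproduced with a small model (an added example, not A10 code). Comparing hits per unit of weight during the total-hits catch-up phase is an assumption, chosen because it yields the four catch-up requests that both examples state; `weighted_sequence` and its tuple layout are hypothetical.

```python
"""Model of the weighted-ip / weighted-site request order described above.

Added example, not A10 code. The catch-up rule (hits divided by weight) is an
assumption that reproduces the manual's numbers; it is not a documented rule.
"""
from fractions import Fraction


def weighted_sequence(targets, count, total_hits=False):
    """Return the first `count` selections.

    targets: list of (name, weight, prior_hits) in configured order.
    total_hits: model the total-hits option (catch-up before weighting).
    """
    for name, weight, hits in targets:
        if weight < 1 or hits < 0:
            raise ValueError("weight must be >= 1 and hits >= 0 for %s" % name)
    order = [name for name, _, _ in targets]
    weights = {name: weight for name, weight, _ in targets}
    hits = {name: prior for name, _, prior in targets}
    picks = []

    if total_hits:
        # Catch-up phase: targets that are behind the busiest target, measured
        # in hits per unit of weight, receive requests until they are level.
        high = max(Fraction(hits[n], weights[n]) for n in order)
        while len(picks) < count:
            behind = [n for n in order
                      if Fraction(hits[n] + 1, weights[n]) <= high]
            if not behind:
                break
            chosen = min(behind, key=lambda n: Fraction(hits[n], weights[n]))
            hits[chosen] += 1
            picks.append(chosen)

    # Weighted phase: each target in turn receives a batch equal to its weight.
    while len(picks) < count:
        for name in order:
            for _ in range(weights[name]):
                if len(picks) == count:
                    return picks
                hits[name] += 1
                picks.append(name)
    return picks


# Values from the weighted-ip Usage text: weights 4 and 2, prior hits 8 and 0.
SERVICE_IPS = [("10.10.10.1", 4, 8), ("10.10.10.2", 2, 0)]
# Values from the weighted-site Usage text: site A and site B, same numbers.
SITES = [("A", 4, 8), ("B", 2, 0)]

if __name__ == "__main__":
    print("weight only :", "".join(weighted_sequence(SITES, 12)))
    print("total-hits  :", "".join(weighted_sequence(SITES, 12, total_hits=True)))
```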
Example
fwlb node
Description
Configure a firewall.
Syntax
Description
fwall-name
ipaddr
This command changes the CLI to the configuration level for the firewall,
where the following FWLB-related commands are available:
Command
[no] disable
[no] healthcheck monitorname
Description
Disables load balancing of traffic to the firewall.
stats-data-disable |
stats-data-enable
Mode
Global Config
Usage
The normal form of this command creates a new or edits an existing firewall. The CLI changes to the configuration level for the firewall.
The IP address of the firewall can be in either IPv4 or IPv6 format. The
AX Series recognizes both address formats.
The no form of this command removes an existing firewall.
To collect statistical data for a load-balancing resource, statistical data collection also must be enabled globally. (See stats-data-enable on
page 159.)
Example
The following command creates a new firewall named fw1 with an IPv4
address:
Example
The following command creates a new firewall named fw2 with an IPv6
address:
fwlb service-group
Description
Syntax
Description
group-name
This command changes the CLI to the configuration level for the firewall
group, where the following FWLB-related commands are available:
Description
[no] leastconnection
Default
There are no firewall service groups configured by default. When you create
one, it contains no members and the default load-balancing method is round
robin. Statistical data collection of load-balancing resources is enabled by
default.
Mode
Global Config
Usage
The normal form of this command creates a new or edits an existing firewall
group. The CLI changes to the configuration level for the group.
The firewall nodes must already be configured. To configure a firewall
node, see fwlb node on page 485.
The following example configures firewall group fwsg and adds firewalls
fw1 and fw2 to it:
fwlb virtual-firewall
Description
Syntax
Description
The virtual firewall name. (In the current release,
this is the only name that is supported.)
default
This command changes the CLI to the configuration level for the virtual
firewall, where the following FWLB-related commands are available:
Command
Description
[no] disable
[no] ha-connmirror
[no] ha-group
{1 | 2}
[no] servicegroup groupname
[no] template
persist sourceip templatename
Uses a configured source-IP persistence template
to send all traffic from a given source address to
the same firewall.
You also can specify a source-IP persistence template on individual service ports. If you specify a
template at each level, the template specified for
the individual service port takes precedence.
Note:
Mode
Global Config
Usage
firewall or the UDP virtual firewall port, that idle-timeout is used. Otherwise, if the UDP idle-timeout is not set in FWLB, the idle-timeout in
the default SLB UDP template is used. Unless the default template has
been changed, the idle-timeout is 120 seconds.
TCP template is used. Unless the default template has been changed, the
idle-timeout is 120 seconds.
For service-type HTTP (Layer 7), the idle-timeout in the default SLB
Note:
disable-after-down
Description
Disable the target of a health check if the target fails the health check.
Syntax
[no] disable-after-down
Default
Disabled
Mode
Usage
This command applies to all servers, ports, or service groups that use the
health monitor. When a server, port, or service group is disabled based on
this command, the server, port, or service group's state is changed to disable in the running-config. If you save the configuration while the server,
port, or service group is disabled, the state change is written to the startup-config.
method
Description
Syntax
dns
{ipaddr |
domain domainname}
[options]
Description
Configures a compound health monitor. A compound health monitor consists of a set of health
monitors joined in a Boolean expression
(AND / OR / NOT). For more information, see
the Compound Health Monitors section in the
Health Monitoring chapter of the AX Series
Configuration Guide.
ftp
[[username name
password
string] port
port-num]
Note:
The expect maintenance-code option applies only to servers in cookie-persistence or source-IP persistence configurations, and can be used only
for HTTP and HTTPS ports.
In a postdata string, use = between a field name and the value you are
posting to it. If you post to multiple fields, use & between the fields.
For example: postdata fieldname1=value&fieldname1=value. The string
can be up to 255 bytes long.
To use POST data longer than 255 bytes, you must import a POST data
file and use the POST / postfile filename option. (See health postfile on
page 113.)
username name Specifies the username
required for HTTP access to the server. Unless
anonymous login is used, the username must be
specified.
https [options] Similar to an HTTP health check, except SSL is
used to secure the connection. The default port is
443.
icmp
[transparent
ipaddr]
Sends an LDAP Bind request. Expects reply containing result code 0. The binddn option specifies
the Distinguished Name and the password
option specifies the password for the Distinguished Name. The overssl option uses SSL
(TLS) for the health check.
Sends an NTP client message to UDP port 123.
Expects a standard NTP 48-byte reply packet.
ntp
pop3
port port-num
username name
password string Sends a POP3 user login request with the specified username and password. Expects reply with
OK message.
radius
port port-num
secret string
username name
password string Sends a Password Authentication Protocol (PAP)
request to the specified port to authenticate the
specified username. Expects Access Accepted
message (reply code 2). The secret option specifies the shared secret required by the RADIUS
server.
rtsp
port port-num
rtspurl string
sip
[register
[port portnum]]
[tcp]
Sends a request to the specified port for information about the file specified by rtspurl. Expects
reply with information about the specified file.
snmp
[port port-num]
[community
string]
[oid oid-name]
[operation {get
| getnext}]
tcp
port port-num
[halfopen]
udp
port port-num
Default
The configuration has a default ping health monitor that uses the icmp
method. The AX device applies the ping monitor by default. The AX device
Usage
To configure a health monitor that uses a script, use the health external
command to create it, instead of using the health monitor command.
(See health external on page 109 and the external health check example
below.)
2. Apply the health monitor to a real server or real server port, using the
health-check command at the configuration level for the server or the
server port. Apply monitors that use the ICMP method to real servers.
(See health-check on page 382.) Apply monitors that use any of the
other types of methods to individual server ports. (See port on
page 383.)
Example
The following commands apply health monitor ping to server rs0. The
ping monitor is included in the AX Series device's configuration by default,
so you do not need to configure it.
Example
The following commands configure health monitor hm1 to use the TCP
health method, and apply the monitor to a TCP port on real server rs1.
The TCP health checks are sent to TCP port 23 on the server.
Example
The following commands configure health monitor hm2 and set it to use
the HTTP method. The health monitor is applied to port 80 on real server
rs1.
Example
Utility commands such as ping, ping6, wget, dig, and so on are supported.
For Tcl scripts, the health check parameters are transmitted to the script
through the predefined TCL array ax_env. The array variable
ax_env(ServerHost) is the server IP address and ax_env(ServerPort) is the
server port number. Set ax_env(Result) to 0 to indicate pass; any other value indicates fail.
TCL script filenames must use the .tcl extension.
To use the external method, you must import the program onto the
AX Series device. The script execution result indicates the server status,
which must be stored in ax_env(Result).
For additional information and more examples, see the External Health
Method Examples section in the Health Monitoring chapter of the
AX Series Configuration Guide.
override-ipv4
Description
Send the health check to a specific IPv4 address, instead of sending the
health check to the IP address of the real server or GSLB service IP to
which the health monitor is bound. This command and the other override
commands are particularly useful for testing the health of remote links.
Syntax
Default
Mode
Example
override-ipv6
Description
Send the health check to a specific IPv6 address, instead of sending the
health check to the IP address of the real server to which the health monitor
is bound.
Syntax
Default
Mode
Example
override-port
Description
Send the health check to a specific protocol port, instead of sending the
health check to the server port to which the health monitor is bound.
Default
Mode
Example
strictly-retry-on-server-error-response
Description
Syntax
Force the AX device to wait until all retries are unsuccessful before marking
a server or port Down.
[no] strictly-retry-on-server-error-response
Default
Disabled. For some health method types, the AX device marks the server or
port Down after the first failed health check attempt, even if the retries
option for the health monitor is set to higher than 0.
Mode
Usage
Example
The following commands configure an HTTP health monitor that checks for
the presence of testpage.html, and enable strict retries for the monitor.
Note:
This CLI level also has the following commands, which are available at all
configuration levels:
clear See clear on page 49.
debug See debug on page 52.
do See do on page 103.
end See end on page 107.
exit See exit on page 107.
no See no on page 135.
show See Show Commands on page 535.
write See write terminal on page 67.
ha arp-retry
Description
Syntax
Default
Description
Specifies the number of additional gratuitous
ARPs to send, after sending the first one. You
can specify 1-255.
Global Config
Example
AX(config)#ha arp-retry 9
ha check gateway
Description
Syntax
Description
IP address of the gateway.
ipaddr
Default
Not set
Mode
Global Config
Usage
This feature uses health monitors to check the availability of the gateways.
If any of the active AX device's gateways fails a health check, the AX
device changes its HA status to Down. If the HA status of the other AX
device is higher than Down, a failover occurs.
Likewise, if the gateway becomes available again and all gateways pass
their health checks, the AX device recalculates its HA status according to
the HA interface counts. If the new HA status of the AX device is higher
than the other AX device's HA status, a failover occurs.
Configuration of gateway-based failover requires the following steps:
1. Configure a health monitor that uses the ICMP method. (See health
monitor on page 111.)
2. Configure the gateway as an SLB real server and apply the ICMP health
monitor to the server. (See method on page 494.)
3. Enable HA checking for the gateway, using the command described in
this section.
Example
ha check route
Description
Syntax
gateway ipaddr
Description
distance num
Default
None
Mode
Global Config
Usage
This feature applies only to routes in the data route table. The feature does
not apply to routes in the management route table.
For failover to occur due to HA priority changes, the HA pre-emption
option must be enabled.
You can configure this option for up to 100 IPv4 routes and up to 100 IPv6
routes. This option is valid for all types of IP routes supported in this release
(static, RIP, and OSPF).
If the priority of an HA group falls below the priority for the same group on
the other AX device in an HA pair, a failover can be triggered.
Omitting an optional parameter matches on all routes. For example, if you
do not specify the next-hop gateway, routes that match based on the other
parameters can have any next-hop gateway.
Example
Note:
Example
The lowest possible HA priority value is 1. Deleting 255 sets the HA priority value to 1, regardless of the original priority value.
The following command configures HA route awareness for a dynamic
route to subnet 10.10.10.x with route cost 10. If the IP route table does not
have a dynamic route to this destination with the specified cost, 10 is subtracted from the HA priority value for each HA group.
ha check vlan
Description
Syntax
Description
vlan-id
VLAN ID.
seconds
Default
Not set
Mode
Global Config
Usage
ha conn-mirror
Description
Syntax
Set the peer IP address to use for session synchronization (also called connection mirroring) and config sync.
[no] ha conn-mirror ip ipaddr
Parameter
Description
Specifies the IP address of the other AX in the
HA configuration.
ipaddr
Default
None
Mode
Global Config
Usage
Example
ha force-self-standby
Description
Syntax
Description
Specifies the group ID. Only the specified group
is forced to change from Active to Standby. If
you do not specify a group ID, all Active groups
are forced to change to Standby status.
Default
N/A
Mode
Global Config
Usage
Example
AX(config)#ha force-self-standby 1
ha forward-l4-packet-on-standby
Description
Syntax
[no] ha forward-l4-packet-on-standby
Default
Mode
Global Config
ha group
Description
Syntax
Description
group-id
num
Default
Mode
Global Config
Usage
Example
The following command configures HA group 1 and sets its priority to 100:
ha id
Description
Syntax
Enable HA.
[no] ha id {1 | 2} [set-id num]
Parameter
Description
1 | 2
set-id num
Default
Mode
Global Config
Usage
Example
AX(config)#ha id 1
ha inline-mode
Description
Syntax
Description
Specifies the port to use for session synchronization and for management traffic between the
AX Series devices in the HA pair. For example,
if you use the CLI on one AX to ping the other
AX device, the ping packets are sent only on the
preferred HA port. Likewise, the other AX
device sends the ping reply only on its preferred
HA port.
Management traffic between AX Series devices
includes any of the following types of traffic:
Telnet, SSH, or Ping.
Default
Disabled. If you enable inline mode but you do not specify the preferred
port, the preferred port is selected as follows:
1. The first HA interface that comes up on the AX is used as the preferred
HA port.
2. If the preferred HA port selected above goes down, the HA interface
with the lowest port number is used. If that port also goes down, the HA
interface with the next-lowest port number is used, and so on.
This selection mechanism is also used if the preferred port is configured but
goes down.
The preferred port must be added as an HA interface and heartbeat messages must be enabled on the interface.
Note:
Mode
Global Config
Usage
The following command enables HA inline mode and sets the preferred port
to Ethernet port 5:
ha interface
Description
Syntax
Configure an HA interface.
[no] ha interface ethernet port-num
[router-interface | server-interface | both]
[no-heartbeat | vlan vlan-id]
Parameter
Description
Specifies the HA interface.
port-num
routerinterface |
serverinterface |
both
no-heartbeat |
vlan vlan-id
Default
Mode
Global Config
Usage
Note:
If the heartbeat messages from one AX device to the other will pass through
a Layer 2 switch, the switch must be able to pass UDP IP multicast packets.
Set each interface connected to the real servers or clients (for example, connected through upstream routers) as an HA interface. Also set the interface
that connects an AX Series device to its HA peer (the other AX device in
the HA pair) as an HA interface.
Setting the device type increases the granularity of the HA state.
If the device type is not set, the HA state of the AX device can be one of
the following:
Up - All configured interfaces are up.
Down - At least one of the HA interfaces is down.
If you set the device type, the HA status of the AX device is based on
the status of the AX link with the real server or upstream router:
Up - All configured HA router and server interfaces are up.
Partially Up - Some HA router or server interfaces are down but at
least one server link and one router link are up.
Down - All router interfaces, or all server interfaces, or both are
down. The status also is Down if neither router interfaces nor server
interfaces are configured and an HA interface goes down.
If both types of interfaces (router interfaces and server interfaces) are
configured, the HA interfaces for which a type has not been configured
are not included in the HA interface status determination.
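The status rules above, written as a decision function and run against a sequence of link failures. This is an added illustration, not A10 code: `HaInterface`, `ha_status`, `walk_failures` and the topology are hypothetical, the `both` type is assumed to count as a router and a server interface, and configurations with only one of the two types are rejected because the text above does not describe them.

```python
from dataclasses import dataclass


@dataclass
class HaInterface:          # hypothetical model, not an AX data structure
    port: int
    up: bool
    kind: str = ""          # "", "router", "server" or "both" (assumed: counts as both)


def ha_status(interfaces):
    """Return "Up", "Partially Up" or "Down" following the Usage text."""
    if not interfaces:
        raise ValueError("no HA interfaces configured")
    routers = [i for i in interfaces if i.kind in ("router", "both")]
    servers = [i for i in interfaces if i.kind in ("server", "both")]
    if not routers and not servers:
        # Device type not set: one down HA interface is enough for Down.
        return "Up" if all(i.up for i in interfaces) else "Down"
    if not routers or not servers:
        raise ValueError("only one interface type configured: not covered by the text")
    # Both types configured: untyped HA interfaces are left out of the decision.
    if all(i.up for i in routers + servers):
        return "Up"
    if any(i.up for i in routers) and any(i.up for i in servers):
        return "Partially Up"
    return "Down"


def walk_failures(interfaces, failing_ports):
    """Take ports down one at a time; return the status before and after each event."""
    state = {i.port: HaInterface(i.port, i.up, i.kind) for i in interfaces}
    history = [ha_status(list(state.values()))]
    for port in failing_ports:
        state[port].up = False
        history.append(ha_status(list(state.values())))
    return history


# Constructed topology: two router links, two server links, one untyped peer link.
TOPOLOGY = [
    HaInterface(1, True, "router"),
    HaInterface(2, True, "router"),
    HaInterface(3, True, "server"),
    HaInterface(4, True, "server"),
    HaInterface(5, True),
]

if __name__ == "__main__":
    for status in walk_failures(TOPOLOGY, [5, 1, 3, 4]):
        print(status)
```

With both types configured, losing the untyped port 5 leaves the status at Up, while the same loss in an untyped configuration would report Down.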
Example
ha l3-inline-mode
Description
Syntax
[no] ha l3-inline-mode
Default
Disabled.
Mode
Global Config
Example
AX(config)#ha l3-inline-mode
ha link-event-delay
Description
Syntax
Change the delay waited by the AX device before changing the HA state
(Up, Partially Up, or Down) in response to link-state changes on HA interfaces.
[no] ha link-event-delay 100-ms-unit
Parameter
Description
100-ms-unit
Default
3000 ms (3 seconds)
Mode
Global Config
Usage
This command applies only to inline mode (Layer 2 or Layer 3). The delay
is applicable in the following situations:
The AX device is Active and a link goes down.
The AX device is Standby and a link comes up. (There is an additional
AX(config)#ha link-event-delay 50
ha ospf-inline vlan
Description
Syntax
Default
Mode
Global Config
Usage
When this option is enabled, OSPF on the Standby AX device will always
participate in OSPF routing. There is no additional time gap when failover
happens.
To limit OSPF adjacency formation to a specific VLAN only, explicitly
configure adjacency formation for that VLAN. In this case, OSPF adjacency formation does not occur for any other VLANs.
ha preemption-enable
Description
Allow the high-priority HA group to take over from the currently active
one. This command enables you to force HA failovers based on HA configuration changes.
Syntax
[no] ha preemption-enable
Default
Note:
Mode
Global Config
AX(config)#ha preemption-enable
ha restart-port-list
Description
Syntax
Description
port-list
Note:
You must omit at least one port connecting the AX devices from the
restart port-list, and heartbeat messages must be enabled on the port. This
is so that heartbeat messages between the AX devices are maintained;
otherwise, flapping might occur.
Note:
Default
Mode
Global Config
Usage
Use this command in inline mode configurations to cause the router connected to the AX Series device to relearn MACs, including MACs for the
real servers. Without this command, the router might continue to try to
reach the real servers through the AX Series device that becomes the
Standby AX device after a failover.
HA port restart toggles a specified set of ports on the formerly Active AX
by disabling the ports, waiting for a specified number of milliseconds, then
re-enabling the ports. Toggling the ports causes the links to go down, which
in turn causes the devices on the other ends of the links to flush their learned
MAC entries on the links. The devices then can relearn MACs through links
with the newly Active AX.
Example
ha restart-time
Description
Syntax
Description
Amount of time to keep the HA interfaces disabled. You can specify 1-100 units of 100 ms
(from 0.1 seconds to 10 seconds).
Default
The default is 20 units of 100 milliseconds (ms) each, for a total of 2 seconds.
Mode
Global Config
Usage
Example
AX(config)#ha restart-time 40
ha sync
Description
Syntax
ha sync all
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]
Syntax
ha sync startup-config
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]
Syntax
ha sync running-config
{to-startup-config [with-reload] |
to-running-config}
[all-partitions | partition partition-name]
ha sync data-files
[all-partitions | partition partition-name]
Parameter
Description
Synchronizes data files and the running-config.
(See Usage for a list of the types of data files
that are synchronized.) You can synchronize the
running-config to one of the following on the
other AX Series device:
all
startup-config Replaces the startup-config on the other AX device with the running-config on this device. For information about the
with-reload option, see Usage below.
Note:
If the HA status is Standby for all the HA groups on the other AX device,
the AX device is reloaded anyway, even if the with-reload option is not
used.
running-config Replaces the running-config on the other AX device with the running-config on this device.
data-files
Synchronizes data files but not the running-config or startup-config. (See Usage for a list of
the types of data files that are synchronized.)
running-config
Synchronizes the running-config. You can synchronize it to one of the following on the other
AX Series device:
startup-config Replaces the startup-config on the other AX device with the running-config on this device. For information about the
with-reload option, see Usage below.
running-config Replaces the running-config on the other AX device with the running-config on this device.
startup-config
Default
N/A
Mode
Global Config
Usage
Connection mirroring is required for config sync. Config sync uses the connection mirroring link. (See ha conn-mirror on page 510.)
SSH management access must be enabled on both ends of the link. (See
enable-management on page 105.)
The following configuration items are backed up during HA config sync:
Admin accounts and settings
Floating IP addresses
IP NAT configuration
Access control lists (ACLs)
Health monitors
Policy-based SLB (black/white lists)
SLB
FWLB
GSLB
Data Files:
aFleX files
External health check files
SSL certificate and private-key files
Black/white-list files
Admin Role
Root or Super User
(Read-Write)
Status of Target AX
Standby
Active
Partition Write
Standby
Active
Target Config
startup-config
running-config
startup-config
running-config
startup-config
running-config
startup-config
running-config
Reload?
Automatic
Automatic
Optional1
Not reloaded by default
Automatic
Not Allowed
Not Allowed
Not Allowed
Not Allowed
1. If the target AX device is not reloaded, the GUI Save button on the Standby AX device does not blink to indicate
unsaved changes. It is recommended to save the configuration if required to keep the running-config before the next
reboot.
An admin who is logged on with Root or Read-Write (Super Admin) privileges can synchronize for all Role-Based Administration (RBA) partitions
or for a specific partition.
Note:
Example
The following commands synchronize the Active AX device's running-config with the Standby AX device's running-config, for AX devices that are
configured for Role-Based Administration (RBA):
ha time-interval
Description
Syntax
Description
100-msec-units
Default
200 milliseconds
Mode
Global Config
Example
AX(config)#ha time-interval 4
ha timeout-retry-count
Description
Syntax
Description
Number of times the HA time interval can expire
before the Standby AX device fails over to
become the Active AX device. You can specify
2-255.
num
Default
Mode
Global Config
Example
AX(config)#ha timeout-retry-count 10
AX Debug Commands
The AX debug subsystem enables you to trace packets on the AX device. To
access the AX debug subsystem, enter the following command at the Privileged EXEC level of the CLI:
axdebug
The CLI prompt changes as follows:
AX(axdebug)#
This chapter describes the debug-related commands in the AX debug subsystem.
To perform AX debugging using this subsystem:
1. Use the filter command to configure packet filters to match on the types
of packets to capture.
2. (Optional) Use the count command to change the maximum number of
packets to capture.
3. (Optional) Use the timeout command to change the maximum number
of minutes during which to capture packets.
4. (Optional) Use the incoming or outgoing command to limit the interfaces on which to capture traffic.
5. Use the capture command to start capturing packets. The AX device
begins capturing packets that match the filter, and saves the packets to a
file or displays them, depending on the capture options you specify.
6. To display capture files, use the show axdebug file command. (See
show axdebug file on page 541.)
7. To export capture files, use the export axdebug command at the Privileged EXEC or global configuration level of the CLI. (See export on
page 58.)
The AXdebug utility creates a separate debug file in packet capture (PCAP)
format for each CPU thread. The PCAP format can be read by third-party
diagnostic applications such as Wireshark, Ethereal (the older name for
Wireshark) and tcpdump. To simplify export of the PCAP files, the AX
device compresses them into a single zip file in tar format. To use the PCAP
files, you must untar them first.
capture
Description
Syntax
Description
brief
[save ...]
detail
[save ...]
non-display
[save ...]
save filename
[max-packets]
[incoming
[portnum ...]]
[outgoing
[portnum ...]]
By default, packets in both directions on all Ethernet data interfaces are captured.
The traffic also must match the AX debug filters.
Note:
Mode
AX debug
Usage
To minimize the impact of packet capture on system performance, A10 Networks recommends that you configure an AX debug filter before beginning
the packet capture.
To display a list of AX debug capture files or to display the contents of a
capture file, see show axdebug file on page 541.
Example
AX(axdebug)#capture brief
Wait for debug output, enter <ctrl c> to exit
(0,1738448) i( 1,
0, cca8)> ip 10.10.11.30 >
78f07ab8:dbffc02d(0)
(0,1738448) o( 3,
0, cca8)> ip 10.10.11.30 >
78f07ab8:dbffc02d(0)
(0,1738448) i( 1,
0, cca9)> ip 10.10.11.30 >
78f07ab9:dbffc0c2(0)
(0,1738448) o( 3,
0, cca9)> ip 10.10.11.30 >
78f07ab9:dbffc0c2(0)
(1,1738450) i( 1,
0, ccaa)> ip 10.10.11.30 >
78f07ab9:dbffc0c2(191)
(1,1738450) o( 3,
0, ccaa)> ip 10.10.11.30 >
78f07ab9:dbffc0c2(191)
(1,1738450) i( 1,
0, ccab)> ip 10.10.11.30 >
78f07b78:dbffc0c3(0)
(1,1738450) o( 3,
0, ccab)> ip 10.10.11.30 >
78f07b78:dbffc0c3(0)
...
control CPU.
1738448 Time delay between packets. This is a jiffies value that incre-
the VLAN tag is 0, then the port is untagged. In this example, the first
packet is received on Ethernet port 1, and the VLAN is not yet known.
The packet is assigned to buffer index cca8.
Generally, the VLAN tag for ingress packets is 0. It is normal for the
ingress VLAN tag to be 0 even when the egress VLAN tag is not 0.
The source and destination IP addresses are listed next, followed by the
source and destination protocol port numbers.
The TCP flag is shown next:
S Syn
SA Syn Ack
A Ack
F Fin
PA Push Ack
The TCP sequence number and ACK sequence number are then shown.
Finally, the packet payload is shown. The header size is excluded.
Example
AX(axdebug)#capture detail
Wait for debug output, enter <ctrl c> to exit
i( 1, 0, ccae)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 SA 7ab6ae46:ddb87996(0)
Dump buffer(0xa6657048), len(80 bytes)...
0xa6657048: 00900b0b 3e83001d 09f0dec2 08004500 : ....>.........E.
0xa6657058: 003c0000 40004006 e8580a0a 0b1e1e1e : .<..@.@..X......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...
0xa6657078: 16a02ea5 00000204 05b40402 080a5194 : ..............Q.
0xa6657088: 6c551f3c 1d3f0103 03072d59 f97f0000 : lU.<.?....-Y....
0xa6657098: 00000000 00000000 00000000 00000000 : ................
o( 3, 0, ccae)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 SA 7ab6ae46:ddb87996(0)
Dump buffer(0xa6657048), len(80 bytes)...
0xa6657048: 001d09f0 e01e0090 0b0b3e83 08004500 : ..........>...E.
0xa6657058: 003c0000 40003f06 e9580a0a 0b1e1e1e : .<..@.?..X......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...
0xa6657078: 16a02ea5 00000204 05b40402 080a5194 : ..............Q.
0xa6657088: 6c551f3c 1d3f0103 03072d59 f97f0000 : lU.<.?....-Y....
0xa6657098: 00000000 00000000 00000000 00000000 : ................
i( 1, 0, ccaf)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 A 7ab6ae47:ddb87a2b(0)
Dump buffer(0xa6657848), len(80 bytes)...
0xa6657848: 00900b0b 3e83001d 09f0dec2 08004500 : ....>.........E.
0xa6657858: 0034c211 40004006 264f0a0a 0b1e1e1e : .4..@.@.&O......
0xa6657868: 1f1e0050 35467ab6 ae47ddb8 7a2b8010 : ...P5Fz..G..z+..
0xa6657878: 00367344 00000101 080a5194 6c561f3c : .6sD......Q.lV.<
0xa6657888: 1d4041de e3380000 00000000 00000000 : .@A..8..........
0xa6657898: 00000000 00000000 00000000 00000000 : ................
...
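The following added example (not part of the AX documentation) parses capture detail output, decodes the Ethernet, IPv4 and TCP headers from the hex dump, and checks them against the fields on the summary line. The function names are hypothetical, the input is the first two packets of the example output above, and the "R" flag letter is an assumption because the flag list above does not include it.

```python
import re
import socket
import struct

# First two packets of the "capture detail" example output above, copied as shown.
SAMPLE = """\
i( 1, 0, ccae)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 SA 7ab6ae46:ddb87996(0)
Dump buffer(0xa6657048), len(80 bytes)...
0xa6657048: 00900b0b 3e83001d 09f0dec2 08004500 : ....>.........E.
0xa6657058: 003c0000 40004006 e8580a0a 0b1e1e1e : .<..@.@..X......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...
0xa6657078: 16a02ea5 00000204 05b40402 080a5194 : ..............Q.
0xa6657088: 6c551f3c 1d3f0103 03072d59 f97f0000 : lU.<.?....-Y....
0xa6657098: 00000000 00000000 00000000 00000000 : ................
o( 3, 0, ccae)> ip 10.10.11.30 > 30.30.31.30 tcp 80 > 13638 SA 7ab6ae46:ddb87996(0)
Dump buffer(0xa6657048), len(80 bytes)...
0xa6657048: 001d09f0 e01e0090 0b0b3e83 08004500 : ..........>...E.
0xa6657058: 003c0000 40003f06 e9580a0a 0b1e1e1e : .<..@.?..X......
0xa6657068: 1f1e0050 35467ab6 ae46ddb8 7996a012 : ...P5Fz..F..y...
0xa6657078: 16a02ea5 00000204 05b40402 080a5194 : ..............Q.
0xa6657088: 6c551f3c 1d3f0103 03072d59 f97f0000 : lU.<.?....-Y....
0xa6657098: 00000000 00000000 00000000 00000000 : ................
"""

SUMMARY_RE = re.compile(
    r"^(?P<dir>[io])\(\s*(?P<port>\d+),\s*(?P<vlan>\d+),\s*(?P<buf>[0-9a-f]+)\)> "
    r"ip (?P<src>\S+) > (?P<dst>\S+) tcp (?P<sport>\d+) > (?P<dport>\d+) "
    r"(?P<flags>[A-Z]+) (?P<seq>[0-9a-f]+):(?P<ack>[0-9a-f]+)\((?P<plen>\d+)\)")
DUMP_RE = re.compile(r"^0x[0-9a-f]+: ([0-9a-f ]+) : ")
LEN_RE = re.compile(r"len\((\d+) bytes\)")
# Flag bits in the order that yields the page's "SA" and "PA"; "R" is an assumption.
FLAG_BITS = ((0x02, "S"), (0x01, "F"), (0x04, "R"), (0x08, "P"), (0x10, "A"))

def parse_records(text):
    """Return [(summary_fields, frame_bytes)] for each packet in the output."""
    records = []
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            records.append({"summary": m.groupdict(), "hex": "", "len": None})
        elif records and DUMP_RE.match(line):
            records[-1]["hex"] += DUMP_RE.match(line).group(1)
        elif records and LEN_RE.search(line):
            records[-1]["len"] = int(LEN_RE.search(line).group(1))
    # The dump can show more bytes than the stated length, so cut it back.
    return [(r["summary"], bytes.fromhex(r["hex"])[:r["len"]]) for r in records]

def mac(raw):
    return ":".join("%02x" % b for b in raw)

def decode_frame(frame):
    """Decode Ethernet/IPv4/TCP headers; raise ValueError for anything else."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    off = 14
    if ethertype == 0x8100 and len(frame) >= 18:  # 802.1Q tag before the real type
        (ethertype,) = struct.unpack("!H", frame[16:18])
        off = 18
    ip = frame[off:]
    if ethertype != 0x0800 or len(ip) < 20 or ip[0] >> 4 != 4:
        raise ValueError("not an IPv4 frame")
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or len(ip) < ihl + 20 or ip[9] != 6:
        raise ValueError("not a complete IPv4/TCP header")
    csum = sum(struct.unpack("!%dH" % (ihl // 2), ip[:ihl]))
    while csum >> 16:  # fold carries; a valid header sums to 0xFFFF
        csum = (csum & 0xFFFF) + (csum >> 16)
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", ip[ihl:ihl + 14])
    return {
        "dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12]),
        "ttl": ip[8], "ip_checksum_ok": csum == 0xFFFF,
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": "".join(name for bit, name in FLAG_BITS if off_flags & bit),
        "plen": struct.unpack("!H", ip[2:4])[0] - ihl - (off_flags >> 12) * 4,
    }

def analyze(text):
    """Decode every packet and list summary fields that disagree with the bytes."""
    results = []
    for s, frame in parse_records(text):
        pkt = decode_frame(frame)
        want = {"src": s["src"], "dst": s["dst"], "sport": int(s["sport"]),
                "dport": int(s["dport"]), "seq": int(s["seq"], 16),
                "ack": int(s["ack"], 16), "plen": int(s["plen"])}
        pkt["mismatch"] = [k for k, v in want.items() if pkt[k] != v]
        if set(s["flags"]) != set(pkt["flags"]):
            pkt["mismatch"].append("flags")
        pkt["dir"], pkt["port"] = s["dir"], int(s["port"])
        results.append(pkt)
    return results

if __name__ == "__main__":
    for p in analyze(SAMPLE):
        print(p["dir"], p["port"], p["src_mac"], "->", p["dst_mac"],
              "ttl", p["ttl"], p["flags"], "mismatch:", p["mismatch"])
```

In the sample, the incoming and outgoing copies of the packet differ only in the MAC addresses, the TTL (64 and 63) and the IP header checksum.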
count
Description
Syntax
Description
Maximum number of packets to capture, 0-65535. To capture an unlimited number of packets, specify 0.
Default
3000
Mode
AX debug
Example
AX(axdebug)#count 2048
delete
Description
Syntax
delete filename
Default
N/A
Mode
AX debug
Example
AX(axdebug)#delete file123
filter
Description
Syntax
Description
filter-id
This command changes the CLI to the configuration level for the specified
AX debug filter, where the following AX debug filter-related commands are
available:
Command
Description
dst
{ip ipaddr |
mac macaddr |
port portnum}
l3-protocol
{arp | ip |
ipv6}
ip ipaddr
{subnet-mask |
/mask-length}
mac macaddr
offset position
length bytes
operator value
max-value (select a
Default
No filters are configured by default. When you create one, all packets match
the filter by default.
Mode
AX debug
Usage
If a packet capture is running and you change the filter, there will be a 5-second delay while the AX device clears the older filter. The delay does not
occur if a packet capture is not already running.
The packet filter for the debug command is internally numbered filter 0. In
AXdebug, you can create multiple filters, which are uniquely identified by
filter ID. If you create filter 0 in AXdebug, this filter will overwrite the
debug packet filter. Likewise, if you configure filter 0 in AXdebug, then
configure the debug packet filter, the debug packet filter will overwrite
AXdebug filter 0.
Example
incoming | outgoing
Description
Specify the Ethernet interfaces and traffic direction for which to capture
packets.
Syntax
Default
Mode
AX debug
Example
AX(axdebug)#incoming 3 outgoing 4
Example
AX(axdebug)#outgoing 7
length
Description
Specify the maximum length of packets to capture. Packets that are longer
are not captured.
Syntax
Description
Maximum packet length, 64-1518 bytes.
Default
96
Mode
AX debug
Example
AX(axdebug)#length 128
maxfile
Description
Syntax
Description
Maximum number of files to keep, 1-65535.
Default
100
Mode
AX debug
Usage
Once the maximum is reached, the oldest axdebug files are purged to make
room for the newest ones.
Example
The following command changes the maximum number of AX debug capture files to keep to 125:
AX(axdebug)#maxfile 125
outgoing
Description
timeout
Description
Syntax
Description
Maximum number of minutes to capture packets,
0-65535.
Default
Mode
AX debug
Example
AX(axdebug)#timeout 10
Show Commands
The show commands display configuration and system information.
In addition to the command options provided with some show commands,
you can use output modifiers to search and filter the output. See Searching
and Filtering CLI Output on page 34.
To automatically re-enter a show command at regular intervals, see repeat
on page 64.
The show slb commands are described in a separate chapter. See SLB
Show Commands on page 659.
Note:
show access-list
Description
Display the configured Access Control Lists (ACLs). The output lists the
configuration commands for the ACLs in the running-config.
Syntax
Description
ipv4 | ipv6
IP address type.
acl-id
Mode
Example
The ACL Hits counter is not applicable to ACLs applied to the management port.
Note:
show active-partition
Description
Show the active partition, which is the system partition the CLI session is
currently managing.
Partitions are used by Role-Based Administration (RBA).
show active-partition
Mode
Example
The following command shows that the partition currently being managed
by the CLI session is the shared partition:
AX#show active-partition
Currently active partition: shared
show admin
Description
Syntax
Description
admin-name
Administrator name.
detail
session
Mode
Example
AX(config)#show admin
UserName      Status    Privilege    Partition
------------------------------------------------------
admin         Enabled   Root
admin2        Enabled   Read/Write
compAadmin    Enabled   P.R/W        companyA
compBadmin    Enabled   P.R/W        companyB
Field: Description
Privilege: Access privilege level for the account:
  Root: Allows access to all levels of the system. This account is the admin account called admin and cannot be deleted. This is the only privilege level that can configure other admin accounts.
  Read/Write: Allows access to all levels of the system. This account is not the admin account and can be deleted.
  Read only: Allows monitoring access to the system but not configuration access. In the CLI, this account can only access the User EXEC and Privileged EXEC levels, not the configuration levels. In the GUI, this account cannot modify configuration information.
  P.R/W: The admin has read-write privileges within the private partition to which the admin has been assigned. The admin has read-only privileges for the shared partition.
  P.R: The admin has read-only privileges within the private partition to which the admin has been assigned, and read-only privileges for the shared partition.
  P.RS Op: The admin is assigned to a private partition but has permission only to view service port statistics for real servers in the partition, and to disable or re-enable the real servers or their service ports.
  Note: The P (partition) privilege levels apply to Role-Based Administration (RBA). See the Role-Based Administration chapter of the AX Series Configuration Guide.
Partition: Private partition to which the admin is assigned.
Example
admin
Enabled
Root
Any
No
Encrypted
$1$6334ba07$CKbWL/LuSNdY12kcE.KdS0
Field: Description
User Name: Name of the AX admin.
Status: Administrative status of the account.
Privilege: Access privilege level for the account:
  Root: Allows access to all levels of the system. This account is the admin account called admin and cannot be deleted.
  Read/Write: Allows access to all levels of the system. This account is not the admin account and can be deleted.
  Read only: Allows monitoring access to the system but not configuration access. In the CLI, this account can only access the User EXEC and Privileged EXEC levels, not the configuration levels. In the GUI, this account cannot modify configuration information.
  Partition-write: The admin has read-write privileges within the private partition to which the admin has been assigned. The admin has read-only privileges for the shared partition.
  Partition-read: The admin has read-only privileges within the private partition to which the admin has been assigned, and read-only privileges for the shared partition.
  Partition-enable-disable: The admin is assigned to a private partition but has permission only to view service port statistics for real servers in the partition, and to disable or re-enable the real servers and their service ports.
Partition: Private partition to which the admin is assigned.
  Note: A partition name appears only for admins with Partition-write, Partition-read, or Partition-enable-disable privileges. For other privilege levels, this field is blank.
Trusted Host(Netmask): IP host or subnet address from which the admin must log in.
Lock Status: Indicates whether the admin account is currently locked.
Lock Time: If the account is locked, indicates how long the account has been locked.
Unlock Time: If the account is locked, indicates how long the account will continue to be locked.
Password Type: Indicates whether the password is encrypted when displayed in the CLI or GUI and in the startup-config and running-config.
Password: The admin's password.
The following command lists all the currently active admin sessions:
Cfg
Yes
No
No
show aflex
Description
Syntax
Mode
Usage
AX#show aflex
Total aFleX number: 6
Name                  Syntax    Virtual port
------------------------------------------------------------
aFleX_Remote          No        No
aFleX_check_agent     No        No
aFleX_relay_client    Check     No
bugzilla_proxy_fix    Check     Bind
http_to_https         Check     No
louis                 No        No
Virtual port
show arp
Description
Syntax
Mode
Example
The following command lists the ARP entry for host 192.168.1.144:
Field: Description
Total arp entries: Total number of entries in the ARP table. This total includes static and learned (dynamic) entries.
Age time: Number of seconds a dynamic ARP entry can remain in the table before being removed.
IP Address: IP address of the device.
MAC Address: MAC address of the device.
Type: Indicates whether the entry is static or dynamic.
Age: For dynamic entries, the number of seconds since the entry was last used.
Interface: AX interface through which the device that has the displayed MAC address and IP address can be reached.
Vlan: VLAN through which the device that has the MAC address can be reached.
show audit
Description
Syntax
Mode
Usage
The audit log is maintained in a separate file, apart from the system log. The
audit log is RBA-aware. The audit log messages that are displayed for an
admin depend upon the admin's role (privilege level). Admins with Root,
Read Write, or Read Only privileges who view the audit log can view all the
messages, for all system partitions. To display the messages for a specific
Role-Based Administration (RBA) partition only, use the partition name
option.
Admins who have privileges only within a specific partition can view only
the audit log messages related to management of that partition. Partition
Real Server Operator admins cannot view any audit log entries.
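The visibility rules above can be checked against an admin inventory. The following is an added example, not A10 code: it parses show admin rows like the ones printed in this reference and models which audit records each admin would see. The audit record layout, the two extra admin rows, and the mapping of the P.RS Op privilege to "Partition Real Server Operator" are assumptions made for illustration.

```python
# "show admin" sample rows as printed in this reference.
SHOW_ADMIN = """\
UserName      Status    Privilege    Partition
-------------------------------------------------------
admin         Enabled   Root
admin2        Enabled   Read/Write
compAadmin    Enabled   P.R/W        companyA
compBadmin    Enabled   P.R/W        companyB
"""

# Constructed rows (not from the reference) covering the remaining privilege levels.
EXTRA_ROWS = """\
auditor       Enabled   Read only
compAops      Enabled   P.RS Op      companyA
"""

# Constructed audit records: (partition, message). The layout is hypothetical;
# the reference does not show the audit log format.
AUDIT = [
    ("shared", "admin changed ha priority"),
    ("companyA", "compAadmin added real server rs1"),
    ("companyB", "compBadmin disabled virtual port 80"),
    ("companyA", "compAops disabled real server rs1"),
]

GLOBAL = {"Root", "Read/Write", "Read only"}   # see all partitions
PARTITION_SCOPED = {"P.R/W", "P.R"}            # see own partition only
NO_AUDIT = {"P.RS Op"}                         # assumed: real server operator
# Longest names first so "P.RS Op" is tried before "P.R".
PRIVILEGES = sorted(GLOBAL | PARTITION_SCOPED | NO_AUDIT, key=len, reverse=True)


def parse_show_admin(text):
    """Return a list of admins parsed from show admin table rows."""
    admins = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "UserName":
            continue  # blank line, separator, or header
        name, status, rest = fields[0], fields[1], " ".join(fields[2:])
        for priv in PRIVILEGES:
            if rest == priv or rest.startswith(priv + " "):
                partition = rest[len(priv):].strip() or None
                admins.append({"name": name, "status": status,
                               "privilege": priv, "partition": partition})
                break
        else:
            raise ValueError(f"unknown privilege in row: {line!r}")
    return admins


def visible_audit(admin, records, partition=None):
    """Audit records the admin can view; partition models the partition option."""
    priv = admin["privilege"]
    if priv in GLOBAL:
        return [r for r in records if partition is None or r[0] == partition]
    if priv in PARTITION_SCOPED and admin["partition"]:
        if partition not in (None, admin["partition"]):
            return []  # asking for another partition yields nothing
        return [r for r in records if r[0] == admin["partition"]]
    # P.RS Op, or a partition admin with no partition assigned: fail closed.
    return []


if __name__ == "__main__":
    for a in parse_show_admin(SHOW_ADMIN + EXTRA_ROWS):
        seen = visible_audit(a, AUDIT)
        print(f'{a["name"]:<12}{a["privilege"]:<12}{len(seen)} of {len(AUDIT)} records')
```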
Syntax
Example
The following command displays the list of AX debug capture files on the
device:
Example
The following command displays the packet capture data in file file123:
show bootimage
Description
Syntax
Mode
AX#show bootimage
(* = Default)
                           Version
-----------------------------------------------
Hard disk primary          1.2.0.153 (*)
Hard disk secondary        1.2.1.24
Compact flash primary      1.1.1.68 (*)
Compact flash secondary    1.1.1.51
The asterisk ( * ) indicates the default image for each boot device (hard disk
and compact flash). The default image is the one that the AX Series device
will try to use first, if trying to boot from that boot device. (The order in
which the AX tries to use the image areas is controlled by the bootimage
command. See bootimage on page 89.)
show bpdu-fwd-group
Description
Syntax
Description
Displays the configuration of the specified
BPDU forwarding group. If you omit this option,
all configured BPDU forwarding groups are
shown.
number
Mode
Example
AX#show bpdu-fwd-group
BPDU forward Group 1 members: ethernet 1 to 3
BPDU forward Group 2 members: ethernet 9 to 12
show bridge-vlan-group
Description
Syntax
Mode
show bw-list
Description
Syntax
Description
name
detail
ipaddr
Default
N/A
Mode
Config
Example
AX#show bw-list
Name    Url                             Size(Byte)    Date
----------------------------------------------------------------------------
bw1     tftp://192.168.1.143/bwl.txt    106           Jan/22 12:48:01
bw2     tftp://192.168.1.143/bw2.txt    211           Jan/23 10:02:44
bw3     tftp://192.168.1.143/bw3.txt    192           Feb/11 08:02:01
bw4     Local                           82            Dec/12 21:01:05
Total: 4
Example
test
URL:              tftp://192.168.20.143/bwl_test.txt
Size:             226
Date:             May/11 12:04:00
Update period:    120 seconds
Update times:
bytes
Content
-----------------------------------------------------------------------------
1.1.1.0 #13
1.1.1.1 #13
1.1.1.2 #13
1.1.1.3 #13
1.1.1.4 #13
show class-list
Description
Syntax
Description
name [ipaddr]
Mode
Example
AX#show class-list
Name
IP
Subnet
Location
test
file
user-limit
14
config
Total: 2
Description
Name of the class list.
Number of host IP addresses in the class list.
Number of subnets in the class list.
Description
Indicates whether the class list is in the startup-config or in a
standalone file:
config Class list is located in the startup-config.
Total
test
Total IP subnet:
Content:
1.1.1.1 /32 glid 1
2.2.2.2 /32 glid 2
10.1.2.1 /32 lid 1
10.1.2.2 /32 lid 2
20.1.1.0 /24 lid 1
20.1.2.0 /24 lid 2
0.0.0.0 /0 lid 31
The following commands show the closest matching entries for specific IP
addresses in class list test:
AX#show class-list test 1.1.1.1
1.1.1.1 /32 glid 1
AX#show class-list test 1.1.1.2
0.0.0.0 /0 lid 31
The class list contains an entry for 1.1.1.1, so that entry is shown. However,
since the class list does not contain an entry for 1.1.1.2 but does contain a
wildcard entry (0.0.0.0), the wildcard entry is shown.
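The lookup behaviour described above can be reproduced offline when reviewing a class list. This is an added example, not A10 code: it parses the entries of class list test shown above and returns the closest match for an address, assuming "closest" means the longest matching prefix (which is consistent with both lookups shown). The function names are hypothetical.

```python
import ipaddress

# Entries copied from the "show class-list test" output shown above.
CLASS_LIST_TEST = """\
1.1.1.1 /32 glid 1
2.2.2.2 /32 glid 2
10.1.2.1 /32 lid 1
10.1.2.2 /32 lid 2
20.1.1.0 /24 lid 1
20.1.2.0 /24 lid 2
0.0.0.0 /0 lid 31
"""


def parse_class_list(text):
    """Parse 'address /prefix {lid|glid} number' lines into entry dicts."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if (len(parts) != 4 or not parts[1].startswith("/")
                or parts[2] not in ("lid", "glid") or not parts[3].isdigit()):
            raise ValueError(f"line {lineno}: unrecognized entry {line!r}")
        # strict=True rejects entries with host bits set, such as 20.1.1.5 /24.
        network = ipaddress.ip_network(parts[0] + parts[1], strict=True)
        entries.append({"network": network, "kind": parts[2],
                        "id": int(parts[3]), "text": line})
    return entries


def closest_match(entries, addr):
    """Return the entry with the longest prefix containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    candidates = [e for e in entries
                  if e["network"].version == ip.version and ip in e["network"]]
    if not candidates:
        return None  # no wildcard entry and no specific entry
    return max(candidates, key=lambda e: e["network"].prefixlen)


def wildcard_only(entries, addrs):
    """Addresses that are covered only by a /0 catch-all entry."""
    result = []
    for addr in addrs:
        match = closest_match(entries, addr)
        if match is not None and match["network"].prefixlen == 0:
            result.append(addr)
    return result


if __name__ == "__main__":
    entries = parse_class_list(CLASS_LIST_TEST)
    for addr in ("1.1.1.1", "1.1.1.2", "20.1.2.77"):
        match = closest_match(entries, addr)
        print(addr, "->", match["text"] if match else "no match")
```

Running wildcard_only over a list of expected client addresses shows which of them would receive the catch-all limit ID rather than a specific one.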
show clock
Description
Syntax
Description
Shows the clock source, which can be one of the
following:
Time source is NTP
Time source is user configuration
Mode
Example
Example
If a dot appears in front of the time, the AX Series has been configured to
use NTP but NTP is not synchronized. The clock was in sync, but has since
lost contact with all configured NTP servers.
AX#show clock
.20:27:16 Europe/Dublin Sat Apr 28 2007
Example
If an asterisk appears in front of the time, the clock is not in sync or has
never been set.
AX#show clock
*20:27:16 Europe/Dublin Sat Apr 28 2007
show core
Description
Syntax
Description
Shows core dump statistics for AX processes.
Without this option, system core dump statistics
are shown instead.
Mode
Example
AX#show core
It has been rebooted 1 time.
It has been crashed 0 time.
The process is up 71048 sec.
show cpu
Description
Syntax
Description
interval
seconds
Automatically refreshes the output at the specified interval. If you omit this option, the output is
shown one time. If you use this option, the output
is repeatedly refreshed at the specified interval
until you press ctrl+c.
Mode
Example
2%
0%
0%
2%
0%
0%
AX#
Description
System time when the statistics were gathered.
Control CPU.
Data CPU. The number of data CPUs depends on the AX
model.
Time intervals at which statistics are collected.
show debug
Description
Syntax
show debug
Mode
Example
AX#debug ip
AX#show debug
debug ip is on
show disk
Description
Syntax
show disk
Mode
Example
AX#show disk
Total(MB)    Used    Free      Usage
----------------------------------------
154104       5895    148209    4.0%
Device    Primary Disk    Secondary Disk
---------------------------------------------
md0       Active          Active
md1       Active          Active
Field
Total(MB)
Description
Total amount of data the hard disk can hold.
Used
Free
Description
Percentage of the disk that is in use.
Virtual partition on the disk:
md0 The boot partition
md1 The A10 data partition
Status of the left hard disk in the redundant pair:
Primary Disk
Secondary Disk
show dns
Description
Syntax
Mode
Example
show dns-cache-stat
Description
Syntax
show dns-cache-stat
Mode
Example
AX#show dns-cache-stat
Total query: 100
Total server response: 55
Total cache hit: 49
Query not passed: 0
Response not passed: 0
Query encoded: 0
Response encoded: 0
Query with multiple questions: 0
Response with multiple questions: 0
Total aged out: 0
Description
Total number of DNS queries received by the AX device.
Total number of responses from DNS servers received by the
AX device.
Total number of times the AX device was able to use a
cached reply in response to a query.
Number of queries that did not pass a packet sanity check.
Number of responses that did not pass a packet sanity check.
The AX device checks the DNS header and question in the
packet, but does not parse the entire packet.
Number of queries that were not cached because the domain
name in the question was encoded in the DNS query packet.
Number of queries that were not cached because the domain
name in the question was encoded in the DNS response
packet.
Number of queries that were not cached because they contained multiple questions.
Number of responses that were not cached because they contained answers for multiple questions.
Description
Total number of DNS cache entries that have aged out of the
cache.
show dumpthread
Description
Syntax
Mode
Example
The following command shows status information for the SLB process:
AX#show dumpthread
It has been rebooted 1 time.
It has been crashed 0 time.
The process is up 101102 sec.
show environment
Description
Syntax
Mode
Example
AX#show environment
Physical System temperature: 56C / 132F
Fan1 speed: 2576 RPM
Fan2 speed: 2576 RPM
Fan3 speed: 2576 RPM
Upper Power Unit State: On
Lower Power Unit State: On
show errors
Description
Show error information for the system. This command provides a simple
way to quickly view system status and error statistics.
Syntax
show errors
[
application [sub-options] |
critical [detail] |
detail |
informational [detail] |
system [sub-options]
]
Option
application
[sub-options]
Description
Displays error information for AX applications.
The following sub-options are available.
critical [detail]
detail
ha
[critical [detail]]
[detail]
[informational [detail]]
hw-compression
[critical [detail]]
[detail]
[informational [detail]]
informational [detail]
ipnat
[critical [detail]]
[detail]
[informational [detail]]
l2-l3-forward
[critical [detail]]
[detail]
[informational [detail]]
detail
informational
[detail]
system
[sub-options]
Example
AX#show errors
Hardware components status
===========================
Physical System temperature: 36C / 96F
CPU Fan1 speed: 5818 RPM
CPU Fan2 speed: 5720 RPM
Upper Power Unit State: On
Lower Power Unit State: Off
Total(MB)    Used    Free      Usage
----------------------------------------
157065       5777    151287    3.6%
Device    Primary Disk
------------------------------
md0       Active
md1       Active
Free
Shared
Buffers
Cached
Usage
--------------------------------------------------------------------------2074308
316048
37324
256232
72.4%
5Sec 10Sec 30Sec 60Sec
--------------------------------------------------------
Control 31% 30% 25% 25% 26%
Data1 0% 0% 0% 0% 0%
Data2 0% 0% 0% 0% 0%
Data3 0% 0% 0% 0% 0%
Data4 0% 0% 0% 0% 0%
Data5 0% 0% 0% 0% 0%
: 16
: 57
VLAN Flood
: 175313
: 1741315
Retries:
: 28982
Timeouts:
: 9
Example
: 0
: 0
: 16
Packet drops:
: 0
Example
The following command shows detailed error statistics for SLB health monitoring:
: 0
: 1742518
: 0
Unexpected error:
: 0
Retries:
: 29002
Timeouts:
: 9
Description
fwall-name
config
Mode
Usage
To display configuration information for the firewall, use the config option.
To display statistics instead, do not use the config option.
Example
Example
Description
Total number of individual service ports configured on the
firewall.
If the number is 0, then FWLB applies to all services on the
firewall.
Firewall or service name.
IP address of the firewall.
Health check assigned to the firewall path or service.
Status of the firewall service.
Maximum number of connections allowed through the firewall or service.
Administrative weight assigned to the firewall or service.
Description
Total number of individual service ports configured on the
firewall.
If the number is 0, then FWLB applies to all services on the
firewall.
Firewall or service name.
Current number of connections through the firewall.
Total number of connections through the firewall.
Number of request packets sent through the firewall.
Number of server response packets received from the real
servers on the other side of the firewall.
State of the firewall or service.
Description
Number of request packets for the service.
Number of response packets from the service.
Number of request bytes for the service.
Number of response bytes for the service.
Current number of connections through the firewall for the
service.
Number of persistent connections through the firewall.
Total number of connections to the service through the firewall.
Description
group-name
config
Mode
Usage
To display configuration information for the firewall group, use the config
option. To display statistics instead, do not use the config option.
Example
Example
Description
Name of the service group.
Type of service group. For FWLB, the type is firewall.
Load-balancing method used to select firewalls in the group.
Number of firewalls in the group.
Member number, assigned by the AX Series for use in this
show command's output.
Priority value assigned to the firewall when it was added to
the service group.
Description
Name of the service group.
Firewall or service name.
Number of request packets for the service.
Number of response packets from the service.
Number of request bytes for the service.
Number of response bytes for the service.
Current number of connections through the firewall for the
service.
Number of persistent connections through the firewall.
Description
Total number of connections to the service through the firewall.
Description
Displays configuration information.
config
Mode
Usage
To display configuration information for the virtual firewall, use the config
option. To display statistics instead, do not use the config option.
Example
Description
Total number of services configured on the virtual firewall. If
no individual service ports were configured, the number is
1.
Name of the virtual firewall.
Service group and service port bound to the virtual firewall.
State of connection mirroring for the virtual firewall or individual service port.
Description
Total number of services configured on the virtual firewall. If
no individual service ports were configured, the number is
1.
Name of the virtual firewall.
Firewall service group bound to the virtual firewall or service.
Service port number and transport protocol, TCP or UDP.
Current number of connections through the firewall to the
service.
Number of request packets sent through the firewall to the
service.
Number of response packets received through the firewall
from the service.
Show the DNS messages cached on the GSLB AX device. The GSLB AX
device caches DNS replies if either of the following GSLB policy options
is enabled:
  DNS caching
  Active RTT metric (if the single-shot option is used)
Syntax
Description
zone-name
service-name
Mode
Example
Description
GSLB zone name.
GSLB service.
Alias, if configured, that maps to the DNS Canonical Name
(CNAME) for the service.
Length of the DNS message, in bytes.
Number of seconds for which the cached message is still
valid.
Syntax
Description
Displays the geo-location database. If you specify a geo-location name, only the entries for that
geo-location are shown. Otherwise, entries for all
geo-locations are shown.
ip-range Displays entries for the specified IP
address range.
depth num Specifies how many nodes within
the geo-location data tree to display. For example, to display only continent and country entries
and hide individual state and city entries, specify
depth 2. By default, the full tree (all nodes) is displayed.
statistics Displays client statistics for the specified geo-location.
file
[file-name]
rtt [options]
Mode
Usage
The matched client IP address and the hits counter indicate the working status of the geo-location configuration.
Example
Description
Name of the geo-location.
Beginning address in the address range assigned to the geo-location.
Hits
Sub
Description
Ending address in the address range assigned to the geo-location.
Client IP address that most recently matched the geo-location. If the value is empty, no client addresses have
matched.
Total number of client IP addresses that have matched the
geo-location.
Number of sublocations within the geo-location. For example, if you configure the following geo-locations, geo-location pc has two sublocations, pc.office and pc.lab.
geo-location pc 10.1.0.0 mask /16
geo-location pc.office 10.1.1.0 mask /24
P-Name
Example
The following command shows the load status information for a geo-location database file:
Example
Mode
Example
Description
Name of the GSLB policy.
Name of the GSLB metric.
For GSLB metrics, indicates the order in which the metrics
are used.
Metric or option name.
For metrics, indicates whether they are enabled (yes or no).
For options, indicates the value.
Description of the metric or option.
Syntax
Show the status of the GSLB protocol on the GSLB AX Series and the SLB
devices (site AX Series).
show gslb protocol
Mode
Example
0
1
0
34411
1407
0
0
1
0
34411
1407
Syntax
Description
geo-location
slb-device
local-info
passive
active
both
site site-name
depth num
Specifies how many nodes within the geo-location data tree to display. For example, to display
only continent and country entries and hide individual state and city entries, specify depth 2. By
default, the full tree (all nodes) is displayed.
Usage
All of the options except local-info are applicable when you enter the command on a GSLB AX device. To display local RTT data on a site AX
device, enter the command on the site AX device and use the local-info
option.
Example
Here is an example of the output for this command when entered on the
GSLB AX device:
TTL T|
-----------------------------------------------------------------------------
10.10.10.2 10 A|
20.20.20.21 10 A| 41 40 29 46 38 42 34 30
192.168.217.1 10 A| 38 54 46 50 43 38
192.168.217.11 10 A| 41 40 29 46 38 42 34 30
Device: site2/local
IP TTL T|
-----------------------------------------------------------------------------
10.10.10.2 10 A| 35 52 35 40 54 56 44 48
20.20.20.21 10 A| 20 20 16 16 20 16 20 18
192.168.217.1 10 A| 16 44 20 16 20 18
192.168.217.11 10 A| 20 20 16 16 20 16 20 18
Site T RTT TS
-----------------------------------------------------------------------------
cn.sh
cn.bj
jp
us
site1 A 38 10
site2 A 18 10
site1 A 30 10
site2 A 18 10
site1 A 30 10
site2 A 18 10
site1 A 0 10
site2 A 48 10
This example shows the default display (with no additional options). The
TTL results are organized by site AX device, then by geo-location.
Description
Site AX device.
IP address at the other end of the RTT exchange.
Time-to-live for the RTT entry.
RTT type:
A Active RTT, which measures the round-trip-time for a
DNS query and reply between a site AX device and the
GSLB local DNS.
1-8
Geo-location
Site
T
RTT
TS
Syntax
Description
service-name |
vipaddr
port-num
range-start
Mode
Usage
The number of connections on the site is sampled based on the GSLB status
interval. (This is configurable using the gslb protocol command. See gslb
protocol on page 434.) Samples are listed row by row. The first 7 samples
appear on row 1, the second 7 samples appear on row 2, and so on.
If you disable the GSLB protocol, the data is cleared.
Example
The following example shows connection activity for virtual port 80 on virtual server china.
Description
num-samples
num-samples
service-name |
vipaddr
port-num
Mode
In this example, five samples, taken at 5-second intervals, are shown for
each of four services (ip1:80 to ip4:80). The services are listed by service IP
and service port.
In each section, the numbers across the top are column numbers. The numbers along the leftmost column are row numbers. The other numbers are the
actual connection load data. For example, for ip1:80 (service port 80 on service IP ip1), there were no connections during the first or second data
samples, and 11 connections during the third sample.
Show the round-trip time (RTT) between the GSLB AX Series and a client.
show gslb samples rtt
[geo-location-name
[passive [geo-location-name ...]
[site site-name] [depth num] |
[active [geo-location-name ...]
[site site-name] [depth num] |
[both [geo-location-name ...]
[site site-name] [depth num]]
[slb-device
[passive [geo-location-name ...]
[site site-name] [depth num] |
[active [geo-location-name ...]
[site site-name] [depth num] |
[both [geo-location-name ...]
[site site-name] [depth num]]
[local-info]
Option
Description
geo-location-name
Mode
slb-device
local-info
passive
active
both
site site-name
depth num
Specifies how many nodes within the geo-location data tree to display. For example, to display
only continent and country entries and hide individual state and city entries, specify depth 2. By
default, the full tree (all nodes) is displayed.
Eight RTT samples are displayed for each device. Times are shown in
10-millisecond (ms) increments. In the example below, the first RTT time
for Device1 is 50 ms.
If you disable the GSLB protocol, the data is cleared.
Syntax
dns-a-record
dns-cname-record
dns-mx-record
session
service-name
zone zone-name
ip ipaddr
{subnet-mask |
/mask-length}
Mode
Description
Example
Description
service-name |
vipaddr
local-info
Description
Device name and service IP name.
IP address of the service.
Indicates whether the service IP is a virtual server IP address
(Y) or a real server IP address (N).
Indicates whether the service IP is enabled.
Indicates the service IP state: UP or DOWN.
Number of service ports on the service IP.
Number of times the service IP has been selected.
Show information about the GSLB service ports configured on the sites.
Syntax
Description
Shows local SLB virtual-port information.
Mode
Example
The following command shows information about all the configured GSLB
service ports.
Description
Service IP address and service port number.
Indicates whether the service port is reached using the GSLB
protocol or the local (SLB) protocol.
Indicates the service state: UP or DOWN.
Number of active real servers for the service.
Current number of connections to the service.
Description
service-name
zone zone-name
ip ipaddr
{subnet-mask |
/mask-length}
Mode
Example
In this example, there is 1 client session with the HTTP service on www.testme.com.
Description
Client IP address.
IP address selected by the GSLB policy as the best address.
DNS mode in use for the session. The field can contain one of the following values:
  Proxy: The GSLB AX device is configured to be a DNS proxy for the service. The GSLB AX device intercepts DNS queries for the zone and service, sends them to the DNS server, and modifies the replies to contain the best IP address based on the GSLB policy, before sending the replies to clients.
    Note: This is the default DNS mode, which takes effect after the DNS proxy is configured on the GSLB AX device.
  Cache: The GSLB AX device is configured to cache DNS replies. This mode is enabled by the DNS cache option in the GSLB policy.
Hits
TTL
Upd
Init
Description
site-name
bw-cost
statistics
Displays statistics.
Mode
Example
Description
GSLB site name.
Device name and device IP address or real server name and
real server IP address.
Virtual IP address for the service.
Virtual port number.
Virtual port state.
Number of times the service IP was selected.
Example
Description
GSLB site name.
SNMP template name.
Current value of the SNMP object used for measurement.
Highest value of the SNMP object used for measurement.
Limit configured for the bw-cost metric.
Indicates whether the site is usable, based on the bw-cost
measurement.
Data type of the SNMP object.
Data length of the SNMP object.
Value of the SNMP object.
Time interval between measurements.
Table 29 describes the fields in the command output when the statistics
option is used.
TABLE 29 show gslb site statistics fields
Field: Description
Site: GSLB site name.
Hits: Number of times the site was selected.
Last: Site that was most recently selected.
Description
device-name
local-info
rtt options
Mode
Example
Description
Site name and device name.
SLB device's IP address.
Administrative preference for the device.
Current session utilization on the device.
Number of sessions available on the device.
Number of service IPs on the device.
Syntax
Mode
Usage
To collect state information, enable GSLB debugging and use the state
option. (See the example below.)
Example
Show statistics for the GSLB protocol, for sites, or for zones.
Syntax
Mode
Usage
The show gslb statistics message command shows the same output as the
show gslb protocol command. Similarly, the show gslb statistics site command shows the same output as the show gslb site statistics command, and
the show gslb statistics zone command shows the same output as the show
gslb zone statistics command.
0
1
3
5101
1218
0
0
1
1
0
22
1
0
0
0
1
0
22
1
0
0
Mode
Description
zone-name
dns-mx-record
statistics
Example
Description
Zone name.
Service type and service name.
GSLB policy name.
DNS TTL value set by GSLB in DNS replies to queries for
the zone address.
Description
Zone and service name to which the MX record belongs.
Name of the MX record.
Priority (preference) set for the MX record.
Number of times the record has been used.
Most recent time the record was used.
M-Svr
M-Sticky
Description
Zone name.
Number of GSLB services configured for the zone.
show ha
Description
Show the status of each HA group. The output shows information for the
AX device on which you enter the command, and the device's HA peer.
Syntax
show ha [config | detail]
Description
config
detail
Shows HA statistics.
Mode
Example
AX#show ha
Local Unit:
HA Group
1
2
UP
Unit
Local
Peer
Local
Peer
Peer Unit:
State
Active
Standby
Active
Standby
Example
AX#show ha detail
Local Unit:
UP
HA Group
Unit
1
Local
Peer
Transitions
Pkts processed
Peer Unit:
State
Active
Standby
Active
2
559826
Connectivity:
HA packets:
Conn Sync:
0
0
6
Sent
0
0
403435
0
0
403435
UP
Priority
200
100
Standby
2
568
Server Ports
Sent
Sent
HA errors:
Dup HA ID
Version Mismatch
Missed Heartbeat
HA Port
1
3
4
5
6
9
UP
Priority
200
100
255
100
2
806870
2039
Invalid Group
SetId Mismatch
Timer Msgs
Recvd
0
0
0
0
0
397769
Router Ports
Received
Received
2
397769
0
0
0
0
Missed Heartbeat
0
0
0
0
0
6
0
0
IP:
IP:
MAC:
0
235
Description
Shows the HA operational status of this AX device.
Shows the HA operational status of the other AX device.
HA Group
Transitions
Pkts processed
Connectivity
HA packets
Conn Sync
Description
Shows HA error statistics:
Dup HA ID: Number of incoming HA hello (heartbeat) packets that had the same HA ID as the HA ID of this AX device (the local AX device).
Invalid Group: Number of incoming HA hello packets that had an invalid group ID.
Version Mismatch: Number of incoming HA hello packets that had a packet version mismatch.
SetId Mismatch: Number of incoming HA hello packets that had an HA set ID mismatch.
Missed Heartbeat: Total number of heartbeat (hello) packets expected from the peer HA device that were not received.
HA Port
Inline L2 HA
Peer Port
Misc Packet statistics
Active mode
stats
Standby mode
stats
Example
AX#show ha config
ha id 1
ha group 1 priority 255
ha group 2 priority 255
ha time-interval 3
ha preemption-enable
ha conn-mirror ip 172.22.66.2
show ha mac
Description
Syntax
show ha mac
Mode
Usage
The following command shows the virtual MAC addresses for configured
HA groups 1 and 2:
AX#show ha mac
HA Group
MACs
021f.a000.0021
021f.a000.0022
show health
Description
Syntax
Description
monitor [name]
Mode
Usage
To display health monitor information for a specific Role-Based Administration (RBA) partition only, use the partition name option.
Example
The following command shows configuration settings and status for health
monitor ping:
monitor ping
ping
30
3
5
In use
ICMP
The output shows the method used for the monitor, and the settings for each
of the parameters that are configurable for that method.
Example
IP address       Port  Health monitor  Status  Cause(Up/Down/Retry)  PIN
--------------------------------------------------------------------------------
10.10.10.99            default         Down    0 /48 /854            2 /0
4.4.4.4                default         Down    0 /48 /854            2 /0
8.4.3.2                default         Down    0 /48 /854            2 /0
99.99.99.99            default         Down    0 /48 /854            2 /0
10.10.10.88            default         Down    0 /48 /854            2 /0
10.10.10.88      80    qrs             Down    0 /34 /0              2 /0
10.10.10.88      80    tuv             Down    0 /34 /0              2 /0
10.10.10.88      80    wxyz            Down    0 /34 /0              2 /0
Number of timer
adjustment
Timer offset
Opened socket
Open socket
failed
Close socket
Send packet
Send packet
failed
Description
Time elapsed since the health monitoring process started.
Number of times the system detected that a health check
would leave the AX device as a traffic burst, and remedied
the situation.
Number of times the system made internal time keeping
adjustments to synchronize with the system clock.
Offset of internal time keeping from the system clock, in
microseconds.
Number of sockets opened.
Number of failed attempts to open a socket.
Number of sockets closed.
Number of health check packets sent to the target of the
health monitor.
Number of sent health check packets that failed. (This is the
number of times a target server or service failed its health
check.)
Description
Number of packets received from the target in reply to health
checks.
Number of failed receive attempts.
Number of times a health check was resent because the target
did not reply.
Number of times a response was not received before the
health check timed out.
Number of unexpected errors that occurred.
IP address of the real server.
Protocol port on the server.
Name of the health monitor.
Cause
(Up/Down/
Retry)
PIN
Status
show history
Description
Syntax
show history
Mode
Usage
Commands are listed starting with the oldest command, which appears at
the top of the list.
The following example shows commands entered by the tech writer while
drafting this chapter:
AX#show history
enable
show version
show access-list
show admin
show admin admin
show admin detail
show admin session
show admin admin detail
show arp
show arp 192.168.1.144
show aflex
show bootimage
show bw-list sample-bw-list 1.1.1.1
show bw-list
show clock
show clock detail
show core
show cpu interval 1
show cpu interval 10
show debug
show disk
show dumpthread
--MORE--
show icmp
Description
Syntax
Mode
Example
The following command shows ICMP rate limiting settings, and the number
of ICMP packets dropped because the threshold has been exceeded:
AX(config)#show icmp
Global rate limit:                5
Global lockup rate limit:         10
Lockup period:                    20
Current global rate:              0
Global rate limit drops:          0
Interfaces rate limit drops:      0
Virtual server rate limit drops:  0
Total rate limit drops:           0
show interfaces
Description
Syntax
Mode
Example
Example
Example
show ip dns
Description
Syntax
show ip dns
Mode
Example
AX#show ip dns
DNS suffix: org
Primary server: 192.168.1.50
Secondary server: None
show ip fib
Description
Syntax
This command is applicable only on AX Series devices that are configured in route mode. The command returns an error if you enter it on a
device configured for transparent mode.
show ip fib
Mode
Example
The following command shows the FIB entries on an AX Series device configured in route mode:
show ip helper-address
Description
Syntax
Mode
Example
AX3200(config)#show ip helper-address
Interface  Helper-Address  RX            TX            No-Relay      Drops
---------  --------------  ------------  ------------  ------------  ------------
eth1       100.100.100.1   0             0             0             0
ve5        100.100.100.1   1669          1668          0             1
ve7                        1668          1668          0             0
ve8        100.100.100.1   0             0             0             0
ve9        20.20.20.102    0             0             0             0
Description
AX interface. Interfaces appear in the output in either of the
following cases:
A helper address is configured on the interface.
Helper-Address
RX
TX
Description
Number of packets that were examined for DHCP relay but
were not relayed, and instead received regular Layer 2/3 processing.
Generally, this counter increments in the following cases:
DHCP packets are received on an interface that does not
have a helper address and the packets are not destined to
the relay.
DHCP packets are received on an interface that does have
a helper address, but the packets are unicast directly from
the client to the server and do not need relay intervention.
Number of packets that were ineligible for relay and were
dropped.
Drops
Example
: 0
TX: 0
BootRequest Packets : 0
BootReply Packets
: 0
No-Relay: 0
Drops:
Invalid BOOTP Port
: 0
: 0
: 0
: 0
Invalid Dest IP
: 0
Exceeded TTL
: 0
No Route to Dest
: 0
: 0
TX: 14
BootRequest Packets : 0
BootReply Packets
: 14
No-Relay: 0
Drops:
Invalid BOOTP Port
: 0
: 0
: 0
: 0
Invalid Dest IP
: 0
Exceeded TTL
: 0
No Route to Dest
: 2
: 14
TX: 14
BootRequest Packets : 14
BootReply Packets
: 0
No-Relay: 0
Drops:
Invalid BOOTP Port
: 0
: 0
: 0
: 0
Invalid Dest IP
: 0
Exceeded TTL
: 0
No Route to Dest
: 0
Description
AX interface.
IP address configured on the AX interface as the DHCP
helper address.
DHCP packet statistics:
RX: Total number of DHCP packets received on the interface.
BootRequest Packets: Number of DHCP boot request packets (Op = BOOTREQUEST) received on the interface.
BootReply Packets: Number of DHCP boot reply packets (Op = BOOTREPLY) received on the interface.
TX: Total number of DHCP packets sent on the interface.
BootRequest Packets: Number of DHCP boot request packets (Op = BOOTREQUEST) sent on the interface.
No-Relay
Description
Lists the following counters for packets dropped on the interface:
Invalid BOOTP Port: Number of packets dropped because they had UDP destination port 68 (BOOTPC).
Invalid IP/UDP Len: Number of packets dropped because the IP or UDP length of the packet was shorter than the minimum required length for DHCP headers.
Invalid DHCP Oper: Number of packets dropped because the Op field in the packet header did not contain BOOTREQUEST or BOOTREPLY.
Exceeded DHCP Hops: Number of packets dropped because the number in the Hops field was higher than 16.
Invalid Dest IP: Number of packets dropped because the destination was invalid for relay.
Exceeded TTL: Number of packets dropped because the TTL value was too low (less than or equal to 1).
No Route to Dest: Number of packets dropped because the relay agent (AX device) did not have a valid forwarding entry towards the destination.
Dest Processing Err: Number of packets dropped because the relay agent experienced an error in sending the packet towards the destination.
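The header-level drop checks listed above can be modelled as a small classifier that names the counter a given packet would increment. This is an added example, not A10 code: the function names, the order of the checks and the 236-byte minimum (the fixed BOOTP header from RFC 951) are assumptions, and the counters that depend on forwarding state (Invalid Dest IP, No Route to Dest, Dest Processing Err) are left out.

```python
import struct
from collections import Counter

BOOTREQUEST, BOOTREPLY = 1, 2   # BOOTP Op codes (RFC 951)
BOOTPC_PORT = 68                # client port; the page lists it as an invalid destination
MAX_HOPS = 16                   # page: dropped when Hops is higher than 16
UDP_HDR_LEN = 8
# Assumption: the "minimum required length" is taken to be the 236-byte fixed
# BOOTP header (op through file, RFC 951). The page does not give the number.
BOOTP_FIXED_LEN = 236


def classify_relay_drop(ttl, udp_dport, udp_len, payload):
    """Return the drop-counter name for a packet, or None if it passes.

    Only the header-level checks are modelled; their order is an assumption.
    """
    if udp_dport == BOOTPC_PORT:
        return "Invalid BOOTP Port"
    # Check the declared UDP length and the bytes actually present.
    if udp_len < UDP_HDR_LEN + BOOTP_FIXED_LEN or len(payload) < BOOTP_FIXED_LEN:
        return "Invalid IP/UDP Len"
    op, _htype, _hlen, hops = struct.unpack_from("!BBBB", payload, 0)
    if op not in (BOOTREQUEST, BOOTREPLY):
        return "Invalid DHCP Oper"
    if hops > MAX_HOPS:
        return "Exceeded DHCP Hops"
    if ttl <= 1:
        return "Exceeded TTL"
    return None


def tally_drops(packets):
    """Count drops per counter name, as the Drops section reports them."""
    counts = Counter()
    for ttl, dport, udp_len, payload in packets:
        reason = classify_relay_drop(ttl, dport, udp_len, payload)
        if reason is not None:
            counts[reason] += 1
    return counts


def bootp(op, hops):
    """Build a constructed BOOTP header: op, htype=1, hlen=6, hops, rest zeroed."""
    return struct.pack("!BBBB", op, 1, 6, hops) + bytes(BOOTP_FIXED_LEN - 4)


FULL = UDP_HDR_LEN + BOOTP_FIXED_LEN
# Constructed sample input: (IP TTL, UDP dest port, UDP length, UDP payload)
SAMPLE_PACKETS = [
    (64, 67, FULL, bootp(BOOTREQUEST, 0)),         # passes
    (64, 67, FULL, bootp(BOOTREQUEST, 16)),        # passes: 16 is not higher than 16
    (64, 68, FULL, bootp(BOOTREPLY, 0)),           # addressed to BOOTPC
    (64, 67, 20, b"\x01\x01\x06\x00" + bytes(8)),  # truncated header
    (64, 67, FULL, bootp(3, 0)),                   # Op is neither request nor reply
    (64, 67, FULL, bootp(BOOTREQUEST, 17)),        # too many relay hops
    (1, 67, FULL, bootp(BOOTREQUEST, 0)),          # TTL would expire at the relay
]

if __name__ == "__main__":
    for name, n in sorted(tally_drops(SAMPLE_PACKETS).items()):
        print(f"{name:<20}: {n}")
```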
show ip interfaces
Description
Display IP interfaces.
show ip interfaces
[ethernet port-num] |
[ve ve-num] |
[loopback lb-num] |
[management]
Mode
Example
show ip nat
Description
Syntax
Description
alg pptp
statistics
interfaces
pool
[pool-name]
[statistics]
pool-group
[pool-groupname]
range-list
range-name
static-binding
[ipaddr] |
[statistics
[ipaddr]]
statistics
translations
Mode
Example
Example
Example
In the show ip nat pool statistics output, the Address column lists the
source addresses that are bound to NAT addresses. The Port Usage column
indicates how many sessions are currently being NATted for each address.
Each session counted here uses a unique TCP or UDP protocol port. ICMP
traffic does not cause this counter to increment.
The Total Used column indicates the total number of sessions that have
been NATted for the source address. The Total Freed column indicates how
many NATted sessions have been terminated, thus freeing up a port for
another session.
The following command displays statistics for static source NAT bindings:
                 Port Usage    Total Used    Total Freed
------------------------------------------------------------------------------
30.30.31.35      1727          329756        328029
30.30.31.36      1799          343950        342151
30.30.31.37      1793          346257        344464
30.30.31.38      1829          232605        230776
30.30.31.39      1738          241147        240937
30.30.31.40      1774          286022        284248
Example
ethernet3
Misses: 0
Inbound
Inbound
Dynamic mappings:
-- Inside Source
access-list 1 pool p2
start 192.168.217.200 end 192.168.217.200
total addresses 1, allocated 0, misses 0
Example
TCP
UDP
ICMP
-----------------------60
300
300
fast
In this example, the output indicates that fast aging is used for IP NATted
ICMP sessions, and for IP NATted DNS sessions on port 53.
The message at the bottom of the display indicates that the fast aging setting
(SLB MSL timeout) will be used for IP NATted UDP sessions on port 53. If
the message is not shown in the output, then the timeout shown under
UDP will be used instead.
10
Call Creation
Failure
Truncated PNS
Message
Truncated PAC
Message
Mismatched
PNS Call ID
Mismatched
PAC Call ID
Retransmitted
PAC Message
Truncated GRE
Packets
Unknown GRE
Packets
No Matching
Session Drops
Description
Current call attempts, counted by inspecting the TCP control
session. This counter will decrease once the first GRE packet
arrives.
Number of times a call could not be set up because the AX
device ran out of memory or other system resources.
Number of runt TCP PPTP messages received from clients.
Number of runt TCP PPTP messages received from servers.
Number of calls that were disconnected because the GRE
session had the wrong Call ID.
Number of calls that were disconnected because they had the
wrong Call ID.
Number of TCP packets retransmitted from PAC servers.
Number of runt GRE packets received by the AX device.
Number of GRE packets that were not used for PPTP and
were dropped.
Number of GRE PPTP packets sent with no current call.
Description
full-cone-sessions
statistics
user-quota-sessions
Mode
Example
AX(config)#end
AX#show class-list list1
Name: list1
Total single IP: 0
Total IP subnet: 2
Content:
192.168.1.0 /24 lsn-lid 2
192.168.0.0 /16 lsn-lid 1
AX#show ip nat lsn full-cone-sessions
LSN Full Cone Sessions:
Prot  Inside Address        NAT Address        Conns  Pool   CPU  Age
--------------------------------------------------------------------------------
UDP   1.0.208.99:1105       6.6.0.158:1345     1      pool1  1    0
UDP   1.4.144.150:1093      6.6.0.140:31573    1      pool1  4    0
UDP   1.0.167.140:1117      6.6.0.145:12277    1      pool1  13   0
Table 39 describes the fields in the show ip nat lsn pool-statistics output.
TABLE 39 show ip nat lsn pool-statistics fields
Field          Description
Address        NAT (global) IP address.
Users          Number of inside IP addresses currently using the NAT IP address.
ICMP           Number of ICMP identifiers currently in use.
Freed (ICMP)   Total number of ICMP identifiers freed.
Total (ICMP)   Total number of ICMP identifiers allocated.
UDP
Freed (UDP)
Total (UDP)
Rsvd (UDP)
TCP
Description
Total number of TCP ports freed.
Total number of TCP ports allocated.
Rsvd (TCP)
Syntax
Description
process-id
tag
Mode
Example
AX#show ip ospf 0
Routing Process "ospf 0" with ID 1.1.1.1
Process uptime is 3 hours 12 minutes
Process bound to VRF default
Conforms to RFC2328, and RFC1583 Compatibility flag is disabled
Supports only single TOS(TOS0) routes
Supports opaque LSA
Supports Graceful Restart
This router is an ASBR (injecting external routing information)
SPF schedule delay min 0.500 secs, SPF schedule delay max 50.0 secs
Refresh timer 10 secs
Number of incoming current DD exchange neighbors 0/5
Syntax
Mode
Example
The following command shows route information for ABRs and ASBRs:
The options are different for OSPFv3. See show ipv6 ospf database on
page 614.
Description
adv-router
ipaddr
asbr-summary
max-age
self-originate
external
network
nssa-external
opaque-area
opaque-as
opaque-link
router
summary
ipaddr
adv-router
ipaddr
self-originate
Mode
Example
ADV Router      Age   Seq#        CkSum   Link count
1.1.1.1         1105  0x800000c9  0xcb72  2
2.2.2.2         638   0x80000008  0xdb92  2
3.3.3.3         1998  0x800000cb  0x47c1  2
4.4.4.4         1717  0x800000f6  0xe1d2  3

ADV Router      Age   Seq#        CkSum
3.3.3.3         1998  0x80000006  0xec1b
3.3.3.3         203   0x80000005  0x14ef
4.4.4.4         1717  0x80000006  0xbf3c
4.4.4.4         1962  0x80000004  0xf207

ADV Router      Age   Seq#        CkSum   Route
3.3.3.3         1998  0x800000a3  0x99ed  0.0.0.0/0

ADV Router      Age   Seq#        CkSum   Route            Tag
1.1.1.1         1105  0x8000008e  0x942a  E2 1.0.100.1/32  0
Description
external
grace
inter-prefix
inter-router
intra-prefix
links
network
router
Mode
ADV Router      Age   Seq#        CkSum   Prefix
1.1.1.1         1121  0x8000008a  0xc927  1
3.3.3.3         1953  0x80000007  0x30cd  1

Link-LSA (Interface ve 2)
Link State ID   ADV Router      Age   Seq#        CkSum   Prefix
0.0.0.50        1.1.1.1         1121  0x80000096  0x08d8  1
0.0.0.8         4.4.4.4         1893  0x80000007  0xe638  1

ADV Router      Age   Seq#        CkSum   Link
1.1.1.1         1114  0x800000b1  0xcafa  2
2.2.2.2         904   0x800000ab  0x61a6  2
3.3.3.3         1953  0x80000094  0xe52a  2
4.4.4.4         1893  0x800000a8  0x846b  2

ADV Router      Age   Seq#        CkSum
3.3.3.3         1953  0x80000006  0xd40b
3.3.3.3         179   0x80000005  0xfedc
4.4.4.4         1893  0x80000006  0xd8fe
4.4.4.4         124   0x80000005  0x03d0

ADV Router      Age   Seq#        CkSum   Prefix  Reference
3.3.3.3         1953  0x80000006  0x9cb3  1       Network-LSA
3.3.3.3         179   0x80000005  0x90ba  1       Network-LSA
4.4.4.4         1893  0x80000006  0xec58  1       Network-LSA
4.4.4.4         124   0x80000005  0xe05f  1       Network-LSA
Mode
Example
Mode
Example
Syntax
Note:
Parameter
Description
process-id
tag
Includes neighbors whose status is Down. Without this option, down neighbors are not included
in the output.
detail [all]
interface
ipaddr
Mode
State     Dead Time  Address    Interface  Instance ID
Full/DR   00:00:31   10.0.0.1   ve 1       0
Full/DR   00:00:30   13.0.0.2   ve 2       0
Syntax
The bgp, isis, and kernel options are not applicable to the current release
and are not supported.
Parameter
Description
process-id
connected
floating-ip
ip-nat
ip-nat-list
ospf
[process-id]
rip
static
vip
Mode
Usage
Syntax
Description
process-id
tag
Mode
Example
Description
tag
area area-id
Mode
Example
Interface
ve
ve
ve
ve
1
2
1
2
Mode
Description
process-id
tag
show ip rip
Description
Syntax
show ip rip
Mode
Example
AX#show ip rip
Codes: R - RIP, C - connected, S - Static, O - OSPF, B - BGP
Sub-codes:
(n) - normal, (s) - static, (d) - default, (r) - redistribute,
(i) - interface
R*
R*
Network
192.168.10.0/24
192.168.20.0/24
Next Hop
Metric From
[120/2] via 192.168.10.1
00:12:42
[120/2] via 192.168.10.1
00:12:42
Tag Time
ethernet4
ethernet4
The asterisk following R indicates that the route is the Forwarding Information Base (FIB) next hop.
show ip route
Description
Syntax
show ip route
[all | mgmt | ospf | rip | summary
ipaddr [subnet-mask | /mask-length]]
Description
all
mgmt
ospf
rip
summary
ipaddr
[subnet-mask |
/mask-length]
Mode
Usage
table only.
The total number of routes listed by the output differs depending on the
command you use. For example, the total number of routes listed by the
show ip route command includes only data routes, whereas the total number of routes listed by the show ip route summary command includes data
routes and management routes.
Example
AX#show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF
S*
S*
C*
C*
Total
show ipv6
Description
Syntax
show ipv6
[
fib |
interfaces [ethernet portnum | ve ve-num |
loopback num | management] |
nat v6v4 [fragmentation] statistics |
ndisc router-advertisement
{ethernet portnum | ve ve-num | statistics} |
neighbor [ipaddr] |
route |
traffic
]
Option
fib
interfaces
[ethernet
portnum |
ve ve-num |
loopback num |
management]
Description
Shows the IPv6 Forwarding Information Base
(FIB).
nat v6v4
[fragmentation]
statistics
Shows statistics for IPv6-IPv4 translation.
ndisc router-advertisement
{ethernet
portnum |
ve ve-num |
statistics}
neighbor
[ipaddr]
Mode
route
traffic
Example
Example
Traffic Type     Received   Sent
--------------------------------------
Neigh Solicit    2          0
Neigh Adverts    2          2
Echo Request     0          0
Echo Replies     5          0
Errors           0          0
Enabled
200
150
Disabled
Reachable Time:
Retransmit Timer:
255
Default Lifetime:
200
None
Prefix 1:
Prefix:
2001:a::/96
On-Link:
True
2001:32::/64
On-Link:
True
1320
880
R.S. Truncated:
The error counters apply to router solicitations (R.S.) that are dropped by
the AX device.
The Src Link-Layer Option and Unspecified Address counter indicates the
number of times the AX device received a router solicitation with source
address :: (unspecified IPv6 address) and with the source link-layer
(MAC address) option set.
Note: In the current release, the AX device does not drop ICMPv6 packets that
have bad (invalid) checksums.
show key-chain
Description
Syntax
Mode
Description
name
key num
The following example shows the configuration commands for a key chain
named example_chain:
show lid
Description
Syntax
Mode
Example
AX#show lid
lid 1
conn-limit 100
conn-rate-limit 100 per 10
request-limit 1
request-rate-limit 10 per 10
over-limit-action reset log 1
lid 2
conn-limit 20000
conn-rate-limit 2000 per 10
request-limit 200
request-rate-limit 200 per 1
over-limit-action reset log 3
lid 30
conn-limit 10000
conn-rate-limit 1000 per 1
over-limit-action forward log
Example
AX#show lid 1
lid 1
conn-limit 100
show locale
Description
Syntax
show locale
Mode
Example
AX#show locale
en_US.UTF-8
show log
Description
Display entries in the syslog buffer or display current log settings (policy).
Log entries are listed starting with the most recent entry on top.
Syntax
Description
length num
policy
Mode
Example
Example
disable
disable
debugging
debugging
AX#show log
Log Buffer: 30000
Jan 17 11:32:02 Warning A10LB HTTP request has p-conn
Jan 17 11:31:01 Notice The session [1] is closed
Jan 17 11:31:00 Info Load libraries in 0.044 secs
Jan 17 11:26:19 Warning A10LB HTTP request has p-conn
Jan 17 11:26:19 Warning A10LB HTTP response not beginning of header: m counterType="1" hourlyCount="2396" dailyCount="16295" weeklyCount="16295" monthly
Jan 17 11:16:18 Warning A10LB HTTP request has p-conn
Jan 17 11:16:01 Notice The session [1] is closed
Jan 17 11:16:00 Info Load libraries in 0.055 secs
Jan 17 11:15:22 Warning A10LB HTTP request has p-conn
Jan 17 11:15:03 Notice The session [1] is closed
Jan 17 11:14:33 Warning A10LB HTTP request has p-conn
Jan 17 11:14:07 Warning A10LB HTTP request has p-conn
Jan 17 11:13:23 Warning A10LB HTTP request has p-conn
Jan 17 11:12:47 Info Load libraries in 0.047 secs
Jan 17 11:12:47 Notice The session for user admin from 192.168.1.166 is opened. Session ID is [4]
Jan 17 11:09:28 Warning A10LB HTTP request has p-conn
Jan 17 11:09:18 Warning A10LB HTTP response not beginning of header: 5a8^M
p; ^M Korn shell programming
la
Jan 17 11:01:04 Warning A10LB HTTP request has p-conn
--MORE--
show mac-address-table
Description
Syntax
Description
macaddr
port port-num
Mode
Example
The following command displays the MAC table entry for MAC address
0013.72E3.C773:
Description
Total number of active MAC entries in the table. An active
entry is one that has not aged out.
Number of seconds a dynamic (learned) MAC entry can
remain unused before it is removed from the table.
MAC address of the entry.
Ethernet port through which the MAC address is reached.
Indicates whether the entry is dynamic or static.
The MAC entry's position in the MAC table.
VLAN the MAC address is on.
Number of seconds since the entry was last used.
show management
Description
Syntax
show management
Mode
Usage
AX#show management
        PING  SSH   Telnet  HTTP  HTTPS  SNMP  ACL
-------------------------------------------------------
mgmt    on    on    off     on    on     on
1       on    off   off     off   off    off
2       on    off   on      off   off    off
3       on    off   on      off   off    off
4       on    off   on      off   off    off
5       on    off   on      off   off    off
6       on    off   on      off   off    off
7       on    off   on      off   off    off
9       on    off   on      off   off    off
10      on    off   on      off   off    off   3
ve1     on    off   on      on    off    off
ve2     on    off   on      off   off    off   -
show memory
Description
Syntax
Description
cache
system
Mode
Example
Example
The following command shows memory usage for individual system modules:
AX#show memory
         Total(KB)   Used      Free     Usage
----------------------------------------------------
Memory:  2070368     1222016   848352   59.0%
1204
759
53
25
10
1
8
163840
163840
320
160
80
40
40
N2 memory:
Object size(byte)    Allocated(#)    Max(#)
----------------------------------------------------------------
96                   1               10240
224                  0               10240
480                  0               10240
992                  2000            10240
2016                 1512            10240
SSL memory:
Object size(byte)    Allocated(#)    Max(#)
----------------------------------------------------------------
48                   2786            10240
112                  72              10240
240                  81              10240
--MORE--
show mirror
Description
Syntax
Mode
Example
AX#show mirror
Mirror Port : 4
Port monitored at ingress : 2
Port monitored at egress : 2
Description
Port to which the traffic is copied. This is the port to which
the protocol analyzer should be attached.
Port(s) whose inbound traffic is copied to the monitor port.
Port(s) whose outbound traffic is copied to the monitor port.
show monitor
Description
Syntax
show monitor
Mode
Example
The following commands set the event threshold for data CPU utilization to
80% and verify the result:
AX(config)#monitor data-cpu 80
AX(config)#show monitor
Current system monitoring threshold:
Hard disk usage: 85
Memory usage: 95
90
80
IO Buffer usage: 60000
Buffer Drop: 100
Warning Temperature: 68
show ntp
Description
Syntax
Description
servers
status
Shows whether the AX Series device is synchronized with the NTP server.
Mode
Example
The following command shows the NTP configuration and the synchronization status:
Sync Interval
Status
Example
Description
IP address of the NTP server.
The asterisk ( * ) in front of the address indicates that the
AX Series device is synchronized with the NTP server. If
there is no asterisk, the device is not synchronized with the
NTP server.
Number of minutes between each synchronization with the
NTP server.
Indicates whether NTP is enabled.
show partition
Description
Syntax
show partition
Mode
Usage
To use this command, you must be logged in with an admin account that has
Root, Read-write, or Read-only privileges. (See show admin on page 536
for descriptions of the admin privilege levels.)
Example
AX(config)#show partition
Max Number allowed: 128
Total Number of partitions configured: 2
Partition Name        # of Admins
------------------------------------------------------
companyA              32
companyB              32
Description
Maximum number of partitions the AX device can have.
Total number of partitions the AX device currently has.
show pbslb
Description
Syntax
Description
Shows information for virtual servers.
name
system
virtual-server
virtual-servername
[port port-num
service-type]
Shows statistics for IP limiting on the specified
virtual server.
Mode
Example
AX#show pbslb
Total number of PBSLB configured: 1
Virtual server  Port  Blacklist/whitelist  GID  Connection # (Establish Reset Drop)
------------------------------------------------------------------------------
PBSLB_VS1       80    sample-bwlist        2    0  0  0
                                           4    0  0  0
Description
Number of black/white lists imported onto the AX Series
device.
SLB virtual server to which the black/white list is bound.
Example
Description
Protocol port.
Name of the black/white list.
Group ID.
Number of client connections established to the group and
protocol port.
Number of client connections to the group and protocol port
that were reset.
Number of client connections to the group and protocol port
that were dropped.
show process
Description
Syntax
Mode
Usage
Example
show reboot
Description
Syntax
Mode
Example
AX#show reboot
Reboot scheduled for 04:20:00 PST Sun Apr 20 2008 (in 63 hours and 16 minutes)
by admin on 192.168.1.144
Reboot reason: Outlook_upgrade
show router
Description
Syntax
Show the OSPF or RIP configuration commands that are in the running-config.
show router {ospf | rip}
Mode
Example
Syntax
nsm [file-num]
ospf6d
[file-num]
ospfd
[file-num]
Mode
Description
Any
show running-config
Description
Syntax
show running-config
[
ha |
health-monitor [name]
[all-partitions | partition partition-name] |
interfaces [ethernet [portnum] | ve [num] |
loopback [num] | management |
slb [server [name] | service-group [name] |
virtual-server [name]]
[all-partitions | partition partition-name] |
vlan [vlan-id] |
all-partitions |
partition partition-name
]
Description
Shows High Availability configuration commands in the running-config.
ha
health-monitor
[name]
[all-partitions
| partition
partition-name] Shows health-monitor configuration commands
in the running-config.
To display the health monitors for a specific
RBA partition, use the partition partition-name
option.
slb
[server [name]
| service-group
[name] |
virtual-server
[name]]
[all-partitions
| partition
partition-name] Shows SLB server, service-group, and virtual-server configuration commands in the running-config.
To display the health monitors for a specific
RBA partition, use the partition partition-name
option.
vlan [vlan-id]
all-partitions
partition
partition-name
Mode
Usage
AX#show running-config
!Current configuration : 10577 bytes
!Configuration last updated at 18:01:01 PST Mon Jan 21 2008
!Configuration last saved at 15:09:41 PST Mon Jan 21 2008
!version 1.2.0
!
hostname AX2K-B
!
clock timezone America/Tijuana
!
!
!
vlan 10
untagged ethernet 1
router-interface ve 10
!
vlan 11
untagged ethernet 2
router-interface ve 11
!
vlan 20
tagged ethernet 4
router-interface ve 20
--MORE--
show session
Description
Description
Displays summary statistics for all session types.
brief
filter
filter-name |
config
ipv4 [addrsuboptions]
Displays information for IPv4 sessions. The following address suboptions are supported:
source-addr ipaddr [{subnet-mask | /mask-length}]: Displays IPv4 sessions that have the specified source IP address.
source-port port-num: Displays IPv4 sessions that have the specified source protocol port number, 1-65535.
dest-addr ipaddr [{subnet-mask | /mask-length}]: Displays IPv4 sessions that have the specified destination IP address.
dest-port port-num: Displays IPv4 sessions that have the specified destination protocol port number, 1-65535.
You can use one or more of the suboptions, in the order listed above. For example, if the first suboption you enter is dest-addr, the only additional suboption you can specify is dest-port.
ipv4v6 [addrsuboptions]
Displays information for IPv6 sessions. The following address suboptions are supported:
source-addr ipv6addr/mask-length: Displays sessions that have the specified IPv6 source IP address.
source-port port-num: Displays IPv6 sessions that have the specified source protocol port number, 1-65535.
dest-addr ipv6addr/mask-length: Displays sessions that have the specified IPv6 destination IP address.
dest-port port-num: Displays IPv6 sessions that have the specified destination protocol port number, 1-65535.
You can use one or more of the suboptions, in the order listed above. For example, if the first suboption you enter is dest-addr, the only additional suboption you can specify is dest-port.
persist
[persistencetype [addrsuboptions]]
Mode
Usage
For convenience, you can save session display options as a session filter.
(See session-filter on page 146.)
Example
Description
Number of established TCP sessions.
Number of half-open TCP sessions. A half-open session is one for which the AX Series device has not yet received a SYN ACK from the backend server.
UDP: Number of UDP sessions.
Non TCP/UDP IP sessions: Number of IP sessions other than TCP or UDP sessions. This counter applies specifically to IP protocol load balancing. (See the IP Protocol Load Balancing chapter in the AX Series Configuration Guide.)
Other: Number of internally used sessions. As an example, internal sessions are used to hold fragmentation information.
Reverse NAT TCP: Number of reverse-NAT TCP sessions.
Reverse NAT UDP: Number of reverse-NAT UDP sessions.
Free Buff Count: Number of IO buffers currently available.
Curr Free Conn: Number of Layer 4 sessions currently available.
Conn Count: Number of connections.
Conn Freed: Number of connections freed after use.
TCP SYN Half Open: Number of half-open TCP sessions. These are sessions that are half-open from the client's perspective.
Conn SMP Alloc, Conn SMP Free, Conn SMP Aged: Statistics used by A10 Technical Support.
Prot: Transport protocol.
Forward Source: Client IP address when connecting to a VIP.
Note: For DNS sessions, the client's DNS transaction ID is shown instead of a protocol port number.
Forward Dest: VIP to which the client is connected.
Reverse Source: Real server's IP address.
Note: If the AX device is functioning as a cache server (RAM caching), asterisks ( * ) in this field and the Reverse Dest field indicate that the AX device directly served the requested content to the client from the AX RAM cache. In this case, the session is actually between the client and the AX device rather than the real server.
Description
IP address to which the real server responds.
If source NAT is used for the virtual port, this address is
the source NAT address used by AX device when connecting to the real server.
Age
Example
The following command displays the IPv4 session for a specific source IP
address:
Example
show shutdown
Description
Syntax
show shutdown
Mode
Example
AX#show shutdown
Shutdown scheduled for 12:00:00 PST Sat Jan 19 2008 (in 358 hours and 23 minutes) by admin on 192.168.1.144
Shutdown reason: Scheduled shutdown
show sip
Description
Syntax
show sip
Mode
Example
AX#show sip
8
12
4
99
12
32
0
show slb
Description
show smtp
Description
Syntax
Mode
Example
AX#show smtp
SMTP server address: 192.168.1.99
show startup-config
Description
Display a configuration profile or display a list of all the locally saved configuration profiles.
Syntax
show startup-config [all | profile-name] [cf]
[all-partitions | partition partition-name]
Mode
Privileged EXEC and all Config levels
Option
Description
all
profile-name
cf
Displays the configuration profile in the specified image area (primary or secondary) on the
compact flash rather than the hard disk. If you
omit this option, the configuration profile in the
specified area on the hard disk is displayed.
If the all option is also used, the cf option displays all the configuration profiles stored on the
compact flash.
all-partitions
partition
partition-name
Usage
Example
AX#show startup-config
Building configuration...
!Current configuration: 10580 bytes
!Configuration last updated at 15:01:01 PST Mon Jan 21 2008
!Configuration last saved at 15:09:41 PST Mon Jan 21 2008
!version 1.2.0
!
hostname AX2K-B
!
clock timezone America/Tijuana
!
!
!
vlan 10
untagged ethernet 1
router-interface ve 10
!
vlan 11
untagged ethernet 2
router-interface ve 11
!
vlan 20
--MORE--
Example
show statistics
Description
Syntax
Mode
Example
The following command shows brief statistics for all Ethernet interfaces on
an AX Series device:
AX#show statistics
Port   Good Rcv   Good Sent   Bcast Rcv   Bcast Sent   Errors
---------------------------------------------------------------------------
1      3026787    3013699     91573       154220       0
2      0          0           0           0            0
3      0          0           0           0            0
...
XAUI   3171070    3118342
Note:
Example
275613
216063
6926
477802
5573
0
0
0
477802
0
OutPkts
OutOctets
OutBroadcastPkts
OutMulticastPkts
OutBadPkts
Collisions
InAlignErr
InOverErr
427659
323788182
62389
359729
0
0
0
0
0
InCrcErr
0
InMissErr
0
InShortLenErr
0
OutCarrierErr
0 OutLateCollisions
0
OutFlowCtrlXon
0
OutFlowCtrlXoff
0
15
OutUtilization
0
48
0
0
0
0
0
0
show switch
Description
Syntax
Usage
Syntax
Mode
Usage
Example
show tacacs-server
Description
Syntax
Mode
Example
0
0
0
0
0
0
0
0
show techsupport
Description
Syntax
show techsupport
[export [use-mgmt-port] url]
[page]
Description
export [use-mgmt-port] url
Exports the output to a remote server. The url specifies the file transfer protocol, username (if required), and directory path.
You can enter the entire URL on the command line or press Enter to display a prompt for each part of the URL. If you enter the entire URL and a password is required, you will still be prompted for the password. To enter the entire URL:
tftp://host/file
ftp://[user@]host[:port]/file
scp://[user@]host/file
rcp://[user@]host/file
page
Shows the information page by page. Without this option, all the command's output is sent to the terminal at once.
Mode
show terminal
Description
Syntax
Mode
Example
AX#show terminal
Idle-timeout is 00:10:00
Length: 24 lines, Width: 80 columns
Editing is enabled
History is enabled, history size is 256
Auto size is enabled
Terminal monitor is off
show tftp
Description
Syntax
show tftp
Mode
All
Example
show trunk
Description
Syntax
Description
num
Trunk number
Mode
Example
AX#show trunk 1
Trunk ID : 1
Trunk Status : Up
Member Count: 8
Members
: 1
Cfg Status
Oper Status
: Up
Ports-Threshold
Working Lead
: 6
: 1
2
Up
3
Up
4
Up
Up
Up
7
Up
8
Up
Description
ID assigned to the trunk by the admin who configured it.
Number of ports in the trunk.
Indicates whether the trunk is up.
Port numbers in the trunk.
Configuration status of the port.
Timer
Running
Working Lead
Description
Operational status of the port.
Indicates the minimum number of ports that must be up in
order for the trunk to remain up.
If the number of up ports falls below the configured threshold, the AX automatically disables the trunk's member ports.
The ports are disabled in the running-config. The AX device
also generates a log message and an SNMP trap, if these services are enabled.
Indicates how many seconds the AX device waits after a port
goes down before marking the trunk down, if the ports
threshold is exceeded.
Indicates whether the ports-threshold timer is currently running. When the timer is running, a port has gone down but
the state change has not yet been applied to the trunk's state.
Port number used for responding to ARP requests and for
Layer 2 processing.
Note: If the lead port number shown is 0, the trunk interface
is down.
show version
Description
Syntax
Mode
Example
AX#show version
AX Series Advanced Traffic Manager AX2600
Copyright 2007-2010 by A10 Networks, Inc. All A10 Networks products are
protected by one or more of the following US patents and patents pending:
7716378, 7675854, 7647635, 7552126, 20090049537, 20080229418, 20080040789,
20070283429, 20070271598, 20070180101
Advanced Core OS (ACOS) version 2.4.3-P1, build 9 (Jun-17-2010,12:06)
Booted from NFS
Serial Number: AX22101107430012
Firmware version 7.11
aFleX version: 2.0.0
Last configuration saved at Jun-18-2010, 18:36
Hardware: 4 CPUs(Stepping 6), Dual 70G Hard disks
Memory 2074 Mbyte, Free Memory 937 Mbyte
Current time is Jun-21-2010, 19:30
The system has been up 3 days, 20 hours, 15 minutes
show vlans
Description
Syntax
Mode
Example
AX#show vlans
Total VLANs: 2
VLAN 1:
  Untagged Ports:  2  3  4  5  6  7  8  9
                   10 11 12 13 14 15 17 18
                   19 20
  Tagged Ports:    None
VLAN 199:
  Untagged Ports:  1 16
  Tagged Ports:    None
show web-service
Description
Syntax
show web-service
Mode
Example
The following command shows the settings for access to the management
GUI on an AX Series device:
AX#show web-service
AX Web server:
  Idle time:        10 minutes
  Http port:        80
  Https port:       443
  Auto redirect:    Enabled
  Https:            Enabled
  aXAPI Idle time:  5 minutes
Description
Number of minutes a web management session can remain
idle before the AX device terminates the session.
HTTP port number on which the AX device listens for connections to the management GUI.
HTTPS port number on which the AX device listens for connections to the management GUI.
Indicates whether requests for the HTTP port are automatically redirected to the HTTPS port.
State of the HTTPS port on the AX device.
Number of minutes an aXAPI session can remain idle before
being terminated. Once the aXAPI session is terminated, the
session ID generated by the AX device for the session is no
longer valid.
Note:
Syntax
memory-usage
replacement
vip-name
port-num
stats
[vip-name
port-num]
Mode
Description
Lists RAM caching statistics by VIP. If you specify a VIP or port number, statistics are displayed
only for that VIP or port number.
If you do not use any of the optional parameters, RAM caching statistics are
displayed. This is equivalent to entering the show slb cache stats command.
Example
Description
Number of times a requested page was found in the cache
and served from the cache.
Number of times a requested page was not found in the
cache.
Amount of RAM currently used by cached content.
Content Too
Small
Srvr Resp Cont Len
Srvr Resp Chnk Enc
Srvr Resp 304 Status
Srvr Resp Other
Cache Resp No Comp
Description
Number of bytes served.
Number of objects currently in the cache.
Number of cached items that were removed to make room
for newer entries, per the replacement policy.
Number of entries that were removed because they are older
than their expiration time.
Number of cached objects that have aged out and therefore
been removed from the cache.
Total number of requests received on all virtual server ports
on which caching is configured.
Number of requests that are potentially cacheable.
Number of requests with no-cache header directives.
Number of responses with no-cache header directives.
Number of requests that contained an If-Modified-Since
header.
Number of 304 Not Modified responses sent to clients.
Number of entries that were successfully revalidated by the
server.
Number of times revalidation failed.
Number of times requested content was not cached due to a
URI policy.
Number of times a request was cached due to a URI policy.
Number of times a request was invalidated due to a URI policy.
Number of cacheable items that were not cached because the
file size was larger than the configured maximum content
size.
Number of cacheable items that were not cached because the
file size was smaller than the configured minimum content
size.
Number of responses that contained Content-Length headers.
Number of responses that were chunk encoded.
Number of responses that had status code 304.
Number of responses that were of other types.
Object is uncompressed.
Entry create
failures
Example
Description
Object was compressed using gzip. Gzip is an encoding format produced by the file compression program gzip (GNU
zip) as described in RFC 1952 (Lempel-Ziv coding [LZ77]
with a 32 bit CRC).
Object was compressed using deflate. Deflate is the zlib
format defined in RFC 1950 in combination with the
deflate compression mechanism described in RFC 1951.
Object was compressed using compress. Compress is the
encoding format produced by the common UNIX file compression program compress (adaptive Lempel-Ziv-Welch
coding [LZW]).
Counter used by A10 technical support for troubleshooting.
Description
Virtual port number on which RAM caching is enabled.
IP address of the content server.
URL from which the cached object was obtained by the AX
device.
Length of the cached object.
Description
Indicates whether the cached object has a Content-Length
header, is compressed, or is chunk-encoded.
The value after the comma indicates the type of compression used:
No - Object is uncompressed.
Gz - Object was compressed using gzip. Gzip is an encoding format produced by the file compression program gzip (GNU zip) as described in RFC 1952 (Lempel-Ziv coding [LZ77] with a 32 bit CRC).
Cm - Object was compressed using compress. Compress is the encoding format produced by the common UNIX file compression program compress (adaptive Lempel-Ziv-Welch coding [LZW]).
Status
Expires in
Example
Example
The output shows the distribution of requests for the cached entries. Entries
listed for 1/256 (one in 256 requests) are the least requested, whereas entries
listed for 128 are the most requested.
Mode
Example
Long resp
Missed resp
Unbound data
rcvd
Example
Description
Number of new client connections directed to the same
server as previous connections by the persistence feature.
Number of currently active connections that were sent to the
same real server by the persistence feature.
Total number of established connections to the backend
server.
Total number of terminated connections to the backend
server.
Total number of client persistent connections bound to the
backend server.
Total number of client persistent connections unbound from
the backend server.
Number of connections whose unbinding was delayed.
Note: In the current release, this counter is unused and is
always 0.
Number of responses that took too long.
Number of missed responses to HTTP requests.
Total
0
0
1787
1787
1277
2389
4
0
0
0
Syntax
Mode
Example
1000
Description
Number of sessions allocated.
Number of sessions freed.
Number of times too many sessions were consumed.
Description
Number of requests permitted because they were within the
connection limit.
Number of requests denied because they exceeded the connection limit.
Number of requests dropped because a client was locked out.
Number of log messages generated by this feature.
Number of re-transmitted DNS requests detected. These are
DNS requests for which no response was received by the AX
device.
Number of DNS requests for which no response was
received.
Syntax
Mode
Example
Description
Number of currently active connections using the fast-HTTP
proxy.
Total number of connections that have used the fast-HTTP
proxy.
Number of HTTP requests received by the fast-HTTP proxy.
Number of HTTP requests successfully fulfilled (by establishing a connection to a real server).
Number of proxy errors.
Number of times TCP connections with clients were reset.
Number of times TCP connections with servers were reset.
Number of tuple errors.
Number of times the HTTP parser failed to parse a received
HTTP request.
Number of times selection of a real server failed.
Number of forward request failures.
Number of forward request data failures.
Number of retransmitted requests.
Number of request packets received from clients out of
sequence.
Number of times initial selection of a real server for an
HTTP request failed (for example, due to a TCP Reset sent
by the server).
Number of times the connection with a server closed prematurely.
Number of connections made with servers.
Number of source NAT failures.
These counters show statistics for HTTP compression, in
bytes.
Syntax
Mode
Example
0
0
0
0
0
0
Description
Total number of FTP control sessions load-balanced by the
AX Series device.
Total number of Application Layer Gateway (ALG) packets.
Number of ALG packets that have been retransmitted.
Number of times an FTP control session could not be established because none of the real servers had available connections.
Total number of FTP data sessions load-balanced by the
AX Series device.
Number of times an FTP data session could not be established because none of the real servers had available connections.
Description
virtual-servername
Displays geo-location information for only the
specified virtual server.
port-num
bad-only
Specifies how many nodes within the geo-location data tree to display. For example, to display
only continent and country entries and hide individual state and city entries, specify depth 2. By
default, the full tree (all nodes) is displayed. You
can specify 1-5.
id group-id
ip ipaddr
location
location-name
statistics
Mode
Usage
Some options can be combined on the same command line. See the CLI
help for information.
Syntax
Mode
Example
0
0
0
1791
0
1373117
404410
Description
Number of currently active HTTP connections using the
AX Series device as an HTTP proxy.
Total number of HTTP connections that have used the
AX Series device as an HTTP proxy.
Total number of HTTP requests received by the HTTP
proxy.
Number of HTTP requests received by the HTTP proxy that
were successfully fulfilled (by connection to a real server).
Number of proxy errors.
Number of times TCP connections with clients were reset.
Number of times TCP connections with servers were reset.
Number of tuple errors.
Number of times parsing of an HTTP request failed.
Number of times selection of a real server failed.
Number of forward request failures.
Number of forward request data failures.
Number of retransmitted requests.
Number of request packets received from clients out of
sequence.
Number of times a request was forwarded to another server
because the current server was failing.
Number of times the connection with a server closed prematurely.
Number of connections made with servers.
Number of source NAT failures.
These counters show statistics for HTTP compression, in
bytes.
Syntax
Mode
Usage
Hardware-based compression is available using an optional hardware module in the following models: AX 2100, AX 2200, AX 3100, and AX 3200.
If this command does not appear on your AX device, the device does not
contain a compression module.
Example
0
0
0
84
68
show slb l4
Description
Syntax
Mode
Example
AX#show slb l4
                          Total
-----------------------------------------------------------------
IP out noroute            0
TCP out RST               0
TCP out RST no SYN        0
TCP out RST L4 proxy      0
TCP out RST ACK attack    0
TCP out RST aFleX         0
TCP out RST stale sess    2
TCP out RST TCP proxy     1906748
TCP SYN received          17556
TCP SYN cookie snt        3276
TCP SYN cookie snt fail   0
TCP received              2014764
UDP received              0
Server sel failure        0
Source NAT failure        0
TCP SYN cookie failed     18
No vport drops            0
No SYN pkt drops          0
No SYN pkt drops - FIN    0
No SYN pkt drops - RST    0
No SYN pkt drops - ACK    0
Conn Limit drops          0
Conn Limit resets         0
Conn rate limit drops     0
Conn rate limit resets    0
Proxy no sock drops       0
aFleX drops               0
TCP Session aged out      0
UDP Session aged out      0
Other Session aged out    0
0
0
0
0
0
Description
Number of IP packets that could not be routed.
Number of TCP Resets sent.
Number of Resets sent for which there was no SYN.
Number of TCP Reset packets the AX device has sent as a
Layer 4 proxy.
Number of TCP Resets sent in response to a TCP ACK
attack.
Number of TCP Reset packets the AX device has sent due to
an aFleX policy.
Number of TCP Reset packets the AX device has sent due to
stale TCP sessions.
Number of TCP Reset packets the AX device has sent as a
TCP proxy.
Number of TCP SYN packets received.
Number of TCP SYN cookies sent.
Number of TCP SYN cookie send attempts that failed.
Number of TCP packets received.
Number of UDP packets received.
Number of times selection of a real server failed.
Number of times a source NAT failure occurred.
Number of times a TCP SYN cookie failure occurred.
Number of times traffic was dropped because the requested
virtual port was not available.
Number of SYN packets dropped.
Number of SYN packets dropped due to a TCP FIN.
Number of SYN packets dropped due to a TCP Reset.
Description
Number of SYN packets dropped due to an ACK.
Number of connections dropped because the server connection limit had been reached.
Number of connections reset because the server connection
limit had been reached.
Number of connections dropped by connection rate limiting.
Number of connections reset by connection rate limiting.
Number of packets dropped because the proxy did not have
an available socket.
Number of packets dropped due to an aFleX policy.
Number of TCP sessions that have aged out.
Number of UDP sessions that have aged out.
UDP no SLB
SYN Throttle
Inband HM retry
Inband HM reassign
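The counters described above are cumulative, so they are most useful when two captures are compared. The following Python code is an added example, not part of the A10 manual and not A10 code: it parses two show slb l4 captures and reports which security-relevant counters grew in between. The watch list, the 0.5 SYN-cookie ratio limit, the one-line "label value" layout and the second capture are assumptions of this example; the first capture reuses figures from the manual's sample output.

```python
import re

# Counters from the "show slb l4" field table worth alerting on when they
# increase between two polls. This selection is an assumption of the example.
WATCHED = (
    "TCP out RST ACK attack",
    "TCP SYN cookie failed",
    "TCP SYN cookie snt fail",
    "Conn Limit drops",
    "Conn rate limit drops",
    "No SYN pkt drops",
    "Server sel failure",
    "Source NAT failure",
)

# A counter line is a label followed by a single integer at end of line.
_LINE = re.compile(r"^(?P<name>\S.*?)\s+(?P<value>\d+)\s*$")


def parse_slb_l4(text):
    """Return {counter name: int} from 'show slb l4' output."""
    counters = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip the prompt line, the column header and the separator rule.
        if not line or line == "Total" or line.startswith(("AX#", "---")):
            continue
        match = _LINE.match(line)
        if match:
            counters[match.group("name")] = int(match.group("value"))
    return counters


def deltas(prev, curr):
    """Per-counter growth; a counter that went backwards (reload or
    cleared statistics) is treated as restarted from zero."""
    out = {}
    for name, value in curr.items():
        before = prev.get(name, 0)
        out[name] = value - before if value >= before else value
    return out


def syn_cookie_ratio(delta):
    """Share of newly received SYNs that were answered with a SYN cookie."""
    syn = delta.get("TCP SYN received", 0)
    return delta.get("TCP SYN cookie snt", 0) / syn if syn else 0.0


def findings(prev_text, curr_text, cookie_ratio_limit=0.5):
    """List (name, growth) for watched counters that increased, plus the
    SYN cookie ratio when it exceeds the (assumed) limit."""
    delta = deltas(parse_slb_l4(prev_text), parse_slb_l4(curr_text))
    hits = [(name, delta[name]) for name in WATCHED if delta.get(name, 0) > 0]
    ratio = syn_cookie_ratio(delta)
    if ratio > cookie_ratio_limit:
        hits.append(("SYN cookie ratio", round(ratio, 3)))
    return hits


# First capture: figures taken from the manual's sample output (subset).
SNAPSHOT_1 = """\
AX#show slb l4
                          Total
------------------------------------------------
TCP out RST ACK attack    0
TCP SYN received          17556
TCP SYN cookie snt        3276
TCP SYN cookie snt fail   0
TCP received              2014764
TCP SYN cookie failed     18
No SYN pkt drops - FIN    0
Conn rate limit drops     0
"""

# Second capture: constructed for this example, not real device output.
SNAPSHOT_2 = """\
AX#show slb l4
                          Total
------------------------------------------------
TCP out RST ACK attack    0
TCP SYN received          57556
TCP SYN cookie snt        35276
TCP SYN cookie snt fail   0
TCP received              2094764
TCP SYN cookie failed     418
No SYN pkt drops - FIN    0
Conn rate limit drops     120
"""

if __name__ == "__main__":
    for name, growth in findings(SNAPSHOT_1, SNAPSHOT_2):
        print(f"{name}: {growth}")
```
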
Example
The following command shows detailed Layer 4 SLB statistics for each data
processor (DP):
Display statistics for pass-through TCP sessions. A pass-through TCP session is one that is not terminated by the AX device (for example, a session
for which the AX device is not serving as a proxy for SLB).
Syntax
Mode
Example
10741
570272
Current connections:
Response packets:
Response bytes:
0
Total connections:
38195
56562872
4
Description
interval number Automatically refreshes the output at the specified interval. The interval can be 1-32 seconds.
If you omit this option, the output is shown one
time. If you use this option, the output is repeatedly refreshed at the specified interval until you
press ctrl+c.
l4cpi
l7cpi
l7tpi
natcpi
sslcpi
detail
Mode
Example
L4cpi
L7cpi
L7tpi
SSLcpi
Natcpi
Time
Description
Interval at which the statistics are refreshed.
Syntax
Example
URL hash persist(sec)
URL hash persist fail
SRC IP persist ok
SRC IP persist fail
SRC IP hash persist(pri)
SRC IP hash persist(sec)
SRC IP hash persist fail
DST IP persist ok
DST IP persist fail
DST IP hash persist(pri)
DST IP hash persist(sec)
DST IP hash persist fail
SSL SID persist ok
SSL SID persist fail
Cookie persist ok
Description
Number of requests successfully sent to the primary server
selected by URL hashing. The primary server is the one that
was initially selected and then re-used based on the hash
value.
Number of requests that were sent to another server (a secondary server) because the primary server selected by URL
hashing was unavailable.
Number of requests that could not be fulfilled using URL
hashing.
Number of requests successfully sent to the same server as
previous requests from the same client, based on source-IP
persistence.
Number of requests that could not be fulfilled by the same
server as previous requests from the same client, based on
source-IP persistence.
These fields are used by A10 Networks technical support for
troubleshooting.
Description
Number of requests that could not be fulfilled by the same
server as previous requests based on a persistence cookie.
Number of requests in which a persistence cookie was not
found in the request header.
Syntax
Mode
Example
Local log messages
Description
Total number of times log rate limiting has been used.
Total number of log messages generated by the AX device.
Note: The AX device combines repeated messages into a
single message. For this reason, the Total log times count
will differ from the Total log messages count.
Total number of log messages in the AX device's log buffer.
These messages can be displayed using the show log command.
Log-session alloc
Log-session free
Log-session alloc fail
No repeat message
Description
Total number of log messages the AX device has sent to
external log servers.
Number of messages sent to the AX device's log buffer during the most recent one-second interval.
Number of messages sent to external log servers during the
most recent one-second interval.
Number of log messages dropped by the AX device because
they were too long.
Number of log messages dropped by the AX device because
the device did not have a route to the log server.
Number of times the AX device was unable to allocate a buffer for sending a log message to an external log server.
Number of times the AX device was unable to send a log
message that had been placed in the buffer for sending to an
external log server.
Number of times the AX device allocated a log session for
repeated log messages.
Number of times the AX device freed a log session that was
allocated for repeated log messages.
Number of times the AX device was unable to allocate a log
session for repeated log messages.
Number of times there was no repeated message for a log
session allocated for repeated messages.
Description
server-name
[[port-num]
detail]
config
connection-reuse
Mode
Usage
Example
The following command shows SLB statistics for real server mhs001:
Description
Total number of services configured on the AX Series device
(if a server name is not specified) or on the specified server.
Real server name, service protocol port, and transport protocol (TCP or UDP).
Current number of connections to the service.
Total number of connections to the service.
Number of request packets received for the service.
Number of response packets sent on behalf of the real server.
Current state of the service:
Up
Down
Disabled
Rsp Time
Response time of the server.
dang1
1.1.1.1:80
Up
default
default
53
42
10011
20090
20089
36378463
378463
463784638
3784638
Description
Name of the server.
Real port number.
Current state of the service:
Up
Down
Port template
Health check
Current
connection
Current request
Disabled
Name of the real port template bound to the port.
Name of the health monitor used to check the health of the
real port.
Current number of connections to the port.
Current number of HTTP requests being processed by
the port.
Total
connection
Total request
Total request
success
Total forward
bytes
Note: In this field and the Total request and Total request
success fields, Layer 7 requests are counted only if Layer 7
request accounting is enabled. See slb enable-l7-req-acct
on page 285.
Total number of connections that have been made to the port.
Total number of HTTP requests processed by the port.
Total number of HTTP requests that were successful.
Number of request bytes forwarded to the port.
Description
Number of request packets forwarded to the port.
Number of request bytes received from the port.
Number of request packets received from the port.
s-test1
Hostname:
s1.test.com
State:
Up
Server template:
temp-server
16
Health check:
none
Current connection:
Current request:
Total connection:
1919
Total request:
1919
1877
546650
5715
919730
5631
DRS-10.4.2.5-s1.test.com
TTL:
4500
State:
Up
Server template:
test
15
1023
Health check:
none
Current request:
Total connection:
1919
Total request:
1919
1877
546650
5715
919730
5631
Example
202.218.147.129 None
202.218.147.129 None
Enable
Enable
1000000
1000000
1
1
win20:25/tcp
win20
172.22.66.20
172.22.66.20
Default
ping
Enable
Disable
1000000
1000000
1
1
win21:25/tcp
--MORE--
172.22.66.21
Default
Enable
1000000
Description
Total number of SLB services configured on the AX Series
device.
Real server name, service protocol port, and transport protocol (TCP or UDP).
Real IP address of the server.
Description
Health check enabled for the service:
None - No health check has been applied to the service.
Default - The default health monitor for the service type was automatically applied to the service by the AX Series device.
Status
Max conn
Wgt
Example
Disable
Maximum number of connections allowed to the service.
Administrative weight assigned to the service.
The following command shows connection-reuse state information and statistics for real servers:
Up
win20:25/tcp
Down
win21:25/tcp
win21:110/tcp
win21:80/tcp
win21:443/tcp
Up
Up
Up
Down
0
0
0
0
linux22:25/tcp
linux22:80/tcp
linux22:53/udp
Disb
Up
Disb
0
0
0
linux23:25/tcp
linux23:80/tcp
linux23:53/udp
Down
Down
Down
0
0
0
Description
Total number of SLB services configured on the AX Series
device.
Real server name, service protocol port, and transport protocol (TCP or UDP).
Current state of the service:
Up
Down
Persistent-Conn
Disabled
Number of connections sent to the server by the persistence
feature.
Description
group-name
config
Mode
Usage
To display service-group information for a specific Role-Based Administration (RBA) partition only, use the partition name option.
State: All Up
0
*test
20.29:22
State: All Up
0
Description
Total number of SLB service groups configured on the
AX Series device.
Name of the service group.
Indicates the state of the service group:
All Up - All service ports on all real servers in the service group are up.
Functional Up - Each service port number is up on at least one real server in the service group.
Partially Up - Some service ports are up but others are down.
Down - Either all the service ports are down, or some but not all of them are Disabled.
Current
Total
Req-p
Resp-p
Description
Name of the service group.
Indicates the state of the service group:
All Up - All service ports on all real servers in the service group are up.
Functional Up - Each service port number is up on at least one real server in the service group.
Partially Up - Some service ports are up but others are down.
Down - Either all the service ports are down, or some but not all of them are Disabled.
Service selection fail drop
Service selection fail reset
the server.
Total
requests
Total
connections
Response time
Total
requests succ
Example
Description
Service bound to the service group. Also indicates the state
of the service.
Total number of request packets received by the AX Series
device for the service.
Total number of server response packets sent to clients by
the AX Series device on behalf of real servers.
Total number of request bytes received by the AX Series
device for the service.
Total number of server response bytes sent to clients by the
AX Series device on behalf of real servers.
Current number of connections to the service.
Note: In this field and the Total Requests and Total requests
success fields, Layer 7 requests are counted only if Layer 7
request accounting is enabled. See slb enable-l7-req-acct
on page 285.
Total number of HTTP requests processed by the server.
Total number of connections to the service.
Server response time.
Total number of HTTP requests that were successful.
Priority: 1
Priority: 1
Description
Total number of SLB service groups configured on the
AX Series device.
Name of the service group.
Transport protocol used to reach the service, TCP or UDP.
Name of the health monitor assigned to the service group.
Load-balancing method used by the service group to select
real servers.
Number of real servers in the group.
Member number, assigned by the AX Series for use in this show command's output.
Priority assigned to the member when it was added to the
group.
Current
Total
Fwd-p
Rev-p
----------------------------------------------------------------------*sg-test
State: All Up
DRS-10.4.2.6-s2.test.com:80
DRS-10.4.2.5-s1.test.com:80
36
1919
5714
5631
s-test2:80
53
265
212
State: All Up
Service: DRS-10.4.2.6-s2.test.com:80
Forward packets:
UP
Reverse packets:
Forward bytes:
Reverse bytes:
Current connections:
Persistent connections:
Current requests:
Total requests:
Total connections:
Service: DRS-10.4.2.5-s1.test.com:80
Forward packets:
Forward bytes:
5715
0
0
msec
UP
Reverse packets:
546650
5631
Reverse bytes:
919730
Current connections:
10
Persistent connections:
Current requests:
10
Total requests:
Total connections:
1919
1919
msec
1877
Service: s-test1:80
UP
Forward packets:
Forward bytes:
450
Reverse packets:
31500
Reverse bytes:
360
44820
Current connections:
Persistent connections:
Current requests:
Total requests:
Total connections:
90
1877
0
msec
Syntax
Mode
Example
125
0
12
0
119
12
0
113
0
0
115
0
Description
Current number of SIP connections between the AX device
and SIP servers.
Total number of SIP connections between the AX device and
SIP servers.
Total number of SIP messages received from clients.
Number of SIP messages received from clients that were not
forwarded to servers.
Total number of SIP messages received from servers.
Number of SIP messages received from servers that were not
forwarded to clients.
Total number of SIP requests received from clients.
Number of SIP requests received from clients that were successful.
Number of times TCP connections with clients were reset.
Number of times TCP connections with servers were reset.
Number of times the SIP parser failed to parse a received SIP
request.
Number of times selection of a real server failed.
Number of connections made with servers.
Number of source NAT failures.
Syntax
Mode
Example
Description
Number of currently active SMTP connections using the
AX Series device as an SMTP proxy.
Total number of SMTP connections that have used the
AX Series device as an SMTP proxy.
Total number of SMTP requests received by the SMTP
proxy.
Number of SMTP requests received by the AX Series device
that were successfully fulfilled (by connection to a real
server).
Number of proxy errors.
Number of times TCP connections with clients were reset.
Example
Description
Number of times TCP connections with servers were reset.
Number of tuple errors.
Number of times parsing of an SMTP request failed.
Number of times selection of a real server failed.
Number of forward request failures.
Number of forward request data failures.
Number of retransmitted requests.
Number of request packets received from clients out of
sequence.
Number of times a request was forwarded to another server
because the current server was failing.
Number of times the connection with a server closed prematurely.
Number of connections made with servers.
Number of source NAT failures.
The following command shows detailed SMTP SLB statistics for each data
processor (DP):
Syntax
Description
cert
crl
Shows information about the Certificate Revocation Lists (CRLs) imported onto the AX device.
stats
Mode
Usage
Example
Example
Description
Total number of SSL processing modules on the device.
number of
enabled crypto
engines
number of available crypto
engines
Current SSL
connections
Total SSL connections
Description
Number of currently active connections using the AX device
as an SSL proxy.
Number of client errors.
Number of server errors.
Number of times a session was not found.
Number of times no route was available.
Number of times selection of a real server failed.
Number of occurrences of source NAT failure.
Syntax
Mode
Description
Shows detailed statistics.
Shows statistics only for the specified Ethernet
port.
Description
Number of packets that have been Layer 2 switched.
Number of packets that have been Layer 3 routed.
Number of IPv4 packets that were dropped due to routing
failures.
Anomaly IP OPT
Drops
Anomaly PingDeath Drop
Description
Number of IPv6 packets that were dropped due to routing
failures.
Number of packets that went to a VIP or NAT for processing.
Number of packets dropped due to incorrect protocol length.
Note: A high value for this counter can indicate a packet
length attack.
Number of packets dropped because the corresponding protocol was disabled.
Number of packets dropped because the protocol was
unknown.
Description
Number of IP fragments dropped.
Number of TCP packets dropped because they had no flags set. TCP packets are normally sent with at least one bit in the flags field set.
Anomaly SYN Frag Drop
Number of TCP SYN fragments dropped that had the fragmentation bit set.
Anomaly TCP
SYNFIN Drop
Anomaly Any
Drops
BPDUs
Received
BPDUs Sent
ACL Denys
SYN rate
exceeded Drop
Packet Error
Drops
IPv6 Frag Reasm
OKs
IPv6 Frag Reasm
Fails
IPv6 Frag
Invalid Pkts
Bad Pkt Drop
IP Frag Exceed
Drop
This counter also includes traffic dropped due to the l3-vlan-fwd-disable action in ACL rules.
Number of packets dropped because the TCP SYN threshold
had been exceeded.
Number of packets dropped due to a packet error.
Number of successfully reassembled IPv6 fragments.
Number of IPv6 fragment reassembly failures.
Number of IPv6 fragments that were invalid.
Number of bad packets dropped.
Number of fragmented IP packets that were dropped because
they exceeded the allowed maximum.
Example
Description
Number of IP packets that were dropped by the l3-vlan-fwd-disable action in an IPv4 ACL.
Number of IP packets that were dropped by the l3-vlan-fwd-disable action in an IPv6 ACL.
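The anomaly counters in the table above correspond to header checks that can be reproduced offline when triaging a capture. The following Python sketch is an added example, not A10 code: it applies the conventional definitions of these anomalies to constructed packets, since the AX device's exact match conditions are not given here. The `tcp-no-flags` label is a placeholder because that counter's name does not appear on this page, and the helper names and addresses are assumptions.

```python
import struct
from collections import Counter

SYN, FIN = 0x02, 0x01
MF = 0x2000          # "more fragments" bit in the IPv4 flags/fragment-offset field
MAX_IP_LEN = 65535   # largest legal IPv4 datagram
NO_FLAGS = "tcp-no-flags"   # placeholder label: counter name not shown on this page

def classify(pkt):
    """Return the anomaly counters an IPv4 packet would hit (empty list = clean)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5:
        return []                                  # not parseable IPv4: out of scope
    ihl = (pkt[0] & 0x0F) * 4                      # header length in bytes
    total_len, _ident, frag = struct.unpack("!HHH", pkt[2:8])
    proto = pkt[9]
    offset = (frag & 0x1FFF) * 8                   # fragment offset in bytes
    hits = []
    if ihl > 20:                                   # header beyond 20 bytes carries IP options
        hits.append("Anomaly IP OPT Drops")
    # Ping of death: an ICMP fragment whose data ends past 65535 once reassembled.
    if proto == 1 and offset + total_len > MAX_IP_LEN:
        hits.append("Anomaly PingDeath Drop")
    # TCP flags are only present in the first fragment (offset 0).
    if proto == 6 and offset == 0 and len(pkt) >= ihl + 14:
        flags = pkt[ihl + 13]
        if flags == 0:
            hits.append(NO_FLAGS)
        if flags & SYN and flags & FIN:
            hits.append("Anomaly TCP SYNFIN Drop")
        if flags & SYN and frag & MF:
            hits.append("Anomaly SYN Frag Drop")
    return hits

def tally(packets):
    """Aggregate per-packet hits into counters, like a drop-statistics table."""
    counts = Counter()
    for pkt in packets:
        counts.update(classify(pkt))
    return counts

def ipv4(proto, payload, frag=0, options=b""):
    """Build a test IPv4 packet (checksum left at 0; classify() does not verify it)."""
    ihl_words = 5 + len(options) // 4
    total = 20 + len(options) + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total, 0, frag, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + options + payload

def tcp(flags):
    """Build a 20-byte TCP header with the given flags byte."""
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 8192, 0, 0)

# Constructed sample packets (documentation addresses, not captured traffic).
SAMPLES = {
    "normal SYN": ipv4(6, tcp(SYN)),
    "null flags": ipv4(6, tcp(0)),
    "SYN+FIN": ipv4(6, tcp(SYN | FIN)),
    "fragmented SYN": ipv4(6, tcp(SYN), frag=MF),
    "oversize ICMP fragment": ipv4(1, b"\x00" * 100, frag=0x1FFF),
    "SYN+FIN with IP option": ipv4(6, tcp(SYN | FIN), options=b"\x01\x01\x01\x00"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:26} {classify(pkt) or 'clean'}")
    print(dict(tally(SAMPLES.values())))
```

Comparing such offline tallies with the device counters over the same interval helps confirm which anomaly class is driving a rising drop count.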
The following command shows detailed SLB switching statistics for Ethernet port 1:
Syntax
Mode
Example
The following command shows the state of the dynamic SYN cookie feature:
Mode
Example
Description
Current number of established TCP connections being handled by the proxy.
Number of active connections open.
Number of passive connections open.
Number of TCP connection attempts that failed.
Total number of TCP packets received by the TCP proxy.
Total number of TCP packets sent by the TCP proxy.
Number of TCP packets retransmitted by the TCP proxy.
Number of TCP Resets received for established connections.
Number of TCP Resets sent by the AX Series device.
The following command shows detailed TCP-proxy statistics for each data
processor (DP):
Description
Current number of established TCP connections being handled by the proxy.
Number of connections opened actively.
Number of connections opened passively.
Number of TCP connection attempts that failed.
Total number of TCP packets received by the TCP proxy.
Total number of TCP packets sent by the TCP proxy.
Description
Number of TCP packets retransmitted by the TCP proxy.
Number of TCP Resets received for established connections.
Number of TCP Resets sent by the AX device.
Number of invalid TCP packets received by the AX device.
Number of TCP sockets currently allocated.
Current number of orphan sockets.
Total memory allocated for TCP.
Total RX buffers allocated for TCP.
Total TX buffers occupied by TCP.
Current number of TCP connections in the SYN-SNT state.
Current number of TCP connections in the SYN-RCV state.
Current number of TCP connections in the Fin-Wait-1 state.
Current number of TCP connections in the Fin-Wait-2 state.
Current number of TCP connections in the Time Wait state.
Current number of TCP connections in the Close state.
Current number of TCP connections in the Close-Wait state.
Current number of TCP connections in the Last-ACK state.
Current number of TCP connections in the Listening state.
Current number of TCP connections in the Closing state.
Syntax
Mode
Show configuration information for SLB templates. The template configuration commands in the running-config are displayed.
show slb template [template-type [template-name]]
[all-partitions | partition name]
Privileged EXEC and all Config levels
Example
Syntax
Description
virtual-servername
Shows information only for the specified virtual
server.
The virtual-port-num service-type option shows
information only for the specified virtual port on
the virtual server.
The service-group-name option further restricts
the output, to show information only for the
specified service group.
The detail option displays connection and packet
statistics.
Displays virtual-server configuration information.
config
Mode
Usage
To display virtual-server information for a specific Role-Based Administration (RBA) partition only, use the partition name option.
Example
The following command shows summary information for all virtual servers:
Description
Total number of virtual services (virtual server ports) configured on the AX Series device.
IP
Current
connection
Total
connection
Request
packets
Response
packets
Total received
conn attempts on
this port
Service-Group
Service
Example
Description
Name of the virtual server.
Underneath the virtual server name, each of the virtual ports
on the server is listed, followed by the service groups in
which the virtual server and the virtual port are members.
In the example above, virtual server v-server has two virtual ports, HTTP port 80 and UDP port 53. HTTP port 80 is a
member of service group abctcp, and UDP port 53 is a
member of service group abcudp.
Virtual IP address of the virtual server.
Current number of connections to the virtual service port.
Note: Connection and packet counters are listed separately
for virtual ports and for service groups.
Total number of connections to the virtual service port.
Number of request packets received for the virtual service.
Number of server reply packets sent by the AX device for
the virtual service.
Total number of connection requests received for this port.
The following command shows status information for SLB virtual server
v-server:
10
14
10
14
Description
Name of the virtual server.
State information is shown separately for virtual servers and
for individual virtual ports.
Virtual server state:
All Up - All virtual ports on the virtual server are Running.
Functional Up - Some of the virtual ports are Running or Functional Running, but at least one of them is not Running.
Partial Up - At least one virtual port is Running or Functional Running, but at least one other virtual port is Down.
Down - All the virtual ports are Down.
Disb - The virtual server has been administratively disabled.
Virtual port state:
All Up - All members (real servers and ports) in all service groups bound to the virtual port are up.
Functional Up - At least one member in a service group bound to the virtual port is up, but not all members are up.
Down - All members in all service groups bound to the virtual port are down.
IP
Port
Curr-conn
Total-conn
Rev-Pkt
Fwd-Pkt
Description
Total number of virtual services (virtual server ports) configured on the AX Series device.
Name of the virtual server.
Virtual IP address of the virtual server.
Real server bound to the virtual server. The number at the
end is assigned by the AX Series for this show command
output.
Under the member name, the NAT pools and SLB templates
bound to the virtual server are listed.
Example
The following command shows details for a virtual port on a virtual server:
Total
connection
Total request
Total request
success
Total forward
bytes
Total forward
packets
Total reverse
bytes
Total reverse
packets
Description
Name of the virtual server and virtual port.
IP address of the virtual server and protocol port number of
the virtual port.
Name of the virtual port template bound to the virtual port.
Current number of connections to the virtual port.
Current number of HTTP requests being processed by
the virtual port.
Note: In this field and the Total request and Total request
success fields, Layer 7 requests are counted only if Layer 7
request accounting is enabled. See slb enable-l7-req-acct
on page 285.
Total number of connections that have been made to the virtual port.
Total number of HTTP requests processed by the virtual
port.
Total number of HTTP requests that were successful.
Number of request bytes forwarded to the virtual port.
Number of request packets forwarded to the virtual port.
Number of request bytes received from the virtual port.
Number of request packets received from the virtual port.
Up Causes
Table 77 lists the Up causes.
TABLE 77 show health stat Up Causes
Cause Code  Cause String
0           HM_INVALID_UP_REASON
1           HM_DNS_PARSE_RESPONSE_OK
2           HM_EXT_REPORT_UP
3           HM_EXT_TCL_REPORT_UP
4           HM_FTP_ACK_USER_LOGIN
5           HM_FTP_ACK_PASS_LOGIN
6           HM_HTTP_RECV_URL_FIRST
7           HM_HTTP_RECV_URL_NEARBY_FIRST
8           HM_HTTP_RECV_URL_FOLLOWING
9           HM_HTTP_RECV_URL_NEARBY_FOLLOWING
10          HM_HTTP_STATUS_CODE
11          HM_ICMP_RECV_OK
12          HM_ICMP_RECV6_OK
13          HM_LDAP_RECV_ACK
14          HM_POP3_RECV_ACK_PASS_OK
15          HM_RADIUS_RECV_OK
16          HM_RTSP_RECV_STATUS_OK
17          HM_SIP_RECV_OK
18          HM_SMTP_RECV_OK
19          HM_SNMP_RECV_OK
20          HM_TCP_VERIFY_CONN_OK
21          HM_TCP_CONN_OK
22          HM_TCP_HALF_CONN_OK
23          HM_UDP_RECV_OK
24          HM_UDP_NO_RESPOND
25          HM_COMPOUND_UP
Down Causes
Table 78 lists the Down causes.
TABLE 78 show health stat Down Causes
Cause Code  Cause String
0           HM_INVALID_DOWN_REASON
1           HM_DNS_TIMEOUT
2           HM_EXT_TIMEOUT
3           HM_EXT_TCL_TIMEOUT
4           HM_FTP_TIMEOUT
5           HM_HTTP_TIMEOUT
6           HM_HTTPS_TIMEOUT
7           HM_ICMP_TIMEOUT
8           HM_LDAP_TIMEOUT
9           HM_POP3_TIMEOUT
10          HM_RADIUS_TIMEOUT
11          HM_RTSP_TIMEOUT
12          HM_SIP_TIMEOUT
13          HM_SMTP_TIMEOUT
14          HM_SNMP_TIMEOUT
15          HM_TCP_TIMEOUT
16          HM_TCP_HALF_TIMEOUT
17          HM_DNS_RECV_ERROR
18          HM_DNS_PARSE_RESPONSE_ERROR
19          HM_DNS_RECV_LEN_ZERO
20          HM_EXT_WAITPID_FAIL
21          HM_EXT_TERM_BY_SIG
22          HM_EXT_REPORT_DOWN
23          HM_EXT_TCL_REPORT_DOWN
24          HM_FTP_RECV_TIMEOUT
25          HM_FTP_SEND_TIMEOUT
26          HM_FTP_NO_SERVICE
27          HM_FTP_ACK_USER_WRONG_CODE
28          HM_FTP_ACK_PASS_WRONG_CODE
29          HM_COM_CONN_CLOSED_IN_WRITE
30          HM_COM_OTHER_ERR_IN_WRITE
31          HM_COM_CONN_CLOSED_IN_READ
32          HM_COM_OTHER_ERR_IN_READ
33          HM_COM_SEND_TIMEOUT
34          HM_COM_CONN_TIMEOUT
35          HM_COM_SSL_CONN_ERR
Cause String
HM_HTTP_SEND_URL_ERR
HM_HTTP_RECV_URL_ERR
HM_HTTP_RECV_MSG_ERR
HM_HTTP_NO_LOCATION
HM_HTTP_WRONG_STATUS_CODE
HM_HTTP_WRONG_CHUNK
HM_HTTP_AUTH_ERR
HM_HTTPS_SSL_WRITE_ERR
HM_HTTPS_SSL_WRITE_OTHERS
HM_HTTPS_SSL_READ_ERR
HM_HTTPS_SSL_READ_OTHERS
HM_ICMP_RECV_ERR
HM_ICMP_SEND_ERR
HM_ICMP_RECV6_ERR
HM_LDAP_RECV_ACK_ERR
HM_LDAP_SSL_READ_ERR
HM_LDAP_SSL_READ_OTHERS
HM_LDAP_RECV_ACK_WRONG_PACKET
HM_LDAP_SSL_WRITE_ERR
HM_LDAP_SSL_WRITE_OTHERS
HM_LDAP_SEND_ERR
HM_POP3_RECV_TIMEOUT
HM_POP3_SEND_TIMEOUT
HM_POP3_NO_SERVICE
HM_POP3_RECV_ACK_USER_ERR
HM_POP3_RECV_ACK_PASS_ERR
HM_RADIUS_RECV_ERR
HM_RADIUS_RECV_ERR_PACKET
HM_RADIUS_RECV_NONE
HM_RTSP_RECV_STATUS_ERR
HM_RTSP_RECV_ERR
HM_RTSP_SEND_ERR
HM_SIP_RECV_ERR
HM_SIP_RECV_ERR_PACKET
HM_SIP_CONN_CLOSED
HM_SIP_NO_MEM
HM_SIP_STARTUP_ERR
HM_SMTP_RECV_ERR
HM_SMTP_NO_SERVICE
HM_SMTP_SEND_HELO_TIMEOUT
HM_SMTP_SEND_QUIT_TIMEOUT
Cause String
HM_SMTP_WRONG_CODE
HM_SNMP_RECV_ERR
HM_SNMP_RECV_ERR_PACKET
HM_SNMP_RECV_ERR_OTHER
HM_TCP_PORT_CLOSED
HM_TCP_ERROR
HM_TCP_INVALID_TCP_FLAG
HM_TCP_HALF_NO_ROUTE
HM_TCP_HALF_NO_MEM
HM_TCP_HALF_SEND_ERR
HM_UDP_RECV_ERR
HM_UDP_RECV_ERR_OTHERS
HM_UDP_NO_SERVICE
HM_UDP_ERR
HM_COMPOUND_INVAL_RPN
HM_COMPOUND_DOWN
HM_COMPOUND_TIMEOUT