
Riverbed Command-Line Interface

Reference Manual
Version 4.1.10
April 2010

© 2003-2010 Riverbed Technology, Incorporated. All rights reserved.


Riverbed Technology, Riverbed, Steelhead, RiOS, Interceptor, Cascade, and the Riverbed logo are trademarks or registered
trademarks of Riverbed Technology, Inc. All other trademarks used or mentioned herein belong to their respective owners.
Linux is a trademark of Linus Torvalds in the United States and in other countries. VMware is a trademark of VMware,
Incorporated. Oracle and JInitiator are trademarks or registered trademarks of Oracle Corporation. Microsoft, Windows, Vista,
Outlook, and Internet Explorer are trademarks or registered trademarks of Microsoft Corporation. UNIX is a registered trademark
in the United States and in other countries, exclusively licensed through X/Open Company, Ltd.
Parts of this product are derived from the following software:
Apache 2000-2003. The Apache Software Foundation. All rights reserved.
Busybox 1999-2005 Eric Andersen
ethtool 1994, 1995-8, 1999, 2001, 2002 Free Software Foundation, Inc
Less 1984-2002 Mark Nudelman
Libevent 2000-2002 Niels Provos. All rights reserved.
LibGD, Version 2.0 licensed by Boutell.Com, Inc.
Libtecla 2000, 2001 by Martin C. Shepherd. All rights reserved.
Linux Kernel Linus Torvalds
login 2.11 1993 The Regents of the University of California. All rights reserved.
md5, md5.cc 1995 University of Southern California, 1991-2, RSA Data Security, Inc.
my_getopt.{c,h} 1997, 2000, 2001, 2002, Benjamin Sittler. All rights reserved.
NET-SNMP Copyright 1989, 1991, 1992 by Carnegie Mellon University. All rights reserved. Derivative Work - 1996, 1998-2000
Copyright 1996, 1998-2000 The Regents of the University of California. All rights reserved.
OpenSSH 1983, 1990, 1992, 1993, 1995, 1993 The Regents of the University of California. All rights reserved.
pam 2002-2004 Tall Maple Systems, Inc. All rights reserved.
pam-radius 1989, 1991 Free Software Foundation, Inc.
pam-tacplus 1997-2001 by Pawel Krawczyk
sscep 2003 Jarkko Turkulainen. All rights reserved.
ssmtp GNU General Public License
syslogd 2002-2005 Tall Maple Systems, Inc. All rights reserved.
Vixie-Cron 1988, 1990, 1993, 1994 by Paul Vixie. All rights reserved.
Zile 1997-2001 Sandro Sigalam 2003 Reuben Thomas. All rights reserved.
This product includes software developed by the University of California, Berkeley (and its contributors) and Comtech AHA
Corporation. This product is derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm.
For detailed copyright and license agreements or modified source code (where required), see the Riverbed Technical Support site
at https://support.riverbed.com. Certain libraries were used in the development of this software, licensed under GNU Lesser
General Public License, Version 2.1, February 1999. For a list of libraries, see the Riverbed Technical Support at
https://support.riverbed.com. You must log in to the support site to request modified source code.
Other product names, brand names, marks, and symbols are registered trademarks or trademarks of their respective owners.
The content of this manual is furnished on a RESTRICTED basis and is subject to change without notice and should not be
construed as a commitment by Riverbed Technology, Incorporated. Use, duplication, or disclosure by the U.S. Government is
subject to restrictions set forth in Subparagraphs (c) (1) and (2) of the Commercial Computer Software Restricted Rights at 48 CFR
52.227-19, as applicable. Riverbed Technology, Incorporated assumes no responsibility or liability for any errors or inaccuracies
that may appear in this book.

Riverbed Technology
199 Fremont St.
San Francisco, CA 94105
Phone: 415.247.8800
Fax: 415.247.8801
Web: http://www.riverbed.com

Part Number
720-00002 (PUB-00003)

Contents

Introduction .............................................................................................................................19

About This Guide ....................................................................................................................................... 19
Types of Users ...................................................................................................................................... 19
Organization of This Guide................................................................................................................ 19
Document Conventions ...................................................................................................................... 20
Hardware and Software Dependencies................................................................................................... 20
Ethernet Network Compatibility.............................................................................................................. 21
SNMP-Based Management Compatibility.............................................................................................. 21
Additional Resources ................................................................................................................................. 21
Online Notes......................................................................................................................................... 22
Related Riverbed Documentation ..................................................................................................... 22
Online Documentation........................................................................................................................ 23
Related Reading ................................................................................................................................... 23
Safety Guidelines ........................................................................................................................................ 23
Contacting Riverbed................................................................................................................................... 23
Internet .................................................................................................................................................. 24
Technical Support ................................................................................................................................ 24
Documentation..................................................................................................................................... 24
Chapter 1 Using the Command-Line Interface ..................................................................................25

Connecting to the CLI ................................................................................................................................ 25
Overview of the CLI ................................................................................................................................... 26
Entering Commands .................................................................................................................................. 27
Accessing Online Help............................................................................................................................... 27
Error Messages ............................................................................................................................................ 28
Command Negation ................................................................................................................................... 28
Saving Configuration Changes................................................................................................................. 28

Chapter 2 User-Mode Commands ......................................................................................................29

enable ............................................................................................................................................. 29
exit .................................................................................................................................................. 29
ping................................................................................................................................................. 30
traceroute ....................................................................................................................................... 30
Chapter 3 Enable-Mode Commands ..................................................................................................31

System Administration Commands......................................................................................................... 32
clear arp-cache .............................................................................................................................. 32
clear hardware error-log.............................................................................................................. 32
clear interface ................................................................................................................................ 33
configure terminal ........................................................................................................................ 33
debug generate dump.................................................................................................................. 33
disable ............................................................................................................................................ 34
slogin .............................................................................................................................................. 34
tcpdump......................................................................................................................................... 34
Displaying Configuration Settings........................................................................................................... 36
show aaa ........................................................................................................................................ 37
show arp ........................................................................................................................................ 37
show banner .................................................................................................................................. 37
show bootvar................................................................................................................................. 38
show cli .......................................................................................................................................... 38
show clock ..................................................................................................................................... 38
show cmc ....................................................................................................................................... 39
show configuration ...................................................................................................................... 39
show configuration flash............................................................................................................. 40
show configuration flash text ..................................................................................................... 41
show configuration full ............................................................................................................... 41
show configuration running ....................................................................................................... 41
show datastore .............................................................................................................................. 42
show email..................................................................................................................................... 42
show failover................................................................................................................................. 43
show hardware ............................................................................................................................. 43
show hardware error-log............................................................................................................. 43
show hardware watchdog........................................................................................................... 44
show hosts ..................................................................................................................................... 44

show in-path ................................................................................................................................. 44
show in-path cdp.......................................................................................................................... 45
show in-path lsp ........................................................................................................................... 45
show in-path interfaces (Interceptor) ........................................................................................ 46
show in-path neighbor (Interceptor) ......................................................................................... 46
show in-path neighbor (Steelhead)............................................................................................ 46
show in-path neighbor peers ...................................................................................................... 47
show in-path peering auto .......................................................................................................... 47
show in-path peering rules ......................................................................................................... 48
show in-path rules........................................................................................................................ 48
show in-path simplified routing ................................................................................................ 49
show interfaces ............................................................................................................................. 49
show ip........................................................................................................................................... 50
show job ......................................................................................................................................... 51
show limit bandwidth ................................................................................................................. 51
show limit connection.................................................................................................................. 52
show load balance rules .............................................................................................................. 52
show logging................................................................................................................................. 52
show ntp ........................................................................................................................................ 53
show out-of-path .......................................................................................................................... 53
show peer version ........................................................................................................................ 53
show peers..................................................................................................................................... 54
show port-label ............................................................................................................................. 54
show pfs all-info shares ............................................................................................................... 55
show pfs configuration ................................................................................................................ 55
show prepop.................................................................................................................................. 56
show protocol cifs......................................................................................................................... 56
show protocol cifs oopen............................................................................................................. 56
show protocol connection ........................................................................................................... 57
show protocol ftp.......................................................................................................................... 57
show protocol http ....................................................................................................................... 57
show protocol jinitiator ............................................................................................................... 58
show protocol mapi...................................................................................................................... 58
show protocol ms-sql ................................................................................................................... 59
show protocol ms-sql rules ......................................................................................................... 59
show protocol nfs ......................................................................................................................... 60
show protocol ssl .......................................................................................................................... 61
show protocol ssl backend ......................................................................................................... 61
show protocol ssl ca ..................................................................................................................... 62
show protocol ssl crl .................................................................................................................... 62
show protocol ssl expiring-certs................................................................................................. 63
show protocol ssl peering............................................................................................................ 64
show protocol ssl scep peering................................................................................................... 64
show protocol ssl scep peering auto-reenroll........................................................................... 64
show protocol ssl scep peering ca .............................................................................................. 65
show protocol ssl scep peering enrollment status ................................................................... 65
show protocol ssl scep peering on-demand ............................................................................. 65
show protocol ssl server .............................................................................................................. 66
show qos classification ................................................................................................................ 66
show radius ................................................................................................................................... 67
show raid configuration .............................................................................................................. 67
show raid diagram ....................................................................................................................... 68
show raid info ............................................................................................................................... 69
show raid physical ....................................................................................................................... 70
show redirect................................................................................................................................. 70
show redirect peers ...................................................................................................................... 71
show running-config.................................................................................................................... 71
show service .................................................................................................................................. 71
show service connection pooling ............................................................................................... 72
show service neural-framing ...................................................................................................... 72
show service ports........................................................................................................................ 72
show snmp .................................................................................................................................... 73
show ssh client .............................................................................................................................. 73
show ssh server............................................................................................................................. 73
show ssh server allowed-ciphers ............................................................................................... 74
show support sha512-pass .......................................................................................................... 74
show tacacs.................................................................................................................................... 75
show tcp highspeed ..................................................................................................................... 75
show tcp reordering ..................................................................................................................... 75
show telnet-server ........................................................................................................................ 76
show terminal ............................................................................................................................... 76
show usernames ........................................................................................................................... 76
show wccp ..................................................................................................................................... 77
show web....................................................................................................................................... 77
show web prefs ............................................................................................................................. 78
show web ssl cipher ..................................................................................................................... 78
Displaying System Data............................................................................................................................. 79
show configuration files .............................................................................................................. 79
show connection ........................................................................................................................... 79
show connections ......................................................................................................................... 80
show files debug-dump............................................................................................................... 82
show files sa .................................................................................................................................. 82
show files stats .............................................................................................................................. 83
show files tcpdump...................................................................................................................... 83
show images.................................................................................................................................. 83
show info ....................................................................................................................................... 84
show in-path asym-route-tab...................................................................................................... 84
show in-path ar-circbuf ............................................................................................................... 85
show interfaces ............................................................................................................................. 85
show jobs ....................................................................................................................................... 86
show licenses................................................................................................................................. 87
show log......................................................................................................................................... 87
show pfs status ............................................................................................................................. 88
show pfs stats shares.................................................................................................................... 89
show raid error-msg..................................................................................................................... 89
show stats ...................................................................................................................................... 90
show tcp statistics......................................................................................................................... 92
show version ................................................................................................................................. 92
show version history.................................................................................................................... 93
Chapter 4 Configuration-Mode Commands ......................................................................................95

System Administration Commands......................................................................................................... 96
Authentication Commands................................................................................................................ 97
aaa accounting per-command default....................................................................................... 97
aaa authentication cond-fallback ............................................................................................... 98
aaa authentication console-login default .................................................................................. 98
aaa authentication login default................................................................................................. 98
aaa authorization map default-user .......................................................................................... 99

aaa authorization map order ...................................................................................................... 99
aaa authorization per-command default ................................................................................ 100
radius-server host....................................................................................................................... 101
radius-server key ........................................................................................................................ 101
radius-server retransmit ............................................................................................................ 102
radius-server timeout ................................................................................................................ 102
tacacs-server first-hit.................................................................................................................. 103
tacacs-server host........................................................................................................................ 103
tacacs-server key......................................................................................................................... 104
tacacs-server retransmit............................................................................................................. 104
tacacs-server timeout ................................................................................................................. 105
username disable........................................................................................................................ 105
username nopassword............................................................................................................... 105
username password ................................................................................................................... 106
username password 0 ................................................................................................................ 106
username password 7 ................................................................................................................ 107
Secure Shell Access Commands ...................................................................................................... 108
ssh client generate identity user............................................................................................... 108
ssh client user authorized-key rsakey sshv2 .......................................................................... 109
ssh server enable......................................................................................................................... 109
ssh server listen enable .............................................................................................................. 109
ssh server listen interface .......................................................................................................... 110
ssh server v2-only enable .......................................................................................................... 110
CLI Terminal Configuration Commands ....................................................................................... 112
banner login ................................................................................................................................ 112
banner motd ................................................................................................................................ 113
cli clear-history............................................................................................................................ 113
cli default auto-logout ............................................................................................................... 113
cli default paging enable ........................................................................................................... 114
cli session ..................................................................................................................................... 114
terminal........................................................................................................................................ 115
Management Console Configuration Commands........................................................................ 116
web auto-logout.......................................................................................................................... 116
web enable................................................................................................................................... 117
web http enable........................................................................................................................... 117
web http port............................................................................................................................... 117
web httpd listen enable.............................................................................................................. 118
web httpd listen interface.......................................................................................................... 118
web https enable......................................................................................................................... 119
web https port ............................................................................................................................. 119
web prefs log lines...................................................................................................................... 119
web proxy host............................................................................................................................ 120
web session renewal................................................................................................................... 120
web session timeout ................................................................................................................... 120
Configuration and File Manipulation Commands ....................................................................... 121
configuration copy ..................................................................................................................... 121
configuration delete ................................................................................................................... 122
configuration factory ................................................................................................................. 122
configuration fetch ..................................................................................................................... 122
configuration jump-start ........................................................................................................... 123
configuration merge................................................................................................................... 124
configuration move .................................................................................................................... 125
configuration new ...................................................................................................................... 126
configuration flash restore ........................................................................................................ 126
configuration flash write ........................................................................................................... 126
configuration revert keep-local ................................................................................................ 127
configuration revert saved ........................................................................................................ 127
configuration switch-to ............................................................................................................. 127
configuration upload ................................................................................................................. 128
configuration write..................................................................................................................... 128
file debug-dump delete ............................................................................................................. 128
file debug-dump email .............................................................................................................. 129
file debug-dump upload ........................................................................................................... 129
file stats delete............................................................................................................................. 129
file stats move ............................................................................................................................. 130
file stats upload........................................................................................................................... 130
file tcpdump ................................................................................................................................ 130
write flash .................................................................................................................................... 131
write memory.............................................................................................................................. 131
write terminal.............................................................................................................................. 131
tcp connection send keep-alive ................................................................................................ 132
tcp connection send reset ......................................................................................................... 132
Port Alias Support ............................................................................................................................. 133

port-label...................................................................................................................................... 133
Statistics Manipulation Commands................................................................................................ 135
stats alarm.................................................................................................................................... 136
stats chd ....................................................................................................................................... 140
stats clear-all................................................................................................................................ 140
stats export .................................................................................................................................. 140
stats sample ................................................................................................................................. 141
stats settings bandwidth............................................................................................................ 142
Notification and SNMP Commands ............................................................................................... 143
email autosupport enable.......................................................................................................... 143
email domain .............................................................................................................................. 144
email mailhub ............................................................................................................................. 144
email mailhub-port .................................................................................................................... 144
email notify events enable......................................................................................................... 145
email notify events recipient..................................................................................................... 145
email notify failures enable....................................................................................................... 145
email notify failures recipient................................................................................................... 146
email send-test ............................................................................................................................ 146
snmp-server community ........................................................................................................... 146
snmp-server contact ................................................................................................................... 147
snmp-server enable .................................................................................................................... 147
snmp-server host ........................................................................................................................ 147
snmp-server listen enable.......................................................................................................... 148
snmp-server listen interface...................................................................................................... 148
snmp-server location.................................................................................................................. 149
Data Store Management Commands.............................................................................................. 150
datastore convert ........................................................................................................................ 150
datastore encryption type ......................................................................................................... 151
datastore notification enable..................................................................................................... 152
datastore notification wrap-around......................................................................................... 153
datastore receive port................................................................................................................. 153
datastore send addr.................................................................................................................... 153
datastore sync enable ................................................................................................................. 154
datastore sync master ................................................................................................................ 156
datastore sync peer-ip................................................................................................................ 157
datastore sync port ..................................................................................................................... 157
datastore sync reconnect ........................................................................................................... 157
Logging Commands.......................................................................................................................... 158
logging ......................................................................................................................................... 158
logging files delete ..................................................................................................................... 159
logging files rotation criteria frequency .................................................................................. 159
logging files rotation criteria size............................................................................................. 159
logging files rotation force ........................................................................................................ 160
logging files rotation max-num ................................................................................................ 160
logging local ................................................................................................................................ 160
logging trap ................................................................................................................................. 161
License and Upgrade Commands................................................................................................... 162
boot system.................................................................................................................................. 162
hardware upgrade model.......................................................................................................... 162
image boot ................................................................................................................................... 163
image delete ................................................................................................................................ 163
image fetch .................................................................................................................................. 163
image flash backup .................................................................................................................... 164
image flash restore ..................................................................................................................... 164
image install ................................................................................................................................ 164
image move ................................................................................................................................. 165
license delete ............................................................................................................................... 165
license install ............................................................................................................................... 165
System Service and Other System Administration Commands ................................................. 166
hardware watchdog ................................................................................................................... 166
job.................................................................................................................................................. 166
job comment ................................................................................................................................ 167
job date-time................................................................................................................................ 168
job enable ..................................................................................................................................... 168
job execute ................................................................................................................................... 168
job fail-continue .......................................................................................................................... 169
job name....................................................................................................................................... 169
job recurring ................................................................................................................................ 169
reload............................................................................................................................................ 169
restart............................................................................................................................................ 170
service enable .............................................................................................................................. 170
service error reset ....................................................................................................................... 171
service map-port......................................................................................................................... 171
service neural-framing............................................................................................................... 172
service port .................................................................................................................................. 172
service restart .............................................................................................................................. 173
Host Setup Commands ..................................................................................................................... 174
arp ................................................................................................................................................. 174
clock set........................................................................................................................................ 174
clock timezone ............................................................................................................................ 175
hardware ecc-mem-check enable ............................................................................................. 175
hostname...................................................................................................................................... 175
interface........................................................................................................................................ 176
ip default-gateway ..................................................................................................................... 176
ip domain-list .............................................................................................................................. 177
ip host........................................................................................................................................... 177
ip name-server ............................................................................................................................ 177
ip route ......................................................................................................................................... 178
ntp disable ................................................................................................................................... 178
ntp enable .................................................................................................................................... 178
ntp peer ........................................................................................................................................ 179
ntp server..................................................................................................................................... 179
ntpdate ......................................................................................................................................... 180
telnet-server enable ................................................................................................................... 180
Steelhead Appliance Feature Configuration Commands ................................................................... 181
In-Path and Virtual In-Path Support Commands ......................................................................... 182
in-path enable ............................................................................................................................. 183
in-path interface enable ............................................................................................................. 183
in-path interface vlan ................................................................................................................. 183
in-path kickoff............................................................................................................................. 184
in-path lsp enable ....................................................................................................................... 184
in-path move-rule rulenum ...................................................................................................... 185
in-path oop enable...................................................................................................................... 185
in-path rule auto-discover......................................................................................................... 186
in-path rule deny ........................................................................................................................ 188
in-path rule discard .................................................................................................................... 189
in-path rule fixed-target ............................................................................................................ 190
in-path rule pass-through.......................................................................................................... 193
in-path turbo enable................................................................................................................... 194
ip in-path-gateway ..................................................................................................................... 194

ip in-path route ........................................................................................................................... 195
Out-of-Path Support.......................................................................................................................... 196
out-of-path enable ...................................................................................................................... 197
Peering Commands ........................................................................................................................... 198
in-path peering auto................................................................................................................... 199
in-path peering rule ................................................................................................................... 199
in-path peering move-rule ........................................................................................................ 201
peer ............................................................................................................................................... 202
Asymmetric Route Detection and Connection Forwarding Commands .................................. 203
in-path asym-route-tab flush .................................................................................................... 204
in-path asym-route-tab remove................................................................................................ 204
in-path asymmetric routing detection enable ........................................................................ 205
in-path asymmetric routing pass-through enable ................................................................. 207
in-path cdp allow-failure enable .............................................................................................. 208
in-path cdp enable...................................................................................................................... 208
in-path cdp holdtime ................................................................................................................. 209
in-path cdp interval.................................................................................................................... 209
in-path neighbor allow failure.................................................................................................. 210
in-path neighbor enable............................................................................................................. 210
in-path neighbor ip address...................................................................................................... 211
in-path neighbor keepalive count ............................................................................................ 211
in-path neighbor keepalive interval ........................................................................................ 212
in-path neighbor interface......................................................................................................... 212
in-path neighbor peer ................................................................................................................ 212
in-path neighbor port................................................................................................................. 213
Simplified Routing Support ............................................................................................................. 214
in-path simplified routing......................................................................................................... 215
NetFlow Support Commands.......................................................................................................... 216
ip flow-export ............................................................................................................................. 217
ip flow-export enable ................................................................................................................. 218
IPSec Commands ............................................................................................................................... 220
ip security authentication policy.............................................................................................. 221
ip security enable........................................................................................................................ 221
ip security encryption policy .................................................................................................... 222
ip security peer ip....................................................................................................................... 222
ip security pfs enable ................................................................................................................. 223
ip security rekey interval........................................................................................................... 223
ip security shared secret ............................................................................................................ 223
PFS Support Commands .................................................................................................................. 225
pfs domain................................................................................................................................... 226
pfs enable..................................................................................................................................... 227
pfs settings................................................................................................................................... 228
pfs share cancel-event ................................................................................................................ 229
pfs share configure ..................................................................................................................... 230
pfs share configure (version 2.0 only) ..................................................................................... 232
pfs share manual-sync ............................................................................................................... 234
pfs share modify ......................................................................................................................... 235
pfs share upgrade ....................................................................................................................... 237
pfs share verify............................................................................................................................ 238
pfs start......................................................................................................................................... 239
pfs workgroup ............................................................................................................................ 239
Prepopulation Support Commands................................................................................................ 240
prepop enable.............................................................................................................................. 241
prepop share................................................................................................................................ 241
CIFS Support Commands................................................................................................................. 243
protocol cifs applock .................................................................................................................. 244
protocol cifs applock extension ................................................................................................ 244
protocol cifs dw-throttling enable............................................................................................ 244
protocol cifs disable write optimization.................................................................................. 245
protocol cifs enable..................................................................................................................... 245
protocol cifs nosupport.............................................................................................................. 246
protocol cifs oopen ..................................................................................................................... 246
protocol cifs oopen enable......................................................................................................... 247
protocol cifs prepop enable....................................................................................................... 247
protocol cifs secure-sig-opt enable........................................................................................... 247
protocol cifs smbv1-mode enable............................................................................................. 248
HS-TCP Support Commands........................................................................................................... 249
protocol connection lan receive buf-size................................................................................. 250
protocol connection lan send buf-size ..................................................................................... 250
protocol connection wan receive def-buf-size........................................................................ 250
protocol connection wan send def-buf-size............................................................................ 251
tcp highspeed enable ................................................................................................................. 251
JInitiator Support Commands ......................................................................................................... 253
protocol jinitiator enable ........................................................................................................... 254
MAPI Support Commands .............................................................................................................. 255
protocol mapi enable.................................................................................................................. 256
protocol mapi 2k3 enable .......................................................................................................... 256
protocol mapi 2k7 fallback enable ........................................................................................... 256
protocol mapi nspi ..................................................................................................................... 257
protocol mapi nspi enable ......................................................................................................... 258
protocol mapi port...................................................................................................................... 258
protocol mapi prepop enable.................................................................................................... 258
MS-SQL Blade Support Commands ............................................................................................... 260
protocol ms-sql enable ............................................................................................................... 261
protocol ms-sql fetch-next enable ............................................................................................ 261
protocol ms-sql num-preack .................................................................................................... 261
protocol ms-sql port ................................................................................................................... 262
protocol ms-sql query-act rule-id action-id ............................................................................ 262
protocol ms-sql query-arg-act rule-id action-id arg-offset expr .......................................... 263
protocol ms-sql rpc-act rule-id action-id................................................................................. 263
protocol ms-sql rpc-arg-act rule-id arg-offset expr ............................................................... 264
protocol ms-sql rpc-arg rule-id arg-offset expr ..................................................................... 265
protocol ms-sql rpc-rule rule-id app-name-regex.................................................................. 265
protocol ms-sql support-app .................................................................................................... 266
NFS Support Commands ................................................................................................................. 267
protocol ftp .................................................................................................................................. 268
protocol nfs alarm v2-v4 clear .................................................................................................. 268
protocol nfs default server ........................................................................................................ 268
protocol nfs default volume...................................................................................................... 269
protocol nfs enable ..................................................................................................................... 270
protocol nfs max-directories ..................................................................................................... 271
protocol nfs max-symlinks........................................................................................................ 271
protocol nfs memory.................................................................................................................. 271
protocol nfs server ..................................................................................................................... 272
protocol nfs v2-v4-alarm ........................................................................................................... 273
HTTP Support Commands .............................................................................................................. 274
protocol http default ntlm enable ............................................................................................ 275
protocol http enable ................................................................................................................... 275
protocol http prefetch extension .............................................................................................. 275
protocol http server.................................................................................................................... 276
SSL Support Commands .................................................................................................................. 277
protocol ssl backend................................................................................................................... 278
protocol ssl bulk-export............................................................................................................. 278
protocol ssl bulk-import ............................................................................................................ 279
protocol ssl crl ca ........................................................................................................................ 280
protocol ssl crl cas enable .......................................................................................................... 280
protocol ssl crl handshake......................................................................................................... 281
protocol ssl crl manual............................................................................................................... 281
protocol ssl crl peering............................................................................................................... 282
protocol ssl crl query-now......................................................................................................... 283
protocol ssl ca.............................................................................................................................. 283
protocol ssl enable ...................................................................................................................... 284
protocol ssl peering .................................................................................................................... 286
protocol ssl protocol-vers .......................................................................................................... 288
protocol ssl scep peering auto-reenroll ................................................................................... 289
protocol ssl scep peering max-num-polls ............................................................................... 289
protocol ssl scep peering on-demand cancel.......................................................................... 290
protocol ssl scep peering on-demand gen-key-and-csr ........................................................ 290
protocol ssl scep peering on-demand start............................................................................. 291
protocol ssl scep peering passphrase....................................................................................... 292
protocol ssl scep peering poll-frequency ................................................................................ 292
protocol ssl scep peering trust .................................................................................................. 292
protocol ssl scep peering url ..................................................................................................... 293
protocol ssl server....................................................................................................................... 293
secure-vault ................................................................................................................................. 296
QoS Support Commands.................................................................................................................. 297
qos classification burst............................................................................................................... 298
qos classification class................................................................................................................ 298
qos classification enable ............................................................................................................ 300
qos classification link-rate ......................................................................................................... 300
qos classification queue ............................................................................................................. 301
qos classification rule add ......................................................................................................... 301
qos classification rule move ...................................................................................................... 302
qos dscp edit-rule ....................................................................................................................... 302
qos dscp move-rule .................................................................................................................... 303
qos dscp rule ............................................................................................................................... 304
Connection Pooling Commands...................................................................................................... 306
service connection pooling........................................................................................................ 307
service default-port .................................................................................................................... 307
WCCP Support Commands ............................................................................................................. 308
wccp enable ................................................................................................................................. 309
wccp mcast-ttl ............................................................................................................................. 309
wccp service-group .................................................................................................................... 310
Failover Support Commands........................................................................................................... 312
failover buddy addr ................................................................................................................... 313
failover buddy port .................................................................................................................... 313
failover enable............................................................................................................................. 313
failover master ............................................................................................................................ 314
failover port................................................................................................................................. 315
Data Replication Commands ........................................................................................................... 316
datastore anchor-select .............................................................................................................. 317
datastore disklayout................................................................................................................... 317
datastore disk read-pressure..................................................................................................... 318
datastore use-one-defer-q.......................................................................................................... 318
FIPS/CC Compliance Commands .................................................................................................. 318
fips bootloader password.......................................................................................................... 320
reset factory ................................................................................................................................. 320
ssh server v2-only enable .......................................................................................................... 321
ssh server allowed-ciphers........................................................................................................ 321
sport fail-to-bypass enable ........................................................................................................ 322
support sha512-pass enable ...................................................................................................... 322
web ssl ciphers ............................................................................................................................ 323
web ssl protocol tlsv1................................................................................................................. 323
web ssl protocol sslv2 ................................................................................................................ 324
web ssl protocol sslv3 ................................................................................................................ 324
Interceptor Appliance Feature Commands........................................................................................... 324
Load-Balancing Commands............................................................................................................. 325
load balance move-rule ............................................................................................................. 325
load balance rule......................................................................................................................... 325
load balance rule edit rulenum <num> description ............................................................. 327
Peering Support Commands............................................................................................................ 328
in-path neighbor interface......................................................................................................... 328
in-path neighbor peer ................................................................................................................ 329
in-path rule redirect ................................................................................................................... 329
redirect allow-failure.................................................................................................................. 330
redirect interface ......................................................................................................................... 331
redirect peer addr ....................................................................................................................... 331
Debugging Commands..................................................................................................................... 332
debug validate deployment ..................................................................................................... 332
Statistics Configuration Commands ............................................................................................... 333
stats alarm.................................................................................................................................... 333
Central Management Console Feature Commands............................................................................. 334
Export Commands............................................................................................................................. 334
export appliance ......................................................................................................................... 334
export stats .................................................................................................................................. 335
Chapter 5 Troubleshooting ...............................................................................................................337
Troubleshooting Quick Reference .......................................................................................................... 337
Appendix A Riverbed Ports ...........................................................................................................339
Default Ports.............................................................................................................................................. 339
Commonly Optimized Ports ................................................................................................................... 340
Commonly Excluded Ports ..................................................................................................................... 340
Interactive Ports Forwarded by the Steelhead Appliance .................................................................. 340
Secure Ports Forwarded by the Steelhead Appliance ......................................................................... 341
Appendix B Riverbed MIB .............................................................................................................345
Accessing the Steelhead Enterprise MIB ............................................................................................... 345
SNMP Traps............................................................................................................................................... 346
Steelhead Enterprise MIB ........................................................................................................................ 349
Interceptor MIB File: Contents................................................................................................................ 363
Riverbed MIB............................................................................................................................................. 371
Acronyms and Abbreviations ...............................................................................................................373
Glossary .................................................................................................................................................379
Index .......................................................................................................................................................385

Introduction

In This Introduction
Welcome to the Riverbed Command-Line Interface Reference Manual. Read this introduction for an overview of
the information provided in this guide and for an understanding of the documentation conventions used
throughout. This introduction contains the following sections:

About This Guide, next

Hardware and Software Dependencies on page 20

Ethernet Network Compatibility on page 21

SNMP-Based Management Compatibility on page 21

Additional Resources on page 21

Safety Guidelines on page 23

Contacting Riverbed on page 23

About This Guide


The Riverbed Command-Line Interface Reference Manual is a reference manual for the command-line interface
for the Steelhead appliance, Steelhead Central Management Console, and the Interceptor appliance. This
manual lists commands, syntax, parameters, and example usage.

Types of Users
This guide is written for storage and network administrators who are familiar with administering and
managing WANs using common network protocols, such as TCP, CIFS, HTTP, FTP, and NFS.

Organization of This Guide


The Riverbed Command-Line Interface Reference Manual includes the following chapters:

Chapter 1, Using the Command-Line Interface, describes how to connect and use the CLI.

Chapter 2, User-Mode Commands, provides a reference for user-mode commands.

Chapter 3, Enable-Mode Commands, provides a reference for enable-mode commands.

Chapter 4, Configuration-Mode Commands, provides a reference for configuration-mode commands.

Appendix A, Riverbed Ports, provides a reference of ports used by the Riverbed system.

Appendix B, Riverbed MIB, provides the text of the Riverbed MIB.

A list of acronyms and a glossary of terms follow the chapters. A comprehensive index directs you to areas
of particular interest.

Document Conventions
This manual uses the following standard set of typographical conventions to introduce new terms, illustrate
screen displays, describe command syntax, and so forth.
Convention   Meaning

italics      Within text, new terms and emphasized words appear in italic typeface.

boldface     Within text, commands, keywords, identifiers (names of classes, objects, constants,
             events, functions, program variables), environment variables, filenames, GUI
             controls, and other similar terms appear in bold typeface.

Courier      Information displayed on your terminal screen and information that you are
             instructed to enter appears in Courier font.

<>           Within syntax descriptions, values that you specify appear in angle brackets.
             For example:
             interface <ipaddress>

[]           Within syntax descriptions, optional keywords or variables appear in brackets.
             For example:
             ntp peer <addr> [version <number>]

{}           Within syntax descriptions, required keywords or variables appear in braces.
             For example:
             {delete <filename> | upload <filename>}

|            Within syntax descriptions, the pipe symbol represents a choice to select one
             keyword or variable to the left or right of the symbol. (The keyword or variable
             can be either optional or required.) For example:
             {delete <filename> | upload <filename>}

Hardware and Software Dependencies


The following table summarizes the hardware and software requirements for the Riverbed CLI.
Riverbed CLI Hardware Requirements

One of the following:

An ASCII terminal or emulator that can connect to the serial console (9600 baud, 8 bits, no parity, 1
stop bit, and no flow control).

A computer with an SSH client that is connected by an IP network to the appliance primary
interface.

Software Requirements
Operating System Requirements

Secure Shell. Free SSH clients include PuTTY for Windows computers, OpenSSH for many Unix and
Unix-like operating systems, and Cygwin.

Ethernet Network Compatibility


The Steelhead appliance supports the following types of Ethernet networks:

Ethernet Logical Link Control (LLC) (IEEE 802.2 - 2002)

Fast Ethernet 100 Base-TX (IEEE 802.3 - 2002)

Gigabit Ethernet over Copper 1000 Base-T and Fiber 1000 Base-SX (LC connector) (IEEE 802.3 - 2002)

The Primary port in the Steelhead appliance is 10 Base-T/100, Base-TX/1000, and Base-T/SX Mbps (IEEE
802.3 - 2002). (The Primary port on the Model 100, 200 is Fast Ethernet only.)
In-path Steelhead appliance ports are 10/100/1000 Base-TX or Gigabit Ethernet 1000Base-T/SX (IEEE 802.3 -
2002) (depending on your order).
The Steelhead appliance supports VLAN Tagging (IEEE 802.1Q - 2003). It does not support the Cisco ISL
protocol.
All copper interfaces are auto-sensing for speed and duplex (IEEE 802.3 - 2002).
The Steelhead appliance auto-negotiates speed and duplex mode for all data rates and supports full duplex
mode and flow control (IEEE 802.3 - 2002).
The Steelhead appliance with a Gigabit Ethernet card supports Jumbo Frames on in-path and primary
ports.

SNMP-Based Management Compatibility


The Steelhead appliance supports a proprietary Riverbed MIB accessible through SNMP. Both SNMP v1
(RFCs 1155, 1157, 1212, and 1215) and SNMP v2c (RFCs 1901, 2578, 2579, 2580, 3416, 3417, and 3418) are
supported, although some MIB items may only be accessible through SNMPv2.
SNMP support allows the Steelhead appliance to be integrated into network management systems such as
Hewlett Packard OpenView Network Node Manager, BMC Patrol, and other SNMP-based network
management tools.

Additional Resources
This section describes resources that supplement the information in this guide. It contains the following
sections:

Online Notes, next

Related Riverbed Documentation on page 22

Online Documentation on page 23

Related Reading on page 23

Online Notes
The following online file supplements the information in this manual. It is available on the Riverbed
Technical Support site at https://support.riverbed.com.
Online File: <product>_<version_number>.txt
Purpose: Describes the product release and identifies fixed problems, known problems, and
workarounds. This file also provides documentation information not covered in the manuals or that
has been modified since publication.

Please examine this file before you begin the installation and configuration process. It contains important
information about this release of the software.

Related Riverbed Documentation


You can access the complete document set for the Steelhead appliance from the Documentation Set CD:

Steelhead Appliance Installation and Configuration Guide describes how to install and configure the
Steelhead appliance.

Steelhead Management Console User's Guide describes how to manage and administer a Steelhead
appliance using the Management Console.

Steelhead Central Management Console User's Guide describes how to install, configure, and administer a
network made up of multiple Steelhead appliances using the Steelhead Central Management Console.

Steelhead Appliance Deployment Guide describes how to deploy the Steelhead appliance in complex
network environments (for example, environments using WCCP, PBR, and Layer-4 switches).

Interceptor Appliance Installation Guide describes how to install the appliance, run the initial
configuration wizard, and connect the appliance to your network. It also includes a reference of
product technical specifications, including pre-installed bypass cards.

Interceptor Appliance User's Guide describes how to configure and manage the Interceptor appliance to
balance traffic loads in pools of Steelhead appliances.

Steelhead Mobile Controller Installation Guide describes how to quickly install the Steelhead Mobile
Controller.

Steelhead Mobile Controller User's Guide describes how to deploy endpoint client packages, and how to
administer and manage your Steelhead Mobile deployment.

Getting Started Guide describes how to quickly install and set up the Steelhead appliance, Central
Management Console, and the Interceptor appliance.

Troubleshooting Guide describes how to troubleshoot Model 520, 1020, 1520, and 2020 Rev. A systems.

Hardware Owner's Manual describes how to troubleshoot Model 520, 1020, 1520, and 2020 Rev. B
systems.

Riverbed Copy Utility Reference Manual describes how to install and deploy the Riverbed Copy Utility
(RCU). The RCU is an optional utility of the Steelhead appliance that copies, mirrors, and
transparently prepopulates data. You can download the RCU from the Riverbed Technical Support site
located at https://support.riverbed.com.

Bypass Card Installation Guide describes how to install the bypass cards in the Steelhead and Interceptor
appliance.

Rack Installation Guide describes how to install the Steelhead appliance in a standard Telco-type rack
(all models except the 520, 1020, 1520, 2020, and 3020).

Maintenance Guide describes how to replace components in the Steelhead appliance.

Safety and Compliance Guide describes safety precautions for installing and setting up your equipment
in English and other languages.

Online Documentation
The Steelhead appliance documentation set is periodically updated with new information. To access the
most current version of the Steelhead appliance documentation and other technical information, consult the
Riverbed Technical Support site located at https://support.riverbed.com.

Related Reading
To learn more about network administration, consult the following books:

Microsoft Windows 2000 Server Administrator's Companion by Charlie Russell and Sharon Crawford
(Microsoft Press, 2000)

Common Internet File System (CIFS) Technical Reference by the Storage Networking Industry Association
(Storage Networking Industry Association, 2002)

TCP/IP Illustrated, Volume I, The Protocols by W. R. Stevens (Addison-Wesley, 1994)

Internet Routing Architectures (2nd Edition) by Bassam Halabi (Cisco Press, 2000)

Safety Guidelines
Follow the safety precautions outlined in the Safety and Compliance Guide when installing and setting up
your equipment.

Important: Failure to follow these safety guidelines can result in injury or damage to the equipment. Mishandling of
the equipment voids all warranties. Please read and follow safety guidelines and installation instructions carefully.

Many countries require the safety information to be presented in their national languages. If this
requirement applies to your country, consult the Safety and Compliance Guide. The guide contains the safety
information in your national language. Before you install, operate, or service the Riverbed products, you
must be familiar with the safety information. Refer to the guide if you do not clearly understand the safety
information provided in the documentation.

Contacting Riverbed
This section describes how to contact departments within Riverbed.

Internet
You can find out about Riverbed products through our Web site at http://www.riverbed.com.

Technical Support
If you have problems installing, using, or replacing Riverbed products, contact Riverbed Technical Support.
For the fastest service, open a trouble ticket at https://support.riverbed.com or call 1-888-RVBD-TAC
(1-888-782-3822) in the United States and Canada or +1 415 247 7381 outside the United States.

Documentation
We continually strive to improve the quality and usability of our documentation. We appreciate any
suggestions you may have about our online documentation or printed materials. Send documentation
comments to techpubs@riverbed.com.

CHAPTER 1

Using the Command-Line Interface

In This Chapter
This chapter describes how to access and use the CLI. This chapter includes the following sections:

Connecting to the CLI, next

Overview of the CLI on page 26

Entering Commands on page 27

Accessing Online Help on page 27

Error Messages on page 28

Command Negation on page 28

Saving Configuration Changes on page 28

Connecting to the CLI


This section assumes you have already performed the initial setup of the appliance using the configuration
wizard. For detailed information, see the installation guide for the system.
To connect to the CLI
1. You can connect to the CLI using one of the following options:

An ASCII terminal or emulator that can connect to the serial console. It must have the following
settings: 9600 baud, 8 bits, no parity, 1 stop bit, and no flow control.

A computer with an SSH client that is connected to the appliance Primary port (in rare cases, you
might connect through the Auxiliary port).

2. At the system prompt, enter the following command if your local DNS resolves the appliance host name:
   ssh admin@host.domain
   Otherwise, at the system prompt, enter the following command:
   ssh admin@ipaddress

3. When prompted, enter the administrator password. This is the password you set during the initial
configuration process. The default password is password.

You can also log in as a monitor user (monitor). A monitor user cannot make configuration changes,
modify private keys, view logs, or manage cryptographic modules in the system.

Overview of the CLI


The CLI has the following modes:

User. When you start a CLI session, you begin in the default, user mode. From user mode you can run
common network tests such as ping. You do not enter a command to enter user mode. To exit user
mode, enter exit at the command line.

Enable. To access a restricted set of commands, you must enter enable mode. For example, while in
enable mode, you can restart and reboot the system, display non-sensitive system information, and verify
configuration information. From enable mode, you can enter any enable mode command or enter
configuration mode. You can be an administrator or monitor user to enter enable mode. To exit enable
mode, enter disable at the command line.

Configuration. To make changes to the running configuration, you must enter configuration mode. To
save configuration changes to memory, you must enter the write memory command. To enter
configuration mode, you must first be in enable mode. You must be an administrator user to enter
configuration mode. To exit configuration mode, enter exit at the command line.

The commands available to you depend on which mode you are in and whether you are a monitor or
administrator user. Entering a question mark (?) at the system prompt provides a list of commands for each
command mode.
Mode: user
Access Method: Each CLI session begins in user-mode.
System Prompt: host >
Exit Method: exit
Description: Perform common network tests, such as ping. Display system settings and statistics.

Mode: enable
Access Method: Enter the enable command at the system prompt while in user-mode.
System Prompt: host #
Exit Method: disable
Description: Administrator user can perform basic system administration tasks, such as restarting and
rebooting the system. A monitor user cannot make configuration changes, modify private keys, view
logs, or manage cryptographic modules in the system. Display system data and statistics. Perform all
user-mode commands.

Mode: configuration
Access Method: Enter the configure terminal command at the system prompt while in enable-mode.
System Prompt: host (config) #
Exit Method: exit
Description: Configure system parameters. Administrator user can perform all user and enable-mode
commands.

Entering Commands
The CLI accepts abbreviations for commands. The following example is the abbreviation for the configure
terminal command:
tilden (config)# configure t

You can press the tab key to complete a CLI command automatically.

Accessing Online Help


At the system prompt, type the full or partial command string followed by a question mark (?). The CLI
displays the command keywords or parameters for the command and a short description.
To access online help
At the system prompt enter the following command:
tilden (config) # show ?

The CLI does not display the question mark.


Error Messages
If at any time the system does not recognize the command or parameter, it displays the following message:
tilden (config) # logging files enable
% Unrecognized command "enable".
Type "logging files?" for help.

If a command is incomplete, the following message is displayed:


tilden (config) # logging
% Incomplete command.
Type "logging ?" for help.

Command Negation
You can type no before many of the commands to negate the syntax. Depending on the command or the
parameters, command negation disables the command or returns the parameter to the default value.

Saving Configuration Changes


The show configuration running command displays the current configuration of the system. When you
make a configuration change to the system, the change becomes part of the running configuration.
The change does not automatically become part of the configuration file in memory until you write the file
to memory. If you do not save your changes to memory, they are lost when the system restarts.
To save all configuration changes to memory, you must enter the write memory command while in
configuration mode.


CHAPTER 2

User-Mode Commands

In This Chapter
This chapter is a reference for user-mode commands. User-mode commands allow you to enter enable
mode and perform standard network monitoring tasks.
To enter user mode
Connect to the CLI. For detailed information, see Connecting to the CLI on page 25.

enable
Description

Enters enable mode.

Syntax

enable

Parameters

None

Usage

You must enter enable mode before you can perform standard network monitoring tasks.

Example

minna > enable


minna #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

exit
Description

Exits the CLI when in user mode; exits enable mode when in enable mode; exits configuration
mode when in configuration mode.

Syntax

exit

Parameters

None

Example

minna (config) # exit


minna #

Product

CMC appliance, Interceptor appliance, Steelhead appliance


ping
Description

Executes the ping utility to send ICMP ECHO_REQUEST packets to network hosts for
troubleshooting.

Syntax

ping [<options>]

Parameters

<options>

[-L RUbdfnqrvVaA]
[-c count]
[-i interval]
[-w deadline]
[-p pattern]
[-s packet size]
[-t ttl]
[-I interface address] For example: ping -I 10.1.1.1 10.11.22.15
[-M MTU discovery hint]
[-S sndbuf]
[-T timestamp option]
[-Q tos]
[hop1...]destination. Specify intermediate hops.

Usage

The ping command without any options pings from the primary or the auxiliary (aux) interface
and not the in-path interfaces.
If the primary and auxiliary interfaces are not on the same network as the in-path interfaces, you
will not be able to ping an IP address on the in-path interface network unless you have a gateway
between the two networks.
To ping from an in-path interface, use the following syntax:
ping -I <in-path interface IP address> <destination IP address>

Example

minna # ping -I 10.1.1.1 10.11.22.15


PING 10.11.22.15 (10.11.22.15) from 10.1.1.1: 56(84) bytes of data.
64 bytes from 10.11.22.15: icmp_seq=0 ttl=64 time=0.044 ms
64 bytes from 10.11.22.15: icmp_seq=1 ttl=64 time=0.038 ms
64 bytes from 10.11.22.15: icmp_seq=2 ttl=64 time=0.040 ms

Product

CMC appliance, Interceptor appliance, Steelhead appliance

traceroute
Description

Executes the traceroute utility. The traceroute command takes the standard Linux options.

Syntax

traceroute [<options>]

Parameters

<options>

The traceroute command takes the standard Linux options. For detailed
information, see the Linux man page.

Example

minna # traceroute minna
traceroute to minna.domain.com (10.0.0.3), 30 hops max, 38 byte packets
1 minna (10.0.0.3) 0.035 ms 0.021 ms 0.013 ms

Product

CMC appliance, Interceptor appliance, Steelhead appliance

CHAPTER 3

Enable-Mode Commands

In This Chapter
This chapter is a reference for enable-mode commands. Enable-mode commands display configuration
settings and process information.
To enter enable mode
1. Connect to the CLI. For detailed information, see Connecting to the CLI on page 25.
2. To enter enable mode, at the system prompt enter:
minna> enable

To exit enable mode, enter exit. For information about the exit command, see exit on page 29.
This chapter includes the following sections:

System Administration Commands
Displaying Configuration Settings
Displaying System Data

TIP: For an alphabetical list of commands, see the Index at the end of this book.


System Administration Commands


This section describes commands you use to perform system administration tasks. It includes the following
commands:
clear arp-cache
clear hardware error-log
clear interface
configure terminal
debug generate dump
disable
slogin
tcpdump

clear arp-cache
Description

Clears dynamic entries from the ARP cache. This command does not clear static entries.

Syntax

clear arp-cache

Parameters

None

Usage

minna # show arp


ARP cache contents
IP 10.1.4.1 maps to MAC 00:16:46:1E:75:CE
minna # clear arp-cache

Example

minna # clear arp-cache


minna #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show arp

clear hardware error-log


Description

Clears IPMI System Event Log (SEL).

Syntax

clear hardware error-log

Parameters

None

Usage

The amber LED light will stop blinking on the system.

Example

minna # clear hardware error-log


minna #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show hardware error-log


clear interface
Description

Sets the interface counters for the specified interface to 0.

Syntax

clear interface {<interface name>}

Parameters

<interface name>

Specifies the interface name: aux, primary, lo, wan1_1, lan1_1, wan1_0, lan1_0,
inpath1_0, inpath1_1, all.

Example

minna # clear interface aux
minna #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show interfaces

configure terminal
Description

Enables configuration from the terminal by entering the configuration subsystem. You must
execute the enable command first to enter configuration mode.

Syntax

configure terminal

Parameters

None

Usage

To exit the configuration subsystem, type exit.


The no command option disables the terminal configuration.

Example

minna # configure terminal


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration, show configuration full, show configuration running

debug generate dump


Description

Generates a file to debug the appliance.

Syntax

debug generate dump

Parameters

None

Example

minna # debug generate dump


minna #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Configuration and File Manipulation Commands


disable
Description

Exits enable mode.

Syntax

disable

Parameters

None

Example

minna # disable
minna >

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

exit

slogin
Description

Enables you to log in to another system securely using SSH.

Syntax

slogin [<options>]

Parameters

<options>

Specifies slogin options. To view options, enter slogin at the system prompt.

Example

minna # slogin -l usertest

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show ssh client, show ssh server

tcpdump
Description

Executes the tcpdump utility. The tcpdump command takes the standard Linux options. For
detailed information, see the Linux man page.

Syntax

tcpdump [<options>]


Parameters

<options>

The tcpdump command takes the standard Linux options:


-a Attempt to convert network and broadcast addresses to names.
-c Exit after receiving count packets.
-d Dump the compiled packet-matching code in a human readable form to
standard output and stop.
-dd Dump packet-matching code as a C program fragment.
-ddd Dump packet-matching code as decimal numbers (preceded with a count).
-e Print the link-level header on each dump line.
-E Use algo:secret for decrypting IPsec ESP packets.
-f Print foreign internet addresses numerically rather than symbolically.
-F Use file as input for the filter expression. An additional expression given on the
command line is ignored.
-i Listen on interface. If unspecified, tcpdump searches the system interface list
for the lowest numbered, configured up interface.
-n Do not convert addresses (such as host addresses, port numbers, and so forth)
to names.
-N Do not print domain name qualification of host names. For example, if you
specify this flag, then tcpdump will print nic instead of nic.ddn.mil.
-m Load SMI MIB module definitions from file module. This option can be used
several times to load several MIB modules into tcpdump.
-q Quiet output. Print less protocol information so output lines are shorter.
-r Read packets from file (which was created with the -w option). Standard input
is used if file is -.
-S Print absolute, not relative, TCP sequence numbers.
-v (Slightly more) verbose output. For example, the time to live, identification,
total length and options in an IP packet are printed. Also enables additional
packet integrity checks such as verifying the IP and ICMP header checksum.
-w Write the raw packets to file rather than parsing and printing them out. They
can later be printed with the -r option. Standard output is used if file is -.
-x Print each packet (minus its link level header) in hex. The smaller of the entire
packet or snaplen bytes will be printed.
-X When printing hex, print ascii too. Thus if -x is also set, the packet is printed in
hex/ascii. This option enables you to analyze new protocols.
For detailed information, see the Linux man page.

Usage

You can write tcpdump output to a file using the -w option so that you can analyze it.

Example

minna # tcpdump
tcpdump: listening on primary
18:59:13.682568 minna.domain.com.ssh > dhcp-22.domain.com.3277: P
3290808290:3290808342(52) ack 3412262693 win 5840 (DF) [dscp 0x10]
18:59:13.692513 minna.domain.com.ssh > dhcp-22.domain.com.3277: P 0:52(52) ack 1
win 5840 (DF) [dscp 0x10]
18:59:13.702482 minna.domain.com.ssh > dhcp-22.domain.com.3277: P 0:52(52) ack 1
win 5840 (DF) [dscp 0x10]

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Configuration and File Manipulation Commands


Displaying Configuration Settings


This section describes the commands you use to display active configuration settings.
show aaa
show arp
show banner
show bootvar
show cli
show clock
show cmc
show configuration
show configuration flash
show configuration flash text
show configuration full
show configuration running
show datastore
show email
show failover
show hardware
show hardware watchdog
show hosts
show in-path
show in-path cdp
show in-path lsp
show in-path neighbor (Interceptor)
show in-path neighbor (Steelhead)
show in-path neighbor peers
show in-path peering auto
show in-path peering rules
show in-path rules
show in-path simplified routing
show interfaces
show ip
show job
show limit bandwidth
show limit connection
show load balance rules
show logging
show ntp
show out-of-path
show peer version
show peers
show port-label
show pfs all-info shares
show pfs configuration
show prepop
show protocol cifs
show protocol cifs oopen
show protocol connection
show protocol ftp
show protocol http
show protocol jinitiator
show protocol mapi
show protocol ms-sql
show protocol ms-sql rules
show protocol nfs
show protocol ssl
show protocol ssl server
show qos classification
show radius
show raid configuration
show raid diagram
show raid info
show raid physical
show redirect
show redirect peers
show running-config
show service
show service connection pooling
show service neural-framing
show service ports
show snmp
show ssh client
show ssh server
show tacacs
show tcp highspeed
show tcp reordering
show telnet-server
show terminal
show usernames
show wccp
show web
show web prefs


show aaa
Description

Displays the authentication methods used for log in.

Syntax

show aaa

Parameters

None

Example

minna # show aaa


AAA authorization:
Default User: admin
Map Order: remote-first
Authentication method(s):
local

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Authentication Commands

show arp
Description

Displays the contents of the ARP cache. The ARP cache includes all statically-configured ARP
entries as well as any that the system has picked up dynamically.

Syntax

show arp [static]

Parameters

static

Displays static ARP addresses.

Example

minna # show arp
ARP cache contents
IP 10.0.0.1 maps to MAC 00:07:E9:70:20:15
IP 10.0.0.2 maps to MAC 00:05:5D:36:CB:29
IP 10.0.100.22 maps to MAC 00:07:E9:55:10:09

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

arp, clear arp-cache
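Comparing two show arp captures taken at different times shows which IP addresses changed MAC address and which MAC addresses answer for more than one IP address. The Python below is an added example, not part of the Riverbed manual; it parses the "IP ... maps to MAC ..." line format from the sample output above. BASELINE reuses the manual's sample and LATER is constructed for illustration.

```python
import re
from collections import defaultdict

# Line format taken from the manual's sample output:
#   IP 10.0.0.1 maps to MAC 00:07:E9:70:20:15
ARP_LINE = re.compile(
    r"^\s*IP\s+(\d{1,3}(?:\.\d{1,3}){3})\s+maps to MAC\s+"
    r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s*$"
)

# The manual's sample output.
BASELINE = """\
minna # show arp
ARP cache contents
IP 10.0.0.1 maps to MAC 00:07:E9:70:20:15
IP 10.0.0.2 maps to MAC 00:05:5D:36:CB:29
IP 10.0.100.22 maps to MAC 00:07:E9:55:10:09
"""

# Constructed later capture: 10.0.0.1 now resolves to the MAC of 10.0.0.2,
# one entry has aged out and one new entry has appeared.
LATER = """\
minna # show arp
ARP cache contents
IP 10.0.0.1 maps to MAC 00:05:5D:36:CB:29
IP 10.0.0.2 maps to MAC 00:05:5d:36:cb:29
IP 10.0.0.9 maps to MAC 00:07:E9:AA:BB:CC
"""


def parse_show_arp(text):
    """Return {ip: mac} from captured `show arp` output.

    Prompt lines, the "ARP cache contents" header and anything else that
    does not match the entry format are skipped. MACs are upper-cased so
    that captures differing only in case compare equal.
    """
    table = {}
    for line in text.splitlines():
        match = ARP_LINE.match(line)
        if match:
            table[match.group(1)] = match.group(2).upper()
    return table


def compare_snapshots(before, after):
    """Compare two parsed ARP tables and return the differences to review."""
    findings = {"changed": [], "new": [], "gone": [], "shared_mac": []}

    for ip, mac in after.items():
        if ip not in before:
            findings["new"].append((ip, mac))
        elif before[ip] != mac:
            # Same IP, different hardware address: replaced NIC, failover,
            # or another host answering ARP for this address.
            findings["changed"].append((ip, before[ip], mac))

    findings["gone"] = sorted(ip for ip in before if ip not in after)

    # One MAC claiming several IPs is normal for some routers and
    # load balancers, so report it for review rather than as an error.
    by_mac = defaultdict(list)
    for ip, mac in after.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings["shared_mac"].append((mac, sorted(ips)))

    return findings


if __name__ == "__main__":
    report = compare_snapshots(parse_show_arp(BASELINE), parse_show_arp(LATER))
    for kind, items in report.items():
        print(kind, items)
```

A changed mapping for the default gateway address is the entry to check first against the switch or router that owns it.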

show banner
Description

Displays the banner settings.

Syntax

show banner

Parameters

None

Example

minna # show banner


Banners:
MOTD:
Issue: Riverbed Interceptor
Net Issue: Riverbed Interceptor
minna #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

banner login, banner motd


show bootvar
Description

Displays the software image that is booted upon the next reboot.

Syntax

show bootvar

Parameters

None

Example

minna # show bootvar
Installed images:
Partition 1:
rbtsh/linux columbia #1 2004-02-07 19:24:24 root@test:repository
Partition 2:
rbtsh/linux Columbia #2 2004-02-13 17:30:17 root@test:repository
Last boot partition: 1
Next boot partition: 1

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

hardware watchdog, image boot

show cli
Description

Displays current CLI settings.

Syntax

show cli

Parameters

None

Example

minna # show cli
CLI current session settings
Maximum line size: 8192
Terminal width: 157 columns
Terminal length: 15 rows
Terminal type: xterm
Auto-logout: 30 minutes
Paging: enabled
CLI defaults for future sessions
Auto-logout: 30 minutes
Paging: enabled

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

CLI Terminal Configuration Commands

show clock
Description

Displays current date and time.

Syntax

show clock

Parameters

None

Example

minna # show clock
Time: 19:31:43
Date: 2006/12/22
Zone: GMT-offset GMT

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Host Setup Commands

show cmc
Description

Shows whether the appliance is managed by the CMC.

Syntax

show cmc

Parameters

None

Example

minna # show cmc
CMC support enabled: yes
CMC's hostname: yourcmc
Managed by CMC: no
Auto configuration status: Inactive

Product

Steelhead appliance

Related Topics

ip name-server, show ip

show configuration
Description

Displays the current and saved configuration settings that differ from the default settings.

Syntax

show configuration

Parameters

None


Example

minna # show configuration


##
## Network interface configuration
##
no interface aux dhcp
interface aux duplex "auto"
no interface aux shutdown
interface aux speed "auto"
interface primary ip address 10.0.0.3 /16
##
## Routing configuration
##
ip default-gateway "10.0.0.1"
##
## Other IP configuration
##
hostname "minna"
ip domain-list domain.com
ip domain-list domain.com
ip name-server 10.0.0.2
##
## Logging configuration
##
logging local "info"
##
## Process Manager configuration
##
pm process mgmtd launch timeout "4000"
pm process sport shutdown order "0"
pm process statsd shutdown order "0"
##
## Network management configuration
##
## Miscellaneous other settings (this is a partial list of settings)

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Configuration and File Manipulation Commands

show configuration flash


Description

Shows configuration files stored in flash memory.

Syntax

show configuration flash

Parameters

None

Example

minna # show configuration flash

Product

Steelhead appliance

Related Topics

Configuration and File Manipulation Commands


show configuration flash text


Description

Writes the configuration stored in flash memory to the screen.

Syntax

show configuration flash text

Parameters

None

Example

minna # show configuration flash text

Product

Steelhead appliance

Related Topics

Configuration and File Manipulation Commands

show configuration full


Description

Displays all configuration settings including the default settings.

Syntax

show configuration full

Parameters

None

Example

minna # show configuration full


##
## Network interface configuration
##(displays the full configuration; this is a partial list of settings.)

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Configuration and File Manipulation Commands

show configuration running


Description

Displays running configuration settings that are different from the defaults.

Syntax

show configuration running [full]

Parameters

full

Displays all settings, including default settings.

Example

minna # show configuration running
##
## Network interface configuration
##(displays running configuration; this is a partial list of settings.)

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Configuration and File Manipulation Commands
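Saving Configuration Changes notes that changes to the running configuration are lost at restart unless they are written to memory. The Python below is an added example, not part of the Riverbed manual: it parses two captures in the show configuration output format shown earlier and reports what differs, including commands whose no form flipped. Both captures are constructed sample text, and treating one as the saved configuration and the other as the running configuration is an assumption.

```python
import re

# Matches CLI prompt lines such as "minna # show configuration" or
# "minna (config) # ..." so they are not mistaken for configuration commands.
PROMPT = re.compile(r"^\S+\s*(\(config\)\s*)?[#>](\s|$)")

# Constructed capture standing in for the saved configuration
# (lines follow the manual's sample output).
SAVED = """\
minna # show configuration
##
## Network interface configuration
##
no interface aux dhcp
interface aux duplex "auto"
no interface aux shutdown
interface primary ip address 10.0.0.3 /16
##
## Other IP configuration
##
hostname "minna"
ip name-server 10.0.0.2
##
## Logging configuration
##
logging local "info"
"""

# Constructed capture standing in for the running configuration.
RUNNING = """\
minna # show configuration running
##
## Network interface configuration
##
no interface aux dhcp
interface aux duplex "auto"
interface aux shutdown
interface primary ip address 10.0.0.3 /16
##
## Other IP configuration
##
hostname "minna"
ip name-server 10.0.0.2
ip name-server 10.0.0.53
"""


def parse_config(text):
    """Return a list of (section, negated, command) tuples.

    "## Title" lines name the section that follows, bare "##" lines only
    frame the title, and a leading "no " marks a negated command.
    """
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("##"):
            title = line.lstrip("#").strip()
            if title:
                section = title
            continue
        if PROMPT.match(line):
            continue
        negated = line.startswith("no ")
        command = line[3:] if negated else line
        entries.append((section, negated, " ".join(command.split())))
    return entries


def render(negated, command):
    """Rebuild the command line as it appears in the CLI output."""
    return "no " + command if negated else command


def config_drift(saved_text, running_text):
    """Report commands that differ between a saved and a running capture."""
    saved = {(n, c): s for s, n, c in parse_config(saved_text)}
    running = {(n, c): s for s, n, c in parse_config(running_text)}
    report = {"flipped": [], "unsaved": [], "not_running": []}

    for (neg, cmd), sec in running.items():
        if (neg, cmd) in saved:
            continue
        # Same command present with the opposite sense ("no X" versus "X").
        kind = "flipped" if (not neg, cmd) in saved else "unsaved"
        report[kind].append((sec, render(neg, cmd)))

    for (neg, cmd), sec in saved.items():
        if (neg, cmd) not in running and (not neg, cmd) not in running:
            report["not_running"].append((sec, render(neg, cmd)))

    return report


if __name__ == "__main__":
    for kind, items in config_drift(SAVED, RUNNING).items():
        for section, line in items:
            print(f"{kind:12} [{section}] {line}")
```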


show datastore
Description

Displays current data store settings.

Syntax

show datastore

Parameters

None

Example

minna # show datastore


Datastore Wrap-Around Notification: yes
Expected Period (days) Before Datastore Wrap-Around: 1
Automated Online Datastore Synchronization: no
Master: no
Peer IP Address: 0.0.0.0
Port: 7744
Reconnect Seconds: 30
Connection Status: disconnected
Catch-Up Synchronization Status: disconnected
Keep-Up Synchronization Status: disconnected
Encryption Type: NONE
minna #

Product

Steelhead appliance

Related Topics

Data Store Management Commands

show email
Description

Displays current email settings.

Syntax

show email

Parameters

None

Example

minna # show email
Mail hub:
Domain: domain.com (default)
Event emails
Enabled: yes
No recipients configured.
Failure emails
Enabled: yes
No recipients configured.
Autosupport emails
Enabled: yes
Recipient: autosupport@autosupport.domain.com
Mail hub: autosupport.domain.com

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Notification and SNMP Commands


show failover
Description

Displays current failover device settings.

Syntax

show failover

Parameters

None

Example

minna # show failover
Enabled: no
Master: yes
Local Port: 7820
Buddy IP Address: 0.0.0.0
Buddy Port: 7820
minna #

Product

Interceptor appliance, Steelhead appliance

Related Topics

Peering Commands

show hardware
Description

Displays hardware information.

Syntax

show hardware

Parameters

None

Example

minna # show hardware
Hardware Revision: B
Mainboard: Series 3000/5000 motherboard, ................. CMP-00072
Slot 0: 4 Port Copper GigE Network Bypass Card, ....... CMP-00074
Slot 1: (Empty)
Slot 2: (Empty)
Slot 3: (Empty)
Slot 4: 6 Port SATA RAID I/O Card, .................... CMP-00014
Slot 5: (Empty)

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

hardware upgrade model

show hardware error-log


Description

Displays IPMI system event log entries.

Syntax

show hardware error-log all | new

Parameters

all

Displays all IPMI SEL entries.

new

Displays IPMI SEL entries since the last show hardware error-log command.


Example

minna # show hardware error-log all
1 | 11/28/2006 11:55:10 | Event Logging Disabled SEL | Log area reset/cleared | Asserted = yes.
2 | 01/04/2007 21:09:07 | Slot/Connector Drive | Fault Status | Asserted = yes.
3 | 01/07/2007 03:24:07 | Slot/Connector Drive | Fault Status | Asserted = yes.

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

clear hardware error-log

show hardware watchdog


Description

Displays hardware watchdog information.

Syntax

show hardware watchdog

Parameters

None

Example

minna # show hardware watchdog


Enable: yes
Last Ping: 2006-05-12 14:31:49.412973153 -0700
Saved Ping: 2006-04-21 07:25:51.000000000 -0700

Product

Steelhead appliance

Related Topics

hardware watchdog

show hosts
Description

Displays system hosts.

Syntax

show hosts

Parameters

None

Example

minna # show hosts


Hostname: minna
Name server: 10.0.0.2 (configured)
Domain name: domain.com (configured)
Domain name: domain.com (configured)
IP 127.0.0.1 maps to hostname localhost
minna #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Host Setup Commands

show in-path
Description

Displays in-path interface settings.

Syntax

show in-path

Parameters

None


Example

minna # show in-path


Enabled: yes
Kickoff: no
L4/PBR/WCCP: no
Main Interface: inpath1_0
Optimizations Enabled On:
inpath1_0
VLAN Tag IDs:
inpath1_0: 0
inpath1_1: 0
minna #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

In-Path and Virtual In-Path Support Commands

show in-path cdp


Description

Displays CDP settings for failover deployments using PBR to redirect traffic to the backup
Steelhead appliance.

Syntax

show in-path cdp

Parameters

None

Example

minna # show in-path cdp


CDP Enabled: no
Interval: 10 seconds
Hold Time: 180 seconds
minna #

Product

Steelhead appliance

Related Topics

Asymmetric Route Detection and Connection Forwarding Commands

show in-path lsp


Description

Displays whether link state propagation is enabled. When LSP is enabled, if the LAN interface
drops link then the WAN will do the same.

Syntax

show in-path lsp

Parameters

None

Example

minna # show in-path lsp


Link State Propagation Enabled: no
minna #

Product

Steelhead appliance

Related Topics

MAPI Support Commands


show in-path interfaces (Interceptor)


Description

Displays a list of appliance interfaces, indicates whether or not they are currently enabled, and
displays the VLAN tag (displays 0 if VLAN is disabled).

Syntax

show in-path interfaces

Parameters

None

Example

minna # show in-path interfaces
In-Path Interface(s):
inpath0_0: enabled  vlan: 0
inpath0_1: disabled vlan: 0
inpath1_0: disabled vlan: 0
inpath1_1: disabled vlan: 0
inpath2_0: disabled vlan: 0
inpath2_1: disabled vlan: 0
minna #

Product

Interceptor appliance

Related Topics

Peering Support Commands

show in-path neighbor (Interceptor)


Description

Displays the interface on which the Interceptor appliance communicates with neighbor peer
Steelhead appliances.

Syntax

show in-path neighbor

Parameters

None

Example

minna # show in-path neighbor


Neighbor Interface: inpath3_0
minna #

Product

Interceptor appliance

Related Topics

Peering Support Commands

show in-path neighbor (Steelhead)


Description

Displays connection forwarding settings.

Syntax

show in-path neighbor

Parameters

None


Example

minna # show in-path neighbor
Connection forwarding Enabled: no
Connection forwarding Port: 7850
Keepalive Count: 3
Keepalive Interval: 10

Product

Steelhead appliance

Related Topics

Asymmetric Route Detection and Connection Forwarding Commands

show in-path neighbor peers


Description

Displays the state of connections to peer neighbor Steelhead appliances.

Syntax

show in-path neighbor peers [configured] [brief]

Parameters

configured

Specify this option to display only a list of configured peers.

brief

Specify this option to display only brief status of peer connections.

Example

minna # show in-path neighbor peers
Neighbor 1:
Name: 172.0.131.3
Version: tahiti-x86_64-flamebox
Backup: 255.255.255.255:0
Last_reconnect: 2007/05/11 11:45:40
Optimized connections: 0
Admission Control: 40000
Interface: 172.0.131.3:7850
State: Connected
Neighbor 2:
Name: 172.0.131.4
Version: tahiti-x86_64-flamebox
Backup: 255.255.255.255:0
Last_reconnect: 2007/05/11 15:13:33
Optimized connections: 0
Admission Control: 15000
Interface: 172.0.131.4:7850
State: Connected
minna #

Product

Steelhead appliance

Related Topics

Peering Support Commands on page 328

show in-path peering auto


Description

Displays whether or not automatic in-path peer detection is enabled.

Syntax

show in-path peering auto

Parameters

None


Example

meow-mix # show in-path peering auto
Automatic Peering Enabled: yes
meow-mix #

Product

Steelhead appliance

Related Topics

in-path peering auto

show in-path peering rules


Description

Displays in-path peering rules used in serial cluster deployments.

Syntax

show in-path peering rules

Parameters

None

Example

minna # show in-path peering rules
Rule  Type   Source Network     Dest Network       Port  Peer Addr
----- ------ ------------------ ------------------ ----- -------------
1     pass   *                  *                  *     10.0.1.3
2     pass   *                  *                  *     10.0.1.
def   auto   *                  *                  *     *

Product

Steelhead appliance

Related Topics

in-path peering rule

show in-path rules


Description

Displays current in-path rules and VLAN identification numbers.

Syntax

show in-path rules

Parameters

None

Example Interceptor appliance

minna # show in-path rules
Rule  Type         Source             Destination        Port          VLAN
----- ------------ ------------------ ------------------ -------------
1     pass-through 0.0.0.0/0          0.0.0.0/0          Secure        all
2     pass-through 0.0.0.0/0          0.0.0.0/0          Interactive   all
def   redirect     all                all                all           all
---------------------------------------------------------------------------
2 user added rule(s)
minna #

Example Steelhead appliance

minna # show in-path rules
Rule  Type O N VLAN Source Addr        Dest Addr          Port
----- ---- - - ---- ------------------ ------------------ -------------
1     pass - - all  all                all                Secure
2     pass - - all  all                all                Interactive
def   auto F A all  all                all                all
----------------------------------------------------------------------
2 user added rule(s)
(O) Optimization Policy: F=Full S=SDR-Only C=Compr-Only N=None
(N) Neural Framing: N=Never A=Always T=TCP Hints D=Dynamic


Product

Interceptor appliance, Steelhead appliance

Related Topics

In-Path and Virtual In-Path Support Commands

show in-path simplified routing


Description

Displays simplified routing settings.

Syntax

show in-path simplified routing

Parameters

None

Example

minna # show in-path simplified routing
Collect mappings from destination MAC data: no
Collect mappings from source MAC data: no
Collect data from un-natted connections: no
minna #

Product

Steelhead appliance

Related Topics

Simplified Routing Support

show interfaces
Description

Displays the running state settings and statistics.

Syntax

show interfaces [<intname>] | [brief | configured]

Parameters

<intname>

Specifies the interface name. For example, aux, lan0_0, wan0_0, primary,
in-path0_0, lo.

brief

Displays the running state settings without statistics.

configured

Displays configured settings for the interface.

Usage

The set of settings and statistics displayed varies when using DHCP.


Example

minna # show interfaces lo
Interface lo state
Up: yes
IP address: 127.0.0.1
Netmask: 255.0.0.0
Speed:
Duplex:
Interface type: loopback
MTU: 16436
HW address: XX:XX:XX:XX:XX
RX bytes: 656
RX packets: 12
RX mcast packets: 0
RX discards: 0
RX errors: 0
RX overruns: 0
RX frame: 0
TX bytes: 656
TX packets: 12
TX discards: 0
TX errors: 0
TX overruns: 0
TX carrier: 0
TX collisions: 0

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

interface

show ip
Description

Displays IP settings.

Syntax

show ip {
flow-export
default gateway [static] |
in-path route <interface>
in-path-gateway <interface>
route [static]
security <cr> | peers}

Parameters

flow-export

Displays NetFlow settings.

default gateway [static]

Displays the default gateway or static default gateway.

in-path route <interface>

Displays in-path route settings for inpath0_0, inpath1_1, and so forth.

in-path-gateway <interface>

Displays in-path gateway settings for inpath0_0, inpath1_1, and so forth.

route [static]

Displays the IP route or IP static route.

security <cr> | peers

Displays IPSec connections to other appliances.

FIPS Mode
To verify if the system is FIPS-compliant, execute the show ip
security command. FIPS mandates that IPSec is disabled.


Example

minna # show ip route
Destination       Mask              Gateway
10.0.0.0          255.255.0.0       0.0.0.0
default           0.0.0.0           10.0.0.1
minna #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Host Setup Commands, FIPS/CC Compliance Commands

show job
Description

Displays the status of a scheduled job.

Syntax

show job <job-id>

Parameters

<job-id>

Specifies the job identification number.

Example

minna # show job 10
job {job_id}: 10
Status: pending
Name: myjob
Comment: this is a text
Absolute range:
Commands:
   show info.
   show connections.
   show version.

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

System Service and Other System Administration Commands

show limit bandwidth


Description

Displays the current value for bandwidth threshold settings.

Syntax

show limit bandwidth

Parameters

None

Example

minna # show limit bandwidth


Max rate: 4000 kb/s
wan0_0 : disabled
primary: disabled

Product

Steelhead appliance

Related Topics

Host Setup Commands


show limit connection


Description

Displays the current value for the connection limit setting.

Syntax

show limit connection

Parameters

None

Example

minna # show limit connection


Per source IP connection limit: 4096

Product

Steelhead appliance

Related Topics

Host Setup Commands

show load balance rules


Description

Displays load balancing settings.

Syntax

show load balance rules

Parameters

None

Example

minna # show load balance rules
Rule  Type      Source           Destination      Port        VLAN Target(s)
----- --------- ---------------- ---------------- ----------- ---- ------------
def   auto      all              all              all         all  auto
--------------------------------------------------------------------------------
0 user added rule(s)
minna #

Product

Interceptor appliance

Related Topics

Load-Balancing Commands

show logging
Description

Displays logging settings.

Syntax

show logging

Parameters

None

Example

minna # show logging


Local logging level: info
Default remote logging level: info
No remote syslog receivers configured.
Number of archived log files to keep: 10
Log rotation frequency: daily
minna #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Logging Commands


show ntp
Description

Displays NTP settings.

Syntax

show ntp

Parameters

None

Example

minna # show ntp


NTP enabled: yes
No NTP peers configured.
NTP server: 192.6.38.127 (version 4)
NTP server: 66.187.224.4 (version 4)
NTP server: 66.187.233.4 (version 4)

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Host Setup Commands

show out-of-path
Description

Displays out-of-path configuration settings.

Syntax

show out-of-path

Parameters

None

Example

minna # show out-of-path


Enabled:    no
Inner Port: 7810

Product

Steelhead appliance

Related Topics

Out-of-Path Support

show peer version


Description

Displays the current service connection protocol.

Syntax

show peer version

Parameters

None

Example

minna # show peer version


No peer setting defined.

Product

Steelhead appliance

Related Topics

Peering Commands


show peers
Description

Displays information about connected peers.

Syntax

show peers

Parameters

None

Example

minna # show peers
IP             Name      Model    Version    Licenses
10.11.22.17    tcfe17    2000     3.0-beta   CIFS/MAPI/MS-SQL

Product

Steelhead appliance

Related Topics

Peering Commands

show port-label
Description

Displays a list of port labels or a list of ports that belong to the label.

Syntax

show port-label [<name> | Secure | Interactive | RBT-Proto]

Parameters

<name>

Specify a port label name to display a list of ports that belong to the label.

Secure

Display the list of ports that belong to the system label for secure ports.
The Steelhead appliance automatically passes through traffic on commonly secure
ports (for example, ssh, https, and smtps). For a list of secure ports, see Appendix
A, Riverbed Ports.
If you do not want to pass through secure ports, you must delete the default
secure in-path rule. For detailed information, see in-path rule fixed-target on
page 190.

Interactive

Display the list of ports that belong to the system label for interactive ports.
The Steelhead appliance automatically passes through traffic on interactive ports
(for example, Telnet, TCP ECHO, remote logging, and shell). For a list of
interactive ports, see Appendix A, Riverbed Ports.
If you do not want to pass through interactive ports, you must delete the default
interactive in-path rule. For detailed information, see in-path rule fixed-target
on page 190.

RBT-Proto

Display the list of ports that belong to the label for system processes: 7744 (data
store synchronization), 7800-7801 (in-path), 7810 (out-of-path), 7820 (failover),
7850 (connection forwarding), 7860 (Interceptor appliance).

Example

minna # show port-label
Port Label: Interactive
Port Label: Secure
minna # show port-label Secure
Port Label: Secure
22, 261, 443, 448, 465, 563, 585, 614, 636, 684, 695, 989-990, 992-995, 1701,
1723, 2252, 2478-2479, 2482, 2484, 2679, 2762, 2998, 3077-3078, 3183, 3191, 3220,
3269, 3410, 3424, 3471, 3496, 3509, 3529, 3539, 3660-3661, 3713, 3747, 3864,
3885, 3896-3897, 3995, 4031, 5007, 5061, 7674, 9802, 11751, 12109


Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Port Alias Support

show pfs all-info shares


Description

Displays PFS share settings.

Syntax

show pfs all-info shares [<cr>] [local-name <localname>]

Parameters

<cr>

Displays PFS settings for all shares.

local-name <localname>

Displays the PFS settings for the specified local share.

Example

minna # show pfs all-info shares


no registered shares

Product

Steelhead appliance

Related Topics

PFS Support Commands

show pfs configuration


Description

Displays PFS configuration settings.

Syntax

show pfs configuration {domain} {shares [<cr>] [local-name <localname>]} {workgroup}

Parameters

domain

Displays PFS domain settings.

shares <cr>

Displays the PFS settings for all shares.

shares local-name <localname>

Displays the PFS settings for the specified local share.

workgroup

Displays PFS workgroup settings.

Example

meow-mix # show pfs configuration workgroup
Workgroup               : nbttech
Domain Required         : yes
meow-mix # show pfs configuration domain
Domain Name             : nbttech.com
Short Domain Name       : nbttech
Login                   :
Domain Controller List  : daltrey
Domain Required         : yes
Domain Check Required   : yes
meow-mix #

Product

Steelhead appliance

Related Topics

PFS Support Commands


show prepop
Description

Displays prepopulation settings.

Syntax

show prepop {[all-info | configuration | stats | status] shares | remote-path <remote-path>}

Parameters

all-info | configuration | stats | status

Specifies which prepopulation settings to display:

all-info. Specifies complete prepopulation setting information.
configuration. Specifies prepopulation configuration information.
stats. Specifies prepopulation statistics.
status. Specifies prepopulation status.

shares <cr>

Specifies that settings for all shares are displayed.

shares remote-path <remote-path>

Displays settings for the share named <remote-path>.

Example

minna # show prepop all-info shares


No registered shares

Product

Steelhead appliance

Related Topics

Prepopulation Support Commands

show protocol cifs


Description

Displays CIFS settings.

Syntax

show protocol cifs

Parameters

None

Example

minna # show protocol cifs


Enable Transparent Prepopulation Support: no
Disable CIFS Write Optimization:          no
Security Signature Optimization:          yes
Overlapping Open Enabled:                 yes

Product

Steelhead appliance

Related Topics

CIFS Support Commands

show protocol cifs oopen


Description

Displays CIFS overlapping open sessions.

Syntax

show protocol cifs oopen

Parameters

None


Example

minna # show protocol cifs oopen


Enabled:             yes
Optimization Policy: deny first
Extensions to always allow:
   doc, pdf, ppt, sldasm, slddrw, slddwg, sldprt, txt, vsd, xls
Extensions to always deny:
   ldb, mdb

Product

Steelhead appliance

Related Topics

CIFS Support Commands

show protocol connection


Description

Displays HS-TCP settings.

Syntax

show protocol connection

Parameters

None

Example

minna # show protocol connection
LAN:
   Send socket buffer size:            81920 bytes
   Receive socket buffer size:         32768 bytes
WAN:
   Default send socket buffer size:    262140 bytes
   Default receive socket buffer size: 262140 bytes

Product

Steelhead appliance

Related Topics

HS-TCP Support Commands

show protocol ftp


Description

Displays FTP settings.

Syntax

show protocol ftp

Parameters

None

Example

minna # show protocol ftp


FTP Port Enable
-------- ------
21       true

Product

Steelhead appliance

Related Topics

web proxy host

show protocol http


Description

Displays HTTP settings.

Syntax

show protocol http


Parameters

None

Example

meow-mix # show protocol http


Enabled: yes
NTLM Authentication Settings:
Default
Reuse Auth: no
Pre-Fetch Objects with Extensions:
css
gif
jpg
js
meow-mix #

Product

Steelhead appliance

Related Topics

HTTP Support Commands

show protocol jinitiator


Description

Displays JInitiator settings.

Syntax

show protocol jinitiator

Parameters

None

Example

minna # show protocol jinitiator


Enabled: yes

Product

Steelhead appliance

Related Topics

JInitiator Support Commands

show protocol mapi


Description

Displays MAPI settings.

Syntax

show protocol mapi

Parameters

None

Example

minna # show protocol mapi


Incoming MAPI Port:         7830
Prepop Enabled:             yes
Prepop Max Connections:     1125
Prepop Poll Interval:       20 min(s)
Prepop Timeout:             96 hr(s)
NSPI Port:                  7840
MAPI/Exchange 2003 Support: yes

Product

Steelhead appliance

Related Topics

MAPI Support Commands


show protocol ms-sql


Description

Displays MS SQL settings.

Syntax

show protocol ms-sql

Parameters

None

Example

minna # show protocol ms-sql
Enable entire MS-SQL blade:          yes
MS-SQL server port:                  1433
MS-SQL number of preacknowledgement: 5
MS-SQL prefetch fetch-next:          yes

Product

Steelhead appliance

Related Topics

MS-SQL Blade Support Commands

show protocol ms-sql rules


Description

Displays MS SQL rules.

Syntax

show protocol ms-sql rules

Parameters

default-cmds

Displays only the MS-SQL default commands.

default-config

Displays only the MS-SQL default configuration.


Example

minna # show protocol ms-sql rules
MS-SQL RPC Rule
Rule ID App Name RPC ID RPC Name Num Params RPC Query Cursor Type
------- -------- ------ -------- ---------- --------- -----------
1       Microsoft\(R\) Project for Windows\(TM\) 0 sp_ddopen 9
MS-SQL RPC Arg Rule
Arg-Offset Expr
---------- --------------------------------------------------------
1          sp_tables
5          MSP_PROJECTS
MS-SQL RPC Action
Action ID Num Reps Invalidate Miss Policy Prefetch Preack
--------- -------- ---------- ----------- -------- ------
1         1        flush-all  0           true     true
MS-SQL RPC Arg Action Rule
Arg-Offset Expr
---------- --------------------------------------------------------
5          replace MSP_NUMBER_FIELDS
MS-SQL RPC Action
Action ID Num Reps Invalidate Miss Policy Prefetch Preack
--------- -------- ---------- ----------- -------- ------
2         1        flush-all  0           true     true
MS-SQL RPC Arg Action Rule
Arg-Offset Expr
---------- --------------------------------------------------------
5          replace MSP_TEXT_FIELDS
MS-SQL RPC Action
Action ID Num Reps Invalidate Miss Policy Prefetch Preack
--------- -------- ---------- ----------- -------- ------
3         1        flush-all  0           true     true
MS-SQL RPC Arg Action Rule
Arg-Offset Expr
---------- --------------------------------------------------------
5          replace MSP_DATE_FIELDS
(this is a partial example)

Product

Steelhead appliance

Related Topics

MS-SQL Blade Support Commands

show protocol nfs


Description

Displays NFS server and volume settings.

Syntax

show protocol nfs [server <name> {full | lookup-volumes | volume id <fsid>} | servers {<cr> | full}]

Parameters

server <name> {full | lookup-volumes | volume id <fsid>}

Displays information for the NFS server specified by <name>. You can specify the
following levels of detail:

full. Displays full details.
lookup-volumes. Displays a list of NFS server volumes that have been exported.
volume id <fsid>. Displays details for the NFS server volume.

servers {full}

Displays NFS server settings.

Example

minna # show protocol nfs


Global:
NFS Enabled: yes
V2/V4 Alarm Enabled: yes
Memory Soft Limit: 10000000
Memory Hard Limit: 12000000
Max Directory Count: 5242880 bytes
Max Symlink Count: 524288 bytes
Default NFS Server Settings:
Policy: Global Read-Write
Default NFS Volume Settings:
Policy: Global Read-Write

Product

Steelhead appliance

Related Topics

NFS Support Commands

show protocol ssl


Description

Displays SSL configuration settings and certificates.

Syntax

show protocol ssl [<cr>]

Parameters

<cr>

Show all.

Example

minna # show protocol ssl
Enabled: no
Fail handshakes if a relevant CRL cannot be found: no

CA certificates:
   AOL_Time_Warner_1
   AOL_Time_Warner_2
   Actalis
   AddTrust_Class_1
   AddTrust_External
   AddTrust_Public
   <<partial list>>

Product

Steelhead appliance

Related Topics

SSL Support Commands

show protocol ssl backend


Description

Displays SSL configuration settings and certificates.

Syntax

show protocol ssl [<cr>] [{backend {client | server} cipher-string}] [ca] [expiring-certs] [{peering {ca | certificate | cipher-strings}}] [server]

Parameters

backend {client | server} cipher-string

Show cipher strings.

Example

minna # show protocol ssl backend client cipher-string
#   Cipher String/Suite Name
--- ------------------------------
1   DEFAULT

Product

Steelhead appliance

Related Topics

SSL Support Commands

show protocol ssl ca


Description

Displays current status of CRL polling.

Syntax

show protocol ssl ca <ca name> <cr> certificate raw <cr>| text <cr>

Parameters

ca <ca name>

Specify the CA name.

certificate

Displays SSL CA certificate.

raw <cr>

Display CA in raw format.

text <cr>

Displays CA certificate in text format.

Example

amnesiac > show protocol ssl crl ca Actalis certificate text


Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1034588298 (0x3daa908a)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=IT, O=Actalis S.p.A., OU=Certification Service Provider, CN=Actalis Root CA
Validity
Not Before: Oct 14 09:38:38 2002 GMT
Not After : Oct 14 08:38:38 2022 GMT
Subject: C=IT, O=Actalis S.p.A., OU=Certification Service Provider, CN=Actalis Root CA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
00:bc:54:63:8a:98:15:48:be:6a:ae:e1:70:90:4a:
a4:55:00:26:8b:6e:8d:4f:eb:b3:df:ca:c8:53:6c:
84:e4:30:ba:3d:bb:fb:f3:c0:40:8c:c1:62:ce:ae:
20:4e:37:1f:5c:36:fe:7a:88:5e:00:e2:a9:8a:1e:
5d:a6:ca:d3:81:c9:f5:74:33:62:53:c2:28:72:2b:
c2:fb:b7:c1:81:d3:c3:fa:d7:eb:a9:62:05:94:1e:
ac:1f:53:69:2b:ca:39:1c:36:8f:63:38:c5:31:e4:
<<partial listing>>

Product

Steelhead appliance

Related Topics

SSL Support Commands

show protocol ssl crl


Description

Displays current status of CRL polling.

Syntax

show protocol ssl crl ca <ca name> | cas <cr> | crl-file <string> text | peering {ca <string> | cas crl-file <string> text}

Parameters

ca <ca name>

Display current state of CRL polling of a CA.

crl cas <cr> | crl-file <string> text

Display CRL in text format version.

crl peering ca <string> | cas crl-file <string> text

Display CRL file by peering CA(s).

crl report ca <string> | peering ca <string>

Display reports of CRL polling from CA or display reports of CRL polling from peer.

Example

amnesiac > show protocol ssl crl ca Actalis


Automatically Discovered CDPs:
(can be overriden by manually configured CDP URIs):
CA: Actalis
CDP Index: 1
DP Name 1: URI:ldap://ldap.actalis.it/cn%3dActalis%20Root%20CA,ou%3dCertification%20Service%20Provider,o%3dActalis%20S.p.A.,c%3dIT?certificateRevocationList;binary
Last Query Status: unavailable
CDP Index: 2
DP Name 1: URI:http://ca.actalis.it/crl/root/getCRL
Last Query Status: unavailable
Manually Configured CDP URIs:
(Dangling manually configured CDP URIs for certificates that do
not exist will NOT be updated.)
No manually configured CDP URIs.

Product

Steelhead appliance

Related Topics

SSL Support Commands

show protocol ssl expiring-certs


Description

Displays expiring or expired SSL certificates.

Syntax

show protocol ssl expiring-certs

Parameters

expiring-certs

Display any certificates with impending expiration dates (60 days) and
expired dates.

Example

amnesiac > show protocol ssl expiring-certs
Peering certificate is OK.
All server certificates are OK.
All server chain certificates are OK.
All CA certificates are OK.
All peering trust certificates are OK.

Product

Steelhead appliance

Related Topics

SSL Support Commands

show protocol ssl peering


Description

Displays current status of CRL polling.

Syntax

show protocol ssl crl ca <ca name> | cas <cr> | crl-file <string> text | peering {ca <string> | cas crl-file <string> text}

Parameters

ca <ca name> certificate <cr> | raw | text

Displays SSL peering trusted CAs in raw or text format.

certificate <cr> | raw | text

Displays SSL peering certificate in raw or text format.

cipher-strings <cr> | verbose

Display CRL file by peering CA(s).

crl report ca <string> | peering ca <string>

Displays the cipher strings used for peering.

Example

amnesiac > show protocol ssl peering ca Actalis certificate

Product

Steelhead appliance

Related Topics

SSL Support Commands

show protocol ssl scep peering


Description

Displays SCEP peering settings.

Syntax

show protocol ssl scep peering

Parameters

None

Example

amnesiac > show protocol ssl peering scep peering


Peering SCEP settings:
   URL:
   When server responds with 'pending':
      Maximum number of polls: 5
      Poll frequency:          5 (minutes)
   Automatic re-enrollment:
      Enabled:                 no
      Expiration threshold:    30 (days)
No peering SCEP CA certificates.

Product

Steelhead appliance

Related Topics

SSL Support Commands

show protocol ssl scep peering auto-reenroll


Description

Displays SCEP automatic re-enrollment information.

Syntax

show protocol ssl scep peering auto-reenroll csr | last-result


Parameters

csr

Displays auto-reenrollment CSR.

last-result

Displays result of the last completed automatic re-enrollment.

Example

amnesiac > show protocol ssl scep peering auto-reenroll last-result


% No completed (non-interrupted) automatic re-enrollment since boot.

Product

Steelhead appliance

Related Topics

SSL Support Commands

show protocol ssl scep peering ca


Description

Displays SCEP peering CA.

Syntax

show protocol ssl scep peering ca <ca name> certificate

Parameters

<ca name>

Specify the CA name.

certificate

Displays SCEP peering CA certificate.

Example

amnesiac > show protocol ssl scep peering ca GoDaddy certificate

Product

Steelhead appliance

Related Topics

SSL Support Commands

show protocol ssl scep peering enrollment status


Description

Displays SCEP enrollment information.

Syntax

show protocol ssl scep peering enrollment status

Parameters

None

Example

amnesiac > show protocol ssl scep peering enrollment status

Product

Steelhead appliance

Related Topics

SSL Support Commands

show protocol ssl scep peering on-demand


Description

Displays SCEP on-demand enrollment information.

Syntax

show protocol ssl scep peering on-demand csr | last-result

Parameters

csr

Displays enrollment CSR.

last-result

Displays the result of the last completed automatic re-enrollment.

Example

amnesiac > show protocol ssl scep peering on-demand csr


Product

Steelhead appliance

Related Topics

SSL Support Commands

show protocol ssl server


Description

Displays SSL servers and certificates.

Syntax

show protocol ssl server <cr> {ip <ip address> <cr> port <port> [certificate | chain-cert <name> certificate | chain-certs <cr>]}

Parameters

<cr>

Displays SSL servers.

{ip <ip address> <cr> port <port> [certificate | chain-cert <name> certificate | chain-certs <cr>]}

Specifies the IP address of the SSL server you want to display.

certificate

Displays SSL server certificate.

chain-cert <name> certificate

Specifies the name of the chain certificate that you want to display.

chain-certs <cr>

Displays all chain certificates.

Example

minna (config) # show protocol ssl server


SSL servers:
1.1.1.1:443 (Enabled: yes)
2.2.2.2:443 (Enabled: yes)
tcfe51 (config) # show protocol ssl server ip 1.1.1.1 chain-certs
No chain certificates.

Product

Steelhead appliance

Related Topics

SSL Support Commands

show qos classification


Description

Displays QoS classification settings.

Syntax

show qos classification [classes | rules]

Parameters

classes

Displays QoS classification class settings.

rules

Displays QoS classification rules.

Example

minna # show qos classification


QoS Settings (QoS Enabled)
Interface Burst (kbit) LinkRate (kbps)
--------- ------------ ---------------
wan0_0    2500         10000

Product

Steelhead appliance

Related Topics

QoS Support Commands


show qos dscp rules


Description

Displays QoS DSCP rules.

Syntax

show qos dscp rules traffic-type {optimized | pass-through}

Parameters

None

Example

minna # show qos dscp rules traffic-type optimized


Rule  Source             Destination        Port            DSCP
----- ------------------ ------------------ --------------- ----
def   all                all                all             refl
----------------------------------------------------------------
0 user added rule(s)

Product

Steelhead appliance

Related Topics

QoS Support Commands

show radius
Description

Displays RADIUS configuration settings.

Syntax

show radius

Parameters

None

Usage

Use this command to confirm that you are running in FIPS-approved mode. RADIUS must be
disabled for FIPS-mode. For detailed information, see the FIPS/CC Administrators Guide.

Example

minna # show radius


RADIUS defaults:
key:
timeout: 3
retransmit: 1
No RADIUS servers configured.

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Authentication Commands, FIPS/CC Compliance Commands

show raid configuration


Description

Displays RAID configuration information.

Syntax

show raid configuration

Parameters

None


Example

minna # show raid configuration
Logical Drive : 0( Adapter: 0 ): Status: OPTIMAL
---------------------------------------------------
SpanDepth :03      RaidLevel: 1  RdAhead : No  Cache: Direction
StripSz   :064KB   Stripes  : 2  WrPolicy: WriteThru

Logical Drive 0 : SpanLevel_0 Disks
Chnl  Target  StartBlock   Blocks       Physical Target Status
----  ------  ----------   ------       ----------------------
0     00      0x00000000   0x1d1c3000   ONLINE
0     01      0x00000000   0x1d1c3000   ONLINE

Logical Drive 0 : SpanLevel_1 Disks
Chnl  Target  StartBlock   Blocks       Physical Target Status
----  ------  ----------   ------       ----------------------
0     02      0x00000000   0x1d1c3000   ONLINE
0     03      0x00000000   0x1d1c3000   ONLINE

Logical Drive 0 : SpanLevel_2 Disks
Chnl  Target  StartBlock   Blocks       Physical Target Status
----  ------  ----------   ------       ----------------------
0     04      0x00000000   0x1d1c3000   ONLINE
0     05      0x00000000   0x1d1c3000   ONLINE

Product

Steelhead appliance

Related Topics

show hardware, show hardware watchdog

show raid diagram


Description

Displays the physical layout of the RAID disks and the state of each drive: Online; Offline; Fail;
Rebuild; Missing; Spare.

Syntax

show raid diagram

Parameters

None


Example

minna # show raid diagram
series 3000 layout:
[============][============][============][============]
[            ][            ][            ][   spare    ]
[============][============][============][============]
-------------------------------------------------------
[============][============][============][============]
[            ][            ][            ][            ]
[============][============][============][============]
-------------------------------------------------------
[============][============][============][============]
[ 1 : online ][ 2 : online ][ 3 : online ][ 4 : online ]
[============][============][============][============]
series 5000 layout:
[============][============][============][============]
[            ][            ][            ][   spare    ]
[============][============][============][============]
-------------------------------------------------------
[============][============][============][============]
[ 5 : online ][ 6 : online ][            ][            ]
[============][============][============][============]
-------------------------------------------------------
[============][============][============][============]
[ 1 : online ][ 2 : online ][ 3 : online ][ 4 : online ]
[=========-===][============][============][============]

Product

Steelhead appliance

Related Topics

show hardware, show hardware watchdog

show raid info


Description

Displays RAID information.

Syntax

show raid info

Parameters

None

Example

minna # show raid info


Firmware Version : 712T BIOS Version : G116
Logical Drives : 01 DRAM : 64MB
Rebuild Rate : 30%
Flush Interval : 4 secs
Number Of Chnls : 1 Bios Status : Enabled
Alarm State : Enabled Auto Rebuild : Enabled
FW : SPAN-8, 40-LD BIOS Config AutoSelection : USER
BIOS Echos Mesg : ON BIOS Stops On Error : ON
Initiator Id : 16(Clustered Firmware)
Board SN: {STX}33686018
**********************************************************************

Product

Steelhead appliance

Related Topics

show hardware, show hardware watchdog


show raid physical


Description

Displays RAID physical details.

Syntax

show raid physical

Parameters

None

Example

minna # show raid physical
Adapter 0, Channel 0, Target ID 0
----------------------------------------
Type: DISK                Vendor      : WDC
Product: WD2500SD-01KCB0  Revision    : 08.0
Synchronous   : No        Wide-32     : No    Wide-16: No
LinkCmdSupport: No        TagQ support: No    RelAddr: No
Removable     : No        SoftReset   : No    AENC   : No

Adapter 0, Channel 0, Target ID 1
----------------------------------------
Type: DISK                Vendor      : WDC
Product: WD2500SD-01KCB0  Revision    : 08.0
Synchronous   : No        Wide-32     : No    Wide-16: No
LinkCmdSupport: No        TagQ support: No    RelAddr: No
Removable     : No        SoftReset   : No    AENC   : No

(this is a partial example)

Product

Steelhead appliance

Related Topics

show hardware, show hardware watchdog

show redirect
Description

Displays the interface the appliance uses to communicate with peers.

Syntax

show redirect

Parameters

None

Example

minna # show redirect


Redirect Interface: inpath3_0
minna #

Product

Interceptor appliance

Related Topics

Load-Balancing Commands


show redirect peers


Description

Displays status of Redirect Peers. Redirect Peers include Interceptor appliances deployed in
parallel to cover asymmetric routing, as well as an Interceptor appliance that functions as a
failover buddy.

Syntax

show redirect peers [configured] [brief]

Parameters

configured

Specify this option to display only a list of configured peers.

brief

Specify this option to display only brief status of peer connections.

Example

minna # show redirect peers
Peer                     Version       Backup                Last Reconnect
------------------------ ------------- --------------------- -------------------
gen-sh5                  1.1-beta      255.255.255.255:0     2007/05/10 15:30:33
   Interface(s):                       172.0.13.4:7860       Connected
minna #

Product

Interceptor appliance

Related Topics

Load-Balancing Commands

show running-config
Description

Displays the running configuration settings that differ from the defaults.

Syntax

show running-config [full]

Parameters

full

Displays all settings, including those set to the default value.

Example

minna # show running-config
(displays running configuration)

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Configuration and File Manipulation Commands

show service
Description

Displays the state of the Steelhead service.

Syntax

show service

Parameters

None

Example

minna # show service


Optimization Service: Running

Product

Steelhead appliance

Related Topics

System Service and Other System Administration Commands


show service connection pooling


Description

Displays connection pooling settings.

Syntax

show service connection pooling

Parameters

None

Example

minna # show service connection pooling


Connection Pooling Max Pool Size: 20

Product

Steelhead appliance

Related Topics

Connection Pooling Commands

show service neural-framing


Description

Displays neural framing settings.

Syntax

show service neural-framing

Parameters

None

Example

minna # show service neural-framing


Enable Computation of Neural heuristics: no
minna #

Product

Steelhead appliance

Related Topics

System Service and Other System Administration Commands

show service ports


Description

Displays service port settings.

Syntax

show service ports

Parameters

None

Example

minna # show service ports


Service ports:
7800 (default)
7810
minna #

Product

Steelhead appliance

Related Topics

System Service and Other System Administration Commands


show snmp
Description

Displays SNMP server settings.

Syntax

show snmp

Parameters

None

Usage

Use this command to confirm that you are running in FIPS-approved mode. SNMPv2 must be
disabled for FIPS-mode. For detailed information, see the FIPS/CC Administrators Guide.

Example

minna # show snmp


SNMP enabled: yes
System location:
System contact:
Read-only community: riverbed
Traps enabled: yes
Interface listen enabled: no
Trap interface: primary
Persistent ifindex: no
No Listen Interfaces.
No trap sinks configured.

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Notification and SNMP Commands, FIPS/CC Compliance Commands

show ssh client


Description

Displays the client settings.

Syntax

show ssh client

Parameters

None

Example

minna # show ssh client


No user identities configured.
SSH authorized keys:

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Secure Shell Access Commands

show ssh server


Description

Displays the server settings.

Syntax

show ssh server

Parameters

None

Usage

FIPS mandates that remote SSH daemon connections are made using SSH v2. For detailed
information, see the FIPS/CC Administrators Guide.

Example

minna # show ssh server


SSH server enabled: yes
SSH server listen enabled: no
SSH port: 22
SSH v2 only: no
No Listen Interfaces.

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Secure Shell Access Commands, FIPS/CC Compliance Commands

show ssh server allowed-ciphers


Description

Show SSH server allowed ciphers.

Syntax

show ssh server allowed-ciphers

Parameters

None

Example

minna # show ssh server allowed-ciphers


SSH server allowed ciphers:
--------------------------
aes128-ctr
aes192-ctr
aes256-ctr

Product

CMC appliance, Steelhead appliance

Related Topics

FIPS/CC Compliance Commands

show support sha512-pass


Description

Displays FIPS password file settings.

Syntax

show support sha512-pass

Parameters

None

Usage

For FIPS compliance, password files must be SHA-512 encrypted. Execute this command to
display password file settings.
SHA-512 encryption is enabled when you execute the reset factory command. If your system fails
to have SHA-512 encryption after you have executed the reset factory command, execute the sha512-pass enable command.

Example

minna (config) # show support sha512-pass

Product

Steelhead appliance

Related Topics

FIPS/CC Compliance Commands

show tacacs
Description

Displays TACACS+ settings.

Syntax

show tacacs

Parameters

None

Usage

Use this command to confirm that you are running in FIPS-approved mode. TACACS+ must be
disabled for FIPS-mode. For detailed information, see the FIPS/CC Administrators Guide.

Example

minna # show tacacs


TACACS+ defaults:
key:
timeout: 3
retransmit: 1
first_hit: no
TACACS+ global:
first_hit: no
No TACACS+ servers configured.

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Authentication Commands, FIPS/CC Compliance Commands

show tcp highspeed


Description

Displays HS-TCP settings.

Syntax

show tcp highspeed

Parameters

None

Example

minna # show tcp highspeed


High Speed TCP license found: no
High Speed TCP enabled: no

Product

Steelhead appliance

Related Topics

HS-TCP Support Commands

show tcp reordering


Description

Displays TCP reordering information.

Syntax

show tcp reordering

Parameters

None

Example

minna # show tcp reordering


TCP reordering enabled: no
TCP reordering threshold: 3

Product

Steelhead appliance

Related Topics

HS-TCP Support Commands

show telnet-server
Description

Displays Telnet server settings.

Syntax

show telnet-server

Parameters

None

Usage

Use this command to confirm that you are running in FIPS-approved mode. Telnet must be
disabled for FIPS-mode. For detailed information, see the FIPS/CC Administrators Guide.

Example

minna # show telnet-server


Telnet server enabled: no

Product

Steelhead appliance

Related Topics

CLI Terminal Configuration Commands, FIPS/CC Compliance Commands

show terminal
Description

Displays terminal settings.

Syntax

show terminal

Parameters

None

Example

minna # show terminal


CLI current session settings
Terminal width: 80 columns
Terminal length: 24 rows
Terminal type: xterm

Product

Steelhead appliance

Related Topics

CLI Terminal Configuration Commands

show usernames
Description

Displays information about active or configured users.

Syntax

show usernames

Parameters

None

Example

minna # show usernames


admin
monitor

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Authentication Commands

show wccp
Description

Displays WCCP settings.

Syntax

show wccp

Parameters

None

Example

minna # show wccp


WCCP Support Enabled: no
WCCP Multicast TTL:

Product

Steelhead appliance

Related Topics

WCCP Support Commands

show web
Description

Displays current Web settings.

Syntax

show web

Parameters

None

Usage

FIPS Mode
Use this command to confirm that you are running in FIPS-approved mode. For FIPS mode, HTTP
must be disabled, HTTPS must be enabled, SSLv2 must be disabled, SSLv3 must be enabled, and
TLSv1 must be enabled.

Example

minna # show web


HTTP enabled: no
HTTP port: 80
HTTPS enabled: yes
HTTPS port: 443
Configure Mode TRAP: yes
Inactivity timeout: 1000 minutes
Session timeout: 1000 minutes
Session renewal threshold: 500 minutes
Timeout during report auto-refresh: yes
SSLv2 enabled: no
SSLv3 enabled: no
TLSv1 enabled: yes
Listen enabled: yes
No Listen Interfaces.

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Management Console Configuration Commands, FIPS/CC Compliance Commands
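
The FIPS-mode checks that the Usage notes for show ssh server, show telnet-server and show web describe can be run over captured CLI output. The following Python code is an added example, not Riverbed code: the rule table encodes only the requirements stated in this manual, the sample outputs are the examples printed in this manual, and the names FIPS_REQUIREMENTS, parse_settings, audit and PAGE_SAMPLES are hypothetical.

```python
import re

# Required values, taken from the Usage notes in this manual. The labels
# are the ones printed in the example output of each command.
FIPS_REQUIREMENTS = {
    "show ssh server": {"SSH v2 only": "yes"},
    "show telnet-server": {"Telnet server enabled": "no"},
    "show web": {
        "HTTP enabled": "no",
        "HTTPS enabled": "yes",
        "SSLv2 enabled": "no",
        "SSLv3 enabled": "yes",
        "TLSv1 enabled": "yes",
    },
}

# CLI prompt line such as "minna # show web" or "minna (config) # ...".
PROMPT = re.compile(r"^\S+(?: \(config\))? [#>]")


def parse_settings(output):
    """Turn 'Label: value' lines into a dict.

    Prompt lines and lines without a colon (for example
    'No Listen Interfaces.') are skipped.
    """
    settings = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or PROMPT.match(line):
            continue
        label, sep, value = line.partition(":")
        if sep:
            settings[label.strip()] = value.strip()
    return settings


def audit(captured):
    """Return (command, label, expected, actual) for every deviation.

    A required label that is absent from the capture is reported with
    actual=None, so a missing or truncated capture fails closed.
    """
    findings = []
    for command, required in FIPS_REQUIREMENTS.items():
        settings = parse_settings(captured.get(command, ""))
        for label, expected in required.items():
            actual = settings.get(label)
            if actual is None or actual.lower() != expected:
                findings.append((command, label, expected, actual))
    return findings


# Example outputs as printed in this manual, keyed by the command that
# produced them (assumed to be saved as text from a logged CLI session).
PAGE_SAMPLES = {
    "show ssh server": """\
minna # show ssh server
SSH server enabled: yes
SSH server listen enabled: no
SSH port: 22
SSH v2 only: no
No Listen Interfaces.
""",
    "show telnet-server": """\
minna # show telnet-server
Telnet server enabled: no
""",
    "show web": """\
minna # show web
HTTP enabled: no
HTTP port: 80
HTTPS enabled: yes
HTTPS port: 443
Configure Mode TRAP: yes
Inactivity timeout: 1000 minutes
Session timeout: 1000 minutes
Session renewal threshold: 500 minutes
Timeout during report auto-refresh: yes
SSLv2 enabled: no
SSLv3 enabled: no
TLSv1 enabled: yes
Listen enabled: yes
No Listen Interfaces.
""",
}

if __name__ == "__main__":
    for command, label, expected, actual in audit(PAGE_SAMPLES):
        shown = "missing from output" if actual is None else actual
        print(f"{command}: '{label}' should be {expected}, found {shown}")
```

Run against the example outputs printed in this manual, the check reports SSH v2 only: no and SSLv3 enabled: no as deviations from the requirements the Usage notes state.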

show web prefs


Description

Displays current Web preferences.

Syntax

show web prefs

Parameters

None

Example

minna # show web prefs


Log:
Lines Per Page: 100

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Management Console Configuration Commands

show web ssl cipher


Description

Displays current Apache SSL ciphers.

Syntax

show web ssl cipher

Parameters

None

Example

minna # show web ssl cipher


Apache SSL cipher string: aes128-cbc,blowfish-cbc

Product

CMC appliance, Steelhead appliance

Related Topics

FIPS/CC Compliance Commands on page 318

Displaying System Data


This section describes commands you use to display system data, including statistics and files generated by
system processes. It includes the following commands:
show configuration files
show connection
show connections
show files debug-dump
show files sa
show files stats
show files tcpdump
show images
show info
show in-path asym-route-tab
show in-path ar-circbuf
show jobs
show licenses
show log
show pfs status
show pfs stats shares
show raid error-msg
show stats
show tcp statistics
show version
show version history

show configuration files


Description

Displays the list of active and backup configuration files.

Syntax

show configuration files [<filename>]

Parameters

<filename>

Specifies a particular configuration file.

Example

minna # show configuration files


initial (active)
initial.bak

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Configuration and File Manipulation Commands

show connection
Description

Displays information about a single connection.

Syntax

show connection srcip <source IP addr> srcport <source port> dstip <destination IP addr>
dstport <destination port>

Parameters

srcip <source IP addr>

Specifies the source IP address.

srcport <source port>

Specifies the source port.

dstip <destination IP address>

Specifies the destination IP address.

dstport <destination port>

Specifies the destination port.

Example

minna # show connection srcip 10.11.62.56 srcport 36433 dstip 10.11.60.9 dstport 7810
Type:                Passthrough
Source:              10.11.62.56:36433
Destination:         10.11.60.9:7810
Application:
Reduction:           0%
Client Side:         no
Since:               2006/02/21 17:24:00
Peer Appliance:      0.0.0.0:0
Inner Local Port:    0
Outer Local:         0.0.0.0:0
Outer Remote:        0.0.0.0:0
LAN Side Statistics:
Bytes:               0
Packets:             0
Retransmitted:       0
Fast Retransmitted:  0
Timeouts:            0
Congestion Window:   0
WAN Side Statistics:
Bytes:               0
Packets:             0
Retransmitted:       0
Fast Retransmitted:  0
Timeouts:            0
Congestion Window:   0

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Statistics Configuration Commands

show connections
Description

Displays connections running through the appliance.

Syntax

show connections {<type>} [filter <filter-string>] [sort-by <state>] [brief | full]

Parameters

<type>

optimized

Specifies the total active connections optimized. A U is displayed next to the appliance name
if the connection is in an unknown state.

passthrough

Specifies the total connections passed through, unoptimized. A U is displayed next to the
appliance name if the connection is in an unknown state.

forwarded

Specifies the total number of connections that were forwarded when you have configured a
connection forwarding neighbor to manage the connection.

opening

Specifies the total half-opened active connections. A half-opened connection is a TCP
connection in which the connection has not been fully established. Half-opened connections
count toward the connection count-limit on the appliance because at any time they might become
fully opened connections. If you are experiencing a large number of half-opened connections,
consider deploying an appropriately sized appliance. A U is displayed next to the appliance
name if the connection is in an unknown state.

closing

Specifies the total half-closed active connections. A half-closed connection is a TCP
connection which has been closed on one side. The other side of the connection can still send
data. These connections count toward the appliance connection count-limit. If you experience a
large number of half-closed connections, consider deploying an appropriately sized appliance.
A U is displayed next to the appliance name if the connection is in an unknown state.

discarded

Show discarded connections only.

denied

Show denied connections only.

<cr>
filter <string>

Filters the list according to string. For example, to filter by IP address (such as
srcip or destip), the filter string is the IP address.

sort-by <state>

Sort results by the following states:

srcip. Sort connections by source IP address.
srcport. Sort connections by source port.
destip. Sort connections by destination IP address.
peerip. Sort connections by peer IP address.
peerport. Sort connections by peer port.
app. Sort connections by application, such as HTTP.
reduction. Sort connections by percent of reduction in bandwidth.
bytes_in. Sort connections by total number of bytes in.
bytes_out. Sort connections by total number of bytes out.
starttime. Sort connections by start time.

brief|full

Specify a brief or full report.

Example

minna # show connections


T  Source                 Destination            App   Rdxn  Since
-------------------------------------------------------------------------------
O  10.11.141.1      2842  10.11.141.2       135  EPM    45%  2007/05/02 14:21:59
O  10.11.141.1      2843  10.11.141.2      1025  TCP    16%  2007/05/02 14:22:00
O  10.11.141.3      4765  10.11.141.4       445  CIFS   23%  2007/05/02 14:21:14
O  10.11.141.4      4667  10.11.141.2       445  CIFS    1%  2007/05/02 14:04:40
-------------------------------------------------------------------------------
Established Optimized (O):    4
Half-Opened Optimized (H):    0
Half-Closed Optimized (C):    0
Pass Through (P):             0
Forwarded (F):                0
Discarded (not shown):        0
Denied (not shown):           0
-------------------------------
Total:                        4

Product

Steelhead appliance

Related Topics

Statistics Configuration Commands

show files debug-dump


Description

Displays a list of debug dump files.

Syntax

show files debug-dump

Example

minna # show files debug-dump


sysinfo-sysdump-minna-20050725-183016.txt
sysdump-minna-20050606-140826.tgz

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Configuration and File Manipulation Commands

show files sa
Description

Displays Steelhead appliance log files.

Syntax

show files sa

Parameters

<cr>

To display a list of log files, press Enter after the command.

<filename>

To display the contents of the log file, specify the filename and press Enter.

Example

minna # show files sa


2006.05.16.23.53.sar
2006.05.17.23.53.sar
2006.05.18.23.53.sar
2006.05.19.23.53.sar
2006.05.20.23.53.sar
2006.05.21.23.53.sar
minna # show files 2006.05.21.23.53.sar

Product

Steelhead appliance

Related Topics

Configuration and File Manipulation Commands

show files stats


Description

Displays performance statistics files.

Syntax

show files stats

Usage

You export performance statistics to files using the stats export command.

Example

minna # show files stats


minna #

Product

Steelhead appliance

Related Topics

Configuration and File Manipulation Commands

show files tcpdump


Description

Displays files saved by the tcpdump utility.

Syntax

show files tcpdump

Parameters

None

Example

minna # show files tcpdump


unopt.cap
big-noopt.cap
big-opt.cap
big.tgz
big-opt2.cap

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Configuration and File Manipulation Commands

show images
Description

Displays the available software images and which partition the appliance will boot the next time
the appliance is restarted.

Syntax

show images

Parameters

None

Example

minna # show images


Images available to be installed:
webimage.tbz
rbtsh/linux 4.0 #12 2007-05-15 11:54:52 root@test:CVS_TMS/HEAD
image.img
rbtsh/linux 4.0 #17 2007-05-22 16:39:32 root@test:CVS_TMS/HEAD
Installed images:
Partition 1:
rbtsh/linux 4.0-HEAD-2007-06-15-07:19:19 #0 2007-06-15 07:19:19 root@test:CVS_TMS/HEAD
Partition 2:
rbtsh/linux 4.0 2007-05-15 11:54:52 root@test:CVS_TMS/HEAD
Last boot partition: 2
Next boot partition: 2

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

License and Upgrade Commands

show info
Description

Displays the system status, including the running state of the appliance.

Syntax

show info

Parameters

None

Usage

Use this command to verify that you are running a FIPS approved software image.

Example

minna # show info


Status:             Healthy
Config:             working
Appliance Up Time:  11d 16h 38m 26s
Service Up Time:    11d 16h 36m 56s
Managed by CMC:     no
Temperature (C):    38
Serial:             C48QM000056EA
Model:              1050 (1050H)
Revision:           A
Version:            4.1.9-fips

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration

show in-path asym-route-tab


Description

Displays the asymmetric route table. The table contains any asymmetric routes that currently
exist. It includes the source IP, destination IP, reason code, and time-out.

Syntax

show in-path asym-route-tab

Parameters

None

Usage

The following types of asymmetry are displayed in the asymmetric routing table:
bad RST. Complete Asymmetry: packets traverse both Steelhead appliances going from client
to server but bypass both Steelhead appliances on the return path.
bad SYN/ACK. Server-Side Asymmetry: Packets traverse both Steelhead appliances going
from client to server but bypass the server-side Steelhead appliance on the return path.
no SYN/ACK. Client-Side Asymmetry: Packets traverse both Steelhead appliances going from
client to server but bypass the client-side Steelhead appliance on the return path.
probe-filtered (not-AR). Probe-Filtered: Occurs when the client-side Steelhead appliance sends
out multiple SYN+ frames and does not get a response.
probe-filtered (not-AR). SYN-Rexmit: Occurs when the client-side Steelhead appliance
receives multiple SYN retransmits from a client and does not see a SYN/ACK packet from the
destination server.

Example

minna # show in-path asym-route-tab


Format: [IP 1] [IP 2] [reason] [timeout(
10.11.111.19 10.11.25.23 no-SYNACK 770
minna #

Product

Steelhead appliance

Related Topics

Asymmetric Route Detection and Connection Forwarding Commands

show in-path ar-circbuf


Description

Displays the asymmetric route circular buffer. The buffer contains all the asymmetric routes that
have been detected. This is a circular buffer and wraps after a period of time. The circular buffer
displays artable-match if a new TCP connection is created for a pair of IP addresses that already
have an asymmetric routing table entry. The buffer is set up with Source IP:Source Port,
Destination IP:Destination Port, and reason code.

Syntax

show in-path ar-circbuf

Parameters

None

Example

minna # show in-path ar-circbuf


Format: [IP 1]:[port 1] [IP 2]:[port 2] [reason]
10.11.111.19:33280 10.11.25.23:5001 artable-match
10.11.111.19:33278 10.11.25.23:5001 no-SYNACK
10.11.111.19:33277 10.11.25.23:5001 SYN-rexmit
10.11.111.19:33271 10.11.25.23:5001 artable-match
10.11.111.19:33270 10.11.25.23:5001 SYN-rexmit

Product

Steelhead appliance

Related Topics

Asymmetric Route Detection and Connection Forwarding Commands

show interfaces
Description

Displays the running state settings and statistics.

Syntax

show interfaces [<intname>] | [brief | configured]

Parameters

<intname>

Specifies the interface name. For example, aux, lan0_0, wan0_0, primary,
in-path0_0, lo.

brief

Displays the running state settings without statistics.

configured

Displays configured settings for the interface.

Usage

The set of settings and statistics displayed varies when using DHCP.

Example

minna # show interfaces lo


Up:                 yes
IP address:
Netmask:
Speed:              UNKNOWN
Duplex:             UNKNOWN
Interface type:     ethernet
MTU:                1500
HW address:         00:0E:B6:25:7B:5D
Link:               no
Interface primary state
Up:                 yes
IP address:         10.12.60.34
Netmask:            255.255.0.0
Speed:              UNKNOWN
Duplex:             UNKNOWN
Interface type:     ethernet
MTU:                1500
HW address:         00:15:C5:F5:5E:BA
Link:               no
RX bytes:           0
RX packets:         0
RX mcast packets:   0
RX discards:        0
RX errors:          0
RX overruns:        0
RX frame:           0
TX bytes:           0
TX packets:         0
TX discards:        0
TX errors:          0
TX overruns:        0
TX carrier:         0
TX collisions:      0

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Host Setup Commands

show jobs
Description

Displays a list of all jobs.

Syntax

show jobs

Parameters

None

Example

minna # show jobs


% No jobs configured.

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

System Service and Other System Administration Commands

show licenses
Description

Displays active licenses.

Syntax

show licenses

Parameters

None

Example

minna # show licenses


XXX-XXXXXX-XXXX-XXXX-X-XXXX-XXXX-XXXX
Feature:     SH10BASE
Valid:       yes
Active:      yes
Start date:
End date:
XXX-XXXXXX-XXXX-XXXX-X-XXXX-XXXX-XXXX
Feature:     SH10CIFS
Valid:       yes
Active:      yes
Start date:
End date:
XXX-XXXXXX-XXXX-XXXX-X-XXXX-XXXX-XXXX
Feature:     SH10EXCH
Valid:       yes
Active:      yes
Start date:
End date:
XXX-XXXXXXX-XXXX-XXXX-X-XXXX-XXXX-XXXX
Index:       4
Feature:     SH40SSL
Valid:       yes
Active:      yes
Start date:
End date:

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

License and Upgrade Commands

show log
Description

Displays system logs.

Syntax

show log [continuous | files <log number> | matching]

Parameters

continuous

Displays the log continuously, similar to the Linux tail -f command.

files <log number>

Displays a list of log files or a specific log file.

reverse

Displays the log information, in reverse order, with the latest entry at the top.

matching

Displays a list of matching log files.

Example

minna # show log


May 22 20:00:00 localhost /usr/sbin/crond[784]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)
May 22 20:00:00 localhost cli[555]: [cli.INFO]: user admin: CLI got signal 2 (SIGINT)
May 22 20:02:31 localhost cli[555]: [cli.INFO]: user admin: Executing command: show ip route
May 22 20:02:38 localhost cli[555]: [cli.INFO]: user admin: CLI got signal 2 (SIGINT)
Dec 22 20:03:16 localhost cli[555]: [cli.INFO]: user admin: CLI got signal 2 (SIGINT)
May 22 20:04:00 localhost cli[555]: [cli.INFO]: user admin: Executing command: show ip route static
May 22 20:05:02 localhost cli[555]: [cli.INFO]: user admin: Executing command: show licenses
Dec 22 20:05:09 localhost cli[555]: [cli.INFO]: user admin: CLI got signal 2 (SIGINT)
May 22 20:06:44 localhost cli[555]: [cli.INFO]: user admin: Executing command: show limit bandwidth
May 22 20:06:49 localhost cli[555]: [cli.INFO]: user admin: CLI got signal 2 (SIGINT)
May 22 20:07:12 localhost cli[555]: [cli.INFO]: user admin: Executing command: show log

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Logging Commands

show pfs status


Description

Displays the status of local shares.

Syntax

show pfs status [<cr>] {shares [<cr>] [local-name <localname>]}

Parameters

<cr>

Displays whether or not PFS is enabled.

shares <cr>

Displays the status of all PFS shares.

local-name
<localname>

Displays the status for the specified local share.

Example

minna # show pfs status shares


+=============================
| Information for PFS share lshare1
|
| ----- Status ----
|    Last Sync Status: true
|    Share Ready: true
|    Status: START_SYNC in progress since Fri Mar 9 17:04:26 2007
|    Size (MB): 39
|    Last Synced: Fri Mar 9 17:05:30 2007

Product

Steelhead appliance

Related Topics

PFS Support Commands

show pfs stats shares


Description

Displays PFS share statistics.

Syntax

show pfs stats shares [local-name <localname>]

Parameters

local-name <localname>

Specifies the name of the local share for which to display statistics.

Example

minna # show pfs stats shares


+=============================
| Information for PFS share field_kit
|
| ----- Statistics ----
+=============================
| Information for PFS share internal-test
|
| ----- Statistics ----
+=============================
| Information for PFS share internal-townsend
|
| ----- Statistics ----
+=============================

Product

Steelhead appliance

Related Topics

PFS Support Commands

show raid error-msg


Description

Displays the RAID disk drives that are not functioning.

Syntax

show raid error-msg

Parameters

None

Example

minna # show raid error-msg

Product

Steelhead appliance

Related Topics

show raid info

show stats
Description

Displays system statistics.

Syntax

show stats {
[alarm <type>]
[bandwidth {all | <port> bi-directional | lan-to-wan | wan-to-lan} {1min | 5min | hour | day |
week | month}]
[conn-pool {1min | 5min | hour | day | week | month}]
[connections {5min | hour | day | week | month}]
[cpu]
[datastore {<carriage return>| [5min | hour | day | week | month]}]
[ecc-ram]
[fan]
[http]
[link-state {all loss-rate {hour | day | week | month}}]
[memory]
[neighbor-fwd {all | default {pkt | byte {hour | day | week | month}}}]
[nfs {all | 1min | 5min | hour | day | week | month}]
[pfs {all | 1min | 5min | hour | day | week | month}]
[qos {all | default {pkt | byte {hour | day | week | month}}}]
settings bandwidth ports
[ssl [5min | hour | day | week | month]]
[throughput {all | <port> bi-directional | lan-to-wan | wan-to-lan} {1min | 5min | hour | day
| week | month}]
[traffic {passthrough | optimized} {1min | 5min | hour | day | week | month}]
}

Parameters

alarm <type>

Displays alarm statistics. Specify alarm type or <carriage return>:
<alarm-ID>, admission-conn, admission_mem, bypass,
cpu_util_indiv, critical_temp, duplex, fs_mnt, halt_error, license,
link_state, mismatch_peer, nfs_v2_v4, paging, pfs_config,
pfs_disk_full, pfs_operation, power_supply, rcu_error,
service_error, store_corruption, sw-version, warning_temp.

bandwidth {all | <port> bi-directional | lan-to-wan | wan-to-lan} {1min | 5min | hour | day | week | month}

Displays bandwidth statistics for the specified period. The all option displays aggregate
bandwidth statistics for all ports.

conn-pool {1min | 5min | hour | day | week | month}

Displays connection pooling statistics for the specified period.

connections {5min | hour | day | week | month}

Displays connection statistics for the specified period.

cpu

Displays CPU statistics.

datastore <carriage return> | [5min | hour | day | week | month

Displays data store statistics for the specified period.

ecc-ram

Displays ECC error counts.

fan

Displays fan errors.

http

Displays HTTP turbo errors.

Steelhead appliance only.

Steelhead appliance only.

link-state {all} {loss-rate {hour | day | week | month}}

Displays link-state statistics on packet loss rate for the specified period.

memory

Displays memory statistics.

neighbor-fwd {all | default | pkt | byte {hour | day | week | month}

Displays connection forwarding statistics for the specified period.

nfs {all | 1min | 5min | hour | day | week | month}

Displays NFS statistics for the specified period. The all option
displays aggregate statistics for all NFS servers. You can substitute
a server name for all to display statistics for the specified server
you configured.

Steelhead appliance only.

Steelhead appliance only.

Steelhead appliance only.


pfs {all | 1min | 5min | hour | day | week | month}

Displays PFS statistics for the specified period. The all option
displays aggregate statistics for all PFS shares. You can substitute a
share name for all to display statistics for the specified share you
configured.
Steelhead appliance only.

qos {all | default {pkt | byte {hour | day | week | month}}}

Displays QoS statistics for the specified period. The all option
displays aggregate statistics for all QoS classes. You can substitute a
QoS class name for all to display statistics for the specified QoS
class.
Steelhead appliance only.

settings bandwidth ports

Displays ports being monitored.

ssl [5min | hour | day | week | month]

Displays SSL statistics.

throughput {all | <port> bi-directional | lan-to-wan | wan-to-lan} {1min | 5min | hour | day | week | month}

Displays throughput statistics for the specified period.

traffic {passthrough | optimized {all 1min | 5min | hour | day | week | month}}

Displays traffic statistics.

Example

minna # show stats traffic optimized day


Port                              Rdx%   LAN Data   WAN Data   Trf%
------------------------------- ------ ---------- ---------- ------
Total Traffic                             29.6 GB     8.2 GB
CIFS:TCP (445)                  93.30%    16.3 GB       1 GB 55.07%
https (443)                      0.00%     4.4 GB     4.5 GB 15.04%
HTTP (80)                       50.85%     4.1 GB       2 GB 13.98%
mysql (3306)                    91.52%     3.7 GB   326.1 MB 12.68%
nfs (2049)                      90.60%   729.4 MB    68.5 MB  2.40%
CIFS:NetBIOS (139)              96.02%   110.7 MB     4.4 MB  0.37%
Unknown (1195)                   0.00%    86.6 MB    90.7 MB  0.29%
Unknown (8020)                   0.00%      25 MB    26.3 MB  0.08%
Unknown (2020)                   0.00%    18.1 MB    19.7 MB  0.06%
Unknown (47738)                 38.62%    17.7 MB    10.8 MB  0.06%
FTP (21)                        25.92%     5.6 MB     4.1 MB  0.02%
rtsp (554)                       0.66%     4.7 MB     4.7 MB  0.02%
imap (143)                      83.18%     2.3 MB   400.2 KB  0.01%
Unknown (1935)                  30.81%     1.7 MB     1.2 MB  0.01%
svn (3690)                      97.88%     1.3 MB    29.5 KB  0.00%
webcache (8080)                 92.73%     992 KB    72.1 KB  0.00%
ldap (389)                      52.73%   447.6 KB   211.5 KB  0.00%
Unknown (1025)                   0.00%   357.5 KB   366.2 KB  0.00%
Unknown (1026)                  14.39%   184.3 KB   157.8 KB  0.00%
pop3 (110)                      65.30%   167.8 KB    58.2 KB  0.00%

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

Statistics Configuration Commands

show tcp statistics


Description

Displays TCP statistics.

Syntax

show tcp statistics

Parameters

None

Example

minna # show tcp statistics


1948 packets received
2167 packets sent
0 packets retransmitted
0 packets fast retransmitted
0 timeouts
0 other TCP loss events

Product

Steelhead appliance

Related Topics

Statistics Configuration Commands

show version
Description

Displays the installed software version including build number.

Syntax

show version [concise]

Parameters

concise

Displays the installed software version without build information.

Example

minna # show version


Product name:       rbt_sh
Product release:    4.1.9-fips
Build ID:           #85_1
Build date:         2009-02-27 16:01:21
Build arch:         x86_64
Built by:           root@mallo
Uptime:             11d 16h 44m 25s
Product model:      1050
System memory:      2320 MB used / 1628 MB free / 3949 MB total
Number of CPUs:     2
CPU load averages:  0.19 / 0.16 / 0.10

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

image fetch, image install

show version history


Description

Displays upgrade version history.

Syntax

show version history

Parameters

None

Example

minna # show version history


rbt_sh 2.1.6 #37 2006-03-31 21:44:41 i386 root@munich:repository/rapanui_37

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

image fetch, image install

CHAPTER 4

Configuration-Mode Commands

In This Chapter
This chapter is a reference for configuration-mode commands. You use configuration-mode commands to
perform system administration tasks and to set the appliance, network, and feature configuration.
To enter configuration mode

1. Connect to the CLI. For detailed information, see Connecting to the CLI on page 25.

2. Enter enable mode; at the system prompt enter enable:

minna> enable

3. Enter configuration mode; at the system prompt enter configure terminal:

minna # configure terminal
minna (config) #

You are now in configuration mode.

To exit configuration mode, enter exit. For information about the exit command, see exit on page 29.

This chapter is organized into the following major sections:

System Administration Commands
Steelhead Appliance Feature Configuration Commands
Interceptor Appliance Feature Commands
Central Management Console Feature Commands

NOTE: You can use the CLI for some CMC system administration tasks and for appliance host and network setup, but
you must use the CMC Web-based user interface to use the centralized monitoring and management features provided
with the CMC product.

TIP: For an alphabetical list of commands, see the Index at the end of this book.

System Administration Commands


This section describes commands you use to perform system administration tasks. Many system
administration commands are common to the CMC appliance, the Interceptor appliance, and the Steelhead
appliance. This section includes the following content.
Configuration-Mode Documentation Navigation

System Administration Commands
Steelhead Appliance Feature Configuration Commands
Interceptor Appliance Feature Commands
Central Management Console Feature Commands

In This Section

Authentication Commands
Secure Shell Access Commands
CLI Terminal Configuration Commands
Management Console Configuration Commands
Configuration and File Manipulation Commands
Port Alias Support
Statistics Manipulation Commands
Notification and SNMP Commands
Data Store Management Commands
Logging Commands
License and Upgrade Commands
System Service and Other System Administration Commands

Authentication Commands
In This Section

aaa accounting per-command default
aaa authentication cond-fallback
aaa authentication console-login default
aaa authentication login default
aaa authorization map default-user
aaa authorization map order
aaa authorization per-command default
radius-server host
radius-server key
radius-server timeout
radius-server retransmit
tacacs-server first-hit
tacacs-server host
tacacs-server key
tacacs-server timeout
tacacs-server retransmit
username disable
username nopassword
username password
username password 0
username password 7

aaa accounting per-command default


Description

Configure per-command accounting settings.

Syntax

[no] aaa accounting per-command default <method>

Parameters

<method>

Specifies the authentication method: tacacs+ or local. Use a space separated list.

Usage

The order in which the methods are specified is the order in which the authorization is attempted.

The no command option clears all authorization states and returns the user authorization to the
local user name database.

Example

amnesiac (config) # aaa accounting per-command default tacacs+ local


amnesiac (config) #

Product

Steelhead appliance, CMC appliance

Related Topics

show aaa, show radius, show tacacs


aaa authentication cond-fallback


Description

Fall-back only if server is unavailable.

Syntax

[no] aaa authentication cond-fallback

Parameters

None

Usage

If enabled, the next authentication method is tried only if the servers for the current authentication
method are unavailable.

The no command option disables fall-back mode.

Example

amnesiac (config) # aaa authentication cond-fallback


amnesiac (config) #

Product

Steelhead appliance, CMC appliance

Related Topics

show aaa, show radius, show tacacs

aaa authentication console-login default


Description

Configures local, RADIUS, or TACACS+ console settings for log in.

Syntax

aaa authentication console-login default <method>

Parameters

<method>

Specifies the authentication method: radius, tacacs+, or local. Use a space separated list.

Usage

The order in which the methods are specified is the order in which the authorization is attempted.

The no command option clears all authentication states and returns user authentication to the
local user name database.

Example

amnesiac (config) # aaa authentication console-login default radius tacacs+ local


amnesiac (config) #

Product

Steelhead appliance, CMC appliance

Related Topics

show aaa, show radius, show tacacs

aaa authentication login default


Description

Configures local, RADIUS, or TACACS+ login settings.

Syntax

aaa authentication login default <method>

Parameters

<method>

Specifies the authentication method: radius, tacacs+, or local. Use a space separated list.

Usage

The order in which the methods are specified is the order in which the authentication is
attempted.

The no command option clears all authentication states and returns user authentication to the
local user name database.

Example

minna (config) # aaa authentication login default radius tacacs+


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show aaa, show radius, show tacacs

aaa authorization map default-user


Description

Specifies what local user the authenticated user will be logged in as when they are authenticated
(through RADIUS or TACACS+) and do not have a local user mapping specified in the remote
database.

Syntax

aaa authorization map default-user <user_name>

Parameters

<user_name>

Specifies the user name for RADIUS or TACACS+ authentication: admin or monitor.

Usage

When a user is authenticated through RADIUS or TACACS+ and does not have a local account,
this command specifies what local account the authenticated user will be logged in as.

For the local authentication method, this setting is ignored. This mapping depends on the setting
of the aaa authorization map order command.

The no command option disables user default mapping.

Example

minna (config) # aaa authorization map default-user admin


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show aaa, show radius, show tacacs

aaa authorization map order


Description

Sets the order for remote-to-local user mappings for RADIUS or TACACS+ server authentication.

Syntax

aaa authorization map order <policy>

Parameters

<policy>

Specifies the order in which to apply the authentication policy: remote-only, remote-first, local-only.

Usage

The order determines how the remote user mapping behaves. If the authenticated user name is
valid locally, no mapping is performed. The setting has the following behaviors:

remote-first. If a local-user mapping attribute is returned and it is a valid local user name, map
the authenticated user to the local user specified in the attribute. If the attribute is not present or
not valid locally, use the user name specified by the default-user command. (This is the default
behavior.)

remote-only. Map only to a remote authenticated user if the authentication server sends a
local-user mapping attribute. If the attribute does not specify a valid local user, no further
mapping is attempted.

local-only. All remote users are mapped to the user specified by the aaa authorization map
default-user <user name> command. Any vendor attributes received by an authentication
server are ignored.

To set TACACS+ authorization levels (admin and read-only) to allow certain members of a group
to log in, add the following attribute to users on the TACACS+ server:

service = rbt-exec {
    local-user-name = "monitor"
}

where you replace monitor with admin for write access.

To turn off general authentication in the Interceptor appliance, enter the following command at
the system prompt:

aaa authorization map order remote-only

The no command option disables authentication.


Example

minna (config) # aaa authorization map order remote-only


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show aaa, show radius, show tacacs
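
The mapping rules described under aaa authorization map order, modelled in Python as an added example (not Riverbed code and not part of the original manual). The function names, the sample directory, and the reading that an unset or locally invalid default-user leaves the user unmapped are assumptions; the output shows which remote accounts end up with the admin (write) account under each policy and default-user setting.

```python
# Added model of the mapping rules in the Usage text above; not Riverbed code.
LOCAL_USERS = frozenset({"admin", "monitor"})   # local logins named in this manual
POLICIES = ("remote-first", "remote-only", "local-only")


def map_remote_user(auth_user, policy="remote-first", default_user=None,
                    local_user_attr=None, local_users=LOCAL_USERS):
    """Return the local account a RADIUS/TACACS+ user is logged in as.

    auth_user       -- name the remote server authenticated
    default_user    -- value of `aaa authorization map default-user` (None = unset)
    local_user_attr -- local-user mapping attribute returned by the server, if any
    Returns None when the rules leave the user without a local account
    (assumption: the manual does not say what happens in that case).
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy: {policy!r}")
    # "If the authenticated user name is valid locally, no mapping is performed."
    if auth_user in local_users:
        return auth_user
    attr_ok = local_user_attr in local_users
    fallback = default_user if default_user in local_users else None
    if policy == "remote-first":
        # Use the attribute when valid, otherwise the default-user setting.
        return local_user_attr if attr_ok else fallback
    if policy == "remote-only":
        # No further mapping is attempted when the attribute is absent or invalid.
        return local_user_attr if attr_ok else None
    # local-only: attributes sent by the server are ignored.
    return fallback


def admin_exposure(remote_users, policy, default_user):
    """List the remote users who end up with the admin (write) account."""
    return sorted(name for name, attr in remote_users.items()
                  if map_remote_user(name, policy, default_user, attr) == "admin")


# Constructed directory: user name -> local-user-name attribute (None = not set).
SAMPLE_REMOTE_USERS = {
    "alice": "admin",      # explicitly mapped to write access
    "bob": "monitor",      # explicitly mapped to read-only
    "carol": None,         # no attribute configured on the server
    "dave": "operator",    # attribute names an account that does not exist locally
}

if __name__ == "__main__":
    for policy in POLICIES:
        for default in ("monitor", "admin"):
            users = admin_exposure(SAMPLE_REMOTE_USERS, policy, default)
            print(f"{policy:12} default-user={default:7} admin: {users}")
```

With remote-first and default-user admin, every remote account without a valid attribute is logged in as admin, so monitor is the least-privilege choice for default-user.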

aaa authorization per-command default


Description

Configures authorization mapping settings.

Syntax

[no] aaa authorization per-command default <method>

Parameters

<method>

Specifies the authentication method: tacacs+ or local. Use a space separated list.

Usage

The order in which the methods are specified is the order in which the authorization is attempted.

The no command option clears all authorization states and returns the user authorization to the
local user name database.

Example

amnesiac (config) # aaa authorization per-command default tacacs+ local


amnesiac (config) #

Product

Steelhead appliance, CMC appliance

Related Topics

show aaa, show radius, show tacacs


radius-server host
Description

Adds a RADIUS server to the set of servers used for authentication.

Syntax

[no] radius-server host {<ip-address> | auth-port <port-number> | timeout <seconds> | retransmit <retries> | key <string>}

Parameters

<IP address>

Specifies the RADIUS server IP address.

auth-port <port>

Configures the authentication port number to use with this RADIUS server. The default value is 1812.

key <keynumber>

Sets the shared secret text string used to communicate with this RADIUS server.

retransmit <number>

Specifies the number of times the client attempts to authenticate with any RADIUS server. The
default value is 1. The range is 0-5. To disable retransmissions, set it to 0.

Usage

RADIUS servers are tried in the order they are configured.

The same IP address can be used in more than one radius-server host command if the auth-port
value is different for each. The auth-port value is a UDP port number. The auth-port value must
be specified immediately after the host <ip-address> option (if present).

Some parameters override the RADIUS server global defaults. For detailed information, see the
Steelhead Appliance Deployment Guide.

The no command option stops sending RADIUS authentication requests to the host.

If no radius-server host <ip-address> is specified, all radius configurations for the host are
deleted.

The no radius-server host <ip-address> auth-port <port> command can be specified to refine
which host is deleted, as the previous command deletes all RADIUS servers with the specified IP
address.

FIPS Mode

FIPS mandates that Radius support is disabled. To disable Radius support for FIPS-compliance,
execute the no radius-server host command. For detailed information, see the FIPS/CC
Administrators Guide.

Example

minna (config) # radius-server host 10.0.0.0 key XXXX retransmit 3 timeout 10


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show aaa, show radius, FIPS/CC Compliance Commands

radius-server key
Description

Sets the shared secret text string used to communicate with a RADIUS server.

Syntax

radius-server key <string>

Parameters

<string>

Sets the shared secret text string used to communicate with any RADIUS server.


Usage

This command can be overridden using the radius-server host command.


The no command option resets the key to the default value.

Example

minna (config) # radius-server key XYZ


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show aaa, show radius

radius-server retransmit
Description

Specifies the number of times the client attempts to authenticate with any RADIUS server.

Syntax

radius-server retransmit <retries>

Parameters

<retries>

Specifies the number of times the client attempts to authenticate with any
RADIUS server. The range is 0-5. The default value is 1.

Usage

This command can be overridden in a radius-server host command.

The no command option resets the value to the default value.

Example

minna (config) # radius-server retransmit 5


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show aaa, show radius

radius-server timeout
Description

Sets the time-out in seconds for retransmitting a request to any RADIUS server.

Syntax

radius-server timeout <seconds>

Parameters

<seconds>

Sets the time-out for retransmitting a request to any RADIUS server. The range is
1-60. The default value is 3.

Usage

The range is 1-60. The default value is 3.

This command can be overridden in a radius-server host command.

The no command option resets the value to the default value.

Example

minna (config) # radius-server timeout 30


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show aaa, show radius


tacacs-server first-hit
Description

Enables first-hit option for TACACS+ servers.

Syntax

tacacs-server first-hit

Parameters

<IP address>

Specifies the TACACS+ server IP address.

Usage

TACACS+ servers are tried in the order they are configured. If this option is enabled, only the first
server in the list of TACACS+ servers is queried for authentication and authorization purposes.

The no command option disables TACACS+ first-hit option.


Example

minna (config) # tacacs-server first-hit


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show aaa, show tacacs

tacacs-server host
Description

Adds a TACACS+ server to the set of servers used for authentication.

Syntax

tacacs-server host {<ip-address> | auth-port <port-number> | timeout <seconds> | retransmit <retries> | key <string>}

Parameters

<IP address>

Specifies the TACACS+ server IP address.

auth-port <port>

Specifies the authorization port number. The default value is 49.

auth-type <type>

Specifies the authorization type to use with this TACACS+ server: ascii, pap.

key <keynumber>

Sets the shared secret text string used to communicate with any TACACS+ server.

retransmit <number>

Specifies the number of times the client attempts to authenticate with any TACACS+ server. The
default value is 1. The range is 0-5. To disable retransmissions set it to 0.

timeout <seconds>

Sets the time-out for retransmitting a request to any TACACS+ server. The range is 1-60. The
default value is 3.

Usage

TACACS+ servers are tried in the order they are configured.

The same IP address can be used in more than one tacacs-server host command if the auth-port
value is different for each. The auth-port value is a UDP port number. The auth-port value must
be specified immediately after the hostname option (if present).

Some of the parameters given can override the configured global defaults for all TACACS+
servers. For detailed information, see the Steelhead Appliance Deployment Guide.

If no tacacs-server host <ip-address> is specified, all TACACS+ configurations for this host are
deleted. The no tacacs-server host <ip-address> auth-port <port> command can be specified to
refine which host is deleted, as the previous command deletes all TACACS+ servers with the
specified IP address.

The no command option disables TACACS+ support.

FIPS Mode

FIPS mandates that TACACS+ support is disabled. To disable TACACS+ for FIPS-compliance,
execute the no tacacs-server host command. For detailed information, see the FIPS/CC
Administrators Guide.

Example

minna (config) # tacacs-server host 10.0.0.0


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show aaa, show tacacs, FIPS/CC Compliance Commands

tacacs-server key
Description

Sets the shared secret text string used to communicate with any TACACS+ server.

Syntax

tacacs-server key <string>

Parameters

<string>

Sets the shared secret text string used to communicate with any TACACS+ server.

Usage

The tacacs-server key command can be overridden using the tacacs-server host command. The
no command option resets the value to the default value.

Example

minna (config) # tacacs-server key XYZ


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show aaa, show tacacs

tacacs-server retransmit
Description

Specifies the number of times the client attempts to authenticate with any TACACS+ server.

Syntax

tacacs-server retransmit <retries>

Parameters

<retries>

Specifies the number of times the client attempts to authenticate with any
TACACS+ server. The range is 0-5. The default value is 1.

Usage

The default value is 1. The range is 0-5. To disable retransmissions set it to 0. The tacacs-server
retransmit command can be overridden in a tacacs-server host command.

The no command option resets the value to the default value.

Example

minna (config) # tacacs-server retransmit 5


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show aaa, show tacacs

tacacs-server timeout
Description

Sets the time-out for retransmitting a request to any TACACS+ server.

Syntax

tacacs-server timeout <seconds>

Parameters

<seconds>

Sets the time-out for retransmitting a request to any TACACS+ server. The range
is 1-60. The default value is 3.

Usage

This command can be overridden with the tacacs-server host command.

The no command option resets the value to the default value.


Example

minna (config) # tacacs-server timeout 30


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show aaa, show tacacs

username disable
Description

Disables the account so that no one can log in.

Syntax

username <userid> disable

Parameters

<userid>

Specifies the user login: admin or monitor.

Usage

The no command option re-enables the specified user account. To re-enable the account, you must
set a password for it.

Example

minna (config) # username monitor disable


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show usernames

username nopassword
Description

Disables password protection for a user.

Syntax

username <userid> nopassword

Parameters

<userid>

Specifies the user login: admin or monitor.

Usage

The no command option re-enables the specified user account.

Example

minna (config) # username monitor nopassword


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show usernames

username password
Description

Sets the password for the specified user.

Syntax

username <userid> password <cleartext>

Parameters

<userid>

Specifies the user login: admin or monitor.

<cleartext>

Specifies the password. The password must be at least 6 characters.

Usage

The password is returned in cleartext format on the command line.


CC-compliance mandates that the administrator user ensure that all passwords are at least 8
characters. Passwords must contain one upper case character, one lower case character, one
number, and one special character. The administrator user should ignore any password guidance
that violates these rules.

Example

minna (config) # username admin password xyzzzZ


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show usernames

username password 0
Description

Sets the password for the specified user.

Syntax

username <userid> password 0 <password>

Parameters

<userid>

Specifies the user login: admin or monitor.

<cleartext>

Specifies the password. The password must be at least 6 characters.

Usage

The password is returned in cleartext format on the command line.


CC-compliance mandates that the administrator user ensure that all passwords are at least 8
characters. Passwords must contain one upper case character, one lower case character, one
number, and one special character. The administrator user should ignore any password guidance
that violates these rules.

Example

minna (config) # username admin password 0 xyzzzZ


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show usernames


username password 7
Description

Sets the password for the specified user. Use this command if it becomes necessary to restore your
appliance configuration, including the password.

Syntax

username <userid> password 7 <password>

Parameters

<userid>

Specifies the user login: admin or monitor.

<cleartext>

Specifies the password. The password must be at least 6 characters.

Usage

Use this command to restore your password using an encrypted version of the password. You can
display the encrypted version of the password using the show running configuration command.

For example, executing username monitor password awesomepass results in the following line
being added to the running configuration file:

username monitor password 7 $1$f2Azp8N8$n0oy6Y1KhCfuMo93f24ku/

If you need to restore your password in the future, you would paste:

username monitor password 7 $1$f2Azp8N8$n0oy6Y1KhCfuMo93f24ku/

in the CLI, to restore your monitor password to awesomepass.

CC-compliance mandates that the administrator user ensure that all passwords are at least 8
characters. Passwords must contain one upper case character, one lower case character, one
number, and one special character. The administrator user should ignore any password guidance
that violates these rules.

Example

minna (config) # username admin password 7 $1$f2Azp8N8$n0oy6Y1KhCfuMo93f24ku/


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show usernames
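
An added Python example (not Riverbed code and not part of the original manual) that audits username command lines, as found in a change script or a saved configuration, against what the four username password entries above state: nopassword removes password protection, password and password 0 carry cleartext that must satisfy the 6-character minimum and the CC rule, and password 7 carries a value that restores the password when pasted. The finding codes, function names and sample script are assumptions, and reading the $1$ prefix as MD5-crypt follows the general crypt(3) convention rather than anything the manual says.

```python
import re

# Matches `username <userid> ...`, with or without a "host (config) # " prompt.
USERNAME_RE = re.compile(r"^(?:\S+ \(config\) # )?username (\S+) (.+)$")
# Modular crypt format: $<id>$<salt>$<digest>
CRYPT_RE = re.compile(r"^\$([0-9a-z]+)\$([./0-9A-Za-z]+)\$([./0-9A-Za-z]+)$")
# Scheme identifiers per the general crypt(3) convention (assumption, not from the manual).
LEGACY_SCHEMES = {"1": "MD5_CRYPT"}


def cc_compliant(password):
    """CC rule from the manual: 8+ characters with upper, lower, digit and special."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def audit_line(line):
    """Return [(userid, finding_code), ...] for one CLI line."""
    m = USERNAME_RE.match(line.strip())
    if not m:
        return []                                   # not a username command
    user, tokens = m.group(1), m.group(2).split()
    if tokens == ["nopassword"]:
        return [(user, "NOPASSWORD")]               # password protection disabled
    if tokens[0] != "password" or len(tokens) not in (2, 3):
        return []                                   # e.g. `disable`: nothing to flag
    if len(tokens) == 3 and tokens[1] == "7":
        parsed = CRYPT_RE.match(tokens[2])
        if not parsed:
            return [(user, "BAD_HASH")]             # not a modular-crypt string
        code = LEGACY_SCHEMES.get(parsed.group(1))
        return [(user, code)] if code else []
    if len(tokens) == 3 and tokens[1] != "0":
        return []                                   # form not described in the manual
    secret = tokens[-1]
    findings = [(user, "CLEARTEXT")]                # password visible in the command text
    if len(secret) < 6:
        findings.append((user, "TOO_SHORT"))        # below the 6-character minimum
    if not cc_compliant(secret):
        findings.append((user, "CC_RULE"))          # fails the CC password rule
    return findings


def audit_config(text):
    """Return [(line_number, userid, finding_code), ...] for a block of CLI lines."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        findings.extend((number, user, code) for user, code in audit_line(line))
    return findings


# Constructed sample built from the commands shown in this section.
SAMPLE_SCRIPT = """\
minna (config) # username admin password 7 $1$f2Azp8N8$n0oy6Y1KhCfuMo93f24ku/
minna (config) # username monitor nopassword
minna (config) # username admin password 0 xyzzzZ
username monitor password Str0ng!pass
username monitor disable
"""

if __name__ == "__main__":
    for number, user, code in audit_config(SAMPLE_SCRIPT):
        print(f"line {number}: {user}: {code}")
```

An MD5_CRYPT finding means the saved line should be stored and shared as a secret, because pasting it back restores that password.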


Secure Shell Access Commands


In This Section

ssh client generate identity user
ssh client user authorized-key rsakey sshv2
ssh server enable
ssh server listen enable
ssh server listen interface
ssh server v2-only enable

ssh client generate identity user


Description

Generates SSH client identity keys for the specified user. SSH provides secure log in for Windows
and Unix clients and servers.

Syntax

ssh client generate identity user <user>

Parameters

<user>

Specifies the client user login.

Example

minna (config) # ssh client generate identity user test


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show ssh client, show ssh server

ssh client user authorized-key rsakey sshv2


Description

Sets the RSA encryption method by RSA Security and authorized-key for the SSH user.

Syntax

ssh client user <user> authorized-key rsakey sshv2 <public key>

Parameters

<user>

Specifies the public key for SSH version 2 for the specified SSH user.

Usage

The no command option disables the authorized-key encryption method.

Example

minna (config) # ssh client user authorized-key rsakey


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show ssh client, show ssh server

ssh server enable


Description

Enables SSH access to the system.

Syntax

ssh server enable

Parameters

None

Usage

After you have enabled interface restrictions, you must specify which interfaces to accept
connections on using the ssh server listen interface command. If the list of interfaces is empty, all
interfaces are accepted. If the list of interfaces has at least one entry, then the server listens on that
subset of interfaces.
The no command option disables SSH interface restrictions which causes SSH to accept
connections from all interfaces.
SSH interface restrictions are not available through the Management Console.

Example

minna (config) # ssh server enable


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show ssh client, show ssh server

ssh server listen enable


Description

Enables SSH interface restrictions to the system.

Syntax

ssh server listen enable

Parameters

None


Usage

After you have enabled interface restrictions, you must specify which interfaces to accept
connections on using the ssh server listen interface command. If the list of interfaces is empty, all
interfaces are accepted. If the list of interfaces has at least one entry, then the server listens on that
subset of interfaces.
The no command option disables SSH interface restrictions which causes SSH to accept
connections from all interfaces.
SSH interface restrictions are not available through the Management Console.

Example

minna (config) # ssh server listen enable


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show ssh client, show ssh server

ssh server listen interface


Description

Adds one or more interfaces to the SSH server access restriction list.

Syntax

ssh server listen interface <interface>

Parameters

<interface>

Specifies the interface name: aux, primary, inpath1_0, or inpath1_1.

Usage

To add an interface to the list:

ssh server listen interface <interface>

To remove an interface:

no ssh server listen interface <interface>

If the list of interfaces is empty, all interfaces are accepted. If the list of interfaces has at least one
entry, then the server listens on that subset of interfaces.

The no command option removes the interface.

SSH interface restrictions are not available through the Management Console.

Example

minna (config) # ssh server listen interface 10.1.1.1, 10.0.0.4


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show ssh client, show ssh server

ssh server v2-only enable


Description

Enables SSH server to accept only v2 connections, which are more secure.

Syntax

ssh server v2-only enable

Parameters

None

Usage

This command restricts the server to accept only v2 protocol connections, which are more secure.
The no command option removes the restriction.


Example

minna (config) # ssh server v2-only enable


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show ssh client, show ssh server


CLI Terminal Configuration Commands


In This Section

banner login
banner motd
cli clear-history
cli default auto-logout
cli default paging enable
cli session
terminal

banner login
Description

Sets the system login banner.

Syntax

banner login <message string>

Parameters

<message string>

Specifies the login banner message.

Usage

The no command option disables the login banner.

Example

minna (config) # banner login reminder: meeting today


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show banner, show cli, show terminal, show web, show web prefs

banner motd
Description

Sets the system Message of the Day banner.

Syntax

banner motd <message string>

Parameters

<message string>

Specifies the login Message of the Day.

Usage

The no command option disables the system Message of the Day banner.

Example

minna (config) # banner motd customer visit today


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show banner, show cli, show terminal, show web, show web prefs

cli clear-history
Description

Clears the command history for the current user.

Syntax

cli clear-history

Parameters

None

Example

minna (config) # cli clear-history


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show cli

cli default auto-logout


Description

Sets keyboard inactivity time for automatic log out.

Syntax

cli default auto-logout <minutes>

Parameters

<minutes>

Specifies the number of minutes before log out occurs.

Usage

The no command option disables the automatic logout feature.

Example

minna (config) # cli default auto-logout 25


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show cli, show terminal, show web, show web prefs

cli default paging enable


Description

Sets ability to view text one screen at a time.

Syntax

cli default paging enable

Parameters

None

Usage

The no command option disables paging.

Example

minna (config) # cli default paging enable


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show cli, show terminal, show web, show web prefs

cli session
Description

Sets CLI options for the current session only.

Syntax

cli session {auto-logout <minutes> | paging enable | terminal length <lines> | type
<terminal_type> | terminal width <number of characters>}

Parameters

auto-logout <minutes>

Sets the number of minutes before the CLI automatically logs out the user.
The default value is 15 minutes. The no command option disables the
automatic logout feature.

paging enable

Sets paging. With paging enabled, if there is too much text to fit on the
page, the CLI prompts you for the next page of text. The no command
option disables paging.

terminal length <lines>

Sets the terminal length. The no command option disables the terminal
length.

terminal type <terminal_type>

Sets the terminal type. The no command option disables the terminal type.

terminal width <number of characters>

Sets the terminal width. The no command option disables the terminal
width.

Usage

The no command option disables CLI option settings.

Example

minna (config) # cli session auto-logout 20


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show cli, show clock, show terminal, show web, show web prefs


terminal
Description

Configures terminal display.

Syntax

terminal {type <type> | length <number> | width <number>}

Parameters

<type>

Specifies the terminal type.

length <number>

Specifies the number of lines for the terminal.

width <number>

Specifies the terminal width in number of characters.

Usage

The no command option disables the terminal settings.

Example

minna (config) # terminal type vt100 length 20 width 180


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show terminal, show cli, show web, show web prefs


Management Console Configuration Commands


In This Section

web auto-logout
web enable
web http enable
web http port
web httpd listen enable
web httpd listen interface
web https enable
web https port
web prefs log lines
web proxy host
web session renewal
web session timeout

web auto-logout
Description

Sets the number of minutes before the Management Console automatically logs out the user.

Syntax

web auto-logout <minutes>

Parameters

<minutes>

Specifies the number of minutes before the system automatically logs out the user.
The default value is 15 minutes.

Usage

The no command option disables the automatic log out feature.

Example

minna (config) # web auto-logout 20
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show cli, show terminal, show web, show web prefs

web enable
Description

Enables the Management Console.

Syntax

web enable

Parameters

None

Usage

The Management Console is enabled by default.
The no command option disables the Management Console.

Example

minna (config) # web enable
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show cli, show terminal, show web, show web prefs

web http enable


Description

Enables HTTP access to the Management Console.

Syntax

web http enable

Parameters

None

Usage

The Management Console is enabled by default.


FIPS Mode
FIPS mandates that you disable HTTP and enable HTTPS. If you have been running the Steelhead
appliance in non-FIPS mode, you must make sure that HTTP is not enabled. You must run the no
protocol http enable command to disable HTTP. You must also execute the protocol https enable
command to enable HTTPS on the system. For detailed information about configuring FIPS-mode,
see the FIPS/CC Administrators Guide.
The no command option disables HTTP access to the Management Console.

Example

minna (config) # web http enable


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show protocol http, show cli, show terminal, show web, show web prefs

web http port


Description

Sets the Web port for HTTP access.

Syntax

web http port <port>

Parameters

<port>

Specifies the port number. The default value is 80.

Usage

The no command option resets the Web port to the default value.

Example

minna (config) # web http port 8080


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show protocol http, show cli, show terminal, show web, show web prefs

web httpd listen enable


Description

Enables Web interface restrictions to this system.

Syntax

web httpd listen enable

Parameters

None

Usage

After you have enabled interface restrictions, you must use the web httpd listen interface
command to specify which interfaces to accept connections on. If the list of interfaces is empty, all
interfaces are accepted. If the list of interfaces has at least one entry, then the server only listens on
that subset of interfaces.
The no command option disables Web interface restrictions, which causes the server to accept
connections from all interfaces.
Web interface restrictions are not available through the Management Console.

Example

minna (config) # web httpd listen enable


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show protocol http, show cli, show terminal, show web, show web prefs, web httpd
listen interface

web httpd listen interface


Description

Adds an interface to the Web server access restriction list.

Syntax

web httpd listen interface <interface>

Parameters

<interface>

Specifies the listen interface name: primary, aux, or inpathXY.

Usage

To add an interface to the list to listen on:

web httpd listen interface <interface>

To remove an interface so that it is no longer listened to:

no web httpd listen interface <interface>

The no command option removes the Web interface.
Web interface restrictions are not available through the Management Console.

Example

minna (config) # web httpd listen interface aux


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show protocol http, show cli, show terminal, show web, web httpd listen enable,


web https enable


Description

Enables HTTPS for accessing a secure Web server.

Syntax

web https enable

Parameters

None

Usage

FIPS Mode
FIPS mandates that you enable HTTPS and disable HTTP access to the system. You must execute
the protocol https enable command to enable HTTPS on the system. You must also disable HTTP
by executing the no protocol http enable command. For detailed information about configuring
FIPS-mode, see the FIPS/CC Administrators Guide.
The no command option disables secure port support.

Example

minna (config) # web https enable


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show web

web https port


Description

Sets the HTTPS secure Web port.

Syntax

web https port <port>

Parameters

<port>

Specifies the port number.

Usage

The no command option disables support on a secure port.

Example

minna (config) # web https port 8080
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show web

web prefs log lines


Description

Sets the number of lines per system log page.

Syntax

web prefs log lines <number>

Parameters

<number>

Specifies the number of lines per log page.

Usage

The no command option disables the number of log lines.

Example

minna (config) # web prefs log lines 10
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show web, show web prefs

web proxy host


Description

Sets the HTTP, HTTPS, and FTP proxy.

Syntax

web proxy host <ip address> [port <port>]

Parameters

<ip address>

Specifies the IP address for the host.

<port>

Specifies the port for the host.

Usage

The no command option disables the Web proxy.

Example

minna (config) # web proxy host 10.1.2.1 port 1220


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show protocol http, show protocol ftp, show protocol connection, show web

web session renewal


Description

Sets the session renewal time. If a Web request comes in within this amount of time before the
Web session time-out, the session is automatically renewed.

Syntax

web session renewal <minutes>

Parameters

<minutes>

Specifies the number of minutes.

Usage

The default value is 10 minutes.
The no command option resets the session renewal time to the default value.

Example

minna (config) # web session renewal 5


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show web, show web prefs

web session timeout


Description

Sets the session time-out value. This is the amount of time the cookie is active.

Syntax

web session timeout <minutes>

Parameters

<minutes>

Specifies the number of minutes.

Usage

The default value is 60 minutes.
The no command option resets the session time-out to the default value.

Example

minna (config) # web session timeout 120


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show web, show web prefs
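
The FIPS Mode notes, the web httpd listen enable usage text, and the auto-logout and session defaults above can be checked together. The following Python audit is an added example, not part of the Riverbed manual or product; it assumes the settings are available as plain "web ..." / "no web ..." command lines, that interface restrictions are off unless enabled, and that the manual's default time-out is the policy ceiling. The sample configurations are constructed.

```python
# Added example: audit Management Console settings given as CLI command lines.
# Defaults are the values stated in this manual section.
DEFAULTS = {"auto_logout": 15, "session_timeout": 60, "session_renewal": 10}


def _minutes(args, index):
    """Return the <minutes> argument at args[index] as an int."""
    try:
        return int(args[index])
    except (IndexError, ValueError):
        raise ValueError("missing or non-numeric <minutes>: %r" % " ".join(args))


def parse_web_config(lines):
    """Fold 'web ...' and 'no web ...' command lines into a settings dict."""
    # http/https stay None when the input never states them.
    # Assumption: interface restrictions are off unless explicitly enabled.
    state = dict(DEFAULTS, http=None, https=None,
                 listen_enable=False, listen_ifaces=set())
    for raw in lines:
        words = raw.split()
        negate = bool(words) and words[0] == "no"
        if negate:
            words = words[1:]
        if words[:1] != ["web"]:
            continue  # not a Management Console command
        args = words[1:]
        if args == ["http", "enable"]:
            state["http"] = not negate
        elif args == ["https", "enable"]:
            state["https"] = not negate
        elif args == ["httpd", "listen", "enable"]:
            state["listen_enable"] = not negate
        elif args[:3] == ["httpd", "listen", "interface"] and len(args) == 4:
            if negate:
                state["listen_ifaces"].discard(args[3])
            else:
                state["listen_ifaces"].add(args[3])
        elif args[:1] == ["auto-logout"]:
            # 'no web auto-logout' disables automatic logout entirely.
            state["auto_logout"] = None if negate else _minutes(args, 1)
        elif args[:2] == ["session", "timeout"]:
            state["session_timeout"] = (DEFAULTS["session_timeout"] if negate
                                        else _minutes(args, 2))
        elif args[:2] == ["session", "renewal"]:
            state["session_renewal"] = (DEFAULTS["session_renewal"] if negate
                                        else _minutes(args, 2))
    return state


def audit(state):
    """Return finding codes, in a fixed order, for one parsed configuration."""
    findings = []
    if state["http"]:
        findings.append("http-enabled")           # FIPS mode requires HTTP off
    if state["https"] is False:
        findings.append("https-disabled")         # FIPS mode requires HTTPS on
    if not state["listen_enable"]:
        findings.append("listen-unrestricted")    # server accepts on all interfaces
    elif not state["listen_ifaces"]:
        findings.append("listen-list-empty")      # empty list also means all interfaces
    if state["auto_logout"] is None:
        findings.append("auto-logout-disabled")
    if state["session_timeout"] > DEFAULTS["session_timeout"]:
        findings.append("session-timeout-above-default")  # policy assumption
    return findings


# Constructed sample inputs (not captured from a real appliance).
WEAK = [
    "web http enable",
    "web https enable",
    "web httpd listen enable",      # enabled, but no interface was ever added
    "web auto-logout 20",
    "web session timeout 120",
]
HARDENED = [
    "no web http enable",
    "web https enable",
    "web httpd listen enable",
    "web httpd listen interface primary",
    "web auto-logout 15",
    "web session timeout 60",
]

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(parse_web_config(cfg)))
```

The "listen-list-empty" finding reflects the usage note for web httpd listen enable: enabling restrictions without adding an interface still leaves the server accepting connections on all interfaces.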


Configuration and File Manipulation Commands



configuration copy
Description

Copies a configuration file.

Syntax

configuration copy <sourcename> <new-filename>

Parameters

<sourcename>

Specifies the name of the source file.

<new-filename>

Specifies the name of the destination file.

Example

minna (config) # configuration copy westcoast eastcoast


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration files


configuration delete
Description

Deletes a configuration file.

Syntax

configuration delete <filename>

Parameters

<filename>

Specifies the name of the configuration file to delete.

Example

minna (config) # configuration delete westcoast
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration files

configuration factory
Description

Creates a new configuration file.

Syntax

configuration factory <filename>

Parameters

<filename>

Specifies the name of the destination file.

Example

minna (config) # configuration factory eastcoast
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration files

configuration fetch
Description

Downloads a configuration file over the network.

Syntax

configuration fetch
{<URL, scp://, or ftp://username:password@hostname/path/filename> [filename]}

Parameters

<URL, scp://, or ftp://username:password@hostname/path/filename>

Specifies the location of the configuration file to download in URL, scp://, or ftp:// format.

filename

Create a new name for the configuration file.

Usage

To copy one configuration file to another appliance, run the following set of commands:
configuration fetch <url-to-remote-config> <new-config-name>
;; this fetches the configuration from the remote
configuration switch-to <new-config-name>
;; this activates the newly fetched configuration

Example

minna (config) # configuration fetch http://domain.com/westcoast newconfig
minna (config) # configuration switch-to newconfig

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration files


configuration jump-start
Description

Restarts the configuration wizard.

Syntax

configuration jump-start

Parameters

None

Example Interceptor appliance

minna (config) # configuration jump-start


Riverbed Interceptor configuration wizard.
Step 1: Hostname? [perf1-int2]
Step 2: Use DHCP on primary interface? [no]
Step 3: Primary IP address? [10.0.0.74]
Step 4: Netmask? [255.255.0.0]
Step 5: Default gateway? [10.0.0.1]
Step 6: Primary DNS server? [10.0.0.2]
Step 7: Domain name? [domain.com]
Step 8: Admin password?
You have entered the following information:
1. Hostname: perf1-int2
2. Use DHCP on primary interface: no
3. Primary IP address: 10.0.0.74
4. Netmask: 255.255.0.0
5. Default gateway: 10.0.0.1
6. Primary DNS server: 10.0.0.2
7. Domain name: domain.com
8. Admin password: (unchanged)
To change an answer, enter the step number to return to.
Otherwise hit <enter> to save changes and exit.
Choice: Configuration changes saved.

Example Steelhead appliance

minna (config) # configuration jump-start


Configuration wizard.
Step 1: Hostname? [minna]
Step 2: Use DHCP on primary interface? [no]
Step 3: Primary IP address? [10.10.10.6]
Step 4: Netmask? [255.255.0.0]
Step 5: Default gateway? [10.0.0.1]
Step 6: Primary DNS server? [10.0.0.2]
Step 7: Domain name? [example.com]
Step 8: Admin password?
Step 9: SMTP server? [natoma]
Step 10: Notification email address? [example@example.com]
Step 11: Set the primary interface speed? [auto]
Step 12: Set the primary interface duplex? [auto]
Step 13: Would you like to activate the in-path configuration? [yes]
Step 14: In-Path IP address? [10.11.11.6]
Step 15: In-Path Netmask? [255.255.0.0]
Step 16: In-Path Default gateway?
Step 17: Set the in-path:LAN interface speed? [auto]
Step 18: Set the in-path:LAN interface duplex? [auto]
Step 19: Set the in-path:WAN interface speed? [auto]
Step 20: Set the in-path:WAN interface duplex? [auto]
You have entered the following information:
1. Hostname: minna
2. Use DHCP on primary interface: no
3. Primary IP address: 10.10.10.6
4. Netmask: 255.255.0.0
5. Default gateway: 10.0.0.1
6. Primary DNS server: 10.0.0.2
7. Domain name: example.com
8. Admin password: (unchanged)
9. SMTP server: natoma
10. Notification email address: example@example.com
11. Set the primary interface speed: auto
12. Set the primary interface duplex: auto
13. Would you like to activate the in-path configuration: yes
14. In-Path IP address: 10.11.11.6
15. In-Path Netmask: 255.255.0.0
16. In-Path Default gateway:
17. Set the in-path:LAN interface speed: auto
18. Set the in-path:LAN interface duplex: auto
19. Set the in-path:WAN interface speed: auto
20. Set the in-path:WAN interface duplex: auto
To change an answer, enter the step number to return to.
Otherwise hit <enter> to save changes and exit.
Choice:

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration, show configuration full, show configuration running

configuration merge
Description

Merges common configuration settings from one appliance to another.

Syntax

configuration merge <filename> <new-config-name>

Parameters

<filename>

Name of file from which to merge settings.

<new-config-name>

Specifies the new configuration name.

Usage

Use the configuration merge command to deploy a network of appliances. Set up a template
Interceptor appliance and merge the template with each Interceptor appliance in the network.
The following configuration settings are not merged when you run the configuration merge
command: failover settings, SNMP SysContact and SysLocation, log settings, and all network
settings (for example, host name, auxiliary interface, DNS settings, defined hosts, static routing,
and in-path routing).
The following configuration settings are merged when you run the configuration merge
command: in-path, out-of-path, protocols, statistics, CLI, email, NTP and time, Web, SNMP, and
alarm.
To merge a configuration file, run the following set of commands:
configuration write to <new-config-name>
;; this saves the current config to the new name and activates
;; the new configuration
configuration fetch <url-to-remote-config> <temp-config-name>
;; this fetches the configuration from the remote
configuration merge <temp-config-name>
;; this merges the fetched config into the active configuration
;; which is the newly named/created one in step 1 above
configuration delete <temp-config-name>
;; this deletes the fetched configuration as it is no longer
;; needed since you merged it into the active configuration

Example

minna (config) # configuration write to newconfig
minna (config) # configuration fetch http://domain.com/remoteconfig tempconfig
minna (config) # configuration merge tempconfig
minna (config) # configuration delete tempconfig
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration files, show configuration, show configuration full, show configuration
running

configuration move
Description

Moves and renames a configuration file.

Syntax

configuration move <sourcename> <destname>

Parameters

<sourcename>

Specifies the name of the source configuration file.

<destname>

Specifies the name of the new configuration file.

Example

minna (config) # configuration move westcoast eastcoast


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration files, show configuration, show configuration full, show configuration
running


configuration new
Description

Creates a new, blank configuration file.

Syntax

configuration new {<new-filename> [keep licenses]}

Parameters

<new-filename>

Specifies the name of the new configuration file.

keep licenses

Create a new configuration file with default settings and active licenses.

Usage

Riverbed recommends that you use the keep licenses command option. If you do not keep
licenses, your new configuration will not have a valid license key.

Example

minna (config) # configuration new westcoast keep licenses


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration files, show configuration, show configuration full, show configuration
running, show version, show version history

configuration flash restore


Description

Restores a saved configuration from flash memory.

Syntax

configuration flash restore

Parameters

None

Example

minna (config) # configuration flash restore


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

image flash backup, configuration flash write, write flash, show configuration files,
show configuration, show configuration full, show configuration running, show
hardware, show version, show version history

configuration flash write


Description

Writes the active configuration to flash disk memory in binary and text form.

Syntax

configuration flash write

Parameters

None

Example

minna (config) # configuration flash write


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

image flash backup, configuration flash write, write flash, show configuration files,
show configuration, show configuration full, show configuration running, show
hardware, show version, show version history


configuration revert keep-local


Description

Reverts to the initial configuration but maintains some appliance-specific settings.

Syntax

configuration revert keep-local

Parameters

None

Example

minna (config) # configuration revert keep-local


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration files, show configuration, show configuration full, show
configuration running, show hardware, show version, show version history

configuration revert saved


Description

Reverts the active configuration to the last saved configuration.

Syntax

configuration revert saved

Parameters

None

Example

minna (config) # configuration revert saved


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration files, show configuration, show configuration full, show
configuration running, show hardware, show version, show version history

configuration switch-to
Description

Loads a new configuration file and makes it the active configuration.

Syntax

configuration switch-to {<filename> | initial | initial.bak}

Parameters

<filename>

Specifies the name of the new configuration file.

initial

Specifies the initial configuration.

initial.bak

Specifies the initial backup configuration.

cold

Specifies the configuration file before SDR has occurred.

working

Specifies the current configuration.

working.bak

Specifies the current backup configuration.

Example

minna (config) # configuration switch-to westcoast


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration files, show configuration, show configuration full, show
configuration running, show hardware, show version, show version history

configuration upload
Description

Uploads the configuration file.

Syntax

configuration upload <filename>
<URL, scp://, or ftp://username:password@hostname/path/filename> [active]

Parameters

<filename>

Specifies the configuration filename.

<URL, scp://, or ftp://username:password@hostname/path/filename>

Specifies the protocol, location, and authentication credentials for a remote configuration file.

active

Makes the uploaded file the active configuration file.

Example

minna (config) # configuration upload initial scp://test:MyPassword@example/tmp/


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration files, show configuration, show configuration full, show configuration
running, show hardware, show version, show version history

configuration write
Description

Writes the current, active configuration file to memory.

Syntax

configuration write [to <filename>]

Parameters

to <filename>

Save the running configuration to a file.

Example

minna (config) # configuration write


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration files, show configuration, show configuration full, show configuration
running, show hardware, show version, show version history

file debug-dump delete


Description

Deletes debug dump file.

Syntax

file debug-dump delete <filename>

Parameters

<filename>

Specifies the debug dump file to delete.

Example

minna (config) # file debug-dump delete blah
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

debug generate dump, tcpdump, show files debug-dump, show files tcpdump

file debug-dump email


Description

Emails a debug dump file to pre-configured recipients.

Syntax

file debug-dump email <filename>

Parameters

<filename>

Emails a debug dump file to pre-configured recipients.

Example

minna (config) # file debug-dump email blah
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show email, debug generate dump, tcpdump, show files debug-dump, show files
tcpdump

file debug-dump upload


Description

Uploads a debug dump file to a remote host.

Syntax

file debug-dump upload <filename>

Parameters

<filename>

Uploads a debug dump file to a remote host.

Example

minna (config) # file debug-dump upload blah
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

debug generate dump, tcpdump, show files debug-dump, show files tcpdump

file stats delete


Description

Deletes statistics file.

Syntax

file stats delete <filename>

Parameters

<filename>

Specifies the statistics file to delete.

Example

minna (config) # file stats delete throughput
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show files stats

file stats move


Description

Renames a statistics file.

Syntax

file stats move <source filename> <destination filename>

Parameters

<source filename>

Specifies the source file to rename.

<destination filename>

Specifies the new filename.

Example

minna (config) # file stats move throughput throughput2


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show files stats

file stats upload


Description

Uploads a statistics report file to a remote host.

Syntax

file stats upload <filename>
<URL, scp://, or ftp://username:password@hostname/path/filename>

Parameters

<filename>

Specifies the source filename.

<URL, scp://, or ftp://username:password@hostname/path/filename>

Specifies the upload protocol, the location, and authentication credentials for the remote file.

Example

minna (config) # file stats upload throughput http://www.test.com/stats


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show files stats

file tcpdump
Description

Deletes or uploads a tcpdump file.

Syntax

file tcpdump {delete <filename> | upload <filename>
<URL or scp://username:password@hostname/path/filename>}

Parameters

delete <filename>

Deletes the tcpdump file.

upload <filename> <URL or scp://username:password@hostname/path/filename>

Uploads a tcpdump output file to a remote host. Specify the upload
protocol, the location, and authentication credentials for the remote
configuration file.

Example

minna (config) # file tcpdump delete dumpfile
minna (config) #
minna (config) # file tcpdump upload dump http://www.test.com/stats
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

debug generate dump, tcpdump, show files debug-dump, show files tcpdump

write flash
Description

Saves the current configuration settings to flash memory.

Syntax

write flash

Parameters

None

Example

minna (config) # write flash


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

image flash backup, configuration flash write, write flash, show configuration files,
show configuration, show configuration full, show configuration running, show
hardware, show version, show version history

write memory
Description

Saves the current configuration settings to memory.

Syntax

write memory

Parameters

None

Example

minna (config) # write memory


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration, show configuration full, show configuration running

write terminal
Description

Displays commands to recreate current running configuration.

Syntax

write terminal

Parameters

None

Example

minna (config) # write terminal

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration, show configuration full, show configuration running


tcp connection send keep-alive


Description

Configures TCP connection tools for debugging Steelhead appliances.

Syntax

tcp connection send keep-alive local-addr <local IP addr> local-port <port> remote-addr
<remote IP addr> remote-port <port>

Parameters

local-addr <local IP addr> local-port <port> remote-addr <remote IP addr> remote-port <port>

Specifies a local and remote Steelhead appliance for which you want to terminate a connection.

Usage

Enables a keep-alive timer between a local and remote Steelhead appliance so that you can
determine if there is an active connection between the appliances. If the appliance is down, it
terminates the connection. Use this command to debug connection problems in your network.

Example

minna (config) # tcp connection send keep-alive local-addr 10.0.0.0 local-port 1240
remote-addr 10.0.0.1 remote-port 1300
minna (config) #

Product

Steelhead appliance

Related Topics

show connection, show connections

tcp connection send reset


Description

Configures TCP connection tools for debugging Steelhead appliances.

Syntax

tcp connection send reset
[both local-only local-addr <local IP addr> local-port <port> remote-addr <remote IP addr>
remote-port <port> |
local-only local-addr <local IP addr> local-port <port> remote-addr <remote IP addr>
remote-port <port> |
remote-only remote-addr <remote IP addr> remote-port <port> local-addr <local IP addr>
local-port <port>

Parameters

both local-only local-addr <local IP addr> local-port <port> remote-addr <remote IP addr>
remote-port <port>

Terminates the connection for the local and remote Steelhead appliances.

local-only local-addr <local IP addr> local-port <port> remote-addr <remote IP addr>
remote-port <port>

Terminates the connection for the local Steelhead appliance.

remote-only remote-addr <remote IP addr> remote-port <port> local-addr <local IP addr>
local-port <port>

Terminates the connection for the remote Steelhead appliance.

Usage

Terminates connections between Steelhead appliances so that you can debug connection problems
in your network.

Example

minna (config) # tcp connection send reset local-only local-addr 10.0.0.0 local-port
1240 remote-addr 10.0.0.1 remote-port 1300
minna (config) #

Product

Steelhead appliance

Related Topics

show connection, show connections


Port Alias Support



port-label
Description

Configures port label settings. Port labels are names given to sets of ports. When you configure
rules for feature implementation, you can specify port labels instead of port numbers to reduce
the number of rules.

Syntax

port-label <name> port <port>

Parameters

<name>

Specifies the name of the port label. Port labels are not case sensitive and can be
any string consisting of letters, numbers, underscore ( _ ), or a hyphen ( - ).

<port>

Specifies a comma-separated list of ports and ranges of ports. For example:
22,443,990-995,3077-3078

Usage

The Riverbed system includes the following default port labels:

Secure. Contains ports that belong to the system label for secure ports. The Steelhead appliance
automatically passes through traffic on commonly secure ports (for example, ssh, https, and
smtps). For a list of secure ports, see Riverbed Ports on page 339.

Interactive. Contains ports that belong to the system label for interactive ports. The Steelhead
appliance automatically passes through traffic on interactive ports (for example, Telnet, TCP
ECHO, remote logging, and shell). For a list of interactive ports, see Riverbed Ports on
page 339.

RBT-Proto. Contains ports that belong to the label for system processes: 7744 (data store
synchronization), 7800-7801 (in-path), 7810 (out-of-path), 7820 (failover), 7850 (connection
forwarding), 7860 (Interceptor appliance).

All. Contains all ports that have been discovered by the system. This label cannot be modified.

Unknown. Contains ports that have been discovered by the system that do not belong to
another port label (besides All). Riverbed appliances automatically discover active ports.
Activity for the discovered port is included in the Traffic Summary report. If a port label
contains the discovered port, the report reflects this. If a label does not exist, the port activity is
labeled unknown. You can create an appropriately descriptive port label for activity on such
ports. All statistics for this new port label are preserved from the time the port was discovered.

You can use the port-label FOO port <port> command to add or modify ports in a port label. For
example, you define port label FOO by issuing the following command:

(config)# port-label FOO port 2-9,14

If you want to add ports to the FOO port label:

(config)# port-label FOO port 10-20

If you run the show port-label FOO command, you will see the new range of ports from 2 to 20.

The no command option resets the port label configuration settings to the defaults.

Example

minna (config) # port-label foo port 22,443,990-995,3077-3078


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show port-label
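
The label-name and port-list rules in this entry, and the additive behaviour of repeated port-label commands (2-9,14 followed by 10-20 shown as 2 to 20), as an added Python example that is not Riverbed code. The function names are hypothetical and the 1-65535 port bound is an assumption; the overlap check against the RBT-Proto ports goes slightly beyond the text to show how a custom label can be compared with a system label.

```python
import re

LABEL_RE = re.compile(r"[A-Za-z0-9_-]+")          # letters, numbers, underscore, hyphen
ITEM_RE = re.compile(r"(\d+)(?:-(\d+))?")          # "443" or "990-995"
CMD_RE = re.compile(r"port-label\s+(\S+)\s+port\s+(\S+)")


def merge(ranges):
    """Sort (lo, hi) pairs and fuse overlapping or adjacent ones."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def parse_ports(spec):
    """Parse '22,443,990-995' into merged (lo, hi) ranges; reject malformed input."""
    ranges = []
    for item in spec.split(","):
        m = ITEM_RE.fullmatch(item)
        if not m:
            raise ValueError(f"bad port item: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        # Assumption: valid ports are 1-65535; the manual does not state bounds.
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"port out of range or reversed: {item!r}")
        ranges.append((lo, hi))
    return merge(ranges)


def format_ports(ranges):
    """Render merged ranges back into the comma-separated CLI form."""
    return ",".join(str(lo) if lo == hi else f"{lo}-{hi}" for lo, hi in ranges)


def intersect(a, b):
    """Ports present in both range lists."""
    hits = [(max(alo, blo), min(ahi, bhi)) for alo, ahi in a for blo, bhi in b]
    return merge([(lo, hi) for lo, hi in hits if lo <= hi])


def apply_commands(lines):
    """Replay port-label commands; a repeated label adds ports, as in the FOO example."""
    labels = {}
    for line in lines:
        m = CMD_RE.fullmatch(line.strip())
        if not m:
            raise ValueError(f"not a port-label command: {line!r}")
        name, spec = m.groups()
        if not LABEL_RE.fullmatch(name):
            raise ValueError(f"bad label name: {name!r}")
        key = name.lower()                          # labels are not case sensitive
        labels[key] = merge(labels.get(key, []) + parse_ports(spec))
    return {k: format_ports(v) for k, v in labels.items()}


# RBT-Proto system ports as listed in the Usage text of this entry.
RBT_PROTO = parse_ports("7744,7800-7801,7810,7820,7850,7860")

if __name__ == "__main__":
    # Constructed input: the two FOO commands from the page, typed with mixed case.
    print(apply_commands(["port-label FOO port 2-9,14", "port-label foo port 10-20"]))
    # Constructed custom range checked against the system label.
    print(format_ports(intersect(parse_ports("7790-7805,7850"), RBT_PROTO)))
```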


Statistics Manipulation Commands


In This Section

stats alarm
stats chd
stats clear-all
stats export
stats sample
stats settings bandwidth
export stats

stats alarm
Description

Configures alarms based on sampled or computed statistics.

Syntax

stats alarm {<type> <options>}

Parameters

<type>

admission_conn. Should not be disabled. Whether the system connection limit
has been reached. Additional connections are passed through unoptimized.
The alarm clears when the Steelhead appliance moves out of this condition.
admission_mem. Should not be disabled. Whether the system connection
memory limit has been reached. Additional connections are passed through
unoptimized. The alarm clears when the Steelhead appliance moves out of this
condition.
arcount. Should not be disabled. Whether the system is experiencing
asymmetric traffic. If the system experiences asymmetric traffic, this condition
is detected and reported here. In addition, the traffic is passed through, and the
route appears in the Asymmetric Routing table.
bypass. Should not be disabled. Whether the system is in bypass mode. If the
Steelhead appliance is in bypass mode, restart the Steelhead service.
certs_expiring. Whether the system has expiring SSL certificates.
cf_ack_timeout. A connection cannot be established with a connection
forwarding neighbor. This alarm is cleared the next time the system
successfully connects to this neighbor.
cf_conn_failure. A connection cannot be established with a connection
forwarding neighbor. This alarm is cleared the next time the system
successfully connects to this neighbor.
cf_conn_lost_eos. A connection is closed by the connection forwarding
neighbor. This alarm is cleared the next time the system successfully connects
to this neighbor.
cf_conn_lost_err. A connection has been lost with the connection forwarding
neighbor due to an error. This alarm is cleared the next time the system
successfully connects to this neighbor.
cf_keepalive_timeout. The connection forwarding neighbor has not sent a
keep-alive message within the time-out period to the neighbor Steelhead
appliances, indicating that the connection has been lost. This alarm is cleared
the next time the system successfully connects to this neighbor.
cf_latency_exceeded. The amount of latency between connection forwarding
neighbors has exceeded the specified threshold. This alarm is cleared when the
connection latency drops below the threshold.
cf_read_info_timeout. The connection times out waiting for an initialization
message from connection forwarding neighbor. This alarm is cleared only
when reading initialization information from this neighbor succeeds.
cpu_util_indiv. Whether the system has reached the CPU threshold for any of
the CPUs in the Steelhead appliance. If the system has reached the CPU
threshold, check your settings. If your alarm thresholds are correct, reboot the
Steelhead appliance.


critical_temp. Whether the CPU temperature has exceeded the critical
threshold. The default value for the rising threshold temperature is 80 C; the
default reset threshold temperature is 70 C.
crl_error. Whether the CRL verification on the server certificate fails. A CRL
includes any digital certificates that have been invalidated before their
expiration date, including the reasons for their revocation and the names of the
issuing certificate signing authorities. A CRL prevents the use of digital
certificates and signatures that have been compromised. The certificate
authorities that issue the original certificates create and maintain the CRLs.
datastore_error. Whether the data store is corrupt. Clear the data store to clear
the alarm.
datastore_sync_error. Whether the system has detected a problem with the
synchronized data.
domain_join_error. Whether the system has encountered an error when
attempting to join a domain.
fan_error. Whether the system has detected a fan error.
fs_mnt. Whether the system has detected a file system error in the software.
halt_error. Cannot be disabled. Whether the system has detected a software
error in the Steelhead service. The Steelhead service continues to function, but
an error message appears in the logs that you should investigate.
hardware_error. Whether the system has detected a problem with the
Steelhead appliance hardware. The alarm clears when you add the necessary
hardware, remove the non-qualified hardware, or resolve other hardware
issues. The following issues trigger the hardware error alarm: the Steelhead
appliance does not have enough disk, memory, CPU cores, or NIC cards to
support the current configuration; the Steelhead appliance is using a memory
Dual In-line Memory Module (DIMM), a hard disk, or a NIC that is not
qualified by Riverbed; an RSP upgrade requires additional memory or a
memory replacement; other hardware issues.
ipmi. Whether the system has detected IPMI SEL errors.
license. Whether the system has detected an expired license.
linkstate. Whether the system has detected a link that is down. You are notified
via SNMP traps, email, and alarm status. By default this alarm is not enabled.
The no stats alarm linkstate enable command disables the link state alarm.
memory_error. Whether the system has detected a memory error.
mismatch_peer. Whether there is a mismatch between software versions in
your network. If a software mismatch is detected, resolve the mismatch by
upgrading or reverting to a previous version of the software.
nfs_v2_v4. Whether the system has triggered a v2 or v4 NFS alarm.
paging. Whether the system has reached the memory paging threshold. If 100
pages are swapped approximately every two hours the Steelhead appliance is
functioning properly. If thousands of pages are swapped every few minutes,
then reboot the Steelhead appliance. If rebooting does not solve the problem,
contact Riverbed Technical Support.
pfs_config. Whether there has been a PFS or prepopulation operation error. If
an operation error is detected, restart the Steelhead service and PFS.
pfs_operation. Whether a synchronization operation has failed. If an operation
failure is detected, attempt the operation again.

power_supply. Whether the system has detected a power supply error.
raid_error. Whether the system has encountered RAID errors (for example,
missing drives, pulled drives, drive failures, and drive rebuilds). For drive
rebuilds, if a drive is removed and then reinserted, the alarm continues to be
triggered until the rebuild is complete. Rebuilding a disk drive can take 4-6
hours.
rsp_license_expired. Whether an RSP license has expired.
rsp_license_expiring. Whether an RSP virtual machine is powered off. When
the alarm is triggered, it provides a link to the RSP Packages page.


rsp_not_on_vms. Whether an RSP virtual machine is powered off. When the
alarm is triggered, it provides a link to the RSP Packages page.
rsp_watchdog_error. Whether an RSP watchdog error has been detected.
secure_vault_unlocked. Whether the secure vault is locked. When the vault is
locked, SSL traffic is not optimized and you cannot encrypt a data store.
serial_cascade_misconfig. Whether the system has detected a serial cascade
misconfiguration error.
service_error. Whether the system has detected an error with the service.
smb_alert. Whether the system has detected an SMB signing error.
ssl_hardware. Whether the system has detected an SSL hardware error.
ssl_peer_scep_auto_reenroll. Whether the system has detected an SCEP error.
The Steelhead appliance uses SCEP to dynamically re-enroll a peering
certificate to be signed by a certificate authority. The alarm clears automatically
when the next automatic re-enrollment succeeds. To clear the alarm, execute
the protocol ssl peering auto-reenroll last-result clear-alarm command.
store_corruption. Cannot be disabled. Whether the data store is corrupt. To
clear the data store of data, restart the Steelhead service and clear the data store
on the next restart.
sw-version. Whether there is a mismatch between software versions in your
network. If a software mismatch is detected, resolve the mismatch by
upgrading or reverting to a previous version of the software.
warning_temp. Whether the CPU temperature has exceeded the warning
threshold. The default value for the rising threshold temperature is 80 C; the
default reset threshold temperature is 70 C.
<options>

Specify the following alarm options:

clear. Clears alarm settings.
enable. Enables alarm.
rate-limit {count [long | medium | short] | [reset] | [window [long |
medium | short]]}. Sets alarm event rate-limit values.
rising. Sets the rising threshold.
rising clear_threshold <amount>. Sets the threshold to clear rising alarm. The
default value for CPU temperature is 50 C.
rising error_threshold <amount>. Sets threshold to trigger rising alarm. The
default value for the CPU temperature is 50 C.
falling clear_threshold <amount>. Sets the threshold to clear falling alarm.
The default value for the CPU temperature is 0 C.
falling error_threshold <amount>. Sets the threshold to trigger falling alarm.
The default value for the CPU temperature is 0 C.

Usage

Critical temperature settings cannot be changed. Warning temperature settings can be changed.
The no command option disables all statistical alarms. The no stats alarm <type> enable
command disables specific statistical alarms.

Example

amnesiac # stats alarm bypass enable


amnesiac #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show stats alarm


stats chd
Description

Sets computed historical data points.

Syntax

stats chd <CHD ID> clear

Parameters

<CHD ID>

Specifies the specific data point: <CHD ID>, cpu_util, cpu_util_ave,
cpu_util_day, duplex_aux, duplex_lan, duplex_pri, duplex_wan, memory_day,
paging, paging_day, rbt, rbt_day, rbt_month, rbt_week, rbtkernel,
rbtkernel_day, rbtkernel_month, rbtkernel_week.

clear

Clears all data.

Example

minna (config) # stats chd rbt_month


minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show clock

stats clear-all
Description

Clears all statistics.

Syntax

stats clear-all

Parameters

None

Example

minna (config) # stats clear-all


minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show stats on page 90

stats export
Description

Exports statistics.

Syntax

stats export <format> csv <report name> after <yyyy>/<mm>/<dd> before <yyyy>/<mm>/<dd>
filename <filename>


Parameters

<format>

Specifies the format.

csv <report name>

Specifies the type of report to export:


cpu_util. CPU utilization.
memory. Memory utilization.
paging. Paging.
conns. Connection history.
bw. Aggregate bandwidth.
bw_<port>. Port bandwidth.

after <yyyy>/<mm>/<dd>

Specifies statistics collected after a specific time.

before <yyyy>/<mm>/<dd>

Specifies statistics collected before a specific time.

filename <filename>

Specifies the filename for the new report.

Example

minna (config) # stats export csv dstore newdstore


minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show stats

stats sample
Description

Configure sampled statistics.

Syntax

stats sample {<type> clear | interval <seconds>}

Parameters

type

Specifies the type of statistic: admission_conn, admission_mem, bypass,
cpu_util, duplex_aux, duplex_lan, duplex_pri, duplex_wan, halt_error,
memory, mismatch_peer, paging, raid_error, raid_warning, rbt, rbt_kernel,
service_error, store-corruption, sw-version.

clear

Clears all statistics for the specified type.

interval <seconds>

Specifies the sampling interval for this set of samples.

Examples

minna (config) # stats bypass clear


minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show stats


stats settings bandwidth


Description

Configure sampled statistics.

Syntax

[no] stats settings bandwidth <port> desc <description>

Parameters

<port>

Specifies the port number.

desc <description>

Specifies a description of the port.

Usage

The no command option disables bandwidth statistics.

Example

minna (config) # stats settings bandwidth 2727


minna (config) #

Product

Steelhead appliance

Related Topics

show stats


Notification and SNMP Commands


In This Section

email autosupport enable
email domain
email mailhub
email mailhub-port
email notify events enable
email notify events recipient
email notify failures enable
email notify failures recipient
email send-test
snmp-server community
snmp-server contact
snmp-server enable
snmp-server host
snmp-server listen enable
snmp-server listen interface
snmp-server location

email autosupport enable


Description

Enables automatic email notification of significant alarms and events to Riverbed Technical
Support.

Syntax

email autosupport enable

Parameters

None

Usage

The no command option disables automatic email notification.

Example

minna (config) # email autosupport enable


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show email


email domain
Description

Specifies the domain for email notifications.

Syntax

email domain <host name or IP address>

Parameters

<host name or IP address>

Specifies the domain for email notifications (only if the email
address does not contain it).

Usage

Use the email domain command only if the email address does not contain the domain.

The no command option disables the email domain.

Example

minna (config) # email domain example.com
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show email

email mailhub
Description

Specifies the SMTP server for email notifications.

Syntax

email mailhub <host name or IP address>

Parameters

<host name or IP address>

Specifies the SMTP server for email notifications.

Usage

The no command option disables the SMTP server.

Example

minna (config) # email mailhub mail-server.example.com
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show email

email mailhub-port
Description

Specifies the mail port for email notifications.

Syntax

email mailhub-port <port number>

Parameters

<port number>

Specifies the mail port for email notifications.

Usage

The no command option disables the SMTP server.

Example

minna (config) # email mailhub-port 135
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show email

email notify events enable


Description

Enables email notification for events.

Syntax

email notify events enable

Parameters

None

Usage

The no command option disables email notification.

Example

minna (config) # email notify events enable


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show email

email notify events recipient


Description

Enables email notification for events.

Syntax

email notify events recipient <email addr>

Parameters

<email addr>

Specifies the email address of users to receive notification of events.

Usage

The no command option disables email notification.

Example

minna (config) # email notify events recipient example@example.com
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show email

email notify failures enable


Description

Enables email notification of appliance failures, such as core dumps.

Syntax

email notify failures enable

Parameters

None

Usage

The no command option disables email notification.

Example

minna (config) # email notify failures enable


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show email


email notify failures recipient


Description

Enables email notification of appliance failures, such as core dumps.

Syntax

email notify failures recipient <email addr>

Parameters

recipient <email-addr>

Specifies the email address of users to receive notification of failures.

Usage

The no command option disables email notification.

Example

minna (config) # email notify failures recipient example@example.com
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show email

email send-test
Description

Sends test email to all configured event and failure recipients.

Syntax

email send-test

Parameters

None

Example

minna (config) # email send-test


minna (config) #

Related Topics

show email

snmp-server community
Description

Enables an SNMP server community.

Syntax

[no] snmp-server community <name>

Parameters

<name>

Specifies the name of the SNMP server community.

Usage

The no command option disables an SNMP server community.

Example

minna (config) # snmp-server community ReaDonLy
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show snmp

snmp-server contact
Description

Sets the SNMP server contact.

Syntax

snmp-server contact <name>

Parameters

<name>

Specifies the user name of the SNMP server community contact.

Usage

The no command option disables the SNMP server contact.

Example

minna (config) # snmp-server contact john doe
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show snmp

snmp-server enable
Description

Enables an SNMP server.

Syntax

snmp-server enable [traps]

Parameters

None

Usage

FIPS Mode

If you are running the Steelhead appliance in FIPS mode, you must make sure that SNMPv2 is not
enabled. You must run the no snmp-server enable command to shut down the SNMP server on
the Steelhead appliance. When you disable the SNMP server, SNMP traps are not sent out from
the appliance and SNMP queries cannot be performed to the servers from SNMP browsers (such
as snmpwalk). For detailed information about configuring FIPS mode, see the FIPS/CC
Administrator's Guide.

The no command option disables the SNMP server and traps.

Example

minna (config) # snmp-server enable


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show snmp

snmp-server host
Description

Sets the SNMP server host, traps, and version.

Syntax

snmp-server {host <host name or IP address>} [traps <host>] [traps version <versionnumber>]

Parameters

<host name or IP address>

Specifies the host name or IP address for the SNMP server.

traps <host>

Specifies the SNMP host on a community.

traps version <versionnumber>

Specifies the SNMP version of traps to send to this host.

Usage

The no command option disables the SNMP server host.


Example

minna (config) # snmp-server host minna


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show snmp

snmp-server listen enable


Description

Enables SNMP interface restrictions to this system.

Syntax

snmp-server listen enable

Parameters

None

Usage

After you have enabled interface restrictions, you must specify which interfaces to accept
connections on using the snmp-server listen interface command. If the list of interfaces is empty,
all interfaces are accepted. If the list of interfaces has at least one entry, then the server listens only
on that subset of interfaces.

The no command option disables SNMP interface restrictions, which causes SNMP to accept
connections from all interfaces.

SNMP interface restrictions are not available through the Management Console.

FIPS Mode

If you are running the Steelhead appliance in FIPS mode, you must make sure that SNMPv2 is not
enabled. You must run the no snmp-server enable command to shut down the SNMP server on
the Steelhead appliance. When you disable the SNMP server, SNMP traps are not sent out from
the appliance and SNMP queries cannot be performed to the servers from SNMP browsers (such
as snmpwalk).

The snmp-server listen enable command restricts SNMP access on all interfaces. If you have not
specified interfaces using the snmp-server listen interface command, no SNMP queries
can be performed on this Steelhead appliance through snmpwalk or other SNMP applications.

Example

minna (config) # snmp-server listen enable


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show snmp

snmp-server listen interface


Description

Adds an interface to the SNMP server access restriction list.

Syntax

snmp-server listen interface <interface>

Parameters

<interface>

Specifies a comma-separated list of IP addresses.

Usage

To add an interface to the list to listen on:

snmp-server listen interface <interface>

To remove an interface from the list:

no snmp-server listen interface <interface>

The no command option removes the SNMP interface.

SNMP interface restrictions are not available through the Management Console.

Example

minna (config) # snmp-server listen interface 10.0.0.1, 10.0.0.4


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show snmp

snmp-server location
Description

Sets the SNMP server location.

Syntax

snmp-server location <addr>

Parameters

<addr>

Specifies the location of the system.

Usage

The no command option disables the SNMP server location.

Example

minna (config) # snmp-server location 10.10.10.1
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show snmp


Data Store Management Commands


In This Section

datastore convert
datastore encryption type
datastore notification enable
datastore notification wrap-around
datastore receive port
datastore send addr
datastore sync enable
datastore sync master
datastore sync peer-ip
datastore sync port
datastore sync reconnect

datastore convert
Description

Converts the data store from software v2.x to v3.x or v4.x formats.

Syntax

datastore convert [dsv1-format | dsv2-format]

Parameters

[dsv1-format | dsv2-format]

Specify a decimal-separated value format:

dsv1-format. To convert the data store to a format that can be booted by
Version 2.1.x.
dsv2-format. To convert the data store to a format that can be booted by
Version 3.x or higher.


Usage

The datastore convert command is provided to support software downgrades.

If you downgrade the software version from v3.x/4.x without converting the data store to v2.x
format, the system will detect data store corruption.

To reformat the data store for downgrades:

1. Stop the Steelhead service.
2. Convert the data store to a DSV1 format:
   datastore convert dsv1-format
3. Boot the lower version image.


Example

minna (config) # no service enable


minna (config) # datastore convert dsv1-format
minna (config) # reload

Product

Steelhead appliance

Related Topics

show datastore

datastore encryption type


Description

Specifies the type of encryption to use to encrypt the Steelhead appliance data store. Also turns
data store encryption on and off.

Syntax

datastore encryption type {NONE | AES_128 | AES_192 | AES_256}

Parameters

[NONE | AES_128 | AES_192 | AES_256]

Specify a data store encryption scheme:

NONE. Do not encrypt the data store.
AES_128. Use the Advanced Encryption Standard (AES) 128-bit cipher
setting.
AES_192. Use the AES 192-bit cipher setting.
AES_256. Use the AES 256-bit cipher setting. This encryption scheme is the
most secure.


Usage

NOTE: Data store synchronization traffic is not encrypted.


IMPORTANT: After you turn data store encryption on or off, or change the data store encryption
scheme, you must clean the data store and restart the Steelhead service.
To encrypt the data store, you must:
1. Make sure your secure vault is unlocked.
The encryption key is stored in the secure vault.
2. Turn on data store encryption by using the datastore encryption type command to specify an
encryption scheme.
3. Clean the data store and restart the Steelhead service:
restart clean

To turn off data store encryption:


1. Specify none as the encryption scheme. For example:
datastore encryption type none

2. Clean the data store and restart the Steelhead service:


restart clean

If your data store is encrypted and you want to downgrade Steelhead appliance software to a
version prior to 4.1, you must:
1. Turn off data store encryption.
To do so, use the command datastore encryption type none. Setting the encryption type to
none turns off data store encryption.
2. Clean the data store and restart the Steelhead service:
restart clean

For more information, see the Steelhead Management Console User's Guide.

Example

minna (config) # datastore encryption type AES_192


minna (config) # restart clean

Product

Steelhead appliance

Related Topics

protocol ssl enable, secure-vault, restart, show datastore

datastore notification enable


Description

Enables email notification when the data in the data store is replaced with new data in less time
than you specify.

Syntax

[no] datastore notification enable

Parameters

None

Usage

Steelhead appliance only.
The no command option disables notification wrap-around.

Example

minna (config) # datastore notification enable


minna (config) #

Product

Steelhead appliance

Related Topics

show datastore

datastore notification wrap-around


Description

Sets the number of days to elapse before sending an email message notifying you that the data in
the data store has been replaced.

Syntax

[no] datastore notification wrap-around <days>

Parameters

wrap-around <days>

Specifies the number of days to elapse before sending an email message
notifying you that the data in the data store has been replaced.

Usage

Steelhead appliance only.
The no command option disables notification wrap-around.


Example

minna (config) # datastore notification wrap-around 2


minna (config) #

Product

Steelhead appliance

Related Topics

show datastore

datastore receive port


Description

Receives the data store from another Steelhead appliance.

Syntax

datastore receive port <port>

Parameters

<port>

Specifies the port of the Steelhead appliance that will receive the data store.

Example

minna (config) # datastore receive port 2202
minna (config) #

Product

Steelhead appliance

Related Topics

show datastore

datastore send addr


Description

Copies the data store to another Steelhead appliance.

Syntax

datastore send addr <addr> port <port>

Parameters

<addr>

Specifies the IP address of the remote Steelhead appliance from which to send the
data store.

<port>

Specifies the corresponding port.

Example

minna (config) # datastore send addr 10.0.0.2


minna (config) #

Product

Steelhead appliance

Related Topics

show datastore, show stats

datastore sync enable


Description

Enables pairs of Steelhead appliances on the same side of a WAN to automatically keep their data
stores synchronized. This feature provides for failover and overflow capacity without
performance loss. Although the two features are typically enabled together, you can enable this
feature (which, beginning with version 4.0, is also known as active-active synchronization)
independent of whether you have enabled failover.

Syntax

[no] datastore sync enable

Parameters

None

Usage

Automated data store synchronization allows pairs of Steelhead appliances on the same side of a
WAN to keep their data stores automatically synchronized.
In pre-4.0 versions of Steelhead appliance software, automated data store synchronization
involved configuring a pair of Steelhead appliances, one as active and the other as passive. A
synchronization server (sync-server) ran on the active Steelhead appliance, and sent segment
pages to the synchronization client (sync-client) running on the passive Steelhead appliance.
Beginning with version 4.0, pairs of Steelhead appliances on the same side of a WAN can keep
their data stores synchronized via active-active synchronization (active-active sync). With
active-active sync, both the sync-client and sync-server are enabled on each Steelhead appliance,
thus allowing each Steelhead appliance to send and receive new data-store segment pages.
Active-active sync not only provides automatic synchronization and replication but also provides
for failover and overflow capacity without performance loss.
Although the failover and active-active sync features are typically enabled together, you can
enable active-active sync independently of standard failover.
To use active-active sync, you configure two Steelhead appliances, one as a synchronization server
(the synchronization master) and the other as synchronization backup. After you have enabled
and configured active-active sync, both Steelhead appliances are active and optimize connections.
Additionally, the data stores are actively kept synchronized. Active-active sync replicates data
using the following techniques:
Catch-up. Copies data that is already on the master Steelhead appliance data store to the backup
Steelhead appliance. The first time you synchronize your data stores, the backup data store is
overwritten by the master during catch-up. Subsequently, synchronization occurs in both
directions (from the master to the backup and vice versa). If your data stores are out-of-sync, the
Steelhead appliance determines what data has changed on both the master and the backup, and
only copies the missing data.
Keep-up. New data in the backup Steelhead appliance is sent to the master Steelhead appliance
and new pages in the master Steelhead appliance are sent to the backup Steelhead appliance.
Keep-up runs continuously, copying new data that the master Steelhead appliance encounters on
the backup Steelhead appliance and vice versa.
The synchronization server functions as the master copy of the data. Data is replicated from the
master to the backup at the beginning of the process, not from the backup to the master. Data on
the master is replicated to the backup using the catch-up mechanism. Any data on the backup is
deleted.
If a synchronization master Steelhead appliance fails, the backup Steelhead appliance continues
intercepting traffic and acquiring new data. When the master Steelhead appliance comes back
online, synchronization stops.
If data store synchronization is interrupted for any reason (such as a network interruption or if
one of the Steelhead appliances is taken out of service), the Steelhead appliances continue other
operations without disruption. When the interruption is resolved, data store synchronization
resumes where it left off without risk of data corruption.

Before you replace a synchronization master for any reason, Riverbed recommends that you make
the backup Steelhead appliance the new master. This enables the new master (the former backup)
to warm the new (replacement) Steelhead appliance, ensuring that the most recent data is
optimized and none is cleared.
To enable active-active sync, the synchronization master and its backup:
must be on the same side of the WAN.
do not have to be in the same physical location. If they are in different physical locations, they
must be connected via a fast, reliable LAN connection with minimal latency.
must be running the same version of the RiOS software.
must have the same hardware model.
IMPORTANT: If you are setting up active-active sync for the first time, you must restart the
Steelhead service on both Steelhead appliances.
For data store synchronization, the master Steelhead appliance serves as the original copy of the
data for replication. Both the master and the backups are active at the same time.
In most implementations in which both failover and active-active sync are enabled, the same
Steelhead appliance serves as the master for both failover and data store synchronization.
However, if you enable failover and active-active synchronization, the failover master and the
synchronization master do not have to be the same Steelhead appliance.
The no command option disables automatic synchronization.

Example

minna (config) # datastore sync peer-ip "192.148.0.12"
minna (config) # datastore sync port "7744"
minna (config) # datastore sync reconnect "30"
minna (config) # datastore sync master
minna (config) # datastore sync enable
minna (config) #

Product

Steelhead appliance

Related Topics

show datastore, show stats

datastore sync master


Description

Sets the local appliance as the master appliance to which the data stores for other appliances
synchronize.

Syntax

[no] datastore sync master

Parameters

None

Usage

The no command option removes the master status for the appliance data store.

Example

minna (config) # datastore sync master


minna (config) #

Product

Steelhead appliance

Related Topics

show datastore, show stats

datastore sync peer-ip


Description

Sets the IP address of the peer appliance to which you want to push replicated data.
This must be the primary IP address of a backup appliance.

Syntax

datastore sync peer-ip <addr>

Parameters

<addr>

Specifies the primary IP address of the backup appliance.

Example

minna (config) # datastore sync peer-ip 10.0.0.3
minna (config) #

Product

Steelhead appliance

Related Topics

show datastore, show stats

datastore sync port


Description

Sets the port of the peer Steelhead appliance to which you want to push replicated data.

Syntax

datastore sync port <port>

Parameters

<port>

Specifies the port of the peer Steelhead appliance. The default value is 7744.

Example

minna (config) # datastore sync port 1234
minna (config) #

Product

Steelhead appliance

Related Topics

show datastore, show stats

datastore sync reconnect


Description

Sets the reconnection interval for data store synchronization.

Syntax

[no] datastore sync reconnect <seconds>

Parameters

<seconds>

Specifies the number of seconds for the reconnection interval. The default value is 30.

Usage

The no command option resets the reconnection interval to the default.

Example

minna (config) # datastore sync reconnect 40
minna (config) #

Product

Steelhead appliance

Related Topics

show datastore, show stats

Logging Commands
In This Section

logging
logging files rotation criteria frequency
logging files rotation criteria size
logging files delete
logging files rotation force
logging files rotation max-num
logging local
logging trap

logging
Description

Adds a remote system log (syslog) server to the system.

Syntax

logging <addr> [trap <log level>]

Parameters

<addr>

Specifies the IP address for the syslog server.

trap <log level>

Specifies the trap log level of the syslog server. If you have set different log
levels for each remote syslog server, this option changes all remote syslog
servers to have a single log level.

Usage

The no command option removes a remote syslog server from the system.

Example

minna (config) # logging 10.0.0.2


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show log, show logging

logging files delete


Description

Deletes the oldest log file or a specified number of the oldest log files.

Syntax

logging files delete [oldest <number>]

Parameters

oldest [<number>]

Deletes the single oldest log file.


Specifies the number of old log files to delete. The range is 1-10.

Usage
Example

minna (config) # logging files delete oldest 10


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show log, show logging

logging files rotation criteria frequency


Description

Sets the frequency of log rotation.

Syntax

logging files rotation criteria frequency <rotation frequency>

Parameters

<rotation frequency>

Specifies how often log rotation occurs: monthly, weekly, daily.

Usage

The default value is weekly.

Example

minna (config) # logging files rotation criteria frequency weekly
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show log, show logging

logging files rotation criteria size


Description

Sets the size, in MB, of the log file before rotation occurs.

Syntax

logging files rotation criteria size <size>

Parameters

<size>

Specifies the size of the log file to save in MB.

Usage

The default value is 0 (unlimited).

Example

minna (config) # logging files rotation criteria size 100
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show log, show logging

logging files rotation force


Description

Rotates logs immediately.

Syntax

logging files rotation force

Parameters

None

Example

minna (config) # logging files rotation force


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show log, show logging

logging files rotation max-num


Description

Sets the maximum number of log files to keep locally.

Syntax

logging files rotation max-num <number>

Parameters

<number>

Specifies the number of log files to keep locally. The range is 1-100.

Usage

The default value is 10.

Example

minna (config) # logging files rotation max-num 10
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show log, show logging

logging local
Description

Sets the minimum severity of log messages saved on the local syslog servers.

Syntax

logging local <loglevel>

Parameters

<loglevel>

Specifies the logging severity level. The following severity levels are supported:
emerg. Emergency, the system is unusable.
alert. Action must be taken immediately.
crit. Critical conditions.
err. Error conditions.
warning. Warning conditions.
notice. Normal but significant condition.
info. Informational messages.
debug. Debug-level messages.

Usage

The default value is none.


The no command option sets the severity level for logging to none (no logs are sent).

Example

minna (config) # logging local notice


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show log, show logging

logging trap
Description

Sets the minimum severity for messages sent to the remote syslog servers.

Syntax

logging trap <loglevel>

Parameters

<loglevel>

Specifies the logging severity level. The following levels are supported:
emerg. Emergency, the system is unusable.
alert. Action must be taken immediately.
crit. Critical conditions.
err. Error conditions.
warning. Warning conditions.
notice. Normal but significant condition.
info. Informational messages.
debug. Debug-level messages.

Usage

The default value is none.
The no command option sets the severity level for logging to none.

Example

minna (config) # logging trap notice
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show log, show logging
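
The data store encryption, synchronization, and logging settings documented above can be reviewed together offline. The following Python check is an added example, not part of the Riverbed manual or of RiOS: it assumes the configuration is available as one documented command per line (the layout of a real configuration dump is an assumption), and the finding codes are hypothetical labels.

```python
import re
import shlex

# Constructed sample: configuration commands in the syntax documented above,
# one per line. The layout of a real configuration dump is an assumption.
SAMPLE_CONFIG = """
datastore encryption type AES_192
datastore sync peer-ip "10.0.0.3"
datastore sync port "7744"
datastore sync master
datastore sync enable
logging 10.0.0.2
logging local notice
"""

PROMPT = re.compile(r"^\S+\s+\(config\)\s+#\s*")  # e.g. "minna (config) # "


def audit(config_text):
    """Return (code, message) findings; the codes are hypothetical labels."""
    enc = None            # last "datastore encryption type" value seen
    sync_on = False
    peer = "unknown peer"
    servers = set()       # remote syslog servers added with "logging <addr>"
    trap = "none"         # manual: default for "logging trap" is none
    local = "none"        # manual: default for "logging local" is none

    for raw in config_text.splitlines():
        words = shlex.split(PROMPT.sub("", raw.strip()))
        negate = bool(words) and words[0] == "no"
        if negate:
            words = words[1:]
        if not words:
            continue
        head, args = words[0], words[1:]

        if head == "datastore" and args[:2] == ["encryption", "type"] and len(args) == 3:
            enc = args[2].upper()          # the manual uses both AES_192 and none
        elif head == "datastore" and args[:2] == ["sync", "enable"]:
            sync_on = not negate
        elif head == "datastore" and args[:2] == ["sync", "peer-ip"] and len(args) == 3:
            peer = args[2]
        elif head == "logging" and args[:1] in (["trap"], ["local"]):
            if negate:
                level = "none"             # "no logging trap|local" resets to none
            elif len(args) == 2:
                level = args[1].lower()
            else:
                continue                   # malformed line: leave setting unchanged
            if args[0] == "trap":
                trap = level
            else:
                local = level
        elif head == "logging" and args and args[0] != "files":
            # logging <addr> [trap <log level>]
            if negate:
                servers.discard(args[0])
            else:
                servers.add(args[0])
                if len(args) == 3 and args[1] == "trap":
                    trap = args[2].lower()  # applies to all remote servers

    findings = []
    if enc is None:
        findings.append(("DS-ENC-UNSET", "no datastore encryption type command found"))
    elif enc == "NONE":
        findings.append(("DS-ENC-NONE", "data store encryption is turned off"))
    elif enc in ("AES_128", "AES_192"):
        findings.append(("DS-ENC-WEAKER",
                         f"{enc} in use; the manual rates AES_256 as the most secure"))
    if sync_on:
        findings.append(("DS-SYNC-CLEARTEXT",
                         f"data store sync to {peer} is enabled and sync traffic is "
                         "not encrypted; keep the peer link on a trusted LAN"))
    if not servers:
        findings.append(("LOG-NO-REMOTE", "no remote syslog server is configured"))
    elif trap == "none":
        findings.append(("LOG-TRAP-NONE",
                         "remote syslog server set but logging trap is none, "
                         "so no messages are forwarded"))
    if local == "none":
        findings.append(("LOG-LOCAL-NONE", "logging local is none; nothing is saved"))
    return findings


if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONFIG):
        print(f"{code}: {message}")
```

Because changing the encryption scheme only takes effect after `restart clean`, a finding on the encryption type implies a maintenance window in which the data store is cleared.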

License and Upgrade Commands


In This Section

boot system
hardware upgrade model
image boot
image delete
image fetch
image flash backup
image install
image move
license delete
license install

boot system
Description

Boots the specified partition the next time the appliance is rebooted.

Syntax

boot system <partition>

Parameters

<partition>

Specifies the partition to boot: 1 or 2.

Example

minna (config) # boot system 1
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show version, show version history, show images, show info, show bootvar

hardware upgrade model


Description

Upgrades hardware settings to reflect new hardware model.

Syntax

hardware upgrade model

Parameters

None

Usage

This command is valid only after you have installed a hardware upgrade license.
The no command option disables ECC memory check.

Example

minna (config) # hardware upgrade model


minna (config) #

Product

Steelhead appliance

Related Topics

show version, show version history, show images, show info, show bootvar

image boot
Description

Boots the specified system image by default.

Syntax

image boot <partition>

Parameters

<partition>

Specifies the partition to boot: 1 or 2.

Example

minna (config) # image boot 1
minna (config) #

Product

CMC appliance, Steelhead appliance, Interceptor appliance

Related Topics

show version, show version history, show images, show info, show bootvar

image delete
Description

Deletes the specified software image.

Syntax

image delete <image-filename>

Parameters

<image-filename>

Specifies the software image to delete.

Example

minna (config) # image delete snkv1.0
minna (config) #

Product

CMC appliance, Steelhead appliance, Interceptor appliance

Related Topics

show version, show version history, show images, show info, show bootvar

image fetch
Description

Downloads a software image from a remote host.

Syntax

image fetch <URL, scp://, or ftp://username:password@hostname/path/filename> <image-filename>

Parameters

<URL, scp://, or ftp://username:password@hostname/path/filename>

Specifies the upload protocol, the location, and authentication
credentials for the remote image file.

<image-filename>

Specifies the filename under which to store the image locally.
A carriage return downloads the image and gives it the same name it
had on the server.

Example

minna (config) # image fetch http://www.domain.com/v.1.0 version1.0


minna (config) #

Product

CMC appliance, Steelhead appliance, Interceptor appliance

Related Topics

show version, show version history, show images, show info, show bootvar

image flash backup


Description

Backs up the current image to flash memory.

Syntax

image flash backup <image version>

Parameters

<image version>

Specifies the filename under which to store the image on the flash disk.

Example

minna (config) # image flash backup image 19
minna (config) #

Product

CMC appliance, Steelhead appliance, Interceptor appliance

Related Topics

configuration flash restore, configuration flash write, show version, show version
history, show images, show info, show bootvar

image flash restore


Description

Restores the system to an image in flash memory.

Syntax

image flash restore <flash recovery image>

Parameters

<flash recovery image>

The name of the image saved on the flash disk.

Example

minna (config) # image flash restore image 19
minna (config) #

Product

CMC appliance, Steelhead appliance, Interceptor appliance

Related Topics

configuration flash restore, configuration flash write, show version, show version
history, show images, show info, show bootvar

image install
Description

Installs the software image onto a system partition.

Syntax

image install <image-filename> <partition>

Parameters

<image-filename>

Specifies the software image filename.

<partition>

Specifies the partition number: 1, 2.

Example

minna (config) # image install version1.0 2


minna (config) #

Product

CMC appliance, Steelhead appliance, Interceptor appliance

Related Topics

show version, show version history, show images, show info, show bootvar

image move
Description

Moves or renames an inactive system image on the hard disk.

Syntax

image move <source-image-name> <new-image-name>

Parameters

<source-image-name>

Specifies the name of the software image to move or rename.

<new-image-name>

Specifies the new name of the software image.

Example

minna (config) # image move www.domain.com/v.1.0 version1.0


minna (config) #

Product

CMC appliance, Steelhead appliance, Interceptor appliance

Related Topics

show version, show version history, show images, show info, show bootvar

license delete
Description

Deletes the specified license key.

Syntax

license delete <key>

Parameters

<key>

Specifies the license key.

Example

minna (config) # license delete SH10_B-0000-1-7F14-FC1F
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show version, show version history, show images, show info, show bootvar

license install
Description

Installs a new software license key.

Syntax

license install <license key>

Parameters

<license key>

Specifies the license key.

Usage

The no command option disables this command.

Example

minna (config) # license install SH10_B-0000-1-7F14-FC1F
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show licenses

System Service and Other System Administration Commands


In This Section

hardware watchdog
job comment
job date-time
job enable
job execute
job fail-continue
job name
job recurring
reload
restart
service enable
service error reset
service map-port
service neural-framing
service port

hardware watchdog
Description

Enables the hardware watchdog which monitors the system for hardware errors.

Syntax

hardware watchdog enable

Parameters

None

Example

minna (config) # hardware watchdog enable


minna (config) #

Product

Steelhead appliance

Related Topics

show hardware, show hardware error-log, show hardware watchdog

job
Description

Schedules CLI command execution for a specified time in the future.

Syntax

job <job-id> command <sequence #> <cli-command>

Parameters

<job-id>

Specifies the job identification number.

<sequence #>

Specifies the sequence number for job execution. The sequence number is an
integer that controls the order in which a CLI command is executed. CLI
commands are executed from the smallest to the largest sequence number.

<cli-command>

Specifies the CLI command.

Usage

A job includes a set of CLI commands and a time when the job will run. Jobs are run one time only,
but they can be reused.
Any number of CLI commands can be specified with a job and are executed in an order specified
by sequence numbers. If a CLI command in the sequence fails, no further commands in the job are
executed. A job can have an empty set of CLI commands.
The output of all executed commands is saved to a file in a specified directory. The output of
each command is simply appended to the file.
The job output and any error messages are saved. Jobs can be canceled and rescheduled.
The no job <job-id> command <sequence #> command option deletes the CLI command from
the job.
The no job <job-id> command option removes all statistics associated with the specified job. If
the job has not executed, the timer event is canceled. If the job was executed, the results are
deleted along with the job statistics.

Example

minna (config) # job 10 command 1 show info
minna (config) # job 10 command 2 show connections
minna (config) # job 10 command 3 show version

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show jobs

job comment
Description

Adds a comment to the job for display when show jobs is run.

Syntax

job <job-id> comment <comment>

Parameters

<job-id>

Specifies the job identification number.

<comment>

Specifies the comment for the job.

Usage

The no command option deletes the comment.

Example

minna (config) # job 10 comment this is a test


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show jobs

job date-time
Description

Sets the date and time for the job to execute.

Syntax

job <job-id> date-time-pairs <hh>: <mm> [<ss>] | [<date>]

Parameters

<job-id>

Specifies the job identification number.

<hh>: <mm> [<ss>] [<date>]

Specifies the date and time for the job to execute. An hour and
minute must be specified; optionally, you can specify seconds or
the date.

Usage

If the time specified is in the past, the job does not execute and is in the inactive state. An hour and
minute must be specified; optionally, you can specify seconds or the date.
The no command option disables the date and time settings.

Example

minna (config) # job 10 date-time-pairs 04:30:23
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show jobs

job enable
Description

Enables a CLI command job to execute at the date and time specified in the job.

Syntax

job <job-id> enable

Parameters

<job-id>

Specifies the job identification number.

Usage

The no command option disables jobs.

Example

minna (config) # job 10 enable
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show jobs

job execute
Description

Forces an immediate execution of a job. The timer (if set) is canceled, and the job is moved to the
completed state.

Syntax

job <job-id> execute

Parameters

<job-id>

Specifies the job identification number.

Example

minna (config) # job 10 execute
minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show jobs

job fail-continue
Description

Executes all commands in a job even if a command in the sequence fails.

Syntax

job <job-id> fail-continue

Parameters

<job-id>

Specifies the job identification number.

Usage

The no command option disables this command.

Example

minna (config) # job 10 fail-continue
minna (config) #

Related Topics

show jobs

job name
Description

Specifies a name for the job.

Syntax

job <job-id> name <friendly-name>

Parameters

<job-id>

Specifies the job identification number.

<friendly-name>

Specifies a name for the job.

Usage

The no command option deletes the job name.

Example

minna (config) # job 10 name myjob


minna (config) #

Related Topics

show jobs

job recurring
Description

Specifies the frequency with which to recurrently execute this job.

Syntax

job <job-id> recurring <seconds>

Parameters

<job-id>

Specifies the job identification number.

<seconds>

Specifies how frequently the recurring job should execute.

Example

minna (config) # job 10 recurring 36000


minna (config) #

Related Topics

show jobs

reload
Description

Reboots the system.

Syntax

reload [clean [halt] | halt | force]

Parameters

clean [halt]

Clears the data store, then reboots or shuts down the system.

halt

Shuts down the system.

force

Forces an immediate reboot of the system even if it is busy.

Usage
Example

minna # reload
The session will close. It takes about 2-3 minutes to reboot the appliance.

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration running, show hardware error-log, show info, show log

restart
Description

Restarts the optimization service.

Syntax

restart [clean]

Parameters

clean

Restarts the optimization service and clears the data store.

Example

minna # restart
Terminating the process....
Relaunching the process.

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show datastore

service enable
Description

Starts the Riverbed service.

Syntax

service enable

Parameters

None

Usage

The no command option disables the service (that is, it disables all the configured in-path IP
addresses and ports and the appliance loses its connection to the Management Console).

Example

minna (config) # service enable


minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show configuration running

service error reset


Description

Resets the Steelhead service after a service error.

Syntax

service error reset

Parameters

None

Example

minna (config) # service error reset


minna (config) #

Product

Steelhead appliance

Related Topics

show configuration running

service map-port
Description

Sets a target port to service port mapping.

Syntax

[no] service map-port <dest port> <service port>

Parameters

<dest port>

Specifies the destination port to which you want to map.

<service port>

Specifies the service port to which you want to map.

Usage

Setting multiple service ports on inner connections enables you to identify the type of traffic and
apply QoS settings based on a port.
For example, in an in-path deployment, CIFS and MAPI could be mapped to port 9800 and HTTP
to port 9802. You can configure the WAN router to tag packets for port 9800 with the same priority
as for port 9802, so that CIFS and MAPI have the same priority as HTTP. Or you can create a
hierarchical mapping where port 9800 receives a higher priority than 9802, and so on.
In the out-of-path deployment, you define which port to listen to on the server Steelhead
appliance, and you define an in-path, fixed-target rule on the client Steelhead appliance to point to
the service ports for the traffic to which you want to apply QoS.
You cannot map the following ports:
Port 22. Reserved for SSH.
Ports 80, 443, and 446. Reserved for the Management Console.
Ports 139, 445, and 977. Reserved for PFS. These ports are excluded only if you have enabled PFS.
Ports 7800-7899. Reserved by Riverbed (except 7800 and 7810).
Port 8777. Reserved for CIFS transparent prepopulation. This port is excluded only if you have enabled CIFS prepopulation.
The no command option disables the service map.

Example

minna (config) # service map-port 7018 8000


minna (config) #

Product

Steelhead appliance

Related Topics

show service ports


service neural-framing
Description

Dumps or enables neural-framing statistics.

Syntax

[no] service neural-framing [dump | iterations | stats enable]

Parameters

dump <cr>

Dumps neural-framing debug files, which will be used by sysdump.

iterations <cr>

Resets iterations before determining heuristic. Used only with the no option.
For example: no service neural-framing iterations

stats enable <cr>

Enables collection of neural-framing statistics.

Usage

By default, neural-framing statistics are disabled. Neural framing enables the Steelhead appliance
to select the optimal packet framing boundaries for SDR. SDR encoding provides the best
optimization results when the largest buffer is available before a flush is performed.
Neural framing creates a set of heuristics to intelligently determine the optimal moment to flush
TCP buffers. The Steelhead appliance continuously evaluates these heuristics and uses the
optimal heuristic to maximize the amount of buffered data transmitted in each flush, while
minimizing the amount of idle time that the data sits in the buffer.
You must set the neural framing mode (algorithm) for in-path rules for which you want to apply
neural framing.
The no command option disables neural-framing statistics.

Example

minna (config) # service neural-framing stats enable


minna (config) #

Product

Steelhead appliance

Related Topics

show stats

service port
Description

Adds a new service port for use with multiple service ports. Service ports are the ports used for
inner connections between Steelhead appliances.

Syntax

[no] service port <port>

Parameters

<port>

Specifies the new port to add. The default service ports are 7800 and 7810.

Usage

You can configure multiple service ports on the server side of the network for multiple QoS
mappings. You define a new service port and then map CIFS ports to that port, so that QoS
configuration settings on the router are applied to that service port.
The no command option disables the service port.


Example

minna (config) # service port 7800


minna (config) #

Product

Steelhead appliance

Related Topics

show service ports


service restart
Description

Restarts the Riverbed service.

Syntax

service restart

Parameters

None

Example

minna (config) # service restart


minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show configuration running


Host Setup Commands


Configuration-Mode Documentation Navigation

System Administration Commands
Host Setup Commands
Steelhead Appliance Feature Configuration Commands
Interceptor Appliance Feature Commands
Central Management Console Feature Commands

In This Section

arp
clock set
clock timezone
hardware ecc-mem-check enable
hostname
interface
ip default-gateway
ip domain-list
ip host
ip name-server
ip route
ntp disable
ntp enable
ntp peer
ntp server
ntpdate
telnet-server enable

arp
Description

Creates static ARP entries in the ARP table.

Syntax

arp <addr> <MACaddr>

Parameters

<addr>

Specifies the IP address of the machine.

<MACaddr>

Specifies the MAC address.

Usage

The no command option disables ARP static entries.

Example

minna (config) # arp 10.0.0.0 00:07:E9:55:10:09


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show arp

clock set
Description

Sets the system time and date.

Syntax

clock set {<hh:mm:ss> | <yyyy/mm/dd>}

Parameters

<hh:mm:ss>

Specifies the hour, minutes, and seconds.

<yyyy/mm/dd>

Specifies the year, month, and day.


Example

minna (config) # clock set 12:34:55


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show clock

clock timezone
Description

Sets the current time zone.

Syntax

clock timezone <zone>

Parameters

<zone>

Specifies the time zone name: Africa, America, Antarctica, Arctic, Asia,
Atlantic_Ocean, Australia, Europe, GMT-offset, Indian_Ocean, Pacific_Ocean,
UTC.

Usage

The default value is GMT-offset.

Example

minna (config) # clock timezone Africa


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show clock

hardware ecc-mem-check enable


Description

Enables ECC memory check.

Syntax

[no] hardware ecc-mem-check enable

Parameters

None

Usage

The no command option disables ECC memory check.

Example

minna (config) # hardware ecc-mem-check enable


minna (config) #

Product

Steelhead appliance

Related Topics

show hardware

hostname
Description

Sets the host name for this appliance.

Syntax

hostname <host name>

Parameters

<host name>

Specifies the host name. Do not include the domain name.

Usage

The no command option removes the host name for this appliance.


Example

minna (config) # hostname park


minna (config) #

Product

CMC appliance, Steelhead appliance, Interceptor appliance

Related Topics

show hosts

interface
Description

Configures appliance interfaces.

Syntax

interface <interfacename> <options>

Parameters

<interfacename>

Specifies the interface name: aux, lan0_0, wan0_0, primary, in-path0_0.

<options>

Each interface has the following configuration options:
dhcp. Enables DHCP on the interface.
dhcp renew. Renews DHCP for this interface.
duplex <speed>. Specifies the duplex speed: auto, full, half. The default value is auto.
ip address <addr>. Specifies the IP address for the interface.
mtu <speed>. Configures the MTU. The MTU is set once on the in-path interface; it propagates automatically to the LAN and the WAN. The no command option disables the MTU setting. The default value is 1500.
shutdown. Shuts down the interface.
speed <speed>. Specifies the speed for the interface: auto, 10, 100, 1000. The default value is 100.

Usage

The no command option disables the interface settings.

Example

minna (config) # interface lan dhcp 100


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show interfaces

ip default-gateway
Description

Sets the default gateway for the appliance.

Syntax

ip default-gateway <addr>

Parameters

<addr>

Specifies the IP address of the management interface.

Usage

This command is used to set the default gateway for the entire appliance. It is primarily used for
the primary or auxiliary (aux) interfaces for management, but can also be used for out-of-path
optimization configurations as well as PFS.
The no command option disables the default gateway IP address.


Example

minna (config) # ip default-gateway 10.10.10.1


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show ip, show configuration running

ip domain-list
Description

Adds a domain name to the domain list for resolving host names.

Syntax

ip domain-list <domain>

Parameters

<domain>

Specifies the domain name.

Usage

The no command option removes a domain from the domain list.

Example

minna (config) # ip domain-list example.com


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration running

ip host
Description

Adds an entry to the static host table.

Syntax

ip host <host name> <addr>

Parameters

<host name>

Specifies the host name.

<addr>

Specifies the IP address.

Usage

The no command option removes an entry from the static host table.

Example

minna (config) # ip host park 10.10.10.1


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show hosts

ip name-server
Description

Adds a DNS name server.

Syntax

ip name-server <addr>

Parameters

<addr>

Specifies the name server IP address.

Usage

The no command option removes a DNS name server.


Example

minna (config) # ip name-server 10.10.10.1


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show configuration running

ip route
Description

Adds a static route.

Syntax

[no] ip route <network prefix> <netmask> <netmask length> <next-hop-IP-addr>

Parameters

<network prefix>

Specifies the network prefix.

<netmask>

Specifies the netmask. For example: 255.255.255.0

<netmask length>

Specifies the netmask length. For example: /24

<next-hop-IP-addr>

Specifies the next hop IP address (gateway).

Usage

The no command option disables the static route. If no ip route is run with only a network prefix
and mask, it deletes all routes for that prefix.

Example

minna (config) # ip route 193.166.0/24 10.10.10.1


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show ip

ntp disable
Description

Disables NTP support.

Syntax

ntp disable

Parameters

None

Usage

The no command option enables NTP support.

Example

minna (config) # ntp disable


minna (config) #

Related Topics

show ntp

ntp enable
Description

Enables NTP support.

Syntax

ntp enable

Parameters

None


Usage

The no command option disables NTP support.

Example

minna (config) # ntp enable


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show ntp

ntp peer
Description

Enables an NTP peer.

Syntax

ntp peer <addr> [version <number>]

Parameters

<addr>

Specifies the NTP peer IP address.

version <number>

Specifies the NTP version number. You do not need to specify the version
number for the no ntp peer command.

Usage

The no command option disables an NTP peer.

Example

minna (config) # ntp peer 10.10.10.1


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show ntp, show peers

ntp server
Description

Configures an NTP server.

Syntax

ntp server <addr> [version <number>]

Parameters

<addr>

Specifies the NTP server to synchronize with.

version <number>

Specifies the version number for NTP. You do not need to specify the
version number for the no ntp server command.

Usage

The no command option removes an NTP server.

Example

minna (config) # ntp server 10.10.10.1


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show ntp, show peers


ntpdate
Description

Conducts a single-time synchronization with a specified NTP server.

Syntax

ntpdate <addr>

Parameters

<addr>

Specifies the NTP server with which to synchronize.

Usage
Example

minna (config) # ntpdate 10.10.10.1


minna (config) #

Product

CMC appliance, Interceptor appliance, Steelhead appliance

Related Topics

show ntp

telnet-server enable
Description

Enables you to access the CLI using Telnet. This feature is disabled by default.

Syntax

telnet-server enable

Usage

You can use this command to troubleshoot your system. It enables you to access the CLI from
another system.
FIPS Mode
You must disable Telnet in the Steelhead appliance to be FIPS compliant. If you have been running
the Steelhead appliance in non-FIPS mode and you have enabled Telnet, you must run no telnet-server
to make the Steelhead appliance FIPS compliant. For detailed information about FIPS
mode, see FIPS/CC Compliance Commands on page 318 and the FIPS/CC Administrator's
Guide.

Example

minna (config) # telnet-server enable


minna (config) #

Product

Steelhead appliance

Related Topics

show telnet-server
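
A configuration check for two constraints stated above: the ports that service map-port cannot use, and the FIPS requirement that Telnet stay disabled. This is an added example, not Riverbed code. It assumes the configuration is available as a list of configuration-mode commands in the syntax shown in this manual; the function names, finding codes and sample lines are constructed for illustration, and flagging a mapping whose service port was never added with service port is an inference from the service port usage text.

```python
import re

# Reserved ports as listed under "service map-port" in this manual.
ALWAYS_RESERVED = {22: "SSH", 80: "Management Console",
                   443: "Management Console", 446: "Management Console"}
PFS_PORTS = {139, 445, 977}        # excluded only when PFS is enabled
PREPOP_PORT = 8777                 # excluded only when CIFS prepopulation is enabled
RIVERBED_EXCEPTIONS = {7800, 7810} # the two ports exempt from the 7800-7899 block
DEFAULT_SERVICE_PORTS = {7800, 7810}


def reserved_for(port, pfs=False, prepop=False):
    """Return the owner of a reserved port, or None if the port may be mapped."""
    if port in ALWAYS_RESERVED:
        return ALWAYS_RESERVED[port]
    if 7800 <= port <= 7899 and port not in RIVERBED_EXCEPTIONS:
        return "Riverbed"
    if pfs and port in PFS_PORTS:
        return "PFS"
    if prepop and port == PREPOP_PORT:
        return "CIFS transparent prepopulation"
    return None


def audit(lines, pfs=False, prepop=False, fips=True):
    """Return findings as (line_number, code, detail), ordered by line number."""
    service_ports = set(DEFAULT_SERVICE_PORTS)
    mappings = {}        # (dest port, service port) -> line that created it
    telnet_line = None   # Telnet is disabled by default
    for number, raw in enumerate(lines, start=1):
        words = raw.split()
        negated = words[:1] == ["no"]
        cmd = " ".join(words[1:] if negated else words)
        if cmd.startswith("telnet-server"):
            telnet_line = None if negated else number
        elif m := re.fullmatch(r"service port (\d+)", cmd):
            (service_ports.discard if negated else service_ports.add)(int(m[1]))
        elif m := re.fullmatch(r"service map-port (\d+) (\d+)", cmd):
            pair = (int(m[1]), int(m[2]))
            if negated:
                mappings.pop(pair, None)
            else:
                mappings[pair] = number

    findings = []
    for (dest, service), number in mappings.items():
        # The manual does not say which argument the restriction applies to,
        # so both are checked (assumption).
        for port in (dest, service):
            owner = reserved_for(port, pfs, prepop)
            if owner:
                findings.append((number, "RESERVED_PORT",
                                 f"port {port} is reserved ({owner})"))
        if service not in service_ports:
            findings.append((number, "UNDECLARED_SERVICE_PORT",
                             f"port {service} was not added with 'service port'"))
    if fips and telnet_line:
        findings.append((telnet_line, "TELNET_ENABLED",
                         "Telnet must be disabled for FIPS compliance"))
    return sorted(findings, key=lambda f: f[0])


# Constructed sample configuration (not taken from a real appliance).
SAMPLE = [
    "service port 9800",
    "service map-port 445 9800",
    "service map-port 80 9800",
    "service map-port 8080 7805",
    "telnet-server enable",
]

if __name__ == "__main__":
    for line_number, code, detail in audit(SAMPLE, pfs=True):
        print(f"line {line_number}: {code}: {detail}")
```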


Steelhead Appliance Feature Configuration Commands


This section describes commands you use to configure Steelhead appliance features. This section includes
the following content.
Configuration-Mode Documentation Navigation

System Administration Commands
Steelhead Appliance Feature Configuration Commands
Interceptor Appliance Feature Commands
Central Management Console Feature Commands

In This Section

In-Path and Virtual In-Path Support Commands
Out-of-Path Support
Peering Commands
Asymmetric Route Detection and Connection Forwarding Commands
Simplified Routing Support
NetFlow Support Commands
IPSec Commands
PFS Support Commands
Prepopulation Support Commands
CIFS Support Commands
HS-TCP Support Commands
JInitiator Support Commands
MAPI Support Commands
MS-SQL Blade Support Commands
NFS Support Commands
HTTP Support Commands
SSL Support Commands
QoS Support Commands
Connection Pooling Commands
WCCP Support Commands
Failover Support Commands
Data Replication Commands


In-Path and Virtual In-Path Support Commands


Configuration-Mode Documentation Navigation

System Administration Commands
Steelhead Appliance Feature Configuration Commands
  In-Path and Virtual In-Path Support Commands
  Out-of-Path Support
  Peering Commands
  Asymmetric Route Detection and Connection Forwarding Commands
  Simplified Routing Support
  NetFlow Support Commands
  IPSec Commands
  PFS Support Commands
  Prepopulation Support Commands
  CIFS Support Commands
  HS-TCP Support Commands
  JInitiator Support Commands
  MAPI Support Commands
  MS-SQL Blade Support Commands
  NFS Support Commands
  QoS Support Commands
  Connection Pooling Commands
  WCCP Support Commands
  Failover Support Commands
  Data Replication Commands
  FIPS/CC Compliance Commands
Interceptor Appliance Feature Commands
Central Management Console Feature Commands

In This Section

in-path enable
in-path interface enable
in-path interface vlan
in-path kickoff
in-path lsp enable
in-path move-rule rulenum
in-path oop enable
in-path rule auto-discover
in-path rule deny
in-path rule discard
in-path rule fixed-target
in-path rule pass-through
in-path turbo enable
ip in-path-gateway
ip in-path route


in-path enable
Description

Enables in-path support. An in-path configuration is a configuration in which the appliance is in
the direct path of the client and the server.

Syntax

[no] in-path enable

Parameters

None

Usage

The no command option disables in-path support.

Example

minna (config) # in-path enable


minna (config) #

Product

Steelhead appliance

Related Topics

show in-path, show in-path rules, show interfaces

in-path interface enable


Description

Enables the in-path interface for optimization.

Syntax

[no] in-path interface <interface> enable

Parameters

<interface>

Specifies the IP address of the in-path interface.

Usage

The in-path interface enable command is useful only when there are multiple bypass cards
enabled (for example, with a Four-Port Copper Gigabit-Ethernet Bypass card).
The no command option disables the in-path interface.

Example

minna (config) # in-path interface 10.0.0.1 enable


minna (config) #

Product

Steelhead appliance, Interceptor appliance

Related Topics

show in-path, show in-path rules, show interfaces

in-path interface vlan


Description

Enables VLAN support for an in-path interface on a trunked link.

Syntax

[no] in-path interface <interface> vlan <id>

Parameters

<interface>

Specifies the in-path appliance for which the VLAN applies.

<id>

Specifies the VLAN identification number. The VLAN identification number is a
value with a range from 0-4094 (-1 specifies all; 0 specifies no tagging).

Usage

The in-path interface vlan command enables you to set which VLAN to use for connections. It
does not define which VLAN to optimize.
To define which VLAN to optimize, you must define in-path rules and apply them to all VLANs
or a specific VLAN.
The no command option disables the VLAN support.


Example

minna (config) # in-path interface inpath0_0 vlan 26


minna (config) #

Product

Steelhead appliance, Interceptor appliance

Related Topics

show in-path, show in-path rules, show interfaces

in-path kickoff
Description

Resets open connections upon start up.

Syntax

[no] in-path kickoff

Parameters

None

Usage

When the Steelhead service restarts with kickoff enabled, it breaks existing connections and forces
clients to open new connections.
With kickoff disabled, open connections are not broken, but they are unoptimized. New
connections are optimized.
When the appliance is not powered on or the Steelhead service is not running, the failover
appliance takes over so that connections continue to be made to the WAN.
Generally, connections are short lived and kickoff is not necessary; kickoff is suitable for very
challenging remote environments. For example, in an environment with 128 kbps and 1.5 seconds
of latency, you might want to cancel an HTTP download so that your traffic is optimized; whereas
in a remote branch-office with a T1 and 35 ms round-trip time, you would want connections to
migrate to optimization gracefully, rather than risk interruption with kickoff.
NOTE: Do not enable kickoff for in-path Steelhead appliances that use auto-discovery or if you do
not have a Steelhead appliance on the remote side of the network. If you do not set any in-path
rules, the default behavior is to auto-discover all connections. If kickoff is enabled, all connections
that existed before the Steelhead appliance started are reset.
The no command option disables the in-path kickoff feature.

Example

minna (config) # in-path kickoff


minna (config) #

Product

Steelhead appliance

Related Topics

show in-path, show in-path rules, show interfaces

in-path lsp enable


Description

Enables link-state propagation. For example, if the LAN interface drops its link, the WAN
interface does the same.

Syntax

[no] in-path lsp enable

Parameters

None

Usage

If you require a Steelhead appliance to fail-to-wire when the LAN or WAN ports become
disconnected, enable this feature. This feature is similar to what ISPs do in order to follow the state
of a link.
The no command option disables the in-path feature.


Example

minna (config) # in-path lsp enable


minna (config) #

Product

Steelhead appliance

Related Topics

show in-path lsp

in-path move-rule rulenum


Description

Moves the order of the rule in the rule list to the specified position.

Syntax

in-path move-rule rulenum <rulenum> to <rulenum>

Parameters

<rulenum>

Specifies the rule number or start or end.

Usage

show in-path, show in-path rules, show interfaces

Example

minna (config) # in-path move-rule rulenum 25 to 10


minna (config) #

Product

Steelhead appliance, Interceptor appliance

Related Topics

show in-path, show in-path rules, show interfaces

in-path oop enable


Description

Enables in-path support for networks that utilize Layer-4 switches, PBR, and WCCP.

Syntax

[no] in-path oop enable

Parameters

None

Usage

The no command option disables out-of-path support.

Example

minna (config) # in-path oop enable


minna (config) #

Product

Steelhead appliance

Related Topics

show out-of-path


in-path rule auto-discover


Description

Adds an auto-discovery rule.


Auto-discovery is the process by which the Steelhead appliance automatically intercepts and
optimizes traffic on all IP addresses and ports. By default, auto-discovery is applied to all IP
addresses and ports that are not secure, interactive, or default Riverbed ports.

Syntax

[no] in-path rule auto-discover [srcaddr <network>] [dstaddr <network>] [dstport <port>]
[vlan <vlan tag ID>] [optimization {normal | sdr-only | compr-only | none}] [preoptimization
{ssl | jinitiator | none}] [latency-opt {normal | http | none}] [neural-mode {always | dynamic |
never | tcphints}] [rulenum <rulenum>] [description <description>]

Parameters

srcaddr <network>

Specifies the source subnet. For example: 1.2.3.4/32

dstaddr <network>
dstport <port>

Specifies the destination subnet and port.


For the network address, use the following format:
XXX.XXX.XXX.XXX/XX
For the port, you can specify a single port (number), a port label, or all
to specify all ports.

vlan <vlan tag ID>

Specifies the VLAN tag ID (if any). The VLAN identification number is
a value with a range from 0-4094. Specify 0 to mark the link untagged.

optimization {normal | sdr-only | compr-only | none}

Specifies an optimization policy:


compr-only. Specify this option to turn off SDR but perform LZ
compression.
normal. The normal optimization policy is the default. The normal
process performs LZ compression and SDR.
none. Specify this option to turn off LZ compression and SDR.
sdr-only. Specify this option to turn off LZ compression.
Setting an optimization policy allows you more flexibility in applying
optimization techniques. For example, if you have a network that
requires 45 Mbps or higher with abundant bandwidth, you do not need
to perform LZ compression to obtain maximum optimization of data.
Turning off LZ compression also increases throughput on large
bandwidth networks.
To configure optimization policies for the FTP data channel, define an
in-path rule with the destination port 20 and set its optimization policy.
Setting QoS for port 20 on the client-side Steelhead appliance affects
passive FTP, while setting the QoS for port 20 on the server-side
Steelhead appliance affects active FTP.
To configure optimization policies for the Messaging Application
Protocol Interface (MAPI) data channel, define an in-path rule with the
destination port 7830 and set its optimization policy.

preoptimization {ssl | jinitiator | none}

Specifies a preoptimization policy:


none. Preoptimization processing is set to none by default. If SSL or
JInitiator preoptimization processing is turned on and you want to
turn it off for a port, specify none.
ssl. Specify ssl to enable SSL preoptimization processing for traffic
via SSL secure ports.
jinitiator. Specify jinitiator to enable preoptimization processing for
the Oracle JInitiator browser plugin.


latency-opt {http | normal | none}

Specifies a latency-optimization policy:


http. Perform HTTP optimization on connections matching this rule.
normal. Perform HTTP optimization for ports 80 and 8080. This is
the default setting.
none. Do not perform HTTP optimization on connections matching
this rule.

neural-mode {always | dynamic | never | tcphints}

Enables neural framing in the Steelhead appliance. Enabling neural
framing makes your WAN more efficient by gathering data to select the
optimal packet framing boundaries for SDR.
If you specify a neural mode, your network will experience a trade-off
between the compression and SDR performance, and the latency added
to the connection. For different types of traffic, one algorithm might be
better than others.
Specify one of the following modes:
always. Always use the Nagle algorithm. This is the default setting
(always wait 6 ms). All data is passed to the codec which attempts to
coalesce consume calls (if needed) to achieve better fingerprinting. A
timer (6 ms) backs it up and causes leftover data to be consumed.
Neural heuristics are computed in this mode but are not used.
dynamic. Dynamically adjust the Nagle parameters. The Steelhead
appliance picks the best algorithm to use by learning what algorithm
is best and adapting if the traffic characteristic changes.
never. Never use the Nagle algorithm. All the data is immediately
encoded without waiting for timers to fire or application buffers to
fill past a specified threshold. Neural heuristics are computed in this
mode but are not used.
tcphints. Base setting on TCP hints. If data is received from a partial
frame packet or a packet with the TCP PUSH flag set, the encoder
encodes the data instead of immediately coalescing it. Neural
heuristics are computed in this mode but are not used.
To configure neural framing for an FTP data channel, define an in-path
rule with the destination port 20 and set its optimization policy. To
configure neural framing for a MAPI data channel, define an in-path
rule with the destination port 7830 and set its optimization policy.

rulenum <rulenum>

Specifies the order in which the rule is consulted: 1-N or start or end.
The rule is inserted into the list at the specified position. For example, if
you specify rulenum as 3, the new rule will be #3, the old rule #3 will
become #4, and so forth.
The start value specifies that the rule become the first rule and end
specifies that it become the last rule.
If you do not specify a rule number, the rule is added to the end of the
list.

description <description>

Specify a description to facilitate communication about network
administration.

Usage

The Steelhead appliance automatically intercepts traffic on all IP addresses (0.0.0.0) and ports
(all) and optimizes according to default settings.
Specify auto-discovery rules for traffic that you want to optimize in a particular way.
The no command option disables the rule. The no command option has the following syntax:
no in-path rule <rulenum>


Example

minna (config) # in-path rule auto-discover srcaddr 10.10.10.1 port 2121 dstaddr 10.24.24.24.1 rulenum 2
minna (config) #

Product

Steelhead appliance

Related Topics

show in-path, show in-path rules, show interfaces, SSL Support Commands, JInitiator
Support Commands, HTTP Support Commands

in-path rule deny


Description

Adds a deny rule to reject connection requests.

Syntax

[no] in-path rule deny [srcaddr <network>] [dstaddr <network>] [dstport <port>] [vlan <vlan
tag ID>] [rulenum <rulenum>] [description <description>]

Parameters

srcaddr <network>

Specifies the source subnet for this rule. For example: 1.2.3.4/32

dstaddr <network>
dstport <port>

Specifies the destination subnet and port for this rule.


For the network address, use the following format:
XXX.XXX.XXX.XXX/XX.
For the port, you can specify a single port (number), a port label, or
all to specify all ports.

vlan <vlan tag ID>

Specifies the VLAN tag ID (if any). The VLAN tag ID is a number
with a range from 0-4094. Specify 0 to mark the link untagged.

rulenum <rulenum>

Specifies the order in which the rule is consulted: 1-N or start or end.
The rule is inserted into the list at the specified position. For
example, if you specify rulenum as 3, the new rule will be #3, the
old rule #3 will become #4, and so forth.
The start value specifies that the rule become the first rule and end
specifies that it become the last rule.
If you do not specify a rule number, the rule is added to the end of
the list.

description <description>

Specify a description to facilitate network administration.

Usage

The Steelhead appliance automatically intercepts traffic on all IP addresses (0.0.0.0) and ports (all)
and optimizes according to default settings.
Specify deny rules for traffic you want to reject and return a message to the client that the request
has been denied.
The no command option disables the rule. The no command option syntax is:
no in-path rule <rulenum>

Example

minna (config) # in-path rule deny srcaddr 10.0.0.1 dstaddr 10.0.0.2 rulenum 4
minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show in-path, show in-path rules, show interfaces


in-path rule discard


Description

Adds a discard rule to drop connections.

Syntax

[no] in-path rule discard [srcaddr <network>] [dstaddr <network>] [dstport <port>] [vlan <vlan
tag ID>] [rulenum <rulenum>] [description <description>]

Parameters

srcaddr <network>

Specifies the source subnet for this rule. For example: 1.2.3.4/32

dstaddr <network>
dstport <port>

Specifies the destination subnet and port for this rule.


For the network address, use the following format:
XXX.XXX.XXX.XXX/XX.
For the port, you can specify a single port (number), a port label,
or all to specify all ports.

vlan <vlan tag ID>

Specifies the VLAN tag ID (if any). The VLAN tag ID is a number
with a range from 0-4094. Specify 0 to mark the link untagged.

rulenum <rulenum>

Specifies the order in which the rule is consulted: 1-N or start or end.
The rule is inserted into the list at the specified position. For
example, if you specify rulenum as 3, the new rule will be #3, the
old rule #3 will become #4, and so forth.
The start value specifies that the rule become the first rule and
end specifies that it become the last rule.
If you do not specify a rule number, the rule is added to the end
of the list.

description <description>

Specify a description to facilitate communication about network
administration.

Usage

The Steelhead appliance automatically intercepts traffic on all IP addresses (0.0.0.0) and ports (all)
and optimizes according to default settings.
Specify discard rules for traffic that you want to drop silently instead of optimizing or passing
through.
The no command option disables the rule. The no command option has the following syntax:
no in-path rule <rulenum>.

Example

minna (config) # in-path rule discard srcaddr 10.0.0.2 dstaddr 10.0.0.1 port 1234 rulenum 2
minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show in-path, show in-path rules, show interfaces
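
A model of the in-path rule list that shows why rulenum placement matters: a deny or discard rule added after a broader rule is never consulted for the traffic it was meant to stop. This is an added example, not Riverbed code. It assumes the first matching rule decides the connection, that move-rule removes a rule and reinserts it at the target position, and that unmatched traffic is auto-discovered; the class and function names and the sample rules are constructed, and port labels and descriptions are not handled.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
KEYWORDS = {"srcaddr", "dstaddr", "dstport", "vlan", "rulenum"}


@dataclass
class Rule:
    action: str                        # auto-discover, deny, discard, ...
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dstport: str = "all"               # one port number as text, or "all"
    vlan: int = -1                     # -1 means any VLAN (assumption for this model)

    def matches(self, src_ip, dst_ip, port, vlan=0):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.dstport in ("all", str(port))
                and self.vlan in (-1, vlan))

    def covers(self, other):
        """True if every connection that `other` matches is also matched by self."""
        return (other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and self.dstport in ("all", other.dstport)
                and self.vlan in (-1, other.vlan))


def parse_rule(line):
    """Parse 'in-path rule <type> [keyword value]...' into (Rule, rulenum)."""
    words = line.split()
    if len(words) < 3 or words[:2] != ["in-path", "rule"]:
        raise ValueError(f"not an in-path rule: {line!r}")
    rest = words[3:]
    opts = dict(zip(rest[::2], rest[1::2]))
    if len(rest) % 2 or not set(opts) <= KEYWORDS:
        raise ValueError(f"unsupported keyword in: {line!r}")
    rule = Rule(
        action=words[2],
        src=ipaddress.ip_network(opts.get("srcaddr", "0.0.0.0/0"), strict=False),
        dst=ipaddress.ip_network(opts.get("dstaddr", "0.0.0.0/0"), strict=False),
        dstport=opts.get("dstport", "all"),
        vlan=int(opts.get("vlan", -1)),
    )
    return rule, opts.get("rulenum", "end")


class RuleList:
    def __init__(self):
        self.rules = []

    def add(self, rule, rulenum="end"):
        """Insert at a 1-based position; the rule already there moves down one."""
        if rulenum == "start":
            index = 0
        elif rulenum == "end":
            index = len(self.rules)
        else:
            index = int(rulenum) - 1
            if not 0 <= index <= len(self.rules):
                raise ValueError(f"rulenum {rulenum} is out of range")
        self.rules.insert(index, rule)

    def move(self, old, new):
        """Model of 'in-path move-rule rulenum <old> to <new>' (assumed semantics)."""
        self.rules.insert(new - 1, self.rules.pop(old - 1))

    def decide(self, src_ip, dst_ip, port, vlan=0):
        """Return (rule number, action) of the first matching rule."""
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(src_ip, dst_ip, port, vlan):
                return number, rule.action
        return None, "auto-discover"   # default when no rule matches

    def shadowed(self):
        """Return (rule, earlier rule) pairs where the later rule can never fire."""
        hits = []
        for i, later in enumerate(self.rules):
            for j, earlier in enumerate(self.rules[:i]):
                if earlier.covers(later) and earlier.action != later.action:
                    hits.append((i + 1, j + 1))
                    break
        return hits


# Constructed sample rules, entered in this order.
SAMPLE = [
    "in-path rule auto-discover dstaddr 10.0.0.0/8",
    "in-path rule deny srcaddr 10.1.1.0/24 dstaddr 10.0.5.0/24 dstport 23",
    "in-path rule discard dstaddr 192.168.9.0/24 rulenum start",
]


def build_sample():
    table = RuleList()
    for line in SAMPLE:
        table.add(*parse_rule(line))
    return table
```

With the sample rules, `shadowed()` reports that the deny rule (#3) sits behind the broader auto-discover rule (#2); `move(3, 2)` puts it ahead, after which the same connection is denied.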


in-path rule fixed-target


Description

Adds a fixed-target rule.


Fixed-target rules directly specify out-of-path Steelhead appliances near a target server. You
determine which servers you want the appliance to optimize (and, optionally, which ports), and
add fixed-target rules to specify the network of servers, ports, port labels, and out-of-path
Steelhead appliances to use.

Syntax

[no] in-path rule fixed-target [srcaddr <network>] [dstaddr <network>] [dstport <port>] [vlan
<vlan tag ID>] [optimization {normal | sdr-only | compr-only | none}] [preoptimization {ssl
| jinitiator | none}] [latency-opt {normal | http | none}] [neural-mode {always | dynamic | never
| tcphints}] [rulenum <rulenum>] [description <description>]

Parameters

srcaddr <network>

Specifies the source subnet. For example: 1.2.3.4/32

dstaddr <network>
dstport <port>

Specifies the destination subnet and port.


For the network address, use the following format:
XXX.XXX.XXX.XXX/XX
For the port, you can specify a single port (number), a port label, or all to
specify all ports.

target-addr <addr>
target-port <port>

Specifies the fixed target appliance address.


For the network address, use the following format: XXX.XXX.XXX.XXX.
For the port, you can specify a single port (number), a port label, or all to
specify all ports.

backup-addr <addr>
backup-port <port>

Specifies a backup to the fixed target appliance (if any).


For the network address, use the following format: XXX.XXX.XXX.XXX.
For the port, you can specify a single port (number), a port label, or all to
specify all ports.

vlan <vlan tag ID>

Specifies the VLAN tag ID (if any). The VLAN identification number is a
value with a range from 0-4094. Specify 0 to mark the link untagged.

optimization {normal | sdr-only | compr-only | none}

Specifies an optimization policy:


compr-only. Specify this option to turn off SDR but perform LZ
compression.
normal. The normal optimization policy is the default. The normal
process performs LZ compression and SDR.
none. Specify this option to turn off LZ compression and SDR.
sdr-only. Specify this option to turn off LZ compression.
Setting an optimization policy allows you more flexibility in applying
optimization techniques. For example, if you have a network that
requires 45 Mbps or higher with abundant bandwidth, you do not need
to perform LZ compression to obtain maximum optimization of data.
Turning off LZ compression also increases throughput on large
bandwidth networks.
To configure optimization policies for the FTP data channel, define an
in-path rule with the destination port 20 and set its optimization policy.
Setting QoS for port 20 on the client-side Steelhead appliance affects
passive FTP, while setting the QoS for port 20 on the server-side
Steelhead appliance affects active FTP.
To configure optimization policies for the Messaging Application
Protocol Interface (MAPI) data channel, define an in-path rule with the
destination port 7830 and set its optimization policy.

preoptimization {ssl | jinitiator | none}

Specifies a preoptimization policy:


none. Preoptimization processing is set to none by default. If SSL or
JInitiator preoptimization processing is turned on and you want to
turn it off for a port, specify none.
ssl. Specify ssl to enable SSL preoptimization processing for traffic
via SSL secure ports.
jinitiator. Specify jinitiator to enable preoptimization processing for
the Oracle JInitiator browser plugin.

latency-opt {http | normal | none}

Specifies a latency-optimization policy:


http. Only perform HTTP optimizations.
normal. Perform all latency optimizations. This is the default setting.
none. Excludes HTTP optimizations.

neural-mode {always | dynamic | never | tcphints}

Enables neural framing in the Steelhead appliance. Enabling neural
framing makes your WAN more efficient by gathering data to select the
optimal packet framing boundaries for SDR.
If you specify a neural mode, your network will experience a trade-off
between the compression and SDR performance, and the latency added
to the connection. For different types of traffic, one algorithm might be
better than others.
Specify one of the following modes:
always. Always use the Nagle algorithm. This is the default setting
(always wait 6 ms). All data is passed to the codec which attempts to
coalesce consume calls (if needed) to achieve better fingerprinting. A
timer (6 ms) backs it up and causes leftover data to be consumed.
Neural heuristics are computed in this mode but are not used.
dynamic. Dynamically adjust the Nagle parameters. The Steelhead
appliance picks the best algorithm to use by learning what algorithm
is best and adapting if the traffic characteristic changes.
never. Never use the Nagle algorithm. All the data is immediately
encoded without waiting for timers to fire or application buffers to fill
past a specified threshold. Neural heuristics are computed in this
mode but are not used.
tcphints. Base setting on TCP hints. If data is received from a partial
frame packet or a packet with the TCP PUSH flag set, the encoder
encodes the data instead of immediately coalescing it. Neural
heuristics are computed in this mode but are not used.
To configure neural framing for an FTP data channel, define an in-path
rule with the destination port 20 and set its optimization policy. To
configure neural framing for a MAPI data channel, define an in-path
rule with the destination port 7830 and set its optimization policy.

rulenum <rulenum>

Specifies the order in which the rule is consulted: 1-N or start or end.
The rule is inserted into the list at the specified position. For example, if
you specify rulenum as 3, the new rule will be #3, the old rule #3 will
become #4, and so forth.
The start value specifies that the rule become the first rule and end
specifies that it become the last rule.
If you do not specify a rule number, the rule is added to the end of the
list.

description <description>

Specify a description to facilitate network administration.

Usage

The Steelhead appliance automatically intercepts traffic on all IP addresses (0.0.0.0) and ports (all)
and optimizes according to default settings.
Specify fixed-target rules to set out-of-path Steelhead appliances near the target server that you
want to optimize.
The no command option disables the rule. The no command option has the following syntax:
no in-path rule <rulenum>.
NOTE: In out-of-path deployments, to optimize MAPI Exchange 2003 by destination port, you
must define fixed-target, in-path rules that specify the following ports on the client-side Steelhead
appliance: the Microsoft end-point mapper port: 135; the Steelhead appliance port for Exchange
traffic: 7830; the Steelhead appliance port for Exchange Directory NSPI traffic: 7840.

Example

minna (config) # in-path rule fixed-target srcaddr 10.0.0.0/24 optimization sdr-only rulenum 1
minna (config) #

Product

Steelhead appliance

Related Topics

show in-path, show in-path rules, show interfaces

in-path rule pass-through


Description

Adds a pass-through rule.


Pass-through describes WAN traffic that traverses the network unoptimized. You define
pass-through rules to exclude subnets or ports from optimization. Traffic is also passed through
when the Steelhead appliance is in bypass mode.

Syntax

[no] in-path rule pass-through [srcaddr <network>] [dstaddr <network>] [dstport <port>] [vlan
<vlan tag ID>] [rulenum <rulenum>] [description <description>]

Parameters

srcaddr <network>

Specifies the source subnet for this rule. For example: 1.2.3.4/32

dstaddr <network>
dstport <port>

Specifies the destination subnet and port.


For the network address, use the following format:
XXX.XXX.XXX.XXX/XX.
For the port, you can specify a single port (number), a port label,
or all to specify all ports.

vlan <vlan tag ID>

Specifies the VLAN tag ID (if any). The VLAN identification
number is a value with a range from 0-4094. Specify 0 to mark the
link untagged.

rulenum <rulenum>

Specifies the order in which the rule is consulted: 1-N or start or
end.
The rule is inserted into the list at the specified position. For
example, if you specify rulenum as 3, the new rule will be #3, the
old rule #3 will become #4, and so forth.
The start value specifies that the rule become the first rule and
end specifies that it become the last rule.
If you do not specify a rule number, the rule is added to the end
of the list.

description <description>

Specify a description to facilitate communication about network
administration.

Usage

The Steelhead appliance automatically intercepts traffic on all IP addresses (0.0.0.0) and ports (all)
and optimizes according to default settings.
Specify pass-through rules for traffic that you want to pass through to its destination without
optimization by the Riverbed system.
The no command option disables the rule. The no command option has the following syntax:
no in-path rule <rulenum>.

Example

minna (config) # in-path rule pass-through addr 10.10.10.1 port 2121 rulenum 25
minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show in-path, show in-path rules, show interfaces

in-path turbo enable


Description

Enables in-path turbo support. Enabling turbo support accelerates HTTP connections.

Syntax

[no] in-path turbo enable

Parameters

None

Usage

The no command option disables in-path turbo support.

Example

minna (config) # in-path turbo enable
minna (config) #

Product

Steelhead appliance

Related Topics

show protocol http

ip in-path-gateway
Description

Configures the default gateway for the in-path interface.

Syntax

ip in-path-gateway <interface> <destination addr>

Parameters

<interface>

Specifies the interface name. For example, in-path0_0, in-path1_1

<destination addr>

Specifies the destination IP address of the in-path gateway.

Usage

This command is used to set the default gateway for a particular bypass pair, for in-path
optimization configurations.
NOTE: in-pathX_X represents the bypass pair. Examples are in-path0_0, in-path1_0, and
in-path1_1. For the in-path interfaces, this command should be used to set the default gateway.
The no command option disables the default gateway.

Example

minna (config) # ip in-path-gateway in-path0_0 10.0.0.0


minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show ip


ip in-path route
Description

Adds a static in-path route.

Syntax

ip in-path route <interface> <network prefix> <network mask> <next hop IP address>

Parameters

<interface>

Specifies the interface name: aux, lan0_0, wan0_0, primary, in-path0_0.

<network prefix>

Specifies the network prefix.

<network mask>

Specifies the netmask.

<next hop IP address or WAN gateway>

Specifies the next hop IP address in this route or WAN gateway.

Usage

In-path interfaces use routes from an in-path route table. To configure in-path routes, you set a
new in-path route that points to your WAN gateway. You must also copy any static routes that
you have added to the main table, if they apply to the in-path interface.
The no command option removes an in-path route.

Example

minna (config) # ip in-path route 193.140.0.0 255.255.0.0 190.160.0.0
minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show ip

Out-of-Path Support

out-of-path enable
Description

Enables an out-of-path configuration.

Syntax

[no] out-of-path enable

Parameters

None

Usage

The no command option disables out-of-path configuration.

Example

minna (config) # out-of-path enable


minna (config) #

Product

Steelhead appliance

Related Topics

show out-of-path


Peering Commands

in-path peering auto


Description

Enables automatic peering for serial cascade deployments.

Syntax

[no] in-path peering auto

Parameters

<port>

Specifies the port number.

Usage

Cascade configurations enable optimal multi-site deployments where connections between the
client and the server might pass through intermediate Steelhead appliances to reach their final
destination. For Steelhead appliances running v4.0, you can configure this to happen
automatically through automatic peering. For Steelhead appliances running versions prior to
v4.0, in-path peering rules are used at the intermediate Steelhead appliances.
With automatic peering, the Steelhead appliance bypasses any intermediary Steelhead appliances
and automatically finds the furthest appliance from the source. Automatic peering simplifies
configuration and makes deployments more scalable. Automatic peering is disabled by default in
v4.0.
NOTE: For Steelhead appliances running versions prior to v4.0, in-path peering rules are used at
the intermediate Steelhead appliances.
You can deploy a cascade on either the client side or on the server side.
Example: C-----SH1-----SH2-----SH3-----WAN-----SH4-----SH5-----SH6-----S

The appliances are configured to auto-discover available peers across the WAN.
The no command option disables automatic peering.

Example

minna (config) # in-path peering auto


minna (config) #

Product

Steelhead appliance

Related Topics

show in-path, show in-path peering auto, show in-path peering rules

in-path peering rule


Description

Configures in-path peering rules.

Syntax

[no] in-path peering rule {auto | pass | accept} peer <peerip> src <subnet> | dest <subnet> |
dest-port <port> rulenum <rulenum> description <desc>

Parameters

auto | pass | accept

Specifies the rule:


auto. Automatically determines the response for peering requests
(performs the best peering possible).
pass. Passes through matching peering requests.
accept. Accepts matching peering requests.

peer <peerip>

Specifies the peer IP address.

src <subnet>

Specifies the source network for this rule.

dest <subnet>

Specifies the destination network for this rule.

dest-port <port>

Specifies the destination port for this rule. You can specify a port label, or
all for all ports.

rulenum <rulenum>

Specifies the rule number.

description <desc>

Specify a description to facilitate communication about network
administration.

Usage

Serial clusters are supported only on Models 5000, 5010, 5520, and 6020.
You configure peering rules that define what to do when a Steelhead appliance receives an
auto-discovery probe from another Steelhead appliance. If you enable in-path peering auto, you
do not need to configure peering rules.
If automatic peering causes unexpected behavior in your network, you can set specific rules for
peering in a serial cluster.
Serial clustering can increase optimization capacity of your deployment.
You can provide increased optimization by deploying several Steelhead appliances back-to-back
in an in-path configuration to create a serial cluster.
Appliances in a cluster process the peering rules you specify in a spill-over fashion. When the
maximum number of TCP connections for a Steelhead appliance is reached, that appliance stops
intercepting new connections. This allows the next Steelhead appliance in the cluster the
opportunity to intercept the new connections, if it has not reached its maximum number of
connections. The in-path peering rules and in-path rules tell the Steelhead appliances in a cluster
not to intercept connections between themselves.
For detailed information about how to configure serial cluster deployments, see the Steelhead
Appliance Deployment Guide.
The no command option disables the peering rule.

Example

Here is an example of how to configure a cluster of 3 in-path appliances in a data center.

WAN----SH1----SH2----SH3----LAN

SH1 ip address is 10.0.1.1 on a /16
SH2 ip address is 10.0.1.2 on a /16
SH3 ip address is 10.0.1.3 on a /16

Each appliance is configured with in-path peering rules to not peer with another appliance in the
cluster, and with in-path rules to not optimize connections originating from those appliances.

SH1 configuration:
SH1 > enable
SH1 # configure terminal
SH1 (config) # in-path peering rule pass peer 10.0.1.2 rulenum 1
SH1 (config) # in-path peering rule pass peer 10.0.1.3 rulenum 1
SH1 (config) # in-path rule pass-through srcaddr 10.0.1.2/32 rulenum 1
SH1 (config) # in-path rule pass-through srcaddr 10.0.1.3/32 rulenum 1
SH1 (config) # wr mem
SH1 (config) # show in-path peering rules
Rule  Type   Source Network     Dest Network       Port  Peer Addr
----- ------ ------------------ ------------------ ----- ---------------
1     pass   *                  *                  *     10.0.1.3
2     pass   *                  *                  *     10.0.1.2
def   auto   *                  *                  *     *
SH1 (config) # show in-path rules
Rule  Type Source Addr        Dest Addr          Port  Target Addr     Port
----- ---- ------------------ ------------------ ----- --------------- -----
1     pass 10.0.1.3/32        *                  *     --
2     pass 10.0.1.2/32        *                  *     --
def   auto *                  *                  *     --


SH2 configuration:
SH2 > enable
SH2 # configure terminal
SH2 (config) # in-path peering rule pass peer 10.0.1.1 rulenum 1
SH2 (config) # in-path peering rule pass peer 10.0.1.3 rulenum 1
SH2 (config) # in-path rule pass-through srcaddr 10.0.1.1/32 rulenum 1
SH2 (config) # in-path rule pass-through srcaddr 10.0.1.3/32 rulenum 1
SH2 (config) # wr mem
SH2 (config) # show in-path peering rules
Rule  Type   Source Network     Dest Network       Port  Peer Addr
----- ------ ------------------ ------------------ ----- ---------------
1     pass   *                  *                  *     10.0.1.3
2     pass   *                  *                  *     10.0.1.1
def   auto   *                  *                  *     *
SH2 (config) # show in-path rules
Rule  Type Source Addr        Dest Addr          Port  Target Addr     Port
----- ---- ------------------ ------------------ ----- --------------- -----
1     pass 10.0.1.3/32        *                  *     --
2     pass 10.0.1.1/32        *                  *     --
def   auto *                  *                  *     --

SH3 configuration:
SH3 > enable
SH3 # configure terminal
SH3 (config) # in-path peering rule pass peer 10.0.1.1 rulenum 1
SH3 (config) # in-path peering rule pass peer 10.0.1.2 rulenum 1
SH3 (config) # in-path rule pass-through srcaddr 10.0.1.1/32 rulenum 1
SH3 (config) # in-path rule pass-through srcaddr 10.0.1.2/32 rulenum 1
SH3 (config) # wr mem
SH3 (config) # show in-path peering rules
Rule  Type   Source Network     Dest Network       Port  Peer Addr
----- ------ ------------------ ------------------ ----- ---------------
SH3 (config) # show in-path rules
Rule  Type Source Addr        Dest Addr          Port  Target Addr     Port
----- ---- ------------------ ------------------ ----- --------------- -----
1     pass 10.0.1.2/32        *                  *     --
2     pass 10.0.1.1/32        *                  *     --
def   auto *                  *                  *     --

Product

Steelhead appliance

Related Topics

show in-path peering auto, show in-path peering rules
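
The following is an added model, not Riverbed code, of the ordered rule list this manual describes: insertion by rulenum (1-N, start, end), reordering as in-path peering move-rule does, and consultation from first to last. It assumes the first matching rule decides and that a rule matches on source subnet, destination subnet and destination port; the Rule and RuleList names and the shadow check are hypothetical helpers for auditing a configuration offline.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")   # the manual's "all IP addresses (0.0.0.0)"


@dataclass(frozen=True)
class Rule:
    action: str                            # e.g. "pass-through", "discard"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dport: object = "all"                  # a port number or "all"

    def matches(self, src_ip, dst_ip, dport):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.dport in ("all", dport))

    def covers(self, other):
        """True when every connection `other` matches is matched by self too."""
        return (other.src.subnet_of(self.src) and other.dst.subnet_of(self.dst)
                and self.dport in ("all", other.dport))


class RuleList:
    def __init__(self, default_action="auto"):
        self.rules = []
        self.default_action = default_action   # the "def" row in show output

    def add(self, rule, rulenum="end"):
        """Insert like `rulenum <rulenum>`: 1-N, "start" or "end" (the default)."""
        if rulenum == "start":
            index = 0
        elif rulenum == "end":
            index = len(self.rules)
        elif 1 <= rulenum <= len(self.rules) + 1:
            index = rulenum - 1            # the old rule N becomes N+1, and so forth
        else:
            # Model choice: the manual does not say how the CLI treats this.
            raise ValueError(f"rulenum {rulenum} is outside 1-{len(self.rules) + 1}")
        self.rules.insert(index, rule)

    def move(self, rulenum, to):
        """Reorder like `in-path peering move-rule <rulenum> to <rulenum>`."""
        count = len(self.rules)
        if not (1 <= rulenum <= count and 1 <= to <= count):
            raise ValueError("rule number out of range")
        self.rules.insert(to - 1, self.rules.pop(rulenum - 1))

    def decide(self, src_ip, dst_ip, dport):
        """Return (rule number, action) of the first rule that matches."""
        for number, rule in enumerate(self.rules, start=1):
            if rule.matches(src_ip, dst_ip, dport):
                return number, rule.action
        return "def", self.default_action

    def shadowed(self):
        """List (rule number, number of the earlier rule that hides it)."""
        hidden = []
        for i, later in enumerate(self.rules):
            for j, earlier in enumerate(self.rules[:i]):
                if earlier.covers(later):
                    hidden.append((i + 1, j + 1))
                    break
        return hidden


def net(cidr):
    return ipaddress.ip_network(cidr)


def sh1_rules():
    """SH1's two in-path rules from the cluster example, both entered with rulenum 1."""
    rules = RuleList()
    rules.add(Rule("pass-through", src=net("10.0.1.2/32")), rulenum=1)
    rules.add(Rule("pass-through", src=net("10.0.1.3/32")), rulenum=1)
    return rules


def shadow_demo():
    """Constructed case: a broad pass-through entered before a narrow discard."""
    rules = RuleList()
    rules.add(Rule("pass-through", src=net("10.0.0.0/24")))
    rules.add(Rule("discard", src=net("10.0.0.2/32"), dst=net("10.0.0.1/32"), dport=1234))
    before = (rules.shadowed(), rules.decide("10.0.0.2", "10.0.0.1", 1234))
    rules.move(2, 1)                       # put the narrow rule first
    after = (rules.shadowed(), rules.decide("10.0.0.2", "10.0.0.1", 1234))
    return before, after


if __name__ == "__main__":
    print([str(r.src) for r in sh1_rules().rules])
    print(shadow_demo())
```

Entering both SH1 rules with rulenum 1 leaves the second one first, which is the order the show in-path rules output above lists. In the constructed case the discard rule has no effect until it is moved ahead of the broader pass-through rule.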

in-path peering move-rule


Description

Moves the order of the rule to the specified position in the rule list.

Syntax

in-path peering move-rule <rulenum> to <rulenum>

Parameters

<rulenum>

Specifies the rule number.

Usage

Rules in the rule list are consulted from first to last. Use this command to reorder an in-path
peering rule in the rule list.

Example

minna (config) # in-path peering move-rule 3 to 1

Product

Steelhead appliance

Related Topics

show in-path peering auto, show in-path peering rules

peer
Description

Use only to harmonize connection protocol versions in deployments with a mix of version 1.2 and
version 2.x appliances.

Syntax

[no] peer <IP addr> version [min <version> | max <version>]

Parameters

<IP addr>

Specifies the in-path or out-of-path (or both) Steelhead appliance.

min <version>

Specifies the protocol version number: 5 or 6.

max <version>

Specifies the protocol version number: 5 or 6.

Usage

For each v1.2 Steelhead appliance peer, enter the following commands:
sh> peer <addr> version min 5
sh> peer <addr> version max 5

After all the v1.2 Steelhead appliances in the network have been upgraded to 2.x Steelhead
appliances, remove the version settings:
sh> no peer <addr> version min
sh> no peer <addr> version max

If you are unable to discover all v1.2 Steelhead appliances in the network, configure all v2.1
Steelhead appliances to use v5 protocol by default with all peers by specifying 0.0.0.0 as the peer
address:
sh> peer 0.0.0.0 version min 5
sh> peer 0.0.0.0 version max 5

NOTE: Version 5 does not support some optimization policy features. Ultimately, you need to
upgrade all appliances to v2.1 or later.
The no command option resets the protocol version to the default.

Example

minna (config) # peer 10.0.0.1 version min 5
minna (config) # peer 10.0.0.2 version max 5

Product

Steelhead appliance

Related Topics

show in-path peering auto, show in-path peering rules


Asymmetric Route Detection and Connection Forwarding Commands



in-path asym-route-tab flush


Description

Clears a single route from the asymmetric routing table. Requires the specification of an address
pair that exists in the table, for example 1.1.1.1-2.2.2.2.

Syntax

in-path asym-route-tab flush

Parameters

None

Example

minna (config) # in-path asym-route-tab flush


minna (config) #

Product

Steelhead appliance

Related Topics

show in-path asym-route-tab

in-path asym-route-tab remove


Description

Clears a specified single route from the asymmetric routing table. To specify an address pair that
exists in the table, use the format X.X.X.X-X.X.X.X. For example 1.1.1.1-2.2.2.2.

Syntax

in-path asym-route-tab remove <entry>

Parameters

<entry>

Specifies the IP address of the asymmetric routing table entry to remove.

Usage

Requires the specification of an address pair that exists in the table, for example 1.1.1.1-2.2.2.2.

Example

minna (config) # in-path asym-route-tab remove 10.0.0.0-10.1.0.0
minna (config) #

Product

Steelhead appliance

Related Topics

show in-path asym-route-tab

in-path asymmetric routing detection enable


Description

Enables asymmetric route detection. Asymmetric route detection automatically detects and
reports asymmetric routing conditions and caches this information to avoid losing connectivity
between a client and a server.
Asymmetric routing occurs when a packet takes one path to the destination and another path
when returning to the source. Asymmetric routing is common within most networks; the larger
the network, the more likely there is asymmetric routing in the network.
Asymmetric route auto-detection enables Steelhead appliances to detect the presence of
asymmetry within the network. Asymmetry is detected by the client-side Steelhead appliances.
Once detected, the Steelhead appliance will pass asymmetric traffic through unoptimized,
allowing the TCP connections to continue to work. The first TCP connection for a pair of
addresses might be dropped because during the detection process, the Steelhead appliances have
no way of knowing that the connection is asymmetric.
Asymmetric routing is undesirable for many network devices, including firewalls, VPNs, and
Steelhead appliances. To function properly, these devices all rely on seeing every packet. When
Steelhead appliances are deployed in a network, all TCP traffic must flow through the same
Steelhead appliances in the forward and reverse directions.
Asymmetric route detection is enabled by default. If you disable asymmetric route detection,
asymmetrically routed TCP connections break. No logging, alarms, or emails are created when
this feature is disabled. Riverbed does not recommend disabling this feature.

Syntax

[no] in-path asymmetric routing detection {caching | detection} enable

Parameters

caching

Enables the asymmetric routing cache.

detection

Enables asymmetric routing detection.


Usage

If asymmetric routing is detected, an entry is placed in the asymmetric routing table and any
subsequent connections from that IP pair will be passed through. Further connections between
these hosts are not optimized until that particular asymmetric routing cache entry times out.
To display the asymmetric routing table, use the following CLI command:
show in-path asym-route-tab

Types of asymmetry:
Complete Asymmetry. Packets traverse both Steelhead appliances going from client to server
but bypass both Steelhead appliances on the return path.
Asymmetric routing table entry: bad RST
Log: Sep 5 11:16:38 gen-sh102 kernel: [intercept.WARN] asymmetric routing
between 10.11.111.19 and 10.11.25.23 detected (bad RST)

Server-Side Asymmetry. Packets traverse both Steelhead appliances going from client to server
but bypass the server-side Steelhead appliance on the return path.
Asymmetric routing table entry: bad SYN/ACK
Log: Sep 7 16:17:25 gen-sh102 kernel: [intercept.WARN] asymmetric routing
between 10.11.25.23:5001 and 10.11.111.19:33261 detected (bad SYN/ACK)

Client-Side Asymmetry. Packets traverse both Steelhead appliances going from client to server
but bypass the client-side Steelhead appliance on the return path.
Asymmetric routing table entry: no SYN/ACK
Log: Sep 7 16:41:45 gen-sh102 kernel: [intercept.WARN] asymmetric routing
between 10.11.111.19:33262 and 10.11.25.23:5001 detected (no SYN/ACK)

Multi-SYN Retransmit- Probe-Filtered. Occurs when the client-side Steelhead appliance sends
out multiple SYN+ frames and does not get a response.
Asymmetric routing table entry: probe-filtered(not-AR)
Log: Sep 13 20:59:16 gen-sh102 kernel: [intercept.WARN] it appears as though
probes from 10.11.111.19 to 10.11.25.23 are being filtered. Passing through
connections between these two hosts.

Multi-SYN Retransmit- SYN-Rexmit. Occurs when the client-side Steelhead appliance
receives multiple SYN retransmits from a client and does not see a SYN/ACK packet from the
destination server.
Asymmetric routing table entry: probe-filtered(not-AR)
Log: Sep 13 20:59:16 gen-sh102 kernel: [intercept.WARN] it appears as though
probes from 10.11.111.19 to 10.11.25.23 are being filtered. Passing through
connections between these two hosts.
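
The following added example, which is not part of the Riverbed manual, parses the [intercept.WARN] messages quoted above and maps each to the asymmetry type the manual pairs it with, so a log collector can report which host pairs are being passed through unoptimized. The function names are hypothetical; the first four sample lines are the manual's own log text joined onto one line, and the last two are constructed.

```python
import ipaddress
import re
from collections import Counter

# Asymmetric routing table entry -> asymmetry type, as the manual pairs them.
REASONS = {
    "bad RST": "complete asymmetry",
    "bad SYN/ACK": "server-side asymmetry",
    "no SYN/ACK": "client-side asymmetry",
    "probe-filtered(not-AR)": "probes filtered, not asymmetric routing",
}

_EP = r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?"      # address with optional :port
_HEADER = re.compile(
    r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) (\S+) kernel: \[intercept\.WARN\] ")
_ASYM = re.compile(rf"asymmetric routing between {_EP} and {_EP} detected \(([^)]+)\)")
_FILTERED = re.compile(rf"it appears as though probes from {_EP} to {_EP} are being filtered")


def _endpoint(ip, port):
    """Validate the address; the port is None when the message carries none."""
    ipaddress.IPv4Address(ip)              # raises ValueError on e.g. 10.0.0.999
    return ip, int(port) if port else None


def parse_line(line):
    """Return a dict for an asymmetric-routing warning, or None for anything else."""
    text = " ".join(line.split())          # undo line wrapping and padded day numbers
    head = _HEADER.match(text)
    if not head:
        return None
    body = text[head.end():]
    found = _ASYM.match(body)
    if found:
        reason = found.group(5)
    else:
        found = _FILTERED.match(body)
        if not found:
            return None
        reason = "probe-filtered(not-AR)"  # table entry the manual gives for this message
    try:
        a = _endpoint(found.group(1), found.group(2))
        b = _endpoint(found.group(3), found.group(4))
    except ValueError:
        return None
    return {"time": head.group(1), "appliance": head.group(2), "a": a, "b": b,
            "reason": reason, "kind": REASONS.get(reason, "unrecognised reason")}


def summarize(lines):
    """Count warnings per (unordered host pair, reason)."""
    counts = Counter()
    for line in lines:
        event = parse_line(line)
        if event:
            pair = tuple(sorted((event["a"][0], event["b"][0])))
            counts[(pair, event["reason"])] += 1
    return counts


SAMPLE = [
    "Sep 5 11:16:38 gen-sh102 kernel: [intercept.WARN] asymmetric routing "
    "between 10.11.111.19 and 10.11.25.23 detected (bad RST)",
    "Sep 7 16:17:25 gen-sh102 kernel: [intercept.WARN] asymmetric routing "
    "between 10.11.25.23:5001 and 10.11.111.19:33261 detected (bad SYN/ACK)",
    "Sep 7 16:41:45 gen-sh102 kernel: [intercept.WARN] asymmetric routing "
    "between 10.11.111.19:33262 and 10.11.25.23:5001 detected (no SYN/ACK)",
    "Sep 13 20:59:16 gen-sh102 kernel: [intercept.WARN] it appears as though "
    "probes from 10.11.111.19 to 10.11.25.23 are being filtered. Passing through "
    "connections between these two hosts.",
    # Constructed: malformed address, then an unrelated syslog line.
    "Sep 13 21:00:02 gen-sh102 kernel: [intercept.WARN] asymmetric routing "
    "between 10.11.111.999 and 10.11.25.23 detected (bad RST)",
    "Sep 13 21:00:05 gen-sh102 sshd[411]: session opened",
]

if __name__ == "__main__":
    for (pair, reason), count in sorted(summarize(SAMPLE).items()):
        print(f"{pair[0]} <-> {pair[1]}  {reason:<24} {REASONS[reason]}  x{count}")
```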


You can use the following tools to detect and analyze asymmetric routes:
TCP Dump. Run the TCP dump tool on the client-side Steelhead appliance to verify the packet
sequence that is causing the asymmetric route detection. You can take traces on the LAN and
WAN ports of the Steelhead appliance and, based on the packet maps, look for the packet
sequence that is expected for the type of warning message in the log. For example to obtain
information on all packets on the WAN interface, sourced from or destined to 10.0.0.1, and with
a source/destination TCP port of 80:
tcpdump -i wan0_0 host 10.0.0.1 and port 80

To filter SYN, SYN/ACK, and reset packets, you can use the following command. This will not
show you ACK packets but it can be useful if the link is saturated with traffic and the traces are
filling quickly. The following command uses the -i parameter to specify the interface and the -w
parameter to write to a file:
tcpdump -i wan1_0 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0' -w lookingforasymwan

Trace Route. Run the trace route tool to discover what path a packet is taking from client to
server and from server to client. Access the client and run the traceroute command with the IP
address of the server, and then run the traceroute command from the server with the IP address
of the client. For example for a Cisco router:
#Clients Address: 10.1.0.2 ..
#Servers Address: 10.0.0.4
client# traceroute 10.0.0.4
Type escape sequence to abort.
Tracing the route to 10.0.0.4
1 10.1.0.1 4 msec 0 msec 4 msec
2 10.0.0.2 4 msec 4 msec 0 msec
3 10.0.0.3 4 msec 4 msec 0 msec
4 10.0.0.4 4 msec 4 msec 0 msec
server# traceroute 10.1.0.2
Type escape sequence to abort.
Tracing the route to 10.1.0.2
1 10.0.0.6 4 msec 0 msec 4 msec
2 10.0.0.5 4 msec 4 msec 0 msec
3 10.1.0.1 4 msec 4 msec 0 msec
4 10.1.0.2 4 msec 4 msec 0 msec

The no command option disables asymmetric route detection and caching.


Example

minna (config) # in-path asymmetric routing detection caching enable


minna (config) #

Product

Steelhead appliance

Related Topics

show in-path asym-route-tab

in-path asymmetric routing pass-through enable


Description

Enables and disables the pass-through feature for asymmetric routing. If disabled, asymmetrically
routed TCP connections are still detected and a warning message is logged, but the connection is
not passed-through and no alarm or email is sent. Use this command to ensure connections are
not passed-through the Steelhead appliances unoptimized but logging occurs when asymmetric
routes are detected.

Syntax

[no] in-path asymmetric routing pass-through enable

Parameters

None


Usage

If asymmetric routing is detected, the pair of IP addresses, defined by the client and server
addresses of the connection, is cached in the asymmetric routing cache on the Steelhead appliance.
Further connections between these hosts are not optimized until that particular asymmetric
routing cache entry times out.
The no command option disables asymmetric routing pass through.

Example

minna (config) # in-path asymmetric routing pass-through enable


minna (config) #

Product

Steelhead appliance

Related Topics

show in-path asym-route-tab

in-path cdp allow-failure enable


Description

In PBR deployments with multiple in-path interfaces, enables CDP packets to be sent to the
other routers when one of the routers goes down.

Syntax

[no] in-path cdp allow-failure enable

Parameters

None

Usage

With PBR, CDP is used by the Steelhead appliance to notify the router that the Steelhead
appliance is still alive and that the router can still redirect packets to it.
In some cases, you might want to disable this command so that if one router goes down, the
Steelhead appliance stops sending CDP packets to all the routers it is attached to and connections
are redirected and optimized by another Steelhead appliance.
This can be useful when the routers are configured to redirect to a Steelhead appliance when all
routers are up but to another Steelhead appliance when one router goes down.
For detailed information about how to configure a Steelhead appliance for PBR with CDP, see the
Steelhead Appliance Deployment Guide.
The no command option disables CDP.

Example

minna (config) # in-path cdp allow-failure enable


minna (config) #

Product

Steelhead appliance

Related Topics

show in-path cdp

in-path cdp enable


Description

Enables CDP support in PBR deployments.

Syntax

[no] in-path cdp enable

Parameters

None


Usage

Enables CDP support in PBR deployments. Virtual in-path failover deployments require CDP on
the Steelhead appliance to bypass the Steelhead appliance that is down.
CDP is a proprietary protocol used by Cisco routers and switches to obtain neighbor IP addresses,
model, IOS version, and so forth. The protocol runs at the OSI layer 2 using the 802.3 Ethernet
frame.
For detailed information about how to configure a Steelhead appliance for PBR with CDP, see the
Steelhead Appliance Deployment Guide.
The no command option disables CDP.

Example

minna (config) # in-path cdp enable


minna (config) #

Product

Steelhead appliance

Related Topics

show in-path cdp

in-path cdp holdtime


Description

Configures the hold-time for CDP. The hold-time period allows for a quick recovery in failover
deployments with PBR and CDP.

Syntax

[no] in-path cdp holdtime <holdtime>

Parameters

<holdtime>

Specifies the CDP hold-time in seconds. The default value is 5.

Usage

The no command option resets the CDP hold-time to the default (5).

Example

minna (config) # in-path cdp holdtime 10
minna (config) #

Product

Steelhead appliance

Related Topics

show in-path cdp

in-path cdp interval


Description

Configures the refresh period for CDP. The refresh period allows for a quick recovery in failover
deployments with PBR and CDP.

Syntax

[no] in-path cdp interval <interval>

Parameters

<interval>

Specifies the CDP refresh interval in seconds. The default value is 1.

Usage

The no command option resets the CDP refresh period to the default (1).

Example

minna (config) # in-path cdp interval 10
minna (config) #

Product

Steelhead appliance

Related Topics

show in-path cdp


in-path neighbor allow failure


Description

Enables the Steelhead appliance to continue to optimize connections when one or more of the
configured neighbors is unreachable.

Syntax

[no] in-path neighbor allow failure

Parameters

None

Usage

When you deploy the Steelhead appliance in an in-path deployment with connection forwarding,
you want the Steelhead appliance to stop intercepting traffic if it cannot contact its neighbor. In
deployments with multiple WCCP clusters or Interceptor appliance masters and backups, the
in-path neighbor allow failure command enables the appliance to continue to intercept
connections if one or more of the configured neighbors is unreachable.
The no command option disables this feature.

Example

minna (config) # in-path neighbor allow failure


minna (config) #

Product

Steelhead appliance

Related Topics

show in-path neighbor (Steelhead), show in-path neighbor peers

in-path neighbor enable


Description

Enables connection forwarding support in asymmetric networks. Connection forwarding
forwards TCP connections in networks where the path from the client to the server is different
from the path from the server to the client.

Syntax

[no] in-path neighbor enable

Parameters

None

Usage

If you have one path from the client to the server and a different path from the server to the client,
enable in-path connection forwarding so that the Steelhead appliances can communicate with
each other. These Steelhead appliances are called neighbors and exchange connection information
to redirect packets to each other.
When you define a neighbor, you must specify the Steelhead appliance in-path IP address, not the
primary IP address.
Neighbors can be placed in the same physical site or in different sites but the latency between
them must be small because the packets travelling between them are not optimized.
If there are more than two possible paths, additional Steelhead appliances must be installed on
each path and configured as neighbors. Neighbors are notified in parallel so that the delay
introduced at connection setup is equal to the time it takes to get an acknowledgement from the
furthest neighbor.
For detailed information about connection forwarding deployments and how to configure them,
see the Steelhead Appliance Deployment Guide.
The no command option disables connection forwarding support.


Example

minna (config) # in-path neighbor enable
minna (config) # in-path neighbor ip-address 10.0.0.4
;;client-side appliance (Steelhead-1)
minna (config) # in-path neighbor ip-address 10.0.0.6
;;the server-side appliance (Steelhead-2)

Product

Steelhead appliance

Related Topics

show in-path neighbor (Steelhead), show in-path neighbor peers

in-path neighbor ip address


Description

Sets the IP address for the neighbor Steelhead appliance for connection forwarding.

Syntax

[no] in-path neighbor ip address <addr> [port <port>]

Parameters

<addr>

Specifies the IP address of the in-path Steelhead appliance.

port <port>

Specifies the port for the in-path Steelhead appliance.

Usage

If you have one path from the client to the server and a different path from the server to the client,
enable in-path connection forwarding and configure the Steelhead appliances to know about and
communicate with each other. These Steelhead appliances are called neighbors and exchange
connection information to redirect packets to each other. For example:
minna (config) # in-path neighbor enable
minna (config) # in-path neighbor ip-address 10.0.0.4
;;client-side appliance (Steelhead-1)
minna (config) # in-path neighbor ip-address 10.0.0.6
;;the server-side appliance (Steelhead-2)

When you define a neighbor, you must specify the Steelhead appliance in-path IP address, not the
primary IP address.
The no command option removes the IP address for the neighbor Steelhead appliance from the
connection forwarding list.
Example

minna (config) # in-path neighbor ip-address 10.0.0.4


minna (config) #

Product

Steelhead appliance

Related Topics

show in-path neighbor (Steelhead), show in-path neighbor peers

in-path neighbor keepalive count


Description

Sets the number of keep-alive messages before terminating connections with the neighbor Steelhead
appliance for TCP connection forwarding.

Syntax

[no] in-path neighbor keepalive count <count>

Parameters

<count>

Specifies the number of keep-alive messages. The default value is 3.

Usage

The no command option resets the count to the default (3).


Example

minna (config) # in-path neighbor keepalive count 10


minna (config) #

Product

Steelhead appliance

Related Topics

show in-path neighbor (Steelhead), show in-path neighbor peers

in-path neighbor keepalive interval


Description

Sets the time interval between keep-alive messages with the neighbor Steelhead appliance for
connection forwarding.

Syntax

[no] in-path neighbor keepalive interval <seconds>

Parameters

<seconds>

Specifies the number of seconds between keep-alive messages. The default value is 10.

Usage

The no command option resets the interval to the default.

Example

minna (config) # in-path neighbor keepalive interval 15
minna (config) #

Product

Steelhead appliance

Related Topics

show in-path neighbor (Steelhead), show in-path neighbor peers

in-path neighbor interface


Description

Specifies the interface on which the appliance communicates with a peer neighbor Steelhead
appliance.

Syntax

in-path neighbor interface <iface>

Parameters

interface <iface>

Specifies the interface name.

Usage

The no command option disables the interface.

Example

minna (config) # in-path neighbor interface inpath3_0
minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show in-path neighbor (Steelhead), show in-path neighbor peers, show interfaces

in-path neighbor peer


Description

Specifies a connection to a peer neighbor Steelhead appliance.

Syntax

in-path neighbor peer addr <ip> port <port> [paused]


Parameters

addr <peer IP address>

Specifies the peer neighbor IP address.

port

Specifies the corresponding port. The default value is 7850.

paused

Pauses communication with the peer neighbor.

Usage

The no command option disables the connection.

Example

minna (config) # in-path neighbor peer addr 10.10.10.1


minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show in-path neighbor (Steelhead), show in-path neighbor (Interceptor), show in-path
neighbor peers, show peers

in-path neighbor port


Description

Sets the neighbor port for the Steelhead appliance in connection forwarding deployments.

Syntax

[no] in-path neighbor port <port>

Parameters

<port>

Specifies the neighbor Steelhead appliance port. The default value is 7850.

Usage

The no command option resets the port to the default.

Example

minna (config) # in-path neighbor port 2380
minna (config) #

Product

Steelhead appliance

Related Topics

show in-path neighbor (Steelhead), show in-path neighbor peers, show peers


Simplified Routing Support



in-path simplified routing


Description

Enables simplified routing. Simplified routing collects the IP address for the next hop MAC
address from each packet it receives to use in addressing traffic. Enabling simplified routing
eliminates the need to add static routes when the Steelhead appliance is in a different subnet from
the client and server.

Syntax

[no] in-path simplified routing {[all | dest-only | dest-source | mac-def-gw-only | none]}

Parameters

all

Collects source and destination MAC data. Also collects data for connections that
are un-natted (connections that are not translated using NAT).

dest-only

Collects destination MAC data. This option can be used in connection
forwarding.

dest-source

Collects destination and source MAC data. This option cannot be used in
connection forwarding.

none

Disables all options.

Usage

Without simplified routing, if a Steelhead appliance is installed in a different subnet from the
client or server, you must define one router as the default gateway and static routes for the other
routers so that traffic is not redirected back through the Steelhead appliance. However, in some
cases, even with static routes defined, the ACL on the default gateway may still drop traffic that
should have gone through the other router. Enabling simplified routing eliminates this issue.
Simplified routing has the following constraints:
Broadcast support in PFS configurations cannot be enabled.
WCCP cannot be enabled.
The default route must exist on each Steelhead appliance in your network.
Simplified routing requires a client-side and server-side Steelhead appliance.
Optionally, you can also enable automatic peering. When you enable simplified routing,
Riverbed recommends that you also enable automatic peering because it gives the Steelhead
appliance more information to associate IP addresses and MAC addresses (and potentially
VLAN tags). For information, see in-path peering auto on page 199.
The no command option disables simplified routing.

Example

minna (config) # in-path simplified routing all


minna (config) #

Product

Steelhead appliance

Related Topics

show in-path simplified routing


NetFlow Support Commands



ip flow-export
Description

Configures NetFlow support. NetFlow enables you to collect traffic flow data and gather it on
NetFlow collectors. You can gather pre-optimization and post-optimization data on traffic flows
for custom reports.
Steelhead appliances support NetFlow v5 (the most common format).

Syntax

ip flow-export {destination <collector ip> <collector port> [export-port {aux | primary}] |
[interface {primary | wan1_1 | lan1_1 | wan1_0 | lan1_0}] | [capture {all | optimized |
optimized-lan | optimized-wan | passthrough}] | [lan-addrs {off | on}] [fakeindex {off | on}]}

Parameters

destination <collector ip> <collector port>

Specifies the export IP address and port the NetFlow collector is
listening on. The default value is 2055.

export-port {aux | primary}

Specifies the interface used to send NetFlow packets to the collector.

interface {primary | wan1_1 | lan1_1 | wan1_0 | lan1_0}

Specifies the interface used to capture packets. NetFlow records sent
from the Steelhead appliance will appear to be sent from the IP address
of the selected interface.

capture {all | optimized | optimized-lan | optimized-wan | passthrough}

Specifies whether all traffic, optimized traffic, optimized LAN traffic,
optimized WAN traffic, or only pass-through traffic is exported to the
NetFlow collector.
The default value is optimized.

lan-addrs {off | on}

Specifies whether the TCP IP addresses and ports reported for optimized
flows should contain the original client and server IP addresses and not
those of the Steelhead appliance: off displays the Steelhead appliance
information; on displays the LAN address information.
The default is to display the IP addresses of the original client and server
without the IP address of the Steelhead appliances.

fakeindex {off | on}

Specifies whether to use the LAN interface index for WAN traffic.
In virtual in-path deployments, traffic moves in and out of the same
WAN interface; the LAN interface is not used. As a result, when the
Steelhead appliance exports data to a NetFlow collector, all traffic has the
WAN interface index. Though it is technically correct for all traffic to
have the WAN interface index because the input and output interfaces
are the same, this makes it impossible for an administrator to use the
interface index to distinguish between LAN-to-WAN and WAN-to-LAN
traffic.
The default value is off. Specify on to use the LAN interface index for
WAN traffic, which inserts the correct interface index before exporting
data to a NetFlow collector. This feature works only for optimized traffic,
not unoptimized or passed through traffic.


Usage

Before you enable NetFlow support in your network, you should consider the following:
Generating NetFlow data can utilize large amounts of bandwidth, especially on low
bandwidth links, thereby impacting Steelhead appliance performance.
You can reduce the amount of data exported by NetFlow if you export only optimized traffic.
NetFlow only tracks incoming packets (ingress).
To troubleshoot your NetFlow settings:
Make sure the port configuration on the Steelhead appliance and the listening port of the
collector match.
Ensure that you can reach the collectors from the Steelhead appliance (for example, ping
X.X.X.X where X.X.X.X is the NetFlow collector).
Verify that your capture settings are on the correct interface and that traffic is flowing through
it:
minna (config) # ip flow-export enable
minna (config) # ip flow-export wan0_0 destination 10.2.2.2 2055 export-port primary capture optimized lan-addrs on
minna (config) # show ip flow-export

For WCCP or PBR virtual in-path deployments, because the traffic is arriving and leaving from
the same WAN interface, when the Steelhead appliance exports data to a NetFlow collector, all
traffic has the WAN interface index. This is the correct behavior because the input interface is the
same as the output interface.
To distinguish between LAN-to-WAN and WAN-to-LAN traffic in virtual in-path deployments,
use the fakeindex parameter.
Example

minna (config) # ip flow-export lan0 destination 10.2.2.2 80 export-port aux capture all lan-addrs off
minna (config) #

Product

Steelhead appliance

Related Topics

show job
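
The interface-index problem described for virtual in-path deployments can be seen on the collector side. The following Python is an added example, not part of the Riverbed manual or product: it parses a NetFlow v5 datagram and classifies each flow by its input and output interface indexes. The function names, the ifIndex values 1 (LAN) and 2 (WAN), and the mapping of index pairs to directions are assumptions made for illustration; the sample datagram is constructed.

```python
import ipaddress
import struct

# NetFlow v5 wire layout: 24-byte header, then 1-30 records of 48 bytes each,
# all fields in network byte order.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram):
    """Parse one NetFlow v5 UDP payload into (header, flows)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, _uptime, unix_secs, _nsecs, sequence,
     _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("version field is %d, expected 5" % version)
    if not 1 <= count <= 30:
        raise ValueError("record count %d is outside 1-30" % count)
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError("length %d, but count implies %d"
                         % (len(datagram), expected))
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "input_if": f[3],
            "output_if": f[4],
            "packets": f[5],
            "octets": f[6],
            "src_port": f[9],
            "dst_port": f[10],
            "tcp_flags": f[12],
            "protocol": f[13],
        })
    header = {"count": count, "unix_secs": unix_secs, "flow_sequence": sequence}
    return header, flows


def direction(flow, lan_index, wan_index):
    """Classify a flow by its input/output interface indexes.

    Assumption: lan_index and wan_index are the interface index values of the
    appliance's LAN and WAN interfaces, supplied by the operator.
    """
    pair = (flow["input_if"], flow["output_if"])
    if pair == (lan_index, wan_index):
        return "LAN-to-WAN"
    if pair == (wan_index, lan_index):
        return "WAN-to-LAN"
    if pair == (wan_index, wan_index):
        return "ambiguous"  # input and output are both the WAN interface
    return "unknown"


def build_datagram(records):
    """Build a constructed v5 datagram for testing (not appliance output)."""
    header = V5_HEADER.pack(5, len(records), 1000, 1270000000, 0, 1, 0, 0, 0)
    body = b""
    for src, dst, in_if, out_if, sport, dport in records:
        body += V5_RECORD.pack(
            int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst)),
            0, in_if, out_if, 10, 5200, 100, 900, sport, dport,
            0, 0x1B, 6, 0, 0, 0, 0, 0, 0)
    return header + body


# Constructed sample: ifIndex 1 = LAN, ifIndex 2 = WAN (illustrative values).
SAMPLE = build_datagram([
    ("10.1.0.2", "10.0.0.4", 2, 2, 49152, 80),   # input == output == WAN
    ("10.1.0.2", "10.0.0.4", 1, 2, 49152, 80),
    ("10.0.0.4", "10.1.0.2", 2, 1, 80, 49152),
])

if __name__ == "__main__":
    _, sample_flows = parse_netflow_v5(SAMPLE)
    for flow in sample_flows:
        print(flow["src"], "->", flow["dst"], direction(flow, 1, 2))
```

A collector that sees only "ambiguous" flows from a virtual in-path appliance cannot attribute traffic direction from the interface indexes alone, which is the situation the fakeindex parameter addresses.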

ip flow-export enable
Description

Enables NetFlow support. NetFlow enables you to collect traffic flow data and gather it on
NetFlow collectors. You can gather pre-optimization and post-optimization data on traffic flows
for custom reports.
NetFlow enables you to export network statistics that provide information about network data
flows such as peak usage times, traffic accounting, security, and traffic routing. NetFlow records
information for each incoming packet on the specified network interface (the ingress interface).
This data is sent to a NetFlow collector and analyzed by a NetFlow analyzer.
Steelhead appliances support NetFlow v5 (the most common format).

Syntax

[no] ip flow-export enable

Parameters

None


Usage

Before you enable NetFlow support in your network, you should consider the following:
Generating NetFlow data can utilize large amounts of bandwidth, especially on low bandwidth
links, thereby impacting Steelhead appliance performance.
You can reduce the amount of data exported by NetFlow by exporting only optimized traffic.
NetFlow only tracks incoming packets (ingress).
To troubleshoot your NetFlow settings:
Make sure the port configuration matches on the Steelhead appliance and the listening port of
the collector.
Ensure that you can reach the collectors from the Steelhead appliance (for example, ping
X.X.X.X where X.X.X.X is the NetFlow collector).
Verify that your capture settings are on the correct interface and that traffic is flowing through
it:
minna (config) # ip flow-export enable
minna (config) # ip flow-export wan0_0 destination 10.2.2.2 2055 export-port primary capture optimized lan-addrs on
minna (config) # show ip flow-export

For virtual in-path deployments (WCCP or PBR), because the traffic is arriving and leaving from
the same WAN interface, when the Steelhead appliance exports data to a NetFlow collector, all
traffic has the WAN interface index. This is the correct behavior because the input interface is the
same as the output interface.
To distinguish between LAN-to-WAN and WAN-to-LAN traffic in virtual in-path deployments,
see the fakeindex parameter in ip flow-export on page 217 or the Steelhead Appliance Deployment
Guide.
The no command option disables NetFlow support.
Example

minna (config) # ip flow-export enable


minna (config) #

Product

Steelhead appliance

Related Topics

show ip


IPSec Commands

ip security authentication policy


Description

Sets the authentication algorithms in order of priority.

Syntax

ip security authentication policy <policy> [<policy>]

Parameters

<policy>

Specifies the primary policy (method 1):
hmac_md5. Message-Digest algorithm 5 (MD5) is a widely-used cryptographic
hash function with a 128-bit hash value. This is the default value.
hmac_sha1. Secure Hash Algorithm (SHA1) is a set of related cryptographic hash
functions. SHA-1 is considered to be the successor to MD5.

<policy>

Specifies the secondary policy (method 2): hmac_md5, hmac_sha1.

Usage

You must specify at least one algorithm. The algorithm is used to guarantee the authenticity of
each packet.

Example

minna (config) # ip security authentication policy hmac_md5


minna (config) #

Product

Steelhead appliance

Related Topics

show ip

ip security enable
Description

Enables encryption and authentication support using IPSec.

Syntax

[no] ip security enable

Parameters

None

Usage

Enabling IPSec support makes it difficult for a third party to view your data or pose as a machine
you expect to receive data from. You must also specify a shared secret to enable IPSec support. To
create a shared secret, see ip security shared secret.
To enable IPSec authentication, you must have at least one encryption and authentication
algorithm specified.
You must set IPSec support on each Steelhead appliance with which you want to establish a secure
connection.
If you NAT traffic between Steelhead appliances, you cannot use the IPSec channel between the
appliances because the NAT changes the packet headers, causing IPSec to reject them.
The no command option disables encryption and authentication support.
FIPS Mode
For FIPS compliance you must disable IPSec security. IPSec security is disabled by default. If you
have been running the Steelhead appliance in non-FIPS mode, you must run the no ip security enable
command to disable IPSec security. For detailed information about FIPS compliance commands,
see FIPS/CC Compliance Commands on page 318. For detailed information about configuring
FIPS-mode, see the FIPS/CC Administrator's Guide.


Example

minna (config) # ip security enable


minna (config) #

Product

Steelhead appliance

Related Topics

show ip, FIPS/CC Compliance Commands

ip security encryption policy


Description

Sets the encryption algorithms in order of priority.

Syntax

ip security encryption policy <algorithm> [<algorithm>]

Parameters

<algorithm>

Specifies the primary algorithm:
des. The Data Encryption Standard. This is the default value.
null_enc. The null encryption algorithm.

<algorithm>

Specifies the alternate algorithm: des and null_enc.

Usage

You must specify at least one algorithm. The algorithm is used to encrypt each packet sent using
IPSec.

Example

minna (config) # ip security encryption policy null_enc


minna (config) #

Product

Steelhead appliance

Related Topics

show ip

ip security peer ip
Description

Sets the peer Steelhead appliance with which you want to make a secure connection.

Syntax

[no] ip security peer ip <addr>

Parameters

<addr>

Specifies the peer IP address.

Usage

If IPSec is enabled on this Steelhead appliance, then it must also be enabled on all Steelhead
appliances in the IP security peers list; otherwise this Steelhead appliance will not be able to make
optimized connections with those peers that are not running IPSec.

If a connection has not been established between the Steelhead appliances that are configured to
use IPSec security, the Peers list does not display the peer Steelhead appliance because a security
association has not been established.
NOTE: When you add a peer, there is a short service disruption (3-4 seconds) causing the state
and time-stamp to change in the Current Connections report.
The no command option disables the peer.
Example

minna (config) # ip security peer ip 10.0.0.2


minna (config) #

Product

Steelhead appliance

Related Topics

show ip


ip security pfs enable


Description

Enables Perfect Forward Secrecy. Perfect Forward Secrecy provides additional security by
renegotiating keys at specified intervals. With Perfect Forward Secrecy, if one key is compromised,
previous and subsequent keys are secure because they are not derived from previous keys.

Syntax

[no] ip security pfs enable

Parameters

None

Usage

The no command option disables Perfect Forward Secrecy.

Example

minna (config) # ip security pfs enable


minna (config) #

Product

Steelhead appliance

Related Topics

show ip

ip security rekey interval


Description

Sets the time between quick-mode renegotiation of keys by IKE. IKE is a method for establishing an
SA that authenticates users, negotiates the encryption method, and exchanges a secret key. IKE
uses public key cryptography to provide the secure transmission of a secret key to a recipient so
that the encrypted data can be decrypted at the other end.

Syntax

[no] ip security rekey interval <minutes>

Parameters

<minutes>

Specifies the number of minutes between quick-mode renegotiation of keys. The
value must be a number between 1 and 65535. The default value is 240.

Usage

The no command option resets the interval to the default.

Example

minna (config) # ip security rekey interval 30
minna (config) #

Product

Steelhead appliance

Related Topics

show ip

ip security shared secret


Description

Sets the shared secret used to negotiate and renegotiate secret keys.

Syntax

ip security shared secret <secret>

Parameters

<secret>

Specifies the secret key to ensure Perfect Forward Secrecy security.

Usage

All Steelhead appliances that need to communicate with each other using IPSec must have the same
key. The ip security shared secret option must be set before IPSec is enabled.


Example

minna (config) # ip security shared secret xxxx


minna (config) #

Product

Steelhead appliance

Related Topics

show ip
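
The constraints stated across the IPSec commands above (shared secret set before enabling, rekey interval between 1 and 65535, IPSec disabled for FIPS mode, algorithm priority order) can be checked before a command script is pushed to an appliance. The following Python is an added example, not Riverbed code: it replays ip security commands in order and reports findings. Defaults are taken from this section; treating Perfect Forward Secrecy as off until enabled, the severity labels, and the function names are assumptions of this example, and the scripts are constructed.

```python
import re


def replay_ipsec(script):
    """Replay 'ip security' commands in order and return the resulting state."""
    # Defaults from the command reference above; PFS off is an assumption.
    state = {"enable_line": None, "secret_line": None, "pfs": False,
             "auth": ["hmac_md5"], "enc": ["des"], "rekey": "240",
             "peers": set()}
    for lineno, raw in enumerate(script.splitlines(), 1):
        match = re.match(r"\s*(no\s+)?ip\s+security\s+(.+?)\s*$", raw)
        if not match:
            continue
        negate, words = bool(match.group(1)), match.group(2).split()
        head, args = words[:2], words[2:]
        if words == ["enable"]:
            state["enable_line"] = None if negate else lineno
        elif words == ["pfs", "enable"]:
            state["pfs"] = not negate
        elif head == ["authentication", "policy"] and args:
            state["auth"] = args[:2]
        elif head == ["encryption", "policy"] and args:
            state["enc"] = args[:2]
        elif head == ["peer", "ip"] and args:
            (state["peers"].discard if negate else state["peers"].add)(args[0])
        elif head == ["rekey", "interval"]:
            state["rekey"] = "240" if negate or not args else args[0]
        elif head == ["shared", "secret"] and args:
            state["secret_line"] = lineno
    return state


def audit_ipsec(script, fips_mode=False):
    """Return (severity, message) findings for one command script."""
    s = replay_ipsec(script)
    if s["enable_line"] is None:
        return [] if fips_mode else [("info", "IPSec is not enabled")]
    findings = []
    if fips_mode:
        findings.append(("high", "FIPS mode requires 'no ip security enable'"))
    if s["secret_line"] is None:
        findings.append(("high", "IPSec is enabled but no shared secret is set"))
    elif s["secret_line"] > s["enable_line"]:
        findings.append(("medium", "shared secret is set after IPSec is enabled"))
    if not s["peers"]:
        findings.append(("info", "no 'ip security peer ip' entries"))
    for rank, alg in enumerate(s["enc"]):
        if alg == "null_enc":
            findings.append(("high" if rank == 0 else "medium",
                             "null_enc leaves packet payloads unencrypted"))
        elif alg == "des":
            findings.append(("low", "des has a 56-bit key; no stronger cipher "
                                    "is documented for this command"))
        else:
            findings.append(("high", "unknown encryption algorithm %r" % alg))
    if s["auth"][0] != "hmac_sha1":
        findings.append(("low", "first authentication algorithm is %s, "
                                "not hmac_sha1" % s["auth"][0]))
    if not s["pfs"]:
        findings.append(("medium", "'ip security pfs enable' is missing"))
    if not (s["rekey"].isdigit() and 1 <= int(s["rekey"]) <= 65535):
        findings.append(("high", "rekey interval %s is not 1-65535" % s["rekey"]))
    return findings


# Constructed command scripts in the syntax documented above (not appliance
# output). 'xxxx' is the placeholder secret used in the manual's own example.
WEAK_SCRIPT = """\
ip security enable
ip security authentication policy hmac_md5
ip security encryption policy null_enc des
ip security peer ip 10.0.0.2
ip security shared secret xxxx
ip security rekey interval 70000
"""

TIGHTER_SCRIPT = """\
ip security shared secret xxxx
ip security authentication policy hmac_sha1 hmac_md5
ip security encryption policy des
ip security pfs enable
ip security rekey interval 30
ip security peer ip 10.0.0.2
ip security enable
"""

if __name__ == "__main__":
    for name, script in (("weak", WEAK_SCRIPT), ("tighter", TIGHTER_SCRIPT)):
        for severity, message in audit_ipsec(script):
            print("%-8s %-6s %s" % (name, severity, message))
```

Even the tighter script still reports the des finding, because des and null_enc are the only encryption algorithms this command documents.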


PFS Support Commands



pfs domain
Description

Configures PFS domain mode.

Syntax

[no] pfs domain {join | rejoin | leave} domain-name <domain name> login <login> password
<password> [dc-name <domain controller>] [dc-list <list>] [short-name <name>]} [check]
[require]

Parameters

join | rejoin | leave

Specify whether the Steelhead appliance joins, rejoins, or leaves the
specified domain.
After a PFS Steelhead appliance leaves a domain, you must remove the
Steelhead account from your Windows Active Directory. The Active
Directory Users and Computers modification utility is normally located
under the Administrative Tools folder in Windows. Consult your Windows
documentation for further information.

domain-name <domain name>

Specifies the domain name (in Windows 2000 or above) to join, rejoin, or
leave. The Steelhead appliance host name must be in the DNS database.
The host name must not exceed 15 characters.

login <login> password <password>

Specify the login and password for the domain.

dc-list <dc list>

Optionally, specify a comma-separated list of domain controller names.

short-name <name>

Optionally, specify a short name for the domain.

check

Requires domain check upon startup.

require

Requires a domain for PFS.

Usage

In domain mode, you configure the PFS Steelhead appliance to join a Windows domain (typically,
your company's domain). When you configure the Steelhead appliance to join a Windows
domain, you do not have to manage local accounts in the branch office, as you do in Local
Workgroup mode.
Domain mode allows a DC to authenticate users accessing its file shares. The DC can be located at
the remote site or over the WAN at the main data center. The Steelhead appliance must be
configured as a Member Server in the Windows 2000, or later, ADS domain. Domain users are
allowed to access the PFS shares based on the access permission settings provided for each user.
Data volumes at the data center are configured explicitly on the proxy file server and are served
locally by the Steelhead appliance. As part of the configuration, the data volume and ACLs from
the origin server are copied to the Steelhead appliance. PFS allocates a portion of the Steelhead
appliance data store for users to access as a network file system.
Before you enable Domain mode in PFS make sure you:
- configure the Steelhead appliance to use NTP to synchronize the time.
- configure the DNS server correctly. The configured DNS server must be the same DNS server to
  which all the Windows client machines point.
- have a fully-qualified domain name for which PFS will be configured. This domain name must
  be the domain name for which all the Windows desktop machines are configured.
- set the owner of all files and folders in all remote paths to a domain account and not a local
  account.
IMPORTANT: PFS only supports domain accounts on the origin file server; PFS does not support
local accounts on the origin file server. During an initial copy from the origin file server to the PFS
Steelhead appliance, if PFS encounters a file or folder with permissions for both domain and local
accounts, only the domain account permissions are preserved on the Steelhead appliance.
For detailed information about how ACLs are propagated from the origin server to a PFS share,
refer to the Riverbed Technical Support site at https://support.riverbed.com.
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.
For detailed information about PFS, see the Steelhead Appliance Deployment Guide.

Example

minna (config) # pfs domain join realm login mylogin password mypassword
minna (config) #

Product

Steelhead appliance.

Related Topics

show pfs configuration, show pfs status, show pfs all-info shares

pfs enable
Description

Enables PFS support. PFS is an integrated virtual file server that allows you to store copies of files
on the Steelhead appliance with Windows file access, creating several options for transmitting
data between remote offices and centralized locations with improved performance. Data is
configured into file shares and the shares are periodically synchronized transparently in the
background, over the optimized connection of the Steelhead appliance. PFS leverages the
integrated disk capacity of the Steelhead appliance to store file-based data in a format that allows
it to be retrieved by NAS clients.
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.
For detailed information about PFS, see the Steelhead Appliance Deployment Guide.

Syntax

[no] pfs enable

Parameters

None


Usage

In RiOS v3.x or higher, you do not need to install the RCU service on the server to synchronize
shares. RCU functionality has been moved to the Steelhead appliance. When you upgrade from
v2.x to v3.x, your existing shares will be running as v2.x shares.
PFS is not appropriate for all network environments. For example, in a collaborative work
environment when there are many users reading, writing, and updating a common set of files and
records, you should consider not enabling PFS. For detailed information about whether PFS is
appropriate for your network environment, see the Steelhead Appliance Deployment Guide.
Before you enable PFS, configure the Steelhead appliance to use NTP to synchronize the time.
To use PFS, the Steelhead appliance and DC clocks must be synchronized.
The PFS Steelhead appliance must run the same version of the Steelhead appliance software as
the server side Steelhead appliance.
PFS traffic to and from the Steelhead appliance travels through the Primary interface. PFS
requires that the Primary interface is connected to the same switch as the LAN interface. For
detailed information, see the Steelhead Appliance Installation and Configuration Guide.
The PFS share and origin-server share names cannot contain Unicode characters.
NOTE: Using PFS can reduce the overall connection capacity for optimized TCP connections, as
memory and CPU resources are diverted to support the PFS operation.
The no command option disables PFS support.

Example

minna (config) # pfs enable
minna (config) #

Product

Steelhead appliance.

Related Topics

show pfs configuration, show pfs status, show pfs all-info shares

pfs settings
Description

Configures settings for a PFS file share.

Syntax

[no] pfs settings {[admin-password <password>] [log-level <0-10>] [conn-timeout <minutes>]
[max-log-size <size in KB>] [server-signing {enabled | disabled | required}]}

Parameters

admin-password <password>

Specifies the local administrator password.

log-level <0-10>

Specifies the log level: 0-10.
The no command option resets the log level to the default.

conn-timeout <minutes>

Specify the number of minutes after which to time-out idle connections. If
there is no read or write activity on a mapped PFS share on a client machine,
then the TCP connection times out according to the value set and the client
has to re-map the share.
The no command option resets the time-out to the default.

max-log-size <size>

Specifies the maximum log size in KB.
The no command option resets the size to the default.

server-signing {enabled | disabled | required}

Specifies the SMB server signing mode:
- enabled. Specifies any type of security signature setting requested by the
  client machine.
- disabled. Specifies the default value. In this setting, PFS does not support
  clients with security signatures set to required.
- required. Specifies clients with security signatures set to enabled or
  required.

Usage

Requires at least one option.
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.

Example

minna (config) # pfs settings server-signing enabled
minna (config) #

Product

Steelhead appliance.

Related Topics

show pfs configuration, show pfs status, show pfs all-info shares

pfs share cancel-event


Description

Cancels a PFS synchronization and verification.

Syntax

pfs share cancel-event local-name <name>

Parameters

local-name <name>

Specifies the local share name. A local share is the data volume exported from the
origin server to the Steelhead appliance.

Usage

PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.

Example

minna (config) # pfs share cancel-event local-name test
minna (config) #

Product

Steelhead appliance.

Related Topics

show pfs configuration, show pfs status, show pfs all-info shares

pfs share configure


Description

Configures a PFS file share.


This command applies to v3.x or higher shares. For information on Version 2.X shares, see pfs
share configure (version 2.0 only) on page 232.
You cannot run a mixed system of v2.x and v3.0 (or higher) PFS shares.
Riverbed recommends you upgrade your v2.x shares to v3.x (or higher) shares so that you do not
have to run the RCU on a server.
For detailed information, see the Steelhead Appliance Deployment Guide.

Syntax

[no] pfs share configure local-name <local name> version 3 mode {broadcast | local |
standalone} remote-path <remote path> server-name <name> server-account <login>
server-password <password> interval <seconds> [full-interval <seconds>] [comment <description>]
[start-time <yyyy/mm/dd hh:mm:ss>] [full-start-time <yyyy/mm/dd hh:mm:ss>]

Parameters

local-name <local name>

Specifies the local share name. A local share is the data volume exported
from the origin server to the Steelhead appliance.
The local share name cannot contain Unicode characters.

mode [broadcast | local | standalone]

Specifies the mode of file sharing:

- Broadcast. Use Broadcast mode for environments seeking to broadcast a
  set of read-only files to many users at different sites. Broadcast mode
  quickly transmits a read-only copy of the files from the origin server to
  your remote offices. The PFS share on the Steelhead appliance contains
  read-only copies of files on the origin server. The PFS share is
  synchronized from the origin server according to parameters you specify.
  However, files deleted on the origin server are not deleted on the
  Steelhead appliance until you perform a full synchronization.
  Additionally, if, on the origin server, you perform directory moves (for
  example, move .\dir1\dir2 .\dir3\dir2) regularly, incremental
  synchronization will not reflect these directory changes. You must
  perform a full synchronization frequently to keep the PFS shares in
  synchronization with the origin server.
- Local. Use Local mode for environments that need to efficiently and
  transparently copy data created at a remote site to a central data center,
  perhaps where tape archival resources are available to back up the data.
  Local mode enables read-write access at remote offices to update files on
  the origin file server. After the PFS share on the Steelhead appliance
  receives the initial copy from the origin server, the PFS share copy of the
  data becomes the master copy. New data generated by clients is
  synchronized from the Steelhead appliance copy to the origin server
  based on parameters you specify when you configure the share. The
  folder on the origin server essentially becomes a back-up folder of the
  share on the Steelhead appliance. If you use Local mode, users must not
  directly write to the corresponding folder on the origin server.
  CAUTION: In Local mode, the Steelhead appliance copy of the data is the
  master copy; do not make changes to the shared files from the origin server
  while in Local mode. Changes are propagated from the remote office
  hosting the share to the origin server.
  IMPORTANT: Riverbed recommends that you do not use Windows file
  shortcuts if you use PFS. For more information, contact Riverbed Technical
  Support at https://support.riverbed.com.
- Stand-Alone. Use Stand-Alone mode for network environments where it
  is more effective to maintain a separate copy of files that are accessed
  locally by the clients at the remote site. The PFS share also creates
  additional storage space. The PFS share on the Steelhead appliance is a
  one-time, working copy of data mapped from the origin server. You can
  specify a remote path to a directory on the origin server, creating a copy
  at the branch office. Users at the branch office can read from or write to
  stand-alone shares but there is no synchronization back to the origin
  server since a stand-alone share is an initial and one-time only
  synchronization.

NOTE: When you configure a v3.x Local mode share or any v2.x share
(except a Stand-Alone share in which you do not specify a remote path to a
directory on the origin server), a text file (._rbt_share_lock.txt) that keeps
track of which Steelhead appliance owns the share is created on the origin
server. Do not remove this file. If you remove the ._rbt_share_lock.txt file on
the origin file server, PFS will not function properly (v3.x or higher).
Broadcast and Stand-Alone shares do not create this text file.

remote-path <remote path>

Specify, using UNC format, the path to the data on the origin server that you
want to make available to PFS.

server-account <login>
server-password <password>

Specify the login and password to be used to access the shares folder on the
origin file server. The login must be a member of the Administrators group
on the origin server, either locally on the file server (the local Administrators
group) or globally in the domain (the Domain Administrator group).

interval <seconds>

Specify the interval at which you want incremental synchronization to occur. The
first synchronization, or the initial copy, retrieves data from the origin file server
and copies it to the local disk on the Steelhead appliance. Subsequent
synchronizations are based on the synchronization interval. In incremental
synchronization, only new and changed data are sent between the proxy file
server and the origin file server.

full-interval <seconds>

Specify the frequency of updates (full synchronization) in minutes. In full
synchronization, a full directory comparison is performed and all changes
since the last full synchronization are sent between the proxy file server and
the origin file server. Use full synchronization if performance is not an issue.

start-time <yyyy/mm/dd hh:mm:ss>

Specify the date and time to commence initial synchronization.

full-start-time <yyyy/mm/dd hh:mm:ss>

Specify the start time for full synchronization.

[comment <description>]

Optionally, specify a description for the share.

Usage

For v3.x (or higher) PFS shares, you do not need to install the RCU service on a Windows server.
Make sure the server-account you specify is a member of the Administrators group on the origin
server, either locally on the file server (the local Administrators group) or globally in the domain
(the Domain Administrator group).
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.

Example

minna (config) # pfs share configure local-name test version 2 mode local
remote-path c:/data server-name test port 81 interval 5 full-interval 5
start-interval 2006/06/06 02:02:02 comment test
minna (config) #
minna (config)

Product

Steelhead appliance.

Related Topics

show pfs configuration, show pfs status, show pfs all-info shares
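
The constraints stated in the pfs settings and pfs share configure entries above can be checked before a command line is pasted into the CLI. The Python sketch below is an added example, not Riverbed code: the function names and the sample command lines are constructed for illustration, and it checks only what this page documents for the v3.x syntax.

```python
import re
from datetime import datetime

# Option keywords copied from the syntax lines on this page.
SHARE_KEYS = {"local-name", "version", "mode", "remote-path", "server-name",
              "server-account", "server-password", "interval", "full-interval",
              "comment", "start-time", "full-start-time"}
SHARE_REQUIRED = ("local-name", "version", "mode", "remote-path", "server-name",
                  "server-account", "server-password", "interval")
MULTI_WORD = {"comment", "start-time", "full-start-time"}
MODES = {"broadcast", "local", "standalone"}
SETTINGS_KEYS = {"admin-password", "log-level", "conn-timeout",
                 "max-log-size", "server-signing"}
SIGNING_MODES = {"enabled", "disabled", "required"}
UNC_RE = re.compile(r"^\\\\[^\\/]+\\[^\\/]+")  # \\server\share[\...]
TIME_FMT = "%Y/%m/%d %H:%M:%S"                 # yyyy/mm/dd hh:mm:ss


def parse_options(line, prefix, keywords):
    """Return {keyword: [value tokens]}; a value runs up to the next keyword."""
    tokens = line.split()
    if tokens[:len(prefix)] == prefix:
        tokens = tokens[len(prefix):]
    opts, key = {}, "_unexpected"
    for tok in tokens:
        if tok in keywords:
            key = tok
            opts.setdefault(key, [])
        else:
            opts.setdefault(key, []).append(tok)
    return opts


def lint_share_configure(line):
    """Check a v3.x 'pfs share configure' line against the documented constraints."""
    opts = parse_options(line, ["pfs", "share", "configure"], SHARE_KEYS)
    findings = []
    if "_unexpected" in opts:
        findings.append("unexpected tokens: " + " ".join(opts.pop("_unexpected")))
    for key in SHARE_REQUIRED:
        if not opts.get(key):
            findings.append(f"missing required option: {key}")
    for key, val in opts.items():
        if key not in MULTI_WORD and len(val) > 1:
            findings.append(f"unexpected tokens after {key}: " + " ".join(val[1:]))
    one = {k: v[0] for k, v in opts.items() if v}
    if "local-name" in one and not one["local-name"].isascii():
        findings.append("local-name contains non-ASCII characters")
    if one.get("version", "3") != "3":
        findings.append("version is not 3 (only the v3.x syntax is checked)")
    if "mode" in one and one["mode"] not in MODES:
        findings.append(f"unknown mode: {one['mode']}")
    if "remote-path" in one and not UNC_RE.match(one["remote-path"]):
        findings.append("remote-path is not in UNC format")
    for key in ("interval", "full-interval"):
        if key in one and not one[key].isdecimal():
            findings.append(f"{key} is not a whole number")
    for key in ("start-time", "full-start-time"):
        if key in opts:
            try:
                datetime.strptime(" ".join(opts[key]), TIME_FMT)
            except ValueError:
                findings.append(f"{key} is not in yyyy/mm/dd hh:mm:ss format")
    return findings


def lint_settings(line):
    """Check a 'pfs settings' line. 'server-signing disabled' is reported because,
    per the parameter description, clients set to 'required' are then unsupported."""
    opts = parse_options(line, ["pfs", "settings"], SETTINGS_KEYS)
    findings = []
    if "_unexpected" in opts:
        findings.append("unexpected tokens: " + " ".join(opts.pop("_unexpected")))
    if not opts:
        findings.append("pfs settings requires at least one option")
    if "log-level" in opts:
        level = " ".join(opts["log-level"])
        if not (level.isdecimal() and int(level) <= 10):
            findings.append("log-level must be 0-10")
    if "server-signing" in opts:
        signing = " ".join(opts["server-signing"])
        if signing not in SIGNING_MODES:
            findings.append(f"unknown server-signing mode: {signing}")
        elif signing == "disabled":
            findings.append("server-signing disabled: clients that require signing are not supported")
    return findings


# Constructed sample lines (hypothetical hosts, accounts and placeholder password).
GOOD_SHARE = (r"pfs share configure local-name eng version 3 mode broadcast "
              r"remote-path \\fs01\eng server-name fs01 server-account svc_pfs "
              r"server-password EXAMPLE-ONLY interval 300 start-time 2010/04/01 02:00:00")
BAD_SHARE = ("pfs share configure local-name donn\u00e9es version 3 mode mirror "
             "remote-path c:/data server-name fs01 interval 5m "
             "start-time 2010-04-01 02:00:00")
```

Each function returns a list of findings, empty when the line passes; a value that happens to equal an option keyword (for example a password of "interval") is misparsed by this simple tokenizer.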

pfs share configure (version 2.0 only)


Description

Configures a PFS file share for v2.x Steelhead appliance software.


You cannot run a mixed system of v2.x and v3.0 (or higher) PFS shares.
For information about configuring v3.x (or higher) shares, see pfs share configure on page 230.

Syntax

[no] pfs share configure local-name <local name> version 2 mode {broadcast | local |
standalone} server-name <name> port <port> remote-path <remote path> interval <seconds>
[full-interval <seconds>] [comment <description>] [start-time <yyyy/mm/dd hh:mm:ss>]
[full-start-time <yyyy/mm/dd hh:mm:ss>]

Parameters

local-name <local name>

Specifies the local share name. A local share is the data volume exported
from the origin server to the Steelhead appliance.
The local share name cannot contain Unicode characters.

mode [broadcast | local | standalone]

Specifies the mode of file sharing. For details, see pfs share configure on
page 230.

server-name <name> port <port>

Specify the origin server and port located in the data center which hosts the
origin data volumes (folders).

remote-path <remote path>

Specify the remote path for the share folder on the origin file server.

interval <seconds>

Specify the interval that you want incremental synchronization to occur. The
first synchronization, or the initial copy, retrieves data from origin file server
and copies it to the local disk on the Steelhead appliance. Subsequent
synchronizations are based on the synchronization interval. In incremental
synchronization, only new and changed data are sent between the proxy file
server and the origin file server.

full-interval <seconds>

Specify the frequency of full synchronization updates in minutes. In full
synchronization, a full directory comparison is performed and all changes
since the last full synchronization are sent between the proxy file server and
the origin file server. Use full synchronization if performance is not an issue.

start-time <yyyy/mm/dd hh:mm:ss>

Specify the date and time to commence initial synchronization.

full-start-time <yyyy/mm/dd hh:mm:ss>

Specify the start time for full synchronization.

[comment <description>]

Optionally, specify an administrative description for the share.

The origin-server share name cannot contain Unicode characters.

For v2.x, you must have the RCU service running on a Windows server (this
can be the origin file server or a separate server). If the origin server is not
the RCU server, you specify the remote path using the UNC format for the
mapped drive. If the origin server is the same as the RCU server then you
must type its full path including the drive letter, for example C:\data.

Usage

Riverbed strongly recommends that you upgrade your shares to v3.x shares. If you upgrade any
v2.x shares, you must upgrade all of them. After you have upgraded shares to v3.x, you should
only create v3.x shares.
By default, when you configure PFS shares with Steelhead appliance software v3.x and higher,
you create v3.x PFS shares. PFS shares configured with Steelhead appliance software v2.x are v2.x
shares. Version 2.x shares are not upgraded when you upgrade Steelhead appliance software.
If you do not upgrade your v2.x shares:
- You should not create v3.x shares.
- You must install and start the RCU on the origin server or on a separate Windows host with
  write-access to the data PFS uses. The account that starts the RCU must have write permissions
  to the folder on the origin file server that contains the data PFS uses. You can download the
  RCU from the Riverbed Technical Support site at https://support.riverbed.com. For detailed
  information, see the Riverbed Copy Utility Reference Manual.
- Make sure the account that starts the RCU has permissions to the folder on the origin file server
  and is a member of the Administrators group on the remote share server, either locally on the
  file server (the local Administrators group) or globally in the domain (the Domain
  Administrator group).
- In Steelhead appliance software version 3.x and higher, you do not need to install the RCU
  service on the server for synchronization purposes. All RCU functionality has been moved to
  the Steelhead appliance.
- You must configure domain, not workgroup, settings, using the pfs domain command.
- Domain mode supports v2.x PFS shares but local workgroup mode is supported only in v3.x
  (or higher).
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.

Example

minna (config) # pfs share configure local-name test version 2 mode local
remote-path c:/data server-name test port 81 interval 5 full-interval 5
start-interval 2006/06/06 02:02:02 comment test
minna (config) #
minna (config)

Product

Steelhead appliance.

Related Topics

show pfs configuration, show pfs status, show pfs all-info shares

pfs share manual-sync


Description

Performs a manual synchronization of a PFS share.

Syntax

pfs share manual-sync local-name <local name>

Parameters

local-name <local name>

Specifies the local share name. A local share is the data volume
exported from the origin server to the Steelhead appliance.

Usage

PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.

Example

minna (config) # pfs share manual-sync local-name test
minna (config) #

Product

Steelhead appliance.

Related Topics

show pfs configuration, show pfs status, show pfs all-info shares

pfs share modify


Description

Modifies properties of a PFS file share.


You cannot run a mixed system of v2.x and v3.0 (or higher) PFS shares.

Syntax

[no] pfs share modify local-name <local name> [acl-group-ctrl {true | false}] [acl-inherit {true |
false}] [syncing {true | false}] [port <port>] [sharing {true | false}] [mode broadcast | local |
standalone <cr>] [remote-path <remote path>] [server-name <name>] [server-account <login>]
[server-password <password>] [port <port>] [interval <seconds>] [full-interval <seconds>]
[full-start-time <yyyy/mm/dd hh:mm:ss>] [start-time <yyyy/mm/dd hh:mm:ss>] [comment
<description>]

Parameters

local-name <local name>

Specifies the local share name. A local share is the data volume exported
from the origin server to the Steelhead appliance.
The local share name cannot contain Unicode characters.

acl-group-ctrl {true | false}

Specify true if you want accounts in the primary owner's group to be able to
assign permissions.
Specify false if you want only the primary owner or local administrator to
be able to assign permissions.
The default value is false.

acl-inherit {true | false}

Specify true if you want shared folders to inherit permissions from parents.
Specify false if you do not want to retain inherited permissions.
The default value is false.

syncing {true | false}

Specify true to enable synchronization.
Specify false to disable synchronization.
The default value is false.

sharing {true | false}

Specify true to enable sharing.
Specify false to disable sharing.
The default value is false.

port <port>

Specifies the share port.

mode <mode>

Specifies the mode of file sharing. For details, see pfs share configure on
page 230.

remote-path <remote path>

For version 3.x (or higher) shares, specify the remote path using UNC
format to specify the server name and remote path.
For version 2.x shares, specify the remote path for the share folder on the
origin file server.
For version 2.x shares, you must have the RCU service running on a
Windows server (this can be the origin file server or a separate server). If the
origin server is not the RCU server, you specify the remote path using the
UNC format for the mapped drive. If the origin server is the same as the
RCU server then you must type its full path including the drive letter, for
example C:\data.

server-name <name> port <port>

Version 2.x shares only. Specify the origin server and port located in the data
center which hosts the origin data volumes (folders).

server-account <login>

Version 3.x or higher shares only. Specify the login to be used to access the
shares folder on the origin file server. The login must be a member of the
Administrators group on the origin server, either locally on the file server
(the local Administrators group) or globally in the domain (the Domain
Administrator group).

server-password <password>

The origin-server share name cannot contain Unicode characters.

interval <seconds>

Specify the interval at which you want incremental synchronization updates to
occur. The first synchronization, or the initial copy, retrieves data from the
origin file server and copies it to the local disk on the Steelhead appliance.
Subsequent synchronizations are based on the synchronization interval.

full-interval <seconds>

Specifies the frequency of full synchronization updates, in minutes. Use full
synchronization if performance is not an issue.

start-time <yyyy/mm/dd hh:mm:ss>

Specify the date and time to commence initial synchronization.

full-start-time <yyyy/mm/dd hh:mm:ss>

Specify the start time for full synchronization.

[comment <description>]

Optionally, specify an administrative description for the share.

Usage

You must specify at least one option.
You cannot run a mixed system of v2.x and v3.0 (or higher) PFS shares; Riverbed strongly
recommends you upgrade your v2.x shares to 3.x or higher shares.
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.

Example

minna (config) # pfs share modify local-name test remote-path /tmp server-name
mytest mode broadcast frequency 10
minna (config) #

Product

Steelhead appliance.

Related Topics

show pfs configuration, show pfs status, show pfs all-info shares

pfs share upgrade


Description

Upgrades shares from v2.x to v3.x software.

Syntax

pfs share upgrade local-name <local name> remote-path <remote path> server-account <login>
server-password <server password>

Parameters

local-name <local name>

Specifies the local share name. A local share is the data volume exported from
the origin server to the Steelhead appliance.

remote-path <remote path>

Specifies the remote path to the share.

server-account <login>

Specifies the server login.

server-password <server password>

Specifies the server password.

Usage

Riverbed strongly recommends that you upgrade your shares to v3.x shares. If you upgrade any
v2.x shares, you must upgrade all of them. After you have upgraded shares to v3.x, you should
only create v3.x shares.
By default, when you configure PFS shares with Steelhead appliance software v3.x and higher,
you create v3.x PFS shares. PFS shares configured with Steelhead appliance software v2.x are v2.x
shares. Version 2.x shares are not upgraded when you upgrade Steelhead appliance software.
If you do not upgrade your v2.x shares:
- You should not create v3.x shares.
- You must install and start the RCU on the origin server or on a separate Windows host with
  write-access to the data PFS uses. The account that starts the RCU must have write permissions
  to the folder on the origin file server that contains the data PFS uses. You can download the
  RCU from the Riverbed Technical Support site at https://support.riverbed.com. For detailed
  information, see the Riverbed Copy Utility Reference Manual.
- Make sure the account that starts the RCU has permissions to the folder on the origin file server
  and is a member of the Administrators group on the remote share server, either locally on the
  file server (the local Administrators group) or globally in the domain (the Domain
  Administrator group).
- In Steelhead appliance software version 3.x and higher, you do not need to install the RCU
  service on the server for synchronization purposes. All RCU functionality has been moved to
  the Steelhead appliance.
- You must configure domain, not workgroup, settings, using the pfs domain command.
- Domain mode supports v2.x PFS shares but local workgroup mode is supported only in v3.x
  (or higher).
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.

Example

minna (config) # pfs share verify local-name test
minna (config) #

Product

Steelhead appliance.

Related Topics

show pfs configuration, show pfs status, show pfs all-info shares

pfs share verify


Description

Verifies a PFS share.

Syntax

pfs verify local-name <local name>

Parameters

local-name <local name>

Specifies the local share name. A local share is the data volume exported from
the origin server to the Steelhead appliance.

Usage

PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.

Example

minna (config) # pfs share verify local-name test
minna (config) #

Product

Steelhead appliance.

Related Topics

show pfs configuration, show pfs status, show pfs all-info shares

pfs start
Description

Starts the PFS service.

Syntax

pfs start

Parameters

None

Usage

PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.

Example

minna (config) # pfs share start
minna (config) #

Product

Steelhead appliance.

Related Topics

show pfs configuration, show pfs status, show pfs all-info shares

pfs workgroup
Description

Configures local workgroup mode for the PFS share. In local workgroup mode, you define a
workgroup and add individual users that will have access to the PFS shares on the Steelhead
appliance.
If you configure PFS local workgroup mode, the Steelhead appliance does not have to join a
domain. The local workgroup accounts are used by clients when they connect to the PFS share.

Syntax

pfs workgroup {account {add | modify | remove} user-name <name> password <password>}
{join <workgroup>} {leave}

Parameters

account {add | modify | remove} user-name <name> password <password>

Manage a user account for the workgroup. Specify the login and password
to create a local workgroup account so that users can connect to the
Steelhead appliance to access PFS shares.

join <workgroup>

Joins the specified workgroup.

leave

Leaves the workgroup.

Usage

Use local workgroup mode in environments where you do not want the Steelhead appliance to be
a part of a Windows domain. Creating a workgroup eliminates the need to join a Windows
domain and vastly simplifies the PFS configuration process.
If you use Local Workgroup mode you must manage the accounts and permissions for the branch
office on the Steelhead appliance. The local workgroup account permissions might not match the
permissions on the origin file server.
For detailed information about PFS, see the Steelhead Appliance Deployment Guide.
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.

Example

minna (config) # pfs workgroup join test
minna (config) #

Product

Steelhead appliance.

Related Topics

show pfs configuration, show pfs status, show pfs all-info shares


Prepopulation Support Commands


In This Section

prepop enable
prepop share

prepop enable
Description

Enables the prepopulation feature.

Syntax

[no] prepop enable

Parameters

None

Usage

The no command option disables the prepopulation feature.

Example

minna (config) # prepop enable
minna (config) #

Product

Steelhead appliance

Related Topics

show prepop

prepop share
Description

Configures prepopulation settings for a share.

Syntax

[no] prepop share {cancel-event remote-path <remote-path> |
configure remote-path <path> server-account <login> <password> |
manual-sync remote-path <remote-path> |
modify remote-path <name> <option> <value>}

Parameters

cancel-event remote-path <remote-path>

Cancels synchronization and verification processes for a remote share.

configure remote-path <path> server-account <login> <password>

Specifies the remote path of the share, as well as the login and password if required for secure access.

manual-sync remote-path <remote-path>

Specifies the remote path of the share to be synchronized.

modify remote-path <name> <option> <value>

Sets or modifies options for the share <name>. You can set the following options:

Option            Value
comment           Type a string to describe the share for administrative purposes.
frequency         Type a frequency, in seconds, for synchronization.
server-account    Specify the login, if any, required to access the share.
server-password   Specify the corresponding password, if any, to access the share.
sharing           Specify true to enable sharing; false to disable sharing.
start-time        Specify a start time for synchronization, in the following format: yyyy/mm/dd hh:mm:ss


Usage

The no command option disables the prepopulation share.

Example

minna (config) # prepop share configure remote-path /users server-account root password
minna (config) #
minna (config) # prepop share modify remote-path /users sharing true syncing true frequency 6000 start-time 2006/08/01 00:00:00
minna (config) #

Product

Steelhead appliance

Related Topics

show prepop


CIFS Support Commands


protocol cifs applock
protocol cifs applock extension
protocol cifs disable write optimization
protocol cifs enable
protocol cifs nosupport
protocol cifs oopen
protocol cifs oopen enable
protocol cifs prepop enable
protocol cifs secure-sig-opt enable
protocol cifs smbv1-mode enable

protocol cifs applock


Description

Enables CIFS application lock feature.

Syntax

[no] protocol cifs applock enable

Parameters

None

Usage

Enable this feature if you are experiencing degraded optimization in Word or Excel applications.
MS Office often opens the same file multiple times with conflicting access permissions. This
causes any oplock on the file to be lost, which degrades optimization. Although the oplock is lost,
these MS Office applications only allow one user to edit the file at a time. While no oplock is held,
the applications follow the behavior where an oplock would be granted.
NOTE: Some versions of Word experience poor performance during antivirus scans while in read
only mode.
The no command option disables CIFS application lock.

Example

minna (config) # protocol cifs applock enable


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol cifs

protocol cifs applock extension


Description

Sets the CIFS application lock for doc or xls files.

Syntax

protocol cifs applock extension <extension>

Parameters

<extension>

Specifies the extension to lock: doc or xls.

Usage

You will experience major performance improvements in Word and Excel 2007 while these
applications have read and write access. Performance gains are seen if a second user accesses a file
or if the user is the second user accessing the file. In addition, antivirus applications run faster so
long as only one person is editing the file.

Example

minna (config) # protocol cifs applock extension doc
minna (config) #

Product

Steelhead appliance

Related Topics

show protocol cifs

protocol cifs dw-throttling enable


Description

Enables CIFS dynamic throttling mechanism.

Syntax

[no] protocol cifs dw-throttling enable

Parameters

None


Usage

In v3.x or higher, the CIFS dynamic throttling mechanism replaces the Version 2 static buffer
scheme. If you enable CIFS dynamic throttling, it is activated only when there are sub-optimal
conditions on the server side causing a back-log of write messages; it does not have a negative
effect under normal network conditions.
The no command option disables the dynamic throttling mechanism.

Example

minna (config) # protocol cifs dw-throttling enable


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol cifs

protocol cifs disable write optimization


Description

Disables CIFS write optimization.

Syntax

[no] protocol cifs disable write optimization

Parameters

None

Usage

The no command option enables CIFS write optimization.

Example

minna (config) # protocol cifs disable write optimization


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol cifs

protocol cifs enable


Description

Enables CIFS optimization.

Syntax

[no] protocol cifs enable

Parameters

None

Usage

CIFS optimization is enabled by default.


The no command option disables CIFS optimization for testing purposes.

Example

minna (config) # protocol cifs enable


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol cifs


protocol cifs nosupport


Description

Sets a specified OS as unsupported for optimization.

Syntax

[no] protocol cifs nosupport {client | server [add | remove] <os name>}

Parameters

client | server

Specifies the location to disable OS support.

add | remove

Adds or removes OS support from the specified location.

<os name>

Specifies the OS type. For example, WinXP.

Usage

The no command option disables this feature.

Example

minna (config) # protocol cifs nosupport client remove WinXP


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol cifs

protocol cifs oopen


Description

Enables the CIFS overlapping opens feature.

Syntax

[no] protocol cifs oopen extension [add <ext> | modify <ext> setting <policy> | delete <ext>] |
policy <default policy>

Parameters

extension [add <ext> | modify <ext> setting <policy> | delete <ext>]

Adds, modifies, or deletes from the overlapping open special case list files with the specified extension <ext>. For example, pdf.

policy <default policy>

Specifies the default policy for overlapping opens.

Usage

Enable overlapping open optimization to prevent any compromise to data integrity. With
overlapping opens enabled, the Steelhead appliance optimizes data to which exclusive access is
available (in other words, when locks are granted). When an oplock is not available, the Steelhead
appliance does not perform application-level latency optimization but still performs SDR and
compression on the data, as well as TCP optimizations. If you do not enable this feature, the
Steelhead appliance will still increase WAN performance, but not as effectively.
Enabling this feature on applications that perform multiple opens on the same file to complete an
operation (for example, CAD applications) will result in a performance improvement.
You specify a list of extensions you want to optimize using overlapping opens. You can also use
this command to specify a list of extensions you do not want to optimize using overlapping opens.
If a remote user opens a file which is optimized using the overlapping opens feature and a second
user opens the same file, the second user might receive an error if the file fails to go through a v3.x
Steelhead appliance or if it does not go through a Steelhead appliance at all (for example, certain
applications that are sent over the LAN). If this occurs, you should disable overlapping opens for
those applications.
The no command option disables CIFS overlapping opens.


Example

minna (config) # protocol cifs oopen extension modify pdf setting <policy>
minna (config) #

Product

Steelhead appliance

Related Topics

show protocol cifs oopen

protocol cifs oopen enable


Description

Enables CIFS overlapping opens.

Syntax

[no] protocol cifs oopen enable

Parameters

None

Usage

The no command option disables CIFS overlapping opens.

Example

minna (config) # protocol cifs oopen enable


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol cifs oopen

protocol cifs prepop enable


Description

Enables CIFS transparent prepopulation.

Syntax

[no] protocol cifs prepop enable

Parameters

None

Usage

The no command option disables CIFS transparent prepopulation.

Example

minna (config) # protocol cifs prepop enable


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol cifs

protocol cifs secure-sig-opt enable


Description

Disables Security Signature negotiations between a Windows client and the server.

Syntax

[no] protocol cifs secure-sig-opt enable

Parameters

None


Usage

By default, the Secure CIFS feature is disabled.


When a Windows server is set to SecuritySignatureEnable, the Steelhead appliance stops CIFS
transaction prediction optimization but continues performing SDR optimization. When the
Steelhead secure-sig-opt command is set to enable, the Steelhead appliance continues to perform
CIFS optimization for connections even when the SecuritySignatureEnable setting is specified.
(The Steelhead appliance does not continue to optimize traffic if the SecuritySignatureRequired
setting is specified on the server.)
For detailed information about disabling Windows security signing, see the Steelhead Appliance
Installation and Configuration Guide.
The no command option enables Security Signature negotiations.

Example

minna (config) # protocol cifs secure-sig-opt enable


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol cifs

protocol cifs smbv1-mode enable


Description

Enables SMBv1 backward compatibility mode, which allows a Steelhead appliance to perform
CIFS latency optimization and SDR on SMB traffic in Windows Vista environments.

Syntax

[no] protocol cifs smbv1-mode enable

Parameters

None

Usage

Steelhead appliances are fully compatible with SMB versions 1 and 2 (version 2 is included in
Windows Vista) but deliver the best performance with SMB version 1. If you are running
Steelhead appliance software v4.1 or greater in a Windows Vista environment, enable SMBv1
backward compatibility to improve SMB traffic performance for Windows Vista users. This
feature allows the Steelhead appliance to perform CIFS latency optimization and SDR on SMB
traffic.
You must restart the Steelhead service after enabling this feature.
To enable SDR and CIFS latency optimization on SMB traffic in a Windows Vista environment,
perform the following steps on the client-side Steelhead appliance:
1. Run the following command:
protocol cifs smbv1-mode enable

2. Restart the Steelhead service.


The no command option disables this feature. When SMBv1 backward compatibility mode is
disabled, SDR is performed but CIFS optimization is not performed on SMB traffic.
Example

minna (config) # protocol cifs smbv1-mode enable


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol cifs


HS-TCP Support Commands


protocol connection lan receive buf-size
protocol connection lan send buf-size
protocol connection wan receive def-buf-size
protocol connection wan send def-buf-size
tcp highspeed enable

protocol connection lan receive buf-size


Description

Sets the LAN receive buffer size for HS-TCP.

Syntax

[no] protocol connection lan receive buf-size <bytes>

Parameters

<bytes>

Specifies the LAN receive buffer size. The default value is 32768.

Usage

To support High-Speed TCP (HS-TCP), you must increase your LAN buffer size to 1 MB.
The no command option resets the buffer size to the default.


Example

minna (config) # protocol connection lan receive buf-size 1000000


minna (config) #

Product

Steelhead appliance

Related Topics

show tcp highspeed

protocol connection lan send buf-size


Description

Sets the LAN send buffer size for HS-TCP.

Syntax

[no] protocol connection lan send buf-size <bytes>

Parameters

<bytes>

Specifies the LAN send buffer size. The default value is 81920.

Usage

To support HS-TCP, you must increase your LAN buffer size to 1 MB.
The no command option resets the buffer size to the default.


Example

minna (config) # protocol connection lan send buf-size 1000000


minna (config) #

Product

Steelhead appliance

Related Topics

show tcp highspeed

protocol connection wan receive def-buf-size


Description

Sets the WAN receive buffer size for HS-TCP.

Syntax

[no] protocol connection wan receive def-buf-size <bytes>

Parameters

<bytes>

Specifies the WAN receive buffer size. The default value is 262140.

Usage

To configure your WAN buffer you must increase the WAN buffers to 2 BDP or 10 MB. You can
calculate the BDP WAN buffer size. For a link of 155 Mbps and 100 ms round-trip delay, the BDP is
155 Mbps * 100 ms = 1937500 bytes, so the WAN buffers should be set to 2 * 1937500 = 3875000 bytes.
The no command option resets the buffer size to the default.


Example

minna (config) # protocol connection wan receive def-buf-size 3875000


minna (config) #

Product

Steelhead appliance

Related Topics

show tcp highspeed

protocol connection wan send def-buf-size


Description

Sets the WAN send buffer size for HS-TCP.

Syntax

[no] protocol connection wan send def-buf-size <bytes>

Parameters

<bytes>

Specifies the WAN send buffer size. The default value is 262140.

Usage

To configure your WAN buffer you must increase the WAN buffers to 2 BDP or 10 MB. You can
calculate the BDP WAN buffer size. For a link of 155 Mbps and 100 ms round-trip delay, the BDP is
155 Mbps * 100 ms = 1937500 bytes, so the WAN buffers should be set to 2 * 1937500 = 3875000 bytes.
The no command option resets the buffer size to the default.


Example

minna (config) # protocol connection wan send def-buf-size 3875000


minna (config) #

Product

Steelhead appliance

Related Topics

show tcp highspeed

tcp highspeed enable


Description

Enables the HS-TCP feature, which provides acceleration and high throughput for high
bandwidth networks where the WAN pipe is large but latency is high.

Syntax

[no] tcp highspeed enable

Parameters

None


Usage

HS-TCP is activated for all connections that have a BDP larger than 100 packets. If you have a BDP
of greater than 512 KB, and you are more interested in filling the WAN pipe than saving
bandwidth, you should consider enabling HS-TCP.
You need to carefully evaluate whether HS-TCP will benefit your network environment. To enable
HS-TCP, you must disable LZ compression and SDR.
If you have an Optical Carrier-3 line or faster, turning off SDR makes sense and allows HS-TCP to
reach its full potential.
To configure HS-TCP:
- Enable HS-TCP.
- Disable LZ compression and SDR in the optimization policies if your WAN link capacity is 100 Mbps.
- Enable in-path support.
- Increase the WAN buffers to 2 BDP or 10 MB. You can calculate the BDP WAN buffer size. For a link of 155 Mbps and 100 ms round-trip delay, the WAN buffers should be set to: 2 * 155 Mbps * 100 ms = 3875000 bytes.
- Increase the LAN buffers to 1 MB.
The no command option disables HS-TCP.

Example

minna (config) # in-path rule auto-discover srcaddr 0.0.0.0/0 dstaddr 0.0.0.0/0 dstport 0 optimization none vlan -1 neural-mode always rulenum 1
minna (config) # in-path enable
minna (config) # protocol connection lan receive buf-size 1000000
minna (config) # protocol connection lan send buf-size 1000000
minna (config) # protocol connection wan receive def-buf-size 3875000
minna (config) # protocol connection wan send def-buf-size 3875000

Product

Steelhead appliance

Related Topics

show tcp highspeed


JInitiator Support Commands


protocol jinitiator enable

protocol jinitiator enable


Description

Enables JInitiator optimization. JInitiator is a browser plugin that accesses Oracle forms and
Oracle E-Business application suite content from within the browser.


Syntax

[no] protocol jinitiator enable

Parameters

None

Usage

JInitiator optimization is enabled by default. To optimize JInitiator traffic, you must:
1. Make sure JInitiator optimization is enabled.
2. Create an in-path rule (fixed-target or auto-discovery) that specifies:
   - preoptimization policy: jinitiator.
   - optimization policy: normal.
   - latency optimization policy: none.
   - Neural framing: always.
The no command option disables JInitiator optimization.

Example

minna (config) # protocol jinitiator enable


minna (config) # in-path rule auto-discover dstaddr 10.11.41.14/32 dstport 9000
preoptimization jinitiator latency-opt http neural-mode always rulenum 1
minna (config) #

Product

Steelhead appliance

Related Topics

show protocol jinitiator, in-path rule auto-discover, in-path rule fixed-target


MAPI Support Commands


protocol mapi enable
protocol mapi 2k3 enable
protocol mapi 2k7 fallback enable
protocol mapi nspi
protocol mapi nspi enable
protocol mapi port
protocol mapi prepop enable

protocol mapi enable


Description

Enables MAPI support.

Syntax

[no] protocol mapi enable

Parameters

None

Usage

MAPI optimization is enabled by default.


The no command option disables MAPI optimization for testing purposes. For example, if you are
experiencing problems with Outlook clients connecting with Exchange, you can disable MAPI
latency acceleration (while continuing to optimize with SDR for MAPI) by issuing the no protocol
mapi enable command.

Example

minna (config) # no protocol mapi enable


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol mapi

protocol mapi 2k3 enable


Description

Enables Exchange MAPI 2003 acceleration, which allows increased optimization of traffic
between Exchange 2003 and Outlook 2003.

Syntax

[no] protocol mapi 2k3 enable

Parameters

None

Usage

MAPI optimization is enabled by default.


The no command option disables MAPI 2003 acceleration.

Example

minna (config) # no protocol mapi 2k3 enable


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol mapi

protocol mapi 2k7 fallback enable


Description

Enables optimization to occur if you have Outlook 2007 and Exchange Server 2003 or Exchange
Server 2007.

Syntax

[no] protocol mapi 2k7 fallback enable

Parameters

None


Usage

If you have Outlook 2007, regardless of the Exchange Server version (Exchange Server 2003 or
Exchange Server 2007), communication is encrypted by default. To enable optimization to take
place, you must perform the following steps:
1. Make sure you are running v3.0.8 or higher of the Steelhead software. If you are not, you must
upgrade your software. For details, see the Steelhead Management Console User's Guide.
2. Disable encryption on the Exchange (Outlook) 2007 clients. For information, refer to your
Microsoft documentation.
3. At the Steelhead appliance CLI system prompt, enter the following command:
protocol mapi 2k7 fallback enable

The no command option disables fallback. Optimization does not occur if you specify the no
command option.
Example

minna (config) # protocol mapi 2k7 fallback enable


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol mapi
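
The following Python script is an added example, not part of the Riverbed manual or product. It reads configuration-mode command lines in the syntax shown in this chapter and reports the final state of the settings that change SMB signing, SMB version, or MAPI encryption handling (protocol cifs secure-sig-opt enable, protocol cifs smbv1-mode enable, protocol mapi 2k7 fallback enable), plus prepop shares configured with a server-account password. The sample lines, the function names, and the assumption that the configuration is available as one command per line are constructed for illustration.

```python
import re

# Toggle commands from this chapter whose enabled state changes SMB signing,
# SMB version, or MAPI encryption handling. Descriptions paraphrase the manual.
TOGGLES = {
    "protocol cifs secure-sig-opt enable":
        "Security Signature negotiation between Windows clients and the server is disabled",
    "protocol cifs smbv1-mode enable":
        "SMBv1 backward compatibility mode is enabled",
    "protocol mapi 2k7 fallback enable":
        "Outlook 2007 fallback is enabled; its procedure includes disabling client encryption",
}

# Matches a configuration-mode prompt such as "minna (config) # ".
PROMPT_RE = re.compile(r"^\S+ \(config\) # ?")

# prepop share configure remote-path <path> server-account <login> <password>
SHARE_RE = re.compile(
    r"^prepop share configure remote-path (\S+) server-account (\S+) (\S+)$")


def normalize(line):
    """Drop the CLI prompt and collapse runs of whitespace."""
    line = PROMPT_RE.sub("", line.strip())
    return " ".join(line.split())


def audit(lines):
    """Return (setting, detail) findings for the final state of the config.

    Commands are applied in order, so a later "no <command>" cancels an
    earlier "<command>" and the reverse. Settings that never appear are
    left at whatever the appliance default is and are not reported.
    """
    enabled = {}   # toggle command -> True/False after the last matching line
    shares = {}    # remote path -> login, for shares configured with a password
    for raw in lines:
        cmd = normalize(raw)
        if not cmd:
            continue
        negated = cmd.startswith("no ")
        if negated:
            cmd = cmd[3:]
        if cmd in TOGGLES:
            enabled[cmd] = not negated
            continue
        match = SHARE_RE.match(cmd)
        # The removal syntax for a share is not shown in this chapter, so
        # only positive "configure" lines are modelled here (assumption).
        if match and not negated:
            path, login, _password = match.groups()
            shares[path] = login   # the password itself is never stored

    findings = [(cmd, TOGGLES[cmd]) for cmd in TOGGLES if enabled.get(cmd)]
    for path in sorted(shares):
        findings.append((
            "prepop share " + path,
            "server-account '%s' is configured with a password typed on the "
            "command line" % shares[path],
        ))
    return findings


# Constructed sample input: one configuration-mode command per line.
SAMPLE_CONFIG = """\
minna (config) # protocol cifs secure-sig-opt enable
minna (config) # protocol cifs smbv1-mode enable
minna (config) # no protocol cifs smbv1-mode enable
minna (config) # protocol mapi 2k7 fallback enable
minna (config) # prepop share configure remote-path /users server-account root Constructed-Pw-1
minna (config) # protocol cifs oopen enable
minna (config) #
""".splitlines()

if __name__ == "__main__":
    for setting, detail in audit(SAMPLE_CONFIG):
        print("REVIEW  %-40s %s" % (setting, detail))
```
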

protocol mapi nspi


Description

Sets the NSPI port.

Syntax

[no] protocol mapi nspi port <port>

Parameters

<port>

Specifies the incoming NSPI port number. The default value is 7840.

Usage

In certain situations (for example, clients connecting through a firewall), you might want to force
a server to listen on a single pre-defined port so that access to ports can be controlled or locked
down on the firewall.
In out-of-path deployments, if you want to optimize MAPI Exchange by destination port, you
must define in-path rules that specify the following ports on the client-side Steelhead appliance:
- Port 135. The Microsoft end-point mapper port.
- Port 7830. The Steelhead appliance port used for Exchange traffic.
- Port 7840. The Steelhead appliance port used for Exchange Directory NSPI traffic.
If you changed the Microsoft Exchange Information Store Interface port in your environment,
change port 7830 to the static port number you have configured in your Exchange environment.
For further information, see Microsoft Exchange Information Store Interface at
http://support.microsoft.com/default.aspx?scid=kb;en-us;270836.
The no command option resets the NSPI port to the default value.

Example

minna (config) # protocol mapi nspi port 2125


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol mapi


protocol mapi nspi enable


Description

Enables the MAPI NSPI feature.

Syntax

[no] protocol mapi nspi enable

Parameters

None

Usage

MAPI NSPI is enabled by default.


The no command option disables MAPI NSPI optimization for testing purposes.

Example

minna (config) # no protocol mapi nspi enable


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol mapi

protocol mapi port


Description

Sets the incoming MAPI Exchange port.

Syntax

[no] protocol mapi port <port>

Parameters

<port>

Specifies the incoming MAPI port number. The default value is 7830.

Usage

The no command option resets the MAPI port to the default value.

Example

minna (config) # protocol mapi port 2125
minna (config) #

Product

Steelhead appliance

Related Topics

show protocol mapi

protocol mapi prepop enable


Description

Enables MAPI transparent prepopulation. Transparent prepopulation allows email data to be
delivered between an Exchange server and the client-side Steelhead appliance while the Outlook
client is offline. When a user logs into their MAPI client, the mail has already been seen by the
client-side appliance and can be retrieved with LAN-like performance.

Syntax

[no] protocol mapi prepop enable [max-connections <number> | poll-interval <minutes> | timeout <seconds>]

Parameters

max-connections <number>

Specifies the maximum number of connections to enable. The default value is 156. The no option resets max-connections to the default.

poll-interval <minutes>

Specifies the polling interval in minutes. The default value is 20.

timeout <seconds>

Specifies the time out period in seconds. The default value is 96.

Usage

The no command option disables MAPI prepopulation support. If you specify the no option and
parameters, you do not disable MAPI prepopulation support; you reset the specified parameter to
its default value.

Example

minna (config) # protocol mapi prepop enable


minna (config) #

Product

Steelhead appliance

Related Topics

show prepop, show protocol mapi


MS-SQL Blade Support Commands


protocol ms-sql enable
protocol ms-sql fetch-next enable
protocol ms-sql num-preack
protocol ms-sql port
protocol ms-sql query-act rule-id action-id
protocol ms-sql query-arg-act rule-id action-id arg-offset expr
protocol ms-sql rpc-act rule-id action-id
protocol ms-sql rpc-arg-act rule-id arg-offset expr
protocol ms-sql rpc-arg rule-id arg-offset expr
protocol ms-sql rpc-rule rule-id app-name-regex
protocol ms-sql support-app

protocol ms-sql enable


Description

Enables MS-SQL blade support. Enabling the MS-SQL blade supports MS Project optimization.

Syntax

[no] protocol ms-sql enable

Parameters

None

Usage

The commands for MS-SQL support must be implemented by Riverbed professional services.
Improper use can result in undesirable effects.
The MS-SQL blade supports other database applications, but you must define SQL rules to obtain
maximum optimization. If you are interested in enabling the MS-SQL blade for other database
applications, contact Riverbed professional services.
You must restart the Steelhead service after enabling this feature.
The no command option disables SQL blade support.

Example

minna (config) # protocol ms-sql enable


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ms-sql, show protocol ms-sql rules

protocol ms-sql fetch-next enable


Description

Enables pre-fetching requests to request the next row in MS Project. The server-side Steelhead
appliance pre-fetches sequential row results and the client-side Steelhead appliance caches them.
You decide which cursors or queries are cacheable.

Syntax

[no] protocol ms-sql fetch-next enable

Parameters

None

Usage

To determine which cursors or queries are cacheable, you configure rules. By default, all fetch next
queries are cacheable.
The no command option removes pre-fetching requests.

Example

minna (config) # protocol ms-sql fetch-next enable


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ms-sql, show protocol ms-sql rules

protocol ms-sql num-preack


Description

Specifies the maximum number of sp_execute (or save project) requests to pre-acknowledge
before waiting for a server response to be returned.

Syntax

[no] protocol ms-sql num-preack <num-preack>

Parameters

<num-preack>

Specifies the maximum number of pre-acknowledgements. The default value is 5.


Usage

You can enable pre-acknowledgement if the client application does not need a result value from
the server.
For example, when you save a project in MS Project, server-side procedures are invoked many
times to write or update database data. To maximize optimization, the protocol ms-sql
num-preack command limits the number of pre-acknowledgements from the server.
The no command option disables pre-acknowledgement.

Example

minna (config) # protocol ms-sql num-preack 5


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ms-sql, show protocol ms-sql rules

protocol ms-sql port


Description

Specifies the server port to listen on for SQL requests.

Syntax

[no] protocol ms-sql port <port>

Parameters

<port>

Specifies the SQL server port to listen on for requests. The default value is 1433.

Usage

The no command option resets the SQL server port to the default value.

Example

minna (config) # protocol ms-sql port 2433


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ms-sql, show protocol ms-sql rules

protocol ms-sql query-act rule-id action-id


Description

Specifies a query action when the corresponding query match occurs.

Syntax

[no] protocol ms-sql query-act rule-id <rule_id> action-id <action_id>
[[num-reps <num_reps> | invalidate {flush-all | flush-rule}]
[miss-policy <policy> | allow-preack {true | false} | scope {sfe | cfe}]]

Parameters

rule-id <rule_id>

Specifies the rule identification number that uniquely identifies the rule.

action-id <action_id>

Specifies the action identification number that uniquely identifies this action within the rule.

num-reps <num_reps>

Specifies how many times the action is to be repeated.

invalidate <invalidate_action>

Invalidates the specified action: flush-all or flush-rule.

miss-policy <policy>

Specifies the MS-SQL cache miss policy.

allow-preack {true | false}

Specifies whether to allow the MS-SQL pre-acknowledgment (true) or not (false).

scope {sfe | cfe}

Specifies MS-SQL scope: sfe or cfe.


Usage

You can specify the following types of actions:


prefetch requests as specified in query argument actions.
invalidate prefetched cache entries.
The no command option disables the query action.

Example

minna (config) # protocol ms-sql query-act rule-id 10 action-id 1 num-reps 1 miss-policy 1


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ms-sql, show protocol ms-sql rules

protocol ms-sql query-arg-act rule-id action-id arg-offset expr


Description

Specifies how the query arguments should be modified when prefetching queries.

Syntax

[no] protocol ms-sql query-arg-action rule-id <rule_id> action-id <action_id> arg-offset
<arg_offset> expr <expression>

Parameters

rule-id <rule_id>

Specifies the rule identification number that uniquely identifies the rule.

action-id <action_id>

Specifies the action identification number that uniquely identifies this action within the rule.

arg-offset <arg_offset>

Specifies the SQL query argument to be modified.

expr <expression>

Specifies the SQL query expression.

Usage

The no command option disables the SQL query argument.

Example

minna (config) # protocol ms-sql query-arg-act rule-id 1 action-id 1 arg-offset blah expr "select *"
minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ms-sql, show protocol ms-sql rules

protocol ms-sql rpc-act rule-id action-id


Description

Specifies an RPC action when a match occurs.

Syntax

[no] protocol ms-sql rpc-act rule-id <rule_id> action-id <action_id> [[num-reps <num_reps> |
invalidate {flush-all | flush-rule}] [miss-policy <policy> | allow-preack {true | false} |
allow-prefetch {true | false} | scope {sfe | cfe}]]

Parameters

rule-id <rule_id>

Specifies the rule identification number that uniquely identifies the rule.

action-id <action_id>

Specifies the action identification number that uniquely identifies this action within the rule.

num-reps <num_reps>

Specifies how many times the action is to be repeated.

invalidate <invalidate_action>

Invalidates the specified action: flush-all or flush-rule.

miss-policy <policy>

Specifies the MS-SQL cache miss policy.

allow-preack {true | false}

Specifies whether to allow the MS-SQL pre-acknowledgment (true) or not (false).

allow-prefetch {true | false}

Specifies whether to allow MS-SQL pre-fetch (true) or not (false).

scope {sfe | cfe}

Specifies MS-SQL scope: sfe or cfe.

Usage

You can specify the following types of actions:

prefetch requests as specified in query argument actions.
invalidation of prefetched cache entries.
whether the fetch next requests can be prefetched.
whether sp_execute requests can be pre-acknowledged.

The no command option disables the RPC action.

Example

minna (config) # protocol ms-sql rpc-arg-act rule-id 2 action-id 1 arg-offset 0
expr "replace select PROJ_READ_COUNT, PROJ_LOCKED,
PROJ_READ_WRITE,PROJ_READ_ONLY, PROJ_ID, PROJ_MACHINE_ID, PROJ_DATA_SOURCE from
MSP_PROJECTS where PROJ_NAME = '$1' "

Product

Steelhead appliance

Related Topics

show protocol ms-sql, show protocol ms-sql rules

protocol ms-sql rpc-arg-act rule-id arg-offset expr


Description

Specifies an RPC argument used to determine whether the RPC request matches a rule.

Syntax

[no] protocol ms-sql rpc-arg-act rule-id <rule_id> arg-offset <arg_offset> expr <expr>

Parameters

rule-id <rule_id>

Specifies the rule identification number that uniquely identifies the rule.

arg-offset <arg_offset>

Specifies the RPC argument parameter.

expr <expr>

Specifies the regular expression for the RPC value.

Usage

The no command option disables the RPC argument.

Example

minna (config) # protocol ms-sql rpc-arg-act rule-id 2 action-id 1 arg-offset 0
expr "replace select PROJ_READ_COUNT, PROJ_LOCKED,
PROJ_READ_WRITE,PROJ_READ_ONLY, PROJ_ID, PROJ_MACHINE_ID, PROJ_DATA_SOURCE from
MSP_PROJECTS where PROJ_NAME = '$1' "
minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ms-sql, show protocol ms-sql rules


protocol ms-sql rpc-arg rule-id arg-offset expr


Description

Specifies how the RPC argument should be modified when prefetching queries.

Syntax

[no] protocol ms-sql rpc-arg rule-id <rule_id> action-id <action_id> arg-offset <arg_offset>
expr <expr>

Parameters

rule-id <rule_id>

Specifies the rule identification number that uniquely identifies the rule.

action-id <action_id>

Specifies the action identification number that uniquely identifies this action within the rule.

arg-offset <arg_offset>

Specifies the RPC argument parameter.

expr <expr>

Specifies the regular expression for the RPC value.

Usage

The no command option disables the RPC argument.

Example

minna (config) # protocol ms-sql rpc-arg rule-id 2 action-id 1 arg-offset 0 expr
"replace select PROJ_READ_COUNT, PROJ_LOCKED, PROJ_READ_WRITE,PROJ_READ_ONLY,
PROJ_ID, PROJ_MACHINE_ID, PROJ_DATA_SOURCE from MSP_PROJECTS where PROJ_NAME =
'$1' "
minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ms-sql, show protocol ms-sql rules

protocol ms-sql rpc-rule rule-id app-name-regex


Description

Specifies the RPC rule.

Syntax

[no] protocol ms-sql rpc-rule rule-id <rule_id> app-name-regex <app_name> {rpc-id <rpc_id>
num-params <num_params> | [rpc-query-regex <regex_match_for_rpc_query_string>] |
[cursor-type <cursor_type>]]}

Parameters

rule-id <rule_id>

Specifies the rule identification number that uniquely identifies the rule.

app-name-regex <app_name>

Specifies the client application name (standard string expression).

rpc-id <rpc_id>

Specifies the RPC identifier.

num-params <num_params>

Specifies the expected number of parameters in the SQL query.

rpc-name-regex <regex_match_for_rpc_string>

Specifies the RPC name (standard string expression).

cursor-type <cursor_type>

Specifies the cursor type for the RPC query. Depending on cursor type, the client can read
forward or backward, from beginning or end, or read an arbitrary position in the result set:

forward-only. Only the next rows can be read. The row pointer cannot be moved back.
dynamic. The rows must be read in forward or reverse relative to current row pointer. The row
pointer cannot be moved to an arbitrary index except for first and last positions.
static. The rows can be read forward or reverse or at an arbitrary position.

Usage

The no command option disables the rule.

Example

minna (config) # protocol ms-sql rpc-rule rule-id 1 app-name-regex blah rpc-name-regex blah num-params 1 rpc-query-regex blah cursor-type static
minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ms-sql, show protocol ms-sql rules

protocol ms-sql support-app


Description

Specifies a regular expression (standard string) for an application name that can be optimized
using the MS-SQL blade.

Syntax

[no] protocol ms-sql support-app <name> [collation <collation> | misc <misc> | unicode {-1, 0, 1}]

Parameters

support-app <name>

Specifies the name of the application to be supported by the MS-SQL blade.

collation <collation>

Specifies MS-SQL protocol collation mode settings.

misc <misc>

Specifies MS-SQL protocol miscellaneous settings.

unicode {-1, 0, 1}

Specifies the Unicode character set: -1, 0 or 1.

Usage

The no command option removes the application from MS-SQL blade support.

Example

minna (config) # protocol ms-sql support-app msproject


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ms-sql, show protocol ms-sql rules


NFS Support Commands



protocol ftp


Description

Configures FTP port settings.

Syntax

[no] protocol ftp {port}

Parameters

port <port>

Specifies the FTP port.

Usage

The no command option disables the FTP port.

Example

minna (config) # protocol ftp port 2243


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ftp

protocol nfs alarm v2-v4 clear


Description

Resets the NFS v2 and v4 alarm.

Syntax

[no] protocol nfs alarm v2-v4 clear

Parameters

None

Usage

The no command option sets the NFS v2 and v4 alarm.

Example

minna (config) # protocol nfs alarm v2-v4 clear


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol nfs

protocol nfs default server


Description

Configures default settings for NFS servers.

Syntax

[no] protocol nfs default server {direntrymap <cr> | policy [custom | global_rw] | read-ahead
[small-files <cr> | transfer-size <size>] | read-dir [optimize <cr> | read-size <size>] |
threshold multiple <multiple> | write [optimize <cr> | max-data <max>]}


Parameters

direntrymap <cr>

Enables the directory entry map.

policy [custom | global_rw]

Specifies one of the following policies:

Custom. Enables you to turn on or off the root squash feature for NFS volumes from this server.
Root-squashing allows an NFS server to map any incoming user ID 0 or guest ID 0 to another
number that does not have super user privileges, often -2 (the nobody user).

Global Read-Write. Specifies a policy that provides a trade-off of performance for data
consistency. All of the data can be accessed from any client, including LAN based NFS clients
(which do not go through the Steelhead appliances) and clients using other file protocols like
CIFS. This option severely restricts the optimizations that can be applied without introducing
consistency problems. This is the default configuration.

read-ahead [small-files <cr> | transfer-size <size>]

Enables read-ahead for small files; sets the transfer size in bytes.

read-dir [optimize <cr> | read-size <size>]

Enables read optimization for the directory; sets the read size in bytes.

threshold multiple <multiple>

Specifies the threshold multiple.

write [optimize <cr> | max-data <max>]

Enables write optimization for the directory; sets the maximum write size in bytes.

Usage

The no command option resets the value of a given option. For example, no protocol nfs default
server policy resets the policy to the default value.

Example

minna (config) # protocol nfs default server read-dir optimize


minna (config) #
minna (config) # protocol nfs default server write optimize
minna (config) #

Product

Steelhead appliance

Related Topics

show protocol nfs

protocol nfs default volume


Description

Configures default settings for the NFS volumes.

Syntax

[no] protocol nfs default volume {perm_cache | policy [custom | global_rw] | root-squash <cr>}


Parameters

perm_cache

Enables a permission cache. Specify this option if the server uses ACLs or if your server is
configured to map client user IDs. This option enables the Steelhead appliance to optimize
traffic without violating the permissions model.

policy [custom | global_rw]

Specifies one of the following policies:

Custom. Enables you to turn on or off the root squash feature for NFS volumes from this server.

Global Read-Write. Specifies a policy that provides a trade-off of performance for data
consistency. All of the data can be accessed from any client, including LAN based NFS clients
(which do not go through the Steelhead appliances) and clients using other file protocols like
CIFS. This option severely restricts the optimizations that can be applied without introducing
consistency problems. This is the default configuration.

root-squash <cr>

Enables root squashing. Root-squashing allows an NFS server to map any incoming user ID 0 or
guest ID 0 to another number that does not have super user privileges, often -2 (the nobody user).

Usage

NFS file system objects have owners and permissions and the NFS optimizer conforms to the file
system permissions model by enforcing file server and volume policies.
The no command option resets the value of a given option.

Example

minna (config) # protocol nfs default volume root-squash


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol nfs

protocol nfs enable


Description

Enables the NFS optimizer. The NFS optimizer provides latency optimization improvements for
NFS operations primarily by prefetching data, storing it on the client Steelhead appliance for a
short amount of time, and using it to respond to client requests.

Syntax

[no] protocol nfs enable

Parameters

None

Usage

The no command option disables the NFS optimizer.

Example

minna (config) # protocol nfs enable


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol nfs


protocol nfs max-directories


Description

Specifies, in bytes, the maximum size of NFS directories.

Syntax

[no] protocol nfs max-directories <bytes>

Parameters

<bytes>

Specifies a number of bytes between 0 and 4294967295.

Usage

The no command option resets the size to the default.

Example

minna (config) # protocol nfs max-directories 4294967295


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol nfs

protocol nfs max-symlinks


Description

Specifies, in bytes, the maximum size of NFS symbolic link directories.

Syntax

[no] protocol nfs max-symlinks <bytes>

Parameters

<bytes>

Specifies a number of bytes between 0 and 4294967295.

Usage

The no command option resets the size to the default.

Example

minna (config) # protocol nfs max-symlinks 4294967295


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol nfs

protocol nfs memory


Description

Specifies, in percent, the soft-limit size (warning threshold) and hard-limit size (error threshold) of
memory usage.

Syntax

[no] protocol nfs memory softlimit <percent> hardlimit <percent>

Parameters

<percent>

Specifies a percent to establish the respective thresholds.

Usage

The no command option resets the limit to the default.

Example

minna (config) # protocol nfs memory softlimit 65 hardlimit 95


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol nfs


protocol nfs server


Description

Configures settings for the specified NFS server.

Syntax

[no] protocol nfs server <name> {default volume enable | default volume policy [custom |
global_rw | home_dir] | default volume root-squash | direntrymap <cr> | ip <address> |
policy [custom | global_rw | home_dir] | read-ahead [small-files <cr> | transfer-size <size>] |
read-dir [optimize <cr> | read-size <size>] | threshold multiple <multiple> | volume id
<fsid> <cr> | volume id <fsid> policy [custom | global_rw | home_dir] | volume id <fsid>
root-squash | write [optimize <cr> | max-data <max>]}

Parameters

default volume enable

Enables defaults to be used by all volumes on the server.

default volume policy [custom | global_rw]

Sets the default volume policy to one of the following types:

Custom. Enables you to turn on or off the root squash feature for NFS volumes from this server.

Global Read-Write. Specifies a policy that provides a trade-off of performance for data
consistency. All of the data can be accessed from any client, including LAN based NFS clients
(which do not go through the Steelhead appliances) and clients using other file protocols like
CIFS. This option severely restricts the optimizations that can be applied without introducing
consistency problems. This is the default configuration.

default volume root-squash

Enables root-squashing by default on new volumes. Root-squashing allows an NFS server to map
any incoming user ID 0 or guest ID 0 to another number that does not have super user
privileges, often -2 (the nobody user).

direntrymap <cr>

Enables the directory entry map.

ip <address>

Specifies the IP address of the NFS server.

policy [custom | global_rw]

On the NFS server, sets one of the following policies:

Custom. Enables you to turn on or off the root squash feature for NFS volumes from this server.
Root-squashing allows an NFS server to map any incoming user ID 0 or guest ID 0 to another
number that does not have superuser privileges, often -2 (the nobody user).

Global Read-Write. Specifies a policy that provides a trade-off of performance for data
consistency. All of the data can be accessed from any client, including LAN based NFS clients
(which do not go through the Steelhead appliances) and clients using other file protocols like
CIFS. This option severely restricts the optimizations that can be applied without introducing
consistency problems. This is the default configuration.

read-ahead [small-files <cr> | transfer-size <size>]

Enables read-ahead for small files; sets the transfer size in bytes.

read-dir [optimize <cr> | read-size <size>]

Enables read optimization for the directory and sets the read size in bytes.

threshold multiple <multiple>

Specifies the threshold multiple.

volume id <fsid> <cr>

Specifies the file system volume identification (ID).

volume id <fsid> policy [custom | global_rw]

Specifies the file system ID and policy. On the specified volume, sets one of the following
policies:

Custom. Enables you to turn on or off the root squash feature for NFS volumes from this server.
Root-squashing allows an NFS server to map any incoming user ID 0 or guest ID 0 to another
number that does not have superuser privileges, often -2 (the nobody user).

Global Read-Write. Specifies a policy that provides a trade-off of performance for data
consistency. All of the data can be accessed from any client, including LAN based NFS clients
(which do not go through the Steelhead appliances) and clients using other file protocols like
CIFS. This option severely restricts the optimizations that can be applied without introducing
consistency problems. This is the default configuration.

volume id <fsid> root-squash

Enables root-squashing on the specified volume.

write [optimize <cr> | max-data <max>]

Enables write optimization for the directory; sets the maximum write size in bytes.

Usage

NFS objects have owners and permissions and the NFS optimizer conforms to the file system
permissions model by enforcing file server and volume policies.
The no command option disables the NFS server.

Example

minna (config) # protocol nfs server volume id 21


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol nfs

protocol nfs v2-v4-alarm


Description

Enables the NFS v2 and v4 alarm.

Syntax

[no] protocol nfs v2-v4-alarm

Parameters

None

Usage

The no command option disables the alarm.

Example

minna (config) # protocol nfs v2-v4-alarm


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol nfs


HTTP Support Commands



protocol http default ntlm enable


Description

Configure default settings to be used when you add target HTTP servers.

Syntax

[no] protocol http default ntlm enable

Parameters

None

Usage

Specify whether or not to reuse NTLM authentication values.


The no command option disables reuse of NTLM authentication values.

Example

minna (config) # protocol http default ntlm enable


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol http

protocol http enable


Description

Enables HTTP module support. Enabling HTTP module support optimizes traffic to or from port
80.

Syntax

[no] protocol http enable

Parameters

None

Usage

The no command option disables HTTP module support.

Example

minna (config) # protocol http enable


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol http

protocol http prefetch extension


Description

Specifies file extensions for file types you want to prefetch.

Syntax

[no] protocol http prefetch extension <ext>

Parameters

<ext>

Specify a file extension to add to the list of file types to prefetch.

Usage

Create a list of file extensions for file types you want to prefetch. You add file extensions one at a
time. Repeat the command for each of the file types you want to add to the list.
Use the show protocol http command to display your list.
The no command option removes the extension from the list of file types.

Example

minna (config) # protocol http prefetch extension css


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol http

protocol http server


Description

Specifies a target HTTP server. Currently, you can use these commands to create a list of HTTP
servers to optimize.

Syntax

[no] protocol http server <IP> [ntlm enable]

Parameters

<IP>

Specifies the IP address of the target HTTP server.

[ntlm enable]

If you have disabled NTLM reuse as the default with the no protocol http default ntlm
command and want to enable NTLM reuse for this server, specify ntlm enable.

Usage

Create a list of HTTP servers to optimize. You add servers one at a time. Repeat the command for
each server you want to optimize.
Use the show protocol http command to display your list.
The no command option removes the server from the list to optimize.

Example

minna (config) # protocol http server 127.18.32.18


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol http


SSL Support Commands



protocol ssl backend


Description

Create a preference list of cipher strings used for client-handshakes or server-handshakes.

Syntax

[no] protocol ssl backend {client | server} cipher-string <string> cipher-num <num>

Parameters

client | server

Specify whether you are configuring the client or server list.

cipher-string <string>

Specify one of the following cipher-strings (case-sensitive) or a combination using the
underscore character ( _ ). For a complete list, view the CLI online help.

cipher-num <num>

Specify a number to set the order of the list. The number must be an integer greater than or
equal to 1, the string start, or the string end.

Usage

Create a preference list of cipher strings used for client-handshakes, server-handshakes, or
peering-handshakes.
To view your list, use the command show protocol ssl backend {client | server} cipher-strings.
To remove a cipher string from the list, use the command no protocol ssl backend {client |
server} cipher-num <num>.

Example

minna (config) # protocol ssl backend server cipher-string DEFAULT cipher-num 1


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ssl

protocol ssl bulk-export


Description

Export the current SSL configuration, keys, and certificates.

Syntax

protocol ssl bulk-export password <password> [include-servers]

Parameters

password <password>

Specify a password used to encrypt exported data.

[include-servers]

Optionally, specify include-servers to include server certificates and keys. If you include this
parameter, the data includes the peering certificate, key, all certificate authorities, and all
peering trust entities. In addition, it contains all the back-end server configurations
(certificates, keys, and so forth).
IMPORTANT: To protect your servers' private keys, do not include this parameter when
performing bulk exports of peers.

Usage

Use bulk-export to expedite backup and peer trust configurations:

Backup. If you want to back up your SSL configurations, specify include servers and then
export.

Peer Trust. If you use self-signed peering certificates and have multiple Steelhead appliances
(including multiple server-side appliances), you can use the bulk export feature to avoid
configuring each peering trust relationship between the pairs of Steelhead appliances.
IMPORTANT: To protect server private keys, do not use the include servers option.


Example

minna (config) # protocol ssl bulk-export password foo_pass include-servers


U2FsdGVkX1/GM9EmJ0O9c1ZXh9N18PuxiAJdG1maPGtBzSrsU/CzgNaOrGsXPhor
VEDokHUvuvzsfvKfC6VnkXHOdyAde+vbMildK/lxrqRsAD1n0ezFFuobYmQ7a7uu
TmmSVDc9jL9tIVhd5sToRmeUhYhEHS369ubWMWBZ5rounu57JE6yktECqo7tKEVT
DPXmF1BSbnbK+AHZc6NtyYP3OQ88vm9iNySOHGzJ17HvhojzWth5dwNNx28I8GDS
zCmkqlaNX6vI3R/9KmtIR/Pk6QCfQ0sMvXLeThnSPnQ6wLGctPxYuoLJe0cTNlVh
r3HjRHSKXC7ki6Qaw91VDdTobtQFuJUTvSbpKME9bfskWlFh9NMWqKEuTJiKC7GN
[partial example]
minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ssl

protocol ssl bulk-import


Description

Import SSL configuration, keys, and certificates.

Syntax

protocol ssl bulk-import password <password> data <data>

Parameters

password <password>

Specify a password required to decrypt data.

data <data>

Specify a file that contains previously exported data.

Usage

Use the bulk import feature to expedite configuration of peering trust relationships between
Steelhead appliances.
The bulk data that you import contains the serial number of the exporting Steelhead appliance.
The Steelhead appliance importing the data compares its own serial number with the serial
number contained in the bulk data. The following rules apply to bulk data import and export:
Peering Certificate and Key Data. If the serial numbers match, the Steelhead appliance
importing the bulk data overwrites its existing peering certificates and keys with the bulk data.
If the serial numbers do not match, the Steelhead appliance importing the data does not
overwrite its peering certificates and keys.
Certificate Authority, Peering Trust, and SSL Server Configuration Data. For all other
configuration data, such as certificate authorities, peering trusts, and server configurations (if
included), if there is a conflict, the imported configuration data take precedence and the
imported configuration data does not overwrite any existing configurations.
NOTE: Bulk data import cannot delete configurations; it only adds or overwrites them.
For example, assume you have two servers: 1.1.1.1:443 (enabled) and 2.2.2.2:443 (disabled). The
bulk data contains three servers: 1.1.1.1:443 (disabled), 2.2.2.2:443 (disabled), and 3.3.3.3:443
(enabled). After a bulk data import, there are three servers: 1.1.1.1:443 (disabled), 2.2.2.2:443
(disabled), and 3.3.3.3:443 (enabled). The certificates and keys of servers 1.1.1.1:443 and 2.2.2.2:443
were overwritten with those in the bulk data.

Example

minna (config) # protocol ssl bulk-import password temp data temp


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ssl, show connections, show log


protocol ssl crl ca


Description

Configures a CRL for an automatically discovered CA. You can update automatically discovered
CRLs using this command.

Syntax

[no] protocol ssl crl ca <ca name> cdp <integer> ldap server <IP addr or hostname> | crl-attr-name <attr-name> | port <port>

Parameters

<ca name>

Specify the name of an SSL CA certificate.

cdp <integer>

Specify an integer index. Index of a Cisco Discovery Protocol (CDP) in a CA
certificate.
The no protocol ssl crl ca * cdp * command option removes the update.

ldap server <IP addr or hostname>

Specify the LDAP server IP address or hostname to modify a CDP URI.

crl-attr-name <attr-name>

Optionally, specify the attribute name of CRL in an LDAP entry.

port <port>

Optionally, specify the LDAP service port.

Usage

Enabling CRL allows the CA to revoke a certificate. For example, when the private key of the
certificate has been compromised, the CA can issue a CRL that revokes the certificate.
A CRL includes any digital certificates that have been invalidated before their expiration date,
including the reasons for their revocation and the names of the issuing certificate signing
authorities. A CRL prevents the use of digital certificates and signatures that have been
compromised. The certificate authorities that issue the original certificates create and maintain the
CRLs.
To clear the CRL alarm, execute the no stats alarm crl_error enable command.

Example

amnesiac (config) # protocol ssl ca mycert cdp 512

Product

Steelhead appliance

Related Topics

show protocol ssl crl

protocol ssl crl cas enable


Description

Enables CRL polling and use of CRL in handshake verifications of CA certificates. Currently, the
Steelhead appliance only supports downloading CRLs from Lightweight Directory Access
Protocol (LDAP) servers.

Syntax

[no] protocol ssl crl cas enable

Parameters

None.


Usage

Enabling CRL allows the CA to revoke a certificate. For example, when the private key of the
certificate has been compromised, the CA can issue a CRL that revokes the certificate.
A CRL includes any digital certificates that have been invalidated before their expiration date,
including the reasons for their revocation and the names of the issuing certificate signing
authorities. A CRL prevents the use of digital certificates and signatures that have been
compromised. The certificate authorities that issue the original certificates create and maintain the
CRLs.

Example

amnesiac (config) # protocol ssl crl cas enable

Product

Steelhead appliance

Related Topics

show protocol ssl crl

protocol ssl crl handshake


Description

Configures handshake behavior for a CRL.

Syntax

[no] protocol ssl crl handshake fail-if-missing

Parameters

fail-if-missing

If a relevant CRL cannot be found, the handshake fails.

Example

amnesiac (config) # protocol ssl crl handshake fail-if-missing

Product

Steelhead appliance

Related Topics

show protocol ssl crl

protocol ssl crl manual


Description

Manually configures a CDP for CRL management.

Syntax

[no] protocol ssl crl manual ca uri <uri>| peering ca uri <uri>

Parameters

ca

Specify the CA name to manually configure the CDP. The no protocol ssl crl
manual command removes manually configured CDPs.

uri <uri>

Specify the CDP URI to manually configure the CDP for the CRL.

peering ca uri <uri>

Specify the peering CA name to manually configure the CDP URI.

Usage

The Steelhead appliance automatically discovers CDPs for all certificates on the appliance. You
can manually configure a CA using this command.

Example

amnesiac (config) # protocol ssl crl manual ca Camerfirma_Chambers_of_Commerce uri URI: http://crl.chambersign.org/chambersroot.crl

Product

Steelhead appliance

Related Topics

show protocol ssl crl


protocol ssl crl peering


Description

Configures a CRL for an automatically discovered peering CA.

Syntax

[no] protocol ssl crl peering {ca <ca name> cdp <integer> ldap server <ip-addr or hostname>
<cr> [crl-attr-name <string> | port <port num>]}| cas enable

Parameters

ca <ca name>

Configures CRL for an automatically discovered peering CA.

cdp <integer>

Specify an integer index of a CDP in a peering CA certificate. The no protocol
ssl crl peering ca * cdp * removes the update.

ldap server <ip-addr or hostname> <cr>

Specify the IP address or hostname of an LDAP server.

crl-attr-name <string>

Optionally, specify an attribute name of CRL in an LDAP entry.

port <port num>

Optionally, specify the LDAP service port.

cas enable

Enables CRL polling and use of CRL in handshake verification.

Usage

To enable CRL polling and handshakes, at the system prompt enter the following set of commands:
protocol ssl crl cas enable
protocol ssl crl peering cas enable

To view the CRL polling status of all CAs, at the system prompt enter the following command:
show protocol ssl crl ca cas
<<this example lists two CDPs: one complete CDP and one incomplete CDP>>
CA: Comodo_Trusted_Services
CDP Index: 1
DP Name 1: URI:http://crl.comodoca.com/TrustedCertificateServices.crl
Last Query Status: unavailable
CDP Index: 2
DP Name 1: URI:http://crl.comodo.net/TrustedCertificateServices.crl
Last Query Status: unavailable
<<an incomplete CDP is indicated by the DirName format>>
CA: Entrust_Client
CDP Index: 1
DP Name 1: DirName:/C=US/O=Entrust.net/OU=www.entrust.net/Client_CA_Info/
CPS incorp. by ref.limits liab./OU=(c) 1999 Entrust.net Limited/CN=Entrust.net
Client Certification Authority
CN=CRL1
Last Query Status: unavailable
CDP Index: 2
DP Name 1: URI:http://www.entrust.net/CRL/Client1.crl
Last Query Status: unavailable

In this case, the Entrust Client is an incomplete CDP as indicated by DirName format. Currently,
the Steelhead appliance only supports updates in the DirName format.
To update the incomplete CDP URI, at the system prompt enter the following set of commands:
protocol ssl crl ca Entrust_Client cdp 1 ldap-server 192.168.172.1
protocol ssl crl peering ca Entrust_Client cdp 1 ldap-server 192.168.172.1


Example

amnesiac (config) # protocol ssl crl peering cas enable

Product

Steelhead appliance

Related Topics

show protocol ssl crl
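
The CDP listing shown in the Usage section above can be checked mechanically. This added example (not part of the Riverbed manual) parses that listing, picks out the incomplete DirName-format CDPs, and builds the update commands in the form the Usage example gives; the function names and the LDAP address passed in are the example's own.

```python
import re
from dataclasses import dataclass, field

# `show protocol ssl crl ca cas` output as printed in the manual
# (its <<...>> annotations removed).
SAMPLE = """\
CA: Comodo_Trusted_Services
CDP Index: 1
DP Name 1: URI:http://crl.comodoca.com/TrustedCertificateServices.crl
Last Query Status: unavailable
CDP Index: 2
DP Name 1: URI:http://crl.comodo.net/TrustedCertificateServices.crl
Last Query Status: unavailable
CA: Entrust_Client
CDP Index: 1
DP Name 1: DirName:/C=US/O=Entrust.net/OU=www.entrust.net/Client_CA_Info/
CPS incorp. by ref.limits liab./OU=(c) 1999 Entrust.net Limited/CN=Entrust.net
Client Certification Authority
CN=CRL1
Last Query Status: unavailable
CDP Index: 2
DP Name 1: URI:http://www.entrust.net/CRL/Client1.crl
Last Query Status: unavailable
"""


@dataclass
class Cdp:
    ca: str
    index: int
    names: list = field(default_factory=list)  # one entry per "DP Name n:"
    status: str = ""

    @property
    def incomplete(self):
        # Per the manual, a DirName-format distribution point is incomplete:
        # it names a directory entry but no server to fetch the CRL from.
        return any(n.startswith("DirName:") for n in self.names)


CA_RE = re.compile(r"^CA:\s*(\S+)$")
IDX_RE = re.compile(r"^CDP Index:\s*(\d+)$")
DP_RE = re.compile(r"^DP Name \d+:\s*(.+)$")
STATUS_RE = re.compile(r"^Last Query Status:\s*(.+)$")
HOST_RE = re.compile(r"^[A-Za-z0-9.:-]+$")  # bare IP address or hostname


def parse_cdps(text):
    """Parse the listing into Cdp records, rejoining wrapped DirName lines."""
    cdps, ca, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<<"):
            continue
        if m := CA_RE.match(line):
            ca, cur = m.group(1), None
        elif m := IDX_RE.match(line):
            if ca is None:
                raise ValueError("CDP Index seen before any CA line")
            cur = Cdp(ca, int(m.group(1)))
            cdps.append(cur)
        elif cur is None:
            raise ValueError(f"unexpected line outside a CDP: {line!r}")
        elif m := DP_RE.match(line):
            cur.names.append(m.group(1))
        elif m := STATUS_RE.match(line):
            cur.status = m.group(1)
        elif cur.names and not cur.status:
            cur.names[-1] += " " + line  # continuation of a wrapped DP name
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return cdps


def ldap_update_commands(cdps, ldap_server):
    """Commands that attach an LDAP server to every incomplete CDP."""
    if not HOST_RE.match(ldap_server):
        raise ValueError("ldap_server must be a bare IP address or hostname")
    cmds = []
    for c in cdps:
        if c.incomplete:
            # Spelled "ldap-server" as in the manual's usage example.
            tail = f"ca {c.ca} cdp {c.index} ldap-server {ldap_server}"
            cmds += [f"protocol ssl crl {tail}",
                     f"protocol ssl crl peering {tail}"]
    return cmds


if __name__ == "__main__":
    for cmd in ldap_update_commands(parse_cdps(SAMPLE), "192.168.172.1"):
        print(cmd)
```
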

protocol ssl crl query-now


Description

Downloads CRL now.

Syntax

[no] protocol ssl crl query-now ca <string> cdp <integer> <cr>| peering ca <string> cdp
<integer> <cr>

Parameters

ca <string> cdp <integer>

Download CRL issued by SSL CA. Specify the CA name and CDP integer.

peering ca <string> cdp <integer>

Download CRL issued by SSL peering CA. Specify the CA name and CDP
integer.

Example

amnesiac (config) # protocol ssl crl query-now ca myca cdp 12

Product

Steelhead appliance

Related Topics

show protocol ssl crl

protocol ssl ca


Description

Adds a Certificate Authority (CA) to the local collection. A CA is a third-party entity in a
network which issues digital certificates and manages security credentials and public keys for
message encryption. A CA issues a public key certificate which states that the CA attests that the
public key contained in the certificate belongs to the person, organization, server, or other entity
noted in the certificate. The CA verifies an applicant's credentials, so that relying parties can trust
the information in the CA certificates. If you trust the CA and can verify the CA signature, then
you can also verify that a certain public key belongs to whomever is identified in the certificate.

Syntax

protocol ssl ca cert <certificate> local-name <local-name>

Parameters

cert <certificate>

Paste the text of a CA certificate in PEM format.

local-name <local-name>

Specify a name to identify the certificate in the local collection.

Usage

Add Certificate Authorities you intend to use for server and peering configuration.


Example

minna (config) # protocol ssl ca cert "-----BEGIN CERTIFICATE-----
[PEM certificate body omitted]
-----END CERTIFICATE-----" local-name Some_CA_Cert
minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ssl, show connections, show log

protocol ssl enable


Description

Enables SSL optimization, which accelerates encrypted traffic on secure ports (https). This
command can only be used after you have generated or imported a server.
To configure SSL support, you do not make configuration changes on the client and the server;
clients continue connecting to the same server name or IP address.
The Steelhead appliances are configured to have a trust relationship, so they can exchange
information securely over an SSL connection. (Each client uses unchanged server addresses and
each server uses unchanged client addresses; no application changes or explicit proxy
configuration is required.) The server-side Steelhead appliance handles SSL handshakes on behalf
of the server, yet makes itself appear to the client as if it were the actual server. The server-side
Steelhead appliance is configured with a legitimate certificate and private key just as the one (not
necessarily the same one) used by the back-end Web server.
Intercepting a new SSL connection from a client (for example, the browser), the server-side
Steelhead appliance simultaneously acts as an SSL server to the original client and an SSL client to
the back-end server.
The temporary session key (used for encryption and decryption) is securely transported from the
server-side Steelhead appliance to the client-side Steelhead appliance so that RiOS optimization
and acceleration occurs on all data transfers over the WAN.
All data transfers between the client-side and the server-side Steelhead appliance are over a
secure channel between the Steelhead appliances. The two peer Steelhead appliances must be
configured as SSL peers so that they are trusted entities.
The Steelhead appliance contains an encrypted file system, called the secure vault, which stores all
SSL server settings, other certificates (the CA, peering trusts, and peering certificates) and the
peering private key. See secure-vault for more information.
The Steelhead appliance ships with a default peer certificate. Riverbed recommends you replace
the default peer certificate with a certificate with a matching common name and security
parameters (key length).

Syntax

[no] protocol ssl enable

Parameters

None


Usage

You should keep secure backups of your private keys and the CA-signed certificates before you
begin the SSL configuration process.
The following steps describe how to initially deploy and verify SSL module support:
1. Install SSL licenses on a client-side and server-side pair of appliances. If you do not have an SSL
license go to https://support.riverbed.com and follow the procedures documented there.
2. On the client-side appliance, add an in-path rule for port 443 (SSL default port). For example:
minna (config) # in-path rule auto-discover dstaddr 10.11.41.14/32 dstport 443
preoptimization ssl latency-opt http neural-mode always rulenum 1

TIP: Specify each of the parameters listed in this example. You must specify the exact SSL server IP
address and the default SSL port.
NOTE: Latency optimization may not always be HTTP, especially for applications that use the SSL
protocol but are not HTTP based. In such cases, specify None for the latency optimization.
3. On both appliances, enable SSL support. For example:
minna (config) # protocol ssl enable

4. On both appliances, generate or import a self-identifying certificate. For example:
minna (config) # protocol ssl peering generate-cert ...

To display the certificate, enter the certificate ssl show command. For example:
minna (config) # show protocol ssl peering cert raw

5. Create a peer trust relationship by installing the client ID certificate on the server-side appliance
and vice versa. For example:
minna (config) # protocol ssl peer trust cert ...

Configuring a trust relationship for peer appliances must be performed on every pair of Steelhead
appliances that need a secure channel. For example, if your organization has one data center
location and five remote office locations, you must configure this peering-trust on five pairs of
Steelhead appliances.
TIP: Your organization may choose to replace all the default self-signed identity certificates and
keys on their Steelhead appliances with those certificates signed by another CA (either internal to
your organization or an external well-known CA). In such cases, every Steelhead appliance must
simply have the certificate of the designated CA (that signed all those Steelhead appliance
identity certificates) added as a new trusted entity.
TIP: For production networks with multiple Steelhead appliances, use the CMC or the bulk
import and export feature to simplify configuring trusted peer relationships.
6. On the server-side appliance, generate or import a proxy certificate for the SSL server. For
example:
minna (config) # protocol ssl server ip <ip-address> import-cert <certificate>
import-key <private key>

7. Enable the SSL server. You can only enable the SSL server after the server has been generated or
imported. For example:
minna (config) # protocol ssl server ip <ip-address> enable


8. Import any CA certificates if necessary (for example, if a server certificate is self-signed or you
need an intermediate CA). For example:
minna (config) # protocol ssl ca cert <certificate> local-name <name>

You must perform this step if you use internal CAs because the Steelhead appliance default list of
well-known CAs (trusted by the server-side Steelhead appliance) does not include your internal
CA certificate. To identify the certificate of your internal CA (in some cases, the chain of certificate
authorities) go to your Web browser repository of trusted-root or intermediate CAs. (For example,
Internet Explorer ->Tools -> Internet Options -> Certificates.)
9. Restart the service on the client and server-side Steelhead appliance.
minna (config) # restart

To troubleshoot your SSL configuration, view system logs and current connections.
The no command option disables SSL module support.

Example

minna (config) # protocol ssl enable


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ssl, show connections, show log

protocol ssl peering


Description

Configures SSL peering trust by synchronizing cipher strings, generated keys and certificates, or
imported keys and certificates to be used for SSL handshakes.

Syntax

[no] protocol ssl peering {
{cipher-string <string> cipher-num <num>} |
{generate-cert [rsa] | common-name <string> country <string> email <email address> key-size <512|1024|2048> locality <string> org <string> org-unit <string> state <string> valid-days
<int>}
{generate-csr common-name <string> country <string> email <email address> locality
<string> org <string> org-unit <string> state <string>} |
{import-cert <string> [import-key <string>] password <string>} |
{import-cert-key <string> password <string>} |
{trust {ca <string> | cert <string> local-name <name>}
}

Parameters

{cipher-string <string> cipher-num <num>}

<string>

Specify one of the cipher-strings (case-sensitive) or a combination
using the underscore character ( _ ). For a complete list of ciphers,
display the CLI online help.

cipher-num <num>

Specify a number to set the order of the list. The cipher number must
be an integer from 1-N or the string start, or the string end.

generate-cert [rsa] | common-name <string> country <string> email <email address> key-size
<512|1024|2048> locality <string> org <string> org-unit <string> state <string> valid-days
<int>


[rsa]

Specify RSA encryption.

common-name <string>

Specify a host name of the peer.

country <string>

Specify the country (2-letter code only).

email <email address>

Specify an email address of the contact person.

key-size <512|1024|2048>

Specify the key size.

locality <string>

Specify the city.

org <string>

Specify the organization name (for example, the company).

org-unit <string>

Specify the organizational unit (for example, the department).

state <string>

Specify the state. No abbreviations.

valid-days <int>

Specify an integer value to set the parameter. If you omit valid-days,
the default is 2 years.

generate-csr common-name <string> country <string> email <email address> locality <string>
org <string> org-unit <string> state <string>

common-name <string>

Specify the host name of the peer.

country <string>

Specify the country (2-letter code only).

email <email address>

Specify an email address of the contact person.

locality <string>

Specify the city.

org <string>

Specify the organization name (for example, the company).

org-unit <string>

Specify the organizational unit (for example, the department).

state <string>

Specify the state. No abbreviations.


import-cert <certificate> [import-key <private-key>] password <string>

<certificate>

Specify the existing string to import the certificate. (These are X509
PEM-format field names.)

import-key <private-key>

Specify the private key in PEM format.

import-cert-key <string> password <string>

<certkey>

Specify the existing certificate key in PEM format to import the key.
(These are X509 PEM-format field names.)
NOTE: The private key is required regardless of whether you are
adding or updating.

<string>

Specify the decryption password.

trust {ca <cert> | cert <certificate> local-name <name>}

ca <cert>

Specify the CA name for the certificate provided by the peer. (These
are X509 PEM-format field names.)

cert <certificate>

Paste the text of a CA certificate (PEM format) for the peer and give
the certificate a local name. (These are X509 PEM-format field names.)

local-name <name>

Specify a local name for the certificate.

Usage

All data between client-side and server-side Steelhead appliances are sent over a secure channel
between the Steelhead appliances. The peer Steelhead appliances must be configured as SSL peers
so that they are trusted entities.
In SSL, peer authentication allows you to confirm the identity of the peer. The Steelhead appliance
checks the certificates to make sure they are valid and that they have been issued by a valid CA
which is listed in the trusted entity list.
The no command option removes SSL peering settings.

Example

minna (config) # protocol ssl peering cipher-string DEFAULT cipher-num 1


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ssl, show connections, show log

protocol ssl protocol-vers


Description

Specifies the SSL versions supported in your deployment. The default setting is SSLv3_or_TLSv1.

Syntax

[no] protocol ssl protocol-vers <version>

Parameters

<version>

Specify one of the following values to specify the SSL versions supported in your
deployment:

SSLv3_or_TLSv1

Use both SSLv3 and TLSv1.

SSLv3_only

Use only SSLv3.

TLSv1_only

Use only TLSv1.

Usage

The no protocol ssl protocol-vers option clears the setting.

Example

minna (config) # protocol ssl protocol-vers SSLv3_or_TLSv1


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ssl, show connections, show log
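
A pre-change check over a script of the commands documented in this section, added here as an example (not Riverbed code). The thresholds are the example's own policy: RSA keys under 2048 bits and any protocol-vers value that admits SSLv3 are flagged, and both sample scripts are constructed.

```python
import re

PROMPT = re.compile(r"^\S+ \(config\) # ")
DEFAULT_VERS = "SSLv3_or_TLSv1"  # default stated in the manual
MIN_RSA_BITS = 2048              # this example's policy; largest size the CLI offers

# On/off commands from this manual and the state flag each one drives.
TOGGLES = {
    ("protocol", "ssl", "enable"): "ssl",
    ("protocol", "ssl", "crl", "cas", "enable"): "crl_cas",
    ("protocol", "ssl", "crl", "peering", "cas", "enable"): "crl_peering",
    ("protocol", "ssl", "crl", "handshake", "fail-if-missing"): "fail_if_missing",
}

# Constructed sample scripts (not taken from a real appliance).
WEAK = """\
minna (config) # protocol ssl enable
minna (config) # protocol ssl peering generate-cert rsa common-name sh1.example.com key-size 1024
minna (config) # protocol ssl crl cas enable
minna (config) # protocol ssl protocol-vers SSLv3_only
minna (config) # no protocol ssl protocol-vers
"""

HARDENED = """\
protocol ssl enable
protocol ssl peering generate-cert rsa common-name sh1.example.com key-size 2048
protocol ssl crl cas enable
protocol ssl crl peering cas enable
protocol ssl crl handshake fail-if-missing
protocol ssl protocol-vers TLSv1_only
"""


def audit(script):
    """Return (code, detail) findings for a script of configuration commands."""
    on = {flag: False for flag in TOGGLES.values()}
    vers = DEFAULT_VERS
    findings = []
    for lineno, raw in enumerate(script.splitlines(), 1):
        tokens = PROMPT.sub("", raw.strip()).split()
        if not tokens:
            continue
        negate = tokens[0] == "no"
        if negate:
            tokens = tokens[1:]
        key = tuple(tokens)
        if key in TOGGLES:
            on[TOGGLES[key]] = not negate          # later commands win
        elif key[:3] == ("protocol", "ssl", "protocol-vers"):
            # "no protocol ssl protocol-vers" clears the setting (back to default)
            vers = DEFAULT_VERS if negate or len(key) < 4 else key[3]
        # key-size appears in the generate-cert and gen-key-and-csr commands
        if "key-size" in tokens and not negate:
            i = tokens.index("key-size")
            bits = tokens[i + 1] if i + 1 < len(tokens) else ""
            if bits.isdigit() and int(bits) < MIN_RSA_BITS:
                findings.append(("WEAK_KEY", f"line {lineno}: key-size {bits}"))
    if on["ssl"]:
        if not on["crl_cas"]:
            findings.append(("CRL_CAS_OFF", "protocol ssl crl cas enable is not set"))
        if not on["crl_peering"]:
            findings.append(("CRL_PEERING_OFF",
                             "protocol ssl crl peering cas enable is not set"))
        if not on["fail_if_missing"]:
            findings.append(("NO_FAIL_IF_MISSING",
                             "protocol ssl crl handshake fail-if-missing is not set"))
        if vers != "TLSv1_only":  # strictest value this manual lists
            findings.append(("SSLV3_ALLOWED", f"protocol-vers is {vers}"))
    return findings


if __name__ == "__main__":
    for name, script in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name)
        for code, detail in audit(script) or [("OK", "no findings")]:
            print(f"  {code}: {detail}")
```
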

protocol ssl scep peering auto-reenroll


Description

Configures automatic re-enrollment settings. The Steelhead appliance uses SCEP to automatically
re-enroll certificates.

Syntax

[no] protocol ssl scep peering auto-reenroll enable | exp-threshold <num-of-days> | last-result
clear-alarm

Parameters

enable

Enables automatic re-enrollment of a certificate to be signed by a CA.

exp-threshold <num-of-days>

Specify the amount of time (in days) to schedule re-enrollment before the
certificate expires.

last-result clear-alarm

Clears the automatic re-enrollment last-result alarm. The last result is the last
completed enrollment attempt.

Usage

The Steelhead appliance uses SSCEP to dynamically re-enroll a peering certificate to be signed by
a certificate authority.
The no command option disables this feature.

Example

amnesiac (config) # protocol ssl scep peering auto-reenroll enable

Product

Steelhead appliance

Related Topics

show protocol ssl scep peering

protocol ssl scep peering max-num-polls


Description

Configure the maximum number of polls. A poll is a request to the server for an enrolled
certificate by the Steelhead appliance. The Steelhead appliance polls only if the server responds
with pending. If the server responds with fail then the Steelhead appliance does not poll.

Syntax

protocol ssl scep peering max-num-polls <max number polls>

Parameters

<max number polls>

Specify the maximum number of polls before the Steelhead appliance cancels the
enrollment. The peering certificate is not modified. The default value is 5.

Usage

The no command option disables this feature.

Example

amnesiac (config) # protocol ssl scep peering max-num-polls 12

Product

Steelhead appliance

Related Topics

show protocol ssl scep peering

protocol ssl scep peering on-demand cancel


Description

Cancels any active on-demand enrollment.

Syntax

[no] protocol ssl scep peering on-demand cancel

Parameters

None

Usage

The no command option disables this feature.

Example

amnesiac (config) # protocol ssl scep peering on-demand cancel

Product

Steelhead appliance

Related Topics

show protocol ssl scep peering

protocol ssl scep peering on-demand gen-key-and-csr


Description

Generate new private key and CSR for on-demand enrollment using the Rivest-Shamir-Adleman
algorithm.

Syntax

[no] protocol ssl scep peering on-demand gen-key-and-csr rsa state <string> | org-unit
<string> | org <string> | locality <string> | email <email-addr> | country <string> |
common-name <string> | key-size <512 | 1024 | 2048>


Parameters

rsa

Configures the RSA algorithm.

state <string>

Specify the state. No abbreviations.

org-unit <string>

Specify the organizational unit (for example, the department).

org <string>

Specify the organization name (for example, the company).

locality <string>

Specify the city.

email <email-addr>

Specify an email address of the contact person.

country <string>

Specify the country (2-letter code only).

common-name <string>

Specify the hostname of the peer.

key-size <512|1024|2048>

Specify the key size in bits (for example, 512|1024|2048).

Usage

The no command option disables this feature.

Example

amnesiac (config) # protocol ssl scep peering on-demand gen-key-and-csr rsa state california

Product

Steelhead appliance

Related Topics

show protocol ssl scep peering

protocol ssl scep peering on-demand start


Description

Starts an on-demand enrollment in the background.

Syntax

[no] protocol ssl scep peering on-demand start <cr> | foreground

Parameters

foreground

Specify to start an on-demand enrollment in the foreground.

Usage

The no command option disables this feature.

Example

amnesiac (config) # protocol ssl scep peering on-demand start

Product

Steelhead appliance

Related Topics

show protocol ssl scep peering

protocol ssl scep peering passphrase


Description

Configure the challenge password phrase.

Syntax

protocol ssl scep peering passphrase <passphrase>

Parameters

<passphrase>

Specify the challenge password phrase.

Usage

The no command option disables this feature.

Example

amnesiac (config) # protocol ssl scep peering passphrase myphrase

Product

Steelhead appliance

Related Topics

show protocol ssl scep peering

protocol ssl scep peering poll-frequency


Description

Configure the poll frequency.

Syntax

protocol ssl scep peering poll-frequency <minutes>

Parameters

<minutes>

Specify the poll frequency in minutes. The default value is 5.

Usage

The no command option disables this feature.

Example

amnesiac (config) # protocol ssl scep peering poll-frequency 5

Product

Steelhead appliance

Related Topics

show protocol ssl scep peering

protocol ssl scep peering trust


Description

Adds a peering trust for SCEP.

Syntax

[no] protocol ssl scep peering trust peering-ca <name>

Parameters

peering-ca <name>

Specify the name of the existing peering CA.

Usage

The no command option disables this feature.

Example

amnesiac (config) # protocol ssl scep peering trust peering-ca Wells_Fargo

Product

Steelhead appliance

Related Topics

show protocol ssl scep peering

protocol ssl scep peering url


Description

Configures the SCEP responder URL.

Syntax

protocol ssl scep peering url <url>

Parameters

<url>

Specify the URL of the SCEP responder. Use the following format:
http://host[:port]/path/to/service

Usage

The no command option disables this feature.

Example

amnesiac (config) # protocol ssl scep peering url http://examplehost:1212/pathtoservice

Product

Steelhead appliance

Related Topics

show protocol ssl scep peering

protocol ssl server


Description

Enables optimization for a specified SSL server and manages SSL certificates.

Syntax

[no] protocol ssl server ip <ip address> port <port> enable | change {
chain-cert ca <ca name> | cert <certificates>}
{export <cr> | include-key password <string>
{generate-cert [rsa] | key-size <512|1024|2048> common-name <string> country <string>
email <email address> locality <string> org <string> org-unit <string> state <string> valid-days <int>} |
{generate-csr common-name <string> country <string> email <email address> locality
<string> org <string> org-unit <string> state <string>} |
{import-cert <certificate> [import-key <string>] password <string>}
{import-cert-key <certkey> password <string>}
}

Parameters

ip <ip address> port <port>

Specify the IP address and port for an SSL server.

enable

Enable or change optimization on the specified SSL server.
no protocol ssl server ip <ip address> port <port> enable disables
optimization on the specified server.
Enter the carriage return to enable the server and configure certificates
later. Otherwise, include a generate-cert and generate-csr or import-cert
and import-cert-key command to configure SSL certificates.

{chain-cert ca <ca name> | cert <certificates>}

Configures and imports CA chain certificates.
Configure chain CA certificates if the clients (for example, the browsers)
do not have the complete or up-to-date chain of CA certificates to verify
the server's proxy certificate or if your organization requires recursive
authentication using intermediate Certificate Authorities.

change

Change optimization settings on the specified SSL server.

export <cr> | include-key password <string>

Export server certificate in PEM format. Specify the password to include
the private key.

generate-cert [rsa] | common-name <string> country <string> email <email address> key-size
<512|1024|2048> locality <string> org <string> org-unit <string> state <string> valid-days
<int>

[rsa]

Specify RSA encryption.

common-name <string>

Specify the certificate common name.

country <string>

Specify the certificate 2-letter country code.

email <email address>

Specify the email address of the contact person.

key-size <512|1024|2048>

Specify the key size.

locality <string>

Specify the city.

org-unit <string>

Specify the organization name (for example, the company).

state <string>

Specify the state. You cannot use abbreviations.

valid-days <int>

Specify how many days the certificate is valid. If you omit valid-days,
the default is 2 years.

generate-csr common-name <string> country <string> email <email address> locality <string>
org <string> org-unit <string> state <string>

common-name <string>

Default to that in existing certificate.

country <string>

Default to that in existing certificate.

email <email address>

Default to that in existing certificate.

locality <string>

Default to that in existing certificate.

org <string>

Default to that in existing certificate.

org-unit <string>

Default to that in existing certificate.

state <string>

Default to that in existing certificate.

import-cert <certificate> [import-key <string>] password <string>

<certificate>

Specify the certificate string. (X509 PEM-format field names.)

import-key <private-key>

Specify the private key string in PEM format.

password <string>

Specify a decryption password.

import-cert-key <certkey> <cr> password <string>

<certkey>

Specify the existing private key in PEM format to import the key.
(These are X509 PEM-format field names.)
NOTE: You must specify the private key regardless
of whether you are adding or updating.

password <password>

Specify a decryption password.

Usage

Add or change SSL servers to your deployment. You must generate or import certificates and
private keys for the server.
You must configure each distinct server IP address and port combination that the client may
connect to. For example, if https://intranet resolves to one of three different server IP addresses,
you must configure an SSL server for each of the IP addresses. The same certificate and private
key can be used for each, but three separate server configurations must be created.
NOTE: Optimization will not occur for a particular server IP address and port unless that server is
configured on the server-side Steelhead appliance. The client-side in-path rules must also be
defined.
When you configure the back-end server proxy certificate and key on the server-side Steelhead
appliance, if you choose not to use the back-end server's actual certificate and key, you can use a
self-signed certificate and key or another CA-signed certificate and key. If you have a CA-signed
certificate and key, import it.
If you do not have a CA-signed certificate and key, you can add the proxy server configuration
with a self-signed certificate and key, back up the private key, generate a CSR, have it signed by a CA,
and import the newly CA-signed certificate and the backed up private key.
TIP: To back up a single certificate and key pair (that is, the peering certificate and key pair and a
single server's certificate and key) use the export option. Make sure you include the private key
and enter the encryption password. Save the exported file that contains the certificate and the
encrypted private key.
Alternatively, you can use the generated self-signed certificate and key, but doing so might be
undesirable because, by default, the clients will not trust it, and end-user action would be
required.

Example

minna (config) # protocol ssl server ip 10.1.1.1 port 443 enable


minna (config) # protocol ssl server ip 10.1.1.1 port 443 generate-cert rsa commonname Company-Wide country US email root@company.com key-size 2048 locality en validdays 360 generate-csr common-name Company-Wide country USA email root@company.com
locality en org Company org-unit all state California
minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ssl, show connections, show log


secure-vault
Description

Manages the secure vault password and unlocks the secure vault.

Syntax

secure-vault {[new-password <password> | reset-password <old password> | unlock <password>]}

Parameters

new-password <password>

Specify an initial or new password for the secure vault.

reset-password <old password>

Specify the old secure vault password to reset it.

unlock <password>

Specify the current password to unlock the secure vault.

Usage

The secure vault is an encrypted file system on the Steelhead appliance where all Steelhead
appliance SSL server settings, other certificates (the CA, peering trusts, and peering certificates)
and the peering private key are stored. The secure vault protects your SSL private keys and
certificates when the Steelhead appliance is not powered on.
You can set a password for the secure vault. The password is used to unlock the secure vault when
the Steelhead appliance is powered on. After rebooting the Steelhead appliance, SSL traffic is not
optimized until the secure vault is unlocked with the unlock <password> parameter.
Data in the secure vault is always encrypted, whether or not you choose to set a password. The
password is used only to unlock the secure vault.
To change the secure vault password
1. Reset the password with the reset-password <password> parameter.
2. Specify a new password with the new-password <password> parameter.

Example

minna (config) # secure-vault unlock mypassword


minna (config) #

Product

Steelhead appliance

Related Topics

show protocol ssl, show connections, show log


QoS Support Commands



qos classification burst


Description

Sets bandwidth for traffic bursts greater than the upper bandwidth limit. Available in the CLI
only.

Syntax

qos classification burst interface <wanX_X> size <int>

Parameters

interface
<wanX_X>

Specify the interface for which you want to set the burst size. For example,
wan0_0 or wan0_1.

size <int>

Specify a bandwidth size for traffic bursts greater than the upper limit.

Usage

This command sets the amount of burst allowed for real-time QoS classes at the link rate. During
this burst, all other traffic is suppressed. The formula for the burst rate is:
burst = 25% of (link-rate kb/sec * 1 sec)
Therefore, the burst rate changes as the link rate changes.

Example

minna (config) # qos classification burst wan0_0 2400


minna (config) #

Product

Steelhead appliance

Related Topics

show qos classification

qos classification class


Description

Creates or modifies a QoS class.

Syntax

[no] qos classification class [add | modify] class-name <classname> priority [realtime
|interactive | business | normal | low] min-pct <pct> upper-limit-pct <pct> conn-limit <num>
link-share <weight> queue [fifo | mxtcp | sfq]

Parameters

[add | modify]

Specifies whether to add or modify a new class.

class-name <classname>

Specify a name for the QoS class.

priority [realtime | interactive | business | normal | low]

Specifies a minimum guaranteed QoS priority level:
Real-Time. Specifies real-time traffic class. Traffic that is your highest priority should be
given this value.
Interactive. Specifies Interactive traffic class.
Business Critical. Specifies the business critical traffic class.
Normal Priority. Specifies normal priority traffic class.
Low Priority. Specifies low priority traffic class.
Priorities are listed in decreasing order of importance. These are minimum priority guarantees.
If better service is available, it is provided. For example, if a class is specified as Low
Priority and the higher priority classes are not active, then the Low Priority class is given the
highest possible priority for the current traffic conditions.

min-pct <pct>

Specifies the minimum amount of bandwidth given to a flow when there is bandwidth contention.
Flows that do not use all of their allocated minimum bandwidth will share this excess bandwidth
with other flows that exceed their minimum bandwidth allocation. All the classes combined cannot
exceed 100%. During contention for bandwidth, the class is guaranteed at least the amount
specified. It will receive more if there is unused bandwidth remaining. Must be a whole number
0-100.

upper-limit-pct <pct>

Optionally, specify the maximum amount (percentage) of allowed bandwidth a flow will receive
regardless of excess bandwidth available. All the classes combined cannot exceed 100%. Must be a
whole number 0-100.
The upper bandwidth limit does not apply to MX-TCP queues.

conn-limit <num>

Specifies a maximum number of connections the specified class will optimize. Connections over
this limit are passed through unoptimized.

link-share <weight>

Specifies how excess bandwidth is allocated to classes. Link share does not depend on the minimum
guaranteed bandwidth. By default, all the link shares are equal.
Classes with a larger weight will be allocated more of the excess bandwidth than classes with a
lower weight. Must be a whole number 0-100.
The link-share weight does not apply to MX-TCP queues.

queue [fifo | mxtcp | sfq]

Specify a queue policy:
fifo. All flows are transmitted in the order that they are received (first in, first out). Bursty
sources can cause long delays in delivering time-sensitive application traffic, and potentially to
network control and signaling messages.
mxtcp. MX-TCP optimizes TCP/IP traffic to provide more throughput for high-loss links or links
that have large bandwidth and high latency (Long Fat Networks). With MX-TCP, the TCP congestion
control algorithm is removed on the inner connections. This allows the link to be saturated in a
much faster time frame and eliminates the possibility of underutilizing the link.
If your network includes privately-owned links dedicated to HS-TCP traffic (or rate-based TCP),
you can create a QoS queue policy that prioritizes TCP traffic. This queue policy, called MX-TCP,
forwards TCP traffic regardless of congestion or packet loss. You should assign QoS rules that
incorporate this policy only to links where HS-TCP is of exclusive importance. MX-TCP is coupled
with QoS as a class option. Any class that is defined on the Steelhead appliance can be MX-TCP
enabled. You can only configure rules for MX-TCP classes that contain optimized traffic (no
pass-through support). MX-TCP classes cannot be configured to contain more bandwidth than the
license limit. The QoS parameters, link-share weight and upper bandwidth limit do not apply to
MX-TCP queues.
sfq. SFQ is the default queue for all classes. SFQ services all flows in a round-robin fashion,
reducing the latency for competing flows. SFQ ensures that each flow has fair access to network
resources and prevents a bursty flow from consuming more than its fair share of output bandwidth.
To prevent shorter flows from experiencing the long latency of waiting for the queue to drain
before it receives its turn, SFQ allows new flows to cut in line. To reduce latency for competing
flows, SFQ services all flows in a round-robin fashion.

Usage

The Steelhead appliance allows you to decouple priority (in terms of delay) from the bandwidth
allocation. This provides the flexibility needed to support varying degrees of priority and
bandwidth traffic patterns, such as high-priority, low-bandwidth traffic patterns (for example,
Telnet). Many QoS schemes use the term priority to specify how to control the excessive
bandwidth among different classes. In the Steelhead appliance, priority actually refers to traffic
delays and excessive bandwidth is shared, proportional to the minimum bandwidth guaranteed
for a specific class.
You must enable QoS classification and set the bandwidth link rate for the WAN interface before
you create a QoS class.
The no command option deletes the QoS class.

Example

minna (config) # qos classification class add class-name example priority realtime min-pct 20 parent myparent

Product

Steelhead appliance

Related Topics

show qos classification
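
The parameter limits and the Usage statement that excess bandwidth is shared in proportion to each class's guaranteed minimum can be checked before a class plan is typed into the CLI. The following is an added example, not part of the Riverbed manual or the appliance software; the class names, demand figures and the allocate() model are assumptions (a simplified contention model that ignores link-share and priority), and the 1200 kbps link rate is a sample value.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Optional

PRIORITIES = {"realtime", "interactive", "business", "normal", "low"}
QUEUES = {"fifo", "mxtcp", "sfq"}


@dataclass
class QosClass:
    name: str
    priority: str
    min_pct: int
    upper_limit_pct: Optional[int] = None  # optional on the CLI
    link_share: Optional[int] = None       # validated only; not used by allocate()
    queue: str = "sfq"                     # SFQ is the documented default queue


def lint(classes: List[QosClass]) -> List[str]:
    """Check a class plan against the limits stated in the parameter table."""
    findings = []
    for c in classes:
        if c.priority not in PRIORITIES:
            findings.append(f"{c.name}: unknown priority {c.priority!r}")
        if c.queue not in QUEUES:
            findings.append(f"{c.name}: unknown queue {c.queue!r}")
        for label, value in (("min-pct", c.min_pct),
                             ("upper-limit-pct", c.upper_limit_pct),
                             ("link-share", c.link_share)):
            if value is not None and not (isinstance(value, int) and 0 <= value <= 100):
                findings.append(f"{c.name}: {label} must be a whole number 0-100")
        if c.queue == "mxtcp" and (c.upper_limit_pct is not None or c.link_share is not None):
            findings.append(f"{c.name}: upper-limit-pct and link-share do not apply to MX-TCP")
    total = sum(c.min_pct for c in classes if isinstance(c.min_pct, int))
    if total > 100:
        findings.append(f"min-pct values add up to {total}%, above the 100% allowed")
    return findings


def allocate(classes: List[QosClass], link_rate_kbps: int,
             demand_kbps: Dict[str, int]) -> Dict[str, Fraction]:
    """Assumed model: every class first gets min(demand, guaranteed minimum);
    leftover bandwidth is then shared among classes that still want more,
    in proportion to min-pct, never past upper-limit-pct or the demand."""
    link = Fraction(link_rate_kbps)
    cap = {}
    for c in classes:
        limit = link
        if c.upper_limit_pct is not None and c.queue != "mxtcp":
            limit = link * c.upper_limit_pct / 100
        cap[c.name] = min(Fraction(demand_kbps.get(c.name, 0)), limit)
    alloc = {c.name: min(cap[c.name], link * c.min_pct / 100) for c in classes}
    spare = link - sum(alloc.values())
    hungry = [c for c in classes if alloc[c.name] < cap[c.name]]
    while spare > 0 and hungry:
        weight = sum(c.min_pct for c in hungry)
        if weight == 0:
            break  # only classes without a guaranteed minimum are left
        grants = {c.name: min(spare * c.min_pct / weight, cap[c.name] - alloc[c.name])
                  for c in hungry}
        for name, grant in grants.items():
            alloc[name] += grant
        spare -= sum(grants.values())
        hungry = [c for c in hungry if alloc[c.name] < cap[c.name]]
    return alloc


# Constructed sample plan; min-pct values add up to exactly 100.
PLAN = [
    QosClass("voice", "realtime", 20, upper_limit_pct=30),
    QosClass("business", "business", 50),
    QosClass("bulk", "low", 30),
]

if __name__ == "__main__":
    print(lint(PLAN))
    shares = allocate(PLAN, 1200, {"voice": 100, "business": 900, "bulk": 900})
    for name, kbps in shares.items():
        print(f"{name}: {float(kbps)} kbps")
```
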

qos classification enable


Description

Enables the QoS feature. The QoS classification feature allows you to prioritize both optimized
and pass-through traffic going through this appliance.

Syntax

[no] qos classification enable

Parameters

None

Usage

The no command option disables QoS.

Example

minna (config) # qos classification enable


minna (config) #

Product

Steelhead appliance

Related Topics

show qos classification

qos classification link-rate


Description

Sets the bandwidth link-rate for the specified WAN interface.

Syntax

qos classification link-rate interface <interface> rate <kbps>

Parameters

<interface>

Specifies the interface for which to set the link rate.

<kbps>

Specifies the link rate in kbps.

Usage

This is the bottleneck WAN bandwidth, not the interface speed out of the WAN interface into the
router or switch. For example, if your Steelhead appliance connects to a router with a 100 Mbps
link, do not specify this value; specify the actual WAN bandwidth (for example, T1, T3).
Different WAN interfaces can have different WAN bandwidths; this value must be correctly
entered for QoS to function correctly.
The percentage of excess bandwidth given to a class is relative to the percentage of minimum
bandwidth allocated to the class.


Example

minna (config) # qos classification link-rate interface wan0_0 rate 1200


minna (config) #

Product

Steelhead appliance

Related Topics

show qos classification

qos classification queue


Description

Sets the QoS queue settings.

Syntax

qos classification queue classname <classname>

Parameters

classname
<classname>

Specifies the QoS queue length class name.

Usage
Example

minna (config) # qos classification queue classname test


minna (config) #

Product

Steelhead appliance

Related Topics

show qos classification

qos classification rule add


Description

Adds a QoS classification rule.

Syntax

[no] qos classification rule add {rulenum <priority> class-name <class> traffic-type [optimized
| passthrough] source subnet <subnet/mask> port <port> destination subnet <subnet/mask>
port <port>} [dscp <dscp> | vlan <vlan>]

Parameters

rulenum <priority>

Specifies the order in which the rule is processed in the rules list.
Steelhead appliances evaluate rules in numerical order starting with
rule 1. If the conditions set in the rule match, then the rule is applied,
and the system moves on to the next packet. If the conditions set in the
rule do not match, the system consults the next rule. For example, if the
conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches
the conditions, it is applied, and no further rules are consulted.

class-name <class>

Specifies the class to which the rule applies. If the rule matches, the
specified rule sends the packet to this class.

traffic-type [optimized | passthrough]

Specifies the type of traffic: optimized or passthrough. QoS rules are applied to optimized and
pass-through (egress only) traffic.

source subnet <subnet/mask>

Specifies the subnet and mask in the following format: 1.2.3.4/123.

port <port>

Specifies the port number. Port labels and port ranges are also supported on v4.x.

destination subnet <subnet/mask>

Specifies the subnet and mask in the following format: 1.2.3.4/123.

port <port>

Specifies the port number. Port labels and port ranges are also supported on v4.x.

dscp <dscp>

Optionally, specify a DSCP level (0-63).

vlan <vlan>

Optionally, specify the VLAN tag ID.

Usage

A class configured for the MX-TCP queue cannot be modified to use another queue. If you need to
change the MX-TCP queue, you must first delete the class and associated rules, then recreate them
with the appropriate queue.
IMPORTANT: If you delete or add new rules, existing optimized connections are not affected. The
changes only affect new optimized connections.
The no command option disables the rule.

Example

minna (config) # qos classification rule add rulenum 1 class-name WorldWide traffic-type passthrough source subnet 192.12.12.1 port 80 destination subnet 192.12.12.1 port 80
minna (config) #

Product

Steelhead appliance

Related Topics

show qos classification

qos classification rule move


Description

Moves the order of the rule in the rule list to the specified number.

Syntax

qos classification rule move rulenum <rule> to <rule>

Parameters

<rule>

Specifies the order in which rules are evaluated.

Example

minna (config) # qos classification rule move rulenum 2 to 1
minna (config) #

Product

Steelhead appliance

Related Topics

show qos classification

qos dscp edit-rule


Description

Modifies the description of the rule. DSCP markings are applied to optimized and pass-through
(egress only) traffic. The rules appear in separate lists according to the traffic type.

Syntax

[no] qos dscp edit-rule {traffic-type [optimized | passthrough] rulenum <rule-num> description <description>}

Parameters

traffic-type [optimized | passthrough]

Specifies the type of traffic: optimized or passthrough. DSCP marking is applied to optimized and
pass-through (egress only) traffic.

rulenum <rule-num>

Specifies the rule number.

description
<description>

Type a string to describe the rule.


Usage

After you map a destination port and a DSCP level, every packet corresponding to the connection
with that destination port has the DSCP field set to that value in the forward and backward
direction. On the WAN side of the Steelhead appliance, you configure a network router or a traffic
shaper to prioritize packets according to the value in the DSCP field before they are sent across the
WAN.
NOTE: Optimized traffic is marked in both directions, but pass-through traffic is marked only on
the egress traffic.
The no command option removes the description.

Example

minna (config) # qos dscp edit-rule rulenum 1 description PassThroughSecure


minna (config) #

Product

Steelhead appliance

Related Topics

show qos classification

qos dscp move-rule


Description

Moves the order of the DSCP mapping rule in the rule list to the specified number.

Syntax

qos dscp move-rule traffic type optimized | passthrough rulenum <rule> to <rule>

Parameters

<rule>

Specifies the order in which rules are evaluated.

Usage

You specify an ordered list of rules where each rule is the DSCP level used on the inner connection
for connections matching the source IP subnet, the destination IP subnet and, optionally, the
destination port fields.
Steelhead appliances evaluate rules in numerical order starting with rule 1. If the conditions set in
the rule match, then the rule is applied, and the system moves on to the next packet. If the
conditions set in the rule do not match, the system consults the next rule. For example, if the
conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied,
and no further rules are consulted.

Example

minna (config) # qos dscp move-rule rulenum 2 to 1


minna (config) #

Product

Steelhead appliance

Related Topics

show qos classification
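
Because rules are evaluated in numerical order and the first match wins, as described for both qos classification rule add and qos dscp move-rule, a broad rule placed early silently hides every narrower rule behind it. The following is an added example, not part of the Riverbed manual or the appliance software: it models first-match evaluation, reports shadowed rules, and shows the effect of a move. The Rule fields, the sample rules, and the renumbering performed by move() are assumptions.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    rulenum: int
    src: str                  # source subnet, CIDR notation
    dst: str                  # destination subnet, CIDR notation
    dst_port: Optional[int]   # None stands for "all ports"
    target: str               # QoS class name or DSCP level


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def _ordered(rules: List[Rule]) -> List[Rule]:
    return sorted(rules, key=lambda r: r.rulenum)


def first_match(rules: List[Rule], src_ip: str, dst_ip: str,
                dst_port: int) -> Optional[Rule]:
    """Return the lowest-numbered rule that matches; later rules are not consulted."""
    for rule in _ordered(rules):
        if (ipaddress.ip_address(src_ip) in _net(rule.src)
                and ipaddress.ip_address(dst_ip) in _net(rule.dst)
                and rule.dst_port in (None, dst_port)):
            return rule
    return None


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every connection matched by 'later' is already matched by 'earlier'."""
    return (_net(later.src).subnet_of(_net(earlier.src))
            and _net(later.dst).subnet_of(_net(earlier.dst))
            and (earlier.dst_port is None or earlier.dst_port == later.dst_port))


def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """List (shadowed rulenum, shadowing rulenum) pairs: rules that can never match."""
    ordered = _ordered(rules)
    result = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, later):
                result.append((later.rulenum, earlier.rulenum))
                break
    return result


def move(rules: List[Rule], frm: int, to: int) -> List[Rule]:
    """Model of 'rule move rulenum <frm> to <to>'; renumbering from 1 is an assumption."""
    ordered = _ordered(rules)
    moving = next(r for r in ordered if r.rulenum == frm)
    ordered.remove(moving)
    ordered.insert(to - 1, moving)
    return [replace(r, rulenum=i) for i, r in enumerate(ordered, 1)]


# Constructed sample rule list: rule 1 is broad, rule 2 is the specific case behind it.
RULES = [
    Rule(1, "10.0.0.0/8", "0.0.0.0/0", None, "Bulk"),
    Rule(2, "10.1.2.0/24", "0.0.0.0/0", 443, "Interactive"),
    Rule(3, "192.168.0.0/16", "0.0.0.0/0", 80, "Web"),
]

if __name__ == "__main__":
    print(first_match(RULES, "10.1.2.5", "203.0.113.10", 443).target)
    print(shadowed(RULES))
    fixed = move(RULES, 2, 1)
    print(first_match(fixed, "10.1.2.5", "203.0.113.10", 443).target)
    print(shadowed(fixed))
```
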


qos dscp rule


Description

Maps a service port to a QoS DSCP level based on the source IP subnet, the destination IP subnet,
destination port, and rule number. The QoS marking enables you to enforce a DSCP level for
optimized and pass-through (egress only) connections. Optimized and pass-through rules are
displayed in separate rule lists.
The DSCP level corresponds to the DiffServ DSCP field in the IP packet header. After you map a
source-destination-port pattern and a DSCP level, every packet corresponding to the connection
with that destination port has the DSCP field set to that value in the forward and backward
direction. On the WAN side of the Steelhead appliance, you configure a network router or a traffic
shaper to prioritize packets according to the value in the DSCP field before they are sent across the
WAN.
NOTE: Optimized traffic is marked in both directions, but pass-through traffic is marked only on
the egress traffic.

Syntax

[no] qos dscp rule traffic-type [optimized | passthrough] src <source IP> dest <destination IP>
[dest-port <port>] dscp <level> rulenum <rulenum>

Parameters

traffic-type [optimized | passthrough]

Specifies the type of traffic: optimized or passthrough.

<source IP>

Specifies the source IP subnet. You can use wild cards in this field.

<destination IP>

Specifies the destination IP subnet. You can use wild cards in this field.

dest-port <port>

Specifies the port on which to monitor. Port labels and port ranges are also supported on v4.x.
To configure QoS mapping for the FTP data channel, specify port 20. To configure QoS mapping for
the MAPI data channel, specify port 7830 and the corresponding DSCP level. The destination port
can be a single port (number), a port label, or all, which specifies all ports.

<level>

Specifies the DSCP level (0-63) or reflect.

<rulenum>

Specifies the rule number to insert before.

Usage

You specify an ordered list of rules where each rule is the DSCP level to use on the inner
connection for connections matching the source IP subnet, the destination IP subnet and,
optionally, the destination port fields.
After you map a service port and a DSCP level, every packet using that service port has the DSCP
field set to that value in the forward and backward direction. On the WAN side of the Steelhead appliance,
you can configure a network router or a traffic shaper to prioritize packets according to the value
in the DSCP field before they are sent across the WAN.
If you have already defined a DSCP level and you do not define one in the CLI, the Steelhead
appliance uses the existing DSCP level for the connection between the Steelhead appliances. If
you define a DSCP level in the CLI, the Steelhead appliance overrides the existing DSCP level and
the value that you defined is applied.
To configure QoS mapping for the FTP data channel, specify port 20 and the corresponding DSCP
level. To configure QoS mapping for the MAPI data channel, specify port 7830 and the
corresponding DSCP level.
The no qos rule rulenum <rulenum> command disables the QoS rule.


Example

minna (config) # qos dscp rule src 10.0.0.4 dest 10.0.0.1 dscp 12 rulenum 3
minna (config) #

Product

Steelhead appliance

Related Topics

show qos classification


Connection Pooling Commands



service connection pooling


Description

Enables a pool of connections to a peer Steelhead appliance. Connection pooling enables you to
save an extra round-trip for the initial connection setup. Connection pooling is useful for
protocols that open a number of short-lived connections, such as HTTP.

Syntax

[no] service connection pooling <addr> <value>

Parameters

<addr>

Specifies the IP address of the peer Steelhead appliance. The IP address of 0.0.0.0
identifies the group of all Steelhead appliance peers.

<value>

Specifies the connection pooling value for the Steelhead appliance peer. The
default value is 20.

Usage

Any change in the connection pooling parameter requires you to restart the Steelhead service.
The no command option disables connection pooling.

Example

minna (config) # service connection pooling 10.0.0.1 10


minna (config) #

Product

Steelhead appliance

Related Topics

show service connection pooling

service default-port
Description

Sets the default service port you want to use for connection pooling.

Syntax

service default-port <port>

Parameters

<port>

Specifies the new port.

Example

minna (config) # service default-port 7800
minna (config) #

Product

Steelhead appliance

Related Topics

show service connection pooling

WCCP Support Commands



wccp enable
Description

Enables WCCP support.

Syntax

[no] wccp enable

Parameters

None

Usage

You configure WCCP to redirect traffic to a Steelhead appliance or group of Steelhead appliances
so that the Steelhead appliances do not have to be physically in-path but can be virtually in-path
(that is, the Steelhead appliances are configured to be physically out-of-path devices while
optimizing traffic as if they were in-path devices), and to provide load balancing and failover
support.
For detailed information about configuring WCCP, see the Steelhead Appliance Deployment Guide.
The no command option disables WCCP support.

Example

minna (config) # wccp enable


minna (config) #

Product

Steelhead appliance

Related Topics

show wccp

wccp mcast-ttl
Description

Sets the multicast TTL parameter for WCCP. The TTL determines the range over which a
multicast packet is propagated in your intranet.

Syntax

[no] wccp mcast-ttl <value>

Parameters

<value>

Specifies the multicast-TTL value.

Usage

For detailed information about configuring WCCP, see the Steelhead Appliance Deployment Guide.
The no command option disables WCCP support.


Example

minna (config) # wccp mcast-ttl 10


minna (config) #

Product

Steelhead appliance

Related Topics

show wccp


wccp service-group
Description

Enables a WCCP service group. A service group is a group of routers and Steelhead appliances
which define the traffic to redirect, and the routers and Steelhead appliances the traffic goes
through.

Syntax

[no] wccp service-group <service-id> routers <routers> {assign-scheme [hash | mask] encap_scheme [either|gre|l2]| flags <flags> | password <password> | ports <ports> | priority <priority> | weight <weight>}

Parameters

service-group <service-id>

Specifies the service group identification number (ID) (from 0 to 255). The service group ID is
the number that is set on the router. A value of 0 specifies the standard http service group.

assign-scheme [hash | mask]

Specifies the redirection scheme to use:
either. Specifies either hash or mask. This is the default setting (hash first, then mask).
hash. Specifies a hash redirection scheme. Enabling hash allows you to load balance. A hash
assignment requires the first packet of each connection to be processed by the CPU, resulting in
slightly lower performance.
mask. Specifies a mask redirection scheme. In mask assignment the first packet is processed in
the hardware, so there is less CPU utilization, resulting in better performance.

routers <routers>

A comma-separated list of router IPs (maximum of 32).

encap_scheme [either|gre|l2]

Specifies the traffic forwarding and redirection scheme:
gre. Generic Routing Encapsulation (gre).
l2. Layer-2 redirection.
either. Layer-2 first; if Layer-2 is not supported, then gre.

flags <flags>

Specifies the fields the router hashes on and whether certain ports should be redirected.
Specify a combination of src-ip-hash, dst-ip-hash, src-port-hash, dst-port-hash,
ports-dest, ports-source.

ports <ports>

Specifies a comma-separated list of up to seven ports that the router will redirect.
Use only if the ports-dest or ports-source service flag is set.

priority <priority>

Specifies the WCCP priority for traffic redirection. If a connection matches multiple service
groups on a router, the router chooses the service group with the highest priority. The range is
0-255. The default value is 200.

password <password>

Specifies the WCCP password. This password must be the same as the password
on the router. (WCCP requires that all routers in a service group have the same
password.) Passwords are limited to eight characters.

weight <weight>

Specifies how often the traffic is redirected to a particular Steelhead appliance. A higher
weight redirects more traffic to that Steelhead appliance. The ratio of traffic redirected to a
Steelhead appliance is equal to its weight divided by the sum of the weights of all the Steelhead
appliances in the same service group. For example, if there are two Steelhead appliances in a
service group and one has a weight of 100 and the other has a weight of 200, the one with the
weight 100 receives 1/3 of the traffic and the other receives 2/3 of the traffic. The range is
0-65535. The default value corresponds to the number of TCP connections your appliance supports.

Usage

To enable WCCP, the Steelhead appliance must join a service group at the router. A service group
is a group of routers and Steelhead appliances which define the traffic to redirect, and the routers
and Steelhead appliances the traffic goes through.
To enable failover support with WCCP groups, define the service group weight to be 0 on the
backup Steelhead appliance. If one Steelhead appliance has a weight 0, but another one has a
nonzero weight, the Steelhead appliance with weight 0 does not receive any redirected traffic. If
all the Steelhead appliances have a weight 0, the traffic is redirected equally among them.
If the source or destination flags are set, the router redirects only the TCP traffic that matches the
source or destination ports specified.
The Steelhead appliance now supports mask-based redirection to a single Steelhead appliance
using the WCCP protocol.
To enable mask-based redirection, use the assign-scheme option in the wccp service-group CLI
command. For example:
minna (config) # wccp service-group 91 routers 10.58.1.1 assign-scheme mask

For detailed information about configuring WCCP in Riverbed deployments, see the Steelhead
Appliance Deployment Guide.
For detailed information about WCCP, see the Cisco documentation Web site at
http://www.cisco.com/univercd/home/home.htm.
The no command option disables WCCP support.

Example

minna (config) # wccp service-group 999 routers 10.0.0.0 assign-scheme mask


minna (config) #

Product

Steelhead appliance

Related Topics

show wccp
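
The parameter limits and the weight rules above (share equals weight divided by the sum of weights, a weight-0 backup receives nothing while any peer has a nonzero weight, and equal shares when all weights are 0) can be checked before the service group is configured. The following is an added example, not part of the Riverbed manual or the appliance software; the function names, appliance names and sample values are assumptions.

```python
import ipaddress
from fractions import Fraction
from typing import Dict, Iterable, List, Optional

SERVICE_FLAGS = {"src-ip-hash", "dst-ip-hash", "src-port-hash",
                 "dst-port-hash", "ports-dest", "ports-source"}


def validate_service_group(service_id: int, routers: List[str],
                           flags: Iterable[str] = (), ports: Iterable[int] = (),
                           priority: int = 200, weight: Optional[int] = None,
                           password: Optional[str] = None,
                           assign_scheme: str = "either",
                           encap_scheme: str = "either") -> List[str]:
    """Check wccp service-group arguments against the documented limits."""
    findings = []
    flags, ports = set(flags), list(ports)
    if not 0 <= service_id <= 255:
        findings.append("service-id must be 0-255")
    if not 1 <= len(routers) <= 32:
        findings.append("routers must list 1 to 32 addresses")
    for router in routers:
        try:
            ipaddress.ip_address(router)
        except ValueError:
            findings.append(f"router {router!r} is not an IP address")
    if flags - SERVICE_FLAGS:
        findings.append(f"unknown flags: {sorted(flags - SERVICE_FLAGS)}")
    if ports and not flags & {"ports-dest", "ports-source"}:
        findings.append("ports given but neither ports-dest nor ports-source is set")
    if len(ports) > 7:
        findings.append("at most seven ports can be redirected")
    if not 0 <= priority <= 255:
        findings.append("priority must be 0-255")
    if weight is not None and not 0 <= weight <= 65535:
        findings.append("weight must be 0-65535")
    if password is not None and len(password) > 8:
        findings.append("password is limited to eight characters")
    if assign_scheme not in {"either", "hash", "mask"}:
        findings.append("assign-scheme must be either, hash or mask")
    if encap_scheme not in {"either", "gre", "l2"}:
        findings.append("encap_scheme must be either, gre or l2")
    return findings


def traffic_shares(weights: Dict[str, int]) -> Dict[str, Fraction]:
    """Share of redirected traffic per appliance in one service group."""
    if not weights:
        return {}
    total = sum(weights.values())
    if total == 0:
        # All weights are 0: traffic is redirected equally among the appliances.
        return {name: Fraction(1, len(weights)) for name in weights}
    return {name: Fraction(w, total) for name, w in weights.items()}


def shares_after_failure(weights: Dict[str, int], failed: Iterable[str]) -> Dict[str, Fraction]:
    """Shares once the named appliances have left the service group."""
    gone = set(failed)
    return traffic_shares({n: w for n, w in weights.items() if n not in gone})


# Constructed sample: a primary appliance and a weight-0 backup.
PAIR = {"primary": 100, "backup": 0}

if __name__ == "__main__":
    print(validate_service_group(91, ["10.58.1.1"], assign_scheme="mask"))
    print(traffic_shares({"sh-a": 100, "sh-b": 200}))
    print(traffic_shares(PAIR))
    print(shares_after_failure(PAIR, ["primary"]))
```
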


Failover Support Commands



failover buddy addr


Description

Sets the IP address for a failover buddy appliance. A failover buddy is a backup appliance. If the
master fails, the buddy takes over.

Syntax

failover buddy addr <addr>

Parameters

<addr>

Specifies the IP address for the failover, backup machine. The default value is
0.0.0.0.
If you have installed multiple bypass cards, you must specify the IP address for
the inpath0_0 slot.

Usage

The default value is 0.0.0.0.


The no command option resets the failover IP address to the default value.

Example

minna (config) # failover buddy addr 10.10.10.1


minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show failover

failover buddy port


Description

Sets the port for a failover buddy appliance. A failover buddy is a backup appliance. If the master
fails, the buddy takes over.

Syntax

failover buddy port <port>

Parameters

<port>

Specifies the port number.

Usage

The default value is 7820.
You cannot specify the failover buddy port for the Interceptor appliance.
The no command option resets the port to the default value.

Example

minna (config) # failover buddy port 2515


minna (config) #

Product

Steelhead appliance

Related Topics

show failover

failover enable
Description

Enables a failover buddy appliance. A failover buddy is a backup appliance. If the master fails,
the buddy takes over.

Syntax

[no] failover enable

Parameters

None


Usage

In an in-path deployment, to use failover mode, you configure a pair of Steelhead appliances, one
as a master and the other as a backup. The master and backup Steelhead appliances are
configured statically with their partner's information. When you enable failover mode, the master
Steelhead appliance in the pair is active and the backup Steelhead appliance is passive. The
master Steelhead appliance is active unless it fails for some reason; the backup is passive while the
master is active and becomes active if and only if the master fails. A backup Steelhead appliance
will not intercept traffic while the master appliance is active. It pings the master Steelhead
appliance to make sure that it is alive and processing data. If the master Steelhead appliance fails,
the backup takes over, and starts processing all the connections. When the master Steelhead
appliance comes back up, it sends a message to the backup that it has recovered. Then, the backup
Steelhead appliance stops processing new connections (but continues to serve old ones until they
end).
In an out-of-path, failover deployment, you deploy two Steelhead appliances and use a
fixed-target rule to define main and backup targets. When both Steelhead appliances are functioning
properly, the connections traverse the master appliance. If the master Steelhead appliance fails,
subsequent connections traverse the backup Steelhead appliance.
On the master appliance, you must specify valid values for this buddy IP address and buddy port
before this command can complete.
The no command option disables failover.

Example

minna (config) # failover enable


minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show failover

failover master
Description

Sets the appliance as the master appliance of a failover pair. If the master fails, traffic is routed
automatically through the failover buddy.

Syntax

[no] failover master

Parameters

None

Usage

You must specify valid values for the buddy IP address and buddy port.
The no command option sets the appliance as the failover buddy.

Example

minna (config) # failover master


minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show failover


failover port
Description

Sets the port on the master appliance with which to communicate with the failover buddy
appliance. A failover buddy is a backup appliance. If the master fails, the buddy takes over.

Syntax

failover port <port>

Parameters

<port>

Specifies the port number.

Usage

The default value is 7820.
The no command option resets the port to the default value.


Example

minna (config) # failover port 2515


minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show failover


Data Replication Commands



datastore anchor-select
Description

Enables an anchor selection algorithm that discards margin segments without writing them to
disk. Enabling anchor selection based on contiguous segments decreases pressure on the disk and
improves performance.
Before you enable the set of data replication commands, please contact Riverbed Technical
Support at https://support.riverbed.com.

Syntax

[no] datastore anchor-select {1 | 0}

Parameters

{1 | 0}

Specify 1 to turn on anchor selection; specify 0 to turn off anchor selection.

Usage

The no command option disables anchor selection.

Use this command if you are experiencing a gradual decline in optimization over time when using
DR applications.
For detailed information about the set of data replication commands, please contact Riverbed
Technical Support at https://support.riverbed.com.

Example

minna (config) # datastore anchor-select 1

Product

Steelhead appliance

Related Topics

datastore disklayout, datastore use-one-defer-q

datastore disklayout
Description

Selects data store replacement policy.


Before you enable the set of data replication commands, please contact Riverbed Technical
Support at https://support.riverbed.com.

Syntax

[no] datastore disklayout <fifo | rvbdlru>

Parameters

<fifo | rvbdlru>

fifo. Enables FIFO data replacement. This is the default method.
rvbdlru. Enables LRU data replacement. This method replaces the least frequently used data in
the data store, which improves hit rates if all data in the data store are not equally used.

Usage

The no command option disables LRU data replacement.
If, gradually over time, you experience sharp throughput degradation even though the data
reduction numbers continue to be good, use this command.
For detailed information about the set of data replication commands, please contact Riverbed
Technical Support at https://support.riverbed.com.
IMPORTANT: Enabling the LRU disk layout method may cause the data store wrap warning to
occur earlier than expected when using the FIFO replacement policy. This is expected behavior.

Example

minna (config) # datastore disklayout rvbdlru

Product

Steelhead appliance

Related Topics

datastore anchor-select, datastore use-one-defer-q


datastore disk read-pressure


Description

Sets the disk read pressure values.


Before you enable the set of data replication commands, please contact Riverbed Technical
Support at https://support.riverbed.com.

Syntax

[no] datastore disk read-pressure {interval <seconds>}

Parameters

{interval <seconds>}

Specify the read pressure value in seconds.

Usage

The no command option disables read pressure.

Use this command if you are experiencing a gradual decline in optimization over time when using
DR applications.
For detailed information about the set of data replication commands, please contact Riverbed
Technical Support at https://support.riverbed.com.

Example

minna (config) # datastore disk read-pressure interval 90

Product

Steelhead appliance

Related Topics

FIPS/CC Compliance Commands, FIPS/CC Compliance Commands

datastore use-one-defer-q
Description

The no option enables dual queues of the disk I/O subsystem to give priority to writes over reads
when the disk is backed up, to free memory.
Before you enable the set of data replication commands, please contact Riverbed Technical
Support at https://support.riverbed.com.

Syntax

[no] datastore use-one-defer-q

Parameters

None

Usage

Use this command if you are experiencing a gradual decline in optimization over time when using
DR applications.
For detailed information about the set of data replication commands, please contact Riverbed
Technical Support at https://support.riverbed.com.

Example

minna (config) # no datastore use-one-defer-q

Product

Steelhead appliance

Related Topics

datastore disklayout, datastore anchor-select

FIPS/CC Compliance Commands


The following section describes the CLI commands for Federal Information Processing Standards (FIPS)
and Common Criteria for Information Technology Security Evaluation (CC) compliance.


For detailed information about configuring the Steelhead appliance for FIPS-mode, see the FIPS/CC
Administrators Guide.

fips bootloader password


Description

Sets the boot order.

Syntax

fips bootloader password <password>

Parameters

<password>

Specify the boot loader password.

Usage

This command ensures that the Steelhead appliance does not allow changes to the boot order so
that the system is FIPS/CC compliant.
The reset factory command automatically sets the boot order. If you have been running the
Steelhead appliance in non-FIPS mode, you must execute the reset factory command to return the
system to the factory default settings. For detailed information about configuring a FIPS-mode
system, see the FIPS/CC Administrators Guide.

Example

minna (config) # fips bootloader password myfipspassword

Product

Steelhead appliance

Related Topics

show info

reset factory
Description

Resets all configurable parameters in the Steelhead appliance to the manufactured default settings
and halts the appliance.

Syntax

[no] reset factory [reload]

Parameters

reload

Reboots the system. You must reboot the system after executing the reset
factory command.

Usage

The reset factory reload command ensures that the Steelhead appliance is FIPS/CC compliant by
resetting the appliance to its default manufactured state, thereby eliminating sensitive security
parameters and features that are unsupported by FIPS/CC.
For FIPS/CC compliance, many RiOS features must be disabled (for example, IPSec, Telnet access,
SNMPv2 and v3, and HTTP). Because many of these features are disabled by default, you do not
need to take any action to be FIPS/CC compliant. However, if you have been running the
Steelhead appliance in non-FIPS/CC mode, you must execute the reset factory command to reset
all Steelhead appliance configurable parameters to their default settings.
After you execute the reset factory command and reboot the system, you must reconfigure the
system using the configuration wizard. The configuration wizard appears automatically after you
reboot the system. In addition, you must enable features such as HTTPS, TLSv1, SSH v2, and
configure FIPS/CC approved ciphers. You must also configure your system so that it is FIPS/CC
compliant for Web and remote CLI access.
For complete instructions about configuring a FIPS/CC-mode system, see the FIPS/CC
Administrators Guide.

Example

minna (config) # reset factory reload

Product

Steelhead appliance

Related Topics

show info


ssh server v2-only enable


Description

Configures the SSH server to accept only v2 connections of the SSH protocol.

Syntax

[no] ssh server v2-only enable

Parameters

None

Usage

FIPS-mode requires that remote SSH daemon connections use v2 of the SSH protocol. FIPS/CC
mandates that remote SSH daemon connections do not use v1.33 or v1.5 of the SSH protocol.
These versions of the SSH protocol are not considered cryptographically safe according to FIPS/CC.
To verify the system is running SSH v2, telnet to the system and execute the following command:
# telnet perf4-sh5 22
Trying 10.0.12.2...
Connected to perf4-sh5.tech.com (10.0.12.2).
Escape character is '^]'.
SSH-2.0-OpenSSH_5.2

For detailed information about configuring a FIPS/CC-mode system, see the FIPS/CC
Administrators Guide.
Example

minna (config) # ssh server v2-only enable

Product

Steelhead appliance

Related Topics

show ssh server
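
The banner check from the ssh server v2-only enable usage notes, scripted so it can run against many appliances. This is an added example, not Riverbed code; it also distinguishes the 1.99 announcement, which RFC 4253 defines for servers that still accept SSH v1 clients. The function names and every sample banner except SSH-2.0-OpenSSH_5.2 are constructed for illustration.

```python
import re
import socket

# RFC 4253 section 4.2: SSH-protoversion-softwareversion SP comments CR LF
_IDENT = re.compile(r"^SSH-(?P<proto>[^-\s]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


def classify_banner(line):
    """Classify one SSH identification line.

    Returns (verdict, protoversion, softwareversion); verdict is one of
    "v2-only", "v1-compatible", "v1-only", "unknown" or "not-ssh".
    """
    match = _IDENT.match(line.rstrip("\r\n"))
    if not match:
        return ("not-ssh", None, None)
    proto = match.group("proto")
    if proto == "2.0":
        verdict = "v2-only"
    elif proto == "1.99":
        # RFC 4253 section 5.1: a server that also accepts 1.x clients announces 1.99.
        verdict = "v1-compatible"
    elif proto.startswith("1."):
        verdict = "v1-only"
    else:
        verdict = "unknown"
    return (verdict, proto, match.group("software"))


def find_identification(lines):
    """Skip any free-text lines a server sends before its identification string."""
    for line in lines:
        if line.startswith("SSH-"):
            return classify_banner(line)
    return ("not-ssh", None, None)


def probe(host, port=22, timeout=5.0, max_lines=20):
    """Connect, read the server's identification string and classify it."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for _ in range(max_lines):
            raw = reader.readline(256)  # RFC 4253 caps the line at 255 bytes
            if not raw:
                break
            lines.append(raw.decode("ascii", errors="replace"))
            if raw.startswith(b"SSH-"):
                break
    return find_identification(lines)


def compliant(verdict):
    """Only a pure 2.0 announcement satisfies the v2-only requirement."""
    return verdict == "v2-only"


# Sample banners: the first is the one in the telnet session above, the rest are constructed.
SAMPLES = [
    "SSH-2.0-OpenSSH_5.2\r\n",
    "SSH-1.99-OpenSSH_3.9p1\r\n",
    "SSH-1.5-1.2.27\r\n",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        verdict, proto, software = classify_banner(banner)
        status = "OK" if compliant(verdict) else "FAIL"
        print(f"{status:4} {verdict:13} proto={proto} software={software}")
```
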

ssh server allowed-ciphers


Description

Configures SSH server allowed ciphers.

Syntax

[no] ssh server allowed-ciphers <cipher list>

Parameters

<cipher list>

Specify the FIPS/CC approved cipher. Use a comma separated list.

Usage

FIPS-mode requires the use of strong ciphers. Use this command to configure FIPS/CC compliant
ciphers.
For detailed information about configuring a FIPS/CC-mode system, see the FIPS/CC
Administrators Guide.

Example

minna (config) # ssh server allowed-ciphers aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr

Product

Steelhead appliance

Related Topics

show ssh server allowed-ciphers


sport fail-to-bypass enable


Description

Enables fail-to-block mode. With fail-to-block, in the event of an optimization service failure or a
hardware failure, network traffic is stopped. With fail-to-bypass mode, in the event of a failure,
traffic is passed through the Steelhead appliance (as if it were a network wire).

Syntax

[no] sport fail-to-bypass enable

Parameters

None

Usage

FIPS-mode requires that you configure each network interface card (NIC) in the Steelhead
appliance to block traffic (fail-to-block) when the appliance hardware or software fails. With
fail-to-block, in the event of an optimization service failure or a hardware failure, network traffic is
stopped. With fail-to-bypass mode, in the event of a failure, traffic is passed through the Steelhead
appliance (as if it were a network wire).
A Steelhead appliance can have multiple NIC cards, some of which may or may not support the
fail-to-block mode. The following table is an overview of cards that physically support
fail-to-block on all compatible Steelhead appliance platforms. For detailed information on configuring
the fail-to-block feature, see the Bypass Card Installation Guide.
For detailed information about configuring a FIPS-mode system, see the FIPS/CC Administrators
Guide.

Example

minna (config) # no sport fail-to-bypass enable


minna (config) # show sport fail-to-bypass

Product

Steelhead appliance

Related Topics

None

support sha512-pass enable


Description

Enables password files to be Secure Hash Algorithm (SHA-512) encrypted.

Syntax

[no] support sha512-pass enable

Parameters

None

Usage

For FIPS/CC compliance, password files must be SHA-512 encrypted. If you have been running
the Steelhead appliance in non-FIPS mode, when you execute the reset factory command the
Steelhead appliance password files are SHA-512 encrypted.
For detailed information about configuring a FIPS/CC-mode system, see the FIPS/CC
Administrators Guide.

Example

minna (config) # support sha512-pass enable

Product

Steelhead appliance

Related Topics

show support sha512-pass


web ssl ciphers


Description

Configures SSL Cipher Suite setting in Apache.

Syntax

[no] web ssl cipher <cipher list>

Parameters

<cipher list>

Specify the SSL cipher. Use a comma separated list.

Usage

FIPS-mode requires the use of strong ciphers. Riverbed recommends you specify:
TLSv1:!NULL:!EXPORT:!MD5:!RC4:!LOW
This value results in the following ciphers offered for HTTPS:
ADH-AES256-SHA
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
ADH-AES128-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
ADH-DES-CBC3-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
For detailed information about configuring a FIPS/CC-mode system, see the FIPS/CC
Administrators Guide.

Example

minna (config) # web ssl cipher TLSv1:!NULL:!EXPORT:!MD5:!RC4:!LOW

Product

Steelhead appliance

Related Topics

show web ssl cipher
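
An audit of the cipher list given under web ssl ciphers above, as an added example that is not Riverbed code. In OpenSSL cipher strings !NULL excludes suites with no encryption, not suites with no authentication, so the three anonymous Diffie-Hellman (ADH) suites stay in the offered list; the OpenSSL keyword that excludes them is !aNULL. The exclusion table is a simplified model of OpenSSL's keywords, and whether this RiOS release accepts !aNULL in web ssl cipher is an assumption to confirm on the appliance.

```python
# Suites the page lists as the result of TLSv1:!NULL:!EXPORT:!MD5:!RC4:!LOW
PAGE_SUITES = [
    "ADH-AES256-SHA", "DHE-RSA-AES256-SHA", "DHE-DSS-AES256-SHA", "AES256-SHA",
    "ADH-AES128-SHA", "DHE-RSA-AES128-SHA", "DHE-DSS-AES128-SHA", "AES128-SHA",
    "ADH-DES-CBC3-SHA", "EDH-RSA-DES-CBC3-SHA", "EDH-DSS-DES-CBC3-SHA", "DES-CBC3-SHA",
]

RECOMMENDED = "TLSv1:!NULL:!EXPORT:!MD5:!RC4:!LOW"          # string from the page
HARDENED = "TLSv1:!NULL:!aNULL:!EXPORT:!MD5:!RC4:!LOW"      # assumption: !aNULL is accepted

# OpenSSL name prefix -> (key exchange, authentication). EDH is the older spelling of DHE.
PREFIXES = [
    ("ADH-", "DH", None),          # anonymous DH: the server is not authenticated
    ("DHE-RSA-", "DHE", "RSA"),
    ("EDH-RSA-", "DHE", "RSA"),
    ("DHE-DSS-", "DHE", "DSS"),
    ("EDH-DSS-", "DHE", "DSS"),
]


def parse_suite(name):
    """Split an OpenSSL suite name into key exchange, authentication, cipher and MAC."""
    kx, auth, rest = "RSA", "RSA", name   # no prefix means RSA key exchange and auth
    for prefix, p_kx, p_auth in PREFIXES:
        if name.startswith(prefix):
            kx, auth, rest = p_kx, p_auth, name[len(prefix):]
            break
    enc, _, mac = rest.rpartition("-")
    return {"name": name, "kx": kx, "auth": auth, "enc": enc, "mac": mac}


# Simplified predicates for the exclusion keywords used in the two strings above.
EXCLUDERS = {
    "NULL": lambda s: s["enc"] == "NULL",        # alias of eNULL: no encryption
    "eNULL": lambda s: s["enc"] == "NULL",
    "aNULL": lambda s: s["auth"] is None,        # no authentication
    "MD5": lambda s: s["mac"] == "MD5",
    "RC4": lambda s: s["enc"].startswith("RC4"),
    "EXPORT": lambda s: s["name"].startswith("EXP-"),
    "LOW": lambda s: s["enc"] == "DES-CBC",      # single DES
}


def surviving(suites, cipher_string):
    """Apply the '!' terms of cipher_string; other terms are treated as already applied."""
    parsed = [parse_suite(name) for name in suites]
    for term in cipher_string.split(":"):
        if not term.startswith("!"):
            continue
        excluded = EXCLUDERS.get(term[1:])
        if excluded is None:
            raise ValueError("keyword not modelled: " + term)
        parsed = [s for s in parsed if not excluded(s)]
    return [s["name"] for s in parsed]


def unauthenticated(suites):
    """Suites that negotiate a key without authenticating the server."""
    return [name for name in suites if parse_suite(name)["auth"] is None]


if __name__ == "__main__":
    print("anonymous suites left by the recommended string:")
    for name in unauthenticated(surviving(PAGE_SUITES, RECOMMENDED)):
        print("  " + name)
    print("offered with !aNULL added:")
    for name in surviving(PAGE_SUITES, HARDENED):
        print("  " + name)
```
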

web ssl protocol tlsv1


Description

Enables v1.0 of the Transport Layer Security (TLSv1) communication protocol.

Syntax

[no] web ssl protocol tlsv1

Parameters

None

Usage

FIPS mandates Web-based communication into the Steelhead appliance use TLS v1.0 or later. You
must execute this command for your system to be in FIPS/CC-mode.
For detailed information about configuring a FIPS/CC-mode system, see the FIPS/CC
Administrators Guide.

Example

minna (config) # web ssl protocol tlsv1

Product

Steelhead appliance

Related Topics

show web


web ssl protocol sslv2


Description

Enables v2.0 of the Secure Sockets Layer (SSLv2) security protocol.

Syntax

[no] web ssl protocol sslv2

Parameters

None

Usage

FIPS mandates that all Web-based communication into the Steelhead appliance use TLS v1.0 or
later. You must execute this command for your system to be in FIPS/CC-mode.
For detailed information about configuring a FIPS/CC-mode system, see the FIPS/CC
Administrators Guide.

Example

minna (config) # web ssl protocol sslv2

Product

Steelhead appliance

Related Topics

show web

web ssl protocol sslv3


Description

Enables v3.0 of the Secure Sockets Layer (SSLv3) security protocol.

Syntax

[no] web ssl protocol sslv3

Parameters

None

Usage

FIPS mandates that all Web-based communication into the Steelhead appliance use TLS v1.0 or
later. You must execute this command for your system to be in FIPS/CC-mode.
For detailed information about configuring a FIPS/CC-mode system, see the FIPS/CC
Administrators Guide.

Example

minna (config) # web ssl protocol sslv3

Product

Steelhead appliance

Related Topics

show web

Interceptor Appliance Feature Commands


This section describes commands you use to configure Interceptor appliance features. This section includes
the following content:
Load-Balancing Commands
Peering Support Commands
Debugging Commands
Statistics Configuration Commands

NOTE: You must also set up the host and networking configuration, configure in-path interfaces, and configure in-path
rules for deployments that use the Interceptor appliance for load-balancing. For documentation of these commands,
refer to previous sections in this chapter.

Load-Balancing Commands

load balance move-rule


Description

Moves the order of the rule in the rule list to the specified number.

Syntax

load balance move-rule rulenum <rulenum> to <rulenum>

Parameters

rulenum <rulenum> to <rulenum>

Specifies the rule number to be moved and where to move it.

Example

minna (config) # load balance move-rule rulenum 9 to 5
minna (config) #

Product

Interceptor appliance

Related Topics

show load balance rules

load balance rule


Description

Creates load balancing rules. The Interceptor appliance processes load-balancing rules as follows:

Redirect rule matches and target Steelhead appliance available.
    Redirect to a target appliance according to the load balancing algorithm.

Redirect rule matches but none of the target Steelhead appliances for the rule are available.
    Consults the next rule in list.

Pass-through rule matches.
    Pass-through, traversing Riverbed routes but unoptimized.

Redirect rule matches but no capacity and does not match a pass-through rule.
No rules match.
No rules specified.
    Automatically balances load among neighbor Steelhead appliances not reserved by other rules.

Target Steelhead appliances are chosen based on the following rules:
1. Peer affinity. Prefers a target Steelhead appliance that has had a previous connection with the
   source Steelhead appliance.
2. Least connections. If more than one target Steelhead appliance has peer affinity, the connection
   is redirected to one that has the least current connections.
If no Steelhead appliance has peer affinity, the connection is redirected to the Steelhead appliance
with the least current connections.

Syntax

load balance rule [redirect | pass] [src <subnet>/<mask>] [dest <subnet>/<mask>] [dest-port
<port>] [addrs <ip>] [description <string>] [vlan <vlan number>]

Parameters

[redirect | pass]

Specifies one of the following rule types:
redirect. Configure rules of this type for traffic you want to optimize.
pass. Configure rules of this type as a second-preference rule for cases where you would like to
optimize when connections are available on specified targets, but, in the event targets have
reached Admission Control capacity, you would rather pass-through than tax the auto-balance pool.
For example, you might use pass-through rules to handle HTTP traffic on port 80.

[src <subnet>/<mask>]

Specifies the IP address for the source network. Use the following format: XXX.XXX.XXX.XXX/XX.

[dest <subnet>/<mask>]

Specify the IP address for the destination network. Use the following format: XXX.XXX.XXX.XXX/XX.

[dest-port <port>]

Specifies a port number or port label.

[addrs <ip>]

Specify a comma-separated list of Steelhead appliance IP addresses to which traffic may be
redirected. (Specify the IP address for the Steelhead inpath0_0 interface.)
If a rule matches, connections are redirected to a Steelhead appliance in the list according to the
load balancing algorithm.
Note: This parameter is not required for rules of type pass.
NOTE: You must also configure Interceptor-to-Steelhead appliance communication and Steelhead
appliance-to-Interceptor communication for peering between appliances. See in-path neighbor
interface.

[description <string>]

Specifies a description of the rule.

[vlan <vlan-number>]

Specifies the VLAN tag Identification Number (ID).


Usage

Load-balancing rules define the characteristics by which traffic is selected for load balancing and
the availability of LAN-side Steelhead appliance for such traffic.
Typically, your rules list should:
- account for traffic over all subnets and ports that have been selected for redirection.
- account for all Steelhead appliances you have configured as neighbor peers to be targets of
  redirect rules or reserved for the automatic load-balancing rule.
  If a neighbor Steelhead appliance is specified as a target for a rule, it is reserved for traffic that
  matches that rule and is not available to the pool used for automatic load-balancing.
  If a neighbor Steelhead appliance is not specified as a target for a rule, it is available for
  automatic load balancing.
- account for second-preference cases where you would rather pass-through traffic than tax the
  autoload-balancing pool.

Example

minna (config) # load balance rule redirect src 10.0.0.0/16 dest 10.0.0.1/16 dest-port 1240 description test vlan 12 addrs 10.0.0.3 10.0.0.4 10.0.0.5
minna (config) #

Product

Interceptor appliance

Related Topics

show load balance rules, in-path neighbor peer
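
A small model of the rule processing and target selection described under load balance rule above, as an added example that is not the Interceptor's implementation. The Rule and Neighbor classes, the capacity figure, the remote peer addresses and the final fall-back to pass-through when no neighbor is left are assumptions made for illustration; the redirect rule reuses the values from the Example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Neighbor:
    addr: str
    connections: int
    capacity: int = 100        # admission-control limit; a constructed figure
    up: bool = True
    peers_seen: set = field(default_factory=set)  # remote Steelheads it has served before

    def available(self):
        return self.up and self.connections < self.capacity


@dataclass
class Rule:
    kind: str                  # "redirect" or "pass"
    src: str = "0.0.0.0/0"
    dest: str = "0.0.0.0/0"
    dest_port: Optional[int] = None
    addrs: tuple = ()          # target neighbors; reserved for this rule

    def matches(self, src_ip, dst_ip, dst_port):
        def in_net(ip, net):
            return ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)
        return (in_net(src_ip, self.src) and in_net(dst_ip, self.dest)
                and self.dest_port in (None, dst_port))


def pick(candidates, remote_peer):
    """Peer affinity first, then least current connections."""
    affine = [n for n in candidates if remote_peer in n.peers_seen]
    return min(affine or candidates, key=lambda n: n.connections)


def decide(rules, neighbors, src_ip, dst_ip, dst_port, remote_peer):
    """Return (action, target address) for one new connection."""
    by_addr = {n.addr: n for n in neighbors}
    for rule in rules:
        if not rule.matches(src_ip, dst_ip, dst_port):
            continue
        if rule.kind == "pass":
            return ("pass-through", None)
        targets = [by_addr[a] for a in rule.addrs
                   if a in by_addr and by_addr[a].available()]
        if targets:
            return ("redirect", pick(targets, remote_peer).addr)
        # Redirect rule matched but no target is usable: consult the next rule.
    # No rule settled it: auto-balance among neighbors no rule has reserved.
    reserved = {a for r in rules for a in r.addrs}
    pool = [n for n in neighbors if n.addr not in reserved and n.available()]
    if pool:
        return ("auto-balance", pick(pool, remote_peer).addr)
    return ("pass-through", None)   # assumption: nothing left to redirect to


def sample():
    """Constructed rule list and neighbor state."""
    rules = [
        Rule("redirect", src="10.0.0.0/16", dest="10.0.0.1/16", dest_port=1240,
             addrs=("10.0.0.3", "10.0.0.4", "10.0.0.5")),
        Rule("pass", dest_port=80),
    ]
    neighbors = [
        Neighbor("10.0.0.3", 40, peers_seen={"192.0.2.9"}),
        Neighbor("10.0.0.4", 2),
        Neighbor("10.0.0.5", 5, peers_seen={"192.0.2.9"}),
        Neighbor("10.0.0.6", 70),   # not named in any rule: auto-balance pool
        Neighbor("10.0.0.7", 20),   # not named in any rule: auto-balance pool
    ]
    return rules, neighbors


if __name__ == "__main__":
    rules, neighbors = sample()
    print(decide(rules, neighbors, "10.0.1.20", "10.0.2.30", 1240, "192.0.2.9"))
    print(decide(rules, neighbors, "10.0.1.20", "10.0.2.30", 1240, "198.51.100.7"))
    print(decide(rules, neighbors, "172.16.0.1", "10.0.2.30", 80, "192.0.2.9"))
```
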

load balance rule edit rulenum <num> description


Description

Edit the description of a rule previously created.

Syntax

load balance rule edit rulenum <num> description <desc>

Parameters

<num>

Specifies the rule number for which to edit the description.

<desc>

Specifies the new description.

Example

minna (config) # load balance rule edit rulenum 1 description Cluster1


minna (config) #

Product

Interceptor appliance

Related Topics

show load balance rules


Peering Support Commands



in-path neighbor interface


Description

Specifies the interface to use for Interceptor-to-Steelhead communication.

Syntax

in-path neighbor interface <iface>

Parameters

interface <iface>

Specifies the interface name.

Usage

The no command option disables the interface.
Make sure you configure the Steelhead appliance to communicate with this Interceptor appliance
on this interface when you configure Steelhead-to-Interceptor communication.
Assume you want to configure peering between Interceptor A (with primary interface 10.10.10.1,
inpath0_0 interface 10.10.10.2, inpath0_1 interface 10.10.10.3) and Steelhead Z (with primary
interface 10.10.10.21, inpath0_0 interface 10.10.10.22, inpath0_1 interface 10.10.10.23).
1. Log into the CLI for Interceptor A.
2. Specify which in-path interface on Interceptor A to use for Interceptor-to-Steelhead peering.
   in-path neighbor interface inpath0_0
3. Add Steelhead Z as a peer by specifying the IP address for the Steelhead Z inpath0_0 interface.
   in-path neighbor peer addr 10.10.10.22
4. Next, log into the CLI for Steelhead Z.
5. Enable the in-path interface, as shown in the following example:
   in-path enable
6. Enable the out-of-path interface, as shown in the following example:
   in-path oop enable
7. Enable peering, as shown in the following example:
   in-path neighbor enable
8. Specify the neighbor IP address, as shown in the following example:
   in-path neighbor ip address 10.10.10.2


Example

minna (config) # in-path neighbor interface inpath0_0


minna (config) #

Product

Interceptor appliance

Related Topics

show in-path neighbor (Interceptor), show in-path neighbor peers, show in-path rules,
show in-path interfaces (Interceptor)

in-path neighbor peer


Description

Configures Interceptor-to-Steelhead peering communication.

Syntax

in-path neighbor peer addr <ip> [port <port>] [paused]

Parameters

addr <ip>

Specifies the IP address for the peer Steelhead inpath0_0 interface.

port

Specifies the corresponding port. The default value is 7850.

paused

Pauses communication with the peer neighbor.

Usage

The no command option disables the connection.

Example

minna (config) # in-path neighbor peer addr 10.10.10.1


minna (config) #

Product

Interceptor appliance

Related Topics

show in-path neighbor (Interceptor), show in-path neighbor peers, show in-path rules,
show in-path interfaces (Interceptor)

in-path rule redirect


Description

Adds a redirect rule to the in-path rules table.


A redirect rule specifies the subnets and ports for traffic to be optimized by the Riverbed system.

Syntax

[no] in-path rule redirect src <subnet> dest <subnet> dest-port <port> [rulenum <num>] [vlan
<vlan tag ID>] [description <description>]

Parameters

src <subnet>

Specifies the source subnet. For example: 1.2.3.4/32

dest <subnet> dest-port <port>

Specifies the destination subnet and port.
For the network address, use the following format: XXX.XXX.XXX.XXX/XX
For the port, you can specify a single port (number), a port label, or all to specify all ports.

rulenum <rulenum>

Specifies the order in which the rule is consulted: 1-n or start or end.
The list is reordered after you execute this command. For example, if
your command specifies rulenum 3, then the new rule will be #3, the
former #3 rule will be #4, and so forth.
The start value specifies the rule to be the first rule and end specifies it to
be the last rule.
If you do not specify a rule number, the rule is added to the end of the
list.

vlan <vlan tag ID>

Specifies the VLAN tag ID (if any). The VLAN identification number is a
value with a range from 0-4094. Specify 0 to mark the link untagged.

description <description>

Specify a description to facilitate communication about network administration.

Usage

The in-path rules table is a list of rules for determining how the Riverbed system handles network
connection requests. The system either optimizes the traffic, passes it through unoptimized,
discards the connection, or denies the connection.
An in-path rule redirect command selects traffic to be optimized when your deployment includes
Interceptor load balancing. The connections selected by the in-path rule redirect command are
load-balanced according to rules you specify in the load-balance rules table.
The Interceptor appliance evaluates rules in numerical order starting with rule 1. If the conditions
set in the rule match, then the rule is applied, and the system moves on to the next packet. If the
conditions set in the rule do not match, the system consults the next rule. For example, if the
conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied,
and no further rules are consulted.
In general, filter traffic that is to be unoptimized, discarded, or denied before processing rules for
traffic that is to be optimized. For example, order rules as follows:
1. Pass-through.
2. Discard.
3. Deny.
4. Redirect.
The default rule, Redirect All (all remaining traffic), is listed automatically and should be ordered
last.
The no command option disables the rule. The no command option has the following syntax:
no in-path rule <rulenum>

Example

minna (config) # in-path rule redirect src 10.10.10.1/32 dest 10.24.24.1/32 dest-port 2121 rulenum 5
minna (config) #

Product

Interceptor appliance

Related Topics

in-path rule deny, in-path rule discard, in-path rule pass-through, load balance rule
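
The first-match evaluation, rulenum insertion, and ordering guidance described under Usage for in-path rule redirect, as an added Python example (not Riverbed code and not part of this manual). The Rule class, the sample table, and its addresses are constructed for illustration; port labels and VLAN matching are not modelled.

```python
"""Added example: first-match evaluation of an in-path rules table (illustrative model)."""
import ipaddress
from dataclasses import dataclass

# Ordering recommended in the Usage text: pass-through, discard, deny, then redirect.
RECOMMENDED_ORDER = {"pass-through": 0, "discard": 1, "deny": 2, "redirect": 3}


@dataclass(frozen=True)
class Rule:
    """Hypothetical model of one rule: action, subnets, and one port number or "all"."""
    action: str
    src: str = "0.0.0.0/0"
    dest: str = "0.0.0.0/0"
    dest_port: str = "all"

    def matches(self, src_ip, dest_ip, port):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dest_ip) in ipaddress.ip_network(self.dest)
                and self.dest_port in ("all", str(port)))

    def covers(self, other):
        """True when every connection that matches `other` also matches this rule."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dest).subnet_of(ipaddress.ip_network(self.dest))
                and self.dest_port in ("all", other.dest_port))


def insert_rule(table, rule, rulenum="end"):
    """rulenum N makes the new rule #N and shifts the former #N to #N+1."""
    new = list(table)
    if rulenum == "start":
        new.insert(0, rule)
    elif rulenum == "end":
        new.append(rule)
    else:
        new.insert(int(rulenum) - 1, rule)
    return new


def evaluate(table, src_ip, dest_ip, port):
    """Return (rule number, action) of the first matching rule."""
    for num, rule in enumerate(table, start=1):
        if rule.matches(src_ip, dest_ip, port):
            return num, rule.action
    # Nothing matched: the default rule, Redirect All, is listed last.
    return len(table) + 1, "redirect"


def lint(table):
    """Report rules that can never fire and rules out of the recommended order."""
    findings = []
    for i, later in enumerate(table):
        for j, earlier in enumerate(table[:i]):
            if earlier.covers(later):
                findings.append(f"rule {i + 1} ({later.action}) is shadowed by "
                                f"rule {j + 1} ({earlier.action})")
                break
    for i in range(1, len(table)):
        if RECOMMENDED_ORDER[table[i].action] < RECOMMENDED_ORDER[table[i - 1].action]:
            findings.append(f"rule {i + 1} ({table[i].action}) follows "
                            f"rule {i} ({table[i - 1].action})")
    return findings


# Constructed sample: a broad redirect placed ahead of a narrower deny.
REDIRECT = Rule("redirect", src="10.10.0.0/16")
DENY_TELNET = Rule("deny", src="10.10.10.0/24", dest="192.168.5.0/24", dest_port="23")
BAD_TABLE = [REDIRECT, DENY_TELNET]
# Re-adding the deny with rulenum 1 puts it ahead of the redirect.
FIXED_TABLE = insert_rule([REDIRECT], DENY_TELNET, 1)

if __name__ == "__main__":
    flow = ("10.10.10.7", "192.168.5.9", 23)
    print("bad table  :", evaluate(BAD_TABLE, *flow), lint(BAD_TABLE))
    print("fixed table:", evaluate(FIXED_TABLE, *flow), lint(FIXED_TABLE))
```

In the constructed table the deny rule is never consulted for the Telnet flow because the earlier redirect already matched it; inserting the deny at rulenum 1 restores the intended handling.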

redirect allow-failure
Description

Allows failure in active-passive Interceptor appliance deployments.

Syntax

[no] redirect allow-failure

Parameters

None

Usage

Run this command on all Interceptor appliances on the active and passive links. You must also run
the command in-path neighbor allow-failure on all Steelhead appliances that point to the
Interceptor appliances on which you ran this command.
The no command option disables the command.

Example

minna (config) # redirect allow-failure


minna (config) #

Product

Interceptor appliance

Related Topics

show redirect


redirect interface
Description

Specifies the name of the interface to use for Interceptor-to-Interceptor communication.

Syntax

redirect interface <iface>

Parameters

<iface>

Specifies the name of the interface the appliance uses to communicate with peer
Interceptor appliances. Your selection must be implemented system-wide. For example,
if you decide for Interceptor A to use inpath0_0, you must specify inpath0_0 when you
run this command on Interceptor B and any other Interceptor appliance in your
deployment.

Example

minna (config) # redirect interface inpath0_0
You must restart the service for your changes to take effect.
minna (config) #

Product

Interceptor appliance

Related Topics

show redirect

redirect peer addr


Description

Configures Interceptor-to-Interceptor peering communication.

Syntax

redirect peer addr <ip> port <port>

Parameters

addr <ip>

Specifies the IP address for a peer Interceptor appliance in-path
interface. This is the interface you set when you run the redirect
interface command on the peer Interceptor appliance. Use the
following format: 0.0.0.0.

port <port>

Specifies the corresponding port. The default is 7860.

Usage

The no command option disables the connection to the peer Interceptor appliance.
Assume you want to configure peering between Interceptor A (with primary interface 10.10.10.1,
inpath0_0 interface 10.10.10.2, inpath0_1 interface 10.10.10.3) and Interceptor B (with primary
interface 10.10.10.11, inpath0_0 interface 10.10.10.12, inpath0_1 interface 10.10.10.13).
1. Log into the CLI for Interceptor A.
2. Specify which in-path interface on Interceptor A to use for Interceptor-to-Interceptor peering:
redirect interface inpath0_0
3. Add Interceptor B as a peer by specifying the IP address for the Interceptor B inpath0_0 interface:
redirect peer addr 10.10.10.12
4. Next, log into the CLI for Interceptor B.
5. Specify the Interceptor B interface to use for Interceptor-to-Interceptor peering:
redirect interface inpath0_0
6. Add Interceptor A as a peer by specifying the IP address for the Interceptor A inpath0_0 interface:
redirect peer addr 10.10.10.2


Example

minna (config) # redirect peer addr 10.10.10.1


minna (config) #

Product

Interceptor appliance

Related Topics

show redirect peers, Failover Support Commands on page 312
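
A cross-check for the Interceptor A / Interceptor B peering procedure under redirect peer addr, as an added Python example (not Riverbed code and not part of this manual). It parses the redirect interface and redirect peer addr lines each appliance was given and reports peers that point at the wrong interface address or that use different redirect interfaces; the function names and the inventory layout are assumptions, and the addresses are the ones used in the procedure.

```python
"""Added example: cross-check Interceptor-to-Interceptor peering configuration."""
import ipaddress

DEFAULT_PEER_PORT = 7860  # default given for the redirect peer addr port parameter


def parse_redirect_config(lines):
    """Extract the redirect interface and the peer list from CLI configuration lines."""
    cfg = {"interface": None, "peers": {}}
    for line in lines:
        tok = line.split()
        if tok[:2] == ["redirect", "interface"] and len(tok) == 3:
            cfg["interface"] = tok[2]
        elif tok[:3] == ["redirect", "peer", "addr"] and len(tok) >= 4:
            ip = str(ipaddress.ip_address(tok[3]))  # ValueError on a malformed address
            port = int(tok[5]) if len(tok) >= 6 and tok[4] == "port" else DEFAULT_PEER_PORT
            cfg["peers"][ip] = port
    return cfg


def check_peering(appliances):
    """appliances maps name -> {"addrs": {interface: ip}, "config": parsed config}."""
    findings = []
    ifaces = {app["config"]["interface"] for app in appliances.values()}
    if len(ifaces) > 1:
        # The redirect interface selection must be the same system-wide.
        findings.append("redirect interface differs across appliances: "
                        f"{sorted(map(str, ifaces))}")
    for name, app in appliances.items():
        peers = app["config"]["peers"]
        for other_name, other in appliances.items():
            if other_name == name:
                continue
            want_iface = other["config"]["interface"]
            want_ip = other["addrs"].get(want_iface)
            if want_ip in peers:
                continue
            # Is the peer entry pointing at some other address of the same appliance?
            wrong = [f"{ifc}={ip}" for ifc, ip in other["addrs"].items() if ip in peers]
            if wrong:
                findings.append(f"{name} peers with {other_name} on {wrong[0]}, "
                                f"expected {want_iface}={want_ip}")
            else:
                findings.append(f"{name} has no peer entry for {other_name} "
                                f"({want_iface}={want_ip})")
    return findings


# Interface addresses from the procedure in the Usage text.
ADDRS = {
    "A": {"primary": "10.10.10.1", "inpath0_0": "10.10.10.2", "inpath0_1": "10.10.10.3"},
    "B": {"primary": "10.10.10.11", "inpath0_0": "10.10.10.12", "inpath0_1": "10.10.10.13"},
}
# Commands as entered in steps 2-3 and 5-6.
GOOD = {"A": ["redirect interface inpath0_0", "redirect peer addr 10.10.10.12"],
        "B": ["redirect interface inpath0_0", "redirect peer addr 10.10.10.2"]}
# Constructed mistake: B peers with A's primary address instead of inpath0_0.
BAD = {"A": GOOD["A"],
       "B": ["redirect interface inpath0_0", "redirect peer addr 10.10.10.1"]}
# Constructed mistake: the two appliances select different redirect interfaces.
MIXED = {"A": GOOD["A"],
         "B": ["redirect interface inpath0_1", "redirect peer addr 10.10.10.2"]}


def audit(configs):
    """Parse each appliance's lines and run the peering checks."""
    return check_peering({name: {"addrs": ADDRS[name],
                                 "config": parse_redirect_config(lines)}
                          for name, lines in configs.items()})


if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD), ("mixed", MIXED)):
        print(label, audit(cfg))
```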

Debugging Commands
In This Section

debug validate deployment

debug validate deployment


Description

Generates a report you can use to diagnose misconfiguration in Interceptor deployments.

Syntax

debug validate deployment

Parameters

None

Example

minna (config) # debug validate deployment


minna (config) #

Product

Interceptor appliance

Related Topics

file debug-dump delete on page 128, file debug-dump email on page 129, file debug-dump upload on
page 129


Statistics Configuration Commands


In This Section

stats alarm

stats alarm
Description

Configures alarms based on sampled or computed statistics.

Syntax

stats alarm {<type> <options>}

Parameters

<type>

admission_conn
admission_mem
bypass
cpu_util_indiv
duplex
fan_error
fs_mnt
ipmi
link_propagation
linkstate
memory_error
paging
power_supply

<options>

Specifies the following alarm options:

clear. Clears alarm settings.
enable. Enables alarm.
rate-limit {count [long | medium | short] | [reset] | [window [long | medium | short]]}. Sets alarm event rate-limit values.
rising. Sets the rising threshold.
rising clear_threshold <amount>. Sets the threshold to clear rising alarm. The default value for CPU temperature is 47 C.
rising error_threshold <amount>. Sets the threshold to trigger rising alarm. The default value for the CPU temperature is 50 C.
falling clear_threshold <amount>. Sets the threshold to clear falling alarm. The default value for the CPU temperature is 0 C.
falling error_threshold <amount>. Sets the threshold to trigger falling alarm. The default value for the CPU temperature is 0 C.


Usage

Critical temperature settings cannot be changed. Warning temperature settings can be changed.
The no command option disables all statistical alarms. The no stats alarm <type> enable
command disables specific statistical alarms.

Example

minna (config) # stats alarm bypass enable


minna (config) #

Product

Interceptor appliance, Steelhead appliance

Related Topics

show stats

Central Management Console Feature Commands


This section describes commands you use to configure Central Management Console features. This section
includes the following content.
In This Section

Export Commands

Export Commands
In This Section

export appliance
export stats

export appliance
Description

Exports appliance information for CMC managed appliances to a remote email address or SCP/
FTP location.

Syntax

export appliance to-email <email addr> html | csv | to-file <URL or scp://username:password@hostname/path/filename> html | csv

Parameters

to-email <email addr> html | csv

Specifies an email address, file format, and type of report to export.

to-file <URL or scp://username:password@hostname/path/filename> html | csv

Specifies a URL or SCP, file format, and type of report to export.

Example

minna (config) # export appliance to-email foo@bar html


minna (config) #

Product

CMC appliance

Related Topics

export stats

export stats
Description

Exports statistics information for CMC managed appliances to a remote email address or SCP/
FTP location.

Syntax

export stats <quoted list of groups separated by /> <period over which to export, in seconds>
<granularity of the exported stat, in seconds> to-email <email addr> html | csv <bandwidth |
throughput | data-reduction | conn-history | traffic-summary> | to-file <URL or
scp://username:password@hostname/path/filename> html | csv <bandwidth | throughput |
data-reduction | conn-history | traffic-summary>

Parameters

to-email <email addr> html | csv <bandwidth | throughput | data-reduction | conn-history | traffic-summary>

Specifies an email address, file format, and type of report to export.

to-file <URL or scp://username:password@hostname/path/filename> html | csv <bandwidth | throughput | data-reduction | conn-history | traffic-summary>

Specifies a URL or SCP, file format, and type of report to export.

Example

minna (config) # export stats "remoteappliance" 3600 60 to-email foo@bar html bandwidth
minna (config) #

Product

CMC appliance

Related Topics

export appliance


CHAPTER 5

Troubleshooting

In This Chapter
This chapter contains a table of commands to provide a quick reference for troubleshooting.

Troubleshooting Quick Reference


Problem
    Commands

General
    show stats (alarm)
    show log
    logging local
    show info
    show version

Start, Stop, and Reboot
    reload
    service enable

Connectivity Issue
    ping
    traceroute
    show arp

Data Store
    show datastore

Optimization Service
    show in-path
    show in-path cdp
    show out-of-path
    show in-path rules
    show peers
    show service
    show wccp
    show licenses

Hardware
    show stats (CPU)
    show stats (memory)
    show stats (ecc-ram)
    show stats (fan)
    show hardware error-log
    show hardware

Protocol Specific
    show protocol cifs
    show protocol nfs
    show protocol mapi
    show protocol ms-sql

PFS and Prepopulation
    show pfs stats shares
    show pfs status
    show prepop
    pfs settings

Asymmetric Routing and Failover
    show failover
    show in-path asym-route-tab
    show in-path neighbor (Steelhead)
    show in-path neighbor (Interceptor)
    show stats

RAID
    show raid configuration
    show raid diagram
    show raid info
    show raid physical
    show raid error-msg

Upgrade and Boot
    show images
    show bootvar

Collecting System Data for Riverbed Technical Support
    tcpdump
    debug generate dump

APPENDIX A

Riverbed Ports

In This Appendix
This appendix describes the Steelhead appliance default and supported secure ports. It includes the
following sections:

Default Ports
Commonly Optimized Ports
Commonly Excluded Ports
Interactive Ports Forwarded by the Steelhead Appliance
Secure Ports Forwarded by the Steelhead Appliance

Default Ports
The following table summarizes Steelhead appliance default ports with the port label: RBT-Proto.

Default Ports   Description
7744            Data store synchronization port.
7800            In-path port for appliance-to-appliance connections.
7801            NAT port.
7810            Out-of-path server port.
7820            Failover port for redundant appliances.
7830            MAPI Exchange 2003 port.
7840            NSPI port.
7850            Connection forwarding (neighbor) port.
7860            Interceptor appliance
7870            Steelhead Mobile Controller to Steelhead Mobile Client communication

IMPORTANT: For two Steelhead appliances to optimize traffic, ports 7800 and 7810 must be passed through firewall
devices located between the pair of Steelhead appliances. Also, SYN and SYN/ACK packets with the TCP option 76
must be passed through firewalls for autodiscovery to function properly. For the Steelhead Central Management
Console (CMC), port 22 must be passed through the firewall for it to function properly.

Commonly Optimized Ports


The Steelhead appliance by default optimizes all ports. If you do not want the Steelhead appliance to
optimize all ports for an in-path or out-of-path configuration, you can specify the ports to
optimize.
Although these ports can vary according to your requirements, the following ports are commonly
optimized and monitored for in-path and out-of-path configurations:

21 (FTP)

80 (HTTP)

139 (CIFS:NETBIOS)

445 (CIFS:TCP)

1433 (SQL:TDS)

7830 (MAPI)

Commonly Excluded Ports


This section summarizes the ports that are commonly excluded from optimization in the Steelhead
appliance.
If you have multiple ports that you want to exclude, create a port label and list the ports.

Application                     Ports
PolyComm (video conferencing)   1503, 1720-1727, 3230-3253, 5060
Cisco IPTel                     2000

Interactive Ports Forwarded by the Steelhead Appliance


A default in-path rule with the port label Interactive is automatically created in your system. This in-path
rule automatically passes through traffic on interactive ports (for example, Telnet, TCP ECHO, remote
logging, and shell).

TIP: If you do not want to automatically forward these ports, simply delete the Interactive rule in the Management
Console.

The following table lists the interactive ports that are automatically forwarded by the Steelhead appliance.

Port        Description
7           TCP ECHO
23          Telnet
37          UDP/Time
107         Remote Telnet Service
179         Border Gateway Protocol
513         Remote Login
514         Shell
1494        Citrix
1718-1720   h323gatedisc
2000-2003   Cisco SCCP
2427        Media Gateway Control Protocol Gateway
2598        Citrix
2727        Media Gateway Control Protocol Call Agent
3389        MS WBT Server, TS/Remote Desktop
5060        SIP
5631        PC Anywhere
5900-5903   VNC
6000        X11

Secure Ports Forwarded by the Steelhead Appliance


A default in-path rule with the port label Secure is automatically created in your system. This in-path rule
automatically passes through traffic on commonly secure ports (for example, ssh, https, and smtps).

TIP: If you do not want to automatically forward these ports, simply delete the Secure rule in the Management
Console.


The following table lists the common secure ports that are automatically forwarded by the Steelhead
appliance.

Type            Port       Description
ssh             22/tcp     SSH Remote Login Protocol
tacacs          49/tcp     TACACS+
https           443/tcp    http protocol over TLS/SSL
smtps           465/tcp    SMTP over SSL (TLS)
nntps           563/tcp    nntp protocol over TLS/SSL (was snntp)
imap4-ssl       585/tcp    IMAP4+SSL (use 993 instead)
sshell          614/tcp    SSLshell
ldaps           636/tcp    ldap protocol over TLS/SSL (was sldap)
ftps-data       989/tcp    ftp protocol, data, over TLS/SSL
ftps            990/tcp    ftp protocol, control, over TLS/SSL
telnets         992/tcp    telnet protocol over TLS/SSL
imaps           993/tcp    imap4 protocol over TLS/SSL
pop3s           995/tcp    pop3 protocol over TLS/SSL (was spop3)
l2tp            1701/tcp   l2tp
pptp            1723/tcp   pptp
tftps           3713/tcp   TFTP over TLS

The following table contains the uncommon ports automatically forwarded by the Steelhead appliance.

Type            Port       Description
nsiiops         261/tcp    IIOP Name Service over TLS/SSL
ddm-ssl         448/tcp    DDM-Remote DB Access Using Secure Sockets
corba-iiop-ssl  684/tcp    CORBA IIOP SSL
ieee-mms-ssl    695/tcp    IEEE-MMS-SSL
ircs            994/tcp    irc protocol over TLS/SSL
njenet-ssl      2252/tcp   NJENET using SSL
ssm-cssps       2478/tcp   SecurSight Authentication Server (SSL)
ssm-els         2479/tcp   SecurSight Event Logging Server (SSL)
giop-ssl        2482/tcp   Oracle GIOP SSL
ttc-ssl         2484/tcp   Oracle TTC SSL
syncserverssl   2679/tcp   Sync Server SSL
dicom-tls       2762/tcp   DICOM TLS
realsecure      2998/tcp   Real Secure
orbix-loc-ssl   3077/tcp   Orbix 2000 Locator SSL
orbix-cfg-ssl   3078/tcp   Orbix 2000 Locator SSL
cops-tls        3183/tcp   COPS/TLS
csvr-sslproxy   3191/tcp   ConServR SSL Proxy
xnm-ssl         3220/tcp   XML NM over SSL
msft-gc-ssl     3269/tcp   Microsoft Global Catalog with LDAP/SSL
networklenss    3410/tcp   NetworkLens SSL Event
xtrms           3424/tcp   xTrade over TLS/SSL
jt400-ssl       3471/tcp   jt400-ssl
seclayer-tls    3496/tcp   securitylayer over tls
vt-ssl          3509/tcp   Virtual Token SSL Port
jboss-iiop-ssl  3529/tcp   JBoss IIOP/SSL
ibm-diradm-ssl  3539/tcp   IBM Directory Server SSL
can-nds-ssl     3660/tcp   Candle Directory Services using SSL
can-ferret-ssl  3661/tcp   Candle Directory Services using SSL
linktest-s      3747/tcp   LXPRO.COM LinkTest SSL
asap-tcp-tls    3864/tcp   asap/tls tcp port
topflow-ssl     3885/tcp   TopFlow SSL
sdo-tls         3896/tcp   Simple Distributed Objects over TLS
sdo-ssh         3897/tcp   Simple Distributed Objects over SSH
iss-mgmt-ssl    3995/tcp   ISS Management Svcs SSL
suucp           4031/tcp   UUCP over SSL
wsm-server-ssl  5007/tcp   wsm server ssl
sip-tls         5061/tcp   SIP-TLS
imqtunnels      7674/tcp   iMQ SSL tunnel
davsrcs         9802/tcp   WebDAV Source TLS/SSL
intrepid-ssl    11751/tcp  Intrepid SSL
rets-ssl        12109/tcp  RETS over SSL

APPENDIX B

Riverbed MIB

In This Appendix
This appendix describes the Riverbed Enterprise SNMP MIB. It contains the following sections:

Accessing the Steelhead Enterprise MIB
SNMP Traps
Steelhead Enterprise MIB
Interceptor MIB File: Contents
Riverbed MIB

Accessing the Steelhead Enterprise MIB


The Steelhead Enterprise MIB monitors device status and peers, and provides network statistics for seamless
integration into network management systems such as Hewlett Packard OpenView Network Node
Manager, PRTG, and other SNMP browser tools.
For detailed information about configuring and using these network monitoring tools, consult their
individual Web sites.
The following guidelines describe how to download and access the Steelhead Enterprise MIB using
common MIB browsing utilities.

You can download the Steelhead Enterprise MIB (STEELHEAD-MIB.txt) from the help page of the
Management Console or from the Riverbed Technical Support site at https://support.riverbed.com and
load it into any MIB browser utility.

Some utilities might expect a file type other than a text file. If this occurs, change the file type to the one
expected.

Some utilities assume that the root is mib-2 by default. If the utility sees a new node, such as
enterprises, it might look under mib-2.enterprises. If this occurs, use
.iso.org.dod.internet.private.enterprises.rbt as the root.

Some command-line browsers might not load all MIB files by default. If this occurs, find the
appropriate command option to load the STEELHEAD-MIB.txt file. For example, for NET-SNMP
browsers: snmpwalk -m ALL


SNMP Traps
Alarms fire for their event only. If a service alarm is fired indicating that the service has halted, no alarm is
fired when the service returns to normal operation.
The following table summarizes the SNMP traps sent out from the system to configured trap receivers.

Trap: procCrash (enterprises.17163.1.1.4.1)
Text: A procCrash trap signifies that a process managed by PM has crashed and left a core file.
The variable sent with the notification indicates which process crashed.
Description: A process has crashed and subsequently been restarted by the system. The trap
contains the name of the process that crashed. A system snapshot associated with this crash has
been created on the appliance and is accessible via the CLI or the Management Console. Riverbed
Technical Support may need this information to determine the cause of the crash. No other action
is required on the appliance as the crashed process is automatically restarted.

Trap: procExit (enterprises.17163.1.1.4.2)
Text: A procExit trap signifies that a process managed by PM has exited unexpectedly, but not
left a core file. The variable sent with the notification indicates which process exited.
Description: A process has unexpectedly exited and been restarted by the system. The trap
contains the name of the process. The process may have exited on its own or due to other process
failures on the appliance. Please review the release notes for known issues related to this
process exit. If none exist, please contact Riverbed Technical Support to determine the cause of
this event. No other action is required on the appliance as the crashed process is automatically
restarted.

Trap: cpuUtil (enterprises.17163.1.1.4.3)
Text: The average CPU utilization in the past minute has gone above the acceptable threshold.
Description: Average CPU utilization has exceeded an acceptable threshold. If CPU utilization
spikes are frequent, it may be because the system is undersized. Sustained CPU load can be
symptomatic of more serious issues. Consult the CPU Utilization report to gauge how long the
system has been loaded and also monitor the amount of traffic currently going through the
appliance. A one time spike in CPU is normal but extended high CPU utilization should be reported
to Riverbed Technical Support. No other action is necessary as the alarm clears on its own.

Trap: pagingActivity (enterprises.17163.1.1.4.4)
Text: The system has been paging excessively (thrashing).
Description: The system is running low on memory and has begun swapping memory pages to disk.
This event can be triggered during a software upgrade while the optimization service is still
running but there may be other causes which should be monitored or diagnosed. Should this event
be triggered at any other time, please generate a debug sysdump and send it to Riverbed Technical
Support. No other action is required as the alarm clears on its own.

Trap: smartError (enterprises.17163.1.1.4.5)
Text: SMART has sent an event about a possible disk error.
Description: A disk is about to fail. Contact Riverbed Technical Support immediately.
NOTE: Applicable to models 100, 200, 510, 520, 1010, 1020, 2010, 2510, 2511 only.


Trap: peerVersionMismatch (enterprises.17163.1.1.4.6)
Text: Detected a peer with a mismatched software version.
Description: The appliance has encountered another appliance which is running an incompatible
version of system software. The CLI, Management Console, or the SNMP peer table can be referenced
to determine which appliance is causing the conflict. To resolve the problem: upgrade your system
software. No other action is required as the alarm clears on its own.

Trap: bypassMode (enterprises.17163.1.1.4.7)
Text: The appliance has entered bypass (failthru) mode.
Description: The appliance has entered bypass mode and is now passing through all traffic
unoptimized. This error is generated if the optimization service locks up or crashes. It can also
be generated when the system is first turned on or turned off. If this trap is generated on a
system that was previously optimizing and is still running, you should contact Riverbed Technical
Support.

Trap: raidError (enterprises.17163.1.1.4.8)
Text: An error has been generated by the RAID array.
Description: A drive has failed in a RAID array. Consult the CLI or Management Console to
determine the location of the failed drive. Please contact Riverbed Technical Support for
assistance with installing the spare drive. The appliance continues to optimize during this event.
After the error is corrected, the alarm clears on its own.
NOTE: Applicable to models 3010, 3510, 3020, 3520, 5010, 5520, 6020 only.

Trap: storeCorruption (enterprises.17163.1.1.4.9)
Text: The data store is corrupted.
Description: Corruption has been detected in the data store. Please contact Riverbed Technical
Support immediately. If you have recently downgraded to a previous software version, see Related
Topics on page 107.

Trap: admissionMemError (enterprises.17163.1.1.4.10)
Text: Admission control memory alarm has been triggered.
Description: The appliance has entered admission control due to memory consumption. The appliance
is optimizing traffic beyond its rated capability and is unable to handle the amount of traffic
passing through the WAN link. During this event, the appliance will continue to optimize existing
connections, but new connections are passed through without optimization. No other action is
necessary as the alarm clears on its own when the traffic has decreased.

Trap: admissionConnError (enterprises.17163.1.1.4.11)
Text: Admission control connections alarm has been triggered.
Description: The appliance has entered admission control due to the number of connections and is
unable to handle the amount of connections going over the WAN link. During this event, the
appliance continues to optimize existing connections, but new connections are passed through
without optimization. No other action is necessary as the alarm clears on its own when the traffic
has decreased.

Trap: haltError (enterprises.17163.1.1.4.12)
Text: The service is halted due to a software error.
Description: The optimization service has halted due to a serious software error. Please contact
Riverbed Technical Support immediately.


Trap: serviceError (enterprises.17163.1.1.4.13)
Text: There has been a service error. Please consult the log file.
Description: The optimization service has encountered a condition which may degrade optimization
performance. Please consult the system log for more information. No other action is necessary.

Trap: scheduledJobError (enterprises.17163.1.1.4.14)
Text: A scheduled job has failed during execution.
Description: A scheduled job on the system (for example, a software upgrade) has failed. Please
use the CLI or the Management Console to determine which job failed.

Trap: confModeEnter (enterprises.17163.1.1.4.15)
Text: A user has entered configuration mode.
Description: A user on the system has entered a configuration mode from either the CLI or
Management Console. A log in to the Management Console by user admin sends this trap as well.
This is for notification purposes only; no other action is necessary.

Trap: confModeExit (enterprises.17163.1.1.4.16)
Text: A user has exited configuration mode.
Description: A user on the system has exited configuration mode from either the CLI or Management
Console. A log out of the Management Console by user admin sends this trap as well. This is for
notification purposes only; no other action is necessary.

Trap: linkError (enterprises.17163.1.1.4.0.17)
Text: An interface on the appliance has lost its link.
Description: The system has lost one of its Ethernet links due to a network event. Check the
physical connectivity between the Steelhead appliance and its neighbor device. This should be
investigated as soon as possible as depending on what link is down, the system might no longer be
optimizing and a network outage could occur.

Trap: nfsV2V4 (enterprises.17163.1.1.4.0.18)
Text: NFS v2/v4 alarm notification.
Description: The Steelhead appliance has detected that either NFSv2 or NFSv4 is in use. The
Steelhead appliance only supports NFSv3 and will pass through all other versions. Check that the
clients and servers are using NFSv3 and reconfigure if necessary.

Trap: powerSupplyError (enterprises.17163.1.1.4.0.19)
Text: A power supply on the appliance has failed (not supported on all models).
Description: A redundant power supply on the appliance has failed and needs to be replaced. Please
contact Riverbed Technical Support for an RMA replacement as soon as practically possible.

Trap: asymRouteError (enterprises.17163.1.1.4.0.20)
Text: Asymmetric routes have been detected, certain connections might not have been optimized
because of this.
Description: Asymmetric routing has been detected on the network. In the NMCI architecture, this
is very likely due to a failover event of an inner router or VPN. If so, no action needs to be
taken. If not, please contact Riverbed Technical Support for further troubleshooting assistance.

Trap: fanError (enterprises.17163.1.1.4.0.21)
Text: A fan has failed on this appliance (not supported on all models).
Description: A fan is failing or has failed and needs to be replaced. Please contact Riverbed
Technical Support for an RMA replacement as soon as practically possible.

Trap: memoryError (enterprises.17163.1.1.4.0.22)
Text: A memory error has been detected on the appliance (not supported on all models).
Description: A memory error has been detected. A system memory stick might be failing. Try
resetting the memory first. If the problem persists, please contact Riverbed Technical Support for
an RMA replacement as soon as practically possible.


Trap: ipmi (enterprises.17163.1.1.4.0.23)
Text: An IPMI event has been detected on the appliance. Please check the details in the alarm
report on the Web UI (not supported on all models).
Description: An Intelligent Platform Management Interface (IPMI) event has been detected. Check
the Alarm Status page for more detail.

Trap: configChange (enterprises.17163.1.1.4.0.24)
Text: A change has been made to the system's configuration.
Description: A configuration change has been detected. Check the log files around the time of this
trap to determine what changes were made and whether they were authorized.

Trap: datastoreWrapped (enterprises.17163.1.1.4.0.25)
Text: The datastore has wrapped around.
Description: The data store on the Steelhead appliance went through an entire cycle and is
removing data to make space for new data. This is normal behavior unless it wraps too quickly,
which might indicate the data store is undersized.

Trap: temperatureCritical (enterprises.17163.1.1.4.0.26)
Text: The temperature of the system has reached critical stage.
Description: The system temperature has reached critical stage. Please contact Riverbed Technical
Support for assistance.

Trap: cpuUtilClear (enterprises.17163.1.1.4.0.27)
Text: The average CPU utilization has fallen back within the acceptable threshold.
Description: The average CPU utilization has fallen back within the acceptable threshold. Please
contact Riverbed Technical Support for assistance.

Steelhead Enterprise MIB


The following text represents the Steelhead Enterprise MIB file (STEELHEAD-MIB.txt).

STEELHEAD-MIB DEFINITIONS ::= BEGIN

IMPORTS
    OBJECT-TYPE, MODULE-IDENTITY, NOTIFICATION-TYPE, enterprises, Unsigned32,
    TimeTicks, IpAddress, Counter64 FROM SNMPv2-SMI
    DateAndTime FROM SNMPv2-TC
    products FROM RBT-MIB;

steelhead MODULE-IDENTITY
    LAST-UPDATED    "200701080000Z"
    ORGANIZATION    "Riverbed Technology, Inc."
    CONTACT-INFO
        "
        Balaji Ramachandran
        balajir@riverbed.com"
    DESCRIPTION     "Steelhead MIB"
    REVISION        "200702010000Z"
    DESCRIPTION     "Riverbed Steelhead 4.0 Revisions"
    ::= { products 1 }

system OBJECT IDENTIFIER
    ::= { steelhead 1 }

status OBJECT IDENTIFIER
    ::= { steelhead 2 }

config OBJECT IDENTIFIER
    ::= { steelhead 3 }

alarms OBJECT IDENTIFIER
    ::= { steelhead 4 }

statistics OBJECT IDENTIFIER
    ::= { steelhead 5 }

---- SYSTEM
--model OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Appliance model"
::= { system 1 }
serialNumber OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Appliance serial number"
::= { system 2 }
systemVersion OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"System software version string"
::= { system 3 }
--
-- STATUS
--
systemClock OBJECT-TYPE
SYNTAX
DateAndTime
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"System clock time"
::= { status 1 }
health OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current health of the system. The value is one amongst
Healthy, Admission Control, Degraded, Critical"
::= { status 2 }
serviceStatus OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current


DESCRIPTION
"Current status of the optimization service"
::= { status 3 }
serviceUptime OBJECT-TYPE
SYNTAX
TimeTicks
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Uptime of the optimization service"
::= { status 4 }
procTable OBJECT-TYPE
SYNTAX
SEQUENCE OF ProcEntry
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Table containing information about the various
managed processes"
::= { status 5 }
procEntry OBJECT-TYPE
SYNTAX
ProcEntry
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Entry for one process"
INDEX
{ procIndex }
::= { procTable 1 }
ProcEntry ::=
    SEQUENCE {
        procIndex          Unsigned32,
        procName           OCTET STRING,
        procStatus         OCTET STRING,
        procNumFailures    Unsigned32
    }

procIndex OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Synthetic numeric unique ID of process"
::= { procEntry 1 }
procName OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Unique name of process"
::= { procEntry 2 }
procStatus OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current state of process"
::= { procEntry 3 }
procNumFailures OBJECT-TYPE
SYNTAX
Unsigned32


MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Number of times process has crashed or exited unexpectedly"
::= { procEntry 4 }
peerStatus OBJECT IDENTIFIER
::= { status 6 }
peerTable OBJECT-TYPE
SYNTAX
SEQUENCE OF PeerEntry
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"A table containing information about the various peer
appliances"
::= { peerStatus 1 }
peerEntry OBJECT-TYPE
SYNTAX
PeerEntry
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Entry for one peer"
INDEX
{ peerIndex }
::= { peerTable 1 }
PeerEntry ::=
    SEQUENCE {
        peerIndex       Unsigned32,
        peerHostname    OCTET STRING,
        peerVersion     OCTET STRING,
        peerAddress     IpAddress,
        peerModel       OCTET STRING
    }

peerIndex OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Index of peer"
::= { peerEntry 1 }
peerHostname OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Hostname of peer"
::= { peerEntry 2 }
peerVersion OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"System software version of peer"
::= { peerEntry 3 }
peerAddress OBJECT-TYPE
SYNTAX
IpAddress
MAX-ACCESS read-only
STATUS
current


DESCRIPTION
"IP address of peer"
::= { peerEntry 4 }
peerModel OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Model of peer"
::= { peerEntry 5 }
systemHealth OBJECT-TYPE
SYNTAX
INTEGER {
healthy (10000),
degraded (30000),
admissionControl (31000),
critical (50000)
}
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current health of the system. This variable is identical to
health except that it is of integer datatype"
::= { status 7 }
optServiceStatus OBJECT-TYPE
SYNTAX
INTEGER {
none (0),
unmanaged (1),
running (2),
sentTerm1 (3),
sentTerm2 (4),
sentTerm3 (5),
pending (6),
stopped (7)
}
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Status of the optimization service. This variable is identical to
serviceStatus except that it is of integer datatype"
::= { status 8 }
--
-- CONFIG
--
activeConfig OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Name of the currently active configuration"
::= { config 1 }
inpath OBJECT IDENTIFIER
::= { config 2 }
inpathSupport OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current


DESCRIPTION
"In-path support"
::= { inpath 1 }
outofpath OBJECT IDENTIFIER
::= { config 3 }
outofpathSupport OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Out-of-path support"
::= { outofpath 1 }
--
-- ALARMS
--
alarmsPrefix OBJECT IDENTIFIER
::= { alarms 0 }
procCrash NOTIFICATION-TYPE
OBJECTS { procName }
STATUS current
DESCRIPTION
"A procCrash trap signifies that a process managed by PM
has crashed and left a core file. The variable sent with
the notification indicates which process crashed."
::= { alarmsPrefix 1 }
procExit NOTIFICATION-TYPE
OBJECTS { procName }
STATUS current
DESCRIPTION
"A procExit trap signifies that a process managed by PM
has exited unexpectedly, but not left a core file.
The variable sent with the notification indicates
which process exited."
::= { alarmsPrefix 2 }
cpuUtil NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The average CPU utilization in the past minute has gone
above the acceptable threshold"
::= { alarmsPrefix 3 }
pagingActivity NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The system has been paging excessively (thrashing)"
::= { alarmsPrefix 4 }
smartError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"SMART has sent an event about a possible disk error"
::= { alarmsPrefix 5 }
peerVersionMismatch NOTIFICATION-TYPE
OBJECTS { systemVersion }


STATUS current
DESCRIPTION
"Detected a peer with a mismatched software version"
::= { alarmsPrefix 6 }
bypassMode NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Traffic is being passed through"
::= { alarmsPrefix 7 }
raidError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An error has been generated by the RAID array"
::= { alarmsPrefix 8 }
storeCorruption NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The data store is corrupted"
::= { alarmsPrefix 9 }
admissionMemError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Memory pressure is high. No additional connections will be
optimized"
::= { alarmsPrefix 10 }
admissionConnError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Connection limit reached. No additional connections will be
optimized"
::= { alarmsPrefix 11 }
haltError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The service is halted due to a software error"
::= { alarmsPrefix 12 }
serviceError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"There has been a non-fatal optimization service error.
Please consult the log file"
::= { alarmsPrefix 13 }
scheduledJobError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A scheduled job has failed during execution"
::= { alarmsPrefix 14 }
confModeEnter NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A user has entered configuration mode"
::= { alarmsPrefix 15 }
confModeExit NOTIFICATION-TYPE
STATUS current


DESCRIPTION
"A user has exited configuration mode"
::= { alarmsPrefix 16 }
linkError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An interface on the appliance has lost its link"
::= { alarmsPrefix 17 }
nfsV2V4 NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"NFS v2/v4 alarm notification"
::= { alarmsPrefix 18 }
powerSupplyError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A power supply on the appliance has failed" -- Not supported on all models
::= { alarmsPrefix 19 }
asymRouteError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Asymmetric routes have been detected,certain connections might
not have been optimized because of this."
::= { alarmsPrefix 20 }
fanError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A fan has failed on this appliance" -- Not supported on all models
::= { alarmsPrefix 21 }

memoryError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A memory error has been detected on the appliance" -- Not supported on all models
::= { alarmsPrefix 22 }
ipmi NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An IPMI event has been detected on the appliance. Please check
the details in the alarm report on the web UI" -- Not supported on all models
::= { alarmsPrefix 23 }
cpuUtilClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The average CPU utilization has fallen back
within the acceptable threshold"
::= { alarmsPrefix 1003 }
pagingActivityClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The system has stopped paging excessively (thrashing)"
::= { alarmsPrefix 1004 }
peerVersionMismatchClear NOTIFICATION-TYPE
OBJECTS { systemVersion }
STATUS current


DESCRIPTION
"All peers are compatible"
::= { alarmsPrefix 1006 }
bypassModeClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Traffic is now being optimized"
::= { alarmsPrefix 1007 }
raidErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A RAID error has been cleared"
::= { alarmsPrefix 1008 }
storeCorruptionClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The data store is normal"
::= { alarmsPrefix 1009 }
admissionMemErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Admission control memory alarm has been cleared,
and the optimization service is running normally"
::= { alarmsPrefix 1010 }
admissionConnErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Admission control connections alarm has been cleared,
and the service is running normally"
::= { alarmsPrefix 1011 }
haltErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The service is now running normally"
::= { alarmsPrefix 1012 }
serviceErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The service is now running normally"
::= { alarmsPrefix 1013 }
linkErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An interface on the appliance has regained its link"
::= { alarmsPrefix 1017 }
nfsV2V4Clear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"NFS v2/v4 alarm has been cleared"
::= { alarmsPrefix 1018 }
powerSupplyErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"All power supplies are now functioning normally" -- Not supported on all models


::= { alarmsPrefix 1019 }


asymRouteErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"All asymmetric routes have expired or have been cleared"
::= { alarmsPrefix 1020 }
fanErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"All system fans are now functioning normally" -- Not supported on all models
::= { alarmsPrefix 1021 }
memoryErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A memory error has been rectified on the appliance" -- Not supported on all models
::= { alarmsPrefix 1022 }
ipmiClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An IPMI event has been rectified on the appliance" -- Not supported on all models
::= { alarmsPrefix 1023 }
--
-- STATISTICS
--
cpuLoad OBJECT IDENTIFIER
::= { statistics 1 }
cpuLoad1 OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"One-minute CPU load in hundreths"
::= { cpuLoad 1 }
cpuLoad5 OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Five-minute CPU load in hundreths"
::= { cpuLoad 2 }
cpuLoad15 OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Fifteen-minute CPU load in hundreths"
::= { cpuLoad 3 }
cpuUtil1 OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Percentage CPU utilization, aggregated across all CPUs, rolling
average over the past minute"
::= { cpuLoad 4 }
cpuIndivUtilTable OBJECT-TYPE
SYNTAX
SEQUENCE OF CPUIndivUtilEntry
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Details about the individual CPU utilization"
::= { cpuLoad 5 }
cpuIndivUtilEntry OBJECT-TYPE
SYNTAX
CPUIndivUtilEntry
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Entry for one cpu"
INDEX
{ cpuIndivId }
::= {cpuIndivUtilTable 1 }
CPUIndivUtilEntry ::=
    SEQUENCE {
        cpuIndivIndex         Unsigned32,
        cpuIndivId            Unsigned32,
        cpuIndivIdleTime      Unsigned32,
        cpuIndivSystemTime    Unsigned32,
        cpuIndivUserTime      Unsigned32
    }

cpuIndivIndex OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"A synthetic number numbering the cpus"
::= { cpuIndivUtilEntry 1 }
cpuIndivId OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Name of the cpu, also serves as the Index for the table"
::= { cpuIndivUtilEntry 2 }
cpuIndivIdleTime OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Idle time for this CPU"
::= { cpuIndivUtilEntry 3 }
cpuIndivSystemTime OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"System time for this CPU"
::= { cpuIndivUtilEntry 4 }
cpuIndivUserTime OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible


STATUS
current
DESCRIPTION
"User time for this CPU"
::= { cpuIndivUtilEntry 5 }
connectionCounts OBJECT IDENTIFIER
::= { statistics 2 }
optimizedConnections OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current total number of optimized connections"
::= { connectionCounts 1 }
passthroughConnections OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current total number of pass-through connections"
::= { connectionCounts 2 }
halfOpenedConnections OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current total number of half-opened (optimized) connections"
::= { connectionCounts 3 }
halfClosedConnections OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current total number of half-closed (optimized) connections"
::= { connectionCounts 4 }
establishedConnections OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current number of established (optimized) connections"
::= { connectionCounts 5 }
activeConnections OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current number of active (optimized) connections"
::= { connectionCounts 6 }
totalConnections OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Total number of connections"
::= { connectionCounts 7 }


bandwidth OBJECT IDENTIFIER


::= { statistics 3 }
bandwidthAggregate OBJECT IDENTIFIER
::= { bandwidth 1 }
bwAggInLan OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Total bytes WanToLan LAN side since last restart of service"
::= { bandwidthAggregate 1 }
bwAggInWan OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Total bytes from Wan to Lan on the WAN side,
since last restart of service"
::= { bandwidthAggregate 2 }
bwAggOutLan OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Total bytes from Lan to Wan on the LAN side,
since last restart of service"
::= { bandwidthAggregate 3 }
bwAggOutWan OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Total bytes from Lan to Wan on the WAN side,
since last restart of service"
::= { bandwidthAggregate 4 }
bandwidthPerPort OBJECT IDENTIFIER
::= { bandwidth 2 }
bwPortTable OBJECT-TYPE
SYNTAX
SEQUENCE OF BWPortEntry
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"List of bandwidth ports"
::= { bandwidthPerPort 1 }
bwPortEntry OBJECT-TYPE
SYNTAX
BWPortEntry
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Entry for one port"
INDEX
{ bwPort }
::= { bwPortTable 1 }
BWPortEntry ::=
    SEQUENCE {
        bwPort          Unsigned32,
        bwPortInLan     Counter32,
        bwPortInWan     Counter32,
        bwPortOutLan    Counter32,
        bwPortOutWan    Counter32,
        bwPortNumber    Unsigned32,
    }
bwPort OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Index for the table"
::= { bwPortEntry 1 }
bwPortInLan OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Bytes from Wan to Lan on the LAN side,
since last restart of service"
::= { bwPortEntry 2 }
bwPortInWan OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Bytes from Wan to Lan on the WAN side,
since last restart of service"
::= { bwPortEntry 3 }
bwPortOutLan OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Bytes from Lan to Wan on the LAN side,
since last restart of service"
::= { bwPortEntry 4 }
bwPortOutWan OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Bytes from Lan to Wan on the WAN side,
since last restart of service"
::= { bwPortEntry 5 }
bwPortNumber OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Port Number on which the traffic is observed"
::= { bwPortEntry 6 }
bandwidthPassThrough OBJECT IDENTIFIER
::= { bandwidth 3 }
bwPassThroughIn OBJECT-TYPE
SYNTAX
Counter64


MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Amount of incoming passthrough traffic"
::= { bandwidthPassThrough 1 }
bwPassThroughOut OBJECT-TYPE
SYNTAX
Counter64
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Amount of outgoing pass through traffic"
::= { bandwidthPassThrough 2 }
bwPassThroughTotal OBJECT-TYPE
SYNTAX
Counter64
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Total pass through traffic"
::= { bandwidthPassThrough 3 }
datastore OBJECT IDENTIFIER
::= { statistics 4 }
hitsTotal OBJECT-TYPE
SYNTAX
Counter64
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Total number of datastore hits since last restart of service"
::= { datastore 1 }
missTotal OBJECT-TYPE
SYNTAX
Counter64
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Total number of datastore misses since last restart of service"
::= { datastore 2 }
END
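The notifications in the STEELHEAD-MIB listing above sit under enterprises.17163.1.1.4.0, and every alarm that has a Clear counterpart defines it at the same sub-identifier plus 1000. The Python below is an added example, not part of the Riverbed manual or its MIB files: it resolves received trap OIDs against that listing and keeps per-host alarm and configuration-mode state. The class and function names, host names and sample traps are constructed for illustration.

```python
# Added example: resolve Steelhead trap OIDs from the MIB listing and track state.
ENTERPRISES = (1, 3, 6, 1, 4, 1)
# Tree from the MIBs on this page: rbt = enterprises 17163, products = rbt 1,
# steelhead = products 1, alarms = steelhead 4, alarmsPrefix = alarms 0.
ALARMS_PREFIX = ENTERPRISES + (17163, 1, 1, 4, 0)

# alarmsPrefix sub-identifiers of the raise notifications, copied from the MIB.
RAISE = {
    1: "procCrash", 2: "procExit", 3: "cpuUtil", 4: "pagingActivity",
    5: "smartError", 6: "peerVersionMismatch", 7: "bypassMode", 8: "raidError",
    9: "storeCorruption", 10: "admissionMemError", 11: "admissionConnError",
    12: "haltError", 13: "serviceError", 14: "scheduledJobError",
    15: "confModeEnter", 16: "confModeExit", 17: "linkError", 18: "nfsV2V4",
    19: "powerSupplyError", 20: "asymRouteError", 21: "fanError",
    22: "memoryError", 23: "ipmi",
}
# Sub-identifiers for which the MIB defines a "...Clear" notification at +1000.
CLEARABLE = {3, 4, 6, 7, 8, 9, 10, 11, 12, 13, 17, 18, 19, 20, 21, 22, 23}


def parse_oid(text):
    """Accept dotted decimal, a leading dot, or the manual's 'enterprises.' form."""
    text = text.strip().lstrip(".")
    if text.startswith("enterprises."):
        text = ".".join(map(str, ENTERPRISES)) + "." + text[len("enterprises."):]
    return tuple(int(part) for part in text.split("."))


def resolve(oid):
    """Return (name, kind) for an OID under alarmsPrefix, or None if foreign."""
    if len(oid) != len(ALARMS_PREFIX) + 1 or oid[:-1] != ALARMS_PREFIX:
        return None
    sub = oid[-1]
    if sub in RAISE:
        return RAISE[sub], ("raise" if sub in CLEARABLE else "event")
    if sub - 1000 in CLEARABLE:
        return RAISE[sub - 1000] + "Clear", "clear"
    return "unknown-%d" % sub, "unknown"


class AlarmTracker:
    """Hypothetical collector-side state built from a stream of trap OIDs."""

    def __init__(self):
        self.active = {}       # host -> set of alarms raised and not yet cleared
        self.config_open = {}  # host -> confModeEnter count without confModeExit
        self.findings = []     # (host, message) items that need a person to look

    def apply(self, host, oid_text):
        try:
            resolved = resolve(parse_oid(oid_text))
        except ValueError:
            self.findings.append((host, "malformed OID: " + oid_text))
            return None
        if resolved is None:
            return None  # not a Steelhead alarm notification
        name, kind = resolved
        active = self.active.setdefault(host, set())
        if kind == "raise":
            active.add(name)
        elif kind == "clear":
            base = name[:-len("Clear")]
            if base in active:
                active.discard(base)
            else:  # raise was lost or predates the collector
                self.findings.append((host, "clear without raise: " + name))
        elif name == "confModeEnter":
            self.config_open[host] = self.config_open.get(host, 0) + 1
        elif name == "confModeExit":
            if self.config_open.get(host, 0) > 0:
                self.config_open[host] -= 1
            else:
                self.findings.append((host, "confModeExit without confModeEnter"))
        elif kind == "unknown":
            self.findings.append((host, name + " is not in the MIB listing"))
        else:  # one-shot events such as procCrash have no Clear to wait for
            self.findings.append((host, "event: " + name))
        return name


SAMPLE_TRAPS = [  # constructed (host, trap OID) pairs
    ("sh-branch1", "1.3.6.1.4.1.17163.1.1.4.0.15"),     # confModeEnter
    ("sh-branch1", "1.3.6.1.4.1.17163.1.1.4.0.7"),      # bypassMode
    ("sh-branch1", "enterprises.17163.1.1.4.0.3"),      # cpuUtil
    ("sh-branch1", ".1.3.6.1.4.1.17163.1.1.4.0.1003"),  # cpuUtilClear
    ("sh-branch1", "1.3.6.1.4.1.17163.1.1.4.0.1"),      # procCrash
    ("sh-branch1", "enterprises.17163.1.1.4.0.25"),     # not defined in the MIB text
    ("sh-dc1", "1.3.6.1.4.1.17163.1.1.4.0.1017"),       # linkErrorClear, no raise seen
    ("sh-dc1", "1.3.6.1.6.3.1.1.5.1"),                  # coldStart, outside this MIB
]


def run_sample():
    tracker = AlarmTracker()
    for host, oid in SAMPLE_TRAPS:
        tracker.apply(host, oid)
    return tracker


if __name__ == "__main__":
    tracker = run_sample()
    for host in sorted(tracker.active):
        print(host, "active:", sorted(tracker.active[host]),
              "open config sessions:", tracker.config_open.get(host, 0))
    for host, message in tracker.findings:
        print(host, message)
```

After the run, `active` holds the alarms still raised per host and `config_open` counts configuration-mode sessions that have not yet produced a confModeExit.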

Interceptor MIB File: Contents


The following text is the contents of the Interceptor MIB file (INTERCEPTOR-MIB.txt).
INTERCEPTOR-MIB DEFINITIONS ::= BEGIN
IMPORTS
OBJECT-TYPE, MODULE-IDENTITY, NOTIFICATION-TYPE, enterprises, Unsigned32,
TimeTicks, IpAddress, Counter64 FROM SNMPv2-SMI
DateAndTime FROM SNMPv2-TC
products FROM RBT-MIB;
interceptor MODULE-IDENTITY
LAST-UPDATED
"200701170000Z"
ORGANIZATION
"Riverbed Technology, Inc."
CONTACT-INFO
"
Balaji Ramachandran
balajir@riverbed.com"
DESCRIPTION
"Riverbed Technology INTERCEPTOR MIB"
REVISION
"200701170000Z"
DESCRIPTION
"Riverbed Interceptor 1.1 Revisions"
REVISION
"200602030000Z"
DESCRIPTION
"Riverbed Interceptor 1.0 MIB"
::= { products 3 }
system OBJECT IDENTIFIER
::= { interceptor 1 }
status OBJECT IDENTIFIER
::= { interceptor 2 }
config OBJECT IDENTIFIER
::= { interceptor 3 }
alarms OBJECT IDENTIFIER
::= { interceptor 4 }
statistics OBJECT IDENTIFIER
::= { interceptor 5 }
--
-- SYSTEM
--
model OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Appliance model"
::= { system 1 }
serialNumber OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Appliance serial number"
::= { system 2 }
systemVersion OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"System software version string"
::= { system 3 }
--
-- STATUS
--
systemClock OBJECT-TYPE
SYNTAX
DateAndTime
MAX-ACCESS read-only
STATUS
current
DESCRIPTION


"System clock time"


::= { status 1 }
health OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current health"
::= { status 2 }
serviceStatus OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current service status"
::= { status 3 }
serviceUptime OBJECT-TYPE
SYNTAX
TimeTicks
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current service uptime"
::= { status 4 }
procTable OBJECT-TYPE
SYNTAX
SEQUENCE OF ProcEntry
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"List of managed processes"
::= { status 5 }
procEntry OBJECT-TYPE
SYNTAX
ProcEntry
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Entry for one process"
INDEX
{ procIndex }
::= { procTable 1 }
ProcEntry ::=
    SEQUENCE {
        procIndex          Unsigned32,
        procName           OCTET STRING,
        procStatus         OCTET STRING,
        procNumFailures    Unsigned32
    }

procIndex OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Synthetic numeric unique ID of process"
::= { procEntry 1 }
procName OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current


DESCRIPTION
"Unique name of process"
::= { procEntry 2 }
procStatus OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current state of process"
::= { procEntry 3 }
procNumFailures OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Number of times process has crashed or exited unexpectedly"
::= { procEntry 4 }
neighborTable OBJECT-TYPE
SYNTAX
SEQUENCE OF NeighborEntry
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"List of managed steelheads"
::= { status 6 }
neighborEntry OBJECT-TYPE
SYNTAX
NeighborEntry
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Entry for one steelhead"
INDEX
{ neighborId }
::= { neighborTable 1 }
NeighborEntry ::=
    SEQUENCE {
        neighborIndex               Unsigned32,
        neighborId                  Unsigned32,
        neighborName                OCTET STRING,
        neighborConnectionCount     Unsigned32,
        neighborConnectionEnable    Unsigned32,
    }

neighborIndex OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Synthetic numeric unique ID of steelhead"
::= { neighborEntry 1 }
neighborId OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Synthetic numeric unique ID of steelhead"
::= { neighborEntry 2 }
neighborName OBJECT-TYPE
SYNTAX
OCTET STRING


MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Unique name of steelhead"
::= { neighborEntry 3 }
neighborConnectionCount OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"The number of optimized connections"
::= { neighborEntry 4 }
neighborConnectionEnable OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"The number of connections to trigger admission control"
::= { neighborEntry 5 }
--
-- CONFIG
--
activeConfig OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current active configuration"
::= { config 1 }
--
-- ALARMS
--
alarmsPrefix OBJECT IDENTIFIER
::= { alarms 1 }
procCrash NOTIFICATION-TYPE
OBJECTS { procIndex, procName }
STATUS current
DESCRIPTION
"A procCrash trap signifies that a process managed by PM
has crashed and left a core file. The variable sent with
the notification indicates which process crashed."
::= { alarmsPrefix 1 }
procExit NOTIFICATION-TYPE
OBJECTS { procIndex, procName }
STATUS current
DESCRIPTION
"A procExit trap signifies that a process managed by PM
has exited unexpectedly, but not left a core file.
The variable sent with the notification indicates
which process exited."
::= { alarmsPrefix 2 }


cpuUtil NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The average CPU utilization in the past minute has gone
above the acceptable threshold"
::= { alarmsPrefix 3 }
pagingActivity NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The system has been paging excessively (thrashing)"
::= { alarmsPrefix 4 }
bypassMode NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The appliance has entered bypass (failthru) mode"
::= { alarmsPrefix 5 }
admissionMemError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Admission control memory alarm has been triggered"
::= { alarmsPrefix 6 }
admissionConnError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Admission control connections alarm has been triggered"
::= { alarmsPrefix 7 }
scheduledJobError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A scheduled job has failed during execution"
::= { alarmsPrefix 8 }
confModeEnter NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A user has entered configuration mode"
::= { alarmsPrefix 9 }
confModeExit NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A user has exited configuration mode"
::= { alarmsPrefix 10 }
linkError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An interface has lost link on the appliance"
::= { alarmsPrefix 11 }
powerSupplyError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A power supply on the appliance has failed. Not supported on all models"
::= { alarmsPrefix 12 }
fanError NOTIFICATION-TYPE
STATUS current
DESCRIPTION


"A fan error has been detected on the appliance. Not supported on all models"
::= { alarmsPrefix 13 }
memoryError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A memory error has been detected on the appliance. Not supported on all models"
::= { alarmsPrefix 14 }
ipmi NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An IPMI event has been detected on the appliance. Not supported on all models"
::= { alarmsPrefix 15 }
linkPropagationStateError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An interface has link propagation state error on the appliance"
::= { alarmsPrefix 16 }
cpuUtilClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The average CPU utilization has fallen back
within the acceptable threshold"
::= { alarmsPrefix 1003 }
pagingActivityClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The system has stopped paging excessively (thrashing)"
::= { alarmsPrefix 1004 }
bypassModeClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Traffic is now being optimized"
::= { alarmsPrefix 1005 }
admissionMemErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Admission control memory alarm has been cleared,
and the optimization service is running normally"
::= { alarmsPrefix 1006 }
admissionConnErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Admission control connections alarm has been cleared,
and the service is running normally"
::= { alarmsPrefix 1007 }
linkErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An interface on the appliance has regained its link"
::= { alarmsPrefix 1011 }
powerSupplyErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"All power supplies are now functioning normally" -- Not supported on all models


::= { alarmsPrefix 1012 }


fanErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"All system fans are now functioning normally" -- Not supported on all models
::= { alarmsPrefix 1013 }
memoryErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A memory error has been rectified on the appliance" -- Not supported on all models
::= { alarmsPrefix 1014 }
ipmiClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An IPMI event has been rectified on the appliance" -- Not supported on all models
::= { alarmsPrefix 1015 }
linkPropagationStateErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A link propagation state error on an interface on the appliance
has been rctified"
::= { alarmsPrefix 1016 }
--
-- STATISTICS
--
cpuLoad OBJECT IDENTIFIER
::= { statistics 1 }
cpuLoad1 OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"One-minute CPU load in hundreths"
::= { cpuLoad 1 }
cpuLoad5 OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"One-minute CPU load in hundreths"
::= { cpuLoad 2 }
cpuLoad15 OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Fifteen-minute CPU load in hundreths"
::= { cpuLoad 3 }
cpuUtil1 OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION

"Percentage CPU utilization, aggregated across all CPUs, rolling
average over the past minute"
::= { cpuLoad 4 }
END

Riverbed MIB
The following text represents the Riverbed MIB (RBT-MIB.txt).
RBT-MIB DEFINITIONS ::= BEGIN
IMPORTS
OBJECT-TYPE, MODULE-IDENTITY, enterprises FROM SNMPv2-SMI;
rbt MODULE-IDENTITY
LAST-UPDATED
"200604100000Z"
ORGANIZATION
"Riverbed Technology, Inc."
CONTACT-INFO
"
John Cho
jcho@riverbed.com"
DESCRIPTION
"Riverbed Technology MIB"
::= { enterprises 17163 }
products OBJECT IDENTIFIER
::= { rbt 1 }
END


Acronyms and Abbreviations

AAA. Authentication, Authorization, and Accounting.


ACL. Access Control List.
ACS. (Cisco) Access Control Server.
AD. Active Directory.
ADS. Active Directory Services.
AES. Advanced Encryption Standard.
AR. Asymmetric Routing.
ARP. Address Resolution Protocol.
BDP. Bandwidth-Delay Product.
BW. Bandwidth.
CA. Certificate Authority.
CAD. Computer Aided Design.
CDP. Cisco Discovery Protocol.
CHD. Computed Historical Data.
CIFS. Common Internet File System.
CLI. Command-Line Interface.
CMC. Central Management Console.
CPU. Central Processing Unit.
CSR. Certificate Signing Request.
CSV. Comma-Separated Value.

DC. Domain Controller.


DES. Data Encryption Standard.
DID. Deployment ID.
DMZ. Demilitarized zone.
DER. Distinguished Encoding Rules.
DHCP. Dynamic Host Configuration Protocol.
DNS. Domain Name Service.
DSA. Digital Signature Algorithm.
DSCP. Differentiated Services Code Point.
ECC. Error-Correcting Code.
ESD. Electrostatic Discharge.
FDDI. Fiber Distributed Data Interface.
FIFO. First in First Out.
FSID. File System ID.
FTP. File Transfer Protocol.
GB. Gigabytes.
GMT. Greenwich Mean Time.
GRE. Generic Routing Encapsulation.
GUI. Graphical User Interface.
HFSC. Hierarchical Fair Service Curve.
HSRP. Hot Standby Routing Protocol.
HSTCP. High-Speed Transmission Control Protocol.
HTTP. HyperText Transport Protocol.
HTTPS. HyperText Transport Protocol Secure.
ICMP. Internet Control Message Protocol.
ID. Identification number.
IGP. Interior Gateway Protocol.


IOS. (Cisco) Internetwork Operating System.


IKE. Internet Key Exchange.
IP. Internet Protocol.
IPMI. Intelligent Platform Management Interface.
IPSec. Internet Protocol Security protocol.
ISL. InterSwitch Link. Also known as Cisco InterSwitch Link Protocol.
L2. Layer-2.
L4. Layer-4.
LAN. Local Area Network.
LED. Light-Emitting Diode.
LZ. Lempel-Ziv.
MAC. Media Access Control.
MAPI. Messaging Application Protocol Interface.
MEISI. Microsoft Exchange Information Store Interface.
MIB. Management Information Base.
MOTD. Message of the Day.
MS GPO. Microsoft Group Policy Object.
MS SMS. Microsoft Systems Management Server.
MS-SQL. Microsoft Structured Query Language.
MSFC. Multilayer Switch Feature Card.
MSI Package. Microsoft Installer Package.
MTU. Maximum Transmission Unit.
MX-TCP. Max-Speed TCP.
NAS. Network Attached Storage.
NAT. Network Address Translate.
NFS. Network File System.
NIS. Network Information Services.


NSPI. Name Service Provider Interface.


NTLM. Windows NT LAN Manager.
NTP. Network Time Protocol.
OSI. Open System Interconnection.
OSPF. Open Shortest Path First.
PAP. Password Authentication Protocol.
PBR. Policy-Based Routing.
PCI. Peripheral Component Interconnect.
PEM. Privacy Enhanced Mail.
PFS. Proxy File Service.
PKCS12. Public Key Cryptography Standard #12.
PRTG. Paessler Router Traffic Grapher.
QoS. Quality of Service.
RADIUS. Remote Authentication Dial-In User Service.
RAID. Redundant Array of Independent Disks.
RCU. Riverbed Copy Utility.
ROFS. Read-Only File System.
RSA. Rivest-Shamir-Adleman encryption method by RSA Security.
SA. Security Association.
SDR. Scalable Data Referencing.
SEL. System Event Log.
SFQ. Stochastic Fairness Queuing.
SMB. Server Message Block.
SMI. Structure of Management Information.
SMTP. Simple Mail Transfer Protocol.
SNMP. Simple Network Management Protocol.
SQL. Structured Query Language.


SSH. Secure Shell.


SSL. Secure Sockets Layer.
TA. Transaction Acceleration.
TACACS+. Terminal Access Controller Access Control System.
TCP. Transmission Control Protocol.
TCP/IP. Transmission Control Protocol/Internet Protocol.
TP. Transaction Prediction.
TTL. Time to Live.
ToS. Type of Service.
U. Unit.
UDP. User Datagram Protocol.
UNC. Universal Naming Convention.
URL. Uniform Resource Locator.
UTC. Universal Time Code.
VGA. Video Graphics Array.
VLAN. Virtual Local Area Network.
VoIP. Voice over IP.
VWE. Virtual Window Expansion.
WAN. Wide Area Network.
WCCP. Web Cache Communication Protocol.


Glossary

Acceleration Policy. An acceleration policy contains optimization rules for accelerating the WAN traffic for
endpoint clients. An acceleration policy is required for optimization to occur.
ARP. Address Resolution Protocol. An IP protocol used to obtain a node's physical address.
Assignment. An assignment occurs when an endpoint or acceleration policy is matched to a deployment
ID (DID).
Bandwidth. The upper limit on the amount of data, typically in kilobits per second (kbps), that can pass
through a network connection. Greater bandwidth indicates faster data transfer capability.
Bit. A binary digit. The smallest unit of information handled by a computer; either 1 or 0 in the binary
number system.
Blade. One component in a system designed to accept some number of components (blades).
Bridge. Device that connects and passes packets between two network segments that use the same
communications protocol. Bridges operate at the data link layer (Layer 2) of the OSI reference model. In
general, a bridge filters, forwards, or floods an incoming frame based on the MAC address of that frame.
Cache. A temporary storage area for frequently or recently accessed data.
CIFS. Common Internet File System. CIFS is the remote file system access protocol used by Windows
servers and clients to share files across the network.
Database Cursor. A record pointer in a database. When a database file is selected and the cursor is opened,
the cursor points to the first record in the file. Using various commands, the cursor can be moved forward,
backward, to top of file, bottom of file, and so forth.
Default Gateway. The default address of a network or Web site. It provides a single domain name and point
of entry to the network or site.
Deployment ID. The deployment ID (DID) is used to apply policies and policy updates to groups of
endpoint clients. The DID is associated with the endpoint client upon installation of an MSI package. The
Mobile Controller uses the DID to identify the client and provide its assigned policies and policy updates.
DHCP. Dynamic Host Configuration Protocol. Software that automatically assigns IP addresses to client
stations logging onto a TCP/IP network.

Domain. In the Internet, a portion of the Domain Name Service (DNS) that refers to groupings of networks
based on the type of organization or geography.
DMZ. Demilitarized Zone. A computer or small subnetwork that sits between a trusted internal network,
such as a corporate private LAN, and an untrusted external network, such as the public Internet. Typically,
the DMZ contains devices accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers, and DNS servers.
DNS. Domain Name Service. A system used in the Internet for translating names of network nodes into IP
addresses. A Domain Name Server notifies hosts of other host IP addresses, associating host names with IP
addresses.
Endpoint. An endpoint is a client computer. For example, a PC or laptop.
Endpoint Policy. An endpoint policy specifies machine-specific software settings for endpoint clients, such
as the data store size. An endpoint policy is required for optimization to occur.
Ethernet. The most widely used Local Area Network (LAN) access method.
FDDI. Fiber Distributed Data Interface. A set of American National Standards Institute (ANSI) protocols
for sending digital data over fiber optic cable. FDDI networks are token-passing networks and support
data rates of up to 100 Mbps (100 million bits per second). FDDI networks are typically used as backbones
for Wide Area Networks (WANs).
Filer. An appliance that attaches to a computer network and is used for data storage.
Gateway. A computer that acts as an intermediate device for two or more networks that use the same
protocols. The gateway functions as an entry and exit point to the network. Transport protocol conversion
might not be required, but some form of processing is typically performed.
Gigabit Ethernet. An Ethernet technology that raises transmission speed to 1 Gbps (1000 Mbps).
Hashing. Producing hash values for accessing data or for security. A hash value is a number generated from
a string of text. The hash is substantially smaller than the text itself and is generated by a formula in such a
way that it is extremely unlikely that some other text will produce the same hash value.
Heartbeat. A repeating signal transmitted from one appliance to another to indicate that the appliance is
operating.
Heuristic. A method of problem solving using exploration and trial-and-error methods. Heuristic program
design provides a framework for solving the problem, in contrast with a fixed set of algorithmic rules that
cannot vary.
Host. A computer or other computing device that resides on a network.
Host address. The IP address assigned to each computer attached to the network.
Host name. Name given to a computer, usually by DNS.

HSRP. Hot Standby Routing Protocol. HSRP is a routing protocol from Cisco that provides backup to a
router in the event of failure. Using HSRP, several routers are connected to the same segment of an Ethernet,
FDDI, or token-ring network and work together to present the appearance of a single virtual router on the
LAN. The routers share the same IP and MAC addresses; therefore, in the event of failure of one router, the
hosts on the LAN are able to continue forwarding packets to a consistent IP and MAC address. The process
of transferring the routing responsibilities from one device to another is transparent to the user.
HTTP. Hypertext Transport Protocol. The protocol used by Web browsers to communicate with Web
servers.
HTTPS. Hypertext Transport Protocol Secure. The protocol for accessing a secure Web server. Using HTTPS
directs the message to a secure port number to be managed by a security protocol.
Interface. The point at which a connection is made between two elements, systems, or devices so that they
can communicate with one another.
Internet. The collection of networks tied together to provide a global network that uses the TCP/IP suite of
protocols.
IP. Internet Protocol. Network layer protocol in the TCP/IP stack that enables a connectionless
internetwork service.
IP address. In IP version 4 (IPv4), a 32-bit address assigned to hosts using the IP protocol. Also called an
Internet address.
IPsec. Internet Protocol Security protocol. A set of protocols to support secure exchange of packets at the IP
layer. IPsec has been deployed widely to implement Virtual Private Networks (VPNs). IPsec supports two
encryption modes: Transport and Tunnel. For IPsec to work, the sending and receiving devices must share
a public key.
Latency. Delay between a request being issued and its response being received.
Layer 2. The communications protocol (called the data link layer or MAC layer) that contains the physical
address of a client or server inspected by a bridge or switch. Layer 2 processing is faster than layer 3
processing, because less analysis of the packet is required.
Layer 3. The communications protocol (called the network layer) that contains the logical address of a client
or server station that is inspected by a router which in turn forwards it through the network. Layer 3
contains a type field so that traffic can be prioritized and forwarded based on message type as well as
network destination. The IP network layer (Layer 3) accepts packets from the TCP or UDP transport layer
(Layer 4), adds its own header and delivers a datagram to the data link layer protocol (Layer 2).
Layer 4. A communications protocol (called the transport layer) responsible for establishing a connection
and ensuring that all data has arrived safely. The application delivers its data to the communications system
by passing a stream of data bytes to the transport layer along with the socket (the IP address of the station
and a port number) of the destination machine.
MAC address. Unique serial number or physical station address burned into Ethernet and Token Ring
adapters to identify that network card from all others.
MAPI. Messaging API. A programming interface from Microsoft that enables a client application to send
and receive mail from Exchange Server or a Microsoft Mail (MS Mail) messaging system. Microsoft
applications such as Outlook, the Exchange client, and Microsoft Schedule use MAPI.

Microsoft Exchange. Messaging and groupware software for Windows from Microsoft. The Exchange
server is an Internet-compliant messaging system that runs under Windows systems and can be accessed
by Web browsers, the Windows In-box, Exchange client, or Outlook. The Exchange server is also a storage
system that can hold anything that needs to be shared.
MSI Package. An MSI package is the Microsoft Software Installer (MSI) used to install Steelhead Mobile
Client software onto endpoint clients.
Netmask. A 32-bit mask which shows how an Internet address is divided into network, subnet, and host
parts. The netmask has ones in the bit positions in the 32-bit address which are used for the network and
subnet parts, and zeros for the host part. The mask must contain at least the standard network portion (as
determined by the class of the address), and the subnet field should be contiguous with the network
portion.
Neural Network. A modeling technique based on the observed behavior of biological neurons and used to
mimic the performance of a system. It consists of a set of elements that start out connected in a random
pattern, and, based upon operational feedback, are molded into the pattern required to generate the
required results. It is used in applications such as robotics, diagnosing, forecasting, image processing, and
pattern recognition.
NFS. Network File System. The file sharing protocol in a UNIX network.
NIS. Network Information Services. A naming service that allows resources to be easily added, deleted, or
relocated.
Opportunistic Lock. Also known as oplock. A lock requested by a client on a file that resides on a remote
server. To prevent any compromise to data integrity, the Steelhead appliance only optimizes data where
exclusive access is available (in other words, when locks are granted). When an oplock is not available, the
Steelhead appliance does not perform application-level latency optimizations but still performs Scalable
Data Referencing and compression on the data as well as TCP optimizations. Therefore, even without the
benefits of latency optimization, Steelhead appliances still increase WAN performance, but not as
effectively as when application optimizations are available.
OSPF. Open Shortest Path First. An interior gateway routing protocol developed for IP networks based on
the shortest path first or link-state algorithm. Routers use link-state algorithms to send routing information
to all nodes in an internetwork by calculating the shortest path to each node based on a topography of the
Internet constructed by each node. Each router sends that portion of the routing table (which keeps track of
routes to particular network destinations) that describes the state of its own links. It also sends the complete
routing structure (topography).
Packet. A unit of information transmitted, as a whole, from one device to another on a network.
Probe. A small utility program that is used to investigate, or test, the status of a system, network, or Web
site.
Policy. Routing and Quality of Service (QoS) scheme that forwards data packets to network interfaces based
on user-configured parameters.
Port. A pathway into and out of the computer or a network device such as a hub, switch, or router. On
network devices, the ports are for communications, typically connecting Ethernet cables or other network
devices.

Proxy. An entity that acts on behalf of a network client. In a network, a client is an entity that makes a
network request and a server is an entity that responds to the request. For example, your Web browser is a
client which requests Web content from a Web server. A proxy can take the place of the client, meaning the
client never communicates directly with the server. Instead, the client makes a connection to the proxy and
the proxy makes the connection to the server, receives any responses from the server, and relays them back
to the client.
Router. A device that forwards data packets from one LAN or WAN to another. Based on routing tables and
routing protocols, routers read the network address in each transmitted frame and make a decision on how
to send it based on the most expedient route (traffic load, line costs, speed, bad lines, etc.). Routers work at
Layer-3 in the protocol stack, whereas bridges and switches work at Layer-2.
SMB. Server Message Block. A message format used by DOS and Windows to share files, directories, and
devices. There are also a number of products that use SMB to enable file sharing among different operating
system platforms. A product called Samba, for example, enables UNIX and Windows machines to share
directories and files.
SNMP. Simple Network Management Protocol. A network protocol that provides a way to monitor
network devices, performance, and security, manage configurations, and collect statistics.
Socket. The method of directing data to the appropriate application in a TCP/IP network. A socket is made
up of the IP address of the station and a port number.
Switch. A network device that filters and forwards frames based on the destination address of each frame.
The switch operates at Layer-2 (data link layer) of the Open System Interconnection (OSI) model.
TCP. Transmission Control Protocol. The error-correcting Transport layer (Layer-4) in the TCP/IP protocol
suite.
TCP/IP. Transmission Control Protocol/Internet Protocol. The protocol suite used in the Internet, intranets,
and extranets. TCP provides transport functions, which ensure that the total number of bytes sent is
received correctly at the other end. TCP/IP is a routable protocol, and the IP part of TCP/IP provides this
capability.
Throttle. To adjust the Central Processing Unit (CPU) speed.
VLAN. Virtual Local Area Network. A VLAN is an administratively configured LAN or broadcast domain.
Instead of going to the wiring closet to move a cable to a different LAN, network administrators can
remotely configure a port on an 802.1Q-compliant switch to belong to a different VLAN. An 802.1Q VLAN
enables network administrators to move end stations to different broadcast domains by setting
membership profiles for each port on centrally managed switches.


Index

A
aaa accounting per-command default 97
aaa authentication cond-fallback 98
aaa authentication cond-fallback default 98
aaa authentication login default 98
aaa authorization map default-user 43, 99
aaa authorization map order 99
arp 174
B
banner login 112
banner motd 113
boot system 162
C
clear arp-cache 32
clear hardware error-log 32
clear interface 33
CLI
command negation 28
connecting 25
online help 27
overview of 26
saving configurations 28
cli clear-history 113
cli default auto-logout 113
cli default paging enable 114
cli session options 114
clock set 174
clock timezone 175
configuration copy 121
configuration delete 122
configuration factory 122
configuration fetch 122
configuration flash restore 126
configuration flash write 126
configuration jump-start 123
configuration merge 124
configuration move 125
configuration new 126
configuration revert keep-local 127
configuration revert saved 127
configuration switch-to 127
configuration upload 128
configuration write 128
configure terminal 33
D
Data replication commands 316
datastore convert 150
datastore disk read-pressure 318
datastore disklayout 317
datastore encryption type 151
datastore notification enable 152
datastore notification wrap-around 153
datastore receive port 153
datastore send addr 153
datastore sync enable 154
datastore sync master 156
datastore sync peer-ip 157
datastore sync port 157
datastore sync reconnect 157
datastore use-one-defer-q 318
debug generate dump 33
debug validate deployment 332
disable 34
Documentation, contacting 24
E
email autosupport enable 143
email domain 144
email mailhub 144
email mailhub-port 144
email notify events enable 145
email notify events recipient 145
email notify failures enable 145
email notify failures recipient 146
email send-test 146
enable 29
Enabling optimization for Outlook 2007 257
Enterprise MIB
accessing 345
Enterprise MIB, example of 349
Ethernet network compatibility 21
Exchange Server 257
exit 29
export appliance 334
export stats 335
F
failover buddy addr 313
failover buddy port 313
failover enable 313
failover master 314
failover port 315
file debug-dump 169
file debug-dump delete 128
file debug-dump email 129
file debug-dump upload 129
file stats delete 129
file stats move 130
file stats upload 130
file tcpdump 130
file tcpdump delete 131
fips bootloader password 320
FIPS compliance commands 318
FTP data channel, setting QoS for 304
H
hardware ecc-mem-check enable 175
hardware upgrade model 162
hardware watchdog 166
hostname 175
I
image boot 163
image delete 163
image fetch 163
image flash backup 164
image flash restore 164
image install 164
image move 165
in-path asymmetric routing detection enable 205
in-path asymmetric routing pass-through enable 207
in-path asym-route-tab flush 204
in-path asym-route-tab remove 204
in-path cdp allow-failure 208
in-path cdp enable 208
in-path cdp holdtime 209
in-path cdp interval 209
in-path enable 183
in-path interface enable 183
in-path interface vlan 183
in-path kickoff 184
in-path lsp enable 184
in-path move-rule rulenum 185
in-path neighbor allow failure 210
in-path neighbor enable 210
in-path neighbor interface 328
in-path neighbor ip address 211
in-path neighbor keepalive count 211
in-path neighbor keepalive interval 212
in-path neighbor peer 329
in-path neighbor port 213
in-path oop enable 186
in-path peering auto 199
in-path peering move-rule 201
in-path peering rule 199
in-path rule auto-discover 186
in-path rule deny 188
in-path rule discard 189
in-path rule fixed-target 190
in-path rule pass-through 193
in-path rule redirect 329
in-path simplified routing 215
in-path turbo enable 194
Interactive ports 341
interface 176
ip default-gateway 176
ip domain-list 177
ip flow-export 217
ip flow-export enable 218
ip host 177
ip in-path route 195
ip in-path-gateway 194
ip name-server 177
ip route 178
ip security authentication policy 221
ip security enable 221
ip security encryption policy 222
ip security peer ip 222
ip security pfs enable 223
ip security rekey interval 223
ip security shared secret 223
J
job command 166
job comment 167
job date-time 168
job enable 168
job execute 168
job fail-continue 169
job name 169
L
license delete 165
license install 165
load balance move-rule 325, 327
load balance rule 325, 332, 334
load balance rule src 101
logging 158
logging files delete oldest 159
logging files rotation criteria frequency 159
logging files rotation criteria size 159
logging files rotation force 160
logging files rotation max-num 160
logging local 160
logging trap 161
M
MAC address, displaying 50, 86
MAPI data channel, setting QoS for 304
MIB file
accessing 345
SNMP traps sent 346
MIB file, example of 349
N
NetFlow support commands 216
ntp disable 178
ntp enable 178
ntp peer 179
ntp server 179
ntpdate 180
O
Online documentation 23
Online notes 22
Outlook 2007, enabling optimization for 257
out-of-path enable 197
P
peer 202
peer addr 315, 330, 331
pfs domain 226
pfs enable 227
pfs settings 228
pfs share cancel-event 229
pfs share configure 230
pfs share configure, (version 2.0) 232
pfs share manual-sync 234
pfs share modify 235
pfs share upgrade 237
pfs share verify 238
pfs start 239
pfs workgroup 239
ping 30
port-label 133
Ports
commonly excluded 340
commonly optimized 340
default listening 339
interactive ports forwarded 341
secure automatically forwarded 341
prepop enable 241
prepop share 241
protocol cifs applock 244
protocol cifs disable write optimization 245
protocol cifs dw-throttling enable 244
protocol cifs enable 245
protocol cifs nosupport 246
protocol cifs oopen 246
protocol cifs oopen enable 247
protocol cifs prepop enable 247
protocol cifs secure-sig-opt enable 247
protocol cifs smbv1-mode enable 248
protocol connection lan receive buf-size 250
protocol connection lan send buf-size 250
protocol connection wan receive def-buf-size 250
protocol connection wan send def-buf-size 251
protocol ftp 268
protocol http default ntlm enable 275
protocol http enable 275
protocol http prefetch extension 275
protocol http server 276
protocol jinitiator enable 254
protocol mapi 2k3 enable 256
protocol mapi 2k7 fallback enable 256
protocol mapi enable 256
protocol mapi nspi 257
protocol mapi nspi enable 258
protocol mapi port 258
protocol mapi prepop enable 258
protocol ms-sql enable 261
protocol ms-sql fetch-next enable 261
protocol ms-sql num-preack 261
protocol ms-sql port 262
protocol ms-sql query-act rule-id action-id 262
protocol ms-sql query-arg-act rule-id action-id arg-offset expr 263
protocol ms-sql rpc-act rule-id action-id 263
protocol ms-sql rpc-arg rule-id arg-offset expr 265
protocol ms-sql rpc-arg-act rule-id arg-offset expr 264
protocol ms-sql rpc-rule rule-id app-name-regex 265
protocol ms-sql support-app 266
protocol nfs alarm v2-v4 clear 268
protocol nfs default server 268
protocol nfs default volume 269
protocol nfs enable 270
protocol nfs max-directories 271
protocol nfs max-symlinks 271
protocol nfs memory 271
protocol nfs server 272
protocol nfs v2-v4-alarm 273
protocol ssl backend 278
protocol ssl bulk-export 278
protocol ssl bulk-import 279
protocol ssl ca 283
protocol ssl crl ca 280
protocol ssl crl cas enable 280
protocol ssl crl handshake 281
protocol ssl crl manual 281
protocol ssl crl peering 282
protocol ssl crl query-now 283
protocol ssl enable 284
protocol ssl peering 286
protocol ssl protocol-vers 288
protocol ssl scep peering auto-reenroll 289
protocol ssl scep peering max-num-polls 289
protocol ssl scep peering on-demand cancel 290
protocol ssl scep peering on-demand gen-key-and-csr 290
protocol ssl scep peering on-demand start 291
protocol ssl scep peering passphrase 292
protocol ssl scep peering poll-frequency 292
protocol ssl scep peering trust 292
protocol ssl scep peering url 293
protocol ssl server 293
Q
qos classification burst 298
qos classification class 298
qos classification enable 300
qos classification link-rate 300
qos classification queue 301
qos classification rule add 301
qos classification rule move 302
qos dscp edit-rule 302
qos dscp move-rule 303
qos dscp rule 304
QoS, setting the FTP data channel 304
QoS, setting the MAPI data channel 304
R
radius-server host 101
radius-server key 181
radius-server retransmit 102
radius-server timeout 102
RBT-Proto, common ports used by the system 339
redirect allow-failure 330
redirect interface 315, 330, 331
redirect peer addr 315, 331
Related reading 23
Release notes 22
reload 169
reset factory 320, 322
restart 170
S
Safety guidelines 23
Secure ports, automatically forwarded 341
secure vault 296
secure-vault 296
service connection pooling 307
service default-port 307
service enable 181
service error reset 170
service map-port 171
service neural-framing 172
service port 172
service restart 172
show aaa 37
show arp 37
show banner 37
show bootvar 38
show cli 38
show clock 38
show cmc 39
show configuration 39
show configuration files 79
show configuration flash 40
show configuration flash text 41
show configuration full 41
show configuration running 41
show connection 79
show connections 80
show datastore 42
show email 42
show failover 43
show files debug-dump 82
show files sa 82
show files stats 83
show files tcpdump 83
show hardware 43
show hardware error-log 43
show hardware watchdog 43, 44
show hosts 44
show images 83
show info 84
show in-path 44, 45
show in-path ar-circbuf 85
show in-path asym-route-tab 84
show in-path cdp 45
show in-path lsp 45
show in-path neighbor (Interceptor) 46
show in-path neighbor (Steelhead) 46
show in-path neighbor peers 47
show in-path peering auto 47
show in-path peering rules 48
show in-path rules 48
show in-path simplified routing 49
show interfaces 49, 85
show ip 50
show job 51
show licenses 87
show limit bandwidth 51
show limit connection 52
show load balance rules 51, 52
show log 87
show logging 52
show ntp 53
show out-of-path 53
show peer version 53
show peers 54
show pfs all-info shares 55
show pfs configuration 55
show pfs stats shares 89
show pfs status 88
show port-label 54
show prepop 56
show protocol cifs 56
show protocol cifs oopen 56
show protocol connection 57
show protocol ftp 57
show protocol http 57
show protocol jinitiator 58
show protocol mapi 58
show protocol ms-sql 59
show protocol ms-sql rules 59
show protocol nfs 60
show protocol ssl 61
show protocol ssl backend 61
show protocol ssl ca 62
show protocol ssl crl 62
show protocol ssl expiring-certs 63
show protocol ssl peering 64
show protocol ssl scep peering auto-reenroll 64
show protocol ssl scep peering ca 65
show protocol ssl scep peering enrollment status 65
show protocol ssl scep peering on-demand 65
show protocol ssl server 66
show qos classification 66
show radius 67
show raid configuration 67
show raid diagram 68
show raid error-msg 89
show raid info 69
show raid physical 70
show redirect 70
show redirect peers 71
show running-config 71
show service 71
show service connection pooling 72
show service neural-framing 72
show service ports 72
show snmp 73
show ssh client 73
show ssh server 73
show ssh server allowed-ciphers 74
show stats 90
show support sha512-pass 74
show tacacs 75
show tcp highspeed 75
show tcp reordering 75
show tcp statistics 92
show telnet-server 76
show terminal 76
show usernames 76
show version 92
show version history 93
show wccp 77
show web 77
show web prefs 78
show web ssl cipher 78
slogin 34
SNMP
traps, summary of sent 346
SNMP compatibility 21
SNMP MIB, accessing 345
snmp-server community 146
snmp-server contact 147
snmp-server enable 147
snmp-server host 147
snmp-server listen enable 148
snmp-server listen interface 148
snmp-server location 149
sport codec decoder global sig-disk-press enable 158, 318
sport fail-to-block enable 322
ssh client generate identity user 108
ssh client user authorized-key rsakey sshv2 109
ssh server allowed-ciphers 321
ssh server enable 109
ssh server listen enable 109
ssh server listen interface 110
ssh server v2-only enable 110, 321
stats alarm 333
stats chd 140
stats clear-all 140
stats export 140
stats sample 141
stats settings bandwidth 142
support sha512-pass enable 322
T
tacacs-server first-hit 103
tacacs-server host 103
tacacs-server key 104
tacacs-server retransmit 104
tacacs-server timeout 105
tcp connection send keep-alive 132
tcp connection send reset 132
tcp highspeed enable 251
tcpdump 34
Technical support, contacting 24
telnet-server enable 180
terminal 309
traceroute 30
Traps, summary of SNMP traps sent 346
U
username disable 105
username nopassword 105
username password 106
username password 0 106
username password 7 107
W
WCCP
mask-based redirection 311
wccp enable 309
wccp mcast-ttl 309
wccp service-group 310
web auto-logout 116
web enable 117
web http enable 117
web http port 117
web httpd listen enable 118
web httpd listen interface 118
web https enable 119
web https port 119
web prefs log lines 119
web proxy host 120
web session renewal 120
web session timeout 120
web ssl cipher 323
web ssl protocol tlsv1 323, 324
write flash 131
write memory 131
write terminal 131
