Reference Manual
Version 4.1.10
April 2010
Riverbed Technology
199 Fremont St.
San Francisco, CA 94105
Phone: 415.247.8800
Fax: 415.247.8801
Web: http://www.riverbed.com
Part Number
720-00002 (PUB-00003)
Contents
Introduction
  enable
  exit
  ping
  traceroute
Chapter 3 Enable-Mode Commands
  port-label
Statistics Manipulation Commands
  stats alarm
  stats chd
  stats clear-all
  stats export
  stats sample
  stats settings bandwidth
Notification and SNMP Commands
  email autosupport enable
  email domain
  email mailhub
  email mailhub-port
  email notify events enable
  email notify events recipient
  email notify failures enable
  email notify failures recipient
  email send-test
  snmp-server community
  snmp-server contact
  snmp-server enable
  snmp-server host
  snmp-server listen enable
  snmp-server listen interface
  snmp-server location
Data Store Management Commands
  datastore convert
  datastore encryption type
  datastore notification enable
  datastore notification wrap-around
  datastore receive port
  datastore send addr
  datastore sync enable
  datastore sync master
  datastore sync peer-ip
  datastore sync port
  datastore sync reconnect
Riverbed Ports
Riverbed MIB
Introduction
In This Introduction
Welcome to the Riverbed Command-Line Interface Reference Manual. Read this introduction for an overview of
the information provided in this guide and for an understanding of the documentation conventions used
throughout. This introduction contains the following sections:
Types of Users
This guide is written for storage and network administrators who are familiar with administering and managing
WANs using common network protocols such as TCP, CIFS, HTTP, FTP, and NFS.
Chapter 1, Using the Command-Line Interface, describes how to connect to and use the CLI.
Appendix A, Riverbed Ports, provides a reference of ports used by the Riverbed system.
A list of acronyms and a glossary of terms follows the chapters. A comprehensive index directs you to areas
of particular interest.
Document Conventions
This manual uses the following standard set of typographical conventions to introduce new terms, illustrate
screen displays, describe command syntax, and so forth.
Convention: Meaning
italics: Within text, new terms and emphasized words appear in italic typeface.
boldface: Within text, commands, keywords, identifiers (names of classes, objects, constants, events,
functions, program variables), environment variables, filenames, GUI controls, and other
similar terms appear in bold typeface.
Courier: Information displayed on your terminal screen and information that you are instructed to
enter appears in Courier font.
<>: Within syntax descriptions, values that you specify appear in angle brackets. For example:
interface <ipaddress>
[]: Within syntax descriptions, optional keywords or variables appear in brackets. For example:
{}: Within syntax descriptions, required keywords or variables appear in braces. For example:
{delete <filename> | upload <filename>}
|: Within syntax descriptions, the pipe symbol represents a choice to select one keyword or
variable to the left or right of the symbol. (The keyword or variable can be either optional or
required.) For example:
{delete <filename> | upload <filename>}
Software Requirements
Operating System Requirements
Gigabit Ethernet over Copper 1000 Base-T and Fiber 1000 Base-SX (LC connector) (IEEE 802.3 - 2002)
The Primary port in the Steelhead appliance is 10Base-T/100Base-TX/1000Base-T/SX Mbps (IEEE
802.3 - 2002). (The Primary port on the Model 100 and 200 is Fast Ethernet only.)
In-path Steelhead appliance ports are 10/100/1000 Base-TX or Gigabit Ethernet 1000Base-T/SX (IEEE 802.3 -
2002) (depending on your order).
The Steelhead appliance supports VLAN Tagging (IEEE 802.1Q - 2003). It does not support the Cisco ISL
protocol.
All copper interfaces are auto-sensing for speed and duplex (IEEE 802.3 - 2002).
The Steelhead appliance auto-negotiates speed and duplex mode for all data rates and supports full duplex
mode and flow control (IEEE 802.3 2002).
The Steelhead appliance with a Gigabit Ethernet card supports Jumbo Frames on in-path and primary
ports.
Additional Resources
This section describes resources that supplement the information in this guide. It contains the following
sections:
Online Notes
The following online file supplements the information in this manual. It is available on the Riverbed
Technical Support site at https://support.riverbed.com.
Online File: <product>_<version_number>.txt
Purpose: Please examine this file before you begin the installation and configuration process. It contains important
information about this release of the software.
Steelhead Appliance Installation and Configuration Guide describes how to install and configure the
Steelhead appliance.
Steelhead Management Console User's Guide describes how to manage and administer a Steelhead
appliance using the Management Console.
Steelhead Central Management Console User's Guide describes how to install, configure, and administer a
network made up of multiple Steelhead appliances using the Steelhead Central Management Console.
Steelhead Appliance Deployment Guide describes how to deploy the Steelhead appliance in complex
network environments (for example, environments using WCCP, PBR, and Layer-4 switches).
Interceptor Appliance Installation Guide describes how to install the appliance, run the initial
configuration wizard, and connect the appliance to your network. It also includes a reference of
product technical specifications, including pre-installed bypass cards.
Interceptor Appliance User's Guide describes how to configure and manage the Interceptor appliance to
balance traffic loads in pools of Steelhead appliances.
Steelhead Mobile Controller Installation Guide describes how to quickly install the Steelhead Mobile
Controller.
Steelhead Mobile Controller User's Guide describes how to deploy endpoint client packages, and how to
administer and manage your Steelhead Mobile deployment.
Getting Started Guide describes how to quickly install and set up the Steelhead appliance, Central
Management Console, and the Interceptor appliance.
Troubleshooting Guide describes how to troubleshoot Model 520, 1020, 1520, and 2020 Rev. A systems.
Hardware Owner's Manual describes how to troubleshoot Model 520, 1020, 1520, and 2020 Rev. B
systems.
Riverbed Copy Utility Reference Manual describes how to install and deploy the Riverbed Copy Utility
(RCU). The RCU is an optional utility of the Steelhead appliance that copies, mirrors, and
transparently prepopulates data. You can download the RCU from the Riverbed Technical Support site
located at https://support.riverbed.com.
Bypass Card Installation Guide describes how to install the bypass cards in the Steelhead and Interceptor
appliance.
Rack Installation Guide describes how to install the Steelhead appliance in a standard Telco-type rack
(all models except the 520, 1020, 1520, 2020, and 3020).
Safety and Compliance Guide describes safety precautions for installing and setting up your equipment
in English and other languages.
Online Documentation
The Steelhead appliance documentation set is periodically updated with new information. To access the
most current version of the Steelhead appliance documentation and other technical information, consult the
Riverbed Technical Support site located at https://support.riverbed.com.
Related Reading
To learn more about network administration, consult the following books:
Microsoft Windows 2000 Server Administrator's Companion by Charlie Russell and Sharon Crawford
(Microsoft Press, 2000)
Common Internet File System (CIFS) Technical Reference by the Storage Networking Industry Association
(Storage Networking Industry Association, 2002)
Internet Routing Architectures (2nd Edition) by Bassam Halabi (Cisco Press, 2000)
Safety Guidelines
Follow the safety precautions outlined in the Safety and Compliance Guide when installing and setting up
your equipment.
Important: Failure to follow these safety guidelines can result in injury or damage to the equipment. Mishandling of
the equipment voids all warranties. Please read and follow safety guidelines and installation instructions carefully.
Many countries require the safety information to be presented in their national languages. If this
requirement applies to your country, consult the Safety and Compliance Guide. The guide contains the safety
information in your national language. Before you install, operate, or service the Riverbed products, you
must be familiar with the safety information. Refer to the guide if you do not clearly understand the safety
information provided in the documentation.
Contacting Riverbed
This section describes how to contact departments within Riverbed.
Internet
You can find out about Riverbed products through our Web site at http://www.riverbed.com.
Technical Support
If you have problems installing, using, or replacing Riverbed products, contact Riverbed Technical Support.
For the fastest service, open a trouble ticket at https://support.riverbed.com or call 1-888-RVBD-TAC (1-888-782-3822) in the United States and Canada or +1 415 247 7381 outside the United States.
Documentation
We continually strive to improve the quality and usability of our documentation. We appreciate any
suggestions you may have about our online documentation or printed materials. Send documentation
comments to techpubs@riverbed.com.
CHAPTER 1
In This Chapter
This chapter describes how to access and use the CLI. This chapter includes the following sections:
An ASCII terminal or emulator that can connect to the serial console. It must have the following
settings: 9600 baud, 8 bits, no parity, 1 stop bit, and no flow control.
A computer with an SSH client that is connected to the appliance Primary port (in rare cases, you
might connect through the Auxiliary port).
2. At the system prompt enter the following command if the appliance resolves to your local DNS:
ssh admin@host.domain
otherwise at the system prompt enter the following command:
ssh admin@ipaddress
3. When prompted, enter the administrator password. This is the password you set during the initial
configuration process. The default password is password.
You can also log in as a monitor user (monitor). A monitor user cannot make configuration changes,
modify private keys, view logs, or manage cryptographic modules in the system.
User. When you start a CLI session, you begin in the default, user mode. From user mode you can run
common network tests such as ping. You do not enter a command to enter user mode. To exit user
mode, enter exit at the command line.
Enable. To access a restricted set of commands, you must enter enable mode. For example, while in
enable mode, you can restart and reboot the system, display non-sensitive system information, and verify
configuration information. From enable mode, you can enter any enable mode command or enter
configuration mode. You can be an administrator or monitor user to enter enable mode. To exit enable
mode, enter disable at the command line.
Configuration. To make changes to the running configuration, you must enter configuration mode. To
save configuration changes to memory, you must enter the write memory command. To enter
configuration mode, you must first be in enable mode. You must be an administrator user to enter
configuration mode. To exit configuration mode, enter exit at the command line.
The commands available to you depend on which mode you are in and whether you are a monitor or
administrator user. Entering a question mark (?) at the system prompt provides a list of commands for each
command mode.
Mode: user
System Prompt: host >
Exit Method: exit
Description: Perform common network tests, such as ping. Display system settings and statistics.
Mode: enable
System Prompt: host #
Exit Method: disable
Mode: configuration
System Prompt: host (config) #
Exit Method: exit
Description: Configure system parameters. Administrator user can perform all user and enable-mode
commands.
Entering Commands
The CLI accepts abbreviations for commands. The following example is the abbreviation for the configure
terminal command:
tilden (config)# configure t
You can press the tab key to complete a CLI command automatically.
Error Messages
If at any time the system does not recognize the command or parameter, it displays the following message:
tilden (config) # logging files enable
% Unrecognized command "enable".
Type "logging files?" for help.
Command Negation
You can type no before many of the commands to negate the syntax. Depending on the command or the
parameters, command negation disables the command or returns the parameter to the default value.
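The prompts in the mode table, the abbreviation rule and the unrecognized-command message above are enough to audit a saved CLI transcript for configuration changes that were never written to memory. This is an added example, not code from the manual or from Riverbed; the transcript is constructed, and treating exit and show as read-only and write memory as valid in enable or configuration mode are assumptions.

```python
import re

# Prompt shapes from the mode table: "host >" (user), "host #" (enable),
# "host (config) #" (configuration). The manual's own examples vary the
# spacing ("minna> enable", "tilden (config)# configure t"), so it is optional.
PROMPT = re.compile(
    r"^(?P<host>[\w.-]+)\s*"
    r"(?:(?P<cfg>\(config\))\s*#|(?P<mark>[>#]))"
    r"\s*(?P<cmd>.*)$"
)


def is_abbrev(typed, full):
    """True if each word of `full` is matched by a prefix typed in the same
    position ("configure t" -> "configure terminal"); extra words are arguments.
    Ambiguity between commands is left to the appliance and not modelled here."""
    t, f = typed.split(), full.split()
    return len(t) >= len(f) and all(fw.startswith(tw) for tw, fw in zip(t, f))


def parse_session(text):
    """Return one entry per command typed at a recognised prompt."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PROMPT.match(line)
        if m and m.group("cmd"):
            mode = ("configuration" if m.group("cfg")
                    else "user" if m.group("mark") == ">" else "enable")
            entries.append({"host": m.group("host"), "mode": mode,
                            "cmd": m.group("cmd"), "rejected": False})
        elif line.startswith("% Unrecognized command") and entries:
            # The CLI refused the previous command, so it changed nothing.
            entries[-1]["rejected"] = True
    return entries


def unsaved_changes(entries):
    """Configuration-mode commands accepted after the last `write memory`."""
    pending = []
    for e in entries:
        if e["rejected"] or e["mode"] == "user":
            continue
        if is_abbrev(e["cmd"], "write memory"):
            pending = []  # running configuration was saved at this point
        elif e["mode"] == "configuration" and not (
                is_abbrev(e["cmd"], "exit") or is_abbrev(e["cmd"], "show")):
            # Assumption: everything else typed in configuration mode is a change.
            pending.append(e["cmd"])
    return pending


# Constructed transcript (not captured from a real appliance). Command names
# are taken from the manual's contents list; the host name from its examples.
SESSION = """\
minna> enable
minna # configure t
minna (config) # snmp-server enable
minna (config) # logging files enable
% Unrecognized command "enable".
Type "logging files?" for help.
minna (config) # email notify events enable
minna (config) # wr mem
minna (config) # email notify failures enable
minna (config) # exit
minna # disable
minna >
"""

if __name__ == "__main__":
    parsed = parse_session(SESSION)
    for entry in parsed:
        flag = " (rejected)" if entry["rejected"] else ""
        print(f'{entry["mode"]:<14}{entry["cmd"]}{flag}')
    print("not saved:", unsaved_changes(parsed))
```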
CHAPTER 2
User-Mode Commands
In This Chapter
This chapter is a reference for user-mode commands. User-mode commands allow you to enter enable
mode and perform standard network monitoring tasks.
To enter user mode
Connect to the CLI. For detailed information, see Connecting to the CLI on page 25.
enable
Description
Syntax
enable
Parameters
None
Usage
You must enter enable mode before you can perform standard network monitoring tasks.
Example
Product
exit
Description
Exits the CLI when in user mode; exits enable mode when in enable mode; exits configuration
mode when in configuration mode.
Syntax
exit
Parameters
None
Example
Product
ping
Description
Executes the ping utility to send ICMP ECHO_REQUEST packets to network hosts for
troubleshooting.
Syntax
ping [<options>]
Parameters
<options>
[-L RUbdfnqrvVaA]
[-c count]
[-i interval]
[-w deadline]
[-p pattern]
[-s packet size]
[-t ttl]
[-I interface address] For example: ping 10.1.1.1 10.11.22.15
[-M MTU discovery hint]
[-S sndbuf]
[-T timestamp option]
[-Q tos]
[hop1...]destination. Specify intermediate hops.
Usage
The ping command without any options pings from the primary or the auxiliary (aux) interface
and not the in-path interfaces.
If the primary and auxiliary interfaces are not on the same network as the in-path interfaces, you
will not be able to ping an IP address on the in-path interface network unless you have a gateway
between the two networks.
To ping from an in-path interface, use the following syntax:
ping -I <in-path interface IP address> <destination IP address>
Example
Product
traceroute
Description
Executes the traceroute utility. The traceroute command takes the standard Linux options.
Syntax
traceroute [<options>]
Parameters
<options>
The traceroute command takes the standard Linux options. For detailed
information, see the Linux man page.
Example
Product
CHAPTER 3
Enable-Mode Commands
In This Chapter
This chapter is a reference for enable-mode commands. Enable-mode commands display configuration
settings and process information.
To enter enable mode
1. Connect to the CLI. For detailed information, see Connecting to the CLI on page 25.
2. To enter enable mode, at the system prompt enter:
minna> enable
To exit enable mode, enter exit. For information about the exit command, see exit on page 29.
This chapter includes the following sections:
TIP: For an alphabetical list of commands, see the Index at the end of this book.
clear arp-cache
Description
Clears dynamic entries from the ARP cache. This command does not clear static entries.
Syntax
clear arp-cache
Parameters
None
Usage
Example
Product
Related Topics
show arp
Syntax
Parameters
None
Usage
Example
Product
Related Topics
clear interface
Description
Syntax
Parameters
<interface name>
Specifies the interface name: aux, primary, lo, wan1_1, lan1_1, wan1_0, lan1_0,
inpath1_0, inpath1_1, all.
Example
Product
Related Topics
show interfaces
configure terminal
Description
Enables configuration from the terminal by entering the configuration subsystem. You must
execute the enable command first to enter configuration mode.
Syntax
configure terminal
Parameters
None
Usage
Example
Product
Related Topics
Syntax
Parameters
None
Example
Product
Related Topics
disable
Description
Syntax
disable
Parameters
None
Example
minna # disable
minna >
Product
Related Topics
exit
slogin
Description
Syntax
slogin [<options>]
Parameters
<options>
Specifies slogin options. To view options, enter slogin at the system prompt.
Example
Product
Related Topics
tcpdump
Description
Executes the tcpdump utility. The tcpdump command takes the standard Linux options. For
detailed information, see the Linux man page.
Syntax
tcpdump [<options>]
Parameters
<options>
Usage
You can write tcpdump output to a file using the -w option so that you can analyze it.
Example
minna # tcpdump
tcpdump: listening on primary
18:59:13.682568 minna.domain.com.ssh > dhcp-22.domain.com.3277: P
3290808290:3290808342(52) ack 3412262693 win 5840 (DF) [dscp 0x10]
18:59:13.692513 minna.domain.com.ssh > dhcp-22.domain.com.3277: P 0:52(52) ack 1
win 5840 (DF) [dscp 0x10]
18:59:13.702482 minna.domain.com.ssh > dhcp-22.domain.com.3277: P 0:52(52) ack 1
win 5840 (DF) [dscp 0x10]
Product
Related Topics
show ip on page 50
show aaa
Description
Syntax
show aaa
Parameters
None
Example
Product
Related Topics
Authentication Commands
show arp
Description
Displays the contents of the ARP cache. The ARP cache includes all statically-configured ARP
entries as well as any that the system has picked up dynamically.
Syntax
Parameters
static
Example
Product
Related Topics
show banner
Description
Syntax
show banner
Parameters
None
Example
Product
Related Topics
show bootvar
Description
Displays the software image that is booted upon the next reboot.
Syntax
show bootvar
Parameters
None
Example
Product
Related Topics
show cli
Description
Syntax
show cli
Parameters
None
Example
Product
Related Topics
show clock
Description
Syntax
show clock
Parameters
None
Example
minna # show clock
Time: 19:31:43
Date: 2006/12/22
Zone: GMT-offset GMT
Product
Related Topics
show cmc
Description
Syntax
show cmc
Parameters
None
Example
CMC
support enabled: yes
CMC's hostname: yourcmc
Managed by CMC: no
Auto configuration status: Inactive
Product
Steelhead appliance
Related Topics
ip name-server, show ip
show configuration
Description
Displays the current and saved configuration settings that differ from the default settings.
Syntax
show configuration
Parameters
None
Example
Product
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Related Topics
Displays running configuration settings that are different from the defaults.
Syntax
Parameters
full
Example
Product
Related Topics
show datastore
Description
Syntax
show datastore
Parameters
None
Example
Product
Steelhead appliance
Related Topics
show email
Description
Syntax
show email
Parameters
None
Example
Product
Related Topics
show failover
Description
Syntax
show failover
Parameters
None
Example
Product
Related Topics
Peering Commands
show hardware
Description
Syntax
show hardware
Parameters
None
Example
Product
Related Topics
Syntax
Parameters
all
new
Display IPMI SEL entries since the last show hardware error-log command.
Example
Product
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
hardware watchdog
show hosts
Description
Syntax
show hosts
Parameters
None
Example
Product
Related Topics
show in-path
Description
Syntax
show in-path
Parameters
None
Example
Product
Related Topics
Displays CDP settings for failover deployments using PBR to redirect traffic to the backup
Steelhead appliance.
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Displays whether link state propagation is enabled. When LSP is enabled, if the LAN interface
drops link then the WAN will do the same.
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Displays a list of appliance interfaces, indicates whether or not they are currently enabled, and
displays the VLAN tag (displays 0 if VLAN is disabled).
Syntax
Parameters
None
Example
vlan: 0
Product
Interceptor appliance
Related Topics
Displays the interface on which the Interceptor appliance communicates with neighbor peer
Steelhead appliances.
Syntax
Parameters
None
Example
Product
Interceptor appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
configured
brief
Example
172.0.131.3:7850
Connected
172.0.131.4
tahiti-x86_64-flamebox
255.255.255.255:0
2007/05/11 15:13:33
0
15000
172.0.131.4:7850
Connected
minna #
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example Interceptor appliance
Example Steelhead appliance
Product
Related Topics
Syntax
Parameters
None
Example
minna #
Collect
Collect
Collect
minna #
Product
Steelhead appliance
Related Topics
show interfaces
Description
Syntax
Parameters
<intname>
Specifies the interface name. For example, aux, lan0_0, wan0_0, primary,
in-path0_0, lo.
brief
configured
Usage
The set of settings and statistics displayed varies when using DHCP.
Example
Product
Related Topics
interface
show ip
Description
Displays IP settings.
Syntax
show ip {
flow-export
default gateway [static] |
in-path route <interface>
in-path-gateway <interface>
route [static]
security <cr> | peers}
Parameters
flow-export
in-path-gateway
<interface>
route [static]
Example
Gateway
0.0.0.0
10.0.0.1
Product
Related Topics
show job
Description
Syntax
Parameters
<job-id>
Example
Product
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Interceptor appliance
Related Topics
Load-Balancing Commands
show logging
Description
Syntax
show logging
Parameters
None
Example
Product
Related Topics
Logging Commands
show ntp
Description
Syntax
show ntp
Parameters
None
Example
Product
Related Topics
show out-of-path
Description
Syntax
show out-of-path
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Out-of-Path Support
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Peering Commands
show peers
Description
Syntax
show peers
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Peering Commands
Model
Version
2000
3.0-beta
Licenses
CIFS/MAPI/MS-SQL
show port-label
Description
Displays a list of port labels or a list of ports that belong to the label.
Syntax
Parameters
<name>
Specify a port label name to display a list of ports that belong to the label.
Secure
Display the list of ports that belong to the system label for secure ports.
The Steelhead appliance automatically passes through traffic on commonly secure
ports (for example, ssh, https, and smtps). For a list of secure ports, see Appendix
A, Riverbed Ports.
If you do not want to pass through secure ports, you must delete the default
secure in-path rule. For detailed information, see in-path rule fixed-target on
page 190.
Interactive
Display the list of ports that belong to the system label for interactive ports.
The Steelhead appliance automatically passes through traffic on interactive ports
(for example, Telnet, TCP ECHO, remote logging, and shell). For a list of
interactive ports, see Appendix A, Riverbed Ports.
If you do not want to pass through interactive ports, you must delete the default
interactive in-path rule. For detailed information, see in-path rule fixed-target
on page 190.
RBT-Proto
Display the list of ports that belong to the label for system processes: 7744 (data
store synchronization), 7800-7801 (in-path), 7810 (out-of-path), 7820 (failover),
7850 (connection forwarding), 7860 (Interceptor appliance).
Example
Product
Related Topics
Syntax
Parameters
<cr>
local-name
<localname>
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
domain
shares <cr>
workgroup
Example
Product
Steelhead appliance
Related Topics
show prepop
Description
Syntax
Parameters
all-info |
configuration | stats |
status
shares <cr>
shares remote-path
<remote-path>
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
81920 bytes
32768 bytes
262140 bytes
262140 bytes
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
yes
1433
5
yes
Syntax
Parameters
default-cmds
default-config
Example
Product
Steelhead appliance
Related Topics
Syntax
show protocol nfs [server <name> {full | lookup-volumes | volume id <fsid>} | servers {<cr> |
full}]
Parameters
servers {full}
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<cr>
Example
Show all.
CA certificates:
AOL_Time_Warner_1
AOL_Time_Warner_2
Actalis
AddTrust_Class_1
AddTrust_External
AddTrust_Public
<<partial list>>
Product
Steelhead appliance
Related Topics
Syntax
show protocol ssl [<cr>] [{backend {client | server} cipher-string}] [ca] [expiring-certs] [{peering
{ca | certificate | cipher-strings}}] [server]
Parameters
Example
Product
Steelhead appliance
Related Topics
Syntax
show protocol ssl ca <ca name> <cr> certificate raw <cr>| text <cr>
Parameters
ca <ca name>
certificate
raw <cr>
text <cr>
Example
Product
Steelhead appliance
Related
Topics
Syntax
show protocol ssl crl ca <ca name> | cas <cr> | crl-file <string> text | peering {ca <string> | cas
crl-file <string> text}
Parameters
ca <ca name>
crl peering ca
<string> | cas crl-file
<string> text
Example
Product
Steelhead appliance
Related
Topics
Syntax
Parameters
expiring-certs
Example
Product
Steelhead appliance
Related
Topics
Display any certificates with impending expiration dates (60 days) and
expired dates.
Syntax
show protocol ssl crl ca <ca name> | cas <cr> | crl-file <string> text | peering {ca <string> | cas
crl-file <string> text}
Parameters
ca <ca name>
certificate <cr> | raw
| text
cipher-strings <cr> |
verbose
Example
Product
Steelhead appliance
Related
Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related
Topics
Syntax
Parameters
csr
last-result
Example
Product
Steelhead appliance
Related
Topics
Syntax
Parameters
<ca name>
certificate
Example
Product
Steelhead appliance
Related
Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related
Topics
Syntax
Parameters
csr
last-result
Example
Product
Steelhead appliance
Related
Topics
Syntax
show protocol ssl server <cr> {ip <ip address> <cr> port <port> [certificate | chain-cert <name>
certificate | chain-certs <cr>]}
Parameters
<cr>
certificate
chain-certs <cr>
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
classes
rules
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
show radius
Description
Syntax
show radius
Parameters
None
Usage
Use this command to confirm that you are running in FIPS-approved mode. RADIUS must be
disabled for FIPS-mode. For detailed information, see the FIPS/CC Administrators Guide.
Example
Product
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Displays the physical layout of the RAID disks and the state of each drive: Online; Offline; Fail;
Rebuild; Missing; Spare.
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
WDC
08.0
No
No
No
Wide-16: No
RelAddr: No
AENC
: No
WDC
08.0
No
No
No
Wide-16: No
RelAddr: No
AENC
: No
Product
Steelhead appliance
Related Topics
show redirect
Description
Syntax
show redirect
Parameters
None
Example
Product
Interceptor appliance
Related Topics
Load-Balancing Commands
Displays status of Redirect Peers. Redirect Peers include Interceptor appliances deployed in
parallel to cover asymmetric routing, as well as an Interceptor appliance that functions as a
failover buddy.
Syntax
Parameters
configured
brief
Example
Backup
--------------------255.255.255.255:0
172.0.13.4:7860
Last Reconnect
------------------2007/05/10 15:30:33
Connected
minna #
Product
Interceptor appliance
Related Topics
Load-Balancing Commands
show running-config
Description
Displays the running configuration settings that differ from the defaults.
Syntax
Parameters
full
Example
Product
Related Topics
show service
Description
Syntax
show service
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
show snmp
Description
Syntax
show snmp
Parameters
None
Usage
Use this command to confirm that you are running in FIPS-approved mode. SNMPv2 must be
disabled for FIPS-mode. For detailed information, see the FIPS/CC Administrators Guide.
Example
Product
Related Topics
Syntax
Parameters
None
Example
Product
Related Topics
Syntax
Parameters
None
Usage
FIPS mandates that remote SSH daemon connections are made using SSH v2. For detailed
information, see the FIPS/CC Administrators Guide.
Example
Product
Related Topics
Syntax
Parameters
None
Example
Product
Related Topics
Syntax
Parameters
None
Usage
For FIPS compliance, password files must be SHA-512 encrypted. Execute this command to
display password file settings.
SHA-512 encryption is enabled when you execute the reset factory command. If your system does
not have SHA-512 encryption enabled after you have executed the reset factory command, execute the sha512-pass enable command.
Example
Product
Steelhead appliance
Related Topics
show tacacs
Description
Syntax
show tacacs
Parameters
None
Usage
Use this command to confirm that you are running in FIPS-approved mode. TACACS+ must be
disabled for FIPS-mode. For detailed information, see the FIPS/CC Administrators Guide.
Example
Product
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
show telnet-server
Description
Syntax
show telnet-server
Parameters
None
Usage
Use this command to confirm that you are running in FIPS-approved mode. Telnet must be
disabled for FIPS-mode. For detailed information, see the FIPS/CC Administrators Guide.
Example
Product
Steelhead appliance
Related Topics
show terminal
Description
Syntax
show terminal
Parameters
None
Example
80 columns
Terminal length:
24 rows
Terminal type:
xterm
Product
Steelhead appliance
Related Topics
show usernames
Description
Syntax
show usernames
Parameters
None
Example
Product
Related Topics
Authentication Commands
show wccp
Description
Syntax
show wccp
Parameters
None
Example
Product
Steelhead appliance
Related Topics
show web
Description
Syntax
show web
Parameters
None
Usage
FIPS Mode
Use this command to confirm that you are running in FIPS-approved mode. For FIPS mode, HTTP
must be disabled, HTTPS must be enabled, SSLv2 must be disabled, SSLv3 must be enabled, and
TLSv1 must be enabled.
Example
Product
Related Topics
Syntax
Parameters
None
Example
Product
Related Topics
Syntax
Parameters
None
Example
Product
Related Topics
Syntax
Parameters
<filename>
Example
Product
Related Topics
show connection
Description
Syntax
show connection srcip <source IP addr> srcport <source port> dstip <destination IP addr>
dstport <destination port>
Parameters
dstip <destination IP
address>
Example
minna # show connection srcip 10.11.62.56 srcport 36433 dstip 10.11.60.9 dstport
7810
Type:
Passthrough
Source:
10.11.62.56:36433
Destination:
10.11.60.9:7810
Application:
Reduction:
0%
Client Side:
no
Since:
2006/02/21 17:24:00
Peer Appliance:
0.0.0.0:0
Inner Local Port:
0
Outer Local:
0.0.0.0:0
Outer Remote:
0.0.0.0:0
LAN Side Statistics:
Bytes:
0
Packets:
0
Retransmitted:
0
Fast Retransmitted: 0
Timeouts:
0
Congestion Window: 0
WAN Side Statistics:
Bytes:
0
Packets:
0
Retransmitted:
0
Fast Retransmitted: 0
Timeouts:
0
Congestion Window: 0
Product
Related Topics
show connections
Description
Syntax
Parameters
<type>
optimized
passthrough
forwarded
opening
closing
discarded
denied
<cr>
filter
<string>
Filters the list according to string. For example, to filter by IP address (such as
srcip or destip), the filter string is the IP address.
sort-by
<state>
brief|full
Example
Product
Steelhead appliance
Related Topics
Syntax
Example
Product
Related Topics
show files sa
Description
Syntax
show files sa
Parameters
<cr>
<filename>
To display the contents of the log file, specify the filename and press Enter.
Example
Product
Steelhead appliance
Related Topics
Syntax
Usage
You export performance statistics to files using the stats export command.
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Example
Product
Related Topics
show images
Description
Displays the available software images and which partition the appliance will boot from the next
time it is restarted.
Syntax
show images
Parameters
None
Example
Product
Related Topics
show info
Description
Displays the system status, including the running state of the appliance.
Syntax
show info
Parameters
None
Usage
Use this command to verify that you are running a FIPS-approved software image.
Example
Healthy
working
11d 16h 38m 26s
11d 16h 36m 56s
no
38
C48QM000056EA
1050 (1050H)
A
4.1.9-fips
Product
Related Topics
show configuration
Displays the asymmetric route table. The table contains any asymmetric routes that currently
exist. It includes the source IP, destination IP, reason code, and time-out.
Syntax
Parameters
None
Usage
The following types of asymmetry are displayed in the asymmetric routing table:
bad RST. Complete Asymmetry: packets traverse both Steelhead appliances going from client
to server but bypass both Steelhead appliances on the return path.
bad SYN/ACK. Server-Side Asymmetry: Packets traverse both Steelhead appliances going
from client to server but bypass the server-side Steelhead appliance on the return path.
no SYN/ACK. Client-Side Asymmetry: Packets traverse both Steelhead appliances going from
client to server but bypass the client-side Steelhead appliance on the return path.
probe-filtered (not-AR). Probe-Filtered: Occurs when the client-side Steelhead appliance sends
out multiple SYN+ frames and does not get a response.
probe-filtered (not-AR). SYN-Rexmit: Occurs when the client-side Steelhead appliance
receives multiple SYN retransmits from a client and does not see a SYN/ACK packet from the
destination server.
Example
Product
Steelhead appliance
Related Topics
Displays the asymmetric route circular buffer. The buffer contains all the asymmetric routes that
have been detected. This is a circular buffer and wraps after a period of time. The circular buffer
displays artable-match if a new TCP connection is created for a pair of IP addresses that already
have an asymmetric routing table entry. The buffer is set up with Source IP:Source Port,
Destination IP:Destination Port, and reason code.
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
show interfaces
Description
Syntax
Parameters
<intname>
Specifies the interface name. For example, aux, lan0_0, wan0_0, primary,
in-path0_0, lo.
brief
configured
Usage
The set of settings and statistics displayed varies when using DHCP.
Example
Product
Related Topics
show jobs
Description
Syntax
show jobs
Parameters
None
Example
Product
Related Topics
show licenses
Description
Syntax
show licenses
Parameters
None
Example
Product
Related Topics
show log
Description
Syntax
Parameters
continuous
files <log
number>
reverse
Displays the log information, in reverse order, with the latest entry at the top.
matching
Example
Product
Related Topics
Logging Commands
Syntax
Parameters
<cr>
shares <cr>
local-name
<localname>
Example
Product
Steelhead appliance
Related Topics
9 17:04:26 2007
Syntax
Parameters
local-name
<localname>
Example
Product
Steelhead appliance
Related Topics
Specifies the name of the local share for which to display statistics.
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
show stats
Description
Syntax
show stats {
[alarm <type>]
[bandwidth {all | <port> bi-directional | lan-to-wan | wan-to-lan} {1min | 5min | hour | day |
week | month}]
[conn-pool {1min | 5min | hour | day | week | month}]
[connections {5min | hour | day | week | month}]
[cpu]
[datastore {<carriage return>| [5min | hour | day | week | month]}]
[ecc-ram]
[fan]
[http]
[link-state {all loss-rate {hour | day | week | month}}]
[memory]
[neighbor-fwd {all | default {pkt | byte {hour | day | week | month}}}]
[nfs {all | 1min | 5min | hour | day | week | month}]
[pfs {all | 1min | 5min | hour | day | week | month}]
[qos {all | default {pkt | byte {hour | day | week | month}}}]
settings bandwidth ports
[ssl [5min | hour | day | week | month]]
[throughput {all | <port> bi-directional | lan-to-wan | wan-to-lan} {1min | 5min | hour | day
| week | month}]
[traffic {passthrough | optimized} {1min | 5min | hour | day | week | month}]
}
Parameters
alarm <type>
cpu
ecc-ram
fan
http
memory
neighbor-fwd {all |
default | pkt | byte {hour
| day | week | month}
Displays NFS statistics for the specified period. The all option
displays aggregate statistics for all NFS servers. You can substitute
a server name for all to display statistics for the specified server
you configured.
Displays PFS statistics for the specified period. The all option
displays aggregate statistics for all PFS shares. You can substitute a
share name for all to display statistics for the specified share you
configured.
Steelhead appliance only.
Displays QoS statistics for the specified period. The all option
displays aggregate statistics for all QoS classes. You can substitute a
QoS class name for all to display statistics for the specified QoS
class.
Steelhead appliance only.
traffic {passthrough |
optimized {all 1min | 5min
| hour | day | week |
month}}
Example
Product
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
show version
Description
Syntax
Parameters
concise
Example
Product model:
System memory:
Number of CPUs:
CPU load averages:
1050
2320 MB used / 1628 MB free / 3949 MB total
2
0.19 / 0.16 / 0.10
Product
Related Topics
Syntax
Parameters
None
Example
Product
Related Topics
CHAPTER 4
Configuration-Mode Commands
In This Chapter
This chapter is a reference for configuration-mode commands. You use configuration-mode commands to
perform system administration tasks and to set the appliance, network, and feature configuration.
To enter configuration mode
1. Connect to the CLI. For detailed information, see Connecting to the CLI on page 25.
2. Enter enable mode; at the system prompt enter enable:
minna> enable
NOTE: You can use the CLI for some CMC system administration tasks and for appliance host and network setup, but
you must use the CMC Web-based user interface to use the centralized monitoring and management features provided
with the CMC product.
TIP: For an alphabetical list of commands, see the Index at the end of this book.
In This Section
4 - CONFIGURATION-MODE COMMANDS
Authentication Commands
Configuration-Mode Documentation Navigation
In This Section
Syntax
Parameters
<method>
Usage
The order in which the methods are specified is the order in which the authorization is attempted.
Specifies the authentication method: tacacs+ or local. Use a space-separated list.
The no command option clears all authorization states and returns the user authorization to the
local user name database.
Example
Product
Related Topics
Syntax
Parameters
None
Usage
If enabled, the next authentication method is tried only if the servers for the current authentication
method are unavailable.
The no command option disables fall-back mode.
Example
Product
Related Topics
Syntax
Parameters
<method>
Usage
The order in which the methods are specified is the order in which the authorization is attempted.
The no command option clears all authentication states and returns user authentication to the
local user name database.
Example
Product
Related Topics
Syntax
Parameters
<method>
Usage
The order in which the methods are specified is the order in which the authentication is
attempted.
The no command option clears all authentication states and returns user authentication to the
local user name database.
Example
Product
Related Topics
Specifies what local user the authenticated user will be logged in as when they are authenticated
(through RADIUS or TACACS+) and do not have a local user mapping specified in the remote
database.
Syntax
Parameters
<user_name>
Usage
When a user is authenticated through RADIUS or TACACS+ and does not have a local account,
this command specifies what local account the authenticated user will be logged in as.
For the local authentication method, this setting is ignored. This mapping depends on the setting
of the aaa authorization map order command.
The no command option disables user default mapping.
Example
Product
Related Topics
Sets the order for remote-to-local user mappings for RADIUS or TACACS+ server authentication.
Syntax
Parameters
<policy>
Usage
The order determines how the remote user mapping behaves. If the authenticated user name is
valid locally, no mapping is performed. The setting has the following behaviors:
remote-first. If a local-user mapping attribute is returned and it is a valid local user name, map
the authenticated user to the local user specified in the attribute. If the attribute is not present or
not valid locally, use the user name specified by the default-user command. (This is the default
behavior.)
remote-only. Map a remote authenticated user only if the authentication server sends a
local-user mapping attribute. If the attribute does not specify a valid local user, no further
mapping is attempted.
local-only. All remote users are mapped to the user specified by the aaa authorization map
default-user <user name> command. Any vendor attributes received by an authentication
server are ignored.
To set TACACS+ authorization levels (admin and read-only) to allow certain members of a group
to log in, add the following attribute to users on the TACACS+ server:
service = rbt-exec {
local-user-name = "monitor"
}
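The three map-order behaviors above, modeled as an added example (not Riverbed code) so the account a remote login ends up on can be checked for each policy. The function names, the constructed logins and the local account set {admin, monitor} are assumptions; the rule "valid locally means no mapping" is applied to all three policies because the text states it before listing them.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set, Tuple

POLICIES = ("remote-first", "remote-only", "local-only")


@dataclass(frozen=True)
class Mapping:
    local_user: Optional[str]  # local account the session runs as; None = no mapping
    reason: str                # which rule produced the result


def resolve_local_user(policy: str, auth_name: str, mapping_attr: Optional[str],
                       default_user: Optional[str], local_users: Set[str]) -> Mapping:
    """Apply the remote-to-local mapping rules for one authenticated remote user.

    mapping_attr is the local-user mapping attribute returned by the RADIUS or
    TACACS+ server (None if absent); default_user is the configured default
    mapping (None if disabled with the no command option).
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown map order policy: {policy!r}")

    # "If the authenticated user name is valid locally, no mapping is performed."
    if auth_name in local_users:
        return Mapping(auth_name, "valid-local-name")

    # remote-first and remote-only honor a server attribute naming a valid local
    # user; local-only ignores attributes received from the server.
    attr_ok = mapping_attr is not None and mapping_attr in local_users
    if policy != "local-only" and attr_ok:
        return Mapping(mapping_attr, "server-attribute")

    # remote-only: attribute missing or not valid locally, no further mapping.
    if policy == "remote-only":
        return Mapping(None, "no-mapping")

    # remote-first without a usable attribute, or local-only: use default-user.
    if default_user is None:
        return Mapping(None, "default-user-disabled")
    return Mapping(default_user, "default-user")


def default_user_fallbacks(policy: str, default_user: Optional[str],
                           local_users: Set[str],
                           logins: Sequence[Tuple[str, Optional[str]]]) -> List[str]:
    """Return the remote names that land on default_user rather than on an
    account the authentication server named for them."""
    hits = []
    for auth_name, attr in logins:
        result = resolve_local_user(policy, auth_name, attr, default_user, local_users)
        if result.reason == "default-user":
            hits.append(auth_name)
    return hits


# Constructed sample data: (authenticated name, local-user mapping attribute).
LOCAL_USERS = {"admin", "monitor"}
SAMPLE_LOGINS = [
    ("alice", "monitor"),  # server names a valid local account
    ("bob", None),         # server sends no attribute
    ("carol", "ghost"),    # attribute names an account that does not exist locally
    ("admin", None),       # name is already valid locally
]

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy)
        for name, attr in SAMPLE_LOGINS:
            r = resolve_local_user(policy, name, attr, "admin", LOCAL_USERS)
            print(f"  {name:6} attr={attr!s:8} -> {r.local_user!s:8} ({r.reason})")
```

With default-user set to a privileged account, every name returned by default_user_fallbacks receives that privilege without the server having granted it, so the output is a quick way to review a planned policy and default-user pair.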
Product
Related Topics
Syntax
Parameters
<method>
Usage
The order in which the methods are specified is the order in which the authorization is attempted.
Specifies the authentication method: tacacs+ or local. Use a space-separated list.
The no command option clears all authorization states and returns the user authorization to the
local user name database.
Example
Product
Related Topics
radius-server host
Description
Syntax
Parameters
<IP address>
auth-port <port>
key <keynumber>
Sets the shared secret text string used to communicate with this RADIUS
server.
retransmit <number>
key <keynumber>
Sets the shared secret text string used to communicate with this RADIUS
server.
Usage
Example
Product
Related Topics
radius-server key
Description
Sets the shared secret text string used to communicate with a RADIUS server.
Syntax
Parameters
<string>
Sets the shared secret text string used to communicate with any RADIUS server.
Usage
Example
Product
Related Topics
radius-server retransmit
Description
Specifies the number of times the client attempts to authenticate with any RADIUS server.
Syntax
Parameters
<retries>
Usage
Example
Product
Related Topics
Specifies the number of times the client attempts to authenticate with any
RADIUS server. The range is 0-5. The default value is 1.
radius-server timeout
Description
Sets the time-out in seconds for retransmitting a request to any RADIUS server.
Syntax
Parameters
<seconds>
Usage
Sets the time-out for retransmitting a request to any RADIUS server. The range is
1-60. The default value is 3.
Product
Related Topics
tacacs-server first-hit
Description
Syntax
tacacs-server first-hit
Parameters
<IP address>
Usage
TACACS+ servers are tried in the order they are configured. If this option is enabled, only the first
server in the list of TACACS+ servers is queried for authentication and authorization purposes.
Product
Related Topics
tacacs-server host
Description
Syntax
Parameters
<IP address>
auth-port <port>
auth-type <type>
Specifies the authorization type to use with this TACACS+ server: ascii,
pap.
key <keynumber>
Sets the shared secret text string used to communicate with any
TACACS+ server.
retransmit <number>
timeout <seconds>
Usage
Example
Product
Related Topics
tacacs-server key
Description
Sets the shared secret text string used to communicate with any TACACS+ server.
Syntax
Parameters
<string>
Usage
The tacacs-server key command can be overridden using the tacacs-server host command. The
no command option resets the value to the default value.
Example
Product
Related Topics
Sets the shared secret text string used to communicate with any TACACS+ server.
tacacs-server retransmit
Description
Specifies the number of times the client attempts to authenticate with any TACACS+ server.
Syntax
Parameters
<retries>
Usage
The default value is 1. The range is 0-5. To disable retransmissions set it to 0. The tacacs-server
retransmit command can be overridden in a tacacs-server host command.
Specifies the number of times the client attempts to authenticate with any
TACACS+ server. The range is 0-5. The default value is 1.
Example
Product
Related Topics
tacacs-server timeout
Description
Syntax
Parameters
<seconds>
Usage
Sets the time-out for retransmitting a request to any TACACS+ server. The range
is 1-60. The default value is 3.
Product
Related Topics
username disable
Description
Syntax
Parameters
<userid>
Usage
The no command option re-enables the specified user account. To re-enable the account, you must
set a password for it.
Example
Product
Related Topics
show usernames
username nopassword
Description
Syntax
Parameters
<userid>
Usage
Example
Product
Related Topics
show usernames
username password
Description
Syntax
Parameters
<userid>
<cleartext>
Usage
Example
Product
Related Topics
show usernames
username password 0
Description
Syntax
Parameters
<userid>
<cleartext>
Usage
Example
Product
Related Topics
show usernames
username password 7
Description
Sets the password for the specified user. Use this command if it becomes necessary to restore your
appliance configuration, including the password.
Syntax
Parameters
<userid>
<cleartext>
Usage
Use this command to restore your password using an encrypted version of the password. You can
display the encrypted version of the password using the show running configuration command.
For example, executing username monitor password awesomepass results in the following line
being added to the running configuration file:
username monitor password 7 $1$f2Azp8N8$n0oy6Y1KhCfuMo93f24ku/
If you need to restore your password in the future, you would paste:
username monitor password 7 $1$f2Azp8N8$n0oy6Y1KhCfuMo93f24ku/
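The stored value in the line above is in crypt(3) modular format, and its $1$ prefix identifies MD5-crypt, whereas the show command usage earlier in this manual says password files must be SHA-512 for FIPS compliance. The following added example (not Riverbed code) scans saved configuration text for username ... password 7 lines and reports accounts whose hash is not SHA-512-crypt. It assumes the appliance writes SHA-512 hashes with the standard $6$ prefix, which this manual does not show; the admin and operator lines are constructed.

```python
import re
from typing import List, NamedTuple, Optional

# Standard crypt(3) modular-format identifiers and encoded digest lengths.
CRYPT_SCHEMES = {
    "1": ("md5-crypt", 22),
    "5": ("sha256-crypt", 43),
    "6": ("sha512-crypt", 86),
}
CRYPT_ALPHABET = re.compile(r"[./0-9A-Za-z]+")
# Line shape taken from the running-configuration example in this manual.
USER_LINE = re.compile(r"^\s*username\s+(\S+)\s+password\s+7\s+(\S+)\s*$")


class Finding(NamedTuple):
    user: str
    scheme: str   # scheme name, or "unrecognized"
    sha512: bool  # True only for a well-formed sha512-crypt value


def identify_scheme(hash_field: str) -> Optional[str]:
    """Return the crypt scheme name for a $id$salt$digest string, or None if
    the string is not a well-formed value for a known scheme."""
    parts = hash_field.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] not in CRYPT_SCHEMES:
        return None
    ident, rest = parts[1], parts[2:]
    name, digest_len = CRYPT_SCHEMES[ident]
    # SHA-crypt permits an optional "rounds=N" field before the salt.
    if ident in ("5", "6") and len(rest) == 3 and re.fullmatch(r"rounds=\d+", rest[0]):
        rest = rest[1:]
    if len(rest) != 2:
        return None
    salt, digest = rest
    if not CRYPT_ALPHABET.fullmatch(salt) or not CRYPT_ALPHABET.fullmatch(digest):
        return None
    if len(digest) != digest_len:
        return None
    return name


def audit_password_lines(config_text: str) -> List[Finding]:
    """Classify every 'username <userid> password 7 <hash>' line in the text."""
    findings = []
    for line in config_text.splitlines():
        match = USER_LINE.match(line)
        if not match:
            continue
        user, field = match.groups()
        scheme = identify_scheme(field) or "unrecognized"
        findings.append(Finding(user, scheme, scheme == "sha512-crypt"))
    return findings


def non_sha512_users(config_text: str) -> List[str]:
    """Accounts whose stored hash would not meet the SHA-512 requirement."""
    return [f.user for f in audit_password_lines(config_text) if not f.sha512]


# Sample input. The monitor line is the one printed in this manual; the other
# username lines are constructed, and the $6$ digest is a placeholder, not a
# real hash.
SAMPLE_CONFIG = "\n".join([
    "web enable",
    "username monitor password 7 $1$f2Azp8N8$n0oy6Y1KhCfuMo93f24ku/",
    "username admin password 7 $6$constructedsalt1$" + "A" * 86,
    "username operator password 7 $1$short$tooshort",
])

if __name__ == "__main__":
    for finding in audit_password_lines(SAMPLE_CONFIG):
        status = "ok" if finding.sha512 else "REVIEW"
        print(f"{finding.user:10} {finding.scheme:14} {status}")
```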
Product
Related Topics
show usernames
In This Section
Generates SSH client identity keys for the specified user. SSH provides secure login for Windows
and Unix clients and servers.
Syntax
Parameters
<user>
Example
Product
Related Topics
Sets the RSA encryption method by RSA Security and authorized-key for the SSH user.
Syntax
Parameters
<user>
Usage
Example
Product
Related Topics
Specifies the public key for SSH version 2 for the specified SSH user.
Syntax
Parameters
None
Usage
After you have enabled interface restrictions, you must specify which interfaces to accept
connections on using the ssh server listen interface command. If the list of interfaces is empty, all
interfaces are accepted. If the list of interfaces has at least one entry, then the server listens on that
subset of interfaces.
The no command option disables SSH interface restrictions, which causes SSH to accept
connections from all interfaces.
SSH interface restrictions are not available through the Management Console.
Example
Product
Related Topics
Syntax
Parameters
None
Usage
After you have enabled interface restrictions, you must specify which interfaces to accept
connections on using the ssh server listen interface command. If the list of interfaces is empty, all
interfaces are accepted. If the list of interfaces has at least one entry, then the server listens on that
subset of interfaces.
The no command option disables SSH interface restrictions, which causes SSH to accept
connections from all interfaces.
SSH interface restrictions are not available through the Management Console.
Example
Product
Related Topics
Adds one or more interfaces to the SSH server access restriction list.
Syntax
Parameters
<interface>
Usage
To remove an interface:
no ssh server listen interface <interface>
If the list of interfaces is empty, all interfaces are accepted. If the list of interfaces has at least one
entry, then the server listens on that subset of interfaces.
The no command option removes the interface.
SSH interface restrictions are not available through the Management Console.
Example
Product
Related Topics
Enables SSH server to accept only v2 connections, which are more secure.
Syntax
Parameters
None
Usage
This command restricts the server to accept only v2 protocol connections, which are more secure.
The no command option removes the restriction.
Example
Product
Related Topics
In This Section
banner login
Description
Syntax
Parameters
<message
string>
Usage
Example
Product
Related Topics
show banner, show cli, show terminal, show web, show web prefs
banner motd
Description
Syntax
Parameters
<message string>
Usage
The no command option disables the system Message of the Day banner.
Example
Product
Related Topics
show banner, show cli, show terminal, show web, show web prefs
cli clear-history
Description
Syntax
cli clear-history
Parameters
None
Example
Product
Related Topics
show cli
Syntax
Parameters
<minutes>
Usage
Example
Product
Related Topics
Syntax
Parameters
None
Usage
Example
Product
Related Topics
cli session
Description
Syntax
cli session {auto-logout <minutes> | paging enable | terminal length <lines> | type
<terminal_type> | terminal width <number of characters>}
Parameters
auto-logout
<minutes>
Sets the number of minutes before the CLI automatically logs out the user.
The default value is 15 minutes. The no command option disables the
automatic logout feature.
paging enable
Sets paging. With paging enabled, if there is too much text to fit on the
page, the CLI prompts you for the next page of text. The no command
option disables paging.
terminal length
<lines>
Sets the terminal length. The no command option disables the terminal
length.
terminal type
<terminal_type>
Sets the terminal type. The no command option disables the terminal type.
terminal width
<number of
characters>
Sets the terminal width. The no command option disables the terminal
width.
Usage
Example
Product
Related Topics
show cli, show clock, show terminal, show web, show web prefs
terminal
Description
Syntax
Parameters
<type>
length <number>
width <number>
Usage
Example
Product
Related Topics
In This Section
web auto-logout
Description
Sets the number of minutes before the Management Console automatically logs out the user.
Syntax
Parameters
<minutes>
Usage
Example
Product
Related Topics
Specifies the number of minutes before the system automatically logs out the user.
The default value is 15 minutes.
web enable
Description
Syntax
web enable
Parameters
None
Usage
Example
Product
Related Topics
Syntax
Parameters
None
Usage
Example
Product
Related Topics
show protocol http, show cli, show terminal, show web, show web prefs
Syntax
Parameters
<port>
Usage
The no command option resets the Web port to the default value.
Example
Product
Related Topics
show protocol http, show cli, show terminal, show web, show web prefs
Syntax
Parameters
None
Usage
After you have enabled interface restrictions, you must use the web httpd listen interface
command to specify which interfaces to accept connections on. If the list of interfaces is empty, all
interfaces are accepted. If the list of interfaces has at least one entry, then the server only listens on
that subset of interfaces.
The no command option disables Web interface restrictions, which causes the server to accept
connections from all interfaces.
Web interface restrictions are not available through the Management Console.
Example
Product
Related Topics
show protocol http, show cli, show terminal, show web, show web prefs, web httpd
listen interface
Syntax
Parameters
<interface>
Usage
Product
Related Topics
show protocol http, show cli, show terminal, show web, web httpd listen enable,
Syntax
Parameters
None
Usage
FIPS Mode
FIPS mandates that you enable HTTPS and disable HTTP access to the system. You must execute
the protocol https enable command to enable HTTPS on the system. You must also disable HTTP
by executing the no protocol http enable command. For detailed information about configuring
FIPS-mode, see the FIPS/CC Administrators Guide.
The no command option disables secure port support.
Example
Product
Related Topics
show web
Syntax
Parameters
<port>
Usage
Example
Product
Related Topics
show web
Syntax
Parameters
<number>
Usage
Example
Product
Related Topics
Syntax
Parameters
<ip address>
<port>
Usage
Example
Product
Related Topics
show protocol http, show protocol ftp, show protocol connection, show web
Sets the session renewal time. This is the period before the Web session time-out during which an
incoming Web request automatically renews the session.
Syntax
Parameters
<minutes>
Usage
The no command option resets the session renewal time to the default value.
Example
Product
Related Topics
Sets the session time-out value. This is the amount of time the cookie is active.
Syntax
Parameters
<minutes>
Usage
The no command option resets the session time-out to the default value.
Example
Product
Related Topics
In This Section
configuration copy
Description
Syntax
Parameters
<sourcename>
<newfilename>
Example
Product
Related Topics
configuration delete
Description
Syntax
Parameters
<filename>
Example
Product
Related Topics
configuration factory
Description
Syntax
Parameters
<filename>
Example
Product
Related Topics
configuration fetch
Description
Syntax
configuration fetch
{<URL, scp://, or ftp://username:password@hostname/path/filename> [filename]}
Parameters
filename
Usage
To copy one configuration file to another appliance, run the following set of commands:
configuration fetch <url-to-remote-config> <new-config-name>
;; this fetches the configuration from the remote
configuration switch-to <new-config-name>
;; this activates the newly fetched configuration
Example
Product
Related Topics
configuration jump-start
Description
Syntax
configuration jump-start
Parameters
None
Example Interceptor
appliance
Example Steelhead
appliance
Product
Related Topics
configuration merge
Description
Syntax
Parameters
<filename>
<new-configname>
Usage
Use the configuration merge command to deploy a network of appliances. Set up a template
Interceptor appliance and merge the template with each Interceptor appliance in the network.
The following configuration settings are not merged when you run the configuration merge
command: failover settings, SNMP SysContact and SysLocation, log settings, and all network
settings (for example, host name, auxiliary interface, DNS settings, defined hosts, static routing,
and in-path routing).
The following configuration settings are merged when you run the configuration merge
command: in-path, out-of-path, protocols, statistics, CLI, email, NTP and time, Web, SNMP, and
alarm.
To merge a configuration file, run the following set of commands:
configuration write to <new-config-name>
;; this saves the current config to the new name and activates
;; the new configuration
configuration fetch <url-to-remote-config> <temp-config-name>
;; this fetches the configuration from the remote
configuration merge <temp-config-name>
;; this merges the fetched config into the active configuration
;; which is the newly named/created one in step 1 above
configuration delete <temp-config-name>
;; this deletes the fetched configuration as it is no longer
;; needed since you merged it into the active configuration
Example
Product
Related Topics
show configuration files, show configuration, show configuration full, show configuration
running
configuration move
Description
Syntax
Parameters
<sourcename>
<destname>
Example
Product
Related Topics
show configuration files, show configuration, show configuration full, show configuration
running
configuration new
Description
Syntax
Parameters
<newfilename>
keep licenses
Create a new configuration file with default settings and active licenses.
Usage
Riverbed recommends that you use the keep licenses command option. If you do not keep
licenses, your new configuration will not have a valid license key.
Example
Product
Related Topics
show configuration files, show configuration, show configuration full, show configuration
running, show version, show version history
Syntax
Parameters
None
Example
Product
Related Topics
image flash backup, configuration flash write, write flash, show configuration files,
show configuration, show configuration full, show configuration running, show
hardware, show version, show version history
Writes the active configuration to flash disk memory in binary and text form.
Syntax
Parameters
None
Example
Product
Related Topics
image flash backup, configuration flash write, write flash, show configuration files,
show configuration, show configuration full, show configuration running, show
hardware, show version, show version history
Syntax
Parameters
None
Example
Product
Related Topics
Syntax
Parameters
None
Example
Product
Related Topics
configuration switch-to
Description
Syntax
Parameters
<filename>
initial
initial.bak
cold
working
working.bak
Example
Product
Related Topics
configuration upload
Description
Syntax
Parameters
<filename>
active
Example
Product
Related Topics
show configuration files, show configuration, show configuration full, show configuration
running, show hardware, show version, show version history
configuration write
Description
Syntax
Parameters
to <filename>
Example
Product
Related Topics
show configuration files, show configuration, show configuration full, show configuration
running, show hardware, show version, show version history
Syntax
Parameters
<filename>
Example
Product
Related Topics
debug generate dump, tcpdump, show files debug-dump, show files tcpdump
Syntax
Parameters
<filename>
Example
Product
Related Topics
show email, debug generate dump, tcpdump, show files debug-dump, show files
tcpdump
Syntax
Parameters
<filename>
Example
Product
Related Topics
debug generate dump, tcpdump, show files debug-dump, show files tcpdump
Syntax
Parameters
<filename>
Example
Product
Related Topics
Syntax
Parameters
<source filename>
<destination filename>
Example
Product
Related Topics
Syntax
Parameters
<filename>
Example
Product
Related Topics
file tcpdump
Description
Syntax
Parameters
delete <filename>
upload <filename>
<URL or scp://username:password@hostname/path/filename>
Example
Product
Related Topics
debug generate dump, tcpdump, show files debug-dump, show files tcpdump
write flash
Description
Syntax
write flash
Parameters
None
Example
Product
Related Topics
image flash backup, configuration flash write, write flash, show configuration files,
show configuration, show configuration full, show configuration running, show
hardware, show version, show version history
write memory
Description
Syntax
write memory
Parameters
None
Example
Product
Related Topics
write terminal
Description
Syntax
write terminal
Parameters
None
Example
Product
Related Topics
Syntax
tcp connection send keep-alive local-addr <local IP addr> local-port <port> remote-addr <remote IP addr> remote-port <port>
Parameters
Usage
Enables a keep-alive timer between a local and remote Steelhead appliance so that you can
determine if there is an active connection between the appliances. If the appliance is down, it
terminates the connection. Use this command to debug connection problems in your network.
Example
minna (config) # tcp connection send keep-alive local-addr 10.0.0.0 local-port 1240 remote-addr 10.0.0.1 remote-port 1300
minna (config) #
Product
Steelhead appliance
Related Topics
Syntax
Parameters
Usage
Terminates connections between Steelhead appliances so that you can debug connection problems
in your network.
Example
minna (config) # tcp connection send reset local-only local-addr 10.0.0.0 local-port 1240 remote-addr 10.0.0.1 remote-port 1300
minna (config) #
Product
Steelhead appliance
Related Topics
port-label
Description
Configures port label settings. Port labels are names given to sets of ports. When you configure
rules for feature implementation, you can specify port labels instead of port numbers to reduce
the number of rules.
Syntax
Parameters
<label>
Specifies the name of the port label. Port labels are not case sensitive and can be
any string consisting of letters, numbers, underscore ( _ ), or a hyphen ( - ).
<port>
Usage
If you run the show port-label FOO command, you will see the new range of ports from 2 to 20.
The no command option resets the port label configuration settings to the defaults.
Example
Product
Related Topics
show port-label
stats alarm
Description
Syntax
Parameters
<type>
Usage
Critical temperature settings cannot be changed. Warning temperature settings can be changed.
The no command option disables all statistical alarms. The no stats alarm <type> enable
command disables specific statistical alarms.
Example
Product
Related Topics
stats chd
Description
Syntax
Parameters
<CHD ID>
clear
Example
Product
Related Topics
show clock
stats clear-all
Description
Syntax
stats clear-all
Parameters
None
Example
Product
Related Topics
stats export
Description
Exports statistics.
Syntax
stats export <format> csv <report name> after <yyyy>/<mm>/<dd> before <yyyy>/<mm>/<dd>
filename <filename>
Parameters
<format>
after <yyyy>/<mm>/<dd>
before <yyyy>/<mm>/<dd>
filename <filename>
Example
Product
Related Topics
show stats
stats sample
Description
Syntax
Parameters
type
clear
interval
<seconds>
Examples
Product
Related Topics
show stats
Syntax
Parameters
<port>
desc <description>
Usage
Example
Product
Steelhead appliance
Related Topics
show stats
Enables automatic email notification of significant alarms and events to Riverbed Technical
Support.
Syntax
Parameters
None
Usage
Example
Product
Related Topics
show email
email domain
Description
Syntax
Parameters
<host name or IP address>
Usage
Use the email domain command only if the email address does not contain the domain.
Example
Product
Related Topics
show email
email mailhub
Description
Syntax
Parameters
<host name or IP address>
Usage
Example
Product
Related Topics
show email
email mailhub-port
Description
Syntax
Parameters
<port number>
Usage
Example
Product
Related Topics
show email
Syntax
Parameters
None
Usage
Example
Product
Related Topics
show email
Syntax
Parameters
<email addr>
Usage
Example
Product
Related Topics
show email
Syntax
Parameters
None
Usage
Example
Product
Related Topics
show email
Syntax
Parameters
recipient <email-addr>
Usage
Example
Product
Related Topics
show email
email send-test
Description
Syntax
email send-test
Parameters
None
Example
Related Topics
show email
snmp-server community
Description
Syntax
Parameters
<name>
Usage
Example
Product
Related Topics
show snmp
snmp-server contact
Description
Syntax
Parameters
<name>
Usage
Example
Product
Related Topics
show snmp
snmp-server enable
Description
Syntax
Parameters
None
Usage
FIPS Mode
If you are running the Steelhead appliance in FIPS mode, you must make sure that SNMPv2 is not
enabled. You must run the no snmp-server enable command to shut down the SNMP server on
the Steelhead appliance. When you disable the SNMP server, SNMP traps are not sent out from
the appliance and SNMP queries cannot be performed to the servers from SNMP browsers (such
as snmpwalk). For detailed information about configuring FIPS mode, see the FIPS/CC
Administrator's Guide.
The no command option disables the SNMP server and traps.
Example
Product
Related Topics
show snmp
snmp-server host
Description
Syntax
snmp-server {host <host name or IP address>} [traps <host>] [traps version <versionnumber>]
Parameters
traps <host>
traps version <versionnumber>
Usage
Example
Product
Related Topics
show snmp
Syntax
Parameters
None
Usage
After you have enabled interface restrictions, you must specify which interfaces to accept
connections on using the snmp-server listen interface command. If the list of interfaces is empty,
all interfaces are accepted. If the list of interfaces has at least one entry, then the server listens only
on that subset of interfaces.
The no command option disables SNMP interface restrictions, which causes the SNMP server to
accept connections from all interfaces.
SNMP interface restrictions are not available through the Management Console.
FIPS Mode
If you are running the Steelhead appliance in FIPS mode, you must make sure that SNMPv2 is not
enabled. You must run the no snmp-server enable command to shut down the SNMP server on
the Steelhead appliance. When you disable the SNMP server, SNMP traps are not sent out from
the appliance and SNMP queries cannot be performed to the servers from SNMP browsers (such
as snmpwalk).
The snmp-server listen enable command restricts SNMP access on all interfaces. If you have not
specified interfaces using the snmp-server listen interface command, SNMP queries
cannot be performed on this Steelhead appliance through snmpwalk or other SNMP applications.
Example
Product
Related Topics
show snmp
Syntax
Parameters
<interface>
Usage
Product
Related Topics
show snmp
snmp-server location
Description
Syntax
Parameters
<addr>
Usage
Example
Product
Related Topics
show snmp
datastore convert
Description
Converts the data store from software v2.x to v3.x or v4.x formats.
Syntax
Parameters
[dsv1-format | dsv2-format]
Usage
Product
Steelhead appliance
Related Topics
show datastore
Specifies the type of encryption to use to encrypt the Steelhead appliance data store. Also turns
data store encryption on and off.
Syntax
Parameters
[NONE | AES_128 | AES_192 | AES_256]
Usage
If your data store is encrypted and you want to downgrade Steelhead appliance software to a
version prior to 4.1, you must:
1. Turn off data store encryption.
To do so, use the command datastore encryption type none. Setting the encryption type to
none turns off data store encryption.
2. Clean the data store and restart the Steelhead service:
restart clean
For more information, see the Steelhead Management Console User's Guide.
Example
Product
Steelhead appliance
Related Topics
Enables email notification when the data in the data store is replaced with new data in less time
than you specify.
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
show datastore
Sets the number of days to elapse before sending an email message notifying you that the data in
the data store has been replaced.
Syntax
Parameters
wrap-around <days>
Usage
Product
Steelhead appliance
Related Topics
show datastore,
Syntax
Parameters
<port>
Example
Product
Steelhead appliance
Related Topics
show datastore
Specifies the port of the Steelhead appliance that will receive the data store.
Syntax
Parameters
<addr>
Specifies the IP address of the remote Steelhead appliance from which to send the
data store.
<port>
Example
Product
Steelhead appliance
Related Topics
Enables pairs of Steelhead appliances on the same side of a WAN to automatically keep their data
stores synchronized. This feature provides for failover and overflow capacity without
performance loss. Although the two features are typically enabled together, you can enable this
feature (which, beginning with version 4.0, is also known as active-active synchronization)
independently of whether you have enabled failover.
Syntax
Parameters
None
Usage
Automated data store synchronization allows pairs of Steelhead appliances on the same side of a
WAN to keep their data stores automatically synchronized.
In pre-4.0 versions of Steelhead appliance software, automated data store synchronization
involved configuring a pair of Steelhead appliances, one as active and the other as passive. A
synchronization server (sync-server) ran on the active Steelhead appliance, and sent segment
pages to the synchronization client (sync-client) running on the passive Steelhead appliance.
Beginning with version 4.0, pairs of Steelhead appliances on the same side of a WAN can keep
their data stores synchronized via active-active synchronization (active-active sync). With
active-active sync, both the sync-client and sync-server are enabled on each Steelhead appliance,
thus allowing each Steelhead appliance to send and receive new data-store segment pages.
Active-active sync not only provides automatic synchronization and replication but also provides
for failover and overflow capacity without performance loss.
Although the failover and active-active sync features are typically enabled together, you can
enable active-active sync independently of standard failover.
To use active-active sync, you configure two Steelhead appliances, one as a synchronization server
(the synchronization master) and the other as synchronization backup. After you have enabled
and configured active-active sync, both Steelhead appliances are active and optimize connections.
Additionally, the data stores are actively kept synchronized. Active-active sync replicates data
using the following techniques:
Catch-up. Copies data that is already on the master Steelhead appliance data store to the backup
Steelhead appliance. The first time you synchronize your data stores, the backup data store is
overwritten by the master during catch-up. Subsequently, synchronization occurs in both
directions (from the master to the backup and vice versa). If your data stores are out-of-sync, the
Steelhead appliance determines what data has changed on both the master and the backup, and
only copies the missing data.
Keep-up. New data in the backup Steelhead appliance is sent to the master Steelhead appliance
and new pages in the master Steelhead appliance are sent to the backup Steelhead appliance.
Keep-up runs continuously, copying new data that the master Steelhead appliance encounters on
the backup Steelhead appliance and vice versa.
The synchronization server functions as the master copy of the data. Data is replicated from the
master to the backup at the beginning of the process, not from the backup to the master. Data on
the master is replicated to the backup using the catch-up mechanism. Any data on the backup is
deleted.
If a synchronization master Steelhead appliance fails, the backup Steelhead appliance continues
intercepting traffic and acquiring new data. When the master Steelhead appliance comes back
online, synchronization stops.
If data store synchronization is interrupted for any reason (such as a network interruption or if
one of the Steelhead appliances is taken out of service), the Steelhead appliances continue other
operations without disruption. When the interruption is resolved, data store synchronization
resumes where it left off without risk of data corruption.
Before you replace a synchronization master for any reason, Riverbed recommends that you make
the backup Steelhead appliance the new master. This enables the new master (the former backup)
to warm the new (replacement) Steelhead appliance, ensuring that the most recent data is
optimized and none is cleared.
To enable active-active sync, the synchronization master and its backup:
- must be on the same side of the WAN.
- do not have to be in the same physical location. If they are in different physical locations, they
  must be connected via a fast, reliable LAN connection with minimal latency.
- must be running the same version of the RiOS software.
- must have the same hardware model.
IMPORTANT: If you are setting up active-active sync for the first time, you must restart the
Steelhead service on both Steelhead appliances.
For data store synchronization, the master Steelhead appliance serves as the original copy of the
data for replication. Both the master and the backups are active at the same time.
In most implementations in which both failover and active-active sync are enabled, the same
Steelhead appliance serves as the master for both failover and data store synchronization.
However, if you enable failover and active-active synchronization, the failover master and the
synchronization master do not have to be the same Steelhead appliance.
The no command option disables automatic synchronization.
Example
minna (config) # datastore sync peer-ip "192.148.0.12"
minna (config) # datastore sync port "7744"
minna (config) # datastore sync reconnect "30"
minna (config) # datastore sync master
minna (config) # datastore sync enable
minna (config) #
Product
Steelhead appliance
Related Topics
Sets the local appliance as the master appliance to which the data stores for other appliances
synchronize.
Syntax
Parameters
None
Usage
The no command option removes the master status for the appliance data store.
Example
Product
Steelhead appliance
Related Topics
Sets the IP address of the peer appliance to which you want to push replicated data.
This must be the primary IP address of a backup appliance.
Syntax
Parameters
<addr>
Example
Product
Steelhead appliance
Related Topics
Sets the port of the peer Steelhead appliance to which you want to push replicated data.
Syntax
Parameters
<port>
Specifies the port of the peer Steelhead appliance. The default value is 7744.
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<seconds>
Specifies the number of seconds for the reconnection interval. The default value is 30.
Usage
Example
Product
Steelhead appliance
Related Topics
Logging Commands
logging
Description
Syntax
Parameters
<addr>
Specifies the trap log level of the syslog server. If you have set different log
levels for each remote syslog server, this option changes all remote syslog
servers to have a single log level.
Usage
The no command option removes a remote syslog server from the system.
Example
Product
Related Topics
Deletes the oldest log file or a specified number of the oldest log files.
Syntax
Parameters
oldest [<number>]
Usage
Example
Product
Related Topics
Syntax
Parameters
<rotation frequency>
Usage
Example
Product
Related Topics
Sets the size, in MB, of the log file before rotation occurs.
Syntax
Parameters
<size>
Usage
Example
Product
Related Topics
Syntax
Parameters
None
Example
Product
Related Topics
Syntax
Parameters
<number>
Specifies the number of log files to keep locally. The range is 1-100.
Usage
Example
Product
Related Topics
logging local
Description
Sets the minimum severity of log messages saved on the local syslog servers.
Syntax
Parameters
<loglevel>
Specifies the logging severity level. The following severity levels are supported:
emerg. Emergency, the system is unusable.
alert. Action must be taken immediately.
crit. Critical conditions.
err. Error conditions.
warning. Warning conditions.
notice. Normal but significant condition.
info. Informational messages.
debug. Debug-level messages.
Usage
Example
Product
Related Topics
logging trap
Description
Sets the minimum severity for messages sent to the remote syslog servers.
Syntax
Parameters
<loglevel>
Specifies the logging severity level. The following levels are supported:
emerg. Emergency, the system is unusable.
alert. Action must be taken immediately.
crit. Critical conditions.
err. Error conditions.
warning. Warning conditions.
notice. Normal but significant condition.
info. Informational messages.
debug. Debug-level messages.
Usage
The no command option sets the severity level for logging to none.
Example
Product
Related Topics
boot system
Description
Boots the specified partition the next time the appliance is rebooted.
Syntax
Parameters
<partition>
Example
Product
Related Topics
show version, show version history, show images, show info, show bootvar
Syntax
Parameters
None
Usage
This command is valid only after you have installed a hardware upgrade license.
Product
Steelhead appliance
Related Topics
show version, show version history, show images, show info, show bootvar
image boot
Description
Syntax
Parameters
<partition>
Example
Product
Related Topics
show version, show version history, show images, show info, show bootvar
image delete
Description
Syntax
Parameters
<imagefilename>
Example
Product
Related Topics
show version, show version history, show images, show info, show bootvar
image fetch
Description
Syntax
Parameters
<image-filename>
A carriage return downloads the image and gives it the same name it
had on the server.
Example
Product
Related Topics
show version, show version history, show images, show info, show bootvar
Syntax
Parameters
<image version>
Example
Product
Related Topics
configuration flash restore, configuration flash write, show version, show version
history, show images, show info, show bootvar
Specifies the filename under which to store the image on the flash disk.
Syntax
Parameters
<flash recovery image>
Example
Product
Related Topics
configuration flash restore, configuration flash write, show version, show version
history, show images, show info, show bootvar
image install
Description
Syntax
Parameters
<image-filename>
<partition>
Example
Product
Related Topics
show version, show version history, show images, show info, show bootvar
image move
Description
Syntax
Parameters
<source-imagename>
<new-image-name>
Example
Product
Related Topics
show version, show version history, show images, show info, show bootvar
license delete
Description
Syntax
Parameters
<key>
Example
Product
Related Topics
show version, show version history, show images, show info, show bootvar
license install
Description
Syntax
Parameters
<license key>
Usage
Example
Product
Related Topics
show licenses
hardware watchdog
Description
Enables the hardware watchdog which monitors the system for hardware errors.
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
job
Description
Syntax
Parameters
<job-id>
<sequence #>
Specifies the sequence number for job execution. The sequence number is an
integer that controls the order in which a CLI command is executed. CLI
commands are executed from the smallest to the largest sequence number.
<cli-command>
Usage
A job includes a set of CLI commands and a time when the job will run. Jobs are run one time only,
but they can be reused.
Any number of CLI commands can be specified with a job and are executed in an order specified
by sequence numbers. If a CLI command in the sequence fails, no further commands in the job are
executed. A job can have an empty set of CLI commands.
The output of all commands executed is saved to a file in a specified directory. The output of
each command is simply appended to the file.
The job output and any error messages are saved. Jobs can be canceled and rescheduled.
The no job <job-id> command <sequence #> command option deletes the CLI command from
the job.
The no job <job-id> command option removes all statistics associated with the specified job. If
the job has not executed, the timer event is canceled. If the job was executed, the results are
deleted along with the job statistics.
Example
Product
Related Topics
show jobs
job comment
Description
Adds a comment to the job for display when show jobs is run.
Syntax
Parameters
<job-id>
<comment>
Usage
Example
Product
Related Topics
show jobs
job date-time
Description
Syntax
Parameters
<job-id>
Specifies the date and time for the job to execute. An hour and
minute must be specified; optionally, you can specify seconds or
the date.
Usage
If the time specified is in the past, the job does not execute and is in the inactive state. An hour and
minute must be specified; optionally, you can specify seconds or the date.
Example
Product
Related Topics
show jobs
job enable
Description
Enables a CLI command job to execute at the date and time specified in the job.
Syntax
Parameters
<job-id>
Usage
Example
Product
Related Topics
show jobs
job execute
Description
Forces an immediate execution of a job. The timer (if set) is canceled, and the job is moved to the
completed state.
Syntax
Parameters
<job-id>
Example
Product
Related Topics
show jobs
job fail-continue
Description
Syntax
Parameters
<job-id>
Usage
Example
Related Topics
show jobs
job name
Description
Syntax
Parameters
<job-id>
<friendly-name>
Usage
Example
Related Topics
show jobs
job recurring
Description
Syntax
Parameters
<job-id>
<seconds>
Example
Related Topics
show jobs
reload
Description
Syntax
Parameters
clean [halt]
Clears the data store, then reboots or shuts down the system.
halt
force
Usage
Example
minna # reload
The session will close. It takes about 2-3 minutes to reboot the appliance.
Product
Related Topics
show configuration running, show hardware error-log, show info, show log
restart
Description
Syntax
restart [clean]
Parameters
clean
Example
minna # restart
Terminating the process....
Relaunching the process.
Product
Related Topics
show datastore
service enable
Description
Syntax
service enable
Parameters
None
Usage
The no command option disables the service (that is, it disables all the configured in-path IP
addresses and ports and the appliance loses its connection to the Management Console).
Example
Product
Related Topics
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
service map-port
Description
Syntax
Parameters
<dest port>
<service port>
Usage
Setting multiple service ports on inner connections enables you to identify the type of traffic and
apply QoS settings based on a port.
For example, in an in-path deployment, CIFS and MAPI could be mapped to port 9800 and HTTP
to port 9802. You can configure the WAN router to tag packets for port 9800 with the same priority
as for port 9802, so that CIFS and MAPI have the same priority as HTTP. Or you can create a
hierarchical mapping where port 9800 receives a higher priority than 9802, and so on.
In the out-of-path deployment, you define which port to listen to on the server Steelhead
appliance, and you define an in-path, fixed-target rule on the client Steelhead appliance to point to
the service ports for the traffic to which you want to apply QoS.
You cannot map the following ports:
- Port 22. Reserved for SSH.
- Ports 80, 443, and 446. Reserved for the Management Console.
- Ports 139, 445, and 977. Reserved for PFS. These ports are excluded only if you have enabled
  PFS.
- Ports 7800-7899. Reserved by Riverbed (except 7800 and 7810).
- Port 8777. Reserved for CIFS transparent prepopulation. This port is excluded only if you have
  enabled CIFS prepopulation.
The no command option disables the service map.
Example
Product
Steelhead appliance
Related Topics
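The exclusion list in the service map-port Usage text can be checked before a change is pushed to an appliance. The following is an added example, not Riverbed code: the Features type, the function names and the sample plan are hypothetical, and it assumes the exclusions apply to the service port, since the manual's own example maps CIFS and HTTP traffic to service ports 9800 and 9802.

```python
from dataclasses import dataclass

# Transcribed from the "You cannot map the following ports" list in the Usage text.
ALWAYS_RESERVED = {22: "SSH", 80: "Management Console",
                   443: "Management Console", 446: "Management Console"}
PFS_PORTS = frozenset({139, 445, 977})        # excluded only when PFS is enabled
CIFS_PREPOP_PORTS = frozenset({8777})         # excluded only when CIFS prepopulation is enabled
RIVERBED_RANGE = range(7800, 7900)            # 7800-7899 inclusive
RIVERBED_EXCEPTIONS = frozenset({7800, 7810}) # the two ports the manual exempts


@dataclass(frozen=True)
class Features:
    """Appliance features that change which ports are excluded (hypothetical type)."""
    pfs_enabled: bool = False
    cifs_prepop_enabled: bool = False


def _valid(port):
    """True for an integer in the TCP port range; bool is rejected explicitly."""
    return isinstance(port, int) and not isinstance(port, bool) and 1 <= port <= 65535


def reserved_reason(port, features=Features()):
    """Return why `port` cannot be used in a service map, or None if it is allowed."""
    if not _valid(port):
        return "not a valid TCP port number"
    if port in ALWAYS_RESERVED:
        return "reserved for " + ALWAYS_RESERVED[port]
    if port in RIVERBED_RANGE and port not in RIVERBED_EXCEPTIONS:
        return "reserved by Riverbed (7800-7899, except 7800 and 7810)"
    if features.pfs_enabled and port in PFS_PORTS:
        return "reserved for PFS"
    if features.cifs_prepop_enabled and port in CIFS_PREPOP_PORTS:
        return "reserved for CIFS transparent prepopulation"
    return None


def review_mappings(mappings, features=Features()):
    """Split (dest_port, service_port) pairs into accepted and rejected lists.

    Assumption: the exclusion list is applied to the service port only; the
    destination port is checked for range validity and nothing else.
    """
    accepted, rejected = [], []
    for dest_port, service_port in mappings:
        if not _valid(dest_port):
            reason = "destination is not a valid TCP port number"
        else:
            reason = reserved_reason(service_port, features)
        if reason is None:
            accepted.append((dest_port, service_port))
        else:
            rejected.append((dest_port, service_port, reason))
    return accepted, rejected


# Constructed sample plan: (destination port, service port) pairs.
PLAN = [(445, 9800), (80, 9802), (80, 443), (21, 7850), (445, 7810), (80, 8777)]

if __name__ == "__main__":
    ok, bad = review_mappings(PLAN, Features(cifs_prepop_enabled=True))
    for dest, svc in ok:
        print(f"ok      dest {dest} -> service port {svc}")
    for dest, svc, why in bad:
        print(f"reject  dest {dest} -> service port {svc}: {why}")
```

The PFS and CIFS prepopulation flags matter: with both left at their default of False, ports 139, 445, 977 and 8777 pass the check, matching the conditional wording in the list.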
service neural-framing
Description
Syntax
Parameters
dump <cr>
iterations <cr>
Resets iterations before determining heuristic. Used only with the no option.
For example: no service neural-framing iterations
Usage
By default, neural-framing statistics are disabled. Neural framing enables the Steelhead appliance
to select the optimal packet framing boundaries for SDR. SDR encoding provides the best
optimization results when the largest buffer is available before a flush is performed.
Neural framing creates a set of heuristics to intelligently determine the optimal moment to flush
TCP buffers. The Steelhead appliance continuously evaluates these heuristics and uses the
optimal heuristic to maximize the amount of buffered data transmitted in each flush, while
minimizing the amount of idle time that the data sits in the buffer.
You must set the neural framing mode (algorithm) for in-path rules for which you want to apply
neural framing.
The no command option disables neural-framing statistics.
Example
Product
Steelhead appliance
Related Topics
show stats
service port
Description
Sets a new service port to add for multiple service ports. Service ports are the ports used for inner
connection between Steelhead appliances.
Syntax
Parameters
<port>
Specifies the new port to add. The default service ports are 7800 and 7810.
Usage
You can configure multiple service ports on the server side of the network for multiple QoS
mappings. You define a new service port and then map CIFS ports to that port, so that QoS
configuration settings on the router are applied to that service port.
Product
Steelhead appliance
Related Topics
service restart
Description
Syntax
service restart
Parameters
None
Example
Product
Related Topics
arp
Description
Syntax
Parameters
<addr>
<MACaddr>
Usage
Example
Product
Related Topics
show arp
clock set
Description
Syntax
Parameters
<hh:mm:ss>
<yyyy/mm/dd>
Example
Product
Related Topics
show clock
clock timezone
Description
Syntax
Parameters
<zone>
Specifies the time zone name: Africa, America, Antarctica, Arctic, Asia,
Atlantic_Ocean, Australia, Europe, GMT-offset, Indian_Ocean, Pacific_Ocean,
UTC.
Usage
Example
Product
Related Topics
show clock
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
show hardware
hostname
Description
Syntax
Parameters
<host name>
Usage
The no command option removes the host name for this appliance.
Example
Product
Related Topics
show hosts
interface
Description
Syntax
Parameters
<interfacename>
<options>
Usage
Example
Product
Related Topics
show interfaces
ip default-gateway
Description
Syntax
ip default-gateway <addr>
Parameters
<addr>
Usage
This command is used to set the default gateway for the entire appliance. It is primarily used for
the primary or auxiliary (aux) interfaces for management, but can also be used for out-of-path
optimization configurations as well as PFS.
Example
Product
Related Topics
ip domain-list
Description
Adds a domain name to the domain list for resolving host names.
Syntax
Parameters
<domain>
Usage
Example
Product
Related Topics
ip host
Description
Syntax
Parameters
<host name>
<addr>
Usage
The no command option removes an entry from the static host table.
Example
Product
Related Topics
show hosts
ip name-server
Description
Syntax
ip name-server <addr>
Parameters
<addr>
Usage
Example
Product
Related Topics
ip route
Description
Syntax
Parameters
<network prefix>
<netmask>
<mask length>
<next-hop-IPaddress>
Usage
The no command option disables the static route. If no ip route is run with only a network prefix
and mask, it deletes all routes for that prefix.
Example
Product
Related Topics
show ip
ntp disable
Description
Syntax
ntp disable
Parameters
None
Usage
Example
Related Topics
show ntp
ntp enable
Description
Syntax
ntp enable
Parameters
None
Usage
Example
Product
Related Topics
show ntp
ntp peer
Description
Syntax
Parameters
<addr>
version <number>
Specifies the NTP version number. You do not need to specify the version
number for the no ntp peer command.
Usage
Example
Product
Related Topics
ntp server
Description
Syntax
Parameters
<addr>
version <number>
Specifies the version number for NTP. You do not need to specify the
version number for the no ntp server command.
Usage
Example
Product
Related Topics
ntpdate
Description
Syntax
ntpdate <addr>
Parameters
<addr>
Usage
Example
Product
Related Topics
show ntp
telnet-server enable
Description
Enables you to access the CLI using Telnet. This feature is disabled by default.
Syntax
telnet-server enable
Usage
You can use this command to troubleshoot your system. It enables you to access the CLI from
another system.
FIPS Mode
You must disable Telnet in the Steelhead appliance to be FIPS compliant. If you have been running
the Steelhead appliance in non-FIPS mode and you have enabled Telnet, you must run no telnet-server
to make the Steelhead appliance FIPS compliant. For detailed information about FIPS
mode, see FIPS/CC Compliance Commands on page 318 and the FIPS/CC Administrators
Guide.
Example
Product
Steelhead appliance
Related Topics
show telnet-server
in-path enable
Description
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<interface>
Usage
The in-path interface enable command is useful only when there are multiple bypass cards
enabled (for example, with a Four-Port Copper Gigabit-Ethernet Bypass card).
Example
Product
Related Topics
Syntax
Parameters
<interface>
<id>
Usage
The in-path interface vlan command enables you to set which VLAN to use for connections. It
does not define which VLAN to optimize.
To define which VLAN to optimize, you must define in-path rules and apply them to all VLANs
or a specific VLAN.
The no command option disables the VLAN support.
Example
Product
Related Topics
in-path kickoff
Description
Syntax
Parameters
None
Usage
When the Steelhead service restarts with kickoff enabled, it breaks existing connections and forces
clients to open new connections.
With kickoff disabled, open connections are not broken, but they are unoptimized. New
connections are optimized.
When the appliance is not powered on or the Steelhead service is not running, the failover
appliance takes over so that connections continue to be made to the WAN.
Generally, connections are short lived and kickoff is not necessary; kickoff is suitable for very
challenging remote environments. For example, in an environment with 128 kbps and 1.5 seconds
of latency, you might want to cancel an HTTP download so that your traffic is optimized; whereas
in a remote branch-office with a T1 and 35 ms round-trip time, you would want connections to
migrate to optimization gracefully, rather than risk interruption with kickoff.
NOTE: Do not enable kickoff for in-path Steelhead appliances that use auto-discovery or if you do
not have a Steelhead appliance on the remote side of the network. If you do not set any in-path
rules, the default behavior is to auto-discover all connections. If kickoff is enabled, all connections
that existed before the Steelhead appliance started are reset.
The no command option disables the in-path kickoff feature.
Example
Product
Steelhead appliance
Related Topics
Enables link-state propagation. For example, if the LAN interface drops link then the WAN will
do the same.
Syntax
Parameters
None
Usage
If you require a Steelhead appliance to fail-to-wire when the LAN or WAN ports become
disconnected, enable this feature. This feature is similar to what ISPs do in order to follow the state
of a link.
The no command option disables the in-path feature.
Example
Product
Steelhead appliance
Related Topics
Moves the order of the rule in the rule list to the specified position.
Syntax
Parameters
<rulenum>
Usage
Example
Product
Related Topics
Enable in-path support for networks that utilize Layer-4 switches, PBR, and WCCP.
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
show out-of-path
Syntax
[no] in-path rule auto-discover [srcaddr <network>] [dstaddr <network>] [dstport <port>]
[vlan <vlan tag ID>] [optimization {normal | sdr-only | compr-only | none}] [preoptimization
{ssl | jinitiator | none}] [latency-opt {normal | http | none}] [neural-mode {always | dynamic |
never | tcphints}] [rulenum <rulenum>] [description <description>]
Parameters
srcaddr <network>
dstaddr <network>
dstport <port>
vlan <vlan tag ID>
Specifies the VLAN tag ID (if any). The VLAN identification number is
a value with a range from 0-4094. Specify 0 to mark the link untagged.
optimization {normal | sdr-only | compr-only | none}
preoptimization {ssl | jinitiator | none}
latency-opt {http | normal | none}
neural-mode {always | dynamic | never | tcphints}
rulenum <rulenum>
Specifies the order in which the rule is consulted: 1-N or start or end.
The rule is inserted into the list at the specified position. For example, if
you specify rulenum as 3, the new rule will be #3, the old rule #3 will
become #4, and so forth.
The start value specifies that the rule become the first rule and end
specifies that it become the last rule.
If you do not specify a rule number, the rule is added to the end of the
list.
description <description>
Usage
The Steelhead appliance automatically intercepts traffic on all IP addresses (0.0.0.0) and ports
(all) and optimizes according to default settings.
Specify auto-discovery rules for traffic that you want to optimize in a particular way.
The no command option disables the rule. The no command option has the following syntax:
no in-path rule <rulenum>
Example
minna (config) # in-path rule auto-discover srcaddr 10.10.10.1 port 2121 dstaddr
10.24.24.24.1 rulenum 2
minna (config) #
Product
Steelhead appliance
Related Topics
show in-path, show in-path rules, show interfaces, SSL Support Commands, JInitiator
Support Commands, HTTP Support Commands
Syntax
[no] in-path rule deny [srcaddr <network>] [dstaddr <network>] [dstport <port>] [vlan <vlan
tag ID>] [rulenum <rulenum>] [description <description>]
Parameters
srcaddr <network>
Specifies the source subnet for this rule. For example: 1.2.3.4/32
dstaddr <network>
dstport <port>
vlan <vlan tag ID>
Specifies the VLAN tag ID (if any). The VLAN tag ID is a number
with a range from 0-4094. Specify 0 to mark the link untagged.
rulenum <rulenum>
description <description>
Usage
The Steelhead appliance automatically intercepts traffic on all IP addresses (0.0.0.0) and ports (all)
and optimizes according to default settings.
Specify deny rules for traffic you want to reject and return a message to the client that the request
has been denied.
The no command option disables the rule. The no command option syntax is:
no in-path rule <rulenum>
Example
minna (config) # in-path rule deny srcaddr 10.0.0.1 dstaddr 10.0.0.2 rulenum 4
minna (config) #
Product
Related Topics
Syntax
[no] in-path rule discard [srcaddr <network>] [dstaddr <network>] [dstport <port>] [vlan <vlan
tag ID>] [rulenum <rulenum>] [description <description>]
Parameters
srcaddr <network>
Specifies the source subnet for this rule. For example: 1.2.3.4/32
dstaddr <network>
dstport <port>
vlan <vlan tag ID>
Specifies the VLAN tag ID (if any). The VLAN tag ID is a number
with a range from 0-4094. Specify 0 to mark the link untagged.
rulenum <rulenum>
description <description>
Usage
The Steelhead appliance automatically intercepts traffic on all IP addresses (0.0.0.0) and ports (all)
and optimizes according to default settings.
Specify discard rules for traffic that you want to drop silently instead of optimizing or passing
through.
The no command option disables the rule. The no command option has the following syntax:
no in-path rule <rulenum>.
Example
minna (config) # in-path rule discard srcaddr 10.0.0.2 dstaddr 10.0.0.1 port 1234
rulenum 2
minna (config) #
Product
Related Topics
Syntax
[no] in-path rule fixed-target [srcaddr <network>] [dstaddr <network>] [dstport <port>] [vlan
<vlan tag ID>] [optimization {normal | sdr-only | compr-only | none}] [preoptimization {ssl
| jinitiator | none}] [latency-opt {normal | http | none}] [neural-mode {always | dynamic | never
| tcphints}] [rulenum <rulenum>] [description <description>]
Parameters
srcaddr <network>
dstaddr <network>
dstport <port>
target-addr <addr>
target-port <port>
backup-addr <addr>
backup-port <port>
vlan <vlan tag ID>
Specifies the VLAN tag ID (if any). The VLAN identification number is a
value with a range from 0-4094. Specify 0 to mark the link untagged.
optimization {normal | sdr-only | compr-only | none}
preoptimization {ssl | jinitiator | none}
latency-opt {http | normal | none}
neural-mode {always | dynamic | never | tcphints}
rulenum <rulenum>
Specifies the order in which the rule is consulted: 1-N or start or end.
The rule is inserted into the list at the specified position. For example, if
you specify rulenum as 3, the new rule will be #3, the old rule #3 will
become #4, and so forth.
The start value specifies that the rule become the first rule and end
specifies that it become the last rule.
If you do not specify a rule number, the rule is added to the end of the
list.
description <description>
Usage
The Steelhead appliance automatically intercepts traffic on all IP addresses (0.0.0.0) and ports (all)
and optimizes according to default settings.
Specify fixed-target rules to set out-of-path Steelhead appliances near the target server that you
want to optimize.
The no command option disables the rule. The no command option has the following syntax:
no in-path rule <rulenum>.
NOTE: In out-of-path deployments, to optimize MAPI Exchange 2003 by destination port, you
must define fixed-target, in-path rules that specify the following ports on the client-side Steelhead
appliance: the Microsoft end-point mapper port: 135; the Steelhead appliance port for Exchange
traffic: 7830; the Steelhead appliance port for Exchange Directory NSPI traffic: 7840.
Example
Product
Steelhead appliance
Related Topics
Syntax
[no] in-path rule pass-through [srcaddr <network>] [dstaddr <network>] [dstport <port>] [vlan
<vlan tag ID>] [rulenum <rulenum>] [description <description>]
Parameters
srcaddr <network>
Specifies the source subnet for this rule. For example: 1.2.3.4/32
dstaddr <network>
dstport <port>
rulenum <rulenum>
description <description>
Usage
The Steelhead appliance automatically intercepts traffic on all IP addresses (0.0.0.0) and ports (all)
and optimizes according to default settings.
Specify pass-through rules for traffic that you want to pass through to its destination without
optimization by the Riverbed system.
The no command option disables the rule. The no command option has the following syntax:
no in-path rule <rulenum>.
Example
minna (config) # in-path rule pass-through addr 10.10.10.1 port 2121 rulenum 25
minna (config) #
Product
Related Topics
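The rulenum ordering described in the rule entries above can be modelled offline to check where a new rule lands and whether an earlier, broader rule hides it. This is an added example, not Riverbed code: the class and method names are hypothetical, the rules in demo() are constructed, and it assumes that the first matching rule decides the action and that out-of-range rule numbers are rejected, neither of which the page states.

```python
import ipaddress


class InPathRuleList:
    """Toy model of an ordered in-path rule list (hypothetical, not appliance code)."""

    def __init__(self):
        self.rules = []  # user rules only; index 0 is rule #1, the default rule is implicit

    def add(self, action, srcaddr="0.0.0.0/0", dstaddr="0.0.0.0/0",
            dstport="all", rulenum=None):
        """Insert a rule using the manual's rulenum semantics: 1-N, start, end."""
        rule = {
            "action": action,
            "src": ipaddress.ip_network(srcaddr),
            "dst": ipaddress.ip_network(dstaddr),
            "port": dstport,
        }
        count = len(self.rules)
        if rulenum is None or rulenum == "end":
            pos = count                      # no rule number: added to the end
        elif rulenum == "start":
            pos = 0
        elif isinstance(rulenum, int) and 1 <= rulenum <= count + 1:
            pos = rulenum - 1                # old rule at this number moves down by one
        else:
            # Assumption of this model; the page does not describe this case.
            raise ValueError("rulenum out of range: %r" % (rulenum,))
        self.rules.insert(pos, rule)

    def remove(self, rulenum):
        """Model of 'no in-path rule <rulenum>'."""
        del self.rules[rulenum - 1]

    def lookup(self, src, dst, port):
        """Return (rule number, action) of the first rule matching a connection."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for num, rule in enumerate(self.rules, start=1):
            if s in rule["src"] and d in rule["dst"] and rule["port"] in ("all", port):
                return num, rule["action"]
        return "def", "auto-discover"        # default behaviour named in the manual

    def shadowed(self):
        """Return [(later, earlier)] pairs where an earlier rule covers a later one."""
        found = []
        for j, later in enumerate(self.rules):
            for i, earlier in enumerate(self.rules[:j]):
                if (later["src"].subnet_of(earlier["src"])
                        and later["dst"].subnet_of(earlier["dst"])
                        and earlier["port"] in ("all", later["port"])):
                    found.append((j + 1, i + 1))
                    break
        return found


def demo():
    """Constructed scenario: a deny rule appended after a broad pass-through rule."""
    rules = InPathRuleList()
    rules.add("pass-through", srcaddr="10.0.0.0/8")
    rules.add("deny", srcaddr="10.0.0.1/32", dstaddr="10.0.0.2/32")
    before = rules.lookup("10.0.0.1", "10.0.0.2", 80)
    hidden = rules.shadowed()
    # Re-create the deny rule at the top of the list so that it is consulted first.
    rules.remove(2)
    rules.add("deny", srcaddr="10.0.0.1/32", dstaddr="10.0.0.2/32", rulenum="start")
    after = rules.lookup("10.0.0.1", "10.0.0.2", 80)
    return before, hidden, after, rules.shadowed()


if __name__ == "__main__":
    print(demo())
```

Running shadowed() on a model of the configured list before saving it shows which rules would never take effect at their current position.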
Enables in-path turbo support. Enabling turbo support accelerates HTTP connections.
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
ip in-path-gateway
Description
Syntax
Parameters
<interface>
<destination addr>
Usage
This command is used to set the default gateway for a particular bypass pair, for in-path
optimization configurations.
NOTE: in-pathX_X represents the bypass pair. Examples are in-path0_0, in-path1_0, and
in-path1_1. For the in-path interfaces, this command should be used to set the default gateway.
The no command option disables the default gateway.
Example
Product
Related Topics
show ip
ip in-path route
Description
Syntax
ip in-path route <interface> <network prefix> <network mask> <next hop IP address>
Parameters
<interface>
<network prefix>
<network mask>
Usage
In-path interfaces use routes from an in-path route table. To configure in-path routes, you set a
new in-path route that points to your WAN gateway. You must also copy any static routes that
you have added to the main table, if they apply to the in-path interface.
Example
Product
Related Topics
show ip
Out-of-Path Support
out-of-path enable
Description
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
show out-of-path
Peering Commands
Syntax
Parameters
<port>
Usage
Cascade configurations enable optimal multi-site deployments where connections between the
client and the server might pass through intermediate Steelhead appliances to reach their final
destination. For Steelhead appliances running v4.0, you can configure this to happen
automatically through automatic peering. For Steelhead appliances running versions prior to
v4.0, in-path peering rules are used at the intermediate Steelhead appliances.
With automatic peering, the Steelhead appliance bypasses any intermediary Steelhead appliances
and automatically finds the furthest appliance from the source. Automatic peering simplifies
configuration and makes deployments more scalable. Automatic peering is disabled by default in
v4.0.
NOTE: For Steelhead appliances running versions prior to v4.0, in-path peering rules are used at
the intermediate Steelhead appliances.
You can deploy a cascade on either the client side or on the server side.
Example: C-----SH1-----SH2-----SH3-----WAN-----SH4-----SH5-----SH6-----S
The appliances are configured to auto-discover available peers across the WAN.
The no command option disables automatic peering.
Example
Product
Steelhead appliance
Related Topics
show in-path, show in-path peering auto, show in-path peering rules
Syntax
[no] in-path peering rule {auto | pass | accept} peer <peerip> src <subnet> | dest <subnet> |
dest-port <port> rulenum <rulenum> description <desc>
Parameters
peer <peerip>
src <subnet>
dest <subnet>
dest-port <port>
Specifies the destination port for this rule. You can specify a port label, or
all for all ports.
rulenum <rulenum>
description <desc>
Usage
Serial clusters are supported only on Models 5000, 5010, 5520, and 6020.
You configure peering rules that define what to do when a Steelhead appliance receives an
auto-discovery probe from another Steelhead appliance. If you enable in-path peering auto, you
do not need to configure peering rules.
If automatic peering causes unexpected behavior in your network, you can set specific rules for
peering in a serial cluster.
Serial clustering can increase optimization capacity of your deployment.
You can provide increased optimization by deploying several Steelhead appliances back-to-back
in an in-path configuration to create a serial cluster.
Appliances in a cluster process the peering rules you specify in a spill-over fashion. When the
maximum number of TCP connections for a Steelhead appliance is reached, that appliance stops
intercepting new connections. This allows the next Steelhead appliance in the cluster the
opportunity to intercept the new connections, if it has not reached its maximum number of
connections. The in-path peering rules and in-path rules tell the Steelhead appliances in a cluster
not to intercept connections between themselves.
For detailed information about how to configure serial cluster deployments, see the Steelhead
Appliance Deployment Guide.
The no command option disables the peering rule.
Example
SH2 configuration:
SH2 > enable
SH2 # configure terminal
SH2 (config) # in-path peering rule pass peer 10.0.1.1 rulenum 1
SH2 (config) # in-path peering rule pass peer 10.0.1.3 rulenum 1
SH2 (config) # in-path rule pass-through srcaddr 10.0.1.1/32 rulenum 1
SH2 (config) # in-path rule pass-through srcaddr 10.0.1.3/32 rulenum 1
SH2 (config) # wr mem
SH2 (config) # show in-path peering rules
Rule  Type   Source Network     Dest Network       Port  Peer Addr
----- ------ ------------------ ------------------ ----- ---------------
1     pass   *                  *                  *     10.0.1.3
2     pass   *                  *                  *     10.0.1.1
def   auto   *                  *                  *     *
SH1 (config) # show in-path rules
Rule  Type Source Addr        Dest Addr          Port  Target Addr     Port
----- ---- ------------------ ------------------ ----- --------------- -----
1     pass 10.0.1.3/32        *                  *     --              --
2     pass 10.0.1.1/32        *                  *     --              --
def   auto *                  *                  *     --              --
SH3 configuration:
SH3 > enable
SH3 # configure terminal
SH3 (config) # in-path peering rule pass peer 10.0.1.1 rulenum 1
SH3 (config) # in-path peering rule pass peer 10.0.1.2 rulenum 1
SH3 (config) # in-path rule pass-through srcaddr 10.0.1.1/32 rulenum 1
SH3 (config) # in-path rule pass-through srcaddr 10.0.1.2/32 rulenum 1
SH3 (config) # wr mem
SH3 (config) # show in-path peering rules
Rule  Type   Source Network     Dest Network       Port  Peer Addr
----- ------ ------------------ ------------------ ----- ---------------
SH1 (config) # show in-path rules
Rule  Type Source Addr        Dest Addr          Port  Target Addr     Port
----- ---- ------------------ ------------------ ----- --------------- -----
1     pass 10.0.1.2/32        *                  *     --              --
2     pass 10.0.1.1/32        *                  *     --              --
def   auto *                  *                  *     --              --
Product
Steelhead appliance
Related Topics
Moves the order of the rule to the specified position in the rule list.
Syntax
Parameters
<rulenum>
Usage
Rules in the rule list are consulted from first to last. Use this command to reorder an in-path
peering rule in the rule list.
Example
Product
Steelhead appliance
Related Topics
peer
Description
Use only to harmonize connection protocol versions in deployments with a mix of version 1.2 and
version 2.x appliances.
Syntax
Parameters
<IP addr>
min <version>
max <version>
Usage
For each v1.2 Steelhead appliance peer, enter the following commands:
sh> peer <addr> version min 5
sh> peer <addr> version max 5
After all the v1.2 Steelhead appliances in the network have been upgraded to 2.x Steelhead
appliances, remove the version settings:
sh> no peer <addr> version min
sh> no peer <addr> version max
If you are unable to discover all v1.2 Steelhead appliances in the network, configure all v2.1
Steelhead appliances to use v5 protocol by default with all peers by specifying 0.0.0.0 as the peer
address:
sh> peer 0.0.0.0 version min 5
sh> peer 0.0.0.0 version max 5
NOTE: Version 5 does not support some optimization policy features. Ultimately, you need to
upgrade all appliances to v2.1 or later.
The no command option resets the protocol version to the default.
Example
Product
Steelhead appliance
Related Topics
Clears a single route from the asymmetric routing table. Requires the specification of an address
pair that exists in the table, for example 1.1.1.1-2.2.2.2.
Syntax
Parameters
None
Example
Product
Steelhead appliance
Related Topics
Clears a specified single route from the asymmetric routing table. To specify an address pair that
exists in the table, use the format X.X.X.X-X.X.X.X. For example 1.1.1.1-2.2.2.2.
Syntax
Parameters
<entry>
Usage
Requires the specification of an address pair that exists in the table, for example 1.1.1.1-2.2.2.2.
Example
Product
Steelhead appliance
Related Topics
Enables asymmetric route detection. Asymmetric route detection automatically detects and
reports asymmetric routing conditions and caches this information to avoid losing connectivity
between a client and a server.
Asymmetric routing occurs when a packet takes one path to the destination and another path
when returning to the source. Asymmetric routing is common within most networks; the larger
the network, the more likely there is asymmetric routing in the network.
Asymmetric route auto-detection enables Steelhead appliances to detect the presence of
asymmetry within the network. Asymmetry is detected by the client-side Steelhead appliances.
Once detected, the Steelhead appliance will pass asymmetric traffic through unoptimized,
allowing the TCP connections to continue to work. The first TCP connection for a pair of
addresses might be dropped because during the detection process, the Steelhead appliances have
no way of knowing that the connection is asymmetric.
Asymmetric routing is undesirable for many network devices, including firewalls, VPNs, and
Steelhead appliances. To function properly, these devices all rely on seeing every packet. When
Steelhead appliances are deployed in a network, all TCP traffic must flow through the same
Steelhead appliances in the forward and reverse directions.
Asymmetric route detection is enabled by default. If you disable asymmetric route detection,
asymmetrically routed TCP connections break. No logging, alarms, or emails are created when
this feature is disabled. Riverbed does not recommend disabling this feature.
Syntax
Parameters
caching
detection
Product
Steelhead appliance
Usage
If asymmetric routing is detected, an entry is placed in the asymmetric routing table and any
subsequent connections from that IP pair will be passed through. Further connections between
these hosts are not optimized until that particular asymmetric routing cache entry times out.
To display the asymmetric routing table, use the following CLI command:
show in-path asym-route-tab
Types of asymmetry:
Complete Asymmetry. Packets traverse both Steelhead appliances going from client to server
but bypass both Steelhead appliances on the return path.
Asymmetric routing table entry: bad RST
Log: Sep 5 11:16:38 gen-sh102 kernel: [intercept.WARN] asymmetric routing
between 10.11.111.19 and 10.11.25.23 detected (bad RST)
Server-Side Asymmetry. Packets traverse both Steelhead appliances going from client to server
but bypass the server-side Steelhead appliance on the return path.
Asymmetric routing table entry: bad SYN/ACK
Log: Sep 7 16:17:25 gen-sh102 kernel: [intercept.WARN] asymmetric routing
between 10.11.25.23:5001 and 10.11.111.19:33261 detected (bad SYN/ACK)
Client-Side Asymmetry. Packets traverse both Steelhead appliances going from client to server
but bypass the client-side Steelhead appliance on the return path.
Asymmetric routing table entry: no SYN/ACK
Log: Sep 7 16:41:45 gen-sh102 kernel: [intercept.WARN] asymmetric routing
between 10.11.111.19:33262 and 10.11.25.23:5001 detected (no SYN/ACK)
Multi-SYN Retransmit - Probe-Filtered. Occurs when the client-side Steelhead appliance sends
out multiple SYN+ frames and does not get a response.
Asymmetric routing table entry: probe-filtered(not-AR)
Log: Sep 13 20:59:16 gen-sh102 kernel: [intercept.WARN] it appears as though
probes from 10.11.111.19 to 10.11.25.23 are being filtered. Passing through
connections between these two hosts.
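The four log signatures listed above can be turned into a small triage script that maps each warning to its asymmetry type and groups the events by host pair, which is how the asymmetric routing table is keyed. This is an added example, not part of the Riverbed manual: the function names are hypothetical, the first four sample lines are the manual's own log excerpts joined onto one line each, and the last sample line is constructed.

```python
import re
from collections import defaultdict

# Reason string in the log message -> asymmetry type named in the manual.
REASON_TO_TYPE = {
    "bad RST": "Complete Asymmetry",
    "bad SYN/ACK": "Server-Side Asymmetry",
    "no SYN/ACK": "Client-Side Asymmetry",
}
PROBE_FILTERED_ENTRY = "probe-filtered(not-AR)"
PROBE_FILTERED_TYPE = "Multi-SYN Retransmit - Probe-Filtered"

# An endpoint is an IPv4 address with an optional :port suffix (the port is ignored).
_ENDPOINT = r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
_ASYM = re.compile(
    r"\[intercept\.WARN\] asymmetric routing between "
    + _ENDPOINT + r" and " + _ENDPOINT + r" detected \(([^)]+)\)"
)
_FILTERED = re.compile(
    r"\[intercept\.WARN\] it appears as though probes from "
    + _ENDPOINT + r" to " + _ENDPOINT + r" are being filtered"
)


def _pair(a, b):
    """Order the two addresses numerically so A-B and B-A give the same key."""
    return tuple(sorted((a, b), key=lambda ip: tuple(int(o) for o in ip.split("."))))


def classify(line):
    """Return {'pair', 'entry', 'type'} for an asymmetry warning, else None."""
    match = _ASYM.search(line)
    if match:
        a, b, reason = match.groups()
        return {
            "pair": _pair(a, b),
            "entry": reason,
            "type": REASON_TO_TYPE.get(reason, "unrecognised"),
        }
    match = _FILTERED.search(line)
    if match:
        a, b = match.groups()
        return {
            "pair": _pair(a, b),
            "entry": PROBE_FILTERED_ENTRY,
            "type": PROBE_FILTERED_TYPE,
        }
    return None


def summarise(lines):
    """Group the distinct table-entry reasons seen for each host pair."""
    table = defaultdict(list)
    for line in lines:
        event = classify(line)
        if event and event["entry"] not in table[event["pair"]]:
            table[event["pair"]].append(event["entry"])
    return dict(table)


SAMPLE_LOG = [
    "Sep 5 11:16:38 gen-sh102 kernel: [intercept.WARN] asymmetric routing "
    "between 10.11.111.19 and 10.11.25.23 detected (bad RST)",
    "Sep 7 16:17:25 gen-sh102 kernel: [intercept.WARN] asymmetric routing "
    "between 10.11.25.23:5001 and 10.11.111.19:33261 detected (bad SYN/ACK)",
    "Sep 7 16:41:45 gen-sh102 kernel: [intercept.WARN] asymmetric routing "
    "between 10.11.111.19:33262 and 10.11.25.23:5001 detected (no SYN/ACK)",
    "Sep 13 20:59:16 gen-sh102 kernel: [intercept.WARN] it appears as though "
    "probes from 10.11.111.19 to 10.11.25.23 are being filtered. Passing through "
    "connections between these two hosts.",
    # Constructed line that must be ignored by the classifier.
    "Sep 13 21:00:02 gen-sh102 cli[1234]: unrelated line, constructed for this example",
]

if __name__ == "__main__":
    for pair, entries in summarise(SAMPLE_LOG).items():
        print(pair, entries)
```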
You can use the following tools to detect and analyze asymmetric routes:
TCP Dump. Run the TCP dump tool on the client-side Steelhead appliance to verify the packet
sequence that is causing the asymmetric route detection. You can take traces on the LAN and
WAN ports of the Steelhead appliance and, based on the packet maps, look for the packet
sequence that is expected for the type of warning message in the log. For example, to obtain
information on all packets on the WAN interface, sourced from or destined to 10.0.0.1, and with
a source/destination TCP port of 80:
tcpdump -i wan0_0 host 10.0.0.1 port 80
To filter SYN, SYN/ACK, and reset packets, you can use the following command. This will not
show you ACK packets but it can be useful if the link is saturated with traffic and the traces are
filling quickly. The following command uses the -i parameter to specify the interface and the -w
parameter to write to a file:
tcpdump -i wan1_0 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0' -w lookingforasymwan
Trace Route. Run the trace route tool to discover what path a packet is taking from client to
server and from server to client. Access the client and run the traceroute command with the IP
address of the server, and then run the traceroute command from the server with the IP address
of the client. For example, for a Cisco router:
# Client's address: 10.1.0.2
# Server's address: 10.0.0.4
client# traceroute 10.0.0.4
Type escape sequence to abort.
Tracing the route to 10.0.0.4
1 10.1.0.1 4 msec 0 msec 4 msec
2 10.0.0.2 4 msec 4 msec 0 msec
3 10.0.0.3 4 msec 4 msec 0 msec
4 10.0.0.4 4 msec 4 msec 0 msec
server# traceroute 10.1.0.2
Type escape sequence to abort.
Tracing the route to 10.1.0.2
1 10.0.0.6 4 msec 0 msec 4 msec
2 10.0.0.5 4 msec 4 msec 0 msec
3 10.1.0.1 4 msec 4 msec 0 msec
4 10.1.0.2 4 msec 4 msec 0 msec
Product
Steelhead appliance
Related Topics
Enables and disables the pass-through feature for asymmetric routing. If disabled, asymmetrically
routed TCP connections are still detected and a warning message is logged, but the connection is
not passed-through and no alarm or email is sent. Use this command to ensure connections are
not passed-through the Steelhead appliances unoptimized but logging occurs when asymmetric
routes are detected.
Syntax
Parameters
None
Usage
If asymmetric routing is detected, the pair of IP addresses, defined by the client and server
addresses of the connection, is cached in the asymmetric routing cache on the Steelhead appliance.
Further connections between these hosts are not optimized until that particular asymmetric
routing cache entry times out.
The no command option disables asymmetric routing pass through.
Example
Product
Steelhead appliance
Related Topics
In PBR deployments with multiple in-path interfaces, enables CDP packets to be sent to the
other routers when one of the routers goes down.
Syntax
Parameters
None
Usage
With PBR, CDP is used by the Steelhead appliance to notify the router that the Steelhead
appliance is still alive and that the router can still redirect packets to it.
In some cases, you might want to disable this command so that if one router goes down, the
Steelhead appliance stops sending CDP packets to all the routers it is attached to and connections
are redirected and optimized by another Steelhead appliance.
This can be useful when the routers are configured to redirect to a Steelhead appliance when all
routers are up but to another Steelhead appliance when one router goes down.
For detailed information about how to configure a Steelhead appliance for PBR with CDP, see the
Steelhead Appliance Deployment Guide.
The no command option disables CDP.
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Usage
Enables CDP support in PBR deployments. Virtual in-path failover deployments require CDP on
the Steelhead appliance to bypass the Steelhead appliance that is down.
CDP is a proprietary protocol used by Cisco routers and switches to obtain neighbor IP addresses,
model, IOS version, and so forth. The protocol runs at the OSI layer 2 using the 802.3 Ethernet
frame.
For detailed information about how to configure a Steelhead appliance for PBR with CDP, see the
Steelhead Appliance Deployment Guide.
The no command option disables CDP.
Example
Product
Steelhead appliance
Related Topics
Configures the hold-time for CDP. The hold-time period allows for a quick recovery in failover
deployments with PBR and CDP.
Syntax
Parameters
<holdtime>
Usage
The no command option resets the CDP hold-time to the default (5).
Example
Product
Steelhead appliance
Related Topics
Configures the refresh period for CDP. The refresh period allows for a quick recovery in failover
deployments with PBR and CDP.
Syntax
Parameters
<interval>
Usage
The no command option resets the CDP refresh period to the default (1).
Example
Product
Steelhead appliance
Related Topics
Enables the Steelhead appliance to continue to optimize connections when one or more of the
configured neighbors is unreachable.
Syntax
Parameters
None
Usage
When you deploy the Steelhead appliance in an in-path deployment with connection forwarding,
you want the Steelhead appliance to stop intercepting traffic if it cannot contact its neighbor. In
deployments with multiple WCCP clusters or Interceptor appliance masters and backups, the
in-path neighbor allow failure command enables the appliance to continue to intercept
connections if one or more of the configured neighbors is unreachable.
The no command option disables this feature.
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Usage
If you have one path from the client to the server and a different path from the server to the client,
enable in-path connection forwarding so that the Steelhead appliances can communicate with
each other. These Steelhead appliances are called neighbors and exchange connection information
to redirect packets to each other.
When you define a neighbor, you must specify the Steelhead appliance in-path IP address, not the
primary IP address.
Neighbors can be placed in the same physical site or in different sites but the latency between
them must be small because the packets travelling between them are not optimized.
If there are more than two possible paths, additional Steelhead appliances must be installed on
each path and configured as neighbors. Neighbors are notified in parallel so that the delay
introduced at connection setup is equal to the time it takes to get an acknowledgement from the
furthest neighbor.
For detailed information about connection forwarding deployments and how to configure them,
see the Steelhead Appliance Deployment Guide.
The no command option disables connection forwarding support.
Example
Product
Steelhead appliance
Related Topics
Sets the IP address for the neighbor Steelhead appliance for connection forwarding.
Syntax
Parameters
<addr>
port <port>
Usage
If you have one path from the client to the server and a different path from the server to the client,
enable in-path connection forwarding and configure the Steelhead appliances to know about and
communicate with each other. These Steelhead appliances are called neighbors and exchange
connection information to redirect packets to each other. For example:
minna (config) # in-path neighbor enable
minna (config) # in-path neighbor ip-address 10.0.0.4
;; client-side appliance (Steelhead-1)
minna (config) # in-path neighbor ip-address 10.0.0.6
;; the server-side appliance (Steelhead-2)
When you define a neighbor, you must specify the Steelhead appliance in-path IP address, not the
primary IP address.
The no command option removes the IP address for the neighbor Steelhead appliance from the
connection forwarding list.
Example
Product
Steelhead appliance
Related Topics
Sets the keep-alive messages before terminating connections with the neighbor Steelhead
appliance for TCP connection forwarding.
Syntax
Parameters
<count>
Usage
Example
Product
Steelhead appliance
Related Topics
Sets the time interval between keep-alive messages with the neighbor Steelhead appliance for
connection forwarding.
Syntax
Parameters
<seconds>
Specifies the number of seconds between keep-alive messages. The default value
is 10.
Usage
Example
Product
Steelhead appliance
Related Topics
Specifies the interface on which the appliance communicates with a peer neighbor Steelhead
appliance.
Syntax
Parameters
interface <iface>
Usage
Example
Product
Related Topics
show in-path neighbor (Steelhead), show in-path neighbor peers, show interfaces
Syntax
Parameters
addr <peer IP address>
port
paused
Usage
Example
Product
Related Topics
show in-path neighbor (Steelhead), show in-path neighbor (Interceptor), show in-path
neighbor peers, show peers
Sets the neighbor port for the Steelhead appliance in connection forwarding deployments.
Syntax
Parameters
<port>
Specifies the neighbor Steelhead appliance port. The default value is 7850.
Usage
Example
Product
Steelhead appliance
Related Topics
show in-path neighbor (Steelhead), show in-path neighbor peers, show peers
Enables simplified routing. Simplified routing collects the IP address for the next hop MAC
address from each packet it receives to use in addressing traffic. Enabling simplified routing
eliminates the need to add static routes when the Steelhead appliance is in a different subnet from
the client and server.
Syntax
Parameters
all
Collects source and destination MAC data. Also collects data for connections that
are un-natted (connections that are not translated using NAT).
dest-only
dest-source
Collects destination and source MAC data. This option cannot be used in
connection forwarding.
none
Usage
Without simplified routing, if a Steelhead appliance is installed in a different subnet from the
client or server, you must define one router as the default gateway and static routes for the other
routers so that traffic is not redirected back through the Steelhead appliance. However, in some
cases, even with static routes defined, the ACL on the default gateway may still drop traffic that
should have gone through the other router. Enabling simplified routing eliminates this issue.
Simplified routing has the following constraints:
Broadcast support in PFS configurations cannot be enabled.
WCCP cannot be enabled.
The default route must exist on each Steelhead appliance in your network.
Simplified routing requires a client-side and server-side Steelhead appliance.
Optionally, you can also enable automatic peering. When you enable simplified routing,
Riverbed recommends that you also enable automatic peering because it gives the Steelhead
appliance more information to associate IP addresses and MAC addresses (and potentially
VLAN tags). For information, see in-path peering auto on page 199.
The no command option disables simplified routing.
Example
Product
Steelhead appliance
Related Topics
ip flow-export
Description
Configures NetFlow support. NetFlow enables you to collect traffic flow data and gather it on
NetFlow collectors. You can gather pre-optimization and post-optimization data on traffic flows
for custom reports.
Steelhead appliances support NetFlow v5 (the most common format).
Syntax
Parameters
destination <collector ip> <collector port>
export-port {aux | primary}
interface {primary | wan1_1 | lan1_1 | wan1_0 | lan1_0}
capture {all | optimized | optimized-lan | optimized-wan | passthrough}
Specifies whether the TCP IP addresses and ports reported for optimized
flows should contain the original client and server IP addresses and not
those of the Steelhead appliance: off displays the Steelhead appliance
information; on displays the LAN address information.
The default is to display the IP addresses of the original client and server
without the IP address of the Steelhead appliances.
fakeindex {off | on}
Specifies whether to use the LAN interface index for WAN traffic.
In virtual in-path deployments, traffic moves in and out of the same
WAN interface; the LAN interface is not used. As a result, when the
Steelhead appliance exports data to a NetFlow collector, all traffic has the
WAN interface index. Though it is technically correct for all traffic to
have the WAN interface index because the input and output interfaces
are the same, this makes it impossible for an administrator to use the
interface index to distinguish between LAN-to-WAN and WAN-to-LAN
traffic.
The default value is off. Specify on to use the LAN interface index for
WAN traffic, which inserts the correct interface index before exporting
data to a NetFlow collector. This feature works only for optimized traffic,
not unoptimized or passed through traffic.
Usage
Before you enable NetFlow support in your network, you should consider the following:
Generating NetFlow data can utilize large amounts of bandwidth, especially on low
bandwidth links, thereby impacting Steelhead appliance performance.
You can reduce the amount of data exported by NetFlow if you export only optimized traffic.
NetFlow only tracks incoming packets (ingress).
To troubleshoot your NetFlow settings:
Make sure the port configuration on the Steelhead appliance and the listening port of the
collector match.
Ensure that you can reach the collectors from the Steelhead appliance (for example, ping
X.X.X.X where X.X.X.X is the NetFlow collector).
Verify that your capture settings are on the correct interface and that traffic is flowing through
it:
minna (config) # ip flow-export enable
minna (config) # ip flow-export wan0_0 destination 10.2.2.2 2055 export-port
primary capture optimized lan-addrs on
minna (config) # show ip flow-export
For WCCP or PBR virtual in-path deployments, because the traffic is arriving and leaving from
the same WAN interface, when the Steelhead appliance exports data to a NetFlow collector, all
traffic has the WAN interface index. This is the correct behavior because the input interface is the
same as the output interface.
To distinguish between LAN-to-WAN and WAN-to-LAN traffic in virtual in-path deployments,
use the fakeindex parameter.
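A collector-side illustration of the interface-index behaviour described above, added here and not part of the Riverbed manual: it parses NetFlow v5 export datagrams and flags flows whose input and output interface indexes are identical, the case the fakeindex parameter addresses. The ifIndex values, addresses and datagrams are constructed for the example.

```python
"""Collector-side check of NetFlow v5 interface indexes (added example)."""
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record

# Assumed ifIndex values for this illustration; use the values the
# exporting appliance actually reports.
LAN_IFINDEX = 1
WAN_IFINDEX = 2


def parse_v5(datagram):
    """Return the flow records of one NetFlow v5 datagram as dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the NetFlow v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if not 1 <= count <= 30:  # a v5 datagram carries 1 to 30 records
        raise ValueError("implausible record count %d" % count)
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("length does not match the header's record count")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "input_if": f[3], "output_if": f[4],
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows


def direction(flow, lan=LAN_IFINDEX, wan=WAN_IFINDEX):
    """Classify a flow by its interface indexes."""
    pair = (flow["input_if"], flow["output_if"])
    if pair[0] == pair[1]:
        # Same interface in and out: the index cannot tell the two
        # directions apart (virtual in-path export without fakeindex).
        return "ambiguous"
    if pair == (lan, wan):
        return "lan-to-wan"
    if pair == (wan, lan):
        return "wan-to-lan"
    return "unknown"


def summarize(datagram):
    """Count the flows of one datagram per direction label."""
    counts = {}
    for flow in parse_v5(datagram):
        label = direction(flow)
        counts[label] = counts.get(label, 0) + 1
    return counts


def build_v5(records):
    """Build a constructed datagram from (src, dst, in_if, out_if, sport, dport)."""
    out = HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    for src, dst, in_if, out_if, sport, dport in records:
        out += RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst),
            socket.inet_aton("0.0.0.0"), in_if, out_if,
            10, 1400, 0, 0, sport, dport,
            0, 0x18, 6, 0,        # pad, TCP flags, protocol 6 (TCP), ToS
            0, 0, 0, 0, 0)        # AS numbers, masks, pad
    return out


# Constructed sample: both directions of one connection exported with the
# WAN index on input and output, as in a virtual in-path deployment.
VIRTUAL_INPATH = build_v5([
    ("10.1.0.20", "10.2.0.30", WAN_IFINDEX, WAN_IFINDEX, 49152, 445),
    ("10.2.0.30", "10.1.0.20", WAN_IFINDEX, WAN_IFINDEX, 445, 49152),
])

# Constructed sample: the same flows with distinct input/output indexes.
DISTINCT_INDEXES = build_v5([
    ("10.1.0.20", "10.2.0.30", LAN_IFINDEX, WAN_IFINDEX, 49152, 445),
    ("10.2.0.30", "10.1.0.20", WAN_IFINDEX, LAN_IFINDEX, 445, 49152),
])

if __name__ == "__main__":
    print("same index in/out:", summarize(VIRTUAL_INPATH))
    print("distinct indexes: ", summarize(DISTINCT_INDEXES))
```

A high share of "ambiguous" flows from one exporter is the signal to review that exporter's fakeindex setting before relying on direction-based reports.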
Example
Product
Steelhead appliance
Related Topics
show job
ip flow-export enable
Description
Enables NetFlow support. NetFlow enables you to collect traffic flow data and gather it on
NetFlow collectors. You can gather pre-optimization and post-optimization data on traffic flows
for custom reports.
NetFlow enables you to export network statistics that provide information about network data
flows such as peak usage times, traffic accounting, security, and traffic routing. NetFlow records
information for each incoming packet on the specified network interface (the ingress interface).
This data is sent to a NetFlow collector and analyzed by a NetFlow analyzer.
Steelhead appliances support NetFlow v5 (the most common format).
Syntax
Parameters
None
Usage
Before you enable NetFlow support in your network, you should consider the following:
Generating NetFlow data can utilize large amounts of bandwidth, especially on low bandwidth
links, thereby impacting Steelhead appliance performance.
You can reduce the amount of data exported by NetFlow by exporting only optimized traffic.
NetFlow only tracks incoming packets (ingress).
To troubleshoot your NetFlow settings:
Make sure the port configuration matches on the Steelhead appliance and the listening port of
the collector.
Ensure that you can reach the collectors from the Steelhead appliance (for example, ping
X.X.X.X where X.X.X.X is the NetFlow collector).
Verify that your capture settings are on the correct interface and that traffic is flowing through
it:
minna (config) # ip flow-export enable
minna (config) # ip flow-export wan0_0 destination 10.2.2.2 2055 export-port
primary capture optimized lan-addrs on
minna (config) # show ip flow-export
For virtual in-path deployments (WCCP or PBR), because the traffic is arriving and leaving from
the same WAN interface, when the Steelhead appliance exports data to a NetFlow collector, all
traffic has the WAN interface index. This is the correct behavior because the input interface is the
same as the output interface.
To distinguish between LAN-to-WAN and WAN-to-LAN traffic in virtual in-path deployments,
see the fakeindex parameter in ip flow-export on page 217 or the Steelhead Appliance Deployment
Guide.
The no command option disables NetFlow support.
Example
Product
Steelhead appliance
Related Topics
show ip
IPSec Commands
Syntax
Parameters
<policy>
<policy>
Usage
You must specify at least one algorithm. The algorithm is used to guarantee the authenticity of
each packet.
Example
Product
Steelhead appliance
Related Topics
show ip
ip security enable
Description
Syntax
Parameters
None
Usage
Enabling IPSec support makes it difficult for a third party to view your data or pose as a machine
you expect to receive data from. You must also specify a shared secret to enable IPSec support. To
create a shared secret, see ip security shared secret.
To enable IPSec authentication, you must have at least one encryption and authentication
algorithm specified.
You must set IPSec support on each Steelhead appliance with which you want to establish a secure
connection.
If you NAT traffic between Steelhead appliances, you cannot use the IPSec channel between the
appliances because the NAT changes the packet headers, causing IPSec to reject them.
The no command option disables encryption and authentication support.
FIPS Mode
For FIPS compliance, you must disable IPSec security. IPSec security is disabled by default. If you
have been running the Steelhead appliance in non-FIPS mode, you must run the no ip security enable
command to disable IPSec security. For detailed information about FIPS compliance commands,
see FIPS/CC Compliance Commands on page 318. For detailed information about configuring
FIPS-mode, see the FIPS/CC Administrators Guide.
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<algorithm>
<algorithm>
Usage
You must specify at least one algorithm. The algorithm is used to encrypt each packet sent using
IPSec.
Example
Product
Steelhead appliance
Related Topics
show ip
ip security peer ip
Description
Sets the peer Steelhead appliance for which you want to make a secure connection.
Syntax
Parameters
<addr>
Usage
If IPSec is enabled on this Steelhead appliance, then it must also be enabled on all Steelhead
appliances in the IP security peers list; otherwise this Steelhead appliance will not be able to make
optimized connections with those peers that are not running IPSec.
If a connection has not been established between the Steelhead appliances that are configured to
use IPSec security, the Peers list does not display the peer Steelhead appliance because a security
association has not been established.
NOTE: When you add a peer, there is a short service disruption (3-4 seconds) causing the state
and time-stamp to change in the Current Connections report.
The no command option disables the peer.
Example
Product
Steelhead appliance
Related Topics
show ip
Enables Perfect Forward Secrecy. Perfect Forward Secrecy provides additional security by
renegotiating keys at specified intervals. With Perfect Forward Secrecy, if one key is compromised,
previous and subsequent keys are secure because they are not derived from previous keys.
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
show ip
Sets the time between quick-mode renegotiation of keys by IKE. IKE is a method for establishing an
SA that authenticates users, negotiates the encryption method, and exchanges a secret key. IKE
uses public key cryptography to provide the secure transmission of a secret key to a recipient so
that the encrypted data can be decrypted at the other end.
Syntax
Parameters
<minutes>
Usage
Example
Product
Steelhead appliance
Related Topics
show ip
Sets the shared secret used to negotiate and renegotiate secret keys.
Syntax
Parameters
<secret>
Usage
All Steelhead appliances that need to communicate with each other using IPSec must have the same
key. The ip security shared secret option must be set before IPSec is enabled.
Example
Product
Steelhead appliance
Related Topics
show ip
pfs domain
Description
Syntax
[no] pfs domain {join | rejoin | leave} domain-name <domain name> login <login> password
<password> [dc-name <domain controller>] [dc-list <list>] [short-name <name>] [check]
[require]
Parameters
join | rejoin | leave
domain-name <domain name>
Specifies the domain name (in Windows 2000 or above) to join, rejoin, or
leave. The Steelhead appliance host name must be in the DNS database.
The host name must not exceed 15 characters.
login <login>
password <password>
short-name <name>
check
require
Usage
In domain mode, you configure the PFS Steelhead appliance to join a Windows domain (typically,
your company's domain). When you configure the Steelhead appliance to join a Windows
domain, you do not have to manage local accounts in the branch office, as you do in Local
Workgroup mode.
Domain mode allows a DC to authenticate users accessing its file shares. The DC can be located at
the remote site or over the WAN at the main data center. The Steelhead appliance must be
configured as a Member Server in the Windows 2000, or later, ADS domain. Domain users are
allowed to access the PFS shares based on the access permission settings provided for each user.
Data volumes at the data center are configured explicitly on the proxy file server and are served
locally by the Steelhead appliance. As part of the configuration, the data volume and ACLs from
the origin server are copied to the Steelhead appliance. PFS allocates a portion of the Steelhead
appliance data store for users to access as a network file system.
Before you enable Domain mode in PFS make sure you:
configure the Steelhead appliance to use NTP to synchronize the time.
configure the DNS server correctly. The configured DNS server must be the same DNS server to
which all the Windows client machines point.
have a fully-qualified domain name for which PFS will be configured. This domain name must
be the domain name for which all the Windows desktop machines are configured.
set the owner of all files and folders in all remote paths to a domain account and not a local
account.
IMPORTANT: PFS only supports domain accounts on the origin file server; PFS does not support
local accounts on the origin file server. During an initial copy from the origin file server to the PFS
Steelhead appliance, if PFS encounters a file or folder with permissions for both domain and local
accounts, only the domain account permissions are preserved on the Steelhead appliance.
For detailed information about how ACLs are propagated from the origin server to a PFS share,
refer to the Riverbed Technical Support site at https://support.riverbed.com.
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.
For detailed information about PFS, see the Steelhead Appliance Deployment Guide.
Example
minna (config) # pfs domain join realm login mylogin password mypassword
minna (config) #
Product
Steelhead appliance.
Related Topics
show pfs configuration, show pfs status, show pfs all-info shares
pfs enable
Description
Enables PFS support. PFS is an integrated virtual file server that allows you to store copies of files
on the Steelhead appliance with Windows file access, creating several options for transmitting
data between remote offices and centralized locations with improved performance. Data is
configured into file shares and the shares are periodically synchronized transparently in the
background, over the optimized connection of the Steelhead appliance. PFS leverages the
integrated disk capacity of the Steelhead appliance to store file-based data in a format that allows
it to be retrieved by NAS clients.
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.
For detailed information about PFS, see the Steelhead Appliance Deployment Guide.
Syntax
Parameters
None
Usage
In RiOS v3.x or higher, you do not need to install the RCU service on the server to synchronize
shares. RCU functionality has been moved to the Steelhead appliance. When you upgrade from
v2.x to v3.x, your existing shares will be running as v2.x shares.
PFS is not appropriate for all network environments. For example, in a collaborative work
environment when there are many users reading, writing, and updating a common set of files and
records, you should consider not enabling PFS. For detailed information about whether PFS is
appropriate for your network environment, see the Steelhead Appliance Deployment Guide.
Before you enable PFS, configure the Steelhead appliance to use NTP to synchronize the time.
To use PFS, the Steelhead appliance and DC clocks must be synchronized.
The PFS Steelhead appliance must run the same version of the Steelhead appliance software as
the server side Steelhead appliance.
PFS traffic to and from the Steelhead appliance travels through the Primary interface. PFS
requires that the Primary interface is connected to the same switch as the LAN interface. For
detailed information, see the Steelhead Appliance Installation and Configuration Guide.
The PFS share and origin-server share names cannot contain Unicode characters.
NOTE: Using PFS can reduce the overall connection capacity for optimized TCP connections, as
memory and CPU resources are diverted to support the PFS operation.
The no command option disables PFS support.
Example
Product
Steelhead appliance.
Related Topics
show pfs configuration, show pfs status, show pfs all-info shares
pfs settings
Description
Syntax
Parameters
admin-password <password>
log-level <0-10>
conn-timeout <minutes>
max-log-size <size>
server signing {enabled | disabled | required}
Usage
Example
Product
Steelhead appliance.
Related Topics
show pfs configuration, show pfs status, show pfs all-info shares
Syntax
Parameters
local-name <name>
Usage
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.
Example
Product
Steelhead appliance.
Related Topics
show pfs configuration, show pfs status, show pfs all-info shares
Specifies the local share name. A local share is the data volume exported from the
origin server to the Steelhead appliance.
Syntax
[no] pfs share configure local-name <local name> version 3 mode {broadcast | local |
standalone} remote-path <remote path> server-name <name> server-account <login> server-password <password> interval <seconds> [full-interval <seconds>] [comment <description>]
[start-time <yyyy/mm/dd hh:mm:ss>] [full-start-time <yyyy/mm/dd hh:mm:ss>]
Parameters
local-name <local name>
Specifies the local share name. A local share is the data volume exported
from the origin server to the Steelhead appliance.
The local share name cannot contain Unicode characters.
mode [broadcast | local | standalone]
remote-path <remote path>
Specify, using UNC format, the path to the data on the origin server that you
want to make available to PFS.
server-account <login>
Specify the login and password to be used to access the shares folder on the
origin file server. The login must be a member of the Administrators group
on the origin server, either locally on the file server (the local Administrators
group) or globally in the domain (the Domain Administrator group).
server-password <password>
Usage
interval <seconds>
Specify the interval at which you want incremental synchronization to occur. The
first synchronization, or the initial copy, retrieves data from the origin file server
and copies it to the local disk on the Steelhead appliance. Subsequent
synchronizations are based on the synchronization interval. In incremental
synchronization, only new and changed data are sent between the proxy file
server and the origin file server.
full-interval <seconds>
start-time <yyyy/mm/dd hh:mm:ss>
full-start-time <yyyy/mm/dd hh:mm:ss>
[comment <description>]
For v3.x (or higher) PFS shares, you do not need to install the RCU service on a Windows server.
Make sure the server-account you specify is a member of the Administrators group on the origin
server, either locally on the file server (the local Administrators group) or globally in the domain
(the Domain Administrator group).
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.
Example
minna (config) # pfs share configure local-name test version 2 mode local
remote-path c:/data server-name test port 81 interval 5 full-interval 5
start-interval 2006/06/06 02:02:02 comment test
minna (config) #
Product
Steelhead appliance.
Related Topics
show pfs configuration, show pfs status, show pfs all-info shares
Syntax
[no] pfs share configure local-name <local name> version 2 mode {broadcast | local |
standalone} server-name <name> port <port> remote-path <remote path> interval <seconds>
[full-interval <seconds>] [comment <description>] [start-time <yyyy/mm/dd hh:mm:ss>] [full-start-time <yyyy/mm/dd hh:mm:ss>]
Parameters
local-name <local name>
Specifies the local share name. A local share is the data volume exported
from the origin server to the Steelhead appliance.
The local share name cannot contain Unicode characters.
mode [broadcast | local | standalone]
Specifies the mode of file sharing. For details, see pfs share configure on
page 230.
server-name <name> port <port>
Specify the origin server and port located in the data center which hosts the
origin data volumes (folders).
remote-path <remote path>
Specify the remote path for the share folder on the origin file server.
interval <seconds>
Specify the interval at which you want incremental synchronization to occur. The
first synchronization, or the initial copy, retrieves data from the origin file server
and copies it to the local disk on the Steelhead appliance. Subsequent
synchronizations are based on the synchronization interval. In incremental
synchronization, only new and changed data are sent between the proxy file
server and the origin file server.
full-interval <seconds>
start-time <yyyy/mm/dd hh:mm:ss>
full-start-time <yyyy/mm/dd hh:mm:ss>
[comment <description>]
For v2.x, you must have the RCU service running on a Windows server (this
can be the origin file server or a separate server). If the origin server is not
the RCU server, you specify the remote path using the UNC format for the
mapped drive. If the origin server is the same as the RCU server then you
must type its full path including the drive letter, for example C:\data.
Usage
Riverbed strongly recommends that you upgrade your shares to v3.x shares. If you upgrade any
v2.x shares, you must upgrade all of them. After you have upgraded shares to v3.x, you should
only create v3.x shares.
By default, when you configure PFS shares with Steelhead appliance software v3.x and higher,
you create v3.x PFS shares. PFS shares configured with Steelhead appliance software v2.x are v2.x
shares. Version 2.x shares are not upgraded when you upgrade Steelhead appliance software.
If you do not upgrade your v2.x shares:
You should not create v3.x shares.
You must install and start the RCU on the origin server or on a separate Windows host with
write-access to the data PFS uses. The account that starts the RCU must have write permissions
to the folder on the origin file server that contains the data PFS uses. You can download the
RCU from the Riverbed Technical Support site at https://support.riverbed.com. For detailed
information, see the Riverbed Copy Utility Reference Manual.
Make sure the account that starts the RCU has permissions to the folder on the origin file server
and is a member of the Administrators group on the remote share server, either locally on the
file server (the local Administrators group) or globally in the domain (the Domain
Administrator group).
In Steelhead appliance software version 3.x and higher, you do not need to install the RCU
service on the server for synchronization purposes. All RCU functionality has been moved to
the Steelhead appliance.
You must configure domain, not workgroup, settings, using the pfs domain command.
Domain mode supports v2.x PFS shares but local workgroup mode is supported only in v3.x
(or higher).
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.
Example
minna (config) # pfs share configure local-name test version 2 mode local
remote-path c:/data server-name test port 81 interval 5 full-interval 5
start-interval 2006/06/06 02:02:02 comment test
minna (config) #
Product
Steelhead appliance.
Related Topics
show pfs configuration, show pfs status, show pfs all-info shares
Syntax
Parameters
Usage
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.
Example
Product
Steelhead appliance.
Related Topics
show pfs configuration, show pfs status, show pfs all-info shares
Specifies the local share name. A local share is the data volume
exported from the origin server to the Steelhead appliance.
Syntax
[no] pfs share modify local-name <local name> [acl-group-ctrl {true | false}] [acl-inherit {true |
false}] [syncing {true | false}] [port <port>] [sharing {true | false}] [mode broadcast | local |
standalone <cr>] [remote-path <remote path>] [server-name <name>] [server-account <login>]
[server-password <password>] [port <port>] [interval <seconds>] [full-interval <seconds>]
[full-start-time <yyyy/mm/dd hh:mm:ss>] [start-time <yyyy/mm/dd hh:mm:ss>] [comment
<description>]
Parameters
local-name <local name>
Specifies the local share name. A local share is the data volume exported
from the origin server to the Steelhead appliance.
The local share name cannot contain Unicode characters.
acl-group-ctrl {true | false}
Specify true if you want accounts in the primary owners group to be able to
assign permissions.
Specify false if you want only the primary owner or local administrator to
be able to assign permissions.
The default value is false.
acl-inherit {true | false}
Specify true if you want shared folders to inherit permissions from parents.
Specify false if you do not want to retain inherited permissions.
The default value is false.
syncing {true | false}
sharing {true | false}
port <port>
mode <mode>
Specifies the mode of file sharing. For details, see pfs share configure on
page 230.
remote-path <remote path>
For version 3.x (or higher) shares, specify the remote path using UNC
format to specify the server name and remote path.
For version 2.x shares, specify the remote path for the share folder on the
origin file server.
For version 2.x shares, you must have the RCU service running on a
Windows server (this can be the origin file server or a separate server). If the
origin server is not the RCU server, you specify the remote path using the
UNC format for the mapped drive. If the origin server is the same as the
RCU server then you must type its full path including the drive letter, for
example C:\data.
server-name <name> port <port>
Version 2.x shares only. Specify the origin server and port located in the data
center which hosts the origin data volumes (folders).
server-account <login>
Version 3.x or higher shares only. Specify the login to be used to access the
shares folder on the origin file server. The login must be a member of the
Administrators group on the origin server, either locally on the file server
(the local Administrators group) or globally in the domain (the Domain
Administrator group).
server-password <password>
interval <seconds>
full-interval <seconds>
Usage
start-time <yyyy/mm/dd hh:mm:ss>
full-start-time <yyyy/mm/dd hh:mm:ss>
[comment <description>]
Example
minna (config) # pfs share modify local-name test remote-path /tmp server-name
mytest mode broadcast frequency 10
minna (config) #
Product
Steelhead appliance.
Related Topics
show pfs configuration, show pfs status, show pfs all-info shares
Syntax
pfs share upgrade local-name <local name> remote-path <remote path> server-account <login>
server-password <server password>
Parameters
local-name <local name>
Specifies the local share name. A local share is the data volume exported from
the origin server to the Steelhead appliance.
remote-path <remote path>
server-account <server login>
server-account <server login>
Usage
Riverbed strongly recommends that you upgrade your shares to v3.x shares. If you upgrade any
v2.x shares, you must upgrade all of them. After you have upgraded shares to v3.x, you should
only create v3.x shares.
By default, when you configure PFS shares with Steelhead appliance software v3.x and higher,
you create v3.x PFS shares. PFS shares configured with Steelhead appliance software v2.x are v2.x
shares. Version 2.x shares are not upgraded when you upgrade Steelhead appliance software.
If you do not upgrade your v2.x shares:
You should not create v3.x shares.
You must install and start the RCU on the origin server or on a separate Windows host with
write-access to the data PFS uses. The account that starts the RCU must have write permissions
to the folder on the origin file server that contains the data PFS uses. You can download the
RCU from the Riverbed Technical Support site at https://support.riverbed.com. For detailed
information, see the Riverbed Copy Utility Reference Manual.
Make sure the account that starts the RCU has permissions to the folder on the origin file server
and is a member of the Administrators group on the remote share server, either locally on the
file server (the local Administrators group) or globally in the domain (the Domain
Administrator group).
In Steelhead appliance software version 3.x and higher, you do not need to install the RCU
service on the server for synchronization purposes. All RCU functionality has been moved to
the Steelhead appliance.
You must configure domain, not workgroup, settings, using the pfs domain command.
Domain mode supports v2.x PFS shares but local workgroup mode is supported only in v3.x
(or higher).
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.
Example
Product
Steelhead appliance.
Related Topics
show pfs configuration, show pfs status, show pfs all-info shares
Syntax
Parameters
local-name <local name>
Usage
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.
Example
Product
Steelhead appliance.
Related Topics
show pfs configuration, show pfs status, show pfs all-info shares
Specifies the local share name. A local share is the data volume exported from
the origin server to the Steelhead appliance.
pfs start
Description
Syntax
pfs start
Parameters
None
Usage
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.
Example
Product
Steelhead appliance.
Related Topics
show pfs configuration, show pfs status, show pfs all-info shares
pfs workgroup
Description
Configures local workgroup mode for the PFS share. In local workgroup mode, you define a
workgroup and add individual users that will have access to the PFS shares on the Steelhead
appliance.
If you configure PFS local workgroup mode, the Steelhead appliance does not have to join a
domain. The local workgroup accounts are used by clients when they connect to the PFS share.
Syntax
pfs workgroup {account {add | modify | remove} user-name <name> password <password>}
{join <workgroup>} {leave}
Parameters
account {add | modify | remove} user-name <name> password <password>
Manage a user account for the workgroup. Specify the login and password
to create a local workgroup account so that users can connect to the
Steelhead appliance to access PFS shares.
join <workgroup>
leave
Usage
Use local workgroup mode in environments where you do not want the Steelhead appliance to be
a part of a Windows domain. Creating a workgroup eliminates the need to join a Windows
domain and vastly simplifies the PFS configuration process.
If you use Local Workgroup mode you must manage the accounts and permissions for the branch
office on the Steelhead appliance. The local workgroup account permissions might not match the
permissions on the origin file server.
For detailed information about PFS, see the Steelhead Appliance Deployment Guide.
PFS is supported only on models 520, 1010, 1020, 1520, 2020, 3010, 3020, 3520, and 5010.
Example
Product
Steelhead appliance.
Related Topics
show pfs configuration, show pfs status, show pfs all-info shares
prepop enable
Description
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
show prepop
prepop share
Description
Syntax
Parameters
cancel-event remote-path <remote-path>
configure remote-path <path> server-account <login> <password>
Specifies the remote path of the share, as well as the login and
password if required for secure access.
manual-sync remote-path <remote-path>
modify remote-path <name> <option> <value>
Sets or modifies options for the share <name>. You can set the
following options:
Option
Value
comment
frequency
server-account
serverpassword
sharing
start-time
Usage
Example
Product
Steelhead appliance
Related Topics
show prepop
Syntax
Parameters
None
Usage
Enable this feature if you are experiencing degraded optimization in Word or Excel applications.
MS Office often opens the same file multiple times with conflicting access permissions. This
causes any oplock on the file to be lost, which degrades optimization. Although the oplock is lost,
these MS Office applications only allow one user to edit the file at a time. While no oplock is held,
the applications follow the behavior where an oplock would be granted.
NOTE: Some versions of Word experience poor performance during antivirus scans while in read
only mode.
The no command option disables CIFS application lock.
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<extension>
Usage
You will experience major performance improvements in Word and Excel 2007 while these
applications have read and write access. Performance gains are seen if a second user accesses a file
or if the user is the second user accessing the file. In addition, antivirus applications run faster so
long as only one person is editing the file.
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Usage
In v3.x or higher, the CIFS dynamic throttling mechanism replaces the Version 2 static buffer
scheme. If you enable CIFS dynamic throttling, it is activated only when there are sub-optimal
conditions on the server side causing a back-log of write messages; it does not have a negative
effect under normal network conditions.
The no command option disables the dynamic throttling mechanism.
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
[no] protocol cifs nosupport {client | server [add | remove] <os name>}
Parameters
client | server
add | remove
<os name>
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
[no] protocol cifs oopen extension [add <ext> | modify <ext> setting <policy> | delete <ext>] |
policy <default policy>
Parameters
Usage
Enable overlapping open optimization to prevent any compromise to data integrity. With
overlapping opens enabled, the Steelhead appliance optimizes data to which exclusive access is
available (in other words, when locks are granted). When an oplock is not available, the Steelhead
appliance does not perform application-level latency optimization but still performs SDR and
compression on the data, as well as TCP optimizations. If you do not enable this feature, the
Steelhead appliance will still increase WAN performance, but not as effectively.
Enabling this feature on applications that perform multiple opens on the same file to complete an
operation (for example, CAD applications) will result in a performance improvement.
You specify a list of extensions you want to optimize using overlapping opens. You can also use
this command to specify a list of extensions you do not want to optimize using overlapping opens.
If a remote user opens a file which is optimized using the overlapping opens feature and a second
user opens the same file, the second user might receive an error if the file fails to go through a v3.x
Steelhead appliance or if it does not go through a Steelhead appliance at all (for example, certain
applications that are sent over the LAN). If this occurs, you should disable overlapping opens for
those applications.
The no command option disables CIFS opens.
Example
minna (config) # protocol cifs oopen extension modify pdf setting <policy>
minna (config) #
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
Disables Security Signature negotiations between a Windows client and the server.
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
Enables SMBv1 backward compatibility mode, which allows a Steelhead appliance to perform
CIFS latency optimization and SDR on SMB traffic in Windows Vista environments.
Syntax
Parameters
None
Usage
Steelhead appliances are fully compatible with SMB versions 1 and 2 (version 2 is included in
Windows Vista) but deliver the best performance with SMB version 1. If you are running
Steelhead appliance software v4.1 or greater in a Windows Vista environment, enable SMBv1
backward compatibility to improve SMB traffic performance for Windows Vista users. This
feature allows the Steelhead appliance to perform CIFS latency optimization and SDR on SMB
traffic.
You must restart the Steelhead service after enabling this feature.
To enable SDR and CIFS latency optimization on SMB traffic in a Windows Vista environment,
perform the following steps on the client-side Steelhead appliance:
1. Run the following command:
protocol cifs smbv1-mode enable
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<bytes>
Usage
To support High-Speed TCP (HS-TCP), you must increase your LAN buffer size to 1 MB.
Specifies the LAN receive buffer size. The default value is 32768.
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<bytes>
Usage
To support HS-TCP, you must increase your LAN buffer size to 1 MB.
Specifies the LAN send buffer size. The default value is 81920.
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<bytes>
Usage
To configure your WAN buffer you must increase the WAN buffers to 2 BDP or 10 MB. You can
calculate the BDP WAN buffer size. For a link of 155 Mbps and 100 ms round-trip delay, the WAN
buffers should be set to 2 * 155 Mbps * 100 ms = 1937500 bytes.
Specifies the WAN receive buffer size. The default value is 262140.
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<bytes>
Usage
To configure your WAN buffer you must increase the WAN buffers to 2 BDP or 10 MB. You can
calculate the BDP WAN buffer size. For a link of 155 Mbps and 100 ms round-trip delay, the WAN
buffers should be set to 2 * 155 Mbps * 100 ms = 1937500 bytes.
Specifies the WAN send buffer size. The default value is 262140.
Product
Steelhead appliance
Related Topics
Enables the HS-TCP feature, which provides acceleration and high throughput for high
bandwidth networks where the WAN pipe is large but latency is high.
Syntax
Parameters
None
Usage
HS-TCP is activated for all connections that have a BDP larger than 100 packets. If you have a BDP
of greater than 512 KB, and you are more interested in filling the WAN pipe than saving
bandwidth, you should consider enabling HS-TCP.
You need to carefully evaluate whether HS-TCP will benefit your network environment. To enable
HS-TCP, you must disable LZ compression and SDR.
If you have an Optical Carrier-3 line or faster, turning off SDR makes sense and allows HS-TCP to
reach its full potential.
To configure HS-TCP:
enable HS-TCP.
disable LZ compression and SDR in the optimization policies if your WAN link capacity is 100
Mbps.
enable in-path support.
increase the WAN buffers to 2 BDP or 10 MB. You can calculate the BDP WAN buffer size. For a
link of 155 Mbps and 100 ms round-trip delay, the WAN buffers should be set to: 2 * 155 Mbps
* 100 ms = 3875000 bytes
Product
Steelhead appliance
Related Topics
Enables JInitiator optimization. JInitiator is a browser plugin that accesses Oracle forms and
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
show protocol jinitiator, in-path rule auto-discover, in-path rule fixed-target
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
Enables Exchange MAPI 2003 acceleration, which allows increased optimization of traffic
between Exchange 2003 and Outlook 2003.
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
Enables optimization to occur if you have Outlook 2007 and Exchange Server 2003 or Exchange
Server 2007.
Syntax
Parameters
None
Usage
If you have Outlook 2007, regardless of the Exchange Server version (Exchange Server 2003 or
Exchange Server 2007), communication is encrypted by default. To enable optimization to take
place, you must perform the following steps:
1. Make sure you are running v3.0.8 or higher of the Steelhead software. If you are not, you must
upgrade your software. For details, see the Steelhead Management Console Users Guide.
2. Disable encryption on the Exchange (Outlook) 2007 clients. For information, refer to your
Microsoft documentation.
3. At the Steelhead appliance CLI system prompt, enter the following command:
protocol mapi 2k7 fallback enable
The no command option disables fallback. Optimization does not occur if you specify the no
command option.
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<port>
Usage
In certain situations (for example, clients connecting through a firewall), you might want to force
a server to listen on a single pre-defined port so that access to ports can be controlled or locked
down on the firewall.
Specifies the incoming NSPI port number. The default value is 7840.
In out-of-path deployments, if you want to optimize MAPI Exchange by destination port, you
must define in-path rules that specify the following ports on the client-side Steelhead appliance:
Port 135. The Microsoft end-point mapper port.
Port 7830. The Steelhead appliance port used for Exchange traffic.
Port 7840. The Steelhead appliance port used for Exchange Directory NSPI traffic.
If you changed the Microsoft Exchange Information Store Interface port in your environment,
change port 7830 to the static port number you have configured in your Exchange environment.
For further information, see Microsoft Exchange Information Store Interface at http://
support.microsoft.com/default.aspx?scid=kb;en-us;270836.
The no command option resets the NSPI port to the default value.
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<port>
Usage
The no command option resets the MAPI port to the default value.
Example
Product
Steelhead appliance
Related Topics
Specifies the incoming MAPI port number. The default value is 7830.
Syntax
Parameters
maxconnections <number>
poll-interval <minutes>
timeout <seconds>
Specifies the timeout period in seconds. The default value is 96.
Usage
The no command option disables MAPI prepopulation support. If you specify the no option and
parameters, you do not disable MAPI prepopulation support; you reset the specified parameter to
its default value.
Example
Product
Steelhead appliance
Related Topics
Enables MS-SQL blade support. Enabling the MS-SQL blade supports MS Project optimization.
Syntax
Parameters
None
Usage
The commands for MS-SQL support must be implemented by Riverbed professional services.
Improper use can result in undesirable effects.
The MS-SQL blade supports other database applications, but you must define SQL rules to obtain
maximum optimization. If you are interested in enabling the MS-SQL blade for other database
applications, contact Riverbed professional services.
You must restart the Steelhead service after enabling this feature.
The no command option disables SQL blade support.
Example
Product
Steelhead appliance
Related Topics
Enables pre-fetching requests to request the next row in MS Project. The server-side Steelhead
appliance pre-fetches sequential row results and the client-side Steelhead appliance caches them.
You decide which cursors or queries are cacheable.
Syntax
Parameters
None
Usage
To determine which cursors or queries are cacheable, you configure rules. By default, all fetch next
queries are cacheable.
The no command option removes pre-fetching requests.
Example
Product
Steelhead appliance
Related Topics
Specifies the maximum number of sp_execute (or save project) requests to pre-acknowledge
before waiting for a server response to be returned.
Syntax
Parameters
<num-preack>
Usage
You can enable pre-acknowledgement if the client application does not need a result value from
the server.
For example, when you save a project in MS Project, server-side procedures are invoked many
times to write or update database data. To maximize optimization, the protocol ms-sql
num-preack command limits the number of pre-acknowledgements from the server.
The no command option disables pre-acknowledgement.
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<port>
Usage
The no command option resets the SQL server port to the default value.
Example
Product
Steelhead appliance
Related Topics
Specifies the SQL server port to listen on for requests. The default value is 1433.
Syntax
Parameters
rule-id <rule_id>
action-id <action_id>
num-reps <num_reps>
invalidate <invalidate_action>
miss-policy <policy>
allow-preack {true | false}
Usage
Example
Product
Steelhead appliance
Related Topics
Specifies how the query arguments should be modified when prefetching queries.
Syntax
Parameters
rule-id <rule_id>
action-id <action_id>
arg-offset <arg_offset>
expr <expression>
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
[no] protocol ms-sql rpc-act rule-id <rule_id> action-id <action_id> [[num-reps <num_reps> |
invalidate {flush-all | flush-rule}] [miss-policy <policy> | allow-preack {true | false} |
allow-prefetch {true | false} | scope {sfe | cfe}]]
Parameters
rule-id <rule_id>
action-id <action_id>
num-reps <num_reps>
invalidate <invalidate_action>
miss-policy <policy>
allow-preack {true | false}
allow-prefetch {true | false}
Usage
Example
Product
Steelhead appliance
Related Topics
Specifies a RPC argument used to determine if the RPC request matches a rule.
Syntax
[no] protocol ms-sql rpc-arg-act rule-id <rule_id> arg-offset <arg_offset> expr <expr>
Parameters
rule-id <rule_id>
arg-offset <arg_offset>
expr <expr>
Usage
Example
Product
Steelhead appliance
Related Topics
Specifies how the RPC argument should be modified when prefetching queries.
Syntax
[no] protocol ms-sql rpc-arg rule-id <rule_id> action-id <action_id> arg-offset <arg_offset>
expr <expr>
Parameters
rule-id <rule_id>
action-id <action_id>
arg-offset <arg_offset>
expr <expr>
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
[no] protocol ms-sql rpc-rule <rule-id <rule_id> app-name-regex <app_name> {rpc-id <rpc_id>
num-params <num_params> | [rpc-query-regex <regex_match_for_rpc_query_string>] |
[cursor-type <cursor_type>]]}
Parameters
rule-id <rule_id>
app-name-regex <app_name>
rpc-id <rpc_id>
num-params <num_params>
rpc-name-regex <regex_match_for_rpc_string>
cursor-type <cursor_type>
Example
minna (config) # protocol ms-sql rpc-rule rule-id 1 app-name-regex blah rpc-name-regex blah num-params 1 rpc-query-regex blah cursor-type static
minna (config) #
Product
Steelhead appliance
Related Topics
Specifies a regular expression (standard string) for an application name that can be optimized
using the MS-SQL blade.
Syntax
[no] protocol ms-sql support-app <name> [collation <collation> | misc <misc> | unicode {-1, 0,
1}]
Parameters
support-app <name>
collation <collation>
misc <misc>
unicode {-1, 0, 1}
Usage
The no command option removes the application from MS-SQL blade support.
Example
Product
Steelhead appliance
Related Topics
protocol ftp
Description
Syntax
Parameters
port <port>
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
[no] protocol nfs default server {direntrymap <cr> | policy [custom | global_rw] | read-ahead
[small-files <cr> | transfer-size <size>] | read-dir [optimize <cr> | read-size <size>] |
threshold multiple <multiple> | write [optimize <cr> | max-data <max>]}
Parameters
direntrymap <cr>
policy [custom | global_rw]
read-ahead [small-files <cr> | transfer-size <size>]
Enables read-ahead for small files; sets the transfer size in bytes.
read-dir [optimize <cr> | read-size <size>]
Enables read optimization for the directory; sets the read size in bytes.
threshold multiple <multiple>
write [optimize <cr> | max-data <max>]
Enables write optimization for the directory; sets the maximum write
size in bytes.
Usage
The no command option resets the value of a given option. For example, no protocol nfs default
server policy resets the policy to the default value.
Example
Product
Steelhead appliance
Related Topics
Syntax
[no] protocol nfs default volume {perm_cache | policy [custom | global_rw] |root-squash
<cr>}
Parameters
perm_cache
Enables a permission cache. Specify this option if the server uses ACLs
or if your server is configured to map client user IDs. This option
enables the Steelhead appliance to optimize traffic without violating the
permissions model.
policy [custom | global_rw]
root-squash <cr>
Usage
NFS file system objects have owners and permissions and the NFS optimizer conforms to the file
system permissions model by enforcing file server and volume policies.
The no command option resets the value of a given option.
Example
Product
Steelhead appliance
Related Topics
Enables the NFS optimizer. The NFS optimizer provides latency optimization improvements for
NFS operations primarily by prefetching data, storing it on the client Steelhead appliance for a
short amount of time, and using it to respond to client requests.
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<bytes>
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<bytes>
Usage
Example
Product
Steelhead appliance
Related Topics
Specifies, in percent, the soft-limit size (warning threshold) and hard-limit size (error threshold) of
memory usage.
Syntax
Parameters
<percent>
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
[no] protocol nfs server <name> {default volume enable | default volume policy [custom |
global_rw | home_dir]| default volume root-squash| direntrymap <cr> | ip <address> |
policy [custom | global_rw | home_dir] | read-ahead [small-files <cr> | transfer-size <size>] |
read-dir [optimize <cr> | read-size <size>] | threshold multiple <multiple> | volume id
<fsid> <cr> volume id <fsid> policy [custom | global_rw | home_dir] volume id <fsid> root-squash write [optimize <cr> | max-data <max>]}
Parameters
default volume root-squash
direntrymap <cr>
ip <address>
policy [custom | global_rw]
read-ahead [small-files <cr> | transfer-size <size>]
Enables read-ahead for small files; sets the transfer size in bytes.
read-dir [optimize <cr> | read-size <size>]
Enables read optimization for the directory and sets the read size in
bytes.
threshold multiple <multiple>
volume id <fsid> policy [custom | global_rw]
Specifies the file system ID and policy. On the specified volume, sets
one of the following policies:
Custom. Enables you to turn on or off the root squash feature for
NFS volumes from this server. Root-squashing allows an NFS server
to map any incoming user ID 0 or guest ID 0 to another number that
does not have superuser privileges, often -2 (the nobody user).
Global Read-Write. Specifies a policy that provides a trade-off of
performance for data consistency. All of the data can be accessed
from any client, including LAN based NFS clients (which do not go
through the Steelhead appliances) and clients using other file
protocols like CIFS. This option severely restricts the optimizations
that can be applied without introducing consistency problems. This
is the default configuration.
write [optimize <cr> | max-data <max>]
Enables write optimization for the directory; sets the maximum write
size in bytes.
Usage
NFS objects have owners and permissions and the NFS optimizer conforms to the file system
permissions model by enforcing file server and volume policies.
The no command option disables the NFS server.
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
Configure default settings to be used when you add target HTTP servers.
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
Enables HTTP module support. Enabling HTTP module support optimizes traffic to or from port
80.
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<ext>
Usage
Create a list of file extensions for file types you want to prefetch. You add file extensions one at a
time. Repeat the command for each of the file types you want to add to the list.
Example
Product
Steelhead appliance
Related Topics
Specifies a target HTTP server. Currently, you can use these commands to create a list of HTTP
servers to optimize.
Syntax
Parameters
<IP>
[ntlm enable]
If you have disabled NTLM reuse as the default with the no protocol http default
ntlm command and want to enable NTLM reuse for this server, specify ntlm
enable.
Usage
Create a list of HTTP servers to optimize. You add servers one at a time. Repeat the command for
each server you want to optimize.
Use the show protocol http command to display your list.
The no command option removes the server from the list to optimize.
Example
Product
Steelhead appliance
Related Topics
Syntax
[no] protocol ssl backend {client | server} cipher-string <string> cipher-num <num>
Parameters
client | server
cipher-string <string>
cipher-num <num>
Specify a number to set the order of the list. The number must be an integer
greater than or equal to 1, the string start, or the string end.
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
password <password>
[includeservers]
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
password <password>
data <data>
Usage
Use the bulk import feature to expedite configuration of peering trust relationships between
Steelhead appliances.
The bulk data that you import contains the serial number of the exporting Steelhead appliance.
The Steelhead appliance importing the data compares its own serial number with the serial
number contained in the bulk data. The following rules apply to bulk data import and export:
Peering Certificate and Key Data. If the serial numbers match, the Steelhead appliance
importing the bulk data overwrites its existing peering certificates and keys with the bulk data.
If the serial numbers do not match, the Steelhead appliance importing the data is not
overwritten; peering certificates and keys are not overwritten.
Certificate Authority, Peering Trust, and SSL Server Configuration Data. For all other
configuration data, such as certificate authorities, peering trusts, and server configurations (if
included), if there is a conflict, the imported configuration data take precedence and the
imported configuration data does not overwrite any existing configurations.
NOTE: Bulk data import cannot delete configurations; it only adds or overwrites them.
For example, assume you have two servers: 1.1.1.1:443 (enabled) and 2.2.2.2:443 (disabled). The
bulk data contains three servers: 1.1.1.1:443 (disabled), 2.2.2.2:443 (disabled), and 3.3.3.3:443
(enabled). After a bulk data import, there are three servers: 1.1.1.1:443 (disabled), 2.2.2.2:443
(disabled), and 3.3.3.3:443 (enabled). The certificates and keys of servers 1.1.1.1:443 and 2.2.2.2:443
were overwritten with those in the bulk data.
Example
Product
Steelhead appliance
Related Topics
Configures CRL for an automatically discovered CA. You can update automatically discovered
CRLs using this command.
Syntax
[no] protocol ssl crl ca <ca name> cdp <integer> ldap server <IP addr or hostname> | crl-attr-name <attr-name> | port <port>
Parameters
<ca name>
cdp <integer>
ldap server <IP addr or hostname>
crl-attr-name <attr-name>
port <port>
Usage
Enabling CRL allows the CA to revoke a certificate. For example, when the private key of the
certificate has been compromised, the CA can issue a CRL that revokes the certificate.
A CRL includes any digital certificates that have been invalidated before their expiration date,
including the reasons for their revocation and the names of the issuing certificate signing
authorities. A CRL prevents the use of digital certificates and signatures that have been
compromised. The certificate authorities that issue the original certificates create and maintain the
CRLs.
To clear the CRL alarm, execute the no stats alarm crl_error enable command.
Example
Product
Steelhead appliance
Related Topics
Enables CRL polling and use of CRL in handshake verifications of CA certificates. Currently, the
Steelhead appliance only supports downloading CRLs from Lightweight Directory Access
Protocol (LDAP) servers.
Syntax
Parameters
None.
Usage
Enabling CRL allows the CA to revoke a certificate. For example, when the private key of the
certificate has been compromised, the CA can issue a CRL that revokes the certificate.
A CRL includes any digital certificates that have been invalidated before their expiration date,
including the reasons for their revocation and the names of the issuing certificate signing
authorities. A CRL prevents the use of digital certificates and signatures that have been
compromised. The certificate authorities that issue the original certificates create and maintain the
CRLs.
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
fail-if-missing
Example
Product
Steelhead appliance
Related Topics
Syntax
[no] protocol ssl crl manual ca uri <uri>| peering ca uri <uri>
Parameters
ca
Specify the CA name to manually configure the CDP. The no protocol ssl crl
manual command removes manually configured CDPs.
uri <uri>
Specify the CDP URI to manually configure the CDP for the CRL.
peering ca uri <uri>
Usage
The Steelhead appliance automatically discovers CDPs for all certificates on the appliance. You
can manually configure a CA using this command.
Example
Product
Steelhead appliance
Related Topics
Syntax
[no] protocol ssl crl peering {ca <ca name> cdp <integer> ldap server <ip-addr or hostname>
<cr> [crl-attr-name <string> | port <port num>]}| cas enable
Parameters
ca <ca name>
cdp <integer>
ldap server <ip-addr or hostname> <cr>
crl-attr-name <string>
port <port num>
cas enable
Usage
To enable CRL polling and handshakes, at the system prompt enter the following set commands:
protocol ssl crl cas enable
protocol ssl crl peering cas enable
To view the CRL polling status of all CAs, at the system prompt enter the following command:
show protocol ssl crl ca cas
<<this example lists two CDPs: one complete CDP and one incomplete CDP>>
CA: Comodo_Trusted_Services
CDP Index: 1
DP Name 1: URI:http://crl.comodoca.com/TrustedCertificateServices.crl
Last Query Status: unavailable
CDP Index: 2
DP Name 1: URI:http://crl.comodo.net/TrustedCertificateServices.crl
Last Query Status: unavailable
<<an incomplete CDP is indicated by the DirName format>>
CA: Entrust_Client
CDP Index: 1
DP Name 1: DirName:/C=US/O=Entrust.net/OU=www.entrust.net/Client_CA_Info/
CPS incorp. by ref.limits liab./OU=(c) 1999 Entrust.net Limited/CN=Entrust.net
Client Certification Authority
CN=CRL1
Last Query Status: unavailable
CDP Index: 2
DP Name 1: URI:http://www.entrust.net/CRL/Client1.crl
Last Query Status: unavailable
In this case, the Entrust Client is an incomplete CDP as indicated by DirName format. Currently,
the Steelhead appliance only supports updates in the DirName format.
To update the incomplete CDP URI, at the system prompt enter the following set of commands:
protocol ssl crl ca Entrust_Client cdp 1 ldap-server 192.168.172.1
protocol ssl crl peering ca Entrust_Client cdp 1 ldap-server 192.168.172.1
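Added example (not part of the Riverbed manual): a Python audit helper that parses show protocol ssl crl ca cas output in the layout shown above, lists the CDPs reported in DirName format, and builds the ldap-server update commands in the form given on this page. The function names are hypothetical, the sample is this page's own output, and "unavailable" is the only status value known from the page.

```python
import re
from dataclasses import dataclass, field

# Output copied from the example on this page, annotation lines included.
SAMPLE_OUTPUT = """\
<<this example lists two CDPs: one complete CDP and one incomplete CDP>>
CA: Comodo_Trusted_Services
CDP Index: 1
DP Name 1: URI:http://crl.comodoca.com/TrustedCertificateServices.crl
Last Query Status: unavailable
CDP Index: 2
DP Name 1: URI:http://crl.comodo.net/TrustedCertificateServices.crl
Last Query Status: unavailable
<<an incomplete CDP is indicated by the DirName format>>
CA: Entrust_Client
CDP Index: 1
DP Name 1: DirName:/C=US/O=Entrust.net/OU=www.entrust.net/Client_CA_Info/
CPS incorp. by ref.limits liab./OU=(c) 1999 Entrust.net Limited/CN=Entrust.net
Client Certification Authority
CN=CRL1
Last Query Status: unavailable
CDP Index: 2
DP Name 1: URI:http://www.entrust.net/CRL/Client1.crl
Last Query Status: unavailable
"""

CDP_RE = re.compile(r"CDP Index:\s*(\d+)$")
NAME_RE = re.compile(r"DP Name \d+:\s*(URI|DirName):(.*)$")
STATUS_RE = re.compile(r"Last Query Status:\s*(.+)$")
SAFE_TOKEN = re.compile(r"[A-Za-z0-9._-]+")  # CA names and LDAP hosts only


@dataclass
class Cdp:
    ca: str
    index: int
    names: list = field(default_factory=list)  # [kind, value] pairs
    status: str = ""


def parse_crl_status(text):
    """Parse the CA / CDP listing into a flat list of Cdp records."""
    cdps, ca, cur, wrapping = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("<<"):
            continue  # blank line or <<annotation>> from the manual
        if line.startswith("CA:"):
            ca, cur, wrapping = line[3:].strip(), None, False
            continue
        m = CDP_RE.match(line)
        if m:
            if ca is None:
                raise ValueError("CDP entry before any CA line")
            cur = Cdp(ca, int(m.group(1)))
            cdps.append(cur)
            wrapping = False
            continue
        if cur is None:
            raise ValueError(f"unexpected line outside a CDP: {line!r}")
        m = NAME_RE.match(line)
        if m:
            cur.names.append([m.group(1), m.group(2).strip()])
            wrapping = True  # a long DirName may continue on following lines
            continue
        m = STATUS_RE.match(line)
        if m:
            cur.status, wrapping = m.group(1).strip(), False
            continue
        if not wrapping:
            raise ValueError(f"unrecognised line: {line!r}")
        # Wrapped DirName text: joined with a space, so the original
        # line-break positions are not reconstructed exactly.
        cur.names[-1][1] += " " + line
    return cdps


def incomplete_cdps(cdps):
    """CDPs given in DirName format, which the manual calls incomplete."""
    return [(c.ca, c.index) for c in cdps
            if any(kind == "DirName" for kind, _ in c.names)]


def unavailable_cdps(cdps):
    """CDPs whose last CRL query is reported as unavailable."""
    return [(c.ca, c.index) for c in cdps if c.status == "unavailable"]


def ldap_update_commands(cdps, ldap_server):
    """Build the two update commands per incomplete CDP, as shown above."""
    if not SAFE_TOKEN.fullmatch(ldap_server):
        raise ValueError("LDAP server must be a plain hostname or IP address")
    commands = []
    for ca, index in incomplete_cdps(cdps):
        if not SAFE_TOKEN.fullmatch(ca):
            raise ValueError(f"refusing to emit a command for CA name {ca!r}")
        commands.append(f"protocol ssl crl ca {ca} cdp {index} ldap-server {ldap_server}")
        commands.append(f"protocol ssl crl peering ca {ca} cdp {index} ldap-server {ldap_server}")
    return commands


if __name__ == "__main__":
    parsed = parse_crl_status(SAMPLE_OUTPUT)
    print("unavailable:", unavailable_cdps(parsed))
    for cmd in ldap_update_commands(parsed, "192.168.172.1"):
        print(cmd)
```

Every CDP in the sample reports unavailable, so CRL checks for both CAs have no fresh revocation data until polling succeeds.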
Example
Product
Steelhead appliance
Related Topics
Syntax
[no] protocol ssl crl query-now ca <string> cdp <integer> <cr>| peering ca <string> cdp
<integer> <cr>
Parameters
ca <string> cdp <integer>
Download CRL issued by SSL CA. Specify the CA name and CDP integer.
peering ca <string> cdp <integer>
Download CRL issued by SSL peering CA. Specify the CA name and CDP
integer.
Example
Product
Steelhead appliance
Related Topics
protocol ssl ca
Description
Syntax
Parameters
cert <certificate>
local-name <local-name>
Usage
Add Certificate Authorities you intend to use for server and peering configuration.
Example
Product
Steelhead appliance
Related Topics
Enables SSL optimization, which accelerates encrypted traffic on secure ports (https). This
command can only be used after you have generated or imported a server.
To configure SSL support, you do not make configuration changes on the client and the server;
clients continue connecting to the same server name or IP address.
The Steelhead appliances are configured to have a trust relationship, so they can exchange
information securely over an SSL connection. (Each client uses unchanged server addresses and
each server uses unchanged client addresses; no application changes or explicit proxy
configuration is required.) The server-side Steelhead appliance handles SSL handshakes on behalf
of the server, yet makes itself appear to the client as if it were the actual server. The server-side
Steelhead appliance is configured with a legitimate certificate and private key just as the one (not
necessarily the same one) used by the back-end Web server.
Intercepting a new SSL connection from a client (for example, the browser), the server-side
Steelhead appliance simultaneously acts as an SSL server to the original client and an SSL client to
the back-end server.
The temporary session key (used for encryption and decryption) is securely transported from the
server-side Steelhead appliance to the client-side Steelhead appliance so that RiOS optimization
and acceleration occurs on all data transfers over the WAN.
All data transfers between the client-side and the server-side Steelhead appliance are over a
secure channel between the Steelhead appliances. The two peer Steelhead appliances must be
configured as SSL peers so that they are trusted entities.
The Steelhead appliance contains an encrypted file system, called the secure vault, which stores all
SSL server settings, other certificates (the CA, peering trusts, and peering certificates) and the
peering private key. See secure-vault, for more information.
The Steelhead appliance ships with a default peer certificate. Riverbed recommends you replace
the default peer certificate with a certificate with a matching common name and security
parameters (key length).
Syntax
Parameters
None
Usage
You should keep secure backups of your private keys and the CA-signed certificates before you
begin the SSL configuration process.
The following steps describe how to initially deploy and verify SSL module support:
1. Install SSL licenses on a client-side and server-side pair of appliances. If you do not have an SSL
license go to https://support.riverbed.com and follow the procedures documented there.
2. On the client-side appliance, add an in-path rule for port 443 (SSL default port). For example:
minna (config) # in-path rule auto-discover dstaddr 10.11.41.14/32 dstport 443
preoptimization ssl latency-opt http neural-mode always rulenum 1
TIP: Specify each of the parameters listed in this example. You must specify the exact SSL server IP
address and the default SSL port.
NOTE: Latency optimization may not always be HTTP, especially for applications that use the SSL
protocol but are not HTTP based. In such cases, specify None for the latency optimization.
3. On both appliances, enable SSL support. For example:
minna (config) # protocol ssl enable
4. To display the certificate, enter the certificate ssl show command. For example:
minna (config) # show protocol ssl peering cert raw
5. Create a peer trust relationship by installing the client ID certificate on the server-side appliance
and vice versa. For example:
minna (config) # protocol ssl peer trust cert ...
Configuring a trust relationship for peer appliances must be performed on every pair of Steelhead
appliances that need a secure channel. For example, if your organization has one data center
location and five remote office locations, you must configure this peering-trust on five pairs of
Steelhead appliances.
TIP: Your organization may choose to replace all the default self-signed identity certificates and
keys on their Steelhead appliances with those certificates signed by another CA (either internal to
your organization or an external well-known CA). In such cases, every Steelhead appliance must
simply have the certificate of the designated CA (that signed all those Steelhead appliance
identity certificates) added as a new trusted entity.
TIP: For production networks with multiple Steelhead appliances, use the CMC or the bulk
import and export feature to simplify configuring trusted peer relationships.
6. On the server-side appliance, generate or import a proxy certificate for the SSL server. For
example:
minna (config) # protocol ssl server ip <ip-address> import-cert <certificate>
import-key <private key>
7. Enable the SSL server. You can only enable the SSL server after the server has been generated or
imported. For example:
minna (config) # protocol ssl server ip <ip-address> enable
8. Import any CA certificates if necessary (for example, if a server certificate is self-signed or you
need an intermediate CA). For example:
minna (config) # protocol ssl ca cert <certificate> local-name <name>
You must perform this step if you use internal CAs because the Steelhead appliance default list of
well-known CAs (trusted by the server-side Steelhead appliance) does not include your internal
CA certificate. To identify the certificate of your internal CA (in some cases, the chain of certificate
authorities) go to your Web browser repository of trusted-root or intermediate CAs. (For example,
Internet Explorer -> Tools -> Internet Options -> Certificates.)
9. Restart the service on the client and server-side Steelhead appliance.
minna (config) # restart
To troubleshoot your SSL configuration, view system logs and current connections.
The no command option disables SSL module support.
Example
Product
Steelhead appliance
Related Topics
Configures SSL peering trust by synchronizing cipher strings, generated keys and certificates, or
imported keys and certificates to be used for SSL handshakes.
Syntax
Parameters
cipher-num <num>
Specify a number to set the order of the list. The cipher number must
be an integer from 1 to N, or the string start or the string end.
generate-cert [rsa] | common-name <string> country <string> email <email address> key-size
<512|1024|2048> locality <string> org <string> org-unit <string> state <string> valid-days
<int>
[rsa]
common-name <string>
country <string>
email <email address>
key-size <512|1024|2048>
locality <string>
org-unit <string>
org-unit <string>
state <string>
valid-days <int>
generate-csr common-name <string> country <string> email <email address> locality <string>
org <string> org-unit <string> state <string>
common-name <string>
country <string>
email <email address>
locality <string>
org <string>
org-unit <string>
state <string>
Specify the existing string to import the certificate. (These are X509
PEM-format field names.)
import-key <privatekey>
Specify the existing certificate key in PEM format to import the key.
(These are X509 PEM-format field names.)
NOTE: The private key is required regardless of whether you are
adding or updating.
<string>
ca <cert>
Specify the CA name for the certificate provided by the peer. (These
are X509 PEM-format field names.)
cert <certificate>
Paste the text of a CA certificate (PEM format) for the peer and give
the certificate a local name. (These are X509 PEM-format field names.)
local-name <name>
Usage
All data between client-side and server-side Steelhead appliances are sent over a secure channel
between the Steelhead appliances. The peer Steelhead appliances must be configured as SSL peers
so that they are trusted entities.
In SSL, peer authentication allows you to confirm the identity of the peer. The Steelhead appliance
checks the certificates to make sure they are valid and that they have been issued by a valid CA
which is listed in the trusted entity list.
The no command option removes SSL peering settings.
Example
Product
Steelhead appliance
Related Topics
Specifies the SSL versions supported in your deployment. The default setting is SSLv3_or_TLSv1.
Syntax
Parameters
<version>
Specify one of the following values to specify the SSL versions supported in your
deployment:
SSLv3_or_TLSv1
SSLv3_only
TLSv1_only
Usage
Example
Product
Steelhead appliance
Related Topics
Configures automatic re-enrollment settings. The Steelhead appliance uses SCEP to automatically
re-enroll certificates.
Syntax
[no] protocol ssl scep peering auto-reenroll enable | exp-threshold <num-of-days> | last-result
clear-alarm
Parameters
enable
exp-threshold <num-of-days>
Specify the amount of time (in days) to schedule re-enrollment before the
certificate expires.
last-result clear-alarm
Clears the automatic re-enrollment last-result alarm. The last result is the last
completed enrollment attempt.
Usage
The Steelhead appliance uses SSCEP to dynamically re-enroll a peering certificate to be signed by
a certificate authority.
The no command option disables this feature.
Example
Product
Steelhead appliance
Related Topics
Configure the maximum number of polls. A poll is a request to the server for an enrolled
certificate by the Steelhead appliance. The Steelhead appliance polls only if the server responds
with pending. If the server responds with fail then the Steelhead appliance does not poll.
Syntax
Parameters
<max number polls>
Specify the maximum number of polls before the Steelhead appliance cancels the
enrollment. The peering certificate is not modified. The default value is 5.
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
Generate new private key and CSR for on-demand enrollment using the Rivest-Shamir-Adleman
algorithm.
Syntax
[no] protocol ssl scep peering on-demand gen-key-and-csr rsa state <string> | org-unit
<string> | org <string> | locality <string> | email <email-addr> | country <string> |
common-name <string> | key-size <512 | 1024 | 2048>
Parameters
rsa
state <string>
org-unit <string>
org <string>
locality <string>
email <email-addr>
country <string>
common-name <string>
key-size <512|1024|2048>
Usage
Example
amnesiac (config) # protocol ssl scep peering on-demand gen-key-and-csr rsa state california
Product
Steelhead appliance
Related Topics
Syntax
Parameters
foreground
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<passphrase>
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<minutes>
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
peering-ca
<name>
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<url>
Specify the URL of the SCEP responder. Use the following format:
http://host[:port]/path/to/service
Usage
Example
Product
Steelhead appliance
Related Topics
Enables optimization for a specified SSL server and manages SSL certificates.
Syntax
[no] protocol ssl server ip <ip address> port <port> enable | change {
chain-cert ca <ca name> | cert <certificates>}
{export <cr> | include-key password <string>
{generate-cert [rsa] | key-size <512|1024|2048> common-name <string> country <string>
email <email address> locality <string> org <string> org-unit <string> state <string> valid-days <int>} |
{generate-csr common-name <string> country <string> email <email address> locality
<string> org <string> org-unit <string> state <string>} |
{import-cert <certificate> [import-key <string>] password <string>}
{import-cert-key <certkey> password <string>}
}
Parameters
enable
{chain-cert
ca <ca name> |
cert <certificates>}
change
export <cr> |
include-key
password <string>
generate-cert [rsa] | common-name <string> country <string> email <email address> key-size
<512|1024|2048> locality <string> org <string> org-unit <string> state <string> valid-days
<int>
[rsa]
common-name <string>
country <string>
email <email address>
key-size <512|1024|2048>
locality <string>
org-unit <string>
state <string>
valid-days <int>
generate-csr common-name <string> country <string> email <email address> locality <string>
org <string> org-unit <string> state <string>
common-name <string>
country <string>
email <email address>
locality <string>
org <string>
org-unit <string>
state <string>
<certificate>
import-key <private-key>
password <string>
password <password>
Usage
Add or change SSL servers to your deployment. You must generate or import certificates and
private keys for the server.
You must configure each distinct server IP address and port combination that the client may
connect to. For example, if https://intranet resolves to one of three different server IP addresses,
you must configure an SSL server for each of the IP addresses. The same certificate and private
key can be used for each, but three separate server configurations must be created.
NOTE: Optimization will not occur for a particular server IP address and port unless that server is
configured on the server-side Steelhead appliance. The client-side in-path rules must also be
defined.
When you configure the back-end server proxy certificate and key on the server-side Steelhead
appliance, if you choose not to use the back-end server's actual certificate and key, you can use a
self-signed certificate and key or another CA-signed certificate and key. If you have a CA-signed
certificate and key, import it.
If you do not have a CA-signed certificate and key, you can add the proxy server configuration
with a self-signed certificate and key, back up the private key, generate a CSR, have it signed by a CA,
and import the newly CA-signed certificate and the backed-up private key.
TIP: To back up a single certificate and key pair (that is, the peering certificate and key pair and a
single server's certificate and key) use the export option. Make sure you include the private key
and enter the encryption password. Save the exported file that contains the certificate and the
encrypted private key.
Alternatively, you can use the generated self-signed certificate and key, but doing so might be
undesirable because, by default, the clients will not trust it, and end-user action would be
required.
Example
Product
Steelhead appliance
Related Topics
secure-vault
Description
Manages the secure vault password and unlocks the secure vault.
Syntax
Parameters
new-password <password>
reset-password <old password>
unlock <password>
Usage
The secure vault is an encrypted file system on the Steelhead appliance where all Steelhead
appliance SSL server settings, other certificates (the CA, peering trusts, and peering certificates)
and the peering private key are stored. The secure vault protects your SSL private keys and
certificates when the Steelhead appliance is not powered on.
You can set a password for the secure vault. The password is used to unlock the secure vault when
the Steelhead appliance is powered on. After rebooting the Steelhead appliance, SSL traffic is not
optimized until the secure vault is unlocked with the unlock <password> parameter.
Data in the secure vault is always encrypted, whether or not you choose to set a password. The
password is used only to unlock the secure vault.
To change the secure vault password
1. Reset the password with the reset-password <password> parameter.
2. Specify a new password with the new-password <password> parameter.
Example
Product
Steelhead appliance
Related Topics
Sets bandwidth for traffic bursts greater than the upper bandwidth limit. Available in the CLI
only.
Syntax
Parameters
interface <wanX_X>
Specify the interface for which you want to set the burst size. For example,
wan0_0 or wan0_1.
size <int>
Specify a bandwidth size for traffic bursts greater than the upper limit.
Usage
This command sets the amount of burst allowed for real-time QoS classes at the link rate. During
this burst, all other traffic is suppressed. The formula for the burst rate is:
burst = 25% of (link-rate kb/sec * 1 sec)
Therefore, the burst rate changes as the link rate changes.
Example
Product
Steelhead appliance
Related Topics
Syntax
[no] qos classification class [add | modify] class-name <classname> priority [realtime
|interactive | business | normal | low] min-pct <pct> upper-limit-pct <pct> conn-limit <num>
link-share <weight> queue [fifo | mxtcp | sfq]
Parameters
[add | modify]
class-name <classname>
priority [realtime | interactive | business | normal | low]
min-pct <pct>
upper-limit-pct <pct>
conn-limit <num>
link-share <weight>
sfq. SFQ is the default queue for all classes. SFQ services all flows in
a round-robin fashion, reducing the latency for competing flows.
SFQ ensures that each flow has fair access to network resources and
prevents a bursty flow from consuming more than its fair share of
output bandwidth. To prevent shorter flows from experiencing the
long latency of waiting for the queue to drain before it receives its
turn, SFQ allows new flows to cut in line. To reduce latency for
competing flows, SFQ services all flows in a round-robin fashion.
Usage
The Steelhead appliance allows you to decouple priority (in terms of delay) from the bandwidth
allocation. This provides the flexibility needed to support varying degrees of priority and
bandwidth traffic patterns, such as high-priority, low-bandwidth traffic patterns (for example,
Telnet). Many QoS schemes use the term priority to specify how to control the excessive
bandwidth among different classes. In the Steelhead appliance, priority actually refers to traffic
delays and excessive bandwidth is shared, proportional to the minimum bandwidth guaranteed
for a specific class.
You must enable QoS classification and set the bandwidth link rate for the WAN interface before
you create a QoS class.
The no command option deletes the QoS class.
Example
Product
Steelhead appliance
Related Topics
Enables the QoS feature. The QoS classification feature allows you to prioritize both optimized
and pass-through traffic going through this appliance.
Syntax
Parameters
None
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<interface>
<kbps>
Usage
This is the bottleneck WAN bandwidth, not the interface speed out of the WAN interface into the
router or switch. For example, if your Steelhead appliance connects to a router with a 100 Mbps
link, do not specify this value; specify the actual WAN bandwidth (for example, T1, T3).
Different WAN interfaces can have different WAN bandwidths; this value must be correctly
entered for QoS to function correctly.
The percentage of excess bandwidth given to a class is relative to the percentage of minimum
bandwidth allocated to the class.
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
classname
<classname>
Usage
Example
Product
Steelhead appliance
Related Topics
Syntax
[no] qos classification rule add {rulenum <priority> class-name <class> traffic-type [optimized
| passthrough] source subnet <subnet/mask> port <port> destination subnet <subnet/mask>
port <port>} [dscp <dscp> | vlan <vlan>]
Parameters
rulenum <priority>
Specifies the order in which the rule is processed in the rules list.
Steelhead appliances evaluate rules in numerical order starting with
rule 1. If the conditions set in the rule match, then the rule is applied,
and the system moves on to the next packet. If the conditions set in the
rule do not match, the system consults the next rule. For example, if the
conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches
the conditions, it is applied, and no further rules are consulted.
class-name <class>
Specifies the class to which the rule applies. If the rule matches, the
specified rule sends the packet to this class.
traffic-type [optimized | passthrough]
source subnet <subnet/mask>
port <port>
Specifies the port number. Port labels and port ranges are also
supported on v4.x.
destination subnet <subnet/mask>
port <port>
Specifies the port number. Port labels and port ranges are also
supported on v4.x.
dscp <dscp>
vlan <vlan>
Usage
A class configured for the MX-TCP queue cannot be modified to use another queue. If you need to
change the MX-TCP queue, you must first delete the class and associated rules, then recreate them
with the appropriate queue.
IMPORTANT: If you delete or add new rules, existing optimized connections are not affected. The
changes only affect new optimized connections.
The no command option disables the rule.
Example
Product
Steelhead appliance
Related Topics
Moves the order of the rule in the rule list to the specified number.
Syntax
Parameters
<rule>
Example
Product
Steelhead appliance
Related Topics
Modifies the description of the rule. DSCP markings are applied to optimized and pass-through
(egress only) traffic. The rules appear in separate lists according to the traffic type.
Syntax
Parameters
traffic-type [optimized | passthrough]
rulenum <rule-num>
description <description>
Usage
After you map a destination port and a DSCP level, every packet corresponding to the connection
with that destination port has the DSCP field set to that value in the forward and backward
direction. On the WAN side of the Steelhead appliance, you configure a network router or a traffic
shaper to prioritize packets according to the value in the DSCP field before they are sent across the
WAN.
NOTE: Optimized traffic is marked in both directions, but pass-through traffic is marked only on
the egress traffic.
The no command option removes the description.
Example
Product
Steelhead appliance
Related Topics
Moves the order of the DSCP mapping rule in the rule list to the specified number.
Syntax
qos dscp move-rule traffic-type optimized | passthrough rulenum <rule> to <rule>
Parameters
<rule>
Usage
You specify an ordered list of rules where each rule is the DSCP level used on the inner connection
for connections matching the source IP subnet, the destination IP subnet and, optionally, the
destination port fields.
Steelhead appliances evaluate rules in numerical order starting with rule 1. If the conditions set in
the rule match, then the rule is applied, and the system moves on to the next packet. If the
conditions set in the rule do not match, the system consults the next rule. For example, if the
conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied,
and no further rules are consulted.
Example
Product
Steelhead appliance
Related Topics
Maps a service port to a QoS DSCP level based on the source IP subnet, the destination IP subnet,
destination port, and rule number. The QoS marking enables you to enforce a DSCP level for
optimized and pass-through (egress only) connections. Optimized and pass-through rules are
displayed in separate rule lists.
The DSCP level corresponds to the DiffServ DSCP field in the IP packet's header. After you map a
source-destination-port pattern and a DSCP level, every packet corresponding to the connection
with that destination port has the DSCP field set to that value in the forward and backward
direction. On the WAN side of the Steelhead appliance, you configure a network router or a traffic
shaper to prioritize packets according to the value in the DSCP field before they are sent across the
WAN.
NOTE: Optimized traffic is marked in both directions, but pass-through traffic is marked only on
the egress traffic.
Syntax
[no] qos dscp rule traffic-type [optimized | passthrough] src <source IP> dest <destination IP>
[dest-port <port>] dscp <level> rulenum <rulenum>
Parameters
traffic-type [optimized | passthrough]
<source IP>
Specifies the source IP subnet. You can use wild cards in this field.
<destination IP>
Specifies the destination IP subnet. You can use wild cards in this field.
dest-port <port>
Specifies the port on which to monitor. Port labels and port ranges are also
supported on v4.x.
To configure QoS mapping for the FTP data channel, specify port 20. To
configure QoS mapping for the MAPI data channel, specify port 7830 and the
corresponding DSCP level. The destination port can be a single port (number),
a port label, or all, which specifies all ports.
<level>
<rulenum>
Usage
You specify an ordered list of rules where each rule is the DSCP level to use on the inner
connection for connections matching the source IP subnet, the destination IP subnet and,
optionally, the destination port fields.
After you map a service port and a DSCP level, every packet using that service port has the DSCP
field set to that value in the forward and backward direction. On the WAN side of the Steelhead appliance,
you can configure a network router or a traffic shaper to prioritize packets according to the value
in the DSCP field before they are sent across the WAN.
If you have already defined a DSCP level and you do not define one in the CLI, the Steelhead
appliance uses the existing DSCP level for the connection between the Steelhead appliances. If
you define a DSCP level in the CLI, the Steelhead appliance overrides the existing DSCP level and
the value that you defined is applied.
To configure QoS mapping for the FTP data channel, specify port 20 and the corresponding DSCP
level. To configure QoS mapping for the MAPI data channel, specify port 7830 and the
corresponding DSCP level.
The no qos rule rulenum <rulenum> command disables the QoS rule.
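The first-match evaluation of the ordered DSCP rule list, as an added example (not Riverbed code), with a check for rules that an earlier, broader rule makes unreachable. The names DscpRule, classify, shadowed and move_rule are hypothetical, the renumbering done by move_rule is an assumed model of the move-rule command, and apart from the page's own rule (src 10.0.0.4, dest 10.0.0.1, dscp 12) and the MAPI port 7830 the sample values are constructed.

```python
"""First-match evaluation of an ordered DSCP rule list, with a shadowed-rule check."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class DscpRule:
    rulenum: int
    src: str                          # source subnet (CIDR); a bare address is a /32
    dest: str                         # destination subnet (CIDR)
    dscp: int                         # DSCP level applied when the rule matches
    dest_port: Optional[int] = None   # None stands for "all ports"

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dest)
                and (self.dest_port is None or self.dest_port == dst_port))

    def covers(self, other: "DscpRule") -> bool:
        """True if every connection `other` can match is also matched by self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dest).subnet_of(ip_network(self.dest))
                and (self.dest_port is None or self.dest_port == other.dest_port))


def classify(rules, src_ip, dst_ip, dst_port):
    """Return (rulenum, dscp) of the first matching rule in numerical order, else None."""
    for rule in sorted(rules, key=lambda r: r.rulenum):
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.rulenum, rule.dscp   # first match wins; later rules are not consulted
    return None


def shadowed(rules):
    """Return (shadowed_rulenum, shadowing_rulenum) pairs for rules that can never match."""
    ordered = sorted(rules, key=lambda r: r.rulenum)
    pairs = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if earlier.covers(later):
                pairs.append((later.rulenum, earlier.rulenum))
                break
    return pairs


def move_rule(rules, rulenum, to):
    """Assumed model of move-rule: reinsert the rule at position `to`, renumber from 1."""
    ordered = sorted(rules, key=lambda r: r.rulenum)
    moving = next(r for r in ordered if r.rulenum == rulenum)
    ordered.remove(moving)
    ordered.insert(to - 1, moving)
    return [replace(r, rulenum=i) for i, r in enumerate(ordered, start=1)]


# Constructed rule list: a broad site-wide rule was entered first, so the two
# narrower rules behind it are never consulted.
RULES = [
    DscpRule(1, "10.0.0.0/24", "10.0.0.0/24", dscp=0),
    DscpRule(2, "10.0.0.0/24", "10.0.0.1", dscp=26, dest_port=7830),  # MAPI data channel
    DscpRule(3, "10.0.0.4", "10.0.0.1", dscp=12),                     # rule from the page
]

# Moving the broad rule to the end lets the specific rules be evaluated first.
FIXED = move_rule(RULES, rulenum=1, to=3)

if __name__ == "__main__":
    print("before:", classify(RULES, "10.0.0.4", "10.0.0.1", 7830), shadowed(RULES))
    print("after: ", classify(FIXED, "10.0.0.4", "10.0.0.1", 7830), shadowed(FIXED))
```

Running shadowed() over an exported rule list before and after a change is a quick way to confirm that a newly added rule can actually take effect.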
Example
minna (config) # qos dscp rule src 10.0.0.4 dest 10.0.0.1 dscp 12 rulenum 3
minna (config) #
Product
Steelhead appliance
Related Topics
Enables a pool of connections to a peer Steelhead appliance. Connection pooling enables you to
save an extra round-trip for the initial connection setup. Connection pooling is useful for
protocols that open a number of short-lived connections, such as HTTP.
Syntax
Parameters
<addr>
Specifies the IP address of the peer Steelhead appliance. The IP address of 0.0.0.0
identifies the group of all Steelhead appliance peers.
<value>
Specifies the connection pooling value for the Steelhead appliance peer. The
default value is 20.
Usage
Any change in the connection pooling parameter requires you to restart the Steelhead service.
The no command option disables connection pooling.
Example
Product
Steelhead appliance
Related Topics
service default-port
Description
Sets the default service port you want to use for connection pooling.
Syntax
Parameters
<port>
Example
Product
Steelhead appliance
Related Topics
wccp enable
Description
Syntax
Parameters
None
Usage
You configure WCCP to redirect traffic to a Steelhead appliance or group of Steelhead appliances:
- so that the Steelhead appliances do not have to be physically in-path but can be virtually in-path.
That is, the Steelhead appliances are configured to be physically out-of-path devices while
optimizing traffic as if they were in-path devices.
- to provide load balancing and failover support.
For detailed information about configuring WCCP, see the Steelhead Appliance Deployment Guide.
The no command option disables WCCP support.
Example
Product
Steelhead appliance
Related Topics
show wccp
wccp mcast-ttl
Description
Sets the multicast TTL parameter for WCCP. The TTL determines the range over which a
multicast packet is propagated in your intranet.
Syntax
Parameters
<value>
Usage
For detailed information about configuring WCCP, see the Steelhead Appliance Deployment Guide.
Product
Steelhead appliance
Related Topics
show wccp
wccp service-group
Description
Enables a WCCP service group. A service group is a group of routers and Steelhead appliances
which define the traffic to redirect, and the routers and Steelhead appliances the traffic goes
through.
Syntax
Parameters
service group
<service-id>
Specifies the service group identification number (ID) (from 0 to 255). The
service group ID is the number that is set on the router. A value of 0 specifies the
standard http service group.
assign-scheme [hash | mask]
routers <routers>
encap_scheme [either|gre|l2]
flags <flags>
Specifies the fields the router hashes on and whether certain ports should be redirected.
Specify a combination of src-ip-hash, dst-ip-hash, src-port-hash, dst-port-hash,
ports-dest, ports-source.
ports <ports>
Specifies a comma-separated list of up to seven ports that the router will redirect.
Use only if ports-dest or ports-source service flag is set.
priority <priority>
password <password>
Specifies the WCCP password. This password must be the same as the password
on the router. (WCCP requires that all routers in a service group have the same
password.) Passwords are limited to eight characters.
weight <weight>
Usage
To enable WCCP, the Steelhead appliance must join a service group at the router. A service group
is a group of routers and Steelhead appliances which define the traffic to redirect, and the routers
and Steelhead appliances the traffic goes through.
To enable failover support with WCCP groups, define the service group weight to be 0 on the
backup Steelhead appliance. If one Steelhead appliance has a weight 0, but another one has a nonzero weight, the Steelhead appliance with weight 0 does not receive any redirected traffic. If all the
Steelhead appliances have a weight 0, the traffic is redirected equally among them.
If the source or destination flags are set, the router redirects only the TCP traffic that matches the
source or destination ports specified.
The Steelhead appliance now supports mask-based redirection to a single Steelhead appliance
using the WCCP protocol.
To enable mask-based redirection, use the assign-scheme option in the wccp service-group CLI
command. For example:
minna (config) # wccp service-group 91 routers 10.58.1.1 assign-scheme mask
For detailed information about configuring WCCP in Riverbed deployments, see the Steelhead
Appliance Deployment Guide.
For detailed information about WCCP, see the Cisco documentation Web site at
http://www.cisco.com/univercd/home/home.htm.
The no command option disables WCCP support.
Example
Product
Steelhead appliance
Related Topics
show wccp
Sets the IP address for a failover buddy appliance. A failover buddy is a backup appliance. If the
master fails, the buddy takes over.
Syntax
Parameters
<addr>
Specifies the IP address for the failover, backup machine. The default value is
0.0.0.0.
If you have installed multiple bypass cards, you must specify the IP address for
the inpath0_0 slot.
Usage
Example
Product
Related Topics
show failover
Sets the port for a failover buddy appliance. A failover buddy is a backup appliance. If the master
fails, the buddy takes over.
Syntax
Parameters
<port>
Usage
You cannot specify the failover buddy port for the Interceptor appliance.
The no command option resets the port to the default value.
Example
Product
Steelhead appliance
Related Topics
show failover
failover enable
Description
Enables a failover buddy appliance. A failover buddy is a backup appliance. If the master fails,
the buddy takes over.
Syntax
Parameters
None
Usage
In an in-path deployment, to use failover mode, you configure a pair of Steelhead appliances, one
as a master and the other as a backup. The master and backup Steelhead appliances are
configured statically with their partner's information. When you enable failover mode, the master
Steelhead appliance in the pair is active and the backup Steelhead appliance is passive. The
master Steelhead appliance is active unless it fails for some reason; the backup is passive while the
master is active and becomes active if and only if the master fails. A backup Steelhead appliance
will not intercept traffic while the master appliance is active. It pings the master Steelhead
appliance to make sure that it is alive and processing data. If the master Steelhead appliance fails,
the backup takes over, and starts processing all the connections. When the master Steelhead
appliance comes back up, it sends a message to the backup that it has recovered. Then, the backup
Steelhead appliance stops processing new connections (but continues to serve old ones until they
end).
In an out-of-path, failover deployment, you deploy two Steelhead appliances and use a fixed-target rule to define main and backup targets. When both Steelhead appliances are functioning
properly, the connections traverse the master appliance. If the master Steelhead appliance fails,
subsequent connections traverse the backup Steelhead appliance.
On the master appliance, you must specify valid values for this buddy IP address and buddy port
before this command can complete.
The no command option disables failover.
Example
Product
Related Topics
show failover
failover master
Description
Sets the appliance as the master appliance of a failover pair. If the master fails, traffic is routed
automatically through the failover buddy.
Syntax
Parameters
None
Usage
You must specify valid values for the buddy IP address and buddy port.
The no command option sets the appliance as the failover buddy.
Example
Product
Related Topics
show failover
failover port
Description
Sets the port on the master appliance with which to communicate with the failover buddy
appliance. A failover buddy is a backup appliance. If the master fails, the buddy takes over.
Syntax
Parameters
<port>
Usage
Product
Related Topics
show failover
datastore anchor-select
Description
Enables an anchor selection algorithm that discards margin segments without writing them to
disk. Enabling anchor selection based on contiguous segments decreases pressure on the disk and
improves performance.
Before you enable the set of data replication commands, please contact Riverbed Technical
Support at https://support.riverbed.com.
Syntax
Parameters
{1 | 0}
Usage
Use this command if you are experiencing a gradual decline in optimization over time when using
DR applications.
For detailed information about the set of data replication commands, please contact Riverbed
Technical Support at https://support.riverbed.com.
Example
Product
Steelhead appliance
Related Topics
datastore disklayout
Description
Syntax
Parameters
Usage
<fifo |
rvbdlru>
If, gradually over time, you experience sharp throughput degradation even though the data
reduction numbers continue to be good, use this command.
For detailed information about the set of data replication commands, please contact Riverbed
Technical Support at https://support.riverbed.com.
IMPORTANT: Enabling the LRU disk layout method may cause the data store wrap warning to
occur earlier than expected when using the FIFO replacement policy. This is expected behavior.
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
[interval
<seconds>}
Usage
Use this command if you are experiencing a gradual decline in optimization over time when using
DR applications.
For detailed information about the set of data replication commands, please contact Riverbed
Technical Support at https://support.riverbed.com.
Example
Product
Steelhead appliance
Related Topics
datastore use-one-defer-q
Description
The no option enables dual queues of the disk I/O subsystem to give priority to writes over reads
when the disk is backed up, to free memory.
Before you enable the set of data replication commands, please contact Riverbed Technical
Support at https://support.riverbed.com.
Syntax
Parameters
None
Usage
Use this command if you are experiencing a gradual decline in optimization over time when using
DR applications.
For detailed information about the set of data replication commands, please contact Riverbed
Technical Support at https://support.riverbed.com.
Example
Product
Steelhead appliance
Related Topics
For detailed information about configuring the Steelhead appliance for FIPS-mode, see the FIPS/CC
Administrators Guide.
Syntax
Parameters
<password>
Usage
This command ensures that the Steelhead appliance does not allow changes to the boot order so
that the system is FIPS/CC compliant.
The reset factory command automatically sets the boot order. If you have been running the
Steelhead appliance in non-FIPS mode, you must execute the reset factory command to return the
system to the factory default settings. For detailed information about configuring a FIPS-mode
system, see the FIPS/CC Administrators Guide.
Example
Product
Steelhead appliance
Related Topics
show info
reset factory
Description
Resets all configurable parameters in the Steelhead appliance to the manufactured default settings
and halts the appliance.
Syntax
Parameters
reload
Reboots the system. You must reboot the system after executing the reset factory command.
Usage
The reset factory reload command ensures that the Steelhead appliance is FIPS/CC compliant by
resetting the appliance to its default manufactured state, thereby eliminating sensitive security
parameters and features that are unsupported by FIPS/CC.
For FIPS/CC compliance, many RiOS features must be disabled (for example, IPSec, Telnet access,
SNMPv2 and v3, and HTTP). Because many of these features are disabled by default, you do not
need to take any action to be FIPS/CC compliant. However, if you have been running the
Steelhead appliance in non-FIPS/CC mode, you must execute the reset factory command to reset
all Steelhead appliance configurable parameters to their default settings.
After you execute the reset factory command and reboot the system, you must reconfigure the
system using the configuration wizard. The configuration wizard appears automatically after you
reboot the system. In addition, you must enable features such as HTTPS, TLSv1, SSH v2, and
configure FIPS/CC approved ciphers. You must also configure your system so that it is FIPS/CC
compliant for Web and remote CLI access.
For complete instructions about configuring a FIPS/CC-mode system, see the FIPS/CC
Administrators Guide.
Example
Product
Steelhead appliance
Related Topics
show info
Configures the SSH server to accept only v2 connections of the SSH protocol.
Syntax
Parameters
None
Usage
FIPS-mode requires that remote SSH daemon connections use v2 of the SSH protocol. FIPS/CC
mandates that remote SSH daemon connections do not use v1.33 or v1.5 of the SSH protocol.
These versions of the SSH protocol are not considered cryptographically safe according to FIPS/CC.
To verify that the system is running SSH v2, telnet to port 22 on the system and check the protocol version in the banner that the SSH server returns:
# telnet perf4-sh5 22
Trying 10.0.12.2...
Connected to perf4-sh5.tech.com (10.0.12.2).
Escape character is '^]'.
SSH-2.0-OpenSSH_5.2
For detailed information about configuring a FIPS/CC-mode system, see the FIPS/CC
Administrators Guide.
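The banner check above can be scripted. The following is an added example, not part of the Riverbed manual: it parses the SSH identification string and fails a server that announces SSH-1.99, which under RFC 4253 means it also accepts v1 clients. The function names and the banners marked as constructed are assumptions of this sketch.

```python
import re
import socket

# Identification string format (RFC 4253, section 4.2):
#   SSH-protoversion-softwareversion SP comments CR LF
IDENT_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: .*)?$")


def parse_ident(text):
    """Return (major, minor, software) for the first SSH identification line.

    A server may send other lines before its identification string, and a
    telnet client prints its own status lines, so anything that does not
    look like "SSH-x.y-..." is skipped. Returns None if nothing matches.
    """
    for line in text.splitlines():
        match = IDENT_RE.match(line.strip())
        if match:
            return int(match.group(1)), int(match.group(2)), match.group(3)
    return None


def classify(text):
    """Map a banner to 'v2-only', 'v1-and-v2', 'v1-only', 'unknown' or 'not-ssh'."""
    ident = parse_ident(text)
    if ident is None:
        return "not-ssh"
    major, minor, _software = ident
    if major == 2:
        return "v2-only"
    if (major, minor) == (1, 99):
        # Compatibility marker: the server speaks v2 but still accepts v1.
        return "v1-and-v2"
    if major == 1:
        return "v1-only"      # covers the v1.33 and v1.5 cases named above
    return "unknown"


def ssh_v2_only(text):
    """True only when the banner shows the server refuses SSH v1."""
    return classify(text) == "v2-only"


def fetch_banner(host, port=22, timeout=5.0):
    """Read the first bytes an SSH server sends (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(256).decode("ascii", errors="replace")


# The telnet output shown in the manual.
MANUAL_TRANSCRIPT = (
    "Trying 10.0.12.2...\n"
    "Connected to perf4-sh5.tech.com (10.0.12.2).\n"
    "Escape character is '^]'.\n"
    "SSH-2.0-OpenSSH_5.2\n"
)

# Constructed banners for the failing cases (not taken from any real host).
CONSTRUCTED_BANNERS = {
    "dual-protocol server": "SSH-1.99-OpenSSH_3.9p1\r\n",
    "v1-only server": "SSH-1.5-1.2.27\r\n",
    "not an SSH service": "220 ftp service ready\r\n",
}

if __name__ == "__main__":
    print("manual transcript:", classify(MANUAL_TRANSCRIPT))
    for label, banner in CONSTRUCTED_BANNERS.items():
        print(label + ":", classify(banner))
```

To check a live appliance, pass the output of fetch_banner(host) to ssh_v2_only().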
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<cipher list>
Usage
FIPS-mode requires the use of strong ciphers. Use this command to configure FIPS/CC compliant
ciphers.
For detailed information about configuring a FIPS/CC-mode system, see the FIPS/CC
Administrators Guide.
Example
Product
Steelhead appliance
Related Topics
Enables fail-to-block mode. With fail-to-block, in the event of an optimization service failure or a
hardware failure, network traffic is stopped. With fail-to-bypass mode, in the event of a failure,
traffic is passed through the Steelhead appliance (as if it were a network wire).
Syntax
Parameters
None
Usage
FIPS-mode requires that you configure each network interface card (NIC) in the Steelhead
appliance to block traffic (fail-to-block) when the appliance hardware or software fails. With fail-to-block, in the event of an optimization service failure or a hardware failure, network traffic is
stopped. With fail-to-bypass mode, in the event of a failure, traffic is passed through the Steelhead
appliance (as if it were a network wire).
A Steelhead appliance can have multiple NICs, some of which may or may not support the
fail-to-block mode. The following table is an overview of cards that physically support fail-to-block on all compatible Steelhead appliance platforms. For detailed information on configuring
the fail-to-block feature, see the Bypass Card Installation Guide.
For detailed information about configuring a FIPS-mode system, see the FIPS/CC Administrators
Guide.
Example
Product
Steelhead appliance
Related Topics
None
Syntax
Parameters
None
Usage
For FIPS/CC compliance, password files must be SHA-512 encrypted. If you have been running
the Steelhead appliance in non-FIPS mode, when you execute the reset factory command the
Steelhead appliance password files are SHA-512 encrypted.
For detailed information about configuring a FIPS/CC-mode system, see the FIPS/CC
Administrators Guide.
Example
Product
Steelhead appliance
Related Topics
Syntax
Parameters
<cipher list>
Usage
FIPS-mode requires the use of strong ciphers. Riverbed recommends you specify:
TLSv1:!NULL:!EXPORT:!MD5:!RC4:!LOW
Product
Steelhead appliance
Related Topics
Syntax
Parameters
None
Usage
FIPS mandates that Web-based communication into the Steelhead appliance use TLS v1.0 or later. You
must execute this command for your system to be in FIPS/CC-mode.
For detailed information about configuring a FIPS/CC-mode system, see the FIPS/CC
Administrators Guide.
Example
Product
Steelhead appliance
Related Topics
show web
Syntax
Parameters
None
Usage
FIPS mandates that all Web-based communication into the Steelhead appliance use TLS v1.0 or
later. You must execute this command for your system to be in FIPS/CC-mode.
For detailed information about configuring a FIPS/CC-mode system, see the FIPS/CC
Administrators Guide.
Example
Product
Steelhead appliance
Related Topics
show web
Syntax
Parameters
None
Usage
FIPS mandates that all Web-based communication into the Steelhead appliance use TLS v1.0 or
later. You must execute this command for your system to be in FIPS/CC-mode.
For detailed information about configuring a FIPS/CC-mode system, see the FIPS/CC
Administrators Guide.
Example
Product
Steelhead appliance
Related Topics
show web
NOTE: You must also set up the host and networking configuration, configure in-path interfaces, and configure in-path
rules for deployments that use the Interceptor appliance for load-balancing. For documentation of these commands,
refer to previous sections in this chapter.
Load-Balancing Commands
Moves the order of the rule in the rule list to the specified number.
Syntax
Parameters
rulenum <rulenum> to
<rulenum>
Example
Product
Interceptor appliance
Related Topics
Creates load balancing rules. The Interceptor appliance processes load-balancing rules as follows:
Redirect rule matches and target
Steelhead appliance available.
No rules specified.
Syntax
load balance rule [redirect | pass] [src <subnet>/<mask>] [dest <subnet>/<mask>] [dest-port
<port>] [addrs <ip>] [description <string>] [vlan <vlan number>]
Parameters
[redirect | pass]
[src <subnet>/<mask>]
[dest <subnet>/<mask>]
[dest-port <port>]
[addrs <ip>]
[description <string>]
[vlan <vlan-number>]
Usage
Load-balancing rules define the characteristics by which traffic is selected for load balancing and
the availability of LAN-side Steelhead appliances for such traffic.
Typically, your rules list should:
- account for traffic over all subnets and ports that have been selected for redirection.
- account for all Steelhead appliances you have configured as neighbor peers to be targets of
  redirect rules or reserved for the automatic load-balancing rule.
  If a neighbor Steelhead appliance is specified as a target for a rule, it is reserved for traffic that
  matches that rule and is not available to the pool used for automatic load-balancing.
  If a neighbor Steelhead appliance is not specified as a target for a rule, it is available for
  automatic load balancing.
- account for second-preference cases where you would rather pass-through traffic than tax the
  autoload-balancing pool.
Example
minna (config) # load balance rule redirect src 10.0.0.0/16 dest 10.0.0.1/16 dest-port 1240 description test vlan 12 addrs 10.0.0.3 10.0.0.4 10.0.0.5
minna (config) #
Product
Interceptor appliance
Related Topics
Syntax
Parameters
<num>
<desc>
Example
Product
Interceptor appliance
Related Topics
Syntax
Parameters
interface <iface>
Usage
Make sure you configure the Steelhead appliance to communicate with this Interceptor appliance
on this interface when you configure Steelhead-to-Interceptor communication.
Assume you want to configure peering between Interceptor A (with primary interface 10.10.10.1,
inpath0_0 interface 10.10.10.2, inpath0_1 interface 10.10.10.3) and Steelhead Z (with primary
interface 10.10.10.21, inpath0_0 10.10.10.22, inpath0_1 interface 10.10.10.23).
1. Log into the CLI for Interceptor A.
2. Specify which in-path interface on Interceptor A to use for Interceptor-to-Steelhead peering.
in-path neighbor interface inpath0_0
3. Add Steelhead Z as a peer by specifying the IP address for the Steelhead Z inpath0_0 interface.
in-path neighbor peer addr 10.10.10.22
Example
Product
Interceptor appliance
Related Topics
show in-path neighbor (Interceptor), show in-path neighbor peers, show in-path rules,
show in-path interfaces (Interceptor)
Syntax
Parameters
addr <ip>
port
paused
Usage
Example
Product
Interceptor appliance
Related Topics
show in-path neighbor (Interceptor), show in-path neighbor peers, show in-path rules,
show in-path interfaces (Interceptor)
Syntax
[no] in-path rule redirect src <subnet> dest <subnet> dest-port <port> [rulenum <num>] [vlan
<vlan tag ID>] [description <description>]
Parameters
src <subnet>
rulenum <rulenum>
Specifies the order in which the rule is consulted: 1-n or start or end.
The list is reordered after you execute this command. For example, if
your command specifies rulenum 3, then the new rule will be #3, the
former #3 rule will be #4, and so forth.
The start value specifies the rule to be the first rule and end specifies it to
be the last rule.
If you do not specify a rule number, the rule is added to the end of the
list.
vlan <vlan tag ID>
Specifies the VLAN tag ID (if any). The VLAN identification number is a
value with a range from 0-4094. Specify 0 to mark the link untagged.
description <description>
Usage
The in-path rules table is a list of rules for determining how the Riverbed system handles network
connection requests. The system either optimizes the traffic, passes it through unoptimized,
discards the connection, or denies the connection.
An in-path rule redirect command selects traffic to be optimized when your deployment includes
Interceptor load balancing. The connections selected by the in-path rule redirect command are
load-balanced according to rules you specify in the load-balance rules table.
The Interceptor appliance evaluates rules in numerical order starting with rule 1. If the conditions
set in the rule match, then the rule is applied, and the system moves on to the next packet. If the
conditions set in the rule do not match, the system consults the next rule. For example, if the
conditions of rule 1 do not match, rule 2 is consulted. If rule 2 matches the conditions, it is applied,
and no further rules are consulted.
In general, filter traffic that is to be unoptimized, discarded, or denied before processing rules for
traffic that is to be optimized. For example, order rules as follows:
1. Pass-through. 2. Discard. 3. Deny. 4. Redirect.
The default rule, Redirect All (all remaining traffic), is listed automatically and should be ordered
last.
The no command option disables the rule. The no command option has the following syntax:
no in-path rule <rulenum>
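The ordering behaviour described above (first match wins, and inserting at a rulenum pushes later rules down) can be modelled to audit a rule list for rules that can never fire. This is an added sketch, not Riverbed code: the Rule and RuleTable classes, the dest_port=0 "any port" convention, the sample subnets, and treating the default Redirect All rule as an implicit final fallback are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class Rule:
    action: str            # "pass-through", "discard", "deny" or "redirect"
    src: str = ANY
    dest: str = ANY
    dest_port: int = 0     # 0 means "any port" (convention of this sketch)

    def matches(self, src_ip, dest_ip, port):
        return (ipaddress.ip_address(src_ip) in _net(self.src)
                and ipaddress.ip_address(dest_ip) in _net(self.dest)
                and self.dest_port in (0, port))

    def covers(self, other):
        """True if every connection that matches `other` also matches self."""
        return (_net(other.src).subnet_of(_net(self.src))
                and _net(other.dest).subnet_of(_net(self.dest))
                and self.dest_port in (0, other.dest_port))


class RuleTable:
    def __init__(self):
        self.rules = []

    def add(self, rule, rulenum=None):
        """Insert as rulenum does: 1-n, "start" or "end"; no rulenum appends."""
        if rulenum in (None, "end"):
            self.rules.append(rule)
        elif rulenum == "start":
            self.rules.insert(0, rule)
        elif isinstance(rulenum, int) and 1 <= rulenum <= len(self.rules) + 1:
            self.rules.insert(rulenum - 1, rule)   # former #n becomes #n+1
        else:
            raise ValueError("rulenum out of range: %r" % (rulenum,))

    def decide(self, src_ip, dest_ip, port):
        """Return (rule number, action) of the first matching rule."""
        for num, rule in enumerate(self.rules, start=1):
            if rule.matches(src_ip, dest_ip, port):
                return num, rule.action
        return None, "redirect"    # implicit default rule, Redirect All

    def shadowed(self):
        """List (rule number, number of the earlier rule that hides it)."""
        found = []
        for j, later in enumerate(self.rules):
            for i, earlier in enumerate(self.rules[:j]):
                if earlier.covers(later):
                    found.append((j + 1, i + 1))
                    break
        return found


def misordered_table():
    """Broad redirect first; the deny is appended because no rulenum is given."""
    table = RuleTable()
    table.add(Rule("redirect", src="10.10.0.0/16"))
    table.add(Rule("deny", src="10.10.10.0/24", dest_port=23))
    return table


def corrected_table():
    """Same two rules, with the deny inserted at rulenum 1."""
    table = RuleTable()
    table.add(Rule("redirect", src="10.10.0.0/16"))
    table.add(Rule("deny", src="10.10.10.0/24", dest_port=23), rulenum=1)
    return table


if __name__ == "__main__":
    conn = ("10.10.10.5", "10.24.24.1", 23)    # constructed sample connection
    for name, table in (("misordered", misordered_table()),
                        ("corrected", corrected_table())):
        print(name, table.decide(*conn), "shadowed:", table.shadowed())
```

A non-empty shadowed() result is the cue to reorder the list so that pass-through, discard and deny rules precede redirect rules.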
Example
minna (config) # in-path rule redirect src 10.10.10.1/32 port 2121 dest
10.24.24.24.1/32 dest-port rulenum 5
minna (config) #
Product
Interceptor appliance
Related Topics
in-path rule deny, in-path rule discard, in-path rule pass-through, load balance rule
redirect allow-failure
Description
Syntax
Parameters
None
Usage
Run this command on all Interceptor appliances on the active and passive links. You must also run
the command in-path neighbor allow-failure on all Steelhead appliances that point to the
Interceptor appliances on which you ran this command.
The no command option disables the command.
Example
Product
Interceptor appliance
Related Topics
show redirect
redirect interface
Description
Syntax
Parameters
<iface>
Example
Product
Interceptor appliance
Related Topics
show redirect
Specifies the name of the interface the appliance uses to communicate with peer
Interceptor appliances. Your selection must be implemented system-wide. For example,
if you decide for Interceptor A to use inpath0_0, you must specify inpath0_0 when you
run this command on Interceptor B and any other Interceptor appliance in your
deployment.
Syntax
Parameters
addr <ip>
port <port>
Usage
The no command option disables the connection to the peer Interceptor appliance.
Assume you want to configure peering between Interceptor A (with primary interface 10.10.10.1,
inpath0_0 interface 10.10.10.2, inpath0_1 interface 10.10.10.3) and Interceptor B (with primary
interface 10.10.10.11, inpath0_0 10.10.10.12, inpath0_1 interface 10.10.10.13).
1. Log into the CLI for Interceptor A.
2. Specify which in-path interface on Interceptor A to use for Interceptor-to-Interceptor peering.
redirect interface inpath0_0
3. Add Interceptor B as a peer by specifying the IP address for the Interceptor B inpath0_0 interface.
redirect peer addr 10.10.10.12
6. Add Interceptor A as a peer by specifying the IP address for the Interceptor A inpath0_0 interface:
redirect peer addr 10.10.10.2
Example
Product
Interceptor appliance
Related Topics
Debugging Commands
Syntax
Parameters
Example
Product
Interceptor appliance
Related Topics
file debug-dump delete, file debug-dump email, file debug-dump upload
stats alarm
Description
Syntax
Parameters
<type>
admission_conn
admission_mem
bypass
cpu_util_indiv
duplex
fan_error
fs_mnt
ipmi
link_propagation
linkstate
memory_error
paging
power_supply
<options>
Usage
Critical temperature settings cannot be changed. Warning temperature settings can be changed.
The no command option disables all statistical alarms. The no stats alarm <type> enable
command disables specific statistical alarms.
Example
Product
Related Topics
show stats
Export Commands
export appliance
Description
Exports appliance information for CMC managed appliances to a remote email address or SCP/
FTP location.
Syntax
Parameters
to-file <URL or scp://username:password@hostname/path/filename> html | csv
Example
Product
CMC appliance
Related Topics
export stats
export stats
Description
Exports statistics information for CMC managed appliances to a remote email address or SCP/
FTP location.
Syntax
export stats <quoted list of groups separated by /> <period over which to export, in seconds>
<granularity of the exported stat, in seconds> to-email <email addr> html | csv <bandwidth |
throughput | data-reduction | conn-history | traffic-summary> | to-file <URL or
scp://username:password@hostname/path/filename> html | csv <bandwidth | throughput |
data-reduction | conn-history | traffic-summary>
Parameters
Example
Product
CMC appliance
Related Topics
export appliance
CHAPTER 5
Troubleshooting
In This Chapter
This chapter contains a table of commands to provide a quick reference for troubleshooting.
Commands
General
reload
service enable
Connectivity Issue
ping
traceroute
show arp
Data Store
show datastore
Optimization Service
show in-path
show in-path cdp
show out-of-path
show in-path rules
show peers
show service
show wccp
show licenses
Problem
Commands
Hardware
Protocol Specific
show failover
show in-path asym-route-tab
show in-path neighbor (Steelhead)
show in-path neighbor (Interceptor)
show stats
RAID
show images
show bootvar
tcpdump
APPENDIX A
Riverbed Ports
In This Appendix
This appendix describes the Steelhead appliance default and supported secure ports. It includes the
following sections:
Default Ports
The following table summarizes Steelhead appliance default ports with the port label: RBT-Proto.
Default Ports
Description
7744
7800
7801
NAT port.
7810
7820
7830
7840
NSPI port.
7850
7860
Interceptor appliance
7870
IMPORTANT: For two Steelhead appliances to optimize traffic, ports 7800 and 7810 must be passed through firewall
devices located between the pair of Steelhead appliances. Also, SYN and SYN/ACK packets with the TCP option 76
must be passed through firewalls for autodiscovery to function properly. For the Steelhead Central Management
Console (CMC), port 22 must be passed through the firewall for it to function properly.
21 (FTP)
80 (HTTP)
139 (CIFS:NETBIOS)
445 (CIFS:TCP)
1433 (SQL:TDS)
7830 (MAPI)
Ports
Cisco IPTel
2000
TIP: If you do not want to automatically forward these ports, simply delete the Interactive rule in the Management
Console.
The following table lists the interactive ports that are automatically forwarded by the Steelhead appliance.
Port
Description
TCP ECHO
23
Telnet
37
UDP/Time
107
179
513
Remote Login
514
Shell
1494
Citrix
1718-1720
h323gatedisc
2000-2003
Cisco SCCp
2427
2598
Citrix
2727
3389
5060
SIP
5631
PC Anywhere
5900-5903
VNC
6000
X11
TIP: If you do not want to automatically forward these ports, simply delete the Secure rule in the Management
Console.
The following table lists the common secure ports that are automatically forwarded by the Steelhead
appliance.
Type              Port        Description
ssh               22/tcp
tacacs            49/tcp      TACACS+
https             443/tcp
smtps             465/tcp
nntps             563/tcp
imap4-ssl         585/tcp
sshell            614/tcp     SSLshell
ldaps             636/tcp
ftps-data         989/tcp
ftps              990/tcp
telnets           992/tcp
imaps             993/tcp
pop3s             995/tcp
l2tp              1701/tcp    l2tp
pptp              1723/tcp    pptp
tftps             3713/tcp
The following table contains the uncommon ports automatically forwarded by the Steelhead appliance.
Type              Port        Description
nsiiops           261/tcp
ddm-ssl           448/tcp
corba-iiop-ssl    684/tcp
ieee-mms-ssl      695/tcp     IEEE-MMS-SSL
ircs              994/tcp
njenet-ssl        2252/tcp
ssm-cssps         2478/tcp
ssm-els           2479/tcp
giop-ssl          2482/tcp
ttc-ssl           2484/tcp
syncserverssl     2679/tcp
dicom-tls         2762/tcp    DICOM TLS
realsecure        2998/tcp    Real Secure
orbix-loc-ssl     3077/tcp
orbix-cfg-ssl     3078/tcp
cops-tls          3183/tcp    COPS/TLS
csvr-sslproxy     3191/tcp
xnm-ssl           3220/tcp
msft-gc-ssl       3269/tcp
networklenss      3410/tcp
xtrms             3424/tcp
jt400-ssl         3471/tcp    jt400-ssl
seclayer-tls      3496/tcp
vt-ssl            3509/tcp
jboss-iiop-ssl    3529/tcp    JBoss IIOP/SSL
ibm-diradm-ssl    3539/tcp
can-nds-ssl       3660/tcp
can-ferret-ssl    3661/tcp
linktest-s        3747/tcp
asap-tcp-tls      3864/tcp
topflow-ssl       3885/tcp    TopFlow SSL
sdo-tls           3896/tcp
sdo-ssh           3897/tcp
iss-mgmt-ssl      3995/tcp
suucp             4031/tcp
wsm-server-ssl    5007/tcp
sip-tls           5061/tcp    SIP-TLS
imqtunnels        7674/tcp
davsrcs           9802/tcp
intrepid-ssl      11751/tcp   Intrepid SSL
rets-ssl          12109/tcp
APPENDIX B
Riverbed MIB
In This Appendix
This appendix describes the Riverbed Enterprise SNMP MIB. It contains the following sections:
You can download the Steelhead Enterprise MIB (STEELHEAD-MIB.txt) from the help page of the
Management Console or from the Riverbed Technical Support site at https://support.riverbed.com and
load it into any MIB browser utility.
Some utilities might expect a file type other than a text file. If this occurs, change the file type to the one
expected.
Some utilities assume that the root is mib-2 by default. If the utility sees a new node, such as
enterprises, it might look under mib-2.enterprises. If this occurs, use
.iso.org.dod.internet.private.enterprises.rbt as the root.
Some command-line browsers might not load all MIB files by default. If this occurs, find the
appropriate command option to load the STEELHEAD-MIB.txt file. For example, for NET-SNMP
browsers: snmpwalk -m all
SNMP Traps
Alarms fire for their event only. If a service alarm is fired indicating that the service has halted, no alarm is
fired when the service returns to normal operation.
The following table summarizes the SNMP traps sent out from the system to configured trap receivers.
Trap
Text
Description
procCrash
(enterprises.17163.1.1.4.1)
procExit
(enterprises.17163.1.1.4.2)
cpuUtil
(enterprises.17163.1.1.4.3)
pagingActivity
(enterprises.17163.1.1.4.4)
smartError
(enterprises.17163.1.1.4.5)
peerVersionMismatch
(enterprises.17163.1.1.4.6)
bypassMode
(enterprises.17163.1.1.4.7)
raidError
(enterprises.17163.1.1.4.8)
storeCorruption
(enterprises.17163.1.1.4.9)
admissionMemError
(enterprises.17163.1.1.4.10)
admissionConnError
(enterprises.17163.1.1.4.11)
Admission control
connections alarm has been
triggered.
haltError
(enterprises.17163.1.1.4.12)
serviceError
(enterprises.17163.1.1.4.13)
scheduledJobError
(enterprises.17163.1.1.4.14)
confModeEnter
(enterprises.17163.1.1.4.15)
confModeExit
(enterprises.17163.1.1.4.16)
linkError
(enterprises.17163.1.1.4.0.17)
nfsV2V4
(enterprises.17163.1.1.4.0.18)
powerSupplyError
(enterprises.17163.1.1.4.0.19)
asymRouteError
(enterprises.17163.1.1.4.0.20)
fanError
(enterprises.17163.1.1.4.0.21)
memoryError
(enterprises.17163.1.1.4.0.22)
ipmi
(enterprises.17163.1.1.4.0.23)
configChange
(enterprises.17163.1.1.4.0.24)
datastoreWrapped
(enterprises.17163.1.1.4.0.25)
temperatureCritical
(enterprises.17163.1.1.4.0.26)
cpuUtilClear
(enterprises.17163.1.1.4.0.27)
    DESCRIPTION
        "Current status of the optimization service"
    ::= { status 3 }

serviceUptime OBJECT-TYPE
    SYNTAX      TimeTicks
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Uptime of the optimization service"
    ::= { status 4 }

procTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF ProcEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Table containing information about the various
        managed processes"
    ::= { status 5 }

procEntry OBJECT-TYPE
    SYNTAX      ProcEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Entry for one process"
    INDEX       { procIndex }
    ::= { procTable 1 }

ProcEntry ::=
    SEQUENCE {
        procIndex           Unsigned32,
        procName            OCTET STRING,
        procStatus          OCTET STRING,
        procNumFailures     Unsigned32
    }

procIndex OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Synthetic numeric unique ID of process"
    ::= { procEntry 1 }

procName OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Unique name of process"
    ::= { procEntry 2 }

procStatus OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Current state of process"
    ::= { procEntry 3 }

procNumFailures OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Number of times process has crashed or exited unexpectedly"
    ::= { procEntry 4 }

peerStatus OBJECT IDENTIFIER
    ::= { status 6 }

peerTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF PeerEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "A table containing information about the various peer
        appliances"
    ::= { peerStatus 1 }

peerEntry OBJECT-TYPE
    SYNTAX      PeerEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Entry for one peer"
    INDEX       { peerIndex }
    ::= { peerTable 1 }

PeerEntry ::=
    SEQUENCE {
        peerIndex       Unsigned32,
        peerHostname    OCTET STRING,
        peerVersion     OCTET STRING,
        peerAddress     IpAddress,
        peerModel       OCTET STRING
    }

peerIndex OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
        "Index of peer"
    ::= { peerEntry 1 }

peerHostname OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Hostname of peer"
    ::= { peerEntry 2 }

peerVersion OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "System software version of peer"
    ::= { peerEntry 3 }

peerAddress OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "IP address of peer"
    ::= { peerEntry 4 }

peerModel OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Model of peer"
    ::= { peerEntry 5 }

systemHealth OBJECT-TYPE
    SYNTAX      INTEGER {
                    healthy (10000),
                    degraded (30000),
                    admissionControl (31000),
                    critical (50000)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Current health of the system. This variable is identical to
        health except that it is of integer datatype"
    ::= { status 7 }

optServiceStatus OBJECT-TYPE
    SYNTAX      INTEGER {
                    none (0),
                    unmanaged (1),
                    running (2),
                    sentTerm1 (3),
                    sentTerm2 (4),
                    sentTerm3 (5),
                    pending (6),
                    stopped (7)
                }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Status of the optimization service. This variable is identical to
        serviceStatus except that it is of integer datatype"
    ::= { status 8 }

--
-- CONFIG
--

activeConfig OBJECT-TYPE
    SYNTAX      OCTET STRING
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Name of the currently active configuration"
    ::= { config 1 }

inpath OBJECT IDENTIFIER
    ::= { config 2 }

inpathSupport OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "In-path support"
    ::= { inpath 1 }

outofpath OBJECT IDENTIFIER
    ::= { config 3 }

outofpathSupport OBJECT-TYPE
    SYNTAX      Unsigned32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
        "Out-of-path support"
    ::= { outofpath 1 }

--
-- ALARMS
--

alarmsPrefix OBJECT IDENTIFIER
    ::= { alarms 0 }

procCrash NOTIFICATION-TYPE
    OBJECTS { procName }
    STATUS current
    DESCRIPTION
        "A procCrash trap signifies that a process managed by PM
        has crashed and left a core file. The variable sent with
        the notification indicates which process crashed."
    ::= { alarmsPrefix 1 }

procExit NOTIFICATION-TYPE
    OBJECTS { procName }
    STATUS current
    DESCRIPTION
        "A procExit trap signifies that a process managed by PM
        has exited unexpectedly, but not left a core file.
        The variable sent with the notification indicates
        which process exited."
    ::= { alarmsPrefix 2 }

cpuUtil NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION
        "The average CPU utilization in the past minute has gone
        above the acceptable threshold"
    ::= { alarmsPrefix 3 }

pagingActivity NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION
        "The system has been paging excessively (thrashing)"
    ::= { alarmsPrefix 4 }

smartError NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION
        "SMART has sent an event about a possible disk error"
    ::= { alarmsPrefix 5 }

peerVersionMismatch NOTIFICATION-TYPE
    OBJECTS { systemVersion }
    STATUS current
    DESCRIPTION
        "Detected a peer with a mismatched software version"
    ::= { alarmsPrefix 6 }

bypassMode NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION
        "Traffic is being passed through"
    ::= { alarmsPrefix 7 }

raidError NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION
        "An error has been generated by the RAID array"
    ::= { alarmsPrefix 8 }

storeCorruption NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION
        "The data store is corrupted"
    ::= { alarmsPrefix 9 }

admissionMemError NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION
        "Memory pressure is high. No additional connections will be
        optimized"
    ::= { alarmsPrefix 10 }

admissionConnError NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION
        "Connection limit reached. No additional connections will be
        optimized"
    ::= { alarmsPrefix 11 }

haltError NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION
        "The service is halted due to a software error"
    ::= { alarmsPrefix 12 }

serviceError NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION
        "There has been a non-fatal optimization service error.
        Please consult the log file"
    ::= { alarmsPrefix 13 }

scheduledJobError NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION
        "A scheduled job has failed during execution"
    ::= { alarmsPrefix 14 }

confModeEnter NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION
        "A user has entered configuration mode"
    ::= { alarmsPrefix 15 }

confModeExit NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION
        "A user has exited configuration mode"
    ::= { alarmsPrefix 16 }
linkError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An interface on the appliance has lost its link"
::= { alarmsPrefix 17 }
nfsV2V4 NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"NFS v2/v4 alarm notification"
::= { alarmsPrefix 18 }
powerSupplyError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A power supply on the appliance has failed" -- Not supported on all models
::= { alarmsPrefix 19 }
asymRouteError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Asymmetric routes have been detected,certain connections might
not have been optimized because of this."
::= { alarmsPrefix 20 }
fanError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A fan has failed on this appliance" -::= { alarmsPrefix 21 }
memoryError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A memory error has been detected on the appliance" -- Not supported on all models
::= { alarmsPrefix 22 }
ipmi NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An IPMI event has been detected on the appliance. Please check
the details in the alarm report on the web UI" -- Not supported on all models
::= { alarmsPrefix 23 }
cpuUtilClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The average CPU utilization has fallen back
within the acceptable threshold"
::= { alarmsPrefix 1003 }
pagingActivityClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The system has stopped paging excessively (thrashing)"
::= { alarmsPrefix 1004 }
peerVersionMismatchClear NOTIFICATION-TYPE
OBJECTS { systemVersion }
STATUS current
356
B - RIVERBED MIB
DESCRIPTION
"All peers are compatible"
::= { alarmsPrefix 1006 }
bypassModeClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Traffic is now being optimized"
::= { alarmsPrefix 1007 }
raidErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A RAID error has been cleared"
::= { alarmsPrefix 1008 }
storeCorruptionClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The data store is normal"
::= { alarmsPrefix 1009 }
admissionMemErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Admission control memory alarm has been cleared,
and the optimization service is running normally"
::= { alarmsPrefix 1010 }
admissionConnErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Admission control connections alarm has been cleared,
and the service is running normally"
::= { alarmsPrefix 1011 }
haltErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The service is now running normally"
::= { alarmsPrefix 1012 }
serviceErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The service is now running normally"
::= { alarmsPrefix 1013 }
linkErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An interface on the appliance has regained its link"
::= { alarmsPrefix 1017 }
nfsV2V4Clear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"NFS v2/v4 alarm has been cleared"
::= { alarmsPrefix 1018 }
powerSupplyErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"All power supplies are now functioning normally" -- Not supported on all models
Unsigned32,
Unsigned32,
Unsigned32,
Unsigned32,
Unsigned32
cpuIndivIndex OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"A synthetic number numbering the cpus"
::= { cpuIndivUtilEntry 1 }
cpuIndivId OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Name of the cpu, also serves as the Index for the table"
::= { cpuIndivUtilEntry 2 }
cpuIndivIdleTime OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Idle time for this CPU"
::= { cpuIndivUtilEntry 3 }
cpuIndivSystemTime OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"System time for this CPU"
::= { cpuIndivUtilEntry 4 }
cpuIndivUserTime OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"User time for this CPU"
::= { cpuIndivUtilEntry 5 }
connectionCounts OBJECT IDENTIFIER
::= { statistics 2 }
optimizedConnections OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current total number of optimized connections"
::= { connectionCounts 1 }
passthroughConnections OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current total number of pass-through connections"
::= { connectionCounts 2 }
halfOpenedConnections OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current total number of half-opened (optimized) connections"
::= { connectionCounts 3 }
halfClosedConnections OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current total number of half-closed (optimized) connections"
::= { connectionCounts 4 }
establishedConnections OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current number of established (optimized) connections"
::= { connectionCounts 5 }
activeConnections OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current number of active (optimized) connections"
::= { connectionCounts 6 }
totalConnections OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Total number of connections"
::= { connectionCounts 7 }
Unsigned32,
bwPortInLan Counter32,
bwPortInWan Counter32,
bwPortOutLan Counter32,
bwPortOutWan Counter32,
bwPortNumber Unsigned32,
}
bwPort OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Index for the table"
::= { bwPortEntry 1 }
bwPortInLan OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Bytes from Wan to Lan on the LAN side,
since last restart of service"
::= { bwPortEntry 2 }
bwPortInWan OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Bytes from Wan to Lan on the WAN side,
since last restart of service"
::= { bwPortEntry 3 }
bwPortOutLan OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Bytes from Lan to Wan on the LAN side,
since last restart of service"
::= { bwPortEntry 4 }
bwPortOutWan OBJECT-TYPE
SYNTAX
Counter32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Bytes from Lan to Wan on the WAN side,
since last restart of service"
::= { bwPortEntry 5 }
bwPortNumber OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Port Number on which the traffic is observed"
::= { bwPortEntry 6 }
bandwidthPassThrough OBJECT IDENTIFIER
::= { bandwidth 3 }
bwPassThroughIn OBJECT-TYPE
SYNTAX
Counter64
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Amount of incoming passthrough traffic"
::= { bandwidthPassThrough 1 }
bwPassThroughOut OBJECT-TYPE
SYNTAX
Counter64
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Amount of outgoing pass through traffic"
::= { bandwidthPassThrough 2 }
bwPassThroughTotal OBJECT-TYPE
SYNTAX
Counter64
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Total pass through traffic"
::= { bandwidthPassThrough 3 }
datastore OBJECT IDENTIFIER
::= { statistics 4 }
hitsTotal OBJECT-TYPE
SYNTAX
Counter64
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Total number of datastore hits since last restart of service"
::= { datastore 1 }
missTotal OBJECT-TYPE
SYNTAX
Counter64
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Total number of datastore misses since last restart of service"
::= { datastore 2 }
END
balajir@riverbed.com"
DESCRIPTION
"Riverbed Technology INTERCEPTOR MIB"
REVISION
"200701170000Z"
DESCRIPTION
"Riverbed Interceptor 1.1 Revisions"
REVISION
"200602030000Z"
DESCRIPTION
"Riverbed Interceptor 1.0 MIB"
::= { products 3 }
system OBJECT IDENTIFIER
::= { interceptor 1 }
status OBJECT IDENTIFIER
::= { interceptor 2 }
config OBJECT IDENTIFIER
::= { interceptor 3 }
alarms OBJECT IDENTIFIER
::= { interceptor 4 }
statistics OBJECT IDENTIFIER
::= { interceptor 5 }
-- SYSTEM
model OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Appliance model"
::= { system 1 }
serialNumber OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Appliance serial number"
::= { system 2 }
systemVersion OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"System software version string"
::= { system 3 }
-- STATUS
systemClock OBJECT-TYPE
SYNTAX
DateAndTime
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
Unsigned32,
OCTET STRING,
OCTET STRING,
Unsigned32
procIndex OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Synthetic numeric unique ID of process"
::= { procEntry 1 }
procName OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Unique name of process"
::= { procEntry 2 }
procStatus OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current state of process"
::= { procEntry 3 }
procNumFailures OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Number of times process has crashed or exited unexpectedly"
::= { procEntry 4 }
neighborTable OBJECT-TYPE
SYNTAX
SEQUENCE OF NeighborEntry
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"List of managed steelheads"
::= { status 6 }
neighborEntry OBJECT-TYPE
SYNTAX
NeighborEntry
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Entry for one steelhead"
INDEX
{ neighborId }
::= { neighborTable 1 }
NeighborEntry ::=
SEQUENCE {
neighborIndex Unsigned32,
neighborId Unsigned32,
neighborName OCTET STRING,
neighborConnectionCount Unsigned32,
neighborConnectionEnable Unsigned32,
}
neighborIndex OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Synthetic numeric unique ID of steelhead"
::= { neighborEntry 1 }
neighborId OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Synthetic numeric unique ID of steelhead"
::= { neighborEntry 2 }
neighborName OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"Unique name of steelhead"
::= { neighborEntry 3 }
neighborConnectionCount OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"The number of optimized connections"
::= { neighborEntry 4 }
neighborConnectionEnable OBJECT-TYPE
SYNTAX
Unsigned32
MAX-ACCESS not-accessible
STATUS
current
DESCRIPTION
"The number of connections to trigger admission control"
::= { neighborEntry 5 }
-- CONFIG
activeConfig OBJECT-TYPE
SYNTAX
OCTET STRING
MAX-ACCESS read-only
STATUS
current
DESCRIPTION
"Current active configuration"
::= { config 1 }
-- ALARMS
alarmsPrefix OBJECT IDENTIFIER
::= { alarms 1 }
procCrash NOTIFICATION-TYPE
OBJECTS { procIndex, procName }
STATUS current
DESCRIPTION
"A procCrash trap signifies that a process managed by PM
has crashed and left a core file. The variable sent with
the notification indicates which process crashed."
::= { alarmsPrefix 1 }
procExit NOTIFICATION-TYPE
OBJECTS { procIndex, procName }
STATUS current
DESCRIPTION
"A procExit trap signifies that a process managed by PM
has exited unexpectedly, but not left a core file.
The variable sent with the notification indicates
which process exited."
::= { alarmsPrefix 2 }
cpuUtil NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The average CPU utilization in the past minute has gone
above the acceptable threshold"
::= { alarmsPrefix 3 }
pagingActivity NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The system has been paging excessively (thrashing)"
::= { alarmsPrefix 4 }
bypassMode NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The appliance has entered bypass (failthru) mode"
::= { alarmsPrefix 5 }
admissionMemError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Admission control memory alarm has been triggered"
::= { alarmsPrefix 6 }
admissionConnError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Admission control connections alarm has been triggered"
::= { alarmsPrefix 7 }
scheduledJobError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A scheduled job has failed during execution"
::= { alarmsPrefix 8 }
confModeEnter NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A user has entered configuration mode"
::= { alarmsPrefix 9 }
confModeExit NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A user has exited configuration mode"
::= { alarmsPrefix 10 }
linkError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An interface has lost link on the appliance"
::= { alarmsPrefix 11 }
powerSupplyError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A power supply on the appliance has failed. Not supported on all models"
::= { alarmsPrefix 12 }
fanError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A fan error has been detected on the appliance. Not supported on all models"
::= { alarmsPrefix 13 }
memoryError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"A memory error has been detected on the appliance. Not supported on all models"
::= { alarmsPrefix 14 }
ipmi NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An IPMI event has been detected on the appliance. Not supported on all models"
::= { alarmsPrefix 15 }
linkPropagationStateError NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An interface has link propagation state error on the appliance"
::= { alarmsPrefix 16 }
cpuUtilClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The average CPU utilization has fallen back
within the acceptable threshold"
::= { alarmsPrefix 1003 }
pagingActivityClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"The system has stopped paging excessively (thrashing)"
::= { alarmsPrefix 1004 }
bypassModeClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Traffic is now being optimized"
::= { alarmsPrefix 1005 }
admissionMemErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Admission control memory alarm has been cleared,
and the optimization service is running normally"
::= { alarmsPrefix 1006 }
admissionConnErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"Admission control connections alarm has been cleared,
and the service is running normally"
::= { alarmsPrefix 1007 }
linkErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"An interface on the appliance has regained its link"
::= { alarmsPrefix 1011 }
powerSupplyErrorClear NOTIFICATION-TYPE
STATUS current
DESCRIPTION
"All power supplies are now functioning normally" -- Not supported on all models
Riverbed MIB
The following text represents the Riverbed MIB (RBT-MIB.txt).
RBT-MIB DEFINITIONS ::= BEGIN
IMPORTS
OBJECT-TYPE, MODULE-IDENTITY, enterprises FROM SNMPv2-SMI;
rbt MODULE-IDENTITY
LAST-UPDATED
"200604100000Z"
ORGANIZATION
"Riverbed Technology, Inc."
CONTACT-INFO
"
John Cho
jcho@riverbed.com"
DESCRIPTION
"Riverbed Technology MIB"
::= { enterprises 17163 }
products OBJECT IDENTIFIER
::= { rbt 1 }
END
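The listings above give the full OID chain for the Interceptor notifications (rbt = enterprises 17163, products = rbt 1, interceptor = products 3, alarms = interceptor 4, alarmsPrefix = alarms 1). The following added example, which is not part of the Riverbed MIB or of any Riverbed tool, resolves received trap OIDs against that chain, pairs raise and clear notifications, and reports appliances that entered configuration mode without a matching exit. It assumes the trap receiver hands over the snmpTrapOID value as dotted text; the function names and the sample events are constructed for illustration.

```python
# Added example: OID chain copied from the MIB listings above.
# rbt = { enterprises 17163 }, products = { rbt 1 }, interceptor = { products 3 },
# alarms = { interceptor 4 }, alarmsPrefix = { alarms 1 }
ENTERPRISES = (1, 3, 6, 1, 4, 1)
ALARMS_PREFIX = ENTERPRISES + (17163, 1, 3, 4, 1)

# Sub-identifiers under alarmsPrefix, as listed for the Interceptor MIB.
RAISE = {
    1: "procCrash", 2: "procExit", 3: "cpuUtil", 4: "pagingActivity",
    5: "bypassMode", 6: "admissionMemError", 7: "admissionConnError",
    8: "scheduledJobError", 9: "confModeEnter", 10: "confModeExit",
    11: "linkError", 12: "powerSupplyError", 13: "fanError",
    14: "memoryError", 15: "ipmi", 16: "linkPropagationStateError",
}
# powerSupplyErrorClear is left out: its number does not appear in the listing.
CLEAR = {
    1003: "cpuUtilClear", 1004: "pagingActivityClear", 1005: "bypassModeClear",
    1006: "admissionMemErrorClear", 1007: "admissionConnErrorClear",
    1011: "linkErrorClear",
}
# In the listing every clear number is the raise number plus 1000.
CLEARS = {name: RAISE[num - 1000] for num, name in CLEAR.items()}
AUDIT = {"confModeEnter", "confModeExit"}


def parse_oid(text):
    """Turn dotted text (with or without a leading dot) into a tuple of ints."""
    parts = text.strip().lstrip(".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed OID: {text!r}")
    return tuple(int(p) for p in parts)


def resolve(trap_oid):
    """Return (name, kind) for a trap OID, or None if it is not under alarmsPrefix.

    kind is "raise", "clear", "audit" (configuration-mode events) or "unknown".
    """
    oid = parse_oid(trap_oid)
    n = len(ALARMS_PREFIX)
    if len(oid) != n + 1 or oid[:n] != ALARMS_PREFIX:
        return None
    sub = oid[n]
    if sub in RAISE:
        name = RAISE[sub]
        return name, ("audit" if name in AUDIT else "raise")
    if sub in CLEAR:
        return CLEAR[sub], "clear"
    return f"unlisted-{sub}", "unknown"


def track(events):
    """Replay (timestamp, source, trap_oid) tuples in order.

    Returns (open_alarms, in_config, ignored):
      open_alarms  {(source, alarm name): time first raised} with no clear seen
      in_config    {source: time of confModeEnter} with no confModeExit seen
      ignored      events that are malformed, foreign, or unlisted
    """
    open_alarms, in_config, ignored = {}, {}, []
    for ts, src, trap_oid in events:
        try:
            hit = resolve(trap_oid)
        except ValueError:
            hit = None
        if hit is None or hit[1] == "unknown":
            ignored.append((ts, src, trap_oid))
            continue
        name, kind = hit
        if name == "confModeEnter":
            in_config.setdefault(src, ts)
        elif name == "confModeExit":
            in_config.pop(src, None)
        elif kind == "raise":
            open_alarms.setdefault((src, name), ts)
        else:  # clear: close the matching raise, if one is open
            open_alarms.pop((src, CLEARS[name]), None)
    return open_alarms, in_config, ignored


# Constructed sample events (documentation addresses, invented timestamps).
P = "1.3.6.1.4.1.17163.1.3.4.1."
SAMPLE_EVENTS = [
    ("2010-04-01T10:00:00Z", "192.0.2.10", P + "9"),      # confModeEnter
    ("2010-04-01T10:01:00Z", "192.0.2.10", "." + P + "5"),  # bypassMode
    ("2010-04-01T10:02:00Z", "192.0.2.11", P + "11"),     # linkError
    ("2010-04-01T10:03:00Z", "192.0.2.11", P + "1011"),   # linkErrorClear
    ("2010-04-01T10:04:00Z", "192.0.2.10", "1.3.6.1.6.3.1.1.5.1"),  # outside subtree
    ("2010-04-01T10:05:00Z", "192.0.2.12", P + "9"),      # confModeEnter
    ("2010-04-01T10:06:00Z", "192.0.2.12", P + "10"),     # confModeExit
    ("2010-04-01T10:07:00Z", "192.0.2.12", "1.3.6.x"),    # malformed
]

if __name__ == "__main__":
    alarms, sessions, skipped = track(SAMPLE_EVENTS)
    print("open alarms:", alarms)
    print("still in configuration mode:", sessions)
    print("ignored:", len(skipped))
```

The table covers the Interceptor listing only; the Steelhead listing numbers the same notification names differently (for example linkError is alarmsPrefix 17 there).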
Glossary
Acceleration Policy. An acceleration policy contains optimization rules for accelerating the WAN traffic for
endpoint clients. An acceleration policy is required for optimization to occur.
ARP. Address Resolution Protocol. An IP protocol used to obtain a node's physical address.
Assignment. An assignment occurs when an endpoint or acceleration policy is matched to a deployment
ID (DID).
Bandwidth. The upper limit on the amount of data, typically in kilobits per second (kbps), that can pass
through a network connection. Greater bandwidth indicates faster data transfer capability.
Bit. A binary digit. The smallest unit of information handled by a computer; either 1 or 0 in the binary
number system.
Blade. One component in a system designed to accept some number of components (blades).
Bridge. Device that connects and passes packets between two network segments that use the same
communications protocol. Bridges operate at the data link layer (Layer 2) of the OSI reference model. In
general, a bridge filters, forwards, or floods an incoming frame based on the MAC address of that frame.
Cache. A temporary storage area for frequently or recently accessed data.
CIFS. Common Internet File System. CIFS is the remote file system access protocol used by Windows
servers and clients to share files across the network.
Database Cursor. A record pointer in a database. When a database file is selected and the cursor is opened,
the cursor points to the first record in the file. Using various commands, the cursor can be moved forward,
backward, to top of file, bottom of file, and so forth.
Default Gateway. The default address of a network or Web site. It provides a single domain name and point
of entry to the network or site.
Deployment ID. The deployment ID (DID) is used to apply policies and policy updates to groups of
endpoint clients. The DID is associated with the endpoint client upon installation of a MSI package. The
Mobile Controller uses the DID to identify the client and provide their assigned policies and policy updates.
DHCP. Dynamic Host Configuration Protocol. Software that automatically assigns IP addresses to client
stations logging onto a TCP/IP network.
Domain. In the Internet, a portion of the Domain Name Service (DNS) that refers to groupings of networks
based on the type of organization or geography.
DMZ. Demilitarized Zone. A computer or small subnetwork that sits between a trusted internal network,
such as a corporate private LAN, and an untrusted external network, such as the public Internet. Typically,
the DMZ contains devices accessible to Internet traffic, such as Web (HTTP) servers, FTP servers, SMTP (email) servers, and DNS servers.
DNS. Domain Name Service. A system used in the Internet for translating names of network nodes into IP
addresses. A Domain Name Server notifies hosts of other host IP addresses, associating host names with IP
addresses.
Endpoint. An endpoint is a client computer. For example, a PC or laptop.
Endpoint Policy. An endpoint policy specifies machine-specific software settings for endpoint clients, such
as the data store size. An endpoint policy is required for optimization to occur.
Ethernet. The most widely used Local Area Network (LAN) access method.
FDDI. Fiber Distributed Data Interface. A set of American National Standards Institute (ANSI) protocols
for sending digital data over fiber optic cable. FDDI networks are token-passing networks, and support
data rates of up to 100 Mbps (100 million bits per second). FDDI networks are typically used as backbones
for Wide Area Networks (WANs).
Filer. An appliance that attaches to a computer network and is used for data storage.
Gateway. A computer that acts as an intermediate device for two or more networks that use the same
protocols. The gateway functions as an entry and exit point to the network. Transport protocol conversion
might not be required, but some form of processing is typically performed.
Gigabit Ethernet. An Ethernet technology that raises transmission speed to 1 Gbps (1000 Mbps).
Hashing. Producing hash values for accessing data or for security. A hash value is a number generated from
a string of text. The hash is substantially smaller than the text itself and is generated by a formula in such a
way that it is extremely unlikely that some other text will produce the same hash value.
Heartbeat. A repeating signal transmitted from one appliance to another to indicate that the appliance is
operating.
Heuristic. A method of problem solving using exploration and trial and error methods. Heuristic program
design provides a framework for solving the problem in contrast with a fixed set of algorithmic rules that
cannot vary.
Host. A computer or other computing device that resides on a network.
Host address. The IP address assigned to each computer attached to the network.
Host name. Name given to a computer, usually by DNS.
HSRP. Hot Standby Routing Protocol. HSRP is a routing protocol from Cisco that provides backup to a
router in the event of failure. Using HSRP, several routers are connected to the same segment of an Ethernet,
FDDI, or token-ring network and work together to present the appearance of a single virtual router on the
LAN. The routers share the same IP and MAC addresses; therefore, in the event of failure of one router, the
hosts on the LAN are able to continue forwarding packets to a consistent IP and MAC address. The process
of transferring the routing responsibilities from one device to another is transparent to the user.
HTTP. Hypertext Transport Protocol. The protocol used by Web browsers to communicate with Web
servers.
HTTPS. Hypertext Transport Protocol Secure. The protocol for accessing a secure Web server. Using HTTPS
directs the message to a secure port number to be managed by a security protocol.
Interface. The point at which a connection is made between two elements, systems, or devices so that they
can communicate with one another.
Internet. The collection of networks tied together to provide a global network that uses the TCP/IP suite of
protocols.
IP. Internet Protocol. Network layer protocol in the TCP/IP stack that enables a connectionless
internetwork service.
IP address. In IP version 4 (IPv4), a 32-bit address assigned to hosts using the IP protocol. Also called an
Internet address.
IPsec. Internet Protocol Security protocol. A set of protocols to support secure exchange of packets at the IP
layer. IPsec has been deployed widely to implement Virtual Private Networks (VPNs). IPsec supports two
encryption modes: Transport and Tunnel. For IPsec to work, the sending and receiving devices must share
a public key.
Latency. Delay between a request being issued and its response being received.
Layer 2. The communications protocol (called the data link layer or MAC layer) that contains the physical
address of a client or server inspected by a bridge or switch. Layer 2 processing is faster than layer 3
processing, because less analysis of the packet is required.
Layer 3. The communications protocol (called the network layer) that contains the logical address of a client
or server station that is inspected by a router which in turn forwards it through the network. Layer 3
contains a type field so that traffic can be prioritized and forwarded based on message type as well as
network destination. The IP network layer (Layer 3) accepts packets from the TCP or UDP transport layer
(Layer 4), adds its own header and delivers a datagram to the data link layer protocol (Layer 2).
Layer 4. A communications protocol (called the transport layer) responsible for establishing a connection
and ensuring that all data has arrived safely. The application delivers its data to the communications system
by passing a stream of data bytes to the transport layer along with the socket (the IP address of the station
and a port number) of the destination machine.
MAC address. Unique serial number or physical station address burned into Ethernet and Token Ring
adapters to identify that network card from all others.
MAPI. Messaging API. A programming interface from Microsoft that enables a client application to send
and receive mail from Exchange Server or a Microsoft Mail (MS Mail) messaging system. Microsoft
applications such as Outlook, the Exchange client, and Microsoft Schedule use MAPI.
Microsoft Exchange. Messaging and groupware software for Windows from Microsoft. The Exchange
server is an Internet-compliant messaging system that runs under Windows systems and can be accessed
by Web browsers, the Windows In-box, Exchange client, or Outlook. The Exchange server is also a storage
system that can hold anything that needs to be shared.
MSI Package. An MSI package is the Microsoft Software Installer (MSI) used to install Steelhead Mobile
Client software onto endpoint clients.
Netmask. A 32-bit mask which shows how an Internet address is divided into network, subnet, and host
parts. The netmask has ones in the bit positions in the 32-bit address which are used for the network and
subnet parts, and zeros for the host part. The mask must contain at least the standard network portion (as
determined by the class of the address), and the subnet field should be contiguous with the network
portion.
Neural Network. A modeling technique based on the observed behavior of biological neurons and used to
mimic the performance of a system. It consists of a set of elements that start out connected in a random
pattern, and, based upon operational feedback, are molded into the pattern required to generate the
required results. It is used in applications such as robotics, diagnosing, forecasting, image processing, and
pattern recognition.
NFS. Network File System. The file sharing protocol in a UNIX network.
NIS. Network Information Services. A naming service that allows resources to be easily added, deleted, or
relocated.
Opportunistic Lock. Also known as oplock. A lock requested by a client on a file that resides on a remote
server. To prevent any compromise to data integrity, the Steelhead appliance only optimizes data where
exclusive access is available (in other words, when locks are granted). When an oplock is not available, the
Steelhead appliance does not perform application-level latency optimizations but still performs Scalable
Data Referencing and compression on the data as well as TCP optimizations. Therefore, even without the
benefits of latency optimization, Steelhead appliances still increase WAN performance, but not as
effectively as when application optimizations are available.
OSPF. Open Shortest Path First. An interior gateway routing protocol developed for IP networks based on
the shortest path first or link-state algorithm. Routers use link-state algorithms to send routing information
to all nodes in an internetwork by calculating the shortest path to each node based on a topography of the
Internet constructed by each node. Each router sends that portion of the routing table (which keeps track of
routes to particular network destinations) that describes the state of its own links. It also sends the complete
routing structure (topography).
Packet. A unit of information transmitted, as a whole, from one device to another on a network.
Probe. A small utility program that is used to investigate, or test, the status of a system, network, or Web
site.
Policy. Routing and Quality of Service (QoS) scheme that forwards data packets to network interfaces based
on user-configured parameters.
Port. A pathway into and out of the computer or a network device such as a hub, switch, or router. On
network devices, the ports are for communications, typically connecting Ethernet cables or other network
devices.
Proxy. An entity that acts on behalf of a network client. In a network, a client is an entity that makes a
network request and a server is an entity that responds to the request. For example, your Web browser is a
client which requests Web content from a Web server. A proxy can take the place of the client, meaning the
client never communicates directly with the server. Instead, the client makes a connection to the proxy and
the proxy makes the connection to the server, receives any responses from the server, and relays them back
to the client.
Router. A device that forwards data packets from one LAN or WAN to another. Based on routing tables and
routing protocols, routers read the network address in each transmitted frame and make a decision on how
to send it based on the most expedient route (traffic load, line costs, speed, bad lines, etc.). Routers work at
Layer-3 in the protocol stack, whereas bridges and switches work at Layer-2.
SMB. Server Message Block. A message format used by DOS and Windows to share files, directories, and
devices. There are also a number of products that use SMB to enable file sharing among different operating
system platforms. A product called Samba, for example, enables UNIX and Windows machines to share
directories and files.
SNMP. Simple Network Management Protocol. A network protocol that provides a way to monitor
network devices, performance, and security, and to manage configurations and collect statistics.
Socket. The method of directing data to the appropriate application in a TCP/IP network. A socket is made
up of the IP address of the station and a port number.
Switch. A network device that filters and forwards frames based on the destination address of each frame.
The switch operates at Layer-2 (data link layer) of the Open System Interconnection (OSI) model.
TCP. Transmission Control Protocol. The error correcting Transport layer (Layer-4) in the TCP/IP protocol
suite.
TCP/IP. Transmission Control Protocol/Internet Protocol. The protocol suite used in the Internet, intranets,
and extranets. TCP provides transport functions, which ensure that the total amount of bytes sent is
received correctly at the other end. TCP/IP is a routable protocol, and the IP part of TCP/IP provides this
capability.
Throttle. To adjust the Central Processing Unit (CPU) speed.
VLAN. Virtual Local Area Network. A VLAN is an administratively configured LAN or broadcast domain.
Instead of going to the wiring closet to move a cable to a different LAN, network administrators can
remotely configure a port on an 802.1Q-compliant switch to belong to a different VLAN. A 802.1Q VLAN
enables network administrators to move end stations to different broadcast domains by setting
membership profiles for each port on centrally managed switches.
Index
A
aaa accounting per-command default 97
aaa authentication cond-fallback 98
aaa authentication cond-fallback default 98
aaa authentication login default 98
aaa authorization map default-user 43, 99
aaa authorization map order 99
arp 174
B
banner login 112
banner motd 113
boot system 162
C
clear arp-cache 32
clear hardware error-log 32
clear interface 33
CLI
command negation 28
connecting 25
online help 27
overview of 26
saving configurations 28
cli clear-history 113
cli default auto-logout 113
cli default paging enable 114
cli session options 114
clock set 174
clock timezone 175
configuration copy 121
configuration delete 122
configuration factory 122
configuration fetch 122
configuration flash restore 126
configuration flash write 126
configuration jump-start 123
configuration merge 124
configuration move 125
configuration new 126
configuration revert keep-local 127
S
Safety guidelines 23
Secure ports, automatically forwarded 341
secure vault 296
secure-vault 296
service connection pooling 307
service default-port 307
service enable 181
service error reset 170
service map-port 171
service neural-framing 172
service port 172
service restart 172
show aaa 37
show arp 37
show banner 37
show bootvar 38
show cli 38
show clock 38
show cmc 39
show configuration 39
show configuration files 79
show configuration flash 40
show configuration flash text 41
show configuration full 41
show configuration running 41
show connection 79
show connections 80
show datastore 42
show email 42
show failover 43
show files debug-dump 82
show files sa 82
show files stats 83
show files tcpdump 83
show hardware 43
show hardware error-log 43
show hardware watchdog 43, 44
show hosts 44
show images 83
show info 84
show in-path 44, 45
show in-path ar-circbuf 85
show in-path asym-route-tab 84
show in-path cdp 45
show in-path lsp 45
show in-path neighbor (Interceptor) 46
show in-path neighbor (Steelhead) 46
show in-path neighbor peers 47
show in-path peering auto 47
show in-path peering rules 48