nortel commands

4655 Great America Parkway
Santa Clara, CA 95054
Phone 1-800-4Nortel
http://www.nortel.com

Nortel Application Switch Operating System 23.0.2
Command Reference
Part number: 320506-A, January 2006

Upload: ashish

Post on 14-Nov-2014

Copyright 2006 Nortel Networks, Inc., 4655 Great America Parkway, Santa Clara, California 95054, USA. All rights reserved. Part Number: 320506-A.

This document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this document may be reproduced in any form by any means without prior written authorization of Nortel Networks, Inc. Documentation is provided “as is” without warranty of any kind, either express or implied, including any kind of implied or express warranty of non-infringement or the implied warranties of merchantability or fitness for a particular purpose.

U.S. Government End Users: This document is provided with a “commercial item” as defined by FAR 2.101 (Oct 1995) and contains “commercial technical data” and “commercial software documentation” as those terms are used in FAR 12.211-12.212 (Oct 1995). Government End Users are authorized to use this documentation only in accordance with those rights and restrictions set forth herein, consistent with FAR 12.211-12.212 (Oct 1995), DFARS 227.7202 (JUN 1995) and DFARS 252.227-7015 (Nov 1995).

Nortel Networks, Inc. reserves the right to change any products described herein at any time, and without notice. Nortel Networks, Inc. assumes no responsibility or liability arising from the use of products described herein, except as expressly agreed to in writing by Nortel Networks, Inc. The use and purchase of this product does not convey a license under any patent rights, trademark rights, or any other intellectual property rights of Nortel Networks, Inc.

Nortel Application Switch Operating System, Nortel Application Switch 2424, Nortel Application Switch 2424-SSL, Nortel Application Switch 2224, 2216, 2208, 3408, Nortel Application Switch 180, Nortel Application Switch 180e, Nortel Application Switch 184, Nortel Application Switch AD3, Nortel Application Switch AD4, and ACEswitch are trademarks of Nortel Networks, Inc. in the United States and certain other countries. Cisco® and EtherChannel® are registered trademarks of Cisco Systems, Inc. in the United States and certain other countries. Check Point® and FireWall-1® are trademarks or registered trademarks of Check Point Software Technologies Ltd. Any other trademarks appearing in this manual are owned by their respective companies.

Originated in the U.S.A.

Contents

Preface
Who Should Use This Book
How This Book Is Organized
Related Documentation
Typographic Conventions
How to Get Help

The Command Line Interface
Connecting to the Switch
Establishing a Console Connection
Requirements
Procedure
Establishing a Telnet Connection
Using a BOOTP Server
Running Telnet
Establishing an SSH Connection
Running SSH
Accessing the Switch
CLI Versus Setup
Command Line History and Editing
Idle Timeout

First-Time Configuration
Using the Setup Utility
Information Needed For Setup
Starting Setup When You Log In
Stopping and Restarting Setup Manually
Stopping Setup
Restarting Setup
Setup Part 1: Basic System Configuration

Setup Part 2: Port Configuration
Setup Part 3: VLANs
Setup Part 4: IP Configuration
IP Interfaces
Default Gateways
IP Routing
Setup Part 5: Final Steps
Optional Setup for SNMP Support
Optional Setup for Telnet Support
Setting Passwords
Changing the Default Administrator Password
Changing the Default User Password
Changing the Default Layer 4 Administrator Password

Menu Basics
The Main Menu
Menu Summary
Global Commands
Command Line History and Editing
Command Line Interface Shortcuts
Command Stacking
Command Abbreviation
Tab Completion
Configuration Ranges

The Information Menu
Information Menu
System Information Menu
SNMPv3 System Information Menu
SNMPv3 USM User Table Information
SNMPv3 View Table Information
SNMPv3 Access Table Information
SNMPv3 Group Table Information
SNMPv3 Community Table Information
SNMPv3 Target Address Table Information
SNMPv3 Target Parameters Table Information
SNMPv3 Notify Table Information
SNMPv3 Dump Information

General System Information
Show System Time
Show Last 64 Syslog Messages
Last 64 Saved Syslog Messages
Management Port Information
SONMP Information
System Capacity Information
Show switch fan status
Show switch temperature sensor status
Show encryption licenses
Show current user status
System Information Dump
Layer 2 Information Menu
Layer 2 FDB Information
Show All FDB Information
Clearing Entries from the Forwarding Database
Link Aggregation Control Protocol Information Menu
LACP Aggregator Information
LACP Port Information
LACP Dump Information
Layer 2 Spanning Tree Group Information
Show common internal spanning tree (CIST) information
Trunk Group Information
VLAN Information
VLAN Information
Status of port teams
Layer2 Dump Information
Layer3 Information Menu
IP Routing Information
Show All IP Route Information
Type Parameters
Tag Parameters
IPv6 Routing Information Menu
ARP Information Menu
Show ARP Entries on Referenced SP
Show All ARP Entry Information
ARP Address List Information
IPv6 Neighbor Cache Information

BGP Information Menu
BGP Peer information
BGP Summary information
Dump BGP Information
OSPF Information Menu
OSPF General Information
OSPF Interface Information
OSPF Database Information
OSPF Information Route Codes
OSPF Dump Information
IP Information
VRRP Information
Layer3 Dump Information
Layer 4 Information Menu
Session Table Information
Samples of Session Dumps for Different Applications
Session dump information in Nortel Application Switch Operating System
Global SLB Information Menu
Show All Layer 4 Information
Bandwidth Management Information
BWM IP User Information Menu
BWM Contract Information
Security Information
Link Status Information
Port Information
Software Enabled Keys
Information Dump

The Statistics Menu
Statistics Menu
System statistics menu
Port Statistics Menu
Bridging Statistics
Ethernet Statistics
Interface Statistics
Interface Protocol Statistics
Link Statistics

RMON Statistics
Port Dump Statistics
Port mirroring statistics menu
Layer 2 Statistics Menu
FDB Statistics
LACP Statistics
Spanning Tree Group Statistics
Layer 3 Statistics Menu
OSPF Statistics Menu
OSPF Global Statistics
IP Statistics
IP6 Statistics Menu
Route Statistics
ARP statistics
VRRP Statistics
DNS Statistics
ICMP Statistics
Interface Statistics
TCP Statistics
UDP Statistics
Server Load Balancing Statistics Menu
Server Load Balancing SP statistics Menu
SP Real Server Statistics
SP Filter Statistics
SP Maintenance Statistics
Global SLB Statistics Menu
Real Server Global SLB Statistics
Virtual Server Global SLB Statistics
Global SLB Site Statistics
Global SLB Maintenance Statistics
Real Server SLB Statistics
Per Service Octet Counters
Real Server Group Statistics
Virtual Server SLB Statistics
Filter SLB Statistics
SLB Layer7 Statistics Menu
Layer7 Redirection Statistics
Layer 7 SLB String Statistics

Layer 7 SLB Maintenance Statistics
Layer7 Pooling Statistics
SLB Secure Socket Layer Statistics
File Transfer Protocol SLB and Filter Statistics Menu
Active FTP SLB Parsing and Filter Statistics
Passive FTP SLB Parsing Statistics
FTP SLB Maintenance Statistics
FTP SLB Statistics Dump
RTSP SLB Statistics
DNS SLB Statistics
WAP SLB Statistics
SLB Maintenance Statistics
SIP SLB Statistics
Display Workload Manager SASP statistics
Clear Workload Manager SASP Statistics
Display Workload Manager SASP statistics
BWM Statistics Menu
BWM Switch Processor Statistics
BWM Switch Processor Contract Statistics Menu
BWM Switch Processor Rate Contract Statistics
BWM Contract Statistics
BWM Contract Rate Statistics
BWM History Statistics
BWM Maintenance Statistics
BWM IP Users Statistics
Security Statistics
DOS Attack Statistics Menu
Types of DOS Attacks
IP Access Control List Statistics
UDP Blast Statistics
UDP Blast Dump Statistics
UDP Pattern Match Statistics
Rate Limiting Statistics
Dump Statistics for Security
Management Processor Statistics
MP Packet Statistics
TCP Statistics
UCB Statistics

MP-Specific SFD Statistics
CPU Statistics
SP Specific Statistics
SP-Specific Maintenance Statistics
CPU Statistics
Port Mirroring Statistics Menu
Management Port Statistics
Dump Statistics

The Configuration Menu
Configuration Menu
Viewing, Applying, and Saving Changes
Viewing Pending Changes
Applying Pending Changes
Saving the Configuration
System Configuration
System Host Log Configuration
Seven Levels of Severity
Management Port Configuration Menu
Management Port Link Menu
RADIUS Server Configuration
TACACS+ Server Configuration Menu
NTP Server Configuration
SynOptics Network Management Protocol Configuration
System SNMP Configuration
SNMPv3 Configuration Menu
User Security Model Configuration Menu
SNMPv3 View Configuration Menu
View-based Access Control Model Configuration Menu
SNMPv3 Group Configuration Menu
SNMPv3 Community Table Configuration Menu
SNMPv3 Target Address Table Configuration Menu
SNMPv3 Target Parameters Table Configuration Menu
SNMPv3 Notify Table Configuration Menu
System Health Check Configuration Menu
System Access Control Configuration
Management Networks Menu
Port Management Access Menu

User Access Control Menu
System User ID Configuration Menu
HTTPS Access Configuration Menu
SSH Server Menu
XML Configuration Access Menu
Example of enabling or disabling XML access
Configure the Timezone
Port Configuration
Nortel Application Switch Operating System 2000 Series
Fast Ethernet Ports
SFP GBIC Ports
Port Link Configuration
Nortel Application Switch 3000 Series
Port Configuration on Nortel Application Switch 3408
Single-Mode ports
Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu
Single-Mode SFP Gigabit Ethernet Port Link Configuration Menu
Dual-Mode Ports
Dual-Mode Copper Port Link Configuration
Dual-Mode SFP Gigabit Link Configuration Menu
Temporarily Disabling a Port
Port Mirroring Menu
Port-Mirroring Menu
Bandwidth Management Configuration
Bandwidth Management Contract Configuration
BWM Contract Time Policy Configuration Menu
Bandwidth Management Policy Configuration
Bandwidth Management Group Configuration Menu
Bandwidth Management Current Configuration
Layer 2 Configuration Menu
Multiple Spanning Tree Menu
Multiple Spanning Tree Menu
CIST Bridge Menu
Current configuration for CIST Bridge
Spanning Tree Group Configuration
Bridge Spanning Tree Configuration

Spanning Tree Port Configuration
Trunk Configuration
Link Aggregation Control Protocol Menu
LACP Port Configuration Menu
VLAN Configuration
Port Team Configuration
Layer 3 Configuration Menu
IP Interface Configuration
IPv6 Neighbor Discovery Menu
Default IP Gateway Configuration
Default Gateway Metrics
IP Static Route Configuration
ARP Configuration Menu
ARP Static Configuration Menu
IP Forwarding Configuration Menu
Local Network Route Caching Definition
Defining IP Address Ranges for the Local Route Cache
Network Filter Configuration
Route Map Configuration Menu
IP Access List Configuration Menu
Autonomous System Filter Path
Routing Information Protocol Configuration
RIP Interface Menu
Open Shortest Path First Configuration
Area Index Configuration Menu
OSPF Summary Range Configuration Menu
OSPF Interface Configuration Menu
OSPF Virtual Link Configuration Menu
OSPF MD5 Key Configuration Menu
OSPF Host Entry Configuration Menu
OSPF Route Redistribution Configuration Menu
Border Gateway Protocol Configuration
BGP Peer Configuration Menu
BGP Redistribution Configuration Menu
BGP Aggregate Routing Configuration Menu
IP Forwarding Port Configuration Menu
Domain Name System Configuration Menu
Bootstrap Protocol Relay Configuration Menu

VRRP Configuration Menu
Virtual Router Configuration Menu
Virtual Router Priority Tracking Configuration
Virtual Router Group Menu
Virtual Router Group Priority Tracking Configuration Menu
Virtual Router Group Configuration
Virtual Router Group Priority Tracking Configuration
VRRP Interface Configuration
VRRP Tracking Configuration
Default Gateway Metrics
Security Configuration Menu
Port Security Menu
IP Address Access Control List Configuration Menu
UDP Blast Protection Configuration Menu
Anomaly and Denial of Service Attack Prevention Menu
Pattern Matching Menu
SSL Processor Menu
Setup
Dump
Saving the Active Switch Configuration
Restoring the Active Switch Configuration

The SLB Configuration Menu
SLB Configuration
Filtering and Layer 4 (Server Load Balancing)
Real Server SLB Configuration
Real Server Advanced Menu
Buddy Server Health Check Menu
Real Server Layer 7 Configuration
Real server IDS Configuration Menu
Real Server Group SLB Configuration
SLB Health Check Types
Server Load Balancing Metrics
Virtual Server SLB Configuration
Virtual Server Service Configuration
WTS Load Balancing Menu
HTTP Load Balancing Menu

Page 13: Nortel Commands

SIP Load Balancing Menu ... 442
RTSP Load Balancing Menu ... 443
Cookie-Based Persistence ... 444
SLB Filter Configuration ... 445
Defining IP Address Ranges for Filters ... 449
Advanced Filter Configuration ... 450
802.1p Advanced Menu ... 453
Advanced Filter TCP Configuration ... 453
IP Advanced Menu ... 454
ICMP Message Types ... 455
Layer 7 Advanced Filter Configuration Menu ... 457
Layer 7 SIP Menu ... 459
Proxy Advanced Menu ... 460
SLB Filter Advanced Security Menu ... 460
Advanced Security Rate Limiting Configuration Menu ... 462
Port SLB Configuration ... 463
Global SLB Configuration ... 465
GSLB Remote Site Configuration ... 467
GSLB Network Preference Configuration Menu ... 469
GSLB Rule Configuration Menu ... 470
Global SLB Rule Metric Menu ... 472
Layer 7 SLB Resource Definition Menu ... 472
Web Cache Redirection Configuration ... 473
Server Load Balance Resource Configuration Menu ... 475
SDP Mapping Menu ... 477
WAP Configuration ... 477
Synchronize Peer Switch Configuration ... 478
Peer Switch Configuration ... 479
Advanced Layer 4 Configuration ... 480
SYN Attack Detection Configuration Menu ... 483
Advanced SMT Real Server Port Configuration Menu ... 483
Inbound Link Load Balancing configuration Menu ... 484
Inbound Link Load Balancing Domain Record Menu ... 485
Inbound Link Load Balancing Mapping Menu ... 486
Advanced Health Check Configuration Menu ... 486
Scriptable Health Checks Configuration ... 488
SNMP Health Check Configuration ... 490
WAP Health Check Configuration ... 492

Page 14: Nortel Commands

WSP Content Health Check ... 494
WTP and WSP Content Health Check Menu ... 495
Proxy IP Address Configuration Menu ... 496
SLB Peer Proxy IP Address Menu ... 497
WorkLoad Management Menu ... 498
The Operations Menu ... 499
Operations Menu ... 499
Operations-Level Port Options ... 501
Operations-Level SLB Options ... 502
Real Server Group Operations ... 503
Global SLB Operations Menu ... 504
Operations-Level VRRP Options ... 505
Operations-Level Bandwidth Management Options ... 505
Security Menu ... 506
IP ACL Operations Menu ... 506
Operations-Level IP Options ... 508
Operations-Level BGP Options ... 508
Activating Optional Software ... 509
Removing Optional Software ... 510
The Boot Options Menu ... 511
Boot Menu ... 511
Scheduled Reboot of the Switch ... 512
Scheduled Reboot Menu ... 512
Updating the Switch Software Image ... 512
Downloading New Software to Your Switch ... 513
Selecting a Software Image to Run ... 514
Uploading a Software Image from Your Switch ... 514
Selecting a Configuration Block ... 515
Resetting the Switch ... 517
The Maintenance Menu ... 519
Maintenance Menu ... 519
System Maintenance Options ... 522
Forwarding Database Options ... 522
ARP Cache Options ... 523
ARP Entries on a Single Port ... 524

Page 15: Nortel Commands

IP Route Manipulation ... 525
IPv6 Manipulation Menu ... 526
Debugging Options ... 527
Uuencode Flash Dump ... 528
System Dump Put ... 529
Clearing Dump Information ... 529
Panic Command ... 530
Unscheduled System Dumps ... 531
The SSL Processor Menu ... 533
Login to the SSL processor ... 533
SSL Processor Menu ... 535
SSL Performance information menu ... 536
SSL Performance Menu ... 540
SSL Performance Statistics menu ... 541
SSL Performance Menu ... 542
SSL Performance SSL Local Statistics Menu ... 543
SSL Performance: Single ISD SSL Statistics Menu ... 544
IPSEC Statistics menu ... 545
SSL Performance: Local IPSEC Statistics Menu ... 546
SSL Performance: Single IPSEC ISD Statistics Menu ... 547
AAA Statistics Menu ... 548
SSL Performance Configuration Menu ... 548
SSL Configuration Server Menu ... 551
SSL Configuration Server-specific Menu ... 552
SSL Configuration Server-specific Trace Menu ... 554
SSL Configuration Server-specific SSL Menu ... 555
SSL Configuration Server-specific TCP Menu ... 556
SSL Configuration Server-specific Advanced Menu ... 557
SSL Configuration Server Advanced String Menu ... 558
SSL Configuration Server Advanced Load Balancing Menu ... 559
SSL Configuration Server Advanced Load Balancing Cookie Menu ... 560
Local VIP Configuration Menu ... 562
SSL Configuration Server Advanced Load Balancing Health Script Menu ... 562
SSL Configuration Server Advanced Load Balancing Remote SSL Menu ... 563

Page 16: Nortel Commands

SSL Configuration Server Advanced Load Balancing Remote SSL Verification Menu ... 564
SSL Configuration Server Advanced Load Balancing Backend Server Menu ... 565
SSL Configuration Certificate Menu ... 566
SSL Configuration Revoke Certificate Menu ... 571
SSL Configuration Revoke Certificate Automatic Menu ... 572
SSL VPN Configuration Menu ... 573
SSL VPN Configuration Menu ... 574
SSL VPN Configuration TunnelGuard Menu ... 576
SSL VPN Configuration Authentication Menu ... 578
SSL VPN Configuration Authentication Radius Menu ... 579
SSL VPN Configuration Authentication Radius Servers Menu ... 580
SSL VPN Configuration Authentication Radius Session Timeout Menu ... 580
SSL VPN Configuration Authentication Radius Macro Menu ... 581
SSL VPN Configuration Authentication Advanced Menu ... 582
SSL VPN Configuration Network Menu ... 582
SSL VPN Configuration Network Subnet Menu ... 583
SSL VPN Configuration Service Menu ... 584
SSL VPN Configuration Application specific Menu ... 585
SSL VPN Configuration Application specific Paths Menu ... 587
SSL VPN Configuration AAA Filter Menu ... 588
SSL VPN Configuration AAA Group Menu ... 589
SSL VPN Configuration AAA Group Access Menu ... 591
SSL VPN Configuration AAA Group Linkset Menu ... 592
SSL VPN Configuration AAA Group Extend Profiles Menu ... 593
SSL VPN Configuration AAA Group Extend Profiles Access Menu ... 594
SSL VPN Configuration AAA Group Extend Profiles Linkset Menu ... 595
SSL VPN Configuration AAA Group IPsec Menu ... 595
SSL VPN Configuration AAA Single-sign on Enabled Domains Menu ... 597

Page 17: Nortel Commands

SSL VPN Configuration AAA Single-sign on Headers Menu ... 597
SSL VPN Configuration AAA Radius Accounting Menu ... 599
SSL VPN Configuration AAA Radius Accounting Servers Menu ... 599
SSL VPN Configuration AAA Radius Accounting VPN attributes Menu ... 601
SSL VPN Configuration Server Menu ... 601
SSL VPN Configuration Server Traffic Trace Menu ... 602
SSL VPN Configuration Server SSL Settings Menu ... 603
SSL VPN Configuration Server TCP endpoint Settings Menu ... 605
SSL VPN Configuration Server HTTP Settings Menu ... 606
SSL VPN Configuration Server SSL triggered rewrite Menu ... 607
SSL VPN Configuration Server Intranet Proxy settings Menu ... 608
SSL VPN Configuration Server Portal settings Menu ... 609
SSL VPN Configuration Server Advanced Menu ... 609
SSL VPN Configuration Server UDP Syslog Traffic Log Menu ... 610
SSL VPN Configuration Server SSL Connect Menu ... 611
SSL VPN Configuration Server SSL Connect verify Server Menu ... 612
SSL VPN Configuration IPsec Server Menu ... 612
SSL VPN Configuration IPsec Server IKE Profile Menu ... 614
SSL VPN Configuration IPsec Server IKE Profile Encryption Menu ... 615
SSL VPN Configuration IPsec Server IKE Profile Diffie-Hellman Group Mask Menu ... 616
SSL VPN Configuration IPsec Server IKE Profile NAT Menu ... 617
SSL VPN Configuration IPsec Server IKE Profile Dead Peer Menu ... 617
SSL VPN Configuration IP Pool Menu ... 618
SSL VPN Configuration Portal Menu ... 619
SSL VPN Configuration Portal Colors Menu ... 621

Page 18: Nortel Commands

SSL VPN Configuration Portal Full Access Menu ... 621
SSL VPN Configuration Portal Language Menu ... 622
SSL VPN Configuration Portal Whitelist settings Menu ... 623
SSL VPN Configuration Portal Whitelist settings Domains Menu ... 623
SSL VPN Configuration Linkset Menu ... 624
SSL VPN Configuration Linkset Link Menu ... 625
SSL VPN Configuration Linkset Link Internal Setting Menu ... 626
SSL VPN Configuration SSL Client Menu ... 626
SSL VPN Configuration Advanced Menu ... 627
SSL VPN Configuration Advanced DNS settings Menu ... 627
SSL Configuration System Menu ... 628
SSL Configuration System Host Menu ... 629
SSL Configuration System Host Routes Menu ... 630
SSL Configuration System Host Menu ... 631
SSL Configuration System Host Interface Routes Menu ... 632
SSL Configuration System Host Port Menu ... 632
SSL Configuration System Menu ... 633
SSL Configuration System Time Menu ... 633
SSL Configuration System Time NTP servers Menu ... 634
SSL Configuration System DNS settings Menu ... 634
SSL Configuration System DNS Servers settings Menu ... 635
SSL Configuration System RSA servers Menu ... 636
SSL Configuration System SysLog Servers Menu ... 636
SSL Configuration System Access List Menu ... 637
SSL Configuration System Administrative applications Menu ... 638
SSL Configuration System Administrative applications SNMP Menu ... 639
SSL Configuration System Administrative applications SNMPv2 MIB SNMP Menu ... 640
SSL Configuration System Administrative applications SNMP Community Menu ... 640
SSL Configuration System Administrative applications SNMP Users Menu ... 641
SSL Configuration System Administrative applications SNMP Target Menu ... 642

Page 19: Nortel Commands

SSL Configuration System Administrative applications Audit Menu ... 643
SSL Configuration System Administrative applications Audit Servers Menu ... 644
SSL Configuration System Administrative applications HTTP Menu ... 644
SSL Configuration System Administrative applications HTTPS Menu ... 645
SSL Configuration System Administrative applications SSH Host keys Menu ... 646
SSL Configuration System Administrative applications SSH Known Host keys Menu ... 646
SSL Configuration System Menu ... 647
SSL Configuration System User Edit Menu ... 648
SSL Configuration System User Edit Menu ... 648
SSL Configuration Language Support Menu ... 649
SSL Boot Menu ... 649
SSL Performance Menu ... 651
SSL Performance Maintenance Menu ... 652
SSL Performance HSM Menu ... 653
Nortel Application Switch Operating System Syslog Messages ... 655
LOG_WARNING ... 655
LOG_ALERT ... 656
LOG_CRIT ... 657
LOG_ERR ... 657
LOG_NOTICE ... 663
LOG_INFO ... 665
Nortel Application Switch Operating System SNMP Agent ... 667
Performing a Serial Download ... 671
Glossary ... 673
Index ... 677

Page 20: Nortel Commands

Page 21: Nortel Commands

Preface

The Nortel Application Switch Operating System 23.0.2 Command Reference describes how to configure and use the Nortel Application Switch Operating System software with your Nortel Application Switch.

For documentation on installing the switches physically, see the Hardware Installation Guide for your particular switch model.

Who Should Use This Book

This Command Reference is intended for network installers and system administrators engaged in configuring and maintaining a network. The administrator should be familiar with Ethernet concepts, IP addressing, the IEEE 802.1d Spanning Tree Protocol, and SNMP configuration parameters.

How This Book Is Organized

“The Command Line Interface” describes how to connect to the switch and access the information and configuration menus.

“First-Time Configuration” describes how to use the Setup utility for initial switch configuration and how to change the system passwords.

“Menu Basics” provides an overview of the menu system, including a menu map, global commands, and menu shortcuts.

“The Information Menu” describes how to view switch configuration parameters.

“The Statistics Menu” describes how to view switch performance statistics.

“The Configuration Menu” describes how to configure switch system parameters, ports, VLANs, Spanning Tree Protocol, SNMP, Port Mirroring, IP Routing, Port Trunking, and more.

Page 22: Nortel Commands

“The SLB Configuration Menu” describes how to configure Server Load Balancing, Filtering, Global Server Load Balancing, and more.

“The Operations Menu” describes how to use commands which affect switch performance immediately, but do not alter permanent switch configurations (such as temporarily disabling ports). The menu describes how to activate or deactivate optional software features.

“The Boot Options Menu” describes the use of the primary and alternate switch images, how to load a new software image, and how to reset the software to factory defaults.

“The Maintenance Menu” describes how to generate and access a dump of critical switch state information, how to clear it, and how to clear part or all of the forwarding database.

Appendix A, “Nortel Application Switch Operating System Syslog Messages” presents a listing of syslog messages.

Appendix B, “Nortel Application Switch Operating System SNMP Agent” lists the Management Interface Bases (MIBs) supported in the switch software.

Appendix C, “Performing a Serial Download” shows how to directly load a binary software image into the switch for upgrade or maintenance.

“Glossary” defines the terminology used throughout the book.

“Index” includes pointers to the description of the key words used throughout the book.

Related Documentation

Nortel Application Switch Operating System 23.0.2 Application Guide (Part Number 320507-A)

Provides application explanations and configuration examples for the Switch.

Nortel Application Switch Operating System 23.0.2 Browser-Based Interface (BBI) Quick Guide (Part Number 320508-A)

Provides a description of the Switch BBI and how to configure and access it on the Switch.

Nortel Application Switch Hardware Installation Guide (Part Number 315396-E)

Provides a description of the Nortel Application Switch hardware, the physical features, how to install it, and how to troubleshoot it.

Page 23: Nortel Commands

Nortel Application Switch Operating System 23.0.2 Release Notes (Part Number 320509-A).

This document provides a description of new features and caveats and limitations, if any, in the software.

Typographic Conventions

The following table describes the typographic styles used in this book.

Table 1 Typographic Conventions

Typeface or Symbol: AaBbCc123
Meaning: This type is used for names of commands, files, and directories used within the text.
Example: View the readme.txt file.
Meaning: It also depicts on-screen computer output and prompts.
Example: Main#

Typeface or Symbol: AaBbCc123 (bold)
Meaning: This bold type appears in command examples. It shows text that must be typed in exactly as shown.
Example: Main# sys

Typeface or Symbol: <AaBbCc123> (italic)
Meaning: This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets.
Example: To establish a Telnet session, enter: host# telnet <IP address>
Meaning: This also shows book titles, special terms, or words to be emphasized.
Example: Read your User’s Guide thoroughly.

Typeface or Symbol: [ ]
Meaning: Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
Example: host# ls [-a]

Page 24: Nortel Commands

How to Get Help

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

If you purchased a Nortel service program, contact one of the following Nortel Technical Solutions Centers:

Technical Solutions Center          Telephone
Europe, Middle East, and Africa     00800 8008 9009 or +44 (0) 870 907 9009
North America                       (800) 4NORTEL or (800) 466-7835
Asia Pacific                        (61) (2) 8870-8800
China                               (800) 810-5000

Additional information about the Nortel Technical Solutions Centers is available at the following URL:

http://www.nortelnetworks.com/help/contact/global

An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate an ERC for your product or service, refer to the following URL:

http://www.nortelnetworks.com/help/contact/erc/index.html


Page 25: Nortel Commands

CHAPTER 1
The Command Line Interface

Your Nortel Application Switch is ready to perform basic switching functions right out of the box. Some of the more advanced features, however, require some administrative configuration before they can be used effectively.

The extensive Nortel Application Switch Operating System switching software included in your switch provides a variety of options for accessing and configuring the switch:

A built-in, text-based command line interface and menu system for access via local terminal or remote Telnet session

A GUI-based Application Switch Element Manager (ASEM) for interactive network access

SNMP support for access through network management software such as HP OpenView

Nortel Application Switch Operating System Browser-Based Interface (BBI)

The command line interface is the most direct method for collecting switch information and performing switch configuration. Using a basic terminal, you are presented with a hierarchy of menus that enable you to view information and statistics about the switch, and to perform any necessary configuration.

This chapter explains how to access the Command Line Interface (CLI) of the switch.

Page 26: Nortel Commands

Connecting to the Switch

You can access the command line interface in any one of the following ways:

Using a console connection via the console port

Using a Telnet connection over the network

Using an SSH connection to securely log into another computer over a network

Establishing a Console Connection

Requirements

To establish a console connection with the switch, you will need the following:

An ASCII terminal or a computer running terminal emulation software set to the parameters shown in the table below:

A standard serial cable with a male DB9 connector (see your switch hardware installation guide for specifics).

Procedure

1. Connect the terminal to the Console port using the serial cable.

2. Power on the terminal.

3. To establish the connection, press <Enter> a few times on your terminal.

You will next be required to enter a password for access to the switch. (For more information, see “Setting Passwords” on page 47).

Table 1-1 Console Configuration Parameters

Parameter       Value
Baud Rate       9600
Data Bits       8
Parity          None
Stop Bits       1
Flow Control    None

Page 27: Nortel Commands

Establishing a Telnet Connection

A Telnet connection offers the convenience of accessing the switch from any workstation connected to the network. Telnet access provides the same options for user access and administrator access as those available through the console port.

To configure the switch for Telnet access, you need to have a device with Telnet software located on the same network as the switch. The switch must have an IP address. The switch can get its IP address in one of two ways:

Dynamically, from a BOOTP server on your network

Manually, when you configure the switch IP address (see “Setup Part 1: Basic System Configuration” on page 36).

NOTE – You need to enable Telnet and SSH, using serial connection, before you can use these methods of accessing the switch. Refer to “Establishing a Telnet Connection” on page 27.

Using a BOOTP Server

By default, the Nortel Application Switch Operating System software is set up to request its IP address from a BOOTP server. If you have a BOOTP server on your network, add the MAC address of the switch to the BOOTP configuration file located on the BOOTP server. The MAC address can be found on a small white label on the back panel of the switch. The MAC address can also be found in the System Information menu (see “System Information” on page 63).

NOTE – If connecting to the management port, BOOTP is not supported. The port must be manually configured with the proper IP address.

Running Telnet

Once the IP parameters on the Nortel Application Switch are configured, you can access the CLI using a Telnet connection. To establish a Telnet connection with the switch, run the Telnet program on your workstation and issue the Telnet command, followed by the switch IP address:

telnet <IP address>

You will then be prompted to enter a password as explained on page 28.

Page 28: Nortel Commands

Establishing an SSH Connection

Although a remote network administrator can manage the configuration of a Nortel Application Switch via Telnet, this method does not provide a secure connection. The SSH (Secure Shell) protocol enables you to securely log into another computer over a network to execute commands remotely. As a secure alternative to using Telnet to manage switch configuration, SSH ensures that all data sent over the network is encrypted and secure.

The switch can perform only one session of key/cipher generation at a time. Thus, an SSH/SCP client will not be able to log in if the switch is doing key generation at that time or if another client has just logged in before this client. Similarly, the system will fail to do the key generation if an SSH/SCP client is logging in at that time.

The supported SSH encryption and authentication methods are listed below.

Server Host Authentication: Client RSA-authenticates the switch in the beginning of every connection.

Key Exchange: RSA

Encryption: 3DES-CBC, DES

User Authentication: Local password authentication, Radius

The following SSH clients have been tested:

SSH 1.2.23 and SSH 1.2.27 for Linux (freeware)

SecureCRT 3.0.2 and SecureCRT 3.0.3 (Van Dyke Technologies, Inc.)

F-Secure SSH 1.1 for Windows (Data Fellows)

NOTE – The Nortel Application Switch Operating System implementation of SSH is based on SSH version 1.5 and supports SSH-1.5-1.X.XX. SSH clients of other versions (especially Version 2) will not be supported.
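The version restriction in the NOTE above can be checked offline against recorded SSH identification strings. The following is an added example, not code from the manual or from Nortel: it parses `SSH-<protocol>-<software>` lines, classifies the protocol generation, and flags inventory entries that only speak SSH version 1. The banner values and host addresses are constructed, and reading "SSH-1.5-1.X.XX" as protocol 1.5 with a 1.<digits>.<digits> software version is an assumption.

```python
import re
from typing import NamedTuple

# Identification line: SSH-<protoversion>-<softwareversion>[ <comments>]
IDENT_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?:\s+(.*))?$")

# Assumption: the manual's "SSH-1.5-1.X.XX" means protocol 1.5 and a software
# version of the form 1.<digits>.<digits>.
NOTE_SOFTWARE_RE = re.compile(r"^1\.\d+\.\d+")


class SshIdent(NamedTuple):
    major: int
    minor: int
    software: str


def parse_ident(line: str) -> SshIdent:
    """Parse one identification line; raise ValueError if it is not SSH."""
    m = IDENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshIdent(int(m.group(1)), int(m.group(2)), m.group(3))


def classify(ident: SshIdent) -> str:
    """Map the protocol version to the SSH generation(s) the peer offers."""
    if (ident.major, ident.minor) == (1, 99):
        return "v1+v2"      # 1.99 announces support for both protocol 1 and 2
    if ident.major == 1:
        return "v1-only"    # includes the 1.5 protocol named in the NOTE
    if ident.major == 2:
        return "v2-only"
    return "unknown"


def client_matches_note(line: str) -> bool:
    """True if a client identification fits the SSH-1.5-1.X.XX pattern."""
    ident = parse_ident(line)
    return (ident.major, ident.minor) == (1, 5) and bool(
        NOTE_SOFTWARE_RE.match(ident.software)
    )


def v1_only_hosts(banners: dict) -> list:
    """Return the hosts whose recorded banner offers SSH version 1 only."""
    flagged = []
    for host, banner in banners.items():
        try:
            if classify(parse_ident(banner)) == "v1-only":
                flagged.append(host)
        except ValueError:
            continue  # not an SSH service; nothing to classify
    return sorted(flagged)


# Constructed inventory: documentation addresses and made-up banner strings.
SAMPLE_BANNERS = {
    "192.0.2.10": "SSH-1.5-1.2.27\n",
    "192.0.2.11": "SSH-2.0-OpenSSH_9.6\r\n",
    "192.0.2.12": "SSH-1.99-OpenSSH_3.9p1\n",
    "192.0.2.13": "220 FTP ready\r\n",
}

if __name__ == "__main__":
    for host in v1_only_hosts(SAMPLE_BANNERS):
        print(f"{host}: management SSH is version 1 only")
```
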

Running SSH

Once the IP parameters are configured and the SSH service is turned on for the Nortel Application Switch, you can access the command line interface using an SSH connection.

To establish an SSH connection with the switch, run the SSH program on your workstation by issuing the SSH command, followed by the switch IP address:

>> # ssh <switch IP address>


or, if SecurID authentication is required, use the following command:

>> # ssh -1 ace <switch IP address>

You will then be prompted to enter your user name and password.

Accessing the Switch

To enable better switch management and user accountability, seven levels or classes of user access have been implemented on the Nortel Application Switch. Levels of access to CLI, Web management functions, and screens increase as needed to perform various switch management tasks. Conceptually, access classes are defined as follows:

User interaction with the switch is completely passive—nothing can be changed on the Nortel Application Switch. Users may display information that has no security or privacy implications, such as switch statistics and current operational state information.

Operators can only effect temporary changes on the Nortel Application Switch. These changes will be lost when the switch is rebooted/reset. Operators have access to the switch management features used for daily switch operations. Because any changes an operator makes are undone by a reset of the switch, operators cannot severely impact switch operation.

Administrators are the only ones that may make permanent changes to the switch configuration—changes that are persistent across a reboot/reset of the switch. Administrators can access switch functions to configure and troubleshoot problems on the Nortel Application Switch. Because administrators can also make temporary (operator-level) changes, they must be aware of the interactions between temporary and permanent changes.

Access to switch functions is controlled through the use of unique user names and passwords. Once you are connected to the switch via local console, Telnet, or SSH, you are prompted to enter a password. The default user names/passwords for each access level are listed in the following table.

NOTE – It is recommended that you change default switch passwords after initial configuration and as regularly as required under your network security policies. For more information, see “Setting Passwords” on page 47.


NOTE – With the exception of the “admin” user, access to each user level can be disabled by setting the password to an empty value. All user levels below “admin” will by default be initially disabled (empty password) until they are enabled by the “admin” user. This prevents inadvertently leaving the switch open to unauthorized users.

Table 1-2 User Access Levels

User Account | Description and Tasks Performed | Password

User | The User has no direct responsibility for switch management. He or she can view all switch status information and statistics, but cannot make any configuration changes to the switch. | user

SLB Operator | The SLB Operator manages Web servers and other Internet services and their loads. In addition to being able to view all switch information and statistics, the SLB Operator can enable/disable servers using the Server Load Balancing operation menu. | slboper

Layer 4 Operator | The Layer 4 Operator manages traffic on the lines leading to the shared Internet services. This user currently has the same access level as the SLB operator, and the access level is reserved for future use, to provide access to operational commands for operators managing traffic on the line leading to the shared Internet services. | l4oper

Operator | The Operator manages all functions of the switch. In addition to SLB Operator functions, the Operator can reset ports or the entire switch. | oper

SLB Administrator | The SLB Administrator configures and manages Web servers and other Internet services and their loads. In addition to SLB Operator functions, the SLB Administrator can configure parameters on the Server Load Balancing menus, with the exception of not being able to configure filters or bandwidth management. | slbadmin

Layer 4 Administrator | The Layer 4 Administrator configures and manages traffic on the lines leading to the shared Internet services. In addition to SLB Administrator functions, the Layer 4 Administrator can configure all parameters on the Server Load Balancing menus, including filters and bandwidth management. | l4admin

Administrator | The superuser Administrator has complete access to all menus, information, and configuration commands on the Nortel Application Switch, including the ability to change both the user and administrator passwords. | admin


CLI Versus Setup

Once the administrator password is verified, you are given complete access to the switch. If the switch is still set to its factory default configuration, the system will ask whether you wish to run Setup (see Chapter 2, “First-Time Configuration”), a utility designed to help you through the first-time configuration process. If the switch has already been configured, the Main Menu of the CLI is displayed instead.

The following table shows the Main Menu with administrator privileges.

[Main Menu]
    info   - Information Menu
    stats  - Statistics Menu
    cfg    - Configuration Menu
    oper   - Operations Command Menu
    boot   - Boot Options Menu
    maint  - Maintenance Menu
    diff   - Show pending config changes [global command]
    apply  - Apply pending config changes [global command]
    save   - Save updated config to FLASH [global command]
    revert - Revert pending or applied changes [global command]
    exit   - Exit [global command, always available]

NOTE – If you are accessing a user account or Layer 4 administrator account, some menu options will not be available.

Command Line History and Editing

For a description of global commands, shortcuts, and command line editing functions, see “Menu Basics” on page 53.

Idle Timeout

By default, the switch will disconnect your console or Telnet session after five minutes of inactivity. This function is controlled by the idle timeout parameter, which can be set from 1 to 10080 minutes. For information on changing this parameter, see “System Configuration” on page 261.


CHAPTER 2: First-Time Configuration

To help with the initial process of configuring your switch, the Nortel Application Switch Operating System software includes a Setup utility. The Setup utility prompts you step-by-step to enter all the necessary information for basic configuration of the switch. This chapter describes how to use the Setup utility and how to change system passwords.

NOTE – If you are configuring a 2000-SSL Series Switch, you can use the Switch Setup Utility in the Nortel Application Switch Operating System 2000-SSL Series Quick Setup Guide (part number 215102-A) instead for setting up the Switch and the SSL Processor. Then return to this guide for configuration and management information on your Switch.

Using the Setup Utility

Whenever you log in as the system administrator under the factory default configuration, you are asked whether you wish to run the Setup utility. Setup can also be activated manually from the command line interface any time after login.

Information Needed For Setup

Setup requests the following information:

Basic system information

Date & time

Whether to use BOOTP or not

Whether to use Spanning Tree Protocol or not

Management port configuration

Optional configuration for each port

Speed, duplex, flow control, and negotiation mode (as appropriate)

Whether to use VLAN tagging or not (as appropriate)


Optional configuration for each VLAN

Name of VLAN

Which ports are included in the VLAN

Optional configuration of IP parameters

IP address, subnet mask, and broadcast address, and VLAN for each IP interface

IP addresses for up to four default gateways

Destination, subnet mask, and gateway IP address for each IP static route

Whether IP forwarding is enabled or not

Whether the RIP supply is enabled or not

Starting Setup When You Log In

The Setup prompt appears automatically whenever you log in as the system administrator under the factory default settings.

1. Connect to the switch console.

After connecting, the login prompt will appear as shown below.

Enter Password:

2. Enter admin as the default administrator password.

If the factory default configuration is detected, the system prompts:

Connected to Nortel Application Switch 2424
18:44:05 Mon April 12, 2004

The switch is booted with factory default configuration.
To ease the configuration of the switch, a "Set Up" facility which
will prompt you with those configuration items that are essential to the operation of the switch is provided.
Would you like to run "Set Up" to configure the switch? [y/n]:

NOTE – If the default admin login is unsuccessful, or if the administrator Main Menu appears instead, the system configuration has probably been changed from the factory default settings. If you are certain that you need to return the switch to its factory default settings, see “Selecting a Configuration Block” on page 515.


3. Enter y to begin the initial configuration of the switch, or n to bypass the Setup facility.


Stopping and Restarting Setup Manually

Stopping Setup

To abort the Setup utility, press <Ctrl-C> during any Setup question. When you abort Setup, the system will prompt:

Would you like to run from top again? [y/n]

Enter n to abort Setup, or y to restart the Setup program at the beginning.

Restarting Setup

You can restart the Setup utility manually at any time by entering the following command at the administrator prompt:

# /cfg/setup

Setup Part 1: Basic System Configuration

When Setup is started, the system prompts:

"Set Up" will walk you through the configuration of
System Date and Time, BOOTP, Spanning Tree, Management port, Port Speed/Mode,
VLANs, and IP interfaces. [type Ctrl-C to abort "Set Up"]
------------------------------------------------------------
Will you be configuring VLANs? [y/n]

1. Enter y if you will be configuring VLANs. Otherwise enter n.

If you decide not to configure VLANs during this session, you can configure them later using the configuration menus, or by restarting the Setup facility. For more information on configuring VLANs, see the Nortel Application Switch Operating System 23.0.2 Application Guide.

Next, the Setup utility prompts you to input basic system information.

2. Enter the year of the current date at the prompt:

System Date:
Enter year [2004]:

Enter the last two digits of the year as a number from 00 to 99. “00” is considered 2000. To keep the current year, press <Enter>.


3. Enter the month of the current system date at the prompt:

System Date:
Enter month [4]:

Enter the month as a number from 1 to 12. To keep the current month, press <Enter>.

4. Enter the day of the current date at the prompt:

Enter day [12]:

Enter the date as a number from 1 to 31. To keep the current day, press <Enter>.

5. Enter the hour of the current system time at the prompt:

System Time:
Enter hour in 24-hour format [18]:

Enter the hour as a number from 00 to 23. To keep the current hour, press <Enter>.

6. Enter the minute of the current time at the prompt:

Enter minutes [55]:

Enter the minute as a number from 00 to 59. To keep the current minute, press <Enter>.

7. Enter the seconds of the current time at the prompt:

Enter seconds [37]:

Enter the seconds as a number from 00 to 59. To keep the current second, press <Enter>.

The system displays the date and time settings:

System clock set to 18:55:36 Mon April 12, 2004.

8. Enable or disable the use of BOOTP at the prompt:

BootP Option:
Current BOOTP usage: disabled
Enter new BOOTP usage [d/e]:


If available on your network, a BOOTP server can supply the switch with IP parameters so that you do not have to enter them manually. BOOTP must be disabled, however, before the system will prompt for IP parameters.

Enter d to disable the use of BOOTP, or enter e to enable the use of BOOTP. To keep the current setting, press <Enter>.

9. Turn Spanning Tree Protocol on or off at the prompt:

Spanning Tree:
Current Spanning Tree setting: ON
Turn Spanning Tree OFF? [y/n]

Enter y to turn off Spanning Tree, or enter n to leave Spanning Tree on.

Setup Part 2: Port Configuration

NOTE – The port configuration options shown in these steps are for the Nortel Application Switch Operating System 2424. When configuring port options for other switches, some of the prompts and options may be different.

1. If desired, set up the management port:

Management Port Config:
Configure management port? [y/n] y

If you answer y to configure the management port, you will be prompted for IP address, subnet mask, broadcast address, default gateway, and other management port options.

2. Select the port to configure, or skip port configuration at the prompt:

Port Config:
Enter port number: (1-28)

If you wish to change settings for individual ports, enter the number of the port you wish to configure. To skip port configuration, press <Enter> without specifying any port and go to “Setup Part 3: VLANs” on page 41.


3. If appropriate, configure Ethernet/Fast Ethernet port speed.

If you selected a port that has an Ethernet/Fast Ethernet connector, the system prompts:

Fast Link Configuration:
Port Speed:
Current Port 1 speed setting: 10/100
Enter new speed ["10"/"100"/"any"]:

Enter the port speed from the options available, or enter any to have the switch auto-sense the port speed. To keep the current setting, press <Enter>.

4. If appropriate, configure Ethernet/Fast Ethernet port duplex mode.

If you selected a port that has an Ethernet/Fast Ethernet connector, the system prompts:

Port Mode:
Current port 1 mode setting: any
Enter new speed ["full"/"half"/"any"]

Enter full for full-duplex, half for half-duplex, or any to have the switch auto-negotiate. To keep the current setting, press <Enter>.

5. If appropriate, configure Ethernet/Fast Ethernet port flow control.

If you selected a port that has an Ethernet/Fast Ethernet connector, the system prompts:

Port Flow Control:
Current Port 1 flow control setting: both
Enter new value ["rx"/"tx"/"both"/"none"]:

Enter rx to enable receive flow control, tx for transmit flow control, both to enable both, or none to turn flow control off for the port. To keep the current setting, press <Enter>.

6. If appropriate, configure Ethernet/Fast Ethernet port autonegotiation mode.

If you selected a port that has an Ethernet/Fast Ethernet connector, the system prompts:

Port Auto Negotiation:
Current Port 1 autonegotiation: on
Enter new value ["on"/"off"]:

Enter on to enable autonegotiation, off to disable it, or press <Enter> to keep the current setting.


7. If appropriate, configure Gigabit Ethernet port flow parameters.

If you selected a port that has a Gigabit Ethernet connector, the system prompts:

Gig Link Configuration:
Port Flow Control:
Current Port 1 flow control setting: both
Enter new value ["rx"/"tx"/"both"/"none"]:

Enter rx to enable receive flow control, tx for transmit flow control, both to enable both, or none to turn flow control off for the port. To keep the current setting, press <Enter>.

8. If appropriate, configure Gigabit Ethernet port autonegotiation mode.

If you selected a port that has a Gigabit Ethernet connector, the system prompts:

Port Auto Negotiation:
Current Port 1 autonegotiation: on
Enter new value ["on"/"off"]:

Enter on to enable port autonegotiation, off to disable it, or press <Enter> to keep the current setting.

9. If configuring VLANs, enable or disable VLAN tagging for the port.

If you have selected to configure VLANs back in Part 1, the system prompts:

Port VLAN tagging config (tagged port can be a member of multiple VLANs)
Current TAG flag: disabled
Enter new TAG status [d/e]:

Enter d to disable VLAN tagging for the port or enter e to enable VLAN tagging for the port. To keep the current setting, press <Enter>.

10. The system prompts you to configure the next port:

Enter port number:

When you are through configuring ports, press <Enter> without specifying any port. Otherwise, repeat the steps in this section.


Setup Part 3: VLANs

If you chose to skip VLANs configuration back in Part 1, skip to “Setup Part 4: IP Configuration” on page 42.

1. Select the VLAN to configure, or skip VLAN configuration at the prompt:

VLAN Config:
Enter VLAN number from 2 to 4090, NULL at end:

If you wish to change settings for individual VLANs, enter the number of the VLAN you wish to configure. To skip VLAN configuration, press <Enter> without typing a VLAN number and go to “Setup Part 4: IP Configuration” on page 42.

2. Enter the new VLAN name at the prompt:

VLAN is newly created.
Pending new VLAN name: "VLAN 2"
Enter new VLAN name, without quotes:

Entering a new VLAN name is optional. To use the pending new VLAN name, press <Enter>.

3. Enter the VLAN port numbers.

The system prompts you to define the first port in the VLAN:

Define ports in VLAN:
Current VLAN 2: empty
Enter port numbers one per line, NULL at end:

Type the first port number to add to the current VLAN and press <Enter>. The right angle prompt appears:

>

For each additional port in the VLAN, type the port number and press <Enter> to move to the next line. Repeat this until all ports for the VLAN being configured are entered. When you are finished adding ports to this VLAN, press <Enter> without specifying any port.

4. The system prompts you to configure the next VLAN:

VLAN Config:
Enter VLAN number from 2 to 4090, NULL at end:


Repeat the steps in this section until all VLANs have been configured. When all VLANs have been configured, press <Enter> without specifying any VLAN.

Setup Part 4: IP Configuration

If BOOTP was enabled back in Part 1, skip to Setup Part 5: Final Steps. Otherwise, if you disabled BOOTP, the system prompts for IP parameters.

IP Interfaces

IP interfaces are used for defining subnets to which the switch belongs.

Up to 256 IP interfaces can be configured on the Nortel Application Switch. The IP address assigned to each IP interface provides the switch with an IP presence on your network. No two IP interfaces can be on the same IP subnet. The interfaces can be used for connecting to the switch for remote configuration, and for routing between subnets and VLANs (if used).
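A planned set of interface values can be checked against these rules before it is typed into Setup. The following is an added example, not part of the manual or of the switch software: it validates interface number, address, subnet mask and broadcast address for each planned interface and reports interfaces that share a subnet. Treating partially overlapping subnets as a conflict and expecting the broadcast address to be the subnet's directed broadcast go beyond the manual's wording and are assumptions; the plan itself is constructed sample data.

```python
import ipaddress


def check_ip_interfaces(plan, max_interfaces=256):
    """Check {number: (address, mask, broadcast)} and return a list of
    (interface number, problem code, detail) tuples, empty if the plan is clean.
    """
    problems = []
    accepted = {}  # IPv4Network -> number of the interface that claimed it
    for num in sorted(plan):
        addr, mask, bcast = plan[num]
        if not 1 <= num <= max_interfaces:
            problems.append(
                (num, "range", f"interface number must be 1-{max_interfaces}")
            )
        try:
            iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
            bcast_ip = ipaddress.IPv4Address(bcast)
        except ValueError as exc:  # malformed address or non-contiguous mask
            problems.append((num, "invalid", str(exc)))
            continue
        net = iface.network
        # ipaddress also accepts host masks such as 0.0.0.255; reject those.
        if str(net.netmask) != mask:
            problems.append((num, "invalid", f"{mask} is not written as a netmask"))
            continue
        # The interface address must be a usable host address in its subnet.
        if net.prefixlen < 31 and iface.ip in (
            net.network_address,
            net.broadcast_address,
        ):
            problems.append((num, "host-addr", f"{addr} is not a host address in {net}"))
        # Assumption: the broadcast entered is the subnet's directed broadcast.
        if bcast_ip != net.broadcast_address:
            problems.append((num, "broadcast", f"expected {net.broadcast_address}"))
        # "No two IP interfaces can be on the same IP subnet" (overlap is
        # the stricter reading used here).
        clash = [n for other, n in accepted.items() if net.overlaps(other)]
        if clash:
            problems.append(
                (num, "overlap", f"subnet {net} collides with interface {clash[0]}")
            )
        else:
            accepted[net] = num
    return problems


# Constructed sample plan: interface number -> (address, mask, broadcast).
SAMPLE_PLAN = {
    1: ("10.1.1.1", "255.255.255.0", "10.1.1.255"),    # clean
    2: ("10.1.1.2", "255.255.255.0", "10.1.1.255"),    # same subnet as 1
    3: ("10.1.2.1", "255.255.255.0", "10.1.3.255"),    # wrong broadcast
    4: ("10.1.4.0", "255.255.255.0", "10.1.4.255"),    # network address
    5: ("10.1.0.1", "255.255.0.0", "10.1.255.255"),    # contains subnet of 1
    300: ("10.2.5.1", "255.255.255.0", "10.2.5.255"),  # number out of range
}

if __name__ == "__main__":
    for num, code, detail in check_ip_interfaces(SAMPLE_PLAN):
        print(f"interface {num}: {code}: {detail}")
```

Pass `max_interfaces=255` for the 2424-SSL limit given in the NOTE in step 1.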

1. Select the IP interface to configure, or skip interface configuration at the prompt:

IP Config:

IP interfaces:
Enter interface number: (1-256)

NOTE – The total number of interfaces on a Nortel Application Switch 2424-SSL is 1-255.

If you wish to configure individual IP interfaces, enter the number of the IP interface you wish to configure. To skip IP interface configuration, press <Enter> without typing an interface number and go to “Default Gateways” on page 43.

2. For the specified IP interface, enter the IP address in dotted decimal notation:

Current IP address: 0.0.0.0
Enter new IP address:

To keep the current setting, press <Enter>.

3. At the prompt, enter the IP subnet mask in dotted decimal notation:

Current subnet mask: 0.0.0.0
Enter new subnet mask:


To keep the current setting, press <Enter>.

4. At the prompt, enter the broadcast IP address in dotted decimal notation:

Current broadcast address: 0.0.0.0
Enter new broadcast address:

To keep the current setting, press <Enter>.

5. If configuring VLANs, specify a VLAN for the interface.

This prompt appears if you selected to configure VLANs back in Part 1:

Current VLAN: 1
Enter new VLAN:

Enter the number for the VLAN to which the interface belongs, or press <Enter> without specifying a VLAN number to accept the current setting.

6. At the prompt, enter y to enable the IP interface, or n to leave it disabled:

Enable IP interface? [y/n]

7. The system prompts you to configure another interface:

Enter interface number: (1-256)

Repeat the steps in this section until all IP interfaces have been configured. When all interfaces have been configured, press <Enter> without specifying any interface number.

Default Gateways

1. At the prompt, select a default gateway for configuration, or skip default gateway configuration:

IP default gateways:
Enter default gateway number: (1-259)

Enter the number for the default gateway to be configured. To skip default gateway configuration, press <Enter> without typing a gateway number and go to “IP Routing” on page 44.


2. At the prompt, enter the IP address for the selected default gateway:

Current IP address: 0.0.0.0
Enter new IP address:

Enter the IP address in dotted decimal notation, or press <Enter> without specifying an address to accept the current setting.

3. At the prompt, enter y to enable the default gateway, or n to leave it disabled:

Enable default gateway? [y/n]

4. The system prompts you to configure another default gateway:

Enter default gateway number: (1-259)

Repeat the steps in this section until all default gateways have been configured. When all default gateways have been configured, press <Enter> without specifying any number.

IP Routing

When IP interfaces are configured for the various subnets attached to your switch, IP routing between them can be performed entirely within the switch. This eliminates the need to bounce inter-subnet communication off an external router device. Routing on more complex networks, where subnets may not have a direct presence on the Nortel Application Switch, can be accomplished through configuring static routes or by letting the switch learn routes dynamically.

This part of the Setup program prompts you to configure the various routing parameters.

1. At the prompt, enable or disable forwarding for IP Routing:

Enable IP forwarding? [y/n]

Enter y to enable IP forwarding. To disable IP forwarding, enter n and proceed to Step 2. To keep the current setting, press <Enter>.

2. At the prompt, enable or disable the RIP supply:

Enable RIP supply? [y/n]


Setup Part 5: Final Steps

1. When prompted, decide whether to restart Setup or continue:

Would you like to run from top again? [y/n]

Enter y to restart the Setup utility from the beginning, or n to continue.

2. When prompted, decide whether you wish to review the configuration changes:

Review the changes made? [y/n]

Enter y to review the changes made during this session of the Setup utility. Enter n to continue without reviewing the changes. We recommend that you review the changes.

3. Next, decide whether to apply the changes at the prompt:

Apply the changes? [y/n]

Enter y to apply the changes, or n to continue without applying. Changes are normally applied.

4. At the prompt, decide whether to make the changes permanent:

Save changes to flash? [y/n]

Enter y to save the changes to flash. Enter n to continue without saving the changes. Changes are normally saved at this point.

5. If you do not apply or save the changes, the system prompts whether to abort them:

Abort all changes? [y/n]

Enter y to discard the changes. Enter n to return to the Apply the changes? prompt.

NOTE – After initial configuration is complete, it is recommended that you change the default passwords as shown in “Setting Passwords” on page 47.


Optional Setup for SNMP Support

NOTE – This step is optional. Perform this procedure only if you are planning on using SNMP-based tools, such as Nortel ASEM.

NOTE – If you need to configure SNMPv3, refer to “SNMPv3 Configuration Menu” on page 276 of this manual.

1. Enable SNMP and select one of the options.

>> # /cfg/sys/access/snmp (disabled/read-only/read-write) [d/r/w]:

2. Set SNMP read or write community string. By default, they are public and private respectively.

>> # /cfg/sys/ssnmp/rcomm|wcomm

3. Apply and save configuration if you are not configuring the switch with Telnet support. Otherwise apply and save after “Optional Setup for Telnet Support” on page 46.

>> System# apply
>> System# save

Optional Setup for Telnet Support

NOTE – This step is optional. Perform this procedure only if you are planning on connecting to the switch through any telnet application.

1. Enable telnet.

>> # /cfg/sys/access/tnet ena

2. Apply and save SNMP and/or telnet configuration(s).

>> System# apply
>> System# save


If your network uses Routing Interface Protocol (RIP), enter y to enable the RIP supply. Otherwise, enter n to disable it. When RIP is enabled, RIP listen is set by default.

Setting Passwords

It is recommended that you change the user and administrator passwords after initial configuration and as regularly as required under your network security policies.

To change both the user password and the administrator password, you must log in using the administrator password. Passwords cannot be modified from the user command mode.

NOTE – If you forget your administrator password, call your technical support representative for help using the password fix-up mode.

Changing the Default Administrator Password

The administrator has complete access to all menus, information, and configuration commands, including the ability to change both the user and administrator passwords.

The default password for the administrator account is admin. To change the default password, follow this procedure:

1. Connect to the switch and log in using the admin password.

2. From the Main Menu, use the following command to access the Configuration Menu:

Main# /cfg


The Configuration Menu is displayed.

[Configuration Menu]
    sys      - System-wide Parameter Menu
    port     - Port Menu
    pmirr    - Port Mirroring Menu
    bwm      - Bandwidth Management Menu
    l2       - Layer 2 Menu
    l3       - Layer 3 Menu
    slb      - Server Load Balancing (Layer 4-7) Menu
    security - Security Menu
    setup    - Step by step configuration set up
    dump     - Dump current configuration to script file
    ptcfg    - Backup current configuration to tftp server
    gtcfg    - Restore current configuration from tftp server

3. From the Configuration Menu, use the following command to select the System Menu:

>> Configuration# sys

The System Menu is displayed.

[System Menu]
    syslog  - Syslog Menu
    mmgmt   - Management Port Menu
    sshd    - SSH Server Menu
    radius  - RADIUS Authentication Menu
    tacacs  - TACACS+ Authentication Menu
    ntp     - NTP Server Menu
    sonmp   - SONMP Menu
    ssnmp   - System SNMP Menu
    health  - System Health Check Menu
    access  - System Access Menu
    date    - Set system date
    time    - Set system time
    idle    - Set timeout for idle CLI sessions
    notice  - Set login notice
    bannr   - Set login banner
    smtp    - Set SMTP host
    hprompt - Enable/disable display hostname (sysName) in CLI prompt
    bootp   - Enable/disable use of BOOTP
    cur     - Display current system-wide parameters


4. From the System menu, use the following path to select the User menu:

System# access/user

5. Select the administrator password.

System# user/admpw

6. Enter the current administrator password at the prompt:

Changing ADMINISTRATOR password; validation required...
Enter current administrator password:

NOTE – If you forget your administrator password, call your technical support representative for help using the password fix-up mode.

7. Enter the new administrator password at the prompt:

Enter new administrator password:

8. Enter the new administrator password, again, at the prompt:

Re-enter new administrator password:

9. Apply and save your change by entering the following commands:

System# apply
System# save

Changing the Default User Password

The user login has limited control of the switch. Through a user account, you can view switch information and statistics, but you can’t make configuration changes.

The default password for the user account is user. This password cannot be changed from the user account. Only the administrator has the ability to change passwords, as shown in the following procedure.


1. Connect to the switch and log in using the admin password.

2. From the Main Menu, use the following command to access the Configuration Menu:

Main# cfg

3. From the Configuration Menu, use the following command to select the System Menu:

>> Configuration# sys

4. Select the user password.

System# access/user/usrpw

5. Enter the current administrator password at the prompt.

Changing USER password; validation required...
Enter current administrator password:

Only the administrator can change the user password. Entering the administrator password confirms your authority.

6. Enter the new user password at the prompt:

Enter new user password:

7. Enter the new user password, again, at the prompt:

Re-enter new user password:

8. Apply and save your changes:

System# apply
System# save

Page 51: Nortel Commands

Changing the Default Layer 4 Administrator Password

The Layer 4 administrator has limited control of the switch. Through a Layer 4 administrator account, you can view all switch information and statistics, but can configure changes only on the Server Load Balancing menus.

The default password for the Layer 4 administrator account is l4admin. To change the default password, follow this procedure:

1. Connect to the switch and log in using the administrator account.

To change any switch password, you must log in using the administrator password. Passwords cannot be modified from the Layer 4 administrator account or the user account.

2. From the Main Menu, use the following path to access the user command:

    Main# /cfg/sys/access/user

3. Select the Layer 4 administrator password:

    System# l4apw

4. Enter the current administrator password (not the Layer 4 administrator password) at the prompt:

    Changing L4 ADMINISTRATOR password; validation required...
    Enter current administrator password:

NOTE – If you forget your administrator password, call your technical support representative for help using the password fix-up mode.

5. Enter the new Layer 4 administrator password at the prompt:

    Enter new L4 administrator password:

6. Enter the new administrator password, again, at the prompt:

    Re-enter new L4 administrator password:

Page 52: Nortel Commands

7. Apply and save your change by entering the following commands:

    System# apply
    System# save


Page 53: Nortel Commands

CHAPTER 3
Menu Basics

The Nortel Application Switch’s Command Line Interface (CLI) is used for viewing switch information and statistics. In addition, the administrator can use the CLI for performing all levels of switch configuration.

To make the CLI easy to use, the various commands have been logically grouped into a series of menus and sub-menus. Each menu displays a list of commands and/or sub-menus that are available, along with a summary of what each command will do. Below each menu is a prompt where you can enter any command appropriate to the current menu.

This chapter describes the Main Menu commands, and provides a list of commands and shortcuts that are commonly available from all the menus within the CLI.

The Main Menu

The Main Menu appears after a successful connection and login. The following table shows the Main Menu for the administrator login. Some features are not available under the user login.

Page 54: Nortel Commands

[Main Menu]
     info     - Information Menu
     stats    - Statistics Menu
     cfg      - Configuration Menu
     oper     - Operations Command Menu
     boot     - Boot Options Menu
     maint    - Maintenance Menu
     ssl      - SSl Accelerator Menu
     diff     - Show pending config changes  [global command]
     apply    - Apply pending config changes [global command]
     save     - Save updated config to FLASH [global command]
     revert   - Revert pending or applied changes [global command]
     exit     - Exit [global command, always available]

NOTE – The ssl option is only visible on the Nortel Application Switch Operating System 2000-SSL Series.

Menu Summary

Information Menu
    Provides sub-menus for displaying information about the current status of the switch: from basic system settings to VLANs, Layer 4 settings, and more.

Statistics Menu
    Provides sub-menus for displaying switch performance statistics. Included are port, IF, IP, ICMP, TCP, UDP, SNMP, routing, ARP, DNS, VRRP, and Layer 4 statistics.

Configuration Menu
    This menu is available only from an administrator login. It includes sub-menus for configuring every aspect of the switch. Changes to configuration are not active until explicitly applied. Changes can be saved to non-volatile memory.

Operations Command Menu
    Operations-level commands are used for making immediate and temporary changes to switch configuration. This menu is used for bringing ports temporarily in and out of service, performing port mirroring, and enabling or disabling Server Load Balancing functions. It is also used for activating or deactivating optional software packages.

Boot Options Menu
    This menu is used for upgrading switch software, selecting configuration blocks, and for resetting the switch when necessary.

Page 55: Nortel Commands

Maintenance Menu
    This menu is used for debugging purposes, enabling you to generate a dump of the critical state information in the switch, and to clear entries in the forwarding database and the ARP and routing tables.

SSL Accelerator Menu

This menu is used for

Page 56: Nortel Commands

Global Commands

Some basic commands are recognized throughout the menu hierarchy. These commands are useful for obtaining online help, navigating through menus, and for applying and saving configuration changes.

For help on a specific command, type help. You will see the following screen:

Global Commands: [can be issued from any menu]
    help       up         print      pwd
    lines      verbose    exit       quit
    diff       apply      save       revert
    ping       ping6      traceroute telnet
    history    pushd      popd       who

The following are used to navigate the menu structure:
    .    Print current menu
    ..   Move up one menu level
    /    Top menu if first, or command separator
    !    Execute command from history

Table 3-1 Description of Global Commands

Command             Action

? command or help
    Provides more information about a specific command on the current menu. When used without the command parameter, a summary of the global commands is displayed.

. or print
    Display the current menu.

.. or up
    Go up one level in the menu structure.

/
    If placed at the beginning of a command, go to the Main Menu. Otherwise, this is used to separate multiple commands placed on the same line.

lines
    Set the number of lines (n) that display on the screen at one time. The default is 24 lines. When used without a value, the current setting is displayed.

diff
    Show any pending configuration changes.

apply
    Apply pending configuration changes.

save
    Write configuration changes to non-volatile flash memory.

revert
    Remove pending configuration changes between “apply” commands. Use this command to restore configuration parameters set since last “apply” command.

exit or quit
    Exit from the command line interface and log out.

Page 57: Nortel Commands

ping
    Use this command to verify station-to-station connectivity across the network. The format is as follows:

        ping <host name>|<IP address> [tries <(1-32)> [msec delay]] [-m|-mgmt|-d|-data]

    Where IP address is the hostname or IP address of the device, tries (optional) is the number of attempts (1-32), msec delay (optional) is the number of milliseconds between attempts. By default, the -d or -data option for network ports is in effect. If the management port is used, specify the -m or -mgmt option. The DNS parameters must be configured if specifying hostnames (see “Domain Name System Configuration Menu” on page 379).

ping6
    Use this command to verify an IP address and interface connectivity across the network. The format is as follows:

        ping6 <IP6 address> <Interface number>

    For example:

        ping6 3001::1234 - for ping6 global unicast address
        ping6 fe80::201:2ff:feb1:10e2 20 - for ping6 link-local address

traceroute
    Use this command to identify the route used for station-to-station connectivity across the network. The format is as follows:

        traceroute <host name>| <IP address> [<max-hops (1-32)> [msec delay]] [-m|-mgmt|-d|-data]

    Where IP address is the hostname or IP address of the target station, max-hops (optional) is the maximum distance to trace (1-16 devices), and delay (optional) is the number of milliseconds to wait for the response. By default, the -d or -data option for network ports is in effect. If the management port is used, specify the -m or -mgmt option. As with ping, the DNS parameters must be configured if specifying hostnames.

pwd
    Display the command path used to reach the current menu.

verbose n
    Sets the level of information displayed on the screen:

        0 = Quiet: Nothing appears except errors—not even prompts.
        1 = Normal: Prompts and requested output are shown, but no menus.
        2 = Verbose: Everything is shown.

    When used without a value, the current setting is displayed.

telnet
    This command is used to telnet out of the switch. The format is as follows:

        <hostname>|<IP address> [port] [-m|-mgmt|-d|-data]

    Where IP address is the hostname or IP address of the device. By default, the -d or -data option for network ports is in effect. If the management port is used, specify the -m or -mgmt option.

history
    This command brings up the history of the last 10 commands.

Page 58: Nortel Commands

pushd
    This command stores the current location of the menu tree. Optionally, a new path to change to can be specified. The format is as follows:

        pushd [<new_path>]

popd
    This command takes the user one level back to the menu location stored by the last pushd command.

who
    This command displays the currently logged user’s session information.

Page 59: Nortel Commands

Command Line History and Editing

Using the command line interface, you can retrieve and modify previously entered commands with just a few keystrokes. The following options are available globally at the command line:

Table 3-2 Command Line History and Editing Options

Option              Description

history
    Display a numbered list of the last 10 previously entered commands.

!!
    Repeat the last entered command.

!n
    Repeat the nth command shown on the history list.

<Ctrl-p>
    (Also the up arrow key.) Recall the previous command from the history list. This can be used multiple times to work backward through the last 10 commands. The recalled command can be entered as is, or edited using the options below.

<Ctrl-n>
    (Also the down arrow key.) Recall the next command from the history list. This can be used multiple times to work forward through the last 10 commands. The recalled command can be entered as is, or edited using the options below.

<Ctrl-a>
    Move the cursor to the beginning of command line.

<Ctrl-e>
    Move cursor to the end of the command line.

<Ctrl-b>
    (Also the left arrow key.) Move the cursor back one position to the left.

<Ctrl-f>
    (Also the right arrow key.) Move the cursor forward one position to the right.

<Backspace>
    (Also the Delete key.) Erase one character to the left of the cursor position.

<Ctrl-d>
    Delete one character at the cursor position.

<Ctrl-k>
    Kill (erase) all characters from the cursor position to the end of the command line.

<Ctrl-l>
    Redraw the screen.

<Ctrl-u>
    Clear the entire line.

Other keys
    Insert new characters at the cursor position.

Page 60: Nortel Commands

Command Line Interface Shortcuts

Command Stacking

As a shortcut, you can type multiple commands on a single line, separated by forward slashes (/). You can connect as many commands as required to access the menu option that you want. For example, the keyboard shortcut to access the Spanning Tree Port Configuration Menu from the Main# prompt is as follows:

    Main# cfg/l2/stg/port

Command Abbreviation

Most commands can be abbreviated by entering the first characters which distinguish the command from the others in the same menu or sub-menu. For example, the command shown above could also be entered as follows:

    Main# c/l2/st/p

Tab Completion

By entering the first letter of a command at any menu prompt and hitting <Tab>, the CLI will display all commands or options in that menu that begin with that letter. Entering additional letters will further refine the list of commands or options displayed. If only one command fits the input text when <Tab> is pressed, that command will be supplied on the command line, waiting to be entered. If the <Tab> key is pressed without any input on the command line, the currently active menu will be displayed.

Configuration Ranges

Most commands now support the use of configuration ranges. Configuration ranges allow the user to set common parameters on a range of similar items on the switch like ports or VLANs. For example, the command shown below would set the PVID of ports 1 through 10 to 5.

    Main# /cfg/port 1-10/pvid 5


Page 61: Nortel Commands

CHAPTER 4
The Information Menu

You can view configuration information for the switch in both the user and administrator command modes. This chapter discusses how to use the command line interface to display switch information.

/info
Information Menu

[Information Menu]
     sys      - System Information Menu
     l2       - Layer 2 Information Menu
     l3       - Layer 3 Information Menu
     slb      - Layer 4-7 Information Menu
     bwm      - Bandwidth Management Information Menu
     security - Show Security status
     link     - Show link status
     port     - Show port information
     swkey    - Show enabled software features
     dump     - Dump all information

The information provided by each menu option is briefly described in Table 4-1 on page 61, with pointers to where detailed information can be found.

Table 4-1 Information Menu Options (/info)

Command Syntax and Usage

sys
    Displays system menu information. To view menu options, see page 63.

l2
    Displays the Layer 2 Information Menu. For details, see page 89.

l3
    Displays the Layer 3 information menu. For details, see page 106.

Page 62: Nortel Commands

slb
    Displays the Layer 4 Information Menu. To view menu options, see page 132.

bwm
    Displays Bandwidth Management information. For details, see page 141.

security
    Displays current UDP blast settings and the security status of the port. To view a sample, see page 146.

link
    Displays configuration information about each port, including:

        Port number
        Port speed (10, 100, 10/100, or 1000)
        Duplex mode (half, full, or auto)
        Flow control for transmit and receive (no, yes, or auto)
        Link status (up or down)

    For details, see page 147.

port
    Displays port status information, including:

        Port number
        Whether the port uses VLAN Tagging or not
        Port VLAN ID (PVID)
        Port name
        VLAN membership

    For details, see page 149.

swkey
    Displays a list of all the optional software packages which have been activated or installed on your switch. For details see page 150.

dump
    Dumps all switch information available from the Information Menu (10K or more, depending on your configuration). If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump commands. For details, see page 150.

Page 63: Nortel Commands

/info/sys
System Information Menu

[System Menu]
     snmpv3   - SNMPv3 Information Menu
     general  - Show general system information
     time     - Show date and time
     log      - Show last 64 syslog messages
     slog     - Show last 64 syslog messages saved in FLASH
     mgmt     - Show management port information
     sonmp    - Show SONMP topology table information
     capacity - Show switch capacity information
     fan      - Show switch fan status
     temp     - Show switch temperature sensor status
     encrypt  - Show switch encryption licenses
     user     - Show current user status
     dump     - Dump all system information

Table 4-2 Information System Menu Options (/info/sys)

Command Syntax and Usage

snmpv3
    Displays SNMPv3 Information Menu. To view the menu options, see page 65.

general
    Displays general system information including:

        System information like time, day, and date.
        Switch model name and number
        How long the switch has been up
        Time of last boot
        MAC address of the switch management processor
        Internal SSL Processor MAC Address if the switch is 2424-SSL
        IP address of IP interface #1
        Hardware order number and part numbers of the Mainboard Hardware, Management Processor Board Hardware, and Fast Ethernet Board Hardware
        Software image file and version number
        Configuration name
        Log-in banner, if one is configured

    See page 74 for a sample output.

time
    Displays the current time.

log
    Displays last 64 syslog messages. See page 76 for a sample output and detailed information.

Page 64: Nortel Commands

slog
    Displays the last 64 syslog messages that are saved in flash. See page 77 for a sample output.

mgmt
    Displays Management port information. See page 78 for detailed information.

sonmp
    Displays SONMP topology table information. See page 79 for detailed information.

capacity gen|bwm|l2|l3|slb|port
    Displays the switch capacity information. This output displays the maximum switch capacity for the various applications and services that the switch supports. The output contains capacity information about Layer 2, Layer 3, RIP, OSPF, BGP, Route Maps, Network Filters, VRRP, Layer 4-7, which includes Server Load Balancing, Filters, GSLB, Health Checks, Bandwidth Management, General switch information, and SNMPv3. See page 80 for a sample output.

fan
    Displays the fan status of the switch.

temp
    Displays the temperature status of the switch sensors.

encrypt
    Displays the current encryption licenses.

user
    Displays the current user names.

dump
    Displays all system information. See page 84 for a sample output.

Page 65: Nortel Commands

/info/sys/snmpv3
SNMPv3 System Information Menu

SNMP version 3 (SNMPv3) is an extensible SNMP Framework that supplements the SNMPv2 Framework by supporting the following:

a new SNMP message format

security for messages

access control

remote configuration of SNMP parameters

For more details on the SNMPv3 architecture please refer to RFC2271 to RFC2276.

[SNMPv3 Information Menu]
     usm      - Show usmUser table information
     view     - Show vacmViewTreeFamily table information
     access   - Show vacmAccess table information
     group    - Show vacmSecurityToGroup table information
     comm     - Show community table information
     taddr    - Show targetAddr table information
     tparam   - Show targetParams table information
     notify   - Show notify table information
     dump     - Show all SNMPv3 information

Table 4-3 SNMPv3 information Menu Options (/info/sys/snmpv3)

Command Syntax and Usage

usm
    Displays User Security Model (USM) table information. To view the table, see page 66.

view
    Displays information about view, subtrees, mask and type of view. To view a sample, see page 67.

access
    Displays View-based Access Control information. To view a sample, see page 68.

group
    Displays information about the group, including the security model, user name, and group name. To view a sample, see page 69.

comm
    Displays the community table information. To view a sample, see page 69.

taddr
    Displays the Target Address table information. To view a sample, see page 70.

Page 66: Nortel Commands

tparam
    Displays the Target parameters table information. To view a sample, see page 71.

notify
    Displays the Notify table information. To view a sample, see page 72.

dump
    Displays all the SNMPv3 information. To view a sample, see page 73.

/info/sys/snmpv3/usm
SNMPv3 USM User Table Information

The User-based Security Model (USM) in SNMPv3 provides security services such as authentication and privacy of messages. This security model makes use of a defined set of user identities displayed in the USM user table. The USM user table contains information like:

the user name

a security name in the form of a string whose format is independent of the Security Model

an authentication protocol, which is an indication that the messages sent on behalf of the user can be authenticated

the privacy protocol.

usmUser Table:
User Name                        Protocol
-------------------------------- --------------------------------
admin                            NO AUTH, NO PRIVACY
adminmd5                         HMAC_MD5, DES PRIVACY
adminsha                         HMAC_SHA, DES PRIVACY
v1v2only                         NO AUTH, NO PRIVACY

Page 67: Nortel Commands

Table 4-4 USM User Table Information Parameters (/info/sys/usm)

Field               Description

User Name
    This is a string that represents the name of the user that you can use to access the switch.

Protocol
    This indicates whether messages sent on behalf of this user are protected from disclosure using a privacy protocol. Nortel Application Switch Operating System 23.0.2 supports DES algorithm for privacy. The software also supports two authentication algorithms: MD5 and HMAC-SHA.

/info/sys/snmpv3/view
SNMPv3 View Table Information

For security reasons, the user can restrict the access allowed to a group to a subset of the management information in the management domain that the group can access within each context, by specifying the group’s rights in terms of a particular MIB view.

View Name         Subtree            Mask           Type
----------------- ------------------ -------------- --------
org               1.3                               included
v1v2only          1.3                               included
v1v2only          1.3.6.1.6.3.15                    excluded
v1v2only          1.3.6.1.6.3.16                    excluded
v1v2only          1.3.6.1.6.3.18                    excluded

Table 4-5 SNMPv3 View Table Information Parameters (/info/sys/snmpv3/view)

Field               Description

View Name
    Displays the name of the view.

Subtree
    Displays the MIB subtree as an OID string. A view subtree is the set of all MIB object instances which have a common Object Identifier prefix to their names.

Mask
    Displays the bit mask.

Type
    Displays whether a family of view subtrees is included or excluded from the MIB view.

Page 68: Nortel Commands

/info/sys/snmpv3/access
SNMPv3 Access Table Information

The access control sub system provides authorization services.

The vacmAccessTable maps a group name, security information, a context, and a message type, which could be the read or write type of operation or notification into a MIB view.

The View-based Access Control Model defines a set of services that an application can use for checking access rights of a group. This group's access rights are determined by a read-view, a write-view and a notify-view. The read-view represents the set of object instances authorized for the group while reading the objects. The write-view represents the set of object instances authorized for the group when writing objects. The notify-view represents the set of object instances authorized for the group when sending a notification.

Group Name Prefix Model   Level        Match  ReadV  WriteV NotifyV
---------- ------ ------- ------ ------ ------ ------ -----
admin             usm     noAuthNoPriv exact  org    org    org
v1v2grp           snmpv1  noAuthNoPriv exact  org    org    v1v2only
admingrp          usm     authPriv     exact  org    org    org

Table 4-6 SNMPv3 Access Table Information (/info/sys/snmpv3/access)

Field               Description

Group Name
    Displays the name of group.

Prefix
    Displays the prefix that is configured to match the values.

Model
    Displays the security model used, for example, SNMPv1, or SNMPv2 or USM.

Level
    Displays the minimum level of security required to gain rights of access. For example, noAuthNoPriv, authNoPriv, or authPriv.

Match
    Displays the match for the contextName. The options are: exact and prefix.

ReadV
    Displays the MIB view to which this entry authorizes the read access.

WriteV
    Displays the MIB view to which this entry authorizes the write access.

NotifyV
    Displays the Notify view to which this entry authorizes the notify access.

Page 69: Nortel Commands

/info/sys/snmpv3/group
SNMPv3 Group Table Information

A group is a combination of security model and security name that defines the access rights assigned to all the security names belonging to that group. The group is identified by a group name.

Sec Model  User Name                       Group Name
---------- ------------------------------- --------------------
snmpv1     v1v2only                        v1v2grp
usm        admin                           admin
usm        adminmd5                        admingrp
usm        adminsha                        admingrp

Table 4-7 SNMPv3 Group Table Information Parameters (/info/sys/snmpv3/group)

Field               Description

Sec Model
    Displays the security model used, which is any one of: USM, SNMPv1, SNMPv2, and SNMPv3.

User Name
    Displays the name for the group.

Group Name
    Displays the access name of the group.

/info/sys/snmpv3/comm
SNMPv3 Community Table Information

This command displays the community table information stored in the SNMP engine.

Index      Name       User Name            Tag
---------- ---------- -------------------- ----------
trap1      public     v1v2only             v1v2trap

Page 70: Nortel Commands

Table 4-8 SNMPv3 Community Table Parameters (/info/sys/snmpv3/comm)

Field               Description

Index
    Displays the unique index value of a row in this table

Name
    Displays the community string, which represents the configuration.

User Name
    Displays the User Security Model (USM) user name.

Tag
    Displays the community tag. This tag specifies a set of transport endpoints from which a command responder application accepts management requests and to which a command responder application sends an SNMP trap.

/info/sys/snmpv3/taddr
SNMPv3 Target Address Table Information

This command displays the SNMPv3 target address table information, which is stored in the SNMP engine.

Name       Transport Addr  Port Taglist    Params
---------- --------------- ---- ---------- ---------------
trap1      47.81.25.66     162  v1v2trap   v1v2param

Table 4-9 SNMPv3 Target Address Table Information Parameters (/info/sys/snmpv3/taddr)

Field               Description

Name
    Displays the locally arbitrary, but unique identifier associated with this snmpTargetAddrEntry.

Transport Addr
    Displays the transport addresses.

Port
    Displays the SNMP UDP port number.

Taglist
    This column contains a list of tag values which are used to select target addresses for a particular SNMP message.

Params
    The value of this object identifies an entry in the snmpTargetParamsTable. The identified entry contains SNMP parameters to be used when generating messages to be sent to this transport address.

Page 71: Nortel Commands

/info/sys/snmpv3/tparam
SNMPv3 Target Parameters Table Information

Name            MP Model User Name      Sec Model Sec Level
--------------- -------- -------------- --------- ---------
v1v2param       snmpv2c  v1v2only       snmpv1    noAuthNoPriv

Table 4-10 SNMPv3 Target Parameters Table Information (/info/sys/snmpv3/tparam)

Field               Description

Name
    Displays the locally arbitrary, but unique identifier associated with this snmpTargetParamsEntry.

MP Model
    Displays the Message Processing Model used when generating SNMP messages using this entry.

User Name
    Displays the securityName, which identifies the entry on whose behalf SNMP messages will be generated using this entry.

Sec Model
    Displays the security model used when generating SNMP messages using this entry. The system may choose to return an inconsistentValue error if an attempt is made to set this variable to a value for a security model which the system does not support.

Sec Level
    Displays the level of security used when generating SNMP messages using this entry.

Page 72: Nortel Commands

/info/sys/snmpv3/notify
SNMPv3 Notify Table Information

Name                 Tag
-------------------- --------------------
v1v2trap             v1v2trap

Table 4-11 SNMPv3 Notify Table Information (/info/sys/snmpv3/notify)

Field               Description

Name
    The locally arbitrary, but unique identifier associated with this snmpNotifyEntry.

Tag
    This represents a single tag value which is used to select entries in the snmpTargetAddrTable. Any entry in the snmpTargetAddrTable that contains a tag value equal to the value of this entry, is selected. If this entry contains a value of zero length, no entries are selected.

Page 73: Nortel Commands

/info/sys/snmpv3/dump
SNMPv3 Dump Information

usmUser Table:
User Name                        Protocol
-------------------------------- --------------------------------
admin                            NO AUTH, NO PRIVACY
adminmd5                         HMAC_MD5, DES PRIVACY
adminsha                         HMAC_SHA, DES PRIVACY
v1v2only                         NO AUTH, NO PRIVACY

vacmAccess Table:
Group Name Prefix Model   Level        Match  ReadV   WriteV   NotifyV
---------- ------ ------- ---------- ------ ------- -------- ------
admin             usm     noAuthNoPriv exact  org     org      org
v1v2grp           snmpv1  noAuthNoPriv exact  org     org      v1v2only
admingrp          usm     authPriv     exact  org     org      org

vacmViewTreeFamily Table:
View Name            Subtree         Mask         Type
-------------------- --------------- ------------ --------------
org                  1.3                          included
v1v2only             1.3                          included
v1v2only             1.3.6.1.6.3.15               excluded
v1v2only             1.3.6.1.6.3.16               excluded
v1v2only             1.3.6.1.6.3.18               excluded

vacmSecurityToGroup Table:
Sec Model  User Name                       Group Name
---------- ------------------------------- -----------------------
snmpv1     v1v2only                        v1v2grp
usm        admin                           admin
usm        adminsha                        admingrp

snmpCommunity Table:
Index      Name       User Name            Tag
---------- ---------- -------------------- ----------

snmpNotify Table:
Name                 Tag
-------------------- --------------------

snmpTargetAddr Table:
Name       Transport Addr  Port Taglist    Params
---------- --------------- ---- ---------- ---------------

snmpTargetParams Table:
Name                 MP Model User Name          Sec Model Sec Level
-------------------- -------- ------------------ --------- -------
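The following Python audit is an added example, not part of the Nortel manual: it reads a captured /info/sys/snmpv3/dump, evaluates VACM views by longest matching subtree (RFC 2275 / RFC 3415), and lists the security names whose access row admits noAuthNoPriv requests with a write view covering the USM, VACM or community MIBs. The input is the manual's sample dump re-typed one row per line with the empty tables left out; the function names and the assumption that the Prefix and Mask columns are empty are ours.

```python
"""Audit a captured /info/sys/snmpv3/dump for unauthenticated write access."""

# Constructed input: the manual's sample dump, re-typed one row per line.
# Assumption: the Prefix and Mask columns are empty (as in that sample), so
# rows split cleanly on whitespace; rows with extra columns are rejected.
SAMPLE_DUMP = """\
usmUser Table:
User Name                        Protocol
-------------------------------- --------------------------------
admin                            NO AUTH, NO PRIVACY
adminmd5                         HMAC_MD5, DES PRIVACY
adminsha                         HMAC_SHA, DES PRIVACY
v1v2only                         NO AUTH, NO PRIVACY

vacmAccess Table:
Group Name Prefix Model   Level        Match  ReadV   WriteV   NotifyV
---------- ------ ------- ---------- ------ ------- -------- ------
admin             usm     noAuthNoPriv exact  org     org      org
v1v2grp           snmpv1  noAuthNoPriv exact  org     org      v1v2only
admingrp          usm     authPriv     exact  org     org      org

vacmViewTreeFamily Table:
View Name            Subtree         Mask         Type
-------------------- --------------- ------------ --------------
org                  1.3                          included
v1v2only             1.3                          included
v1v2only             1.3.6.1.6.3.15               excluded
v1v2only             1.3.6.1.6.3.16               excluded
v1v2only             1.3.6.1.6.3.18               excluded

vacmSecurityToGroup Table:
Sec Model  User Name                       Group Name
---------- ------------------------------- -----------------------
snmpv1     v1v2only                        v1v2grp
usm        admin                           admin
usm        adminsha                        admingrp
"""

# Subtrees that hold the SNMP security configuration itself (the three OIDs
# that the sample v1v2only view excludes).
SENSITIVE = {
    "1.3.6.1.6.3.15": "snmpUsmMIB",
    "1.3.6.1.6.3.16": "snmpVacmMIB",
    "1.3.6.1.6.3.18": "snmpCommunityMIB",
}

def parse_dump(text):
    """Return {table name: [data rows]}; title, header and dash lines dropped."""
    tables, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(" Table:"):
            name = line[: -len(" Table:")]
            tables[name] = []
        elif name and line and not line.startswith("-"):
            tables[name].append(line)
    return {k: rows[1:] for k, rows in tables.items()}

def fields(row, count, table):
    """Split a row and refuse it if a normally empty column is populated."""
    parts = row.split()
    if len(parts) != count:
        raise ValueError(f"{table}: expected {count} columns, got {row!r}")
    return parts

def in_view(views, view_name, target):
    """Of the families whose subtree prefixes the OID, the longest one decides;
    an OID that no family of the view matches is not in the view."""
    t, best = tuple(map(int, target.split("."))), None
    for name, subtree, kind in views:
        sub = tuple(map(int, subtree.split(".")))
        if name == view_name and t[: len(sub)] == sub:
            if best is None or len(sub) > len(best[0]):
                best = (sub, kind)
    return best is not None and best[1] == "included"

def audit(text):
    """List (security name, model, group, writable sensitive MIBs) for every
    access row that admits noAuthNoPriv requests."""
    t = parse_dump(text)
    views = [tuple(fields(r, 3, "vacmViewTreeFamily")) for r in t["vacmViewTreeFamily"]]
    access = [fields(r, 7, "vacmAccess") for r in t["vacmAccess"]]
    findings = []
    for row in t["vacmSecurityToGroup"]:
        model, user, group = fields(row, 3, "vacmSecurityToGroup")
        for g, amodel, level, _match, _readv, writev, _notifyv in access:
            if (g, amodel) != (group, model) or level != "noAuthNoPriv":
                continue
            writable = [n for o, n in SENSITIVE.items() if in_view(views, writev, o)]
            if writable:
                findings.append((user, model, group, writable))
    return findings

if __name__ == "__main__":
    for user, model, group, mibs in audit(SAMPLE_DUMP):
        print(f"{user} ({model}, group {group}): noAuthNoPriv write to {', '.join(mibs)}")
```

On the sample data it reports v1v2only (snmpv1) and admin (usm): both map to access rows at level noAuthNoPriv whose write view is org, which includes the whole 1.3 subtree. The v1v2only view's exclusions apply only where that view is referenced, which in the sample is the notify view.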

Page 74: Nortel Commands

/info/sys/general
General System Information

On a Nortel Application Switch 2424:

System Information at 6:56:53 Thu Sep 15, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia (GMT offset -4:00)

Alteon Application Switch 2424

Switch is up 3 days, 11 hours, 28 minutes and 34 seconds.
Last boot: 18:28:09 Sun Sep 11, 2005 (reset from Telnet)
Last apply: unknown
Last save: 5

MAC Address: 00:01:81:2e:bc:50    IP (If 1) Address: 0.0.0.0
Hardware Order No: EB1412006   Serial No: ABCDE600MJ   Rev: 09
Mainboard Hardware: Part No: P314090-A   Rev: 00
Management Processor Board Hardware: Part No: P314080-A   Rev: 00
Fast Ethernet Board Hardware: Part No: P314091-A   Rev: 00

Note - When the measured temperature inside the switch EXCEEDs the high threshold at 62 degree Celsius a syslog message will be generated.

Software Version 23.0.1 (FLASH image2), active configuration.

Page 75: Nortel Commands

On a Nortel Application Switch 2424-SSL:

NOTE – The display of temperature will come up only if the temperature of any of the sensors exceeds 60°C. There will be a warning from the software if any of the sensors exceeds this temperature threshold. The switch will shut down if the power supply overheats and the temperature gets to 100°C. Information about fan failures will also be displayed if one or more fans are not functioning.

System Information at 6:56:53 Thu Sep 15, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia (GMT offset -4:00)

Alteon Application Switch 2424-SSL

Switch is up 3 days, 11 hours, 28 minutes and 34 seconds.
Last boot: 18:28:09 Sun Sep 11, 2005 (reset from Telnet)
Last apply: unknown
Last save: 5

MAC Address: 00:01:81:2e:bc:50 IP (If 1) Address: 0.0.0.0
Internal SSL Processor MAC Address: 00:01:81:2e:bc:6f
Hardware Order No: EB1412006 Serial No: ABCDE600MJ Rev: 09
Mainboard Hardware: Part No: P314090-A Rev: 00
Management Processor Board Hardware: Part No: P314080-A Rev: 00
Fast Ethernet Board Hardware: Part No: P314091-A Rev: 00

Note - When the measured temperature inside the switch EXCEEDs the high threshold at 62 degree Celsius a syslog message will be generated.

Software Version 23.0.1 (FLASH image2), active configuration.

Page 76: Nortel Commands

/info/sys/time
Show System Time

/info/sys/log
Show Last 64 Syslog Messages

Each syslog message has a criticality level associated with it, included in text form as a prefix to the log message. One of eight different prefixes is used, depending on the condition that the administrator is being notified of, as shown below.

EMERG: indicates the system is unusable

ALERT: indicates action should be taken immediately

>> Main# /info/sys/time
12:52:49 Fri Jul 8, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia
 DST on first Sunday of April at 02:00
 DST off last Sunday of October at 02:00

Date   Time     Criticality level   Message
Nov 19 12:16:51 ALERT stp: STG 1, new root bridge
Nov 19 13:52:03 ALERT ip: cannot contact default gateway 47.80.22.1
Nov 19 13:52:23 NOTICE ip: default gateway 47.80.22.1 operational
Nov 19 13:52:23 NOTICE ip: default gateway 47.80.22.1 enabled
Nov 19 14:21:27 ALERT ip: cannot contact default gateway 47.80.22.1
Nov 19 14:21:47 NOTICE ip: default gateway 47.80.22.1 operational
Nov 19 14:21:47 NOTICE ip: default gateway 47.80.22.1 enabled
Nov 19 14:38:55 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 14:44:02 NOTICE mgmt: admin idle timeout from Telnet/SSH
Nov 19 16:15:06 INFO mgmt: new configuration applied
Nov 19 16:15:20 INFO mgmt: new configuration saved
Nov 19 16:18:44 INFO mgmt: new configuration applied
Nov 19 16:19:37 ERROR mgmt: Error: Apply not done
Nov 19 16:19:57 INFO mgmt: new configuration applied
Nov 19 16:34:35 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 16:39:43 NOTICE mgmt: admin idle timeout from Telnet/SSH
Nov 19 16:39:59 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 16:54:13 NOTICE mgmt: admin idle timeout from Telnet/SSH
Nov 19 17:20:37 NOTICE mgmt: admin login from host 47.81.27.4
Nov 19 17:26:21 NOTICE mgmt: admin login from host 47.81.25.49
Nov 19 17:31:53 NOTICE mgmt: admin idle timeout from Telnet/SSH

Page 77: Nortel Commands

CRIT: indicates critical conditions

ERR: indicates error conditions or error operations

WARNING: indicates warning conditions

NOTICE: indicates a normal but significant condition

INFO: indicates an information message

DEBUG: indicates a debug-level message

/info/sys/slog
Last 64 Saved Syslog Messages

Aug 20 13:54:21 NOTICE ip: management port default gateway 47.80.22.1 operational
Aug 20 13:57:53 ALERT ip: cannot contact management port default gateway 47.80.22.1
Aug 20 13:57:57 NOTICE ip: management port default gateway 47.80.22.1 operational
Aug 20 13:58:23 ALERT ip: cannot contact management port default gateway 47.80.22.1
Aug 20 13:58:33 NOTICE ip: management port default gateway 47.80.22.1 operational
Aug 24 14:43:43 NOTICE mgmt: admin login from host 47.81.25.12
Aug 24 14:49:50 NOTICE mgmt: admin idle timeout from Telnet/SSH
Aug 24 14:51:38 NOTICE mgmt: admin login from host 47.81.25.12
Aug 24 14:57:30 NOTICE mgmt: admin idle timeout from Telnet/SSH
Aug 24 15:05:54 NOTICE mgmt: admin login from host 47.81.25.12
Aug 24 15:11:40 NOTICE mgmt: admin idle timeout from Telnet/SSH
Aug 24 16:00:40 NOTICE mgmt: admin login from host 47.81.25.12
Aug 24 16:00:52 NOTICE mgmt: switch reset from CLI
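One way to triage /info/sys/log or /info/sys/slog output offline, as an added example that is not part of the Nortel reference: the Python below parses lines in the format shown above and flags failed logins, logins from hosts outside an allowlist, image downloads and switch resets. The log lines and the allowlist are constructed; the message patterns are taken from the sample output in this reference, and ERROR is accepted as an alias for the ERR prefix because the samples print it that way.

```python
import re
from collections import Counter

# Prefixes listed in this reference, most severe first. The sample output
# prints "ERROR" where the list says "ERR", so it is mapped as an alias.
SEVERITIES = ("EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG")
ALIASES = {"ERROR": "ERR"}

# "Mon D H:MM:SS LEVEL facility: message"; day and hour may be one digit.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<sev>[A-Z]+)\s+(?P<fac>\w+):\s+(?P<msg>.*)$"
)

# Message shapes seen in the sample output of this reference (not exhaustive).
FAILED_RE = re.compile(
    r"^Failed login attempt via (?P<via>[A-Za-z]+)\.?(?: from host (?P<host>\S+))?$")
LOGIN_RE = re.compile(r"^(?P<user>\S+) login from host (?P<host>\S+)$")
IMAGE_RE = re.compile(r"^(?P<slot>image\d+) downloaded from host (?P<host>[^\s,]+),")
RESET_RE = re.compile(r"^switch reset from (?P<src>\S+)$")

# Constructed log lines in the format shown above.
SAMPLE_LOG = """\
Sep 9 13:37:24 NOTICE mgmt: admin login from host 192.168.0.3
Sep 9 13:38:07 NOTICE mgmt: Failed login attempt via BBI.
Sep 9 13:38:22 NOTICE mgmt: Failed login attempt via BBI.
Sep 11 2:58:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 11 19:21:27 NOTICE mgmt: Failed login attempt via TELNET from host 192.168.249.237
Sep 11 19:21:48 NOTICE mgmt: admin login from host 198.51.100.7
Sep 11 19:25:08 INFO mgmt: image2 downloaded from host 192.168.0.10, file 'example.img', software version 23.0.1
Sep 11 19:26:52 NOTICE mgmt: switch reset from CLI
this line is not a syslog record
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    severity = ALIASES.get(m["sev"], m["sev"])
    if severity not in SEVERITIES:
        return None
    return {
        "when": f'{m["mon"]} {int(m["day"])} {m["time"].zfill(8)}',
        "severity": severity,
        "facility": m["fac"],
        "message": m["msg"].strip(),
    }


def audit_log(lines, allowed_hosts):
    """Summarise severities and list management-plane events worth reviewing."""
    findings, counts, unparsed = [], Counter(), 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1  # keep count: silent drops hide truncated or altered logs
            continue
        counts[rec["severity"]] += 1
        if rec["facility"] != "mgmt":
            continue
        msg, when = rec["message"], rec["when"]
        if (m := FAILED_RE.match(msg)):
            findings.append((when, "failed-login",
                             f"via {m['via']}, host {m['host'] or 'not logged'}"))
        elif (m := LOGIN_RE.match(msg)):
            if m["host"] not in allowed_hosts:
                findings.append((when, "unexpected-login",
                                 f"{m['user']} from {m['host']}"))
        elif (m := IMAGE_RE.match(msg)):
            findings.append((when, "image-download", f"{m['slot']} from {m['host']}"))
        elif (m := RESET_RE.match(msg)):
            findings.append((when, "switch-reset", f"from {m['src']}"))
    return {"findings": findings, "severity_counts": counts, "unparsed": unparsed}


if __name__ == "__main__":
    report = audit_log(SAMPLE_LOG.splitlines(), allowed_hosts={"192.168.0.3"})
    for finding in report["findings"]:
        print(finding)
    print(dict(report["severity_counts"]), "unparsed:", report["unparsed"])
```

Because the switch keeps only the last 64 messages, a review like this is only as complete as the window that was captured.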

Page 78: Nortel Commands

/info/sys/mgmt
Management Port Information

Use this command to display Management port information on a Nortel Application Switch including:

Port speed (10/100)

Duplex mode (half, full, any, or auto)

Link (Up or down)

MAC Address of the system

IP address of the Interface

IP address of the gateway.

Speed Duplex Link
----- ------ ----
100   full   up

MAC address: 00:01:81:2e:a4:8d

Interface information: 47.80.23.251 255.255.254.0 47.80.23.255

Gateway information: 47.80.22.1

Page 79: Nortel Commands

/info/sys/sonmp
SONMP Information

This command displays the SynOptics Network Management Protocol (SONMP) topology table. SONMP is enabled on Nortel Application Switches using the /cfg/sys/sonmp on command, and is necessary so that a Nortel Application Switch can be discovered by the Nortel Enterprise Switch Manager.

When SONMP is enabled, devices on the network exchange two kinds of multicast packets: flatnet hellos and segment hellos. The IP address of the device is written into the hello packets. As the network devices exchange information, a topology table is built like the one shown below.

Slot  IP address      Seg MAC address       Chassis Type       Local State
Port                  Id                                       Seg
----- --------------- --- ----------------- ------------------ ----- -----
0 /0  47.80.23.247    0   00:01:81:2e:a3:60 Alteon2224         true  topChanged
1 /11 47.80.22.1      770 00:e0:16:7c:28:24 Passport1200       true  heartbeat
1 /11 47.80.23.25     259 00:60:cf:81:54:28 Passport8610       true  heartbeat
1 /11 47.80.23.25     260 00:60:cf:81:54:38 Passport8610       true  heartbeat
1 /11 47.80.23.241    257 00:60:cf:43:a2:10 AlteonAD4          true  topChanged
1 /11 50.10.10.1      263 00:60:cf:46:d5:60 Alteon184          true  topChanged

Table 4-12 SONMP Information Parameters Description

Parameter Description

Slot Port Specifies the slot and port on which the topology message was received.

IP Address This is the IP address of the sender of the topology message.

Seg ID The “segment identifier” of the segment from which the remote agent sent the topology message. Different devices may use different methods for representing the segment identifier.

Mac Address The MAC address of the sender of the topology message.

Chassis Type The chassis type of the device that sent the topology message.

Local Seg Indicates if the sender of the topology message is on the same Ethernet segment (i.e. not across a bridge) as the reporting agent.

State The current state of the sender of the topology message. The values are:

topChanged—topology information has recently changed.
heartbeat—topology information unchanged.
new—sending agent is in new state.

Page 80: Nortel Commands

/info/sys/capacity
System Capacity Information

The following sample output from a Nortel Application Switch 2424 displays the maximum and currently enabled switch capacity for various services and applications from Layer 2-7.

                          Maximum   Current(Enabled)
LAYER 2
FDB                       16384     54
FDB per SP                8192
VLANs                     1024      1(1)
Static Trunk Groups       12        0(0)
LACP Trunk Groups         28
Trunks per Trunk Group    8
Spanning Tree Groups      16        16(1)
Port Teams                8         8(0)
Monitor Ports             1

LAYER 3
IP Interfaces             256       1(1)
IP Gateways               4+255     1+0(1+0)
IP Routes                 4096      7
Static Routes             128       0
ARP Entries               8192      5
Static ARP Entries        128       0
Local Nets                5         0
DNS Servers               2         0
BOOTP Servers             2         0

RIP Interfaces            256       0

OSPF Interfaces           256       0(0)
OSPF Areas                3         0(0)
OSPF Summary Ranges       16        0(0)
OSPF Virtual Links        3         0(0)
OSPF Hosts                128       0(0)
LSDB Limit                12288

Continued...

Page 81: Nortel Commands

BGP Peers                                 16        0(0)
BGP Route Aggregators                     16        0(0)

Route Maps                                32        0(0)
Network Filters                           256       0(0)
AS Filters                                8

VRRP Routers                              1024      0(0)
VRRP Router Groups                        16        0(0)
VRRP Interfaces                           256       0

SLB (LAYER 4-7)
Real Servers                              1024      0(0)
Server Groups                             1024      0
Virtual Servers                           1024      0(0)
Virtual Services                          1024
Real Services                             8192

Real IDS Servers                          62
IDS Server Groups                         63

Global SLB Domains                        1024      0(0)
Global SLB Services                       8192      0(0)
Global SLB Local Servers                  1024      0(0)
Global SLB Remote Servers                 1024      0(0)
Global SLB Remote Sites                   64        0(0)
Global SLB Failovers per Remote Site      2         2(2)
Global SLB Networks                       128       0(0)
Global SLB Geographical Regions           7         7(7)
Global SLB Rules                          128       0(1)
Global SLB Metrics Per Rule               8         8(8)
Global SLB DNS Persistence Cache Entries  100000    100000(100000)

Filters                                   2048      0(0)
PIPs                                      1024      0
Scriptable Health Checks                  64        0
SNMP Health Checks                        5         0
Rules for URL Parsing                     1024      1
SLB Sessions                              1048550   0
Number of Rports to Vport                 64
Domain Records                            64        0(0)
Mapping Per Domain Record                 8

LAYER 4 - PORTS
Port # Client Server Filter RTS

Continued...

Page 82: Nortel Commands

BWM
Policies                            512       0
Contracts                           1024      1(1)
Groups                              32        0
Contracts per Group                 8
Time Policies per Contract          2

Security
Configuration source IP ACLs        5120      0
Bogon source IP ACLs                8192      0
Operations source IP ACLs           1024      0
Total source IP ACLs                14340     0
Configuration destination IP ACLs   1024      0
Operations destination IP ACLs      1024      0
Total destination IP ACLs           2052      0
IP DoS attacks prevention           17
TCP DoS attacks prevention          18
UDP DoS attacks prevention          6
ICMP DoS attacks prevention         5
IGMP DoS attacks prevention         3
ARP DoS attacks prevention          5
IPv6 DoS attacks prevention         2
Total DoS attacks prevention        56
UDP ports for UDP blast protection  5000

GENERAL
Syslog hosts                        2         0
RADIUS servers                      2         0
NTP servers                         1         0
SMTP hosts                          1         1
Mnet/Mmask                          5         0
End Users                           10
Panic Dumps                         2
MP memory                           128M
SP memory                           128M

SNMPv3 Users                        16        3
SNMPv3 Views                        128       5
SNMPv3 Access Groups                32        2
SNMPv3 Target Address Entries       16        0
SNMPv3 Target Params Entries        16        0

Page 83: Nortel Commands

/info/sys/fan
Show switch fan status

/info/sys/temp
Show switch temperature sensor status

/info/sys/encrypt
Show encryption licenses

/info/sys/user
Show current user status

>> System# fan
Fans OK.

>> System# temp
Temperature OK.

AOS contains the following encryption licenses:
 BLOWFISH
 DES & 3DES
 MD5
 RC4
 SHA-1

Usernames:
 user - enabled
 slboper - disabled
 l4oper - disabled
 oper - disabled
 slbadmin - disabled
 l4admin - disabled
 admin - Always Enabled

Note: there are pending config changes; use "diff" to see them.
Current User ID table:

Page 84: Nortel Commands

/info/sys/dump
System Information Dump

System Information at 7:02:06 Thu Sep 15, 2005 (DST)
Time zone: America/Canada/Atlantic-Nova-Scotia (GMT offset -4:00)

Alteon Application Switch 2424-SSL

Switch is up 3 days, 11 hours, 33 minutes and 48 seconds.
Last boot: 18:28:09 Sun Sep 11, 2005 (reset from Telnet)
Last apply: unknown
Last save: 5

MAC Address: 00:01:81:2e:bc:50 IP (If 1) Address: 0.0.0.0
Internal SSL Processor MAC Address: 00:01:81:2e:bc:6f
Hardware Order No: EB1412006 Serial No: ABCDE600MJ Rev: 09
Mainboard Hardware: Part No: P314090-A Rev: 00
Management Processor Board Hardware: Part No: P314080-A Rev: 00
Fast Ethernet Board Hardware: Part No: P314091-A Rev: 00

Note - When the measured temperature inside the switch EXCEEDs the high threshold at 62 degree Celsius a syslog message will be generated.

Software Version 23.0.1 (FLASH image2), active configuration.

Last 64 syslog messages:
Sep 12 10:42:19 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 11:03:13 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 11:27:48 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 11:54:07 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 12:19:01 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 12 13:57:54 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 14:02:58 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 14:07:27 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 14:10:03 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 14:19:44 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 14:59:20 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 15:08:06 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 15:09:43 NOTICE mgmt: admin idle timeout from Telnet/SSH
Sep 12 15:15:08 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 15:15:32 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 15:58:30 NOTICE mgmt: admin login from host 192.168.0.3
Sep 12 16:00:02 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 12 17:56:01 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 12 23:33:01 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 13 5:10:01 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 13 10:47:01 ERROR mgmt: tcp open error, cannot contact reporting server

Continued . . .

Page 85: Nortel Commands

Sep 13 16:24:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 13 22:01:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 14 3:38:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 14 9:15:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 14 10:23:04 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 10:23:05 ERROR cli: Error: VLAN 5 doesn't exist; the PVID for port 1 (5) needs to be changed
Sep 14 10:23:05 ERROR cli: Error: PVID 5 for port 1 is not created
Sep 14 10:23:05 ERROR mgmt: Error: Apply not done
Sep 14 10:24:45 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 11:30:36 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 11:35:25 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 11:35:40 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 11:39:37 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 11:49:12 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 11:58:20 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 13:41:54 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 13:46:18 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 14:37:07 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 14:52:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 14 14:58:57 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 16:09:44 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 16:20:44 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 16:24:58 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 16:30:51 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 16:48:16 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 16:50:34 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 16:57:47 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 16:57:55 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 17:00:02 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 17:04:59 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 17:05:49 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 17:06:05 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 19:54:04 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 20:00:22 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 20:01:47 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 20:22:49 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 20:23:10 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 20:23:55 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 14 20:29:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 14 20:40:41 NOTICE mgmt: admin login from host 192.168.0.3
Sep 14 21:43:51 NOTICE mgmt: admin idle timeout from Telnet/SSH
Sep 15 2:06:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 15 6:56:45 NOTICE mgmt: admin login from host 192.168.0.3

Continued . . .

Page 86: Nortel Commands

Last 64 syslog messages saved in FLASH:
Sep 8 10:44:06 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 10:48:43 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 10:49:32 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 10:50:18 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 10:57:59 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 10:57:42 ERROR cli: Error: IP interface 2 has no IP address configured
Sep 8 10:57:42 ERROR mgmt: Error: Apply not done
Sep 8 10:58:19 INFO mgmt: new configuration applied
Sep 8 10:58:20 INFO mgmt: Operational change made by Admin from Telnet:192.168.0.3, login since 10:56:59
Sep 8 10:58:33 INFO mgmt: new configuration saved
Sep 8 10:58:44 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 11:09:21 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 11:58:21 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 13:11:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 8 15:31:08 NOTICE mgmt: admin login from host 192.168.0.3
Sep 8 15:31:21 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 8 18:48:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 9 0:25:00 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 9 6:02:04 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 9 9:15:45 NOTICE mgmt: admin login from host 192.168.0.3
Sep 9 9:23:27 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 9 10:32:10 NOTICE mgmt: admin login from host 192.168.0.3
Sep 9 10:33:40 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 9 11:39:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 9 13:37:24 NOTICE mgmt: admin login from host 192.168.0.3
Sep 9 13:37:53 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 9 13:38:07 NOTICE mgmt: Failed login attempt via BBI.
Sep 9 13:38:22 NOTICE mgmt: Failed login attempt via BBI.
Sep 9 16:00:10 NOTICE mgmt: admin login from host 192.168.0.3
Sep 9 16:00:13 NOTICE mgmt: admin connection closed from Telnet/SSH
Sep 9 17:16:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 9 22:53:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 10 4:30:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 10 10:07:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 10 15:44:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 10 21:21:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 11 2:58:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 11 8:35:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 11 14:12:03 ERROR mgmt: tcp open error, cannot contact reporting server
Sep 11 19:21:27 NOTICE mgmt: Failed login attempt via TELNET from host 192.168.249.237
Sep 11 19:21:48 NOTICE mgmt: admin login from host 192.168.0.3
Sep 11 19:25:08 INFO mgmt: image2 downloaded from host 192.168.0.10, file 'AAS-23.0.1.0-2000-AlteonOS.img', software version 23.0.1
Sep 11 19:26:39 NOTICE mgmt: Next boot will use new image2.
Sep 11 19:26:52 NOTICE mgmt: switch reset from CLI

Continued . . .

Page 87: Nortel Commands

Management port information:

Speed Duplex Link
----- ------ ----
100   half   up

MAC address: 00:03:24:6e:bd:3d

Interface information: 192.168.0.13 255.255.255.0 192.168.0.255

Gateway information: 192.168.0.1

Engine ID = 80:00:07:50:03:00:01:81:2E:BC:50

usmUser Table:
User Name                        Protocol
-------------------------------- --------------------------------
adminmd5                         HMAC_MD5, DES PRIVACY
adminsha                         HMAC_SHA, DES PRIVACY
v1v2only                         NO AUTH, NO PRIVACY

vacmAccess Table:
Group Name Prefix Model   Level        Match  ReadV      WriteV     NotifyV
---------- ------ ------- ------------ ------ ---------- ---------- --------
v1v2grp           snmpv1  noAuthNoPriv exact  iso        iso        v1v2only
admingrp          usm     authPriv     exact  iso        iso        iso

vacmViewTreeFamily Table:
View Name            Subtree                        Mask           Type
-------------------- ------------------------------ -------------- ------
iso                  1                                             included
v1v2only             1                                             included
v1v2only             1.3.6.1.6.3.15                                excluded
v1v2only             1.3.6.1.6.3.16                                excluded
v1v2only             1.3.6.1.6.3.18                                excluded

vacmSecurityToGroup Table:
Sec Model  User Name                       Group Name
---------- ------------------------------- -------------------------------
snmpv1     v1v2only                        v1v2grp
usm        adminmd5                        admingrp
usm        adminsha                        admingrp

Continued . . .

Page 88: Nortel Commands

snmpCommunity Table:
Index      Name       User Name            Tag
---------- ---------- -------------------- ----------

snmpNotify Table:
Name                 Tag
-------------------- --------------------

snmpTargetAddr Table:
Name       Transport Addr  Port Taglist    Params
---------- --------------- ---- ---------- ---------------

snmpTargetParams Table:
Name                 MP Model User Name            Sec Model Sec Level
-------------------- -------- -------------------- --------- ---------

Slot  IP address      Seg  MAC address       Chassis Type      Local State
Port                  Id                                       Seg
----- --------------- ---- ----------------- ----------------- ----- -------

Page 89: Nortel Commands

/info/l2
Layer 2 Information Menu

[Layer 2 Menu]
     fdb   - Forwarding Database Information Menu
     lacp  - Link Aggregation Control Protocol Menu
     stg   - Show STG information
     cist  - Show CIST information
     trunk - Show Trunk Group information
     vlan  - Show VLAN information
     team  - Show port team information
     dump  - Dump all layer 2 information

Table 4-13 Layer 2 Information Menu Options

Command Syntax and Usage

fdb
Displays the Forwarding Database Information Menu. For details, see page 90.

lacp
Displays Link Aggregation Control Protocol Information Menu. For details, see page 93.

stg <STG index to display or carriage return for all STGs>
In addition to seeing if Spanning Tree Protocol is enabled or disabled, you can view the following STP bridge information:
Priority
Hello interval
Maximum age value
Forwarding delay
Aging time

You can also see the following port-specific STP information:
Port number and priority
Cost
State

For details, see page 96.

cist
Display the CIST information.

trunk
When trunk groups are configured, you can view the state of each port in the various trunk groups. For details, see page 102.

Page 90: Nortel Commands

/info/l2/fdb
Layer 2 FDB Information

The forwarding database (FDB) contains information that maps the media access control (MAC) address of each known device to the switch port where the device address was learned. The FDB also shows which other ports have seen frames destined for a particular MAC address.

vlan <VLAN number to display or carriage return to display all VLANs>
Displays VLAN configuration information, including:
VLAN Number
VLAN Name
Status
Port membership of the VLAN

For details, see page 103.

team
Show port team information.

dump
Displays all Layer 2 information.

[Forwarding Database Menu]
     find  - Show a single FDB entry by MAC address
     port  - Show FDB entries on a single port
     trunk - Show FDB entries on a single trunk
     vlan  - Show FDB entries on a single VLAN
     refpt - Show FDB entries referenced by a single SP
     dump  - Show all FDB entries

Page 91: Nortel Commands

NOTE – The master forwarding database supports up to 16K MAC address entries on the MP per switch. Each SP supports up to 8K entries.

Table 4-14 Layer 2 FDB Information Menu Options (/info/l2/fdb)

Command Syntax and Usage

find <MAC address> [<VLAN>]
Displays a single database entry by its MAC address. You are prompted to enter the MAC address of the device. Enter the MAC address using the format, xx:xx:xx:xx:xx:xx. For example, 08:00:20:12:34:56.
You can also enter the MAC address using the format, xxxxxxxxxxxx. For example, 080020123456.

port <port number, 0 for "unknown">
Displays all FDB entries for a particular port.

trunk <trunk group number>
Displays all FDB entries on a single trunk.

vlan <VLAN number (1-4090)>
Displays all FDB entries on a single VLAN.

refpt <SP number (1-4)>
Displays the FDB entries referenced by a single port.

dump
Displays all entries in the Forwarding Database. For more information, see page 92.

Page 92: Nortel Commands

/info/l2/fdb/dump
Show All FDB Information

An address in the forwarding (FWD) state has been learned by the switch. When in the trunking (TRK) state, the port field represents the trunk group number. If the state for the port is listed as unknown (UNK), the MAC address has not yet been learned by the switch, but has only been seen as a destination address. When an address is in the unknown state, no outbound port is indicated, although ports which reference the address as a destination will be listed under “Reference ports.”

If the state for the port is listed as an interface (IF), the MAC address is for a standard VRRP virtual router. If the state is listed as a virtual server (VIP), the MAC address is for a virtual server router—a virtual router with the same IP address as a virtual server.

Clearing Entries from the Forwarding Database
To delete a MAC address from the forwarding database (FDB) or to clear the entire FDB, refer to “Forwarding Database Options” on page 522.

MAC address       VLAN Port State Referenced SPs Referenced ports
----------------- ---- ---- ----- -------------- -------------
00:02:01:00:00:00 300  23   FWD   1 2 1 23
00:02:01:00:00:01 300  23   FWD   1 2 1 23
00:02:01:00:00:02 300  23   FWD   1 2 1 23
00:02:01:00:00:03 300  23   FWD   1 2 1 23
00:02:01:00:00:04 300  23   FWD   1 2 1 23
00:02:01:00:00:05 300  23   FWD   1 2 1 23
00:02:01:00:00:06 300  23   FWD   1 2 1 23
00:02:01:00:00:07 300  23   FWD   1 2 1 23
00:02:01:00:00:08 300  23   FWD   1 2 1 23
00:02:01:00:00:09 300  23   FWD   1 2 1 23
00:02:01:00:00:0a 300  23   FWD   1 2 1 23
00:02:01:00:00:0b 300  23   FWD   1 2 1 23
00:02:01:00:00:0c 300  23   FWD   1 2 1 23

Page 93: Nortel Commands

/info/l2/lacp
Link Aggregation Control Protocol Information Menu

The following menu options display the Link Aggregation Control Protocol (LACP) information on the Nortel Application Switch Operating System.

[LACP Menu]
     aggr - Show LACP aggregator information for the port
     port - Show LACP port information
     dump - Show all LACP ports information

Table 4-15 Link Aggregation Control Protocol Information Menu Options (/info/lacp)

Command Syntax and Usage

aggr <aggregator index 1 to max num ports>
Displays information of an LACP aggregator.

port <port index 1 to max num ports>
Displays information of an LACP port.

dump
Displays LACP information of all the ports. Use this command to verify the state of ports in an LACP trunk group. To view a sample output, see page 96.

Page 94: Nortel Commands

/info/lacp/aggr
LACP Aggregator Information

Aggregator Id 1
----------------------------------------------
MAC address - 00:01:81:2e:a1:d1
Actor System Priority - 32768
Actor System ID - 00:01:81:2e:a1:b0
Individual - FALSE
Actor Admin Key - 300
Actor Oper Key - 300
Partner System Priority - 32768
Partner System ID - 00:0d:29:e3:4a:00
Partner Oper Key - 1
ready - TRUE
Number of Ports in aggr - 10
index 0 port 1
index 1 port 2
index 2 port 3
index 3 port 4
index 4 port 5
index 5 port 6
index 6 port 7
index 7 port 8
index 8 port 9
index 9 port 10

Page 95: Nortel Commands

/info/lacp/port
LACP Port Information

port 1
----------------------------------------------
lacp_enabled - TRUE
lacp_admin_enabled - TRUE

Actor System ID - 00:01:81:2e:a1:b0
Actor System Priority - 32768
Actor Admin Key - 300
Actor Oper Key - 300
Actor Port Number - 1
Actor Port Priority - 32768

Partner Admin System Priority - 0
Partner Oper System Priority - 32768
Partner Admin System ID - 00:00:00:00:00:00
Partner Oper System ID - 00:0d:29:e3:4a:00
Partner Admin Key - 0
Partner Oper Key - 1
Partner Admin Port Number - 0
Partner Admin Port Priority - 0
Partner Oper Port Number - 4
Partner Oper Port Priority - 32768

Actor Admin Port state
 Activity: Active
 Timeout: Long
 Aggregation: TRUE
 Synchronization:FALSE
 Collecting: FALSE
 Distributing: FALSE
 Defaulted: FALSE
 Expired: FALSE
Actor Oper Port state
 Activity: Active
 Timeout: Long
 Aggregation: TRUE
 Synchronization:TRUE
 Collecting: TRUE
 Distributing: TRUE
 Defaulted: FALSE
 Expired: FALSE

Partner Admin Port state - 0x0
Partner Oper Port state

Continued

Page 96: Nortel Commands

Individual - TRUE
Selected Aggregator ID - 0
Attached Aggregator ID - 0
ready_n - FALSE
ntt - FALSE
selected - Unselcted
port_moved - FALSE
Collection and Distribution state turned ON!

Rx machine state - LACP_RX_INIT_STATE
Mux machine state - LACP_MUX_DETACHED_STATE
Periodic machine state - LACP_PERIODIC_NO_STATE

Page 97: Nortel Commands

/info/lacp/dump
LACP Dump Information

port  lacp    adminkey  operkey  selected  prio   attached  trunk
                                                  aggr
-------------------------------------------------------------------
1     active  300       300      y         32768  1         13
2     active  300       300      y         32768  1         13
3     active  300       300      y         32768  1         13
4     active  300       300      y         32768  1         13
5     active  300       300      y         32768  1         13
6     active  300       300      y         32768  1         13
7     active  300       300      y         32768  1         13
8     active  300       300      y         32768  1         13
9     active  300       300      n         32768  --        --
10    active  300       300      n         32768  --        --
11    active  300       300      n         32768  --        --
12    active  300       300      n         32768  --        --
13    active  300       300      n         32768  --        --
14    off     14        14       n         32768  --        --
15    off     15        15       n         32768  --        --
16    off     16        16       n         32768  --        --
17    off     17        17       n         32768  --        --
18    off     18        18       n         32768  --        --
19    off     19        19       n         32768  --        --
20    off     20        20       n         32768  --        --
21    off     21        21       n         32768  --        --
22    off     22        22       n         32768  --        --
23    off     23        23       n         32768  --        --
24    off     24        24       n         32768  --        --
25    off     25        25       n         32768  --        --
26    off     26        26       n         32768  --        --
27    off     27        27       n         32768  --        --
28    off     28        28       n         32768  --        --


/info/l2/stg
Layer 2 Spanning Tree Group Information

When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the network so that a switch uses only the most efficient path.

NOTE – Nortel Application Switch Operating System 23.0.2 supports up to 16 multiple Spanning Trees or Spanning Tree Groups.

The switch software uses the IEEE 802.1d Spanning Tree Protocol (STP). In addition to seeing if STP is enabled or disabled, you can view the following STP bridge information:

Priority

Hello interval

Maximum age value

Forwarding delay

Aging time

Spanning Tree Group 1: On

Current Root:           Path-Cost Port Hello MaxAge FwdDel Aging
8000 00:01:81:2e:a1:80  0         0    2     20     15     300

Parameters: Priority Hello MaxAge FwdDel Aging
            32768    2     20     15     300

Port  Priority Cost State      Designated Bridge      Des Port
----- -------- ---- ---------- ---------------------- -------
1     128      0    DISABLED
2     128      0    DISABLED
3     128      0    DISABLED
4     128      0    DISABLED
5     128      5    FORWARDING 8000-00:01:81:2e:a1:80 32773
6     128      0    DISABLED
7     128      0    DISABLED
8     128      0    DISABLED
9     128      0    DISABLED
10    128      0    DISABLED
11    128      0    DISABLED


You can also see the following port-specific STP information:

Port number and priority

Cost

State

Designated Bridge

Designated Port

The following table describes the STP parameters.

Table 4-16 Spanning Tree Parameter Descriptions

Parameter Description

Priority (bridge) The bridge priority parameter controls which bridge on the network will become the STP root bridge.

Hello The hello time parameter specifies, in seconds, how often the root bridge transmits a configuration bridge protocol data unit (BPDU). Any bridge that is not the root bridge uses the root bridge hello value.

MaxAge The maximum age parameter specifies, in seconds, the maximum time the bridge waits without receiving a configuration bridge protocol data unit before it reconfigures the STP network.

FwdDel The forward delay parameter specifies, in seconds, the amount of time that a bridge port has to wait before it changes from learning state to forwarding state.

Aging The aging time parameter specifies, in seconds, the amount of time the bridge waits without receiving a packet from a station before removing the station from the Forwarding Database.

priority (port) The port priority parameter helps determine which bridge port becomes the designated port. In a network topology that has multiple bridge ports connected to a single segment, the port with the lowest port priority becomes the designated port for the segment.

Cost The port path cost parameter is used to help determine the designated port for a segment. Generally speaking, the faster the port, the lower the path cost. A setting of 0 indicates that the cost will be set to the appropriate default after the link speed has been auto negotiated.

State The state field shows the current state of the port. The state field can be either BLOCKING, LISTENING, LEARNING, FORWARDING, or DISABLED.


Designated Bridge The designated bridge resides closest to the root bridge and is responsible for forwarding packets from the LAN towards the root bridge. This bridge is displayed as a character string starting with the bridge priority (1-65535) followed by a hyphen and the six-byte MAC address of that switch.

Designated port The designated port identifies a physical port. This is a number that is the numerical sum of bridge priority and the actual physical port number. For example, physical port number four with bridge priority 32768 will be displayed as 32768+4=32772.


/info/l2/cist
Show common internal spanning tree (CIST) information

NOTE – Nortel Application Switch Operating System 23.0.2 supports up to 16 multiple Spanning Trees or Spanning Tree Groups.

------------------------------------------------------------------
Common Internal Spanning Tree:

VLANs: 1 4-4094

Current Root:           Path-Cost Port MaxAge FwdDel
8000 00:01:81:2e:bc:50  0         0    20     15

Cist Regional Root:     Path-Cost
8000 00:01:81:2e:bc:50  0

Parameters: Priority MaxAge FwdDel Hops
            32768    20     15     20

Port    Prio Cost      State Role Designated Bridge      Des Port Hello Type
-----   ---- --------- ----- ---- ---------------------- -------- ----- ----
1       128  20000     DSB
2       128  20000     DSB
3       128  20000     DSB
4       128  20000     DSB
5       128  20000     DSB
6       128  20000     DSB
7       128  20000     DSB
...
18      128  20000     DSB
19      128  20000     DSB
20      128  20000     DSB
21      128  20000     DSB
22      128  20000     DSB
23      128  20000     DSB
24      128  20000     DSB
25      128  20000     DSB
26      128  20000     DSB
27      128  20000     DSB
28      128  20000     DSB
sslpro  128  20000     DISC  DESG 8000-00:01:81:2e:bc:50 801d     2     Shared


/info/l2/trunk
Trunk Group Information

Trunk groups can provide super-bandwidth, multi-link connections between Nortel Application Switches or other trunk-capable devices. A trunk group is a group of ports that act together, combining their bandwidth to create a single, larger virtual link. When trunk groups are configured, you can view the state of each port in the various trunk groups.

NOTE – If Spanning Tree Protocol on any port in the trunk group is set to forwarding, the remaining ports in the trunk group will also be set to forwarding.

Trunk group 1, bw contract 1024, port state:
 1: STG 1 forwarding
 2: STG 1 forwarding


/info/l2/vlan
VLAN Information

This information display includes all configured VLANs and all member ports that have an active link state. Port membership is represented in slot/port format.

VLAN information includes:

VLAN Number

VLAN Name

Status

Jumbo Frames

Bandwidth Contract if BWM is enabled

Source MAC Address Learning

Port membership of the VLAN

VLAN Name                             Status Jumbo BWC  Learn Ports
---- -------------------------------- ------ ----- ---- ----- -----
1    Default VLAN                     ena    n     1024 ena   1-28


/info/l2/team
Status of port teams

>> Layer 2# team
All port teams are disabled.

/info/l2/dump
Layer2 Dump Information

Spanning Tree Group 1: On

Current Root:           Path-Cost Port Hello MaxAge FwdDel Aging
8000 00:01:81:2e:a1:80  0         0    2     20     15     300

Parameters: Priority Hello MaxAge FwdDel Aging
            32768    2     20     15     300

Port  Priority Cost State      Designated Bridge      Des Port
----- -------- ---- ---------- ---------------------- --------
1     128      0    DISABLED
2     128      0    DISABLED
3     128      0    DISABLED
4     128      0    DISABLED
5     128      5    FORWARDING 8000-00:01:81:2e:a1:80 32773
6     128      0    DISABLED
7     128      0    DISABLED
8     128      0    DISABLED
9     128      0    DISABLED
10    128      0    DISABLED
11    128      0    DISABLED
12    128      0    DISABLED


/info/l3
Layer3 Information Menu

[Layer 3 Menu]
 route    - IP Routing Information Menu
 route6   - IP6 Routing Information Menu
 arp      - ARP Information Menu
 nbrcache - IP6 Neighbor Cache Information Menu
 bgp      - BGP Information Menu
 ospf     - OSPF Routing Information Menu
 ip       - Show IP information
 vrrp     - Show Virtual Router Redundancy Protocol information
 dump     - Dump all layer 3 information

Table 4-17 Layer 3 Information Menu Options

Command Syntax and Usage

route
Displays the IP Routing Menu. Using the options of this menu, the system displays the following for each configured or learned route:
 Route destination IP address, subnet mask, and gateway address
 Type of route
 Tag indicating origin of route
 Metric for RIP tagged routes, specifying the number of hops to the destination (1-15 hops, or 16 for infinite hops)
 The IP interface that the route uses
For details, see page 107.

route6
IP6 Routing Information Menu. To view menu options, see page 110.

arp
Displays the Address Resolution Protocol (ARP) Information Menu. For details, see page 112.

nbrcache
IP6 Neighbor Cache Menu. To view menu options, see page 115.

bgp
Displays BGP Information Menu. To view menu options, see page 117.

ospf
Displays OSPF routing information menu. For details, see page 119.


ip
Displays IP Information. For details, see page 126. IP information includes:
 IP interface information: Interface number, IP address, subnet mask, broadcast address, VLAN number, and operational status.
 Default gateway information: Metric for selecting which configured gateway to use, gateway number, IP address, and health status
 IP forwarding information: Enable status, lnet and lmask
 Port status

vrrp
Displays the VRRP Information Menu. For details, see page 127.

dump
Displays all Layer 3 information.

/info/l3/route
IP Routing Information

[IP Routing Menu]
 find - Show a single route by destination IP address
 gw   - Show routes to a single gateway
 type - Show routes of a single type
 tag  - Show routes of a single tag
 if   - Show routes on a single interface
 dump - Show all routes

Using the commands listed below, you can display all or a portion of the IP routes currently held in the switch.

Table 4-18 Route Information Menu Options (/info/route)

Command Syntax and Usage

find <IP address (such as, 192.4.17.101)>
Displays a single route by destination IP address.

gw <default gateway address (such as, 192.4.17.44)>
Displays routes to a single gateway.

type indirect|direct|local|broadcast|martian|multicast
Displays routes of a single type. For a description of IP routing types, see Table 4-19 on page 109.


tag fixed|static|addr|rip|ospf|bgp|broadcast|martian|vip
Displays routes of a single tag. For a description of IP routing types, see Table 4-20 on page 109.

if <interface number (1-256)>
Displays routes on a single interface.

NOTE – The total number of interfaces on a Nortel Application Switch 2424-SSL is 1-255.

dump
Displays all routes configured in the switch. For more information, see page 108.

/info/l3/route/dump
Show All IP Route Information

Status code: * - best
  Destination     Mask            Gateway         Type      Tag       Metr If
  --------------- --------------- --------------- --------- --------- ---- --
* 0.0.0.0         0.0.0.0         47.80.22.1      indirect  static         1
* 47.80.22.0      255.255.254.0   47.80.23.249    direct    fixed          1
* 47.80.23.249    255.255.255.255 47.80.23.249    local     addr           1
* 47.80.23.255    255.255.255.255 47.80.23.255    broadcast broadcast      1
* 127.0.0.0       255.0.0.0       0.0.0.0         martian   martian
* 224.0.0.0       224.0.0.0       0.0.0.0         martian   martian
* 224.0.0.5       255.255.255.255 0.0.0.0         multicast addr
* 224.0.0.6       255.255.255.255 0.0.0.0         multicast addr
* 255.255.255.255 255.255.255.255 255.255.255.255 broadcast broadcast


Type Parameters
The following table describes the Type parameters.

Table 4-19 IP Routing Type Parameters (/info/l3/route/dump/type)

Parameter Description

indirect The next hop to the host or subnet destination will be forwarded through a router at the Gateway address.

direct Packets will be delivered to a destination host or subnet attached to the switch.

local Indicates a route to one of the switch’s IP interfaces.

broadcast Indicates a broadcast route.

martian The destination belongs to a host or subnet which is filtered out. Packets to this destination are discarded.

multicast Indicates a multicast route.

Tag Parameters
The following table describes the Tag parameters.

Table 4-20 IP Routing Tag Parameters (info/l3/route/tag)

Parameter Description

fixed The address belongs to a host or subnet attached to the switch.

static The address is a static route which has been configured on the Nortel Application Switch.

addr The address belongs to one of the switch’s IP interfaces.

rip The address was learned by the Routing Information Protocol (RIP).

ospf The address was learned by Open Shortest Path First (OSPF).

bgp The address was learned via Border Gateway Protocol (BGP).

broadcast Indicates a broadcast address.

martian The address belongs to a filtered group.

vip Indicates a route destination that is a virtual server IP address. VIP routes are needed to advertise virtual server IP addresses via BGP.


/info/l3/route6
IPv6 Routing Information Menu

This menu provides a mechanism for viewing IPv6 routing information. The IPv6 routing table stores routes it learns from network traffic and pre-configured, static routes.

NOTE – Presently there is no mechanism for clearing this IPv6 routing table.

Table 4-21 provides a description of this menu.

[IP6 Routing Menu]
 dump - Show all routes

Table 4-21 IPv6 Routing Information Menu Options (/info/l3/route6)

Command Syntax and Usage

dump
The /info/l3/route6/dump command shows all the IPv6 routes maintained. Since each link-local interface is shown with an entry prefix of /128, the link-local network (such as FE80::/10) is not shown for each interface, to avoid too many network entries in the table.


The following is an example of output from the /info/l3/route6/dump command.

>> Main# /info/l3/route6/dump

IPv6 Forwarding Table:

Destination: 0:0:0:0:0:0:0:0/0 If:1 NextHop: 2005:0:0:0:0:0:0:16 Proto: STATIC
Destination: 2005:0:0:0:0:0:0:0/64 If:1 NextHop: 0:0:0:0:0:0:0:0 Proto: LOCAL
Destination: 2005:0:0:0:0:0:0:1/128 If:1 NextHop: 0:0:0:0:0:0:0:0 Proto: LOCAL
Destination: 2005:0:0:0:0:0:0:16/128 If:1 NextHop: 0:0:0:0:0:0:0:0 Proto: STATIC
Destination: fe80:0:0:0:201:81ff:fe2e:a100/128 If:1 NextHop: 0:0:0:0:0:0:0:0 Proto: LOCAL
Destination: ff02:0:0:0:0:0:0:1/128 If:1 NextHop: 0:0:0:0:0:0:0:0 Proto: STATIC
Destination: ff02:0:0:0:0:0:0:2/128 If:1 NextHop: 0:0:0:0:0:0:0:0 Proto: STATIC
Destination: ff02:0:0:0:0:1:ff00:0/128 If:1 NextHop: 0:0:0:0:0:0:0:0 Proto: STATIC
Destination: ff02:0:0:0:0:1:ff00:1/128 If:1 NextHop: 0:0:0:0:0:0:0:0 Proto: STATIC
Destination: ff02:0:0:0:0:1:ff2e:a100/128 If:1 NextHop: 0:0:0:0:0:0:0:0 Proto: STATIC

Total number of route6 entries: 10


/info/l3/arp
ARP Information Menu

Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet layer. ARP resolves a physical address from an IP address. ARP queries machines on the local network for their physical addresses. ARP also maintains IP to physical address pairs in its cache memory. In any IP communication, the ARP cache is consulted to see if the IP address of the router is present in the ARP cache. Then the corresponding physical address is used to send a packet.

The ARP information includes IP address and MAC address of each entry, address status flags (see Table 4-23 on page 114), VLAN and port for the address, and port referencing information.

[Address Resolution Protocol Menu]
 find  - Show a single ARP entry by IP address
 port  - Show ARP entries on a single port
 vlan  - Show ARP entries on a single VLAN
 refpt - Show ARP entries referenced by a single SP
 dump  - Show all ARP entries
 help  - Show help on the fields of ARP entries
 addr  - Show ARP address list

Table 4-22 ARP Information Menu Options (/info/l3/arp)

Command Syntax and Usage

find <IP address (such as, 192.4.17.101)>
Displays a single ARP entry by IP address.

port <port number>
Displays the ARP entries on a single port.

vlan <VLAN number (1-4090)>
Displays the ARP entries on a single VLAN.

refpt <SP number (1-4)>
Displays the ARP entries referenced by a single SP. For details, see page 113.


dump
Displays all ARP entries, including:
 IP address and MAC address of each entry
 Address status flag (see below)
 The VLAN and port to which the address belongs
 The ports which have referenced the address (empty if no port has routed traffic to the IP address shown)
For more information, see page 114.

help
Displays help on the ARP field entries. For example:
 IP address: IP address of ARP entry
 Flags:
  J - ARP entry belongs to a Jumbo capable VLAN
  P - Permanent ARP entry (not obtained via ARP request), e.g. IP interface, VIP, etc.
  R - Indirect ARP (cache) entry for IP address reachable via indirect routes (static/dynamic)
  4 - Layer 4 IP address (VIP)
  u - Unresolved ARP entry. The MAC address has not been learned.
 MAC address: MAC address of ARP entry
 VLAN: VLAN of this ARP entry
 Port: Physical port where this IP address owner is connected
 Referenced SPs: SPs on which this ARP entry is present

addr
Displays the ARP address list: IP address, IP mask, MAC address, and VLAN flags.

/info/l3/arp/refpt
Show ARP Entries on Referenced SP

IP address    Flags MAC address       VLAN Port  Referenced SPs
------------- ----- ----------------- ---- ----- --------------
47.80.23.249  P     00:0e:40:2f:5b:00 1          1-4


/info/l3/arp/dump
Show All ARP Entry Information

IP address      Flags MAC address       VLAN Port Referenced SPs
--------------- ----- ----------------- ---- ---- --------------
1.1.11.1        P 4   00:09:97:16:5f:01           1-4
10.10.10.10     P 4   00:09:97:16:5f:01           1-4
47.80.22.1            00:e0:16:7c:28:86 1    23   empty
47.80.23.81     P     00:09:97:16:5f:00 1         1-4
172.31.3.1      P     00:09:97:16:5f:00 1         1-4
172.31.3.10           00:b0:d0:98:d8:1b 1    3    empty
172.31.3.11           00:b0:d0:98:d8:1b 1    3    empty

Referenced ports are the ports that request the ARP entry. So the traffic coming into the referenced ports has the destination IP address. From the ARP entry (the referenced ports), this traffic needs to be forwarded to the egress port (port 6 in the above example).

NOTE – If you have VMA turned on, the referenced port will be the designated port. If you have VMA turned off, the designated port will be the normal ingress port.

The Flag field is interpreted as follows:

Table 4-23 ARP Dump Flag Parameters

Flag Description

P Permanent entry created for switch IP interface.

P 4 Permanent entry created for Layer 4 proxy IP address or virtual server IP address.

R Indirect route entry.

U Unresolved ARP entry. The MAC address has not been learned.

J ARP entry belongs to a Jumbo capable VLAN
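
Added example, not part of the Nortel reference: a Python parser for text saved from /info/l3/arp/dump that decodes the Flags column using Table 4-23 and lists learned (non-permanent, non-indirect) entries where one MAC address answers for several IP addresses, which is worth reviewing when auditing an ARP cache. The sample rows, the function names, and the rule that VLAN is always present when Port is shown are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample in the column layout of the /info/l3/arp/dump display.
# Addresses come from documentation ranges, not from a real switch.
SAMPLE_DUMP = """\
IP address       Flags MAC address       VLAN Port Referenced SPs
---------------- ----- ----------------- ---- ---- --------------
192.0.2.1        P     00:00:5e:00:53:00 1         1-4
192.0.2.200      P 4   00:00:5e:00:53:0e           1-4
192.0.2.10             00:00:5e:00:53:aa 1    3    empty
192.0.2.11             00:00:5e:00:53:aa 1    3    empty
192.0.2.20             00:00:5e:00:53:bb 1    7    empty
198.51.100.5     R     00:00:5e:00:53:cc 1    23   empty
"""

# Flag meanings as given in Table 4-23 and the "help" command text.
FLAG_MEANING = {
    "P": "Permanent entry",
    "4": "Layer 4 IP address (VIP)",
    "R": "Indirect route entry",
    "U": "Unresolved ARP entry",
    "J": "Jumbo capable VLAN",
}

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def parse_arp_dump(text):
    """Return one dict per ARP row; header, rule and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not IP_RE.match(tokens[0]):
            continue
        # The MAC address is the only fixed landmark: flags sit before it,
        # VLAN / Port / Referenced SPs after it.
        mac_idx = next((i for i, t in enumerate(tokens) if MAC_RE.match(t)), None)
        if mac_idx is None:
            continue
        # Flags may be printed as separate tokens ("P 4"); "u" is lower case
        # in the help text, so normalise to upper case.
        flags = set("".join(tokens[1:mac_idx]).upper())
        rest = tokens[mac_idx + 1:]
        referenced = rest[-1] if rest else None   # last column
        vlan_port = rest[:-1]                     # 0, 1 or 2 tokens
        entries.append({
            "ip": tokens[0],
            "flags": flags,
            "mac": tokens[mac_idx].lower(),
            # Assumption: a row never shows Port without VLAN.
            "vlan": vlan_port[0] if len(vlan_port) >= 1 else None,
            "port": vlan_port[1] if len(vlan_port) >= 2 else None,
            "referenced_sps": referenced,
        })
    return entries


def describe_flags(flags):
    """Translate a set of flag characters into the table's descriptions."""
    return [FLAG_MEANING.get(f, "unknown flag " + f) for f in sorted(flags)]


def shared_mac_learned(entries):
    """Map MAC -> IPs for learned entries where one MAC holds several IPs.

    Permanent (P) rows are the switch's own addresses and indirect (R) rows
    legitimately share the gateway's MAC, so both are left out.
    """
    by_mac = defaultdict(list)
    for e in entries:
        if not (e["flags"] & {"P", "R"}):
            by_mac[e["mac"]].append(e["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    rows = parse_arp_dump(SAMPLE_DUMP)
    for row in rows:
        print(row["ip"], row["mac"], describe_flags(row["flags"]))
    for mac, ips in shared_mac_learned(rows).items():
        print("review:", mac, "is mapped to", ", ".join(ips))
```

A MAC address shared by several learned entries can be a multi-homed host or proxy ARP as well as a poisoned cache, so the result is a list to review against the port and VLAN columns, not a verdict.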


/info/l3/arp/addr
ARP Address List Information

IP address      IP mask         MAC address       VLAN Flags
--------------- --------------- ----------------- ---- -----
10.10.10.10     255.255.255.255 00:09:97:16:5f:01
1.1.11.1        255.255.255.255 00:09:97:16:5f:01
172.31.4.200    255.255.255.255 00:09:97:16:5f:0e      D
172.31.3.1      255.255.255.255 00:09:97:16:5f:00 1
172.31.4.1      255.255.255.255 00:09:97:16:5f:00 1
47.80.23.81     255.255.255.255 00:09:97:16:5f:00 1

/info/l3/nbrcache
IPv6 Neighbor Cache Information

This menu provides a mechanism for viewing IPv6 Neighbor Cache information.

IPv6 uses the Neighbor Discovery (ND) protocol to discover its neighbors' link-layer addresses and neighbor reachability. ND can also auto-configure addresses and detect duplicate addresses. ND enables routers to advertise their presence and address prefixes and to inform hosts of a better next-hop address to forward packets.

The information collected from ND is stored in the Neighbor Cache. The Neighbor Cache maintains information about each neighbor such as:

MAC Address

Reachability State

Neighbor Type

VLAN

Ingress Port

Neighbor Cache entries are added in a number of situations:

1. Entries are added when an IPv6 Interface or Virtual IP is operational.

2. Reception of ND messages from neighbor.

3. A switch sends ND packets to resolve a link-layer address that it wishes to send packets to.


There are 5 reachability states:

INCOMPLETE

The link-layer address of the neighbor has not yet been determined.

REACHABLE

The neighbor is known to have been reachable recently.

STALE

The neighbor is no longer known to be reachable but until traffic is sent to the neighbor, no attempt should be made to verify its reachability.

DELAY

The neighbor is no longer known to be reachable and traffic has recently been sent to the neighbor.

PROBE

The neighbor is no longer known to be reachable, and ND messages are sent to the neighbor to verify reachability.

The neighbor types are LOCAL and DYNAMIC. The LOCAL neighbor type is for switch pre-configured addresses and DYNAMIC is for neighbor addresses learnt from ND.

NOTE – Once the Neighbor Cache table reaches 2000 entries, table entries are replaced by adding the new entry and dropping the 2000th entry off the list. Table entries are kept until the entry is replaced by a new one. During this 2000 full entries period, no new entries will be used to sort for display.

Table 4-24 provides a description of this menu.

[IP6 Neighbor Discovery Protocol Menu]
 dump - Show all IP6 neighbor cache entries

Table 4-24 IPv6 Neighbor Cache Information Menu (/info/l3/nbrcache)

Command Syntax and Usage

dump
Displays all IPv6 neighbor cache entries.


The following is an example of output from the /info/l3/nbrcache/dump command.

>> IP6 Neighbor Discovery Protocol# dump
IP address                     State Type MAC address       VLAN Port
-----------------------------  ----- ---- ----------------- ---- ----
2000:0:0:0:0:0:0:0             REACH LOC  00:0e:62:f6:b2:00 1
2000:0:0:0:0:0:0:1             STALE DYN  00:50:da:16:f7:27 1    1
2000:0:0:0:0:0:0:100           REACH LOC  00:0e:62:f6:b2:00 1
2000:0:0:0:0:0:0:200           REACH LOC  00:0e:62:f6:b2:0e 1
fe80:0:0:0:20e:62ff:fef6:b200  REACH LOC  00:0e:62:f6:b2:00 1
fe80:0:0:0:211:11ff:fee3:32b9  STALE DYN  00:11:11:e3:32:b9 1    9
fe80:0:0:0:250:daff:fe16:f727  STALE DYN  00:50:da:16:f7:27 1    1

Total dynamic neighbor cache entries: 3
Total local neighbor cache entries: 4
Other neighbor cache entries: 0

/info/l3/bgp
BGP Information Menu

Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to share routing information with each other and advertise information about the segments of the IP address space they can access within their network with routers on external networks. For more information, refer to the BGP section in chapter “The Configuration Menu” on page 257 and the Application Guide.

[BGP Menu]
 peer    - Show all BGP peers
 summary - Show all BGP peers in summary
 dump    - Show BGP routing table

Table 4-25 BGP Peer Information Menu Options (/info/l3/bgp)

Command Syntax and Usage

peer
Displays BGP peer information. See page 118 for a sample output.

summary
Displays peer summary information such as AS, message received, message sent, up/down, state. See page 119 for a sample output.

dump
Displays the BGP routing table. See page 119 for a sample output.


/info/l3/bgp/peer
BGP Peer information

Following is an example of the information that /info/l3/bgp/peer provides.

BGP Peer Information:

3: 2.1.1.1 , version 0, TTL 1
 Remote AS: 0, Local AS: 0, Link type: IBGP
 Remote router ID: 0.0.0.0, Local router ID: 1.1.201.5
 BGP status: idle, Old status: idle
 Total received packets: 0, Total sent packets: 0
 Received updates: 0, Sent updates: 0
 Keepalive: 0, Holdtime: 0, MinAdvTime: 60
 LastErrorCode: unknown(0), LastErrorSubcode: unspecified(0)
 Established state transitions: 0

4: 2.1.1.4 , version 0, TTL 1
 Remote AS: 0, Local AS: 0, Link type: IBGP
 Remote router ID: 0.0.0.0, Local router ID: 1.1.201.5
 BGP status: idle, Old status: idle
 Total received packets: 0, Total sent packets: 0
 Received updates: 0, Sent updates: 0
 Keepalive: 0, Holdtime: 0, MinAdvTime: 60
 LastErrorCode: unknown(0), LastErrorSubcode: unspecified(0)
 Established state transitions: 0


/info/l3/bgp/summary
BGP Summary information

Following is an example of the information that /info/l3/bgp/summary provides.

BGP Peer Summary Information:
 Peer              V AS       MsgRcvd  MsgSent  Up/Down  State
 ---------------   - -------- -------- -------- -------- ----------
 1: 205.178.23.142 4 142      113      121      00:00:28 established
 2: 205.178.15.148 0 148      0        0        never    connect

/info/l3/bgp/dump
Dump BGP Information

Following is an example of the information that /info/l3/bgp/dump provides.

>> BGP# dump
Status codes: * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network         Next Hop        Metr LcPrf Wght Path
   --------------- --------------- ----- ---- ----- --------------
*> 10.0.0.0        205.178.21.147  1 256 147 148 i
*>i205.178.15.0    0.0.0.0         0 i
*                  205.178.21.147  1 128 147 i
*> 205.178.17.0    205.178.21.147  1 128 147 i
   13.0.0.0        205.178.21.147  1 256 147 {35} ?

/info/l3/ospf
OSPF Information Menu

Nortel Application Switch Operating System supports the Open Shortest Path First (OSPF) routing protocol. The Nortel Application Switch Operating System implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583. OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed. For more information on how to configure OSPF on the switch, refer to the OSPF section in chapter “The Configuration Menu” on page 257 and your Nortel Application Switch Operating System Application Guide.

[OSPF Information Menu]
 general - Show general information
 aindex  - Show area(s) information
 if      - Show interface(s) information
 virtual - Show details of virtual links
 nbr     - Show neighbor(s) information
 dbase   - Database Menu
 sumaddr - Show summary address list
 nsumadd - Show NSSA summary address list
 routes  - Show OSPF routes
 dump    - Show OSPF information

Table 4-26 OSPF Information Menu (/info/l3/ospf)

Command Syntax and Usage

general
Displays general OSPF information. See page 121 for a sample output.

aindex <area index [0-2]>
Displays area information for a particular area index. If no parameter is supplied, it displays area information for all the areas.

if <interface number [1-256]>
Displays interface information for a particular interface. If no parameter is supplied, it displays information for all the interfaces. See page 122 for a sample output.

virtual
Displays information about all the configured virtual links.

nbr <nbr router-id (A.B.C.D)>
Displays the status of a neighbor with a particular router ID. If no router ID is supplied, it displays the information about all the current neighbors.

dbase
Displays OSPF database menu. To view menu options, see page 122.

sumaddr <area index (0-2)>
Displays the list of summary ranges belonging to non-NSSA areas.

nsumadd <area index (0-2)>
Displays the list of summary ranges belonging to NSSA areas.

routes
Displays OSPF routing table. See page 124 for a sample output.


dump
Displays all the OSPF information. See for a sample output.

/info/l3/ospf/general
OSPF General Information

OSPF Version 2
Router ID: 47.80.23.247
Started at 95 and the process uptime is 352315
Area Border Router: yes, AS Boundary Router: no
LS types supported are 6
External LSA count 0
External LSA checksum sum 0x0
Number of interfaces in this router is 2
Number of virtual links in this router is 1
16 new lsa received and 34 lsa originated from this router
Total number of entries in the LSDB 10
Database checksum sum 0x0
Total neighbors are 1, of which
 2 are >=INIT state,
 2 are >=EXCH state,
 2 are =FULL state
Number of areas is 2, of which 3-transit 0-nssa
 Area Id : 0.0.0.0
 Authentication : none
 Import ASExtern : yes
 Number of times SPF ran : 8
 Area Border Router count : 2
 AS Boundary Router count : 0
 LSA count : 5
 LSA Checksum sum : 0x2237B
 Summary : noSummary


/info/l3/ospf/if
OSPF Interface Information

Ip Address 10.10.12.1, Area 0.0.0.1, Admin Status UP
 Router ID 10.10.10.1, State DR, Priority 1
 Designated Router (ID) 10.10.10.1, Ip Address 10.10.12.1
 Backup Designated Router (ID) 10.10.14.1, Ip Address 10.10.12.2
 Timer intervals, Hello 10, Dead 40, Wait 1663, Retransmit 5, Poll interval 0, Transit delay 1
 Neighbor count is 1 If Events 4, Authentication type none

/info/l3/ospf/dbase
OSPF Database Information

[OSPF Database Menu]
 advrtr  - LS Database info for an Advertising Router
 asbrsum - ASBR Summary LS Database info
 dbsumm  - LS Database summary
 ext     - External LS Database info
 nw      - Network LS Database info
 nssa    - NSSA External LS Database info
 rtr     - Router LS Database info
 self    - Self Originated LS Database info
 summ    - Network-Summary LS Database info
 all     - All

Table 4-27 OSPF Database Information Menu (/info/l3/ospf/dbase)

Command Syntax and Usage

advrtr <router-id (A.B.C.D)>
Takes advertising router as a parameter. Displays all the Link State Advertisements (LSAs) in the LS database that have the advertising router with the specified router ID, for example: 20.1.1.1.

asbrsum <adv-rtr (A.B.C.D)>|<link_state_id (A.B.C.D)>|<self>
Displays ASBR summary LSAs. The usage of this command is as follows:
 a) asbrsum adv-rtr 20.1.1.1 displays ASBR summary LSAs having the advertising router 20.1.1.1.
 b) asbrsum link_state_id 10.1.1.1 displays ASBR summary LSAs having the link state ID 10.1.1.1.
 c) asbrsum self displays the self advertised ASBR summary LSAs.
 d) asbrsum with no parameters displays all the ASBR summary LSAs.

Page 123: Nortel Commands

dbsumm
Displays the following information about the LS database in a table format:
a) the number of LSAs of each type in each area.
b) the total number of LSAs for each area.
c) the total number of LSAs for each LSA type for all areas combined.
d) the total number of LSAs for all LSA types for all areas combined.
No parameters are required.

ext <adv-rtr (A.B.C.D)>|<link_state_id (A.B.C.D)>|<self>
Displays the AS-external (type 5) LSAs with detailed information of each field of the LSAs. The usage of this command is the same as the usage of the command asbrsum.

nw <adv-rtr (A.B.C.D)>|<link_state_id (A.B.C.D)>|<self>
Displays the network (type 2) LSAs with detailed information of each field of the LSAs. The usage of this command is the same as the usage of the command asbrsum.

nssa <adv-rtr (A.B.C.D)>|<link_state_id (A.B.C.D)>|<self>
Displays the NSSA (type 7) LSAs with detailed information of each field of the LSAs. The usage of this command is the same as the usage of the command asbrsum.

rtr <adv-rtr (A.B.C.D)>|<link_state_id (A.B.C.D)>|<self>
Displays the router (type 1) LSAs with detailed information of each field of the LSAs. The usage of this command is the same as the usage of the command asbrsum.

self
Displays all the self-advertised LSAs. No parameters are required.

summ <adv-rtr (A.B.C.D)>|<link_state_id (A.B.C.D)>|<self>
Displays the network summary (type 3) LSAs with detailed information of each field of the LSAs. The usage of this command is the same as the usage of the command asbrsum.

all
Displays all the LSAs.

Page 124: Nortel Commands

/info/l3/ospf/routes
OSPF Information Route Codes

Codes: IA - OSPF inter area,
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
IA 10.10.0.0/16 via 200.1.1.2
IA 40.1.1.0/28 via 20.1.1.2
IA 80.1.1.0/24 via 200.1.1.2
IA 100.1.1.0/24 via 20.1.1.2
IA 140.1.1.0/27 via 20.1.1.2
IA 150.1.1.0/28 via 200.1.1.2
E2 172.18.1.1/32 via 30.1.1.2
E2 172.18.1.2/32 via 30.1.1.2
E2 172.18.1.3/32 via 30.1.1.2
E2 172.18.1.4/32 via 30.1.1.2
E2 172.18.1.5/32 via 30.1.1.2
E2 172.18.1.6/32 via 30.1.1.2
E2 172.18.1.7/32 via 30.1.1.2
E2 172.18.1.8/32 via 30.1.1.2

Page 125: Nortel Commands

/info/ospf/dump
OSPF Dump Information

OSPF Version 2
Router ID: 1.1.1.1
Started at 42 and the process uptime is 1197051
Area Border Router: no, AS Boundary Router: no
External LSA count 0
Number of interfaces in this router is 0
Number of virtual links in this router is 0
0 new lsa received and 0 lsa originated from this router
Total number of entries in the LSDB 0
Total neighbors are 0, of which
    0 are >=INIT state,
    0 are >=EXCH state,
    0 are =FULL state
Number of areas is 0, of which 0-transit 0-nssa

OSPF Neighbors:
Intf  NeighborID  Prio  State  Address
----  ----------  ----  -----  -------

OSPF LS Database:
OSPF LSDB breakdown for router with ID (1.1.1.1)
No areas enabled.

Page 126: Nortel Commands

/info/l3/ip
IP Information

Interface information:
  1: 47.80.23.81 255.255.254.0 47.80.23.255, vlan 1, up
  2: 172.31.4.1 255.255.255.0 172.31.4.255, vlan 1, up
  3: 172.31.3.1 255.255.255.0 172.31.3.255, vlan 1, up

Default gateway information: metric strict
  2: 47.80.22.1, vlan any, up

Current IP forwarding settings: ON, dirbr disabled

Current local networks:

Current IP port settings:
  All other ports have forwarding ON

Current network filter settings:
  none

Current route map settings:

Current OSPF settings: ON
  Default route none
  Router ID: 1.1.1.1
  lsdb limit 0

Page 127: Nortel Commands

/info/l3/vrrp
VRRP Information

Virtual Router Redundancy Protocol (VRRP) support on Nortel Application Switch provides redundancy between routers in a LAN. This is accomplished by configuring the same virtual router IP address and ID number on each participating VRRP-capable routing device. One of the virtual routers is then elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address. Refer to your Nortel Application Switch Operating System Application Guide for more information on VRRP.

VRRP information:
  10: vrid 10, 10.1.2.200, if 10, renter, prio 110, master
  11: vrid 11, 11.1.2.200, if 11, renter, prio 118, master
  12: vrid 12, 12.1.2.200, if 12, renter, prio 102, backup
  13: vrid 13, 13.1.2.200, if 13, renter, prio 118, master
  14: vrid 14, 14.1.2.200, if 14, renter, prio 102, backup
  20: vrid 20, 20.1.2.200, if 20, renter, prio 110, master
  27: vrid 27, 27.1.2.200, if 27, renter, prio 118, master
  28: vrid 28, 28.1.2.200, if 28, renter, prio 102, backup
  100: vrid 100, 172.21.8.100, if 172, renter, prio 110, master, server
  172: vrid 172, 172.21.8.200, if 172, renter, prio 110, master
  254: vrid 254, 27.1.2.100, if 27, renter, prio 102, backup, server
  255: vrid 255, 28.1.2.100, if 28, renter, prio 118, master, server

VRRP information:
  1: vrid 2, 205.178.18.210, if 1, renter, prio 100, master, server
  2: vrid 1, 205.178.18.202, if 1, renter, prio 100, backup
  3: vrid 3, 205.178.18.204, if 1, renter, prio 100, master, proxy

When virtual routers are configured, you can view the status of each virtual router using this command. VRRP information includes:

Virtual router number

Virtual router ID and IP address

Interface number

Ownership status

    owner identifies the preferred master virtual router. A virtual router is the owner when the IP address of the virtual router and its IP interface are the same.
    renter identifies virtual routers which are not owned by this device.

Page 128: Nortel Commands

Priority value. During the election process, the virtual router with the highest priority becomes master.

Activity status

    master identifies the elected master virtual router.
    backup identifies that the virtual router is in backup mode.

Server status. The server state identifies virtual routers that support Layer 4 services. These are known as virtual server routers: any virtual router whose IP address is the same as any configured virtual server IP address.

Proxy status. The proxy state identifies virtual proxy routers, where the virtual router shares the same IP address as a proxy IP address. The use of virtual proxy routers enables redundant switches to share the same IP address, minimizing the number of unique IP addresses that must be configured.

Page 129: Nortel Commands

/info/l3/dump
Layer3 Dump Information

This command dumps all the information about Layer 3 parameters. This dump is a collection of all the individual commands described in the sections above.

IP information:
IP information: Router ID: 45.1.1.201, AS number 100

Interface information:
  2: 45.1.1.201 255.0.0.0 45.255.255.255 , vlan 1, up
  3: 205.1.1.201 255.255.255.0 205.1.1.255 , vlan 1, up
  4: 172.21.1.254 255.255.255.0 172.21.1.255 , vlan 1, up

Default gateway information: metric strict

Current IP forwarding settings: ON, dirbr disabled

Current local networks:

Current IP port settings: All other ports have forwarding ON

Current network filter settings: none

Current route map settings:

Current BGP settings: ON, pref 100, AS number 100

Current BGP peer settings:
  1: 45.1.1.203, ras 300, hold 180, alive 60, adv 60
     retry 120, orig 15, ttl 1, enabled
     metric none, default none, rip disabled, ospf disabled
     fixed disabled, static disabled, vip disabled
     in-rmap: empty
     out-rmap: empty

Current BGP aggr settings:

Page 130: Nortel Commands

Virtual Router Redundancy is globally turned OFF.

ARP cache information:
IP address      Flags MAC address       VLAN Port  Referenced SPs
--------------- ----- ----------------- ---- ----- ----------------
45.1.1.75             00:0f:06:ec:8a:00    1    24 empty
45.1.1.201      P     00:01:81:2e:a2:20    1       1-4
45.1.1.202            00:09:97:5e:69:00    1    24 empty
172.21.1.254    P     00:01:81:2e:a2:20    1       1-4
205.1.1.1             00:09:6b:b5:0b:d6    1    24 empty
205.1.1.2             00:09:6b:b5:08:48    1    24 empty
205.1.1.3             00:09:6b:00:6f:b7    1    24 empty
205.1.1.4             00:09:6b:00:76:1b    1    24 empty
205.1.1.5             00:09:6b:00:74:97    1    24 empty
205.1.1.6             00:09:6b:00:71:bb    1    24 empty
205.1.1.100     P 4   00:01:81:2e:a2:2e            1-4
205.1.1.201     P     00:01:81:2e:a2:20    1       1-4

ARP address information:
IP address      IP mask         MAC address       VLAN Flags
--------------- --------------- ----------------- ---- -----
205.1.1.100     255.255.255.255 00:01:81:2e:a2:2e      D
172.21.1.254    255.255.255.255 00:01:81:2e:a2:20    1
205.1.1.201     255.255.255.255 00:01:81:2e:a2:20    1
45.1.1.201      255.255.255.255 00:01:81:2e:a2:20    1

Route table information:
Status code: * - best
  Destination     Mask            Gateway         Type      Tag       Metr If
  --------------- --------------- --------------- --------- --------- ---- --
* 45.0.0.0        255.0.0.0       45.1.1.201      direct    fixed          2
* 45.1.1.201      255.255.255.255 45.1.1.201      local     addr           2
* 45.255.255.255  255.255.255.255 45.255.255.255  broadcast broadcast      2
* 127.0.0.0       255.0.0.0       0.0.0.0         martian   martian
* 172.21.1.0      255.255.255.0   172.21.1.254    direct    fixed          4
* 172.21.1.254    255.255.255.255 172.21.1.254    local     addr           4
* 172.21.1.255    255.255.255.255 172.21.1.255    broadcast broadcast      4

Page 131: Nortel Commands

* 205.1.1.0       255.255.255.0   205.1.1.201     direct    fixed          3
* 205.1.1.100     255.255.255.255 205.1.1.100     direct    vip
* 205.1.1.201     255.255.255.255 205.1.1.201     local     addr           3
* 205.1.1.255     255.255.255.255 205.1.1.255     broadcast broadcast      3
* 224.0.0.0       224.0.0.0       0.0.0.0         martian   martian
* 255.255.255.255 255.255.255.255 255.255.255.255 broadcast broadcast

OSPF is disabled.

Status codes: * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network         Next Hop        Metr  LcPrf Wght  Path
   --------------- --------------- ----- ----- ----- ---------------
*> 45.0.0.0 0.0.0.0 0 ?
*> 172.21.1.0 0.0.0.0 0 ?
*> 205.1.1.0 0.0.0.0 0 ?

Page 132: Nortel Commands

/info/slb
Layer 4 Information Menu

Server Load Balancing (SLB) allows you to configure the Nortel Application Switch to balance user session traffic among a pool of available servers that provide shared services. In an average network that employs multiple servers without server load balancing, each server usually specializes in providing one or two unique services. If one of these servers provides access to applications or data that is in high demand, it can become overutilized. Placing this kind of strain on a server can decrease the performance of the entire network as user requests are rejected by the server and then resubmitted by the user stations. With this software feature, the switch is aware of the services provided by each server and can direct user session traffic to an appropriate server, based on a variety of load-balancing algorithms.

Refer to your Nortel Application Switch Operating System Application Guide for detailed information on this feature.

[Server Load Balancing Information Menu]
     sess    - Session Table Information Menu
     gslb    - Global SLB Information Menu
     real    - Show real server information
     group   - Show real server group information
     virt    - Show virtual server information
     filt    - Show filter information
     port    - Show port information
     wlm     - Show Workload Manager information
     idshash - Show IDS server selected by hash or minmisses metric
     bind    - Show real server selected by hash, phash, or minmisses metric
     cookie  - Decode the HEX value to get VIP, RIP and Rport
     synatk  - Show SYN attack detection information
     dump    - Show all layer 4 information

Table 4-28 Layer 4 Information Menu Options (/info/slb)

Command Syntax and Usage

sess
Displays the Session Table Information Menu. To view menu options, see page 134.

gslb
Displays the Global SLB Information Menu. To view menu options, see page 139.

real <real server number (1-1023)>
Displays real server number, real IP address, MAC address, VLAN, physical switch port, layer where health check is performed, and health check result.

Page 133: Nortel Commands

group <real server group number, 1-1024>
Displays real server group information.

virt <virtual server number (1-1024)>
Displays the following:
    Virtual Server State: virtual server number, IP address, virtual MAC address
    Virtual Port State: virtual service or port, server port mapping, real server group, group backup server

filt <filter ID (1-2048)>|list|allow|deny|redir|nat
Displays the filter number, destination port, real server port, real server group, health check layer, group backup server, URL for health checks, and real server group, IP address, backup server, and status.

port <port number>
Displays the physical port number, proxy IP address, filter status, a list of applied filters, and client and/or server Layer 4 activity.

wlm <work_load_manager_number, 1 to 16>
Displays Workload Manager information.

idshash <IP address 1> <IP address 2>
Displays the Intrusion Detection System server selected by hash or minmisses metric.

bind <IP address> <mask> <group number>
Displays the real server selected by hash, phash, or minmisses metric.

cookie <16 or 20 bytes cookie value in HEX as 0xXXXXXXXXXXXXXXXX>
Decodes the hexadecimal value to get the virtual server IP address, real server IP address, and real server port.

synatk
Displays SYN attack detection information. To identify whether or not the server is under SYN attack, the number of new half-open sessions is examined within a set period of time, for example, every two seconds. This feature requires dbind to be enabled.

dump
Displays all Layer 4 information for the switch. For details, see page 140.

Page 134: Nortel Commands

/info/slb/sess
Session Table Information

[Session Table Information Menu]
     cip    - Show all session entries with source IP address
     cip6   - Show all session entries with source IP6 address
     cport  - Show all session entries with source port
     dip    - Show all session entries with destination IP address
     dip6   - Show all session entries with source IP6 address
     dport  - Show all session entries with destination port
     pip    - Show all session entries with proxy IP address
     pport  - Show all session entries with proxy port
     filter - Show all session entries with matching filter
     flag   - Show all session entries with matching flag
     port   - Show all session entries with ingress port
     real   - Show all session entries with real IP address
     sp     - Show all session entries on sp
     dump   - Show all session entries
     help   - Session entry description

Table 4-29 Session Information Menu Options (/info/slb/sess)

Command Syntax and Usage

cip <IP address>
Displays all session entries with client’s source IP address.

cip6 <IP6_address>
Displays session entries with the specified IP6 address.

cport <real port>
Displays all session entries with source (client) port.

dip <Destination IP address>
Displays all session entries with the destination IP address.

dip6 <IP6_address>
Displays session entries with the specified IP6 address.

dport <Destination real port>
Displays all session entries with destination port.

pip <Proxy IP address>
Displays all session entries with proxy IP address.

pport <proxy port>
Displays all session entries with proxy port.

Page 135: Nortel Commands

filter <filter ID (1-2048)>
Displays all session entries with matching filter.

flag <E|L|N|P|S|Rt|Ru|Ri|Vi|Vr|Vs|Vm|Vd|U|W>
Displays all session entries with matching flag. See “Session dump information in Nortel Application Switch Operating System” on page 137 for a description of these options.

port <port number>
Displays all session entries on the ingress port.

real <IP address>
Displays all session entries with real server IP address.

sp <port number (1-4)>
Displays all session entries on switch processor.

dump <v4 | v6>
Displays all session entries. Specify v4 to dump IPv4 information, v6 to dump IPv6 information or no parameter to display all information. Information similar to the following may appear in a session entry dump:

    3, 01: 1.1.1.1 4586, 2.2.2.1 http -> 1.1.1.2 3567 3.3.3.1 http age 6 f:10 EUSPT c
    (1)(2) (3)     (4)   (5)     (6)     (7a)    (7)  (8)     (9)  (10)  (11) (12)  (13)

Note: The fields (1) to (13) associated with a session, as identified in the above example, are described in “Session dump information in Nortel Application Switch Operating System” on page 137.

help
Displays the description of the session entry.

Samples of Session Dumps for Different Applications

L4 HTTP

    3,01: 172.21.12.19 1040, 39.2.2.1 http -> 47.81.24.79 http age 4

L4-L7 WCR HTTP

    2,16: 172.21.8.200 44687, 172.21.8.51 http -> 192.168.1.11 wcr age 4 f:12 E
    3,01: 172.21.12.19 1040, 39.2.2.1 http -> 47.81.24.79 urlwcr age 6 f:123 E

RTSP

L4-L7 RTSP

Page 136: Nortel Commands

    3,01: 172.21.12.19 4586, 39.2.2.1 rtsp -> 47.81.144.13 rtsp age 10 EU
    3,01: 172.21.12.19 6970, 39.2.2.1 21220 -> 47.81.144.13 21220 age 10 P

The first session is the RTSP TCP control connection. The second session is the RTSP UDP data connection.

    3,01: 172.21.12.19 6970, 39.2.2.1 rtsp -> 47.81.144.13 0 age 10 P

During client-server port negotiation, the destination port shows “rtsp” and the server port shows “0”.

L7 WCR RTSP

    3,01: 172.21.12.19 4586, 39.2.2.1 rtsp -> 47.81.144.13 urlwcr age 10 f:100 EU
    3,01: 172.21.12.19 6970, 39.2.2.1 21220 -> 47.81.144.13 21220 age 10 P

Filtering LinkLB

    2,07: 10.0.1.26 1706, 205.178.14.84 http -> 192.168.4.10 linklb age 8 f:10 E

FTP

    1,00: 172.31.4.215 80, 172.31.4.200 0 172.31.3.11 age 8 EP c:1
    1,09: 172.31.4.215 4098, 172.31.4.200 ftp ->172.31.3.20 ftp age 10 EU
    1,09: 172.31.4.215 4102, 172.31.4.200 ftp-data ->172.31.3.20 ftp-data age 10 E

NAT

    2,05: 172.21.8.16 2559, 10.0.1.26 http NAT age 2 f:24 E

Persistent session

    3,00: 237.162.52.123 160.10.20.30 age 4 EPS C:3

The destination port, real server IP and server port are not shown for a persistent session.

Page 137: Nortel Commands

Session dump information in Nortel Application Switch Operating System

Field Description

(1) SP number
This field indicates the Switch Processor number that created the session.

(2) Ingress port
This field shows the physical port through which the client traffic enters the switch.

(3) Source IP address
This field contains the source IP address from the client’s IP packet in IPv4 or IPv6.

(4) Source port
This field identifies the source port from the client’s TCP/UDP packet.

(5) Destination IP address
This field identifies the destination IP address from the client’s TCP/UDP packet.

(6) Destination port
This field identifies the destination port from the client’s TCP/UDP packet.

(7a) Proxy IP address
This field contains the Proxy IP address substituted by the switch. This field contains the real server IP address of the corresponding server that the switch selects to forward the client packet to, for load balancing. If the switch does not find a live server, this field contains the same information as the destination IP address mentioned in field (5).
This field also shows the real server IP address for filtering. No address is shown if the filter action is Allow, Deny or NAT. It will show “ALLOW”, “DENY” or “NAT” instead.

(7) Proxy Port
This field identifies the TCP/UDP source port substituted by the switch.

(8) Real Server IP Address
For load balancing, this field contains the IP address of the real server that the switch selects to forward the client packet to. If the switch does not find a live server, this field is the same as the destination IP address (as in row 5). For example:
    3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10
    3,01: 1.1.1.1 6970, 2.2.2.1 rtsp -> 2.2.2.1 21220 age 10 P
For filtering, this field also shows the real server IP address. No address is shown if the filter action is Allow, Deny or NAT. It will show ALLOW, DENY or NAT instead. For example:
    3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age 10 f:11
    2,07: 1.1.1.1 1706, 2.2.2.1 http-> 192.168.4.10 linklb age 8 f:10 E

Page 138: Nortel Commands

(9) Server port
This field is the same as the destination port (field 6) for load balancing except for the RTSP UDP session. For an RTSP UDP session, this server port is obtained from the client-server negotiation.
This field is the filtering application port for filtering. It is for internal use only. This field can be urlwcr, wcr, idslb, linkslb or nonat.

(10) Age
This is the session timeout value. If no packet is received within the value specified, the session is freed. For example, if:
    age 10 - The session is aged out in 10 minutes.
    age < 160 - The session is aged out in 160 minutes. This indicates that slowage is used. The user can configure slowage by using the command: /cfg/slb/adv/slowage.

(11) Filter number
This field indicates the session created by filtering code as a result of the IP header keys matching the filtering criteria.

(12) Flag
    “E”: Indicates the session is established and will be aged out if no traffic is received within session timeout value.
    “L”: Indicates the session is a link load balance session.
    “N”: Indicates no NAT, which means the session only translates the destination MAC when forwarding client traffic to the real server.
    “P”: Indicates the session is a persistent session and is not to be aged out. Fields (6), (7) and (8) cannot have persistent session.
    “S”: Indicates the session is a persistent session and the application is SSL session ID, or Cookie Pbind.
    “Rt”: Indicates the session is TCP rate limiting for every client entry.
    “Ru”: Indicates UDP rate limiting for every client entry.
    “Ri”: Indicates the session is ICMP rate limiting per-client entry.
    “Vr”: Indicates the session is a SIP REGISTER session.
    “Vs”: Indicates the session is a SIP SUBSCRIBE session.
    “Vi”: Indicates the session is a SIP INVITE session.
    “Vm”: Indicates the session is a SIP MESSAGE session.
    “Vd”: Indicates the session is a SIP NAT data session.
    “U”: Indicates the session is Layer 7 delayed binding and the switch is trying to open TCP connection to the real server.
    “W”: Indicates the session only translates the destination MAC when forwarding Layer 7 WCR traffic to the real server.

(13) Persistent session user count
This counter indicates the number of client sessions created to associate with this persistent session.
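The field layout described above can be turned into a small parser for saved session dumps, shown here as an added example that is not part of the Nortel manual. The function and key names are this example's own; the sample lines are copied from the samples on this page, except the last one, which is constructed to show the slowage form.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Flag meanings, taken from field (12) of the session dump description.
FLAGS = {
    "E": "established", "L": "link load balance", "N": "no NAT",
    "P": "persistent", "S": "persistent, SSL session ID or cookie pbind",
    "Rt": "TCP rate limiting", "Ru": "UDP rate limiting",
    "Ri": "ICMP rate limiting", "Vr": "SIP REGISTER", "Vs": "SIP SUBSCRIBE",
    "Vi": "SIP INVITE", "Vm": "SIP MESSAGE", "Vd": "SIP NAT data",
    "U": "Layer 7 delayed binding", "W": "Layer 7 WCR, destination MAC only",
}
# Shown in place of a real server address when a filter produced the entry.
ACTIONS = {"ALLOW", "DENY", "NAT"}

# "<sp>,<port>: <addresses and ports> age [<] <n> [f:<n>] [flags] [c:<n>]"
LINE = re.compile(r"^\s*(\d+),\s*(\d+):\s*(.*?)\s+age\s*(<)?\s*(\d+)\s*(.*)$")
FLAG_TOKEN = re.compile(r"R[tui]|V[rsimd]|[ELNPSUW]")

SAMPLES = [
    "3,01: 172.21.12.19 1040, 39.2.2.1 http -> 47.81.24.79 http age 4",
    "3,01: 172.21.12.19 4586, 39.2.2.1 rtsp -> 47.81.144.13 rtsp age 10 EU",
    "3,01: 172.21.12.19 6970, 39.2.2.1 21220 -> 47.81.144.13 21220 age 10 P",
    "2,05: 172.21.8.16 2559, 10.0.1.26 http NAT age 2 f:24 E",
    "3,00: 237.162.52.123 160.10.20.30 age 4 EPS C:3",
    "3, 01: 1.1.1.1 4586, 2.2.2.1 http -> 1.1.1.2 3567 3.3.3.1 http age 6 f:10 EUSPT c",
    "1,09: 172.31.4.215 4098, 172.31.4.200 ftp ->172.31.3.20 ftp age 10 EU",
    "3,01: 1.1.1.1 1040, 2.2.2.1 http -> 3.3.3.1 http age < 160 E",  # constructed
]


def is_ip(token):
    """True for an IPv4 or IPv6 literal, False for ports and service names."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_session(line):
    """Parse one session entry into a dict; return None if it does not match."""
    m = LINE.match(line)
    if m is None:
        return None
    sp, ingress, left, slow, age, tail = m.groups()
    rec = dict.fromkeys(
        ("src_ip", "src_port", "dst_ip", "dst_port", "proxy_ip", "proxy_port",
         "real_ip", "server_port", "action", "filter", "user_count"))
    rec.update(sp=int(sp), ingress_port=int(ingress), age=int(age),
               slowage=slow is not None, flags=[], unknown_flags="")

    # Fields (3)-(9): the comma and the arrow are separators only.
    toks = left.replace("->", " ").replace(",", " ").split()

    def take(want_ip):
        # Pop the next token only if it is (or is not) an address, as asked.
        if toks and toks[0] not in ACTIONS and is_ip(toks[0]) == want_ip:
            return toks.pop(0)
        return None

    rec["src_ip"] = take(True)
    if rec["src_ip"] is None:
        return None
    rec["src_port"] = take(False)   # absent on persistent entries
    rec["dst_ip"] = take(True)
    rec["dst_port"] = take(False)
    if toks and toks[0] in ACTIONS:
        rec["action"] = toks[0]
    elif len(toks) >= 4:            # proxy pair (7a)/(7) precedes the real server
        (rec["proxy_ip"], rec["proxy_port"],
         rec["real_ip"], rec["server_port"]) = toks[:4]
    elif toks:
        rec["real_ip"] = toks[0]
        rec["server_port"] = toks[1] if len(toks) > 1 else None

    # Fields (11)-(13): filter number, flags, persistent user count.
    for tok in tail.split():
        if tok.startswith("f:") and tok[2:].isdigit():
            rec["filter"] = int(tok[2:])
        elif tok[0] in "cC" and (len(tok) == 1 or tok[1] == ":"):
            rec["user_count"] = int(tok[2:]) if tok[2:].isdigit() else None
        else:
            rec["flags"] += FLAG_TOKEN.findall(tok)
            rec["unknown_flags"] += FLAG_TOKEN.sub("", tok)
    return rec


def describe_flags(rec):
    """Spell out the flags of a parsed entry."""
    return [FLAGS[f] for f in rec["flags"]]


def flags_by_client(lines):
    """Count flag occurrences per source IP across a saved dump."""
    out = defaultdict(Counter)
    for line in lines:
        rec = parse_session(line)
        if rec is not None:
            out[rec["src_ip"]].update(rec["flags"])
    return dict(out)
```

Ports are kept as strings because the switch prints service names (http, rtsp) and internal application names (wcr, urlwcr, linklb) in those positions. A per-client count of “U”, “Rt”, “Ru” or “Ri” entries from `flags_by_client` is a quick way to see which sources account for pending delayed-binding or rate-limited sessions.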

Page 139: Nortel Commands

/info/slb/gslb
Global SLB Information Menu

A Nortel Application Switch Operating System running Global SLB selects the most appropriate site to direct the client traffic for a given domain during the initial client connection. The menu for this feature displays the following information:

[Global SLB Information Menu]
     virt - Show Global SLB virtual server information
     site - Show Global SLB remote site information
     rule - Show Global SLB rule information
     geo  - Show Global SLB geographical preference information
     pers - Show Global SLB DNS persistence cache information
     dump - Show all Global SLB information

Table 4-30 Global SLB Information Menu Options (/info/slb/gslb)

Command Syntax and Usage

virt <virtual server number (1-1024)>
Displays the Global SLB virtual server information such as the domain name of the virtual server, the number of the local and remote virtual servers, the number of virtual services on those virtual servers, and the group of real servers associated with the local and remote virtual servers.

site
Displays the Global SLB remote site information.

geo
Displays the Global SLB geographical preference information.

pers <IP_Address>
Displays the Global SLB DNS persistence cache information.

dump
Displays all Global SLB information.

Page 140: Nortel Commands

/info/slb/dump
Show All Layer 4 Information

Real server state:
  1: 210.1.2.200, 00:01:02:c1:4b:48, vlan 1, port 1, health 3, up
  2: 210.1.2.1, 00:01:02:70:4d:4a, vlan 1, port 8, health 3, up
  26: 20.20.20.102, 00:03:47:07:a4:9e, vlan 1, port 6, health 3, up
  27: 20.20.20.101, 00:01:02:71:9c:a6, vlan 1, port 7, health 3, up

Virtual server state:
  1: 20.20.20.200, 00:60:cf:47:5c:1e
    virtual ports:
    http: rport http, group 88, backup none, dbind
      HTTP Application: urlslb
      real servers:
        26: 20.20.20.102, backup none, 2 ms, up
          exclusionary string matching: disabled
            1: any
            2: urlone
        27: 20.20.20.101, backup none, 1 ms, up
          exclusionary string matching: disabled
            3: urltwo
            4: urlthree

Redirect filter state:
  Action redir
  dport http, rport 3128, vlan any
  200: group 1, health 3, backup none
    proxy enabled, radius snoop disabled
    real servers:
      1: 210.1.2.200, backup none, 3 ms, up
      2: 210.1.2.1, backup none, 2 ms, up

Port state:
  1: filt disabled, filters: 80
  2: idslb filt enabled, filters: 200
  3: idslb filt enabled, filters: 200
  4: filt disabled, filters: 50 200

Page 141: Nortel Commands

/info/bwm
Bandwidth Management Information

Bandwidth Management (BWM) enables Web site managers to allocate a portion of the available bandwidth for specific users or applications. It allows companies to guarantee that critical business traffic, such as e-commerce transactions, receives higher priority than non-critical traffic. Traffic classification can be based on user or application information. BWM policies can be configured to set lower and upper bounds on the bandwidth allocation.

You can see the following information on your switch when you execute this command:

[Bandwidth Management Information Menu]
     ipuser - BWM IP User Entries Information Menu
     cont   - Show Bandwidth Management Contract information

Table 4-31 Bandwidth Management Information

Command Syntax and Usage

ipuser
Displays the IP user entries with their IP addresses. See page 142 for sample output.

cont
Displays the BWM contract information configured on this switch.

Page 142: Nortel Commands

/info/bwm/ipuser
BWM IP User Information Menu

[BWM IP User Entries Information Menu]
     ip   - Show all IP user entries with IP address
     cont - Show all IP user entries for a contract
     sp   - Show all IP user entries on sp
     dump - Show all IP user entries

Table 4-32 BWM IP User Information Menu (/info/bwm/ipuser)

Command Syntax and Usage

ip <IP address>
Displays the IP user entries for a specific IP address.

cont <BW Contract number, 1-1024>
Displays the IP user entries for a specific BWM contract.

sp <SP number (1-4)>
Displays the IP user entries on the Switch Processor. The same fields as described in cont above are displayed, but only for the specified sp number.

dump
Displays all the IP user entries.

Page 143: Nortel Commands

The format of the output of the above commands:

SP Rate: the switch processor number (1-4) of the ipuser entry.

Contract Rate: the BWM contract number of the ipuser entry.

IP address: the IP address of the ipuser entry.

Age: the age of the entry in seconds.

Octets: the number of octets processed on this ipuser entry

Discards: the number of octets discarded on this ipuser entry

Allowed Rate: the rate of traffic allowed for this IP address

Offered Rate: the rate including the discards for this IP address

SP Contract IP Address       Age Octets     Discards   Allowed Offered
                                                       Rate    Rate
-- -------- ---------------- --- ---------- ---------- ------- -------
 2       11 11.0.1.100        86   21500000  301001440    1953   29297
 2       10 11.0.1.100        86    1076600          0      97      97
 2       10 11.0.1.107        16     199940          0      97      97
 2       10 11.0.1.105        16     198402          0      96      96
 2       10 11.0.1.106        16     199940          0      97      97
 2       10 11.0.1.103        16     196864          0      96      96
 2       10 11.0.1.104        16     204554          0      99      99
 2       10 11.0.1.101        16     201478          0      98      98
 2       10 11.0.1.102        16     198402          0      96      96
 2       10 11.0.1.108        16     199940          0      97      97
 2       10 11.0.1.109        16     203016          0      99      99

Page 144: Nortel Commands

/info/bwm/cont
BWM Contract Information

This command displays information about any configured contracts and the BWM policies applied to the contracts.

Current Bandwidth Management setting: ON
Policy Enforcement: enabled
BWM history will be mailed in a minute to 'abcd' at host '100.81.138.26'
BWM IP user table entries 64k

Contract            Policy                   Per User        Traffic
Num Name                 Prec Hard Soft Resv Limit Key State Shaping
  1 123456789012345    2    1  50M   1M 500K     - -   E     D
  2 vlan               4    1  60M   2M 500K     - -   E     D
  3 filter             7   20   2M   1M 500K     - -   E     D
  4                    5    1   2M   1M 500K     - -   D     D
  5                  512    1   2M   1M 500K     - -   E     D
 10                   10    1   1M   0K   0K  500K sip E     D
 11                   11    1 100M  80M 500K    2M sip E     D
 12                   12    1   2M   1M 500K     - -   E     D
 13                   13    1   3M   1M 500K     - -   E     D
 14                   14    1   4M 400K 100K     - -   E     D
 15                   15    1   2M   1M 500K     - -   E     D

Table 4-33 BWM Contract Information

Field Description

Contract Displays the BWM contract number.

Policy Displays specific information about a policy applied to a contract. Includes the following:

    The policy number applied to the contract
    Prec: the precedence applied to the policy
    Hard: the hard limit applied to the policy
    Soft: the soft limit applied to the policy
    Resv: the reserve limit applied to the policy

Page 145: Nortel Commands

Per User These two columns display information for an ipuser limit, if applied to the contract. Includes the following:

    Limit: the user rate limit applied to the ipuser.
    Key: If an ipuser rate limit is enforced, this field displays whether the user limit is enforced on a source IP address (sip) or a destination IP address (dip).

State Displays whether the BWM contract is enabled (E) or disabled (D).

Traffic Shaping Displays whether Traffic Shaping is enabled (E) or disabled (D) for this contract.

Page 146: Nortel Commands

/info/security
Security Information

The information provided by each menu option is described in Table 4-34.

[Security Information Menu]
     port     - Show port security information
     ipacl    - Show IP ACL information
     udpblast - Show UDP blast protection information
     dos      - Show protocol anomaly and DoS attack prevention information
     dump     - Show all security information

Table 4-34 Security Information Menu (/info/security)

Command Syntax and Usage

port

This menu displays the current port security settings.

ipacl

This menu displays the current IP ACL settings.

udpblast

This menu displays UDP blast protection settings.

dos

This menu displays DoS protection settings.

dump

This menu displays all security settings.

Page 147: Nortel Commands

/info/link
Link Status Information

Use this command to display link status information about each port on a Nortel Application Switch slot, including:

Port Alias

Port number

Port speed (10, 100, 10/100, or 1000)

Duplex mode (half, full, any, or auto)

Flow control for transmit and receive (no, yes, or auto)

Link status (up or down)

Alias   Port  Speed   Duplex    Flow Ctrl      Link
------  ----  -----   --------  --TX-----RX--  ------
1          1  10/100  any        yes    yes    down
2          2  10/100  any        yes    yes    down
3          3  10/100  any        yes    yes    down
4          4  10/100  any        yes    yes    down
5          5  10/100  any        yes    yes    down
6          6  10/100  any        yes    yes    down
7          7  10/100  any        yes    yes    down
8          8  10/100  any        yes    yes    down
9          9  10/100  any        yes    yes    down
10        10  10/100  any        yes    yes    down
11        11  10/100  any        yes    yes    down
12        12  10/100  any        yes    yes    down
13        13  10/100  any        yes    yes    down
14        14  10/100  any        yes    yes    down
15        15  10/100  any        yes    yes    down
16        16  10/100  any        yes    yes    down
17        17  10/100  any        yes    yes    down
18        18  10/100  any        yes    yes    down
19        19  10/100  any        yes    yes    down
20        20  10/100  any        yes    yes    down
21        21  10/100  any        yes    yes    down
22        22  10/100  any        yes    yes    down
23        23  10/100  any        yes    yes    down
24        24  10/100  any        yes    yes    down
25        25  1000    full       yes    yes    down
26        26  1000    full       yes    yes    down
27        27  1000    full       yes    yes    down
28        28  1000    full       yes    yes    down

Page 148: Nortel Commands

Page 149: Nortel Commands

/info/port
Port Information

Port information includes:

Port alias
Port number
Whether the port uses VLAN tagging or not (y or n)
Whether Remote Monitor is enabled or disabled
Port VLAN ID (PVID)
Port name
VLAN membership

Alias   Port  Tag  RMON  PVID  BWC    NAME            VLAN(s)
------  ----  ---  ----  ----  -----  --------------  --------------
1          1  y    d        1   1024                  1
2          2  n    d        2   1024                  2
3          3  n    d        3   1024                  3
4          4  n    d        3   1024                  3
5          5  n    d        1   1024                  1
6          6  n    d        1      5                  1
7          7  n    d        1   1024                  1
8          8  n    d        1   1024                  1
9          9  n    d        1   1024                  1
10        10  n    d        1   1024                  1
11        11  n    d        1   1024                  1
12        12  n    d        1   1024                  1
13        13  n    d        1      6                  1
14        14  n    d        1   1024                  1
15        15  n    d        1   1024                  1
16        16  n    d        1   1024                  1
17        17  n    d        1   1024                  1
18        18  n    d        1   1024                  1
19        19  n    d        1   1024                  1
20        20  n    d        1   1024                  1
21        21  n    d        1   1024                  1
22        22  n    d        1   1024                  1
23        23  n    d        1   1024                  1
24        24  n    d        1   1024                  1
25        25  n    d        1   1024                  1
26        26  n    d        1   1024                  1
27        27  n    d        1   1024                  1
28        28  n    d        1   1024                  1

Page 150: Nortel Commands

Whether RMON is enabled or disabled on the port

/info/swkey
Software Enabled Keys

For optional Layer 4 switching software, the information would be displayed as follows:

Enabled Software features: Layer 4: GSLB Bandwidth Management Security Pack
Enabled Software features: Layer 4: GSLB Inbound Linklb Intelligent Traffic Management

Software key information includes a list of all the optional software packages which have been activated or installed on your switch. For information on ordering optional software license keys, see “How to Get Help” on page 24.

/info/dump
Information Dump

Use the dump command to dump all switch information available from the Information Menu (10K or more, depending on your configuration). This data is useful for tuning and debugging switch performance.

If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump commands.

Page 151: Nortel Commands

CHAPTER 5
The Statistics Menu

You can view switch performance statistics in both the user and administrator command modes. This chapter discusses how to use the command line interface to display switch statistics.

/stats
Statistics Menu

[Statistics Menu]
     sys      - System Stats Menu
     port     - Port Stats Menu
     pmirr    - Port Mirroring Stats Menu
     l2       - Layer 2 Stats Menu
     l3       - Layer 3 Stats Menu
     slb      - Server Load Balancing (Layer 4-7) Stats Menu
     bwm      - Bandwidth Management Stats Menu
     security - Security Stats Menu
     mp       - MP-specific Stats Menu
     sp       - SP-specific Stats Menu
     dump     - Dump all stats

Page 152: Nortel Commands

Table 5-1 Statistics Menu Options (/stats)

Command Syntax and Usage

sys

System statistics menu

port <port number>

Displays the Port Statistics Menu for the specified port. Use this command to display traffic statistics on a port-by-port basis. Traffic statistics are included in SNMP Management Information Base (MIB) objects. To view menu options, see page 154.

l2

Displays Layer 2 Statistics Menu. To view menu options, see page 170.

l3

Displays Layer 3 Statistics Menu. To view menu options, see page 174.

slb

Displays the Server Load Balancing (SLB) Menu. To view menu options, see page 199.

bwm

Displays the Bandwidth Management Menu. To view menu options, see page 232.

mp

Displays the Management Processor Statistics Menu. Use this command to view information on how switch management processes and resources are currently being allocated. To view menu options, see page 248.

sp <SP number (1-4)>

Displays Switch Processor-Specific Menu. To view menu options, see page 253.

security

Displays Security Statistics Menu. To view menu options, see page 239.

snmp

Displays SNMP Statistics.

ntp <clear>

Displays Network Time Protocol (NTP) Statistics. You can execute the clear command option to delete all statistics.

pm

Displays Port Mirroring Statistics Menu. To view menu options, see page 255.

mgmt

Displays interface statistics for the Management Port. See page 255 for sample output.

Page 153: Nortel Commands

dump

Dumps all switch statistics. Use this command to gather data for tuning and debugging switch performance. If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump command. For details, see page 256.

Page 154: Nortel Commands

/stats/sys
System statistics menu

This menu displays traffic statistics on a system basis.

[System Statistics Menu]
     access - System Access Menu
     mgmt   - Show management port stats
     ntp    - Show NTP server stats
     snmp   - Show SNMP stats
     dump   - Dump system stats

Table 5-2 System Statistics Menu Options (/stats/sys)

Command Syntax and Usage

access

Go to the System Access menu.

mgmt

Management port interface statistics.

ntp

Show NTP server statistics.

snmp

Show SNMP statistics.

dump

Dump system statistics.

Page 155: Nortel Commands

/stats/port <port number>
Port Statistics Menu

This menu displays traffic statistics on a port-by-port basis. Traffic statistics include SNMP Management Information Base (MIB) objects.

[Port Statistics Menu]
     brg   - Show bridging ("dot1") stats
     ether - Show Ethernet ("dot3") stats
     if    - Show interface ("if") stats
     ip    - Show Internet Protocol ("IP") stats
     link  - Show link stats
     rmon  - Show RMON stats
     dump  - Dump port stats
     clear - Clear all port stats

Table 5-3 Port Statistics Menu Options (/stats/port)

Command Syntax and Usage

brg

Displays bridging (“dot1”) statistics for the port. See page 156 for a sample output and the description of statistics.

ether

Displays Ethernet (“dot3”) statistics for the port. See page 157 for a sample output and the description of statistics.

if

Displays interface statistics for the port. See page 161 for a sample output and the description of statistics.

ip

Displays IP statistics for the port. See page 162 for a sample output and the description of statistics.

link

Displays link statistics for the port. See page 163 for a sample output and the description of statistics.

rmon

Displays Remote Monitor (RMON) statistics for the port. See page 164 for a sample output and the description of statistics.

dump

Displays all the port statistics.

Page 156: Nortel Commands

Table 5-3 Port Statistics Menu Options (/stats/port) (Continued)

Command Syntax and Usage

clear

This command clears all the statistics on this port.

/stats/port <port number>/brg
Bridging Statistics

This menu option enables you to display the bridging statistics of the selected port.

Bridging statistics for port 1:
dot1PortInFrames: 63242584
dot1PortOutFrames: 63277826
dot1PortInDiscards: 0
dot1TpLearnedEntryDiscards: 0
dot1BasePortDelayExceededDiscards: NA
dot1BasePortMtuExceededDiscards: NA
dot1StpPortForwardTransitions: 0

Table 5-4 Bridging Statistics of a Port (/stats/port/brg)

Statistics Description

dot1PortInFrames

The number of frames that have been received by this port from its segment. A frame received on the interface corresponding to this port is only counted by this object if and only if it is for a protocol being processed by the local bridging function, including bridge management frames.

dot1PortOutFrames

The number of frames that have been transmitted by this port to its segment. Note that a frame transmitted on the interface corresponding to this port is only counted by this object if and only if it is for a protocol being processed by the local bridging function, including bridge management frames.

dot1PortInDiscards

Count of valid frames received which were discarded (that is, filtered) by the Forwarding Process.

dot1TpLearnedEntryDiscards

The total number of Forwarding Database entries, which have been or would have been learnt, but have been discarded due to a lack of space to store them in the Forwarding Database. If this counter is increasing, it indicates that the Forwarding Database is regularly becoming full (a condition which has unpleasant performance effects on the subnetwork). If this counter has a significant value but is not presently increasing, it indicates that the problem has been occurring but is not persistent.

Page 157: Nortel Commands

dot1BasePortDelayExceededDiscards

The number of frames discarded by this port due to excessive transit delay through the bridge. It is incremented by both transparent and source route bridges.

dot1BasePortMtuExceededDiscards

The number of frames discarded by this port due to an excessive size. It is incremented by both transparent and source route bridges.

dot1StpPortForwardTransitions

The number of times this port has transitioned from the Learning state to the Forwarding state.

/stats/port <port number>/ether
Ethernet Statistics

This menu option enables you to display the Ethernet statistics of the selected port.

Ethernet statistics for port 1:
dot3StatsAlignmentErrors: 0
dot3StatsFCSErrors: 0
dot3StatsSingleCollisionFrames: 0
dot3StatsMultipleCollisionFrames: 0
dot3StatsSQETestErrors: NA
dot3StatsDeferredTransmissions: 0
dot3StatsLateCollisions: 0
dot3StatsExcessiveCollisions: 0
dot3StatsInternalMacTransmitErrors: NA
dot3StatsCarrierSenseErrors: 0
dot3StatsFrameTooLongs: 0
dot3StatsInternalMacReceiveErrors: 0
dot3CollFrequencies [1-15]: NA

Page 158: Nortel Commands

Table 5-5 Ethernet Statistics for Port (/stats/port/ether)

Statistics Description

dot3StatsAlignmentErrors

A count of frames received on a particular interface that are not an integral number of octets in length and do not pass the Frame Check Sequence (FCS) check.

The count represented by an instance of this object is incremented when the alignmentError status is returned by the MAC service to the Logical Link Control (LLC) (or other MAC user). Received frames for which multiple error conditions are obtained are, according to the conventions of IEEE 802.3 Layer Management, counted exclusively according to the error status presented to the LLC.

dot3StatsFCSErrors

A count of frames received on a particular interface that are an integral number of octets in length but do not pass the Frame Check Sequence (FCS) check. This count does not include frames received with frame-too-long or frame-too-short errors.

The count represented by an instance of this object is incremented when the frameCheckError status is returned by the MAC service to the LLC (or other MAC user). Received frames for which multiple error conditions are obtained are, according to the conventions of IEEE 802.3 Layer Management, counted exclusively according to the error status presented to the LLC.

Note: Coding errors detected by the physical layer for speeds above 10 Mb/s will cause the frame to fail the FCS check.

dot3StatsSingleCollisionFrames

A count of successfully transmitted frames on a particular interface for which transmission is inhibited by exactly one collision.

A frame that is counted by an instance of this object is also counted by the corresponding instance of either the ifOutUcastPkts, ifOutMulticastPkts, or ifOutBroadcastPkts, and is not counted by the corresponding instance of the dot3StatsMultipleCollisionFrames object.

This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsMultipleCollisionFrames

A count of successfully transmitted frames on a particular interface for which transmission is inhibited by more than one collision.

A frame that is counted by an instance of this object is also counted by the corresponding instance of either the ifOutUcastPkts, ifOutMulticastPkts, or ifOutBroadcastPkts, and is not counted by the corresponding instance of the dot3StatsSingleCollisionFrames object.

This counter does not increment when the interface is operating in full-duplex mode.

Page 159: Nortel Commands

dot3StatsSQETestErrors

A count of times that the SQE TEST ERROR message is generated by the PLS sub layer for a particular interface. The SQE TEST ERROR is set in accordance with the rules for the verification of the SQE detection mechanism in the PLS Carrier Sense Function as described in IEEE Std. 802.3-1998 Edition, section 7.2.4.6.

This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsDeferredTransmissions

A count of frames for which the first transmission attempt on a particular interface is delayed because the medium is busy.

The count represented by an instance of this object does not include frames involved in collisions.

This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsLateCollisions

The number of times that a collision is detected on a particular interface later than one slotTime into the transmission of a packet.

Five hundred and twelve bit-times correspond to 51.2 microseconds on a 10 Mbit/s system. A (late) collision included in a count represented by an instance of this object is also considered as a (generic) collision for purposes of other collision-related statistics.

This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsExcessiveCollisions

A count of frames for which transmission on a particular interface fails due to excessive collisions.

This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsInternalMacTransmitErrors

A count of frames for which transmission on a particular interface fails due to an internal MAC sub layer transmit error. A frame is only counted by an instance of this object if it is not counted by the corresponding instance of either the dot3StatsLateCollisions object, the dot3StatsExcessiveCollisions object, or the dot3StatsCarrierSenseErrors object.

The precise meaning of the count represented by an instance of this object is implementation-specific. In particular, an instance of this object may represent a count of transmission errors on a particular interface that are not otherwise counted.

Page 160: Nortel Commands

dot3StatsCarrierSenseErrors

The number of times that the carrier sense condition was lost or never asserted when attempting to transmit a frame on a particular interface.

The count represented by an instance of this object is incremented at most once per transmission attempt, even if the carrier sense condition fluctuates during a transmission attempt.

This counter does not increment when the interface is operating in full-duplex mode.

dot3StatsFrameTooLongs

A count of frames received on a particular interface that exceed the maximum permitted frame size.

The count represented by an instance of this object is incremented when the frameTooLong status is returned by the MAC service to the LLC (or other MAC user). Received frames for which multiple error conditions are obtained are, according to the conventions of IEEE 802.3 Layer Management, counted exclusively according to the error status presented to the LLC.

dot3StatsInternalMacReceiveErrors

A count of frames for which reception on a particular interface fails due to an internal MAC sub layer receive error. A frame is only counted by an instance of this object if it is not counted by the corresponding instance of either the dot3StatsFrameTooLongs object, the dot3StatsAlignmentErrors object, or the dot3StatsFCSErrors object.

The precise meaning of the count represented by an instance of this object is implementation-specific. In particular, an instance of this object may represent a count of received errors on a particular interface that are not otherwise counted.

dot3CollFrequencies

A count of individual MAC frames for which the transmission (successful or otherwise) on a particular interface occurs after the frame has experienced exactly the number of collisions specified by the index. For example, a frame which is transmitted after experiencing exactly 4 collisions would be indicated by incrementing only dot3CollFrequencies [4]. No other instance of dot3CollFrequencies would be incremented in this example.

This counter does not increment when the interface is operating in full-duplex mode.

Page 161: Nortel Commands

/stats/port <port number>/if
Interface Statistics

This menu option enables you to display the interface statistics of the selected port.

Interface statistics for port 1:
                     ifHCIn Counters       ifHCOut Counters
Octets:                  51697080313            51721056808
UcastPkts:                  65356399               65385714
BroadcastPkts:                     0                   6516
MulticastPkts:                     0                      0
Discards:                          0                      0
Errors:                            0                      0

Table 5-6 Interface Statistics for Port (/stats/port/if)

Statistics Description

ifHCInOctets

The number of octets in valid MAC frames received on the interface, including the MAC header and FCS. This does include the number of octets in valid MAC Control frames received on this interface.

ifHCInUcastPkts

The number of packets, delivered by this sub-layer to a higher sub-layer, which were not addressed to a multicast or broadcast address at this sub-layer.

ifHCInBroadcastPkts

The number of packets, delivered by this sub-layer to a higher sub-layer, which were addressed to a broadcast address at this sub-layer.

ifHCInMulticastPkts

The number of packets delivered by this sub-layer to a higher (sub) layer, which were addressed to a multicast address at this sub-layer. For a MAC layer protocol, this includes both Group and Functional addresses.

ifHCInDiscards

The number of inbound packets which were chosen to be discarded even though no errors had been detected to prevent their being delivered to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.

ifHCInErrors

The sum for this interface of dot3StatsAlignmentErrors, dot3StatsFCSErrors, dot3StatsFrameTooLongs, dot3StatsInternalMacReceiveErrors and dot3StatsSymbolErrors.

ifHCOutOctets

The number of octets transmitted in valid MAC frames on this interface, including the MAC header and FCS. This does not include the number of octets in valid MAC Control frames transmitted on this interface.

Page 162: Nortel Commands

ifHCOutUcastPkts

The total number of packets that higher-level protocols requested to be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent.

ifHCOutBroadcastPkts

The total number of packets that higher-level protocols requested to be transmitted, and which were addressed to a broadcast address at this sub-layer, including those that were discarded or not sent.

ifHCOutMulticastPkts

The total number of packets that higher-level protocols requested to be transmitted, and which were addressed to a multicast address at this sub-layer, including those that were discarded or not sent. For a MAC layer protocol, this includes both Group and Functional addresses.

ifHCOutDiscards

The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.

ifHCOutErrors

The sum for this interface of: dot3StatsSQETestErrors, dot3StatsLateCollisions, dot3StatsExcessiveCollisions, dot3StatsInternalMacTransmitErrors and dot3StatsCarrierSenseErrors.

/stats/port <port number>/ip
Interface Protocol Statistics

This menu option enables you to display the interface statistics of the selected port.

IP statistics for port 1:
ipInReceives: 0
ipInAddrErrors: 0       ipForwDatagrams: 0
ipInUnknownProtos: 0    ipInDiscards: 0
ipInDelivers: 0
ipTtlExceeds: 0
ipLANDattacks: 0

Table 5-7 Interface Protocol Statistics (/stats/port/ip)

Statistics Description

ipInReceives

The total number of input datagrams received from interfaces, including those received in error.

Page 163: Nortel Commands

ipInAddrErrors

The number of input datagrams discarded because the IP address in their IP header's destination field was not a valid address to be received at this entity (the switch). This count includes invalid addresses (for example, 0.0.0.0) and addresses of unsupported Classes (for example, Class E). For entities which are not IP Gateways and therefore do not forward datagrams, this counter includes datagrams discarded because the destination address was not a local address.

ipForwDatagrams

The number of input datagrams for which this entity (the switch) was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. In entities which do not act as IP Gateways, this counter will include only those packets which were Source-Routed via this entity (the switch), and the Source-Route option processing was successful.

ipInUnknownProtos

The number of locally-addressed datagrams received successfully but discarded because of an unknown or unsupported protocol.

ipInDiscards

The number of input IP datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (for example, for lack of buffer space). Note that this counter does not include any datagrams discarded while awaiting re-assembly.

ipInDelivers

The total number of input datagrams successfully delivered to IP user-protocols (including ICMP).

ipTtlExceeds

The number of IP datagrams for which an ICMP TTL exceeded message was sent.

ipLANDattacks

The number of packets that have the same source and destination IP address.

/stats/port <port number>/link
Link Statistics

This menu enables you to display the link statistics of the selected port.

Link statistics for port 1:
linkStateChange: 4

Page 164: Nortel Commands

Table 5-8 Link Statistics (/stats/port/link)

Statistics Description

linkStateChange

The total number of link state changes.

/stats/port <port number>/rmon
RMON Statistics

This menu option enables you to display the remote monitor statistics of the selected port.

RMON statistics for port 1:
etherStatsDropEvents: 0
etherStatsOctets: 129677
etherStatsPkts: 1485
etherStatsBroadcastPkts: 734
etherStatsMulticastPkts: 712
etherStatsCRCAlignErrors: 0
etherStatsUndersizePkts: 0
etherStatsOversizePkts: 0
etherStatsFragments: 0
etherStatsJabbers: 0
etherStatsCollisions: 0
etherStatsPkts64Octets: 954
etherStatsPkts65to127Octets: 578
etherStatsPkts128to255Octets: 35
etherStatsPkts256to511Octets: 26
etherStatsPkts512to1023Octets: 16
etherStatsPkts1024to1518Octets: 8

Table 5-9 Remote Monitor Statistics (/stats/port/rmon)

Statistics Description

etherStatsDropEvents

The total number of events in which packets were dropped by the probe due to lack of resources. Note that this number is not necessarily the number of packets dropped; it is just the number of times this condition has been detected.

Page 165: Nortel Commands

etherStatsOctets

The total number of octets of data (including those in bad packets) received on the network (excluding framing bits but including FCS octets).

This object can be used as a reasonable estimate of utilization (which is the percent utilization of the ethernet segment). If greater precision is desired, the etherStatsPkts and etherStatsOctets objects should be sampled before and after a common interval. The differences in the sampled values are Pkts and Octets, respectively, and the number of seconds in the interval is Interval. These values are used to calculate the utilization as follows:

$$\text{Utilization} = \frac{\text{Pkts} \times (9.6 + 6.4) + (\text{Octets} \times 0.8)}{\text{Interval} \times 10{,}000}$$

The result of this equation is the percent value of utilization.

etherStatsPkts

The total number of packets (including bad packets, broadcast packets, and multicast packets) received.

etherStatsBroadcastPkts

The total number of good packets received that were directed to the broadcast address. Note that this does not include multicast packets.

etherStatsMulticastPkts

The total number of good packets received that were directed to a multicast address. Note that this number does not include packets directed to the broadcast address.

etherStatsCRCAlignErrors

The total number of packets received that had a length (excluding framing bits, but including Frame Check Sequence (FCS) octets) of between 64 and 1518 octets, inclusive, but had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).

etherStatsUndersizePkts

The total number of packets received that were less than 64 octets long (excluding framing bits, but including FCS octets) and were otherwise well formed.

etherStatsOversizePkts

The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets) and were otherwise well formed.

Page 166: Nortel Commands

etherStatsFragments

The total number of packets received that were less than 64 octets in length (excluding framing bits but including FCS octets) and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).

Note that it is entirely normal for etherStatsFragments to increment. This is because it counts both runts (which are normal occurrences due to collisions) and noise hits. (A runt is a packet that is less than 64 bytes.)

etherStatsJabbers

The total number of packets received that were longer than 1518 octets (excluding framing bits, but including FCS octets), and had either a bad Frame Check Sequence (FCS) with an integral number of octets (FCS Error) or a bad FCS with a non-integral number of octets (Alignment Error).

Note that this definition of jabber is different than the definition in IEEE-802.3 section 8.2.1.5 (10Base-5) and section 10.3.1.4 (10Base-2). These documents define jabber as the condition where any packet exceeds 20 ms. The allowed range to detect jabber is between 20 milliseconds and 150 milliseconds.

etherStatsCollisions

The best estimate of the total number of collisions on this Ethernet segment.

The value returned will depend on the location of the RMON probe. Section 8.2.1.3 (10Base-5) and section 10.3.1.3 (10Base-2) of IEEE standard 802.3 state that a station must detect a collision, in the receive mode, if three or more stations are transmitting simultaneously. A repeater port must detect a collision when two or more stations are transmitting simultaneously. Thus a probe placed on a repeater port could record more collisions than a probe connected to a station on the same segment would.

Probe location plays a much smaller role when considering 10Base-T. 14.2.1.4 (10Base-T) of IEEE standard 802.3 defines a collision as the simultaneous presence of signals on the DO and RD circuits (transmitting and receiving at the same time). A 10Base-T station can only detect collisions when it is transmitting. Thus probes placed on a station and a repeater should report the same number of collisions.

Note also that an RMON probe inside a repeater should ideally report collisions between the repeater and one or more other hosts (transmit collisions as defined by IEEE 802.3k) plus receiver collisions observed on any coax segments to which the repeater is connected.

etherStatsPkts64Octets

The total number of packets (including bad packets) received that were 64 octets in length (excluding framing bits but including Frame Check Sequence (FCS) octets).

Table 5-9 Remote Monitor Statistics (/stats/port/rmon)

Statistics Description

Page 167: Nortel Commands

etherStatsPkts65to127Octets

The total number of packets (including bad packets) received that were between 65 and 127 octets in length (excluding framing bits but including FCS octets).

etherStatsPkts128to255Octets

The total number of packets (including bad packets) received that were between 128 and 255 octets in length (excluding framing bits but including Frame Check Sequence (FCS) octets).

etherStatsPkts256to511Octets

The total number of packets (including bad packets) received that were between 256 and 511 octets in length (excluding framing bits but including FCS octets).

etherStatsPkts512to1023Octets

The total number of packets (including bad packets) received that were between 512 and 1023 octets in length (excluding framing bits but including FCS octets).

etherStatsPkts1024to1518Octets

The total number of packets (including bad packets) received that were between 1024 and 1518 octets in length (excluding framing bits but including FCS octets).

Page 168: Nortel Commands

/stats/port <port number>/dump
Port Dump Statistics

Bridging statistics for port 1:
dot1PortInFrames: 1284
dot1PortOutFrames: 142
dot1PortInDiscards: 130
dot1TpLearnedEntryDiscards: 0
dot1BasePortDelayExceededDiscards: NA
dot1BasePortMtuExceededDiscards: NA
dot1StpPortForwardTransitions: 2
------------------------------------------------------------------
Ethernet statistics for port 1:
dot3StatsAlignmentErrors: 0
dot3StatsFCSErrors: 0
dot3StatsSingleCollisionFrames: 0
dot3StatsMultipleCollisionFrames: 0
dot3StatsSQETestErrors: NA
dot3StatsDeferredTransmissions: 0
dot3StatsLateCollisions: 0
dot3StatsExcessiveCollisions: 0
dot3StatsInternalMacTransmitErrors: NA
dot3StatsCarrierSenseErrors: 1
dot3StatsFrameTooLongs: 0
dot3StatsInternalMacReceiveErrors: 0
dot3CollFrequencies [1-15]: NA
------------------------------------------------------------------
Interface statistics for port 1:
                 ifHCIn Counters    ifHCOut Counters
Octets:                   124166               19560
UcastPkts:                    39                  27
BroadcastPkts:               631                  14
MulticastPkts:               614                 101
Discards:                    130                   0
Errors:                        1                   0
------------------------------------------------------------------
IP statistics for port 1:
ipInReceives: 0
ipInAddrErrors: 0    ipForwDatagrams: 0
ipInUnknownProtos: 0    ipInDiscards: 0
ipInDelivers: 0
ipTtlExceeds: 0
ipLANDattacks: 0
------------------------------------------------------------------
Link statistics for port 1:
linkStateChange: 3
------------------------------------------------------------------

Page 169: Nortel Commands

RMON statistics for port 1:
etherStatsDropEvents: 0
etherStatsOctets: 123840
etherStatsPkts: 1406
etherStatsBroadcastPkts: 698
etherStatsMulticastPkts: 669
etherStatsCRCAlignErrors: 0
etherStatsUndersizePkts: 0
etherStatsOversizePkts: 0
etherStatsFragments: 0
etherStatsJabbers: 0
etherStatsCollisions: 0
etherStatsPkts64Octets: 906
etherStatsPkts65to127Octets: 548
etherStatsPkts128to255Octets: 35
etherStatsPkts256to511Octets: 25
etherStatsPkts512to1023Octets: 16
etherStatsPkts1024to1518Octets: 8
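As an added example (not part of the Nortel reference), the Python below parses a captured /stats/port <port number>/dump session into per-section counters and compares two captures to list the error-type counters that grew. The function names, the ".in"/".out" key suffixes, the choice of counters to watch and both snapshots are assumptions constructed for illustration.

```python
import re

# "name: value" pair; a name may carry a bracketed suffix ("dot3CollFrequencies [1-15]").
PAIR = re.compile(r"([A-Za-z]\S*?(?: \[[^\]]*\])?):\s*(\S+)")
SECTION = re.compile(r"^(\w+) statistics for port (\d+):$")
# Counter names worth reporting when they grow (this selection is an assumption).
SUSPECT = re.compile(
    r"Error|Discard|Collision|Jabber|Fragment|TooLong|attack|linkStateChange", re.I)


def _num(token):
    """Counters print as decimal integers; 'NA' marks a counter the switch does not keep."""
    return int(token) if token.isdigit() else None


def parse_port_dump(text):
    """Return {section: {counter: int or None}} for one captured port dump."""
    stats, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) == {"-"}:      # blank line or dashed separator
            continue
        header = SECTION.match(line)
        if header:
            section = stats.setdefault(header.group(1), {})
            continue
        if section is None:                     # prompt echo before the first section
            continue
        name, _, rest = line.partition(":")
        fields = rest.split()
        if len(fields) == 2 and all(f == "NA" or f.isdigit() for f in fields):
            # Interface table row: one label with ifHCIn and ifHCOut columns.
            section[name + ".in"] = _num(fields[0])
            section[name + ".out"] = _num(fields[1])
            continue
        for key, value in PAIR.findall(line):   # one or two pairs per line
            section[key] = _num(value)
    return stats


def rising_counters(before, after):
    """List (section, counter, delta) for error-type counters that grew between captures."""
    grown = []
    for sec, counters in after.items():
        for name, new in counters.items():
            old = before.get(sec, {}).get(name)
            if new is None or old is None or not SUSPECT.search(name):
                continue
            # A smaller value means the statistics were cleared or the switch
            # restarted between captures, so count from zero.
            delta = new - old if new >= old else new
            if delta > 0:
                grown.append((sec, name, delta))
    return grown


# Constructed snapshots in the layout of the sample output above (values are made up).
TEMPLATE = """\
Bridging statistics for port 1:
dot1PortInFrames: {frames}
dot1PortInDiscards: 130
dot1BasePortDelayExceededDiscards: NA
------------------------------------------------------------------
Ethernet statistics for port 1:
dot3StatsFCSErrors: {fcs}
dot3StatsLateCollisions: 0
dot3CollFrequencies [1-15]: NA
------------------------------------------------------------------
Interface statistics for port 1:
                ifHCIn Counters   ifHCOut Counters
Octets:         {octets}            19560
Discards:       130               0
Errors:         {errs}                0
------------------------------------------------------------------
IP statistics for port 1:
ipInReceives: 0
ipInAddrErrors: 0 ipForwDatagrams: 0
ipLANDattacks: {land}
------------------------------------------------------------------
Link statistics for port 1:
linkStateChange: {link}
------------------------------------------------------------------
"""
BEFORE = TEMPLATE.format(frames=1284, fcs=0, octets=124166, errs=1, land=0, link=3)
AFTER = TEMPLATE.format(frames=2990, fcs=17, octets=310422, errs=18, land=4, link=5)

if __name__ == "__main__":
    for sec, name, delta in rising_counters(parse_port_dump(BEFORE), parse_port_dump(AFTER)):
        print(f"{sec:<10} {name:<24} +{delta}")
```

Counters printed as NA are kept as None and never compared, so a counter the switch does not maintain cannot raise a false alert.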

Page 170: Nortel Commands

/stats/pmirr
Port mirroring statistics menu

This menu displays port mirroring statistics on an all-ports basis.

[Port Mirroring Statistics Menu]
    dump  - Show port mirroring stats
    clear - Clear all port mirroring stats

Table 5-10 PMIRR Statistics Menu Options (/stats/pmirr)

Command Syntax and Usage

dump
Displays all mirrored port statistics.

clear
Clears the port statistics.

/stats/l2
Layer 2 Statistics Menu

[Layer 2 Statistics Menu]
    fdb  - Show FDB stats
    lacp - Show LACP stats
    stg  - Show STG stats
    dump - Dump layer 2 stats

Table 5-11 Layer 2 Statistics Menu Options (/stats/l2)

Command Syntax and Usage

fdb
Displays Forwarding Database statistics. To view statistics and their description, see page 171.

lacp <port number (1 to max num ports)>
Displays Link Aggregation Control Protocol statistics. To view statistics and their description, see page 172.

stg
Displays Spanning Tree Group statistics. To view statistics and their description, see page 173.

Page 171: Nortel Commands

dump
Dumps the Layer 2 statistics.

/stats/l2/fdb
FDB Statistics

This menu option enables you to display statistics regarding the use of the forwarding database, including the number of new entries, finds, and unsuccessful searches.

FDB statistics:
 creates: 9611        deletes: 9553
 current: 58          hiwat: 65
 lookups: 850254      lookup fails: 151373
 finds: 5832          find fails: 0
 find_or_c's: 11874   overflows: 0
 max: 16384

FDB statistics are described in the following table:

Table 5-12 Forwarding Database Statistics (/stats/l2/fdb)

Statistic Description

creates Number of entries created in the Forwarding Database.

current Current number of entries in the Forwarding Database.

lookups Number of entry lookups in the Forwarding Database.

finds Number of successful searches in the Forwarding Database.

find_or_c’s Number of entries found or created in the Forwarding Database.

deletes Number of entries deleted from the Forwarding Database.

hiwat Highest number of entries recorded at any given time in the Forwarding Database.

lookup fails Number of unsuccessful searches made in the Forwarding Database.

find fails Number of search failures in the Forwarding Database.

overflows Number of entries overflowing the Forwarding Database.

Page 172: Nortel Commands

max Maximum number of Forwarding Database entries supported by the switch.

/stats/l2/lacp
LACP Statistics

>> Layer 2 Statistics# lacp 1
port 1
Valid LACPDUs received - 9394
Valid Marker PDUs received - 0
Valid Marker Rsp PDUs received - 0
Unknown version/TLV type - 0
Illegal subtype received - 0
LACPDUs transmitted - 8516
Marker PDUs transmitted - 0
Marker Rsp PDUs transmitted - 0

Table 5-13 LACP Statistics Parameters (/stats/l2/lacp)

Field Description

Valid LACPDUs received The number of LACPDUs that the switch received on this port.

Valid Marker PDUs received The number of valid Marker PDUs that the switch received on this port.

Valid Marker Rsp PDUs received The number of valid Marker Responses that the switch received on this port.

Unknown version/TLV type The number of unknown versions or TLV types that the switch received on this port.

Illegal subtype received The number of illegal LACP subtypes received on this port.

LACPDUs transmitted The number of LACPDUs transmitted out of this port.

Marker PDUs transmitted The number of Marker PDUs transmitted out of this port.

Marker Rsp PDUs transmitted The number of Marker Responses transmitted out of this port.

Page 173: Nortel Commands

/stats/l2/stg
Spanning Tree Group Statistics

Spanning Tree Group 1:
Port     Rcv Cfg    Rcv TCN    Xmt Cfg    Xmt TCN
-----  ---------- ---------- ---------- ----------
    1           0          0          0          0
    2           0          0          0          0
    3           0          0          0          0
    4           0          0          0          0
    5           0          0          0          0
    6           0          0          0          0
    7           0          0          0          0
    8           0          0          0          0
    9      139046        176         27         15
   10           0          0          0          0
   11           0          0          0          0
   12           0          0          0          0
   13           0          0          0          0
   14           0          0          0          0
   15           0          0          0          0
   16           0          0          0          0
   17           0          0          0          0
   18           0          0          0          0
   19           0          0          0          0
   20           0          0          0          0
   21           0          0          0          0
   22           0          0          0          0
   23           0          0          0          0
   24           0          0          0          0
   25           0          0          0          0
   26           0          0          0          0
   27           0          0          0          0
   28           0          0          0          0

Table 5-14 Spanning Tree Group Statistics Parameters (/stats/l2/stg)

Field Description

Port Displays the port number.

Rcv Cfg Displays the number of configuration BPDUs received.

Rcv TCN Displays the number of TCN (Topology Change Notification) messages received.

Xmt Cfg Displays the number of configuration BPDUs transmitted.

Page 174: Nortel Commands

Xmt TCN Displays the number of TCN (Topology Change Notification) messages transmitted.

/stats/l3
Layer 3 Statistics Menu

[Layer 3 Statistics Menu]
    ospf    - OSPF Statistics Menu
    ip      - Show IP stats
    ip6     - Show IP6 stats
    route   - Show route stats
    arp     - Show ARP stats
    vrrp    - Show VRRP stats
    dns     - Show DNS stats
    icmp    - Show ICMP stats
    if      - Show IP interface ("if") stats
    tcp     - Show TCP stats
    udp     - Show UDP stats
    ifclear - Clear IP interface ("if") stats
    ipclear - Clear IP stats
    dump    - Dump layer 3 stats

Table 5-15 Layer 3 Statistics Menu (/stats/l3)

Command Syntax and Usage

ospf
Displays the OSPF Statistics Menu. See page 176 for sample output.

ip
Displays IP statistics. See page 181 for sample output.

ip6
Displays IP6 statistics. See page 184 for sample output.

route
Displays route statistics. See page 189 for sample output.

arp
Displays Address Resolution Protocol (ARP) statistics. See page 190 for sample output.

Page 175: Nortel Commands

vrrp
When virtual routers are configured, you can display the following protocol statistics for VRRP:
Advertisements received (vrrpInAdvers)
Advertisements transmitted (vrrpOutAdvers)
Advertisements received, but ignored (vrrpBadAdvers)

See page 191 for sample output.

dns
Displays Domain Name Server/System (DNS) statistics. See page 192 for sample output.

icmp
Displays ICMP statistics. See page 193 for sample output.

if <interface number (1-256)>
Displays IP interface statistics for the management processors. See page 195 for sample output.

tcp
Displays TCP statistics. See page 197 for sample output.

udp
Displays UDP statistics. See page 199 for sample output.

ifclear
Clears IP interface statistics. Use this command with caution as it will delete all the IP interface statistics.

ipclear
Clears IP statistics. Use this command with caution as it will delete all the IP statistics.

dump
Dumps all Layer 3 switch statistics. Use this command to gather data for tuning and debugging Layer 3 switch performance. If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump command.

Page 176: Nortel Commands

/stats/l3/ospf
OSPF Statistics Menu

[OSPF stats Menu]
    general - Show global stats
    aindex  - Show area(s) stats
    if      - Show interface(s) stats

Table 5-16 OSPF Statistics Menu (/stats/l3/ospf)

Command Syntax and Usage

general
Displays global statistics. See page 177 for sample output and details.

aindex <area index (0-2)>
Displays area index statistics.

if <interface number (1-256)>
Displays interface statistics.

Page 177: Nortel Commands

/stats/l3/ospf/general
OSPF Global Statistics

The OSPF General Statistics contain the sum total of all OSPF packets received on all OSPF areas and interfaces.

OSPF stats
----------
Rx/Tx Stats:          Rx         Tx
                   --------   --------
 Pkts                     0          0
 hello                   23        518
 database                 4         12
 ls requests              3          1
 ls acks                  7          7
 ls updates               9          7

Nbr change stats:              Intf change Stats:
 hello                    2     hello              4
 start                    0     down               2
 n2way                    2     loop               0
 adjoint ok               2     unloop             0
 negotiation done         2     wait timer         2
 exchange done            2     backup             0
 bad requests             0     nbr change         5
 bad sequence             0
 loading done             2
 n1way                    0
 rst_ad                   0
 down                     1

Timers kickoff
 hello                  514
 retransmit            1028
 lsa lock                 0
 lsa ack                  0
 dbage                    0
 summary                  0
 ase export               0

Page 178: Nortel Commands

Table 5-17 OSPF General Statistics (stats/l3/ospf/general)

Statistics Description

Rx/Tx Stats:

Rx Pkts The sum total of all OSPF packets received on all OSPF areas and interfaces.

Tx Pkts The sum total of all OSPF packets transmitted on all OSPF areas and interfaces.

Rx Hello The sum total of all Hello packets received on all OSPF areas and interfaces.

Tx Hello The sum total of all Hello packets transmitted on all OSPF areas and interfaces.

Rx Database The sum total of all Database Description packets received on all OSPF areas and interfaces.

Tx Database The sum total of all Database Description packets transmitted on all OSPF areas and interfaces.

Rx ls Requests The sum total of all Link State Request packets received on all OSPF areas and interfaces.

Tx ls Requests The sum total of all Link State Request packets transmitted on all OSPF areas and interfaces.

Rx ls Acks The sum total of all Link State Acknowledgement packets received on all OSPF areas and interfaces.

Tx ls Acks The sum total of all Link State Acknowledgement packets transmitted on all OSPF areas and interfaces.

Rx ls Updates The sum total of all Link State Update packets received on all OSPF areas and interfaces.

Tx ls Updates The sum total of all Link State Update packets transmitted on all OSPF areas and interfaces.

Page 179: Nortel Commands

Nbr Change Stats:

hello The sum total of all Hello packets received from neighbors on all OSPF areas and interfaces.

Start The sum total number of neighbors in this state (that is, an indication that Hello packets should now be sent to the neighbor at intervals of HelloInterval seconds) across all OSPF areas and interfaces.

n2way The sum total number of bidirectional communication establishment between this router and other neighboring routers.

adjoint ok The sum total number of decisions to be made (again) as to whether an adjacency should be established/maintained with the neighbor across all OSPF areas and interfaces.

negotiation done The sum total number of neighbors in this state wherein the Master/slave relationship has been negotiated, and sequence numbers have been exchanged, across all OSPF areas and interfaces.

exchange done The sum total number of neighbors in this state (that is, in an adjacency's final state) having transmitted a full sequence of Database Description packets, across all OSPF areas and interfaces.

bad requests The sum total number of Link State Requests which have been received for a link state advertisement not contained in the database across all interfaces and OSPF areas.

bad sequence The sum total number of Database Description packets which have been received that either:

a) Has an unexpected DD sequence number
b) Unexpectedly has the init bit set
c) Has an options field differing from the last Options field received in a Database Description packet.

Any of these conditions indicate that some error has occurred during adjacency establishment for all OSPF areas and interfaces.

loading done The sum total number of link state updates received for all out-of-date portions of the database across all OSPF areas and interfaces.

n1way The sum total number of Hello packets received from neighbors, in which this router is not mentioned across all OSPF interfaces and areas.

rst_ad The sum total number of times the Neighbor adjacency has been reset across all OSPF areas and interfaces.

Page 180: Nortel Commands

down The total number of Neighboring routers down (that is, in the initial state of a neighbor conversation) across all OSPF areas and interfaces.

Intf Change Stats:

hello The sum total number of Hello packets sent on all interfaces and areas.

down The sum total number of interfaces down in all OSPF areas.

loop The sum total of interfaces no longer connected to the attached network across all OSPF areas and interfaces.

unloop The sum total number of interfaces connected to the attached network in all OSPF areas.

wait timer The sum total number of times the Wait Timer has been fired, indicating the end of the waiting period that is required before electing a (Backup) Designated Router across all OSPF areas and interfaces.

backup The sum total number of Backup Designated Routers on the attached network for all OSPF areas and interfaces.

nbr change The sum total number of changes in the set of bidirectional neighbors associated with any interface across all OSPF areas.

Timers Kickoff:

hello The sum total number of times the Hello timer has been fired (which triggers the send of a Hello packet) across all OSPF areas and interfaces.

retransmit The sum total number of times the Retransmit timer has been fired across all OSPF areas and interfaces.

lsa lock The sum total number of times the Link State Advertisement (LSA) lock timer has been fired across all OSPF areas and interfaces.

lsa ack The sum total number of times the LSA Ack timer has been fired across all OSPF areas and interfaces.

dbage The total number of times the database age (Dbage) has been fired.

summary The total number of times the Summary timer has been fired.

ase export The total number of times the Autonomous System Export (ASE) timer has been fired.

Page 181: Nortel Commands

/stats/l3/ip
IP Statistics

IP statistics:
ipInReceives: 3115873        ipInHdrErrors: 1
ipInAddrErrors: 35447        ipForwDatagrams: 0
ipInUnknownProtos: 500504    ipInDiscards: 0
ipInDelivers: 2334166        ipOutRequests: 1010542
ipOutDiscards: 4             ipOutNoRoutes: 4
ipReasmReqds: 0              ipReasmOKs: 0
ipReasmFails: 0              ipFragOKs: 0
ipFragFails: 0               ipFragCreates: 0
ipRoutingDiscards: 0         ipDefaultTTL: 255
ipReasmTimeout: 5

Table 5-18 IP Statistics (/stats/l3/ip)

Statistics Description

ipInReceives The total number of input datagrams received from interfaces, including those received in error.

ipInHdrErrors The number of input datagrams discarded due to errors in their IP headers, including bad checksums, version number mismatch, other format errors, time-to-live exceeded, errors discovered in processing their IP options, and so forth.

ipInAddrErrors The number of input datagrams discarded because the IP address in their IP header's destination field was not a valid address to be received at this entity (the switch). This count includes invalid addresses (for example, 0.0.0.0) and addresses of unsupported Classes (for example, Class E). For entities which are not IP Gateways and therefore do not forward datagrams, this counter includes datagrams discarded because the destination address was not a local address.

ipForwDatagrams The number of input datagrams for which this entity (the switch) was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. In entities which do not act as IP Gateways, this counter will include only those packets which were Source-Routed via this entity (the switch), and the Source-Route option processing was successful.

ipInUnknownProtos The number of locally addressed datagrams received successfully but discarded because of an unknown or unsupported protocol.

Page 182: Nortel Commands

ipInDiscards The number of input IP datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (for example, for lack of buffer space). Note that this counter does not include any datagrams discarded while awaiting re-assembly.

ipInDelivers The total number of input datagrams successfully delivered to IP user-protocols (including ICMP).

ipOutRequests The total number of IP datagrams which local IP user-protocols (including ICMP) supplied to IP in requests for transmission. Note that this counter does not include any datagrams counted in ipForwDatagrams.

ipOutDiscards The number of output IP datagrams for which no problem was encountered to prevent their transmission to their destination, but which were discarded (for example, for lack of buffer space). Note that this counter would include datagrams counted in ipForwDatagrams if any such packets met this (discretionary) discard criterion.

ipOutNoRoutes The number of IP datagrams discarded because no route could be found to transmit them to their destination. Note that this counter includes any packets counted in ipForwDatagrams, which meet this no-route criterion. Note that this includes any datagrams which a host cannot route because all of its default gateways are down.

ipReasmReqds The number of IP fragments received which needed to be reassembled at this entity (the switch).

ipReasmOKs The number of IP datagrams successfully re-assembled.

ipReasmFails The number of failures detected by the IP re-assembly algorithm (for whatever reason: timed out, errors, and so forth). Note that this is not necessarily a count of discarded IP fragments since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received.

ipFragOKs The number of IP datagrams that have been successfully fragmented at this entity (the switch).

ipFragFails The number of IP datagrams that have been discarded because they needed to be fragmented at this entity (the switch) but could not be, for example, because their Don't Fragment flag was set.

ipFragCreates The number of IP datagram fragments that have been generated as a result of fragmentation at this entity (the switch).

Page 183: Nortel Commands

ipRoutingDiscards The number of routing entries which were chosen to be discarded even though they are valid. One possible reason for discarding such an entry could be to free up buffer space for other routing entries.

ipDefaultTTL The default value inserted into the Time-To-Live (TTL) field of the IP header of datagrams originated at this entity (the switch), whenever a TTL value is not supplied by the transport layer protocol.

ipReasmTimeout The maximum number of seconds that received fragments are held while they are awaiting reassembly at this entity (the switch).

Page 184: Nortel Commands

/stats/l3/ip6
IP6 Statistics Menu

>> Layer 3 Statistics# /stat/l3/ip6
------------------------------------------------------------------
IP6 statistics:
InReceives: 20519       InDiscards: 2
InDelivers: 24793       ForwDatagrams: 0
UnknownProtos: 0        InAddrErrors: 0
OutRequests: 34548      OutNoRoutes: 0
ReasmOKs: 0             ReasmFails: 0
IcmpInMsgs: 24793       IcmpInErrors: 4268
IcmpOutMsgs: 12829      IcmpOutErrors: 4271
InEchos: 0              OutEchos: 8538
InEchoReplies: 8536     OutEchoReplies: 0
InDestUnreachs: 4268    OutDestUnreachs: 4271
InPktTooBigs: 0         OutPktTooBigs: 0
InTimeExcds: 0          OutTimeExcds: 0
------------------------------------------------------------------

ICMP6 statistics:

Interface: 1
InMsgs: 18929                InErrors: 0
InEchos: 0                   InEchoReplies: 4268
InNeighborSolicits: 4513     InNeighborAdvertisements:4271
InRouterSolicits: 0          InRouterAdvertisements: 5877
InDestUnreachs: 0            InTimeExcds: 0
InPktTooBigs: 0              InParmProblems: 0
InRedirects: 0
OutMsgs: 4280                OutErrors: 0
OutEchos: 4269               OutEchoReplies: 0
OutNeighborSolicits: 3       OutNeighborAdvertisements:4516
OutRouterSolicits: 0         OutRouterAdvertisements: 1
OutRedirects: 0
------------------------------------------------------------------
Interface: 7
InMsgs: 5864                 InErrors: 4268
InEchos: 0                   InEchoReplies: 4268
InNeighborSolicits: 122      InNeighborAdvertisements: 3
InRouterSolicits: 0          InRouterAdvertisements: 1471
InDestUnreachs: 4268         InTimeExcds: 0
InPktTooBigs: 0              InParmProblems: 0
InRedirects: 0
OutMsgs: 8549                OutErrors: 4271
OutEchos: 4269               OutEchoReplies: 0
OutNeighborSolicits: 2       OutNeighborAdvertisements:124
OutRouterSolicits: 0         OutRouterAdvertisements: 1
OutRedirects: 0
------------------------------------------------------------------

IP6 gateway health check statistics:
gateway 5 echo-req 4269 echo-resp 4268 fails 0
gateway 7 echo-req 4269 echo-resp 0 fails 4268

Page 185: Nortel Commands

Table 5-19 IPv6 Statistics (/stats/l3/ip6)

Statistics Description

IP6 Statistics Section

InReceives The total number of input datagrams received by the interface, including those received in error.

InDelivers The total number of datagrams successfully delivered to IPv6 user-protocols (including ICMP). This counter is incremented at the interface to which these datagrams were addressed which might not be necessarily the input interface for some of the datagrams.

UnknownProtos The number of locally-addressed datagrams received successfully but discarded because of an unknown or unsupported protocol. This counter is incremented at the interface to which these datagrams were addressed which might not be necessarily the input interface for some of the datagrams.

OutRequests The total number of IPv6 datagrams which local IPv6 user-protocols (including ICMP) supplied to IPv6 in requests for transmission. Note that this counter does not include any datagrams counted in ipv6IfStatsOutForwDatagrams.

ReasmOKs The number of IPv6 datagrams successfully reassembled. Note that this counter is incremented at the interface to which these datagrams were addressed which might not be necessarily the input interface for some of the fragments.

InDiscards The number of input IPv6 datagrams for which no problems were encountered to prevent their continued processing, but which were discarded (e.g., for lack of buffer space). Note that this counter does not include any datagrams discarded while awaiting re-assembly.

ForwDatagrams The number of output datagrams which this entity received and forwarded to their final destinations. In entities which do not act as IPv6 routers, this counter will include only those packets which were Source-Routed via this entity, and the Source-Route processing was successful. Note that for a successfully forwarded datagram the counter of the outgoing interface is incremented.

InAddrErrors The number of input datagrams discarded because the IPv6 address in their IPv6 header's destination field was not a valid address to be received at this entity. This count includes invalid addresses (e.g., ::0) and unsupported addresses (e.g., addresses with unallocated prefixes). For entities which are not IPv6 routers and therefore do not forward datagrams, this counter includes datagrams discarded because the destination address was not a local address.

Page 186: Nortel Commands

OutNoRoutes The number of locally generated IP datagrams discarded because no route could be found to transmit them to their destination.

ReasmFails The number of failures detected by the IPv6 re-assembly algorithm (for whatever reason: timed out, errors, etc.). Note that this is not necessarily a count of discarded IPv6 fragments since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received. This counter is incremented at the interface to which these fragments were addressed which might not be necessarily the input interface for some of the fragments.

IcmpInMsgs The total number of ICMP messages received by the interface which includes all those counted by ipv6IfIcmpInErrors. Note that this interface is the interface to which the ICMP messages were addressed which may not be necessarily the input interface for the messages.

IcmpOutMsgs The total number of ICMP messages which this interface attempted to send. Note that this counter includes all those counted by icmpOutErrors.

IcmpInErrors The number of ICMP messages which the interface received but determined as having ICMP-specific errors (bad ICMP checksums, bad length, etc.).

IcmpOutErrors The number of ICMP messages which this interface did not send due to problems discovered within ICMP such as a lack of buffers. This value should not include errors discovered outside the ICMP layer such as the inability of IPv6 to route the resultant datagram. In some implementations there may be no types of error which contribute to this counter's value.

IcmpInEchos The number of ICMP Echo (request) messages received by the interface.

ICMP6 Statistics Section

InMsgs The total number of ICMP messages received by the interface which includes all those counted by ipv6IfIcmpInErrors. Note that this interface is the interface to which the ICMP messages were addressed which may not be necessarily the input interface for the messages.

InNeighborSolicits The number of ICMP Neighbor Solicit messages received by the interface.

Page 187: Nortel Commands

InRouterSolicits The number of ICMP Router Solicit messages received by the interface.

InDestUnreachs The number of ICMP Destination Unreachable messages received by the interface.

InPktTooBigs The number of ICMP Packet Too Big messages received by the interface.

InRedirects The number of Redirect messages received by the interface.

InErrors The number of ICMP messages which the interface received but determined as having ICMP-specific errors (bad ICMP checksums, bad length, etc.).

InEchoReplies The number of ICMP Echo Reply messages received by the interface.

InNeighborAdvertisements The number of ICMP Neighbor Advertisement messages received by the interface.

InRouterAdvertisements The number of ICMP Router Advertisement messages received by the interface.

InTimeExcds The number of ICMP Time Exceeded messages received by the interface.

InParmProblems The number of ICMP Parameter Problem messages received by the interface.

OutMsgs The total number of ICMP messages which this interface attempted to send.

OutEchos The number of ICMP Echo Request messages sent by the interface.

OutNeighborSolicits The number of ICMP Neighbor Solicitation messages sent by the interface.

OutRouterSolicits The number of ICMP Router Solicitation messages sent by the interface.

OutRedirects The number of Redirect messages sent. For a host, this object will always be zero, since hosts do not send redirects.

Page 188: Nortel Commands

OutErrors The number of ICMP messages which this interface did not send due to problems discovered within ICMP such as a lack of buffers. This value should not include errors discovered outside the ICMP layer such as the inability of IPv6 to route the resultant datagram. In some implementations there may be no types of error which contribute to this counter's value.

OutEchoReplies The number of ICMP Echo Reply messages sent by the interface.

OutNeighborAdvertisements The number of ICMP Neighbor Advertisement messages sent by the interface.

OutRouterAdvertistments The number of ICMP Router Advertisement messages sent by the interface.

Page 189: Nortel Commands

/stats/l3/route
Route Statistics

Route statistics:
ipRoutesCur:            3   ipRoutesHighWater:      3
ipRoutesMax:         4096
------------------------------------------------------------------
SP Route statistics:
SP  ipRoutesCur   ipRoutesHighWater   ipRoutesMax
--- ------------- ------------------- -------------
  1             3                   3          4096
  2             3                   3          4096
  3             3                   3          4096
  4             3                   3          4096
------------------------------------------------------------------
RIP statistics:
ripInPkts:              0   ripOutPkts:             0
ripDiscardPkts:         0   ripRoutesAgedOut:       0

BGP statistics:
bgpInPkts:              0   bgpOutPkts:             0
bgpBadPkts:             0   bgpSessFailures:        0
bgpRoutesAdded:         0   bgpRoutesRemoved:       0
bgpRoutesCur:           0   bgpRoutesFailed:        0
bgpRoutesIgnored:       0   bgpRoutesFiltered:      0

Table 5-20 Route Statistics (/stats/l3/route)

Statistics Description

Route Statistics & SP Route Statistics:

ipRoutesCur The total number of outstanding routes in the route table.

ipRoutesHighWater The highest number of routes ever recorded in the route table.

ipRoutesMax The maximum number of supported routes.

RIP statistics:

ripInPkts The total number of good RIP advertisement packets received.

ripOutPkts The total number of RIP advertisement packets sent.

ripDiscardPkts The total number of RIP advertisement packets received that were dropped.

Page 190: Nortel Commands

ripRoutesAgedOut The total number of routes learned via RIP that have aged out.

BGP statistics:

bgpInPkts The total number of BGP packets received.

bgpOutPkts The total number of BGP packets sent.

bgpBadPkts The total number of BGP packets dropped.

bgpSessFailures The total number of failed sessions.

bgpRoutesAdded The total number of routes that were added to the routing table.

bgpRoutesRemoved The total number of routes that were removed from the routing table.

bgpRoutesCur The total number of current BGP routes.

bgpRoutesFailed The total number of BGP routes that failed to be added to the routing table.

bgpRoutesIgnored The total number of routes ignored because the peer was not connected locally or multihop was not configured.

bgpRoutesFiltered The total number of routes dropped by the filter.

/stats/l3/arp
ARP statistics

This menu option enables you to display Address Resolution Protocol statistics.

MP ARP statistics:
arpEntriesCur:          2   arpEntriesHighWater:    2
arpEntriesMax:       8192
------------------------------------------------------------------
SP ARP statistics:
SP  arpEntriesCur   arpEntriesHighWater   arpEntriesMax
--- --------------- --------------------- ---------------
  1               1                     1            8192
  2               1                     1            8192
  3               1                     1            8192
  4               1                     1            8192

Page 191: Nortel Commands

Table 5-21 ARP Statistics (/stats/l3/arp)

Statistics Description

arpEntriesCur The total number of outstanding ARP entries in the ARP table.

arpEntriesHighWater The highest number of ARP entries ever recorded in the ARP table.

arpEntriesMax The maximum number of ARP entries that are supported.

/stats/l3/vrrp
VRRP Statistics

Virtual Router Redundancy Protocol (VRRP) support on the Nortel Application Switch provides redundancy between routers in a LAN. This is accomplished by configuring the same virtual router IP address and ID number on each participating VRRP-capable routing device. One of the virtual routers is then elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address.

When virtual routers are configured, you can display the following protocol statistics for VRRP:

Advertisements received (vrrpInAdvers)
Advertisements transmitted (vrrpOutAdvers)
Advertisements received, but ignored (vrrpBadAdvers)

The statistics for the VRRP LAN are displayed:

VRRP statistics:
vrrpInAdvers:           0   vrrpBadAdvers:          0
vrrpOutAdvers:          0
vrrpBadVersion:         0   vrrpBadVrid:            0
vrrpBadAddress:         0   vrrpBadData:            0
vrrpBadPassword:        0   vrrpBadInterval:        0

Table 5-22 VRRP Statistics (/stats/l3/vrrp)

Statistics Description

vrrpInAdvers The total number of VRRP advertisements that have been received.

vrrpBadAdvers The total number of VRRP advertisements received that were dropped.

vrrpOutAdvers The total number of VRRP advertisements that have been sent.

vrrpBadVersion

Page 192: Nortel Commands

vrrpBadVrid

vrrpBadAddress

vrrpBadData

vrrpBadPassword

vrrpBadInterval

/stats/l3/dns
DNS Statistics

This menu option enables you to display Domain Name System statistics.

DNS statistics:
dnsInRequests:          0   dnsOutRequests:         0
dnsBadRequests:         0

Table 5-23 DNS Statistics (/stats/l3/dns)

Statistics Description

dnsInRequests The total number of DNS request packets that have been received.

dnsOutRequests The total number of DNS response packets that have been transmitted.

dnsBadRequests The total number of DNS request packets received that were dropped.

Page 193: Nortel Commands

/stats/l3/icmp
ICMP Statistics

ICMP statistics:
icmpInMsgs:            245802   icmpInErrors:            1393
icmpInDestUnreachs:        41   icmpInTimeExcds:            0
icmpInParmProbs:            0   icmpInSrcQuenchs:           0
icmpInRedirects:            0   icmpInEchos:               18
icmpInEchoReps:        244350   icmpInTimestamps:           0
icmpInTimestampReps:        0   icmpInAddrMasks:            0
icmpInAddrMaskReps:         0   icmpOutMsgs:           253810
icmpOutErrors:              0   icmpOutDestUnreachs:       15
icmpOutTimeExcds:           0   icmpOutParmProbs:           0
icmpOutSrcQuenchs:          0   icmpOutRedirects:           0
icmpOutEchos:          253777   icmpOutEchoReps:           18
icmpOutTimestamps:          0   icmpOutTimestampReps:       0
icmpOutAddrMasks:           0   icmpOutAddrMaskReps:        0

Table 5-24 ICMP Statistics (/stats/l3/icmp)

Statistics Description

icmpInMsgs The total number of ICMP messages which the entity (the switch) received. Note that this counter includes all those counted by icmpInErrors.

icmpInErrors The number of ICMP messages which the entity (the switch) received but determined as having ICMP-specific errors (bad ICMP checksums, bad length, and so forth).

icmpInDestUnreachs The number of ICMP Destination Unreachable messages received.

icmpInTimeExcds The number of ICMP Time Exceeded messages received.

icmpInParmProbs The number of ICMP Parameter Problem messages received.

icmpInSrcQuenchs The number of ICMP Source Quench (buffer almost full, stop sending data) messages received.

icmpInRedirects The number of ICMP Redirect messages received.

icmpInEchos The number of ICMP Echo (request) messages received.

icmpInEchoReps The number of ICMP Echo Reply messages received.

icmpInTimestamps The number of ICMP Timestamp (request) messages received.

icmpInTimestampReps The number of ICMP Timestamp Reply messages received.

icmpInAddrMasks The number of ICMP Address Mask Request messages received.

Page 194: Nortel Commands

icmpInAddrMaskReps The number of ICMP Address Mask Reply messages received.

icmpOutMsgs The total number of ICMP messages which this entity (the switch) attempted to send. Note that this counter includes all those counted by icmpOutErrors.

icmpOutErrors The number of ICMP messages which this entity (the switch) did not send due to problems discovered within ICMP such as a lack of buffer. This value should not include errors discovered outside the ICMP layer such as the inability of IP to route the resultant datagram. In some implementations there may be no types of errors that contribute to this counter's value.

icmpOutDestUnreachs The number of ICMP Destination Unreachable messages sent.

icmpOutTimeExcds The number of ICMP Time Exceeded messages sent.

icmpOutParmProbs The number of ICMP Parameter Problem messages sent.

icmpOutSrcQuenchs The number of ICMP Source Quench (buffer almost full, stop sending data) messages sent.

icmpOutRedirects The number of ICMP Redirect messages sent. For a host, this object will always be zero, since hosts do not send redirects.

icmpOutEchos The number of ICMP Echo (request) messages sent.

icmpOutEchoReps The number of ICMP Echo Reply messages sent.

icmpOutTimestamps The number of ICMP Timestamp (request) messages sent.

icmpOutTimestampReps The number of ICMP Timestamp Reply messages sent.

icmpOutAddrMasks The number of ICMP Address Mask Request messages sent.

icmpOutAddrMaskReps The number of ICMP Address Mask Reply messages sent.

Page 195: Nortel Commands

/stats/l3/if <interface number>
Interface Statistics

IP interface 1 statistics:
ifInOctets:          48948386   ifInUcastPkts:         220553
ifInNUCastPkts:        167895   ifInDiscards:               0
ifInErrors:                 0   ifInUnknownProtos:          0
ifOutOctets:         27100789   ifOutUcastPkts:        441938
ifOutNUcastPkts:       218652   ifOutDiscards:              0
ifOutErrors:                0   ifStateChanges              1

Table 5-25 Interface Statistics (/stats/if)

Statistics Description

ifInOctets The total number of octets received on the interface, including framing characters.

ifInUcastPkts The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were not addressed to a multicast or broadcast address at this sub-layer.

ifInNUCastPkts The number of packets, delivered by this sub-layer to a higher (sub-)layer, which were addressed to a multicast or broadcast address at this sub-layer. This object is deprecated in favor of ifInMulticastPkts and ifInBroadcastPkts.

ifInDiscards The number of inbound packets that were chosen to be discarded even though no errors had been detected to prevent their being delivered to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.

ifInErrors For packet-oriented interfaces, the number of inbound packets that contained errors preventing them from being delivered to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of inbound transmission units that contained errors preventing them from being deliverable to a higher-layer protocol.

ifInUnknownProtos For packet-oriented interfaces, the number of packets received via the interface which were discarded because of an unknown or unsupported protocol. For character-oriented or fixed-length interfaces which support protocol multiplexing the number of transmission units received via the interface which were discarded because of an unknown or unsupported protocol. For any interface which does not support protocol multiplexing, this counter will always be 0.

Page 196: Nortel Commands

ifOutOctets The total number of octets transmitted out of the interface, including framing characters.

ifOutUcastPkts The total number of packets that higher-level protocols requested to be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent.

ifOutNUcastPkts The total number of packets that higher-level protocols requested to be transmitted, and which were addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent. This object is deprecated in favor of ifOutMulticastPkts and ifOutBroadcastPkts.

ifOutDiscards The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.

ifOutErrors For packet-oriented interfaces, the number of outbound packets that could not be transmitted because of errors. For character-oriented or fixed-length interfaces, the number of outbound transmission units that could not be transmitted because of errors.

ifStateChanges The number of times an interface has transitioned from either down to up or from up to down.

Page 197: Nortel Commands

/stats/l3/tcp
TCP Statistics

TCP statistics:
tcpRtoAlgorithm:            4   tcpRtoMin:                  0
tcpRtoMax:             240000   tcpMaxConn:              1600
tcpActiveOpens:             0   tcpPassiveOpens:            0
tcpAttemptFails:            0   tcpEstabResets:             0
tcpInSegs:                  0   tcpOutSegs:                 0
tcpRetransSegs:             0   tcpInErrs:                  0
tcpCurBuff:                 0   tcpCurConn:                 6
tcpCurInConn:               0   tcpCurOutConn:              0
tcpCurLstnConn:             3   tcpOutRsts:                 0
tcpAllocTCBFails:           0

Table 5-26 TCP Statistics (/stats/l3/tcp)

Statistics Description

tcpRtoAlgorithm The algorithm used to determine the timeout value used for retransmitting unacknowledged octets.

tcpRtoMin The minimum value permitted by a TCP implementation for the retransmission timeout, measured in milliseconds. More refined semantics for objects of this type depend upon the algorithm used to determine the retransmission timeout. In particular, when the timeout algorithm is rsre(3), an object of this type has the semantics of the LBOUND quantity described in RFC 793.

tcpRtoMax The maximum value permitted by a TCP implementation for the retransmission timeout, measured in milliseconds. More refined semantics for objects of this type depend upon the algorithm used to determine the retransmission timeout. In particular, when the timeout algorithm is rsre(3), an object of this type has the semantics of the UBOUND quantity described in RFC 793.

tcpMaxConn The limit on the total number of TCP connections the entity (the switch) can support. In entities where the maximum number of connections is dynamic, this object should contain the value -1.

tcpActiveOpens The number of times TCP connections have made a direct transition to the SYN-SENT state from the CLOSED state.

tcpPassiveOpens The number of times TCP connections have made a direct transition to the SYN-RCVD state from the LISTEN state.

Page 198: Nortel Commands

tcpAttemptFails The number of times TCP connections have made a direct transition to the CLOSED state from either the SYN-SENT state or the SYN-RCVD state, plus the number of times TCP connections have made a direct transition to the LISTEN state from the SYN-RCVD state.

tcpEstabResets The number of times TCP connections have made a direct transition to the CLOSED state from either the ESTABLISHED state or the CLOSE-WAIT state.

tcpInSegs The total number of segments received, including those received in error. This count includes segments received on currently established connections.

tcpOutSegs The total number of segments sent, including those on current connections but excluding those containing only retransmitted octets.

tcpRetransSegs The total number of segments retransmitted - that is, the number of TCP segments transmitted containing one or more previously transmitted octets.

tcpInErrs The total number of segments received in error (for example, bad TCP checksums).

tcpCurBuff The total number of outstanding memory allocations from heap by TCP protocol stack.

tcpCurConn The total number of outstanding TCP sessions that are currently opened.

tcpCurInConn The total number of remotely-initiated TCP connections.

tcpCurOutConn The total number of switch-originated TCP connection requests.

tcpCurLstnConn The total number of TCP ports on which the switch is listening.

tcpOutRsts The number of TCP segments sent containing the RST flag.

tcpAllocTCBFails

Page 199: Nortel Commands

/stats/l3/udp
UDP Statistics

UDP statistics:
udpInDatagrams:            54   udpOutDatagrams:           43
udpInErrors:                0   udpNoPorts:           1578077

Table 5-27 UDP Statistics (/stats/l3/udp)

Statistics Description

udpInDatagrams The total number of UDP datagrams delivered to the switch.

udpOutDatagrams The total number of UDP datagrams sent from this entity (the switch).

udpInErrors The number of received UDP datagrams that could not be delivered for reasons other than the lack of an application at the destination port.

udpNoPorts The total number of received UDP datagrams for which there was no application at the destination port.

/stats/slb
Server Load Balancing Statistics Menu

[Server Load Balancing Statistics Menu]
     sp      - SLB Switch SP Stats Menu
     gslb    - Global SLB Stats Menu
     real    - Show real server stats
     group   - Show real server group stats
     virt    - Show virtual server stats
     filt    - Show filter stats
     layer7  - Show Layer 7 stats
     ssl     - Show SSL SLB stats
     ftp     - Show FTP SLB parsing and NAT stats
     rtsp    - Show RTSP SLB stats
     dns     - Show DNS SLB stats
     wap     - Show WAP SLB stats
     maint   - Show maintenance stats
     sip     - Show SIP SLB stats
     wlm     - Show Workload Manager SASP stats
     mirror  - Show Session mirroring stats
     clear   - Clear non-operational Server Load Balancing stats
     aux     - Show auxiliary session table stats
     dump    - Dump all SLB statistics

Page 200: Nortel Commands

Table 5-28 SLB Statistics Menu Options (/stats/slb)

Command Syntax and Usage

sp <SP number (1-4)>
Displays the server load balancing statistics menu. To view menu options, see page 202.

gslb
Displays the Global SLB Statistics menu. For more information, see page 206.

real <real server number (1-1023)>
Displays the following real server statistics:
  Number of times the real server has failed its health checks
  Number of sessions currently open on the real server
  Total sessions the real server was assigned
  Highest number of simultaneous sessions recorded for each real server
  Real server transmit/receive octets
See page 211 for sample output.

group <real server group number (1-1024)>
Displays the following real server group statistics:
  Current and total sessions for each real server in the real server group.
  Current and total sessions for all real servers associated with the real server group.
  Highest number of simultaneous sessions recorded for each real server.
  Real server transmit/receive octets. For per-service octet counters, see page 211.
See page 212 for sample output.

virt <virtual server number (1-1024)>
Displays the following virtual server statistics:
  Current and total sessions for each real server associated with the virtual server.
  Current and total sessions for all real servers associated with the virtual server.
  Highest number of simultaneous sessions recorded for each real server.
  Real server transmit/receive octets. For per-service octet counters, see page 211.
See page 213 for sample output.

filt <filter ID (1-2048)>
Displays the total number of times any filter has been used. See page 213 for sample output.

layer7
Displays Layer 7 statistics. See page 214 for sample output.

ssl
Displays SSL server load balancing statistics. See page 219 for sample output.

ftp
Displays FTP SLB parsing and NAT statistics. See page 220 for sample output.

rtsp
Displays RTSP SLB statistics. See page 223 for sample output.

Page 201: Nortel Commands

dns
Displays DNS SLB statistics. See page 224 for sample output.

wap
Displays WAP SLB statistics. See page 225 for sample output.

maint
Displays SLB maintenance statistics. See page 227 for sample output.

sip
Displays SIP SLB statistics. See page 229 for sample output.

wlm <Workload Manager number, 1-16> <clear>
Displays Workload Manager SASP statistics. See page 230 for sample output.

mirror
Displays session mirroring statistics. See page 231 for sample output.

clear [y|n]
Clears all non-operating SLB statistics on the Nortel Application Switch, resetting them to zero. This command does not reset the switch and does not affect the following counters:
  Counters required for Layer 4 and Layer 7 operation (such as current real server sessions).
  All related SNMP counters.
To view the statistics reset by this command, refer to Table 5-51 on page 230.

aux
Displays auxiliary session table statistics.

dump
Dumps all switch SLB statistics. Use this command to gather data for tuning and debugging switch performance. To save dump data to a file, set the communication software on your workstation to capture session data before issuing the dump command.

Page 202: Nortel Commands

/stats/slb/sp
Server Load Balancing SP statistics Menu

[Server Load Balancing SP Statistics Menu]
     real    - Show real server stats
     group   - Show real server group stats
     virt    - Show virtual server stats
     filt    - Show filter stats
     maint   - Show maintenance stats
     aux     - Show auxiliary session table stats
     clear   - Clear SP stats

Table 5-29 SP Statistics Menu options (/stats/slb/sp)

Command Syntax and Usage

real <real server number (1-1023)>
Displays real server statistics of the switch port. See page 202 for a sample output.

group <real server group number (1-1024)>
Displays real server group statistics of the switch port. See page 203 for a sample output.

virt <virtual server number (1-1024)>
Displays statistics of the virtual server. See page 203 for a sample output.

filt <filter ID (1-2048)>
Displays statistics of the filter. See page 203 for a sample output.

maint
Displays the SP maintenance statistics. See page 204 for a sample output.

aux
Displays the statistics of the auxiliary session table.

clear
Deletes all the SP statistics.

/stats/slb/sp/real <real server number>
SP Real Server Statistics

Port 1 Real server 1 stats:
Current sessions: 3
Total sessions: 3
Octets: 24

Page 203: Nortel Commands

/stats/slb/sp <sp number>/group <real group server number>
SP Real Group Server Statistics

Real server group 1 stats:
                      Current    Total    Highest
Real IP address      Sessions   Sessions  Sessions          Octets
---- --------------- -------- ---------- -------- ---------------
   1 200.100.10.14         20         60        9          480000
   2 200.100.10.15         20         77       12          616000
---- --------------- -------- ---------- -------- ---------------
                           40        137       21         1096000

/stats/slb/sp <sp number>/virt <virtual server number>
SP Virtual Server Statistics

Real server group 1 stats:
                      Current    Total    Highest
Real IP address      Sessions   Sessions  Sessions          Octets
---- --------------- -------- ---------- -------- ---------------
   1 200.100.10.14         20         60        9          480000
   2 200.100.10.15         20         77       12          616000
---- --------------- -------- ---------- -------- ---------------
     200.100.10.100        40        137       21         1096000

/stats/slb/sp <sp number>/filt <filter number>
SP Filter Statistics

SP 1 Filter 1 stats:
Total firings: 2

Page 204: Nortel Commands

/stats/slb/sp <sp number>/maint
SP Maintenance Statistics

SP 1 SLB Maintenance stats:
Maximum sessions:             524276
Current sessions:                  0
  4 second average:                0
 64 second average:                0
Terminated sessions:               0
Allocation failures:               0
Non TCP/IP frames:                 0
UDP datagrams:                     0
Incorrect VIPs:                    0
Incorrect Vports:                  0
No available real server:          0
Filtered (denied) frames:          0
LAND attacks:                      0
No TCP control bits:               0
Invalid reset packet drops:        0
Total IP fragment sessions:        0
IP fragment sessions:              0
IP fragment discards:              0
IP fragment table full:            0

Table 5-30 SP Maintenance Statistics (/stats/slb/sp/maint)

Statistic Description

Maximum sessions The maximum number of simultaneous sessions supported.

Current Sessions Number of session bindings currently in use (the last 4 and 64 seconds).

Terminated Sessions Number of sessions removed from the session table because the server assigned to them failed and graceful server failure was not enabled.

Allocation Failures Indicates instances where the Switch ran out of available sessions for a port.

UDP Datagrams Indicates that the virtual server IP address and MAC are receiving UDP frames when UDP balancing is not turned on.

Non TCP/IP Frames Indicates the number of non-IP based frames received by the virtual server.

Incorrect VIPs Indicates the number of times the switch received a Layer 4 request for a virtual server which was not configured.

Page 205: Nortel Commands

Incorrect Vports This dropped frames counter indicates that the virtual server has received frames for TCP/UDP services that have not been configured. Normally this indicates a misconfiguration on the virtual server or the client, but it may be an indication of a potential security probing application like SATAN.

No Available Real Server This dropped frames counter indicates that all real servers are either out of service or at their maxcon limit.

Backup Server Activations This indicates the number of times a real server failure has occurred and caused a backup server to be brought online.

Overflow Server Activations This indicates the number of times a real server has reached the maxcon limit and caused an overflow server to be brought online.

Filtered (Denied) Frames This indicates the number of frames that were dropped because of one of the following reasons: 1. They matched an active filter with the deny action set. 2. There are no real servers (in the case of redirection filters). 3. There are no available session entries.

LAND attacks This counter increases whenever a packet has the same source and destination IP addresses and ports.

No TCP Control Bits The number of packets that were dropped because the packet had no control bits set in the TCP header.

Invalid reset packet drops The number of packets that were dropped because the packet had an invalid reset flag set.

Total IP fragment sessions This represents the total number of fragment sessions the switch has processed so far.

Current IP fragment sessions This represents the current number of fragment sessions.

IP fragment discards The number of fragmented packets that are discarded due to lack of resources.

IP fragment table full This counter indicates how many times the session table is full.
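The counters in Table 5-30 are cumulative, so what matters operationally is how far each one moved between two captures of the screen. The Python sketch below is an added example, not part of the Nortel reference: it parses two captures of the /stats/slb/sp maintenance screen and reports the counters the table ties to malformed traffic, probing or resource exhaustion. The captures are constructed sample data, and the thresholds and function names are assumptions.

```python
import re

# Counters from Table 5-30 that point at malformed or probing traffic, or at
# resource exhaustion. Thresholds (minimum increase between two captures) are
# assumptions for illustration; tune them to the site's baseline.
WATCHED = {
    "LAND attacks": (1, "same source and destination IP address and port"),
    "No TCP control bits": (1, "TCP header with no control bits set"),
    "Invalid reset packet drops": (10, "packets with an invalid reset flag"),
    "Incorrect Vports": (50, "frames for unconfigured services: misconfiguration or probing"),
    "Allocation failures": (1, "no session entries left for a port"),
    "IP fragment discards": (1, "fragments dropped for lack of resources"),
    "IP fragment table full": (1, "fragment session table filled up"),
}

# "name: value" rows; the header line has no value after the colon and is skipped.
ROW = re.compile(r"^\s*([^:]+?):\s*(\d+)\s*$")


def parse_maint(text):
    """Return {counter name: value} for one captured maintenance screen."""
    counters = {}
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            counters[match.group(1)] = int(match.group(2))
    return counters


def counter_deltas(before, after):
    """Increase of each watched counter between two parsed captures."""
    deltas = {}
    for name in WATCHED:
        old, new = before.get(name, 0), after.get(name, 0)
        # A lower value means the statistics were cleared or the switch
        # restarted between captures, so everything now shown is new.
        deltas[name] = new - old if new >= old else new
    return deltas


def findings(before_text, after_text):
    """List (counter, increase, reason) for counters at or over threshold."""
    deltas = counter_deltas(parse_maint(before_text), parse_maint(after_text))
    return [(name, deltas[name], reason)
            for name, (threshold, reason) in WATCHED.items()
            if deltas[name] >= threshold]


# Constructed captures, taken some minutes apart. Field names follow the
# maintenance screen shown in this section; the values are made up.
SNAP_BEFORE = """SP 1 SLB Maintenance stats:
Maximum sessions:             524276
Current sessions:                 12
  4 second average:               11
 64 second average:                9
Terminated sessions:               0
Allocation failures:               0
Incorrect VIPs:                    2
Incorrect Vports:                 40
Filtered (denied) frames:          7
LAND attacks:                      0
No TCP control bits:               0
Invalid reset packet drops:        1
IP fragment discards:              0
IP fragment table full:            0
"""

SNAP_AFTER = """SP 1 SLB Maintenance stats:
Maximum sessions:             524276
Current sessions:                 15
  4 second average:               14
 64 second average:               10
Terminated sessions:               0
Allocation failures:               0
Incorrect VIPs:                    2
Incorrect Vports:                452
Filtered (denied) frames:          9
LAND attacks:                      3
No TCP control bits:               0
Invalid reset packet drops:        5
IP fragment discards:              0
IP fragment table full:            0
"""

if __name__ == "__main__":
    for name, increase, reason in findings(SNAP_BEFORE, SNAP_AFTER):
        print(f"{name}: +{increase} ({reason})")
```

Feed it two captures of the same SP taken a known interval apart; after the clear command is issued the next capture is counted from zero rather than producing a negative delta.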

Page 206: Nortel Commands

/stats/slb/gslb
Global SLB Statistics Menu

[Global SLB Statistics Menu]
     real    - Show Global SLB remote real server stats
     virt    - Show Global SLB virtual server stats
     site    - Show Global SLB remote site stats
     network - Show Global SLB network preference stats
     rule    - Show Global SLB rule stats
     geo     - Show Global SLB geographical preference stats
     pers    - Show Global SLB DNS persistence cache stats
     maint   - Show Global SLB maintenance stats
     clear   - Clear all Global SLB stats
     dump    - Show all Global SLB stats

Table 5-31 Global SLB Statistics Menu Options (/stats/slb/gslb)

Command Syntax and Usage

real <real server number (1-1023)>
Where the real server number represents the real server ID on this switch, under which the remote server is configured. To view an example and description of what is displayed on-screen, see page 211.

virt <virtual server number (1-1024)>
To view an example and description of what is displayed on-screen, see page 207.

site <remote site, 1-64>
Displays Global SLB statistics for the remote site. To view an example, see page 208.

network <network, 1-64>
Displays Global SLB statistics for the network.

rule <rule, 1-64>
Displays Global SLB statistics for the rule.

pers
Displays Global SLB DNS persistence cache statistics.

geo
Displays Global SLB statistics for the geographical preference.

maint
To view an example and description of Global SLB maintenance statistics, see page 209.

clear
Deletes all Global SLB statistics.

Page 207: Nortel Commands

dump
Displays all Global SLB statistics.

/stats/slb/gslb/real <real server number>
Real Server Global SLB Statistics

For any remote real server configured for Global Server Load Balancing, the following statistics can be viewed:

Number of DNS responses directed to the remote real server
Number of HTTP redirects to the remote real server

Real server 1 global stats:
DNS directs: 3210
HTTP redirects: 12

/stats/slb/gslb/virt <virtual server number>
Virtual Server Global SLB Statistics

Global SLB virtual server 1 http service stats:
Domain: www.gslb.example.com
Server IP address      Site DNS directs HTTP redirects
------ --------------- ---- ----------- --------------
v1     200.200.200.1                  0              0
r2     200.200.200.10     5           0              0
------ --------------- ---- ----------- --------------
Totals                                0              0

Table 5-32 Virtual Server Global SLB Statistics (/stats/slb/gslb/virt)

Field Description

Server Type of server configuration and server ID number. v# represents a local virtual server number. r# represents a remote site. Since each remote site is configured on its peers as if it were a real server (with certain special properties), the number represents the real server ID on this switch, under which the remote server is configured.

Page 208: Nortel Commands

IP Address IP address of the server.

Site The remote site number.

DNS directs The number of DNS responses that return the IP address of the corresponding server.

HTTP redirects The number of HTTP requests redirected to the corresponding server.

/stats/slb/gslb/site
Global SLB Site Statistics

Global SLB remote site 1 stats:
Bad remote site packets received: 386
DSSPv1 remote site updates sent: 0
DSSPv1 remote site updates received: 0
DSSPv2 remote site updates sent: 768
DSSPv2 remote site updates received: 348

Table 5-33 Global SLB Site Statistics Parameters (/stats/slb/gslb/site)

Field Description

Bad remote site packets received The number of bad packets received from remote site.

DSSPv1 remote site updates sent The number of remote site updates sent using DSSP version 1.

DSSPv1 remote site updates received The number of remote site updates received using DSSP version 1.

DSSPv2 remote site updates sent The number of remote site updates sent using DSSP version 2.

DSSPv2 remote site updates received The number of remote site updates received using DSSP version 2.

/stats/slb/gslb/maint
Global SLB Maintenance Statistics

Global SLB maintenance stats:
Bad remote site packets received: 0
DSSPv1 remote site updates sent: 0
DSSPv1 remote site updates received: 0
DSSPv2 remote site updates sent: 127746
DSSPv2 remote site updates received: 85164
DNS queries received: 0
Bad DNS queries received: 0
DNS responses sent: 0
HTTP requests received: 0
Bad HTTP requests received: 0
HTTP responses sent: 0
Hostname domain hits: 0
Network domain hits: 0
Basic domain hits: 0
No server selected for hostname domain: 0
No server selected for network domain: 0
No server selected for basic domain: 0
No matching domain: 0
Last no result domain:
Last source IP: 0.0.0.0

Table 5-34 Global SLB Maintenance Statistics (/stats/slb/gslb/maint)

Field Description

Bad remote site packets received

The number of bad packets received from the remote site. Bad updates or dropped packets usually indicate that there is a configuration problem at local or remote GSLB switches. If bad updates or dropped packets occur, check your syslog for configuration error messages.

DSSPv1 remote site updates sent

The number of Distributed Site State Protocol (DSSP) version one updates/packets sent to the remote sites.

DSSPv1 remote site updates received

The number of Distributed Site State Protocol (DSSP) version one updates/packets received from the remote sites.

DSSPv2 remote site updates sent

The number of Distributed Site State Protocol (DSSP) version two updates/packets sent to the remote sites.

DSSPv2 remote site updates received

The number of Distributed Site State Protocol (DSSP) version two updates/packets received from the remote sites.

DNS queries received The number of DNS queries received.

Bad DNS queries received

The number of bad DNS queries received.

DNS responses sent The number of DNS responses sent by the switch, including DNS directs and DNS error responses.

HTTP requests received The number of HTTP requests received.

Bad HTTP requests received

The number of bad/dropped client HTTP requests. Client HTTP GET request packets that do not contain the entire URL are considered bad and are dropped.

HTTP responses sent The number of HTTP responses sent by the switch, including HTTP redirects.

Hostname domain hits The number of times the DNS queries received matched for the hostname configured.

Network domain hits The number of times the DNS queries received matched for the network domain name configured.

Basic domain hits The number of times the DNS queries received matched for the basic domain name configured.

No server selected for hostname domain

The number of times no server was selected after matching the host name domain.

No server selected for network domain

The number of times no server was selected after matching the network domain name.

No server selected for basic domain

The number of times no server was selected after matching the basic domain name.

No matching domain The number of times the DNS queries received did not match the host name, domain name, or the network domain configured.

Last no result domain The domain in the last DNS query received that did not match the host name, domain name, or the network domain configured.

Last source IP The source IP address of the last DNS query or HTTP request received.

/stats/slb/real <real server number>
Real Server SLB Statistics

Real server 1 stats:
Current sessions: 129
Total sessions: 65478
Highest sessions: 4343
Octets 523824000

Table 5-35 Real Server SLB Statistics (/stats/slb/real)

Statistics Description

Current sessions The total number of outstanding sessions that are established to the particular real server.

Total sessions The total number of sessions that have been established to the particular real server.

Highest sessions The highest number of sessions ever recorded for the particular real server.

Octets The total number of octets sent by the particular real server.

NOTE – Octets are provided per server, not per service, unless configured as described in “Per Service Octet Counters” on page 211.

Per Service Octet Counters

For each load-balanced real server, the octet counters represent the combined number of transmit and receive bytes (octets). These counters are then added to report the total octets for each virtual server.

The octet counters are provided per server, not per service. If you need octet counters on a per-service basis, you can accomplish this through the following configuration:

1. Configure a separate IP address for each service on each server being load balanced.

For instance, you can configure IP address 10.1.1.20 for HTTP services, and 10.1.1.21 for FTP services on the same physical server.

2. On the Nortel Application Switch, configure a real server with a real IP address for each service above.

Continuing the example above, two real servers would be configured for the physical server (representing each real service). If there were five physical servers providing the two services (HTTP and FTP), 10 real servers would have to be configured: five for the HTTP services on each physical server, and five for the FTP services on each physical server.

3. On the Nortel Application Switch, configure one real server group for each type of service, and group each appropriate real server IP address into the group that handles the specific service.

Thus, in keeping with our example, two groups would be configured: one for handling HTTP and one for handling FTP.

4. Configure a virtual server and add the appropriate services to that virtual server.

/stats/slb/group <real server group number>
Real Server Group Statistics

Real server group statistics include the following:

Current and total sessions for each real server in the real server group.

Current and total sessions for all real servers associated with the real server group.

Highest number of simultaneous sessions recorded for each real server.

Real server transmit/receive octets. For per-service octet counters, see the procedure on “Per Service Octet Counters” on page 211.

Real server group 1 stats:

Total weight updates from WorkLoad Manager : 10

                      Current      Total  Highest
Real IP address      Sessions   Sessions Sessions          Octets
---- --------------- -------- ---------- -------- ---------------
   1 200.100.10.14         20         60        9          480000
   2 200.100.10.15         20         77       12          616000
---- --------------- -------- ---------- -------- ---------------
                           40        137       21         1096000

/stats/slb/virt <virtual server number>
Virtual Server SLB Statistics

Virtual server 1 stats:
                      Current      Total  Highest
Real IP address      Sessions   Sessions Sessions          Octets
---- --------------- -------- ---------- -------- ---------------
   1 200.100.10.14         20         60        9          480000
   2 200.100.10.15         20         77       12          616000
---- --------------- -------- ---------- -------- ---------------
     200.100.10.20         40        309       21         1096000

NOTE – The virtual server IP address is shown on the last line, below the real server IP addresses.

Virtual server statistics include the following:

Current and total sessions for each real server associated with the virtual server.

Current and total sessions for all real servers associated with the virtual server.

Highest number of simultaneous sessions recorded for each real server.

Real server transmit/receive octets. For per-service octet counters, see “Per Service Octet Counters” on page 211.

/stats/slb/filt <filter number>
Filter SLB Statistics

You can obtain the total number of times any filter has been matched.

Filter 1 stats:
Total firings: 1011

/stats/slb/layer7
SLB Layer7 Statistics Menu

[Layer 7 Statistics Menu]
     redir    - Show URL Redirection stats
     str      - Show SLB String stats
     maint    - Show Layer 7 Maintenance stats
     pooling  - Show connection pooling stats

Table 5-36 SLB Layer 7 Statistics Menu Options (/stats/slb/layer7)

Command Syntax & Usage

redir Displays URL Redirection statistics. See page 214 for a sample output.

str Displays SLB string statistics. See page 215 for a sample output.

maint Displays Layer 7 maintenance statistics. See page 216 for a sample output.

pooling Displays the connection pooling statistics. See page 216 for a sample output.

/stats/slb/layer7/redir
Layer7 Redirection Statistics

Total URL based web cache redirection stats:
Total cache server hits: 0
Total origin server hits: 0
Total straight to origin server hits: 0
Total none-GETs hits: 0
Total 'Cookie: ' hits: 0
Total no-cache hits: 0
Total RTSP cache server hits: 0
Total RTSP origin server hits: 0
Total HTTP redirection hits: 0

Table 5-37 Layer 7 Redirection Statistics (/stats/slb/layer7/redir)

Statistics Description

Total cache server hits The total number of HTTP requests redirected to the cache server.

Total origin server hits The total number of HTTP requests forwarded to the origin server.

Total straight to origin server hits

The total number of HTTP requests forwarded straight to the origin server.

Total none-GETs hits The total number of non-GET requests forwarded to the origin server.

Total 'Cookie:' hits The total number of cookie requests forwarded to the origin server.

Total no-cache hits The total number of requests containing a no-cache header forwarded to the origin server.

Total RTSP cache server hits

The total number of RTSP requests redirected to the cache server.

Total RTSP origin server hits

The total number of RTSP requests forwarded to the origin server.

Total HTTP redirection hits

The total number of HTTP requests that were redirected by a redirection filter.

/stats/slb/layer7/str
Layer 7 SLB String Statistics

SLB String stats:
 ID  SLB String                      Hits
  1  any                          1527115
  2  www.[abcdefghijklm]*.com           0
  3  www.[nopqrstuvwxyz]*.com           0
  4  www.junk.com                       0
  5  www.abc.com                        0
  6  www.[abcdefjhijklm]*.org           0
  7  www.[nopqrstuvwxyz]*.org           0

Table 5-38 Layer 7 SLB String Statistics (/stats/slb/layer7/str)

Statistics Description

ID SLB String The user-defined strings being used in URL matching.

Hits The total number of instances that are load-balanced due to matching of the particular URL ID.

/stats/slb/layer7/maint
Layer 7 SLB Maintenance Statistics

Layer 7 maintenance stats:
Clients reset by switch on client side: 0
Clients reset by switch on server side: 0
Connection Splicing to support HTTP/1.1: 0
Invalid HTTP methods: 0
Aged delayed binding sessions: 0
Half open connections: 0
Switch retries: 0
Random early drops: 0
Requests exceeded 9000 bytes: 0
Invalid 3-way handshakes: 0
Exceeded max frame size: 0
Out of order packet drops: 0
Current SP[1] memory units: 1260   Lowest: 1260
Current SP[2] memory units: 1260   Lowest: 1260
Current SP[3] memory units: 1260   Lowest: 1260
Current SP[4] memory units: 1260   Lowest: 1260
Current SP memory units: 5040
Current SEQ buffer entries: 0   Highest: 0
Current Data buffer use: 0   Highest: 0
Current SP buffer entries: 0   Highest: 0
Total Nonzero SEQ Alloc: 0
Total SEQ Buffer Allocs: 0   Total SEQ Frees: 0
Total Data Buffer Allocs: 0   Total Data Frees: 0
Alloc Fails - Seq buffers: 0   Alloc Fails - Ubufs: 0
Max sessions per bucket: 0   Max frames per session: 0
Max bytes buffered (sess): 0

Table 5-39 SLB Layer 7 Maintenance Statistics (/stats/slb/layer7/maint)

Statistics Description

Clients reset by switch on client side

The number of reset frames sent to the client by the switch during server connection termination. When the switch cannot connect to the real server and the client’s retries exceed the threshold due to delayed binding, the switch sends a reset frame to the client to terminate the connection.

Clients reset by switch on server side

The number of reset frames sent to the server by the switch during server connection termination due to delayed binding.

Connection Splicing to support HTTP/1.1

The total number of connection swaps between different real servers in supporting multiple HTTP/1.1 client requests.

Invalid HTTP methods The total number of HTTP requests that contain invalid methods sent by the client.

Aged delayed binding sessions

The total number of aged delayed binding sessions caused by failed connection initialization between the switch and the server.

Half open connections The total number of outstanding TCP connections that are half open. It is incremented when the switch responds to a TCP SYN packet and decremented upon receiving a TCP SYN ACK packet from the requester.

Switch retries The total number of switch retries to connect to the real server.

Random early drops The total number of SYN frames dropped when the buffer is low.

Requests exceeded 4500 bytes

The total number of GET requests that exceeded 4500 bytes.

Invalid 3-way handshakes

The total number of dropped frames because of invalid 3-way handshakes.

Exceeded max frame size

The total number of switch-generated frames that exceeded the maximum allowed frame size.

Out of order packet drops:

The total number of TCP packets dropped because they were received out of order.

Current SP memory units

The currently available SP memory units.

Current SEQ buffer entries

The number of outstanding sequence buffers used.

Highest SEQ buffer entries

The highest number of sequence buffers ever used.

Current Data buffer use

The number of outstanding data buffers used.

Highest Data buffer use

The highest number of data buffers ever used.

Total Nonzero SEQ Alloc

The total number of sequence buffers allocated.

Total SEQ Buffer Allocs

The total number of sequence buffer allocations.

Total SEQ Frees The total number of sequence buffers freed.

Total Data Buffer Allocs

The total number of buffers allocated to store client requests.

Total Data Frees The total number of buffers freed.

Alloc Fails - Seq buffers

The number of times sequence buffer allocation failed.

Alloc Fails - Ubufs The number of times the URL data buffer allocation failed.

Max sessions per bucket

The maximum number of items (sessions) allowed in the session table hash bucket chain.

Max frames per session The maximum number of frames to be buffered per session.

Max bytes buffered (sess)

The maximum number of bytes to be buffered per session.

/stats/slb/layer7/pooling
Layer7 Pooling Statistics

>> Layer 7 Statistics# pooling
------------------------------------------------------------------
Connection pooling statistics:
Current opened server connections: 0
Active server connections: 0
Available server connections: 0
Total number of aged out client connections: 0
Total number of aged out server connections: 0

/stats/slb/ssl
SLB Secure Socket Layer Statistics

SSL SLB maintenance stats:
SessionId allocation fails: 0
Total number of SSL ID reassignments: 0

                           Current      Total  Highest
                          Sessions   Sessions Sessions
------------------------- -------- ---------- --------
Unique SessionIds                0          0        0
SSL connections                  0          0        0
Persistent Port Sessions         0          0        0

Table 5-40 SLB Secure Socket Layer Statistics (/stats/slb/ssl)

Statistics Description

SSL SLB maintenance stats

Debug stats for SSL SessionId based persistence.

SessionId allocation fails

The number of times allocation of a session table entry failed when attempting to store a SessionId in the table.

Total number of SSL ID reassignments

The table shows the Current Sessions, the total sessions seen on the switch since last reset and the high water mark of current sessions for the following:

Unique SessionIds Many SSL sessions can use the same SessionId; these should all bind to the same server. This number shows the number of unique SSL sessions seen on the switch.

SSL connections The number of different TCP connections using SSL service.

Persistent Port Sessions

The number of SessionIds maintained to allow for persistence across different client ports.

/stats/slb/ftp
File Transfer Protocol SLB and Filter Statistics Menu

[FTP SLB parsing and Filter Statistics Menu]
     active   - Show active FTP NAT filter stats
     parsing  - Show FTP SLB parsing server stats
     maint    - Show FTP maintenance stats
     dump     - Dump all FTP SLB/NAT stats

Table 5-41 FTP SLB Parsing and Filter Statistics Menu Options (/stats/slb/ftp)

Command Syntax and Usage

active Shows active FTP SLB parsing and filter statistics. See page 221 for sample output.

parsing Shows parsing statistics. See page 221 for sample output.

maint Shows maintenance statistics. See page 222 for sample output.

dump Shows all FTP SLB/NAT statistics. See page 222.

/stats/slb/ftp/active
Active FTP SLB Parsing and Filter Statistics

Total Active FTP NAT stats(PORT):
Total FTP: 0
Total New Active FTP Index: 0
Active FTP NAT ACK/SEQ diff: 0

Table 5-42 Active FTP SLB Parsing and Filter Statistics (/stats/slb/ftp/active)

Statistics Description

Total Active FTP NAT stats (PORT)

The number of times the switch receives the port command from the client.

Total FTP The number of times the switch receives both active and passive FTP connections.

Total New Active FTP Index

The number of times the switch creates a new index due to port command from the client.

Active FTP NAT ACK/SEQ diff

The difference in the numbers of ACK and SEQ that the switch needs for packet adjustment.

/stats/slb/ftp/parsing
Passive FTP SLB Parsing Statistics

Total FTP SLB Parsing Stats(PASV):
Total FTP: 0
Total New FTP SLB parsing Index: 0
FTP SLB parsing ACK/SEQ diff: 0

Table 5-43 Passive FTP SLB Parsing Statistics (/stats/slb/ftp/parsing)

Statistics Description

Total FTP The number of times the switch receives both active and passive FTP connections.

Total New FTP SLB parsing Index

The number of times the switch creates a new index in response to the pasv command from the client.

FTP SLB parsing ACK/SEQ diff

The difference in the numbers of ACK and SEQ that the switch needs for FTP SLB parsing.

/stats/slb/ftp/maint
FTP SLB Maintenance Statistics

FTP mode switch error: 0

Table 5-44 FTP SLB Maintenance Statistics (/stats/slb/ftp/maint)

Statistics Description

FTP mode switch error The number of times the switch is not able to switch modes from active to passive and vice versa.

/stats/slb/ftp/dump
FTP SLB Statistics Dump

Total FTP : 0
Total FTP NAT Filtered: 0
Total new active FTP NAT Index: 0
Total new FTP SLB parsing Index: 0
FTP Active FTP NAT ACK/SEQ diff: 0
FTP SLB parsing ACK/SEQ diff: 0
FTP mode switch error: 0

Table 5-45 FTP SLB Statistics Dump (/stats/slb/ftp/dump)

Statistics Description

Total FTP The total number of FTP sessions that occurred.

Total FTP NAT Filtered The total number of FTP NAT filter sessions that occurred.

Total new active FTP NAT Index

The total number of new data sessions created for FTP NAT filter in active mode.

Total new FTP SLB parsing Index

The number of times the switch creates a new index in response to the pasv command from the client.

FTP Active FTP NAT ACK/SEQ diff

The total number of times the adjustment between ACK and SEQ occurred on the filter.

FTP SLB parsing ACK/SEQ diff

The difference in the numbers of ACK and SEQ that the switch needs for FTP SLB parsing.

FTP mode switch error The number of times the switch could not switch mode from active to passive and vice versa.

/stats/slb/rtsp
RTSP SLB Statistics

   Control    UDP                   Connection Buffer     Alloc
SP Connection Streams    Redirect   Denied     Allocs     Failures
-- ---------- ---------- ---------- ---------- ---------- ----------
 1          0          0          0          0          0          0
 2          0          0          0          0          0          0
 3          0          0          0          0          0          0
 4          0          0          0          0          0          0
-- ---------- ---------- ---------- ---------- ---------- --------
            0          0          0          0          0          0

Table 5-46 RTSP SLB Statistics (/stats/slb/rtsp)

Statistics Description

Control Connection The total number of TCP connections for RTSP control connection.

UDP Streams The total number of UDP connections for data channels. The number depends upon the type of media player being used.

Redirect The total number of times the connection got redirected.

Connection Denied The total number of times the connections got denied due to shortage of resources or the real server being down.

Buffer Allocs The total number of buffer allocations used.

Alloc Failures The total number of times the buffer allocation failed.

/stats/slb/dns
DNS SLB Statistics

Total number of TCP DNS queries: 0
Total number of UDP DNS queries: 0
Total number of invalid DNS queries: 0
Total number of multiple DNS queries: 0
Total number of domain name parse errors: 0
Total number of failed real server name matches: 0
Total number of DNS parsing internal errors: 0

Table 5-47 DNS SLB Statistics (/stats/slb/dns)

Statistics Description

Total number of TCP DNS queries

The total number of DNS queries received through TCP connections.

Total number of UDP DNS queries

The total number of DNS queries received through UDP requests.

Total number of invalid DNS queries

The total number of malformed DNS queries received.

Total number of multiple DNS queries

The total number of DNS queries that contain more than one domain name to be resolved. Currently only one domain name resolution per request is supported.

Total number of domain name parse errors

The total number of DNS queries that have short or invalid domain names to be resolved.

Total number of failed real server name matches

The total number of times the user failed to find a real server which has the same layer 7 strings that match the domain name to be resolved.

Total number of DNS parsing internal errors

The total number of out of memory and other unexpected errors the user gets while processing the DNS query.

/stats/slb/wap
WAP SLB Statistics

This command displays all the Radius and WAP related counters.

WAP Maintenance stats:
 current sessions: 0            allocation failures: 0
 incorrect VIPs: 0              incorrect Vports: 0
 no available real server: 0    requests to wrong SP: 0
------------------------------------------------------------------
TPCP External Notification stats:
 add session reqs: 0            del session reqs: 0
 req fails- SP dead: 0          req fails- SP dead: 0
------------------------------------------------------------------
RADIUS Snooping stats:
 acct reqs: 0                   acct wrap reqs: 0
 acct start reqs: 0             acct update reqs: 0
 acct stop reqs: 0              acct bad reqs: 0
 acct reqs(FIP): 0              acct reqs(no FIP): 0
 add session reqs: 0            del session reqs: 0
 req fails- SP dead: 0          req fails- DMA: 0

Table 5-48 WAP SLB Statistics (/stats/slb/wap)

Statistics Description

WAP Maintenance stats:

current sessions The number of session bindings currently in use.

allocation failures Indicates instances where the switch ran out of available bindings for a port.

incorrect VIPs Indicates the number of times the switch received a Layer 4 request for a virtual server which was not configured.

incorrect Vports This dropped frames counter indicates that the virtual server has received frames for TCP/UDP services that have not been configured. Normally this indicates a mis-configuration on the virtual server or the client.

no available real server

This dropped frames counter indicates that all real servers are either out of service or at their maxcon limit.

requests to wrong SP The number of session add/delete requests sent to the wrong SP.

TPCP External Notification stats:

add session reqs The number of WAP session add requests via TPCP.

req fails- SP dead The number of add-request failures due to dead target SP.

RADIUS Snooping stats:

acct reqs The number of RADIUS Accounting frames received.

acct wrap reqs The number of wrapped RADIUS Accounting frames received.

acct start reqs The number of RADIUS Accounting Start frames received.

acct update reqs The number of RADIUS Accounting Update frames.

acct stop reqs The number of RADIUS Accounting Stop frames received.

acct bad reqs The number of bad RADIUS Accounting frames received.

add session reqs The number of WAP session add requests via RADIUS snooping.

del session reqs The number of WAP session delete requests via RADIUS snooping.

req fails- SP dead The number of add/delete request failures due to dead target SP.

req fails- DMA The number of add/delete requests failed due to DMA write failure.

/stats/slb/maint
SLB Maintenance Statistics

SLB Maintenance statistics are described in the following table.

SLB Maintenance stats:
Maximum sessions: 2097104
Current sessions: 0   4 second average: 0   64 second average: 0
Terminated sessions: 0
Allocation failures: 0
UDP datagrams: 0
Non TCP/IP frames: 0
Incorrect VIPs: 0
Incorrect Vports: 0
No available real server: 0
Backup server activations: 0
Overflow server activations: 0
Filtered (denied) frames: 0
LAND attacks: 0
No TCP control bits: 0
Invalid reset packet drops: 0
Total IP fragment sessions: 0
Current IP fragment sessions 0
IP fragment discards: 0
IP fragment table full: 0
Current IPF buffer sessions: 0
Highest IPF buffer sessions: 0
IPF buffer alloc fails: 0
IPF SP buffer alloc fails: 0
SP buffer too low: 0
Exceeded 16 OOO packets: 0
Free Service pool entries: 8192
Current IP6 sessions: 0
Incorrect IP6 VIPs: 0
Incorrect IP6 Vports: 0
IP6 packets drops: 0

Table 5-49 Server Load Balancing Maintenance Statistics (/stats/slb/maint)

Statistic Description

Maximum sessions The maximum number of simultaneous sessions supported.

Current Sessions Number of session bindings currently in use (the last 4 and 64 seconds).

Terminated Sessions Number of sessions removed from the session table because the server assigned to them failed and graceful server failure was not enabled.

Allocation Failures Indicates instances where the Switch ran out of available sessions for a port.

UDP Datagrams Indicates that the virtual server IP address and MAC are receiving UDP frames when UDP balancing is not turned on.

Non TCP/IP Frames Indicates the number of non-IP based frames received by the virtual server.

Incorrect VIPs Indicates the number of times the switch received a Layer 4 request for a virtual server which was not configured.

Incorrect Vports This dropped frames counter indicates that the virtual server has received frames for TCP/UDP services that have not been configured. Normally this indicates a mis-configuration on the virtual server or the client, but it may be an indication of a potential security probing application like SATAN.

No Available Real Server

This dropped frames counter indicates that all real servers are either out of service or at their maxcon limit.

Backup Server Activations

This indicates the number of times a real server failure has occurred and caused a backup server to be brought online.

Overflow Server Activations

This indicates the number of times a real server has reached the maxcon limit and caused an overflow server to be brought online.

Filtered (Denied) Frames

This indicates the number of frames that were dropped because they matched an active filter with the deny action set.

LAND attacks This counter increases whenever a packet has the same source and destination IP addresses and ports.

No TCP Control Bits The number of packets that were dropped because the packet had no control bits set in the TCP header.

Invalid reset packet drops

The number of packets that were dropped because the packet had an invalid reset flag set.

Total IP fragment sessions

This represents the total number of fragment sessions the switch has processed so far.

Current IP fragment sessions

This represents the current number of fragment sessions.

IP fragment discards

The number of fragmented packets that are discarded due to lack of resources.

IP fragment table full

This counter indicates how many times the session table is full.

Free service pool entries

This counter indicates the number of free service pool entries.
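
Several counters in Table 5-49 (LAND attacks, No TCP control bits, Invalid reset packet drops, Incorrect Vports) record malformed or unexpected traffic, so the useful signal is how much they grow between two polls. The following Python script is an added example, not part of the Nortel reference: it parses two captures of /stats/slb/maint output and reports watched counters whose increase meets a threshold. The captures are constructed samples in a one-counter-per-line layout, and the threshold values are assumptions.

```python
import re

# Counter names are taken from the /stats/slb/maint output on this page.
# The per-interval thresholds are assumptions chosen for illustration.
WATCHLIST = {
    "LAND attacks": 1,
    "No TCP control bits": 1,
    "Invalid reset packet drops": 10,
    "Incorrect Vports": 50,
    "Incorrect VIPs": 50,
    "IP fragment discards": 1,
    "IP fragment table full": 1,
    "Allocation failures": 1,
}

# Matches "name: value" and "name value" (the page prints
# "Current IP fragment sessions 0" without a colon). Names may contain
# digits, as in "Exceeded 16 OOO packets".
LINE_RE = re.compile(r"^\s*(?P<name>[^:]+?)\s*:?\s+(?P<value>\d+)\s*$")


def parse_maint(text):
    """Return {lower-cased counter name: int} for every counter line."""
    counters = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counters[m.group("name").lower()] = int(m.group("value"))
    return counters


def deltas(before, after):
    """Increase of each value between two parsed snapshots.

    A value that went down is treated as a statistics clear or a reboot
    between polls, so the later value is taken as the increase since then.
    """
    out = {}
    for name, now in after.items():
        prev = before.get(name, 0)
        out[name] = now - prev if now >= prev else now
    return out


def alerts(before_text, after_text, watchlist=WATCHLIST):
    """Return [(counter, increase)] for watched counters at/over threshold."""
    d = deltas(parse_maint(before_text), parse_maint(after_text))
    hits = []
    for name, threshold in watchlist.items():
        increase = d.get(name.lower(), 0)
        if increase >= threshold:
            hits.append((name, increase))
    return hits


# Constructed sample captures (not taken from a real switch).
SNAPSHOT_T0 = """\
SLB Maintenance stats:
Maximum sessions:                2097104
Current sessions:                    412
Allocation failures:                   0
Incorrect VIPs:                        3
Incorrect Vports:                    120
Filtered (denied) frames:           9051
LAND attacks:                          0
No TCP control bits:                   4
Invalid reset packet drops:           40
Current IP fragment sessions           0
IP fragment discards:                  0
IP fragment table full:                0
"""

SNAPSHOT_T1 = """\
SLB Maintenance stats:
Maximum sessions:                2097104
Current sessions:                    530
Allocation failures:                   0
Incorrect VIPs:                        5
Incorrect Vports:                    910
Filtered (denied) frames:           9400
LAND attacks:                          6
No TCP control bits:                   4
Invalid reset packet drops:           45
Current IP fragment sessions           0
IP fragment discards:                  0
IP fragment table full:                0
"""

if __name__ == "__main__":
    for counter, increase in alerts(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"{counter}: +{increase} since last poll")
```
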

/stats/slb/sip
SIP SLB Statistics

SIP Stats:

Total number of SIP Client Parse Errors : 0
Total number of SIP Server Parse Errors : 0
Total number of SIP Unknown Method packets : 0
Total number of SIP Incomplete Messages : 0
Total number of SIP Filter Parse Errors : 0
Total number of packets with SIP SDP NAT : 0

Table 5-50 SIP SLB Statistics (/stats/slb/sip)

Statistics Description

Total number of SIP Client Parse Errors

The total number of errors encountered during client processing when parsing an incoming SIP packet.

Total number of SIP Server Parse Errors

The total number of errors encountered during server processing when parsing an incoming SIP packet.

Total number of SIP Unknown Method packets

Total number of packets received with methods not known to the SIP parser on the switch.

Total number of SIP Incomplete Messages

Total number of packets received which do not have the complete SIP message in a single packet.

Total number of SIP Filter Parse Errors

Total number of errors encountered during filter processing when parsing an incoming SIP packet.

Total number of packets with SIP SDP NAT

Total number of packets received that have SIP SDP NAT information.

Page 230: Nortel Commands

/stats/slb/wlm <wlm number>
Display Workload Manager SASP statistics

Table 5-51 SLB WorkLoad Manager SASP (/stats/slb/wlm)

>> Server Load Balancing Statistics# /st/sl/wlm 1
------------------------------------------------------------------
Workload Manager 1 Statistics:
Registration Requests: 1
Registration Replies: 1
Registration Reply Errors: 0
Deregisteration Requests: 1
Deregisteration Replies: 1
Deregisteration Reply Errors: 0
Set LB State Requests: 1
Set LB State Replies: 1
Set LB State Reply Errors: 0
Set Member State Requests: 0
Set Member State Replies: 0
Set Member State Reply Errors: 0
Send Weights Messages received: 47
Send Weights Message Parse Errors: 0
Total Messages with Invalid LB Name: 0
Total Messages with Invalid Group Name: 0
Total Messages with Invalid Real Server Name: 0
Messages with Invalid SASP Header: 0
Messages with parse errors: 0
Messages with Unsuppored Message Type: 0

/stats/slb/wlm <wlm number>/clear
Clear Workload Manager SASP Statistics
This command clears statistics for the specified Workload Manager.

Page 231: Nortel Commands

/stats/slb/mirror
Display Workload Manager SASP statistics

Table 5-52 SLB Session Mirroring statistics (/stats/slb/mirror)

>> Server Load Balancing Statistics# mirror
------------------------------------------------------------------
Session Mirroring Stats:                  Rx     Tx
Total Create Session Messages              0      0
Total Update Session Messages              0      0
Total Delete Session Messages              0      0
Total Create Data Session Messages         0      0
Total Update Data Session Messages         0      0
Total Delete Data Session Messages         0      0
Total Sessions Created                     0
Total Sessions Updated                     0
Total Sessions Deleted                     0
Total Data Sessions Created                0
Total Data Sessions Updated                0
Total Data Sessions Deleted                0
Session table full                         0
Unvailable pport                           0
Session already present                    0
Session not found                          0
Control session not found                  0

Page 232: Nortel Commands

/stats/bwm
BWM Statistics Menu

[Bandwidth Management Statistics Menu]
     port    - Switch Port Contract Stats Menu
     cont    - BW Contract stats
     rcont   - BW Contract rate stats
     hist    - BW History stats
     maint   - Show BWM maint statistics
     ipusers - Show BWM IP user stats for iplimit contracts
     dump    - Dump all BWM statistics
     clear   - Clear BWM statistics

Table 5-53 Bandwidth Management Statistics Menu Options (/stats/bwm)

Command Syntax and Usage

port <port number>
Displays Switch Port Contract Statistics Menu. To view menu options, see page 233.

cont <BW Contract number (1-1024)>
Displays bandwidth management contract statistics. See page 234 for details.

rcont <BW Contract number (1-1024)>
Displays bandwidth management contract rate statistics. See page 235 for details.

hist
Displays bandwidth management history statistics. See page 237 for sample output.

maint
Displays bandwidth management maintenance statistics. See page 238 for sample output.

ipusers
Displays Bandwidth Management IP user stats for iplimit contracts. Each IP address is limited to the user limit configured in /cfg/bwm/contract on page 319. See page 238 for sample output.

dump
Displays all bandwidth management statistics.

clear
Clears all bandwidth management statistics.

Page 233: Nortel Commands

/stats/bwm/port <port number>
BWM Switch Processor Statistics

[Bandwidth Management Port Statistics Menu]
     cont  - BW Contract stats
     rcont - BW Contract rate stats

Table 5-54 Management Port Statistics Menu Options (/stats/bwm/sp)

Command Syntax and Usage

cont <BW Contract number (1-1024)>
Displays bandwidth management contract statistics. See page 233 for a sample output.

rcont <BW Contract number (1-1024)>
Displays bandwidth management contract rate statistics.

/stats/bwm/port <port number>/cont
BWM Switch Processor Contract Statistics Menu

>> Bandwidth Management Port Statistics# cont
------------------------------------------------------------------
BW Contract statistics
Contract Name           Octets   Discards Total Pkts BufUsed BufMax
-------- ---------- ---------- ---------- ---------- ------- ----
    1024 Default             0          0          0       0  16320

/stats/bwm/port <port number>/rcont
BWM Switch Processor Rate Contract Statistics
This command repeats its output when the printed lines are less than the configured CLI lines per screen. If the CLI lines are configured at zero per screen, the command will continue to repeat its output until you type a key on the console or telnet session.

You can configure the number of CLI lines per screen using the global (hidden) command: lines <number of lines>. For example:

>> AAS_2424 - Bandwidth Management Statistics# lines
Current lines-per-screen: 24
>> AAS_2424 - Bandwidth Management Statistics# lines ?
lines sets lines-per-screen 0-300, zero for infinite

Page 234: Nortel Commands

/stats/bwm/cont <contract number>
BWM Contract Statistics

The following description of statistics applies on a specific switch port for all enabled contracts.

NOTE – This command displays enabled contracts only.

BW Contract statistics
Contract Name            Rate(Kbps)     Octets   Discards BufUsed BufMax
-------- --------------- ---------- ---------- ---------- ------- -----
       1 cont1                    0   40465360  262049256       0  16320
       2 cont2                    0          0          0       0  16320
      20 cont20                5230  682947936 1822133376   16384  16320
      26 cont26                   0          0          0       0  16320
    1024 Default                  0     773974          0       0  16320
       1 cont1                    0   40465360  262049256       0  16320
       2 cont2                    0          0          0       0  16320
      20 cont20                5238  684289056 1825753104   16384  16320
      26 cont26                   0          0          0       0  16320
    1024 Default                  0     774114          0       0  16320

BW Contract statistics
Contract Name           Octets   Discards Total Pkts BufUsed BufMax
-------- ---------- ---------- ---------- ---------- ------- -------
    1024 Default             0          0          0       0  16320

Table 5-55 Bandwidth Management Contract Statistics (/stats/bwm/cont)

Statistics Description

Contract The contract number.

Name The contract name.

Octets The number of octets transmitted through a particular contract since the switch was booted.

Discards The number of octets discarded because the traffic exceeded what the bandwidth contract limit permits.

Total Pkts The total number of packets classified for that contract.

BufUsed The current amount of buffer space used to store the packets that are waiting to be transmitted.

Page 235: Nortel Commands

Table 5-55 Bandwidth Management Contract Statistics (/stats/bwm/cont)

Statistics Description

BufMax Maximum buffer space that can be used to store the packets before they can be transmitted. The switch starts dropping the packets of a particular contract once the maximum buffer space allocated for that contract is occupied.

/stats/bwm/rcont
BWM Contract Rate Statistics
Use this command to show the rate statistics of all the enabled contracts.

NOTE – This command displays enabled contracts only.

This command repeats its output when the printed lines are less than the configured CLI lines per screen. If the CLI lines are configured at zero per screen, the command will continue to repeat its output until you type a key on the console or telnet session.

You can configure the number of CLI lines per screen using the global (hidden) command: lines <number of lines>. For example:

>> AAS_2424 - Bandwidth Management Statistics# lines
Current lines-per-screen: 24
>> AAS_2424 - Bandwidth Management Statistics# lines ?
lines sets lines-per-screen 0-300, zero for infinite

Page 236: Nortel Commands

BW Contract statistics
Contract Name            Rate(Kbps)     Octets   Discards BufUsed BufMax
-------- --------------- ---------- ---------- ---------- ------- -----
       1 cont1                 5222  285408288  735607152   16384 456960
       2 cont2                    0          0          0       0 456960
      20 cont20                5238  285720864  735308784   16384 456960
      26 cont26                   0          0          0       0 456960
    1024 Default                  4     517182          0       0 456960
       1 cont1                 5230  286747296  739228896   16384 456960
       2 cont2                    0          0          0       0 456960
      20 cont20                5230  287059872  738930528   16384 456960
      26 cont26                   0          0          0       0 456960
    1024 Default                  8     519400          0       0 456960
       1 cont1                 5222  288084192  742853160   16384 456960
       2 cont2                    0          0          0       0 456960
      20 cont20                5238  288400992  742550760   16384 456960
      26 cont26                   0          0          0       0 456960
    1024 Default                  8     521578          0       0 456960

Table 5-56 Bandwidth Management Contract Rate Statistics (/stats/bwm/rcont)

Statistics Description

Contract The contract number.

Name The contract name.

Rate (in Kbps) Rate at which the packets are going out of the switch on a particular contract.

Octets The number of octets transmitted through a particular contract since the switch was booted.

Discards The number of octets discarded because the traffic exceeded the bandwidth contract limits.

BufUsed The current amount of buffer space used to store the packets that are waiting to be transmitted.

BufMax Maximum buffer space that can be used to store the packets before they can be transmitted. The switch starts dropping the packets of a particular contract once the maximum buffer space allocated for that contract is occupied.
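Because rcont repeats its output and Octets and Discards are cumulative, the useful signal is the change between two repetitions. The following added example (not part of the Nortel reference) parses the repeating sample output shown on this page and reports, per contract, how many octets were sent and discarded in each interval; the function names and the 0.5 threshold are assumptions made for illustration, and the repeat interval is not stated on the page, so no per-second rate is derived.

```python
import re

# Sample copied from the rcont output on this page (three repetitions).
SAMPLE = """\
BW Contract statistics
Contract Name            Rate(Kbps)     Octets   Discards BufUsed BufMax
-------- --------------- ---------- ---------- ---------- ------- -----
       1 cont1                 5222  285408288  735607152   16384 456960
       2 cont2                    0          0          0       0 456960
      20 cont20                5238  285720864  735308784   16384 456960
      26 cont26                   0          0          0       0 456960
    1024 Default                  4     517182          0       0 456960
       1 cont1                 5230  286747296  739228896   16384 456960
       2 cont2                    0          0          0       0 456960
      20 cont20                5230  287059872  738930528   16384 456960
      26 cont26                   0          0          0       0 456960
    1024 Default                  8     519400          0       0 456960
       1 cont1                 5222  288084192  742853160   16384 456960
       2 cont2                    0          0          0       0 456960
      20 cont20                5238  288400992  742550760   16384 456960
      26 cont26                   0          0          0       0 456960
    1024 Default                  8     521578          0       0 456960
"""

# Contract, Name, Rate(Kbps), Octets, Discards, BufUsed, BufMax
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_samples(text):
    """Split repeating rcont output into samples: a list of {contract: row}."""
    samples, current = [], {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or prompt line
        num = int(m.group(1))
        if num in current:  # contract seen again: a new repetition has started
            samples.append(current)
            current = {}
        current[num] = {
            "name": m.group(2),
            "rate_kbps": int(m.group(3)),
            "octets": int(m.group(4)),
            "discards": int(m.group(5)),
            "buf_used": int(m.group(6)),
            "buf_max": int(m.group(7)),
        }
    if current:
        samples.append(current)
    return samples


def interval_report(prev, cur):
    """Octets sent and discarded per contract between two consecutive samples."""
    report = {}
    for num, row in cur.items():
        if num not in prev:
            continue
        sent = row["octets"] - prev[num]["octets"]
        dropped = row["discards"] - prev[num]["discards"]
        if sent < 0 or dropped < 0:
            continue  # counters were cleared or the switch rebooted in between
        offered = sent + dropped
        report[num] = {
            "name": row["name"],
            "sent": sent,
            "dropped": dropped,
            "drop_fraction": dropped / offered if offered else 0.0,
        }
    return report


def over_limit(samples, threshold=0.5):
    """Contracts whose drop fraction exceeds the threshold in every interval."""
    reports = [interval_report(a, b) for a, b in zip(samples, samples[1:])]
    if not reports:
        return []
    common = set.intersection(*(set(r) for r in reports))
    return sorted(n for n in common
                  if all(r[n]["drop_fraction"] > threshold for r in reports))


if __name__ == "__main__":
    parsed = parse_samples(SAMPLE)
    for before, after in zip(parsed, parsed[1:]):
        for num, entry in sorted(interval_report(before, after).items()):
            print(num, entry)
    print("sustained over-limit contracts:", over_limit(parsed))
```

In the page's sample, contracts 1 and 20 discard roughly 73% of the octets offered to them in both intervals, while the Default contract discards none.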

Page 237: Nortel Commands

/stats/bwm/hist
BWM History Statistics

You can dump the statistics kept in the SMTP history buffer, which is dumped periodically when an e-mail is sent. Long-term history is kept only for the contracts that are enabled and have the history command turned on.

Use this command to show the history of all the contracts for which the history command is enabled. The sampling is done at one-minute intervals.

NOTE – These statistics can only be viewed when the e-mail option is enabled.

Switch IP       Cont Name                 Octets   Discards TimeStamp YyyyMmDd:Hr:Mi/TmZone
--------------- ---- ---------------- ---------- ---------- ----------
47.80.23.124       1 filter_number01           0          0 20030910:15:11/ -8:00
47.80.23.124       2 filter_number02           0          0 20030910:15:11/ -8:00
47.80.23.124       3 filter_number03           0          0 20030910:15:11/ -8:00
47.80.23.124       4 filter_number04           0          0 20030910:15:11/ -8:00
47.80.23.124       5 filter_number05           0          0 20030910:15:11/ -8:00
47.80.23.124       6 filter_number06           0          0 20030910:15:11/ -8:00
47.80.23.124       7 filter_number07           0          0 20030910:15:11/ -8:00
47.80.23.124       8 filter_number08           0          0 20030910:15:11/ -8:00
47.80.23.124       9 filter_number09           0          0 20030910:15:11/ -8:00
47.80.23.124      10 filter_number10           0          0 20030910:15:11/ -8:00
47.80.23.124    1024 Default                 608          0 20030910:15:11/ -8:00

Table 5-57 Bandwidth Management History Statistics (/stats/bwm/hist)

Statistics Description

Contract The contract number for which history is enabled.

Octets The number of octets sent out on a particular contract.

Discards The number of octets discarded because of seeing more traffic than the bandwidth contract limit permits.

TimeStamp Indicates the time the packets were received or discarded.

Page 238: Nortel Commands

/stats/bwm/maint
BWM Maintenance Statistics

BWM Maint statistics
------------------------------------------------------------------
Maint Stats for rate limiting contracts
     Discard pkts                           0
     Discard octets                         0
     Out pkts                               0
     Out octets                             0
     Transmit failed                        0
     User Limit entry allocation failures   0
------------------------------------------------------------------
Maint Stats for traffic shaping contracts
     QFull Discard pkts                     0
     QFull Discard octets                   0
     Out of buffers pkts                    0
     Out of buffers pkts                    0
     Transmit failed                        0
     TDT set when qfull                     0
     TDT set between soft and hard          0
     TDT set at soft                        0

/stats/bwm/ipusers
BWM IP Users Statistics
This command displays the number of BWM IP user entries for each BWM contract for each SP.

BWM IP users statistics

Contract        SP1        SP2        SP3        SP4      Total
-------- ---------- ---------- ---------- ---------- ----------
      10          0         10          0          0         10
      11          0         10          0          0         10
         ---------- ---------- ---------- ---------- ----------
                  0         20          0          0         20

Page 239: Nortel Commands

/stats/security
Security Statistics

[Security Statistics Menu]
     ipacl    - IP Address ACL Statistics Menu
     udpblast - UDP Blast Statistics Menu
     dos      - DoS Attack Statistics Menu
     pgroup   - Show pattern match group statistics
     ratelim  - Show rate limiting statistics
     dump     - Dump all security statistics

Command Syntax and Usage

dos

Displays the DOS Attack statistics menu. To view a sample output and a description of the stats, see page 240.

ipacl

Displays the IP Address Access Control List statistics menu. To view a sample output and a description of the statistics, see page 244.

udpblast

Displays the UDP Blast statistics menu. To view a sample output and a description of the statistics, see page 245.

pgroup

Displays the Pattern Match Group statistics menu. To view a sample output and a description of the statistics, see page 246.

ratelim

Displays the Rate Limiting statistics menu. To view a sample output and a description of the stats, see page 246.

dump

Displays all security statistics.

Page 240: Nortel Commands

/stats/security/dos
DOS Attack Statistics Menu

[Protocol Anomaly and DoS Attack Prevention Statistics Menu]
     port  - Show port protocol anomaly and DoS attack prevention stats
     dump  - Dump all protocol anomaly and DoS attack prevention stats
     clear - Clear all protocol anomaly and DoS attack prevention stats
     help  - Protocol anomaly and DoS attack prevention description

Table 5-58 DOS Attacks Statistics Menu Options (/stats/security/dos)

Command Syntax and Usage

port <port number>
Displays the number of times the packets were dropped for each of the following types of DOS attacks, on the selected port only.

dump

Displays the number of times the packets were dropped on the switch, for each of the following types of DOS attacks: iplen, ipversion, broadcast, loopback, land, ipreserved, ipttl, ipprot, ipoptlen, fragmoredont, fragdata, fragboundary, fraglast, fragdontoff, fragopt, fragoff, fragoversize, tcplen, tcpportzero, blat, tcpreserved, nullscan, fullxmasscan, finscan, vecnascan, xmasscan, synfinscan, flagabnormal, syndata, synfrag, ftpport, dnsport, seqzero, ackzero, tcpoptlen, udplen, udpportzero, fraggle, pepsi, rc8, snmpnull, icmplen, smurf, icmpdata, icmpoff, icmptype, igmplen, igmpfrag, igmptype, arplen, arpnbcast, arpnucast, arpspoof, garp, ip6len, ip6version

For a description of these different types of DOS attacks, see “Types of DOS Attacks” on page 241.

clear

Deletes all DOS attack statistics.

help

Displays a description of each type of DOS attack by name and how it works.

Page 241: Nortel Commands

Types of DOS Attacks

Nortel Application Switch Operating System can protect switch ports against a variety of Denial of Service (DOS) attacks including Port Smurf, LandAttack, Fraggle, Nullscan, Xmascan, PortZero, and ScanSynFin. Enable DOS protection on ports connected to any network that could be the source of an attack.

You can use the help command to obtain a brief explanation of each type of DOS attack detected by the switch.

Page 242: Nortel Commands

Refer to your Nortel Application Switch Operating System Application Guide for a detailed description of DOS attacks.

>> /stats/security/dos help
iplen       : IPv4 packets with bad IP header or payload length.
ipversion   : IPv4 packets with IP version not 4.
broadcast   : IPv4 packets with broadcast source or destination IP [0.0.0.0,255.255.255.255].
loopback    : IPv4 packets with loopback source or destination IP [127.0.0.0/8].
land        : IPv4 packets with same source and destination IP.
ipreserved  : IPv4 packets with IP reserved bit is set.
ipttl       : IPv4 packets with small IP TTL.
ipprot      : IPv4 packets with IP protocol is unassigned or reserved.
ipoptlen    : IPv4 packets with bad IP options length.
fragmoredont: IPv4 packets with more fragments and don't fragment bits are set.
fragdata    : IPv4 packets with more fragments bit is set and small payload.
fragboundary: IPv4 packets with more fragments bit is set and payload not at 8-byte boundary.
fraglast    : IPv4 packets last fragment without payload.
fragdontoff : IPv4 packets with non-zero fragment offset and don't fragment bits are set.
fragopt     : IPv4 packets with non-zero fragment offset and IP options.
fragoff     : IPv4 packets with small non-zero fragment offset.
fragoversize: IPv4 packets with non-zero fragment offset and over-size payload.
tcplen      : TCP packets with bad TCP header length.
tcpportzero : TCP packets with source or destination port is zero.
blat        : TCP packets with SIP!=DIP and SPORT=DPORT.
tcpreserved : TCP packets with TCP reserved bit is set.
nullscan    : TCP packets with all control bits are zero.
fullxmasscan: TCP packets with all control bits are set.
finscan     : TCP packets with only FIN bit is set.
vecnascan   : TCP packets with only URG or PUSH or URG|FIN or PSH|FIN or URG|PSH bits are set.

Page 243: Nortel Commands

xmasscan    : TCP packets with FIN, URG and PSH bits are set.
synfinscan  : TCP packets with SYN and FIN bits are set.
flagabnormal: TCP packets with abnormal control bits combination.
syndata     : TCP packets with SYN bit is set and with payload.
synfrag     : TCP packets with SYN bit is set and more fragments bit is set.
ftpport     : TCP packets with SPORT=20, DPORT<1024 and SYN bit is set.
dnsport     : TCP packets with SPORT=53, DPORT<1024 and SYN bit is set.
seqzero     : TCP packets with sequence number is zero.
ackzero     : TCP packets with acknowledgement number is zero and ACK bit is set.
tcpoptlen   : TCP packets with bad TCP options length.
udplen      : UDP packets with bad UDP header length.
udpportzero : UDP packets with source or destination port is zero.
fraggle     : UDP packets to broadcast destination IP (x.x.x.255).
pepsi       : UDP packets with SPORT=19, DPORT=7 or SPORT=7, DPORT=19.
rc8         : UDP packets with SPORT=7 and DPORT=7.
snmpnull    : UDP packets with DPORT=161 and without payload.
icmplen     : ICMP packets with bad ICMP header length.
smurf       : ICMP ping requests to a broadcast destination IP (x.x.x.255).
icmpdata    : ICMP packets with zero fragment offset and large payload.
icmpoff     : ICMP packets with large fragment offset.
icmptype    : ICMP packets with type is unassigned or reserved.
igmplen     : IGMP packets with bad IGMP header length.
igmpfrag    : IGMP packets with more fragments bit is set or non-zero fragment offset.
igmptype    : IGMP packets with type is unassigned or reserved.
arplen      : ARP request or reply packets with bad length.
arpnbcast   : ARP request packets with non broadcast destination MAC.
arpnucast   : ARP reply packets with non unicast destination MAC.
arpspoof    : ARP request or reply packets with mismatch source with sender MACs or destination with target MACs.
garp        : ARP request or reply packets with same source and destination IP.
ip6len      : IPv6 packets with bad header length.
ip6version  : IPv6 packets with IP version not 6.
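The help text above defines each counter as a predicate over header fields. As an added illustration (not Nortel code, and not the switch's implementation), the following sketch applies a subset of those predicates to raw IPv4 packets so that a capture can be labelled with the counter names a given frame would be expected to increment. Assumptions: "control bits" means the six classic TCP flags, the flag checks are evaluated most specific first, land follows the help text (same source and destination IP), and the packets in the demo are constructed with checksums left at zero.

```python
import socket
import struct

# The six classic TCP control bits. Assumption: these are the "control bits"
# the help text refers to.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG
BROADCAST = {b"\x00\x00\x00\x00", b"\xff\xff\xff\xff"}


def tcp_checks(seg, src, dst):
    """TCP counters: tcplen, tcpportzero, blat and the flag-based scans."""
    if len(seg) < 20:
        return ["tcplen"]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(seg):
        return ["tcplen"]
    flags = off_flags & ALL_FLAGS
    hits = []
    if sport == 0 or dport == 0:
        hits.append("tcpportzero")
    if src != dst and sport == dport:
        hits.append("blat")
    # Most specific pattern first; the switch's own precedence is not
    # documented on the page, so this ordering is an assumption.
    if flags == 0:
        hits.append("nullscan")
    elif flags == ALL_FLAGS:
        hits.append("fullxmasscan")
    elif flags == FIN:
        hits.append("finscan")
    elif flags == (FIN | URG | PSH):
        hits.append("xmasscan")
    elif (flags & (SYN | FIN)) == (SYN | FIN):
        hits.append("synfinscan")
    return hits


def udp_checks(dgram, dst):
    """UDP counters: udplen, udpportzero, fraggle, pepsi, rc8, snmpnull."""
    if len(dgram) < 8:
        return ["udplen"]
    sport, dport, udp_len = struct.unpack("!HHH", dgram[:6])
    if udp_len < 8 or udp_len > len(dgram):
        return ["udplen"]
    hits = []
    if sport == 0 or dport == 0:
        hits.append("udpportzero")
    if dst[3] == 255:                      # x.x.x.255 as in the help text
        hits.append("fraggle")
    if {sport, dport} == {7, 19}:          # chargen <-> echo
        hits.append("pepsi")
    if sport == 7 and dport == 7:
        hits.append("rc8")
    if dport == 161 and udp_len == 8:      # SNMP port, header only
        hits.append("snmpnull")
    return hits


def classify(packet):
    """Counter names matched by an IPv4 packet (bytes starting at the IP header)."""
    if len(packet) < 20:
        return ["iplen"]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        return ["ipversion"]
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len < ihl or total_len > len(packet):
        return ["iplen"]
    hits = []
    if src in BROADCAST or dst in BROADCAST:
        hits.append("broadcast")
    if src[0] == 127 or dst[0] == 127:
        hits.append("loopback")
    if src == dst:
        hits.append("land")
    payload = packet[ihl:total_len]
    if proto == 6:
        hits += tcp_checks(payload, src, dst)
    elif proto == 17:
        hits += udp_checks(payload, dst)
    return hits


# Helpers that build constructed sample packets (checksums left at zero).
def build(src, dst, proto, l4):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto,
                         0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + l4


def tcp(sport, dport, flags):
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | flags, 8192, 0, 0)


def udp(sport, dport, payload=b""):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


if __name__ == "__main__":
    print(classify(build("192.0.2.1", "198.51.100.7", 6, tcp(40000, 22, SYN | FIN))))
    print(classify(build("192.0.2.1", "198.51.100.255", 17, udp(5000, 7, b"x"))))
```

Comparing these labels with the per-port counters from /stats/security/dos/port helps confirm which anomaly a rising counter corresponds to.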

Page 244: Nortel Commands

/stats/security/ipacl
IP Access Control List Statistics
The following IP Access Control List statistics can be viewed with this command:

[IP ACL Statistics Menu]
     dump  - IP address access control Stats
     clear - Clear all access control Stats

Table 5-59 IPACL Security Statistics Menu Options (/stats/security/ipacl)

Command Syntax and Usage

dump

Displays the accumulated blocked packets for each source or destination IP address and mask pair in the access control list.

>> Main# /stats/security/ipacl/dump

-----------------------------------------------------------------

IP ACL stats:

Source IP Addr Mask Type Blocked Packets

--------------- --------------- ----- ---------------

No source IP ACL's created

Dest IP Addr Mask Type Blocked Packets

--------------- --------------- ----- ---------------

No destination IP ACL's created

clear

Deletes all the statistics of accumulated blocked packets.

Page 245: Nortel Commands

/stats/security/udpblast
UDP Blast Statistics

[UDP Blast Statistics Menu]
     dump  - UDP Blast Stats
     clear - Clear all UDP Blast Stats

Table 5-60 UDP Blast Statistics Menu Options (/stats/security/udpblast)

Command Syntax and Usage

dump

Displays all the accumulated blocked packets for each port, and the current packet rate per second. See page 245 for a sample output and a description of the statistics.

clear

Deletes all the accumulated blocked packets.

/stats/security/udpblast/dump
UDP Blast Dump Statistics

UDP blast protection stats:
UDP Port   Blocked Packets  Current Packet Rate/Second
---------- ---------------- --------------------------

Table 5-61 UDP Blast Dump Statistics Parameters (/stats/security/udpblast/dump)

Field Description

UDP Port UDP ports that experienced UDP blast attacks.

Blocked Packets The number of blocked packets.

Current Packet Rate/Second

Displays the current rate of packets to the UDP port.

Page 246: Nortel Commands

/stats/security/pgroup
UDP Pattern Match Statistics

This menu displays how many times each configured pattern group has been matched and a subsequent filtering action performed. Pattern groups are configured in the “Pattern Matching Menu” on page 404.

Pattern Match Group stats:
  ID Name Hits
   1      0

/stats/security/ratelim
Rate Limiting Statistics

Rate limiting stats:

TCP:
     Total hold downs triggered:       0
     Current per-client state entries: 0

UDP:
     Total hold downs triggered:       0
     Current per-client state entries: 0

ICMP:
     Total hold downs triggered:       0
     Current per-client state entries: 0

Table 5-62 Rate Limiting Statistics (/stats/security/ratelim)

Field Description

Total hold downs triggered

The total number of packets dropped after the hold-down period expired.

Current per-client state entries

The total number of per-client state entries for TCP/UDP/ICMP rate limiting.

Page 247: Nortel Commands

/stats/security/dump
Dump Statistics for Security

IP ACL stats:

Address         Blocked Packets
--------------- ---------------
------------------------------------------------------------------
UDP blast protection stats:
UDP Port   Blocked Packets  Current Packet Rate/Second
---------- ---------------- --------------------------
------------------------------------------------------------------
Pattern Match Group stats:
  ID Name Hits
   1      0
 100      0
 101      0
------------------------------------------------------------------
Rate limiting stats:

TCP:
     Total hold downs triggered:       0
     Current per-client state entries: 0

UDP:
     Total hold downs triggered:       0
     Current per-client state entries: 0

ICMP:
     Total hold downs triggered:       0
     Current per-client state entries: 0

Page 248: Nortel Commands

/stats/mp
Management Processor Statistics

[MP-specific Statistics Menu]
     pkt - Show Packet and TCP stats
     tcb - Show All TCP control blocks in use
     ucb - Show All UDP control blocks in use
     sfd - Show All Socket FD in use
     cpu - Show CPU utilization
     mem - Show memory stats

Table 5-63 Management Processor Statistics Menu Options (/stats/mp)

Command Syntax and Usage

pkt
Displays packet statistics, to check for leads and load. To view a sample output and a description of the stats, see page 249.

tcb
Displays all TCP control blocks that are in use. To view a sample output and a description of the stats, see page 251.

ucb
Displays all UDP control blocks that are in use. To view a sample output, see page 251.

sfd
Displays all Socket File Descriptors that are in use. To view a sample output, see page 252.

cpu
Displays CPU utilization for periods of up to 1, 4, and 64 seconds. To view a sample output and a description of the stats, see page 252.

mem
Displays memory statistics.

Page 249: Nortel Commands

/stats/mp/pkt
MP Packet Statistics

Packet counts:
     allocs:      89262     frees:                89262
     mediums:         0     mediums hi-watermark:     4
     jumbos:          0     jumbos hi-watermark:      0
     smalls:          0     smalls hi-watermark:      4
     alloc fails:     0     packet discards:          0
TCP counts:
     allocs:       4866     frees:                 4827
     current:        46     current hi-watermark:   146
     alloc fails:     0     alloc discards:           0

Table 5-64 Packet Statistics (/stats/mp/pkt)

Statistics Description

Packet counts:

allocs Total number of packet allocations from the packet buffer pool by the TCP/IP protocol stack.

frees Total number of times the packet buffers are freed (released) to the packet buffer pool by the TCP/IP protocol stack.

mediums Total number of packet allocations with size between 128 and 1536 bytes from the packet buffer pool by the TCP/IP protocol stack.

jumbos Total number of packet allocations with size between 1536 bytes and 9K bytes from the packet buffer pool by the TCP/IP protocol stack.

smalls Total number of packet allocations with size less than 128 bytes from the packet buffer pool by the TCP/IP protocol stack.

alloc fails Total number of packet allocation failures from the packet buffer pool by the TCP/IP protocol stack.

frees Total number of packets freed from the packet buffer pool by the TCP/IP protocol stack.

mediums hi-watermark

The highest number of packet allocations with size between 128 and 1536 bytes from the packet buffer pool by the TCP/IP protocol stack.

jumbos hi-watermark The highest number of packet allocations with size between 1536 bytes and 9K bytes from the packet buffer pool by the TCP/IP protocol stack.

smalls hi-watermark The highest number of packet allocations with size less than 128 bytes from the packet buffer pool by the TCP/IP protocol stack.

Page 250: Nortel Commands

packet discards The number of packets that are discarded by the MP. The packets are discarded because buffer resources are not available or the buffer threshold is reached and the low priority packets are discarded.

TCP counts:

allocs Total number of TCP packet allocations from MP memory by the TCP/IP protocol stack.

current Total number of TCP packet allocations from MP memory by the TCP/IP protocol stack.

alloc fails Total number of TCP packet allocation failures from MP memory by the TCP/IP protocol stack.

frees Total number of times the TCP packet buffers are freed (released) to MP memory by the TCP/IP protocol stack.

current hi-watermark

The highest number of TCP packet allocations from MP memory by the TCP/IP protocol stack.

alloc discards The number of TCP packets that are discarded by the MP. The packets are discarded because MP memory resources are not available.

Table 5-64 Packet Statistics (/stats/mp/pkt)

Statistics Description

Page 251: Nortel Commands

/stats/mp/tcb
TCP Statistics

All TCP allocated control blocks:
117f6d00: 0.0.0.0 0 <=> 0.0.0.0 80 listen
117f81a8: 47.81.27.6 1331 <=> 47.80.16.59 23 established

Table 5-65 MP Specified TCP Statistics (/stats/mp/tcb)

Statistics Description

117f6d00/117f81a8 Memory

0.0.0.0/47.81.27.6 Destination IP address

0/1331 Destination port

0.0.0.0/47.80.16.59 Source IP

80/23 Source port

listen/established State

/stats/mp/ucb
UCB Statistics

All UDP allocated control blocks:
 161: listen
1985: listen
3122: listen

Table 5-66 UCB Statistics on MP (/stats/mp/ucb)

Field Description

161/1985/3122 UDP port number

Listen State

Page 252: Nortel Commands

/stats/mp/sfd
MP-Specific SFD Statistics

All Socket FD allocated:
 0 -1 16 1180b128: 0.0.0.0 0 <=> 47.133.88.31 81 listen TCP server
 1 -1 17 108c5bd8: 0.0.0.0 0 <=> 47.133.88.31 23 listen TCP server
 2 -1 18 108d5cfc: 0.0.0.0 0 <=> 47.133.88.31 22 listen TCP server
 3 -1 19 1180a258: 0.0.0.0 0 <=> 47.133.88.31 443 listen TCP server

/stats/mp/cpu
CPU Statistics
This menu option enables you to display the CPU utilization statistics on MP.

CPU utilization:
cpuUtil1Second: 100%
cpuUtil4Seconds: 100%
cpuUtil64Seconds: 100%

Table 5-67 CPU Statistics (stats/mp/cpu)

Statistics Description

cpuUtil1Second The percentage of CPU utilization as measured over the last one second interval.

cpuUtil4Seconds The percentage of CPU utilization as measured over the last four second interval.

cpuUtil64Seconds The percentage of CPU utilization as measured over the last 64 second interval.

Page 253: Nortel Commands

/stats/sp <SP Number>
SP Specific Statistics

[SP-specific Statistics Menu]
     maint - Show maintenance stats
     clear - Clear maintenance stats
     cpu   - Show CPU utilization

Table 5-68 SP Specific Statistics (/stats/sp)

Statistics Description

maint Displays internal statistics, Layer 2 FDB maintenance statistics, and MP DOS shield statistics. See page 254 for a sample output.

clear Deletes all the maintenance statistics.

cpu Displays what percentage of the CPU has been utilized. To view a sample output and a description of the stats, see page 254.

Page 254: Nortel Commands

/stats/sp <SP number>/maint
SP-Specific Maintenance Statistics

Maintenance statistics for SP 1:
     Receive Letter success from MP:   158648
     Receive Letter success from SP 2: 0
     Receive Letter success from SP 3: 0
     Receive Letter success from SP 4: 0
     Receive Letter errors from MP:    0
     Receive Letter errors from SP 2:  0
     Receive Letter errors from SP 3:  0
     Receive Letter errors from SP 4:  0
     Send Letter success to MP:        125516
     Send Letter success to SP 2:      0
     Send Letter success to SP 3:      6799
     Send Letter success to SP 4:      6791
     Send Letter failures to MP:       0
     Send Letter failures to SP 2:     0
     Send Letter failures to SP 3:     0
     Send Letter failures to SP 4:     0
     learnErrNoddw:                    0
     resolveErrNoddw:                  0
     ageMPNoddw:                       0
     deleteMiss:                       0
     pfdbFreeEmpty:                    0
     arpDiscards:                      0
     icmpDiscards:                     0
     tcpDiscards:                      0
     udpDiscards:                      0

/stats/sp/cpu
CPU Statistics
This menu option enables you to display the CPU utilization statistics on the Switch Processor (SP).

CPU utilization for SP 1:
cpuUtil1Second: 6%
cpuUtil4Seconds: 6%
cpuUtil64Seconds: 6%

Table 5-69 CPU Statistics (stats/sp/cpu)

Statistics Description

cpuUtil1Second The percentage of CPU utilization as measured over the last one second interval.

cpuUtil4Seconds The percentage of CPU utilization as measured over the last four second interval.

cpuUtil64Seconds The percentage of CPU utilization as measured over the last 64 second interval.

/stats/pmirr
Port Mirroring Statistics Menu

[Port Mirroring Statistics Menu]
     dump     - Port Mirroring Stats
     clear    - Clear all Port Mirroring Stats

Table 5-70 Port Mirroring

Command Syntax and Usage

dump
Displays the port number, and the statistics of the traffic on the ingress and egress ports.

clear
Deletes all the port mirroring statistics. CAUTION – Use this command carefully as it will delete all statistics permanently.

/stats/mgmt
Management Port Statistics

Management port interface statistics:
RX bytes:        0   TX bytes:          0
RX packets:      0   TX packets:        0
RX errors:       0   TX errors:         0
RX dropped:      0   TX dropped:        0
RX overruns:     0   TX overruns:       0
RX frame errors: 0   TX carrier errors: 0
RX multicast:    0   TX collisions:     0

Table 5-71 Management Port Statistics (/stats/mgmt)

Statistics Description

RX bytes The total number of incoming bytes successfully transferred by the interface.

RX packets The total number of incoming packets successfully transferred by the interface.

RX errors The number of bad packets received.

RX dropped The number of incoming packets that were dropped due to lack of receive buffers.

RX overruns The number of received packets that were dropped because their size exceeded that of the receive queue.

RX frame errors The number of incoming packets dropped due to IP framing errors.

RX multicast The number of multicast packets received.

TX bytes The total number of outgoing bytes successfully transferred by the interface.

TX packets The total number of outgoing packets successfully transferred by the interface.

TX errors The number of packets dropped due to transmission problems.

TX dropped The number of packets dropped due to lack of transmit buffers.

TX overruns The number of packets dropped because size exceeded that of the transmit queue.

TX carrier errors Not applicable.

TX collisions The number of collisions due to congestion on the medium. Collisions occur when two or more stations are transmitting signals at the same time.

/stats/dump
Dump Statistics

Use the dump command to dump all switch statistics available from the Statistics Menu (40K or more, depending on your configuration). This data can be used to tune or debug switch performance.

If you want to capture dump data to a file, set your communication software on your workstation to capture session data prior to issuing the dump commands.

CHAPTER 6
The Configuration Menu

This chapter discusses how to use the Command Line Interface (CLI) for making, viewing, and saving switch configuration changes. Many of the commands, although not new, display more or different information than in the previous version. Important differences are called out in the text.

To make finding information easier, the menu options under the Server Load Balancing Menu (/cfg/slb) are in Chapter 7.

/cfg
Configuration Menu

[Configuration Menu]
     sys      - System-wide Parameter Menu
     port     - Port Menu
     pmirr    - Port Mirroring Menu
     bwm      - Bandwidth Management Menu
     l2       - Layer 2 Menu
     l3       - Layer 3 Menu
     slb      - Server Load Balancing (Layer 4-7) Menu
     security - Security Menu
     sslproc  - SSL Processor Setup Menu
     setup    - Step by step configuration set up
     dump     - Dump current configuration to script file
     ptcfg    - Backup current configuration to FTP/TFTP server
     gtcfg    - Restore current configuration from FTP/TFTP server

Table 6-1 Configuration Menu Options (/cfg)

Command Syntax and Usage

sys
Displays the System-wide parameter Configuration Menu. To view menu options, see page 261.

port <port number>
Displays the Port Configuration Menu. To view menu options, see page 301.

pmirr
Displays the Mirroring Configuration Menu. To view menu options, see page 315.

bwm
Displays the Bandwidth Management Configuration Menu. To view menu options, see page 316.

l2
Displays Layer 2 Configuration Menu. To view menu options, see page 325.

l3
Displays Layer 3 Configuration Menu. To view menu options, see page 342.

slb
Displays the Server Load Balancing Configuration Menu. To view menu options, see Chapter 7, “The SLB Configuration Menu”.

security
Displays the Security Menu. To view menu options, see page 397.

sslproc
Displays the SSL processor setup Menu. To view menu options, see page 403.

setup
Step-by-step configuration set-up of the switch. For details, see page 403.

dump
Dumps current configuration to a script file. For details, see page 407.

ptcfg <host name or IP address of TFTP server> <filename on host>
Backs up current configuration to TFTP server. For details, see page 408.

gtcfg <host name or IP address of TFTP server> <filename on host>
Restores current configuration from TFTP server. For details, see page 408.

Viewing, Applying, and Saving Changes

As you use the configuration menus to set switch parameters, the changes you make do not take effect immediately. All changes are considered “pending” until you explicitly apply them. Also, any changes are lost the next time the switch boots unless the changes are explicitly saved.

While configuration changes are in the pending state, you can do the following:

     View the pending changes
     Apply the pending changes
     Save the changes to flash memory

Viewing Pending Changes

You can view all pending configuration changes by entering diff at the menu prompt.

NOTE – The diff command is a global command. Therefore, you can enter diff at any prompt in the CLI.

Applying Pending Changes

To make your configuration changes active, you must apply them. To apply configuration changes, enter apply at any prompt in the CLI.

# apply

NOTE – The apply command is a global command. Therefore, you can enter apply at any prompt in the administrative interface.

NOTE – All configuration changes take effect immediately when applied, except for starting Spanning Tree Protocol. To turn STP on or off, you must apply the changes, save them (see below), and then reset the switch (see “Resetting the Switch” on page 517).

Saving the Configuration

In addition to applying the configuration changes, you can save them to flash memory on the Nortel Application Switch.

NOTE – If you do not save the changes, they will be lost the next time the system is rebooted.

To save the new configuration, enter the following command at any CLI prompt:

# save

When you save configuration changes, the changes are saved to the active configuration block. The configuration being replaced by the save is first copied to the backup configuration block. If you do not want the previous configuration block copied to the backup configuration block, enter the following instead:

# save n

You can decide which configuration you want to run the next time you reset the switch. Your options include:

     The active configuration block
     The backup configuration block
     Factory default configuration

You can view all pending configuration changes that have been applied but not saved to flash memory using the diff flash command. It is a global command that can be executed from any menu.

For instructions on selecting the configuration to run at the next system reset, see “Selecting a Configuration Block” on page 515.

/cfg/sys
System Configuration

This menu provides configuration of switch management parameters such as user and administrator privilege mode passwords, Web-based management settings, and management access list.

[System Menu]
     syslog   - Syslog Menu
     mmgmt    - Management Port Menu
     radius   - RADIUS Authentication Menu
     tacacs   - TACACS+ Authentication Menu
     ntp      - NTP Server Menu
     sonmp    - SONMP Menu
     ssnmp    - System SNMP Menu
     health   - System Health Check Menu
     access   - System Access Menu
     date     - Set system date
     time     - Set system time
     timezone - Set system timezone (daylight savings)
     idle     - Set timeout for idle CLI sessions
     notice   - Set login notice
     bannr    - Set login banner
     smtp     - Set SMTP host
     hprompt  - Enable/disable display hostname (sysName) in CLI prompt
     bootp    - Enable/disable use of BOOTP
     cur      - Display current system-wide parameters

Table 6-2 System Configuration Menu Options (/cfg/sys)

Command Syntax and Usage

syslog
Displays the Syslog Menu. To view menu options, see page 263.

mmgmt
Displays Management Port Menu. To view menu options, see page 264.

radius
Displays the RADIUS Authentication Menu. To view menu options, see page 268.

tacacs
Displays TACACS+ authentication Menu. To view menu options, see page 270.

ntp
Displays the Network Time Protocol (NTP) Server Menu. To view menu options, see page 271.

sonmp
Displays the SynOptics Network Management Protocol (SONMP) menu. To view menu options, see page 273.

ssnmp
Displays the System SNMP Menu. To view menu options, see page 273.

health
Displays system health check menu. To view menu options, see page 287.

access
Displays System Access Menu. To view menu options, see page 288.

date
Prompts the user for the system date.

time
Configures the system time using a 24-hour clock format.

timezone
Configures the system time zone. To view an example, see page 300.

idle <idle timeout in minutes; affects both console and Telnet>
Sets the idle timeout for CLI sessions, from 1 to 10080 minutes. The default is 5 minutes.

notice <max 1024 char multi-line login notice> <'-' to end>
Displays login notice immediately before the “Enter password:” prompt. This notice can contain up to 1024 characters and new lines.

bannr <string, maximum 80 characters>
Configures a login banner of up to 80 characters. When a user or administrator logs into the switch, the login banner is displayed. It is also displayed as part of the output from the /info/sys command.

smtp <SMTP host name or IP address>
Sets the Simple Mail Transfer Protocol (SMTP) host, which is used for sending bandwidth management history information.

hprompt disable|enable
Enables or disables displaying of the host name (system administrator’s name) in the Command Line Interface (CLI).

bootp disable|enable
Enables or disables the use of BOOTP. If you enable BOOTP, the switch will query its BOOTP server for all of the switch IP parameters. This command is disabled by default.

cur
Displays the current system parameters.

/cfg/sys/syslog
System Host Log Configuration

NOTE – Nortel Application Switch Operating System 23.0 supports the RFC 3164 standard for Syslogs.

[Syslog Menu]
     host     - Set IP address of first syslog host
     host2    - Set IP address of second syslog host
     sever    - Set the severity of first syslog host
     sever2   - Set the severity of second syslog host
     facil    - Set facility of first syslog host
     facil2   - Set facility of second syslog host
     console  - Enable/disable console output of syslog messages
     log      - Enable/disable syslogging of features
     cur      - Display current syslog settings

Table 6-3 System Configuration Menu Options (/cfg/sys/syslog)

Command Syntax and Usage

host <new syslog host IP address (such as, 192.4.17.223)>
Sets the IP address of the first syslog host.

host2 <new syslog host IP address (such as, 192.4.17.223)>
Sets the IP address of the second syslog host.

sever <syslog host local severity (0–7)>
This option sets the severity level of the first syslog host displayed. The default is 7, which means log all the seven severity levels. For a detailed description of the seven levels of severity, see page 264.

sever2 <syslog host local severity (0–7)>
This option sets the severity level of the second syslog host displayed. The default is 7, which means, log all the seven severity levels. For a detailed description of the seven levels of severity, see page 264.

facil <syslog host local facility (0-7)>
This option sets the facility level of the first syslog host displayed. The default is 0.

facil2 <syslog host local facility (0-7)>
This option sets the facility level of the second syslog host displayed. The default is 0.

console disable|enable
Enables or disables delivering syslog messages to the console. When necessary, disabling console ensures the switch is not affected by syslog messages. It is enabled by default.

Seven Levels of Severity

Following is the description of the seven levels of severity:

0: Emergency. This means that the system is unusable.

1: Alert. This means that corrective action must be taken immediately.

2: Critical. This means the condition of the system is critical.

3: Error. This means that the system has errors that should be corrected.

4: Warning. This means that the system is giving a warning.

5: Notice. This means that the condition of the system is normal but with significant conditions that need attention.

6: Informational. This means that the system is working but giving out information about certain unfavorable conditions.

7: Debug. This means that the system is giving out debug-level messages.
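The following is an added example, not part of the Nortel manual. RFC 3164, which the NOTE above says the switch follows, prefixes each message with <PRI>, where PRI = facility x 8 + severity; this sketch decodes that field on a log collector and sorts messages against the facil and sever values configured for a syslog host. It assumes that facil values 0-7 correspond to the RFC 3164 local0-local7 facilities (codes 16-23) and that sever acts as an upper bound on the severity number; the sample messages are constructed.

```python
import re

# Severity names as listed in the section above (RFC 3164 codes 0-7).
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]

# RFC 3164 PRI part: "<", one to three digits, ">".
PRI_RE = re.compile(r"<(\d{1,3})>")


def decode_pri(message):
    """Return (facility, severity, rest_of_message) for an RFC 3164 message."""
    m = PRI_RE.match(message)
    if m is None:
        raise ValueError("missing <PRI> part")
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest value RFC 3164 defines
        raise ValueError(f"PRI {pri} outside 0-191")
    return pri // 8, pri % 8, message[m.end():]


def local_facility(facil):
    """Assumption: facil n (0-7) selects local<n>, RFC 3164 facility code 16 + n."""
    if not 0 <= facil <= 7:
        raise ValueError("facil must be 0-7")
    return 16 + facil


def triage(messages, facil=0, sever=7):
    """Sort received messages by how they compare with the configured values.

    accepted        - expected facility, severity number <= sever
    above_threshold - expected facility, severity number > sever
    wrong_facility  - well-formed, but not the facility configured with facil
    malformed       - no usable PRI part
    """
    expected = local_facility(facil)
    report = {"accepted": [], "above_threshold": [],
              "wrong_facility": [], "malformed": []}
    for msg in messages:
        try:
            facility, severity, rest = decode_pri(msg)
        except ValueError:
            report["malformed"].append(msg)
            continue
        entry = (SEVERITY_NAMES[severity], rest)
        if facility != expected:
            report["wrong_facility"].append(entry)
        elif severity > sever:
            report["above_threshold"].append(entry)
        else:
            report["accepted"].append(entry)
    return report


# Constructed sample input; the message bodies are illustrative only.
SAMPLE_MESSAGES = [
    "<134>Jan 12 10:01:22 192.4.17.101 ntp: clock synchronized",   # local0, 6
    "<129>Jan 12 10:01:25 192.4.17.101 system: fan failure",       # local0, 1
    "<135>Jan 12 10:01:26 192.4.17.101 debug: trace output",       # local0, 7
    "<38>Jan 12 10:01:27 192.4.17.101 login: session opened",      # facility 4
    "Jan 12 10:01:28 192.4.17.101 no priority field",
    "<999>out-of-range priority",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_MESSAGES, facil=0, sever=5).items():
        print(bucket, len(items))
```
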

Table 6-3 System Configuration Menu Options (/cfg/sys/syslog)

Command Syntax and Usage

log <feature|all> <enable|disable>
Displays a list of features for which syslog messages can be generated. You can choose to enable/disable specific features (such as vlans, gslb, filter), or enable/disable syslog on all available features.

cur
Displays the current syslog settings.

/cfg/sys/mmgmt
Management Port Configuration Menu

The Management port is a Fast Ethernet port that is used exclusively to manage the switch. While the switch can be managed from any network port, the Management port saves consuming a port that could otherwise be used for processing data and traffic. This port manages the switch using either telnet CLI, SNMP, or HTTP. This port is isolated from and does not participate in the networking protocols that run on the network ports.

The Management port must be configured with a static IP address, subnet mask, broadcast address, and default gateway, and must be enabled before it can be used. If this port is disabled, the network ports have to perform all switch management (other than the switch management using the console). If this port is enabled, the factory default settings for some of the management features remain with the network ports. You can change the defaults by configuring these features to permanently use the management port, or in some cases, by using the operational commands to set these options on a one-time basis.

NOTE – The Management port does not support BOOTP.

[Management Port Menu]
     port     - Management Port Phy Menu
     addr     - Set IP address
     mask     - Set subnet mask
     gw       - Set default gateway address
     intr     - Set interval between gateway ping attempts
     retry    - Set number of failed attempts to declare gateway DOWN
     dns      - Set default port for DNS
     ntp      - Set default port for NTP
     radius   - Set default port for RADIUS
     tacacs   - Set default port for TACACS+
     smtp     - Set default port for SMTP
     snmp     - Set default port for SNMP traps
     syslog   - Set default port for SYSLOG
     sonmp    - Set default IP for SONMP hello packets
     tftp     - Set default port for FTP/TFTP
     wlm      - Set default port for Workload Manager
     report   - Set default port for Reporting server
     ena      - Enable management port
     dis      - Disable management port
     cur      - Display current configuration

Table 6-4 Management Port Configuration Menu Options (/cfg/sys/mmgmt)

Command Syntax and Usage

port
Displays the management port link menu. To view the menu options, see page 268.

addr <IP address (such as, 192.4.17.101)>
Sets the IP address.

mask <subnet mask (such as, 255.255.255.0)>
Sets the subnet mask.

gw <gateway address (such as, 192.4.17.1)>
Sets the IP address for the default gateway.

intr <interval (0 - 60 seconds)>
Sets the interval between gateway ping attempts.

retry <number of attempts (1-120)>
Sets the number of failed ping attempts before a gateway is declared DOWN.

dns default port mgmt|data
Sets DNS over management or data port. Default is data port.

ntp default port mgmt|data
Sets NTP over management or data ports. The default is data port.

radius default port mgmt|data
Sets RADIUS over management or data ports. Default is data port.

tacacs mgmt|data
Sets TACACS+ over management or data ports. Default is data port.

smtp default port mgmt|data
Sets SMTP over management or data ports. Default is data port.

snmp default port mgmt|data
Sets SNMP trap host over management or data ports. Default is data port.

syslog default port mgmt|data
Sets syslog host access over management or data ports. Default is data port.

sonmp default port mgmt|data
Sets default IP address for SONMP hello packets. When this option is set to mgmt then the Management Port IP address is used in the SONMP hello packets transmitted by the switch. But if it is set to data, then the IP address of the data port interface specified by srcif (/cfg/sys/sonmp/srcif) command is used in the hello packets.

tftp default port mgmt|data
Sets TFTP over management or data port. Default is data port.

wlm ["mgmt"|"data"]
Set the default port for the workload manager.

report ["mgmt"|"data"]
Set the default port for the reporting server.

ena
Enables the Management port.

dis
Disables the Management port.

cur
Displays the current configuration.

/cfg/sys/mmgmt/port
Management Port Link Menu

[Management Port Link Menu]
     speed    - Set link speed
     mode     - Set full or half duplex mode
     auto     - Set autonegotiation
     cur      - Display current link configuration

Table 6-5 Management Port Link Menu Options (/cfg/sys/mmgmt/port)

Command Syntax and Usage

speed 10|100|any
Sets the speed of the link with the Management port. Default is any.

mode full|half|any
Sets half or full duplex mode. Default is any.

auto on|off
Sets auto negotiation for the port. By default this command is turned on.

cur
Displays the current link configuration.

/cfg/sys/radius
RADIUS Server Configuration

[RADIUS Server Menu]
     prisrv   - Set primary RADIUS server address
     secsrv   - Set secondary RADIUS server address
     secret   - Set primary RADIUS server secret
     secret2  - Set secondary RADIUS server secret
     port     - Set RADIUS port
     retries  - Set RADIUS server retries
     timeout  - Set RADIUS server timeout
     telnet   - Enable/disable RADIUS backdoor for telnet
     on       - Turn RADIUS authentication ON
     off      - Turn RADIUS authentication OFF
     cur      - Display current RADIUS configuration

Table 6-6 RADIUS Server Configuration Menu Options (/cfg/sys/radius)

Command Syntax and Usage

prisrv <IP address>
Sets the primary RADIUS server address.

secsrv <IP address>
Sets the secondary RADIUS server address.

secret <1-128 character secret>
This is the shared secret password between the switch and the primary RADIUS server(s).

secret2 <1-128 character secret>
This is the shared secret password between the switch and the secondary RADIUS server(s).

port <RADIUS port to configure, default 1645>
Enter the number of the UDP port to be configured, between 1500 - 3000. The default is 1645.

retries <RADIUS server retries (1-3)>
Sets the number of failed authentication requests before switching to a different RADIUS server. The default is 3 requests.

timeout <RADIUS server timeout seconds (1-10)>
Sets the amount of time, in seconds, before a RADIUS server authentication attempt is considered to have failed. The default is 3 seconds.

telnet disable|enable
Enables or disables the RADIUS back door for telnet. Telnet also applies to SSH/SCP connections.

on
Enables the RADIUS server.

off
Disables the RADIUS server.

cur
Displays the current RADIUS server parameters.

/cfg/sys/tacacs
TACACS+ Server Configuration Menu

TACACS (Terminal Access Controller Access Control System) is an authentication protocol that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system. TACACS is an encryption protocol and therefore less secure than TACACS+ and Remote Authentication Dial-In User Service (RADIUS) protocols. (Both TACACS and TACACS+ are described in RFC 1492.)

TACACS+ protocol is seen as more reliable than RADIUS as TACACS+ uses the Transmission Control Protocol (TCP) whereas RADIUS uses the User Datagram Protocol (UDP). Also, RADIUS combines authentication and authorization in a user profile, whereas TACACS+ separates the two operations.

TACACS+ protocol has been implemented on Nortel Application Switch Operating System to support the customers that have Cisco’s TACACS+ protocol as their network security feature. Apart from that, TACACS+ offers the following advantages over RADIUS as the authentication device:

     TACACS+ is TCP-based so it facilitates connection-oriented traffic.

     It supports full-packet encryption as against password-only in authentication requests.

     Supports decoupled authentication, authorization, and accounting.

[TACACS+ Server Menu]
     prisrv   - Set primary TACACS+ server address
     secsrv   - Set secondary TACACS+ server address
     secret   - Set primary TACACS+ server secret
     secret2  - Set secondary TACACS+ server secret
     port     - Set TACACS+ TCP port
     retries  - Set TACACS+ server retries
     timeout  - Set TACACS+ server timeout (seconds)
     telnet   - Enable/disable TACACS+ backdoor for telnet
     on       - Turn TACACS+ authentication ON
     off      - Turn TACACS+ authentication OFF
     cur      - Display current TACACS+ configuration

Table 6-7 TACACS+ Server Menu Options (/cfg/sys/tacacs)

Command Syntax and Usage

prisrv <IP address>
Defines the primary TACACS+ server address.

secsrv <IP address>
Defines the secondary TACACS+ server address.

secret <1-128 character secret>
This is the shared secret between the switch and the primary TACACS+ server(s).

secret2 <1-128 character secret>
This is the shared secret between the switch and the secondary TACACS+ server(s).

port <RADIUS port configure, default 1645>
Enter the number of the TCP port to be configured, between 1500 - 3000. The default is 1645.

retries <RADIUS server retries, 1-3>
Sets the number of failed authentication requests before switching to a different TACACS+ server. The default is 3 requests.

timeout <RADIUS server timeout seconds, 4 to 15>
Sets the amount of time, in seconds, before a TACACS+ server authentication attempt is considered to have failed. The default is 3 seconds.

telnet disable|enable
Enables or disables the TACACS+ back door for telnet. Telnet also applies to SSH/SCP connections.

on
Enables the TACACS+ server.

off
Disables the TACACS+ server.

cur
Displays current TACACS+ configuration parameters.

/cfg/sys/ntp
NTP Server Configuration

This menu enables you to synchronize the switch clock to a Network Time Protocol (NTP) server. By default, this option is disabled.

[NTP Server Menu]
     prisrv   - Set primary NTP server address
     secsrv   - Set secondary NTP server address
     intrval  - Set NTP server resync interval
     tzone    - Set NTP timezone offset from GMT
     on       - Turn NTP service ON
     off      - Turn NTP service OFF
     cur      - Display current NTP configuration

Table 6-8 NTP Server Configuration Menu Options (/cfg/sys/ntp)

Command Syntax and Usage

prisrv <primary NTP server IP address>
Prompts for the IP address of the primary NTP server to which you want to synchronize the switch clock.

secsrv <secondary NTP server IP address>
Prompts for the IP address of the secondary NTP server to which you want to synchronize the switch clock.

intrval <resync interval in minutes>
Specifies how often the switch will re-synchronize the switch clock with the NTP server. This interval of time will be specified in minutes (1-44640). The default value is 1440 minutes.

tzone <offset from GMT, in HH:MM>
Prompts for the NTP time zone offset, in hours and minutes, of the switch you are synchronizing from Greenwich Mean Time (GMT).

on
Enables the NTP synchronization service.

off
Disables the NTP synchronization service.

cur
Displays the current NTP service settings.

/cfg/sys/sonmp
SynOptics Network Management Protocol Configuration

SynOptics Network Management Protocol (SONMP) is a proprietary network management protocol that is used by Nortel Networks Optivity Switch Manager (OSM) to discover Nortel Application Switches on the network. The following commands add support for the Ethernet Autotopology algorithm and the Bay Topology MIB. The topology algorithm is executed by each Nortel Application Switch on which SONMP is enabled.

[SONMP Menu]
     srcif    - Set source interface to be used in hello packets
     on       - Turn Ethernet Autotopology ON
     off      - Turn Ethernet Autotopology OFF
     cur      - Display current SONMP configuration

Table 6-9 System Configuration Menu Options (/cfg/sys/sonmp)

Command Syntax and Usage

srcif <interface number (1-256)>
This command specifies the IP address to be used in the hello packets. If the interface specified by this command is not up, then the first interface which is up and running is used in the hello packets.

on
This command enables the SONMP protocol, and turns Ethernet Autotopology on.

off
This command disables the SONMP protocol, and turns Ethernet Autotopology off.

cur
This command displays the current SONMP configuration.

/cfg/sys/ssnmp
System SNMP Configuration

Nortel Application Switch Operating System supports SNMP-based network management. In the SNMP model of network management, a management station (client/manager) accesses a set of variables known as MIBs (Management Information Base) provided by the managed device (agent). If you are running an SNMP network management station on your network, you can manage the switch using the following standard SNMP MIBs:

     MIB II (RFC 1213)
     Ethernet MIB (RFC 1643)
     Bridge MIB (RFC 1493)

An SNMP agent is a software process on the managed device that listens on UDP port 161 for SNMP messages. Each SNMP message sent to the agent contains a list of management objects to retrieve or to modify.

SNMP parameters that can be modified include:

     System name
     System location
     System contact
     Use of the SNMP system authentication trap function
     Read community string
     Write community string
     Trap community strings

[System SNMP Menu]
     snmpv3   - SNMPv3 Menu
     name     - Set SNMP "sysName"
     locn     - Set SNMP "sysLocation"
     cont     - Set SNMP "sysContact"
     rcomm    - Set SNMP read community string
     wcomm    - Set SNMP write community string
     trsrc    - Set SNMP trap source interface
     timeout  - Set timeout for the SNMP state machine
     auth     - Enable/disable SNMP "sysAuthenTrap"
     linkt    - Enable/disable SNMP link up/down trap
     cur      - Display current system SNMP configuration

Table 6-10 SNMP Configuration Menu Options (/cfg/sys/ssnmp)

Command Syntax and Usage

snmpv3
Displays SNMPv3 menu. To view menu options, see page 276.

name <new string (maximum 64 characters)>
Configures the name for the system. The name can have a maximum of 64 characters.

locn <new string (maximum 64 characters)>
Configures the name of the system location. The location can have a maximum of 64 characters.

cont <new string (maximum 64 characters)>
Configures the name of the system contact. The contact can have a maximum of 64 characters.

rcomm <new SNMP read community string (maximum 32 characters)>
Configures the SNMP read community string. The read community string controls SNMP “get” access to the switch. It can have a maximum of 32 characters. The default read community string is public.

wcomm <new SNMP write community string (maximum 32 characters)>
Configures the SNMP write community string. The write community string controls SNMP “set” and “get” access to the switch. It can have a maximum of 32 characters. The default write community string is private.

trsrc <interface number (1-256)>
Defines the interface number for SNMP trap source interface. This command enables the user to select one of the configured interfaces as the source interface using the interface number.

NOTE – This command is applicable only to SNMPv1 and SNMPv2 traps because only the SNMPv1 and SNMPv2 trap packets contain the source IP address that can be set with this command. The SNMPv3 packets do not contain this field.

timeout <SNMP state machine timeout minutes, 1-30>
Defines the timeout period for SNMP state machine. When you use diff and apply, memory is allocated to store the output of the command. The timeout period determines when the resources/memory allocated for the output will be freed.

auth disable|enable
Enables or disables the use of the system authentication trap facility. The default setting is disabled.

linkt <port> <disable|enable>
Enables or disables the sending of SNMP link up and link down traps. The default setting is enabled.

cur
Displays the current STP port parameters.
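The following is an added example, not part of the Nortel manual. It audits management-plane settings against what the tables in this chapter document: the numeric ranges and string lengths, the default SNMP community strings (public and private), and the RADIUS and TACACS+ back door for telnet. The input format (one "menu path, command, value" triple per line) is an assumption made for this example and is not the format written by /cfg/dump; a setting absent from the input is assumed to hold its documented default, and the sample values are constructed.

```python
# Documented numeric ranges, keyed by (menu path, command).
RANGES = {
    ("/cfg/sys", "idle"): (1, 10080),
    ("/cfg/sys/syslog", "sever"): (0, 7),
    ("/cfg/sys/syslog", "sever2"): (0, 7),
    ("/cfg/sys/syslog", "facil"): (0, 7),
    ("/cfg/sys/syslog", "facil2"): (0, 7),
    ("/cfg/sys/mmgmt", "intr"): (0, 60),
    ("/cfg/sys/mmgmt", "retry"): (1, 120),
    ("/cfg/sys/radius", "port"): (1500, 3000),
    ("/cfg/sys/radius", "retries"): (1, 3),
    ("/cfg/sys/radius", "timeout"): (1, 10),
    ("/cfg/sys/ntp", "intrval"): (1, 44640),
    ("/cfg/sys/ssnmp", "timeout"): (1, 30),
}

# Documented maximum string lengths.
MAX_LEN = {
    ("/cfg/sys", "bannr"): 80,
    ("/cfg/sys/ssnmp", "name"): 64,
    ("/cfg/sys/ssnmp", "locn"): 64,
    ("/cfg/sys/ssnmp", "cont"): 64,
    ("/cfg/sys/ssnmp", "rcomm"): 32,
    ("/cfg/sys/ssnmp", "wcomm"): 32,
    ("/cfg/sys/radius", "secret"): 128,
    ("/cfg/sys/radius", "secret2"): 128,
}

# Defaults the SNMP table documents for the community strings.
DEFAULT_COMMUNITIES = {
    ("/cfg/sys/ssnmp", "rcomm"): "public",
    ("/cfg/sys/ssnmp", "wcomm"): "private",
}

# The "telnet" option of the RADIUS and TACACS+ menus.
BACKDOORS = [("/cfg/sys/radius", "telnet"), ("/cfg/sys/tacacs", "telnet")]


def parse_export(text):
    """Parse '<menu path> <command> <value>' lines (hypothetical format)."""
    settings = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].startswith("/cfg"):
            raise ValueError(f"line {lineno}: expected '<menu path> <command> <value>'")
        settings[(parts[0], parts[1])] = parts[2]
    return settings


def audit(settings):
    """Return sorted (menu path, command, message) findings."""
    findings = []
    for key, value in settings.items():
        if key in RANGES:
            low, high = RANGES[key]
            if not value.isdigit() or not low <= int(value) <= high:
                findings.append((*key, f"{value!r} is outside the documented range {low}-{high}"))
        if key in MAX_LEN and not 1 <= len(value) <= MAX_LEN[key]:
            findings.append((*key, f"length {len(value)} exceeds the documented maximum {MAX_LEN[key]}"))
    # A community string left at (or set to) the documented default is
    # known to anyone who has read the manual.
    for key, default in DEFAULT_COMMUNITIES.items():
        if settings.get(key, default) == default:
            findings.append((*key, f"community string is the documented default {default!r}"))
    for key in BACKDOORS:
        if settings.get(key) == "enable":
            findings.append((*key, "back door for telnet is enabled; confirm this is intended"))
    return sorted(findings)


# Constructed sample input in the hypothetical export format.
SAMPLE_EXPORT = """
# constructed values for illustration
/cfg/sys idle 20000
/cfg/sys/ssnmp rcomm public
/cfg/sys/ssnmp wcomm n0t-default
/cfg/sys/radius port 1812
/cfg/sys/radius telnet enable
/cfg/sys/syslog sever 7
"""

if __name__ == "__main__":
    for path, command, message in audit(parse_export(SAMPLE_EXPORT)):
        print(f"{path}/{command}: {message}")
```
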

Table 6-10 SNMP Configuration Menu Options (/cfg/sys/ssnmp)

Command Syntax and Usage


/cfg/sys/ssnmp/snmpv3
SNMPv3 Configuration Menu

SNMP version 3 (SNMPv3) is an extensible SNMP Framework that supplements the SNMPv2 Framework by supporting the following:

a new SNMP message format

security for messages

access control

remote configuration of SNMP parameters

For more details on the SNMPv3 architecture, refer to RFC 2271 to RFC 2276.

[SNMPv3 Menu]
     usm      - usmUser Table menu
     view     - vacmViewTreeFamily Table menu
     access   - vacmAccess Table menu
     group    - vacmSecurityToGroup Table menu
     comm     - community Table menu
     taddr    - targetAddr Table menu
     tparam   - targetParams Table menu
     notify   - notify Table menu
     v1v2     - Enable/disable V1/V2 access
     cur      - Display current SNMPv3 configuration

Table 6-11 SNMPv3 Configuration Menu Options (/cfg/sys/ssnmp/snmpv3)

Command Syntax and Usage

usm <usmUser number [1-16]>
This command allows you to create a user security model (USM) entry for an authorized user. You can also configure this entry through SNMP. To view menu options, see page 278.

view <vacmViewTreeFamily number [1-128]>
This command allows you to create different MIB views. To view menu options, see page 279.

access <vacmAccess number [1-32]>
This command allows you to specify access rights. The View-based Access Control Model defines a set of services that an application can use for checking the access rights of the user. Access control is needed when a retrieval or modification request from an SNMP entity has to be processed. To view menu options, see page 280.


group <vacmSecurityToGroup number [1-16]>
A group maps the user name to the access group names and their access rights needed to access SNMP management objects. A group defines the access rights assigned to all names that belong to a particular group. To view menu options, see page 282.

comm <snmpCommunity number [1-16]>
The community table contains objects for mapping community strings and version-independent SNMP message parameters. To view menu options, see page 283.

taddr <snmpTargetAddr number [1-16]>
This command allows you to configure destination information, consisting of a transport domain and a transport address. This is also termed a transport endpoint. The SNMP MIB provides a mechanism for performing source address validation on incoming requests, and for selecting community strings based on target addresses for outgoing notifications. To view menu options, see page 284.

tparam <target params index [1-16]>
This command allows you to configure SNMP parameters, consisting of message processing model, security model, security level, and security name information. There may be multiple transport endpoints associated with a particular set of SNMP parameters, or a particular transport endpoint may be associated with several sets of SNMP parameters. To view menu options, see page 285.

notify <notify index [1-16]>
A notification application typically monitors a system for particular events or conditions, and generates Notification-Class messages based on these events or conditions. To view menu options, see page 286.

v1v2 disable|enable
This command allows you to enable or disable access to SNMP version 1 and version 2. This command is enabled by default.

cur
Displays the current SNMPv3 configuration.


/cfg/sys/ssnmp/snmpv3/usm
User Security Model Configuration Menu

You can make use of a defined set of user identities using this Security Model. An SNMP engine must have knowledge of the applicable attributes of a user.

This menu helps you create a user security model entry for an authorized user. You need to provide a security name to create the USM entry.

[SNMPv3 usmUser 1 Menu]
     name     - Set USM user name
     auth     - Set authentication protocol
     authpw   - Set authentication password
     priv     - Set privacy protocol
     privpw   - Set privacy password
     del      - Delete usmUser entry
     cur      - Display current usmUser configuration

Table 6-12 User Security Model Configuration Menu Options (/cfg/sys/ssnmp/snmpv3/usm)

Command Syntax and Usage

name <32 character name>
This command allows you to configure a string up to 32 characters long that represents the name of the user. This is the login name that you need in order to access the switch.

auth md5|sha|none
This command allows you to set the authentication protocol to HMAC-MD5-96 or HMAC-SHA-96. The default algorithm is none.

authpw
If you selected an authentication algorithm using the above command, you need to provide a password, otherwise you will get an error message during validation. This command allows you to create or change your password for authentication.

priv des|none
This command allows you to configure the type of privacy protocol on your switch. The privacy protocol protects messages from disclosure. The options are des (CBC-DES Symmetric Encryption Protocol) or none. If you specify des as the privacy protocol, then make sure that you have selected one of the authentication protocols (MD5 or HMAC-SHA-96). If you select none as the authentication protocol, you will get an error message.

privpw
This command allows you to create or change the privacy password.

del
Deletes the USM user entries.

cur
Displays the USM user entries.

/cfg/sys/ssnmp/snmpv3/view
SNMPv3 View Configuration Menu

[SNMPv3 vacmViewTreeFamily 1 Menu]
     name     - Set view name
     tree     - Set MIB subtree(OID) which defines a family of view subtrees
     mask     - Set view mask
     type     - Set view type
     del      - Delete vacmViewTreeFamily entry
     cur      - Display current vacmViewTreeFamily configuration

Table 6-13 SNMPv3 View Menu Options (/cfg/sys/ssnmp/snmpv3/view)

Command Syntax and Usage

name <32 character name>
This command defines the name for a family of view subtrees, up to a maximum of 32 characters.

tree <object identifier, such as 1.3.6.1.2.1.1.1.0, max 32 characters>
This command defines the MIB tree, a string of maximum 32 characters, which when combined with the corresponding mask defines a family of view subtrees.

mask <bitmask, max size 32 characters>
This command defines the bit mask, which in combination with the corresponding tree defines a family of view subtrees.

type included|excluded
This command indicates whether the corresponding instances of vacmViewTreeFamilySubtree and vacmViewTreeFamilyMask define a family of view subtrees which is included in or excluded from the MIB view.

del
Deletes the vacmViewTreeFamily group entry.

cur
Displays the current vacmViewTreeFamily configuration.
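How tree, mask and type combine into a MIB view, following the vacmViewTreeFamily rules of RFC 3415. This is an added example, not code from the switch or from Nortel. The view names, the entries and the hex notation for the mask are assumptions made for illustration.

```python
# Added example: VACM view-family matching as specified in RFC 3415.
# Entry values are constructed; hex mask input is an assumption.


def parse_oid(text):
    """'1.3.6.1.2.1' or '.1.3.6.1.2.1' -> tuple of ints."""
    return tuple(int(part) for part in text.strip().strip(".").split("."))


def mask_bits(mask_hex, length):
    """One bit per sub-identifier of the subtree, most significant bit first.

    1 = the sub-identifier must match exactly, 0 = wildcard. A mask shorter
    than the subtree is padded with 1 bits, so an empty mask means the whole
    subtree prefix must match exactly.
    """
    bits = []
    for byte in bytes.fromhex(mask_hex):
        bits.extend((byte >> shift) & 1 for shift in range(7, -1, -1))
    bits = bits[:length]
    return bits + [1] * (length - len(bits))


def family_matches(oid, subtree, mask_hex):
    """True if oid belongs to the family defined by subtree + mask."""
    if len(oid) < len(subtree):
        return False
    bits = mask_bits(mask_hex, len(subtree))
    return all(bit == 0 or o == s for o, s, bit in zip(oid, subtree, bits))


def in_view(view_name, oid_text, entries):
    """Decide whether an OID is in the named MIB view.

    Among the matching families, the one whose subtree has the most
    sub-identifiers wins; ties go to the lexicographically greatest subtree.
    No matching family (or no such view) means the OID is not in the view.
    """
    oid = parse_oid(oid_text)
    best_key, best_type = None, None
    for entry in entries:
        if entry["name"] != view_name:
            continue
        subtree = parse_oid(entry["tree"])
        if family_matches(oid, subtree, entry["mask"]):
            key = (len(subtree), subtree)
            if best_key is None or key > best_key:
                best_key, best_type = key, entry["type"]
    return best_type == "included"


# Constructed view table. "ops-ro" exposes mib-2 and the SNMP framework MIBs
# but hides the MIBs holding users, access rules and community strings.
# "port3" covers every ifTable column, but only for the row with ifIndex 3.
VIEW_ENTRIES = [
    {"name": "ops-ro", "tree": "1.3.6.1.2.1", "mask": "", "type": "included"},
    {"name": "ops-ro", "tree": "1.3.6.1.6.3", "mask": "", "type": "included"},
    {"name": "ops-ro", "tree": "1.3.6.1.6.3.15", "mask": "", "type": "excluded"},
    {"name": "ops-ro", "tree": "1.3.6.1.6.3.16", "mask": "", "type": "excluded"},
    {"name": "ops-ro", "tree": "1.3.6.1.6.3.18", "mask": "", "type": "excluded"},
    {"name": "port3", "tree": "1.3.6.1.2.1.2.2.1.0.3", "mask": "ffa0",
     "type": "included"},
    {"name": "wide", "tree": "1", "mask": "", "type": "included"},
]

# Probe OIDs for tables that should not be readable through a monitoring view.
SENSITIVE = {
    "usmUserTable": "1.3.6.1.6.3.15.1.2.2",
    "vacmAccessTable": "1.3.6.1.6.3.16.1.4",
    "snmpCommunityTable": "1.3.6.1.6.3.18.1.1",
}


def probe_sensitive(view_name, entries):
    """Names of the sensitive probe OIDs that the view leaves readable."""
    return sorted(label for label, oid in SENSITIVE.items()
                  if in_view(view_name, oid, entries))


if __name__ == "__main__":
    for view in ("ops-ro", "port3", "wide"):
        print(view, "exposes", probe_sensitive(view, VIEW_ENTRIES))
```

In the "port3" entry the mask ffa0 clears only the bit for the tenth sub-identifier (the column), so every column of the row for ifIndex 3 is selected and no other row is.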


/cfg/sys/ssnmp/snmpv3/access
View-based Access Control Model Configuration Menu

The view-based Access Control Model defines a set of services that an application can use for checking the access rights of the user. Access control is needed when the user has to process an SNMP retrieval or modification request from an SNMP entity.

[SNMPv3 vacmAccess 1 Menu]
     name     - Set group name
     prefix   - Set content prefix
     model    - Set security model
     level    - Set minimum level of security
     match    - Set prefix only or exact match
     rview    - Set read view index
     wview    - Set write view index
     nview    - Set notify view index
     del      - Delete vacmAccess entry
     cur      - Display current vacmAccess configuration

Table 6-14 View-based Access Control Model Menu Options (/cfg/sys/ssnmp/snmpv3/access)

Command Syntax and Usage

name <32 character name>
Defines the name of the group.

prefix <32 character name>
Defines the name of the context. An SNMP context is a collection of management information that an SNMP entity can access. An SNMP entity has access to many contexts. For more information on naming the management information, see RFC2571, the SNMP Architecture document. The view-based Access Control Model defines a table that lists the locally available contexts by contextName.

model usm|snmpv1|snmpv2
Allows you to select the security model to be used.

level noAuthNoPriv|authNoPriv|authPriv
Defines the minimum level of security required to gain access rights. The level noAuthNoPriv means that the SNMP message will be sent without authentication and without using a privacy protocol. The level authNoPriv means that the SNMP message will be sent with authentication but without using a privacy protocol. The level authPriv means that the SNMP message will be sent both with authentication and using a privacy protocol.


match exact|prefix
If the value is set to exact, then all the rows whose contextName exactly matches the prefix are selected. If the value is set to prefix, then all the rows where the starting octets of the contextName exactly match the prefix are selected.

rview <32 character view name>
This is a read view name of up to 32 characters that allows you read access to a particular MIB view. If the value is empty or if there is no active MIB view having this value, then no access is granted.

wview <32 character view name>
This is a write view name of up to 32 characters that allows you write access to the MIB view. If the value is empty or if there is no active MIB view having this value, then no access is granted.

nview <32 character view name>
This is a notify view name of up to 32 characters that allows you notify access to the MIB view.

del
Deletes the View-based Access Control entry.

cur
Displays the View-based Access Control configuration.


/cfg/sys/ssnmp/snmpv3/group
SNMPv3 Group Configuration Menu

[SNMPv3 vacmSecurityToGroup 1 Menu]
     model    - Set security model
     uname    - Set USM user name
     gname    - Set group gname
     del      - Delete vacmSecurityToGroup entry
     cur      - Display current vacmSecurityToGroup configuration

Table 6-15 SNMPv3 Group Menu Options (/cfg/sys/ssnmp/snmpv3/group)

Command Syntax and Usage

model usm|snmpv1|snmpv2
Defines the security model.

uname <32 character name>
Sets the user name as defined in /cfg/sys/ssnmp/snmpv3/usm/name on page 278.

gname <32 character name>
The name for the access group as defined in /cfg/sys/ssnmp/snmpv3/access/name on page 280.

del
Deletes the vacmSecurityToGroup entry.

cur
Displays the current vacmSecurityToGroup configuration.


/cfg/sys/ssnmp/snmpv3/comm
SNMPv3 Community Table Configuration Menu

This command is used for configuring the community table entry. The configured entry is stored in the community table list in the SNMP engine. This table is used to configure community strings in the Local Configuration Datastore (LCD) of the SNMP engine.

[SNMPv3 snmpCommunityTable 1 Menu]
     index    - Set community index
     name     - Set community string
     uname    - Set USM user name
     tag      - Set community tag
     del      - Delete communityTable entry
     cur      - Display current communityTable configuration

Table 6-16 SNMPv3 Community Table Configuration Menu Options (/cfg/sys/ssnmp/snmpv3/comm)

Command Syntax and Usage

index <32 character name>
Allows you to configure the unique index value of a row in this table, consisting of 32 characters maximum.

name <32 character name>
Defines the user name as defined in /cfg/sys/ssnmp/snmpv3/usm/name on page 278.

uname <32 character name>
Defines a readable string of up to 32 characters that represents the corresponding value of an SNMP community name in a security model.

tag <list of tag string, max 255 characters>
Allows you to configure a tag of up to 255 characters. This tag specifies a set of transport endpoints to which a command responder application sends an SNMP trap.

del
Deletes the community table entry.

cur
Displays the community table configuration.


/cfg/sys/ssnmp/snmpv3/taddr
SNMPv3 Target Address Table Configuration Menu

This command is used to configure the target transport entry. The configured entry is stored in the target address table list in the SNMP engine. This table of transport addresses is used in the generation of SNMP messages.

[SNMPv3 snmpTargetAddrTable 1 Menu]
     name     - Set target address name
     addr     - Set target transport address IP
     port     - Set target transport address port
     taglist  - Set tag list
     pname    - Set targetParams name
     del      - Delete targetAddrTable entry
     cur      - Display current targetAddrTable configuration

Table 6-17 Target Address Table Menu Options (/cfg/sys/ssnmp/snmpv3/taddr)

Command Syntax and Usage

name <32 character name>
Allows you to configure the target address name, a locally arbitrary but unique identifier associated with this entry.

addr <transport address ip>
Allows you to configure a transport address IP that can be used in the generation of SNMP traps.

port <transport address port>
Allows you to configure a transport address port that can be used in the generation of SNMP traps.

taglist <list of tag string, max 255 characters>
Allows you to configure a list of tags that are used to select target addresses for a particular operation.

pname <32 character name>
Defines the name as defined in /cfg/sys/ssnmp/snmpv3/tparam/name on page 285.

del
Deletes the Target Address Table entry.

cur
Displays the current Target Address Table configuration.


/cfg/sys/ssnmp/snmpv3/tparam
SNMPv3 Target Parameters Table Configuration Menu

You can configure the target parameters entry and store it in the target parameters table in the SNMP engine. This table contains parameters that are used to generate a message. The parameters include the message processing model (for example: SNMPv3, SNMPv2c, SNMPv1), the security model (for example: USM), the security name, and the security level (noAuthNoPriv, authNoPriv, or authPriv).

[SNMPv3 snmpTargetParamsTable 1 Menu]
     name     - Set target params name
     mpmodel  - Set message processing model
     model    - Set security model
     uname    - Set USM user name
     level    - Set minimum level of security
     del      - Delete targetParamsTable entry
     cur      - Display current targetParamsTable configuration

Table 6-18 Target Parameters Table Configuration Menu Options (/cfg/sys/ssnmp/snmpv3/tparam)

Command Syntax and Usage

name <32 character name>
Allows you to configure the locally arbitrary but unique identifier that is associated with this entry.

mpmodel snmpv3|snmpv1|snmpv2c
Allows you to configure the message processing model that is used to generate SNMP messages.

model usm|snmpv1|snmpv2
Allows you to select the security model to be used when generating the SNMP messages.

uname <32 character name>
Defines the name that identifies the user in the USM table (page 278) on whose behalf the SNMP messages are generated using this entry.

level noAuthNoPriv|authNoPriv|authPriv
Allows you to select the level of security to be used when generating the SNMP messages using this entry. The level noAuthNoPriv means that the SNMP message will be sent without authentication and without using a privacy protocol. The level authNoPriv means that the SNMP message will be sent with authentication but without using a privacy protocol. The level authPriv means that the SNMP message will be sent both with authentication and using a privacy protocol.

del
Deletes the targetParamsTable entry.

cur
Displays the current targetParamsTable configuration.

/cfg/sys/ssnmp/snmpv3/notify
SNMPv3 Notify Table Configuration Menu

SNMPv3 uses Notification Originator to send out traps. A notification typically monitors a system for particular events or conditions, and generates Notification-Class messages based on these events or conditions.

[SNMPv3 snmpNotifyTable 1 Menu]
     name     - Set notify name
     tag      - Set notify tag
     del      - Delete notifyTable entry
     cur      - Display current notifyTable configuration

Table 6-19 Notify Table Menu Options (/cfg/sys/ssnmp/snmpv3/notify)

Command Syntax and Usage

name <32 character name>
Defines a locally arbitrary but unique identifier associated with this SNMP notify entry.

tag <list of tag string, max 255 characters>
Allows you to configure a tag of 255 characters maximum that contains a tag value which is used to select entries in the Target Address Table. Any entry in the snmpTargetAddrTable that matches the value of this tag is selected.

del
Deletes the notify table entry.

cur
Displays the current notify table configuration.
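The SNMPv3 tables above refer to one another by name (group to usm and access, access to view, taddr to tparam, notify tag to taddr taglist), and a broken reference silently denies access or drops traps. The following added example, which is not Nortel code, cross-checks a planned set of entries before they are applied; the dict layout, the entry values and the rule that flags a write view at noAuthNoPriv are assumptions made for illustration.

```python
# Added example: cross-check SNMPv3 table entries before applying them.
# The dict layout and all entry values are constructed for illustration;
# field names follow the menu options on this page.

LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


def user_level(user):
    """Highest security level a USM user can reach with its auth/priv setup."""
    if user["auth"] == "none":
        return 0
    return 2 if user["priv"] == "des" else 1


def audit(cfg):
    """Return a list of findings; an empty list means all references resolve."""
    findings = []
    users = {u["name"]: u for u in cfg["usm"]}
    views = {v["name"] for v in cfg["view"]}
    tparams = {t["name"] for t in cfg["tparam"]}

    for u in cfg["usm"]:
        # The usm menu rejects a privacy protocol without authentication.
        if u["priv"] == "des" and u["auth"] == "none":
            findings.append(f"usm {u['name']}: priv des needs auth md5 or sha")

    for a in cfg["access"]:
        for field in ("rview", "wview", "nview"):
            if a[field] and a[field] not in views:
                findings.append(
                    f"access {a['name']}: {field} {a[field]!r} is not a defined view")
        if a["wview"] and a["level"] == "noAuthNoPriv":  # assumed policy rule
            findings.append(f"access {a['name']}: write view at noAuthNoPriv")

    for g in cfg["group"]:
        rows = [a for a in cfg["access"]
                if a["name"] == g["gname"] and a["model"] == g["model"]]
        if not rows:
            findings.append(f"group {g['uname']}: no access entry {g['gname']!r}")
        if g["model"] != "usm":
            continue
        user = users.get(g["uname"])
        if user is None:
            findings.append(f"group {g['uname']}: unknown USM user")
        elif rows and all(LEVELS[a["level"]] > user_level(user) for a in rows):
            findings.append(
                f"group {g['uname']}: user cannot reach level of {g['gname']!r}")

    for t in cfg["tparam"]:
        if t["model"] != "usm":
            continue
        user = users.get(t["uname"])
        if user is None:
            findings.append(f"tparam {t['name']}: unknown USM user {t['uname']!r}")
        elif LEVELS[t["level"]] > user_level(user):
            findings.append(
                f"tparam {t['name']}: level {t['level']} exceeds user {t['uname']!r}")

    tags = set()
    for addr in cfg["taddr"]:
        if addr["pname"] not in tparams:
            findings.append(f"taddr {addr['name']}: unknown tparam {addr['pname']!r}")
        tags.update(addr["taglist"].split())  # tag lists are whitespace-separated
    for n in cfg["notify"]:
        if n["tag"] not in tags:
            findings.append(
                f"notify {n['name']}: tag {n['tag']!r} selects no target address")
    return findings


# Constructed plan with deliberate mistakes (addresses from RFC 5737 ranges).
SAMPLE = {
    "usm": [{"name": "nocadmin", "auth": "sha", "priv": "des"},
            {"name": "monitor", "auth": "md5", "priv": "none"},
            {"name": "legacy", "auth": "none", "priv": "des"}],
    "view": [{"name": "all"}, {"name": "sysonly"}],
    "access": [
        {"name": "admingrp", "model": "usm", "level": "authPriv",
         "rview": "all", "wview": "all", "nview": "all"},
        {"name": "rogrp", "model": "usm", "level": "authPriv",
         "rview": "sysonly", "wview": "", "nview": ""},
        {"name": "opengrp", "model": "usm", "level": "noAuthNoPriv",
         "rview": "all", "wview": "iso", "nview": ""}],
    "group": [{"model": "usm", "uname": "nocadmin", "gname": "admingrp"},
              {"model": "usm", "uname": "monitor", "gname": "rogrp"},
              {"model": "usm", "uname": "ghost", "gname": "opengrp"}],
    "tparam": [{"name": "v3trap", "mpmodel": "snmpv3", "model": "usm",
                "uname": "nocadmin", "level": "authPriv"}],
    "taddr": [{"name": "nms1", "addr": "192.0.2.10", "port": 162,
               "taglist": "v3traps", "pname": "v3trap"},
              {"name": "nms2", "addr": "192.0.2.11", "port": 162,
               "taglist": "v3traps", "pname": "v3trp"}],
    "notify": [{"name": "n1", "tag": "v3traps"}, {"name": "n2", "tag": "v1traps"}],
}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```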


/cfg/sys/health
System Health Check Configuration Menu

[System TCP Health Menu]
     add      - Add TCP services to listen for health check
     rem      - Remove TCP services from listening
     on       - Turn system TCP health services ON
     off      - Turn system TCP health services OFF
     cur      - Display current TCP health services configuration

Table 6-20 System Health Check Configuration Menu Options (/cfg/sys/health)

Command Syntax and Usage

add <TCP port (2-65534)>
Adds TCP services that listen for health checks. Specify a TCP service port number, such as 80 for HTTP.

rem <TCP port (2-65534)>
Removes TCP services that were added to listen for health checks. Specify a TCP service port number, such as 80 for HTTP.

on
Turns on the TCP health check services.

off
Turns off the TCP health check services.

cur
Displays the current TCP health check services configuration.


/cfg/sys/access
System Access Control Configuration

[System Access Menu]
     mgmt     - Management Network Access Menu
     port     - Port Management Access Menu
     user     - User Access Control Menu (passwords)
     https    - HTTPS (Web) Server Access Menu
     sshd     - SSH Server Menu
     xml      - XML Configuration Access Menu
     http     - Enable/disable HTTP (Web) server access
     wport    - Set HTTP (Web) server port number
     snmp     - Set SNMP access control
     tnport   - Set Telnet server port number
     rlimit   - Set max rate of ARP, ICMP, TCP, or UDP packets to MP
     cur      - Display current system access configuration

Table 6-21 System Access Configuration Menu Options (/cfg/sys/access)

Command Syntax and Usage

mgmt
Displays the Management Configuration Menu. To view menu options, see page 289.

port
Displays the Port Management Access Menu. To view menu options, see page 291.

user
Displays the User Access Control Menu. To view menu options, see page 291.

https
Displays the HTTPS Server Access Menu. To view menu options, see page 295.

http disable|enable
Enables or disables HTTP (Web) access to the browser-based interface. It is disabled by default.

wport <TCP port number (1-65535)>
Sets the switch port used for serving switch Web content. The default is HTTP port 80. If Global Server Load Balancing is to be used, set this to a different port (such as 8080).

snmp disable|read-only|read-write
Sets the SNMP user access level to disabled, read-only, or read-write.

tnet
Enables or disables Telnet access to the switch. This command is disabled by default. You will see this command only if you are connected to the switch through the console port.

tnport <TCP port number>
Sets the TCP port number on which the Telnet server listens for Telnet sessions. This optional setting is for cases where the server listens for Telnet sessions on a non-standard port.

rlimit <arp|icmp|tcp|udp> <max rate, 0-65535 (pkts/sec)>
Sets switch-wide rate limiting on traffic entering the switch over ARP, ICMP, TCP, or UDP protocols. Specify which protocol you wish to limit. Then specify the maximum rate, which is the maximum number of packets per second that is allowed to enter the switch.

cur
Displays the current configuration.

/cfg/sys/access/mgmt
Management Networks Menu

This menu is used to define IP address ranges which are allowed to access the switch for management purposes. Nortel Application Switch Operating System 23.0 supports up to 10 management networks.

NOTE – The add and rem commands below replace the /cfg/sys/mnet and /cfg/sys/mmask commands found in earlier releases of Nortel Application Switch Operating System.

[Management Networks Menu]
     add      - Add mgmt network definition
     rem      - Remove mgmt network definition
     cur      - Display current mgmt network definitions


Table 6-22 Management Network Menu Options (/cfg/sys/access/mgmt)

Command Syntax and Usage

add <mgmt network address> <mgmt network mask>
Adds a defined network through which switch access is allowed through Telnet, SNMP, RIP, or the Nortel Application Switch Operating System browser-based interface. The network address combined with the network mask produces a range of IP addresses. Specify the IP address and the mask in dotted-decimal notation.

NOTE – If you configure the management network without including the switch interfaces, it will cause the Firewall Load Balancing health checks to fail and will create a “Network Down” state on the network.

rem <mgmt network address> <mgmt network mask>
Removes a defined network, which consists of a management network address and a management network mask address.

cur
Displays the current configuration.
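A pre-change check for the add command and the NOTE above: given the planned address and mask pairs, it reports switch interfaces and administrator hosts that would fall outside every management network. This is an added example, not part of the switch software; the function names and all addresses (documentation ranges) are constructed.

```python
# Added example: review planned management networks before applying them.
# Addresses are constructed (RFC 5737 documentation ranges).
import ipaddress

MAX_MGMT_NETWORKS = 10  # limit stated on this page


def parse_mgmt(address, mask):
    """Network for one `add <address> <mask>` pair in dotted-decimal form.

    A non-contiguous mask such as 255.0.255.0 raises ValueError.
    """
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def review(mgmt_pairs, switch_interfaces, admin_hosts):
    """Summarise what a planned set of management networks would allow."""
    nets = [parse_mgmt(address, mask) for address, mask in mgmt_pairs]

    def outside(hosts):
        return [h for h in hosts
                if not any(ipaddress.ip_address(h) in n for n in nets)]

    return {
        # More entries than the switch supports.
        "over_limit": len(nets) > MAX_MGMT_NETWORKS,
        # Switch interfaces left out: the case the NOTE warns about.
        "interfaces_outside": outside(switch_interfaces),
        # Administrator workstations that would lose access.
        "admins_locked_out": outside(admin_hosts),
        # Entries already covered by a wider entry in the same plan.
        "redundant": [str(n) for n in nets
                      if any(n != o and n.subnet_of(o) for o in nets)],
    }


PLAN = [
    ("192.0.2.0", "255.255.255.192"),
    ("198.51.100.16", "255.255.255.240"),
    ("192.0.2.32", "255.255.255.224"),
]
INTERFACES = ["192.0.2.1", "203.0.113.1"]
ADMINS = ["198.51.100.20", "198.51.100.40"]

if __name__ == "__main__":
    for key, value in review(PLAN, INTERFACES, ADMINS).items():
        print(key, value)
```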

/cfg/sys/access/port
Port Management Access Menu

[Port Management Access Menu]
     add      - Add port with management access
     aadd     - Add all ports with management access
     rem      - Remove port from management access
     arem     - Remove all ports from management access
     cur      - Display current ports with management access

Table 6-23 Port Management Access Menu Options

Command Syntax and Usage

add <port_number>
Adds a port with management access.

aadd
Adds all ports with management access.

rem <port_number>
Removes a port from management access.

arem
Removes all ports from management access.

cur
Displays the port numbers that currently have management access.

/cfg/sys/access/user
User Access Control Menu

     uid      - User ID Menu
     usrpw    - Set user password (user)
     sopw     - Set SLB operator password (slboper)
     l4opw    - Set L4 operator password (l4oper)
     opw      - Set operator password (oper)
     sapw     - Set Slb administrator password (slbadmin)
     l4apw    - Set L4 administrator password (l4admin)
     admpw    - Set administrator password (admin)
     cur      - Display current user status


NOTE – Passwords can be a maximum of 15 characters.

Table 6-24 User Access Control Menu Options (/cfg/sys/access/user)

Command Syntax and Usage

uid <User ID, 1-10>
Displays the User ID Menu. To view menu options, see page 294.

usrpw
Sets the user (user) password. The user has no direct responsibility for switch management. He or she can view switch status information and statistics, but cannot make any configuration changes.

sopw
Sets the SLB operator (slboper) password. The SLB operator manages Web servers and other Internet services and their loads. He or she can view all switch information and statistics and can enable/disable servers using the Server Load Balancing configuration menus. Access includes “user” functions.

l4opw
Sets the Layer 4 operator (l4oper) password. The Layer 4 operator manages traffic on the lines leading to the shared Internet services. He or she can view all switch information and statistics. Access includes “slboper” functions.

opw
Sets the operator (oper) password. The operator password can have a maximum of 15 characters. The operator manages all functions of the switch. He or she can view all switch information and statistics and can reset ports or the entire switch. Access includes “l4oper” functions.

sapw
Sets the SLB administrator (slbadmin) password. The SLB administrator configures and manages Web servers and other Internet services and their loads. He or she can view all switch information and statistics, but can configure changes only on the Server Load Balancing menus. Note that the Filter Menu options are not accessible to the SLB administrator. Access includes “l4oper” functions.

l4apw
Sets the Layer 4 administrator (l4admin) password. The Layer 4 administrator configures and manages traffic on the lines leading to the shared Internet services. He or she can view all switch information and statistics and can configure parameters on the Server Load Balancing menus, with the exception of not being able to configure filters. Access includes “slbadmin” functions.


admpw
Sets the administrator (admin) password. The super user administrator has complete access to all menus, information, and configuration commands on the Nortel Application Switch, including the ability to change both the user and administrator passwords. Access includes “oper” and “l4admin” functions.

cur
Displays the current user status.


/cfg/sys/access/user/uid
System User ID Configuration Menu

This feature allows the users to operate the real servers assigned to them. Using this command you can list the current status of the real server including the real server number, the real server name, the operational state of the real server, and the number of current sessions. You can enable or disable the real servers and change the password for accessing these real servers.

[User ID 1 Menu]
     cos      - Set class of service
     name     - Set user name
     pswd     - Set user password
     add      - Add real server
     rem      - Remove real server
     ena      - Enable user ID
     dis      - Disable user ID
     del      - Delete user ID
     cur      - Display current user configuration

Table 6-25 User ID Configuration Menu Options (/cfg/sys/access/user/uid)

Command Syntax and Usage

cos <user|slboper|l4oper|oper|slbadmin|l4admin|admin>
Sets the Class-of-Service to define the user’s authority level. Nortel Application Switch Operating System defines these levels as: User, SLB Operator, Layer 4 Operator, Operator, SLB Administrator, and Administrator, with User being the most restricted level.

name <8 char max>
Defines the user name, with a maximum of eight characters.

pswd <15 char max>
Sets the user password, with a maximum of 15 characters.

add <real server number, 1-1023>
Assigns a real server access to this user.

rem <real server number, 1-1023>
Removes a real server access from this user.

ena
Enables the user ID.

dis
Disables the user ID.

del
Deletes the user ID.

cur
Displays the current user ID configuration.

/cfg/sys/access/https
HTTPS Access Configuration Menu

[https Menu]
     https    - Enable/Disable HTTPS Web access
     port     - HTTPS WebServer port number
     generate - Generate self-signed HTTPS server certificate
     certSave - save HTTPS certificate
     cur      - Display current SSL Web Access configuration

Table 6-26 HTTPS Access Configuration Menu Options (/cfg/sys/access/https)

Command Syntax and Usage

https
Enables or disables BBI access (Web access) using HTTPS.

port <TCP port number>
Defines the HTTPS Web server port number.

generate
Allows you to generate a certificate to connect to the SSL to be used during the key exchange. A default certificate is created when HTTPS is enabled for the first time. The user can create a new certificate defining the information that they want to be used in the various fields. For example:

     Country Name (2 letter code) [ ]: CA
     State or Province Name (full name) []: Ontario
     Locality Name (for example, city) []: Ottawa
     Organization Name (for example, company) []: Nortel Networks
     Organizational Unit Name (for example, section) []: Alteon
     Common Name (for example, user’s name) []: Mr Smith
     Email (for example, email address) []: [email protected]

You will be asked to confirm if you want to generate the certificate. It will take approximately 30 seconds to generate the certificate. Then the switch will restart the SSL agent.


certSave
Allows the client, or the Web browser, to accept the certificate and save the certificate to Flash to be used when the switch is rebooted.

cur
Displays the current SSL Web Access configuration.


/cfg/sys/access/sshd
SSH Server Menu

[SSH Server Menu]
     sshport  - Set SSH server port number
     ena      - Enable SCP apply and save
     on       - Turn SSH server ON (SSHv1/SSHv2)
     cur      - Display current SSH server configuration

Table 6-27 SSH Server Menu Options

Command Syntax and Usage

sshport <TCP_port_number>
Sets the SSH server port number.

ena
Enables SCP apply and save.

on
Turns the SSH server on.

cur
Displays the current SSH server configuration.


/cfg/sys/access/xml
XML Configuration Access Menu

[XML Config Access Menu]
     xml      - Enable/disable XML config access
     port     - Set XML server port number
     gtcert   - Import XML client certificate
     delcert  - Delete XML client certificate
     dispcert - Display XML client certificate
     debug    - Debug XML operations
     cur      - Display current XML config access configuration

Table 6-28 XML Configuration Menu Options

Command Syntax and Usage

xml
Enables or disables XML access. For an example, see page 299.

port <TCP_port_number>
Sets the XML server port number.

gtcert
Imports an XML client certificate.
     Enter hostname or IP address of FTP/TFTP server:
     Enter name of file on FTP/TFTP server:
     Enter username for FTP server or hit return for TFTP server:

delcert
Deletes the XML client certificate.
     Current XML client certificate has been deleted from FLASH

dispcert
Displays the current XML certificate.

debug
Toggles Debug mode on or off. Enabling XML debugging causes all commands in the XML file to be echoed to the Console, each prefaced with running XML cmd: or Invalid XML cmd:. All responses to the commands are also output to the Console.
     Current XML debug: enabled
     Enter new XML debug [d/e]:

cur
Displays the current XML configuration.
     XML config access currently disabled on TCP port 443
     XML debug is enabled
     Note: there are pending config changes; use "diff" to see them.


/cfg/sys/access/xml/xml
Example of enabling or disabling XML access

     Current XML access: disabled
     Pending new XML access: enabled
     Enter new XML access [d/e]:


/cfg/sys/timezone
Configure the Timezone

     >> Main# /cfg/sys/timezone
     Please identify a location so that time zone rules can be set correctly.
     Please select a continent or ocean.
      1) Africa
      2) Americas
      3) Antarctica
      4) Arctic Ocean
      5) Asia
      6) Atlantic Ocean
      7) Australia
      8) Europe
      9) Indian Ocean
     10) Pacific Ocean
     11) None - disable timezone setting
     Enter the number of your choice: 2
     Please select a country.
      1) Anguilla              18) Ecuador               35) Paraguay
      2) Antigua & Barbuda     19) El Salvador           36) Peru
      3) Argentina             20) French Guiana         37) Puerto Rico
      4) Aruba                 21) Greenland             38) St Kitts & Nevis
      5) Bahamas               22) Grenada               39) St Lucia
      6) Barbados              23) Guadeloupe            40) St Pierre & Miquelon
      7) Belize                24) Guatemala             41) St Vincent
      8) Bolivia               25) Guyana                42) Suriname
      9) Brazil                26) Haiti                 43) Trinidad & Tobago
     10) Canada                27) Honduras              44) Turks & Caicos Is
     11) Cayman Islands        28) Jamaica               45) United States
     12) Chile                 29) Martinique            46) Uruguay
     13) Colombia              30) Mexico                47) Venezuela
     14) Costa Rica            31) Montserrat            48) Virgin Islands (UK)
     15) Cuba                  32) Netherlands Antilles  49) Virgin Islands (US)
     16) Dominica              33) Nicaragua
     17) Dominican Republic    34) Panama
     Enter the number of your choice: 10


     Please select one of the following time zone regions.
      1) Newfoundland Island
      2) Atlantic Time - Nova Scotia (most places), NB, W Labrador, E Quebec & PEI
      3) Atlantic Time - E Labrador
      4) Eastern Time - Ontario & Quebec - most locations
      5) Eastern Time - Thunder Bay, Ontario
      6) Eastern Standard Time - Pangnirtung, Nunavut
      7) Eastern Standard Time - east Nunavut
      8) Eastern Standard Time - central Nunavut
      9) Central Time - Manitoba & west Ontario
     10) Central Time - Rainy River & Fort Frances, Ontario
     11) Central Time - west Nunavut
     12) Central Standard Time - Saskatchewan - most locations
     13) Central Standard Time - Saskatchewan - midwest
     14) Mountain Time - Alberta, east British Columbia & west Saskatchewan
     15) Mountain Time - central Northwest Territories
     16) Mountain Time - west Northwest Territories
     17) Mountain Standard Time - Dawson Creek & Fort Saint John, British Columbia
     18) Pacific Time - west British Columbia
     19) Pacific Time - south Yukon
     20) Pacific Time - north Yukon
     Enter the number of your choice: 2

/cfg/port <port number>
Port Configuration

The Port Menu enables you to configure settings for individual switch ports. This command is enabled by default.

Port configuration is different on Nortel Application Switch Operating System 2000 series and 3000 series.


Nortel Application Switch Operating System 2000 Series

The following table displays the number of Fast Ethernet ports and SFP GBIC ports with the numbering of the ports on Nortel Application Switch Operating System 2000 series:

Fast Ethernet Ports
The RJ-45 jack is used for connecting 10/100 Mbps Ethernet segments to the port. The ports are auto-sensing, auto-negotiating, and support half or full-duplex operation.

SFP GBIC Ports
The LC jack is used for connecting Gigabit Ethernet fiber optic segments. The SFP modules are not shipped with the product. You may order the SFP modules from Nortel Networks.

For more information on connectors, please refer to the Hardware Installation Guide for Nortel Application Switch Operating System.

Table 6-29 Port Configuration and Numbering on Nortel Application Switch Operating System 2000 Series

Model                                 10/100 Mbps Fast Ethernet Port Numbers   1000 Mbps SFP GBIC Port Numbers
Nortel Application Switch 2208 (1U)   1–8                                      9–10
Nortel Application Switch 2216 (1U)   1–16                                     17–18
Nortel Application Switch 2224 (1U)   1–24                                     25–26
Nortel Application Switch 2424 (1U)   1–24                                     25–28


The commands on Nortel Application Switch Operating System 2000 series and their descriptions are as follows:

[Port <port_number> Menu]
     fast    - Fast Phy Menu
     gig     - Gig Phy Menu
     pvid    - Set default port VLAN id
     alias   - Set port alias
     name    - Set port name
     cont    - Set default port BW Contract
     nonip   - Set BW Contract for non-IP traffic
     egbw    - Set port egress bandwidth Limit
     rmon    - Enable/Disable RMON for port
     tag     - Enable/disable VLAN tagging for port
     iponly  - Enable/disable allowing only IP related frames at ingress
     ena     - Enable port
     dis     - Disable port
     cur     - Display current port configuration

Table 6-30 Port Configuration Menu Options (/cfg/port)

Command Syntax and Usage

fast
If a port is configured to support Fast Ethernet, this option displays the Fast Ethernet Physical Link Menu. To view menu options, see page 313.

gig
If a port is configured to support Gigabit Ethernet, this option displays the Gigabit Ethernet Physical Link Menu. To view menu options, see page 313.

pvid <VLAN number, 1-4090>
Sets the default VLAN number which will be used to forward frames which are not VLAN tagged. The default number is 1.

alias <15 characters string>
Set an alias for the port number.

name <64 character string>|none
Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to none.

cont <BWM Contract (1-1024)>
Sets the default Bandwidth Management Contract for this port.

nonip <BW Contract number, 1-1024>
Sets the Bandwidth Management contract for non-IP traffic for this port.


egbw <0k-5000k|1m-100m>
Sets the egress bandwidth limit for the port to avoid overloading the receiving router or switch. Using this command, you can configure the egress bandwidth limit of the port to match the link bandwidth of the receiving router or switch. This means that the port’s speed will be taken as the egress bandwidth. For example, the egress bandwidth for an FE port will be 100m. The default is 0.

NOTE – You need a Bandwidth Management license to use this command.

rmon disable|enable
Disables or enables RMON for this port. It is disabled by default.

tag disable|enable
Disables or enables VLAN tagging for this port. It is disabled by default.

iponly disable|enable
Disables or enables allowing only IP-related frames. It is disabled by default.

ena
Enables the port.

dis
Disables the port. (To temporarily disable a port without changing its configuration attributes, refer to “Temporarily Disabling a Port” on page 314.)

cur
Displays the current port parameters.

/cfg/port <port number> fast|gig
Port Link Configuration

Use these menu options to set port parameters for the port link.

[Fast Link Menu]
     speed  - Set link speed
     mode   - Set full or half duplex mode
     fctl   - Set flow control
     auto   - Set auto negotiation
     cur    - Display current fast link configuration


NOTE – If the port does not have a Gig Ethernet physical link, the following message is displayed:

     >> Port 1# gig
     Current Port 1 does not have Gig Ethernet phy.

NOTE – Since the speed and mode parameters cannot be set for Gigabit Ethernet ports, these options do not appear on the Gigabit Link Menu.

Link menu options are described in Table 6-38 and appear on the fast and gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as speed, flow control, and negotiation mode for the port link.

Table 6-31 Port Link Configuration Menu Options (/cfg/port/fast|gig)

Command Syntax and Usage

speed 10|100|any
Sets the link speed. Not all options are valid on all ports. The choices include:
  - Any for automatic detection (default)
  - 10 Mbps
  - 100 Mbps
This menu appears only if a Fast Ethernet port is selected.

mode full|half|any
Sets the operating mode. This command is available only in the Fast Link Menu. The choices include:
  - Any for auto negotiation (default)
  - Full-duplex
  - Half-duplex
This menu appears only if a Fast Ethernet port is selected.

fctl rx|tx|both|none
Sets the flow control. This command is available only in the Fast Link Menu. The choices include:
  - Receive flow control
  - Transmit flow control
  - Both receive and transmit flow control (default)
  - No flow control

auto on|off
Enables or disables auto negotiation for the port.

cur
Displays the current port parameters.


Nortel Application Switch 3000 Series

The following table displays the port configuration and numbering on Nortel Application Switch 3408:

Port Configuration on Nortel Application Switch 3408

The Nortel Application Switch 3408 contains 12 ports. Their description is as follows:

  - Four 1000BaseT ports (1, 2, 7, and 8) with RJ-45 connectors. The ports are autonegotiating and support half or full duplex operation.

  - Four dual-mode ports (3, 4, 5, and 6). These ports have two interfaces each: 1000 Mbps SFP GBIC and 10/100/1000Base-T Copper. When the 1000 Mbps SFP GBIC port is selected as the preferred link, it is fixed at 1000 Mbps, full-duplex with autonegotiation turned on. When the 10/100/1000Base-T copper port is selected as the preferred link, it can be configured at any speed. However, if 1000 Mbps is selected, autonegotiation must be turned on. You can set either interface as the preferred or backup link. See “Dual-Mode Ports” on page 311 for more details.

  - Four Small Form Pluggable (SFP) GBIC Fiber ports (9–12). These ports are designed to operate at 1000 Mbps and full duplex mode only.

NOTE – For more information on connectors, refer to the Nortel Application Switch Operating System Hardware Installation Guide Part Number 315393-E.

Table 6-32 Port configuration on Nortel Application Switch 3408

Model                                 10/100/1000Base-T Copper Port Numbers   Dual-Mode Port Numbers   1000 Mbps SFP GBIC Port Numbers
Nortel Application Switch 3408 (1U)   1, 2, 7, 8                              3–6                      9–12


Single-Mode ports

10/100/1000Base-T Copper Ports

When you select a single-mode copper port (1, 2, 7, or 8), you see the menu below:

[Port 1 Menu]
     fast    - Fast Phy Menu
     gig     - Gig Phy Menu
     pvid    - Set default port VLAN id
     alias   - Set port alias
     name    - Set port name
     cont    - Set default port BW Contract
     nonip   - Set BW Contract for non-IP traffic
     egbw    - Set port egress bandwidth Limit
     rmon    - Enable/Disable RMON for port
     tag     - Enable/disable VLAN tagging for port
     iponly  - Enable/disable allow IP related frames at ingress
     ena     - Enable port
     dis     - Disable port
     cur     - Display current port configuration

Table 6-33 Single-Mode Copper Port Configuration Menu Options (/cfg/port <1, 2, 7, or 8>)

Command Syntax and Usage

gig
If a port is configured to support Gigabit Ethernet, this option displays the Copper Gigabit Ethernet Physical Link Menu. To view menu options, see page 308.

pvid <VLAN number (1-4090)>
Sets the default VLAN number which will be used to forward frames which are not VLAN tagged. The default number is 1.

name <64 character string>|none
Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to None.

cont <BWM Contract (1-1024)>
Sets the default Bandwidth Management Contract for this port.

rmon disable|enable
Disables or enables RMON for this port. It is disabled by default.

tag disable|enable
Disables or enables VLAN tagging for this port. It is disabled by default.

iponly disable|enable
Disables or enables allowing only IP-related frames. It is disabled by default.


ena
Enables the port.

dis
Disables the port. (To temporarily disable a port without changing its configuration attributes, refer to “Temporarily Disabling a Port” on page 314.)

cur
Displays the current port parameters.

/cfg/port <port number> gig
Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu

Use these menu options to set port parameters for the port link. Link menu options are described in Table 6-38 and appear on the gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as speed, flow control, and negotiation mode for the port link.

[GE Copper Link Menu]
     speed  - Set link speed
     mode   - Set duplex mode
     fctl   - Set flow control
     auto   - Set auto negotiate
     cur    - Display current ge copper link configuration

Table 6-34 Single-Mode Copper Port Gigabit Ethernet Link Configuration Menu Options (/cfg/port <1, 2, 7, or 8>/gig)

Command Syntax and Usage

speed 10|100|1000|any
Sets the link speed. Not all options are valid on all ports. The choices include:
  - Any for automatic detection (default)
  - 10 Mbps
  - 100 Mbps
  - 1000 Mbps

mode full|half|any
Sets the operating mode. The choices include:
  - Any for auto negotiation (default)
  - Full-duplex
  - Half-duplex


fctl rx|tx|both|none
Sets the flow control. This command is available only in the Fast Link Menu. The choices include:
  - Receive flow control
  - Transmit flow control
  - Both receive and transmit flow control (default)
  - No flow control

auto on|off
Enables or disables autonegotiation for the port.

cur
Displays the current Gigabit Ethernet copper link port parameters.

1000 Mbps SFP GBIC Fiber SFP Ports

When you select a single-mode SFP fiber port (9–12), you see a slightly different menu as below:

[Port 9 Menu]
     gig     - SFP Gig Phy Menu
     pvid    - Set default port VLAN id
     name    - Set port name
     cont    - Set default port BW Contract
     egbw    - Set port egress bandwidth Limit
     rmon    - Enable/Disable RMON for port
     tag     - Enable/disable VLAN tagging for port
     iponly  - Enable/disable allowing only IP related frames
     ena     - Enable port
     dis     - Disable port
     cur     - Display current port configuration

Table 6-35 Single-Mode SFP Gigabit Ethernet Port Configuration Menu Options (/cfg/port <9–12>)

Command Syntax and Usage

gig
If a port is configured to support Gigabit Ethernet, this option displays the SFP Gigabit Ethernet Physical Link Menu. To view menu options, see page 310.

pvid <VLAN number (1-4090)>
Sets the default VLAN number which will be used to forward frames which are not VLAN tagged. The default number is 1.


name <64 character string>|none
Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to None.

cont <BWM Contract (1-1024)>
Sets the default Bandwidth Management Contract for this port.

rmon disable|enable
Disables or enables RMON for this port. It is disabled by default.

tag disable|enable
Disables or enables VLAN tagging for this port. It is disabled by default.

iponly disable|enable
Disables or enables allowing only IP-related frames. It is disabled by default.

ena
Enables the port.

dis
Disables the port. (To temporarily disable a port without changing its configuration attributes, refer to “Temporarily Disabling a Port” on page 314.)

cur
Displays the current port parameters.

/cfg/port <port number> gig
Single-Mode SFP Gigabit Ethernet Port Link Configuration Menu

Use these menu options to set port parameters for the port link. Link menu options are described in Table 6-38 and appear on the gig port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as flow control and negotiation mode for the port link.

[GE SFP Link Menu]
     fctl  - Set flow control
     auto  - Set auto negotiate
     cur   - Display current SFP gig link configuration


Table 6-36 Single-Mode SFP Gigabit Ethernet Port Link Configuration Menu Options (/cfg/port <9-12>/gig)

Command Syntax and Usage

fctl rx|tx|both|none
Sets the flow control. The choices include:
  - Receive flow control
  - Transmit flow control
  - Both receive and transmit flow control (default)
  - No flow control

auto on|off
Enables or disables autonegotiation for the port.

cur
Displays the current SFP Gigabit Ethernet link port parameters.

Dual-Mode Ports

When you select any one of the dual-mode ports (3–6), you see the menu below:

[Port 3 Menu]
     cop     - Copper Gig Phy Menu
     sfp     - SFP Gig Phy Menu
     pref    - Set preferred link
     back    - Set backup link
     pvid    - Set default port VLAN id
     name    - Set port name
     cont    - Set default port BW Contract
     rmon    - Enable/Disable RMON for port
     tag     - Enable/disable VLAN tagging for port
     iponly  - Enable/disable allowing only IP related frames
     ena     - Enable port
     dis     - Disable port
     cur     - Display current port configuration

Table 6-37 Dual-Mode Port Configuration Menu Options (/cfg/port <3–6>)

Command Syntax and Usage

cop
Displays Copper Gigabit Physical Link Menu. To view menu options, see page 313.

sfp
Displays SFP Gigabit Physical Link Menu. To view menu options, see page 314.


pref copper|sfp
Sets the port preference between copper or SFP mode. The selected port will be used as the preferred port if both the ports are available.

back copper|sfp|none
Sets the preference for the backup link if the preferred port is not available. You cannot set the preferred port as the backup port. If you choose none, the port will not switch automatically to the backup port if the preferred port goes down.

pvid <VLAN number (1-4090)>
Sets the default VLAN number which will be used to forward frames which are not VLAN tagged. The default number is 1.

name <64 character string>|none
Sets a name for the port. The assigned port name appears next to the port number on some information and statistics screens. The default is set to None.

cont <BWM Contract (1-1024)>
Sets the default Bandwidth Management Contract for this port.

rmon disable|enable
Disables or enables RMON for this port. It is disabled by default.

tag disable|enable
Disables or enables VLAN tagging for this port. It is disabled by default.

iponly disable|enable
Disables or enables allowing only IP-related frames. It is disabled by default.

ena
Enables the port.

dis
Disables the port. (To temporarily disable a port without changing its configuration attributes, refer to “Temporarily Disabling a Port” on page 314.)

cur
Displays the current port parameters.


/cfg/port <port number (3–6)> cop
Dual-Mode Copper Port Link Configuration

Use these menu options to set port parameters for the port link.

Link menu options are described in Table 6-38 and appear on the cop port configuration menus for the Nortel Application Switch. Using these configuration menus, you can set port parameters such as speed, flow control, and negotiation mode for the port link.

[GE Copper Link Menu]
     speed  - Set link speed
     mode   - Set duplex mode
     fctl   - Set flow control
     auto   - Set auto negotiate
     cur    - Display current ge copper link configuration

Table 6-38 Dual-Mode Copper Port Link Configuration Menu Options (/cfg/port <3–6>/cop)

Command Syntax and Usage

speed 10|100|1000|any
Sets the link speed. Not all options are valid on all ports. The choices include:
  - Any for automatic detection (default)
  - 10 Mbps
  - 100 Mbps
  - 1000 Mbps

mode full|half|any
Sets the operating mode. The choices include:
  - Any for autonegotiation (default)
  - Full-duplex
  - Half-duplex

fctl rx|tx|both|none
Sets the flow control. The choices include:
  - Receive flow control
  - Transmit flow control
  - Both receive and transmit flow control (default)
  - No flow control

auto on|off
Enables or disables auto negotiation for the port.

cur
Displays the current Gigabit Ethernet copper link port parameters.


/cfg/port <port number (3–6)> sfp
Dual-Mode SFP Gigabit Link Configuration Menu

[GE SFP Link Menu]
     fctl  - Set flow control
     cur   - Display current SFP gig link configuration

Table 6-39 Dual-Mode SFP Gigabit Link Configuration Menu Options (/cfg/port <3-6>/sfp)

Command Syntax and Usage

fctl rx|tx|both|none
Sets the flow control. The choices include:
  - Receive flow control
  - Transmit flow control
  - Both receive and transmit flow control (default)
  - No flow control

cur
Displays the current SFP Gigabit link port configuration.

Temporarily Disabling a Port

To temporarily disable a port without changing its stored configuration attributes, enter the following command at any prompt:

     Main# /oper/port <port number>/dis

Because this configuration sets a temporary state for the port, you do not need to use apply or save. The port state will revert to its original configuration when the Nortel Application Switch is reset. See the “Operations Menu” on page 499 for other operations-level commands.


/cfg/pmirr
Port Mirroring Menu

[Port Mirroring Menu]
     mirror   - Enable/Disable Mirroring
     monport  - Configure Monitor Port
     cur      - Display All Mirrored and Monitored Ports and VLANs

Port mirroring is disabled by default.

The Port Mirroring Menu is used to configure, enable, and disable the monitored port. When enabled, network packets being sent and/or received on a target port are duplicated and sent to a monitor port. By attaching a network analyzer to the monitor port, you can collect detailed information about your network performance and usage.

Table 6-40 Port Mirroring menu options (/cfg/pmirr)

Command Syntax and Usage

mirror disable|enable
Enables or disables port mirroring.

monport <monitoring port (port to mirror to)>
Displays port-mirroring menu options that help configure the port. To view menu options, see page 315.

cur
Displays the current settings of the mirrored and monitoring ports.

/cfg/pmirr monport
Port-Mirroring Menu

     >> Port Mirroring# monport
     Enter port (1-28): <port_number>
     ------------------------------------------------------------
     [Port 1 Menu]
          add  - Add "Mirrored" port and VLANs
          rem  - Rem "Mirrored" port and VLANs
          cur  - Display current Port-based Port Mirroring configuration


/cfg/bwm
Bandwidth Management Configuration

Bandwidth Management (BWM) enables Web site managers to allocate a portion of the available bandwidth for specific users or applications. It allows companies to guarantee that critical business traffic, such as e-commerce transactions, receives higher priority than non-critical traffic. Traffic classification can be based on user or application information. BWM policies can be configured to set lower and upper bounds on the bandwidth allocation.

NOTE – BWM is a software key-enabled feature that requires users to purchase a license and a key. In order to enable BWM, users need to enter the Bandwidth Management key using the /oper/swkey command.

By default, BWM is turned off.

Refer to your Application Guide for more information.

Table 6-41 Port-Based Port-Mirroring Menu Options (/cfg/pmirr/monport)

Command Syntax and Usage

add <mirrored port (port to mirror from)> <direction (in, out, or both)> <vlan index or Carriage Return for all vlans>
Adds the port to be mirrored. This command also allows you to enter the direction of the traffic. It is necessary to specify the direction because:
  - If the source port of the frame matches the mirrored port and the mirrored direction is ingress or both (ingress and egress), the frame is sent to the mirrored port.
  - If the destination port of the frame matches the mirrored port and the mirrored direction is egress or both, the frame is sent to the monitoring port.
VLAN-based port mirroring allows the user to monitor traffic based on VLANs associated with a port. You can add specific VLAN(s) to be monitored even if there are multiple VLANs associated with that port. If you do not specify a VLAN, all traffic on that port will be mirrored.

rem <mirrored port (port to mirror from)> <vlan index or Carriage Return for all vlans>
Removes the mirrored port.

cur
Displays the current settings of the monitoring port. For example:

     >> Port 1# cur
     Monitoring port     (Mirrored port,direction,vlans)
     1                   none
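The direction and VLAN rules of the add command decide what a network analyzer or IDS on the monitoring port can actually see, so it is worth checking a planned mirroring layout against the traffic you need captured. The Python sketch below is an added example, not code from the Nortel documentation; the MirrorEntry model, the function names and the sample entries are assumptions made for illustration, and it takes every matching copy to be delivered to the monitoring port, as the Port Mirroring Menu description states.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Set, Tuple

DIRECTIONS = ("in", "out", "both")  # direction values the add command accepts


@dataclass(frozen=True)
class MirrorEntry:
    """Hypothetical model of one `add` line entered under a monitoring port."""
    monitor_port: int
    mirrored_port: int
    direction: str
    vlans: Optional[FrozenSet[int]] = None  # None models Carriage Return: all VLANs

    def __post_init__(self) -> None:
        if self.direction not in DIRECTIONS:
            raise ValueError(f"direction must be one of {DIRECTIONS}")

    def covers(self, port: int, direction: str, vlan: int) -> bool:
        """True if traffic on `port` in one direction ('in' or 'out') is copied."""
        if direction not in ("in", "out"):
            raise ValueError("a single frame direction is 'in' or 'out'")
        if port != self.mirrored_port:
            return False
        if self.direction not in (direction, "both"):
            return False
        return self.vlans is None or vlan in self.vlans


def monitors_for_frame(entries: Iterable[MirrorEntry],
                       src_port: int, dst_port: int, vlan: int) -> Set[int]:
    """Monitoring ports that receive a copy of a frame switched src_port -> dst_port."""
    hit: Set[int] = set()
    for entry in entries:
        # Ingress rule: the frame's source port is the mirrored port.
        # Egress rule: the frame's destination port is the mirrored port.
        if entry.covers(src_port, "in", vlan) or entry.covers(dst_port, "out", vlan):
            hit.add(entry.monitor_port)
    return hit


def coverage_gaps(entries: Iterable[MirrorEntry],
                  required: Iterable[Tuple[int, str, int]]) -> List[Tuple[int, str, int]]:
    """Return the (port, direction, vlan) requirements that no entry mirrors."""
    entry_list = list(entries)
    return [need for need in required
            if not any(entry.covers(*need) for entry in entry_list)]


# Constructed sample layout: monitoring port 10 sees port 1 in both directions
# on all VLANs, and port 2 ingress on VLAN 20 only.
SAMPLE_ENTRIES = [
    MirrorEntry(monitor_port=10, mirrored_port=1, direction="both"),
    MirrorEntry(monitor_port=10, mirrored_port=2, direction="in",
                vlans=frozenset({20})),
]

# Constructed capture requirements for the analyzer attached to port 10.
SAMPLE_REQUIRED = [
    (1, "in", 7), (1, "out", 7),
    (2, "in", 20), (2, "out", 20), (2, "in", 30),
]

if __name__ == "__main__":
    for port, direction, vlan in coverage_gaps(SAMPLE_ENTRIES, SAMPLE_REQUIRED):
        print(f"not mirrored: port {port} direction {direction} vlan {vlan}")
```

With the sample layout, egress traffic on port 2 and any port 2 traffic outside VLAN 20 never reaches the analyzer, which is the kind of blind spot a one-direction or VLAN-limited add entry leaves.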


NOTE – Up to 1024 bandwidth management contracts can be configured on the Nortel Application Switch Operating System.

[Bandwidth Management Menu]
     cont     - Contract Menu
     policy   - Policy Menu
     group    - Group Menu
     user     - Set SMTP server user name
     report   - Set IP address of Reporting server
     entries  - Set number of entries in the BWM IP user table
     frequen  - Set the frequency of BWM statistics in minutes
     email    - Enable/disable sending BWM statistics via email
     force    - Enable/disable enforce policies
     on       - Globally turn Bandwidth Management processing ON
     off      - Globally turn Bandwidth Management processing OFF
     cur      - Display current Bandwidth Management configuration

Table 6-42 Bandwidth Management Menu Options (/cfg/bwm)

Command Syntax and Usage

cont <BW contract number (1-1024)>
Displays the Bandwidth Management Contract Menu. To manage bandwidth on a Nortel Application Switch, you must create one or more bandwidth management contracts. The switch uses these contracts to limit individual traffic flows. For further details, see the Nortel Application Switch Operating System 23.0.2 Application Guide. By default, this option is disabled. To view menu options, see page 319.

policy <BW policy number (1-512)>
Displays the Bandwidth Management Policy Menu. Bandwidth policies are bandwidth limitations defined for any set of frames, specifying the guaranteed bandwidth rates. A bandwidth policy is often based on a rate structure whereby a Web host could charge a customer for bandwidth utilization. For further details, see the Nortel Application Switch Operating System 23.0.2 Application Guide. To view menu options, see page 322.

group <BW Group number (1-32)>
Displays the Bandwidth Management Group Menu. To view menu options, see page 323.

user <user name>
Sets the SMTP user name to whom the history statistics will be mailed. The default is set to None.

report <IP4 address> | <IP6 address>
Set the IP address of the Reporting Server.


entries <64k|128k|256k|512k>
Sets the number of entries in the Bandwidth Management IP user table.

frequen <1-1440 minutes, 0 for default behavior>
Sets the frequency of Bandwidth Management email in minutes. The default is set to 0.

email disable|enable
Enable/disable sending BWM statistics using email. When this option is disabled, these statistics are sent using a socket mechanism.

force disable|enable
Enables or disables the enforcement of bandwidth policy on the traffic. When disabled, the reordering of the packets does not occur. The packets will exit in the order they came in. This means that no bandwidth limit is applied on the queues. By default, this option is enabled.

on
Globally enables Bandwidth Management on this switch.

off
Globally disables Bandwidth Management on this switch.

cur
Displays the current Bandwidth Management configuration.


/cfg/bwm/cont <contract number>
Bandwidth Management Contract Configuration

[BW Contract <1 to 1024> Menu]
     timepol  - Time policy Menu
     name     - Set Contract name
     policy   - Set Contract Policy
     prec     - Set Contract Precedence
     iptype   - Set user (IP address) limiting type for this contract
     pmirr    - Set monitoring port for packet mirroring
     iplimit  - Enable/disable user (IP address) limiting for this contract
     history  - Enable/disable Saving Contract stats history
     wtos     - Enable/disable overwriting IP TOS for this Contract
     mononly  - Enable/disable monitor-only mode for this Contract
     shaping  - Enable/disable traffic shaping - disable is rate limiting
     wtcpwin  - Enable/disable overwriting TCP Window for this Contract
     ena      - Enable BW Contract
     dis      - Disable BW Contract
     del      - Delete BW Contract
     cur      - Display current BW Contract configuration

Table 6-43 Bandwidth Management Policy Menu Options (/cfg/bwm/cont)

Command Syntax and Usage

timepol <BW Contract time policy number (1-2)>
Displays Time Policy Menu. To view menu options, see page 320.

name <31 character name>
Sets the name for this Bandwidth Management contract.

     >> BW Contract 1# name
     Current BW Contract name:
     Enter new BW Contract name:

policy <Bandwidth policy number (1-512)>
Sets the policy number for this Bandwidth Management contract. The default policy number is 64.

prec <Bandwidth precedence value (1-255)>
Sets the precedence value for this Bandwidth Management contract. The default value is 1.

iptype <sip|dip>
Defines the IP type for this contract, whether the user (IP address) limiting is enforced by the source IP address (SIP) or the destination IP address (DIP).

pmirr <port | none>
Defines a port to mirror contract packets to. Enter a valid port to enable this feature or none to disable it. This command is available in maintenance mode only.

Page 320: Nortel Commands

iplimit disable|enable
Enables or disables user (IP address) limiting for this contract. If enabled, each IP address is limited to the user limit configured in /cfg/bwm/policy on page 322.

history disable|enable
Disables or enables saving statistics for this contract on the server. By default, it is enabled.

wtos disable|enable
Disables or enables overwriting the IP Type of Service (TOS) for this contract. By default, it is disabled.

mononly disable|enable
Enables or disables monitor-only mode for this Contract. This command is used for design and auditing purposes only. The statistics are generated but no shaping or limiting will apply to this contract.

shaping disable|enable
Disables or enables shaping of the traffic for this contract. In this context, shaping means buffering a packet and keeping it ready to be sent.

wtcpwin disable|enable
Enables or disables overwriting TCP Window for this Contract. By overwriting the default window size, the user can modify the TCP window size to a lower value so that when the packet arrives carrying the bytes within that window size, the receiver of that packet does not have to wait for acknowledgement. This may help reduce the traffic congestion. Do not set the value to lower than 1500 bytes. For details, refer to the Application Guide.

ena
Enables this Bandwidth Management contract.

dis
Disables this Bandwidth Management contract.

del
Removes this contract from the switch.

cur
Displays the current Bandwidth Management contract configuration.

/cfg/bwm/cont <contract number>/timepol <Contract time policy number>
BWM Contract Time Policy Configuration Menu

Page 321: Nortel Commands

This feature enables the user to configure different policies based on the time of the day using the following menu and commands:

[BW Contract 1 Time Policy 1 Menu]
     day      - Set Time Policy day
     from     - Set Time Policy from hour
     to       - Set Time Policy to hour
     policy   - Set Time Policy
     enable   - Enable Time Policy
     disable  - Disable Time Policy
     delete   - Delete Time Policy
     cur      - Display current Time Policy configuration

Table 6-44 BWM Contract Time Policy Configuration Menu Options (/cfg/bwm/timepol)

Command Syntax and Usage

day <mon|tue|wed|thu|fri|sat|sun|weekday|weekend|everyday>
Defines the day(s) of the week, weekdays (Monday to Friday), weekend (Saturday and Sunday) or everyday. The default is everyday.

from <1-12am/pm>
Defines the start time, in hours. If am or pm is not specified, the switch will default to am for numbers lower than 12 and will default to pm for numbers 13 or higher.

to <1-12am/pm>
Sets the end time, in hours. If am or pm is not specified, the switch will default to am for numbers lower than 12 and will default to pm for numbers 13 or higher.

policy <BW Policy number, 1-512>
Defines the policy number for the contract.

enable
Enables the Time Policy command on the switch.

disable
Disables the Time Policy command on the switch.

delete
Deletes the current Time Policy.

cur
Displays the current Time Policy configuration on the switch. For example:

Time Policy 1: Day everyday, From Hour 12am, To Hour 12am, Policy 512, disabled

Page 322: Nortel Commands

/cfg/bwm/policy <policy number>
Bandwidth Management Policy Configuration

[Policy 1 Menu]
     hard     - Set hard Limit
     soft     - Set soft Limit
     resv     - Set Reservation Limit
     userlim  - Set per user (IP address) Limit
     utos     - Set underlimit (soft limit) TOS
     otos     - Set overlimit (soft limit) TOS
     buffer   - Set Buffer Limit
     del      - Delete BW Policy
     cur      - Display current Policy configuration

Table 6-45 Bandwidth Management Policy Menu Options (/cfg/bwm/pol)

Command Syntax and Usage

hard <0k-5000k|1m-1000m>
Sets the hard bandwidth limit for this policy. This is the highest amount of bandwidth available to this policy. The default value is 2000 kbps.

soft <0k-5000k|1m-1000m>
Sets the soft bandwidth limit for this policy. The default value is 1000 kbps.

resv <0k-5000k|1m-1000m>
Sets the reserve limit for this policy. This is the amount of bandwidth always available to this policy. The default value is 500Kbytes.

userlim <0k-5000k|1m-1000m>
Sets the bandwidth limit for each IP address in the contract traffic.

utos <BW Policy TOS (0-255)>
Sets the new utos (underlimit TOS) value to overwrite the original TOS value if the traffic for this contract is under the soft limit. With this option set to the default value of “0,” the switch will not overwrite the TOS value.

otos <BW Policy TOS (0-255)>
Sets the new otos (over the limit TOS) value to overwrite the original TOS value if the traffic for this contract is over the soft limit. With this option set to the default value of “0,” the switch will not overwrite the TOS value.

buffer <Maximum buffer space (bytes) (8192-128000)>
Sets the buffer limit for this policy. The default value is 8192 bytes.

Page 323: Nortel Commands

del
Deletes the bandwidth management policy.

cur
Displays the current value of the bandwidth policy configuration.

/cfg/bwm/group
Bandwidth Management Group Configuration Menu

[BW Group 1 Menu]
     add      - Add Contract to this group
     rem      - Remove Contract from this group
     del      - Delete BW Group
     cur      - Display current BW Group configuration

Table 6-46 Bandwidth Management Group Menu Options (/cfg/bwm/group)

Command Syntax and Usage

add <BW Contract number, 1-1023 excluding default>
Adds a contract to this group.

rem <BW Contract number, 1-1023 excluding default>
Removes a contract from this group.

del
Deletes this Bandwidth Management group.

cur
Displays all current Bandwidth Management Group configurations.

Page 324: Nortel Commands

/cfg/bwm/cur
Bandwidth Management Current Configuration

Current Bandwidth Management setting: ON
Policy Enforcement: enabled
SMTP server user name:

Contract Name     Policy Prec Hist TOS State Shaping
1        cont_1   1      1    E    E   E     E
2        cont_2   2      1    E    D   D     D
1024     Default  --     0    E    D   E     D
*Default contract gets all the BW that is available on a port after the active contracts reserved BW is taken.

Policy Hard Soft Resv oTOS uTOS Buffer
1      25M  20M  500K 150  100  16320
2      10M  8M   500K 0    0    16320
3      2M   1M   500K 0    0    16320
4      2M   1M   500K 0    0    16320
5      2M   1M   500K 0    0    16320
6      2M   1M   500K 0    0    16320
7      2M   1M   500K 0    0    16320
8      2M   1M   500K 0    0    16320
9      2M   1M   500K 0    0    16320
10     2M   1M   500K 0    0    16320
11     2M   1M   500K 0    0    16320
12     2M   1M   500K 0    0    16320
13     2M   1M   500K 0    0    16320
14     2M   1M   500K 0    0    16320
15     2M   1M   500K 0    0    16320
16     2M   1M   500K 0    0    16320
17     2M   1M   500K 0    0    16320
18     2M   1M   500K 0    0    16320
19     2M   1M   500K 0    0    16320
20     2M   1M   500K 0    0    16320
21     2M   1M   500K 0    0    16320
22     2M   1M   500K 0    0    16320
23     2M   1M   500K 0    0    16320
24     2M   1M   500K 0    0    16320
25     2M   1M   500K 0    0    16320
26     2M   1M   500K 0    0    16320
27     2M   1M   500K 0    0    16320
28     2M   1M   500K 0    0    16320
29     2M   1M   500K 0    0    16320
30     2M   1M   500K 0    0    16320

Page 325: Nortel Commands

/cfg/l2
Layer 2 Configuration Menu

[Layer 2 Menu]
     mrst     - Multiple Spanning Tree/Rapid Spanning Tree Menu
     stg      - Spanning Tree Menu
     trunk    - Trunk Group Menu
     lacp     - Link Aggregation Control Protocol Menu
     vlan     - VLAN Menu
     team     - Port Teaming Menu
     ntmstg   - Enable/disable Nortel multiple STG mode
     cur      - Display current layer 2 parameters

Table 6-47 Layer 2 Configuration Menu Options (/cfg/l2)

Command Syntax and Usage

mrst
Go to the Multiple/Rapid Spanning Tree menu. See page 326.

stg <group number [1-16]>
Displays Spanning Tree Group Menu. To view menu options, see page 329.

trunk <trunk group number>
Displays Trunk Group Menu. To view menu options, see page 333.

lacp
Displays Link Aggregation Control Protocol (LACP) Menu. To view menu options, see page 335.

vlan <VLAN number (1-4090)>
Displays VLAN Menu. To view menu options, see page 339.

team
Go to the port teaming menu. See page 341.

ntmstg disable|enable
Enables or disables Nortel Multiple Spanning Tree Group mode. When Nortel multiple STG mode is enabled, the Nortel implementation of multiple STGs will be followed. When Nortel multiple STG mode is disabled, the Cisco implementation of multiple STGs will be followed. The ntmstg enabled device will not work with the device configured for Cisco implementation of Spanning Tree BPDUs. The factory default value of this command is Nortel multiple STG mode disabled. You need to reset the switch with the command /boot/reset for the Spanning Tree Group configuration to change to ntmstg enabled.

cur
Displays the current Layer 2 parameters.

Page 326: Nortel Commands

/cfg/l2/mrst
Multiple Spanning Tree Menu

[Multiple Spanning Tree Menu]
     cist     - Common and Internal Spanning Tree menu
     name     - Set MST region name
     version  - Set Version of this MST region
     maxhop   - Set Maximum Hop Count for MST (4 - 60)
     mode     - Spanning Tree Mode
     on       - Globally turn Multiple Spanning Tree (MSTP/RSTP) ON
     off      - Globally turn Multiple Spanning Tree (MSTP/RSTP) OFF
     cur      - Display current MST parameters

Table 6-48 Multiple Spanning Tree Menu Options

Command Syntax and Usage

cist
Go to the Common and Internal Spanning Tree menu. See page 327.

name <1-32 character region name>
Set the MST region name.

version <version number 1-65535>
Set the MST region version.

maxhop <max hops 4-60>
Set the maximum MST hop count.

mode mstp|rstp
Set the spanning tree mode.

on
Set the spanning tree on (Bridge MSTP/RSTP runs normally).

off
Set the spanning tree off (Bridge MSTP/RSTP does not run).

cur
Display the current MST parameters.

Page 327: Nortel Commands

/cfg/l2/mrst/cist
Multiple Spanning Tree Menu

[Common Internal Spanning Tree Menu]
     brg      - CIST Bridge parameter menu
     port     - CIST Port parameter menu
     default  - Default Common Internal Spanning Tree and Member parms
     cur      - Display current CIST parameters

Table 6-49 Multiple Spanning Tree CIST Bridge Menu Options

Command Syntax and Usage

brg
Go to the CIST Bridge parameter menu. See page 328.

port <port_number>
Set the port number.

default
Resets STG and Group member parameters to factory default.

cur
Displays current values of all objects settable from this menu.

Page 328: Nortel Commands

/cfg/l2/mrst/cist/brg
CIST Bridge Menu

[CIST Bridge Menu]
     prior    - Set CIST bridge Priority (0-65535)
     mxage    - Set CIST bridge Max Age (6-40 secs)
     fwd      - Set CIST bridge Forward Delay (4-30 secs)
     cur      - Display current CIST bridge parameters

Table 6-50 Multiple Spanning Tree CIST Bridge Menu Options

Command Syntax and Usage

prior <new bridge Priority, 0-65535>
Set the bridge priority.

mxage <new bridge Max Age, 6-40 secs>
Set the port number.

fwd <new bridge Forward Delay, 4-30 secs>
Set the CIST bridge forward delay.

cur
Displays current values of all objects settable from the CIST bridge menu.

/cfg/l2/mrst/cist/brg cur
Current configuration for CIST Bridge

>> CIST Bridge# cur
------------------------------------------------------------------
Current Common Internal Spanning Tree settings:
Bridge params:
 Priority MaxAge FwdDel
 32768    20     15

Table 6-51 CIST bridge configuration

Statistics / Description

Priority
The current CIST Bridge priority setting. Priority is a value between 0 and 65535.

MaxAge
The current CIST Bridge maximum aging setting. MaxAge is a value in seconds between 6 and 40.

FwdDel
The current CIST Bridge forwarding delay setting. FwdDel is a value in seconds between 4 and 30.

Page 329: Nortel Commands

/cfg/l2/stg
Spanning Tree Group Configuration

When multiple paths exist on a network, Spanning Tree Protocol (STP) configures the network so that a switch uses only the most efficient path. Spanning Tree Protocol (STP) detects and eliminates logical loops in a bridged or switched network. STP forces redundant data paths into a standby (blocked) state. When multiple paths exist, Spanning Tree configures the network so that a switch uses only the most efficient path. If that path fails, Spanning Tree automatically sets up another active path on the network to sustain network operations. Thus, STP is used to prevent loops in the network topology.

Nortel Application Switch Operating System supports the IEEE 802.1p Spanning Tree Protocol (STP). Nortel Application Switch Operating System supports up to 16 instances of Spanning Trees or Spanning Tree groups. Each VLAN can be placed in only one Spanning Tree group per switch except for the default Spanning Tree group (STG 1). The default Spanning Tree group (1) can have more than one VLAN. Each of the other Spanning Tree groups (2-16) can have only one VLAN associated with it. Spanning Tree can be enabled or disabled for each port. Multiple Spanning Trees can be enabled on tagged or untagged ports. See your Application Guide for a detailed description of this feature and how to configure Spanning Tree Groups on the switch.

This command is turned on by default.

[Spanning Tree Group 1 Menu]
     brg      - Bridge parameter menu
     port     - Port parameter menu
     add      - Add VLAN(s) to Spanning Tree Group
     remove   - Remove VLAN(s) from Spanning Tree Group
     clear    - Remove all VLANs from Spanning Tree Group
     on       - Globally turn Spanning Tree ON
     off      - Globally turn Spanning Tree OFF
     default  - Default Spanning Tree and Member parameters
     cur      - Display current bridge parameters

Page 330: Nortel Commands

NOTE – When VRRP is used for active/active redundancy, STP must be enabled.

Table 6-52 Spanning Tree Configuration Menu (/cfg/l2/stp)

Command Syntax and Usage

brg
Displays the Bridge Spanning Tree Menu. To view menu options, see page 331.

port <port number>
Displays the Spanning Tree Port Menu. To view menu options, see page 332.

add <VLAN numbers (1-4090)>
Associates a VLAN with a spanning tree and requires an external VLAN ID as a parameter.

remove <VLAN numbers, 1-4095 (802.1d & RSTP) / 2-4094 (MSTP)>
Breaks the association between a VLAN and a spanning tree and requires an external VLAN ID as a parameter.

clear
Removes all VLANs from a spanning tree.

on
Globally enables Spanning Tree Protocol.

off
Globally disables Spanning Tree Protocol.

default
Resets STG and Group member parameters to factory default.

cur
Displays the current Spanning Tree Protocol parameters.

Page 331: Nortel Commands

/cfg/l2/stg/brg
Bridge Spanning Tree Configuration

Spanning Tree bridge parameters affect the global STP operation of the switch. STP bridge parameters include:

Bridge priority
Bridge hello time
Bridge maximum age
Forwarding delay
Bridge aging time

[Bridge Spanning Tree Menu]
     prior    - Set bridge Priority [0-65535]
     hello    - Set bridge Hello Time [1-10 secs]
     mxage    - Set bridge Max Age (6-40 secs)
     fwd      - Set bridge Forward Delay (4-30 secs)
     aging    - Set bridge Aging Time (1-65535 secs, 0 to disable)
     cur      - Display current bridge parameters

Table 6-53 Bridge Spanning Tree Menu Options (/cfg/l2/stp/brg)

Command Syntax and Usage

prior <new bridge priority (0-65535)>
Configures the bridge priority. The bridge priority parameter controls which bridge on the network is the STP root bridge. To make this switch the root bridge, configure the bridge priority lower than all other switches and bridges on your network. The lower the value, the higher the bridge priority. The range is 0 to 65535, and the default is 32768.

hello <new bridge hello time (1-10 secs)>
Configures the bridge hello time. The hello time specifies how often the root bridge transmits a configuration bridge protocol data unit (BPDU). Any bridge that is not the root bridge uses the root bridge hello value. The range is 1 to 10 seconds, and the default is 2 seconds.

mxage <new bridge max age (6-40 secs)>
Configures the bridge maximum age. The maximum age parameter specifies the maximum time the bridge waits without receiving a configuration bridge protocol data unit before it reconfigures the STP network. The range is 6 to 40 seconds, and the default is 20 seconds.

fwd <new bridge Forward Delay (4-30 secs)>
Configures the bridge forward delay parameter. The forward delay parameter specifies the amount of time that a bridge port has to wait before it changes from the listening state to the learning state and from the learning state to the forwarding state. The range is 4 to 30 seconds, and the default is 15 seconds.

Page 332: Nortel Commands

When configuring STP bridge parameters, the following formulas must be used:

2*(fwd-1) > mxage
2*(hello+1) < mxage
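
The following Python example, added here and not part of the Nortel documentation, checks a planned set of bridge values against the ranges given for the bridge commands and against the two formulas above, and reports the window of mxage values that a given hello and fwd leave open. The function names and the one-command-per-line input format are assumptions made for the example.

```python
"""Check planned Spanning Tree bridge settings before entering them on the switch.

Added example: ranges, defaults and the two formulas come from this reference;
the function names and the input format are assumptions.
"""

# Allowed ranges and defaults for the bridge commands (prior, hello, mxage, fwd, aging).
RANGES = {
    "prior": (0, 65535),
    "hello": (1, 10),
    "mxage": (6, 40),
    "fwd": (4, 30),
    "aging": (0, 65535),  # 1-65535 seconds, 0 disables aging
}
DEFAULTS = {"prior": 32768, "hello": 2, "mxage": 20, "fwd": 15, "aging": 300}


def parse_bridge_commands(text):
    """Turn 'command value' lines into a settings dict layered over the defaults."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in RANGES:
            raise ValueError(f"not a bridge parameter line: {raw!r}")
        if not parts[1].isdigit():
            raise ValueError(f"value must be a non-negative integer: {raw!r}")
        settings[parts[0]] = int(parts[1])
    return settings


def check_bridge(settings):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    for name, (low, high) in RANGES.items():
        value = settings[name]
        if not low <= value <= high:
            findings.append(f"{name}={value} is outside {low}-{high}")
    hello, mxage, fwd = settings["hello"], settings["mxage"], settings["fwd"]
    # The reference states both formulas as strict inequalities.
    if not 2 * (fwd - 1) > mxage:
        findings.append(
            f"2*(fwd-1) > mxage fails: {2 * (fwd - 1)} is not greater than {mxage}")
    if not 2 * (hello + 1) < mxage:
        findings.append(
            f"2*(hello+1) < mxage fails: {2 * (hello + 1)} is not less than {mxage}")
    return findings


def allowed_mxage(hello, fwd):
    """Return the (lowest, highest) mxage that satisfies both formulas, or None."""
    low = max(RANGES["mxage"][0], 2 * (hello + 1) + 1)
    high = min(RANGES["mxage"][1], 2 * (fwd - 1) - 1)
    return (low, high) if low <= high else None


# Constructed sample: a planned change that raises mxage without raising fwd.
PLANNED = """
prior 4096
hello 2
mxage 30
fwd 15
"""

if __name__ == "__main__":
    planned = parse_bridge_commands(PLANNED)
    for finding in check_bridge(planned) or ["settings are consistent"]:
        print(finding)
    print("mxage may be", allowed_mxage(planned["hello"], planned["fwd"]))
```
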

aging <new bridge Aging Time (1-65535 secs, 0 to disable)>
Configures the forwarding database aging time. The aging time specifies the amount of time the bridge waits without receiving a packet from a station before removing the station from the forwarding database. The range is 1 to 65535 seconds, and the default is 300 seconds. To disable aging, set this parameter to 0.

cur
Displays the current bridge STP parameters.

/cfg/l2/stg <STG Group Index>/port <port #>
Spanning Tree Port Configuration

Spanning Tree port parameters are used to modify STP operation on an individual port basis. STP port parameters include:

Port priority
Port path cost

STP is turned on by default for the port.

[Spanning Tree Port 1 Menu]
     prior    - Set port Priority (0-255)
     cost     - Set port Path Cost
     link     - Set port link type (auto,p2p,or shared; default: auto)
     edge     - Enable/disable edge port
     on       - Turn port's Spanning Tree ON
     off      - Turn port's Spanning Tree OFF
     cur      - Display current port Spanning Tree parameters

Page 333: Nortel Commands

Table 6-54 Spanning Tree Port Menu (/cfg/l2/stp/port)

Command Syntax and Usage

prior <new port Priority (0-255)>
Configures the port priority. The port priority helps determine which bridge port becomes the designated port. In a network topology that has multiple bridge ports connected to a single segment, the port with the lowest port priority becomes the designated port for the segment. The range is 0 to 255, and the default is 128.

cost <new port Path Cost (1-65535, 0 for default)>
Configures the port path cost. The port path cost is used to help determine the designated port for a segment. Generally speaking, the faster the port, the lower the path cost. The range is 1 to 65535. The default is 10 for 100Mbps ports, and 1 for Gigabit ports. A value of 0 indicates that the default cost will be computed for an auto negotiated link speed.

link auto|p2p|shared
Set port link type (auto, p2p, or shared; default: auto)

edge disable|enable
Enable/disable edge port

on
Enables STP on the port.

off
Disables STP on the port.

cur
Displays the current STP port parameters.

/cfg/l2/trunk <trunk group number>
Trunk Configuration

Trunk groups can provide super-bandwidth and multi-link connections between Nortel Application Switches or other trunk capable devices. A trunk group is a group of ports that act together, combining their bandwidth to create a single, larger virtual link. When trunk groups are configured, you can view the state of each port in the various trunk groups. Up to 12 trunk groups can be configured on the Nortel Application Switch, with the following restrictions:

Any physical switch port can belong to no more than one trunk group.
Up to eight ports/trunks can belong to the same trunk group.
Best performance is achieved when all ports in a trunk are configured for the same speed.

Page 334: Nortel Commands

Trunking from non-Nortel devices must comply with Cisco® EtherChannel® technology.

By default, the trunk group is empty and disabled.

[Trunk group 1 Menu]
     cont     - Set BW contract for this trunk group
     add      - Add port to trunk group
     rem      - Remove port from trunk group
     ena      - Enable trunk group
     dis      - Disable trunk group
     del      - Delete trunk group
     cur      - Display current Trunk Group configuration

Table 6-55 Trunk Configuration Menu Options (/cfg/l2/trunk)

Command Syntax and Usage

cont <BWM Contract (1-1024)>
Sets the default Bandwidth Management Contract for this trunk group. By default, the contract number is 1024 for AD3 and 1024 for AD4.

add <port number>
Adds a physical port to the current trunk group.

rem <port number>
Removes a physical port from the current trunk group.

ena
Enables the current trunk group.

dis
Turns the current trunk group off.

del
Removes the current trunk group configuration.

cur
Displays the current trunk group parameters.

Page 335: Nortel Commands

/cfg/l2/lacp
Link Aggregation Control Protocol Menu

Nortel Application Switch Operating System 23.0.2 supports the IEEE 802.3ad standard. At the core of the 802.3ad standard is Link Aggregation Control Protocol (LACP). This protocol allows the user to group several physical ports into one logical port (LACP trunk group) with any switch that supports the IEEE 802.3ad standard (LACP). You can configure trunk groups manually (static trunks), and you can configure dynamic trunk groups using the IEEE 802.3ad standard (LACP trunks). The maximum number of configurable trunk groups is 40: 12 user-configurable trunks and 28 LACP trunks, depending upon the maximum number of ports in the switch. The maximum number of active physical ports in any trunk group is eight and the number of standby ports is also eight.

The 802.3ad standard allows two or more standard Ethernet links to form a single Layer 2 link using the Link Aggregation Control Protocol (LACP). Link aggregation is a method of grouping physical link segments of the same media type and speed in full duplex, and treating them as if they were part of a single, logical link segment. If a link in a LACP trunk group fails, traffic is reassigned dynamically to the remaining links of the LACP trunk group or is assigned to the standby LACP links.

NOTE – Refer to IEEE 802.3ad-2000 for detailed information about the standard.

LACP automatically determines which member links can be aggregated and then aggregates them. It provides for the controlled addition and removal of physical links for the link aggregation.

Each external port in the Nortel Application Switch Operating System can have one of the following LACP modes.

off (default)
The user can configure this port to a regular static trunk group. When the system initializes, all ports are in off mode by default.

active
The port is capable of forming an LACP trunk. This port initiates negotiation with the partner system port by sending LACPDU (Link Aggregation Control Protocol Data Unit) packets.

Page 336: Nortel Commands

passive
The port is capable of forming an LACP trunk. This port only responds to the negotiation requests sent from an LACP active port.

Each LACP active or passive port needs an admin, an operational key, and an aggregator for LACP to start negotiation on these ports. You need to assign the same admin key to a group of ports to make them aggregatable. The link can generate Link Aggregation ID (LAG ID) based on the operational key. All the aggregatable ports must have the same LAG ID. You can form an active LACP trunk group with all the ports that have the same LAG ID.

Please refer to your Nortel Application Switch Operating System Application Guide for detailed information on this protocol.

NOTE – All ports are in LACP off mode by default.

Use the following commands to configure LACP on the Nortel Application Switch Operating System.

[LACP Menu]
     sysprio  - Set LACP system priority
     timeout  - Set LACP system timeout scale for timing out partner info
     port     - LACP port Menu
     cur      - Display current LACP configuration

Table 6-56 Link Aggregation Control Protocol Menu Options (/cfg/l2/lacp)

Command Syntax and Usage

sysprio <1-65535>
Defines the priority value (1 through 65535) for the Nortel Application Switch Operating System. Lower numbers provide higher priority. System priority is used when there are more than eight ports configured with the same admin-key. The system priority, in conjunction with port priority, decides which eight ports should be combined to form a trunk group between two switches. The rest of the ports stay in standby mode to substitute for any failed ports. The default value is 32768.

timeout <short|long>
Defines the timeout period before invalidating LACP data from a remote partner. You can choose between short (3 seconds) or long (90 seconds) timeout periods. The default value is long.

Page 337: Nortel Commands

port <port number>
Displays the LACP Port menu. To view menu options, see page 338.

cur
Displays the current LACP configuration.

Page 338: Nortel Commands

/cfg/l2/lacp/port <port number>
LACP Port Configuration Menu

Use the following commands to configure Link Aggregation Control Protocol (LACP) on a selected port.

[LACP Port 1 Menu]
     mode     - Set LACP mode
     prio     - Set LACP port priority
     adminkey - Set LACP port admin key
     cur      - Display current LACP port configuration

Table 6-57 Link Aggregation Control Protocol Port Configuration Menu Options (/cfg/l2/lacp/port #)

Command Syntax and Usage

mode <off for no LACP or active or passive>
off: Using this option, you can turn LACP off for this port. You can use this port to manually configure a static trunk. All ports are in off mode by default.
active: Using this option, you can turn LACP on and set this port to active. Only active ports initiate negotiation with the partner system port by sending the LACPDU packets.
passive: Using this option, you can turn LACP on and set this port to passive mode. Passive ports do not initiate negotiation, but only respond to the negotiation requests from active ports.

prio <1-65535>
Sets the priority value for the selected port. Lower numbers provide higher priority. The default value is 128.

adminkey <1-65535>
Sets the admin key for this port. Only ports with the same admin key and oper key (operational state generated internally) can form an LACP trunk group.

cur
Displays the current LACP configuration for this port.

Page 339: Nortel Commands

/cfg/l2/vlan <VLAN number>
VLAN Configuration

VLANs are commonly used to split up groups of network users into manageable broadcast domains, to create logical segmentation of workgroups, and to enforce security policies among logical segments. The commands in this menu configure VLAN attributes, change the status of the VLAN, delete the VLAN, and change the port membership of the VLAN. For more information on configuring VLANs, see “Setup Part 3: VLANs” on page 41.

By default, the VLAN menu option is disabled except VLAN 1, which is enabled all the time.

[VLAN 1 Menu]
     name     - Set VLAN name
     stg      - Assign VLAN to a Spanning Tree Group
     cont     - Set BW contract
     add      - Add port to VLAN
     rem      - Remove port from VLAN
     def      - Define VLAN as list of ports
     jumbo    - Enable/disable Jumbo Frame support
     learn    - Enable/disable smac learning
     ena      - Enable VLAN
     dis      - Disable VLAN
     del      - Delete VLAN
     cur      - Display current VLAN configuration

Table 6-58 VLAN Configuration Menu Options (/cfg/l2/vlan)

Command Syntax and Usage

name
Assigns a name to the VLAN or changes the existing name. The default VLAN name is the first one.

stg <Spanning Tree Group index (1-16)>
Assigns a VLAN to a Spanning Tree Group.

cont <BW Contract number, (1-1024)>
Sets the Bandwidth Management contract for this VLAN. The default contract number is 1024 on AD3 and AD4.

add <port number>
Adds port(s) or trunk group(s) to the VLAN membership.

rem <port number>
Removes port(s) or trunk group(s) from this VLAN.

Page 340: Nortel Commands

NOTE – All ports must belong to at least one VLAN. Any port which is removed from a VLAN and which is not a member of any other VLAN is automatically added to default VLAN #1. You cannot remove a port from VLAN #1 if the port has no membership in any other VLAN. Also, you cannot add a port to more than one VLAN unless the port has VLAN tagging turned on (see the tag command on page 307).

def <list of port numbers>
Defines which ports are members of this VLAN. Every port must be a member of at least one VLAN. By default, it defines ports between 1-28 for VLAN 1.

jumbo disable|enable
Enables or disables jumbo frame support on this VLAN. You need to reset the switch using the /boot/reset command to enable jumbo frames on the switch.

learn disable|enable
Enables or disables source MAC address learning on this VLAN.

ena
Enables this VLAN.

dis
Disables this VLAN without removing it from the configuration.

del
Deletes this VLAN.

cur
Displays the current VLAN configuration.

Page 341: Nortel Commands

/cfg/l2/team <team number>
Port Team Configuration

Port teams are used to operationally link ports and interfaces together.

Table 6-59 outlines the commands in this menu.

[Port team 1 Menu]
     addport   - Add port to team
     remport   - Remove port from team
     addtrunk  - Add trunk group to team
     remtrunk  - Remove trunk group from team
     ena       - Enable port team
     dis       - Disable port team
     del       - Delete port team
     cur       - Display current port team configuration

Table 6-59 Port Team Configuration Menu

Command Syntax and Usage

addport <port number>
    Adds the specified port to the current team.

remport <port number>
    Removes the specified port from the current team.

addtrunk <trunk group number>
    Adds a trunk group to the current team.

remtrunk <trunk group number>
    Removes a trunk group from the current team.

ena
    Enables the port team.

dis
    Disables the port team.

del
    Deletes the port team.

cur
    Displays the current port team configuration.

Page 342: Nortel Commands

/cfg/l3
Layer 3 Configuration Menu

[Layer 3 Menu]
     if       - Interface Menu
     gw       - Default Gateway Menu
     route    - Static Route Menu
     arp      - ARP Menu
     frwd     - Forwarding Menu
     nwf      - Network Filters Menu
     rmap     - Route Map Menu
     rip      - Routing Information Protocol Menu
     ospf     - Open Shortest Path First (OSPF) Menu
     bgp      - Border Gateway Protocol Menu
     port     - IP Port Menu
     dns      - Domain Name System Menu
     bootp    - Bootstrap Protocol Relay Menu
     vrrp     - Virtual Router Redundancy Protocol Menu
     rtrid    - Set router ID
     metrc    - Set default gateway metric
     cur      - Display current IP configuration

Table 6-60 Layer 3 Configuration Menu Options (/cfg/l3)

Command Syntax and Usage

if <interface number (1-256)>
    Displays the IP Interface Menu. To view menu options, see page 344.

gw <default gateway number (1-259)>
    Displays the IP Default Gateway Menu. To view menu options, see page 346.

route
    Displays the IP Static Route Menu. To view menu options, see page 348.

arp
    Displays the Address Resolution Protocol Menu. To view menu options, see page 348.

frwd
    Displays the IP Forwarding Menu. To view menu options, see page 350.

nwf <Network filter number (1-256)>
    Displays the Network Filter Configuration Menu. To view menu options, see page 352.

rmap <route map number (1-32)>
    Displays the Route Map Menu. To view menu options, see page 353.

rip
    Displays the Routing Information Protocol Menu. To view menu options, see page 357.

Page 343: Nortel Commands

ospf
    Displays the OSPF Menu. To view menu options, see page 361.

bgp
    Displays the Border Gateway Protocol Menu. To view menu options, see page 371.

port <port number>
    Displays the IP Port Menu. To view menu options, see page 378.

dns
    Displays the IP Domain Name System Menu. To view menu options, see page 379.

bootp
    Displays the Bootstrap Protocol Menu. To view menu options, see page 380.

vrrp
    Displays the Virtual Router Redundancy Protocol Menu. To view menu options, see page 381.

rtrid <IP address (such as, 192.4.17.101)>
    Defines the router ID.

metrc strict|roundrobin
    Sets the default gateway metric to strict or roundrobin. The default gateway metric is strict. For more information on gateway metrics, see page 396.

cur
    Displays the current IP configuration.

Page 344: Nortel Commands

/cfg/l3/if <interface number>
IP Interface Configuration

The Nortel Application Switch can be configured with up to 256 IP interfaces. Each IP interface represents the Nortel Application Switch on an IP subnet on your network. The Interface option is disabled by default.

[IP Interface 1 Menu]
     ip6nd    - IP6 Neighbor Discovery Menu
     ipver    - Set IP version
     addr     - Set IP address
     mask     - Set subnet mask/prefix len
     vlan     - Set VLAN number
     relay    - Enable/disable BOOTP relay
     ena      - Enable IP interface
     dis      - Disable IP interface
     del      - Delete IP interface
     cur      - Display current interface configuration

Table 6-61 IP Interface Menu Options (/cfg/l3/if)

Command Syntax and Usage

ip6nd
    Opens the IPv6 Neighbor Discovery menu. This menu is used to enable or disable the sending of IPv6 Router Advertisement packets from this interface. For more information on this topic, refer to page 345.

ipver <IP version (v4 or v6)>
    Sets the IP version.

addr <IP address (such as 192.4.17.101 for IPv4 or 3001::abcd:5678 for IPv6)>
    Configures the IP address of the switch interface using dotted decimal notation for IPv4 and colon notation for IPv6.

mask <IP subnet mask for IPv4 or prefix length for IPv6 (such as 255.255.255.0 for IPv4 or 64 for IPv6)>
    Configures the IP subnet address mask for the interface using dotted decimal notation for IPv4 or prefix length for IPv6.

vlan <VLAN number (1-4090)>
    Configures the VLAN number for this interface. Each interface can belong to one VLAN, though any VLAN can have multiple IP interfaces in it.

relay disable|enable
    Enables or disables the BOOTP relay on this interface. It is enabled by default.

Page 345: Nortel Commands

ena
    Enables this IP interface.

dis
    Disables this IP interface.

del
    Removes this IP interface.

cur
    Displays the current interface settings.

/cfg/l3/if/ip6nd
IPv6 Neighbor Discovery Menu

This menu is used to configure the sending of IPv6 Neighbor Discovery router advertisements from this interface.

[IP6 Neighbor Discovery Menu]
     rtradv   - Enable/disable router advertisement

Table 6-62 IPv6 Neighbor Discovery Menu Options

Command Syntax and Usage

rtradv disable | enable
    Enables or disables the sending of IPv6 Neighbor Discovery router advertisements from this interface.

Page 346: Nortel Commands

/cfg/l3/gw <gateway number>
Default IP Gateway Configuration

NOTE – The switch can be configured with up to 255 gateways. Gateways one to four are reserved for default gateway load balancing. Gateways five to 259 are used for load-balancing of VLAN-based gateways.

This option is disabled by default.

[Default gateway 1 Menu]
     ipver    - Set IP version
     addr     - Set IP address
     intr     - Set interval between ping attempts
     retry    - Set number of failed attempts to declare gateway DOWN
     vlan     - Set VLAN number
     prio     - Set priority of default gateway route
     arp      - Enable/disable ARP only health checks
     ena      - Enable default gateway
     dis      - Disable default gateway
     del      - Delete default gateway
     cur      - Display current default gateway configuration

Table 6-63 Default Gateway Options (/cfg/l3/gw)

Command Syntax and Usage

ipver <IP version (v4 or v6)>
    Sets the IP version.

addr <default gateway address (such as, 192.4.17.44 for IPv4 or 3001::abcd:1234 for IPv6)>
    Configures the IP address of the default IP gateway using dotted decimal notation for IPv4 and colon notation for IPv6.

intr <0-60 seconds>
    The switch pings the default gateway to verify that it’s up. The intr option sets the time between health checks. The range is from 1 to 120 seconds. The default is 2 seconds.

retry <number of attempts (1-120)>
    Sets the number of failed health check attempts required before declaring this default gateway inoperative. The range is from 1 to 120 attempts. The default is 8 attempts.

vlan <VLAN number (1-4090)>
    Sets the VLAN to be assigned to this default IP gateway.

Page 347: Nortel Commands

prio <high|low>
    Allows you to change the priority of the default gateway route to either high or low, relative to learned default routes. If you set the priority to high, then the default gateway route will always be preferred over learned default routes (such as from OSPF, BGP, or RIP protocols). If you set the priority to low, then learned default routes will always be preferred over the default gateway route.

NOTE – By default, a learned default route has higher priority than the configured default gateway route.

arp disable|enable
    Enables or disables Address Resolution Protocol (ARP) health checks. This command is disabled by default.

ena
    Enables the gateway for use.

dis
    Disables the gateway.

del
    Deletes the gateway from the configuration.

cur
    Displays the current gateway settings.

Default Gateway Metrics

For information about configuring which gateway is selected when multiple default gateways are enabled, see page 396.

Page 348: Nortel Commands

/cfg/l3/route
IP Static Route Configuration

Up to 128 static routes can be configured.

[IP Static Route Menu]
     add      - Add static route
     rem      - Remove static route
     cur      - Display current static routes

Table 6-64 IP Static Route Configuration Menu Options (/cfg/l3/route)

Command Syntax and Usage

add <destination> <mask> <gateway> [interface number]
    Adds a static route. You will be prompted to enter a destination IP address, destination subnet mask, and gateway address. Enter all addresses using dotted decimal notation. If the gateway address is 0.0.0.0, the route becomes a black hole route, where any packet routed to this destination will be dropped.

rem <destination> <mask>
    Removes a static route. The destination address of the route to remove must be specified using dotted decimal notation.

cur
    Displays the current IP static routes.

/cfg/l3/arp
ARP Configuration Menu

Address Resolution Protocol (ARP) is the TCP/IP protocol that resides within the Internet layer. ARP resolves a physical address from an IP address. ARP queries machines on the local network for their physical addresses. ARP also maintains IP to physical address pairs in its cache memory. In any IP communication, the ARP cache is consulted to see whether the IP address of the computer or the router is present; if it is, the corresponding physical address is used to send the packet.

[ARP Menu]
     static   - Static ARP Menu
     rearp    - Set re-ARP period in minutes
     cur      - Display current ARP configuration

Page 349: Nortel Commands

Table 6-65 ARP Configuration Menu Options (/cfg/l3/arp)

Command Syntax and Usage

static
    Displays the Static ARP menu. To view options, see page 349.

rearp <2-120 minutes>
    Defines the re-ARP period in minutes. You can set this duration between two and 120 minutes.

cur
    Displays the current ARP configuration.

/cfg/l3/arp/static
ARP Static Configuration Menu

Static ARP entries are permanent in the ARP cache and do not age out like the ARP entries that are learnt dynamically. Static ARP entries enable the switch to reach the hosts without sending an ARP broadcast request to the network. Static ARPs are also useful to communicate with devices that do not respond to ARP requests. Static ARPs can also be configured on some gateways as a protection against malicious ARP cache corruption and possible DoS attacks.

NOTE – Nortel Application Switch Operating System 21.0 and above allows the static ARP configuration to be retained over reboots. Nortel Application Switch Operating System 20.x and below allow the user to configure the ARP information but that information cannot be retained over a switch reboot.

[Static ARP Menu]
     add      - Add a permanent ARP entry
     del      - Delete an ARP entry
     cur      - Display current static ARP configuration

Table 6-66 ARP Static Configuration Menu Options (/cfg/l3/arp/static)

Command Syntax and Usage

add <IP address> <MAC address> <VLAN number> <port number>
    Adds a permanent ARP entry.

del <IP address (such as, 192.4.17.101)>
    Deletes a permanent ARP entry.

cur
    Displays current static ARP configuration.

Page 350: Nortel Commands

/cfg/l3/frwd
IP Forwarding Configuration Menu

[IP Forwarding Menu]
     local    - Local network definition for route caching menu
     dirbr    - Enable or disable forwarding directed broadcasts
     on       - Globally turn IP Forwarding ON
     off      - Globally turn IP Forwarding OFF
     cur      - Display current IP Forwarding configuration

Table 6-67 IP Forwarding Configuration Menu Options (/cfg/l3/frwd)

Command Syntax and Usage

local
    Displays the menu used to define local network for route caching. Up to five local networks (lnets) can be configured. To view menu options, see page 350.

dirbr disable|enable
    Enables or disables forwarding directed broadcasts. This command is disabled by default.

on
    Enables IP forwarding (routing) on the Nortel Application Switch.

off
    Disables IP forwarding (routing) on the Nortel Application Switch. Forwarding is turned on by default.

cur
    Displays the current IP forwarding settings.

/cfg/l3/frwd/local
Local Network Route Caching Definition

This menu is used for adding local networks by setting the local network address and netmask for the route cache, and to remove local networks.

[IP Local Networks Menu]
     add      - Add local network definition
     rem      - Remove local network definition
     cur      - Display current local network definitions

Page 351: Nortel Commands

Table 2 IP Local Networks Menu Options (/cfg/l3/frwd/local)

Command Syntax and Usage

add <local network address> <local network mask>
    Adds a definition for a local network. For details, see “Defining IP Address Ranges for the Local Route Cache” on page 351.

rem <local network address> <local network mask>
    Removes a definition for a local network.

cur
    Displays the current local network definitions.

Defining IP Address Ranges for the Local Route Cache

The Local Route Cache lets you use switch resources more efficiently, by reducing the size of the ARP table on the Nortel Application Switch. The /cfg/l3/frwd/local/add parameters define a range of addresses that will be cached on the Nortel Application Switch. The local network address is used to define the base IP address in the range which will be cached, and the local network mask is the mask which is applied to produce the range. To determine if a route should be added to the memory cache, the destination address is masked (bitwise AND) with the local network mask and checked against the local network address.

By default, the local network address and mask are both set to 0.0.0.0. This produces a range that includes all Internet addresses for route caching: 0.0.0.0 through 255.255.255.255.

Addresses to be cached are subnets that are directly connected and for which there is an interface configured on the Nortel Application Switch. To limit the route cache to your local hosts, you could configure the parameters as shown in the examples in the following table.

Table 6-68 Local Routing Cache Address Ranges

Local Host Address Range        Address        Mask
0.0.0.0 - 127.255.255.255       0.0.0.0        128.0.0.0
128.0.0.0 - 255.255.255.255     128.0.0.0      128.0.0.0
205.32.0.0 - 205.32.255.255     205.32.0.0     255.255.0.0

NOTE – All addresses that fall outside the defined range are forwarded to the default gateway. The default gateways must be within range.
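The masking rule for the Local Route Cache can be checked offline before a range is entered on the switch. The following Python sketch is an added example, not part of the Nortel manual or the switch software: the function names are hypothetical and the gateway addresses are constructed sample values. It reproduces the Table 6-68 ranges and flags a definition that can never match or a default gateway that falls outside every defined local network.

```python
import ipaddress

MAX_LNETS = 5          # the manual allows up to five local networks (lnets)
ALL_ONES = 0xFFFFFFFF


def _to_int(dotted):
    """Parse a dotted-decimal IPv4 address or mask into an integer."""
    return int(ipaddress.IPv4Address(dotted))


def is_cached(dest, lnet_addr, lnet_mask):
    """Manual's rule: destination AND mask must equal the local network address."""
    return (_to_int(dest) & _to_int(lnet_mask)) == _to_int(lnet_addr)


def lnet_range(lnet_addr, lnet_mask):
    """Return (first, last) address covered by one definition.

    Raises ValueError when the definition can never match (address has bits
    set outside the mask) or when the mask is non-contiguous, in which case
    the matching addresses do not form a single range.
    """
    addr, mask = _to_int(lnet_addr), _to_int(lnet_mask)
    host_bits = ~mask & ALL_ONES
    if addr & host_bits:
        raise ValueError(
            f"{lnet_addr} {lnet_mask}: address bits outside mask, matches nothing")
    if host_bits & (host_bits + 1):
        raise ValueError(f"{lnet_addr} {lnet_mask}: non-contiguous mask")
    last = ipaddress.IPv4Address(addr | host_bits)
    return (str(ipaddress.IPv4Address(addr)), str(last))


def audit(lnets, gateways):
    """Return a list of findings for a planned set of lnet definitions."""
    findings = []
    if len(lnets) > MAX_LNETS:
        findings.append(f"{len(lnets)} local networks defined, limit is {MAX_LNETS}")
    for addr, mask in lnets:
        try:
            lnet_range(addr, mask)
        except ValueError as exc:
            findings.append(str(exc))
    for gw in gateways:
        # The manual's NOTE: the default gateways must be within range.
        if not any(is_cached(gw, addr, mask) for addr, mask in lnets):
            findings.append(f"gateway {gw} is outside every local network range")
    return findings


if __name__ == "__main__":
    # Address/mask pairs taken from Table 6-68.
    for addr, mask in [("0.0.0.0", "128.0.0.0"), ("128.0.0.0", "128.0.0.0"),
                       ("205.32.0.0", "255.255.0.0")]:
        print(addr, mask, "->", lnet_range(addr, mask))
    # Constructed sample: one lnet, one gateway inside it and one outside.
    print(audit([("205.32.0.0", "255.255.0.0")], ["205.32.0.1", "192.4.17.44"]))
```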

Page 352: Nortel Commands

/cfg/l3/nwf
Network Filter Configuration

[IP Network Filter 1 Menu]
     addr     - IP Address
     mask     - IP Subnet mask
     enable   - Enable Network Filter
     disable  - Disable Network Filter
     delete   - Delete Network Filter
     cur      - Display current Network Filter configuration

Table 6-69 IP Network Filter Menu Options (/cfg/l3/nwf)

Command Syntax and Usage

addr <IP address (such as, 192.4.17.44)>
    Sets the starting IP address for this filter. The default address is 0.0.0.0.

mask <IP4 subnet mask (such as, 255.255.255.0)> | <IP6 mask prefix len (eg, 64)>
    Sets the IP subnet mask that is used with /cfg/l3/nwf/addr to define the range of IP addresses that will be accepted by the peer when the filter is enabled. The default value is 0.0.0.0. For Border Gateway Protocol (BGP), assign the network filter to a route map, then assign the route map to the peer.

enable
    Enables the Network Filter configuration.

disable
    Disables the Network Filter configuration.

delete
    Deletes the Network Filter configuration.

cur
    Displays the current Network Filter configuration. For example:

Current Network Filter 1: addr 0.0.0.0, mask 0.0.0.0, disabled

Page 353: Nortel Commands

/cfg/l3/rmap <route map number>
Route Map Configuration Menu

Route maps control and modify routing information.

NOTE – The map number (1-32) represents the routing map you wish to configure.

[IP Route Map 1 Menu]
     alist    - Access List number
     aspath   - AS Filter Menu
     ap       - Set as-path prepend of the matched route
     lp       - Set local-preference of the matched route
     metric   - Set metric of the matched route
     type     - Set OSPF metric-type of the matched route
     prec     - Set the precedence of this route map
     weight   - Set weight of the matched route
     enable   - Enable route map
     disable  - Disable route map
     delete   - Delete route map
     cur      - Display current route map configuration

Table 6-70 Routing Map Menu Options (/cfg/l3/rmap)

Command Syntax and Usage

alist <number (1-8)>
    Displays the Access List menu. For more information, see page 355.

aspath <number (1-8)>
    Displays the Autonomous System (AS) Filter menu. For more information, see page 356.

ap <AS number> [<AS number>] [<AS number>]|none
    Sets the AS path preference of the matched route. One to three path preferences can be configured.

lp <(value 0-4294967294)>|none
    Sets the local preference of the matched route, which affects both inbound and outbound directions. The path with the higher preference is preferred.

metric <(value 0-4294967294)>|none
    Sets the metric of the matched route.

Page 354: Nortel Commands

type <value (1|2)>|none
    Assigns the type of OSPF metric. The default is type 1.
    Type 1—External routes are calculated using both internal and external metrics.
    Type 2—External routes are calculated using only the external metrics. Type 2 routes have more cost than Type 2.
    none—Removes the OSPF metric.

prec <value (1-255)>
    Sets the precedence of the route map. The smaller the value, the higher the precedence. Default value is 10.

weight <value (0-65534)>|none
    Sets the weight of the route map.

enable
    Enables the route map.

disable
    Disables the route map.

delete
    Deletes the route map.

cur
    Displays the current route configuration.

Page 355: Nortel Commands

/cfg/l3/rmap <route map number>/alist <access list number>
IP Access List Configuration Menu

NOTE – The route map number (1-32) and the access list number (1-8) represent the IP access list you wish to configure.

[IP Access List 1 Menu]
     nwf      - Network Filter number
     metric   - Metric
     action   - Set Network Filter action
     enable   - Enable Access List
     disable  - Disable Access List
     delete   - Delete Access List
     cur      - Display current Access List configuration

Table 6-71 IP Access List Menu Options (/cfg/l3/rmap/alist)

Command Syntax and Usage

nwf <network filter number (1-256)>
    Sets the network filter number. See “/cfg/l3/nwf” on page 352 for details.

metric <(1-4294967294)>|none
    Sets the metric value in the AS-External (ASE) LSA.

action permit|deny or p|d
    Permits or denies action for the access list.

enable
    Enables the access list.

disable
    Disables the access list.

delete
    Deletes the access list.

cur
    Displays the current Access List configuration.

Page 356: Nortel Commands

/cfg/l3/rmap <route map number>/aspath <autonomous system path>
Autonomous System Filter Path

NOTE – The rmap number (1-32) and the path number (1-8) represent the AS path you wish to configure.

[AS Filter 1 Menu]
     as       - AS number
     action   - Set AS Filter action
     enable   - Enable AS Filter
     disable  - Disable AS Filter
     delete   - Delete AS Filter
     cur      - Display current AS Filter configuration

Table 6-72 AS Filter Menu Options (/cfg/l3/rmap/aspath)

Command Syntax and Usage

as <AS number (1-65535)>
    Sets the Autonomous System filter’s path number.

action permit|deny or p|d
    Permits or denies Autonomous System filter action.

enable
    Enables the Autonomous System filter.

disable
    Disables the Autonomous System filter.

delete
    Deletes the Autonomous System filter.

cur
    Displays the current Autonomous System filter configuration.

Page 357: Nortel Commands

/cfg/l3/rip
Routing Information Protocol Configuration

The Routing Information Protocol (RIP) is an interior gateway protocol (IGP). RIP is one of a class of algorithms known as distance vector algorithms. The distance or hop count is used as the metric to determine the best path to a remote network or host, where the hop count does not exceed 15 hops, assuming a cost of one for each network. RIP uses broadcast User Datagram Protocol (UDP) data packets to exchange routing information.

RIP sends routing information updates every 30 seconds. This update contains known networks and the distances (hop count) associated with each one. For RIP1, no mask information is exchanged; the natural mask is always applied by the router receiving the update. For RIP2, mask information is sent. There are two timers associated with each route: a timeout timer and a garbage-collection timer. Upon expiration of the timeout timer, the route is no longer valid but it is retained in the routing table for a short time so that neighbors can be notified that the route has been dropped. Upon expiration of the garbage-collection timer, the route is finally removed from the routing table. The timeout timer is set for 180 seconds and the garbage-collection timer is set for 120 seconds by default.

The menu below is used for configuring Routing Information Protocol parameters globally. The Routing Information Protocol is turned off by default.

[Routing Information Protocol Menu]
     if       - RIP Interface Menu
     update   - Set update period in seconds
     vip      - Enable/disable vip advertisement
     statc    - Enable/disable static routes advertisement
     on       - Globally turn RIP ON
     off      - Globally turn RIP OFF
     current  - Display current RIP configuration

Table 6-73 Routing Information Protocol Menu (/cfg/l3/rip)

Command Syntax and Usage

if <Interface Number (1-256)>
    Go to the RIP Interface menu. See page 359.

update <update period (1-120 seconds)>
    Sets the RIP update period in seconds. It is set at 30 seconds by default.

Page 358: Nortel Commands

vip disable|enable
    Enables or disables the advertisement of virtual IP addresses as Host Routes. If a VIP route exists in a routing table, it will always be advertised except when it is included in another network route that is already being advertised.
    Note: If all real servers behind a VIP go down, the route gets removed from the routing table, and will not be advertised. If all the real servers are disabled using an operation command, the VIP route does not get eliminated from the routing table, and the switch will continue to advertise the route.

statc disable|enable
    Enables or disables the advertisement of static routes.

on
    Globally turns RIP ON.

off
    Globally turns RIP OFF.

cur
    Displays the current RIP configuration.

Page 359: Nortel Commands

/cfg/l3/rip/if
RIP Interface Menu

[RIP Interface 1 Menu]
     version  - Set RIP version
     supply   - Enable/disable supplying route updates
     listen   - Enable/disable listening to route updates
     poison   - Enable/disable poisoned reverse
     trigg    - Enable/disable triggered updates
     mcast    - Enable/disable multicast updates
     default  - Set default route action
     metric   - Set metric
     auth     - Set authentication type
     key      - Set authentication key
     enable   - Enable interface
     disable  - Disable interface
     current  - Display current RIP interface configuration

Table 6-74 RIP Menu Options

Command Syntax and Usage

version 1|2|both
    Set the RIP version. The default value is 2.

supply disable|enable
    Enables or disables supplying route updates. When enabled, the switch supplies routes to other routers. This is enabled by default.

listen disable|enable
    When enabled, the switch stores routing information from other routers. The default is enabled.

poison disable|enable
    When enabled, the switch uses split horizon with poisoned reverse. The default is disabled. When disabled, the switch uses split horizon only.

mcast disable|enable
    Enable or disable triggered updates. The default is enabled.

default none|listen|supply|both
    Set the default route action. The default action is none.

metric <value [1-15]>
    Set metric value for this RIP interface. The default value is 1.

auth none|password
    Set the type of authentication. The default value is none.

key <key|none (to remove existing key value)>
    Set the authentication key. The default value is none.

Page 360: Nortel Commands

enable
    Enable the interface.

disable
    Disable the interface.

current
    Displays current values of all objects settable from this menu.

Page 361: Nortel Commands

/cfg/l3/ospf
Open Shortest Path First Configuration

Nortel Application Switch Operating System supports the Open Shortest Path First (OSPF) routing protocol. The Nortel Application Switch Operating System implementation conforms to the OSPF version 2 specifications detailed in Internet RFC 1583.

OSPF is designed for routing traffic within a single IP domain called an Autonomous System (AS). The AS can be divided into smaller logical units known as areas. In any AS with multiple areas, one area must be designated as area 0, known as the backbone. The backbone acts as the central OSPF area. All other areas in the AS must be connected to the backbone. Areas inject summary routing information into the backbone, which then distributes it to other areas as needed. For more information on how to configure OSPF on the switch, refer to your Nortel Application Switch Operating System Application Guide.

[Open Shortest Path First Menu]
     aindex   - OSPF Area (index) Menu
     range    - OSPF Summary Range Menu
     if       - OSPF Interface Menu
     virt     - OSPF Virtual Links Menu
     md5key   - OSPF MD5 Key Menu
     host     - OSPF Host Entry Menu
     redist   - OSPF Route Redistribute Menu
     lsdb     - Set the LSDB limit for external LSA
     default  - Export default route information
     on       - Globally turn OSPF ON
     off      - Globally turn OSPF OFF
     cur      - Display current OSPF configuration

Table 6-75 OSPF Configuration Menu Options (/cfg/l3/ospf)

Command Syntax and Usage

aindex <area index (0-2)>
    Displays the area index menu. This area index does not represent the actual OSPF area number. See page 363 to view menu options.

range <range number (1-16)>
    Displays summary routes menu for up to 16 IP addresses. See page 364 to view menu options.

if <interface number (1-255)>
    Displays the OSPF interface configuration menu. See page 365 to view menu options.

virt <virtual link (1-3)>
    Displays the Virtual Links menu used to configure OSPF for a Virtual Link. See page 367 to view menu options.

Page 362: Nortel Commands

md5key <key ID (1-255)>
    Assigns a string to MD5 authentication key. See

host <host entry number (1-128)>
    Displays the menu for configuring OSPF for the host routes. Up to 128 host routes can be configured. Host routes are used for advertising network device IP addresses to external networks to perform server load balancing within OSPF. It also makes Area Border Router (ABR) load sharing and ABR failover possible. See page 369 to view menu options.

redist <fixed|static|rip|ebgp|ibgp>
    Displays the Route Distribution Menu. See page 370 to view menu options.

lsdb <LSDB limit (0-2000, 0 for no limit)>
    Sets the link state database limit.

default <metric (1-16777215)> <metric-type 1|2>|none
    Sets one default route among multiple choices in an area. Use none for no default.

on
    Enables OSPF on the Nortel Application Switch.

off
    Disables OSPF on the Nortel Application Switch.

cur
    Displays the current OSPF configuration settings.

Page 363: Nortel Commands

/cfg/l3/ospf/aindex
Area Index Configuration Menu

[OSPF Area (index) 1 Menu]
     areaid   - Set area ID
     type     - Set area type
     metric   - Set stub area metric
     auth     - Set authentication type
     spf      - Set time interval between two SPF calculations
     enable   - Enable area
     disable  - Disable area
     delete   - Delete area
     cur      - Display current OSPF area configuration

Table 6-76 Area Index Configuration Menu Options (/cfg/l3/ospf/aindex)

Command Syntax and Usage

areaid <IP address (such as, 192.4.17.101)>
    Defines the IP address of the OSPF area number.

type transit|stub|nssa
    Defines the type of area. For example, when a virtual link has to be established with the backbone, the area type must be defined as transit.
    Transit area: allows area summary information to be exchanged between routing devices. Any area that is not a stub area or NSSA is considered to be a transit area.
    Stub area: is an area where external routing information is not distributed. Typically, a stub area is connected to only one other area.
    NSSA: Not-So-Stubby Area (NSSA) is similar to a stub area with additional capabilities. For example, routes originating from within the NSSA can be propagated to adjacent transit and backbone areas. External routes from outside the Autonomous System (AS) can be advertised within the NSSA but are not distributed into other areas.

metric <metric value (1-65535)>
    Configures a stub area to send a numeric metric value. All routes received via that stub area carry the configured metric to potentially influence routing decisions. Metric value assigns the priority for choosing the switch for default route. Metric type determines the method for influencing routing decisions for external routes.

auth none|password|md5
    None: No authentication required.
    Password: Authenticates simple passwords so that only trusted routing devices can participate.
    MD5: This parameter is used when MD5 cryptographic authentication is required.

Page 364: Nortel Commands

spf <interval (0-255)>
Sets the time interval between two successive SPF (shortest path first) calculations of the shortest path tree using Dijkstra’s algorithm.

enable
Enables the OSPF area.

disable
Disables the OSPF area.

delete
Deletes the OSPF area.

cur
Displays the current OSPF configuration.

/cfg/l3/ospf/range
OSPF Summary Range Configuration Menu

[OSPF Summary Range 1 Menu]
     addr    - Set IP address
     mask    - Set IP mask
     aindex  - Set area index
     hide    - Enable/disable hide range
     enable  - Enable range
     disable - Disable range
     delete  - Delete range
     cur     - Display current OSPF summary range configuration

Table 6-77 OSPF Summary Range Configuration Menu Options (/cfg/l3/ospf/range)

Command Syntax and Usage

addr <IP address (such as, 192.4.17.101)>
Displays the base IP address for the range.

mask <IP address (such as, 192.4.17.101)>
Displays the IP address mask for the range.

aindex <area index [0-2]>
Displays the area index used by the Nortel Application Switch.


hide disable|enable
Hides the OSPF summary range.

enable
Enables the OSPF summary range.

disable
Disables the OSPF summary range.

delete
Deletes the OSPF summary range.

cur
Displays the current OSPF summary range.

/cfg/l3/ospf/if
OSPF Interface Configuration Menu

[OSPF Interface 1 Menu]
     aindex  - Set area index
     prio    - Set interface router priority
     cost    - Set interface cost
     hello   - Set hello interval in seconds
     dead    - Set dead interval in seconds
     trans   - Set transit delay in seconds
     retra   - Set retransmit interval in seconds
     key     - Set authentication key
     mdkey   - Set MD5 key ID
     enable  - Enable interface
     disable - Disable interface
     delete  - Delete interface
     cur     - Display current OSPF interface configuration


Table 6-78 OSPF Interface Configuration Menu Options (/cfg/l3/ospf/if)

Command Syntax and Usage

aindex <area index (0-2)>
Displays the OSPF area index.

prio <priority value (0-255)>
Displays the assigned priority value to the Nortel Application Switch’s OSPF interfaces. (A priority value of 127 is the highest and 1 is the lowest. A priority value of 0 specifies that the interface cannot be used as Designated Router (DR) or Backup Designated Router (BDR).)

cost <cost value (1-65535)>
Displays the cost set for the selected path (preferred or backup). Usually the cost is inversely proportional to the bandwidth of the interface. Low cost indicates high bandwidth.

hello <value (1-65535)>
Displays the interval in seconds between the hello packets for the interfaces.

dead <value (1-65535)>
Displays the health parameters of a hello packet, which is set for an interval of seconds before declaring a silent router to be down.

trans <value (0-3600)>
Displays the transit delay in seconds.

retra <value (0-3600)>
Displays the retransmit interval in seconds.

key <key>|none
Sets the authentication key; none clears the password.

mdkey <key ID (1-255)>|none
Assigns an MD5 key to the interface.

enable
Enables OSPF interface.

disable
Disables OSPF interface.

delete
Deletes OSPF interface.

cur
Displays the current settings for OSPF interface.


/cfg/l3/ospf/virt
OSPF Virtual Link Configuration Menu

[OSPF Virtual Link 1 Menu]
     aindex  - Set area index
     hello   - Set hello interval in seconds
     dead    - Set dead interval in seconds
     trans   - Set transit delay in seconds
     retra   - Set retransmit interval in seconds
     nbr     - Set router ID of virtual neighbor
     key     - Set authentication key
     mdkey   - Set MD5 key ID
     enable  - Enable interface
     disable - Disable interface
     delete  - Delete interface
     cur     - Display current OSPF interface configuration

Table 6-79 OSPF Virtual Link Configuration Menu Options (/cfg/l3/ospf/virt)

Command Syntax and Usage

aindex <area index (0-2)>
Displays the OSPF area index.

hello <value (1-65535)>
Displays the authentication parameters of a hello packet, which is set to be in an interval of seconds.

dead <value (1-65535)>
Displays the health parameters of a hello packet, which is set to be in an interval of seconds. Default is 40 seconds.

trans <value (1-3600)>
Displays the delay in transit in seconds. Default is one second.

retra <value (1-3600)>
Displays the retransmit interval in seconds. Default is five seconds.

nbr <nbr router ID (IP address)>
Displays the router ID of the virtual neighbor. Default is 0.0.0.0.

key <key>|none
Displays the password (up to eight characters) for each virtual link. Default is none.

mdkey <key ID (1-255)>|none
Sets MD5 key ID for each virtual link. Default is none.


enable
Enables OSPF virtual link.

disable
Disables OSPF virtual link.

delete
Deletes OSPF virtual link.

cur
Displays the current OSPF virtual link settings.

/cfg/l3/ospf/md5key
OSPF MD5 Key Configuration Menu

[OSPF MD5 Key 1 Menu]
     key     - Set authentication key
     delete  - Delete key
     cur     - Display current MD5 key configuration

Table 6-80 OSPF MD5 Key Configuration Menu Options (/cfg/l3/ospf/md5key)

Command Syntax and Usage

key <key, up to 16 chars>
Sets the authentication key up to 16 characters for this OSPF packet.

delete
Deletes the authentication key for this OSPF packet.

cur
Displays the current MD5 key configuration.
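The auth, key, mdkey and md5key options described above only protect an area when they are set consistently. The following added example (not part of the Nortel manual) parses a constructed configuration dump and reports areas and interfaces whose OSPF authentication is absent, cleartext or incomplete. The dump layout, the sample key value, and the reading of mdkey as a reference to the md5key menu of the same number are assumptions.

```python
import re

# Constructed sample. Menu paths and command names are taken from the tables
# above; the dump layout (a menu path line followed by indented commands) and
# the key value are assumptions made for this example.
SAMPLE_CONFIG = """\
/cfg/l3/ospf/aindex 0
    auth md5
/cfg/l3/ospf/aindex 1
    auth password
/cfg/l3/ospf/aindex 2
    auth none
/cfg/l3/ospf/if 1
    aindex 0
    mdkey 1
/cfg/l3/ospf/if 2
    aindex 0
    mdkey none
/cfg/l3/ospf/if 3
    aindex 1
    key none
/cfg/l3/ospf/if 4
    aindex 0
    mdkey 7
/cfg/l3/ospf/md5key 1
    key constructed-key
"""

MENU_RE = re.compile(r"^/cfg/l3/ospf/(aindex|if|md5key)\s+(\d+)\s*$")


def parse_ospf(text):
    """Collect the commands found under each aindex, if and md5key menu."""
    cfg = {"aindex": {}, "if": {}, "md5key": {}}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        match = MENU_RE.match(line)
        if match:
            current = cfg[match.group(1)].setdefault(int(match.group(2)), {})
        elif line.startswith("/"):
            current = None  # another menu: skip its commands
        elif current is not None:
            name, _, value = line.strip().partition(" ")
            current[name] = value.strip() or True
    return cfg


def audit_ospf_auth(cfg):
    """Return (location, finding) pairs for weak or incomplete authentication."""
    findings = []
    for idx, area in sorted(cfg["aindex"].items()):
        auth = area.get("auth", "none")  # assumption: no auth line means none
        if auth == "none":
            findings.append((f"aindex {idx}", "auth-none"))
        elif auth == "password":
            # Simple passwords travel in clear text inside each OSPF packet.
            findings.append((f"aindex {idx}", "simple-password"))
    for num, iface in sorted(cfg["if"].items()):
        area = cfg["aindex"].get(int(iface.get("aindex", 0)), {})
        auth = area.get("auth", "none")
        if auth == "md5":
            key_id = iface.get("mdkey", "none")
            if key_id == "none":
                findings.append((f"if {num}", "md5-no-key-id"))
            elif not cfg["md5key"].get(int(key_id), {}).get("key"):
                # Assumption: the mdkey ID names the md5key menu of that number.
                findings.append((f"if {num}", "md5-key-undefined"))
        elif auth == "password" and iface.get("key", "none") == "none":
            findings.append((f"if {num}", "password-no-key"))
    return findings


if __name__ == "__main__":
    for location, finding in audit_ospf_auth(parse_ospf(SAMPLE_CONFIG)):
        print(f"{location}: {finding}")
```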


/cfg/l3/ospf/host
OSPF Host Entry Configuration Menu

[OSPF Host Entry 1 Menu]
     addr    - Set host entry IP address
     aindex  - Set area index
     cost    - Set cost of this host entry
     enable  - Enable host entry
     disable - Disable host entry
     delete  - Delete host entry
     cur     - Display current OSPF host entry configuration

Table 6-81 OSPF Host Entry Configuration Menu Options (/cfg/l3/ospf/host)

Command Syntax and Usage

addr <IP address (such as, 192.4.17.101)>
Displays the base IP address for the host entry.

aindex <area index [0-2]>
Displays the area index of the host.

cost <cost value [1-65535]>
Displays the cost value of the host.

enable
Enables OSPF host entry.

disable
Disables OSPF host entry.

delete
Deletes OSPF host entry.

cur
Displays the current OSPF host entries.


/cfg/l3/ospf/redist <fixed|static|rip|ebgp|ibgp>
OSPF Route Redistribution Configuration Menu

[OSPF Redistribute Fixed Menu]
     add     - Add rmap into route redistribution list
     rem     - Remove rmap from route redistribution list
     export  - Export all routes of this protocol
     cur     - Display current route-maps added

Table 6-82 OSPF Route Redistribution Menu Options (/cfg/l3/ospf/redist)

Command Syntax and Usage

add (<route map (1-32)> <route map (1-32)>)|all
Adds selected routing maps to the rmap list. To add all the 32 route maps, enter all. To add specific route maps, enter routing map numbers one per line, NULL at the end.
This option adds a route map to the route redistribution list. The routes of the redistribution protocol matched by the route maps in the route redistribution list will be redistributed.

rem (<route map (1-32)> <route map (1-32)>) ... |all
Removes the route map from the route redistribution list.
Removes routing maps from the rmap list. To remove all 32 route maps, enter all. To remove specific route maps, enter routing map numbers one per line, NULL at the end.

export <metric (1-16777215)><metric type (1|2)> |none
Exports the routes of this protocol as external OSPF AS-external LSAs in which the metric and metric type are specified. To remove a previous configuration and stop exporting the routes of the protocol, enter none.

cur
Displays the current route map settings.


/cfg/l3/bgp
Border Gateway Protocol Configuration

Border Gateway Protocol (BGP) is an Internet protocol that enables routers on a network to share routing information with each other and advertise information about the segments of the IP address space they can access within their network with routers on external networks. BGP allows you to decide what is the “best” route for a packet to take from your network to a destination on another network, rather than simply setting a default route from your border router(s) to your upstream provider(s). You can configure BGP either within an autonomous system or between different autonomous systems. When run within an autonomous system, it is called internal BGP (iBGP). When run between different autonomous systems, it is called external BGP (eBGP). BGP is defined in RFC 1771.

The BGP Menu enables you to configure the switch to receive routes and to advertise static routes, fixed routes and virtual server IP addresses with other internal and external routers.

BGP is turned off by default.

NOTE – Fixed routes are subnet routes. There is one fixed route per IP interface.

[Border Gateway Protocol Menu]
     peer    - Peer menu
     aggr    - Aggregation menu
     as      - Set Autonomous System (AS) number
     maxpath - Set Max AS Path Length
     pref    - Set Local Preference
     on      - Globally turn BGP ON
     off     - Globally turn BGP OFF
     cur     - Display current BGP configuration

Table 6-83 Border Gateway Protocol Menu (/cfg/l3/bgp)

Command Syntax and Usage

peer <peer number (1-16)>
Displays the menu used to configure each BGP peer. Each border router, within an autonomous system, exchanges routing information with routers on other external networks. To view menu options, see page 373.

aggr <aggregate number (1-16)>
Displays the Aggregation Menu. To view menu options, see page 377.


as <autonomous system number (1-65535)>
Sets Autonomous System Number for this autonomous system.
An autonomous system (AS) is the unit of router policy, either a single network or a group of networks that is controlled by a common network administrator on behalf of an administrative entity (such as a university, a business enterprise, or a business division). An autonomous system is assigned a globally unique number called an Autonomous System Number (ASN). An autonomous system shares routing information with other autonomous systems using the Border Gateway Protocol (BGP).

maxpath <max AS path length (1-127)>
This command limits the maximum length of an accepted AS Path. The default value is 50. Paths greater than this value will be ignored. The command is designed to protect the MP CPU, memory resources and routing table from BGP-based attacks, BGP errors and probes designed to locate BGP speaking devices that do not limit the maximum AS Path.

pref <preference (0-4294967294)>
Sets the local preference. The path with the higher value is preferred. When multiple peers advertise the same route, use the route with the shortest AS path as the preferred route if you are using eBGP, or use the local preference if you are using iBGP.

on
Globally turns BGP on.

off
Globally turns BGP off.

cur
Displays the current BGP configuration.


/cfg/l3/bgp/peer <peer number>
BGP Peer Configuration Menu

This menu is used to configure BGP peers, which are border routers that exchange routing information with routers on internal and external networks. The peer option is disabled by default.

[BGP Peer 1 Menu]
     redist  - Redistribution menu
     addr    - Set remote IP address
     ras     - Set remote autonomous system number
     hold    - Set hold time
     alive   - Set keep alive time
     advert  - Set min time between advertisements
     retry   - Set connect retry interval
     orig    - Set min time between route originations
     ttl     - Set time-to-live of IP datagrams
     addi    - Add rmap into in-rmap list
     addo    - Add rmap into out-rmap list
     remi    - Remove rmap from in-rmap list
     remo    - Remove rmap from out-rmap list
     enable  - Enable peer
     disable - Disable peer
     delete  - Delete peer
     cur     - Display current peer configuration

Table 6-84 BGP Peer Configuration Options (/cfg/l3/bgp/peer)

Command Syntax and Usage

redist
Displays BGP Redistribution Menu. To view the menu options, see page 375.

addr <IP address (such as, 192.4.17.101)>
Defines the IP address for the specified peer (border router), using dotted decimal notation. The default address is 0.0.0.0.

ras <AS number (0-65535)>
Sets the remote autonomous system number for the specified peer.

hold <hold time (0, 3-65535)>
Sets the period of time, in seconds, that will elapse before the peer session is torn down because the switch hasn’t received a “keep alive” message from the peer. It is set at 90 seconds by default.

alive <keepalive time (0, 1-21845)>
Sets the keep-alive time for the specified peer in seconds. It is set at 0 by default.


advert <min adv time (1-65535)>
Sets time in seconds between advertisements.

retry <connect retry interval (1-65535)>
Sets connection retry interval in seconds.

orig <min orig time (1-65535)>
Sets the minimum time between route originations in seconds.

ttl <number of router hops (1-255)>
Time-to-live (TTL) is a value in an IP packet that tells a network router whether or not the packet has been in the network too long and should be discarded. TTL specifies a certain time span in seconds that, when exhausted, would cause the packet to be discarded. The TTL is determined by the number of router hops the packet is allowed before it must be discarded.
This command specifies the number of router hops that the IP packet can make. This value is used to restrict the number of “hops” the advertisement makes. It is also used to support multi-hops, which allow BGP peers to talk across a routed network. The default number is set at 1.

addi <route map ID (1-32)>
Adds route map into in-route map list.

addo <route map ID (1-32)>
Adds route map into out-route map list.

remi <route map ID (1-32)>
Removes route map from in-route map list.

remo <route map ID (1-32)>
Removes route map from out-route map list.

ena
Enables this peer configuration.

dis
Disables this peer configuration.

del
Deletes this peer configuration.

cur
Displays the current BGP peer configuration.


/cfg/l3/bgp/peer/redist
BGP Redistribution Configuration Menu

[Redistribution Menu]
     metric  - Set default-metric of advertised routes
     default - Set default route action
     rip     - Enable/disable advertising RIP routes
     ospf    - Enable/disable advertising OSPF routes
     fixed   - Enable/disable advertising fixed routes
     static  - Enable/disable advertising static routes
     vip     - Enable/disable advertising VIP routes
     cur     - Display current redistribution configuration

Table 6-85 BGP Redistribution Configuration Menu Options (/cfg/l3/bgp/peer/redist)

Command Syntax and Usage

metric <metric (1-4294967294)>|none
Sets default metric of advertised routes.

default none|import|originate|redistribute
Sets default route action.
Default routes can be configured as import, originate, redistribute, or none.
None: No routes are configured.
Import: Import these routes.
Originate: The switch sends a default route to peers even though it does not have any default routes in its routing table.
Redistribute: Default routes are either configured through default gateway or learned through other protocols and redistributed to peer. If the routes are learned from default gateway configuration, you have to enable static routes since the routes from default gateway are static routes. Similarly, if the routes are learned from a certain routing protocol, you have to enable that protocol in this redistribute submenu.

rip disable|enable
Enables or disables advertising RIP routes.

ospf disable|enable
Enables or disables advertising OSPF routes.

fixed disable|enable
Enables or disables advertising fixed routes.

static disable|enable
Enables or disables advertising static routes.


vip disable|enable
Enables or disables advertising VIP routes.

cur
Displays the current redistribution configuration.


/cfg/l3/bgp/aggr <aggregate number>
BGP Aggregate Routing Configuration Menu

NOTE – The aggregate number (1-16) represents the aggregation route you wish to configure.

This menu allows you to configure aggregate routing to condense the number of routes between internal and external peer routers.

[BGP Aggr 1 Menu]
     addr    - Set aggregation IP address
     mask    - Set aggregation network mask
     enable  - Enable aggregation
     disable - Disable aggregation
     delete  - Delete aggregation
     current - Display current aggregation configuration

Table 6-86 BGP Aggregate Menu Options (/cfg/l3/ip/bgp/aggr)

Command Syntax and Usage

addr <IP address, such as 192.4.17.101>
Adds the IP address to the selected aggregate.

mask <IP subnet mask, such as 255.255.255.0>
Sets the IP mask for the selected aggregate.

enable
Enables the selected aggregate.

disable
Disables the selected aggregate.

delete
Deletes the selected aggregate.

current
Displays the current aggregate configuration.


/cfg/l3/port <port number>
IP Forwarding Port Configuration Menu

The Layer 3 Port Menu allows you to turn IP forwarding on or off on a port-by-port basis. By default, the port forwarding option is turned on.

[IP Forwarding Port 1 Menu]
     on      - Turn Forwarding ON
     off     - Turn Forwarding OFF
     cur     - Display current port configuration

Table 6-87 IP Forwarding Port Configuration Menu Options (/cfg/l3/port)

Command Syntax and Usage

on
Enables IP forwarding for the current port.

off
Disables IP forwarding for the current port.

cur
Displays the current IP forwarding settings.


/cfg/l3/dns
Domain Name System Configuration Menu

The Domain Name System (DNS) Menu is used for defining the primary and secondary DNS servers on your local network, and for setting the default domain name served by the switch services. DNS parameters must be configured prior to using hostname parameters with the ping, traceroute, and tftp commands.

[Domain Name System Menu]
     prima   - Set IP address of primary DNS server
     secon   - Set IP address of secondary DNS server
     dname   - Set default domain name
     cur     - Display current DNS configuration

Table 6-88 Domain Name System Menu Options (/cfg/l3/dns)

Command Syntax and Usage

prima <IP address (such as, 192.4.17.101)>
You will be prompted to set the IP address for your primary DNS server. Use dotted decimal notation.

secon <IP address (such as, 192.4.17.101)>
You will be prompted to set the IP address for your secondary DNS server. If the primary DNS server fails, the configured secondary will be used instead. Enter the IP address using dotted decimal notation.

dname <dotted DNS notation>|none
Sets the default domain name used by the switch. For example: mycompany.com

cur
Displays the current Domain Name System settings.


/cfg/l3/bootp
Bootstrap Protocol Relay Configuration Menu

The Bootstrap Protocol (BOOTP) Relay Menu is used to allow hosts to obtain their configurations from a Dynamic Host Configuration Protocol (DHCP) server. The BOOTP configuration enables the switch to forward a client request for an IP address to two DHCP/BOOTP servers with IP addresses that have been configured on the Nortel Application Switch.

BOOTP relay menu is turned off by default.

[Bootstrap Protocol Relay Menu]
     addr    - Set IP address of BOOTP server
     addr2   - Set IP address of second BOOTP server
     on      - Globally turn BOOTP relay ON
     off     - Globally turn BOOTP relay OFF
     cur     - Display current BOOTP relay configuration

Table 6-89 Bootstrap Protocol Relay Configuration Menu Options (/cfg/l3/bootp)

Command Syntax and Usage

addr <IP address (such as, 192.4.17.101)>
Sets the IP address of the BOOTP server.

addr2 <IP address (such as, 192.4.17.101)>
Sets the IP address of the second BOOTP server.

on
Globally turns on BOOTP relay.

off
Globally turns off BOOTP relay.

cur
Displays the current BOOTP relay configuration.


/cfg/l3/vrrp
VRRP Configuration Menu

Virtual Router Redundancy Protocol (VRRP) support on Nortel Application Switch provides redundancy between routers in a LAN. This is accomplished by configuring the same virtual router IP address and ID number on each participating VRRP-capable routing device. One of the virtual routers is then elected as the master, based on a number of priority criteria, and assumes control of the shared virtual router IP address. If the master fails, one of the backup virtual routers will assume routing authority and take control of the virtual router IP address.

By default, VRRP is disabled. Nortel Application Switch Operating System has extended VRRP to include virtual servers as well, allowing for full active/active redundancy between its Layer 4 switches.

For more information on VRRP, see the “High Availability” chapter in your Nortel Application Switch Operating System 23.0.2 Application Guide.

[Virtual Router Redundancy Protocol Menu]
     vr      - VRRP Virtual Router Menu
     vrgroup - VRRP Virtual Router Vrgroup Menu
     group   - VRRP Virtual Router Group Menu
     if      - VRRP Interface Menu
     track   - VRRP Priority Tracking Menu
     hotstan - Enable/disable hot-standby processing
     on      - Globally turn VRRP ON
     off     - Globally turn VRRP OFF
     holdoff - Globally VRRP hold off time
     cur     - Display current VRRP configuration

Table 6-90 Virtual Router Redundancy Protocol Options (/cfg/l3/vrrp)

Command Syntax and Usage

vr <virtual router number (1-1024)>
Displays the VRRP Virtual Router Menu. This menu is used for configuring up to 1024 virtual routers on this switch. To view menu options, see page 383.

vrgroup <virtual router vrgroup number (1-16)>
Displays VR Group Menu. To view menu options, see page 387.

group
Displays the VRRP virtual router group menu, used to combine all virtual routers together as one logical entity. Group options must be configured when using two or more Nortel Application Switches in a hot-standby failover configuration where only one switch is active at any given time. To view menu options, see page 390.


if <interface number (1-255)>
Displays the VRRP Virtual Router Interface Menu. To view menu options, see page 394.

track
Displays the VRRP Tracking Menu. This menu is used for weighting the criteria used when modifying priority levels in the master router election process. To view menu options, see page 395.

hotstan disable|enable
Enables or disables hot standby processing, in which two or more switches provide redundancy for each other. By default, this option is disabled.

on
Globally enables VRRP on this switch.

off
Globally disables VRRP on this switch.

holdoff <0-255 seconds>
Globally suspends VRRP operation for the specified interval.

cur
Displays the current VRRP parameters.


/cfg/l3/vrrp/vr <router number>
Virtual Router Configuration Menu

This menu is used for configuring up to 256 virtual routers for this switch. A virtual router is defined by its virtual router ID and an IP address. On each VRRP-capable routing device participating in redundancy for this virtual router, a virtual router will be configured to share the same virtual router ID and IP address.

Virtual routers are disabled by default.

[VRRP Virtual Router 1 Menu]
     track   - Priority Tracking Menu
     vrid    - Set virtual router ID
     addr    - Set IP address
     if      - Set interface number
     prio    - Set renter priority
     adver   - Set advertisement interval
     preem   - Enable or disable preemption
     share   - Enable or disable sharing
     ena     - Enable virtual router
     dis     - Disable virtual router
     del     - Delete virtual router
     cur     - Display current VRRP virtual router configuration

Table 6-91 VRRP Virtual Router Options (/cfg/l3/vrrp/vr)

Command Syntax and Usage

track
Displays the VRRP Priority Tracking Menu for this virtual router. Tracking is Nortel’s proprietary extension to VRRP, used for modifying the standard priority system used for electing the master router. Tracking is not needed if sharing (share) is enabled. To view menu options, see page 385.

vrid <virtual router ID (1-1024)>
Defines the virtual router ID. This is used in conjunction with addr (below) to define a virtual router on this switch. To create a pool of VRRP-enabled routing devices which can provide redundancy to each other, each participating VRRP device must be configured with the same virtual router: one that shares the same vrid and addr combination.
The vrid for standard virtual routers (where the virtual router IP address is not the same as any virtual server) can be any integer between 1 and 255. The default value is 1.
The vrid of virtual server routers where the virtual router IP address is the same as the virtual server can be between 1 and 1024.
All vrid values must be unique within the VLAN to which the virtual router’s IP interface belongs.


addr <IP address (such as, 192.4.17.101)>
Defines the IP address for this virtual router using dotted decimal notation. This is used in conjunction with the vrid (above) to configure the same virtual router on each participating VRRP device. The default address is 0.0.0.0.

if <interface number (1-256)>
Selects a switch IP interface (between 1 and 256). If the IP interface has the same IP address as the addr option above, this switch is considered the “owner” of the defined virtual router. An owner has a special priority of 255 (highest) and will always assume the role of master router, even if it must preempt another virtual router which has assumed master routing authority. This preemption occurs even if the preem option below is disabled. The default value is 1.

prio <priority (1-254)>
Defines the election priority bias for this virtual server. This can be any integer between 1 and 254. The default value is 100.
During the master router election process, the routing device with the highest virtual router priority number wins. If there is a tie, the device with the highest IP interface address wins. If this virtual router’s IP address (addr) is the same as the one used by the IP interface, the priority for this virtual router will automatically be set to 255 (highest).
When priority tracking is used (/cfg/l3/vrrp/track or /cfg/l3/vrrp/vr #/track), this base priority value can be modified according to a number of performance and operational criteria.

adver <seconds (1-255)>
Defines the time interval between VRRP master advertisements. This can be any integer between 1 and 255 seconds. The default value is 1.

preem disable|enable
Enables or disables master preemption. When enabled, if this virtual router is in backup mode but has a higher priority than the current master, this virtual router will preempt the lower priority master and assume control. Note that even when preem is disabled, this virtual router will always preempt any other master if this switch is the owner (the IP interface address and virtual router addr are the same). By default, this option is enabled.

share disable|enable
Enables or disables virtual router sharing, a Nortel proprietary extension to VRRP. When enabled, this switch will process any traffic addressed to this virtual router, even when in backup mode. By default, this option is enabled.

ena
Enables this virtual router.

dis
Disables this virtual router.

del
Deletes this virtual router from the switch configuration.


cur
Displays the current configuration information for this virtual router.

/cfg/l3/vrrp/vr <router number>/track
Virtual Router Priority Tracking Configuration

This menu is used for modifying the priority system used when electing the master router from a pool of virtual routers. Various tracking criteria can be used to bias the election results. Each time one of the tracking criteria is met, the priority level for the virtual router is increased by an amount defined through the VRRP Tracking Menu (see page 395).

Criteria are tracked dynamically, continuously updating virtual router priority levels when enabled. If the virtual router preemption option (see preem in Table 6-91 on page 383) is enabled, this virtual router can assume master routing authority when its priority level rises above that of the current master.

Some tracking criteria (vrs, ifs, and ports below) apply to standard virtual routers, otherwise called “virtual interface routers.” Other tracking criteria (l4pts, reals, and hsrp) apply to “virtual server routers,” which perform Layer 4 Server Load Balancing functions. A virtual server router is defined as any virtual router whose IP address (addr) is the same as any configured virtual server IP address.

[VRRP Virtual Router 1 Priority Tracking Menu]
     vrs     - Enable/disable tracking master virtual routers
     ifs     - Enable/disable tracking other interfaces
     ports   - Enable/disable tracking VLAN switch ports
     l4pts   - Enable/disable tracking L4 switch ports
     reals   - Enable/disable tracking L4 real servers
     hsrp    - Enable/disable tracking HSRP
     hsrv    - Enable/disable tracking HSRP by VLAN
     cur     - Display current VRRP virtual router configuration


Table 6-92 VRRP Priority Tracking Menu Options (/cfg/l3/vrrp/vr/track)

Command Syntax and Usage

vrs disable|enable
When enabled, the priority for this virtual router will be increased for each virtual router in master mode on this switch. This is useful for making sure that traffic for any particular client/server pairing is handled by the same switch, increasing routing and load balancing efficiency. This command is disabled by default.

ifs disable|enable
When enabled, the priority for this virtual router will be increased for each IP interface active on this switch. An IP interface is considered active when there is at least one active port on the same VLAN. This helps elect the virtual routers with the most available routes as the master. This command is disabled by default.

ports disable|enable
When enabled, the priority for this virtual router will be increased for each active port on the same VLAN. A port is considered “active” if it has a link and is forwarding traffic. This helps elect the virtual routers with the most available ports as the master. This command is disabled by default.

l4pts disable|enable
When enabled for virtual server routers, the priority for this virtual router will be increased for each physical switch port which has active Layer 4 processing on this switch. This helps elect the main Layer 4 switch as the master. This command is disabled by default.

reals disable|enable
When enabled for virtual server routers, the priority for this virtual router will be increased for each healthy real server behind the virtual server IP address of the same IP address as the virtual router on this switch. This helps elect the switch with the largest server pool as the master, increasing Layer 4 efficiency. This command is disabled by default.

hsrp disable|enable
Hot Standby Router Protocol (HSRP) is used with some types of routers for establishing router failover. In networks where HSRP is used, enable this switch option to increase the priority of this virtual router for each Layer 4 client-only port that receives HSRP advertisements. Enabling HSRP helps elect the switch closest to the master HSRP router as the master, optimizing routing efficiency. This command is disabled by default.

hsrv disable|enable
Hot Standby Router on VLAN (HSRV) is used to work in VLAN-tagged environments. Enable this switch option to increment only that VRRP instance that is on the same VLAN as the tagged HSRP master flagged packet. This command is disabled by default.

cur
Displays the current configuration for priority tracking for this virtual router.


/cfg/l3/vrrp/vrgroup
Virtual Router Group Menu

This feature allows the failover of individual groups of VIRs and VSRs. When Web hosting is shared between two or more customers on a single VRRP switch, you can group VIRs and VSRs to serve the high availability of a specific customer. If failover occurs on a customer link, the group of VIRs and VSRs associated with that customer alone will fail over to the backup switch. The VIRs and VSRs configured for the other customers on the master switch are not affected.

Up to 16 virtual router groups can be configured on the switch.

[VRRP Virtual Router Vrgroup 1 Menu]
    track - Priority Tracking Menu
    name - Set virtual router group name
    add - Add virtual router to group
    rem - Remove virtual router from group
    prio - Set priority for virtual router group
    trackvr - Set track virtual router for group
    adver - Set advertisement interval for group
    preem - Enable/disable preemption for group
    share - Enable/disable sharing for group
    ena - Enable virtual router group
    dis - Disable virtual router group
    del - Delete virtual router group
    cur - Display current VRRP virtual router group configuration

Table 6-93 Virtual Router Group Menu Options (/cfg/l3/vrrp/vrgroup)

Command Syntax and Usage

track
Displays VRRP priority tracking menu for this virtual router group. Tracking is Nortel’s proprietary extension to VRRP, used for modifying the standard priority system used for electing the master router. To view menu options, see page 388.

name
Defines virtual router group name up to eight characters.

add <virtual router number (1-1024)>
Adds a virtual router to the group. Each virtual router group can have up to 64 virtual routers.

rem <virtual router number (1-1024)>
Removes a virtual router from the group.

prio <1-254>
Defines the election priority bias for this virtual router group. This can be any integer between 1 and 254. The default value is 100.
During the master router election process, the routing device with the highest virtual router priority number wins. If there is a tie, the device with the highest IP interface address wins. If this virtual router’s IP address (addr) is the same as the one used by the IP interface, the priority for this virtual router will automatically be set to 255 (highest).
When priority tracking is used (/cfg/l3/vrrp/vrgroup #/track), this base priority value can be modified according to a number of performance and operational criteria.

trackvr <virtual router number (0-1024)>
Set track virtual router for group.

adver <1-255 seconds>
Set advertisement interval for group.

preem disable|enable
Enable/disable preemption for group.

share disable|enable
Enable/disable sharing for group.

ena
Enables the virtual router group.

dis
Disables the virtual router group.

del
Deletes the virtual router group.

cur
Displays the current VRRP virtual router group configuration.

/cfg/l3/vrrp/vrgroup <vrgroup number>/track
Virtual Router Group Priority Tracking Configuration Menu

This menu is used for modifying the priority system used when electing the master router from a pool of virtual routers. Various tracking criteria can be used to bias the election results. Each time one of the tracking criteria is met, the priority level for the virtual router is increased by an amount defined through the VRRP Tracking Menu (see page 395). Criteria are tracked dynamically, continuously updating virtual router priority levels when enabled.

[VRRP Vrgroup 1 Priority Tracking Menu]
    ifs - Enable/disable tracking interfaces
    ports - Enable/disable tracking VLAN switch ports
    l4pts - Enable/disable tracking L4 switch ports
    reals - Enable/disable tracking L4 real servers
    hsrp - Enable/disable tracking HSRP
    hsrv - Enable/disable tracking HSRP by VLAN
    cur - Display current VRRP vrgroup tracking configuration

Table 6-94 Virtual Router Group Priority Tracking Menu Options (/cfg/l3/vrrp/vrgroup/track)

Command Syntax and Usage

ifs disable|enable
When enabled, the priority will be increased for each IP interface active on this virtual router group. An IP interface is considered active when there is at least one active port on the same VLAN. This helps elect the virtual routers with the most available routes as the master. This command is disabled by default.

ports disable|enable
When enabled, the priority will be increased for each active port on the VLAN on this virtual router group. A port is considered “active” if it has a link and is forwarding traffic. This helps elect the virtual routers with the most available ports as the master. This command is disabled by default.

l4pts disable|enable
When enabled for virtual server routers, the priority will be increased for each physical switch port which has active Layer 4 processing on this virtual router group. This helps elect the main Layer 4 switch as the master. This command is disabled by default.

reals disable|enable
When enabled for virtual server routers, the priority will be increased for each healthy real server behind the virtual server IP address of the same IP address as the virtual router on this virtual router group. This helps elect the switch with the largest server pool as the master, increasing Layer 4 efficiency. This command is disabled by default.

hsrp disable|enable
Hot Standby Router Protocol (HSRP) is used with some types of routers for establishing router failover. In networks where HSRP is used, enable this switch option to increase the priority of this virtual router group for each Layer 4 client-only port that receives HSRP advertisements. Enabling HSRP helps elect the switch closest to the master HSRP router as the master, optimizing routing efficiency. This command is disabled by default.

hsrv disable|enable
Hot Standby Router on VLAN (HSRV) is used to work in VLAN-tagged environments. Enable this switch option to increment only that VRRP instance on the virtual router group that is on the same VLAN as the tagged HSRP master flagged packet. This command is disabled by default.

cur
Displays the current configuration for priority tracking for this virtual router group.

/cfg/l3/vrrp/group
Virtual Router Group Configuration

The Virtual Router Group menu is used for associating all virtual routers into a single logical virtual router, which forces all virtual routers on the Nortel Application Switch to either be master or backup as a group. A virtual router is defined by its virtual router ID and an IP address. On each VRRP-capable routing device participating in redundancy for this virtual router, a virtual router will be configured to share the same virtual router ID and IP address.

[VRRP Virtual Router Group Menu]
    track - Priority Tracking Menu
    vrid - Set virtual router ID
    if - Set interface number
    prio - Set renter priority
    adver - Set advertisement interval
    preem - Enable or disable preemption
    share - Enable or disable sharing
    ena - Enable virtual router
    dis - Disable virtual router
    del - Delete virtual router
    cur - Display current VRRP virtual router configuration

NOTE – This option is required to be configured only when using at least two Nortel Application Switches in a hot-standby failover configuration, where only one switch is active at any time.

Table 6-95 VRRP Virtual Router Group Options (/cfg/l3/vrrp/group)

Command Syntax and Usage

track
Displays the VRRP Priority Tracking Menu for the virtual router group. Tracking is Nortel’s proprietary extension to VRRP, used for modifying the standard priority system used for electing the master router. Tracking is not needed if sharing (share) is enabled. To view menu options, see page 395.

vrid <virtual router ID (1-1024)>
Defines the virtual router ID for this group.

if <interface number (1-256)>
Selects a switch IP interface (between 1 and 256). The default switch IP interface number is 1.

prio <priority (1-254)>
Defines the election priority bias for this virtual router group. This can be any integer between 1 and 254. The default value is 100.
During the master router election process, the routing device with the highest virtual router priority number wins. If there is a tie, the device with the highest IP interface address wins. If this virtual router’s IP address (addr) is the same as the one used by the IP interface, the priority for this virtual router will automatically be set to 255 (highest).
When priority tracking is used (/cfg/l3/vrrp/track or /cfg/l3/vrrp/vr #/track), this base priority value can be modified according to a number of performance and operational criteria.

adver <1-255 (seconds)>
Defines the time interval between VRRP master advertisements. This can be any integer between 1 and 255 seconds. The default is 1.

preem disable|enable
Enables or disables master preemption. When enabled, if the virtual router group is in backup mode but has a higher priority than the current master, this virtual router will preempt the lower priority master and assume control. Note that even when preem is disabled, this virtual router will always preempt any other master if this switch is the owner (the IP interface address and virtual router addr are the same). By default, this option is enabled.

share disable|enable
Enables or disables virtual router sharing, Nortel’s proprietary extension to VRRP. When enabled, this switch will process any traffic addressed to this virtual router, even when in backup mode. By default, this option is enabled.

ena
Enables the virtual router group.

dis
Disables the virtual router group.

del
Deletes the virtual router group from the switch configuration.

cur
Displays the current configuration information for the virtual router group.

/cfg/l3/vrrp/group/track
Virtual Router Group Priority Tracking Configuration

NOTE – If Virtual Router Group Tracking is enabled, then the tracking option will be available only under group option. The tracking setting for the other individual virtual routers will be ignored.

[Virtual Router Group Priority Tracking Menu]
    ifs - Enable/disable tracking other interfaces
    ports - Enable/disable tracking VLAN switch ports
    l4pts - Enable/disable tracking L4 switch ports
    reals - Enable/disable tracking L4 real servers
    hsrp - Enable/disable tracking HSRP
    hsrv - Enable/disable tracking HSRP by VLAN
    cur - Display current VRRP Group Tracking configuration

Table 6-96 Virtual Router Group Priority Tracking Options (/cfg/l3/vr/group/track)

Command Syntax and Usage

ifs disable|enable
When enabled, the priority for this virtual router will be increased for each other IP interface active on this switch. An IP interface is considered active when there is at least one active port on the same VLAN. This helps elect the virtual routers with the most available routes as the master. This command is disabled by default.

ports disable|enable
When enabled, the priority for this virtual router will be increased for each active port on the same VLAN. A port is considered “active” if it has a link and is forwarding traffic. This helps elect the virtual routers with the most available ports as the master. This command is disabled by default.

l4pts disable|enable
When enabled for virtual server routers, the priority for this virtual router will be increased for each physical switch port which has active Layer 4 processing on this switch. This helps elect the main Layer 4 switch as the master. This command is disabled by default.

reals disable|enable
When enabled for virtual server routers, the priority for this virtual router will be increased for each healthy real server. This helps elect the switch with the largest server pool as the master, increasing Layer 4 efficiency. This command is disabled by default.

hsrp disable|enable
Enables Hot Standby Router Protocol (HSRP) for this virtual router group. HSRP is used with some types of routers for establishing router failover. In networks where HSRP is used, enable this switch option to increase the priority of this virtual router for each Layer 4 client-only port that receives HSRP advertisements. This helps elect the switch closest to the master HSRP router as the master, optimizing routing efficiency. This command is disabled by default.

hsrv disable|enable
Hot Standby Router on VLAN (HSRV) is used to work in VLAN-tagged environments. Enable this switch option to increment only that VRRP instance that is on the same VLAN as the tagged HSRP master flagged packet. This command is disabled by default.

cur
Displays the current configuration for priority tracking for this virtual router.


/cfg/l3/vrrp/if <interface number>
VRRP Interface Configuration

NOTE – The interface-number (1 to 256) represents the IP interface on which authentication parameters must be configured.

This menu is used for configuring VRRP authentication parameters for the IP interfaces used with the virtual routers.

[VRRP Interface 1 Menu]
    auth - Set authentication types
    passw - Set plain-text password
    del - Delete interface
    cur - Display current VRRP interface configuration

Table 6-97 VRRP Interface Menu Options (/cfg/l3/vrrp/if)

Command Syntax and Usage

auth none|password
Defines the type of authentication that will be used: none (no authentication), or password (password authentication).

passw <password>
Defines a plain text password up to eight characters long. This password will be added to each VRRP packet transmitted by this interface when password authentication is chosen (see auth above).

del
Clears the authentication configuration parameters for this IP interface. The IP interface itself is not deleted.

cur
Displays the current configuration for this IP interface’s authentication parameters.
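Because the passw value travels unencrypted in every advertisement, a capture taken on the VLAN is enough to audit which authentication mode an interface is really using. The following added example (not part of the Nortel reference) parses an advertisement and reports the mode; it assumes the switch emits standard VRRPv2 advertisements as laid out in RFC 2338, where type 1 is the simple text password and the password fills the 8-byte Authentication Data field. The sample packet is constructed.

```python
import struct
from ipaddress import IPv4Address

# Authentication Type values defined for VRRPv2 (RFC 2338).
AUTH_TYPES = {0: "none", 1: "simple text password", 2: "IP Authentication Header"}


def internet_checksum(data: bytes) -> int:
    """16-bit one's complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, prio, addrs, auth_type, password=b"", adver=1) -> bytes:
    """Build a VRRPv2 advertisement; used here only to construct sample input."""
    body = b"".join(IPv4Address(a).packed for a in addrs)
    auth = password.ljust(8, b"\x00")[:8]            # field is exactly 8 bytes
    hdr = struct.pack("!BBBBBBH", 0x21, vrid, prio, len(addrs), auth_type, adver, 0)
    csum = internet_checksum(hdr + body + auth)
    return hdr[:6] + struct.pack("!H", csum) + body + auth


def parse_advert(pkt: bytes) -> dict:
    """Decode the fixed header, the address list and the authentication data."""
    if len(pkt) < 16:
        raise ValueError("too short for a VRRPv2 advertisement")
    vt, vrid, prio, count, auth_type, adver, _ = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != 2 or vt & 0x0F != 1:
        raise ValueError("not a VRRPv2 advertisement")
    end = 8 + 4 * count
    if len(pkt) < end + 8:
        raise ValueError("truncated advertisement")
    return {
        "vrid": vrid,
        "priority": prio,
        "adver": adver,
        "addresses": [str(IPv4Address(pkt[i:i + 4])) for i in range(8, end, 4)],
        "auth_type": auth_type,
        "auth_data": pkt[end:end + 8],
        # A message with a correct checksum field sums to zero.
        "checksum_ok": internet_checksum(pkt[:end + 8]) == 0,
    }


def audit_advert(pkt: bytes) -> list:
    """Return findings about the authentication carried by one advertisement."""
    info = parse_advert(pkt)
    findings = []
    if not info["checksum_ok"]:
        findings.append("checksum mismatch: packet is corrupt or malformed")
    if info["auth_type"] == 0:
        findings.append(f"VRID {info['vrid']}: auth none, advertisements are unauthenticated")
    elif info["auth_type"] == 1:
        findings.append(f"VRID {info['vrid']}: password is sent in clear text in every advertisement")
    elif info["auth_type"] not in AUTH_TYPES:
        findings.append(f"VRID {info['vrid']}: unknown authentication type {info['auth_type']}")
    return findings


if __name__ == "__main__":
    sample = build_advert(1, 100, ["10.0.0.1"], 1, b"s3cret")   # constructed packet
    print(parse_advert(sample))
    print(audit_advert(sample))
```
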


/cfg/l3/vrrp/track
VRRP Tracking Configuration

This menu is used for setting weights for the various criteria used to modify priority levels during the master router election process. Each time one of the tracking criteria is met (see “VRRP Virtual Router Priority Tracking Menu” on page 385), the priority level for the virtual router is increased by an amount defined through this menu.
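The election rules and tracking increments can be worked through as a small model. This is an added example, not code from the Nortel reference: it uses the default increments listed in Table 6-98 and the prio, preem and owner rules stated in the option tables, and it assumes that tracking cannot raise a non-owner above 254. Switch labels and addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# Default increments listed in Table 6-98 (/cfg/l3/vrrp/track).
DEFAULT_INCREMENTS = {"vrs": 2, "ifs": 2, "ports": 2, "l4pts": 2,
                      "reals": 2, "hsrp": 10, "hsrv": 10}
OWNER_PRIORITY = 255      # automatic when addr equals the IP interface address
PRIORITY_CEILING = 254    # assumption: tracking cannot lift a non-owner above 254


@dataclass
class VirtualRouter:
    switch: str                   # label for the switch (constructed)
    if_addr: str                  # IP interface address on that switch
    vr_addr: str                  # virtual router address (addr)
    prio: int = 100               # base priority, default 100
    preem: bool = True            # preemption, enabled by default
    tracking: set = field(default_factory=set)     # criteria switched on
    observed: dict = field(default_factory=dict)   # criterion -> times met

    def is_owner(self) -> bool:
        return IPv4Address(self.if_addr) == IPv4Address(self.vr_addr)

    def effective_priority(self, increments=None) -> int:
        """Base priority plus one increment per met criterion that is enabled."""
        increments = increments or DEFAULT_INCREMENTS
        if self.is_owner():
            return OWNER_PRIORITY
        bonus = sum(increments[c] * self.observed.get(c, 0) for c in self.tracking)
        return min(self.prio + bonus, PRIORITY_CEILING)


def _rank(vr, increments=None):
    # Highest priority wins; a tie goes to the highest IP interface address.
    return (vr.effective_priority(increments), int(IPv4Address(vr.if_addr)))


def elect_master(routers, increments=None):
    """Initial election among routers sharing one virtual router ID."""
    return max(routers, key=lambda vr: _rank(vr, increments))


def master_after_change(current, routers, increments=None):
    """Master after priorities move: a backup takes over only if it has a
    higher priority and preem is enabled, or if it is the address owner."""
    cur_prio = current.effective_priority(increments)
    challengers = [vr for vr in routers
                   if vr is not current
                   and vr.effective_priority(increments) > cur_prio
                   and (vr.preem or vr.is_owner())]
    return elect_master(challengers, increments) if challengers else current


if __name__ == "__main__":
    a = VirtualRouter("A", "10.0.0.2", "10.0.0.1", tracking={"ports"}, observed={"ports": 4})
    b = VirtualRouter("B", "10.0.0.3", "10.0.0.1", tracking={"ports"}, observed={"ports": 2})
    print(elect_master([a, b]).switch)            # A leads with four active ports
    a.observed["ports"] = 1                       # three ports on A lose link
    print(master_after_change(a, [a, b]).switch)  # B preempts
```
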

[VRRP Tracking Menu]
    vrs - Set priority increment for virtual router tracking
    ifs - Set priority increment for IP interface tracking
    ports - Set priority increment for VLAN switch port tracking
    l4pts - Set priority increment for L4 switch port tracking
    reals - Set priority increment for L4 real server tracking
    hsrp - Set priority increment for HSRP tracking
    hsrv - Set priority increment for HSRP by VLAN tracking
    cur - Display current VRRP Priority Tracking configuration

Table 6-98 VRRP Tracking Options (/cfg/l3/vrrp/track)

Command Syntax and Usage

vrs <0-254>
Defines the priority increment value (1 through 254) for virtual routers in master mode detected on this switch. The default value is 2.

ifs <0-254>
Defines the priority increment value (1 through 254) for active IP interfaces detected on this switch. The default value is 2.

ports <0-254>
Defines the priority increment value (1 through 254) for active ports on the virtual router’s VLAN. The default value is 2.

l4pts <0-254>
Defines the priority increment value (1 through 254) for physical switch ports with active Layer 4 processing. The default value is 2.

reals <0-254>
Defines the priority increment value (1 through 254) for healthy real servers behind the virtual server router. The default value is 2.

hsrp <0-254>
Defines the priority increment value (1 through 254) for switch ports with Layer 4 client-only processing that receive HSRP broadcasts. The default value is 10.

hsrv <0-254>
Defines the priority increment value (1 through 254) for VRRP instances that are on the same VLAN. The default value is 10.

cur
Displays the current configuration of priority tracking increment values.

These priority tracking options only define increment values. These options do not affect the VRRP master router election process until options under the VRRP Virtual Router Priority Tracking Menu (see page 385) are enabled.

/cfg/l3/metrc <metric name>
Default Gateway Metrics

If multiple default gateways are configured and enabled, a metric can be set to determine which primary gateway is selected. There are two metrics, which are described in the table “Default Gateway Metrics (/cfg/l3/metrc)” on page 396.

Table 6-99 Default Gateway Metrics (/cfg/l3/metrc)

Option        Description

strict        The gateway number determines its level of preference. Gateway #1 acts as the preferred default IP gateway until it fails or is disabled, at which point the next in line will take over as the default IP gateway.

roundrobin    This provides basic gateway load balancing. The switch sends each new gateway request to the next healthy, enabled gateway in line. All gateway requests to the same destination IP address are resolved to the same gateway.

/cfg/slb

/cfg/slb displays the Server Load Balancing Configuration Menu. To view menu options, see Chapter 7, “The SLB Configuration Menu”.

/cfg/security
Security Configuration Menu

[Security Menu]
    port - Port Security Menu
    ipacl - IP ACL Menu
    udpblast - UDP Blast Protection Menu
    dos - Protocol Anomaly and DoS Attack Prevention Menu
    pgroup - Pattern Match Group Menu
    seclog - Set rate threshold for security logging
    pdepth - Set packet depth for pattern matching
    cur - Display current Security configuration

Table 6-100 Security Configuration Menu Options (/cfg/security)

Command Syntax and Usage

port <port number>
Displays Port Security Menu. To view menu options, see page 399.

ipacl
Displays IP address Access Control Menu. To view options, see page 400.

udpblast
Displays UDP Blast Menu. To view menu options, see page 402.

dos
Go to the Protocol Anomaly and DoS Attack Prevention Menu. To view menu options, see page 403.

pgroup <pattern group ID (1-128)>
Displays Pattern Match Group Menu. To view menu options, see page 404.

seclog <rate threshold packets/sec, 0-1048576 (0, no rate threshold)>
Defines the rate threshold for security logging by the number of packets per second. Any packets above the current threshold will be logged.


pdepth <# of packets, 1-255|none>
Defines the search window for pattern matching beginning from the start of the packet stream. The window is in units of packets.

cur
Displays the current security configuration.


/cfg/security/port
Port Security Menu

[Port <port_number> Menu]
    bogon - Enable/disable bogon IP ACL
    ipacl - Enable/disable IP ACL
    udpblast - Enable/disable UDP blast protection
    dos - Enable/disable protocol anomaly and DoS attack prevention
    add - Add protocol anomaly/DoS attack to prevention
    aadd - Add all protocol anomaly/DoS attack to prevention
    rem - Remove protocol anomaly/DoS attack from prevention
    arem - Remove all protocol anomaly/DoS attack from prevention
    help - Protocol anomaly and DoS attack prevention description
    cur - Display current port configuration

Table 6-101 Port Security Menu Options

Command Syntax and Usage

bogon enable|disable
Enable or disable bogon IP ACL.

ipacl enable|disable
Enable or disable IP ACL.

udpblast enable|disable
Enable or disable UDP blast protection.

dos enable|disable
Enable or disable protocol anomaly and DoS attack prevention.

add iplen | ipversion | broadcast | loopback | land | ipreerved | ipttl | ipprot | ipoptlen | fragmoredont | fragdata | fragboundary | fraglast | fragdontoff | fragopt | fragoff | frag oversize | tcplen | tcportzero | blat | tcpreserved | nullscan | fullxmasscan | finscan | vecnascan | xmasscan | synfinscan | flagabnormal | syndata | synfrag | ftpport | dnsport | seqzero | ackzero | tcpoptlen | udplen | udpportzero | fraggle | pepsi | rc8 | snmpnull | icmplen | smurf | icmpdata | icmpoff | icmp-type | igmplen | igmpfrag | igmptype | arplen | arpnbcast | arpncast | arpspoof | garp | ip6len | ip6version
Add protocol anomaly/DoS attack to prevention.

aadd
Add all protocol anomaly/DoS attack to prevention for the port.

rem iplen | ipversion | broadcast | loopback | land | ipreerved | ipttl | ipprot | ipoptlen | fragmoredont | fragdata | fragboundary | fraglast | fragdontoff | fragopt | fragoff | frag oversize | tcplen | tcportzero | blat | tcpreserved | nullscan | fullxmasscan | finscan | vecnascan | xmasscan | synfinscan | flagabnormal | syndata | synfrag | ftpport | dnsport | seqzero | ackzero | tcpoptlen | udplen | udpportzero | fraggle | pepsi | rc8 | snmpnull | icmplen | smurf | icmpdata | icmpoff | icmp-type | igmplen | igmpfrag | igmptype | arplen | arpnbcast | arpncast | arpspoof | garp | ip6len | ip6version
Remove protocol anomaly/DoS attack from prevention.

arem
Remove all protocol anomaly/DoS attack from prevention for the port.

help
Description of Protocol anomaly and DoS attack prevention.

cur
Display current port configuration. For example:

Current port 1: bogon disabled, ipacl disabled, udpblast disabled, dos disabled

/cfg/security/ipacl
IP Address Access Control List Configuration Menu

Nortel Application Switch Operating System can be configured with IP access control lists (ACLs) composed of ranges of client IP addresses that are to be denied access to the switch. When traffic ingresses the switch, the client source or destination IP address is checked against this pool of addresses. If a match is found, then the client traffic is blocked.

[IP ACL Menu]
    add - Add configuration source IP Address/Mask
    rem - Remove configuration source IP Address/Mask
    arem - Remove all configuration source IP Address/Mask
    dadd - Add configuration destination IP Address/Mask
    drem - Remove configuration destination IP Address/Mask
    darem - Remove all configuration destination IP Address/Mask
    cfg - Display configuration IP Address/Mask
    bogon - Display bogon IP Address/Mask
    oper - Display operations IP Address/Mask
    cur - Display all IP Address/Mask

Table 6-102 IP Address ACL Menu Options (/cfg/sec/ipacl)

Command Syntax and Usage

add <IP address> <IP mask>
Adds range of source IP addresses to be denied, defined by the IP address/mask pair.

rem <IP address/mask pair index>
Removes range of source IP addresses to be denied, defined by the IP address/mask pair index.

arem
Remove all configuration source IP Address/Mask.

dadd <IP address> <IP subnet mask>
Add configuration destination IP Address/Mask.

drem <IP address> <IP subnet mask>
Remove configuration destination IP Address/Mask.

darem
Remove all configuration destination IP Address/Mask.

cfg
Display configuration IP Address/Mask.

bogon
Display bogon IP Address/Mask.

oper
Display operations IP Address/Mask.

cur
Displays current IP address ranges in Access Control List.


/cfg/security/udpblast
UDP Blast Protection Configuration Menu

Malicious attacks over UDP protocol ports are becoming a common way to bring down real servers. Nortel Application Switch Operating System can be configured to restrict the amount of traffic allowed on any UDP port, thus ensuring that backend servers are not flooded with data and disabled.

You can specify a series of UDP port ranges and the allowed packet limit for that range. When the maximum number of packets/second is reached, UDP traffic is shut down on those ports.

Nortel Application Switch Operating System supports up to 5000 UDP port numbers, using any integer from 1 to 65535. The maximum port range is 5000. If the first port number is 300, the last number that can be used is 5300.

While you can configure multiple port ranges, the sum of ranges cannot exceed the maximum of 5000 ports.

[UDP Blast Protection Menu]
    add - Add UDP port/range for UDP blast protection
    rem - Remove UDP port/range for UDP blast protection
    default - Default packet rate for UDP blast protection
    cur - Display all UDP blast protection Ports

Table 6-103 UDP Blast Protection Menu Options (/cfg/sec/udpblast)

Command Syntax and Usage

add <UDP port number or range (first-last)> [packet rate]
Adds UDP port or range for UDP blast protection, as well as the maximum packet rate per second. If the number of packets on this port range exceeds the maximum packet rate per second, UDP traffic will be dropped.

rem <UDP port number or range (first-last)>
Removes UDP port or range for UDP blast protection.

default <packet rate>
Defines the default packet rate for UDP blast protection.

cur
Displays all UDP blast protection ports.


/cfg/security/dos
Anomaly and Denial of Service Attack Prevention Menu

[Protocol Anomaly and DoS Attack Prevention Menu]
    ipttl - Set the smallest allowable IP ttl for ipttl
    ipprot - Set the highest allowable IP protocol for ipprot
    fragdata - Set smallest allowable IP fragment payload for fragdata
    fragoff - Set the smallest allowable IP fragment offset for fragoff
    syndata - Set the largest allowable TCP SYN payload for syndata
    icmpdata - Set the largest allowable ICMP payload for icmpdata
    icmpoff - Set the largest allowable ICMP fragment offset for icmpoff
    help - Protocol anomaly and DoS attack prevention description
    cur - Display current protocol anomaly and DoS attack prevention

Table 6-104 Anomaly and DoS Menu Options

Command Syntax and Usage

ipttl <IPv4 TTL, 0-255>
Set the smallest allowable IP ttl for IPTTL.

ipprot <highest allowable IPv4 protocol [0-255]>
Set the highest allowable IP protocol for IP protection. For example:

Current highest allowable IPv4 protocol: 137
Enter new highest allowable IPv4 protocol [0-255]:

fragdata <IPv4 fragment payload size in bytes, 16-248>
Set the smallest allowable IP fragment payload.

fragoff <IPv4 fragment offset in multiples of 8 bytes, 1-255>
Set the smallest allowable IP fragment offset.

syndata <TCP packet payload size in bytes, 0-255>
Set the largest allowable IP SYN payload.

icmpdata <ICMP packet payload size in bytes, 1-9026>
Set the largest allowable ICMP payload.

icmpoff <ICMP fragment offset in multiples of 8 bytes, 1-8190>
Set the largest allowable ICMP fragment offset.

help
Description of the Anomaly and DoS attack prevention.

cur
Display current protocol anomaly and DoS attack prevention settings. For example:

Current protocol anomaly and DoS attack prevention settings: ipttl 1, ipprot 137, fragdata 32, fragoff 4, syndata 0, icmpdata 800, icmpoff 101
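To see what a given set of thresholds would flag before committing it, the cur output can be parsed and applied to packet summaries. The sketch below is an added example, not the switch's own logic: the range limits come from Table 6-104, while the packet dictionaries, their field names, and the exact conditions under which each check fires (for instance, that fragdata applies only to fragments with more fragments to follow) are assumptions.

```python
import re

# Example output shown for the cur command above.
CUR_OUTPUT = ("Current protocol anomaly and DoS attack prevention settings: "
              "ipttl 1, ipprot 137, fragdata 32, fragoff 4, syndata 0, "
              "icmpdata 800, icmpoff 101")

# Permitted ranges from Table 6-104.
RANGES = {"ipttl": (0, 255), "ipprot": (0, 255), "fragdata": (16, 248),
          "fragoff": (1, 255), "syndata": (0, 255), "icmpdata": (1, 9026),
          "icmpoff": (1, 8190)}

ICMP, TCP = 1, 6   # IP protocol numbers


def parse_cur(text: str) -> dict:
    """Turn the 'cur' line into a {setting: value} dictionary."""
    _, _, settings = text.partition(":")
    found = {name: int(value) for name, value in re.findall(r"(\w+)\s+(\d+)", settings)}
    missing = sorted(set(RANGES) - set(found))
    if missing:
        raise ValueError(f"settings missing from output: {missing}")
    return found


def out_of_range(thresholds: dict) -> list:
    """Settings whose value falls outside the range the menu accepts."""
    return [name for name, (low, high) in RANGES.items()
            if not low <= thresholds[name] <= high]


def anomalies(pkt: dict, t: dict) -> list:
    """Names of the threshold checks a packet summary would trip.

    pkt keys (hypothetical): ttl, proto, payload_len in bytes, frag_off in
    8-byte units, more_frags (bool), syn (bool).
    """
    hits = []
    off = pkt.get("frag_off", 0)
    size = pkt.get("payload_len", 0)
    if pkt["ttl"] < t["ipttl"]:
        hits.append("ipttl")                      # TTL below the smallest allowed
    if pkt["proto"] > t["ipprot"]:
        hits.append("ipprot")                     # protocol number above the highest allowed
    if pkt.get("more_frags", False) and size < t["fragdata"]:
        hits.append("fragdata")                   # undersized non-final fragment
    if 0 < off < t["fragoff"]:
        hits.append("fragoff")                    # fragment offset too close to the header
    if pkt["proto"] == TCP and pkt.get("syn") and size > t["syndata"]:
        hits.append("syndata")                    # SYN carrying more data than allowed
    if pkt["proto"] == ICMP:
        if size > t["icmpdata"]:
            hits.append("icmpdata")               # oversized ICMP payload
        if off > t["icmpoff"]:
            hits.append("icmpoff")                # ICMP fragment placed too far out
    return hits


if __name__ == "__main__":
    limits = parse_cur(CUR_OUTPUT)
    samples = [                                   # constructed packet summaries
        {"ttl": 64, "proto": TCP, "syn": True, "payload_len": 0},
        {"ttl": 64, "proto": TCP, "syn": True, "payload_len": 20},
        {"ttl": 64, "proto": ICMP, "payload_len": 1400},
        {"ttl": 64, "proto": 17, "more_frags": True, "payload_len": 8},
    ]
    for pkt in samples:
        print(pkt, "->", anomalies(pkt, limits) or "clean")
```
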


/cfg/security/pgroup <pattern group number>
Pattern Matching Menu

When a virus or other attack contains multiple patterns or strings, it is useful to combine them into one group and give the group a name that is easy to remember. When a pattern group is applied to a deny filter, the switch will match any of the strings or patterns within that group before denying and dropping the packet. Up to five patterns can be combined into a single pattern group. Configure the binary or ASCII pattern strings, group them into a pattern group, name the pattern group, and then apply the group to a filter.

The filtering commands in Nortel Application Switch Operating System Advanced Denial of Service Pack allow the administrator to define groups of patterns. By applying the patterns and groups to a deny filter, the packet content can be detected and thus denied access to the network.

The Nortel Application Switch Operating System 23.0 supports up to 1024 pattern matching groups.

[Pattern Match Group 1 Menu] name - Set pattern group name add - Add SLB string to group rem - Remove SLB string from group del - Delete pattern group cur - Display current configuration

Table 6-105 Pattern Matching Group Menu Options (/cfg/sec/pgroup)

Command Syntax and Usage

name <31 character name>|none
Specifies a descriptive name for this pattern group.

add <string ID>
Adds a pre-configured SLB string to this pattern group by the string ID number. To configure SLB strings, use the /cfg/slb/layer7/slb/add command described on page 475. To view existing strings and their ID numbers, use the /cfg/slb/layer7/slb/cur command, also on page 475.

Note: You can only add binary or ASCII strings to a pattern matching group. Up to five patterns can be combined into a single pattern group.

rem <SLB string ID>
Removes an SLB string from this pattern group.

del
Deletes the pattern group.

Page 405: Nortel Commands

cur
Displays the current configuration of this pattern group.

Page 406: Nortel Commands

/cfg/sslproc
SSL Processor Menu

[SSL Processor Menu]
     mip  - Set SSL processor management IP
     port - Set SSL processor Web server port
     rts  - Enable/disable RTS processing
     filt - Enable/disable filtering
     add  - Add filter
     rem  - Remove filter
     cur  - Display current SSL processor configuration

Table 6-106 SSL Processor Menu Options

Command Syntax and Usage

mip <SSL processor management IP>
Set SSL processor management IP.

port <SSL processor Web server port>
Set SSL processor Web server port.

rts enable|disable
Enable/disable RTS processing.

filt enable|disable
Enable/disable filtering.

add <filter ID, 1-2048>
Add a filter.

rem <filter ID, 1-2048>
Remove a filter.

cur
Display current SSL processor configuration.

/cfg/setup
Setup

The setup program steps you through configuring the system date and time, BOOTP, IP, Spanning Tree, port speed/mode, VLAN parameters, and IP interfaces. For a complete description of how to use setup, see Chapter 2, “First-Time Configuration.”

Page 407: Nortel Commands

To start the setup program, at the Configuration# prompt, enter:

>> Configuration# setup

"Set Up" will walk you through the configuration of
System Date and Time, BOOTP, Spanning Tree, Management Port, Port Speed/Mode,
VLANs, and IP interfaces. [type Ctrl-C to abort "Set Up"]
------------------------------------------------------------------

/cfg/dump
Dump

The dump program writes the current switch configuration to the terminal screen. To start the dump program, at the Configuration# prompt, enter:

Configuration# dump

The configuration is displayed with parameters that have been changed from the default values. The screen display can be captured, edited, and placed in a script file, which can be used to configure other switches through a Telnet connection. When using Telnet to configure a new switch, paste the configuration commands from the script file at the command line prompt of the switch. The active configuration can also be saved or loaded via TFTP, as described on page 408.

Page 408: Nortel Commands

/cfg/ptcfg
Saving the Active Switch Configuration

When the ptcfg command is used, the switch’s active configuration commands (as displayed using /cfg/dump) will be uploaded to the specified script configuration file on the TFTP or FTP server. To start the switch configuration upload, at the Configuration# prompt, enter:

Configuration# ptcfg <TFTP/FTP server> <filename> {-tftp | ftp user name ftp password} [-m | -mgmt | -d | -data]

where server is the TFTP or FTP server IP address or hostname, and filename is the name of the target script configuration file.

NOTE – The output file is formatted with line-breaks but no carriage returns—the file cannot be viewed with editors that require carriage returns (such as Microsoft Notepad).

NOTE – If the TFTP server is running SunOS or the Solaris operating system, the specified ptcfg file must exist prior to executing the ptcfg command and must be writable (set with proper permission, and not locked by any application). The contents of the specified file will be replaced with the current configuration data.

/cfg/gtcfg
Restoring the Active Switch Configuration

When the gtcfg command is used, the active configuration will be replaced with the commands found in the specified configuration file. The file can contain a full switch configuration or a partial switch configuration. The configuration loaded using gtcfg is not activated until the apply command is used. If the apply command is found in the configuration script file loaded using this command, the apply action will be performed automatically.

To start the switch configuration download, at the Configuration# prompt, enter:

Configuration# gtcfg <TFTP/FTP server> <filename> {-tftp | ftp user name ftp password} [-m | -mgmt | -d | -data]

Page 409: Nortel Commands

where server is the TFTP or FTP server IP address or hostname, and filename is the name of the target script configuration file.

Page 410: Nortel Commands

Page 411: Nortel Commands

CHAPTER 7
The SLB Configuration Menu

Server Load Balancing (SLB) allows you to configure the Nortel Application Switch to balance user session traffic among a pool of available servers that provide shared services. In an average network that employs multiple servers without server load balancing, each server usually specializes in providing one or two unique services. If one of these servers provides access to applications or data that is in high demand, it can become overutilized. Placing this kind of strain on a server can decrease the performance of the entire network as user requests are rejected by the server and then resubmitted by the user stations. With this software feature, the switch is aware of the services provided by each server and can direct user session traffic to an appropriate server, based on a variety of load-balancing algorithms.

This chapter discusses how to use the Command Line Interface (CLI) for configuring Server Load Balancing (SLB) on the Nortel Application Switch. Refer to your Nortel Application Switch Operating System Application Guide for detailed information on this feature.

Page 412: Nortel Commands

/cfg/slb
SLB Configuration

[Layer 4 Menu]
     real    - Real Server Menu
     group   - Real Server Group Menu
     virt    - Virtual Server Menu
     filt    - Filtering Menu
     port    - Layer 4 Port Menu
     gslb    - Global SLB Menu
     layer7  - Layer 7 Resource Definition Menu
     wap     - WAP Menu
     sync    - Config Synch Menu
     adv     - Layer 4 Advanced Menu
     linklb  - Inbound Linklb Menu
     advhc   - Layer 4 Advanced Health Check Menu
     pip     - Proxy IP Address Menu
     peerpip - Peer Proxy IP Address Menu
     wlm     - Workload Manager Menu
     on      - Globally turn Layer 4 processing ON
     off     - Globally turn Layer 4 processing OFF
     cur     - Display current Layer 4 configuration

Table 7-1 Server Load Balancing Configuration Menu Options (/cfg/slb)

Command Syntax and Usage

real <real server number (1-1023)>
Displays the menu for configuring real servers. To view menu options, see page 414.

group <real server group number (1-1024)>
Displays the menu for placing real servers into real server groups. To view menu options, see page 423.

virt <virtual server number (1-1024)>
Displays the menu for defining virtual servers. To view menu options, see page 431.

filt <filter ID (1-2048)>
Displays the menu for Filtering and Application Redirection. To view menu options, see page 445.

port <port number>
Displays the menu for setting physical switch port states for Layer 4 activity. To view menu options, see page 463.

Page 413: Nortel Commands

gslb
Displays the menu for configuring Global Server Load Balancing. To view menu options, see page 465.

layer7
Displays the Layer 7 Resource Definition Menu. To view menu options, see page 472.

wap
Displays the WAP Menu. To view menu options, see page 477.

sync
Displays the Synch Peer Switch Menu. To view menu options, see page 478.

adv
Displays the Layer 4 Advanced Menu. To view menu options, see page 480.

linklb
Displays the Inbound Link Load Balancing Menu. To view menu options, see page 484.

advhc
Displays the Layer 4 Advanced Health Check Menu. To view menu options, see page 486.

pip
This menu is used to set the switch proxy IP address using dotted decimal notation. When the pip is defined, client address information in Layer 4 requests is replaced with this proxy IP address. To view options, see page 496.

peerpip
Displays the Peer Proxy IP Address Menu. When this command is enabled, the switch is able to forward traffic from the other switch, using Layer 2, without performing server processing on the packets of the other switch. This happens because the peer switches are aware of each other’s proxy IP addresses. This prevents a packet from being dropped or sent to the backup switch in the absence of the proxy IP address of the peer switch. To view menu options, see page 497.

wlm
Displays the menu for workload management of servers. To view menu options, see page 498.

on
Globally turns on Layer 4 software services for Server Load Balancing and Application Redirection. This option can be performed only after the optional Layer 4 software is enabled (see “Activating Optional Software” on page 509). Enabling Layer 4 services is not necessary for using filters only to allow, deny, or NAT traffic.

Page 414: Nortel Commands

off
Globally disables Layer 4 services. All configuration information will remain in place (if applied or saved), but the software processes will no longer be active in the switch.

cur
Displays the current Server Load Balancing configuration.

Filtering and Layer 4 (Server Load Balancing)

Filters configured to allow, deny, or perform Network Address Translation (NAT) on traffic do not require Layer 4 software to be activated. These filters are not affected by the Server Load Balancing on and off commands in this menu.

Application Redirection filters, however, require Layer 4 software services. Layer 4 processing must be turned on before redirection filters will work.

/cfg/slb/real <server number>
Real Server SLB Configuration

[Real Server 1 Menu]
     adv     - Real Server Advanced Menu
     layer7  - Layer 7 Command Menu
     ids     - IDS Command Menu
     rip     - Set IP addr of real server
     name    - Set real server name
     weight  - Set weight for real server
     maxcon  - Set maximum number of connections
     tmout   - Set minutes inactive connection remains open
     backup  - Set backup real server
     inter   - Set interval between health checks
     retry   - Set number of failed attempts to declare server DOWN
     restr   - Set number of successful attempts to declare server UP
     overflo - Enable/Disable backup on overflow
     addport - Add real port to server
     remport - Remove real port from server
     ena     - Enable real server
     dis     - Disable real server
     del     - Delete real server
     cur     - Display current real server configuration

Page 415: Nortel Commands

This menu is used for configuring information about real servers that participate in a server pool for Server Load Balancing or Application Redirection. The required parameters are:

Real server IP address
Real server enabled (disabled by default)

Table 7-2 Real Server Configuration Menu Options (/cfg/slb/real)

Command Syntax and Usage

adv
Go to the Real Server Advanced menu. To view menu options, see page 421.

layer7
Displays the Layer 7 Menu. To view menu options, see page 421.

ids
Displays the Intrusion Detection Server/system menu. To view menu options, see page 422.

rip <real server IP address>
Sets the IP address of the real server in dotted decimal format. When this command is used, the address entered is PINGed to determine if the server is up, and the administrator will be warned if the server does not respond.

name <string, maximum 31 characters>|none
Defines a 15-character alias for each real server. This will enable the network administrator to quickly identify the server by a natural language keyword value.

weight <real server weight (1-48)>
Sets the weighting value (1 to 48) that this real server will be given in the load balancing algorithms. Higher weighting values force the server to receive more connections than the other servers configured in the same real server group. By default, each real server is given a weight setting of 1. A setting of 10 would assign the server roughly 10 times the number of connections as a server with a weight of 1.

Weights are not applied when using the hash or minmisses metrics (see “Server Load Balancing Metrics” on page 429).

avail <server weight (1-48)>
Displays the currently available real server for Global server load balancing and allows the user to change to another real server for Global server load balancing.

Page 416: Nortel Commands

maxcon <maximum connections (0-200000)>
Sets the maximum number of connections that this server should simultaneously support. By default, the number of maximum connections is set at 200,000. This option sets a threshold as an artificial barrier, such that new connections will not be issued to this server if the maxcon limit is reached. New connections will be issued again to this server once the number of current connections has decreased below the maxcon setting.

If all servers in a real server group for a virtual server reach their maxcon limit at the same time, client requests will be sent to the backup/overflow server or backup/overflow server group. If no backup servers/server group are configured, client requests will be dropped by the virtual server.

tmout <even number of minutes (2-32768)>
Sets the number of minutes an inactive session remains open (in even numbered increments).

Every client-to-server session being load balanced is recorded in the switch's Session Table. When a client makes a request, the session is recorded in the table. The data is transferred until the client ends the session, and the session table entry is then removed.

In certain circumstances, such as when a client application is abnormally terminated by the client's system, TCP/UDP connections will remain registered in the switch's binding table. In order to prevent table overflow, these orphaned entries must be aged out of the binding table.

Using the tmout option, you can set the number of minutes to wait before removing orphan table entries. Settings must be specified in even numbered increments between 2 and 32768 minutes. The default setting is 10.

This option is also used with the Persistent option (see /cfg/slb/virt/pbind). When persistent is activated, this option sets how long an idle client is allowed to remain associated with a particular server.

backup <real server number (1-1023)>|none
Sets the real server used as the backup/overflow server for this real server.

To prevent loss of service if a particular real server fails, use this option to assign a backup real server number. Then, if the real server becomes inoperative, the switch will activate the backup real server until the original becomes operative again.

The backup server is also used in overflow situations. If the real server reaches its maxcon (maximum connections) limit, the backup comes online to provide additional processing power until the original server becomes desaturated.

The same backup/overflow server may be assigned to more than one real server at the same time.

Page 417: Nortel Commands

inter <number of seconds between health checks (0-60)>
Sets the interval between real server health verification attempts.

Determining the health of each real server is a necessary function for Layer 4 switching. For TCP services, the switch verifies that real servers and their corresponding services are operational by opening a TCP connection to each service, using the defined service ports configured as part of each virtual service. For UDP services, the switch pings servers to determine their status.

The inter option lets you choose the time between health checks. The range is from 1 to 60 seconds. The default interval is 2 seconds. An interval of “0” disables health checking for the server.

retry <number of consecutive health checks (1-63)>
Sets the number of failed health check attempts required before declaring this real server inoperative. The range is from 1 to 63 attempts. The default is 4 attempts.

restr <number of consecutive health checks (1-63)>
Sets the number of successful health check attempts required before declaring a UDP service operational. The range is from 1 to 63 attempts. The default is 8 attempts.

overflo enable|disable
Enable or disable backup upon overflow.

addport <real server port (2–65534)>
Add multiple service ports to the server.

remport <real server port (2–65534)>
Remove multiple service ports from the server.

remote disable|enable
Enables or disables remote site operation for this server. This option should be enabled when the real IP address supplied above represents a remote server (real or virtual) that this switch will access as part of its Global Server Load Balancing network. By default, this option is disabled.

proxy disable|enable
Enables or disables proxy IP address translation. With this option enabled (default), a client request from any application can be proxied using a load-balancing Proxy IP address (PIP).

fasthc disable|enable
Enables or disables Fast Health Check operation. When enabled, the real server goes down operationally as soon as the physical port connected to the real server goes down. When disabled, the real server will go down only after the configured health check interval. This command is enabled by default.

submac disable|enable
Enables or disables source MAC address substitution. By default, this option is disabled.

Page 418: Nortel Commands

ena
You must perform this command to enable this real server for Layer 4 service. When enabled, the real server can process virtual server requests associated with its real server group. This option, when the apply and save commands are used, enables this real server for operation until explicitly disabled.

See /oper/slb/ena on page 412 for an operations-level command.

dis
Disables this real server from Layer 4 service. A disabled server will no longer process virtual server requests as part of the real server group to which it is assigned. This option, when the apply and save commands are used, disables this real server until it is explicitly re-enabled.

NOTE – This option does not perform a graceful server shutdown.

See /oper/slb/dis on page 502 for an operations-level command that permits graceful server shutdown.

del
Deletes this real server from the Layer 4 switching software configuration. This removes the real server from operation within its real server groups. Use this command with caution, as it will delete any configuration options that have been set for this real server. This option does not perform a graceful server shutdown.

cur
Displays the current configuration information for this real server.
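How the retry, restr, maxcon, backup and overflo options in this table interact, as an added Python model (not Nortel's implementation). It assumes the retry and restr counts are of consecutive results, as their syntax lines state, that one check runs every inter seconds, and that overflo gates only the overflow case; the server names and the overflo default are hypothetical.

```python
from __future__ import annotations


class RealServer:
    """Health state and connection ceiling of one real server.

    Defaults follow the manual: retry 4, restr 8, maxcon 200000.
    """

    def __init__(self, name, retry=4, restr=8, maxcon=200000,
                 backup=None, overflo=True):
        self.name, self.retry, self.restr = name, retry, restr
        self.maxcon, self.backup = maxcon, backup
        self.overflo = overflo      # assumption: default not given on the page
        self.up = True
        self.conns = 0
        self._streak = 0            # consecutive results contradicting `up`

    def health_result(self, ok: bool) -> bool:
        """Feed one health-check result; return the resulting up/down state."""
        if ok == self.up:
            self._streak = 0        # an agreeing result resets the count
        else:
            self._streak += 1
            needed = self.restr if ok else self.retry
            if self._streak >= needed:
                self.up, self._streak = ok, 0
        return self.up

    def has_room(self) -> bool:
        return self.up and self.conns < self.maxcon

    def place(self):
        """Return the server that takes a new connection, or None if dropped."""
        if self.has_room():
            target = self
        elif (self.backup and self.backup.has_room()
              and (not self.up or self.overflo)):
            # Backup is used when this server is down, or when it is full
            # and backup-on-overflow is enabled (assumed meaning of overflo).
            target = self.backup
        else:
            return None
        target.conns += 1
        return target


def replay(server, results, inter=2):
    """Apply results spaced `inter` seconds apart; return state transitions."""
    transitions = []
    for i, ok in enumerate(results, start=1):
        before = server.up
        if server.health_result(ok) != before:
            transitions.append((i * inter, "UP" if server.up else "DOWN"))
    return transitions


def demo():
    backup = RealServer("real2", maxcon=1)
    primary = RealServer("real1", maxcon=2, backup=backup)
    placed = [getattr(primary.place(), "name", None) for _ in range(4)]
    # Constructed health-check history: three failures then one success,
    # twice; then a real outage; then a recovery interrupted once.
    flapping = ([False] * 3 + [True]) * 2
    results = flapping + [False] * 4 + [True] * 7 + [False] + [True] * 8
    return placed, replay(RealServer("real3"), results)


if __name__ == "__main__":
    placed, transitions = demo()
    print("placement:", placed)
    print("transitions:", transitions)
```

In this model a server that fails three of every four checks is never declared down, and a single failed check during recovery restarts the restr count.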

Page 419: Nortel Commands

/cfg/slb/real/adv
Real Server Advanced Menu

[Real Server 1 Advanced Menu]
     avail   - Set Global SLB availability for real server
     remote  - Enable/disable Global SLB remote site operation
     proxy   - Enable/disable client proxy operation
     buddyhc - Buddy Server Menu
     fasthc  - Enable/disable fast health check operation
     submac  - Enable/disable source MAC address substitution
     subdmac - Enable/disable destination MAC address substitution
     cur     - Display current real server advanced configuration

Table 7-3 Real Server Advanced Menu Options

Command Syntax and Usage

avail <server weight, 1-48>
Set Global SLB availability for real server.

remote enable|disable
Enable/disable Global SLB remote site operation.

proxy enable|disable
Enable/disable client proxy operation.

buddyhc
Go to the Buddy Server Menu.

fasthc enable|disable
Enable/disable fast health check operation.

submac enable|disable
Enable/disable source MAC address substitution.

subdmac enable|disable
Enable/disable destination MAC address substitution.

cur enable|disable
Display current real server advanced configuration.

Page 420: Nortel Commands

/cfg/slb/real/adv/buddyhc
Buddy Server Health Check Menu

[Real server 1 Buddy Menu]
     addbd - Add Buddy Server
     delbd - Delete Buddy Server
     cur   - Display current buddy server configuration

Table 7-4 Buddy Server Health Check Menu Options

Command Syntax and Usage

addbd <real server number 1-1023> <real server group 1-1024> <service 9-65534>
Adds a buddy server.

delbd <real server number 1-1023> <real server group 1-1024> <service 9-65534>
Deletes a previously added buddy server.

cur
Displays the current buddy server configuration.

Page 421: Nortel Commands

/cfg/slb/real <server number>/layer7
Real Server Layer 7 Configuration

This menu is used for entering commands and strings for Layer 7 processing.

[Real Server 1 Layer 7 Commands Menu]
     addlb   - Add SLB string for content load balance
     remlb   - Remove SLB string for content load balance
     cookser - Enable/disable cookie assignment server
     exclude - Enable/disable exclusionary string matching
     ldapwr  - Enable/disable LDAP Write server
     cur     - Display current real server configuration

Table 7-5 Layer 7 Commands Menu Options (/cfg/slb/real/layer7)

Command Syntax and Usage

addlb <defined SLB string ID, 1-1024>
Adds the predefined URL loadbalance string ID to the real server.

remlb <defined SLB string ID, 1-1024>
Removes the predefined URL loadbalance string ID from the real server.

cookser disable|enable
Enables or disables the real server to handle client requests that don’t contain a cookie. This option is used if you want to designate a specific server to assign cookies only. This server gets the client request, assigns the cookie, and embeds the IP address of the real server that will handle the subsequent requests from the client. By default, this option is disabled.

exclude disable|enable
Enables or disables exclusionary string matching. By default, this option is disabled.

ldapwr disable|enable
Enables or disables LDAP write server. LDAP servers are of two types: read servers and write servers. You need to use read servers when you only want to browse the directory. You need to use the write servers when you want to modify the directory on the server. The write server can conduct both read and write operations.

cur
Displays the current real server configuration.

Page 422: Nortel Commands

/cfg/slb/real <real server number>/ids
Real server IDS Configuration Menu

Intrusion Detection System (IDS) is a type of security management system for computers and networks. An Intrusion Detection System gathers and analyzes information from various areas within a computer or a network to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). Refer to your Application Guide for more information.

[Real Server 1 IDS Menu]
     idsvlan - Set Vlan ID for ID Server
     idsport - Set Port for ID Server
     oid     - Override OID for SNMP HC
     comm    - Override community string for SNMP HC
     cur     - Display current real server configuration

Table 7-6 IDS Configuration Menu options (/cfg/slb/real/ids)

Command Syntax and Usage

idsvlan <vlan number (1-4090)>
Defines the VLAN ID for the Intrusion Detection Server.

idsport <port number> | none
Defines the port for the Intrusion Detection Server.
Note: IDS can only be configured on real servers between one and the maximum number of ports on the switch.

oid <SNMP health check object identifier to override group OID>
Specifies the object identifier (OID). This OID overrides the OID for SNMP health checks.

comm <SNMP health check community string to override group community string>
Overrides the community string for SNMP health checks.

cur
Displays the current real server configuration.

Page 423: Nortel Commands

/cfg/slb/group <real server group number>
Real Server Group SLB Configuration

This menu is used for combining real servers into real server groups. Each real server group should consist of all the real servers which provide a specific service for load balancing. Each group must consist of at least one real server. Each real server can belong to more than one group. Real server groups are used both for Server Load Balancing and Application Redirection.

[Real Server Group 1 Menu]
     metric  - Set metric used to select next server in group
     rmetric - Set metric used to select next rport in server
     content - Set health check content
     health  - Set health check type
     backup  - Set backup real server or group
     name    - Set real server group name
     realthr - Set real server failure threshold
     idsrprt - Set Intrusion Detection Port
     advhlth - Set an advance group health check formula
     mhash   - Set minmisses hash parameter
     wlm     - Set Workload Manager number
     viphlth - Enable/disable VIP health checking in DSR mode
     ids     - Enable/disable Intrusion Detection
     idsfld  - Enable/disable Intrusion Detection Group Flood
     oper    - Enable/disable the access to this group for operator
     ena     - Enable real server in this group
     dis     - Disable real server in this group
     add     - Add real server
     rem     - Remove real server
     del     - Delete real server group
     cur     - Display current group configuration

Table 7-7 Real Server Group Configuration Menu Options (/cfg/slb/group)

Command Syntax and Usage

metric leastconns|roundrobin|minmisses|hash|response|bandwidth|phash
Sets the load balancing metric used for determining which real server in the group will be the target of the next client request. The default setting is leastconns. See “Server Load Balancing Metrics” on page 429 for more information.

rmetric
Sets the load balancing metric used for determining which port in the real server will be the target of the next client request.

Page 424: Nortel Commands

content <filename>|//<host>/<filename>|none
This option defines the specific content which is examined during health checks. The content depends on the type of health check specified in the health option (see below).

health link|arp|icmp|tcp|http|httphead|dns|pop3|smtp|nntp|ftp|imap|sslh|radius-auth|radius-acc|script<n>|udpdns|wsp|wtp|wtls|ldap|snmp<n>|tftp|rtsp|sip|sipoptions|wts
http - use GET method, httphead - use HEAD method
Sets the type of health checking performed. The default is tcp. See “SLB Health Check Types” on page 426.

backup r<real server number (1-1023)>|g<group number (1-1024)>|none
Sets the real server or real server group used as the backup/overflow server/server group for this real server group.

To prevent loss of service if the entire real server group fails, use this option to assign a backup real server/real server group number. Then, if the real server group becomes inoperative, the switch will activate the backup real server/server group until one of the original real servers becomes operative again.

The backup server/server group is also used in overflow situations. If all the servers in the real server group reach their maxcon (maximum connections) limit, the backup server/server group comes online to provide additional processing power until one of the original servers becomes desaturated.

The same backup/overflow server/server group may be assigned to more than one real server group at the same time.

name <maximum 31 characters>|none
Defines a 15-character alias for each Real Server Group. This will enable the network administrator to quickly identify the server group by a natural language keyword value.

realthr <real servers (1-15, 0 for disabled)>
Specifies a minimum number of real servers available. If at any time the number reaches this minimum limit, a SYSLOG ALERT message is sent to the configured SYSLOG servers stating that the real server threshold has been reached for the concerned server load balancing group. The default threshold is 0, which also means the option is disabled.

idsrprt <real server port (2-65534)>|any
Sets the real server port for the Intrusion Detection Server.

Page 425: Nortel Commands

advhlth <(1&2|3..), 128>|none
Defines an advanced health check formula expression for the real servers. This command allows you to create a boolean expression to health check the real server group based on the state of the virtual services. This command supports two boolean operators, AND and OR, that are used to manipulate TRUE or FALSE values. Using parentheses with the boolean operators, you can create a boolean expression to state the health of the server group. This command also supports a string expression which is up to 128 characters long, or you can also set the formula expression as none.

mhash 24|32 <number of sip bits used for minmisses hash>
Defines the minmisses hash parameter for this real server as either 24 or 32 bits. By default, the minmiss algorithm uses the upper 24 bits of the source IP address to calculate the real server that the traffic should be sent to when the minmiss metric is selected. You can also select all 32 bits of the source IP address to hash to the real server.

wlm <1 - 16> | none
Set Workload Manager number.

viphlth disable|enable
Enables or disables VIP health checking in a service. This feature is enabled by default. However, it works only when the service has the DSR (Direct Server Return) feature enabled. When viphlth is disabled, the switch uses RIP to perform all health checks, whether DSR is enabled or disabled.

ids disable|enable
Enables or disables Intrusion Detection Server (IDS) load balancing for the designated real server group. This feature can only be configured on real server groups between 1-63.

idsfld disable|enable
Enables or disables the Intrusion Detection flood. When Intrusion Detection flood is enabled, packets are copied to all IDS servers in the IDS group. When this is disabled, packets are only copied to the load balanced IDS server within the IDS group.

oper disable|enable
Enables or disables the real server group operation.

ena <real server number, 1-1023>
Enables a real server in this group gracefully or on a per group basis. For example, if a real server is a member of more than one group, you can configure this real server to accept requests from all the groups or any number of groups that this real server is a member of.

dis <real server number, 1-1023>
Disables a real server in this group gracefully or on a per group basis.

add <real server number (1-1023)>
Adds a real server to this real server group. You will be prompted to enter the number of the real server to add to this group.


rem <real server number (1-1023)>
Removes a real server from this real server group. You will be prompted for the ID number for the real server to remove from this group.

del
Deletes this real server group from the Layer 4 software configuration. This removes the group from operation under all virtual servers it is assigned to. Use this command with caution: if you remove the only group that is assigned to a virtual server, the virtual server will become inoperative.

cur
Displays the current configuration parameters for this real server group.

SLB Health Check Types

Using the health command, you can specify the type of health check for the group of real servers. The health check options are described in the following table. Refer to your Application Guide for their detailed description.

>> Real Server Group 1# health
Current health check type: tcp
Pending new health check type: sipoptions
Enter health check type:

Table 7-8 SLB Health Check Types (/cfg/slb/group/health)

Option and Description

link
Checks status of port for each server for IDSLB group only.

arp
Sends an ARP request for Layer 2 health checking.

icmp
For Layer 3 health checking, pings the server.

tcp
Opens and closes a TCP/IP connection to the server for TCP service.


http
For HTTP service, use HTTP 1.1 GETs when a HOST: header is required to check that the URL content is specified in the content command. Otherwise, an HTTP/1.0 GET occurs.
Note: If the content is not specified, the health check will revert back to TCP on the port that is being load balanced.

httphead
Allows the switch to declare whether the server is up just by locating the URL header, without waiting until all the URL contents are received. You can use this command to test the validity of and access to the hypertext links, or to look for any recent modification to the URL.

dns
For Domain Name Service, check that the domain name specified in content can be resolved by the server.

pop3
For user mail service, check that the user:password account specified in content exists on the server.

smtp
For mail-server services, check that the user specified in content is accessible on the server.

nntp
For newsgroup services, check that the newsgroup name specified in content is accessible on the server.

ftp
For FTP services, check that the filename specified in content is accessible on the server through anonymous login.

imap
For user mail service, check that the user:password value specified in content exists on the server.

sslh
Enables the switch to query the health of the SSL servers by sending an SSL client “Hello” packet and then verifying the contents of the server’s “Hello” response. During the handshake, the user and server exchange security certificates, negotiate an encryption and compression method, and establish a session ID for each session.


radius-auth, radius-acc
For RADIUS remote access server authentication, check that the user:password value specified in content exists on the Nortel Application Switch and the server. To perform application health checking to a RADIUS server, the network administrator must also configure the /cfg/slb/secrt parameter. The secrt value is a field of up to 32 alphanumeric characters that is used by the switch to encrypt a password using the RSA Message Digest Algorithm (MD5) and by the RADIUS server to decrypt the password during verification.

script <n>
Enables the use of script-based health checks in send/expect format to check for application and content availability. <n> denotes the health script number (1-64).

udpdns
Allows the user to perform health checking using UDP DNS queries.

wsp
Enables connectionless WSP content health checks for WAP gateways. The content under /cfg/slb/adv/waphc (see page 486) must also be configured.

wtp
Enables connection-oriented WTP + WSP content health checks for WAP gateways. The content under /cfg/slb/adv/waphc (see page 486) must also be configured.

wtls
Provides Wireless Transport Layer Security (WTLS) Hello-based health check for encrypted and connection-oriented WTLS traffic on port 9203.

ldap
Sets the health check type to LDAP. The LDAP health checks enable the switch to determine if the LDAP server is alive. This health check consists of three LDAP messages over one TCP connection: a bind request, a bind result, and an unbind request. The switch sends an anonymous bind request to the server. If the server is up, it will send the bind result message and the switch will mark the server as alive. The switch must send an unbind request so that the server does not hold resources indefinitely. The switch administrator can choose LDAP version 2 or 3, as both versions are compatible with Nortel Application Switch Operating System 23.0.2.

snmp <n>
Enables the use of SNMP-based health checks. <n> denotes the health script number (1-5).

tftp
Sets the health check type to TFTP. This protocol enables the user to request a file from the server. At regular intervals, the switch transmits TFTP read requests (RRQ) to all servers in the group. The health check is successful if the server responds to the RRQ. The health check fails if the switch receives an error packet from the real server.
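The role of the shared secrt value in the radius-auth health check above can be seen in the following added example (not Nortel code). It implements the standard User-Password hiding from RFC 2865, on the assumption that the switch follows that RFC; the function names, account, and secret values are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1        # RADIUS packet code (RFC 2865)
ATTR_USER_NAME = 1        # attribute types (RFC 2865)
ATTR_USER_PASSWORD = 2


def _keystream_xor(data: bytes, secret: bytes, authenticator: bytes, hiding: bool) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous hidden block)."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, pad))
        out += xored
        prev = xored if hiding else block   # always chain on the hidden (wire) block
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the health-check sender does with the password before it goes on the wire."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _keystream_xor(padded, secret, authenticator, hiding=True)


def recover_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does with its own copy of the shared secret."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    return _keystream_xor(hidden, secret, authenticator, hiding=False).rstrip(b"\x00")


def build_access_request(content: str, secret: bytes, identifier: int = 1,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Build a minimal Access-Request from a 'user:password' content string."""
    user, _, password = content.partition(":")
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, user.encode()),
                             (ATTR_USER_PASSWORD,
                              hide_password(password.encode(), secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def server_accepts(packet: bytes, secret: bytes, accounts: dict) -> bool:
    """Server-side check: parse the request, unhide the password, compare in constant time."""
    if len(packet) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return False
    authenticator, pos, attrs = packet[4:20], 20, {}
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    hidden = attrs.get(ATTR_USER_PASSWORD, b"")
    if user not in accounts or not hidden or len(hidden) % 16:
        return False
    candidate = recover_password(hidden, secret, authenticator)
    return hmac.compare_digest(candidate, accounts[user].encode())


if __name__ == "__main__":
    # Constructed sample values, not taken from any real configuration.
    secrt = b"S3crtExample0123"
    accounts = {"healthuser": "check-pass-longer-than-16"}
    pkt = build_access_request("healthuser:check-pass-longer-than-16", secrt)
    print("matching secrt  :", server_accepts(pkt, secrt, accounts))
    print("mismatched secrt:", server_accepts(pkt, b"wrongsecret", accounts))
```

A secrt mismatch between switch and server makes every health check fail even when the account is valid, and because the password is protected only by an MD5-derived keystream, its confidentiality depends entirely on the length and randomness of secrt.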


rtsp
Sets the health check type to RTSP. The RTSP health check can operate with or without content. If there is no content configured, the switch will issue an RTSP OPTIONS method. If content is supplied, the switch will issue the RTSP DESCRIBE method. If the response to either method is RTSP/200 then the health check passes. If this is not the response, the health check will fail.

sip
Sets the health check type to sip. You can perform the SIP (Session Initiation Protocol) health check by using a SIP PING request. You must enable UDP to perform SIP load balancing.

sipoptions
Sets the health check type to sipoptions.

wts
Sets the health check type to wts.

Server Load Balancing Metrics

Using the metric command, you can set a number of metrics for selecting which real server in a group gets the next client request.

>> Real Server Group 1# metric
Current metric: leastconns
Enter metric:

The metrics are described in the following table:

Table 7-9 Real Server Group Metrics (/cfg/slb/group/metric)

Option and Description

minmisses
Minimum misses. This metric is optimized for Application Redirection. When minmisses is specified for a real server group performing Application Redirection, all requests for a specific IP destination address will be sent to the same server. This is particularly useful in caching applications, helping to maximize successful cache hits. Best statistical load balancing is achieved when the IP address destinations of load balanced frames are spread across a broad range of IP subnets.
Minmisses can also be used for Server Load Balancing. When specified for a real server group performing Server Load Balancing, all requests from a specific client will be sent to the same server. This is useful for applications where client information must be retained on the server between sessions. Server load with this metric becomes most evenly balanced as the number of active clients increases.


hash
Like minmisses, the hash metric uses IP address information in the client request to select a server.
For Application Redirection, all requests for a specific IP destination address will be sent to the same server. This is particularly useful for maximizing successful cache hits.
For Server Load Balancing, all requests from a specific client will be sent to the same server. This is useful for applications where client information must be retained between sessions.
The hash metric should be used if the statistical load balancing achieved using minmisses is not as optimal as desired. Although the hash metric can provide more even load balancing at any given instance, it is not as effective as minmisses when servers leave and reenter service.
If the Load Balancing statistics indicate that one server is processing significantly more requests over time than other servers, consider using the hash metric.

leastconns
Least connections. With this option, the number of connections currently open on each real server is measured in real time. The server with the fewest current connections is considered to be the best choice for the next client connection request.
This option is the most self-regulating, with the fastest servers typically getting the most connections over time, due to their ability to accept, process, and shut down connections faster than slower servers.

roundrobin
Round robin. With this option, new connections are issued to each server in turn: the first real server in this group gets the first connection, the second real server gets the next connection, followed by the third real server, and so on. When all the real servers in this group have received at least one connection, the issuing process starts over with the first real server.

response
Real server response time. With this option, the switch monitors and records the amount of time that each real server takes to reply to a health check. The response time is used to adjust the real server weights. The weights are adjusted so they are inversely proportional to a moving average of response time.

bandwidth
Bandwidth Metric. With this option, the real server weights are adjusted so they are inversely proportional to the number of octets that the real server processes during a given interval. The higher the bandwidth used, the smaller the weight assigned to that server.


NOTE – Under the leastconns, roundrobin, hash, and phash metrics, when real servers are configured with weights (see the weight option on page 415), a higher proportion of connections are given to servers with higher weights. This can improve load balancing among servers of different performance levels. Weights are not applied when using the minmisses metrics.

/cfg/slb/virt <virtual server number>
Virtual Server SLB Configuration

This menu is used for configuring the virtual servers which will be the target for client requests for Server Load Balancing. Configuring a virtual server requires the following parameters:

phash
The phash metric utilizes the best features of the hash and minmiss metrics. With phash enabled, the switch supports an even load distribution (hash) and stable server assignment (minmiss) even when a server in the group goes down. With the phash metric, the first hash will always be the same even if a real server is down. If the first hash hits a dead server, it will rehash for that request based on the actual number of servers that are up. This results in a request always being sent to a server that is up.
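A small model of the hash and phash behaviour described in Table 7-9, as an added example (not Nortel code): it measures how many clients are reassigned when one real server fails. The SHA-256 stand-in hash, the modulo selection, the server numbers, and the client addresses are assumptions, since this reference does not document the switch's actual hash function.

```python
import hashlib
import ipaddress


def stable_hash(key: bytes, salt: bytes = b"") -> int:
    """Stand-in hash (assumption): the switch's real hash function is not documented here."""
    return int.from_bytes(hashlib.sha256(salt + key).digest()[:8], "big")


def thash_key(sip: str, sport: int, mode: str = "sip") -> bytes:
    """Build the hash input as the thash option describes it: sip, or sip+sport."""
    key = ipaddress.ip_address(sip).packed
    if mode == "sip+sport":
        key += sport.to_bytes(2, "big")
    elif mode != "sip":
        raise ValueError("mode must be 'sip' or 'sip+sport'")
    return key


def pick_hash(key: bytes, servers: list, up: set):
    """Modelled hash metric: index into the list of servers that are currently up."""
    alive = [s for s in servers if s in up]
    return alive[stable_hash(key) % len(alive)] if alive else None


def pick_phash(key: bytes, servers: list, up: set):
    """Modelled phash metric: first hash over all configured servers, rehash only on a dead hit."""
    first = servers[stable_hash(key) % len(servers)]
    if first in up:
        return first
    alive = [s for s in servers if s in up]
    if not alive:
        return None
    # Rehash over the servers that are actually up, as the phash description states.
    return alive[stable_hash(key, b"rehash") % len(alive)]


def moved_fraction(pick, keys, servers, up_before: set, up_after: set) -> float:
    """Fraction of clients whose selected server changes between two availability states."""
    moved = sum(1 for k in keys
                if pick(k, servers, up_before) != pick(k, servers, up_after))
    return moved / len(keys)


# Constructed sample data: four real servers and 2000 client source addresses.
SERVERS = [1, 2, 3, 4]
CLIENT_KEYS = [thash_key(str(ipaddress.ip_address(0x0A000000 + 37 * i)), 1024 + i)
               for i in range(2000)]


def compare(failed: int = 4) -> dict:
    """Disruption caused by one failed server under each modelled metric."""
    all_up = set(SERVERS)
    degraded = all_up - {failed}
    return {
        "hash": moved_fraction(pick_hash, CLIENT_KEYS, SERVERS, all_up, degraded),
        "phash": moved_fraction(pick_phash, CLIENT_KEYS, SERVERS, all_up, degraded),
    }


if __name__ == "__main__":
    for metric, fraction in compare().items():
        print(f"{metric:5s}: {fraction:.1%} of clients moved to a different server")
```

In this model only the clients that were bound to the failed server move under phash, while the plain hash reshuffles most clients; sessions that depend on server-side state are lost for every client that moves.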

[Virtual Server 1 Menu]
     service  - Virtual Service Menu
     ipver    - Set IP version
     vip      - Set IP addr of virtual server
     vname    - Set name of virtual server
     dname    - Set domain name of virtual server
     cont     - Set BW Contract
     weight   - Set Global SLB weight for virtual server
     avail    - Set Global SLB availability for virtual server
     addrule  - Add Global SLB rule to domain
     remrule  - Remove Global SLB rule from domain
     layr3    - Enable/disable layer 3 only balancing
     creset   - Enable/disable client connection reset invalid VPORT
     ena      - Enable virtual server
     dis      - Disable virtual server
     del      - Delete virtual server
     cur      - Display current virtual configuration


Creating a virtual server IP address
Adding TCP/UDP port and real server group
Enabling the virtual server (disabled by default)

Table 7-10 Virtual Server Configuration Menu Options (/cfg/slb/virt)

Command Syntax and Usage

service <virtual port or name>
Displays the Virtual Services Menu. The virtual port name can be a well-known port name, such as http, ftp, the service number, and so on. The allowable port range is from 9 to 65534. To get more information about well-known ports, see the sport command on page 447. To view the services menu options, see page 434.

ipver <IP version (v4 or v6)>
Set the IP version.

vip <virtual server IP address for IPv4 or IPv6>
Sets the IP address of the virtual server using dotted-decimal notation. The virtual server created within the switch will respond to ARPs and PINGs from network ports as if it was a normal server. Client requests directed to the virtual server’s IP address will be balanced among the real servers available to it through real server group assignments.

dname <64 character domain name>|none
Sets the domain name for this virtual server. The domain name typically includes the name of the company or organization, and the Internet group code (.com, .edu, .gov, .org, and so forth). An example would be foocorp.com. It does not include the hostname portion (www, www2, ftp, and so forth). The maximum number of characters that can be used in a domain name is 64. To define the hostname, see hname below. To clear the dname, specify the name as none.

vname <32 character virtual server name>|none
Set name of virtual server.

cont <BWM contract (1-1024)>
Enter a new Bandwidth Management Contract for this virtual service. By default, all services under this virtual server are assigned this BW contract. However, the BW contract can be changed for a selected virtual server with /cfg/slb/virt <number>/service <number>/cont. All the frames that match this virtual server services are assigned this BW contract if the previously assigned contract for the frame has lower or equal precedence of the virtual server contract.
The default number of contracts is set at 1024 for Nortel Application Switch Operating System.

weight
Sets the Global server weight for the virtual server. The higher the weight value, the more connections that will be directed to the local site. The default is 1. The response time of this site is divided by this weight before the best site is assigned to a client. Remote site response times are divided by the real server weight before selection occurs.


avail
Sets the Global SLB availability for the virtual server.

addrule <rule, 1-64>
Adds a Global SLB rule to the domain. A rule allows the server selected for GSLB to use a different metric preference based on the time of day. Each domain has one or more rules. Each rule has a metric preference list. The server selected for GSLB selects the first rule that matches the domain and starts with the first metric in the preference list of the rule. The default is rule 1.

remrule <rule, 1-64>
Removes a Global SLB rule from the domain.

layr3 disable|enable
Normally, the client IP address is used with the client Layer 4 port number to produce a session identifier. When the layr3 option is enabled (disabled by default), the switch uses only the client IP address as the session identifier. It associates all the connections from the same client with the same real server while any connection exists between them.
This option is necessary for some server applications where state information about the client system is divided across different simultaneous connections, and also in applications where TCP fragments are generated.
If the real server to which the client is assigned becomes unavailable, the Layer 4 software will allow the client to connect to a different server.

creset enable|disable
Enable/disable client connection reset invalid VPORT.

ena
Enables this virtual server. This option activates the virtual server within the switch so that it can service client requests sent to its defined IP address.

dis
This option disables the virtual server so that it no longer services client requests.

del
This command removes this virtual server from operation within the switch and deletes it from the Layer 4 switching software configuration. Use this command with caution, as it will delete the options that have been set for this virtual server.

cur
Displays the current configuration of the specified virtual server.


/cfg/slb/virt <server number>/service <virtual port or name>

Virtual Server Service Configuration

This menu is used for configuring services assigned to a virtual server. The following example shows a menu for http (port 80) services.

NOTE – Select virtual service port 554 to configure RTSP traffic. See page 444 to view the menu options for configuring virtual services on port 554 for RTSP.

[Virtual Server 1 14 Service Menu]
     wts      - WTS Load Balancing Menu
     http     - HTTP Load Balancing Menu
     sip      - SIP Load Balancing Menu
     rtsp     - RTSP Load Balancing Menu
     group    - Set real server group number
     rport    - Set real port
     hname    - Set hostname
     cont     - Set BW contract for this virtual service
     pbind    - Set persistent binding type
     thash    - Set hash parameter
     tmout    - Set minutes inactive connection remains open
     dbind    - Enable/disable delayed binding
     udp      - Enable/disable UDP balancing
     frag     - Enable/disable remapping UDP server fragments
     nonat    - Enable/disable only substituting MAC addresses
     dnsslb   - Enable/disable DNS query load balancing
     direct   - Enable/disable direct access mode
     mirror   - Enable/disable session mirroring
     epip     - Enable/disable pip selection based egress port/vlan
     del      - Delete virtual service
     cur      - Display current virtual service configuration


Table 7-11 Virtual Server Service Configuration Options (/cfg/slb/virt/service)

Command Syntax and Usage

wts
Go to the WTS Load Balancing Menu. To view the menu options, see page 440.

http
Enables or disables HTTP Redirection for Global server load balancing on a per VIP basis. Disabling HTTP Redirection causes GSLB to use proxy IP address for HTTP. To view the menu options, see page 441.

sip
Enables or disables Session Initiation Protocol (SIP) server load balancing on the Nortel Application Switch Operating System. When enabled, you can configure SIP service on the service port 5060 for a virtual server. SIP is a UDP-based application-level control protocol for creating, modifying and terminating sessions with one or more participants (documented in RFC 3261). The SIP processing occurs at application level in order to parse out messages coming from client side as well as the server side. Using SIP on your switch, you can load balance Nortel’s MCS (Multimedia Communication Server) proxy servers. Nortel Networks’ MCS is a SIP enabled application Server. When SIP is enabled, you can scan and hash calls based on a SIP Call-ID header to an MCS server. You need to turn Direct Access Mode (DAM) on to perform SIP load balancing.
You can use only minmiss as the load balancing metric since the load balancing is performed based on the Call-ID.
To view the menu options, see page 442.

rtsp
Go to the RTSP Load Balancing Menu. To view the menu options, see page 443.

group <real server group number (1-1024)>
Sets a real server group for this service. The default is set at 1. You will be prompted to enter the number (1 to 1024) of the real server group to add to this service.

rport <real server port (0-65534)>
Defines the real server TCP or UDP port assigned to this service. By default, this is the same as the virtual port (service virtual port). If rport is configured to be different than the virtual port defined in /cfg/slb/virt <number>/service <virtual port>, the switch will map the virtual port to this real port.


hname <hostname>|none
Sets the hostname for a service added. This is used in conjunction with dname (above) to create a full host/domain name for individual services.
The format for this command is:
# hname <hostname>
For example, to add a hostname for Web services, you could specify www as the hostname. If a dname of “foocorp.com” was defined (above), “www.foocorp.com” would be the full host/domain name for the service.
To clear the hostname for a service, use the command:
# hname none

httpslb urlslb|host|cookie|browser|urlhash|headerhash|others
Load balances on the following applications:
urlslb: Enable or disable URL SLB
host: Enable or disable for virtual hosting
cookie: Enable or disable cookie-based SLB for cookie-based preferential load balancing. You will be prompted for the following: Cookie name, starting point of the cookie value, number of bytes to be extracted, enable/disable checking for cookie in URI
browser: Enable or disable SLB, based on browser type
urlhash: Enable or disable URL hashing based on URI
headerhash: Hashes on any HTTP header value.
others: Requires inputs for a particular header field

You may choose to combine or select applications to load balance using the commands and and/or or. For example:
httpslb <application>
httpslb <application> and|or <application>

cont <BWM Contract (0-1024), 0 for VIP default>
Sets a Bandwidth Management contract for this virtual service. The default number of contracts is set at 1024 for Nortel Application Switch Operating System.
Note: If you enter 0 for the service contract, it will carry the value entered for the Virtual Server IP (vip) contract.

urlcont <URL path ID> <BW contract>
Sets the Bandwidth Management contract of a string specific to this virtual service. Only use this command when a string is shared by multiple virtual services and each service requires a separate bandwidth. The default is set at 1024.


pbind clientip|cookie<p|r|i>|sslid|disable
Enables or disables persistent bindings for a real server (disabled by default). This may be necessary for some server applications where state information about the client system is retained on the server over a series of sequential connections, such as with SSL (Secure Socket Layer, HTTPS), Web site search results, or multi-page Web forms.

The clientip option uses the client IP address as an identifier, and associates all connections from the same client with the same real server until the client becomes inactive and the connection is aged out of the binding table. The connection timeout value (set in the Real Server Menu) is used to control how long these inactive but persistent connections remain associated with their real servers. When the client resumes activity after their connection has been aged out, they will be connected to the most appropriate real server based on the load balancing metric.
An alternative approach may be to use the real server group metrics minmisses or hash (see Server Load Balancing Metrics).
In Nortel Application Switch Operating System 23.0.2, with the clientip command enabled, HTTP and HTTPS traffic from the same client will map to the same server irrespective of the load balancing metric used, since the services are related. Different services from the same client, however, may not map to the same server.
The cookie option uses a cookie defined in the HTTP header or placed in the URI for hashing. For more information on the cookie option, see “Cookie-Based Persistence” on page 444. For detailed information on Cookie-Based Persistence, see the Persistence chapter in the Nortel Application Switch Operating System 23.0.2 Application Guide.
The sslid option is for Secure Sockets Layer (SSL), which is a set of protocols built on top of TCP/IP that allow an application server and user to communicate over an encrypted HTTP session. SSL provides authentication, non-repudiation, and security. The session ID is a value comprising 32 random bytes chosen by the SSL server that gets stored in a session hash table. By enabling the sslid option, all subsequent SSL sessions which present the same session ID will be directed to the same real server.
The disable option allows you to disable persistent binding, if it has previously been enabled for a particular application.

rcount <response count number (1–16)>
Sets the maximum response counter for cookie-based persistence. The Nortel Application Switch will examine each server response until the cookie is found, or until the maximum count is reached. The default number is 1.

thash sip|sip+sport
Defines the hash parameter. The tunable hash feature allows the user to select different parameters for computing the hash value used by the hash, phash, and minmisses SLB metrics: for example, the source IP address, or both the source IP address and source port. If the user does not select any, the switch will use the default hash parameter, which is sip.


dbind disable|enable
Enables or disables Layer 4 Delayed Binding for TCP service and ports. Enabling this command protects the server from Denial of Service (DoS) attacks. This option is disabled by default.

udp disable|enable|stateless
Enables or disables UDP load balancing for a virtual port (disabled by default). You can configure this option if the service(s) to be load balanced include UDP and TCP. For example, DNS uses UDP and TCP. In those environments, you must activate UDP balancing for the particular virtual servers that clients will communicate with using UDP.
When stateless is enabled, no session table entry is created.
Since no session is created, you have to bind to a new server every time.
Note: If applying a filter to the same virtual server IP address on which UDP load balancing is enabled, disable caching on that filter for optimal performance. For more information, see the cache command in Table 7-18 on page 452.

frag disable|enable
Enables or disables remapping server fragments for virtual port. This option is enabled by default.

nonat disable|enable
Enables or disables substituting only the MAC address of the real server (disabled by default). This option does not substitute IP addresses. This option is used for Direct Server Return (DSR) in a one-armed load balancing setup, so that frames returning from server to the client do not have to pass through the switch.

dnsslb disable|enable
Enables or disables DNS-based Layer 7 content load balancing.

direct disable|enable
Enables or disables Direct Access Mode (DAM) on the selected virtual service. This command takes precedence over the command to globally enable or disable Direct Access Mode on the switch.

mirror disable|enable
Enables or disables session mirroring on the selected virtual service.

xforward disable|enable
Enables or disables inserting the X-Forwarded-For header into the client HTTP request to preserve the client IP information. X-Forwarded-For is a special header that stores and identifies the client IP information. This feature is applicable only to the HTTP protocol.


epip disable|enable
Enables or disables proxy IP selection based on egress port or VLAN. By default, the SP selects the proxy IP address based on ingress port or VLAN. Using the epip command, you can configure the SP to select proxy IP address based on the egress port or VLAN.

del
This command removes this virtual service from operation within the switch and deletes it from the Layer 4 switching software configuration. Use this command with caution, as it will delete the options that have been set for this virtual service.

cur
Displays the current configuration of services on the specified virtual server.


/cfg/slb/virt/service/wts
WTS Load Balancing Menu

[WTS Load Balancing Menu]
     userhash - Enable userhash when there is no Session Dir. Server
     ena      - Enable WTS loadbalancing and persistence
     dis      - Disable WTS loadbalancing and persistence
     cur      - Display current WTS configuration

Table 7-12 WTS Load Balancing Menu Options

Command Syntax and Usage

userhash
Enables the userhash if there is no session director server in the server platform.

ena [true|false]
Enable WTS load balancing.

dis [true|false]
Disable WTS load balancing.

cur
Display the current WTS configuration.

Page 441: Nortel Commands

/cfg/slb/virt/service/http
HTTP Load Balancing Menu

[HTTP Load Balancing Menu]
     httpslb  - Set HTTP SLB processing
     urlcont  - Set BW cont of an SLB string specific to this service
     rcount   - Set multi response count
     http     - Enable/disable HTTP redirects for Global SLB
     xforward - Enable/disable X-Forwarded-For for proxy mode
     pooling  - Enable/disable connection pooling for HTTP traffic
     cur      - Display current HTTP configuration

Table 7-13 HTTP Load Balancing Menu Options

Command Syntax and Usage

httpslb
Set HTTP SLB processing.

urlcont
Set BW cont of an SLB string specific to this service.

rcount
Set multi response count.

http
Enable/disable HTTP redirects for Global SLB.

xforward
Enable/disable X-Forwarded-For for proxy mode.

pooling
Enable/disable connection pooling for HTTP traffic.

cur
Display current HTTP configuration.

Page 442: Nortel Commands

/cfg/slb/virt/service/sip
SIP Load Balancing Menu

[SIP Load Balancing Menu]
     sip      - Enable/disable SIP load balancing
     sdpnat   - Enable/disable SIP SDP Media Portal NAT
     cur      - Display current SIP configuration

Table 7-14 SIP Load Balancing Menu Options

Command Syntax and Usage

sip
Enable SIP load balancing.

sdpnat
Enable SIP SDP Media Portal NAT.

cur
Display the current SIP configuration.

Page 443: Nortel Commands

/cfg/slb/virt/service/rtsp
RTSP Load Balancing Menu

[RTSP Load Balancing Menu]
     group    - Set real server group number
     hname    - Set hostname
     rtspslb  - Set RTSP URL load balancing type
     thash    - Set hash parameter
     softgrid - Enable/disable SoftGrid load balancing
     del      - Delete virtual service
     cur      - Display current virtual service configuration

Table 7-15 RTSP Load Balancing Menu Options

Command Syntax and Usage

group <real server group number (1-1024)>
Sets real server group number.

hname <hostname>|none
Sets the hostname for a service added. This is used in conjunction with dname (above) to create a full host/domain name for individual services.
The format for this command is: # hname <hostname>
For example, to add a hostname for Web services, you could specify www as the hostname. If a dname of “foocorp.com” was defined (above), “www.foocorp.com” would be the full host/domain name for the service.
To clear the hostname for a service, use the command: # hname none

rtspslb hash|patternMatch|l4hash|none
This Layer 7 load balancing option sets the type of rtspslb, either hash or patternMatch, thereby enabling the service. The default is hash.
hash: If you use hash, RTSP will parse the URL and will hash the URL to select a server to load balance.
patternMatch: If you select this option, the switch will match the string or pattern within the URL to select a server based on the string configured on the real server.
l4hash: The l4hash option configures Server Load Balancing to be based on the Layer 4 hash metric.
none: If set at none, RTSP will use Layer 4 metrics to select a server to load balance.

thash sip|sip+sport
Defines hash parameter. Tunable hash feature allows the user to select different parameters for computing the hash value used by the hash, phash, and minmisses SLB metrics. For example, the source IP address, the destination IP address, or both source IP address and source port. If the user does not select any, the switch will use default hash parameter, which is sip.

softgrid enable|disable
Enable or disable softgrid load balancing.

Page 444: Nortel Commands

Cookie-Based Persistence

The cookie option is used to establish cookie-based persistence, and has the following command syntax and usage:

pbind cookie <mode> <name> <offset> <length> <URI>

Each parameter is explained in the following table.

del
Deletes this virtual service.

cur
Displays the current virtual service configuration.

Option Description

<mode> Specify the mode for cookie-based persistence. The following three modes are available:
p: Passive mode. In this mode, the network administrator configures the Web server to embed a cookie in the server response that the switch looks for in subsequent requests from the same client.
r: Rewrite mode. In active cookie mode (or cookie rewrite mode), the switch, and not the network administrator, generates the cookie value on behalf of the server. The switch intercepts this persistence cookie and rewrites the value to include server-specific information before sending it to the client.
i: Insert mode. When a client sends a request without a cookie, the server responds with the data, and the switch inserts a persistence cookie into the data packet. The switch uses this cookie to bind to the appropriate server.
Insert cookie mode expiration parameters are as follows:

Enter insert-cookie expiration as either:
... a date <MM/dd/yy[@hh:mm]> (e.g. 12/31/01@23:59)
... a duration <days[:hours[:minutes]]> (e.g. 45:30:90)
... or none <return>

<name> Enter the name of the cookie.

<offset> Enter the starting point of the cookie value (1-64)

<length> Enter number of bytes to extract (1-64). For cookie rewrite, the extracting length must be 8 or 16.

<URI> Look for cookie in the URI. If you want to look for cookie name or value in the URI, enter e to enable this option. To look for cookie in the HTTP header, enter d to disable this option.

Page 445: Nortel Commands

For more information on Cookie-Based Persistence, see the Nortel Application Switch Operating System 23.0.2 Application Guide.

/cfg/slb/filt <filter number>
SLB Filter Configuration

The switch supports up to 2048 traffic filters. Each filter can be configured to allow, deny, redirect or perform Network Address Translation on traffic according to a variety of address and protocol specifications, and each physical switch port can be configured to use any combination of filters. This command is disabled by default.

There are several options available in the Filter Advanced Menu (/cfg/slb/filt/adv, page 450) that can be used to provide more information through syslog. The types of information include:

IP protocol
TCP/UDP ports

[Filter 1 Menu]
     adv      - Filter Advanced Menu
     name     - Set filter name
     smac     - Set source MAC address
     dmac     - Set destination MAC address
     ipver    - Set Filter IP version
     sip      - Set source IP address
     smask    - Set source subnet mask/prefix len
     dip      - Set destination IP address
     dmask    - Set destination subnet mask/prefix len
     proto    - Set IP protocol
     sport    - Set source TCP/UDP port or range
     dport    - Set destination TCP/UDP port or range
     action   - Set action
     group    - Set real server group for redirection
     rport    - Set real server port for redirection
     nat      - Set which addresses are network address translated
     vlan     - Set vlan id
     invert   - Enable/disable filter inversion
     ena      - Enable filter
     dis      - Disable filter
     del      - Delete filter
     cur      - Display current filter configuration

Page 446: Nortel Commands

TCP flags
ICMP message type

The following parameters are required for filtering:

Set the address, masks, and/or protocol that will be affected by the filter
Set the filter action (allow, deny, redirect, nat)
Enable the filter
Add the filter to a switch port
Enable filtering on the Nortel Application Switch port

Table 7-16 Filter Configuration Menu Options (/cfg/slb/filt)

Command Syntax and Usage

adv
Displays the Filter Advanced Menu. To view menu options, see page 450.

name <31 character name>|none
Allows the user to assign a name to a filter.

smac any|<MAC address (such as, 00:60:cf:40:56:00)>
Sets the source MAC address. The default is any.

dmac any|<MAC address (such as, 00:60:cf:40:56:00)>
Sets the destination MAC address. The default is any.

ipver v4 | v6
Sets the IP version that the filter will use. Filtering using IPv6 is only supported in bridge mode.

sip <IP4 address (eg, 192.4.17.101)> | <IP6 address (eg, 3001:0:0:0:0:0:abcd:1234 or 3001::abcd:1234)>
If defined, traffic with this source IP address will be affected by this filter. Specify an IP address in dotted decimal notation for IPv4 or colon notation for IPv6, or any. A range of IP addresses is produced when used with the smask below. The default is any if the source MAC address is any.

smask <IP4 subnet mask (such as, 255.255.255.0)> | <IP6 prefix length (eg, 64)>
This IP address mask is used with the sip to select traffic which this filter will affect. For more information on producing address ranges, see “Defining IP Address Ranges for Filters” on page 449.

Page 447: Nortel Commands

dip <IP4 address (eg, 192.4.17.101)> | <IP6 address (eg, 3001:0:0:0:0:0:abcd:1234 or 3001::abcd:1234)>
If defined, traffic with this destination IP address will be affected by this filter. Specify an IP address in dotted decimal notation for IPv4 or colon notation for IPv6, or any. A range of IP addresses is produced when used with the dmask below. The default is any if the destination MAC address is any. For more information, see “Defining IP Address Ranges for Filters” on page 449.

dmask <IP4 subnet mask (such as, 255.255.255.0)> | <IP6 prefix length (eg, 64)>
This IP address mask is used with the dip to select traffic which this filter will affect.

proto any|<number>|<name>
If defined, traffic from the specified protocol is affected by this filter. Specify the protocol number, name, or “any”. The default is any. Listed below are some of the well-known protocols.
Number  Name
1       icmp
2       igmp
6       tcp
17      udp
58      icmp6
89      ospf
112     vrrp

sport any|<name>|<port>|<port>-<port>
If defined, traffic with the specified TCP or UDP source port will be affected by this filter. Specify the port number, range, name, or “any”. The default is any. Listed below are some of the well-known ports:
Number  Name
20      ftp-data
21      ftp
22      ssh
23      telnet
25      smtp
37      time
42      name
43      whois
53      domain
69      tftp
70      gopher
79      finger
80      http
109     pop2
110     pop3

Page 448: Nortel Commands

dport any|<name>|<port>|<port>-<port>
If defined, traffic with the specified real server TCP or UDP destination port will be affected by this filter. Specify the port number, range, name, or “any”, just as with sport above. The default is set at any.

action allow|deny|redir|nat|goto
Specifies the action this filter takes:
allow  Allow the frame to pass (by default).
deny   Discard frames that fit this filter’s profile. This can be used for building basic security profiles.
redir  Redirect frames that fit this filter’s profile, such as for web cache redirection. In addition, Layer 4 processing must be activated (see the /cfg/slb/on command on page 412).
nat    Perform generic Network Address Translation (NAT). This can be used to map the source or destination IP address and port information of a private network scheme to/from the advertised network IP address and ports. This is used in conjunction with the nat option (mentioned in this table) and can also be combined with proxies.
goto   Allows the user to specify a target filter ID that the filter search should jump to when a match occurs. The goto action causes filter processing to jump to a designated filter, effectively skipping over a block of filter IDs. Filter searching will then continue from the designated filter ID. To specify the new filter to go to, use the /cfg/slb/filt/adv/goto command.

group <real server group number (1-1024)>
This option applies only when redir is specified as the filter action. Define a real server group (1 to 16) to which redirected traffic will be sent. The default is group 1.

rport <real server port (0-65535)>
This option applies only when redir is specified as the filter action. This defines the real server TCP or UDP port to which redirected traffic will be sent. For valid Layer 4 health checks, this must be configured whenever TCP protocol traffic is redirected. Also, if transparent proxies are used for Network Address Translation (NAT) on the Nortel Application Switch (see the pip option in Table 7-28 on page 463), rport must be configured for all Application Redirection filters. The default is set at 0.

nat source|dest
When nat is set as the filter action (see above), this command specifies whether Network Address Translation (NAT) is performed on the source or the destination information. Destination (dest) is set as the default filter. If source is specified, the frame’s source IP address (sip) and port number (sport) are replaced with the dip and dport values. If dest is specified, the frame’s destination IP address (dip) and port number (dport) are replaced with the sip and sport values.

Page 449: Nortel Commands

vlan any|<VLAN ID (1 - 4090)>
Sets the ID of the VLAN that is to be filtered. This option allows you to match the VLAN ID of the switch against the VLAN ID of the incoming packet. The default is any, which means the switch will match any VLAN ID of the incoming packet. This command allows filters to be configured on a per-VLAN basis, and applies a filter to a VLAN that has already been configured. A VLAN has a set of member ports, but applying this filter to a VLAN does not apply it to all the member ports of this VLAN. You have to manually add the filter to the port.

invert disable|enable
Inverts the filter logic. If the conditions of the filter are met, don’t act. If the conditions for the filter are not met, perform the assigned action. This option is disabled by default.
When using filter inversion for IPv6, be aware that Neighbor Solicitations (NSol) are filtered out if no appropriate NSol filter was set up before inversion.

ena
Enables this filter.

dis
Disables this filter.

del
Deletes this filter.

cur
Displays the current configuration of the filter.

Defining IP Address Ranges for Filters

You can specify a range of IP addresses for filtering the source and/or destination IP address of traffic. When a range of IP addresses is needed, the sip (source) or dip (destination) defines the base IP address in the desired range, and the smask (source) or dmask (destination) is the mask which is applied to produce the range.

For example, to determine if a client request’s destination IP address should be redirected to the cache servers attached to a particular switch, the destination IP address is masked (bitwise AND) with the dmask and then compared to the dip.

Page 450: Nortel Commands

As another example, you could configure the switch with two filters so that each would handle traffic filtering for one half of the Internet. To do this, you could define the following parameters:

/cfg/slb/filt <filter number>/adv
Advanced Filter Configuration

Table 7-17 Filtering IP Address Ranges

Filter  Internet Address Range         dip         dmask
#1      0.0.0.0 - 127.255.255.255      0.0.0.0     128.0.0.0
#2      128.0.0.0 - 255.255.255.255    128.0.0.0   128.0.0.0
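
The mask-and-compare test from "Defining IP Address Ranges for Filters", together with the invert option, written out as an added example (not Nortel code) and run against the two filters of Table 7-17. Modelling any as 0.0.0.0 with mask 0.0.0.0, taking the lowest-numbered acting filter, the redir actions and the lint helper are assumptions of this example.

```python
"""Added example (not Nortel code): sip/smask and dip/dmask matching as the manual words it."""
import ipaddress
from dataclasses import dataclass

FULL = 0xFFFFFFFF


def u32(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


@dataclass(frozen=True)
class Filter:
    fid: int
    action: str = "allow"
    sip: str = "0.0.0.0"    # "any" is modelled as base 0.0.0.0 / mask 0.0.0.0 (assumption)
    smask: str = "0.0.0.0"
    dip: str = "0.0.0.0"
    dmask: str = "0.0.0.0"
    invert: bool = False

    def criteria_met(self, src: str, dst: str) -> bool:
        # The manual's test: mask the packet address (bitwise AND), then compare to the base.
        src_ok = (u32(src) & u32(self.smask)) == u32(self.sip)
        dst_ok = (u32(dst) & u32(self.dmask)) == u32(self.dip)
        return src_ok and dst_ok

    def acts_on(self, src: str, dst: str) -> bool:
        # invert: the action is performed only when the criteria are NOT met.
        return self.criteria_met(src, dst) != self.invert


def address_range(base: str, mask: str):
    """First and last address selected by base/mask (meaningful for contiguous masks)."""
    low = u32(base) & u32(mask)
    high = low | (~u32(mask) & FULL)
    return dotted(low), dotted(high)


def lint(f: Filter):
    """Hypothetical review helper: flag base/mask pairs that do not select what they appear to."""
    problems = []
    for label, base, mask in (("sip/smask", f.sip, f.smask), ("dip/dmask", f.dip, f.dmask)):
        host_bits = ~u32(mask) & FULL
        if u32(base) & host_bits:
            problems.append(f"{label}: {base} has bits outside {mask}; no masked address equals it")
        if host_bits & (host_bits + 1):
            problems.append(f"{label}: {mask} is not contiguous; the match is not a single range")
    return problems


def first_match(filters, src: str, dst: str):
    """Walk filters in ascending filter number (assumption) and return the first that acts."""
    for f in sorted(filters, key=lambda f: f.fid):
        if f.acts_on(src, dst):
            return f.fid, f.action
    return None


# dip/dmask values from Table 7-17; the redir action is constructed for the example.
TABLE_7_17 = [
    Filter(fid=1, action="redir", dip="0.0.0.0", dmask="128.0.0.0"),
    Filter(fid=2, action="redir", dip="128.0.0.0", dmask="128.0.0.0"),
]

if __name__ == "__main__":
    for f in TABLE_7_17:
        print(f.fid, address_range(f.dip, f.dmask), lint(f))
    # Constructed destination addresses, one in each half of the address space.
    print(first_match(TABLE_7_17, "10.1.1.1", "93.184.216.34"))
    print(first_match(TABLE_7_17, "10.1.1.1", "198.51.100.7"))
    # A host address used as the base of a /24 mask never matches under this test.
    print(lint(Filter(fid=3, action="deny", dip="192.168.1.10", dmask="255.255.255.0")))
```

Under the literal mask-then-compare wording, a base address with bits set outside the mask matches nothing, which is why the lint check is worth running before a deny filter is relied on.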

[Filter 1 Advanced Menu]
     8021p    - 802.1p Advanced Menu
     tcp      - TCP Advanced Menu
     ip       - IP Advanced Menu
     layer7   - Layer 7 Advanced Menu
     proxyadv - Proxy Advanced Menu
     redir    - Redirection Advanced Menu
     security - Security Menu
     icmp     - Set ICMP message type
     cont     - Set BW contract
     revcont  - Set BW contract for the reverse session
     tmout    - Set NAT or L7 lookup session timeout
     idsgrp   - Set IDS server group for intrusion detection SLB
     idshash  - Set hash parameter for intrusion detection SLB
     thash    - Set hash parameter for Filter
     goto     - Set GOTO filter ID
     reverse  - Enable/disable creating session reverse side traffic
     cache    - Enable/disable caching sessions that match filter
     log      - Enable/disable logging
     mirror   - Enable/disable session mirroring
     cur      - Display current advanced filter configuration

Page 451: Nortel Commands

Table 7-18 Advanced Filter Menu (/cfg/slb/filt/adv)

Command Syntax and Usage

8021p
Displays 8021p Advanced Menu. IEEE 802.1p is the specification for prioritizing the network traffic at the Layer 2 level in your switch. Using this command you can preserve 802.1p bits in all the frames that pass through the switch. To view menu options, see page 453.

tcp
Displays the TCP Flags advanced menu. To view menu options, see page 453.

ip
Sets IP advanced menu. To view menu options, see page 454.

layer7
Displays Layer7 advanced menu. To view menu options, see page 457.

proxyadv
Displays the Proxy Advanced Menu. To view menu options, see page 460.

icmp any|<number>|<type; "icmp list" for list>
Sets the ICMP message type. The default is set at any. For a list of ICMP message types, see Table 7-22 on page 455. For a detailed description of filtering and ICMP, see the Nortel Application Switch Operating System 23.0.2 Application Guide.

cont <BWM Contract (1-1024)>
Sets the Bandwidth Management Contract. By default, the contract number is set at 1024.

revcont <BW Contract (1-1024)>
Sets the Bandwidth Management contract for the reverse traffic session. This command helps you assign a different Bandwidth management contract from the one configured on the ingress filter.

tmout <even number of minutes (4-32768)>
Sets the session timeout in an even number of minutes. The default is set at 4 minutes.

idsgrp <real server group number (1-1024)>|none
Sets the IDS server group for intrusion detection server load balancing. When filtering is used for IDSLB, each filter added to an IDSLB-enabled port can be assigned a unique IDS real server group.

idshash sip|dip|both
Sets the hash metric parameter for Intrusion Detection System Server Load Balancing: source IP (sip), destination IP (dip), or both.

Page 452: Nortel Commands

thash auto|sip|dip|both|sip+sport
Allows you to choose the hash parameter to use for filter redirection. The default is auto. The sip option allows you to perform tunable hash on source IP address for this filter. The option dip allows you to perform tunable hash on destination IP address for this filter. The option both allows you to perform tunable hash on both source IP address and the destination IP address at the same time. The option sip+sport allows you to perform tunable hash on both source IP address and source port at the same time.

goto <filter ID>
Allows the user to specify a target filter ID that the filter search should jump to when a match occurs. Filter searching will then continue from the designated filter ID. Use this command to specify the new filter to go to. In order to use this feature, the action on this filter must be set to goto.

reverse disable|enable
Enables or disables the creation of a session for traffic coming from the reverse side. This command allows for the creation of a session entry for reverse traffic to avoid inspecting traffic in both directions.

cache disable|enable
Enables or disables caching sessions that match the filter. Exercise caution while applying cache-enabled and cache-disabled filters to the same switch port. A cache-enabled filter creates a session entry in the switch, so that the switch can bypass checking for subsequent frames that match the same criteria. Cache is enabled by default.
Note: Cache should be disabled if applying a filter to virtual server IP address while performing UDP load balancing (see “udp disable|enable|stateless” on page 438).

log disable|enable
Enables or disables generating syslog messages when a filter is hit. This option is disabled by default.

mirror disable|enable
Enables or disables session mirroring.

cur
Displays the current advanced filter configuration.

Page 453: Nortel Commands

/cfg/slb/filt <filter number>/adv/8021p
802.1p Advanced Menu

This feature provides the Nortel Application Switch Operating System the capability to filter IP packets based on the 802.1p bits in the packet's VLAN header. The 802.1p bits specify the priority that you should give to the packets while forwarding them. Packets with higher (non-zero) priority bits are given forwarding preference over packets with a numerically lower priority bits value.

[802.1p Advanced Menu]
     value    - Set 802.1p value
     match    - Enable/disable 802.1p value matching
     cur      - Display current 802.1p configuration

Table 7-19 8021p Advanced Menu Options (/cfg/slb/filt/adv/8021p)

Command Syntax and Usage

value <0-7>
Defines 802.1p value. The value is the priority bits information in the packet structure.

match disable|enable
Enables or disables matching of 802.1p value. When the Management Processor needs to reuse the packet to send to the destination, the switch matches the original priority bits information with the priority bits information after the frame processing is complete.

cur
Displays current 802.1p configuration.

/cfg/slb/filt <filter number>/adv/tcp
Advanced Filter TCP Configuration

[TCP Advanced Menu]
     urg      - Enable/disable TCP URG matching
     ack      - Enable/disable TCP ACK matching
     psh      - Enable/disable TCP PSH matching
     rst      - Enable/disable TCP RST matching
     syn      - Enable/disable TCP SYN matching
     fin      - Enable/disable TCP FIN matching
     ackrst   - Enable/disable TCP ACK or RST matching
     cur      - Display current TCP configuration

Page 454: Nortel Commands

These commands can be used to configure packet filtering for specific TCP flags.

Table 7-20 Advanced Filter TCP Menu (/cfg/slb/filt/adv/tcp)

Command Syntax and Usage

urg disable|enable
Enables or disables TCP URG (urgent) flag matching. By default, this option is disabled.

ack disable|enable
Enables or disables TCP ACK (acknowledgement) flag matching. By default, this option is disabled.

psh disable|enable
Enables or disables TCP PSH (push) flag matching. By default, this option is disabled.

rst disable|enable
Enables or disables TCP RST (reset) flag matching. By default, this option is disabled.

syn disable|enable
Enables or disables TCP SYN (synchronize) flag matching. By default, this option is disabled.

fin disable|enable
Enables or disables TCP FIN (finish) flag matching. By default, this option is disabled.

ackrst disable|enable
Enables or disables TCP acknowledgement or reset flag matching. By default, this option is disabled.

cur
Displays the current Access Control List TCP filter configuration.

/cfg/slb/filt <filter number> /adv/ip
IP Advanced Menu

[IP Advanced Menu]
     tos      - Set IP Type of Service
     tmask    - Set IP TOS mask
     newtos   - Set new IP TOS
     length   - Set IP maximum packet length
     option   - Enable/disable IP option matching
     cur      - Display current IP configuration

Page 455: Nortel Commands

Table 7-21 IP Advanced Menu Options (/cfg/slb/filt #/adv/ip)

Command Syntax and Usage

tos <0-255>
Sets IP type of service (ToS) and the value of the type of service. For more information on ToS, refer to RFC 1340 and 1349.

tmask <0-255>
Sets IP type of service mask.

newtos <0-255>
Sets new IP type of service.

length <IP packet length (in bytes), 64-65535>|any
Defines the limit of the IP packet’s length, including the IPv4 or IPv6 IP header. Any packet equal to or exceeding the specified length will not match the filter. This option supports both IPv4 and IPv6 packets.

option disable|enable
Enables or disables IP option matching.

cur
Displays the current advanced IP settings for the selected filter.

ICMP Message Types

The following ICMP message types are used with the /cfg/slb/filt/adv/icmp command. You can list all ICMP message types with the /cfg/slb/filt/adv/icmp list command.

Table 7-22 ICMP Message Types

Type # Message Type Description

0 echorep ICMP echo reply

3 destun ICMP destination unreachable

4 quench ICMP source quench

5 redir ICMP redirect

8 echoreq ICMP echo request

9 rtradv ICMP router advertisement

10 rtrsol ICMP router solicitation

11 timex ICMP time exceeded

Page 456: Nortel Commands

12 param ICMP parameter problem

13 timereq ICMP timestamp request

14 timerep ICMP timestamp reply

15 inforeq ICMP information request

16 inforep ICMP information reply

17 maskreq ICMP address mask request

18 maskrep ICMP address mask reply

Page 457: Nortel Commands

/cfg/slb/filt <filter number> /adv/layer7
Layer 7 Advanced Filter Configuration Menu

[Layer 7 Advanced Menu]
     sip      - Layer 7 SIP Menu
     urlcont  - Set BW cont of an URL path specific to this filter
     addrd    - Add HTTP redirection mapping
     remrd    - Remove HTTP redirection mapping
     addstr   - Add string for layer 7 filtering
     remstr   - Remove string for layer 7 filtering
     rdsnp    - Enable/disable WAP RADIUS Snooping
     rdswap   - Enable/disable RADIUS/WAP Persistence
     ftpa     - Enable/disable active FTP NAT
     l7lkup   - Enable/disable layer 7 content lookup
     parseall - Enable/disable layer 7 lookup (parsing) of all packets
     cur      - Display current layer 7 configuration

Table 7-23 Layer 7 Advanced Filter Menu Options (/cfg/slb/filt/adv/layer7)

Command Syntax and Usage

sip
Go to the Layer 7 SIP menu. To view the menu options, see page 459.

urlcont <URL path ID> <BW contract>
Sets the URL path BW contract for this filter. Only use this command when a string is shared by multiple filters and each filter requires a separate bandwidth.

addrd [1>2]
Adds an HTTP redirection mapping. Strings are defined under: /cfg/slb/layer7/slb/add.
This command tells the filter that if it matches on the first string ID, it sends an HTTP redirection message back to the client that contains the information in the second string ID.

remrd <string id to redirect from (1-1024)> <string id to redirect to (2-1024)>
Removes an HTTP redirection mapping that was added using the addrd command described above.

addstr <string id (1-1024)>
Adds the string ID to this filter for L7 filtering. The string is defined under: /cfg/slb/layer7/slb/add.

remstr <string id (1-1024)>
Removes the string ID for Layer 7 filtering. The string is defined under: /cfg/slb/layer7/slb/add.

Page 458: Nortel Commands

rdsnp disable|enable
Enables or disables WAP RADIUS snooping on this filter. RADIUS snooping allows the Nortel Application Switch Operating System to examine RADIUS accounting packets for client information. This information is needed to add to or delete static session entries in the switch’s session table so that it can perform the required persistency for load balancing. For more details, please refer to your Application Guide.

rdswap enable|disable
Enables or disables WAP RADIUS persistence on this filter. This feature allows for RADIUS and WAP persistence by binding both (RADIUS accounting and WAP) sessions to the same server. A WAP client is first authenticated by the RADIUS server on UDP port 1812. The server replies with a RADIUS Accept or Reject frame. The switch forwards this reply to the RAS. After the RAS receives the RADIUS Accept packet, it sends a RADIUS accounting start packet on UDP port 1813 to the bound server. The application switch snoops on the RADIUS accounting start packet for the “framed IP address” attribute. The “framed IP address” attribute is used to rebind the RADIUS accounting session to a new server. For more details, please refer to your Application Guide.

ftpa disable|enable
Enables or disables active FTP Client Network Address Translation (NAT). When a client in active FTP mode sends a PORT command to a remote FTP server, the switch will look into the data part of the frame and replace the client's private IP address with a proxy IP (PIP) address. The real server port (RPORT) will be replaced with a proxy port (PPORT), that is PIP:PPORT. By default, this option is disabled.

l7lkup disable|enable
Enables or disables layer 7 lookup on this filter. This command replaces the urlp and l7deny commands found in earlier releases of Nortel Application Switch Operating System. When enabled, the filter performs a lookup on layer 7 content such as HTTP strings or headers. When combined with a filter action (for example, deny, redir), this feature enables content-intelligent redirection or content-intelligent deny filtering.

parseall disable|enable
Enables or disables parsing of all packets in a session where layer 7 lookup is being performed. This command is enabled by default, and normally all data packets in a session are examined by the filter.
However, some sessions may contain only one packet containing the layer 7 content. Once this packet is found, subsequent packets can be ignored. When parseall is disabled, layer 7 lookup is turned off for the remaining packets in the session.

cur
Displays the current advanced Layer 7 configuration of the filter including the RADIUS/WAP persistence settings.
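
The rdsnp and rdswap entries above describe reading the "framed IP address" attribute out of a RADIUS accounting start packet on UDP port 1813. The following is an added example, not Nortel code, of that read done with bounds checks on every length field; the code and attribute numbers are those of RFC 2865 and RFC 2866, and mapping a Stop record to a session delete is an assumption of the example.

```python
"""Added example (not Nortel code): what a RADIUS accounting snoop has to read."""
import ipaddress
import struct

ACCT_PORT = 1813              # accounting port named in the rdswap description
ACCOUNTING_REQUEST = 4        # RADIUS packet code (RFC 2866)
ATTR_FRAMED_IP_ADDRESS = 8    # RFC 2865
ATTR_ACCT_STATUS_TYPE = 40    # RFC 2866
STATUS_START, STATUS_STOP = 1, 2
HEADER_LEN = 20               # code, identifier, length, 16-byte authenticator


def parse_attributes(body: bytes) -> dict:
    """Walk type/length/value attributes, rejecting lengths that leave the buffer."""
    attrs = {}
    pos = 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        if attr_len < 2 or pos + attr_len > len(body):
            raise ValueError("attribute length out of bounds")
        attrs.setdefault(attr_type, body[pos + 2:pos + attr_len])  # keep first occurrence
        pos += attr_len
    return attrs


def snoop_accounting(udp_dport: int, payload: bytes):
    """Return ("add" | "delete", client_ip), or None when the packet is not usable.

    The Request Authenticator is not verified here; doing so needs the shared secret.
    """
    if udp_dport != ACCT_PORT or len(payload) < HEADER_LEN:
        return None
    code, _ident, length = struct.unpack("!BBH", payload[:4])
    if code != ACCOUNTING_REQUEST or length < HEADER_LEN or length > len(payload):
        return None
    try:
        attrs = parse_attributes(payload[HEADER_LEN:length])
    except ValueError:
        return None
    status = attrs.get(ATTR_ACCT_STATUS_TYPE)
    framed = attrs.get(ATTR_FRAMED_IP_ADDRESS)
    if status is None or len(status) != 4 or framed is None or len(framed) != 4:
        return None
    client_ip = str(ipaddress.IPv4Address(framed))
    kind = struct.unpack("!I", status)[0]
    if kind == STATUS_START:
        return ("add", client_ip)
    if kind == STATUS_STOP:
        return ("delete", client_ip)  # assumption: Stop removes the static session entry
    return None


def build_accounting_request(status: int, framed_ip: str) -> bytes:
    """Constructed sample packet with a zeroed authenticator, for the example only."""
    attrs = struct.pack("!BBI", ATTR_ACCT_STATUS_TYPE, 6, status)
    attrs += struct.pack("!BB4s", ATTR_FRAMED_IP_ADDRESS, 6,
                         ipaddress.IPv4Address(framed_ip).packed)
    header = struct.pack("!BBH16s", ACCOUNTING_REQUEST, 1, HEADER_LEN + len(attrs), bytes(16))
    return header + attrs


if __name__ == "__main__":
    start = build_accounting_request(STATUS_START, "10.20.30.40")
    print(snoop_accounting(1813, start))
    print(snoop_accounting(1813, start[:-1]))  # truncated packet is ignored
```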

Page 459: Nortel Commands

/cfg/slb/filt <num> /adv/layer7/sip
Layer 7 SIP Menu

[Layer 7 SIP Menu]
     rtpcont  - Set BW contract for the SIP RTP sessions
     sipp     - Enable/disable SIP parsing
     cur      - Display current SIP configuration

Table 7-24 Layer 7 SIP Menu Options (/cfg/slb/filt/adv/layer7/sip)

Command Syntax and Usage

rtpcont <BW contract>
Set BW contract for the SIP RTP sessions.

sipp enable|disable
Enable or disable SIP parsing.

cur
Displays the current advanced SIP configuration.


/cfg/slb/filt/adv/proxyadv

Proxy Advanced Menu

[Proxy Advanced Menu]
     proxyip  - Set client proxy IP address
     epip     - Enable/disable pip selection based egress port/vlan
     proxy    - Enable/disable client proxy
     cur      - Display current proxy configuration

Table 7-25 Proxy Advanced Menu Options

Command Syntax and Usage

proxyip <IP_address>
Set the client proxy IP address.

epip enable|disable
Enable or disable PIP selection based on the outgoing port or VLAN.

proxy enable|disable
Enable or disable client proxy.

cur
Shows all Proxy statistics.

/cfg/slb/filt <filter number>/adv/security

SLB Filter Advanced Security Menu

[Security Menu]
     ratelim  - Rate Limiting Menu
     addgrp   - Add pattern match group for layer 7 filtering
     remgrp   - Remove pattern match group for layer 7 filtering
     pmatch   - Enable/disable pattern matching
     matchall - Enable/disable match-all criteria for layer 7 filtering
     parsechn - Enable/disable chained pgroup match criteria for l7 filtering
     parseall - Enable/disable pattern string lookup (parsing) of all packets
     cur      - Display current Security configuration


Table 7-26 Layer 7 Advanced Filter Menu Options (/cfg/slb/filt/adv/security)

Command Syntax and Usage

ratelim
Displays the Rate Limiting Menu. Protocol-based rate limiting limits the traffic coming from specific clients based on the IP address of the client. This feature enables the switch to detect and block UDP or ICMP-based DoS attacks that slow down or incapacitate the servers. Currently, the switch allows rate limiting to be enabled on TCP, UDP, and ICMP protocols. To view menu options, see page 462.

addgrp <pattern match group id>
Adds a pattern group to this filter. Pattern groups are added using the /cfg/security/pgroup/add command.

remgrp <pattern match group id>
Removes a pattern group from this filter.

pmatch disable|enable
Enables or disables pattern matching on this filter.

matchall disable|enable
Enables or disables matching of all configured patterns before the filter can perform the deny action.

parsechn enable|disable
Enables or disables chained pgroup match criteria for Layer 7 filtering.

parseall disable|enable
Enables or disables pattern string lookup (parsing) of all packets in a session where pattern matching is being performed. This command is enabled by default, and normally all data packets in a session are examined by the filter. However, some sessions may contain only one packet containing the layer 7 content. Once this packet is found, subsequent packets can be ignored. When parseall is disabled, pattern matching is turned off for the remaining packets in the session.

cur
Displays the current configuration.


/cfg/slb/filt <filter number>/adv/security/ratelim

Advanced Security Rate Limiting Configuration Menu

[Rate Limiting Menu]
     maxconn  - Set maximum connections for rate limiting
     timewin  - Set time window for rate limiting
     holddur  - Set hold down duration for rate limiting
     ena      - Enable TCP, UDP, or ICMP rate limiting
     dis      - Disable TCP, UDP, or ICMP rate limiting
     cur      - Display current rate limiting configuration

Table 7-27 Rate Limiting Advanced Menu Options (/cfg/slb/filt/adv/security/ratelim)

Command Syntax and Usage

maxconn <# of connections in units of 10 (0-255)>
Defines maximum connections for rate limiting.

timewin <seconds, 1-65535>
Defines time window for rate limiting. A time window is a configured period of time (in seconds) during which packets are allowed to be received. The time window can be configured per filter and not globally on all the filters.

holddur <minutes, 2-65535>
Defines hold down duration for rate limiting. When the number of new connections or packets exceeds the configured limit, any new TCP connection requests or UDP/ICMP packets from the client are blocked. When blocking occurs, the client is said to be held down. The client is held down for a specified number of minutes, after which new TCP connection requests or packets from the client are allowed once again to pass through. The hold-down duration can be configured per filter and not globally on all the filters.

ena
Enables the protocol for rate limiting. Rate limiting is applied to the protocol configured on the filter. The supported protocols are: TCP, UDP, and ICMP.

dis
Disables TCP, UDP, or ICMP rate limiting.

cur
Displays the current rate limiting configuration.
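How maxconn, timewin and holddur interact, modelled in Python as an added example (not Nortel code and not part of the original reference). The fixed per-client window and the rule that the first packet over the limit is blocked and starts the hold-down are assumptions; the class, the function names and the sample trace are constructed for illustration.

```python
"""Model of per-client rate limiting with a hold-down period.

Added illustration, not switch code. Assumptions (not stated in the manual):
the time window is a fixed window that starts with a client's first packet,
and the packet that pushes the count over the limit is itself blocked.
"""
from collections import defaultdict


class RateLimitFilter:
    """Hypothetical model of one filter's maxconn/timewin/holddur settings."""

    def __init__(self, maxconn, timewin, holddur):
        if not 1 <= maxconn <= 255:
            # The syntax allows 0, but the manual does not say what 0 does,
            # so the model refuses it rather than guess.
            raise ValueError("maxconn must be 1-255 (units of 10 connections)")
        if not 1 <= timewin <= 65535:
            raise ValueError("timewin must be 1-65535 seconds")
        if not 2 <= holddur <= 65535:
            raise ValueError("holddur must be 2-65535 minutes")
        self.limit = maxconn * 10          # maxconn is entered in units of 10
        self.timewin = timewin             # seconds
        self.hold_seconds = holddur * 60   # holddur is entered in minutes
        self._window = {}                  # client -> (window start, count)
        self._held_until = {}              # client -> time the hold-down ends

    def allow(self, client, now):
        """Return True if a new connection or packet from client passes at now."""
        release = self._held_until.get(client)
        if release is not None:
            if now < release:
                return False               # still held down
            del self._held_until[client]   # hold-down expired, start fresh

        start, count = self._window.get(client, (now, 0))
        if now - start >= self.timewin:    # window elapsed: begin a new one
            start, count = now, 0
        count += 1
        if count > self.limit:
            self._held_until[client] = now + self.hold_seconds
            self._window.pop(client, None)
            return False
        self._window[client] = (start, count)
        return True

    def held_until(self, client):
        """Time at which the client's hold-down ends, or None if not held."""
        return self._held_until.get(client)


def replay(flt, events):
    """Feed (time, client) events in time order; count passes and blocks."""
    summary = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for now, client in sorted(events):
        key = "allowed" if flt.allow(client, now) else "blocked"
        summary[client][key] += 1
    return dict(summary)


def sample_events():
    """Constructed trace (documentation addresses, not captured traffic)."""
    bursty, steady = "198.51.100.7", "192.0.2.10"
    events = [(i * 0.02, bursty) for i in range(50)]   # 50 packets in 1 s
    events += [(60.0, bursty), (121.0, bursty)]        # retries during/after hold
    events += [(float(t), steady) for t in range(10)]  # 1 packet per second
    return events


if __name__ == "__main__":
    # maxconn 2 -> 20 per window, timewin 1 s, holddur 2 min
    flt = RateLimitFilter(maxconn=2, timewin=1, holddur=2)
    for client, counts in replay(flt, sample_events()).items():
        print(client, counts)
```

In the sample trace the bursty client's retry at 60 seconds is still blocked even though its rate has dropped, which is the operational cost of a long holddur for clients that share an address.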


/cfg/slb/port <port number>

Port SLB Configuration

Nortel Application Switch Operating System switch software allows you to enable or disable processing independently for each type of Layer 4 traffic (client and server) on a per port basis, expanding your topology options.

NOTE – When changing the filters on a given port, it may take some time before the port session information is updated so that the filter changes take effect. To make port filter changes take effect immediately, clear the session binding table for the port (see the clear command in Table 8-3 on page 502).

[SLB port 1 Menu]
     client   - Enable/disable client processing
     server   - Enable/disable server processing
     rts      - Enable/disable RTS processing
     hotstan  - Enable/disable hot-standby processing
     intersw  - Enable/disable inter-switch processing
     proxy    - Enable/disable use of PIP for ingress traffic
     filt     - Enable/disable filtering
     add      - Add filter to port
     rem      - Remove filter from port
     idslb    - Enable/disable intrusion detection server load balancing
     cur      - Display current port configuration

Table 7-28 Port Configuration Menu Options (/cfg/slb/port)

Command Syntax and Usage

client disable|enable
For Server Load Balancing, the port can be enabled or disabled to process client Layer 4 traffic. Ports configured to process client request traffic bind servers to clients and provide address translation from the virtual server IP address to the real server IP address, re-mapping virtual server IP addresses and port values to real server IP addresses and ports. Traffic not associated with virtual servers is switched normally. Maximizing the number of these ports on the Layer 4 switch will improve the switch’s potential for effective Server Load Balancing. This option is disabled by default.

server disable|enable
Ports configured to provide real server responses to client requests require real servers to be connected to the Layer 4 switch, directly or through a hub, router, or another switch. When server processing is enabled, the switch port re-maps real server IP addresses and Layer 4 port values to virtual server IP addresses and Layer 4 ports. Traffic not associated with virtual servers is switched normally. This option is disabled by default.


rts disable|enable
Enables or disables Return to Sender (RTS) load balancing on this port. This option is used for firewall load balancing or VPN load balancing applications. Enable rts on all client-side ports to ensure that traffic ingresses and egresses through the same port. This option is disabled by default. For more information on using rts, see the “Firewall Load Balancing” and “VPN Load Balancing” chapters in the Nortel Application Switch Operating System 23.0.2 Application Guide.

hotstan disable|enable
Enables or disables hot-standby processing. Use this option and the intersw option in conjunction with VRRP hot-standby failover. This option is disabled by default.

intersw disable|enable
Enables or disables inter-switch processing. This option is enabled for ports connected to a peer switch and is disabled by default.

proxy disable|enable
Enables or disables a proxy for traffic that ingresses this port. When the PIP is defined, client address information in Layer 4 requests is replaced with this proxy IP address. In Server Load Balancing applications, this forces response traffic to return through the switch, rather than around it, as is possible in complex routing environments. Proxies are also useful for Application Redirection and Network Address Translation (NAT). When pip is used with Application Redirection filters, each filter’s rport parameter must also be defined (see rport on page 446). This option is disabled by default.

filt disable|enable
Enables or disables filtering on this port. Enabling the filter sets up the Real Server to look into the VPN session table. This option is disabled by default.

add <filter ID (1 to 2048)|block of IDs (first-last)>
Adds a filter or a block of filters for use on this port. Enter filter ID (1 to 2048) or a contiguous block of filter IDs. For example, 1-100.

rem <filter ID (1 to 2048)|block of IDs (first-last)>
Removes a filter or a block of filters from use on this port. Enter filter ID (1 to 2048) or a contiguous block of filter IDs. For example, 1-100.

idslb disable|enable
Enables or disables Intrusion Detection System Server Load Balancing on this port. In Nortel Application Switch Operating System 23.0.2, IDSLB is done at the end of filter processing or at the end of client processing where filtering is not enabled. In the case of client processing, IDSLB is enabled on a port and a real server group is designated for IDSLB. This option is disabled by default.

cur
Displays the current system parameters.


/cfg/slb/gslb

Global SLB Configuration

Global Server Load Balancing (GSLB) at any given site performs periodic SLB health checks to determine the health and response time of the remote real server corresponding to the virtual server at the remote site. GSLB uses the health and response time to select the server in the GSLB selection engine. In addition, GSLB sends the health and response time together with the local session and CPU utilization information; collectively, these are known as remote site updates. The switch sends these updates periodically to every remote site using the Distributed Site State Protocol (DSSP). DSSP is a proprietary protocol that resides above TCP.

For more information, please refer to your Application Guide.

[Global SLB Menu]
     site     - Remote Site Menu
     network  - Network Preference Menu
     rule     - Rule Menu
     version  - Set DSSP version 1 or 2 to send out remote site updates
     port     - Set TCP port number for DSSPv2 remote site updates
     sinter   - Set interval in seconds for remote site updates
     sesscap  - Set sessions utilization capacity threshold (DSSPv2)
     cpucap   - Set CPU utilization capacity threshold (DSSPv2)
     smask    - Set source IP subnet mask for DNS persistence cache
     timeout  - Set timeout in minutes for DNS persistence cache
     mincon   - Set sessions available capacity threshold
     noresp   - Set DNS response code when no server is returned
     dns      - Enable/disable authoritative DNS direct based GSLB
     hostlk   - Enable/disable virtual service hostname matching
     http     - Enable/disable HTTP redirect based GSLB
     usern    - Enable/disable HTTP redirect to remote real server name
     norem    - Enable/disable no remote real SLB
     encrypt  - Enable/disable encrypting remote site updates
     on       - Globally turn Global SLB ON
     off      - Globally turn Global SLB OFF
     cur      - Display current Global SLB configuration

Table 7-29 Global SLB Menu Options (/cfg/slb/gslb)

Command Syntax and Usage

site <remote site (1-64)>
Displays the menu for a remote site. To view menu options, see page 467.

network <network (1-128)>
Displays Network Preference Menu. To view menu options, see page 469.


rule <rule (1-128)>
Displays the Rule Menu. To view menu options, see page 470.

version <DSSP version 1 or 2>
Defines the version of Distributed Site State Protocol (DSSP) that is used to send out the remote site updates.

port <TCP port number>
Sets the TCP port number for remote site updates for Global server load balancing. The default TCP port is 80.

sinter <remote site updates interval in seconds, 10-7200>
Sets the time interval in seconds for remote site updates. The range is between 10 and 7200 seconds.

sesscap <Session utilization capacity threshold (1-100)>
Sets the threshold for session utilization capacity. The default configuration is 90%.

cpucap <CPU utilization capacity threshold (1-100)>
Sets the threshold for the CPU utilization capacity. The default configuration is 90%.

smask <set IP4 subnet mask (eg, 255.255.255.0)>
OR
smask <set IP6 prefix len (eg, 64)>
Set source IP subnet mask for DNS persistence cache.

timeout <timeout in minutes, 1-1440>
Set timeout in minutes for DNS persistence cache.

mincon <available sessions threshold, 0-65535>
Defines the capacity threshold for the sessions available on the real server for GSLB.

dns disable|enable
Enables or disables DNS direct-based GSLB. This option is enabled by default.

hostlk disable|enable
Enables or disables lookups based on host or domain name in a GSLB configuration. When enabled, the hostname specified in the Virtual Service configuration, in addition to the domain name, will be used to resolve the IP address for the domain. When disabled, only the domain name will be used to match.

http disable|enable
Enables or disables HTTP redirects to peer sites by this switch. When enabled (default), this switch will redirect client requests to peer sites if its own real servers fail or have reached their maximum connection limits. If disabled, the switch will not perform HTTP Redirects, but will instead drop requests for new connections and cause the client’s browser to eventually issue a new DNS request.


usern disable|enable
Enables or disables an HTTP redirect to a real server name. When a site redirects a client to another site using an HTTP redirect, the client is redirected to the new site's IP address. This option is disabled by default. If usern is enabled, the client will be redirected to the domain name specified by the remote real server name plus virtual server domain name: <remote real server name> <virtual server domain name>

norem
This command enables or disables no-remote real server load balancing. If enabled, the switch will not do remote real server load balancing for non-HTTP protocols. For HTTP protocols, if you want to do no-remote-real-server load balancing, you need to disable the http parameter in the same menu.

encrypt
This command enables or disables encrypting of DSSP updates. If disabled, the switch will not encrypt the DSSP messages going out of the switch. This option allows the GSLB feature to work with older versions of Web OS that do not encrypt DSSP messages.

on
Activates Global Server Load Balancing (GSLB) for this switch. This option can be performed only once the optional GSLB software is activated (refer to “Activating Optional Software” on page 509).

off
Turns GSLB off for this switch. Any active remote sites will still perform GSLB services with each other, but will not hand off requests to this switch. By default, GSLB is turned off.

cur
Displays the current Global SLB configuration.

/cfg/slb/gslb/site <site number>

GSLB Remote Site Configuration

The switch initiates a global server selection to direct client traffic to the best server for a given domain. Each domain has one or more sites. Each site has a virtual server for the domain. Each virtual server has a number of virtual services. Each virtual service has a group of real servers. Each virtual server has a domain name. Each virtual service has a host name. The combination of a virtual server and a virtual service is called a domain.


At a local site for a domain, there is a local virtual server but no remote virtual server. The local virtual server has a number of local virtual services. Each local virtual service has a group of local or remote real servers. The remote real servers are the virtual servers at the remote sites.

Up to 64 remote sites can be configured.

[Remote site 1 Menu]
     prima    - Set primary switch IP address of remote site
     secon    - Set secondary switch IP address of remote site
     name     - Set remote site name
     update   - Enable/disable remote site updates
     ena      - Enable remote site
     dis      - Disable remote site
     del      - Delete remote site
     cur      - Display current remote site configuration

Table 7-30 GSLB Remote Site Menu Options (/cfg/slb/gslb/site)

Command Syntax and Usage

prima <server IP address>
Defines the IP interface IP address of the primary switch at the remote site used for Global Server Load Balancing. Use dotted decimal notation.

secon <server IP address>
If the remote site is configured with a redundant switch, enter the IP address of the IP interface for the remote secondary switch here. If the remote site primary switch fails, the local switch will address the remote site secondary switch instead.

name <31 character name>|none
Sets the name of the remote site. The default is set at none.

update disable|enable
Enables or disables remote site updates. If enabled (default), this switch will send regular Distributed Site State Protocol (DSSP) updates to its remote peers using HTTP port 80. If disabled, the switch will not send state updates. If your local firewall does not permit this traffic, disable the updates.
Note: When update is enabled, Global Server Load Balancing uses service port 80 on the IP interface for DSSP updates. By default, the Nortel Application Switch Operating System Web-based interface also uses port 80. Both services cannot use the same port. If both are enabled, configure the Nortel Application Switch Operating System Browser-Based Interface (BBI) to use a different service port (see the /cfg/sys/access/wport option on page 288).

ena
Enables this remote site for use with Global Server Load Balancing.


dis
Disables this remote site. The switch will no longer use this remote site for Global Server Load Balancing.

del
Removes this remote site from operation and deletes its configuration.

cur
Displays the current remote site configuration.

/cfg/slb/gslb/network <network number>

GSLB Network Preference Configuration Menu

Network preference selects a server based on the preferred network of the source IP address for a given domain. The preferred network contains a subset of the servers for the domain.

Up to 128 network preference numbers can be set.

[Network 1 Menu]
     sip      - Set source IP address
     mask     - Set source IP and network netmask
     addvirt  - Add virtual server to network
     remvirt  - Remove virtual server from network
     addreal  - Add remote real server to network
     remreal  - Remove remote real server from network
     ena      - Enable network
     dis      - Disable network
     del      - Delete network
     cur      - Display current network configuration

Table 7-31 GSLB Network Menu Options (/cfg/slb/gslb/network)

Command Syntax and Usage

sip <IP address>
Defines the source (client) IP address. Specify an IP address in dotted decimal notation. A range of IP addresses is produced when used with the mask option.

mask <IP subnet mask (such as, 255.255.255.0)>
This IP address mask is used with the source IP (SIP) address to find a correct virtual server IP address to respond to a DNS request.


addvirt <virtual server number (1-1024)>
Adds a virtual server to the network. No virtual server is added by default.

remvirt <virtual server number (1-1024)>
Removes a virtual server from the network.

addreal <real server number (1-1023)>
Adds a real server to the network.

remreal <real server number (1-1023)>
Removes a real server from the network.

ena
Enables the network.

dis
Disables the network.

del
Deletes the network entry.

cur
Displays the current Internet network entry configuration.

/cfg/slb/gslb/rule

GSLB Rule Configuration Menu

Rules allow the GSLB selection to use different metric preferences based on time-of-day. You can configure one or more rules on each domain. Each rule has a metric preference list. The GSLB selection selects the first rule that matches the domain and starts with the first metric in the metric preference list of the rule.

[Rule 1 Menu]
     metric   - Metric Menu
     start    - Set start time for rule
     end      - Set end time for rule
     ttl      - Set Time To Live in seconds of DNS resource records
     rr       - Set DNS resource records in DNS response
     dname    - Set network preference domain name for rule
     ena      - Enable rule
     dis      - Disable rule
     del      - Delete rule
     cur      - Display current rule configuration


Table 7-32 GSLB Rule Configuration Menu Options (/cfg/slb/gslb/rule)

Command Syntax and Usage

metric <metric (1-16)>
Displays Metric Preference Menu. To view menu options, see page 472.

start <hour (0-23)> <minutes (0-59)>
Defines the start time for the rule. The default is zero.

end <hour (0-23)> <minutes (0-59)>
Defines the end time for the rule. The default is zero.

ttl <time to live in seconds (0-65535)>
Specifies the duration (from 0 to 65535 seconds, with default at 60) that the DNS response from the switch (indicating site of best service) will remain in the cache of DNS servers. A lower value may increase the ability of the GSLB system to adjust to sudden changes in traffic load, but will generate more DNS traffic. Higher numbers may reduce the amount of DNS traffic, but may slow GSLB’s response to sudden traffic changes.

rr <rr (1-10)>
Sets how many DNS resource records will be returned in the DNS response. The default is 2 records.

dname <34 character (wildcard "*" allowed) domain name> | none
Defines the domain name for the rule for network preference. The maximum length for the domain name is 34 characters. You can use the wildcard “*” when creating the domain name. The default is none.

ena
Enables the rule.

dis
Disables the rule.

del
Deletes the rule.

cur
Displays the current rule configuration.


/cfg/slb/gslb/rule/metric

Global SLB Rule Metric Menu

[Rule 1 Metric 1 Menu]
     gmetric  - Set metric to use to select next server
     addnet   - Add network to gmetric=network
     remnet   - Remove network from gmetric=network
     cur      - Display current metric configuration

Table 7-33 Global SLB Rule Metric Menu Options (/cfg/slb/gslb/rule/metric)

Command Syntax and Usage

gmetric leastconns|roundrobin|response|geographical|network|random|availability|qos|minmisses|hash|local|always|remote|none
Defines the metric to select the next real server for GSLB. The default is none.

addnet
Allows you to add a network to the selected metric. This command applies only if you select network as the metric.

remnet <1-128>
Allows you to delete a network that was added to the selected metric.

cur
Displays the current configuration of the metric.

/cfg/slb/layer7

Layer 7 SLB Resource Definition Menu

[Layer 7 Resource Definition Menu]
     redir    - Web Cache Redirection Menu
     slb      - Server Load Balancing Menu
     sdp      - SIP SDP Menu
     dbindtm  - Set timeout for incomplete delayed binding connections
     cur      - Display current Layer 7 configuration

Table 7-34 Layer 7 Resource Definition Menu Options (/cfg/slb/layer7)

Command Syntax and Usage

redir
Displays the Web Cache Redirection Menu. To view menu options, see page 473.


slb
Displays the Server Load Balancing Menu. To view menu options, see page 475.

sdp
Displays the SIP SDP Menu. To view menu options, see page 477.

dbindtm <10-60 seconds>
Sets the timeout for incomplete delayed binding connections.

cur
Displays the current Layer 7 configuration.

/cfg/slb/layer7/redir

Web Cache Redirection Configuration

[Web Cache Redirection Menu]
     urlal    - Enable/disable auto-ALLOW for non-GETs to origin servers
     cookie   - Enable/disable auto-ALLOW for Cookie to origin servers
     nocache  - Enable/disable no-cache control header to origin servers
     hash     - Enable/disable URL hashing based on URI
     header   - Enable/disable server loadbalance based on HTTP header
     cur      - Display current WCR configuration

Table 7-35 Web Cache Redirection Menu Options (/cfg/slb/layer7/redir)

Command Syntax and Usage

urlal disable|enable
Enables or disables auto-ALLOW for non-GETs to origin servers.

If this command is enabled, the switch will redirect all non-GET requests to the origin server. If this command is disabled, the switch will compare the URI against the expression table to determine whether all non-GET requests should be redirected to a cache server or origin server.

This option is enabled by default.


cookie disable|enable
Enables or disables auto-ALLOW for cookie to origin servers.

If this command is enabled, the switch will redirect all requests that contain Cookie: in the HTTP header to the origin server. If this command is disabled, the switch will compare the URI against the expression table to determine whether it should redirect all requests that contain Cookie: in the HTTP header to a cache server or origin server.

This option is disabled by default.

nocache disable|enable
Enables or disables no-cache control header to origin servers.

If this command is enabled, the switch will redirect all requests that contain Cache-Control: no-cache in HTTP/1.1 header, or Pragma: no-cache in HTTP/1.0 header to the origin server. If this command is disabled, the switch will compare the URI against the expression table to determine whether it should redirect requests that contain Cache-Control: no-cache in HTTP/1.1 header, or Pragma: no-cache in HTTP/1.0 header to a cache server or origin server.

This option is enabled by default.

hash disable|enable <number (1-255)>
Enables or disables URL hashing based on the URI.

If hashing is enabled, you can set the length of URI that will be used to hash into the cache server by specifying a number from 1-255. If hashing is disabled, the switch will only use the host header field to calculate the hash key.

This option is disabled by default.

header disable|enable host|useragent|others
Enables or disables server load balancing based on HTTP header. This option is disabled by default.

cur
Displays the current URL expression table.


/cfg/slb/layer7/slb

Server Load Balance Resource Configuration Menu

[Server Loadbalance Resource Menu]
     message  - Set HTTP error message
     addstr   - Add SLB string for load balance
     remstr   - Remove SLB string for load balance
     rename   - Rename SLB string for load balance
     addmeth  - Add HTTP method type
     remmeth  - Remove HTTP method type
     case     - Enable/disable case sensitive for string matching
     cont     - Set BW contract for the SLB string
     cur      - Display current configuration

Table 7-36 Server Load Balance Resource Menu Options (/cfg/slb/layer7/slb)

Command Syntax and Usage

message <64 byte error message>
Sets the message that will be displayed when an error occurs. The default message is “No available server to handle this request.”

addstr <l7lkup|pattern>
Allows the user to define a string that can be used for server load balancing or filtering by selecting either a Layer 7 look up string or a pattern match.

If you choose l7lkup string, you can define a string for server load balancing or a string for Layer 7 lookup. If you choose pattern string, you will have the option to choose between ascii or binary strings on a specific offset of the IP frame. These strings will only be used for filtering string pattern matching.

remstr <SLB string ID>
Removes this SLB string from the real server.

rename <SLB string ID> <SLB string>
Renames the SLB string for load balancing.

addmeth <Method, 1-32>
Allows you to add HTTP request methods of maximum 32 characters to your switch software. HTTP allows an open-ended set of methods to be used to indicate the purpose of a request. Nortel Application Switch Operating System 23.0.2 supports 22 request methods by default. The methods GET and HEAD must be supported by all general-purpose servers. All other methods are optional. You can see a list of supported default methods by using the command cur in this menu. A method is case-sensitive. The software supports both HTTP 1.0 and HTTP 1.1 to perform HTTP request methods.


remmeth <Method ID>
Allows you to remove HTTP methods from your switch software.

case disable|enable
Enables or disables case sensitivity for string matching. Using this command you can do either case-sensitive or case-insensitive string comparison. If you disable case sensitivity, all load balancing strings and all the request strings arriving on the switch will have to be converted to lower case before doing any string comparison.

cont <SLB string ID [1-1024]> <BW contract number [1-1024]>
Sets the Bandwidth Management contract for a specified string for the SLB string ID.

cur
Displays the currently configured SLB strings and their associated string IDs (index numbers) and the supported HTTP request methods.


/cfg/slb/layer7/sdp

SDP Mapping Menu

[SDP Mapping Menu]
     add      - Add SDP mapping
     rem      - Remove SDP mapping
     cur      - Display current SDP mapping configuration

Table 7-37 SDP Mapping Menu Options

Command Syntax and Usage

add <private IP> <public IP>
Add SDP mapping.

rem <private IP>
Remove SDP mapping.

cur
Display current SDP mapping configuration.

/cfg/slb/wap

WAP Configuration

[WAP Options Menu]
     tpcp     - Enable/disable WAP TPCP external notification
     debug    - WAP debug level
     cur      - Display current WAP configuration

Table 7-38 WAP Configuration Menu Options (/cfg/slb/wap)

Command Syntax and Usage

tpcp disable|enable
Enables or disables the TPCP external notification for Add/Delete session requests. This option is disabled by default.

debug <wap debug level (0-10)>
Sets the debug level for tracing the WAP related messages. The default is set at 0.

cur
Displays the current WAP configuration.

Chapter 7: The SLB Configuration Menu 477320506-A, January 2006

Page 478: Nortel Commands

Nortel Application Switch Operating System 23.0.2 Command Reference

/cfg/slb/sync
Synchronize Peer Switch Configuration

To synchronize the configuration between two switches, a peer must be configured and enabled on each switch. Switches being synchronized must use the same administrator password. Peers are sent SLB, FILT, and VRRP configuration updates using /oper/slb/synch.

[Config Synchronization Menu]
     peer     - Synch Peer Switch Menu
     filt     - Enable/disable syncing filter configuration
     ports    - Enable/disable syncing port configuration
     prios    - Enable/disable syncing VRRP priorities
     pips     - Enable/disable syncing proxy IP addresses
     peerpips - Enable/disable syncing peer proxy IP addresses
     bwm      - Enable/disable syncing BWM configuration
     state    - Enable/disable syncing persistent session state
     update   - Set stateful failover update period
     cur      - Display current Layer 4 sync configuration

Table 7-39 Synchronization Menu Options (/cfg/slb/sync)

Command Syntax and Usage

peer <peer switch number (1-2)>
Displays the Sync Peer Switch Menu. This option is enabled by default. To view menu options, see page 479.

filt disable|enable
Enables or disables synchronizing filter configuration. This option is disabled by default.

ports disable|enable
Enables or disables synchronizing Layer 4 port configuration. This option is enabled by default.

prios disable|enable
Enables or disables syncing VRRP priorities. This option is enabled by default.

pips disable|enable
Enables or disables synchronizing proxy IP addresses. This option is disabled by default.

peerpips disable|enable
Enables or disables synchronizing the peer proxy IP addresses. Peer proxy IP addresses are used in VRRP Active/Active configuration. This option is disabled by default.

bwm disable|enable
Enables or disables synchronizing Bandwidth Management configuration between Master and backup switches. This option is enabled by default.

state disable|enable
Enables or disables stateful failover for synchronizing the persistent session state. This option is disabled by default.

update <seconds, 1–60>
Sets the stateful failover update interval. The active switch sends update packets of new persistent binding entries, if any, to the backup switch at the specified update interval. The default value is 30 seconds.

cur
Displays the current Layer 4 synchronization configuration.

/cfg/slb/sync/peer <peer switch number>
Peer Switch Configuration

To synchronize the configuration between two switches, a peer must be configured and enabled on each switch. Switches being synchronized must use the same administrator password.

[Peer Switch 1 Menu]
     addr     - Set peer switch IP address
     ena      - Enable peer switch
     dis      - Disable peer switch
     del      - Delete peer switch
     cur      - Display current peer switch configuration

Table 7-40 Peer Switch Configuration Menu Options (/cfg/slb/sync/peer)

Command Syntax and Usage

addr <IP address>
Sets the peer switch IP address. The default is 0.0.0.0.

ena
Enables the peer for this switch. By default, this option is disabled.

dis
Disables the peer for this switch.

del
Deletes the peer for this switch.

cur
Displays the current peer switch configuration.

/cfg/slb/adv
Advanced Layer 4 Configuration

[Layer 4 Advanced Menu]
     synatk   - SYN Attack Detection Menu
     smtport  - Service Mapping Table Real Port Menu
     imask    - Set virtual and real IP address mask
     mnet     - Set management network
     mmask    - Set management subnet mask
     pmask    - Set persistent mask
     intrval  - Set SLB session attack inspection interval
     allowlim - Set SLB session attack alert allowable limit
     submac   - Enable/disable Source MAC address substitution
     direct   - Enable/disable Direct Access Mode
     grace    - Enable/disable graceful real server failure
     matrix   - Enable/disable Virtual Matrix Architecture
     vmasport - Enable/disable VMA with source port
     tpcp     - Enable/disable Transparent Proxy Cache Protocol
     vstat    - Enable/disable Virtual Service Statistics
     rtsvlan  - Enable/disable using VLAN info for real server lookup
     pvlantag - Enable/disable preserving vlan tag during packet forwarding
     portbind - Enable/disable Ingress Port For Session Table Binding
     fastage  - Session table fast-age (1 sec) period bit shift
     slowage  - Session table slow-age (2 min) period bit shift
     cur      - Display current Layer 4 advanced configuration

Table 7-41 Layer 4 Advanced Menu Options (/cfg/slb/adv)

Command Syntax and Usage

synatk
Displays SYN Attack Detection Menu. To view menu options, see page 483.

smtport
Displays Service Mapping Table (SMT) Real Server Port Menu. Using this command you can add or remove a number of real server service port(s) that will process client traffic by-passing the server. In other words, this service port’s client request will not be processed by the server processor. To view menu options, see page 483.

imask <IP subnet mask (such as 255.255.255.0)>
Configures the real and virtual server IP address mask using dotted decimal notation. The default is 255.255.255.255.

mnet <IP address>
If defined, management traffic with this source IP address will be allowed direct (non-Layer 4) access to the real servers. Specify an IP address in dotted decimal notation. A range of IP addresses is produced when used with the mmask option.

mmask <IP subnet mask (such as 255.255.255.0)>
This IP address mask is used with the mnet to select management traffic which is allowed direct access to real servers. The default is 255.255.255.255.

pmask <IP subnet mask (such as 255.255.255.0)>
Sets persistent mask. The default is 255.255.255.255.

intrval <time window for collecting sessions (0-3600)>
This command allows you to configure the time interval (from one second to one hour) to specify how frequently you want to check the SLB sessions (attacks) the switch received. At the configured interval of time the switch will check if the number of sessions is within the configured limits. You can set this limit by using the next command in this menu: allowlim.

allowlim <allowable limit (1-2097104)>
This command allows you to specify the maximum number of sessions the switch can receive at any given period of time. If the number of sessions exceeds this limit, the switch will generate a syslog and an SNMP trap to alert the administrator that the switch is under SLB attack.

submac disable|enable
Enables or disables Source MAC address substitution. Typically, the source MAC is not modified for the packets going to the servers in an SLB environment. But if you enable this command, the switch will substitute the source MAC address (for the packets going to the server) with the MAC address of the switch.

direct disable|enable
Enable/disables Direct Access Mode to real servers/services. This option also allows any virtual server to load balance any real server. By default, this option is disabled.

grace disable|enable
Enables or disables graceful real server failure. Allows existing sessions to remain bound to a server after the server has been placed in the service failed state (for more information, see “Service Failure” in the Nortel Application Switch Operating System 23.0.2 Application Guide). By default, this option is disabled.

matrix disable|enable
Enables or disables the use of Virtual Matrix Architecture on the Nortel Application Switch. By default, this option is enabled.

vmasport enable|disable
Enable/disable VMA with source port.

tpcp disable|enable
Enables or disables the TPCP (Transparent Proxy Cache Protocol). This command is used for security reasons: the UDP port can be closed. By default, this option is disabled.

vstat disable|enable
Enables or disables reporting of virtual service statistics.

rtsvlan disable|enable
Enables or disables the use of VLAN for Return to Sender information on the real server.

pvlantag
Enable/disable preserving VLAN tag during packet forwarding.

portbind disable|enable
Enables or disables the inclusion of the ingress port number in the session table lookup.

fastage <shift the fast-age (1sec) period 0-7 bits>
Controls how frequently a fastage scan is performed. The default interval is two seconds. Each incremental increase of the value doubles the length of the interval. The fastage scan is used to remove TCP sessions that have been closed with a FIN and sessions that have been identified by the slowage scan as idle for the maximum allowed period. If a large value of fastage is used, a session can remain in the session table for a few minutes. The default is 0.

slowage <shift the slow-age (2min) period 0-14 bits>
Controls how frequently a slowage scan is performed. The default interval is two minutes. Each incremental increase of the value doubles the length of the interval. (Value is set in bits rather than seconds, which causes the time to double per increment.) The slowage scan is used to remove idle or non-TCP sessions from the session table at the specified intervals. If a large value of slowage is used, a session can remain in the session table for months. The default is 0.

cur
Displays the current Layer 4 advanced configuration.

/cfg/slb/adv/synatk
SYN Attack Detection Configuration Menu

[SYN Attack Detection Menu]
     intrval  - Set SYN attack detection interval
     thrshld  - Set SYN attack alarm threshold
     cur      - Display current SYN attack detection configuration

Table 7-42 SYN Attack Detection Menu Options (/cfg/slb/adv/synatk)

Command Syntax and Usage

intrval <SYN attack check interval in seconds (2-3600)>
Sets the interval of SYN attack inspection.

thrshld <SYN attack alarm threshold (new half-open sessions/second) (1-100000)>
Sets the threshold of SYN attack alarm.

cur
Displays the current SYN attack detection configuration.

/cfg/slb/adv/smtport
Advanced SMT Real Server Port Configuration Menu

[SMT Real Port Menu]
     add      - Add real port
     remove   - Remove real port
     cur      - Display real port configuration

Table 7-43 Advanced SMT Real Server Port Menu Options (/cfg/slb/adv/smtport)

Command Syntax and Usage

add <real server port (2-65534)>
This command allows you to add a service port to the real server that is configured to process client traffic by-passing the server processor.

remove <real server port (2-65534)>
This command allows you to remove a service port from the real server that is configured to process client traffic by-passing the server processor.

cur
Displays real port configuration.

/cfg/slb/linklb
Inbound Link Load Balancing configuration Menu

[Inbound Linklb Menu]
     drecord  - Domain Record Menu
     group    - Set real server group
     ttl      - Set Time to Live of DNS resource records
     ena      - Enable Inbound Linklb
     dis      - Disable Inbound Linklb
     cur      - Display current Inbound Linklb configuration

Table 7-44 Inbound Link Load Balancing Configuration Menu Options (/cfg/slb/linklb)

Command Syntax and Usage

drecord <domain record number (1-64)>
Displays domain record menu. To view menu options, see page 485.

group <real server group number (1-1023)>
Sets the real server ISP group number.

ttl <time to live in seconds (0-65535)>
Sets the time-to-live for DNS resource records.

ena
Enables inbound link load balancing.

dis
Disables inbound link load balancing.

cur
Displays current inbound link load configuration.

/cfg/slb/linklb/drecord
Inbound Link Load Balancing Domain Record Menu

[Domain Record <domain_number> Menu]
     entry    - Virt Real Mapping Menu
     domain   - Set Domain Name
     ena      - Enable Domain Record
     dis      - Disable Domain Record
     del      - Delete Domain Record
     cur      - Display current Domain Record configuration

Table 7-45 Inbound Link Load Balancing Domain Record Menu Options (/cfg/slb/linklb/drecord)

Command Syntax and Usage

entry <linklb entry number (1-8)>
Displays the link load balancer’s mapping menu for the virtual and real servers. See page 452 to view menu options.

domain <64 character domain name>|none
Allows you to configure the domain name. Default is none.

ena
Enables the domain records.

dis
Disables the domain records.

del
Deletes the domain records.

cur
Displays the current domain records.

/cfg/slb/linklb/drecord/entry
Inbound Link Load Balancing Mapping Menu

[Virt Real Mapping 1 Menu]
     virt     - Set Virtual Server Number
     real     - Set Real Server Number
     ena      - Enable Entry
     dis      - Disable Entry
     del      - Delete Entry
     cur      - Display current Entry configuration

Table 7-46

Command Syntax & Usage

virt <virtual server number, 1-1024>
Defines the virtual server number for mapping.

real
Defines the real server number for mapping.

ena
Enables the entry for drecords.

dis
Disables the entry for drecords.

del
Deletes the entry for drecords.

cur
Displays the current real and virtual server mappings for drecords entries.

/cfg/slb/advhc
Advanced Health Check Configuration Menu

[Layer 4 Advanced Health Check Menu]
     script   - Scriptable Health Check Menu
     snmphc   - SNMP Health Check Menu
     waphc    - WAP Health Check Menu
     aphttp   - Enable/disable Allow HTTP Health Check on any port
     ldapver  - LDAP version
     secret   - Set RADIUS secret
     minter   - Set interval of response and bandwidth metric updates
     cur      - Display current Layer 4 advanced health check configuration

Table 7-47 Advanced Health Check Menu Options (/cfg/slb/advhc)

Command Syntax and Usage

script <health script number (1-64)>
Displays the Scriptable Health Check Menu. To view menu options, see page 488.

snmphc <SNMP health check number (1-5)>
Displays the SNMP Health Check Menu. To view menu options, see page 490.

waphc
Displays the WAP Health Check Menu. To view menu options, see page 492.

aphttp disable|enable
Enables or disables HTTP health checks on any port. By default, this option is disabled. When disabled, you can use HTTP health checks only for HTTP service. Enabling it allows you to use them on any port, such as HTTPS.

ldapver <LDAP version>
Sets the LDAP version to 2 or 3. The default is 2.

secret <1-32 character secret>
To perform application health checking to a RADIUS server, the network administrator must configure two parameters in the switch: the /cfg/slb/secret value and the cntnt parameter with a username:password value. The secret value is a field of up to 32 alphanumeric characters that is used by the switch to encrypt a password using the RSA Message Digest Algorithm (MD5) and by the RADIUS server to decrypt the password during verification. The default is none.

minter <number of seconds between updates (1-256)>
This command sets the interval of response and bandwidth metric updates. The default is set at 10.

cur
Displays the current Layer 4 advanced health check configuration.
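The secret row above describes the RADIUS password protection in one sentence. The following added example (not Nortel code) shows the standard User-Password hiding from RFC 2865 section 5.2 and an Access-Request built from a username:password content string; the function names, the secret, the authenticator and the credentials are constructed for illustration, and it is an assumption that the switch follows the RFC exactly.

```python
"""RFC 2865 User-Password hiding, as a RADIUS health check would need it.

Added illustration. All names and sample values are constructed.
"""
import hashlib
import struct


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide the password: c1 = p1 XOR MD5(S + RA), ci = pi XOR MD5(S + c(i-1))."""
    if not 1 <= len(secret) <= 32:          # limit stated for the secret command
        raise ValueError("secret must be 1-32 characters")
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:       # RFC 2865 limit
        raise ValueError("password must be 1-128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ d for p, d in zip(padded[i:i + 16], digest))
        hidden += prev
    return hidden


def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: reverse the hiding with the server's own copy of the secret."""
    plain, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        digest = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ d for c, d in zip(block, digest))
        prev = block
    return plain.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute: type, length (including the 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def access_request(content: str, secret: bytes, request_auth: bytes,
                   ident: int = 1) -> bytes:
    """Build an Access-Request (code 1) from a 'username:password' string."""
    username, _, password = content.partition(":")
    attrs = _attr(1, username.encode())                      # User-Name
    attrs += _attr(2, hide_password(password.encode(), secret, request_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + request_auth + attrs


def server_view(packet: bytes, secret: bytes) -> tuple:
    """Parse the request as the RADIUS server would, using its configured secret."""
    request_auth, pos = packet[4:20], 20
    username, password = "", ""
    while pos < len(packet):
        attr_type, attr_len = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + attr_len]
        if attr_type == 1:
            username = value.decode()
        elif attr_type == 2:
            raw = recover_password(value, secret, request_auth)
            password = raw.decode("utf-8", "replace")
        pos += attr_len
    return username, password


# Constructed sample values (not from the command reference).
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
CONTENT = "healthcheck:Constructed-Passw0rd!"

if __name__ == "__main__":
    pkt = access_request(CONTENT, SECRET, REQUEST_AUTH)
    print("matching secret  :", server_view(pkt, SECRET))
    print("mismatched secret:", server_view(pkt, b"other-secret"))
```

With a mismatched secret the server recovers garbage instead of the password, so the health check fails even though the credentials in cntnt are correct.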


/cfg/slb/advhc/script <health script number>
Scriptable Health Checks Configuration

Scriptable health checks provide a robust and extensible way to health check a group of real servers. With these health checks, users can define their own health checks of varied complexity. The ASCII and binary-based scripts control how a group of real servers are health-checked, so both TCP and UDP services can be health-checked.

The Health Script menu provides commands that can be used to define the health “script.” The total number of characters cannot exceed 6144 bytes. Up to 64 scripts can be configured.

[Health Script 1 Menu]
     open     - Add open command to end of script
     send     - Add send command to end of script
     bsend    - Add binary send command to end of script
     nsend    - Add additional send binary string to end of script
     expect   - Add expect command to end of script
     bexpect  - Add binary expect command to end of script
     nexpect  - Add additional expect binary string to end of script
     offset   - Add offset command to end of script
     depth    - Add depth command to end of script
     wait     - Add wait command to end of script
     close    - Add close command to end of script (TCP only)
     rem      - Remove last command from script
     del      - Delete script
     cur      - Display current script configuration

Table 7-48 Scriptable Health Check Menu Options (/cfg/slb/adv/script)

Command Syntax and Usage

open <real port or name (such as: http)> <tcp|udp>
Opens a TCP connection or specifies a UDP port for the health check. You need to specify the protocol (TCP or UDP), and the port number.

send <text string (TCP), hex string (UDP)>
Sends an ASCII request string through an open TCP or UDP port to the server.

bsend <hex string>
Sends a binary request string in hexadecimal format for the request packet through an open TCP or UDP port to the server.

nsend <additional hex string (UDP)>
Allows you to append additional content to the packet generated by the bsend command. The Nortel Application Switch Operating System 23.0.2 allows a maximum of 256 bytes to be entered. Using one or more nsend commands allows you to generate binary content of more than 256 bytes in length.

expect <text string (TCP), hex string (UDP)>
Allows you to configure an ASCII request string that you can search for in each server response packet for a successful health check on an open TCP port. If you do not see this string in any response packet before the health check interval or the configured wait window expires, the server does not pass the expect step and the health check fails.

bexpect <hex string>
Allows you to configure a binary content request string (in hexadecimal format) that you can search for in each server response packet for a successful health check on an open TCP port.

nexpect <additional hex string (UDP)>
Allows you to append additional content to the original content of the response packet specified by the bexpect command.

offset <offset, 1-1464>
Allows you to specify the offset from the beginning of the UDP data area to start matching the content specified in the expect command. If you need to specify offset, you must do it after executing the bexpect command.

depth <depth, 1-1464>
Allows you to specify the depth (the window) in bytes beginning from the start of the UDP data area, or beginning from offset if offset was specified, to search for the bexpect content.

wait <wait window in milliseconds (1-65535)>
Allows the user to configure a wait window for the expected response. The wait window starts when the request is sent from the switch. If the expected response is received within the wait window, the health check passes; otherwise the health check fails. The wait command should follow the offset and depth commands in the script. The wait window is set in units of milliseconds.

close
Closes TCP connection.

rem
Removes the last entered line from the script.

del
Deletes the current script.
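The bexpect, nexpect, offset, depth and wait rows above interact, and an unwindowed pattern can pass an unhealthy server. The following added example (not Nortel code) models that evaluation over two constructed DNS responses; the class, its field names and the reading of offset and depth as a search window are assumptions drawn from the command descriptions.

```python
"""Model of how a binary health-script expectation is evaluated.

Added illustration. Names and sample packets are constructed; the switch's
own matching logic may differ in detail.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class BinaryExpect:
    bexpect: str                                      # hex string given to bexpect
    nexpect: List[str] = field(default_factory=list)  # hex strings appended by nexpect
    offset: int = 0                                   # 0 = offset command not used
    depth: Optional[int] = None                       # None = depth command not used
    wait_ms: Optional[int] = None                     # None = wait command not used

    def __post_init__(self) -> None:
        # Ranges are the ones the command reference gives for each command.
        if self.offset and not 1 <= self.offset <= 1464:
            raise ValueError("offset must be 1-1464")
        if self.depth is not None and not 1 <= self.depth <= 1464:
            raise ValueError("depth must be 1-1464")
        if self.wait_ms is not None and not 1 <= self.wait_ms <= 65535:
            raise ValueError("wait must be 1-65535 ms")

    def pattern(self) -> bytes:
        """bexpect content followed by every nexpect continuation."""
        return bytes.fromhex(self.bexpect + "".join(self.nexpect))

    def window(self, udp_data: bytes) -> bytes:
        """Bytes searched: from offset, for depth bytes (or to the end)."""
        end = None if self.depth is None else self.offset + self.depth
        return udp_data[self.offset:end]

    def passes(self, udp_data: bytes, elapsed_ms: int) -> bool:
        """Fail on a late response, otherwise search the window for the pattern."""
        if self.wait_ms is not None and elapsed_ms > self.wait_ms:
            return False
        return self.pattern() in self.window(udp_data)


QNAME = b"\x07example\x04test\x00"   # constructed query name


def dns_response(flags: int, ancount: int) -> bytes:
    """Constructed DNS reply: header, one question, at most one A record."""
    header = struct.pack("!6H", 0x1234, flags, 1, ancount, 0, 0)
    question = QNAME + struct.pack("!2H", 1, 1)
    answer = b""
    if ancount:
        answer = (b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4)
                  + bytes([192, 0, 2, 10]))
    return header + question + answer


HEALTHY = dns_response(0x8180, 1)    # NOERROR, one answer
SERVFAIL = dns_response(0x8182, 0)   # RCODE 2, no answer

# Loose script: "0001" anywhere in the reply. QDCOUNT and QTYPE also hold 0001.
LOOSE = BinaryExpect(bexpect="0001")
# Tight script: flags 8180, QDCOUNT 0001, ANCOUNT 0001 in bytes 2-7 only.
TIGHT = BinaryExpect(bexpect="8180", nexpect=["0001", "0001"],
                     offset=2, depth=6, wait_ms=1000)


def evaluate() -> dict:
    return {
        "loose_servfail": LOOSE.passes(SERVFAIL, 10),   # false pass
        "tight_healthy": TIGHT.passes(HEALTHY, 10),
        "tight_servfail": TIGHT.passes(SERVFAIL, 10),
        "tight_late": TIGHT.passes(HEALTHY, 1500),      # outside the wait window
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:15} {'pass' if result else 'fail'}")
```

The loose pattern passes the SERVFAIL reply because the same two bytes appear in the question count, which is why the window and a pattern covering the status field matter.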

cur
Lists the current script configuration.

/cfg/slb/advhc/snmphc
SNMP Health Check Configuration

[SNMP Health Check 1 Menu]
     oid      - OID to be sent in the SNMP request packet
     comm     - Community string used in the SNMP request packet
     rcvcnt   - Expected value in the SNMP response packet
     invert   - Enable/disable inversion of expected value
     weight   - Enable/disable readjusting of weights based on response
     del      - Delete SNMP health check
     cur      - Display current SNMP health check configuration

Table 7-49 SNMP Health Check Menu Options (/cfg/slb/adv/snmphc)

Command Syntax and Usage

oid <object identifier, such as, 1.3.6.1.2.1.1.1.0 max 30 sub-identifiers>
Specify the Object Identifier (OID) to be sent in the SNMP GET request packet. The format of the OID depends on the MIB file; for example, an OID is of the form 1.3.6.1.4.1.1872.2.5.7.11.

comm <community string, maximum 32 characters>
Enter the community string used in the SNMP GET request packet. The default community string is public.

rcvcnt <expected content an integer value or a string>
Enter the content the switch expects to receive from the SNMP agent on the real server.

invert disable|enable
Enables or disables the inversion of the expected value. When the invert option is enabled, the health check fails if the response packet contains the value specified in the receive content (rcvcnt) field.

weight disable|enable
When enabled, the real server weights are dynamically adjusted based on SNMP health check response.

del
Deletes the current SNMP health check.

cur
Displays the current SNMP Health Check configuration.

/cfg/slb/advhc/waphc
WAP Health Check Configuration

Wireless Session Protocol (WSP) is used within the Wireless Application Protocol (WAP) suite to manage sessions between wireless devices and WAP content servers or WAP gateways. The Nortel Application Switch Operating System provides a content-based health check mechanism where customized WSP packets are sent to the WAP gateways, and the switch verifies the expected response, in a manner similar to scriptable health checks.

WSP content health checks can be configured in two modes: connectionless and connection-oriented. Connectionless WSP runs on UDP/IP protocol, ports 9200 and 9202, and connection-oriented (WTP) traffic runs on ports 9201 and 9203. Application switches can be used to load balance the gateways in both modes of operation.

The Nortel Application Switch Operating System allows you to configure three WAP gateway health check types for all four WAP services (WSP, WTP+WSP, WTLS+WSP, WTLS+WTP+WSP), deployed on WAP gateways/servers. For further details, refer to the Application Guide.

[WAP Health Check Menu]
     wspcnt   - WSP Health Check Content Menu
     wtpcnt   - WTP+WSP Health Check Content Menu
     wspport  - WSP port number to health check
     wtpport  - WTP port number to health check
     wtlswsp  - WTLS+WSP port number to health check
     wtlsprt  - WTLS port number to health check
     couple   - Enable/disable coupling with RADIUS Accounting Service
     cur      - Display current WAP health check configuration

Table 7-50 WAP Health Check Menu Options (/cfg/slb/adv/waphc)

Command Syntax and Usage

wspcnt
Displays WSP Health Check Content Menu. To view menu options, see page 494.

wtpcnt
Displays WTP and WSP Health Check Content Menu. To view menu options, see page 495.

wspport <wsp port number to health check (0-65534)>
Enter the port number on which WSP health checks will be performed. The default port number is 9200.

wtpport <wtp port number to health check (0-65534)>
Defines the WTP port number to health check. The default port number is 9201.

wtlswsp <wtls+wsp port number to health check (0-65534)>
Defines the WTLS (Wireless Transport Layer Security) and WSP port number to health check. The connectionless encrypted WTLS traffic uses default port 9202.

wtlsprt <port number (0-65534)>
Enter the port number on which WTLS health checks will be performed. The connection-oriented WTLS traffic uses default port 9203.

couple disable|enable
Enables or disables coupling together of all the four WAP services (WSP, WTP+WSP, WTLS+WSP, WTLS+WTP+WSP) with Radius Accounting Service. If the health check to any one of the four WAP services or Radius Accounting Service fails, then all of the four WAP services and Radius Accounting Service are disabled.

cur
Displays the current WAP Health Check configuration.

/cfg/slb/advhc/waphc/wspcnt
WSP Content Health Check

[WSP Health Check Content Menu]
     offset   - Offset in received WSP packet
     sndcnt   - Content to be sent to the WAP gateway
     rcvcnt   - Content to be received from the WAP gateway
     cur      - Display current WSP health check content configuration

Table 7-51 WSP Content Health Check Options (/cfg/slb/advhc/waphc/wspcnt)

Command Syntax and Usage

offset <Offset in the received WSP packet (0-512)>
Enter the offset into the content of the received WSP packets. An offset value of 0 (default) sets the switch to start comparisons from the beginning of the content of the received packet.

sndcnt <send content as hexadecimal string>
Enter a hexadecimal string that represents a connectionless WSP request to a WSP gateway. This string will be delivered to the WSP gateway.

rcvcnt <receive content as hexadecimal string>
Enter a hexadecimal string that represents the content that the switch expects to receive from the WSP gateway.

cur
Displays the current WAP Health Check configuration.

/cfg/slb/advhc/waphc/wtpcnt
WTP and WSP Content Health Check Menu

This menu is used for configuring the health check for connection-oriented unencrypted WAP traffic.

[WTP+WSP Health Check Content Menu]
     offset   - Offset in received WSP PDU
     connect  - CONNECT PDU to be sent to the WAP gateway
     sndcnt   - GET PDU to be sent to the WAP gateway
     rcvcnt   - REPLY PDU to be received from the WAP gateway
     cur      - Display current WTP+WSP health check content configuration

Table 7-52 WTP and WSP Content Health Check Menu Options (/cfg/slb/advhc/waphc/wtpcnt)

Command Syntax and Usage

offset <offset in the received WSP PDU>
Enter the offset into the content of the received WSP packets. The offset value is the number of bytes from the beginning of the WSP PDU at which the comparison with the expected receive content begins. An offset value of 0 (default) sets the switch to start comparisons from the beginning of the WSP PDU of the received packet.

connect <connect content as hexstring>
Enter the content for the first switch-generated WSP session packet. This command allows you to customize the headers in the connect message.

sndcnt <send content as hexadecimal string>
Enter a hexadecimal string that represents a WSP request to a WSP gateway. This string will be delivered to the WSP gateway.

rcvcnt <receive content as a hexadecimal string>
Enter a hexadecimal string that represents the content that the switch expects to receive from the WSP gateway.

cur
Displays current WTP+WSP health check content configuration.

/cfg/slb/pip
Proxy IP Address Configuration Menu

You need to enable proxy IP address processing on the port to use this command. You can configure multiple proxy IP addresses based on either port or VLAN.

You can configure up to 1024 proxy IP addresses on a per switch basis.

[Proxy IP Address Menu]
     type     - Set base type of Proxy IP address
     add      - Add port or VLAN to Proxy IP address
     rem      - Remove port or VLAN from Proxy IP address
     cur      - Display current Proxy IP address configuration

Table 7-53 Proxy IP Address Configuration Menu Options (/cfg/slb/pip)

Command Syntax and Usage

type <port|vlan>
Defines the base type of the proxy IP address, whether it is port-based or VLAN-based.

add <IP address> <port number|vlan number>|<port number-port number|vlan number-vlan number>
Allows you to add either a port or a VLAN to a proxy IP address.

rem <<PIP ID> <port#|vlan#>|<port#-port#|vlan#-vlan#>>
Allows you to remove a port or a VLAN from a proxy IP address. This command also allows you to remove all ports or VLANs assigned to any proxy IP address.

cur
Displays the current Proxy IP address configuration.

/cfg/slb/peerpip
SLB Peer Proxy IP Address Menu

When this command is enabled, the switch is able to forward traffic from the other switch, using Layer 2, without performing server processing on the packets of the other switch. This happens because the peer switches are aware of each other’s proxy IP addresses. This prevents a packet from being dropped or sent to the backup switch in the absence of the proxy IP address of the peer switch.

[Peer Proxy IP Address Menu]
     add      - Add peer Proxy IP address
     rem      - Rem peer Proxy IP address
     cur      - Display current peer Proxy IP address configuration

Table 7-54 Peer Proxy IP Address Menu Options (/cfg/slb/peerpip)

Command Syntax and Usage

add <IP address>
Allows you to add a proxy IP address to the server load balancing peer.

rem <IP address>
Allows you to remove a proxy IP address from the server load balancing peer.

cur
Displays the current proxy address configuration of the peer.

/cfg/slb/wlm
WorkLoad Management Menu

[Workload Manager 1 Menu]
     addr     - Set IP address for Workload Manager
     port     - Set port for Workload Manager
     del      - Delete Workload Manager
     cur      - Display current Workload Manager configuration

Table 7-55 Workload Manager Menu Options

Command Syntax and Usage

addr <IP_address>
    Set the IP address for the Workload Manager.

port <TCP_port>
    Set the port number for the Workload Manager.

del
    Delete the Workload Manager.

cur
    Shows all Workload Manager statistics. For example:

    Current Workload Manager 1:
    IP address      Port
    0.0.0.0         0


CHAPTER 8
The Operations Menu

The Operations Menu is generally used for commands that affect switch performance immediately, but do not alter permanent switch configurations. For example, you can use the Operations Menu to immediately disable a port (without the need to apply or save the change), with the understanding that when the switch is reset, the port returns to its normally configured operation.

/oper
Operations Menu

The commands of the Operations Menu enable you to alter switch operational characteristics without affecting switch configuration.

Port Mirroring menu options are accessible only to the Nortel Application Switch AD4 and Nortel Application Switch 184 Web Switches.

[Operations Menu]
     port     - Operational Port Menu
     slb      - Operational Server Load Balancing Menu
     vrrp     - Operational Virtual Router Redundancy Menu
     bwm      - Operational Bandwidth Management Menu
     security - Operational Security Menu
     ip       - Operational IP Menu
     swkey    - Enter key to enable software feature
     rmkey    - Enter software feature to be removed
     passwd   - Change current user password
     clrlog   - Clear syslog messages
     displog  - Turn on/off display syslog msgs to telnet/ssh sessions
     defalias - Set default port alias
     ntpreq   - Send NTP request


Table 8-1 Operations Menu Options (/oper)

Command Syntax and Usage

port <port number>
    Displays the Operational Port Menu. To view menu options, see page 501.

slb
    Displays the Operational Layer 4 Menu. To view menu options, see page 502.

vrrp
    Displays the Operational Virtual Router Redundancy Menu. To view menu options, see page 505.

bwm
    Displays the Operational Bandwidth Management Menu. To view menu options, see page 505.

security
    Go to the Operational Security menu. To view menu options, see page 506.

ip
    Displays the IP Operations Menu, which has one sub-menu/option, the Operational Border Gateway Protocol Menu. To view menu options, see page 505.

swkey <16-hexadecimal digit key to enable software feature>
    Sets key to enable software feature. For details, see page 509.

rmkey <software feature to be removed (GSL|BWM|Security)>
    Defines software feature to be removed. For details, see page 510.

passwd <15 char max>
    Allows the user to change the password. You need to enter the current password in use for validation.

clrlog
    Clears all syslog messages.

displog on|off
    Turns the display of syslog messages in Telnet/SSH sessions on or off.

defalias
    Set the default port alias.

ntpreq
    Allows the user to send requests to the NTP server.


/oper/port <port number>
Operations-Level Port Options

Operations-level port options are used for temporarily disabling or enabling a port, and for changing Remote Monitoring (RMON) status on a port.

[Operations Port 1 Menu]
     rmon     - Enable/Disable RMON for port
     ena      - Enable port
     dis      - Disable port
     cur      - Current port state

Table 8-2 Operations-Level Port Menu Options (/oper/port)

Command Syntax and Usage

rmon disable|enable
    Temporarily enables/disables Remote Monitoring on the port. The port will be returned to its configured operation mode when the switch is reset.

ena
    Temporarily enables the port. The port will be returned to its configured operation mode when the switch is reset.

dis
    Temporarily disables the port. The port will be returned to its configured operation mode when the switch is reset.

cur
    Displays the current settings for the port.


/oper/slb
Operations-Level SLB Options

When the optional Layer 4 software is enabled, the operations-level Server Load Balancing options are used for temporarily disabling or enabling real servers and synchronizing the configuration between the active/active switches.

[Server Load Balancing Operations Menu]
     group    - Real Server Group Menu
     gslb     - Global SLB Operations Menu
     sync     - Synchronize SLB, VRRP and other configurations on peers
     ena      - Enable real server
     dis      - Disable real server
     sessdel  - Delete session table entry
     clear    - Clear session table
     cur      - Current layer 4 operational state

Table 8-3 Server Load Balancing Operations Menu Options (/oper/slb)

Command Syntax and Usage

group <real server group number (1-1024)>
    Displays the Real Server Group Menu. To view menu options, see page 503.

gslb
    Displays Global SLB Operations Menu. To view menu options, see page 504.

sync
    Synchronizes the SLB, filter, VRRP, port, Bandwidth Management configuration, and VR priorities on a peer switch (a switch that owns the IP address). To take effect, peers must be configured on the Nortel Application Switch and the administrator password on the switch must be identical.

ena <real server number (1-1023)>
    Temporarily enables a real server. The real server will be returned to its configured operation mode when the switch is reset.

dis <real server number, 1-1023> [P - allow persistent http 1.0 sessions] p|n
    The disable command is used to temporarily disable real servers as follows:

    Using the p (persistent) option—immediately suspends assignment of connections to the specified real server (except for persistent http 1.0 sessions) by removing the real server from operation within its real server group and virtual server

    Using the n (none) option—immediately suspends assignment of connections to the specified real server by removing the real server from operation within its real server group and virtual server

    The real server will be returned to its configured state after a switch reset.

    NOTE – This command provides for orderly server shutdown to allow maintenance on a server. For more information, see “Disabling and Enabling Real Servers” in the Nortel Application Switch Operating System 23.0.2 Application Guide.

sessdel
    Delete session table entry.

clear
    Clears all session tables and allows port filter changes to take effect immediately.

    NOTE – This command disrupts current SLB and Application Redirection sessions.

cur
    Displays the current SLB operational state.

/oper/slb/group
Real Server Group Operations

[Real server group 1 Menu]
     ena      - Enable real server in this group
     dis      - Disable real server in this group
     cur      - Current server group operational state

Table 8-4 Real Server Group Operations Options (oper/slb/group)

Command Syntax and Usage

ena <real server number (1-1023)>
    Enables real server in this group.

dis <real server number (1-1023)>
    Disables real server in this group.

cur
    Displays current operational state of the server group.

/oper/slb/gslb
Global SLB Operations Menu

[Global SLB Operations Menu]
     query    - Query Global SLB selection
     add      - Add entry to Global SLB DNS persistence cache
     arem     - Remove all entries Global SLB DNS persistence cache

Table 8-5 Global SLB Operations Menu Options (/oper/slb/gslb)

Command Syntax and Usage

query
    Allows you to query the Global site selection.

add
    Add an entry to the Global SLB DNS persistence cache.

arem
    Remove all entries from the Global SLB DNS persistence cache.


/oper/vrrp
Operations-Level VRRP Options

[VRRP Operations Menu]
     back     - Set virtual router to backup

Table 8-6 Virtual Router Redundancy Operations Menu Options (/oper/vrrp)

Command Syntax and Usage

back <virtual router number (1-1024)>
    Forces the specified master virtual router on this switch into backup mode. This is generally used for passing master control back to a preferred switch once the preferred switch has been returned to service after a failure. When this command is executed, the current master gives up control and initiates a new election by temporarily advertising its own priority level as 0 (lowest). After the new election, the virtual router forced into backup mode by this command will resume master control in the following cases:

    This switch owns the virtual router (the IP addresses of the virtual router and its IP interface are the same).

    This switch’s virtual router has a higher priority and preemption is enabled.

    There are no other virtual routers available to take master control.

/oper/bwm
Operations-Level Bandwidth Management Options

[Bandwidth Management Operations Menu]
     sndhist  - Send BW History to SMTP server
     clear    - Clear BWM IP user entry table

Table 8-7 Bandwidth Operations Menu Options (/oper/bwm/sndhist)

Command Syntax and Usage

sndhist
    Sends the bandwidth history to a system administrator specified under /cfg/bwm/user (see page 316).

clear
    Clear the BWM IP user entry table.


/oper/security
Security Menu

[Security Menu]
     ipacl    - IP ACL Operations Menu

Table 8-8 Security Menu Options

Command Syntax and Usage

ipacl
    Go to the IP ACL Operation menu. To view menu options, see page 506.

/oper/security/ipacl
IP ACL Operations Menu

[IP ACL Operations Menu]
     add      - Add operations source IP Address/Mask
     rem      - Remove operations source IP Address/Mask
     arem     - Remove all operations source IP Address/Mask
     dadd     - Add operations destination IP Address/Mask
     drem     - Remove operations destination IP Address/Mask
     darem    - Remove all operations destination IP Address/Mask
     cfg      - Display configuration IP Address/Mask
     bogon    - Display bogon IP Address/Mask
     oper     - Display operations IP Address/Mask
     cur      - Display all IP Address/Mask

Table 8-9 IP ACL Operations Menu Options

Command Syntax and Usage

add <IP address> <IP subnet mask> <timeout in minutes, 1-10080>
    Add the operations source IP mask.

rem <IP address> <IP subnet mask>
    Remove the operations source IP mask.

arem
    Remove all operations source IP addresses and Masks.

dadd <IP address> <IP subnet mask> <timeout in minutes, 1-10080>
    Add an operations destination IP address and Mask.

drem <IP address> <IP subnet mask>
    Remove an operations destination IP address and Mask.

darem
    Remove all of the operations destination IP addresses and Masks.

cfg
    Display all configuration IP addresses and Masks. For example:

    Current configuration IP ACL settings:
      0 configuration source IP ACL.
      0 configuration destination IP ACL.

bogon
    Display bogon IP address and Mask. For example:

    >> IP ACL Operations# bogon
    Current bogon IP ACL settings:
      0 bogon source IP ACL.

oper
    Display operations IP addresses and Masks. For example:

    Current operations IP ACL settings:
      0 operations source IP ACL.
      0 operations destination IP ACL.

cur
    Display all IP addresses and Masks. For example:

    Current total IP ACL settings:
      0 total source IP ACL.
      0 total destination IP ACL.

    Current configuration IP ACL settings:
      0 configuration source IP ACL.
      0 configuration destination IP ACL.

    Current bogon IP ACL settings:
      0 bogon source IP ACL.
      Use "bogon" command to display.

    Current operations IP ACL settings:
      0 operations source IP ACL.
      0 operations destination IP ACL.


/oper/ip
Operations-Level IP Options

[IP Operations Menu]
     bgp      - Operational Border Gateway Protocol Menu
     garp     - Send gratuitous arp

Table 8-10 IP Operations Menu Options (/oper/ip)

Command Syntax and Usage

bgp
    Displays the Border Gateway Protocol Operations Menu. To view the menu options see page 508.

garp <IP address> <Vlan number>
    Send gratuitous arp.

/oper/ip/bgp
Operations-Level BGP Options

[Border Gateway Protocol Operations Menu]
     start    - Start peer session
     stop     - Stop peer session
     cur      - Current BGP operational state

Table 8-11 IP Operations Menu Options (/oper/ip)

Command Syntax and Usage

start <peer number (1-16)>
    Starts the peer session.

stop <peer number (1-16)>
    Stops the peer session.

cur
    Displays the current BGP operational state.


/oper/swkey
Activating Optional Software

The swkey option is used for activating any optional software you have purchased for your switch.

Before you can activate optional software, you must obtain a software license from your Nortel Networks representative or authorized reseller. One software license is needed for each switch where the optional software is to be used. You will receive a License Certificate for each software license purchased.

Currently the following software packages are available for purchase and installation:

Security Pack

Bandwidth Management

Global Server Load Balancing

To obtain a software key, you must register each License Certificate with Nortel Networks and provide the MAC address of the Nortel Application Switch Operating System switch that will run the optional software. Nortel Networks will then provide a License Password.

NOTE – Each License Password will work only on the specific switch which has the MAC address you provided when registering your License Certificate.

Once you have your License Password, perform the following actions:

1. Connect to the switch’s command line interface and log in as the administrator (see Chapter 1, “The Command Line Interface”).

2. At the Main# prompt, enter:

    Main# oper

3. At the Operations# prompt, enter:

    Operations# swkey

4. When prompted, enter your 16-digit software key code. For example:

    Enter Software Key: <16 hexadecimal-digit key to enable software feature (such as, 123456789ABCDEF)>

If the correct code is entered, you will see the following message:

    Valid software key entered.
    Software feature enabled.

/oper/rmkey
Removing Optional Software

The rmkey option is used for deactivating any optional software. Deactivated software is still present in switch memory and can be reactivated at any later time.

To review the deactivation options, enter the following at the Operations Menu:

    >> Operations# ? rmk
    Usage: rmkey <software feature to be removed (GSLB||BWM|Security|Linklb|ITM)>

To deactivate optional software, enter the following at the Operations Menu:

    Operations# rmkey

When prompted, enter the code for software to be removed. For example:

    Enter Software Feature to be removed:[GSLB]|BWM|Security: GSLB


CHAPTER 9
The Boot Options Menu

To use the Boot Options Menu, you must be logged in to the switch as the administrator. The Boot Options Menu provides options for:

Selecting a switch software image to be used when the switch is next reset

Selecting a configuration block to be used when the switch is next reset

Downloading or uploading a new software image to the switch via TFTP

/boot
Boot Menu

Each of these options is discussed in greater detail in the following sections.

[Boot Options Menu]
     sched    - Scheduled Switch Reset Menu
     image    - Select software image to use on next boot
     conf     - Select config block to use on next boot
     gtimg    - Download new software image via TFTP
     ptimg    - Upload selected software image via TFTP
     reset    - Reset switch [WARNING: Restarts Spanning Tree]
     cur      - Display current boot options

Scheduled Reboot of the Switch

This feature allows the switch administrator to schedule a reboot to occur at a particular time in the future. This feature is particularly helpful if the user needs to perform switch upgrades during off-peak hours. You can set the reboot time, cancel a previously scheduled reboot, and check the time of the currently set reboot schedule with the help of the following sub-menu:

/boot/sched
Scheduled Reboot Menu

[Boot Schedule Menu]
     set      - Set switch reset time
     cancel   - Cancel pending switch reset
     cur      - Display current switch reset schedule

The cur option displays the current scheduled reboot time. For example:

    >> Boot Schedule# cur
    Currently scheduled reboot time: none

Updating the Switch Software Image

The switch software image is the executable code running on the Nortel Application Switch. A version of the image ships with the switch, and comes pre-installed on the device. As new versions of the image are released, you can upgrade the software running on your switch.

Upgrading the software image on your switch requires the following:

Loading the new image onto a TFTP server on your network

Downloading the new image from the TFTP server to your switch

Selecting the new software image to be loaded into switch memory the next time the switch is reset


Downloading New Software to Your Switch

The switch can store up to two different software images, called image1 and image2, as well as boot software, called boot. When you download new software, you must specify where it should be placed: either into image1, image2, or boot.

For example, if your active image is currently loaded into image1, you would probably load the new image software into image2. This lets you test the new software and reload the original active image (stored in image1), if needed.

To download new software to your switch, you will need the following:

The image or boot software loaded on a TFTP server on your network

The hostname or IP address of the TFTP server

The name of the new software image or boot file

Set up the TFTP option (/cfg/sys/mgmt/tftp) for the TFTP connection. This sets the default option for the gtimg and ptimg commands. However, note that you can override this setting with the option provided to these operational commands.

NOTE – The DNS parameters must be configured if specifying hostnames. See “Domain Name System Configuration Menu” on page 379.

When the above requirements are met, use the following procedure to download the new software to your switch.

1. At the Boot Options# prompt, enter:

    Boot Options# gtimg

2. Enter the name of the switch software to be replaced:

    Enter name of switch software image to be replaced
    ["image1"/"image2"/"boot"]: <image>

3. Enter the hostname or IP address of the TFTP server.

    Enter hostname or IP address of TFTP server: <server name or IP address>

4. Enter the name of the new software file on the server.

    Enter name of file on TFTP server: <filename>

   The exact form of the name will vary by TFTP server. However, the file location is normally relative to the TFTP directory (usually /tftpboot).

5. The system prompts you to confirm your request.

   You should next select a software image to run, as described below.

Selecting a Software Image to Run

You can select which software image (image1 or image2) you want to run in switch memory for the next reboot.

1. At the Boot Options# prompt, enter:

    Boot Options# image

2. Enter the name of the image you want the switch to use upon the next boot.

   The system informs you of which image is currently set to be loaded at the next reset, and prompts you to enter a new choice:

    Currently set to use switch software "image1" on next reset.
    Specify new image to use on next reset ["image1"/"image2"]:

Uploading a Software Image from Your Switch

You can upload a software image from the switch to a TFTP server.

1. At the Boot Options# prompt, enter:

    Boot Options# ptimg

2. The system prompts you for information. Enter the desired image:

    Enter name of switch software image to be uploaded
    ["image1"|"image2"|"boot"]: <image> <hostname or server-IP-addr> <server-file-name>

3. Enter the name or the IP address of the TFTP server:

    Enter hostname or IP address of TFTP server: <server name or IP address>

4. Enter the name of the file into which the image will be uploaded on the TFTP server:

    Enter name of file on TFTP server: <filename>

5. The system then requests confirmation of what you have entered. To have the file uploaded, enter Y.

    image2 currently contains Software Version 20.2.0.7
    Upload will transfer image2 (1889411 bytes) to file "test" on TFTP server 192.1.1.1.
    Confirm upload operation [y/n]: y

Selecting a Configuration Block

When you make configuration changes to the Nortel Application Switch, you must save the changes so that they are retained beyond the next time the switch is reset. When you perform the save command, your new configuration changes are placed in the active configuration block. The previous configuration is copied into the backup configuration block.

There is also a factory configuration block. This holds the default configuration set by the factory when your Nortel Application Switch was manufactured. Under certain circumstances, it may be desirable to reset the switch configuration to the default. This can be useful when a custom-configured Nortel Application Switch is moved to a network environment where it will be reconfigured for a different purpose.

Use the following procedure to set which configuration block you want the switch to load the next time it is reset:

1. At the Boot Options# prompt, enter:

    Boot Options# conf

2. Enter the name of the configuration block you want the switch to use:

   The system informs you of which configuration block is currently set to be loaded at the next reset, and prompts you to enter a new choice:

    Currently set to use active configuration block on next reset.
    Specify new block to use ["active"/"backup"/"factory"]:


Resetting the Switch

You can reset the switch to make your software image file and configuration block changes take effect.

NOTE – Resetting the switch causes the Spanning Tree Protocol to restart. This process can be lengthy, depending on the topology of your network.

To reset the switch, at the Boot Options# prompt, enter:

    >> Boot Options# reset

You are prompted to confirm your request.


CHAPTER 10
The Maintenance Menu

The Maintenance Menu is used to manage dump information and forward database information. It also includes a debugging menu to help with troubleshooting.

/maint
Maintenance Menu

NOTE – To use the Maintenance Menu, you must be logged in to the switch as the administrator.

[Maintenance Menu]
     sys      - System Maintenance Menu
     fdb      - Forwarding Database Manipulation Menu
     arp      - ARP Cache Manipulation Menu
     route    - IP Route Manipulation Menu
     ip6      - IP6 Manipulation Menu
     debug    - Debugging Menu
     uudmp    - Uuencode FLASH dump
     ptdmp    - Upload FLASH dump via FTP/TFTP
     cldmp    - Clear FLASH dump
     lsdmp    - List FLASH dump
     panic    - Dump state information to FLASH and reboot
     tsdmp    - Tech support dump
     pttsdmp  - Upload tech support dump via FTP/TFTP
     sslrst   - Reset SSL card

Dump information contains internal switch state data that is written to flash memory on the Nortel Application Switch after any one of the following occurs:

The switch administrator forces a switch panic. The panic option, found in the Maintenance Menu, causes the switch to dump state information to flash memory, and then causes the switch to reboot.

The switch administrator enters the switch reset key combination on a device that is attached to the console port. The switch reset key combination is <Shift><Ctrl><->.

The watchdog timer forces a switch reset. The purpose of the watchdog timer is to reboot the switch if the switch software freezes.

The switch detects a hardware or software problem that requires a reboot.

Table 10-1 Maintenance Menu Options (/maint)

Command Syntax and Usage

sys
    Displays the System Maintenance Menu. To view menu options, see page 522.

fdb
    Displays the Forwarding Database Manipulation Menu. To view menu options, see page 522.

arp
    Displays the ARP Cache Manipulation Menu. To view menu options, see page 523.

route
    Displays the IP Route Manipulation Menu. To view menu options, see page 525.

ip6
    Displays the IPv6 Manipulation Menu. To view menu options, see page 526.

debug
    Displays the Debugging Menu. To view menu options, see page 527.

uudmp
    Displays dump information in uuencoded format. For details, see page 528.

ptdmp hostname filename [-mgmt| -data]
    Saves the system dump information using TFTP. For details, see page 529.

cldmp
    Clears dump information from flash memory. For details, see page 529.

lsdmp
    Displays the flash dump list. For details, see page 530.

panic
    Dumps MP information to FLASH and reboots. For details, see page 530.

tsdmp
    Dumps all Nortel Application Switch information, statistics, and configuration. You can log the tsdump output into a file, and send it to Nortel Networks Tech Support for debugging purposes. For details, see page 531.

pttsdmp <hostname> <filename> <-tftp|username password> [-mgmt|-data]
    Upload tech support dump using FTP/TFTP. For details, see page 531.

sslrst
    Reset the SSL card. For details, see page 531.


/maint/sys
System Maintenance Options

This menu is reserved for use by Nortel Networks Customer Support group. The options are used to perform system debugging.

[System Maintenance Menu]
     flags    - Set NVRAM flag word
     sfpinfo  - Show SFP information

Table 10-2 System Maintenance Menu Options (/maint/sys)

Command Syntax and Usage

flags <new NVRAM flags word as 0xXXXXXXXX>
    This command sets the flags that are used for debugging purposes by Tech support group.

sfpinfo <port_number>
    Show the SFP information. For example:

    >> System Maintenance# sfpinfo 1
    Probing SFP on port 1 - please wait
    Invalid: Port 1 does not support SFP's

/maint/fdb
Forwarding Database Options

The Forwarding Database Manipulation Menu can be used to view information and to delete a MAC address from the forwarding database or clear the entire forwarding database. This is helpful in identifying problems associated with MAC address learning and packet forwarding decisions.

[FDB Manipulation Menu]
     find     - Show a single FDB entry by MAC address
     port     - Show FDB entries for a single port
     trunk    - Show FDB entries on a single trunk
     vlan     - Show FDB entries for a single VLAN
     refpt    - Show FDB entries referenced by a single port
     dump     - Show all FDB entries
     del      - Delete an FDB entry
     clear    - Clear entire FDB

Table 10-3 FDB Manipulation Menu Options (/maint/fdb)

Command Syntax and Usage

find <MAC address> [<VLAN>]
    Displays a single database entry by its MAC address. You are prompted to enter the MAC address of the device. Enter the MAC address using the xx:xx:xx:xx:xx:xx format (such as 08:00:20:12:34:56) or xxxxxxxxxxxx format (such as 080020123456).

port <port number, 0 for unknown>
    Displays all FDB entries for a particular port. Use “0” for unknown port number.

trunk <trunk number (1-12)>
    Displays all FDB entries for the specified trunk group.

vlan <VLAN number (1-4090)>
    Displays all FDB entries on a single VLAN.

refpt <SP number (1-4)>
    Displays all FDB entries referenced by a single port.

dump
    Displays all entries in the Forwarding Database. For details, see page 90.

del <MAC address> [<VLAN number>]
    Removes a single FDB entry.

clear
    Clears the entire Forwarding Database from switch memory.

/maint/arp
ARP Cache Options

[Address Resolution Protocol Menu]
     find     - Show a single ARP entry by IP address
     port     - Show ARP entries on a single port
     vlan     - Show ARP entries on a single VLAN
     refpt    - Show ARP entries referenced by a single SP
     dump     - Show all ARP entries
     clear    - Clear ARP cache
     addr     - Show ARP address list

NOTE – To display all ARP entries currently held in the switch, or a portion according to one of the options listed on the menu above (find, port, vlan, refpt, dump), you can also refer to “ARP Information” on page 112.

Table 10-4 Address Resolution Protocol Menu Options (/maint/arp)

Command Syntax and Usage

find <IP address (such as, 192.4.17.101)>
    Shows a single ARP entry by IP address.

port <port number>
    Displays ARP entries on a single port. See page 524 for a sample output.

vlan <VLAN number (1-4090)>
    Shows ARP entries on a single VLAN.

refpt <SP number (1-4)>
    Shows all ARP entries referenced by a single port.

dump
    Shows all ARP entries.

clear
    Clears the entire ARP list from switch memory.

addr
    Shows the list of IP addresses which the switch will respond to for ARP requests.

/maint/arp/port <port number>
ARP Entries on a Single Port

    IP address      Flags MAC address       VLAN Port  Referenced SPs
    --------------- ----- ----------------- ---- ----- ---------------
    47.80.16.1            00:e0:16:7c:28:82    1     1 empty
    47.80.16.81           00:e0:81:24:ef:3c    1     1 empty
    47.80.17.169          00:04:75:db:1c:1a    1     1 empty
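An added example, not part of the Nortel manual: a Python parser for the ARP table layout shown above, run over constructed captures, that reports a MAC address answering for more than one IP and IP-to-MAC bindings that changed between two captures. Both are worth reviewing when troubleshooting address conflicts or checking for ARP spoofing. The function names, the flag letter, the SP list in the last row and the second capture are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the column layout printed by /maint/arp/port.
# The Flags column is often blank, so rows cannot be split on whitespace alone.
# The "P" flag and "1-4" SP list in the last row are placeholders.
SAMPLE = """\
IP address      Flags MAC address       VLAN Port  Referenced SPs
--------------- ----- ----------------- ---- ----- ---------------
47.80.16.1            00:e0:16:7c:28:82    1     1 empty
47.80.16.81           00:e0:81:24:ef:3c    1     1 empty
47.80.17.169          00:04:75:db:1c:1a    1     1 empty
47.80.17.170    P     00:04:75:db:1c:1a    1     2 1-4
"""

# A second constructed capture in which one IP has moved to another MAC.
LATER = SAMPLE.replace("00:e0:16:7c:28:82", "00:0c:29:aa:bb:cc")

# The MAC address is the anchor: anything between the IP and the MAC is Flags.
ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?:(?P<flags>\S+)\s+)?"
    r"(?P<mac>[0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\s+"
    r"(?P<vlan>\d+)\s+(?P<port>\d+)(?:\s+(?P<sps>.*))?$"
)


def parse_arp_table(text):
    """Return (entries, skipped): parsed rows and lines that did not parse."""
    entries, skipped = [], []
    for line in text.splitlines():
        line = line.strip()
        # Ignore blanks, the column header, the dashed rule and CLI prompts.
        if not line or line.startswith(("IP address", "-", ">>")):
            continue
        m = ROW.match(line)
        if m:
            try:
                ipaddress.ip_address(m["ip"])  # reject 999.1.1.1 and similar
            except ValueError:
                m = None
        if not m:
            skipped.append(line)  # keep unparsed lines visible to the caller
            continue
        entries.append({
            "ip": m["ip"],
            "flags": m["flags"] or "",
            "mac": m["mac"].lower(),
            "vlan": int(m["vlan"]),
            "port": int(m["port"]),
            "sps": (m["sps"] or "").strip(),
        })
    return entries, skipped


def macs_with_multiple_ips(entries):
    """Map each MAC that answers for several IPs to its sorted IP list.

    Routers, proxy-ARP hosts and multi-homed servers do this legitimately,
    so treat the result as a list of leads, not verdicts.
    """
    by_mac = defaultdict(set)
    for e in entries:
        by_mac[e["mac"]].add(e["ip"])
    return {mac: sorted(ips, key=ipaddress.ip_address)
            for mac, ips in by_mac.items() if len(ips) > 1}


def binding_changes(before, after):
    """List (ip, old_mac, new_mac) for IPs whose MAC differs between captures."""
    old = {e["ip"]: e["mac"] for e in before}
    return [(e["ip"], old[e["ip"]], e["mac"])
            for e in after
            if e["ip"] in old and old[e["ip"]] != e["mac"]]


if __name__ == "__main__":
    first, unparsed = parse_arp_table(SAMPLE)
    second, _ = parse_arp_table(LATER)
    print("unparsed lines:", unparsed)
    print("shared MACs:", macs_with_multiple_ips(first))
    print("changed bindings:", binding_changes(first, second))
```

Lines that do not fit the layout are returned in the second list instead of being dropped, so a change in the output format shows up as unparsed rows.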


/maint/route
IP Route Manipulation

[IP Routing Menu]
     find     - Show a single route by destination IP address
     gw       - Show routes to a single gateway
     type     - Show routes of a single type
     tag      - Show routes of a single tag
     if       - Show routes on a single interface
     dump     - Show all routes
     clear    - Clear route table

NOTE – To display all routes, you can also refer to “IP Routing Information” on page 108.

Table 10-5 IP Route Manipulation Menu Options (/maint/route)

Command Syntax and Usage

find <IP4 address (eg, 192.4.17.101)> | <IP6 address (eg, 3001:0:0:0:0:0:abcd:1234)>
    Shows a single route by destination IP address.

gw <default gateway IP4 address (eg, 192.4.17.44)> <default gateway IP6 address (eg, 3001:0:0:0:0:0:abcd:1234)>
    Shows routes to a default gateway.

type indirect|direct|local|broadcast|martian|multicast
    Shows routes of a single type. For a description of IP routing types, see Table 4-19 on page 109.

tag fixed|static|addr|rip|ospf|bgp|broadcast|martian|vip
    Shows routes of a single tag. For a description of IP routing tags, see Table 4-20 on page 109.

if <interface number (1-255)>
    Shows routes on a single interface.

dump
    Shows all routes.

clear
    Clears the route table from switch memory.

Page 526: Nortel Commands

/maint/ip6
IPv6 Manipulation Menu

[IP6 Menu]
    nbrcache - Neighbor Cache Manipulation Menu

Table 10-6 IPv6 Manipulation Menu Options

Command Syntax and Usage

nbrcache
    Opens the Neighbor Cache menu whose only option is the clear command. This command is used to clear the IPv6 Neighbor Cache table.

Page 527: Nortel Commands

/maint/debug
Debugging Options

The Miscellaneous Debug Menu displays trace buffer information about events that can be helpful in understanding switch operation. You can view the following information using the debug menu:

    Events traced by the Management Processor (MP)
    Events traced by the Switch Processor (SP)
    Events traced to a buffer area when a reset occurs

If the switch resets for any reason, the MP trace buffer and SP trace buffers are saved into the snap trace buffer area. The output from these commands can be interpreted by the Nortel Networks Customer Support division.

[Miscellaneous Debug Menu]
    tbuf     - Show MP trace buffer
    sptb     - Show SP trace buffer
    spall    - Show All SPs trace buffers
    clrcfg   - Clear all flash configs
    portmap  - Show port-SP-MAC mapping
    vmasp    - Show designated SP for IP address
    vmasp6   - Show designated SP for IP6 address

Table 10-7 Miscellaneous Debug Menu Options (/maint/debug)

Command Syntax and Usage

tbuf
    Displays the Management Processor trace buffer. Header information similar to the following is shown:

        MP trace buffer at 13:28:15 Fri May 25, 2001; mask: 0x2ffdf748

    The buffer information is displayed after the header.

sptb <port number (1-4)>
    Displays the Switch Processor trace buffer. Header information similar to the following is shown:

        SP 1 trace buffer at 10:56:35 Tue Jul 30, 2002; mask: 0x00800008

    The buffer information is displayed after the header.

spall
    Displays the Switch Processor trace buffer. Header information similar to the following is shown:

        SP 1 trace buffer at 10:56:35 Tue Jul 30, 2002; mask: 0x00800008.

    The buffer information is displayed after the header. Displays all SP trace buffers.

clrcfg
    Deletes all flash configuration blocks.

Page 528: Nortel Commands

Table 10-7 Miscellaneous Debug Menu Options (/maint/debug)

Command Syntax and Usage

portmap
    Show port to SP to MAC mapping.

vmasp <IP address>
    Displays the assigned SP (Switch Processor) for this IP address.

vmasp6 <IP_address>
    Show designated SP for IP6 address.

/maint/uudmp
Uuencode Flash Dump

Using this command, dump information is presented in uuencoded format. This format makes it easy to capture the dump information as a file or a string of characters. You can then contact Nortel Networks Customer Support for help analyzing the information.

If you want to capture dump information to a file, set your communication software on your workstation to capture session data prior to issuing the uudmp command. This will ensure that you do not lose any information. Once entered, the uudmp command will cause approximately 23,300 lines of data to be displayed on your screen and copied into the file.

Using the uudmp command, dump information can be read multiple times. The command does not cause the information to be updated or cleared from flash memory.

NOTE – Dump information is not cleared automatically. In order for any subsequent dump information to be written to flash memory, you must manually clear the dump region. For more information on clearing the dump region, see page 529.

To access dump information, at the Maintenance# prompt, enter:

    Maintenance# uudmp

The dump information is displayed on your screen and, if you have configured your communication software to do so, captured to a file. If there is a dump available, the system prompts as follows:

    >> Maintenance# uu
    Enter region to dump [main/bkp]: main
    Dumping main region:

    Use 'ptdmp' to extract panic dumps.
    Confirm proceed with large dump (15000 lines) [y/n]:

Page 529: Nortel Commands

If the dump region is empty, the following message appears:

    No FLASH dump available.

/maint/ptdmp <server> <filename>
System Dump Put

Use this command to put (save) the system dump to a TFTP or FTP server.

NOTE – If the TFTP or FTP server is running SunOS or the Solaris operating system, the specified ptdmp file must exist prior to executing the ptdmp command, and must be writable (set with proper permission, and not locked by any application). The contents of the specified file will be replaced with the current dump data.

To save dump information via TFTP or FTP, at the Maintenance# prompt, enter:

    Maintenance# ptdmp <hostname> <filename> <-tftp|username password> [-mgmt|-data]

Where server is the TFTP or FTP server IP address or hostname, and filename is the target dump file.

/maint/cldmp
Clearing Dump Information

To clear dump information from flash memory, at the Maintenance# prompt, enter:

    Maintenance# cldmp

The switch clears the dump region of flash memory and displays the following message:

    FLASH dump region cleared.

If the flash dump region is already clear, the switch displays the following message:

    FLASH dump region is already clear.
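Because cldmp discards the only copy held in flash, a captured uudmp session is worth validating before the region is cleared. The following is an added example, not part of the Nortel manual: it decodes the uuencoded block from a session capture and rejects captures that are cut short or interleaved with console messages. It assumes standard uuencode "begin"/"end" framing, which the manual does not show, and the capture it builds is constructed.

```python
import binascii
import hashlib
import re

# Assumption: the dump uses standard uuencode framing,
# "begin <mode> <name>" ... "end".
BEGIN_RE = re.compile(r"^begin [0-7]{3,4} (\S+)$")


def extract_uu_dump(capture):
    """Decode the uuencoded block found in a captured terminal session.

    Returns (name, payload). Raises ValueError when the block is missing,
    cut short, or mixed with other console output.
    """
    name = None
    chunks = []
    for lineno, line in enumerate(capture.splitlines(), start=1):
        if name is None:
            # Skip prompts and banners until the block starts.
            match = BEGIN_RE.match(line.strip())
            if match:
                name = match.group(1)
            continue
        if line.strip() == "end":
            return name, b"".join(chunks)
        if not line:
            continue  # blank lines added by the terminal carry no data
        try:
            chunks.append(binascii.a2b_uu(line.encode("ascii")))
        except (binascii.Error, UnicodeEncodeError) as exc:
            raise ValueError(
                f"line {lineno} is not uuencoded data: {line!r}"
            ) from exc
    if name is None:
        raise ValueError("no 'begin' line found in capture")
    raise ValueError("no 'end' line: the capture was cut short")


def fingerprint(payload):
    """SHA-256 of the decoded dump, for the incident record."""
    return hashlib.sha256(payload).hexdigest()


def build_constructed_capture(payload, name="flashdump"):
    """Build a constructed session log around payload (demonstration only)."""
    body = [
        binascii.b2a_uu(payload[i:i + 45]).decode("ascii").rstrip("\n")
        for i in range(0, len(payload), 45)
    ]
    lines = [">> Maintenance# uudmp", f"begin 644 {name}", *body,
             "`", "end", ">> Maintenance# "]
    return "\r\n".join(lines)


if __name__ == "__main__":
    sample = bytes(range(256)) * 4  # constructed stand-in for dump contents
    dump_name, data = extract_uu_dump(build_constructed_capture(sample))
    print(dump_name, len(data), fingerprint(data))
```

A console message such as the "NOTICE system: link up" line that the switch prints asynchronously fails the decode with its line number, which shows where the capture has to be repeated.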

Page 530: Nortel Commands

/maint/lsdmp

Use the /maint/lsdmp command to view dump statistics. For example:

    >> Maintenance# lsdmp
    The main dump was saved at 8:12:58 Fri Jun 3, 2005.
    A backup dump was saved at 14:47:31 Mon Jun 20, 2005.

/maint/panic
Panic Command

The panic command causes the switch to immediately dump state information to flash memory and automatically reboot.

To select panic, at the Maintenance# prompt, enter:

    >> Maintenance# panic
    A FLASH dump already exists.
    Confirm replacing existing dump and reboot [y/n]:

Enter y to confirm the command:

    Confirm dump and reboot [y/n]: y

The following messages are displayed:

    Loading Image:..........
    Alteon Application Switch 2424 Rebooted because of Software PANIC.
    Booting complete 19:15:23 Thu Jan 9, 2003:
    Version 20.2.7 from FLASH image1, active config block.
    Jan 9 19:15:32 NOTICE system: link up on port 25
    Enter password:

Page 531: Nortel Commands

/maint/tsdmp

Use the /maint/tsdmp command to dump all dump information that can be used for technical support. For example:

    >> Maintenance# tsdmp
    Confirm dumping all information, statistics, and configuration [y/n]:

/maint/pttsdmp

Use the /maint/pttsdmp command to upload a technical support dump using an FTP or TFTP connection. The dump was performed earlier using the /maint/tsdmp command. For example:

    >> Maintenance# ? pttsdmp
    Usage: pttsdmp <hostname> <filename> <-tftp|username password> [-mgmt|-data]
    >> Maintenance# pttsdmp
    Enter hostname or IP address of FTP/TFTP server: 0.0.0.0
    Enter name of file on FTP/TFTP server: dump.txt
    Enter username for FTP server or hit return for TFTP server: username
    Enter password for username on FTP server:
    Connecting to 0.0.0.0.....

/maint/sslrst

Use the /maint/sslrst command to reset the switch SSL card.

Unscheduled System Dumps

If there is an unscheduled system dump to flash memory, the following message is displayed when you log on to the switch:

    Note: A system dump exists in FLASH. The dump was saved
    at 19:15:23 Thu Jan 9, 2003. Use /maint/uudmp to
    extract the dump for analysis and /maint/cldmp to
    clear the FLASH region. The region must be cleared
    before another dump can be saved.

Page 532: Nortel Commands

Page 533: Nortel Commands

CHAPTER 11
The SSL Processor Menu

The SSL Menu is used to connect to the SSL processor.

NOTE – To use the SSL Processor Menu, you must be logged in to the processor as the administrator.

Login to the SSL processor

Log in to the SSL Processor as described in the following paragraphs.

Go to the main menu and enter the SSL processor level.

    # cd /
    ------------------------------------------------------------
    [Main Menu]
        info    - Information Menu
        stats   - Statistics Menu
        cfg     - Configuration Menu
        oper    - Operations Command Menu
        boot    - Boot Options Menu
        maint   - Maintenance Menu
        ssl     - SSL Accelerator Menu
        diff    - Show pending config changes [global command]
        apply   - Apply pending config changes [global command]
        save    - Save updated config to FLASH [global command]
        revert  - Revert pending or applied changes [global command]
        exit    - Exit [global command, always available]
    >> Main# ssl

Page 534: Nortel Commands

Enter the appropriate account information to log on to the processor.

    >> Main# ssl
    Connected to SSL Processor. Type "exit" to quit.

    login: admin
    Password:
    Alteon iSD SSL
    Hardware platform: 2424S
    Software version: 5.0.0.34

    ------------------------------------------------------------
    [Main Menu]
        info    - Information menu
        stats   - Statistics menu
        cfg     - Configuration menu
        boot    - Boot menu
        maint   - Maintenance menu
        diff    - Show pending config changes [global command]
        apply   - Apply pending config changes [global command]
        revert  - Revert pending config changes [global command]
        paste   - Restore saved config with key [global command]
        help    - Show command help [global command]
        exit    - Exit [global command, always available]

    SSL >> Main#

NOTE – Help information on specific commands uses the command “help”, and not the “?” symbol used at other directory levels. The command must also be spelled out in full. For example, to request help on the “apply” command enter:

    SSL >> Main# help diff
    Show any pending configuration changes.

Page 535: Nortel Commands

/ssl
SSL Processor Menu

[Main Menu]
    info    - Information menu
    stats   - Statistics menu
    cfg     - Configuration menu
    boot    - Boot menu
    maint   - Maintenance menu
    diff    - Show pending config changes [global command]
    apply   - Apply pending config changes [global command]
    revert  - Revert pending config changes [global command]
    paste   - Restore saved config with key [global command]
    help    - Show command help [global command]
    exit    - Exit [global command, always available]

Table 11-1 FDB Manipulation Menu Options (/maint/fdb)

Command Syntax and Usage

info
    Go to the Information level of the SSL Processor menu. For details, see page 536.

stats
    Go to the Statistics level of the SSL Processor menu. For details, see page 540.

cfg
    Go to the Configuration level of the SSL Processor menu. For details, see page 545.

boot
    Go to the Boot level of the SSL Processor menu. For details, see page 649.

maint
    Go to the Maintenance level of the SSL Processor menu. For details, see page 652.

diff
    Shows any pending configuration changes. For example:

        SSL >> Main# diff
        Configuration/ Certificate menu: new child "1" created

apply
    Applies pending configuration changes.

revert
    Remove pending configuration changes. Use this command to undo configuration parameters set since last apply command. For example:

Page 536: Nortel Commands

Table 11-1 FDB Manipulation Menu Options (/maint/fdb)

Command Syntax and Usage

paste
    Lets you restore a saved configuration that includes private keys. Before pasting the configuration, you need to provide the password phrase you specified when selecting to include the private keys in the configuration dump.

help
    Displays a summary of the global commands.

exit
    Leave the SSL Processor menu.

/ssl/info
SSL Performance information menu

[Information Menu]
    servers   - Show configured SSL servers
    certs     - Show configured certificates
    hsm       - Show local HSM information
    sslvpn    - Show configured VPNs
    users     - Show logged in SSL VPN portal users
    ipsec     - Show logged in IPSEC users
    ippool    - Show ip pool allocations
    ip        - Find information about an IP address
    sys       - Show system configuration
    licenses  - Show SSL VPN portal license usage
    access    - Print the access rules of an SSL VPN portal user
    kick      - Kick an SSL VPN portal user
    isdlist   - Show all iSDs and their operational status
    local     - Show local iSD information
    ethernet  - Show local ethernet status information
    ports     - Show local port(s) information
    events    - Inspect Events menu

Page 537: Nortel Commands

Table 11-2 Address Resolution Protocol Menu Options (/maint/arp)

Command Syntax and Usage

servers
    Displays the current SSL server settings, including SSL specific settings for each configured virtual SSL server.

certs
    Displays the certificate name, serial number, expiration date, and key size for each installed certificate. Information related to the subject of the certificate is also displayed. For example:

        Certificate 1:
          Certificate name =
          No certificate information.
          Validate: key or certificate not defined.
          No key has been defined.
          No key has been defined.

          Revocation:
          Automatic CRL:
            URL to retrieve CRL from =
            LDAP DN used for bind/authentication =
            Password to use when to authenticate =
            Refresh interval = 1d
            List of accepted signers of CRLs =
            Enable automatic retrieval = disabled

hsm
    Displays information related to the HSM card(s) on the iSD310-SSL FIPS device to which you are currently connected. Information about the current security mode (Extended Security mode or FIPS mode) in the iSD310-SSL FIPS cluster is displayed, as well as user login information (SO or USER) for each HSM card on the iSD310-SSL FIPS device. HSM information is only displayed when you are using the iSD310-SSL FIPS model.

sslvpn
    Show the configured VPNs.

users
    Shows all logged in VPN portal users. For example:

        Number of currently logged in users: 0

        VPN Id User Login Source IP Access Group:Profile...Variables...
        ------ ---- ----- --------- ------ ----------------

ipsec [<vpnid> [<prefix>]]
    Show number of IPSEC users logged-in. For example:

        Number of active ipsec sessions for all VPNs: 0

ippool [<vpnid>]
    Displays the IP pool allocations.

Page 538: Nortel Commands

Table 11-2 Address Resolution Protocol Menu Options (/maint/arp)

Command Syntax and Usage

ip <IP_address>
    Display information about a specific IP address. For example:

        SSL >> Information# ip
        Enter IP to search for: 0.0.0.0
        IP 0.0.0.0 not allocated from IP pool

sys
    Shows the system configuration. For example (in part):

        System:
          Management IP (MIP) address = 10.10.10.72
          iSD Host 1:
            Type of the iSD = master
            IP address = 10.10.10.71
            License =
              IPSEC user sessions: 10
              TPS: 300
              SSL user sessions: 10
            Default gateway address = 10.10.10.69
            Ports = 1
            Hardware platform = 2424S
            Host Routes:
              No items configured
            Host Interface 1:
              IP address = 10.10.10.71
              Network mask = 255.255.255.0
              Default gateway address = 0.0.0.0
              VLAN tag id = 0
              Mode = failover
              Host Interface Routes:
                No items configured
              Interface Ports:
                1
          . . .

licenses [<vpn_ID>]
    Show the SSL VPN port licenses. For example:

        Global License Pools    VPN    Used    Size
        ------------------------------------------------------
        SSL                     -      0       10
        IPSEC                   -      0       10

access <vpnid> <username>
    Display the access rules for an SSL Portal user.

kick <vpnid> <username>
    Kick an SSL VPN user.

Page 539: Nortel Commands

Table 11-2 Address Resolution Protocol Menu Options (/maint/arp)

Command Syntax and Usage

isdlist
    Displays the IP addresses, master/slave assignments, CPU usage, memory usage, and operational status for all the iSDs in the cluster. An asterisk (*) in the MIP column indicates which iSD in the cluster is currently in control of the Management IP. An asterisk (*) in the Local column indicates the particular iSD to which you have connected. For example:

        SSL >> Information# isdlist
        IP addr        type    MIP  Local  cpu(%)  mem(%)  op
        10.10.10.71    master  *    *      2       52      up

local
    Displays the current software version, iSD hardware platform, up time (since last boot), IP address, and Ethernet MAC address for the particular iSD host to which you have connected. If you have connected to the MIP address, the information displayed relates to the iSD host in the cluster that currently is in control of the MIP. For example:

        SSL >> Information# local
        Alteon iSD SSL
        Hardware platform: 2424S
        Software version: 5.0.0.34
        Up time: 11 days 1 hour 52 minutes
        IP address: 10.10.10.71
        MAC address: 00:01:81:2e:bc:6f

ethernet
    Displays statistics for the Ethernet network interface card (NIC) on the particular iSD host to which you have connected. If you have connected to the MIP address, the information displayed relates to the iSD host in the cluster that currently is in control of the MIP. If more than one network is configured in the cluster, Ethernet statistics for the respective network are displayed.

        RX packets: the total number of received packets
        TX packets: the total number of transmitted packets
        errors: packets lost due to error
        dropped: error due to lack of resources
        overruns: error due to lack of resources
        frame: error due to malformed packets
        carrier: error due to lack of carrier
        collisions: number of packet collisions

    Note: A non-zero collision value may indicate an incorrect configuration of the Ethernet autonegotiation.

    For example:

        I/f 1: RX packets:3438 errors:0 dropped:0 overruns:0 frame:0
        I/f 1: TX packets:2738 errors:0 dropped:0 overruns:0 carrier:0 collisions:0
        I/f 1: RX bytes:220060 (214.9 Kb) TX bytes:205486 (200.6 Kb)

Page 540: Nortel Commands

Table 11-2 Address Resolution Protocol Menu Options (/maint/arp)

Command Syntax and Usage

ports
    Displays the status of the local Ethernet interface (NIC) ports on the particular iSD host to which you have connected. If you have connected to the MIP address, the information displayed relates to the iSD host in the cluster that currently is in control of the MIP. For each port, link status (up/down) and Ethernet autonegotiation setting (on/off) is shown. If the link is up, current values for speed (10/100/1000) and duplex mode (half/full) are also shown. If the link is down and autonegotiation is set to off, the configured values for speed and duplex mode are shown instead. For example:

        SSL >> Information# ports
        Port 1: link = up, autoneg = on, speed = 1000, mode = full

events
    Go to the Inspect events menu. For details, see page 540.

/ssl/info/events
SSL Performance Menu

[Events Menu]
    alarms    - List all pending alarms
    download  - Dump the event log file to a TFTP/FTP/SFTP server

Table 11-3 SSL Performance Menu Options

Command Syntax and Usage

alarms
    Displays all alarms in the active alarm list by their main attributes: severity level, alarm ID number, date and time when triggered, alarm name, sender, and cause.

download <protocol> <IP_address | hostname> <filename>
    Transmits the event log file from the iSD cluster to a file on a TFTP server. Specify the IP address or host name of the TFTP server, as well as a file name.

Page 541: Nortel Commands

/ssl/stats
SSL Performance Statistics menu

[Statistics Menu]
    sslstats  - SSL stats
    ipsec     - IPSEC stats
    aaa       - AAA specific statistics
    dump      - Dump all information

Table 11-4 IP Route Manipulation Menu Options (/maint/route)

Command Syntax and Usage

sslstats
    Go to the SSL statistics menu. To view menu options, see page 542.

ipsec
    Go to the IPSEC statistics menu. To view menu options, see page 545.

aaa
    Go to the AAA specific statistics. To view menu options, see page 548.

dump
    Displays cluster-wide SSL statistics for each virtual SSL server in the cluster, as well as the number of active request sessions, and the total number of completed request sessions. The total number of initiated SSL client connections, and the total number of established SSL client connections as accumulated values for all virtual SSL servers in the cluster are also displayed. Histograms, however, are not included in the output.

Page 542: Nortel Commands

/ssl/stats/sslstats
SSL Performance Menu

[SSL stats Menu]
    vpn         - Cluster SSL VPN statistics
    server      - Cluster SSL Server statistics
    local       - Local statistics for each isdhost
    clear       - Clear all statistics for all IPs
    activesess  - Number of currently active request sessions
    totalsess   - Total completed request sessions
    sslaccept   - Total completed SSL accept
    sslconnect  - Total completed SSL connect
    tpshisto    - Cluster-wide TPS histograms for all servers
    clihisto    - cluster wide client data histograms for all servers
    srvhisto    - cluster wide server data histograms for all servers

Table 11-5 SSL Performance Menu Options

Command Syntax and Usage

vpn <VPN_number>
    Displays the cluster-wide statistics for SSL VPN.

server <server_number>
    Displays the cluster-wide statistics for SSL servers.

local
    Go to the Local SSL Statistics Menu. To view menu options, see page 543.

clear
    Erase all statistics for all IPs.

activesess
    Display the number of currently active requests. For example:

        active_sessions : 0

totalsess
    Display the total number of completed request sessions.

sslaccept
    Display the total number of completed SSL request sessions.

sslconnect
    Display the total number of successful SSL connections.

tpshisto
    Display the total number of cluster-wide TPS histograms for all servers.

clihisto
    Display the total number of cluster-wide client data histograms for all servers.

Page 543: Nortel Commands

Table 11-5 SSL Performance Menu Options

Command Syntax and Usage

srvhisto
    Display the total number of cluster-wide server data histograms for all servers.

/ssl/stats/sslstats/local
SSL Performance SSL Local Statistics Menu

[Local SSL Statistics Menu]
    isdhost   - ISD local SSL server statistics menu
    overview  - Overview of isdhost local statistics
    tpshisto  - ISD local TPS histograms for all servers/ISDs
    clihisto  - ISD local client byte/s histos for all servers/ISDs
    srvhisto  - ISD local server data byte/s histos for all servers/ISDs
    license   - ISD local license statistics
    dump      - Dump all information

Table 11-6 SSL Performance: SSL Local Statistics Menu Options

Command Syntax and Usage

isdhost <host_number>
    Go to the ISD local SSL Statistics Menu. To view menu options, see page 544.

overview
    Display an overview of the isdhost local statistics.

tpshisto
    Display ISD local TPS histograms for all servers/ISDs.

clihisto
    Display ISD local client data histograms for all servers and ISDs.

srvhisto
    Display ISD local server data histograms for all servers and ISDs.

license
    Display local ISD license statistics. For example:

        **** License stats at ISD number '1' ****
        License   Limit reached times
        tps       {ok,0}

dump
    Display all local statistical information.

Page 544: Nortel Commands

/ssl/stats/sslstats/local/isdhost
SSL Performance: Single ISD SSL Statistics Menu

[Single ISD SSL Stats 1 Menu]
    server    - ISD local SSL server stats
    tpshisto  - ISD local TPS histograms for all servers
    clihisto  - ISD local client byte/s histograms for all servers
    srvhisto  - ISD local server byte/s histograms for all servers
    dump      - Dump all information

Table 11-7 SSL Performance: Single ISD SSL Statistics Menu Options

Command Syntax and Usage

server
    Displays statistics for the local ISD SSL server.

tpshisto
    Displays ISD local TPS histograms for all servers.

clihisto
    Displays ISD local client data histograms for all servers.

srvhisto
    Displays ISD local server histograms for all servers.

dump
    Displays all statistical information.

Page 545: Nortel Commands

/ssl/stats/ipsec
IPSEC Statistics menu

[IPSEC stats Menu]
    vpn         - Cluster IPSEC Server statistics
    local       - Local statistics for each isdhost
    clear       - Clear all ipsec statistics for all IPs
    activesess  - Number of currently active ipsec sessions
    totalsess   - Total completed ipsec sessions
    failedsess  - Total failed ipsec sessions
    enctot      - Total encoded kBytes
    enc         - Encoded kB/sec last minute
    dectot      - Total decoded kBytes
    dec         - Decoded kB/sec last minute
    sesshisto   - Cluster-wide ipsec session histograms for all servers
    enchisto    - Cluster-wide ipsec encrypt histograms for all servers
    dechisto    - Cluster-wide ipsec decrypt histograms for all servers

Table 11-8 IPSEC Statistics Menu Options

Command Syntax and Usage

vpn <VPN_number>
    Displays cluster IPSEC server statistics.

local
    Go to the local statistics menu. To view menu options, see page 546.

clear
    Clear all IPSEC statistics.

activesess
    Display the number of currently active IPSEC sessions.

totalsess
    Display the number of completed IPSEC sessions.

failedsess
    Display the number of failed IPSEC sessions.

enctot
    Display the total number of encoded kBytes.

enc
    Display the total number of encoded kBytes in the last 60 seconds.

dectot
    Display the total number of decoded kBytes.

dec
    Display the total number of decoded kBytes in the last 60 seconds.

Page 546: Nortel Commands

Table 11-8 IPSEC Statistics Menu Options

Command Syntax and Usage

sesshisto
    Display the Cluster-wide ipsec session histograms for all servers.

enchisto
    Display the Cluster-wide ipsec encrypt histograms for all servers.

dechisto
    Display the Cluster-wide ipsec decrypt histograms for all servers.

/ssl/stats/ipsec/local
SSL Performance: Local IPSEC Statistics Menu

[Local IPSEC Statistics Menu]
    isdhost    - ISD local IPSEC server statistics menu
    sesshisto  - ISD local ipsec session histograms for all VPNs/ISDs
    enchisto   - ISD local ipsec encrypt histograms for all VPNs/ISDs
    dechisto   - ISD local ipsec decrypt histograms for all VPNs/ISDs
    dump       - Dump all information

Table 11-9 SSL Performance: Local IPSEC Statistics Menu Options

Command Syntax and Usage

isdhost
    Go to the ISD Local IPSEC server statistics menu. To view menu options, see page 547.

sesshisto
    Displays the local IPSEC session histograms for all VPNs and ISDs.

enchisto
    Displays the local IPSEC encryption histograms for all VPNs and ISDs.

dechisto
    Displays the local IPSEC decryption histograms for all VPNs and ISDs.

dump
    Display all IPSEC statistical information.

Page 547: Nortel Commands

/ssl/stats/ipsec/local/isdhost
SSL Performance: Single IPSEC ISD Statistics Menu

[Single ISD IPSEC Stats 1 Menu]
    vpn         - ISD local IPSEC server stats
    activesess  - Locally active ipsec sessions all VPNs
    totalsess   - Locally total ipsec sessions all VPNs
    failedsess  - Locally failed ipsec sessions, all VPNs
    enctot      - Locally total ipsec encoded kBytes all VPNs
    enc         - Locally ipsec encoded kB/sec last minute all VPNs
    dectot      - Locally total ipsec decoded kBytes all VPNs
    dec         - Locally ipsec decoded kB/sec last minute all VPNs
    sesshisto   - ISD local ipsec sess histograms for all VPNs
    enchisto    - ISD local ipsec encrypt histograms for all VPNs
    dechisto    - ISD local ipsec decrypt histograms for all VPNs
    dump        - Dump all information

Table 11-10 SSL Performance: Single IPSEC ISD Statistics Menu Options

Command Syntax and Usage

vpn <VPN_number>
    Display the ISD local IPSEC server statistics.

activesess
    Display the locally active IPSEC sessions for all VPNs.

totalsess
    Display the total of locally active IPSEC sessions for all VPNs.

failedsess
    Display the failed IPSEC sessions for all VPNs.

enctot
    Display the total kBytes encoded for all VPNs.

enc
    Display the locally encoded kBytes for all VPNs.

dectot
    Display the total kBytes decoded for all VPNs.

dec
    Display the locally decoded kBytes for all VPNs.

sesshisto
    Display the ISD local IPSEC session histograms for all VPNs.

enchisto
    Display the ISD local IPSEC encrypted histograms for all VPNs.

Page 548: Nortel Commands

Table 11-10 SSL Performance: Single IPSEC ISD Statistics Menu Options

Command Syntax and Usage

dechisto
    Display the ISD local ipsec decrypt histograms for all VPNs.

dump
    Display all ISD statistics.

/ssl/stats/aaa
AAA Statistics Menu

[AAA Statistics Menu]
    total    - Cluster-wide authentication statistics (per VPN)
    isdhost  - ISD local authentication statistics (per VPN)
    dump     - Dump all information

Table 11-11 AAA Statistics Menu Options

Command Syntax and Usage

total <VPN_ID>
    Display the Cluster-wide authentication statistics for each VPN.

isdhost </cfg/sys/host number>
    Display the ISD local authentication statistics for each VPN.

dump
    Display all AAA statistics.

/ssl/cfg
SSL Performance Configuration Menu

[Configuration Menu]
    ssl    - SSL offload menu
    cert   - Certificate menu
    vpn    - VPN menu
    test   - Create test vpn, portal and certificate
    quick  - Quick vpn setup wizard
    sys    - System-wide parameter menu
    lang   - Language support
    ptcfg  - Backup configuration to TFTP/FTP/SCP/SFTP server
    gtcfg  - Restore configuration from TFTP/FTP/SCP/SFTP server
    dump   - Dump configuration on screen for copy-and-paste

Page 549: Nortel Commands

Table 11-12 SSL Performance Configuration Menu Options

Command Syntax and Usage

ssl
    Go to the SSL offload menu. To view menu options, see page 551.

cert
    Go to the Certificate menu. To view menu options, see page 554.

vpn
    Go to the VPN menu. To view menu options, see page 573.

test
    Create a test VPN, portal and certificate. For example:

        SSL >> Configuration# test
        Enter virtual IP address of test portal: 0.0.0.0
        VPN user name: Test_vpn
        VPN password: smith
        Do you want to configure IPsec? (yes/no) [no]: n
        Do you want to configure Netdirect? (yes/no) [no]: n
        Creating VPN 1
        Creating Linkset 1
        Name: base-links
        Creating Authentication 1
        Calling /cfg/vpn 1/aaa/auth 1/local/add Test_vpn smith test
        Creating Group 1
        Name: test
        Creating Access rule 1
        Added base-links to linkset
        Created /cfg/cert 2
        Use 'apply' to activate.

quick
    Create a VPN configuration using command prompts.

sys
    Go to the System-wide parameter menu. To view menu options, see page 649.

lang
    Go to the Language Support menu. To view menu options, see page 649.

Chapter 11: The SSL Processor Menu 549320506-A, January 2006

Page 550: Nortel Commands

ptcfg
    Saves the current configuration, including private keys and certificates, to a TFTP server. The configuration can later be restored by using the gtcfg command. You are required to specify a password phrase before the information is sent to the TFTP server. If you restore the configuration by using the gtcfg command, you will be prompted for the password phrase you have specified. The password phrase is used to protect the private keys in the configuration.

    NOTE – Note 1: If you have fully separated the Administrator user role from the Certificate Administrator user role, the export passphrase defined by the certificate administrator is used to protect the private keys in the configuration, transparently to the user. When a configuration backup is restored by using the gtcfg command, the certificate administrator must enter the correct passphrase.

    NOTE – Note 2: When using the ptcfg command on an iSD310-SSL FIPS, private keys are encrypted using the wrap key that was generated when the first HSM card in the cluster was initialized.

gtcfg
    Restores a configuration, including private keys and certificates, from a TFTP server. You need to provide the password phrase you specified when saving the configuration to the TFTP server.

    NOTE – Note: If you have fully separated the Administrator user role from the Certificate Administrator user role (by removing the admin user from the certadmin group), the certificate administrator must enter the passphrase that was defined by him or her using the /cfg/sys/user/caphrase command.

dump
    Display the configuration on-screen for a copy and paste operation.

Page 551: Nortel Commands

/ssl/cfg/ssl

SSL Configuration Server Menu

[SSL Menu]
    server - SSL server menu
    test - Create test server and certificate
    quick - Quick server setup wizard

Table 11-13 SSL Configuration Server Menu Options

Command Syntax and Usage

server
    Go to the SSL Server menu. To view menu options, see page 552.

test
    Create a test VPN, portal and certificate. For example:

    SSL >> Configuration# test
    Enter virtual IP address of test portal: 0.0.0.0
    VPN user name: Test_vpn
    VPN password: smith
    Do you want to configure IPsec? (yes/no) [no]: n
    Do you want to configure Netdirect? (yes/no) [no]: n
    Creating VPN 1
    Creating Linkset 1
    Name: base-links
    Creating Authentication 1
    Calling /cfg/vpn 1/aaa/auth 1/local/add Test_vpn smith test
    Creating Group 1
    Name: test
    Creating Access rule 1
    Added base-links to linkset
    Created /cfg/cert 2
    Use 'apply' to activate.

quick
    Create a VPN configuration using command prompts.

Page 552: Nortel Commands

/ssl/cfg/ssl/server

SSL Configuration Server-specific Menu

[Server 1 Menu]
    name - Set server name
    vips - Set IP addr(s) of server
    standalone - Set standalone mode
    port - Set listen port of server
    rip - Set real server IP addr
    rport - Set real server port
    type - Set type (generic/http/socks)
    proxy - Set transparent proxy mode (on/off)
    trace - Traffic trace menu
    ssl - SSL settings menu
    tcp - TCP endpoint settings menu
    adv - Advanced settings menu
    del - Remove virtual server
    ena - Enable virtual server
    dis - Disable virtual server

Table 11-14 SSL Configuration Server-specific Menu Options

Command Syntax and Usage

name <string>
    Enter the name of the server.

vips <IP_address>
    Enter the virtual IP address for the server.

standalone on|off
    Set the standalone mode.

port <integer>
    Set the listen port for the server.

rip <IP_address>
    Set the actual server IP address.

rport <integer>
    Set the actual server port number.

type <generic/http/socks>
    Set the port type.

proxy on|off
    Set the proxy mode.

trace
    Go to the Trace menu. To view menu options, see page 554.

Page 553: Nortel Commands

ssl
    Go to the SSL Settings menu. To view menu options, see page 555.

tcp
    Go to the TCP endpoints menu. To view menu options, see page 556.

adv
    Go to the Advanced settings menu. To view menu options, see page 557.

del
    Remove the virtual server.

ena enabled|disabled
    Enable the virtual server.

dis enabled|disabled
    Disable the virtual server.

Page 554: Nortel Commands

/ssl/cfg/ssl/server/trace

SSL Configuration Server-specific Trace Menu

[Trace Menu]
    ssldump - Create traffic dump
    tcpdump - Create traffic dump
    ping - Ping through backend interface
    dnslookup - Lookup a name in DNS through backend interface
    traceroute - traceroute through backend interface

Table 11-15 SSL Configuration Server-specific Trace Menu Options

Command Syntax and Usage

ssldump
    Create a traffic dump. Information on creating dump patterns can be found at http://www.tcpdump.org/tcpdump_man.html.

tcpdump
    Create a traffic dump. Information on creating dump patterns can be found at http://www.tcpdump.org/tcpdump_man.html.

ping <hostname>
    Use this command to verify station-to-station connectivity across the network.

dnslookup <hostname>
    Look up a hostname in DNS.

traceroute <hostname>
    Use this command to identify the route used for station-to-station connectivity across the network.

Page 555: Nortel Commands

/ssl/cfg/ssl/server/ssl

SSL Configuration Server-specific SSL Menu

[SSL Settings Menu]
    cert - Set server certificate
    cachesize - Set SSL cache size
    cachettl - Set SSL cache timeout
    cacerts - Set list of accepted signers of client certificates
    cachain - Set list of CA chain certificates
    protocol - Set protocol version
    verify - Set certificate verification level
    ciphers - Set cipher list
    ena - Enable SSL
    dis - Disable SSL

Table 11-16 SSL Configuration Server-specific SSL Menu Options

Command Syntax and Usage

cert unset|set
    Create a server certificate.

cachesize <integer>
    Set the SSL cache size.

cachettl <integer>
    Set the SSL cache timeout (in seconds).

cacerts <integerlist>
    Set the list of authorized signers of client certificates. Separate the signer list using commas.

cachain <integerlist>
    Set the list of CA chain certificates. Separate the list using commas.

protocol <issl2/ssl3/ssl23/tls1>
    Set the protocol version.

verify none|optional|require
    Set the verification level of the certificate.

ciphers
    Set the cipher list. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical AND operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms). Each cipher string can optionally be preceded by one of the characters !, - or +:
        ! permanently deletes the ciphers from the list (e.g. !RSA).
        - deletes the ciphers from the list, but the ciphers can be added again by later options.
        + moves the ciphers to the end of the list. This option doesn't add any new ciphers; it just moves matching existing ones.
    Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.

Page 556: Nortel Commands

ena yes|no
    Enable SSL.

dis yes|no
    Disable SSL.

/ssl/cfg/ssl/server/tcp

SSL Configuration Server-specific TCP Menu

[TCP Settings Menu]
    cwrite - Set client TCP write timeout
    ckeep - Set client TCP keep alive timeout
    swrite - Set server TCP write timeout
    sconnect - Set server TCP connect timeout
    csendbuf - Set client TCP send buffer size
    crecbuf - Set client TCP receive buffer size
    ssendbuf - Set server TCP send buffer size
    srecbuf - Set server TCP receive buffer size

Table 11-17 SSL Configuration Server-specific TCP Menu Options

Command Syntax and Usage

cwrite <integer>
    Set the client TCP write timeout (in seconds, 1-2147483647).

ckeep <integer>
    Set the client TCP keep alive timeout (in seconds, 1-2147483647).

swrite <integer>
    Set the server TCP write timeout (in seconds, 1-2147483647).

sconnect <integer>
    Set the server TCP connect timeout (in seconds, 1-2147483647).

csendbuf auto|<2000 to 100000>
    Set the client TCP send buffer size (in bytes).

crecbuf auto|<2000 to 100000>
    Set the client TCP receive buffer size (in bytes).

ssendbuf <generic/http/socks>
    Set the server TCP send buffer size (in bytes).

srecbuf on|off
    Set the server TCP receive buffer size (in bytes).

Page 557: Nortel Commands

/ssl/cfg/ssl/server/adv

SSL Configuration Server-specific Advanced Menu

[Advanced Settings Menu]
    string - String menu
    blockstrin - Set strings to block
    loadbalanc - Load balancing menu
    sslconnect - SSL connect menu

Table 11-18 SSL Configuration Server-specific Menu Options

Command Syntax and Usage

string
    Go to the String menu. To view the menu options, see page 558.

blockstrin <string>
    Set the strings to block, separated by commas.

loadbalanc
    Go to the Load Balancing menu. To view the menu options, see page 559.

sslconnect
    Go to the SSL Connect menu. To view the menu options, see page 560.

Page 558: Nortel Commands

/ssl/cfg/ssl/server/adv/string

SSL Configuration Server Advanced String Menu

[LB String 1 Menu]
    match - Set string to match
    location - Set locations to perform the match in
    icase - Set ignore case in to match
    negate - Set negate the result of the match
    del - Remove string

Table 11-19 SSL Configuration Server-specific Menu Options

Command Syntax and Usage

match <string>|*
    Enter the string to match. For example:

    SSL >> LB String 1# match
    Current value: <not set>
    Enter match string (may contain *):

location <locationlist>
    Set the match string locations, separated by commas. Possible values are:
        Macros: url, unknown, other, header
        Methods: options, get, head, post, put, delete, trace, connect
        Special: query, params, cookie-override
        Headers: accept, accept-charset, accept-encoding, accept-language, accept-ranges, age, allow, authorization, cache-control, connection, content-base, content-encoding, content-language, content-length, content-location, content-md5, content-range, content-type, cookie, cookie2, date, etag, expires, from, host, if-match, if-modified-since, if-none-match, if-range, if-unmodified-since, keep-alive, last-modified, location, max-forwards, pragma, proxy-authenticate, proxy-authorization, proxy-connection, public, range, referer, retry-after, server, set-cookie, transfer-encoding, upgrade, user-agent, vary, via, warning, www-authenticate, x-forwarded-for, x-ssl

icase on|off
    Set the string match as case respective yes (on) or no (off).

negate on|off
    Set a negative match scheme. The current strings are excluded (on) or included (off).

del string<string_number>
    Delete the string.

Page 559: Nortel Commands

/ssl/cfg/ssl/server/adv/loadbalanc

SSL Configuration Server Advanced Load Balancing Menu

[Load Balancing Settings Menu]
    type - Set load balancing type
    persistenc - Set persistence strategy
    cookie - Cookie settings menu
    metric - Set load balancing metric
    health - Set health check type
    script - Health check script menu
    interval - Set health check interval (s)
    remotessl - Remote SSL connect menu
    backend - Backend servers menu
    ena - Enable load balancing
    dis - Disable load balancing

Table 11-20 SSL Configuration Server Advanced Load Balancing Menu Options

Command Syntax and Usage

type all|<string>
    Set the load balancing type.

persistenc none|cookie|session
    Set the persistence strategy.

cookie
    Go to the Cookie settings menu. To view the menu options, see page 560. Note that this menu is accessible only when persistenc is set to “cookie”.

metric hash|roundrobin|leastconn
    Set the load balancing metric.

health none|tcp|ssl|auto|script
    Set the health check type.

script
    Go to the health check script menu. To view the menu options, see page 562.

interval <integer>
    Set the health check interval.

remotessl
    Go to the Remote SSL connection menu. To view the menu options, see page 563.

backend
    Go to the Backend Servers menu. To view the menu options, see page 565.

Page 560: Nortel Commands

ena enable|disable
    Enable load balancing.

dis enable|disable
    Disable load balancing.

/ssl/cfg/ssl/server/adv/loadbalanc/cookie

SSL Configuration Server Advanced Load Balancing Cookie Menu

[Cookie Settings Menu]
    mode - Set cookie mode
    name - Set cookie name
    domain - Set cookie domain
    expires - Set cookie expires
    expiresdel - Set cookie expires delta
    localvips - Configure other local VIPs
    offset - Set cookie value offset
    length - Set cookie value length

Table 11-21 SSL Configuration Server Advanced Load Balancing Cookie Menu Options

Command Syntax and Usage

mode insert | passive | rewrite
    Sets the cookie load balancing mode.

name <cookie_name>
    Sets the cookie name.

domain <domain_name>
    Sets the cookie domain name.

expires <date_time>
    Sets the cookie expiration date and time.

expiresdel <0(session)-2147483647>
    Sets the cookie expiration delta value.

localvips
    Opens the Local VIPs menu. For more information on this menu refer to page 562.

Page 561: Nortel Commands

offset <1-64>
    Sets the cookie value offset.

length <0-64>
    Sets the cookie length.

Page 562: Nortel Commands

/ssl/cfg/ssl/server/adv/loadbalanc/cookie/localvips

Local VIP Configuration Menu

[Local VIPs Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value
    insert - Insert a new value
    move - Move a value by number

Table 11-22 Local VIP Configuration Menu

Command Syntax and Usage

list
    Lists all configured values.

del <entry_index>
    Deletes the entry indicated by the index value.

add <ip_address>
    Adds an entry by IP address.

insert <entry_index, ip_address>
    Adds an entry at a specific point by index and IP address.

move <source_index, destination_index>
    Moves an entry from the source index to the destination index.

/ssl/cfg/ssl/server/adv/loadbalanc/script

SSL Configuration Server Advanced Load Balancing Health Script Menu

[Health Check Script Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value
    insert - Insert a new value
    move - Move a value by number

Page 563: Nortel Commands

Table 11-23 SSL Configuration Server Advanced Load Balancing Health Script Menu Options

Command Syntax and Usage

list
    Display all values.

del <index>
    Delete a specific value.

add <command> <timeout> <argument>
    Add a new health script.

insert <position> <command> <timeout> <argument>
    Insert a new value.

move <value> <value>
    Exchange one value for another.

/ssl/cfg/ssl/server/adv/loadbalanc/remotessl

SSL Configuration Server Advanced Load Balancing Remote SSL Menu

[Remote SSL Connect Settings Menu]
    protocol - Set protocol version
    cert - Set client certificate
    ciphers - Set accepted ciphers for ssl connect
    verify - Verify server menu

Table 11-24 SSL Configuration Server Advanced Load Balancing Remote SSL Menu Options

Command Syntax and Usage

protocol aissl2|ssl3|ssl23|tls1
    Set the protocol version.

cert <integer, 1 to 1500>
    Set the certificate number.

Page 564: Nortel Commands

ciphers <string>
    Set the accepted ciphers for SSL connection. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical AND operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms). Each cipher string can optionally be preceded by one of the characters !, - or +:
        ! permanently deletes the ciphers from the list (e.g. !RSA).
        - deletes the ciphers from the list, but the ciphers can be added again by later options.
        + moves the ciphers to the end of the list. This option doesn't add any new ciphers; it just moves matching existing ones.
    Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.

verify
    Go to the Verify Server menu. To view the menu options, see page 564.

/ssl/cfg/ssl/server/adv/loadbalanc/remotessl/verify

SSL Configuration Server Advanced Load Balancing Remote SSL Verification Menu

[Remote SSL Connect Verify Settings Menu]
    verify - Set certificate verification level
    commonname - Set server common name
    cacerts - Set list of accepted signers of server's certificate

Table 11-25 SSL Configuration Server Advanced Load Balancing Remote SSL Verification Menu Options

Command Syntax and Usage

verify none|require
    Set the certificate verification level.

commonname <name>
    Set the server common name. For example:

    SSL >> Remote SSL Connect Verify Settings# commonname
    Current value: [old_server_name]
    Give common name of server: <new_server_name>
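The cipher-list operators described for the two ciphers commands (server SSL settings and remote SSL connect settings) can be evaluated offline before a list is applied. The Python below is an added example, not code from the switch or from Nortel; the suite table, its tags and the 128-bit audit threshold are constructed assumptions, since the page does not list the suites a device supports.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    tags: frozenset  # algorithm keywords a cipher string can select on
    bits: int        # encryption key length, used by @STRENGTH


# Constructed sample table (assumption): a few suites with simplified tags.
SUITES = (
    Suite("DES-CBC-SHA", frozenset({"RSA", "DES", "SHA1"}), 56),
    Suite("RC4-MD5", frozenset({"RSA", "RC4", "MD5"}), 128),
    Suite("DES-CBC3-SHA", frozenset({"RSA", "3DES", "SHA1"}), 168),
    Suite("EDH-DSS-DES-CBC-SHA", frozenset({"EDH", "DSS", "DES", "SHA1"}), 56),
    Suite("AES128-SHA", frozenset({"RSA", "AES", "SHA1"}), 128),
    Suite("DHE-DSS-AES256-SHA", frozenset({"EDH", "DSS", "AES", "SHA1"}), 256),
)


def select(selector, table):
    """Suites matching every '+'-joined keyword (logical AND), in table order."""
    wanted = set(selector.split("+"))
    return [s for s in table if wanted <= (s.tags | {s.name})]


def expand(cipher_list, table=SUITES):
    """Evaluate a colon-separated cipher list; return suite names in order."""
    active, banned = [], set()
    for item in filter(None, cipher_list.split(":")):
        if item == "@STRENGTH":
            # Stable sort: longest key first, ties keep their current order.
            active.sort(key=lambda s: -s.bits)
            continue
        op = item[0] if item[0] in "!-+" else ""
        hits = select(item[len(op):], table)
        if op == "!":      # delete permanently: later strings cannot re-add
            banned.update(hits)
            active = [s for s in active if s not in hits]
        elif op == "-":    # delete, but a later string may add them back
            active = [s for s in active if s not in hits]
        elif op == "+":    # move matches already in the list to the end
            moved = [s for s in active if s in hits]
            active = [s for s in active if s not in hits] + moved
        else:              # plain string: append matches not yet present
            active += [s for s in hits if s not in active and s not in banned]
    return [s.name for s in active]


def below_strength(cipher_list, min_bits=128, table=SUITES):
    """Audit helper: names in the expanded list with keys under min_bits."""
    bits = {s.name: s.bits for s in table}
    return [n for n in expand(cipher_list, table) if bits[n] < min_bits]


if __name__ == "__main__":
    for spec in ("SHA1+DES", "SHA1:MD5:!RSA:RSA", "SHA1:MD5:-RSA:AES",
                 "SHA1:MD5:+DES", "SHA1:MD5:@STRENGTH"):
        print(f"{spec:22} -> {expand(spec)}")
    print("under 128 bits:", below_strength("SHA1:MD5"))
```

Running the same list through below_strength before applying it shows whether short-key suites such as single DES are still reachable after the ! and - strings have been processed.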

Page 565: Nortel Commands

cacerts <integer_list>
    Enter the certificate numbers, separated by commas.

/ssl/cfg/ssl/server/adv/loadbalanc/backend

SSL Configuration Server Advanced Load Balancing Backend Server Menu

[Backend Server 1 Menu]
    ip - Set IP addr of backend server
    port - Set backend server port
    sslconnect - Set perform SSL connect if enabled for server
    remote - Set server is remote
    rname - Set host name of remote server
    remotessl - Set remote site is ssl
    lbstrings - Set load balancing strings
    lbop - Set string load balancing operation
    del - Remove backend server
    ena - Enable backend server
    dis - Disable backend server

Table 11-26 SSL Configuration Server Advanced Load Balancing Backend Server Menu Options

Command Syntax and Usage

ip <IP_address>
    Set the IP address of the backend server.

port <port_number>
    Set the backend server port number.

sslconnect on|off
    Set the SSL connection option.

remote true|false
    Set the server as remote, as required.

rname <hostname>
    Set the hostname of the remote server.

Page 566: Nortel Commands

remotessl true|false
    Set the remote site as SSL.

lbstrings <integers>
    Set the load balance strings, separated by a comma.

lbop any|all|one|none
    Set the string load balancing operation.

del
    Remove the backend server.

ena enable|disable
    Enable the backend server.

dis enable|disable
    Disable the backend server.

/ssl/cfg/cert

SSL Configuration Certificate Menu

[Certificate 1 Menu]
    name - Set certificate name
    cert - Set certificate
    key - Set private key
    revoke - Revocation menu
    genkey - Generate private key
    gensigned - Generate signed client/server certificate
    request - Generate certificate request
    sign - Sign a certificate request
    test - Generate test certificate and key
    import - Import key and certificate with TFTP/FTP/SCP/SFTP
    export - Export certificate and key with TFTP/FTP/SCP/SFTP
    display - Display certificate and key
    show - Show certificate information
    info - Show certificate short information
    subject - Show certificate subject information
    validate - Check if key and certificate match
    keysize - Show key size
    keyinfo - Show how key is stored
    del - Remove certificate

Page 567: Nortel Commands

Table 11-27 SSL Configuration Certificate Menu Options

Command Syntax and Usage

name <string>
    Enter the name of the certificate.

cert <pasted_certificate_content>
    Paste the content of a copied certificate. For example:

    Paste the certificate, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
    >

key <pasted_key_content>
    Paste the copied key. For example:

    Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
    >

revoke
    Go to the Revoke menu. To view the menu options, see page 571.

genkey 512|1024|2048|4096
    Generate a private key.

gensigned <key> <certificate_number>
    Generate a certificate.

Page 568: Nortel Commands

request
    Generate a certificate request.

    SSL >> Certificate 1# request
    The combined length of the following parameters may not exceed 225 bytes.
    Country Name (2 letter code): CA
    State or Province Name (full name): Ontario
    Locality Name (eg, city): Ottawa
    Organization Name (eg, company): NoTel
    Organizational Unit Name (eg, section): Maint
    Common Name (eg, your name or your server's hostname): NoTel-12
    Email Address: [email protected]
    Key size (512/1024/2048/4096) [1024]: 1024
    Request a CA certificate (y/n) [n]: y
    Specify challenge password (y/n) [n]: n
    -----BEGIN CERTIFICATE REQUEST-----
    -----END CERTIFICATE REQUEST-----

    Use 'apply' to store the private key in the iSD until
    the signed certificate is entered.
    The private key will be lost unless you 'apply' or
    save it elsewhere using 'export'.

sign <key> <certificate_number>
    Sign a certificate.

Page 569: Nortel Commands

test
    Create a test certificate and key. For example:

    SSL >> Certificate 1# test
    The combined length of the following parameters may not exceed 225 bytes.
    Country Name (2 letter code): CA
    State or Province Name (full name): Ontario
    Locality Name (eg, city): Ottawa
    Organization Name (eg, company): NoTel
    Organizational Unit Name (eg, section): Maint
    Common Name (eg, your name or your server's hostname): NoTel-12
    Email Address: [email protected]
    Valid for days [365]: 200
    Valid for days [365]: 200
    Key size (512/1024/2048/4096) [1024]: 1024
    Test key and certificate added.
    Use 'apply' to activate.

import <proto> <server> <certfile>
    Import a remote certificate and key. For example:

    SSL >> Certificate 1# import
    Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp
    Enter hostname or IP address of server: NoTel-10
    Enter filename on server: key_certificate2389
    Retrieving key_certificate2389 from NoTel-10
    Error: Host not found, FTP server not found, or connection rejected.

export <proto> <server> <certfile>
    Export a key and certificate to a remote host. For example:

    SSL >> Certificate 1# export
    Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp
    Enter hostname or IP address of server: NoTel-10
    Enter export format (pem/der/net/pkcs12): pem
    Enter export pass phrase: <hidden_text>
    Reconfirm export pass phrase: <hidden_text>
    Enter name of combined key and certificate file on remote host: key_cert_from_NoTel-12
    Error: Host not found, FTP server not found, or connection rejected.

Page 570: Nortel Commands

display
    Display a certificate and key. For example:

    SSL >> Certificate 1# display
    Encrypt private key (yes/no) [yes]: yes
    Enter export pass phrase: <hidden_text>
    Reconfirm export pass phrase: <hidden_text>
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,8E1E1EB54398437B

1NngBGmeIGxhndoR3+F4DNmYNCtH6tbVMZmmTCAu0ee9Ss9vjy6N3jXgMUy8RnfV1dRLixDPlpAB5CwsSUBLROtvq6rhyZnwKbofz4UBon1tE33eX86uNrXGjdvPkfzDx8TrCXdcewY0W1xuPA6mnb0mHCn768fqoNd5YlXPMRbPrK/nTfvCHlfvVmHkzpw3BrvNfqVpdijQkdv+X53gn7DbYBsFYKSLsjyZ1Dst1JFDS5W594by1P7WseRYi4LqXPcmgZA7BtC5JV9d6Fwmd66Cois3WUxBtTeLJDFet6fr/9e3nXfa+pPyIgGGWAYE...A9xlBRMYzppbzQVjjFK0maFRtuhIiEbexLJwTCEwfyVMk8juHvBWIQ==-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----MIID3jCCA0egAwIBAgIBADANBgkqhkiG9w0BAQQFADCBgjELMAkGA1UEBhMCQ0ExEDAOBgNVBAgTB09udGFyaW8xDzANBgNVBAcTBk90dGF3YTEOMAwGA1UEChMFTm9U..

show
    Show certificate information.

info
    Show short-form certificate information. For example:

    SSL >> Certificate 1# info
    Serial number: 0 (0x0)
    Expire: Jan 19 14:49:18 2006 GMT
    Certificate subject: C=CA ST=Ontario L=Ottawa O=NoTel OU=Maint CN=NoTel-12/[email protected]

Page 571: Nortel Commands

subject
    Show certificate subject information. For example:

    SSL >> Certificate 1# subject
    Certificate subject:
        C/countryName (2.5.4.6) = CA
        ST/stateOrProvinceName (2.5.4.8) = Ontario
        L/localityName (2.5.4.7) = Ottawa
        O/organizationName (2.5.4.10) = NoTel
        OU/organizationalUnitName (2.5.4.11) = Maint
        CN/commonName (2.5.4.3) = NoTel-12
        emailAddress/emailAddress (1.2.840.113549.1.9.1) = [email protected]

validate <matched_key> <matched_certificate>
    Check if certificate and key are matched.

keysize
    Display key size (in bytes).

keyinfo
    Displays how the key is stored.

del
    Delete the certificate and key. For example:

    SSL >> Certificate 1# del
    Certificate 1 will be deleted when changes are applied.

/ssl/cfg/cert/revoke

SSL Configuration Revoke Certificate Menu

[Revocation Menu]
    add - Add decimal serial number to revocation list
    addx - Add hex serial number to revocation list
    del - Cancel revocation for a serial number
    list - List revoked certificates
    rev - Enter revocation list
    import - Import revocation list with TFTP/FTP/SCP/SFTP
    automatic - Automatic CRL retrieval menu

Table 11-28 SSL Configuration Revoke Certificate Menu Options

Command Syntax and Usage

add <integer>
    Add a decimal serial number to the revocation list.

Page 572: Nortel Commands

addx <hexadecimal_number>
    Add a hexadecimal number to the revocation list.

del <serial_number>
    Cancel the revocation of a serial number.

list
    List the revoked certificates.

rev
    Paste a revocation list into another revocation list.

import <proto> <server> <file>
    Import a remote revocation list.

automatic
    Go to the automatic retrieval menu.

/ssl/cfg/cert/revoke/automatic

SSL Configuration Revoke Certificate Automatic Menu

[Automatic CRL Menu]
    url - Set URL to retrieve CRL from
    authDN - Set LDAP DN used for bind/authentication
    passwd - Set password to use when to authenticate
    interval - Set refresh interval
    cacerts - Set list of accepted signers of CRLs
    ena - Enable automatic retrieval
    dis - Disable automatic retrieval

Table 11-29 SSL Configuration Revoke Certificate Automatic Menu Options

Command Syntax and Usage

url <URL>
    Set the URL value to retrieve the CRL.

authDN <LDAP-Distinguished-Name>
    Set the LDAP DN to be used for bind and authentication.

passwd <string>
    Set the authentication password.

interval <time>
    Set the refresh interval.

Page 573: Nortel Commands

cacerts <certificate_numbers>
    Create a list of accepted signers of CRLs. Separate the list elements by commas.

ena enabled|disabled
    Enable automatic retrieval.

dis enabled|disabled
    Disable automatic retrieval.

/ssl/cfg/vpn

SSL VPN Configuration Menu

[VPN 1 Menu]
    ips - Set IP addr(s) of the VPN
    standalone - Set standalone mode (no switch)
    aaa - AAA menu
    server - SSL server menu
    ipsec - IPsec server menu
    ippool - IP address pool menu
    portal - Portal look and feel menu
    linkset - Portal linkset menu
    sslclient - SSL VPN client menu
    adv - Advanced settings menu
    del - Remove VPN

Table 11-30 SSL VPN Configuration Menu Options

Command Syntax and Usage

ips <IP_address>
    Set the IP address of the VPN.

standalone on|off
    Set the standalone mode.

aaa
    Go to the AAA menu. To view the menu options, see page 573.

server
    Go to the SSL server menu. To view the menu options, see page 578.

ipsec
    Go to the IPsec server menu. To view the menu options, see page 602.

Page 574: Nortel Commands

ippool
    Go to the IP POOL menu. To view the menu options, see page 615.

portal
    Go to the Portal look and feel menu. To view the menu options, see page 619.

linkset
    Go to the Portal linkset menu. To view the menu options, see page 621.

sslclient
    Go to the SSL VPN client menu. To view the menu options, see page 625.

adv
    Go to the Advanced Settings menu. To view the menu options, see page 627.

del
    Remove the VPN.

/ssl/cfg/vpn/aaa

SSL VPN Configuration Menu

[AAA Menu]
    quick - AAA setup wizard
    tg - TunnelGuard menu
    ttl - Set login session TTL
    auth - Authentication menu
    authorder - Set authentication server fallback order
    network - Network access menu
    service - Service access menu
    appspec - Application specific menu
    filter - Client filter menu
    group - Group menu
    defgroup - Set default group
    ssodomains - Single-Sign on enabled domains menu
    ssoheaders - Single-Sign on headers menu
    radacct - RADIUS accounting menu

Table 11-31 SSL VPN Configuration AAA Menu Options

Command Syntax and Usage

quick <IP_address>
    AAA setup wizard.

Page 575: Nortel Commands

tg
    Go to the TunnelGuard menu. To view the menu options, see page 576.

ttl <TTL for idle sessions (max 31d, min 2m)>
    Set the login session TTL.

auth
    Go to the Authentication menu. To view the menu options, see page 578.

authorder <list_of_servers>
    Set the authentication server fallback order. Use a comma to separate entries.

network
    Go to the Network Access menu. To view the menu options, see page 582.

service
    Go to the Service Access menu. To view the menu options, see page 584.

appspec
    Go to the Application Specific menu. To view the menu options, see page 585.

filter
    Go to the Client Filter menu. To view the menu options, see page 588.

group
    Go to the Group menu. To view the menu options, see page 589.

defgroup <name_of_group>
    Set the default group.

ssodomains
    Go to the Single sign-on enabled domains menu. To view the menu options, see page 597.

ssoheaders
    Go to the Single Sign-on Headers menu. To view the menu options, see page 597.

radacct
    Go to the Radius Accounting menu. To view the menu options, see page 599.

Page 576: Nortel Commands

/ssl/cfg/vpn/aaa/tg
SSL VPN Configuration TunnelGuard Menu

[TG Menu]
    ena - Enable TunnelGuard
    dis - Disable TunnelGuard
    quick - Quick TunnelGuard setup wizard
    recheck - Set recheck interval
    action - Set fail action
    retry - Set UDP retry interval
    list - List SRS rules
    loglevel - Set TunnelGuard applet loglevel

Table 11-32 SSL VPN Configuration AAA TunnelGuard Menu Options

Command Syntax and Usage

ena enable|disable
Enable TunnelGuard.

dis enable|disable
Disable TunnelGuard.

Page 577: Nortel Commands

quick <TTL for idle sessions (max 31d, min 2m)>
Use the Quick TunnelGuard setup wizard. For example:

    SSL >> TG# quick
    In the event that the TunnelGuard checks fails on a client,
    the session can be teardown, or left in restricted mode
    with limited access.
    Which action do you want to use for TunnelGuard
    failure? (teardown/restricted) [restricted]: restricted
    Do you want to create a tunnelguard test user? (yes/no) [yes]: yes

    Enabling TunnelGuard
    Creating Linkset 1
     Name: tg_passed
     This Linkset just prints the TG result
    Creating Linkset 2
     Name: tg_failed
     This Linkset just prints the TG result
    Adding test SRS rule srs-rule-test
     This rule check for the presence of the file C:\tunnelguard\tg.txt
    Creating Group 1
     Name: tunnelguard
    Creating Extended Profile 1
     Giving full access when tg passed
    Creating Access rule 1
    Creating Extended Profile 2
     Giving no access when tg failed
    Using SRS rule: srs-rule-test
    Creating Authentication 1
    Adding user 'tg' with password 'tg'

    Use 'diff' to view pending changes, and 'apply' to commit

recheck <seconds>
Set the recheck interval.

action teardown|restricted
Set the Fail action.

retry <seconds, 1-65535>
Set the UDP retry interval.

list
List the SRS rules.

loglevel <string>
Set the TunnelGuard applet log level.

Page 578: Nortel Commands

/ssl/cfg/vpn/aaa/auth
SSL VPN Configuration Authentication Menu

To enter the /ssl/cfg/vpn/aaa/auth menu level, you are prompted to create an authentication if one does not already exist.

    Creating Authentication 1
    Select one of radius, ldap, ntlm, siteminder, cert, rsa or local: radius
    Auth name: Authentication_1
    Entering: RADIUS settings menu
    Entering: RADIUS servers menu
    IP Address to add: 0.0.0.0
    Port (default is 1812): 1812
    Enter shared secret: shared
    Leaving: RADIUS servers menu
    Enter vendor id [alteon]: alteon
    Enter vendor type [1]: 1
    Leaving: RADIUS settings menu

    ------------------------------------------------------------
    [Authentication 1 Menu]
        type - Set authentication mechanism
        name - Set auth name
        display - Set auth display name
        domain - Set windows domain for backend single sign-on
        radius - RADIUS settings menu
        adv - Advanced settings menu
        del - Remove Authentication

Table 11-33 SSL VPN Configuration AAA Authentication Menu Options

Command Syntax and Usage

type radius|ldap|ntlm|siteminder|cert|rsa|local
Set the authentication scheme.

name <string>
Set the authentication name. The default is local.

display <string>
Set the authentication display name.

domain <string>
Set the current windows domain for backend single sign-on.

radius <list_of_servers>
Go to the Radius menu. The menu is available only if the type is Radius (# type radius). To view the menu options, see page 579.

Page 579: Nortel Commands

adv
Go to the Advanced menu. To view the menu options, see page 582.

del
Remove the authentication.

/ssl/cfg/vpn/aaa/auth/radius
SSL VPN Configuration Authentication Radius Menu

To enter the /ssl/cfg/vpn/aaa/auth/radius menu level, the authentication type must be set to radius. For example, /ssl/vpn/aaa/auth/type radius.

[RADIUS Menu]
    servers - RADIUS servers menu
    vendorid - Set vendor id for group attribute
    vendortype - Set vendor type for group attribute
    timeout - Set RADIUS server timeout
    sessiontim - Session Timeout menu
    macro - User-defined Macro menu

Table 11-34 SSL VPN Configuration AAA Authentication Radius Menu Options

Command Syntax and Usage

servers
Go to the Radius servers menu. To view the menu options, see page 580.

vendorid <string>
Set the switch vendor ID.

vendortype <vendortype>
Set the vendor type.

timeout <integer, 1 to 1000 seconds>
Set the Radius server timeout.

sessiontim
Go to the Sessiontim menu. To view the menu options, see page 580.

macro
Go to the Macro menu. To view the menu options, see page 581.

Page 580: Nortel Commands

/ssl/cfg/vpn/aaa/auth/radius/servers
SSL VPN Configuration Authentication Radius Servers Menu

[RADIUS Servers Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value
    insert - Insert a new value
    move - Move a value by number

Table 11-35 SSL VPN Configuration AAA Authentication Radius Menu Options

Command Syntax and Usage

list
List all values (servers).

del <index_number>
Delete a server value by name.

add <ip> <port, default=1812> <secret>
Add a new value (server).

insert <position> <ip> <port> <secret>
Insert a value into the list.

move <value> <value>
Move a value position in the list.

/ssl/cfg/vpn/aaa/auth/radius/sessiontim
SSL VPN Configuration Authentication Radius Session Timeout Menu

[SessionTimeout Menu]
    vendorid - Set vendor id for session timeout attribute
    vendortype - Set vendor type for session timeout attribute
    ena - Enable Session-Timeout
    dis - Disable Session-Timeout

Page 581: Nortel Commands

Table 11-36 SSL VPN Configuration AAA Authentication Radius Session Timeout Menu Options

Command Syntax and Usage

vendorid <vendorid>
Set the vendor ID number.

vendortype <value>
Set the Vendor Type number.

ena enable|disable
Enable session timeout.

dis enable|disable
Disable session timeout.

/ssl/cfg/vpn/aaa/auth/radius/macro
SSL VPN Configuration Authentication Radius Macro Menu

[Macro Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value
    insert - Insert a new value
    move - Move a value by number

Table 11-37 SSL VPN Configuration AAA Authentication Radius Macro Menu Options

Command Syntax and Usage

list
List all values.

del <value>
Delete a value using its number.

add <vendorid> <vendortype> <attribute_type (IP, <string> <integer>)>
Add a value.

insert <index_position> <vendorid> <vendortype> <attribute_type_string>
Insert a value.

move <value> <value>
Move a value’s position in the list.

Page 582: Nortel Commands

/ssl/cfg/vpn/aaa/auth/adv
SSL VPN Configuration Authentication Advanced Menu

[Advanced Menu]
    groupauth - Set Authentication server list of group information
    secondauth - Set Secondary authentication server

Table 11-38 SSL VPN Configuration AAA Authentication Advanced Menu Options

Command Syntax and Usage

groupauth <hostnames>
Set the list of authentication servers. Separate values using a comma.

secondauth <hostname>
Set the secondary authentication server.

/ssl/cfg/vpn/aaa/network
SSL VPN Configuration Network Menu

To enter the /ssl/cfg/vpn/aaa/network menu level, you are prompted to create a network if one does not already exist.

    SSL >> AAA# network
    Enter network number or name: (1-1023) 1
    Creating Network 1
    Network name: Network_1

    ------------------------------------------------------------
    [Network 1 Menu]
        name - Set network name
        subnet - Subnet menu
        comment - Set comment
        del - Remove network

Table 11-39 SSL VPN Configuration AAA Network Menu Options

Command Syntax and Usage

name <string>
Set the network name.

subnet
Go to the Subnet menu. To view the menu options, see page 583.

Page 583: Nortel Commands

comment <text_string>
Create a text description (comment) about the network.

del
Remove the network. The network will be removed when the global /apply command is entered.

/ssl/cfg/vpn/aaa/network/subnet
SSL VPN Configuration Network Subnet Menu

To enter the /ssl/cfg/vpn/aaa/network/subnet menu level, you are prompted to create a subnet if one does not already exist.

    SSL >> Network 1# sub
    Enter subnet number: (1-1023) 1
    Creating Network Subnet 1
    Enter host name: Subnet_1
    Enter network address: 0.0.0.0
    Enter network netmask: netmask

    ------------------------------------------------------------
    [Network Subnet 1 Menu]
        host - Set Host Name
        net - Set network address
        mask - Set network mask
        del - Remove subnet

Table 11-40 SSL VPN Configuration AAA Network Subnet Menu Options

Command Syntax and Usage

host <hostname>
Set the hostname for the subnet.

net <IP_address>
Set the subnet address.

mask <IP_address>
Set the Network mask.

del
Remove the Subnet.

Page 584: Nortel Commands

/ssl/cfg/vpn/aaa/service
SSL VPN Configuration Service Menu

To enter the /ssl/cfg/vpn/aaa/service menu level, you are prompted to create a service if one does not already exist.

    SSL >> AAA# service
    Enter service number or name: (1-1023) 1
    Creating Service 1
    Service name: Service_1
    Enter service protocol (list of tcp,udp): tcp
    Enter service ports: 1,2,3

    ------------------------------------------------------------
    [Service 1 Menu]
        name - Set service name
        protocol - Set allowed protocols
        ports - Set allowed port
        comment - Set comment
        del - Remove Service

Table 11-41 SSL VPN Configuration AAA Service Menu Options

Command Syntax and Usage

name <service_name>
Set the service name.

protocol tcp|udp
Set the protocols that are allowed.

ports <integers>
Set the allowed ports. If more than one, use commas to separate.

comment <string>
Create a description (comment) about the service.

del
Delete the service.

Page 585: Nortel Commands

/ssl/cfg/vpn/aaa/appspec
SSL VPN Configuration Application specific Menu

To enter the /ssl/cfg/vpn/aaa/appspec menu level, you are prompted to create a network if one does not already exist.

    SSL >> AAA# appspec
    Enter appspec number or name: (1-1023) 1
    Creating AppSpecific 1
    AppSpec name: AppSpec_1
    Entering: Paths menu
    Path format:
    The paths are formated differently for different applications.
    For smb you write the path as /<WORKGROUP>/<FILESHARE>/<FILE PATH>,
    for example /NORTEL/homes/public
    This will give access to the public directory in the homes share
    in the NORTEL workgroup/domain.

    For ftp you write the path as <ABSOLUTE FILE PATH>, for example /home/share/public/
    This will give access to the /home/share/public. Note that all paths
    are absolute from the root.

    For web servers you write the path <SERVER PATH>, for example /intranet
    This will give access to the /intranet path on the web server.

    Enter path: /path
    Leaving: Paths menu.
    ----------------------------------------------
    [AppSpecific 1 Menu]
        name - Set appspec name
        paths - Paths menu
        comment - Set comment
        del - Remove AppSpec

Table 11-42 SSL VPN Configuration AAA Application specific Menu Options

Command Syntax and Usage

name <appsec_name>
Create an application name.

paths
Go to the Paths menu. To view the menu options, see page 571.

Page 586: Nortel Commands

comment <string>
Create a description (comment) about the Application.

del
Delete the application.

Page 587: Nortel Commands

/ssl/cfg/vpn/aaa/appspec/paths
SSL VPN Configuration Application specific Paths Menu

[Paths Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value
    insert - Insert a new value
    move - Move a value by number

Table 11-43 SSL VPN Configuration AAA Application specific Paths Menu Options

Command Syntax and Usage

list
List all paths.

del <path_value>
Delete a path by its number.

add
Add a new path. For example:

    SSL >> Paths# list
    Old:
    Pending:
      1: /info

    SSL >> Paths# add
    Path format:
    The paths are formated differently for different applications.
    For smb you write the path as /<WORKGROUP>/<FILESHARE>/<FILE PATH>,
    for example /NORTEL/homes/public
    This will give access to the public directory in the homes share
    in the NORTEL workgroup/domain.

    For ftp you write the path as <ABSOLUTE FILE PATH>, for example /home/share/public/
    This will give access to the /home/share/public. Note that all paths
    are absolute from the root.

    For web servers you write the path <SERVER PATH>, for example /intranet
    This will give access to the /intranet path on the web server.

    Enter path: /home/storage

insert <index>
Insert a path into the path list.

Page 588: Nortel Commands

del
Delete the path.

/ssl/cfg/vpn/aaa/filter
SSL VPN Configuration AAA Filter Menu

To enter the /ssl/cfg/vpn/aaa/filter menu level, you are prompted to create a service if one does not already exist.

    SSL >> AAA# filter
    Enter client filter number or name: (1-63) 1
    Creating Client Filter 1
    Filter name: Filter_1

    ------------------------------------------------------------
    [Client Filter 1 Menu]
        name - Set filter name
        cert - Client certificate present
        iewiper - IE cache wiper present
        tg - TunnelGuard checks passed
        methods - Set access methods
        authserver - Set authentication servers
        clientnet - Set client network reference
        comment - Set comment
        del - Remove client filter

Table 11-44 SSL VPN Configuration AAA Filter Menu Options

Command Syntax and Usage

name <filter_name>
Set the filter name.

cert true|false|ignore
Enter the applicability of a certificate.

iewiper true|false|ignore
Set the presence of the IE cache wiper.

tg true|false|ignore
Set the state of the TunnelGuard checks passed.

Page 589: Nortel Commands

methods ssl|ipsec|netdirect
Set the access methods.

authserver <hostnames>
Set authentication server names. If more than one, separate the names using a comma.

clientnet <clientnet_hostname>
Set client network reference.

comment
Create a description (comment) of the filter.

del
Remove the client filter.

/ssl/cfg/vpn/aaa/group
SSL VPN Configuration AAA Group Menu

To enter the /ssl/cfg/vpn/aaa/group menu level, you are prompted to create a service if one does not already exist.

    SSL >> AAA# group
    Enter group number or name: (1-1023) 1
    Creating Group 1
    Group name: Group_1
    Enter number of sessions (0 is unlimited): 0
    Enter user type (advanced/medium/novice): novice

    ------------------------------------------------------------
    [Group 1 Menu]
        name - Set group name
        access - Access rule menu
        print - Print access rules
        restrict - Set number of login sessions
        usertype - Set portal user type
        linkset - Linkset menu
        extend - Extended profiles menu
        tgsrs - Set TunnelGuard SRS Rule
        ipsec - IPsec menu
        comment - Set comment
        del - Remove group

Page 590: Nortel Commands

Table 11-45 SSL VPN Configuration AAA Group Menu Options

Command Syntax and Usage

name <string>
Set the group name.

access
Go to the Access rule menu. To view the menu options, see page 591.

print
Display the Access rules. For example:

    SSL >> Group 1# print
    Network Ports Proto Path Action
    ------- ----- ----- ---- ------

restrict <integer>
Restrict the number of login sessions. The default is 0 (unlimited).

usertype advanced|medium|novice
Set the user level.

linkset
Go to the Linkset menu. To view the menu options, see page 592.

extend
Go to the Extended Profiles menu. To view the menu options, see page 593.

tgsrs <string>
Set the TunnelGuard SRS rule.

ipsec
Go to the IPSEC menu. To view the menu options, see page 595.

comment
Create a description (comment) of the Group.

del
Delete the group.

Page 591: Nortel Commands

/ssl/cfg/vpn/aaa/group/access
SSL VPN Configuration AAA Group Access Menu

To enter the /ssl/cfg/vpn/aaa/group/access menu level, you are prompted to create a service if one does not already exist.

    SSL >> Group 1# access
    Enter access rule number: (1-1023) 1
    Creating Access rule 1
    Enter network name: Network_1
    Enter service name: Service_1
    Enter application specific name: Application_1
    Enter action (accept/reject): accept

    ------------------------------------------------------------
    [Access rule 1 Menu]
        network - Set network reference
        service - Set service reference
        appspec - Set application specific reference
        action - Set action
        comment - Set access rule comment
        del - Remove access rule

Table 11-46 SSL VPN Configuration AAA Group Access Menu Options

Command Syntax and Usage

network <network_name>
Enter the network name reference.

service <service_name>
Set the Service name reference.

appspec <application_name>
Set the application specific name reference.

action accept|reject
Accept or reject the creation of this Access rule.

comment
Create a description (comment) of this Access rule.

del
Delete the Access rule.

Page 592: Nortel Commands

/ssl/cfg/vpn/aaa/group/linkset
SSL VPN Configuration AAA Group Linkset Menu

[Linksets Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value
    insert - Insert a new value
    move - Move a value by number

Table 11-47 SSL VPN Configuration AAA Group Linkset Menu Options

Command Syntax and Usage

list
List all of the configured linksets.

add <linkset_name>
Add a linkset name.

insert <position> <name>
Insert a linkset into the linkset list.

move <value> <value>
Move the linkset from one position to another in the linkset list.

Page 593: Nortel Commands

/ssl/cfg/vpn/aaa/group/extend
SSL VPN Configuration AAA Group Extend Profiles Menu

To enter the /ssl/cfg/vpn/aaa/group/extend menu level, you are prompted to create an extended service profile if one does not already exist.

    SSL >> Group 1# extend
    Enter profile number or name (1-63): 1
    Creating Extended Profile 1
    Enter client filter name: Filter_1
    Enter user type (advanced/medium/novice): novice

    ------------------------------------------------------------
    [Extended Profile 1 Menu]
        filter - Set client filter reference
        access - Access rule menu
        print - Print access rules
        usertype - Set portal user type
        linkset - Linkset menu
        del - Remove profile

Table 11-48 SSL VPN Configuration AAA Group Extend Profiles Menu Options

Command Syntax and Usage

filter <client_filter_name>
Set the client filter name reference.

access
Go to the Access Rule menu. To view the menu options, see page 594.

print
Display the extended profile information.

usertype advanced|medium|novice
Set the portal user level.

linkset
Go to the Linkset menu. To view the menu options, see page 595.

del
Delete the Extended Profile.

Page 594: Nortel Commands

/ssl/cfg/vpn/aaa/group/extend/access
SSL VPN Configuration AAA Group Extend Profiles Access Menu

[Access rule 1 Menu]
    network - Set network reference
    service - Set service reference
    appspec - Set application specific reference
    action - Set action
    comment - Set access rule comment
    del - Remove access rule

Table 11-49 SSL VPN Configuration AAA Group Extend Profiles Access Menu Options

Command Syntax and Usage

network <network_name>
Set the network name reference.

service <service_name>
Set the Service name reference.

appspec <application_name>
Set the Application name reference.

action accept|reject
Accept or reject the Access rule change.

comment
Create a description (comment) of the Access rule.

del
Delete the Extended Profile Access rule.

Page 595: Nortel Commands

/ssl/cfg/vpn/aaa/group/extend/linkset
SSL VPN Configuration AAA Group Extend Profiles Link-set Menu

[Linksets Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value
    insert - Insert a new value
    move - Move a value by number

Table 11-50 SSL VPN Configuration AAA Group Extend Profiles Linkset Menu Options

Command Syntax and Usage

list
List all of the configured Extended Profile linksets.

del <extended_profile_linkset_name>
Delete the Extended Profile Linkset.

add <extended_profile_linkset_name>
Add an Extended Profile linkset name.

insert <position> <name>
Insert an Extended Profile linkset into the linkset list.

move <value> <value>
Move the Extended Profile linkset from one position to another in the linkset list.

/ssl/cfg/vpn/aaa/group/ipsec
SSL VPN Configuration AAA Group IPsec Menu

[IPsec Menu]
    secret - Set shared secret
    utunnel - Set user tunnel profile

Table 11-51 SSL VPN Configuration AAA Group IPsec Menu Options

Command Syntax and Usage

secret <string>
Set the group Secret value.

Page 596: Nortel Commands

utunnel <string>
Set the user tunnel profile name.

Page 597: Nortel Commands

/ssl/cfg/vpn/aaa/ssodomains
SSL VPN Configuration AAA Single-sign on Enabled Domains Menu

[SSO Domain menu Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value

Table 11-52 SSL VPN Configuration AAA Single-sign on enabled Domains Menu Options

Command Syntax and Usage

list
List all of the SSO domains.

del <index>
Delete an SSO domain.

add <domain_name> <mode, normal|add_domain>
Add an SSO domain.

/ssl/cfg/vpn/aaa/ssoheaders
SSL VPN Configuration AAA Single-sign on Headers Menu

[SSO headers menu Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value
    insert - Insert a new value
    move - Move a value by number

Table 11-53 SSL VPN Configuration AAA Single-sign on Headers Menu Options

Command Syntax and Usage

list
List all of the configured SSO Headers.

del <SSO Headers_name>
Delete the SSO Header.

Page 598: Nortel Commands

add <domain> <header_pattern>
Add an SSO Header.

insert <position> <domain> <header_name>
Insert an SSO Header into the headers list.

move <value> <value>
Move the SSO Headers from one position to another in the SSO Headers list.

Page 599: Nortel Commands

/ssl/cfg/vpn/aaa/radacct
SSL VPN Configuration AAA Radius Accounting Menu

[RADIUS Accounting Menu]
    servers - RADIUS accounting servers menu
    vpnattribu - VPN attribute menu
    ena - Enable RADIUS accounting
    dis - Disable RADIUS accounting

Table 11-54 SSL VPN Configuration AAA Radius Accounting Menu Options

Command Syntax and Usage

servers
Go to the Radius servers menu. To view the menu options, see page 599.

vpnattribu
Go to the VPN attribute menu. To view the menu options, see page 601.

ena enable|disable
Enable AAA radius accounting.

dis enable|disable
Disable AAA radius accounting.

/ssl/cfg/vpn/aaa/radacct/servers
SSL VPN Configuration AAA Radius Accounting Servers Menu

[RADIUS Accounting Servers Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value
    insert - Insert a new value
    move - Move a value by number

Table 11-55 SSL VPN Configuration AAA Radius Accounting Menu Options

Command Syntax and Usage

list
List all of the configured Radius Accounting servers.

del <Radius_Accounting_server_name>
Delete the SSO Header.

Page 600: Nortel Commands

add <ip_address> <port> <secret>
Add a Radius Account.

insert <position> <ip_address> <port> <secret>
Insert a Radius account into the account list.

move <value> <value>
Move the Radius account from one position to another in the account list.

Page 601: Nortel Commands

/ssl/cfg/vpn/aaa/radacct/vpnattribu
SSL VPN Configuration AAA Radius Accounting VPN attributes Menu

[VPN Attribute Menu]
    vendorid - Set vendor id for the VPN attribute
    vendortype - Set vendor type for the VPN attribute

Table 11-56 SSL VPN Configuration AAA Radius Accounting VPN attributes Menu Options

Command Syntax and Usage

vendorid <vendorID>
Set the vendor name.

vendortype <integer>
Set the vendor type.

/ssl/cfg/vpn/server
SSL VPN Configuration Server Menu

[Server Menu]
    port - Set listen port of server
    dnsname - Set DNS name of server
    trace - Traffic trace menu
    ssl - SSL settings menu
    tcp - TCP endpoint settings menu
    http - HTTP settings menu
    proxymap - Intranet proxy configuration menu
    portal - Portal settings menu
    adv - Advanced settings menu
    ena - Enable virtual server
    dis - Disable virtual server

Table 11-57 SSL VPN Configuration Server Menu Options

Command Syntax and Usage

port <integer, 1-65534>
Set the listen port of the server.

dnsname <fully_qualified_DNS_name>
Set the DNS name of the server.

Page 602: Nortel Commands

trace
Go to the Trace menu. To view the menu options, see page 602.

ssl
Go to the SSL settings menu. To view the menu options, see page 603.

tcp
Go to the TCP endpoint settings menu. To view the menu options, see page 605.

http
Go to the HTTP settings menu. To view the menu options, see page 606.

proxymap
Go to the Intranet Proxy configuration menu. To view the menu options, see page 608.

portal
Go to the Portal menu. To view the menu options, see page 609.

adv
Go to the Advanced settings menu. To view the menu options, see page 609.

ena enable|disable
Enable the VPN server.

dis enable|disable
Disable the VPN server.

/ssl/cfg/vpn/server/trace
SSL VPN Configuration Server Traffic Trace Menu

[Trace Menu]
    ssldump - Create traffic dump
    tcpdump - Create traffic dump
    ping - Ping through backend interface
    dnslookup - Lookup a name in DNS through backend interface
    traceroute - traceroute through backend interface

Table 11-58 SSL VPN Configuration Server Traffic Trace Menu Options

Command Syntax and Usage

ssldump
Create an SSL traffic dump. See the tcpdump documentation for a description of the patterns that are allowed (http://www.tcpdump.org/tcpdump_man.html).

Page 603: Nortel Commands

standalone on|off
Create a TCP traffic dump. See the tcpdump documentation for a description of the patterns that are allowed (http://www.tcpdump.org/tcpdump_man.html).

ping <hostname>
Ping through the backend interface.

dnslookup <hostname>
Look up a name in DNS through the backend interface.

traceroute
Traceroute through backend interface. Use this command to identify the route used for station-to-station connectivity across the network.

/ssl/cfg/vpn/server/ssl
SSL VPN Configuration Server SSL Settings Menu

[SSL Settings Menu]
    cert - Set server certificate
    cachesize - Set SSL cache size
    cachettl - Set SSL cache timeout
    cacerts - Set list of accepted signers of client certificates
    cachain - Set list of CA chain certificates
    protocol - Set protocol version
    ciphers - Set cipher list
    verify - Set certificate verification level
    ena - Enable SSL
    dis - Disable SSL

Table 11-59 SSL VPN Configuration Server SSL Settings Menu Options

Command Syntax and Usage

cert <certificate_number, 1 to 1500>
Set the IP address of the VPN.

cachesize <integer, 0 to 10000>
Set the SSL cache size (kBytes).

cachettl <integer>
Set the SSL cache timeout (in minutes).

Page 604: Nortel Commands

cacerts <certificate_numbers>
Set the list of accepted signers of client certificates. If more than one, use a comma to separate the entries.

cachain <certificate_numbers>
Set the list of CA chain certificates. If more than one, use a comma to separate the entries.

protocol ssl2|ssl3|ssl23|tls1
Set the protocol version.

ciphers
Set the cipher list. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical and operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms). Each cipher string can be optionally preceded by the characters !, - or +:

! permanently deletes the ciphers from the list (e.g. !RSA).
- deletes the ciphers from the list, but the ciphers can be added again by later options.
+ moves the ciphers to the end of the list. This option does not add any new ciphers.

Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.

verify none|optional
Set the certificate verification level.

ena enable|disable
Enable SSL.

dis enable|disable
Disable SSL.


/ssl/cfg/vpn/server/tcp
SSL VPN Configuration Server TCP endpoint Settings Menu

[TCP Settings Menu]
    cwrite   - Set client TCP write timeout
    ckeep    - Set client TCP keep alive timeout
    skeep    - Set socks client TCP keep alive heartbeat timeout
    swrite   - Set server TCP write timeout
    sconnect - Set server TCP connect timeout
    csendbuf - Set client TCP send buffer size
    crecbuf  - Set client TCP receive buffer size
    ssendbuf - Set server TCP send buffer size
    srecbuf  - Set server TCP receive buffer size

Table 11-60 SSL VPN Configuration Server TCP endpoint settings Menu Options

Command Syntax and Usage

ips <integer, 1 to 2147483647s>
    Set client TCP write timeout, in seconds.

ckeep <integer, 1 to 2147483647s>
    Set client TCP keep alive timeout.

skeep <integer, 1 to 2147483647s>
    Set the SOCKS client TCP keep alive heartbeat timeout.

swrite <integer, 1 to 2147483647s>
    Set the server TCP write timeout.

sconnect <integer, 1 to 2147483647s>
    Set the server TCP connect timeout.

csendbuf auto|<integer, 2000 to 100000>
    Set the client TCP send buffer size (Bytes).

crecbuf auto|<integer, 2000 to 100000>
    Set the client TCP receive buffer size (Bytes).

ssendbuf auto|<integer, 2000 to 100000>
    Set the server TCP send buffer size (Bytes).

srecbuf auto|<integer, 2000 to 100000>
    Set server TCP receive buffer size (Bytes).


/ssl/cfg/vpn/server/http
SSL VPN Configuration Server HTTP Settings Menu

[HTTP Settings Menu]
    downstatus - Set server down reply status
    rewrite    - SSL triggered rewrite menu
    securecook - Set add secure option to session cookie
    sslheader  - Add SSL header
    sslxheader - Add SSL header with serial in hex
    sslsidhead - Add SSL SID header
    addxfor    - Add X-Forwarded-For header
    addvia     - Add Via header
    addxisd    - Add HTTP-X-ISD debug header
    addclicert - Add Client-Cert as a HTTP header
    addnostore - Add no-cache/no-store HTTP header
    allowimage - Allow image caching
    allowdoc   - Allow document caching
    allowscrip - Set allow script caching
    allowica   - Allow ICA file caching
    cmsie      - Set MSIE session termination bug workaround
    maxrcount  - Set max number of persistant client requests
    maxline    - Set max line length

Table 11-61 SSL VPN Configuration Server HTTP settings Menu Options

Command Syntax and Usage

downstatus unavailable|redirect|reset
    Set the server down reply status.

rewrite on|off
    Go to the SSL triggered Rewrite menu. To view the menu options, see page 607.

securecook on|off
    Set the “add secure” option for the session cookie.

sslheader on|off
    Add an SSL session ID header.

sslxheader on|off
    Add an SSL header with serial number in hexadecimal.

sslsidhead on|off
    Add an SSL SID header.

addxfor on|off|anonymous|remove
    Add X-Forwarded-For header.


addvia on|off|anonymous|remove
    Set VIA header.

addxisd on|off
    Set HTTP-X-ISD debug header.

addclicert on|off
    Set Client-Cert as a HTTP header.

addnostore on|off
    Set no-cache/no-store HTTP header.

allowimage on|off
    Set image caching.

allowdoc on|off
    Set document caching.

allowscrip on|off
    Set allow script caching.

allowica on|off
    Set ICA file caching.

cmsie on|off
    Set MSIE session termination bug workaround.

maxrcount <integer>
    Set max number of persistent client requests.

maxline <integer>
    Set the maximum line length.

/ssl/cfg/vpn/server/http/rewrite
SSL VPN Configuration Server SSL triggered rewrite Menu

[Rewrite Menu]
    rewrite  - Set SSL triggered rewrite
    ciphers  - Set accepted ciphers
    response - Set source of response
    URI      - Set URI with the weak cipher alert


Table 11-62 SSL VPN Configuration Server SSL triggered rewrite Menu Options

Command Syntax and Usage

rewrite on|off
    Set SSL triggered rewrite. For step-up certificates we recommend ALL:-RC2:-SHA1:@STRENGTH.

ciphers <string>
    Set the accepted ciphers. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical AND operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms). Each cipher string can be optionally preceded by the characters !, - or +:

    ! permanently deletes the ciphers from the list (e.g. !RSA).
    - deletes the ciphers from the list, but the ciphers can be added again by later options.
    + moves the ciphers to the end of the list. This option doesn't add any new ciphers; it just moves matching existing ones.

    Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.

response iSD|WebServer
    Set the source of response.

URI <WebServer response only>
    Set the URI with the weak cipher alert. For example, /cgi-bin/weakcipher.

/ssl/cfg/vpn/server/proxymap
SSL VPN Configuration Server Intranet Proxy settings Menu

The PROXY menu is not available for type portal and socks servers.

[Proxy Mapping Menu]
    list   - List all values
    del    - Delete a value by number
    add    - Add a new value
    insert - Insert a new value
    move   - Move a value by number

Table 11-63 SSL VPN Configuration Server Intranet Proxy settings Menu Options

Command Syntax and Usage

list
    List all of the server Intranet Proxy settings.


del <Proxy_server_name>
    Delete the Intranet Proxy server.

add <ip_address> <port>
    Add an Intranet Proxy server.

insert <position> <ip_address> <port>
    Insert an Intranet Proxy server into the Proxy server list.

move <value> <value>
    Move the Intranet Proxy server from one position to another in the server list.

ssl/cfg/vpn/server/portal
SSL VPN Configuration Server Portal settings Menu

[Portal Settings Menu]
    resetcooki - Set Re-Set session cookie in each request
    domain     - Set cookie domain
    persistent - Set use persistent session cookies

Table 11-64 SSL VPN Configuration Server Portal settings Menu Options

Command Syntax and Usage

resetcooki on|off
    Set the Reset session cookie in each request.

domain <domain_name>
    Set the cookie domain name for the portal.

persistent on|off
    Set the use of persistent session cookies.

ssl/cfg/vpn/server/adv
SSL VPN Configuration Server Advanced Menu

[Advanced Settings Menu]
    traflog    - UDP syslog Traffic Log menu
    sslconnect - SSL connect menu


Table 11-65 SSL VPN Configuration Server Advanced Menu Options

Command Syntax and Usage

traflog <IP_address>
    Go to the UDP syslog Traffic Log menu. To view the menu options, see page 610.

sslconnect on|off
    Go to the SSL Connect menu. To view the menu options, see page 611.

ssl/cfg/vpn/server/adv/traflog
SSL VPN Configuration Server UDP Syslog Traffic Log Menu

[Traffic Log Settings Menu]
    sysloghost - Set syslog host IP
    udpport    - Set syslog portnumber
    priority   - Set syslog priority
    facility   - Set syslog facility
    ena        - Enable traffic UDP syslog logging
    dis        - Disable traffic UDP syslog logging

Table 11-66 SSL VPN Configuration Server UDP Syslog Traffic Log Menu Options

Command Syntax and Usage

sysloghost <IP_address>
    Set the IP address of the VPN.

udpport <UDP_port_number>
    Set the standalone mode.

priority <syslog_name>
    Set the syslog priority.

facility <string>
    Set the syslog facility.

ena enable|disable
    Enable traffic UDP syslog messaging.

dis
    Disable traffic UDP syslog messaging.


ssl/cfg/vpn/server/adv/sslconnect
SSL VPN Configuration Server SSL Connect Menu

[SSL Connect Settings Menu]
    protocol - Set protocol version
    cert     - Set client certificate
    ciphers  - Set accepted ciphers for ssl connect
    verify   - Verify server menu

Table 11-67 SSL VPN Configuration Server UDP Syslog Traffic Log Menu Options

Command Syntax and Usage

protocol ssl2|ssl3|ssl23|tls1
    Set the Protocol version.

cert <certificate_number, 1 to 1500>
    Set the client certificate.

ciphers
    Set the accepted ciphers for SSL connection. The cipher list consists of one or more cipher strings separated by colons (e.g. SSLv3:TLSv1). Lists of cipher suites can be combined using a logical AND operation (+) (e.g. SHA1+DES represents all cipher suites containing the SHA1 and the DES algorithms). Each cipher string can be optionally preceded by the characters !, - or +.

    ! permanently deletes the ciphers from the list (e.g. !RSA).
    - deletes the ciphers from the list, but the ciphers can be added again by later options.
    + moves the ciphers to the end of the list.

    Additionally, the cipher string @STRENGTH sorts the current cipher list in order of encryption algorithm key length.

verify
    Go to the Verify server menu. To view the menu options, see page 612.
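The ciphers entries in the SSL Settings, SSL triggered rewrite and SSL Connect menus all use the same list operators. The Python model below is an added example, not code from this manual or from the switch: the suite catalogue and tags are constructed, and the evaluator is a simplified model of the operator semantics described above, useful for checking what a cipher string leaves enabled before it is applied.

```python
"""Simplified model of the cipher-list operators (!, -, +, @STRENGTH).
Assumption: the catalogue and tags below are constructed for illustration;
they are not the switch's real suite table."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    tags: frozenset  # selectors that match this suite
    bits: int        # encryption key length used by @STRENGTH


def _suite(name, bits, *tags):
    return Suite(name, frozenset(tags) | {"ALL"}, bits)


CATALOGUE = [
    _suite("DHE-RSA-AES128-SHA", 128, "DH", "RSA", "AES", "SHA1"),
    _suite("DES-CBC3-SHA", 168, "RSA", "3DES", "SHA1"),
    _suite("RC4-SHA", 128, "RSA", "RC4", "SHA1"),
    _suite("RC4-MD5", 128, "RSA", "RC4", "MD5"),
    _suite("DES-CBC-SHA", 56, "RSA", "DES", "SHA1"),
    _suite("EXP-RC2-CBC-MD5", 40, "RSA", "RC2", "MD5", "EXPORT"),
]
KNOWN_TAGS = frozenset().union(*(s.tags for s in CATALOGUE))


def evaluate(cipher_string):
    """Return the ordered list of Suite objects a cipher string enables."""
    active = []     # current ordered cipher list
    killed = set()  # names removed with '!': can never be added again
    for token in cipher_string.split(":"):
        token = token.strip()
        if not token:
            continue
        if token == "@STRENGTH":
            # list.sort is stable, so equal key lengths keep their order
            active.sort(key=lambda s: -s.bits)
            continue
        op = token[0] if token[0] in "!-+" else ""
        wanted = frozenset(token[len(op):].split("+"))  # A+B means A AND B
        unknown = wanted - KNOWN_TAGS
        if unknown:
            # Model choice: fail loudly so a typo cannot silently do nothing
            raise ValueError(f"unknown selector in {token!r}: {sorted(unknown)}")
        hits = [s for s in CATALOGUE if wanted <= s.tags]
        if op == "!":    # permanent delete
            killed.update(s.name for s in hits)
            active = [s for s in active if s not in hits]
        elif op == "-":  # delete, may be re-added by a later token
            active = [s for s in active if s not in hits]
        elif op == "+":  # move existing matches to the end, add nothing
            moved = [s for s in active if s in hits]
            active = [s for s in active if s not in hits] + moved
        else:            # plain selector: append matches not yet present
            for s in hits:
                if s not in active and s.name not in killed:
                    active.append(s)
    return active


def names(cipher_string):
    return [s.name for s in evaluate(cipher_string)]


def below_strength(cipher_string, min_bits=128):
    """Names of enabled suites whose key length is under min_bits."""
    return [s.name for s in evaluate(cipher_string) if s.bits < min_bits]


if __name__ == "__main__":
    for cs in ("ALL:-RC4:RC4", "ALL:!RC4:RC4", "ALL:!EXPORT:!DES:@STRENGTH"):
        print(f"{cs:30} -> {names(cs)}")
        print(f"{'':30}    under 128 bits: {below_strength(cs)}")
```

The first two strings in the demo differ only in `-` versus `!`: with `-RC4` the later `RC4` token puts the RC4 suites back at the end of the list, with `!RC4` it cannot.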


ssl/cfg/vpn/server/adv/sslconnect/verify
SSL VPN Configuration Server SSL Connect verify Server Menu

[SSL Connect Verify Settings Menu]
    verify     - Set certificate verification level
    commonname - Set server common name
    cacerts    - Set list of accepted signers server's certificate

Table 11-68 SSL VPN Configuration Server SSL Connect Verify Server Menu Options

Command Syntax and Usage

verify none|verify
    Set the certificate verification level.

commonname <string>
    Set the server common name.

cacerts <certificate_numbers>
    Set the list of accepted signers for each server certificate. If more than one, use a comma to separate each entry.

/ssl/cfg/vpn/ipsec
SSL VPN Configuration IPsec Server Menu

[IPsec Menu]
    ena      - Enable IPsec
    dis      - Disable IPsec
    quick    - Quick IPsec setup wizard
    ikeprof  - IKE profile
    utunprof - User tunnel profile
    cacerts  - Set list of accepted signers of clients certificate
    cert     - Set server certificate

Table 11-69 SSL VPN Configuration IPSEC Server Menu Options

Command Syntax and Usage

ena [enable|disable]
    Enable IPsec.


dis [enable|disable]
    Disable IPsec.

quick
    Use the Quick IPsec setup wizard. For example:

    SSL >> IPsec# quick
    Do you want to use IPsec Group login? (yes/no) [no]: n
    Lower IP address in pool range: 0.0.0.0
    Upper IP address in pool range: 1.1.1.1
    Enabled IPsec
    Creating IKE Profile 1 Name: vpn_1_1
    Creating User Tunnel Profile 1 Name: vpn_1_1
    You should create a AAA group for the user tunnel profile
    Enabled Pool
    Use apply to activate the changes

ikeprof
    Go to the IKE profile menu.

utunprof
    Set the User tunnel profile.

cacerts
    Set the list of accepted signers of clients certificate.

cert
    Set the server certificate.


/ssl/cfg/vpn/ipsec/ikeprof
SSL VPN Configuration IPsec Server IKE Profile Menu

[IKE Profile 1 Menu]
    name       - Set IKE profile name
    del        - Remove IKE Profile
    enc        - Encryption mask menu
    dh         - Diffie-Hellman group mask menu
    pfs        - Enable Perfect Forward Secrecy
    initcontac - Accept ISAKMP initial contact payload
    rekeytime  - Set rekey time limit
    rekeytraf  - Set rekey traffic limit
    retransmit - Set ISAKMP retransmit interval
    maxretrans - Set ISAKMP max attempts retransmits
    replaywins - Set replay window size
    nat        - NAT menu
    deadpeer   - Dead peer menu

Table 11-70 SSL VPN Configuration IPSEC Server IKE Profile Menu Options

Command Syntax and Usage

name <string>
    Set the IKE profile name.

del <IKE_profile_name>
    Disable IPsec.

enc
    Go to the Encryption mask menu. To view the menu options, see page 615.

dh
    Go to the Diffie-Hellman group mask menu. To view the menu options, see page 616.

pfs on|off
    Enable Perfect Forward Secrecy.

initcontac on|off
    Accept ISAKMP initial contact payload.

rekeytime <integer>
    Set the rekey time limit, in seconds.

rekeytraf <integer>
    Set rekey traffic limit, in KBytes.

retransmit <integer>
    Set ISAKMP retransmit limit, in seconds.


maxretrans <integer>
    Set the maximum ISAKMP attempts to retransmit.

replaywins <integer>
    Set replay window size.

nat
    Go to the NAT menu. To view the menu options, see page 617.

deadpeer
    Go to the Dead Peer menu. To view the menu options, see page 617.

/ssl/cfg/vpn/ipsec/ikeprof/enc
SSL VPN Configuration IPsec Server IKE Profile Encryption Menu

[Encryption Menu]
    hmac_md5   - Set HMAC with MD5
    hmac_sha   - Set HMAC with SHA
    null_md5   - Set NULL with MD5
    null_sha   - Set NULL with SHA
    des_md5    - Set DES with MD5
    des_sha    - Set DES with SHA
    3des_md5   - Set 3DES with MD5
    3des_sha   - Set 3DES with SHA
    aes_128_sh - Set 128 bits AES with SHA

Table 11-71 SSL VPN Configuration IPSEC Server IKE Profile Encryption Menu Options

Command Syntax and Usage

hmac_md5 on|off
    Set HMAC with MD5.

hmac_sha on|off
    Set HMAC with SHA.

null_md5 on|off
    Set NULL with MD5.

null_sha on|off
    Set NULL with SHA.


des_md5 on|off
    Set DES with MD5.

des_sha on|off
    Set DES with SHA.

3des_md5 on|off
    Set 3DES with MD5.

3des_sha on|off
    Set 3DES with SHA.

aes_128_sh on|off
    Set 128 bits AES with SHA.

/ssl/cfg/vpn/ipsec/ikeprof/dh
SSL VPN Configuration IPsec Server IKE Profile Diffie-Hellman Group Mask Menu

[Diffie-Hellman Group Menu]
    dh1 - Set Diffie-Hellman group 1
    dh2 - Set Diffie-Hellman group 2
    dh5 - Set Diffie-Hellman group 5

Table 11-72 SSL VPN Configuration IPSEC Server IKE Profile Diffie-Hellman Group Mask Menu Options

Command Syntax and Usage

dh1 on|off
    Set Diffie-Hellman group 1.

dh2 on|off
    Set Diffie-Hellman group 2.

dh5 on|off
    Set Diffie-Hellman group 5.


/ssl/cfg/vpn/ipsec/ikeprof/NAT
SSL VPN Configuration IPsec Server IKE Profile NAT Menu

[NAT Menu]
    natdetect - Set ESP UDP NAT detect
    timeout   - Set detect timeout
    keepalive - Set keepalive timeout

Table 11-73 SSL VPN Configuration IPSEC Server IKE Profile NAT Menu Options

Command Syntax and Usage

natdetect disabled|auto|ipsec_capable|use_udp_encap
    Set ESP UDP detection.

timeout <integer>
    Set the detection timeout, in seconds.

keepalive <integer>
    Set the keepalive timeout, in seconds.

/ssl/cfg/vpn/ipsec/ikeprof/deadpeer
SSL VPN Configuration IPsec Server IKE Profile Dead Peer Menu

[Dead Peer Menu]
    ena        - Enable dead peer detection
    dis        - Disable dead peer detection
    interval   - Set detect interval
    retransmit - Set max retransmissions

Table 11-74 SSL VPN Configuration IPSEC Server IKE Profile Dead Peer Menu Options

Command Syntax and Usage

ena [enable|disable]
    Enable dead peer detection.

dis [enable|disable]
    Disable dead peer detection.


interval <integer>
    Set the detection interval, in seconds.

retransmit <integer>
    Set the maximum number of retransmissions.

/ssl/cfg/vpn/ippool
SSL VPN Configuration IP Pool Menu

[Pool Menu]
    ena      - Enable pool
    dis      - Disable pool
    lowerip  - Set lower IP in pool range
    upperip  - Set upper IP in pool range
    proxyarp - Set proxy arp on clean side interfaces
    info     - Print alloc info for this VPN

Table 11-75 SSL VPN Configuration IP Pool Menu Options

Command Syntax and Usage

ena enable|disable
    Enable the IP Pool.

dis enable|disable
    Disable the IP Pool.

lowerip <lower_IP_address>
    Set the lower IP address in the pool range.

upperip <upper_IP_address>
    Set the upper IP address in the pool range.

proxyarp on|off|all
    Set proxy ARP on clean side interfaces.

info
    Display all of the IP Pool configuration information.


/ssl/cfg/vpn/portal
SSL VPN Configuration Portal Menu

[Portal Menu]
    import     - Import banner image gif
    restore    - Restores default Nortel banner
    banner     - Show installed banner file
    redirect   - Set redirect URL
    logintext  - Set static text on login page
    iconmode   - Set Home tab icon mode
    linktext   - Set static text on link page
    linkurl    - Set url input field on link page
    linkcols   - Set number of columns on home tab
    linkwidth  - Set width of link columns on home tab
    companynam - Set company name used on portal pages
    colors     - Portal colors menu
    faccess    - Full Access menu
    lang       - Portal language menu
    wiper      - Set use ActiveX component for clearing cache
    ieclear    - Set use IE ClearAuthCache
    whitelist  - White-list settings menu
    citrix     - Set Citrix support

Table 11-76 SSL VPN Configuration Portal Menu Options

Command Syntax and Usage

import [<protocol> <hostname> <bannerfilename>]
    Import banner image gif. For example:

    SSL >> Portal# import
    Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp
    Enter hostname or IP address of server: 0.0.0.0
    Enter filename on server: nortel_banner.gif

restore
    Restores default Nortel banner.

banner
    Show installed banner file.

redirect <URL>
    Set redirect URL.

logintext
    Set static text on login page. Write or paste the text to show up in the Login window, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

iconmode clean|fancy
    Set Home tab icon mode.


linktext [<string>]
    Set static text on link page. Write or paste the text, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

linkurl on|off
    Set URL input field on link page.

linkcols [<integer>]
    Set number of columns on home tab. Four can be considered a practical maximum.

linkwidth [auto|0 to 100%]
    Set width of link columns on home tab.

companynam [<string>]
    Set company name used on portal pages.

colors
    Go to the Portal Colors menu. To view the menu options, see page 621.

faccess
    Go to the Full Access menu. To view the menu options, see page 621.

lang
    Go to the Portal language menu. To view the menu options, see page 622.

wiper [on|off]
    Set use ActiveX component for clearing cache.

ieclear [on|off]
    Set use IE ClearAuthCache.

whitelist
    Go to the White-list settings menu. To view the menu options, see page 623.

citrix [on|off]
    Set Citrix support.


/ssl/cfg/vpn/portal/colors
SSL VPN Configuration Portal Colors Menu

[Portal Colors Menu]
    color1 - Set portal color 1
    color2 - Set portal color 2
    color3 - Set portal color 3
    color4 - Set portal color 4
    theme  - Color theme

Table 11-77 SSL VPN Configuration Portal Colors Menu Options

Command Syntax and Usage

color1 [<HTML_color_syntax>]
    Set Portal color 1. For example, #003399 for blue.

color2 [<HTML_color_syntax>]
    Set Portal color 2.

color3 [<HTML_color_syntax>]
    Set Portal color 3.

color4 [<HTML_color_syntax>]
    Set Portal color 4.

theme [default|aqua|apple|jeans|cinnamon|candy]
    Set the color theme.

/ssl/cfg/vpn/portal/faccess
SSL VPN Configuration Portal Full Access Menu

[Full Access Menu]
    ena       - Enable 'Full Access' tab
    dis       - Disable 'Full Access' tab
    ipsecmode - Set IPSEC Mode
    contip    - Set Contivity IP address
    contid    - Set Contivity group ID
    contpass  - Set Contivity group password
    portalmsg - Set text in 'Full Access' portal tab
    appletmsg - Set text in 'Full Access' Applet window


Table 11-78 SSL VPN Configuration Portal Full Access Menu Options

Command Syntax and Usage

ena [enable|disable]
    Enable 'Full Access' tab.

dis [enable|disable]
    Disable 'Full Access' tab.

ipsecmode [contivity|native]
    Set the IPSEC Mode.

contip [<IP_address>]
    Set Contivity IP address.

contid [<string>]
    Set the Contivity group ID.

contpass [<string>]
    Set a Contivity group password.

portalmsg
    Set text in 'Full Access' portal tab. Write or paste the text to show up in the Full Access Portal window, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

appletmsg
    Set text in 'Full Access' Applet window. Write or paste text to show up in the Full Access Applet window, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate. If you *only* enter "..." a default text will be generated.

/ssl/cfg/vpn/portal/lang
SSL VPN Configuration Portal Language Menu

[Portal Language Menu]
    setlang - Set the language to be used in the portal
    charset - Print charset in use
    list    - List supported languages

Table 11-79 SSL VPN Configuration Portal Language Menu Options

Command Syntax and Usage

ips [<ISO 639 Language Code>]
    Set the language to be used in the portal. For English, enter en.


charset on|off
    Display the current character set. For example:

    Charset = iso-8859-1

list
    Display all of the pre-defined languages.

/ssl/cfg/vpn/portal/whitelist
SSL VPN Configuration Portal Whitelist settings Menu

[White-list Settings Menu]
    domains - Configure white-list domains
    ena     - Enable URL rewrite white-list
    dis     - Disable URL rewrite white-list

Table 11-80 SSL VPN Configuration Portal Whitelist settings Menu Options

Command Syntax and Usage

domains
    Go to the Domains menu. To view the menu options, see page 623.

ena [enable|disable]
    Enable URL re-write whitelist.

dis [enable|disable]
    Disable URL re-write whitelist.

/ssl/cfg/vpn/portal/whitelist/domains
SSL VPN Configuration Portal Whitelist settings Domains Menu

[White-list menu Menu]
    list - List all values
    del  - Delete a value by number
    add  - Add a new value


Table 11-81 SSL VPN Configuration Portal Whitelist settings Domains Menu Options

Command Syntax and Usage

list
    Go to the Domains menu. To view the menu options, see page 621.

del [<index>]
    Delete a value.

add [<domain_name>]
    Add a domain.

/ssl/cfg/vpn/linkset
SSL VPN Configuration Linkset Menu

To enter the /ssl/cfg/vpn/linkset menu level, you are prompted to create a linkset if one does not already exist.

SSL >> VPN 1# linkset
Enter Linkset number or name (1-1023): 1
Creating Linkset 1
Linkset name: Linkset_1
Linkset text (HTML syntax, eg <b>A heading</b>): html
Autorun Linkset (true/false) [false]: false

------------------------------------------------------------
[Linkset 1 Menu]
    name    - Set linkset name
    text    - Set linkset text
    autorun - Set autorun support
    link    - Link menu
    del     - Remove tunnel

Table 11-82 SSL VPN Configuration Linkset Menu Options

Command Syntax and Usage

name <string>
    Set the linkset name.

text [<text_type>]
    Set the text type. In the current release, only HTML is available (default).

autorun [true|false]
    Set the autorun linkset option.


link
    Go to the Link menu. To view the menu options, see page 625.

del [<linkset_number>]
    Remove the linkset.

/ssl/cfg/vpn/linkset/link
SSL VPN Configuration Linkset Link Menu

To enter the /ssl/cfg/vpn/linkset/link menu level, you are prompted to create a link if one does not already exist.

SSL >> Linkset 1# link
Enter Link number or name (1-1023): 1
Creating Link 1
Enter link text: Link_1
Enter type of link (hit TAB to see possible values) [internal]: <tab>
 smb ftp proxy custom mail telnet netdrive wts outlook netdirect terminal external internal eauto iauto
Enter type of link (hit TAB to see possible values) [internal]: internal
Entering: Internal settings menu
Enter method (http/https): http
Enter host (eg inside.company.com): NoTel.ca
Enter path (eg /): /info
Leaving: Internal settings menu

------------------------------------------------------------
[Link 1 Menu]
    move     - Move link
    text     - Set link text
    type     - Set link type
    internal - Internal settings menu
    del      - Remove link

Table 11-83 SSL VPN Configuration Linkset Link Menu Options

Command Syntax and Usage

move [<link_number>]
    Move the link.


text [<link_name>]
    Set the name of the link.

type [<link_type>]
    Set the link type. See the list of link types on page 625.

internal
    Go to the Internal link menu. To view the menu options, see page 626.

del [<link_number>]
    Remove the link.

/ssl/cfg/vpn/linkset/link/internal
SSL VPN Configuration Linkset Link Internal Setting Menu

[Internal menu Menu]
    quick - Quick internal link wizard

Table 11-84 SSL VPN Configuration Linkset Link Internal Settings Menu Options

Command Syntax and Usage

quick
    Configure the link using the internal link wizard. For example:

    SSL >> Internal menu# quick
    Enter method (http/https): http
    Enter host (eg inside.company.com): NoTel.ca
    Enter path (eg /): /

/ssl/cfg/vpn/sslclient
SSL VPN Configuration SSL Client Menu

[SSL VPN Client Menu]
    netdirect - Allow Netdirect client
    xmlconfig - Set XML client configuration


Table 11-85 SSL VPN Configuration SSL Client Menu Options

Command Syntax and Usage

netdirect [on|off]
    Allow a Netdirect VPN client.

xmlconfig
    Set the XML client configuration. Write or paste the text, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

/ssl/cfg/vpn/adv
SSL VPN Configuration Advanced Menu

[Advanced Menu]
    interface - Set backend interface used by VPN
    dns       - DNS settings menu
    log       - Set log settings

Table 11-86 SSL VPN Configuration Advanced Menu Options

Command Syntax and Usage

interface [<backend_interface_number>]
    Set the backend interface.

dns
    Go to the DNS settings menu. To view the menu options, see page 627.

log [all|login|http|portal|reject|socks]
    Set the log option.

/ssl/cfg/vpn/adv/dns
SSL VPN Configuration Advanced DNS settings Menu

[DNS Settings Menu]
    search - Set DNS search list

Table 11-87 SSL VPN Configuration Advanced DNS settings Menu Options

Command Syntax and Usage

search [<domain_names>]
    Set the domain search list. If more than one domain, use a comma to separate each entry.


/ssl/cfg/sys
SSL Configuration System Menu

[System Menu]
    mip        - Set management IP (MIP) address
    host       - iSD host menu
    routes     - Routes menu
    time       - Date and time menu
    dns        - DNS settings
    rsa        - RSA Servers
    syslog     - Syslog servers menu
    accesslist - Access list menu
    adm        - Administrative applications menu
    user       - User Access Control menu
    distrace   - Disable tracing with tcpdump/ssldump

Table 11-88 SSL Configuration System Menu Options

Command Syntax and Usage

mip [<IP_address>]
    Set the management IP (MIP) address.

host
    Go to the Host menu. To view menu options, see page 629.

routes
    Go to the Routes menu. To view menu options, see page 630.

time
    Go to the Time menu. To view menu options, see page 634.

dns
    Go to the Time menu. To view menu options, see page 634.

rsa
    Go to the RSA server menu. To view menu options, see page 636.

syslog
    Go to the RSA server menu. To view menu options, see page 636.

accesslist
    Go to the Access List menu. To view menu options, see page 637.

adm
    Go to the Administrative Applications menu. To view menu options, see page 638.

user
    Go to the Administrative Applications menu. To view menu options, see page 647.


distrace [yes|no]
    Deactivate trace. Trace cannot be reactivated during the session.

/ssl/cfg/sys/host
SSL Configuration System Host Menu

[iSD Host 1 Menu]
    type       - Set type of the iSD
    ip         - Set IP address
    license    - Set License
    gateway    - Set default gateway address
    routes     - Routes menu
    interface  - iSD host interface menu
    port       - iSD port configuration menu
    ports      - Display physical ports
    hwplatform - Display hardware platform
    halt       - Halt the iSD
    reboot     - Reboot the iSD
    delete     - Remove iSD Host

Table 11-89 SSL Configuration System Host Menu Options

Command Syntax and Usage

type [master|slave]
    Set the iSD type.

ip [<IP_address>]
    Set the IP address of the host.

license [<string>]
    Enter or paste the host license information. Paste the license, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

gateway [<IP_address>]
    Set default gateway address.

routes
    Go to the Routes menu. To view menu options, see page 633.

interface
    Go to the iSD host interface menu. To view menu options, see page 631.

port
    Go to the iSD port configuration menu. To view menu options, see page 632.


ports
    Display the number of physical ports.

hwplatform
    Display hardware platform.

halt [yes|no]
    Halt the iSD platform.

reboot [yes|no]
    Reboot the iSD.

delete [<hostname>]
    Remove iSD Host.

/ssl/cfg/sys/host/routes
SSL Configuration System Host Routes Menu

[Host Routes Menu]
    list - List all values
    del  - Delete a value by number
    add  - Add a new value

Table 11-90 SSL Configuration System Host Routes Menu Options

Command Syntax and Usage

list
    List all host routes.

del [<route_number>]
    Delete a route by its number.

add [<destination> <netmask> <gateway>]
    Add a route.

Page 631: Nortel Commands

/ssl/cfg/sys/host/interface
SSL Configuration System Host Menu

[Host Interface 1 Menu]
    ip - Set IP address
    netmask - Set network mask
    gateway - Set default gateway address
    routes - Routes menu
    vlanid - Set VLAN tag id
    mode - Set mode
    ports - Interface ports menu
    primary - Set primary port
    delete - Remove Host Interface

Table 11-91 SSL Configuration System Host Interface Menu Options

Command Syntax and Usage

ip [<IP_address>]
Set the host interface IP address.

netmask [<IP_address>]
Set the interface netmask.

gateway [<IP_address>]
Set the Gateway IP address.

routes
Go to the Routes menu. To view menu options, see page 632.

vlanid [<integer>]
Set the VLAN tag ID.

mode [failover|trunking]
Set the interface mode.

ports
Go to the Ports menu. To view menu options, see page 633.

primary [<port_number>]
Set the Primary port.

delete [<interface_hostname>]
Delete the interface.

Page 632: Nortel Commands

/ssl/cfg/sys/host/interface/routes
SSL Configuration System Host Interface Routes Menu

[Host Interface Routes Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value

Table 11-92 SSL Configuration System Host Interface Menu Options

Command Syntax and Usage

list
List all of the configured interface routes.

del [<route_number>]
Delete an interface route.

add [<destination> <netmask> <gateway>]
Add an interface route.

/ssl/cfg/sys/host/port
SSL Configuration System Host Port Menu

[Host Port 1 Menu]
    autoneg - Set autonegotiation
    speed - Set Speed
    mode - Set full or half duplex mode

Table 11-93 SSL Configuration System Host Port Menu Options

Command Syntax and Usage

autoneg <on | off>
Enables or disables autonegotiation on the port. The default is on.

speed <10 | 100 | 1000>
Sets the port speed in Mbits per second when autonegotiation is not in use.

mode <full | half>
Sets the duplex mode of the port when autonegotiation is not in use. When autonegotiation is not in use the default mode is full.

Page 633: Nortel Commands

/ssl/cfg/sys/routes
SSL Configuration System Menu

[Routes Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value

Table 11-94 SSL Configuration System Menu Options

Command Syntax and Usage

list
List all of the configured routes.

del [<route_number>]
Delete a route. This command removes the specified static route from the system configuration. Use the list command to display the index numbers of all added static routes.

add [<destination> <netmask> <gateway>]
Add a static route.

/ssl/cfg/sys/time
SSL Configuration System Time Menu

[Date and Time Menu]
    date - Set system date
    time - Set system time
    tzone - Set Timezone
    ntp - Configure NTP servers

Table 11-95 SSL Configuration System Time Menu Options

Command Syntax and Usage

date [YYYY-MM-DD]
Enter the date.

time [HH:MM:SS]
Set the time, using a 24-hour clock scheme.

tzone [<continent_number> <country_number> <region_number>]
Set the time zone.

ntp
Configure NTP servers. To view menu options, see page 634.

Page 634: Nortel Commands

/ssl/cfg/sys/time/ntp
SSL Configuration System Time NTP servers Menu

[NTP Servers Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value

Table 11-96 SSL Configuration System Time NTP Servers Menu Options

Command Syntax and Usage

list
List the configured NTP servers.

del [<NTP_server>]
Delete the NTP server. Removes the specified NTP server from the system configuration. Use the list command to display the index numbers of all added NTP servers.

add [<IP_address>]
Add an NTP server. Adds an NTP server to the system configuration. The NTP server you add is used by the NTP client on the iSD to synchronize its clock. NTP should have access to a number of servers (at least three) in order to compensate for any discrepancies in the servers.

/ssl/cfg/sys/dns
SSL Configuration System DNS settings Menu

[DNS Settings Menu]
    servers - DNS servers menu
    cachesize - Set Local DNS cache size
    retransmit - Set DNS Retransmit interval timer
    count - Set DNS Retransmit counter
    ttl - Set Max TTL
    health - Set Health check interval
    hdown - Set Health check down counter
    hup - Set Health check up counter

Table 11-97 SSL Configuration System DNS Settings Menu Options

Command Syntax and Usage

servers
Go to the DNS Servers menu. To view menu options, see page 635.

cachesize [<integer>]
Set the DNS cache size in kBytes.

Page 635: Nortel Commands

retransmit [<integer>]
Set the DNS retransmit interval timer value, in seconds.

count [<integer>]
Set the DNS Retransmit counter value.

ttl [<integer>]
Set the maximum TTL, in seconds.

health [<integer>]
Set Health check interval.

hdown [<integer>]
Set Health check down counter.

hup [<integer>]
Set Health check up counter.

/ssl/cfg/sys/dns/servers
SSL Configuration System DNS Servers settings Menu

[DNS Servers Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value
    insert - Insert a new value
    move - Move a value by number

Table 11-98 SSL Configuration System DNS Servers Menu Options

Command Syntax and Usage

list
List all of the DNS server settings.

del <DNS_server_name>
Delete the DNS server.

add <ip_address>
Add a DNS server.

insert <position> <ip_address>
Insert a DNS server into the DNS server list.

move <value> <value>
Move the DNS server from one position to another in the server list.

Page 636: Nortel Commands

/ssl/cfg/sys/rsa
SSL Configuration System RSA servers Menu

To enter the /ssl/cfg/sys/rsa menu level, you are prompted to create an RSA server if one does not already exist.

SSL >> System# rsa
Enter RSA Server number or name: (1-255) 1
Creating RSA Servers 1
RSA server symbolic name: RSA_1

------------------------------------------------------------
[RSA Servers 1 Menu]
    rsaname - Set RSA server symbolic name
    import - Import sdconf.rec file
    rmnodesecr - Remove Node Secret
    del - Remove RSA server

Table 11-99 SSL Configuration System RSA servers Menu Options

Command Syntax and Usage

rsaname [<string>]
Set the RSA server symbolic name.

import [<protocol> <host> <file>]
Import a sdconf.rec file.

rmnodesecr [<node_secret_name>]
Remove a Node Secret.

del
Remove an RSA server.

/ssl/cfg/sys/syslog
SSL Configuration System SysLog Servers Menu

[Syslog Servers Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value
    insert - Insert a new value
    move - Move a value by number

Page 637: Nortel Commands

Table 11-100 SSL Configuration System SysLog Servers Menu Options

Command Syntax and Usage

list
List all of the Syslog server settings.

del <Syslog_server_name>
Delete the Syslog server.

add <ip_address>
Add a Syslog server.

insert [<position> <ip_address> <local_facility>]
Insert a Syslog server into the Syslog server list.

move <value> <value>
Move the Syslog server from one position to another in the server list. Moves a syslog server up or down in the list of configured servers. The index numbers you specify must be in use. To view all syslog servers currently added to the system configuration, use the list command.

/ssl/cfg/sys/accesslist
SSL Configuration System Access List Menu

[Access List Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value

Table 11-101 SSL Configuration System Menu Options

Command Syntax and Usage

list
List the accesslist values.

del [<access_list_number>]
Delete an accesslist.

add
Add a new value to the accesslist. Adds a single machine, or a range of machines on a specific network, to the access list. Only those machines listed will be allowed to access the iSD host via a Telnet or SSH connection (assuming that Telnet or SSH connections, or both, are enabled).

Page 638: Nortel Commands

/ssl/cfg/sys/adm
SSL Configuration System Administrative applications Menu

[Administrative Applications Menu]
    snmp - SNMP menu
    clitimeout - Set CLI idle timeout
    audit - Audit Settings Menu
    auth - Authentication menu
    telnet - Set telnet CLI access
    ssh - Set SSH CLI access
    http - HTTP access menu
    https - HTTPS access menu
    sshkeys - SSH host keys menu

Table 11-102 SSL Configuration System Administrative applications Menu Options

Command Syntax and Usage

snmp
Go to the SNMP menu. To view menu options, see page 639.

clitimeout [<integer>]
Set the CLI idle timeout value, in seconds.

audit
Go to the Audit menu. To view menu options, see page 643.

telnet
Set the telnet CLI access. Enables or disables Telnet access. When set to on with no machines added to the access list, all Telnet connections are allowed.

When set to on with machines added to the access list, only the specified machines are allowed Telnet access. When set to off, all Telnet connections are rejected, including connections from machines added to the access list.

The default Telnet setting is off.

ssh
Set the SSH CLI access. Enables or disables SSH access. When set to on with no machines added to the access list, all SSH connections are allowed.

When set to on with machines added to the access list, only the specified machines are allowed SSH access. When set to off, all SSH connections are rejected, including connections from machines added to the access list.

The default SSH setting is off.
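The interaction between the telnet and ssh settings and the access list is easy to misread: turning a service on while the list is empty accepts every source address. The following is an added example, not Nortel code, that models the stated rule and audits a settings dictionary; the entry format (network address plus netmask), the dictionary keys and the review threshold are assumptions made for illustration.

```python
import ipaddress

# Assumption: an access list entry is a network address plus a netmask; a single
# machine is an entry with netmask 255.255.255.255.
def parse_entry(network, netmask):
    return ipaddress.ip_network(f"{network}/{netmask}", strict=False)

def cli_access_allowed(service_on, access_list, client_ip):
    """Apply the rule stated for the telnet and ssh commands."""
    if not service_on:
        return False            # off: rejected even if the client is listed
    if not access_list:
        return True             # on + empty list: every source is accepted
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in access_list)

BROAD_ENTRY_ADDRESSES = 65536   # hypothetical review threshold, not from the manual

def audit(settings):
    """Return findings for a dict with keys telnet, ssh (bool) and accesslist (networks)."""
    findings = []
    acl = settings["accesslist"]
    for service in ("telnet", "ssh"):
        if settings[service] and not acl:
            findings.append(f"{service}: on with an empty access list, "
                            "any source address is accepted")
    if settings["telnet"]:
        findings.append("telnet: on, logins and commands cross the network unencrypted")
    for net in acl:
        # A very wide entry makes the list non-empty while restricting almost nothing.
        if net.num_addresses > BROAD_ENTRY_ADDRESSES:
            findings.append(f"accesslist: entry {net} covers {net.num_addresses} addresses")
    return findings

# Constructed sample settings (documentation address ranges).
MGMT_ACL = [parse_entry("10.1.0.0", "255.255.255.0"),
            parse_entry("192.0.2.15", "255.255.255.255")]
WEAK = {"telnet": True, "ssh": True, "accesslist": []}
HARDENED = {"telnet": False, "ssh": True, "accesslist": MGMT_ACL}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
    print(cli_access_allowed(True, MGMT_ACL, "203.0.113.50"))
```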

Page 639: Nortel Commands

http
Go to the HTTP access menu. To view menu options, see page 644.

https
Go to the HTTP access menu. To view menu options, see page 645.

sshkeys
Go to the HTTP access menu. To view menu options, see page 646.

/ssl/cfg/sys/adm/snmp
SSL Configuration System Administrative applications SNMP Menu

[SNMP Menu]
    ena - Enable SNMP
    dis - Disable SNMP
    versions - Set SNMP versions supported
    snmpv2-mib - SNMPv2-MIB menu
    community - SNMP community menu
    users - SNMP USM Users Menu
    target - Notification target menu

Table 11-103 SSL Configuration System Administrative applications SNMP Menu Options

Command Syntax and Usage

ena [true|false]
Enable SNMP.

dis [true|false]
Disable SNMP.

versions [<SNMP_version_number>]
Set the SNMP version, such as v1.

snmpv2-mib
Go to the SNMPv2-MIB menu. To view menu options, see page 640.

community
Go to the SNMP community menu. To view menu options, see page 640.

users
Go to the SNMP USM Users community menu. To view menu options, see page 641.

Page 640: Nortel Commands

target
Go to the Notification target menu. To view menu options, see page 642.

/ssl/cfg/sys/adm/snmp/snmpv2-mib
SSL Configuration System Administrative applications SNMPv2 MIB SNMP Menu

[SNMPv2-MIB Menu]
    sysContact - Set sysContact
    sysName - Set sysName
    sysLocatio - Set sysLocation
    snmpEnable - Set snmpEnableAuthenTraps

Table 11-104 SSL Configuration System Administrative applications SNMPv2-MIB Menu Options

Command Syntax and Usage

sysContact [<name_of_a_person>]
Set a system contact name. Designates a contact person for the managed iSD cluster, together with information on how to contact this person.

sysName [<string, iSD_cluster_name>]
Assign a name to the managed iSD cluster.

sysLocatio [<string>]
Set the system location.

snmpEnable [<SNMP_trap_value>]
Set the snmpEnableAuthenTraps value.

/ssl/cfg/sys/adm/snmp/community
SSL Configuration System Administrative applications SNMP Community Menu

[SNMP Community Menu]
    read - Set Read Community String
    write - Set Write Community String
    trap - Set Trap Community String

Page 641: Nortel Commands

Table 11-105 SSL Configuration System Administrative applications SNMP Community Menu Options

Command Syntax and Usage

read [<string>]
Set the Read Community String. Specifies the monitor community name that grants read access to the Management Information Base (MIB). If no monitor community name is specified, read access is not granted. The default monitor community name is public.

write [<string>]
Set the Write Community String. Specifies the control community name that grants read and write access to the Management Information Base (MIB). If no control community name is specified, neither write nor read access is granted.

trap [<string>]
Set the Trap Community String. Specifies the trap community name that accompanies trap messages sent to the SNMP manager. If no trap community name is specified, the sending of trap messages is disabled. The default trap community name is trap.

/ssl/cfg/sys/adm/snmp/users
SSL Configuration System Administrative applications SNMP Users Menu

To enter the /ssl/cfg/sys/adm/snmp/users menu level, you are prompted to create a userID if one does not already exist.

Enter user number or name: (1-1023) 1
Creating SNMP User 1
User name: Maint_Chief
Enter security level (none/auth/priv) [priv]: priv
Enter permission (list of get,set,trap): get
Enter auth password: <password>
Enter priv password: <password>

------------------------------------------------------------
[SNMP User 1 Menu]
    name - Set user name
    seclevel - Set Security level
    permission - Set Permission
    authpasswd - Set Authentication Password
    privpasswd - Set Encryption Password
    del - Remove SNMP User

Page 642: Nortel Commands

Table 11-106 SSL Configuration System Administrative applications SNMP Users Menu Options

Command Syntax and Usage

name [<string>]
Set the user name.

seclevel [none|auth|priv]
Set the user Security level.

permission [get|set|trap]
Set user Permission.

authpasswd [<string>]
Set the Authentication Password.

privpasswd [<string>]
Set the Encryption Password.

del [<SNMP_user_ID>]
Remove the SNMP User.

/ssl/cfg/sys/adm/snmp/target
SSL Configuration System Administrative applications SNMP Target Menu

To enter the /ssl/cfg/sys/adm/snmp/target menu level, you are prompted to create a target if one does not already exist.

SSL >> SNMP# target
Enter Notification Target number: (1-) 1
Creating Notification Target 1
Enter target ip: 0.0.0.0
Enter snmp version (v1/v2c/v3): v1

------------------------------------------------------------
[Notification Target 1 Menu]
    ip - Set target IP address
    port - Set target port
    version - Set SNMP version
    del - Remove Notification Target

Page 643: Nortel Commands

Table 11-107 SSL Configuration System Administrative applications SNMP Target Menu Options

Command Syntax and Usage

ip [<IP_address>]
Set the target IP address.

port [<port_number>]
Disable SNMP.

version [v1|v2|v3]
Set the SNMP version.

del
Delete the SNMP target.

/ssl/cfg/sys/adm/audit
SSL Configuration System Administrative applications Audit Menu

[Audit Menu]
    servers - RADIUS Servers Menu
    vendorid - Set vendor id for audit attribute
    vendortype - Set vendor type for audit attribute
    ena - Enable Audit
    dis - Disable Audit

Table 11-108 SSL Configuration System Administrative applications Audit Menu Options

Command Syntax and Usage

servers
Go to the Servers menu. To view menu options, see page 644.

vendorid [<string>]
Set the vendor ID.

vendortype [<integer>]
Set the vendor type.

ena [<true|false>]
Enable Audit.

dis [<true|false>]
Disable audit.

Page 644: Nortel Commands

/ssl/cfg/sys/adm/audit/servers
SSL Configuration System Administrative applications Audit Servers Menu

[RADIUS Audit Servers Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value
    insert - Insert a new value
    move - Move a value by number

Table 11-109 SSL Configuration System Administrative applications Audit Servers Menu Options

Command Syntax and Usage

list
List all of the Audit server settings.

del <Audit_server_name>
Delete the Audit server.

add [<IP_address> <port> <secret>]
Add an Audit server.

insert [<position> <IP_address> <port> <secret>]
Insert an Audit server into the Audit server list.

move <value> <value>
Move the Audit server from one position to another in the server list.

/ssl/cfg/sys/adm/http
SSL Configuration System Administrative applications HTTP Menu

[HTTP Menu]
    port - Set HTTP Server port
    ena - Enable server
    dis - Disable server

Page 645: Nortel Commands

Table 11-110 SSL Configuration System Administrative applications HTTP Menu Options

Command Syntax and Usage

port [<integer>]
Set the HTTP server port.

ena [true|false]
Enable the HTTP server.

dis [true|false]
Disable the HTTP server.

/ssl/cfg/sys/adm/https
SSL Configuration System Administrative applications HTTPS Menu

[HTTPS Menu]
    port - Set HTTPS Server port
    ena - Enable server
    dis - Disable server

Table 11-111 SSL Configuration System Administrative applications HTTPS Menu Options

Command Syntax and Usage

port [<integer>]
Set the HTTPS server port.

ena [true|false]
Enable the HTTPS server.

dis [true|false]
Disable the HTTPS server.

Page 646: Nortel Commands

/ssl/cfg/sys/adm/sshkeys
SSL Configuration System Administrative applications SSH Host keys Menu

[SSH Host Keys Menu]
    generate - Generate new SSH host keys for the cluster
    show - Show current SSH host keys for the cluster
    knownhosts - SSH known host keys menu

Table 11-112 SSL Configuration System Administrative applications SSH Host keys Menu Options

Command Syntax and Usage

generate [yes|no]
Generate new SSH host keys for the server cluster.

show
Show the SSH host keys for the server cluster.

knownhosts
Go to the Known Host Keys menu. To view menu options, see page 644.

/ssl/cfg/sys/adm/sshkeys/knownhosts
SSL Configuration System Administrative applications SSH Known Host keys Menu

[SSH Known Host Keys Menu]
    list - List known SSH keys of remote hosts
    del - Delete known SSH host key by index
    add - Add a new SSH host key
    import - Retrieve SSH key from remote host

Table 11-113 SSL Configuration System Administrative applications Known SSH Host keys Menu Options

Command Syntax and Usage

list [yes|no]
Display the known SSH keys of remote hosts.

del [<hostkey_name>]
Delete a host key.

Page 647: Nortel Commands

add
Add a new SSH host key. Paste the key, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.

import [<hostname_or_IP_address>]
Retrieve an SSH key from a remote host.

/ssl/cfg/sys/user
SSL Configuration System Menu

[User Menu]
    passwd - Change own password
    expire - Set password expire time interval
    list - List all users
    del - Delete a user
    add - Add a new user
    edit - Edit a user menu
    caphrase - Certadmin export passphrase

Table 11-114 SSL Configuration System Menu Options

Command Syntax and Usage

passwd
Change your current login password. The password can contain spaces and is case sensitive.

expire [DDdHHhMMmSS]
Set the password expiry time and date.

list
List all user accounts.

del
Delete a user ID. Removes the specified user account from the system. Of the three built-in users (admin, oper, and root) only the oper user can be deleted. Only users with Administrator rights can delete user accounts.

add [<string>]
Add a new user ID. After a user account is added, you must also assign the user account to a group. Only users with Administrator rights can add user accounts.

edit
Go to the Edit a user menu. To view menu options, see page 648.

Page 648: Nortel Commands

caphrase [<string>]
Set the Certadmin export passphrase.

/ssl/cfg/sys/user/edit
SSL Configuration System User Edit Menu

[User User_1 Menu]
    groups - Groups menu
    cur - Display current setting

Table 11-115 SSL Configuration System User Edit Menu Options

Command Syntax and Usage

groups
Go to the Groups menu. To view menu options, see page 551.

cur
Display the user configurations.

/ssl/cfg/sys/user/edit/groups
SSL Configuration System User Edit Menu

[Groups Menu]
    list - List all values
    del - Delete a value by number
    add - Add a new value

Table 11-116 SSL Configuration System User Edit Groups Menu Options

Command Syntax and Usage

list
List all of the user groups information.

del [<user_group_name>]
Delete a user group.

add [<string, user_group_name>]
Add a user group.

Page 649: Nortel Commands

/ssl/cfg/lang
SSL Configuration Language Support Menu

[Language Support Menu]
    import - Import language definition file
    export - Export language definition template
    list - List the loaded languages
    vlist - List ISO 639 language codes
    del - Delete (custom) language definition

Table 11-117 SSL Configuration System Language Support Menu Options

Command Syntax and Usage

import [<protocol> <host> <filename> <ISO_language_code>]
Import a language definition file from another host.

export [<protocol> <host> <filename>]
Export a language definition file.

list [<language_number>]
List the pre-defined languages that have been loaded.

vlist [<language_shortform>]
List the ISO 639 language codes. If a language_shortform argument is used (e.g., en for English), all of the codes that contain the argument characters are listed.

del [<language_definition_filename>]
Delete a language definition.

/ssl/boot
SSL Boot Menu

[Boot Menu]
    software - Software management menu
    halt - Halt the iSD
    reboot - Reboot the iSD
    delete - Delete the iSD

Table 11-118 SSL Configuration Boot Menu Options

Command Syntax and Usage

software
Go to Software Management menu. To view menu options, see page 651.

Page 650: Nortel Commands

halt
Halt the iSD. The command stops the particular iSD host to which you have connected by Telnet, SSH, or a console connection. Always use this command before turning off the device. If you are connected by Telnet or SSH to the Management IP address (MIP), use the halt command in the iSD Host menu (/cfg/sys/cluster/host #) instead.

reboot
Reboot the iSD. The command reboots the particular iSD host to which you have connected by Telnet, SSH or a console connection. If you are connected by Telnet or SSH to the Management IP address (MIP), use the reboot command in the iSD Host menu (/cfg/sys/cluster/host #) instead.

delete
Delete an iSD host. Resets the particular iSD host to which you have connected via Telnet, SSH, or a console connection, to its factory default configuration (all IP configuration is lost). The software itself will remain intact. After having performed a delete, you can only access the device via a console connection. Log in as the admin user with the admin password to enter the Setup menu.

NOTE: If you receive a warning that the iSD you are trying to delete has no contact with any (other) master iSD in the cluster, connect to the MIP address by Telnet or SSH and delete the iSD from the cluster by using the delete command in the iSD Host menu (/cfg/sys/cluster/host #).

The /boot/delete command is primarily intended for situations when you want to delete an iSD host that has either become isolated from the cluster, or has been physically removed from the cluster without first performing the delete command from the iSD Host menu. Under these circumstances, you must use the /boot/delete command to present the Setup menu, from which you can perform the new and join commands.

Page 651: Nortel Commands

/ssl/boot/software
SSL Performance Menu

[Software Management Menu]
    cur - Display current software status
    activate - Select software version to run
    download - Download new software pkg. via TFTP/FTP/SCP/SFTP
    del - Remove unpacked/old releases

Table 11-119 SSL Performance Software Menu Options

Command Syntax and Usage

cur
Display the current software status. For example:

SSL >> Software Management# cur
Version     Name    Status
-------     ----    ------
4.1.1.11    SSL     old
5.0.0.34    SSL     permanent

activate [<software_version>]
Select the software version to run.

download [<protocol> <host> <filename>]
Download a new software package.

del [<software_version>]
Remove old software releases. Removes a software upgrade package that has been downloaded by using the tftp or ftp command, in case you do not want to activate the unpacked software upgrade package. Only software versions whose status is indicated as unpacked (using the cur command) can be removed.

Page 652: Nortel Commands

/ssl/maint
SSL Performance Maintenance Menu

[Maintenance Menu]
    hsm - HSM menu
    dumplogs - Tech suppt dump log files to TFTP/FTP/SFTP server
    dumpstat - Tech suppt dump curr. status to TFTP/FTP/SFTP server
    chkcfg - Check applied configuration
    starttrace - Start Trace
    stoptrace - Stop Trace

Table 11-120 SSL Performance Maintenance Menu Options

Command Syntax and Usage

hsm
Go to the HSM menu. To view menu options, see page 653.

dumplogs
Dump the log files. System log file information is collected from the iSD host you are connected to (or optionally, all iSD hosts in the cluster) and sent to a file in the gzip compressed tar format on the TFTP server you have specified. The information can then be used for technical support purposes. The file sent to the TFTP server does not contain any sensitive information related to the system configuration, such as certificates, private keys, and so on.

dumpstat
Dump the current status. The current system internal status is collected from the iSD host you are connected to (or optionally, all iSD hosts in the cluster) and sent to a file in the gzip compressed tar format on the TFTP server you have specified. The information can then be used for technical support purposes.

chkcfg [all-isds | one-isd] [item...]
Check the applied configuration.

starttrace [<tags>] [<VPN>]
Start trace. Valid tags are all, aaa, dns, ike, ipsec, ippool, ssl, tg, pptp, upref, netdirect, net and direct_packet.

stoptrace
Stop the Trace.

Page 653: Nortel Commands

/ssl/maint/hsm
SSL Performance HSM Menu

The /ssl/maint/hsm menu is only available to HSM enabled iSDs.

[HSM Menu]
    login - Login to HSM cards on local iSD
    splitkey - Split a wrap key onto CODE iKeys
    changepass - Change iKey password

Table 11-121 SSL Performance Maintenance HSM Menu Options

Command Syntax and Usage

login <HSM-USER password for the currently inserted HSM-USER iKey>
Lets you log in to a HSM card, using the HSM-USER iKey and the correct password.

splitkey
Splits the wrap key used by the hardware security module onto the two black CODE iKeys.

changepass <card number [0 | 1]> <iKey [HSM-SO | HSM-USER]> <current password for the selected iKey> <new password for the selected iKey>
Sets the password for a HSM-SO or a HSM-USER iKey.

Page 654: Nortel Commands

Page 655: Nortel Commands

APPENDIX A
Nortel Application Switch Operating System Syslog Messages

The following syntax is used when outputting syslog messages:

<Time stamp><Log Label>Web OS<Thread ID>:<Message>

where

<Timestamp>

The time of the message event is displayed in month day hour:minute:second format. For example: Aug 19 14:20:30

<Log Label>

The following types of log messages are recorded: LOG_EMERG, LOG_ALERT, LOG_CRIT, LOG_ERR, LOG_WARNING, LOG_NOTICE, LOG_INFO, and LOG_DEBUG

<Thread ID>

This is the software thread that reports the log message. The following thread IDs are recorded: stp, ip, slb, console, telnet, vrrp, system, web server, ssh, and bgp

<Message>: The log message

Following is a list of potential syslog messages. To keep this list as short as possible, only <Thread ID> and <Message> are shown. The messages are sorted by <Log Label>.

Where the <Thread ID> is listed as mgmt, one of the following may be shown: console, telnet, web server, or ssh.
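For log triage, the syntax above and the message texts listed in this appendix can be compiled into matchers that pull out the variable fields. The following is an added example, not part of the Nortel reference; it assumes the fields are separated by spaces and that the label appears as its LOG_ name, and the sample lines are constructed.

```python
import re
from collections import Counter

# Assumed on-the-wire layout: "<timestamp> <label> Web OS <thread>: <message>".
LINE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) +"
    r"(?P<label>LOG_[A-Z]+) +Web OS +(?P<thread>[^:]+): *(?P<message>.*)$"
)

# (thread, message text) pairs copied from the lists in this appendix.
TEMPLATES = [
    ("vrrp", "received incorrect password from <ip_address>"),
    ("vrrp", "Synchronization from non-configured peer <ip_address>"),
    ("vrrp", "Synchronization from non-configured peer <ip_address> was blocked"),
    ("gslb", "received update from <ip_address> for unknown remote server <ip_address>"),
    ("syn_atk", "SYN attack detected: <count> new half-open sessions per second"),
    ("dps", "hold down triggered: <ip_address> for <min> minutes"),
    ("tcplim", "hold down triggered: <ip_address> for <min> minutes"),
    ("ntp", "cannot contact primary NTP server <ip_address>"),
]

def compile_template(template):
    """Turn 'text <field> text' into an anchored regex with one named group per field."""
    parts, seen, pos = [], {}, 0
    for m in re.finditer(r"<([^<>]+)>", template):
        parts.append(re.escape(template[pos:m.start()]))
        name = re.sub(r"\W", "_", m.group(1))
        seen[name] = seen.get(name, 0) + 1
        if seen[name] > 1:                 # a repeated placeholder gets a numeric suffix
            name = f"{name}_{seen[name]}"
        parts.append(f"(?P<{name}>\\S+)")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")

MATCHERS = [(thread, tpl, compile_template(tpl)) for thread, tpl in TEMPLATES]

def parse_line(line):
    """Split one line into its fields and attach the matching template, if any."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["thread"] = event["thread"].strip()
    event["template"], event["fields"] = None, {}
    for thread, template, rx in MATCHERS:
        hit = rx.match(event["message"]) if thread == event["thread"] else None
        if hit:
            event["template"], event["fields"] = template, hit.groupdict()
            break
    return event

def sources_by_template(lines):
    """Count recognised events per (thread, template, first ip_address field)."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev["template"]:
            counts[(ev["thread"], ev["template"], ev["fields"].get("ip_address"))] += 1
    return counts

# Constructed sample lines (documentation address ranges).
SAMPLE = [
    "Aug 19 14:20:30 LOG_ALERT Web OS vrrp: received incorrect password from 192.0.2.10",
    "Aug 19 14:20:31 LOG_ALERT Web OS vrrp: received incorrect password from 192.0.2.10",
    "Aug 19 14:21:02 LOG_ALERT Web OS syn_atk: SYN attack detected: 1500 new half-open sessions per second",
    "Aug 19 14:21:40 LOG_ALERT Web OS gslb: received update from 198.51.100.7 for unknown remote server 203.0.113.9",
    "Aug 19 14:22:00 LOG_INFO Web OS web server: a message that is not in the template list",
    "not a syslog line",
]

if __name__ == "__main__":
    for key, n in sources_by_template(SAMPLE).most_common():
        print(n, key)
```

Repeated vrrp password failures from one address, or a gslb update naming an unknown server, then show up as counted keys rather than free text.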

LOG_WARNING

FILTER “filter <filter number> fired on port <port number>, <source IP address> -> <destination IP address>, [<ICMP type>], [<IP protocol>], [<layer-4 ports>], [<TCP flags>]”

ntp: cannot contact primary NTP server <ip_address>

ntp cannot contact secondary NTP server <ip_address>

Page 656: Nortel Commands

LOG_ALERT

stp: own BPDU received from port <port_id>

IP cannot contact default gateway <ip_address>

vrrp: received errored advertisement from <ip_address>

vrrp: received incorrect password from <ip_address>

vrrp: received incorrect addresses from <ip_address>

vrrp: received incorrect advertisement interval <seconds> from <ip_address>

slb: cannot contact real server <ip_address>

slb: real server <ip_address> has reached maximum connections

gslb: received update from <ip_address> for unknown remote server <ip_address>

gslb: received update from <ip_address> for unknown virtual service

gslb: received update for unknown remote server <ip_address> from <ip_address>

gslb: received update for unknown service <ip_address:service>

slb: cannot contact real service <ip_address:real_port>

slb: real server failure threshold (<threshold>) has been reach for group <group_id>

slb: real server <ip_address> disabled through configuration

slb: Virtual Service Pool full. gSvcPool=MAX_SERVICES

bgp: notification (<reason>) received from <BGP peer ip_address>

bgp: session with <BGP peer ip_address> failed (<reason>)

vrrp: Synchronization from non-configured peer <ip_address>

vrrp: Synchronization from non-configured peer <ip_address> was blocked

dps: hold down triggered: <ip_address> for <min> minutes

dps: manual hold down: <ip_address>

syn_atk SYN attack detected: <count> new half-open sessions per second

tcplim hold down triggered: <ip_address> for <min> minutes


LOG_CRIT

SYSTEM: temperature at sensor <sensor_id> exceeded threshold

SYSTEM: internal power supply failed

SYSTEM: redundant power supply failed

SYSTEM: fan failure detected

SSH can't allocate memory in load_MP_INT

LOG_ERR

mgmt: PANIC at <file>:<line> in thread <thread id>

mgmt: VERIFY at <file>:<line> in thread <thread id>

mgmt: ASSERT at <file>:<line> in thread <thread id>

ntp: unable to listen to NTP port

isd: unable to listen to BOOTP_SERVER_PORT port

stp: Error: Error writing STG config to FLASH

stp: Error: Error writing config to FLASH

mgmt: Apply not done

mgmt: Save not done

mgmt: <"apply"|"save"> is issued by another user. Try later

cli: Error: Error writing %s config to FLASH

cli: New Path Cost for Port <port_id> is invalid

cli: PVID <vlan_id> for port <port_id> is not created

cli: RADIUS secret must be 1-32 characters long

cli: Please configure primary RADIUS server address

cli: STP changes can't be applied since STP is OFF

cli: Switch reset is required to turn STP on/off

cli: Trunk group <trunk_id> contains ports with different PVIDs

cli: Trunk group <trunk_id> has more than <max_trunk_ports> ports


cli: Trunk group <trunk_id> contains no ports but is enabled

cli: Not all ports in trunk group <trunk_id> are in VLAN <vlan_id>

cli: Trunk groups <trunk_id> and <trunk_id> can not share the same port

port_mirr: Port Mirroring changes are not applied

cli: Broadcast address for IP interface <interface_id> is invalid

cli: IP Interfaces <interface_id> and <interface_id> are on the same subnet

cli: Multiple static routes have same destination

cli: Virtual router <vr_id> must have sharing disabled when hotstandby is enabled

cli: Virtual router group must be enabled when hotstandby is enabled

cli: At least one virtual router must be enabled when group is enabled

cli: Virtual router group must have sharing disabled when hotstandby is enabled

cli: Virtual router group must have preemption enabled when hotstandby is enabled

cli: Virtual router <vr_id> must have an IP address

cli: Virtual router <vr_id> cannot have same VRID and VLAN as <vlan_id>

cli: Virtual router <vr_id> cannot have same IP address as <ip_address>

cli: Virtual router <vr_id> corresponding virtual server <server_id> is not enabled

cli: Hot-standby must be enabled when a virtual router has a PIP address

cli: Virtual router <vr_id> IP interface should be <interface_id>

cli: Enabled real server <server_id> has no IP address

cli: Real server <server_id> has same IP address as IP interface <interface_id>

cli: Real server <server_id> has same IP address as switch

cli: Real server <server_id> (Backup for <server_id>) is not enabled

cli: Real server <server_id> has same IP address as virtual server <server_id>

cli: Real server <server_id> has same IP address as real server <server_id>

cli: Real server group <group_id> cannot backup itself

cli: Real server <server_id> cannot be added to same group

cli: Enabled virtual server <server_id> has no IP address


cli: Virtual server <server_id> has same IP address as IP interface <interface_id>

cli: Virtual server <server_id> has same IP address as switch

cli: Virtual servers <server_id> and <server_id> with same IP address must support same layr3 configuration

cli: Real server <server_id> cannot be backup server for both real server <server_id> and group <group_id>

cli: Virtual server <server_id> has same IP address and vport as virtual server <server_id>

cli: RS <server_id> can't exist for VS <server_id> vport <virtual_port>

cli: Switch port <port_id> has same proxy IP address as port <port_id>

cli: Switch port <port_id> has same IP address as IP interface <interface_id>

cli: A hot-standby port cannot also be an inter-switch port

cli: There must be at least one inter-switch port if any hot-standby port exist

cli: With VMA, ports 1-8 must all have a PIP if any one does

cli: Client bindings are not supported with proxy IP addresses

cli: DAM must be turned on or a PIP must be enabled for port <port_id> in order for virtual server to support FTP parsing

cli: Real server <server_id> and group %u cannot both have backups configured

cli: Virtual server <server_id> : port mapping but layer3 bindings

cli: Extracting length has to set to 8 or 16 for cookie rewrite mode

cli: DAM must be turned on or a PIP must be enabled for port <port_id> in order for virtural server <server_id> to support URL parsing

cli: Port filtering must be disabled on port <port_id> in order to support cookie based persistence for virtual server <server_id>

cli: Virtual server <server_id>: port mapping but Direct Access Mode

cli: Virtual server %lu: support nonat IP but not layer 3 bindings

cli: Virtual servers: all that support IP must use same group

cli: Virtual servers <server_id> and <server_id> that include the same real server <server_id> cannot map the same real port or balance UDP

cli: Virtual server <server_id>: UDP service <virtual_port> with out-of-range port number


cli: Switch cannot support more than <MAX_VIRT_SERVICES> virtual services

cli: Switch cannot support more than <MAX_SMT> real services

cli: Trunk group (<trunk_id>) ports must have same L4 config

cli: Trunk group (<trunk_id>) ports must all have a PIP

cli: DAM must be turned on or a PIP must be enabled for ports <port_id> in order to do URL based redirection

cli: Two services have same hostname, <host_name>.<domain_name>

cli: Direct access mode is not supported with default gateway load balancing

cli: SLB Radius secret must be 16 characters long

cli: Dynamic NAT filter <filter_id> must be cached

cli: NAT filter <filter_id> must have same smask and dmask

cli: NAT filter <filter_id> cannot have port ranges

cli: NAT filter <filter_id> must be cached

cli: NAT filter <filter_id> dest range includes VIP <server_id>

cli: NAT filter <filter_id> dest range includes RIP <server_id>

cli: Redirection filter <filter_id> must be cached

cli: Filter with L4 ports configured <port_id> must have IP protocol configured

cli: For Global SLB, Web server must be moved from TCP port 80

cli: Remote site <site_id> does not have a primary IP address

cli: Primary and secondary remote site <site_id> switches must differ

cli: Remote sites <site_id> and <site_id> must use different addresses

cli: Remote site <site_id> and real server <server_id> must use different addresses

cli: Remote site <site_id> and virtual server <server_id> must use different addresses

cli: Only <MAX_SLB_SITES> remote servers are allowed per group

cli: Only <MAX_SLB_SERVICES> remote services are supported

cli: Enabled external lookup IP address has no IP address

cli: domain name must be configured


cli: Network <static_network_id> has no VIP address

cli: duplicate default entry

cli: BGP peer <bgp_peer_id> must have an IP address

cli: BGP peers <bgp_peer_id> and <bgp_peer_id> have same address

cli: BGP peer <bgp_peer_id> have same address as IP interface <ip_interface_id>

cli: BGP peer <bgp_peer_id> IP interface <ip_interface_id> is not enabled

cli: Filter with ICMP types configured (<icmp_type>) must have IP protocol configure to ICMP

cli: Two services have same hostname, <host_name>.<domain_name>

cli: Loadbalance string must be added to real server <server_id> in order to enable exclusionary string matching

cli: intrval input value must be in the range [0-24]

mgmt: unapplied changes reverted

mgmt: unsaved changes reverted

mgmt: Attempting to redirect a previously redirected output

vrrp: Attempting to redirect a previously redirected output

vrrp: cfg_sync_tx_putsn: ABORTED

vrrp: Synchronization TX Error

vrrp: Synchronization TX connection RESET

vrrp: Synchronization TX connection TIMEOUT

vrrp: Synchronization TX connection UNREACEABLE

vrrp: Synchronization TX connection UNKNOWN CLOSE

vrrp: Synchronization RX connection RESET

vrrp: Synchronization RX connection TIMEOUT

vrrp: Synchronization RX connection UNREACEABLE

vrrp: Synchronization RX connection UNKNOWN CLOSE

vrrp: Synchronization connection RCLOSE by peer

vrrp: Synchronization connection RCLOSE before RX


vrrp: Synchronization connection early RCLOSE in RX

vrrp: Synchronization connection Wait-For-Close Timeout

vrrp: Synchronization connection Transmit Timeout

vrrp: Synchronization Receive Timeout

vrrp: Synchronization Receive UNKNOWN Timeout

vrrp: Sync transmit in progress … cannot start Sync

vrrp: Sync receive in progress … cannot start Sync

vrrp: Sync already in progress … cannot start Sync

vrrp: Config Sync route find error

vrrp: Config Sync tcp_open error

vrrp: Config Synchronization Timeout - Resuming Console thread

vrrp: <"apply"|"save"> is issued by another user. Try later

vrrp: new configuration did not validate (rc = )

vrrp: new configuration did not apply (rc = )

vrrp: new configuration did not save (rc = )

vrrp: Sync config apply error

vrrp: Restoring Current Config

vrrp: Sync rx tcp open error

vrrp: Sync Version/Password Failed-No Version/Password Line

vrrp: Sync Version Failed - peer:%s config:%s

vrrp: Sync Password Failed-Bad Password

vrrp: Sync receive already in progress … cannot start Sync receive

vrrp: Sync transmit in progress … cannot start Sync receive


LOG_NOTICE

system: internal power supply ok

system: redundant power supply present and ok

system: temperature ok

system: fan ok

system: rebooted <last_reset_information>

system: rebooted <last_reset_information> administrator logged in

mgmt: boot config block changed

mgmt: boot image changed

mgmt: switch reset from CLI

mgmt: syslog host changed to <ip_address>

mgmt: syslog host changed to this host

mgmt: second syslog host changed to <ip_address>

mgmt: second syslog host changed to this host

mgmt: Next boot will use active config block

mgmt: user password changed

mgmt: SLB operator password changed

mgmt: L4 operator password changed

mgmt: operator password changed

mgmt: SLB administrator password changed

mgmt: L4 administrator password changed

mgmt: administrator password changed

ssh: scp <login_level> login

ssh: scp <login_level> <"connection closed"|"idle timeout"|"logout">

mgmt: RADIUS server timeouts

mgmt: Failed login attempt via TELNET from host %s

mgmt: PASSWORD FIX-UP MODE IN USE

mgmt: <login_level> login on Console


mgmt: <login_level> <"idle timeout"|"logout"> from Console

mgmt: PANIC command from CLI

port_mirr: port mirroring is <"enabled"|"disabled">

vlan: Default VLAN can not be deleted

mgmt: <login_level> login from host <ip_address>

mgmt: <login_level> <"connection closed"|"idle timeout"|"logout"> from

IP default gateway <ip_address> <"enabled"|"disabled">

IP default gateway <ip_address> operational

vrrp: virtual router <ip_address> is now master

vrrp: virtual router <ip_address> is now backup

slb: backup server <ip_address> <"enabled"|"diabled"> for real server <server_id>

slb: backup server <ip_address> <"enabled"|"disabled"> for real server group <group_id>

slb: backup group server <ip_address> <"enabled"|"disabled"> for real server group <group_id>

slb: overflow server <ip_address> <"enabled"|"disabled"> for real server <server_id>

slb: overflow server <ip_address> <"enabled"|"disabled"> for real server group <group_id>

slb: overflow group server <ip_address> <"enabled"|"disabled"> for real server group <group_id>

slb: real server <ip_address> operational

slb: real service <ip_address:real_port> operational

slb: No services are available for Virtual Server <virtual_server>

slb: Services are available for Virtual Server <virtual_server>

bgp: session established with <BGP_peer_ip_address>


LOG_INFO

SYSTEM: bootp response from <ip_address>

mgmt: new configuration applied

mgmt: new configuration saved

mgmt: unsaved changes reverted

mgmt: Could not revert unsaved changes

mgmt: <image1|image2> downloaded from host <ip_address>, file <file_name> <software_version>

mgmt: serial EEPROM downloaded from host <ip_address> file <file_name>

ssh: scp <login_level> login

ssh: scp <login_level> <"connection closed"|"idle timeout"|"logout">

mgmt: <login_level> login on Console

mgmt: <login_level> <"idle timeout"|"logout"> from Console

mgmt: <login_level> login from host <ip_address>

mgmt: <login_level> <"connection closed"|"idle timeout"|"logout"> from Telnet/SSH.

ssh: server key autogen starts

ssh: server key autogen completes

ssh: server key autogen timer timeouts

vrrp: new synch configuration applied

vrrp: new synch configuration saved

vrrp: Synchronizing from <host_name>

vrrp: Synchronizing to <host_name>

vrrp: Config Synchronization Transmit Successful

vrrp: Config Synchronization Receive Successful

vrrp: new configuration VALIDATED
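The following is an added example, not part of the Nortel reference: it compiles a security-relevant subset of the message templates in this appendix into matchers, turning placeholders such as <ip_address> into capture groups and expanding mgmt to the four thread IDs named at the start of the appendix. The sample lines, the spacing between fields, the way the log label is rendered, and the tag names are assumptions made for this example.

```python
import re
from collections import Counter

# Thread IDs this appendix says may appear where a template shows "mgmt".
MGMT_THREADS = ("console", "telnet", "web server", "ssh")

# (log label, template as listed in this appendix, tag).
# The tags are this example's own grouping, not part of the reference.
TEMPLATES = [
    ("LOG_ALERT", "vrrp: received incorrect password from <ip_address>", "auth-failure"),
    ("LOG_ALERT", "vrrp: Synchronization from non-configured peer <ip_address>", "peer-sync"),
    ("LOG_ALERT", "vrrp: Synchronization from non-configured peer <ip_address> was blocked", "peer-sync"),
    ("LOG_ALERT", "syn_atk SYN attack detected: <count> new half-open sessions per second", "dos"),
    ("LOG_ALERT", "tcplim hold down triggered: <ip_address> for <min> minutes", "dos"),
    ("LOG_ERR", "vrrp: Sync Password Failed-Bad Password", "auth-failure"),
    ("LOG_NOTICE", "mgmt: Failed login attempt via TELNET from host %s", "auth-failure"),
    ("LOG_NOTICE", "mgmt: syslog host changed to <ip_address>", "logging-change"),
    ("LOG_NOTICE", "mgmt: administrator password changed", "credential-change"),
]

PLACEHOLDER = re.compile(r"<([A-Za-z_ ]+)>|%s")

# <Timestamp><Log Label>Web OS<Thread ID>:<Message>; whitespace between the
# fields is optional here because the reference does not show the spacing.
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\s*"
    r"(?P<label>.*?)\s*Web OS\s*(?P<payload>.+)$"
)


def compile_template(template):
    """Turn a documented template into a regex with one group per placeholder."""
    prefix = ""
    if template.startswith("mgmt:"):
        prefix = "(?:" + "|".join(re.escape(t) for t in MGMT_THREADS) + "):"
        template = template[len("mgmt:"):]
    parts, pos, seen = [prefix], 0, Counter()
    for m in PLACEHOLDER.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        name = (m.group(1) or "arg").replace(" ", "_")  # %s becomes "arg"
        seen[name] += 1
        group = name if seen[name] == 1 else f"{name}_{seen[name]}"
        parts.append(f"(?P<{group}>\\S+)")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))


COMPILED = [(label, tag, compile_template(t)) for label, t, tag in TEMPLATES]


def classify(line):
    """Return timestamp, documented label, tag and fields, or None if not a switch line."""
    m = LINE.match(line.strip())
    if not m:
        return None
    for label, tag, rx in COMPILED:
        hit = rx.fullmatch(m.group("payload"))  # fullmatch keeps "... was blocked" distinct
        if hit:
            return {"ts": m.group("ts"), "label": label, "tag": tag,
                    "fields": hit.groupdict()}
    return {"ts": m.group("ts"), "label": None, "tag": "unmatched", "fields": {}}


def auth_failures_by_source(lines):
    """Count authentication failures per reporting source address."""
    counts = Counter()
    for line in lines:
        event = classify(line)
        if event and event["tag"] == "auth-failure":
            fields = event["fields"]
            counts[fields.get("ip_address") or fields.get("arg") or "unknown"] += 1
    return counts


# Constructed sample lines (documentation address ranges), not captured output.
SAMPLE = [
    "Aug 19 14:20:30 ALERT Web OS vrrp: received incorrect password from 192.0.2.10",
    "Aug 19 14:20:41 NOTICE Web OS telnet: Failed login attempt via TELNET from host 198.51.100.7",
    "Aug 19 14:20:43 NOTICE Web OS telnet: Failed login attempt via TELNET from host 198.51.100.7",
    "Aug 19 14:21:02 NOTICE Web OS web server: syslog host changed to 203.0.113.5",
    "Aug 19 14:21:30 ALERT Web OS vrrp: Synchronization from non-configured peer 192.0.2.99 was blocked",
    "Aug 19 14:22:00 ALERT Web OS syn_atk SYN attack detected: 1200 new half-open sessions per second",
    "Aug 19 14:22:10 INFO Web OS ssh: server key autogen starts",
]

if __name__ == "__main__":
    for sample_line in SAMPLE:
        print(classify(sample_line))
    print(dict(auth_failures_by_source(SAMPLE)))
```

Templates that contain an alternation such as <"apply"|"save"> are not handled by compile_template and would need their own rule.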


APPENDIX B: Nortel Application Switch Operating System SNMP Agent

The Nortel Application Switch Operating System SNMP agent supports SNMP Version 1, Version 2, and Version 3. Version 3 supports two authentication protocols: MD5 and SHA. Nortel MIBs are registered as Vendor 1872. Detailed SNMP MIBs and trap definitions of the Nortel Application Switch Operating System SNMP agent can be found in the following enterprise MIB documents:

altroot.mib
aosSwitch.mib
aosPhysical.mib
aosNetwork.mib
aosLayer4.mib
aosLayer7.mib
aosBwm.mib
aosTrap.mib

In addition, the following SynOptics MIBs are also supported:

synro193.mib -- SynOptics Root MIB
s5roo117.mib -- SynOptics Registration MIB
s5tcs112.mib -- Textual Convention MIB
s5emt104.mib -- Ethernet Multi segment Autotopology MIB

SNMPv1, v2, and v3 traps can be sent to the hosts configured in the targetAddr table. Up to 16 IP addresses can be configured in the targetAddr table.

The Nortel Application Switch Operating System SNMP agent supports the following standard MIBs:

RFC 1213 - MIB II (System, Interface, Address Translation, IP, ICMP, TCP, UDP, SNMP Groups)
RFC 1573 - MIB II Extension (IFX table)


RFC 1643 - EtherLike MIB
RFC 1493 - Bridge MIB
RFC 1757 - RMON MIB (Statistics, History, Alarm, Event Groups)
RFC 1850 for OSPF
RFC 1657 for BGP
IEEE 802.3ad MIB for LACP

The following SNMPv3 MIBs are supported:

RFC 2571 - SNMP Framework
RFC 2572 - MPD MIB
RFC 2573 - Target MIB
RFC 2574 - USM MIB
RFC 2575 - VACM MIB
RFC 2576 - Community MIB

The Nortel Application Switch Operating System SNMP agent supports the following generic traps as defined in RFC 1215:

ColdStart
WarmStart
LinkDown
LinkUp
AuthenticationFailure

The SNMP agent also supports two Spanning Tree traps as defined in RFC 1493:

NewRoot
TopologyChange

The following are the enterprise SNMP traps supported in Nortel Application Switch Operating System:

Table 11-122 Nortel Application Switch Operating System-Supported Enterprise SNMP Traps

Trap Name Description

altSwDefGwUp Signifies that the default gateway is alive.

altSwDefGwDown Signifies that the default gateway is down.

altSwDefGwInService Signifies that the default gateway is up and in service


altSwDefGwNotInService Signifies that the default gateway is alive but not in service

altSwSlbRealServerUp Signifies that the real server is up and operational

altSwSlbRealServerDown Signifies that the real server is down and out of service

altSwSlbRealServerMaxConnReached Signifies that the real server has reached maximum connections

altSwSlbBkupRealServerAct Signifies that the backup real server is activated due to availability of the primary real server

altSwSlbBkupRealServerDeact Signifies that the backup real server is deactivated because the primary real server is available

altSwSlbBkupRealServerActOverflow Signifies that the backup real server is deactivated because the primary real server is overflowed

altSwSlbBkupRealServerDeactOverflow Signifies that the backup real server is deactivated because the primary real server is out of the overflow situation

altSwfltFilterFired Signifies that the packet received on a switch port matches the filter rule

altSwSlbRealServerServiceUp Signifies that the service port of the real server is up and operational

altSwSlbRealServerServiceDown Signifies that the service port of the real server is down and out of service

altSwVrrpNewMaster The newMaster trap indicates that the sending agent has transitioned to 'Master' state.

altSwVrrpNewBackup The newBackup trap indicates that the sending agent has transitioned to 'Backup' state.

altSwVrrpAuthFailure A vrrpAuthFailure trap signifies that a packet has been received from a router whose authentication key or authentication type conflicts with this router's authentication key or authentication type. Implementation of this trap is optional.

altSwLoginFailure An altSwLoginFailure trap signifies that someone failed to enter a valid username/password combination.


altSwSlbSynAttack An altSwSlbSynAttack trap signifies that a SYN attack has been detected.

altSwTcpHoldDown An altSwTcpHoldDown trap signifies that new TCP connection requests from a particular client will be blocked for a pre-determined amount of time since the rate of new TCP connections from that client has reached a pre-determined threshold.

altSwTempExceedThreshold An altSwTempExceedThreshold trap signifies that the switch temperature has exceeded maximum safety limits.

altSwSlbSessAttack An altSwSlbSessAttack trap signifies that an SLB attack has been detected.

altSwFanFailure An altSwFanFailure trap signifies that a fan failure has occurred.


APPENDIX C: Performing a Serial Download

You can perform a serial download of the new Nortel Application Switch software if you are upgrading Nortel Application Switch Operating System directly from any image.

This procedure requires the following:

A computer running terminal emulation software

A standard serial cable with a male DB9 connector (see your switch hardware installation guide for specifics)

A binary switch firmware image (not the tftp file used for TFTP download)

Use the following procedure to perform a serial upgrade.

1. Using the serial cable, connect the Console port of a Nortel Application Switch to the serial port of your PC that supports XModem/1K XModem.

2. Start HyperTerminal (part of Microsoft Windows) and set the following parameters:

Parameter      Value
Baud Rate      9600
Data Bits      8
Parity         None
Stop Bits      1
Flow Control   None

3. Power on the switch.

4. Hold the <Shift> key down and hit D repeatedly until the following message appears:

Nortel Application Switch - PPCBoot 2.2.
To download a serial image use 1K Xmodem at 115200


5. Reconfigure your terminal emulation software with the following parameters (only after you see the message displayed in step 4):

Parameter      Value
Baud Rate      115200
Data Bits      8
Parity         None
Stop Bits      1
Flow Control   None

NOTE – You can perform serial downloads at 57600 baud rate by pressing Shift f or at 115200 baud rate by pressing Shift d.

6. Press <Enter> on the keyboard of the PC that is connected to the console port of the switch. When the Console Port is successfully communicating with the PC, you will see: CCCC...

7. Make sure that the new binary firmware file is available on the computer. This file can be downloaded from the CD that is shipped with the switch. Select <Transfer-Send File> and choose the following:

file: For example, "21.0.0.0_Serial.img" (or the file previously downloaded to the computer)
protocol: 1K XMODEM

It will take about 15 minutes for the transfer to complete.

NOTE – Although slower, XMODEM will work too if you choose not to use 1K XMODEM.

CAUTION – Do not power off the switch until you see the message: “Change your baud rate to 9600 bps and power cycle switch”, otherwise, the switch will be inoperable.

8. Power off the switch, wait for a few seconds and power the switch on.

9. The switch will boot with the new software load. You should see the following sample log on your screen:

Nortel Application Switch - PPCBoot 2.2.
To download a serial image use 1K Xmodem at 115200
CCCCCCCCCCCCCCCCCCCCCCCCCCCCC
Total bytes transferred: 0x4ff400
Extracting images... Do *NOT* power cycle the switch
Updating flash...#################################################################
Change your baudrate to 9600 bps and power cycle the switch


Glossary

DIP (Destination IP Address)

The destination IP address of a frame.

Dport (Destination Port)

The destination port (application socket: for example, HTTP-80/HTTPS-443/DNS-53).

NAT (Network Address Translation)

Any time an IP address is changed from one source IP or destination IP address to another address, network address translation can be said to have taken place. In general, half NAT is when the destination IP or source IP address is changed from one address to another. Full NAT is when both addresses are changed from one address to another. No NAT is when neither source nor destination IP addresses are translated. Virtual server-based load balancing uses half NAT by design, because it translates the destination IP address from the Virtual Server IP address, to that of one of the real servers.

Preemption

In VRRP, preemption will cause a Virtual Router that has a lower priority to go into backup should a peer Virtual Router start advertising with a higher priority.

Priority

In VRRP, the value given to a Virtual Router to determine its ranking with its peer(s). Minimum value is 1 and maximum value is 254. Default is 100. A higher number will win out for master designation.

Proto (Protocol)

The protocol of a frame. Can be any value represented by an 8-bit value in the IP header adherent to the IP specification (for example, TCP, UDP, OSPF, ICMP, and so on).

Real Server Group

A group of real servers that are associated with a Virtual Server IP address, or a filter.


Redirection or Filter-Based Load Balancing

A type of load balancing that operates differently from virtual server-based load balancing. With this type of load balancing, requests are transparently intercepted and “redirected” to a server group. “Transparently” means that requests are not specifically destined for a Virtual Server IP address that the switch owns. Instead, a filter is configured in the switch. This filter intercepts traffic based on certain IP header criteria and load balances it.

Filters can be configured to filter on the SIP/Range (via netmask), DIP/Range (via netmask), Protocol, SPort/Range or DPort/Range. The action on a filter can be Allow, Deny, Redirect to a Server Group, or NAT (translation of either the source IP or destination IP address). In redirection-based load balancing, the destination IP address is not translated to that of one of the real servers. Therefore, redirection-based load balancing is designed to load balance devices that normally operate transparently in your network—such as a firewall, spam filter, or transparent Web cache.

RIP (Real Server)

Real Server IP Address. An IP address that the switch load balances to when requests are made to a Virtual Server IP address (VIP).

SIP (Source IP Address)

The source IP address of a frame.

SPort (Source Port)

The source port (application socket: for example, HTTP-80/HTTPS-443/DNS-53).

Tracking

In VRRP, a method to increase the priority of a virtual router and thus master designation (with preemption enabled). Tracking can be very valuable in an active/active configuration.

You can track the following:

Vrs: Virtual Routers in Master Mode (increments priority by 2 for each)
Ifs: Active IP interfaces on the Nortel Application Switch (increments priority by 2 for each)
Ports: Active ports on the same VLAN (increments priority by 2 for each)
l4pts: Active Layer 4 Ports, client or server designation (increments priority by 2 for each)
reals: healthy real servers (increments by 2 for each healthy real server)
hsrp: HSRP announcements heard on a client designated port (increments by 10 for each)

VIP (Virtual Server IP Address)

An IP address that the switch owns and uses to load balance particular service requests (like HTTP) to other servers.

VIR (Virtual Interface Router)

A VRRP address that is an IP interface address shared between two or more virtual routers.


Virtual Router

A shared address between two devices utilizing VRRP, as defined in RFC 2338. One virtual router is associated with an IP interface. This is one of the IP interfaces that the switch is assigned. All IP interfaces on the Nortel Application Switch must be in a VLAN. If there is more than one VLAN defined on the Nortel Application Switch, then the VRRP broadcasts will only be sent out on the VLAN of which the associated IP interface is a member.

Virtual Server Load Balancing

Classic load balancing. Requests destined for a Virtual Server IP address (VIP), which is owned by the switch, are load balanced to a real server contained in the group associated with the VIP. Network address translation is done back and forth, by the switch, as requests come and go.

Frames come to the switch destined for the VIP. The switch then replaces the VIP with one of the real server IP addresses (RIPs), updates the relevant checksums, and forwards the frame to the server for which it is now destined. This process of replacing the destination IP (VIP) with one of the real server addresses is called half NAT. If the frames were not half NAT'ed to the address of one of the RIPs, a server would receive the frame that was destined for its MAC address, forcing the packet up to Layer 3. The server would then drop the frame, since the packet would have the DIP of the VIP and not that of the server (RIP).

VRID (Virtual Router Identifier)

In VRRP, a value between 1 and 255 that is used by each virtual router to create its MAC address and identify its peer for which it is sharing this VRRP address. The VRRP MAC address as defined in the RFC is 00-00-5E-00-01-{VRID}. If you have a VRRP address that two switches are sharing, then the VRID number needs to be identical on both switches so each virtual router on each switch knows whom to share with.

VRRP (Virtual Router Redundancy Protocol)

A protocol that acts very similarly to Cisco's proprietary HSRP address sharing protocol. The reason for both of these protocols is so devices have a next hop or default gateway that is always available. Two or more devices sharing an IP interface are either advertising or listening for advertisements. These advertisements are sent via a broadcast message to an address such as 224.0.0.18.

With VRRP, one switch is considered the master and the other the backup. The master is always advertising via the broadcasts. The backup switch is always listening for the broadcasts. Should the master stop advertising, the backup will take over ownership of the VRRP IP and MAC addresses as defined by the specification. The switch announces this change in ownership to the devices around it by way of a Gratuitous ARP, and advertisements. If the backup switch didn't do the Gratuitous ARP, the Layer 2 devices attached to the switch would not know that the MAC address had moved in the network. For a more detailed description, refer to RFC 2338.

VSR (Virtual Server Router)

A VRRP address that is a shared Virtual Server IP address. VSR is a Nortel proprietary extension to the VRRP specification. The switches must be able to share Virtual Server IP addresses, as well as IP interfaces. If they didn’t, the two switches would fight for ownership of the Virtual Server IP address, and the ARP tables in the devices around them would have two ARP entries with the same IP address but different MAC addresses.


Index

Symbols

(MD5) ... 487
(SLB real server group option)
    content ... 424
/ command ... 56
[ ] ... 23

Numerics

1K XModem ... 671
3000 series ... 306

A

abbreviating commands (CLI) ... 60
access control
    system ... 288
action (SLB filtering option) ... 448
activating optional software ... 509
active configuration block ... 260, 515
active FTP SLB parsing statistics ... 221
active IP interface ... 393
active Layer 4 processing ... 393
active port
    VLAN ... 393
active switch configuration
    gtcfg ... 408
    ptcfg ... 408
    restoring ... 408
active switch, saving and loading configuration ... 408
add
    SLB port option ... 464
addr
    ARP entries ... 524
    IP route tag ... 109
Address Resolution Protocol (ARP)
    address list ... 524
administrator account ... 30, 33
admpw (system option) ... 293
advertisement of virtual IP addresses ... 358
aging
    STP bridge option ... 332
    STP information ... 99
application redirection ... 415, 448
    filter states ... 133
    filters ... 414
    within real server groups ... 423
apply (global command) ... 259
applying configuration changes ... 259
ASCII terminal ... 26
autoconfiguration
    duplex mode ... 39
    link ... 39, 40
    port speed ... 39
auto-negotiation ... 39
    enable/disable on port ... 305, 309, 311, 313
    setup ... 39, 40
autonomous system filter action ... 356
autonomous system filter path
    action ... 356
    as ... 356
    aspath ... 356

B

backup
    SLB real server group option ... 424
backup configuration block ... 260, 515
backup server activations (SLB statistics) ... 205, 228
bandwidth management
    configuration ... 316
    contracts ... 317
bandwidth management contract
    precedence value ... 319
bandwidth management contract configuration ... 264, 319


Bandwidth Management options
    operations-level options ... 505
bandwidth management policy configuration ... 322
    buffer limit ... 322
    hard bandwidth limit ... 322
    over the limit TOS ... 322
    reserve limit ... 322
    soft bandwidth limit ... 322
    underlimit TOS ... 322
bandwidth management statistics ... 232
banner (system option) ... 262
baud rate
    console connection ... 26
    serial download ... 671, 672
BBI ... 25
BGP
    configuration ... 371
    eBGP ... 371
    iBGP ... 371
    in route ... 374
    IP address, border router ... 373
    IP route tag ... 109
    keep-alive time ... 373
    peer ... 371
    peer configuration ... 373
    redistribution configuration ... 375
    remote autonomous system ... 373
    router hops ... 374
binary ... 671
binary firmware image ... 672
binding failure ... 204, 228
binding table ... 437
BLOCKING (port state) ... 99
boot options menu ... 511
BOOTP ... 27
    setup (enable/disable) ... 37
    system option ... 262
bootstrap protocol ... 380
Border Gateway Protocol ... 109
    configuration ... 371
Border Gateway Protocol (BGP)
    operations-level options ... 508
BPDU. See Bridge Protocol Data Unit.
bridge parameter menu, for STP ... 330
bridge priority ... 99
Bridge Protocol Data Unit (BPDU) ... 99
    STP transmission frequency ... 331
Bridge Spanning-Tree parameters ... 331
broadcast
    IP route tag ... 109
    IP route type ... 109
broadcast domains ... 339
broadcast IP address ... 43
Browser-Based Interface ... 25
BWM
    contract rate statistics ... 235
    contract statistics ... 234
    history statistics ... 237
    port ... 233
    switch processor contract statistics ... 233
    switch processor rate contract statistics ... 233

C

capture dump information to a file ... 528
Cisco Ether Channel ... 334
clear
    ARP entries ... 524
    dump information ... 529
    FDB entry ... 523
    routing table ... 525
clearing SLB statistics ... 230, 231
client traffic processing ... 463
command (help) ... 56
Command-Line Interface (CLI) ... 25 to 31, 33, 53
commands
    abbreviations ... 60
    conventions used in this manual ... 23
    global commands ... 56
    shortcuts ... 60
    stacking ... 60
    tab completion ... 60


configuration
    administrator password ... 293
    apply changes ... 259
    default gateway interval, for health checks ... 346
    default gateway IP address ... 346
    dump command ... 407
    effect on Spanning-Tree Protocol ... 259
    Fast Ethernet ... 303
    flow control ... 305, 309, 311, 313
    Gigabit Ethernet ... 303, 307, 309
    IP static route ... 348
    Layer 4 administrator password ... 292
    operating mode ... 305, 308, 313
    port link speed ... 305, 308, 313
    port mirroring ... 315
    port trunking ... 333
    route cache ... 350
    save changes ... 260
    setup ... 406
    setup command ... 403
    switch IP address ... 344
    TACACS+ ... 270
    user password ... 292
    view changes ... 259
    VLAN default (PVID) ... 303, 307, 309, 312
    VLAN IP interface ... 344
    VLAN tagging ... 304, 307, 310, 312
    VRRP ... 381
configuration block
    active ... 515
    backup ... 515
    factory ... 515
    selection ... 515
configuration menu ... 257
configuring routing information protocol ... 357
connecting
    via console ... 26
    via Telnet ... 27
connection timeout (Real Server Menu option) ... 437
console port
    communication settings ... 26
    connecting ... 26
    serial download settings ... 671, 672
content
    SLB real server group option ... 424
contracts, bandwidth management ... 317
copper ports ... 307
cost
    STP information ... 99
    STP port option ... 333
counters, No Server Available (dropped frames) ... 205, 228
CPU statistics ... 252, 254
CPU utilization ... 252, 254
cur (system option) ... 269, 272
current bindings ... 204, 227

D

date
    setup ... 37
    system option ... 262
debugging ... 519
default gateway
    information ... 107
    interval, for health checks ... 346
    metrics ... 396
    round robin, load balancing for ... 396
default password ... 30
delete
    FDB entry ... 523
deny (filtering) ... 228
designated port ... 114
diff (global) command, viewing changes ... 259
dip (destination IP address for filtering) ... 449
direct (IP route type) ... 109
directed broadcasts ... 350
DISABLED (port state) ... 99
disconnect idle timeout ... 31
Distributed Site State Protocol (DSSP)
    setting update interval ... 466
dmask
    destination mask for filtering ... 449
DNS statistics ... 192
Domain Name System (DNS)
    health checks ... 427
downloading software ... 513
dropped frames (No Server Available) counter ... 205, 228
dump
    configuration command ... 407
    maintenance ... 519
    state information ... 530
duplex mode ... 39
    link status ... 62, 78, 147
    setup ... 39


dynamic routes ... 525

E

EMS, Alteon EMS ... 46
emulation software ... 671
EtherChannel
    as used with port trunking ... 334

F

factory configuration block ... 515
factory default configuration ... 31, 33, 34
Fast Ethernet Physical Link ... 303
Fast Ethernet, configuring ports for ... 303
fastage ... 482
FDB statistics ... 171
fiber optic ports ... 309
File Transfer Protocol ... 220
filter statistics ... 213
filtered (denied) frames ... 205, 228
filters
    IP address ranges ... 449
Final Steps ... 45
first-time configuration ... 31, 33 to 50
fixed
    IP route tag ... 109
flag field ... 114
flow control ... 62, 147
    configuring ... 305, 309, 311, 313
    setup ... 39, 40
forwarding configuration
    IP forwarding configuration ... 350
forwarding database (FDB) ... 519
    delete entry ... 523
Forwarding Database Information Menu ... 90
Forwarding Database Menu ... 522, 535
forwarding state (FWD) ... 92, 99, 102
FTP server health checks ... 427
FTP SLB maintenance statistics ... 222
FTP SLB statistics dump ... 222
full-duplex ... 39
fwd (STP bridge option) ... 331
FwdDel (forward delay), bridge port ... 99

G

gig (Port Menu option) ... 303, 307, 309
Gigabit Ethernet
    configuration ... 303, 307, 309
Gigabit Ethernet Physical Link ... 303, 307, 309
global commands ... 56
global SLB maintenance statistics ... 209
global SLB statistics ... 206
grace
    graceful real server failure ... 482
Greenwich ... 272
Greenwich Mean Time (GMT) ... 272
group ... 212
gtcfg (TFTP load command) ... 408

H

half-duplex ... 39
hash metric ... 430
health check types, SLB ... 426
health checks ... 417
    default gateway interval, retries ... 346
    IDSLB ... 426
    layer information ... 132
    parameters for most protocols ... 427
    redirection (rport) ... 448
    retry, number of failed health checks ... 346
    script ... 488
    SNMP ... 428, 490
    WAP ... 492
hello
    STP information ... 99
help ... 56
host routes ... 358
Hot Standby Router on VLAN (HSRV)
    use with VLAN-tagged environment ... 386
    VRRP priority increment value ... 396
Hot Standby Router Protocol (HSRP)
    priority increment value for L4 client ports ... 395
    use with VRRP ... 386, 393
    VRRP priority increment value ... 395
Hot Standby Router VLAN (HSRV)
    use with VRRP ... 393
hot-standby failover ... 391
HP-OpenView ... 25
hprompt
    system option ... 262
HSRP. See Hot Standby Router Protocol.
HSRV. See Hot Standby Router Protocol.
HTTP
    application health checks ... 427
    redirects (Global SLB option) ... 466
    system option ... 288


http ... 288
HTTP health checks
    on any port (aphttp) ... 487

I

ICMP statistics ... 193
idle timeout
    overview ... 31
IDSLB health checks ... 426
IEEE standards
    802.1d Spanning-Tree Protocol ... 98, 329
image
    downloading ... 513
    software, selecting ... 514
IMAP server health checks ... 427
imask (IP address mask) ... 481
incorrect VIPs (statistic) ... 204, 228
incorrect Vports (dropped frames counter) ... 205, 228
indirect (IP route type) ... 109
Information
    Trunk Group Information ... 102
Information Menu ... 61
Interface change stats ... 180
interface statistics ... 195
IP address ... 42
    ARP information ... 113
    BOOTP ... 27
    configuring default gateway ... 346
    filter ranges ... 449
    IP interface ... 42
    local route cache ranges ... 351
    Telnet ... 27
IP address mask for SLB ... 481
IP configuration via setup ... 42
IP forwarding ... 378
    directed broadcasts ... 350
    local networks for route caching ... 350
IP forwarding information ... 107
IP Information Menu ... 107, 126
IP interface ... 344
    active ... 393
    configuring address ... 344
    configuring VLANs ... 344
IP interfaces ... 42, 109
    information ... 107
    IP route tag ... 109
    priority increment value (ifs) for VRRP ... 395
IP network filter configuration ... 352
IP port configuration ... 378
IP Route Manipulation Menu ... 525
IP routing ... 42
    tag parameters ... 109
IP Static Route Menu ... 348
IP statistics ... 181
IP subnet mask ... 42
IP subnets
    VLANs ... 339

L

l4apw (L4 administrator system option) ... 292
Layer 4
    administrator account ... 30
Layer 4 processing
    active ... 393
layer 7 SLB maintenance statistics ... 216
layer 7 SLB string statistics ... 215
layer7 redirection statistics ... 214, 218
LDAP version ... 487
LEARNING (port state) ... 99
least connections (SLB Real Server metric) ... 426, 430
licence certificate ... 509
license password ... 509
link
    speed, configuring ... 305, 308, 313
link status ... 62
    command ... 148
    duplex mode ... 62, 78, 147
    port speed ... 62, 78, 147
Link Status Information ... 147
linkt (SNMP option) ... 275
LISTENING (port state) ... 99
lmask (routing option) ... 107
lnet (routing option) ... 107
local (IP route type) ... 109
local network for route caching ... 350
local route cache
    IP address ranges for ... 351
log
    syslog messages ... 264
logical segment. See IP subnets.

M

MAC (media access control) address ... 63, 90, 113, 509, 522
    switch location ... 27


Main Menu ... 53
    Command-Line Interface (CLI) ... 31
    summary ... 54
Maintenance Menu ... 519
Management Processor (MP) ... 527
    display MAC address ... 63
manual style conventions ... 23
martian
    IP route tag (filtered) ... 109
    IP route type (filtered out) ... 109
mask
    IP interface subnet address ... 344
MaxAge (STP information) ... 99
mcon (maximum connections) ... 205, 228, 424
MD5 authentication key ... 362
MD5 cryptographic authentication ... 363
MD5 key ... 366
media access control. See MAC address.
metric
    SLB real server group option ... 423
metrics, SLB ... 429
minimum misses (SLB real server metric) ... 426, 429
Miscellaneous Debug Menu ... 527, 545
mmask
    IP address mask for SLB ... 481
mnet
    management traffic IP address for SLB ... 481
monitor port ... 315
mp
    packet ... 249
MP. See Management Processor.
multicast
    IP route type ... 109
multi-links between switches
    using port trunking ... 102, 333
mxage (STP bridge option) ... 331

N

nbr change statistics ... 179
Network Address Translation (NAT)
    filter action ... 448
network management ... 25
non TCP/IP frames ... 204, 228
notice ... 262
NTP synchronization ... 272
NTP time zone ... 272

O

octet counters ... 211
online help ... 56
operating mode, configuring ... 305, 308, 313
operations menu ... 499
operations-level BGP options ... 508
operations-level BWM options ... 505
operations-level IP options ... 508
Operations-Level Port Options ... 501
operations-level SLB options ... 502
operations-level VRRP options ... 505
optional software ... 62, 150
    activating ... 509
    removing ... 510
OSPF
    area types ... 119, 361
ospf
    area index ... 361, 363
    authentication key ... 366
    configuration ... 361
    cost of the selected path ... 366
    cost value of the host ... 369
    dead, declaring a silent router to be down ... 366
    dead, health parameter of a hello packet ... 367
    export ... 370
    fixed routes ... 371
    general ... 177
    global ... 177
    hello, authentication parameter of a hello packet ... 367
    host entry configuration ... 369
    host routes ... 362
    interface ... 361
    interface configuration ... 365
    link state database ... 362
    MD5 authentication key ... 362
    Not-So-Stubby Area ... 363
    priority value of the switch interface ... 366
    range number ... 361
    redistribution menu ... 362
    route redistribution configuration ... 370
    spf, shortest path first ... 364
    stub area ... 363
    summary range configuration ... 364
    transit area ... 363
    transit delay ... 366
    type ... 363
    virtual link ... 361
    virtual link configuration ... 367
    virtual neighbor, router ID ... 367
OSPF Database Information ... 122
OSPF general ... 120
OSPF General Information ... 121
OSPF Information ... 119
OSPF Information Route Codes ... 124
OSPF statistics ... 176, 184
overflow server activations ... 205, 228
overflow servers ... 416

P

panic
    command ... 530
    switch (and Maintenance Menu option) ... 519
parameters
    tag ... 109
    type ... 109
Passive FTP SLB Parsing Statistics ... 221
Password
    user access control ... 292
password
    administrator account ... 30
    default ... 30
    L4 administrator account ... 30
    user account ... 30
    VRRP authentication ... 394
passwords ... 29
persistent bindings
    real server ... 437
ping ... 57, 415
PIP ... 496
POP3
    server health checks ... 427
port
    bandwidth management switch processor statistics ... 233
    switch port contract statistics menu ... 232
port configuration ... 301
port flow control. See flow control.
Port Menu
    configuration options ... 307
    configuring Fast Ethernet ... 303
    configuring Gigabit Ethernet (gig) ... 303, 307, 309
port mirroring
    configuration ... 315
Port number ... 147
port speed ... 62, 78, 147
    auto-sense ... 39
    setup ... 39
port states
    UNK (unknown) ... 92
port trunking
    description ... 333
port trunking configuration ... 333
ports
    configuration ... 38
    disabling (temporarily) ... 314
    information ... 149
    IP status ... 107
    membership of the VLAN ... 90, 103
    priority ... 99
    RJ-45 ... 302
    SLB state information ... 133
    STP port priority ... 333
    VLAN ID ... 62, 149
preemption
    assuming VRRP master routing authority ... 385
    virtual router ... 384, 391
priority
    virtual router ... 391
priority (STP port option) ... 333
prisrv
    primary radius server ... 269
proxies
    IP address translation ... 417
proxy IP address (PIP) ... 133

Page 684: Nortel Commands

proxy IP address (PIP) configuration .... 496
ptcfg (TFTP save command) .... 408
PVID (port VLAN ID) .... 62, 149
pwd .... 57

Q

quiet (screen display option) .... 57

R

RADIUS
    server authentication .... 428
read community string (SNMP option) .... 275
real server
    statistics .... 211
real server global SLB statistics .... 207
real server group options
    add .... 425
real server group SLB configuration .... 423
real server group statistics .... 212
real server groups
    combining servers into .... 423
    statistics .... 212
real server SLB configuration .... 414
real servers
    backup .... 424
    priority increment value (reals) for VRRP .... 395
    SLB state information .... 132
reboot .... 519, 530
receive flow control .... 39, 40, 305, 309, 311, 313, 314
redir (SLB filtering option) .... 448
reference ports .... 92
referenced port .... 114
remote monitoring on the port (rmon) .... 501
remote site servers .... 417
removing optional software .... 510
reset key combination .... 520
restarting switch setup .... 36
retries
    radius server .... 269
retry
    health checks for default gateway .... 346
rip
    IP route tag .... 109
RIP. See Routing Information Protocol.
rmkey .... 510
round robin
    as used in gateway load balancing .... 396
roundrobin
    SLB Real Server metric .... 426, 430
routecache configuration .... 350
route statistics .... 189
router hops .... 374
routing information protocol
    configuration .... 357
Routing Information Protocol (RIP) .... 109
    options .... 359
rport
    SLB virtual server option .... 435
RTSP SLB statistics .... 223
rx flow control .... 39, 40
Rx/Tx statistics .... 178

S

save (global command) .... 260
    noback option .... 260
save command .... 515
script
    health checks .... 488
scriptable health checks configuration .... 488
secret
    radius server .... 269
secsrv
    secondary radius server .... 269
security
    VLANs .... 339
segmentation. See IP subnets.
segments. See IP subnets.
serial cable .... 26
serial download .... 671
Server Load Balancing
    IDS .... 422
    operations-level options .... 502
    real server weights .... 415
server load balancing
    client traffic processing .... 463
    health check .... 426
    health check types .... 426
    metrics .... 429
    port options .... 464
    server traffic processing .... 463
server load balancing configuration options .... 412
Server Load Balancing Maintenance Statistics Menu .... 219, 220, 227
server port mapping .... 133

Page 685: Nortel Commands

server traffic processing .... 463
Session Binding Table .... 416
session identifier .... 433
setup
    configuration .... 406
setup command, configuration .... 403
setup facility .... 31, 33
    BOOTP .... 37
    duplex mode .... 39
    IP configuration .... 42
    IP subnet mask .... 42
    port auto-negotiation mode .... 39, 40
    port configuration .... 38
    port flow control .... 39, 40
    port speed .... 39
    restarting .... 36
    Spanning-Tree Protocol .... 38
    starting .... 34
    stopping .... 36
    system date .... 37
    system time .... 37
    VLAN name .... 41
    VLAN port numbers .... 41
    VLAN tagging .... 40
    VLANs .... 41
SFD statistics
    mp specific .... 252
SFP GBIC ports .... 309
shortcuts (CLI) .... 60
single-mode ports .... 307
SIP (source IP address for filtering) .... 449
SLB filtering option
    action .... 448
SLB Information .... 132
SLB layer7 statistics .... 214
SLB real server group health checks
    arp .... 426
    dns .... 427
    ftp .... 427
    http .... 427
    icmp .... 426
    imap .... 427
    ldap .... 428
    radius .... 428
    script .... 428
    smtp .... 427
    SNMP .... 428
    sslh .... 427
    tcp .... 426
    udpdns .... 428
    wsp .... 428
    wtls .... 428
SLB real server group option
    application health checking .... 424
    health checking .... 424
    metric .... 423
SLB real server option
    backup .... 416
    intr (interval) .... 417
    maxcon (maximum connections) .... 416
    name, alias for each real server .... 415
    restr (restore) SLB real server UDP option .... 417
    retry .... 417
    RIP, real server IP address .... 415
    submac .... 417
    tmout (time out) .... 416
    weights .... 415
slowage .... 482
smask
    source mask for filtering .... 449
smtp .... 262
SMTP server health checks .... 427
snap traces
    buffer .... 527
SNMP .... 25, 152
    health checks .... 490
    HP-OpenView .... 25
    menu options .... 274
    set and get access .... 275
SNMP Agent .... 667
SNMP health check configuration .... 490
SNMP health checks .... 428
SNMP Support
    optional setup for SNMP support .... 46

Page 686: Nortel Commands

software
    image file and version .... 63
    license .... 509
software image .... 512
SP specific statistics .... 253
spanning tree
    configuration .... 329
Spanning-Tree Protocol .... 102, 259
    bridge aging option .... 332
    bridge parameters .... 331
    bridge priority .... 99
    port cost option .... 333
    port priority option .... 333
    root bridge .... 99, 331
    setup (on/off) .... 38
    switch reset effect .... 517
SSL .... 437
    secure socket layer statistics .... 219
stacking commands (CLI) .... 60
starting switch setup .... 34
state (STP information) .... 99
state information, client system .... 437
static
    IP route tag .... 109
static route
    rem .... 348
static route
    add .... 348
statistics
    group .... 212
    management processor .... 248
Statistics Menu .... 151
stopping switch setup .... 36
subnet address mask configuration
    IP subnet address .... 344
subnet mask .... 42
subnets .... 42
    IP interface .... 344
switch
    resetting .... 517
Switch Processor (SP) .... 527
    display trace buffer .... 527
swkey .... 509
SYN attack detection configuration .... 483
sync .... 502
synchronization
    VRRP switch .... 478, 502
syslog
    system host log configuration .... 263
system
    contact (SNMP option) .... 274
    date and time .... 61, 63
    location (SNMP option) .... 274
system access control configuration .... 288
System Maintenance Menu .... 522
system options
    admpw (administrator password) .... 293
    BOOTP .... 262
    cur (current system parameters) .... 269, 272
    date .... 262
    hprompt .... 262
    HTTP access .... 288
    l4apw (Layer 4 administrator password) .... 292
    login banner .... 262
    time .... 262
    tnet .... 288
    tnport .... 289
    usrpw (user password) .... 292
system parameters, current .... 269, 272

T

tab completion (CLI) .... 60
tacacs .... 270
TACACS+ .... 270
TCP
    fragments .... 433
    health checking using .... 417
    health checks .... 427
    source and destination ports .... 447
TCP statistics .... 197, 251
Telnet .... 27
    BOOTP .... 27
    configuring switches using .... 407
telnet
    radius server .... 269
Telnet support
    optional setup for Telnet support .... 46
terminal emulation .... 26
text conventions .... 23
TFTP .... 513
    PUT and GET commands .... 408
TFTP server .... 408
time
    setup .... 37
    system option .... 262
timeout
    radius server .... 269

Page 687: Nortel Commands

timeouts
    idle connection .... 31
timers kickoff .... 180
time-to-live, DNS response (global SLB menu option) .... 471
tnet
    system option .... 288
tnport
    system option .... 289
TPCP (Transparent Proxy Cache Protocol) .... 482
trace buffer .... 527
    Switch Processor .... 527
traceroute .... 57
Tracking
    VRRP .... 383, 387
transmit flow control .... 39, 40, 305, 309, 311, 313, 314
transparent proxies, when used for NAT .... 448
Trunk Group Information .... 102
ttl (time to live, global SLB menu option) .... 466
tx flow control .... 39, 40
type of area
    ospf .... 363
type parameters .... 109
typographic conventions, manual .... 23
tzone .... 272

U

UCB statistics .... 251
UDP
    datagrams .... 204, 228
    server status using .... 417
    source and destination ports .... 447
UDP statistics .... 199
unknown (UNK) port state .... 92
Unscheduled System Dump .... 531
upgrade, switch software .... 512
URL for health checks .... 133
user account .... 30
usrpw (system option) .... 292
Uuencode Flash Dump .... 528

V

verbose .... 57
vip
    advertisement of virtual IP addresses as Host Routes .... 358
    IP route tag .... 109
virtual IP address (VIP) .... 133
virtual port state, SLB information about .... 133
virtual router
    description .... 383
    priority .... 391
    tracking criteria .... 385
virtual router group
    VRRP priority tracking .... 391
virtual router group configuration .... 390
virtual router group priority tracking .... 392
Virtual Router Redundancy Protocol (VRRP)
    authentication parameters for IP interfaces .... 394
    group options (prio) .... 391
    operations-level options .... 505
    password, authentication .... 394
    priority election for the virtual router .... 384
    priority tracking options .... 373, 386
Virtual Router Redundancy Protocol configuration .... 381
virtual router sharing .... 391
virtual routers
    HSRP failover .... 386, 393
    HSRP priority increment value .... 395
    HSRV .... 393
    HSRV priority increment value .... 396
    increasing priority level of .... 385, 389
    incrementing VRRP instance .... 386
    master preemption (preem) .... 391
    master preemption (prio) .... 384
    priority increment values (vrs) for VRRP .... 395
virtual server global SLB statistics .... 207
virtual server SLB statistics .... 213
virtual servers .... 426
    SLB state information .... 133
    statistics .... 213
VLAN
    active port .... 393
    configuration .... 339
VLAN tagging
    port configuration .... 304, 307, 310, 312
    port restrictions .... 340
    setup .... 40

Page 688: Nortel Commands

VLANs .... 42
    ARP entry information .... 113
    broadcast domains .... 339
    information .... 103
    interface .... 43
    multiple spanning trees .... 329
    name .... 90, 103
    name setup .... 41
    port membership .... 90, 103
    port numbers .... 41
    security .... 339
    setting default number (PVID) .... 303, 307, 309, 312
    setup .... 41
    Spanning-Tree Protocol .... 329
    tagging .... 40, 62, 149, 340
    VLAN Number .... 103
VRID (virtual router ID) .... 383, 391
VRRP
    interface configuration .... 394
    master advertisements .... 384
    tracking .... 383, 387
    tracking configuration .... 395
    virtual router sharing .... 384
VRRP Information .... 127
VRRP master advertisements
    time interval .... 391
VRRP statistics .... 191

W

WAP
    health checks .... 492
WAP health check
    wspport .... 490, 492
    wtlsprt .... 490, 493
WAP health check configuration .... 492
WAP SLB statistics .... 225
watchdog timer .... 520
web-based management interface .... 25
weights
    for SLB real servers .... 431
    setting virtual router priority values .... 395
write community string (SNMP option) .... 275
wspport
    WAP health check .... 490, 492
wtlsprt
    WAP health check .... 490, 493

X

XModem .... 671
