Foundry ServerIron® Switch Command Line Interface Reference

2100 Gold Street
P.O. Box 649100
San Jose, CA 95164-9100
Tel 408.586.1700
Fax 408.586.1900
www.foundrynetworks.com

February 2002

Copyright 2002 by Foundry Networks, Inc.

Contents

Chapter 1 Getting Started
    Introduction
    Audience
    Nomenclature
    Related Publications
    How to Get Help
        Warranty Coverage

Chapter 2 Using the Command Line Interface
    EXEC Commands
        User Level
        Privileged Level
    CONFIG Commands
        Global Level
        Redundancy Level
        Interface Level
        VLAN Level
        Real Server, Cache Server, and Firewall Level
        Virtual Server Level
        Cache Group and Firewall Group Level
        Global Affinity Level
        Global SLB DNS Zone Level
        Global SLB Site Level
        Global SLB Policy Level
        URL Switching Policy Level
        HTTP Matching List Level
        Server Monitor Level
        Routing Information Protocol (RIP) Level
    Accessing the CLI
        Navigating Among Command Levels
        CLI Command Structure
        Syntax Shortcuts
        Saving Configuration Changes

Chapter 3 Command List
    Complete Command List
    Commands Listed by CLI Level
        User EXEC Level
        Privileged EXEC Level
        CONFIG Commands

Chapter 4 User EXEC Commands
Chapter 5 Privileged EXEC Commands
Chapter 6 Global CONFIG Commands
Chapter 7 Redundant Management Module CONFIG Commands
Chapter 8 Interface Commands
Chapter 9 VLAN Commands
Chapter 10 Real Server Commands
Chapter 11 Virtual Server Commands
Chapter 12 Cache Group Commands
Chapter 13 GSLB Affinity Commands
Chapter 14 GSLB DNS Zone Commands
Chapter 15 GSLB Site Commands
Chapter 16 GSLB Policy Commands
Chapter 17 URL Switching Commands
Chapter 18 HTTP Match List Commands
Chapter 19 Server Monitor Commands
Chapter 20 Routing Information Protocol (RIP) Commands
Chapter 21 Show Commands

Chapter 1 Getting Started

Introduction

This reference describes the Command Line Interface (CLI) for Foundry ServerIron® switch products.

For step-by-step instructions on how to install key features of the system, see the Foundry ServerIron Installation and Configuration Guide.

NOTE: Some commands are supported only on specific products. Where this is the case, the description for the command states the products to which the command applies.

NOTE: This reference lists all the commands that appear at each command level for users with super-user access. If you are logged on with port-configuration access or read-only access, some of these commands will not be displayed and will not be available.

Audience

This manual is designed for system administrators with a working knowledge of Layer 2 and Layer 4 – 7 networking.

Nomenclature

This guide uses the following typographical conventions to show information:

Italic highlights the title of another publication and occasionally emphasizes a word or phrase.

Bold highlights a CLI command.

Bold Italic highlights a term that is being defined.

Underline highlights a link on the Web management interface.

Capitals highlights field names and buttons that appear in the Web management interface.

NOTE: A note emphasizes an important fact or calls your attention to a dependency.

WARNING: A warning calls your attention to a possible hazard that can cause injury or death.

CAUTION: A caution calls your attention to a possible hazard that can damage equipment.

Related Publications

The following Foundry Networks documents supplement the information in this guide.

• Foundry ServerIron Application Guide – provides setup procedures for the ServerIron’s basic SLB and TCS features.

• Foundry ServerIron Installation and Configuration Guide – provides installation instructions as well as detailed feature descriptions, procedures, and application examples for Server Load Balancing (SLB), Global SLB (GSLB), Transparent Cache Switching (TCS), and URL Switching.

• Foundry ServerIron Firewall Load Balancing Guide – provides detailed feature descriptions, procedures, and application examples for Firewall Load Balancing (FWLB).

To order additional copies of these manuals, do one of the following:

• Call 1-877-TURBOCALL (887-2622) in the United States or 408.586.1881 outside the United States.

• Send email to [email protected].

How to Get Help

Foundry Networks technical support will ensure that the fast and easy access that you have come to expect from your Foundry Networks products will be maintained.

Web Access

The latest product information and technical tips are always available to our customers from the Foundry Networks web site. You can access the web site at the following URL:

• http://www.foundrynetworks.com

Email Access

Technical requests can also be sent to the following email address:

[email protected]

Telephone Access

• 1-877-TURBOCALL (887-2622) United States

• 408.586.1881 Outside the United States

Warranty Coverage

Contact Foundry Networks using any of the methods listed above for information about the standard and extended warranties.

Chapter 2 Using the Command Line Interface

The CLI is a text-based interface for configuring and monitoring Foundry ServerIron products. You can access the CLI through either a direct serial connection to the device or a Telnet session.

The commands in the CLI are organized into the following levels:

• User EXEC – Lets you display information and perform basic tasks such as pings and trace routes.

• Privileged EXEC – Lets you use the same commands as those at the User EXEC level plus configuration commands that do not require saving the changes to the system-config file.

• CONFIG – Lets you make configuration changes to the device. To save the changes across reboots, you need to save them to the system-config file. The CONFIG level contains sub-levels for individual ports, for VLANs, and other configuration areas.

NOTE: By default, any user who can open a serial or Telnet connection to the Foundry device can access all these CLI levels. To secure access, you can configure Enable passwords or local user accounts, or you can configure the device to use Access Control Lists (ACLs), a RADIUS server, or a TACACS/TACACS+ server for authentication. See the Foundry Security Guide.

To display a list of available commands or command options, enter “?” or press Tab. If you have not entered part of a command at the command prompt, all the commands supported at the current CLI level are listed. If you enter part of a command, then enter “?” or press Tab, the CLI lists the options you can enter at that point in the command string.

The CLI supports command completion, so you do not need to enter the entire name of a command or option. As long as you enter enough characters of the command or option name to avoid ambiguity with other commands or options, the CLI understands what you are typing.

The CLI supports the following line editing commands. To enter a line-editing command, use the CTRL-key combination for the command by pressing and holding the CTRL key, then pressing the letter associated with the command.

Table 2.1: CLI Line-Editing Commands

Ctrl-Key Combination   Description
Ctrl-A                 Moves to the first character on the command line.
Ctrl-B                 Moves the cursor back one character.
Ctrl-C                 Escapes and terminates command prompts and ongoing tasks (such as lengthy displays), and displays a fresh command prompt.
Ctrl-D                 Deletes the character at the cursor.
Ctrl-E                 Moves to the end of the current command line.
Ctrl-F                 Moves the cursor forward one character.
Ctrl-K                 Deletes all characters from the cursor to the end of the command line.
Ctrl-L; Ctrl-R         Repeats the current command line on a new line.
Ctrl-N                 Enters the next command line in the history buffer.
Ctrl-P                 Enters the previous command line in the history buffer.
Ctrl-U; Ctrl-X         Deletes all characters from the cursor to the beginning of the command line.
Ctrl-W                 Deletes the last word you typed.
Ctrl-Z                 Moves from any CONFIG level of the CLI to the Privileged EXEC level; at the Privileged EXEC level, moves to the User EXEC level.

EXEC Commands

There are two different levels of EXEC commands, the User Level and the Privileged Level. The User level commands are at the top of the CLI hierarchy. These are the first commands that you have access to when connected to the ServerIron through the CLI.

User Level

At the User EXEC level, you can view basic system information and verify connectivity but cannot make any changes to the ServerIron configuration. To make changes to the configuration base, you must move to other levels of the CLI hierarchy. This is accomplished by entering the enable command at initial log-on. Once entered correctly, you have access to the Privileged Level.

Privileged Level

The Privileged Level EXEC commands primarily enable you to transfer and store ServerIron software images and configuration files between the network and the system, and to review its configuration. You reach this level by entering enable <password> or enable <username> <password> at the user EXEC level.

CONFIG Commands

Global Level

The global level is the first level of the CONFIG command structure. The global CONFIG level allows you to globally apply or modify parameters for ports on the ServerIron. You reach this level by entering configure terminal at the privileged EXEC level.

Redundancy Level

This redundancy level allows you to configure redundancy parameters for redundant management modules. You reach this level by entering the redundancy command at the global CONFIG level.

NOTE: The redundancy commands apply only to a BigServerIron with redundant management modules.

Interface Level

The interface level allows you to assign or modify specific port parameters on a port-by-port basis. You reach this level by entering interface ethernet <portnum> at the global level.

VLAN Level

Policy-based VLANs allow you to assign VLANs on a protocol (IP, IPX, Decnet, AppleTalk, NetBIOS, Others), sub-net (IP sub-net and IPX network), port, or 802.1q tagged basis. You reach this level by entering the vlan <vlan-id> by port command at the Global CONFIG Level for switches and vlan 1 for routers.

Real Server, Cache Server, and Firewall Level

This level allows you to assign and configure servers for the SLB, TCS, FWLB, and web switching features. For SLB and web switching, you reach this level by entering the server real-name <text> <ip-addr> command at the global CONFIG level. For TCS, you reach this level by entering the server cache-name <text> command. For FWLB, you reach this level by entering the server fw-name <text> <ip-addr> command.

Virtual Server Level

The virtual server level allows you to assign and configure virtual servers. You reach this level by entering the server virtual-name <text> <ip-addr> command at the global CONFIG level.

Cache Group and Firewall Group Level

This level allows you to configure TCS cache groups and the FWLB firewall group. For TCS, you reach this level by entering the server cache-group <num> command at the global CONFIG level. For FWLB, you reach this level by entering the server fw-group 2 command at the global CONFIG level.

Global Affinity Level

This level allows you to configure Global SLB (GSLB) affinity parameters. You reach this level by entering the gslb dns affinity command at the global CONFIG level.

Global SLB DNS Zone Level

This level allows you to configure GSLB DNS zone parameters. You reach this level by entering the gslb dns zone-name <name> command at the global CONFIG level.

Global SLB Site Level

This level allows you to configure GSLB site parameters. You reach this level by entering the gslb site <name> command at the global CONFIG level.

Global SLB Policy Level

This level allows you to configure GSLB policy parameters. You reach this level by entering the gslb policy command at the global CONFIG level.

URL Switching Policy Level

This level allows you to configure URL switching policies. You reach this level by entering the url-map <policy-name> command at the global CONFIG level.

HTTP Matching List Level

This level allows you to configure matching lists of selection criteria for HTTP content verification health checks. You reach this level by entering the http match-list <name> command at the global CONFIG level.

Server Monitor Level

This level allows you to configure history lists for monitoring Layer 4 statistics. You reach this level by entering the server monitor command at the global CONFIG level.

Routing Information Protocol (RIP) Level

This level allows you to configure global RIP parameters for use with IP forwarding. You reach this level by entering the router rip command at the global CONFIG level.

Accessing the CLI

The CLI can be accessed through both serial and Telnet connections. For initial log on, you must use a serial connection. Once an IP address is assigned, you can access the CLI through Telnet.

NOTE: When accessing the CLI through Telnet, you are prompted for a password. By default, the password required is the password you enter for general access at initial setup. You also have the option of assigning a separate password for Telnet access with the enable telnet password <password> command, available at the global CONFIG level.

NOTE: At initial log on, all you need to do is type enable at the prompt. You only need to enter a password after a permanent password is entered at global CONFIG level of the CLI.

Once connectivity to the ServerIron is established, you will see one of the following prompts:

FastIron>

ServerIron>

SW-TurboIron>

At this prompt, you are at the user level of the CLI EXEC command structure.

To reach the Global CONFIG Level, the uppermost level of the CONFIG commands, enter the following commands:

ServerIron> enable                 User Level EXEC commands
ServerIron# configure terminal     Privileged Level EXEC commands
ServerIron(config)#                Global Level CONFIG commands

You can then reach all other levels of the CONFIG command structure from this point.

The CLI prompt will change at each level of the CONFIG command structure, to easily identify the current level. A summary of the look of each prompt is noted below:

ServerIron>                               User EXEC level
ServerIron#                               Privileged EXEC level
ServerIron(config)#                       Global CONFIG level
BigServerIron(config-redundancy)#         Redundant Management Module CONFIG level
ServerIron(config-gslb-dns-affinity)#     Global SLB Affinity level
ServerIron(config-gslb-dns-zonename)#     Global SLB DNS Zone level
ServerIron(config-gslb-policy)#           Global SLB Policy level
ServerIron(config-gslb-site-sitename)#    Global SLB Site level
ServerIron(config-if-portnum)#            Interface CONFIG level
ServerIron(config-vif-number)#            Virtual Interface CONFIG level
ServerIron(config-vlan-number)#           Port-based VLAN level
ServerIron(config-vlan-protocoltype)#     Protocol VLAN level
ServerIron(config-tc-cachename)#          Cache Group level
ServerIron(config-tc-firewallname)#       Firewall Group level
ServerIron(config-rs-servername)#         Real Server level
ServerIron(config-url-policy)#            URL Switching Policy level
ServerIron(config-vs-servername)#         Virtual Server level
ServerIron(config-http-ml-listname)#      HTTP Matching List level
ServerIron(config-slb-mon)#               Server Monitor Level

NOTE: The CLI prompt at the interface level includes the port speed. The speed is one of the following:

• e100 – The interface is a 10/100 port.

• e1000 – The interface is a Gigabit port.

For simplicity, the port speeds sometimes are not shown in example Interface level prompts in this manual.
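Because the prompt encodes the command level, a captured console or Telnet session can be reviewed for every command entered above the User EXEC level. The following Python sketch is an added example, not part of the original manual or any Foundry tool: it classifies session lines using only the prompt forms summarized above, and the function names, the sample session and the addresses in it are constructed for illustration.

```python
import re

# Prompt contexts from the summary above. A key ending in "-" is a prefix that
# is followed by a name or number; any other key must match exactly.
CONFIG_LEVELS = [
    ("config-redundancy", "Redundant Management Module CONFIG"),
    ("config-gslb-dns-affinity", "Global SLB Affinity"),  # test before the zone prefix
    ("config-gslb-dns-", "Global SLB DNS Zone"),
    ("config-gslb-policy", "Global SLB Policy"),
    ("config-gslb-site-", "Global SLB Site"),
    ("config-if-", "Interface CONFIG"),  # prefix match tolerates a port-speed token
    ("config-vif-", "Virtual Interface CONFIG"),
    ("config-vlan-", "Port-based or Protocol VLAN"),    # both levels share the prefix
    ("config-tc-", "Cache Group or Firewall Group"),    # both levels share the prefix
    ("config-rs-", "Real Server"),
    ("config-url-", "URL Switching Policy"),
    ("config-vs-", "Virtual Server"),
    ("config-http-ml-", "HTTP Matching List"),
    ("config-slb-mon", "Server Monitor"),
]

# <hostname>[(<config context>)]<'>' or '#'> <command>
PROMPT = re.compile(
    r"^(?P<host>[A-Za-z0-9_.-]+)"
    r"(?:\((?P<ctx>config[^()\s]*)\))?"
    r"(?P<mark>[>#]) ?(?P<cmd>.*)$"
)


def config_level(ctx):
    """Map the text inside the prompt's parentheses to a CONFIG level name."""
    if ctx == "config":
        return "Global CONFIG"
    for key, name in CONFIG_LEVELS:
        if key.endswith("-"):
            if ctx.startswith(key) and len(ctx) > len(key):
                return name
        elif ctx == key:
            # A DNS zone literally named "affinity" would be indistinguishable
            # from the affinity level by prompt alone.
            return name
    return "CONFIG (unrecognized sub-level)"


def classify(line, hostname=None):
    """Return (level, command) for a prompt line, or None for any other line.

    Passing the device's hostname rejects output lines that merely look like
    a prompt (for example a column header ending in '#').
    """
    m = PROMPT.match(line.rstrip("\r\n"))
    if not m or (hostname is not None and m.group("host") != hostname):
        return None
    ctx, mark = m.group("ctx"), m.group("mark")
    if mark == ">":
        if ctx:
            return None  # no CONFIG prompt ends in '>'
        level = "User EXEC"
    elif ctx:
        level = config_level(ctx)
    else:
        level = "Privileged EXEC"
    return level, m.group("cmd").strip()


def privileged_commands(transcript, hostname=None):
    """List (level, command) for every command typed above User EXEC."""
    hits = []
    for line in transcript.splitlines():
        parsed = classify(line, hostname)
        if parsed and parsed[0] != "User EXEC" and parsed[1]:
            hits.append(parsed)
    return hits


# Constructed sample session (not captured from a real device).
SAMPLE_SESSION = """\
ServerIron> enable
ServerIron# copy ?
  flash
  running-config
  startup-config
  tftp
ServerIron# configure terminal
ServerIron(config)# server virtual-name www 192.0.2.10
ServerIron(config-vs-www)# predictor round-robin
ServerIron(config-vs-www)# exit
ServerIron(config)# exit
ServerIron# write memory
"""

if __name__ == "__main__":
    for level, cmd in privileged_commands(SAMPLE_SESSION, hostname="ServerIron"):
        print(f"{level:<20} {cmd}")
```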

Navigating Among Command Levels

To reach other CLI command levels, you need to enter certain commands. At each level there is a launch command that allows you to move either up or down to the next level.

CLI Command Structure

Many CLI commands may require textual or numeric input as part of the command. These fields are either required or optional depending on how the information is bracketed. For clarity, a few CLI command examples are explained below.

EXAMPLE:

server virtual-name <value>

vlan <num> [name <value>] by port

Whenever an item is bracketed with “< >” symbols, the information requested is required.

Whenever an item is bracketed with “[ ]” symbols, the information requested is optional.

Whenever two or more options are separated by a vertical bar, “|”, you must enter one of the options as part of the command.

predictor least-conn | response-time | round-robin | weighted

For example, the command above requires that "least-conn", "response-time", "round-robin", or "weighted" be entered as part of the command.

To get a quick display of available options at a CLI level, enter a question mark (?) at the prompt, and a summary list of possible commands will be listed, as shown below:

To view all available commands at the user level, enter the following:

ServerIron> ? <return>

enable

fastboot

You also can use the question mark (?) with an individual command to see all available options for that command or to check context.

To view possible copy command options, enter the following:

ServerIron# copy ?

flash

running-config

startup-config

tftp

ServerIron# copy flash ?

tftp

Syntax Shortcuts

Commands and parameters can be abbreviated as long as enough text is entered to distinguish them from other commands at that level. For example, given the possible commands copy tftp… and config tftp…, possible shortcuts are cop tftp and con tftp respectively. In this case, co does not properly distinguish the two commands.
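Abbreviation matters when session logs are searched for specific commands, because the typed line has to be expanded before it can be compared with a full command name. The following Python sketch is an added example, not code from the original manual or from Foundry: it models unambiguous-prefix matching over a small table of commands named in this reference. The function names, the grouping of these commands into one level, the preference for an exact keyword match, and the sample inputs are assumptions of the example.

```python
from typing import List, NamedTuple

# Commands named in this reference, treated here as one level's command table.
# Grouping them into a single level is an assumption of this example.
LEVEL_COMMANDS = [
    "clear arp", "clear logging", "clock", "configure terminal",
    "copy flash tftp", "copy running-config tftp", "copy startup-config tftp",
    "copy tftp flash", "copy tftp running-config", "copy tftp startup-config",
    "erase startup-config", "ping", "reload", "write memory",
]

END = None  # sentinel key: a complete command may end at this node


class Resolution(NamedTuple):
    status: str            # "ok", "ambiguous", "incomplete" or "unknown"
    command: str           # keywords resolved so far, plus arguments when "ok"
    candidates: List[str]  # competing keywords when "ambiguous"


def build_table(commands):
    """Build a keyword tree: one nested dict level per command keyword."""
    root = {}
    for command in commands:
        node = root
        for word in command.split():
            node = node.setdefault(word, {})
        node[END] = True
    return root


def resolve(typed, table):
    """Expand an abbreviated command line to its full keywords."""
    node, full = table, []
    tokens = typed.split()
    for i, tok in enumerate(tokens):
        keywords = sorted(k for k in node if k is not END)
        if tok in keywords:
            matches = [tok]  # exact keyword wins over longer keywords
        else:
            matches = [k for k in keywords if k.startswith(tok)]
        if len(matches) > 1:
            return Resolution("ambiguous", " ".join(full), matches)
        if not matches:
            if END in node:
                # Past the last keyword: the remaining tokens are arguments.
                return Resolution("ok", " ".join(full + tokens[i:]), [])
            return Resolution("unknown", " ".join(full), [])
        full.append(matches[0])
        node = node[matches[0]]
    status = "ok" if END in node else "incomplete"
    return Resolution(status, " ".join(full), [])


def is_watched(typed, watched, table):
    """True if the typed line resolves to one of the watched full commands."""
    res = resolve(typed, table)
    return res.status == "ok" and any(
        res.command == w or res.command.startswith(w + " ") for w in watched
    )


TABLE = build_table(LEVEL_COMMANDS)
# Constructed watch list: commands that replace or remove stored configuration.
WATCHED = ["copy tftp startup-config", "erase startup-config", "reload"]

if __name__ == "__main__":
    for line in ["cop tftp fl", "con t", "co tftp", "cl", "cop tf", "pi 192.0.2.1"]:
        print(f"{line!r:16} -> {resolve(line, TABLE)}")
    # A plain string comparison misses the abbreviated form of a watched command.
    typed = "cop tf st"
    print(typed.startswith("copy tftp startup-config"), is_watched(typed, WATCHED, TABLE))
```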

Saving Configuration Changes

You can make configuration changes while the ServerIron is running. The type of configuration change determines whether it becomes effective immediately or requires a save to flash (write memory) and reset of the system (reload) before it becomes active.

This approach to adopting configuration changes:

• allows you to make configuration changes to the operating or running configuration of the ServerIron to address a short-term requirement or validate a configuration without overwriting the permanent configuration file, the startup configuration, that is saved in the system flash, and;

• ensures that dependent or related configuration changes are all cut in at the same time.

In all cases, if you want to make the changes permanent, you need to save the changes to flash using the write memory command. When you save the configuration changes to flash, this will become the configuration that is initiated and run at system boot.

NOTE: The majority of configuration changes are dynamic in nature. Those changes that require a reset of the system are highlighted in the specific configuration chapter and in the CLI commands of this appendix.

Chapter 3 Command List

This chapter lists all the commands in the CLI. The commands are listed in two ways:

• All commands are listed together in a single alphabetic list. See “Complete Command List” on page 3-1.

• Commands are listed separately for each CLI level (for example, global CONFIG level, BGP4 level, and so on). See “Commands Listed by CLI Level” on page 3-16.

In each list, the page numbers in this reference that describe the commands are listed.

Complete Command List

The following table lists all the CLI commands on Foundry ServerIron products.

Table 3.1: Complete ServerIron Command List

aaa authentication 6-1

aaa authorization 6-2

aaa accounting 6-3

access-list (standard) 6-3

access-list (extended) 6-5

acl-id 11-1, 12-1

active-management 7-1

all-client 6-7

always-active 9-1

append 5-1

arp 6-8

asymmetric 10-1

atalk-proto 6-8, 9-1

attrib 5-1

auto-gig 8-1

backup 10-1

banner exec 6-9

banner incoming 6-9

banner motd 6-9

bind 11-1

boot system bootp 5-2, 6-10

boot system flash primary 5-2, 6-10

boot system flash secondary 5-3, 6-10

boot system slot1 | slot2 5-3

boot system tftp 5-3, 6-11

broadcast filter 6-11

broadcast limit 6-12, 8-1

cache-enable 11-2

cache-group 8-1

cache-name 12-1

capacity 16-1

capacity threshold 16-1

cd 5-4

chassis name 6-12

chassis poll-time 6-13

chassis trap-log 6-13

chdir 5-4

clear arp 5-4

clear healthck statistics 5-5

clear ip cache 5-5

clear ip nat 5-5

clear ip traffic 5-6

clear logging 5-6

clear mac-address 5-6

clear public-key 5-6

clear rmon 5-6

clear server 5-7

clear server session 5-7

clear snmp-server 5-8

clear statistics 5-8

clear statistics dos-attack 5-8

clear web-connection 5-8

clock 5-8

clock summer-time 6-13

clock timezone 6-13

clone-server 10-2

configure terminal 5-9

confirm-port-up 6-14

console 6-14

copy <from-card> <to-card> 5-9

copy flash flash… 5-9

copy flash slot1 | slot2 5-10

copy flash tftp 5-10

copy running slot1 | slot2 5-10

copy running-config tftp 5-11

copy slot1 | slot2 flash 5-11

copy slot1 | slot2 running 5-11

copy slot1 | slot2 start 5-12

copy slot1 | slot2 tftp 5-12

copy start slot1 | slot2 5-13

copy startup-config tftp 5-13

copy tftp flash 5-13

copy tftp running-config 5-14

copy tftp slot1 | slot2 5-14

copy tftp startup-config 5-14

crypto key 6-15

crypto random-number-seed 6-15

debug access-list 5-18

debug ip nat 5-16

decnet-proto 6-15, 9-2

default 17-1, 18-1

default-vlan-id 6-16

delete 5-16

deny redistribute 20-1

dest-nat 12-2

dhcp-gateway-list 6-16, 8-2

dir 5-17

disable 12-2, 8-2

dns active-only 16-2

dns check-interval 16-2

dns ttl 16-2

down compound 18-1

down simple 18-2

enable 4-1, 6-17, 8-2

enable <password> 4-1

enable <username> <password> 4-1

enable password-display 6-17

enable skip-page-display 6-17

enable snmp config-radius 6-18

enable snmp config-tacacs 6-18

enable telnet authentication 6-18

enable telnet password… 6-18

end 6-18

erase flash primary 5-18

erase flash secondary 5-18

erase startup-config 5-19

exceed-max-drop 10-2

exit 6-19

failover-acl 12-3

fastboot… 4-2, 5-19

fast port-span 6-19

fast uplink-span 6-19

filter-match 10-3

flashback 16-3

flashback application | tcp tolerance <num> 16-3

flow-control 6-19, 8-3

format 5-19

fwall-info 12-3

fwall-zone 12-4

fw-exceed-max-drop 12-4

fw-group 8-3

fw-health-check icmp 12-4

fw-health-check tcp | udp 12-5

fw-name 12-6

fw-predictor 12-6

geographic 16-4

geo-location 15-1

gig-default 6-20, 8-3

gslb affinity 6-20

gslb communication 6-21

gslb dns zone-name 6-21

gslb policy 6-22

gslb protocol 6-22

gslb site 6-23

hash-mask 12-6

hash-port-range 12-7

hash-ports 12-7

hd 5-20

healthck (Note: ServerIronXL only) 6-23

healthck (Note: ServerIron 400 and ServerIron 800 only) 6-26

health-check 16-4

history 19-1

history-group 10-3

host-info 14-1

hostname 6-32

host-range 10-3, 11-3

http-cache-control 12-8

http match-list 6-32

httpredirect 11-3

interface ethernet 6-33

ip access-group 8-4

ip access-list 6-33

ip address (Layer 2) 6-34

ip address (Layer 3) 8-5

ip-address 10-4

ip default-gateway 6-34

ip dns domain-name 6-35

ip dns server-address 6-35

ip filter 6-35

ip forward 6-35

ipg10 8-9

ipg100 8-9

ipg1000 8-10

ip icmp burst 6-36, 8-6

ip multicast 6-36

ip-multicast-disable 8-6

ip nat inside 6-36

ip nat pool 6-38

ip nat translation 6-38

ip policy 6-39

ip-policy 8-6

ip-proto 6-46, 9-2

ip rip 8-7

ip rip learn-default 8-7

ip rip poison-reverse 8-8

ip route 6-40

ip show-subnet-length 6-40

ip ssh authentication-retries 6-41

ip ssh key-size 6-41

ip ssh password-authentication 6-41

ip ssh permit-empty-passwd 6-41

ip ssh port 6-42

ip ssh pub-key-file 6-42

ip ssh rsa-authentication 6-43

ip ssh scp 6-43

ip ssh timeout 6-43

ip strict-acl-mode 6-43

ip-subnet 6-46, 9-3

ip tcp burst 6-44, 8-8

ip ttl 6-45

ipx-network 6-47, 9-4

ipx-proto 6-47, 9-4

kill 5-20

l2-fwall 12-8

locate 5-20

lock-address ethernet 6-48

logging 6-48

mac-age-time 6-49

mac filter 6-50

mac filter-group 8-10

mac filter log-enable 6-52

match 17-2

max-conn 10-4

max-tcp-conn-rate 10-5

max-udp-conn-rate 10-5

md 5-21

method 17-2

metric-order 16-4

mirror-port 6-52

mkdir 5-21

module 6-52

monitor 8-11

more 5-22

multicast filter 6-53

multicast limit 6-53, 8-11

ncopy flash primary | secondary slot1 | slot2 <to-name> 5-22

ncopy flash primary | secondary tftp <ip-addr> <from-name> 5-23

ncopy running slot1 | slot2 <to-name> 5-23

ncopy running-config tftp <ip-addr> <from-name> 5-24

ncopy slot1 | slot2 <from-name> flash primary | secondary 5-24

ncopy slot1 | slot2 <from-name> running 5-24

ncopy slot1 | slot2 <from-name> slot1 | slot2 [<to-name>] 5-25

ncopy slot1 | slot2 <from-name> start 5-25

ncopy start slot1 | slot2 <to-name> 5-26

ncopy slot1 | slot2 <from-name> tftp <ip-addr> [<to-name>] 5-26

ncopy startup-config tftp <ip-addr> <from-name> 5-26

ncopy tftp <ip-addr> <from-name> flash primary | secondary 5-26

ncopy tftp <ip-addr> <from-name> running-config 5-27

ncopy tftp <ip-addr> <from-name> slot1 | slot2 [<to-name>] 5-27

ncopy tftp <ip-addr> <from-name> startup-config 5-28

neg-off 8-11

netbios-proto 6-54

no 6-54

no-group-failover 12-8

no-http-downgrade 12-9

num-session 16-6

num-session tolerance 16-6

other-ip 10-5

other-proto 6-54, 9-5

page-display 5-28

Table 3.1: Complete ServerIron Command List (Continued)

password-change 6-54

perf-mode 6-56

permit redistribute 20-2

phy-mode 8-12

ping 4-2, 5-28

port 10-5, 11-3

port disable-all 10-8

port unbind-all 10-8

port-name 8-12

predictor 11-7

prefer 13-1

prefer-cnt 12-9

preference 16-7

prefer-router-cnt 12-9

priority 9-6

privilege 6-55

protocol 16-7

pvst-mode 8-12

pwd 5-29

qos-priority 8-13

quit 6-55

radius-server 6-56

rconsole 5-30

rconsole-exit 5-30

rd 5-30

redistribution 20-3

reload 5-31

rename 5-31

relative-utilization 6-56

response-time 10-9

rmdir 5-31

rmon alarm 6-57

rmon event 6-57

Table 3.1: Complete ServerIron Command List (Continued)

rmon history 6-58

round-trip-time 16-7

round-trip-time cache-interval 16-8

round-trip-time cache-prefix 16-8

round-trip-time explore-percentage 16-8

round-trip-time tolerance 16-9

router-interface 9-6

rshow 6-58

server active-active-port 6-59

server allow-sticky 6-59

server backup 6-60

server backup-group 6-60

server backup-port 6-60

server backup-preference 6-61

server backup-timer 6-61

server cache-group 6-61

server cache-name 6-62

server cache-router-offload 6-62

server cache-stateful 6-62

server clock-scale 6-62

server connection-log 6-63

server delay-symmetric 6-63

server force-delete 6-64

server fw-group 6-66

server fw-name 6-66

server fw-port 6-66

server fw-recv-stateful 6-66

server fw-slb 6-67

server fw-stateful 6-67

server fw-strict-sec 6-67

server fw-superzone 6-67

server icmp-message 6-68

server l4-check 6-68

Table 3.1: Complete ServerIron Command List (Continued)

server max-ssl-session-id 6-68

server max-url-switch 6-69

server monitor 6-69

server msl 6-69

server no-fast-bringup 6-69

server no-real-l3-check 6-70

server no-remote-l3-check 6-70

server no-slow-start 6-70

server partner-ports 6-71

server path-group 6-71

server peer-group 6-71

server ping-interval 6-72

server ping-retries 6-72

server policy-hash-acl 6-73

server port 6-73

server predictor 6-78

server real-name 6-78

server reassign-threshold 6-78

server remote-name 6-79

server reverse-nat 6-80

server response-time 6-79

server router-ports 6-81

server session-id-age 6-81

server session-limit 6-81

server slb-fw 6-81

server source-ip 6-82

server source-nat 6-82

server source-nat-ip 6-82

server source-standby-ip 6-83

server sticky-age 6-83

server sym-pdu-rate 6-83

server syn-def 6-84

server syn-limit 6-84

Table 3.1: Complete ServerIron Command List (Continued)

server tcp-age 6-85

server transparent-vip 6-85

server udp-age 6-85

server use-simple-ssl-health-check 6-86

server virtual-name 6-86

server vpn-lb 6-86

server vpn-lb-inside 6-87

service password-encryption 6-87

show aaa 21-1

show arp 21-1

show cache-group 21-2

show chassis 21-2

show clock 21-3

show configuration 21-3

show default 21-3

show flash 21-4

show fw-group 21-4

show fw-hash 21-4

show gslb cache 21-5

show gslb default 21-6

show gslb dns detail 21-6

show gslb dns zone 21-7

show gslb global-stat 21-8

show gslb policy 21-8

show gslb resources 21-9

show gslb site 21-10

show healthck 21-11

show healthck statistics 21-12

show http match-list 21-12

show interfaces 21-12

show ip 21-13

show ip cache 21-13

show ip client-public-key 21-14

Table 3.1: Complete ServerIron Command List (Continued)

show ip filter-cache 21-14

show ip interface 21-14

show ip multicast 21-15

show ip nat statistics 21-15

show ip nat translation 21-15

show ip policy 21-16

show ip route 21-16

show ip ssh 21-16

show ip static-arp 21-17

show ip traffic 21-17

show logging 21-18

show mac-address 21-20

show mac-address statistics 21-21

show media 21-21

show module 21-22

show monitor 21-22

show policy-map 21-22

show relative-utilization 21-23

show reload 21-23

show rmon alarm 21-23

show rmon event 21-24

show rmon history 21-24

show rmon statistics 21-24

show running-config 21-25

show server backup 21-25

show server bind 21-25

show server dynamic 21-26

show server fw-path 21-26

show server global 21-26

show server hash 21-27

show server proxy 21-27

show server real 21-27

show server sessions 21-28

Table 3.1: Complete ServerIron Command List (Continued)

show server symmetric 21-29

show server traffic 21-29

show server virtual 21-29

show snmp server 21-30

show sntp associations 21-30

show sntp status 21-31

show span 21-32

show span vlan 21-32

show statistics 21-33

show statistics dos-attack 21-34

show tech-support 21-34

show telnet 21-34

show trunk 21-35

show users 21-35

show version 21-35

show vlans 21-36

show web-connection 21-36

show who 21-36

show wsm-map 21-36

show wsm-state 21-37

si-name 15-2

skip-page-display 5-32

snmp-client 6-88

snmp-server community 6-88

snmp-server contact 6-88

snmp-server enable traps 6-89

snmp-server enable vlan 6-89

snmp-server host 6-89

snmp-server location 6-89

snmp-server pw-check 6-90

snmp-server trap-source 6-90

snmp-server view 6-90

sntp 5-32

Table 3.1: Complete ServerIron Command List (Continued)

sntp poll-interval 6-91

sntp server 6-91

source-nat 10-9, 12-10

source-sticky 11-7

spanning-tree 6-91, 8-13, 9-7

spanning-tree <parameter> 6-91

speed-duplex 8-14

spoof-support 12-10

static-mac-address 6-92, 9-8

static-prefix 16-9

stop-traceroute 4-3, 5-32

sym-active 11-8

sym-priority 11-8, 12-11

sync-standby 5-33, 7-2

system-max 6-94

tacacs-server 6-94

tagged 9-9

tag-type 6-95

tcp-port 17-3

telnet <ip-addr> | <name> 5-33

telnet access-group 6-95

telnet client 6-95

telnet login-timeout 6-96

telnet server 6-96

telnet server enable vlan 6-96

telnet timeout 6-97

temperature shutdown 5-33

temperature warning 5-34

tftp client enable vlan 6-97

traceroute 4-3, 5-34

track 11-9

track-group 11-9

transparent-vip 11-9

Table 3.1: Complete ServerIron Command List (Continued)

Commands Listed by CLI Level

The following sections contain tables that list the CLI commands within each level of the CLI.

trunk 6-97

undebug access-list 5-34

undebug ip nat 5-35

undelete 5-35

unknown-unicast limit 6-98, 8-14

untagged 9-9

up compound 18-3

uplink-switch 9-10

up simple 18-3

url-host-id 12-11

url-map 12-11, 6-98

url-switch 12-11

username 6-98

virtual-ip 12-12

vlan 6-99

vlan-dynamic-discovery 6-99

vlan max-vlans 6-100

web access-group 6-100

web client 6-100

web-management 6-100

web-management enable vlan 6-101

weight 10-10

whois 5-35

write memory 5-36

write terminal 5-36

wsm boot 6-101

wsm copy flash flash 5-36

wsm copy tftp flash 5-36

wsm wsm-map 6-102

Table 3.1: Complete ServerIron Command List (Continued)

User EXEC Level

There are two different levels of EXEC commands, the User EXEC level and the Privileged EXEC level. The User level commands are at the top of the CLI hierarchy. These are the first commands that you have access to when connected to the ServerIron through the CLI. At this level, you can view basic system information and verify connectivity but cannot make any changes to the ServerIron configuration.

To make changes to the configuration, you must move to other levels of the CLI hierarchy. This is accomplished by the User EXEC level command enable at initial log-on. This command takes you to the Privileged EXEC level, from which you can reach the configuration command levels.

The User EXEC commands are listed in the following table.

Privileged EXEC Level

The Privileged EXEC level commands primarily enable you to transfer and store ServerIron software images and configuration files between the network and the ServerIron, and review the configuration.

You reach this level by entering enable [<password>] or enable <username> <password> at the User EXEC level.

Table 3.2: User EXEC Commands

enable 4-1

enable <password> 4-1

enable <username> <password> 4-1

fastboot… 4-2

ping 4-2

rshow 4-3

show 4-3

stop-traceroute 4-3

traceroute 4-3

Table 3.3: Privileged EXEC Commands

append 5-1

attrib 5-1

boot system bootp 5-2

boot system flash primary 5-2

boot system flash secondary 5-3

boot system slot1 | slot2 5-3

boot system tftp 5-3

cd 5-4

chdir 5-4

clear arp 5-4

clear healthck statistics 5-5

clear ip cache 5-5

clear ip nat 5-5

clear ip traffic 5-6

clear logging 5-6

clear mac-address 5-6

clear public-key 5-6

clear rmon 5-6

clear server 5-7

clear server session 5-7

clear snmp-server 5-8

clear statistics 5-8

clear statistics dos-attack 5-8

clear web-connection 5-8

clock 5-8

configure terminal 5-9

copy <from-card> <to-card> 5-9

copy flash flash… 5-9

copy flash slot1 | slot2 5-10

copy flash tftp 5-10

copy running slot1 | slot2 5-10

copy running-config tftp 5-11

copy slot1 | slot2 flash 5-11

copy slot1 | slot2 running 5-11

copy slot1 | slot2 start 5-12

copy slot1 | slot2 tftp 5-12

copy start slot1 | slot2 5-13

copy startup-config tftp 5-13

copy tftp flash 5-13

copy tftp running-config 5-14

copy tftp slot1 | slot2 5-14

copy tftp startup-config 5-14

debug access-list 5-18

debug ip nat 5-16

delete 5-16

Table 3.3: Privileged EXEC Commands (Continued)

dir 5-17

erase flash primary 5-18

erase flash secondary 5-18

erase startup-config 5-19

exit 5-19

fastboot… 5-19

format 5-19

hd 5-20

kill 5-20

locate 5-20

md 5-21

mkdir 5-21

more 5-22

ncopy flash primary | secondary slot1 | slot2 <to-name> 5-22

ncopy flash primary | secondary tftp <ip-addr> <from-name> 5-23

ncopy running slot1 | slot2 <to-name> 5-23

ncopy running-config tftp <ip-addr> <from-name> 5-24

ncopy slot1 | slot2 <from-name> flash primary | secondary 5-24

ncopy slot1 | slot2 <from-name> running 5-24

ncopy slot1 | slot2 <from-name> slot1 | slot2 [<to-name>] 5-25

ncopy slot1 | slot2 <from-name> start 5-25

ncopy start slot1 | slot2 <to-name> 5-26

ncopy slot1 | slot2 <from-name> tftp <ip-addr> [<to-name>] 5-26

ncopy startup-config tftp <ip-addr> <from-name> 5-26

ncopy tftp <ip-addr> <from-name> flash primary | secondary 5-26

ncopy tftp <ip-addr> <from-name> running-config 5-27

ncopy tftp <ip-addr> <from-name> slot1 | slot2 [<to-name>] 5-27

ncopy tftp <ip-addr> <from-name> startup-config 5-28

page-display 5-28

Table 3.3: Privileged EXEC Commands (Continued)

CONFIG Commands

CONFIG commands modify the configuration of a Foundry ServerIron product. This reference describes the following CONFIG CLI levels.

ping 5-28

pwd 5-29

quit 5-30

rconsole 5-30

rconsole-exit 5-30

rd 5-30

reload 5-31

rename 5-31

rmdir 5-31

rshow 5-32

show… 5-32

skip-page-display 5-32

sntp 5-32

stop-traceroute 5-32

sync-standby 5-33

telnet <ip-addr> | <name> 5-33

temperature shutdown 5-33

temperature warning 5-34

traceroute 5-34

undebug access-list 5-34

undebug ip nat 5-35

undelete 5-35

whois 5-35

write memory 5-36

write terminal 5-36

wsm copy flash flash 5-36

wsm copy tftp flash 5-36

Table 3.3: Privileged EXEC Commands (Continued)

Global Level

The global CONFIG level allows you to globally apply or modify parameters for ports on the switch or router. You reach this level by entering configure terminal at the privileged EXEC level.

Table 3.4: Global CONFIG Commands

aaa authentication 6-1

aaa authorization 6-2

aaa accounting 6-3

access-list (standard) 6-3

access-list (extended) 6-5

all-client 6-7

arp 6-8

atalk-proto 6-8

banner exec 6-9

banner incoming 6-9

banner motd 6-9

boot system bootp 6-10

boot system flash primary 6-10

boot system flash secondary 6-10

boot system tftp 6-11

broadcast filter 6-11

broadcast limit 6-12

chassis name 6-12

chassis poll-time 6-13

chassis trap-log 6-13

clear 6-13

clock summer-time 6-13

clock timezone 6-13

confirm-port-up 6-14

console 6-14

crypto key 6-15

crypto random-number-seed 6-15

decnet-proto 6-15

default-vlan-id 6-16

dhcp-gateway-list 6-16

enable 6-17

enable password-display 6-17

enable skip-page-display 6-17

enable snmp config-radius 6-18

enable snmp config-tacacs 6-18

enable telnet authentication 6-18

enable telnet password… 6-18

end 6-18

exit 6-19

fast port-span 6-19

fast uplink-span 6-19

flow-control 6-19

gig-default 6-20

gslb affinity 6-20

gslb communication 6-21

gslb dns zone-name 6-21

gslb policy 6-22

gslb protocol 6-22

gslb site 6-23

healthck (Note: ServerIronXL only) 6-23

healthck (Note: ServerIron 400 and ServerIron 800 only) 6-26

hostname 6-32

http match-list 6-32

interface ethernet 6-33

ip access-list 6-33

ip address (Layer 2) 6-34

ip default-gateway 6-34

ip dns domain-name 6-35

ip dns server-address 6-35

ip filter 6-35

ip forward 6-35

Table 3.4: Global CONFIG Commands (Continued)

ip icmp burst 6-36

ip multicast 6-36

ip nat inside 6-36

ip nat pool 6-38

ip nat translation 6-38

ip policy 6-39

ip route 6-40

ip show-subnet-length 6-40

ip ssh authentication-retries 6-41

ip ssh key-size 6-41

ip ssh password-authentication 6-41

ip ssh permit-empty-passwd 6-41

ip ssh port 6-42

ip ssh pub-key-file 6-42

ip ssh rsa-authentication 6-43

ip ssh scp 6-43

ip ssh timeout 6-43

ip strict-acl-mode 6-43

ip tcp burst 6-44

ip tcp conn-rate 6-44

ip tcp conn-rate-change 6-45

ip tcp syn-proxy 6-45

ip ttl 6-45

ip-proto 6-46

ip-subnet 6-46

ipx-network 6-47

ipx-proto 6-47

lock-address ethernet 6-48

logging 6-48

mac-age-time 6-49

mac filter 6-50

mac filter log-enable 6-52

mirror-port 6-52

Table 3.4: Global CONFIG Commands (Continued)

module 6-52

multicast filter 6-53

multicast limit 6-53

netbios-proto 6-54, 9-5

no 6-54

other-proto 6-54

password-change 6-54

perf-mode 6-56

privilege 6-55

quit 6-55

radius-server 6-56

relative-utilization 6-56

rmon alarm 6-57

rmon event 6-57

rmon history 6-58

router-interface 9-6

rshow 6-58

server active-active-port 6-59

server allow-sticky 6-59

server backup 6-60

server backup-group 6-60

server backup-port 6-60

server backup-preference 6-61

server backup-timer 6-61

server cache-group 6-61

server cache-name 6-62

server cache-router-offload 6-62

server cache-stateful 6-62

server clock-scale 6-62

server connection-log 6-63

server delay-symmetric 6-63

server force-delete 6-64

server fw-group 6-66

Table 3.4: Global CONFIG Commands (Continued)

server fw-name 6-66

server fw-port 6-66

server fw-recv-stateful 6-66

server fw-slb 6-67

server fw-stateful 6-67

server fw-strict-sec 6-67

server fw-superzone 6-67

server icmp-message 6-68

server l4-check 6-68

server max-conn-trap 6-68

server max-ssl-session-id 6-68

server max-url-switch 6-69

server monitor 6-69

server no-fast-bringup 6-69

server no-real-l3-check 6-70

server no-remote-l3-check 6-70

server no-slow-start 6-70

server partner-ports 6-71

server path-group 6-71

server peer-group 6-71

server ping-interval 6-72

server ping-retries 6-72

server policy-hash-acl 6-73

server port 6-73

server predictor 6-78

server real-name 6-78

server reassign-threshold 6-78

server remote-name 6-79

server response-time 6-79

server reverse-nat 6-80

server router-ports 6-81

server session-id-age 6-81

server session-limit 6-81

Table 3.4: Global CONFIG Commands (Continued)

server slb-fw 6-81

server source-ip 6-82

server source-nat 6-82

server source-nat-ip 6-82

server source-standby-ip 6-83

server sticky-age 6-83

server sym-pdu-rate 6-83

server syn-def 6-84

server syn-limit 6-84

server tcp-age 6-85

server transparent-vip 6-85

server udp-age 6-85

server use-simple-ssl-health-check 6-86

server virtual-name 6-86

server vpn-lb 6-86

server vpn-lb-inside 6-87

service password-encryption 6-87

show 6-88

snmp-client 6-88

snmp-server community 6-88

snmp-server contact 6-88

snmp-server enable traps 6-89

snmp-server enable vlan 6-89

snmp-server host 6-89

snmp-server location 6-89

snmp-server pw-check 6-90

snmp-server trap-source 6-90

snmp-server view 6-90

sntp poll-interval 6-91

sntp server 6-91

spanning-tree 6-91

spanning-tree <parameter> 6-91

static-mac-address 6-92

Table 3.4: Global CONFIG Commands (Continued)

system-max 6-94

tacacs-server 6-94

tag-type 6-95

telnet access-group 6-95

telnet client 6-95

telnet login-timeout 6-96

telnet server 6-96

telnet server enable vlan 6-96

telnet timeout 6-97

tftp client enable vlan 6-97

trunk 6-97

unknown-unicast limit 6-98

url-map 6-98

username 6-98

vlan 6-99

vlan-dynamic-discovery 6-99

vlan max-vlans 6-100

web access-group 6-100

web client 6-100

web-management 6-100

web-management enable vlan 6-101

write memory 6-101

write terminal 6-101

wsm boot 6-101

wsm wsm-map 6-102

Table 3.4: Global CONFIG Commands (Continued)

Redundancy Level

The redundancy CONFIG level allows you to configure parameters on redundant management modules. You reach this level by entering redundancy at the global CONFIG level.

Interface Level

The interface level allows you to assign or modify specific port parameters on a port-by-port basis. You reach this level by entering interface ethernet <portnum> or interface ve <num> at the global CONFIG level.

Table 3.5: Redundancy CONFIG Commands

active-management 7-1

end 7-2

exit 7-2

no 7-2

quit 7-2

show 7-2

sync-standby 7-2

write memory 7-3

write terminal 7-3

Table 3.6: Interface Commands

auto-gig 8-1

broadcast limit 8-1

cache-group 8-1

clear 8-2

dhcp-gateway-list 8-2

disable 8-2

enable 8-2

end 8-2

exit 8-3

flow-control 8-3

fw-group 8-3

gig-default 8-3

ip access-group 8-4

ip address (Layer 3) 8-5

ip icmp burst 8-6

ip-multicast-disable 8-6

ip-policy 8-6

VLAN Level

The VLAN level allows you to configure VLAN parameters. You reach this level by entering the vlan <vlan-id> by port command at the Global CONFIG Level.

ip rip 8-7

ip rip learn-default 8-7

ip rip poison-reverse 8-8

ip tcp burst 8-8

ip tcp syn-proxy 8-9

ipg10 8-9

ipg100 8-9

ipg1000 8-10

mac filter-group 8-10

monitor 8-11

multicast limit 8-11

neg-off 8-11

no 8-12

phy-mode 8-12

port-name 8-12

pvst-mode 8-12

qos-priority 8-13

quit 8-13

rshow 8-13

show 8-13

spanning-tree 8-13

speed-duplex 8-14

unknown-unicast limit 8-14

write memory 8-14

write terminal 8-14

Table 3.7: VLAN Commands

always-active 9-1

atalk-proto 9-1

decnet-proto 9-2

end 9-2

Table 3.6: Interface Commands (Continued)

Real Server, Cache Server, and Firewall Level

This level allows you to assign and configure servers for the SLB, TCS, FWLB, and web switching features. For SLB and web switching, you reach this level by entering the server real-name <text> <ip-addr> command at the global CONFIG level. For TCS, you reach this level by entering the server cache-name <text> command. For FWLB, you reach this level by entering the server fw-name <text> <ip-addr> command.

exit 9-2

ip-proto 9-2

ip-subnet 9-3

ipx-network 9-4

ipx-proto 9-4

netbios-proto 9-5

no 9-5

other-proto 9-5

priority 9-6

quit 9-6

rshow 9-7

show 9-7

spanning-tree 9-7

static-mac-address 9-8

tagged 9-9

untagged 9-9

uplink-switch 9-10

write memory 9-10

write terminal 9-10

Table 3.8: Real Server, Cache Server, and Firewall CONFIG Commands

asymmetric 10-1

backup 10-1

clear 10-1

clone-server 10-2

description 10-2

end 10-2

exceed-max-drop 10-2

exit 10-3

filter-match 10-3

Table 3.7: VLAN Commands (Continued)

Virtual Server Level

The virtual server level allows you to assign and configure virtual servers. You reach this level by entering the server virtual-name <text> <ip-addr> command at the global CONFIG level.

history-group 10-3

host-range 10-3

ip-address 10-4

max-conn 10-4

max-tcp-conn-rate 10-5

max-udp-conn-rate 10-5

no 10-5

other-ip 10-5

port 10-5

port disable-all 10-8

port unbind-all 10-8

quit 10-8

response-time 10-9

rshow 10-9

show 10-9

source-nat 10-9

weight 10-10

write memory 10-10

write terminal 10-11

Table 3.9: Virtual Server CONFIG Commands

acl-id 11-1

bind 11-1

cache-enable 11-2

clear 11-2

end 11-2

exit 11-2

host-range 11-3

httpredirect 11-3

no 11-3

port 11-3

Table 3.8: Real Server, Cache Server, and Firewall CONFIG Commands (Continued)

Cache Group and Firewall Group Level

This level allows you to configure TCS cache groups and the FWLB firewall group. For TCS, you reach this level by entering the server cache-group <num> command at the global CONFIG level. For FWLB, you reach this level by entering the server fw-group 2 command at the global CONFIG level.

predictor 11-7

quit 11-7

rshow 11-7

show 11-7

source-sticky 11-7

sym-active 11-8

sym-priority 11-8

track 11-9

track-group 11-9

transparent-vip 11-9

write memory 11-9

write terminal 11-10

Table 3.10: Cache Group and Firewall Group CONFIG Commands

acl-id 12-1

cache-name 12-1

clear 12-2

dest-nat 12-2

disable 12-2

end 12-2

exit 12-3

failover-acl 12-3

fwall-info 12-3

fwall-zone 12-4

fw-exceed-max-drop 12-4

fw-health-check icmp 12-4

fw-health-check tcp | udp 12-5

fw-name 12-6

fw-predictor 12-6

hash-mask 12-6

Table 3.9: Virtual Server CONFIG Commands (Continued)

GSLB Affinity Level

This level allows you to configure Global SLB (GSLB) affinity parameters. You reach this level by entering the gslb dns affinity command at the global CONFIG level.

hash-port-range 12-7

hash-ports 12-7

http-cache-control 12-8

l2-fwall 12-8

no 12-8

no-group-failover 12-8

no-http-downgrade 12-9

prefer-cnt 12-9

prefer-router-cnt 12-9

quit 12-10

rshow 12-10

show 12-10

source-nat 12-10

spoof-support 12-10

sym-priority 12-11

url-host-id 12-11

url-map 12-11

url-switch 12-11

virtual-ip 12-12

write memory 12-12

write terminal 12-12

Table 3.11: GSLB Affinity CONFIG Commands

end 13-1

exit 13-1

no 13-1

prefer 13-1

quit 13-2

rshow 13-2

show 13-2

write memory 13-2

Table 3.10: Cache Group and Firewall Group CONFIG Commands (Continued)

GSLB DNS Zone Level

This level allows you to configure Global GSLB DNS zone parameters. You reach this level by entering the gslb dns zone-name <name> command at the global CONFIG level.

GSLB Site Level

This level allows you to configure GSLB site parameters. You reach this level by entering the gslb site <name> command at the global CONFIG level.

write terminal 13-3

Table 3.12: GSLB DNS Zone CONFIG Commands

end 14-1

exit 14-1

host-info 14-1

no 14-2

quit 14-2

rshow 14-3

show 14-3

write memory 14-3

write terminal 14-3

Table 3.13: GSLB Site CONFIG Commands

end 15-1

exit 15-1

geo-location 15-1

no 15-2

quit 15-2

rshow 15-2

show 15-2

si-name 15-2

write memory 15-3

write terminal 15-3

Table 3.11: GSLB Affinity CONFIG Commands (Continued)

GSLB Policy Level

This level allows you to configure GSLB policy parameters. You reach this level by entering the gslb policy command at the global CONFIG level.

Table 3.14: GSLB Policy CONFIG Commands

capacity 16-1

capacity threshold 16-1

dns active-only 16-2

dns check-interval 16-2

dns ttl 16-2

end 16-2

exit 16-3

flashback 16-3

flashback application | tcp tolerance <num> 16-3

geographic 16-4

health-check 16-4

metric-order 16-4

no 16-6

num-session 16-6

num-session tolerance 16-6

preference 16-7

protocol 16-7

quit 16-7

round-trip-time 16-7

round-trip-time cache-interval 16-8

round-trip-time cache-prefix 16-8

round-trip-time explore-percentage 16-8

round-trip-time tolerance 16-9

rshow 16-9

show 16-9

static-prefix 16-9

write memory 16-10

write terminal 16-10

URL Switching Level

This level allows you to configure URL switching policies. You reach this level by entering the url-map <policy-name> command at the global CONFIG level.

HTTP Match List Level

This level allows you to configure matching lists of selection criteria for HTTP content verification health checks. You reach this level by entering the http match-list <name> command at the global CONFIG level.

Table 3.15: URL Switching CONFIG Commands

default 17-1

end 17-1

exit 17-1

match 17-2

method 17-2

no 17-2

quit 17-2

rshow 17-2

show 17-3

tcp-port 17-3

write memory 17-3

write terminal 17-3

Table 3.16: HTTP Match List CONFIG Commands

default 18-1

down compound 18-1

down simple 18-2

end 18-2

exit 18-2

no 18-2

quit 18-2

rshow 18-3

show 18-3

up compound 18-3

up simple 18-3

write memory 18-3

write terminal 18-3

Server Monitor Level

This level allows you to configure history lists for monitoring Layer 4 statistics. You reach this level by entering the server monitor command at the global CONFIG level.

Routing Information Protocol (RIP) Level

This level allows you to configure global RIP parameters for use with IP forwarding. You reach this level by entering the router rip command at the global CONFIG level.

Show Commands

The show commands display configuration information and statistics. You can enter these commands from any level of the CLI.

Table 3.17: Server Monitor CONFIG Commands

end 19-1

exit 19-1

history 19-1

no 19-2

quit 19-2

rshow 19-2

show 19-2

write memory 19-2

write terminal 19-2

Table 3.18: RIP CONFIG Commands

deny redistribute 20-1

end 20-2

exit 20-2

no 20-2

permit redistribute 20-2

quit 20-3

redistribution 20-3

rshow 20-3

show 20-4

write memory 20-4

write terminal 20-4

Table 3.19: Show Commands

show aaa 21-1

show arp 21-1

show cache-group 21-2

show chassis 21-2

show clock 21-3

show configuration 21-3

show default 21-3

show flash 21-4

show fw-group 21-4

show fw-hash 21-4

show gslb cache 21-5

show gslb default 21-6

show gslb dns detail 21-6

show gslb dns zone 21-7

show gslb global-stat 21-8

show gslb policy 21-8

show gslb resources 21-9

show gslb site 21-10

show healthck 21-11

show healthck statistics 21-12

show http match-list 21-12

show interfaces 21-12

show ip 21-13

show ip cache 21-13

show ip client-public-key 21-14

show ip filter-cache 21-14

show ip interface 21-14

show ip multicast 21-15

show ip nat statistics 21-15

show ip nat translation 21-15

show ip policy 21-16

show ip route 21-16

show ip ssh 21-16

show ip static-arp 21-17

show ip traffic 21-17

Table 3.19: Show Commands (Continued)

show logging 21-18

show mac-address 21-20

show mac-address statistics 21-21

show media 21-21

show module 21-22

show monitor 21-22

show policy-map 21-22

show relative-utilization 21-23

show reload 21-23

show rmon alarm 21-23

show rmon event 21-24

show rmon history 21-24

show rmon statistics 21-24

show running-config 21-25

show server backup 21-25

show server bind 21-25

show server conn-rate 21-25

show server dynamic 21-26

show server fw-path 21-26

show server global 21-26

show server hash 21-27

show server proxy 21-27

show server real 21-27

show server sessions 21-28

show server symmetric 21-29

show server traffic 21-29

show server virtual 21-29

show snmp server 21-30

show sntp associations 21-30

show sntp status 21-31

show span 21-32

show span vlan 21-32

show statistics 21-33

Table 3.19: Show Commands (Continued)

show statistics dos-attack 21-34

show tech-support 21-34

show telnet 21-34

show trunk 21-35

show users 21-35

show version 21-35

show vlans 21-36

show web-connection 21-36

show who 21-36

show wsm-map 21-36

show wsm-state 21-37

Table 3.19: Show Commands (Continued)

Chapter 4

User EXEC Commands

enable

At initial startup, you enter this command to access the privileged EXEC level of the CLI. You access subsequent levels of the CLI using the proper launch commands.

You can assign a permanent password with the enable password… command at the global level of the CONFIG command structure. To reach the global level, enter configure terminal. Until a password is assigned, you have access only to the user level.

NOTE: You also can configure the ServerIron to authenticate access using a RADIUS or TACACS/TACACS+ server or local user accounts. See the Foundry Security Guide.

EXAMPLE:

ServerIron> enable

Syntax: enable

Possible values: N/A

Default value: No system default

enable <password>

Once a password is defined for the ServerIron, you must enter this command along with the defined password to access the privileged EXEC Level of the CLI.

Three levels of password access can be assigned at the global CONFIG level.

EXAMPLE:

ServerIron> enable whatever
ServerIron#

Syntax: enable <password>

Possible values: Up to 32 alphanumeric characters can be assigned as the password.

Default value: N/A

enable <username> <password>

If local access control is configured on the ServerIron, you are prompted for a user name and a password. The user name and password must be configured in a user account on the ServerIron.

EXAMPLE:

ServerIron> enable waldo whereis
ServerIron#

Syntax: enable <username> <password>

Possible values: N/A

Default value: N/A

fastboot…

By default, this option is turned off, to provide a three-second pause to allow you to break into the boot prompt, if necessary. Use fastboot on to turn this option on and eliminate the three-second pause. To turn this feature off later, enter the command, fastboot off. Fastboot changes will be saved automatically but will not become active until after a system reset.

To execute an immediate reload of the boot code from the console without a three-second delay, enter the fast reload command. The fast reload command is found at the privileged level.

EXAMPLE:

ServerIron> fastboot on

Syntax: fastboot [on | off]

Possible values: off

ping

Verifies connectivity to a Foundry device or another device. The command performs an ICMP echo test to confirm connectivity to the specified device.

NOTE: If you address the ping to the IP broadcast address, the device lists the first four responses to the ping.

EXAMPLE:

ServerIron> ping 192.22.2.33

Syntax: ping <ip addr> | <hostname> [source <ip addr>] [count <num>] [timeout <msec>] [ttl <num>] [size <byte>] [quiet] [numeric] [no-fragment] [verify] [data <1-to-4 byte hex>] [brief]

The only required parameter is the IP address or host name of the device.

NOTE: If the device is a Foundry Layer 2 or Layer 3 Switch, you can use the host name only if you have already enabled the Domain Name Server (DNS) resolver feature on the device from which you are sending the ping. See the “Configuring Basic Features” chapter of the Foundry Switch and Router Installation and Basic Configuration Guide.

The source <ip addr> specifies an IP address to be used as the origin of the ping packets.

The count <num> parameter specifies how many ping packets the device sends. You can specify from 1 – 4294967296. The default is 1.

The timeout <msec> parameter specifies how many milliseconds the Foundry device waits for a reply from the pinged device. You can specify a timeout from 1 – 4294967296 milliseconds. The default is 5000 (5 seconds).

The ttl <num> parameter specifies the maximum number of hops. You can specify a TTL from 1 – 255. The default is 64.

The size <byte> parameter specifies the size of the ICMP data portion of the packet. This is the payload and does not include the header. You can specify from 0 – 4000. The default is 16.

The no-fragment parameter turns on the “don’t fragment” bit in the IP header of the ping packet. This option is disabled by default.

The quiet parameter hides informational messages such as a summary of the ping parameters sent to the device and instead only displays messages indicating the success or failure of the ping. This option is disabled by default.

The verify parameter verifies that the data in the echo packet (the reply packet) is the same as the data in the echo request (the ping). By default the device does not verify the data.

The data <1 – 4 byte hex> parameter lets you specify a specific data pattern for the payload instead of the default data pattern, “abcd”, in the packet’s data payload. The pattern repeats itself throughout the ICMP message (payload) portion of the packet.

NOTE: For numeric parameter values, the CLI does not check that the value you enter is within the allowed range. Instead, if you do exceed the range for a numeric value, the software rounds the value to the nearest valid value.

The brief parameter causes ping test characters to be displayed. The following ping test characters are supported:

! Indicates that a reply was received.

. Indicates that the network server timed out while waiting for a reply.

U Indicates that a destination unreachable error PDU was received.

I Indicates that the user interrupted ping.

Possible values: see above

Default value: see above
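The range handling described in the NOTE above can be modeled as follows. This Python is an added example, not Foundry code: it applies the documented defaults and ranges to a ping command line and reports each numeric value the device would adjust without an error. The name resolve_ping_options and the sample command are assumptions.

```python
# Added illustration, not Foundry code. resolve_ping_options is a hypothetical
# helper that models the defaults and ranges documented for the ping command.

# option -> (minimum, maximum, default), taken from the parameter text above
NUMERIC_OPTIONS = {
    "count": (1, 4294967296, 1),
    "timeout": (1, 4294967296, 5000),  # milliseconds
    "ttl": (1, 255, 64),               # hops
    "size": (0, 4000, 16),             # ICMP payload bytes, header excluded
}
FLAG_OPTIONS = ("quiet", "numeric", "no-fragment", "verify", "brief")
VALUE_OPTIONS = ("source", "data")


def resolve_ping_options(command):
    """Return (effective, adjustments) for a 'ping <target> [options]' line.

    effective   -- every option with the value the device would end up using
    adjustments -- (option, requested, used) for each out-of-range number
    """
    tokens = command.split()
    if len(tokens) < 2 or tokens[0] != "ping":
        raise ValueError("expected: ping <ip addr> | <hostname> [options]")

    effective = {"target": tokens[1], "source": None, "data": "abcd"}
    for name, (_low, _high, default) in NUMERIC_OPTIONS.items():
        effective[name] = default
    for flag in FLAG_OPTIONS:
        effective[flag] = False      # flags stay off unless given

    adjustments = []
    position = 2
    while position < len(tokens):
        word = tokens[position]
        if word in FLAG_OPTIONS:
            effective[word] = True
            position += 1
            continue
        if word not in NUMERIC_OPTIONS and word not in VALUE_OPTIONS:
            raise ValueError(f"unknown ping option: {word}")
        if position + 1 >= len(tokens):
            raise ValueError(f"option {word} needs a value")
        value = tokens[position + 1]
        if word in NUMERIC_OPTIONS:
            low, high, _default = NUMERIC_OPTIONS[word]
            requested = int(value)
            used = min(max(requested, low), high)   # nearest valid value
            if used != requested:
                adjustments.append((word, requested, used))
            effective[word] = used
        else:
            effective[word] = value
        position += 2
    return effective, adjustments


if __name__ == "__main__":
    # Constructed input: three values fall outside the documented ranges.
    line = "ping 192.22.2.33 ttl 300 size 9000 count 0 verify"
    options, changed = resolve_ping_options(line)
    for option, requested, used in changed:
        print(f"{option}: requested {requested}, device would use {used}")
```

Running a script's intended values through a check like this before they reach the device shows where the test that actually runs differs from the one that was requested.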

rshow

Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

show

Displays a variety of configuration and statistical information about the device. See “Show Commands” on page 21-1.

stop-traceroute

Stops an initiated trace on a Foundry device.

EXAMPLE:

ServerIron> stop-traceroute

Syntax: stop-traceroute

Possible values: N/A

Default value: N/A

traceroute

Allows you to trace the path from the current Foundry device to a host address.

The CLI displays trace route information for each hop as soon as the information is received. Traceroute requests display all responses to a given TTL. In addition, if there are multiple equal-cost routes to the destination, the Foundry device displays up to three responses by default.

EXAMPLE:

ServerIron> traceroute 192.33.4.7 minttl 5 maxttl 5 timeout 5

Syntax: traceroute <host-ip-addr> [maxttl <value>] [minttl <value>] [numeric] [timeout <value>] [source-ip <ip addr>]

Possible and default values:

minttl – minimum TTL (hops) value: Possible values are 1 – 255. Default value is 1 second.

maxttl – maximum TTL (hops) value: Possible values are 1 – 255. Default value is 30 seconds.

timeout – Possible values are 1 – 120. Default value is 2 seconds.

numeric – Lets you change the display to list the devices by their IP addresses instead of their names.

source-ip <ip addr> – Specifies an IP address to be used as the origin for the traceroute.

Chapter 5 Privileged EXEC Commands

append

Appends a file on a PCMCIA flash card to the end of another file.

NOTE: This command applies only to a BigServerIron using a Management IV module.

EXAMPLE:

BigServerIron# append newacls.cfg startup-config.cfg

This command appends a file called “newacls.cfg” to the end of a file called “startup-config.cfg”. This example assumes that both files are present on the PCMCIA slot and in the subdirectory level that currently has the management focus.

The following command appends a file in the current subdirectory to the end of a file in another subdirectory:

BigServerIron# append newacls.cfg \TEST\startup-config.cfg

Syntax: append [<from-card> <to-card>] [\<from-dir-path>\]<from-name> [\<to-dir-path>\]<to-name>

The <from-card> and <to-card> parameters specify the source and destination flash cards when you are appending a file on one flash card to a file located on another flash card.

The [\<from-dir-path>\]<from-name> parameter specifies the file you are adding to the end of another file. If the file is not located in the current subdirectory (the subdirectory that currently has the management focus), specify the subdirectory path in front of the file name.

The [\<to-dir-path>\]<to-name> parameter specifies the file to which you are appending the other file. If the file is not located in the current subdirectory, specify the subdirectory path in front of the file name.

Possible values: See above

Default value: N/A

attrib

Changes the read-write attribute of a file on a flash card in a Management IV module’s PCMCIA slot.

NOTE: This command applies only to a BigServerIron using a Management IV module.

The read-write attribute specifies whether a file on a flash card can be changed or deleted.

• Read-only – You can display or copy the file but you cannot replace (copy over) or delete the file.

• Read-write – You can replace (copy over) or delete the file. This is the default.

Use the following method to change the read-write attribute of a file.

EXAMPLE:

To protect a file from accidental changes by changing the read-write attribute from read-write to read-only, enter a command such as the following:

BigServerIron# attrib ro goodcfg.cfg

Syntax: attrib [slot1 | slot2] ro | rw <file-name>

To determine the read-write attribute of a file, use the dir command to list the directory information for the file. Files set to read-only are listed with “R” in front of the file name. See “dir” on page 5-17.

To change all files on a flash card to read-only, enter a command such as the following:

BigServerIron# attrib ro *.*

This command changes the read-write attribute for all files on the flash card that currently has the management focus to read-only.

Possible values: See above.

Default value: rw (read-write)

boot system bootp

Initiates a system boot from a BootP server. You can specify the preferred initial boot source and boot sequence in the startup-config file. If upon boot, the user-specified boot source and sequence fails, then by default, the ServerIron will attempt to load the software image from a different source. The following sources will be tried one at a time, in the order noted, until a software load is successful.

• flash primary

• flash secondary

• TFTP

• BootP

If the image does not load successfully from the above sources, you are prompted to enter alternative locations from which to load an image:

• boot system bootp

• boot system flash primary

• boot system flash secondary

• boot system tftp

EXAMPLE:

ServerIron# boot system bootp

Syntax: boot system bootp

Possible values: N/A

Default value: N/A

boot system flash primary

Initiates a system boot from the primary software image stored in flash.

EXAMPLE:

ServerIron(config)# boot system flash primary

Syntax: boot system flash primary

Possible values: N/A

Default value: N/A

boot system flash secondary

Initiates a system boot from the secondary software image stored in flash.

EXAMPLE:

ServerIron(config)# boot system flash secondary

Syntax: boot system flash secondary

Possible values: N/A

Default value: N/A

boot system slot1 | slot2

Initiates a system boot from an image file on a PCMCIA flash card.

NOTE: This command applies only to a BigServerIron with the Management IV module.

EXAMPLE:

To reboot the device using a software image file on the flash card, enter a command such as the following at the Privileged Exec level of the CLI:

BigServerIron# boot system slot1 BSI07101.bin

The command in this example reboots the device using the image file BSI07101.bin located on the PCMCIA flash card in slot 1. This example assumes the image file is in the root directory on the flash card. If the image file is in a subdirectory, specify the subdirectory path. For example, to boot using an image in a subdirectory called “BSI”, enter a command such as the following:

BigServerIron# boot system slot1 \BSI\BSI07101.bin

Syntax: boot system slot1 | slot2 [\<dir-path>\]<file-name>

The slot1 | slot2 parameter indicates the flash card slot.

The <file-name> parameter specifies the file name. If the file is in a subdirectory, specify the subdirectory path in front of the file name. If the file name you specify is not a full path name, the CLI assumes that the name (and path, if applicable) you enter are relative to the subdirectory that currently has the management focus.

Possible values: See above

Default value: N/A

boot system tftp

Initiates a system boot of the software image from a TFTP server.

EXAMPLE:

ServerIron(config)# boot system tftp 192.22.33.44 current.img

Syntax: boot system tftp <ip-addr> <filename>

Possible values: N/A

Default value: N/A

Before entering the TFTP boot command, you must first assign an IP address, IP mask and default gateway (if applicable) at the boot prompt as shown.

EXAMPLE:

boot> ip address 192.22.33.44 255.255.255.0

boot> ip default-gateway 192.22.33.1

You now can proceed with the boot system tftp… command.

cd

Another form of the chdir command. See “chdir” on page 5-4.

chdir

Switches the management focus from one flash card in a Management IV module’s PCMCIA slot to the other slot.

NOTE: This command applies only to a BigServerIron using a Management IV module.

The effect of file management commands depends on the flash card that has the management focus. For example, if you enter a command to delete a file, the software deletes the specified file from the flash card that currently has the management focus.

EXAMPLE:

To switch the focus of the CLI from one flash card to the other, enter a command such as the following:

BigServerIron# cd slot2
BigServerIron#

Syntax: cd | chdir slot1 | slot2

Syntax: cd | chdir <dir-name>

When you enter the cd command, the software changes the management focus to the slot or subdirectory path you specify, then displays a new command prompt.

If a slot you specify does not contain a flash card, the software displays the message shown in the following example.

BigServerIron# cd slot2
The system can not find the drive specified

To switch the management focus to a different subdirectory, enter a command such as the following:

BigServerIron# cd PLOOK
Current directory of slot1 is: \PLOOK

This command changes the focus from the root directory level (\) to the subdirectory named “PLOOK”.

If you specify an invalid subdirectory path, the CLI displays a message such as the following:

BigServerIron# cd PLOOK
Path not found

If you are certain the path you specified exists, make sure you are at the correct level for reaching the path. For example, if you are already at the PLOOK level, the CLI cannot find the subdirectory “\PLOOK” because it is not a subdirectory from the level that currently has the management focus.

Possible values: N/A

Default value: N/A

clear arp

Removes all data from the ARP cache.

EXAMPLE:

ServerIron# clear arp

The following command clears all ARP entries for port 2 on the module in slot 3.

ServerIron# clear arp ethernet 3/2

Syntax: clear arp [ethernet <num> | mac-address <xxxx.xxxx.xxxx> [<mask>] | <ip-addr> [<ip-mask>]]

Specify the MAC address mask as “f”s and “0”s, where “f”s are significant bits. Specify IP address masks in standard decimal mask format (for example, 255.255.0.0).

Possible values: N/A

Default value: N/A

clear healthck statistics

Clears health-check policy statistics.

EXAMPLE:

ServerIron(config)# clear healthck statistics

Syntax: clear healthck statistics

Possible values: N/A

Default value: N/A

clear ip cache

Removes all entries from the IP cache.

EXAMPLE:

ServerIron# clear ip cache

Syntax: clear ip cache

Possible values: N/A

Default value: N/A

clear ip nat

Clears entries from the NAT table. The software provides the following clear options:

• Clear all entries (static and dynamic)

• Clear an entry for a specific NAT entry based on the private and global IP addresses

• Clear an entry for a specific NAT entry based on the IP addresses and the TCP or UDP port number. Use this option when you are trying to clear specific entries created using the Port Address Translation feature.

NOTE: These commands are not supported on the ServerIron 400 or ServerIron 800.

EXAMPLE:

To clear all dynamic entries from the NAT translation table, enter the following command at the Privileged EXEC level of the CLI:

ServerIron# clear ip nat all

Syntax: clear ip nat all

To clear only the entries for a specific address entry, enter a command such as the following:

ServerIron# clear ip nat inside 209.157.1.43 10.10.10.5

This command clears the inside NAT entry that maps private address 10.10.10.5 to Internet address 209.157.1.43. Here is the syntax for this form of the command.

Syntax: clear ip nat inside <global-ip> <private-ip>

If you use Port Address Translation, you can selectively clear entries based on the TCP or UDP port number assigned to an entry by the feature. For example, the following command clears one of the entries associated with Internet address 209.157.1.44 but does not clear other entries associated with the same address.

ServerIron# clear ip nat inside 209.157.1.43 1081 10.10.10.5 80

The command above clears all inside NAT entries that match the specified global IP address, private IP address, and TCP or UDP ports.

Syntax: clear ip nat <protocol> inside <global-ip> <internet-tcp/udp-port> <private-ip> <private-tcp/udp-port>

The <protocol> parameter specifies the protocol type and can be tcp or udp.

Possible values: N/A

Default value: N/A

clear ip traffic

Clears the IP traffic statistics.

EXAMPLE:

ServerIron# clear ip traffic

Syntax: clear ip traffic

Possible values: N/A

Default value: N/A

clear logging

Removes all entries from the SNMP event log.

EXAMPLE:

ServerIron# clear logging

Syntax: clear logging

Possible values: N/A

Default value: N/A

clear mac-address

Removes all static MAC address entries from the address table.

EXAMPLE:

ServerIron# clear mac-address

Syntax: clear mac-address

Possible values: N/A

Default value: N/A

clear public-key

Clears the public keys from the active configuration.

EXAMPLE:

ServerIron# clear public-key

Syntax: clear public-key

Possible values: N/A

Default value: N/A

clear rmon

Clears packet statistics displayed by the show rmon statistics command. See “show rmon statistics” on page 21-24.

EXAMPLE:

ServerIron# clear rmon

Syntax: clear rmon

Possible values: N/A

Default value: N/A

clear server traffic

Clears traffic statistics for real and virtual servers.

EXAMPLE:

ServerIron# clear server traffic

Syntax: clear server traffic

Possible values: N/A

Default value: N/A

clear server session

Clears all session table entries for a deleted real server.

When you delete a real server, the ServerIron attempts to clear all the session entries for that real server from the session table. The ServerIron requires all the sessions to be cleared from the table before performing these operations. If you use the force shutdown option (server force-delete command), the ServerIron ends the sessions within one minute. Otherwise, the ServerIron allows active sessions to end normally before removing them.

When you enter the command to delete a real server (no server real <name>), the ServerIron changes the server’s state to "await_delete". The real server remains in this state until all its sessions are cleared from the session table. Occasionally, the ServerIron cannot clear all of a deleted real server’s sessions from the table. When this occurs, the real server cannot be fully deleted. To complete deletion of the server in this case, enter the clear server session <name> command after entering the no server real <name> command.

EXAMPLE:

ServerIron(config)# no server real rs1
ServerIron(config)# show server real rs1
Real Servers Info

Name : rs1 Mac-addr: Unknown
IP:1.2.3.4 Range:1 State:await_delete Max-conn:1000000
Least-con Wt:0 Resp-time Wt:0

Port    State Ms CurConn TotConn Rx-pkts Tx-pkts Rx-octet Tx-octet Reas
----    ----- -- ------- ------- ------- ------- -------- -------- ----
8080    unbnd 0  0       0       0       0       0        0        0
default unbnd 0  0       0       0       0       0        0        0

Server Total     0       0       0       0       0        0        0
ServerIron(config)# clear server session rs1

The no server real command deletes real server "rs1". The show server real command displays the states of the real servers. Notice that rs1 is still listed as a valid real server, and has the state "await_delete". If the no server real command does not list the deleted server, the server has been completely deleted.

If the server continues to be listed with the "await_delete" state after several minutes, enter the clear server session command to finish deleting the server. The clear server session command deletes the remaining sessions for rs1, after which the ServerIron can finish deleting the server. You can enter this command immediately after entering the no server real command. You do not need to wait for any sessions to end normally.

Syntax: clear server session <name> [<name> [<name> [<name>]]]

The <name> parameter specifies the name of the real server. You can enter up to four real server names. It can take up to three minutes for the command to take effect. This command is supported only on the MP (the main processor management session). The command is not valid if entered in a WSM CPU management session.

NOTE: You cannot undo the clear server session command. If you re-enter the command for the same real server, the new command is ignored and the original command continues to be processed.

Possible values: up to four real server names

Default value: N/A
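The cleanup described above can be driven from captured show server real output. The following Python is an added example, not Foundry code: it finds real servers still in the await_delete state and builds clear server session commands with at most four names each, as the syntax allows. The sample output is constructed from the display shown above; the servers rs2 and rs3, the state value "active", and the function names are assumptions.

```python
import re

# Constructed sample modeled on the 'show server real' display in this section.
# rs2, rs3 and the state value "active" are placeholders, not device output.
SAMPLE_OUTPUT = """\
Real Servers Info

Name : rs1 Mac-addr: Unknown
IP:1.2.3.4 Range:1 State:await_delete Max-conn:1000000
Least-con Wt:0 Resp-time Wt:0

Name : rs2 Mac-addr: Unknown
IP:1.2.3.5 Range:1 State:active Max-conn:1000000
Least-con Wt:0 Resp-time Wt:0

Name : rs3 Mac-addr: Unknown
IP:1.2.3.6 Range:1 State:await_delete Max-conn:1000000
Least-con Wt:0 Resp-time Wt:0
"""

NAME_LINE = re.compile(r"^Name\s*:\s*(\S+)")
STATE_FIELD = re.compile(r"\bState:(\S+)")


def servers_awaiting_delete(show_output):
    """Return the names of real servers whose State field is await_delete."""
    stuck = []
    current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        name = NAME_LINE.match(line)
        if name:
            current = name.group(1)      # start of a new server record
            continue
        state = STATE_FIELD.search(line)
        if state and current is not None and state.group(1) == "await_delete":
            stuck.append(current)
    return stuck


def clear_session_commands(names, per_command=4):
    """Build 'clear server session' commands, up to four names per command."""
    return [
        "clear server session " + " ".join(names[start:start + per_command])
        for start in range(0, len(names), per_command)
    ]


if __name__ == "__main__":
    for command in clear_session_commands(servers_awaiting_delete(SAMPLE_OUTPUT)):
        print(command)
```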

clear snmp-server traffic

Clears statistics for SNMP server traffic.

EXAMPLE:

ServerIron# clear snmp-server traffic

Syntax: clear snmp-server traffic

Possible values: N/A

Default value: N/A

clear statistics

Clears packet statistics displayed by the show statistics command. See “show statistics” on page 21-33.

EXAMPLE:

ServerIron# clear statistics

Syntax: clear statistics

Possible values: N/A

Default value: N/A

clear statistics dos-attack

Resets counters for ICMP and TCP SYN packet burst thresholds.

EXAMPLE:

ServerIron# clear statistics dos-attack

Syntax: clear statistics dos-attack

Possible values: N/A

Default value: N/A

clear web-connection

Clears all Web management interface sessions with the ServerIron. The sessions are immediately ended when you enter the command.

EXAMPLE:

ServerIron# clear web-connection

Syntax: clear web-connection

Possible values: N/A

Default value: N/A

clock

The system clock can be set for a ServerIron. This command allows you to set the time and date. The time zone must be set using the clock timezone... command at the global CONFIG level.

NOTE: Clock settings are not saved over power cycles; however, you can configure the system to reference an SNTP server at power up. This server will then automatically download the correct time reference for the network. For more details on this capability, reference the sntp command at the privileged EXEC level and the sntp poll-interval and sntp server commands at the global CONFIG level.

EXAMPLE:

ServerIron# clock set 10:15:05 10-15-98

Syntax: [no] clock set <hh:mm:ss> <mm-dd-yy> | <mm-dd-yyyy>

Possible values: N/A

Default value: N/A

configure terminal

Launches you into the global CONFIG level.

EXAMPLE:

ServerIron# configure terminal

ServerIron(config)#

Syntax: configure terminal

Possible values: N/A

Default value: N/A

copy <from-card> <to-card>

Copies files from one PCMCIA flash card on a management module to the other card.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: This command does the same thing as the ncopy slot1 | slot2 <from-name> slot1 | slot2 <to-name> command. See “ncopy slot1 | slot2 <from-name> slot1 | slot2 [<to-name>]” on page 5-25.

EXAMPLE:

To copy a file from one flash card to the other, enter the following command:

BigServerIron# copy slot1 slot2 sales.cfg

Syntax: copy <from-card> <to-card> [\<from-dir-path>\]<from-name> [[\<to-dir-path>\]<to-name>]

The command shown in the example above copies a file from the flash card in slot 1 to the flash card in slot 2. In this case, the software uses the same name for the original file and for the copy. Optionally, you can specify a different file name for the copy.

Possible values: See above.

Default value: N/A

copy flash flash

Copies a software image between the primary and secondary flash storage locations.

EXAMPLE:

Suppose you want to copy the software image stored in the primary flash into the secondary storage location. To do so, enter the following command.

BigServerIron# copy flash flash secondary

If you want to copy the image from the secondary flash to the primary flash, enter the following command.

BigServerIron# copy flash flash primary

In the copy flash flash… command, the first ‘flash’ refers to the origin of the image and the second ‘flash’ in the command points to the destination flash. Note that in the command above, when ‘primary’ is entered, the system automatically knows that the origin flash is the secondary flash location.

Syntax: copy flash flash [primary | secondary]

Possible values: N/A

Default value: N/A

copy flash slot1 | slot2

Copies a file from flash memory to a PCMCIA flash card on the management module.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: This command does the same thing as the ncopy flash primary | secondary slot1 | slot2 <to-name> command. See “ncopy flash primary | secondary slot1 | slot2 <to-name>” on page 5-22.

EXAMPLE:

To copy a file from flash memory to a flash card, enter a command such as the following:

BigServerIron# copy flash slot2 BIS07000.bin primary
Flash Card Write (128 KBytes per dot) .......
Write to slot2 BIS07000.bin succeeded

The command in this example copies a software image file from the primary area in flash memory onto the flash card in slot 2.

If the copy does not succeed, the software lists messages to indicate the reason the copy did not work. For example, the following messages indicate that the copy did not work because the slot specified for the copy does not contain a flash card.

BigServerIron# copy flash slot2 m4s.car secondary
The system can not find the drive specified
Write to slot2 m4s.car failed

Syntax: copy flash slot1 | slot2 [\<to-dir-path>\]<to-name> primary | secondary

Possible values: See above.

Default value: N/A

copy flash tftp

Uploads a copy of the primary or secondary software image to a TFTP server.

NOTE: This command does the same thing as the ncopy flash primary | secondary tftp <ip-addr> <from-name> command. See “ncopy flash primary | secondary tftp <ip-addr> <from-name>” on page 5-23.

EXAMPLE:

BigServerIron# copy flash tftp 192.22.33.4 test.img secondary

Syntax: copy flash tftp <ip-addr> <filename> primary | secondary

Possible values: See above.

Default value: N/A

copy running slot1 | slot2

Copies the device’s running-config to a PCMCIA flash card. The running-config contains the device’s currently active configuration information. When you copy the running-config to a flash card, you are making a copy of the device’s current configuration, including any configuration changes you have not saved to the startup-config file.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: This command does the same thing as the ncopy running slot1 | slot2 <to-name> command. See “ncopy running slot1 | slot2 <to-name>” on page 5-23.

EXAMPLE:

To copy the device’s running configuration into a file on a flash card, enter a command such as the following:

BigServerIron# copy running slot1 runip.1
Write to slot1 run.sw succeeded

Syntax: copy running slot1 | slot2 [\<to-dir-path>\]<to-name>

Possible values: See above.

Default value: N/A

copy running-config tftp

Uploads a copy of the running configuration file from the switch or router to a designated TFTP server.

NOTE: This command does the same thing as the ncopy running-config tftp <ip-addr> <from-name> command. See “ncopy running-config tftp <ip-addr> <from-name>” on page 5-24.

EXAMPLE:

BigServerIron# copy running-config tftp 192.22.3.44 newrun.cfg

Syntax: copy running-config tftp <ip-addr> <filename>

Possible values: See above.

Default value: N/A

copy slot1 | slot2 flash

Copies a file from a PCMCIA flash card to the primary area in flash memory.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: This command does the same thing as the ncopy slot1 | slot2 <from-name> flash primary | secondary command. See “ncopy slot1 | slot2 <from-name> flash primary | secondary” on page 5-24.

EXAMPLE:

To copy a file from a flash card to the primary area in flash memory, enter a command such as the following:

BigServerIron# copy slot1 flash B2P07000.bin primary
BigServerIron# Flash Erase ------------------------------------------
Flash Memory Write (8192 bytes per dot) ............................................................................................
code flash copy done

Syntax: copy slot1 | slot2 flash [\<from-dir-path>\]<from-name> primary | secondary

Possible values: See above.

Default value: N/A

copy slot1 | slot2 running

Loads ACLs from a running-config file into the device’s active configuration.

NOTE: This command applies only to a BigServerIron using a Management IV module.

For example, if the device’s configuration includes a large set of Access Control Lists (ACLs), you can configure the ACLs offline in a text file on a PC, then save the file to the flash card. To load the ACLs, you can insert the flash card in the Foundry device, then copy the file to the device’s running configuration.

NOTE: This feature allows you to preconfigure and load large sets of ACLs. If you accidentally try to load a running-config file that contains other types of configuration information using this method, the software might display error messages. This occurs when the device’s parser encounters lines in the file that do not correspond to valid configuration commands.

NOTE: This command does the same thing as the ncopy slot1 | slot2 <from-name> running command. See “ncopy slot1 | slot2 <from-name> running” on page 5-24.

EXAMPLE:

To copy a running-config file from a flash card, enter a command such as the following:

BigServerIron# copy slot2 running runip.2

Syntax: copy slot1 | slot2 running [\<from-dir-path>\]<from-name>

The command in this example changes the device’s active configuration based on the information in the file.

Possible values: See above.

Default value: N/A

copy slot1 | slot2 start

Copies a startup-config file from a PCMCIA flash card to flash memory. By default, the device uses the startup-config in the primary area of flash memory to configure itself when you boot or reload the device.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: The device cannot use a startup-config file on a flash card to configure itself. You cannot boot or reload from a flash card.

NOTE: This command does the same thing as the ncopy slot1 | slot2 <from-name> start command. See “ncopy slot1 | slot2 <from-name> start” on page 5-25.

EXAMPLE:

To copy a startup-config file from a flash card to flash memory, enter a command such as the following:

BigServerIron# copy slot1 start test2.cfg
..Write startup-config done.

Syntax: copy slot1 | slot2 start [\<from-dir-path>\]<from-name>

This command copies a configuration file named test2.cfg from the flash card in slot 2 into the device’s flash memory. The next time you reboot or reload the device, it uses the configuration information in test2.cfg.

Possible values: See above.

Default value: N/A

copy slot1 | slot2 tftp

Copies a file from a PCMCIA flash card to a TFTP server.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: This command does the same thing as the ncopy slot1 | slot2 <from-name> tftp <ip-addr> [<to-name>] command. See “ncopy slot1 | slot2 <from-name> tftp <ip-addr> [<to-name>]” on page 5-26.

EXAMPLE:

To copy a file from a flash card to a TFTP server, enter a command such as the following:

BigServerIron# copy slot1 tftp 192.168.1.17 notes.txt
Uploading 254 bytes to tftp server ...
Upload to TFTP server done.

Syntax: copy slot1 | slot2 tftp <ip-addr> [\<from-dir-path>\]<from-name> [<to-name>]

Possible values: See above.

Default value: N/A

copy start slot1 | slot2

Copies the device’s startup-config file from flash memory onto a PCMCIA flash card.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: This command does the same thing as the ncopy start slot1 | slot2 <to-name> command. See “ncopy start slot1 | slot2 <to-name>” on page 5-26.

EXAMPLE:

To copy the device’s startup-config file from flash memory onto a flash card, enter a command such as the following:

BigServerIron# copy start slot1 mfgtest.cfg
Write to slot1 cfgtest.cfg succeeded

Syntax: copy start slot1 | slot2 [\<to-dir-path>\]<to-name>

Possible values: See above.

Default value: N/A

copy startup-config tftp

Uploads a copy of the startup configuration file from the switch or router to a designated TFTP server.

NOTE: This command does the same thing as the ncopy startup-config tftp <ip-addr> <from-name> command. See “ncopy startup-config tftp <ip-addr> <from-name>” on page 5-26.

EXAMPLE:

BigServerIron# copy startup-config tftp 192.22.3.44 new.cfg

Syntax: copy startup-config tftp <ip-addr> <filename>

Possible values: See above.

Default value: N/A

copy tftp flash

Downloads a copy of a Foundry switch or router software image from a TFTP server into the system flash in the primary or secondary storage location.

NOTE: This command does the same thing as the ncopy tftp <ip-addr> <from-name> flash primary | secondary command. See “ncopy tftp <ip-addr> <from-name> flash primary | secondary” on page 5-26.

EXAMPLE:

BigServerIron# copy tftp flash 192.22.33.4 test.img primary

To download into the secondary storage location, enter the command listed below instead:

BigServerIron# copy tftp flash 192.22.33.4 test.img secondary

Syntax: copy tftp flash <ip-addr> <filename> primary | secondary

Possible values: See above.

Default value: N/A

copy tftp running-config

Downloads a copy of a running-config file from a TFTP server into the running-config of the switch or router.

NOTE: This command does the same thing as the ncopy tftp <ip-addr> <from-name> running-config command. See “ncopy tftp <ip-addr> <from-name> running-config” on page 5-27.

EXAMPLE:

BigServerIron# copy tftp running-config 192.22.33.4 newrun.cfg

Syntax: copy tftp running-config <ip-addr> <filename>

Possible values: See above.

Default value: N/A

copy tftp slot1 | slot2

Copies a file from a TFTP server to a PCMCIA flash card.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: This command does the same thing as the ncopy tftp <ip-addr> <from-name> slot1 | slot2 [<to-name>] command. See “ncopy tftp <ip-addr> <from-name> slot1 | slot2 [<to-name>]” on page 5-27.

EXAMPLE:

To copy a file from a TFTP server to a flash card, enter a command such as the following:

BigServerIron# copy tftp slot1 192.168.1.17 notes.txt
Downloading from tftp server ...
Tftp 254 bytes done, copy to slot1 ...
Write to slot1 cfg.cfg succeeded

Syntax: copy tftp slot1 | slot2 <ip-addr> <from-name> [[\<to-dir-path>\]<to-name>]

If the file name you specify is not on the TFTP server, the CLI displays messages such as those shown in the following example:

BigServerIron# copy tftp slot1 192.168.1.17 nots.txt
Downloading from tftp server ...
TFTP: received error request -- code 1 message File not found: C:/TFTP/nots.txt.
Error - can't download data from TFTP server, error code 17. Abort!

To simplify troubleshooting, especially when the file is present on your server but the command doesn’t find it, the messages list the complete TFTP path name on your TFTP server.

Possible values: See above.

Default value: N/A

copy tftp startup-config

Downloads a copy of a configuration file from a TFTP server into the startup configuration file of the switch or router. To activate this configuration file, reload (reset) the system.

NOTE: This command does the same thing as the ncopy tftp <ip-addr> <from-name> startup-config command. See “ncopy tftp <ip-addr> <from-name> startup-config” on page 5-28.

EXAMPLE:

BigServerIron# copy tftp startup-config 192.22.33.4 new.cfg

Syntax: copy tftp startup-config <ip-addr> <filename>

Possible values: See above.

Default value: N/A

debug ip nat

Places the device in diagnostic mode for Network Address Translation (NAT).

NOTE: This command is not supported on the ServerIron 400 or ServerIron 800.

EXAMPLE:

The following examples show sample output from debug ip nat commands. The first three examples show the output from the diagnostic mode for ICMP NAT, TCP NAT, and UDP NAT. The fourth command shows the output for the diagnostic mode for NAT translation requests.

ServerIron# debug ip nat icmp 0.0.0.0
NAT: icmp src 10.10.100.18 => trans 192.168.2.79 dst 204.71.202.127
NAT: 192.168.2.79 204.71.202.127 ID 35768 len 60 txfid 13 icmp (8/0/512/519)
NAT: 204.71.202.127 10.10.100.18 ID 11554 len 60 txfid 15 icmp (0/0/512/519)

ServerIron# debug ip nat tcp 0.0.0.0
NAT: tcp src 10.10.100.18:1473 => trans 192.168.2.78:8016 dst 192.168.2.158:53
NAT: 192.168.2.78:8016 192.168.2.158:53 flags S ID 57970 len 44 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags S A ID 22762 len 44 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags A ID 58226 len 40 txfid 13
NAT: 192.168.2.78:8016 192.168.2.158:53 flags A ID 58482 len 77 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags A ID 23018 len 42 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags A ID 58738 len 40 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags A ID 23274 len 131 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags FA ID 58994 len 40 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags A ID 23530 len 40 txfid 15
NAT: 192.168.2.158:53 10.10.100.18:1473 flags FA ID 23786 len 40 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags A ID 59250 len 40 txfid 13

ServerIron# debug ip nat udp 0.0.0.0
NAT: udp src 10.10.100.18:1561 => trans 192.168.2.79:65286 dst 192.168.3.11:53
NAT: 192.168.2.79:65286 192.168.3.11:53 ID 35512 len 58 txfid 13
NAT: 192.168.3.11:53 10.10.100.18:1560 ID 8453 len 346 txfid 15

ServerIron# debug ip nat transdata
NAT: icmp src 10.10.100.18:2048 => trans 192.168.2.79 dst 204.71.202.127
NAT: udp src 10.10.100.18:1561 => trans 192.168.2.79:65286 dst 192.168.3.11:53
NAT: tcp src 10.10.100.18:1473 => trans 192.168.2.78:8016 dst 192.168.2.158:53

Syntax: debug ip nat icmp | tcp | udp <ip-addr>

Syntax: debug ip nat transdata

The <ip-addr> parameter specifies an IP address. The address applies to packets with the address as the source or the destination. Specify 0.0.0.0 to enable the diagnostic mode for all addresses.

To disable the NAT diagnostic mode, enter a command such as the following:

ServerIron# undebug ip nat tcp

This command disables the diagnostic mode for NAT performed on TCP packets. NAT diagnostics for other types of packets remain enabled.

Syntax: undebug ip nat icmp | tcp | udp | transdata

Possible values: N/A

Default value: Disabled
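
The following Python example is added here and is not part of the Foundry manual. It parses debug ip nat output lines like those shown above into translation records and packet records, then labels each packet as outbound or inbound relative to a logged translation, so that packets with no matching translation stand out. The line grammar is inferred from the sample output only; the manual does not define the ID, len, or txfid fields, so they are kept as printed, and the names Translation, Packet, parse, and correlate are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Lines copied from the "debug ip nat tcp" and "debug ip nat udp" sample
# output on this page (TCP exchange shortened to four lines).
SAMPLE = """\
ServerIron# debug ip nat tcp 0.0.0.0
NAT: tcp src 10.10.100.18:1473 => trans 192.168.2.78:8016 dst 192.168.2.158:53
NAT: 192.168.2.78:8016 192.168.2.158:53 flags S ID 57970 len 44 txfid 13
NAT: 192.168.2.158:53 10.10.100.18:1473 flags S A ID 22762 len 44 txfid 15
NAT: 192.168.2.78:8016 192.168.2.158:53 flags FA ID 58994 len 40 txfid 13
ServerIron# debug ip nat udp 0.0.0.0
NAT: udp src 10.10.100.18:1561 => trans 192.168.2.79:65286 dst 192.168.3.11:53
NAT: 192.168.2.79:65286 192.168.3.11:53 ID 35512 len 58 txfid 13
NAT: 192.168.3.11:53 10.10.100.18:1560 ID 8453 len 346 txfid 15
"""

# Endpoint: dotted-quad address with an optional :port (ICMP lines have none).
EP = r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?"
TRANS_RE = re.compile(rf"^NAT: (icmp|tcp|udp) src ({EP}) => trans ({EP}) dst ({EP})$")
PKT_RE = re.compile(
    rf"^NAT: ({EP}) ({EP})(?: flags ([A-Z ]+?))? ID (\d+) len (\d+) txfid (\d+)"
    r"(?: icmp \(([\d/]+)\))?$"
)


@dataclass(frozen=True)
class Translation:
    proto: str        # icmp, tcp or udp
    inside: str       # original source endpoint ("src")
    translated: str   # endpoint after NAT ("trans")
    dest: str         # destination endpoint ("dst")


@dataclass
class Packet:
    src: str
    dst: str
    flags: Optional[str]   # TCP flags as printed, e.g. "S A"; None for ICMP/UDP
    ident: int             # "ID" field, kept as printed
    length: int            # "len" field, kept as printed
    txfid: int             # "txfid" field, kept as printed
    icmp: Optional[str]    # contents of the trailing "icmp (...)" group, if any
    direction: str = "unmatched"
    translation: Optional[Translation] = None


def parse(text: str) -> Tuple[List[Translation], List[Packet]]:
    """Split debug output into translation records and packet records."""
    translations: List[Translation] = []
    packets: List[Packet] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("NAT:"):
            continue  # prompts, blank lines, other console output
        m = TRANS_RE.match(line)
        if m:
            translations.append(Translation(*m.groups()))
            continue
        m = PKT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognized NAT debug line: {line!r}")
        src, dst, flags, ident, length, txfid, icmp = m.groups()
        packets.append(Packet(src, dst, flags, int(ident), int(length), int(txfid), icmp))
    return translations, packets


def correlate(translations: List[Translation], packets: List[Packet]) -> List[Packet]:
    """Label each packet by comparing its endpoints with the logged translations.

    outbound: translated source -> destination (after NAT)
    inbound:  destination -> original inside source (reply, after reverse NAT)
    """
    for p in packets:
        for t in translations:
            if (p.src, p.dst) == (t.translated, t.dest):
                p.direction, p.translation = "outbound", t
                break
            if (p.src, p.dst) == (t.dest, t.inside):
                p.direction, p.translation = "inbound", t
                break
    return packets


def unmatched(packets: List[Packet]) -> List[Packet]:
    """Packets whose endpoints match no logged translation."""
    return [p for p in packets if p.direction == "unmatched"]


if __name__ == "__main__":
    trans, pkts = parse(SAMPLE)
    for p in correlate(trans, pkts):
        inside = p.translation.inside if p.translation else "-"
        print(f"{p.direction:<9} {p.src} -> {p.dst} inside={inside} flags={p.flags}")
    # The UDP reply as printed on the page is addressed to port 1560, while the
    # logged translation is for port 1561, so it is reported as unmatched.
    print("unmatched:", [(p.src, p.dst) for p in unmatched(pkts)])
```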

delete

Deletes a file from a flash card. This command applies only to management modules with PCMCIA slots.

NOTE: This command applies only to a BigServerIron using a Management IV module.

CAUTION: By default, the delete option deletes all files on the flash card. Make sure you specify the files you want to delete.

CAUTION: The software does not have an undelete option. Make sure you really want to delete the file.

EXAMPLE:

To delete a file on the flash card that has the management focus, enter a command such as the following:

BigServerIron# delete cfg.cfg

If the command is successful, the CLI displays a new command prompt.

Syntax: delete [slot1 | slot2] [<file-name>]

The command in this example deletes the specified file. To delete all files that contain a specific string of characters, enter a command such as the following:

BigServerIron# delete test*.*

This command deletes all files whose names start with “test”. To delete all the files on a flash card, enter a command such as the following:

BigServerIron# delete slot2

The command in this example deletes all files on the flash card in slot 2. In this example, slot 1 has the management focus, but the files to be deleted are on the flash card in slot 2.

Possible values: See above.

Default value: Deletes all files on the flash card!

dir

Lists the files on a flash card in a Management IV module’s PCMCIA slot.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: By default, the software displays the contents of the flash card in the slot that has the management focus. However, you do not need to change the focus to list the files on another flash card. You can specify the other flash card when you display the files.

EXAMPLE:

To display a directory of all the files on the flash card that has the management focus, enter the following command:

BigServerIron# dir
Volume in slot1 has no label
Volume Serial Number is 19ED-1725

Directory of slot1

01/01/2000 00:00a 685935 POS.BIN
01/01/2000 00:00a 2157693 M4R.BIN
01/01/2000 00:00a 184 A22.CFG
01/01/2000 00:00a 254 R CFG.CFG
01/01/2000 00:00a 256 STR.CFG
01/01/2000 00:00a 1027230 M5.BIN
01/01/2000 00:00a 184 A8.CFG
01/01/2000 00:00a 1029838 M4S.BIN
01/01/2000 00:00a 687026 P3R.BIN
01/01/2000 00:00a 1029838 MM.BIN
10 File(s) 6618438 bytes
74180608 bytes free

Syntax: dir [slot1 | slot2] [<file-name>]

To list only files that contain a specific pattern of characters in the name, enter a command such as the following:

BigServerIron# dir *.bin
Volume in slot1 has no label
Volume Serial Number is 19ED-1725

Directory of slot1

01/01/2000 00:00a 685935 POS.BIN
01/01/2000 00:00a 2157693 M4R.BIN
01/01/2000 00:00a 1027230 M5.BIN
01/01/2000 00:00a 1029838 M4S.BIN
01/01/2000 00:00a 687026 P3R.BIN
01/01/2000 00:00a 1029838 MM.BIN
6 File(s) 6617560 bytes
74180608 bytes free

The command in this example lists all the image files on the flash card in the slot that has the management focus. (More specifically, the command lists all the files that end with “.bin”.)

For information about the command’s display, see the “Displaying a Directory of the Files on a Flash Card” section in the “Using Redundant Management Modules” chapter of the Foundry Switching Router Installation and Configuration Guide.

Possible values: See above.

Default value: Displays all files on the flash card that has the management focus.

debug access-list

Places the device in diagnostic mode for IP access lists. Use this diagnostic mode only if advised to do so by Foundry Technical Support.

Possible values: N/A

Default value: Disabled

erase flash primary

Erases the image stored in primary flash.

EXAMPLE:

ServerIron# erase flash primary

Syntax: erase flash primary

Possible values: N/A

Default value: N/A

erase flash secondary

Erases the image stored in secondary flash.

EXAMPLE:

ServerIron# erase flash secondary

Syntax: erase flash secondary

Possible values: N/A

Default value: N/A

erase startup-config

Erases the configuration stored in the startup-config file.

EXAMPLE:

ServerIron# erase startup-config

Syntax: erase startup-config

Possible values: N/A

Default value: N/A

exit

Moves activity up one level from the current level. In this case, activity will be moved to the user level.

EXAMPLE:

To move from the privileged level, back to the user level, enter the following:

ServerIron# exit

ServerIron>

Syntax: exit

Possible values: N/A

Default value: N/A

fastboot…

Provides a configurable option to speed up the system startup time. By default, this option is turned off, providing a three-second pause to allow a user to break into the boot prompt, if necessary. Use fastboot on to turn this option on and eliminate the three-second pause. To turn this feature off later, enter the command fastboot off. Fastboot changes will be saved automatically but will not become active until after a system reset.

To execute an immediate reload from the console of the boot code without a three-second delay, you can enter the fast reload command.

EXAMPLE:

ServerIron# fastboot on

Syntax: fastboot [on | off]

Possible values: on or off

Default value: off

format

Reformats a flash card in a Management IV module’s PCMCIA slot.

NOTE: This command applies only to a BigServerIron using a Management IV module.

EXAMPLE:

To reformat a flash card, enter the following command:

BigServerIron# format slot2

Formatting Flash Card(256 clusters per dot) ..........................................................................................................................................................
Verifying Flash Card(256 clusters per dot) ..........................................................................................................................................................

80809984 bytes total card space.
80809984 bytes available on card.

2048 bytes in each allocation unit.
39458 allocation units available on card.

Flash card format done

As shown in this example, the software formats the sector on the flash card, then verifies the formatting. In this example, the software did not find any bad sectors, so all the bytes on the card are available.

Syntax: format slot1 | slot2 [<label>]

The slot1 | slot2 parameter specifies the PCMCIA slot that contains the flash card you are formatting.

The <label> parameter specifies the label. You can specify up to 11 alphanumeric characters. You cannot use special characters or spaces.

Possible values: See above

Default value: N/A

hd

Displays the data in a file on a flash card in hexadecimal format. This command applies only to management modules with PCMCIA flash slots.

NOTE: This command applies only to a BigServerIron using a Management IV module.

EXAMPLE:

To display the data in a file in hexadecimal format, enter a command such as the following:

BigServerIron# hd cfg.cfg

Syntax: hd [slot1 | slot2] <file-name>

Each row of hexadecimal output contains the following parts:

• The byte offset of the data that is displayed to the right of the offset

• A row of hexadecimal data

• The ASCII equivalent of the hexadecimal data shown in the row

Possible values: see above

Default value: N/A

kill

Terminates the specified active CLI session and resets the CONFIG token. Once you know the session ID of a Telnet connection (using the show who command), you can terminate it with the kill command. If the terminated session was a console, the console is sent back into User EXEC mode. If the terminated CLI session was a Telnet session, the Telnet connection is closed.

EXAMPLE:

ServerIron# kill telnet 1

Syntax: kill console | telnet <session-id>

Possible values: Session ID number from show who command

Default value: N/A

locate

Displays or changes the save location for the startup-config file.

NOTE: This command applies only to a BigServerIron using a Management IV module.

EXAMPLE:

BigServerIron# locate startup-config

Syntax: locate startup-config

EXAMPLE:

By default, when you save configuration changes, the changes are saved to the startup-config file on the device’s flash memory module. If you want to change the save location to a PCMCIA slot, enter a command such as the following:

BigServerIron# locate startup-config slot1 router1.cfg
BigServerIron# write memory

The first command in this example sets the device to save configuration changes to the file named “router1.cfg” in the flash card in PCMCIA slot 1. The second command saves the running-config to the router1.cfg file on the flash card in slot 1.

NOTE: In this example, after you save the configuration changes using the write memory command, the router1.cfg file will include the command that designates PCMCIA slot1 as the save location for configuration changes.

Syntax: locate startup-config [[slot1 | slot2] <file-name>]

You can specify a relative path name or full path name as part of the file name.

Possible values: See above

Default value: N/A

md

Another form of the mkdir command. See “mkdir” on page 5-21.

mkdir

Creates a subdirectory on a PCMCIA flash card.

NOTE: This command applies only to a BigServerIron using a Management IV module.

EXAMPLE:

BigServerIron# mkdir slot1 \TEST

To verify successful creation of the subdirectory, enter a command to change to the new subdirectory level:

BigServerIron# chdir \TEST
Current directory of slot1 is: \TEST

Syntax: md | mkdir [slot1 | slot2] <dir-name>

You can enter either md or mkdir for the command name.

The slot1 | slot2 parameter specifies a PCMCIA slot. If you do not specify a slot, the command applies to the slot that currently has the management focus.

The <dir-name> parameter specifies the subdirectory name. You can enter a name that contains any combination of the following characters. Do not enter a backslash “ / ” in front of the name.

• All upper and lowercase letters

• All digits

• Spaces

• Any of the following special characters:

• $

• %

• '

• -

• _

• @

• ~

• `

• !

• (

• )

• {

• }

• ^

• #

• &

You can use spaces in a file or subdirectory name if you enclose the name in double quotes. For example, to specify a subdirectory name that contains spaces, enter a string such as the following: “a long subdirectory name”.

A subdirectory or file name can be a maximum of 256 characters long. A complete subdirectory path name cannot contain more than 263 characters.

The name is not case sensitive. You can enter upper- or lowercase letters. The CLI displays the name using uppercase letters.

Possible values: See above

Default value: N/A

more

Displays the data in a file on a flash card in a Management IV module’s PCMCIA slot.

NOTE: This command applies only to a BigServerIron using a Management IV module.

EXAMPLE:

To display the contents of a file, enter a command such as the following:

BigServerIron# more cfg.cfg

Syntax: more [slot1 | slot2] <file-name>

Possible values: See above.

Default value: N/A

ncopy flash primary | secondary slot1 | slot2 <to-name>

Copies a file from flash memory to a PCMCIA flash card on the management module.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: This command does the same thing as the copy flash slot1 | slot2 command. See “copy flash slot1 | slot2” on page 5-10.

EXAMPLE:

To copy a file from flash memory to a flash card, enter a command such as the following:

BigServerIron# ncopy flash primary slot2 BIS07000.bin
Flash Card Write (128 KBytes per dot) .......
Write to slot2 BIS07000.bin succeeded

The command in this example copies a software image file from the primary area in flash memory onto the flash card in slot 2.

If the copy does not succeed, the software lists messages to indicate the reason the copy did not work. For example, the following messages indicate that the copy did not work because the slot specified for the copy does not contain a flash card.

BigServerIron# ncopy flash secondary slot2 m4s.car
The system can not find the drive specified
Write to slot2 m4s.car failed

Syntax: ncopy flash primary | secondary slot1 | slot2 [\<to-dir-path>\]<to-name>

Possible values: See above.

Default value: N/A

ncopy flash primary | secondary tftp <ip-addr> <from-name>

Uploads a copy of the primary or secondary software image to a TFTP server.

NOTE: This command does the same thing as the copy flash tftp <ip-addr> <filename> primary | secondary command. See “copy flash tftp” on page 5-10.

EXAMPLE:

BigServerIron# ncopy flash secondary tftp 192.22.33.4 test.img

Syntax: ncopy flash primary | secondary tftp <ip-addr> <from-name>

Possible values: See above.

Default value: N/A

ncopy running slot1 | slot2 <to-name>

Copies the device’s running-config to a PCMCIA flash card. The running-config contains the device’s currently active configuration information. When you copy the running-config to a flash card, you are making a copy of the device’s current configuration, including any configuration changes you have not saved to the startup-config file.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: This command does the same thing as the copy running slot1 | slot2 <to-name> command. See “copy running slot1 | slot2” on page 5-10.

EXAMPLE:

To copy the device’s running configuration into a file on a flash card, enter a command such as the following:

BigServerIron# ncopy running slot1 runip.1
Write to slot1 run.sw succeeded

Syntax: ncopy running slot1 | slot2 [\<to-dir-path>\]<to-name>

Possible values: See above.

Default value: N/A

ncopy running-config tftp <ip-addr> <from-name>

Uploads a copy of the running configuration file from the switch or router to a designated TFTP server.

NOTE: This command does the same thing as the copy running-config tftp <ip-addr> <filename> command. See “copy running-config tftp” on page 5-11.

EXAMPLE:

BigServerIron# ncopy running-config tftp 192.22.3.44 newrun.cfg

Syntax: ncopy running-config tftp <ip-addr> <from-name>

Possible values: See above.

Default value: N/A

ncopy slot1 | slot2 <from-name> flash primary | secondary

Copies a file from a PCMCIA flash card to the primary area in flash memory.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: This command does the same thing as the copy slot1 | slot2 flash <from-name> primary | secondary command. See “copy flash slot1 | slot2” on page 5-10.

EXAMPLE:

To copy a file from a flash card to the primary area in flash memory, enter a command such as the following:

BigServerIron# ncopy slot1 B2P07000.bin flash primaryBigServerIron# Flash Erase ------------------------------------------Flash Memory Write (8192 bytes per dot) ..............................................................................................................................code flash copy done

Syntax: ncopy slot1 | slot2 [\<from-dir-path>\]<from-name> flash primary | secondary

Possible values: See above.

Default value: N/A

ncopy slot1 | slot2 <from-name> running

Loads ACLs from a running-config file into the device’s active configuration.

NOTE: This command applies only to a BigServerIron using a Management IV module.

For example, if the device’s configuration includes a large set of Access Control Lists (ACLs), you can configure the ACLs offline in a text file on a PC, then save the file to the flash card. To load the ACLs, you can insert the flash card in the Foundry device, then copy the file to the device’s running configuration.

NOTE: This feature allows you to preconfigure and load large sets of ACLs. If you accidentally try to load a running-config file that contains other types of configuration information using this method, the software might display error messages. This occurs when the device’s parser encounters lines in the file that do not correspond to valid configuration commands.

NOTE: This command does the same thing as the copy slot1 | slot2 running <from-name> command. See “copy slot1 | slot2 running” on page 5-11.

EXAMPLE:

To copy a running-config file from a flash card, enter a command such as the following:

BigServerIron# ncopy slot2 runip.2 running

Syntax: ncopy slot1 | slot2 [\<from-dir-path>\]<from-name> running

The command in this example changes the device’s active configuration based on the information in the file.

Possible values: See above.

Default value: N/A

ncopy slot1 | slot2 <from-name> slot1 | slot2 [<to-name>]

Copies files from one PCMCIA flash card on a management module to the other card.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: This command does the same thing as the copy <from-card> <to-card> <from-name> [<to-name>] command. See “copy <from-card> <to-card>” on page 5-9.

EXAMPLE:

To copy a file from one flash card to the other, enter the following command:

BigServerIron# ncopy slot1 sales.cfg slot2

Syntax: ncopy slot1 | slot2 [\<from-dir-path>\]<from-name> slot1 | slot2 [[\<to-dir-path>\]<to-name>]

The command shown in the example above copies a file from the flash card in slot 1 to the flash card in slot 2. In this case, the software uses the same name for the original file and for the copy. Optionally, you can specify a different file name for the copy.

Possible values: See above.

Default value: N/A

ncopy slot1 | slot2 <from-name> start

Copies a startup-config file from a PCMCIA flash card to flash memory. By default, the device uses the startup-config in the primary area of flash memory to configure itself when you boot or reload the device.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: The device cannot use a startup-config file on a flash card to configure itself. You cannot boot or reload from a flash card.

NOTE: This command does the same thing as the copy slot1 | slot2 start <from-name> command. See “copy slot1 | slot2 start” on page 5-12.

EXAMPLE:

To copy a startup-config file from a flash card to flash memory, enter a command such as the following:

BigServerIron# ncopy slot1 test2.cfg start
..Write startup-config done.

Syntax: ncopy slot1 | slot2 [\<from-dir-path>\]<from-name> start

This command copies a configuration file named test2.cfg from the flash card in slot 2 into the device’s flash memory. The next time you reboot or reload the device, it uses the configuration information in test2.cfg.

Possible values: See above.

Default value: N/A

ncopy start slot1 | slot2 <to-name>

Copies the device’s startup-config file from flash memory onto a PCMCIA flash card.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: This command does the same thing as the copy start slot1 | slot2 <to-name> command. See “copy start slot1 | slot2” on page 5-13.

EXAMPLE:

To copy the device’s startup-config file from flash memory onto a flash card, enter a command such as the following:

BigServerIron# ncopy start slot1 mfgtest.cfg
Write to slot1 cfgtest.cfg succeeded

Syntax: ncopy start slot1 | slot2 [\<to-dir-path>\]<to-name>

Possible values: See above.

Default value: N/A

ncopy slot1 | slot2 <from-name> tftp <ip-addr> [<to-name>]

Copies a file from a PCMCIA flash card to a TFTP server.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: This command does the same thing as the copy slot1 | slot2 tftp <ip-addr> <from-name> [<to-name>] command. See “copy slot1 | slot2 tftp” on page 5-12.

EXAMPLE:

To copy a file from a flash card to a TFTP server, enter a command such as the following:

BigServerIron# ncopy slot1 notes.txt tftp 192.168.1.17
Uploading 254 bytes to tftp server ...
Upload to TFTP server done.

Syntax: ncopy slot1 | slot2 [\<from-dir-path>\]<from-name> tftp <ip-addr> [<to-name>]

Possible values: See above.

Default value: N/A

ncopy startup-config tftp <ip-addr> <from-name>

Uploads a copy of the startup configuration file from the switch or router to a designated TFTP server.

NOTE: This command does the same thing as the copy startup-config tftp <ip-addr> <filename> command. See “copy startup-config tftp” on page 5-13.

EXAMPLE:

BigServerIron# ncopy startup-config tftp 192.22.3.44 new.cfg

Syntax: ncopy startup-config tftp <ip-addr> <from-name>

Possible values: See above.

Default value: N/A

ncopy tftp <ip-addr> <from-name> flash primary | secondary

Downloads a copy of a Foundry switch or router software image from a TFTP server into the system flash in the primary or secondary storage location.

NOTE: This command does the same thing as the copy tftp flash <ip-addr> <filename> primary | secondary command. See “copy tftp flash” on page 5-13.

EXAMPLE:

BigServerIron# ncopy tftp 192.22.33.4 test.img flash primary

To download into the secondary storage location, enter the command listed below instead:

ServerIron# ncopy tftp 192.22.33.4 test.img flash secondary

Syntax: ncopy tftp <ip-addr> <from-name> flash primary | secondary

Possible values: See above.

Default value: N/A

ncopy tftp <ip-addr> <from-name> running-config

Downloads a copy of a running-config file from a TFTP server into the running-config of the switch or router.

NOTE: This command does the same thing as the copy tftp running-config <ip-addr> <filename> command. See “copy tftp running-config” on page 5-14.

EXAMPLE:

BigServerIron# ncopy tftp 192.22.33.4 newrun.cfg running-config

Syntax: ncopy tftp <ip-addr> <from-name> running-config

Possible values: See above.

Default value: N/A

ncopy tftp <ip-addr> <from-name> slot1 | slot2 [<to-name>]

Copies a file from a TFTP server to a PCMCIA flash card.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: This command does the same thing as the copy tftp slot1 | slot2 <ip-addr> <from-name> [<to-name>] command. See “copy tftp slot1 | slot2” on page 5-14.

EXAMPLE:

To copy a file from a TFTP server to a flash card, enter a command such as the following:

BigServerIron# ncopy tftp 192.168.1.17 notes.txt slot1
Downloading from tftp server ...
Tftp 254 bytes done, copy to slot1 ...
Write to slot1 cfg.cfg succeeded

Syntax: ncopy tftp <ip-addr> <from-name> slot1 | slot2 [[\<to-dir-path>\]<to-name>]

If the file name you specify is not on the TFTP server, the CLI displays messages such as those shown in the following example:

BigServerIron# ncopy tftp 192.168.1.17 nots.txt slot1
Downloading from tftp server ...
TFTP: received error request -- code 1 message File not found: C:/TFTP/nots.txt.
Error - can't download data from TFTP server, error code 17. Abort!

To simplify troubleshooting, especially when the file is present on your server but the command doesn’t find it, the messages list the complete TFTP path name on your TFTP server.

Possible values: See above.

Default value: N/A

ncopy tftp <ip-addr> <from-name> startup-config

Downloads a copy of a configuration file from a TFTP server into the startup configuration file of the switch or router. To activate this configuration file, reload (reset) the system.

NOTE: This command does the same thing as the copy tftp startup-config <ip-addr> <filename> command. See “copy tftp startup-config” on page 5-14.

EXAMPLE:

BigServerIron# ncopy tftp 192.22.33.4 new.cfg startup-config

Syntax: ncopy tftp <ip-addr> <from-name> startup-config

Possible values: See above.

Default value: N/A

page-display

Enables page-by-page display of the configuration file. When you display or save the file, one "page" (window-full) of the file is displayed. The following line provides you with options to continue the display or to cancel:

--More--, next page: Space/Return key, quit: Control-c

If you disable the page-display mode, the CLI displays the entire file without interruption.

Page-display mode is enabled by default. To disable it, enter the skip-page-display command.

NOTE: This command is equivalent to the enable skip-page-display command at the global CONFIG level.

EXAMPLE:

ServerIron# page-display

Syntax: page-display

Possible values: N/A

Default value: N/A

ping

Verifies connectivity to a Foundry switch or Layer 3 Switch or other device. The command performs an ICMP echo test to confirm connectivity to the specified device.

EXAMPLE:

ServerIron# ping 192.22.2.33

Syntax: ping <ip-addr> | <hostname> [count <num>] [timeout <msec>] [ttl <num>] [size <byte>] [no-fragment] [quiet] [verify] [data <1 – 4 byte hex>] [brief]

The only required parameter is the IP address or host name of the device.

NOTE: If the device is a Foundry switch or Layer 3 Switch, you can use the host name only if you have already enabled the Domain Name Server (DNS) resolver feature on the device from which you are sending the ping. See “ip dns domain-name” on page 6-35 and “ip dns server-address” on page 6-35.

The count <num> parameter specifies how many ping packets the device sends. You can specify from 1 – 4294967296. The default is 1.

The timeout <msec> parameter specifies how many milliseconds the Foundry device waits for a reply from the pinged device. You can specify a timeout from 1 – 4294967296 milliseconds. The default is 5000 (5 seconds).

The ttl <num> parameter specifies the maximum number of hops. You can specify a TTL from 1 – 255. The default is 64.

The size <byte> parameter specifies the size of the ICMP data portion of the packet. This is the payload and does not include the header. You can specify from 0 – 4000. The default is 16.

The no-fragment parameter turns on the "don’t fragment" bit in the IP header of the ping packet. This option is disabled by default.

The quiet parameter hides informational messages such as a summary of the ping parameters sent to the device and instead only displays messages indicating the success or failure of the ping. This option is disabled by default.

The verify parameter verifies that the data in the echo packet (the reply packet) is the same as the data in the echo request (the ping). By default the device does not verify the data.

The data <1 – 4 byte hex> parameter lets you specify a specific data pattern for the payload instead of the default data pattern, "abcd", in the packet’s data payload. The pattern repeats itself throughout the ICMP message (payload) portion of the packet.

NOTE: For numeric parameter values, the CLI does not check that the value you enter is within the allowed range. Instead, if you do exceed the range for a numeric value, the software rounds the value to the nearest valid value.

The brief parameter causes ping test characters to be displayed. The following ping test characters are supported:

! Indicates that a reply was received.

. Indicates that the network server timed out while waiting for a reply.

U Indicates that a destination unreachable error PDU was received.

I Indicates that the user interrupted ping.

Possible values: see above

Default value: see above

pwd

Indicates which flash card in a Management IV module’s PCMCIA slot has the management focus.

NOTE: This command applies only to a BigServerIron using a Management IV module.

The management focus determines the default flash card for a file management operation. For example, when you list a directory of the files on a flash card, the PCMCIA slot parameter is optional. If you do not specify the slot, the software displays the contents of the flash card in the slot that currently has the management focus. As another example, the command for deleting a file from a flash card does not require that you specify the PCMCIA slot. If you do not specify the slot, the command deletes the file from the flash card that has the management focus.

When you power on or reload a device, if the management module contains only one flash card, the slot that contains the flash card receives the management focus by default. If both slots contain flash cards, slot 1 receives the management focus by default.

EXAMPLE:

To display which flash card currently has the management focus, enter the following command:

BigServerIron# pwd
slot1

Syntax: pwd

In this example, the flash card in slot 1 has the management focus.

Possible values: N/A

Default value: N/A

quit

This command returns you from any level of the CLI to the User EXEC mode.

EXAMPLE:

ServerIron# quit

ServerIron>

Syntax: quit

Possible values: N/A

Default value: N/A

rconsole

Logs in to a WSM CPU on the Web Switching Management Module.

ServerIron# rconsole 2 1
ServerIron2/1 #

This command changes the management session from the MP to WSM CPU 1 on the Web Switching Management Module in slot 2. Notice that the end of the command prompt changes to indicate the slot number and WSM CPU number.

Syntax: rconsole <slotnum> <cpunum>

The <slotnum> parameter specifies the chassis slot that contains the module.

• Slots on a four-slot chassis are numbered 1 – 4, from top to bottom.

• Slots on an eight-slot chassis are numbered 1 – 8, from left to right.

The <cpunum> parameter specifies the WSM CPU. The WSM CPUs are numbered from 1 – 3.

For more information, see the "Using the Web Switching Management Module" chapter in the Foundry ServerIron Installation and Configuration Guide.

Possible values: See above.

Default value: Disabled

rconsole-exit

Logs out of a WSM CPU on the Web Switching Management Module.

EXAMPLE:

To log out from a management session with a WSM CPU, enter the following command at the WSM command prompt:

ServerIron2/1 # rconsole-exit
ServerIron#

Syntax: rconsole-exit

NOTE: You must enter the entire command name (rconsole-exit). The CLI will not accept abbreviated forms of the command.

Possible values: See above.

Default value: N/A

rd

Another form of the rmdir command. See “rmdir” on page 5-31.

reload

Initiates a system reset. All configuration changes made since the last reset or start of the ServerIron will be saved to the startup configuration file.

EXAMPLE:

ServerIron# reload

Syntax: reload [after <dd:hh:mm>] | [at <hh:mm:ss> <mm-dd-yy>] | [cancel] [primary | secondary]

Possible values:

after <dd:hh:mm> causes the system to reload after the specified amount of time has passed.

at <hh:mm:ss> <mm-dd-yy> causes the system to reload at exactly the specified time.

cancel cancels the scheduled reload.

primary | secondary specifies whether the reload is to occur from the primary code flash module or the secondary code flash module. The default is primary.

NOTE: The reload command must be typed in its entirety.

Default value: N/A

rename

Renames a file on a flash card in a Management IV module’s PCMCIA slot.

NOTE: This command applies only to a BigServerIron using a Management IV module.

EXAMPLE:

To rename a file, enter a command such as the following:

ServerIron# rename oldname newname

Syntax: rename [slot1 | slot2] <old-name> <new-name>

If the command is successful, the CLI displays a new command prompt.

Possible values: See above.

Default value: N/A

rmdir

Removes a subdirectory from a PCMCIA flash card.

NOTE: This command applies only to a BigServerIron using a Management IV module.

EXAMPLE:

BigServerIron# rmdir \TEST

Syntax: rd | rmdir [slot1 | slot2] <dir-name>

You can enter either rd or rmdir for the command name.

The slot1 | slot2 parameter specifies a PCMCIA slot.

The <dir-name> parameter specifies the subdirectory you want to delete. You can enter a path name if the subdirectory is not in the current directory.

NOTE: You can remove a subdirectory only if the subdirectory does not contain files or other subdirectories.

If you receive a message such as the following, enter the pwd command to verify that the management focus is at the appropriate level of the directory tree.

BigServerIron# rmdir \TEST
File not found

Possible values: See above.

Default value: N/A

rshow

Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

show…

Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.

skip-page-display

Disables page-display mode. Page-display mode displays the file one page at a time and prompts you to continue or cancel the display. When page-display mode is disabled, if you display or save the configuration file, the CLI displays the entire file without interruption.

Page display mode is enabled by default.

NOTE: This command is equivalent to the no enable skip-page-display command at the global CONFIG level.

EXAMPLE:

ServerIron> skip-page-display

Syntax: skip-page-display

Possible values: N/A

Default value: Enabled

sntp sync

Synchronizes the device’s system clock with the time supplied by the device’s SNTP server.

You define the SNTP server using the sntp server... command at the global CONFIG level. You also can define how often the clock references are validated between the ServerIron and the SNTP server by entering the sntp poll-interval command at the global CONFIG level.

NOTE: Configure the clock timezone parameter before configuring an SNTP server.

EXAMPLE:

ServerIron# sntp sync

Syntax: sntp sync

Possible values: N/A

Default value: N/A

stop-traceroute

Stops an initiated trace on a ServerIron.

EXAMPLE:

ServerIron# stop-trace-route

Syntax: stop-trace-route

Possible values: N/A

Default value: N/A

sync-standby

Immediately synchronizes software between the active and standby management modules. When you synchronize software, the active module copies the software you specify to the standby module, replacing the software on the standby module.

NOTE: This command applies only to a BigServerIron with redundant management modules.

EXAMPLE:

To immediately synchronize the boot code on the standby module with the boot code on the active module, enter the following command at the Privileged EXEC level of the CLI:

BigServerIron# sync-standby boot

Syntax: sync-standby boot

To immediately synchronize the flash code (system software) on the standby module with the boot code on the active module, enter the following command at the Privileged EXEC level of the CLI:

BigServerIron# sync-standby code

Syntax: sync-standby code

To immediately synchronize the running-config on the standby module with the running-config on the active module, enter the following command at the Privileged EXEC level of the CLI:

BigServerIron# sync-standby running-config

Syntax: sync-standby running-config

To immediately synchronize the startup-config file on the standby module with the startup-config file on the active module, enter the following command at the Privileged EXEC level of the CLI:

BigServerIron# sync-standby startup-config

Syntax: sync-standby startup-config

Possible values: See above

Default value: N/A

telnet

Allows a Telnet connection to a remote ServerIron using the console. Up to five access Telnet sessions can be supported on a ServerIron at one time. Write access through Telnet is limited to one session, and only one outgoing Telnet session is supported on a ServerIron at one time.

To see the number of open Telnet sessions at any time, enter the command show telnet.

EXAMPLE:

ServerIron# telnet 208.96.6.101

Syntax: telnet <ip-addr> | <hostname>

Possible values: N/A

Default value: N/A

temperature shutdown

Changes the shutdown temperature of a module containing a temperature sensor. If the temperature matches or exceeds the shutdown temperature, the software sends a Syslog message to the Syslog buffer and also to the SyslogD server if configured. The software also sends an SNMP trap to the SNMP trap receiver, if you have configured the device to use one.

If the temperature equals or exceeds the shutdown temperature for five consecutive polls of the temperature by the software, the software shuts down the module to prevent damage.

EXAMPLE:

To change the shutdown temperature from 55 to 57 degrees Celsius, enter the following command:

ServerIron# temperature shutdown 57

Syntax: temperature shutdown <value>

The <value> can be 0 – 125.

Possible values: 0 – 125 degrees Celsius

Default value: 55

temperature warning

Changes the warning temperature of a module containing a temperature sensor. If the temperature of the module reaches the warning value, the software sends a Syslog message to the Syslog buffer and also to the SyslogD server, if configured. In addition, the software sends an SNMP trap to the SNMP trap receiver, if you have configured the device to use one.

NOTE: You cannot set the warning temperature to a value higher than the shutdown temperature.

EXAMPLE:

To change the warning temperature from 45 to 47 degrees Celsius, enter the following command:

ServerIron# temperature warning 47

Syntax: temperature warning <value>

The <value> can be 0 – 125.

Possible values: 0 – 125 degrees Celsius

Default value: 45

traceroute

Allows you to trace the path from the current ServerIron to a host address. This command is not available on Foundry switches.

EXAMPLE:

ServerIron# traceroute 192.33.4.7 minttl 5 maxttl 5 timeout 5

Syntax: traceroute <host-ip-addr> [minttl <value>] [maxttl <value>] [timeout <value>] [numeric]

minttl – minimum TTL (hops) value: Possible values are 1 – 255. Default value is 1 second.

maxttl – maximum TTL (hops) value: Possible values are 1 – 255. Default value is 30 seconds.

timeout – Possible values are 1 – 120. Default value is 2 seconds.

numeric – Lets you change the display to list the devices by their IP addresses instead of their names.

Possible values: See above.

Default value: See above.

undebug access-list

Disables access-list diagnostic mode.

EXAMPLE:

ServerIron# undebug access-list 1

Syntax: undebug access-list <num>

Possible values: See above.

Default value: N/A

undebug ip nat

Disables diagnostic mode for NAT.

NOTE: This command is not supported on the ServerIron 400 or ServerIron 800.

EXAMPLE:

To disable the NAT diagnostic mode, enter a command such as the following:

ServerIron# undebug ip nat tcp

Syntax: undebug ip nat icmp | tcp | udp | transdata

This command disables the diagnostic mode for NAT performed on TCP packets. NAT diagnostics for other types of packets remain enabled.

Possible values: See above.

Default value: N/A

undelete

Recovers a file deleted from a PCMCIA flash card.

NOTE: This command applies only to a BigServerIron using a Management IV module.

NOTE: When you delete a file from a flash card, the CLI leaves the file intact but removes the first letter in the file name from the file directory. However, if you save file changes or new files that use part of the space occupied by the deleted file, you cannot undelete the file. The undelete command lists only the files that can be undeleted.

EXAMPLE:

BigServerIron# undelete
Undelete file "?LD.CFG" ? (enter 'y' or 'n'): y
Input one character: O
File recovered successfully and named to OLD.CFG

The command in this example starts the undelete process for the flash card and subdirectory that currently have the management focus. For each file that can be undeleted, the CLI displays the remaining name entry in the file directory and prompts you for the first character of the file name. You can enter any valid file name character. You do not need to enter the character that was used before in the deleted file name.

Once you enter a character and the CLI undeletes the file, the CLI continues with the next file that can be undeleted. For each file, specify “y” or “n”, and specify a first character for the files that you select to undelete.

To end the undelete process, enter the CTRL + C key combination.

Syntax: undelete [slot1 | slot2] [\<to-dir-path>]

Possible values: See above

Default value: N/A

whois

Performs a whois lookup on a specified domain.

EXAMPLE:

ServerIron# whois boole.com

Syntax: whois <host-ip-addr> | <domain>

Possible values: <host-ip-addr> is a valid IP address; <domain> is a valid domain name.

NOTE: A DNS gateway must be defined in order to use this command.

Default value: N/A

write memory

Saves the running-time configuration into the startup-config file.

EXAMPLE:

ServerIron# write memory

Syntax: write memory

Possible values: N/A

Default value: N/A

write terminal

Displays the running-configuration on the terminal screen.

EXAMPLE:

ServerIron# write terminal

Syntax: write terminal

Possible values: N/A

Default value: N/A

wsm copy flash flash

Copies the flash code from the primary flash to the secondary flash for each of the WSM CPUs on the Web Switching Management Module.

EXAMPLE:

ServerIron# wsm copy flash flash secondary

Syntax: wsm copy flash flash primary | secondary

The primary and secondary parameters identify either the primary or secondary flash on the WSM CPUs. For each command, the parameter specifies the destination of the copy operation.

Possible values: See above

Default value: N/A

wsm copy tftp flash

Upgrades the WSM CPUs on the Web Switching Management Module.

EXAMPLE:

ServerIron# wsm copy tftp flash 109.157.22.26 wsp07200.bin primary

This command upgrades the WSM CPUs by copying a flash code image from a TFTP server to the primary flash for each of the WSM CPUs on the module.

Syntax: wsm copy tftp flash <tftp-server-ip-addr> <image-file-name> primary | secondary

The primary and secondary parameters identify either the primary or secondary flash on the WSM CPUs. For each command, the parameter specifies the destination of the copy operation.

Possible values: See above

Default value: N/A

Chapter 6

Global CONFIG Commands

aaa authentication

Defines an authentication-method list for access authentication. See the Foundry Security Guide for more information.

EXAMPLE:

To configure an access method list, enter a command such as the following:

ServerIron(config)# aaa authentication web-server default local

This command configures the device to use the local user accounts to authenticate access to the device through the Web management interface. If the device does not have a user account that matches the user name and password entered by the user, the user is not granted access.

To configure the device to consult a RADIUS server first for Enable access, then consult the local user accounts if the RADIUS server is unavailable, enter the following command:

ServerIron(config)# aaa authentication enable default radius local

Syntax: aaa authentication snmp-server | web-server | enable [implicit-user] | login default <method1> [<method2>] [<method3>] [<method4>] [<method5>] [<method6>] [<method7>]

The snmp-server | web-server | enable [implicit-user] | login parameter specifies the type of access this authentication-method list controls. You can configure one authentication-method list for each type of access.

The implicit-user parameter configures the device to prompt for only a password when a user attempts to access the Privileged EXEC or CONFIG level of the CLI. By default, the device prompts for both a username and a password. This parameter is valid only with the enable access type.

NOTE: TACACS/TACACS+ and RADIUS are supported only for enable and login.

The <method1> parameter specifies the primary authentication method. The remaining optional <method> parameters specify the secondary methods to try if an error occurs with the primary method. A method can be one of the values listed in the Method Value column in the following table.

Possible values: see above

Default value: N/A
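The method-list behaviour described in this entry (a later method is tried only if an error occurs with the one before it, none permits access automatically, and TACACS/TACACS+ and RADIUS are supported only for enable and login) can be checked offline against a saved configuration. The following Python script is an added example, not Foundry code: the sample configuration lines, the finding names and the accept/reject/error outcome model are assumptions made for illustration, as is the deny result when every method errors.

```python
# Added example: audit "aaa authentication" method lists from a saved config.
REMOTE_METHODS = {"tacacs", "tacacs+", "radius"}
VALID_METHODS = REMOTE_METHODS | {"local", "line", "enable", "none"}
REMOTE_ALLOWED_FOR = {"enable", "login"}   # per the NOTE in this entry
MAX_METHODS = 7                            # <method1> .. <method7> in the syntax

# Constructed sample lines, not taken from a real device.
SAMPLE_CONFIG = """\
aaa authentication web-server default local
aaa authentication enable default radius local
aaa authentication login default tacacs+ none
aaa authentication snmp-server default radius
"""


def parse_method_lists(config_text):
    """Return {access_type: [method, ...]} for every aaa authentication line."""
    lists = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["aaa", "authentication"] or len(tokens) < 5:
            continue
        access, rest = tokens[2], tokens[3:]
        if rest[0] == "implicit-user":      # valid only with the enable type
            rest = rest[1:]
        if rest and rest[0] == "default":
            lists[access] = rest[1:]
    return lists


def audit(lists):
    """Return sorted (access_type, finding) pairs for risky method lists."""
    findings = []
    for access, methods in lists.items():
        if "none" in methods:
            # "none": no authentication is used, access is permitted.
            findings.append((access, "none-permits-access"))
        if access not in REMOTE_ALLOWED_FOR and REMOTE_METHODS & set(methods):
            findings.append((access, "remote-method-unsupported"))
        if len(methods) > MAX_METHODS:
            findings.append((access, "too-many-methods"))
        for method in methods:
            if method not in VALID_METHODS:
                findings.append((access, "unknown-method:" + method))
    return sorted(findings)


def authenticate(methods, outcomes):
    """Walk a method list; outcomes maps method -> 'accept'|'reject'|'error'.

    The next method is consulted only when the current one errors (for
    example, the RADIUS server is unavailable). A reject is final.
    """
    for method in methods:
        if method == "none":
            return ("permit", method)
        outcome = outcomes.get(method, "error")
        if outcome == "accept":
            return ("permit", method)
        if outcome == "reject":
            return ("deny", method)
    return ("deny", None)   # assumption: every method errored, so deny


if __name__ == "__main__":
    for finding in audit(parse_method_lists(SAMPLE_CONFIG)):
        print(finding)
    print(authenticate(["radius", "local"],
                       {"radius": "error", "local": "accept"}))
```

A list that ends in none turns an unreachable authentication server into open access, which is why the audit flags it separately from the fallback simulation.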

aaa authorization

Configures authorization for controlling access to management functions in the CLI. Foundry devices support RADIUS and TACACS+ authorization.

• When RADIUS authorization is enabled, the Foundry device consults the list of commands supplied by the RADIUS server during authentication to determine whether a user can execute a command he or she has entered.

• Two kinds of TACACS+ authorization are supported: Exec authorization determines a user’s privilege level when they are authenticated; Command authorization consults a TACACS+ server to get authorization for commands entered by the user.

EXAMPLE:

You enable command authorization by specifying a privilege level whose commands require authorization. For example, to configure the Foundry device to perform RADIUS authorization for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command:

ServerIron(config)# aaa authorization commands 0 default radius

Syntax: [no] aaa authorization commands <privilege-level> default tacacs+ | radius | none

The <privilege-level> parameter can be one of the following:

• 0 – Authorization is performed for commands available at the Super User level (all commands)

• 4 – Authorization is performed for commands available at the Port Configuration level (port-config and read-only commands)

• 5 – Authorization is performed for commands available at the Read Only level (read-only commands)

Table 0.1: Authentication Method Values

| Method Value | Description |
|---|---|
| tacacs or tacacs+ | A TACACS/TACACS+ server. You can use either parameter. Each parameter supports both TACACS and TACACS+. You also must identify the server to the device using the tacacs-server command. See “tacacs-server” on page 6-94. |
| radius | A RADIUS server. You also must identify the server to the device using the radius-server command. See “radius-server” on page 6-56. |
| local | A local user name and password you configured on the device. Local user names and passwords are configured using the username… command. See “username” on page 6-98. |
| line | The password you configured for Telnet access. The Telnet password is configured using the enable telnet password… command. See “enable telnet password” on page 6-18. |
| enable | The super-user “enable” password you configured on the device. The enable password is configured using the enable super-user-password… command. See “enable” on page 6-17. |
| none | No authentication is used. The device automatically permits access. |

NOTE: TACACS+ and RADIUS command authorization is performed only for commands entered from Telnet or SSH sessions. No authorization is performed for commands entered at the console, the Web management interface, or IronView.

NOTE: Since RADIUS authorization relies on the command list supplied by the RADIUS server during authentication, you cannot perform RADIUS authorization without RADIUS authentication.

When TACACS+ exec authorization is configured, the Foundry device consults a TACACS+ server to determine the privilege level for an authenticated user. To configure TACACS+ exec authorization, on the Foundry device, enter the following command:

ServerIron(config)# aaa authorization exec default tacacs+

Syntax: [no] aaa authorization exec default tacacs+ | none

Possible values: see above

Default value: N/A

aaa accounting

Configures RADIUS or TACACS+ accounting for recording information about user activity and system events. When you configure accounting on a Foundry device, information is sent to an accounting server when specified events occur, such as when a user logs into the device or the system is rebooted.

EXAMPLE:

To send an Accounting Start packet to a TACACS+ accounting server when an authenticated user establishes a Telnet or SSH session on the Foundry device, and an Accounting Stop packet when the user logs out:

ServerIron(config)# aaa accounting exec default start-stop tacacs+

Syntax: [no] aaa accounting exec default start-stop radius | tacacs+ | none

You can configure accounting for CLI commands by specifying a privilege level whose commands require accounting. For example, to configure the Foundry device to perform RADIUS accounting for the commands available at the Super User privilege level (that is, all commands on the device), enter the following command:

ServerIron(config)# aaa accounting commands 0 default start-stop radius

Syntax: [no] aaa accounting commands <privilege-level> default start-stop radius | tacacs+ | none

The <privilege-level> parameter can be one of the following:

• 0 – Records commands available at the Super User level (all commands)

• 4 – Records commands available at the Port Configuration level (port-config and read-only commands)

• 5 – Records commands available at the Read Only level (read-only commands)

You can configure accounting to record when system events occur on the Foundry device. System events include rebooting and when changes to the active configuration are made.

The following command causes an Accounting Start packet to be sent to a TACACS+ accounting server when a system event occurs, and an Accounting Stop packet to be sent when the system event is completed:

ServerIron(config)# aaa accounting system default start-stop tacacs+

Syntax: [no] aaa accounting system default start-stop radius | tacacs+ | none

Possible values: see above

Default value: N/A

access-list (standard)

Configures standard Access Control Lists (ACLs), which permit or deny packets based on source IP address (in contrast to extended ACLs, which permit or deny packets based on source and destination IP address and also based on IP protocol information). You can configure up to 99 standard ACLs. You can configure up to 1024 individual ACL entries. There is no limit to the number of ACL entries an ACL can contain except for the system-wide limitation of 1024 total ACL entries.

EXAMPLE:

To configure a standard ACL and apply it to outgoing traffic on port 1, enter the following commands.

ServerIron(config)# access-list 1 deny host 209.157.22.26 log
ServerIron(config)# access-list 1 deny 209.157.29.12 log
ServerIron(config)# access-list 1 deny host IPHost1 log
ServerIron(config)# access-list 1 permit any
ServerIron(config)# int eth 1
ServerIron(config-if-1)# ip access-group 1 out
ServerIron(config-if-1)# write mem

The commands in this example configure an ACL to deny packets from three source IP addresses from being forwarded on port 1. The last ACL entry in this ACL permits all packets that are not explicitly denied by the first three ACL entries.

Syntax: [no] access-list <num> deny | permit <source-ip> | <hostname> <wildcard> [log]

Syntax: [no] access-list <num> deny | permit <source-ip>/<mask-bits> | <hostname> [log]

Syntax: [no] access-list <num> deny | permit host <source-ip> | <hostname> [log]

Syntax: [no] access-list <num> deny | permit any [log]

Syntax: [no] ip access-group <num> in | out

The <num> parameter is the access list number and can be from 1 – 99.

The deny | permit parameter indicates whether packets that match a policy in the access list are denied (dropped) or permitted (forwarded).

The <source-ip> parameter specifies the source IP address. Alternatively, you can specify the host name.

NOTE: To specify the host name instead of the IP address, the host name must be configured using the Foundry device’s DNS resolver. To configure the DNS resolver name, use the ip dns server-address… command at the global CONFIG level of the CLI.

The <wildcard> parameter specifies the mask value to compare against the host address specified by the <source-ip> parameter. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net 209.157.22.x match the policy.

If you prefer to specify the wildcard (mask value) in CIDR format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of “209.157.22.26 0.0.0.255” as “209.157.22.26/24”.

NOTE: When you save ACL policies to the startup-config file, the software changes your <source-ip> values if appropriate to contain zeros where the packet value must match. For example, if you specify 209.157.22.26/24 or 209.157.22.26 255.255.255.0, then save the startup-config file, the values appear as 209.157.22.0/24 (if you have enabled display of sub-net lengths) or 209.157.22.0 255.255.255.0 in the startup-config file.

If you enable the software to display IP sub-net masks in CIDR format, the mask is saved in the file in “/<mask-bits>” format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format.

NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with sub-net mask in the display produced by the show access-list and show ip access-list commands.

The host <source-ip> | <hostname> parameter lets you specify a host IP address or name. When you use this parameter, you do not need to specify the mask. A mask of all zeros (0.0.0.0) is implied.

The any parameter configures the policy to match on all host addresses.

The log argument configures the device to generate Syslog entries and SNMP traps for packets that are permitted or denied by the access policy.

The in | out parameter specifies whether the ACL applies to incoming traffic or outgoing traffic on the port to which you apply the ACL.

Possible values: see above

Default value: N/A
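The wildcard and CIDR rules for standard ACL entries described above can be reproduced offline to review an ACL before it is applied. The following Python script is an added example, not Foundry code: it assumes entries are evaluated in order with the first match deciding, treats a bare address as a host match, does not resolve host names, and uses constructed sample entries. The saved_form and shadowed helpers are hypothetical names introduced here.

```python
import ipaddress

# Constructed sample entries (host, wildcard form, CIDR form, any).
SAMPLE_ACL = """\
access-list 1 deny host 209.157.22.26 log
access-list 1 deny 209.157.29.12 0.0.0.255 log
access-list 1 deny 209.157.30.26/24
access-list 1 permit any
"""
ALL_ONES = 0xFFFFFFFF


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_source(tokens):
    """Return (address, wildcard) as integers; host names are not handled."""
    if tokens[0] == "any":
        return 0, ALL_ONES
    if tokens[0] == "host":
        return to_int(tokens[1]), 0          # implied mask 0.0.0.0
    if "/" in tokens[0]:
        addr, bits = tokens[0].split("/")
        return to_int(addr), (1 << (32 - int(bits))) - 1
    if len(tokens) > 1 and tokens[1] != "log":
        return to_int(tokens[0]), to_int(tokens[1])
    return to_int(tokens[0]), 0              # assumption: bare address = host


def parse_acl(text):
    """Parse access-list lines into dicts with the don't-care bits zeroed."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] not in ("deny", "permit"):
            continue
        addr, wildcard = parse_source(t[3:])
        entries.append({
            "action": t[2],
            "addr": addr & ~wildcard & ALL_ONES,
            "wildcard": wildcard,
            "log": t[-1] == "log",
        })
    return entries


def saved_form(entry):
    """CIDR rendering of the normalized source (wildcard form if not a prefix)."""
    wildcard = entry["wildcard"]
    addr = str(ipaddress.IPv4Address(entry["addr"]))
    if (wildcard & (wildcard + 1)) == 0:     # contiguous low-order ones
        return f"{addr}/{32 - wildcard.bit_length()}"
    return f"{addr} {ipaddress.IPv4Address(wildcard)}"


def covers(entry, src):
    """Zeros in the wildcard must match the entry address; ones match anything."""
    return ((src ^ entry["addr"]) & ~entry["wildcard"] & ALL_ONES) == 0


def evaluate(entries, src_ip):
    """First matching entry decides; returns (action, index) or (None, None)."""
    src = to_int(src_ip)
    for index, entry in enumerate(entries):
        if covers(entry, src):
            return entry["action"], index
    return None, None    # no entry matched; not described in this section


def shadowed(entries):
    """Indexes of entries that never match because an earlier one covers them."""
    hidden = []
    for i, later in enumerate(entries):
        for earlier in entries[:i]:
            wider = (earlier["wildcard"] | later["wildcard"]) == earlier["wildcard"]
            if wider and covers(earlier, later["addr"]):
                hidden.append(i)
                break
    return hidden


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for e in acl:
        print(e["action"], saved_form(e))
    print(evaluate(acl, "209.157.29.200"), shadowed(acl))
```

Running shadowed over a candidate ACL catches the ordering mistake where a broad permit placed first makes every later deny unreachable.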

access-list (extended)

Configures extended ACLs, which permit or deny packets based on the following information:

• IP protocol

• Source IP address or host name

• Destination IP address or host name

• Source TCP or UDP port (if the IP protocol is TCP or UDP)

• Destination TCP or UDP port (if the IP protocol is TCP or UDP)

EXAMPLE:

To configure an extended ACL that blocks all Telnet traffic received on port 1 from IP host 209.157.22.26, enter the following commands.

ServerIron(config)# access-list 101 deny tcp host 209.157.22.26 any eq telnet log
ServerIron(config)# access-list 101 permit ip any any
ServerIron(config)# int eth 1
ServerIron(config-if-1)# ip access-group 101 in
ServerIron(config)# write mem

Syntax: [no] access-list <num> deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator> <source-tcp/udp-port>] <destination-ip> | <hostname> <wildcard> [<operator> <destination-tcp/udp-port>] [log]

Syntax: [no] access-list <num> deny | permit host <ip-protocol> any any [log]

Syntax: [no] ip access-group <num> in | out

The <num> parameter indicates the ACL number and can be from 100 – 199 for an extended ACL.

The deny | permit parameter indicates whether packets that match the policy are dropped or forwarded.

The <ip-protocol> parameter indicates the type of IP packet you are filtering. You can specify one of the following:

• icmp

• igmp

• igrp

• ip

• ospf

• tcp

• udp

The <source-ip> | <hostname> parameter specifies the source IP host for the policy. If you want the policy to match on all source addresses, enter any.

The <wildcard> parameter specifies the portion of the source IP host address to match against. The <wildcard> is a four-part value in dotted-decimal notation (IP address format) consisting of ones and zeros. Zeros in the mask mean the packet’s source address must match the <source-ip>. Ones mean any value matches. For example, the <source-ip> and <wildcard> values 209.157.22.26 0.0.0.255 mean that all hosts in the Class C sub-net 209.157.22.x match the policy.

If you prefer to specify the wildcard (mask value) in Classless Interdomain Routing (CIDR) format, you can enter a forward slash after the IP address, then enter the number of significant bits in the mask. For example, you can enter the CIDR equivalent of “209.157.22.26 0.0.0.255” as “209.157.22.26/24”.

NOTE: When you save ACL policies to the startup-config file, the software changes your IP address values if appropriate to contain zeros where the packet value must match. For example, if you specify 209.157.22.26/24 or 209.157.22.26 255.255.255.0, then save the startup-config file, the values appear as 209.157.22.0/24 (if you have enabled display of sub-net lengths) or 209.157.22.0 255.255.255.0 in the startup-config file.

If you enable the software to display IP sub-net masks in CIDR format, the mask is saved in the file in “/<mask-bits>” format. To enable the software to display the CIDR masks, enter the ip show-subnet-length command at the global CONFIG level of the CLI. You can use the CIDR format to configure the ACL entry regardless of whether the software is configured to display the masks in CIDR format.

NOTE: If you use the CIDR format, the ACL entries appear in this format in the running-config and startup-config files, but are shown with sub-net mask in the display produced by the show access-list and show ip access-list commands.

The <destination-ip> | <hostname> parameter specifies the destination IP host for the policy. If you want the policy to match on all destination addresses, enter any.

The <operator> parameter specifies a comparison operator for the TCP or UDP port number. This parameter applies only when you specify tcp or udp as the IP protocol. For example, if you are configuring an entry for HTTP, specify tcp eq http. You can enter one of the following operators:

• eq – The policy applies to the TCP or UDP port name or number you enter after eq.

• gt – The policy applies to TCP or UDP port numbers greater than the port number or the numeric equivalent of the port name you enter after gt.

• lt – The policy applies to TCP or UDP port numbers that are less than the port number or the numeric equivalent of the port name you enter after lt.

• neq – The policy applies to all TCP or UDP port numbers except the port number or port name you enter after neq.

• range – The policy applies to all TCP or UDP port numbers that are between the first TCP or UDP port name or number and the second one you enter following the range parameter. The range includes the port names or numbers you enter. For example, to apply the policy to all ports between and including 23 (Telnet) and 53 (DNS), enter the following: range 23 53. The first port number in the range must be lower than the last number in the range.

• established – This operator applies only to TCP packets. If you use this operator, the policy applies to TCP packets that have the ACK (Acknowledgment) or RST (Reset) bits set on (set to "1") in the Control Bits field of the TCP packet header. Thus, the policy applies only to established TCP sessions, not to new sessions. See Section 3.1, "Header Format", in RFC 793 for information about this field.

NOTE: This operator applies only to destination TCP ports, not source TCP ports.
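The operator semantics above, including the flag test behind established, can be modeled in a few lines. This Python sketch is an added example, not code from the manual; the function names and the sample packets are constructed for illustration. The port numbers for names other than Telnet (23) and DNS (53) are the standard well-known assignments and are an assumption about how the device maps those names.

```python
# TCP control bits from RFC 793, section 3.1 ("Header Format").
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# A few of the port names the manual lists. 23 and 53 are given in the manual;
# the rest are the usual well-known numbers (assumption about the device).
PORT_NAMES = {"telnet": 23, "dns": 53, "smtp": 25, "http": 80, "ssl": 443}


def port_number(token: str) -> int:
    """Resolve a port name or a decimal port number."""
    if token in PORT_NAMES:
        return PORT_NAMES[token]
    port = int(token)                      # raises ValueError for unknown names
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {token}")
    return port


def operator_matches(spec: str, dst_port: int, tcp_flags: int = 0) -> bool:
    """Evaluate one operator clause, e.g. 'eq http', 'range 23 53' or
    'established', against a packet's destination port and TCP flags."""
    words = spec.split()
    if not words:
        raise ValueError("empty operator clause")
    op, args = words[0], words[1:]

    if op == "established":
        if args:
            raise ValueError("established takes no port")
        # The check reads only the flag bits of the packet being evaluated:
        # ACK or RST set means "part of an established session".
        return bool(tcp_flags & (ACK | RST))

    if op == "range":
        if len(args) != 2:
            raise ValueError("range needs two ports")
        low, high = port_number(args[0]), port_number(args[1])
        if low >= high:
            raise ValueError("first port in a range must be lower than the last")
        return low <= dst_port <= high     # both ends are included

    if len(args) != 1:
        raise ValueError(f"{op} needs exactly one port")
    port = port_number(args[0])
    if op == "eq":
        return dst_port == port
    if op == "gt":
        return dst_port > port
    if op == "lt":
        return dst_port < port
    if op == "neq":
        return dst_port != port
    raise ValueError(f"unknown operator: {op}")


# Constructed sample packets: (description, destination port, TCP flags).
PACKETS = [
    ("new connection (SYN)", 80, SYN),
    ("handshake reply (SYN+ACK)", 40000, SYN | ACK),
    ("data segment (ACK)", 40000, ACK),
    ("reset (RST)", 40000, RST),
    ("close (FIN+ACK)", 40000, FIN | ACK),
]


def matching_packets(spec: str, packets=PACKETS):
    """Descriptions of the sample packets that the clause matches."""
    return [name for name, port, flags in packets
            if operator_matches(spec, port, flags)]


if __name__ == "__main__":
    for clause in ("eq http", "gt 1023", "range 23 53", "established"):
        print(f"{clause:12} -> {matching_packets(clause)}")
```

Only the initial SYN fails the established test, which is why the operator lets return traffic through without admitting new inbound sessions.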

The <tcp/udp-port> parameter specifies the TCP or UDP port number or well-known name. The device recognizes the following well-known names. For other ports, you must specify the port number.

NOTE: The following lists are organized alphabetically. In the CLI, these port names are listed according to ascending port number.

• TCP port names recognized by the software:

  • bgp
  • dns
  • ftp
  • http
  • imap4
  • ldap
  • mms
  • nntp
  • pop2
  • pop3
  • pnm
  • rtsp
  • smtp
  • ssl
  • telnet

• UDP port names recognized by the software:

  • bootps
  • bootpc
  • dns
  • ntp
  • radius
  • radius-old
  • rip
  • snmp
  • snmp-trap
  • tftp

The in | out parameter specifies whether the ACL applies to incoming traffic or outgoing traffic on the port to which you apply the ACL.

Possible values: see above

Default value: N/A

all-client

Restricts management access to the Foundry device to the host whose IP address you specify. No other device except the one with the specified IP address can access the Foundry device through Telnet (CLI), the Web (Web management interface), or SNMP (IronView).

If you want to restrict access for some of the management platforms but not all of them, use one or two of the following commands:

• snmp-client – restricts IronView access and all other SNMP access. See “snmp-client” on page 6-88.

• telnet client – restricts Telnet access. See “telnet client” on page 6-95.

• web client – restricts web access. See “web client” on page 6-100.

EXAMPLE:

To restrict all management access to the Foundry device to the host with IP address 209.157.22.26, enter the following command:

ServerIron(config)# all-client 209.157.22.26

Syntax: [no] all-client <ip-addr>

Possible values: a valid IP address. You can enter one IP address with the command. You can use the command up to ten times for up to ten IP addresses.

Default value: N/A

arp

Adds a static ARP entry.

NOTE: This command applies only to IP forwarding (Layer 3).

EXAMPLE:

ServerIron(config)# arp 1 209.157.22.3 aaaa.bbbb.cccc ethernet 3

This command adds a static ARP entry that maps IP address 209.157.22.3 to MAC address aaaa.bbbb.cccc. The entry is for a MAC address connected to ServerIron port 3.

Syntax: [no] arp <num> <ip-addr> <mac-addr> ethernet <portnum> [vlan <vlan-id>]

The <num> parameter specifies the entry number. You can specify a number from 1 up to the maximum number of static entries allowed on the device. To determine the maximum number of entries, enter the show default values command. To increase the maximum, use the system-max static-arp command.

The <ip-addr> parameter specifies the IP address of the device that has the MAC address of the entry.

The <mac-addr> parameter specifies the MAC address of the entry.

The ethernet <portnum> parameter specifies the port number attached to the device that has the MAC address of the entry.

The vlan <vlan-id> parameter specifies the port-based VLAN the entry belongs to. Use this parameter when the port is a member of more than one port-based VLAN and you want the ARP entry to apply only to a specific VLAN.

NOTE: The clear arp command clears learned ARP entries but does not remove any static ARP entries.

Possible values: See above

Default value: None configured

atalk-proto

Creates an AppleTalk protocol VLAN on a Foundry switch or router. When first assigned, all ports are assumed by default to be members of the VLAN. VLAN membership can be modified using the dynamic, static, or exclude commands.

EXAMPLE:

To create an AppleTalk Protocol VLAN with permanent port membership of 9 and 13 and no dynamic ports, enter the following commands.

ServerIron(config)# atalk-proto

ServerIron(config-atalk-proto)# static e9 e13

ServerIron(config-atalk-proto)# no dynamic

ServerIron(config-atalk-proto)# exit

Syntax: atalk-proto [name <string>]

The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.

Possible values: N/A

Default value: N/A

banner exec

Configures the Foundry device to display a message when a user enters the Privileged EXEC CLI level.

EXAMPLE:

ServerIron(config)# banner exec $ (Press Return)

Enter TEXT message, End with the character '$'.

You are entering Privileged EXEC level

Don’t foul anything up! $

Syntax: [no] banner exec <delimiting-character>

A delimiting character is established on the first line of the banner exec command. You begin and end the message with this delimiting character. The delimiting character can be any character except “ (double-quotation mark) and cannot appear in the banner text. In this example, the delimiting character is $ (dollar sign). The text in between the dollar signs is the contents of the banner. The banner text can be up to 2048 characters long and can consist of multiple lines. To remove the banner, enter the no banner exec command.

Possible values: N/A

Default value: N/A

banner incoming

Configures the Foundry device to display a message on the Console when a user establishes a Telnet session. This message indicates where the user is connecting from and displays a configurable text message.

EXAMPLE:

ServerIron(config)# banner incoming $ (Press Return)

Enter TEXT message, End with the character '$'.

Incoming Telnet Session!! $

When a user connects to the CLI using Telnet, the following message appears on the Console:

Telnet from 209.157.22.63

Incoming Telnet Session!!

Syntax: [no] banner incoming <delimiting-character>

A delimiting character is established on the first line of the banner incoming command. You begin and end the message with this delimiting character. The delimiting character can be any character except “ (double-quotation mark) and cannot appear in the banner text. In this example, the delimiting character is $ (dollar sign). The text in between the dollar signs is the contents of the banner. The banner text can be up to 2048 characters long and can consist of multiple lines. To remove the banner, enter the no banner incoming command.

Possible values: N/A

Default value: N/A

banner motd

Configures the Foundry device to display a message on a user’s terminal when he or she establishes a Telnet CLI session.

EXAMPLE:

To display the message “Welcome to ServerIron!” when a Telnet CLI session is established:

ServerIron(config)# banner motd $ (Press Return)

Enter TEXT message, End with the character '$'.

Welcome to ServerIron! $

Syntax: [no] banner <delimiting-character> | [motd <delimiting-character>]

A delimiting character is established on the first line of the banner motd command. You begin and end the message with this delimiting character. The delimiting character can be any character except “ (double-quotation mark) and cannot appear in the banner text. In this example, the delimiting character is $ (dollar sign). The text in between the dollar signs is the contents of the banner. The banner text can be up to 2048 characters long and can consist of multiple lines. To remove the banner, enter the no banner motd command.

When you access the Web management interface, the banner is displayed on the login panel.

NOTE: The banner <delimiting-character> command is equivalent to the banner motd <delimiting-character> command.

Possible values: N/A

Default value: N/A

boot system bootp

Configures the device to use BootP as the primary boot source.

NOTE: If you enter another boot system command at the global CONFIG level after entering this command, the software adds the new boot source as the primary source and changes the previously entered source to be the secondary source.

EXAMPLE:

ServerIron(config)# boot system bootp

Syntax: boot system bootp

Possible values: N/A

Default value: primary flash

boot system flash primary

Configures the device to use the primary flash location as the primary boot source. This is the default primary boot source.

NOTE: If you enter another boot system command at the global CONFIG level after entering this command, the software adds the new boot source as the primary source and changes the previously entered source to be the secondary source.

EXAMPLE:

ServerIron(config)# boot system flash primary

Syntax: boot system flash primary

Possible values: N/A

Default value: primary flash

boot system flash secondary

Configures the device to use the secondary flash location as the primary boot source.

NOTE: If you enter another boot system command at the global CONFIG level after entering this command, the software adds the new boot source as the primary source and changes the previously entered source to be the secondary source.

EXAMPLE:

ServerIron(config)# boot system flash secondary

Syntax: boot system flash secondary

Possible values: N/A

Default value: primary flash

boot system tftp

Configures the device to use a TFTP server as the primary boot source.

NOTE: If you enter another boot system command at the global CONFIG level after entering this command, the software adds the new boot source as the primary source and changes the previously entered source to be the secondary source.

EXAMPLE:

ServerIron(config)# boot sys tftp 192.22.33.44 current.img

NOTE: Before entering the TFTP boot command, you must first assign an IP address, IP mask and default gateway (if applicable) at the boot prompt as shown.

EXAMPLE:

boot> ip address 192.22.33.44 255.255.255.0

boot> ip default-gateway 192.22.33.1

You now can proceed with the boot system tftp… command.

Syntax: boot system tftp <ip-addr> <filename>

Possible values: N/A

Default value: primary flash

broadcast filter

Configures a Layer 2 broadcast packet filter. You can filter on all broadcast traffic or on IP UDP broadcast traffic.

EXAMPLE:

To configure a Layer 2 broadcast filter to filter all types of broadcasts, then apply the filter to ports 1, 2, and 3, enter the following commands:

ServerIron(config)# broadcast filter 1 any

ServerIron(config-bcast-filter-id-1)# exclude-ports ethernet 1 to 3

ServerIron(config-bcast-filter-id-1)# write mem

EXAMPLE:

To configure two filters, one to filter IP UDP traffic on ports 1 – 4, and the other to filter all broadcast traffic on port 6, enter the following commands:

ServerIron(config)# broadcast filter 1 ip udp

ServerIron(config-bcast-filter-id-1)# exclude-ports ethernet 1 to 4

ServerIron(config-bcast-filter-id-1)# exit

ServerIron(config)# broadcast filter 2 any

ServerIron(config-bcast-filter-id-2)# exclude-ports ethernet 6

ServerIron(config-bcast-filter-id-2)# write mem

EXAMPLE:

To configure an IP UDP broadcast filter that applies only to port-based VLAN 10, then apply the filter to two ports within the VLAN, enter the following commands:

ServerIron(config)# broadcast filter 4 ip udp vlan 10

ServerIron(config-bcast-filter-id-4)# exclude-ports eth 1 eth 3

ServerIron(config-bcast-filter-id-4)# write mem

Syntax: [no] broadcast filter <filter-id> any | ip udp [vlan <vlan-id>]

The <filter-id> specifies the filter number and can be a number from 1 – 8. The software applies the filters in ascending numerical order. As soon as a match is found, the software takes the action specified by the filter (block the broadcast) and does not compare the packet against additional broadcast filters.

You can specify any or ip udp as the type of broadcast traffic to filter. The any parameter prevents all broadcast traffic from being sent on the specified ports. The ip udp parameter prevents all IP UDP broadcasts from being sent on the specified ports but allows other types of broadcast traffic.

If you specify a port-based VLAN ID, the filter applies only to the broadcast domain of the specified VLAN, not to all broadcast domains (VLANs) on the device.

As soon as you press Enter after entering the command, the CLI changes to the configuration level for the filter you are configuring. You specify the ports to which the filter applies at the filter's configuration level.

Syntax: [no] exclude-ports ethernet <portnum> to <portnum>

Or

Syntax: [no] exclude-ports ethernet <portnum> ethernet <portnum>

These commands specify the ports to which the filter applies.

NOTE: This is the same command syntax as that used for configuring port-based VLANs. Use the first command for adding a range of ports. Use the second command for adding separate ports (not in a range). You also can combine the syntax. For example, you can enter exclude-ports ethernet 1/4 ethernet 2/6 to 2/9.

Possible values: see above

Default value: N/A

broadcast limit

Specifies the maximum number of broadcast packets the device can forward each second. By default the device sends broadcasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However, if other devices in the network cannot handle unlimited broadcast traffic, this command allows you to relieve those devices by throttling the broadcasts at the Foundry device.

NOTE: The broadcast limit does not affect multicast or unicast traffic. However, you can use the multicast limit and unknown-unicast limit commands to control these types of traffic. See “multicast limit” on page 6-53 and “unknown-unicast limit” on page 6-98.

EXAMPLE:

ServerIron(config)# broadcast limit 30000

Syntax: broadcast limit <num>

Possible values: 0 – 4294967295

Default value: N/A

chassis name

Assigns an administrative ID to the device.

NOTE: This command does not change the CLI prompt. To change the CLI prompt, use the hostname command. See “hostname” on page 6-32.

EXAMPLE:

ServerIron(config)# chassis name routernyc

Syntax: chassis name <text>

Possible values: Up to 32 alphanumeric characters

Default value: Null string

chassis poll-time

Changes the number of seconds between polls of the power supply and fan status.

Use the show chassis command to display the hardware status.

EXAMPLE:

To change the hardware poll time from 60 seconds (the default) to 30 seconds:

ServerIron(config)# chassis poll-time 30

Syntax: chassis poll-time <num>

Possible values: 0 – 65535

Default value: 60

chassis trap-log

Disables or re-enables status polling for individual power supplies and fans. When you disable status polling, a fault in the power supply does not generate a trap in the system log.

EXAMPLE:

To disable polling of power supply 2, enter the following command:

ServerIron(config)# no chassis trap-log ps2

Syntax: [no] chassis trap-log ps1 | ps2 | fan1 | fan2

Possible values: see above

Default value: all traps enabled

clear

Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in “Privileged EXEC Commands” on page 5-1.

clock summer-time

This command will automatically activate and deactivate daylight savings time for the relevant time zones.

EXAMPLE:

ServerIron(config)# clock summer-time

Syntax: clock summer-time

Possible values: N/A

Default value: N/A

clock timezone

Allows you to define the time zone of the clock. This parameter is used in conjunction with the clock set command or for timestamps obtained from an SNTP server. The clock set... command is configured at the privileged EXEC level of the CLI.

NOTE: Use this clock command before all others to ensure accuracy of the clock settings.

NOTE: For those time zones that recognize daylight savings time, the clock summer-time command will also need to be defined.

NOTE: Clock settings are not saved over power cycles; however, you can configure the system to reference an SNTP server at power up. This server will then automatically download the correct time reference for the network. The local ServerIron will then adjust the time according to its time zone setting. For more details on setting up an SNTP reference clock, refer to the sntp command at the privileged EXEC level and the sntp poll-interval and sntp server commands at the global CONFIG level.

EXAMPLE:

ServerIron(config)# clock timezone us eastern

Syntax: clock timezone gmt | us <time-zone>

Possible values: The following time zones can be entered for US or GMT:

US time zones: alaska, aleutian, arizona, central, east-indiana, eastern, hawaii, michigan, mountain, pacific, samoa

GMT time zones: gmt+12, gmt+11, gmt+10 ... gmt+01, gmt+00, gmt-01 ... gmt-10, gmt-11, gmt-12

Default value: gmt + 00

confirm-port-up

Reduces the number of up-status confirmations the software requires before bringing a port up for use. This command is useful for network interface cards (NICs) that are designed to come up very quickly in certain applications and are sensitive to the slight delay caused by the Foundry ports as they wait for the multiple status indications before coming up. You can configure a Foundry device to reduce the number of status indications the software requires before bringing up a 10/100Base-Tx port.

NOTE: Do not use this command unless advised to do so by Foundry technical support.

By default, Foundry devices wait for multiple indications that a port is good before bringing the port up. Specific types of networking devices are sensitive to the very slight delay caused by the multiple status indications. In this case, you can use one of the following methods to reduce the number of status indications the software requires before bringing up a 10/100Base-Tx port. You can set the parameter globally for all 10/100 ports.

EXAMPLE:

By default, Stackable devices bring a 10/100 Base-Tx port up after receiving ten consecutive up-status indications for the port. You can reduce this number to as few as one indication.

To reduce the up-status indications required to bring up 10/100 ports on a Stackable device, enter the following commands:

ServerIron(config)# confirm-port-up 1

ServerIron(config)# write mem

Syntax: [no] confirm-port-up <num>

The <num> parameter specifies the number of indications required by the software and can be from 1 – 10. The default for Stackable devices is 10.

Possible values: 1 – 10

Default value: 10

console

Times out idle serial management sessions.

By default, a Foundry device does not time out serial CLI sessions. A serial session remains open indefinitely until you close it. You can configure the device to time out serial CLI sessions if they remain idle for a specified number of minutes. You can configure an idle timeout value from 0 – 240 minutes. The default is 0.

NOTE: If a session times out, the device does not close the connection. Instead, the CLI changes to the User EXEC mode (for example: ServerIron>).

EXAMPLE:

To configure the idle timeout for serial CLI sessions, enter a command such as the following:

ServerIron(config)# console timeout 20

This command configures the idle timeout value to 20 minutes.

Syntax: [no] console timeout <num>

The <num> parameter specifies the number of minutes the serial CLI session can remain idle before it times out. You can specify from 0 – 240 minutes. The default is 0 (sessions never time out).

Possible values: 0 – 240 minutes

Default value: 0 (sessions never time out)

crypto key

Configures a host RSA public and private key pair for SSH. The host RSA key pair is stored in the Foundry device’s system-config file. Only the public key is readable. The host RSA key pair is used to negotiate a session key and encryption method with the SSH clients trying to connect to it.

EXAMPLE 1:

To generate a public and private host RSA key pair for the Foundry device:

ServerIron(config)# crypto key generate rsa

ServerIron(config)# wri mem

A host RSA key pair is stored in the system-config file, and SSH is enabled on the device.

EXAMPLE 2:

To delete the host RSA key pair from the system-config file:

ServerIron(config)# crypto key zeroize rsa

ServerIron(config)# wri mem

The host RSA key pair is deleted from the system-config file, and SSH is disabled on the device.

Syntax: crypto key generate | zeroize rsa

Possible values: N/A

Default value: N/A

crypto random-number-seed

Creates a new seed for generating a random number that is used for generating the dynamically created server RSA key pair for SSH.

EXAMPLE:

ServerIron(config)# crypto random-number-seed generate

Syntax: crypto random-number-seed generate

Possible values: N/A

Default value: N/A

decnet-proto

Creates a Decnet protocol VLAN on a Foundry switch or router. All ports will by default be assigned to the VLAN when initially created. VLAN membership can be modified using the dynamic, static, or exclude commands.

EXAMPLE:

To create a Decnet protocol VLAN with permanent port membership of 15 and 16 with port 17 as a dynamic member port (on module 1), enter the following commands.

ServerIron(config)# decnet-proto

ServerIron(config-decnet-proto)# static e 1/15 to 1/16

ServerIron(config-decnet-proto)# exclude e 1/1 to 1/14 e 1/18

Syntax: decnet-proto

Possible values: N/A

Default value: N/A

default-vlan-id

When you enable port-based VLAN operation, all ports are assigned to VLAN 1 by default. As you create additional VLANs and assign ports to them, the ports are removed from the default VLAN. All ports that you do not assign to other VLANs remain members of default VLAN 1. This behavior ensures that all ports are always members of at least one VLAN.

You can change the VLAN ID for the default VLAN by entering the following command at the global CONFIG level of the CLI:

ServerIron(config)# default-vlan-id 1001

You must specify a valid VLAN ID that is not already in use. For example, if you have already defined VLAN 10, do not try to use "10" as the new VLAN ID for the default VLAN. Valid VLAN IDs are numbers from 1 – 4095.

NOTE: Changing the default VLAN name does not change the properties of the default VLAN. Changing the name allows you to use the VLAN ID "1" as a configurable VLAN.

dhcp-gateway-list

This parameter must be defined when the DHCP Assist feature is enabled on a Foundry switch. A gateway address must be defined for each sub-net that will be requesting addresses from a DHCP server. This allows the stamping process to occur. Each gateway address defined on the switch corresponds to an IP address of the ServerIron interface or other device involved.

Up to eight addresses can be defined for each gateway list in support of ports that are multi-homed. When multiple IP addresses are configured for a gateway list, the switch inserts the addresses into the discovery packet in a round robin fashion.

Up to 32 gateway lists can be defined for each switch.

NOTE: For more details on this command and the DHCP Assist feature, see the Foundry Switch and Router Installation and Basic Configuration Guide.

EXAMPLE:

ServerIron(config)# dhcp-gateway-list 1 192.95.5.1

ServerIron(config)# int e 2

ServerIron(config-if-2)# dhcp-gateway-list 1

Syntax: dhcp-gateway-list <num> <ip-addr>

Possible values: N/A

Default value: N/A

enable

You can use the enable command to assign three levels of passwords to provide a range of access points for various users within the network.

The three levels are:

• Super user: This user has unlimited access to all levels of the CLI. This level is generally reserved for system administration. The super user is also the only user that can assign a password access level to another user.

• Configure Port: This user has the ability to configure interface parameters only. The user can also view any show commands.

• Read only: A user with this password level is only able to view show commands. No configuration is allowed with this password access type.

NOTE: You also can secure access using a RADIUS or TACACS/TACACS+ server or local user accounts. See the Foundry Security Guide.

EXAMPLE:

ServerIron(config)# enable super-user-password Alexis

ServerIron(config)# enable read-only-password Jim

ServerIron(config)# enable port-config-password Bill

Syntax: enable super-user-password | read-only-password | port-config-password <text>

Possible values: Up to 32 alphanumeric characters can be assigned in the text field.

Default value: No system default

enable password-display

By default, passwords are never visible, even in the configuration file. If you want passwords to be visible in the configuration file, use the enable password-display command. The next time you display the configuration file, the passwords will be visible along with the commands used to set them. This command takes effect immediately.

EXAMPLE:

ServerIron(config)# enable password-display

Syntax: [no] enable password-display

Possible values: N/A

Default value: Disabled

enable skip-page-display

Removes the stop page display characteristic for the write terminal command. For example, by default, when a user enters the command write terminal, the full configuration will generally involve more than a single page display. You are prompted to press the Return key to view the next page of information. When this command is enabled, this page-by-page prompting will be removed and the entire display will roll on the screen until the end is reached.

To re-enable the stop page display characteristic, enter the no enable skip-page-display command.

EXAMPLE:

To remove the page-by-page display of configuration information, enter the following:

ServerIron(config)# enable skip-page-display

Syntax: enable skip-page-display

Possible values: N/A

Default value: Disabled

enable snmp config-radius

Enables users of IronView or other SNMP management applications to configure RADIUS authentication parameters on the ServerIron.

EXAMPLE:

To enable IronView users to configure RADIUS authentication parameters on the ServerIron, enter the following:

ServerIron(config)# enable snmp config-radius

Syntax: enable snmp config-radius

Possible values: N/A

Default value: Disabled

enable snmp config-tacacs

Enables users of IronView or other SNMP management applications to configure TACACS/TACACS+ authentication parameters on the ServerIron.

EXAMPLE:

To enable IronView users to configure TACACS/TACACS+ authentication parameters on the Foundry device, enter the following:

ServerIron(config)# enable snmp config-tacacs

Syntax: enable snmp config-tacacs

Possible values: N/A

Default value: Disabled

enable telnet authentication

Allows you to use local access control or a RADIUS server to authenticate Telnet access to the ServerIron.

EXAMPLE:

ServerIron(config)# enable telnet authentication

Syntax: [no] enable telnet authentication

Possible values: N/A

Default value: Disabled

enable telnet password

Allows you to assign a password for Telnet session access. To close a Telnet session, enter logout.

EXAMPLE:

ServerIron(config)# enable telnet password secretsalso

Syntax: enable telnet password <text>

Possible values: Up to 32 alphanumeric characters can be assigned as the password.

Default value: No system default.
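The management-access commands in this chapter (all-client and the per-platform client commands, console timeout, enable password-display, enable telnet authentication, enable snmp config-radius and config-tacacs, boot system tftp and bootp) can be reviewed together in a saved configuration. The following Python sketch is an added example, not a Foundry tool. It assumes the configuration text lists global CONFIG commands one per line in the form they are entered, and both sample configurations are constructed.

```python
import re

# Constructed sample configurations (not taken from a real device).
WEAK_CONFIG = """\
hostname lab-si
enable password-display
enable snmp config-radius
console timeout 0
boot system tftp 192.22.33.44 current.img
"""

HARDENED_CONFIG = """\
hostname lab-si
all-client 209.157.22.26
console timeout 20
enable telnet authentication
boot system flash primary
"""

# Commands the manual lists for restricting management access by source IP.
SOURCE_RESTRICTIONS = ("all-client", "telnet client", "web client", "snmp-client")


def active_commands(config_text):
    """Non-empty lines with whitespace collapsed; 'no ...' lines are dropped
    because they turn a feature off rather than on."""
    commands = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("no "):
            commands.append(line)
    return commands


def has_command(commands, prefix):
    """True if a command equals the prefix or starts with it as whole words."""
    return any(c == prefix or c.startswith(prefix + " ") for c in commands)


def console_timeout(commands):
    """Idle timeout in minutes; the documented default is 0 (never)."""
    minutes = 0
    for c in commands:
        m = re.fullmatch(r"console timeout (\d+)", c)
        if m:
            minutes = int(m.group(1))
    return minutes


def audit(config_text):
    """Return a list of (finding-id, explanation) tuples."""
    commands = active_commands(config_text)
    findings = []
    if has_command(commands, "enable password-display"):
        findings.append(("password-display",
                         "passwords are visible in the configuration file"))
    if console_timeout(commands) == 0:
        findings.append(("console-timeout",
                         "idle serial CLI sessions never time out"))
    if not any(has_command(commands, p) for p in SOURCE_RESTRICTIONS):
        findings.append(("mgmt-unrestricted",
                         "no source-IP restriction on Telnet, Web or SNMP access"))
    if not has_command(commands, "enable telnet authentication"):
        findings.append(("telnet-auth",
                         "Telnet authentication is at its default (disabled)"))
    for kind in ("radius", "tacacs"):
        if has_command(commands, f"enable snmp config-{kind}"):
            findings.append((f"snmp-config-{kind}",
                             f"SNMP applications can change {kind.upper()} settings"))
    if has_command(commands, "boot system tftp") or has_command(commands, "boot system bootp"):
        findings.append(("network-boot",
                         "boot image is fetched over the network (TFTP has no authentication)"))
    return findings


def finding_ids(config_text):
    return [finding_id for finding_id, _ in audit(config_text)]


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for finding_id, why in audit(text) or [("ok", "no findings")]:
            print(f"  {finding_id}: {why}")
```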

end

Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.

EXAMPLE:

ServerIron(config)# end

ServerIron#

Syntax: end

Possible values: N/A

Default value: N/A

exit

Moves activity up one level from the current level. In this case, activity will be moved to the privileged level.

EXAMPLE:

To move from the global level, back to the privileged level, enter the following:

ServerIron(config)# exit

ServerIron#

Syntax: exit

Possible values: N/A

Default value: N/A

fast port-span

Configures the Fast Port Span feature, which allows faster STP convergence on ports that are attached to end stations.

EXAMPLE:

To enable Fast Port Span:

ServerIron(config)# fast port-span

EXAMPLE:

To exclude a port from Fast Port Span, while leaving Fast Port Span enabled globally:

ServerIron(config)# fast port-span exclude ethernet 1

Syntax: [no] fast port-span [exclude ethernet <portnum> [ethernet <portnum>… | to <portnum>]]

Possible values: Valid port numbers

Default value: Enabled

fast uplink-span

Configures the Fast Uplink Span feature, which reduces the convergence time for uplink ports to another device to just four seconds (two seconds for listening and two seconds for learning).

EXAMPLE:

To configure a group of ports for Fast Uplink Span, enter the following commands:

ServerIron(config)# fast uplink-span ethernet 1 to 4

Syntax: [no] fast uplink-span [ethernet <portnum> [ethernet <portnum>… | to <portnum>]]

Possible values: Ports that have redundant uplinks on a wiring closet switch.

Default value: Disabled

flow-control

Allows you to turn flow control (802.3x) for full-duplex ports on or off (no). By default, flow control is on. To turn the feature off, enter the command no flow-control.

EXAMPLE:

ServerIron(config)# no flow-control

To turn the feature back on later, enter the following command:

ServerIron(config)# flow-control

Syntax: [no] flow-control

Possible values: N/A

Default value: on

gig-default

Changes the default negotiation mode for Gigabit ports on Chassis devices. You can configure the default Gigabit negotiation mode to be one of the following:

• Negotiate-full-auto – The port first tries to perform a handshake with the other port to exchange capability information. If the other port does not respond to the handshake attempt, the port uses the manually configured configuration information (or the defaults if an administrator has not set the information). This is the default for Chassis devices (including the TurboIron/8).

• Auto-Gigabit – The port tries to perform a handshake with the other port to exchange capability information. This is still the default for Stackable devices.

• Negotiation-off – The port does not try to perform a handshake. Instead, the port uses configuration information manually configured by an administrator.

See the “Configuring Basic Features” chapter of the Foundry Switch and Router Installation and Basic Configuration Guide for more information.

NOTE: This command does not apply to Stackable devices. To change the negotiation mode for a Stackable Gigabit Ethernet port, use the [no] auto-gig command at the Interface level. See “auto-gig” on page 8-1.

EXAMPLE:

To change the mode globally to negotiation-off, enter the following command:

ServerIron(config)# gig-default neg-off

To override the global default on an individual Gigabit port, see “gig-default” on page 8-3.

Syntax: gig-default neg-full-auto | auto-gig | neg-off

Possible values: see above

Default value: neg-full-auto

gslb affinity

Changes the CLI to the GSLB affinity configuration level. See “GSLB Affinity Commands” on page 13-1 for information about the commands at this level.

EXAMPLE:

To configure an affinity definition, enter commands such as the following:

ServerIron(config)# gslb affinity
ServerIron(config-gslb-affinity)# prefer sunnyvale slb-1 for 0.0.0.0/0
ServerIron(config-gslb-affinity)# prefer atlanta slb-1 for 192.108.22.0/22

These commands configure a default affinity definition (using the 0.0.0.0/0 prefix) and an affinity definition that uses prefix 192.108.22.0/22. For clients that are not within the prefix in the second affinity definition, the ServerIron uses the default affinity definition. The ServerIron sends clients whose IP addresses are within the 192.108.22.0/22 prefix to a VIP on slb-1 at the “atlanta” site, when available. The ServerIron sends all other clients to a VIP on slb-1 at the “sunnyvale” site when available.

Syntax: gslb affinity

This command places the CLI at the affinity configuration level.

Syntax: [no] prefer <site-name> <si-name> | <si-ip-addr> for <ip-addr> <ip-mask> | <ip-addr>/<prefix-length>

You can refer to the ServerIron by its GSLB site name and ServerIron name or by its management IP address. Use one of the following parameters:

• The <site-name> and <si-name> parameters specify the remote site and a ServerIron at that site. If you use this method, you must specify both parameters.

• The <si-ip-addr> parameter specifies the site ServerIron’s management IP address.

NOTE: In either case, the running-config and the startup-config file refer to the ServerIron by its IP address.

The <ip-addr> <ip-mask> or <ip-addr>/<prefix-length> parameter specifies the prefix. You can specify a mask from 0.0.0.0 – 255.255.255.254. If you instead specify a prefix length, you can specify from 0 – 31 bits.

If you specify 0.0.0.0 0.0.0.0 or 0.0.0.0/0, the ServerIron applies the affinity definition to all client addresses. As a result, an address that does not match another affinity definition uses the zero affinity definition by default. If you do not configure a default affinity definition, the ServerIron uses the standard GSLB policy for clients whose addresses are not within a prefix in an affinity definition.
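The selection rule described above, as an added example (not Foundry's code): it parses the prefer commands from this section and picks the affinity definition for a client address. It assumes that the most specific matching prefix wins and that host bits in a written prefix are masked off, so 192.108.22.0/22 covers 192.108.20.0 through 192.108.23.255; the function names are hypothetical.

```python
import ipaddress


def parse_prefer(line):
    """Parse one 'prefer' command into (target, network).

    target is a (site-name, si-name) tuple or a management IP string.
    """
    words = line.split()
    if len(words) < 4 or words[0] != "prefer" or "for" not in words:
        raise ValueError(f"not a prefer command: {line!r}")
    split = words.index("for")
    target, prefix = words[1:split], words[split + 1:]

    if len(target) == 2:                 # <site-name> <si-name>
        target = tuple(target)
    elif len(target) == 1:               # <si-ip-addr>
        target = str(ipaddress.IPv4Address(target[0]))
    else:
        raise ValueError(f"bad ServerIron reference in: {line!r}")

    if len(prefix) == 2:                 # <ip-addr> <ip-mask>
        spec = f"{prefix[0]}/{prefix[1]}"
    elif len(prefix) == 1 and "/" in prefix[0]:   # <ip-addr>/<prefix-length>
        spec = prefix[0]
    else:
        raise ValueError(f"bad prefix in: {line!r}")

    # Assumption: standard CIDR semantics, host bits in the address are ignored.
    net = ipaddress.IPv4Network(spec, strict=False)
    if net.prefixlen > 31:
        # The page allows masks 0.0.0.0 - 255.255.255.254 (0 - 31 bits).
        raise ValueError("prefix length must be 0 - 31")
    return target, net


def select_target(definitions, client_ip):
    """Return the preferred target for client_ip.

    None means no affinity definition matched, so the standard GSLB
    policy applies. Assumption: the most specific matching prefix wins,
    which makes 0.0.0.0/0 the fallback.
    """
    addr = ipaddress.IPv4Address(client_ip)
    matching = [(net.prefixlen, target)
                for target, net in definitions if addr in net]
    if not matching:
        return None
    return max(matching, key=lambda m: m[0])[1]


# The two definitions from the example in this section.
PAGE_EXAMPLE = [
    "prefer sunnyvale slb-1 for 0.0.0.0/0",
    "prefer atlanta slb-1 for 192.108.22.0/22",
]
DEFINITIONS = [parse_prefer(cmd) for cmd in PAGE_EXAMPLE]

if __name__ == "__main__":
    for target, net in DEFINITIONS:
        print(target, "covers", net[0], "-", net[-1])
    # Client addresses below are constructed for the demonstration.
    for client in ("192.108.22.111", "192.108.20.9", "209.157.22.209"):
        print(client, "->", select_target(DEFINITIONS, client))
```
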

Possible values: see above

Default value: N/A

gslb communication

Changes the TCP port number used by the GSLB protocol. By default, a GSLB ServerIron uses TCP port 182 to exchange GSLB information with other ServerIrons, including the site ServerIrons. You can change the GSLB protocol port if needed. For example, if other devices in the network also use port 182, but for other applications, you need to change the protocol on those devices or on the ServerIrons.

NOTE: If you change the GSLB protocol port number, you must save the change to the startup-config file and reload the software to place the change into effect. Also, you must change the port to the same number on all ServerIrons in the GSLB configuration. If the port number in two GSLB ServerIrons is not the same, those ServerIrons are not able to properly perform GSLB.

EXAMPLE:

To change the GSLB protocol port number on a ServerIron, enter commands such as the following:

ServerIron(config)# gslb communication 1882
ServerIron(config)# write memory
ServerIron(config)# end
ServerIron# reload

The first command changes the TCP protocol port from 182 to the specified port number, in this example 1882. The subsequent commands save the configuration change to the startup-config file and reload the software to place the change into effect.

Syntax: [no] gslb communication <tcp-portnum>

The <tcp-portnum> parameter specifies the TCP port number you want the ServerIron to use for exchanging GSLB information with other ServerIrons.

Possible values: a valid TCP port number

Default value: 182

gslb dns zone-name

Changes the CLI to the GSLB zone configuration level. See “GSLB DNS Zone Commands” on page 14-1 for information about the commands at this level.

EXAMPLE:

To specify the foundrynet.com zone and two host names, each of which is associated with an application, enter the following commands:

ServerIron(config)# gslb dns zone-name foundrynet.com
ServerIron(config-gslb-dns-foundrynet.com)# host-info www http
ServerIron(config-gslb-dns-foundrynet.com)# host-info ftp ftp

The commands in this example add the zone foundrynet.com and add two hosts within that zone: www and ftp. The GSLB ServerIron will provide global SLB for these two hosts within the zone.

Syntax: [no] gslb dns zone-name <name>

The <name> parameter specifies the DNS zone name.

NOTE: If you delete a DNS zone (by entering the no gslb dns zone-name <name> command), the zone and all the host names you associated with the zone are deleted.

Syntax: [no] host-info <host-name> <host-application> | <tcp/udp-portnum>

The <host-name> parameter specifies the host name. You do not need to enter the entire (fully-qualified) host name. Enter only the host portion of the name. For example, if the fully qualified host name is www.foundrynet.com, do not enter the entire name. Enter only “www”. The rest of the name is already specified by the gslb dns zone-name command. You can enter a name up to 32 characters long.

The <host-application> specifies the host application for which you want the GSLB ServerIron to provide global SLB. You can specify one of the following:

• FTP – the well-known name for port 21. (Ports 20 and 21 both are FTP ports but on the ServerIron, the name “FTP” corresponds to port 21.)

• TFTP – the well-known name for port 69

• HTTP – the well-known name for port 80

• IMAP4 – the well-known name for port 143

• LDAP – the well-known name for port 389

• NNTP – the well-known name for port 119

• POP3 – the well-known name for port 110

• SMTP – the well-known name for port 25

• TELNET – the well-known name for port 23

The <tcp/udp-portnum> parameter specifies a TCP/UDP port number instead of a well-known port. If the application is not one of those listed above, you still can configure the GSLB ServerIron to perform the Layer 4 health check on the specified port.

NOTE: If the application number does not correspond to one of the well-known ports recognized by the ServerIron, the GSLB ServerIron performs Layer 4 TCP or UDP health checks for the ports but does not perform application-specific health checks.

Possible values: see above

Default value: N/A

gslb policy

Changes the CLI to the GSLB policy configuration level. See “GSLB Policy Commands” on page 16-1 for information about the commands at this level.

EXAMPLE:

ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)#

Syntax: gslb policy

Possible values: N/A

Default value: N/A

gslb protocol

Enables the GSLB protocol on a site ServerIron in a GSLB configuration. The GSLB protocol is enabled by default on the GSLB ServerIron but is disabled by default on the site ServerIrons.

NOTE: The ServerIron uses TCP port 182 for the GSLB protocol by default. You can change the port number if needed. See “gslb communication” on page 6-21.

EXAMPLE:

ServerIron(config)# gslb protocol

Syntax: [no] gslb protocol

Possible values: N/A

Default value: N/A

gslb site

Changes the CLI to the GSLB site configuration level. See “GSLB Site Commands” on page 15-1 for information about the commands at this level.

EXAMPLE:

To identify two server sites, each of which has two ServerIrons, enter the following commands:

ServerIron(config)# gslb site sunnyvale
ServerIron(config-gslb-site-sunnyvale)# si-name slb-1 209.157.22.209
ServerIron(config-gslb-site-sunnyvale)# si-name slb-2 209.157.22.210
ServerIron(config)# gslb site atlanta
ServerIron(config-gslb-site-atlanta)# si-name slb-1 192.108.22.111
ServerIron(config-gslb-site-atlanta)# si-name slb-2 192.108.22.112

These commands configure two GSLB sites. One of the sites is in Sunnyvale and the other is in Atlanta. Each site contains two ServerIrons that load balance traffic across server farms. The GSLB ServerIron you are configuring will use information provided by the other ServerIrons when it evaluates the servers listed in DNS replies.

Syntax: [no] gslb site <name>

The <name> parameter is a text string that uniquely identifies the site on the GSLB ServerIron. You can enter a string up to 16 characters long. The string can contain blanks. To use blanks, enclose the string in quotation marks.

NOTE: If you delete a GSLB site (by entering the no gslb site <name> command), the site and all the ServerIrons you associated with the site are deleted.

Syntax: [no] si-name [<name>] <ip-addr>

The <name> parameter specifies a unique name for the ServerIron at the site. You can enter a string up to 16 characters long. The string can contain blanks. To use blanks, enclose the string in quotation marks. You can enter up to four pairs of ServerIron name and IP address on the same command line. The name is optional.

NOTE: Enter the ServerIron’s management IP address, not a virtual IP address (VIP) configured on the ServerIron or a source IP address added for source NAT.

healthck (ServerIronXL)

Configures a health-check policy on the ServerIronXL. Health-check policies consist of element-action expressions and logical operators.

• Element-action expression – In the case of Layer 3 health checks, an element-action expression consists of the IP protocol to be used (ICMP) and the IP address to be checked.

• Logical operator – A logical operator is the Boolean operator OR or AND. To configure a health-check policy that requires a reply from all IP addresses in the policy, use the operator AND. To create a policy that is successful if at least one of the addresses replies, use OR.

You can use the same element-action expressions in multiple logical expressions if desired. You can configure up to 254 health-check policies. The default maximum number you can configure is 128. You can change the maximum to a number from 64 – 254.

To use a health-check policy:

• Configure the element-action expressions.

• Configure the health-check policy using element-action expressions and the logical operator AND or OR.

• Bind logical expressions to application ports on specific VIPs. A health check policy does not take effect until you bind it to an application port on a VIP.

EXAMPLE:

Here is an example of how to configure and apply a Layer 3 health-check policy.

ServerIron(config)# healthck Rtr2-ck1 icmp
ServerIron(config-hc-Rtr2-ck1)# dest-ip 10.168.2.56
ServerIron(config-hc-Rtr2-ck1)# healthck Rtr2-ck2 icmp
ServerIron(config-hc-Rtr2-ck2)# dest-ip 10.168.2.57
ServerIron(config)# healthck Router2 boolean
ServerIron(config-hc-Router2)# and Rtr2-ck1 Rtr2-ck2
ServerIron(config)# server virtual-name VIP1 1.1.1.1
ServerIron(config-vs-VIP1)# port http healthck Router2

These commands configure two element-action expressions, "Rtr2-ck1" and "Rtr2-ck2", and use them in a health-check policy called "Router2". The last two commands apply the health-check policy to the HTTP port on VIP1. For more information, see the following sections.

For Layer 3 health-check policies, an element-action expression contains an IP address. To configure an element-action expression, enter commands such as the following:

ServerIron(config)# healthck Rtr2-ck1 icmp
ServerIron(config-hc-Rtr2-ck1)# dest-ip 10.168.2.56
ServerIron(config-hc-Rtr2-ck1)# healthck Rtr2-ck2 icmp
ServerIron(config-hc-Rtr2-ck2)# dest-ip 10.168.2.57

The commands in this example configure two element-action expressions.

Syntax: [no] healthck <element-name> <protocol>

Syntax: [no] dest-ip <ip-addr>

The <element-name> parameter specifies a name for the element-action expression. The name can be up to 20 characters long. The name cannot contain blanks.

The <protocol> parameter specifies the IP protocol to use for the health check. The Layer 3 health checks use ICMP echo packets. Therefore, you must specify icmp.

The <ip-addr> parameter specifies the IP address to check.

A health-check policy consists of one or more element-action expressions. When a logical expression contains multiple element-action expressions, the policy also contains the logical operator AND or OR.

You can use a health-check policy as an element-action expression in another policy.

To configure a health-check policy, enter commands such as the following:

ServerIron(config)# healthck Router2 boolean
ServerIron(config-hc-Router2)# and Rtr2-ck1 Rtr2-ck2

These commands configure a health-check policy that uses the element-action expressions "Rtr2-ck1" and "Rtr2-ck2". Since the AND operator is used, the IP addresses in both "Rtr2-ck1" and "Rtr2-ck2" must reply successfully for the health check to be successful. If only one of the addresses replies, the health check is unsuccessful and the ServerIron brings the VIP down.

Syntax: [no] healthck <policy-name> boolean

Syntax: <element-name>

Or

Syntax: and | or <element-name> <element-name>

The <policy-name> parameter specifies the name of the health-check policy. The name can be up to 20 characters long. The name cannot contain blanks.

The and | or parameter specifies a logical operator in the health-check policy.

• You can specify an element-action without also specifying a logical operator (AND or OR). In this case, the policy checks the health of the specified element (IP address) and has a true result (the health check is successful) if the element replies to the health check.

• You can enter two element-action expressions along with the logical operator and or or.

  • If you specify and, the policy evaluates to true only if all elements (IP addresses) respond to the health check.

  • If you specify or, the policy is true if at least one of the elements responds to the health check.

If you want to use a single health-check policy to test more than two IP addresses, configure health-check policies for all the IP addresses, and use them in another health-check policy. For example, to create a health-check policy that tests four IP addresses, enter commands such as the following:

ServerIron(config)# healthck nest1 icmp
ServerIron(config-hc-nest1)# dest-ip 1.1.1.10
ServerIron(config-hc-nest1)# healthck nest2 icmp
ServerIron(config-hc-nest2)# dest-ip 1.1.1.20
ServerIron(config-hc-nest2)# healthck nest3 icmp
ServerIron(config-hc-nest3)# dest-ip 1.1.1.30
ServerIron(config-hc-nest3)# healthck nest4 icmp
ServerIron(config-hc-nest4)# dest-ip 1.1.1.40

The commands above configure four element-action expressions, one for each IP address. The following commands configure two health-check policies, each of which contains two of the IP addresses.

ServerIron(config-hc-nest4)# healthck nested1 boolean
ServerIron(config-hc-nested1)# or nest1 nest2
ServerIron(config-hc-nested1)# healthck nested2 boolean
ServerIron(config-hc-nested2)# or nest3 nest4

The following command creates a health-check policy that contains the two policies configured above. The result is a single health-check policy for all four IP addresses.

ServerIron(config-hc-nested2)# healthck check1 boolean
ServerIron(config-hc-check1)# or nested1 nested2

In this example, the OR logical operator is used in all the policies. Thus, the "check1" health check is successful if at least one of the four IP addresses responds. To create more restrictive policies, you can use the AND logical operator. For example, if the AND operator is used in this configuration instead of OR, the health check is successful only if all four IP addresses respond.

You also can combine policies that use AND with policies that use OR in nested health-check policies.
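A small model of the nested policies above, added here as an example and not taken from Foundry's software: it parses the healthck, dest-ip, and/or and port ... healthck lines and reports which bound VIP ports go down for a given set of replying addresses. The AND-inside-OR variant and the binding of check1 to VIP1 are constructed, and the function names are hypothetical.

```python
import re

# Strips a CLI prompt such as "ServerIron(config-hc-nest1)# " from a line.
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")


def parse_config(text):
    """Return (policies, bindings) parsed from health-check CLI lines."""
    policies, bindings = {}, []
    current = vip = None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        cmd = words[0]
        is_bool = bool(current) and policies[current]["kind"] == "boolean"
        if cmd == "healthck" and len(words) == 3:
            name, kind = words[1], words[2]
            if len(name) > 20:
                raise ValueError(f"{name}: name exceeds 20 characters")
            if kind not in ("icmp", "boolean"):
                raise ValueError(f"{name}: unsupported type {kind}")
            policies[name] = {"kind": kind, "ip": None,
                              "op": None, "operands": []}
            current, vip = name, None
        elif cmd == "dest-ip" and len(words) == 2 and current and not is_bool:
            policies[current]["ip"] = words[1]
        elif cmd in ("and", "or") and len(words) == 3 and is_bool:
            policies[current].update(op=cmd, operands=words[1:])
        elif cmd == "server" and len(words) == 4 and words[1] == "virtual-name":
            vip, current = words[2], None
        elif cmd == "port" and vip and len(words) == 4 and words[2] == "healthck":
            bindings.append((vip, words[1], words[3]))
        elif len(words) == 1 and is_bool:
            # Single element with no logical operator.
            policies[current].update(op=None, operands=words)
        else:
            raise ValueError(f"unrecognized line: {raw.strip()}")
    return policies, bindings


def evaluate(policies, name, replying, _path=()):
    """True if the element or policy passes, given the IPs that reply."""
    if name not in policies:
        raise ValueError(f"undefined health check: {name}")
    if name in _path:
        raise ValueError(f"circular reference through {name}")
    entry = policies[name]
    if entry["kind"] == "icmp":
        # Assumption: an element with no dest-ip never passes.
        return entry["ip"] in replying
    results = [evaluate(policies, n, replying, _path + (name,))
               for n in entry["operands"]]
    return all(results) if entry["op"] == "and" else any(results)


def failed_bindings(policies, bindings, replying):
    """List (vip, port) pairs whose bound policy evaluates to false."""
    return [(vip, port) for vip, port, policy in bindings
            if not evaluate(policies, policy, set(replying))]


# The nested all-OR configuration from this section; the last two lines
# (binding check1 to VIP1) are constructed for the demonstration.
ALL_OR = """
ServerIron(config)# healthck nest1 icmp
ServerIron(config-hc-nest1)# dest-ip 1.1.1.10
ServerIron(config-hc-nest1)# healthck nest2 icmp
ServerIron(config-hc-nest2)# dest-ip 1.1.1.20
ServerIron(config-hc-nest2)# healthck nest3 icmp
ServerIron(config-hc-nest3)# dest-ip 1.1.1.30
ServerIron(config-hc-nest3)# healthck nest4 icmp
ServerIron(config-hc-nest4)# dest-ip 1.1.1.40
ServerIron(config-hc-nest4)# healthck nested1 boolean
ServerIron(config-hc-nested1)# or nest1 nest2
ServerIron(config-hc-nested1)# healthck nested2 boolean
ServerIron(config-hc-nested2)# or nest3 nest4
ServerIron(config-hc-nested2)# healthck check1 boolean
ServerIron(config-hc-check1)# or nested1 nested2
ServerIron(config)# server virtual-name VIP1 1.1.1.1
ServerIron(config-vs-VIP1)# port http healthck check1
"""
# Constructed variant: AND inside each pair, OR between the pairs.
MIXED = (ALL_OR.replace("or nest1 nest2", "and nest1 nest2")
               .replace("or nest3 nest4", "and nest3 nest4"))

if __name__ == "__main__":
    for label, cfg in (("all OR", ALL_OR), ("AND inside OR", MIXED)):
        pol, binds = parse_config(cfg)
        for up in ({"1.1.1.10"}, {"1.1.1.10", "1.1.1.30"},
                   {"1.1.1.30", "1.1.1.40"}):
            print(label, sorted(up), "down:", failed_bindings(pol, binds, up))
```
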

After you configure logical expressions, you can bind them to application ports on VIPs. A health-check policy does not take effect until you bind the policy to an application port on a VIP.

To bind a health-check policy to an application port on a VIP, enter commands such as the following:

ServerIron(config)# server virtual-name VIP1 1.1.1.1
ServerIron(config-vs-VIP1)# port http healthck Router2

This command configures virtual IP address VIP1 to use the health-check policy named "Router2" to check the health of HTTP (port 80) for the VIP.

Syntax: [no] port <tcp/udp-portnum> healthck <policy-name>

The <tcp/udp-portnum> parameter specifies a TCP or UDP application port. The <policy-name> parameter specifies the health-check policy you want to use to check the Layer 3 health of a device associated with the application port.

Possible values: See above

Default value: None configured

healthck (ServerIron 400 and ServerIron 800)

Configures a health-check policy on the ServerIron 400 and ServerIron 800.

Health-check policies enable you to assess the health of any application port using the health-check mechanisms for ports well-known to the ServerIron. In addition, health-check policies enable you to use multiple checks with different parameters, and base a port’s health on successful completion of all or any one of the individual checks in the policy.

Depending on the conditions you specify when you configure a health-check policy, the ServerIron will bring the application port on a server down in one of the following cases:

• Any one of the servers fails its health check (individual health checks combined using AND condition) – In this case, all servers in the policy must pass their health checks. Otherwise, the ServerIron considers all of the servers to have failed the health checks and brings down the application on all servers that are checked by the policy.

• All of the servers fail their health checks (individual health checks combined using OR condition) – In this case, an application port remains up as long as at least one of the servers checked by the policy passes its health check.

For finer control, you can combine OR and AND conditions.

When you attach a health-check policy to a real server’s application port, the ServerIron uses the health-check policy for periodic health checks and also for the next initial bringup of the server. When a health-check policy is attached, the ServerIron no longer uses the default health check methods for initial bringup and periodic health checks described in "Health Check Summary" in the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.

Health-check policies consist of element-action expressions and logical expressions.

• Element-action expression – An element-action expression consists of the IP address of the server, the Layer 4 protocol (TCP or UDP), and the application port on the server. For some applications, the element-action expression can also include Layer 7 application-specific health check information.

• Logical expression – A logical expression is a set of element-action expressions joined by the Boolean operators OR and AND.

  • To create a health-check policy that is successful if at least one of the applications passes its health check, use OR.

  • To configure a health-check policy that is successful only if the ServerIron receives a successful reply from all servers and application ports in the policy, use the operator AND.

You can use the same element-action expressions in multiple logical expressions if desired. You can configure up to 254 health-check policies.

To use a health-check policy:

• Configure the element-action expressions.

• Configure the health-check policy using element-action expressions and logical expressions joined by the operators AND or OR.

• Attach logical expressions to application ports on specific real servers. A health check policy does not take effect until you attach it to an application port on a server.

NOTE: A health-check policy does not take effect (begin sending health check packets) until you attach the policy to an application port on a real server.

EXAMPLE:

Configuring an Element-Action Expression

To configure an element-action expression, enter commands such as the following. The commands in this example specify the IP address of the real server and the application port on the server.

ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port http

These commands change the CLI to the configuration level for an element-action expression, then specify the IP address of the real server and the application port on the server. Since the specified application is well-known to the ServerIron, the ServerIron automatically associates the default health check parameters for the port with the element-action expression. In this example, the port is HTTP (80), so the ServerIron associates the default HTTP health check parameters with the element-action expression. By default, the ServerIron sends a HEAD request for the default page, “1.0”.

NOTE: If you do not specify the server IP address and the application port, the ServerIron will list the status of the health check as FALSE (failed).

To configure an element-action expression for a port number that is not well-known to the ServerIron, enter commands such as the following:

ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port 8080
ServerIron(config-hc-check1)# protocol http

These commands configure an element-action expression for unknown port 8080 and associate the default health check parameters for port 80 with the unknown port. To customize the Layer 7 health check parameters for a port, add the information with the protocol command, as in the following example:

ServerIron(config)# healthck check1 tcp
ServerIron(config-hc-check1)# dest-ip 10.10.10.50
ServerIron(config-hc-check1)# port 8080
ServerIron(config-hc-check1)# protocol http url "GET/sales.html"

The protocol command in this example changes the Layer 7 health check parameters for this HTTP port to a GET request for a page named "sales.html".

Syntax: [no] healthck <string> tcp | udp

This command begins configuration of the element-action expression. The <string> parameter specifies the name for the expression and can be up to 20 characters long. The tcp | udp parameter specifies whether you are configuring an expression for a TCP application port or a UDP application port. There is no default.

Syntax: [no] dest-ip <ip-addr>

This command specifies the IP address of the real server.

Syntax: [no] port <tcp/udp-port>

This command specifies the application port number.

NOTE: If you do not specify the server IP address and the application port, the ServerIron will list the status of the health check as FALSE (failed).

You can specify any valid number, or one of the following port names well-known to the ServerIron:

• dns – port 53

• ftp – port 21. (Ports 20 and 21 both are FTP ports but in the ServerIron, the name “ftp” corresponds to port 21.)

• http – port 80

• imap4 – port 143

• ldap – port 389

• nntp – port 119

• ntp – port 123

• pop2 – port 109

• pop3 – port 110

• radius – port 1812

• radius-old – the ServerIron name for UDP port 1645, which is used in some older RADIUS implementations instead of port 1812

• smtp – port 25

• snmp – port 161

• ssl – port 443

• telnet – port 23

• tftp – port 69

NOTE: If you enter the no port <tcp/udp-port> command to remove the port, the ServerIron also removes the protocol <tcp/udp-port> command (see below) if the port is well-known to the ServerIron. This is because the ServerIron automatically uses the protocol that matches the well-known port. Otherwise, the ServerIron does not remove the protocol. You must remove it separately.

Syntax: [no] protocol <tcp/udp-port>

This command specifies a port whose health-check mechanism you want to use for the port specified by the port command. You need to use this command only if the port specified by the port command is not one of the ports listed above but the port is the same type as one of the ports listed above. For example, use this command if you want to use the DNS health-check mechanism for a port other than 53.

NOTE: You must specify the port using the port command before you enter the protocol command. If the port command specified a port that is well-known to the ServerIron, the ServerIron automatically uses the protocol that matches the port; you do not need to specify it and cannot change it.

NOTE: If you remove the Layer 7 health check information (using a no protocol command), the application will fail the health check. If you want the ServerIron to use a Layer 4 health check instead, enter the l4-check command to change the health-check type to Layer 4.

If the port is not well-known to the ServerIron and you do not specify a protocol for the Layer 7 health check, but Layer 7 health checking is enabled for the port, the port will fail the health check.

See "Changing the Health-Check Type" below.

For some ports, you also can customize the Layer 7 information sent with the health check. Here is the syntax.

Syntax: [no] protocol http | 80 [url “[GET | HEAD] [/]<URL-page-name>” | port http status_code <range> [<range>[<range>[<range>]]] | content-match <matching-list-name>]

This command changes one of the following HTTP health-check parameters. To change more than one of these parameters, enter a separate protocol http or protocol 80 command for each parameter.

• url “[GET | HEAD] [/]<URL-page-name>” – This parameter specifies whether the HTTP health check performs a GET request or a HEAD request. For GET requests, you can specify the page that is requested. By default, a GET request asks for page “1.0”.

• port http status_code <range> [<range>[<range>[<range>]]] – This parameter changes the HTTP status codes that the ServerIron will accept as valid responses. Each <range> specifies the low number and high number in a range of status codes. You can specify up to four ranges (total of eight values). To specify a single message code for a range, enter the code twice. For example to specify 200 only, enter the following command: port http status_code 200 200. For SLB, the default status code range is 200 – 299. If the server’s reply to the health check contains a status code within this range, the ServerIron considers the HTTP application to be healthy.

• content-match <matching-list-name> – This parameter attaches a match list for an HTTP content verification health check to the real server. An HTTP content verification health check is a type of Layer 7 health check in which the ServerIron examines text in an HTML file sent by a real server in response to an HTTP keepalive request. The ServerIron searches the text in the HTML file for user-specified selection criteria and determines whether the HTTP port on the real server is alive based on what it finds. The selection criteria used in HTTP content verification is contained in a matching list that is attached to one or more real servers. The following is an example of the commands used to set up a matching list. For information on how to configure the match lists, see the "Configuring HTTP Content Matching Lists" section in the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.

Syntax: [no] protocol dns | 53 [addr_query "<name>" | zone <zone-name>]

This command changes one of the following DNS health-check parameters. To change more than one of these parameters, enter a separate protocol dns or protocol 53 command for each parameter.

• addr_query "<name>" – This parameter specifies a domain name to be requested from the real server by the ServerIron. If the server successfully responds with the IP address for the domain name, the server passes the health check. There is no default.

• zone <zone-name> – This parameter specifies a DNS zone name. The ServerIron sends a Source-of-Authority (SOA) request for the zone name. If the server is authoritative for the zone and successfully responds to the SOA request, the server passes the health check. There is no default.

NOTE: If you do not configure one of these parameters, the DNS port will fail the health check.

Syntax: [no] protocol radius | 1812 [username <string>] | [password <string>] | [key <string>]

This command changes one of the following RADIUS health-check parameters. The health check requests values that are configured on the RADIUS server. To change more than one of these parameters, enter a separate protocol radius or protocol 1812 command for each parameter.

• username <string> – This parameter specifies an authentication username on the server.

• password <string> – This parameter specifies an authentication password on the server.

• key <string> – This parameter specifies an authentication key on the server.

Syntax: [no] protocol ldap | 389 [<num>]

This command changes the LDAP version. The health check sent by the ServerIron differs depending on the version. You can specify 2 or 3. The default is 3.

Changing the Health-Check Interval and Retries

By default, the ServerIron performs a health check every 5 seconds. If a reply is not received, the ServerIron will attempt the health check two more times before concluding that the application has failed the health check. You can change the number of seconds the ServerIron will wait for a reply to a health check and the number of retries.

NOTE: The number of retries is the total number of attempts the ServerIron will make. Thus, if you use the default interval and retries values, the ServerIron will send up to three health-check packets, at 5-second intervals. If a server does not respond within 15 seconds of the time the ServerIron sent the first health-check packet, the server fails the health check and the ServerIron concludes that the server is not available.

To change the interval for a health check, enter a command such as the following at the configuration level for the element-action expression that contains the health check:

ServerIron(config-hc-check1)# interval 30

Syntax: [no] interval <secs>

You can specify from 2 – 120 seconds. The default is 5 seconds.

To change the number of retries for a health check, enter a command such as the following at the configuration level for the element-action expression that contains the health check:

ServerIron(config-hc-check1)# retries 4

Syntax: [no] retries <num>

You can specify from 1 – 5 retries. The default is 3 retries.

NOTE: You also can globally change the interval and retries for an application port by editing its port profile. See the "Adding a TCP or UDP Port, Specifying the Port Type, and Configuring the Keepalive Health Check" section in the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.

Changing the Health-Check Type

For TCP application ports, you can change the health-check type between Layer 4 and Layer 7. By default, the ServerIron performs a Layer 7 health check in the following cases:

• The port is one of the following ports well-known to the ServerIron:

  • FTP – port 21. (Ports 20 and 21 both are FTP ports but on the ServerIron, the name “FTP” corresponds to port 21.)

  • HTTP – port 80

  • IMAP4 – port 143

  • LDAP – port 389

  • MMS – port 1755

  • NNTP – port 119

  • PNM – port 7070

  • POP3 – port 110

  • RTSP – port 554

  • SMTP – port 25

  • SSL – port 443

  • TELNET – port 23

• The port is not well-known to the ServerIron but you used the protocol command to specify the protocol of one of the well-known ports. By specifying the protocol, you configure the ServerIron to use the protocol’s Layer 7 health-check method for the port.

If the TCP port is not one of the ports above or you did not specify a Layer 7 health-check method (using the protocol command), the ServerIron uses the Layer 4 health check for TCP.

NOTE: Changing the health-check type for UDP application ports has no effect. If the application port is RADIUS (1812) or DNS (53) or uses the health-check method of one of these ports, the ServerIron uses a Layer 7 health check. Otherwise, the ServerIron uses the Layer 4 health check for UDP.

The Layer 7 health-check methods differ depending on the application, and are described in the "Health Check Summary" section of the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide. The Layer 4 health checks are as follows:

• TCP – The ServerIron attempts to engage in a normal three-way TCP handshake with the port on the real server:

• The ServerIron sends a TCP SYN packet to the port on the real server.

• The ServerIron expects the real server to respond with a SYN ACK.

• If the ServerIron receives the SYN ACK, the ServerIron sends a TCP RESET, satisfied that the TCP port is alive.

• UDP – The ServerIron sends a UDP packet with garbage (meaningless) data to the UDP port.

• If the server responds with an ICMP “Port Unreachable” message, the ServerIron concludes that the port is not alive.

• If the server does not respond at all, the ServerIron assumes that the port is alive and received the garbage data. Since UDP is a connectionless protocol, the ServerIron and other clients do not expect replies to data sent to a UDP port. Thus, lack of a response is a good outcome.

ServerIron(config-hc-check1)# l4-check

The command in this example configures the ServerIron to use the Layer 4 health check for the application port in the element-action expression. Since the application port in this element-action expression is HTTP, the ServerIron will use the Layer 4 health check for TCP.

Syntax: [no] l4-check | l7-check

Changing the Health-Check State

Once you configure an element-action expression, the health check in the expression is enabled by default. To disable the health check, enter the following command at the configuration level for the element-action expression:

ServerIron(config-hc-check1)# disable

Syntax: [no] disable | enable

NOTE: Health checking (keepalive) also must be enabled on the port profile level or the real server level. Otherwise, the health-check policy is used during initial bringup of the server but is not used for periodic health checks after the server is brought up.

NOTE: If the health check for an application on a server is disabled, the ServerIron assumes that the server and application are healthy and continues to send client requests to the server.

NOTE: If you change the health-check state from within the element-action expression, this state overrides the health-check state configured in the port profile for the application port or in the real server configuration.

Configuring a Health-Check Policy

A health-check policy consists of one or more element-action expressions. When a logical expression contains multiple element-action expressions, the policy also contains the logical operator AND or OR.

You can use a health-check policy as an element-action expression in another policy.

To configure a health-check policy, enter commands such as the following:

ServerIron(config)# healthck "httpsrvr" boolean

ServerIron(config-hc-httpsrvr)# and "check1" "check2"

These commands configure a health-check policy that uses the element-action expressions "check1" and "check2". Since the AND operator is used, the real servers in both "check1" and "check2" must reply successfully for the health check to be successful. If only one of the servers replies, the health check is unsuccessful and the ServerIron stops using all the server application ports in the health-check policy "httpsrvr".

Syntax: [no] healthck "<policy-name>" boolean

Syntax: and | or "<element-name>" "<element-name>"

The <policy-name> parameter specifies the name of the health-check policy. The name can be up to 20 characters long. The name cannot contain blanks.

The and | or parameter specifies a logical operator in the health-check policy. You can enter two element-action expressions along with the logical operator and or or.

• If you specify and, the policy evaluates to true only if all elements (IP addresses) respond to the health check.

• If you specify or, the policy is true if at least one of the elements responds to the health check.

Attaching a Health-Check Policy to an Application Port on a Server

After you configure logical expressions, you can attach them to application ports on real servers. The ServerIron does not begin sending health-check packets until you attach the policy to a real server port.

To attach a health-check policy to an application port on a server, enter commands such as the following:

ServerIron(config)# server real-name R1 10.10.10.50

ServerIron(config-rs-R1)# port 80 healthck "check1"

This command configures the ServerIron to base the health of application port 80 on real server R1 on the results of the check1 health-check policy.

Possible values: See above

Default value: None configured
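The following model of the health-check behavior described above is an added example, not Foundry code. It shows how retries (total attempts), the AND/OR operators, nested policies, and a disabled check combine; the probe function, the second server address, and the "anysrvr" policy name are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple, Union

Probe = Callable[[str, int], bool]   # returns True if the server replied


@dataclass
class ElementCheck:
    """Model of one element-action expression (a health check on ip:port)."""
    ip: str
    port: int
    interval: int = 5     # seconds between attempts; documented range 2-120
    retries: int = 3      # TOTAL attempts, not extra ones; documented range 1-5
    enabled: bool = True

    def __post_init__(self) -> None:
        if not 2 <= self.interval <= 120:
            raise ValueError("interval must be 2-120 seconds")
        if not 1 <= self.retries <= 5:
            raise ValueError("retries must be 1-5")

    def worst_case_detection_seconds(self) -> int:
        """Time from the first packet until the server is declared failed."""
        return self.interval * self.retries

    def evaluate(self, probe: Probe) -> Tuple[bool, int]:
        """Return (healthy, packets_sent)."""
        if not self.enabled:
            # Disabled check: the server is assumed healthy, nothing is sent.
            return True, 0
        for attempt in range(1, self.retries + 1):
            if probe(self.ip, self.port):
                return True, attempt
        return False, self.retries


@dataclass
class BooleanPolicy:
    """Model of `healthck "<policy-name>" boolean` with one and/or line."""
    name: str
    operator: str               # "and" or "or"
    elements: Tuple[str, str]   # names of element checks or other policies

    def __post_init__(self) -> None:
        if len(self.name) > 20 or " " in self.name:
            raise ValueError("policy name: at most 20 characters, no blanks")
        if self.operator not in ("and", "or"):
            raise ValueError("operator must be 'and' or 'or'")


Registry = Dict[str, Union[ElementCheck, BooleanPolicy]]


def evaluate_policy(name: str, registry: Registry, probe: Probe,
                    stack: Tuple[str, ...] = ()) -> bool:
    """Evaluate an element check or a (possibly nested) boolean policy."""
    if name in stack:
        raise ValueError("policy %r refers to itself" % name)
    node = registry[name]
    if isinstance(node, ElementCheck):
        return node.evaluate(probe)[0]
    results = [evaluate_policy(n, registry, probe, stack + (name,))
               for n in node.elements]
    return all(results) if node.operator == "and" else any(results)


def make_probe(alive: Set[Tuple[str, int]]) -> Probe:
    """Constructed stand-in for a real probe: only `alive` servers reply."""
    def probe(ip: str, port: int) -> bool:
        return (ip, port) in alive
    return probe


def demo_registry() -> Registry:
    # check1 uses the real-server address from the example above; the
    # address for check2 and the "anysrvr" policy are constructed.
    return {
        "check1": ElementCheck("10.10.10.50", 80),
        "check2": ElementCheck("10.10.10.51", 80),
        "httpsrvr": BooleanPolicy("httpsrvr", "and", ("check1", "check2")),
        "anysrvr": BooleanPolicy("anysrvr", "or", ("check1", "check2")),
    }


if __name__ == "__main__":
    reg = demo_registry()
    only_first_up = make_probe({("10.10.10.50", 80)})
    print("and:", evaluate_policy("httpsrvr", reg, only_first_up))
    print("or: ", evaluate_policy("anysrvr", reg, only_first_up))
    # A disabled check hides the dead server from the AND policy.
    reg["check2"].enabled = False
    print("and, check2 disabled:",
          evaluate_policy("httpsrvr", reg, only_first_up))
```
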

hostname

Changes the hostname field to more easily identify the ServerIron within the network. By default, a ServerIron will be identified as “ServerIron” in the CLI command prompt.

EXAMPLE:

To change the hostname to TCSserver1 from the ServerIron default, enter the following:

ServerIron(config)# hostname TCSserver1

TCSserver1(config)#

Syntax: hostname <text>

Possible values: Up to 32 alphanumeric characters can be assigned to hostname text string.

Default value: ServerIron

http match-list

This command is used in conjunction with the HTTP content verification health check feature on the ServerIron. This command assigns a name to an HTTP matching list and enters the HTTP matching list CONFIG level.

EXAMPLE:

To create an HTTP matching list named m1:

ServerIron(config)# http match-list m1

Syntax: http match-list <matching-list-name>

Possible values: HTTP matching list name

Default value: N/A

interface ethernet

Accesses the interface CONFIG level of the CLI. You can define a physical or virtual interface (ve) at this level.

EXAMPLE:

To change the configuration for port 1 on a Stackable device, enter the following:

ServerIron(config)# inter e 1

ServerIron(config-if-1)#

NOTE: To change the port for a Chassis device, you also need to enter the slot number of the module on which the port resides.

EXAMPLE:

To change the configuration for port 1 on slot 4 of a Chassis device, enter the following:

ServerIron(config)# inter e 4/1

ServerIron(config-if-4/1)#

Syntax: interface ethernet <portnum> | ve <num>

Possible values: N/A

Default value: N/A

ip access-list

Configures a named IP ACL. The commands for configuring named ACL entries are different from the commands for configuring numbered ACL entries. The command to configure a numbered ACL is access-list. The command for configuring a named ACL is ip access-list. In addition, when you configure a numbered ACL entry, you specify all the command parameters on the same command. When you configure a named ACL, you specify the ACL type (standard or extended) and the ACL number with one command, which places you in the configuration level for that ACL. Once you enter the configuration level for the ACL, the command syntax is the same as the syntax for numbered ACLs.

EXAMPLE:

To configure a named standard ACL entry:

ServerIron(config)# ip access-list standard Net1

ServerIron(config-std-nacl)# deny host 209.157.22.26 log

ServerIron(config-std-nacl)# deny 209.157.29.12 log

ServerIron(config-std-nacl)# deny host IPHost1 log

ServerIron(config-std-nacl)# permit any

ServerIron(config-std-nacl)# exit

ServerIron(config)# int eth 1/1

ServerIron(config-if-1)# ip access-group Net1 out

The commands in this example configure a standard ACL named “Net1”. The entries in this ACL prevent packets from three source IP addresses from being forwarded on port 1. Since the implicit action for an ACL is “deny”, the last ACL entry in this ACL permits all packets that are not explicitly denied by the first three ACL entries. For an example of how to configure the same entries in a numbered ACL, see the “Configuring Standard ACLs” section of the “Using Access Control Lists (ACLs)” chapter in the Foundry Switch and Router Installation and Basic Configuration Guide.

Notice that the command prompt changes after you enter the ACL type and name. The “std” in the command prompt indicates that you are configuring entries for a standard ACL. For an extended ACL, this part of the command prompt is “ext”. The “nacl” indicates that you are configuring a named ACL.

EXAMPLE:

To configure a named extended ACL entry:

ServerIron(config)# ip access-list extended "block Telnet"

ServerIron(config-ext-nacl)# deny tcp host 209.157.22.26 any eq telnet log

ServerIron(config-ext-nacl)# permit ip any any

ServerIron(config-ext-nacl)# exit

ServerIron(config)# int eth 1

ServerIron(config-if-1)# ip access-group "block Telnet" in

Syntax: ip access-list extended | standard <string> | <num>

Syntax: [no] ip access-group <string> in | out

Possible values: The extended | standard parameter indicates the ACL type.

The <string> parameter is the ACL name. You can specify a string of up to 256 alphanumeric characters. You can use blanks in the ACL name if you enclose the name in quotation marks (for example, “ACL for Net1”). The <num> parameter allows you to specify an ACL number if you prefer. If you specify a number, you can specify from 1 – 99 for standard ACLs or 100 – 199 for extended ACLs.

The options at the ACL configuration level and the syntax for the ip access-group command are the same for numbered and named ACLs and are described in the “Configuring Standard ACLs” section of the “Using Access Control Lists (ACLs)” chapter in the Foundry Switch and Router Installation and Basic Configuration Guide.

Default value: N/A

ip address

Assigns an IP address and mask to a switch to support Telnet and SNMP management. Foundry devices support both classical IP network masks (Class A, B, and C sub-net masks, and so on) and prefix masks.

• To enter a classical network mask, enter the mask in IP address format. For example, enter "209.157.22.99 255.255.255.0" for an IP address with a Class-C sub-net mask.

• To enter a network mask using prefix addressing, enter a forward slash ( / ) and the number of bits in the mask immediately after the IP address. For example, enter "209.157.22.99/24" for an IP address that has a network mask with 24 significant ("mask") bits.

NOTE: If you need to add an additional IP address for network address translation (NAT), use the server source-ip command. See “server source-ip” on page 6-82.

EXAMPLE:

ServerIron(config)# ip address 192.22.3.44 255.255.255.0

Syntax: ip address <ip-addr> <ip-mask>

or

Syntax: ip address <ip-addr>/<mask-bits>

Possible values: N/A

Default value: N/A

ip default-gateway

Assigns an IP address and mask to a switch to support Telnet and SNMP management.

NOTE: This command is not available on Foundry routers.

EXAMPLE:

ServerIron(config)# ip default-gateway 192.22.33.100

Syntax: ip default-gateway <ip-addr>

Possible values: N/A

Default value: N/A

ip dns domain-name

This command is used to define a domain name for a range of addresses on the ServerIron. This will eliminate the need for a user to type in the domain name. It will automatically be appended to the hostname.

EXAMPLE:

ServerIron(config)# ip dns domain-name newyork.com

Syntax: ip dns domain-name

Possible values: N/A

Default value: N/A

ip dns server-address

Up to four DNS servers can be defined for each DNS entry. The first entry serves as the primary default address (207.95.6.199). If a query to the primary address fails to be resolved after three attempts, the next gateway address will be queried three times as well. This process will continue for each defined gateway address until a query is resolved. The order in which the default gateway addresses are polled is tied to the order in which they are entered when initially defined, as shown in the example.

EXAMPLE:

ServerIron(config)# ip dns server-address 207.95.6.199 205.96.7.1 208.95.7.25 201.98.7.15

Syntax: ip dns server-address <ip-addr>

Possible values: N/A

Default value: N/A

ip filter…

This command allows you to define layer 4 TCP/UDP filters for switches. Up to 1024 TCP/UDP filters can be defined on a switch.

NOTE: Foundry plans to remove this command in a later software release and therefore recommends that you do not use the command. Instead, always use Access Control Lists (ACLs). For ACL configuration information, see the "Using Access Control Lists (ACLs)" chapter of the Foundry Switch and Router Installation and Basic Configuration Guide.

Syntax: ip filter <index> permit | deny <src-ip-addr> | any <src-mask> | any <dst-ip-addr> | any <dst-mask> | any <protocol> [established <operator> <port range>] [log]

Possible values: The <protocol> parameter can be ICMP, TCP, UDP, or a protocol number.

Default value: N/A

ip forward

Enables IP forwarding (Layer 3).

For complete configuration information, see the "Configuring IP Forwarding" chapter in the Foundry ServerIron Installation and Configuration Guide.

EXAMPLE:

ServerIron(config)# ip forward

Syntax: [no] ip forward

Possible values: N/A

Default value: Disabled

ip icmp burst

Causes the Foundry device to drop ICMP packets when excessive numbers are encountered, as is the case when the device is the victim of a Smurf attack. This command allows you to set threshold values for ICMP packets targeted at the router and drop them when the thresholds are exceeded.

EXAMPLE:

In the following example, if the number of ICMP packets received per second exceeds 5,000, the excess packets are dropped. If the number of ICMP packets received per second exceeds 10,000, the device drops all ICMP packets for the next 300 seconds (five minutes).

ServerIron(config)# ip icmp burst-normal 5000 burst-max 10000 lockup 300

Syntax: ip icmp burst-normal <value> burst-max <value> lockup <seconds>

The burst-normal value can be from 1 – 100000.

The burst-max value can be from 1 – 100000.

The lockup value can be from 1 – 10000.

The number of incoming ICMP packets per second is measured and compared to the threshold values as follows:

• If the number of ICMP packets exceeds the burst-normal value, the excess ICMP packets are dropped.

• If the number of ICMP packets exceeds the burst-max value, all ICMP packets are dropped for the number of seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and measurement is restarted.

Possible values: The burst-normal and burst-max values can be between 1 – 100000 packets. The burst-normal value must be smaller than the burst-max value. The lockup value can be between 1 – 10000 seconds.

Default value: N/A
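The following added example (not Foundry code) parses the ip icmp burst-normal command, enforces the documented value ranges, and models the two thresholds on per-second packet counts. It assumes that in the second that exceeds burst-max only the excess over burst-normal is dropped and the lockup starts with the next second, and that traffic during a lockup does not extend it; the traffic figures are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple

CMD = re.compile(r"^ip icmp burst-normal (\d+) burst-max (\d+) lockup (\d+)$")


@dataclass(frozen=True)
class IcmpBurst:
    burst_normal: int   # packets per second, documented range 1-100000
    burst_max: int      # packets per second, documented range 1-100000
    lockup: int         # seconds, documented range 1-10000

    def __post_init__(self) -> None:
        if not 1 <= self.burst_normal <= 100000:
            raise ValueError("burst-normal must be 1-100000")
        if not 1 <= self.burst_max <= 100000:
            raise ValueError("burst-max must be 1-100000")
        if not 1 <= self.lockup <= 10000:
            raise ValueError("lockup must be 1-10000")
        if self.burst_normal >= self.burst_max:
            raise ValueError("burst-normal must be smaller than burst-max")


def parse_command(line: str) -> IcmpBurst:
    """Parse the command, with or without the CLI prompt in front of it."""
    text = line.split("#", 1)[-1].strip()
    match = CMD.match(text)
    if match is None:
        raise ValueError("not an 'ip icmp burst-normal' command: %r" % line)
    return IcmpBurst(*(int(group) for group in match.groups()))


def is_valid(line: str) -> bool:
    """True if the line parses and every value is in its documented range."""
    try:
        parse_command(line)
        return True
    except ValueError:
        return False


def simulate(policy: IcmpBurst,
             packets_per_second: Sequence[int]) -> List[Tuple[int, int]]:
    """Return one (accepted, dropped) pair per one-second bucket."""
    results = []
    lock_remaining = 0
    for count in packets_per_second:
        if lock_remaining > 0:
            # Lockup: every ICMP packet is dropped, nothing is measured.
            results.append((0, count))
            lock_remaining -= 1
            continue
        accepted = min(count, policy.burst_normal)
        results.append((accepted, count - accepted))
        if count > policy.burst_max:
            # Assumption: the lockup covers the next `lockup` seconds.
            lock_remaining = policy.lockup
    return results


def totals(results: Sequence[Tuple[int, int]]) -> Tuple[int, int]:
    """Sum accepted and dropped packets over the whole run."""
    return (sum(a for a, _ in results), sum(d for _, d in results))


# Constructed traffic: normal load, a burst, a flood, then normal load again.
SAMPLE_TRAFFIC = [4000, 7000, 12000, 100, 100, 100, 100]

if __name__ == "__main__":
    # A 3-second lockup keeps the printed trace short; the page's example
    # uses 300 seconds.
    policy = IcmpBurst(burst_normal=5000, burst_max=10000, lockup=3)
    for second, (ok, drop) in enumerate(simulate(policy, SAMPLE_TRAFFIC)):
        print("t=%d accepted=%d dropped=%d" % (second, ok, drop))
```

Legitimate ICMP sent during the lockup window, such as the 100 packets per second in the sample, is dropped along with the flood, which is worth keeping in mind when choosing the lockup value.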

ip multicast

Enables IP Multicast Traffic Reduction on a Foundry switch. A switch can operate in either an active or passive IP multicast mode. You must save changes to flash and reset (reload) the switch for the configuration changes to become active. For more details on this feature, see the Foundry Switch and Router Installation and Basic Configuration Guide.

If configured to be active, the switch will actively send out host queries to identify IP Multicast groups on the network and insert this information in the IGMP packet. Routers in the network generally handle this operation.

If configured to be passive, the switch will only identify the packet as an IGMP packet and forward it accordingly.

EXAMPLE:

ServerIron(config)# ip multicast passive

ServerIron(config)# write memory

ServerIron(config)# end

ServerIron# reload

Syntax: ip multicast active | passive

Possible values: Active or passive

Default value: Disabled

ip nat inside

Configures and enables Network Address Translation (NAT).

You can use this command to configure static NAT entries and dynamic NAT entries (by referring to an ACL and a pool), and enable NAT.

EXAMPLE:

To configure static NAT for an IP address, enter commands such as the following:

ServerIron(config)# ip nat inside source static 10.10.10.69 209.157.1.69

The command in this example statically maps the private address 10.10.10.69 to the Internet address 209.157.1.69.

Syntax: [no] ip nat inside source static <private-ip> <global-ip>

This command associates a specific private address with a specific Internet address. Use this command when you want to ensure that the specified addresses are always mapped together.

The inside source parameter specifies that the mapping applies to the private address sending traffic to the Internet.

The <private-ip> parameter specifies the private IP address.

The <global-ip> parameter specifies the Internet address. The ServerIron supports up to 255 global IP addresses.

Neither of the IP address parameters needs a network mask.

EXAMPLE:

To configure dynamic NAT, enter commands such as the following at the global CONFIG level of the CLI:

ServerIron(config)# access-list 1 permit 10.10.10.0/24

ServerIron(config)# ip nat pool OutAdds 209.157.1.2 209.157.2.254 prefix-length 24

ServerIron(config)# ip nat inside source list 1 pool OutAdds

These commands configure a standard ACL for the private sub-net 10.10.10.x/24, then enable inside NAT for the sub-net. Make sure you specify permit in the ACL, rather than deny. If you specify deny, the Foundry device will not provide NAT for the addresses.

Syntax: [no] ip nat pool <pool-name> <start-ip> <end-ip> netmask <ip-mask> | prefix-length <length>

This command configures the address pool.

The <pool-name> parameter specifies the pool name. The name can be up to 255 characters long and can contain special characters and internal blanks. If you use internal blanks, you must use quotation marks around the entire name.

The <start-ip> parameter specifies the IP address at the beginning of the pool range. Specify the lowest-numbered IP address in the range.

The <end-ip> parameter specifies the IP address at the end of the pool range. Specify the highest-numbered IP address in the range.

NOTE: The address range cannot contain any gaps. Make sure you own all the IP addresses in the range. If the range contains gaps, you must create separate pools containing only the addresses you own.

The netmask <ip-mask> | prefix-length <length> parameter specifies a classical sub-net mask (example: netmask 255.255.255.0) or the length of a Classless Interdomain Routing prefix (example: prefix-length 24). The ServerIron supports up to 255 global IP addresses.

Syntax: [no] ip nat inside source list <acl-name-or-num> pool <pool-name> [overload]

This command associates a private address range with a pool of Internet addresses and optionally enables the Port Address Translation feature.

The inside source parameter specifies that the translation applies to private addresses sending traffic to the Internet (inside source).

The list <acl-name-or-num> parameter specifies a standard or extended ACL. You can specify a numbered or named ACL.

NOTE: For complete standard and extended ACL syntax, see the “Using Access Control Lists (ACLs)” chapter of the Foundry Switch and Router Installation and Basic Configuration Guide.

The pool <pool-name> parameter specifies the pool. You must create the pool before you can use it with this command.

The overload parameter enables the Port Address Translation feature. Use this parameter if the IP address pool does not contain enough addresses to ensure NAT for each private address. The Port Address Translation feature conserves Internet addresses by mapping the same Internet address to more than one private address and using a TCP or UDP port number to distinguish among the private hosts. The ServerIron supports up to 50 IP addresses with this feature enabled.

EXAMPLE:

To enable NAT on the ServerIron, enter the following commands at the global CONFIG level of the CLI:

ServerIron(config)# ip policy 1 cache tcp 0 global

ServerIron(config)# ip policy 2 cache udp 0 global

ServerIron(config)# ip nat inside

Syntax: [no] ip policy <policy-num> cache tcp | udp 0 global

The <policy-num> value identifies the policy and can be a number from 1 – 64.

Each policy affects TCP or UDP traffic, so you must specify tcp or udp.

The value 0 following the tcp | udp parameter specifies that the policy applies to all ports of the specified type (TCP or UDP). In this command, “0” is equivalent to “any port number”. For NAT, you must specify “0”.

Syntax: [no] ip nat inside

This command enables inside NAT.

Possible values: See above.

Default value: See above.

ip nat pool

Configures an address pool for dynamic NAT. See “ip nat inside” on page 6-36 for syntax information and a configuration example.

ip nat translation

Changes the age timer for the specified type of NAT translation entry.

The NAT translation table contains all the currently active NAT translation entries on the device. An active entry is one that the ServerIron created for a private address when the client at that address sent traffic to the Internet. NAT performs the following steps to provide an address translation for a source IP address:

• The feature looks in the NAT translation table for an active NAT entry for the translation. If the table contains an active entry for the session, the ServerIron uses that entry.

• If NAT does not find an active entry in the NAT translation table, NAT creates an entry and places the entry in the table. The entry remains in the table until the entry times out.

Each NAT entry remains in the NAT translation table until the entry ages out. NAT translation table entries have different default timeouts depending on the entry type.

• Dynamic timeout – This age timer applies to all entries (static and dynamic) that do not use Port Address Translation. The default is 120 seconds.

• UDP timeout – This age timer applies to entries that use Port Address Translation based on UDP port numbers. The default is 120 seconds.

• TCP timeout – This age timer applies to entries that use Port Address Translation based on TCP port numbers. The default is 120 seconds.

NOTE: This timer applies only to TCP sessions that do not end “gracefully”, with a TCP FIN or TCP RST.

• TCP FIN/RST timeout – This age timer applies to TCP FIN (finish) and RST (reset) packets, which normally terminate TCP connections. The default is 120 seconds.

NOTE: This timer is not related to the TCP timeout. The TCP timeout applies to packets to or from a host address that is mapped to a global IP address and a TCP port number (Port Address Translation feature). The TCP FIN/RST timeout applies to packets that terminate a TCP session, regardless of the host address or whether Port Address Translation is used.

• DNS timeout – This age timer applies to connections to a Domain Name Server (DNS). The default is 120 seconds.

EXAMPLE:

To change the age timeout for all entries that do not use Port Address Translation to 1800 seconds (one half hour), enter a command such as the following at the global CONFIG level of the CLI:

ServerIron(config)# ip nat translation timeout 1800

Syntax: [no] ip nat translation timeout | udp-timeout | tcp-timeout | finrst-timeout | dns-timeout <secs>

Use one of the following parameters to specify the dynamic entry type:

• timeout – All entries that do not use Port Address Translation. The default is 120 seconds.

• udp-timeout – Dynamic entries that use Port Address Translation based on UDP port numbers. The default is 120 seconds.

• tcp-timeout – Dynamic entries that use Port Address Translation based on TCP port numbers. The default is 120 seconds.

• finrst-timeout – TCP FIN (finish) and RST (reset) packets, which normally terminate TCP connections. The default is 120 seconds.

• dns-timeout – Connections to a Domain Name Server (DNS). The default is 120 seconds.

The <secs> parameter specifies the number of seconds. For each entry type, you can enter a value from 1 – 3600.

Possible values: 1 – 3600 seconds

Default value: 120 seconds

ip policy

Enables TCS or firewall load balancing. You can enable these features globally or on individual ports. If you want to enable them on individual ports, you must also use the ip-policy command at the interface level. See “ip-policy” on page 8-6.

EXAMPLE:

To globally enable TCS, enter the following command:

ServerIron(config)# ip policy 1 cache tcp 80 global

EXAMPLE:

To locally enable firewall load balancing on port 9, enter the following commands:

ServerIron(config)# ip policy 1 fw tcp 0 local

ServerIron(config)# ip policy 2 fw udp 0 local

ServerIron(config)# int e 9

ServerIron(config-if-9)# ip-policy 1

ServerIron(config-if-9)# ip-policy 2

ServerIron(config-if-9)# write mem

Syntax: ip policy <index> cache | fw | high | normal tcp | udp <tcp/udp-portnum> global | local

NOTE: When enabling firewall load balancing, you must specify "0" for the <tcp/udp-portnum> parameter. This value allows all ports of the specified type (TCP or UDP).

Possible values: N/A

Default value: Disabled

ip route

Configures a static IP route for IP forwarding.

NOTE: This command applies only to IP forwarding (Layer 3 IP). To add a default gateway address if you are not using IP forwarding, see “ip default-gateway” on page 6-34.

NOTE: The software places the static route in the IP route table only if the virtual routing interface is up.

EXAMPLE:

ServerIron(config)# ip route 209.157.2.0 255.255.255.0 192.168.2.1

This command adds a static IP route to the 209.157.2.x/24 sub-net.

Syntax: [no] ip route <dest-ip-addr> <dest-mask> <next-hop-ip-addr> | null0 [<metric>]

or

Syntax: [no] ip route <dest-ip-addr>/<mask-bits> <next-hop-ip-addr> | null0 [<metric>]

The <dest-ip-addr> is the route’s destination. The <dest-mask> is the network mask for the route’s destination IP address. Alternatively, you can specify the network mask information by entering a forward slash followed by the number of bits in the network mask. For example, you can enter 192.0.0.0 255.255.255.0 as 192.0.0.0/24. To configure a default route, enter 0.0.0.0 for <dest-ip-addr> and 0.0.0.0 for <dest-mask> (or 0 for the <mask-bits> if you specify the address in CIDR format). Specify the IP address of the default gateway using the <next-hop-ip-addr> parameter.

The <next-hop-ip-addr> is the IP address of the next-hop router (gateway) for the route. If you specify null0 instead of a next hop IP address, the ServerIron discards packets addressed to the route’s destination IP address instead of forwarding them to another device.

NOTE: If you add a default route, the gateway address of the route replaces the default gateway address configured by the ip default-gateway command. Likewise, if you use the ip default-gateway command to change the default gateway address, the gateway address in the default route is automatically changed also.

The <metric> parameter specifies the cost of the route and can be a number from 1 – 16. The default is 1. The metric is used by RIP. If you do not enable RIP, the metric is not used.

Possible values: See above

Default value: N/A

ip show-subnet-length

Changes display of network mask information from class-based notation (xxx.xxx.xxx.xxx) to Classless Interdomain Routing (CIDR) notation. By default the ServerIron displays network mask information in class-based notation.

EXAMPLE:

ServerIron(config)# ip show-subnet-length

Syntax: [no] ip show-subnet-length

Possible values: N/A

Default value: Disabled

ip ssh authentication-retries

Sets the number of SSH authentication retries.

EXAMPLE:

The following command changes the number of authentication retries to 5:

ServerIron(config)# ip ssh authentication-retries 5

Syntax: ip ssh authentication-retries <number>

Possible values: 1 – 5

Default value: 3

ip ssh key-size

Sets the SSH key size.

EXAMPLE:

The following command changes the server RSA key size to 896 bits:

ServerIron(config)# ip ssh key-size 896

Syntax: ip ssh key-size <number>

NOTE: The size of the host RSA key that resides in the system-config file is always 1024 bits and cannot be changed.

Possible values: 512 – 896 bits

Default value: 768 bits

ip ssh password-authentication

Disables SSH password authentication.

After the SSH server on the Foundry device negotiates a session key and encryption method with the connecting client, user authentication takes place. Of the methods of user authentication available in SSH, Foundry’s implementation of SSH supports password authentication only.

With password authentication, users are prompted for a password when they attempt to log into the device (unless empty password logins are not allowed; see “ip ssh permit-empty-passwd”). If there is no user account that matches the user name and password supplied by the user, the user is not granted access.

You can deactivate password authentication for SSH. However, since password authentication is the only user authentication method supported for SSH, this means that no user authentication is performed at all. Deactivating password authentication essentially disables the SSH server entirely.

EXAMPLE:

To deactivate password authentication:

ServerIron(config)# ip ssh password-authentication no

Syntax: ip ssh password-authentication no | yes

Possible values: N/A

Default value: Enabled

ip ssh permit-empty-passwd

Enables empty password SSH logins. By default, empty password logins are not allowed. This means that users with an SSH client are always prompted for a password when they log into the device. To gain access to the device, each user must have a user name and password. Without a user name and password, a user is not granted access. See the Foundry Switch and Router Installation and Basic Configuration Guide for information on setting up user names and passwords on Foundry devices.

If you enable empty password logins, users are not prompted for a password when they log in. Any user with an SSH client can log in without being prompted for a password.

EXAMPLE:

To enable empty password logins:

ServerIron(config)# ip ssh permit-empty-passwd yes

Syntax: ip ssh permit-empty-passwd no | yes

Possible values: N/A

Default value: Disabled

ip ssh port

Changes the TCP port used for SSH. By default, SSH traffic occurs on TCP port 22. You can change this port number.

EXAMPLE:

The following command changes the SSH port number to 2200:

ServerIron(config)# ip ssh port 2200

Note that if you change the default SSH port number, you must configure SSH clients to connect to the new port. Also, you should be careful not to assign SSH to a port that is used by another service. If you change the SSH port number, Foundry recommends that you change it to a port number greater than 1024.

Syntax: ip ssh port <number>

Possible values: a valid TCP port number

Default value: 22

ip ssh pub-key-file

Causes a public key file to be loaded onto the Foundry device.

EXAMPLE:

To cause a public key file called pkeys.txt to be loaded from the Management IV module’s PCMCIA flash card each time the Foundry device is booted, enter the following command:

ServerIron(config)# ip ssh pub-key-file slot1 pkeys.txt

Syntax: [no] ip ssh pub-key-file slot1 | slot2 <filename>

To cause a public key file called pkeys.txt to be loaded from a TFTP server each time the Foundry device is booted, enter a command such as the following:

ServerIron(config)# ip ssh pub-key-file tftp 192.168.1.234 pkeys.txt

Syntax: [no] ip ssh pub-key-file tftp <tftp-server-ip-addr> <filename>

To reload the public keys from the file on the TFTP server or PCMCIA flash card, enter the following command:

ServerIron(config)# ip ssh pub-key-file reload

Syntax: [no] ip ssh pub-key-file reload

To make the public keys in the active configuration part of the startup-config file, enter the following commands:

ServerIron(config)# ip ssh pub-key-file flash-memory

ServerIron(config)# write memory

Syntax: [no] ip ssh pub-key-file flash-memory

Possible values: N/A

Default value: N/A

ip ssh rsa-authentication

Disables or re-enables RSA challenge-response authentication.

EXAMPLE:

To disable RSA challenge-response authentication:

ServerIron(config)# ip ssh rsa-authentication no

Syntax: [no] ip ssh rsa-authentication yes | no

Possible values: yes or no

Default value: RSA challenge-response authentication is enabled by default.

ip ssh scp

Disables or re-enables Secure Copy (SCP).

EXAMPLE:

To disable SCP:

ServerIron(config)# ip ssh scp disable

Syntax: [no] ip ssh scp disable | enable

Possible values: disable or enable

Default value: SCP is enabled by default.

NOTE: If you disable SSH, SCP is also disabled.

ip ssh timeout

Changes the SSH timeout value. When the SSH server attempts to negotiate a session key and encryption method with a connecting client, it waits a maximum of 120 seconds for a response from the client. If there is no response from the client after 120 seconds, the SSH server disconnects.

EXAMPLE:

ServerIron(config)# ip ssh timeout 60

Syntax: ip ssh timeout <seconds>

Possible values: 1 – 120 seconds

Default value: 120 seconds

ip strict-acl-mode

Enables the strict ACL TCP mode.

By default, when you use ACLs to filter TCP traffic, the Foundry device does not compare all TCP packets against the ACLs. Instead, the device compares TCP control packets against the ACLs, but not data packets. Control packets include packet types such as SYN (Synchronization) packets, FIN (Finish) packets, and RST (Reset) packets.

In normal TCP operation, TCP data packets are present only if a TCP control session for the packets also is established. For example, data packets for a session never occur if the TCP SYN for that session is dropped. Therefore, by filtering the control packets, the Foundry device also implicitly filters the data packets associated with the control packets. This mode of filtering optimizes forwarding performance for TCP traffic by forwarding data packets without examining them. Since the data packets are present in normal TCP traffic only if a corresponding TCP control session is established, comparing the packets for the control session to the ACLs is sufficient for filtering the entire session including the data.

However, it is possible to generate TCP data packets without corresponding control packets, in test or research situations for example. In this case, the default ACL mode does not filter the data packets, since there is no corresponding control session to filter. To filter this type of TCP traffic, use the strict ACL TCP mode. This mode compares all TCP packets to the configured ACLs, regardless of whether the packets are control packets or data packets.

Regardless of whether the strict mode is enabled or disabled, the device always compares TCP control packets against the configured ACLs.

NOTE: If the device's configuration currently has ACLs associated with interfaces, remove the ACLs from the interfaces before changing the ACL mode.

EXAMPLE:

To enable the strict ACL TCP mode, enter the following command at the global CONFIG level of the CLI:

ServerIron(config)# ip strict-acl-mode

Syntax: [no] ip strict-acl-mode

This command configures the device to compare all TCP packets against the configured ACLs before forwarding them.

To disable the strict ACL mode and return to the default ACL behavior, enter the following command:

ServerIron(config)# no ip strict-acl-mode

Possible values: N/A

Default value: Disabled

ip tcp burst

Causes the Foundry device to drop TCP SYN packets when excessive numbers are encountered, as is the case when the device is the victim of a TCP SYN attack. This command allows you to set threshold values for TCP SYN packets targeted at the router and drop them when the thresholds are exceeded.

EXAMPLE:

In the following example, if the number of TCP SYN packets received per second exceeds 10, the excess packets are dropped. If the number of TCP SYN packets received per second exceeds 100, the device drops all TCP SYN packets for the next 300 seconds (five minutes).

ServerIron(config)# ip tcp burst-normal 10 burst-max 100 lockup 300

Syntax: ip tcp burst-normal <value> burst-max <value> lockup <seconds>

The burst-normal value can be from 1 – 100000.

The burst-max value can be from 1 – 100000.

The lockup value can be from 1 – 10000.

The number of incoming TCP SYN packets per second is measured and compared to the threshold values as follows:

• If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets are dropped.

• If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are dropped for the number of seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and measurement is restarted.

Possible values: The burst-normal and burst-max values can be between 1 – 100000 packets. The burst-normal value must be smaller than the burst-max value. The lockup value can be between 1 – 10000 seconds.

Default value: N/A
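The threshold and lockup behaviour described above, as an added Python model that is not part of the Foundry manual. It works on per-second SYN totals; that the first burst-normal SYNs are still forwarded in the second that trips burst-max, and the names BurstPolicy, simulate and dropped_during_lockup, are assumptions of the model, and the traffic series and 3-second lockup are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BurstPolicy:
    burst_normal: int
    burst_max: int
    lockup: int

    def __post_init__(self):
        # Ranges and ordering as stated under "Possible values".
        if not 1 <= self.burst_normal <= 100000 or not 1 <= self.burst_max <= 100000:
            raise ValueError("burst-normal and burst-max must be 1 - 100000")
        if not self.burst_normal < self.burst_max:
            raise ValueError("burst-normal must be smaller than burst-max")
        if not 1 <= self.lockup <= 10000:
            raise ValueError("lockup must be 1 - 10000 seconds")


def simulate(policy, syn_per_second):
    """Return one (second, forwarded, dropped, state) tuple per interval."""
    rows = []
    locked_until = 0  # first second at which measurement restarts
    for second, count in enumerate(syn_per_second):
        if second < locked_until:
            # During lockup every SYN is dropped, legitimate ones included.
            rows.append((second, 0, count, "lockup"))
        elif count > policy.burst_max:
            # Assumption: SYNs up to burst-normal were already forwarded
            # before the burst-max threshold was crossed in this second.
            locked_until = second + 1 + policy.lockup
            rows.append((second, policy.burst_normal,
                         count - policy.burst_normal, "burst-max exceeded"))
        elif count > policy.burst_normal:
            rows.append((second, policy.burst_normal,
                         count - policy.burst_normal, "excess dropped"))
        else:
            rows.append((second, count, 0, "normal"))
    return rows


def dropped_during_lockup(rows):
    """SYNs discarded only because the device was in its lockup period."""
    return sum(dropped for _, _, dropped, state in rows if state == "lockup")


if __name__ == "__main__":
    # Constructed traffic: quiet, a burst, a flood, then quiet again.
    policy = BurstPolicy(burst_normal=10, burst_max=100, lockup=3)
    rows = simulate(policy, [5, 40, 150, 8, 8, 8, 8])
    for second, forwarded, dropped, state in rows:
        print(f"t={second}s forwarded={forwarded:3} dropped={dropped:3} {state}")
    print("dropped during lockup:", dropped_during_lockup(rows))
```

In the constructed series the three quiet seconds after the flood lose all of their SYNs, which is the cost to weigh when choosing the lockup value.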

ip tcp conn-rate

Configures the ServerIron 400 or ServerIron 800 to log information about the TCP connection rate and attack rate on the device.

EXAMPLE:

ServerIron(config)# ip tcp conn-rate conn-rate 10000 attack-rate 10000

Syntax: ip tcp conn-rate conn-rate <rate> attack-rate <rate>

Possible values: The conn-rate <rate> parameter specifies a threshold for the number of global TCP connections per second that are expected on the ServerIron. A global TCP connection is defined as any packet that requires session processing. For example, 1 SLB, 1 TCS, and 1 SYN-Guard connection would equal 3 global TCP connections, since there are three different connections that require session processing.

The attack-rate <rate> parameter specifies a threshold for the number of TCP SYN attack packets per second that are expected on the ServerIron.

Syslog entries are generated under the following circumstances:

• If the connection rate or attack rate on the ServerIron reaches 80% of the configured threshold.

• If the connection rate or attack rate is still between 80% and 100% of the configured threshold 6 minutes after the last message.

• If the connection rate or attack rate exceeds 100% of the configured threshold.

• If the connection rate or attack rate exceeds 100% of the configured threshold, and has gone up by the configured rate change percentage.

• One minute after the last message indicating that the connection rate or attack rate still exceeds 100% of the configured threshold, and has gone up by the configured rate change percentage.

• Three minutes after the last message, if the connection rate or attack rate is still between 80% and 100% of the configured threshold, and has gone up by the configured rate change percentage.

ip tcp conn-rate-change

Configures thresholds for the TCP connection rate and attack rate change, used in conjunction with the ip tcp conn-rate command on the ServerIron 400 or ServerIron 800.

EXAMPLE:

ServerIron(config)# ip tcp conn-rate-change conn-rate 50 attack-rate 100

Syntax: ip tcp conn-rate-change conn-rate <percentage> attack-rate <percentage>

Possible values: The conn-rate <percentage> parameter specifies a percentage change threshold for the number of global TCP connections per second that are expected on the ServerIron.

The attack-rate <percentage> parameter specifies a percentage change threshold for the number of TCP SYN attack packets per second that are expected on the ServerIron.

ip tcp syn-proxy

Activates the SYN-Guard feature, which completes the TCP three-way handshake on behalf of a connecting client, and sets the amount of time the ServerIron 400 or ServerIron 800 waits for the client to send an ACK.

EXAMPLE:

ServerIron(config)# ip tcp syn-proxy 12

Syntax: ip tcp syn-proxy <threshold>

Possible values: 1 – 40 seconds

Default value: 8 seconds

ip ttl

Sets the maximum time that a packet will live on the network.

EXAMPLE:

ServerIron(config)# ip ttl 25

Syntax: ip ttl <hops>

Possible values: 1 – 255 hops

Default value: 64 hops

ip-proto

This command creates an IP protocol VLAN on a switch or router.

When creating an IP protocol VLAN on a switch, all ports are dynamically assigned to the VLAN.

On a router, no ports are dynamically assigned to an IP protocol VLAN. VLAN port membership must be assigned using the static command, as shown in the example below. Because no dynamic port assignment is made for IP Protocol VLANs on a router, there is no need to exclude any ports, only specify membership with the static command.

An IP protocol and IP sub-net VLAN cannot operate simultaneously on a Foundry switch or router. This restriction is also true for IPX and IPX network VLANs. If you have previously defined an IP sub-net VLAN on the system, you need to delete it before an IP protocol VLAN can be created.

EXAMPLE:

To assign ports 1, 2, 6 and 8 to an IP protocol VLAN, enter the following:

ServerIron(config)# ip-proto

ServerIron(config-ip-proto)# static e1 to 2 e6 e8

Syntax: ip-proto

Possible values: N/A

Default value: N/A

ip-subnet

Creates an IP sub-net protocol VLAN on a switch or router. This provides finer granularity than an IP protocol VLAN by allowing broadcast domains to be partitioned by sub-net. As with the IP protocol VLAN, port membership can be modified using the static commands. In creating an IP sub-net VLAN, an IP address is used as an identifier.

When creating an IP sub-net VLAN on a switch, all ports are dynamically assigned to the VLAN.

On a router, no ports are dynamically assigned to an IP sub-net VLAN. VLAN port membership must be assigned using the static command, as shown in the example below. Because no dynamic port assignment is made for IP sub-net VLANs on a router, there is no need to exclude any ports, only specify membership with the static command.

NOTE: An IP Protocol and IP sub-net VLAN cannot operate simultaneously on a Foundry switch or router. This restriction is also true for IPX and IPX network VLANs. If you have previously defined an IP protocol VLAN on the system, you need to delete it before an IP sub-net VLAN can be created.

EXAMPLE:

To create an IP sub-net of IP address 192.75.3.0 with permanent port membership of 1 and 2, enter the following commands.

ServerIron(config)# ip-subnet 192.75.3.0 255.255.255.0

ServerIron(config-ip-subnet)# static e1 to 2

ServerIron(config-ip-subnet)# exit

Syntax: ip-subnet <ip-addr> <ip-mask>

Possible values: N/A

Default value: N/A

ipx-network

Creates an IPX network protocol VLAN on a switch or router. This provides finer granularity than the IPX protocol VLAN by partitioning the broadcast domains by IPX network number. The frame type must also be specified when creating the IPX network VLAN.

When creating an IPX network VLAN on a switch, all ports are dynamically assigned to the VLAN.

On a router, no ports are dynamically assigned to an IPX network VLAN. VLAN port membership must be assigned using the static command, as shown in the example below. Because no dynamic port assignment is made for IPX network VLANs on a router, there is no need to exclude any ports, only specify membership with the static command.

NOTE: An IPX protocol and IPX network VLAN cannot operate simultaneously on a Foundry switch or router. This restriction is also true for IP and IP sub-net VLANs. If you have previously defined an IPX protocol VLAN on the system, you need to delete it before an IPX network VLAN can be created.

EXAMPLE:

To create an IPX network VLAN with a network number of 500 and frame type of 802.2 with permanent port membership of 10 and 14, enter the following commands.

ServerIron(config)# ipx-network 500 ethernet_802.2

ServerIron(config-ipx-proto)# static e10 e14

ServerIron(config-ipx-proto)# exit

Syntax: ipx-network <ipx-network-number> <frame-encapsulation-type> netbios-allow | netbios-disallow

Possible values: Frame encapsulation type values: ethernet_ii, ethernet_802.2, ethernet_802.3, or ethernet_snap

Default value: N/A

ipx-proto

This command creates an IPX protocol VLAN on a switch or router.

When creating an IPX protocol VLAN on a switch, all ports are dynamically assigned to the VLAN.

On a router, no ports are dynamically assigned to an IPX protocol VLAN. VLAN port membership must be assigned using the static command, as shown in the example below. Because no dynamic port assignment is made for IPX protocol VLANs on a router, there is no need to exclude any ports, only specify membership with the static command.

NOTE: An IPX protocol and IPX network VLAN cannot operate simultaneously on a Foundry switch or router. This restriction is also true for IP and IP sub-net VLANs. If you have previously defined an IPX network VLAN on the system, you need to delete it before an IPX protocol VLAN can be created.

EXAMPLE:

To assign ports 1, 2, 6 and 8 to an IPX protocol, enter the following:

ServerIron(config)# ipx-proto

ServerIron(config-ipx-proto)# static e1 to 2 e6 e8

ServerIron(config-ipx-proto)# exit

Syntax: ipx-proto

Possible values: N/A

Default value: N/A

lock-address ethernet

Allows you to limit the number of devices that have access to a specific port. Access violations are reported by SNMP traps.

EXAMPLE:

ServerIron(config)# lock e2 addr 15

ServerIron(config-if)# end

ServerIron# write memory

Syntax: lock-address ethernet <portnum> [addr-count <num>]

Possible values: Address count: 1 – 2048

Default value: Address count: 8

logging

The logging commands enable or disable logging, configure the size of the local log buffer, and specify a SyslogD server.

EXAMPLE:

To disable logging of SNMP traps to a locally saved event log, enter the following command:

ServerIron(config)# no logging on

To re-enable logging, enter the following command:

ServerIron(config)# logging on

Syntax: [no] logging on [<udp-port>]

Possible values: See above

Default value: Enabled; UDP port 514

EXAMPLE:

To specify two third-party SyslogD servers to receive Syslog messages in addition to the device’s local Syslog buffer, enter commands such as the following:

ServerIron(config)# logging 10.0.0.99

ServerIron(config)# logging 209.157.23.69

Syntax: logging <ip-addr> | <server-name>

EXAMPLE:

To change the logging facility from the default facility user to local7, enter the following command:

ServerIron(config)# logging facility local7

Syntax: logging facility <facility-name>

Possible values:

• kern – kernel messages

• user – random user-level messages

• mail – mail system

• daemon – system daemons

• auth – security/authorization messages

• syslog – messages generated internally by syslogd

• lpr – line printer subsystem

• news – netnews subsystem

• uucp – uucp subsystem

• sys9 – cron/at subsystem

• sys10 – reserved for system use

• sys11 – reserved for system use

• sys12 – reserved for system use

• sys13 – reserved for system use

• sys14 – reserved for system use

• cron – cron/at subsystem

• local0 – reserved for local use

• local1 – reserved for local use

• local2 – reserved for local use

• local3 – reserved for local use

• local4 – reserved for local use

• local5 – reserved for local use

• local6 – reserved for local use

• local7 – reserved for local use

Default value: user

EXAMPLE:

To disable logging of debugging and informational messages, enter the following commands:

ServerIron(config)# no logging buffered debugging

ServerIron(config)# no logging buffered informational

Syntax: [no] logging buffered <level> | <num-entries>

Possible values: <level> can be alerts, critical, debugging, emergencies, errors, informational, notifications, or warnings. All message levels are enabled by default. You can disable message levels individually.

<num-entries> can be 1 – 100.

Default value: all message levels are logged; default local buffer capacity is 50 entries.

EXAMPLE:

By default, a message is logged whenever a user logs into or out of the CLI’s User EXEC or Privileged EXEC mode. If you want to disable logging of users’ CLI access, enter the following command:

ServerIron(config)# no logging enable user-login

Syntax: [no] logging enable user-login

Possible values: N/A

Default value: User logins are logged by default.
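A configuration check for the SSH and logging settings described above (ip ssh permit-empty-passwd, ip ssh password-authentication, ip ssh port, and the logging commands), added here as an example and not part of the Foundry manual. It assumes the saved configuration lists commands in the form this reference gives them; the sample configuration, severity labels and function names are constructed.

```python
import re

# (pattern, severity, finding). The severity labels are this example's own.
RULES = [
    (r"ip ssh permit-empty-passwd yes", "high",
     "any SSH client can log in without being prompted for a password"),
    (r"ip ssh password-authentication no", "high",
     "SSH password authentication is deactivated"),
    (r"no logging on( \d+)?", "medium",
     "logging to the local event log is disabled"),
    (r"no logging enable user-login", "medium",
     "CLI logins and logouts are not logged"),
    (r"no logging buffered (?P<level>[a-z]+)", "low",
     "'{level}' messages are not logged"),
]
# "logging <word>" names a SyslogD server unless <word> is a subcommand
# keyword or a facility name.
LOGGING_KEYWORDS = {"on", "buffered", "enable", "facility"}
FACILITIES = set(
    "kern user mail daemon auth syslog lpr news uucp cron "
    "sys9 sys10 sys11 sys12 sys13 sys14 "
    "local0 local1 local2 local3 local4 local5 local6 local7".split()
)

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
ip ssh permit-empty-passwd yes
ip ssh port 2200
ip ssh timeout 60
no logging enable user-login
no logging buffered debugging
ip tcp burst-normal 10 burst-max 100 lockup 300
"""


def audit(config_text):
    """Return (line_number, severity, finding) tuples; line 0 means 'absent'."""
    findings = []
    has_syslog_server = False
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split())          # normalise whitespace
        if not line or line.startswith("!"):  # assumption: "!" starts a comment
            continue
        for pattern, severity, text in RULES:
            match = re.fullmatch(pattern, line)
            if match:
                findings.append((number, severity, text.format(**match.groupdict())))
        match = re.fullmatch(r"ip ssh port (\d+)", line)
        if match and int(match.group(1)) != 22 and int(match.group(1)) <= 1024:
            findings.append((number, "low",
                             "SSH moved to a port of 1024 or below; Foundry "
                             "recommends a port greater than 1024"))
        match = re.fullmatch(r"logging (\S+)", line)
        if match and match.group(1) not in LOGGING_KEYWORDS | FACILITIES:
            has_syslog_server = True
    if not has_syslog_server:
        findings.append((0, "info",
                         "no SyslogD server configured; messages stay in the "
                         "local buffer (50 entries by default)"))
    return findings


if __name__ == "__main__":
    for number, severity, text in audit(SAMPLE_CONFIG):
        where = f"line {number}" if number else "config"
        print(f"{severity:6} {where:8} {text}")
```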

mac-age-time

Sets the aging period for all address entries in the switch or router address table.

EXAMPLE:

ServerIron(config)# mac-age 600

Syntax: mac-age-time <value>

Possible values: 0 – 65535 seconds. If you specify 0, the entries do not age.

Default value: 300 seconds

mac filter

Allows you to define filters for Layer 2 filtering on MAC addresses. After you define the filters, you can apply them to individual interfaces using the mac filter-group command. See “mac filter-group” on page 8-10.

NOTE: You cannot use Layer 2 filters to filter Layer 4 information. To filter Layer 4 information, use ACLs. See the "Using Access Control Lists (ACLs)" chapter in the Foundry Switch and Router Installation and Basic Configuration Guide. The standard and extended ACLs described in that chapter are supported on the ServerIron.

EXAMPLE:

To configure and apply a MAC filter, enter commands such as the following:

ServerIron(config)# mac filter 1 deny 3565.3475.3676 ffff.0000.0000 any etype eq 806

ServerIron(config)# mac filter 1024 permit any any

ServerIron(config)# int e 1/1

ServerIron(config-if-1/1)# mac filter-group 1

These commands configure a filter to deny ARP traffic with a source MAC address that begins with “3565” to any destination. The second filter permits all traffic that is not denied by another filter.

NOTE: Once you define a MAC filter, the device drops Layer 2 traffic that does not match a MAC permit filter.

Syntax: mac filter <filter-num> permit | deny <src-mac> <mask> | any <dest-mac> <mask> | any etype | llc | snap eq | gt | lt | neq <frame-type>

Possible values:

The <filter-num> is 1 – 64 (64 is the default system-max setting). If you use the system-max mac-filter-sys command, you can increase the maximum number of MAC filters supported to 128 for global filter definitions.

The permit | deny argument determines the action the software takes when a match occurs.

The <src-mac> <mask> | any parameter specifies the source MAC address. You can enter a specific address value and a comparison mask or the keyword any to filter on all MAC addresses. Specify the mask using f’s (ones) and zeros. For example, to match on the first two bytes of the address aabb.ccdd.eeff, use the mask ffff.0000.0000. In this case, the filter matches on all MAC addresses that contain "aabb" as the first two bytes. The filter accepts any value for the remaining bytes of the MAC address. If you specify any, do not specify a mask. In this case, the filter matches on all MAC addresses.

The <dest-mac> <mask> | any parameter specifies the destination MAC address. The syntax rules are the same as those for the <src-mac> <mask> | any parameter.

Use the etype | llc | snap argument if you want to filter on information beyond the source and destination address. The MAC filter allows you to filter on the following encapsulation types:

• etype (Ethertype) – a two byte field indicating the protocol type of the frame. This can range from 0x0600 to 0xFFFF.

• llc (IEEE 802.3 LLC1 SSAP and DSAP) – a two byte sequence providing a function similar to the EtherType but for an IEEE 802.3 frame.

• snap (IEEE 802.3 LLC1 SNAP) – a specific LLC1 type packet.

To determine which type of frame is used on your network, use a protocol analyzer. If byte 12 of an Ethernet packet is equal to or greater than 0600 (hex), it is an Ethernet framed packet. Any number below this indicates an IEEE 802.3 frame (byte 12 will now indicate the length of the data field). Some well-known Ethernet types are 0800 (TCP/IP), 0600 (XNS), and 8137 (Novell Netware). Refer to RFC 1042 for a complete listing of EtherTypes.

For an IEEE 802.3 frame, you can further distinguish the SSAP and DSAP of the LLC header. Some well-known SAPs include: FE (OSI), F0 (NetBIOS), 42 (Spanning Tree BPDU), and AA (SNAP). Usually the DSAP and SSAP are the same.

NOTE: You must type in both bytes, otherwise the software will fill the field, left justified with a 00. Refer to RFC 1042 for a complete listing of SAP numbers.

SNAP is defined as an IEEE 802.3 frame with the SSAP, DSAP, and control field set to AA, AA, and 03. Immediately following these is a five-byte SNAP header. The first three bytes in this header are not used by the MAC filters. However, the next two bytes usually are set to the EtherType, so you can define the EtherType inside the SNAP header that you want to filter on.

The eq | gt | lt | neq argument specifies the possible operator: eq (equal), gt (greater than), lt (less than) and neq (not equal).

The <frame-type> argument is a hexadecimal number for the frame type. For example, the hex number for ARP is 806.

Default value: N/A

Additional Examples of Layer 2 MAC Filter Definitions

ServerIron(config)# mac filter 1 permit any any etype eq 0800

This filter configures the device to permit (forward) any inbound packet with the Ethertype field set to 0800 (IP).

ServerIron(config)# mac filter 2 deny 0080.0020.000 ffff.ffff.0000 any etype eq 0800

This filter configures the device to deny an inbound packet with the first four bytes set to 0800.0020.xxxx and an EtherType field set to 0800 (IP). The destination field does not matter.

ServerIron(config)# mac filter 3 deny any 00e0.5200.1234 ffff.ffff.ffff snap eq 0800

This filter configures the device to deny any inbound IEEE 802.3 packet with a destination set to 00e0.5200.1234 and a SNAP EtherType set to 0800. The source address does not matter.

ServerIron(config)# mac filter 32 permit any any

This filter permits all packets. This filter is used as the last filter assigned in a filter-group that has previous deny filters in the group.

Abbreviating the Address or Mask

Address and Mask abbreviations are allowed. However, be careful when configuring them. The default fill character is a 0 and it will fill a byte range as left justified. This applies only to the MAC address and mask. A range of frame types cannot be filtered. Each frame type must be entered. Here are some examples.

ServerIron(config)# mac filter 1 deny 0800.0700 ffff.ff00 any

This command expands to the following: mac filter 1 deny 0800.0700.0000 ffff.ff00.0000

The filter shown above denies forwarding of an inbound frame that has the source address set to 080007 as the first three bytes. All other information is not significant.

Here is another example of the fill feature.

ServerIron(config)# mac filter 2 deny 0260.8C00.0102 0.0.ffff any

This command expands to the following: mac filter 1 deny 0260.8C00.0102 0000.0000.ffff any

Since the fill character is 0 and the fill is left justified, certain filters will not allow for abbreviations. For example, suppose you want to deny an inbound packet that contains a broadcast destination address. Enter the following command:

ServerIron(config)# mac filter 5 deny any ff ff

This command contains a destination address of all F's and a mask of F's. The command expands to the following:

ServerIron(config)# mac filter 1 deny any 00ff.0000.0000 00ff.0000.0000

Here is another example for DSAP and SSAP.

ServerIron(config)# mac filter 10 deny any any llc eq F0

This command expands to the following: mac filter 2 deny any any llc eq 00f0

If you want to filter on both the SSAP and DSAP, then the following example shows this:

ServerIron(config)# mac filter 4 deny any 0020.0010.1000 ffff.ffff.0000 llc eq e0e0
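The mask matching and zero-fill expansion described above, as an added Python model (not Foundry code). It reproduces the page's expansion examples; evaluating filters in ascending filter number with the first match winning is an assumption of the model, and the function names and test frames are its own.

```python
import operator
import re
from dataclasses import dataclass
from typing import Optional, Tuple

OPS = {"eq": operator.eq, "gt": operator.gt, "lt": operator.lt, "neq": operator.ne}


def expand(field: str, groups: int = 3) -> int:
    """Expand an abbreviated address, mask or frame type as the page shows:
    each dotted group is zero-padded to four hex digits and missing trailing
    groups become 0000 (so "ff" turns into 00ff.0000.0000)."""
    parts = field.lower().split(".")
    if len(parts) > groups or not all(re.fullmatch(r"[0-9a-f]{1,4}", p) for p in parts):
        raise ValueError(f"bad hex field: {field!r}")
    parts = [p.zfill(4) for p in parts] + ["0000"] * (groups - len(parts))
    return int("".join(parts), 16)


def dotted(value: int) -> str:
    """Format a 48-bit value in the xxxx.xxxx.xxxx notation used by the CLI."""
    digits = f"{value:012x}"
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


@dataclass(frozen=True)
class MacFilter:
    num: int
    action: str                          # "permit" or "deny"
    src: Optional[Tuple[int, int]]       # (address, mask); None means "any"
    dst: Optional[Tuple[int, int]]
    encap: Optional[str] = None          # etype, llc or snap
    op: Optional[str] = None
    frame_type: Optional[int] = None

    def matches(self, src: int, dst: int, encap: str, frame_type: int) -> bool:
        # Only the bits set in the mask are compared.
        for want, got in ((self.src, src), (self.dst, dst)):
            if want is not None and (got & want[1]) != (want[0] & want[1]):
                return False
        if self.encap is None:
            return True
        return encap == self.encap and OPS[self.op](frame_type, self.frame_type)


def parse(line: str) -> MacFilter:
    """Parse one "mac filter ..." definition, with or without the CLI prompt."""
    tok = line.split("#", 1)[-1].split()
    if len(tok) < 6 or tok[:2] != ["mac", "filter"] or tok[3] not in ("permit", "deny"):
        raise ValueError(f"not a mac filter definition: {line!r}")
    pos, pairs = 4, []
    try:
        for _ in ("src", "dst"):
            if tok[pos] == "any":
                pairs.append(None)
                pos += 1
            else:
                pairs.append((expand(tok[pos]), expand(tok[pos + 1])))
                pos += 2
    except IndexError:
        raise ValueError(f"address without mask in: {line!r}") from None
    rest = tok[pos:]
    if not rest:
        return MacFilter(int(tok[2]), tok[3], pairs[0], pairs[1])
    if len(rest) != 3 or rest[0] not in ("etype", "llc", "snap") or rest[1] not in OPS:
        raise ValueError(f"bad frame-type clause in: {line!r}")
    return MacFilter(int(tok[2]), tok[3], pairs[0], pairs[1],
                     rest[0], rest[1], expand(rest[2], 1))


def decide(filters, src, dst, encap="etype", frame_type=0x0800):
    """Return (action, filter number) for one frame."""
    s, d = expand(src), expand(dst)
    # Assumption: filters are tried in ascending number, first match wins.
    for f in sorted(filters, key=lambda f: f.num):
        if f.matches(s, d, encap, frame_type):
            return f.action, f.num
    # Page: once a MAC filter is defined, traffic that matches no permit
    # filter is dropped.
    return "deny", None


if __name__ == "__main__":
    abbreviated = parse("mac filter 5 deny any ff ff")
    full = parse("mac filter 5 deny any ffff.ffff.ffff ffff.ffff.ffff")
    permit_all = parse("mac filter 32 permit any any")
    print("abbreviated form expands to", dotted(abbreviated.dst[0]), dotted(abbreviated.dst[1]))
    for dst in ("ffff.ffff.ffff", "12ff.3456.789a"):   # constructed frames
        print(dst, "abbreviated:", decide([abbreviated, permit_all], "0011.2233.4455", dst),
              "full:", decide([full, permit_all], "0011.2233.4455", dst))
```

The abbreviated `ff ff` filter denies the constructed unicast destination 12ff.3456.789a as well as the broadcast address, while the full form matches only the broadcast address.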

mac filter log-enable

Enables logging of packets that are denied by Layer 2 MAC filters. When you enable this feature, the device generates Syslog entries and SNMP traps for denied packets.

EXAMPLE:

ServerIron(config)# mac filter log-enable

Syntax: mac filter log-enable

Possible values: N/A

Default value: Disabled

mac-age-time

Sets the aging period for all address entries in the ServerIron address table.

EXAMPLE:

ServerIron(config)# mac-age 600

Syntax: mac-age-time <value>

Possible values: 0 – 65535 seconds. If you specify 0, the entries do not age.

Default value: 300 seconds

mirror-port

Enables and assigns a specific port to operate as a mirror port for other ports on a ServerIron. Once enabled, you can connect an external traffic analyzer to the port for traffic analysis.

You also need to enable the monitor command on a port for it to be mirrored by this port.

EXAMPLE:

To assign port 1 as the mirror port and port 5 as the port to be monitored, enter the following:

ServerIron(config)# mirror-port e 1

ServerIron(config)# interface e 5

ServerIron(config-if)# monitor on

To define a mirror port on a Chassis device, define a slot number in addition to the port number as seen in the syntax below.

Syntax: mirror-port ethernet <portnum>

Possible values: N/A

Default value: Undefined

module

Adds a hardware module to a Foundry Chassis device.

EXAMPLE:

To add an 8-port Gigabit Ethernet management module to slot 3 in a ServerIron 800, enter the following command:

ServerIron(config)# module 3 bi-8-port-gig-management-module

Syntax: module <slot-num> <module-type>

The <slot-num> parameter indicates the chassis slot number.

• Slots on the ServerIron 400 are numbered 1 – 4, from top to bottom.

• Slots on the ServerIron 800 are numbered 1 – 8, from left to right.

The <module-type> parameter specifies the module. For a list of the valid module types, enter module <slot-num> ? at the CLI prompt.

Possible values: see above

Default value: N/A

multicast filter

Configures a Layer 2 filter for multicast packets. You can filter on all multicast packets or on specific multicast groups.

EXAMPLE:

To configure a Layer 2 multicast filter to filter all multicast groups, then apply the filter to ports 2/4, 2/5, and 2/8, enter the following commands:

ServerIron(config)# multicast filter 1 any

ServerIron(config-mcast-filter-id-1)# exclude-ports ethernet 2/4 to 2/5 ethernet 2/8

ServerIron(config-mcast-filter-id-1)# write mem

EXAMPLE:

To configure a multicast filter to block all multicast traffic destined for multicast addresses 0100.5e00.5200 – 0100.5e00.52ff on port 4/8, enter the following commands:

ServerIron(config)# multicast filter 2 any 0100.5e00.5200 ffff.ffff.ff00

ServerIron(config-mcast-filter-id-2)# exclude-ports ethernet 4/8

ServerIron(config-mcast-filter-id-2)# write mem

The software calculates the range by combining the mask with the multicast address. In this example, all but the last two bits in the mask are “significant bits” (ones). The last two bits are zeros and thus match on any value.

Syntax: [no] multicast filter <filter-id> any | ip udp mac <multicast-address> | any [mask <ip-mask>] [vlan <vlan-id>]

The parameter values are the same as for the broadcast filter command. In addition, the multicast filter command requires the mac <multicast-address> | any parameter, which specifies the multicast address. Enter mac any to filter on all multicast addresses. Enter mac followed by a specific multicast address to filter only on that multicast address.

To filter on a range of multicast addresses, use the mask <ip-mask> parameter. For example, to filter on multicast groups 0100.5e00.5200 – 0100.5e00.52ff, use mask ffff.ffff.ff00. The default mask matches all bits (is all Fs). You can leave the mask off if you want the filter to match on all bits in the multicast address.

Possible values: see above

Default value: N/A

multicast limit

Specifies the maximum number of multicast packets the device can forward each second. By default the device sends multicasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However, if other devices in the network cannot handle unlimited multicast traffic, this command allows you to relieve those devices by throttling the multicasts at the Foundry device.

NOTE: The multicast limit does not affect broadcast or unicast traffic. However, you can use the broadcast limit and unknown-unicast limit commands to control these types of traffic. See “broadcast limit” on page 6-12 and “unknown-unicast limit” on page 6-98.

EXAMPLE:

ServerIron(config)# multicast limit 30000

Syntax: multicast limit <num>

Possible values: 0 – 4294967295

Default value: N/A

netbios-proto

This command creates a NetBIOS protocol VLAN on a Foundry switch or router. All ports of the system are assumed, by default, to be members of the VLAN when initially created. VLAN Membership can be modified using the dynamic, static, or exclude commands.

EXAMPLE:

To create a NetBIOS Protocol VLAN on an 18 port device with permanent port membership of 4 and 5 and ports 8 through 12 as dynamic member ports, enter the following commands.

ServerIron(config)# netbios-proto

ServerIron(config-netbios-proto)# static e4 e5

ServerIron(config-netbios-proto)# exclude e1 to 3 e6 e7 e13 to 18

ServerIron(config-netbios-proto)# exit

Syntax: netbios-proto [<name>]

The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.

Possible values: N/A

Default value: N/A

no

This command is used to disable many commands. To do so, place the word no before the command.

other-proto

Creates an Other protocol VLAN on the system. All ports of the switch are by default dynamically assigned to the newly created VLAN. VLAN Membership can be modified using the dynamic, static, or exclude commands.

You can use this option to define a protocol-based VLAN for protocols that are not specified as supported protocol VLANs on a switch or router, or do not require dedicated, separate broadcast domains.

EXAMPLE:

On a 16 port ServerIron, ports 13 through 16 represent protocols Decnet and AppleTalk. You do not need to separate traffic by protocol into separate broadcast domains. Instead, create an Other Protocol VLAN with just those ports as members.

ServerIron(config)# other-proto

ServerIron(config-other-proto)# static e13 to 16

ServerIron(config-other-proto)# exclude e1 to 12

ServerIron(config-other-proto)# exit

Syntax: other-proto [<name>]

The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.

Possible values: N/A

Default value: N/A

password-change

This command allows you to define those access points from which the system password can be defined. Options are serial-port-only, telnet-only, or any. ‘Any’ would allow the password to be modified from a serial port, telnet session or through IronView.

EXAMPLE:

To allow password changes from a serial port connection only, enter the following command:

ServerIron(config)# password-change cli

Syntax: password-change any | cli | console-cli | telnet-cli

Possible values: any, cli, console-cli, telnet-cli

Default value: None

privilege

This command augments the default access privileges for an access level. When you configure a user account, you can give the account one of three privilege levels: full access, port-configuration access, and read-only access. Each privilege level provides access to specific areas of the CLI by default:

• Full access provides access to all commands and displays.

• Port-configuration access gives access to:

    • The User EXEC and Privileged EXEC levels, and the port-specific parts of the CONFIG level

    • All interface configuration levels

• Read-only access gives access to:

    • The User EXEC and Privileged EXEC levels

EXAMPLE:

To enhance the port-configuration privilege level so users also can enter ip commands at the global CONFIG level (useful for adding IP addresses for multinetting), enter the following command:

ServerIron(config)# privilege configure level 4 ip

In this command, configure specifies that the enhanced access is for a command at the global CONFIG level of the CLI. The level 4 parameter indicates that the enhanced access is for privilege level 4 (port-configuration). All users with port-configuration privileges will have the enhanced access. The ip parameter indicates that the enhanced access is for the IP commands. Users who log in with valid port-configuration level user names and passwords can enter commands that begin with "ip" at the global CONFIG level.

Syntax: [no] privilege <cli-level> level <privilege-level> <command-string>

The <cli-level> parameter specifies the CLI level and can be one of the following values:

• exec – EXEC level; for example, ServerIron> or ServerIron#

• configure – CONFIG level; for example, ServerIron(config)#

• interface – interface level; for example, ServerIron(config-if-6)#

• port-vlan – Port-based VLAN level; for example, ServerIron(config-vlan)#

• protocol-vlan – Protocol-based VLAN level; for example, ServerIron(config-vlan)#

The <privilege-level> indicates the privilege level you are augmenting.

The level parameter specifies the privilege-level. You can specify one of the following:

• 0 – Full access (super-user)

• 4 – Port-configuration access

• 5 – Read-only access

The <command-string> parameter specifies the command you are allowing users with the specified privilege level to enter. To display a list of the commands at a CLI level, enter "?" at that level's command prompt and press Return.
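
A configuration review usually needs the list of commands that have been opened up to the restricted levels. The following Python sketch is an added example, not Foundry code: it parses privilege statements using only the syntax and values documented above. The sample configuration is constructed, and it assumes the no form removes an earlier augmentation.

```python
import re

# Values taken from the syntax description above.
CLI_LEVELS = {"exec", "configure", "interface", "port-vlan", "protocol-vlan"}
PRIV_LEVELS = {0: "full access", 4: "port-configuration", 5: "read-only"}

# [no] privilege <cli-level> level <privilege-level> <command-string>
PRIV_RE = re.compile(r"^(no\s+)?privilege\s+(\S+)\s+level\s+(\d+)\s+(.+)$")


def parse_privilege(line):
    """Parse one privilege statement; return None for any other command."""
    match = PRIV_RE.match(line.strip())
    if not match:
        return None
    negated, cli_level, level, command = match.groups()
    level = int(level)
    if cli_level not in CLI_LEVELS:
        raise ValueError(f"unknown CLI level {cli_level!r}")
    if level not in PRIV_LEVELS:
        raise ValueError(f"unknown privilege level {level}")
    return {
        "negated": bool(negated),
        "cli_level": cli_level,
        "level": level,
        "command": command.strip(),
    }


def effective_grants(config_text):
    """Map (privilege level, CLI level) to the command strings still granted.

    Assumption: a 'no privilege ...' line removes the matching augmentation.
    """
    grants = {}
    for line in config_text.splitlines():
        entry = parse_privilege(line)
        if entry is None:
            continue
        commands = grants.setdefault((entry["level"], entry["cli_level"]), set())
        if entry["negated"]:
            commands.discard(entry["command"])
        else:
            commands.add(entry["command"])
    return {key: sorted(cmds) for key, cmds in grants.items() if cmds}


def review(config_text):
    """Report every augmentation that widens a restricted level (4 or 5)."""
    findings = []
    for (level, cli_level), commands in sorted(effective_grants(config_text).items()):
        if level == 0:
            continue  # full access already includes every command
        for command in commands:
            findings.append(
                f"level {level} ({PRIV_LEVELS[level]}) may enter "
                f"'{command}' at {cli_level} level"
            )
    return findings


# Constructed sample configuration; only the first line comes from the page.
SAMPLE_CONFIG = """\
privilege configure level 4 ip
privilege exec level 5 ping
privilege configure level 5 radius-server
no privilege exec level 5 ping
"""

if __name__ == "__main__":
    for finding in review(SAMPLE_CONFIG):
        print(finding)
```

Every line it reports is a command string that all users at that privilege level can enter, so a grant such as radius-server to the read-only level deserves a second look.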

quit

This command returns you from any level of the CLI to the User EXEC mode.

EXAMPLE:

ServerIron(config)# quit

ServerIron>

Syntax: quit

Possible values: N/A

Default value: N/A

perf-mode

Allows you to define the performance mode as 'high' to allow flow control to activate at an earlier stage, when heavy congestion exists on the network. This feature must be saved to memory and the system reset before it becomes active.

EXAMPLE:

ServerIron(config)# perf-mode hi

Syntax: perf-mode normal | hi

Possible values: hi

Default value: normal

radius-server

Identifies a RADIUS server and sets other RADIUS parameters.

EXAMPLE:

ServerIron(config)# radius-server host 209.157.22.99

Syntax: radius-server host <ip-addr> | <server-name> [auth-port <number>] [acct-port <number>]

<ip-addr> | <server-name> is either an IP address or an ASCII text string.

<auth-port> is the Authentication port number; it is an optional parameter. The default is 1645.

<acct-port> is the Accounting port number; it is an optional parameter. The default is 1646.

Syntax: radius-server [key <key-string>] [timeout <number>] [retransmit <number>] [dead-time <number>]

The key <key-string> parameter is the encryption key; valid key string length is from 1 – 16.

The timeout <number> is how many seconds to wait before declaring a RADIUS server timeout for the authentication request. The default timeout is 3 seconds. The range of possible timeout values is from 1 – 15.

The retransmit <number> is the maximum number of retransmission attempts. When an authentication request times out, the Foundry software will retransmit the request up to the maximum number of retransmissions configured. The default retransmit value is 3 seconds. The possible retransmit value is from 1 – 5.

The dead-time parameter is not used in this software release. When the software allows multiple authentication servers, this parameter will specify how long the Foundry device waits for the primary authentication server to reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can be from 1 – 5 seconds. The default is 3.

Possible values: see above

Default value: see above

relative-utilization

Allows you to configure uplink utilization lists that display the percentage of a given uplink port’s bandwidth that is used by a specific list of downlink ports. The percentages are based on 30-second intervals of RMON packet statistics for the ports. Both transmit and receive traffic is counted in each percentage.

NOTE: This feature is intended for ISP or collocation environments in which downlink ports are dedicated to various customers’ traffic and are isolated from one another. If traffic regularly passes between the downlink ports, the information displayed by the utilization lists does not provide a clear depiction of traffic exchanged by the downlink ports and the uplink port.

Each uplink utilization list consists of the following:

• Utilization list number (1, 2, 3, or 4)

• One or more uplink ports

• One or more downlink ports

Each list displays the uplink port and the percentage of that port’s bandwidth that was utilized by the downlink ports over the most recent 30-second interval. You can configure up to four bandwidth utilization lists.

EXAMPLE:

To configure a link utilization list with port 1 as the uplink port and ports 2 and 3 as the downlink ports:

ServerIron(config)# relative-utilization 1 uplink eth 1 downlink eth 2 to 3

Syntax: [no] relative-utilization <num> uplink ethernet <portnum> [to <portnum> | <portnum>…] downlink ethernet <portnum> [to <portnum> | <portnum>…]

Possible values: The <num> parameter specifies the list number. You can configure up to four lists. Specify a number from 1 – 4.

The uplink ethernet parameters and the port number(s) you specify after the parameters indicate the uplink port(s).

The downlink ethernet parameters and the port number(s) you specify after the parameters indicate the downlink port(s).

Default value: N/A

rmon alarm

The RMON alarm command defines what MIB objects are monitored, the type of thresholds that are monitored (falling, rising or both), the value of those thresholds, and the sample type (absolute or delta).

An alarm event will be reported each time that a threshold is exceeded. The alarm entry also defines the action (event) to take should the threshold be exceeded.

A sample CLI alarm entry and its syntax are shown below:

EXAMPLE:

ServerIron(config)# rmon alarm 1 ifInOctets.6 10 delta rising-threshold 100 1 falling threshold 50 1 owner nyc02

Syntax: rmon alarm <entry-number> <MIB-object.interface-number> <sampling-time> <sample-type> <threshold-type> <threshold-value> <event-number> <threshold-type> <threshold-value> <event-number> owner <text>

Possible values:

• Threshold type: rising-threshold or falling threshold

• Sample type: delta or absolute

Default value: N/A
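
The threshold logic behind the alarm entry above, as an added Python example (not Foundry code). It follows the RMON alarm group in RFC 2819, where a threshold fires once and is re-armed only after the opposite threshold has been crossed, and it goes beyond the page by handling 32-bit counter wrap for delta samples. The readings are constructed; the thresholds 100 and 50 are those of the example command.

```python
COUNTER32_MODULUS = 2 ** 32  # ifInOctets is a 32-bit SNMP counter and wraps to zero


def sample_values(readings, sample_type):
    """Turn raw readings of the MIB object into the values compared with the thresholds."""
    if sample_type == "absolute":
        return list(enumerate(readings))
    if sample_type == "delta":
        # Difference between consecutive readings, corrected for counter wrap.
        return [
            (i, (readings[i] - readings[i - 1]) % COUNTER32_MODULUS)
            for i in range(1, len(readings))
        ]
    raise ValueError("sample type must be 'delta' or 'absolute'")


def evaluate_alarm(readings, sample_type, rising, falling):
    """Return the alarm events as (sample index, 'rising' or 'falling', value).

    Hysteresis as in RFC 2819: after a rising event, no further rising event
    is generated until a falling event has occurred, and vice versa.
    Assumption: at startup either threshold may fire on the first sample.
    """
    if falling > rising:
        raise ValueError("falling threshold must not exceed rising threshold")
    events = []
    last_event = None
    for index, value in sample_values(readings, sample_type):
        if value >= rising and last_event != "rising":
            last_event = "rising"
            events.append((index, "rising", value))
        elif value <= falling and last_event != "falling":
            last_event = "falling"
            events.append((index, "falling", value))
    return events


# Constructed ifInOctets readings, one per sampling interval.
# Deltas: 120, 80, 120, 30, 70, 10
SAMPLE_READINGS = [0, 120, 200, 320, 350, 420, 430]

# Constructed readings that wrap past 2**32 between two samples (delta 200).
WRAPPED_READINGS = [4294967200, 104]

if __name__ == "__main__":
    # Parameters from the example: delta samples, rising 100, falling 50.
    for event in evaluate_alarm(SAMPLE_READINGS, "delta", 100, 50):
        print(event)
    print(evaluate_alarm(WRAPPED_READINGS, "delta", 100, 50))
```

In the sample, the second delta of 120 produces no event because the value has not yet dropped to the falling threshold, which is what keeps a counter hovering around the rising threshold from flooding the event log.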

rmon event

The RMON event group (group 9) has two elements: the event control table and the event log table.

The event control table defines the action to be taken when an alarm is reported. Defined events can be found by entering the CLI command, show event.

The event log table collects and stores reported events for retrieval by an RMON application.

EXAMPLE:

ServerIron(config)# rmon event 1 description 'testing a longer string' log-and-trap public owner nyc02

Syntax: rmon event <event-entry> description <text-string> log | trap | log-and-trap owner <rmon-station>

Possible values: N/A

Default value: N/A

rmon history

All active ServerIron ports by default will generate two RMON history (group 2) control data entries. If a port becomes inactive, then the two entries will automatically be deleted.

Two history entries are generated for each switch by default:

• a sampling of statistics every 30 seconds

• a sampling of statistics every 30 minutes

You can modify how many of these historical entries are saved in an event log (buckets) as well as how often these intervals are taken. The station (owner) that collects these entries can also be defined.

To review the control data entry for each port or interface, enter the show rmon history command.

EXAMPLE:

ServerIron(config)# rmon history 1 interface 1 buckets 10 interval 10 owner nyc02

Syntax: rmon history <entry-number> interface <portnum> buckets <number> interval <sampling-interval> owner <text-string>

Possible values: Buckets: 1 – 50 entries.

Default value: N/A

router rip

Enables the Routing Information Protocol (RIP).

NOTE: This command applies only to IP forwarding (Layer 3 IP).

NOTE: You also must enable RIP locally on the virtual routing interface. See “ip rip” on page 8-7.

EXAMPLE:

To enable RIP globally, enter the following command:

ServerIron(config)# router rip

ServerIron(config-rip-router)#

Notice that the command also changes the CLI to RIP configuration level. See “Routing Information Protocol (RIP) Commands” on page 20-1.

Syntax: [no] router rip

Possible values: N/A

Default value: Disabled

rshow

Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

server active-active-port

Provides redundancy for NAT or the SYN-Guard feature when not used with FWLB or SLB. This command specifies the ServerIron port connected to the other ServerIron in the configuration.

EXAMPLE:

ServerIron(config)# server active-active-port ethernet 4/5

This command configures the active-active link on port 4/5.

ServerIron(config)# server active-active-port ethernet 4/5 300

This command configures the active-active link on port 4/5 on VLAN 300 only. The active-active traffic is not forwarded to the other VLANs that port 4/5 is in.

Syntax: [no] server active-active-port ethernet <portnum> [<vlan-id>]

The <portnum> parameter is the first port MAC address where the peer ServerIron resides. This is the MAC address displayed as the "Boot Prom MAC" in the output of the show chassis command on the peer ServerIron. You must add a static MAC entry for this MAC address.

The <vlan-id> parameter specifies the VLAN you want to use for active-active synchronization traffic. Use this parameter if the port is a tagged member of multiple VLANs.

NOTE: The VLAN you specify must be used only for synchronization traffic. Do not specify a VLAN that also will carry data traffic.

Possible values: See above

Default value: N/A

server allow-sticky

Accepts new connections on a real server whose sticky port has been unbound.

When you unbind an application port from a server, the ServerIron temporarily places the port in the aw_unbnd (awaiting unbind) state. If you delete an application port, the ServerIron temporarily places the port in the aw_del (awaiting delete) state. These temporary states allow open sessions on the port to be completed before the port is unbound or removed.

By default, when the ServerIron receives a new request associated with a sticky port in the aw_unbnd state, the ServerIron establishes the session on another real server, not the real server from which you are unbinding the port.

This command configures the ServerIron to accept new sessions for the same real server for a sticky port, even under the following conditions:

• The real server port is in the aw_unbnd state.

• The real server port is in the aw_del state.

• The real server port is disabled.

EXAMPLE:

ServerIron(config)# server allow-sticky

Syntax: [no] server allow-sticky [refresh-age]

The refresh-age parameter configures the ServerIron to reset the age of a sticky session on the port whenever a new connection associated with the sticky port is established. This parameter ensures that the session stays up indefinitely until it is no longer needed.

By default, the ServerIron does not reset the age of the session when new connections are established. Instead, the session times out after the sticky age expires.

If you use the refresh-age parameter, the ServerIron resets the age of the session to the value of the sticky age. For example, if the sticky age is five minutes (the default), when the ServerIron establishes a new session on the sticky port, the ServerIron resets the age time for the session to five minutes. Each time the ServerIron receives another connection request associated with the sticky session, the ServerIron resets the session age again.

Possible values: See above

Default value: Disabled

server backup

The server backup command sets up the server load balancing redundancy on ServerIron switches. The two switches used in the configuration must be configured with the same MAC address. The MAC address used for the two switches can be any MAC address supported on either of the switches.

EXAMPLE:

ServerIron(config)# server backup ethernet 13 00e0.5201.0c72

Syntax: server backup ethernet <portnum> <HHHH.HHHH.HHHH>

Possible values: N/A

Default value: N/A

server backup-group

Configures a hot-standby group ID. Use the group ID when you are configuring more than one pair of ServerIrons for SLB hot standby within the same Layer 2 broadcast domain.

Configure a backup group ID on each of the ServerIrons, so that both ServerIrons in a given pair have the same ID. The backup group ID uniquely identifies the pair.

When you configure a backup group ID, both ServerIrons in a hot-standby pair use the ID when exchanging backup information. If a ServerIron receives a backup information packet but the packet’s backup group ID does not match the ServerIron’s backup group ID, the ServerIron discards the packet.

If the broadcast domain contains multiple hot-standby pairs, you must configure backup group IDs on all pairs. If the broadcast domain contains only one hot-standby pair, you do not need to configure a backup group ID.

EXAMPLE:

ServerIron(config)# server backup-group 1

Syntax: [no] server backup-group <num>

The <num> parameter specifies the backup group ID and can be a number from 0 – 7. Enter the same ID on both ServerIrons in a hot-standby pair. Do not enter the same ID on a ServerIron that is not one of the ServerIrons in the hot-standby pair.

Possible values: 0 – 7

Default value: N/A

server backup-port

Configures the active-active (synchronization) port for SSLB. The active-active port connects the ServerIron to its SSLB partner.

EXAMPLE:

ServerIron(config)# server backup-port ethernet 3/5

This command configures the active-active link on port 3/5.

ServerIron(config)# server backup-port ethernet 3/5 200

This command configures the active-active link on port 3/5 on VLAN 200 only. The active-active traffic is not forwarded to the other VLANs that port 3/5 is in.

Syntax: [no] server backup-port ethernet <portnum> [<vlan-id>]

The <vlan-id> parameter specifies the VLAN you want to use for active-active synchronization traffic. Use the <vlan-id> parameter if the port is a tagged member of more than one VLAN.

NOTE: The VLAN you specify must be used only for synchronization traffic. Do not specify a VLAN that also will carry data traffic.

Possible values: See above

Default value: N/A

server backup-preference

Configures a ServerIron in an active-standby pair to always be the active ServerIron. Without the backup preference, ServerIrons in a hot-standby pair elect the active ServerIron based on a random timer on each ServerIron.

NOTE: This command does not apply to FWLB.

EXAMPLE:

To configure a ServerIron in an active-standby pair to always be the active ServerIron, enter the following command at the global CONFIG level of the CLI:

ServerIron(config)# server backup-preference 5

Syntax: server backup-preference <wait-time>

The <wait-time> parameter specifies how long the ServerIron waits before assuming the active role. The ServerIron does not immediately become the active ServerIron but instead waits the number of minutes you specify.

Possible values: 5 – 30 minutes

Default value: None

server backup-timer

Changes the backup timer on a ServerIron in an active-standby pair. The timer specifies how long a backup ServerIron will wait for a Hello message or synchronization data from the active ServerIron before assuming the active ServerIron is no longer available, and then taking over the active role.

NOTE: This command does not apply to FWLB.

EXAMPLE:

ServerIron(config)# server backup-timer 50

This command sets the backup timer to 5 seconds (50 * 100 milliseconds).

Syntax: server backup-timer <time>

The <time> parameter specifies how long this ServerIron, when it is the backup ServerIron, will wait for a Hello message or synchronization data from the active ServerIron before assuming the active ServerIron is no longer available.

Possible values: 5 (one half second) – 100 (10 seconds), in units of 100 milliseconds each

Default value: 10 (one second)

server cache-group

TCS requires that all cache servers be assigned to a cache-group. By default, all cache servers are assigned to cache group 1. To assign cache servers to a different cache group, use this command.

EXAMPLE:

To assign cache servers server1 and server2 to cache group 2, enter the following:

ServerIron(config)# server cache-group 1

ServerIron(config-tc-1)# cache-name server1

ServerIron(config-tc-1)# cache-name server2

Syntax: server cache-group 1

Possible values: N/A

Default value: N/A

server cache-name

This command is used to assign a name and IP address to a cache server.

EXAMPLE:

To identify a cache-server with an IP address of 207.95.5.19 as web2, enter the following:

ServerIron(config)# server cache-name web2 207.95.5.19

Syntax: server cache-name <text> <ip-addr>

Possible values: N/A

Default value: N/A

server cache-router-offload

This command enables the ServerIron Cache Route Optimization feature, which redirects HTTP traffic from a cache server directly toward the clients. Use this command when the ServerIron sits between a remote access server (RAS) and a border access router (BAR) and the cache server’s default gateway is the BAR.

For more information, see the "Configuring Transparent Cache Switching" chapter in the Foundry ServerIron Installation and Configuration Guide.

EXAMPLE:

To enable Cache Route Optimization on a switch operating with TCS, enter the following:

ServerIron(config)# server cache-router-offload

Syntax: [no] server cache-router-offload

Possible values: N/A

Default value: N/A

server cache-stateful

Disables stateful TCS. In stateful TCS, the ServerIron creates session table entries for the client connections redirected to cache servers. If you disable stateful TCS, the ServerIron does not create session table entries for the load-balanced traffic, but instead uses hash-based redirection on a packet by packet basis. In addition, the ServerIron uses the return traffic as one means to assess the health of a cache server. If you disable stateful TCS, the ServerIron does not monitor the return traffic.

NOTE: Stateful TCS provides more benefit than stateless TCS in almost all TCS configurations. Do not disable stateful TCS unless advised to do so by Foundry Networks Technical Support.

EXAMPLE:

To disable stateful TCS, enter the following command:

ServerIron(config)# no server cache-stateful

Syntax: [no] server cache-stateful

Possible values: N/A

Default value: Enabled

server clock-scale

Provides a clock multiplier for the TCP age and UDP age timers, which are used to age out the entries in the session table. This command is useful for configurations that require TCP or UDP timeouts longer than the maximum configurable value (60 minutes). For example, if you set the clock scale to 2, the TCP and UDP age timer values are multiplied by 2. Thus, a TCP age of 60 would then be equivalent to 120 minutes instead of 60 minutes.

EXAMPLE:

ServerIron(config)# server clock-scale 2

Syntax: server clock-scale <multiplier>

Possible values: 1 – 20

Default value: 1

server connection-log

Enables TCP/UDP session logging. When TCP/UDP session logging is enabled, the ServerIron sends a message to the external Syslog servers when the software creates a session table entry.

EXAMPLE:

To enable session logging for all TCP and UDP ports, enter a command such as the following:

ServerIron(config)# server connection-log all

The command in this example enables logging for all new session table entries. To enable logging only for new sessions that are used for Source NAT, enter the following command:

ServerIron(config)# server connection-log src-nat

Syntax: server connection-log all | src-nat [url] [cookie]

The all parameter enables logging for all sessions.

The src-nat parameter enables logging only for sessions that are used for Source NAT.

The url parameter enables logging of URL information for sessions that contain a URL.

The cookie parameter enables logging of Cookie information for sessions that contain a Cookie.

NOTE: The URL logging option applies only when URL switching is enabled. The Cookie logging option applies only when Cookie switching is enabled.

To enable session logging for a specific TCP or UDP port, enter commands such as the following:

ServerIron(config)# server port 80

ServerIron(config-port-80)# connection-log all url cookie

Syntax: connection-log all | src-nat [url] [cookie]

The parameter values are the same as the values for globally enabling logging.

Possible values: see above

Default value: Disabled

server delay-symmetric

Delays reactivation of a failed ServerIron in an SSLB configuration following the ServerIron’s recovery. By delaying reactivation of a recovered ServerIron, you provide time for sessions created by the standby ServerIron to terminate normally.

NOTE: This command applies only to active-standby SSLB in software release 07.1.x. Software 07.2.x uses active-active SSLB instead. See the "Active-Standby SSLB" section in the "Configuring Symmetric SLB and SwitchBack" chapter of the Foundry ServerIron Installation and Configuration Guide.

When you enable session synchronization in a ServerIronXL SSLB configuration, the active ServerIron for a VIP sends session synchronization information to the standby ServerIron. If the VIP’s active ServerIron becomes unavailable, the open sessions for the VIP fail over to the other ServerIron, which provides uninterrupted service for the sessions.

The active ServerIron sends session synchronization information to a VIP’s standby ServerIron when the session is created. Following a failover, when the standby ServerIron for a VIP has taken over, the standby ServerIron can create new sessions for the VIP. However, because the ServerIron with the higher priority for the VIP is unavailable, the standby ServerIron cannot send synchronization information for the newly created sessions. As a result, when the other ServerIron becomes available again, it resumes service for the VIP but cannot continue the sessions that were created by the standby ServerIron.

EXAMPLE:

To enable reactivation delay following recovery of a ServerIron, enter the following command at the global CONFIG level of the CLI:

ServerIron(config)# server delay-symmetric

Syntax: [no] server delay-symmetric [<mins>]

The <mins> parameter specifies the number of minutes you want the recovered ServerIron to wait before becoming active again. You can specify from 2 – 120 minutes. The default is 60 minutes.

NOTE: You must enter the same command using the same number of minutes on both ServerIrons in the configuration.

Possible values: See above

Default value: See above

server force-delete

This command allows you to force termination of existing server load balancing connections when the supporting server or service is disabled or deleted.

By default, when a service is disabled or deleted, the ServerIron does not send new connections to the real servers for that service. However, the ServerIron does allow existing connections to complete normally, however long that may take.

You can use the server force-delete command to force the existing connections to be terminated within two minutes.

NOTE: If you disable or delete a service, do not enter an additional command to reverse the command you used to disable or delete the service, while the server is in graceful shutdown.

NOTE: For important information about shutting down services or servers, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

EXAMPLE:

To force the shutdown of all deleted servers on a ServerIron, enter the following:

ServerIron(config)# server force-delete

NOTE: Once enabled, this feature controls all future deletions. To see whether force delete is active, enter the show configuration command. If active, this option will appear in the summary of global parameters. Because the server force-delete command is a global command, there is no need to specify real server 15. It will automatically end the connections of all servers or services awaiting deletion.

NOTE: To display active sessions for a specific server, enter the show sessions real server <number> command and a display as seen below will appear. Notice that the display below shows the Telnet connection on server 15 as awaiting unbinding. Without the server force-delete command, this feature will stay in this state until the session ends naturally.

ServerIron(config-vs-building)# show server real s15

Real Servers Info

Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active

Name: s15 IP: 207.95.18.15 State: 6 Wt: 1 Max-conn: 1000000

Port     State     CurConn  TotConns  Rx-pkts  Tx-pkts  Rx-octet  Tx-octet  Reas
http     active    0        1711509   0        1206     0         82402     0
ftp      active    0        0         0        0        0         0         0
telnet   aw_unbnd  1        2         388      374      23618     22452     0
default  unbnd     0        0         0        0        0         0         0
Server Total       1        1711511   388      1580     23618     104854    0

Because the binding is awaiting deletion, it will also still be seen as an active binding, if you enter the show session bind command, as seen below:

ServerIron(config-vs-building)# show server bind

Virtual Server Name: building, IP: 207.95.5.130
http -------> s21: 207.95.18.21, http
              s15: 207.95.18.15, http
              s50: 207.95.18.50, http
ftp -------> s50: 207.95.18.50, ftp
             s21: 207.95.18.21, ftp
             s15: 207.95.18.15, ftp
telnet -------> s15: 207.95.18.15, telnet
                s21: 207.95.18.21, telnet
                s50: 207.95.18.50, telnet

Once force delete is enabled, the unbinding will occur within two minutes and the show session real server s15 will show that connection as unbound, as seen below:

ServerIron(config)# show session real s15

Real Servers Info

Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active

Name: s15 IP: 207.95.18.15 State: 6 Wt: 1 Max-conn: 1000000

Port     State     CurConn  TotConns  Rx-pkts  Tx-pkts  Rx-octet  Tx-octet  Reas
http     active    0        1711509   0        1206     0         82402     0
ftp      active    0        0         0        0        0         0         0
telnet   unbnd     0        2         406      385      24700     23112     0
default  unbnd     0        0         0        0        0         0         0
Server Total       0        1711511   406      1591     24700     105514    0

NOTE: The binding for the real server will also be eliminated from the show server bind display.

Syntax: server force-delete

Possible values: enabled or disabled

Default value: disabled

server fw-group

Changes the CLI to the Firewall Group level. At this level, you can configure parameters for firewall load balancing. For information about this feature, see the Foundry ServerIron Firewall Load Balancing Guide.

The default firewall group is 2. This is the only firewall group supported. All ServerIron ports are in this firewall group by default.

EXAMPLE:

To change the CLI to the Firewall Group level for firewall group 2, enter the following command:

ServerIron(config)# server fw-group 2

ServerIron(config-tc-2)#

Syntax: server fw-group 2

Possible values: 2

Default value: N/A

server fw-name

Adds a firewall for firewall load balancing.

EXAMPLE:

To define a firewall called FW1, enter the following command:

ServerIron(config)# server fw-name FW1 209.157.22.3

Syntax: fw-name <string> <ip-addr>

NOTE: When you add a firewall name, the CLI level changes to the Firewall level.

Possible values: a string up to 32 characters long; a valid IP address

Default value: N/A

server fw-port

If you are configuring the ServerIron for IronClad Firewall Load Balancing, this command identifies the port that connects this ServerIron to its partner. If you configure a trunk group for the link between the two partners, specify the first port (the primary port for the group) in the trunk group. On the 8-port, 16-port, and 24-port ServerIrons, you can configure a trunk group with two or four members and the lead ports are the odd-numbered ports.

EXAMPLE:

ServerIron(config)# server fw-port 5

Syntax: fw-port <portnum>

Possible values: N/A

Default value: N/A

server fw-recv-stateful

Enables receive stateful FWLB for application traffic coming from the firewalls to the ServerIron. For information, see the Foundry ServerIron Firewall Load Balancing Guide.

EXAMPLE:

ServerIron(config)# server fw-recv-stateful

Syntax: [no] server fw-recv-stateful

Possible values: N/A

Default value: Disabled

server fw-slb

Enables FWLB-to-SLB. For information, see the Foundry ServerIron Firewall Load Balancing Guide.

EXAMPLE:

ServerIronB(config)# server fw-slb

Syntax: [no] server fw-slb

Possible values: N/A

Default value: Disabled

server fw-stateful

Enables stateful FWLB for application traffic coming from the ServerIron to the firewalls. For information, see the Foundry ServerIron Firewall Load Balancing Guide.

EXAMPLE:

ServerIron(config)# server fw-stateful

Syntax: [no] server fw-stateful

Possible values: N/A

Default value: Disabled

server fw-strict-sec

Configures the ServerIron to forward a TCP data packet only if the ServerIron has already received a TCP SYN for the packet's traffic flow (source and destination addresses). This command provides tighter security. For example, with the tighter security enabled, the ServerIron does not forward a TCP data packet to 1.1.1.1 unless the ServerIron has already received a TCP SYN for the session between the packet's source and 1.1.1.1.

By default, the ServerIron sends a properly addressed TCP data packet to a firewall regardless of whether the ServerIron has received a TCP SYN for the traffic flow. For example, if the ServerIron receives a TCP packet addressed to TCP port 8080 on IP address 1.1.1.1, the ServerIron forwards the packet to the firewall connected to 1.1.1.1 regardless of whether the ServerIron has received a TCP SYN for the session between the packet's source and 1.1.1.1.

EXAMPLE:

ServerIron(config)# server fw-strict-sec

Syntax: [no] server fw-strict-sec

The feature applies globally to all TCP traffic received for FWLB.

Possible values: N/A

Default value: Disabled
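The difference between the default behaviour and server fw-strict-sec can be seen by replaying the same traffic through both settings. The following is an added illustration, not code from Foundry or from this manual: the class and function names are hypothetical, the packets are constructed, and the flow key (source address, destination address) follows the wording of the command description above.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class TcpPacket:
    """Constructed stand-in for a TCP packet arriving for FWLB."""
    src: str
    dst: str
    dport: int
    syn: bool = False


@dataclass
class FwlbForwarder:
    """Hypothetical model of the forwarding decision, not device code."""
    strict_sec: bool = False                      # the page's default: Disabled
    seen_syn: set = field(default_factory=set)    # flows for which a SYN was received

    def handle(self, pkt: TcpPacket) -> str:
        flow = (pkt.src, pkt.dst)                 # flow key as described on the page
        if pkt.syn:
            self.seen_syn.add(flow)
            return "forward"
        # A data packet: under strict security it needs a prior SYN for its flow.
        if self.strict_sec and flow not in self.seen_syn:
            return "drop"
        return "forward"


def replay(packets, strict_sec):
    """Run the packets through a fresh forwarder and return one decision per packet."""
    forwarder = FwlbForwarder(strict_sec=strict_sec)
    return [forwarder.handle(p) for p in packets]


# Constructed sample traffic toward 1.1.1.1 port 8080 (the page's example target).
SAMPLE_TRAFFIC = [
    TcpPacket("10.0.0.5", "1.1.1.1", 8080),             # data before any SYN
    TcpPacket("10.0.0.5", "1.1.1.1", 8080, syn=True),   # SYN opens the flow
    TcpPacket("10.0.0.5", "1.1.1.1", 8080),             # data after the SYN
    TcpPacket("10.0.0.9", "1.1.1.1", 8080),             # other source, no SYN
]

if __name__ == "__main__":
    for setting in (False, True):
        print("fw-strict-sec", "enabled" if setting else "disabled",
              replay(SAMPLE_TRAFFIC, setting))
```

With the feature disabled, all four packets reach the firewall; with it enabled, only the SYN and the data packet that follows it on the same flow do.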

server fw-superzone

Enables the superzone FWLB feature.

NOTE: This command does not enable FWLB. The command only enables superzone support.

EXAMPLE:

ServerIron(config)# server fw-superzone

Syntax: [no] server fw-superzone

Possible values: N/A

Default value: Disabled

server icmp-message

Enables the ICMP message feature. This feature configures the ServerIron to send ICMP “Destination Unreachable” messages to clients who request HTTP ports that are unavailable. Generally, a port is unavailable if all the real servers that contain the port are busy or are down, or the port is not configured on the servers.

EXAMPLE:

To enable the ICMP message feature, enter the following command:

ServerIron(config)# server icmp-message

Syntax: [no] server icmp-message

Possible values: N/A

Default value: disabled

server l4-check

Globally disables or re-enables Layer 4 TCP or UDP health checks for servers. The Layer 4 health checks are enabled by default.

If you are configuring the ServerIron to load balance traffic to multiple servers on the other side of routers and you want to load-balance the traffic according to TCP or UDP application, use the no server l4-check command to disable the Layer 4 health checks. If you do not disable the health checks in this type of configuration, the routers will fail the health checks (because the target applications for the health checks are not on the routers themselves) and the ServerIron will stop forwarding traffic to those servers.

NOTE: If you are using the ServerIron to load-balance TCP and UDP traffic through routers, you also must add each router as a real server and disable the HTTP port on each of the real servers. HTTP is enabled by default on all real servers.

NOTE: This command also disables all Boolean health-check policies when entered on a ServerIron 400 or ServerIron 800.

EXAMPLE:

To disable the Layer 4 TCP and UDP health checks, enter the following command:

ServerIron(config)# no server l4-check

Syntax: [no] server l4-check

Possible values: N/A

Default value: enabled

server max-conn-trap

Specifies the number of seconds that elapse between traps for logging information about the TCP connection rate and attack rate on the device.

EXAMPLE:

ServerIron(config)# server max-conn-trap 30

Syntax: server max-conn-trap <seconds>

Possible values: 1 – 300 seconds

Default value: 30 seconds

server max-ssl-session-id

Changes the number of entries associating a session_id with a real server that the ServerIron can store in its database.

EXAMPLE:

To change the maximum number of database entries from 8,192 to 64,000:

ServerIron(config)# server max-ssl-session-id 64000

Syntax: server max-ssl-session-id <number>

Possible values: On the ServerIronXL and ServerIronXL/G, the number of database entries can range from 8,192 to 64,000. On the ServerIron 400 and ServerIron 800, the number of database entries can range from 8,192 to 256,000.

Default value: 8,192

server max-url-switch

Changes the maximum number of concurrent web switching connections.

EXAMPLE:

To change the maximum number of concurrent web switching connections from 100,000 to 160,000:

ServerIron(config)# server max-url-switch 160000

Syntax: server max-url-switch <number>

Possible values: On the ServerIronXL and ServerIronXL/G, the number of concurrent web switching connections can range from 100,000 to 160,000. On the ServerIron 400 and ServerIron 800, the number of concurrent web switching connections can range from 100,000 to 512,000.

Default value: 100,000

server monitor

Enters the Layer 4 monitor CLI level.

EXAMPLE:

ServerIron(config)# server monitor

Syntax: server monitor

Possible values: N/A

Default value: N/A

server msl

Sets the amount of time sessions for ports configured with the udp-fast-age command stay in the delete queue before being deleted.

EXAMPLE:

ServerIron(config)# server msl 2

Syntax: server msl <seconds>

Possible values: 1 – 40 seconds

Default value: 8 seconds

server no-fast-bringup

Enables the health-checking procedure for application ports used in releases prior to 7.1.05.

• In releases prior to 7.1.05, the ServerIron performed a Layer 4 health check on a port on a real server, followed by a Layer 7 health check, if one was enabled on the port. If the port passed both health checks, it was then marked ACTIVE.

• Starting with release 7.1.05, by default when a port passes a Layer 4 health check, it is then marked ACTIVE. The ServerIron then performs a Layer 7 health check, if one is enabled on the port. Based on the result of the Layer 7 health check (if enabled), the port is then marked ACTIVE or FAILED.

This change was made so that ports could be brought up more quickly. You can optionally change the default behavior so that a port is not marked ACTIVE until it passes both the Layer 4 and (if one is enabled) Layer 7 health checks.

EXAMPLE:

To enable the health-checking procedure that existed in releases prior to 7.1.05:

ServerIron(config)# server no-fast-bringup

Syntax: [no] server no-fast-bringup

Possible values: N/A

Default value: N/A

server no-real-l3-check

Globally disables the initial Layer 3 health check for local real servers. When you disable the health check, the ServerIron sends an ARP request for the default gateway and makes the server’s state ACTIVE as long as the ARP entry is present in the ServerIron’s ARP cache.

By default, when you add a real server configuration to the ServerIron, the ServerIron uses a Layer 3 health check (IP ping) to determine the server’s reachability. If the real server responds to the ping, the ServerIron changes the server’s state to ACTIVE and begins using the server for client requests.

NOTE: This command applies only to local real servers (servers added using the server real-name command).

EXAMPLE:

ServerIron(config)# server no-real-l3-check

Syntax: [no] server no-real-l3-check

Possible values: N/A

Default value: Health check is enabled

server no-remote-l3-check

Globally disables the initial Layer 3 health check for remote real servers. When you disable the health check, the ServerIron sends an ARP request for the default gateway and makes the remote server’s state ACTIVE as long as the ARP entry is present in the ServerIron’s ARP cache.

By default, when you add a real server configuration to the ServerIron, the ServerIron uses a Layer 3 health check (IP ping) to determine the server’s reachability. If the real server responds to the ping, the ServerIron changes the server’s state to ACTIVE and begins using the server for client requests.

NOTE: This command applies only to remote servers (servers added using the server remote-name command).

EXAMPLE:

ServerIron(config)# server no-remote-l3-check

Syntax: [no] server no-remote-l3-check

Possible values: N/A

Default value: Health check is enabled

server no-slow-start

Globally disables the slow-start mechanism. When you disable the slow-start mechanism, the ServerIron can immediately send up to the maximum number of connections specified for the real server when the server comes up. Disabling slow-start does not remove the slow-start configuration information from the real servers. To reactivate slow-start, globally re-enable the feature.

EXAMPLE:

ServerIron(config)# server no-slow-start

Syntax: [no] server no-slow-start

To globally re-enable slow-start, enter the following command:

ServerIron(config)# no server no-slow-start

Possible values: N/A

Default value: Enabled

server partner-ports

Enables the standby ServerIron in an IronClad FWLB configuration that uses the always-active feature to learn the MAC addresses of hosts whose packets pass through the active ServerIron to reach the standby ServerIron.

For more information about the use of this command, see the "Preventing Unnecessary Broadcasts in an Always-Active IronClad Configuration" section in the "Using the Always-Active Feature for Simplified Topologies" appendix of the Foundry ServerIron Firewall Load Balancing Guide.

NOTE: This command applies only to IronClad FWLB configurations that use the always-active option.

EXAMPLE:

ServerIron(config)# server partner-ports 5

Syntax: [no] server partner-ports <portnum>...

The <portnum> parameter specifies the port(s) that are in the always-active VLAN. This is the VLAN that contains the data link between the two ServerIrons.

• On the ServerIronXL, ServerIron 400, and ServerIron 800 you can specify up to eight ports on the same command line. Use a space after each port number to separate them.

• On the ServerIronXL/G, you can specify one port on the same command line. However, you can enter the command multiple times for multiple ports.

Possible values: See above

Default value: None configured

server path-group

This command is for a specific configuration. Do not use this command unless advised to do so by Foundry Networks’ technical staff.

server peer-group

Configures stateless health checking. Use stateless health checking when you configure multiple ServerIrons to load balance for a common set of TCP or UDP application ports. For example, a transparent VIP configuration that uses stateless application ports can benefit from stateless health checking. A stateless application port is one for which the ServerIron does not create session table entries.

EXAMPLE:

To configure a stateless health check group, enter a command such as the following on each ServerIron in the group.

ServerIronA(config)# server peer-group 1 192.168.3.9 192.168.4.9

This command configures group 1 to contain two ServerIrons.

Syntax: [no] server peer-group <num> <ip-addr>...

The <num> parameter specifies the stateless health check group ID. You can specify a number from 1 – 16. There is no default.

The <ip-addr>... parameter specifies a list of ServerIron management IP addresses. You can specify up to four addresses with the command. Separate each address with a space. You can configure up to 16 ServerIron management IP addresses. To do so, enter the command four times and specify different addresses each time.

NOTE: Make sure you add the management IP address for each of the other ServerIrons in the group. Do not include the ServerIron’s own management address in the list.

To configure a ServerIron’s stateless health check priority, enter a command such as the following on each ServerIron in the stateless health check group.

NOTE: If you do not set the stateless health check priority on a ServerIron, that ServerIron does not participate in stateless health checking. If you set the same priority on all the ServerIrons, their priorities are based on their management IP addresses instead. In this case, a higher management IP address has more priority than a lower management IP address.

ServerIronA(config)# server peer-group 1 self-priority 16

This command sets the stateless health check priority on ServerIron A to 16, the highest priority.

Syntax: [no] server peer-group <num> <priority>

The <priority> parameter specifies the ServerIron’s priority for stateless health checks. You can specify a number from 1 (lowest) – 16 (highest). The ServerIron with the highest stateless health check priority in the group becomes the master for stateless health checks.

To set the priority on ServerIron B, enter a command such as the following:

ServerIronB(config)# server peer-group 1 self-priority 1

This command sets the stateless health check priority on ServerIron B to 1, the lowest priority.

Possible values: See above

Default value: See above
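The peer-group rules above (group ID and priority ranges, the four-address and 16-address limits, excluding the ServerIron's own address, and master selection) can be checked before a configuration is deployed. The following is an added sketch, not Foundry code: the function names and the management address 192.168.2.9 are constructed, and applying the higher-management-IP rule to any tie for the highest priority is an assumption that generalizes the page's "same priority on all the ServerIrons" case.

```python
import ipaddress


def check_peer_group(own_ip, config_lines):
    """Validate 'server peer-group' lines for one ServerIron.

    Returns (peers, priority, problems): peers and priority are keyed by
    group ID; problems lists violations of the limits stated on this page.
    """
    peers, priority, problems = {}, {}, []
    for line in config_lines:
        tok = line.split()
        if tok[:2] != ["server", "peer-group"] or len(tok) < 4:
            continue
        num = int(tok[2])
        if not 1 <= num <= 16:
            problems.append(f"group {num}: ID outside 1-16")
        if tok[3] == "self-priority":
            prio = int(tok[4]) if len(tok) > 4 else 0
            if not 1 <= prio <= 16:
                problems.append(f"group {num}: priority outside 1-16")
            priority[num] = prio
            continue
        addrs = tok[3:]
        if len(addrs) > 4:
            problems.append(f"group {num}: more than four addresses on one command")
        for addr in addrs:
            ipaddress.IPv4Address(addr)          # raises ValueError if malformed
            if addr == own_ip:
                problems.append(f"group {num}: list includes own address {addr}")
            peers.setdefault(num, []).append(addr)
    for num, addrs in peers.items():
        if len(addrs) > 16:
            problems.append(f"group {num}: more than 16 addresses configured")
        if num not in priority:
            problems.append(f"group {num}: no self-priority, so this ServerIron "
                            "does not participate in stateless health checking")
    return peers, priority, problems


def elect_master(priorities):
    """Pick the master for stateless health checks.

    priorities maps management IP -> self-priority, or None when not set.
    Highest priority wins; ties go to the higher management IP (assumption
    for partial ties, stated by the page for the all-equal case).
    """
    candidates = {ip: p for ip, p in priorities.items() if p is not None}
    if not candidates:
        return None
    return max(candidates,
               key=lambda ip: (candidates[ip], int(ipaddress.IPv4Address(ip))))


# Commands from the page's example for ServerIron A.
SERVERIRON_A_LINES = [
    "server peer-group 1 192.168.3.9 192.168.4.9",
    "server peer-group 1 self-priority 16",
]

if __name__ == "__main__":
    print(check_peer_group("192.168.2.9", SERVERIRON_A_LINES))
    print(elect_master({"192.168.2.9": 16, "192.168.3.9": 1, "192.168.4.9": None}))
```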

server ping-interval

In a client server environment, if a server does not respond within five seconds to active traffic, then that server will be marked suspect and the switch will send out a ping to the server. The number of times the server is pinged by the switch is defined by the server ping-retries command. The interval between the pings is defined by this command, the server ping-interval.

This command is used in conjunction with the feature server load balancing on the ServerIron switch.

EXAMPLE:

To modify the interval between ping retries to 8 seconds from the default value of 2 seconds, enter the following command:

ServerIron(config)# server ping-interval 8

Syntax: server ping-interval <value>

Possible values: 1 – 10 seconds

Default value: 2 seconds

server ping-retries

This command configures how often the server is pinged before placing the server in a failed state. Possible values are between 2 and 10 with a default value of 4.

This command is used in conjunction with the feature server load balancing on the ServerIron switch.

EXAMPLE:

To modify how often a switch pings a server before declaring the server down to a value of 7 from the default value of 4, enter the following command:

ServerIron(config)# server ping-retries 7

Syntax: server ping-retries <value>

Possible values: 2 – 10 retries

Default value: 4 retries

server policy-hash-acl

Overrides the global hash mask for all traffic that matches the source and destination information in the specified ACL.

EXAMPLE:

ServerIron(config)# access-list 100 permit ip any 192.168.1.16 0.0.0.15

ServerIron(config)# access-list 100 permit ip any 192.168.2.0 0.0.0.255

ServerIron(config)# access-list 100 permit ip any 192.168.3.192 0.0.0.63

ServerIron(config)# access-list 100 permit ip any 192.168.4.0 0.0.0.255

ServerIron(config)# access-list 100 permit ip any 192.168.3.160 0.0.0.31

ServerIron(config)# access-list 100 permit ip any 192.168.3.0 0.0.0.127

ServerIron(config)# access-list 100 permit ip any 64.129.1.0 0.0.0.255

ServerIron(config)# server fw-group-2

ServerIron(config-tc-2)# hash-mask 255.255.255.255 0.0.0.0

ServerIron(config-tc-2)# policy-hash-acl 100 255.255.255.255 255.255.255.255

In this example, FWLB will use the hash mask 255.255.255.255 0.0.0.0 for all traffic except the traffic that matches ACL 100.

Syntax: [no] server policy-hash-acl <acl-id> <src-mask> <dst-mask>

This command overrides the global hash mask for all traffic that matches the source and destination information in the specified ACL.

The <acl-id> parameter specifies a standard or extended ACL. Configure each entry in the ACL to permit the addresses for which you want to override the global hash mask.

The <src-mask> parameter specifies the source mask.

The <dst-mask> parameter specifies the destination mask.

Possible values: See above

Default value: N/A; the global hash values are used
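Which mask pair a flow receives depends on how the ACL's wildcard masks match the flow's addresses. The following added example (not Foundry code) parses the ACL from the example above and reports the mask pair that applies to a given source and destination; the function names are hypothetical, and first-match evaluation with a matching deny entry falling back to the global mask is an assumption based on common ACL behaviour.

```python
import ipaddress

# ACL entries and mask pairs copied from the example on this page.
ACL_TEXT = """\
access-list 100 permit ip any 192.168.1.16 0.0.0.15
access-list 100 permit ip any 192.168.2.0 0.0.0.255
access-list 100 permit ip any 192.168.3.192 0.0.0.63
access-list 100 permit ip any 192.168.4.0 0.0.0.255
access-list 100 permit ip any 192.168.3.160 0.0.0.31
access-list 100 permit ip any 192.168.3.0 0.0.0.127
access-list 100 permit ip any 64.129.1.0 0.0.0.255
"""
GLOBAL_HASH_MASK = ("255.255.255.255", "0.0.0.0")             # hash-mask command
OVERRIDE_MASKS = {100: ("255.255.255.255", "255.255.255.255")}  # policy-hash-acl 100


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(head), _ip(tokens.pop(0))


def parse_acl(text):
    """Parse 'access-list <id> permit|deny ip <src> <dst>' lines."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        rest = tok[4:]
        src = _take_spec(rest)
        dst = _take_spec(rest)
        entries.append({"id": int(tok[1]), "action": tok[2],
                        "src": src, "dst": dst, "line": line})
    return entries


def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF        # wildcard bits set to 1 are ignored
    return (_ip(addr) & care) == (base & care)


def select_hash_mask(src, dst, entries, acl_id=100):
    """Return (mask pair, matching ACL line or None) for one flow."""
    for entry in entries:
        if entry["id"] != acl_id:
            continue
        if _matches(src, entry["src"]) and _matches(dst, entry["dst"]):
            if entry["action"] == "permit":
                return OVERRIDE_MASKS[acl_id], entry["line"]
            break                        # assumption: first match wins, deny = no override
    return GLOBAL_HASH_MASK, None


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for dst in ("192.168.3.170", "192.168.3.130", "192.168.1.32"):
        print(dst, select_hash_mask("10.1.1.1", dst, acl))
```

In the page's ACL, the three 192.168.3.x entries leave 192.168.3.128 through 192.168.3.159 unmatched, so traffic to those addresses keeps the global hash mask.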

server port

Configures a port profile for a TCP/UDP port. The port profile globally defines the following attributes for the port.

NOTE: For additional information, see the "Configuring a Port Profile" section in the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.

Table 6.1: Port Profile Attributes

| Attribute | Description |
|---|---|
| Port type (TCP or UDP) | This attribute applies only to ports for which the ServerIron does not already know the type. For example, if a real server uses port 8080 for HTTP (a TCP port), you can globally identify 8080 as a TCP port. The ServerIron assumes that ports for which it does not know the type are UDP ports. Note: To display a list of the ports for which the ServerIron already knows the type, enter the server port ? command at the global CONFIG level of the CLI. |
| Keepalive interval and retries | The number of seconds between health checks and the number of times the ServerIron re-attempts a health check to which the server does not respond. You can specify from 2 – 120 seconds for the interval. You can specify from 1 – 5 retries. |
| Keepalive state | Whether the ServerIron’s health check for the port is enabled or disabled. Recurring Layer 4 and Layer 7 health checks are disabled by default. When you configure a port profile, the software automatically globally enables the health check for the application. You also can explicitly disable or re-enable the keepalive health check at this level. Note: If you are configuring a port profile for a port that is known to the ServerIron, the keepalive parameters affect Layer 7 health checks. For other ports, the keepalive parameters affect Layer 4 health checks. |
| Keepalive port | By default, the ServerIron bases the health of an application port on the port itself. You can specify a different application port for the health check. In this case, the ServerIron bases the health of an application port on the health of the other port you specify. Note: You cannot base the health of a port well-known to the ServerIron on the health of another port, whether the port is well-known or not well-known. |
| Source of health for alias port | By default, the ServerIron performs independent health checks on an alias port and its master port. You can configure the ServerIron to base the health of an alias port on the state of its master port. |
| TCP or UDP age | The number of minutes a TCP or UDP session table entry can remain inactive before the ServerIron times out the entry. This parameter is set globally for all TCP or UDP ports but you can override the global setting for an individual port by changing that port’s profile. You can set the TCP or UDP age from 2 – 60 minutes. The default TCP age is 30 minutes. The default UDP age is five minutes. Note: Since UDP is a connectionless protocol, the ServerIron does not remove a UDP session from its session table until the session times out. TCP is a connection-based protocol. Thus, for TCP sessions, the ServerIron removes the session as soon as the client or server closes the session. |
| Session synchronization | In Symmetric SLB configurations, this attribute provides failover for individual sessions on the application port. Normally, existing sessions are not carried over from one ServerIron to another during failover. |
| Connection logging | You can enable logging for session table entries created for this port. |
| Slow start | Configures the ServerIron to control the rate of new connections to the application port to allow the server to ramp up. |
| Smooth factor | If you plan to use server response time as a load-balancing method, you can adjust the amount of preference the ServerIron gives the most recent response time compared to the previous response time. |
| Server cluster support | Configures the ServerIron to stop sending requests to a server when the requested application is down on the server. This feature is useful for server cluster applications such as NFS. |

EXAMPLE:

To add port 8080 and specify that it is a TCP port, enter the following command:

ServerIron(config)# server port 8080

ServerIron(config-port-8080)# tcp

Syntax: server port <tcp/udp-portnum>

Syntax: tcp | udp [keepalive [<interval> <retries>]]

Syntax: tcp | udp [keepalive [disable | enable]]

Possible values: see above

Default values: interval 5, retries 2

If you do not specify the port type (TCP or UDP), the ServerIron assumes that the port type is UDP.

EXAMPLE:

To override the default TCP age and set the age for TCP port 80 to 15 minutes, enter the following commands:

ServerIron(config)# server port 80

ServerIron(config-port-80)# tcp 15

Syntax: server port <tcp/udp-portnum>

Syntax: tcp | udp <2-60>

Possible values: 2 – 60 minutes

Default values: 30 minutes for TCP; 5 minutes for UDP

EXAMPLE:

To change the HTTP (TCP port 80) keepalive interval to 15 seconds and the retries to 5, enter the following commands:

ServerIron(config)# server port 80

ServerIron(config-port-80)# tcp keepalive 15 5

Syntax: server port <tcp/udp-portnum>

Syntax: tcp | udp keepalive <interval> <retries>

Possible values: You can specify from 2 – 120 seconds for the interval. You can specify from 1 – 5 retries.

Default values: interval 5; retries 2

EXAMPLE:

To enable session synchronization for port 80, enter the following commands:

ServerIron(config)# server port 80

ServerIron(config-port-80)# session-sync

Syntax: [no] server port <tcp/udp-portnum>

Syntax: [no] session-sync

In Symmetric SLB configurations, if the active ServerIron becomes unavailable, service for the VIPs that ServerIron was load balancing is assumed by the backup ServerIron. By default, open sessions on the ServerIron that becomes unavailable are not carried over to the standby ServerIron. Instead, the sessions end and must be re-established by the clients or servers.

You can configure session failover on an individual TCP or UDP port basis by enabling session synchronization in the port’s profile.

EXAMPLE:

You can configure the ServerIron to base the health of a port that is not well-known to the ServerIron on the health of one of the following ports that are well-known to the ServerIron:

• DNS – the well-known name for port 53

• FTP – the well-known name for port 21. (Ports 20 and 21 both are FTP ports but on the ServerIron, the name “FTP” corresponds to port 21.)

• HTTP – the well-known name for port 80

• IMAP4 – the well-known name for port 143

• LDAP – the well-known name for port 389

• POP3 – the well-known name for port 110

• NNTP – the well-known name for port 119

• SMTP – the well-known name for port 25

• TELNET – the well-known name for port 23

To base a port’s health on the health of another port, enter a command such as the following:

ServerIron(config-port-1234)# tcp keepalive port 80

Syntax: tcp | udp keepalive port <TCP/UDP-portnum>

The command in this example configures the ServerIron to base the health of port 1234 on the health of port 80 (HTTP). If the health of port 80 changes, the ServerIron applies the change to port 1234.

NOTE: You cannot base the health of a port well-known to the ServerIron on the health of another port, whether the port is well-known or not well-known.

EXAMPLE:

To configure an unknown TCP port to use the Layer 7 health check for a well-known TCP application, enter commands such as the following:

ServerIron(config)# server port 999

ServerIron(config-port-999)# tcp keepalive protocol smtp

These commands configure port profile parameters for port 999. The second command in the example makes the port a TCP port and assigns the SMTP Layer 7 health check to the port.

Syntax: [no] server port <TCP-portnum>

Syntax: [no] tcp keepalive protocol <TCP-port>

The protocol <TCP-port> parameter specifies the type of Layer 7 health you want to use for the port. You can specify one of the following:

• ftp or 21

• imap4 or 143

• ldap or 389

• pop3 or 110

• smtp or 25

• telnet or 23

EXAMPLE:

To configure an unknown UDP port to use a DNS Layer 7 health check, enter commands such as the following:

ServerIron(config)# server port 999

ServerIron(config-port-999)# udp keepalive protocol dns

Syntax: server port <UDP-portnum>

Syntax: udp keepalive protocol <UDP-portnum>

The protocol <UDP-port> parameter specifies the type of Layer 7 health you want to use for the port. You can specify dns or 53.

EXAMPLE:

You can globally disable a Layer 4 port on the ServerIron. The port can be disabled for all real servers, all virtual servers or all real and virtual servers. After you disable a port globally, you can enable the port on individual real or virtual servers as necessary. By default, all real and virtual ports are enabled.

When the ServerIron is booted, if the command to globally disable a real or virtual port exists in the startup-config file, the specified port is disabled at startup. When a real or virtual port is created, and the port has been disabled globally, the real or virtual port is disabled as well. You must enable the port explicitly.

To disable all real HTTP ports:

ServerIron(config)# server port 80

ServerIron(config-port-http)# disable real

ServerIron(config-port-http)#

To disable all virtual HTTP ports:

ServerIron(config)# server port 80

ServerIron(config-port-http)# disable virtual

ServerIron(config-port-http)#

To disable all real and virtual HTTP ports:

ServerIron(config)# server port 80

ServerIron(config-port-http)# disable

ServerIron(config-port-http)#

Syntax: disable [real | virtual]

EXAMPLE:

To configure an alias port’s health to be based on its master port’s health, edit the alias port’s profile by entering commands such as the following:

ServerIron(config)# server port 8080

ServerIron(config-port-8080)# tcp keepalive use-master-state

Syntax: [no] tcp keepalive use-master-state

NOTE: You can base an alias port’s health on the health of a TCP port that is well-known to the ServerIron. You cannot base an alias port’s health on the health of a UDP port or a port that is not well-known to the ServerIron.

NOTE: The health checks for the alias ports must be enabled. Otherwise, the ServerIron will not check the master port’s state, and the alias port will not go down when the master port goes down.

EXAMPLE:

NOTE: This section applies only to the ServerIron 400 and ServerIron 800.

To configure the ServerIron to stop sending requests to a real server for an application that is down on the server, enter the following command at the configuration level for the port’s profile:

ServerIron(config-port-80)# reset-port-on-reset

Syntax: [no] reset-port-on-reset

By default, if an application on a real server becomes unavailable but the real server itself is still up, the ServerIron continues to include the real server in its load balancing decisions for the application. For example, if the HTTP application on a real server stops responding to Layer 4 health checks but the real server continues to respond to Layer 3 health checks (IP pings) from the ServerIron, the ServerIron continues to forward HTTP requests to the real server.

In some configurations, such as those that use a cluster of servers for an application, you might want to configure the ServerIron to stop sending requests to a server when the requested application is down on the server. For example, this feature is useful in an NFS configuration.

When you enable this feature, the ServerIron does one of the following in addition to redirecting future requests away from the real server:

• UDP – For an unavailable UDP application, the ServerIron terminates the connection.

• TCP – For an unavailable TCP application, the ServerIron resets the connection.

Possible values: See above

Default values: See above

server predictor

This command is used to select the load-balancing method. By default, the least connections method is enabled.

EXAMPLE:

To change the server load-balancing method from the default value of least connections to the round-robin method, enter the following:

ServerIron(config)# server predictor round-robin

Syntax: [no] server predictor least-conn | response-time | round-robin | weighted

Possible values: See above

Default value: least-conn

NOTE: When you assign the weighted percentage metric, you must configure both the virtual and real servers involved. Each real server is assigned a weight from 0 – 64000.

server real-name

This command assigns a name and IP address to the real server. The server name is used to bind the server IP address, so that the real server name can be used to represent the server. The server name can be any alphanumeric string of up to 32 characters.

This command is used in conjunction with the server load balancing feature on the ServerIron switch.

NOTE: Use this command only if the server is attached to the ServerIron at Layer 2. If the server is attached through one or more router hops, use the server remote-name command instead. See “server remote-name” on page 6-79.

EXAMPLE:

ServerIron(config)# server real-name Wolalak_Wuwanich 192.168.1.159

Syntax: server real-name <text> <ip-addr>

Possible values: a string up to 32 alphanumeric characters long

Default value: N/A

server reassign-threshold

This command modifies the number of contiguous unacknowledged TCP SYN ACKs the ServerIron allows to accumulate for a real server, before determining that the server is down and marking it FAILED.

If the server responds to a TCP SYN, the counter returns to zero.

EXAMPLE:

ServerIron(config)# server reassign-threshold 215

Syntax: server reassign-threshold <6-254>

Possible values: 6 – 254

Default value: 20

server remote-name

This command assigns a name and IP address to a remote real server. When you add a real server using the server remote-name command instead of the server real-name command, the ServerIron does not include the server in the predictor (load-balancing method). Instead, the ServerIron sends traffic to the remote server only if all local real servers (added using the server real-name command) are unavailable.

The server name is used to bind the server IP address, so that the real server name can be used to represent the server. The server name can be any alphanumeric string of up to 32 characters.

This command is used in conjunction with the Server Load Balancing feature on the ServerIron switch.

NOTE: Use this command only if the server is attached through one or more router hops. If the server is attached to the ServerIron at Layer 2, use the server real-name command instead. See “server real-name” on page 6-78.

EXAMPLE:

ServerIron(config)# server remote-name webfailover 209.157.22.37

Syntax: server remote-name <text> <ip-addr>

Possible values: N/A

Default value: N/A

server response-time

Globally configures response-time warning and shutdown thresholds for all real servers.

You can specify a warning threshold and a shutdown threshold:

• Warning – If an application’s average response time is longer than the number of milliseconds of the warning threshold, the software generates a Syslog message and an SNMP trap.

• Shutdown – If an application’s average response time is longer than the number of milliseconds of the shutdown threshold, the software generates a Syslog message and an SNMP trap and also shuts down the application port on the real server. Other application ports on the real server are not affected.

By default, a real server does not have a warning threshold or a shutdown threshold. For each threshold, you can specify a threshold value from 0 (disabled) – 65535 milliseconds (65 seconds).

You can configure one or both thresholds globally or on an individual real server basis. The thresholds configured on an individual real server override the globally configured thresholds. After bringing down the application port, the ServerIron periodically attempts to reach the port and brings the port back up once the port responds. For information, see the "Application Port States" section in the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.

NOTE: This feature requires the Layer 4 and Layer 7 health checks to be enabled. If the health checks are not enabled, the ServerIron does not apply the response thresholds you configure.

NOTE: This feature applies only to TCP ports.

EXAMPLE:

ServerIron(config)# server response-time 200 300

The command in this example configures the ServerIron to generate a warning message for an application port if its average response time is longer than 200 milliseconds. The command also configures the ServerIron to shut down a port if its average response time is longer than 300 milliseconds.

Syntax: [no] server response-time <warning-threshold> [<shutdown-threshold>]

The <warning-threshold> parameter specifies the average number of milliseconds within which an application port must respond to avoid a warning message. You can specify from 0 – 65535 milliseconds (65 seconds). There is no default. If you specify 0, the warning threshold is disabled.

The <shutdown-threshold> parameter specifies the average number of milliseconds within which an application port must respond to avoid being shut down. You can specify from 0 – 65535 milliseconds (65 seconds). There is no default. If you specify 0, the shutdown threshold is disabled.

If you want the ServerIron to generate a warning message but you do not want the ServerIron to shut down an application port, configure the warning threshold but not the shutdown threshold. Here is an example:

ServerIron(config)# server response-time 100

To set the shutdown threshold without also setting a warning threshold, enter 0 for the warning threshold, as shown in the following example:

ServerIron(config)# server response-time 0 300

Possible values: 0 – 65535 milliseconds (65 seconds)

Default value: not configured

server reverse-nat

This command enables Reverse NAT. Reverse NAT allows the ServerIron to change the source IP address of some traffic initiated by a real server. Specifically, the feature causes the ServerIron to change the source IP address for traffic that the real server initiates on TCP or UDP ports that are bound to a VIP.

By default, the ServerIron does not perform address translation for any traffic initiated by the real server. However, if you enable Reverse NAT, the ServerIron does perform address translation for connections that the server initiates on ports that are bound to a VIP on the ServerIron.

Reverse NAT works with any port number you use for binding the real server to the VIP. However, TCP and UDP traffic initiated by a real server usually uses a port that is chosen by the server when the traffic is sent. As a result, it is not easy to predict the port numbers the real server will use. You can ensure that the ServerIron translates the source address of the traffic by binding the real server to a VIP using the “default” port. For example, if you configure VIP1 and bind it to real server RS1 using the default port, the ServerIron translates the source IP address in all TCP and UDP traffic initiated by RS1 from the real server’s IP address into the VIP address.

Even when Reverse NAT is enabled, the ServerIron does not translate the source address for traffic that the real server initiates over ports that are not bound to a VIP.

If you bind a real server to more than one VIP, the ServerIron will use the address of the VIP that is bound to the server using the default port. For example, if you bind a real server to VIP1 using TCP port 80 and bind the same server to VIP2 using the default port, the ServerIron always uses VIP2 for Reverse NAT.

NOTE: Reverse NAT does not affect reply traffic from the server. The feature applies only to traffic initiated by the server. In addition, the feature applies only to traffic on the TCP and UDP ports that are used to bind the real server to a VIP configured on the ServerIron. If the real server and VIP are bound using the default port, Reverse NAT applies to all TCP and UDP traffic initiated by the server.

Reverse NAT is disabled by default. If you need to enable reverse NAT, use one of the following methods.

EXAMPLE:

ServerIron(config)# server real-name RS1 10.10.10.1
ServerIron(config-rs-RS1)# port http
ServerIron(config-rs-RS1)# exit
ServerIron(config)# server virtual-name VIP1 192.168.1.10
ServerIron(config-vs-VIP1)# bind http RS1 http
ServerIron(config-vs-VIP1)# exit
ServerIron(config)# server virtual-name VIP2 192.168.1.69
ServerIron(config-vs-VIP2)# bind default RS1 default
ServerIron(config-vs-VIP2)# exit
ServerIron(config)# server reverse-nat

The commands in this example create real server RS1 and VIPs VIP1 and VIP2. VIP1 is bound to RS1 using TCP port 80 (HTTP). VIP2 is bound to RS1 using the default port. When RS1 initiates TCP or UDP traffic, the ServerIron translates the source IP address from 10.10.10.1 to 192.168.1.69. The ServerIron uses VIP2’s IP address instead of VIP1’s IP address for Reverse NAT because VIP2 is bound using the default port.

Syntax: [no] server reverse-nat

Possible values: N/A

Default value: disabled
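
The Reverse NAT rules described above reduce to a short decision procedure. The following Python model is an added example, not Foundry code: the Binding class and the function name are hypothetical, and `port` stands for the TCP or UDP port on which the text says the real server initiates the traffic.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

DEFAULT = "default"  # the keyword used in "bind default RS1 default"


@dataclass(frozen=True)
class Binding:
    """One 'bind' statement under a virtual server (hypothetical model type)."""
    vip_name: str
    vip_addr: str
    real_server: str
    port: Union[int, str]  # a port number, or DEFAULT


def reverse_nat_source(bindings: List[Binding], enabled: bool, real_server: str,
                       port: int, server_initiated: bool = True) -> Optional[str]:
    """Return the VIP address substituted as the source IP, or None when the
    packet keeps the real server's own address as far as Reverse NAT goes."""
    if not enabled:            # Reverse NAT is disabled by default
        return None
    if not server_initiated:   # reply traffic is not affected by the feature
        return None
    mine = [b for b in bindings if b.real_server == real_server]
    # A VIP bound with the default port covers all TCP and UDP traffic the
    # server initiates, and it is the VIP used when several VIPs are bound.
    for b in mine:
        if b.port == DEFAULT:
            return b.vip_addr
    # Otherwise only traffic on a port that is bound to a VIP is translated.
    for b in mine:
        if b.port == port:
            return b.vip_addr
    return None


# Constructed bindings mirroring the example above: VIP1 bound on HTTP (80),
# VIP2 bound with the default port.
PAGE_EXAMPLE = [
    Binding("VIP1", "192.168.1.10", "RS1", 80),
    Binding("VIP2", "192.168.1.69", "RS1", DEFAULT),
]
HTTP_ONLY = PAGE_EXAMPLE[:1]  # same server with only the port 80 binding

if __name__ == "__main__":
    cases = [
        ("VIP1 + VIP2, port 80", PAGE_EXAMPLE, 80),
        ("VIP1 + VIP2, port 33000", PAGE_EXAMPLE, 33000),
        ("VIP1 only, port 80", HTTP_ONLY, 80),
        ("VIP1 only, port 33000", HTTP_ONLY, 33000),
    ]
    for label, binds, port in cases:
        print(label, "->", reverse_nat_source(binds, True, "RS1", port))
```

The last case shows why the text recommends the default port: without it, server-initiated traffic on a port the server chose itself leaves with the real server's address.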

server router-ports

This command is used to identify ports on a ServerIron switch that are connected to a router. Use this command when multiple ports on the switch are attached to routers.

This command is used in conjunction with the SLB feature on the ServerIron switch.

NOTE: The command is not supported on Foundry Layer 3 Switches.

EXAMPLE:

ServerIron(config)# server router-ports 8

Syntax: server router-ports <1-26>

Possible values: N/A

Default value: N/A

server session-id-age

This command is used in conjunction with the SSL session ID switching feature on the ServerIron. By default, the ServerIron keeps the entry associating an SSL session ID with a real server in its database for 30 minutes. After 30 minutes, the entry ages out of the database. Use this command to change the length of time the ServerIron keeps the entry in the database.

EXAMPLE:

To change the aging period to 10 minutes:

ServerIron(config)# server session-id-age 10

Syntax: server session-id-age <minutes>

Possible values: 2 – 60 minutes

Default value: 30 minutes

server session-limit

This command is used to limit the maximum number of active sessions allowed on a ServerIron. An active session is a session entry in the ServerIron’s session table. Thus, a UDP or TCP session that has become idle but has not yet timed out (according to the UDP or TCP age timer) is an “active” session in this table.

NOTE: This command applies only to SLB and is not supported on Foundry Layer 3 Switches.

EXAMPLE:

ServerIron(config)# server session-limit 550000

Syntax: server session-limit <value>

Possible values: The <value> for ServerIron 400 and ServerIron 800 systems can be from 32,768 – 2,000,000. On 32M ServerIron systems, the <value> can be from 32,768 – 1,000,000. On 8M ServerIron systems, the <value> can be from 32,768 – 160,000.

Default value: for 32MB systems: 524,288; for 8MB systems: 131,072.

server slb-fw

Enables SLB-to-FWLB. For information, see the Foundry ServerIron Firewall Load Balancing Guide.

EXAMPLE:

ServerIronB(config)# server slb-fw

Syntax: [no] server slb-fw

Possible values: N/A

Default value: Disabled

server source-ip

Adds an IP address to the ServerIron for use by the real servers as their default gateway address. Source IP addresses, when used with the source NAT feature, enable you to place the ServerIron in a multinetted environment.

You can configure up to 64 source IP addresses on a ServerIronXL running software release 07.3.00 or later. You can configure up to 40 source IP addresses on other models running 07.1.x or 07.2.x software.

NOTE: If you are configuring a pair of ServerIrons for hot-standby (active-standby) and you want to use the same source IP address as the real servers’ default gateway on each ServerIron, use the server source-standby-ip command instead. See “server source-standby-ip”.

EXAMPLE:

ServerIron(config)# server source-ip 209.157.22.28 255.255.255.0 209.157.22.1

Syntax: [no] server source-ip <ip-addr> <ip-mask> <default-gateway>

NOTE: The gateway parameter is required. If you do not want to specify a gateway, enter "0.0.0.0".

Possible values: See above

Default value: N/A

server source-nat

Enables the ServerIron to change the source IP address for traffic the ServerIron forwards to a real server. When source NAT is enabled, the ServerIron translates the source IP address from the client’s into a source IP address you have configured.

Source NAT is disabled by default.

NOTE: If you are configuring a pair of ServerIrons for hot-standby (active-standby) and you want to use the same source IP address on each ServerIron, use the server source-nat-ip command instead. See “server source-nat-ip”.

EXAMPLE:

ServerIron(config)# server source-nat

Syntax: [no] server source-nat

Possible values: N/A

Default value: Disabled

server source-nat-ip

In a hot-standby (active-standby) SLB configuration, configures a shared source IP address for NAT. Enter the same command with the same source IP address on each of the ServerIrons. The address is active only on one ServerIron (the ServerIron that is currently active) at a time.

NOTE: This command applies only to hot-standby (active-standby) configurations.

NOTE: If you are configuring a shared source IP address for use by the real servers as their default gateway, use the server source-standby-ip command instead. See “server source-standby-ip”.

EXAMPLE:

Enter the following command on each ServerIron in the active-standby pair.

ServerIron(config)# server source-nat-ip 10.10.10.5 255.255.255.0 0.0.0.0

Syntax: [no] server source-nat-ip <ip-addr> <ip-mask> <default-gateway>

NOTE: The gateway parameter is required. If you do not want to specify a gateway, enter "0.0.0.0".

Possible values: See above

Default value: Disabled

server source-standby-ip

In a hot-standby (active-standby) SLB configuration, configures a shared source IP address for use by the real servers as their default gateway. Enter the same command with the same source IP address on each of the ServerIrons. The address is active only on one ServerIron (the ServerIron that is currently active) at a time.

NOTE: This command applies only to hot-standby (active-standby) configurations.

NOTE: If you are configuring a shared source IP address for NAT, use the server source-nat-ip command instead. See “server source-nat-ip”.

EXAMPLE:

Enter the following command on each ServerIron in the active-standby pair.

ServerIron(config)# server source-standby-ip 10.10.10.5 255.255.255.0 0.0.0.0

Syntax: [no] server source-standby-ip <ip-addr> <ip-mask> <default-gateway>

NOTE: The gateway parameter is required. If you do not want to specify a gateway, enter "0.0.0.0".

Possible values: See above

Default value: Disabled

server sticky-age

This command is used in conjunction with the SLB on the ServerIron switch. It allows you to modify the aging out parameter for inactive sticky server connections.

Sticky connections are defined on the virtual server port of a ServerIron for those instances when sequential TCP/UDP port connections must be serviced by the same server.

EXAMPLE:

To set a sticky age of 25 minutes, enter the following:

ServerIron(config)# server sticky-age 25

Syntax: server sticky-age

Possible values: 2 – 60 minutes

Default value: 5 minutes

server sym-pdu-rate

Changes the interval and wait time for SSLB discovery packets.

A ServerIron in an SSLB configuration uses SSLB discovery packets to request SSLB information from the other ServerIrons. SSLB discovery packets are proprietary Layer 2 broadcast packets and are sent on all ports in all port-based VLANs.

By default, a ServerIron in an SSLB configuration sends SSLB discovery packets at 200-millisecond intervals. The ServerIron will wait up to 20 equivalent intervals to receive an SSLB discovery packet from another ServerIron. If the ServerIron does not receive an SSLB discovery packet from the other ServerIron within the 20 intervals, the ServerIron concludes that its partner ServerIron is unavailable and assumes control of the VIPs being managed by that ServerIron. For example, if the interval for sending SSLB discovery packets is 200 milliseconds (the default), the ServerIron will wait 20 x 200 milliseconds (four seconds) to receive an SSLB discovery packet from another ServerIron.

You can change the discovery interval multiplier and the wait time multiplier.

• The discovery interval is equal to 200 milliseconds multiplied by the discovery interval multiplier. The default discovery interval multiplier is 1, so the default discovery interval is 200 milliseconds. You can specify a multiplier from 1 – 60.

• The wait time interval is equal to the discovery interval multiplied by the wait time multiplier. The default wait time multiplier is 20. Assuming the discovery interval is 200 milliseconds (the default), the default wait time is four seconds (20 x 200 milliseconds).

NOTE: The SSLB timer affects the rate at which the ServerIron sends SSLB protocol packets to its SSLB partners. The timer does not affect client or server traffic to or from a VIP.

NOTE: All the ServerIrons in your configuration must use the same SSLB discovery interval and wait time. If you change the interval and wait time on one ServerIron, make the same change on all the other ServerIrons in the SSLB configuration.

EXAMPLE:

To change the SSLB discovery interval multiplier and wait time multiplier, enter a command such as the following:

ServerIron(config)# server sym-pdu-rate 2 30

This command changes the interval at which the ServerIron sends SSLB discovery packets to once every 400 milliseconds, and changes the maximum amount of time the ServerIron will wait for an SSLB discovery packet from another ServerIron to 12 seconds (30 x 400 milliseconds).

Syntax: [no] server sym-pdu-rate <disc-mult> <wait-time-mult>

Possible values: <disc-mult> 1 – 60; <wait-time-mult> 1 – 60

Default value: <disc-mult> 1; <wait-time-mult> 20

server syn-def

Protects against TCP SYN attacks by setting a threshold for the amount of time it takes for a connecting host to send back an ACK packet. If this threshold is exceeded, the ServerIron removes the entry for the connection from its session table, and a TCP RESET packet is sent to the destination real server, causing it to remove the entry from its session table as well.

EXAMPLE:

To configure the ServerIron to remove an entry from its session table if the connection remains incomplete for 6 or more seconds:

ServerIron(config)# server syn-def 6

Syntax: server syn-def <threshold>

Possible values: The threshold parameter can be between 0 – 16 seconds. A threshold of 0 disables this feature. Foundry recommends a threshold above 5 seconds.

Default value: 8 seconds

server syn-limit

This command is used to limit the maximum number of TCP SYN requests on a per-second basis per server.

NOTE: This command applies only to SLB and is not supported on Foundry Layer 3 Switches.

EXAMPLE:

ServerIron(config)# server syn-limit 2000

Syntax: server syn-limit <value>

Possible values: 1 – 65535

Default value: 65535

server tcp-age

This command allows you to modify the aging out parameter for inactive TCP server connections.

If you change the TCP age, the change affects only new TCP sessions that start after you make the change. The maximum age for sessions that are already in the session table does not change.

EXAMPLE:

To modify the server TCP age to 20 minutes from the default value of 30 minutes, enter the following command:

ServerIron(config)# server tcp-age 20

Syntax: server tcp-age <value>

Possible values: 2 – 60 minutes

Default value: 30 minutes

server transparent-vip

Enables the transparent VIP feature.

NOTE: After enabling the ServerIron for transparent VIP, you still must enable individual VIPs for the feature. See “transparent-vip” on page 11-9.

EXAMPLE:

ServerIron(config)# server transparent-vip
ServerIron(config)# ip policy 1 cache tcp 80 local
ServerIron(config)# interface ethernet 1
ServerIron(config-if-1)# ip-policy 1

These commands enable transparent VIP globally for TCP port 80 (HTTP), then configure a cache redirection policy and apply it locally to the ServerIron port(s) connected to the clients. The cache redirection policy identifies the application port(s) on the VIP that you want to load balance.

Syntax: [no] server transparent-vip

Possible values: N/A

Default value: Disabled

server udp-age

This command allows you to modify the aging out parameter for inactive UDP server connections. Possible values are between 2 and 60 minutes with a default value of 5 minutes.

EXAMPLE:

To modify the server UDP age to 20 minutes from the default value of 5 minutes, enter the following command:

ServerIron(config)# server udp-age 20

Syntax: server udp-age <value>

Possible values: 2 – 60 minutes

Default value: 5 minutes

server use-simple-ssl-health-check

Configures the ServerIronXL to use the SSL health check method from software releases earlier than 07.1.18.

By default, the ServerIronXL uses the following method for SSL health checks.

The ServerIron initiates an SSL connection with the server on TCP port 443, a secure link is negotiated, and encrypted data is transferred across it. After the SSL connection is established, the ServerIron sends the SSL server an HTTP GET or HEAD request. The GET or HEAD request specifies a page containing the URL of a page on the server. By default, the ServerIron sends a HEAD request for the default page, “1.0”, although this can be changed with the port ssl url command.

• If the server responds with an acceptable status code, the ServerIron resets the connection and marks the port ACTIVE.

• If the server does not respond, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not respond, the ServerIron marks the server port FAILED and removes the server from the load-balancing rotation for SSL service.

All other ServerIron models use the following health check method.

The ServerIron sends an SSL client hello with the SSL SID set to 0:

• If the server responds, then the ServerIron resets the connection and marks the port ACTIVE.

• If the server does not respond, the ServerIron retries the health check up to the number of times configured (the default is two retries). If the server still does not respond, the ServerIron marks the server port FAILED and removes the server from the load-balancing rotation for SSL service.

The server use-simple-ssl-health-check command configures the ServerIronXL to also use this method.

EXAMPLE:

ServerIron(config)# server use-simple-ssl-health-check

Syntax: [no] server use-simple-ssl-health-check

Possible values: N/A

Default value: Disabled

server virtual-name

This command is used to define the virtual server name and IP address. The virtual server name can be any alphanumeric text string of up to 32 characters.

This command is used in conjunction with the server load balancing feature on the ServerIron switch.

EXAMPLE:

ServerIron(config)# server virtual-name noi 192.168.1.10

Syntax: server virtual-name <text> [<ip-addr>]

Possible values: a string up to 32 alphanumeric characters long

Default value: N/A

server vpn-lb

Configures the ServerIron to provide FWLB for a VPN firewall such as the Check Point VPN-1 Gateway/FireWall-1. Use this command to enable VPN load balancing on the ServerIron that is on the Internet side of the firewalls.

NOTE: This command’s optional parameters apply only to site-to-site VPN, not to SecureRemote-to-site VPN. From the ServerIron’s perspective, the difference between these two types of VPN is as follows:

• Site-to-site VPN – All Internet Security Association and Key Management Protocol (ISAKMP) packets are addressed to the Cluster IP address. ISAKMP is used by Check Point firewalls and is described in RFC 2408.

• SecureRemote-to-site VPN – Only the first ISAKMP packet is addressed to the Cluster IP address. Subsequent ISAKMP packets are addressed to a firewall.

EXAMPLE:

ServerIron(config)# server vpn-lb

Syntax: [no] server vpn-lb [tunnel-mode [load-balance round-robin | source-ip | spi]]

The tunnel-mode parameter enables site-to-site VPN load balancing.

The load-balance round-robin | source-ip | spi parameter specifies the load balancing method.

• round-robin – Encrypted VPN traffic is load balanced in round robin fashion, regardless of source or destination IP address. You can use this method if the firewalls are synchronized.

NOTE: When this load balancing method is used, the ServerIron does not maintain sessions for the traffic. A session would associate a given pair of source and destination IP addresses with a specific firewall, but the round robin method does not associate the traffic’s addresses with a specific firewall.

• source-ip – Encrypted VPN traffic to the firewalls is load balanced based on the source IP address of the traffic. Once the software selects a firewall for the first packet from a given IP address, all subsequent packets from the same address go to the same firewall. This is the default.

NOTE: In a site-to-site VPN load balancing configuration, this load balancing method can result in all the VPN traffic going to the same firewall, since all the traffic from a given site has the same source IP address.

• spi – Encrypted VPN traffic to the firewalls is load balanced based on the Security Parameter Index (SPI) of the traffic. The SPI is a unique value associated with the tunnel between each pair of source and destination sites or hosts. You can configure the Check Point firewalls to establish multiple tunnels to exchange traffic. If you configure the firewalls this way, the spi option enables the ServerIron to load balance the tunnels across multiple firewalls even though the tunnels appear to be originated by the same source IP address.

Possible values: See above

Default value: Disabled
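
The difference between the three load-balancing methods is easiest to see on site-to-site traffic, where every packet carries the same source IP address. The following Python simulation is an added example, not Foundry code: the addresses, SPIs and firewall names are constructed, and giving each newly seen source IP or SPI the next firewall in turn is an assumption, since the text does not say how the first firewall is selected.

```python
from collections import Counter
from itertools import cycle

FIREWALLS = ["FW1", "FW2", "FW3"]                 # constructed firewall names
SITE_A = "203.0.113.10"                           # constructed: one remote site
TUNNEL_SPIS = [0x1001, 0x1002, 0x1003, 0x1004]    # constructed: one SPI per tunnel
# Three rounds of traffic, one packet per tunnel in each round.
PACKETS = [(SITE_A, spi) for _ in range(3) for spi in TUNNEL_SPIS]


def assign_firewalls(method, packets, firewalls):
    """Return the firewall chosen for each (source_ip, spi) packet."""
    if method not in ("round-robin", "source-ip", "spi"):
        raise ValueError("unknown load-balance method: %r" % method)
    rotation = cycle(firewalls)
    sessions = {}   # key -> firewall; not used by round-robin (no sessions kept)
    chosen = []
    for src_ip, spi in packets:
        if method == "round-robin":
            chosen.append(next(rotation))
            continue
        key = src_ip if method == "source-ip" else spi
        if key not in sessions:
            # Assumption: a new key is given the next firewall in turn.
            sessions[key] = next(rotation)
        chosen.append(sessions[key])   # later packets stay on that firewall
    return chosen


def load_per_firewall(method, packets=PACKETS, firewalls=FIREWALLS):
    """Packets handled by each firewall under the given method."""
    return dict(Counter(assign_firewalls(method, packets, firewalls)))


def firewalls_per_tunnel(method, packets=PACKETS, firewalls=FIREWALLS):
    """For each SPI, the set of firewalls that saw that tunnel's packets."""
    seen = {}
    picks = assign_firewalls(method, packets, firewalls)
    for (_, spi), fw in zip(packets, picks):
        seen.setdefault(spi, set()).add(fw)
    return seen


if __name__ == "__main__":
    for method in ("source-ip", "spi", "round-robin"):
        print(method, load_per_firewall(method))
```

With source-ip the whole site lands on one firewall, spi keeps each tunnel on one firewall while spreading tunnels, and round-robin sends packets of the same tunnel to different firewalls, which is why the text ties it to synchronized firewalls.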

server vpn-lb-inside

Configures the ServerIron to provide FWLB for a VPN firewall such as the Check Point VPN-1 Gateway/FireWall-1. Use this command to enable VPN load balancing on the ServerIron that is on the private side of the firewalls.

EXAMPLE:

ServerIron(config)# server vpn-lb-inside

Syntax: [no] server vpn-lb-inside

Possible values: N/A

Default value: Disabled

service password-encryption

This command enables password encryption. When encryption is enabled, users cannot learn the device’s passwords by viewing the configuration file. Password encryption is enabled by default.

NOTE: Password encryption does not encrypt the password in Telnet packets sent to the device. This feature applies only to the configuration file.

EXAMPLE:

ServerIron(config)# no service password-encryption

Syntax: [no] service password-encryption

Possible values: N/A

Default value: Enabled

show…

Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.

snmp-client

Restricts SNMP management access to the Foundry device to the host whose IP address you specify. No other device except the one with the specified IP address can access the Foundry device through IronView or any other SNMP application.

If you want to restrict access from Telnet or the Web, use one or two of the following commands:

• telnet client – restricts Telnet access. See “telnet client” on page 6-95.

• web client – restricts Web access. See “web client” on page 6-100.

If you want to restrict all management access, you can use the commands above and the snmp-client command or you can use the following command: all-client. See “all-client” on page 6-7.

EXAMPLE:

To restrict SNMP access (which includes IronView) to the Foundry device to the host with IP address 209.157.22.26, enter the following command:

ServerIron(config)# snmp-client 209.157.22.26

Syntax: [no] snmp-client <ip-addr>

Possible values: a valid IP address. You can enter one IP address with the command. You can use the command up to ten times for up to ten IP addresses.

Default value: N/A

snmp-server community

Assigns an SNMP community string for the system. The command saves to the configuration file a user-specified network community string and an access type of either:

• read-only (public)

• read-write (private)

EXAMPLE:

ServerIron(config)# snmp-server community planet1 ro

Syntax: snmp-server community <string> ro | rw

Possible values: Up to 32 alphanumeric characters for the community string.

Default value: The default read-only community string is “public”. There is no default read-write community string.

snmp-server contact

Identifies a system contact. You can designate a contact name for the ServerIron and save it in the configuration file for later reference. You can later access contact information using the show snmp server command.

EXAMPLE:

ServerIron(config)# snmp-server contact Noi Lampa

Syntax: snmp-server contact <text>

Possible values: up to 32 alphanumeric characters for the system contact text string.

Default value: N/A

snmp-server enable traps

When the command is preceded with the word ‘no’, the command is used to stop certain traps from being generated by a system. The following SNMP Traps are collected by default: authentication key, cold-start, link-up, link-down, new-root, topology-change, power-supply-failure and locked-address-violation.

EXAMPLE:

To stop reporting incidences of links that are down, enter the following command:

ServerIron(config)# no snmp-server enable traps link-down

Syntax: [no] snmp-server enable traps <trap>

Possible values: trap type (for example, cold-start, new-root, etc.)

Default value: All of the following SNMP traps are enabled and will be generated by default for a system: authentication key, cold-start, link-up, link-down, new-root, topology-change, power-supply-failure and locked-address-violation

To disable a fan failure trap or power supply trap, use one of the following values: ps1 | ps2 | ps3 | ps4 | fan1 | fan2 | fan3 | fan4.

snmp-server enable vlan

Allows SNMP access only to clients in a specific VLAN.

EXAMPLE:

The following example configures the device to allow SNMP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.

ServerIron(config)# snmp-server enable vlan 40

Syntax: [no] snmp-server enable vlan <vlan-id>

Possible values: N/A

Default value: N/A

snmp-server host

Assigns or removes a station as SNMP trap receiver. To assign the trap receiver, use the command: snmp-server host. To later remove the trap receiver feature, enter no snmp-server host.

EXAMPLE:

To disable a station as a SNMP trap receiver, enter the following:

ServerIron(config)# no snmp-server host 192.22.3.33 public

Syntax: [no] snmp-server host <ip-addr> <community-string>

Possible values: IP address of trap receiver station, community string

Default value: no system default

snmp-server location

Identifies a system location for the ServerIron. This information is saved in the configuration file for later reference. You can later access system location information using the show snmp server command.

EXAMPLE:

ServerIron(config)# snmp-server location pulchritude_lane

Syntax: snmp-server location <text>

Possible values: up to 32 alphanumeric characters for the location text string

Default value: N/A

snmp-server pw-check

Disables password checking for SNMP set requests. If a third-party SNMP management application does not add a password to the password field when it sends SNMP set requests to a Foundry device, by default the Foundry device rejects the request. You can disable this password checking with the no snmp-server pw-check command.

EXAMPLE:

ServerIron(config)# no snmp-server pw-check

Syntax: [no] snmp-server pw-check

Possible values: N/A

Default value: N/A
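
Several commands in this chapter weaken management-plane or SYN protection when set a certain way (service password-encryption, snmp-client, snmp-server community, snmp-server pw-check, server syn-def, server syn-limit). The following Python checker is an added example, not a Foundry tool: the check names and sample configurations are constructed, and it assumes a saved configuration can be read as one command per line in the form the commands are entered.

```python
# Constructed samples built only from commands documented in this reference.
WEAK_CONFIG = """\
no service password-encryption
snmp-server community public ro
snmp-server community planet1 rw
no snmp-server pw-check
server syn-def 0
server session-limit 550000
"""

HARDENED_CONFIG = """\
snmp-server community planet1 ro
snmp-client 209.157.22.26
server syn-def 6
server syn-limit 2000
"""


def audit(config_text):
    """Return a list of (check_id, config_line, explanation) findings."""
    findings = []
    snmp_source_restricted = False
    syn_limit_set = False

    for raw in config_text.splitlines():
        line = " ".join(raw.split())      # normalise whitespace
        if not line:
            continue
        tok = line.split(" ")

        if line == "no service password-encryption":
            findings.append(("PW-ENC-OFF", line,
                             "passwords can be read from the configuration file"))
        elif tok[:2] == ["snmp-server", "community"] and len(tok) >= 4:
            community, access = tok[2], tok[3]
            if community == "public":
                findings.append(("SNMP-DEFAULT-COMMUNITY", line,
                                 "'public' is the default read-only string"))
            if access == "rw":
                findings.append(("SNMP-RW-COMMUNITY", line,
                                 "read-write community string is configured"))
        elif line == "no snmp-server pw-check":
            findings.append(("SNMP-PWCHECK-OFF", line,
                             "SNMP set requests are accepted without a password"))
        elif tok[0] in ("snmp-client", "all-client") or \
                tok[:3] == ["snmp-server", "enable", "vlan"]:
            snmp_source_restricted = True
        elif tok[:2] == ["server", "syn-def"] and len(tok) == 3 and tok[2].isdigit():
            threshold = int(tok[2])
            if threshold == 0:
                findings.append(("SYN-DEF-OFF", line,
                                 "a threshold of 0 disables the SYN protection"))
            elif threshold <= 5:
                findings.append(("SYN-DEF-LOW", line,
                                 "a threshold above 5 seconds is recommended"))
        elif tok[:2] == ["server", "syn-limit"]:
            syn_limit_set = True

    # Findings about lines that are missing rather than present.
    if not snmp_source_restricted:
        findings.append(("SNMP-UNRESTRICTED", "",
                         "no snmp-client, all-client or snmp-server enable vlan"))
    if not syn_limit_set:
        findings.append(("SYN-LIMIT-DEFAULT", "",
                         "syn-limit unset: default is 65535 per second per server"))
    return findings


def finding_ids(config_text):
    """Just the check identifiers, in the order they were raised."""
    return [check_id for check_id, _, _ in audit(config_text)]


if __name__ == "__main__":
    for check_id, line, why in audit(WEAK_CONFIG):
        print("%-24s %-40s %s" % (check_id, line or "(absent)", why))
```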

snmp-server trap-source

Specifies a port or virtual interface whose first configured IP address the Foundry device must use as the source for all SNMP traps sent by the device.

EXAMPLE:

ServerIron(config)# snmp-server trap-source ethernet 4

Syntax: snmp-server trap-source ethernet <portnum> | ve <num>

Possible values: The ethernet <portnum> parameter specifies a physical port on the device. Alternatively, you can specify a virtual interface using the ve <num> parameter, where <num> is the number of a virtual interface configured on the device.

Default value: N/A

snmp-server view

Configures an SNMP view. You can use an SNMP view as an argument with other commands.

SNMP views are named groups of MIB objects that can be associated with user accounts to allow limited access for viewing and modification of SNMP statistics and system configuration. SNMP views can also be used with other commands that take SNMP views as an argument. SNMP views reference MIB objects using object names, numbers, wildcards, or a combination of the three. The numbers represent the hierarchical location of the object in the MIB tree. You can reference individual objects in the MIB tree or a subset of objects from the MIB tree.

NOTE: The snmp-server view command supports the MIB objects as defined in RFC 1445.

EXAMPLE:

To add an SNMP view, use the following CLI method:

ServerIron(config)# snmp-server view Maynes system included
ServerIron(config)# snmp-server view Maynes system.2 excluded
ServerIron(config)# snmp-server view Maynes 2.3.*.6
ServerIron(config)# write mem

Syntax: [no] snmp-server view <name> <mib_tree> included | excluded

The <name> parameter can be any alphanumeric name you choose to identify the view. The names cannot contain spaces.

The <mib_tree> parameter is the name of the MIB object or family. MIB objects and MIB sub-trees can be identified by name or by the numbers representing the position of the object or sub-tree in the MIB hierarchy. You can use a wildcard (*) in the numbers to specify a sub-tree family.

The included | excluded parameter specifies whether the MIB objects identified by the <mib_tree> parameter are included in the view or excluded from the view.

To delete a view, use the no parameter before the command.

Possible values: See above

Default value: N/A

sntp poll-interval

This parameter sets how often clock updates are requested from a SNTP server.

EXAMPLE:

To configure the ServerIron to poll for clock updates from a SNTP server every 15 minutes, enter the following:

ServerIron(config)# sntp poll-interval 900

Syntax: sntp poll-interval <1-65535>

Possible values: 1 – 65535 seconds

Default value: 1800 seconds

sntp server

This command allows you to define the SNTP server that will be used for clock synchronization for the ServerIron. You can either enter the SNTP server’s IP address or its hostname.

Up to three SNTP server entries can be defined.

EXAMPLE:

To define the SNTP server (IP address 192.1.4.69) that will be polled by the ServerIron for time updates, enter:

ServerIron(config)# sntp server 192.1.4.69

Syntax: sntp server <ip-addr> | <hostname> [<version>]

The <version> parameter specifies the SNTP version the server is running and can be from 1 – 4. The default is 1. You can configure up to three SNTP servers by entering three separate sntp server commands.

Possible values: See above.

Default value: N/A

spanning-tree

Enables or disables (no) Spanning Tree on the switch. This change can be viewed by the show spanning tree command.

For switches, this feature is enabled by default.

For routers, this feature is disabled by default.

To disable this feature, enter no spanning-tree. To later re-enable spanning tree on the router, enter spanning-tree.

EXAMPLE:

To disable spanning tree, enter the following:

ServerIron(config)# no spanning-tree

EXAMPLE:

To enable spanning tree, enter the following:

ServerIron(config)# spanning-tree

Syntax: [no] spanning-tree

Possible values: N/A

Default value: Enabled on switches. Disabled on routers.

spanning-tree <parameter>

Spanning Tree bridge and port parameters are configurable using one CLI command. When no port-based VLANs are active on the system, spanning tree parameters are set at the Global CONFIG Level.

When port-based VLANs are active on the system, spanning tree protocol bridge and port parameters can be configured globally at the VLAN Level. Additionally, you can disable or enable STP on an interface basis.

NOTE: If VLANs are active on a switch or router, spanning-tree will not be seen as an option at the Global CONFIG Level of the CLI but will be an option of the VLAN Level.

All bridge and port parameters have default values and do not need to be modified unless required to match network needs. Additionally, all values will be globally applied to the switch or router. By default this feature is enabled on switches and disabled on routers.

You can modify the following STP Parameters:

1. Modify bridge parameters—forward delay, maximum age, hello time and priority

2. Modify port parameters—priority and path cost

EXAMPLE:

Suppose you want to enable spanning tree on a system in which no port-based VLANs are active and change the hello-time from the default value of 2 to 8 seconds. Additionally, suppose you want to change the path and priority costs for port 5 only. To do so, enter the following commands.

ServerIron(config)# span hello-time 8

ServerIron(config)# span ethernet 5 path-cost 15 priority 64

Syntax: span [ethernet <portnum> path-cost <value> priority <value>] forward-delay <value> hello-time <value> maximum-age <time> priority <value>

Possible values: see below

Bridge Parameters:

• Forward-delay: Possible values: 4 – 30 seconds. Default is 15 seconds.

• Max-age: Possible values: 6 – 40 seconds. Default is 20 seconds.

• Hello-time: Possible values: 1 – 10 seconds. Default is 2 seconds.

• Priority: Possible values: 1 – 65,535. Default is 32,768. A higher numerical value means a lower priority; thus, the highest priority is 0.

Port Parameters:

• Path: Possible values: 1-65,535. Default: Auto

NOTE: The default value ‘Auto’ means that the port will adjust the default value automatically based on the port speed. The default value is based on the following formula:

• Half-duplex ports: 1000/port speed

• Full-duplex ports: (1000/port speed)/2

• Priority: possible values are 0-255. Default is 128. A higher numerical value means a lower priority; thus, the highest priority is 0.

static-mac-address

Defines a static MAC address on an individual switch or switching port to ensure it is not aged out. The parameter option, router-type or host-type, is not available for the FastIron Workgroup switch or Stackable Layer 3 Switches.

NOTE: If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-based VLAN (VLAN 1). If you enter the command at the configuration level for a specific port-based VLAN, the entry applies to that VLAN and not to the default VLAN.

NOTE: If you want to include a trunk group when you configure a static MAC entry that has multiple ports, include only the primary port of the trunk group. If you include all the trunk group’s ports, the ServerIron uses all the ports to forward traffic for the MAC address instead of using only the active trunk port.

EXAMPLE:

ServerIron(config)# static-mac-address 1145.5563.67FF e12 7 router-type

The syntax for adding static MAC entries differs depending on whether you are using a stackable or chassis ServerIron.

Syntax for chassis devices:

Syntax: static-mac-address <mac-addr> ethernet <portnum> [priority <0-7>] [host-type | router-type]

Syntax for stackable devices:

Syntax: static-mac-address <mac-addr> ethernet <portnum> [to <portnum> ethernet <portnum>] [normal-priority | high-priority] [host-type | router-type | fixed-host]

The priority can be 0 – 7 (0 is lowest and 7 is highest) for chassis devices and either normal-priority or high-priority for stackable devices.

NOTE: The fixed-host parameter is supported only on stackable ServerIrons. Use the fixed-host parameter for Layer 2 firewall configurations. The parameter "fixes" the address to the ServerIron port you specify and prevents other ports on the ServerIron from learning it. Use the router-type parameter for all other types of FWLB configurations. For more information, see the Foundry ServerIron Firewall Load Balancing Guide.

To create a static MAC entry that is associated with multiple ports, enter a command such as the following:

ServerIron(config)# static-mac-address aaaa.bbbb.cccc ethernet 1 ethernet 3 to 5

This command creates a static MAC entry that is associated with port 1 and ports 3 – 5. The ServerIron forwards traffic addressed to aaaa.bbbb.cccc out all the ports you specify, in this case 1, 3, 4, and 5.

Syntax: static-mac-address <mac-addr> ethernet <portnum> [to <portnum> ethernet <portnum>] [normal-priority | high-priority] [host-type | router-type | fixed-host]

NOTE: If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-based VLAN (VLAN 1). If you enter the command at the configuration level for a specific port-based VLAN, the entry applies to that VLAN and not to the default VLAN.

Foundry recommends that you configure a static ARP entry to match the static MAC entry. In fact, the software automatically creates a static MAC entry when you create a static ARP entry.

NOTE: When a static MAC entry has a corresponding static ARP entry, you cannot delete the static MAC entry unless you first delete the static ARP entry.

To create a static ARP entry for a static MAC entry, enter a command such as the following:

ServerIron(config)# arp 1 192.53.4.2 aaaa.bbbb.cccc ethernet 1

NOTE: The arp command allows you to specify only one port number. To create a static ARP entry for a static MAC entry that is associated with multiple ports, specify the first (lowest-numbered) port associated with the static MAC entry.

Possible values: See above.

Default value: host-type and 0 or normal priority

system-max

Allows you to modify the default settings for parameters that use system memory. The configurable parameters and their defaults and maximums differ depending on the device. To display the configurable parameters, their defaults, and the maximum configurable values for each, enter the following command at any level of the CLI: show default values. See “show default” on page 21-3.

EXAMPLE:

To increase the number of real servers available on the ServerIron:

ServerIron(config)# system-max l4-real 2048

Syntax: system-max l4-real-server <real-servers>

The <real-servers> value can be from 64 – 2048

To increase the number of virtual servers available on the ServerIron:

ServerIron(config)# system-max l4-virtual-server 512

Syntax: system-max l4-virtual-server <virtual-servers>

The <virtual-servers> value can be from 64 – 512

To increase the number of TCP/UDP ports available on the ServerIron:

ServerIron(config)# system-max l4-server-port 4096

Syntax: system-max l4-server-port <number-of-ports>

The <number-of-ports> value can be from 256 – 4096

To increase the number of TCP buffers available on the ServerIron:

ServerIron(config)# system-max tcp-buffer 2048

Syntax: system-max tcp-buffer <number-of-buffers>

The ServerIron uses TCP buffers for TCP sessions. Applications such as GSLB use many TCP buffers, since buffers are required for TCP health checks as well as client connections with real servers. If you receive a message that the ServerIron cannot perform a health check or other TCP tasks, you might need to allocate more memory for TCP buffers.

The <number-of-buffers> value can be from 128 – 2048

Possible values: These depend on the device you are configuring. See the System Parameters section in the show default values display. The CLI will display the acceptable range if you enter a value that is outside the range.

Default value: See above

tacacs-server

Identifies a TACACS or TACACS+ server and sets other TACACS/TACACS+ parameters for authenticating access to the Foundry device.

EXAMPLE:

ServerIron(config)# tacacs-server host 209.157.22.99

Syntax: tacacs-server host <ip-addr> | <server-name> [auth-port <number>]

The only required parameter is the IP address or host name of the server.

NOTE: To specify the server's host name instead of its IP address, you must first identify a DNS server using the ip dns server-address <ip-addr> command at the global CONFIG level. See the “Configuring Basic Features” chapter of the Foundry Switch and Router Installation and Basic Configuration Guide.

The auth-port parameter specifies the UDP port number of the authentication port on the server. The default port number is 49.

Syntax: tacacs-server [key <key-string>] [timeout <number>] [retransmit <number>] [dead-time <number>]

The key parameter specifies the value that the Foundry device sends to the server when trying to authenticate user access. The TACACS/TACACS+ server uses the key to determine whether the Foundry device has authority to request authentication from the server. The key can be from 1 – 16 characters in length.

The timeout parameter specifies how many seconds the Foundry device waits for a response from the TACACS/TACACS+ server before either retrying the authentication request or determining that the TACACS/TACACS+ server is unavailable and moving on to the next authentication method in the authentication-method list. The timeout can be from 1 – 15 seconds. The default is 3 seconds.

The retransmit parameter specifies how many times the Foundry device will re-send an authentication request when the TACACS/TACACS+ server does not respond. The retransmit value can be from 1 – 5 times. The default is 3 times.

The dead-time parameter is not used in this software release. When the software allows multiple authentication servers, this parameter will specify how long the Foundry device waits for the primary authentication server to reply before deciding the server is dead and trying to authenticate using the next server. The dead-time value can be from 1 – 5 seconds. The default is 3.

Possible values: see above

Default value: see above

tag-type

This parameter defines the value sent out on a packet to mark it as belonging to a tagged VLAN port. The 802.1q standard recognizes the value of 8100 for this purpose. Other values can be assigned to this parameter but are not recommended.

EXAMPLE:

ServerIron(config)# tag-type 8100

Syntax: tag-type <value>

Possible values: 1-65535

Default value: 8100

telnet access-group

Applies an ACL to control Telnet access to the device.

EXAMPLE:

The following commands configure ACL 10, then apply the ACL as the access list for Telnet access. The device will allow Telnet access to all IP addresses except those listed in ACL 10.

ServerIron(config)# access-list 10 deny host 209.157.22.32 log

ServerIron(config)# access-list 10 deny 209.157.23.0 0.0.0.255 log

ServerIron(config)# access-list 10 deny 209.157.24.0 0.0.0.255 log

ServerIron(config)# access-list 10 deny 209.157.25.0/24 log

ServerIron(config)# access-list 10 permit any

ServerIron(config)# telnet access-group 10

ServerIron(config)# write mem

Syntax: telnet access-group <num>

Possible values: The <num> parameter specifies the number of a standard ACL and must be from 1 – 99.

Default value: N/A
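
How ACL 10 above sorts source addresses, as an added Python example (not code from the Foundry manual). It assumes the usual standard-ACL behaviour, which this page does not spell out: entries are checked top-down, the first match decides, and an address that matches no entry is denied. The names parse_entry and evaluate are hypothetical.

```python
import ipaddress

# ACL 10 as entered in the manual's example above.
ACL_10 = [
    "access-list 10 deny host 209.157.22.32 log",
    "access-list 10 deny 209.157.23.0 0.0.0.255 log",
    "access-list 10 deny 209.157.24.0 0.0.0.255 log",
    "access-list 10 deny 209.157.25.0/24 log",
    "access-list 10 permit any",
]


def parse_entry(line):
    """Parse one standard ACL line into (action, address, care_mask, log).

    care_mask has a 1 for every bit that must equal the entry's address.
    A wildcard mask is the inverse: its 1 bits are "don't care" bits.
    """
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
        raise ValueError("not a standard ACL entry: %r" % line)
    action, spec = tok[2], tok[3:]
    log = spec[-1] == "log"
    if log:
        spec = spec[:-1]
    if spec == ["any"]:
        addr, care = 0, 0
    elif len(spec) == 2 and spec[0] == "host":
        addr, care = int(ipaddress.IPv4Address(spec[1])), 0xFFFFFFFF
    elif len(spec) == 1 and "/" in spec[0]:
        net = ipaddress.ip_network(spec[0], strict=False)
        addr, care = int(net.network_address), int(net.netmask)
    elif len(spec) == 2:
        wildcard = int(ipaddress.IPv4Address(spec[1]))
        addr, care = int(ipaddress.IPv4Address(spec[0])), ~wildcard & 0xFFFFFFFF
    else:
        raise ValueError("unsupported address form: %r" % line)
    return action, addr & care, care, log


def evaluate(acl_lines, source_ip):
    """Return (action, matching_entry_number, logged) for a source address."""
    src = int(ipaddress.IPv4Address(source_ip))
    for number, line in enumerate(acl_lines, 1):
        action, addr, care, log = parse_entry(line)
        if src & care == addr:
            return action, number, log
    # Assumption: nothing matched, so the implicit deny applies.
    return "deny", None, False


if __name__ == "__main__":
    for ip in ("209.157.22.32", "209.157.22.33", "209.157.23.200", "10.0.0.1"):
        print(ip, evaluate(ACL_10, ip))
```

Because the last entry is permit any, every source outside the four denied ranges reaches the Telnet login prompt; an allow-list needs permit entries for the management hosts and no trailing permit any.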

telnet client

Restricts Telnet management access to the Foundry device to the host whose IP address you specify. No other device except the one with the specified IP address can access the Foundry device’s CLI through Telnet.

If you want to restrict access from SNMP or the Web, use one or two of the following commands:

• snmp-client – restricts SNMP access (including IronView). See “snmp-client” on page 6-88.

• web client – restricts web access. See “web client” on page 6-100.

If you want to restrict all management access, you can use the commands above and the telnet client command or you can use the following command: all-client. See “all-client” on page 6-7.

EXAMPLE:

To restrict Telnet access (which includes IronView) to the Foundry device to the host with IP address 209.157.22.26, enter the following command:

ServerIron(config)# telnet client 209.157.22.26

Syntax: [no] telnet client <ip-addr>

Possible values: a valid IP address. You can enter one IP address with the command. You can use the command up to ten times for up to ten IP addresses.

Default value: N/A

telnet login-timeout

Changes the login timeout period for Telnet sessions.

EXAMPLE:

To change the login timeout period for Telnet sessions to 5 minutes:

ServerIron(config)# telnet login-timeout 5

Syntax: [no] telnet login-timeout <minutes>

Possible values: 1 – 10 minutes

Default value: 1 minute

telnet server

This command enables or disables Telnet access to a ServerIron. By default, Telnet access is allowed on a system.

EXAMPLE:

To disable Telnet access to a switch, enter the following:

ServerIron(config)# no telnet server

Syntax: [no] telnet server

Possible values: Enabled or disabled

Default value: Enabled

telnet server enable vlan

Allows Telnet access only to clients in a specific VLAN.

EXAMPLE:

The following command configures the device to allow Telnet management access only to clients connected to ports within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management access.

ServerIron(config)# telnet server enable vlan 10

Syntax: [no] telnet server enable vlan <vlan-id>

Possible values: N/A

Default value: N/A

telnet timeout

This parameter defines how long a Telnet session can remain idle before it is timed out. By default, Telnet sessions do not time out.

EXAMPLE:

ServerIron(config)# telnet timeout 120

Syntax: telnet timeout <0-240>

Possible values: 0 – 240 seconds

Default value: 0 seconds (no timeout)

tftp client enable vlan

Allows TFTP access only to clients in a specific VLAN.

EXAMPLE:

The following example configures the device to allow TFTP access only to clients connected to ports within port-based VLAN 40. Clients connected to ports that are not in VLAN 40 are denied access.

ServerIron(config)# tftp client enable vlan 40

Syntax: [no] tftp client enable vlan <vlan-id>

Possible values: N/A

Default value: N/A

trunk switch | server ethernet

This command allows you to add a trunk group to a switch, router or server for high-speed connections.

NOTE: On the ServerIron 400 or ServerIron 800, you must use the default trunk type, which is "switch". The "server" parameter is not supported.

EXAMPLE:

To assign ports 1, 2 and 3 to a trunk group on the system, enter the following command:

ServerIron(config)# trunk switch e 1 to 3

A trunk group must then also be configured on the connecting Foundry Networks switch or router at the other end of the trunk group. The term switch in the above command can refer to either a Foundry Networks switch, ServerIron, or router.

If you are going to connect to a server, then enter the following command:

ServerIron(config)# trunk server e1 to 3

This will connect a trunk group of ports 1, 2 and 3 to a server.

Summary of Trunk Group Rules

• The trunk type must be "switch" on the ServerIron 400 and ServerIron 800, and "server" on all other models.

• Up to four trunk groups may be assigned (up to three for a TurboIron).

• Trunk group port assignment should always start with the lead port, that is, port 1, 5, 9, 13 or 17 (1, 3 or 5 for a TurboIron).

• Port assignment must be contiguous.

• Ports cannot be assigned across multiple trunk group boundaries; for example, ports 4 and 5 cannot be in the same trunk group.

• All of the trunk group member properties must match the lead port of the trunk group with respect to the following parameters:

• port tag type (untagged or tagged port)

• port speed and duplex

• QoS priority

Syntax: trunk server | switch ethernet <portnum> to <portnum>

Possible values: Port or port ranges

Default value: Disabled

unknown-unicast limit

Specifies the maximum number of unknown-unicast packets the device can forward each second. By default the device sends unknown unicasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However, if other devices in the network cannot handle unlimited unknown-unicast traffic, this command allows you to relieve those devices by throttling the unknown unicasts at the Foundry device.

NOTE: The unknown-unicast limit does not affect broadcast or multicast traffic. However, you can use the broadcast limit and multicast limit commands to control these types of traffic. See “broadcast limit” on page 6-12 and “multicast limit” on page 6-53.

EXAMPLE:

ServerIron(config)# unknown-unicast limit 30000

Syntax: unknown-unicast limit <num>

Possible values: 0 – 4294967295

Default value: N/A

url-map

This command is used in conjunction with the URL switching feature on the ServerIron. This command assigns a name to a URL switching policy and enters the URL switching policy CONFIG level.

EXAMPLE:

To create a URL switching policy named p1:

ServerIron(config)# url-map p1

Syntax: url-map <policy-name>

Possible values: URL switching policy name

Default value: N/A

username

This command configures a local user account. For each user account, you specify the user name. You also can specify the following parameters:

• A password

• The privilege level, which can be one of the following:

• Full access (super-user). This is the default.

• Port-configuration access

• Read-only access

EXAMPLE:

To configure a user account, enter a command such as the following at the global CONFIG level of the CLI.

ServerIron(config)# username wonka password willy

This command adds a user account for a super-user with the user name "wonka" and the password "willy", with privilege level super-user. This user has full access to all configuration and display features.

NOTE: If you configure user accounts, you must add a user account for super-user access before you can add accounts for other access levels. You will need the super-user account to make further administrative changes.

ServerIron(config)# username waldo privilege 5 password whereis

This command adds a user account for user name "waldo", password "whereis", with privilege level read-only. Waldo can look for information but cannot make configuration changes.

Syntax: [no] username <user-string> privilege <privilege-level> password | nopassword <password-string>

The privilege parameter specifies the privilege-level. You can specify one of the following:

• 0 – Full access (super-user)

• 4 – Port-configuration access

• 5 – Read-only access

The default privilege level is 0. If you want to assign full access to the user account, you can enter the command without "privilege 0", as shown in the command example above.

The password | nopassword parameter indicates whether the user must enter a password. If you specify password, enter the string for the user's password.

NOTE: You must be logged on with super-user access (privilege level 0, or with a valid Enable password for super-user access) to add user accounts or configure other access parameters.

vlan

Creates or changes the CLI focus to a port-based VLAN.

EXAMPLE:

ServerIron(config)# vlan 200 by port

ServerIron(config)# vlan 200 name WebMgr

Syntax: vlan <num> by port

Syntax: vlan <num> name <string>

NOTE: The second command is optional and also creates the VLAN if the VLAN does not already exist. You can enter the first command after you enter the second command if you first exit to the global CONFIG level of the CLI.

Possible values: VLAN ID 1 – 1024; VLAN name can be a string up to 16 characters. You can use blank spaces in the name if you enclose the name in double quotes (for example, “Tanya Inman”.)

Default value: N/A

vlan-dynamic-discovery

Disables or re-enables dynamic discovery of protocol VLANs on switch-to-switch links. This feature enables switch-to-switch links to be automatically included in protocol VLANs that have dynamic port membership.

EXAMPLE:

To disable the feature, enter the following command:

ServerIron(config)# no vlan-dynamic-discovery

Syntax: [no] vlan-dynamic-discovery

Possible values: Enabled or disabled

Default value: Enabled

vlan max-vlans

Allows you to assign a set number of VLANs to be supported on a ServerIron. This allows you to set a smaller value than the default to preserve memory on the system.

EXAMPLE:

ServerIron(config)# vlan max-vlans 200

Syntax: vlan max-vlans <value>

Possible values: 1 – 1024

Default value: 32

web access-group

Applies an ACL to control Web access to the device.

EXAMPLE:

The following commands configure ACL 10, then apply the ACL as the access list for Web access. The device will allow Web access to all IP addresses except those listed in ACL 10.

ServerIron(config)# access-list 10 deny host 209.157.22.32 log

ServerIron(config)# access-list 10 deny 209.157.23.0 0.0.0.255 log

ServerIron(config)# access-list 10 deny 209.157.24.0 0.0.0.255 log

ServerIron(config)# access-list 10 deny 209.157.25.0/24 log

ServerIron(config)# access-list 10 permit any

ServerIron(config)# web access-group 10

ServerIron(config)# write mem

Syntax: web access-group <num>

Possible values: The <num> parameter specifies the number of a standard ACL and must be from 1 – 99.

Default value: N/A

web client

Restricts Web management access to the Foundry device to the host whose IP address you specify. No other device except the one with the specified IP address can access the Foundry device’s Web management interface.

If you want to restrict access from SNMP or Telnet, use one or two of the following commands:

• snmp-client – restricts SNMP access (including IronView). See “snmp-client” on page 6-88.

• telnet client – restricts Telnet access to the CLI. See “telnet client” on page 6-95.

If you want to restrict all management access, you can use the commands above and the web client command or you can use the following command: all-client. See “all-client” on page 6-7.

EXAMPLE:

To restrict Web access to the Foundry device to the host with IP address 209.157.22.26, enter the following command:

ServerIron(config)# web client 209.157.22.26

Syntax: [no] web client <ip-addr>

Possible values: a valid IP address. You can enter one IP address with the command. You can use the command up to ten times for up to ten IP addresses.

Default value: N/A

web-management

This command enables or disables the Web management interface on a ServerIron. By default this feature is enabled on a system.

EXAMPLE:

ServerIron(config)# no web-management

Syntax: [no] web-management

Possible values: Enabled, Disabled

Default value: Enabled

web-management enable vlan

Allows Web management access only to clients in a specific VLAN.

EXAMPLE:

The following example configures the device to allow Web management access only to clients connected to ports within port-based VLAN 10. Clients connected to ports that are not in VLAN 10 are denied management access.

ServerIron(config)# web-management enable vlan 10

Syntax: [no] web-management enable vlan <vlan-id>

Possible values: N/A

Default value: N/A
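
An added example (not from the Foundry manual) that audits a saved configuration against the defaults documented in the tacacs-server, telnet, username and web sections above: Telnet and Web management are enabled unless turned off, Telnet sessions never idle out unless a timeout is set, and an access-group whose ACL ends in permit any blocks only the listed hosts. It assumes the saved configuration stores lines in the same form as the commands shown here, unabbreviated; the sample configuration is constructed, and the function names and finding IDs are hypothetical.

```python
import re

# Constructed sample of a saved configuration (not captured from a device).
SAMPLE_CONFIG = """\
username wonka password willy
tacacs-server host 209.157.22.99
access-list 10 deny host 209.157.22.32 log
access-list 10 permit any
telnet access-group 10
telnet login-timeout 5
web client 209.157.22.26
"""


def commands(config_text):
    """Return normalized command lines, skipping blanks and '!' separators."""
    out = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("!"):
            out.append(line)
    return out


def audit_management_plane(config_text):
    """Return a list of (finding_id, detail) tuples for one configuration."""
    lines = commands(config_text)

    def has(prefix):
        return any(l == prefix or l.startswith(prefix + " ") for l in lines)

    def acl_permits_any(service):
        # True if "<service> access-group N" points at an ACL with "permit any".
        for l in lines:
            m = re.fullmatch(re.escape(service) + r" access-group (\d+)", l)
            if m and has("access-list %s permit any" % m.group(1)):
                return True
        return False

    findings = []
    all_client = has("all-client")

    # Telnet is enabled by default; only "no telnet server" turns it off.
    if "no telnet server" not in lines:
        if not (all_client or has("telnet access-group") or has("telnet client")
                or has("telnet server enable vlan")):
            findings.append(("TELNET_UNRESTRICTED",
                             "Telnet enabled with no client, ACL or VLAN restriction"))
        if acl_permits_any("telnet"):
            findings.append(("TELNET_ACL_PERMIT_ANY",
                             "Telnet ACL is a deny-list: unlisted sources are allowed"))
        # The default idle timeout is 0, which means sessions never time out.
        timeout = 0
        for l in lines:
            m = re.fullmatch(r"telnet timeout (\d+)", l)
            if m:
                timeout = int(m.group(1))
        if timeout == 0:
            findings.append(("TELNET_NO_IDLE_TIMEOUT",
                             "idle Telnet sessions are never disconnected"))

    # Web management is enabled by default; "no web-management" turns it off.
    if "no web-management" not in lines:
        if not (all_client or has("web access-group") or has("web client")
                or has("web-management enable vlan")):
            findings.append(("WEB_UNRESTRICTED",
                             "Web management enabled with no client, ACL or VLAN restriction"))
        if acl_permits_any("web"):
            findings.append(("WEB_ACL_PERMIT_ANY",
                             "Web ACL is a deny-list: unlisted sources are allowed"))

    # A TACACS/TACACS+ host with no "key" parameter anywhere in the config.
    if has("tacacs-server host") and not any(
            re.match(r"tacacs-server .*\bkey \S+", l) for l in lines):
        findings.append(("TACACS_NO_KEY", "tacacs-server host set but no key configured"))

    # Local accounts created with the nopassword keyword.
    for l in lines:
        tok = l.split()
        if len(tok) >= 3 and tok[0] == "username" and "nopassword" in tok[2:]:
            findings.append(("USER_NOPASSWORD", "account %s has no password" % tok[1]))
    return findings


if __name__ == "__main__":
    for finding_id, detail in audit_management_plane(SAMPLE_CONFIG):
        print(finding_id, "-", detail)
```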

write memory

Saves the running configuration into the startup-config file.

EXAMPLE:

ServerIron(config)# write memory

Syntax: write memory

Possible values: N/A

Default value: N/A

write terminal

Displays the running-configuration of the ServerIron on the terminal screen.

EXAMPLE:

ServerIron(config)# write terminal

Syntax: write terminal

Possible values: N/A

Default value: N/A

wsm boot

Changes the default boot source for the Web Switching Management Module.

By default, the Web Switching Management Module’s processors boot from the primary flash areas on the module. Each processor boots from its own primary flash. The MP boots first, then the WSM CPUs boot.

You can change the default boot source to one of the following:

• Primary flash (the default)

• Secondary flash

• Interactive

The interactive option pauses during bootup of the WSM CPUs to allow you to select the boot source for the WSM CPUs. You must use this method if you want to boot the WSM CPUs from a TFTP server. Otherwise, this method is used for troubleshooting.

EXAMPLE:

To change the default boot source, enter commands such as the following at the global CONFIG level of the CLI:

ServerIron(config)# wsm boot secondary

ServerIron(config)# write memory

This command configures the module to boot from the secondary flash by default.

NOTE: The write memory command saves the change to the startup-config file. You must save the configuration change for the change to remain in effect after you reboot.

Syntax: wsm boot primary | secondary | interactive

The primary and secondary parameters specify a flash memory location. The interactive parameter causes the device to pause during bootup to allow you to specify the boot source for the WSM CPUs. You must use this method if you want to boot the WSM CPUs from a TFTP server. Otherwise, the interactive parameter is used for troubleshooting.

To configure the module to pause during booting to allow you to specify the boot source, enter the following command:

ServerIron(config)# wsm boot interactive

After you set the boot source to interactive and reboot, enter a command such as the following at the Privileged EXEC level of the CLI to boot the WSM CPUs:

ServerIron# wsm boot tftp 192.168.1.170 wsp07200.bin

This command copies the WSM CPU flash code image from the specified TFTP server to a WSM CPU address space from which the WSM CPU can boot.

Syntax: wsm boot primary | secondary | tftp <ip-addr> <image-file-name>

Possible values: See above

Default value: primary

wsm wsm-map

Remaps processing for a forwarding module to a specific WSM CPU.

NOTE: Foundry recommends that you change slot allocations only if Foundry technical support advises the change or the documentation for a feature states that the change is required.

EXAMPLE:

ServerIron(config)# wsm wsm-map slot 3 wsm-slot 2 wsm-cpu 1

This command remaps processing for the forwarding module in slot 3 to WSM CPU 1 on the Web Switching Management Module in slot 2.

Syntax: wsm wsm-map <from-slotnum> wsm-slot <to-slotnum> wsm-cpu <cpunum>

The <from-slotnum> parameter specifies the slot that contains the forwarding module.

The <to-slotnum> parameter specifies the slot that contains the Web Switching Management Module.

The <cpunum> parameter specifies the WSM CPU on <to-slotnum> that will perform the processing. The WSM CPUs are numbered from 1 – 3.

Chapter 7

Redundant Management Module CONFIG Commands

active-management

In chassis containing redundant management modules, changes the default assignment of the active management module. By default, the redundant management module in the lower slot number becomes the active redundant management module. You must use this command to override the default and make the redundant management module in the higher slot number the default active module.

NOTE: This command applies only to devices containing redundant management modules.

NOTE: The change does not take effect until you reload the system. If you save the change to the active module's system-config file before reloading, the change persists across system reloads. Otherwise, the change affects only the next system reload.

EXAMPLE:

To override the default and specify the active redundant management module, enter the following commands:

BigServerIron(config)# redundancy

BigServerIron(config-redundancy)# active-management 5

This command overrides the default and makes the redundant management module in slot 5 the active module following the next reload. The change affects only the next reload and does not remain in effect for future reloads.

Syntax: active-management <slot-num>

NOTE:

• Slots in a four-slot chassis are numbered 1 – 4, from top to bottom.

• Slots in an eight-slot chassis are numbered 1 – 8, from left to right.

To make the change permanent across future reloads, enter the write memory command to save the change to the startup-config file, as shown in the following example:

BigServerIron(config)# redundancy

BigServerIron(config-redundancy)# active-management 5

BigServerIron(config-redundancy)# write memory

NOTE: If you do not save the change to the startup-config file, the change affects only the next reload.

end

Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.

EXAMPLE:

To move to the privileged level, enter the following from any level of the CLI.

BigServerIron(config-redundancy)# end

BigServerIron#

Syntax: end

Possible values: N/A

Default value: N/A

exit

Moves activity up one level from the current level. In this case, activity will be moved to the privileged level.

EXAMPLE:

To move from the global level, back to the privileged level, enter the following:

BigServerIron(config-redundancy)# exit

BigServerIron#

Syntax: exit

Possible values: N/A

Default value: N/A

no

Disables other commands. To disable a command, place the word no before the command.

quit

Returns you from any level of the CLI to the User EXEC mode.

EXAMPLE:

BigServerIron(config-redundancy)# quit

BigServerIron>

Syntax: quit

Possible values: N/A

Default value: N/A

show

Displays a variety of configuration and statistical information about the switch or router. See “Show Commands” on page 21-1.

sync-standby

Automates synchronization of software between active and standby redundant management modules.

EXAMPLE:

To change the automatic synchronization setting, use one of the following commands:

Syntax: [no] sync-standby boot

Syntax: [no] sync-standby code

Syntax: [no] sync-standby startup-config

Syntax: [no] sync-standby running-config [<num>]

To disable automatic synchronization of the boot code, flash code, or startup-config file, enter “no” in front of the command.

The <num> parameter with the sync-standby running-config command specifies the synchronization interval. You can specify from 4 – 20 seconds. The default is 10 seconds. To disable automatic synchronization of the running-config, set the synchronization interval (the <num> parameter) to 0.

Possible values: See above

Default value: Automatic synchronization of the flash code, running-config, and system-config file is enabled by default. Automatic synchronization of the boot code is disabled by default. The default synchronization interval for the running-config is 10 seconds.

write memory

Saves the running configuration into the startup-config file.

EXAMPLE:

BigServerIron(config-redundancy)# write memory

Syntax: write memory

Possible values: N/A

Default value: N/A

write terminal

Displays the running configuration of the Foundry switch or router on the terminal screen.

NOTE: This command is equivalent to the show running-config command.

EXAMPLE:

BigServerIron(config-redundancy)# write terminal

Syntax: write terminal

Possible values: N/A

Default value: N/A


Chapter 8 Interface Commands

auto-gig

Enables auto-negotiating on a gigabit interface in accordance with the flow control specification 802.3x. Both sides of the circuit need to be configured with this feature.

EXAMPLE:

ServerIron(config)# int e 1
ServerIron(config-if-1)# auto-gig

Syntax: [no] auto-gig

Possible values: on or off

Default value: disabled

broadcast limit

Specifies the maximum number of broadcast packets the device can forward each second. By default the device sends broadcasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However, if other devices in the network cannot handle unlimited broadcast traffic, this command allows you to relieve those devices by throttling the broadcasts at the Foundry device.

NOTE: The broadcast limit does not affect multicast or unicast traffic. However, you can use the multicast limit and unknown-unicast limit commands to control these types of traffic. See “multicast limit” on page 8-11 and “unknown-unicast limit” on page 8-14.

EXAMPLE:

ServerIron(config)# int e 6
ServerIron(config-if-6)# broadcast limit 30000

Syntax: broadcast limit <num>

Possible values: 0 – 4294967295

Default value: N/A

cache-group

Applies the port to a TCS cache group. The port’s membership in a cache group allows client traffic received on the port to be redirected to the cache servers in the cache group.

EXAMPLE:

ServerIron(config)# int e 6
ServerIron(config-if-6)# cache-group 1

Syntax: cache-group 1

Possible values: 1

Default value: 1

clear

Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in “Privileged EXEC Commands” on page 5-1.

dhcp-gateway-list

This parameter assigns a defined DHCP gateway list to a specific interface on a Foundry switch. DHCP gateway lists must be defined at the Global Level and the DHCP Assist feature enabled to support assignment of this feature on switches.

NOTE: This feature is not supported on Foundry routers.

NOTE: For more details on this command and the DHCP Assist feature, see the Foundry Switch and Router Installation and Basic Configuration Guide.

EXAMPLE:

To assign a defined DHCP gateway list (1) to interface 2/5, enter the following:

ServerIron(config)# int e 2
ServerIron(config-if-2)# dhcp-gateway-list 1

Syntax: dhcp-gateway-list <number>

Possible values: N/A

Default value: N/A

disable

Disables a specific port.

EXAMPLE:

ServerIron(config)# interface e 1
ServerIron(config-if-1)# disable

Syntax: disable

Possible values: N/A

Default value: N/A

enable

Enables a specific port. All ports are enabled at initial startup. This command is only necessary if a port has been disabled, as all ports are by default enabled at system startup.

EXAMPLE:

ServerIron(config)# interface e 1
ServerIron(config-if-1)# enable

Syntax: enable

Possible values: N/A

Default value: All ports are enabled at system startup.

end

Moves activity to the privileged level from any level of the CLI with the exception of the User level.

EXAMPLE:

To move to the privileged level, enter the following:

ServerIron(config-if-5)# end
ServerIron#

Syntax: end

Possible values: N/A

Default value: N/A

exit

Moves activity up one level from the current level of the CLI. This command is available at all levels.

EXAMPLE:

To move from the interface level, back to the global level, enter the following:

ServerIron(config-if-4)# exit
ServerIron(config)#

Syntax: exit

Possible values: N/A

Default value: N/A

flow-control

Allows you to turn flow control (802.3x) for full-duplex ports on or off (no). Flow control is on by default.

EXAMPLE:

To turn the feature off, enter the following:

ServerIron(config)# int e5
ServerIron(config-if-5)# no flow-control

To turn the feature on after being turned off, enter the following:

ServerIron(config-if-5)# flow-control

Syntax: [no] flow-control

Possible values: N/A

Default value: on

fw-group

Assigns a port to a firewall group.

EXAMPLE:

To assign port 5 to firewall group 2:

ServerIron(config)# int e 5
ServerIron(config-if-5)# fw-group 2

Syntax: fw-group 2

Possible values: 2

Default value: All ports are assigned to firewall group 2 by default.

gig-default

Overrides the global default setting for Gigabit negotiation mode. You can configure the Gigabit negotiation mode for a port to be one of the following:

• Default – The port uses the negotiation mode that was set at the global level.

• Negotiate-full-auto – The port first tries to perform a handshake with the other port to exchange capability information. If the other port does not respond to the handshake attempt, the port uses the manually configured configuration information (or the defaults if an administrator has not set the information). This is the default for Chassis devices (including the TurboIron/8).

• Auto-Gigabit – The port tries to perform a handshake with the other port to exchange capability information. This is still the default for Stackable devices.

• Negotiation-off – The port does not try to perform a handshake. Instead, the port uses configuration information manually configured by an administrator.

See the “Configuring Basic features” chapter of the Foundry Switch and Router Installation and Basic Configuration Guide for more information.

NOTE: This command does not apply to Stackable devices. To change the negotiation mode for a Stackable Gigabit Ethernet port, use the [no] auto-gig command at the Interface level. See “auto-gig” on page 8-1.

EXAMPLE:

To override the global setting and set the negotiation mode to auto-Gigabit for ports 4/1 – 4/4, enter the following commands:

ServerIron(config)# int ethernet 4/1 to 4/4
ServerIron(config-mif-4/1-4/4)# gig-default auto-gig

Syntax: gig-default neg-full-auto | auto-gig | neg-off

Possible values: see above

Default value: neg-full-auto

ip access-group

Applies an ACL to an interface.

EXAMPLE:

To configure a standard ACL and apply it to outgoing traffic on port 1, enter the following commands.

ServerIron(config)# access-list 1 deny host 209.157.22.26 log
ServerIron(config)# access-list 1 deny 209.157.29.12 log
ServerIron(config)# access-list 1 deny host IPHost1 log
ServerIron(config)# access-list 1 permit any
ServerIron(config)# int eth 1
ServerIron(config-if-1)# ip access-group 1 out
ServerIron(config)# write memory

The commands in this example configure an ACL to deny packets from three source IP addresses from being forwarded on port 1. The last ACL entry in this ACL permits all packets that are not explicitly denied by the first three ACL entries.

Syntax: [no] ip access-group <num> in | out

The <num> parameter is the access list number and can be from 1 – 99.

EXAMPLE:

To apply an ACL to a subset of ports within a virtual interface, enter commands such as the following:

ServerIron(config)# vlan 10 name IP-subnet-vlan
ServerIron(config-vlan-10)# untag ethernet 1/1 to 2/12
ServerIron(config-vlan-10)# router-interface ve 1
ServerIron(config-vlan-10)# exit
ServerIron(config)# access-list 1 deny host 209.157.22.26 log
ServerIron(config)# access-list 1 deny 209.157.29.12 log
ServerIron(config)# access-list 1 deny host IPHost1 log
ServerIron(config)# access-list 1 permit any
ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# ip access-group 1 in ethernet 1/1 ethernet 1/3 ethernet 2/1 to 2/4

The commands in this example configure port-based VLAN 10, add ports 1/1 – 2/12 to the VLAN, and add virtual routing interface 1 to the VLAN. The commands following the VLAN configuration commands configure ACL 1. Finally, the last two commands apply ACL 1 to a subset of the ports associated with virtual interface 1.

Syntax: [no] ip access-group <num> in ethernet <portnum> [<portnum>...] to <portnum>

Possible values: see above

Default value: N/A

ip address

Configures an IP interface for use with IP forwarding. You must configure the IP interface on a virtual routing interface. You cannot configure the interface on a physical port. See “router-interface” on page 9-6.

NOTE: This command applies only to Layer 3 IP interfaces for use with IP forwarding. To configure the ServerIron’s management IP address, see “ip address” on page 6-34.

EXAMPLE:

To add an IP interface, enter commands such as the following:

ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# ip address 10.10.10.1 255.255.255.0

The interface ve 1 command changes the CLI to the configuration level for virtual routing interface 1. The ip address command adds an IP interface.

Syntax: [no] ip address | nat-address | standby-address <ip-addr> <ip-mask>

or

Syntax: [no] ip address | nat-address | standby-address <ip-addr>/<mask-bits>

The address | nat-address | standby-address parameter identifies the type of IP interface you are adding.

• The address parameter adds a standard IP interface. This option is applicable in most cases.

• The nat-address parameter applies to active-standby configurations. This parameter configures a shared IP interface for use with SLB source NAT. Enter the same command with the same IP address on each of the ServerIrons in the active-standby configuration. The address is active only on one ServerIron (the ServerIron that is currently active) at a time.

NOTE: SLB source NAT is different from standard Network Address Translation (NAT).

• The standby-address parameter applies to active-standby configurations and allows both ServerIrons to share the same router interface. One of the ServerIrons actively supports the interface while the other ServerIron provides failover for the interface if the first ServerIron becomes unavailable. Real servers can use the shared interface as their default gateway. Enter the same command with the same IP address on each of the ServerIrons in the active-standby configuration. The address is active only on one ServerIron (the ServerIron that is currently active) at a time.

The <ip-addr> parameter specifies the IP address.

The <ip-mask> parameter specifies a class-based (or “Classical”) IP sub-net mask.

The <mask-bits> parameter specifies the number of significant bits in a Classless Interdomain Routing (CIDR) sub-net mask.

You can use either format to configure the interface. For example, both the following commands are valid and produce the same result:

• ip address 10.10.10.1 255.255.255.0

• ip address 10.10.10.1/24


Possible values: See above

Default value: N/A

ip icmp burst

Causes the Foundry device to drop ICMP packets when excessive numbers are encountered, as is the case when the device is the victim of a Smurf attack. This command allows you to set threshold values for ICMP packets targeted at the router and drop them when the thresholds are exceeded.

EXAMPLE:

In the following example, if the number of ICMP packets received per second exceeds 5,000, the excess packets are dropped. If the number of ICMP packets received per second exceeds 10,000, the device drops all ICMP packets for the next 300 seconds (five minutes).

ServerIron(config-if-e100-1)# ip icmp burst-normal 5000 burst-max 10000 lockup 300

Syntax: ip icmp burst-normal <value> burst-max <value> lockup <seconds>

The burst-normal value can be from 1 – 100000.

The burst-max value can be from 1 – 100000.

The lockup value can be from 1 – 10000.

The number of incoming ICMP packets per second is measured and compared to the threshold values as follows:

• If the number of ICMP packets exceeds the burst-normal value, the excess ICMP packets are dropped.

• If the number of ICMP packets exceeds the burst-max value, all ICMP packets are dropped for the number of seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and measurement is restarted.

Possible values: The burst-normal and burst-max values can be between 1 – 100000 packets. The burst-normal value must be smaller than the burst-max value. The lockup value can be between 1 – 10000 seconds.

Default value: N/A

ip-multicast-disable

Disables Internet Group Membership Protocol (IGMP) queries from being sent or received on the port.

EXAMPLE:

To disable IGMP queries on an interface, enter commands such as the following:

ServerIron(config)# int e5
ServerIron(config-if-5)# ip-multicast-disable

To re-enable the IGMP queries on the interface, enter the following command:

ServerIron(config-if-5)# no ip-multicast-disable

Syntax: [no] ip-multicast-disable

Possible values: N/A

Default value: IGMP queries are enabled.

ip-policy

Locally enables TCS or firewall load balancing on the interface. Use this command if you did not enable TCS or firewall load balancing globally. See “ip policy” on page 6-39.

NOTE: You must use the ip policy command to configure the policy before using the ip-policy command. See “ip policy” on page 6-39.

NOTE: This command does not configure permit and deny filters. To configure this type of filter, see “ip filter…” on page 6-35.

See the following for more information:

• The "Configuring Transparent Cache Switching" chapter of the Foundry ServerIron Installation and Configuration Guide

• The Foundry ServerIron Firewall Load Balancing Guide

EXAMPLE:

To enable transparent cache switching of HTTP traffic for port 18 only, as opposed to globally on all of the ports, enter the following commands:

ServerIron(config)# ip policy 2 cache tcp 80 local
ServerIron(config)# int e 18
ServerIron(config-if-18)# ip-policy 2

EXAMPLE:

To enable firewall load balancing on port 9, enter the following commands:

ServerIron(config)# ip policy 3 fw tcp 0 local
ServerIron(config)# ip policy 4 fw udp 0 local
ServerIron(config)# int e 9
ServerIron(config-if-9)# ip-policy 3
ServerIron(config-if-9)# ip-policy 4

Syntax: ip policy <index> cache | fw | high | normal tcp | udp <tcp/udp-portnum> global | local

Syntax: ip-policy <index>

NOTE: When enabling firewall load balancing, you must specify "0" for the <tcp/udp-portnum> parameter of the ip policy command. This value allows all ports of the specified type (TCP or UDP).

Possible values: See above

Default value: N/A

ip rip

Enables the Routing Information Protocol (RIP) version on a virtual routing interface.

NOTE: This command applies only to IP forwarding (Layer 3 IP).

EXAMPLE:

ServerIron(config-rip-router)# interface ve 1
ServerIron(config-vif-1)# ip rip v1-only

This command changes the CLI to the configuration level for virtual routing interface 1 and enables RIP version 1 on the interface. You must specify the version.

Syntax: [no] ip rip v1-only | v1-compatible-v2 | v2-only

Possible values: See above

Default value: Disabled; no version specified

ip rip learn-default

Enables the ServerIron to learn RIP default routes.

NOTE: This command applies only to IP forwarding (Layer 3 IP).

EXAMPLE:

ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# ip rip learn-default

Syntax: [no] ip rip learn-default

Possible values: N/A

Default value: Disabled

ip rip poison-reverse

Changes the method of loop prevention that RIP uses.

NOTE: This command applies only to IP forwarding (Layer 3 IP).

RIP can use one of the following loop-prevention methods:

• Split horizon – The ServerIron does not advertise a route on the same interface as the one on which the ServerIron learned the route.

• Poison reverse – The ServerIron assigns a cost of 16 (“infinite” or “unreachable”) to a route before advertising it on the same interface as the one on which the ServerIron learned the route. This is the default.

NOTE: These methods are in addition to RIP’s maximum valid route cost of 15.

EXAMPLE:

To enable split horizon, enter commands such as the following:

ServerIron(config)# interface ve 1
ServerIron(config-vif-1)# no ip rip poison-reverse

Syntax: [no] ip rip poison-reverse

Possible values: See above

Default value: Poison reverse

ip tcp burst

Causes the Foundry device to drop TCP SYN packets when excessive numbers are encountered, as is the case when the device is the victim of a TCP SYN attack. This command allows you to set threshold values for TCP SYN packets targeted at the router and drop them when the thresholds are exceeded.

EXAMPLE:

In the following example, if the number of TCP SYN packets received per second exceeds 10, the excess packets are dropped. If the number of TCP SYN packets received per second exceeds 100, the device drops all TCP SYN packets for the next 300 seconds (five minutes).

ServerIron(config)# int e 1
ServerIron(config-if-e100-1)# ip tcp burst-normal 10 burst-max 100 lockup 300

Syntax: ip tcp burst-normal <value> burst-max <value> lockup <seconds>

The burst-normal value can be from 1 – 100000.

The burst-max value can be from 1 – 100000.

The lockup value can be from 1 – 10000.

The number of incoming TCP SYN packets per second is measured and compared to the threshold values as follows:

• If the number of TCP SYN packets exceeds the burst-normal value, the excess TCP SYN packets are dropped.

• If the number of TCP SYN packets exceeds the burst-max value, all TCP SYN packets are dropped for the number of seconds specified by the lockup value. When the lockup period expires, the packet counter is reset and measurement is restarted.

Possible values: The burst-normal and burst-max values can be between 1 – 100000 packets. The burst-normal value must be smaller than the burst-max value. The lockup value can be between 1 – 10000 seconds.

Default value: N/A
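The threshold behaviour described for ip icmp burst and ip tcp burst, modelled as an added Python example (not Foundry code): it parses the documented command syntax, enforces the documented value ranges, and replays a constructed per-second packet trace. It assumes that in the second that crosses burst-max the device still forwards up to burst-normal packets and that lockup starts with the following second; the manual does not specify this.

```python
import re
from dataclasses import dataclass

# Ranges taken from the "Possible values" text of ip icmp burst / ip tcp burst.
MAX_BURST = 100000
MAX_LOCKUP = 10000


@dataclass(frozen=True)
class BurstPolicy:
    burst_normal: int  # packets per second above which the excess is dropped
    burst_max: int     # packets per second above which lockup is triggered
    lockup: int        # seconds during which every matching packet is dropped

    def __post_init__(self):
        if not 1 <= self.burst_normal <= MAX_BURST:
            raise ValueError("burst-normal must be 1 - 100000")
        if not 1 <= self.burst_max <= MAX_BURST:
            raise ValueError("burst-max must be 1 - 100000")
        if not 1 <= self.lockup <= MAX_LOCKUP:
            raise ValueError("lockup must be 1 - 10000")
        if self.burst_normal >= self.burst_max:
            raise ValueError("burst-normal must be smaller than burst-max")


_CMD = re.compile(
    r"ip (icmp|tcp) burst-normal (\d+) burst-max (\d+) lockup (\d+)\s*$"
)


def parse_burst_command(line):
    """Parse one config line, with or without the CLI prompt in front.

    Returns (protocol, BurstPolicy); raises ValueError on bad syntax or values.
    """
    command = line.split("#", 1)[-1].strip()
    match = _CMD.match(command)
    if not match:
        raise ValueError("not an ip icmp/tcp burst command: %r" % line)
    proto, normal, maximum, lockup = match.groups()
    return proto, BurstPolicy(int(normal), int(maximum), int(lockup))


def simulate(policy, packets_per_second):
    """Replay per-second packet counts; return [(forwarded, dropped), ...].

    Modelling assumption (not stated in the manual): the second that exceeds
    burst-max is still clipped at burst-normal, and the lockup period covers
    the next `lockup` seconds. After lockup, measurement restarts from zero.
    """
    results = []
    lock_remaining = 0
    for count in packets_per_second:
        if lock_remaining > 0:
            # Lockup: everything is dropped, whatever the rate.
            results.append((0, count))
            lock_remaining -= 1
            continue
        forwarded = min(count, policy.burst_normal)
        results.append((forwarded, count - forwarded))
        if count > policy.burst_max:
            lock_remaining = policy.lockup
    return results


if __name__ == "__main__":
    # Command from the ip tcp burst example; the trace below is constructed.
    proto, policy = parse_burst_command(
        "ServerIron(config-if-e100-1)# ip tcp burst-normal 10 burst-max 100 lockup 300"
    )
    trace = [5, 50, 150] + [20] * 300 + [20]
    outcome = simulate(policy, trace)
    for second in (0, 1, 2, 3, 302, 303):
        fwd, drop = outcome[second]
        print("t=%3ds offered=%3d forwarded=%2d dropped=%3d"
              % (second, trace[second], fwd, drop))
```

The replay makes the operational cost of lockup visible: after a single second above burst-max, legitimate traffic at 20 packets per second is dropped in full for the whole lockup period, so burst-max and lockup should be sized against normal peak load as well as attack load.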

ip tcp syn-proxy

Enables the SYN-Guard feature on individual ports on the ServerIron 400 or ServerIron 800. This feature can be applied to inbound SYN requests (for Web site traffic) and/or outbound SYN requests (for ISP and institution outgoing traffic).

EXAMPLE:

To use the SYN-Guard feature for inbound SYN requests on interface 3/1:

ServerIron(config)# interface e 3/1
ServerIron(config-if-3/1)# ip tcp syn-proxy in

Syntax: ip tcp syn-proxy in | out

When applied to inbound SYN requests, the SYN-Guard feature can be used with all ServerIron features, including TCS, FWLB, and SLB. However, when applied to outbound SYN requests, the SYN-Guard feature is the only process that can act on the packet.

Possible values: N/A

Default value: N/A

ipg10

This command allows you to modify the inter-packet gap (delay) between packets on a 10Mbps Ethernet segment. By default, the delay between packets will be 12 bytes or 9.6 microseconds.

Use this command only to adjust the inter-packet gap to match older adapters that do not meet the default IPG requirements for Ethernet.

In determining the value to enter in the CLI command, note that one byte equals .8 microseconds for packets on a 10Mbps segment, so the following equation can be used:

IPG10 = 9.6 microseconds + (value * .8), where value is the number of bytes by which you want to increase the inter-packet gap.

EXAMPLE:

To increase the delay between packets by 3.2 microseconds, enter the port to be modified and then enter the value of 4 (4 * .8 = 3.2 microseconds).

ServerIron(config)# int e 4
ServerIron(config-if-4)# ipg10 4

Syntax: ipg10 <value>

Possible values: 0 – 100 bytes

Default value: 12 bytes or ipg10 0

NOTE: Entering the value of 0 within the ipg10, ipg100, and ipg1000 commands restores the inter-packet gap (IPG) to the default of 12 bytes.

ipg100

This command allows you to modify the inter-packet gap (delay) between packets on a 100Mbps Ethernet segment on a port-by-port basis. By default, the delay between packets will be 12 bytes or 0.96 microseconds.

Use this command only to adjust the inter-packet gap to match that of older adapters that do not meet the default IPG requirements for Fast Ethernet.

In determining the value to enter in the CLI command, note that one byte equals .08 microseconds for packets on a 100Mbps segment, so the following equation can be used:

IPG100 = 0.96 microseconds + (value * .08), where value is the number of bytes by which you want to increase the inter-packet gap.

EXAMPLE:

To increase the delay between packets by 3.2 microseconds, enter the port to be modified and then enter the value of 40 (40 * .08 = 3.2 microseconds).

ServerIron(config)# int e 3
ServerIron(config-if-3)# ipg100 40

Syntax: ipg100 <value>

Possible values: 0 – 100

Default value: 12 bytes or ipg100 0

ipg1000

This command allows you to modify the inter-packet gap (delay) between packets on a 1000Mbps Gigabit Ethernet segment on a port-by-port basis. By default, the delay between packets will be 12 bytes or .096 microseconds.

Use this command only to adjust the inter-packet gap to match that of older adapters that do not meet the default IPG requirements for Gigabit Ethernet.

In determining the value to enter in the CLI command, note that one byte equals .008 microseconds for packets on a 1000Mbps segment, so the following equation can be used:

IPG1000 = .096 microseconds + (value * .008), where value is the number of bytes by which you want to increase the inter-packet gap.

EXAMPLE:

To increase the delay between packets by .32 microseconds, first enter the port to be modified and then enter the value of 40 (40 * .008 = .32 microseconds).

ServerIron(config)# int e 3
ServerIron(config-if-3)# ipg1000 40

Syntax: ipg1000 <value>

Possible values: 1 – 100

Default value: 12 bytes or ipg1000 0

mac filter-group

Applies a group of MAC filters to an interface. You can configure one filter group on each interface.

NOTE: You must define the filters at the global CONFIG level using the mac filter command (see “mac filter” on page 6-50) before you can apply them in a filter group.

NOTE: The filters must be applied as a group. For example, if you want to apply four filters to an interface, they must all appear on the same command line.

NOTE: You cannot add or remove individual filters in the group. To add or remove a filter on an interface, apply the filter group again containing all the filters you want to apply to the port.


NOTE: If you apply a filter group to a port that already has a filter group applied, the older filter group is replaced by the new filter group.

EXAMPLE:

To apply MAC filters 1, 2, 3, and 1024 to interface 6, enter the following command:

ServerIron(config)# int e 6
ServerIron(config-if-6)# mac filter-group 1 2 3 1024

Syntax: mac-filter-group <filter-list>

Possible values: 1 – 1024

Default value: N/A

monitor

This allows you to select a port to be diagnosed by a designated mirror port. You can configure incoming, outgoing or both incoming and outgoing traffic to be monitored on the port.

EXAMPLE:

To monitor both incoming and outgoing traffic on interface 5:

ServerIron(config)# interface e5
ServerIron(config-if-5)# monitor both

Syntax: monitor input | output | both

Possible values: N/A

Default value: Disabled

multicast limit

Specifies the maximum number of multicast packets the device can forward each second. By default the device sends multicasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However, if other devices in the network cannot handle unlimited multicast traffic, this command allows you to relieve those devices by throttling the multicasts at the Foundry device.

NOTE: The multicast limit does not affect broadcast or unicast traffic. However, you can use the broadcast limit and unknown-unicast limit commands to control these types of traffic. See “broadcast limit” on page 8-1 and “unknown-unicast limit” on page 8-14.

EXAMPLE:

ServerIron(config)# interface e5
ServerIron(config-if-5)# multicast limit 30000

Syntax: multicast limit <num>

Possible values: 0 – 4294967295

Default value: N/A

neg-off

Overrides the default negotiation mode for a Gigabit port on Chassis devices. When you invoke this command, the port does not try to perform a handshake. Instead, the port uses configuration information manually configured by an administrator.

EXAMPLE:

To change the negotiation mode for the port to negotiation-off:

ServerIron(config)# int e3
ServerIron(config-if-3)# neg-off

Syntax: neg-off

Possible values: N/A

Default value: N/A

no

This command disables other commands. To disable a command, place the word no before the command.

phy-mode

If a port on a ServerIron is to be attached to a Bay Networks™ 28000 switch, enter this command at the Interface Level as shown below.

This command helps the ServerIron to adjust to interoperability requirements of the 28000.

EXAMPLE:

ServerIron(config)# int e3
ServerIron(config-if-3)# phy-mode 28k

Syntax: phy-mode 28k

Possible values: 28k

Default value: Option is turned off.

port-name

Assignment of a name to an interface provides additional identification for a segment on the network.

EXAMPLE:

ServerIron(config)# interface e 1
ServerIron(config-if-1)# port-name marketing-funk

Syntax: port-name <text>

Possible values: N/A

Default value: N/A

pvst-mode

Statically enables support for Cisco Systems’ Per VLAN Spanning Tree (PVST).

PVST/PVST+ support is automatically enabled on a port if the port receives a BPDU in PVST/PVST+ format. However, you can statically enable PVST/PVST+ support on a port if desired. In this case, the support is enabled immediately and support for Foundry tagged BPDUs is disabled at the same time.

NOTE: When PVST/PVST+ support is enabled on a port, support for Foundry BPDUs is disabled.

For more information, see the "Configuring Spanning Tree Protocol (STP) and IronSpan" chapter in the Foundry Switch and Router Installation and Basic Configuration Guide.

EXAMPLE:

To enable PVST/PVST+ support on a port, enter commands such as the following:

ServerIron(config)# interface ethernet 1/1
ServerIron(config-if-1/1)# pvst-mode

Syntax: [no] pvst-mode

NOTE: If you disable PVST/PVST+ support, the software still automatically enables PVST/PVST+ support if the port receives an STP BPDU with PVST/PVST+ format.

Possible values: N/A

Default value: Enabled automatically when a PVST/PVST+ BPDU is received on the port


qos-priority

Sets the Quality-of-Service (QoS) priority level for a port, VLAN, static MAC address, or Layer 4 session. You can select the normal queue or the high-priority queue. All traffic is in the normal queue by default. When you allocate a port, VLAN, static MAC address, or Layer 4 session to the high-priority queue, all traffic queued up for that item is processed before any traffic in the normal queue for the same item is processed.

QoS applies to outbound traffic only.

EXAMPLE:

To allocate port 6 traffic to the high-priority queue, enter the following command:

ServerIron(config)# interface e 6
ServerIron(config-if-6)# qos-priority high

Syntax: qos-priority normal | high

Possible values: normal or high

Default value: normal

quit

This command returns you from any level of the CLI to the User EXEC mode.

EXAMPLE:

ServerIron(config-if-6)# quit
ServerIron>

Syntax: quit

Possible values: N/A

Default value: N/A

rshow

Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

show…

Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.

spanning-tree

Spanning tree can be disabled or enabled on an interface basis.

EXAMPLE:

To disable spanning tree on physical port 4 of a system with no VLANs operating, enter the following:

ServerIron(config)# interface ethernet 4
ServerIron(config-if-4)# no spanning-tree

EXAMPLE:

To disable spanning tree on physical port 4 of a system within VLAN 2, enter the following:

ServerIron(config)# vlan 2
ServerIron(config-vlan-2)# no spanning-tree

Syntax: spanning-tree

Possible values: N/A

Default value: Disabled


speed-duplex

Modifies port speed and duplex. It defines the speed and duplex mode for 10BaseT and 100BaseTx ports.

Gigabit (1000BaseSx and 1000BaseLx) and 100BaseFx ports operate at a fixed speed and mode (full-duplex) and cannot be modified.

EXAMPLE:

ServerIron(config)# interface e8
ServerIron(config-if-8)# speed-duplex 10-full

Syntax: speed-duplex <value>

Possible values: 10-full, 10-half, 100-full, 100-half, auto

Default value: 10/100 autosense

unknown-unicast limit

Specifies the maximum number of unknown-unicast packets the device can forward each second. By default the device sends unknown unicasts and all other traffic at wire speed and is limited only by the capacities of the hardware. However, if other devices in the network cannot handle unlimited unknown-unicast traffic, this command allows you to relieve those devices by throttling the unknown unicasts at the Foundry device.

NOTE: The unknown-unicast limit does not affect broadcast or multicast traffic. However, you can use the broadcast limit and multicast limit commands to control these types of traffic. See “broadcast limit” on page 8-1 and “multicast limit” on page 8-11.

EXAMPLE:

ServerIron(config)# interface e8
ServerIron(config-if-8)# unknown-unicast limit 30000

Syntax: unknown-unicast limit <num>

Possible values: 0 – 4294967295

Default value: N/A

write memory

Saves the running-time configuration into the startup-config file.

EXAMPLE:

ServerIron(config-if-8)# write memory

Syntax: write memory

Possible values: N/A

Default value: N/A

write terminal

Displays the running-configuration of the ServerIron on the terminal screen.

EXAMPLE:

ServerIron(config-if-8)# write terminal

Syntax: write terminal

Possible values: N/A

Default value: N/A


Chapter 9 VLAN Commands

always-active

Configures a link between active and standby ServerIrons in some FWLB configurations to forward Layer 2 traffic without causing loops. See the Foundry ServerIron Firewall Load Balancing Guide.

atalk-proto

This command creates an AppleTalk protocol VLAN within a ServerIron port-based VLAN when entered at the VLAN Level. All ports are assumed by default to be members of the VLAN when initially created. Protocol VLAN membership can be modified using the dynamic, static, or exclude commands.

EXAMPLE:

To create an AppleTalk Protocol VLAN with permanent port membership of 9 and 13 and no dynamic ports within an already defined port-based VLAN 2, enter the following commands.

ServerIron(config)# vlan 2

ServerIron(config-vlan-2)# atalk-proto

ServerIron(config-vlan-atalk-proto)# static e 9 e 13

ServerIron(config-vlan-atalk-proto)# no dynamic

NOTE: If configuring this on a switch, enter vlan 2 by port at the CONFIG Level versus vlan 2, as shown in the example above.

Syntax: atalk-proto [<name>]

The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.

To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last arguments in the command. For example, to name an AppleTalk VLAN, enter the following command:

ServerIron(config)# atalk-proto name AppleVLAN1

To name an IP VLAN, enter the following commands:

ServerIron(config)# ip-proto 192.75.5.0/24 name "Ship and Recv"

This example shows how to specify a name that contains a blank. Use double quotation marks before and after the name.

Possible values: N/A

Default value: N/A

decnet-proto

This command creates a Decnet protocol VLAN within a ServerIron port-based VLAN, when entered at the VLAN Level. All ports are assumed by default to be members of the VLAN when initially created. Protocol VLAN membership can be modified using the dynamic, static, or exclude commands.

EXAMPLE:

To create a Decnet protocol VLAN with permanent port membership of 15 and 16 with port 17 as dynamic member port, within VLAN 5, enter the following commands.

ServerIron(config)# vlan 5

ServerIron(config-vlan-5)# decnet-proto

ServerIron(config-vlan-decnet-proto)# exclude e 1 to 14 e18

NOTE: If configuring this on a switch, enter vlan 5 by port at the CONFIG Level versus vlan 5, as shown in the example above.

Syntax: decnet-proto [<name>]

Syntax: atalk-proto [<name>]

The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.

To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last arguments in the command. The name can contain blank spaces if you use double quotation marks before and after the name.

Possible values: N/A

Default value: N/A

end

Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.

EXAMPLE:

To move to the privileged level, enter the following from any level of the CLI.

ServerIron(config-vlan-decnet-proto)# end

ServerIron#

Syntax: end

Possible values: N/A

Default value: N/A

exit

Moves activity up one level from the current level. In this case, activity will be moved to the port-based VLAN level if configuring a protocol VLAN. If configuring a port-based VLAN, activity would be moved to the global level.

EXAMPLE:

ServerIron(config-vlan-decnet-proto)# exit

ServerIron(config)#

Syntax: exit

Possible values: N/A

Default value: N/A

ip-proto

This command creates an IP protocol VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN Level.

When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership by using the static or exclude commands.

NOTE: If configuring on a Foundry router, ports must be added to the VLAN with the static command. Ports are not dynamically allocated to IP protocol VLANs.

EXAMPLE:

To assign ports 1, 2, 6 and 8 to an IP protocol VLAN within VLAN 7, enter the following:

ServerIron(config)# vlan 7

ServerIron(config-vlan-7)# ip-proto

ServerIron(config-vlan-ip-proto)# static e 1 to 2 e 6 e 8

NOTE: If configuring this on a switch, enter vlan 7 by port at the CONFIG Level versus vlan 7, as shown in the example above.

NOTE: An IP protocol and IP sub-net VLAN cannot both be configured to operate on a ServerIron at the same time. This restriction is also true for IPX and IPX network VLANs.

Syntax: ip-proto [<name>]

The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.

Possible values: N/A

Default value: N/A

ip-subnet

This command creates an IP sub-net protocol VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN Level. This allows you to define finer granularity than that of an IP protocol VLAN, by partitioning the broadcast domains by sub-net. In creating an IP sub-net VLAN, an IP address is used as the identifier.

When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership by using the static or exclude commands.

NOTE: When configuring on a Foundry router, ports must be added to the VLAN with the static command. Ports are not dynamically allocated to IP sub-net VLANs.

EXAMPLE:

To create an IP sub-net of IP address 192.75.3.0 with permanent port membership of 1 and 2 (module 2), within VLAN 10, enter the following commands.

ServerIron(config)# vlan 10

ServerIron(config-vlan-10)# ip-subnet 192.75.3.0 255.255.255.0

ServerIron(config-vlan-ip-subnet)# static e 1 to 2

NOTE: If configuring this on a switch, enter vlan 10 by port at the CONFIG Level versus vlan 10, as shown in the example above.

NOTE: An IP protocol and IP sub-net VLAN cannot both be configured to operate simultaneously on a Foundry switch or router. This restriction is also true for IPX and IPX Network VLANs.

Syntax: ip-subnet <ip-addr> <ip-mask> [<name>]

The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.

To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last arguments in the command. The name can contain blank spaces if you use double quotation marks before and after the name.

Possible values: N/A

Default value: N/A

ipx-network

This command creates an IPX network VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN Level. This allows you to define finer granularity than that of the IPX protocol VLAN, by partitioning the broadcast domains by IPX network number. In creating an IPX network VLAN, an IPX network number is used as the identifier. The frame type must also be specified.

When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership by using the static or exclude commands.

NOTE: When configuring on a Foundry router, ports must be added to the VLAN with the static command. Ports are not dynamically allocated to IPX network VLANs.

EXAMPLE:

To create an IPX network VLAN with a network number of 500 and frame type of 802.2 with permanent port membership of 10 and 14 within port-based VLAN 15, enter the following commands.

ServerIron(config)# vlan 15

ServerIron(config-vlan-15)# ipx-network 500 ethernet_802.2

ServerIron(config-vlan-ipx-proto)# static e 10 e 14

Syntax: ipx-network <ipx-network-number> <frame-type> [<name>]

NOTE: If configuring this on a switch, enter vlan 15 by port at the CONFIG Level versus vlan 15, as shown in the example above.

NOTE: An IPX network and IPX protocol VLAN cannot both be configured to operate simultaneously on a Foundry switch or router. This restriction is also true for IP protocol and IP sub-net VLANs.

Possible values: Frame type: ethernet_ii, ethernet_802.2, ethernet_802.3, ethernet_snap

The <name> parameter can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.

Default value: N/A

ipx-proto

This command creates an IPX protocol VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN Level.

When configuring on a switch, all ports are dynamically allocated to the VLAN. You can modify port membership by using the static or exclude commands.

NOTE: If configuring on a Foundry router, ports must be added to the VLAN with the static command. Ports are not dynamically allocated to IPX protocol VLANs.

EXAMPLE:

To assign ports 1, 2, 6 and 8 to an IPX protocol VLAN within port-based VLAN 22, enter the following:

ServerIron(config)# vlan 22

ServerIron(config-vlan-22)# ipx-proto

ServerIron(config-vlan-ipx-proto)# static e 1 to 2 e 6 e 8

NOTE: If configuring this on a switch, enter vlan 22 by port at the CONFIG Level versus vlan 22, as shown in the example above.

NOTE: An IPX protocol and IPX network VLAN cannot both be configured to operate simultaneously on a Foundry switch or router. This restriction is also true for IP and IP sub-net VLANs.

Syntax: ipx-proto [<name>]

The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.

To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last arguments in the command. The name can contain blank spaces if you use double quotation marks before and after the name.

Possible values: N/A

Default value: N/A

netbios-proto

This command creates a NetBIOS protocol VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN Level.

All ports are dynamically allocated to a NetBIOS VLAN when it is created. VLAN Membership can be modified using the dynamic, static, or exclude commands.

EXAMPLE:

To create a NetBIOS Protocol VLAN with permanent port membership of 4 and 5 and ports 8 through 12 as dynamic member ports, within port-based VLAN 25, enter the following commands.

ServerIron(config)# vlan 25

ServerIron(config-vlan-25)# netbios-proto

ServerIron(config-vlan-netbios-proto)# static e 4 e 5

ServerIron(config-vlan-netbios-proto)# exclude e 2 to 2 e 2 e 2 e 2 to 2

NOTE: If configuring this on a switch, enter vlan 25 by port at the CONFIG Level versus vlan 25, as shown in the example above.

Syntax: netbios-proto [<name>]

The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.

To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last arguments in the command. The name can contain blank spaces if you use double quotation marks before and after the name.

Possible values: N/A

Default value: N/A

no

This command is used to disable other commands. To do so, place the word no before the command.

other-proto

This command creates an other-protocol VLAN on a ServerIron within a port-based VLAN, when entered at the VLAN Level.

All ports of the ServerIron are by default dynamically assigned to a newly created other protocol VLAN. VLAN Membership can be modified using the dynamic, static, or exclude commands.

You can use this option to define a protocol-based VLAN for protocols that do not require a singular protocol broadcast domain or are not currently supported on the ServerIron.

EXAMPLE:

On a 16-port switch, ports 13 through 16 represent protocols Decnet and AppleTalk. You do not need to separate traffic by protocol into separate broadcast domains. Instead, create an other-protocol VLAN, with just those ports as members, within port-based VLAN 50.

ServerIron(config)# vlan 50

ServerIron(config-vlan-50)# other-proto

ServerIron(config-vlan-other-proto)# static e13 to 16

ServerIron(config-vlan-other-proto)# exclude e1 to 12

NOTE: If configuring this on a switch, enter vlan 50 by port at the CONFIG Level versus vlan 50, as shown in the example above.

Syntax: other-proto [<name>]

The name can be up to 16 characters long and can contain blanks. The name appears in VLAN show displays.

To specify a VLAN name, use the name keyword followed by a string. The name keyword and string are the last arguments in the command. The name can contain blank spaces if you use double quotation marks before and after the name.

Possible values: N/A

Default value: N/A

priority

This assigns a higher priority to a VLAN so that in times of congestion, it will receive precedence over other transmissions. Up to eight levels of priority can be assigned to a VLAN.

EXAMPLE:

ServerIron(config)# vlan 25

ServerIron(config-vlan-25)# priority high

Syntax: priority normal | high

Possible values: N/A

Default value: N/A

quit

This command returns you from any level of the CLI to the User EXEC mode.

EXAMPLE:

ServerIron(config-vlan-6)# quit

ServerIron>

Syntax: quit

Possible values: N/A

Default value: N/A

router-interface

Configures a virtual routing interface for use with IP forwarding. After you add the virtual routing interface, you can configure IP addresses on the routing interface.

EXAMPLE:

ServerIron(config)# vlan 1

ServerIron(config-vlan-1)# router-interface ve 1

The vlan 1 command changes the CLI to the configuration level for VLAN 1. The router-interface ve 1 command adds virtual routing interface 1.

Syntax: [no] router-interface ve <num>

The <num> parameter specifies the interface ID and can be from 1 – 24.

Possible values: 1 – 24

Default value: N/A

rshow

Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

show…

Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.

spanning-tree

Spanning Tree bridge and port parameters are configurable using one command set at the global level for VLANs.

NOTE: When port-based VLANs are not operating on the system, spanning tree is set on a system level at the Global CONFIG Level.

EXAMPLE:

Suppose you want to change the hello-time value of VLAN 3 from the default value. Additionally, you want to change the path and priority costs for port 5, a member of VLAN 3. Enter the following commands:

ServerIron(config)# vlan 3

ServerIron(config-vlan-3)# span hello-time 8

ServerIron(config-vlan-3)# span ethernet 5 path-cost 15 priority 64

NOTE: You do not need to configure values for the spanning tree parameters. All parameters have default values as noted below. Additionally, all values will be globally applied to all ports on the system or port-based VLAN for which they are defined.

To configure a specific path-cost or priority value for a given Ethernet port, enter those values using the key words found in the brackets [ ] shown in the syntax summary below. If you do not want to specify any specific values for any given Ethernet port, this portion of the command is not required.

Syntax: spanning-tree [ethernet <portnum> path-cost <value> priority <value>] forward-delay <value> hello-time <value> maximum-age <time> priority <value>

Bridge STP Parameters (applied to all ports within a VLAN)

• Forward Delay: the period of time a bridge will wait (the listen and learn period) before forwarding data packets. Possible values: 4 – 30 seconds. Default is 15.

• Maximum Age: the interval a bridge will wait for receipt of a hello packet before initiating a topology change. Possible values: 6 – 40 seconds. Default is 20.

• Hello Time: the interval of time between each configuration BPDU sent by the root bridge. Possible values: 1 – 10 seconds. Default is 2.

• Priority: a parameter used to identify the root bridge in a network. The bridge with the lowest value has the highest priority and is the root. Possible values: 0 – 255. Default is 128.

Port Parameters (applied to a specified port within a VLAN)

• Path Cost: a parameter used to assign a higher or lower path cost to a port. Possible values: 1 – 65535. Default is (1000/Port Speed) for Half-Duplex ports and is (1000/Port Speed)/2 for Full-Duplex ports.

• Priority: value determines when a port will be rerouted in relation to other ports. Possible values: 0 – 255. Default is 128.
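The value ranges listed above can be checked before a change is applied. The following is an added example, not part of the Foundry manual: the function names are hypothetical, the ranges and defaults are the ones in the two lists above, and the timer relationship 2 × (hello-time + 1) ≤ maximum-age ≤ 2 × (forward-delay − 1) is an assumption taken from IEEE 802.1D rather than from this page. It treats all commands as belonging to one VLAN.

```python
# Ranges and defaults copied from the parameter lists in this section.
BRIDGE_RANGES = {"forward-delay": (4, 30), "maximum-age": (6, 40),
                 "hello-time": (1, 10), "priority": (0, 255)}
BRIDGE_DEFAULTS = {"forward-delay": 15, "maximum-age": 20,
                   "hello-time": 2, "priority": 128}
PORT_RANGES = {"path-cost": (1, 65535), "priority": (0, 255)}


def parse_span(command):
    """Parse one 'spanning-tree'/'span' command (a pasted prompt is ignored).

    Returns (bridge_params, port_id, port_params), or None if the line is
    not a spanning-tree command. 'priority' belongs to the port when it
    follows 'ethernet <portnum>', otherwise to the bridge.
    """
    words = command.split("#", 1)[-1].split()
    if not words or words[0].lower() not in ("spanning-tree", "span"):
        return None
    bridge, port, port_id = {}, {}, None
    scope = bridge
    i = 1
    while i < len(words):
        key = words[i].lower()
        if i + 1 >= len(words):
            raise ValueError(f"missing value after {key!r}")
        if key == "ethernet":
            port_id, scope = words[i + 1], port
        else:
            if key in ("forward-delay", "hello-time", "maximum-age"):
                scope = bridge          # bridge keywords end the port clause
            scope[key] = int(words[i + 1])
        i += 2
    return bridge, port_id, port


def check_stp(commands):
    """Return a list of findings for the spanning-tree commands of one VLAN."""
    findings = []
    timers = dict(BRIDGE_DEFAULTS)
    for command in commands:
        parsed = parse_span(command)
        if parsed is None:
            continue
        bridge, port_id, port = parsed
        for label, values, ranges in (("bridge", bridge, BRIDGE_RANGES),
                                      (f"port {port_id}", port, PORT_RANGES)):
            for key, value in values.items():
                if key not in ranges:
                    findings.append(f"{label}: unknown parameter {key}")
                    continue
                low, high = ranges[key]
                if not low <= value <= high:
                    findings.append(f"{label}: {key} {value} outside {low}-{high}")
        timers.update({k: v for k, v in bridge.items() if k in BRIDGE_RANGES})

    # IEEE 802.1D timer relationship (assumption, not stated in this manual).
    hello, max_age, fwd = (timers["hello-time"], timers["maximum-age"],
                           timers["forward-delay"])
    if max_age < 2 * (hello + 1):
        findings.append(f"maximum-age {max_age} < 2 x (hello-time {hello} + 1)")
    if max_age > 2 * (fwd - 1):
        findings.append(f"maximum-age {max_age} > 2 x (forward-delay {fwd} - 1)")
    return findings


# The two commands from the example in this section.
MANUAL_EXAMPLE = [
    "ServerIron(config-vlan-3)# span hello-time 8",
    "ServerIron(config-vlan-3)# span ethernet 5 path-cost 15 priority 64",
]
# Constructed input with out-of-range and inconsistent values.
CONSTRUCTED_BAD = [
    "span hello-time 10",
    "span ethernet 5 path-cost 70000 priority 64",
    "span forward-delay 3",
]

if __name__ == "__main__":
    print(check_stp(MANUAL_EXAMPLE))
    for finding in check_stp(CONSTRUCTED_BAD):
        print(finding)
```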

static-mac-address

This command allows you to define a static MAC address for a port on a ServerIron to ensure the device is not aged out. When defining the MAC address entry, you can also define the port’s priority and whether or not it is a router-type or host-type.

NOTE: If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-based VLAN (VLAN 1). If you enter the command at the configuration level for a specific port-based VLAN, the entry applies to that VLAN and not to the default VLAN.

NOTE: If you want to include a trunk group when you configure a static MAC entry that has multiple ports, include only the primary port of the trunk group. If you include all the trunk group’s ports, the ServerIron uses all the ports to forward traffic for the MAC address instead of using only the active trunk port.

EXAMPLE:

To enter a static MAC address entry for port 5, that is also resident in port-based VLAN 4, enter the following:

ServerIron(config)# vlan 4

ServerIron(config-vlan-4)# static-mac-address 023.876.735 ethernet 5 high-priority router-type

The syntax for adding static MAC entries differs depending on whether you are using a stackable or chassis ServerIron.

Syntax for chassis devices:

Syntax: static-mac-address <mac-addr> ethernet <portnum> [priority <0-7>] [host-type | router-type]

Syntax for stackable devices:

Syntax: static-mac-address <mac-addr> ethernet <portnum> [to <portnum> ethernet <portnum>] [normal-priority | high-priority] [host-type | router-type | fixed-host]

The priority can be 0 – 7 (0 is lowest and 7 is highest) for chassis devices and either normal-priority or high-priority for stackable devices.

NOTE: The fixed-host parameter is supported only on stackable ServerIrons. Use the fixed-host parameter for Layer 2 firewall configurations. The parameter "fixes" the address to the ServerIron port you specify and prevents other ports on the ServerIron from learning it. Use the router-type parameter for all other types of FWLB configurations. For more information, see the Foundry ServerIron Firewall Load Balancing Guide.

To create a static MAC entry that is associated with multiple ports, enter a command such as the following:

ServerIron(config-vlan-4)# static-mac-address aaaa.bbbb.cccc ethernet 1 ethernet 3 to 5

This command creates a static MAC entry that is associated with port 1 and ports 3 – 5. The ServerIron forwards traffic addressed to aaaa.bbbb.cccc out all the ports you specified, in this case 1, 3, 4, and 5.

Syntax: static-mac-address <mac-addr> ethernet <portnum> [to <portnum> ethernet <portnum>] [normal-priority | high-priority] [host-type | router-type | fixed-host]

Foundry recommends that you configure a static ARP entry to match the static MAC entry. In fact, the software automatically creates a static MAC entry when you create a static ARP entry.

NOTE: When a static MAC entry has a corresponding static ARP entry, you cannot delete the static MAC entry unless you first delete the static ARP entry.

To create a static ARP entry for a static MAC entry, enter a command such as the following:

ServerIron(config-vlan-4)# arp 1 192.53.4.2 aaaa.bbbb.cccc ethernet 1

NOTE: The arp command allows you to specify only one port number. To create a static ARP entry for a static MAC entry that is associated with multiple ports, specify the first (lowest-numbered) port associated with the static MAC entry.

Possible values: See above.

Default value: See above.

tagged

Once a port-based VLAN is created, port membership for that VLAN must be defined. To assign a port to a port-based VLAN, either the tagged or untagged command is used. When a port is tagged, it can be a member of multiple port-based VLANs.

When a port is tagged, it allows communication among the different VLANs to which it is assigned. A common use is to place an email server that multiple groups need to reach on a tagged port that is a member of every VLAN whose members need access to the server.

EXAMPLE:

To make port 5 (module 5), a member of port-based VLAN 4, a tagged port, enter the following:

ServerIron(config)# vlan 4

ServerIron(config-vlan-4)# tagged ethernet 3/5

Syntax: tagged ethernet <portnum> [to <portnum> [ethernet <portnum>]]

Possible values: see above.

Default value: N/A

untagged

Once a port-based VLAN is created, port membership for that VLAN must be defined. To assign a port to a port-based VLAN, either the tagged or untagged command is used. When a port is ‘untagged’ it can only be a member of one VLAN.

EXAMPLE:

Suppose you want to assign all ports on a 16-port ServerIron except port 5 (module 3) as untagged to a VLAN. To assign ports 1-4 and 6-16 to VLAN 4, enter the following:

ServerIron(config)# vlan 4

ServerIron(config-vlan-4)# untagged ethernet 3/1 to 3/4 e 3/6 to 3/16

Syntax: untagged ethernet <portnum> [to <portnum> ethernet <portnum>]

Possible values: see above.

Default value: N/A
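The membership rules in the tagged and untagged entries above (an untagged port belongs to one VLAN only; a tagged port is shared by every VLAN it is assigned to) can be checked against a planned change script before it is entered. The following is an added example, not part of the Foundry manual: the function names and the sample command list are constructed, and the port-list parser covers only the forms that appear in this chapter's examples.

```python
import re
from collections import defaultdict

# Port-list forms seen in this chapter's examples:
#   "e 1 to 2 e 6 e 8", "e13 to 16", "ethernet 3/1 to 3/4 e 3/6 to 3/16"
PORT_RE = re.compile(
    r"\b(?:ethernet|e)\s*(\d+(?:/\d+)?)(?:\s+to\s+(\d+(?:/\d+)?))?",
    re.IGNORECASE,
)
VLAN_RE = re.compile(r"^vlan\s+(\d+)(?:\s+by\s+port)?$", re.IGNORECASE)
MEMBER_RE = re.compile(r"^(untagged|untag|tagged)\s+(.+)$", re.IGNORECASE)


def split_port(port):
    """'3/16' -> ('3', 16); '8' -> ('', 8)."""
    slot, _, number = port.rpartition("/")
    return slot, int(number)


def expand_ports(arg):
    """Expand a port list such as 'ethernet 3/1 to 3/4 e 3/6' into single ports."""
    ports = []
    for match in PORT_RE.finditer(arg):
        first = match.group(1)
        last = match.group(2) or first
        (slot1, n1), (slot2, n2) = split_port(first), split_port(last)
        if slot1 != slot2 or n2 < n1:
            raise ValueError(f"unsupported range: {first} to {last}")
        for n in range(n1, n2 + 1):
            ports.append(f"{slot1}/{n}" if slot1 else str(n))
    if not ports:
        raise ValueError(f"no ports found in {arg!r}")
    return ports


def audit_vlan_membership(commands):
    """Return (conflicts, shared) for a list of CLI commands.

    conflicts: ports configured as untagged in more than one VLAN.
    shared:    tagged ports and the VLANs each one is a member of, i.e. the
               ports through which those VLANs are joined.
    """
    untagged = defaultdict(set)   # port -> VLAN IDs
    tagged = defaultdict(set)
    vlan = None
    for raw in commands:
        line = raw.split("#", 1)[-1].strip()      # drop a pasted CLI prompt
        match = VLAN_RE.match(line)
        if match:
            vlan = int(match.group(1))
            continue
        match = MEMBER_RE.match(line)
        if match and vlan is not None:
            table = tagged if match.group(1).lower() == "tagged" else untagged
            for port in expand_ports(match.group(2)):
                table[port].add(vlan)
    conflicts = {p: sorted(v) for p, v in untagged.items() if len(v) > 1}
    shared = {p: sorted(v) for p, v in tagged.items() if len(v) > 1}
    return conflicts, shared


# Constructed change script; VLAN 7 reuses port 3/4, which VLAN 4 already
# holds as untagged, and port 3/5 is tagged into both VLANs.
SAMPLE = [
    "ServerIron(config)# vlan 4",
    "ServerIron(config-vlan-4)# untagged ethernet 3/1 to 3/4 e 3/6 to 3/16",
    "ServerIron(config-vlan-4)# tagged ethernet 3/5",
    "ServerIron(config)# vlan 7",
    "ServerIron(config-vlan-7)# untagged ethernet 3/4 e 2/1",
    "ServerIron(config-vlan-7)# tagged ethernet 3/5",
    "ServerIron(config)# vlan 10 by port",
    "ServerIron(config-vlan-10)# untag ethernet 1/1 to 1/24",
]

if __name__ == "__main__":
    conflicts, shared = audit_vlan_membership(SAMPLE)
    print("untagged in more than one VLAN:", conflicts)
    print("tagged ports spanning VLANs:", shared)
```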

uplink-switch

Configures a set of ports within a port-based VLAN as uplink ports for the VLAN. All broadcast and unknown-unicast traffic goes only to the uplink ports, not to the other ports in the VLAN.

For more information, see the "Configuring Virtual LANs (VLANs)" chapter in the Foundry Switch and Router Installation and Basic Configuration Guide.

EXAMPLE:

To configure a port-based VLAN containing uplink ports, enter commands such as the following:

ServerIron(config)# vlan 10 by port

ServerIron(config-vlan-10)# untag ethernet 1/1 to 1/24

ServerIron(config-vlan-10)# untag ethernet 2/1 to 2/2

ServerIron(config-vlan-10)# uplink-switch ethernet 2/1 to 2/2

Syntax: [no] uplink-switch ethernet <portnum> [to <portnum> | ethernet <portnum>]

In this example, 24 ports on a 10/100 module and two Gigabit ports on a Gigabit module are added to port-based VLAN 10. The two Gigabit ports are then configured as uplink ports.

Possible values: see above.

Default value: N/A

write memory

Saves the running-time configuration into the startup-config file.

EXAMPLE:

ServerIron(config-vlan-4)# write memory

Syntax: write memory

Possible values: N/A

Default value: N/A

write terminal

Displays the running-configuration of the ServerIron on the terminal screen.

EXAMPLE:

ServerIron(config-vlan-4)# write terminal

Syntax: write terminal

Possible values: N/A

Default value: N/A

Chapter 10 Real Server Commands

asymmetric

Overrides the ServerIron’s default mechanism for checking the health of cache servers. Normally, the ServerIron uses cache responses forwarded back through the ServerIron as indications of a cache server’s health. However, in some topologies, the cache responses do not pass through the ServerIron.

EXAMPLE:

ServerIron(config-rs-realserver1)# asymmetric

Syntax: asymmetric

Possible values: N/A

Default value: Disabled

backup

Designates a real server to be a backup server.

By default, the virtual server uses the locally attached real servers (added using the server real-name command) as the primary load-balancing servers and uses the remotely attached servers (added using the server remote-name command) as backups.

NOTE: This command applies only to the ServerIron 400 or ServerIron 800 running software release 07.2.23 or later.

EXAMPLE:

ServerIron(config-rs-R3)# backup

Syntax: [no] backup

You also need to configure virtual servers to use the primary and backup servers you designate. See “port” on page 11-3.

Possible values: N/A

Default value: Primary if locally attached; backup if remotely attached

clear

Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in “Privileged EXEC Commands” on page 5-1.

clone-server

Makes a copy ("clone") of a real server’s configuration. When you clone a real server, you make a copy of the real server’s configuration information under a new name. The copy includes the port bindings to the virtual server.

EXAMPLE:

ServerIron(config)# server real rs1 1.2.3.4

ServerIron(config-rs-rs1)# clone-server rs2 5.6.7.8

The first command changes the CLI to the configuration level for the real server you want to copy. The second command creates a clone of real server rs1. The clone is named "rs2" and has IP address 5.6.7.8.

Syntax: clone-server <name> <ip-addr>

The <name> parameter specifies the name of the clone.

The <ip-addr> parameter specifies the IP address of the clone.

NOTE: To delete a server clone, you must manually edit the startup-config file to remove the command. The "no" option is not supported for this command.

Possible values: See above

Default value: N/A

description

Adds a description to a real server, virtual server, firewall, or cache. The description appears in the output of show commands and in the running-config and startup-config files.

EXAMPLE:

ServerIron(config)# server real RS20 1.2.3.4

ServerIron(config-rs-RS20)# description "Real Server # 20"

Syntax: description <"text">

Possible values: N/A

Default value: N/A

end

Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.

EXAMPLE:

To move to the privileged level, enter the following from any level of the CLI.

ServerIron(config-rs-webland)# end

ServerIron#

Syntax: end

Possible values: N/A

Default value: N/A

exceed-max-drop

Drops HTTP requests when all the real servers in a server group have reached their maximum number of connections.

EXAMPLE:

ServerIron(config)# server real-name server1 207.95.7.1

ServerIron(config-rs-server1)# exceed-max-drop

ServerIron(config-rs-server1)# exit

Syntax: exceed-max-drop

Possible values: N/A

Default value: N/A

exit

Moves activity up one level from the current level. In this case, activity will be moved to the global level.

EXAMPLE:

ServerIron(config-rs-webland)# exit

ServerIron(config)#

Syntax: exit

Possible values: N/A

Default value: N/A

filter-match

This command enables policy-based caching, which selectively caches web sites on specific cache servers. For example, an ISP can use a ServerIron configured for policy-based caching to redirect HTTP traffic to a series of web cache servers made by different vendors with different caching criteria.

To take advantage of policy-based caching, you also need to define IP access policy filters.

EXAMPLE:

ServerIron(config-rs-fixedcontent)# filter-match

Syntax: filter-match

Possible values: N/A

Default value: N/A

history-group

This command is used with the Layer 4 statistics monitoring function on the ServerIron. This command binds a history list to a real server. You can bind up to 8 history lists to a real server or port on a real server.

EXAMPLE:

To bind history list 1 to port 80 (HTTP) on real server aaa:

ServerIron(config)# server real aaa

ServerIron(config-rs-aaa)# port http history-group 1

Syntax: history-group <entry-numbers>

Possible values: You can bind up to 8 history lists to a real server or port on a real server

Default value: N/A

host-range

Creates a range of contiguous virtual IP addresses (VIPs) based on the VIP address of the virtual server. The ServerIron creates the range by creating the number of VIPs that you specify with this command. You do not specify a range; you specify the number of hosts in the range. The beginning address in the range is always the VIP.

NOTE: The IP addresses must be contiguous on the real server.

EXAMPLE:

To define a range of 500 contiguous VIPs, enter the following commands:

ServerIron(config)# server real-name r1 10.4.4.4

ServerIron(config-rs-r1)# host-range 500

ServerIron(config-rs-r1)# exit

ServerIron(config)# server real-name r2 10.4.4.5

ServerIron(config-rs-r2)# host-range 500

ServerIron(config-rs-r2)# exit

ServerIron(config)# server virtual-name lotsofhosts 209.157.22.99

ServerIron(config-vs-lotsofhosts)# host-range 500

ServerIron(config-vs-lotsofhosts)# exit

Syntax: host-range <range>

Possible values: 0 – 4294967295

Default value: N/A

ip-address

Changes a real server’s IP address.

You can change the IP address even when the real server is active. This capability is useful when you want to perform some maintenance on the real server (either the server itself or the server’s configuration on the ServerIron) or when the network topology has changed.

By default, when you change a server’s IP address, the ServerIron performs the change gracefully, as follows:

• Existing connections are allowed to continue on the old IP address until they terminate normally.

• New client requests are sent to the new IP address.

Optionally, you can force all existing connections to be reset instead of waiting for them to terminate normally. When you force the connections to be reset, the ServerIron immediately resets a connection when it receives client data for the connection.

EXAMPLE:

ServerIron(config)# server real rs1

ServerIron(config-rs-rs1)# ip-address 5.6.7.8

Syntax: [no] ip-address <ip-addr> [force-shutdown]

The <ip-addr> parameter specifies the real server’s new IP address.

The force-shutdown parameter immediately resets a client’s connection to the IP address when the ServerIron receives TCP data from the client. By default, the ServerIron allows existing connections to terminate normally following the address change.

Possible values: valid IP address

Default value: the address you specified when you configured the server

max-conn

Allows you to specify the maximum number of sessions the ServerIron will maintain in its session table for a specific real server.

NOTE: The configured value cannot exceed the maximum value configured for active sessions using the server session-limit command at the global level.

EXAMPLE:

ServerIron(config)# server real-name web2

ServerIron(config-rs-web2)# max-conn 1000

Syntax: max-conn <value>

Possible values: 1 – 1,000,000

Default value: 1,000,000

max-tcp-conn-rate

Configures Connection Rate Limiting (CRL) for a TCP application port on a real server, cache server, or firewall.

EXAMPLE:

ServerIron(config-rs-FW1)# max-tcp-conn-rate 1000

The command in this example specifies a maximum TCP connection rate of 1000 connections per second on firewall FW1.

Syntax: [no] max-tcp-conn-rate <num>

The <num> parameter specifies the maximum number of connections per second and can be a number from 1 – 65535. The default is 65535.

Possible values: 1 – 65535

Default value: 65535

max-udp-conn-rate

Configures Connection Rate Limiting (CRL) for a UDP application port on a real server, cache server, or firewall.

EXAMPLE:

ServerIron(config-rs-FW1)# max-udp-conn-rate 800

The command in this example specifies a maximum UDP connection rate of 800 connections per second on firewall FW1.

Syntax: [no] max-udp-conn-rate <num>

The <num> parameter specifies the maximum number of connections per second and can be a number from 1 – 65535. The default is 65535.

Possible values: 1 – 65535

Default value: 65535

no

This command is used to disable other commands. To do so, place the word no before the command.

other-ip

Configures a second IP address for certain multihomed devices. This command can be used in some FWLB configurations where a pair of ServerIrons is configured as an active-standby pair and the firewalls are multihomed. In this type of configuration, the other-ip command identifies the IP address of the firewall interface connected to the other ServerIron in the pair.

port

Allows you to override global port attributes set in the port’s profile. In addition, this command allows you to configure application-specific health check parameters for HTTP, DNS, and RADIUS ports.

EXAMPLE:

To disable a port, enter commands such as the following:

ServerIron(config)# server real-name web2

ServerIron(config-rs-web2)# port http disable

Syntax: [no] port <port> [disable | enable]

EXAMPLE:

To locally enable a TCP/UDP health check, enter a command such as the following at the Real Server level of the CLI:

ServerIron(config-rs-jet)# port dns keepalive

Syntax: [no] port <port> [keepalive]

If you use the "no" parameter in front of the command, you are locally disabling the health check. The health checks are locally disabled by default.

The <port> parameter can have one of the following values:

• dns – the well-known name for port 53

NOTE: If you are configuring Global SLB, you must use the proxy parameter following dns; for example, port dns proxy. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

• ftp – the well-known name for port 21. (Ports 20 and 21 both are FTP ports but in the ServerIron, the name “ftp” corresponds to port 21.)

• http – the well-known name for port 80

• imap4 – the well-known name for port 143

• ldap – the well-known name for port 389

• mms – the well-known name for port 1755

• nntp – the well-known name for port 119

• ntp – the well-known name for port 123

• pnm – the well-known name for port 7070

• pop2 – the well-known name for port 109

• pop3 – the well-known name for port 110

• radius – the well-known name for udp port 1812

• smtp – the well-known name for port 25

• snmp – the well-known name for port 161

• ssl – the well-known name for port 443

• rtsp – the well-known name for port 554

• telnet – the well-known name for port 23

• tftp – the well-known name for port 69

• <number>

NOTE: Specify the port number if the port is not one of the well-known names listed above.

EXAMPLE:

To configure the HTTP keepalive request to send a HEAD request for “sales.html”, enter the following commands:

ServerIron(config)# server real Jet 207.96.3.251

ServerIron(config-rs-jet)# port http url "/sales.html"

ServerIron(config-rs-jet)# exit

ServerIron(config)# server virtual NiceServer 207.96.4.250

ServerIron(config-vs-NiceServer)# port http

ServerIron(config-vs-NiceServer)# bind http Jet http

Syntax: port http url “[GET | HEAD] [/]<URL-page-name>”

GET or HEAD is an optional parameter that specifies the request type. By default, HTTP keepalive uses HEAD to retrieve the URL page. You can override the default and configure the ServerIron to use GET to retrieve the URL page.

The slash ( / ) is an optional parameter. If you do not set the GET or HEAD parameter, and the slash is not in the configured URL page, then ServerIron automatically inserts a slash before retrieving the URL page.

EXAMPLE:

To configure the domain name for address-based DNS health checking, enter the following command:

ServerIron(config-rs-jet)# port dns addr_query "abc.zone1.com"

Syntax: [no] port dns addr_query "<name>"

To configure the zone name for zone-based DNS health checking, enter the following command:

ServerIron(config-rs-jet)# port dns zone foundrynet.com

Syntax: [no] port dns zone <zone-name>

EXAMPLE:

To configure the parameters for a RADIUS health check, enter commands such as the following at the Real Server level of the CLI:

ServerIron(config-rs-jet)# port radius username willy

ServerIron(config-rs-jet)# port radius password wonka

ServerIron(config-rs-jet)# port radius key chklt

Syntax: [no] port radius username <string>

Syntax: [no] port radius password <string>

Syntax: [no] port radius key <string>

Possible values: See above

Default value: See above

EXAMPLE:

In a web switching configuration, to specify the server group(s) to which the real server belongs:

ServerIron(config-rs-jet)# port http group-id 1 5

Syntax: [no] port http group-id <server-group-id-pairs>

Possible values: The server group is expressed as a pair of numbers, indicating a range of real server group IDs. The first number is the lowest-numbered server group ID, and the second is the highest-numbered server group ID. For example, if a real server belongs only to the server group with ID = 1, the last two numbers in the port http group-id command would be 1 1. (Note the space between the two numbers.) If a real server belongs to server groups 1 – 10, the last two numbers in the command would be 1 10. To include a real server in groups that are not consecutively numbered, you can enter up to four server group ID pairs. Valid numbers for server group IDs are 0 – 1023.

Default value: N/A

EXAMPLE:

To disable the Layer 4 health check for an individual application on an individual firewall, enter a command such as the following at the firewall configuration level of the CLI:

ServerIron(config-rs-FW1)# port http no-health-check

The command in this example disables Layer 4 health checks for port HTTP on firewall FW1.

Syntax: [no] no-health-check

EXAMPLE:

To limit the rate of new connections for a specific application port, enter commands such as the following:

ServerIron(config-rs-RS1)# port http

ServerIron(config-rs-RS1)# port http max-tcp-conn-rate 600

These commands add port HTTP (80) to the real server and limit the rate of new connections to the port to 600.

Syntax: port <TCP/UDP-portnum> max-tcp-conn-rate <num>

Syntax: port <TCP/UDP-portnum> max-udp-conn-rate <num>

The port <TCP/UDP-portnum> parameter specifies the application port.

The <num> parameter specifies the maximum number of connections per second.

Possible values: See above

Default value: Follows the global state of the Layer 4 path health check. See “fw-health-check tcp | udp” on page 12-5.
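
The Connection Rate Limiting settings described above can be reviewed before a change is applied. The following Python sketch is an added example, not Foundry code: it reads a constructed CLI session in this chapter's prompt notation and reports application ports on real servers that have neither a port-level nor a server-level max-tcp-conn-rate or max-udp-conn-rate, plus values outside 1 – 65535. The server names, the transport table for well-known port names, and the treatment of server-level and port-level limits as independent settings are assumptions.

```python
import re

DEFAULT_RATE = 65535  # documented default for both max-*-conn-rate commands
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")
RATE = re.compile(r"^max-(tcp|udp)-conn-rate\s+(\d+)$")

# Transport used by some well-known port names (assumption of this example);
# any other port is checked for both TCP and UDP.
TRANSPORT = {
    "http": ("tcp",), "ssl": ("tcp",), "ftp": ("tcp",), "smtp": ("tcp",),
    "telnet": ("tcp",), "radius": ("udp",), "tftp": ("udp",),
    "snmp": ("udp",), "ntp": ("udp",), "dns": ("tcp", "udp"),
}

# Constructed sample session (hypothetical real servers RS1 and RS2).
SAMPLE_SESSION = """\
ServerIron(config)# server real RS1 10.0.0.11
ServerIron(config-rs-RS1)# port http
ServerIron(config-rs-RS1)# port http max-tcp-conn-rate 600
ServerIron(config-rs-RS1)# port dns
ServerIron(config-rs-RS1)# exit
ServerIron(config)# server real RS2 10.0.0.12
ServerIron(config-rs-RS2)# max-tcp-conn-rate 1000
ServerIron(config-rs-RS2)# port http
ServerIron(config-rs-RS2)# port dns max-udp-conn-rate 70000
ServerIron(config-rs-RS2)# exit
"""


def audit(session):
    """Return (server, port, issue) tuples for missing or invalid CRL settings."""
    servers = {}   # name -> {"limits": {proto: n}, "ports": {port: {proto: n}}}
    findings = []
    name = None    # real server whose configuration level we are in
    for raw in session.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[0] == "server":
            # Only "server real" / "server real-name" opens a real-server level.
            is_real = len(words) >= 3 and words[1] in ("real", "real-name")
            name = words[2] if is_real else None
            if name:
                servers.setdefault(name, {"limits": {}, "ports": {}})
            continue
        if words[0] in ("exit", "end", "quit"):
            name = None
            continue
        if name is None:
            continue
        negate = words[0] == "no"
        if negate:
            words = words[1:]
        port = None
        if len(words) >= 2 and words[0] == "port":
            if words[1] in ("disable-all", "unbind-all"):
                continue
            port, words = words[1], words[2:]
        match = RATE.match(" ".join(words))
        if negate and not match:
            continue  # other "no ..." forms are outside this check
        cfg = servers[name]
        scope = cfg["limits"] if port is None else cfg["ports"].setdefault(port, {})
        if not match:
            continue
        proto, num = match.group(1), int(match.group(2))
        if negate or num == DEFAULT_RATE:
            scope.pop(proto, None)   # removed, or identical to the default
        elif 1 <= num < DEFAULT_RATE:
            scope[proto] = num
        else:
            findings.append((name, port or "*", f"{proto} rate {num} outside 1-65535"))
    for srv, cfg in servers.items():
        for port, limits in cfg["ports"].items():
            for proto in TRANSPORT.get(port, ("tcp", "udp")):
                if proto not in limits and proto not in cfg["limits"]:
                    findings.append(
                        (srv, port, f"no {proto} rate limit; default {DEFAULT_RATE}/s applies"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SESSION):
        print(*finding, sep=": ")
```
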

port disable-all

Disables all the application ports on a real server.

NOTE: This command applies only to the ServerIron 400 and ServerIron 800.

EXAMPLE:

ServerIron(config-rs-R1)# port disable-all

To re-enable all the application ports, enter the following command:

ServerIron(config-rs-R1)# no port disable-all

Syntax: [no] port disable-all

Possible values: N/A

Default value: Enabled

port unbind-all

Unbinds all of a real server’s application ports from all virtual servers.

NOTE: This command applies only to the ServerIron 400 and ServerIron 800.

EXAMPLE:

To unbind a real server’s application ports, enter the following command at the configuration level for the server:

ServerIron(config-rs-R1)# port unbind-all

Syntax: port unbind-all

NOTE: Once you unbind the ports, you can rebind them only on an individual virtual server and port basis.

To re-bind an application port, you must use the bind command at the configuration level for the virtual server. For example, if server R1 has two application ports, 80 and 8080, enter the following commands to rebind the ports to virtual server VIP1. This example assumes that the VIP uses two real servers (R1 and R2) for the application ports.

ServerIron(config-vs-VIP1)# bind http R1 http R2 http

ServerIron(config-vs-VIP1)# bind 8080 R1 8080 R2 8080

Possible values: N/A

Default value: Bound to the virtual servers to which you bound them

quit

This command returns you from any level of the CLI to the User EXEC mode.

EXAMPLE:

ServerIron(config-rs-test)# quit

ServerIron>

Syntax: quit

Possible values: N/A

Default value: N/A

response-time

Configures server response-time warning and shutdown thresholds for an individual server.

For information about response-time thresholds, see “server response-time” on page 6-79.

EXAMPLE:

ServerIron(config-rs-R1)# response-time 50 75

This command sets the warning threshold to 50 milliseconds and the shutdown threshold to 75 milliseconds, for this real server only.

NOTE: The threshold values you configure on an individual real server override the globally configured thresholds.

Syntax: [no] response-time <warning-threshold> [<shutdown-threshold>]

The <warning-threshold> parameter specifies the average number of milliseconds within which an application port must respond to avoid a warning message. You can specify from 0 – 65535 milliseconds (65 seconds). There is no default. If you specify 0, the warning threshold is disabled.

The <shutdown-threshold> parameter specifies the average number of milliseconds within which an application port must respond to avoid being shut down. You can specify from 0 – 65535 milliseconds (65 seconds). There is no default. If you specify 0, the shutdown threshold is disabled.

If you want the ServerIron to generate a warning message but you do not want the ServerIron to shut down an application port, configure the warning threshold but not the shutdown threshold. Here is an example:

ServerIron(config-rs-R1)# response-time 100

To set the shutdown threshold without also setting a warning threshold, enter 0 for the warning threshold, as shown in the following example:

ServerIron(config-rs-R1)# response-time 0 300

Possible values: 0 – 65535 milliseconds (65 seconds)

Default value: not configured

rshow

Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

show…

Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.

source-nat

In an SLB configuration, configures the ServerIron to translate the source address of client requests the ServerIron forwards to real servers. The ServerIron changes the address to a source IP address you have configured on the ServerIron.

Add source IP addresses and enable source NAT if the ServerIron and real server are in different sub-nets. See the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

EXAMPLE:

ServerIron(config-rs-june)# source-nat

Syntax: [no] source-nat

Possible values: N/A

Default value: Disabled

weight

Allows you to assign a performance weight to each server. Servers assigned a larger or higher weight receive a larger percentage of connections.

EXAMPLE:

To set the weight for a server to 5 from the default value of 1, enter the following command:

ServerIron(config)# server real web5

ServerIron(config-rs-web5)# weight 5

Syntax: weight <least-connections-weight> [<response-time-weight>]

The <least-connections-weight> parameter specifies the real server’s weight relative to other real servers in terms of the number of connections on the server. More precisely, this weight is based on the number of session table entries the ServerIron has for TCP or UDP sessions with the real server. You can specify a value from 0 – 65000. The default is 1. This parameter is required. However, if you want to use a weight value only for the Server Response Time but not for the number of connections, specify 0 for this parameter.

The <response-time-weight> parameter specifies the real server’s weight relative to other real servers in terms of the server’s response time to client requests sent to the server. You can specify a value from 0 – 65000. The default is 0 (disabled). This weight is applicable only when the server response time load-balancing method is enabled.

If you enter a value for <response-time-weight>, the ServerIron adds the two weight values together when selecting a real server. If you specify equal values for each parameter, the ServerIron treats the weights equally. The number of connections on the server is just as relevant as the server’s response time. However, if you set one parameter to a higher value than the other, the ServerIron places more emphasis (weight) on the parameter with the higher value. For example, if you specify a higher server response time weight than the weight for the number of connections, the ServerIron pays more attention to the server’s response time than to the number of connections it currently has when considering the real server for a new connection.

NOTE: If you use the server response time method, you also can modify the smooth factor on individual application ports. See the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

Possible values: See above

Default value: 0

write memory

Saves the running-time configuration into the startup-config file.

EXAMPLE:

ServerIron(config-rs-web5)# write memory

Syntax: write memory

Possible values: N/A

Default value: N/A

write terminal

Displays the running-configuration of the ServerIron on the terminal screen.

EXAMPLE:

ServerIron(config-rs-web5)# write terminal

Syntax: write terminal

Possible values: N/A

Default value: N/A

Chapter 11 Virtual Server Commands

acl-id

Contact Foundry engineering for information about using this command as part of a virtual server configuration.

bind

Allows you to bind a virtual server service to real server services. A virtual server service can bind one or more real-server services.

EXAMPLE:

To bind a virtual server to HTTP services on real servers web1 and web2, enter the following:

ServerIron(config)# server virtual www.foundrynet.com 207.95.5.1

ServerIron(config-vs-www.foundrynet.com)# bind http web1 http web2 http

Syntax: bind <tcp/udp-port-number> <real-server-name> <tcp/udp-port-number>

EXAMPLE:

• TCP/UDP port numbers:

• default – all the well-known names listed below

• dns – the well-known name for port 53

• ftp – the well-known name for port 21. (Ports 20 and 21 both are ftp ports but on the ServerIron, the name “ftp” corresponds to port 21.)

• http – the well-known name for port 80

• imap4 – the well-known name for port 143

• ldap – the well-known name for port 389

• mms – the well-known name for port 1755

• nntp – the well-known name for port 119

• ntp – the well-known name for port 123

• pnm – the well-known name for port 7070

• pop2 – the well-known name for port 109

• pop3 – the well-known name for port 110

• radius – the well-known name for udp port 1812

• smtp – the well-known name for port 25

• snmp – the well-known name for port 161

• ssl – the well-known name for port 443

• rtsp – the well-known name for port 554

• telnet – the well-known name for port 23

• tftp – the well-known name for port 69

• Virtual server name: any previously defined virtual server

Default value: N/A

cache-enable

Enables the Active Cache feature, which configures the ServerIron to try resolving a client request using a cache server first, then using a load balanced server if the cache does not contain the requested content. For an example of how to use this feature, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

NOTE: By default, this command enables combined TCS and SLB service only for the HTTP port (port 80). To enable combined TCS and SLB service for other ports, you must specify the port name or number.

EXAMPLE:

To enable Active Cache for VIP “Foundry”, enter the following command:

ServerIron(config-vs-Foundry)# cache-enable

To enable Active Cache for the SSL port (port 443) on VIP “Foundry”, enter the following command:

ServerIron(config-vs-Foundry)# port ssl cache-enable

Syntax: [no] cache-enable

Syntax: [no] port <tcp/udp-port> cache-enable

Possible values: N/A

clear

Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in “Privileged EXEC Commands” on page 5-1.

end

Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.

EXAMPLE:

To move to the privileged level, enter the following from any level of the CLI.

ServerIron(config-vs-www.rumors.com)# end

ServerIron#

Syntax: end

Possible values: N/A

Default value: N/A

exit

Moves activity up one level from the current level. In this case, activity will be moved to the global level.

EXAMPLE:

ServerIron(config-vs-www.rumors.com)# exit

ServerIron(config)#

Syntax: exit

Possible values: N/A

Default value: N/A

host-range

Enables you to define a range of virtual IP addresses (VIPs) simply by defining a base VIP and the number of hosts in the range.

NOTE: The VIPs must be contiguous and must map to a contiguous range of real IP addresses on the real server.

EXAMPLE:

To define a range of 500 contiguous VIPs, enter the following commands:

ServerIron(config)# server virtual-name lotsofhosts 209.157.22.99

ServerIron(config-vs-lotsofhosts)# host-range 500

ServerIron(config-vs-lotsofhosts)# exit

ServerIron(config)# server virtual-name cache1 10.4.4.4

ServerIron(config-rs-cache1)# host-range 500

ServerIron(config-rs-cache1)# exit

Syntax: host-range <range>

Possible values: 0 – 4294967295

Default value: N/A

httpredirect

In configurations that use remote failover servers, the remote server sends replies back to the ServerIron or directly to the client:

• If you configure a source IP address and enable source NAT, the remote server sends the response back to the ServerIron.

• If you do not use source NAT (whether you have configured a source IP address or not), the remote real server sends the response directly to the client. In this case, the client refuses the connection request because the client believes it is talking to the virtual IP address, not the real server IP address. In this case, you can configure the ServerIron to send an HTTP redirect message to the client so that the client redirects its HTTP connection to the real server’s IP address instead of the VIP.

EXAMPLE:

To enable HTTP redirect, enter the following command:

ServerIron(config-vs-lotsofhosts)# httpredirect

Syntax: httpredirect

Possible values: N/A

Default value: Disabled

no

This command is used to disable other commands. To do so, place the word no before the command.

port

Allows you to add a TCP/UDP port to a VIP. If you are using the SwitchBack feature, you can use the dsr parameter to enable SwitchBack for the port.

NOTE: SwitchBack also requires that you configure a loopback interface on each real server. The loopback interface must have the same address as the VIP. See the "Configuring Symmetric SLB and SwitchBack" chapter of the Foundry ServerIron Installation and Configuration Guide for more information about this feature.

NOTE: For servers that use passive FTP, configure the FTP ports to be both sticky and concurrent.

EXAMPLE:

To add port 80 (HTTP) to a VIP called Web1, enter the following command:

ServerIron(config-vs-Web1)# port http

EXAMPLE:

To add port 80 (HTTP) to a VIP called Web69 and enable SwitchBack for the port, enter the following command:

ServerIron(config-vs-Web69)# port http dsr

Syntax: port <tcp/udp-port> [dsr]

EXAMPLE:

To disable port 8080 on VIP Web69, enter the following command:

ServerIron(config-vs-Web69)# port 8080 disable

Syntax: port <tcp/udp-port> [disable]

EXAMPLE:

To configure port 80 on VIP Web69 to support concurrent connections from a client, enter the following command:

ServerIron(config-vs-Web69)# port 8080 concurrent

Syntax: port <tcp/udp-port> [concurrent]

EXAMPLE:

To make port 80 on VIP Web69 "sticky" so that subsequent requests for the port from the same client go to the same real server, enter the following command:

ServerIron(config-vs-Web69)# port 8080 sticky

Syntax: port <tcp/udp-port> [sticky]

EXAMPLE:

To disable port translation for port 180 on VIP2, thus allowing many-to-one port binding for the port, enter the following commands.

NOTE: Port translation is enabled by default. Do not disable it unless you are configuring the "many-to-one" feature. See the "Many-To-One TCP/UDP Port Binding" application example in the "Configuring Server Load Balancing" chapter of the Foundry ServerIron Installation and Configuration Guide. Also make sure you follow the configuration rules in that section. Improper configuration can result in unexpected and difficult-to-diagnose results.

ServerIron(config)# server virtual-name VIP1 209.157.22.88

ServerIron(config-vs-VIP1)# port http

ServerIron(config-vs-VIP1)# bind http r1 http r2 http

ServerIron(config-vs-VIP1)# exit

ServerIron(config)# server virtual-name VIP2 209.157.22.99

ServerIron(config-vs-VIP2)# port http

ServerIron(config-vs-VIP2)# no port http translate

ServerIron(config-vs-VIP2)# bind http r1 180 r2 180

Syntax: port <tcp/udp-port> [translate]

EXAMPLE:

To enable URL switching on a virtual server, enter the following commands.

ServerIron(config)# server virtual-name mysite 209.157.22.63

ServerIron(config-vs-mysite)# port http

ServerIron(config-vs-mysite)# port http url-map p1

ServerIron(config-vs-mysite)# port http url-switch

ServerIron(config-vs-mysite)# bind http rs1 http

ServerIron(config-vs-mysite)# bind http rs2 http

ServerIron(config-vs-mysite)# bind http rs3 http

ServerIron(config-vs-mysite)# exit

Syntax: port http

Syntax: port http url-map <policy-name>

Syntax: port http url-switch

Syntax: bind http <real-server-name> http

EXAMPLE:

To configure session persistence in a proxy environment, configure a standard IP ACL containing the addresses, then use the sticky-acl option with the application ports on the virtual server. The sticky-acl option configures the Virtual Source feature.

In a Virtual Source configuration, the ServerIron sends all client traffic from a specified range of IP addresses to the same real server for the application ports you specify. To specify the IP addresses, configure a standard IP ACL. Use this command in configurations where a proxy device allocates IP addresses to client traffic before sending the traffic to the VIP. In some configurations, the proxy device assigns different IP addresses to traffic from the same client. Unless you configure the addresses to go to the same real server, the ServerIron might load balance the client traffic to different servers. This makes applications that require continued access to the same real server unusable.

ServerIron(config)# access-list 1 permit 209.157.22.0

ServerIron(config)# server virtual fromproxy 1.1.1.1

ServerIron(config-vs-fromproxy)# port 80 sticky-acl 1

Syntax: [no] access-list <num> deny | permit <source-ip> | <hostname> <wildcard> [log]

or

Syntax: [no] access-list <num> deny | permit <source-ip>/<mask-bits> | <hostname> [log]

Syntax: [no] port <tcp/udp-port> sticky-acl <num>

NOTE: This feature is different from the sticky feature, which you can associate with ports on the virtual server level. The sticky attribute ensures that subsequent packets from the same client during the same TCP session go to the same real server. In this case, the ServerIron knows the packets are from the same client based on the source IP address. When a proxy is used, subsequent packets from the same client can have different IP addresses.

For standard IP ACL configuration information, see the “Configuring Standard ACLs” section in the “Using Access Control Lists (ACLs)” chapter of the Foundry Switch and Router Installation and Basic Configuration Guide.

EXAMPLE:

To configure an application port to be stateless, enable the stateless parameter on the port in the virtual server. Here is an example:

ServerIron(config)# server real R1 10.10.10.1

ServerIron(config-rs-R1)# port http

ServerIron(config-rs-R1)# exit

ServerIron(config)# server real R2 10.10.11.1

ServerIron(config-rs-R2)# port http

ServerIron(config-rs-R2)# exit

ServerIron(config)# server virtual StatelessHTTP 192.168.4.69

ServerIron(config-vs-StatelessHTTP)# port http stateless

ServerIron(config-vs-StatelessHTTP)# bind http R1 http

ServerIron(config-vs-StatelessHTTP)# bind http R2 http

Syntax: [no] port <tcp/udp-port> stateless

The <tcp/udp-port> parameter specifies the application port you want to make stateless.

EXAMPLE:

By default, stateless SLB uses a hashing algorithm to select a real server. The ServerIron calculates a hash value for a given client request based on the request’s source IP address and source TCP/UDP port. The request is sent to a real server corresponding to this hash value.

For UDP connections consisting of one client packet and one server response packet, you can disable the stateless SLB hashing algorithm. When the stateless SLB hashing algorithm is disabled for UDP ports, the ServerIron uses the round-robin load balancing method to select a real server for the request. In this case, the ServerIron load balances UDP packets destined for the VIP without creating a session and without calculating hash values based on UDP port number and source IP address.

DNS is an example of a UDP port where this feature can be used. The advantage of disabling the stateless SLB hashing algorithm is that a new real server can be selected immediately after it is brought up.

For example, to disable the stateless SLB hashing algorithm for the DNS port (UDP port 53):

ServerIron(config)# server virtual Stateless 192.168.4.69

ServerIron(config-vs-Stateless)# port dns stateless no-hash

Syntax: [no] port <udp-portnum> stateless no-hash

The <udp-portnum> parameter specifies the UDP application port you want to make stateless.
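
The difference between the two stateless selection methods described above can be seen in a short simulation. This Python sketch is an added example, not Foundry code: CRC32 stands in for the ServerIron's hash, which this reference does not specify, and the server names and client addresses are constructed. It shows why no-hash suits only UDP exchanges of one request and one response: without a session table, round-robin spreads the packets of a multi-packet flow across servers, while the hash keeps them together.

```python
import ipaddress
import itertools
import zlib

REAL_SERVERS = ["R1", "R2", "R3"]  # constructed pool of real servers


def hash_select(src_ip, src_port, servers=REAL_SERVERS):
    """Stateless selection: the same source IP and port always give the same server.

    CRC32 is a stand-in hash chosen for this example only.
    """
    key = ipaddress.ip_address(src_ip).packed + src_port.to_bytes(2, "big")
    return servers[zlib.crc32(key) % len(servers)]


def round_robin(servers=REAL_SERVERS):
    """Return a selector that ignores the packet and takes the next server in turn."""
    cycle = itertools.cycle(servers)
    return lambda src_ip, src_port: next(cycle)


def servers_seen(select, packets):
    """Apply a selector to each (source IP, source port) packet in order."""
    return [select(ip, port) for ip, port in packets]


# Constructed traffic. A multi-packet flow keeps one source port; a resolver
# sending independent DNS queries is modelled with a new source port per query.
MULTI_PACKET_FLOW = [("192.0.2.10", 40000)] * 4
DNS_QUERIES = [("192.0.2.10", 40000 + i) for i in range(6)]


def compare():
    return {
        # Hashing: every packet of the flow reaches one real server.
        "flow_hash": servers_seen(hash_select, MULTI_PACKET_FLOW),
        # Round-robin: the same flow is split across all real servers.
        "flow_rr": servers_seen(round_robin(), MULTI_PACKET_FLOW),
        # Round-robin: one-packet queries are spread evenly, which is harmless.
        "dns_rr": servers_seen(round_robin(), DNS_QUERIES),
    }


if __name__ == "__main__":
    for label, result in compare().items():
        print(label, result)
```
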

EXAMPLE:

This example applies to health-check policies (see “healthck (ServerIronXL)” on page 6-23). After you configure logical expressions, you can bind them to application ports on VIPs. A health-check policy does not take effect until you bind the policy to an application port on a VIP.

To bind a health-check policy to an application port on a VIP, enter commands such as the following:

ServerIron(config)# server virtual-name VIP1 1.1.1.1

ServerIron(config-vs-VIP1)# port http healthck Router2

This command configures virtual IP address VIP1 to use the health-check policy named "Router2" to check the health of HTTP (port 80) for the VIP.

Syntax: [no] port <tcp/udp-portnum> healthck <policy-name>

The <tcp/udp-portnum> parameter specifies a TCP or UDP application port. The <policy-name> parameter specifies the health-check policy you want to use to check the Layer 3 health of a device associated with the application port.

EXAMPLE:

When fast aging for UDP sessions is configured, a client request causes the ServerIron to add an entry to its session table; when a response is detected, the ServerIron immediately deletes the session table entry.

When this feature is configured, if the ServerIron detects a server response to a client request, and the response is not fragmented, the session table entry is deleted immediately. If the response is fragmented, the ServerIron waits for the last fragment to arrive, forwards it to the client, and then sends the session to the delete queue. The session stays in the delete queue for 8 seconds by default before being deleted. You can change the amount of time the session stays in the delete queue to between 1 – 40 seconds.

To activate this feature for port 1234:

ServerIron(config)# server virtual vs1 192.168.1.2

ServerIron(config-vs-vs1)# port 1234 udp-fast-age

Syntax: port <udp-portnum> udp-fast-age

EXAMPLE:

NOTE: This example applies only to the ServerIron 400 or ServerIron 800 running software release 07.2.23 or later.

To enable a VIP to use the servers designated as backups only as backups, and use the other servers as the primary load-balancing servers, enter the following command at the configuration level for the VIP:

ServerIron(config-vs-VIP1)# port http lb-pri-servers

This command enables VIP1 to use the backup and primary servers for application port HTTP.

To configure the VIP and application port to continue using the backup servers even after the primary servers become available again, use the backup-stay-active parameter, as in the following example:

ServerIron(config-vs-VIP1)# port http lb-pri-servers backup-stay-active

Syntax: [no] port <tcp/udp-port> lb-pri-servers [backup-stay-active]

You also must explicitly designate the backup real servers as backups. See “backup” on page 10-1.

Possible values: See above

Default value: N/A

predictor

This command is used to select the session's distribution algorithm that will be used on the specified virtual server. This command will override any globally configured value for a virtual server. By default, the least connections method is enabled.

EXAMPLE:

To change the virtual server predictor method from the default value of least connections to the round-robin method, enter the following:

ServerIron(config)# server virtual www.foundrynet.com 207.95.5.1

ServerIron(config-vs-www.foundrynet.com)# predictor round-robin

Syntax: [no] predictor least-conn | response-time | round-robin | weighted

Possible values: See above

Default value: least-conn

quit

This command returns you from any level of the CLI to the User EXEC mode.

EXAMPLE:

ServerIron(config-vs-Foundry)# quit

ServerIron>

Syntax: quit

Possible values: N/A

Default value: N/A

rshow

Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

show…

Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.

source-sticky

Allows you to disable or re-enable this feature. Use this command only if advised to do so by Foundry technical support.

sym-active

Enables active-active Symmetric SLB on a VIP.

EXAMPLE:

ServerIronA(config)# server virtual-name VIP1 1.1.1.1

ServerIronA(config-vs-VIP1)# port 80

ServerIronA(config-vs-VIP1)# sym-priority 69

ServerIronA(config-vs-VIP1)# sym-active

This example configures VIP1 by adding port 80, enabling SSLB, then enabling active-active SSLB. The sym-priority command enables SSLB. The command requires a number from 1 – 255 to enable SSLB. Once you enter the sym-active command to enable active-active SSLB, the software ignores the priority value you specified.

Syntax: [no] sym-active

Possible values: N/A

Default value: Disabled

sym-priority

Assigns a Symmetric SLB priority to a virtual IP address (VIP). The priority determines which ServerIron in a Symmetric SLB configuration is the default active ServerIron for the VIP. The priority can be from 0 (disabled) – 255 (highest priority).

NOTE: Foundry recommends that you specify 2 (instead of 1) as a low priority or 254 (instead of 255) as a high priority. This way, you can easily force failover of the high priority ServerIron to the low priority ServerIron by changing the priority on just one of the ServerIrons. For example, you can force a failover by changing the priority on the high priority ServerIron from 254 to 1. Since the priority on the low priority ServerIron is 2, the low priority ServerIron takes over for the VIP. Likewise, you can force the low priority ServerIron to take over by changing its priority to 255, since the priority on the high priority ServerIron is only 254.

See the "Configuring Symmetric SLB and SwitchBack" chapter of the Foundry ServerIron Installation and Configuration Guide for more information about this feature.

EXAMPLE:

To configure VIPs V1 and V2 on two ServerIrons for Symmetric SLB, enter the following commands. After you enter these commands, the first ServerIron is the active ServerIron for VIP V1 (1.1.1.1) and is the backup ServerIron for VIP V2 (2.2.2.2). The second ServerIron is the active ServerIron for VIP V2 (2.2.2.2) and the backup ServerIron for VIP V1 (1.1.1.1).

Commands for the first ServerIron:

ServerIron(config)# server virtual-name V1 1.1.1.1
ServerIron(config-vs-V1)# sym-priority 2
ServerIron(config-vs-V1)# exit
ServerIron(config)# server virtual-name V2 2.2.2.2
ServerIron(config-vs-V2)# sym-priority 254
ServerIron(config-vs-V2)# write mem

Commands for the second ServerIron:

ServerIron(config)# server virtual-name V1 1.1.1.1
ServerIron(config-vs-V1)# sym-priority 254
ServerIron(config-vs-V1)# exit
ServerIron(config)# server virtual-name V2 2.2.2.2
ServerIron(config-vs-V2)# sym-priority 2
ServerIron(config-vs-V2)# write mem

Syntax: sym-priority <num>

Possible values: 0 – 255; setting the priority to 0 removes the priority setting

Default value: N/A

track

Configures up to four TCP/UDP ports to “track” another, “primary” TCP/UDP port. This feature enables the ServerIron to group applications. After the ServerIron sends a request for the master TCP/UDP port to a real server, requests from the same client for the ports that track the master port also go to the same real server.

For more information about the feature, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

EXAMPLE:

To configure TCP/UDP ports 8080 and 9090 to track port 80, enter the following command:

ServerIron(config-vs-Foundry)# track 80 8080 9090

Syntax: track <primary-port> <tcp/udp-port> [<tcp/udp-port>[<tcp/udp-port>[<tcp/udp-port>]]]

Possible values: a TCP or UDP port number.

Default value: N/A

track-group

Causes the ServerIron to use the same server for applications associated with a set of grouped ports, as long as all the ports in the group are active. After the ServerIron sends a client to a real server for any of the grouped ports, subsequent requests from that client for any of the grouped ports go to the same real server.

EXAMPLE:

To group the HTTP port (80), Telnet port (23), and TFTP port (69) together:

ServerIron(config-vs-v1)# track-group 80 69 23

Whenever a client attempts to connect to a port within the group, the ServerIron ensures all ports in the group are active before granting the connection.

NOTE: The sticky parameter makes the TCP/UDP ports sticky. The sticky parameter must be set for all ports in the group.

Possible values: a TCP or UDP port number. Up to eight ports can be grouped together using the track group function. A port can be part of only one group. The track-group and track commands for a port are mutually exclusive.

Default value: N/A

transparent-vip

Enables an individual VIP for transparent VIP. Transparent VIP applies only to the VIPs on which you enable it.

NOTE: You must globally enable transparent VIP support in addition to enabling the feature on individual VIPs. See “server transparent-vip” on page 6-85.

EXAMPLE:

ServerIron(config-vs-TransVIP)# transparent-vip

Syntax: [no] transparent-vip

Possible values: N/A

Default value: Disabled

write memory

Saves the running-time configuration into the startup-config file.

EXAMPLE:

ServerIron(config-vs-Foundry)# write memory

Syntax: write memory

Possible values: N/A

Default value: N/A

write terminal

Displays the running-configuration of the ServerIron on the terminal screen.

EXAMPLE:

ServerIron(config-vs-Foundry)# write terminal

Syntax: write terminal

Possible values: N/A

Default value: N/A

Chapter 12 Cache Group Commands

acl-id

Identifies an IP ACL for use with your configuration. For example, you can use the command to identify an ACL for denying FWLB for a specific TCP or UDP application port.

EXAMPLE:

To deny FWLB for TCP port 80 (HTTP) but allow FWLB for all other TCP and UDP application ports, enter commands such as the following:

ServerIronA(config)# access-list 101 deny tcp any any eq http
ServerIronA(config)# access-list 101 permit tcp any any
ServerIronA(config)# access-list 101 permit udp any any
ServerIronA(config)# server fw-group 2
ServerIronA(config-tc-2)# acl-id 101

The first three commands configure three ACL entries. The first entry denies FWLB for packets addressed to TCP port 80 (HTTP). The second ACL permits FWLB for all TCP applications. Packets that do not match the first ACL entry match the second ACL entry and are provided with FWLB. The third ACL permits FWLB for all UDP applications. The last two commands change the CLI level to the firewall group configuration level and apply ACL 101 to the firewall group.

Syntax: [no] access-list <num> deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator> <source-tcp/udp-port>] <destination-ip> | <hostname> <wildcard> [<operator> <destination-tcp/udp-port>] [precedence <name> | <num>] [tos <name> | <num>] [log]

Syntax: [no] acl-id <num>

For detailed information about the ACL syntax, see the “Using Access Control Lists (ACLs)” chapter in the Foundry Switch and Router Installation and Basic Configuration Guide.

Possible values: The ID of a configured IP ACL.

Default value: N/A

cache-name

This command assigns a cache server to the cache group. The cache server must already be configured. (See “server cache-name” on page 6-62.)

NOTE: A cache server can be in only one cache group. If you add a cache server to a cache group, the ServerIron automatically removes the cache server from the cache group the cache server was already in.

EXAMPLE:

To assign a cache server named “web2” to cache group 2, enter the following:

ServerIron(config)# server cache-group 2

ServerIron(config-tc-2)# cache-name web2

Syntax: server cache-name <text>

Possible values: N/A

Default value: N/A

clear

Clears statistics or clears entries from a cache or table. See the descriptions for the individual clear commands in “Privileged EXEC Commands” on page 5-1.

dest-nat

This command enables destination NAT for TCS.

By default, the ServerIron translates the destination MAC address of a client request into the MAC address of the cache server. However, the ServerIron does not translate the IP address of the request to the cache server’s IP address. Instead, the ServerIron leaves the destination IP address untranslated.

This behavior assumes that the cache server is operating in promiscuous mode, which allows the cache server to receive requests for any IP address so long as the MAC address in the request is the cache server’s. This behavior works well in most caching environments. However, if your cache server requires that the client traffic arrive in directed IP unicast packets, you can enable destination NAT.

Destination NAT is disabled by default.

NOTE: This option is rarely used. If your cache server operates in promiscuous mode, you probably do not need to enable destination NAT. Otherwise, enable destination NAT. Consult your cache server documentation if you are unsure whether you need to enable destination NAT.

EXAMPLE:

To enable destination NAT for cache group 1, enter the following command:

ServerIron(config)# server cache-group 1

ServerIron(config-tc-1)# dest-nat

Syntax: dest-nat

disable

This command disables the cache group.

EXAMPLE:

To disable cache group 2, enter the following command.

ServerIron(config-tc-1)# disable

Syntax: [no] disable

Possible values: Disabled or Enabled

Default value: Enabled

end

Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.

EXAMPLE:

To move to the privileged level, enter the following from any level of the CLI.

ServerIron(config-tc-1)# end

ServerIron#

Syntax: end

Possible values: N/A

Default value: N/A

exit

Moves activity up one level from the current level. In this case, activity will be moved to the global level.

EXAMPLE:

ServerIron(config-tc-1)# exit

ServerIron(config)#

Syntax: exit

Possible values: N/A

Default value: N/A

failover-acl

Contact Foundry engineering for information about this command.

fwall-info

Configures a path for firewall load balancing.

EXAMPLE:

To configure paths for two firewalls, enter the following commands. See the Foundry ServerIron Firewall Load Balancing Guide for complete configuration examples.

ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# fwall-info 1 3 209.157.23.3 209.157.22.3
ServerIron(config-tc-2)# fwall-info 2 5 209.157.23.3 209.157.22.4

Syntax: [no] fwall-info <path-num> <portnum> <other-ServerIron-ip> <next-hop-ip> [path-group-id <num>] [remote-id <num>]

The <path-num> parameter specifies the path ID, a number that identifies the path. In basic FWLB configurations, the paths go from one ServerIron to the other through the firewalls. In IronClad FWLB, additional paths go to routers. On each ServerIron, the path IDs must be contiguous (with no gaps), starting with path ID 1.

The <portnum> parameter specifies the number of the port that connects the ServerIron to the firewall or router.

The <other-ServerIron-ip> parameter specifies the IP address of the device at the other end of the path. For firewall paths, specify the management address or source IP address of the ServerIron on the other side of the firewall. For router paths, specify the router’s IP interface with the ServerIron.

• On the external ServerIrons, specify the internal ServerIrons’ management addresses for the trusted zone but specify the source IP addresses for the other zones.

• On the internal ServerIrons, specify the external ServerIrons’ management addresses for the non-trusted zone, which is the only zone on the external ServerIrons.

The <next-hop-ip> parameter specifies the IP address of the next hop in the path. For firewall paths, specify the IP address of the firewall interface connected to this ServerIron. For router paths, specify the router’s IP interface with the ServerIron.

The path-group-id <num> parameter specifies the number that indicates the firewall through which the paths go.

NOTE: Router paths do not use path IDs.

The remote-id <num> parameter is a number (1 or 2) representing the ServerIron at the remote end of the path in a superzone FWLB configuration. Specify 1 for a basic configuration. Specify 1 and 2 for the two ServerIrons in a high-availability configuration.

NOTE: The remote-id <num> parameter applies only to superzone FWLB. See the "Configuring Superzone FWLB" chapter in the Foundry ServerIron Firewall Load Balancing Guide.

Possible values: See above

Default value: N/A

fwall-zone

Configures a firewall zone. Use this command when configuring multi-zone FWLB. For a complete configuration example, see the Foundry ServerIron Firewall Load Balancing Guide.

EXAMPLE:

To configure an ACL and a firewall zone that uses the ACL, enter commands such as the following:

Zone1-SI(config)# access-list 2 permit 209.157.25.0 0.0.0.255
Zone1-SI(config)# server fw-group 2
Zone1-SI(config-tc-2)# fwall-zone Zone2 2 2

Syntax: [no] fwall-zone <string> <zonenum> <acl-id>

The <string> parameter specifies the zone name.

The <zonenum> parameter specifies the zone number. You can specify a value from 1 – 10.

The <acl-id> field specifies the ACL that defines the range of IP addresses in the zone.

Possible values: See above

Default value: N/A

fw-exceed-max-drop

Configures the ServerIron to drop the traffic instead of load balancing it using the hashing mechanism.

By default, if the ServerIron receives traffic that it needs to forward to a firewall, but the firewall already has the maximum number of sessions open or has exceeded its maximum connection rate, the ServerIron uses a hashing mechanism to select another firewall. The hashing mechanism selects another firewall based on the source and destination IP addresses and application port numbers in the packet.

The ServerIron drops traffic only until the firewall again has available sessions.

EXAMPLE:

ServerIron(config-tc-2)# fw-exceed-max-drop

Syntax: [no] fw-exceed-max-drop

Possible values: N/A

Default value: Disabled

fw-health-check icmp

Changes the number of times the ServerIron attempts a Layer 3 health check of an FWLB path before concluding that the path is unhealthy.

By default, the ServerIron checks the health of each firewall and router path by sending an ICMP ping on the path every 400 milliseconds.

• If the ServerIron receives one or more responses within 1.2 seconds, the ServerIron concludes that the path is healthy.

• Otherwise, the ServerIron reattempts the health check by sending another ping. By default, the ServerIron reattempts an unanswered path health check up to three times before concluding that the path is unhealthy.

You can change the maximum number of retries to a value from 3 – 31 (ServerIron 400 and ServerIron 800) or 8 – 31 (all other ServerIron models).

EXAMPLE:

ServerIron(config-tc-2)# fw-health-check icmp 20

Syntax: [no] fw-health-check icmp <num>

The <num> parameter specifies the maximum number of retries and can be a number from 3 – 31 (ServerIron 400 and ServerIron 800) or 8 – 31 (all other ServerIron models). The default is 3.

Possible values: 3 – 31 (ServerIron 400 and ServerIron 800) or 8 – 31 (all other ServerIron models)

Default value: 3

fw-health-check tcp | udp

You can configure the ServerIrons in an FWLB configuration to use Layer 4 health checks instead of Layer 3 health checks for firewall paths.

By default, the ServerIron performs Layer 3 health checks of firewall paths, but does not perform Layer 4 health checks of the paths. When you configure a Layer 4 health check, the Layer 3 (ICMP) health check, which is used by default, is disabled.

NOTE: The Layer 4 health check applies only to firewall paths. The ServerIron always uses a Layer 3 (ICMP) health check to test the path to the router.

When you configure a Layer 4 health check for firewall paths, the ServerIron sends Layer 4 health checks and also responds at Layer 4 to health checks from the ServerIron at the other end of the firewall path.

To configure a Layer 4 health check, specify the protocol (TCP or UDP). Optionally, you also can specify the port.

• UDP – The ServerIron sends and listens for path health check packets on the port you specify. If you do not specify a port, the ServerIron uses port 7777 by default. The port number is used as both the source and destination UDP port number in the health check packets.

• TCP – The ServerIron listens for path health check packets on the port you specify, but sends them using a randomly generated port number. If you do not specify a port, the ServerIron uses port 999 as the destination port by default.

NOTE: You must configure the same Layer 4 health check parameters on all the ServerIrons in the FWLB configuration. Otherwise, the paths will fail the health checks.

EXAMPLE:

ServerIron(config-tc-2)# fw-health-check udp

The command in this example enables Layer 4 health checks on UDP port 7777. This ServerIron sends firewall path health checks to UDP port 7777 and listens for health checks on UDP port 7777.

Syntax: [no] fw-health-check udp | tcp [<tcp/udp-portnum> <num>]

The <tcp/udp-portnum> parameter specifies the TCP or UDP port and can be a number from 1 – 65535.

The <num> parameter specifies the maximum number of retries and can be a number from 8 – 31. The default is 3.

You can disable the Layer 4 health checks on individual firewalls if needed. To disable the Layer 4 health check for an individual application on an individual firewall, enter a command such as the following at the firewall configuration level of the CLI:

ServerIron(config-rs-FW1)# port http no-health-check

The command in this example disables Layer 4 health checks for port HTTP on firewall FW1.

Syntax: [no] no-health-check

Possible values: See above

Default value: Disabled

fw-name

Adds a firewall to the firewall group for firewall load balancing.

EXAMPLE:

To add a firewall named FW99 to firewall group 2, enter the following commands:

ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# fw-name FW99

NOTE: The command prompt looks the same for cache groups and the firewall group. Make sure you enter the fw-group 2 command instead of the cache-group <num> command to reach the CLI prompt shown in this example.

Syntax: fw-name <string> <ip-addr>

Possible values: See above

Default value: N/A

fw-predictor

Configures the ServerIron to load balance based on the lowest number of connections for the traffic flow’s application. By default, the ServerIron load balances firewall traffic flows by selecting the firewall with the lowest number of total connections.

For example, suppose a configuration has two firewalls (FW1 and FW2), and each firewall has two application ports defined (HTTP and SMTP). Also assume the following:

• FW1 has 10 HTTP connections and 80 SMTP connections.

• FW2 has 60 HTTP connections and 10 SMTP connections.

Using the default load balancing method, traffic for a new flow is load balanced to FW2, since this firewall has fewer total connections. This is true regardless of the application in the traffic. However, using the load balancing by application method, a new traffic flow carrying HTTP traffic is load balanced to FW1 instead of FW2, because FW1 has fewer HTTP connections. A new traffic flow for SMTP is load balanced to FW2, since FW2 has fewer SMTP connections.

EXAMPLE:

ServerIron(config-tc-2)# fw-predictor per-service-least-conn

Syntax: [no] fw-predictor total-least-conn | per-service-least-conn

The total-least-conn parameter load balances traffic based on the total number of connections only. This is the default.

The per-service-least-conn parameter load balances traffic based on the total number of connections for the traffic’s application. This is valid for TCP or UDP applications.

Possible values: See above

Default value: total-least-conn

hash-mask

This command defines how requests are distributed among multiple web cache servers or firewalls within a cache group or firewall group.

EXAMPLE:

To direct all web queries destined for the same web site (such as “www.rumors.com”) to the same cache server for processing, enter the following hash-mask command:

ServerIron(config-tc-1)# hash-mask 255.255.255.255 0.0.0.0

NOTE: This is useful for networks that have many users accessing the same web site locations. It may be more useful to use only the first three octets of the Destination IP address (255.255.255.0) for web sites that may return multiple web server addresses (for example “www.rumors1.com” and "www.rumors2.com") in response to www.rumors.com queries.

EXAMPLE:

To direct all users from the same Class B sub-net (255.255.0.0) to either server1 or server2 and to direct all redundant requests destined to the same web site (255.255.255.0) to the same web cache server, enter the following hash-mask command:

ServerIron(config-tc-1)# hash-mask 255.255.255.0 255.255.0.0

EXAMPLE:

To configure a hash mask for firewall load balancing, enter the following command:

ServerIron(config-tc-1)# hash-mask 255.255.255.255 255.255.255.255

NOTE: The command prompt looks the same for cache groups and the firewall group. Make sure you enter the fw-group 2 command instead of the cache-group <num> command to reach the CLI prompt shown in this example.

Syntax: hash-mask <destination-mask> <source-mask>

Possible values: valid IP addresses

Default value: destination mask 255.255.255.0, source mask 0.0.0.0.

hash-port-range

Specifies a range of TCP or UDP application port numbers for use in FWLB hashing calculations. This is useful in environments where the same source-and-destination pairs generate a lot of traffic and you want to load balance the traffic across more than one firewall.

By default, the FWLB hashing algorithm uses the source and destination IP addresses of a packet for hashing but disregards the source and destination TCP or UDP application port numbers.

NOTE: You also can specify a list of ports, in which case the software hashes based on the combined set of ports from the list and the range. If you specify both a list and a range of ports, the software uses the source and destination application ports of a packet to hash, if the packet’s source or destination application port is one of the ports in the specified list or the specified range.

EXAMPLE:

To specify a range of application ports, enter a command such as the following at the firewall group configuration level of the CLI:

ServerIron(config-tc-2)# hash-port-range 69 80

Syntax: [no] hash-port-range <start-num> <end-num>

The <start-num> parameter specifies the starting port number in the range. Specify the port number at the lower end of the range.

The <end-num> parameter specifies the ending port number in the range. Specify the port number at the higher end of the range.

Possible values: See above

Default value: N/A

hash-ports

Specifies a list of TCP or UDP application port numbers for use in FWLB hashing calculations. This is useful in environments where the same source-and-destination pairs generate a lot of traffic and you want to load balance the traffic across more than one firewall.

By default, the FWLB hashing algorithm uses the source and destination IP addresses of a packet for hashing but disregards the source and destination TCP or UDP application port numbers.

NOTE: You also can specify a range of ports, in which case the software hashes based on the combined set of ports from the list and the range. If you specify both a list and a range of ports, the software uses the source and destination application ports of a packet to hash, if the packet’s source or destination application port is one of the ports in the specified list or the specified range.

EXAMPLE:

To specify a list of TCP/UDP ports to include in the hash calculations for firewall load balancing:

ServerIron(config)# server fw-group 2

ServerIron(config-tc-2)# hash-ports 69 80

Syntax: [no] hash-ports <num> [<num...>]

Possible values: The <num> parameters specify TCP or UDP port numbers. You can specify up to eight port numbers on the same command line.

Default value: N/A
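The following added example (not from the Foundry manual) models how the hash-mask, hash-ports and hash-port-range settings described above decide which flows share a hash key and are therefore sent to the same cache server or firewall. The key layout follows the text; the CRC32-modulo device selection in pick_device is an assumed stand-in, since the reference does not give the ServerIron's actual hashing algorithm, and all sample addresses are constructed.

```python
"""Model of the hash key described by hash-mask, hash-ports and hash-port-range."""
import ipaddress
import zlib
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class HashConfig:
    dest_mask: str = "255.255.255.0"      # documented default destination mask
    src_mask: str = "0.0.0.0"             # documented default source mask
    hash_ports: frozenset = frozenset()   # ports given with hash-ports
    hash_port_range: Optional[Tuple[int, int]] = None  # hash-port-range <start> <end>

    def __post_init__(self):
        if len(self.hash_ports) > 8:
            raise ValueError("hash-ports accepts up to eight port numbers")
        rng = self.hash_port_range
        if rng is not None and rng[0] > rng[1]:
            raise ValueError("hash-port-range start must be the lower port")


def masked(ip: str, mask: str) -> int:
    """Apply a dotted-decimal mask to an IPv4 address."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))


def port_in_scope(cfg: HashConfig, port: int) -> bool:
    """True if the port is in the hash-ports list or inside hash-port-range."""
    if port in cfg.hash_ports:
        return True
    if cfg.hash_port_range is not None:
        start, end = cfg.hash_port_range
        return start <= port <= end
    return False


def hash_key(cfg, src_ip, dst_ip, src_port, dst_port):
    """Build the tuple that is hashed for one packet.

    Addresses are always masked. Ports are added only when the source or
    destination port is one of the configured hash ports.
    """
    key = (masked(dst_ip, cfg.dest_mask), masked(src_ip, cfg.src_mask))
    if port_in_scope(cfg, src_port) or port_in_scope(cfg, dst_port):
        key += (src_port, dst_port)
    return key


def pick_device(cfg, devices, flow):
    """Map a flow to a device. CRC32 modulo N is an assumed stand-in hash."""
    digest = zlib.crc32(repr(hash_key(cfg, *flow)).encode())
    return devices[digest % len(devices)]


if __name__ == "__main__":
    caches = ["cache1", "cache2", "cache3"]
    # hash-mask 255.255.255.255 0.0.0.0: every client asking for one site
    # address produces the same key, so all of them reach the same cache.
    per_site = HashConfig("255.255.255.255", "0.0.0.0")
    for client in ("10.0.0.1", "10.9.9.9"):            # constructed clients
        flow = (client, "203.0.113.7", 40000, 80)      # constructed flow
        print(client, "->", pick_device(per_site, caches, flow))

    # FWLB with hash-ports 69 80: connections between the same address pair
    # now differ by port, so they can be spread across firewalls.
    fwlb = HashConfig("255.255.255.255", "255.255.255.255",
                      hash_ports=frozenset({69, 80}))
    for sport in (40000, 40001):
        print(hash_key(fwlb, "10.0.0.1", "203.0.113.7", sport, 80))
```

Comparing keys rather than devices is the useful check when reviewing a mask change: two flows with equal keys can never be separated, whatever hash the device applies.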

http-cache-control

This command is used in conjunction with the Content Aware Cache Switching feature on the ServerIron. This command ensures that HTTP 1.0 requests that have a pragma:no-cache header and HTTP 1.1 requests that have a Cache-Control header containing a no-cache directive are sent to the Internet. This is the default behavior. You can use the no form of this command to configure the ServerIron to ignore the pragma:no-cache or Cache-Control header in an HTTP request.

EXAMPLE:

To configure the ServerIron to ignore the pragma:no-cache or Cache-Control header in an HTTP request:

ServerIron(config-tc-1)# no http-cache-control

Syntax: [no] http-cache-control

Possible values: N/A

Default value: HTTP 1.0 requests that have a pragma:no-cache header and HTTP 1.1 requests that have a Cache-Control header containing a no-cache directive are sent to the Internet.

l2-fwall

Enables Layer 2 FWLB for Layer 2 firewalls and for static route configurations.

EXAMPLE:

To enable the L2-fwall option on a ServerIron, enter the following commands:

ServerIron(config)# server fw-group 2

ServerIron(config-tc-2)# l2-fwall

Syntax: l2-fwall

Possible values: N/A

Default value: Disabled

no

This command is used to disable other commands. To do so, place the word no before the command.

no-group-failover

Causes requests to be dropped if a URL switching policy directs the requests to a server group, but none of the cache servers in the server group are available. Without this command, if none of the cache servers in a server group are available, the requests are directed to one of the other server groups configured on the device.

EXAMPLE:

ServerIron(config)# server cache-group 1
ServerIron(config-tc-1)# no-group-failover
ServerIron(config-tc-1)# exit

Syntax: no-group-failover

Possible values: N/A

Default value: N/A

no-http-downgrade

Prevents the ServerIron from downgrading the HTTP version in a request to 1.0.

In a content aware cache switching configuration, when the ServerIron receives an HTTP request from a client, it determines to which cache server it should send the request. The ServerIron then establishes a TCP connection with the selected cache server and sends it the request.

If the request sent from the client to the ServerIron uses HTTP version 1.1, the ServerIron downgrades the HTTP version to 1.0 when it sends the request to the cache server. If you want to use HTTP 1.1 for the connection between the ServerIron and the cache servers, you can prevent the ServerIron from downgrading the HTTP version to 1.0.

EXAMPLE:

ServerIron(config)# server cache-group 1
ServerIron(config-vs-tc-1)# no-http-downgrade
ServerIron(config-vs-tc-1)# exit

Syntax: no-http-downgrade

Possible values: N/A

Default value: N/A

prefer-cnt

Specifies a path link tolerance for firewall paths. The default failover tolerance for firewall paths is one half the configured firewall paths.

NOTE: The minimum number of required paths must match on each ServerIron in an active-standby pair. For example, if you specify one router path and three firewall paths as the minimum on the active ServerIron, you must configure the same minimums on the standby ServerIron.

EXAMPLE:

To specify the minimum number of paths required on a ServerIron:

ServerIron(config)# server fw-group 2

ServerIron(config-tc-2)# prefer-cnt 3

This example specifies that a minimum of three firewall paths must be available for the ServerIron to remain active. Thus, if the ServerIron has three firewall paths, one path can be unavailable and the ServerIron will remain the active ServerIron.

Syntax: prefer-cnt <num>

Possible values: The <num> parameter specifies the minimum number of paths required.

Default value: half the configured paths

prefer-router-cnt

Specifies a path link tolerance for router paths. The default tolerance for router ports is one half the configured router ports.

NOTE: The minimum number of required paths must match on each ServerIron in an active-standby pair. For example, if you specify one router path and three firewall paths as the minimum on the active ServerIron, you must configure the same minimums on the standby ServerIron.

EXAMPLE:

To specify the minimum number of paths required on a ServerIron:

ServerIron(config)# server fw-group 2

ServerIron(config-tc-2)# prefer-router-cnt 3

This example specifies that a minimum of three router paths must be available for the ServerIron to remain active. Thus, if the ServerIron has three router paths, one path can be unavailable and the ServerIron will remain the active ServerIron.

Syntax: prefer-router-cnt <num>

Possible values: The <num> parameter specifies the minimum number of paths required.

Default value: half the configured router ports
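Several firewall group commands in this chapter carry consistency rules that are easy to break when two ServerIrons are configured by hand: fwall-info path IDs must be contiguous from 1, fwall-zone numbers run from 1 – 10, hash-ports takes at most eight ports, and the fw-health-check, prefer-cnt and prefer-router-cnt settings must match on the peer ServerIron. The following added example (not Foundry code) checks those rules; it assumes the input is the firewall group commands as typed in this chapter's examples, with or without the CLI prompt, and the two sample configurations are constructed.

```python
"""Consistency checks for ServerIron firewall group commands."""
import re

# Strips a CLI prompt such as "ServerIron(config-tc-2)# " when present.
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")

# Commands the reference says must be configured identically on the peer.
PEER_MATCHED = ("fw-health-check", "prefer-cnt", "prefer-router-cnt")


def fw_group_commands(text):
    """Return the commands entered at the firewall group level, tokenised."""
    cmds, inside = [], False
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line:
            continue
        if line.startswith("server fw-group"):
            inside = True
        elif line in ("exit", "end") or line.startswith("server "):
            inside = False
        elif inside:
            cmds.append(line.split())
    return cmds


def lint_device(name, cmds):
    """Check the per-device rules stated in the command descriptions."""
    findings = []
    path_ids = sorted(int(c[1]) for c in cmds if c[0] == "fwall-info")
    if path_ids and path_ids != list(range(1, len(path_ids) + 1)):
        findings.append(f"{name}: fwall-info path IDs {path_ids} "
                        "are not contiguous starting with 1")
    for c in cmds:
        if c[0] == "fwall-zone" and not 1 <= int(c[2]) <= 10:
            findings.append(f"{name}: fwall-zone {c[1]} uses zone number "
                            f"{c[2]}, outside 1 - 10")
        if c[0] == "hash-ports" and len(c) - 1 > 8:
            findings.append(f"{name}: hash-ports lists {len(c) - 1} ports, "
                            "more than eight")
        if c[0] == "sym-priority" and not 0 <= int(c[1]) <= 255:
            findings.append(f"{name}: sym-priority {c[1]} is outside 0 - 255")
    return findings


def lint_pair(a_name, a_cmds, b_name, b_cmds):
    """Compare the settings that must match on both ServerIrons."""
    findings = []
    for keyword in PEER_MATCHED:
        a = sorted(" ".join(c) for c in a_cmds if c[0] == keyword)
        b = sorted(" ".join(c) for c in b_cmds if c[0] == keyword)
        if a != b:
            findings.append(f"{keyword} differs: {a_name}={a or 'unset'} "
                            f"{b_name}={b or 'unset'}")
    return findings


# Constructed sample input for an active-standby pair (not from the manual).
SI_A = """\
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# fwall-info 1 3 192.0.2.3 198.51.100.3
ServerIron(config-tc-2)# fwall-info 3 5 192.0.2.3 198.51.100.4
ServerIron(config-tc-2)# fwall-zone Zone2 11 2
ServerIron(config-tc-2)# fw-health-check udp
ServerIron(config-tc-2)# prefer-cnt 3
"""
SI_B = """\
server fw-group 2
fwall-info 1 3 192.0.2.4 198.51.100.3
fwall-info 2 5 192.0.2.4 198.51.100.4
fw-health-check tcp
prefer-cnt 2
"""

if __name__ == "__main__":
    a, b = fw_group_commands(SI_A), fw_group_commands(SI_B)
    for finding in (lint_device("SI-A", a) + lint_device("SI-B", b)
                    + lint_pair("SI-A", a, "SI-B", b)):
        print(finding)
```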

quit

This command returns you from any level of the CLI to the User EXEC mode.

EXAMPLE:

ServerIron(config-tc-1)# quit

ServerIron>

Syntax: quit

Possible values: N/A

Default value: N/A

rshow

Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

show…

Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.

spoof-support

Configures the ServerIron to support TCS using cache servers that send requests to the Internet using the requesting client's IP address as the source (known as cache server spoofing).

EXAMPLE:

ServerIron(config)# server cache-group 1
ServerIron(config-tc-1)# spoof-support

Syntax: [no] spoof-support

Possible values: N/A

Default value: Cache server spoofing support is disabled by default.

source-nat

Configures the ServerIron to translate the source address of client requests the ServerIron forwards to cache servers. The ServerIron changes the address to a source IP address you have configured on the ServerIron.

Add source IP addresses and enable source NAT if the ServerIron and cache server are in different sub-nets. For information, see the "Configuring Network Address Translation" chapter of the Foundry ServerIron Installation and Configuration Guide.

EXAMPLE:

ServerIron(config-tc-1)# source-nat

Syntax: [no] source-nat

Possible values: N/A

Default value: Disabled

sym-priority

Specifies the priority of this ServerIron with respect to the other ServerIron for the firewalls in the firewall group. The ServerIron with the higher priority is the default active ServerIron for the firewalls within the group.

EXAMPLE:

SI-ActiveA(config)# server fw-group 2

SI-ActiveA(config-tc-2)# sym-priority 254

Syntax: sym-priority <priority>

Possible values: 0 – 255; setting the priority to 0 removes the priority setting from the configuration

Default value: N/A

url-host-id

This command is used in conjunction with the Content Aware Cache Switching feature on the ServerIron. This command causes HTTP requests for a specified host to be evaluated by a specified URL switching policy.

EXAMPLE:

To cause HTTP requests for www.mysite.com to be evaluated by policyA:

ServerIron(config-tc-1)# url-host-id www.mysite.com policyA

Syntax: url-host-id <host> <policy-name>

Possible values: Host name, URL switching policy name

Default value: N/A

url-map

This command is used in conjunction with the Content Aware Cache Switching feature on the ServerIron. This command specifies a URL switching policy to be active for this cache group. If you configure more than one URL switching policy, the policies must be linked together.

EXAMPLE:

To specify a URL switching policy to be active for a cache group:

ServerIron(config-tc-1)# url-map p1

Syntax: url-map <policy-name>

Possible values: URL switching policy name

Default value: N/A

url-switch

Activates Content Aware Cache Switching for this cache group. You must have already defined the URL switching policies before entering this command.

EXAMPLE:

To activate Content Aware Cache Switching for a cache group:

ServerIron(config-tc-1)# url-switch

Syntax: url-switch

Possible values: N/A

Default value: N/A

virtual-ip

This command configures the ServerIron for either of the following features:

• Policy-based Cache Failover. See the "Configuring Transparent Cache Switching" chapter in the Foundry ServerIron Installation and Configuration Guide.

• FWLB for VPN firewalls. See the Foundry ServerIron Firewall Load Balancing Guide.

EXAMPLE:

To add virtual IP address 209.157.22.26 to cache group 1, enter the following command:

ServerIron(config-tc-1)# virtual-ip 209.157.22.26

EXAMPLE:

To enable the VPN Load Balancing feature and specify the FireWall-1 Cluster IP address, enter the following commands. These commands apply to the ServerIron that is connected to the Internet side of the firewalls.

ServerIron(config)# server vpn-lb
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# virtual-ip 10.10.1.10

Syntax: virtual-ip <ip-addr>

You do not need to enter a network mask.

Possible values: N/A

Default value: N/A

write memory

Saves the running-time configuration into the startup-config file.

EXAMPLE:

ServerIron(config-tc-1)# write memory

Syntax: write memory

Possible values: N/A

Default value: N/A

write terminal

Displays the running-configuration of the ServerIron on the terminal screen.

EXAMPLE:

ServerIron(config-tc-1)# write terminal

Syntax: write terminal

Possible values: N/A

Default value: N/A

Chapter 13 GSLB Affinity Commands

end

Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.

EXAMPLE:

To move to the privileged level, enter the following from any level of the CLI.

ServerIron(config-gslb-affinity)# end

ServerIron#

Syntax: end

Possible values: N/A

Default value: N/A

exit

Moves activity up one level from the current level. In this case, activity will be moved to the global level.

EXAMPLE:

ServerIron(config-gslb-affinity)# exit

ServerIron(config)#

Syntax: exit

Possible values: N/A

Default value: N/A

no

This command is used to disable other commands. To do so, place the word no before the command.

prefer

Configures a GSLB affinity definition. The GSLB Affinity feature configures the GSLB ServerIron to always prefer a specific site ServerIron for queries from clients whose addresses are within a given IP prefix. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

EXAMPLE:

To configure an affinity definition, enter commands such as the following:

ServerIron(config)# gslb affinity

ServerIron(config-gslb-affinity)# prefer sunnyvale slb-1 for 0.0.0.0/0
ServerIron(config-gslb-affinity)# prefer atlanta slb-1 for 192.108.22.0/22

These commands configure a default affinity definition (using the 0.0.0.0/0 prefix) and an affinity definition that uses prefix 192.108.22.0/22. For clients that are not within the prefix in the second affinity definition, the ServerIron uses the default affinity definition. The ServerIron sends clients whose IP addresses are within the 192.108.22.0/22 prefix to a VIP on slb-1 at the “atlanta” site, when available. The ServerIron sends all other clients to a VIP on slb-1 at the “sunnyvale” site when available.

Syntax: gslb affinity

This command places the CLI at the affinity configuration level.

Syntax: [no] prefer <site-name> <si-name> | <si-ip-addr> for <ip-addr> <ip-mask> | <ip-addr>/<prefix-length>

You can refer to the ServerIron by its GSLB site name and ServerIron name or by its management IP address. Use one of the following parameters:

• The <site-name> and <si-name> parameters specify the remote site and a ServerIron at that site. If you use this method, you must specify both parameters.

• The <si-ip-addr> parameter specifies the site ServerIron’s management IP address.

NOTE: In either case, the running-config and the startup-config file refer to the ServerIron by its IP address.

The <ip-addr> <ip-mask> or <ip-addr>/<prefix-length> parameter specifies the prefix. You can specify a mask from 0.0.0.0 – 255.255.255.254. If you instead specify a prefix length, you can specify from 0 – 31 bits.

If you specify 0.0.0.0 0.0.0.0 or 0.0.0.0/0, the ServerIron applies the affinity definition to all client addresses. As a result, an address that does not match another affinity definition uses the zero affinity definition by default. If you do not configure a default affinity definition, the ServerIron uses the standard GSLB policy for clients whose addresses are not within a prefix in an affinity definition.

Possible values: See above.

Default value: N/A
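
The prefix rules above, as an added example (not Foundry code): a Python sketch that parses prefer lines in both prefix forms, rejects masks or lengths outside the documented 0 – 31 bit range, and picks the definition that applies to a client address. The sample configuration is constructed, and choosing the most specific prefix when definitions overlap is an assumption the page does not state.

```python
import ipaddress
import shlex

# Constructed sample: the two prefer lines from the example above, plus
# constructed lines using the <ip-addr> <ip-mask> form and two bad prefixes.
SAMPLE_CONFIG = """\
gslb affinity
 prefer sunnyvale slb-1 for 0.0.0.0/0
 prefer atlanta slb-1 for 192.108.22.0/22
 prefer 209.157.22.210 for 10.20.0.0 255.255.0.0
 prefer atlanta slb-2 for 172.16.1.1/32
 prefer atlanta slb-2 for 172.16.0.0 255.0.255.0
"""


def mask_to_length(mask):
    """Convert a dotted mask to a prefix length; reject non-contiguous masks."""
    inverted = int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"mask {mask} is not contiguous")
    return 32 - inverted.bit_length()


def parse_prefix(tokens):
    """Accept ['<ip-addr>/<prefix-length>'] or ['<ip-addr>', '<ip-mask>']."""
    if len(tokens) == 2:
        addr, length = tokens[0], mask_to_length(tokens[1])
    elif len(tokens) == 1 and "/" in tokens[0]:
        addr, _, text = tokens[0].partition("/")
        length = int(text)
    else:
        raise ValueError("expected <ip-addr> <ip-mask> or <ip-addr>/<prefix-length>")
    if not 0 <= length <= 31:
        raise ValueError(f"prefix length {length} is outside 0-31")
    # strict=False masks off host bits: 192.108.22.0/22 becomes 192.108.20.0/22.
    return ipaddress.IPv4Network(f"{addr}/{length}", strict=False)


def parse_target(tokens):
    """Accept [<site-name>, <si-name>] or [<si-ip-addr>]."""
    if len(tokens) == 1:
        ipaddress.IPv4Address(tokens[0])  # raises ValueError if not an address
    elif len(tokens) != 2:
        raise ValueError("expected <site-name> <si-name> or <si-ip-addr>")
    return " ".join(tokens)


def parse_affinity(config_text):
    """Return (definitions, errors) for the prefer lines in config_text."""
    definitions, errors = [], []
    for number, line in enumerate(config_text.splitlines(), start=1):
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "prefer":
            continue
        try:
            split = tokens.index("for", 1)
            target = parse_target(tokens[1:split])
            definitions.append((parse_prefix(tokens[split + 1:]), target))
        except ValueError as exc:
            errors.append((number, str(exc)))
    return definitions, errors


def resolve(definitions, client_ip):
    """Return the preferred target for client_ip, or None if nothing matches."""
    client = ipaddress.IPv4Address(client_ip)
    matches = [(net, target) for net, target in definitions if client in net]
    if not matches:
        return None  # per the page, the standard GSLB policy applies
    # Assumption: when definitions overlap, the most specific prefix wins.
    return max(matches, key=lambda match: match[0].prefixlen)[1]


if __name__ == "__main__":
    definitions, errors = parse_affinity(SAMPLE_CONFIG)
    for client in ("192.108.21.9", "192.108.24.1", "10.20.7.7"):
        print(client, "->", resolve(definitions, client))
    for number, message in errors:
        print(f"line {number}: {message}")
```

Because 192.108.22.0/22 has host bits set, the sketch treats it as the block 192.108.20.0 – 192.108.23.255; how the ServerIron itself handles those bits is not stated here.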

quit

This command returns you from any level of the CLI to the User EXEC mode.

EXAMPLE:

ServerIron(config-gslb-affinity)# quit

ServerIron>

Syntax: quit

Possible values: N/A

Default value: N/A

rshow

Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

show…

Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.

write memory

Saves the running-time configuration into the startup-config file.

EXAMPLE:

ServerIron(config-gslb-affinity)# write memory

Syntax: write memory

Possible values: N/A

Default value: N/A

write terminal

Displays the running-configuration of the ServerIron on the terminal screen.

EXAMPLE:

ServerIron(config-gslb-affinity)# write terminal

Syntax: write terminal

Possible values: N/A

Default value: N/A

Chapter 14 GSLB DNS Zone Commands

end

Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.

EXAMPLE:

To move to the privileged level, enter the following from any level of the CLI.

ServerIron(config-gslb-dns-foundrynet.com)# end

ServerIron#

Syntax: end

Possible values: N/A

Default value: N/A

exit

Moves activity up one level from the current level. In this case, activity will be moved to the global level.

EXAMPLE:

ServerIron(config-gslb-dns-foundrynet.com)# exit

ServerIron(config)#

Syntax: exit

Possible values: N/A

Default value: N/A

host-info

Configures DNS zone and host information for GSLB.

EXAMPLE:

To specify the foundrynet.com zone and two host names, each of which is associated with an application, enter the following commands:

ServerIron(config)# gslb dns zone-name foundrynet.com
ServerIron(config-gslb-dns-foundrynet.com)# host-info www http
ServerIron(config-gslb-dns-foundrynet.com)# host-info ftp ftp

The commands in this example add the zone foundrynet.com and add two hosts within that zone: www and ftp. The GSLB ServerIron will provide global SLB for these two hosts within the zone.

Syntax: [no] gslb dns zone-name <name>

The <name> parameter specifies the DNS zone name.

NOTE: If you delete a DNS zone (by entering the no gslb dns zone-name <name> command), the zone and all the host names you associated with the zone are deleted.

Syntax: [no] host-info <host-name> <host-application> | <tcp/udp-portnum>

The <host-name> parameter specifies the host name. You do not need to enter the entire (fully-qualified) host name. Enter only the host portion of the name. For example, if the fully qualified host name is www.foundrynet.com, do not enter the entire name. Enter only “www”. The rest of the name is already specified by the gslb dns zone-name command. You can enter a name up to 32 characters long.

The <host-application> specifies the host application for which you want the GSLB ServerIron to provide global SLB. You can specify one of the following:

• FTP – the well-known name for port 21. (Ports 20 and 21 both are FTP ports but on the ServerIron, the name “FTP” corresponds to port 21.)

• TFTP – the well-known name for port 69

• HTTP – the well-known name for port 80

• IMAP4 – the well-known name for port 143

• LDAP – the well-known name for port 389

• NNTP – the well-known name for port 119

• POP3 – the well-known name for port 110

• SMTP – the well-known name for port 25

• TELNET – the well-known name for port 23

The <tcp/udp-portnum> parameter specifies a TCP/UDP port number instead of a well-known port. If the application is not one of those listed above, you still can configure the GSLB ServerIron to perform the Layer 4 health check on the specified port.

NOTE: If the application number does not correspond to one of the well-known ports recognized by the ServerIron, the GSLB ServerIron performs Layer 4 TCP or UDP health checks for the ports but does not perform application-specific health checks.

Possible values: see above

Default value: N/A

no

This command is used to disable other commands. To do so, place the word no before the command.

quit

This command returns you from any level of the CLI to the User EXEC mode.

EXAMPLE:

ServerIron(config-gslb-dns-foundrynet.com)# quit

ServerIron>

Syntax: quit

Possible values: N/A

Default value: N/A

rshow

Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

show…

Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.

write memory

Saves the running-time configuration into the startup-config file.

EXAMPLE:

ServerIron(config-gslb-dns-foundrynet.com)# write memory

Syntax: write memory

Possible values: N/A

Default value: N/A

write terminal

Displays the running-configuration of the ServerIron on the terminal screen.

EXAMPLE:

ServerIron(config-gslb-dns-foundrynet.com)# write terminal

Syntax: write terminal

Possible values: N/A

Default value: N/A

Chapter 15 GSLB Site Commands

end

Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.

EXAMPLE:

To move to the privileged level, enter the following from any level of the CLI.

ServerIron(config-gslb-site-sunnyvale)# end

ServerIron#

Syntax: end

Possible values: N/A

Default value: N/A

exit

Moves activity up one level from the current level. In this case, activity will be moved to the global level.

EXAMPLE:

ServerIron(config-gslb-site-sunnyvale)# exit

ServerIron(config)#

Syntax: exit

Possible values: N/A

Default value: N/A

geo-location

Explicitly identifies the geographic location of a GSLB site. By default, the GSLB ServerIron uses a site’s IP address to determine its geographic location.

EXAMPLE:

To explicitly identify Sunnyvale’s geographic location as North America, enter the following commands:

ServerIron(config)# gslb site sunnyvale
ServerIron(config-gslb-site-sunnyvale)# geo-location n-america

Syntax: [no] geo-location asia | europe | n-america | s-america

Possible values: see above

Default value: the region associated with the site’s IP address

no

This command is used to disable other commands. To do so, place the word no before the command.

quit

This command returns you from any level of the CLI to the User EXEC mode.

EXAMPLE:

ServerIron(config-gslb-site-sunnyvale)# quit

ServerIron>

Syntax: quit

Possible values: N/A

Default value: N/A

rshow

Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

show…

Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.

si-name

Specifies the remote ServerIrons in a GSLB site.

EXAMPLE:

To identify two server sites, each containing two ServerIrons, enter the following commands:

ServerIron(config)# gslb site sunnyvale
ServerIron(config-gslb-site-sunnyvale)# si-name slb-1 209.157.22.209
ServerIron(config-gslb-site-sunnyvale)# si-name slb-2 209.157.22.210
ServerIron(config)# gslb site atlanta
ServerIron(config-gslb-site-atlanta)# si-name slb-1 192.108.22.111
ServerIron(config-gslb-site-atlanta)# si-name slb-2 192.108.22.112

These commands configure two GSLB sites. One of the sites is in Sunnyvale and the other is in Atlanta. Each site contains two ServerIrons that load balance traffic across server farms. The GSLB ServerIron you are configuring will use information provided by the other ServerIrons when it evaluates the servers listed in DNS replies.

Syntax: [no] si-name [<name>] <ip-addr> [<preference>]

The <name> parameter specifies a unique name for the ServerIron at the site. You can enter a string up to 16 characters long. The string can contain blanks. To use blanks, enclose the string in quotation marks. You can enter up to four pairs of ServerIron names and IP addresses on the same command line. The name is optional.

NOTE: Enter the ServerIron’s management IP address, not a virtual IP address (VIP) configured on the ServerIron or a source IP address added for source NAT.

The <preference> parameter sets the administrative preference for the site. When you enable the administrative preference as a GSLB metric, the administrative preference can be used by the GSLB policy when comparing this site with other sites. You can specify a preference from 0 – 255. The default preference is 128. The GSLB policy prefers high preference values over low preference values. If you specify 0, the site is administratively removed from selection by the GSLB policy but remains connected to the network.

For example, to set the administrative preference for a site ServerIron to 255, enter a command such as the following:

ServerIron(config-gslb-site-sunnyvale)# si-name slb-1 209.157.22.20 255

To change the preference for a site ServerIron you have already configured, use the same command syntax. You do not need to reconfigure other site parameters when you change the preference. For example, to change the preference for a site ServerIron from the default (128) to 200, enter a command such as the following:

ServerIron(config-gslb-site-sunnyvale)# si-name slb-2 209.157.22.210 200

NOTE: The administrative preference metric is disabled by default, which means it is not used by the GSLB policy. The GSLB policy uses the preference values only if you enable this metric.

By default, the GSLB ServerIron uses a site’s IP address to determine its geographic location. Alternatively, you can explicitly identify the location. To do so, use the following command.

Syntax: [no] geo-location asia | europe | n-america | s-america

For example, to explicitly identify Sunnyvale’s geographic location as North America, enter the following commands:

ServerIron(config)# gslb site sunnyvale
ServerIron(config-gslb-site-sunnyvale)# geo-location n-america

Possible values: see above

Default value: N/A

write memory

Saves the running-time configuration into the startup-config file.

EXAMPLE:

ServerIron(config-gslb-site-sunnyvale)# write memory

Syntax: write memory

Possible values: N/A

Default value: N/A

write terminal

Displays the running-configuration of the ServerIron on the terminal screen.

EXAMPLE:

ServerIron(config-gslb-site-sunnyvale)# write terminal

Syntax: write terminal

Possible values: N/A

Default value: N/A

Chapter 16 GSLB Policy Commands

capacity

Disables or re-enables the capacity threshold GSLB metric. This metric represents a site ServerIron’s available TCP/UDP session capacity. This metric is enabled by default, which means the GSLB ServerIron uses this metric when evaluating the sites in a DNS reply to choose the best site.

EXAMPLE:

To disable this metric, enter the following command:

ServerIron(config-gslb-policy)# no capacity

To re-enable this metric, enter the following command:

ServerIron(config-gslb-policy)# capacity

Syntax: [no] capacity

Possible values: enabled or disabled

Default value: enabled

capacity threshold

Specifies how close to the maximum session capacity the site ServerIron (remote ServerIron) can be and still be eligible as the best site for the client. This mechanism provides a way to shift load away from a site before the site becomes congested. The default value for the threshold is 90%. Thus a site ServerIron is eligible to be the best site only if its session utilization is below 90%.

EXAMPLE:

To change the session-table capacity metric, enter commands such as the following:

ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# capacity threshold 99

Syntax: [no] capacity threshold <num>

The <num> parameter specifies the maximum percentage of a site ServerIron’s session table that can be in use. If the ServerIron’s session table utilization is greater than the specified percentage, the GSLB ServerIron prefers other sites over this site. You can specify a percentage from 0 – 100. The default is 90.

Possible values: 0 – 100

Default value: 90

dns active-only

Configures the ServerIron to remove IP addresses from DNS replies when those addresses fail a health check. The ServerIron removes the addresses that fail the check so long as the DNS query still contains at least one address that passes the health check.

NOTE: A site must pass all applicable health checks (Layer 4 and Layer 7) to avoid being removed.

EXAMPLE:

To configure the ServerIron to remove IP addresses from DNS replies when those addresses fail a health check, enter the following commands.

ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# dns active-only

Syntax: [no] dns active-only

Possible values: enabled or disabled

Default value: disabled

dns check-interval

Changes the refresh interval for DNS queries that verify zone and host information. The GSLB ServerIron sends the queries to the DNS for which it is configured to be a proxy.

EXAMPLE:

To change the refresh interval, enter commands such as the following:

ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# dns check-interval 50

Syntax: [no] dns check-interval <num>

The <num> parameter specifies the interval and can be from 0 – 1000000000 seconds. The default is 30 seconds.

Possible values: 0 – 1000000000 seconds

Default value: 30 seconds

dns ttl

Specifies the value to which the GSLB ServerIron changes the TTL of each DNS record contained in DNS replies received from the DNS for which the ServerIron is a proxy.

EXAMPLE:

To change the TTL, enter commands such as the following:

ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# dns ttl 45

Syntax: [no] dns ttl <num>

The <num> parameter specifies the TTL and can be from 0 – 1000000000 seconds. The default is 10 seconds.

For all GSLB features except DNS cache proxy, the command no dns ttl configures the ServerIron to use the TTL from the DNS. If you are using DNS cache proxy, this command resets the TTL to 10.

Possible values: 0 – 1000000000 seconds

Default value: 10 seconds

end

Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.

EXAMPLE:

To move to the privileged level, enter the following from any level of the CLI.

ServerIron(config-gslb-policy)# end

ServerIron#

Syntax: end

Possible values: N/A

Default value: N/A

exit

Moves activity up one level from the current level. In this case, activity will be moved to the global level.

EXAMPLE:

ServerIron(config-gslb-policy)# exit

ServerIron(config)#

Syntax: exit

Possible values: N/A

Default value: N/A

flashback

Disables or re-enables the FlashBack GSLB metric. This metric indicates how quickly the GSLB ServerIron receives Layer 4-7 health check results. This metric is enabled by default, which means the GSLB ServerIron uses this metric when evaluating the sites in a DNS reply to choose the best site.

EXAMPLE:

To disable this metric, enter the following command:

ServerIron(config-gslb-policy)# no flashback

To re-enable this metric, enter the following command:

ServerIron(config-gslb-policy)# flashback

Syntax: [no] flashback

Possible values: enabled or disabled

Default value: enabled

flashback application | tcp tolerance <num>

Modifies the following FlashBack parameters:

• Application tolerance

• TCP tolerance

The GSLB ServerIron uses a tolerance value when comparing the FlashBack speeds of different sites. The tolerance value specifies the percentage by which the FlashBack speeds of the two sites must differ in order for the ServerIron to choose one over the other. The default FlashBack tolerance is 10%. Thus, if the FlashBack speeds of two sites are within 10% of one another, the ServerIron considers the sites to be equal. However, if the speeds differ by more than 10%, the ServerIron prefers the site with the lower FlashBack speed.

FlashBack speeds are measured at Layer 4 for all TCP/UDP ports. For the application ports known to the ServerIron, the FlashBack speed of the application is also measured.

When the ServerIron compares the FlashBack speeds, it compares the Layer 7 (application-level) FlashBack speeds first, if applicable. If the application has a Layer 7 health check and if the FlashBack speeds are not equal, the ServerIron is through comparing the FlashBack speeds. However, if only the Layer 4 health check applies to the application, or if further tie-breaking is needed, the ServerIron then compares the Layer 4 FlashBack speeds.

EXAMPLE:

To change the tolerances for the response times of TCP and application health checks, when used as a metric for selecting a site, enter commands such as the following:

ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# flashback application tolerance 30
ServerIron(config-gslb-policy)# flashback tcp tolerance 50

Syntax: [no] flashback application | tcp tolerance <num>

The application | tcp parameter specifies whether you are modifying the tolerance for the Layer 4 TCP health check or the Layer 7 application health checks. You can change one or both and the values do not need to be the same. For each, you can specify from 0 – 100. The default for each is 10.

Possible values: 0 – 100

Default value: 10

geographic

Disables or re-enables the geographic GSLB metric. This metric indicates the geographic location of a site. This metric is enabled by default, which means the GSLB ServerIron uses this metric when evaluating the sites in a DNS reply to choose the best site.

EXAMPLE:

To disable this metric, enter the following command:

ServerIron(config-gslb-policy)# no geographic

To re-enable this metric, enter the following command:

ServerIron(config-gslb-policy)# geographic

Syntax: [no] geographic

Possible values: enabled or disabled

Default value: enabled

health-check

Disables or re-enables the health-check GSLB metric. This metric indicates whether the site has passed the Layer 4 and (if applicable) Layer 7 health checks. The GSLB ServerIron uses this metric when evaluating the sites in a DNS reply to choose the best site.

EXAMPLE:

To disable this metric, enter the following command:

ServerIron(config-gslb-policy)# no health-check

To re-enable this metric, enter the following command:

ServerIron(config-gslb-policy)# health-check

Syntax: [no] health-check

Possible values: enabled or disabled

Default value: enabled

metric-order

Changes the order in which the GSLB ServerIron applies the policy metrics. To change the order, specify the metrics in the desired order.

NOTE: Foundry Networks recommends that you always use the health check as the first metric. Otherwise, it is possible that the GSLB policy will not select a “best” choice, and thus send the DNS reply unchanged. For example, if the first metric is geographic location, and the DNS reply contains two sites, one in North America and the other in South America, for clients in South America the GSLB policy favors the South American site after the first comparison. However, if that site is down, the GSLB policy will find that none of the sites in the reply is the “best” one, and thus send the reply unchanged.

You cannot disable or change the position of the Least Response Selection metric. The GSLB ServerIron uses this metric as a tie-breaker if the other comparisons do not result in selection of a “best” site.

EXAMPLE:

To specify a new GSLB policy order, enter a command such as the following:

ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# metric-order set round-trip-time capacity num-session flashback

This command changes the GSLB policy to the following:

• The round-trip time between the remote ServerIron and the DNS client

• The site ServerIron’s session capacity threshold

• The site ServerIron’s available session capacity

• The site ServerIron’s FlashBack speed (how quickly the GSLB receives the health check results)

• The Least Response selection (the site ServerIron that has been selected less often than others)

Two of the metrics, server health and geographic location, are not specified. As a result, these metrics are not used when evaluating site IP addresses in the DNS responses.

To display the GSLB policy after you change it, enter the show gslb policy command. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

Syntax: [no] metric-order set <list>

The <list> parameter is a list of the metrics you want to use, in the order you want the GSLB ServerIron to use them. The GSLB uses the metrics in the order you specify them. You can specify one or more of the following:

• capacity – The site ServerIron’s available session capacity

• flashback – The site ServerIron’s FlashBack speed (how quickly the GSLB receives the health check results)

• geographic – The geographic location of the server

• health-check – The Layer 4 and application health checks

• num-session – The site ServerIron’s session capacity threshold

• preference – The administratively configured preference for the site ServerIron

• round-trip-time – The round-trip time between the remote ServerIron and the DNS client

There is no parameter for the Least Response Selection. This metric is always enabled and is always the last one in the policy.

To reset the order of the GSLB policy metrics to the default (and also re-enable all disabled metrics), enter the following command:

ServerIron(config-gslb-policy)# metric-order default

Syntax: metric-order default

The no metric-order set command also resets the order and re-enables all disabled metrics. This command is equivalent to metric-order default.

Possible values: any combination or order

Default value: The GSLB ServerIron applies the metrics in the following order:

• health-check

• num-session

• round-trip-time

• geographic

• capacity

• flashback

• administrative preference (when enabled; this metric is disabled by default)

• least-response (this metric is a tie-breaker and is always enabled and always last; you cannot disable or re-order this metric)
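
An added example, not part of the Foundry reference: a Python check that replays GSLB policy lines and reports the metric order that results, flagging any policy whose first metric is not health-check, as the NOTE above recommends. The sample policy is constructed from the commands on this page; leaving a metric out when it is re-enabled after a custom list omitted it is an assumption, because the page does not say where it would be placed.

```python
METRICS = ("health-check", "num-session", "round-trip-time", "geographic",
           "capacity", "flashback", "preference")  # default order on this page
TIE_BREAKER = "least-response"  # always enabled and always last

# Constructed sample: the metric-order example from this page as typed at the CLI.
SAMPLE_POLICY = """\
ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# metric-order set round-trip-time capacity num-session flashback
"""


def default_state():
    """Default order, with the administrative preference metric disabled."""
    return list(METRICS), set(METRICS) - {"preference"}


def effective_order(config_text):
    """Replay policy lines; return (metrics in the order applied, problems)."""
    order, enabled = default_state()
    problems = []
    for raw in config_text.splitlines():
        tokens = raw.split("#", 1)[-1].split()  # drop a CLI prompt if present
        negated = tokens[:1] == ["no"]
        if negated:
            tokens = tokens[1:]
        if tokens[:2] == ["metric-order", "set"] and not negated:
            order = []
            for name in tokens[2:]:
                if name not in METRICS:
                    problems.append(f"unknown metric {name!r}")
                elif name in order:
                    problems.append(f"metric {name!r} listed more than once")
                else:
                    order.append(name)
            enabled = set(order)  # metrics left out of the list are not used
        elif tokens[:2] == ["metric-order", "set" if negated else "default"]:
            # "metric-order default" and "no metric-order set" both reset the
            # order and re-enable the metrics that are on by default.
            order, enabled = default_state()
        elif len(tokens) == 1 and tokens[0] in METRICS:
            if negated:
                enabled.discard(tokens[0])
            elif tokens[0] in order:
                # Assumption: a metric left out of a custom list stays out.
                enabled.add(tokens[0])
    active = [name for name in order if name in enabled]
    if active[:1] != ["health-check"]:
        problems.append("health-check is not the first metric")
    return active + [TIE_BREAKER], problems


if __name__ == "__main__":
    order, problems = effective_order(SAMPLE_POLICY)
    print("order:", " > ".join(order))
    for problem in problems:
        print("warning:", problem)
```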

no

This command is used to disable other commands. To do so, place the word no before the command.

num-session

Disables or re-enables the GSLB metric for the site ServerIron’s session capacity threshold. The capacity threshold specifies how close to the maximum session capacity the site ServerIron (remote ServerIron) can be and still be eligible as the best site for the client. This mechanism provides a way to shift load away from a site before the site becomes congested. The GSLB ServerIron uses this metric when evaluating the sites in a DNS reply to choose the best site.

EXAMPLE:

To disable this metric, enter the following command:

ServerIron(config-gslb-policy)# no num-session

To re-enable this metric, enter the following command:

ServerIron(config-gslb-policy)# num-session

Syntax: [no] num-session

Possible values: enabled or disabled

Default value: enabled

num-session tolerance

Specifies the percentage by which the number of available sessions on the site ServerIron can differ from the number of available sessions on another site ServerIron and still be considered an equally good site.

EXAMPLE:

To change the session-table tolerance metric, enter commands such as the following:

ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# num-session tolerance 20

Syntax: [no] num-session tolerance <num>

The <num> parameter specifies the maximum percentage by which the session table utilization on ServerIrons at different sites can differ without the GSLB ServerIron selecting one over the other based on this metric. You can specify a tolerance from 0 – 100. The default is 10.

Possible values: 0 – 100

Default value: 90

preference

Enables the administrative preference GSLB metric.

To assign preference values for individual site ServerIrons, see “si-name” on page 15-2.

EXAMPLE:

ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# preference

Possible values: N/A

Default value: Disabled

protocol

Enables the GSLB protocol on a site ServerIron.

For security, remote ServerIrons do not listen to TCP port 182 (the GSLB protocol port) by default. This means the GSLB protocol is disabled on remote site ServerIrons by default. For a remote ServerIron to use the protocol, you must enable the protocol on the remote ServerIron.

NOTE: Enter this command on the site ServerIron, not on the GSLB ServerIron.

NOTE: You also can secure access to a ServerIron by configuring Access Control Lists (ACLs). For example, you can configure ACLs to control access to the device on TCP port 182. See the “Using Access Control Lists (ACLs)” chapter in the Foundry Switch and Router Installation and Basic Configuration Guide.

EXAMPLE:

To enable a remote ServerIron to use the GSLB protocol, enter the following command:

ServerIron(config)# gslb protocol

Syntax: [no] gslb protocol

Possible values: N/A

Default value: Disabled

quit

This command returns you from any level of the CLI to the User EXEC mode.

EXAMPLE:

ServerIron(config-gslb-policy)# quit

ServerIron>

Syntax: quit

Possible values: N/A

Default value: N/A

round-trip-time

Disables or re-enables the GSLB metric for the round-trip time between the remote ServerIron and the DNS client. The round-trip time (RTT) is the amount of time that passes between when the remote site initiates a TCP connection (sends a TCP SYN) to the client and when the remote site receives the client’s acknowledgment of the connection request (sends a TCP ACK). The GSLB ServerIron learns the RTT information from the site ServerIrons through the Foundry GSLB protocol and uses the information as a metric when comparing site IP addresses. The GSLB ServerIron uses this metric when evaluating the sites in a DNS reply to choose the best site.

EXAMPLE:

To disable this metric, enter the following command:

ServerIron(config-gslb-policy)# no round-trip-time

To re-enable this metric, enter the following command:

ServerIron(config-gslb-policy)# round-trip-time

Syntax: [no] round-trip-time

Possible values: enabled or disabled

Default value: enabled

round-trip-time cache-interval

Changes the RTT cache interval, which specifies how often the site ServerIrons use the Foundry GSLB protocol to send RTT information to the GSLB ServerIron. The GSLB ServerIron stores this information in a cache. The GSLB ServerIron uses the entries in the cache when using the RTT metric to evaluate IP addresses in a DNS reply.

EXAMPLE:

To change the RTT cache interval, enter commands such as the following:

ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# round-trip-time cache-interval 30

The command in this example changes the RTT cache interval from 10 seconds to 30 seconds.

Syntax: [no] round-trip-time cache-interval <num>

The <num> parameter specifies the aging interval and can be from 10 – 300 seconds. The default is 10 seconds.

Possible values: 10 – 300 seconds

Default value: 10 seconds

round-trip-time cache-prefix

Changes the RTT cache prefix, which specifies the level of aggregation that occurs in the GSLB ServerIron’s RTT cache. The entries in the RTT cache include IP address information for the clients. To avoid overflowing the cache, cache entries are aggregated based on the IP information. For example, if the GSLB ServerIron receives RTT information for clients at 192.21.4.69 and 192.21.4.18, and the cache prefix is 31 bits, both addresses go in as separate entries. However, if the prefix is 16 bits, the GSLB ServerIron aggregates the addresses. In this case, only one entry, 192.21.x.x, goes in the cache.

EXAMPLE:

To change the RTT cache prefix, enter commands such as the following:

ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# round-trip-time cache-prefix 16

The command in this example changes the RTT cache prefix from 20 bits to 16 bits.

Syntax: [no] round-trip-time cache-prefix <num>

The <num> parameter specifies the number of significant bits in the prefix and can be from 1 – 31. The default is 20.

Possible values: 1 – 31

Default value: 20

round-trip-time explore-percentage

Changes the RTT explore percentage, which prevents the GSLB ServerIron from unfairly biasing selection of the best site based on previous RTT responses.

Site ServerIrons send RTT information only for the sessions that clients open with them. These are clients referred to the site ServerIron by the GSLB ServerIron. If the metrics that come before this one (based on the GSLB policy order) do not select a “best” site, the ServerIron selects a site based on RTT.

Since the only RTT information received by the GSLB ServerIron comes from the site ServerIrons to which the GSLB ServerIron has referred clients, it is possible for the GSLB ServerIron to continually bias its selection toward the first site ServerIron that sent RTT information. To prevent this from occurring, the GSLB ServerIron intentionally ignores the RTT metric for a specified percentage of the requests from a given client network. You can specify an RTT explore percentage from 0 – 100. The default is 5. By default, the GSLB ServerIron ignores the RTT for 5% of the client requests from a given network.

EXAMPLE:

To change the RTT explore percentage, enter commands such as the following:

ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# round-trip-time explore-percentage 10

The command in this example changes the RTT explore percentage from 5% to 10%.

Syntax: [no] round-trip-time explore-percentage <num>

The <num> parameter specifies the explore percentage and can be from 0 – 100. The default is 5.

Possible values: 0 – 100

Default value: 5

round-trip-time tolerance

Changes the RTT tolerance. When the GSLB ServerIron compares two site IP addresses based on RTT, the GSLB ServerIron favors one site over the other only if the difference between the RTT values is greater than the specified percentage. This percentage is the RTT tolerance. You can set the RTT tolerance to a value from 0 – 100. The default is 10%.

EXAMPLE:

To change the RTT tolerance, enter commands such as the following:

ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# round-trip-time tolerance 70

The command in this example changes the RTT tolerance from 10% to 70%.

Syntax: [no] round-trip-time tolerance <num>

The <num> parameter specifies the percentage above which the RTTs of two sites must differ for the GSLB ServerIron to favor one site over the other based on the RTT. You can specify a value from 0 – 100. The default is 10%.

Possible values: 0 – 100%

Default value: 10%

rshow

Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

show…

Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.

static-prefix

Adds static prefix information to the cache. For example, you can add static cache entries with longer prefix information than the dynamic cache entries to ensure that RTT information is stored under the static entries instead of dynamic cache entries with shorter prefixes. This is useful when you want to ensure that certain prefixes are always present in the cache regardless of how often the GSLB ServerIron receives RTT data for them. Static prefixes do not age out.

NOTE: The GSLB ServerIron uses the most exact match when more than one prefix entry can apply to the same site address. To ensure that the GSLB ServerIron uses a static entry instead of certain dynamic entries for a given address, make sure the prefix of the static entry is longer than the prefix for dynamic entries.

NOTE: Since RTT information is stored under individual domain names that are queried, the RTT information reported from remote ServerIrons is not recorded under the static records until the GSLB ServerIron receives the first DNS query or response.

EXAMPLE:

To add a static prefix cache entry, enter commands such as the following:

ServerIron(config)# gslb policy
ServerIron(config-gslb-policy)# static-prefix 61.1.1.1/20

Syntax: static-prefix <ip-addr>/<prefix-length>

The <ip-addr> specifies the address of the cache entry. This is not necessarily the address of a remote site. The address you specify here is combined with the prefix length to result in a network prefix (network portion of an IP address). The prefix length can be from 1 – 31.

NOTE: The prefix length 0 is not applicable to this feature and is ignored by the software.

You can enter more than one prefix on the same command line. Separate each prefix with a space. You can configure up to 250 static prefixes on a ServerIron.

The command in this example configures an entry for address 61.1.1.1 with a prefix of 20 bits. (Due to the prefix length, the value actually stored in the cache is 61.1.0.0/20.) When the GSLB ServerIron receives RTT information for an address within the specified prefix, the GSLB ServerIron stores the information in the static prefix entry configured above, instead of creating a dynamic entry.

Possible values: See above.

Default value: N/A
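The aggregation described under round-trip-time cache-prefix and the most-exact-match rule described under static-prefix can be modelled as follows. This is an added example, not Foundry code: the names aggregate, RttCacheModel and flush_dynamic are hypothetical, the tie-break in favor of a static entry of equal length is an assumption drawn from the 61.1.1.1/20 example, and the per-domain storage mentioned in the NOTE is not modelled.

```python
import ipaddress

DYNAMIC_PREFIX_DEFAULT = 20   # default cache-prefix stated in this reference
MAX_STATIC_PREFIXES = 250     # static-prefix limit stated in this reference


def aggregate(client_ip, prefix_len):
    """Return the network a client address collapses to at prefix_len bits."""
    if not 1 <= prefix_len <= 31:
        raise ValueError("prefix length must be from 1 to 31")
    return ipaddress.ip_network(f"{client_ip}/{prefix_len}", strict=False)


class RttCacheModel:
    """Toy model of the RTT cache: dynamic aggregation plus static prefixes."""

    def __init__(self, dynamic_prefix=DYNAMIC_PREFIX_DEFAULT):
        aggregate("0.0.0.0", dynamic_prefix)   # validates the 1-31 range
        self.dynamic_prefix = dynamic_prefix
        self.static = set()                    # configured static networks
        self.rtt = {}                          # network -> last RTT reported

    def add_static(self, cidr):
        """Model of 'static-prefix <ip-addr>/<prefix-length>'."""
        addr, _, length = cidr.partition("/")
        if int(length) == 0:
            return None                        # prefix length 0 is ignored
        net = aggregate(addr, int(length))
        if net not in self.static and len(self.static) >= MAX_STATIC_PREFIXES:
            raise ValueError("static prefix limit reached")
        self.static.add(net)
        return net

    def entry_for(self, client_ip):
        """Pick the most exact entry for a client address.

        Assumption: a static entry wins when it is at least as long as the
        dynamic prefix, which matches the /20 example in the text.
        """
        addr = ipaddress.ip_address(client_ip)
        dynamic = aggregate(client_ip, self.dynamic_prefix)
        statics = [n for n in self.static if addr in n]
        best = max(statics, key=lambda n: n.prefixlen, default=None)
        if best is not None and best.prefixlen >= dynamic.prefixlen:
            return best, "static"
        return dynamic, "dynamic"

    def record(self, client_ip, rtt_ms):
        """Store an RTT report under the entry chosen by entry_for()."""
        net, kind = self.entry_for(client_ip)
        self.rtt[net] = rtt_ms
        return net, kind

    def flush_dynamic(self):
        """Drop dynamic entries; static prefixes do not age out."""
        self.rtt = {n: v for n, v in self.rtt.items() if n in self.static}


if __name__ == "__main__":
    cache = RttCacheModel()
    print(cache.add_static("61.1.1.1/20"))     # network actually stored
    print(cache.record("61.1.9.200", 40))      # lands in the static entry
    cache.add_static("10.5.0.0/16")            # shorter than the dynamic /20
    print(cache.record("10.5.33.7", 25))       # lands in a dynamic /20 entry
```

A static prefix shorter than the dynamic cache prefix never receives RTT data in this model, which is the situation the NOTE above warns about.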

write memory

Saves the running-time configuration into the startup-config file.

EXAMPLE:

ServerIron(config-gslb-policy)# write memory

Syntax: write memory

Possible values: N/A

Default value: N/A

write terminal

Displays the running-configuration of the ServerIron on the terminal screen.

EXAMPLE:

ServerIron(config-gslb-policy)# write terminal

Syntax: write terminal

Possible values: N/A

Default value: N/A

Chapter 17 URL Switching Commands

default

Specifies what happens when the URL string does not meet any of the selection criteria in a URL switching policy’s match command(s).

EXAMPLE:

The following commands define a URL switching policy called p1.

ServerIron(config)# url-map p1
ServerIron(config-url-p1)# method prefix
ServerIron(config-url-p1)# match "/home" 1
ServerIron(config-url-p1)# default p2
ServerIron(config-url-p1)# exit

Syntax: default <server-group-id> | <policy-name>

Possible values: Either a real server group ID number or another URL switching policy

Default value: N/A

end

Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.

EXAMPLE:

To move to the privileged level, enter the following from any level of the CLI.

ServerIron(config-url-p1)# end

ServerIron#

Syntax: end

Possible values: N/A

Default value: N/A

exit

Moves activity up one level from the current level. In this case, activity will be moved to the global level.

EXAMPLE:

ServerIron(config-url-p1)# exit

ServerIron(config)#

Syntax: exit

Possible values: N/A

Default value: N/A

match

Specifies the selection criteria in a URL switching policy and indicates what to do when the URL string matches the selection criteria.

EXAMPLE:

ServerIron(config-url-p1)# match "/home" 1

Syntax: match "<selection-criteria>" <server-group-id> | <policy-name>

Possible values:

The selection criteria can be up to 80 characters in length. A URL switching policy can contain multiple match statements, each with different selection criteria. You can also use an asterisk (*) as a wildcard character to specify one or more characters at the end of a URL string.

The second part of the match statement must refer to a server group configured on the ServerIron or to another URL switching policy. In a Content Aware Cache Switching configuration, specifying 0 as the second part of the match statement causes requests meeting the selection criteria to be directed to the Internet, rather than to a cache server.

Default value: N/A

method

Specifies what kind of matching the URL switching policy does on the selection criteria.

EXAMPLE:

ServerIron(config-url-p1)# method prefix

Syntax: method prefix | suffix | pattern

Possible values:

Three kinds of matching methods are supported:

prefix compares the selection criteria to the beginning of the URL string.

suffix compares the selection criteria to the end of the URL string.

pattern looks for the selection criteria anywhere within the URL string.

Default value: N/A

no

This command is used to disable other commands. To do so, place the word no before the command.

quit

This command returns you from any level of the CLI to the User EXEC mode.

EXAMPLE:

ServerIron(config-url-p1)# quit

ServerIron>

Syntax: quit

Possible values: N/A

Default value: N/A

rshow

Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

show…

Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.

tcp-port

Specifies a TCP port where HTTP requests evaluated by the URL switching policy are sent.

EXAMPLE:

ServerIron(config-url-urlmap3)# tcp-port 8081

Syntax: tcp-port <port-number>

Possible values: TCP port number

Default value: 80

write memory

Saves the running-time configuration into the startup-config file.

EXAMPLE:

ServerIron(config-url-p1)# write memory

Syntax: write memory

Possible values: N/A

Default value: N/A

write terminal

Displays the running-configuration of the ServerIron on the terminal screen.

EXAMPLE:

ServerIron(config-url-p1)# write terminal

Syntax: write terminal

Possible values: N/A

Default value: N/A

Chapter 18 HTTP Match List Commands

default

Specifies what happens if none of the HTML text in the HTTP response message meets the selection criteria in the matching list: either mark port 80 on the real server FAILED or ACTIVE.

EXAMPLE:

To cause port 80 on the real server to be marked FAILED if none of the selection criteria are found in the HTTP response message:

ServerIron(config)# http match-list m4
ServerIron(config-http-ml-m4)# up compound "monkey see" "monkey do" log
ServerIron(config-http-ml-m4)# down compound "500" "Internal Server Error" log
ServerIron(config-http-ml-m4)# default down
ServerIron(config-http-ml-m4)# exit

Syntax: default down | up

Possible values: The down parameter causes port 80 on the real server to be marked FAILED if none of the selection criteria are found in the HTTP response message; the up parameter causes port 80 on the real server to be marked ACTIVE if none of the selection criteria are found in the HTTP response message.

Default value: up

down compound

Specifies the beginning and ending parts of a set of selection criteria. Text that begins with the first part and ends with the second part meets the selection criteria. If the selection criteria is met, port 80 on the real server is marked FAILED.

EXAMPLE:

To specify that if the HTML file contains a text string that begins with “500” and ends with “Internal Server Error”, the port is marked FAILED:

ServerIron(config)# http match-list m4
ServerIron(config-http-ml-m4)# down compound "500" "Internal Server Error" log
ServerIron(config-http-ml-m4)# exit

Syntax: down compound <start> <end> [log]

Possible values: The <start> and <end> parameters specify the beginning and end of a string of text. The log parameter causes a Warning message to be logged when the selection criteria is met:

Default value: N/A

down simple

Specifies the selection criteria in a matching list. If the selection criteria is met, port 80 on the real server is marked FAILED.

EXAMPLE:

To specify that if the HTML file contains the text “File Not Found”, the port is marked FAILED:

ServerIron(config)# http match-list m1
ServerIron(config-http-ml-m1)# down simple "File Not Found"
ServerIron(config-http-ml-m1)# exit

Syntax: down simple <text> [log]

Possible values: The <text> parameter specifies the selection criteria. The log parameter causes a Warning message to be logged when the selection criteria is met:

Default value: N/A

end

Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.

EXAMPLE:

To move to the privileged level, enter the following from any level of the CLI.

ServerIron(config-http-ml-listname)# end

ServerIron#

Syntax: end

Possible values: N/A

Default value: N/A

exit

Moves activity up one level from the current level. In this case, activity will be moved to the global level.

EXAMPLE:

ServerIron(config-http-ml-listname)# exit

ServerIron(config)#

Syntax: exit

Possible values: N/A

Default value: N/A

no

This command is used to disable other commands. To do so, place the word no before the command.

quit

This command returns you from any level of the CLI to the User EXEC mode.

EXAMPLE:

ServerIron(config-http-ml-listname)# quit

ServerIron>

Syntax: quit

Possible values: N/A

Default value: N/A

rshow

Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

show…

Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.

up compound

Specifies the beginning and ending parts of a set of selection criteria. Text that begins with the first part and ends with the second part meets the selection criteria. If the selection criteria is met, port 80 on the real server is marked ACTIVE.

EXAMPLE:

To specify that if the HTML file contains a text string that begins with “monkey see” and ends with “monkey do”, the port is marked ACTIVE:

ServerIron(config)# http match-list m4
ServerIron(config-http-ml-m4)# up compound "monkey see" "monkey do" log
ServerIron(config-http-ml-m4)# exit

Syntax: up compound <start> <end> [log]

Possible values: The <start> and <end> parameters specify the beginning and end of a string of text. The log parameter causes a Warning message to be logged when the selection criteria is met:

Default value: N/A

up simple

Specifies the selection criteria in a matching list. If the selection criteria is met, port 80 on the real server is marked ACTIVE.

EXAMPLE:

To specify that if the HTML file contains the text “elephant”, the port is marked ACTIVE:

ServerIron(config)# http match-list m1
ServerIron(config-http-ml-m1)# up simple "elephant"
ServerIron(config-http-ml-m1)# exit

Syntax: up simple <text> [log]

Possible values: The <text> parameter specifies the selection criteria. The log parameter causes a Warning message to be logged when the selection criteria is met:

Default value: N/A

write memory

Saves the running-time configuration into the startup-config file.

EXAMPLE:

ServerIron(config-http-ml-listname)# write memory

Syntax: write memory

Possible values: N/A

Default value: N/A

write terminal

Displays the running-configuration of the ServerIron on the terminal screen.

EXAMPLE:

ServerIron(config-http-ml-listname)# write terminal

Syntax: write terminal

Possible values: N/A

Default value: N/A

Chapter 19 Server Monitor Commands

end

Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.

EXAMPLE:

To move to the privileged level, enter the following from any level of the CLI.

ServerIron(config-slb-mon)# end

ServerIron#

Syntax: end

Possible values: N/A

Default value: N/A

exit

Moves activity up one level from the current level. In this case, activity will be moved to the global level.

EXAMPLE:

ServerIron(config-slb-mon)# exit
ServerIron(config)#

Syntax: exit

Possible values: N/A

Default value: N/A

history

Configures a history list for the Layer 4 statistics monitoring function.

EXAMPLE:

ServerIron(config)# server monitor
ServerIron(config-slb-mon)# history 1 buckets 5 interval 30 owner rkwong

Syntax: history <entry-number> buckets <number> interval <sampling-interval> owner <text-string>

Possible values:

<entry-number> Is the index number for the history list. This can be a number from 1 – 100.

buckets <number> Is the number of rows allocated to a data table for this history list. This can be a number from 1 – 65535. This number of samples are stored in the data table. For example, if you specify 10 buckets, the most recent 10 samples are stored in the data table.

interval <sampling-interval> Is the sampling interval in seconds. The sampling interval can be from 1 – 3600 seconds.

owner <text-string> Specifies the owner of the history list.

Default value: N/A

no

This command is used to disable other commands. To do so, place the word no before the command.

quit

This command returns you from any level of the CLI to the User EXEC mode.

EXAMPLE:

ServerIron(config-slb-mon)# quit

ServerIron>

Syntax: quit

Possible values: N/A

Default value: N/A

rshow

Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the “Configuring Global Server Load Balancing” chapter in the Foundry ServerIron Installation and Configuration Guide.

show…

Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.

write memory

Saves the running-time configuration into the startup-config file.

EXAMPLE:

ServerIron(config-slb-mon)# write memory

Syntax: write memory

Possible values: N/A

Default value: N/A

write terminal

Displays the running-configuration of the ServerIron on the terminal screen.

EXAMPLE:

ServerIron(config-slb-mon)# write terminal

Syntax: write terminal

Possible values: N/A

Default value: N/A

Chapter 20 Routing Information Protocol (RIP) Commands

NOTE: The RIP configuration level applies only to IP forwarding (Layer 3 IP).

deny redistribute

Configures a redistribution filter to deny redistribution for specific routes.

When you enable redistribution, all IP static routes are redistributed by default. If you want to deny certain routes from being redistributed into RIP, configure deny filters for those routes before you enable redistribution. You can configure up to 64 RIP redistribution filters. They are applied in ascending numerical order.

NOTE: The default redistribution action is still permit, even after you configure and apply redistribution filters to the virtual routing interface. If you want to tightly control redistribution, apply a filter to deny all routes as the last filter (filter ID 64), then apply filters with lower filter IDs to allow specific routes.

EXAMPLE:

To configure a redistribution filter, enter a command such as the following:

ServerIron(config-rip-router)# deny redistribute 1 static address 207.92.0.0 255.255.0.0

This command denies redistribution of all 207.92.x.x IP static routes.

Syntax: [no] deny redistribute <filter-num> static address <ip-addr> <ip-mask> [match-metric <value> | set-metric <value>]

The <filter-num> specifies the redistribution filter ID. Specify a number from 1 – 64. The software uses the filters in ascending numerical order. Thus, if filter 1 denies a route from being redistributed, the software does not redistribute that route even if a filter with a higher ID permits redistribution of the route.

The address <ip-addr> <ip-mask> parameters apply redistribution to the specified network and sub-net address. Use 0 to specify “any”. For example, “207.92.0.0 255.255.0.0” means “any 207.92.x.x sub-net”. However, to specify any sub-net (all sub-nets match the filter), enter “address 255.255.255.255 255.255.255.255”.

The match-metric <value> parameter applies redistribution to those routes with a specific metric value; possible values are from 1 – 15.

The set-metric <value> parameter sets the RIP metric value that will be applied to the routes imported into RIP.

NOTE: The set-metric parameter does not apply to static routes.

The following command denies redistribution of a 207.92.x.x IP static route only if the route’s metric is 5.

ServerIron(config-rip-router)# deny redistribute 2 static address 207.92.0.0 255.255.0.0 match-metric 5

The following commands deny redistribution of all routes except routes for 10.10.10.x and 20.20.20.x:

ServerIron(config-rip-router)# deny redistribute 64 static address 255.255.255.255 255.255.255.255
ServerIron(config-rip-router)# permit redistribute 1 static address 10.10.10.0 255.255.255.0
ServerIron(config-rip-router)# permit redistribute 2 static address 20.20.20.0 255.255.255.0

Possible values: See above

Default value: All routes are permitted to be redistributed

end

Moves activity to the privileged EXEC level from any level of the CLI, with the exception of the user level.

EXAMPLE:

To move to the privileged level, enter the following from any level of the CLI.

ServerIron(config-rip-router)# end

ServerIron#

Syntax: end

Possible values: N/A

Default value: N/A

exit

Moves activity up one level from the current level. In this case, activity will be moved to the global level.

EXAMPLE:

ServerIron(config-rip-router)# exit
ServerIron(config)#

Syntax: exit

Possible values: N/A

Default value: N/A

no

This command is used to disable other commands. To do so, place the word no before the command.

permit redistribute

Configures a redistribution filter to permit redistribution for specific routes.

When you enable redistribution, all IP static routes are redistributed by default. If you want to permit certain routes to be redistributed into RIP, configure permit filters for those routes before you enable redistribution. You can configure up to 64 RIP redistribution filters. They are applied in ascending numerical order.

NOTE: The default redistribution action is permit, even after you configure and apply redistribution filters to the virtual routing interface. If you want to tightly control redistribution, apply a filter to deny all routes as the last filter (filter ID 64), then apply filters with lower filter IDs to allow specific routes.

EXAMPLE:

To configure a redistribution filter, enter a command such as the following:

ServerIron(config-rip-router)# permit redistribute 1 static address 207.92.0.0 255.255.0.0

This command permits redistribution of all 207.92.x.x IP static routes.

Syntax: [no] permit redistribute <filter-num> static address <ip-addr> <ip-mask> [match-metric <value> | set-metric <value>]

The <filter-num> specifies the redistribution filter ID. Specify a number from 1 – 64. The software uses the filters in ascending numerical order. Thus, if filter 1 denies a route from being redistributed, the software does not redistribute that route even if a filter with a higher ID permits redistribution of the route.

The address <ip-addr> <ip-mask> parameters apply redistribution to the specified network and sub-net address. Use 0 to specify “any”. For example, “207.92.0.0 255.255.0.0” means “any 207.92.x.x sub-net”. However, to specify any sub-net (all sub-nets match the filter), enter “address 255.255.255.255 255.255.255.255”.

The match-metric <value> parameter applies redistribution to those routes with a specific metric value; possible values are from 1 – 15.

The set-metric <value> parameter sets the RIP metric value that will be applied to the routes imported into RIP.

NOTE: The set-metric parameter does not apply to static routes.

Possible values: See above

Default value: All routes are permitted to be redistributed
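The filter ordering described under deny redistribute and permit redistribute (ascending filter ID, first match decides, default permit) can be checked offline before a filter set is entered on a device. This is an added example, not Foundry code: RedistFilter, decide and shadowed are hypothetical names, and the model covers only the static-route address, mask and match-metric behavior stated in this chapter.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Address/mask pair this chapter gives for "all sub-nets match the filter".
ANY = ("255.255.255.255", "255.255.255.255")


def _ip(text):
    """Dotted-decimal IPv4 text to integer (raises on malformed input)."""
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class RedistFilter:
    num: int                       # filter ID, 1 - 64
    action: str                    # "permit" or "deny"
    addr: str
    mask: str
    match_metric: Optional[int] = None

    def __post_init__(self):
        if not 1 <= self.num <= 64:
            raise ValueError("filter ID must be from 1 to 64")
        if self.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if self.match_metric is not None and not 1 <= self.match_metric <= 15:
            raise ValueError("match-metric must be from 1 to 15")
        _ip(self.addr), _ip(self.mask)

    def matches(self, route, metric):
        if self.match_metric is not None and metric != self.match_metric:
            return False
        if (self.addr, self.mask) == ANY:
            return True
        mask = _ip(self.mask)      # 0 bits in the mask mean "any"
        return _ip(route) & mask == _ip(self.addr) & mask


def decide(filters, route, metric=1):
    """Return (action, filter ID); ID is None when the default permit applies."""
    for f in sorted(filters, key=lambda f: f.num):
        if f.matches(route, metric):
            return f.action, f.num
    return "permit", None


def _covers(outer, inner):
    """True when every route inner could match is already matched by outer."""
    if outer.match_metric is not None and outer.match_metric != inner.match_metric:
        return False
    if (outer.addr, outer.mask) == ANY:
        return True
    if (inner.addr, inner.mask) == ANY:
        return False
    om, im = _ip(outer.mask), _ip(inner.mask)
    return om & im == om and _ip(inner.addr) & om == _ip(outer.addr) & om


def shadowed(filters):
    """List (filter ID, shadowing ID) pairs for filters that can never apply."""
    ordered = sorted(filters, key=lambda f: f.num)
    found = []
    for i, inner in enumerate(ordered):
        for outer in ordered[:i]:
            if _covers(outer, inner):
                found.append((inner.num, outer.num))
                break
    return found


if __name__ == "__main__":
    # The "deny all except 10.10.10.x and 20.20.20.x" set from this chapter.
    lockdown = [
        RedistFilter(64, "deny", *ANY),
        RedistFilter(1, "permit", "10.10.10.0", "255.255.255.0"),
        RedistFilter(2, "permit", "20.20.20.0", "255.255.255.0"),
    ]
    for route in ("10.10.10.0", "20.20.20.0", "30.30.30.0"):  # constructed routes
        print(route, decide(lockdown, route))
    print("shadowed:", shadowed(lockdown))
```

Running shadowed() over a planned filter set catches the ordering mistake the text describes, where a permit with a higher ID sits behind a broader deny and never takes effect.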

quit

This command returns you from any level of the CLI to the User EXEC mode.

EXAMPLE:

ServerIron(config-rip-router)# quit

ServerIron>

Syntax: quit

Possible values: N/A

Default value: N/A

redistribution

Enables redistribution of routes into RIP.

NOTE: When you enable redistribution, all routes are redistributed by default. To control redistribution, configure redistribution filters first, then enable redistribution. See “deny redistribute” on page 20-1 and “permit redistribute” on page 20-2.

EXAMPLE:

To enable RIP redistribution, enter the following command:

ServerIron(config-rip-router)# redistribution

Syntax: [no] redistribution

Possible values: N/A

Default value: Disabled

rshow

Displays the real and virtual server configuration information on a remote site ServerIron in the GSLB ServerIron’s CLI. The command also displays the session and CPU information used by the GSLB policy. You can view detailed configuration information and statistics for the site ServerIron, from the GSLB ServerIron’s management console. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

show…

Displays a variety of configuration and statistical information about the ServerIron. To see a description of the show commands, see “Show Commands” on page 21-1.

write memory

Saves the running-time configuration into the startup-config file.

EXAMPLE:

ServerIron(config-rip-router)# write memory

Syntax: write memory

Possible values: N/A

Default value: N/A

write terminal

Displays the running-configuration of the ServerIron on the terminal screen.

EXAMPLE:

ServerIron(config-rip-router)# write terminal

Syntax: write terminal

Possible values: N/A

Default value: N/A

Chapter 21 Show Commands

The following commands are found at all levels of the CLI for the ServerIron, except where noted. For simplicity, they are summarized in this section as well as in the individual sections.

show aaa

Displays information about all TACACS+ and RADIUS servers identified on the device.

EXAMPLE:

ServerIron# show aaa
Tacacs+ key: foundry
Tacacs+ retries: 1
Tacacs+ timeout: 15 seconds
Tacacs+ dead-time: 3 minutes
Tacacs+ Server: 207.95.6.90 Port:49: opens=6 closes=3 timeouts=3 errors=0 packets in=4 packets out=4
no connection

Radius key: networks
Radius retries: 3
Radius timeout: 3 seconds
Radius dead-time: 3 minutes
Radius Server: 207.95.6.90 Auth Port=1645 Acct Port=1646: opens=2 closes=1 timeouts=1 errors=0 packets in=1 packets out=4
no connection

Syntax: show aaa

Possible values: N/A

Default value: N/A

show arp

Displays the ARP cache of the ServerIron. For switches, the show arp command will not display the 'type' column, but will display a VLAN ID column.

EXAMPLE:

ServerIron(config)# show arp
IP             Mac             Type     Port  Age  VlanId
10.10.10.10    00d0.0958.9b07  Static   9     0    1
192.168.2.14   0050.04bb.81fa  Static   15    0    1
192.168.2.1    00e0.5205.9056  Static   15    0    1
192.168.2.157  00e0.2972.2ab5  Dynamic  15    0    1
192.168.2.15   0010.5ad1.3701  Dynamic  15    0    1
192.168.2.77   00e0.5202.de72  Dynamic  15    0    1
Total Arp Entries : 6

Syntax: show arp [<ip-addr> [<ip-mask>] | ethernet <portnum> mac-address <xxxx.xxxx.xxxx> [<mask>]]

The <ip-addr> and <ip-mask> parameters let you restrict the display to entries for a specific IP address and network mask. Specify the IP address masks in standard decimal mask format (for example, 255.255.0.0).

NOTE: The <ip-mask> parameter and <mask> parameter perform different operations. The <ip-mask> parameter specifies the network mask for a specific IP address, whereas the <mask> parameter provides a filter for displaying multiple MAC addresses that have specific values in common.

Specify the MAC address mask as “f”s and “0”s, where “f”s are significant bits. Specify IP address masks in standard decimal mask format (for example, 255.255.0.0).

The ethernet <portnum> parameter lets you restrict the display to entries for a specific port.

The mac-address <xxxx.xxxx.xxxx> parameter lets you restrict the display to entries for a specific MAC address.

The <mask> parameter lets you specify a mask for the mac-address <xxxx.xxxx.xxxx> parameter, to display entries for multiple MAC addresses. Specify the MAC address mask as “f”s and “0”s, where “f”s are significant bits.

Here are some examples of how to use these commands.

The following command displays all ARP entries for MAC addresses that begin with “abcd”:

ServerIron# show arp mac-address a.b.c.d ffff.0000.0000

The following command displays all IP address entries for IP addresses that begin with "209.157":

ServerIron# show arp 209.157.0.0 255.255.0.0

Possible values: See above

Default value: N/A

show cache-group

Displays configuration information for the TCS cache groups.

EXAMPLE:

ServerIron# show cache-group 1

Cache-group 1 has 1 members Admin-status = Enabledi Active = 0
Hash_info: Dest_mask = 255.255.255.0 Src_mask = 0.0.0.0

Cache Server Name Admin-status Hash-distribution

HTTP Traffic From <-> to Web-Caches

Name: aa IP: 1.2.3.4 State: 1 Groups = 1

Syntax: show cache-group [<cache-group-number> | <cache-server-name>]

Possible values: Valid cache group number or cache server name.

Default value: N/A

show chassis

Displays the presence and status of power supplies and fans in the chassis.

EXAMPLE:

ServerIron# show chassis

power supply 1 ok

power supply 2 not present

fan 1 ok

fan 2 ok

Syntax: show chassis

Possible values: N/A

Default value: N/A

show clock

Displays the current settings for the on-board time counter and Simple Network Time Protocol (SNTP) clock, if configured.

EXAMPLE:

ServerIron# show clock

Syntax: show clock [detail]

Possible values: N/A

Default value: N/A

show configuration

Lists the operating configuration of a ServerIron. This command allows you to check configuration changes before saving them to flash.

EXAMPLE:

ServerIron# show configuration

Syntax: show configuration

Possible values: N/A

Default value: N/A

show default

Displays the defaults for system parameters.

If you specify "default" but not the optional "values", the default states for parameters that can either be enabled or disabled are displayed. If you also specify "values", the default values for parameters that take a numeric value are displayed.

EXAMPLE:

ServerIron# show default
snmp ro community public    spanning tree enabled    fast port span enabled
auto sense port speed       port untagged            port flow control on
no username assigned        no password assigned     boot sys flash primary
system traps enabled        sntp disabled            radius disabled
ip multicast disabled

EXAMPLE:

ServerIron# show default values
sys log buffers:50    mac age time:300 sec    mac entries:8K
telnet sessions:5

System Parameters    Default    Maximum    Current
l4-real-server       1024       2048       1024
l4-virtual-server    256        512        256
l4-server-port       2048       4096       2048

Syntax: show default [values]

Possible values: N/A

Default value: N/A

show flash

Displays the version of the software image saved in the primary and secondary flash of a ServerIron.

EXAMPLE:

ServerIron# show flash

Syntax: show flash

Possible values: N/A

Default value: N/A

show fw-group

Displays configuration information, state information, and traffic statistics for the firewall group. See the Foundry ServerIron Firewall Load Balancing Guide for information about the fields in this display.

EXAMPLE:

ServerIron(config)# show fw-group

Firewall-group 2 has 2 members Admin-status = Enabled
Hash_info: Dest_mask = 255.255.255.255 Src_mask = 255.255.255.255

Firewall Server Name    Admin-st    Hash-distribution
fw1                     1           0
fw2                     6           0

Traffic From<->to Firewall Servers
=====================================

Name: fw1 IP: 10.10.0.1 State: 1 Groups = 2

                                     Host->Firewall       Firewall->Host
          State    CurConn  TotConn  Packets  Octets      Packets  Octets
Firewall  active   0        0        0        0           0        0
Total              0        0        0        0           0        0

Name: fw2 IP: 10.10.0.2 State: 6 Groups = 2

                                     Host->Firewall       Firewall->Host
          State    CurConn  TotConn  Packets  Octets      Packets  Octets
Firewall  active   0        0        0        0           0        0
Total              0        0        0        0           0        0

Syntax: show fw-group

Possible values: N/A

Default value: N/A

show fw-hash

Displays the firewall that the hashing algorithm selected for a given pair of source and destination addresses.

EXAMPLE:

ServerIron# show fw-hash 1.1.1.1 2.2.2.2 2
fw3

In this example, the command output indicates that the FWLB hashing algorithm selected firewall "fw3" for traffic to IP address 1.1.1.1 from IP address 2.2.2.2.

Syntax: show fw-hash <dst-ip-addr> <src-ip-addr> <fwall-group-id> [<protocol> <dst-tcp/udp-port> <src-tcp/udp-port>]

The <dst-ip-addr> parameter specifies the destination IP address.

The <src-ip-addr> parameter specifies the source IP address.

The <fwall-group-id> parameter specifies the FWLB group ID. Normally, the FWLB group ID is 2.

The <protocol> parameter specifies the protocol number for TCP or UDP. You can specify one of the following:

• 6 – TCP

• 17 – UDP

The <dst-tcp/udp-port> specifies the destination TCP or UDP application port number.

The <src-tcp/udp-port> specifies the source TCP or UDP application port number.

If you configured the ServerIron to hash based on source and destination TCP or UDP application ports as well as IP addresses, the ServerIron might select more than one firewall for the same pair of source and destination IP addresses, when the traffic uses different pairs of source and destination application ports. Use the optional parameters to ensure that the command’s output distinguishes among the selected firewalls based on the application ports. Here is an example:

ServerIron# show fw-hash 1.1.1.1 2.2.2.2 2 6 80 8080
fw2
ServerIron# show fw-hash 1.1.1.1 2.2.2.2 2 6 80 9000
fw3

Possible values: See above

Default value: N/A

show gslb cache

Displays RTT prefix cache entries.

The GSLB ServerIron maintains a cache of RTT information received from the site ServerIrons through the GSLB protocol. You can display the RTT information the GSLB ServerIron has related to a client IP address.

EXAMPLE:

ServerIron(config)# show gslb cache 209.156.100.100

prefix length = 20, prefix = 209.157.0.0, region = N-AM
prefix source = client query

foundrynet.com:
  site = sunnyvale, SI = slb-1(209.157.22.209), rtt = 5 (x100 usec)
  site = atlanta, SI = slb-1(192.108.22.112), rtt = 10 (x100 usec)

The command in this example shows the RTT prefix information the GSLB ServerIron has related to client IP address 209.156.100.100. In this case, the GSLB ServerIron has two RTT entries for zone www.foundrynet.com.

Syntax: show gslb cache <ip-addr>

The <ip-addr> parameter specifies a site address.

Here is another example. In this example, a statically generated entry that the GSLB ServerIron created is displayed. The statically generated entries have an 8-bit prefix, whereas the prefix for dynamic entries is 20 bits long by default.

ServerIron(config)# show gslb cache 61.1.1.1

prefix length = 8, prefix = 60.0.0.0, region = ASIA
prefix source = geographic

For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

Possible values: N/A

Default value: N/A

show gslb default

Displays the default GSLB policy parameters.

EXAMPLE:

To display the default GSLB policy, enter the following command:

ServerIron(config)# show gslb default

Default metric order: ENABLE
Metric processing order:
1-Server health check
2-Remote SI's session capacity threshold
3-Round trip time between remote SI and client
4-Geographic location
5-Remote SI's available session capacity
6-Server flashback speed
7-Least response selection

DNS active-only: DISABLE, Modify DNS response TTL: ENABLE
DNS TTL: 10 (sec), DNS check interval: 30 (sec)
Session capacity threshold: 90%, session capacity tolerance: 10%
Round trip time tolerance: 10%, round trip time explore percentage: 5%
Round trip time cache prefix: 20, round trip time cache interval: 120 (sec)
Flashback appl-level delay tolerance: 10%, TCP-level delay tolerance: 10%

Syntax: show gslb default

For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

Possible values: N/A

Default value: N/A

show gslb dns detail

Displays all the information displayed by the show gslb dns zone command plus information about the site and the ServerIron on which a VIP is configured.

This command is especially useful for sites that are configured for Symmetric Server Load Balancing. For information about this load balancing feature, see the "Configuring Symmetric SLB and SwitchBack" chapter of the Foundry ServerIron Installation and Configuration Guide.

EXAMPLE:

ServerIron(config)# show gslb dns detail

ZONE: foundrynet.com
HOST: www:
                                             Flashback       DNS resp.
                                             delay           selection
                                             (x100us)        percentage
                                             TCP    APP      (%)
* 209.157.22.227: dns v-ip    ACTIVE N-AM.   6      60       40
    site: sunnyvale, SI: slb-1 (209.157.22.209)
    session util: 0%, avail. sessions: 524287
    preference: 128
* 209.157.22.228: dns v-ip    ACTIVE N-AM.   3      30       60
    site: atlanta, SI: slb-1 (192.108.22.111)
    session util: 10%, avail. sessions: 414269
    preference: 128
* 210.224.100.5:  dns real-ip DOWN   ASIA    --     --       0
* 201.100.100.6:  dns real-ip DOWN   S-AM.   --     --       0
* 213.34.100.4:   dns real-ip DOWN   EUROPE  --     --       0

HOST: ftp:
                                             Flashback       DNS resp.
                                             delay           selection
                                             (x100us)        percentage
                                             TCP    APP      (%)
* 209.157.22.103: dns v-ip    ACTIVE N-AM.   6      60       40
    site: sunnyvale, SI: slb-2 (209.157.22.210)
    session util: 7%, avail. sessions: 414287
    preference: 128
* 209.157.22.104: dns v-ip    ACTIVE N-AM.   3      30       60
    site: atlanta, SI: slb-2 (192.108.22.112)
    session util: 14%, avail. sessions: 324269
    preference: 128
* 210.224.100.7:  dns real-ip DOWN   ASIA    --     --       0
* 201.100.100.8:  dns real-ip DOWN   S-AM.   --     --       0
* 213.34.100.9:   dns real-ip DOWN   EUROPE  --     --       0

For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

Syntax: show gslb dns detail

Possible values: N/A

Default value: N/A

show gslb dns zone

Displays information about all the DNS zones and host applications configured on the GSLB ServerIron.

EXAMPLE:

ServerIron(config)# show gslb dns zone

ZONE: foundrynet.com
HOST: www:
                                           Flashback       DNS resp.
                                           delay           selection
                                           (x100us)        percentage
                                           TCP    APP      (%)
209.157.22.100: dns v-ip    ACTIVE N-AM.   6      60       40
209.157.22.101: dns v-ip    ACTIVE N-AM.   3      30       60
210.224.100.5:  dns real-ip DOWN   ASIA    --     --       0
201.100.100.6:  dns real-ip DOWN   S-AM.   --     --       0
213.34.100.4:   dns real-ip DOWN   EUROPE  --     --       0

HOST: ftp:
                                           Flashback       DNS resp.
                                           delay           selection
                                           (x100us)        percentage
                                           TCP    APP      (%)
209.157.22.103: dns v-ip    ACTIVE N-AM.   6      60       40
209.157.22.104: dns v-ip    ACTIVE N-AM.   3      30       60
210.224.100.7:  dns real-ip DOWN   ASIA    --     --       0
201.100.100.8:  dns real-ip DOWN   S-AM.   --     --       0
213.34.100.9:   dns real-ip DOWN   EUROPE  --     --       0

Syntax: show gslb dns zone [<name>]

The <name> parameter specifies the zone name.

To display GSLB information for a specific DNS zone, enter a command such as the following:

ServerIron(config)# show gslb dns zone foundrynet.com

The information is the same as the information displayed when you do not specify a zone name, except the ZONE field is unneeded and thus does not appear.

For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

Possible values: N/A

Default value: N/A

show gslb global-stat

Displays statistics for transparent DNS query intercept and for DNS cache proxy.

EXAMPLE:

To display the statistics, enter the following command at any level of the CLI:

ServerIron(config)# show gslb global-stat
DNS cache proxy stat:
Direct response = 10

DNS query intercept stat:
Redirect = 10    Direct response = 0

Syntax: show gslb global-stat

The Direct response field, under “DNS cache proxy stat”, lists how many DNS queries the GSLB ServerIron has responded to using the DNS cache proxy feature instead of forwarding the queries to the DNS. In this example, the GSLB ServerIron has responded directly to client queries ten times with the best site address among those cached on the ServerIron itself, instead of forwarding the request to the DNS.

The Redirect field shows the number of queries the ServerIron has redirected to an alternative (proxy) DNS or another ServerIron.

The Direct response field shows the number of queries to which the ServerIron has directly responded using a transparent DNS query intercept IP address configured on the ServerIron itself.

Possible values: N/A

Default value: N/A

show gslb policy

Displays the current GSLB policy parameter settings.

NOTE: If you have changed any of the settings from their default values, you can use this command along with the show gslb default command to identify the settings you have changed. For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

EXAMPLE:

To display the user-configured GSLB policy, enter the following command:

ServerIron(config)# show gslb policy

Default metric order: DISABLE
Metric processing order:
1-Round trip time between remote SI and client
2-Remote SI's session capacity threshold
3-Remote SI's available session capacity
4-Server flashback speed
5-Remote SI's preference value
6-Least response selection

DNS active-only: DISABLE DNS best-only: DISABLE DNS override: DISABLE
Modify DNS response TTL: ENABLE
DNS TTL: 10 (sec), DNS check interval: 30 (sec)
Remote SI status update period: 30 (sec)
Session capacity threshold: 90%, session capacity tolerance: 10%
Round trip time tolerance: 10%, round trip time explore percentage: 5%
Round trip time cache prefix: 20, round trip time cache interval: 120 (sec)
Flashback appl-level delay tolerance: 10%, TCP-level delay tolerance: 10%

Syntax: show gslb policy

In this example, the default order of the policy metrics is in effect. In the following example, the order has been changed and two of the metrics have been disabled.

ServerIron(config)# show gslb policy

Default metric order: DISABLE
Metric processing order:
1-Round trip time between remote SI and client
2-Remote SI's session capacity threshold
3-Remote SI's available session capacity
4-Server flashback speed
5-Least response selection

DNS active-only: DISABLE, Modify DNS response TTL: ENABLE
DNS TTL: 10 (sec), DNS check interval: 30 (sec)
Session capacity threshold: 90%, session capacity tolerance: 10%
Round trip time tolerance: 10%, round trip time explore percentage: 5%
Round trip time cache prefix: 20, round trip time cache interval: 120 (sec)
Flashback appl-level delay tolerance: 10%, TCP-level delay tolerance: 10%

For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

Possible values: N/A

Default value: N/A

show gslb resources

Displays the current GSLB resource utilization and the ServerIron capacity for each GSLB resource.

For GSLB parameters, you can display the number of currently configured items and the maximum number of items you can configure on the ServerIron.

EXAMPLE:

To display GSLB resource information, enter the following command at any level of the CLI:

ServerIron(config)# show gslb resources
GSLB resource usage:

                      Current    Maximum
sites                 1          100
SIs                   2          200
SIs' VIPs             2          2000
dns zones             2          200
dns hosts             2          400
health-checks app.    2          600
dns IP addrs.         5          2000
affinities            0          50
static prefixes       4          250
prefix cache          104        5050
RTT entries           1          10000

The values in the Current column indicate how many of each GSLB configuration or data item are currently on the GSLB ServerIron. The values in the Maximum column list the maximum number of each item the GSLB ServerIron can hold.

For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

Possible values: N/A

Default value: N/A

show gslb site

Displays information for all the configured sites.

EXAMPLE:

ServerIron(config)# show gslb site

SITE: sunnyvale
SI: slb-1 209.157.22.209:
state: CONNECTION ESTABLISHED

Current num.   Session    CPU load   Preference   Location
sessions       util(%)    (%)
500000         50         35         128          N-AM

Virtual IPs:
209.157.22.227(A) 209.157.22.103(A)

SI: slb-2 209.157.22.210:
state: CONNECTION ESTABLISHED

Current num.   Session    CPU load   Preference   Location
sessions       util(%)    (%)
1              0          16         128          N-AM

Virtual IPs:
209.157.22.227(S)

SITE: atlanta
SI: slb-1 192.108.22.111:
state: CONNECTION ESTABLISHED

Current num.   Session    CPU load   Preference   Location
sessions       util(%)    (%)
750000         75         41         128          N-AM

Virtual IPs:
209.157.22.227(A) 209.157.22.104(A)

SI: slb-1 192.108.22.111:
state: CONNECTION ESTABLISHED

Current num.   Session    CPU load   Preference   Location
sessions       util(%)    (%)
1              0          16         128          N-AM

Virtual IPs:
209.157.22.227(S)

Syntax: show gslb site [<name>]

The <name> parameter specifies a site name.

To display information about the GSLB site called “sunnyvale” and the ServerIrons providing SLB within that site, enter the following command:

ServerIron(config)# show gslb site sunnyvale

SITE: sunnyvale
SI: slb-1 209.157.22.209:
state: CONNECTION ESTABLISHED

Current num.   Session    CPU load   Location
sessions       util(%)    (%)
500000         50         35         N-AM

Virtual IPs:
209.157.22.227(A)

SI: slb-2 209.157.22.210:
state: CONNECTION ESTABLISHED

Current num.   Session    CPU load   Location
sessions       util(%)    (%)
1              0          16         N-AM

Virtual IPs:
209.157.22.227(B)

For more information, see the "Configuring Global Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

Possible values: N/A

Default value: N/A

show healthck

Displays a list of the configured health-check policies and their current status. For information about the fields in this display, see one of the following:

• ServerIronXL – the "Configuring Boolean Health-Check Policies (ServerIronXL)" section in the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.

• ServerIron 400 and ServerIron 800 – the "Configuring Boolean Health-Check Policies (ServerIron 400 and ServerIron 800)" section in the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.

EXAMPLE:

Here is an example for the ServerIronXL.

ServerIron(config)# show healthck
Total nodes: 4; Max nodes: 128
Name        Value    Type
---------------------------------------------
Rtr1-ck1    N/B      icmp 10.168.2.46
Rtr1-ck2    N/B      icmp 10.168.2.47
Router1     N/B      or Rtr1-ck1 Rtr1-ck2
Rtr2-ck1    TRUE     icmp 10.168.2.56
Rtr2-ck2    TRUE     icmp 10.168.2.57
Router2     TRUE     and Rtr2-ck1 Rtr2-ck2
Rtr3-ck1    FALSE    icmp 10.168.2.66
Rtr3-ck2    TRUE     icmp 10.168.2.67
Router3     FALSE    and Rtr3-ck1 Rtr3-ck2

EXAMPLE:

Here is an example for the ServerIron 400 or ServerIron 800.

ServerIron(config-hc-check1)# show healthck
Total nodes: 6; Max nodes: 128
Name        Value   Enable   Type   Dest-IP        Port   Proto   Layer
--------------------------------------------------------------------------------
check1      TRUE    YES      tcp    10.10.10.50    http   http    l4-chk
check2      TRUE    YES      tcp    10.10.10.40    http   http    l7-chk
check3      TRUE    NO       udp    10.10.10.30    http   http    l4-chk
check4      TRUE    NO       udp    10.10.10.40    http   http    l4-chk
check5      N/A     NO       udp    -              dns    dns     l4-chk
httpsrvr    TRUE    YES      and    check1 check2
nested1     N/A     na       and    check1 check2
nested2     N/A     na       or     check3 check4

Syntax: show healthck

Possible values: N/A

Default value: N/A

show healthck statistics

Displays health-check policy statistics. For information about the fields in this display, see the "Displaying Health-Check Policy Information" section in the "Configuring Port and Health Check Parameters" chapter of the Foundry ServerIron Installation and Configuration Guide.

EXAMPLE:

ServerIron(config)# show healthck statistics
Ping Statistics:
Sent: 1524 Received: 1524
Invalid Replies: 0 Dropped Replies: 0

Syntax: show healthck statistics

Possible values: N/A

Default value: N/A

show http match-list

Displays information about HTTP content verification matching lists. For information about this health-check feature, see the "Configuring Port and Health Check Parameters" chapter in the Foundry ServerIron Installation and Configuration Guide.

EXAMPLE:

ServerIron# show http match-list
http match-list m1
 down simple "404"
 down simple "File Not Found"
http match-list m4
 default down
 up compound "monkey see" "monkey do" log
 down compound "500" "Internal Server Error" log
 down compound "503" "Service Unavailable" log

Syntax: show http match-list

Possible values: N/A

Default value: N/A

show interfaces

Displays all port interfaces of the ServerIron and their state, duplex mode, STP state, priority and MAC address.

EXAMPLE:

ServerIron# show interfaces e 1

FastEthernet1 is down
Hardware is FastEthernet, address is 00e0.5202.8bc6 (bia 00e0.5202.8bc6)
Configured speed auto, actual unknown, configured duplex fdx, actual unknown
Member of L2 VLAN ID 1, port is untagged, port state is BLOCKING
STP configured to ON, priority is high, flow control enabled
mirror disabled, monitor disabled
Not member of any active trunks
Member of configured trunk ports 1-3, primary port
No port name
5 minute input rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
5 minute output rate: 0 bits/sec, 0 packets/sec, 0.00% utilization
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 ignored
0 multicast
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions

Syntax: show interfaces [ethernet <portnum>]

Possible values: Valid port number

Default value: N/A

show ip

Displays IP configuration information.

EXAMPLE:

ServerIron(config)# show ip

Disabled : IP_Forwarding

Disabled : RIP RIP-Redist

Switch IP address: 192.168.2.100

Subnet mask: 255.255.255.0

Default router address: 192.168.2.1 TFTP server address: None

Configuration filename: None Image filename: None

For information about the fields in this display, see the "Displaying the IP Forwarding State" section in the "Configuring IP Forwarding" chapter of the Foundry ServerIron Installation and Configuration Guide.

Syntax: show ip

Possible values: N/A

Default value: N/A

show ip cache

Displays the IP host table showing indexes to MAC addresses and the IP address of the next hop for ServerIrons configured to operate in a multinetted environment.

EXAMPLE:

ServerIron#[ 1] sh ip cache
IP Mac Port Age VlanId Cam CamF Hw FCnt
209.157.20.1 0000.0000.0000 6 0 3144 0 0 0 0

Syntax: show ip cache [<ip-addr> [<ip-addr>]]

Possible values: N/A

Default value: N/A

show ip client-public-key

Displays the currently loaded public keys.

EXAMPLE:

ServerIron# show ip client-public-key

1024 65537 162566050678380006149460550286514061230306797782065166110686648548574949573392322599631573796819248476346145327421786527672319957469414416047146826800064453679033330420291249056907718288654183965655676902543288147725297813592782167540629478392662275128774861815448523997023618173312328476660721888873946758201 user@csp_client

1024 35 152676199889856769693556155614587291553826312328095300428421494164360924762074755452346792684432337622953129794188335259756957757051018052125410080748772658611985742270289700411216885214507408796984064240845174271455859236169370590874837875599405503479603024287131312793895007927438074972787423695977635251943 root@unix_machine

There are 2 authorized client public keys configured

Syntax: show ip client-public-key

Possible values: N/A

Default value: N/A

show ip filter-cache

Displays all active IP filter definitions for a Foundry switch operating with Layer 3 switching.

EXAMPLE:

ServerIron# show ip filter-cache

Syntax: show ip filter-cache [<ip-addr>]

Possible values: N/A

Default value: N/A

show ip interface

Displays information about the IP interfaces configured on virtual routing interfaces.

NOTE: This command applies only to IP forwarding (Layer 3).

EXAMPLE:

ServerIron(config)# show ip interface
Interface   IP-Address       OK?   Method   Status   Protocol
Ve 1        192.168.2.1      YES   manual   up       up
Ve 1        10.10.10.1       YES   manual   up       up
Ve 1        20.20.20.1       YES   manual   up       up
Ve 10       120.120.120.1    YES   manual   down     up
Ve 10       130.130.130.1    YES   manual   down     up

Syntax: show ip interface

Possible values: N/A

Default value: N/A

show ip multicast

Indicates whether IP multicast is active on a Foundry switch, and notes its operating mode (active or passive).

EXAMPLE:

ServerIron# show ip multicast

Syntax: show ip multicast

Possible values: N/A

Default value: N/A

show ip nat statistics

Displays Network Address Translation (NAT) statistics.

NOTE: On the ServerIron 400 and ServerIron 800, you can enter this command only when logged in to a WSM CPU. The command is not supported on the Main Processor CPU. To log in to a WSM CPU, see the "Logging In to a WSM CPU" section in the "Using the Web Switching Management Module" chapter of the Foundry ServerIron Installation and Configuration Guide.

EXAMPLE:

To display the NAT statistics, enter the following command at any level of the CLI:

ServerIron(config)# show ip nat statistics

Total translations: 2 (1 static, 1 dynamic)
Hits: 2 Misses: 2
Expired translations: 4
Dynamic mappings:
pool OutAdds: netmask 255.255.255.0
 start 209.157.1.2 end 209.157.1.254
 total addresses 252

Syntax: show ip nat statistics

For information, see the "Configuring Network Address Translation" chapter in the Foundry ServerIron Installation and Configuration Guide.

Possible values: N/A

Default value: N/A

show ip nat translation

Displays currently active NAT entries.

NOTE: On the ServerIron 400 and ServerIron 800, you can enter this command only when logged in to a WSM CPU. The command is not supported on the Main Processor CPU. To log in to a WSM CPU, see the "Logging In to a WSM CPU" section in the "Using the Web Switching Management Module" chapter of the Foundry ServerIron Installation and Configuration Guide.

EXAMPLE:

To display the currently active NAT translations, enter the following command at any level of the CLI:

ServerIron(config)# show ip nat translation
Pro   Inside global    Inside local    Outside local    Outside global
---   209.157.1.69     10.10.10.69     207.195.2.12     207.195.2.12
---   209.157.1.72     10.10.10.2      207.195.4.69     207.195.4.69

Syntax: show ip nat translation

For information, see the "Configuring Network Address Translation" chapter in the Foundry ServerIron Installation and Configuration Guide.

Possible values: N/A

Default value: N/A

show ip policy

Displays the configured global and local session policies defined via the ip policy command.

EXAMPLE:

Index   Priority   Protocol   Socket   Type
1       high       tcp        pop3     global
2       high       udp        dns      global

Syntax: show ip policy

Possible values: N/A

Default value: N/A

show ip route

Displays the IP route table.

NOTE: This command applies only to IP forwarding (Layer 3).

EXAMPLE:

ServerIron(config)# show ip route
Total number of IP routes: 9
Start index: 1 D:Connected S:Static *:Candidate default

    Destination      NetMask          Gateway           Port   Cost   Type
1   10.10.10.0       255.255.255.0    0.0.0.0           ve1    1      D
2   20.20.20.0       255.255.255.0    0.0.0.0           ve1    1      D
3   50.50.50.0       255.255.255.0    20.20.20.10       ve1    1      S
4   60.60.60.0       255.255.255.0    20.20.20.10       ve1    1      S
5   70.70.70.0       255.255.255.0    120.120.120.10    ve1    1      S
6   120.120.120.0    255.255.255.0    0.0.0.0           ve1    1      D
7   130.130.130.0    255.255.255.0    0.0.0.0           ve1    1      D
8   192.168.2.0      255.255.255.0    0.0.0.0           ve1    1      D
9   0.0.0.0          0.0.0.0          192.168.2.1       ve1    1      S

Possible values: N/A

Default value: N/A

show ip ssh

Displays information about the SSH management sessions in effect on the device. Up to five SSH connections can be active on the Foundry device. For information about this display and about using SSH, see the “Configuring Secure Shell” chapter.

EXAMPLE:

ServerIron#show ip ssh
Connection   Version   Encryption   State   Username
1            1.5       ARCFOUR      0x82    neville
2            1.5       IDEA         0x82    lynval
3            1.5       3DES         0x82    terry
4            1.5       none         0x00
5            1.5       none         0x00

Syntax: show ip ssh

Possible values: N/A

Default value: N/A

show ip static-arp

Displays the static ARP entries.

NOTE: This command applies only to IP forwarding (Layer 3).

EXAMPLE:

ServerIron(config)# show ip static-arp
Static ARP table size: 64, configurable from 64 to 128
Index   IP Address       MAC Address       Port
1       10.10.10.10      00d0.0958.9b07    9
2       192.168.2.1      00e0.5205.9056    15
3       192.168.2.157    00e0.2972.2ab5    15
4       192.168.2.14     0050.04bb.81fa    15
5       192.168.2.15     0010.5ad1.3701    15

The <ip-addr> and <ip-mask> parameters let you restrict the display to entries for a specific IP address and network mask. Specify the IP address masks in standard decimal mask format (for example, 255.255.0.0).

NOTE: The <ip-mask> parameter and <mask> parameter perform different operations. The <ip-mask> parameter specifies the network mask for a specific IP address, whereas the <mask> parameter provides a filter for displaying multiple MAC addresses that have specific values in common.

Specify the MAC address mask as “f”s and “0”s, where “f”s are significant bits. Specify IP address masks in standard decimal mask format (for example, 255.255.0.0).

The ethernet <portnum> parameter lets you restrict the display to entries for a specific port.

The mac-address <xxxx.xxxx.xxxx> parameter lets you restrict the display to entries for a specific MAC address.

The <mask> parameter lets you specify a mask for the mac-address <xxxx.xxxx.xxxx> parameter, to display entries for multiple MAC addresses. Specify the MAC address mask as “f”s and “0”s, where “f”s are significant bits.

Possible values: See above

Default value: N/A

show ip traffic

Displays IP (ICMP, UDP, TCP, and RIP) traffic statistics for a ServerIron.

EXAMPLE:

ServerIron# show ip traffic

IP Statistics
 587 received, 593 sent, 14 forwarded
 0 fragmented, 0 reassembled, 0 bad header
 489 no route, 0 unknown proto, 0 no buffer, 9 other errors
ICMP Statistics
Received:
 0 total, 0 errors, 0 unreachable, 0 time exceed
 0 parameter, 0 source sequence, 0 redirect, 0 echo, 0 echo reply, 0 timestamp, 0 timestamp rely, 0 addr mask
 0 addr mask reply, 0 irdp advertisement, 0 irdp solicitation
Sent:
 54 total, 0 errors, 0 unreachable, 0 time exceed
 0 parameter, 0 source sequence, 0 redirect, 0 echo, 0 echo reply, 0 timestamp, 0 timestamp rely, 0 addr mask
 0 addr mask reply, 54 irdp advertisement, 0 irdp solicitation

NOTE: This example is an excerpt, not a complete display.

Syntax: show ip traffic

Possible values: N/A

Default value: N/A

show logging

Displays the SNMP event log.

EXAMPLE:

This example shows some common Syslog messages.

ServerIron# show logging
Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 7 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning

Log Buffer (50 entries):

00d05h44m28s:info:Interface e3/11, state up
00d05h44m28s:info:Bridge topology change, vlan 1, interface 3/11, changed state
to forwarding
00d04h45m49s:info:Interface e3/11, state down
00d04h45m20s:info:Interface e3/11, state up
00d04h45m20s:info:Bridge topology change, vlan 1, interface 3/11, changed state
to forwarding
00d01h45m13s:info:Interface e3/11, state down
00d00h01m00s:info:Interface e3/11, state up
00d00h00m05s:info:Bridge topology change, vlan 1, interface 3/11, changed state
to forwarding
00d00h00m00s:info:Warm start

Syntax: show logging

Possible values: N/A

Default value: N/A

EXAMPLE:

This example shows log entries for authentication failures. If someone enters an invalid community string when attempting to access the SNMP server on the Foundry device, the device generates a trap in the device's syslog buffer. (If you have configured the device to use a third-party SyslogD server, the device also sends a log entry to the server.)

Here is an example of a log that contains SNMP authentication traps. In this example, someone attempted to access the Foundry device three times using invalid SNMP community strings. The unsuccessful attempts indicate either an authorized user who is also a poor typist, or an unauthorized user who is attempting to access the device.

ServerIron(config)# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 1 overruns)
Buffer logging: level ACDMEINW, 50 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning

Log Buffer (50 entries):

00d01h45m13s:info:SNMP Authentication failure, intruder IP: 207.95.6.55
00d00h01m00s:info:SNMP Authentication failure, intruder IP: 207.95.6.55
00d00h00m05s:info:SNMP Authentication failure, intruder IP: 207.95.6.55

EXAMPLE:

This example shows a log entry for an IP address conflict between the Foundry device and another device on the network.

In addition to placing an entry in the log, the software sends a log message to the SyslogD server, if you have configured one, and sends a message to each open CLI session.

ServerIron(config)# show log
Syslog logging: enabled (0 messages dropped, 0 flushes, 1 overruns)
Buffer logging: level ACDMEINW, 50 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning

Log Buffer (50 entries):

00d01h45m13s:warning:Duplicate IP address 209.157.23.188 detected, sent from MAC address 00e0.5201.3bc9 coming from port 7/7

EXAMPLE:

Here are some examples of log entries for packets denied by Access Control Lists (ACLs).

NOTE: On devices that also use Layer 2 MAC filters, both types of log entries can appear in the same log. Only ACL log entries are shown in this example.

ServerIron(config)# show log

Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 38 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning

Log Buffer (50 entries):

21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets

00d07h03m30s:warning:list 101 denied tcp 209.157.22.26(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets

00d06h58m30s:warning:list 101 denied tcp 209.157.22.198(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 packets

The first time an entry in an ACL denies a packet and logging is enabled for that entry, the software generates a Syslog message and an SNMP trap. Messages for packets denied by ACLs are at the warning level of the Syslog.

When the first Syslog entry for a packet denied by an ACL is generated, the software starts a five-minute ACL timer. After this, the software sends Syslog messages every five minutes. The messages list the number of packets denied by each ACL during the previous five-minute interval. If an ACL entry does not deny any packets during the five-minute interval, the software does not generate a Syslog entry for that ACL entry.

NOTE: For an ACL entry to be eligible to generate a Syslog entry for denied packets, logging must be enabled for the entry. The Syslog contains entries only for the ACL entries that deny packets and have logging enabled.


In this example, the two-line message at the bottom is the first entry, which the software immediately generates the first time an ACL entry permits or denies a packet. In this case, an entry in ACL 101 denied a packet. The packet was a TCP packet from host 209.157.22.198 and was destined for TCP port 80 (HTTP) on host 198.99.4.69.

When the software places the first entry in the log, the software also starts the five-minute timer for subsequent log entries. Thus, five minutes after the first log entry, the software generates another log entry and SNMP trap for denied packets.

In this example, the software generates the second log entry five minutes later. The second entry indicates that the same ACL denied two packets.

The time stamp for the third entry is much later than the time stamps for the first two entries. In this case, no ACLs denied packets for a very long time. In fact, since no ACLs denied packets during the five-minute interval following the second entry, the software stopped the ACL log timer. The software generated the third entry as soon as the ACL denied a packet. The software restarted the five-minute ACL log timer at the same time. As long as at least one ACL entry permits or denies a packet, the timer continues to generate new log entries and SNMP traps every five minutes.
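The SNMP authentication-failure entries and the ACL deny entries described above can be triaged with a short parser. The Python below is an added example, not code from Foundry or from this manual: it reads uptime-stamped log-buffer lines (the sample is assembled from the entries shown above), counts SNMP failures per source address, totals denied packets per ACL and destination, and applies the five-minute timer rule to mark which ACL entries opened a new logging window. The function names and the 5-second slack are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the entries from the SNMP and ACL examples above,
# newest first, in the order the log buffer displays them.
SAMPLE_LOG = """\
21d07h02m40s:warning:list 101 denied tcp 209.157.22.191(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets
00d07h03m30s:warning:list 101 denied tcp 209.157.22.26(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 2 packets
00d06h58m30s:warning:list 101 denied tcp 209.157.22.198(0)(Ethernet 4/18 0010.5a1f.77ed) -> 198.99.4.69(http), 1 packets
00d01h45m13s:info:SNMP Authentication failure, intruder IP: 207.95.6.55
00d00h01m00s:info:SNMP Authentication failure, intruder IP: 207.95.6.55
00d00h00m05s:info:SNMP Authentication failure, intruder IP: 207.95.6.55
"""

ENTRY = re.compile(r"^(?P<stamp>\d+d\d+h\d+m\d+s):(?P<level>\w+):(?P<msg>.*)$")
UPTIME = re.compile(r"^(\d+)d(\d+)h(\d+)m(\d+)s$")
SNMP_FAIL = re.compile(
    r"^SNMP Authentication failure, intruder IP: (?P<src>[\d.]+)$")
ACL_DENY = re.compile(
    r"^list (?P<acl>\S+) denied (?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>[^)]*)\)"
    r"\((?P<port>[^)]+?) (?P<mac>[0-9a-f]{4}(?:\.[0-9a-f]{4}){2})\)"
    r" -> (?P<dst>[\d.]+)\((?P<dport>[^)]*)\), (?P<count>\d+) packets?$")


def parse_uptime(stamp):
    """Convert an uptime stamp such as 00d06h58m30s to seconds since boot."""
    m = UPTIME.match(stamp)
    if not m:
        raise ValueError("not an uptime stamp: %r" % stamp)
    days, hours, minutes, seconds = map(int, m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def parse_log(text):
    """Return parsed entries oldest first; non-entry lines are skipped.

    Uptime stamps restart at a reload ("Warm start"), so ordering is only
    meaningful within one boot of the device.
    """
    events = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        event = {"stamp": m["stamp"], "uptime": parse_uptime(m["stamp"]),
                 "level": m["level"], "kind": "other"}
        snmp = SNMP_FAIL.match(m["msg"])
        acl = ACL_DENY.match(m["msg"])
        if snmp:
            event.update(kind="snmp_auth_failure", src=snmp["src"])
        elif acl:
            event.update(kind="acl_deny", **acl.groupdict())
            event["count"] = int(event["count"])
        events.append(event)
    return sorted(events, key=lambda e: e["uptime"])


def snmp_failures_by_source(events):
    """Count invalid-community-string attempts per source address."""
    return Counter(e["src"] for e in events if e["kind"] == "snmp_auth_failure")


def acl_deny_summary(events):
    """Total denied packets and distinct sources per (ACL, destination, service)."""
    summary = {}
    for e in events:
        if e["kind"] != "acl_deny":
            continue
        row = summary.setdefault((e["acl"], e["dst"], e["dport"]),
                                 {"packets": 0, "sources": set()})
        row["packets"] += e["count"]
        row["sources"].add(e["src"])
    return summary


def acl_timer_starts(events, interval=300, slack=5):
    """Stamps of ACL entries that opened a new five-minute logging window.

    An entry that follows the previous ACL entry by more than the interval
    means the timer had stopped and this is a fresh first hit.
    """
    starts, previous = [], None
    for e in events:
        if e["kind"] != "acl_deny":
            continue
        if previous is None or e["uptime"] - previous > interval + slack:
            starts.append(e["stamp"])
        previous = e["uptime"]
    return starts


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("SNMP failures by source:", dict(snmp_failures_by_source(parsed)))
    for key, row in acl_deny_summary(parsed).items():
        print("ACL deny", key, row["packets"], "packets from", sorted(row["sources"]))
    print("ACL timer windows opened at:", acl_timer_starts(parsed))
```

Entries stamped with a calendar date instead of uptime (as in the CLI access example) do not match this parser and are skipped.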

EXAMPLE:

Here are some examples of log messages for CLI access.

ServerIron(config)# show logging

Syslog logging: enabled (0 messages dropped, 0 flushes, 0 overruns)
Buffer logging: level ACDMEINW, 12 messages logged
level code: A=alert C=critical D=debugging M=emergency E=error
I=informational N=notification W=warning

Log Buffer (50 entries):

Oct 15 18:01:11:info:dg logout from USER EXEC mode
Oct 15 17:59:22:info:dg logout from PRIVILEDGE EXEC mode
Oct 15 17:38:07:info:dg login to PRIVILEDGE EXEC mode
Oct 15 17:38:03:info:dg login to USER EXEC mode

The first message (the one on the bottom) indicates that user “dg” logged in to the CLI’s User EXEC level on October 15 at 5:38 PM and 3 seconds (Oct 15 17:38:03). The same user logged in to the Privileged EXEC level four seconds later.

The user remained in the Privileged EXEC mode until 5:59 PM and 22 seconds. (The user could have used the CONFIG modes as well. Once you access the Privileged EXEC level, no further authentication is required to access the CONFIG levels.) At 6:01 PM and 11 seconds, the user ended the CLI session.
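The login and logout pairing walked through above can be reproduced mechanically when reviewing who held Privileged EXEC access and for how long. The Python below is an added example, not part of the Foundry manual: it pairs each login with the matching logout per user and EXEC level and reports logins that have no logout in the buffer. The year (the log lines carry none), the function names and the extra "ops" entry in the sample are assumptions.

```python
import re
from datetime import datetime

# Constructed sample: the four entries from the example above, newest first,
# plus one constructed login (user "ops") that has no matching logout.
SAMPLE_CLI_LOG = """\
Oct 15 18:05:40:info:ops login to USER EXEC mode
Oct 15 18:01:11:info:dg logout from USER EXEC mode
Oct 15 17:59:22:info:dg logout from PRIVILEDGE EXEC mode
Oct 15 17:38:07:info:dg login to PRIVILEDGE EXEC mode
Oct 15 17:38:03:info:dg login to USER EXEC mode
"""

MONTHS = {name: number for number, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# The mode is matched as the device prints it in the example ("PRIVILEDGE").
CLI_ENTRY = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)"
    r":(?P<level>\w+):(?P<user>\S+) (?P<action>login to|logout from) "
    r"(?P<mode>USER|PRIVILEDGE) EXEC mode$")


def parse_cli_entries(text, year):
    """Return CLI access entries oldest first; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = CLI_ENTRY.match(line.strip())
        if not m or m["mon"] not in MONTHS:
            continue
        when = datetime(year, MONTHS[m["mon"]], int(m["day"]),
                        int(m["h"]), int(m["m"]), int(m["s"]))
        entries.append({"when": when, "user": m["user"], "mode": m["mode"],
                        "login": m["action"] == "login to"})
    return sorted(entries, key=lambda e: e["when"])


def cli_sessions(text, year=2001):
    """Pair logins with logouts per (user, EXEC level).

    Returns (sessions, still_open, orphan_logouts). The log does not identify
    the session, so two overlapping sessions of one user are paired
    last-in-first-out, which is a heuristic. The year is an assumption and
    a buffer that spans New Year is not handled.
    """
    open_logins, sessions, orphan_logouts = {}, [], []
    for e in parse_cli_entries(text, year):
        key = (e["user"], e["mode"])
        if e["login"]:
            open_logins.setdefault(key, []).append(e["when"])
        elif open_logins.get(key):
            start = open_logins[key].pop()
            sessions.append({"user": e["user"], "mode": e["mode"],
                             "start": start, "end": e["when"],
                             "seconds": int((e["when"] - start).total_seconds())})
        else:
            # Logout whose login has already aged out of the 50-entry buffer.
            orphan_logouts.append(e)
    still_open = [{"user": user, "mode": mode, "start": start}
                  for (user, mode), starts in open_logins.items()
                  for start in starts]
    return sessions, still_open, orphan_logouts


if __name__ == "__main__":
    done, pending, orphans = cli_sessions(SAMPLE_CLI_LOG)
    for s in done:
        print("%s held %s EXEC for %d s (%s to %s)" % (
            s["user"], s["mode"], s["seconds"], s["start"].time(), s["end"].time()))
    for p in pending:
        print("%s still in %s EXEC since %s" % (p["user"], p["mode"], p["start"].time()))
    print("logouts without a login in the buffer:", len(orphans))
```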

show mac-address

Displays all MAC addresses on a ServerIron.

EXAMPLE:

To display all MAC addresses on a ServerIron, enter the following:

ServerIron(config)# show mac-address
Total entries from all ports = 75
MAC            Port Age   CamF CIDX0 CIDX1 CIDX2 CIDX3 CIDX4 CIDX5
0000.0300.0000 10   17293 00H  0     0     0     0     0     0
0060.089f.8086 1    12    0bH  23    15    0     6     0     0
0060.9709.914b 16   2130  00H  0     0     0     0     0     0
00a0.249a.0163 16   130   00H  0     0     0     0     0     0
0060.979d.41a5 11   475   00H  0     0     0     0     0     0
00a0.24c5.01d1 11   0     0cH  0     0     20    14    0     0
0060.979d.41df 11   570   00H  0     0     0     0     0     0
0060.9759.4226 16   240   00H  0     0     0     0     0     0
0060.9759.4235 16   130   00H  0     0     0     0     0     0
0800.208f.725b 2    135   00H  0     0     0     0     0     0
0060.9759.4264 16   0     0aH  0     14    0     21    0     0
00a0.24c5.02a1 16   15    09H  5     0     0     33    0     0
0000.c02c.a2bf 7    11    03H  27    5     0     0     0     0
00a0.24c5.02f8 4    135   00H  0     0     0     0     0     0
00a0.24c5.02fc 6    0     06H  0     8     31    0     0     0
0800.207e.c312 2    2     0dH  25    0     24    13    0     0
0800.208f.5331 2    135   00H  0     0     0     0     0     0
00e0.5200.0385 10   5160  00H  0     0     0     0     0     0
--More--, next page: Space/Return key, quit: Control-c

NOTE: The information displayed in columns with headings CamF, and CIDX0 through CIDX5, is not relevant for day-to-day management of the ServerIron. The information is used by engineering and technical support staff for debug purposes.

Syntax: show mac-address [ethernet <portnum> | <mac-addr> | session]

Possible values: The session keyword causes information about MAC session entries to be displayed.

Default value: N/A

show mac-address statistics

Displays the total number of MAC addresses currently active on a ServerIron. This command serves as a numerical summary of the detailed summary provided by the command show mac-addresses.

For each port, the number of learned MAC addresses is displayed.

EXAMPLE:

ServerIron(config)# show mac-address-statistics

Total entries = 41

Port 1 2 3 4 5 6 7 8 9

0 6 11 1 1 1 2 1 1

Port 10 11 12 13 14 15 16

0 3 1 3 1 1 8

Syntax: show mac-address-statistics

Possible values: N/A

Default value: N/A

show media

Shows the types of ports active on a Chassis device.

EXAMPLE:

ServerIron(config)# show media

1/1:SX 1/2:SX 1/3:SX 1/4:SX

2/1:SX 2/2:SX 2/3:SX 2/4:SX 2/5:SX 2/6:SX 2/7:SX 2/8:SX

3/1:SX 3/2:SX 3/3:SX 3/4:SX 3/5:SX 3/6:SX 3/7:SX 3/8:SX

4/1:SX 4/2:SX 4/3:SX 4/4:SX 4/5:SX 4/6:SX 4/7:SX 4/8:SX

5/1:SX 5/2:SX 5/3:SX 5/4:SX 5/5:SX 5/6:SX 5/7:SX 5/8:SX

6/1:SX 6/2:SX 6/3:SX 6/4:SX 6/5:SX 6/6:SX 6/7:SX 6/8:SX

7/1:SX 7/2:SX 7/3:SX 7/4:SX 7/5:SX 7/6:SX 7/7:SX 7/8:SX

8/1:SX 8/2:SX 8/3:SX 8/4:SX 8/5:SX 8/6:SX 8/7:SX 8/8:SX


Syntax: show media

Possible values: N/A

Default value: N/A

show module

Shows the types of modules installed on a Chassis device.

EXAMPLE:

Here is an example of the command’s display output on a ServerIron 800.

ServerIron# show module

Module Status Ports Starting MAC

S1: B8GM Fiber Management Module OK 8 00e0.52f0.5a00

S2: B24E Copper Switch Module OK 24 00e0.52f0.5a20

S3: B24E Copper Switch Module OK 24 00e0.52f0.5a40

S4: B24E Copper Switch Module OK 24 00e0.52f0.5a60

S5: B8G Fiber Switch Module OK 8 00e0.52f0.5a00

S6: B24E Copper Switch Module OK 24 00e0.52f0.5aa0

S7: B8G Fiber Switch Module OK 8 00e0.52f0.5a00

S8: B8G Fiber Switch Module OK 8 00e0.52f0.5a00

Possible values: N/A

Default value: N/A

show monitor

Displays the current port mirroring and monitoring configuration.

EXAMPLE:

ServerIron(config)# show monitor
Mirror Interface: ethernet 4/1
Monitored Interfaces:
Both              Input             Output
---------------------------------------------------
ethernet 4/3

Syntax: show monitor

In this example, port 4/1 is the mirror interface, to which the software copies (“mirrors”) the traffic on port 4/3. In this case, both directions of traffic on the monitored port are mirrored to port 4/1.

If only the incoming traffic is mirrored, the monitored interface is listed under Input. If only the outbound traffic is mirrored, the monitored interface is listed under Output.

Possible values: N/A

Default value: N/A

show policy-map

Displays information about the URL switching policies configured on the ServerIron.

EXAMPLE:

ServerIron# show policy-map p1
Current Policy: 3 Created: 8 Deleted: 5
Table slot 210
-------------------------------------------------
Name : p1 Valid : Yes
Tree root : Yes Method : prefix

Key      Type        Data
---      ----        ----
default  Map Policy  p2
/home    Group ID    1

Syntax: show policy-map [<policy-map-name>]

Possible values: <policy-map-name> is the name of a URL switching policy. If you omit this parameter, information about all URL switching policies is displayed.

Default value: N/A

show relative-utilization

Displays an uplink utilization list, which allows you to observe the percentage of the uplink’s bandwidth that each of the downlink ports used during the most recent 30-second port statistics interval. The number of packets sent and received between the two ports is listed, as well as the ratio of each individual downlink port’s packets relative to the total number of packets on the uplink.

EXAMPLE:

To display an uplink utilization list:

ServerIron(config)# show relative-utilization 1
uplink: ethe 1
30-sec total uplink packet count = 3011
packet count ratio (%)
1/ 2:60 1/ 3:40

In this example, ports 2 and 3 are sending traffic to port 1. Port 2 and port 3 are isolated (not shared by multiple clients) and typically do not exchange traffic with other ports except for the uplink port, port 1.

Syntax: show relative-utilization <num>

Possible values: The <num> parameter specifies the list number.

Default value: N/A

show reload

Displays the time and date for scheduled system reloads.

EXAMPLE:

ServerIron# show reload

Syntax: show reload

Possible values: N/A

Default value: N/A

show rmon alarm

This command will display any reported RMON alarms for the system.

EXAMPLE:

ServerIron# show rmon alarm

Alarm table is empty


Syntax: show rmon alarm [<alarm-table-entry>]

Possible values: N/A

Default value: N/A

show rmon event

This command will display any reported RMON events for the system.

EXAMPLE:

ServerIron# show rmon event

Event table is empty

Syntax: show rmon event [<event-table-entry>]

Possible values: N/A

Default value: N/A

show rmon history

This command will display the RMON history for the system.

EXAMPLE:

ServerIron# show rmon history

History 1 is active, owned by monitor

Monitors interface 1 (ifIndex 1) every 30 seconds

25 buckets were granted to store statistics

History 2 is active, owned by monitor

Monitors interface 1 (ifIndex 1) every 1800 seconds

25 buckets were granted to store statistics

History 3 is active, owned by monitor

Monitors interface 5 (ifIndex 5) every 30 seconds

25 buckets were granted to store statistics

History 4 is active, owned by monitor

Monitors interface 5 (ifIndex 5) every 1800 seconds

25 buckets were granted to store statistics

Syntax: show rmon history [<control-table-entry>]

Possible values: N/A

Default value: N/A

show rmon statistics

Displays detailed statistics for each port.

EXAMPLE:

ServerIron# show rmon statistics

Syntax: show rmon statistics [ethernet <portnum>] | [<num>]


The ethernet <portnum> parameter displays the RMON port statistics for the specified port.

The <num> parameter displays the specified entry. Entries are numbered beginning with 1.

Possible values: see above

Default value: N/A

show running-config

Displays the running configuration of the ServerIron on the terminal screen.

NOTE: This command is equivalent to the write terminal command.

EXAMPLE:

ServerIron# show running-config

Syntax: show running-config

Possible values: N/A

Default value: N/A

show server backup

Displays the backup configuration and the current backup status of the ServerIron.

NOTE: This command applies only to hot standby configurations. If you are using Symmetric SLB, see “show server symmetric” on page 21-29.

show server bind

Displays the services binding between virtual servers and real servers.

EXAMPLE:

ServerIron(config)# show server bind

Virtual Server Name: v100, IP: 209.157.23.100
  http   -------> s43: 209.157.23.43, http
                  s60: 209.157.23.60, 8080
  ftp    -------> s43: 209.157.23.43, ftp
                  s60: 209.157.23.60, ftp
  70     -------> s43: 209.157.23.43, 70
                  s60: 209.157.23.60, 70
Virtual Server Name: v105, IP: 209.157.23.105
  telnet -------> s60: 209.157.23.60, 300
  ftp    -------> s60: 209.157.23.60, 200
  http   -------> s60: 209.157.23.60, 100
  dns    -------> s60: 209.157.23.60, 400
  tftp   -------> s60: 209.157.23.60, 500

Syntax: show server bind

For descriptions of the information shown in this display, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

Possible values: N/A

Default value: N/A

show server conn-rate

Shows the global TCP connection rate (per second) and TCP SYN attack rate (per second). This command reports global connection rate information for the ServerIron as well as for each real server.

EXAMPLE:

ServerIron# show server conn-rate
Avail. Sessions = 524286 Total Sessions = 524288
Total C->S Conn = 0 Total S->C Conn = 0
Total Reassign = 0 Unsuccessful Conn = 0
last conn rate = 0 max conn rate = 0
last TCP attack rate = 0 max TCP attack rate = 0
SYN def RST = 0 SYN flood = 0
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active

Real Server  State  CurrConn  TotConn  LastRate  CurrRate  MaxRate
rs1          3      0         0        0         0         0

Syntax: show server conn-rate

For descriptions of the information shown in this display, see the "Protecting Against Denial of Service Attacks" chapter in the Foundry ServerIron Installation and Configuration Guide.

Possible values: N/A

Default value: N/A

show server dynamic

Shows dynamic real server and virtual server port bindings. These are bindings that the ServerIron builds automatically. Use this command if you are working with Foundry technical support to resolve a Global SLB configuration issue.

show server fw-path

Shows information for paths configured for firewall load balancing. See the Foundry ServerIron Firewall Load Balancing Guide for information about the fields in this display.

EXAMPLE:

To display path information for firewall load balancing, enter the following command at any level of the CLI:

ServerIron(config)# show server fw-path

Firewall Server Path Info
Number of Fwall = 2
Target-ip        Next-hop-ip  Port  Path  Status  Tx  Rx
195.188.123.221  10.10.0.1    1     1     0       0   0
195.188.123.221  10.10.0.2    2     2     0       0   0

Syntax: show server fw-path

Possible values: N/A

Default value: N/A

show server global

Displays global server configuration parameters.

EXAMPLE:

ServerIron(config)# show server global

Server Load Balancing - global parameters
Predictor = least-conn
Force-deletion = 1
Reassign-threshold = 100
Reassign-limit = 3
Ping-interval = 8
Ping-retries = 7
Session ID age = 35
TCP-age = 30
UDP-age = 5
Sticky-age = 30
TCP-syn-limit = 65535
TCP-total conn = 4337
Unsuccessful conn = 0
ICMP-message = Disabled

Syntax: show server global

For descriptions of the fields in this display, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

Possible values: N/A

Default value: N/A

show server hash

Displays information about hashing bucket assignments and the number of hits each bucket has received.

EXAMPLE:

ServerIron# show server hash

Syntax: show server hash

Possible values: N/A

Default value: N/A

show server proxy

Displays web switching statistics.

EXAMPLE:

ServerIron# show server proxy

Slot alloc = 0 Curr free slot = 99999
Slot freed = 0 Slot alloc fail = 0
Pkt stored = 0 Max slot alloc = 0
Pkt freed = 0 Fwd Stored pkt = 0
Session T/O = 0 Sess T/O pkt free = 0
Session del = 0 Sess del pkt free = 0
DB cleanup cnt = 0 DB cleanup pkt free = 0
Serv RST to SYN = 0 Send RST to C = 0
URL not in 1st pkt = 0 Cookie not in 1st pk = 0
URL not complete = 0 Cookie not complete = 0
Sess T/O rev Sess 0 = 0 Sess T/O Sess diff = 0
Dup SYN Sess diff = 0 Curr slot used = 0
Curr pkt stored = 0

Syntax: show server proxy

Possible values: N/A

Default value: N/A

show server real

Displays real IP servers' state information and statistics.

EXAMPLE:

ServerIron(config)# show server real

Real Servers Info

Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active
Name:rs1 IP: 209.157.23.60:4 State:1 Wt:1 Max-conn:1000000

Src-nat (cfg:op) = 0: 0 Dest-nat-(cfg:op) = 0: 0
Remote server: No Dynamic: No
Port  State   Ms CurConn TotConns Rx-pkts Tx-pkts Rx-octet Tx-octet Reas
pop2  enabled 0  0       0        0       0       0        0        0
      Keepalive: Disabled
radiusenabled 0  0       0        0       0       0        0        0
      Keepalive: Disabled, Username : "reza" Password : "QA", Key : "arvind"
imap4 enabled 0  0       0        0       0       0        0        0
      Keepalive: Disabled
ldap  enabled 0  0       0        0       0       0        0        0
      Keepalive: Disabled, LDAP Version : 3
70    enabled 0  0       0        0       0       0        0        0
      Keepalive: Enabled
dns   enabled 0  0       0        0       0       0        0        0
      Keepalive: Disabled, Zone : "foundrynet.com", Addr Query : ""
snmp  enabled 0  0       0        0       0       0        0        0
      Keepalive: Disabled
http  enabled 0  0       0        0       0       0        0        0
      Keepalive: Disabled, status code(s) default (200-299, 401) HTTP URL: "HEAD /"
600   unbnd   0  0       0        0       0       0        0        0
      Keepalive: Disabled
500   enabled 0  0       0        0       0       0        0        0
      Keepalive: Disabled
defaulunbnd   0  0       0        0       0       0        0        0

Server Total 0 0 0 0 0 0 0

Syntax: show server real [<name> [detail]]

Syntax: show server real [dns | ftp | http | imap4 | ldap | nntp | pop3 | radius | smtp | telnet]

For descriptions of the information shown in this display, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

Possible values: The optional keywords display keepalive and bring up statistics for the specified function.

Default value: N/A

show server sessions

Displays the free and active sessions.

EXAMPLE:

ServerIron(config)# show server sessions

Avail. Sessions = 524287 Total Sessions = 524288
Total C->S Conn = 4233 Total S->C Conn = 0
Total Reassign = 0 Unsuccessful Conn = 0
Server State - 1:enabled, 2:failed, 3:test, 4:suspect, 5:grace_dn, 6:active

Real Server  State  CurrConn  TotConn  TotRevConn  CurrSess  PeakConn

s60          1      0         0        0           0         0
s43          1      0         4233     0           0         39

Syntax: show server sessions


For descriptions of the information shown by this display, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

Possible values: N/A

Default value: N/A

show server symmetric

Displays configuration information for Symmetric SLB.

EXAMPLE:

ServerIron# show server symmetric

Syntax: show server symmetric

For descriptions of the information this command shows, see the "Configuring Symmetric SLB and SwitchBack" chapter in the Foundry ServerIron Installation and Configuration Guide.

Possible values: N/A

Default value: N/A

show server traffic

Displays global IP server statistics.

EXAMPLE:

ServerIron(config)# show server traffic

Client->Server = 26753 Server->Client = 24817
Drops = 4 Aged = 38
Fw_drops = 0 Rev_drops = 0
FIN_or_RST = 8429 old-conn = 0
Disable_drop = 0 Exceed_drop = 0
Stale_drop = 14 Unsuccessful = 0

Syntax: show server traffic

Possible values: N/A

For descriptions of the information shown in this display, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

Default value: N/A

show server virtual

Displays virtual IP servers state information and statistics.

EXAMPLE:

ServerIron(config)# show server virtual

Virtual Servers Info

Server Name: v100 IP : 209.157.23.100 : 4
Status: enabled Predictor: least-conn TotConn: 4233
Dynamic: No HTTP redirect: disabled
Sym: group = 1 state = 5 priority = 2 keep = 0 Activates = 4, Inactive= 3
Port    State   Sticky Concur CurConn TotConn PeakConn

radius-oenabled NO     NO     0       0       0
http    enabled NO     NO     0       4233    39
ftp     enabled NO     NO     0       0       0
telnet  enabled NO     NO     0       0       0
ssl     enabled YES    NO     0       0       0
smtp    enabled NO     NO     0       0       0
nntp    enabled NO     NO     0       0       0
ntp     enabled NO     NO     0       0       0
dns     enabled NO     NO     0       0       0
pop2    enabled NO     NO     0       0       0
pop3    enabled NO     NO     0       0       0
tftp    enabled NO     NO     0       0       0
imap4   enabled NO     NO     0       0       0
snmp    enabled NO     NO     0       0       0
ldap    enabled NO     NO     0       0       0
70      enabled NO     NO     0       0       0
default enabled NO     NO     0       0       0

information for remaining virtual servers omitted for brevity...

Syntax: show server virtual [<virtual-server-name>]

For descriptions of the information shown in this display, see the "Configuring Server Load Balancing" chapter in the Foundry ServerIron Installation and Configuration Guide.

Possible values: N/A

Default value: N/A

show snmp server

Lists system administrative information (contact name, system location, community strings and traps enabled) for a ServerIron.

EXAMPLE:

ServerIron# show snmp server
Contact: Jack Sphatt
Location: HMB x1031
Community(ro): public
Community(rw): private
Traps
Cold start: Enable
Link up: Enable
Link down: Enable
Authentication: Enable
[ ..........]
L4 switch standby: Enable
Total Trap-Receiver Entries: 4
Trap-Receiver IP Address Community
1 207.95.6.211
2 207.95.5.21

Syntax: show snmp server

Possible values: N/A

Default value: N/A

show sntp associations

Displays information about SNTP associations.

EXAMPLE:

ServerIron# show sntp associations
 address        ref clock  st  when  poll  delay  disp
~207.95.6.102   0.0.0.0    16  202   4     0.0    5.45
~207.95.6.101   0.0.0.0    16  202   0     0.0    0.0
* synced, ~ configured

The following table describes the information displayed by the show sntp associations command.

This Field...        Displays...
(leading character)  One or both of the following:
                     * Synchronized to this peer
                     ~ Peer is statically configured
address              IP address of the peer
ref clock            IP address of the peer’s reference clock
st                   NTP stratum level of the peer
when                 Amount of time since the last NTP packet was received from the peer
poll                 Poll interval in seconds
delay                Round trip delay in milliseconds
disp                 Dispersion in seconds

Syntax: show sntp associations

Possible values: N/A

Default value: N/A

show sntp status

Displays information about SNTP status.

EXAMPLE:

ServerIron# show sntp status
Clock is unsynchronized, stratum = 0, no reference clock
precision is 2**0
reference time is 0 .0
clock offset is 0.0 msec, root delay is 0.0 msec
root dispersion is 0.0 msec, peer dispersion is 0.0 msec

The following table describes the information displayed by the show sntp status command.

This Field...    Indicates...
unsynchronized   System is not synchronized to an NTP peer.
synchronized     System is synchronized to an NTP peer.
stratum          NTP stratum level of this system
reference clock  IP Address of the peer (if any) to which the unit is synchronized
precision        Precision of this system's clock (in Hz)
reference time   Reference time stamp
clock offset     Offset of clock to synchronized peer
root delay       Total delay along the path to the root clock
root dispersion  Dispersion of the root path
peer dispersion  Dispersion of the synchronized peer

Syntax: show sntp status

Possible values: N/A

Default value: N/A

show span

Displays spanning tree statistics for a ServerIron such as root cost, root port and priority.

EXAMPLE:

ServerIron# show span
Global STP Parameters:
VLAN Root             Root Root Prio Max He- Ho- Fwd Last  Chg Bridge
ID   ID               Cost Port rity Age llo ld  dly Chang cnt Address
                                Hex  sec sec sec sec sec
1    800000e052801400 0    Root 8000 20  2   2   15  0     1   00e052801400
Port STP Parameters:
VLAN Port Prio Path State      Fwd   Design Design           Design
ID   Num  rity Cost            Trans Cost   Root             Bridge
          Hex
1    1/1  80   1    FORWARDING 1     0      800000e052801400 800000e052801400
1    1/2  80   0    DISABLED   0     0      0000000000000000 0000000000000000
1    2/1  80   0    DISABLED   0     0      0000000000000000 0000000000000000
1    2/3  80   0    DISABLED   0     0      0000000000000000 0000000000000000
1    2/5  80   0    DISABLED   0     0      0000000000000000 0000000000000000

Syntax: show span

Possible values: N/A

Default value: N/A

show span vlan

Displays global and port STP for a given VLAN for a ServerIron.

EXAMPLE:

ServerIron# show span vlan 2
Global Bridge Parameters:
VLAN Root Root Root Prio Max He- Ho- Fwd Last Chg Bridge
ID ID Cost Port rity Age llo ld dly Chang cnt Address
Hex sec sec sec
2 800000e0520002f5 0 Root 8000 20 2 2 15 0 0 00e0520002f5
Port STP Parameters:
VLAN Port Prio Path State Fwd Design Design Design
ID Num rity Cost Trans Cost Root Bridge
Hex
2 1 0080 0 DISABLED 0 0000000000000000 0000000000000000
2 2 0080 0 DISABLED 0 0000000000000000 0000000000000000
2 3 0080 0 DISABLED 0 0000000000000000 0000000000000000
2 4 0080 0 DISABLED 0 0000000000000000 0000000000000000
2 5 0080 0 DISABLED 0 0000000000000000 0000000000000000

Syntax: show span vlan <vlan-id> [ethernet <portnum>]

Possible values: N/A

Default value: N/A

show statistics

Displays port statistics for a ServerIron (transmit, receive, collisions, errors).

EXAMPLE:

ServerIron# show statistics
Buffer Manager Queue
[Pkt Receive Pkt Transmit]
 0 0
Port Counters:
      Packets              Collisions           Errors
Port  [Receive  Transmit]  [Receive  Transmit]  [Align  FCS  Giant  Short]
1/1    15935    5443        0        0           0      0    0      0
1/2    0        0           0        0           0      0    0      0
1/3    0        0           0        0           0      0    0      0
1/4    0        0           0        0           0      0    0      0
2/1    0        0           0        0           0      0    0      0
2/2    0        0           0        0           0      0    0      0
2/3    0        0           0        0           0      0    0      0
2/4    0        0           0        0           0      0    0      0
2/5    0        0           0        0           0      0    0      0
2/6    0        0           0        0           0      0    0      0
2/7    0        0           0        0           0      0    0      0
2/8    0        0           0        0           0      0    0      0

Syntax: show statistics [ethernet <portnum>] | [slot <slot-num>]

The pos <portnum> parameter displays statistics for a specific POS port.

The ethernet <portnum> parameter displays statistics for a specific Ethernet port.

The slot <slot-num> parameter displays statistics for a specific chassis slot.

NOTE: The slot <slot-num> parameter applies only to Chassis devices.

NOTE: The pos <portnum> parameter applies only to the POS modules.

This display shows the following information for each port.

Table 21.1: CLI Display of Port Statistics

This Field...  Displays...

Packet counters
Receive        The number of packets received on this interface.
Transmit       The number of packets transmitted on this interface.

Collision counters
Receive        The number of collisions that have occurred when receiving packets.
Transmit       The number of collisions that have occurred when sending packets.

Packet Errors
These fields show statistics for various types of packet errors. The device drops packets that contain one of these errors.
Align          The number of packets that contained frame alignment errors.
FCS            The number of packets that contained Frame Check Sequence errors.
Giant          The number of packets that were longer than the configured MTU.
Short          The number of packets that were shorter than the minimum valid length.

Possible values: see above

Default value: statistics for all ports are displayed

show statistics dos-attack

Displays information about ICMP and TCP SYN packets dropped because burst thresholds were exceeded.

EXAMPLE:

ServerIron# show statistics dos-attack
---------------------------- Local Attack Statistics --------------------------
ICMP Drop Count ICMP Block Count SYN Drop Count SYN Block Count
--------------- ---------------- -------------- ---------------
              0                0              0               0
--------------------------- Transit Attack Statistics -------------------------
Port  ICMP Drop Count ICMP Block Count SYN Drop Count SYN Block Count
----- --------------- ---------------- -------------- ---------------

Syntax: show statistics dos-attack

Possible values: N/A

Default value: N/A

show tech-support

Shows technical details to assist in troubleshooting issues when you are working with technical support. The information shown is a subset of all the available information.

Syntax: show tech-support

Possible values: N/A

Default value: N/A

show telnet

Shows the IP address of the station with the active Telnet session. Up to five read access Telnet sessions can be supported on the ServerIron at one time. Write access through Telnet is limited to one session.

EXAMPLE:

ServerIron# show telnet
Console connections:
 established, active
 14 seconds in idle
Telnet connections:
 1 established, client ip address 192.168.1.234
   7 seconds in idle
 2 established, client ip address 192.168.1.234
   3 seconds in idle
 3 closed
 4 closed
 5 closed
SSH connections:
 1 closed
 2 closed
 3 closed
 4 closed
 5 closed

Syntax: show telnet

Possible values: N/A

Default value: N/A

show trunk

Displays trunk groups and their port membership for ServerIrons.

EXAMPLE:

ServerIron(config-if)# show trunk

Configured trunks:

Trunk Group Ports

1 1 2 3

Operational trunks:

Trunk Group Ports Duplex Speed Tag Priority

1 1 2 3 Full 100M No High

Syntax: show trunk

Possible values: N/A

Default value: N/A

show users

Lists the user accounts configured on the ServerIron. See the Foundry Security Guide.

EXAMPLE:

ServerIron# show users

Syntax: show users

Possible values: N/A

Default value: N/A

show version

Lists software, hardware and firmware details for a ServerIron.

EXAMPLE:

ServerIron# show version

Syntax: show version

Possible values: N/A

Default value: N/A


show vlans

Displays all VLANs configured on the system, their member ports, assigned priority and STP status. To view a specific VLAN, enter the VLAN ID after the show vlans command.

EXAMPLE:

ServerIron(config)# show vlans

Syntax: show vlans [<vlan-id>]

Possible values: N/A

Default value: N/A

show web-connection

Displays the access levels and IP addresses of the devices that currently have Web management interface sessions with the ServerIron.

To clear all sessions displayed by this command, see “clear web-connection” on page 5-8.

EXAMPLE:

ServerIron(config)# show web-connection

User  Privilege  IP address
set   0          192.168.1.234

Syntax: show web-connection

Possible values: N/A

Default value: N/A

show who

The show who command lists the active console and Telnet CLI sessions. This command can be used in conjunction with the kill command, which lets you terminate an active CLI session.

EXAMPLE:

To display the active console and Telnet CLI sessions:

ServerIron# show who
Console connections:
 established
Telnet connections:
 1 established, client ip address 209.157.22.63
 2 closed
 3 closed
 4 closed
 5 closed

Syntax: show who

Possible values: N/A

Default value: N/A

show wsm-map

Displays the WSM CPU allocations for the forwarding modules in the chassis.

EXAMPLE:

To display the slot allocations for the WSM CPUs, enter the following command at any CLI level:

ServerIron(config)# show wsm-map
slot 2 (weight 24 x 100M) is processed by WSM 1/2 (weight 24)
slot 3 (weight 8 x 1000M) is processed by WSM 1/1 (weight 80)
slot 4 (weight 24 x 100M) is processed by WSM 1/3 (weight 24)

Syntax: show wsm-map

This example shows the slot allocations for a four-slot chassis. Each row shows the following information:

• The chassis slot (“slot 2” in the first row of the example above)

• The weight of the module in the slot (“weight 24 x 100M” in the first row of the example above)

• The chassis slot that contains the Web Switching Management Module and the WSM CPU to which the forwarding module described by this row is allocated (“is processed by WSM 1/2”). The “1” in this example indicates the Web Switching Management Module is in chassis slot 1. The “2” in this example indicates that WSM CPU 2 is handling Layer 4 – 7 processing for the forwarding module in slot 2.

• The total weight assigned to the WSM CPU (“weight 24” in the first row of this example)

Possible values: N/A

Default value: N/A

show wsm-state

Displays general information for a Web Switching Management Module.

EXAMPLE:

ServerIron(config)# show wsm-state
==================================================
WSM MODULE (6) App CPU 0 MB SHM, 3 Application Processors
CPU 0 in state of WSM_STATE_RUNNING
CPU 1 in state of WSM_STATE_RUNNING
CPU 2 in state of WSM_STATE_RUNNING
---------------
Module 6 App CPU 1, SW: Version 07.2.00T71
Compiled on Sep 25 2000 at 21:33:50 labeled as wsm-cpu3b
DRAM 268M, BRAM 262K, FPGA Version 0050
Code Flash 4M: Primary (880346 bytes, 07.2.00T71), Secondary (871842 bytes, 07.0.00T71)
Boot Flash 131K, Boot Version 06.00.00
The system uptime is 0 day 1 hour 54 minute 17 second
General Status: 0 ipc msg rec, 2 ipc msg sent
---------------
Module 6 App CPU 2, SW: Version 07.2.00T71
Compiled on Sep 25 2000 at 21:33:50 labeled as wsm-cpu3b
DRAM 134M, BRAM 262K, FPGA Version 0050
Code Flash 4M: Primary (880346 bytes, 07.2.00T71), Secondary (871842 bytes, 07.0.00T71)
Boot Flash 131K, Boot Version 06.00.00
The system uptime is 0 day 1 hour 54 minute 17 second
General Status: 0 ipc msg rec, 2 ipc msg sent
---------------
Module 6 App CPU 3, SW: Version 07.2.00T71
Compiled on Sep 25 2000 at 21:33:50 labeled as wsm-cpu3b
DRAM 268M, BRAM 262K, FPGA Version 0050
Code Flash 4M: Primary (880346 bytes, 07.2.00T71), Secondary (871842 bytes, 07.0.00T71)
Boot Flash 131K, Boot Version 06.00.00
The system uptime is 0 day 1 hour 54 minute 17 second
General Status: 0 ipc msg rec, 2 ipc msg sent

Syntax: show wsm-state

This command displays the state of the modules in the chassis, the software version running on the modules, and detailed information for each processor on the modules.

Possible values: N/A

Default value: N/A
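A software-inventory check over show wsm-state output, as an added example that is not part of the Foundry reference: it reports CPUs that are not in WSM_STATE_RUNNING, App CPUs running a version other than the expected one, and App CPUs whose running version differs from the primary flash image. The sample is constructed from the example above with two values altered; parse_wsm_state, findings and WSM_STATE_PLACEHOLDER are hypothetical names, and treating these three conditions as findings is an assumed policy.

```python
import re

# Constructed sample, abbreviated from the show wsm-state example in this reference,
# with two values altered; WSM_STATE_PLACEHOLDER is a made-up name, not a real state.
SAMPLE = """\
WSM MODULE (6) App CPU 0 MB SHM, 3 Application Processors
CPU 0 in state of WSM_STATE_RUNNING
CPU 1 in state of WSM_STATE_RUNNING
CPU 2 in state of WSM_STATE_PLACEHOLDER
---------------
Module 6 App CPU 1, SW: Version 07.2.00T71
Code Flash 4M: Primary (880346 bytes, 07.2.00T71), Secondary (871842 bytes, 07.0.00T71)
---------------
Module 6 App CPU 2, SW: Version 07.0.00T71
Code Flash 4M: Primary (880346 bytes, 07.2.00T71), Secondary (871842 bytes, 07.0.00T71)
"""

STATE_RE = re.compile(r"^\s*CPU (\d+) in state of (\S+)")
CPU_RE = re.compile(r"^\s*Module (\d+) App CPU (\d+), SW: Version (\S+)")
FLASH_RE = re.compile(r"Primary \(\d+ bytes, ([^)]+)\), Secondary \(\d+ bytes, ([^)]+)\)")


def parse_wsm_state(text):
    """Return ({cpu: state}, [per-App-CPU dicts]) from show wsm-state output."""
    states, cpus, current = {}, [], None
    for line in text.splitlines():
        if m := STATE_RE.match(line):
            states[int(m.group(1))] = m.group(2)
        elif m := CPU_RE.match(line):
            current = {"module": int(m.group(1)), "cpu": int(m.group(2)),
                       "running": m.group(3), "primary": None, "secondary": None}
            cpus.append(current)
        elif current and (m := FLASH_RE.search(line)):
            current["primary"], current["secondary"] = m.group(1), m.group(2)
    return states, cpus


def findings(text, expected_version):
    """List CPUs that are not running, off the expected version, or off the primary image."""
    states, cpus = parse_wsm_state(text)
    out = [f"CPU {n} state {s}" for n, s in sorted(states.items())
           if s != "WSM_STATE_RUNNING"]
    for c in cpus:
        tag = f"module {c['module']} app CPU {c['cpu']}"
        if c["running"] != expected_version:
            out.append(f"{tag} runs {c['running']}, expected {expected_version}")
        if c["primary"] and c["running"] != c["primary"]:
            out.append(f"{tag} running version differs from primary flash {c['primary']}")
    return out
```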
